From: Tetsuo Handa
To: Johannes Weiner, Yosry Ahmed, Nhat Pham, Minchan Kim, Sergey Senozhatsky
Cc: linux-mm
Date: Fri, 23 Feb 2024 11:10:13 +0900
Subject: [mm/page_alloc or mm/vmscan or mm/zswap] use-after-free in obj_malloc()

I can observe this bug during evict_folios() from 6.7.0 to 6.8.0-rc5-00163-gffd2cb6b718e. Since I haven't observed it with 6.6.0, this bug might have been introduced in the 6.7 cycle.

----------------------------------------
[ 0.000000][ T0] Linux version 6.8.0-rc5-00163-gffd2cb6b718e (root@ubuntu) (Ubuntu clang version 14.0.0-1ubuntu1.1, Ubuntu LLD 14.0.0) #1094 SMP PREEMPT_DYNAMIC Fri Feb 23 01:45:21 UTC 2024
[ 50.026544][ T2974] =====================================================
[ 50.030627][ T2974] BUG: KMSAN: use-after-free in obj_malloc+0x6cc/0x7b0
[ 50.034611][ T2974]  obj_malloc+0x6cc/0x7b0 obj_malloc at mm/zsmalloc.c:0
[ 50.037250][ T2974]  zs_malloc+0xdbd/0x1400 zs_malloc at mm/zsmalloc.c:0
[ 50.039852][ T2974]  zs_zpool_malloc+0xa5/0x1b0 zs_zpool_malloc at mm/zsmalloc.c:372
[ 50.044707][ T2974]  zpool_malloc+0x110/0x150 zpool_malloc at mm/zpool.c:258
[ 50.049607][ T2974]  zswap_store+0x2bbb/0x3d30 zswap_store at mm/zswap.c:1637
[ 50.054463][ T2974]  swap_writepage+0x15b/0x4f0 swap_writepage at mm/page_io.c:198
[ 50.059392][ T2974]  pageout+0x41d/0xef0 pageout at mm/vmscan.c:654
[ 50.064057][ T2974]  shrink_folio_list+0x4d7a/0x7480 shrink_folio_list at mm/vmscan.c:1316
[ 50.069176][ T2974]  evict_folios+0x30f1/0x5170 evict_folios at mm/vmscan.c:4521
[ 50.074082][ T2974]  try_to_shrink_lruvec+0x983/0xd20
[ 50.079352][ T2974]  shrink_one+0x72d/0xeb0
[ 50.084061][ T2974]  shrink_many+0x70d/0x10b0
[ 50.088859][ T2974]  lru_gen_shrink_node+0x577/0x850
[ 50.094192][ T2974]  shrink_node+0x13d/0x1de0
[ 50.099028][ T2974]  shrink_zones+0x878/0x14a0
[ 50.103958][ T2974]  do_try_to_free_pages+0x2ac/0x16a0
[ 50.109138][ T2974]  try_to_free_pages+0xd9e/0x1910
[ 50.114190][ T2974]  __alloc_pages_slowpath+0x147a/0x2bd0
[ 50.119555][ T2974]  __alloc_pages+0xb8c/0x1050
[ 50.124472][ T2974]  alloc_pages_mpol+0x8e0/0xc80
[ 50.129367][ T2974]  alloc_pages+0x224/0x240
[ 50.134022][ T2974]  pipe_write+0xabe/0x2ba0
[ 50.138632][ T2974]  vfs_write+0xfb0/0x1b80
[ 50.143171][ T2974]  ksys_write+0x275/0x500
[ 50.147723][ T2974]  __x64_sys_write+0xdf/0x120
[ 50.152431][ T2974]  do_syscall_64+0xd1/0x1b0
[ 50.157106][ T2974]  entry_SYSCALL_64_after_hwframe+0x63/0x6b
[ 50.162382][ T2974]
[ 50.165956][ T2974] Uninit was stored to memory at:
[ 50.170819][ T2974]  obj_malloc+0x70a/0x7b0 set_freeobj at mm/zsmalloc.c:476 (inlined by) obj_malloc at mm/zsmalloc.c:1333
[ 50.175341][ T2974]  zs_malloc+0xdbd/0x1400 zs_malloc at mm/zsmalloc.c:0
[ 50.179923][ T2974]  zs_zpool_malloc+0xa5/0x1b0 zs_zpool_malloc at mm/zsmalloc.c:372
[ 50.184636][ T2974]  zpool_malloc+0x110/0x150 zpool_malloc at mm/zpool.c:258
[ 50.189257][ T2974]  zswap_store+0x2bbb/0x3d30 zswap_store at mm/zswap.c:1637
[ 50.193918][ T2974]  swap_writepage+0x15b/0x4f0 swap_writepage at mm/page_io.c:198
[ 50.198615][ T2974]  pageout+0x41d/0xef0 pageout at mm/vmscan.c:654
[ 50.203012][ T2974]  shrink_folio_list+0x4d7a/0x7480 shrink_folio_list at mm/vmscan.c:1316
[ 50.207772][ T2974]  evict_folios+0x30f1/0x5170 evict_folios at mm/vmscan.c:4521
[ 50.212321][ T2974]  try_to_shrink_lruvec+0x983/0xd20
[ 50.217092][ T2974]  shrink_one+0x72d/0xeb0
[ 50.221441][ T2974]  shrink_many+0x70d/0x10b0
[ 50.225891][ T2974]  lru_gen_shrink_node+0x577/0x850
[ 50.230614][ T2974]  shrink_node+0x13d/0x1de0
[ 50.235128][ T2974]  shrink_zones+0x878/0x14a0
[ 50.239646][ T2974]  do_try_to_free_pages+0x2ac/0x16a0
[ 50.244461][ T2974]  try_to_free_pages+0xd9e/0x1910
[ 50.249151][ T2974]  __alloc_pages_slowpath+0x147a/0x2bd0
[ 50.254148][ T2974]  __alloc_pages+0xb8c/0x1050
[ 50.258679][ T2974]  alloc_pages_mpol+0x8e0/0xc80
[ 50.263289][ T2974]  alloc_pages+0x224/0x240
[ 50.267767][ T2974]  pipe_write+0xabe/0x2ba0
[ 50.272190][ T2974]  vfs_write+0xfb0/0x1b80
[ 50.276543][ T2974]  ksys_write+0x275/0x500
[ 50.280931][ T2974]  __x64_sys_write+0xdf/0x120
[ 50.289451][ T2974]  do_syscall_64+0xd1/0x1b0
[ 50.303402][ T2974]  entry_SYSCALL_64_after_hwframe+0x63/0x6b
[ 50.318721][ T2974]
[ 50.328931][ T2974] Uninit was created at:
[ 50.341845][ T2974]  free_unref_page_prepare+0x130/0xfc0 arch_static_branch_jump at arch/x86/include/asm/jump_label.h:55 (inlined by) memcg_kmem_online at include/linux/memcontrol.h:1840 (inlined by) free_pages_prepare at mm/page_alloc.c:1096 (inlined by) free_unref_page_prepare at mm/page_alloc.c:2346
[ 50.356492][ T2974]  free_unref_page_list+0x139/0x1050 free_unref_page_list at mm/page_alloc.c:2532
[ 50.370898][ T2974]  shrink_folio_list+0x7139/0x7480 list_empty at include/linux/list.h:373 (inlined by) list_splice at include/linux/list.h:545 (inlined by) shrink_folio_list at mm/vmscan.c:1490
[ 50.385025][ T2974]  evict_folios+0x30f1/0x5170 evict_folios at mm/vmscan.c:4521
[ 50.398448][ T2974]  try_to_shrink_lruvec+0x983/0xd20
[ 50.412660][ T2974]  shrink_one+0x72d/0xeb0
[ 50.425591][ T2974]  shrink_many+0x70d/0x10b0
[ 50.438827][ T2974]  lru_gen_shrink_node+0x577/0x850
[ 50.454390][ T2974]  shrink_node+0x13d/0x1de0
[ 50.479401][ T2974]  shrink_zones+0x878/0x14a0
[ 50.529610][ T2974]  do_try_to_free_pages+0x2ac/0x16a0
[ 50.544397][ T2974]  try_to_free_pages+0xd9e/0x1910
[ 50.559556][ T2974]  __alloc_pages_slowpath+0x147a/0x2bd0
[ 50.574932][ T2974]  __alloc_pages+0xb8c/0x1050
[ 50.589024][ T2974]  alloc_pages_mpol+0x8e0/0xc80
[ 50.603421][ T2974]  alloc_pages+0x224/0x240
[ 50.616483][ T2974]  pipe_write+0xabe/0x2ba0
[ 50.629601][ T2974]  vfs_write+0xfb0/0x1b80
[ 50.643009][ T2974]  ksys_write+0x275/0x500
[ 50.656157][ T2974]  __x64_sys_write+0xdf/0x120
[ 50.670080][ T2974]  do_syscall_64+0xd1/0x1b0
[ 50.683405][ T2974]  entry_SYSCALL_64_after_hwframe+0x63/0x6b
[ 50.698626][ T2974] ----------------------------------------
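A small triage helper, added here as an example and not part of the report above or of the kernel tree: it splits a KMSAN report of the shape shown on this page into its three stacks (the access stack under the "BUG: KMSAN:" header, the "Uninit was stored to memory at:" stack and the "Uninit was created at:" origin stack), keeps the decoded "func at file:line" annotations including their "(inlined by)" chains so the real source line of each frame is the last entry, and cross-checks the use-after-free label against the origin stack. The sample input is a trimmed excerpt of the report above; the FREE_PATHS list, the function names and the printk prefix pattern are this example's own assumptions.

```python
"""Split a KMSAN report into its stacks for triage (added example)."""
import re
from dataclasses import dataclass, field

# Constructed test input: a trimmed excerpt of the report above.
SAMPLE = """\
[   50.026544][ T2974] =====================================================
[   50.030627][ T2974] BUG: KMSAN: use-after-free in obj_malloc+0x6cc/0x7b0
[   50.034611][ T2974]  obj_malloc+0x6cc/0x7b0 obj_malloc at mm/zsmalloc.c:0
[   50.037250][ T2974]  zs_malloc+0xdbd/0x1400 zs_malloc at mm/zsmalloc.c:0
[   50.049607][ T2974]  zswap_store+0x2bbb/0x3d30 zswap_store at mm/zswap.c:1637
[   50.059392][ T2974]  pageout+0x41d/0xef0 pageout at mm/vmscan.c:654
[   50.162382][ T2974]
[   50.165956][ T2974] Uninit was stored to memory at:
[   50.170819][ T2974]  obj_malloc+0x70a/0x7b0 set_freeobj at mm/zsmalloc.c:476 (inlined by) obj_malloc at mm/zsmalloc.c:1333
[   50.175341][ T2974]  zs_malloc+0xdbd/0x1400 zs_malloc at mm/zsmalloc.c:0
[   50.318721][ T2974]
[   50.328931][ T2974] Uninit was created at:
[   50.341845][ T2974]  free_unref_page_prepare+0x130/0xfc0 arch_static_branch_jump at arch/x86/include/asm/jump_label.h:55 (inlined by) memcg_kmem_online at include/linux/memcontrol.h:1840 (inlined by) free_pages_prepare at mm/page_alloc.c:1096 (inlined by) free_unref_page_prepare at mm/page_alloc.c:2346
[   50.356492][ T2974]  free_unref_page_list+0x139/0x1050 free_unref_page_list at mm/page_alloc.c:2532
[   50.370898][ T2974]  shrink_folio_list+0x7139/0x7480 list_empty at include/linux/list.h:373 (inlined by) shrink_folio_list at mm/vmscan.c:1490
[   50.698626][ T2974] ----------------------------------------
"""

PRINTK_PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\]\s?")
HEADER = re.compile(r"^BUG: KMSAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")
FRAME = re.compile(r"^(?P<sym>[\w.]+)\+0x(?P<off>[0-9a-f]+)/0x(?P<size>[0-9a-f]+)(?:\s+(?P<decoded>\S.*))?$")
SECTIONS = {
    "Uninit was stored to memory at:": "stored",
    "Uninit was created at:": "created",
}
# Heuristic list (this example's own assumption): symbol prefixes of page/slab free paths.
FREE_PATHS = ("free_", "__free_", "kfree", "kmem_cache_free", "put_page", "folio_put")


@dataclass
class Frame:
    symbol: str
    offset: int
    size: int
    locations: list          # decoded "func at file:line" entries, innermost inline first

    @property
    def source(self):
        # The last decoded entry is the line inside `symbol` itself; the earlier
        # ones are callees the compiler inlined into it.
        return self.locations[-1] if self.locations else None


@dataclass
class KmsanReport:
    kind: str                # e.g. "use-after-free" or "uninit-value"
    access_func: str         # function named in the BUG: header
    stacks: dict = field(default_factory=dict)   # keys: "access", "stored", "created"


def parse_kmsan(text):
    """Parse one KMSAN report; anything before the BUG: header is ignored."""
    report, current = None, None
    for raw in text.splitlines():
        line = PRINTK_PREFIX.sub("", raw).strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            report = KmsanReport(m["kind"], m["func"], {"access": []})
            current = "access"
            continue
        if report is None:
            continue
        if line in SECTIONS:
            current = SECTIONS[line]
            report.stacks[current] = []
            continue
        m = FRAME.match(line)
        if m and current:
            chain = m["decoded"] or ""
            locs = [p.strip() for p in chain.split("(inlined by)") if p.strip()]
            report.stacks[current].append(
                Frame(m["sym"], int(m["off"], 16), int(m["size"], 16), locs))
    if report is None:
        raise ValueError("no 'BUG: KMSAN:' header found")
    return report


def summarize(report):
    """Innermost frame of each stack together with its decoded source line."""
    return {name: (frames[0].symbol, frames[0].source)
            for name, frames in report.stacks.items() if frames}


def created_by_free(report, depth=3):
    """True if the innermost frames of the origin stack are a free path.

    KMSAN labels a report use-after-free when the origin of the uninitialized
    value is a free rather than an allocation; this cross-checks that label
    against the decoded 'created' stack using the FREE_PATHS heuristic.
    """
    frames = report.stacks.get("created", [])[:depth]
    return any(f.symbol.startswith(FREE_PATHS) for f in frames)


if __name__ == "__main__":
    r = parse_kmsan(SAMPLE)
    print(r.kind, "in", r.access_func, "| origin is a free path:", created_by_free(r))
    for name, (sym, src) in summarize(r).items():
        print(f"  {name:8s} {sym}  <-  {src}")
```

For the excerpt above the helper reports the access in obj_malloc, the store in set_freeobj inlined into obj_malloc at mm/zsmalloc.c:1333, and an origin in free_unref_page_prepare at mm/page_alloc.c:2346, which is the free of the page whose memory obj_malloc then touches; feeding it the full report changes nothing but the stack lengths.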