[syzbot] [mm?] WARNING in __folio_rmap_sanity_checks (2)

[syzbot] [mm?] WARNING in __folio_rmap_sanity_checks (2)

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    b8f52214c61a Merge tag 'audit-pr-20241205' of git://git.ke..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=164958df980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=c579265945b98812
dashboard link: https://syzkaller.appspot.com/bug?extid=c0673e1f1f054fac28c2
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/27d16eb66738/disk-b8f52214.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/4e6e3d3856a3/vmlinux-b8f52214.xz
kernel image: https://storage.googleapis.com/syzbot-assets/e4a9277cf155/bzImage-b8f52214.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c0673e1f1f054fac28c2@syzkaller.appspotmail.com

 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 1 tgid 1 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1127 [inline]
 free_unref_page+0x661/0x1080 mm/page_alloc.c:2657
 free_contig_range+0x133/0x3f0 mm/page_alloc.c:6630
 destroy_args+0xa87/0xe60 mm/debug_vm_pgtable.c:1017
 debug_vm_pgtable+0x168e/0x31a0 mm/debug_vm_pgtable.c:1397
 do_one_initcall+0x12b/0x700 init/main.c:1266
 do_initcall_level init/main.c:1328 [inline]
 do_initcalls init/main.c:1344 [inline]
 do_basic_setup init/main.c:1363 [inline]
 kernel_init_freeable+0x5c7/0x900 init/main.c:1577
 kernel_init+0x1c/0x2b0 init/main.c:1466
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
------------[ cut here ]------------
WARNING: CPU: 0 PID: 10473 at ./include/linux/rmap.h:217 __folio_rmap_sanity_checks+0x356/0x540 include/linux/rmap.h:217
Modules linked in:
CPU: 0 UID: 0 PID: 10473 Comm: syz.3.899 Not tainted 6.13.0-rc1-syzkaller-00182-gb8f52214c61a #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:__folio_rmap_sanity_checks+0x356/0x540 include/linux/rmap.h:217
Code: d2 b0 ff 49 8d 6f ff e8 28 d2 b0 ff 48 39 eb 0f 84 53 fe ff ff e8 1a d2 b0 ff 48 c7 c6 20 ac 7a 8b 48 89 df e8 db fb f6 ff 90 <0f> 0b 90 e9 36 fe ff ff e8 fd d1 b0 ff 49 89 ec 31 ff 41 81 e4 ff
RSP: 0018:ffffc900036b75d8 EFLAGS: 00010246
RAX: 0000000000080000 RBX: ffffea0001108000 RCX: ffffc9000de50000
RDX: 0000000000080000 RSI: ffffffff81e933a5 RDI: ffff88802e0d8444
RBP: ffffea000111ffc0 R08: 0000000000000000 R09: fffffbfff20be52a
R10: ffffffff905f2957 R11: 0000000000000006 R12: 0000000000000000
R13: 0000000000000410 R14: 0000000000000000 R15: dead000000000100
FS:  00007ffb8d5086c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f1678a23712 CR3: 0000000068232000 CR4: 0000000000350ef0
Call Trace:
 <TASK>
 __folio_add_rmap mm/rmap.c:1170 [inline]
 __folio_add_file_rmap mm/rmap.c:1489 [inline]
 folio_add_file_rmap_ptes+0x72/0x310 mm/rmap.c:1511
 set_pte_range+0x135/0x520 mm/memory.c:5065
 filemap_map_folio_range mm/filemap.c:3572 [inline]
 filemap_map_pages+0xb5a/0x16b0 mm/filemap.c:3681
 do_fault_around mm/memory.c:5280 [inline]
 do_read_fault mm/memory.c:5313 [inline]
 do_fault mm/memory.c:5456 [inline]
 do_pte_missing+0xdae/0x3e70 mm/memory.c:3979
 handle_pte_fault mm/memory.c:5801 [inline]
 __handle_mm_fault+0x103c/0x2a40 mm/memory.c:5944
 handle_mm_fault+0x3fa/0xaa0 mm/memory.c:6112
 faultin_page mm/gup.c:1187 [inline]
 __get_user_pages+0x8d9/0x3b50 mm/gup.c:1485
 populate_vma_page_range+0x27f/0x3a0 mm/gup.c:1923
 __mm_populate+0x1d6/0x380 mm/gup.c:2026
 mm_populate include/linux/mm.h:3386 [inline]
 vm_mmap_pgoff+0x293/0x360 mm/util.c:585
 ksys_mmap_pgoff+0x32c/0x5c0 mm/mmap.c:542
 __do_sys_mmap arch/x86/kernel/sys_x86_64.c:89 [inline]
 __se_sys_mmap arch/x86/kernel/sys_x86_64.c:82 [inline]
 __x64_sys_mmap+0x125/0x190 arch/x86/kernel/sys_x86_64.c:82
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7ffb8c77fed9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffb8d508058 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
RAX: ffffffffffffffda RBX: 00007ffb8c946080 RCX: 00007ffb8c77fed9
RDX: 0000000000000002 RSI: 0000000000b36000 RDI: 0000000020000000
RBP: 00007ffb8c7f3cc8 R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000028011 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000001 R14: 00007ffb8c946080 R15: 00007ffd68dca078
 </TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Re: [syzbot] [mm?] WARNING in __folio_rmap_sanity_checks (2)

[David Hildenbrand]

On 11.12.24 02:54, syzbot wrote:
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    b8f52214c61a Merge tag 'audit-pr-20241205' of git://git.ke..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=164958df980000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=c579265945b98812
> dashboard link: https://syzkaller.appspot.com/bug?extid=c0673e1f1f054fac28c2
> compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> 
> Unfortunately, I don't have any reproducer for this issue yet.
> 
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/27d16eb66738/disk-b8f52214.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/4e6e3d3856a3/vmlinux-b8f52214.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/e4a9277cf155/bzImage-b8f52214.xz
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+c0673e1f1f054fac28c2@syzkaller.appspotmail.com
> 
>   entry_SYSCALL_64_after_hwframe+0x77/0x7f
> page last free pid 1 tgid 1 stack trace:
>   reset_page_owner include/linux/page_owner.h:25 [inline]
>   free_pages_prepare mm/page_alloc.c:1127 [inline]
>   free_unref_page+0x661/0x1080 mm/page_alloc.c:2657
>   free_contig_range+0x133/0x3f0 mm/page_alloc.c:6630
>   destroy_args+0xa87/0xe60 mm/debug_vm_pgtable.c:1017
>   debug_vm_pgtable+0x168e/0x31a0 mm/debug_vm_pgtable.c:1397
>   do_one_initcall+0x12b/0x700 init/main.c:1266
>   do_initcall_level init/main.c:1328 [inline]
>   do_initcalls init/main.c:1344 [inline]
>   do_basic_setup init/main.c:1363 [inline]
>   kernel_init_freeable+0x5c7/0x900 init/main.c:1577
>   kernel_init+0x1c/0x2b0 init/main.c:1466
>   ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
>   ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
> ------------[ cut here ]------------
> WARNING: CPU: 0 PID: 10473 at ./include/linux/rmap.h:217 __folio_rmap_sanity_checks+0x356/0x540 include/linux/rmap.h:217

That is:

VM_WARN_ON_FOLIO(page_folio(page + nr_pages - 1) != folio, folio);

Meaning, nr_pages crosses our folio, which is bad.

Note that

VM_WARN_ON_FOLIO(page_folio(page) != folio, folio);

Held.

(doing the page arithmetic will work as we are not crossing memory 
section boundaries with any pages we expect in here right now)

> Modules linked in:
> CPU: 0 UID: 0 PID: 10473 Comm: syz.3.899 Not tainted 6.13.0-rc1-syzkaller-00182-gb8f52214c61a #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
> RIP: 0010:__folio_rmap_sanity_checks+0x356/0x540 include/linux/rmap.h:217
> Code: d2 b0 ff 49 8d 6f ff e8 28 d2 b0 ff 48 39 eb 0f 84 53 fe ff ff e8 1a d2 b0 ff 48 c7 c6 20 ac 7a 8b 48 89 df e8 db fb f6 ff 90 <0f> 0b 90 e9 36 fe ff ff e8 fd d1 b0 ff 49 89 ec 31 ff 41 81 e4 ff
> RSP: 0018:ffffc900036b75d8 EFLAGS: 00010246
> RAX: 0000000000080000 RBX: ffffea0001108000 RCX: ffffc9000de50000
> RDX: 0000000000080000 RSI: ffffffff81e933a5 RDI: ffff88802e0d8444
> RBP: ffffea000111ffc0 R08: 0000000000000000 R09: fffffbfff20be52a
> R10: ffffffff905f2957 R11: 0000000000000006 R12: 0000000000000000
> R13: 0000000000000410 R14: 0000000000000000 R15: dead000000000100
> FS:  00007ffb8d5086c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007f1678a23712 CR3: 0000000068232000 CR4: 0000000000350ef0
> Call Trace:
>   <TASK>
>   __folio_add_rmap mm/rmap.c:1170 [inline]
>   __folio_add_file_rmap mm/rmap.c:1489 [inline]
>   folio_add_file_rmap_ptes+0x72/0x310 mm/rmap.c:1511

So set_pte_range() is already called with a wrong page + nr combination 
I suspect.



>   set_pte_range+0x135/0x520 mm/memory.c:5065
>   filemap_map_folio_range mm/filemap.c:3572 [inline]
>   filemap_map_pages+0xb5a/0x16b0 mm/filemap.c:3681
>   do_fault_around mm/memory.c:5280 [inline]
>   do_read_fault mm/memory.c:5313 [inline]
>   do_fault mm/memory.c:5456 [inline]
>   do_pte_missing+0xdae/0x3e70 mm/memory.c:3979
>   handle_pte_fault mm/memory.c:5801 [inline]
>   __handle_mm_fault+0x103c/0x2a40 mm/memory.c:5944
>   handle_mm_fault+0x3fa/0xaa0 mm/memory.c:6112
>   faultin_page mm/gup.c:1187 [inline]
>   __get_user_pages+0x8d9/0x3b50 mm/gup.c:1485
>   populate_vma_page_range+0x27f/0x3a0 mm/gup.c:1923
>   __mm_populate+0x1d6/0x380 mm/gup.c:2026
>   mm_populate include/linux/mm.h:3386 [inline]
>   vm_mmap_pgoff+0x293/0x360 mm/util.c:585
>   ksys_mmap_pgoff+0x32c/0x5c0 mm/mmap.c:542
>   __do_sys_mmap arch/x86/kernel/sys_x86_64.c:89 [inline]
>   __se_sys_mmap arch/x86/kernel/sys_x86_64.c:82 [inline]
>   __x64_sys_mmap+0x125/0x190 arch/x86/kernel/sys_x86_64.c:82
>   do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>   do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
>   entry_SYSCALL_64_after_hwframe+0x77/0x7f
> RIP: 0033:0x7ffb8c77fed9
> Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007ffb8d508058 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
> RAX: ffffffffffffffda RBX: 00007ffb8c946080 RCX: 00007ffb8c77fed9
> RDX: 0000000000000002 RSI: 0000000000b36000 RDI: 0000000020000000
> RBP: 00007ffb8c7f3cc8 R08: 0000000000000007 R09: 0000000000000000
> R10: 0000000000028011 R11: 0000000000000246 R12: 0000000000000000
> R13: 0000000000000001 R14: 00007ffb8c946080 R15: 00007ffd68dca078
>   </TASK>
> 
> 
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
> 
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> 
> If the report is already addressed, let syzbot know by replying with:
> #syz fix: exact-commit-title
> 
> If you want to overwrite report's subsystems, reply with:
> #syz set subsystems: new-subsystem
> (See the list of subsystem names on the web dashboard)
> 
> If the report is a duplicate of another one, reply with:
> #syz dup: exact-subject-of-another-report
> 
> If you want to undo deduplication, reply with:
> #syz undup
> 


-- 
Cheers,

David / dhildenb

Re: [syzbot] [mm?] WARNING in __folio_rmap_sanity_checks (2)

[syzbot]

syzbot has found a reproducer for the following issue on:

HEAD commit:    8155b4ef3466 Add linux-next specific files for 20241220
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=15248af8580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=9c90bb7161a56c88
dashboard link: https://syzkaller.appspot.com/bug?extid=c0673e1f1f054fac28c2
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1652fadf980000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/98a974fc662d/disk-8155b4ef.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/2dea9b72f624/vmlinux-8155b4ef.xz
kernel image: https://storage.googleapis.com/syzbot-assets/593a42b9eb34/bzImage-8155b4ef.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/07bcc698db35/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c0673e1f1f054fac28c2@syzkaller.appspotmail.com

 do_ftruncate+0x4a1/0x540 fs/open.c:192
 do_sys_ftruncate fs/open.c:207 [inline]
 __do_sys_ftruncate fs/open.c:212 [inline]
 __se_sys_ftruncate fs/open.c:210 [inline]
 __x64_sys_ftruncate+0x94/0xf0 fs/open.c:210
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
------------[ cut here ]------------
WARNING: CPU: 0 PID: 7889 at ./include/linux/rmap.h:216 __folio_rmap_sanity_checks+0x33f/0x590 include/linux/rmap.h:216
Modules linked in:
CPU: 0 UID: 0 PID: 7889 Comm: syz.0.163 Not tainted 6.13.0-rc3-next-20241220-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:__folio_rmap_sanity_checks+0x33f/0x590 include/linux/rmap.h:216
Code: 0f 0b 90 e9 b7 fd ff ff e8 8e cb ab ff 48 ff cb e9 f8 fd ff ff e8 81 cb ab ff 4c 89 e7 48 c7 c6 00 a7 15 8c e8 32 a4 f5 ff 90 <0f> 0b 90 e9 e9 fd ff ff e8 64 cb ab ff 48 ff cb e9 34 fe ff ff e8
RSP: 0018:ffffc90002f26fd8 EFLAGS: 00010246
RAX: 2a0e9269706cf300 RBX: ffffea00014280c0 RCX: ffffc90002f26b03
RDX: 0000000000000005 RSI: ffffffff8c0aaba0 RDI: ffffffff8c5fed00
RBP: 00000000000131bb R08: ffffffff901ab1f7 R09: 1ffffffff203563e
R10: dffffc0000000000 R11: fffffbfff203563f R12: ffffea0001420000
R13: ffffea00014280c0 R14: 0000000000000000 R15: 00000000000001fc
FS:  00007f75ef9f16c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020a56000 CR3: 00000000642f0000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 __folio_add_rmap mm/rmap.c:1170 [inline]
 __folio_add_file_rmap mm/rmap.c:1489 [inline]
 folio_add_file_rmap_ptes+0x82/0x380 mm/rmap.c:1511
 set_pte_range+0x30c/0x750 mm/memory.c:5136
 filemap_map_folio_range mm/filemap.c:3639 [inline]
 filemap_map_pages+0xfbe/0x1900 mm/filemap.c:3748
 do_fault_around mm/memory.c:5351 [inline]
 do_read_fault mm/memory.c:5384 [inline]
 do_fault mm/memory.c:5527 [inline]
 do_pte_missing mm/memory.c:4048 [inline]
 handle_pte_fault+0x3888/0x5ee0 mm/memory.c:5890
 __handle_mm_fault mm/memory.c:6033 [inline]
 handle_mm_fault+0x11f5/0x1d50 mm/memory.c:6202
 faultin_page mm/gup.c:1196 [inline]
 __get_user_pages+0x1a92/0x4140 mm/gup.c:1491
 populate_vma_page_range+0x264/0x330 mm/gup.c:1929
 __mm_populate+0x27a/0x460 mm/gup.c:2032
 mm_populate include/linux/mm.h:3400 [inline]
 vm_mmap_pgoff+0x303/0x430 mm/util.c:585
 ksys_mmap_pgoff+0x4eb/0x720 mm/mmap.c:607
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f75eeb85d29
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f75ef9f1038 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
RAX: ffffffffffffffda RBX: 00007f75eed76080 RCX: 00007f75eeb85d29
RDX: 0000000000000002 RSI: 0000000000b36000 RDI: 0000000020000000
RBP: 00007f75eec01b08 R08: 0000000000000004 R09: 0000000000000000
R10: 0000000000028011 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f75eed76080 R15: 00007ffd2129f438
 </TASK>


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

Re: [syzbot] [mm?] WARNING in __folio_rmap_sanity_checks (2)

[syzbot]

syzbot has found a reproducer for the following issue on:

HEAD commit:    8155b4ef3466 Add linux-next specific files for 20241220
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1661050f980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=9c90bb7161a56c88
dashboard link: https://syzkaller.appspot.com/bug?extid=c0673e1f1f054fac28c2
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=17438af8580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=101006df980000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/98a974fc662d/disk-8155b4ef.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/2dea9b72f624/vmlinux-8155b4ef.xz
kernel image: https://storage.googleapis.com/syzbot-assets/593a42b9eb34/bzImage-8155b4ef.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/5f780361c9ef/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c0673e1f1f054fac28c2@syzkaller.appspotmail.com

 xfs_vn_setattr+0x25d/0x320 fs/xfs/xfs_iops.c:1065
 notify_change+0xbca/0xe90 fs/attr.c:552
 do_truncate+0x220/0x310 fs/open.c:65
 do_ftruncate+0x4a1/0x540 fs/open.c:192
 do_sys_ftruncate fs/open.c:207 [inline]
 __do_sys_ftruncate fs/open.c:212 [inline]
 __se_sys_ftruncate fs/open.c:210 [inline]
 __x64_sys_ftruncate+0x94/0xf0 fs/open.c:210
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
------------[ cut here ]------------
WARNING: CPU: 1 PID: 11276 at ./include/linux/rmap.h:217 __folio_rmap_sanity_checks+0x369/0x590 include/linux/rmap.h:217
Modules linked in:
CPU: 1 UID: 0 PID: 11276 Comm: syz-executor139 Not tainted 6.13.0-rc3-next-20241220-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:__folio_rmap_sanity_checks+0x369/0x590 include/linux/rmap.h:217
Code: 0f 0b 90 e9 e9 fd ff ff e8 64 cb ab ff 48 ff cb e9 34 fe ff ff e8 57 cb ab ff 4c 89 e7 48 c7 c6 e0 a7 15 8c e8 08 a4 f5 ff 90 <0f> 0b 90 e9 25 fe ff ff e8 3a cb ab ff 4c 89 e7 48 c7 c6 40 a9 15
RSP: 0018:ffffc9000e67efd8 EFLAGS: 00010246
RAX: 8577b516ce8a9400 RBX: ffffea0001a58080 RCX: ffffc9000e67eb03
RDX: 0000000000000005 RSI: ffffffff8c0aaba0 RDI: ffffffff8c5fed00
RBP: 00000000000024c0 R08: ffffffff901ab1f7 R09: 1ffffffff203563e
R10: dffffc0000000000 R11: fffffbfff203563f R12: ffffea0001a50000
R13: ffffea0001a55c00 R14: 0000000000000000 R15: 0000000000000093
FS:  00007f885c85f6c0(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f88545b7000 CR3: 000000007fea2000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 __folio_add_rmap mm/rmap.c:1170 [inline]
 __folio_add_file_rmap mm/rmap.c:1489 [inline]
 folio_add_file_rmap_ptes+0x82/0x380 mm/rmap.c:1511
 set_pte_range+0x30c/0x750 mm/memory.c:5136
 filemap_map_folio_range mm/filemap.c:3639 [inline]
 filemap_map_pages+0xfbe/0x1900 mm/filemap.c:3748
 do_fault_around mm/memory.c:5351 [inline]
 do_read_fault mm/memory.c:5384 [inline]
 do_fault mm/memory.c:5527 [inline]
 do_pte_missing mm/memory.c:4048 [inline]
 handle_pte_fault+0x3888/0x5ee0 mm/memory.c:5890
 __handle_mm_fault mm/memory.c:6033 [inline]
 handle_mm_fault+0x11f5/0x1d50 mm/memory.c:6202
 faultin_page mm/gup.c:1196 [inline]
 __get_user_pages+0x1a92/0x4140 mm/gup.c:1491
 populate_vma_page_range+0x264/0x330 mm/gup.c:1929
 __mm_populate+0x27a/0x460 mm/gup.c:2032
 mm_populate include/linux/mm.h:3400 [inline]
 vm_mmap_pgoff+0x303/0x430 mm/util.c:585
 ksys_mmap_pgoff+0x4eb/0x720 mm/mmap.c:607
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f885c8d20f9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 41 1d 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f885c85f208 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
RAX: ffffffffffffffda RBX: 00007f885c95c6d8 RCX: 00007f885c8d20f9
RDX: 0000000000000002 RSI: 0000000000b36000 RDI: 0000000020000000
RBP: 00007f885c95c6d0 R08: 0000000000000004 R09: 0000000000000000
R10: 0000000000028011 R11: 0000000000000246 R12: 00007f885c928908
R13: 00746e6572727563 R14: 632e79726f6d656d R15: 6d766b2f7665642f
 </TASK>


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

Re: [syzbot] [mm?] WARNING in __folio_rmap_sanity_checks (2)

[Hillf Danton]

On Fri, 27 Dec 2024 20:56:21 -0800
> syzbot has found a reproducer for the following issue on:
> 
> HEAD commit:    8155b4ef3466 Add linux-next specific files for 20241220
> git tree:       linux-next
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1652fadf980000

#syz test

--- x/mm/filemap.c
+++ y/mm/filemap.c
@@ -3636,6 +3636,10 @@ static vm_fault_t filemap_map_folio_rang
 		continue;
 skip:
 		if (count) {
+			for (unsigned int i = 0; i < count; i++) {
+				if (page_folio(page + i) != folio)
+					goto out;
+			}
 			set_pte_range(vmf, folio, page, count, addr);
 			*rss += count;
 			folio_ref_add(folio, count);
@@ -3658,6 +3662,7 @@ skip:
 			ret = VM_FAULT_NOPAGE;
 	}
 
+out:
 	vmf->pte = old_ptep;
 
 	return ret;
@@ -3702,7 +3707,7 @@ vm_fault_t filemap_map_pages(struct vm_f
 	struct file *file = vma->vm_file;
 	struct address_space *mapping = file->f_mapping;
 	pgoff_t file_end, last_pgoff = start_pgoff;
-	unsigned long addr;
+	unsigned long addr, pmd_end;
 	XA_STATE(xas, &mapping->i_pages, start_pgoff);
 	struct folio *folio;
 	vm_fault_t ret = 0;
@@ -3731,6 +3736,12 @@ vm_fault_t filemap_map_pages(struct vm_f
 	if (end_pgoff > file_end)
 		end_pgoff = file_end;
 
+	/* make vmf->pte[x] valid */
+	pmd_end = ALIGN(addr, PMD_SIZE);
+	pmd_end = (pmd_end - addr) >> PAGE_SHIFT;
+	if (end_pgoff - start_pgoff > pmd_end)
+		end_pgoff = start_pgoff + pmd_end;
+
 	folio_type = mm_counter_file(folio);
 	do {
 		unsigned long end;
--

Re: [syzbot] [mm?] WARNING in __folio_rmap_sanity_checks (2)

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+c0673e1f1f054fac28c2@syzkaller.appspotmail.com
Tested-by: syzbot+c0673e1f1f054fac28c2@syzkaller.appspotmail.com

Tested on:

commit:         8155b4ef Add linux-next specific files for 20241220
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=175f88b0580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=9c90bb7161a56c88
dashboard link: https://syzkaller.appspot.com/bug?extid=c0673e1f1f054fac28c2
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=178ee6df980000

Note: testing is done by a robot and is best-effort only.

Re: [syzbot] [mm?] WARNING in __folio_rmap_sanity_checks (2)

[David Hildenbrand]

On 28.12.24 13:25, syzbot wrote:
> syzbot has found a reproducer for the following issue on:
> 
> HEAD commit:    8155b4ef3466 Add linux-next specific files for 20241220
> git tree:       linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=1661050f980000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=9c90bb7161a56c88
> dashboard link: https://syzkaller.appspot.com/bug?extid=c0673e1f1f054fac28c2
> compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=17438af8580000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=101006df980000
> 
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/98a974fc662d/disk-8155b4ef.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/2dea9b72f624/vmlinux-8155b4ef.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/593a42b9eb34/bzImage-8155b4ef.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/5f780361c9ef/mount_0.gz
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+c0673e1f1f054fac28c2@syzkaller.appspotmail.com
> 
>   xfs_vn_setattr+0x25d/0x320 fs/xfs/xfs_iops.c:1065
>   notify_change+0xbca/0xe90 fs/attr.c:552
>   do_truncate+0x220/0x310 fs/open.c:65
>   do_ftruncate+0x4a1/0x540 fs/open.c:192
>   do_sys_ftruncate fs/open.c:207 [inline]
>   __do_sys_ftruncate fs/open.c:212 [inline]
>   __se_sys_ftruncate fs/open.c:210 [inline]
>   __x64_sys_ftruncate+0x94/0xf0 fs/open.c:210
>   do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>   do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
>   entry_SYSCALL_64_after_hwframe+0x77/0x7f
> ------------[ cut here ]------------
> WARNING: CPU: 1 PID: 11276 at ./include/linux/rmap.h:217 __folio_rmap_sanity_checks+0x369/0x590 include/linux/rmap.h:217
> Modules linked in:
> CPU: 1 UID: 0 PID: 11276 Comm: syz-executor139 Not tainted 6.13.0-rc3-next-20241220-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
> RIP: 0010:__folio_rmap_sanity_checks+0x369/0x590 include/linux/rmap.h:217
> Code: 0f 0b 90 e9 e9 fd ff ff e8 64 cb ab ff 48 ff cb e9 34 fe ff ff e8 57 cb ab ff 4c 89 e7 48 c7 c6 e0 a7 15 8c e8 08 a4 f5 ff 90 <0f> 0b 90 e9 25 fe ff ff e8 3a cb ab ff 4c 89 e7 48 c7 c6 40 a9 15
> RSP: 0018:ffffc9000e67efd8 EFLAGS: 00010246
> RAX: 8577b516ce8a9400 RBX: ffffea0001a58080 RCX: ffffc9000e67eb03
> RDX: 0000000000000005 RSI: ffffffff8c0aaba0 RDI: ffffffff8c5fed00
> RBP: 00000000000024c0 R08: ffffffff901ab1f7 R09: 1ffffffff203563e
> R10: dffffc0000000000 R11: fffffbfff203563f R12: ffffea0001a50000
> R13: ffffea0001a55c00 R14: 0000000000000000 R15: 0000000000000093
> FS:  00007f885c85f6c0(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007f88545b7000 CR3: 000000007fea2000 CR4: 00000000003526f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
>   <TASK>
>   __folio_add_rmap mm/rmap.c:1170 [inline]
>   __folio_add_file_rmap mm/rmap.c:1489 [inline]
>   folio_add_file_rmap_ptes+0x82/0x380 mm/rmap.c:1511
>   set_pte_range+0x30c/0x750 mm/memory.c:5136

If I would have to guess, I would assume that we have a refcount issue 
such that we succeed in splitting a folio while concurrently mapping it.

-- 
Cheers,

David / dhildenb

Re: [syzbot] [mm?] WARNING in __folio_rmap_sanity_checks (2)

[Matthew Wilcox]

On Fri, Jan 10, 2025 at 04:48:03PM +0100, David Hildenbrand wrote:
> On 28.12.24 13:25, syzbot wrote:
> > syzbot has found a reproducer for the following issue on:
> > 
> > HEAD commit:    8155b4ef3466 Add linux-next specific files for 20241220
> > git tree:       linux-next
> > console output: https://syzkaller.appspot.com/x/log.txt?x=1661050f980000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=9c90bb7161a56c88
> > dashboard link: https://syzkaller.appspot.com/bug?extid=c0673e1f1f054fac28c2
> > compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=17438af8580000
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=101006df980000
> > 
> > Downloadable assets:
> > disk image: https://storage.googleapis.com/syzbot-assets/98a974fc662d/disk-8155b4ef.raw.xz
> > vmlinux: https://storage.googleapis.com/syzbot-assets/2dea9b72f624/vmlinux-8155b4ef.xz
> > kernel image: https://storage.googleapis.com/syzbot-assets/593a42b9eb34/bzImage-8155b4ef.xz
> > mounted in repro: https://storage.googleapis.com/syzbot-assets/5f780361c9ef/mount_0.gz
> > 
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+c0673e1f1f054fac28c2@syzkaller.appspotmail.com
> > 
> >   xfs_vn_setattr+0x25d/0x320 fs/xfs/xfs_iops.c:1065
> >   notify_change+0xbca/0xe90 fs/attr.c:552
> >   do_truncate+0x220/0x310 fs/open.c:65
> >   do_ftruncate+0x4a1/0x540 fs/open.c:192
> >   do_sys_ftruncate fs/open.c:207 [inline]
> >   __do_sys_ftruncate fs/open.c:212 [inline]
> >   __se_sys_ftruncate fs/open.c:210 [inline]
> >   __x64_sys_ftruncate+0x94/0xf0 fs/open.c:210
> >   do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> >   do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
> >   entry_SYSCALL_64_after_hwframe+0x77/0x7f
> > ------------[ cut here ]------------
> > WARNING: CPU: 1 PID: 11276 at ./include/linux/rmap.h:217 __folio_rmap_sanity_checks+0x369/0x590 include/linux/rmap.h:217
> > Modules linked in:
> > CPU: 1 UID: 0 PID: 11276 Comm: syz-executor139 Not tainted 6.13.0-rc3-next-20241220-syzkaller #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
> > RIP: 0010:__folio_rmap_sanity_checks+0x369/0x590 include/linux/rmap.h:217
> > Code: 0f 0b 90 e9 e9 fd ff ff e8 64 cb ab ff 48 ff cb e9 34 fe ff ff e8 57 cb ab ff 4c 89 e7 48 c7 c6 e0 a7 15 8c e8 08 a4 f5 ff 90 <0f> 0b 90 e9 25 fe ff ff e8 3a cb ab ff 4c 89 e7 48 c7 c6 40 a9 15
> > RSP: 0018:ffffc9000e67efd8 EFLAGS: 00010246
> > RAX: 8577b516ce8a9400 RBX: ffffea0001a58080 RCX: ffffc9000e67eb03
> > RDX: 0000000000000005 RSI: ffffffff8c0aaba0 RDI: ffffffff8c5fed00
> > RBP: 00000000000024c0 R08: ffffffff901ab1f7 R09: 1ffffffff203563e
> > R10: dffffc0000000000 R11: fffffbfff203563f R12: ffffea0001a50000
> > R13: ffffea0001a55c00 R14: 0000000000000000 R15: 0000000000000093
> > FS:  00007f885c85f6c0(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
> > CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > CR2: 00007f88545b7000 CR3: 000000007fea2000 CR4: 00000000003526f0
> > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> > Call Trace:
> >   <TASK>
> >   __folio_add_rmap mm/rmap.c:1170 [inline]
> >   __folio_add_file_rmap mm/rmap.c:1489 [inline]
> >   folio_add_file_rmap_ptes+0x82/0x380 mm/rmap.c:1511
> >   set_pte_range+0x30c/0x750 mm/memory.c:5136
> 
> If I would have to guess, I would assume that we have a refcount issue such
> that we succeed in splitting a folio while concurrently mapping it.

That would seem hard to accomplish, because both hold the folio lock,
so it wouldn't be just a refcount bug but also a locking bug.  Not sure
what this is though.

Re: [syzbot] [mm?] WARNING in __folio_rmap_sanity_checks (2)

[David Hildenbrand]

On 10.01.25 17:14, Matthew Wilcox wrote:
> On Fri, Jan 10, 2025 at 04:48:03PM +0100, David Hildenbrand wrote:
>> On 28.12.24 13:25, syzbot wrote:
>>> syzbot has found a reproducer for the following issue on:
>>>
>>> HEAD commit:    8155b4ef3466 Add linux-next specific files for 20241220
>>> git tree:       linux-next
>>> console output: https://syzkaller.appspot.com/x/log.txt?x=1661050f980000
>>> kernel config:  https://syzkaller.appspot.com/x/.config?x=9c90bb7161a56c88
>>> dashboard link: https://syzkaller.appspot.com/bug?extid=c0673e1f1f054fac28c2
>>> compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
>>> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=17438af8580000
>>> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=101006df980000
>>>
>>> Downloadable assets:
>>> disk image: https://storage.googleapis.com/syzbot-assets/98a974fc662d/disk-8155b4ef.raw.xz
>>> vmlinux: https://storage.googleapis.com/syzbot-assets/2dea9b72f624/vmlinux-8155b4ef.xz
>>> kernel image: https://storage.googleapis.com/syzbot-assets/593a42b9eb34/bzImage-8155b4ef.xz
>>> mounted in repro: https://storage.googleapis.com/syzbot-assets/5f780361c9ef/mount_0.gz
>>>
>>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
>>> Reported-by: syzbot+c0673e1f1f054fac28c2@syzkaller.appspotmail.com
>>>
>>>    xfs_vn_setattr+0x25d/0x320 fs/xfs/xfs_iops.c:1065
>>>    notify_change+0xbca/0xe90 fs/attr.c:552
>>>    do_truncate+0x220/0x310 fs/open.c:65
>>>    do_ftruncate+0x4a1/0x540 fs/open.c:192
>>>    do_sys_ftruncate fs/open.c:207 [inline]
>>>    __do_sys_ftruncate fs/open.c:212 [inline]
>>>    __se_sys_ftruncate fs/open.c:210 [inline]
>>>    __x64_sys_ftruncate+0x94/0xf0 fs/open.c:210
>>>    do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>>>    do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
>>>    entry_SYSCALL_64_after_hwframe+0x77/0x7f
>>> ------------[ cut here ]------------
>>> WARNING: CPU: 1 PID: 11276 at ./include/linux/rmap.h:217 __folio_rmap_sanity_checks+0x369/0x590 include/linux/rmap.h:217
>>> Modules linked in:
>>> CPU: 1 UID: 0 PID: 11276 Comm: syz-executor139 Not tainted 6.13.0-rc3-next-20241220-syzkaller #0
>>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
>>> RIP: 0010:__folio_rmap_sanity_checks+0x369/0x590 include/linux/rmap.h:217
>>> Code: 0f 0b 90 e9 e9 fd ff ff e8 64 cb ab ff 48 ff cb e9 34 fe ff ff e8 57 cb ab ff 4c 89 e7 48 c7 c6 e0 a7 15 8c e8 08 a4 f5 ff 90 <0f> 0b 90 e9 25 fe ff ff e8 3a cb ab ff 4c 89 e7 48 c7 c6 40 a9 15
>>> RSP: 0018:ffffc9000e67efd8 EFLAGS: 00010246
>>> RAX: 8577b516ce8a9400 RBX: ffffea0001a58080 RCX: ffffc9000e67eb03
>>> RDX: 0000000000000005 RSI: ffffffff8c0aaba0 RDI: ffffffff8c5fed00
>>> RBP: 00000000000024c0 R08: ffffffff901ab1f7 R09: 1ffffffff203563e
>>> R10: dffffc0000000000 R11: fffffbfff203563f R12: ffffea0001a50000
>>> R13: ffffea0001a55c00 R14: 0000000000000000 R15: 0000000000000093
>>> FS:  00007f885c85f6c0(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
>>> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>>> CR2: 00007f88545b7000 CR3: 000000007fea2000 CR4: 00000000003526f0
>>> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
>>> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
>>> Call Trace:
>>>    <TASK>
>>>    __folio_add_rmap mm/rmap.c:1170 [inline]
>>>    __folio_add_file_rmap mm/rmap.c:1489 [inline]
>>>    folio_add_file_rmap_ptes+0x82/0x380 mm/rmap.c:1511
>>>    set_pte_range+0x30c/0x750 mm/memory.c:5136
>>
>> If I would have to guess, I would assume that we have a refcount issue such
>> that we succeed in splitting a folio while concurrently mapping it.
> 
> That would seem hard to accomplish, because both hold the folio lock,
> so it wouldn't be just a refcount bug but also a locking bug.  Not sure
> what this is though.

Yeah, but we also have

https://lkml.kernel.org/r/6774bf44.050a0220.25abdd.098a.GAE@google.com

-- 
Cheers,

David / dhildenb

Re: [syzbot] [mm?] WARNING in __folio_rmap_sanity_checks (2)

[Matthew Wilcox]

On Fri, Jan 10, 2025 at 05:19:54PM +0100, David Hildenbrand wrote:
> On 10.01.25 17:14, Matthew Wilcox wrote:
> > On Fri, Jan 10, 2025 at 04:48:03PM +0100, David Hildenbrand wrote:
> > > If I would have to guess, I would assume that we have a refcount issue such
> > > that we succeed in splitting a folio while concurrently mapping it.
> > 
> > That would seem hard to accomplish, because both hold the folio lock,
> > so it wouldn't be just a refcount bug but also a locking bug.  Not sure
> > what this is though.
> 
> Yeah, but we also have
> 
> https://lkml.kernel.org/r/6774bf44.050a0220.25abdd.098a.GAE@google.com

That one is a UAF on the vma, so it's either a different issue, or the
problem is with the VMA refcount/lookup/..., not the folio refcount.
cc'ing the relevant maintainers.

Re: [syzbot] [mm?] WARNING in __folio_rmap_sanity_checks (2)

[David Hildenbrand]

On 10.01.25 17:27, Matthew Wilcox wrote:
> On Fri, Jan 10, 2025 at 05:19:54PM +0100, David Hildenbrand wrote:
>> On 10.01.25 17:14, Matthew Wilcox wrote:
>>> On Fri, Jan 10, 2025 at 04:48:03PM +0100, David Hildenbrand wrote:
>>>> If I would have to guess, I would assume that we have a refcount issue such
>>>> that we succeed in splitting a folio while concurrently mapping it.
>>>
>>> That would seem hard to accomplish, because both hold the folio lock,
>>> so it wouldn't be just a refcount bug but also a locking bug.  Not sure
>>> what this is though.
>>
>> Yeah, but we also have
>>
>> https://lkml.kernel.org/r/6774bf44.050a0220.25abdd.098a.GAE@google.com
> 
> That one is a UAF on the vma, so it's either a different issue, or the
> problem is with the VMA refcount/lookup/..., not the folio refcount.
> cc'ing the relevant maintainers.

Agreed, it's all a bit confusing.

-- 
Cheers,

David / dhildenb

Re: [syzbot] [mm?] WARNING in __folio_rmap_sanity_checks (2)

[David Hildenbrand]

On 31.12.24 09:41, Hillf Danton wrote:
> On Fri, 27 Dec 2024 20:56:21 -0800
>> syzbot has found a reproducer for the following issue on:
>>
>> HEAD commit:    8155b4ef3466 Add linux-next specific files for 20241220
>> git tree:       linux-next
>> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1652fadf980000
> 
> #syz test
> 
> --- x/mm/filemap.c
> +++ y/mm/filemap.c
> @@ -3636,6 +3636,10 @@ static vm_fault_t filemap_map_folio_rang
>   		continue;
>   skip:
>   		if (count) {
> +			for (unsigned int i = 0; i < count; i++) {
> +				if (page_folio(page + i) != folio)
> +					goto out;
> +			}

IIRC, count <= nr_pages. Wouldn't that mean that we somehow pass in 
nr_pages that already exceeds the given folio+start?

When I last looked at this, I was not able to spot the error in the 
caller :(

>   			set_pte_range(vmf, folio, page, count, addr);
>   			*rss += count;
>   			folio_ref_add(folio, count);
> @@ -3658,6 +3662,7 @@ skip:
>   			ret = VM_FAULT_NOPAGE;
>   	}
>   
> +out:
>   	vmf->pte = old_ptep;
>   
>   	return ret;
> @@ -3702,7 +3707,7 @@ vm_fault_t filemap_map_pages(struct vm_f
>   	struct file *file = vma->vm_file;
>   	struct address_space *mapping = file->f_mapping;
>   	pgoff_t file_end, last_pgoff = start_pgoff;
> -	unsigned long addr;
> +	unsigned long addr, pmd_end;
>   	XA_STATE(xas, &mapping->i_pages, start_pgoff);
>   	struct folio *folio;
>   	vm_fault_t ret = 0;
> @@ -3731,6 +3736,12 @@ vm_fault_t filemap_map_pages(struct vm_f
>   	if (end_pgoff > file_end)
>   		end_pgoff = file_end;
>   
> +	/* make vmf->pte[x] valid */
> +	pmd_end = ALIGN(addr, PMD_SIZE);
> +	pmd_end = (pmd_end - addr) >> PAGE_SHIFT;
> +	if (end_pgoff - start_pgoff > pmd_end)
> +		end_pgoff = start_pgoff + pmd_end;
> +

do_fault_around() comments "This way it's easier to guarantee that we 
don't cross page table boundaries."

It does some magic with PTRS_PER_PTE.

You're diff here seems to indicate that this is not the case?

But it's rather surprising that we see these issues pop up just now in 
-next.

-- 
Cheers,

David / dhildenb

Re: [syzbot] [mm?] WARNING in __folio_rmap_sanity_checks (2)

[Liam R. Howlett]

* David Hildenbrand <david@redhat.com> [250110 11:31]:
> On 10.01.25 17:27, Matthew Wilcox wrote:
> > On Fri, Jan 10, 2025 at 05:19:54PM +0100, David Hildenbrand wrote:
> > > On 10.01.25 17:14, Matthew Wilcox wrote:
> > > > On Fri, Jan 10, 2025 at 04:48:03PM +0100, David Hildenbrand wrote:
> > > > > If I would have to guess, I would assume that we have a refcount issue such
> > > > > that we succeed in splitting a folio while concurrently mapping it.
> > > > 
> > > > That would seem hard to accomplish, because both hold the folio lock,
> > > > so it wouldn't be just a refcount bug but also a locking bug.  Not sure
> > > > what this is though.
> > > 
> > > Yeah, but we also have
> > > 
> > > https://lkml.kernel.org/r/6774bf44.050a0220.25abdd.098a.GAE@google.com
> > 
> > That one is a UAF on the vma, so it's either a different issue, or the
> > problem is with the VMA refcount/lookup/..., not the folio refcount.
> > cc'ing the relevant maintainers.
> 
> Agreed, it's all a bit confusing.
> 

This might involve Suren's patch set which changes the locking of the
vmas.

Suren, if you respin and it's not too much trouble can you please make a
git branch with the latest patches for easier review and testing?

Thanks,
Liam

Re: [syzbot] [mm?] WARNING in __folio_rmap_sanity_checks (2)

[Liam R. Howlett]

* syzbot <syzbot+c0673e1f1f054fac28c2@syzkaller.appspotmail.com> [241228 07:25]:
> syzbot has found a reproducer for the following issue on:
> 
> HEAD commit:    8155b4ef3466 Add linux-next specific files for 20241220
> git tree:       linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=1661050f980000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=9c90bb7161a56c88
> dashboard link: https://syzkaller.appspot.com/bug?extid=c0673e1f1f054fac28c2
> compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=17438af8580000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=101006df980000
> 
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/98a974fc662d/disk-8155b4ef.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/2dea9b72f624/vmlinux-8155b4ef.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/593a42b9eb34/bzImage-8155b4ef.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/5f780361c9ef/mount_0.gz
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+c0673e1f1f054fac28c2@syzkaller.appspotmail.com
> 

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm mm-unstable

Re: [syzbot] [mm?] WARNING in __folio_rmap_sanity_checks (2)

[Suren Baghdasaryan]

On Fri, Jan 10, 2025 at 11:56 AM Liam R. Howlett
<Liam.Howlett@oracle.com> wrote:
>
> * David Hildenbrand <david@redhat.com> [250110 11:31]:
> > On 10.01.25 17:27, Matthew Wilcox wrote:
> > > On Fri, Jan 10, 2025 at 05:19:54PM +0100, David Hildenbrand wrote:
> > > > On 10.01.25 17:14, Matthew Wilcox wrote:
> > > > > On Fri, Jan 10, 2025 at 04:48:03PM +0100, David Hildenbrand wrote:
> > > > > > If I would have to guess, I would assume that we have a refcount issue such
> > > > > > that we succeed in splitting a folio while concurrently mapping it.
> > > > >
> > > > > That would seem hard to accomplish, because both hold the folio lock,
> > > > > so it wouldn't be just a refcount bug but also a locking bug.  Not sure
> > > > > what this is though.
> > > >
> > > > Yeah, but we also have
> > > >
> > > > https://lkml.kernel.org/r/6774bf44.050a0220.25abdd.098a.GAE@google.com
> > >
> > > That one is a UAF on the vma, so it's either a different issue, or the
> > > problem is with the VMA refcount/lookup/..., not the folio refcount.
> > > cc'ing the relevant maintainers.
> >
> > Agreed, it's all a bit confusing.
> >
>
> This might involve Suren's patch set which changes the locking of the
> vmas.

Possibly... The patchset in linux-next on Jan 1st was somewhat
different from the latest one.

>
> Suren, if you respin and it's not too much trouble can you please make a
> git branch with the latest patches for easier review and testing?

Ok, I'll see what I can do.
Thanks,
Suren.

>
> Thanks,
> Liam

Re: [syzbot] [mm?] WARNING in __folio_rmap_sanity_checks (2)

[Hillf Danton]

On Fri, 10 Jan 2025 17:35:25 +0100 David Hildenbrand <david@redhat.com>
> On 31.12.24 09:41, Hillf Danton wrote:
> > On Fri, 27 Dec 2024 20:56:21 -0800
> >> syzbot has found a reproducer for the following issue on:
> >>
> >> HEAD commit:    8155b4ef3466 Add linux-next specific files for 20241220
> >> git tree:       linux-next
> >> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1652fadf980000
> > 
> > #syz test
> > 
> > --- x/mm/filemap.c
> > +++ y/mm/filemap.c
> > @@ -3636,6 +3636,10 @@ static vm_fault_t filemap_map_folio_rang
> >   		continue;
> >   skip:
> >   		if (count) {
> > +			for (unsigned int i = 0; i < count; i++) {
> > +				if (page_folio(page + i) != folio)
> > +					goto out;
> > +			}
> 
> IIRC, count <= nr_pages. Wouldn't that mean that we somehow pass in 
> nr_pages that already exceeds the given folio+start?
> 
> When I last looked at this, I was not able to spot the error in the 
> caller :(
> 
This is a debug patch at the first place, and this hunk overlaps with the
next one.
> >   			set_pte_range(vmf, folio, page, count, addr);
> >   			*rss += count;
> >   			folio_ref_add(folio, count);
> > @@ -3658,6 +3662,7 @@ skip:
> >   			ret = VM_FAULT_NOPAGE;
> >   	}
> >   
> > +out:
> >   	vmf->pte = old_ptep;
> >   
> >   	return ret;
> > @@ -3702,7 +3707,7 @@ vm_fault_t filemap_map_pages(struct vm_f
> >   	struct file *file = vma->vm_file;
> >   	struct address_space *mapping = file->f_mapping;
> >   	pgoff_t file_end, last_pgoff = start_pgoff;
> > -	unsigned long addr;
> > +	unsigned long addr, pmd_end;
> >   	XA_STATE(xas, &mapping->i_pages, start_pgoff);
> >   	struct folio *folio;
> >   	vm_fault_t ret = 0;
> > @@ -3731,6 +3736,12 @@ vm_fault_t filemap_map_pages(struct vm_f
> >   	if (end_pgoff > file_end)
> >   		end_pgoff = file_end;
> >   
> > +	/* make vmf->pte[x] valid */
> > +	pmd_end = ALIGN(addr, PMD_SIZE);
> > +	pmd_end = (pmd_end - addr) >> PAGE_SHIFT;
> > +	if (end_pgoff - start_pgoff > pmd_end)
> > +		end_pgoff = start_pgoff + pmd_end;
> > +
> 
> do_fault_around() comments "This way it's easier to guarantee that we 
> don't cross page table boundaries."
> 
> It does some magic with PTRS_PER_PTE.
> 
> You're diff here seems to indicate that this is not the case?
> 
> But it's rather surprising that we see these issues pop up just now in 
> -next.
> 
Given double check [1], I am lean to thinking this is a simple OOB issue.

[1] https://lore.kernel.org/all/6774eca1.050a0220.25abdd.09b2.GAE@google.com/

Re: [syzbot] [mm?] WARNING in __folio_rmap_sanity_checks (2)

[Liam R. Howlett]

* Suren Baghdasaryan <surenb@google.com> [250110 16:25]:
> On Fri, Jan 10, 2025 at 11:56 AM Liam R. Howlett
> <Liam.Howlett@oracle.com> wrote:
> >
> > * David Hildenbrand <david@redhat.com> [250110 11:31]:
> > > On 10.01.25 17:27, Matthew Wilcox wrote:
> > > > On Fri, Jan 10, 2025 at 05:19:54PM +0100, David Hildenbrand wrote:
> > > > > On 10.01.25 17:14, Matthew Wilcox wrote:
> > > > > > On Fri, Jan 10, 2025 at 04:48:03PM +0100, David Hildenbrand wrote:
> > > > > > > If I would have to guess, I would assume that we have a refcount issue such
> > > > > > > that we succeed in splitting a folio while concurrently mapping it.
> > > > > >
> > > > > > That would seem hard to accomplish, because both hold the folio lock,
> > > > > > so it wouldn't be just a refcount bug but also a locking bug.  Not sure
> > > > > > what this is though.
> > > > >
> > > > > Yeah, but we also have
> > > > >
> > > > > https://lkml.kernel.org/r/6774bf44.050a0220.25abdd.098a.GAE@google.com
> > > >
> > > > That one is a UAF on the vma, so it's either a different issue, or the
> > > > problem is with the VMA refcount/lookup/..., not the folio refcount.
> > > > cc'ing the relevant maintainers.
> > >
> > > Agreed, it's all a bit confusing.
> > >
> >
> > This might involve Suren's patch set which changes the locking of the
> > vmas.
> 
> Possibly... The patchset in linux-next on Jan 1st was somewhat
> different from the latest one.

Yeah, I asked the bot to retest the latest unstable (which is still
somewhat out of date..).  I suspect it'll be okay now.  We'll see what
it comes back with.

> 
> >
> > Suren, if you respin and it's not too much trouble can you please make a
> > git branch with the latest patches for easier review and testing?
> 
> Ok, I'll see what I can do.

Thanks, I appreciate it.

Regards,
Liam

Re: [syzbot] [mm?] WARNING in __folio_rmap_sanity_checks (2)

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in __folio_rmap_sanity_checks

 do_truncate fs/open.c:65 [inline]
 do_ftruncate+0x462/0x580 fs/open.c:181
 do_sys_ftruncate fs/open.c:196 [inline]
 __do_sys_ftruncate fs/open.c:201 [inline]
 __se_sys_ftruncate fs/open.c:199 [inline]
 __x64_sys_ftruncate+0x94/0xf0 fs/open.c:199
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
------------[ cut here ]------------
WARNING: CPU: 1 PID: 10938 at ./include/linux/rmap.h:216 __folio_rmap_sanity_checks+0x33f/0x590 include/linux/rmap.h:216
Modules linked in:
CPU: 1 UID: 0 PID: 10938 Comm: syz.0.314 Not tainted 6.13.0-rc6-syzkaller-g0703fa3785f1 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:__folio_rmap_sanity_checks+0x33f/0x590 include/linux/rmap.h:216
Code: 0f 0b 90 e9 b7 fd ff ff e8 0e c3 ab ff 48 ff cb e9 f8 fd ff ff e8 01 c3 ab ff 4c 89 e7 48 c7 c6 80 9f 15 8c e8 f2 95 f5 ff 90 <0f> 0b 90 e9 e9 fd ff ff e8 e4 c2 ab ff 48 ff cb e9 34 fe ff ff e8
RSP: 0018:ffffc9000cdff098 EFLAGS: 00010246
RAX: fddae3826e06a400 RBX: ffffea0001450100 RCX: ffffc9000cdfec03
RDX: 0000000000000005 RSI: ffffffff8c0aa1e0 RDI: ffffffff8c5fb3a0
RBP: 000000000001318a R08: ffffffff901988f7 R09: 1ffffffff203311e
R10: dffffc0000000000 R11: fffffbfff203311f R12: ffffea0001438000
R13: ffffea0001450100 R14: 0000000000000000 R15: 0000000000000003
FS:  00007f40ae2076c0(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055558cd15608 CR3: 0000000029cd0000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 __folio_add_rmap mm/rmap.c:1170 [inline]
 __folio_add_file_rmap mm/rmap.c:1489 [inline]
 folio_add_file_rmap_ptes+0x82/0x380 mm/rmap.c:1511
 set_pte_range+0x30c/0x750 mm/memory.c:5134
 filemap_map_folio_range mm/filemap.c:3620 [inline]
 filemap_map_pages+0xfbb/0x1900 mm/filemap.c:3729
 do_fault_around mm/memory.c:5349 [inline]
 do_read_fault mm/memory.c:5382 [inline]
 do_fault mm/memory.c:5525 [inline]
 do_pte_missing mm/memory.c:4046 [inline]
 handle_pte_fault mm/memory.c:5870 [inline]
 __handle_mm_fault+0x3f4e/0x6ee0 mm/memory.c:6013
 handle_mm_fault+0x3e2/0x8c0 mm/memory.c:6182
 faultin_page mm/gup.c:1196 [inline]
 __get_user_pages+0x1a8f/0x4140 mm/gup.c:1491
 populate_vma_page_range+0x264/0x330 mm/gup.c:1929
 __mm_populate+0x27a/0x460 mm/gup.c:2032
 mm_populate include/linux/mm.h:3470 [inline]
 vm_mmap_pgoff+0x303/0x430 mm/util.c:580
 ksys_mmap_pgoff+0x4eb/0x720 mm/mmap.c:607
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f40ad385d29
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f40ae207038 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
RAX: ffffffffffffffda RBX: 00007f40ad576080 RCX: 00007f40ad385d29
RDX: 0000000000000002 RSI: 0000000000b36000 RDI: 0000000020000000
RBP: 00007f40ad401b08 R08: 0000000000000004 R09: 0000000000000000
R10: 0000000000028011 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f40ad576080 R15: 00007ffe9513a848
 </TASK>


Tested on:

commit:         0703fa37 mm: remove PageTransTail()
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm mm-unstable
console output: https://syzkaller.appspot.com/x/log.txt?x=11a391df980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=9a23460a3770d89c
dashboard link: https://syzkaller.appspot.com/bug?extid=c0673e1f1f054fac28c2
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

Note: no patches were applied.

Re: [syzbot] [mm?] WARNING in __folio_rmap_sanity_checks (2)

[David Hildenbrand]

On 10.01.25 22:03, Liam R. Howlett wrote:
> * syzbot <syzbot+c0673e1f1f054fac28c2@syzkaller.appspotmail.com> [241228 07:25]:
>> syzbot has found a reproducer for the following issue on:
>>
>> HEAD commit:    8155b4ef3466 Add linux-next specific files for 20241220
>> git tree:       linux-next
>> console output: https://syzkaller.appspot.com/x/log.txt?x=1661050f980000
>> kernel config:  https://syzkaller.appspot.com/x/.config?x=9c90bb7161a56c88
>> dashboard link: https://syzkaller.appspot.com/bug?extid=c0673e1f1f054fac28c2
>> compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
>> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=17438af8580000
>> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=101006df980000
>>
>> Downloadable assets:
>> disk image: https://storage.googleapis.com/syzbot-assets/98a974fc662d/disk-8155b4ef.raw.xz
>> vmlinux: https://storage.googleapis.com/syzbot-assets/2dea9b72f624/vmlinux-8155b4ef.xz
>> kernel image: https://storage.googleapis.com/syzbot-assets/593a42b9eb34/bzImage-8155b4ef.xz
>> mounted in repro: https://storage.googleapis.com/syzbot-assets/5f780361c9ef/mount_0.gz
>>
>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
>> Reported-by: syzbot+c0673e1f1f054fac28c2@syzkaller.appspotmail.com
>>
> 
> #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm mm-unstable
> 

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm mm-stable

-- 
Cheers,

David / dhildenb

Re: [syzbot] [mm?] WARNING in __folio_rmap_sanity_checks (2)

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in __folio_rmap_sanity_checks

page last free pid 7533 tgid 7532 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1127 [inline]
 free_unref_folios+0xe39/0x18b0 mm/page_alloc.c:2706
 folios_put_refs+0x76c/0x860 mm/swap.c:962
 folio_batch_release include/linux/pagevec.h:101 [inline]
 truncate_inode_pages_range+0x460/0x10e0 mm/truncate.c:330
 iomap_write_failed fs/iomap/buffered-io.c:668 [inline]
 iomap_write_iter fs/iomap/buffered-io.c:999 [inline]
 iomap_file_buffered_write+0xca5/0x11c0 fs/iomap/buffered-io.c:1039
 xfs_file_buffered_write+0x2de/0xac0 fs/xfs/xfs_file.c:792
 new_sync_write fs/read_write.c:586 [inline]
 vfs_write+0xaeb/0xd30 fs/read_write.c:679
 ksys_write+0x18f/0x2b0 fs/read_write.c:731
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
------------[ cut here ]------------
WARNING: CPU: 0 PID: 7538 at ./include/linux/rmap.h:216 __folio_rmap_sanity_checks+0x33f/0x590 include/linux/rmap.h:216
Modules linked in:
CPU: 0 UID: 0 PID: 7538 Comm: syz.1.57 Not tainted 6.13.0-rc6-syzkaller-gcd6313beaeae #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:__folio_rmap_sanity_checks+0x33f/0x590 include/linux/rmap.h:216
Code: 0f 0b 90 e9 b7 fd ff ff e8 ee af ab ff 48 ff cb e9 f8 fd ff ff e8 e1 af ab ff 4c 89 e7 48 c7 c6 c0 9c 15 8c e8 82 6f f5 ff 90 <0f> 0b 90 e9 e9 fd ff ff e8 c4 af ab ff 48 ff cb e9 34 fe ff ff e8
RSP: 0018:ffffc9000c38efd8 EFLAGS: 00010246
RAX: f8a45fcd41963a00 RBX: ffffea00014f8000 RCX: ffffc9000c38eb03
RDX: 0000000000000005 RSI: ffffffff8c0aa3e0 RDI: ffffffff8c5fa860
RBP: 0000000000013186 R08: ffffffff901978b7 R09: 1ffffffff2032f16
R10: dffffc0000000000 R11: fffffbfff2032f17 R12: ffffea00014f0000
R13: ffffea00014f8080 R14: 0000000000000000 R15: 0000000000000002
FS:  00007f14451f96c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000140 CR3: 0000000073716000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 __folio_add_rmap mm/rmap.c:1170 [inline]
 __folio_add_file_rmap mm/rmap.c:1489 [inline]
 folio_add_file_rmap_ptes+0x82/0x380 mm/rmap.c:1511
 set_pte_range+0x30c/0x750 mm/memory.c:5065
 filemap_map_folio_range mm/filemap.c:3563 [inline]
 filemap_map_pages+0xfbe/0x1900 mm/filemap.c:3672
 do_fault_around mm/memory.c:5280 [inline]
 do_read_fault mm/memory.c:5313 [inline]
 do_fault mm/memory.c:5456 [inline]
 do_pte_missing mm/memory.c:3979 [inline]
 handle_pte_fault+0x3888/0x5ed0 mm/memory.c:5801
 __handle_mm_fault mm/memory.c:5944 [inline]
 handle_mm_fault+0x1106/0x1bb0 mm/memory.c:6112
 faultin_page mm/gup.c:1196 [inline]
 __get_user_pages+0x1c82/0x49e0 mm/gup.c:1494
 populate_vma_page_range+0x264/0x330 mm/gup.c:1932
 __mm_populate+0x27a/0x460 mm/gup.c:2035
 mm_populate include/linux/mm.h:3397 [inline]
 vm_mmap_pgoff+0x2c3/0x3d0 mm/util.c:580
 ksys_mmap_pgoff+0x4eb/0x720 mm/mmap.c:546
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f1445385d29
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f14451f9038 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
RAX: ffffffffffffffda RBX: 00007f1445575fa0 RCX: 00007f1445385d29
RDX: 0000000000000002 RSI: 0000000000b36000 RDI: 0000000020000000
RBP: 00007f1445401b08 R08: 0000000000000004 R09: 0000000000000000
R10: 0000000000028011 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f1445575fa0 R15: 00007ffe4c3a7978
 </TASK>


Tested on:

commit:         cd6313be Revert "vmstat: disable vmstat_work on vmstat..
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm mm-stable
console output: https://syzkaller.appspot.com/x/log.txt?x=10b34bc4580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=d18955ff6936aa88
dashboard link: https://syzkaller.appspot.com/bug?extid=c0673e1f1f054fac28c2
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

Note: no patches were applied.

Re: [syzbot] [mm?] WARNING in __folio_rmap_sanity_checks (2)

[David Hildenbrand]

On 11.01.25 02:00, Hillf Danton wrote:
> On Fri, 10 Jan 2025 17:35:25 +0100 David Hildenbrand <david@redhat.com>
>> On 31.12.24 09:41, Hillf Danton wrote:
>>> On Fri, 27 Dec 2024 20:56:21 -0800
>>>> syzbot has found a reproducer for the following issue on:
>>>>
>>>> HEAD commit:    8155b4ef3466 Add linux-next specific files for 20241220
>>>> git tree:       linux-next
>>>> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1652fadf980000
>>>
>>> #syz test
>>>
>>> --- x/mm/filemap.c
>>> +++ y/mm/filemap.c
>>> @@ -3636,6 +3636,10 @@ static vm_fault_t filemap_map_folio_rang
>>>    		continue;
>>>    skip:
>>>    		if (count) {
>>> +			for (unsigned int i = 0; i < count; i++) {
>>> +				if (page_folio(page + i) != folio)
>>> +					goto out;
>>> +			}
>>
>> IIRC, count <= nr_pages. Wouldn't that mean that we somehow pass in
>> nr_pages that already exceeds the given folio+start?
>>
>> When I last looked at this, I was not able to spot the error in the
>> caller :(
>>
> This is a debug patch at the first place, and this hunk overlaps with the
> next one.

Yeah, I was rather wondering if you had any clue why that hunk might 
help on its own.

-- 
Cheers,

David / dhildenb

Re: [syzbot] [mm?] WARNING in __folio_rmap_sanity_checks (2)

[David Hildenbrand]

On 11.01.25 10:54, syzbot wrote:
> Hello,
> 
> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> WARNING in __folio_rmap_sanity_checks
> 
> page last free pid 7533 tgid 7532 stack trace:
>   reset_page_owner include/linux/page_owner.h:25 [inline]
>   free_pages_prepare mm/page_alloc.c:1127 [inline]
>   free_unref_folios+0xe39/0x18b0 mm/page_alloc.c:2706
>   folios_put_refs+0x76c/0x860 mm/swap.c:962
>   folio_batch_release include/linux/pagevec.h:101 [inline]
>   truncate_inode_pages_range+0x460/0x10e0 mm/truncate.c:330
>   iomap_write_failed fs/iomap/buffered-io.c:668 [inline]
>   iomap_write_iter fs/iomap/buffered-io.c:999 [inline]
>   iomap_file_buffered_write+0xca5/0x11c0 fs/iomap/buffered-io.c:1039
>   xfs_file_buffered_write+0x2de/0xac0 fs/xfs/xfs_file.c:792
>   new_sync_write fs/read_write.c:586 [inline]
>   vfs_write+0xaeb/0xd30 fs/read_write.c:679
>   ksys_write+0x18f/0x2b0 fs/read_write.c:731
>   do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>   do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
>   entry_SYSCALL_64_after_hwframe+0x77/0x7f
> ------------[ cut here ]------------
> WARNING: CPU: 0 PID: 7538 at ./include/linux/rmap.h:216 __folio_rmap_sanity_checks+0x33f/0x590 include/linux/rmap.h:216
> Modules linked in:
> CPU: 0 UID: 0 PID: 7538 Comm: syz.1.57 Not tainted 6.13.0-rc6-syzkaller-gcd6313beaeae #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
> RIP: 0010:__folio_rmap_sanity_checks+0x33f/0x590 include/linux/rmap.h:216
> Code: 0f 0b 90 e9 b7 fd ff ff e8 ee af ab ff 48 ff cb e9 f8 fd ff ff e8 e1 af ab ff 4c 89 e7 48 c7 c6 c0 9c 15 8c e8 82 6f f5 ff 90 <0f> 0b 90 e9 e9 fd ff ff e8 c4 af ab ff 48 ff cb e9 34 fe ff ff e8
> RSP: 0018:ffffc9000c38efd8 EFLAGS: 00010246
> RAX: f8a45fcd41963a00 RBX: ffffea00014f8000 RCX: ffffc9000c38eb03
> RDX: 0000000000000005 RSI: ffffffff8c0aa3e0 RDI: ffffffff8c5fa860
> RBP: 0000000000013186 R08: ffffffff901978b7 R09: 1ffffffff2032f16
> R10: dffffc0000000000 R11: fffffbfff2032f17 R12: ffffea00014f0000
> R13: ffffea00014f8080 R14: 0000000000000000 R15: 0000000000000002
> FS:  00007f14451f96c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000020000140 CR3: 0000000073716000 CR4: 00000000003526f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
>   <TASK>
>   __folio_add_rmap mm/rmap.c:1170 [inline]
>   __folio_add_file_rmap mm/rmap.c:1489 [inline]
>   folio_add_file_rmap_ptes+0x82/0x380 mm/rmap.c:1511
>   set_pte_range+0x30c/0x750 mm/memory.c:5065
>   filemap_map_folio_range mm/filemap.c:3563 [inline]
>   filemap_map_pages+0xfbe/0x1900 mm/filemap.c:3672
>   do_fault_around mm/memory.c:5280 [inline]
>   do_read_fault mm/memory.c:5313 [inline]
>   do_fault mm/memory.c:5456 [inline]
>   do_pte_missing mm/memory.c:3979 [inline]
>   handle_pte_fault+0x3888/0x5ed0 mm/memory.c:5801
>   __handle_mm_fault mm/memory.c:5944 [inline]
>   handle_mm_fault+0x1106/0x1bb0 mm/memory.c:6112
>   faultin_page mm/gup.c:1196 [inline]
>   __get_user_pages+0x1c82/0x49e0 mm/gup.c:1494
>   populate_vma_page_range+0x264/0x330 mm/gup.c:1932
>   __mm_populate+0x27a/0x460 mm/gup.c:2035
>   mm_populate include/linux/mm.h:3397 [inline]
>   vm_mmap_pgoff+0x2c3/0x3d0 mm/util.c:580
>   ksys_mmap_pgoff+0x4eb/0x720 mm/mmap.c:546
>   do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>   do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
>   entry_SYSCALL_64_after_hwframe+0x77/0x7f
> RIP: 0033:0x7f1445385d29
> Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007f14451f9038 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
> RAX: ffffffffffffffda RBX: 00007f1445575fa0 RCX: 00007f1445385d29
> RDX: 0000000000000002 RSI: 0000000000b36000 RDI: 0000000020000000
> RBP: 00007f1445401b08 R08: 0000000000000004 R09: 0000000000000000
> R10: 0000000000028011 R11: 0000000000000246 R12: 0000000000000000
> R13: 0000000000000000 R14: 00007f1445575fa0 R15: 00007ffe4c3a7978
>   </TASK>
> 
> 
> Tested on:
> 
> commit:         cd6313be Revert "vmstat: disable vmstat_work on vmstat..
> git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm mm-stable
> console output: https://syzkaller.appspot.com/x/log.txt?x=10b34bc4580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=d18955ff6936aa88
> dashboard link: https://syzkaller.appspot.com/bug?extid=c0673e1f1f054fac28c2
> compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

I tried reproducing it in manually in an x86-64 VM with the provided
config and C reproducer, so far no luck :(

Looking at the reports, we always seem to be dealing with an order-9 (PMD-size) XFS folio
with dentry name(?):"memory.current".

Apparently, we're PTE-mapping that PMD_sized folio.

[  141.392393][ T7538] page: refcount:1025 mapcount:1 mapping:ffff88805b10ba48 index:0x400 pfn:0x53c00
[  141.402708][ T7538] head: order:9 mapcount:512 entire_mapcount:0 nr_pages_mapped:512 pincount:0
[  141.411562][ T7538] memcg:ffff88805b82e000
[  141.415930][ T7538] aops:xfs_address_space_operations ino:42a dentry name(?):"memory.current"
[  141.424695][ T7538] flags: 0xfff5800000027d(locked|referenced|uptodate|dirty|lru|workingset|head|node=0|zone=1|lastcpupid=0x7ff)
[  141.436464][ T7538] raw: 00fff5800000027d ffffea00014d0008 ffffea00014f8008 ffff88805b10ba48
[  141.445242][ T7538] raw: 0000000000000400 0000000000000000 0000040100000000 ffff88805b82e000
[  141.454649][ T7538] head: 00fff5800000027d ffffea00014d0008 ffffea00014f8008 ffff88805b10ba48
[  141.463708][ T7538] head: 0000000000000400 0000000000000000 0000040100000000 ffff88805b82e000
[  141.472549][ T7538] head: 00fff00000000209 ffffea00014f0001 ffffffff000001ff 0000000000000200
[  141.481225][ T7538] head: 0000000000000200 0000000000000000 0000000000000000 0000000000000000
[  141.490004][ T7538] page dumped because: VM_WARN_ON_FOLIO((_Generic((page), const struct page *: (const struct folio *)_compound_head(page), struct page *: (struct folio *)_compound_head(page))) != folio)
[  141.508510][ T7538] page_owner tracks the page as allocated


-- 
Cheers,

David / dhildenb

Re: [syzbot] [mm?] WARNING in __folio_rmap_sanity_checks (2)

[Liam R. Howlett]

* David Hildenbrand <david@redhat.com> [250113 10:40]:
> On 11.01.25 10:54, syzbot wrote:
> > Hello,
> > 
> > syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> > WARNING in __folio_rmap_sanity_checks
> > 
> > page last free pid 7533 tgid 7532 stack trace:
> >   reset_page_owner include/linux/page_owner.h:25 [inline]
> >   free_pages_prepare mm/page_alloc.c:1127 [inline]
> >   free_unref_folios+0xe39/0x18b0 mm/page_alloc.c:2706
> >   folios_put_refs+0x76c/0x860 mm/swap.c:962
> >   folio_batch_release include/linux/pagevec.h:101 [inline]
> >   truncate_inode_pages_range+0x460/0x10e0 mm/truncate.c:330
> >   iomap_write_failed fs/iomap/buffered-io.c:668 [inline]
> >   iomap_write_iter fs/iomap/buffered-io.c:999 [inline]
> >   iomap_file_buffered_write+0xca5/0x11c0 fs/iomap/buffered-io.c:1039
> >   xfs_file_buffered_write+0x2de/0xac0 fs/xfs/xfs_file.c:792
> >   new_sync_write fs/read_write.c:586 [inline]
> >   vfs_write+0xaeb/0xd30 fs/read_write.c:679
> >   ksys_write+0x18f/0x2b0 fs/read_write.c:731
> >   do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> >   do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
> >   entry_SYSCALL_64_after_hwframe+0x77/0x7f
> > ------------[ cut here ]------------
> > WARNING: CPU: 0 PID: 7538 at ./include/linux/rmap.h:216 __folio_rmap_sanity_checks+0x33f/0x590 include/linux/rmap.h:216
> > Modules linked in:
> > CPU: 0 UID: 0 PID: 7538 Comm: syz.1.57 Not tainted 6.13.0-rc6-syzkaller-gcd6313beaeae #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
> > RIP: 0010:__folio_rmap_sanity_checks+0x33f/0x590 include/linux/rmap.h:216
> > Code: 0f 0b 90 e9 b7 fd ff ff e8 ee af ab ff 48 ff cb e9 f8 fd ff ff e8 e1 af ab ff 4c 89 e7 48 c7 c6 c0 9c 15 8c e8 82 6f f5 ff 90 <0f> 0b 90 e9 e9 fd ff ff e8 c4 af ab ff 48 ff cb e9 34 fe ff ff e8
> > RSP: 0018:ffffc9000c38efd8 EFLAGS: 00010246
> > RAX: f8a45fcd41963a00 RBX: ffffea00014f8000 RCX: ffffc9000c38eb03
> > RDX: 0000000000000005 RSI: ffffffff8c0aa3e0 RDI: ffffffff8c5fa860
> > RBP: 0000000000013186 R08: ffffffff901978b7 R09: 1ffffffff2032f16
> > R10: dffffc0000000000 R11: fffffbfff2032f17 R12: ffffea00014f0000
> > R13: ffffea00014f8080 R14: 0000000000000000 R15: 0000000000000002
> > FS:  00007f14451f96c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
> > CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > CR2: 0000000020000140 CR3: 0000000073716000 CR4: 00000000003526f0
> > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> > Call Trace:
> >   <TASK>
> >   __folio_add_rmap mm/rmap.c:1170 [inline]
> >   __folio_add_file_rmap mm/rmap.c:1489 [inline]
> >   folio_add_file_rmap_ptes+0x82/0x380 mm/rmap.c:1511
> >   set_pte_range+0x30c/0x750 mm/memory.c:5065
> >   filemap_map_folio_range mm/filemap.c:3563 [inline]
> >   filemap_map_pages+0xfbe/0x1900 mm/filemap.c:3672
> >   do_fault_around mm/memory.c:5280 [inline]
> >   do_read_fault mm/memory.c:5313 [inline]
> >   do_fault mm/memory.c:5456 [inline]
> >   do_pte_missing mm/memory.c:3979 [inline]
> >   handle_pte_fault+0x3888/0x5ed0 mm/memory.c:5801
> >   __handle_mm_fault mm/memory.c:5944 [inline]
> >   handle_mm_fault+0x1106/0x1bb0 mm/memory.c:6112
> >   faultin_page mm/gup.c:1196 [inline]
> >   __get_user_pages+0x1c82/0x49e0 mm/gup.c:1494
> >   populate_vma_page_range+0x264/0x330 mm/gup.c:1932
> >   __mm_populate+0x27a/0x460 mm/gup.c:2035
> >   mm_populate include/linux/mm.h:3397 [inline]
> >   vm_mmap_pgoff+0x2c3/0x3d0 mm/util.c:580
> >   ksys_mmap_pgoff+0x4eb/0x720 mm/mmap.c:546
> >   do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> >   do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
> >   entry_SYSCALL_64_after_hwframe+0x77/0x7f
> > RIP: 0033:0x7f1445385d29
> > Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
> > RSP: 002b:00007f14451f9038 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
> > RAX: ffffffffffffffda RBX: 00007f1445575fa0 RCX: 00007f1445385d29
> > RDX: 0000000000000002 RSI: 0000000000b36000 RDI: 0000000020000000
> > RBP: 00007f1445401b08 R08: 0000000000000004 R09: 0000000000000000
> > R10: 0000000000028011 R11: 0000000000000246 R12: 0000000000000000
> > R13: 0000000000000000 R14: 00007f1445575fa0 R15: 00007ffe4c3a7978
> >   </TASK>
> > 
> > 
> > Tested on:
> > 
> > commit:         cd6313be Revert "vmstat: disable vmstat_work on vmstat..
> > git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm mm-stable
> > console output: https://syzkaller.appspot.com/x/log.txt?x=10b34bc4580000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=d18955ff6936aa88
> > dashboard link: https://syzkaller.appspot.com/bug?extid=c0673e1f1f054fac28c2
> > compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> 
> I tried reproducing it in manually in an x86-64 VM with the provided
> config and C reproducer, so far no luck :(

Yeah, same here.

Thanks for testing mm-stable with the bot.

> 
> Looking at the reports, we always seem to be dealing with an order-9 (PMD-size) XFS folio
> with dentry name(?):"memory.current".
> 
> Apparently, we're PTE-mapping that PMD_sized folio.
> 
> [  141.392393][ T7538] page: refcount:1025 mapcount:1 mapping:ffff88805b10ba48 index:0x400 pfn:0x53c00
> [  141.402708][ T7538] head: order:9 mapcount:512 entire_mapcount:0 nr_pages_mapped:512 pincount:0
> [  141.411562][ T7538] memcg:ffff88805b82e000
> [  141.415930][ T7538] aops:xfs_address_space_operations ino:42a dentry name(?):"memory.current"
> [  141.424695][ T7538] flags: 0xfff5800000027d(locked|referenced|uptodate|dirty|lru|workingset|head|node=0|zone=1|lastcpupid=0x7ff)
> [  141.436464][ T7538] raw: 00fff5800000027d ffffea00014d0008 ffffea00014f8008 ffff88805b10ba48
> [  141.445242][ T7538] raw: 0000000000000400 0000000000000000 0000040100000000 ffff88805b82e000
> [  141.454649][ T7538] head: 00fff5800000027d ffffea00014d0008 ffffea00014f8008 ffff88805b10ba48
> [  141.463708][ T7538] head: 0000000000000400 0000000000000000 0000040100000000 ffff88805b82e000
> [  141.472549][ T7538] head: 00fff00000000209 ffffea00014f0001 ffffffff000001ff 0000000000000200
> [  141.481225][ T7538] head: 0000000000000200 0000000000000000 0000000000000000 0000000000000000
> [  141.490004][ T7538] page dumped because: VM_WARN_ON_FOLIO((_Generic((page), const struct page *: (const struct folio *)_compound_head(page), struct page *: (struct folio *)_compound_head(page))) != folio)
> [  141.508510][ T7538] page_owner tracks the page as allocated
> 

Re: [syzbot] [mm?] WARNING in __folio_rmap_sanity_checks (2)

[David Hildenbrand]

On 13.01.25 16:45, Liam R. Howlett wrote:
> * David Hildenbrand <david@redhat.com> [250113 10:40]:
>> On 11.01.25 10:54, syzbot wrote:
>>> Hello,
>>>
>>> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
>>> WARNING in __folio_rmap_sanity_checks
>>>
>>> page last free pid 7533 tgid 7532 stack trace:
>>>    reset_page_owner include/linux/page_owner.h:25 [inline]
>>>    free_pages_prepare mm/page_alloc.c:1127 [inline]
>>>    free_unref_folios+0xe39/0x18b0 mm/page_alloc.c:2706
>>>    folios_put_refs+0x76c/0x860 mm/swap.c:962
>>>    folio_batch_release include/linux/pagevec.h:101 [inline]
>>>    truncate_inode_pages_range+0x460/0x10e0 mm/truncate.c:330
>>>    iomap_write_failed fs/iomap/buffered-io.c:668 [inline]
>>>    iomap_write_iter fs/iomap/buffered-io.c:999 [inline]
>>>    iomap_file_buffered_write+0xca5/0x11c0 fs/iomap/buffered-io.c:1039
>>>    xfs_file_buffered_write+0x2de/0xac0 fs/xfs/xfs_file.c:792
>>>    new_sync_write fs/read_write.c:586 [inline]
>>>    vfs_write+0xaeb/0xd30 fs/read_write.c:679
>>>    ksys_write+0x18f/0x2b0 fs/read_write.c:731
>>>    do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>>>    do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
>>>    entry_SYSCALL_64_after_hwframe+0x77/0x7f
>>> ------------[ cut here ]------------
>>> WARNING: CPU: 0 PID: 7538 at ./include/linux/rmap.h:216 __folio_rmap_sanity_checks+0x33f/0x590 include/linux/rmap.h:216
>>> Modules linked in:
>>> CPU: 0 UID: 0 PID: 7538 Comm: syz.1.57 Not tainted 6.13.0-rc6-syzkaller-gcd6313beaeae #0
>>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
>>> RIP: 0010:__folio_rmap_sanity_checks+0x33f/0x590 include/linux/rmap.h:216
>>> Code: 0f 0b 90 e9 b7 fd ff ff e8 ee af ab ff 48 ff cb e9 f8 fd ff ff e8 e1 af ab ff 4c 89 e7 48 c7 c6 c0 9c 15 8c e8 82 6f f5 ff 90 <0f> 0b 90 e9 e9 fd ff ff e8 c4 af ab ff 48 ff cb e9 34 fe ff ff e8
>>> RSP: 0018:ffffc9000c38efd8 EFLAGS: 00010246
>>> RAX: f8a45fcd41963a00 RBX: ffffea00014f8000 RCX: ffffc9000c38eb03
>>> RDX: 0000000000000005 RSI: ffffffff8c0aa3e0 RDI: ffffffff8c5fa860
>>> RBP: 0000000000013186 R08: ffffffff901978b7 R09: 1ffffffff2032f16
>>> R10: dffffc0000000000 R11: fffffbfff2032f17 R12: ffffea00014f0000
>>> R13: ffffea00014f8080 R14: 0000000000000000 R15: 0000000000000002
>>> FS:  00007f14451f96c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
>>> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>>> CR2: 0000000020000140 CR3: 0000000073716000 CR4: 00000000003526f0
>>> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
>>> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
>>> Call Trace:
>>>    <TASK>
>>>    __folio_add_rmap mm/rmap.c:1170 [inline]
>>>    __folio_add_file_rmap mm/rmap.c:1489 [inline]
>>>    folio_add_file_rmap_ptes+0x82/0x380 mm/rmap.c:1511
>>>    set_pte_range+0x30c/0x750 mm/memory.c:5065
>>>    filemap_map_folio_range mm/filemap.c:3563 [inline]
>>>    filemap_map_pages+0xfbe/0x1900 mm/filemap.c:3672
>>>    do_fault_around mm/memory.c:5280 [inline]
>>>    do_read_fault mm/memory.c:5313 [inline]
>>>    do_fault mm/memory.c:5456 [inline]
>>>    do_pte_missing mm/memory.c:3979 [inline]
>>>    handle_pte_fault+0x3888/0x5ed0 mm/memory.c:5801
>>>    __handle_mm_fault mm/memory.c:5944 [inline]
>>>    handle_mm_fault+0x1106/0x1bb0 mm/memory.c:6112
>>>    faultin_page mm/gup.c:1196 [inline]
>>>    __get_user_pages+0x1c82/0x49e0 mm/gup.c:1494
>>>    populate_vma_page_range+0x264/0x330 mm/gup.c:1932
>>>    __mm_populate+0x27a/0x460 mm/gup.c:2035
>>>    mm_populate include/linux/mm.h:3397 [inline]
>>>    vm_mmap_pgoff+0x2c3/0x3d0 mm/util.c:580
>>>    ksys_mmap_pgoff+0x4eb/0x720 mm/mmap.c:546
>>>    do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>>>    do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
>>>    entry_SYSCALL_64_after_hwframe+0x77/0x7f
>>> RIP: 0033:0x7f1445385d29
>>> Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
>>> RSP: 002b:00007f14451f9038 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
>>> RAX: ffffffffffffffda RBX: 00007f1445575fa0 RCX: 00007f1445385d29
>>> RDX: 0000000000000002 RSI: 0000000000b36000 RDI: 0000000020000000
>>> RBP: 00007f1445401b08 R08: 0000000000000004 R09: 0000000000000000
>>> R10: 0000000000028011 R11: 0000000000000246 R12: 0000000000000000
>>> R13: 0000000000000000 R14: 00007f1445575fa0 R15: 00007ffe4c3a7978
>>>    </TASK>
>>>
>>>
>>> Tested on:
>>>
>>> commit:         cd6313be Revert "vmstat: disable vmstat_work on vmstat..
>>> git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm mm-stable
>>> console output: https://syzkaller.appspot.com/x/log.txt?x=10b34bc4580000
>>> kernel config:  https://syzkaller.appspot.com/x/.config?x=d18955ff6936aa88
>>> dashboard link: https://syzkaller.appspot.com/bug?extid=c0673e1f1f054fac28c2
>>> compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
>>
>> I tried reproducing it in manually in an x86-64 VM with the provided
>> config and C reproducer, so far no luck :(
> 
> Yeah, same here.
> 
> Thanks for testing mm-stable with the bot.

I have a suspicion of what might go very wrong here ... let me try 
playing with a manual reproducer to trigger the scenario I have in mind.

So far, I don't think this issue is related to the latest VMA changes.

We saw it upstream so far once, and I suspect it's an upstream issue.

-- 
Cheers,

David / dhildenb