Date: Tue, 29 Oct 2024 14:58:02 +0200
From: "Kirill A. Shutemov"
To: Lorenzo Stoakes
Cc: "Liam R. Howlett", Vlastimil Babka, Jann Horn, syzbot, akpm@linux-foundation.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [mm?] kernel BUG in zap_huge_pmd
References: <67205708.050a0220.11b624.04bc.GAE@google.com> <3b06d23d-de9e-471f-ab99-54c96cb077bd@lucifer.local>
In-Reply-To: <3b06d23d-de9e-471f-ab99-54c96cb077bd@lucifer.local>

On Tue, Oct 29, 2024 at 12:07:00PM +0000, Lorenzo Stoakes wrote:
> On Tue, Oct 29, 2024 at 01:44:47PM +0200, Kirill A. Shutemov wrote:
> > On Mon, Oct 28, 2024 at 08:31:20PM -0700, syzbot wrote:
> > > Hello,
> > >
> > > syzbot found the following issue on:
> > >
> > > HEAD commit:    4e46774408d9 Merge tag 'for-6.12-rc4-tag' of git://git.ker..
> > > git tree:       upstream
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=10fb2ebb980000
> > > kernel config:  https://syzkaller.appspot.com/x/.config?x=fc6f8ce8c5369043
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=4b5c704012892c4d22fd
> > > compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=11f730e7980000
> > > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=177eae40580000
> > >
> > > Downloadable assets:
> > > disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7feb34a89c2a/non_bootable_disk-4e467744.raw.xz
> > > vmlinux: https://storage.googleapis.com/syzbot-assets/058a92aaf61a/vmlinux-4e467744.xz
> > > kernel image: https://storage.googleapis.com/syzbot-assets/0b79757fbe5e/bzImage-4e467744.xz
> > >
> > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > Reported-by: syzbot+4b5c704012892c4d22fd@syzkaller.appspotmail.com
> > >
> > > R10: 000000000401d031 R11: 0000000000000246 R12: 0000000000000004
> > > R13: 00007f33ed7673fc R14: 00007f33ed737334 R15: 00007f33ed7673e4
> > >
> > > ------------[ cut here ]------------
> > > kernel BUG at mm/huge_memory.c:2085!
> > > Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
> > > CPU: 0 UID: 0 PID: 5095 Comm: syz-executor380 Not tainted 6.12.0-rc4-syzkaller-00085-g4e46774408d9 #0
> > > Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
> > > RIP: 0010:zap_huge_pmd+0x953/0xc40 mm/huge_memory.c:2085
> >
> > I believe it is a bug in mmap_region() around handling
> > vms_gather_munmap_vmas() and vms_complete_munmap_vmas().
> >
> > What the reproducer does is:
> >
> > 1. Creating a hugetlb mapping
> > 2. Setting up UFFD on it
> > 3. Creating a new mapping that partially overlaps with the mapping created in step 1
> >
> > In step 3 an error is injected which makes vma_iter_prealloc() fail, and
> > unmap_region() is called in the error path.
> >
> > unmap_region() is called with the newly created VMA as an argument, but
> > page tables still contain entries from the hugetlb mapping that was never
> > fully unmapped because vms_complete_munmap_vmas() has not been called yet.
> >
> > Since the new VMA is not hugetlb, the unmapping code takes the THP codepath and
> > calls zap_huge_pmd(). zap_huge_pmd() sees the PTE marker swap entry installed
> > by hugetlb_mfill_atomic_pte() and gets confused.
> >
> > I don't understand the vms_gather/complete_munmap_vmas() code well enough.
> > I am not sure what the right fix would be.
> > Maybe call vms_complete_munmap_vmas() earlier?
>
> We just changed around how this stuff aborts in a hotfix series that should
> avoid this, actually.
>
> Unfortunately I don't have the netlink setup syzbot has locally, so I'm not sure
> how reliably I can repro.

Build the config in the report and run it under KVM (virtme?).

-- 
Kiryl Shutsemau / Kirill A. Shutemov