Date: Tue, 29 Oct 2024 13:44:47 +0200
From: "Kirill A. Shutemov" <kirill@shutemov.name>
To: "Liam R. Howlett", Lorenzo Stoakes, Vlastimil Babka, Jann Horn
Cc: syzbot, akpm@linux-foundation.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [mm?] kernel BUG in zap_huge_pmd
References: <67205708.050a0220.11b624.04bc.GAE@google.com>
In-Reply-To: <67205708.050a0220.11b624.04bc.GAE@google.com>

On Mon, Oct 28, 2024 at 08:31:20PM -0700, syzbot wrote:
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit: 4e46774408d9 Merge tag 'for-6.12-rc4-tag' of git://git.ker..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=10fb2ebb980000
> kernel config: https://syzkaller.appspot.com/x/.config?x=fc6f8ce8c5369043
> dashboard link: https://syzkaller.appspot.com/bug?extid=4b5c704012892c4d22fd
> compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11f730e7980000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=177eae40580000
> 
> Downloadable assets:
> disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7feb34a89c2a/non_bootable_disk-4e467744.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/058a92aaf61a/vmlinux-4e467744.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/0b79757fbe5e/bzImage-4e467744.xz
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+4b5c704012892c4d22fd@syzkaller.appspotmail.com
> 
> R10: 000000000401d031 R11: 0000000000000246 R12: 0000000000000004
> R13: 00007f33ed7673fc R14: 00007f33ed737334 R15: 00007f33ed7673e4
> 
> ------------[ cut here ]------------
> kernel BUG at mm/huge_memory.c:2085!
> Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
> CPU: 0 UID: 0 PID: 5095 Comm: syz-executor380 Not tainted 6.12.0-rc4-syzkaller-00085-g4e46774408d9 #0
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
> RIP: 0010:zap_huge_pmd+0x953/0xc40 mm/huge_memory.c:2085

I believe it is a bug in mmap_region() around the handling of vms_gather_munmap_vmas() and vms_complete_munmap_vmas().

What the reproducer does is:

1. Creating a hugetlb mapping
2. Setting up UFFD on it
3. Creating a new mapping that partially overlaps with the mapping created in step 1

In step 3 an error is injected which makes vma_iter_prealloc() fail, and unmap_region() is called in the error path.
unmap_region() is called with the newly created VMA as an argument, but the page tables still contain entries from the hugetlb mapping that was never fully unmapped, because vms_complete_munmap_vmas() has not been called yet.

Since the new VMA is not hugetlb, the unmapping code takes the THP codepath and calls zap_huge_pmd(). zap_huge_pmd() sees the PTE marker swap entry installed by hugetlb_mfill_atomic_pte() and gets confused.

I don't understand the vms_gather/complete_munmap_vmas() code well enough. I am not sure what the right fix would be. Maybe call vms_complete_munmap_vmas() earlier?

-- 
Kiryl Shutsemau / Kirill A. Shutemov