* kernel BUG at mm/gup.c:LINE!
@ 2018-07-04 4:19 syzbot
2018-07-04 10:01 ` Tetsuo Handa
0 siblings, 1 reply; 19+ messages in thread
From: syzbot @ 2018-07-04 4:19 UTC (permalink / raw)
To: akpm, aneesh.kumar, dan.j.williams, kirill.shutemov,
linux-kernel, linux-mm, mst, syzkaller-bugs, viro, ying.huang,
zi.yan
Hello,
syzbot found the following crash on:
HEAD commit: d3bc0e67f852 Merge tag 'for-4.18-rc2-tag' of git://git.ker..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1000077c400000
kernel config: https://syzkaller.appspot.com/x/.config?x=a63be0c83e84d370
dashboard link: https://syzkaller.appspot.com/bug?extid=5dcb560fe12aa5091c06
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
userspace arch: i386
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=158577a2400000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+5dcb560fe12aa5091c06@syzkaller.appspotmail.com
IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
8021q: adding VLAN 0 to HW filter on device team0
------------[ cut here ]------------
kernel BUG at mm/gup.c:1242!
invalid opcode: 0000 [#1] SMP KASAN
CPU: 1 PID: 4837 Comm: syz-executor0 Not tainted 4.18.0-rc2+ #29
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:__mm_populate+0x472/0x520 mm/gup.c:1242
Code: ea 03 0f b6 04 02 84 c0 74 08 3c 03 0f 8e aa 00 00 00 44 8b 75 98 45
31 e4 e9 58 ff ff ff e8 b5 9e d1 ff 0f 0b e8 ae 9e d1 ff <0f> 0b 48 8b bd
60 ff ff ff e8 d0 72 0f 00 e9 52 fc ff ff 48 8b bd
RSP: 0018:ffff8801aae77ae0 EFLAGS: 00010293
RAX: ffff8801cfb48280 RBX: 0000000000008000 RCX: ffffffff81aa6a68
RDX: 0000000000000000 RSI: ffffffff81aa6dc2 RDI: 0000000000000006
RBP: ffff8801aae77ba0 R08: ffff8801cfb48280 R09: fffffbfff133d66a
R10: 0000000000000003 R11: 0000000000000000 R12: 000000007bf81000
R13: 0000000000007676 R14: dffffc0000000000 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8801daf00000(0063) knlGS:000000000865b900
CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 00000000080e3a94 CR3: 00000001cb021000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
mm_populate include/linux/mm.h:2296 [inline]
vm_brk_flags+0x1fe/0x240 mm/mmap.c:3038
vm_brk+0x1f/0x30 mm/mmap.c:3045
load_elf_library+0x711/0x8e0 fs/binfmt_elf.c:1266
__do_sys_uselib fs/exec.c:161 [inline]
__se_sys_uselib fs/exec.c:120 [inline]
__ia32_sys_uselib+0x37e/0x4c0 fs/exec.c:120
do_syscall_32_irqs_on arch/x86/entry/common.c:326 [inline]
do_fast_syscall_32+0x34d/0xfb2 arch/x86/entry/common.c:397
entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
RIP: 0023:0xf7fcbcb9
Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b
5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90
90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
RSP: 002b:00000000ff8df4ac EFLAGS: 00000282 ORIG_RAX: 0000000000000056
RAX: ffffffffffffffda RBX: 0000000020000040 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
Modules linked in:
Dumping ftrace buffer:
(ftrace buffer empty)
---[ end trace f964ea7008b66351 ]---
RIP: 0010:__mm_populate+0x472/0x520 mm/gup.c:1242
Code: ea 03 0f b6 04 02 84 c0 74 08 3c 03 0f 8e aa 00 00 00 44 8b 75 98 45
31 e4 e9 58 ff ff ff e8 b5 9e d1 ff 0f 0b e8 ae 9e d1 ff <0f> 0b 48 8b bd
60 ff ff ff e8 d0 72 0f 00 e9 52 fc ff ff 48 8b bd
RSP: 0018:ffff8801aae77ae0 EFLAGS: 00010293
RAX: ffff8801cfb48280 RBX: 0000000000008000 RCX: ffffffff81aa6a68
RDX: 0000000000000000 RSI: ffffffff81aa6dc2 RDI: 0000000000000006
RBP: ffff8801aae77ba0 R08: ffff8801cfb48280 R09: fffffbfff133d66a
R10: 0000000000000003 R11: 0000000000000000 R12: 000000007bf81000
R13: 0000000000007676 R14: dffffc0000000000 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8801daf00000(0063) knlGS:000000000865b900
CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 00000000080e3a94 CR3: 00000001cb021000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: kernel BUG at mm/gup.c:LINE!
2018-07-04 4:19 kernel BUG at mm/gup.c:LINE! syzbot
@ 2018-07-04 10:01 ` Tetsuo Handa
2018-07-04 11:17 ` Michal Hocko
0 siblings, 1 reply; 19+ messages in thread
From: Tetsuo Handa @ 2018-07-04 10:01 UTC (permalink / raw)
To: Michal Hocko
Cc: syzbot, akpm, aneesh.kumar, dan.j.williams, kirill.shutemov,
linux-mm, mst, syzkaller-bugs, viro, ying.huang, zi.yan
+Michal Hocko
On 2018/07/04 13:19, syzbot wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: d3bc0e67f852 Merge tag 'for-4.18-rc2-tag' of git://git.ker..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=1000077c400000
> kernel config: https://syzkaller.appspot.com/x/.config?x=a63be0c83e84d370
> dashboard link: https://syzkaller.appspot.com/bug?extid=5dcb560fe12aa5091c06
> compiler: gcc (GCC) 8.0.1 20180413 (experimental)
> userspace arch: i386
> syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=158577a2400000
Here is C reproducer made from syz reproducer. mlockall(MCL_FUTURE) is involved.
This problem is triggerable by an unprivileged user.
Shows different result on x86_64 (crash) and x86_32 (stall).
------------------------------------------------------------
/* Need to compile using "-m32" option if host is 64bit. */
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/mman.h>
int uselib(const char *library);
int main(int argc, char *argv[])
{
int fd = open("file", O_WRONLY | O_CREAT, 0644);
write(fd, "\x7f\x45\x4c\x46\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02"
"\x00\x06\x00\xca\x3f\x8b\xca\x00\x00\x00\x00\x38\x00\x00\x00\x00\x00"
"\x00\xf7\xff\xff\xff\xff\xff\xff\x1f\x00\x02\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf8\x7b"
"\x66\xff\x00\x00\x05\x00\x00\x00\x76\x86\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x31\x0f\xf3\xee\xc1\xb0\x00\x0c\x08\x53\x55\xbe\x88\x47"
"\xc2\x2e\x30\xf5\x62\x82\xc6\x2c\x95\x72\x3f\x06\x8f\xe4\x2d\x27\x96"
"\xcc", 120);
fchmod(fd, 0755);
close(fd);
mlockall(MCL_FUTURE); /* Removing this line avoids the bug. */
uselib("file");
return 0;
}
------------------------------------------------------------
------------------------------------------------------------
CentOS Linux 7 (Core)
Kernel 4.18.0-rc3 on an x86_64
localhost login: [ 81.210241] emacs (9634) used greatest stack depth: 10416 bytes left
[ 140.099935] ------------[ cut here ]------------
[ 140.101904] kernel BUG at mm/gup.c:1242!
[ 140.103572] invalid opcode: 0000 [#1] SMP
[ 140.105220] CPU: 2 PID: 9667 Comm: a.out Not tainted 4.18.0-rc3 #644
[ 140.107762] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 05/19/2017
[ 140.112000] RIP: 0010:__mm_populate+0x1e2/0x1f0
[ 140.113875] Code: 55 d0 65 48 33 14 25 28 00 00 00 89 d8 75 21 48 83 c4 20 5b 41 5c 41 5d 41 5e 41 5f 5d c3 e8 75 18 f1 ff 0f 0b e8 6e 18 f1 ff <0f> 0b 31 db eb c9 e8 93 06 e0 ff 0f 1f 00 55 48 89 e5 53 48 89 fb
[ 140.121403] RSP: 0018:ffffc90000dffd78 EFLAGS: 00010293
[ 140.123516] RAX: ffff8801366c63c0 RBX: 000000007bf81000 RCX: ffffffff813e4ee2
[ 140.126352] RDX: 0000000000000000 RSI: 0000000000007676 RDI: 000000007bf81000
[ 140.129236] RBP: ffffc90000dffdc0 R08: 0000000000000000 R09: 0000000000000000
[ 140.132110] R10: ffff880135895c80 R11: 0000000000000000 R12: 0000000000007676
[ 140.134955] R13: 0000000000008000 R14: 0000000000000000 R15: 0000000000007676
[ 140.137785] FS: 0000000000000000(0000) GS:ffff88013a680000(0063) knlGS:00000000f7db9700
[ 140.140998] CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
[ 140.143303] CR2: 00000000f7ea56e0 CR3: 0000000134674004 CR4: 00000000000606e0
[ 140.145906] Call Trace:
[ 140.146728] vm_brk_flags+0xc3/0x100
[ 140.147830] vm_brk+0x1f/0x30
[ 140.148714] load_elf_library+0x281/0x2e0
[ 140.149875] __ia32_sys_uselib+0x170/0x1e0
[ 140.151028] ? copy_overflow+0x30/0x30
[ 140.152105] ? __ia32_sys_uselib+0x170/0x1e0
[ 140.153301] do_fast_syscall_32+0xca/0x420
[ 140.154455] entry_SYSENTER_compat+0x70/0x7f
[ 140.155651] RIP: 0023:0xf7f9fc99
[ 140.156568] Code: 89 c8 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 0c 24 c3 8b 1c 24 c3 8b 3c 24 c3 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[ 140.161951] RSP: 002b:00000000ffcca47c EFLAGS: 00000246 ORIG_RAX: 0000000000000056
[ 140.164292] RAX: ffffffffffffffda RBX: 0000000008048614 RCX: 00000000000001ed
[ 140.166390] RDX: 0000000000000003 RSI: 0000000000000000 RDI: 0000000000000000
[ 140.168400] RBP: 00000000ffcca4a8 R08: 0000000000000000 R09: 0000000000000000
[ 140.170352] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 140.172302] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 140.174255] Modules linked in:
[ 140.175255] ---[ end trace d38f4666ebf4809c ]---
[ 140.176838] RIP: 0010:__mm_populate+0x1e2/0x1f0
[ 140.178239] Code: 55 d0 65 48 33 14 25 28 00 00 00 89 d8 75 21 48 83 c4 20 5b 41 5c 41 5d 41 5e 41 5f 5d c3 e8 75 18 f1 ff 0f 0b e8 6e 18 f1 ff <0f> 0b 31 db eb c9 e8 93 06 e0 ff 0f 1f 00 55 48 89 e5 53 48 89 fb
[ 140.183795] RSP: 0018:ffffc90000dffd78 EFLAGS: 00010293
[ 140.185293] RAX: ffff8801366c63c0 RBX: 000000007bf81000 RCX: ffffffff813e4ee2
[ 140.187285] RDX: 0000000000000000 RSI: 0000000000007676 RDI: 000000007bf81000
[ 140.189282] RBP: ffffc90000dffdc0 R08: 0000000000000000 R09: 0000000000000000
[ 140.191298] R10: ffff880135895c80 R11: 0000000000000000 R12: 0000000000007676
[ 140.193478] R13: 0000000000008000 R14: 0000000000000000 R15: 0000000000007676
[ 140.195740] FS: 0000000000000000(0000) GS:ffff88013a680000(0063) knlGS:00000000f7db9700
[ 140.198178] CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
[ 140.199864] CR2: 00000000f7ea56e0 CR3: 0000000134674004 CR4: 00000000000606e0
[ 140.201998] Kernel panic - not syncing: Fatal exception
------------------------------------------------------------
------------------------------------------------------------
CentOS Linux 7 (AltArch)
Kernel 4.18.0-rc3-00113-gfc36def on an i686
localhost login: [ 231.139466] INFO: rcu_sched self-detected stall on CPU
[ 231.140169] INFO: rcu_sched detected stalls on CPUs/tasks:
[ 231.141010] 5-....: (20761 ticks this GP) idle=0b6/1/1073741826 softirq=1654/1654 fqs=5193
[ 231.145209]
[ 231.145213] 5-....: (20761 ticks this GP) idle=0b6/1/1073741826 softirq=1654/1654 fqs=5194
[ 231.145216] (t=21003 jiffies g=884 c=883 q=12)
[ 231.145777]
[ 231.148182] NMI backtrace for cpu 5
[ 231.149527] (detected by 4, t=21011 jiffies, g=884, c=883, q=12)
[ 231.150049] CPU: 5 PID: 956 Comm: a.out Not tainted 4.18.0-rc3-00113-gfc36def #365
[ 231.155315] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 05/19/2017
[ 231.158549] Call Trace:
[ 231.159341] dump_stack+0x57/0x7b
[ 231.160422] nmi_cpu_backtrace+0xc4/0xd0
[ 231.161641] nmi_trigger_cpumask_backtrace+0x9a/0xe0
[ 231.163174] ? vprintk_default+0x32/0x40
[ 231.164408] ? lapic_can_unplug_cpu+0xa0/0xa0
[ 231.165760] arch_trigger_cpumask_backtrace+0x10/0x20
[ 231.167321] rcu_dump_cpu_stacks+0x6f/0x96
[ 231.168596] rcu_check_callbacks+0x532/0x680
[ 231.169994] ? account_process_tick+0x55/0x120
[ 231.171371] ? tick_sched_do_timer+0x50/0x50
[ 231.172700] update_process_times+0x23/0x50
[ 231.174016] tick_sched_handle+0x3a/0x50
[ 231.175277] tick_sched_timer+0x34/0x80
[ 231.176492] __hrtimer_run_queues+0xe4/0x170
[ 231.177822] hrtimer_interrupt+0x10d/0x2b0
[ 231.179101] smp_apic_timer_interrupt+0x4f/0x90
[ 231.180511] ? smp_apic_timer_interrupt+0x54/0x90
[ 231.181968] apic_timer_interrupt+0x3c/0x44
[ 231.183262] EIP: __get_user_pages+0x3/0x3e0
[ 231.184559] Code: e4 89 f0 89 1c 24 e8 fc 1b 03 00 8b 55 e4 c6 02 00 85 c0 0f 85 b0 fb ff ff e9 21 fd ff ff 89 f6 8d bc 27 00 00 00 00 55 89 e5 <57> 56 53 83 ec 44 8b 7d 08 89 45 dc 8b 45 10 89 55 d8 89 4d e8 89
[ 231.190324] EAX: f2301300 EBX: 00001053 ECX: 7bf88000 EDX: f235c240
[ 231.192259] ESI: 7bf88000 EDI: f6ebbea4 EBP: f6ebbe5c ESP: f6ebbe5c
[ 231.194170] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 EFLAGS: 00000206
[ 231.196252] populate_vma_page_range+0x77/0x80
[ 231.197631] __mm_populate+0x8c/0x110
[ 231.198780] vm_brk_flags+0xab/0xc0
[ 231.199867] vm_brk+0xa/0x10
[ 231.200803] load_elf_library+0x1c0/0x1e0
[ 231.202073] sys_uselib+0x11a/0x160
[ 231.203266] do_fast_syscall_32+0x95/0x188
[ 231.204562] entry_SYSENTER_32+0x4e/0x7c
[ 231.205787] EIP: 0xb7f98fd1
[ 231.206676] Code: c1 9e f3 ff ff 89 e5 8b 55 08 85 d2 8b 81 64 cd ff ff 74 02 89 02 5d c3 8b 0c 24 c3 8b 1c 24 c3 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d 76 00 58 b8 77 00 00 00 cd 80 90 8d 76
[ 231.212378] EAX: ffffffda EBX: 08048614 ECX: 000001ed EDX: 00000003
[ 231.214302] ESI: 00000000 EDI: 00000000 EBP: bfbfaa28 ESP: bfbfa9fc
[ 231.216223] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b EFLAGS: 00000246
[ 231.218302] Sending NMI from CPU 4 to CPUs 5:
[ 231.219719] NMI backtrace for cpu 5
[ 231.219722] CPU: 5 PID: 956 Comm: a.out Not tainted 4.18.0-rc3-00113-gfc36def #365
[ 231.219722] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 05/19/2017
[ 231.219726] EIP: queued_spin_lock_slowpath+0x32/0x200
[ 231.219727] Code: 66 66 66 66 90 ba 01 00 00 00 8d b6 00 00 00 00 8b 01 85 c0 75 12 f0 0f b1 11 85 c0 75 f2 5b 5e 5f 5d c3 90 8d 74 26 00 f3 90 <eb> e4 8d 74 26 00 81 fa 00 01 00 00 66 90 0f 84 3f 01 00 00 81 e2
[ 231.219745] EAX: 00000001 EBX: 00000001 ECX: d66ce500 EDX: 00000001
[ 231.219746] ESI: 00000046 EDI: d66ce500 EBP: f6ebbcf0 ESP: f6ebbce4
[ 231.219747] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 EFLAGS: 00000002
[ 231.219748] CR0: 80050033 CR2: b7ebb3f0 CR3: 32646760 CR4: 000406f0
[ 231.219788] Call Trace:
[ 231.219792] _raw_spin_lock_irqsave+0x33/0x40
[ 231.219795] rcu_check_callbacks+0x539/0x680
[ 231.219798] ? account_process_tick+0x55/0x120
[ 231.219801] ? tick_sched_do_timer+0x50/0x50
[ 231.219803] update_process_times+0x23/0x50
[ 231.219804] tick_sched_handle+0x3a/0x50
[ 231.219806] tick_sched_timer+0x34/0x80
[ 231.219807] __hrtimer_run_queues+0xe4/0x170
[ 231.219809] hrtimer_interrupt+0x10d/0x2b0
[ 231.219811] smp_apic_timer_interrupt+0x4f/0x90
[ 231.219812] ? smp_apic_timer_interrupt+0x54/0x90
[ 231.219814] apic_timer_interrupt+0x3c/0x44
[ 231.219816] EIP: __get_user_pages+0x3/0x3e0
[ 231.219816] Code: e4 89 f0 89 1c 24 e8 fc 1b 03 00 8b 55 e4 c6 02 00 85 c0 0f 85 b0 fb ff ff e9 21 fd ff ff 89 f6 8d bc 27 00 00 00 00 55 89 e5 <57> 56 53 83 ec 44 8b 7d 08 89 45 dc 8b 45 10 89 55 d8 89 4d e8 89
[ 231.219834] EAX: f2301300 EBX: 00001053 ECX: 7bf88000 EDX: f235c240
[ 231.219835] ESI: 7bf88000 EDI: f6ebbea4 EBP: f6ebbe5c ESP: f6ebbe5c
[ 231.219836] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 EFLAGS: 00000206
[ 231.219838] populate_vma_page_range+0x77/0x80
[ 231.219840] __mm_populate+0x8c/0x110
[ 231.219842] vm_brk_flags+0xab/0xc0
[ 231.219844] vm_brk+0xa/0x10
[ 231.219846] load_elf_library+0x1c0/0x1e0
[ 231.219849] sys_uselib+0x11a/0x160
[ 231.219850] do_fast_syscall_32+0x95/0x188
[ 231.219852] entry_SYSENTER_32+0x4e/0x7c
[ 231.219853] EIP: 0xb7f98fd1
[ 231.219854] Code: c1 9e f3 ff ff 89 e5 8b 55 08 85 d2 8b 81 64 cd ff ff 74 02 89 02 5d c3 8b 0c 24 c3 8b 1c 24 c3 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d 76 00 58 b8 77 00 00 00 cd 80 90 8d 76
[ 231.219872] EAX: ffffffda EBX: 08048614 ECX: 000001ed EDX: 00000003
[ 231.219873] ESI: 00000000 EDI: 00000000 EBP: bfbfaa28 ESP: bfbfa9fc
[ 231.219874] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b EFLAGS: 00000246
[ 294.144215] INFO: rcu_sched self-detected stall on CPU
[ 294.145578] INFO: rcu_sched detected stalls on CPUs/tasks:
[ 294.145926] 5-....: (83606 ticks this GP) idle=0b6/1/1073741826 softirq=1654/1654 fqs=20101
[ 294.145927]
[ 294.147855] 5-....: (83606 ticks this GP) idle=0b6/1/1073741826 softirq=1654/1654 fqs=20101
[ 294.150966] (t=84007 jiffies g=884 c=883 q=411)
[ 294.151577]
[ 294.154593] NMI backtrace for cpu 5
[ 294.156334] (detected by 4, t=84007 jiffies, g=884, c=883, q=411)
[ 294.156958] CPU: 5 PID: 956 Comm: a.out Not tainted 4.18.0-rc3-00113-gfc36def #365
[ 294.163053] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 05/19/2017
[ 294.166957] Call Trace:
[ 294.167772] dump_stack+0x57/0x7b
[ 294.168860] nmi_cpu_backtrace+0xc4/0xd0
[ 294.170289] nmi_trigger_cpumask_backtrace+0x9a/0xe0
[ 294.171852] ? vprintk_default+0x32/0x40
[ 294.173228] ? lapic_can_unplug_cpu+0xa0/0xa0
[ 294.174801] arch_trigger_cpumask_backtrace+0x10/0x20
[ 294.176446] rcu_dump_cpu_stacks+0x6f/0x96
[ 294.177803] rcu_check_callbacks+0x532/0x680
[ 294.179231] ? account_process_tick+0x55/0x120
[ 294.180643] ? tick_sched_do_timer+0x50/0x50
[ 294.182056] update_process_times+0x23/0x50
[ 294.183408] tick_sched_handle+0x3a/0x50
[ 294.184664] tick_sched_timer+0x34/0x80
[ 294.185874] __hrtimer_run_queues+0xe4/0x170
[ 294.187221] hrtimer_interrupt+0x10d/0x2b0
[ 294.188657] ? apic_timer_interrupt+0x3c/0x44
[ 294.190079] smp_apic_timer_interrupt+0x4f/0x90
[ 294.191720] apic_timer_interrupt+0x3c/0x44
[ 294.193175] EIP: populate_vma_page_range+0x19/0x80
[ 294.194722] Code: 2d 04 f3 ff 0f 0b 0f 0b 89 f6 8d bc 27 00 00 00 00 55 89 e5 57 56 89 d6 53 29 f1 83 ec 18 8b 50 20 8b 40 2c c1 e9 0c 89 0c 24 <89> f1 c7 44 24 0c 00 00 00 00 89 55 f0 89 c3 89 c7 81 e3 00 00 08
[ 294.200571] EAX: 00102073 EBX: f600e888 ECX: 00000000 EDX: f235c240
[ 294.202604] ESI: 7bf88000 EDI: 7bf88000 EBP: f6ebbe88 ESP: f6ebbe64
[ 294.204756] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 EFLAGS: 00000246
[ 294.207295] __mm_populate+0x8c/0x110
[ 294.208653] vm_brk_flags+0xab/0xc0
[ 294.209949] vm_brk+0xa/0x10
[ 294.211018] load_elf_library+0x1c0/0x1e0
[ 294.212580] sys_uselib+0x11a/0x160
[ 294.213901] do_fast_syscall_32+0x95/0x188
[ 294.215436] entry_SYSENTER_32+0x4e/0x7c
[ 294.216955] EIP: 0xb7f98fd1
[ 294.217995] Code: c1 9e f3 ff ff 89 e5 8b 55 08 85 d2 8b 81 64 cd ff ff 74 02 89 02 5d c3 8b 0c 24 c3 8b 1c 24 c3 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d 76 00 58 b8 77 00 00 00 cd 80 90 8d 76
[ 294.224703] EAX: ffffffda EBX: 08048614 ECX: 000001ed EDX: 00000003
[ 294.226681] ESI: 00000000 EDI: 00000000 EBP: bfbfaa28 ESP: bfbfa9fc
[ 294.228654] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b EFLAGS: 00000246
[ 294.230799] Sending NMI from CPU 4 to CPUs 5:
[ 294.253453] NMI backtrace for cpu 5
[ 294.253458] CPU: 5 PID: 956 Comm: a.out Not tainted 4.18.0-rc3-00113-gfc36def #365
[ 294.253459] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 05/19/2017
[ 294.253465] EIP: __mm_populate+0x7a/0x110
[ 294.253466] Code: 39 7b 04 77 03 8b 5b 08 85 db 74 6c 8b 03 8b 4d e8 39 c1 76 63 8b 73 04 39 f1 0f 46 f1 f7 43 2c 00 44 00 00 75 21 39 c7 89 f1 <0f> 42 f8 8d 45 ec 89 fa 89 04 24 89 d8 e8 f4 fe ff ff 85 c0 78 40
[ 294.253495] EAX: 7bf81000 EBX: f600e888 ECX: 7bf88676 EDX: f235c240
[ 294.253496] ESI: 7bf88676 EDI: 7bf88000 EBP: f6ebbeb8 ESP: f6ebbe90
[ 294.253498] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 EFLAGS: 00000206
[ 294.253499] CR0: 80050033 CR2: b7ebb3f0 CR3: 32646760 CR4: 000406f0
[ 294.253608] Call Trace:
[ 294.253613] vm_brk_flags+0xab/0xc0
[ 294.253616] vm_brk+0xa/0x10
[ 294.253619] load_elf_library+0x1c0/0x1e0
[ 294.253622] sys_uselib+0x11a/0x160
[ 294.253625] do_fast_syscall_32+0x95/0x188
[ 294.253630] entry_SYSENTER_32+0x4e/0x7c
[ 294.253632] EIP: 0xb7f98fd1
[ 294.253632] Code: c1 9e f3 ff ff 89 e5 8b 55 08 85 d2 8b 81 64 cd ff ff 74 02 89 02 5d c3 8b 0c 24 c3 8b 1c 24 c3 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d 76 00 58 b8 77 00 00 00 cd 80 90 8d 76
[ 294.253660] EAX: ffffffda EBX: 08048614 ECX: 000001ed EDX: 00000003
[ 294.253662] ESI: 00000000 EDI: 00000000 EBP: bfbfaa28 ESP: bfbfa9fc
[ 294.253663] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b EFLAGS: 00000246
------------------------------------------------------------
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: kernel BUG at mm/gup.c:LINE!
2018-07-04 10:01 ` Tetsuo Handa
@ 2018-07-04 11:17 ` Michal Hocko
2018-07-04 11:48 ` Zi Yan
0 siblings, 1 reply; 19+ messages in thread
From: Michal Hocko @ 2018-07-04 11:17 UTC (permalink / raw)
To: Tetsuo Handa
Cc: syzbot, akpm, aneesh.kumar, dan.j.williams, kirill.shutemov,
linux-mm, mst, syzkaller-bugs, viro, ying.huang, zi.yan
On Wed 04-07-18 19:01:51, Tetsuo Handa wrote:
> +Michal Hocko
>
> On 2018/07/04 13:19, syzbot wrote:
> > Hello,
> >
> > syzbot found the following crash on:
> >
> > HEAD commit: d3bc0e67f852 Merge tag 'for-4.18-rc2-tag' of git://git.ker..
> > git tree: upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=1000077c400000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=a63be0c83e84d370
> > dashboard link: https://syzkaller.appspot.com/bug?extid=5dcb560fe12aa5091c06
> > compiler: gcc (GCC) 8.0.1 20180413 (experimental)
> > userspace arch: i386
> > syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=158577a2400000
>
> Here is C reproducer made from syz reproducer. mlockall(MCL_FUTURE) is involved.
>
> This problem is triggerable by an unprivileged user.
> Shows different result on x86_64 (crash) and x86_32 (stall).
>
> ------------------------------------------------------------
> /* Need to compile using "-m32" option if host is 64bit. */
> #include <sys/types.h>
> #include <sys/stat.h>
> #include <fcntl.h>
> #include <unistd.h>
> #include <sys/mman.h>
> int uselib(const char *library);
>
> int main(int argc, char *argv[])
> {
> int fd = open("file", O_WRONLY | O_CREAT, 0644);
> write(fd, "\x7f\x45\x4c\x46\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02"
> "\x00\x06\x00\xca\x3f\x8b\xca\x00\x00\x00\x00\x38\x00\x00\x00\x00\x00"
> "\x00\xf7\xff\xff\xff\xff\xff\xff\x1f\x00\x02\x00\x00\x00\x00\x00\x00"
> "\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf8\x7b"
> "\x66\xff\x00\x00\x05\x00\x00\x00\x76\x86\x00\x00\x00\x00\x00\x00\x00"
> "\x00\x00\x00\x31\x0f\xf3\xee\xc1\xb0\x00\x0c\x08\x53\x55\xbe\x88\x47"
> "\xc2\x2e\x30\xf5\x62\x82\xc6\x2c\x95\x72\x3f\x06\x8f\xe4\x2d\x27\x96"
> "\xcc", 120);
> fchmod(fd, 0755);
> close(fd);
> mlockall(MCL_FUTURE); /* Removing this line avoids the bug. */
> uselib("file");
> return 0;
> }
> ------------------------------------------------------------
>
> ------------------------------------------------------------
> CentOS Linux 7 (Core)
> Kernel 4.18.0-rc3 on an x86_64
>
> localhost login: [ 81.210241] emacs (9634) used greatest stack depth: 10416 bytes left
> [ 140.099935] ------------[ cut here ]------------
> [ 140.101904] kernel BUG at mm/gup.c:1242!
Is this
VM_BUG_ON(len != PAGE_ALIGN(len));
in __mm_populate? I do not really get why we should VM_BUG_ON when the
len is not page aligned to be honest. The library is probably containing
some funky setup but if we simply cannot round up to the next PAGE_SIZE
boundary then we should probably just error out and fail. This is an
area I am really familiar with so I cannot really judge.
--
Michal Hocko
SUSE Labs
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: kernel BUG at mm/gup.c:LINE!
2018-07-04 11:17 ` Michal Hocko
@ 2018-07-04 11:48 ` Zi Yan
2018-07-04 12:11 ` Michal Hocko
2018-07-04 12:12 ` kernel BUG at mm/gup.c:LINE! Oscar Salvador
0 siblings, 2 replies; 19+ messages in thread
From: Zi Yan @ 2018-07-04 11:48 UTC (permalink / raw)
To: Michal Hocko
Cc: Tetsuo Handa, syzbot, akpm, aneesh.kumar, dan.j.williams,
kirill.shutemov, linux-mm, mst, syzkaller-bugs, viro, ying.huang
[-- Attachment #1: Type: text/plain, Size: 3106 bytes --]
On 4 Jul 2018, at 7:17, Michal Hocko wrote:
> On Wed 04-07-18 19:01:51, Tetsuo Handa wrote:
>> +Michal Hocko
>>
>> On 2018/07/04 13:19, syzbot wrote:
>>> Hello,
>>>
>>> syzbot found the following crash on:
>>>
>>> HEAD commit: d3bc0e67f852 Merge tag 'for-4.18-rc2-tag' of git://git.ker..
>>> git tree: upstream
>>> console output: https://syzkaller.appspot.com/x/log.txt?x=1000077c400000
>>> kernel config: https://syzkaller.appspot.com/x/.config?x=a63be0c83e84d370
>>> dashboard link: https://syzkaller.appspot.com/bug?extid=5dcb560fe12aa5091c06
>>> compiler: gcc (GCC) 8.0.1 20180413 (experimental)
>>> userspace arch: i386
>>> syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=158577a2400000
>>
>> Here is C reproducer made from syz reproducer. mlockall(MCL_FUTURE) is involved.
>>
>> This problem is triggerable by an unprivileged user.
>> Shows different result on x86_64 (crash) and x86_32 (stall).
>>
>> ------------------------------------------------------------
>> /* Need to compile using "-m32" option if host is 64bit. */
>> #include <sys/types.h>
>> #include <sys/stat.h>
>> #include <fcntl.h>
>> #include <unistd.h>
>> #include <sys/mman.h>
>> int uselib(const char *library);
>>
>> int main(int argc, char *argv[])
>> {
>> int fd = open("file", O_WRONLY | O_CREAT, 0644);
>> write(fd, "\x7f\x45\x4c\x46\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02"
>> "\x00\x06\x00\xca\x3f\x8b\xca\x00\x00\x00\x00\x38\x00\x00\x00\x00\x00"
>> "\x00\xf7\xff\xff\xff\xff\xff\xff\x1f\x00\x02\x00\x00\x00\x00\x00\x00"
>> "\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf8\x7b"
>> "\x66\xff\x00\x00\x05\x00\x00\x00\x76\x86\x00\x00\x00\x00\x00\x00\x00"
>> "\x00\x00\x00\x31\x0f\xf3\xee\xc1\xb0\x00\x0c\x08\x53\x55\xbe\x88\x47"
>> "\xc2\x2e\x30\xf5\x62\x82\xc6\x2c\x95\x72\x3f\x06\x8f\xe4\x2d\x27\x96"
>> "\xcc", 120);
>> fchmod(fd, 0755);
>> close(fd);
>> mlockall(MCL_FUTURE); /* Removing this line avoids the bug. */
>> uselib("file");
>> return 0;
>> }
>> ------------------------------------------------------------
>>
>> ------------------------------------------------------------
>> CentOS Linux 7 (Core)
>> Kernel 4.18.0-rc3 on an x86_64
>>
>> localhost login: [ 81.210241] emacs (9634) used greatest stack depth: 10416 bytes left
>> [ 140.099935] ------------[ cut here ]------------
>> [ 140.101904] kernel BUG at mm/gup.c:1242!
>
> Is this
> VM_BUG_ON(len != PAGE_ALIGN(len));
> in __mm_populate? I do not really get why we should VM_BUG_ON when the
> len is not page aligned to be honest. The library is probably containing
> some funky setup but if we simply cannot round up to the next PAGE_SIZE
> boundary then we should probably just error out and fail. This is an
> area I am really familiar with so I cannot really judge.
A strange thing is that __mm_populate() is only called by do_mlock() from mm/mlock.c,
which makes len PAGE_ALIGN already. That VM_BUG_ON should not be triggered.
—
Best Regards,
Yan Zi
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 516 bytes --]
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: kernel BUG at mm/gup.c:LINE!
2018-07-04 11:48 ` Zi Yan
@ 2018-07-04 12:11 ` Michal Hocko
2018-07-04 15:15 ` Oscar Salvador
2018-07-04 12:12 ` kernel BUG at mm/gup.c:LINE! Oscar Salvador
1 sibling, 1 reply; 19+ messages in thread
From: Michal Hocko @ 2018-07-04 12:11 UTC (permalink / raw)
To: Zi Yan
Cc: Tetsuo Handa, syzbot, akpm, aneesh.kumar, dan.j.williams,
kirill.shutemov, linux-mm, mst, syzkaller-bugs, viro, ying.huang
On Wed 04-07-18 07:48:27, Zi Yan wrote:
> On 4 Jul 2018, at 7:17, Michal Hocko wrote:
>
> > On Wed 04-07-18 19:01:51, Tetsuo Handa wrote:
> >> +Michal Hocko
> >>
> >> On 2018/07/04 13:19, syzbot wrote:
> >>> Hello,
> >>>
> >>> syzbot found the following crash on:
> >>>
> >>> HEAD commit: d3bc0e67f852 Merge tag 'for-4.18-rc2-tag' of git://git.ker..
> >>> git tree: upstream
> >>> console output: https://syzkaller.appspot.com/x/log.txt?x=1000077c400000
> >>> kernel config: https://syzkaller.appspot.com/x/.config?x=a63be0c83e84d370
> >>> dashboard link: https://syzkaller.appspot.com/bug?extid=5dcb560fe12aa5091c06
> >>> compiler: gcc (GCC) 8.0.1 20180413 (experimental)
> >>> userspace arch: i386
> >>> syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=158577a2400000
> >>
> >> Here is C reproducer made from syz reproducer. mlockall(MCL_FUTURE) is involved.
> >>
> >> This problem is triggerable by an unprivileged user.
> >> Shows different result on x86_64 (crash) and x86_32 (stall).
> >>
> >> ------------------------------------------------------------
> >> /* Need to compile using "-m32" option if host is 64bit. */
> >> #include <sys/types.h>
> >> #include <sys/stat.h>
> >> #include <fcntl.h>
> >> #include <unistd.h>
> >> #include <sys/mman.h>
> >> int uselib(const char *library);
> >>
> >> int main(int argc, char *argv[])
> >> {
> >> int fd = open("file", O_WRONLY | O_CREAT, 0644);
> >> write(fd, "\x7f\x45\x4c\x46\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02"
> >> "\x00\x06\x00\xca\x3f\x8b\xca\x00\x00\x00\x00\x38\x00\x00\x00\x00\x00"
> >> "\x00\xf7\xff\xff\xff\xff\xff\xff\x1f\x00\x02\x00\x00\x00\x00\x00\x00"
> >> "\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf8\x7b"
> >> "\x66\xff\x00\x00\x05\x00\x00\x00\x76\x86\x00\x00\x00\x00\x00\x00\x00"
> >> "\x00\x00\x00\x31\x0f\xf3\xee\xc1\xb0\x00\x0c\x08\x53\x55\xbe\x88\x47"
> >> "\xc2\x2e\x30\xf5\x62\x82\xc6\x2c\x95\x72\x3f\x06\x8f\xe4\x2d\x27\x96"
> >> "\xcc", 120);
> >> fchmod(fd, 0755);
> >> close(fd);
> >> mlockall(MCL_FUTURE); /* Removing this line avoids the bug. */
> >> uselib("file");
> >> return 0;
> >> }
> >> ------------------------------------------------------------
> >>
> >> ------------------------------------------------------------
> >> CentOS Linux 7 (Core)
> >> Kernel 4.18.0-rc3 on an x86_64
> >>
> >> localhost login: [ 81.210241] emacs (9634) used greatest stack depth: 10416 bytes left
> >> [ 140.099935] ------------[ cut here ]------------
> >> [ 140.101904] kernel BUG at mm/gup.c:1242!
> >
> > Is this
> > VM_BUG_ON(len != PAGE_ALIGN(len));
> > in __mm_populate? I do not really get why we should VM_BUG_ON when the
> > len is not page aligned to be honest. The library is probably containing
> > some funky setup but if we simply cannot round up to the next PAGE_SIZE
> > boundary then we should probably just error out and fail. This is an
> > area I am really familiar with so I cannot really judge.
>
> A strange thing is that __mm_populate() is only called by do_mlock() from mm/mlock.c,
> which makes len PAGE_ALIGN already. That VM_BUG_ON should not be triggered.
Not really. vm_brk_flags does call mm_populate for mlocked brk which is
the case for mlockall. I do not see any len sanitization in that path.
Well do_brk_flags does the roundup. I think we should simply remove the
bug on and round up there. mm_populate is an internal API and we should
trust our callers.
Anyway, the minimum fix seems to be the following (untested):
diff --git a/mm/mmap.c b/mm/mmap.c
index 9859cd4e19b9..56ad19cf2aea 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -186,8 +186,8 @@ static struct vm_area_struct *remove_vma(struct vm_area_struct *vma)
return next;
}
-static int do_brk(unsigned long addr, unsigned long len, struct list_head *uf);
-
+static int do_brk_flags(unsigned long addr, unsigned long request, unsigned long flags,
+ struct list_head *uf);
SYSCALL_DEFINE1(brk, unsigned long, brk)
{
unsigned long retval;
@@ -245,7 +245,7 @@ SYSCALL_DEFINE1(brk, unsigned long, brk)
goto out;
/* Ok, looks good - let it rip. */
- if (do_brk(oldbrk, newbrk-oldbrk, &uf) < 0)
+ if (do_brk_flags(oldbrk, newbrk-oldbrk, 0, &uf) < 0)
goto out;
set_brk:
@@ -2939,12 +2939,6 @@ static int do_brk_flags(unsigned long addr, unsigned long request, unsigned long
pgoff_t pgoff = addr >> PAGE_SHIFT;
int error;
- len = PAGE_ALIGN(request);
- if (len < request)
- return -ENOMEM;
- if (!len)
- return 0;
-
/* Until we need other flags, refuse anything except VM_EXEC. */
if ((flags & (~VM_EXEC)) != 0)
return -EINVAL;
@@ -3016,18 +3010,20 @@ static int do_brk_flags(unsigned long addr, unsigned long request, unsigned long
return 0;
}
-static int do_brk(unsigned long addr, unsigned long len, struct list_head *uf)
-{
- return do_brk_flags(addr, len, 0, uf);
-}
-
-int vm_brk_flags(unsigned long addr, unsigned long len, unsigned long flags)
+int vm_brk_flags(unsigned long addr, unsigned long request, unsigned long flags)
{
struct mm_struct *mm = current->mm;
+ unsigned long len;
int ret;
bool populate;
LIST_HEAD(uf);
+ len = PAGE_ALIGN(request);
+ if (len < request)
+ return -ENOMEM;
+ if (!len)
+ return 0;
+
if (down_write_killable(&mm->mmap_sem))
return -EINTR;
--
Michal Hocko
SUSE Labs
^ permalink raw reply related [flat|nested] 19+ messages in thread
* Re: kernel BUG at mm/gup.c:LINE!
2018-07-04 11:48 ` Zi Yan
2018-07-04 12:11 ` Michal Hocko
@ 2018-07-04 12:12 ` Oscar Salvador
1 sibling, 0 replies; 19+ messages in thread
From: Oscar Salvador @ 2018-07-04 12:12 UTC (permalink / raw)
To: Zi Yan
Cc: Michal Hocko, Tetsuo Handa, syzbot, akpm, aneesh.kumar,
dan.j.williams, kirill.shutemov, linux-mm, mst, syzkaller-bugs,
viro, ying.huang
> A strange thing is that __mm_populate() is only called by do_mlock() from mm/mlock.c,
> which makes len PAGE_ALIGN already. That VM_BUG_ON should not be triggered.
Unless I overlooked something, __mm_populate() gets called from:
load_elf_library() -> vm_brk() -> vm_brk_flags():
vm_brk_flags() {
...
populate = ((mm->def_flags & VM_LOCKED) != 0);
...
if (populate && !ret)
mm_populate(addr, len);
}
mm_populate() -> __mm_populate():
__mm_populate() {
...
VM_BUG_ON(len != PAGE_ALIGN(len));
...
}
In load_elf_library(), we have:
len = ELF_PAGESTART(eppnt->p_filesz + eppnt->p_vaddr +
ELF_MIN_ALIGN - 1);
bss = eppnt->p_memsz + eppnt->p_vaddr;
if (bss > len) {
error = vm_brk(len, bss - len);
if (error)
goto out_free_ph;
}
So len gets page aligned, but not bss (eppnt->p_memsz + eppnt->p_vaddr), maybe that's the problem?
--
Oscar Salvador
SUSE L3
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: kernel BUG at mm/gup.c:LINE!
2018-07-04 12:11 ` Michal Hocko
@ 2018-07-04 15:15 ` Oscar Salvador
2018-07-05 0:35 ` Tetsuo Handa
2018-07-05 6:44 ` Michal Hocko
0 siblings, 2 replies; 19+ messages in thread
From: Oscar Salvador @ 2018-07-04 15:15 UTC (permalink / raw)
To: Michal Hocko
Cc: Zi Yan, Tetsuo Handa, syzbot, akpm, aneesh.kumar, dan.j.williams,
kirill.shutemov, linux-mm, mst, syzkaller-bugs, viro, ying.huang
>
> Not really. vm_brk_flags does call mm_populate for mlocked brk which is
> the case for mlockall. I do not see any len sanitization in that path.
> Well do_brk_flags does the roundup. I think we should simply remove the
> bug on and round up there. mm_populate is an internal API and we should
> trust our callers.
>
> Anyway, the minimum fix seems to be the following (untested):
>
> diff --git a/mm/mmap.c b/mm/mmap.c
> index 9859cd4e19b9..56ad19cf2aea 100644
> --- a/mm/mmap.c
> +++ b/mm/mmap.c
> @@ -186,8 +186,8 @@ static struct vm_area_struct *remove_vma(struct vm_area_struct *vma)
> return next;
> }
>
> -static int do_brk(unsigned long addr, unsigned long len, struct list_head *uf);
> -
> +static int do_brk_flags(unsigned long addr, unsigned long request, unsigned long flags,
> + struct list_head *uf);
> SYSCALL_DEFINE1(brk, unsigned long, brk)
> {
> unsigned long retval;
> @@ -245,7 +245,7 @@ SYSCALL_DEFINE1(brk, unsigned long, brk)
> goto out;
>
> /* Ok, looks good - let it rip. */
> - if (do_brk(oldbrk, newbrk-oldbrk, &uf) < 0)
> + if (do_brk_flags(oldbrk, newbrk-oldbrk, 0, &uf) < 0)
> goto out;
>
> set_brk:
> @@ -2939,12 +2939,6 @@ static int do_brk_flags(unsigned long addr, unsigned long request, unsigned long
> pgoff_t pgoff = addr >> PAGE_SHIFT;
> int error;
>
> - len = PAGE_ALIGN(request);
> - if (len < request)
> - return -ENOMEM;
> - if (!len)
> - return 0;
> -
> /* Until we need other flags, refuse anything except VM_EXEC. */
> if ((flags & (~VM_EXEC)) != 0)
> return -EINVAL;
> @@ -3016,18 +3010,20 @@ static int do_brk_flags(unsigned long addr, unsigned long request, unsigned long
> return 0;
> }
>
> -static int do_brk(unsigned long addr, unsigned long len, struct list_head *uf)
> -{
> - return do_brk_flags(addr, len, 0, uf);
> -}
> -
> -int vm_brk_flags(unsigned long addr, unsigned long len, unsigned long flags)
> +int vm_brk_flags(unsigned long addr, unsigned long request, unsigned long flags)
> {
> struct mm_struct *mm = current->mm;
> + unsigned long len;
> int ret;
> bool populate;
> LIST_HEAD(uf);
>
> + len = PAGE_ALIGN(request);
> + if (len < request)
> + return -ENOMEM;
> + if (!len)
> + return 0;
> +
> if (down_write_killable(&mm->mmap_sem))
> return -EINTR;
I gave this patch a try but the system doesn't boot.
Unfortunately, I don't have the stacktrace on hand, but I'll get back to it tomorrow.
Anyway, I just gave it a try, and making sure that bss gets page aligned seems to
"fix" the issue (at the process doesn't hang anymore):
- bss = eppnt->p_memsz + eppnt->p_vaddr;
+ bss = ELF_PAGESTART(eppnt->p_memsz + eppnt->p_vaddr);
if (bss > len) {
error = vm_brk(len, bss - len);
Although I'm not sure about the correctness of this.
--
Oscar Salvador
SUSE L3
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: kernel BUG at mm/gup.c:LINE!
2018-07-04 15:15 ` Oscar Salvador
@ 2018-07-05 0:35 ` Tetsuo Handa
2018-07-05 7:18 ` Oscar Salvador
2018-07-05 6:44 ` Michal Hocko
1 sibling, 1 reply; 19+ messages in thread
From: Tetsuo Handa @ 2018-07-05 0:35 UTC (permalink / raw)
To: Oscar Salvador, viro
Cc: Michal Hocko, Zi Yan, syzbot, akpm, aneesh.kumar, dan.j.williams,
kirill.shutemov, linux-mm, mst, syzkaller-bugs, ying.huang
Oscar Salvador wrote:
> Anyway, I just gave it a try, and making sure that bss gets page aligned seems to
> "fix" the issue (at the process doesn't hang anymore):
>
> - bss = eppnt->p_memsz + eppnt->p_vaddr;
> + bss = ELF_PAGESTART(eppnt->p_memsz + eppnt->p_vaddr);
> if (bss > len) {
> error = vm_brk(len, bss - len);
>
> Although I'm not sure about the correctness of this.
static int set_brk(unsigned long start, unsigned long end, int prot)
{
start = ELF_PAGEALIGN(start);
end = ELF_PAGEALIGN(end);
if (end > start) {
/*
* Map the last of the bss segment.
* If the header is requesting these pages to be
* executable, honour that (ppc32 needs this).
*/
int error = vm_brk_flags(start, end - start,
prot & PROT_EXEC ? VM_EXEC : 0);
if (error)
return error;
}
current->mm->start_brk = current->mm->brk = end;
return 0;
}
static unsigned long load_elf_interp(struct elfhdr *interp_elf_ex,
struct file *interpreter, unsigned long *interp_map_addr,
unsigned long no_base, struct elf_phdr *interp_elf_phdata)
{
(...snipped...)
/*
* Next, align both the file and mem bss up to the page size,
* since this is where elf_bss was just zeroed up to, and where
* last_bss will end after the vm_brk_flags() below.
*/
elf_bss = ELF_PAGEALIGN(elf_bss);
last_bss = ELF_PAGEALIGN(last_bss);
/* Finally, if there is still more bss to allocate, do it. */
if (last_bss > elf_bss) {
error = vm_brk_flags(elf_bss, last_bss - elf_bss,
bss_prot & PROT_EXEC ? VM_EXEC : 0);
if (error)
goto out;
}
(...snipped...)
}
static int load_elf_library(struct file *file)
{
(...snipped...)
len = ELF_PAGESTART(eppnt->p_filesz + eppnt->p_vaddr +
ELF_MIN_ALIGN - 1);
bss = eppnt->p_memsz + eppnt->p_vaddr;
if (bss > len) {
error = vm_brk(len, bss - len);
if (error)
goto out_free_ph;
}
(...snipped...)
}
So, indeed "bss" needs to be aligned.
But ELF_PAGESTART() or ELF_PAGEALIGN(), which one to use?
#define ELF_PAGESTART(_v) ((_v) & ~(unsigned long)(ELF_MIN_ALIGN-1))
#define ELF_PAGEALIGN(_v) (((_v) + ELF_MIN_ALIGN - 1) & ~(ELF_MIN_ALIGN - 1))
Is
- len = ELF_PAGESTART(eppnt->p_filesz + eppnt->p_vaddr +
- ELF_MIN_ALIGN - 1);
+ len = ELF_PAGEALIGN(eppnt->p_filesz + eppnt->p_vaddr);
suggesting that
- bss = eppnt->p_memsz + eppnt->p_vaddr;
+ bss = ELF_PAGEALIGN(eppnt->p_memsz + eppnt->p_vaddr);
is the right choice? I don't know...
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: kernel BUG at mm/gup.c:LINE!
2018-07-04 15:15 ` Oscar Salvador
2018-07-05 0:35 ` Tetsuo Handa
@ 2018-07-05 6:44 ` Michal Hocko
2018-07-05 7:18 ` Oscar Salvador
1 sibling, 1 reply; 19+ messages in thread
From: Michal Hocko @ 2018-07-05 6:44 UTC (permalink / raw)
To: Oscar Salvador
Cc: Zi Yan, Tetsuo Handa, syzbot, akpm, aneesh.kumar, dan.j.williams,
kirill.shutemov, linux-mm, mst, syzkaller-bugs, viro, ying.huang
On Wed 04-07-18 17:15:29, Oscar Salvador wrote:
> >
> > Not really. vm_brk_flags does call mm_populate for mlocked brk which is
> > the case for mlockall. I do not see any len sanitization in that path.
> > Well do_brk_flags does the roundup. I think we should simply remove the
> > bug on and round up there. mm_populate is an internal API and we should
> > trust our callers.
> >
> > Anyway, the minimum fix seems to be the following (untested):
> >
> > diff --git a/mm/mmap.c b/mm/mmap.c
> > index 9859cd4e19b9..56ad19cf2aea 100644
> > --- a/mm/mmap.c
> > +++ b/mm/mmap.c
> > @@ -186,8 +186,8 @@ static struct vm_area_struct *remove_vma(struct vm_area_struct *vma)
> > return next;
> > }
> >
> > -static int do_brk(unsigned long addr, unsigned long len, struct list_head *uf);
> > -
> > +static int do_brk_flags(unsigned long addr, unsigned long request, unsigned long flags,
> > + struct list_head *uf);
> > SYSCALL_DEFINE1(brk, unsigned long, brk)
> > {
> > unsigned long retval;
> > @@ -245,7 +245,7 @@ SYSCALL_DEFINE1(brk, unsigned long, brk)
> > goto out;
> >
> > /* Ok, looks good - let it rip. */
> > - if (do_brk(oldbrk, newbrk-oldbrk, &uf) < 0)
> > + if (do_brk_flags(oldbrk, newbrk-oldbrk, 0, &uf) < 0)
> > goto out;
> >
> > set_brk:
> > @@ -2939,12 +2939,6 @@ static int do_brk_flags(unsigned long addr, unsigned long request, unsigned long
> > pgoff_t pgoff = addr >> PAGE_SHIFT;
> > int error;
> >
> > - len = PAGE_ALIGN(request);
> > - if (len < request)
> > - return -ENOMEM;
> > - if (!len)
> > - return 0;
> > -
> > /* Until we need other flags, refuse anything except VM_EXEC. */
> > if ((flags & (~VM_EXEC)) != 0)
> > return -EINVAL;
> > @@ -3016,18 +3010,20 @@ static int do_brk_flags(unsigned long addr, unsigned long request, unsigned long
> > return 0;
> > }
> >
> > -static int do_brk(unsigned long addr, unsigned long len, struct list_head *uf)
> > -{
> > - return do_brk_flags(addr, len, 0, uf);
> > -}
> > -
> > -int vm_brk_flags(unsigned long addr, unsigned long len, unsigned long flags)
> > +int vm_brk_flags(unsigned long addr, unsigned long request, unsigned long flags)
> > {
> > struct mm_struct *mm = current->mm;
> > + unsigned long len;
> > int ret;
> > bool populate;
> > LIST_HEAD(uf);
> >
> > + len = PAGE_ALIGN(request);
> > + if (len < request)
> > + return -ENOMEM;
> > + if (!len)
> > + return 0;
> > +
> > if (down_write_killable(&mm->mmap_sem))
> > return -EINTR;
>
> I gave this patch a try but the system doesn't boot.
> Unfortunately, I don't have the stacktrace on hand, but I'll get back to it tomorrow.
This is more than unexpected. The patch merely move the alignment check
up. I will try to investigate some more but I am off for next four days
and won't be online most of the time.
Btw. does the same happen if you keep do_brk helper and add the length
sanitization there as well?
--
Michal Hocko
SUSE Labs
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: kernel BUG at mm/gup.c:LINE!
2018-07-05 0:35 ` Tetsuo Handa
@ 2018-07-05 7:18 ` Oscar Salvador
2018-07-05 11:40 ` Oscar Salvador
0 siblings, 1 reply; 19+ messages in thread
From: Oscar Salvador @ 2018-07-05 7:18 UTC (permalink / raw)
To: Tetsuo Handa
Cc: viro, Michal Hocko, Zi Yan, syzbot, akpm, aneesh.kumar,
dan.j.williams, kirill.shutemov, linux-mm, mst, syzkaller-bugs,
ying.huang
> So, indeed "bss" needs to be aligned.
> But ELF_PAGESTART() or ELF_PAGEALIGN(), which one to use?
>
> #define ELF_PAGESTART(_v) ((_v) & ~(unsigned long)(ELF_MIN_ALIGN-1))
> #define ELF_PAGEALIGN(_v) (((_v) + ELF_MIN_ALIGN - 1) & ~(ELF_MIN_ALIGN - 1))
>
> Is
>
> - len = ELF_PAGESTART(eppnt->p_filesz + eppnt->p_vaddr +
> - ELF_MIN_ALIGN - 1);
> + len = ELF_PAGEALIGN(eppnt->p_filesz + eppnt->p_vaddr);
>
> suggesting that
>
> - bss = eppnt->p_memsz + eppnt->p_vaddr;
> + bss = ELF_PAGEALIGN(eppnt->p_memsz + eppnt->p_vaddr);
>
> is the right choice? I don't know...
Yes, I think that ELF_PAGEALIGN is the right choice here.
Given that bss is 0x7bf88676, using ELF_PAGESTART aligns it but backwards, while ELF_PAGEALIGN does
the right thing:
bss = 0x7bf88676
ELF_PAGESTART (bss) = 0x7bf88000
ELF_PAGEALIGN (bss) = 0x7bf89000
--
Oscar Salvador
SUSE L3
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: kernel BUG at mm/gup.c:LINE!
2018-07-05 6:44 ` Michal Hocko
@ 2018-07-05 7:18 ` Oscar Salvador
2018-07-05 12:30 ` Oscar Salvador
0 siblings, 1 reply; 19+ messages in thread
From: Oscar Salvador @ 2018-07-05 7:18 UTC (permalink / raw)
To: Michal Hocko
Cc: Zi Yan, Tetsuo Handa, syzbot, akpm, aneesh.kumar, dan.j.williams,
kirill.shutemov, linux-mm, mst, syzkaller-bugs, viro, ying.huang
> This is more than unexpected. The patch merely move the alignment check
> up. I will try to investigate some more but I am off for next four days
> and won't be online most of the time.
>
> Btw. does the same happen if you keep do_brk helper and add the length
> sanitization there as well?
I will give it a try and I will let you know.
--
Oscar Salvador
SUSE L3
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: kernel BUG at mm/gup.c:LINE!
2018-07-05 7:18 ` Oscar Salvador
@ 2018-07-05 11:40 ` Oscar Salvador
0 siblings, 0 replies; 19+ messages in thread
From: Oscar Salvador @ 2018-07-05 11:40 UTC (permalink / raw)
To: Tetsuo Handa
Cc: viro, Michal Hocko, Zi Yan, syzbot, akpm, aneesh.kumar,
dan.j.williams, kirill.shutemov, linux-mm, mst, syzkaller-bugs,
ying.huang
On Thu, Jul 05, 2018 at 09:18:08AM +0200, Oscar Salvador wrote:
> > So, indeed "bss" needs to be aligned.
> > But ELF_PAGESTART() or ELF_PAGEALIGN(), which one to use?
> >
> > #define ELF_PAGESTART(_v) ((_v) & ~(unsigned long)(ELF_MIN_ALIGN-1))
> > #define ELF_PAGEALIGN(_v) (((_v) + ELF_MIN_ALIGN - 1) & ~(ELF_MIN_ALIGN - 1))
> >
> > Is
> >
> > - len = ELF_PAGESTART(eppnt->p_filesz + eppnt->p_vaddr +
> > - ELF_MIN_ALIGN - 1);
> > + len = ELF_PAGEALIGN(eppnt->p_filesz + eppnt->p_vaddr);
> >
> > suggesting that
> >
> > - bss = eppnt->p_memsz + eppnt->p_vaddr;
> > + bss = ELF_PAGEALIGN(eppnt->p_memsz + eppnt->p_vaddr);
> >
> > is the right choice? I don't know...
>
> Yes, I think that ELF_PAGEALIGN is the right choice here.
> Given that bss is 0x7bf88676, using ELF_PAGESTART aligns it but backwards, while ELF_PAGEALIGN does
> the right thing:
>
> bss = 0x7bf88676
> ELF_PAGESTART (bss) = 0x7bf88000
> ELF_PAGEALIGN (bss) = 0x7bf89000
I think this should do the trick:
diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
index 0ac456b52bdd..6c7e005ae12d 100644
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -1259,9 +1259,9 @@ static int load_elf_library(struct file *file)
goto out_free_ph;
}
- len = ELF_PAGESTART(eppnt->p_filesz + eppnt->p_vaddr +
- ELF_MIN_ALIGN - 1);
- bss = eppnt->p_memsz + eppnt->p_vaddr;
+
+ len = ELF_PAGEALIGN(eppnt->p_filesz + eppnt->p_vaddr);
+ bss = ELF_PAGEALIGN(eppnt->p_memsz + eppnt->p_vaddr);
if (bss > len) {
error = vm_brk(len, bss - len);
if (error)
I could only test it in x86_64 (with -m32).
Could you test it on x86_32?
--
Oscar Salvador
SUSE L3
^ permalink raw reply related [flat|nested] 19+ messages in thread
* Re: kernel BUG at mm/gup.c:LINE!
2018-07-05 7:18 ` Oscar Salvador
@ 2018-07-05 12:30 ` Oscar Salvador
2018-07-05 13:40 ` Tetsuo Handa
2018-07-06 5:35 ` Michal Hocko
0 siblings, 2 replies; 19+ messages in thread
From: Oscar Salvador @ 2018-07-05 12:30 UTC (permalink / raw)
To: Michal Hocko
Cc: Zi Yan, Tetsuo Handa, syzbot, akpm, aneesh.kumar, dan.j.williams,
kirill.shutemov, linux-mm, mst, syzkaller-bugs, viro, ying.huang
On Thu, Jul 05, 2018 at 09:18:39AM +0200, Oscar Salvador wrote:
>
> > This is more than unexpected. The patch merely move the alignment check
> > up. I will try to investigate some more but I am off for next four days
> > and won't be online most of the time.
> >
> > Btw. does the same happen if you keep do_brk helper and add the length
> > sanitization there as well?
I took another look.
The problem was that while deleting the check in do_brk_flags(), this left then "len"
local variable with an unset value, but we need it to contain the request value
because we do use it in further calls in do_brk_flags(), like:
while (find_vma_links(mm, addr, addr + len, &prev, &rb_link,
&rb_parent)) {
if (do_munmap(mm, addr, len, uf))
return -ENOMEM;
}
or
if (!may_expand_vm(mm, flags, len >> PAGE_SHIFT))
and so on.
This boots and works with the reproducer:
diff --git a/mm/mmap.c b/mm/mmap.c
index 9859cd4e19b9..e4c9e995870f 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -186,8 +186,8 @@ static struct vm_area_struct *remove_vma(struct vm_area_struct *vma)
return next;
}
-static int do_brk(unsigned long addr, unsigned long len, struct list_head *uf);
-
+static int do_brk_flags(unsigned long addr, unsigned long request, unsigned long flags,
+ struct list_head *uf);
SYSCALL_DEFINE1(brk, unsigned long, brk)
{
unsigned long retval;
@@ -245,7 +245,7 @@ SYSCALL_DEFINE1(brk, unsigned long, brk)
goto out;
/* Ok, looks good - let it rip. */
- if (do_brk(oldbrk, newbrk-oldbrk, &uf) < 0)
+ if (do_brk_flags(oldbrk, newbrk-oldbrk, 0, &uf) < 0)
goto out;
set_brk:
@@ -2934,17 +2934,11 @@ static int do_brk_flags(unsigned long addr, unsigned long request, unsigned long
{
struct mm_struct *mm = current->mm;
struct vm_area_struct *vma, *prev;
- unsigned long len;
+ unsigned long len = request;
struct rb_node **rb_link, *rb_parent;
pgoff_t pgoff = addr >> PAGE_SHIFT;
int error;
- len = PAGE_ALIGN(request);
- if (len < request)
- return -ENOMEM;
- if (!len)
- return 0;
-
/* Until we need other flags, refuse anything except VM_EXEC. */
if ((flags & (~VM_EXEC)) != 0)
return -EINVAL;
@@ -3016,18 +3010,20 @@ static int do_brk_flags(unsigned long addr, unsigned long request, unsigned long
return 0;
}
-static int do_brk(unsigned long addr, unsigned long len, struct list_head *uf)
-{
- return do_brk_flags(addr, len, 0, uf);
-}
-
-int vm_brk_flags(unsigned long addr, unsigned long len, unsigned long flags)
+int vm_brk_flags(unsigned long addr, unsigned long request, unsigned long flags)
{
struct mm_struct *mm = current->mm;
int ret;
+ unsigned long len;
bool populate;
LIST_HEAD(uf);
+ len = PAGE_ALIGN(request);
+ if (len < request)
+ return -ENOMEM;
+ if (!len)
+ return 0;
+
if (down_write_killable(&mm->mmap_sem))
return -EINTR;
But I think that we should also add:
diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
index 0ac456b52bdd..6c7e005ae12d 100644
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -1259,9 +1259,9 @@ static int load_elf_library(struct file *file)
goto out_free_ph;
}
- len = ELF_PAGESTART(eppnt->p_filesz + eppnt->p_vaddr +
- ELF_MIN_ALIGN - 1);
- bss = eppnt->p_memsz + eppnt->p_vaddr;
+
+ len = ELF_PAGEALIGN(eppnt->p_filesz + eppnt->p_vaddr);
+ bss = ELF_PAGEALIGN(eppnt->p_memsz + eppnt->p_vaddr);
if (bss > len) {
error = vm_brk(len, bss - len);
if (error)
--
Oscar Salvador
SUSE L3
^ permalink raw reply related [flat|nested] 19+ messages in thread
* Re: kernel BUG at mm/gup.c:LINE!
2018-07-05 12:30 ` Oscar Salvador
@ 2018-07-05 13:40 ` Tetsuo Handa
2018-07-06 5:35 ` Michal Hocko
1 sibling, 0 replies; 19+ messages in thread
From: Tetsuo Handa @ 2018-07-05 13:40 UTC (permalink / raw)
To: Oscar Salvador, Michal Hocko
Cc: Zi Yan, syzbot, akpm, aneesh.kumar, dan.j.williams,
kirill.shutemov, linux-mm, mst, syzkaller-bugs, viro, ying.huang
On 2018/07/05 21:30, Oscar Salvador wrote:
> This boots and works with the reproducer:
Yes, this patch fixes the problem on x86_32.
> But I think that we should also add:
Yes, this patch also fixes the problem on x86_32.
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: kernel BUG at mm/gup.c:LINE!
2018-07-05 12:30 ` Oscar Salvador
2018-07-05 13:40 ` Tetsuo Handa
@ 2018-07-06 5:35 ` Michal Hocko
2018-07-06 7:40 ` Oscar Salvador
2018-07-06 7:50 ` [PATCH] mm: do not bug_on on incorrect lenght in __mm_populate kbuild test robot
1 sibling, 2 replies; 19+ messages in thread
From: Michal Hocko @ 2018-07-06 5:35 UTC (permalink / raw)
To: Oscar Salvador
Cc: Zi Yan, Tetsuo Handa, syzbot, akpm, aneesh.kumar, dan.j.williams,
kirill.shutemov, linux-mm, mst, syzkaller-bugs, viro, ying.huang
On Thu 05-07-18 14:30:17, Oscar Salvador wrote:
> On Thu, Jul 05, 2018 at 09:18:39AM +0200, Oscar Salvador wrote:
> >
> > > This is more than unexpected. The patch merely move the alignment check
> > > up. I will try to investigate some more but I am off for next four days
> > > and won't be online most of the time.
> > >
> > > Btw. does the same happen if you keep do_brk helper and add the length
> > > sanitization there as well?
>
> I took another look.
> The problem was that while deleting the check in do_brk_flags(), this left then "len"
> local variable with an unset value, but we need it to contain the request value
> because we do use it in further calls in do_brk_flags(), like:
Very well spotted. Thanks for noticing! I am really half online so I
cannot give it much testing right now. But here is the updated patch
with the changelog. I cannot really tell whether the other change to
align up in load_elf_library is correct as well. It seems OK but
everything around elf loading is tricky from my past experience.
My patch simply makes vm_brk_flags behavior consistent so I believe we
should do that regardless (unless I've screwed something else here of
course).
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: kernel BUG at mm/gup.c:LINE!
2018-07-06 5:35 ` Michal Hocko
@ 2018-07-06 7:40 ` Oscar Salvador
2018-07-06 7:50 ` [PATCH] mm: do not bug_on on incorrect lenght in __mm_populate kbuild test robot
1 sibling, 0 replies; 19+ messages in thread
From: Oscar Salvador @ 2018-07-06 7:40 UTC (permalink / raw)
To: Michal Hocko
Cc: Zi Yan, Tetsuo Handa, syzbot, akpm, aneesh.kumar, dan.j.williams,
kirill.shutemov, linux-mm, mst, syzkaller-bugs, viro, ying.huang
> Reported-by: syzbot <syzbot+5dcb560fe12aa5091c06@syzkaller.appspotmail.com>
> [osalvador: fix up vm_brk_flags s@request@len@]
> Tested-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
> Cc: stable
> Signed-off-by: Michal Hocko <mhocko@suse.com>
hi Michal,
I gave it another spin and it works for me.
FWIW:
Reviewed-by: Oscar Salvador <osalvador@suse.de>
--
Oscar Salvador
SUSE L3
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH] mm: do not bug_on on incorrect lenght in __mm_populate
2018-07-06 5:35 ` Michal Hocko
2018-07-06 7:40 ` Oscar Salvador
@ 2018-07-06 7:50 ` kbuild test robot
2018-07-06 8:23 ` Oscar Salvador
1 sibling, 1 reply; 19+ messages in thread
From: kbuild test robot @ 2018-07-06 7:50 UTC (permalink / raw)
To: Michal Hocko
Cc: kbuild-all, Oscar Salvador, Zi Yan, Tetsuo Handa, syzbot, akpm,
aneesh.kumar, dan.j.williams, kirill.shutemov, linux-mm, mst,
syzkaller-bugs, viro, ying.huang
[-- Attachment #1: Type: text/plain, Size: 8053 bytes --]
Hi Michal,
I love your patch! Yet something to improve:
[auto build test ERROR on linus/master]
[also build test ERROR on v4.18-rc3 next-20180705]
[if your patch is applied to the wrong git tree, please drop us a note to help improve the system]
url: https://github.com/0day-ci/linux/commits/Michal-Hocko/mm-do-not-bug_on-on-incorrect-lenght-in-__mm_populate/20180706-134850
config: x86_64-randconfig-x015-201826 (attached as .config)
compiler: gcc-7 (Debian 7.3.0-16) 7.3.0
reproduce:
# save the attached .config to linux build tree
make ARCH=x86_64
All errors (new ones prefixed by >>):
mm/mmap.c: In function 'do_brk_flags':
>> mm/mmap.c:2936:16: error: 'len' redeclared as different kind of symbol
unsigned long len;
^~~
mm/mmap.c:2932:59: note: previous definition of 'len' was here
static int do_brk_flags(unsigned long addr, unsigned long len, unsigned long flags, struct list_head *uf)
^~~
vim +/len +2936 mm/mmap.c
^1da177e4 Linus Torvalds 2005-04-16 2926
^1da177e4 Linus Torvalds 2005-04-16 2927 /*
^1da177e4 Linus Torvalds 2005-04-16 2928 * this is really a simplified "do_mmap". it only handles
^1da177e4 Linus Torvalds 2005-04-16 2929 * anonymous maps. eventually we may be able to do some
^1da177e4 Linus Torvalds 2005-04-16 2930 * brk-specific accounting here.
^1da177e4 Linus Torvalds 2005-04-16 2931 */
e3049e198 Michal Hocko 2018-07-06 2932 static int do_brk_flags(unsigned long addr, unsigned long len, unsigned long flags, struct list_head *uf)
^1da177e4 Linus Torvalds 2005-04-16 2933 {
^1da177e4 Linus Torvalds 2005-04-16 2934 struct mm_struct *mm = current->mm;
^1da177e4 Linus Torvalds 2005-04-16 2935 struct vm_area_struct *vma, *prev;
16e72e9b3 Denys Vlasenko 2017-02-22 @2936 unsigned long len;
^1da177e4 Linus Torvalds 2005-04-16 2937 struct rb_node **rb_link, *rb_parent;
^1da177e4 Linus Torvalds 2005-04-16 2938 pgoff_t pgoff = addr >> PAGE_SHIFT;
3a4597568 Kirill Korotaev 2006-09-07 2939 int error;
^1da177e4 Linus Torvalds 2005-04-16 2940
16e72e9b3 Denys Vlasenko 2017-02-22 2941 /* Until we need other flags, refuse anything except VM_EXEC. */
16e72e9b3 Denys Vlasenko 2017-02-22 2942 if ((flags & (~VM_EXEC)) != 0)
16e72e9b3 Denys Vlasenko 2017-02-22 2943 return -EINVAL;
16e72e9b3 Denys Vlasenko 2017-02-22 2944 flags |= VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
3a4597568 Kirill Korotaev 2006-09-07 2945
2c6a10161 Al Viro 2009-12-03 2946 error = get_unmapped_area(NULL, addr, len, 0, MAP_FIXED);
de1741a13 Alexander Kuleshov 2015-11-05 2947 if (offset_in_page(error))
3a4597568 Kirill Korotaev 2006-09-07 2948 return error;
3a4597568 Kirill Korotaev 2006-09-07 2949
363ee17f0 Davidlohr Bueso 2014-01-21 2950 error = mlock_future_check(mm, mm->def_flags, len);
363ee17f0 Davidlohr Bueso 2014-01-21 2951 if (error)
363ee17f0 Davidlohr Bueso 2014-01-21 2952 return error;
^1da177e4 Linus Torvalds 2005-04-16 2953
^1da177e4 Linus Torvalds 2005-04-16 2954 /*
^1da177e4 Linus Torvalds 2005-04-16 2955 * mm->mmap_sem is required to protect against another thread
^1da177e4 Linus Torvalds 2005-04-16 2956 * changing the mappings in case we sleep.
^1da177e4 Linus Torvalds 2005-04-16 2957 */
^1da177e4 Linus Torvalds 2005-04-16 2958 verify_mm_writelocked(mm);
^1da177e4 Linus Torvalds 2005-04-16 2959
^1da177e4 Linus Torvalds 2005-04-16 2960 /*
^1da177e4 Linus Torvalds 2005-04-16 2961 * Clear old maps. this also does some error checking for us
^1da177e4 Linus Torvalds 2005-04-16 2962 */
9fcd14571 Rasmus Villemoes 2015-04-15 2963 while (find_vma_links(mm, addr, addr + len, &prev, &rb_link,
9fcd14571 Rasmus Villemoes 2015-04-15 2964 &rb_parent)) {
897ab3e0c Mike Rapoport 2017-02-24 2965 if (do_munmap(mm, addr, len, uf))
^1da177e4 Linus Torvalds 2005-04-16 2966 return -ENOMEM;
^1da177e4 Linus Torvalds 2005-04-16 2967 }
^1da177e4 Linus Torvalds 2005-04-16 2968
^1da177e4 Linus Torvalds 2005-04-16 2969 /* Check against address space limits *after* clearing old maps... */
846383359 Konstantin Khlebnikov 2016-01-14 2970 if (!may_expand_vm(mm, flags, len >> PAGE_SHIFT))
^1da177e4 Linus Torvalds 2005-04-16 2971 return -ENOMEM;
^1da177e4 Linus Torvalds 2005-04-16 2972
^1da177e4 Linus Torvalds 2005-04-16 2973 if (mm->map_count > sysctl_max_map_count)
^1da177e4 Linus Torvalds 2005-04-16 2974 return -ENOMEM;
^1da177e4 Linus Torvalds 2005-04-16 2975
191c54244 Al Viro 2012-02-13 2976 if (security_vm_enough_memory_mm(mm, len >> PAGE_SHIFT))
^1da177e4 Linus Torvalds 2005-04-16 2977 return -ENOMEM;
^1da177e4 Linus Torvalds 2005-04-16 2978
^1da177e4 Linus Torvalds 2005-04-16 2979 /* Can we just expand an old private anonymous mapping? */
ba470de43 Rik van Riel 2008-10-18 2980 vma = vma_merge(mm, prev, addr, addr + len, flags,
19a809afe Andrea Arcangeli 2015-09-04 2981 NULL, NULL, pgoff, NULL, NULL_VM_UFFD_CTX);
ba470de43 Rik van Riel 2008-10-18 2982 if (vma)
^1da177e4 Linus Torvalds 2005-04-16 2983 goto out;
^1da177e4 Linus Torvalds 2005-04-16 2984
^1da177e4 Linus Torvalds 2005-04-16 2985 /*
^1da177e4 Linus Torvalds 2005-04-16 2986 * create a vma struct for an anonymous mapping
^1da177e4 Linus Torvalds 2005-04-16 2987 */
c5e3b83e9 Pekka Enberg 2006-03-25 2988 vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
^1da177e4 Linus Torvalds 2005-04-16 2989 if (!vma) {
^1da177e4 Linus Torvalds 2005-04-16 2990 vm_unacct_memory(len >> PAGE_SHIFT);
^1da177e4 Linus Torvalds 2005-04-16 2991 return -ENOMEM;
^1da177e4 Linus Torvalds 2005-04-16 2992 }
^1da177e4 Linus Torvalds 2005-04-16 2993
5beb49305 Rik van Riel 2010-03-05 2994 INIT_LIST_HEAD(&vma->anon_vma_chain);
^1da177e4 Linus Torvalds 2005-04-16 2995 vma->vm_mm = mm;
^1da177e4 Linus Torvalds 2005-04-16 2996 vma->vm_start = addr;
^1da177e4 Linus Torvalds 2005-04-16 2997 vma->vm_end = addr + len;
^1da177e4 Linus Torvalds 2005-04-16 2998 vma->vm_pgoff = pgoff;
^1da177e4 Linus Torvalds 2005-04-16 2999 vma->vm_flags = flags;
3ed75eb8f Coly Li 2007-10-18 3000 vma->vm_page_prot = vm_get_page_prot(flags);
^1da177e4 Linus Torvalds 2005-04-16 3001 vma_link(mm, vma, prev, rb_link, rb_parent);
^1da177e4 Linus Torvalds 2005-04-16 3002 out:
3af9e8592 Eric B Munson 2010-05-18 3003 perf_event_mmap(vma);
^1da177e4 Linus Torvalds 2005-04-16 3004 mm->total_vm += len >> PAGE_SHIFT;
846383359 Konstantin Khlebnikov 2016-01-14 3005 mm->data_vm += len >> PAGE_SHIFT;
128557ffe Michel Lespinasse 2013-02-22 3006 if (flags & VM_LOCKED)
ba470de43 Rik van Riel 2008-10-18 3007 mm->locked_vm += (len >> PAGE_SHIFT);
d9104d1ca Cyrill Gorcunov 2013-09-11 3008 vma->vm_flags |= VM_SOFTDIRTY;
5d22fc25d Linus Torvalds 2016-05-27 3009 return 0;
^1da177e4 Linus Torvalds 2005-04-16 3010 }
^1da177e4 Linus Torvalds 2005-04-16 3011
:::::: The code at line 2936 was first introduced by commit
:::::: 16e72e9b30986ee15f17fbb68189ca842c32af58 powerpc: do not make the entire heap executable
:::::: TO: Denys Vlasenko <dvlasenk@redhat.com>
:::::: CC: Linus Torvalds <torvalds@linux-foundation.org>
---
0-DAY kernel test infrastructure Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all Intel Corporation
[-- Attachment #2: .config.gz --]
[-- Type: application/gzip, Size: 29269 bytes --]
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH] mm: do not bug_on on incorrect lenght in __mm_populate
2018-07-06 7:50 ` [PATCH] mm: do not bug_on on incorrect lenght in __mm_populate kbuild test robot
@ 2018-07-06 8:23 ` Oscar Salvador
2018-07-06 9:02 ` Michal Hocko
0 siblings, 1 reply; 19+ messages in thread
From: Oscar Salvador @ 2018-07-06 8:23 UTC (permalink / raw)
To: kbuild test robot
Cc: Michal Hocko, kbuild-all, Zi Yan, Tetsuo Handa, syzbot, akpm,
aneesh.kumar, dan.j.williams, kirill.shutemov, linux-mm, mst,
syzkaller-bugs, viro, ying.huang
On Fri, Jul 06, 2018 at 03:50:53PM +0800, kbuild test robot wrote:
> Hi Michal,
>
> I love your patch! Yet something to improve:
>
> [auto build test ERROR on linus/master]
> [also build test ERROR on v4.18-rc3 next-20180705]
> [if your patch is applied to the wrong git tree, please drop us a note to help improve the system]
>
> url: https://github.com/0day-ci/linux/commits/Michal-Hocko/mm-do-not-bug_on-on-incorrect-lenght-in-__mm_populate/20180706-134850
> config: x86_64-randconfig-x015-201826 (attached as .config)
> compiler: gcc-7 (Debian 7.3.0-16) 7.3.0
> reproduce:
> # save the attached .config to linux build tree
> make ARCH=x86_64
>
> All errors (new ones prefixed by >>):
>
> mm/mmap.c: In function 'do_brk_flags':
> >> mm/mmap.c:2936:16: error: 'len' redeclared as different kind of symbol
> unsigned long len;
> ^~~
> mm/mmap.c:2932:59: note: previous definition of 'len' was here
> static int do_brk_flags(unsigned long addr, unsigned long len, unsigned long flags, struct list_head *uf)
Somehow I missed that.
Maybe some remains from yesterday.
The local variable "len" must be dropped.
--
Oscar Salvador
SUSE L3
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH] mm: do not bug_on on incorrect lenght in __mm_populate
2018-07-06 8:23 ` Oscar Salvador
@ 2018-07-06 9:02 ` Michal Hocko
0 siblings, 0 replies; 19+ messages in thread
From: Michal Hocko @ 2018-07-06 9:02 UTC (permalink / raw)
To: Oscar Salvador
Cc: kbuild test robot, kbuild-all, Zi Yan, Tetsuo Handa, syzbot,
akpm, aneesh.kumar, dan.j.williams, kirill.shutemov, linux-mm,
mst, syzkaller-bugs, viro, ying.huang
On Fri 06-07-18 10:23:48, Oscar Salvador wrote:
> On Fri, Jul 06, 2018 at 03:50:53PM +0800, kbuild test robot wrote:
> > Hi Michal,
> >
> > I love your patch! Yet something to improve:
> >
> > [auto build test ERROR on linus/master]
> > [also build test ERROR on v4.18-rc3 next-20180705]
> > [if your patch is applied to the wrong git tree, please drop us a note to help improve the system]
> >
> > url: https://github.com/0day-ci/linux/commits/Michal-Hocko/mm-do-not-bug_on-on-incorrect-lenght-in-__mm_populate/20180706-134850
> > config: x86_64-randconfig-x015-201826 (attached as .config)
> > compiler: gcc-7 (Debian 7.3.0-16) 7.3.0
> > reproduce:
> > # save the attached .config to linux build tree
> > make ARCH=x86_64
> >
> > All errors (new ones prefixed by >>):
> >
> > mm/mmap.c: In function 'do_brk_flags':
> > >> mm/mmap.c:2936:16: error: 'len' redeclared as different kind of symbol
> > unsigned long len;
> > ^~~
> > mm/mmap.c:2932:59: note: previous definition of 'len' was here
> > static int do_brk_flags(unsigned long addr, unsigned long len, unsigned long flags, struct list_head *uf)
>
> Somehow I missed that.
> Maybe some remains from yesterday.
>
> The local variable "len" must be dropped.
Of course. This is what it looks like when you post patches in hurry
before leaving. Mea culpa. Sorry about that. Refreshed
^ permalink raw reply [flat|nested] 19+ messages in thread
end of thread, other threads:[~2018-07-06 9:02 UTC | newest]
Thread overview: 19+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-07-04 4:19 kernel BUG at mm/gup.c:LINE! syzbot
2018-07-04 10:01 ` Tetsuo Handa
2018-07-04 11:17 ` Michal Hocko
2018-07-04 11:48 ` Zi Yan
2018-07-04 12:11 ` Michal Hocko
2018-07-04 15:15 ` Oscar Salvador
2018-07-05 0:35 ` Tetsuo Handa
2018-07-05 7:18 ` Oscar Salvador
2018-07-05 11:40 ` Oscar Salvador
2018-07-05 6:44 ` Michal Hocko
2018-07-05 7:18 ` Oscar Salvador
2018-07-05 12:30 ` Oscar Salvador
2018-07-05 13:40 ` Tetsuo Handa
2018-07-06 5:35 ` Michal Hocko
2018-07-06 7:40 ` Oscar Salvador
2018-07-06 7:50 ` [PATCH] mm: do not bug_on on incorrect lenght in __mm_populate kbuild test robot
2018-07-06 8:23 ` Oscar Salvador
2018-07-06 9:02 ` Michal Hocko
2018-07-04 12:12 ` kernel BUG at mm/gup.c:LINE! Oscar Salvador
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.