From: Paolo Bonzini <pbonzini@redhat.com>
To: syzbot <syzbot+6bde52d89cfdf9f61425@syzkaller.appspotmail.com>,
david@redhat.com, frankja@linux.ibm.com, imbrenda@linux.ibm.com,
kvm@vger.kernel.org, linux-kernel@vger.kernel.org,
maciej.szmigiero@oracle.com, seanjc@google.com,
syzkaller-bugs@googlegroups.com, vkuznets@redhat.com,
wanpengli@tencent.com, will@kernel.org,
Linux-MM <linux-mm@kvack.org>,
Andrew Morton <akpm@linux-foundation.org>
Subject: Re: [syzbot] WARNING in kvm_mmu_notifier_invalidate_range_start (2)
Date: Mon, 21 Mar 2022 12:01:40 +0100 [thread overview]
Message-ID: <33b6fb1d-b35c-faab-4737-01427c48d09d@redhat.com> (raw)
In-Reply-To: <000000000000b6df0f05dab7e92c@google.com>
On 3/21/22 11:25, syzbot wrote:
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12a2d0a9700000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13d34fd9700000
>
> The issue was bisected to:
>
> commit ed922739c9199bf515a3e7fec3e319ce1edeef2a
> Author: Maciej S. Szmigiero <maciej.szmigiero@oracle.com>
> Date: Mon Dec 6 19:54:28 2021 +0000
>
> KVM: Use interval tree to do fast hva lookup in memslots
>
> bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=142aa59d700000
> final oops: https://syzkaller.appspot.com/x/report.txt?x=162aa59d700000
> console output: https://syzkaller.appspot.com/x/log.txt?x=122aa59d700000
It bisects here just because the patch introduces the warning; the issue
is an mmu_notifier_invalidate_range_start with an empty range. The
offending system call
mremap(&(0x7f000000d000/0x2000)=nil, 0xfffffffffffffe74, 0x1000, 0x3,
&(0x7f0000007000/0x1000)=nil)
really means old_len == 0 (it's page-aligned at the beginning of
sys_mremap), and flags includes MREMAP_FIXED so it goes down to
mremap_to and from there to move_page_tables. No function on this path
attempts to special-case old_len == 0; the immediate fix would be
diff --git a/mm/mremap.c b/mm/mremap.c
index 002eec83e91e..0e175aef536e 100644
--- a/mm/mremap.c
+++ b/mm/mremap.c
@@ -486,6 +486,9 @@ unsigned long move_page_tables(struct vm_area_struct
pmd_t *old_pmd, *new_pmd;
pud_t *old_pud, *new_pud;
+ if (!len)
+ return 0;
+
old_end = old_addr + len;
flush_cache_range(vma, old_addr, old_end);
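Review bot: the new `if (!len) return 0;` carries no comment explaining why a zero-length move can reach move_page_tables (old_len page-aligned down to 0 in sys_mremap, then handed down through mremap_to when MREMAP_FIXED is set) or what goes wrong without it (old_end == old_addr, so the range passed to mmu_notifier_invalidate_range_start is empty and KVM warns); since the message itself lists mremap_to and __mmu_notifier_invalidate_range_start/_end as equally valid places for the check, a one-line comment above the early return would stop a later cleanup from dropping it as apparently redundant.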
but there are several other ways to fix this elsewhere in the call chain:
- check for old_len == 0 somewhere in mremap_to
- skip the call in __mmu_notifier_invalidate_range_start and
__mmu_notifier_invalidate_range_end, if people agree not to play
whack-a-mole with the callers of mmu_notifier_invalidate_range_*.
- remove the warning in KVM
Thanks,
Paolo
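As an added illustration, not part of this thread or of the kernel source, the following user-space C model follows the path Paolo describes: the syzbot old_len is page-aligned first and wraps to 0, MREMAP_FIXED (flags 0x3 in the reproducer) sends it to move_page_tables, and the empty [old_addr, old_end) range is what the notifier would see. The page constants, the MREMAP_FIXED value from <linux/mman.h>, and the model_* functions are constructed here to mirror that path on 64-bit x86, and the `guard` flag switches the proposed early return on and off.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed x86-64 page constants matching the kernel's PAGE_ALIGN(). */
#define PAGE_SHIFT   12
#define PAGE_SIZE    ((uint64_t)1 << PAGE_SHIFT)
#define PAGE_MASK    (~(PAGE_SIZE - 1))
#define MREMAP_FIXED 2          /* value from <linux/mman.h> */

/* Same arithmetic as PAGE_ALIGN(); the unsigned wrap-around is what turns
 * the reproducer's 0xfffffffffffffe74 into 0 at the top of sys_mremap. */
static uint64_t page_align(uint64_t x)
{
    return (x + PAGE_SIZE - 1) & PAGE_MASK;
}

/* What the modelled move_page_tables() would have done: how many bytes it
 * tried to move, and whether the notifier range it built was empty. */
struct move_result {
    uint64_t bytes_moved;
    bool empty_range_notified;
};

/* Model of move_page_tables(): with guard == true the proposed
 * "if (!len) return 0;" is in place, with guard == false it is not. */
static struct move_result model_move_page_tables(uint64_t old_addr,
                                                uint64_t len, bool guard)
{
    struct move_result r = { 0, false };
    if (guard && !len)
        return r;                       /* the proposed early return */
    uint64_t old_end = old_addr + len;  /* range handed to the notifier */
    r.empty_range_notified = (old_end == old_addr);
    r.bytes_moved = len;
    return r;
}

/* Model of sys_mremap -> mremap_to: old_len is page-aligned before any
 * check, then passed straight down when MREMAP_FIXED is set. */
static struct move_result model_mremap(uint64_t old_addr, uint64_t old_len,
                                       uint64_t flags, bool guard)
{
    struct move_result none = { 0, false };
    old_len = page_align(old_len);
    if (!(flags & MREMAP_FIXED))
        return none;                    /* other paths not modelled here */
    return model_move_page_tables(old_addr, old_len, guard);
}
```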