[syzbot] [mm?] kernel BUG in move_pages
From: syzbot @ 2024-01-11 16:25 UTC
To: aarcange, akpm, linux-kernel, linux-mm, surenb, syzkaller-bugs

Hello,

syzbot found the following issue on:

HEAD commit:    e2425464bc87 Add linux-next specific files for 20240105
git tree:       linux-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=14941cdee80000
kernel config:  https://syzkaller.appspot.com/x/.config?x=4056b9349f3da8c9
dashboard link: https://syzkaller.appspot.com/bug?extid=705209281e36404998f6
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=125d0a09e80000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=15bc7331e80000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/2f738185e2cf/disk-e2425464.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/b248fcf4ea46/vmlinux-e2425464.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a9945c8223f4/bzImage-e2425464.xz

The issue was bisected to:

commit adef440691bab824e39c1b17382322d195e1fab0
Author: Andrea Arcangeli <aarcange@redhat.com>
Date:   Wed Dec 6 10:36:56 2023 +0000

    userfaultfd: UFFDIO_MOVE uABI

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=11cb6ea9e80000
final oops:     https://syzkaller.appspot.com/x/report.txt?x=13cb6ea9e80000
console output: https://syzkaller.appspot.com/x/log.txt?x=15cb6ea9e80000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+705209281e36404998f6@syzkaller.appspotmail.com
Fixes: adef440691ba ("userfaultfd: UFFDIO_MOVE uABI")

 do_one_initcall+0x128/0x680 init/main.c:1237
 do_initcall_level init/main.c:1299 [inline]
 do_initcalls init/main.c:1315 [inline]
 do_basic_setup init/main.c:1334 [inline]
 kernel_init_freeable+0x692/0xc30 init/main.c:1552
 kernel_init+0x1c/0x2a0 init/main.c:1442
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
------------[ cut here ]------------
kernel BUG at include/linux/page-flags.h:1035!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 5068 Comm: syz-executor191 Not tainted 6.7.0-rc8-next-20240105-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
RIP: 0010:PageAnonExclusive include/linux/page-flags.h:1035 [inline]
RIP: 0010:move_pages+0x1697/0x3d40 mm/userfaultfd.c:1402
Code: 00 00 48 c1 e8 0c 48 21 d0 48 c1 e0 06 48 01 c3 e9 b6 f7 ff ff e8 79 c6 9c ff 48 c7 c6 e0 7e dc 8a 48 89 df e8 0a 20 dc ff 90 <0f> 0b e8 62 c6 9c ff 48 89 da b8 ff ff 37 00 48 c1 ea 03 48 c1 e0
RSP: 0018:ffffc90003aefa98 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffffea0001e40000 RCX: ffffffff81687599
RDX: ffff88802a155940 RSI: ffffffff81eb5d46 RDI: 0000000000000000
RBP: ffff88802abab810 R08: 0000000000000000 R09: fffffbfff1e75fda
R10: ffffffff8f3afed7 R11: 0000000000000001 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000020518000 R15: 0000000000000000
FS:  00005555562cf380(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000204f8000 CR3: 000000006a725000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 userfaultfd_move fs/userfaultfd.c:2047 [inline]
 userfaultfd_ioctl+0x683/0x6420 fs/userfaultfd.c:2169
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:871 [inline]
 __se_sys_ioctl fs/ioctl.c:857 [inline]
 __x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xd0/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x62/0x6a
RIP: 0033:0x7f4bada9b3e9
Code: 48 83 c4 28 c3 e8 37 17 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff2c1d6998 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fff2c1d6b68 RCX: 00007f4bada9b3e9
RDX: 00000000200000c0 RSI: 00000000c028aa05 RDI: 0000000000000003
RBP: 00007f4badb0e610 R08: 00007fff2c1d6b68 R09: 00007fff2c1d6b68
R10: 00007fff2c1d6b68 R11: 0000000000000246 R12: 0000000000000001
R13: 00007fff2c1d6b58 R14: 0000000000000001 R15: 0000000000000001
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:PageAnonExclusive include/linux/page-flags.h:1035 [inline]
RIP: 0010:move_pages+0x1697/0x3d40 mm/userfaultfd.c:1402
Code: 00 00 48 c1 e8 0c 48 21 d0 48 c1 e0 06 48 01 c3 e9 b6 f7 ff ff e8 79 c6 9c ff 48 c7 c6 e0 7e dc 8a 48 89 df e8 0a 20 dc ff 90 <0f> 0b e8 62 c6 9c ff 48 89 da b8 ff ff 37 00 48 c1 ea 03 48 c1 e0
RSP: 0018:ffffc90003aefa98 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffffea0001e40000 RCX: ffffffff81687599
RDX: ffff88802a155940 RSI: ffffffff81eb5d46 RDI: 0000000000000000
RBP: ffff88802abab810 R08: 0000000000000000 R09: fffffbfff1e75fda
R10: ffffffff8f3afed7 R11: 0000000000000001 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000020518000 R15: 0000000000000000
FS:  00005555562cf380(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000204f8000 CR3: 000000006a725000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup
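An added triage helper, not code from the syzbot report or from this thread: it parses a report in the format above into the fields a responder acts on (the BUG site, the inlined helper that tripped it versus the function whose code faulted, whether the trace crossed a syscall entry and so is reachable from user space, the faulting task, and the HEAD, bisected commit and fix tags). The embedded sample is a constructed excerpt of this report's own lines; the type and function names (OopsSummary, parse_report, crash_function, entry_syscall, user_reachable) are this example's own.

```python
"""Triage helper for syzbot kernel-oops reports: bug site, faulting task, inline
chain at RIP, syscall entry, and the syzbot header fields a responder needs."""
import re
from dataclasses import dataclass, field
from typing import List, NamedTuple, Optional

# Constructed sample: the essential lines of the syzbot report above.
SAMPLE_REPORT = """\
HEAD commit:    e2425464bc87 Add linux-next specific files for 20240105
commit adef440691bab824e39c1b17382322d195e1fab0
Reported-by: syzbot+705209281e36404998f6@syzkaller.appspotmail.com
Fixes: adef440691ba ("userfaultfd: UFFDIO_MOVE uABI")
------------[ cut here ]------------
kernel BUG at include/linux/page-flags.h:1035!
CPU: 0 PID: 5068 Comm: syz-executor191 Not tainted 6.7.0-rc8-next-20240105-syzkaller #0
RIP: 0010:PageAnonExclusive include/linux/page-flags.h:1035 [inline]
RIP: 0010:move_pages+0x1697/0x3d40 mm/userfaultfd.c:1402
Call Trace:
 <TASK>
 userfaultfd_move fs/userfaultfd.c:2047 [inline]
 userfaultfd_ioctl+0x683/0x6420 fs/userfaultfd.c:2169
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:871 [inline]
 __se_sys_ioctl fs/ioctl.c:857 [inline]
 __x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xd0/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x62/0x6a
RIP: 0033:0x7f4bada9b3e9
 </TASK>
"""

# A frame as the kernel prints it: symbol[+off/len] [file:line] [[inline]]
FRAME_RE = re.compile(r"^\s*([A-Za-z_][\w.]*)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?"
                      r"(?:\s+(\S+\.[chS]:\d+))?(\s+\[inline\])?\s*$")
TASK_RE = re.compile(r"^CPU: \d+ PID: (\d+) Comm: (\S+) (Not tainted|Tainted: \S+) (\S+)")
SYS_RE = re.compile(r"^__(?:x64|se|do)_sys_(\w+)$")
Frame = NamedTuple("Frame", [("symbol", str), ("site", Optional[str]), ("inline", bool)])


@dataclass
class OopsSummary:
    bug_location: Optional[str] = None      # from "kernel BUG at <file:line>!"
    pid: Optional[int] = None
    comm: Optional[str] = None
    tainted: bool = False
    kernel_version: Optional[str] = None
    rip_frames: List[Frame] = field(default_factory=list)  # innermost first
    trace: List[Frame] = field(default_factory=list)       # between <TASK> tags
    head_commit: Optional[str] = None
    bisected_commit: Optional[str] = None
    fixes: Optional[str] = None
    reported_by: Optional[str] = None


def _frame(text: str) -> Optional[Frame]:
    m = FRAME_RE.match(text)
    return Frame(m.group(1), m.group(2), bool(m.group(3))) if m else None


def parse_report(text: str) -> OopsSummary:
    s, in_task = OopsSummary(), False
    for line in text.splitlines():
        if (m := re.match(r"^HEAD commit:\s+([0-9a-f]+)", line)):
            s.head_commit = m.group(1)
        elif (m := re.match(r"^commit ([0-9a-f]{12,40})$", line)):
            s.bisected_commit = m.group(1)
        elif (m := re.match(r"^(Fixes|Reported-by): (.+)$", line)):
            setattr(s, m.group(1).lower().replace("-", "_"), m.group(2))
        elif (m := re.match(r"^kernel BUG at (\S+)!", line)):
            s.bug_location = m.group(1)
        elif (m := TASK_RE.match(line)):
            s.pid, s.comm, s.kernel_version = int(m.group(1)), m.group(2), m.group(4)
            s.tainted = m.group(3) != "Not tainted"
        elif line.startswith("RIP: 0010:") and (f := _frame(line[10:])):
            s.rip_frames.append(f)   # kernel-mode RIP; "RIP: 0033:" is user space
        elif line.strip() in ("<TASK>", "</TASK>"):
            in_task = line.strip() == "<TASK>"
        elif in_task and (f := _frame(line)):
            s.trace.append(f)
    return s


def crash_function(s: OopsSummary) -> Optional[Frame]:
    """Outermost non-inlined frame at RIP, i.e. the function whose code faulted
    (move_pages here); PageAnonExclusive is a helper the compiler inlined."""
    return next((f for f in s.rip_frames if not f.inline), None)


def entry_syscall(s: OopsSummary) -> Optional[str]:
    """Syscall that led to the crash, or None (kernel thread, IRQ, boot)."""
    for f in s.trace:
        if (m := SYS_RE.match(f.symbol)):
            return m.group(1)
    return None


def user_reachable(s: OopsSummary) -> bool:
    """A hard BUG() on a path entered from a syscall is a local DoS surface."""
    return s.bug_location is not None and entry_syscall(s) is not None


if __name__ == "__main__":
    r = parse_report(SAMPLE_REPORT)
    print(crash_function(r), entry_syscall(r), user_reachable(r), r.fixes)
```

Feed it the full report text (or the report.txt linked above) in place of the sample; frames without a file:line, such as the entry stub, are kept with site None rather than dropped.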
Re: [syzbot] [mm?] kernel BUG in move_pages
From: Suren Baghdasaryan @ 2024-01-11 16:40 UTC
To: syzbot; +Cc: aarcange, akpm, linux-kernel, linux-mm, syzkaller-bugs

On Thu, Jan 11, 2024 at 8:25 AM syzbot
<syzbot+705209281e36404998f6@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit:    e2425464bc87 Add linux-next specific files for 20240105
> git tree:       linux-next
> [...]
> The issue was bisected to:
>
> commit adef440691bab824e39c1b17382322d195e1fab0
> Author: Andrea Arcangeli <aarcange@redhat.com>
> Date:   Wed Dec 6 10:36:56 2023 +0000
>
>     userfaultfd: UFFDIO_MOVE uABI
> [...]
> ------------[ cut here ]------------
> kernel BUG at include/linux/page-flags.h:1035!
> invalid opcode: 0000 [#1] PREEMPT SMP KASAN
> CPU: 0 PID: 5068 Comm: syz-executor191 Not tainted 6.7.0-rc8-next-20240105-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
> RIP: 0010:PageAnonExclusive include/linux/page-flags.h:1035 [inline]

From a quick look, I think the new ioctl is being used against a
file-backed page and that's why PageAnonExclusive() throws this error.
I'll confirm if this is indeed the case and will add checks for that
case. Thanks!

> RIP: 0010:move_pages+0x1697/0x3d40 mm/userfaultfd.c:1402
> [...]
Re: [syzbot] [mm?] kernel BUG in move_pages
From: Suren Baghdasaryan @ 2024-01-11 16:44 UTC
To: syzbot; +Cc: aarcange, akpm, linux-kernel, linux-mm, syzkaller-bugs

On Thu, Jan 11, 2024 at 8:40 AM Suren Baghdasaryan <surenb@google.com> wrote:
>
> On Thu, Jan 11, 2024 at 8:25 AM syzbot
> <syzbot+705209281e36404998f6@syzkaller.appspotmail.com> wrote:
> >
> > Hello,
> >
> > syzbot found the following issue on:
> >
> > HEAD commit:    e2425464bc87 Add linux-next specific files for 20240105
> > git tree:       linux-next
> > [...]
> > ------------[ cut here ]------------
> > kernel BUG at include/linux/page-flags.h:1035!
> > invalid opcode: 0000 [#1] PREEMPT SMP KASAN
> > CPU: 0 PID: 5068 Comm: syz-executor191 Not tainted 6.7.0-rc8-next-20240105-syzkaller #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
> > RIP: 0010:PageAnonExclusive include/linux/page-flags.h:1035 [inline]
>
> From a quick look, I think the new ioctl is being used against a
> file-backed page and that's why PageAnonExclusive() throws this error.
> I'll confirm if this is indeed the case and will add checks for that
> case. Thanks!

Hmm. Looking at the reproducer it does not look like a file-backed
memory... Anyways, I'm on it.

> > RIP: 0010:move_pages+0x1697/0x3d40 mm/userfaultfd.c:1402
> > [...]
Re: [syzbot] [mm?] kernel BUG in move_pages
From: Suren Baghdasaryan @ 2024-01-11 18:34 UTC
To: syzbot, David Hildenbrand, Peter Xu
Cc: aarcange, akpm, linux-kernel, linux-mm, syzkaller-bugs

On Thu, Jan 11, 2024 at 8:44 AM Suren Baghdasaryan <surenb@google.com> wrote:
>
> On Thu, Jan 11, 2024 at 8:40 AM Suren Baghdasaryan <surenb@google.com> wrote:
> >
> > On Thu, Jan 11, 2024 at 8:25 AM syzbot
> > <syzbot+705209281e36404998f6@syzkaller.appspotmail.com> wrote:
> > >
> > > Hello,
> > >
> > > syzbot found the following issue on:
> > >
> > > HEAD commit:    e2425464bc87 Add linux-next specific files for 20240105
> > > git tree:       linux-next
> > > [...]
> > > ------------[ cut here ]------------
> > > kernel BUG at include/linux/page-flags.h:1035!
> > > invalid opcode: 0000 [#1] PREEMPT SMP KASAN
> > > CPU: 0 PID: 5068 Comm: syz-executor191 Not tainted 6.7.0-rc8-next-20240105-syzkaller #0
> > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
> > > RIP: 0010:PageAnonExclusive include/linux/page-flags.h:1035 [inline]
> >
> > From a quick look, I think the new ioctl is being used against a
> > file-backed page and that's why PageAnonExclusive() throws this error.
> > I'll confirm if this is indeed the case and will add checks for that
> > case. Thanks!
>
> Hmm. Looking at the reproducer it does not look like a file-backed
> memory... Anyways, I'm on it.

Looks like the test is trying to move the huge_zero_page. Wonder how
we should handle this. Just fail or do something else? Adding David
and Peter for feedback.

> > > RIP: 0010:move_pages+0x1697/0x3d40 mm/userfaultfd.c:1402
> > > [...]
Re: [syzbot] [mm?] kernel BUG in move_pages
From: David Hildenbrand @ 2024-01-11 18:58 UTC
To: Suren Baghdasaryan, syzbot, Peter Xu
Cc: aarcange, akpm, linux-kernel, linux-mm, syzkaller-bugs

On 11.01.24 19:34, Suren Baghdasaryan wrote:
> On Thu, Jan 11, 2024 at 8:44 AM Suren Baghdasaryan <surenb@google.com> wrote:
>>
>> On Thu, Jan 11, 2024 at 8:40 AM Suren Baghdasaryan <surenb@google.com> wrote:
>>>
>>> On Thu, Jan 11, 2024 at 8:25 AM syzbot
>>> <syzbot+705209281e36404998f6@syzkaller.appspotmail.com> wrote:
>>>>
>>>> Hello,
>>>>
>>>> syzbot found the following issue on:
>>>>
>>>> HEAD commit:    e2425464bc87 Add linux-next specific files for 20240105
>>>> git tree:       linux-next
>>>> [...]
>>>> ------------[ cut here ]------------
>>>> kernel BUG at include/linux/page-flags.h:1035!
>>>> invalid opcode: 0000 [#1] PREEMPT SMP KASAN
>>>> CPU: 0 PID: 5068 Comm: syz-executor191 Not tainted 6.7.0-rc8-next-20240105-syzkaller #0
>>>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
>>>> RIP: 0010:PageAnonExclusive include/linux/page-flags.h:1035 [inline]
>>>
>>> From a quick look, I think the new ioctl is being used against a
>>> file-backed page and that's why PageAnonExclusive() throws this error.
>>> I'll confirm if this is indeed the case and will add checks for that
>>> case. Thanks!
>>
>> Hmm. Looking at the reproducer it does not look like a file-backed
>> memory... Anyways, I'm on it.
>
> Looks like the test is trying to move the huge_zero_page. Wonder how
> we should handle this. Just fail or do something else? Adding David
> and Peter for feedback.

You'll need some special-casing to handle that. But it should be fairly
easy.

-- 
Cheers,

David / dhildenb
* Re: [syzbot] [mm?] kernel BUG in move_pages
  2024-01-11 18:58 ` David Hildenbrand
@ 2024-01-11 20:20 ` Suren Baghdasaryan
  2024-01-11 21:00 ` David Hildenbrand

From: Suren Baghdasaryan @ 2024-01-11 20:20 UTC
To: David Hildenbrand
Cc: syzbot, Peter Xu, aarcange, akpm, linux-kernel, linux-mm, syzkaller-bugs

On Thu, Jan 11, 2024 at 6:58 PM David Hildenbrand <david@redhat.com> wrote:
>
> On 11.01.24 19:34, Suren Baghdasaryan wrote:
> > On Thu, Jan 11, 2024 at 8:44 AM Suren Baghdasaryan <surenb@google.com> wrote:
> >>
> >> On Thu, Jan 11, 2024 at 8:40 AM Suren Baghdasaryan <surenb@google.com> wrote:
> >>>
> >>> On Thu, Jan 11, 2024 at 8:25 AM syzbot
> >>> <syzbot+705209281e36404998f6@syzkaller.appspotmail.com> wrote:
> >>>>
> >>>> Hello,
> >>>>
> >>>> syzbot found the following issue on:
> >>>>
> >>>> HEAD commit: e2425464bc87 Add linux-next specific files for 20240105
> >>>> git tree: linux-next
> >>>> console+strace: https://syzkaller.appspot.com/x/log.txt?x=14941cdee80000
> >>>> kernel config: https://syzkaller.appspot.com/x/.config?x=4056b9349f3da8c9
> >>>> dashboard link: https://syzkaller.appspot.com/bug?extid=705209281e36404998f6
> >>>> compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> >>>> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=125d0a09e80000
> >>>> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15bc7331e80000
> >>>>
> >>>> Downloadable assets:
> >>>> disk image: https://storage.googleapis.com/syzbot-assets/2f738185e2cf/disk-e2425464.raw.xz
> >>>> vmlinux: https://storage.googleapis.com/syzbot-assets/b248fcf4ea46/vmlinux-e2425464.xz
> >>>> kernel image: https://storage.googleapis.com/syzbot-assets/a9945c8223f4/bzImage-e2425464.xz
> >>>>
> >>>> The issue was bisected to:
> >>>>
> >>>> commit adef440691bab824e39c1b17382322d195e1fab0
> >>>> Author: Andrea Arcangeli <aarcange@redhat.com>
> >>>> Date: Wed Dec 6 10:36:56 2023 +0000
> >>>>
> >>>> userfaultfd: UFFDIO_MOVE uABI
> >>>>
> >>>> bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=11cb6ea9e80000
> >>>> final oops: https://syzkaller.appspot.com/x/report.txt?x=13cb6ea9e80000
> >>>> console output: https://syzkaller.appspot.com/x/log.txt?x=15cb6ea9e80000
> >>>>
> >>>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> >>>> Reported-by: syzbot+705209281e36404998f6@syzkaller.appspotmail.com
> >>>> Fixes: adef440691ba ("userfaultfd: UFFDIO_MOVE uABI")
> >>>>
> >>>> do_one_initcall+0x128/0x680 init/main.c:1237
> >>>> do_initcall_level init/main.c:1299 [inline]
> >>>> do_initcalls init/main.c:1315 [inline]
> >>>> do_basic_setup init/main.c:1334 [inline]
> >>>> kernel_init_freeable+0x692/0xc30 init/main.c:1552
> >>>> kernel_init+0x1c/0x2a0 init/main.c:1442
> >>>> ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
> >>>> ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
> >>>> ------------[ cut here ]------------
> >>>> kernel BUG at include/linux/page-flags.h:1035!
> >>>> invalid opcode: 0000 [#1] PREEMPT SMP KASAN
> >>>> CPU: 0 PID: 5068 Comm: syz-executor191 Not tainted 6.7.0-rc8-next-20240105-syzkaller #0
> >>>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
> >>>> RIP: 0010:PageAnonExclusive include/linux/page-flags.h:1035 [inline]
> >>>
> >>> From a quick look, I think the new ioctl is being used against a
> >>> file-backed page and that's why PageAnonExclusive() throws this error.
> >>> I'll confirm if this is indeed the case and will add checks for that
> >>> case. Thanks!
> >>
> >> Hmm. Looking at the reproducer it does not look like a file-backed
> >> memory... Anyways, I'm on it.
> >
> > Looks like the test is trying to move the huge_zero_page. Wonder how
> > we should handle this. Just fail or do something else? Adding David
> > and Peter for feedback.
>
> You'll need some special-casing to handle that. But it should be fairly
> easy.

Ok, so should we treat zeropage the same as PAE and map destination
PTE/PMD to zeropage while clearing source PTE/PMD?

>
> --
> Cheers,
>
> David / dhildenb
>
* Re: [syzbot] [mm?] kernel BUG in move_pages
  2024-01-11 20:20 ` Suren Baghdasaryan
@ 2024-01-11 21:00 ` David Hildenbrand
  2024-01-11 21:04 ` Suren Baghdasaryan

From: David Hildenbrand @ 2024-01-11 21:00 UTC
To: Suren Baghdasaryan
Cc: syzbot, Peter Xu, aarcange, akpm, linux-kernel, linux-mm, syzkaller-bugs

On 11.01.24 21:20, Suren Baghdasaryan wrote:
> On Thu, Jan 11, 2024 at 6:58 PM David Hildenbrand <david@redhat.com> wrote:
>>
>> On 11.01.24 19:34, Suren Baghdasaryan wrote:
>>> On Thu, Jan 11, 2024 at 8:44 AM Suren Baghdasaryan <surenb@google.com> wrote:
>>>>
>>>> On Thu, Jan 11, 2024 at 8:40 AM Suren Baghdasaryan <surenb@google.com> wrote:
>>>>>
>>>>> On Thu, Jan 11, 2024 at 8:25 AM syzbot
>>>>> <syzbot+705209281e36404998f6@syzkaller.appspotmail.com> wrote:
>>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> syzbot found the following issue on:
>>>>>>
>>>>>> HEAD commit: e2425464bc87 Add linux-next specific files for 20240105
>>>>>> git tree: linux-next
>>>>>> console+strace: https://syzkaller.appspot.com/x/log.txt?x=14941cdee80000
>>>>>> kernel config: https://syzkaller.appspot.com/x/.config?x=4056b9349f3da8c9
>>>>>> dashboard link: https://syzkaller.appspot.com/bug?extid=705209281e36404998f6
>>>>>> compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
>>>>>> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=125d0a09e80000
>>>>>> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15bc7331e80000
>>>>>>
>>>>>> Downloadable assets:
>>>>>> disk image: https://storage.googleapis.com/syzbot-assets/2f738185e2cf/disk-e2425464.raw.xz
>>>>>> vmlinux: https://storage.googleapis.com/syzbot-assets/b248fcf4ea46/vmlinux-e2425464.xz
>>>>>> kernel image: https://storage.googleapis.com/syzbot-assets/a9945c8223f4/bzImage-e2425464.xz
>>>>>>
>>>>>> The issue was bisected to:
>>>>>>
>>>>>> commit adef440691bab824e39c1b17382322d195e1fab0
>>>>>> Author: Andrea Arcangeli <aarcange@redhat.com>
>>>>>> Date: Wed Dec 6 10:36:56 2023 +0000
>>>>>>
>>>>>> userfaultfd: UFFDIO_MOVE uABI
>>>>>>
>>>>>> bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=11cb6ea9e80000
>>>>>> final oops: https://syzkaller.appspot.com/x/report.txt?x=13cb6ea9e80000
>>>>>> console output: https://syzkaller.appspot.com/x/log.txt?x=15cb6ea9e80000
>>>>>>
>>>>>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
>>>>>> Reported-by: syzbot+705209281e36404998f6@syzkaller.appspotmail.com
>>>>>> Fixes: adef440691ba ("userfaultfd: UFFDIO_MOVE uABI")
>>>>>>
>>>>>> do_one_initcall+0x128/0x680 init/main.c:1237
>>>>>> do_initcall_level init/main.c:1299 [inline]
>>>>>> do_initcalls init/main.c:1315 [inline]
>>>>>> do_basic_setup init/main.c:1334 [inline]
>>>>>> kernel_init_freeable+0x692/0xc30 init/main.c:1552
>>>>>> kernel_init+0x1c/0x2a0 init/main.c:1442
>>>>>> ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
>>>>>> ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
>>>>>> ------------[ cut here ]------------
>>>>>> kernel BUG at include/linux/page-flags.h:1035!
>>>>>> invalid opcode: 0000 [#1] PREEMPT SMP KASAN
>>>>>> CPU: 0 PID: 5068 Comm: syz-executor191 Not tainted 6.7.0-rc8-next-20240105-syzkaller #0
>>>>>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
>>>>>> RIP: 0010:PageAnonExclusive include/linux/page-flags.h:1035 [inline]
>>>>>
>>>>> From a quick look, I think the new ioctl is being used against a
>>>>> file-backed page and that's why PageAnonExclusive() throws this error.
>>>>> I'll confirm if this is indeed the case and will add checks for that
>>>>> case. Thanks!
>>>>
>>>> Hmm. Looking at the reproducer it does not look like a file-backed
>>>> memory... Anyways, I'm on it.
>>>
>>> Looks like the test is trying to move the huge_zero_page. Wonder how
>>> we should handle this. Just fail or do something else? Adding David
>>> and Peter for feedback.
>>
>> You'll need some special-casing to handle that. But it should be fairly
>> easy.
>
> Ok, so should we treat zeropage the same as PAE and map destination
> PTE/PMD to zeropage while clearing source PTE/PMD?

Likely yes. So it's transparent for user space what we are moving. (this
sounds like an easy case to not require a prior write access just to
move it)

--
Cheers,

David / dhildenb
* Re: [syzbot] [mm?] kernel BUG in move_pages
  2024-01-11 21:00 ` David Hildenbrand
@ 2024-01-11 21:04 ` Suren Baghdasaryan
  2024-01-11 21:06 ` David Hildenbrand

From: Suren Baghdasaryan @ 2024-01-11 21:04 UTC
To: David Hildenbrand
Cc: syzbot, Peter Xu, aarcange, akpm, linux-kernel, linux-mm, syzkaller-bugs

On Thu, Jan 11, 2024 at 9:00 PM David Hildenbrand <david@redhat.com> wrote:
>
> On 11.01.24 21:20, Suren Baghdasaryan wrote:
> > On Thu, Jan 11, 2024 at 6:58 PM David Hildenbrand <david@redhat.com> wrote:
> >>
> >> On 11.01.24 19:34, Suren Baghdasaryan wrote:
> >>> On Thu, Jan 11, 2024 at 8:44 AM Suren Baghdasaryan <surenb@google.com> wrote:
> >>>>
> >>>> On Thu, Jan 11, 2024 at 8:40 AM Suren Baghdasaryan <surenb@google.com> wrote:
> >>>>>
> >>>>> On Thu, Jan 11, 2024 at 8:25 AM syzbot
> >>>>> <syzbot+705209281e36404998f6@syzkaller.appspotmail.com> wrote:
> >>>>>>
> >>>>>> Hello,
> >>>>>>
> >>>>>> syzbot found the following issue on:
> >>>>>>
> >>>>>> HEAD commit: e2425464bc87 Add linux-next specific files for 20240105
> >>>>>> git tree: linux-next
> >>>>>> console+strace: https://syzkaller.appspot.com/x/log.txt?x=14941cdee80000
> >>>>>> kernel config: https://syzkaller.appspot.com/x/.config?x=4056b9349f3da8c9
> >>>>>> dashboard link: https://syzkaller.appspot.com/bug?extid=705209281e36404998f6
> >>>>>> compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> >>>>>> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=125d0a09e80000
> >>>>>> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15bc7331e80000
> >>>>>>
> >>>>>> Downloadable assets:
> >>>>>> disk image: https://storage.googleapis.com/syzbot-assets/2f738185e2cf/disk-e2425464.raw.xz
> >>>>>> vmlinux: https://storage.googleapis.com/syzbot-assets/b248fcf4ea46/vmlinux-e2425464.xz
> >>>>>> kernel image: https://storage.googleapis.com/syzbot-assets/a9945c8223f4/bzImage-e2425464.xz
> >>>>>>
> >>>>>> The issue was bisected to:
> >>>>>>
> >>>>>> commit adef440691bab824e39c1b17382322d195e1fab0
> >>>>>> Author: Andrea Arcangeli <aarcange@redhat.com>
> >>>>>> Date: Wed Dec 6 10:36:56 2023 +0000
> >>>>>>
> >>>>>> userfaultfd: UFFDIO_MOVE uABI
> >>>>>>
> >>>>>> bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=11cb6ea9e80000
> >>>>>> final oops: https://syzkaller.appspot.com/x/report.txt?x=13cb6ea9e80000
> >>>>>> console output: https://syzkaller.appspot.com/x/log.txt?x=15cb6ea9e80000
> >>>>>>
> >>>>>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> >>>>>> Reported-by: syzbot+705209281e36404998f6@syzkaller.appspotmail.com
> >>>>>> Fixes: adef440691ba ("userfaultfd: UFFDIO_MOVE uABI")
> >>>>>>
> >>>>>> do_one_initcall+0x128/0x680 init/main.c:1237
> >>>>>> do_initcall_level init/main.c:1299 [inline]
> >>>>>> do_initcalls init/main.c:1315 [inline]
> >>>>>> do_basic_setup init/main.c:1334 [inline]
> >>>>>> kernel_init_freeable+0x692/0xc30 init/main.c:1552
> >>>>>> kernel_init+0x1c/0x2a0 init/main.c:1442
> >>>>>> ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
> >>>>>> ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
> >>>>>> ------------[ cut here ]------------
> >>>>>> kernel BUG at include/linux/page-flags.h:1035!
> >>>>>> invalid opcode: 0000 [#1] PREEMPT SMP KASAN
> >>>>>> CPU: 0 PID: 5068 Comm: syz-executor191 Not tainted 6.7.0-rc8-next-20240105-syzkaller #0
> >>>>>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
> >>>>>> RIP: 0010:PageAnonExclusive include/linux/page-flags.h:1035 [inline]
> >>>>>
> >>>>> From a quick look, I think the new ioctl is being used against a
> >>>>> file-backed page and that's why PageAnonExclusive() throws this error.
> >>>>> I'll confirm if this is indeed the case and will add checks for that
> >>>>> case. Thanks!
> >>>>
> >>>> Hmm. Looking at the reproducer it does not look like a file-backed
> >>>> memory... Anyways, I'm on it.
> >>>
> >>> Looks like the test is trying to move the huge_zero_page. Wonder how
> >>> we should handle this. Just fail or do something else? Adding David
> >>> and Peter for feedback.
> >>
> >> You'll need some special-casing to handle that. But it should be fairly
> >> easy.
> >
> > Ok, so should we treat zeropage the same as PAE and map destination
> > PTE/PMD to zeropage while clearing source PTE/PMD?
>
> Likely yes. So it's transparent for user space what we are moving. (this
> sounds like an easy case to not require a prior write access just to
> move it)

Ok, working on it. split_huge_pmd() already knows how to split
huge_zero_page but I think I'll need special handling in both
move_pages_pte() and move_pages_huge_pmd().

>
> --
> Cheers,
>
> David / dhildenb
>
* Re: [syzbot] [mm?] kernel BUG in move_pages
  2024-01-11 21:04 ` Suren Baghdasaryan
@ 2024-01-11 21:06 ` David Hildenbrand
  2024-01-11 21:13 ` Suren Baghdasaryan

From: David Hildenbrand @ 2024-01-11 21:06 UTC
To: Suren Baghdasaryan
Cc: syzbot, Peter Xu, aarcange, akpm, linux-kernel, linux-mm, syzkaller-bugs

On 11.01.24 22:04, Suren Baghdasaryan wrote:
> On Thu, Jan 11, 2024 at 9:00 PM David Hildenbrand <david@redhat.com> wrote:
>>
>> On 11.01.24 21:20, Suren Baghdasaryan wrote:
>>> On Thu, Jan 11, 2024 at 6:58 PM David Hildenbrand <david@redhat.com> wrote:
>>>>
>>>> On 11.01.24 19:34, Suren Baghdasaryan wrote:
>>>>> On Thu, Jan 11, 2024 at 8:44 AM Suren Baghdasaryan <surenb@google.com> wrote:
>>>>>>
>>>>>> On Thu, Jan 11, 2024 at 8:40 AM Suren Baghdasaryan <surenb@google.com> wrote:
>>>>>>>
>>>>>>> On Thu, Jan 11, 2024 at 8:25 AM syzbot
>>>>>>> <syzbot+705209281e36404998f6@syzkaller.appspotmail.com> wrote:
>>>>>>>>
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> syzbot found the following issue on:
>>>>>>>>
>>>>>>>> HEAD commit: e2425464bc87 Add linux-next specific files for 20240105
>>>>>>>> git tree: linux-next
>>>>>>>> console+strace: https://syzkaller.appspot.com/x/log.txt?x=14941cdee80000
>>>>>>>> kernel config: https://syzkaller.appspot.com/x/.config?x=4056b9349f3da8c9
>>>>>>>> dashboard link: https://syzkaller.appspot.com/bug?extid=705209281e36404998f6
>>>>>>>> compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
>>>>>>>> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=125d0a09e80000
>>>>>>>> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15bc7331e80000
>>>>>>>>
>>>>>>>> Downloadable assets:
>>>>>>>> disk image: https://storage.googleapis.com/syzbot-assets/2f738185e2cf/disk-e2425464.raw.xz
>>>>>>>> vmlinux: https://storage.googleapis.com/syzbot-assets/b248fcf4ea46/vmlinux-e2425464.xz
>>>>>>>> kernel image: https://storage.googleapis.com/syzbot-assets/a9945c8223f4/bzImage-e2425464.xz
>>>>>>>>
>>>>>>>> The issue was bisected to:
>>>>>>>>
>>>>>>>> commit adef440691bab824e39c1b17382322d195e1fab0
>>>>>>>> Author: Andrea Arcangeli <aarcange@redhat.com>
>>>>>>>> Date: Wed Dec 6 10:36:56 2023 +0000
>>>>>>>>
>>>>>>>> userfaultfd: UFFDIO_MOVE uABI
>>>>>>>>
>>>>>>>> bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=11cb6ea9e80000
>>>>>>>> final oops: https://syzkaller.appspot.com/x/report.txt?x=13cb6ea9e80000
>>>>>>>> console output: https://syzkaller.appspot.com/x/log.txt?x=15cb6ea9e80000
>>>>>>>>
>>>>>>>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
>>>>>>>> Reported-by: syzbot+705209281e36404998f6@syzkaller.appspotmail.com
>>>>>>>> Fixes: adef440691ba ("userfaultfd: UFFDIO_MOVE uABI")
>>>>>>>>
>>>>>>>> do_one_initcall+0x128/0x680 init/main.c:1237
>>>>>>>> do_initcall_level init/main.c:1299 [inline]
>>>>>>>> do_initcalls init/main.c:1315 [inline]
>>>>>>>> do_basic_setup init/main.c:1334 [inline]
>>>>>>>> kernel_init_freeable+0x692/0xc30 init/main.c:1552
>>>>>>>> kernel_init+0x1c/0x2a0 init/main.c:1442
>>>>>>>> ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
>>>>>>>> ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
>>>>>>>> ------------[ cut here ]------------
>>>>>>>> kernel BUG at include/linux/page-flags.h:1035!
>>>>>>>> invalid opcode: 0000 [#1] PREEMPT SMP KASAN
>>>>>>>> CPU: 0 PID: 5068 Comm: syz-executor191 Not tainted 6.7.0-rc8-next-20240105-syzkaller #0
>>>>>>>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
>>>>>>>> RIP: 0010:PageAnonExclusive include/linux/page-flags.h:1035 [inline]
>>>>>>>
>>>>>>> From a quick look, I think the new ioctl is being used against a
>>>>>>> file-backed page and that's why PageAnonExclusive() throws this error.
>>>>>>> I'll confirm if this is indeed the case and will add checks for that
>>>>>>> case. Thanks!
>>>>>>
>>>>>> Hmm. Looking at the reproducer it does not look like a file-backed
>>>>>> memory... Anyways, I'm on it.
>>>>>
>>>>> Looks like the test is trying to move the huge_zero_page. Wonder how
>>>>> we should handle this. Just fail or do something else? Adding David
>>>>> and Peter for feedback.
>>>>
>>>> You'll need some special-casing to handle that. But it should be fairly
>>>> easy.
>>>
>>> Ok, so should we treat zeropage the same as PAE and map destination
>>> PTE/PMD to zeropage while clearing source PTE/PMD?
>>
>> Likely yes. So it's transparent for user space what we are moving. (this
>> sounds like an easy case to not require a prior write access just to
>> move it)
>
> Ok, working on it. split_huge_pmd() already knows how to split
> huge_zero_page but I think I'll need special handling in both
> move_pages_pte() and move_pages_huge_pmd().

A PTE-mapped huge zeropage is just a page table populated with the
ordinary shared zeropage. Are you moving the ordinary shared zeropage as
well? If not, you should do so for consistency (or not do either :) ).

--
Cheers,

David / dhildenb
* Re: [syzbot] [mm?] kernel BUG in move_pages
  2024-01-11 21:06 ` David Hildenbrand
@ 2024-01-11 21:13 ` Suren Baghdasaryan
  2024-01-11 23:23 ` Suren Baghdasaryan

From: Suren Baghdasaryan @ 2024-01-11 21:13 UTC
To: David Hildenbrand
Cc: syzbot, Peter Xu, aarcange, akpm, linux-kernel, linux-mm, syzkaller-bugs

On Thu, Jan 11, 2024 at 1:06 PM David Hildenbrand <david@redhat.com> wrote:
>
> On 11.01.24 22:04, Suren Baghdasaryan wrote:
> > On Thu, Jan 11, 2024 at 9:00 PM David Hildenbrand <david@redhat.com> wrote:
> >>
> >> On 11.01.24 21:20, Suren Baghdasaryan wrote:
> >>> On Thu, Jan 11, 2024 at 6:58 PM David Hildenbrand <david@redhat.com> wrote:
> >>>>
> >>>> On 11.01.24 19:34, Suren Baghdasaryan wrote:
> >>>>> On Thu, Jan 11, 2024 at 8:44 AM Suren Baghdasaryan <surenb@google.com> wrote:
> >>>>>>
> >>>>>> On Thu, Jan 11, 2024 at 8:40 AM Suren Baghdasaryan <surenb@google.com> wrote:
> >>>>>>>
> >>>>>>> On Thu, Jan 11, 2024 at 8:25 AM syzbot
> >>>>>>> <syzbot+705209281e36404998f6@syzkaller.appspotmail.com> wrote:
> >>>>>>>>
> >>>>>>>> Hello,
> >>>>>>>>
> >>>>>>>> syzbot found the following issue on:
> >>>>>>>>
> >>>>>>>> HEAD commit: e2425464bc87 Add linux-next specific files for 20240105
> >>>>>>>> git tree: linux-next
> >>>>>>>> console+strace: https://syzkaller.appspot.com/x/log.txt?x=14941cdee80000
> >>>>>>>> kernel config: https://syzkaller.appspot.com/x/.config?x=4056b9349f3da8c9
> >>>>>>>> dashboard link: https://syzkaller.appspot.com/bug?extid=705209281e36404998f6
> >>>>>>>> compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> >>>>>>>> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=125d0a09e80000
> >>>>>>>> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15bc7331e80000
> >>>>>>>>
> >>>>>>>> Downloadable assets:
> >>>>>>>> disk image: https://storage.googleapis.com/syzbot-assets/2f738185e2cf/disk-e2425464.raw.xz
> >>>>>>>> vmlinux: https://storage.googleapis.com/syzbot-assets/b248fcf4ea46/vmlinux-e2425464.xz
> >>>>>>>> kernel image: https://storage.googleapis.com/syzbot-assets/a9945c8223f4/bzImage-e2425464.xz
> >>>>>>>>
> >>>>>>>> The issue was bisected to:
> >>>>>>>>
> >>>>>>>> commit adef440691bab824e39c1b17382322d195e1fab0
> >>>>>>>> Author: Andrea Arcangeli <aarcange@redhat.com>
> >>>>>>>> Date: Wed Dec 6 10:36:56 2023 +0000
> >>>>>>>>
> >>>>>>>> userfaultfd: UFFDIO_MOVE uABI
> >>>>>>>>
> >>>>>>>> bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=11cb6ea9e80000
> >>>>>>>> final oops: https://syzkaller.appspot.com/x/report.txt?x=13cb6ea9e80000
> >>>>>>>> console output: https://syzkaller.appspot.com/x/log.txt?x=15cb6ea9e80000
> >>>>>>>>
> >>>>>>>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> >>>>>>>> Reported-by: syzbot+705209281e36404998f6@syzkaller.appspotmail.com
> >>>>>>>> Fixes: adef440691ba ("userfaultfd: UFFDIO_MOVE uABI")
> >>>>>>>>
> >>>>>>>> do_one_initcall+0x128/0x680 init/main.c:1237
> >>>>>>>> do_initcall_level init/main.c:1299 [inline]
> >>>>>>>> do_initcalls init/main.c:1315 [inline]
> >>>>>>>> do_basic_setup init/main.c:1334 [inline]
> >>>>>>>> kernel_init_freeable+0x692/0xc30 init/main.c:1552
> >>>>>>>> kernel_init+0x1c/0x2a0 init/main.c:1442
> >>>>>>>> ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
> >>>>>>>> ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
> >>>>>>>> ------------[ cut here ]------------
> >>>>>>>> kernel BUG at include/linux/page-flags.h:1035!
> >>>>>>>> invalid opcode: 0000 [#1] PREEMPT SMP KASAN
> >>>>>>>> CPU: 0 PID: 5068 Comm: syz-executor191 Not tainted 6.7.0-rc8-next-20240105-syzkaller #0
> >>>>>>>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
> >>>>>>>> RIP: 0010:PageAnonExclusive include/linux/page-flags.h:1035 [inline]
> >>>>>>>
> >>>>>>> From a quick look, I think the new ioctl is being used against a
> >>>>>>> file-backed page and that's why PageAnonExclusive() throws this error.
> >>>>>>> I'll confirm if this is indeed the case and will add checks for that
> >>>>>>> case. Thanks!
> >>>>>>
> >>>>>> Hmm. Looking at the reproducer it does not look like a file-backed
> >>>>>> memory... Anyways, I'm on it.
> >>>>>
> >>>>> Looks like the test is trying to move the huge_zero_page. Wonder how
> >>>>> we should handle this. Just fail or do something else? Adding David
> >>>>> and Peter for feedback.
> >>>>
> >>>> You'll need some special-casing to handle that. But it should be fairly
> >>>> easy.
> >>>
> >>> Ok, so should we treat zeropage the same as PAE and map destination
> >>> PTE/PMD to zeropage while clearing source PTE/PMD?
> >>
> >> Likely yes. So it's transparent for user space what we are moving. (this
> >> sounds like an easy case to not require a prior write access just to
> >> move it)
> >
> > Ok, working on it. split_huge_pmd() already knows how to split
> > huge_zero_page but I think I'll need special handling in both
> > move_pages_pte() and move_pages_huge_pmd().
>
> A PTE-mapped huge zeropage is just a page table populated with the
> ordinary shared zeropage. Are you moving the ordinary shared zeropage as
> well? If not, you should do so for consistency (or not do either :) ).

Yes, I think I should move ordinary zeropages as well.

>
> --
> Cheers,
>
> David / dhildenb
>
* Re: [syzbot] [mm?] kernel BUG in move_pages
  2024-01-11 21:13 ` Suren Baghdasaryan
@ 2024-01-11 23:23 ` Suren Baghdasaryan
  2024-01-12  1:44 ` Suren Baghdasaryan

From: Suren Baghdasaryan @ 2024-01-11 23:23 UTC
To: David Hildenbrand
Cc: syzbot, Peter Xu, aarcange, akpm, linux-kernel, linux-mm, syzkaller-bugs

On Thu, Jan 11, 2024 at 9:13 PM Suren Baghdasaryan <surenb@google.com> wrote:
>
> On Thu, Jan 11, 2024 at 1:06 PM David Hildenbrand <david@redhat.com> wrote:
> >
> > On 11.01.24 22:04, Suren Baghdasaryan wrote:
> > > On Thu, Jan 11, 2024 at 9:00 PM David Hildenbrand <david@redhat.com> wrote:
> > >>
> > >> On 11.01.24 21:20, Suren Baghdasaryan wrote:
> > >>> On Thu, Jan 11, 2024 at 6:58 PM David Hildenbrand <david@redhat.com> wrote:
> > >>>>
> > >>>> On 11.01.24 19:34, Suren Baghdasaryan wrote:
> > >>>>> On Thu, Jan 11, 2024 at 8:44 AM Suren Baghdasaryan <surenb@google.com> wrote:
> > >>>>>>
> > >>>>>> On Thu, Jan 11, 2024 at 8:40 AM Suren Baghdasaryan <surenb@google.com> wrote:
> > >>>>>>>
> > >>>>>>> On Thu, Jan 11, 2024 at 8:25 AM syzbot
> > >>>>>>> <syzbot+705209281e36404998f6@syzkaller.appspotmail.com> wrote:
> > >>>>>>>>
> > >>>>>>>> Hello,
> > >>>>>>>>
> > >>>>>>>> syzbot found the following issue on:
> > >>>>>>>>
> > >>>>>>>> HEAD commit: e2425464bc87 Add linux-next specific files for 20240105
> > >>>>>>>> git tree: linux-next
> > >>>>>>>> console+strace: https://syzkaller.appspot.com/x/log.txt?x=14941cdee80000
> > >>>>>>>> kernel config: https://syzkaller.appspot.com/x/.config?x=4056b9349f3da8c9
> > >>>>>>>> dashboard link: https://syzkaller.appspot.com/bug?extid=705209281e36404998f6
> > >>>>>>>> compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> > >>>>>>>> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=125d0a09e80000
> > >>>>>>>> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15bc7331e80000
> > >>>>>>>>
> > >>>>>>>> Downloadable assets:
> > >>>>>>>> disk image: https://storage.googleapis.com/syzbot-assets/2f738185e2cf/disk-e2425464.raw.xz
> > >>>>>>>> vmlinux: https://storage.googleapis.com/syzbot-assets/b248fcf4ea46/vmlinux-e2425464.xz
> > >>>>>>>> kernel image: https://storage.googleapis.com/syzbot-assets/a9945c8223f4/bzImage-e2425464.xz
> > >>>>>>>>
> > >>>>>>>> The issue was bisected to:
> > >>>>>>>>
> > >>>>>>>> commit adef440691bab824e39c1b17382322d195e1fab0
> > >>>>>>>> Author: Andrea Arcangeli <aarcange@redhat.com>
> > >>>>>>>> Date: Wed Dec 6 10:36:56 2023 +0000
> > >>>>>>>>
> > >>>>>>>> userfaultfd: UFFDIO_MOVE uABI
> > >>>>>>>>
> > >>>>>>>> bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=11cb6ea9e80000
> > >>>>>>>> final oops: https://syzkaller.appspot.com/x/report.txt?x=13cb6ea9e80000
> > >>>>>>>> console output: https://syzkaller.appspot.com/x/log.txt?x=15cb6ea9e80000
> > >>>>>>>>
> > >>>>>>>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > >>>>>>>> Reported-by: syzbot+705209281e36404998f6@syzkaller.appspotmail.com
> > >>>>>>>> Fixes: adef440691ba ("userfaultfd: UFFDIO_MOVE uABI")
> > >>>>>>>>
> > >>>>>>>> do_one_initcall+0x128/0x680 init/main.c:1237
> > >>>>>>>> do_initcall_level init/main.c:1299 [inline]
> > >>>>>>>> do_initcalls init/main.c:1315 [inline]
> > >>>>>>>> do_basic_setup init/main.c:1334 [inline]
> > >>>>>>>> kernel_init_freeable+0x692/0xc30 init/main.c:1552
> > >>>>>>>> kernel_init+0x1c/0x2a0 init/main.c:1442
> > >>>>>>>> ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
> > >>>>>>>> ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
> > >>>>>>>> ------------[ cut here ]------------
> > >>>>>>>> kernel BUG at include/linux/page-flags.h:1035!
> > >>>>>>>> invalid opcode: 0000 [#1] PREEMPT SMP KASAN
> > >>>>>>>> CPU: 0 PID: 5068 Comm: syz-executor191 Not tainted 6.7.0-rc8-next-20240105-syzkaller #0
> > >>>>>>>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
> > >>>>>>>> RIP: 0010:PageAnonExclusive include/linux/page-flags.h:1035 [inline]
> > >>>>>>>
> > >>>>>>> From a quick look, I think the new ioctl is being used against a
> > >>>>>>> file-backed page and that's why PageAnonExclusive() throws this error.
> > >>>>>>> I'll confirm if this is indeed the case and will add checks for that
> > >>>>>>> case. Thanks!
> > >>>>>>
> > >>>>>> Hmm. Looking at the reproducer it does not look like a file-backed
> > >>>>>> memory... Anyways, I'm on it.
> > >>>>>
> > >>>>> Looks like the test is trying to move the huge_zero_page. Wonder how
> > >>>>> we should handle this. Just fail or do something else? Adding David
> > >>>>> and Peter for feedback.
> > >>>>
> > >>>> You'll need some special-casing to handle that. But it should be fairly
> > >>>> easy.
> > >>>
> > >>> Ok, so should we treat zeropage the same as PAE and map destination
> > >>> PTE/PMD to zeropage while clearing source PTE/PMD?
> > >>
> > >> Likely yes. So it's transparent for user space what we are moving. (this
> > >> sounds like an easy case to not require a prior write access just to
> > >> move it)
> > >
> > > Ok, working on it. split_huge_pmd() already knows how to split
> > > huge_zero_page but I think I'll need special handling in both
> > > move_pages_pte() and move_pages_huge_pmd().
> >
> > A PTE-mapped huge zeropage is just a page table populated with the
> > ordinary shared zeropage. Are you moving the ordinary shared zeropage as
> > well? If not, you should do so for consistency (or not do either :) ).
>
> Yes, I think I should move ordinary zeropages as well.

I have a version that seems to work but I want to test it more and
it's too heavy to be considered a quick fix for linux-next. I'll post
a simple one-line fix which takes care of this crash and keeps the
behavior for zeropages the same (ioctl returns -EBUSY). Later will
post a separate patch to move huge and ordinary zeropages.

> >
> > --
> > Cheers,
> >
> > David / dhildenb
> >
* Re: [syzbot] [mm?] kernel BUG in move_pages
  2024-01-11 23:23 ` Suren Baghdasaryan
@ 2024-01-12  1:44 ` Suren Baghdasaryan
  2024-01-12  2:57 ` Stephen Rothwell

From: Suren Baghdasaryan @ 2024-01-12 1:44 UTC
To: Stephen Rothwell, akpm
Cc: syzbot, Peter Xu, David Hildenbrand, aarcange, linux-kernel, linux-mm, syzkaller-bugs

On Thu, Jan 11, 2024 at 3:23 PM Suren Baghdasaryan <surenb@google.com> wrote:
>
> On Thu, Jan 11, 2024 at 9:13 PM Suren Baghdasaryan <surenb@google.com> wrote:
> >
> > On Thu, Jan 11, 2024 at 1:06 PM David Hildenbrand <david@redhat.com> wrote:
> > >
> > > On 11.01.24 22:04, Suren Baghdasaryan wrote:
> > > > On Thu, Jan 11, 2024 at 9:00 PM David Hildenbrand <david@redhat.com> wrote:
> > > >>
> > > >> On 11.01.24 21:20, Suren Baghdasaryan wrote:
> > > >>> On Thu, Jan 11, 2024 at 6:58 PM David Hildenbrand <david@redhat.com> wrote:
> > > >>>>
> > > >>>> On 11.01.24 19:34, Suren Baghdasaryan wrote:
> > > >>>>> On Thu, Jan 11, 2024 at 8:44 AM Suren Baghdasaryan <surenb@google.com> wrote:
> > > >>>>>>
> > > >>>>>> On Thu, Jan 11, 2024 at 8:40 AM Suren Baghdasaryan <surenb@google.com> wrote:
> > > >>>>>>>
> > > >>>>>>> On Thu, Jan 11, 2024 at 8:25 AM syzbot
> > > >>>>>>> <syzbot+705209281e36404998f6@syzkaller.appspotmail.com> wrote:
> > > >>>>>>>>
> > > >>>>>>>> Hello,
> > > >>>>>>>>
> > > >>>>>>>> syzbot found the following issue on:
> > > >>>>>>>>
> > > >>>>>>>> HEAD commit: e2425464bc87 Add linux-next specific files for 20240105
> > > >>>>>>>> git tree: linux-next
> > > >>>>>>>> console+strace: https://syzkaller.appspot.com/x/log.txt?x=14941cdee80000
> > > >>>>>>>> kernel config: https://syzkaller.appspot.com/x/.config?x=4056b9349f3da8c9
> > > >>>>>>>> dashboard link: https://syzkaller.appspot.com/bug?extid=705209281e36404998f6
> > > >>>>>>>> compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> > > >>>>>>>> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=125d0a09e80000
> > > >>>>>>>> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15bc7331e80000
> > > >>>>>>>>
> > > >>>>>>>> Downloadable assets:
> > > >>>>>>>> disk image: https://storage.googleapis.com/syzbot-assets/2f738185e2cf/disk-e2425464.raw.xz
> > > >>>>>>>> vmlinux: https://storage.googleapis.com/syzbot-assets/b248fcf4ea46/vmlinux-e2425464.xz
> > > >>>>>>>> kernel image: https://storage.googleapis.com/syzbot-assets/a9945c8223f4/bzImage-e2425464.xz
> > > >>>>>>>>
> > > >>>>>>>> The issue was bisected to:
> > > >>>>>>>>
> > > >>>>>>>> commit adef440691bab824e39c1b17382322d195e1fab0
> > > >>>>>>>> Author: Andrea Arcangeli <aarcange@redhat.com>
> > > >>>>>>>> Date: Wed Dec 6 10:36:56 2023 +0000
> > > >>>>>>>>
> > > >>>>>>>> userfaultfd: UFFDIO_MOVE uABI
> > > >>>>>>>>
> > > >>>>>>>> bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=11cb6ea9e80000
> > > >>>>>>>> final oops: https://syzkaller.appspot.com/x/report.txt?x=13cb6ea9e80000
> > > >>>>>>>> console output: https://syzkaller.appspot.com/x/log.txt?x=15cb6ea9e80000
> > > >>>>>>>>
> > > >>>>>>>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > >>>>>>>> Reported-by: syzbot+705209281e36404998f6@syzkaller.appspotmail.com
> > > >>>>>>>> Fixes: adef440691ba ("userfaultfd: UFFDIO_MOVE uABI")
> > > >>>>>>>>
> > > >>>>>>>> do_one_initcall+0x128/0x680 init/main.c:1237
> > > >>>>>>>> do_initcall_level init/main.c:1299 [inline]
> > > >>>>>>>> do_initcalls init/main.c:1315 [inline]
> > > >>>>>>>> do_basic_setup init/main.c:1334 [inline]
> > > >>>>>>>> kernel_init_freeable+0x692/0xc30 init/main.c:1552
> > > >>>>>>>> kernel_init+0x1c/0x2a0 init/main.c:1442
> > > >>>>>>>> ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
> > > >>>>>>>> ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
> > > >>>>>>>> ------------[ cut here ]------------
> > > >>>>>>>> kernel BUG at include/linux/page-flags.h:1035!
> > > >>>>>>>> invalid opcode: 0000 [#1] PREEMPT SMP KASAN
> > > >>>>>>>> CPU: 0 PID: 5068 Comm: syz-executor191 Not tainted 6.7.0-rc8-next-20240105-syzkaller #0
> > > >>>>>>>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
> > > >>>>>>>> RIP: 0010:PageAnonExclusive include/linux/page-flags.h:1035 [inline]
> > > >>>>>>>
> > > >>>>>>> From a quick look, I think the new ioctl is being used against a
> > > >>>>>>> file-backed page and that's why PageAnonExclusive() throws this error.
> > > >>>>>>> I'll confirm if this is indeed the case and will add checks for that
> > > >>>>>>> case. Thanks!
> > > >>>>>>
> > > >>>>>> Hmm. Looking at the reproducer it does not look like a file-backed
> > > >>>>>> memory... Anyways, I'm on it.
> > > >>>>>
> > > >>>>> Looks like the test is trying to move the huge_zero_page. Wonder how
> > > >>>>> we should handle this. Just fail or do something else? Adding David
> > > >>>>> and Peter for feedback.
> > > >>>>
> > > >>>> You'll need some special-casing to handle that. But it should be fairly
> > > >>>> easy.
> > > >>>
> > > >>> Ok, so should we treat zeropage the same as PAE and map destination
> > > >>> PTE/PMD to zeropage while clearing source PTE/PMD?
> > > >>
> > > >> Likely yes. So it's transparent for user space what we are moving. (this
> > > >> sounds like an easy case to not require a prior write access just to
> > > >> move it)
> > > >
> > > > Ok, working on it. split_huge_pmd() already knows how to split
> > > > huge_zero_page but I think I'll need special handling in both
> > > > move_pages_pte() and move_pages_huge_pmd().
> > >
> > > A PTE-mapped huge zeropage is just a page table populated with the
> > > ordinary shared zeropage. Are you moving the ordinary shared zeropage as
> > > well? If not, you should do so for consistency (or not do either :) ).
> >
> > Yes, I think I should move ordinary zeropages as well.
>
> I have a version that seems to work but I want to test it more and
> it's too heavy to be considered a quick fix for linux-next. I'll post
> a simple one-line fix which takes care of this crash and keeps the
> behavior for zeropages the same (ioctl returns -EBUSY). Later will
> post a separate patch to move huge and ordinary zeropages.

I posted a quick fix for this issue here:
https://lore.kernel.org/all/20240112013935.1474648-1-surenb@google.com/
It cleanly applies over linux-next, mm-stable and mm-unstable.
Andrew, Stephen, could you please pull the fix into your branches?
Thanks,
Suren.

> >
> > >
> > > --
> > > Cheers,
> > >
> > > David / dhildenb
> > >
* Re: [syzbot] [mm?] kernel BUG in move_pages
From: Stephen Rothwell @ 2024-01-12 2:57 UTC
To: Suren Baghdasaryan
Cc: akpm, syzbot, Peter Xu, David Hildenbrand, aarcange, linux-kernel, linux-mm, syzkaller-bugs

Hi all,

On Thu, 11 Jan 2024 17:44:57 -0800 Suren Baghdasaryan <surenb@google.com> wrote:
>
> I posted a quick fix for this issue here:
> https://lore.kernel.org/all/20240112013935.1474648-1-surenb@google.com/
> It cleanly applies over linux-next, mm-stable and mm-unstable. Andrew,
> Stephen, could you please pull the fix into your branches?

Since I will be away for a few days, I have applied that to linux-next today.

--
Cheers,
Stephen Rothwell
Thread overview: 13+ messages (newest: 2024-01-12 2:57 UTC)
2024-01-11 16:25 [syzbot] [mm?] kernel BUG in move_pages (syzbot)
2024-01-11 16:40 ` Suren Baghdasaryan
2024-01-11 16:44 ` Suren Baghdasaryan
2024-01-11 18:34 ` Suren Baghdasaryan
2024-01-11 18:58 ` David Hildenbrand
2024-01-11 20:20 ` Suren Baghdasaryan
2024-01-11 21:00 ` David Hildenbrand
2024-01-11 21:04 ` Suren Baghdasaryan
2024-01-11 21:06 ` David Hildenbrand
2024-01-11 21:13 ` Suren Baghdasaryan
2024-01-11 23:23 ` Suren Baghdasaryan
2024-01-12 1:44 ` Suren Baghdasaryan
2024-01-12 2:57 ` Stephen Rothwell