From: Sean Christopherson <seanjc@google.com>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: syzbot <syzbot+644848628d5e12d5438c@syzkaller.appspotmail.com>,
	linux-kernel@vger.kernel.org, linux-mm@kvack.org,
	syzkaller-bugs@googlegroups.com, kvm@vger.kernel.org
Subject: Re: [syzbot] kernel BUG in workingset_activation (2)
Date: Tue, 15 Nov 2022 20:07:36 +0000
Message-ID: <Y3PxiIMOu+7x89YS@google.com>
In-Reply-To: <20221115112729.1c82988047557e45765cc42d@linux-foundation.org>

On Tue, Nov 15, 2022, Andrew Morton wrote:
> On Tue, 15 Nov 2022 08:23:44 -0800 syzbot <syzbot+644848628d5e12d5438c@syzkaller.appspotmail.com> wrote:
> 
> > Hello,
> > 
> > syzbot found the following issue on:
> 
> Thanks.
> 
> > HEAD commit:    f4bc5bbb5fef Merge tag 'nfsd-5.17-2' of git://git.kernel.o..
> > git tree:       upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=16c683d8700000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=5707221760c00a20
> > dashboard link: https://syzkaller.appspot.com/bug?extid=644848628d5e12d5438c
> > compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1691d2c2700000
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16cde752700000
> > 
> > Bisection is inconclusive: the issue happens on the oldest tested release.
> > 
> > bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=174c8174700000
> > final oops:     https://syzkaller.appspot.com/x/report.txt?x=14cc8174700000
> > console output: https://syzkaller.appspot.com/x/log.txt?x=10cc8174700000
> > 
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+644848628d5e12d5438c@syzkaller.appspotmail.com
> > 
> >  do_one_initcall+0x103/0x650 init/main.c:1300
> >  do_initcall_level init/main.c:1373 [inline]
> >  do_initcalls init/main.c:1389 [inline]
> >  do_basic_setup init/main.c:1408 [inline]
> >  kernel_init_freeable+0x6b1/0x73a init/main.c:1613
> >  kernel_init+0x1a/0x1d0 init/main.c:1502
> >  ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
> > ------------[ cut here ]------------
> > kernel BUG at include/linux/memcontrol.h:470!
> 
> That's
> 
> 	VM_BUG_ON_FOLIO(folio_test_slab(folio), folio);
> 
> in folio_memcg_rcu().
> 
> I'll cc the KVM list.

Thanks!  Saw this internally, was waiting for it to hit the lists.

I haven't been able to repro the syzkaller test (abuses /dev/bus/usb crud), but
I believe the issue is that KVM attempts to mark a kmalloc'd page as accessed.
workingset_activation() doesn't expect this and invokes folio_memcg_rcu() on a
SLAB page, which triggers the VM_BUG.

I suspect this can be reproduced with a KVM selftest by mapping KVM's own vcpu->run
memory into the guest.  I'll give that a shot.

In the meantime...

#sys test https://github.com/sean-jc/linux.git x86/no_slab_accessed
