[syzbot] kernel BUG in find_lock_entries

[syzbot] kernel BUG in find_lock_entries

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    902e7f373fff Merge tag 'net-5.14-rc5' of git://git.kernel...
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15337cd6300000
kernel config:  https://syzkaller.appspot.com/x/.config?x=702bfdfbf389c324
dashboard link: https://syzkaller.appspot.com/bug?extid=c87be4f669d920c76330
compiler:       Debian clang version 11.0.1-2, GNU ld (GNU Binutils for Debian) 2.35.1
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=157afce9300000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=152fc43a300000

The issue was bisected to:

commit 997acaf6b4b59c6a9c259740312a69ea549cc684
Author: Mark Rutland <mark.rutland@arm.com>
Date:   Mon Jan 11 15:37:07 2021 +0000

    lockdep: report broken irq restoration

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=137296e6300000
final oops:     https://syzkaller.appspot.com/x/report.txt?x=10f296e6300000
console output: https://syzkaller.appspot.com/x/log.txt?x=177296e6300000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c87be4f669d920c76330@syzkaller.appspotmail.com
Fixes: 997acaf6b4b5 ("lockdep: report broken irq restoration")

 __pagevec_release+0x7d/0xf0 mm/swap.c:992
 pagevec_release include/linux/pagevec.h:81 [inline]
 shmem_undo_range+0x5da/0x1a60 mm/shmem.c:931
 shmem_truncate_range mm/shmem.c:1030 [inline]
 shmem_setattr+0x4f0/0x890 mm/shmem.c:1091
 notify_change+0xbb8/0x1060 fs/attr.c:398
 do_truncate fs/open.c:64 [inline]
 vfs_truncate+0x6be/0x880 fs/open.c:112
 do_sys_truncate fs/open.c:135 [inline]
 __do_sys_truncate fs/open.c:147 [inline]
 __se_sys_truncate fs/open.c:145 [inline]
 __x64_sys_truncate+0x110/0x1b0 fs/open.c:145
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
------------[ cut here ]------------
kernel BUG at mm/filemap.c:2041!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 24786 Comm: syz-executor626 Not tainted 5.14.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:find_lock_entries+0x10d5/0x1110 mm/filemap.c:2041
Code: e8 00 3d d8 ff 4c 89 e7 48 c7 c6 20 70 39 8a e8 71 bf 0d 00 0f 0b e8 ea 3c d8 ff 4c 89 e7 48 c7 c6 40 62 39 8a e8 5b bf 0d 00 <0f> 0b e8 d4 3c d8 ff 4c 89 e7 48 c7 c6 80 6a 39 8a e8 45 bf 0d 00
RSP: 0018:ffffc9000a52f7e0 EFLAGS: 00010246
RAX: c75c992acedb0700 RBX: 0000000000000001 RCX: ffff8880161ab880
RDX: 0000000000000000 RSI: 000000000000ffff RDI: 000000000000ffff
RBP: ffffc9000a52f930 R08: ffffffff81d080d4 R09: ffffed1017383f24
R10: ffffed1017383f24 R11: 0000000000000000 R12: ffffea0000f40000
R13: 0000000000001000 R14: fffffffffffffffe R15: 0000000000001140
FS:  00007f1334d1f700(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007faaa593a000 CR3: 00000000165b1000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 shmem_undo_range+0x1ea/0x1a60 mm/shmem.c:910
 shmem_truncate_range mm/shmem.c:1030 [inline]
 shmem_setattr+0x4f0/0x890 mm/shmem.c:1091
 notify_change+0xbb8/0x1060 fs/attr.c:398
 do_truncate fs/open.c:64 [inline]
 vfs_truncate+0x6be/0x880 fs/open.c:112
 do_sys_truncate fs/open.c:135 [inline]
 __do_sys_truncate fs/open.c:147 [inline]
 __se_sys_truncate fs/open.c:145 [inline]
 __x64_sys_truncate+0x110/0x1b0 fs/open.c:145
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x44a9a9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f1334d1f208 EFLAGS: 00000246 ORIG_RAX: 000000000000004c
RAX: ffffffffffffffda RBX: 00000000004cb4f8 RCX: 000000000044a9a9
RDX: 00007f1334d1f700 RSI: 0000000000000001 RDI: 0000000020000340
RBP: 00000000004cb4f0 R08: 00007f1334d1f700 R09: 0000000000000000
R10: 00007f1334d1f700 R11: 0000000000000246 R12: 00000000004cb4fc
R13: 00007ffdec06b36f R14: 00007f1334d1f300 R15: 0000000000022000
Modules linked in:
---[ end trace 4dcd0c81778c7d51 ]---
RIP: 0010:find_lock_entries+0x10d5/0x1110 mm/filemap.c:2041
Code: e8 00 3d d8 ff 4c 89 e7 48 c7 c6 20 70 39 8a e8 71 bf 0d 00 0f 0b e8 ea 3c d8 ff 4c 89 e7 48 c7 c6 40 62 39 8a e8 5b bf 0d 00 <0f> 0b e8 d4 3c d8 ff 4c 89 e7 48 c7 c6 80 6a 39 8a e8 45 bf 0d 00
RSP: 0018:ffffc9000a52f7e0 EFLAGS: 00010246
RAX: c75c992acedb0700 RBX: 0000000000000001 RCX: ffff8880161ab880
RDX: 0000000000000000 RSI: 000000000000ffff RDI: 000000000000ffff
RBP: ffffc9000a52f930 R08: ffffffff81d080d4 R09: ffffed1017383f24
R10: ffffed1017383f24 R11: 0000000000000000 R12: ffffea0000f40000
R13: 0000000000001000 R14: fffffffffffffffe R15: 0000000000001140
FS:  00007f1334d1f700(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000557a29364160 CR3: 00000000165b1000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches

Re: [syzbot] kernel BUG in find_lock_entries

[Matthew Wilcox]

On Mon, Aug 09, 2021 at 02:02:22PM -0700, syzbot wrote:
> The issue was bisected to:
> 
> commit 997acaf6b4b59c6a9c259740312a69ea549cc684
> Author: Mark Rutland <mark.rutland@arm.com>
> Date:   Mon Jan 11 15:37:07 2021 +0000
> 
>     lockdep: report broken irq restoration

That's just a bogus bisection.  The correct bad commit is 5c211ba29deb.

> kernel BUG at mm/filemap.c:2041!
> invalid opcode: 0000 [#1] PREEMPT SMP KASAN
> CPU: 1 PID: 24786 Comm: syz-executor626 Not tainted 5.14.0-rc4-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> RIP: 0010:find_lock_entries+0x10d5/0x1110 mm/filemap.c:2041

This patch should fix it.  It's not just removing the warning; this
warning duplicates the warning a few lines down (after taking the
lock).  It's not safe to make this assertion without holding the page
lock as the page can move between the page cache and the swap cache.

#syz test

diff --git a/mm/filemap.c b/mm/filemap.c
index d1458ecf2f51..34de0b14aaa9 100644
--- a/mm/filemap.c
+++ b/mm/filemap.c
@@ -2038,7 +2038,6 @@ unsigned find_lock_entries(struct address_space *mapping, pgoff_t start,
 		if (!xa_is_value(page)) {
 			if (page->index < start)
 				goto put;
-			VM_BUG_ON_PAGE(page->index != xas.xa_index, page);
 			if (page->index + thp_nr_pages(page) - 1 > end)
 				goto put;
 			if (!trylock_page(page))

Re: [syzbot] kernel BUG in find_lock_entries

[syzbot]

> On Mon, Aug 09, 2021 at 02:02:22PM -0700, syzbot wrote:
>> The issue was bisected to:
>> 
>> commit 997acaf6b4b59c6a9c259740312a69ea549cc684
>> Author: Mark Rutland <mark.rutland@arm.com>
>> Date:   Mon Jan 11 15:37:07 2021 +0000
>> 
>>     lockdep: report broken irq restoration
>
> That's just a bogus bisection.  The correct bad commit is 5c211ba29deb.
>
>> kernel BUG at mm/filemap.c:2041!
>> invalid opcode: 0000 [#1] PREEMPT SMP KASAN
>> CPU: 1 PID: 24786 Comm: syz-executor626 Not tainted 5.14.0-rc4-syzkaller #0
>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
>> RIP: 0010:find_lock_entries+0x10d5/0x1110 mm/filemap.c:2041
>
> This patch should fix it.  It's not just removing the warning; this
> warning duplicates the warning a few lines down (after taking the
> lock).  It's not safe to make this assertion without holding the page
> lock as the page can move between the page cache and the swap cache.
>
> #syz test

want 2 args (repo, branch), got 4

>
> diff --git a/mm/filemap.c b/mm/filemap.c
> index d1458ecf2f51..34de0b14aaa9 100644
> --- a/mm/filemap.c
> +++ b/mm/filemap.c
> @@ -2038,7 +2038,6 @@ unsigned find_lock_entries(struct address_space *mapping, pgoff_t start,
>  		if (!xa_is_value(page)) {
>  			if (page->index < start)
>  				goto put;
> -			VM_BUG_ON_PAGE(page->index != xas.xa_index, page);
>  			if (page->index + thp_nr_pages(page) - 1 > end)
>  				goto put;
>  			if (!trylock_page(page))

Re: [syzbot] kernel BUG in find_lock_entries

[syzbot]

> On Mon, Aug 09, 2021 at 02:02:22PM -0700, syzbot wrote:
>> The issue was bisected to:
>> 
>> commit 997acaf6b4b59c6a9c259740312a69ea549cc684
>> Author: Mark Rutland <mark.rutland@arm.com>
>> Date:   Mon Jan 11 15:37:07 2021 +0000
>> 
>>     lockdep: report broken irq restoration
>
> That's just a bogus bisection.  The correct bad commit is 5c211ba29deb.
>
>> kernel BUG at mm/filemap.c:2041!
>> invalid opcode: 0000 [#1] PREEMPT SMP KASAN
>> CPU: 1 PID: 24786 Comm: syz-executor626 Not tainted 5.14.0-rc4-syzkaller #0
>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
>> RIP: 0010:find_lock_entries+0x10d5/0x1110 mm/filemap.c:2041
>
> This patch should fix it.  It's not just removing the warning; this
> warning duplicates the warning a few lines down (after taking the
> lock).  It's not safe to make this assertion without holding the page
> lock as the page can move between the page cache and the swap cache.
>
> #syz test

want 2 args (repo, branch), got 4

>
> diff --git a/mm/filemap.c b/mm/filemap.c
> index d1458ecf2f51..34de0b14aaa9 100644
> --- a/mm/filemap.c
> +++ b/mm/filemap.c
> @@ -2038,7 +2038,6 @@ unsigned find_lock_entries(struct address_space *mapping, pgoff_t start,
>  		if (!xa_is_value(page)) {
>  			if (page->index < start)
>  				goto put;
> -			VM_BUG_ON_PAGE(page->index != xas.xa_index, page);
>  			if (page->index + thp_nr_pages(page) - 1 > end)
>  				goto put;
>  			if (!trylock_page(page))
>
> -- 
> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/YRGxNaVc1cGsyd0Y%40casper.infradead.org.