[syzbot] [mm?] BUG: Bad page map (7)
12 views
Skip to first unread message
syzbot
Sep 9, 2023, 1:12:49 PM9/9/23
to ak...@linux-foundation.org, fengw...@intel.com, linux-...@vger.kernel.org, linu...@kvack.org, syzkall...@googlegroups.com, wi...@infradead.org
Hello,
syzbot found the following issue on:
HEAD commit: 3f86ed6ec0b3 Merge tag 'arc-6.6-rc1' of git://git.kernel.o..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=142a0e00680000
kernel config: https://syzkaller.appspot.com/x/.config?x=ff0db7a15ba54ead
dashboard link: https://syzkaller.appspot.com/bug?extid=55cc72f8cc3a549119df
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17ff1fa8680000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1445ba2fa80000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/15ea526c030f/disk-3f86ed6e.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/e8f0baca67e5/vmlinux-3f86ed6e.xz
kernel image: https://storage.googleapis.com/syzbot-assets/e39fafbb687d/bzImage-3f86ed6e.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/f82bb81a1d50/mount_0.gz
The issue was bisected to:
commit 617c28ecab22d98a3809370eb6cb50fa24b7bfe1
Author: Yin Fengwei <fengw...@intel.com>
Date: Wed Aug 2 15:14:05 2023 +0000
filemap: batch PTE mappings
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=13c37c58680000
final oops: https://syzkaller.appspot.com/x/report.txt?x=10237c58680000
console output: https://syzkaller.appspot.com/x/log.txt?x=17c37c58680000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+55cc72...@syzkaller.appspotmail.com
Fixes: 617c28ecab22 ("filemap: batch PTE mappings")
BUG: Bad page map in process syz-executor332 pte:fffff8ce8c120 pmd:79462067
page:ffffea0001cc5cc0 refcount:9 mapcount:-1 mapping:ffff8880774b1b50 index:0x3 pfn:0x73173
head:ffffea0001cc5c00 order:2 entire_mapcount:0 nr_pages_mapped:8388607 pincount:0
memcg:ffff888015e5a000
aops:xfs_address_space_operations ino:244a dentry name:"bus"
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000000 ffffea0001cc5c01 dead000000000122 dead000000000400
raw: 0000000000000001 0000000000000000 00000000fffffffe 0000000000000000
head: 00fff0000000816c ffffea00007c9948 ffff888013245030 ffff8880774b1b50
head: 0000000000000000 ffff888027450e00 00000009ffffffff ffff888015e5a000
page dumped because: bad pte
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Movable, gfp_mask 0x152c4a(GFP_NOFS|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 5036, tgid 5036 (syz-executor332), ts 61415422939, free_ts 21789924659
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
prep_new_page mm/page_alloc.c:1543 [inline]
get_page_from_freelist+0x31ec/0x3370 mm/page_alloc.c:3183
__alloc_pages+0x255/0x670 mm/page_alloc.c:4439
folio_alloc+0x1e/0x60 mm/mempolicy.c:2308
filemap_alloc_folio+0xde/0x500 mm/filemap.c:979
ra_alloc_folio mm/readahead.c:468 [inline]
page_cache_ra_order+0x423/0xcc0 mm/readahead.c:524
do_sync_mmap_readahead+0x444/0x850
filemap_fault+0x7d3/0x1710 mm/filemap.c:3294
__xfs_filemap_fault+0x286/0x960 fs/xfs/xfs_file.c:1354
__do_fault+0x133/0x4e0 mm/memory.c:4204
do_read_fault mm/memory.c:4568 [inline]
do_fault mm/memory.c:4705 [inline]
do_pte_missing mm/memory.c:3669 [inline]
handle_pte_fault mm/memory.c:4978 [inline]
__handle_mm_fault mm/memory.c:5119 [inline]
handle_mm_fault+0x48d2/0x6200 mm/memory.c:5284
faultin_page mm/gup.c:956 [inline]
__get_user_pages+0x6bd/0x15e0 mm/gup.c:1239
__get_user_pages_locked mm/gup.c:1504 [inline]
get_dump_page+0x146/0x2b0 mm/gup.c:2018
dump_user_range+0x126/0x910 fs/coredump.c:913
elf_core_dump+0x3b75/0x4490 fs/binfmt_elf.c:2142
do_coredump+0x1b73/0x2ab0 fs/coredump.c:764
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1136 [inline]
free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
free_contig_range+0x9e/0x150 mm/page_alloc.c:6355
destroy_args+0x95/0x7c0 mm/debug_vm_pgtable.c:1028
debug_vm_pgtable+0x4ac/0x540 mm/debug_vm_pgtable.c:1408
do_one_initcall+0x23d/0x7d0 init/main.c:1232
do_initcall_level+0x157/0x210 init/main.c:1294
do_initcalls+0x3f/0x80 init/main.c:1310
kernel_init_freeable+0x440/0x5d0 init/main.c:1547
kernel_init+0x1d/0x2a0 init/main.c:1437
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
addr:0000000020006000 vm_flags:080000d0 anon_vma:0000000000000000 mapping:ffff8880774b1b50 index:5
file:bus fault:xfs_filemap_fault mmap:xfs_file_mmap read_folio:xfs_vm_read_folio
CPU: 1 PID: 5036 Comm: syz-executor332 Not tainted 6.5.0-syzkaller-11704-g3f86ed6ec0b3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
print_bad_pte+0x581/0x5c0 mm/memory.c:535
zap_pte_range mm/memory.c:1458 [inline]
zap_pmd_range mm/memory.c:1573 [inline]
zap_pud_range mm/memory.c:1602 [inline]
zap_p4d_range mm/memory.c:1623 [inline]
unmap_page_range+0x1a76/0x3300 mm/memory.c:1644
unmap_vmas+0x209/0x3a0 mm/memory.c:1731
exit_mmap+0x297/0xc50 mm/mmap.c:3210
__mmput+0x115/0x3c0 kernel/fork.c:1349
exit_mm+0x21f/0x300 kernel/exit.c:567
do_exit+0x612/0x2290 kernel/exit.c:861
do_group_exit+0x206/0x2c0 kernel/exit.c:1024
get_signal+0x175d/0x1840 kernel/signal.c:2892
arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:309
exit_to_user_mode_loop+0x6a/0x100 kernel/entry/common.c:168
exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:204
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x64/0x280 kernel/entry/common.c:296
do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7ff93b1d0eb9
Code: Unable to access opcode bytes at 0x7ff93b1d0e8f.
RSP: 002b:00007ffc50f66f08 EFLAGS: 00000246 ORIG_RAX: 0000000000000148
RAX: ffffffffffffffe5 RBX: 0000000000000003 RCX: 00007ff93b1d0eb9
RDX: 0000000000000002 RSI: 0000000020000300 RDI: 0000000000000007
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000008800000 R11: 0000000000000246 R12: 00000000000f4240
R13: 00007ffc50f67188 R14: 0000000000000001 R15: 00007ffc50f66f50
</TASK>
BUG: Bad page map in process syz-executor332 pte:fffff8ce8d120 pmd:79462067
page:ffffea0001cc5c80 refcount:9 mapcount:-1 mapping:ffff8880774b1b50 index:0x2 pfn:0x73172
head:ffffea0001cc5c00 order:2 entire_mapcount:0 nr_pages_mapped:8388606 pincount:0
memcg:ffff888015e5a000
aops:xfs_address_space_operations ino:244a dentry name:"bus"
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000000 ffffea0001cc5c01 ffffea0001cc5c90 ffffea0001cc5c90
raw: 0000000000000001 0000000000000000 00000000fffffffe 0000000000000000
head: 00fff0000000816c ffffea00007c9948 ffff888013245030 ffff8880774b1b50
head: 0000000000000000 ffff888027450e00 00000009ffffffff ffff888015e5a000
page dumped because: bad pte
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Movable, gfp_mask 0x152c4a(GFP_NOFS|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 5036, tgid 5036 (syz-executor332), ts 61415422939, free_ts 21789914922
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
prep_new_page mm/page_alloc.c:1543 [inline]
get_page_from_freelist+0x31ec/0x3370 mm/page_alloc.c:3183
__alloc_pages+0x255/0x670 mm/page_alloc.c:4439
folio_alloc+0x1e/0x60 mm/mempolicy.c:2308
filemap_alloc_folio+0xde/0x500 mm/filemap.c:979
ra_alloc_folio mm/readahead.c:468 [inline]
page_cache_ra_order+0x423/0xcc0 mm/readahead.c:524
do_sync_mmap_readahead+0x444/0x850
filemap_fault+0x7d3/0x1710 mm/filemap.c:3294
__xfs_filemap_fault+0x286/0x960 fs/xfs/xfs_file.c:1354
__do_fault+0x133/0x4e0 mm/memory.c:4204
do_read_fault mm/memory.c:4568 [inline]
do_fault mm/memory.c:4705 [inline]
do_pte_missing mm/memory.c:3669 [inline]
handle_pte_fault mm/memory.c:4978 [inline]
__handle_mm_fault mm/memory.c:5119 [inline]
handle_mm_fault+0x48d2/0x6200 mm/memory.c:5284
faultin_page mm/gup.c:956 [inline]
__get_user_pages+0x6bd/0x15e0 mm/gup.c:1239
__get_user_pages_locked mm/gup.c:1504 [inline]
get_dump_page+0x146/0x2b0 mm/gup.c:2018
dump_user_range+0x126/0x910 fs/coredump.c:913
elf_core_dump+0x3b75/0x4490 fs/binfmt_elf.c:2142
do_coredump+0x1b73/0x2ab0 fs/coredump.c:764
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1136 [inline]
free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
free_contig_range+0x9e/0x150 mm/page_alloc.c:6355
destroy_args+0x95/0x7c0 mm/debug_vm_pgtable.c:1028
debug_vm_pgtable+0x4ac/0x540 mm/debug_vm_pgtable.c:1408
do_one_initcall+0x23d/0x7d0 init/main.c:1232
do_initcall_level+0x157/0x210 init/main.c:1294
do_initcalls+0x3f/0x80 init/main.c:1310
kernel_init_freeable+0x440/0x5d0 init/main.c:1547
kernel_init+0x1d/0x2a0 init/main.c:1437
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
addr:0000000020007000 vm_flags:080000d0 anon_vma:0000000000000000 mapping:ffff8880774b1b50 index:6
file:bus fault:xfs_filemap_fault mmap:xfs_file_mmap read_folio:xfs_vm_read_folio
CPU: 0 PID: 5036 Comm: syz-executor332 Tainted: G B 6.5.0-syzkaller-11704-g3f86ed6ec0b3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
print_bad_pte+0x581/0x5c0 mm/memory.c:535
zap_pte_range mm/memory.c:1458 [inline]
zap_pmd_range mm/memory.c:1573 [inline]
zap_pud_range mm/memory.c:1602 [inline]
zap_p4d_range mm/memory.c:1623 [inline]
unmap_page_range+0x1a76/0x3300 mm/memory.c:1644
unmap_vmas+0x209/0x3a0 mm/memory.c:1731
exit_mmap+0x297/0xc50 mm/mmap.c:3210
__mmput+0x115/0x3c0 kernel/fork.c:1349
exit_mm+0x21f/0x300 kernel/exit.c:567
do_exit+0x612/0x2290 kernel/exit.c:861
do_group_exit+0x206/0x2c0 kernel/exit.c:1024
get_signal+0x175d/0x1840 kernel/signal.c:2892
arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:309
exit_to_user_mode_loop+0x6a/0x100 kernel/entry/common.c:168
exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:204
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x64/0x280 kernel/entry/common.c:296
do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7ff93b1d0eb9
Code: Unable to access opcode bytes at 0x7ff93b1d0e8f.
RSP: 002b:00007ffc50f66f08 EFLAGS: 00000246 ORIG_RAX: 0000000000000148
RAX: ffffffffffffffe5 RBX: 0000000000000003 RCX: 00007ff93b1d0eb9
RDX: 0000000000000002 RSI: 0000000020000300 RDI: 0000000000000007
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000008800000 R11: 0000000000000246 R12: 00000000000f4240
R13: 00007ffc50f67188 R14: 0000000000000001 R15: 00007ffc50f66f50
</TASK>
BUG: Bad page map in process syz-executor332 pte:fffff8ce8e120 pmd:79462067
page:ffffea0001cc5c40 refcount:9 mapcount:-1 mapping:ffff8880774b1b50 index:0x1 pfn:0x73171
head:ffffea0001cc5c00 order:2 entire_mapcount:0 nr_pages_mapped:8388605 pincount:0
memcg:ffff888015e5a000
aops:xfs_address_space_operations ino:244a dentry name:"bus"
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000202 ffffea0001cc5c01 dead000000000122 fffffffdffffffff
raw: 0000000400000000 0000000000000000 00000000fffffffe 0000000000000000
head: 00fff0000000816c ffffea00007c9948 ffff888013245030 ffff8880774b1b50
head: 0000000000000000 ffff888027450e00 00000009ffffffff ffff888015e5a000
page dumped because: bad pte
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Movable, gfp_mask 0x152c4a(GFP_NOFS|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 5036, tgid 5036 (syz-executor332), ts 61415422939, free_ts 21789904946
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
prep_new_page mm/page_alloc.c:1543 [inline]
get_page_from_freelist+0x31ec/0x3370 mm/page_alloc.c:3183
__alloc_pages+0x255/0x670 mm/page_alloc.c:4439
folio_alloc+0x1e/0x60 mm/mempolicy.c:2308
filemap_alloc_folio+0xde/0x500 mm/filemap.c:979
ra_alloc_folio mm/readahead.c:468 [inline]
page_cache_ra_order+0x423/0xcc0 mm/readahead.c:524
do_sync_mmap_readahead+0x444/0x850
filemap_fault+0x7d3/0x1710 mm/filemap.c:3294
__xfs_filemap_fault+0x286/0x960 fs/xfs/xfs_file.c:1354
__do_fault+0x133/0x4e0 mm/memory.c:4204
do_read_fault mm/memory.c:4568 [inline]
do_fault mm/memory.c:4705 [inline]
do_pte_missing mm/memory.c:3669 [inline]
handle_pte_fault mm/memory.c:4978 [inline]
__handle_mm_fault mm/memory.c:5119 [inline]
handle_mm_fault+0x48d2/0x6200 mm/memory.c:5284
faultin_page mm/gup.c:956 [inline]
__get_user_pages+0x6bd/0x15e0 mm/gup.c:1239
__get_user_pages_locked mm/gup.c:1504 [inline]
get_dump_page+0x146/0x2b0 mm/gup.c:2018
dump_user_range+0x126/0x910 fs/coredump.c:913
elf_core_dump+0x3b75/0x4490 fs/binfmt_elf.c:2142
do_coredump+0x1b73/0x2ab0 fs/coredump.c:764
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1136 [inline]
free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
free_contig_range+0x9e/0x150 mm/page_alloc.c:6355
destroy_args+0x95/0x7c0 mm/debug_vm_pgtable.c:1028
debug_vm_pgtable+0x4ac/0x540 mm/debug_vm_pgtable.c:1408
do_one_initcall+0x23d/0x7d0 init/main.c:1232
do_initcall_level+0x157/0x210 init/main.c:1294
do_initcalls+0x3f/0x80 init/main.c:1310
kernel_init_freeable+0x440/0x5d0 init/main.c:1547
kernel_init+0x1d/0x2a0 init/main.c:1437
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
addr:0000000020008000 vm_flags:080000d0 anon_vma:0000000000000000 mapping:ffff8880774b1b50 index:7
file:bus fault:xfs_filemap_fault mmap:xfs_file_mmap read_folio:xfs_vm_read_folio
CPU: 1 PID: 5036 Comm: syz-executor332 Tainted: G B 6.5.0-syzkaller-11704-g3f86ed6ec0b3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
print_bad_pte+0x581/0x5c0 mm/memory.c:535
zap_pte_range mm/memory.c:1458 [inline]
zap_pmd_range mm/memory.c:1573 [inline]
zap_pud_range mm/memory.c:1602 [inline]
zap_p4d_range mm/memory.c:1623 [inline]
unmap_page_range+0x1a76/0x3300 mm/memory.c:1644
unmap_vmas+0x209/0x3a0 mm/memory.c:1731
exit_mmap+0x297/0xc50 mm/mmap.c:3210
__mmput+0x115/0x3c0 kernel/fork.c:1349
exit_mm+0x21f/0x300 kernel/exit.c:567
do_exit+0x612/0x2290 kernel/exit.c:861
do_group_exit+0x206/0x2c0 kernel/exit.c:1024
get_signal+0x175d/0x1840 kernel/signal.c:2892
arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:309
exit_to_user_mode_loop+0x6a/0x100 kernel/entry/common.c:168
exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:204
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x64/0x280 kernel/entry/common.c:296
do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7ff93b1d0eb9
Code: Unable to access opcode bytes at 0x7ff93b1d0e8f.
RSP: 002b:00007ffc50f66f08 EFLAGS: 00000246 ORIG_RAX: 0000000000000148
RAX: ffffffffffffffe5 RBX: 0000000000000003 RCX: 00007ff93b1d0eb9
RDX: 0000000000000002 RSI: 0000000020000300 RDI: 0000000000000007
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000008800000 R11: 0000000000000246 R12: 00000000000f4240
R13: 00007ffc50f67188 R14: 0000000000000001 R15: 00007ffc50f66f50
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 3f86ed6ec0b3 Merge tag 'arc-6.6-rc1' of git://git.kernel.o..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=142a0e00680000
kernel config: https://syzkaller.appspot.com/x/.config?x=ff0db7a15ba54ead
dashboard link: https://syzkaller.appspot.com/bug?extid=55cc72f8cc3a549119df
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17ff1fa8680000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1445ba2fa80000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/15ea526c030f/disk-3f86ed6e.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/e8f0baca67e5/vmlinux-3f86ed6e.xz
kernel image: https://storage.googleapis.com/syzbot-assets/e39fafbb687d/bzImage-3f86ed6e.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/f82bb81a1d50/mount_0.gz
The issue was bisected to:
commit 617c28ecab22d98a3809370eb6cb50fa24b7bfe1
Author: Yin Fengwei <fengw...@intel.com>
Date: Wed Aug 2 15:14:05 2023 +0000
filemap: batch PTE mappings
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=13c37c58680000
final oops: https://syzkaller.appspot.com/x/report.txt?x=10237c58680000
console output: https://syzkaller.appspot.com/x/log.txt?x=17c37c58680000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+55cc72...@syzkaller.appspotmail.com
Fixes: 617c28ecab22 ("filemap: batch PTE mappings")
BUG: Bad page map in process syz-executor332 pte:fffff8ce8c120 pmd:79462067
page:ffffea0001cc5cc0 refcount:9 mapcount:-1 mapping:ffff8880774b1b50 index:0x3 pfn:0x73173
head:ffffea0001cc5c00 order:2 entire_mapcount:0 nr_pages_mapped:8388607 pincount:0
memcg:ffff888015e5a000
aops:xfs_address_space_operations ino:244a dentry name:"bus"
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000000 ffffea0001cc5c01 dead000000000122 dead000000000400
raw: 0000000000000001 0000000000000000 00000000fffffffe 0000000000000000
head: 00fff0000000816c ffffea00007c9948 ffff888013245030 ffff8880774b1b50
head: 0000000000000000 ffff888027450e00 00000009ffffffff ffff888015e5a000
page dumped because: bad pte
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Movable, gfp_mask 0x152c4a(GFP_NOFS|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 5036, tgid 5036 (syz-executor332), ts 61415422939, free_ts 21789924659
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
prep_new_page mm/page_alloc.c:1543 [inline]
get_page_from_freelist+0x31ec/0x3370 mm/page_alloc.c:3183
__alloc_pages+0x255/0x670 mm/page_alloc.c:4439
folio_alloc+0x1e/0x60 mm/mempolicy.c:2308
filemap_alloc_folio+0xde/0x500 mm/filemap.c:979
ra_alloc_folio mm/readahead.c:468 [inline]
page_cache_ra_order+0x423/0xcc0 mm/readahead.c:524
do_sync_mmap_readahead+0x444/0x850
filemap_fault+0x7d3/0x1710 mm/filemap.c:3294
__xfs_filemap_fault+0x286/0x960 fs/xfs/xfs_file.c:1354
__do_fault+0x133/0x4e0 mm/memory.c:4204
do_read_fault mm/memory.c:4568 [inline]
do_fault mm/memory.c:4705 [inline]
do_pte_missing mm/memory.c:3669 [inline]
handle_pte_fault mm/memory.c:4978 [inline]
__handle_mm_fault mm/memory.c:5119 [inline]
handle_mm_fault+0x48d2/0x6200 mm/memory.c:5284
faultin_page mm/gup.c:956 [inline]
__get_user_pages+0x6bd/0x15e0 mm/gup.c:1239
__get_user_pages_locked mm/gup.c:1504 [inline]
get_dump_page+0x146/0x2b0 mm/gup.c:2018
dump_user_range+0x126/0x910 fs/coredump.c:913
elf_core_dump+0x3b75/0x4490 fs/binfmt_elf.c:2142
do_coredump+0x1b73/0x2ab0 fs/coredump.c:764
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1136 [inline]
free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
free_contig_range+0x9e/0x150 mm/page_alloc.c:6355
destroy_args+0x95/0x7c0 mm/debug_vm_pgtable.c:1028
debug_vm_pgtable+0x4ac/0x540 mm/debug_vm_pgtable.c:1408
do_one_initcall+0x23d/0x7d0 init/main.c:1232
do_initcall_level+0x157/0x210 init/main.c:1294
do_initcalls+0x3f/0x80 init/main.c:1310
kernel_init_freeable+0x440/0x5d0 init/main.c:1547
kernel_init+0x1d/0x2a0 init/main.c:1437
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
addr:0000000020006000 vm_flags:080000d0 anon_vma:0000000000000000 mapping:ffff8880774b1b50 index:5
file:bus fault:xfs_filemap_fault mmap:xfs_file_mmap read_folio:xfs_vm_read_folio
CPU: 1 PID: 5036 Comm: syz-executor332 Not tainted 6.5.0-syzkaller-11704-g3f86ed6ec0b3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
print_bad_pte+0x581/0x5c0 mm/memory.c:535
zap_pte_range mm/memory.c:1458 [inline]
zap_pmd_range mm/memory.c:1573 [inline]
zap_pud_range mm/memory.c:1602 [inline]
zap_p4d_range mm/memory.c:1623 [inline]
unmap_page_range+0x1a76/0x3300 mm/memory.c:1644
unmap_vmas+0x209/0x3a0 mm/memory.c:1731
exit_mmap+0x297/0xc50 mm/mmap.c:3210
__mmput+0x115/0x3c0 kernel/fork.c:1349
exit_mm+0x21f/0x300 kernel/exit.c:567
do_exit+0x612/0x2290 kernel/exit.c:861
do_group_exit+0x206/0x2c0 kernel/exit.c:1024
get_signal+0x175d/0x1840 kernel/signal.c:2892
arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:309
exit_to_user_mode_loop+0x6a/0x100 kernel/entry/common.c:168
exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:204
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x64/0x280 kernel/entry/common.c:296
do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7ff93b1d0eb9
Code: Unable to access opcode bytes at 0x7ff93b1d0e8f.
RSP: 002b:00007ffc50f66f08 EFLAGS: 00000246 ORIG_RAX: 0000000000000148
RAX: ffffffffffffffe5 RBX: 0000000000000003 RCX: 00007ff93b1d0eb9
RDX: 0000000000000002 RSI: 0000000020000300 RDI: 0000000000000007
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000008800000 R11: 0000000000000246 R12: 00000000000f4240
R13: 00007ffc50f67188 R14: 0000000000000001 R15: 00007ffc50f66f50
</TASK>
BUG: Bad page map in process syz-executor332 pte:fffff8ce8d120 pmd:79462067
page:ffffea0001cc5c80 refcount:9 mapcount:-1 mapping:ffff8880774b1b50 index:0x2 pfn:0x73172
head:ffffea0001cc5c00 order:2 entire_mapcount:0 nr_pages_mapped:8388606 pincount:0
memcg:ffff888015e5a000
aops:xfs_address_space_operations ino:244a dentry name:"bus"
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000000 ffffea0001cc5c01 ffffea0001cc5c90 ffffea0001cc5c90
raw: 0000000000000001 0000000000000000 00000000fffffffe 0000000000000000
head: 00fff0000000816c ffffea00007c9948 ffff888013245030 ffff8880774b1b50
head: 0000000000000000 ffff888027450e00 00000009ffffffff ffff888015e5a000
page dumped because: bad pte
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Movable, gfp_mask 0x152c4a(GFP_NOFS|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 5036, tgid 5036 (syz-executor332), ts 61415422939, free_ts 21789914922
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
prep_new_page mm/page_alloc.c:1543 [inline]
get_page_from_freelist+0x31ec/0x3370 mm/page_alloc.c:3183
__alloc_pages+0x255/0x670 mm/page_alloc.c:4439
folio_alloc+0x1e/0x60 mm/mempolicy.c:2308
filemap_alloc_folio+0xde/0x500 mm/filemap.c:979
ra_alloc_folio mm/readahead.c:468 [inline]
page_cache_ra_order+0x423/0xcc0 mm/readahead.c:524
do_sync_mmap_readahead+0x444/0x850
filemap_fault+0x7d3/0x1710 mm/filemap.c:3294
__xfs_filemap_fault+0x286/0x960 fs/xfs/xfs_file.c:1354
__do_fault+0x133/0x4e0 mm/memory.c:4204
do_read_fault mm/memory.c:4568 [inline]
do_fault mm/memory.c:4705 [inline]
do_pte_missing mm/memory.c:3669 [inline]
handle_pte_fault mm/memory.c:4978 [inline]
__handle_mm_fault mm/memory.c:5119 [inline]
handle_mm_fault+0x48d2/0x6200 mm/memory.c:5284
faultin_page mm/gup.c:956 [inline]
__get_user_pages+0x6bd/0x15e0 mm/gup.c:1239
__get_user_pages_locked mm/gup.c:1504 [inline]
get_dump_page+0x146/0x2b0 mm/gup.c:2018
dump_user_range+0x126/0x910 fs/coredump.c:913
elf_core_dump+0x3b75/0x4490 fs/binfmt_elf.c:2142
do_coredump+0x1b73/0x2ab0 fs/coredump.c:764
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1136 [inline]
free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
free_contig_range+0x9e/0x150 mm/page_alloc.c:6355
destroy_args+0x95/0x7c0 mm/debug_vm_pgtable.c:1028
debug_vm_pgtable+0x4ac/0x540 mm/debug_vm_pgtable.c:1408
do_one_initcall+0x23d/0x7d0 init/main.c:1232
do_initcall_level+0x157/0x210 init/main.c:1294
do_initcalls+0x3f/0x80 init/main.c:1310
kernel_init_freeable+0x440/0x5d0 init/main.c:1547
kernel_init+0x1d/0x2a0 init/main.c:1437
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
addr:0000000020007000 vm_flags:080000d0 anon_vma:0000000000000000 mapping:ffff8880774b1b50 index:6
file:bus fault:xfs_filemap_fault mmap:xfs_file_mmap read_folio:xfs_vm_read_folio
CPU: 0 PID: 5036 Comm: syz-executor332 Tainted: G B 6.5.0-syzkaller-11704-g3f86ed6ec0b3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
print_bad_pte+0x581/0x5c0 mm/memory.c:535
zap_pte_range mm/memory.c:1458 [inline]
zap_pmd_range mm/memory.c:1573 [inline]
zap_pud_range mm/memory.c:1602 [inline]
zap_p4d_range mm/memory.c:1623 [inline]
unmap_page_range+0x1a76/0x3300 mm/memory.c:1644
unmap_vmas+0x209/0x3a0 mm/memory.c:1731
exit_mmap+0x297/0xc50 mm/mmap.c:3210
__mmput+0x115/0x3c0 kernel/fork.c:1349
exit_mm+0x21f/0x300 kernel/exit.c:567
do_exit+0x612/0x2290 kernel/exit.c:861
do_group_exit+0x206/0x2c0 kernel/exit.c:1024
get_signal+0x175d/0x1840 kernel/signal.c:2892
arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:309
exit_to_user_mode_loop+0x6a/0x100 kernel/entry/common.c:168
exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:204
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x64/0x280 kernel/entry/common.c:296
do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7ff93b1d0eb9
Code: Unable to access opcode bytes at 0x7ff93b1d0e8f.
RSP: 002b:00007ffc50f66f08 EFLAGS: 00000246 ORIG_RAX: 0000000000000148
RAX: ffffffffffffffe5 RBX: 0000000000000003 RCX: 00007ff93b1d0eb9
RDX: 0000000000000002 RSI: 0000000020000300 RDI: 0000000000000007
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000008800000 R11: 0000000000000246 R12: 00000000000f4240
R13: 00007ffc50f67188 R14: 0000000000000001 R15: 00007ffc50f66f50
</TASK>
BUG: Bad page map in process syz-executor332 pte:fffff8ce8e120 pmd:79462067
page:ffffea0001cc5c40 refcount:9 mapcount:-1 mapping:ffff8880774b1b50 index:0x1 pfn:0x73171
head:ffffea0001cc5c00 order:2 entire_mapcount:0 nr_pages_mapped:8388605 pincount:0
memcg:ffff888015e5a000
aops:xfs_address_space_operations ino:244a dentry name:"bus"
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000202 ffffea0001cc5c01 dead000000000122 fffffffdffffffff
raw: 0000000400000000 0000000000000000 00000000fffffffe 0000000000000000
head: 00fff0000000816c ffffea00007c9948 ffff888013245030 ffff8880774b1b50
head: 0000000000000000 ffff888027450e00 00000009ffffffff ffff888015e5a000
page dumped because: bad pte
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Movable, gfp_mask 0x152c4a(GFP_NOFS|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 5036, tgid 5036 (syz-executor332), ts 61415422939, free_ts 21789904946
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
prep_new_page mm/page_alloc.c:1543 [inline]
get_page_from_freelist+0x31ec/0x3370 mm/page_alloc.c:3183
__alloc_pages+0x255/0x670 mm/page_alloc.c:4439
folio_alloc+0x1e/0x60 mm/mempolicy.c:2308
filemap_alloc_folio+0xde/0x500 mm/filemap.c:979
ra_alloc_folio mm/readahead.c:468 [inline]
page_cache_ra_order+0x423/0xcc0 mm/readahead.c:524
do_sync_mmap_readahead+0x444/0x850
filemap_fault+0x7d3/0x1710 mm/filemap.c:3294
__xfs_filemap_fault+0x286/0x960 fs/xfs/xfs_file.c:1354
__do_fault+0x133/0x4e0 mm/memory.c:4204
do_read_fault mm/memory.c:4568 [inline]
do_fault mm/memory.c:4705 [inline]
do_pte_missing mm/memory.c:3669 [inline]
handle_pte_fault mm/memory.c:4978 [inline]
__handle_mm_fault mm/memory.c:5119 [inline]
handle_mm_fault+0x48d2/0x6200 mm/memory.c:5284
faultin_page mm/gup.c:956 [inline]
__get_user_pages+0x6bd/0x15e0 mm/gup.c:1239
__get_user_pages_locked mm/gup.c:1504 [inline]
get_dump_page+0x146/0x2b0 mm/gup.c:2018
dump_user_range+0x126/0x910 fs/coredump.c:913
elf_core_dump+0x3b75/0x4490 fs/binfmt_elf.c:2142
do_coredump+0x1b73/0x2ab0 fs/coredump.c:764
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1136 [inline]
free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
free_contig_range+0x9e/0x150 mm/page_alloc.c:6355
destroy_args+0x95/0x7c0 mm/debug_vm_pgtable.c:1028
debug_vm_pgtable+0x4ac/0x540 mm/debug_vm_pgtable.c:1408
do_one_initcall+0x23d/0x7d0 init/main.c:1232
do_initcall_level+0x157/0x210 init/main.c:1294
do_initcalls+0x3f/0x80 init/main.c:1310
kernel_init_freeable+0x440/0x5d0 init/main.c:1547
kernel_init+0x1d/0x2a0 init/main.c:1437
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
addr:0000000020008000 vm_flags:080000d0 anon_vma:0000000000000000 mapping:ffff8880774b1b50 index:7
file:bus fault:xfs_filemap_fault mmap:xfs_file_mmap read_folio:xfs_vm_read_folio
CPU: 1 PID: 5036 Comm: syz-executor332 Tainted: G B 6.5.0-syzkaller-11704-g3f86ed6ec0b3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
print_bad_pte+0x581/0x5c0 mm/memory.c:535
zap_pte_range mm/memory.c:1458 [inline]
zap_pmd_range mm/memory.c:1573 [inline]
zap_pud_range mm/memory.c:1602 [inline]
zap_p4d_range mm/memory.c:1623 [inline]
unmap_page_range+0x1a76/0x3300 mm/memory.c:1644
unmap_vmas+0x209/0x3a0 mm/memory.c:1731
exit_mmap+0x297/0xc50 mm/mmap.c:3210
__mmput+0x115/0x3c0 kernel/fork.c:1349
exit_mm+0x21f/0x300 kernel/exit.c:567
do_exit+0x612/0x2290 kernel/exit.c:861
do_group_exit+0x206/0x2c0 kernel/exit.c:1024
get_signal+0x175d/0x1840 kernel/signal.c:2892
arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:309
exit_to_user_mode_loop+0x6a/0x100 kernel/entry/common.c:168
exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:204
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x64/0x280 kernel/entry/common.c:296
do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7ff93b1d0eb9
Code: Unable to access opcode bytes at 0x7ff93b1d0e8f.
RSP: 002b:00007ffc50f66f08 EFLAGS: 00000246 ORIG_RAX: 0000000000000148
RAX: ffffffffffffffe5 RBX: 0000000000000003 RCX: 00007ff93b1d0eb9
RDX: 0000000000000002 RSI: 0000000020000300 RDI: 0000000000000007
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000008800000 R11: 0000000000000246 R12: 00000000000f4240
R13: 00007ffc50f67188 R14: 0000000000000001 R15: 00007ffc50f66f50
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
Hillf Danton
Sep 9, 2023, 9:26:11 PM9/9/23
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Sat, 09 Sep 2023 10:12:48 -0700
Update nr_pages with count.
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
--- x/mm/filemap.c
+++ y/mm/filemap.c
@@ -3514,8 +3514,9 @@ skip:
page += count;
vmf->pte += count;
addr += count * PAGE_SIZE;
+ nr_pages -= count;
count = 0;
- } while (--nr_pages > 0);
+ } while (nr_pages > 0);
if (count) {
set_pte_range(vmf, folio, page, count, addr);
--
> HEAD commit: 3f86ed6ec0b3 Merge tag 'arc-6.6-rc1' of git://git.kernel.o..
> git tree: upstream
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1445ba2fa80000
> git tree: upstream
Update nr_pages with count.
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
--- x/mm/filemap.c
+++ y/mm/filemap.c
@@ -3514,8 +3514,9 @@ skip:
page += count;
vmf->pte += count;
addr += count * PAGE_SIZE;
+ nr_pages -= count;
count = 0;
- } while (--nr_pages > 0);
+ } while (nr_pages > 0);
if (count) {
set_pte_range(vmf, folio, page, count, addr);
--
syzbot
Sep 9, 2023, 9:48:27 PM9/9/23
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
6128][ T1] Bluetooth: CMTP socket layer initialized
[ 11.167105][ T1] Bluetooth: HIDP (Human Interface Emulation) ver 1.2
[ 11.168195][ T1] Bluetooth: HIDP socket layer initialized
[ 11.172202][ T1] NET: Registered PF_RXRPC protocol family
[ 11.173221][ T1] Key type rxrpc registered
[ 11.174103][ T1] Key type rxrpc_s registered
[ 11.175373][ T1] NET: Registered PF_KCM protocol family
[ 11.177012][ T1] lec:lane_module_init: lec.c: initialized
[ 11.178099][ T1] mpoa:atm_mpoa_init: mpc.c: initialized
[ 11.179340][ T1] l2tp_core: L2TP core driver, V2.0
[ 11.180274][ T1] l2tp_ppp: PPPoL2TP kernel driver, V2.0
[ 11.181142][ T1] l2tp_ip: L2TP IP encapsulation support (L2TPv3)
[ 11.182523][ T1] l2tp_netlink: L2TP netlink interface
[ 11.183484][ T1] l2tp_eth: L2TP ethernet pseudowire support (L2TPv3)
[ 11.184413][ T1] l2tp_ip6: L2TP IP encapsulation support for IPv6 (L2TPv3)
[ 11.185606][ T1] NET: Registered PF_PHONET protocol family
[ 11.186593][ T1] 8021q: 802.1Q VLAN Support v1.8
[ 11.200112][ T1] DCCP: Activated CCID 2 (TCP-like)
[ 11.201028][ T1] DCCP: Activated CCID 3 (TCP-Friendly Rate Control)
[ 11.202450][ T1] DCCP is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list
[ 11.204370][ T1] sctp: Hash tables configured (bind 32/56)
[ 11.206695][ T1] NET: Registered PF_RDS protocol family
[ 11.208580][ T1] Registered RDS/infiniband transport
[ 11.209974][ T1] Registered RDS/tcp transport
[ 11.210991][ T1] tipc: Activated (version 2.0.0)
[ 11.211996][ T1] NET: Registered PF_TIPC protocol family
[ 11.213362][ T1] tipc: Started in single node mode
[ 11.215000][ T1] NET: Registered PF_SMC protocol family
[ 11.216427][ T1] 9pnet: Installing 9P2000 support
[ 11.218072][ T1] NET: Registered PF_CAIF protocol family
[ 11.224698][ T1] NET: Registered PF_IEEE802154 protocol family
[ 11.225896][ T1] Key type dns_resolver registered
[ 11.227373][ T1] Key type ceph registered
[ 11.228473][ T1] libceph: loaded (mon/osd proto 15/24)
[ 11.230827][ T1] batman_adv: B.A.T.M.A.N. advanced 2023.3 (compatibility version 15) loaded
[ 11.232604][ T1] openvswitch: Open vSwitch switching datapath
[ 11.235717][ T1] NET: Registered PF_VSOCK protocol family
[ 11.236769][ T1] mpls_gso: MPLS GSO support
[ 11.243298][ T1] start plist test
[ 11.247904][ T1] end plist test
[ 11.253615][ T1] IPI shorthand broadcast: enabled
[ 11.254447][ T1] AVX2 version of gcm_enc/dec engaged.
[ 11.255539][ T1] AES CTR mode by8 optimization enabled
[ 12.602761][ T1] sched_clock: Marking stable (12570027239, 29094014)->(12607351949, -8230696)
[ 12.606252][ T1] registered taskstats version 1
[ 12.616134][ T1] Loading compiled-in X.509 certificates
[ 12.621456][ T1] Loaded X.509 cert 'Build time autogenerated kernel key: 0fcda5d31b9f9e23b67f9531e962fbe56b39254a'
[ 12.627580][ T1] zswap: loaded using pool lzo/zbud
[ 12.790353][ T1] debug_vm_pgtable: [debug_vm_pgtable ]: Validating architecture page table helpers
[ 14.931835][ T1] Key type .fscrypt registered
[ 14.936714][ T1] Key type fscrypt-provisioning registered
[ 14.948499][ T1] kAFS: Red Hat AFS client v0.1 registering.
[ 14.968179][ T1] Btrfs loaded, assert=on, ref-verify=on, zoned=yes, fsverity=yes
[ 14.976514][ T1] Key type big_key registered
[ 14.983726][ T1] Key type encrypted registered
[ 14.988784][ T1] ima: No TPM chip found, activating TPM-bypass!
[ 14.995300][ T1] Loading compiled-in module X.509 certificates
[ 15.004766][ T1] Loaded X.509 cert 'Build time autogenerated kernel key: 0fcda5d31b9f9e23b67f9531e962fbe56b39254a'
[ 15.015603][ T1] ima: Allocated hash algorithm: sha256
[ 15.021319][ T1] ima: No architecture policies found
[ 15.026950][ T1] evm: Initialising EVM extended attributes:
[ 15.032950][ T1] evm: security.selinux (disabled)
[ 15.038150][ T1] evm: security.SMACK64
[ 15.042312][ T1] evm: security.SMACK64EXEC
[ 15.046787][ T1] evm: security.SMACK64TRANSMUTE
[ 15.051729][ T1] evm: security.SMACK64MMAP
[ 15.056388][ T1] evm: security.apparmor (disabled)
[ 15.062008][ T1] evm: security.ima
[ 15.065787][ T1] evm: security.capability
[ 15.072963][ T1] evm: HMAC attrs: 0x1
[ 15.078819][ T1] PM: Magic number: 7:6:660
[ 15.084338][ T1] block ram13: hash matches
[ 15.088945][ T1] tty ptyeb: hash matches
[ 15.095332][ T1] printk: console [netcon0] enabled
[ 15.100612][ T1] netconsole: network logging started
[ 15.106370][ T1] gtp: GTP module loaded (pdp ctx size 104 bytes)
[ 15.113617][ T1] rdma_rxe: loaded
[ 15.118018][ T1] cfg80211: Loading compiled-in X.509 certificates for regulatory database
[ 15.128407][ T1] Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7'
[ 15.135560][ T27] platform regulatory.0: Direct firmware load for regulatory.db failed with error -2
[ 15.139271][ T1] clk: Disabling unused clocks
[ 15.146516][ T27] platform regulatory.0: Falling back to sysfs fallback for: regulatory.db
[ 15.149815][ T1] ALSA device list:
[ 15.149823][ T1] #0: Dummy 1
[ 15.165921][ T1] #1: Loopback 1
[ 15.169835][ T1] #2: Virtual MIDI Card 1
[ 15.176161][ T1] md: Waiting for all devices to be available before autodetect
[ 15.184171][ T1] md: If you don't use raid, use raid=noautodetect
[ 15.190736][ T1] md: Autodetecting RAID arrays.
[ 15.195704][ T1] md: autorun ...
[ 15.199351][ T1] md: ... autorun DONE.
[ 15.221012][ T1] EXT4-fs (sda1): mounted filesystem 5941fea2-f5fa-4b4e-b5ef-9af118b27b95 ro with ordered data mode. Quota mode: none.
[ 15.233646][ T1] VFS: Mounted root (ext4 filesystem) readonly on device 8:1.
[ 15.242842][ T1] devtmpfs: mounted
[ 15.334482][ T1] Freeing unused kernel image (initmem) memory: 2888K
[ 15.341305][ T1] Write protecting the kernel read-only data: 196608k
[ 15.351574][ T1] Freeing unused kernel image (rodata/data gap) memory: 1744K
[ 15.456635][ T1] x86/mm: Checked W+X mappings: passed, no W+X pages found.
[ 15.470328][ T1] Failed to set sysctl parameter 'max_rcu_stall_to_panic=1': parameter not found
[ 15.480231][ T1] Run /sbin/init as init process
[ 15.485161][ T1] with arguments:
[ 15.488944][ T1] /sbin/init
[ 15.492542][ T1] with environment:
[ 15.496505][ T1] HOME=/
[ 15.499813][ T1] TERM=linux
[ 15.503335][ T1] spec_store_bypass_disable=prctl
[ 15.508699][ T1] BOOT_IMAGE=/boot/bzImage
[ 15.527423][ T1] ------------[ cut here ]------------
[ 15.533025][ T1] kernel BUG at mm/page_table_check.c:121!
[ 15.538936][ T1] invalid opcode: 0000 [#1] PREEMPT SMP KASAN
[ 15.544990][ T1] CPU: 1 PID: 1 Comm: init Not tainted 6.5.0-syzkaller-12921-ga3c57ab79a06-dirty #0
[ 15.554359][ T1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
[ 15.564598][ T1] RIP: 0010:page_table_check_set+0x592/0x860
[ 15.570694][ T1] Code: ff e8 22 c9 9a ff 48 ff cb e9 5d fd ff ff e8 15 c9 9a ff 48 ff cb 49 89 df e9 dd fd ff ff e8 05 c9 9a ff 0f 0b e8 fe c8 9a ff <0f> 0b e8 f7 c8 9a ff 0f 0b e8 f0 c8 9a ff 0f 0b e8 e9 c8 9a ff 0f
[ 15.590306][ T1] RSP: 0000:ffffc90000067738 EFLAGS: 00010293
[ 15.596503][ T1] RAX: ffffffff81f2ddf2 RBX: ffff88801aa3cec0 RCX: ffff888015e60000
[ 15.604482][ T1] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
[ 15.612475][ T1] RBP: 0000000000000001 R08: ffffffff81f2dc65 R09: 1ffff110035479d8
[ 15.620471][ T1] R10: dffffc0000000000 R11: ffffed10035479d9 R12: ffff88801aa3ce80
[ 15.628441][ T1] R13: 0000000000000020 R14: 1ffffffff23ec5fc R15: 0000000000000000
[ 15.636433][ T1] FS: 0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
[ 15.645376][ T1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 15.651953][ T1] CR2: 00007fade5d58d20 CR3: 000000001b89b000 CR4: 00000000003506e0
[ 15.659929][ T1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 15.667892][ T1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 15.675879][ T1] Call Trace:
[ 15.679152][ T1] <TASK>
[ 15.682078][ T1] ? __die_body+0x8b/0xe0
[ 15.686493][ T1] ? die+0xa1/0xd0
[ 15.690250][ T1] ? do_trap+0x153/0x380
[ 15.694486][ T1] ? page_table_check_set+0x592/0x860
[ 15.699880][ T1] ? do_error_trap+0x1dc/0x2c0
[ 15.704670][ T1] ? page_table_check_set+0x592/0x860
[ 15.710059][ T1] ? do_int3+0x50/0x50
[ 15.714134][ T1] ? handle_invalid_op+0x34/0x40
[ 15.719095][ T1] ? page_table_check_set+0x592/0x860
[ 15.724474][ T1] ? exc_invalid_op+0x33/0x50
[ 15.729226][ T1] ? asm_exc_invalid_op+0x1a/0x20
[ 15.734259][ T1] ? page_table_check_set+0x405/0x860
[ 15.739663][ T1] ? page_table_check_set+0x592/0x860
[ 15.745064][ T1] ? page_table_check_set+0x592/0x860
[ 15.750435][ T1] ? page_table_check_set+0x592/0x860
[ 15.755814][ T1] __page_table_check_ptes_set+0x220/0x280
[ 15.761624][ T1] ? __page_table_check_pud_clear+0xb0/0xb0
[ 15.767533][ T1] ? folio_add_file_rmap_range+0x55e/0x840
[ 15.773354][ T1] set_pte_range+0x8fa/0x920
[ 15.777936][ T1] ? xas_find+0x339/0xaa0
[ 15.782274][ T1] ? mm_counter_file+0x2c0/0x2c0
[ 15.787206][ T1] ? next_uptodate_folio+0xa5d/0xb10
[ 15.792473][ T1] filemap_map_pages+0xc23/0x1560
[ 15.797501][ T1] ? filemap_read_folio+0x770/0x770
[ 15.802683][ T1] ? __lock_acquire+0x7f70/0x7f70
[ 15.807696][ T1] ? pte_offset_map_nolock+0x137/0x1e0
[ 15.813228][ T1] ? kasan_save_stack+0x4f/0x60
[ 15.818073][ T1] ? __kasan_record_aux_stack+0xad/0xc0
[ 15.823601][ T1] ? call_rcu+0x167/0xa70
[ 15.827909][ T1] ? task_work_run+0x24a/0x300
[ 15.832656][ T1] ? exit_to_user_mode_prepare+0xb1/0x140
[ 15.838445][ T1] ? filemap_read_folio+0x770/0x770
[ 15.843648][ T1] handle_mm_fault+0x47dd/0x6200
[ 15.848599][ T1] ? numa_migrate_prep+0x380/0x380
[ 15.853694][ T1] ? rcu_is_watching+0x15/0xb0
[ 15.858436][ T1] ? rcu_is_watching+0x15/0xb0
[ 15.863180][ T1] ? lock_release+0xbf/0x9d0
[ 15.867781][ T1] ? mtree_range_walk+0x6a0/0x7e0
[ 15.872813][ T1] ? __lock_acquire+0x7f70/0x7f70
[ 15.877831][ T1] ? lock_vma_under_rcu+0x2cf/0x6c0
[ 15.883024][ T1] ? __init_rwsem+0x160/0x160
[ 15.887692][ T1] ? mas_walk+0x224/0x260
[ 15.892006][ T1] ? lock_vma_under_rcu+0x5ab/0x6c0
[ 15.897207][ T1] ? rcu_is_watching+0x15/0xb0
[ 15.901978][ T1] exc_page_fault+0x455/0x860
[ 15.906664][ T1] asm_exc_page_fault+0x26/0x30
[ 15.911500][ T1] RIP: 0033:0x7fade5d58d20
[ 15.915921][ T1] Code: Unable to access opcode bytes at 0x7fade5d58cf6.
[ 15.922916][ T1] RSP: 002b:00007fffac073220 EFLAGS: 00010202
[ 15.928965][ T1] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ 15.936940][ T1] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 15.944904][ T1] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 15.952888][ T1] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 15.960847][ T1] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 15.968987][ T1] </TASK>
[ 15.972178][ T1] Modules linked in:
[ 15.976221][ T1] ---[ end trace 0000000000000000 ]---
[ 15.981728][ T1] RIP: 0010:page_table_check_set+0x592/0x860
[ 15.987742][ T1] Code: ff e8 22 c9 9a ff 48 ff cb e9 5d fd ff ff e8 15 c9 9a ff 48 ff cb 49 89 df e9 dd fd ff ff e8 05 c9 9a ff 0f 0b e8 fe c8 9a ff <0f> 0b e8 f7 c8 9a ff 0f 0b e8 f0 c8 9a ff 0f 0b e8 e9 c8 9a ff 0f
[ 16.007555][ T1] RSP: 0000:ffffc90000067738 EFLAGS: 00010293
[ 16.013643][ T1] RAX: ffffffff81f2ddf2 RBX: ffff88801aa3cec0 RCX: ffff888015e60000
[ 16.021641][ T1] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
[ 16.029615][ T1] RBP: 0000000000000001 R08: ffffffff81f2dc65 R09: 1ffff110035479d8
[ 16.037570][ T1] R10: dffffc0000000000 R11: ffffed10035479d9 R12: ffff88801aa3ce80
[ 16.045595][ T1] R13: 0000000000000020 R14: 1ffffffff23ec5fc R15: 0000000000000000
[ 16.053591][ T1] FS: 0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
[ 16.062632][ T1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 16.069231][ T1] CR2: 00007fade5d58cf6 CR3: 000000001b89b000 CR4: 00000000003506e0
[ 16.077285][ T1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 16.085270][ T1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 16.093277][ T1] Kernel panic - not syncing: Fatal exception
[ 16.099524][ T1] Kernel Offset: disabled
[ 16.103871][ T1] Rebooting in 86400 seconds..
syzkaller build log:
go env (err=<nil>)
GO111MODULE="auto"
GOARCH="amd64"
GOBIN=""
GOCACHE="/syzkaller/.cache/go-build"
GOENV="/syzkaller/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/syzkaller/jobs-2/linux/gopath/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/syzkaller/jobs-2/linux/gopath"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.20.1"
GCCGO="gccgo"
GOAMD64="v1"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/syzkaller/jobs-2/linux/gopath/src/github.com/google/syzkaller/go.mod"
GOWORK=""
CGO_CFLAGS="-O2 -g"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-O2 -g"
CGO_FFLAGS="-O2 -g"
CGO_LDFLAGS="-O2 -g"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build283487419=/tmp/go-build -gno-record-gcc-switches"
git status (err=<nil>)
HEAD detached at 8bc9053e8
nothing to commit, working tree clean
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:32: run command via tools/syz-env for best compatibility, see:
Makefile:33: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=8bc9053e88dacf57f5ce550da040d31895eb9626 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20230904-115818'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=8bc9053e88dacf57f5ce550da040d31895eb9626 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20230904-115818'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=8bc9053e88dacf57f5ce550da040d31895eb9626 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20230904-115818'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"8bc9053e88dacf57f5ce550da040d31895eb9626\"
Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=14f77e1c680000
Tested on:
commit: a3c57ab7 iov_iter: Kunit tests for page extraction
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
kernel config: https://syzkaller.appspot.com/x/.config?x=50ac7dadde9e1c0e
syzbot tried to test the proposed patch but the build/boot failed:
6128][ T1] Bluetooth: CMTP socket layer initialized
[ 11.167105][ T1] Bluetooth: HIDP (Human Interface Emulation) ver 1.2
[ 11.168195][ T1] Bluetooth: HIDP socket layer initialized
[ 11.172202][ T1] NET: Registered PF_RXRPC protocol family
[ 11.173221][ T1] Key type rxrpc registered
[ 11.174103][ T1] Key type rxrpc_s registered
[ 11.175373][ T1] NET: Registered PF_KCM protocol family
[ 11.177012][ T1] lec:lane_module_init: lec.c: initialized
[ 11.178099][ T1] mpoa:atm_mpoa_init: mpc.c: initialized
[ 11.179340][ T1] l2tp_core: L2TP core driver, V2.0
[ 11.180274][ T1] l2tp_ppp: PPPoL2TP kernel driver, V2.0
[ 11.181142][ T1] l2tp_ip: L2TP IP encapsulation support (L2TPv3)
[ 11.182523][ T1] l2tp_netlink: L2TP netlink interface
[ 11.183484][ T1] l2tp_eth: L2TP ethernet pseudowire support (L2TPv3)
[ 11.184413][ T1] l2tp_ip6: L2TP IP encapsulation support for IPv6 (L2TPv3)
[ 11.185606][ T1] NET: Registered PF_PHONET protocol family
[ 11.186593][ T1] 8021q: 802.1Q VLAN Support v1.8
[ 11.200112][ T1] DCCP: Activated CCID 2 (TCP-like)
[ 11.201028][ T1] DCCP: Activated CCID 3 (TCP-Friendly Rate Control)
[ 11.202450][ T1] DCCP is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list
[ 11.204370][ T1] sctp: Hash tables configured (bind 32/56)
[ 11.206695][ T1] NET: Registered PF_RDS protocol family
[ 11.208580][ T1] Registered RDS/infiniband transport
[ 11.209974][ T1] Registered RDS/tcp transport
[ 11.210991][ T1] tipc: Activated (version 2.0.0)
[ 11.211996][ T1] NET: Registered PF_TIPC protocol family
[ 11.213362][ T1] tipc: Started in single node mode
[ 11.215000][ T1] NET: Registered PF_SMC protocol family
[ 11.216427][ T1] 9pnet: Installing 9P2000 support
[ 11.218072][ T1] NET: Registered PF_CAIF protocol family
[ 11.224698][ T1] NET: Registered PF_IEEE802154 protocol family
[ 11.225896][ T1] Key type dns_resolver registered
[ 11.227373][ T1] Key type ceph registered
[ 11.228473][ T1] libceph: loaded (mon/osd proto 15/24)
[ 11.230827][ T1] batman_adv: B.A.T.M.A.N. advanced 2023.3 (compatibility version 15) loaded
[ 11.232604][ T1] openvswitch: Open vSwitch switching datapath
[ 11.235717][ T1] NET: Registered PF_VSOCK protocol family
[ 11.236769][ T1] mpls_gso: MPLS GSO support
[ 11.243298][ T1] start plist test
[ 11.247904][ T1] end plist test
[ 11.253615][ T1] IPI shorthand broadcast: enabled
[ 11.254447][ T1] AVX2 version of gcm_enc/dec engaged.
[ 11.255539][ T1] AES CTR mode by8 optimization enabled
[ 12.602761][ T1] sched_clock: Marking stable (12570027239, 29094014)->(12607351949, -8230696)
[ 12.606252][ T1] registered taskstats version 1
[ 12.616134][ T1] Loading compiled-in X.509 certificates
[ 12.621456][ T1] Loaded X.509 cert 'Build time autogenerated kernel key: 0fcda5d31b9f9e23b67f9531e962fbe56b39254a'
[ 12.627580][ T1] zswap: loaded using pool lzo/zbud
[ 12.790353][ T1] debug_vm_pgtable: [debug_vm_pgtable ]: Validating architecture page table helpers
[ 14.931835][ T1] Key type .fscrypt registered
[ 14.936714][ T1] Key type fscrypt-provisioning registered
[ 14.948499][ T1] kAFS: Red Hat AFS client v0.1 registering.
[ 14.968179][ T1] Btrfs loaded, assert=on, ref-verify=on, zoned=yes, fsverity=yes
[ 14.976514][ T1] Key type big_key registered
[ 14.983726][ T1] Key type encrypted registered
[ 14.988784][ T1] ima: No TPM chip found, activating TPM-bypass!
[ 14.995300][ T1] Loading compiled-in module X.509 certificates
[ 15.004766][ T1] Loaded X.509 cert 'Build time autogenerated kernel key: 0fcda5d31b9f9e23b67f9531e962fbe56b39254a'
[ 15.015603][ T1] ima: Allocated hash algorithm: sha256
[ 15.021319][ T1] ima: No architecture policies found
[ 15.026950][ T1] evm: Initialising EVM extended attributes:
[ 15.032950][ T1] evm: security.selinux (disabled)
[ 15.038150][ T1] evm: security.SMACK64
[ 15.042312][ T1] evm: security.SMACK64EXEC
[ 15.046787][ T1] evm: security.SMACK64TRANSMUTE
[ 15.051729][ T1] evm: security.SMACK64MMAP
[ 15.056388][ T1] evm: security.apparmor (disabled)
[ 15.062008][ T1] evm: security.ima
[ 15.065787][ T1] evm: security.capability
[ 15.072963][ T1] evm: HMAC attrs: 0x1
[ 15.078819][ T1] PM: Magic number: 7:6:660
[ 15.084338][ T1] block ram13: hash matches
[ 15.088945][ T1] tty ptyeb: hash matches
[ 15.095332][ T1] printk: console [netcon0] enabled
[ 15.100612][ T1] netconsole: network logging started
[ 15.106370][ T1] gtp: GTP module loaded (pdp ctx size 104 bytes)
[ 15.113617][ T1] rdma_rxe: loaded
[ 15.118018][ T1] cfg80211: Loading compiled-in X.509 certificates for regulatory database
[ 15.128407][ T1] Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7'
[ 15.135560][ T27] platform regulatory.0: Direct firmware load for regulatory.db failed with error -2
[ 15.139271][ T1] clk: Disabling unused clocks
[ 15.146516][ T27] platform regulatory.0: Falling back to sysfs fallback for: regulatory.db
[ 15.149815][ T1] ALSA device list:
[ 15.149823][ T1] #0: Dummy 1
[ 15.165921][ T1] #1: Loopback 1
[ 15.169835][ T1] #2: Virtual MIDI Card 1
[ 15.176161][ T1] md: Waiting for all devices to be available before autodetect
[ 15.184171][ T1] md: If you don't use raid, use raid=noautodetect
[ 15.190736][ T1] md: Autodetecting RAID arrays.
[ 15.195704][ T1] md: autorun ...
[ 15.199351][ T1] md: ... autorun DONE.
[ 15.221012][ T1] EXT4-fs (sda1): mounted filesystem 5941fea2-f5fa-4b4e-b5ef-9af118b27b95 ro with ordered data mode. Quota mode: none.
[ 15.233646][ T1] VFS: Mounted root (ext4 filesystem) readonly on device 8:1.
[ 15.242842][ T1] devtmpfs: mounted
[ 15.334482][ T1] Freeing unused kernel image (initmem) memory: 2888K
[ 15.341305][ T1] Write protecting the kernel read-only data: 196608k
[ 15.351574][ T1] Freeing unused kernel image (rodata/data gap) memory: 1744K
[ 15.456635][ T1] x86/mm: Checked W+X mappings: passed, no W+X pages found.
[ 15.470328][ T1] Failed to set sysctl parameter 'max_rcu_stall_to_panic=1': parameter not found
[ 15.480231][ T1] Run /sbin/init as init process
[ 15.485161][ T1] with arguments:
[ 15.488944][ T1] /sbin/init
[ 15.492542][ T1] with environment:
[ 15.496505][ T1] HOME=/
[ 15.499813][ T1] TERM=linux
[ 15.503335][ T1] spec_store_bypass_disable=prctl
[ 15.508699][ T1] BOOT_IMAGE=/boot/bzImage
[ 15.527423][ T1] ------------[ cut here ]------------
[ 15.533025][ T1] kernel BUG at mm/page_table_check.c:121!
[ 15.538936][ T1] invalid opcode: 0000 [#1] PREEMPT SMP KASAN
[ 15.544990][ T1] CPU: 1 PID: 1 Comm: init Not tainted 6.5.0-syzkaller-12921-ga3c57ab79a06-dirty #0
[ 15.554359][ T1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
[ 15.564598][ T1] RIP: 0010:page_table_check_set+0x592/0x860
[ 15.570694][ T1] Code: ff e8 22 c9 9a ff 48 ff cb e9 5d fd ff ff e8 15 c9 9a ff 48 ff cb 49 89 df e9 dd fd ff ff e8 05 c9 9a ff 0f 0b e8 fe c8 9a ff <0f> 0b e8 f7 c8 9a ff 0f 0b e8 f0 c8 9a ff 0f 0b e8 e9 c8 9a ff 0f
[ 15.590306][ T1] RSP: 0000:ffffc90000067738 EFLAGS: 00010293
[ 15.596503][ T1] RAX: ffffffff81f2ddf2 RBX: ffff88801aa3cec0 RCX: ffff888015e60000
[ 15.604482][ T1] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
[ 15.612475][ T1] RBP: 0000000000000001 R08: ffffffff81f2dc65 R09: 1ffff110035479d8
[ 15.620471][ T1] R10: dffffc0000000000 R11: ffffed10035479d9 R12: ffff88801aa3ce80
[ 15.628441][ T1] R13: 0000000000000020 R14: 1ffffffff23ec5fc R15: 0000000000000000
[ 15.636433][ T1] FS: 0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
[ 15.645376][ T1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 15.651953][ T1] CR2: 00007fade5d58d20 CR3: 000000001b89b000 CR4: 00000000003506e0
[ 15.659929][ T1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 15.667892][ T1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 15.675879][ T1] Call Trace:
[ 15.679152][ T1] <TASK>
[ 15.682078][ T1] ? __die_body+0x8b/0xe0
[ 15.686493][ T1] ? die+0xa1/0xd0
[ 15.690250][ T1] ? do_trap+0x153/0x380
[ 15.694486][ T1] ? page_table_check_set+0x592/0x860
[ 15.699880][ T1] ? do_error_trap+0x1dc/0x2c0
[ 15.704670][ T1] ? page_table_check_set+0x592/0x860
[ 15.710059][ T1] ? do_int3+0x50/0x50
[ 15.714134][ T1] ? handle_invalid_op+0x34/0x40
[ 15.719095][ T1] ? page_table_check_set+0x592/0x860
[ 15.724474][ T1] ? exc_invalid_op+0x33/0x50
[ 15.729226][ T1] ? asm_exc_invalid_op+0x1a/0x20
[ 15.734259][ T1] ? page_table_check_set+0x405/0x860
[ 15.739663][ T1] ? page_table_check_set+0x592/0x860
[ 15.745064][ T1] ? page_table_check_set+0x592/0x860
[ 15.750435][ T1] ? page_table_check_set+0x592/0x860
[ 15.755814][ T1] __page_table_check_ptes_set+0x220/0x280
[ 15.761624][ T1] ? __page_table_check_pud_clear+0xb0/0xb0
[ 15.767533][ T1] ? folio_add_file_rmap_range+0x55e/0x840
[ 15.773354][ T1] set_pte_range+0x8fa/0x920
[ 15.777936][ T1] ? xas_find+0x339/0xaa0
[ 15.782274][ T1] ? mm_counter_file+0x2c0/0x2c0
[ 15.787206][ T1] ? next_uptodate_folio+0xa5d/0xb10
[ 15.792473][ T1] filemap_map_pages+0xc23/0x1560
[ 15.797501][ T1] ? filemap_read_folio+0x770/0x770
[ 15.802683][ T1] ? __lock_acquire+0x7f70/0x7f70
[ 15.807696][ T1] ? pte_offset_map_nolock+0x137/0x1e0
[ 15.813228][ T1] ? kasan_save_stack+0x4f/0x60
[ 15.818073][ T1] ? __kasan_record_aux_stack+0xad/0xc0
[ 15.823601][ T1] ? call_rcu+0x167/0xa70
[ 15.827909][ T1] ? task_work_run+0x24a/0x300
[ 15.832656][ T1] ? exit_to_user_mode_prepare+0xb1/0x140
[ 15.838445][ T1] ? filemap_read_folio+0x770/0x770
[ 15.843648][ T1] handle_mm_fault+0x47dd/0x6200
[ 15.848599][ T1] ? numa_migrate_prep+0x380/0x380
[ 15.853694][ T1] ? rcu_is_watching+0x15/0xb0
[ 15.858436][ T1] ? rcu_is_watching+0x15/0xb0
[ 15.863180][ T1] ? lock_release+0xbf/0x9d0
[ 15.867781][ T1] ? mtree_range_walk+0x6a0/0x7e0
[ 15.872813][ T1] ? __lock_acquire+0x7f70/0x7f70
[ 15.877831][ T1] ? lock_vma_under_rcu+0x2cf/0x6c0
[ 15.883024][ T1] ? __init_rwsem+0x160/0x160
[ 15.887692][ T1] ? mas_walk+0x224/0x260
[ 15.892006][ T1] ? lock_vma_under_rcu+0x5ab/0x6c0
[ 15.897207][ T1] ? rcu_is_watching+0x15/0xb0
[ 15.901978][ T1] exc_page_fault+0x455/0x860
[ 15.906664][ T1] asm_exc_page_fault+0x26/0x30
[ 15.911500][ T1] RIP: 0033:0x7fade5d58d20
[ 15.915921][ T1] Code: Unable to access opcode bytes at 0x7fade5d58cf6.
[ 15.922916][ T1] RSP: 002b:00007fffac073220 EFLAGS: 00010202
[ 15.928965][ T1] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ 15.936940][ T1] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 15.944904][ T1] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 15.952888][ T1] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 15.960847][ T1] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 15.968987][ T1] </TASK>
[ 15.972178][ T1] Modules linked in:
[ 15.976221][ T1] ---[ end trace 0000000000000000 ]---
[ 15.981728][ T1] RIP: 0010:page_table_check_set+0x592/0x860
[ 15.987742][ T1] Code: ff e8 22 c9 9a ff 48 ff cb e9 5d fd ff ff e8 15 c9 9a ff 48 ff cb 49 89 df e9 dd fd ff ff e8 05 c9 9a ff 0f 0b e8 fe c8 9a ff <0f> 0b e8 f7 c8 9a ff 0f 0b e8 f0 c8 9a ff 0f 0b e8 e9 c8 9a ff 0f
[ 16.007555][ T1] RSP: 0000:ffffc90000067738 EFLAGS: 00010293
[ 16.013643][ T1] RAX: ffffffff81f2ddf2 RBX: ffff88801aa3cec0 RCX: ffff888015e60000
[ 16.021641][ T1] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
[ 16.029615][ T1] RBP: 0000000000000001 R08: ffffffff81f2dc65 R09: 1ffff110035479d8
[ 16.037570][ T1] R10: dffffc0000000000 R11: ffffed10035479d9 R12: ffff88801aa3ce80
[ 16.045595][ T1] R13: 0000000000000020 R14: 1ffffffff23ec5fc R15: 0000000000000000
[ 16.053591][ T1] FS: 0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
[ 16.062632][ T1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 16.069231][ T1] CR2: 00007fade5d58cf6 CR3: 000000001b89b000 CR4: 00000000003506e0
[ 16.077285][ T1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 16.085270][ T1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 16.093277][ T1] Kernel panic - not syncing: Fatal exception
[ 16.099524][ T1] Kernel Offset: disabled
[ 16.103871][ T1] Rebooting in 86400 seconds..
syzkaller build log:
go env (err=<nil>)
GO111MODULE="auto"
GOARCH="amd64"
GOBIN=""
GOCACHE="/syzkaller/.cache/go-build"
GOENV="/syzkaller/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/syzkaller/jobs-2/linux/gopath/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/syzkaller/jobs-2/linux/gopath"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.20.1"
GCCGO="gccgo"
GOAMD64="v1"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/syzkaller/jobs-2/linux/gopath/src/github.com/google/syzkaller/go.mod"
GOWORK=""
CGO_CFLAGS="-O2 -g"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-O2 -g"
CGO_FFLAGS="-O2 -g"
CGO_LDFLAGS="-O2 -g"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build283487419=/tmp/go-build -gno-record-gcc-switches"
git status (err=<nil>)
HEAD detached at 8bc9053e8
nothing to commit, working tree clean
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:32: run command via tools/syz-env for best compatibility, see:
Makefile:33: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=8bc9053e88dacf57f5ce550da040d31895eb9626 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20230904-115818'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=8bc9053e88dacf57f5ce550da040d31895eb9626 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20230904-115818'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=8bc9053e88dacf57f5ce550da040d31895eb9626 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20230904-115818'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"8bc9053e88dacf57f5ce550da040d31895eb9626\"
Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=14f77e1c680000
Tested on:
commit: a3c57ab7 iov_iter: Kunit tests for page extraction
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
kernel config: https://syzkaller.appspot.com/x/.config?x=50ac7dadde9e1c0e
dashboard link: https://syzkaller.appspot.com/bug?extid=55cc72f8cc3a549119df
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=15f413fc680000
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Hillf Danton
Sep 9, 2023, 10:37:20 PM9/9/23
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Sat, 09 Sep 2023 10:12:48 -0700
> HEAD commit: 3f86ed6ec0b3 Merge tag 'arc-6.6-rc1' of git://git.kernel.o..
> git tree: upstream
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1445ba2fa80000
> git tree: upstream
Update nr_pages without count.
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
--- x/mm/filemap.c
+++ y/mm/filemap.c
struct file *file = vma->vm_file;
struct page *page = folio_page(folio, start);
unsigned int mmap_miss = READ_ONCE(file->f_ra.mmap_miss);
- unsigned int count = 0;
+ unsigned int count, i;
pte_t *old_ptep = vmf->pte;
- do {
+ count = 0;
+ for (i = 0; i < nr_pages; i++) {
if (PageHWPoison(page + count))
goto skip;
@@ -3515,7 +3516,7 @@ skip:
vmf->pte += count;
addr += count * PAGE_SIZE;
addr += count * PAGE_SIZE;
count = 0;
- } while (--nr_pages > 0);
+ }
- } while (--nr_pages > 0);
+ }
syzbot
Sep 9, 2023, 10:56:29 PM9/9/23
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: Bad page map
BUG: Bad page map in process syz-executor.0 pte:fffff9a91c120 pmd:7ef9e067
page:ffffea000195b8c0 refcount:9 mapcount:-1 mapping:ffff888075b15190 index:0x3 pfn:0x656e3
head:ffffea000195b800 order:2 entire_mapcount:0 nr_pages_mapped:8388607 pincount:0
memcg:ffff888023d52000
head: 0000000000000000 ffff8880295fbc80 00000009ffffffff ffff888023d52000
__alloc_pages+0x255/0x670 mm/page_alloc.c:4426
folio_alloc+0x1e/0x60 mm/mempolicy.c:2308
filemap_alloc_folio+0xde/0x500 mm/filemap.c:976
Code: Unable to access opcode bytes at 0x7f766007cabf.
RSP: 002b:00007f7660d270c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000148
RAX: ffffffffffffffe5 RBX: 00007f766019bf80 RCX: 00007f766007cae9
R10: 0000000008800000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f766019bf80 R15: 00007fff3bbb47b8
</TASK>
BUG: Bad page map in process syz-executor.0 pte:fffff9a91d120 pmd:7ef9e067
page:ffffea000195b880 refcount:9 mapcount:-1 mapping:ffff888075b15190 index:0x2 pfn:0x656e2
head:ffffea000195b800 order:2 entire_mapcount:0 nr_pages_mapped:8388606 pincount:0
memcg:ffff888023d52000
head: 0000000000000000 ffff8880295fbc80 00000009ffffffff ffff888023d52000
__alloc_pages+0x255/0x670 mm/page_alloc.c:4426
folio_alloc+0x1e/0x60 mm/mempolicy.c:2308
filemap_alloc_folio+0xde/0x500 mm/filemap.c:976
Code: Unable to access opcode bytes at 0x7f766007cabf.
RSP: 002b:00007f7660d270c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000148
RAX: ffffffffffffffe5 RBX: 00007f766019bf80 RCX: 00007f766007cae9
R10: 0000000008800000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f766019bf80 R15: 00007fff3bbb47b8
</TASK>
BUG: Bad page map in process syz-executor.0 pte:fffff9a91e120 pmd:7ef9e067
page:ffffea000195b840 refcount:9 mapcount:-1 mapping:ffff888075b15190 index:0x1 pfn:0x656e1
head:ffffea000195b800 order:2 entire_mapcount:0 nr_pages_mapped:8388605 pincount:0
memcg:ffff888023d52000
head: 0000000000000000 ffff8880295fbc80 00000009ffffffff ffff888023d52000
__alloc_pages+0x255/0x670 mm/page_alloc.c:4426
folio_alloc+0x1e/0x60 mm/mempolicy.c:2308
filemap_alloc_folio+0xde/0x500 mm/filemap.c:976
Code: Unable to access opcode bytes at 0x7f766007cabf.
RSP: 002b:00007f7660d270c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000148
RAX: ffffffffffffffe5 RBX: 00007f766019bf80 RCX: 00007f766007cae9
R10: 0000000008800000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f766019bf80 R15: 00007fff3bbb47b8
</TASK>
Tested on:
commit: a3c57ab7 iov_iter: Kunit tests for page extraction
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=1264dfec680000
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: Bad page map
BUG: Bad page map in process syz-executor.0 pte:fffff9a91c120 pmd:7ef9e067
page:ffffea000195b8c0 refcount:9 mapcount:-1 mapping:ffff888075b15190 index:0x3 pfn:0x656e3
head:ffffea000195b800 order:2 entire_mapcount:0 nr_pages_mapped:8388607 pincount:0
memcg:ffff888023d52000
aops:xfs_address_space_operations ino:244a dentry name:"bus"
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000000 ffffea000195b801 dead000000000122 dead000000000400
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 0000000000000001 0000000000000000 00000000fffffffe 0000000000000000
head: 00fff0000000816c ffffea0001b3b948 ffff8880142af030 ffff888075b15190
head: 0000000000000000 ffff8880295fbc80 00000009ffffffff ffff888023d52000
page dumped because: bad pte
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Movable, gfp_mask 0x152c4a(GFP_NOFS|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 5456, tgid 5455 (syz-executor.0), ts 78822082874, free_ts 15468294632
page_owner tracks the page as allocated
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
prep_new_page mm/page_alloc.c:1543 [inline]
get_page_from_freelist+0x31db/0x3360 mm/page_alloc.c:3170
post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
prep_new_page mm/page_alloc.c:1543 [inline]
__alloc_pages+0x255/0x670 mm/page_alloc.c:4426
folio_alloc+0x1e/0x60 mm/mempolicy.c:2308
filemap_alloc_folio+0xde/0x500 mm/filemap.c:976
ra_alloc_folio mm/readahead.c:468 [inline]
page_cache_ra_order+0x423/0xcc0 mm/readahead.c:524
do_sync_mmap_readahead+0x444/0x850
filemap_fault+0x7d3/0x1710 mm/filemap.c:3291
page_cache_ra_order+0x423/0xcc0 mm/readahead.c:524
do_sync_mmap_readahead+0x444/0x850
__xfs_filemap_fault+0x286/0x960 fs/xfs/xfs_file.c:1354
__do_fault+0x133/0x4e0 mm/memory.c:4204
do_read_fault mm/memory.c:4568 [inline]
do_fault mm/memory.c:4705 [inline]
do_pte_missing mm/memory.c:3669 [inline]
handle_pte_fault mm/memory.c:4978 [inline]
__handle_mm_fault mm/memory.c:5119 [inline]
handle_mm_fault+0x48d2/0x6200 mm/memory.c:5284
faultin_page mm/gup.c:956 [inline]
__get_user_pages+0x6bd/0x15e0 mm/gup.c:1239
__get_user_pages_locked mm/gup.c:1504 [inline]
get_dump_page+0x146/0x2b0 mm/gup.c:2018
dump_user_range+0x126/0x910 fs/coredump.c:913
elf_core_dump+0x3b75/0x4490 fs/binfmt_elf.c:2142
do_coredump+0x1b73/0x2ab0 fs/coredump.c:764
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1136 [inline]
free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
free_contig_range+0x9e/0x150 mm/page_alloc.c:6342
__do_fault+0x133/0x4e0 mm/memory.c:4204
do_read_fault mm/memory.c:4568 [inline]
do_fault mm/memory.c:4705 [inline]
do_pte_missing mm/memory.c:3669 [inline]
handle_pte_fault mm/memory.c:4978 [inline]
__handle_mm_fault mm/memory.c:5119 [inline]
handle_mm_fault+0x48d2/0x6200 mm/memory.c:5284
faultin_page mm/gup.c:956 [inline]
__get_user_pages+0x6bd/0x15e0 mm/gup.c:1239
__get_user_pages_locked mm/gup.c:1504 [inline]
get_dump_page+0x146/0x2b0 mm/gup.c:2018
dump_user_range+0x126/0x910 fs/coredump.c:913
elf_core_dump+0x3b75/0x4490 fs/binfmt_elf.c:2142
do_coredump+0x1b73/0x2ab0 fs/coredump.c:764
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1136 [inline]
free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
destroy_args+0x95/0x7c0 mm/debug_vm_pgtable.c:1028
debug_vm_pgtable+0x4ac/0x540 mm/debug_vm_pgtable.c:1408
do_one_initcall+0x23d/0x7d0 init/main.c:1232
do_initcall_level+0x157/0x210 init/main.c:1294
do_initcalls+0x3f/0x80 init/main.c:1310
kernel_init_freeable+0x440/0x5d0 init/main.c:1547
kernel_init+0x1d/0x2a0 init/main.c:1437
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
addr:0000000020006000 vm_flags:080000d0 anon_vma:0000000000000000 mapping:ffff888075b15190 index:5
debug_vm_pgtable+0x4ac/0x540 mm/debug_vm_pgtable.c:1408
do_one_initcall+0x23d/0x7d0 init/main.c:1232
do_initcall_level+0x157/0x210 init/main.c:1294
do_initcalls+0x3f/0x80 init/main.c:1310
kernel_init_freeable+0x440/0x5d0 init/main.c:1547
kernel_init+0x1d/0x2a0 init/main.c:1437
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
file:bus fault:xfs_filemap_fault mmap:xfs_file_mmap read_folio:xfs_vm_read_folio
CPU: 0 PID: 5456 Comm: syz-executor.0 Not tainted 6.5.0-syzkaller-12921-ga3c57ab79a06-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
print_bad_pte+0x581/0x5c0 mm/memory.c:535
zap_pte_range mm/memory.c:1458 [inline]
zap_pmd_range mm/memory.c:1573 [inline]
zap_pud_range mm/memory.c:1602 [inline]
zap_p4d_range mm/memory.c:1623 [inline]
unmap_page_range+0x1a76/0x3300 mm/memory.c:1644
unmap_vmas+0x209/0x3a0 mm/memory.c:1731
exit_mmap+0x297/0xc50 mm/mmap.c:3210
__mmput+0x115/0x3c0 kernel/fork.c:1349
exit_mm+0x21f/0x300 kernel/exit.c:567
do_exit+0x612/0x2290 kernel/exit.c:861
do_group_exit+0x206/0x2c0 kernel/exit.c:1024
get_signal+0x175d/0x1840 kernel/signal.c:2892
arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:309
exit_to_user_mode_loop+0x6a/0x100 kernel/entry/common.c:168
exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:204
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x64/0x280 kernel/entry/common.c:296
do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f766007cae9
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
print_bad_pte+0x581/0x5c0 mm/memory.c:535
zap_pte_range mm/memory.c:1458 [inline]
zap_pmd_range mm/memory.c:1573 [inline]
zap_pud_range mm/memory.c:1602 [inline]
zap_p4d_range mm/memory.c:1623 [inline]
unmap_page_range+0x1a76/0x3300 mm/memory.c:1644
unmap_vmas+0x209/0x3a0 mm/memory.c:1731
exit_mmap+0x297/0xc50 mm/mmap.c:3210
__mmput+0x115/0x3c0 kernel/fork.c:1349
exit_mm+0x21f/0x300 kernel/exit.c:567
do_exit+0x612/0x2290 kernel/exit.c:861
do_group_exit+0x206/0x2c0 kernel/exit.c:1024
get_signal+0x175d/0x1840 kernel/signal.c:2892
arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:309
exit_to_user_mode_loop+0x6a/0x100 kernel/entry/common.c:168
exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:204
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x64/0x280 kernel/entry/common.c:296
do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Code: Unable to access opcode bytes at 0x7f766007cabf.
RSP: 002b:00007f7660d270c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000148
RAX: ffffffffffffffe5 RBX: 00007f766019bf80 RCX: 00007f766007cae9
RDX: 0000000000000002 RSI: 0000000020000300 RDI: 0000000000000007
RBP: 00007f76600c847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000008800000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f766019bf80 R15: 00007fff3bbb47b8
</TASK>
BUG: Bad page map in process syz-executor.0 pte:fffff9a91d120 pmd:7ef9e067
page:ffffea000195b880 refcount:9 mapcount:-1 mapping:ffff888075b15190 index:0x2 pfn:0x656e2
head:ffffea000195b800 order:2 entire_mapcount:0 nr_pages_mapped:8388606 pincount:0
memcg:ffff888023d52000
aops:xfs_address_space_operations ino:244a dentry name:"bus"
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000000 ffffea000195b801 ffffea000195b890 ffffea000195b890
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 0000000000000001 0000000000000000 00000000fffffffe 0000000000000000
head: 00fff0000000816c ffffea0001b3b948 ffff8880142af030 ffff888075b15190
head: 0000000000000000 ffff8880295fbc80 00000009ffffffff ffff888023d52000
page dumped because: bad pte
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Movable, gfp_mask 0x152c4a(GFP_NOFS|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 5456, tgid 5455 (syz-executor.0), ts 78822082874, free_ts 15468288757
page_owner tracks the page as allocated
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
prep_new_page mm/page_alloc.c:1543 [inline]
get_page_from_freelist+0x31db/0x3360 mm/page_alloc.c:3170
post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
prep_new_page mm/page_alloc.c:1543 [inline]
__alloc_pages+0x255/0x670 mm/page_alloc.c:4426
folio_alloc+0x1e/0x60 mm/mempolicy.c:2308
filemap_alloc_folio+0xde/0x500 mm/filemap.c:976
ra_alloc_folio mm/readahead.c:468 [inline]
page_cache_ra_order+0x423/0xcc0 mm/readahead.c:524
do_sync_mmap_readahead+0x444/0x850
filemap_fault+0x7d3/0x1710 mm/filemap.c:3291
page_cache_ra_order+0x423/0xcc0 mm/readahead.c:524
do_sync_mmap_readahead+0x444/0x850
__xfs_filemap_fault+0x286/0x960 fs/xfs/xfs_file.c:1354
__do_fault+0x133/0x4e0 mm/memory.c:4204
do_read_fault mm/memory.c:4568 [inline]
do_fault mm/memory.c:4705 [inline]
do_pte_missing mm/memory.c:3669 [inline]
handle_pte_fault mm/memory.c:4978 [inline]
__handle_mm_fault mm/memory.c:5119 [inline]
handle_mm_fault+0x48d2/0x6200 mm/memory.c:5284
faultin_page mm/gup.c:956 [inline]
__get_user_pages+0x6bd/0x15e0 mm/gup.c:1239
__get_user_pages_locked mm/gup.c:1504 [inline]
get_dump_page+0x146/0x2b0 mm/gup.c:2018
dump_user_range+0x126/0x910 fs/coredump.c:913
elf_core_dump+0x3b75/0x4490 fs/binfmt_elf.c:2142
do_coredump+0x1b73/0x2ab0 fs/coredump.c:764
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1136 [inline]
free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
free_contig_range+0x9e/0x150 mm/page_alloc.c:6342
__do_fault+0x133/0x4e0 mm/memory.c:4204
do_read_fault mm/memory.c:4568 [inline]
do_fault mm/memory.c:4705 [inline]
do_pte_missing mm/memory.c:3669 [inline]
handle_pte_fault mm/memory.c:4978 [inline]
__handle_mm_fault mm/memory.c:5119 [inline]
handle_mm_fault+0x48d2/0x6200 mm/memory.c:5284
faultin_page mm/gup.c:956 [inline]
__get_user_pages+0x6bd/0x15e0 mm/gup.c:1239
__get_user_pages_locked mm/gup.c:1504 [inline]
get_dump_page+0x146/0x2b0 mm/gup.c:2018
dump_user_range+0x126/0x910 fs/coredump.c:913
elf_core_dump+0x3b75/0x4490 fs/binfmt_elf.c:2142
do_coredump+0x1b73/0x2ab0 fs/coredump.c:764
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1136 [inline]
free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
destroy_args+0x95/0x7c0 mm/debug_vm_pgtable.c:1028
debug_vm_pgtable+0x4ac/0x540 mm/debug_vm_pgtable.c:1408
do_one_initcall+0x23d/0x7d0 init/main.c:1232
do_initcall_level+0x157/0x210 init/main.c:1294
do_initcalls+0x3f/0x80 init/main.c:1310
kernel_init_freeable+0x440/0x5d0 init/main.c:1547
kernel_init+0x1d/0x2a0 init/main.c:1437
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
addr:0000000020007000 vm_flags:080000d0 anon_vma:0000000000000000 mapping:ffff888075b15190 index:6
debug_vm_pgtable+0x4ac/0x540 mm/debug_vm_pgtable.c:1408
do_one_initcall+0x23d/0x7d0 init/main.c:1232
do_initcall_level+0x157/0x210 init/main.c:1294
do_initcalls+0x3f/0x80 init/main.c:1310
kernel_init_freeable+0x440/0x5d0 init/main.c:1547
kernel_init+0x1d/0x2a0 init/main.c:1437
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
file:bus fault:xfs_filemap_fault mmap:xfs_file_mmap read_folio:xfs_vm_read_folio
CPU: 1 PID: 5456 Comm: syz-executor.0 Tainted: G B 6.5.0-syzkaller-12921-ga3c57ab79a06-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
print_bad_pte+0x581/0x5c0 mm/memory.c:535
zap_pte_range mm/memory.c:1458 [inline]
zap_pmd_range mm/memory.c:1573 [inline]
zap_pud_range mm/memory.c:1602 [inline]
zap_p4d_range mm/memory.c:1623 [inline]
unmap_page_range+0x1a76/0x3300 mm/memory.c:1644
unmap_vmas+0x209/0x3a0 mm/memory.c:1731
exit_mmap+0x297/0xc50 mm/mmap.c:3210
__mmput+0x115/0x3c0 kernel/fork.c:1349
exit_mm+0x21f/0x300 kernel/exit.c:567
do_exit+0x612/0x2290 kernel/exit.c:861
do_group_exit+0x206/0x2c0 kernel/exit.c:1024
get_signal+0x175d/0x1840 kernel/signal.c:2892
arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:309
exit_to_user_mode_loop+0x6a/0x100 kernel/entry/common.c:168
exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:204
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x64/0x280 kernel/entry/common.c:296
do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f766007cae9
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
print_bad_pte+0x581/0x5c0 mm/memory.c:535
zap_pte_range mm/memory.c:1458 [inline]
zap_pmd_range mm/memory.c:1573 [inline]
zap_pud_range mm/memory.c:1602 [inline]
zap_p4d_range mm/memory.c:1623 [inline]
unmap_page_range+0x1a76/0x3300 mm/memory.c:1644
unmap_vmas+0x209/0x3a0 mm/memory.c:1731
exit_mmap+0x297/0xc50 mm/mmap.c:3210
__mmput+0x115/0x3c0 kernel/fork.c:1349
exit_mm+0x21f/0x300 kernel/exit.c:567
do_exit+0x612/0x2290 kernel/exit.c:861
do_group_exit+0x206/0x2c0 kernel/exit.c:1024
get_signal+0x175d/0x1840 kernel/signal.c:2892
arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:309
exit_to_user_mode_loop+0x6a/0x100 kernel/entry/common.c:168
exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:204
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x64/0x280 kernel/entry/common.c:296
do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Code: Unable to access opcode bytes at 0x7f766007cabf.
RSP: 002b:00007f7660d270c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000148
RAX: ffffffffffffffe5 RBX: 00007f766019bf80 RCX: 00007f766007cae9
RDX: 0000000000000002 RSI: 0000000020000300 RDI: 0000000000000007
RBP: 00007f76600c847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000008800000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f766019bf80 R15: 00007fff3bbb47b8
</TASK>
BUG: Bad page map in process syz-executor.0 pte:fffff9a91e120 pmd:7ef9e067
page:ffffea000195b840 refcount:9 mapcount:-1 mapping:ffff888075b15190 index:0x1 pfn:0x656e1
head:ffffea000195b800 order:2 entire_mapcount:0 nr_pages_mapped:8388605 pincount:0
memcg:ffff888023d52000
aops:xfs_address_space_operations ino:244a dentry name:"bus"
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000202 ffffea000195b801 dead000000000122 fffffffdffffffff
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 0000000400000000 0000000000000000 00000000fffffffe 0000000000000000
head: 00fff0000000816c ffffea0001b3b948 ffff8880142af030 ffff888075b15190
head: 0000000000000000 ffff8880295fbc80 00000009ffffffff ffff888023d52000
page dumped because: bad pte
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Movable, gfp_mask 0x152c4a(GFP_NOFS|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 5456, tgid 5455 (syz-executor.0), ts 78822082874, free_ts 15468282901
page_owner tracks the page as allocated
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
prep_new_page mm/page_alloc.c:1543 [inline]
get_page_from_freelist+0x31db/0x3360 mm/page_alloc.c:3170
post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
prep_new_page mm/page_alloc.c:1543 [inline]
__alloc_pages+0x255/0x670 mm/page_alloc.c:4426
folio_alloc+0x1e/0x60 mm/mempolicy.c:2308
filemap_alloc_folio+0xde/0x500 mm/filemap.c:976
ra_alloc_folio mm/readahead.c:468 [inline]
page_cache_ra_order+0x423/0xcc0 mm/readahead.c:524
do_sync_mmap_readahead+0x444/0x850
filemap_fault+0x7d3/0x1710 mm/filemap.c:3291
page_cache_ra_order+0x423/0xcc0 mm/readahead.c:524
do_sync_mmap_readahead+0x444/0x850
__xfs_filemap_fault+0x286/0x960 fs/xfs/xfs_file.c:1354
__do_fault+0x133/0x4e0 mm/memory.c:4204
do_read_fault mm/memory.c:4568 [inline]
do_fault mm/memory.c:4705 [inline]
do_pte_missing mm/memory.c:3669 [inline]
handle_pte_fault mm/memory.c:4978 [inline]
__handle_mm_fault mm/memory.c:5119 [inline]
handle_mm_fault+0x48d2/0x6200 mm/memory.c:5284
faultin_page mm/gup.c:956 [inline]
__get_user_pages+0x6bd/0x15e0 mm/gup.c:1239
__get_user_pages_locked mm/gup.c:1504 [inline]
get_dump_page+0x146/0x2b0 mm/gup.c:2018
dump_user_range+0x126/0x910 fs/coredump.c:913
elf_core_dump+0x3b75/0x4490 fs/binfmt_elf.c:2142
do_coredump+0x1b73/0x2ab0 fs/coredump.c:764
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1136 [inline]
free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
free_contig_range+0x9e/0x150 mm/page_alloc.c:6342
__do_fault+0x133/0x4e0 mm/memory.c:4204
do_read_fault mm/memory.c:4568 [inline]
do_fault mm/memory.c:4705 [inline]
do_pte_missing mm/memory.c:3669 [inline]
handle_pte_fault mm/memory.c:4978 [inline]
__handle_mm_fault mm/memory.c:5119 [inline]
handle_mm_fault+0x48d2/0x6200 mm/memory.c:5284
faultin_page mm/gup.c:956 [inline]
__get_user_pages+0x6bd/0x15e0 mm/gup.c:1239
__get_user_pages_locked mm/gup.c:1504 [inline]
get_dump_page+0x146/0x2b0 mm/gup.c:2018
dump_user_range+0x126/0x910 fs/coredump.c:913
elf_core_dump+0x3b75/0x4490 fs/binfmt_elf.c:2142
do_coredump+0x1b73/0x2ab0 fs/coredump.c:764
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1136 [inline]
free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
destroy_args+0x95/0x7c0 mm/debug_vm_pgtable.c:1028
debug_vm_pgtable+0x4ac/0x540 mm/debug_vm_pgtable.c:1408
do_one_initcall+0x23d/0x7d0 init/main.c:1232
do_initcall_level+0x157/0x210 init/main.c:1294
do_initcalls+0x3f/0x80 init/main.c:1310
kernel_init_freeable+0x440/0x5d0 init/main.c:1547
kernel_init+0x1d/0x2a0 init/main.c:1437
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
addr:0000000020008000 vm_flags:080000d0 anon_vma:0000000000000000 mapping:ffff888075b15190 index:7
debug_vm_pgtable+0x4ac/0x540 mm/debug_vm_pgtable.c:1408
do_one_initcall+0x23d/0x7d0 init/main.c:1232
do_initcall_level+0x157/0x210 init/main.c:1294
do_initcalls+0x3f/0x80 init/main.c:1310
kernel_init_freeable+0x440/0x5d0 init/main.c:1547
kernel_init+0x1d/0x2a0 init/main.c:1437
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
file:bus fault:xfs_filemap_fault mmap:xfs_file_mmap read_folio:xfs_vm_read_folio
CPU: 0 PID: 5456 Comm: syz-executor.0 Tainted: G B 6.5.0-syzkaller-12921-ga3c57ab79a06-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
print_bad_pte+0x581/0x5c0 mm/memory.c:535
zap_pte_range mm/memory.c:1458 [inline]
zap_pmd_range mm/memory.c:1573 [inline]
zap_pud_range mm/memory.c:1602 [inline]
zap_p4d_range mm/memory.c:1623 [inline]
unmap_page_range+0x1a76/0x3300 mm/memory.c:1644
unmap_vmas+0x209/0x3a0 mm/memory.c:1731
exit_mmap+0x297/0xc50 mm/mmap.c:3210
__mmput+0x115/0x3c0 kernel/fork.c:1349
exit_mm+0x21f/0x300 kernel/exit.c:567
do_exit+0x612/0x2290 kernel/exit.c:861
do_group_exit+0x206/0x2c0 kernel/exit.c:1024
get_signal+0x175d/0x1840 kernel/signal.c:2892
arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:309
exit_to_user_mode_loop+0x6a/0x100 kernel/entry/common.c:168
exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:204
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x64/0x280 kernel/entry/common.c:296
do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f766007cae9
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
print_bad_pte+0x581/0x5c0 mm/memory.c:535
zap_pte_range mm/memory.c:1458 [inline]
zap_pmd_range mm/memory.c:1573 [inline]
zap_pud_range mm/memory.c:1602 [inline]
zap_p4d_range mm/memory.c:1623 [inline]
unmap_page_range+0x1a76/0x3300 mm/memory.c:1644
unmap_vmas+0x209/0x3a0 mm/memory.c:1731
exit_mmap+0x297/0xc50 mm/mmap.c:3210
__mmput+0x115/0x3c0 kernel/fork.c:1349
exit_mm+0x21f/0x300 kernel/exit.c:567
do_exit+0x612/0x2290 kernel/exit.c:861
do_group_exit+0x206/0x2c0 kernel/exit.c:1024
get_signal+0x175d/0x1840 kernel/signal.c:2892
arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:309
exit_to_user_mode_loop+0x6a/0x100 kernel/entry/common.c:168
exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:204
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x64/0x280 kernel/entry/common.c:296
do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Code: Unable to access opcode bytes at 0x7f766007cabf.
RSP: 002b:00007f7660d270c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000148
RAX: ffffffffffffffe5 RBX: 00007f766019bf80 RCX: 00007f766007cae9
RDX: 0000000000000002 RSI: 0000000020000300 RDI: 0000000000000007
RBP: 00007f76600c847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000008800000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f766019bf80 R15: 00007fff3bbb47b8
</TASK>
Tested on:
commit: a3c57ab7 iov_iter: Kunit tests for page extraction
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
kernel config: https://syzkaller.appspot.com/x/.config?x=50ac7dadde9e1c0e
dashboard link: https://syzkaller.appspot.com/bug?extid=55cc72f8cc3a549119df
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=10734fafa80000
dashboard link: https://syzkaller.appspot.com/bug?extid=55cc72f8cc3a549119df
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Matthew Wilcox
Sep 9, 2023, 11:02:47 PM9/9/23
to syzbot, ak...@linux-foundation.org, fengw...@intel.com, linux-...@vger.kernel.org, linu...@kvack.org, syzkall...@googlegroups.com
On Sat, Sep 09, 2023 at 10:12:48AM -0700, syzbot wrote:
> commit 617c28ecab22d98a3809370eb6cb50fa24b7bfe1
> Author: Yin Fengwei <fengw...@intel.com>
> Date: Wed Aug 2 15:14:05 2023 +0000
>
> filemap: batch PTE mappings
Hmm ... I don't know if this is the bug, but ...
> commit 617c28ecab22d98a3809370eb6cb50fa24b7bfe1
> Author: Yin Fengwei <fengw...@intel.com>
> Date: Wed Aug 2 15:14:05 2023 +0000
>
> filemap: batch PTE mappings
#syz test
diff --git a/mm/filemap.c b/mm/filemap.c
index 582f5317ff71..580d0b2b1a7c 100644
--- a/mm/filemap.c
+++ b/mm/filemap.c
@@ -3506,7 +3506,7 @@ static vm_fault_t filemap_map_folio_range(struct vm_fault *vmf,
if (count) {
set_pte_range(vmf, folio, page, count, addr);
folio_ref_add(folio, count);
set_pte_range(vmf, folio, page, count, addr);
- if (in_range(vmf->address, addr, count))
+ if (in_range(vmf->address, addr, count * PAGE_SIZE))
ret = VM_FAULT_NOPAGE;
}
@@ -3520,7 +3520,7 @@ static vm_fault_t filemap_map_folio_range(struct vm_fault *vmf,
if (count) {
set_pte_range(vmf, folio, page, count, addr);
folio_ref_add(folio, count);
set_pte_range(vmf, folio, page, count, addr);
- if (in_range(vmf->address, addr, count))
+ if (in_range(vmf->address, addr, count * PAGE_SIZE))
ret = VM_FAULT_NOPAGE;
}
syzbot
Sep 9, 2023, 11:29:30 PM9/9/23
to ak...@linux-foundation.org, fengw...@intel.com, linux-...@vger.kernel.org, linu...@kvack.org, syzkall...@googlegroups.com, wi...@infradead.org
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: Bad page map
BUG: Bad page map in process syz-executor.0 pte:fffff9b7dc120 pmd:1ce8f067
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: Bad page map
page:ffffea00019208c0 refcount:9 mapcount:-1 mapping:ffff8880766e5190 index:0x3 pfn:0x64823
head:ffffea0001920800 order:2 entire_mapcount:0 nr_pages_mapped:8388607 pincount:0
memcg:ffff88801d8b4000
aops:xfs_address_space_operations ino:244a dentry name:"bus"
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000000 ffffea0001920801 dead000000000122 dead000000000400
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 0000000000000001 0000000000000000 00000000fffffffe 0000000000000000
head: 00fff0000000816c ffffea0001a08288 ffff88807acd1030 ffff8880766e5190
head: 0000000000000000 ffff888019789200 00000009ffffffff ffff88801d8b4000
page dumped because: bad pte
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Movable, gfp_mask 0x152c4a(GFP_NOFS|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 5453, tgid 5452 (syz-executor.0), ts 76204282340, free_ts 15924727179
page_owner tracks the page as allocated
file:bus fault:xfs_filemap_fault mmap:xfs_file_mmap read_folio:xfs_vm_read_folio
CPU: 1 PID: 5453 Comm: syz-executor.0 Not tainted 6.5.0-syzkaller-12921-ga3c57ab79a06-dirty #0
Code: Unable to access opcode bytes at 0x7f4cbf47cabf.
RSP: 002b:00007f4cc01920c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000148
RAX: ffffffffffffffe5 RBX: 00007f4cbf59bf80 RCX: 00007f4cbf47cae9
RDX: 0000000000000002 RSI: 0000000020000300 RDI: 0000000000000007
RBP: 00007f4cbf4c847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000008800000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f4cbf59bf80 R15: 00007fff582f4a98
</TASK>
BUG: Bad page map in process syz-executor.0 pte:fffff9b7dd120 pmd:1ce8f067
page:ffffea0001920880 refcount:9 mapcount:-1 mapping:ffff8880766e5190 index:0x2 pfn:0x64822
head:ffffea0001920800 order:2 entire_mapcount:0 nr_pages_mapped:8388606 pincount:0
memcg:ffff88801d8b4000
aops:xfs_address_space_operations ino:244a dentry name:"bus"
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000000 ffffea0001920801 ffffea0001920890 ffffea0001920890
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 0000000000000001 0000000000000000 00000000fffffffe 0000000000000000
head: 00fff0000000816c ffffea0001a08288 ffff88807acd1030 ffff8880766e5190
head: 0000000000000000 ffff888019789200 00000009ffffffff ffff88801d8b4000
page dumped because: bad pte
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Movable, gfp_mask 0x152c4a(GFP_NOFS|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 5453, tgid 5452 (syz-executor.0), ts 76204282340, free_ts 15924721374
page_owner tracks the page as allocated
file:bus fault:xfs_filemap_fault mmap:xfs_file_mmap read_folio:xfs_vm_read_folio
CPU: 0 PID: 5453 Comm: syz-executor.0 Tainted: G B 6.5.0-syzkaller-12921-ga3c57ab79a06-dirty #0
Code: Unable to access opcode bytes at 0x7f4cbf47cabf.
RSP: 002b:00007f4cc01920c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000148
RAX: ffffffffffffffe5 RBX: 00007f4cbf59bf80 RCX: 00007f4cbf47cae9
RDX: 0000000000000002 RSI: 0000000020000300 RDI: 0000000000000007
RBP: 00007f4cbf4c847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000008800000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f4cbf59bf80 R15: 00007fff582f4a98
</TASK>
BUG: Bad page map in process syz-executor.0 pte:fffff9b7de120 pmd:1ce8f067
page:ffffea0001920840 refcount:9 mapcount:-1 mapping:ffff8880766e5190 index:0x1 pfn:0x64821
head:ffffea0001920800 order:2 entire_mapcount:0 nr_pages_mapped:8388605 pincount:0
memcg:ffff88801d8b4000
aops:xfs_address_space_operations ino:244a dentry name:"bus"
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000202 ffffea0001920801 dead000000000122 fffffffdffffffff
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 0000000400000000 0000000000000000 00000000fffffffe 0000000000000000
head: 00fff0000000816c ffffea0001a08288 ffff88807acd1030 ffff8880766e5190
head: 0000000000000000 ffff888019789200 00000009ffffffff ffff88801d8b4000
page dumped because: bad pte
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Movable, gfp_mask 0x152c4a(GFP_NOFS|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 5453, tgid 5452 (syz-executor.0), ts 76204282340, free_ts 15924715505
page_owner tracks the page as allocated
file:bus fault:xfs_filemap_fault mmap:xfs_file_mmap read_folio:xfs_vm_read_folio
CPU: 1 PID: 5453 Comm: syz-executor.0 Tainted: G B 6.5.0-syzkaller-12921-ga3c57ab79a06-dirty #0
Code: Unable to access opcode bytes at 0x7f4cbf47cabf.
RSP: 002b:00007f4cc01920c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000148
RAX: ffffffffffffffe5 RBX: 00007f4cbf59bf80 RCX: 00007f4cbf47cae9
RDX: 0000000000000002 RSI: 0000000020000300 RDI: 0000000000000007
RBP: 00007f4cbf4c847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000008800000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f4cbf59bf80 R15: 00007fff582f4a98
</TASK>
Tested on:
commit: a3c57ab7 iov_iter: Kunit tests for page extraction
git tree: upstream
Tested on:
commit: a3c57ab7 iov_iter: Kunit tests for page extraction
console output: https://syzkaller.appspot.com/x/log.txt?x=16a308d8680000
kernel config: https://syzkaller.appspot.com/x/.config?x=50ac7dadde9e1c0e
dashboard link: https://syzkaller.appspot.com/bug?extid=55cc72f8cc3a549119df
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1037a92c680000
dashboard link: https://syzkaller.appspot.com/bug?extid=55cc72f8cc3a549119df
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Edward AD
Sep 10, 2023, 12:03:48 AM9/10/23
to syzbot+55cc72...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test filemap
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 3f86ed6ec0b3
diff --git a/mm/filemap.c b/mm/filemap.c
index 582f5317ff71..5b80cb86079c 100644
--- a/mm/filemap.c
+++ b/mm/filemap.c
@@ -3487,7 +3487,7 @@ static vm_fault_t filemap_map_folio_range(struct vm_fault *vmf,
do {
if (PageHWPoison(page + count))
- goto skip;
+ goto next;
if (mmap_miss > 0)
mmap_miss--;
@@ -3509,7 +3509,7 @@ static vm_fault_t filemap_map_folio_range(struct vm_fault *vmf,
if (in_range(vmf->address, addr, count))
ret = VM_FAULT_NOPAGE;
}
-
+next:
count++;
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 3f86ed6ec0b3
diff --git a/mm/filemap.c b/mm/filemap.c
index 582f5317ff71..5b80cb86079c 100644
--- a/mm/filemap.c
+++ b/mm/filemap.c
@@ -3487,7 +3487,7 @@ static vm_fault_t filemap_map_folio_range(struct vm_fault *vmf,
do {
if (PageHWPoison(page + count))
- goto skip;
+ goto next;
if (mmap_miss > 0)
mmap_miss--;
@@ -3509,7 +3509,7 @@ static vm_fault_t filemap_map_folio_range(struct vm_fault *vmf,
if (in_range(vmf->address, addr, count))
ret = VM_FAULT_NOPAGE;
}
-
+next:
count++;
syzbot
Sep 10, 2023, 12:26:36 AM9/10/23
to ead...@sina.com, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: Bad page map
BUG: Bad page map in process syz-executor.0 pte:fffff9a870120 pmd:7e5a4067
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: Bad page map
page:ffffea000195e3c0 refcount:9 mapcount:-1 mapping:ffff888075a15190 index:0x3 pfn:0x6578f
head:ffffea000195e300 order:2 entire_mapcount:0 nr_pages_mapped:8388607 pincount:0
memcg:ffff888078e4c000
aops:xfs_address_space_operations ino:244a dentry name:"bus"
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000000 ffffea000195e301 dead000000000122 dead000000000400
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 0000000000000001 0000000000000000 00000000fffffffe 0000000000000000
head: 00fff0000000816c ffffea0001c96d48 ffff888028d06030 ffff888075a15190
head: 0000000000000000 ffff888024430680 00000009ffffffff ffff888078e4c000
page dumped because: bad pte
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Movable, gfp_mask 0x152c4a(GFP_NOFS|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 5452, tgid 5451 (syz-executor.0), ts 78041218379, free_ts 14540162808
page_owner tracks the page as allocated
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
prep_new_page mm/page_alloc.c:1543 [inline]
post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
prep_new_page mm/page_alloc.c:1543 [inline]
get_page_from_freelist+0x31ec/0x3370 mm/page_alloc.c:3183
__alloc_pages+0x255/0x670 mm/page_alloc.c:4439
folio_alloc+0x1e/0x60 mm/mempolicy.c:2308
__alloc_pages+0x255/0x670 mm/page_alloc.c:4439
filemap_alloc_folio+0xde/0x500 mm/filemap.c:979
ra_alloc_folio mm/readahead.c:468 [inline]
page_cache_ra_order+0x423/0xcc0 mm/readahead.c:524
do_sync_mmap_readahead+0x444/0x850
filemap_fault+0x7d3/0x1710 mm/filemap.c:3294
page_cache_ra_order+0x423/0xcc0 mm/readahead.c:524
do_sync_mmap_readahead+0x444/0x850
__xfs_filemap_fault+0x286/0x960 fs/xfs/xfs_file.c:1354
__do_fault+0x133/0x4e0 mm/memory.c:4204
do_read_fault mm/memory.c:4568 [inline]
do_fault mm/memory.c:4705 [inline]
do_pte_missing mm/memory.c:3669 [inline]
handle_pte_fault mm/memory.c:4978 [inline]
__handle_mm_fault mm/memory.c:5119 [inline]
handle_mm_fault+0x48d2/0x6200 mm/memory.c:5284
faultin_page mm/gup.c:956 [inline]
__get_user_pages+0x6bd/0x15e0 mm/gup.c:1239
__get_user_pages_locked mm/gup.c:1504 [inline]
get_dump_page+0x146/0x2b0 mm/gup.c:2018
dump_user_range+0x126/0x910 fs/coredump.c:913
elf_core_dump+0x3b75/0x4490 fs/binfmt_elf.c:2142
do_coredump+0x1b73/0x2ab0 fs/coredump.c:764
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1136 [inline]
free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
free_contig_range+0x9e/0x150 mm/page_alloc.c:6355
__do_fault+0x133/0x4e0 mm/memory.c:4204
do_read_fault mm/memory.c:4568 [inline]
do_fault mm/memory.c:4705 [inline]
do_pte_missing mm/memory.c:3669 [inline]
handle_pte_fault mm/memory.c:4978 [inline]
__handle_mm_fault mm/memory.c:5119 [inline]
handle_mm_fault+0x48d2/0x6200 mm/memory.c:5284
faultin_page mm/gup.c:956 [inline]
__get_user_pages+0x6bd/0x15e0 mm/gup.c:1239
__get_user_pages_locked mm/gup.c:1504 [inline]
get_dump_page+0x146/0x2b0 mm/gup.c:2018
dump_user_range+0x126/0x910 fs/coredump.c:913
elf_core_dump+0x3b75/0x4490 fs/binfmt_elf.c:2142
do_coredump+0x1b73/0x2ab0 fs/coredump.c:764
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1136 [inline]
free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
destroy_args+0x95/0x7c0 mm/debug_vm_pgtable.c:1028
debug_vm_pgtable+0x4ac/0x540 mm/debug_vm_pgtable.c:1408
do_one_initcall+0x23d/0x7d0 init/main.c:1232
do_initcall_level+0x157/0x210 init/main.c:1294
do_initcalls+0x3f/0x80 init/main.c:1310
kernel_init_freeable+0x440/0x5d0 init/main.c:1547
kernel_init+0x1d/0x2a0 init/main.c:1437
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
addr:0000000020006000 vm_flags:080000d0 anon_vma:0000000000000000 mapping:ffff888075a15190 index:5
debug_vm_pgtable+0x4ac/0x540 mm/debug_vm_pgtable.c:1408
do_one_initcall+0x23d/0x7d0 init/main.c:1232
do_initcall_level+0x157/0x210 init/main.c:1294
do_initcalls+0x3f/0x80 init/main.c:1310
kernel_init_freeable+0x440/0x5d0 init/main.c:1547
kernel_init+0x1d/0x2a0 init/main.c:1437
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
file:bus fault:xfs_filemap_fault mmap:xfs_file_mmap read_folio:xfs_vm_read_folio
CPU: 1 PID: 5451 Comm: syz-executor.0 Not tainted 6.5.0-syzkaller-11704-g3f86ed6ec0b3-dirty #0
Code: Unable to access opcode bytes at 0x7fad9507cabf.
RSP: 002b:00007fff19e93398 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffdfc RBX: 00000000000130aa RCX: 00007fad9507cae9
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007fad9519bf8c
RBP: 0000000000000032 R08: 00007fad9519bf8c R09: 00007fad9519bf8c
R10: 00007fff19e934d0 R11: 0000000000000246 R12: 00007fad9519bf8c
R13: 00000000000130dc R14: 00007fff19e934f0 R15: 00007fff19e934d0
</TASK>
BUG: Bad page map in process syz-executor.0 pte:fffff9a871120 pmd:7e5a4067
page:ffffea000195e380 refcount:9 mapcount:-1 mapping:ffff888075a15190 index:0x2 pfn:0x6578e
head:ffffea000195e300 order:2 entire_mapcount:0 nr_pages_mapped:8388606 pincount:0
memcg:ffff888078e4c000
aops:xfs_address_space_operations ino:244a dentry name:"bus"
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000000 ffffea000195e301 ffffea000195e390 ffffea000195e390
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 0000000000000001 0000000000000000 00000000fffffffe 0000000000000000
head: 00fff0000000816c ffffea0001c96d48 ffff888028d06030 ffff888075a15190
head: 0000000000000000 ffff888024430680 00000009ffffffff ffff888078e4c000
page dumped because: bad pte
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Movable, gfp_mask 0x152c4a(GFP_NOFS|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 5452, tgid 5451 (syz-executor.0), ts 78041218379, free_ts 14540156810
page_owner tracks the page as allocated
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
prep_new_page mm/page_alloc.c:1543 [inline]
post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
prep_new_page mm/page_alloc.c:1543 [inline]
get_page_from_freelist+0x31ec/0x3370 mm/page_alloc.c:3183
__alloc_pages+0x255/0x670 mm/page_alloc.c:4439
folio_alloc+0x1e/0x60 mm/mempolicy.c:2308
__alloc_pages+0x255/0x670 mm/page_alloc.c:4439
filemap_alloc_folio+0xde/0x500 mm/filemap.c:979
ra_alloc_folio mm/readahead.c:468 [inline]
page_cache_ra_order+0x423/0xcc0 mm/readahead.c:524
do_sync_mmap_readahead+0x444/0x850
filemap_fault+0x7d3/0x1710 mm/filemap.c:3294
page_cache_ra_order+0x423/0xcc0 mm/readahead.c:524
do_sync_mmap_readahead+0x444/0x850
__xfs_filemap_fault+0x286/0x960 fs/xfs/xfs_file.c:1354
__do_fault+0x133/0x4e0 mm/memory.c:4204
do_read_fault mm/memory.c:4568 [inline]
do_fault mm/memory.c:4705 [inline]
do_pte_missing mm/memory.c:3669 [inline]
handle_pte_fault mm/memory.c:4978 [inline]
__handle_mm_fault mm/memory.c:5119 [inline]
handle_mm_fault+0x48d2/0x6200 mm/memory.c:5284
faultin_page mm/gup.c:956 [inline]
__get_user_pages+0x6bd/0x15e0 mm/gup.c:1239
__get_user_pages_locked mm/gup.c:1504 [inline]
get_dump_page+0x146/0x2b0 mm/gup.c:2018
dump_user_range+0x126/0x910 fs/coredump.c:913
elf_core_dump+0x3b75/0x4490 fs/binfmt_elf.c:2142
do_coredump+0x1b73/0x2ab0 fs/coredump.c:764
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1136 [inline]
free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
free_contig_range+0x9e/0x150 mm/page_alloc.c:6355
__do_fault+0x133/0x4e0 mm/memory.c:4204
do_read_fault mm/memory.c:4568 [inline]
do_fault mm/memory.c:4705 [inline]
do_pte_missing mm/memory.c:3669 [inline]
handle_pte_fault mm/memory.c:4978 [inline]
__handle_mm_fault mm/memory.c:5119 [inline]
handle_mm_fault+0x48d2/0x6200 mm/memory.c:5284
faultin_page mm/gup.c:956 [inline]
__get_user_pages+0x6bd/0x15e0 mm/gup.c:1239
__get_user_pages_locked mm/gup.c:1504 [inline]
get_dump_page+0x146/0x2b0 mm/gup.c:2018
dump_user_range+0x126/0x910 fs/coredump.c:913
elf_core_dump+0x3b75/0x4490 fs/binfmt_elf.c:2142
do_coredump+0x1b73/0x2ab0 fs/coredump.c:764
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1136 [inline]
free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
destroy_args+0x95/0x7c0 mm/debug_vm_pgtable.c:1028
debug_vm_pgtable+0x4ac/0x540 mm/debug_vm_pgtable.c:1408
do_one_initcall+0x23d/0x7d0 init/main.c:1232
do_initcall_level+0x157/0x210 init/main.c:1294
do_initcalls+0x3f/0x80 init/main.c:1310
kernel_init_freeable+0x440/0x5d0 init/main.c:1547
kernel_init+0x1d/0x2a0 init/main.c:1437
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
addr:0000000020007000 vm_flags:080000d0 anon_vma:0000000000000000 mapping:ffff888075a15190 index:6
debug_vm_pgtable+0x4ac/0x540 mm/debug_vm_pgtable.c:1408
do_one_initcall+0x23d/0x7d0 init/main.c:1232
do_initcall_level+0x157/0x210 init/main.c:1294
do_initcalls+0x3f/0x80 init/main.c:1310
kernel_init_freeable+0x440/0x5d0 init/main.c:1547
kernel_init+0x1d/0x2a0 init/main.c:1437
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
file:bus fault:xfs_filemap_fault mmap:xfs_file_mmap read_folio:xfs_vm_read_folio
CPU: 1 PID: 5451 Comm: syz-executor.0 Tainted: G B 6.5.0-syzkaller-11704-g3f86ed6ec0b3-dirty #0
Code: Unable to access opcode bytes at 0x7fad9507cabf.
RSP: 002b:00007fff19e93398 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffdfc RBX: 00000000000130aa RCX: 00007fad9507cae9
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007fad9519bf8c
RBP: 0000000000000032 R08: 00007fad9519bf8c R09: 00007fad9519bf8c
R10: 00007fff19e934d0 R11: 0000000000000246 R12: 00007fad9519bf8c
R13: 00000000000130dc R14: 00007fff19e934f0 R15: 00007fff19e934d0
</TASK>
BUG: Bad page map in process syz-executor.0 pte:fffff9a872120 pmd:7e5a4067
page:ffffea000195e340 refcount:9 mapcount:-1 mapping:ffff888075a15190 index:0x1 pfn:0x6578d
head:ffffea000195e300 order:2 entire_mapcount:0 nr_pages_mapped:8388605 pincount:0
memcg:ffff888078e4c000
aops:xfs_address_space_operations ino:244a dentry name:"bus"
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000202 ffffea000195e301 dead000000000122 fffffffdffffffff
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 0000000400000000 0000000000000000 00000000fffffffe 0000000000000000
head: 00fff0000000816c ffffea0001c96d48 ffff888028d06030 ffff888075a15190
head: 0000000000000000 ffff888024430680 00000009ffffffff ffff888078e4c000
page dumped because: bad pte
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Movable, gfp_mask 0x152c4a(GFP_NOFS|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 5452, tgid 5451 (syz-executor.0), ts 78041218379, free_ts 14540150873
page_owner tracks the page as allocated
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
prep_new_page mm/page_alloc.c:1543 [inline]
post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
prep_new_page mm/page_alloc.c:1543 [inline]
get_page_from_freelist+0x31ec/0x3370 mm/page_alloc.c:3183
__alloc_pages+0x255/0x670 mm/page_alloc.c:4439
folio_alloc+0x1e/0x60 mm/mempolicy.c:2308
__alloc_pages+0x255/0x670 mm/page_alloc.c:4439
filemap_alloc_folio+0xde/0x500 mm/filemap.c:979
ra_alloc_folio mm/readahead.c:468 [inline]
page_cache_ra_order+0x423/0xcc0 mm/readahead.c:524
do_sync_mmap_readahead+0x444/0x850
filemap_fault+0x7d3/0x1710 mm/filemap.c:3294
page_cache_ra_order+0x423/0xcc0 mm/readahead.c:524
do_sync_mmap_readahead+0x444/0x850
__xfs_filemap_fault+0x286/0x960 fs/xfs/xfs_file.c:1354
__do_fault+0x133/0x4e0 mm/memory.c:4204
do_read_fault mm/memory.c:4568 [inline]
do_fault mm/memory.c:4705 [inline]
do_pte_missing mm/memory.c:3669 [inline]
handle_pte_fault mm/memory.c:4978 [inline]
__handle_mm_fault mm/memory.c:5119 [inline]
handle_mm_fault+0x48d2/0x6200 mm/memory.c:5284
faultin_page mm/gup.c:956 [inline]
__get_user_pages+0x6bd/0x15e0 mm/gup.c:1239
__get_user_pages_locked mm/gup.c:1504 [inline]
get_dump_page+0x146/0x2b0 mm/gup.c:2018
dump_user_range+0x126/0x910 fs/coredump.c:913
elf_core_dump+0x3b75/0x4490 fs/binfmt_elf.c:2142
do_coredump+0x1b73/0x2ab0 fs/coredump.c:764
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1136 [inline]
free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
free_contig_range+0x9e/0x150 mm/page_alloc.c:6355
__do_fault+0x133/0x4e0 mm/memory.c:4204
do_read_fault mm/memory.c:4568 [inline]
do_fault mm/memory.c:4705 [inline]
do_pte_missing mm/memory.c:3669 [inline]
handle_pte_fault mm/memory.c:4978 [inline]
__handle_mm_fault mm/memory.c:5119 [inline]
handle_mm_fault+0x48d2/0x6200 mm/memory.c:5284
faultin_page mm/gup.c:956 [inline]
__get_user_pages+0x6bd/0x15e0 mm/gup.c:1239
__get_user_pages_locked mm/gup.c:1504 [inline]
get_dump_page+0x146/0x2b0 mm/gup.c:2018
dump_user_range+0x126/0x910 fs/coredump.c:913
elf_core_dump+0x3b75/0x4490 fs/binfmt_elf.c:2142
do_coredump+0x1b73/0x2ab0 fs/coredump.c:764
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1136 [inline]
free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
destroy_args+0x95/0x7c0 mm/debug_vm_pgtable.c:1028
debug_vm_pgtable+0x4ac/0x540 mm/debug_vm_pgtable.c:1408
do_one_initcall+0x23d/0x7d0 init/main.c:1232
do_initcall_level+0x157/0x210 init/main.c:1294
do_initcalls+0x3f/0x80 init/main.c:1310
kernel_init_freeable+0x440/0x5d0 init/main.c:1547
kernel_init+0x1d/0x2a0 init/main.c:1437
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
addr:0000000020008000 vm_flags:080000d0 anon_vma:0000000000000000 mapping:ffff888075a15190 index:7
debug_vm_pgtable+0x4ac/0x540 mm/debug_vm_pgtable.c:1408
do_one_initcall+0x23d/0x7d0 init/main.c:1232
do_initcall_level+0x157/0x210 init/main.c:1294
do_initcalls+0x3f/0x80 init/main.c:1310
kernel_init_freeable+0x440/0x5d0 init/main.c:1547
kernel_init+0x1d/0x2a0 init/main.c:1437
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
file:bus fault:xfs_filemap_fault mmap:xfs_file_mmap read_folio:xfs_vm_read_folio
CPU: 0 PID: 5451 Comm: syz-executor.0 Tainted: G B 6.5.0-syzkaller-11704-g3f86ed6ec0b3-dirty #0
Code: Unable to access opcode bytes at 0x7fad9507cabf.
RSP: 002b:00007fff19e93398 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffdfc RBX: 00000000000130aa RCX: 00007fad9507cae9
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007fad9519bf8c
RBP: 0000000000000032 R08: 00007fad9519bf8c R09: 00007fad9519bf8c
R10: 00007fff19e934d0 R11: 0000000000000246 R12: 00007fad9519bf8c
R13: 00000000000130dc R14: 00007fff19e934f0 R15: 00007fff19e934d0
</TASK>
Tested on:
commit: 3f86ed6e Merge tag 'arc-6.6-rc1' of git://git.kernel.o..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=17f73e80680000
kernel config: https://syzkaller.appspot.com/x/.config?x=ff0db7a15ba54ead
dashboard link: https://syzkaller.appspot.com/bug?extid=55cc72f8cc3a549119df
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=12ede8a0680000
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Edward AD
Sep 10, 2023, 12:30:56 AM9/10/23
to syzbot+55cc72...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test filemap
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 3bd786f76de2
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 3bd786f76de2
syzbot
Sep 10, 2023, 1:04:40 AM9/10/23
to ead...@sina.com, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+55cc72...@syzkaller.appspotmail.com
Tested on:
commit: 3bd786f7 mm: convert do_set_pte() to set_pte_range()
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=12f38578680000
kernel config: https://syzkaller.appspot.com/x/.config?x=d998bc457cffc7ac
Note: testing is done by a robot and is best-effort only.
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+55cc72...@syzkaller.appspotmail.com
Tested on:
commit: 3bd786f7 mm: convert do_set_pte() to set_pte_range()
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=12f38578680000
kernel config: https://syzkaller.appspot.com/x/.config?x=d998bc457cffc7ac
dashboard link: https://syzkaller.appspot.com/bug?extid=55cc72f8cc3a549119df
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Note: no patches were applied.
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Note: testing is done by a robot and is best-effort only.
Edward AD
Sep 10, 2023, 1:36:25 AM9/10/23
to syzbot+55cc72...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test filemap
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 3bd786f76de2
diff --git a/mm/filemap.c b/mm/filemap.c
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 3bd786f76de2
index 014b73eb96a1..d6b27083a5af 100644
--- a/mm/filemap.c
+++ b/mm/filemap.c
@@ -3480,7 +3480,7 @@ static vm_fault_t filemap_map_folio_range(struct vm_fault *vmf,
struct file *file = vma->vm_file;
struct page *page = folio_page(folio, start);
unsigned int mmap_miss = READ_ONCE(file->f_ra.mmap_miss);
- unsigned int count = 0;
+ unsigned int count = 0, i;
struct page *page = folio_page(folio, start);
unsigned int mmap_miss = READ_ONCE(file->f_ra.mmap_miss);
- unsigned int count = 0;
pte_t *old_ptep = vmf->pte;
do {
@@ -3502,7 +3502,8 @@ static vm_fault_t filemap_map_folio_range(struct vm_fault *vmf,
continue;
skip:
if (count) {
- set_pte_range(vmf, folio, page, count, addr);
+ for (i = 0; i < count; i++)
+ set_pte_range(vmf, folio, page, 1, addr);
folio_ref_add(folio, count);
if (in_range(vmf->address, addr, count))
ret = VM_FAULT_NOPAGE;
@@ -3516,7 +3517,8 @@ static vm_fault_t filemap_map_folio_range(struct vm_fault *vmf,
ret = VM_FAULT_NOPAGE;
} while (--nr_pages > 0);
if (count) {
- set_pte_range(vmf, folio, page, count, addr);
+ for (i = 0; i < count; i++)
+ set_pte_range(vmf, folio, page, 1, addr);
folio_ref_add(folio, count);
syzbot
Sep 10, 2023, 1:47:31 AM9/10/23
to ead...@sina.com, syzkall...@googlegroups.com
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
failed to apply patch:
checking file mm/filemap.c
Hunk #1 FAILED at 3480.
Hunk #2 FAILED at 3502.
Hunk #3 FAILED at 3516.
3 out of 3 hunks FAILED
Tested on:
commit: 3bd786f7 mm: convert do_set_pte() to set_pte_range()
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=ff0db7a15ba54ead
patch: https://syzkaller.appspot.com/x/patch.diff?x=1598150c680000
syzbot tried to test the proposed patch but the build/boot failed:
failed to apply patch:
checking file mm/filemap.c
Hunk #1 FAILED at 3480.
Hunk #2 FAILED at 3502.
Hunk #3 FAILED at 3516.
3 out of 3 hunks FAILED
Tested on:
commit: 3bd786f7 mm: convert do_set_pte() to set_pte_range()
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
patch: https://syzkaller.appspot.com/x/patch.diff?x=1598150c680000
Edward AD
Sep 10, 2023, 2:01:23 AM9/10/23
to syzbot+55cc72...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test filemap
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 3bd786f76de2
diff --git a/mm/filemap.c b/mm/filemap.c
index 582f5317ff71..f89edad86842 100644
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 3bd786f76de2
diff --git a/mm/filemap.c b/mm/filemap.c
--- a/mm/filemap.c
+++ b/mm/filemap.c
@@ -3482,7 +3482,7 @@ static vm_fault_t filemap_map_folio_range(struct vm_fault *vmf,
struct file *file = vma->vm_file;
struct page *page = folio_page(folio, start);
unsigned int mmap_miss = READ_ONCE(file->f_ra.mmap_miss);
- unsigned int count = 0;
+ unsigned int count = 0, i;
pte_t *old_ptep = vmf->pte;
do {
@@ -3504,7 +3504,8 @@ static vm_fault_t filemap_map_folio_range(struct vm_fault *vmf,
struct page *page = folio_page(folio, start);
unsigned int mmap_miss = READ_ONCE(file->f_ra.mmap_miss);
- unsigned int count = 0;
+ unsigned int count = 0, i;
pte_t *old_ptep = vmf->pte;
do {
continue;
skip:
if (count) {
- set_pte_range(vmf, folio, page, count, addr);
+ for (i = 0;i < count; i++)
+ set_pte_range(vmf, folio, page, 1, addr);
folio_ref_add(folio, count);
if (in_range(vmf->address, addr, count))
ret = VM_FAULT_NOPAGE;
@@ -3518,7 +3519,8 @@ static vm_fault_t filemap_map_folio_range(struct vm_fault *vmf,
skip:
if (count) {
- set_pte_range(vmf, folio, page, count, addr);
+ for (i = 0;i < count; i++)
+ set_pte_range(vmf, folio, page, 1, addr);
folio_ref_add(folio, count);
if (in_range(vmf->address, addr, count))
ret = VM_FAULT_NOPAGE;
Edward AD
Sep 10, 2023, 2:04:03 AM9/10/23
to syzbot+55cc72...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test filemap
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 3f86ed6ec0b3
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 3f86ed6ec0b3
Hillf Danton
Sep 10, 2023, 2:07:20 AM9/10/23
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Sat, 09 Sep 2023 10:12:48 -0700
> HEAD commit: 3f86ed6ec0b3 Merge tag 'arc-6.6-rc1' of git://git.kernel.o..
> git tree: upstream
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1445ba2fa80000
> git tree: upstream
Update vmf->pte.
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
--- x/mm/filemap.c
+++ y/mm/filemap.c
struct page *page = folio_page(folio, start);
unsigned int mmap_miss = READ_ONCE(file->f_ra.mmap_miss);
unsigned int mmap_miss = READ_ONCE(file->f_ra.mmap_miss);
unsigned int count = 0;
- pte_t *old_ptep = vmf->pte;
do {
if (PageHWPoison(page + count))
@@ -3524,7 +3523,6 @@ skip:
ret = VM_FAULT_NOPAGE;
}
- vmf->pte = old_ptep;
WRITE_ONCE(file->f_ra.mmap_miss, mmap_miss);
return ret;
--
syzbot
Sep 10, 2023, 2:18:37 AM9/10/23
to ead...@sina.com, syzkall...@googlegroups.com
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
failed to apply patch:
checking file mm/filemap.c
Hunk #1 FAILED at 3482.
syzbot tried to test the proposed patch but the build/boot failed:
failed to apply patch:
checking file mm/filemap.c
Hunk #2 FAILED at 3504.
Hunk #3 FAILED at 3518.
3 out of 3 hunks FAILED
Tested on:
commit: 3bd786f7 mm: convert do_set_pte() to set_pte_range()
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=ff0db7a15ba54ead
dashboard link: https://syzkaller.appspot.com/bug?extid=55cc72f8cc3a549119df
compiler:
patch: https://syzkaller.appspot.com/x/patch.diff?x=17892108680000
Tested on:
commit: 3bd786f7 mm: convert do_set_pte() to set_pte_range()
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=ff0db7a15ba54ead
dashboard link: https://syzkaller.appspot.com/bug?extid=55cc72f8cc3a549119df
compiler:
syzbot
Sep 10, 2023, 2:31:31 AM9/10/23
to ead...@sina.com, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: Bad rss-counter state
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: Bad rss-counter state mm:ffff88807e128980 type:MM_FILEPAGES val:4
Tested on:
commit: 3f86ed6e Merge tag 'arc-6.6-rc1' of git://git.kernel.o..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=159bc11c680000
kernel config: https://syzkaller.appspot.com/x/.config?x=ff0db7a15ba54ead
dashboard link: https://syzkaller.appspot.com/bug?extid=55cc72f8cc3a549119df
dashboard link: https://syzkaller.appspot.com/bug?extid=55cc72f8cc3a549119df
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=100caac7a80000
syzbot
Sep 10, 2023, 2:49:34 AM9/10/23
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: Bad page map
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: Bad page map in process syz-executor.0 pte:fffff9af08120 pmd:29f05067
page:ffffea0001943dc0 refcount:9 mapcount:-1 mapping:ffff88807726d190 index:0x3 pfn:0x650f7
head:ffffea0001943d00 order:2 entire_mapcount:0 nr_pages_mapped:8388607 pincount:0
memcg:ffff88801fe7a000
aops:xfs_address_space_operations ino:244a dentry name:"bus"
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000000 ffffea0001943d01 dead000000000122 dead000000000400
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 0000000000000001 0000000000000000 00000000fffffffe 0000000000000000
head: 00fff0000000816c ffffea0001a3d488 ffff888078c81030 ffff88807726d190
head: 0000000000000000 ffff8880228b4280 00000009ffffffff ffff88801fe7a000
page dumped because: bad pte
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Movable, gfp_mask 0x152c4a(GFP_NOFS|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 5452, tgid 5451 (syz-executor.0), ts 76195790660, free_ts 16216492891
page_owner tracks the page as allocated
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
prep_new_page mm/page_alloc.c:1543 [inline]
post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
prep_new_page mm/page_alloc.c:1543 [inline]
get_page_from_freelist+0x31db/0x3360 mm/page_alloc.c:3170
__alloc_pages+0x255/0x670 mm/page_alloc.c:4426
folio_alloc+0x1e/0x60 mm/mempolicy.c:2308
__alloc_pages+0x255/0x670 mm/page_alloc.c:4426
filemap_alloc_folio+0xde/0x500 mm/filemap.c:976
ra_alloc_folio mm/readahead.c:468 [inline]
page_cache_ra_order+0x423/0xcc0 mm/readahead.c:524
do_sync_mmap_readahead+0x444/0x850
filemap_fault+0x7d3/0x1710 mm/filemap.c:3291
page_cache_ra_order+0x423/0xcc0 mm/readahead.c:524
do_sync_mmap_readahead+0x444/0x850
__xfs_filemap_fault+0x286/0x960 fs/xfs/xfs_file.c:1354
__do_fault+0x133/0x4e0 mm/memory.c:4204
do_read_fault mm/memory.c:4568 [inline]
do_fault mm/memory.c:4705 [inline]
do_pte_missing mm/memory.c:3669 [inline]
handle_pte_fault mm/memory.c:4978 [inline]
__handle_mm_fault mm/memory.c:5119 [inline]
handle_mm_fault+0x48d2/0x6200 mm/memory.c:5284
faultin_page mm/gup.c:956 [inline]
__get_user_pages+0x6bd/0x15e0 mm/gup.c:1239
__get_user_pages_locked mm/gup.c:1504 [inline]
get_dump_page+0x146/0x2b0 mm/gup.c:2018
dump_user_range+0x126/0x910 fs/coredump.c:913
elf_core_dump+0x3b75/0x4490 fs/binfmt_elf.c:2142
do_coredump+0x1b73/0x2ab0 fs/coredump.c:764
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1136 [inline]
free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
free_contig_range+0x9e/0x150 mm/page_alloc.c:6342
__do_fault+0x133/0x4e0 mm/memory.c:4204
do_read_fault mm/memory.c:4568 [inline]
do_fault mm/memory.c:4705 [inline]
do_pte_missing mm/memory.c:3669 [inline]
handle_pte_fault mm/memory.c:4978 [inline]
__handle_mm_fault mm/memory.c:5119 [inline]
handle_mm_fault+0x48d2/0x6200 mm/memory.c:5284
faultin_page mm/gup.c:956 [inline]
__get_user_pages+0x6bd/0x15e0 mm/gup.c:1239
__get_user_pages_locked mm/gup.c:1504 [inline]
get_dump_page+0x146/0x2b0 mm/gup.c:2018
dump_user_range+0x126/0x910 fs/coredump.c:913
elf_core_dump+0x3b75/0x4490 fs/binfmt_elf.c:2142
do_coredump+0x1b73/0x2ab0 fs/coredump.c:764
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1136 [inline]
free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
destroy_args+0x95/0x7c0 mm/debug_vm_pgtable.c:1028
debug_vm_pgtable+0x4ac/0x540 mm/debug_vm_pgtable.c:1408
do_one_initcall+0x23d/0x7d0 init/main.c:1232
do_initcall_level+0x157/0x210 init/main.c:1294
do_initcalls+0x3f/0x80 init/main.c:1310
kernel_init_freeable+0x440/0x5d0 init/main.c:1547
kernel_init+0x1d/0x2a0 init/main.c:1437
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
addr:0000000020006000 vm_flags:080000d0 anon_vma:0000000000000000 mapping:ffff88807726d190 index:5
debug_vm_pgtable+0x4ac/0x540 mm/debug_vm_pgtable.c:1408
do_one_initcall+0x23d/0x7d0 init/main.c:1232
do_initcall_level+0x157/0x210 init/main.c:1294
do_initcalls+0x3f/0x80 init/main.c:1310
kernel_init_freeable+0x440/0x5d0 init/main.c:1547
kernel_init+0x1d/0x2a0 init/main.c:1437
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
file:bus fault:xfs_filemap_fault mmap:xfs_file_mmap read_folio:xfs_vm_read_folio
CPU: 0 PID: 5452 Comm: syz-executor.0 Not tainted 6.5.0-syzkaller-13150-g535a265d7f0d-dirty #0
Code: Unable to access opcode bytes at 0x7f484f27cabf.
RSP: 002b:00007f48500a30c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000148
RAX: ffffffffffffffe5 RBX: 00007f484f39bf80 RCX: 00007f484f27cae9
RDX: 0000000000000002 RSI: 0000000020000300 RDI: 0000000000000007
RBP: 00007f484f2c847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000008800000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f484f39bf80 R15: 00007fff133f0e78
</TASK>
BUG: Bad page map in process syz-executor.0 pte:fffff9af09120 pmd:29f05067
page:ffffea0001943d80 refcount:9 mapcount:-1 mapping:ffff88807726d190 index:0x2 pfn:0x650f6
head:ffffea0001943d00 order:2 entire_mapcount:0 nr_pages_mapped:8388606 pincount:0
memcg:ffff88801fe7a000
aops:xfs_address_space_operations ino:244a dentry name:"bus"
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000000 ffffea0001943d01 ffffea0001943d90 ffffea0001943d90
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 0000000000000001 0000000000000000 00000000fffffffe 0000000000000000
head: 00fff0000000816c ffffea0001a3d488 ffff888078c81030 ffff88807726d190
head: 0000000000000000 ffff8880228b4280 00000009ffffffff ffff88801fe7a000
page dumped because: bad pte
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Movable, gfp_mask 0x152c4a(GFP_NOFS|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 5452, tgid 5451 (syz-executor.0), ts 76195790660, free_ts 16216486903
page_owner tracks the page as allocated
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
prep_new_page mm/page_alloc.c:1543 [inline]
post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
prep_new_page mm/page_alloc.c:1543 [inline]
get_page_from_freelist+0x31db/0x3360 mm/page_alloc.c:3170
__alloc_pages+0x255/0x670 mm/page_alloc.c:4426
folio_alloc+0x1e/0x60 mm/mempolicy.c:2308
__alloc_pages+0x255/0x670 mm/page_alloc.c:4426
filemap_alloc_folio+0xde/0x500 mm/filemap.c:976
ra_alloc_folio mm/readahead.c:468 [inline]
page_cache_ra_order+0x423/0xcc0 mm/readahead.c:524
do_sync_mmap_readahead+0x444/0x850
filemap_fault+0x7d3/0x1710 mm/filemap.c:3291
page_cache_ra_order+0x423/0xcc0 mm/readahead.c:524
do_sync_mmap_readahead+0x444/0x850
__xfs_filemap_fault+0x286/0x960 fs/xfs/xfs_file.c:1354
__do_fault+0x133/0x4e0 mm/memory.c:4204
do_read_fault mm/memory.c:4568 [inline]
do_fault mm/memory.c:4705 [inline]
do_pte_missing mm/memory.c:3669 [inline]
handle_pte_fault mm/memory.c:4978 [inline]
__handle_mm_fault mm/memory.c:5119 [inline]
handle_mm_fault+0x48d2/0x6200 mm/memory.c:5284
faultin_page mm/gup.c:956 [inline]
__get_user_pages+0x6bd/0x15e0 mm/gup.c:1239
__get_user_pages_locked mm/gup.c:1504 [inline]
get_dump_page+0x146/0x2b0 mm/gup.c:2018
dump_user_range+0x126/0x910 fs/coredump.c:913
elf_core_dump+0x3b75/0x4490 fs/binfmt_elf.c:2142
do_coredump+0x1b73/0x2ab0 fs/coredump.c:764
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1136 [inline]
free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
free_contig_range+0x9e/0x150 mm/page_alloc.c:6342
__do_fault+0x133/0x4e0 mm/memory.c:4204
do_read_fault mm/memory.c:4568 [inline]
do_fault mm/memory.c:4705 [inline]
do_pte_missing mm/memory.c:3669 [inline]
handle_pte_fault mm/memory.c:4978 [inline]
__handle_mm_fault mm/memory.c:5119 [inline]
handle_mm_fault+0x48d2/0x6200 mm/memory.c:5284
faultin_page mm/gup.c:956 [inline]
__get_user_pages+0x6bd/0x15e0 mm/gup.c:1239
__get_user_pages_locked mm/gup.c:1504 [inline]
get_dump_page+0x146/0x2b0 mm/gup.c:2018
dump_user_range+0x126/0x910 fs/coredump.c:913
elf_core_dump+0x3b75/0x4490 fs/binfmt_elf.c:2142
do_coredump+0x1b73/0x2ab0 fs/coredump.c:764
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1136 [inline]
free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
destroy_args+0x95/0x7c0 mm/debug_vm_pgtable.c:1028
debug_vm_pgtable+0x4ac/0x540 mm/debug_vm_pgtable.c:1408
do_one_initcall+0x23d/0x7d0 init/main.c:1232
do_initcall_level+0x157/0x210 init/main.c:1294
do_initcalls+0x3f/0x80 init/main.c:1310
kernel_init_freeable+0x440/0x5d0 init/main.c:1547
kernel_init+0x1d/0x2a0 init/main.c:1437
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
addr:0000000020007000 vm_flags:080000d0 anon_vma:0000000000000000 mapping:ffff88807726d190 index:6
debug_vm_pgtable+0x4ac/0x540 mm/debug_vm_pgtable.c:1408
do_one_initcall+0x23d/0x7d0 init/main.c:1232
do_initcall_level+0x157/0x210 init/main.c:1294
do_initcalls+0x3f/0x80 init/main.c:1310
kernel_init_freeable+0x440/0x5d0 init/main.c:1547
kernel_init+0x1d/0x2a0 init/main.c:1437
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
file:bus fault:xfs_filemap_fault mmap:xfs_file_mmap read_folio:xfs_vm_read_folio
CPU: 0 PID: 5452 Comm: syz-executor.0 Tainted: G B 6.5.0-syzkaller-13150-g535a265d7f0d-dirty #0
Code: Unable to access opcode bytes at 0x7f484f27cabf.
RSP: 002b:00007f48500a30c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000148
RAX: ffffffffffffffe5 RBX: 00007f484f39bf80 RCX: 00007f484f27cae9
RDX: 0000000000000002 RSI: 0000000020000300 RDI: 0000000000000007
RBP: 00007f484f2c847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000008800000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f484f39bf80 R15: 00007fff133f0e78
</TASK>
BUG: Bad page map in process syz-executor.0 pte:fffff9af0a120 pmd:29f05067
page:ffffea0001943d40 refcount:9 mapcount:-1 mapping:ffff88807726d190 index:0x1 pfn:0x650f5
head:ffffea0001943d00 order:2 entire_mapcount:0 nr_pages_mapped:8388605 pincount:0
memcg:ffff88801fe7a000
aops:xfs_address_space_operations ino:244a dentry name:"bus"
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000202 ffffea0001943d01 dead000000000122 fffffffdffffffff
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 0000000400000000 0000000000000000 00000000fffffffe 0000000000000000
head: 00fff0000000816c ffffea0001a3d488 ffff888078c81030 ffff88807726d190
head: 0000000000000000 ffff8880228b4280 00000009ffffffff ffff88801fe7a000
page dumped because: bad pte
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Movable, gfp_mask 0x152c4a(GFP_NOFS|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 5452, tgid 5451 (syz-executor.0), ts 76195790660, free_ts 16216480753
page_owner tracks the page as allocated
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
prep_new_page mm/page_alloc.c:1543 [inline]
post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
prep_new_page mm/page_alloc.c:1543 [inline]
get_page_from_freelist+0x31db/0x3360 mm/page_alloc.c:3170
__alloc_pages+0x255/0x670 mm/page_alloc.c:4426
folio_alloc+0x1e/0x60 mm/mempolicy.c:2308
__alloc_pages+0x255/0x670 mm/page_alloc.c:4426
filemap_alloc_folio+0xde/0x500 mm/filemap.c:976
ra_alloc_folio mm/readahead.c:468 [inline]
page_cache_ra_order+0x423/0xcc0 mm/readahead.c:524
do_sync_mmap_readahead+0x444/0x850
filemap_fault+0x7d3/0x1710 mm/filemap.c:3291
page_cache_ra_order+0x423/0xcc0 mm/readahead.c:524
do_sync_mmap_readahead+0x444/0x850
__xfs_filemap_fault+0x286/0x960 fs/xfs/xfs_file.c:1354
__do_fault+0x133/0x4e0 mm/memory.c:4204
do_read_fault mm/memory.c:4568 [inline]
do_fault mm/memory.c:4705 [inline]
do_pte_missing mm/memory.c:3669 [inline]
handle_pte_fault mm/memory.c:4978 [inline]
__handle_mm_fault mm/memory.c:5119 [inline]
handle_mm_fault+0x48d2/0x6200 mm/memory.c:5284
faultin_page mm/gup.c:956 [inline]
__get_user_pages+0x6bd/0x15e0 mm/gup.c:1239
__get_user_pages_locked mm/gup.c:1504 [inline]
get_dump_page+0x146/0x2b0 mm/gup.c:2018
dump_user_range+0x126/0x910 fs/coredump.c:913
elf_core_dump+0x3b75/0x4490 fs/binfmt_elf.c:2142
do_coredump+0x1b73/0x2ab0 fs/coredump.c:764
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1136 [inline]
free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
free_contig_range+0x9e/0x150 mm/page_alloc.c:6342
__do_fault+0x133/0x4e0 mm/memory.c:4204
do_read_fault mm/memory.c:4568 [inline]
do_fault mm/memory.c:4705 [inline]
do_pte_missing mm/memory.c:3669 [inline]
handle_pte_fault mm/memory.c:4978 [inline]
__handle_mm_fault mm/memory.c:5119 [inline]
handle_mm_fault+0x48d2/0x6200 mm/memory.c:5284
faultin_page mm/gup.c:956 [inline]
__get_user_pages+0x6bd/0x15e0 mm/gup.c:1239
__get_user_pages_locked mm/gup.c:1504 [inline]
get_dump_page+0x146/0x2b0 mm/gup.c:2018
dump_user_range+0x126/0x910 fs/coredump.c:913
elf_core_dump+0x3b75/0x4490 fs/binfmt_elf.c:2142
do_coredump+0x1b73/0x2ab0 fs/coredump.c:764
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1136 [inline]
free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
destroy_args+0x95/0x7c0 mm/debug_vm_pgtable.c:1028
debug_vm_pgtable+0x4ac/0x540 mm/debug_vm_pgtable.c:1408
do_one_initcall+0x23d/0x7d0 init/main.c:1232
do_initcall_level+0x157/0x210 init/main.c:1294
do_initcalls+0x3f/0x80 init/main.c:1310
kernel_init_freeable+0x440/0x5d0 init/main.c:1547
kernel_init+0x1d/0x2a0 init/main.c:1437
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
addr:0000000020008000 vm_flags:080000d0 anon_vma:0000000000000000 mapping:ffff88807726d190 index:7
debug_vm_pgtable+0x4ac/0x540 mm/debug_vm_pgtable.c:1408
do_one_initcall+0x23d/0x7d0 init/main.c:1232
do_initcall_level+0x157/0x210 init/main.c:1294
do_initcalls+0x3f/0x80 init/main.c:1310
kernel_init_freeable+0x440/0x5d0 init/main.c:1547
kernel_init+0x1d/0x2a0 init/main.c:1437
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
file:bus fault:xfs_filemap_fault mmap:xfs_file_mmap read_folio:xfs_vm_read_folio
CPU: 1 PID: 5452 Comm: syz-executor.0 Tainted: G B 6.5.0-syzkaller-13150-g535a265d7f0d-dirty #0
Code: Unable to access opcode bytes at 0x7f484f27cabf.
RSP: 002b:00007f48500a30c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000148
RAX: ffffffffffffffe5 RBX: 00007f484f39bf80 RCX: 00007f484f27cae9
RDX: 0000000000000002 RSI: 0000000020000300 RDI: 0000000000000007
RBP: 00007f484f2c847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000008800000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f484f39bf80 R15: 00007fff133f0e78
</TASK>
Tested on:
commit: 535a265d Merge tag 'perf-tools-for-v6.6-1-2023-09-05' ..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=17052190680000
kernel config: https://syzkaller.appspot.com/x/.config?x=50ac7dadde9e1c0e
dashboard link: https://syzkaller.appspot.com/bug?extid=55cc72f8cc3a549119df
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=11052190680000
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Edward AD
Sep 10, 2023, 3:31:32 AM9/10/23
to syzbot+55cc72...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test filemap
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 3f86ed6ec0b3
diff --git a/mm/filemap.c b/mm/filemap.c
index 582f5317ff71..807bba538864 100644
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 3f86ed6ec0b3
diff --git a/mm/filemap.c b/mm/filemap.c
--- a/mm/filemap.c
+++ b/mm/filemap.c
@@ -3482,7 +3482,7 @@ static vm_fault_t filemap_map_folio_range(struct vm_fault *vmf,
struct file *file = vma->vm_file;
+++ b/mm/filemap.c
@@ -3482,7 +3482,7 @@ static vm_fault_t filemap_map_folio_range(struct vm_fault *vmf,
struct file *file = vma->vm_file;
struct page *page = folio_page(folio, start);
unsigned int mmap_miss = READ_ONCE(file->f_ra.mmap_miss);
unsigned int mmap_miss = READ_ONCE(file->f_ra.mmap_miss);
- unsigned int count = 0;
+ unsigned int count = 0, i;
+ unsigned int count = 0, i;
pte_t *old_ptep = vmf->pte;
do {
@@ -3504,10 +3504,16 @@ static vm_fault_t filemap_map_folio_range(struct vm_fault *vmf,
do {
continue;
skip:
if (count) {
- set_pte_range(vmf, folio, page, count, addr);
+ for (i = 0;i < count; i++) {
+ set_pte_range(vmf, folio, page, 1, addr);
+ page++;
skip:
if (count) {
- set_pte_range(vmf, folio, page, count, addr);
+ for (i = 0;i < count; i++) {
+ set_pte_range(vmf, folio, page, 1, addr);
+ mvf->pte++;
+ addr += PAGE_SIZE;
+ }
folio_ref_add(folio, count);
if (in_range(vmf->address, addr, count))
ret = VM_FAULT_NOPAGE;
+ count = 0;
if (in_range(vmf->address, addr, count))
ret = VM_FAULT_NOPAGE;
}
count++;
@@ -3518,7 +3524,12 @@ static vm_fault_t filemap_map_folio_range(struct vm_fault *vmf,
} while (--nr_pages > 0);
if (count) {
- set_pte_range(vmf, folio, page, count, addr);
+ for (i = 0;i < count; i++) {
+ set_pte_range(vmf, folio, page, 1, addr);
+ page++;
if (count) {
- set_pte_range(vmf, folio, page, count, addr);
+ for (i = 0;i < count; i++) {
+ set_pte_range(vmf, folio, page, 1, addr);
+ mvf->pte++;
+ addr += PAGE_SIZE;
+ }
syzbot
Sep 10, 2023, 3:51:33 AM9/10/23
to ead...@sina.com, syzkall...@googlegroups.com
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
.....+...+mm/filemap.c:3513:5: error: use of undeclared identifier 'mvf'
.mm/filemap.c:3533:4: error: use of undeclared identifier 'mvf'
Tested on:
commit: 3f86ed6e Merge tag 'arc-6.6-rc1' of git://git.kernel.o..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=ff0db7a15ba54ead
syzbot tried to test the proposed patch but the build/boot failed:
.....+...+mm/filemap.c:3513:5: error: use of undeclared identifier 'mvf'
.mm/filemap.c:3533:4: error: use of undeclared identifier 'mvf'
Tested on:
commit: 3f86ed6e Merge tag 'arc-6.6-rc1' of git://git.kernel.o..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
dashboard link: https://syzkaller.appspot.com/bug?extid=55cc72f8cc3a549119df
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1017a194680000
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Edward AD
Sep 10, 2023, 4:13:21 AM9/10/23
to syzbot+55cc72...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test filemap
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 3f86ed6ec0b3
diff --git a/mm/filemap.c b/mm/filemap.c
index 582f5317ff71..5e07bf996e9a 100644
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 3f86ed6ec0b3
diff --git a/mm/filemap.c b/mm/filemap.c
--- a/mm/filemap.c
+++ b/mm/filemap.c
@@ -3482,7 +3482,7 @@ static vm_fault_t filemap_map_folio_range(struct vm_fault *vmf,
struct file *file = vma->vm_file;
struct page *page = folio_page(folio, start);
unsigned int mmap_miss = READ_ONCE(file->f_ra.mmap_miss);
- unsigned int count = 0;
+ unsigned int count = 0, i;
pte_t *old_ptep = vmf->pte;
do {
@@ -3504,10 +3504,16 @@ static vm_fault_t filemap_map_folio_range(struct vm_fault *vmf,
continue;
skip:
if (count) {
- set_pte_range(vmf, folio, page, count, addr);
+ for (i = 0;i < count; i++) {
+ set_pte_range(vmf, folio, page, 1, addr);
+ page++;
+ vmf->pte++;
+++ b/mm/filemap.c
@@ -3482,7 +3482,7 @@ static vm_fault_t filemap_map_folio_range(struct vm_fault *vmf,
struct file *file = vma->vm_file;
struct page *page = folio_page(folio, start);
unsigned int mmap_miss = READ_ONCE(file->f_ra.mmap_miss);
- unsigned int count = 0;
+ unsigned int count = 0, i;
pte_t *old_ptep = vmf->pte;
do {
@@ -3504,10 +3504,16 @@ static vm_fault_t filemap_map_folio_range(struct vm_fault *vmf,
continue;
skip:
if (count) {
- set_pte_range(vmf, folio, page, count, addr);
+ for (i = 0;i < count; i++) {
+ set_pte_range(vmf, folio, page, 1, addr);
+ page++;
+ addr += PAGE_SIZE;
+ }
folio_ref_add(folio, count);
if (in_range(vmf->address, addr, count))
ret = VM_FAULT_NOPAGE;
+ count = 0;
}
count++;
@@ -3518,7 +3524,12 @@ static vm_fault_t filemap_map_folio_range(struct vm_fault *vmf,
} while (--nr_pages > 0);
if (count) {
- set_pte_range(vmf, folio, page, count, addr);
+ for (i = 0;i < count; i++) {
+ set_pte_range(vmf, folio, page, 1, addr);
+ page++;
+ vmf->pte++;
+ }
folio_ref_add(folio, count);
if (in_range(vmf->address, addr, count))
ret = VM_FAULT_NOPAGE;
+ count = 0;
}
count++;
@@ -3518,7 +3524,12 @@ static vm_fault_t filemap_map_folio_range(struct vm_fault *vmf,
} while (--nr_pages > 0);
if (count) {
- set_pte_range(vmf, folio, page, count, addr);
+ for (i = 0;i < count; i++) {
+ set_pte_range(vmf, folio, page, 1, addr);
+ page++;
syzbot
Sep 10, 2023, 4:53:28 AM9/10/23
to ead...@sina.com, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+55cc72...@syzkaller.appspotmail.com
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+55cc72...@syzkaller.appspotmail.com
Tested on:
commit: 3f86ed6e Merge tag 'arc-6.6-rc1' of git://git.kernel.o..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1628086fa80000
commit: 3f86ed6e Merge tag 'arc-6.6-rc1' of git://git.kernel.o..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=ff0db7a15ba54ead
dashboard link: https://syzkaller.appspot.com/bug?extid=55cc72f8cc3a549119df
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=131182d8680000
dashboard link: https://syzkaller.appspot.com/bug?extid=55cc72f8cc3a549119df
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Hillf Danton
Sep 10, 2023, 7:48:02 AM9/10/23
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Sat, 09 Sep 2023 10:12:48 -0700
> HEAD commit: 3f86ed6ec0b3 Merge tag 'arc-6.6-rc1' of git://git.kernel.o..
> git tree: upstream
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1445ba2fa80000
> git tree: upstream
--- x/mm/rmap.c
+++ y/mm/rmap.c
@@ -1279,7 +1279,7 @@ void folio_add_new_anon_rmap(struct foli
if (likely(!folio_test_pmd_mappable(folio))) {
/* increment count (starts at -1) */
- atomic_set(&folio->_mapcount, 0);
+ atomic_inc(&folio->_mapcount);
nr = 1;
} else {
/* increment count (starts at -1) */
--
syzbot
Sep 10, 2023, 8:37:25 AM9/10/23
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: Bad page map
BUG: Bad page map in process syz-executor.0 pte:fffff9a4fc120 pmd:27564067
page:ffffea000196c0c0 refcount:9 mapcount:-1 mapping:ffff888076fc0410 index:0x3 pfn:0x65b03
head:ffffea000196c000 order:2 entire_mapcount:0 nr_pages_mapped:8388607 pincount:0
memcg:ffff888021424000
head: 0000000000000000 ffff88801c0ae900 00000009ffffffff ffff888021424000
release_pages+0x642/0x23f0 mm/swap.c:1008
tlb_batch_pages_flush mm/mmu_gather.c:98 [inline]
tlb_flush_mmu_free mm/mmu_gather.c:293 [inline]
tlb_flush_mmu+0x34c/0x4e0 mm/mmu_gather.c:300
tlb_finish_mmu+0xd4/0x1f0 mm/mmu_gather.c:392
zap_page_range_single+0x451/0x510 mm/memory.c:1768
madvise_dontneed_single_vma mm/madvise.c:825 [inline]
madvise_dontneed_free mm/madvise.c:906 [inline]
madvise_vma_behavior mm/madvise.c:1045 [inline]
madvise_walk_vmas mm/madvise.c:1270 [inline]
do_madvise+0x23f0/0x45d0 mm/madvise.c:1450
__do_sys_madvise mm/madvise.c:1463 [inline]
__se_sys_madvise mm/madvise.c:1461 [inline]
__x64_sys_madvise+0xa5/0xb0 mm/madvise.c:1461
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
addr:0000000020006000 vm_flags:080000d0 anon_vma:0000000000000000 mapping:ffff888076fc0410 index:5
RIP: 0033:0x7f6cb8c7cae9
Code: Unable to access opcode bytes at 0x7f6cb8c7cabf.
RSP: 002b:00007f6cb9a470c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000148
RAX: ffffffffffffffe5 RBX: 00007f6cb8d9bf80 RCX: 00007f6cb8c7cae9
</TASK>
BUG: Bad page map in process syz-executor.0 pte:fffff9a4fd120 pmd:27564067
page:ffffea000196c080 refcount:9 mapcount:-1 mapping:ffff888076fc0410 index:0x2 pfn:0x65b02
head:ffffea000196c000 order:2 entire_mapcount:0 nr_pages_mapped:8388606 pincount:0
memcg:ffff888021424000
head: 0000000000000000 ffff88801c0ae900 00000009ffffffff ffff888021424000
release_pages+0x642/0x23f0 mm/swap.c:1008
tlb_batch_pages_flush mm/mmu_gather.c:98 [inline]
tlb_flush_mmu_free mm/mmu_gather.c:293 [inline]
tlb_flush_mmu+0x34c/0x4e0 mm/mmu_gather.c:300
tlb_finish_mmu+0xd4/0x1f0 mm/mmu_gather.c:392
zap_page_range_single+0x451/0x510 mm/memory.c:1768
madvise_dontneed_single_vma mm/madvise.c:825 [inline]
madvise_dontneed_free mm/madvise.c:906 [inline]
madvise_vma_behavior mm/madvise.c:1045 [inline]
madvise_walk_vmas mm/madvise.c:1270 [inline]
do_madvise+0x23f0/0x45d0 mm/madvise.c:1450
__do_sys_madvise mm/madvise.c:1463 [inline]
__se_sys_madvise mm/madvise.c:1461 [inline]
__x64_sys_madvise+0xa5/0xb0 mm/madvise.c:1461
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
addr:0000000020007000 vm_flags:080000d0 anon_vma:0000000000000000 mapping:ffff888076fc0410 index:6
RIP: 0033:0x7f6cb8c7cae9
Code: Unable to access opcode bytes at 0x7f6cb8c7cabf.
RSP: 002b:00007f6cb9a470c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000148
RAX: ffffffffffffffe5 RBX: 00007f6cb8d9bf80 RCX: 00007f6cb8c7cae9
</TASK>
BUG: Bad page map in process syz-executor.0 pte:fffff9a4fe120 pmd:27564067
page:ffffea000196c040 refcount:9 mapcount:-1 mapping:ffff888076fc0410 index:0x1 pfn:0x65b01
head:ffffea000196c000 order:2 entire_mapcount:0 nr_pages_mapped:8388605 pincount:0
memcg:ffff888021424000
head: 0000000000000000 ffff88801c0ae900 00000009ffffffff ffff888021424000
release_pages+0x642/0x23f0 mm/swap.c:1008
tlb_batch_pages_flush mm/mmu_gather.c:98 [inline]
tlb_flush_mmu_free mm/mmu_gather.c:293 [inline]
tlb_flush_mmu+0x34c/0x4e0 mm/mmu_gather.c:300
tlb_finish_mmu+0xd4/0x1f0 mm/mmu_gather.c:392
zap_page_range_single+0x451/0x510 mm/memory.c:1768
madvise_dontneed_single_vma mm/madvise.c:825 [inline]
madvise_dontneed_free mm/madvise.c:906 [inline]
madvise_vma_behavior mm/madvise.c:1045 [inline]
madvise_walk_vmas mm/madvise.c:1270 [inline]
do_madvise+0x23f0/0x45d0 mm/madvise.c:1450
__do_sys_madvise mm/madvise.c:1463 [inline]
__se_sys_madvise mm/madvise.c:1461 [inline]
__x64_sys_madvise+0xa5/0xb0 mm/madvise.c:1461
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
addr:0000000020008000 vm_flags:080000d0 anon_vma:0000000000000000 mapping:ffff888076fc0410 index:7
RIP: 0033:0x7f6cb8c7cae9
Code: Unable to access opcode bytes at 0x7f6cb8c7cabf.
RSP: 002b:00007f6cb9a470c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000148
RAX: ffffffffffffffe5 RBX: 00007f6cb8d9bf80 RCX: 00007f6cb8c7cae9
kernel config: https://syzkaller.appspot.com/x/.config?x=50ac7dadde9e1c0e
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: Bad page map
page:ffffea000196c0c0 refcount:9 mapcount:-1 mapping:ffff888076fc0410 index:0x3 pfn:0x65b03
head:ffffea000196c000 order:2 entire_mapcount:0 nr_pages_mapped:8388607 pincount:0
memcg:ffff888021424000
aops:xfs_address_space_operations ino:244a dentry name:"bus"
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000000 ffffea000196c001 dead000000000122 dead000000000400
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 0000000000000001 0000000000000000 00000000fffffffe 0000000000000000
head: 00fff0000000816c ffffea0001a0bbc8 ffff88802087a030 ffff888076fc0410
head: 0000000000000000 ffff88801c0ae900 00000009ffffffff ffff888021424000
page dumped because: bad pte
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Movable, gfp_mask 0x152c4a(GFP_NOFS|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 5455, tgid 5454 (syz-executor.0), ts 80410050199, free_ts 55464708323
page_owner tracks the page as allocated
tlb_batch_pages_flush mm/mmu_gather.c:98 [inline]
tlb_flush_mmu_free mm/mmu_gather.c:293 [inline]
tlb_flush_mmu+0x34c/0x4e0 mm/mmu_gather.c:300
tlb_finish_mmu+0xd4/0x1f0 mm/mmu_gather.c:392
zap_page_range_single+0x451/0x510 mm/memory.c:1768
madvise_dontneed_single_vma mm/madvise.c:825 [inline]
madvise_dontneed_free mm/madvise.c:906 [inline]
madvise_vma_behavior mm/madvise.c:1045 [inline]
madvise_walk_vmas mm/madvise.c:1270 [inline]
do_madvise+0x23f0/0x45d0 mm/madvise.c:1450
__do_sys_madvise mm/madvise.c:1463 [inline]
__se_sys_madvise mm/madvise.c:1461 [inline]
__x64_sys_madvise+0xa5/0xb0 mm/madvise.c:1461
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
addr:0000000020006000 vm_flags:080000d0 anon_vma:0000000000000000 mapping:ffff888076fc0410 index:5
file:bus fault:xfs_filemap_fault mmap:xfs_file_mmap read_folio:xfs_vm_read_folio
CPU: 1 PID: 5455 Comm: syz-executor.0 Not tainted 6.5.0-syzkaller-13150-g535a265d7f0d-dirty #0
Code: Unable to access opcode bytes at 0x7f6cb8c7cabf.
RSP: 002b:00007f6cb9a470c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000148
RAX: ffffffffffffffe5 RBX: 00007f6cb8d9bf80 RCX: 00007f6cb8c7cae9
RDX: 0000000000000002 RSI: 0000000020000300 RDI: 0000000000000007
RBP: 00007f6cb8cc847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000008800000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f6cb8d9bf80 R15: 00007ffdc7779988
</TASK>
BUG: Bad page map in process syz-executor.0 pte:fffff9a4fd120 pmd:27564067
page:ffffea000196c080 refcount:9 mapcount:-1 mapping:ffff888076fc0410 index:0x2 pfn:0x65b02
head:ffffea000196c000 order:2 entire_mapcount:0 nr_pages_mapped:8388606 pincount:0
memcg:ffff888021424000
aops:xfs_address_space_operations ino:244a dentry name:"bus"
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000000 ffffea000196c001 ffffea000196c090 ffffea000196c090
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 0000000000000001 0000000000000000 00000000fffffffe 0000000000000000
head: 00fff0000000816c ffffea0001a0bbc8 ffff88802087a030 ffff888076fc0410
head: 0000000000000000 ffff88801c0ae900 00000009ffffffff ffff888021424000
page dumped because: bad pte
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Movable, gfp_mask 0x152c4a(GFP_NOFS|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 5455, tgid 5454 (syz-executor.0), ts 80410050199, free_ts 55464708323
page_owner tracks the page as allocated
tlb_batch_pages_flush mm/mmu_gather.c:98 [inline]
tlb_flush_mmu_free mm/mmu_gather.c:293 [inline]
tlb_flush_mmu+0x34c/0x4e0 mm/mmu_gather.c:300
tlb_finish_mmu+0xd4/0x1f0 mm/mmu_gather.c:392
zap_page_range_single+0x451/0x510 mm/memory.c:1768
madvise_dontneed_single_vma mm/madvise.c:825 [inline]
madvise_dontneed_free mm/madvise.c:906 [inline]
madvise_vma_behavior mm/madvise.c:1045 [inline]
madvise_walk_vmas mm/madvise.c:1270 [inline]
do_madvise+0x23f0/0x45d0 mm/madvise.c:1450
__do_sys_madvise mm/madvise.c:1463 [inline]
__se_sys_madvise mm/madvise.c:1461 [inline]
__x64_sys_madvise+0xa5/0xb0 mm/madvise.c:1461
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
addr:0000000020007000 vm_flags:080000d0 anon_vma:0000000000000000 mapping:ffff888076fc0410 index:6
file:bus fault:xfs_filemap_fault mmap:xfs_file_mmap read_folio:xfs_vm_read_folio
CPU: 0 PID: 5455 Comm: syz-executor.0 Tainted: G B 6.5.0-syzkaller-13150-g535a265d7f0d-dirty #0
Code: Unable to access opcode bytes at 0x7f6cb8c7cabf.
RSP: 002b:00007f6cb9a470c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000148
RAX: ffffffffffffffe5 RBX: 00007f6cb8d9bf80 RCX: 00007f6cb8c7cae9
RDX: 0000000000000002 RSI: 0000000020000300 RDI: 0000000000000007
RBP: 00007f6cb8cc847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000008800000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f6cb8d9bf80 R15: 00007ffdc7779988
</TASK>
BUG: Bad page map in process syz-executor.0 pte:fffff9a4fe120 pmd:27564067
page:ffffea000196c040 refcount:9 mapcount:-1 mapping:ffff888076fc0410 index:0x1 pfn:0x65b01
head:ffffea000196c000 order:2 entire_mapcount:0 nr_pages_mapped:8388605 pincount:0
memcg:ffff888021424000
aops:xfs_address_space_operations ino:244a dentry name:"bus"
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000202 ffffea000196c001 dead000000000122 fffffffdffffffff
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 0000000400000000 0000000000000000 00000000fffffffe 0000000000000000
head: 00fff0000000816c ffffea0001a0bbc8 ffff88802087a030 ffff888076fc0410
head: 0000000000000000 ffff88801c0ae900 00000009ffffffff ffff888021424000
page dumped because: bad pte
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Movable, gfp_mask 0x152c4a(GFP_NOFS|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 5455, tgid 5454 (syz-executor.0), ts 80410050199, free_ts 55464708323
page_owner tracks the page as allocated
tlb_batch_pages_flush mm/mmu_gather.c:98 [inline]
tlb_flush_mmu_free mm/mmu_gather.c:293 [inline]
tlb_flush_mmu+0x34c/0x4e0 mm/mmu_gather.c:300
tlb_finish_mmu+0xd4/0x1f0 mm/mmu_gather.c:392
zap_page_range_single+0x451/0x510 mm/memory.c:1768
madvise_dontneed_single_vma mm/madvise.c:825 [inline]
madvise_dontneed_free mm/madvise.c:906 [inline]
madvise_vma_behavior mm/madvise.c:1045 [inline]
madvise_walk_vmas mm/madvise.c:1270 [inline]
do_madvise+0x23f0/0x45d0 mm/madvise.c:1450
__do_sys_madvise mm/madvise.c:1463 [inline]
__se_sys_madvise mm/madvise.c:1461 [inline]
__x64_sys_madvise+0xa5/0xb0 mm/madvise.c:1461
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
addr:0000000020008000 vm_flags:080000d0 anon_vma:0000000000000000 mapping:ffff888076fc0410 index:7
file:bus fault:xfs_filemap_fault mmap:xfs_file_mmap read_folio:xfs_vm_read_folio
CPU: 1 PID: 5455 Comm: syz-executor.0 Tainted: G B 6.5.0-syzkaller-13150-g535a265d7f0d-dirty #0
Code: Unable to access opcode bytes at 0x7f6cb8c7cabf.
RSP: 002b:00007f6cb9a470c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000148
RAX: ffffffffffffffe5 RBX: 00007f6cb8d9bf80 RCX: 00007f6cb8c7cae9
RDX: 0000000000000002 RSI: 0000000020000300 RDI: 0000000000000007
RBP: 00007f6cb8cc847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000008800000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f6cb8d9bf80 R15: 00007ffdc7779988
</TASK>
Tested on:
commit: 535a265d Merge tag 'perf-tools-for-v6.6-1-2023-09-05' ..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=10d27178680000
Tested on:
commit: 535a265d Merge tag 'perf-tools-for-v6.6-1-2023-09-05' ..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
kernel config: https://syzkaller.appspot.com/x/.config?x=50ac7dadde9e1c0e
dashboard link: https://syzkaller.appspot.com/bug?extid=55cc72f8cc3a549119df
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=15b641dc680000
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Edward AD
Sep 11, 2023, 1:38:05 AM9/11/23
to syzbot+55cc72...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test filemap
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 3f86ed6ec0b3
diff --git a/mm/memory.c b/mm/memory.c
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 3f86ed6ec0b3
index 6c264d2f969c..8ec0b01a05eb 100644
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -4332,19 +4332,23 @@ void set_pte_range(struct vm_fault *vmf, struct folio *folio,
bool write = vmf->flags & FAULT_FLAG_WRITE;
bool prefault = in_range(vmf->address, addr, nr * PAGE_SIZE);
pte_t entry;
+ struct page *p = page;
- flush_icache_pages(vma, page, nr);
- entry = mk_pte(page, vma->vm_page_prot);
+ flush_icache_pages(vma, p, nr);
+ do {
+ entry = mk_pte(p, vma->vm_page_prot);
- if (prefault && arch_wants_old_prefaulted_pte())
- entry = pte_mkold(entry);
- else
- entry = pte_sw_mkyoung(entry);
+ if (prefault && arch_wants_old_prefaulted_pte())
+ entry = pte_mkold(entry);
+ else
+ entry = pte_sw_mkyoung(entry);
- if (write)
- entry = maybe_mkwrite(pte_mkdirty(entry), vma);
- if (unlikely(uffd_wp))
- entry = pte_mkuffd_wp(entry);
+ if (write)
+ entry = maybe_mkwrite(pte_mkdirty(entry), vma);
+ if (unlikely(uffd_wp))
+ entry = pte_mkuffd_wp(entry);
+ p++;
+ }while(nr--);
/* copy-on-write page */
if (write && !(vma->vm_flags & VM_SHARED)) {
add_mm_counter(vma->vm_mm, MM_ANONPAGES, nr);
syzbot
Sep 11, 2023, 2:00:36 AM9/11/23
to ead...@sina.com, syzkall...@googlegroups.com
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
P is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list
[ 15.077650][ T1] sctp: Hash tables configured (bind 32/56)
[ 15.084720][ T1] NET: Registered PF_RDS protocol family
[ 15.091024][ T1] Registered RDS/infiniband transport
[ 15.096999][ T1] Registered RDS/tcp transport
[ 15.101882][ T1] tipc: Activated (version 2.0.0)
[ 15.107544][ T1] NET: Registered PF_TIPC protocol family
[ 15.114052][ T1] tipc: Started in single node mode
[ 15.120068][ T1] NET: Registered PF_SMC protocol family
[ 15.126098][ T1] 9pnet: Installing 9P2000 support
[ 15.131579][ T1] NET: Registered PF_CAIF protocol family
[ 15.143100][ T1] NET: Registered PF_IEEE802154 protocol family
[ 15.149895][ T1] Key type dns_resolver registered
[ 15.155086][ T1] Key type ceph registered
[ 15.160117][ T1] libceph: loaded (mon/osd proto 15/24)
[ 15.166897][ T1] batman_adv: B.A.T.M.A.N. advanced 2023.3 (compatibility version 15) loaded
[ 15.176400][ T1] openvswitch: Open vSwitch switching datapath
[ 15.184703][ T1] NET: Registered PF_VSOCK protocol family
[ 15.191107][ T1] mpls_gso: MPLS GSO support
[ 15.200856][ T1] start plist test
[ 15.209882][ T1] end plist test
[ 15.217596][ T1] IPI shorthand broadcast: enabled
[ 15.222871][ T1] AVX2 version of gcm_enc/dec engaged.
[ 15.228691][ T1] AES CTR mode by8 optimization enabled
[ 16.600018][ T1] sched_clock: Marking stable (16540020622, 52880384)->(16596679781, -3778775)
[ 16.612177][ T1] registered taskstats version 1
[ 16.640616][ T1] Loading compiled-in X.509 certificates
[ 16.657409][ T1] Loaded X.509 cert 'Build time autogenerated kernel key: 13ca5901c646d6c2f2427647dee191ab3a2d3dfd'
[ 16.673024][ T1] zswap: loaded using pool lzo/zbud
[ 16.858318][ T1] debug_vm_pgtable: [debug_vm_pgtable ]: Validating architecture page table helpers
[ 18.951894][ T1] Key type .fscrypt registered
[ 18.956790][ T1] Key type fscrypt-provisioning registered
[ 18.968516][ T1] kAFS: Red Hat AFS client v0.1 registering.
[ 18.986892][ T1] Btrfs loaded, assert=on, ref-verify=on, zoned=yes, fsverity=yes
[ 18.995648][ T1] Key type big_key registered
[ 19.003162][ T1] Key type encrypted registered
[ 19.008569][ T1] ima: No TPM chip found, activating TPM-bypass!
[ 19.014970][ T1] Loading compiled-in module X.509 certificates
[ 19.024280][ T1] Loaded X.509 cert 'Build time autogenerated kernel key: 13ca5901c646d6c2f2427647dee191ab3a2d3dfd'
[ 19.035659][ T1] ima: Allocated hash algorithm: sha256
[ 19.041445][ T1] ima: No architecture policies found
[ 19.047232][ T1] evm: Initialising EVM extended attributes:
[ 19.053235][ T1] evm: security.selinux (disabled)
[ 19.058513][ T1] evm: security.SMACK64
[ 19.062664][ T1] evm: security.SMACK64EXEC
[ 19.067352][ T1] evm: security.SMACK64TRANSMUTE
[ 19.072484][ T1] evm: security.SMACK64MMAP
[ 19.077102][ T1] evm: security.apparmor (disabled)
[ 19.082277][ T1] evm: security.ima
[ 19.086267][ T1] evm: security.capability
[ 19.090787][ T1] evm: HMAC attrs: 0x1
[ 19.096750][ T1] PM: Magic number: 7:161:820
[ 19.102185][ T1] tty ptyt0: hash matches
[ 19.108479][ T1] printk: console [netcon0] enabled
[ 19.113777][ T1] netconsole: network logging started
[ 19.119566][ T1] gtp: GTP module loaded (pdp ctx size 104 bytes)
[ 19.127497][ T1] rdma_rxe: loaded
[ 19.132121][ T1] cfg80211: Loading compiled-in X.509 certificates for regulatory database
[ 19.142965][ T1] Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7'
[ 19.149841][ T9] platform regulatory.0: Direct firmware load for regulatory.db failed with error -2
[ 19.153437][ T1] clk: Disabling unused clocks
[ 19.160784][ T9] platform regulatory.0: Falling back to sysfs fallback for: regulatory.db
[ 19.164544][ T1] ALSA device list:
[ 19.177648][ T1] #0: Dummy 1
[ 19.181437][ T1] #1: Loopback 1
[ 19.185528][ T1] #2: Virtual MIDI Card 1
[ 19.191926][ T1] md: Waiting for all devices to be available before autodetect
[ 19.199626][ T1] md: If you don't use raid, use raid=noautodetect
[ 19.206576][ T1] md: Autodetecting RAID arrays.
[ 19.211896][ T1] md: autorun ...
[ 19.215752][ T1] md: ... autorun DONE.
[ 19.248802][ T1] EXT4-fs (sda1): mounted filesystem 5941fea2-f5fa-4b4e-b5ef-9af118b27b95 ro with ordered data mode. Quota mode: none.
[ 19.262620][ T1] VFS: Mounted root (ext4 filesystem) readonly on device 8:1.
[ 19.288808][ T1] devtmpfs: mounted
[ 19.297688][ T1] Freeing unused kernel image (initmem) memory: 2888K
[ 19.343072][ T1] Write protecting the kernel read-only data: 196608k
[ 19.354834][ T1] Freeing unused kernel image (rodata/data gap) memory: 1756K
[ 19.461203][ T1] x86/mm: Checked W+X mappings: passed, no W+X pages found.
[ 19.472870][ T1] Failed to set sysctl parameter 'max_rcu_stall_to_panic=1': parameter not found
[ 19.482994][ T1] Run /sbin/init as init process
[ 19.487933][ T1] with arguments:
[ 19.491902][ T1] /sbin/init
[ 19.495562][ T1] with environment:
[ 19.499692][ T1] HOME=/
[ 19.502953][ T1] TERM=linux
[ 19.506676][ T1] spec_store_bypass_disable=prctl
[ 19.512036][ T1] BOOT_IMAGE=/boot/bzImage
[ 19.600330][ T1] page:ffffea0004ffd100 refcount:1 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x13ff44
[ 19.610740][ T1] memcg:ffff888015e5a000
[ 19.615387][ T1] flags: 0x17ff00000000008(uptodate|node=0|zone=2|lastcpupid=0x7ff)
[ 19.623878][ T1] page_type: 0xffffffff()
[ 19.628240][ T1] raw: 017ff00000000008 0000000000000000 dead000000000122 0000000000000000
[ 19.636933][ T1] raw: 0000000000000001 0000000000000000 00000001ffffffff ffff888015e5a000
[ 19.645626][ T1] page dumped because: VM_BUG_ON_FOLIO(nr != 1)
[ 19.651861][ T1] page_owner tracks the page as allocated
[ 19.657935][ T1] page last allocated via order 0, migratetype Movable, gfp_mask 0x140cca(GFP_HIGHUSER_MOVABLE|__GFP_COMP), pid 1, tgid 1 (init), ts 19600302547, free_ts 0
[ 19.673727][ T1] post_alloc_hook+0x1e6/0x210
[ 19.678619][ T1] get_page_from_freelist+0x31ec/0x3370
[ 19.684232][ T1] __alloc_pages+0x255/0x670
[ 19.688993][ T1] __folio_alloc+0x13/0x30
[ 19.693724][ T1] vma_alloc_folio+0x48a/0x9a0
[ 19.698586][ T1] handle_mm_fault+0x2083/0x6200
[ 19.703645][ T1] exc_page_fault+0x2ac/0x860
[ 19.708390][ T1] asm_exc_page_fault+0x26/0x30
[ 19.713282][ T1] page_owner free stack trace missing
[ 19.718704][ T1] ------------[ cut here ]------------
[ 19.724218][ T1] kernel BUG at mm/memory.c:4355!
[ 19.729346][ T1] invalid opcode: 0000 [#1] PREEMPT SMP KASAN
[ 19.735494][ T1] CPU: 1 PID: 1 Comm: init Not tainted 6.5.0-syzkaller-11704-g3f86ed6ec0b3-dirty #0
[ 19.745127][ T1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
[ 19.755261][ T1] RIP: 0010:set_pte_range+0x6f6/0x700
[ 19.760718][ T1] Code: ff ff ff ff 4c 89 f7 e8 a8 d8 9f 02 48 89 df be 01 00 00 00 e8 3b 3e fe ff 48 8b 7c 24 30 48 c7 c6 20 9f 14 8b e8 9a a2 fc ff <0f> 0b 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 55 48 89 e5 41 57 41 56
[ 19.780579][ T1] RSP: 0000:ffffc90000067380 EFLAGS: 00010246
[ 19.786662][ T1] RAX: 6e2be7838de7a100 RBX: ffff88802b146880 RCX: ffffffff816d1d70
[ 19.794637][ T1] RDX: 0000000000000000 RSI: ffffffff8b597480 RDI: ffffffff8b597440
[ 19.802826][ T1] RBP: ffffc90000067470 R08: ffffffff8e9a39af R09: 1ffffffff1d34735
[ 19.811367][ T1] R10: dffffc0000000000 R11: fffffbfff1d34736 R12: 0000000000000000
[ 19.819345][ T1] R13: 1ffff110054c0ba2 R14: ffff88802b146d70 R15: dffffc0000000000
[ 19.827577][ T1] FS: 0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
[ 19.836671][ T1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 19.843413][ T1] CR2: 00005641ea389008 CR3: 0000000027a15000 CR4: 00000000003506e0
[ 19.851380][ T1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 19.859684][ T1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 19.867652][ T1] Call Trace:
[ 19.870923][ T1] <TASK>
[ 19.873865][ T1] ? __die_body+0x8b/0xe0
[ 19.878190][ T1] ? die+0xa1/0xd0
[ 19.881988][ T1] ? do_trap+0x153/0x380
[ 19.886381][ T1] ? set_pte_range+0x6f6/0x700
[ 19.891131][ T1] ? do_error_trap+0x1dc/0x2c0
[ 19.895898][ T1] ? set_pte_range+0x6f6/0x700
[ 19.900669][ T1] ? __lock_acquire+0x7f70/0x7f70
[ 19.905849][ T1] ? do_int3+0x50/0x50
[ 19.909897][ T1] ? handle_invalid_op+0x34/0x40
[ 19.914813][ T1] ? set_pte_range+0x6f6/0x700
[ 19.919663][ T1] ? exc_invalid_op+0x33/0x50
[ 19.924328][ T1] ? asm_exc_invalid_op+0x1a/0x20
[ 19.929421][ T1] ? lock_release+0xb0/0x9d0
[ 19.934011][ T1] ? set_pte_range+0x6f6/0x700
[ 19.939198][ T1] ? mm_counter_file+0x2c0/0x2c0
[ 19.944397][ T1] ? do_raw_spin_unlock+0x13b/0x8b0
[ 19.949754][ T1] ? filemap_fault+0x10bf/0x1710
[ 19.954762][ T1] finish_fault+0x520/0xa60
[ 19.959268][ T1] ? set_pte_range+0x700/0x700
[ 19.964022][ T1] ? kthread_blkcg+0x53/0xd0
[ 19.968724][ T1] ? __do_fault+0x2a2/0x4e0
[ 19.973208][ T1] handle_mm_fault+0x3940/0x6200
[ 19.978134][ T1] ? numa_migrate_prep+0x380/0x380
[ 19.983253][ T1] ? mt_find+0x5e3/0x780
[ 19.987533][ T1] ? read_lock_is_recursive+0x20/0x20
[ 19.993525][ T1] ? mtree_destroy+0x30/0x30
[ 19.998115][ T1] ? __asan_memset+0x23/0x40
[ 20.002700][ T1] ? lock_mm_and_find_vma+0x9c/0x2d0
[ 20.008178][ T1] exc_page_fault+0x2ac/0x860
[ 20.012947][ T1] asm_exc_page_fault+0x26/0x30
[ 20.017873][ T1] RIP: 0010:rep_stos_alternative+0x40/0x80
[ 20.023754][ T1] Code: ff c7 48 ff c9 75 f6 c3 48 89 07 48 83 c7 08 83 e9 08 74 f3 83 f9 08 73 ef eb e2 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 <48> 89 07 48 89 47 08 48 89 47 10 48 89 47 18 48 89 47 20 48 89 47
[ 20.043630][ T1] RSP: 0000:ffffc90000067ad8 EFLAGS: 00050206
[ 20.049880][ T1] RAX: 0000000000000000 RBX: 00005641ea389008 RCX: 0000000000000ff8
[ 20.058222][ T1] RDX: 0000000000000000 RSI: ffffffff8b597480 RDI: 00005641ea389008
[ 20.066645][ T1] RBP: ffffc90000067d30 R08: ffffffff8e9a39af R09: 1ffffffff1d34735
[ 20.074804][ T1] R10: dffffc0000000000 R11: fffffbfff1d34736 R12: dffffc0000000000
[ 20.083573][ T1] R13: 0000000000004018 R14: 0000000000000000 R15: 0000000000000ff8
[ 20.091592][ T1] padzero+0x5e/0xb0
[ 20.095583][ T1] load_elf_binary+0x1a4a/0x2760
[ 20.100614][ T1] ? load_script+0x820/0x820
[ 20.105199][ T1] ? _raw_read_unlock+0x28/0x40
[ 20.110380][ T1] ? load_misc_binary+0x54a/0xa50
[ 20.115583][ T1] ? ima_file_mprotect+0x630/0x630
[ 20.120794][ T1] ? tomoyo_bprm_check_security+0x127/0x140
[ 20.126808][ T1] bprm_execve+0x90e/0x1740
[ 20.131316][ T1] ? alloc_bprm+0x900/0x900
[ 20.135828][ T1] ? copy_string_kernel+0x1c9/0x1f0
[ 20.141028][ T1] kernel_execve+0x8ea/0xa10
[ 20.145815][ T1] ? rest_init+0x2b0/0x2b0
[ 20.150300][ T1] kernel_init+0xde/0x2a0
[ 20.154620][ T1] ret_from_fork+0x48/0x80
[ 20.159230][ T1] ? rest_init+0x2b0/0x2b0
[ 20.163714][ T1] ret_from_fork_asm+0x11/0x20
[ 20.168639][ T1] </TASK>
[ 20.171654][ T1] Modules linked in:
[ 20.175728][ T1] ---[ end trace 0000000000000000 ]---
[ 20.181213][ T1] RIP: 0010:set_pte_range+0x6f6/0x700
[ 20.186708][ T1] Code: ff ff ff ff 4c 89 f7 e8 a8 d8 9f 02 48 89 df be 01 00 00 00 e8 3b 3e fe ff 48 8b 7c 24 30 48 c7 c6 20 9f 14 8b e8 9a a2 fc ff <0f> 0b 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 55 48 89 e5 41 57 41 56
[ 20.206795][ T1] RSP: 0000:ffffc90000067380 EFLAGS: 00010246
[ 20.213145][ T1] RAX: 6e2be7838de7a100 RBX: ffff88802b146880 RCX: ffffffff816d1d70
[ 20.221408][ T1] RDX: 0000000000000000 RSI: ffffffff8b597480 RDI: ffffffff8b597440
[ 20.229500][ T1] RBP: ffffc90000067470 R08: ffffffff8e9a39af R09: 1ffffffff1d34735
[ 20.237674][ T1] R10: dffffc0000000000 R11: fffffbfff1d34736 R12: 0000000000000000
[ 20.246462][ T1] R13: 1ffff110054c0ba2 R14: ffff88802b146d70 R15: dffffc0000000000
[ 20.255249][ T1] FS: 0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
[ 20.264302][ T1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 20.270905][ T1] CR2: 00005641ea389008 CR3: 0000000027a15000 CR4: 00000000003506e0
[ 20.278999][ T1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 20.287262][ T1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 20.295369][ T1] Kernel panic - not syncing: Fatal exception
[ 20.302700][ T1] Kernel Offset: disabled
[ 20.307733][ T1] Rebooting in 86400 seconds..
GOGCCFLAGS="-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build1966354878=/tmp/go-build -gno-record-gcc-switches"
git status (err=<nil>)
HEAD detached at 8bc9053e8
nothing to commit, working tree clean
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:32: run command via tools/syz-env for best compatibility, see:
Makefile:33: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=8bc9053e88dacf57f5ce550da040d31895eb9626 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20230904-115818'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=8bc9053e88dacf57f5ce550da040d31895eb9626 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20230904-115818'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=8bc9053e88dacf57f5ce550da040d31895eb9626 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20230904-115818'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"8bc9053e88dacf57f5ce550da040d31895eb9626\"
Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=167fe6bfa80000
Tested on:
commit: 3f86ed6e Merge tag 'arc-6.6-rc1' of git://git.kernel.o..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=ff0db7a15ba54ead
syzbot tried to test the proposed patch but the build/boot failed:
P is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list
[ 15.084720][ T1] NET: Registered PF_RDS protocol family
[ 15.091024][ T1] Registered RDS/infiniband transport
[ 15.096999][ T1] Registered RDS/tcp transport
[ 15.101882][ T1] tipc: Activated (version 2.0.0)
[ 15.107544][ T1] NET: Registered PF_TIPC protocol family
[ 15.114052][ T1] tipc: Started in single node mode
[ 15.120068][ T1] NET: Registered PF_SMC protocol family
[ 15.126098][ T1] 9pnet: Installing 9P2000 support
[ 15.131579][ T1] NET: Registered PF_CAIF protocol family
[ 15.143100][ T1] NET: Registered PF_IEEE802154 protocol family
[ 15.149895][ T1] Key type dns_resolver registered
[ 15.155086][ T1] Key type ceph registered
[ 15.160117][ T1] libceph: loaded (mon/osd proto 15/24)
[ 15.166897][ T1] batman_adv: B.A.T.M.A.N. advanced 2023.3 (compatibility version 15) loaded
[ 15.176400][ T1] openvswitch: Open vSwitch switching datapath
[ 15.184703][ T1] NET: Registered PF_VSOCK protocol family
[ 15.191107][ T1] mpls_gso: MPLS GSO support
[ 15.200856][ T1] start plist test
[ 15.209882][ T1] end plist test
[ 15.217596][ T1] IPI shorthand broadcast: enabled
[ 15.222871][ T1] AVX2 version of gcm_enc/dec engaged.
[ 15.228691][ T1] AES CTR mode by8 optimization enabled
[ 16.600018][ T1] sched_clock: Marking stable (16540020622, 52880384)->(16596679781, -3778775)
[ 16.612177][ T1] registered taskstats version 1
[ 16.640616][ T1] Loading compiled-in X.509 certificates
[ 16.657409][ T1] Loaded X.509 cert 'Build time autogenerated kernel key: 13ca5901c646d6c2f2427647dee191ab3a2d3dfd'
[ 16.673024][ T1] zswap: loaded using pool lzo/zbud
[ 16.858318][ T1] debug_vm_pgtable: [debug_vm_pgtable ]: Validating architecture page table helpers
[ 18.951894][ T1] Key type .fscrypt registered
[ 18.956790][ T1] Key type fscrypt-provisioning registered
[ 18.968516][ T1] kAFS: Red Hat AFS client v0.1 registering.
[ 18.986892][ T1] Btrfs loaded, assert=on, ref-verify=on, zoned=yes, fsverity=yes
[ 18.995648][ T1] Key type big_key registered
[ 19.003162][ T1] Key type encrypted registered
[ 19.008569][ T1] ima: No TPM chip found, activating TPM-bypass!
[ 19.014970][ T1] Loading compiled-in module X.509 certificates
[ 19.024280][ T1] Loaded X.509 cert 'Build time autogenerated kernel key: 13ca5901c646d6c2f2427647dee191ab3a2d3dfd'
[ 19.035659][ T1] ima: Allocated hash algorithm: sha256
[ 19.041445][ T1] ima: No architecture policies found
[ 19.047232][ T1] evm: Initialising EVM extended attributes:
[ 19.053235][ T1] evm: security.selinux (disabled)
[ 19.058513][ T1] evm: security.SMACK64
[ 19.062664][ T1] evm: security.SMACK64EXEC
[ 19.067352][ T1] evm: security.SMACK64TRANSMUTE
[ 19.072484][ T1] evm: security.SMACK64MMAP
[ 19.077102][ T1] evm: security.apparmor (disabled)
[ 19.082277][ T1] evm: security.ima
[ 19.086267][ T1] evm: security.capability
[ 19.090787][ T1] evm: HMAC attrs: 0x1
[ 19.096750][ T1] PM: Magic number: 7:161:820
[ 19.102185][ T1] tty ptyt0: hash matches
[ 19.108479][ T1] printk: console [netcon0] enabled
[ 19.113777][ T1] netconsole: network logging started
[ 19.119566][ T1] gtp: GTP module loaded (pdp ctx size 104 bytes)
[ 19.127497][ T1] rdma_rxe: loaded
[ 19.132121][ T1] cfg80211: Loading compiled-in X.509 certificates for regulatory database
[ 19.142965][ T1] Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7'
[ 19.149841][ T9] platform regulatory.0: Direct firmware load for regulatory.db failed with error -2
[ 19.153437][ T1] clk: Disabling unused clocks
[ 19.160784][ T9] platform regulatory.0: Falling back to sysfs fallback for: regulatory.db
[ 19.164544][ T1] ALSA device list:
[ 19.177648][ T1] #0: Dummy 1
[ 19.181437][ T1] #1: Loopback 1
[ 19.185528][ T1] #2: Virtual MIDI Card 1
[ 19.191926][ T1] md: Waiting for all devices to be available before autodetect
[ 19.199626][ T1] md: If you don't use raid, use raid=noautodetect
[ 19.206576][ T1] md: Autodetecting RAID arrays.
[ 19.211896][ T1] md: autorun ...
[ 19.215752][ T1] md: ... autorun DONE.
[ 19.248802][ T1] EXT4-fs (sda1): mounted filesystem 5941fea2-f5fa-4b4e-b5ef-9af118b27b95 ro with ordered data mode. Quota mode: none.
[ 19.262620][ T1] VFS: Mounted root (ext4 filesystem) readonly on device 8:1.
[ 19.288808][ T1] devtmpfs: mounted
[ 19.297688][ T1] Freeing unused kernel image (initmem) memory: 2888K
[ 19.343072][ T1] Write protecting the kernel read-only data: 196608k
[ 19.354834][ T1] Freeing unused kernel image (rodata/data gap) memory: 1756K
[ 19.461203][ T1] x86/mm: Checked W+X mappings: passed, no W+X pages found.
[ 19.472870][ T1] Failed to set sysctl parameter 'max_rcu_stall_to_panic=1': parameter not found
[ 19.482994][ T1] Run /sbin/init as init process
[ 19.487933][ T1] with arguments:
[ 19.491902][ T1] /sbin/init
[ 19.495562][ T1] with environment:
[ 19.499692][ T1] HOME=/
[ 19.502953][ T1] TERM=linux
[ 19.506676][ T1] spec_store_bypass_disable=prctl
[ 19.512036][ T1] BOOT_IMAGE=/boot/bzImage
[ 19.600330][ T1] page:ffffea0004ffd100 refcount:1 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x13ff44
[ 19.610740][ T1] memcg:ffff888015e5a000
[ 19.615387][ T1] flags: 0x17ff00000000008(uptodate|node=0|zone=2|lastcpupid=0x7ff)
[ 19.623878][ T1] page_type: 0xffffffff()
[ 19.628240][ T1] raw: 017ff00000000008 0000000000000000 dead000000000122 0000000000000000
[ 19.636933][ T1] raw: 0000000000000001 0000000000000000 00000001ffffffff ffff888015e5a000
[ 19.645626][ T1] page dumped because: VM_BUG_ON_FOLIO(nr != 1)
[ 19.651861][ T1] page_owner tracks the page as allocated
[ 19.657935][ T1] page last allocated via order 0, migratetype Movable, gfp_mask 0x140cca(GFP_HIGHUSER_MOVABLE|__GFP_COMP), pid 1, tgid 1 (init), ts 19600302547, free_ts 0
[ 19.673727][ T1] post_alloc_hook+0x1e6/0x210
[ 19.678619][ T1] get_page_from_freelist+0x31ec/0x3370
[ 19.684232][ T1] __alloc_pages+0x255/0x670
[ 19.688993][ T1] __folio_alloc+0x13/0x30
[ 19.693724][ T1] vma_alloc_folio+0x48a/0x9a0
[ 19.698586][ T1] handle_mm_fault+0x2083/0x6200
[ 19.703645][ T1] exc_page_fault+0x2ac/0x860
[ 19.708390][ T1] asm_exc_page_fault+0x26/0x30
[ 19.713282][ T1] page_owner free stack trace missing
[ 19.718704][ T1] ------------[ cut here ]------------
[ 19.724218][ T1] kernel BUG at mm/memory.c:4355!
[ 19.729346][ T1] invalid opcode: 0000 [#1] PREEMPT SMP KASAN
[ 19.735494][ T1] CPU: 1 PID: 1 Comm: init Not tainted 6.5.0-syzkaller-11704-g3f86ed6ec0b3-dirty #0
[ 19.745127][ T1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
[ 19.755261][ T1] RIP: 0010:set_pte_range+0x6f6/0x700
[ 19.760718][ T1] Code: ff ff ff ff 4c 89 f7 e8 a8 d8 9f 02 48 89 df be 01 00 00 00 e8 3b 3e fe ff 48 8b 7c 24 30 48 c7 c6 20 9f 14 8b e8 9a a2 fc ff <0f> 0b 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 55 48 89 e5 41 57 41 56
[ 19.780579][ T1] RSP: 0000:ffffc90000067380 EFLAGS: 00010246
[ 19.786662][ T1] RAX: 6e2be7838de7a100 RBX: ffff88802b146880 RCX: ffffffff816d1d70
[ 19.794637][ T1] RDX: 0000000000000000 RSI: ffffffff8b597480 RDI: ffffffff8b597440
[ 19.802826][ T1] RBP: ffffc90000067470 R08: ffffffff8e9a39af R09: 1ffffffff1d34735
[ 19.811367][ T1] R10: dffffc0000000000 R11: fffffbfff1d34736 R12: 0000000000000000
[ 19.819345][ T1] R13: 1ffff110054c0ba2 R14: ffff88802b146d70 R15: dffffc0000000000
[ 19.827577][ T1] FS: 0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
[ 19.836671][ T1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 19.843413][ T1] CR2: 00005641ea389008 CR3: 0000000027a15000 CR4: 00000000003506e0
[ 19.851380][ T1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 19.859684][ T1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 19.867652][ T1] Call Trace:
[ 19.870923][ T1] <TASK>
[ 19.873865][ T1] ? __die_body+0x8b/0xe0
[ 19.878190][ T1] ? die+0xa1/0xd0
[ 19.881988][ T1] ? do_trap+0x153/0x380
[ 19.886381][ T1] ? set_pte_range+0x6f6/0x700
[ 19.891131][ T1] ? do_error_trap+0x1dc/0x2c0
[ 19.895898][ T1] ? set_pte_range+0x6f6/0x700
[ 19.900669][ T1] ? __lock_acquire+0x7f70/0x7f70
[ 19.905849][ T1] ? do_int3+0x50/0x50
[ 19.909897][ T1] ? handle_invalid_op+0x34/0x40
[ 19.914813][ T1] ? set_pte_range+0x6f6/0x700
[ 19.919663][ T1] ? exc_invalid_op+0x33/0x50
[ 19.924328][ T1] ? asm_exc_invalid_op+0x1a/0x20
[ 19.929421][ T1] ? lock_release+0xb0/0x9d0
[ 19.934011][ T1] ? set_pte_range+0x6f6/0x700
[ 19.939198][ T1] ? mm_counter_file+0x2c0/0x2c0
[ 19.944397][ T1] ? do_raw_spin_unlock+0x13b/0x8b0
[ 19.949754][ T1] ? filemap_fault+0x10bf/0x1710
[ 19.954762][ T1] finish_fault+0x520/0xa60
[ 19.959268][ T1] ? set_pte_range+0x700/0x700
[ 19.964022][ T1] ? kthread_blkcg+0x53/0xd0
[ 19.968724][ T1] ? __do_fault+0x2a2/0x4e0
[ 19.973208][ T1] handle_mm_fault+0x3940/0x6200
[ 19.978134][ T1] ? numa_migrate_prep+0x380/0x380
[ 19.983253][ T1] ? mt_find+0x5e3/0x780
[ 19.987533][ T1] ? read_lock_is_recursive+0x20/0x20
[ 19.993525][ T1] ? mtree_destroy+0x30/0x30
[ 19.998115][ T1] ? __asan_memset+0x23/0x40
[ 20.002700][ T1] ? lock_mm_and_find_vma+0x9c/0x2d0
[ 20.008178][ T1] exc_page_fault+0x2ac/0x860
[ 20.012947][ T1] asm_exc_page_fault+0x26/0x30
[ 20.017873][ T1] RIP: 0010:rep_stos_alternative+0x40/0x80
[ 20.023754][ T1] Code: ff c7 48 ff c9 75 f6 c3 48 89 07 48 83 c7 08 83 e9 08 74 f3 83 f9 08 73 ef eb e2 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 <48> 89 07 48 89 47 08 48 89 47 10 48 89 47 18 48 89 47 20 48 89 47
[ 20.043630][ T1] RSP: 0000:ffffc90000067ad8 EFLAGS: 00050206
[ 20.049880][ T1] RAX: 0000000000000000 RBX: 00005641ea389008 RCX: 0000000000000ff8
[ 20.058222][ T1] RDX: 0000000000000000 RSI: ffffffff8b597480 RDI: 00005641ea389008
[ 20.066645][ T1] RBP: ffffc90000067d30 R08: ffffffff8e9a39af R09: 1ffffffff1d34735
[ 20.074804][ T1] R10: dffffc0000000000 R11: fffffbfff1d34736 R12: dffffc0000000000
[ 20.083573][ T1] R13: 0000000000004018 R14: 0000000000000000 R15: 0000000000000ff8
[ 20.091592][ T1] padzero+0x5e/0xb0
[ 20.095583][ T1] load_elf_binary+0x1a4a/0x2760
[ 20.100614][ T1] ? load_script+0x820/0x820
[ 20.105199][ T1] ? _raw_read_unlock+0x28/0x40
[ 20.110380][ T1] ? load_misc_binary+0x54a/0xa50
[ 20.115583][ T1] ? ima_file_mprotect+0x630/0x630
[ 20.120794][ T1] ? tomoyo_bprm_check_security+0x127/0x140
[ 20.126808][ T1] bprm_execve+0x90e/0x1740
[ 20.131316][ T1] ? alloc_bprm+0x900/0x900
[ 20.135828][ T1] ? copy_string_kernel+0x1c9/0x1f0
[ 20.141028][ T1] kernel_execve+0x8ea/0xa10
[ 20.145815][ T1] ? rest_init+0x2b0/0x2b0
[ 20.150300][ T1] kernel_init+0xde/0x2a0
[ 20.154620][ T1] ret_from_fork+0x48/0x80
[ 20.159230][ T1] ? rest_init+0x2b0/0x2b0
[ 20.163714][ T1] ret_from_fork_asm+0x11/0x20
[ 20.168639][ T1] </TASK>
[ 20.171654][ T1] Modules linked in:
[ 20.175728][ T1] ---[ end trace 0000000000000000 ]---
[ 20.181213][ T1] RIP: 0010:set_pte_range+0x6f6/0x700
[ 20.186708][ T1] Code: ff ff ff ff 4c 89 f7 e8 a8 d8 9f 02 48 89 df be 01 00 00 00 e8 3b 3e fe ff 48 8b 7c 24 30 48 c7 c6 20 9f 14 8b e8 9a a2 fc ff <0f> 0b 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 55 48 89 e5 41 57 41 56
[ 20.206795][ T1] RSP: 0000:ffffc90000067380 EFLAGS: 00010246
[ 20.213145][ T1] RAX: 6e2be7838de7a100 RBX: ffff88802b146880 RCX: ffffffff816d1d70
[ 20.221408][ T1] RDX: 0000000000000000 RSI: ffffffff8b597480 RDI: ffffffff8b597440
[ 20.229500][ T1] RBP: ffffc90000067470 R08: ffffffff8e9a39af R09: 1ffffffff1d34735
[ 20.237674][ T1] R10: dffffc0000000000 R11: fffffbfff1d34736 R12: 0000000000000000
[ 20.246462][ T1] R13: 1ffff110054c0ba2 R14: ffff88802b146d70 R15: dffffc0000000000
[ 20.255249][ T1] FS: 0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
[ 20.264302][ T1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 20.270905][ T1] CR2: 00005641ea389008 CR3: 0000000027a15000 CR4: 00000000003506e0
[ 20.278999][ T1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 20.287262][ T1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 20.295369][ T1] Kernel panic - not syncing: Fatal exception
[ 20.302700][ T1] Kernel Offset: disabled
[ 20.307733][ T1] Rebooting in 86400 seconds..
git status (err=<nil>)
HEAD detached at 8bc9053e8
nothing to commit, working tree clean
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:32: run command via tools/syz-env for best compatibility, see:
Makefile:33: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=8bc9053e88dacf57f5ce550da040d31895eb9626 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20230904-115818'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=8bc9053e88dacf57f5ce550da040d31895eb9626 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20230904-115818'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=8bc9053e88dacf57f5ce550da040d31895eb9626 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20230904-115818'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"8bc9053e88dacf57f5ce550da040d31895eb9626\"
Error text is too large and was truncated, full error text is at:
Tested on:
commit: 3f86ed6e Merge tag 'arc-6.6-rc1' of git://git.kernel.o..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=ff0db7a15ba54ead
dashboard link: https://syzkaller.appspot.com/bug?extid=55cc72f8cc3a549119df
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=16854b78680000
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Yin Fengwei
Sep 11, 2023, 3:12:55 AM9/11/23
to syzbot, ak...@linux-foundation.org, linux-...@vger.kernel.org, linu...@kvack.org, syzkall...@googlegroups.com, wi...@infradead.org
On 9/10/23 01:12, syzbot wrote:
> commit 617c28ecab22d98a3809370eb6cb50fa24b7bfe1
> Author: Yin Fengwei <fengw...@intel.com>
> Date: Wed Aug 2 15:14:05 2023 +0000
>
> filemap: batch PTE mappings
diff --git a/arch/x86/include/asm/pgtable_64.h b/arch/x86/include/asm/pgtable_64.h
index a629b1b9f65a6..2701b47efa8f7 100644
--- a/arch/x86/include/asm/pgtable_64.h
+++ b/arch/x86/include/asm/pgtable_64.h
@@ -168,6 +168,28 @@ static inline void native_pgd_clear(pgd_t *pgd)
native_set_pgd(pgd, native_make_pgd(0));
}
+static inline void set_ptes(struct mm_struct *mm, unsigned long addr,
+ pte_t *ptep, pte_t pte, unsigned int nr)
+{
+ bool protnone = (pte_flags(pte) & (_PAGE_PROTNONE | _PAGE_PRESENT))
+ == _PAGE_PROTNONE;
+
+ page_table_check_ptes_set(mm, ptep, pte, nr);
+
+ for(;;) {
+ native_set_pte(ptep, pte);
+ if (--nr == 0)
+ break;
+
+ ptep++;
+ if (protnone)
+ pte = __pte(pte_val(pte) - (1UL << PFN_PTE_SHIFT));
+ else
+ pte = __pte(pte_val(pte) + (1UL << PFN_PTE_SHIFT));
+ }
+}
+#define set_ptes set_ptes
+
/*
* Conversion functions: convert a page and protection to a page entry,
* and a page entry and page directory to the page they refer to.
Yin Fengwei
Sep 11, 2023, 3:24:42 AM9/11/23
to Matthew Wilcox, syzbot, ak...@linux-foundation.org, linux-...@vger.kernel.org, linu...@kvack.org, syzkall...@googlegroups.com
Hi Matthew,
On 9/10/23 11:02, Matthew Wilcox wrote:
> On Sat, Sep 09, 2023 at 10:12:48AM -0700, syzbot wrote:
>> commit 617c28ecab22d98a3809370eb6cb50fa24b7bfe1
>> Author: Yin Fengwei <fengw...@intel.com>
>> Date: Wed Aug 2 15:14:05 2023 +0000
>>
>> filemap: batch PTE mappings
>
> Hmm ... I don't know if this is the bug, but ...
I do think we should merge your patch here. LKP already noticed some performance
regressions. I suppose this patch can fix some of them.
I root caused the this "bad page map" issue in my local env. It's related with pte
with protnone on x86_64. So if pte is not protnone, advancing pte by adding
1UL << PFN_PTE_SHIFT is correct. But if pte is protnone, should subtract
1UL << PFN_PTE_SHIFT. I saw pfn_pte() had pfn ^= protnone_mask() and just realized
it.
The producer mmap with PROT_NONE and then trigger SIGXFSZ and create core file.
That will cause GUP with FOLL_FORCE and create protnone pte.
I submitted request to sysbot to test the fixing worked on my local env. Thanks.
Regards
Yin, Fengwei
On 9/10/23 11:02, Matthew Wilcox wrote:
> On Sat, Sep 09, 2023 at 10:12:48AM -0700, syzbot wrote:
>> commit 617c28ecab22d98a3809370eb6cb50fa24b7bfe1
>> Author: Yin Fengwei <fengw...@intel.com>
>> Date: Wed Aug 2 15:14:05 2023 +0000
>>
>> filemap: batch PTE mappings
>
> Hmm ... I don't know if this is the bug, but ...
regressions. I suppose this patch can fix some of them.
I root caused the this "bad page map" issue in my local env. It's related with pte
with protnone on x86_64. So if pte is not protnone, advancing pte by adding
1UL << PFN_PTE_SHIFT is correct. But if pte is protnone, should subtract
1UL << PFN_PTE_SHIFT. I saw pfn_pte() had pfn ^= protnone_mask() and just realized
it.
The producer mmap with PROT_NONE and then trigger SIGXFSZ and create core file.
That will cause GUP with FOLL_FORCE and create protnone pte.
I submitted request to sysbot to test the fixing worked on my local env. Thanks.
Regards
Yin, Fengwei
Yin Fengwei
Sep 11, 2023, 3:32:33 AM9/11/23
to Matthew Wilcox, syzbot, ak...@linux-foundation.org, linux-...@vger.kernel.org, linu...@kvack.org, syzkall...@googlegroups.com
On 9/11/23 15:24, Yin Fengwei wrote:
> Hi Matthew,
>
> On 9/10/23 11:02, Matthew Wilcox wrote:
>> On Sat, Sep 09, 2023 at 10:12:48AM -0700, syzbot wrote:
>>> commit 617c28ecab22d98a3809370eb6cb50fa24b7bfe1
>>> Author: Yin Fengwei <fengw...@intel.com>
>>> Date: Wed Aug 2 15:14:05 2023 +0000
>>>
>>> filemap: batch PTE mappings
>>
>> Hmm ... I don't know if this is the bug, but ...
> I do think we should merge your patch here. LKP already noticed some performance
> regressions. I suppose this patch can fix some of them.
fixed. Will keep you updated for any progress. Thanks.
Regards
Yin, Fengwei
syzbot
Sep 11, 2023, 3:48:34 AM9/11/23
to ak...@linux-foundation.org, fengw...@intel.com, linux-...@vger.kernel.org, linu...@kvack.org, syzkall...@googlegroups.com, wi...@infradead.org
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+55cc72...@syzkaller.appspotmail.com
Tested on:
commit: 0bb80ecc Linux 6.6-rc1
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=174c0ad8680000
kernel config: https://syzkaller.appspot.com/x/.config?x=13f2a37749f07ab2
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+55cc72...@syzkaller.appspotmail.com
Tested on:
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=174c0ad8680000
kernel config: https://syzkaller.appspot.com/x/.config?x=13f2a37749f07ab2
dashboard link: https://syzkaller.appspot.com/bug?extid=55cc72f8cc3a549119df
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1421990c680000
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Yin, Fengwei
Sep 11, 2023, 4:30:10 AM9/11/23
to Matthew Wilcox, syzbot, ak...@linux-foundation.org, fengw...@intel.com, linux-...@vger.kernel.org, linu...@kvack.org, syzkall...@googlegroups.com
Hi Matthew,
On Sun, Sep 10, 2023 at 04:02:32AM +0100, Matthew Wilcox wrote:
> On Sat, Sep 09, 2023 at 10:12:48AM -0700, syzbot wrote:
> > commit 617c28ecab22d98a3809370eb6cb50fa24b7bfe1
> > Author: Yin Fengwei <fengw...@intel.com>
> > Date: Wed Aug 2 15:14:05 2023 +0000
> >
> > filemap: batch PTE mappings
>
> Hmm ... I don't know if this is the bug, but ...
This is Fengwei. Sorry for replying with my private email. I can't access
my compony email now.
Yes. This is a bug. But I think it just impact the performance.
I will look at this regression. Thanks and sorry for the trouble.
On Sun, Sep 10, 2023 at 04:02:32AM +0100, Matthew Wilcox wrote:
> On Sat, Sep 09, 2023 at 10:12:48AM -0700, syzbot wrote:
> > commit 617c28ecab22d98a3809370eb6cb50fa24b7bfe1
> > Author: Yin Fengwei <fengw...@intel.com>
> > Date: Wed Aug 2 15:14:05 2023 +0000
> >
> > filemap: batch PTE mappings
>
> Hmm ... I don't know if this is the bug, but ...
my compony email now.
Yes. This is a bug. But I think it just impact the performance.
I will look at this regression. Thanks and sorry for the trouble.
Edward AD
Sep 11, 2023, 5:46:21 AM9/11/23
to syzbot+55cc72...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test filemap
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 3f86ed6ec0b3
diff --git a/arch/x86/include/asm/pgtable_64.h b/arch/x86/include/asm/pgtable_64.h
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 3f86ed6ec0b3
index a629b1b9f65a..e5e14e164c09 100644
--- a/arch/x86/include/asm/pgtable_64.h
+++ b/arch/x86/include/asm/pgtable_64.h
@@ -259,6 +259,22 @@ extern void cleanup_highmap(void);
extern void init_extra_mapping_uc(unsigned long phys, unsigned long size);
extern void init_extra_mapping_wb(unsigned long phys, unsigned long size);
+static inline void set_ptes(struct mm_struct *mm, unsigned long addr,
+ pte_t *ptep, pte_t pte, unsigned int nr)
+{
+ page_table_check_ptes_set(mm, ptep, pte, nr);
+
+ for(;;) {
+ set_pte(ptep, pte);
+
+ for(;;) {
+ if (--nr == 0)
+ break;
+
+ ptep++;
+ break;
+
+ ptep++;
+ pte = __pte(pte_val(pte) + (1UL << PFN_PTE_SHIFT));
+ }
+}
+#define set_ptes set_ptes
+
#define gup_fast_permitted gup_fast_permitted
+ }
+}
+#define set_ptes set_ptes
+
static inline bool gup_fast_permitted(unsigned long start, unsigned long end)
{
syzbot
Sep 11, 2023, 6:12:38 AM9/11/23
to ead...@sina.com, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: Bad page map
BUG: Bad page map in process syz-executor.0 pte:fffff99cf8120 pmd:78f39067
page:ffffea000198c1c0 refcount:9 mapcount:-1 mapping:ffff8880670fd190 index:0x3 pfn:0x66307
head:ffffea000198c100 order:2 entire_mapcount:0 nr_pages_mapped:8388607 pincount:0
memcg:ffff88807ad24000
head: 0000000000000000 ffff888019b03800 00000009ffffffff ffff88807ad24000
filemap_alloc_folio+0xde/0x500 mm/filemap.c:979
Code: Unable to access opcode bytes at 0x7f48c127cabf.
RSP: 002b:00007f48c204b0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000148
RAX: ffffffffffffffe5 RBX: 00007f48c139bf80 RCX: 00007f48c127cae9
</TASK>
BUG: Bad page map in process syz-executor.0 pte:fffff99cf9120 pmd:78f39067
page:ffffea000198c180 refcount:9 mapcount:-1 mapping:ffff8880670fd190 index:0x2 pfn:0x66306
head:ffffea000198c100 order:2 entire_mapcount:0 nr_pages_mapped:8388606 pincount:0
memcg:ffff88807ad24000
head: 0000000000000000 ffff888019b03800 00000009ffffffff ffff88807ad24000
filemap_alloc_folio+0xde/0x500 mm/filemap.c:979
Code: Unable to access opcode bytes at 0x7f48c127cabf.
RSP: 002b:00007f48c204b0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000148
RAX: ffffffffffffffe5 RBX: 00007f48c139bf80 RCX: 00007f48c127cae9
</TASK>
BUG: Bad page map in process syz-executor.0 pte:fffff99cfa120 pmd:78f39067
page:ffffea000198c140 refcount:9 mapcount:-1 mapping:ffff8880670fd190 index:0x1 pfn:0x66305
head:ffffea000198c100 order:2 entire_mapcount:0 nr_pages_mapped:8388605 pincount:0
memcg:ffff88807ad24000
head: 0000000000000000 ffff888019b03800 00000009ffffffff ffff88807ad24000
filemap_alloc_folio+0xde/0x500 mm/filemap.c:979
Code: Unable to access opcode bytes at 0x7f48c127cabf.
RSP: 002b:00007f48c204b0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000148
RAX: ffffffffffffffe5 RBX: 00007f48c139bf80 RCX: 00007f48c127cae9
</TASK>
Tested on:
commit: 3f86ed6e Merge tag 'arc-6.6-rc1' of git://git.kernel.o..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=14ad8ebfa80000
kernel config: https://syzkaller.appspot.com/x/.config?x=ff0db7a15ba54ead
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: Bad page map
page:ffffea000198c1c0 refcount:9 mapcount:-1 mapping:ffff8880670fd190 index:0x3 pfn:0x66307
head:ffffea000198c100 order:2 entire_mapcount:0 nr_pages_mapped:8388607 pincount:0
memcg:ffff88807ad24000
aops:xfs_address_space_operations ino:244a dentry name:"bus"
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000000 ffffea000198c101 dead000000000122 dead000000000400
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 0000000000000001 0000000000000000 00000000fffffffe 0000000000000000
head: 00fff0000000816c ffffea0001c7b088 ffff8880780d7030 ffff8880670fd190
head: 0000000000000000 ffff888019b03800 00000009ffffffff ffff88807ad24000
page dumped because: bad pte
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Movable, gfp_mask 0x152c4a(GFP_NOFS|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 5455, tgid 5454 (syz-executor.0), ts 76565665345, free_ts 14221404932
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
prep_new_page mm/page_alloc.c:1543 [inline]
post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
prep_new_page mm/page_alloc.c:1543 [inline]
get_page_from_freelist+0x31ec/0x3370 mm/page_alloc.c:3183
__alloc_pages+0x255/0x670 mm/page_alloc.c:4439
folio_alloc+0x1e/0x60 mm/mempolicy.c:2308
__alloc_pages+0x255/0x670 mm/page_alloc.c:4439
filemap_alloc_folio+0xde/0x500 mm/filemap.c:979
ra_alloc_folio mm/readahead.c:468 [inline]
page_cache_ra_order+0x423/0xcc0 mm/readahead.c:524
do_sync_mmap_readahead+0x444/0x850
filemap_fault+0x7d3/0x1710 mm/filemap.c:3294
page_cache_ra_order+0x423/0xcc0 mm/readahead.c:524
do_sync_mmap_readahead+0x444/0x850
__xfs_filemap_fault+0x286/0x960 fs/xfs/xfs_file.c:1354
__do_fault+0x133/0x4e0 mm/memory.c:4204
do_read_fault mm/memory.c:4568 [inline]
do_fault mm/memory.c:4705 [inline]
do_pte_missing mm/memory.c:3669 [inline]
handle_pte_fault mm/memory.c:4978 [inline]
__handle_mm_fault mm/memory.c:5119 [inline]
handle_mm_fault+0x48d2/0x6200 mm/memory.c:5284
faultin_page mm/gup.c:956 [inline]
__get_user_pages+0x6bd/0x15e0 mm/gup.c:1239
__get_user_pages_locked mm/gup.c:1504 [inline]
get_dump_page+0x146/0x2b0 mm/gup.c:2018
dump_user_range+0x126/0x910 fs/coredump.c:913
elf_core_dump+0x3b75/0x4490 fs/binfmt_elf.c:2142
do_coredump+0x1b73/0x2ab0 fs/coredump.c:764
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1136 [inline]
free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
free_contig_range+0x9e/0x150 mm/page_alloc.c:6355
__do_fault+0x133/0x4e0 mm/memory.c:4204
do_read_fault mm/memory.c:4568 [inline]
do_fault mm/memory.c:4705 [inline]
do_pte_missing mm/memory.c:3669 [inline]
handle_pte_fault mm/memory.c:4978 [inline]
__handle_mm_fault mm/memory.c:5119 [inline]
handle_mm_fault+0x48d2/0x6200 mm/memory.c:5284
faultin_page mm/gup.c:956 [inline]
__get_user_pages+0x6bd/0x15e0 mm/gup.c:1239
__get_user_pages_locked mm/gup.c:1504 [inline]
get_dump_page+0x146/0x2b0 mm/gup.c:2018
dump_user_range+0x126/0x910 fs/coredump.c:913
elf_core_dump+0x3b75/0x4490 fs/binfmt_elf.c:2142
do_coredump+0x1b73/0x2ab0 fs/coredump.c:764
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1136 [inline]
free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
destroy_args+0x95/0x7c0 mm/debug_vm_pgtable.c:1028
debug_vm_pgtable+0x4ac/0x540 mm/debug_vm_pgtable.c:1408
do_one_initcall+0x23d/0x7d0 init/main.c:1232
do_initcall_level+0x157/0x210 init/main.c:1294
do_initcalls+0x3f/0x80 init/main.c:1310
kernel_init_freeable+0x440/0x5d0 init/main.c:1547
kernel_init+0x1d/0x2a0 init/main.c:1437
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
addr:0000000020006000 vm_flags:080000d0 anon_vma:0000000000000000 mapping:ffff8880670fd190 index:5
debug_vm_pgtable+0x4ac/0x540 mm/debug_vm_pgtable.c:1408
do_one_initcall+0x23d/0x7d0 init/main.c:1232
do_initcall_level+0x157/0x210 init/main.c:1294
do_initcalls+0x3f/0x80 init/main.c:1310
kernel_init_freeable+0x440/0x5d0 init/main.c:1547
kernel_init+0x1d/0x2a0 init/main.c:1437
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
file:bus fault:xfs_filemap_fault mmap:xfs_file_mmap read_folio:xfs_vm_read_folio
CPU: 1 PID: 5455 Comm: syz-executor.0 Not tainted 6.5.0-syzkaller-11704-g3f86ed6ec0b3-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
print_bad_pte+0x581/0x5c0 mm/memory.c:535
zap_pte_range mm/memory.c:1458 [inline]
zap_pmd_range mm/memory.c:1573 [inline]
zap_pud_range mm/memory.c:1602 [inline]
zap_p4d_range mm/memory.c:1623 [inline]
unmap_page_range+0x1a76/0x3300 mm/memory.c:1644
unmap_vmas+0x209/0x3a0 mm/memory.c:1731
exit_mmap+0x297/0xc50 mm/mmap.c:3210
__mmput+0x115/0x3c0 kernel/fork.c:1349
exit_mm+0x21f/0x300 kernel/exit.c:567
do_exit+0x612/0x2290 kernel/exit.c:861
do_group_exit+0x206/0x2c0 kernel/exit.c:1024
get_signal+0x175d/0x1840 kernel/signal.c:2892
arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:309
exit_to_user_mode_loop+0x6a/0x100 kernel/entry/common.c:168
exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:204
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x64/0x280 kernel/entry/common.c:296
do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f48c127cae9
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
print_bad_pte+0x581/0x5c0 mm/memory.c:535
zap_pte_range mm/memory.c:1458 [inline]
zap_pmd_range mm/memory.c:1573 [inline]
zap_pud_range mm/memory.c:1602 [inline]
zap_p4d_range mm/memory.c:1623 [inline]
unmap_page_range+0x1a76/0x3300 mm/memory.c:1644
unmap_vmas+0x209/0x3a0 mm/memory.c:1731
exit_mmap+0x297/0xc50 mm/mmap.c:3210
__mmput+0x115/0x3c0 kernel/fork.c:1349
exit_mm+0x21f/0x300 kernel/exit.c:567
do_exit+0x612/0x2290 kernel/exit.c:861
do_group_exit+0x206/0x2c0 kernel/exit.c:1024
get_signal+0x175d/0x1840 kernel/signal.c:2892
arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:309
exit_to_user_mode_loop+0x6a/0x100 kernel/entry/common.c:168
exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:204
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x64/0x280 kernel/entry/common.c:296
do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Code: Unable to access opcode bytes at 0x7f48c127cabf.
RSP: 002b:00007f48c204b0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000148
RAX: ffffffffffffffe5 RBX: 00007f48c139bf80 RCX: 00007f48c127cae9
RDX: 0000000000000002 RSI: 0000000020000300 RDI: 0000000000000007
RBP: 00007f48c12c847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000008800000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f48c139bf80 R15: 00007ffc34065028
</TASK>
BUG: Bad page map in process syz-executor.0 pte:fffff99cf9120 pmd:78f39067
page:ffffea000198c180 refcount:9 mapcount:-1 mapping:ffff8880670fd190 index:0x2 pfn:0x66306
head:ffffea000198c100 order:2 entire_mapcount:0 nr_pages_mapped:8388606 pincount:0
memcg:ffff88807ad24000
aops:xfs_address_space_operations ino:244a dentry name:"bus"
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000000 ffffea000198c101 ffffea000198c190 ffffea000198c190
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 0000000000000001 0000000000000000 00000000fffffffe 0000000000000000
head: 00fff0000000816c ffffea0001c7b088 ffff8880780d7030 ffff8880670fd190
head: 0000000000000000 ffff888019b03800 00000009ffffffff ffff88807ad24000
page dumped because: bad pte
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Movable, gfp_mask 0x152c4a(GFP_NOFS|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 5455, tgid 5454 (syz-executor.0), ts 76565665345, free_ts 14221399035
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
prep_new_page mm/page_alloc.c:1543 [inline]
post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
prep_new_page mm/page_alloc.c:1543 [inline]
get_page_from_freelist+0x31ec/0x3370 mm/page_alloc.c:3183
__alloc_pages+0x255/0x670 mm/page_alloc.c:4439
folio_alloc+0x1e/0x60 mm/mempolicy.c:2308
__alloc_pages+0x255/0x670 mm/page_alloc.c:4439
filemap_alloc_folio+0xde/0x500 mm/filemap.c:979
ra_alloc_folio mm/readahead.c:468 [inline]
page_cache_ra_order+0x423/0xcc0 mm/readahead.c:524
do_sync_mmap_readahead+0x444/0x850
filemap_fault+0x7d3/0x1710 mm/filemap.c:3294
page_cache_ra_order+0x423/0xcc0 mm/readahead.c:524
do_sync_mmap_readahead+0x444/0x850
__xfs_filemap_fault+0x286/0x960 fs/xfs/xfs_file.c:1354
__do_fault+0x133/0x4e0 mm/memory.c:4204
do_read_fault mm/memory.c:4568 [inline]
do_fault mm/memory.c:4705 [inline]
do_pte_missing mm/memory.c:3669 [inline]
handle_pte_fault mm/memory.c:4978 [inline]
__handle_mm_fault mm/memory.c:5119 [inline]
handle_mm_fault+0x48d2/0x6200 mm/memory.c:5284
faultin_page mm/gup.c:956 [inline]
__get_user_pages+0x6bd/0x15e0 mm/gup.c:1239
__get_user_pages_locked mm/gup.c:1504 [inline]
get_dump_page+0x146/0x2b0 mm/gup.c:2018
dump_user_range+0x126/0x910 fs/coredump.c:913
elf_core_dump+0x3b75/0x4490 fs/binfmt_elf.c:2142
do_coredump+0x1b73/0x2ab0 fs/coredump.c:764
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1136 [inline]
free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
free_contig_range+0x9e/0x150 mm/page_alloc.c:6355
__do_fault+0x133/0x4e0 mm/memory.c:4204
do_read_fault mm/memory.c:4568 [inline]
do_fault mm/memory.c:4705 [inline]
do_pte_missing mm/memory.c:3669 [inline]
handle_pte_fault mm/memory.c:4978 [inline]
__handle_mm_fault mm/memory.c:5119 [inline]
handle_mm_fault+0x48d2/0x6200 mm/memory.c:5284
faultin_page mm/gup.c:956 [inline]
__get_user_pages+0x6bd/0x15e0 mm/gup.c:1239
__get_user_pages_locked mm/gup.c:1504 [inline]
get_dump_page+0x146/0x2b0 mm/gup.c:2018
dump_user_range+0x126/0x910 fs/coredump.c:913
elf_core_dump+0x3b75/0x4490 fs/binfmt_elf.c:2142
do_coredump+0x1b73/0x2ab0 fs/coredump.c:764
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1136 [inline]
free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
destroy_args+0x95/0x7c0 mm/debug_vm_pgtable.c:1028
debug_vm_pgtable+0x4ac/0x540 mm/debug_vm_pgtable.c:1408
do_one_initcall+0x23d/0x7d0 init/main.c:1232
do_initcall_level+0x157/0x210 init/main.c:1294
do_initcalls+0x3f/0x80 init/main.c:1310
kernel_init_freeable+0x440/0x5d0 init/main.c:1547
kernel_init+0x1d/0x2a0 init/main.c:1437
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
addr:0000000020007000 vm_flags:080000d0 anon_vma:0000000000000000 mapping:ffff8880670fd190 index:6
debug_vm_pgtable+0x4ac/0x540 mm/debug_vm_pgtable.c:1408
do_one_initcall+0x23d/0x7d0 init/main.c:1232
do_initcall_level+0x157/0x210 init/main.c:1294
do_initcalls+0x3f/0x80 init/main.c:1310
kernel_init_freeable+0x440/0x5d0 init/main.c:1547
kernel_init+0x1d/0x2a0 init/main.c:1437
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
file:bus fault:xfs_filemap_fault mmap:xfs_file_mmap read_folio:xfs_vm_read_folio
CPU: 0 PID: 5455 Comm: syz-executor.0 Tainted: G B 6.5.0-syzkaller-11704-g3f86ed6ec0b3-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
print_bad_pte+0x581/0x5c0 mm/memory.c:535
zap_pte_range mm/memory.c:1458 [inline]
zap_pmd_range mm/memory.c:1573 [inline]
zap_pud_range mm/memory.c:1602 [inline]
zap_p4d_range mm/memory.c:1623 [inline]
unmap_page_range+0x1a76/0x3300 mm/memory.c:1644
unmap_vmas+0x209/0x3a0 mm/memory.c:1731
exit_mmap+0x297/0xc50 mm/mmap.c:3210
__mmput+0x115/0x3c0 kernel/fork.c:1349
exit_mm+0x21f/0x300 kernel/exit.c:567
do_exit+0x612/0x2290 kernel/exit.c:861
do_group_exit+0x206/0x2c0 kernel/exit.c:1024
get_signal+0x175d/0x1840 kernel/signal.c:2892
arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:309
exit_to_user_mode_loop+0x6a/0x100 kernel/entry/common.c:168
exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:204
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x64/0x280 kernel/entry/common.c:296
do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f48c127cae9
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
print_bad_pte+0x581/0x5c0 mm/memory.c:535
zap_pte_range mm/memory.c:1458 [inline]
zap_pmd_range mm/memory.c:1573 [inline]
zap_pud_range mm/memory.c:1602 [inline]
zap_p4d_range mm/memory.c:1623 [inline]
unmap_page_range+0x1a76/0x3300 mm/memory.c:1644
unmap_vmas+0x209/0x3a0 mm/memory.c:1731
exit_mmap+0x297/0xc50 mm/mmap.c:3210
__mmput+0x115/0x3c0 kernel/fork.c:1349
exit_mm+0x21f/0x300 kernel/exit.c:567
do_exit+0x612/0x2290 kernel/exit.c:861
do_group_exit+0x206/0x2c0 kernel/exit.c:1024
get_signal+0x175d/0x1840 kernel/signal.c:2892
arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:309
exit_to_user_mode_loop+0x6a/0x100 kernel/entry/common.c:168
exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:204
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x64/0x280 kernel/entry/common.c:296
do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Code: Unable to access opcode bytes at 0x7f48c127cabf.
RSP: 002b:00007f48c204b0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000148
RAX: ffffffffffffffe5 RBX: 00007f48c139bf80 RCX: 00007f48c127cae9
RDX: 0000000000000002 RSI: 0000000020000300 RDI: 0000000000000007
RBP: 00007f48c12c847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000008800000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f48c139bf80 R15: 00007ffc34065028
</TASK>
BUG: Bad page map in process syz-executor.0 pte:fffff99cfa120 pmd:78f39067
page:ffffea000198c140 refcount:9 mapcount:-1 mapping:ffff8880670fd190 index:0x1 pfn:0x66305
head:ffffea000198c100 order:2 entire_mapcount:0 nr_pages_mapped:8388605 pincount:0
memcg:ffff88807ad24000
aops:xfs_address_space_operations ino:244a dentry name:"bus"
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000202 ffffea000198c101 dead000000000122 fffffffdffffffff
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 0000000400000000 0000000000000000 00000000fffffffe 0000000000000000
head: 00fff0000000816c ffffea0001c7b088 ffff8880780d7030 ffff8880670fd190
head: 0000000000000000 ffff888019b03800 00000009ffffffff ffff88807ad24000
page dumped because: bad pte
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Movable, gfp_mask 0x152c4a(GFP_NOFS|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 5455, tgid 5454 (syz-executor.0), ts 76565665345, free_ts 14221393121
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
prep_new_page mm/page_alloc.c:1543 [inline]
post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
prep_new_page mm/page_alloc.c:1543 [inline]
get_page_from_freelist+0x31ec/0x3370 mm/page_alloc.c:3183
__alloc_pages+0x255/0x670 mm/page_alloc.c:4439
folio_alloc+0x1e/0x60 mm/mempolicy.c:2308
__alloc_pages+0x255/0x670 mm/page_alloc.c:4439
filemap_alloc_folio+0xde/0x500 mm/filemap.c:979
ra_alloc_folio mm/readahead.c:468 [inline]
page_cache_ra_order+0x423/0xcc0 mm/readahead.c:524
do_sync_mmap_readahead+0x444/0x850
filemap_fault+0x7d3/0x1710 mm/filemap.c:3294
page_cache_ra_order+0x423/0xcc0 mm/readahead.c:524
do_sync_mmap_readahead+0x444/0x850
__xfs_filemap_fault+0x286/0x960 fs/xfs/xfs_file.c:1354
__do_fault+0x133/0x4e0 mm/memory.c:4204
do_read_fault mm/memory.c:4568 [inline]
do_fault mm/memory.c:4705 [inline]
do_pte_missing mm/memory.c:3669 [inline]
handle_pte_fault mm/memory.c:4978 [inline]
__handle_mm_fault mm/memory.c:5119 [inline]
handle_mm_fault+0x48d2/0x6200 mm/memory.c:5284
faultin_page mm/gup.c:956 [inline]
__get_user_pages+0x6bd/0x15e0 mm/gup.c:1239
__get_user_pages_locked mm/gup.c:1504 [inline]
get_dump_page+0x146/0x2b0 mm/gup.c:2018
dump_user_range+0x126/0x910 fs/coredump.c:913
elf_core_dump+0x3b75/0x4490 fs/binfmt_elf.c:2142
do_coredump+0x1b73/0x2ab0 fs/coredump.c:764
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1136 [inline]
free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
free_contig_range+0x9e/0x150 mm/page_alloc.c:6355
__do_fault+0x133/0x4e0 mm/memory.c:4204
do_read_fault mm/memory.c:4568 [inline]
do_fault mm/memory.c:4705 [inline]
do_pte_missing mm/memory.c:3669 [inline]
handle_pte_fault mm/memory.c:4978 [inline]
__handle_mm_fault mm/memory.c:5119 [inline]
handle_mm_fault+0x48d2/0x6200 mm/memory.c:5284
faultin_page mm/gup.c:956 [inline]
__get_user_pages+0x6bd/0x15e0 mm/gup.c:1239
__get_user_pages_locked mm/gup.c:1504 [inline]
get_dump_page+0x146/0x2b0 mm/gup.c:2018
dump_user_range+0x126/0x910 fs/coredump.c:913
elf_core_dump+0x3b75/0x4490 fs/binfmt_elf.c:2142
do_coredump+0x1b73/0x2ab0 fs/coredump.c:764
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1136 [inline]
free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
destroy_args+0x95/0x7c0 mm/debug_vm_pgtable.c:1028
debug_vm_pgtable+0x4ac/0x540 mm/debug_vm_pgtable.c:1408
do_one_initcall+0x23d/0x7d0 init/main.c:1232
do_initcall_level+0x157/0x210 init/main.c:1294
do_initcalls+0x3f/0x80 init/main.c:1310
kernel_init_freeable+0x440/0x5d0 init/main.c:1547
kernel_init+0x1d/0x2a0 init/main.c:1437
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
addr:0000000020008000 vm_flags:080000d0 anon_vma:0000000000000000 mapping:ffff8880670fd190 index:7
debug_vm_pgtable+0x4ac/0x540 mm/debug_vm_pgtable.c:1408
do_one_initcall+0x23d/0x7d0 init/main.c:1232
do_initcall_level+0x157/0x210 init/main.c:1294
do_initcalls+0x3f/0x80 init/main.c:1310
kernel_init_freeable+0x440/0x5d0 init/main.c:1547
kernel_init+0x1d/0x2a0 init/main.c:1437
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
file:bus fault:xfs_filemap_fault mmap:xfs_file_mmap read_folio:xfs_vm_read_folio
CPU: 1 PID: 5455 Comm: syz-executor.0 Tainted: G B 6.5.0-syzkaller-11704-g3f86ed6ec0b3-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
print_bad_pte+0x581/0x5c0 mm/memory.c:535
zap_pte_range mm/memory.c:1458 [inline]
zap_pmd_range mm/memory.c:1573 [inline]
zap_pud_range mm/memory.c:1602 [inline]
zap_p4d_range mm/memory.c:1623 [inline]
unmap_page_range+0x1a76/0x3300 mm/memory.c:1644
unmap_vmas+0x209/0x3a0 mm/memory.c:1731
exit_mmap+0x297/0xc50 mm/mmap.c:3210
__mmput+0x115/0x3c0 kernel/fork.c:1349
exit_mm+0x21f/0x300 kernel/exit.c:567
do_exit+0x612/0x2290 kernel/exit.c:861
do_group_exit+0x206/0x2c0 kernel/exit.c:1024
get_signal+0x175d/0x1840 kernel/signal.c:2892
arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:309
exit_to_user_mode_loop+0x6a/0x100 kernel/entry/common.c:168
exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:204
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x64/0x280 kernel/entry/common.c:296
do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f48c127cae9
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
print_bad_pte+0x581/0x5c0 mm/memory.c:535
zap_pte_range mm/memory.c:1458 [inline]
zap_pmd_range mm/memory.c:1573 [inline]
zap_pud_range mm/memory.c:1602 [inline]
zap_p4d_range mm/memory.c:1623 [inline]
unmap_page_range+0x1a76/0x3300 mm/memory.c:1644
unmap_vmas+0x209/0x3a0 mm/memory.c:1731
exit_mmap+0x297/0xc50 mm/mmap.c:3210
__mmput+0x115/0x3c0 kernel/fork.c:1349
exit_mm+0x21f/0x300 kernel/exit.c:567
do_exit+0x612/0x2290 kernel/exit.c:861
do_group_exit+0x206/0x2c0 kernel/exit.c:1024
get_signal+0x175d/0x1840 kernel/signal.c:2892
arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:309
exit_to_user_mode_loop+0x6a/0x100 kernel/entry/common.c:168
exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:204
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x64/0x280 kernel/entry/common.c:296
do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Code: Unable to access opcode bytes at 0x7f48c127cabf.
RSP: 002b:00007f48c204b0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000148
RAX: ffffffffffffffe5 RBX: 00007f48c139bf80 RCX: 00007f48c127cae9
RDX: 0000000000000002 RSI: 0000000020000300 RDI: 0000000000000007
RBP: 00007f48c12c847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000008800000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f48c139bf80 R15: 00007ffc34065028
</TASK>
Tested on:
commit: 3f86ed6e Merge tag 'arc-6.6-rc1' of git://git.kernel.o..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=ff0db7a15ba54ead
dashboard link: https://syzkaller.appspot.com/bug?extid=55cc72f8cc3a549119df
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=163125dc680000
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Matthew Wilcox
Sep 11, 2023, 9:26:20 AM9/11/23
to Yin Fengwei, syzbot, ak...@linux-foundation.org, linux-...@vger.kernel.org, linu...@kvack.org, syzkall...@googlegroups.com
On Mon, Sep 11, 2023 at 03:12:27PM +0800, Yin Fengwei wrote:
>
> +static inline void set_ptes(struct mm_struct *mm, unsigned long addr,
> + pte_t *ptep, pte_t pte, unsigned int nr)
> +{
> + bool protnone = (pte_flags(pte) & (_PAGE_PROTNONE | _PAGE_PRESENT))
> + == _PAGE_PROTNONE;
> +
> + page_table_check_ptes_set(mm, ptep, pte, nr);
> +
> + for(;;) {
> + native_set_pte(ptep, pte);
> + if (--nr == 0)
> + break;
> +
> + ptep++;
> + if (protnone)
> + pte = __pte(pte_val(pte) - (1UL << PFN_PTE_SHIFT));
> + else
> + pte = __pte(pte_val(pte) + (1UL << PFN_PTE_SHIFT));
> + }
> +}
> +#define set_ptes set_ptes
Thanks for figuring this out. I don't think I would have been able to!
>
> +static inline void set_ptes(struct mm_struct *mm, unsigned long addr,
> + pte_t *ptep, pte_t pte, unsigned int nr)
> +{
> + bool protnone = (pte_flags(pte) & (_PAGE_PROTNONE | _PAGE_PRESENT))
> + == _PAGE_PROTNONE;
> +
> + page_table_check_ptes_set(mm, ptep, pte, nr);
> +
> + for(;;) {
> + native_set_pte(ptep, pte);
> + if (--nr == 0)
> + break;
> +
> + ptep++;
> + if (protnone)
> + pte = __pte(pte_val(pte) - (1UL << PFN_PTE_SHIFT));
> + else
> + pte = __pte(pte_val(pte) + (1UL << PFN_PTE_SHIFT));
> + }
> +}
> +#define set_ptes set_ptes
I think this solution probably breaks pgtable-2level configs,
unfortunately. How about this? If other architectures decide to adopt
the inverted page table entry in the future, it'll work for them too.
#syz test
diff --git a/arch/x86/include/asm/pgtable-2level.h b/arch/x86/include/asm/pgtable-2level.h
index e9482a11ac52..a89be3e9b032 100644
--- a/arch/x86/include/asm/pgtable-2level.h
+++ b/arch/x86/include/asm/pgtable-2level.h
@@ -123,9 +123,6 @@ static inline u64 flip_protnone_guard(u64 oldval, u64 val, u64 mask)
return val;
}
-static inline bool __pte_needs_invert(u64 val)
-{
- return false;
-}
+#define __pte_needs_invert(val) false
#endif /* _ASM_X86_PGTABLE_2LEVEL_H */
diff --git a/arch/x86/include/asm/pgtable-invert.h b/arch/x86/include/asm/pgtable-invert.h
index a0c1525f1b6f..f21726add655 100644
--- a/arch/x86/include/asm/pgtable-invert.h
+++ b/arch/x86/include/asm/pgtable-invert.h
@@ -17,6 +17,7 @@ static inline bool __pte_needs_invert(u64 val)
{
return val && !(val & _PAGE_PRESENT);
}
+#define __pte_needs_invert __pte_needs_invert
/* Get a mask to xor with the page table entry to get the correct pfn. */
static inline u64 protnone_mask(u64 val)
diff --git a/include/linux/pgtable.h b/include/linux/pgtable.h
index 1fba072b3dac..34b12e94b850 100644
--- a/include/linux/pgtable.h
+++ b/include/linux/pgtable.h
@@ -205,6 +205,10 @@ static inline int pmd_young(pmd_t pmd)
#define arch_flush_lazy_mmu_mode() do {} while (0)
#endif
+#ifndef __pte_needs_invert
+#define __pte_needs_invert(pte) false
+#endif
+
#ifndef set_ptes
/**
* set_ptes - Map consecutive pages to a contiguous range of addresses.
@@ -231,7 +235,10 @@ static inline void set_ptes(struct mm_struct *mm, unsigned long addr,
if (--nr == 0)
break;
ptep++;
- pte = __pte(pte_val(pte) + (1UL << PFN_PTE_SHIFT));
+ if (__pte_needs_invert(pte_val(pte)))
+ pte = __pte(pte_val(pte) - (1UL << PFN_PTE_SHIFT));
+ else
+ pte = __pte(pte_val(pte) + (1UL << PFN_PTE_SHIFT));
}
arch_leave_lazy_mmu_mode();
+ else
+ pte = __pte(pte_val(pte) + (1UL << PFN_PTE_SHIFT));
}
}
syzbot
Sep 11, 2023, 10:00:47 AM9/11/23
to ak...@linux-foundation.org, fengw...@intel.com, linux-...@vger.kernel.org, linu...@kvack.org, syzkall...@googlegroups.com, wi...@infradead.org
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+55cc72...@syzkaller.appspotmail.com
Tested on:
commit: 0bb80ecc Linux 6.6-rc1
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1010b50c680000
kernel config: https://syzkaller.appspot.com/x/.config?x=13f2a37749f07ab2
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+55cc72...@syzkaller.appspotmail.com
Tested on:
commit: 0bb80ecc Linux 6.6-rc1
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=13f2a37749f07ab2
dashboard link: https://syzkaller.appspot.com/bug?extid=55cc72f8cc3a549119df
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=155d6578680000
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Dave Hansen
Sep 11, 2023, 12:02:06 PM9/11/23
to Matthew Wilcox, Yin Fengwei, syzbot, ak...@linux-foundation.org, linux-...@vger.kernel.org, linu...@kvack.org, syzkall...@googlegroups.com
On 9/11/23 06:26, Matthew Wilcox wrote:
> @@ -231,7 +235,10 @@ static inline void set_ptes(struct mm_struct *mm, unsigned long addr,
> if (--nr == 0)
> break;
> ptep++;
> - pte = __pte(pte_val(pte) + (1UL << PFN_PTE_SHIFT));
> + if (__pte_needs_invert(pte_val(pte)))
> + pte = __pte(pte_val(pte) - (1UL << PFN_PTE_SHIFT));
> + else
> + pte = __pte(pte_val(pte) + (1UL << PFN_PTE_SHIFT));
> }
> arch_leave_lazy_mmu_mode();
> }
This is much better than a whole x86 fork of set_ptes(). But it's still
> @@ -231,7 +235,10 @@ static inline void set_ptes(struct mm_struct *mm, unsigned long addr,
> if (--nr == 0)
> break;
> ptep++;
> - pte = __pte(pte_val(pte) + (1UL << PFN_PTE_SHIFT));
> + if (__pte_needs_invert(pte_val(pte)))
> + pte = __pte(pte_val(pte) - (1UL << PFN_PTE_SHIFT));
> + else
> + pte = __pte(pte_val(pte) + (1UL << PFN_PTE_SHIFT));
> }
> arch_leave_lazy_mmu_mode();
> }
a bit wonky because it exposes the PTE inversion logic to generic code.
Could we do something like this instead? It'll (probably) end up
repeating the PTE inversion logic each way though the loop, so it's less
efficient than what you have above. But unless I buggered something, it
"just works" without exposing any of the inversion logic to generic code.
The trick is that pte_pfn() undoes the inversion and then pfn_pte()
re-does it on each trip through the loop.
static inline void set_ptes(struct mm_struct *mm, unsigned long addr,
pte_t *ptep, pte_t pte, unsigned int nr)
{
pgprot_t prot = pte_pgprot(x);
unsigned long pfn = pte_pfn(pte);
page_table_check_ptes_set(mm, ptep, pte, nr);
arch_enter_lazy_mmu_mode();
for (;;) {
set_pte(ptep, pte);
if (--nr == 0)
break;
ptep++;
pfn++;
break;
ptep++;
pte = pfn_pte(pfn, pgprot);
}
arch_leave_lazy_mmu_mode();
}
Obviously completely untested. :)
Matthew Wilcox
Sep 11, 2023, 12:44:14 PM9/11/23
to Dave Hansen, Yin Fengwei, syzbot, ak...@linux-foundation.org, linux-...@vger.kernel.org, linu...@kvack.org, syzkall...@googlegroups.com
On Mon, Sep 11, 2023 at 08:34:57AM -0700, Dave Hansen wrote:
> On 9/11/23 06:26, Matthew Wilcox wrote:
> > @@ -231,7 +235,10 @@ static inline void set_ptes(struct mm_struct *mm, unsigned long addr,
> > if (--nr == 0)
> > break;
> > ptep++;
> > - pte = __pte(pte_val(pte) + (1UL << PFN_PTE_SHIFT));
> > + if (__pte_needs_invert(pte_val(pte)))
> > + pte = __pte(pte_val(pte) - (1UL << PFN_PTE_SHIFT));
> > + else
> > + pte = __pte(pte_val(pte) + (1UL << PFN_PTE_SHIFT));
> > }
> > arch_leave_lazy_mmu_mode();
> > }
>
> This is much better than a whole x86 fork of set_ptes(). But it's still
> a bit wonky because it exposes the PTE inversion logic to generic code.
I saw that as an advantage ... let people know that it exists as a
> On 9/11/23 06:26, Matthew Wilcox wrote:
> > @@ -231,7 +235,10 @@ static inline void set_ptes(struct mm_struct *mm, unsigned long addr,
> > if (--nr == 0)
> > break;
> > ptep++;
> > - pte = __pte(pte_val(pte) + (1UL << PFN_PTE_SHIFT));
> > + if (__pte_needs_invert(pte_val(pte)))
> > + pte = __pte(pte_val(pte) - (1UL << PFN_PTE_SHIFT));
> > + else
> > + pte = __pte(pte_val(pte) + (1UL << PFN_PTE_SHIFT));
> > }
> > arch_leave_lazy_mmu_mode();
> > }
>
> This is much better than a whole x86 fork of set_ptes(). But it's still
> a bit wonky because it exposes the PTE inversion logic to generic code.
concept.
> static inline void set_ptes(struct mm_struct *mm, unsigned long addr,
> pte_t *ptep, pte_t pte, unsigned int nr)
> {
> pgprot_t prot = pte_pgprot(x);
> unsigned long pfn = pte_pfn(pte);
>
> page_table_check_ptes_set(mm, ptep, pte, nr);
>
> arch_enter_lazy_mmu_mode();
> for (;;) {
> set_pte(ptep, pte);
> if (--nr == 0)
> break;
> ptep++;
> pfn++;
> pte = pfn_pte(pfn, pgprot);
> }
> arch_leave_lazy_mmu_mode();
> }
>
> Obviously completely untested. :)
my version. Not sure that's great.
How about this? Keeps the inverted knowledge entirely in arch/x86.
Compiles to exactly the same code as the version I sent earlier.
diff --git a/arch/x86/include/asm/pgtable.h b/arch/x86/include/asm/pgtable.h
index d6ad98ca1288..c9781b8b14af 100644
--- a/arch/x86/include/asm/pgtable.h
+++ b/arch/x86/include/asm/pgtable.h
@@ -955,6 +955,14 @@ static inline int pte_same(pte_t a, pte_t b)
return a.pte == b.pte;
}
+static inline pte_t pte_next(pte_t pte)
+{
+ if (__pte_needs_invert(pte_val(pte)))
+ return __pte(pte_val(pte) - (1UL << PFN_PTE_SHIFT));
+ return __pte(pte_val(pte) + (1UL << PFN_PTE_SHIFT));
+}
+#define pte_next pte_next
+
static inline int pte_present(pte_t a)
{
return pte_flags(a) & (_PAGE_PRESENT | _PAGE_PROTNONE);
diff --git a/include/linux/pgtable.h b/include/linux/pgtable.h
index 1fba072b3dac..7a932ed59c27 100644
--- a/include/linux/pgtable.h
+++ b/include/linux/pgtable.h
@@ -205,6 +205,10 @@ static inline int pmd_young(pmd_t pmd)
#define arch_flush_lazy_mmu_mode() do {} while (0)
#endif
+#ifndef pte_next
+++ b/include/linux/pgtable.h
@@ -205,6 +205,10 @@ static inline int pmd_young(pmd_t pmd)
#define arch_flush_lazy_mmu_mode() do {} while (0)
#endif
+#define pte_next(pte) ((pte) + (1UL << PFN_PTE_SHIFT))
+#endif
+
#ifndef set_ptes
/**
* set_ptes - Map consecutive pages to a contiguous range of addresses.
@@ -231,7 +235,7 @@ static inline void set_ptes(struct mm_struct *mm, unsigned long addr,
+
#ifndef set_ptes
/**
* set_ptes - Map consecutive pages to a contiguous range of addresses.
if (--nr == 0)
break;
ptep++;
- pte = __pte(pte_val(pte) + (1UL << PFN_PTE_SHIFT));
+ pte = pte_next(pte);
break;
ptep++;
- pte = __pte(pte_val(pte) + (1UL << PFN_PTE_SHIFT));
}
arch_leave_lazy_mmu_mode();
}
Dave Hansen
Sep 11, 2023, 1:05:28 PM9/11/23
to Matthew Wilcox, Yin Fengwei, syzbot, ak...@linux-foundation.org, linux-...@vger.kernel.org, linu...@kvack.org, syzkall...@googlegroups.com
On 9/11/23 09:44, Matthew Wilcox wrote:
>> static inline void set_ptes(struct mm_struct *mm, unsigned long addr,
>> pte_t *ptep, pte_t pte, unsigned int nr)
>> {
>> pgprot_t prot = pte_pgprot(x);
>> unsigned long pfn = pte_pfn(pte);
>>
>> page_table_check_ptes_set(mm, ptep, pte, nr);
>>
>> arch_enter_lazy_mmu_mode();
>> for (;;) {
>> set_pte(ptep, pte);
>> if (--nr == 0)
>> break;
>> ptep++;
>> pfn++;
>> pte = pfn_pte(pfn, pgprot);
>> }
>> arch_leave_lazy_mmu_mode();
>> }
>>
>> Obviously completely untested. 😄
>> static inline void set_ptes(struct mm_struct *mm, unsigned long addr,
>> pte_t *ptep, pte_t pte, unsigned int nr)
>> {
>> pgprot_t prot = pte_pgprot(x);
>> unsigned long pfn = pte_pfn(pte);
>>
>> page_table_check_ptes_set(mm, ptep, pte, nr);
>>
>> arch_enter_lazy_mmu_mode();
>> for (;;) {
>> set_pte(ptep, pte);
>> if (--nr == 0)
>> break;
>> ptep++;
>> pfn++;
>> pte = pfn_pte(pfn, pgprot);
>> }
>> arch_leave_lazy_mmu_mode();
>> }
>>
> After fixing your two typos, this assembles to 176 bytes more code than
> my version. Not sure that's great.
Heh, only two? ;)
> my version. Not sure that's great.
Maybe I'm a fool, but 176 bytes of text bloat isn't scaring me off too
much. I'd much rather have that than another window into x86 goofiness
to maintain.
Does that 176 bytes translate into meaningful performance, or is it just
a bunch of register bit twiddling that the CPU will sail through?
Matthew Wilcox
Sep 11, 2023, 3:12:39 PM9/11/23
to Dave Hansen, Yin Fengwei, syzbot, ak...@linux-foundation.org, linux-...@vger.kernel.org, linu...@kvack.org, syzkall...@googlegroups.com
On Mon, Sep 11, 2023 at 09:55:37AM -0700, Dave Hansen wrote:
> On 9/11/23 09:44, Matthew Wilcox wrote:
> > After fixing your two typos, this assembles to 176 bytes more code than
> > my version. Not sure that's great.
>
> On 9/11/23 09:44, Matthew Wilcox wrote:
> > After fixing your two typos, this assembles to 176 bytes more code than
> > my version. Not sure that's great.
>
> Maybe I'm a fool, but 176 bytes of text bloat isn't scaring me off too
> much. I'd much rather have that than another window into x86 goofiness
> to maintain.
>
> Does that 176 bytes translate into meaningful performance, or is it just
> a bunch of register bit twiddling that the CPU will sail through?
I'm ... not sure how to tell. It's 1120 bytes vs 944 bytes and crawling
> much. I'd much rather have that than another window into x86 goofiness
> to maintain.
>
> Does that 176 bytes translate into meaningful performance, or is it just
> a bunch of register bit twiddling that the CPU will sail through?
through that much x86 assembly isn't my idea of a great time. I can
send you objdump -dr for all three options if you like? Maybe there's
a quick way to compare them that I've never known about.
Dave Hansen
Sep 11, 2023, 4:22:56 PM9/11/23
to Matthew Wilcox, Yin Fengwei, syzbot, ak...@linux-foundation.org, linux-...@vger.kernel.org, linu...@kvack.org, syzkall...@googlegroups.com
.config and generally what compiler you're on.
I'll see if there's anything silly happening that's causing the
generated code to blow up.
Matthew Wilcox
Sep 12, 2023, 12:59:38 AM9/12/23
to Dave Hansen, Yin Fengwei, syzbot, ak...@linux-foundation.org, linux-...@vger.kernel.org, linu...@kvack.org, syzkall...@googlegroups.com
I don't think there's anything particularly strange about my .config
If you compile this patch as-is, you'll get your preferred code.
Remove the #define DH and you get mine.
I would say that 176 bytes is 3 cachelines of I$, which isn't free,
even if all the insns in it can be executed while the CPU is waiting
for cache misses. This ought to be a pretty tight loop anyway; we're
just filling in adjacent PTEs. There may not be many spare cycles
for "free" uops to execute.
diff --git a/arch/x86/include/asm/pgtable.h b/arch/x86/include/asm/pgtable.h
index d6ad98ca1288..c9781b8b14af 100644
--- a/arch/x86/include/asm/pgtable.h
+++ b/arch/x86/include/asm/pgtable.h
@@ -955,6 +955,14 @@ static inline int pte_same(pte_t a, pte_t b)
return a.pte == b.pte;
}
+static inline pte_t pte_next(pte_t pte)
+{
+ if (__pte_needs_invert(pte_val(pte)))
+ return __pte(pte_val(pte) - (1UL << PFN_PTE_SHIFT));
+ return __pte(pte_val(pte) + (1UL << PFN_PTE_SHIFT));
+}
+#define pte_next pte_next
+
static inline int pte_present(pte_t a)
{
return pte_flags(a) & (_PAGE_PRESENT | _PAGE_PROTNONE);
diff --git a/include/linux/pgtable.h b/include/linux/pgtable.h
--- a/include/linux/pgtable.h
+++ b/include/linux/pgtable.h
@@ -205,6 +205,10 @@ static inline int pmd_young(pmd_t pmd)
#define arch_flush_lazy_mmu_mode() do {} while (0)
#endif
+#ifndef pte_next
+#define pte_next(pte) ((pte) + (1UL << PFN_PTE_SHIFT))
+#endif
+
#ifndef set_ptes
/**
* set_ptes - Map consecutive pages to a contiguous range of addresses.
@@ -223,6 +227,11 @@ static inline int pmd_young(pmd_t pmd)
+++ b/include/linux/pgtable.h
@@ -205,6 +205,10 @@ static inline int pmd_young(pmd_t pmd)
#define arch_flush_lazy_mmu_mode() do {} while (0)
#endif
+#ifndef pte_next
+#define pte_next(pte) ((pte) + (1UL << PFN_PTE_SHIFT))
+#endif
+
#ifndef set_ptes
/**
* set_ptes - Map consecutive pages to a contiguous range of addresses.
static inline void set_ptes(struct mm_struct *mm, unsigned long addr,
pte_t *ptep, pte_t pte, unsigned int nr)
{
+#define DH
pte_t *ptep, pte_t pte, unsigned int nr)
{
+#ifdef DH
+ pgprot_t prot = pte_pgprot(pte);
+ unsigned long pfn = pte_pfn(pte);
+#endif
page_table_check_ptes_set(mm, ptep, pte, nr);
arch_enter_lazy_mmu_mode();
@@ -231,7 +240,12 @@ static inline void set_ptes(struct mm_struct *mm, unsigned long addr,
arch_enter_lazy_mmu_mode();
if (--nr == 0)
break;
ptep++;
break;
ptep++;
- pte = __pte(pte_val(pte) + (1UL << PFN_PTE_SHIFT));
+#ifdef DH
+ pfn++;
+ pte = pfn_pte(pfn, prot);
+#else
+ pte = pte_next(pte);
+#endif
}
arch_leave_lazy_mmu_mode();
}
Hillf Danton
Sep 12, 2023, 7:20:22 AM9/12/23
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Sat, 09 Sep 2023 10:12:48 -0700
> HEAD commit: 3f86ed6ec0b3 Merge tag 'arc-6.6-rc1' of git://git.kernel.o..
> git tree: upstream
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1445ba2fa80000
#syz test
--- x/mm/filemap.c
> HEAD commit: 3f86ed6ec0b3 Merge tag 'arc-6.6-rc1' of git://git.kernel.o..
> git tree: upstream
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1445ba2fa80000
#syz test
+++ y/mm/filemap.c
@@ -3495,6 +3495,8 @@ static vm_fault_t filemap_map_folio_rang
if (mmap_miss > 0)
mmap_miss--;
+ if (pte_protnone(vmf->pte[count]))
+ goto skip;
/*
* NOTE: If there're PTE markers, we'll leave them to be
* handled in the specific fault path, and it'll prohibit the
--
syzbot
Sep 12, 2023, 7:44:30 AM9/12/23
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: Bad page map
BUG: Bad page map in process syz-executor.0 pte:fffff99a98120 pmd:1fbee067
page:ffffea00019959c0 refcount:9 mapcount:-1 mapping:ffff88807736c9d0 index:0x3 pfn:0x66567
head:ffffea0001995900 order:2 entire_mapcount:0 nr_pages_mapped:8388607 pincount:0
memcg:ffff88802112c000
head: 0000000000000000 ffff8880146f3b80 00000009ffffffff ffff88802112c000
filemap_alloc_folio+0xde/0x500 mm/filemap.c:976
RIP: 0033:0x7f3a06c7cae9
Code: Unable to access opcode bytes at 0x7f3a06c7cabf.
RSP: 002b:00007f3a07a010c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000148
RAX: ffffffffffffffe5 RBX: 00007f3a06d9bf80 RCX: 00007f3a06c7cae9
</TASK>
BUG: Bad page map in process syz-executor.0 pte:fffff99a99120 pmd:1fbee067
page:ffffea0001995980 refcount:9 mapcount:-1 mapping:ffff88807736c9d0 index:0x2 pfn:0x66566
head:ffffea0001995900 order:2 entire_mapcount:0 nr_pages_mapped:8388606 pincount:0
memcg:ffff88802112c000
head: 0000000000000000 ffff8880146f3b80 00000009ffffffff ffff88802112c000
filemap_alloc_folio+0xde/0x500 mm/filemap.c:976
RIP: 0033:0x7f3a06c7cae9
Code: Unable to access opcode bytes at 0x7f3a06c7cabf.
RSP: 002b:00007f3a07a010c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000148
RAX: ffffffffffffffe5 RBX: 00007f3a06d9bf80 RCX: 00007f3a06c7cae9
</TASK>
BUG: Bad page map in process syz-executor.0 pte:fffff99a9a120 pmd:1fbee067
page:ffffea0001995940 refcount:9 mapcount:-1 mapping:ffff88807736c9d0 index:0x1 pfn:0x66565
head:ffffea0001995900 order:2 entire_mapcount:0 nr_pages_mapped:8388605 pincount:0
memcg:ffff88802112c000
head: 0000000000000000 ffff8880146f3b80 00000009ffffffff ffff88802112c000
filemap_alloc_folio+0xde/0x500 mm/filemap.c:976
RIP: 0033:0x7f3a06c7cae9
Code: Unable to access opcode bytes at 0x7f3a06c7cabf.
RSP: 002b:00007f3a07a010c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000148
RAX: ffffffffffffffe5 RBX: 00007f3a06d9bf80 RCX: 00007f3a06c7cae9
</TASK>
Tested on:
commit: 0bb80ecc Linux 6.6-rc1
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16cb00e8680000
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: Bad page map
page:ffffea00019959c0 refcount:9 mapcount:-1 mapping:ffff88807736c9d0 index:0x3 pfn:0x66567
head:ffffea0001995900 order:2 entire_mapcount:0 nr_pages_mapped:8388607 pincount:0
memcg:ffff88802112c000
aops:xfs_address_space_operations ino:244a dentry name:"bus"
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000000 ffffea0001995901 dead000000000122 dead000000000400
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 0000000000000001 0000000000000000 00000000fffffffe 0000000000000000
head: 00fff0000000816c ffffea0001c1b9c8 ffff888020f3a030 ffff88807736c9d0
head: 0000000000000000 ffff8880146f3b80 00000009ffffffff ffff88802112c000
page dumped because: bad pte
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Movable, gfp_mask 0x152c4a(GFP_NOFS|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 5463, tgid 5461 (syz-executor.0), ts 75822700865, free_ts 14932935563
page_owner tracks the page as allocated
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
prep_new_page mm/page_alloc.c:1543 [inline]
post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
prep_new_page mm/page_alloc.c:1543 [inline]
get_page_from_freelist+0x31db/0x3360 mm/page_alloc.c:3170
__alloc_pages+0x255/0x670 mm/page_alloc.c:4426
folio_alloc+0x1e/0x60 mm/mempolicy.c:2308
__alloc_pages+0x255/0x670 mm/page_alloc.c:4426
filemap_alloc_folio+0xde/0x500 mm/filemap.c:976
ra_alloc_folio mm/readahead.c:468 [inline]
page_cache_ra_order+0x423/0xcc0 mm/readahead.c:524
do_sync_mmap_readahead+0x444/0x850
filemap_fault+0x7d3/0x1710 mm/filemap.c:3291
page_cache_ra_order+0x423/0xcc0 mm/readahead.c:524
do_sync_mmap_readahead+0x444/0x850
__xfs_filemap_fault+0x286/0x960 fs/xfs/xfs_file.c:1354
__do_fault+0x133/0x4e0 mm/memory.c:4204
do_read_fault mm/memory.c:4568 [inline]
do_fault mm/memory.c:4705 [inline]
do_pte_missing mm/memory.c:3669 [inline]
handle_pte_fault mm/memory.c:4978 [inline]
__handle_mm_fault mm/memory.c:5119 [inline]
handle_mm_fault+0x48d2/0x6200 mm/memory.c:5284
faultin_page mm/gup.c:956 [inline]
__get_user_pages+0x6bd/0x15e0 mm/gup.c:1239
__get_user_pages_locked mm/gup.c:1504 [inline]
get_dump_page+0x146/0x2b0 mm/gup.c:2018
dump_user_range+0x126/0x910 fs/coredump.c:913
elf_core_dump+0x3b75/0x4490 fs/binfmt_elf.c:2142
do_coredump+0x1b73/0x2ab0 fs/coredump.c:764
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1136 [inline]
free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
free_contig_range+0x9e/0x150 mm/page_alloc.c:6342
__do_fault+0x133/0x4e0 mm/memory.c:4204
do_read_fault mm/memory.c:4568 [inline]
do_fault mm/memory.c:4705 [inline]
do_pte_missing mm/memory.c:3669 [inline]
handle_pte_fault mm/memory.c:4978 [inline]
__handle_mm_fault mm/memory.c:5119 [inline]
handle_mm_fault+0x48d2/0x6200 mm/memory.c:5284
faultin_page mm/gup.c:956 [inline]
__get_user_pages+0x6bd/0x15e0 mm/gup.c:1239
__get_user_pages_locked mm/gup.c:1504 [inline]
get_dump_page+0x146/0x2b0 mm/gup.c:2018
dump_user_range+0x126/0x910 fs/coredump.c:913
elf_core_dump+0x3b75/0x4490 fs/binfmt_elf.c:2142
do_coredump+0x1b73/0x2ab0 fs/coredump.c:764
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1136 [inline]
free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
destroy_args+0x95/0x7c0 mm/debug_vm_pgtable.c:1028
debug_vm_pgtable+0x4ac/0x540 mm/debug_vm_pgtable.c:1408
do_one_initcall+0x23d/0x7d0 init/main.c:1232
do_initcall_level+0x157/0x210 init/main.c:1294
do_initcalls+0x3f/0x80 init/main.c:1310
kernel_init_freeable+0x440/0x5d0 init/main.c:1547
kernel_init+0x1d/0x2a0 init/main.c:1437
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
addr:0000000020006000 vm_flags:080000d0 anon_vma:0000000000000000 mapping:ffff88807736c9d0 index:5
debug_vm_pgtable+0x4ac/0x540 mm/debug_vm_pgtable.c:1408
do_one_initcall+0x23d/0x7d0 init/main.c:1232
do_initcall_level+0x157/0x210 init/main.c:1294
do_initcalls+0x3f/0x80 init/main.c:1310
kernel_init_freeable+0x440/0x5d0 init/main.c:1547
kernel_init+0x1d/0x2a0 init/main.c:1437
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
file:bus fault:xfs_filemap_fault mmap:xfs_file_mmap read_folio:xfs_vm_read_folio
CPU: 1 PID: 5463 Comm: syz-executor.0 Not tainted 6.6.0-rc1-syzkaller-dirty #0
Code: Unable to access opcode bytes at 0x7f3a06c7cabf.
RSP: 002b:00007f3a07a010c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000148
RAX: ffffffffffffffe5 RBX: 00007f3a06d9bf80 RCX: 00007f3a06c7cae9
RDX: 0000000000000002 RSI: 0000000020000300 RDI: 0000000000000007
RBP: 00007f3a06cc847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000008800000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f3a06d9bf80 R15: 00007fffc30ea648
</TASK>
BUG: Bad page map in process syz-executor.0 pte:fffff99a99120 pmd:1fbee067
page:ffffea0001995980 refcount:9 mapcount:-1 mapping:ffff88807736c9d0 index:0x2 pfn:0x66566
head:ffffea0001995900 order:2 entire_mapcount:0 nr_pages_mapped:8388606 pincount:0
memcg:ffff88802112c000
aops:xfs_address_space_operations ino:244a dentry name:"bus"
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000000 ffffea0001995901 ffffea0001995990 ffffea0001995990
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 0000000000000001 0000000000000000 00000000fffffffe 0000000000000000
head: 00fff0000000816c ffffea0001c1b9c8 ffff888020f3a030 ffff88807736c9d0
head: 0000000000000000 ffff8880146f3b80 00000009ffffffff ffff88802112c000
page dumped because: bad pte
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Movable, gfp_mask 0x152c4a(GFP_NOFS|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 5463, tgid 5461 (syz-executor.0), ts 75822700865, free_ts 14932929861
page_owner tracks the page as allocated
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
prep_new_page mm/page_alloc.c:1543 [inline]
post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
prep_new_page mm/page_alloc.c:1543 [inline]
get_page_from_freelist+0x31db/0x3360 mm/page_alloc.c:3170
__alloc_pages+0x255/0x670 mm/page_alloc.c:4426
folio_alloc+0x1e/0x60 mm/mempolicy.c:2308
__alloc_pages+0x255/0x670 mm/page_alloc.c:4426
filemap_alloc_folio+0xde/0x500 mm/filemap.c:976
ra_alloc_folio mm/readahead.c:468 [inline]
page_cache_ra_order+0x423/0xcc0 mm/readahead.c:524
do_sync_mmap_readahead+0x444/0x850
filemap_fault+0x7d3/0x1710 mm/filemap.c:3291
page_cache_ra_order+0x423/0xcc0 mm/readahead.c:524
do_sync_mmap_readahead+0x444/0x850
__xfs_filemap_fault+0x286/0x960 fs/xfs/xfs_file.c:1354
__do_fault+0x133/0x4e0 mm/memory.c:4204
do_read_fault mm/memory.c:4568 [inline]
do_fault mm/memory.c:4705 [inline]
do_pte_missing mm/memory.c:3669 [inline]
handle_pte_fault mm/memory.c:4978 [inline]
__handle_mm_fault mm/memory.c:5119 [inline]
handle_mm_fault+0x48d2/0x6200 mm/memory.c:5284
faultin_page mm/gup.c:956 [inline]
__get_user_pages+0x6bd/0x15e0 mm/gup.c:1239
__get_user_pages_locked mm/gup.c:1504 [inline]
get_dump_page+0x146/0x2b0 mm/gup.c:2018
dump_user_range+0x126/0x910 fs/coredump.c:913
elf_core_dump+0x3b75/0x4490 fs/binfmt_elf.c:2142
do_coredump+0x1b73/0x2ab0 fs/coredump.c:764
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1136 [inline]
free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
free_contig_range+0x9e/0x150 mm/page_alloc.c:6342
__do_fault+0x133/0x4e0 mm/memory.c:4204
do_read_fault mm/memory.c:4568 [inline]
do_fault mm/memory.c:4705 [inline]
do_pte_missing mm/memory.c:3669 [inline]
handle_pte_fault mm/memory.c:4978 [inline]
__handle_mm_fault mm/memory.c:5119 [inline]
handle_mm_fault+0x48d2/0x6200 mm/memory.c:5284
faultin_page mm/gup.c:956 [inline]
__get_user_pages+0x6bd/0x15e0 mm/gup.c:1239
__get_user_pages_locked mm/gup.c:1504 [inline]
get_dump_page+0x146/0x2b0 mm/gup.c:2018
dump_user_range+0x126/0x910 fs/coredump.c:913
elf_core_dump+0x3b75/0x4490 fs/binfmt_elf.c:2142
do_coredump+0x1b73/0x2ab0 fs/coredump.c:764
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1136 [inline]
free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
destroy_args+0x95/0x7c0 mm/debug_vm_pgtable.c:1028
debug_vm_pgtable+0x4ac/0x540 mm/debug_vm_pgtable.c:1408
do_one_initcall+0x23d/0x7d0 init/main.c:1232
do_initcall_level+0x157/0x210 init/main.c:1294
do_initcalls+0x3f/0x80 init/main.c:1310
kernel_init_freeable+0x440/0x5d0 init/main.c:1547
kernel_init+0x1d/0x2a0 init/main.c:1437
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
addr:0000000020007000 vm_flags:080000d0 anon_vma:0000000000000000 mapping:ffff88807736c9d0 index:6
debug_vm_pgtable+0x4ac/0x540 mm/debug_vm_pgtable.c:1408
do_one_initcall+0x23d/0x7d0 init/main.c:1232
do_initcall_level+0x157/0x210 init/main.c:1294
do_initcalls+0x3f/0x80 init/main.c:1310
kernel_init_freeable+0x440/0x5d0 init/main.c:1547
kernel_init+0x1d/0x2a0 init/main.c:1437
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
file:bus fault:xfs_filemap_fault mmap:xfs_file_mmap read_folio:xfs_vm_read_folio
CPU: 1 PID: 5463 Comm: syz-executor.0 Tainted: G B 6.6.0-rc1-syzkaller-dirty #0
Code: Unable to access opcode bytes at 0x7f3a06c7cabf.
RSP: 002b:00007f3a07a010c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000148
RAX: ffffffffffffffe5 RBX: 00007f3a06d9bf80 RCX: 00007f3a06c7cae9
RDX: 0000000000000002 RSI: 0000000020000300 RDI: 0000000000000007
RBP: 00007f3a06cc847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000008800000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f3a06d9bf80 R15: 00007fffc30ea648
</TASK>
BUG: Bad page map in process syz-executor.0 pte:fffff99a9a120 pmd:1fbee067
page:ffffea0001995940 refcount:9 mapcount:-1 mapping:ffff88807736c9d0 index:0x1 pfn:0x66565
head:ffffea0001995900 order:2 entire_mapcount:0 nr_pages_mapped:8388605 pincount:0
memcg:ffff88802112c000
aops:xfs_address_space_operations ino:244a dentry name:"bus"
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000202 ffffea0001995901 dead000000000122 fffffffdffffffff
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 0000000400000000 0000000000000000 00000000fffffffe 0000000000000000
head: 00fff0000000816c ffffea0001c1b9c8 ffff888020f3a030 ffff88807736c9d0
head: 0000000000000000 ffff8880146f3b80 00000009ffffffff ffff88802112c000
page dumped because: bad pte
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Movable, gfp_mask 0x152c4a(GFP_NOFS|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 5463, tgid 5461 (syz-executor.0), ts 75822700865, free_ts 14932924004
page_owner tracks the page as allocated
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
prep_new_page mm/page_alloc.c:1543 [inline]
post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
prep_new_page mm/page_alloc.c:1543 [inline]
get_page_from_freelist+0x31db/0x3360 mm/page_alloc.c:3170
__alloc_pages+0x255/0x670 mm/page_alloc.c:4426
folio_alloc+0x1e/0x60 mm/mempolicy.c:2308
__alloc_pages+0x255/0x670 mm/page_alloc.c:4426
filemap_alloc_folio+0xde/0x500 mm/filemap.c:976
ra_alloc_folio mm/readahead.c:468 [inline]
page_cache_ra_order+0x423/0xcc0 mm/readahead.c:524
do_sync_mmap_readahead+0x444/0x850
filemap_fault+0x7d3/0x1710 mm/filemap.c:3291
page_cache_ra_order+0x423/0xcc0 mm/readahead.c:524
do_sync_mmap_readahead+0x444/0x850
__xfs_filemap_fault+0x286/0x960 fs/xfs/xfs_file.c:1354
__do_fault+0x133/0x4e0 mm/memory.c:4204
do_read_fault mm/memory.c:4568 [inline]
do_fault mm/memory.c:4705 [inline]
do_pte_missing mm/memory.c:3669 [inline]
handle_pte_fault mm/memory.c:4978 [inline]
__handle_mm_fault mm/memory.c:5119 [inline]
handle_mm_fault+0x48d2/0x6200 mm/memory.c:5284
faultin_page mm/gup.c:956 [inline]
__get_user_pages+0x6bd/0x15e0 mm/gup.c:1239
__get_user_pages_locked mm/gup.c:1504 [inline]
get_dump_page+0x146/0x2b0 mm/gup.c:2018
dump_user_range+0x126/0x910 fs/coredump.c:913
elf_core_dump+0x3b75/0x4490 fs/binfmt_elf.c:2142
do_coredump+0x1b73/0x2ab0 fs/coredump.c:764
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1136 [inline]
free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
free_contig_range+0x9e/0x150 mm/page_alloc.c:6342
__do_fault+0x133/0x4e0 mm/memory.c:4204
do_read_fault mm/memory.c:4568 [inline]
do_fault mm/memory.c:4705 [inline]
do_pte_missing mm/memory.c:3669 [inline]
handle_pte_fault mm/memory.c:4978 [inline]
__handle_mm_fault mm/memory.c:5119 [inline]
handle_mm_fault+0x48d2/0x6200 mm/memory.c:5284
faultin_page mm/gup.c:956 [inline]
__get_user_pages+0x6bd/0x15e0 mm/gup.c:1239
__get_user_pages_locked mm/gup.c:1504 [inline]
get_dump_page+0x146/0x2b0 mm/gup.c:2018
dump_user_range+0x126/0x910 fs/coredump.c:913
elf_core_dump+0x3b75/0x4490 fs/binfmt_elf.c:2142
do_coredump+0x1b73/0x2ab0 fs/coredump.c:764
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1136 [inline]
free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
destroy_args+0x95/0x7c0 mm/debug_vm_pgtable.c:1028
debug_vm_pgtable+0x4ac/0x540 mm/debug_vm_pgtable.c:1408
do_one_initcall+0x23d/0x7d0 init/main.c:1232
do_initcall_level+0x157/0x210 init/main.c:1294
do_initcalls+0x3f/0x80 init/main.c:1310
kernel_init_freeable+0x440/0x5d0 init/main.c:1547
kernel_init+0x1d/0x2a0 init/main.c:1437
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
addr:0000000020008000 vm_flags:080000d0 anon_vma:0000000000000000 mapping:ffff88807736c9d0 index:7
debug_vm_pgtable+0x4ac/0x540 mm/debug_vm_pgtable.c:1408
do_one_initcall+0x23d/0x7d0 init/main.c:1232
do_initcall_level+0x157/0x210 init/main.c:1294
do_initcalls+0x3f/0x80 init/main.c:1310
kernel_init_freeable+0x440/0x5d0 init/main.c:1547
kernel_init+0x1d/0x2a0 init/main.c:1437
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
file:bus fault:xfs_filemap_fault mmap:xfs_file_mmap read_folio:xfs_vm_read_folio
CPU: 1 PID: 5463 Comm: syz-executor.0 Tainted: G B 6.6.0-rc1-syzkaller-dirty #0
Code: Unable to access opcode bytes at 0x7f3a06c7cabf.
RSP: 002b:00007f3a07a010c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000148
RAX: ffffffffffffffe5 RBX: 00007f3a06d9bf80 RCX: 00007f3a06c7cae9
RDX: 0000000000000002 RSI: 0000000020000300 RDI: 0000000000000007
RBP: 00007f3a06cc847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000008800000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f3a06d9bf80 R15: 00007fffc30ea648
</TASK>
Tested on:
commit: 0bb80ecc Linux 6.6-rc1
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=13f2a37749f07ab2
dashboard link: https://syzkaller.appspot.com/bug?extid=55cc72f8cc3a549119df
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=12510d08680000
dashboard link: https://syzkaller.appspot.com/bug?extid=55cc72f8cc3a549119df
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Dave Hansen
Sep 12, 2023, 12:17:26 PM9/12/23
to Matthew Wilcox, Yin Fengwei, syzbot, ak...@linux-foundation.org, linux-...@vger.kernel.org, linu...@kvack.org, syzkall...@googlegroups.com
On 9/11/23 21:59, Matthew Wilcox wrote:
> I don't think there's anything particularly strange about my .config
I just saw some DEBUG_VM #ifdefs around the area and wondered if any of
> I don't think there's anything particularly strange about my .config
them were to blame for the bloat.
Dave Hansen
Sep 12, 2023, 2:01:19 PM9/12/23
to Matthew Wilcox, Yin Fengwei, syzbot, ak...@linux-foundation.org, linux-...@vger.kernel.org, linu...@kvack.org, syzkall...@googlegroups.com
I went poking at it a bit. One remarkable thing is how many pv_ops
calls there are. Those are definitely keeping the compiler from helping
is out here too much.
Your version has 9 pv_ops calls while mine has 6. So mine may have more
instructions in _this_ function, but it could easily be made up for by
call overhead and extra instructions in the pv_ops.
Also, I went looking for a way to poke at set_ptes() and profile it a
bit and get some actual numbers. It seems like in most cases it would
be limited to use via fault around. Is there some other way to poke at
it easily?
So, in the end, I see code which is not (as far as I can see) in a hot
path, and (again, to me) there's no compelling performance argument one
way or another.
I still like my version. *Known* simplicity and uniformity win out in
my book over unknown performance benefits.
But, fixing the bug is the most important thing. I don't feel strongly
about it to NAK your version either.
Edward AD
Sep 13, 2023, 12:49:07 AM9/13/23
to syzbot+55cc72...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test filemap
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 3f86ed6ec0b3
diff --git a/mm/memory.c b/mm/memory.c
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 3f86ed6ec0b3
index 6c264d2f969c..359b7a599fa2 100644
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -4332,8 +4332,9 @@ void set_pte_range(struct vm_fault *vmf, struct folio *folio,
bool write = vmf->flags & FAULT_FLAG_WRITE;
bool prefault = in_range(vmf->address, addr, nr * PAGE_SIZE);
pte_t entry;
+ struct page *p = page;
- flush_icache_pages(vma, page, nr);
+ flush_icache_pages(vma, p, nr);
bool prefault = in_range(vmf->address, addr, nr * PAGE_SIZE);
pte_t entry;
+ struct page *p = page;
- flush_icache_pages(vma, page, nr);
entry = mk_pte(page, vma->vm_page_prot);
if (prefault && arch_wants_old_prefaulted_pte())
syzbot
Sep 13, 2023, 1:08:37 AM9/13/23
to ead...@sina.com, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: Bad page map
BUG: Bad page map in process syz-executor.0 pte:fffff9b3c4120 pmd:1ef3d067
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: Bad page map
page:ffffea0001930ec0 refcount:9 mapcount:-1 mapping:ffff888068279b50 index:0x3 pfn:0x64c3b
head:ffffea0001930e00 order:2 entire_mapcount:0 nr_pages_mapped:8388607 pincount:0
memcg:ffff88807adee000
aops:xfs_address_space_operations ino:244a dentry name:"bus"
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000000 ffffea0001930e01 dead000000000122 dead000000000400
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 0000000000000001 0000000000000000 00000000fffffffe 0000000000000000
head: 00fff0000000816c ffffea0001c85748 ffff88807af4a030 ffff888068279b50
head: 0000000000000000 ffff888018ff0380 00000009ffffffff ffff88807adee000
page dumped because: bad pte
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Movable, gfp_mask 0x152c4a(GFP_NOFS|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 5457, tgid 5456 (syz-executor.0), ts 77503381347, free_ts 14582469419
page_owner tracks the page as allocated
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
prep_new_page mm/page_alloc.c:1543 [inline]
post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
prep_new_page mm/page_alloc.c:1543 [inline]
get_page_from_freelist+0x31ec/0x3370 mm/page_alloc.c:3183
__alloc_pages+0x255/0x670 mm/page_alloc.c:4439
folio_alloc+0x1e/0x60 mm/mempolicy.c:2308
__alloc_pages+0x255/0x670 mm/page_alloc.c:4439
filemap_alloc_folio+0xde/0x500 mm/filemap.c:979
ra_alloc_folio mm/readahead.c:468 [inline]
page_cache_ra_order+0x423/0xcc0 mm/readahead.c:524
do_sync_mmap_readahead+0x444/0x850
filemap_fault+0x7d3/0x1710 mm/filemap.c:3294
page_cache_ra_order+0x423/0xcc0 mm/readahead.c:524
do_sync_mmap_readahead+0x444/0x850
__xfs_filemap_fault+0x286/0x960 fs/xfs/xfs_file.c:1354
__do_fault+0x133/0x4e0 mm/memory.c:4204
do_read_fault mm/memory.c:4569 [inline]
__do_fault+0x133/0x4e0 mm/memory.c:4204
do_fault mm/memory.c:4706 [inline]
do_pte_missing mm/memory.c:3669 [inline]
handle_pte_fault mm/memory.c:4979 [inline]
__handle_mm_fault mm/memory.c:5120 [inline]
handle_mm_fault+0x48d2/0x6200 mm/memory.c:5285
faultin_page mm/gup.c:956 [inline]
__get_user_pages+0x6bd/0x15e0 mm/gup.c:1239
__get_user_pages_locked mm/gup.c:1504 [inline]
get_dump_page+0x146/0x2b0 mm/gup.c:2018
dump_user_range+0x126/0x910 fs/coredump.c:913
elf_core_dump+0x3b75/0x4490 fs/binfmt_elf.c:2142
do_coredump+0x1b73/0x2ab0 fs/coredump.c:764
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1136 [inline]
free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
free_contig_range+0x9e/0x150 mm/page_alloc.c:6355
__get_user_pages+0x6bd/0x15e0 mm/gup.c:1239
__get_user_pages_locked mm/gup.c:1504 [inline]
get_dump_page+0x146/0x2b0 mm/gup.c:2018
dump_user_range+0x126/0x910 fs/coredump.c:913
elf_core_dump+0x3b75/0x4490 fs/binfmt_elf.c:2142
do_coredump+0x1b73/0x2ab0 fs/coredump.c:764
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1136 [inline]
free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
destroy_args+0x95/0x7c0 mm/debug_vm_pgtable.c:1028
debug_vm_pgtable+0x4ac/0x540 mm/debug_vm_pgtable.c:1408
do_one_initcall+0x23d/0x7d0 init/main.c:1232
do_initcall_level+0x157/0x210 init/main.c:1294
do_initcalls+0x3f/0x80 init/main.c:1310
kernel_init_freeable+0x440/0x5d0 init/main.c:1547
kernel_init+0x1d/0x2a0 init/main.c:1437
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
addr:0000000020006000 vm_flags:080000d0 anon_vma:0000000000000000 mapping:ffff888068279b50 index:5
debug_vm_pgtable+0x4ac/0x540 mm/debug_vm_pgtable.c:1408
do_one_initcall+0x23d/0x7d0 init/main.c:1232
do_initcall_level+0x157/0x210 init/main.c:1294
do_initcalls+0x3f/0x80 init/main.c:1310
kernel_init_freeable+0x440/0x5d0 init/main.c:1547
kernel_init+0x1d/0x2a0 init/main.c:1437
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
file:bus fault:xfs_filemap_fault mmap:xfs_file_mmap read_folio:xfs_vm_read_folio
CPU: 0 PID: 5456 Comm: syz-executor.0 Not tainted 6.5.0-syzkaller-11704-g3f86ed6ec0b3-dirty #0
Code: Unable to access opcode bytes at 0x7f49da47cabf.
RSP: 002b:00007ffe94b1ac68 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffdfc RBX: 0000000000012e89 RCX: 00007f49da47cae9
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f49da59bf8c
RBP: 0000000000000032 R08: 00007f49da59bf8c R09: 00007f49da59bf8c
R10: 00007ffe94b1ada0 R11: 0000000000000246 R12: 00007f49da59bf8c
R13: 0000000000012ebb R14: 00007ffe94b1adc0 R15: 00007ffe94b1ada0
</TASK>
BUG: Bad page map in process syz-executor.0 pte:fffff9b3c5120 pmd:1ef3d067
page:ffffea0001930e80 refcount:9 mapcount:-1 mapping:ffff888068279b50 index:0x2 pfn:0x64c3a
head:ffffea0001930e00 order:2 entire_mapcount:0 nr_pages_mapped:8388606 pincount:0
memcg:ffff88807adee000
aops:xfs_address_space_operations ino:244a dentry name:"bus"
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000000 ffffea0001930e01 ffffea0001930e90 ffffea0001930e90
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 0000000000000001 0000000000000000 00000000fffffffe 0000000000000000
head: 00fff0000000816c ffffea0001c85748 ffff88807af4a030 ffff888068279b50
head: 0000000000000000 ffff888018ff0380 00000009ffffffff ffff88807adee000
page dumped because: bad pte
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Movable, gfp_mask 0x152c4a(GFP_NOFS|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 5457, tgid 5456 (syz-executor.0), ts 77503381347, free_ts 14582461936
page_owner tracks the page as allocated
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
prep_new_page mm/page_alloc.c:1543 [inline]
post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
prep_new_page mm/page_alloc.c:1543 [inline]
get_page_from_freelist+0x31ec/0x3370 mm/page_alloc.c:3183
__alloc_pages+0x255/0x670 mm/page_alloc.c:4439
folio_alloc+0x1e/0x60 mm/mempolicy.c:2308
__alloc_pages+0x255/0x670 mm/page_alloc.c:4439
filemap_alloc_folio+0xde/0x500 mm/filemap.c:979
ra_alloc_folio mm/readahead.c:468 [inline]
page_cache_ra_order+0x423/0xcc0 mm/readahead.c:524
do_sync_mmap_readahead+0x444/0x850
filemap_fault+0x7d3/0x1710 mm/filemap.c:3294
page_cache_ra_order+0x423/0xcc0 mm/readahead.c:524
do_sync_mmap_readahead+0x444/0x850
__xfs_filemap_fault+0x286/0x960 fs/xfs/xfs_file.c:1354
__do_fault+0x133/0x4e0 mm/memory.c:4204
do_read_fault mm/memory.c:4569 [inline]
__do_fault+0x133/0x4e0 mm/memory.c:4204
do_fault mm/memory.c:4706 [inline]
do_pte_missing mm/memory.c:3669 [inline]
handle_pte_fault mm/memory.c:4979 [inline]
__handle_mm_fault mm/memory.c:5120 [inline]
handle_mm_fault+0x48d2/0x6200 mm/memory.c:5285
faultin_page mm/gup.c:956 [inline]
__get_user_pages+0x6bd/0x15e0 mm/gup.c:1239
__get_user_pages_locked mm/gup.c:1504 [inline]
get_dump_page+0x146/0x2b0 mm/gup.c:2018
dump_user_range+0x126/0x910 fs/coredump.c:913
elf_core_dump+0x3b75/0x4490 fs/binfmt_elf.c:2142
do_coredump+0x1b73/0x2ab0 fs/coredump.c:764
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1136 [inline]
free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
free_contig_range+0x9e/0x150 mm/page_alloc.c:6355
__get_user_pages+0x6bd/0x15e0 mm/gup.c:1239
__get_user_pages_locked mm/gup.c:1504 [inline]
get_dump_page+0x146/0x2b0 mm/gup.c:2018
dump_user_range+0x126/0x910 fs/coredump.c:913
elf_core_dump+0x3b75/0x4490 fs/binfmt_elf.c:2142
do_coredump+0x1b73/0x2ab0 fs/coredump.c:764
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1136 [inline]
free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
destroy_args+0x95/0x7c0 mm/debug_vm_pgtable.c:1028
debug_vm_pgtable+0x4ac/0x540 mm/debug_vm_pgtable.c:1408
do_one_initcall+0x23d/0x7d0 init/main.c:1232
do_initcall_level+0x157/0x210 init/main.c:1294
do_initcalls+0x3f/0x80 init/main.c:1310
kernel_init_freeable+0x440/0x5d0 init/main.c:1547
kernel_init+0x1d/0x2a0 init/main.c:1437
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
addr:0000000020007000 vm_flags:080000d0 anon_vma:0000000000000000 mapping:ffff888068279b50 index:6
debug_vm_pgtable+0x4ac/0x540 mm/debug_vm_pgtable.c:1408
do_one_initcall+0x23d/0x7d0 init/main.c:1232
do_initcall_level+0x157/0x210 init/main.c:1294
do_initcalls+0x3f/0x80 init/main.c:1310
kernel_init_freeable+0x440/0x5d0 init/main.c:1547
kernel_init+0x1d/0x2a0 init/main.c:1437
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
file:bus fault:xfs_filemap_fault mmap:xfs_file_mmap read_folio:xfs_vm_read_folio
CPU: 0 PID: 5456 Comm: syz-executor.0 Tainted: G B 6.5.0-syzkaller-11704-g3f86ed6ec0b3-dirty #0
Code: Unable to access opcode bytes at 0x7f49da47cabf.
RSP: 002b:00007ffe94b1ac68 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffdfc RBX: 0000000000012e89 RCX: 00007f49da47cae9
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f49da59bf8c
RBP: 0000000000000032 R08: 00007f49da59bf8c R09: 00007f49da59bf8c
R10: 00007ffe94b1ada0 R11: 0000000000000246 R12: 00007f49da59bf8c
R13: 0000000000012ebb R14: 00007ffe94b1adc0 R15: 00007ffe94b1ada0
</TASK>
BUG: Bad page map in process syz-executor.0 pte:fffff9b3c6120 pmd:1ef3d067
page:ffffea0001930e40 refcount:9 mapcount:-1 mapping:ffff888068279b50 index:0x1 pfn:0x64c39
head:ffffea0001930e00 order:2 entire_mapcount:0 nr_pages_mapped:8388605 pincount:0
memcg:ffff88807adee000
aops:xfs_address_space_operations ino:244a dentry name:"bus"
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000202 ffffea0001930e01 dead000000000122 fffffffdffffffff
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 0000000400000000 0000000000000000 00000000fffffffe 0000000000000000
head: 00fff0000000816c ffffea0001c85748 ffff88807af4a030 ffff888068279b50
head: 0000000000000000 ffff888018ff0380 00000009ffffffff ffff88807adee000
page dumped because: bad pte
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Movable, gfp_mask 0x152c4a(GFP_NOFS|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 5457, tgid 5456 (syz-executor.0), ts 77503381347, free_ts 14582455909
page_owner tracks the page as allocated
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
prep_new_page mm/page_alloc.c:1543 [inline]
post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
prep_new_page mm/page_alloc.c:1543 [inline]
get_page_from_freelist+0x31ec/0x3370 mm/page_alloc.c:3183
__alloc_pages+0x255/0x670 mm/page_alloc.c:4439
folio_alloc+0x1e/0x60 mm/mempolicy.c:2308
__alloc_pages+0x255/0x670 mm/page_alloc.c:4439
filemap_alloc_folio+0xde/0x500 mm/filemap.c:979
ra_alloc_folio mm/readahead.c:468 [inline]
page_cache_ra_order+0x423/0xcc0 mm/readahead.c:524
do_sync_mmap_readahead+0x444/0x850
filemap_fault+0x7d3/0x1710 mm/filemap.c:3294
page_cache_ra_order+0x423/0xcc0 mm/readahead.c:524
do_sync_mmap_readahead+0x444/0x850
__xfs_filemap_fault+0x286/0x960 fs/xfs/xfs_file.c:1354
__do_fault+0x133/0x4e0 mm/memory.c:4204
do_read_fault mm/memory.c:4569 [inline]
__do_fault+0x133/0x4e0 mm/memory.c:4204
do_fault mm/memory.c:4706 [inline]
do_pte_missing mm/memory.c:3669 [inline]
handle_pte_fault mm/memory.c:4979 [inline]
__handle_mm_fault mm/memory.c:5120 [inline]
handle_mm_fault+0x48d2/0x6200 mm/memory.c:5285
faultin_page mm/gup.c:956 [inline]
__get_user_pages+0x6bd/0x15e0 mm/gup.c:1239
__get_user_pages_locked mm/gup.c:1504 [inline]
get_dump_page+0x146/0x2b0 mm/gup.c:2018
dump_user_range+0x126/0x910 fs/coredump.c:913
elf_core_dump+0x3b75/0x4490 fs/binfmt_elf.c:2142
do_coredump+0x1b73/0x2ab0 fs/coredump.c:764
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1136 [inline]
free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
free_contig_range+0x9e/0x150 mm/page_alloc.c:6355
__get_user_pages+0x6bd/0x15e0 mm/gup.c:1239
__get_user_pages_locked mm/gup.c:1504 [inline]
get_dump_page+0x146/0x2b0 mm/gup.c:2018
dump_user_range+0x126/0x910 fs/coredump.c:913
elf_core_dump+0x3b75/0x4490 fs/binfmt_elf.c:2142
do_coredump+0x1b73/0x2ab0 fs/coredump.c:764
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1136 [inline]
free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
destroy_args+0x95/0x7c0 mm/debug_vm_pgtable.c:1028
debug_vm_pgtable+0x4ac/0x540 mm/debug_vm_pgtable.c:1408
do_one_initcall+0x23d/0x7d0 init/main.c:1232
do_initcall_level+0x157/0x210 init/main.c:1294
do_initcalls+0x3f/0x80 init/main.c:1310
kernel_init_freeable+0x440/0x5d0 init/main.c:1547
kernel_init+0x1d/0x2a0 init/main.c:1437
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
addr:0000000020008000 vm_flags:080000d0 anon_vma:0000000000000000 mapping:ffff888068279b50 index:7
debug_vm_pgtable+0x4ac/0x540 mm/debug_vm_pgtable.c:1408
do_one_initcall+0x23d/0x7d0 init/main.c:1232
do_initcall_level+0x157/0x210 init/main.c:1294
do_initcalls+0x3f/0x80 init/main.c:1310
kernel_init_freeable+0x440/0x5d0 init/main.c:1547
kernel_init+0x1d/0x2a0 init/main.c:1437
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
file:bus fault:xfs_filemap_fault mmap:xfs_file_mmap read_folio:xfs_vm_read_folio
CPU: 0 PID: 5456 Comm: syz-executor.0 Tainted: G B 6.5.0-syzkaller-11704-g3f86ed6ec0b3-dirty #0
Code: Unable to access opcode bytes at 0x7f49da47cabf.
RSP: 002b:00007ffe94b1ac68 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffdfc RBX: 0000000000012e89 RCX: 00007f49da47cae9
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f49da59bf8c
RBP: 0000000000000032 R08: 00007f49da59bf8c R09: 00007f49da59bf8c
R10: 00007ffe94b1ada0 R11: 0000000000000246 R12: 00007f49da59bf8c
R13: 0000000000012ebb R14: 00007ffe94b1adc0 R15: 00007ffe94b1ada0
</TASK>
Tested on:
commit: 3f86ed6e Merge tag 'arc-6.6-rc1' of git://git.kernel.o..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1165dd94680000
Tested on:
commit: 3f86ed6e Merge tag 'arc-6.6-rc1' of git://git.kernel.o..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=ff0db7a15ba54ead
dashboard link: https://syzkaller.appspot.com/bug?extid=55cc72f8cc3a549119df
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1715d342680000
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Yin Fengwei
Sep 14, 2023, 3:34:39 AM9/14/23
to Matthew Wilcox, Dave Hansen, syzbot, ak...@linux-foundation.org, linux-...@vger.kernel.org, linu...@kvack.org, syzkall...@googlegroups.com
Hi Matthew,
I checked the commit message of 6b28baca9b1f0d4a42b865da7a05b1c81424bd5c:
The invert is done by pte/pmd_modify and pfn/pmd/pud_pte for PROTNONE and
pte/pmd/pud_pfn undo it.
This assume that no code path touches the PFN part of a PTE directly
without using these primitives.
So maybe we should always use these APIs even we make x86 specific set_ptes()?
I will find a test machine to measure the performance difference of these two
versions by using xfs + will-it-scale. Will keep you guys updated.
Regards
Yin, Fengwei
The invert is done by pte/pmd_modify and pfn/pmd/pud_pte for PROTNONE and
pte/pmd/pud_pfn undo it.
This assume that no code path touches the PFN part of a PTE directly
without using these primitives.
So maybe we should always use these APIs even we make x86 specific set_ptes()?
I will find a test machine to measure the performance difference of these two
versions by using xfs + will-it-scale. Will keep you guys updated.
Regards
Yin, Fengwei
Yin Fengwei
Sep 14, 2023, 4:38:09 AM9/14/23
to Matthew Wilcox, Dave Hansen, syzbot, ak...@linux-foundation.org, linux-...@vger.kernel.org, linu...@kvack.org, syzkall...@googlegroups.com
on an IceLake with 48C/96T + 192G RAM.
The host filesystem is ext4 (I can't change it to xfs). So I create a diskimage,
format it as xfs and mount it to test directory.
The test result is like following:
Matthew's version Dave's version
run1 379045929 375241566
run2 377870413 373950068
run3 378623159 371884035
run4 376890127 372391340
avg 378107407 373366752.3 -1.23%
stddev 0.20% 0.40%
run1,2,3,4 uses: page_fault4_processes -s 2 -t 96
run5 9696280 9599164
run6 9683840 9579984
run7 9684832 9595912
run8 9697936 9617408
avg 9690722 9598117 -0.96%
stddev 0% 0%
run5,6,7,8 uses: page_fault4_processes -s 2 -t 1
Conclusion: Dave's version is a little slower than Matthew's version. But the difference
is very small from what I can tell. Let me know if you have any question. Thanks.
Regards
Yin, Fengwei
>
>
> Regards
> Yin, Fengwei
Edward AD
Sep 14, 2023, 8:14:46 AM9/14/23
to syzbot+55cc72...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test filemap
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 3f86ed6ec0b3
diff --git a/mm/memory.c b/mm/memory.c
index 6c264d2f969c..207c88130c42 100644
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 3f86ed6ec0b3
diff --git a/mm/memory.c b/mm/memory.c
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -4331,20 +4331,26 @@ void set_pte_range(struct vm_fault *vmf, struct folio *folio,
bool uffd_wp = vmf_orig_pte_uffd_wp(vmf);
bool write = vmf->flags & FAULT_FLAG_WRITE;
bool prefault = in_range(vmf->address, addr, nr * PAGE_SIZE);
- pte_t entry;
bool prefault = in_range(vmf->address, addr, nr * PAGE_SIZE);
+ pte_t entry[nr];
+ int i;
+ struct page *p = page;
flush_icache_pages(vma, page, nr);
- entry = mk_pte(page, vma->vm_page_prot);
-
- if (prefault && arch_wants_old_prefaulted_pte())
- entry = pte_mkold(entry);
- else
- entry = pte_sw_mkyoung(entry);
-
- entry = pte_mkold(entry);
- else
- entry = pte_sw_mkyoung(entry);
- if (write)
- entry = maybe_mkwrite(pte_mkdirty(entry), vma);
- if (unlikely(uffd_wp))
- entry = pte_mkuffd_wp(entry);
+
+ for (i = 0;i < nr;i++) {
- entry = maybe_mkwrite(pte_mkdirty(entry), vma);
- if (unlikely(uffd_wp))
- entry = pte_mkuffd_wp(entry);
+
+ entry[i] = mk_pte(p, vma->vm_page_prot);
+
+ if (prefault && arch_wants_old_prefaulted_pte())
+ entry[i] = pte_mkold(entry[i]);
+ else
+ entry[i] = pte_sw_mkyoung(entry[i]);
+
+ if (write)
+ entry[i] = maybe_mkwrite(pte_mkdirty(entry[i]), vma);
+ if (unlikely(uffd_wp))
+ entry[i] = pte_mkuffd_wp(entry[i]);
+ p++;
+ }
/* copy-on-write page */
if (write && !(vma->vm_flags & VM_SHARED)) {
add_mm_counter(vma->vm_mm, MM_ANONPAGES, nr);
@@ -4355,7 +4361,7 @@ void set_pte_range(struct vm_fault *vmf, struct folio *folio,
if (write && !(vma->vm_flags & VM_SHARED)) {
add_mm_counter(vma->vm_mm, MM_ANONPAGES, nr);
add_mm_counter(vma->vm_mm, mm_counter_file(page), nr);
folio_add_file_rmap_range(folio, page, nr, vma, false);
}
- set_ptes(vma->vm_mm, addr, vmf->pte, entry, nr);
+ set_ptes(vma->vm_mm, addr, vmf->pte, entry[0], nr);
/* no need to invalidate: a not-present page won't be cached */
update_mmu_cache_range(vmf, vma, addr, vmf->pte, nr);
syzbot
Sep 14, 2023, 8:31:33 AM9/14/23
to ead...@sina.com, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: Bad page map
BUG: Bad page map in process syz-executor.0 pte:fffff9b8d0120 pmd:1f620067
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: Bad page map
page:ffffea000191cbc0 refcount:9 mapcount:-1 mapping:ffff888075b20410 index:0x3 pfn:0x6472f
head:ffffea000191cb00 order:2 entire_mapcount:0 nr_pages_mapped:8388607 pincount:0
memcg:ffff8880289f6000
aops:xfs_address_space_operations ino:244a dentry name:"bus"
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000000 ffffea000191cb01 dead000000000122 dead000000000400
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 0000000000000001 0000000000000000 00000000fffffffe 0000000000000000
head: 00fff0000000816c ffffea00019a61c8 ffff888079193030 ffff888075b20410
head: 0000000000000000 ffff88802953a680 00000009ffffffff ffff8880289f6000
page dumped because: bad pte
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Movable, gfp_mask 0x152c4a(GFP_NOFS|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 5452, tgid 5451 (syz-executor.0), ts 77307902756, free_ts 14916435521
page_owner tracks the page as allocated
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
prep_new_page mm/page_alloc.c:1543 [inline]
get_page_from_freelist+0x31ec/0x3370 mm/page_alloc.c:3183
__alloc_pages+0x255/0x670 mm/page_alloc.c:4439
folio_alloc+0x1e/0x60 mm/mempolicy.c:2308
filemap_alloc_folio+0xde/0x500 mm/filemap.c:979
ra_alloc_folio mm/readahead.c:468 [inline]
page_cache_ra_order+0x423/0xcc0 mm/readahead.c:524
do_sync_mmap_readahead+0x444/0x850
filemap_fault+0x7d3/0x1710 mm/filemap.c:3294
__xfs_filemap_fault+0x286/0x960 fs/xfs/xfs_file.c:1354
__do_fault+0x133/0x4e0 mm/memory.c:4204
do_read_fault mm/memory.c:4574 [inline]
post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
prep_new_page mm/page_alloc.c:1543 [inline]
get_page_from_freelist+0x31ec/0x3370 mm/page_alloc.c:3183
__alloc_pages+0x255/0x670 mm/page_alloc.c:4439
folio_alloc+0x1e/0x60 mm/mempolicy.c:2308
filemap_alloc_folio+0xde/0x500 mm/filemap.c:979
ra_alloc_folio mm/readahead.c:468 [inline]
page_cache_ra_order+0x423/0xcc0 mm/readahead.c:524
do_sync_mmap_readahead+0x444/0x850
filemap_fault+0x7d3/0x1710 mm/filemap.c:3294
__xfs_filemap_fault+0x286/0x960 fs/xfs/xfs_file.c:1354
__do_fault+0x133/0x4e0 mm/memory.c:4204
do_fault mm/memory.c:4711 [inline]
do_pte_missing mm/memory.c:3669 [inline]
handle_pte_fault mm/memory.c:4984 [inline]
__handle_mm_fault mm/memory.c:5125 [inline]
handle_mm_fault+0x48d2/0x6200 mm/memory.c:5290
faultin_page mm/gup.c:956 [inline]
__get_user_pages+0x6bd/0x15e0 mm/gup.c:1239
__get_user_pages_locked mm/gup.c:1504 [inline]
get_dump_page+0x146/0x2b0 mm/gup.c:2018
dump_user_range+0x126/0x910 fs/coredump.c:913
elf_core_dump+0x3b75/0x4490 fs/binfmt_elf.c:2142
do_coredump+0x1b73/0x2ab0 fs/coredump.c:764
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1136 [inline]
free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
free_contig_range+0x9e/0x150 mm/page_alloc.c:6355
destroy_args+0x95/0x7c0 mm/debug_vm_pgtable.c:1028
debug_vm_pgtable+0x4ac/0x540 mm/debug_vm_pgtable.c:1408
do_one_initcall+0x23d/0x7d0 init/main.c:1232
do_initcall_level+0x157/0x210 init/main.c:1294
do_initcalls+0x3f/0x80 init/main.c:1310
kernel_init_freeable+0x440/0x5d0 init/main.c:1547
kernel_init+0x1d/0x2a0 init/main.c:1437
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
addr:0000000020006000 vm_flags:080000d0 anon_vma:0000000000000000 mapping:ffff888075b20410 index:5
__get_user_pages+0x6bd/0x15e0 mm/gup.c:1239
__get_user_pages_locked mm/gup.c:1504 [inline]
get_dump_page+0x146/0x2b0 mm/gup.c:2018
dump_user_range+0x126/0x910 fs/coredump.c:913
elf_core_dump+0x3b75/0x4490 fs/binfmt_elf.c:2142
do_coredump+0x1b73/0x2ab0 fs/coredump.c:764
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1136 [inline]
free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
free_contig_range+0x9e/0x150 mm/page_alloc.c:6355
destroy_args+0x95/0x7c0 mm/debug_vm_pgtable.c:1028
debug_vm_pgtable+0x4ac/0x540 mm/debug_vm_pgtable.c:1408
do_one_initcall+0x23d/0x7d0 init/main.c:1232
do_initcall_level+0x157/0x210 init/main.c:1294
do_initcalls+0x3f/0x80 init/main.c:1310
kernel_init_freeable+0x440/0x5d0 init/main.c:1547
kernel_init+0x1d/0x2a0 init/main.c:1437
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
file:bus fault:xfs_filemap_fault mmap:xfs_file_mmap read_folio:xfs_vm_read_folio
CPU: 1 PID: 5452 Comm: syz-executor.0 Not tainted 6.5.0-syzkaller-11704-g3f86ed6ec0b3-dirty #0
Code: Unable to access opcode bytes at 0x7fcbae67cabf.
RSP: 002b:00007fcbaf3d60c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000148
RAX: ffffffffffffffe5 RBX: 00007fcbae79bf80 RCX: 00007fcbae67cae9
RDX: 0000000000000002 RSI: 0000000020000300 RDI: 0000000000000007
RBP: 00007fcbae6c847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000008800000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007fcbae79bf80 R15: 00007ffd88af2618
</TASK>
BUG: Bad page map in process syz-executor.0 pte:fffff9b8d1120 pmd:1f620067
page:ffffea000191cb80 refcount:9 mapcount:-1 mapping:ffff888075b20410 index:0x2 pfn:0x6472e
head:ffffea000191cb00 order:2 entire_mapcount:0 nr_pages_mapped:8388606 pincount:0
memcg:ffff8880289f6000
aops:xfs_address_space_operations ino:244a dentry name:"bus"
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000000 ffffea000191cb01 ffffea000191cb90 ffffea000191cb90
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 0000000000000001 0000000000000000 00000000fffffffe 0000000000000000
head: 00fff0000000816c ffffea00019a61c8 ffff888079193030 ffff888075b20410
head: 0000000000000000 ffff88802953a680 00000009ffffffff ffff8880289f6000
page dumped because: bad pte
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Movable, gfp_mask 0x152c4a(GFP_NOFS|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 5452, tgid 5451 (syz-executor.0), ts 77307902756, free_ts 14916429590
page_owner tracks the page as allocated
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
prep_new_page mm/page_alloc.c:1543 [inline]
get_page_from_freelist+0x31ec/0x3370 mm/page_alloc.c:3183
__alloc_pages+0x255/0x670 mm/page_alloc.c:4439
folio_alloc+0x1e/0x60 mm/mempolicy.c:2308
filemap_alloc_folio+0xde/0x500 mm/filemap.c:979
ra_alloc_folio mm/readahead.c:468 [inline]
page_cache_ra_order+0x423/0xcc0 mm/readahead.c:524
do_sync_mmap_readahead+0x444/0x850
filemap_fault+0x7d3/0x1710 mm/filemap.c:3294
__xfs_filemap_fault+0x286/0x960 fs/xfs/xfs_file.c:1354
__do_fault+0x133/0x4e0 mm/memory.c:4204
do_read_fault mm/memory.c:4574 [inline]
post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
prep_new_page mm/page_alloc.c:1543 [inline]
get_page_from_freelist+0x31ec/0x3370 mm/page_alloc.c:3183
__alloc_pages+0x255/0x670 mm/page_alloc.c:4439
folio_alloc+0x1e/0x60 mm/mempolicy.c:2308
filemap_alloc_folio+0xde/0x500 mm/filemap.c:979
ra_alloc_folio mm/readahead.c:468 [inline]
page_cache_ra_order+0x423/0xcc0 mm/readahead.c:524
do_sync_mmap_readahead+0x444/0x850
filemap_fault+0x7d3/0x1710 mm/filemap.c:3294
__xfs_filemap_fault+0x286/0x960 fs/xfs/xfs_file.c:1354
__do_fault+0x133/0x4e0 mm/memory.c:4204
do_fault mm/memory.c:4711 [inline]
do_pte_missing mm/memory.c:3669 [inline]
handle_pte_fault mm/memory.c:4984 [inline]
__handle_mm_fault mm/memory.c:5125 [inline]
handle_mm_fault+0x48d2/0x6200 mm/memory.c:5290
faultin_page mm/gup.c:956 [inline]
__get_user_pages+0x6bd/0x15e0 mm/gup.c:1239
__get_user_pages_locked mm/gup.c:1504 [inline]
get_dump_page+0x146/0x2b0 mm/gup.c:2018
dump_user_range+0x126/0x910 fs/coredump.c:913
elf_core_dump+0x3b75/0x4490 fs/binfmt_elf.c:2142
do_coredump+0x1b73/0x2ab0 fs/coredump.c:764
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1136 [inline]
free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
free_contig_range+0x9e/0x150 mm/page_alloc.c:6355
destroy_args+0x95/0x7c0 mm/debug_vm_pgtable.c:1028
debug_vm_pgtable+0x4ac/0x540 mm/debug_vm_pgtable.c:1408
do_one_initcall+0x23d/0x7d0 init/main.c:1232
do_initcall_level+0x157/0x210 init/main.c:1294
do_initcalls+0x3f/0x80 init/main.c:1310
kernel_init_freeable+0x440/0x5d0 init/main.c:1547
kernel_init+0x1d/0x2a0 init/main.c:1437
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
addr:0000000020007000 vm_flags:080000d0 anon_vma:0000000000000000 mapping:ffff888075b20410 index:6
__get_user_pages+0x6bd/0x15e0 mm/gup.c:1239
__get_user_pages_locked mm/gup.c:1504 [inline]
get_dump_page+0x146/0x2b0 mm/gup.c:2018
dump_user_range+0x126/0x910 fs/coredump.c:913
elf_core_dump+0x3b75/0x4490 fs/binfmt_elf.c:2142
do_coredump+0x1b73/0x2ab0 fs/coredump.c:764
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1136 [inline]
free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
free_contig_range+0x9e/0x150 mm/page_alloc.c:6355
destroy_args+0x95/0x7c0 mm/debug_vm_pgtable.c:1028
debug_vm_pgtable+0x4ac/0x540 mm/debug_vm_pgtable.c:1408
do_one_initcall+0x23d/0x7d0 init/main.c:1232
do_initcall_level+0x157/0x210 init/main.c:1294
do_initcalls+0x3f/0x80 init/main.c:1310
kernel_init_freeable+0x440/0x5d0 init/main.c:1547
kernel_init+0x1d/0x2a0 init/main.c:1437
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
file:bus fault:xfs_filemap_fault mmap:xfs_file_mmap read_folio:xfs_vm_read_folio
CPU: 1 PID: 5452 Comm: syz-executor.0 Tainted: G B 6.5.0-syzkaller-11704-g3f86ed6ec0b3-dirty #0
Code: Unable to access opcode bytes at 0x7fcbae67cabf.
RSP: 002b:00007fcbaf3d60c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000148
RAX: ffffffffffffffe5 RBX: 00007fcbae79bf80 RCX: 00007fcbae67cae9
RDX: 0000000000000002 RSI: 0000000020000300 RDI: 0000000000000007
RBP: 00007fcbae6c847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000008800000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007fcbae79bf80 R15: 00007ffd88af2618
</TASK>
BUG: Bad page map in process syz-executor.0 pte:fffff9b8d2120 pmd:1f620067
page:ffffea000191cb40 refcount:9 mapcount:-1 mapping:ffff888075b20410 index:0x1 pfn:0x6472d
head:ffffea000191cb00 order:2 entire_mapcount:0 nr_pages_mapped:8388605 pincount:0
memcg:ffff8880289f6000
aops:xfs_address_space_operations ino:244a dentry name:"bus"
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000202 ffffea000191cb01 dead000000000122 fffffffdffffffff
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 0000000400000000 0000000000000000 00000000fffffffe 0000000000000000
head: 00fff0000000816c ffffea00019a61c8 ffff888079193030 ffff888075b20410
head: 0000000000000000 ffff88802953a680 00000009ffffffff ffff8880289f6000
page dumped because: bad pte
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Movable, gfp_mask 0x152c4a(GFP_NOFS|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 5452, tgid 5451 (syz-executor.0), ts 77307902756, free_ts 14916423636
page_owner tracks the page as allocated
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
prep_new_page mm/page_alloc.c:1543 [inline]
get_page_from_freelist+0x31ec/0x3370 mm/page_alloc.c:3183
__alloc_pages+0x255/0x670 mm/page_alloc.c:4439
folio_alloc+0x1e/0x60 mm/mempolicy.c:2308
filemap_alloc_folio+0xde/0x500 mm/filemap.c:979
ra_alloc_folio mm/readahead.c:468 [inline]
page_cache_ra_order+0x423/0xcc0 mm/readahead.c:524
do_sync_mmap_readahead+0x444/0x850
filemap_fault+0x7d3/0x1710 mm/filemap.c:3294
__xfs_filemap_fault+0x286/0x960 fs/xfs/xfs_file.c:1354
__do_fault+0x133/0x4e0 mm/memory.c:4204
do_read_fault mm/memory.c:4574 [inline]
post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
prep_new_page mm/page_alloc.c:1543 [inline]
get_page_from_freelist+0x31ec/0x3370 mm/page_alloc.c:3183
__alloc_pages+0x255/0x670 mm/page_alloc.c:4439
folio_alloc+0x1e/0x60 mm/mempolicy.c:2308
filemap_alloc_folio+0xde/0x500 mm/filemap.c:979
ra_alloc_folio mm/readahead.c:468 [inline]
page_cache_ra_order+0x423/0xcc0 mm/readahead.c:524
do_sync_mmap_readahead+0x444/0x850
filemap_fault+0x7d3/0x1710 mm/filemap.c:3294
__xfs_filemap_fault+0x286/0x960 fs/xfs/xfs_file.c:1354
__do_fault+0x133/0x4e0 mm/memory.c:4204
do_fault mm/memory.c:4711 [inline]
do_pte_missing mm/memory.c:3669 [inline]
handle_pte_fault mm/memory.c:4984 [inline]
__handle_mm_fault mm/memory.c:5125 [inline]
handle_mm_fault+0x48d2/0x6200 mm/memory.c:5290
faultin_page mm/gup.c:956 [inline]
__get_user_pages+0x6bd/0x15e0 mm/gup.c:1239
__get_user_pages_locked mm/gup.c:1504 [inline]
get_dump_page+0x146/0x2b0 mm/gup.c:2018
dump_user_range+0x126/0x910 fs/coredump.c:913
elf_core_dump+0x3b75/0x4490 fs/binfmt_elf.c:2142
do_coredump+0x1b73/0x2ab0 fs/coredump.c:764
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1136 [inline]
free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
free_contig_range+0x9e/0x150 mm/page_alloc.c:6355
destroy_args+0x95/0x7c0 mm/debug_vm_pgtable.c:1028
debug_vm_pgtable+0x4ac/0x540 mm/debug_vm_pgtable.c:1408
do_one_initcall+0x23d/0x7d0 init/main.c:1232
do_initcall_level+0x157/0x210 init/main.c:1294
do_initcalls+0x3f/0x80 init/main.c:1310
kernel_init_freeable+0x440/0x5d0 init/main.c:1547
kernel_init+0x1d/0x2a0 init/main.c:1437
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
addr:0000000020008000 vm_flags:080000d0 anon_vma:0000000000000000 mapping:ffff888075b20410 index:7
__get_user_pages+0x6bd/0x15e0 mm/gup.c:1239
__get_user_pages_locked mm/gup.c:1504 [inline]
get_dump_page+0x146/0x2b0 mm/gup.c:2018
dump_user_range+0x126/0x910 fs/coredump.c:913
elf_core_dump+0x3b75/0x4490 fs/binfmt_elf.c:2142
do_coredump+0x1b73/0x2ab0 fs/coredump.c:764
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1136 [inline]
free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
free_contig_range+0x9e/0x150 mm/page_alloc.c:6355
destroy_args+0x95/0x7c0 mm/debug_vm_pgtable.c:1028
debug_vm_pgtable+0x4ac/0x540 mm/debug_vm_pgtable.c:1408
do_one_initcall+0x23d/0x7d0 init/main.c:1232
do_initcall_level+0x157/0x210 init/main.c:1294
do_initcalls+0x3f/0x80 init/main.c:1310
kernel_init_freeable+0x440/0x5d0 init/main.c:1547
kernel_init+0x1d/0x2a0 init/main.c:1437
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
file:bus fault:xfs_filemap_fault mmap:xfs_file_mmap read_folio:xfs_vm_read_folio
CPU: 0 PID: 5452 Comm: syz-executor.0 Tainted: G B 6.5.0-syzkaller-11704-g3f86ed6ec0b3-dirty #0
Code: Unable to access opcode bytes at 0x7fcbae67cabf.
RSP: 002b:00007fcbaf3d60c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000148
RAX: ffffffffffffffe5 RBX: 00007fcbae79bf80 RCX: 00007fcbae67cae9
RDX: 0000000000000002 RSI: 0000000020000300 RDI: 0000000000000007
RBP: 00007fcbae6c847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000008800000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007fcbae79bf80 R15: 00007ffd88af2618
</TASK>
Tested on:
commit: 3f86ed6e Merge tag 'arc-6.6-rc1' of git://git.kernel.o..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=16aa803c680000
Tested on:
commit: 3f86ed6e Merge tag 'arc-6.6-rc1' of git://git.kernel.o..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=1feed7da1decb7a3
dashboard link: https://syzkaller.appspot.com/bug?extid=55cc72f8cc3a549119df
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=173e2ea0680000
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Edward AD
Sep 14, 2023, 8:31:41 AM9/14/23
to syzbot+55cc72...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test filemap
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 3f86ed6ec0b3
diff --git a/mm/memory.c b/mm/memory.c
index 6c264d2f969c..c51dc520db14 100644
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 3f86ed6ec0b3
diff --git a/mm/memory.c b/mm/memory.c
add_mm_counter(vma->vm_mm, mm_counter_file(page), nr);
folio_add_file_rmap_range(folio, page, nr, vma, false);
}
- set_ptes(vma->vm_mm, addr, vmf->pte, entry, nr);
folio_add_file_rmap_range(folio, page, nr, vma, false);
}
- set_ptes(vma->vm_mm, addr, vmf->pte, entry, nr);
+ for (i = 0;i < nr;i++) {
+ page_table_check_ptes_set(vma->vm_mm, vmf->pte, entry[i], 1);
+ set_pte(vmf->pte, entry[i]);
+ vmf->pte++;
+ }
syzbot
Sep 14, 2023, 9:10:40 AM9/14/23
to ead...@sina.com, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+55cc72...@syzkaller.appspotmail.com
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+55cc72...@syzkaller.appspotmail.com
Tested on:
commit: 3f86ed6e Merge tag 'arc-6.6-rc1' of git://git.kernel.o..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1606a344680000
commit: 3f86ed6e Merge tag 'arc-6.6-rc1' of git://git.kernel.o..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=1feed7da1decb7a3
dashboard link: https://syzkaller.appspot.com/bug?extid=55cc72f8cc3a549119df
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1252b474680000
dashboard link: https://syzkaller.appspot.com/bug?extid=55cc72f8cc3a549119df
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Edward AD
Sep 15, 2023, 8:00:45 AM9/15/23
to syzbot+55cc72...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test filemap
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 3f86ed6ec0b3
diff --git a/mm/memory.c b/mm/memory.c
index 6c264d2f969c..d816763777d5 100644
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 3f86ed6ec0b3
diff --git a/mm/memory.c b/mm/memory.c
add_mm_counter(vma->vm_mm, mm_counter_file(page), nr);
folio_add_file_rmap_range(folio, page, nr, vma, false);
}
- set_ptes(vma->vm_mm, addr, vmf->pte, entry, nr);
+ for (i = 0;i < nr;i++)
+ set_ptes(vma->vm_mm, addr, vmf->pte, entry[i], 1);
folio_add_file_rmap_range(folio, page, nr, vma, false);
}
- set_ptes(vma->vm_mm, addr, vmf->pte, entry, nr);
+ for (i = 0;i < nr;i++)
syzbot
Sep 15, 2023, 8:16:30 AM9/15/23
to ead...@sina.com, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: Bad rss-counter state
BUG: Bad rss-counter state mm:ffff888028651300 type:MM_FILEPAGES val:4
Tested on:
commit: 3f86ed6e Merge tag 'arc-6.6-rc1' of git://git.kernel.o..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=15ac9c64680000
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: Bad rss-counter state mm:ffff888028651300 type:MM_FILEPAGES val:4
Tested on:
commit: 3f86ed6e Merge tag 'arc-6.6-rc1' of git://git.kernel.o..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=1feed7da1decb7a3
dashboard link: https://syzkaller.appspot.com/bug?extid=55cc72f8cc3a549119df
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=17152d62680000
dashboard link: https://syzkaller.appspot.com/bug?extid=55cc72f8cc3a549119df
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Edward AD
Sep 15, 2023, 8:28:46 AM9/15/23
to syzbot+55cc72...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test filemap
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 3f86ed6ec0b3
diff --git a/mm/memory.c b/mm/memory.c
index 6c264d2f969c..32d3235b7e30 100644
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 3f86ed6ec0b3
diff --git a/mm/memory.c b/mm/memory.c
add_mm_counter(vma->vm_mm, mm_counter_file(page), nr);
folio_add_file_rmap_range(folio, page, nr, vma, false);
}
- set_ptes(vma->vm_mm, addr, vmf->pte, entry, nr);
+ for (i = 0;i < nr;i++) {
+ set_ptes(vma->vm_mm, addr, vmf->pte, entry[i], 1);
+ vmf->pte++;
folio_add_file_rmap_range(folio, page, nr, vma, false);
}
- set_ptes(vma->vm_mm, addr, vmf->pte, entry, nr);
+ for (i = 0;i < nr;i++) {
+ set_ptes(vma->vm_mm, addr, vmf->pte, entry[i], 1);
+ }
syzbot
Sep 15, 2023, 8:59:36 AM9/15/23
to ead...@sina.com, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+55cc72...@syzkaller.appspotmail.com
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+55cc72...@syzkaller.appspotmail.com
Tested on:
commit: 3f86ed6e Merge tag 'arc-6.6-rc1' of git://git.kernel.o..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=11e4d89c680000
commit: 3f86ed6e Merge tag 'arc-6.6-rc1' of git://git.kernel.o..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=1feed7da1decb7a3
dashboard link: https://syzkaller.appspot.com/bug?extid=55cc72f8cc3a549119df
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=14cef464680000
dashboard link: https://syzkaller.appspot.com/bug?extid=55cc72f8cc3a549119df
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Yin Fengwei
Sep 18, 2023, 9:12:03 PM9/18/23
to Matthew Wilcox, Dave Hansen, syzbot, ak...@linux-foundation.org, linux-...@vger.kernel.org, linu...@kvack.org, syzkall...@googlegroups.com, Yin Fengwei
Hi Matthew,
On 9/14/23 15:33, Yin Fengwei wrote:
I'd like to move this bug fixing forward. Based on the test result here:
https://lore.kernel.org/linux-mm/124631ab-eb4c-6584...@intel.com/
There is very small performance delta between your version and Dave's.
What do you think if we propose to merge Dave's version? Or do I need collect
more data? Thanks.
On 9/14/23 15:33, Yin Fengwei wrote:
https://lore.kernel.org/linux-mm/124631ab-eb4c-6584...@intel.com/
There is very small performance delta between your version and Dave's.
What do you think if we propose to merge Dave's version? Or do I need collect
more data? Thanks.
Dave Hansen
Sep 19, 2023, 12:11:55 PM9/19/23
to Yin Fengwei, Matthew Wilcox, syzbot, ak...@linux-foundation.org, linux-...@vger.kernel.org, linu...@kvack.org, syzkall...@googlegroups.com
On 9/18/23 18:11, Yin Fengwei wrote:
>> I will find a test machine to measure the performance difference of these two
>> versions by using xfs + will-it-scale. Will keep you guys updated.
> I'd like to move this bug fixing forward. Based on the test result here:
> https://lore.kernel.org/linux-mm/124631ab-eb4c-6584...@intel.com/
> There is very small performance delta between your version and Dave's.
>
> What do you think if we propose to merge Dave's version? Or do I need collect
> more data? Thanks.
I honestly don't feel that strongly about my version versus Matthew's.
>> I will find a test machine to measure the performance difference of these two
>> versions by using xfs + will-it-scale. Will keep you guys updated.
> I'd like to move this bug fixing forward. Based on the test result here:
> https://lore.kernel.org/linux-mm/124631ab-eb4c-6584...@intel.com/
> There is very small performance delta between your version and Dave's.
>
> What do you think if we propose to merge Dave's version? Or do I need collect
> more data? Thanks.
I like mine, but I'll happily ack either approach.
The thing I care about the most is getting the bug fixed ... quickly. :)
Yin Fengwei
Sep 19, 2023, 9:29:33 PM9/19/23
to Dave Hansen, Matthew Wilcox, syzbot, ak...@linux-foundation.org, linux-...@vger.kernel.org, linu...@kvack.org, syzkall...@googlegroups.com
Regarding the performance delta is very small, I thought we should follow the
commit message of 6b28baca9b1f0d4a42b865da7a05b1c81424bd5c:
The invert is done by pte/pmd_modify and pfn/pmd/pud_pte for PROTNONE and
pte/pmd/pud_pfn undo it.
This assume that no code path touches the PFN part of a PTE directly
without using these primitives.
Regards
The invert is done by pte/pmd_modify and pfn/pmd/pud_pte for PROTNONE and
pte/pmd/pud_pfn undo it.
This assume that no code path touches the PFN part of a PTE directly
without using these primitives.
Yin, Fengwei
Matthew Wilcox
Sep 19, 2023, 9:47:34 PM9/19/23
to Yin Fengwei, Dave Hansen, syzbot, ak...@linux-foundation.org, linux-...@vger.kernel.org, linu...@kvack.org, syzkall...@googlegroups.com
On Wed, Sep 20, 2023 at 09:29:18AM +0800, Yin Fengwei wrote:
>
>
> On 9/20/23 00:11, Dave Hansen wrote:
> > On 9/18/23 18:11, Yin Fengwei wrote:
> >>> I will find a test machine to measure the performance difference of these two
> >>> versions by using xfs + will-it-scale. Will keep you guys updated.
> >> I'd like to move this bug fixing forward. Based on the test result here:
> >> https://lore.kernel.org/linux-mm/124631ab-eb4c-6584...@intel.com/
> >> There is very small performance delta between your version and Dave's.
> >>
> >> What do you think if we propose to merge Dave's version? Or do I need collect
> >> more data? Thanks.
> >
> > I honestly don't feel that strongly about my version versus Matthew's.
> > I like mine, but I'll happily ack either approach.
> >
> > The thing I care about the most is getting the bug fixed ... quickly. :)
> Same in my side.
I'm just redoing the commit message now.
>
>
> On 9/20/23 00:11, Dave Hansen wrote:
> > On 9/18/23 18:11, Yin Fengwei wrote:
> >>> I will find a test machine to measure the performance difference of these two
> >>> versions by using xfs + will-it-scale. Will keep you guys updated.
> >> I'd like to move this bug fixing forward. Based on the test result here:
> >> https://lore.kernel.org/linux-mm/124631ab-eb4c-6584...@intel.com/
> >> There is very small performance delta between your version and Dave's.
> >>
> >> What do you think if we propose to merge Dave's version? Or do I need collect
> >> more data? Thanks.
> >
> > I honestly don't feel that strongly about my version versus Matthew's.
> > I like mine, but I'll happily ack either approach.
> >
> > The thing I care about the most is getting the bug fixed ... quickly. :)
> Same in my side.
Reply all
Reply to author
Forward
0 new messages