[syzbot] kernel BUG in find_lock_entries


syzbot

Aug 9, 2021, 5:02:24 PM
to ak...@linux-foundation.org, b...@alien8.de, fred...@kernel.org, h...@zytor.com, jmat...@google.com, jo...@8bytes.org, k...@vger.kernel.org, linux-...@vger.kernel.org, linu...@kvack.org, mark.r...@arm.com, masa...@kernel.org, mi...@redhat.com, npi...@gmail.com, pbon...@redhat.com, pet...@infradead.org, rafael.j...@intel.com, ros...@goodmis.org, sea...@google.com, sedat...@gmail.com, syzkall...@googlegroups.com, tg...@linutronix.de, vi...@massaru.org, vkuz...@redhat.com, wanp...@tencent.com, wi...@kernel.org, x...@kernel.org
Hello,

syzbot found the following issue on:

HEAD commit: 902e7f373fff Merge tag 'net-5.14-rc5' of git://git.kernel...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15337cd6300000
kernel config: https://syzkaller.appspot.com/x/.config?x=702bfdfbf389c324
dashboard link: https://syzkaller.appspot.com/bug?extid=c87be4f669d920c76330
compiler: Debian clang version 11.0.1-2, GNU ld (GNU Binutils for Debian) 2.35.1
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=157afce9300000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=152fc43a300000

The issue was bisected to:

commit 997acaf6b4b59c6a9c259740312a69ea549cc684
Author: Mark Rutland <mark.r...@arm.com>
Date: Mon Jan 11 15:37:07 2021 +0000

lockdep: report broken irq restoration

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=137296e6300000
final oops: https://syzkaller.appspot.com/x/report.txt?x=10f296e6300000
console output: https://syzkaller.appspot.com/x/log.txt?x=177296e6300000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c87be4...@syzkaller.appspotmail.com
Fixes: 997acaf6b4b5 ("lockdep: report broken irq restoration")

__pagevec_release+0x7d/0xf0 mm/swap.c:992
pagevec_release include/linux/pagevec.h:81 [inline]
shmem_undo_range+0x5da/0x1a60 mm/shmem.c:931
shmem_truncate_range mm/shmem.c:1030 [inline]
shmem_setattr+0x4f0/0x890 mm/shmem.c:1091
notify_change+0xbb8/0x1060 fs/attr.c:398
do_truncate fs/open.c:64 [inline]
vfs_truncate+0x6be/0x880 fs/open.c:112
do_sys_truncate fs/open.c:135 [inline]
__do_sys_truncate fs/open.c:147 [inline]
__se_sys_truncate fs/open.c:145 [inline]
__x64_sys_truncate+0x110/0x1b0 fs/open.c:145
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
------------[ cut here ]------------
kernel BUG at mm/filemap.c:2041!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 24786 Comm: syz-executor626 Not tainted 5.14.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:find_lock_entries+0x10d5/0x1110 mm/filemap.c:2041
Code: e8 00 3d d8 ff 4c 89 e7 48 c7 c6 20 70 39 8a e8 71 bf 0d 00 0f 0b e8 ea 3c d8 ff 4c 89 e7 48 c7 c6 40 62 39 8a e8 5b bf 0d 00 <0f> 0b e8 d4 3c d8 ff 4c 89 e7 48 c7 c6 80 6a 39 8a e8 45 bf 0d 00
RSP: 0018:ffffc9000a52f7e0 EFLAGS: 00010246
RAX: c75c992acedb0700 RBX: 0000000000000001 RCX: ffff8880161ab880
RDX: 0000000000000000 RSI: 000000000000ffff RDI: 000000000000ffff
RBP: ffffc9000a52f930 R08: ffffffff81d080d4 R09: ffffed1017383f24
R10: ffffed1017383f24 R11: 0000000000000000 R12: ffffea0000f40000
R13: 0000000000001000 R14: fffffffffffffffe R15: 0000000000001140
FS: 00007f1334d1f700(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007faaa593a000 CR3: 00000000165b1000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
shmem_undo_range+0x1ea/0x1a60 mm/shmem.c:910
shmem_truncate_range mm/shmem.c:1030 [inline]
shmem_setattr+0x4f0/0x890 mm/shmem.c:1091
notify_change+0xbb8/0x1060 fs/attr.c:398
do_truncate fs/open.c:64 [inline]
vfs_truncate+0x6be/0x880 fs/open.c:112
do_sys_truncate fs/open.c:135 [inline]
__do_sys_truncate fs/open.c:147 [inline]
__se_sys_truncate fs/open.c:145 [inline]
__x64_sys_truncate+0x110/0x1b0 fs/open.c:145
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x44a9a9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f1334d1f208 EFLAGS: 00000246 ORIG_RAX: 000000000000004c
RAX: ffffffffffffffda RBX: 00000000004cb4f8 RCX: 000000000044a9a9
RDX: 00007f1334d1f700 RSI: 0000000000000001 RDI: 0000000020000340
RBP: 00000000004cb4f0 R08: 00007f1334d1f700 R09: 0000000000000000
R10: 00007f1334d1f700 R11: 0000000000000246 R12: 00000000004cb4fc
R13: 00007ffdec06b36f R14: 00007f1334d1f300 R15: 0000000000022000
Modules linked in:
---[ end trace 4dcd0c81778c7d51 ]---
RIP: 0010:find_lock_entries+0x10d5/0x1110 mm/filemap.c:2041
Code: e8 00 3d d8 ff 4c 89 e7 48 c7 c6 20 70 39 8a e8 71 bf 0d 00 0f 0b e8 ea 3c d8 ff 4c 89 e7 48 c7 c6 40 62 39 8a e8 5b bf 0d 00 <0f> 0b e8 d4 3c d8 ff 4c 89 e7 48 c7 c6 80 6a 39 8a e8 45 bf 0d 00
RSP: 0018:ffffc9000a52f7e0 EFLAGS: 00010246
RAX: c75c992acedb0700 RBX: 0000000000000001 RCX: ffff8880161ab880
RDX: 0000000000000000 RSI: 000000000000ffff RDI: 000000000000ffff
RBP: ffffc9000a52f930 R08: ffffffff81d080d4 R09: ffffed1017383f24
R10: ffffed1017383f24 R11: 0000000000000000 R12: ffffea0000f40000
R13: 0000000000001000 R14: fffffffffffffffe R15: 0000000000001140
FS: 00007f1334d1f700(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000557a29364160 CR3: 00000000165b1000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches

syzbot

Aug 9, 2021, 6:51:24 PM
to Matthew Wilcox, ak...@linux-foundation.org, b...@alien8.de, fred...@kernel.org, h...@zytor.com, jmat...@google.com, jo...@8bytes.org, k...@vger.kernel.org, linux-...@vger.kernel.org, linu...@kvack.org, mark.r...@arm.com, masa...@kernel.org, mi...@redhat.com, npi...@gmail.com, pbon...@redhat.com, pet...@infradead.org, rafael.j...@intel.com, ros...@goodmis.org, sea...@google.com, sedat...@gmail.com, syzkall...@googlegroups.com, tg...@linutronix.de, vi...@massaru.org, vkuz...@redhat.com, wanp...@tencent.com, wi...@kernel.org, wi...@infradead.org, x...@kernel.org
> On Mon, Aug 09, 2021 at 02:02:22PM -0700, syzbot wrote:
>> The issue was bisected to:
>>
>> commit 997acaf6b4b59c6a9c259740312a69ea549cc684
>> Author: Mark Rutland <mark.r...@arm.com>
>> Date: Mon Jan 11 15:37:07 2021 +0000
>>
>> lockdep: report broken irq restoration
>
> That's just a bogus bisection. The correct bad commit is 5c211ba29deb.
>
>> kernel BUG at mm/filemap.c:2041!
>> invalid opcode: 0000 [#1] PREEMPT SMP KASAN
>> CPU: 1 PID: 24786 Comm: syz-executor626 Not tainted 5.14.0-rc4-syzkaller #0
>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
>> RIP: 0010:find_lock_entries+0x10d5/0x1110 mm/filemap.c:2041
>
> This patch should fix it. It's not just removing the warning; this
> warning duplicates the warning a few lines down (after taking the
> lock). It's not safe to make this assertion without holding the page
> lock as the page can move between the page cache and the swap cache.
>
> #syz test

want 2 args (repo, branch), got 4

>
> diff --git a/mm/filemap.c b/mm/filemap.c
> index d1458ecf2f51..34de0b14aaa9 100644
> --- a/mm/filemap.c
> +++ b/mm/filemap.c
> @@ -2038,7 +2038,6 @@ unsigned find_lock_entries(struct address_space *mapping, pgoff_t start,
> if (!xa_is_value(page)) {
> if (page->index < start)
> goto put;
> - VM_BUG_ON_PAGE(page->index != xas.xa_index, page);
> if (page->index + thp_nr_pages(page) - 1 > end)
> goto put;
> if (!trylock_page(page))
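Review bot: the hunk removes the check at mm/filemap.c:2041, the exact line the report's "kernel BUG at mm/filemap.c:2041!" points at, but it carries no commit message. Please put the rationale given above (page->index can change while the page moves between the page cache and the swap cache, so the assertion is only meaningful after trylock_page() succeeds, where the same check is repeated) into the commit message, add the Reported-by: tag from the report, and use Fixes: 5c211ba29deb rather than the bisected lockdep commit, which the reply above identifies as a bogus bisection.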

Matthew Wilcox

Aug 9, 2021, 6:54:39 PM
to syzbot, ak...@linux-foundation.org, b...@alien8.de, fred...@kernel.org, h...@zytor.com, jmat...@google.com, jo...@8bytes.org, k...@vger.kernel.org, linux-...@vger.kernel.org, linu...@kvack.org, mark.r...@arm.com, masa...@kernel.org, mi...@redhat.com, npi...@gmail.com, pbon...@redhat.com, pet...@infradead.org, rafael.j...@intel.com, ros...@goodmis.org, sea...@google.com, sedat...@gmail.com, syzkall...@googlegroups.com, tg...@linutronix.de, vi...@massaru.org, vkuz...@redhat.com, wanp...@tencent.com, wi...@kernel.org, x...@kernel.org
On Mon, Aug 09, 2021 at 02:02:22PM -0700, syzbot wrote:
> The issue was bisected to:
>
> commit 997acaf6b4b59c6a9c259740312a69ea549cc684
> Author: Mark Rutland <mark.r...@arm.com>
> Date: Mon Jan 11 15:37:07 2021 +0000
>
> lockdep: report broken irq restoration

That's just a bogus bisection. The correct bad commit is 5c211ba29deb.

> kernel BUG at mm/filemap.c:2041!
> invalid opcode: 0000 [#1] PREEMPT SMP KASAN
> CPU: 1 PID: 24786 Comm: syz-executor626 Not tainted 5.14.0-rc4-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> RIP: 0010:find_lock_entries+0x10d5/0x1110 mm/filemap.c:2041

This patch should fix it. It's not just removing the warning; this
warning duplicates the warning a few lines down (after taking the
lock). It's not safe to make this assertion without holding the page
lock as the page can move between the page cache and the swap cache.

#syz test

syzbot

Aug 9, 2021, 6:54:41 PM
to Matthew Wilcox, ak...@linux-foundation.org, b...@alien8.de, fred...@kernel.org, h...@zytor.com, jmat...@google.com, jo...@8bytes.org, k...@vger.kernel.org, linux-...@vger.kernel.org, linu...@kvack.org, mark.r...@arm.com, masa...@kernel.org, mi...@redhat.com, npi...@gmail.com, pbon...@redhat.com, pet...@infradead.org, rafael.j...@intel.com, ros...@goodmis.org, sea...@google.com, sedat...@gmail.com, syzkall...@googlegroups.com, tg...@linutronix.de, vi...@massaru.org, vkuz...@redhat.com, wanp...@tencent.com, wi...@kernel.org, wi...@infradead.org, x...@kernel.org
> On Mon, Aug 09, 2021 at 02:02:22PM -0700, syzbot wrote:
>> The issue was bisected to:
>>
>> commit 997acaf6b4b59c6a9c259740312a69ea549cc684
>> Author: Mark Rutland <mark.r...@arm.com>
>> Date: Mon Jan 11 15:37:07 2021 +0000
>>
>> lockdep: report broken irq restoration
>
> That's just a bogus bisection. The correct bad commit is 5c211ba29deb.
>
>> kernel BUG at mm/filemap.c:2041!
>> invalid opcode: 0000 [#1] PREEMPT SMP KASAN
>> CPU: 1 PID: 24786 Comm: syz-executor626 Not tainted 5.14.0-rc4-syzkaller #0
>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
>> RIP: 0010:find_lock_entries+0x10d5/0x1110 mm/filemap.c:2041
>
> This patch should fix it. It's not just removing the warning; this
> warning duplicates the warning a few lines down (after taking the
> lock). It's not safe to make this assertion without holding the page
> lock as the page can move between the page cache and the swap cache.
>
> #syz test

want 2 args (repo, branch), got 4

>
> diff --git a/mm/filemap.c b/mm/filemap.c
> index d1458ecf2f51..34de0b14aaa9 100644
> --- a/mm/filemap.c
> +++ b/mm/filemap.c
> @@ -2038,7 +2038,6 @@ unsigned find_lock_entries(struct address_space *mapping, pgoff_t start,
> if (!xa_is_value(page)) {
> if (page->index < start)
> goto put;
> - VM_BUG_ON_PAGE(page->index != xas.xa_index, page);
> if (page->index + thp_nr_pages(page) - 1 > end)
> goto put;
> if (!trylock_page(page))
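Review bot: syzbot rejected the "#syz test" command ("want 2 args (repo, branch), got 4"), so this hunk has not been exercised against the reproducer; resend with the repo and branch on the "#syz test" line. The later test result in this thread is addressed to a different sender, so it does not show whether this removal is sufficient to stop the BUG at mm/filemap.c:2041.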

syzbot

Aug 12, 2021, 8:07:10 AM
to chouhan.sh...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
kernel BUG in find_lock_entries

do_group_exit+0x168/0x2d0 kernel/exit.c:922
get_signal+0x16b0/0x2080 kernel/signal.c:2808
arch_do_signal_or_restart+0x8e/0x6d0 arch/x86/kernel/signal.c:865
handle_signal_work kernel/entry/common.c:148 [inline]
exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
exit_to_user_mode_prepare+0x191/0x220 kernel/entry/common.c:209
__syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline]
syscall_exit_to_user_mode+0x26/0x60 kernel/entry/common.c:302
do_syscall_64+0x4c/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x44/0xae
------------[ cut here ]------------
kernel BUG at mm/filemap.c:2041!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 12137 Comm: syz-executor.0 Not tainted 5.14.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:find_lock_entries+0x10d5/0x1110 mm/filemap.c:2041
Code: e8 b0 36 d8 ff 4c 89 e7 48 c7 c6 20 70 39 8a e8 71 bf 0d 00 0f 0b e8 9a 36 d8 ff 4c 89 e7 48 c7 c6 40 62 39 8a e8 5b bf 0d 00 <0f> 0b e8 84 36 d8 ff 4c 89 e7 48 c7 c6 80 6a 39 8a e8 45 bf 0d 00
RSP: 0018:ffffc9000b2c77e0 EFLAGS: 00010246
RAX: 46bbb7e0299b1800 RBX: 0000000000000400 RCX: ffff88802cdbd4c0
RDX: 0000000000000000 RSI: 000000000000ffff RDI: 000000000000ffff
RBP: ffffc9000b2c7930 R08: ffffffff81d085e4 R09: ffffed1017389798
R10: ffffed1017389798 R11: 0000000000000000 R12: ffffea0001318000
R13: 0000000000000400 R14: fffffffffffffffe R15: 00000000000004c0
FS: 00007fde97e44700(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055ff66440b20 CR3: 000000003529b000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
shmem_undo_range+0x1ea/0x1a60 mm/shmem.c:910
shmem_truncate_range mm/shmem.c:1030 [inline]
shmem_setattr+0x4f0/0x890 mm/shmem.c:1091
notify_change+0xbb8/0x1060 fs/attr.c:398
do_truncate fs/open.c:64 [inline]
vfs_truncate+0x6be/0x880 fs/open.c:112
do_sys_truncate fs/open.c:135 [inline]
__do_sys_truncate fs/open.c:147 [inline]
__se_sys_truncate fs/open.c:145 [inline]
__x64_sys_truncate+0x110/0x1b0 fs/open.c:145
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4665e9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fde97e44188 EFLAGS: 00000246 ORIG_RAX: 000000000000004c
RAX: ffffffffffffffda RBX: 000000000056c038 RCX: 00000000004665e9
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000020000340
RBP: 00000000004bfcc4 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056c038
R13: 00007fff9e33571f R14: 00007fde97e44300 R15: 0000000000022000
Modules linked in:
---[ end trace 426a6eda0648f26d ]---
RIP: 0010:find_lock_entries+0x10d5/0x1110 mm/filemap.c:2041
Code: e8 b0 36 d8 ff 4c 89 e7 48 c7 c6 20 70 39 8a e8 71 bf 0d 00 0f 0b e8 9a 36 d8 ff 4c 89 e7 48 c7 c6 40 62 39 8a e8 5b bf 0d 00 <0f> 0b e8 84 36 d8 ff 4c 89 e7 48 c7 c6 80 6a 39 8a e8 45 bf 0d 00
RSP: 0018:ffffc9000b2c77e0 EFLAGS: 00010246
RAX: 46bbb7e0299b1800 RBX: 0000000000000400 RCX: ffff88802cdbd4c0
RDX: 0000000000000000 RSI: 000000000000ffff RDI: 000000000000ffff
RBP: ffffc9000b2c7930 R08: ffffffff81d085e4 R09: ffffed1017389798
R10: ffffed1017389798 R11: 0000000000000000 R12: ffffea0001318000
R13: 0000000000000400 R14: fffffffffffffffe R15: 00000000000004c0
FS: 00007fde97e44700(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055ff66440b20 CR3: 000000003529b000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


Tested on:

commit: 1746f4db Merge tag 'orphans-v5.14-rc6' of git://git.ke..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14265dbe300000
kernel config: https://syzkaller.appspot.com/x/.config?x=730106bfb5bf8ace