[syzbot] [mm?] [io-uring?] WARNING in get_pte_pfn
From: syzbot @ 2023-12-22 8:11 UTC
To: akpm, axboe, io-uring, linux-kernel, linux-mm, syzkaller-bugs

Hello,

syzbot found the following issue on:

HEAD commit:    0e389834672c Merge tag 'for-6.7-rc5-tag' of git://git.kern..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1454824ee80000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f21aff374937e60e
dashboard link: https://syzkaller.appspot.com/bug?extid=03fd9b3f71641f0ebf2d
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=13b4ef49e80000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=118314d6e80000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/e58cd74e152a/disk-0e389834.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/45d17ccb34bc/vmlinux-0e389834.xz
kernel image: https://storage.googleapis.com/syzbot-assets/b9b7105d4e08/bzImage-0e389834.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]

------------[ cut here ]------------
WARNING: CPU: 1 PID: 5066 at mm/vmscan.c:3242 get_pte_pfn+0x1b5/0x3f0 mm/vmscan.c:3242
Modules linked in:
CPU: 1 PID: 5066 Comm: syz-executor668 Not tainted 6.7.0-rc5-syzkaller-00270-g0e389834672c #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
RIP: 0010:get_pte_pfn+0x1b5/0x3f0 mm/vmscan.c:3242
Code: f3 74 2a e8 6d 78 cb ff 31 ff 48 b8 00 00 00 00 00 00 00 02 48 21 c5 48 89 ee e8 e6 73 cb ff 48 85 ed 74 4e e8 4c 78 cb ff 90 <0f> 0b 90 48 c7 c3 ff ff ff ff e8 3c 78 cb ff 48 b8 00 00 00 00 00
RSP: 0018:ffffc900041e6878 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 000000000007891d RCX: ffffffff81bbf6e3
RDX: ffff88807d813b80 RSI: ffffffff81bbf684 RDI: 0000000000000005
RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000200 R11: 0000000000000003 R12: 0000000000000200
R13: 1ffff9200083cd0f R14: 0000000000010b21 R15: 0000000020ffc000
FS:  0000555555f4d480(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000005fbfa000 CR4: 0000000000350ef0
Call Trace:
 <TASK>
 lru_gen_look_around+0x70d/0x11a0 mm/vmscan.c:4001
 folio_referenced_one+0x5a2/0xf70 mm/rmap.c:843
 rmap_walk_anon+0x225/0x570 mm/rmap.c:2485
 rmap_walk mm/rmap.c:2562 [inline]
 rmap_walk mm/rmap.c:2557 [inline]
 folio_referenced+0x28a/0x4b0 mm/rmap.c:960
 folio_check_references mm/vmscan.c:829 [inline]
 shrink_folio_list+0x1ace/0x3f00 mm/vmscan.c:1160
 evict_folios+0x6e7/0x1b90 mm/vmscan.c:4499
 try_to_shrink_lruvec+0x638/0xa10 mm/vmscan.c:4704
 lru_gen_shrink_lruvec mm/vmscan.c:4849 [inline]
 shrink_lruvec+0x314/0x2990 mm/vmscan.c:5622
 shrink_node_memcgs mm/vmscan.c:5842 [inline]
 shrink_node+0x811/0x3710 mm/vmscan.c:5877
 shrink_zones mm/vmscan.c:6116 [inline]
 do_try_to_free_pages+0x36c/0x1940 mm/vmscan.c:6178
 try_to_free_mem_cgroup_pages+0x31a/0x770 mm/vmscan.c:6493
 try_charge_memcg+0x3d3/0x11f0 mm/memcontrol.c:2742
 obj_cgroup_charge_pages mm/memcontrol.c:3255 [inline]
 __memcg_kmem_charge_page+0xdd/0x2a0 mm/memcontrol.c:3281
 __alloc_pages+0x263/0x2420 mm/page_alloc.c:4585
 alloc_pages_mpol+0x258/0x5f0 mm/mempolicy.c:2133
 __get_free_pages+0xc/0x40 mm/page_alloc.c:4615
 io_mem_alloc+0x33/0x60 io_uring/io_uring.c:2789
 io_allocate_scq_urings io_uring/io_uring.c:3842 [inline]
 io_uring_create io_uring/io_uring.c:4019 [inline]
 io_uring_setup+0x13ed/0x2430 io_uring/io_uring.c:4131
 __do_sys_io_uring_setup io_uring/io_uring.c:4158 [inline]
 __se_sys_io_uring_setup io_uring/io_uring.c:4152 [inline]
 __x64_sys_io_uring_setup+0x98/0x140 io_uring/io_uring.c:4152
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f4b0e4778a9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 d1 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff814fe868 EFLAGS: 00000202 ORIG_RAX: 00000000000001a9
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f4b0e4778a9
RDX: 0000000020000700 RSI: 0000000020000640 RDI: 0000000000005a19
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000020000700
R10: 00007fff814fe8d0 R11: 0000000000000202 R12: 0000000020000640
R13: 0000000000000000 R14: 0000000000005a19 R15: 0000000020000700
 </TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at [email protected].

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup
Re: [syzbot] [mm?] [io-uring?] WARNING in get_pte_pfn
From: Jens Axboe @ 2023-12-22 14:55 UTC
To: syzbot, akpm, io-uring, linux-kernel, linux-mm, syzkaller-bugs

On 12/22/23 1:11 AM, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit:    0e389834672c Merge tag 'for-6.7-rc5-tag' of git://git.kern..
[...]
> ------------[ cut here ]------------
> WARNING: CPU: 1 PID: 5066 at mm/vmscan.c:3242 get_pte_pfn+0x1b5/0x3f0 mm/vmscan.c:3242
[...]
>  io_mem_alloc+0x33/0x60 io_uring/io_uring.c:2789
>  io_allocate_scq_urings io_uring/io_uring.c:3842 [inline]
>  io_uring_create io_uring/io_uring.c:4019 [inline]
>  io_uring_setup+0x13ed/0x2430 io_uring/io_uring.c:4131
[...]

Don't think this is io_uring related, test case looks like it's just
setting up and tearing down big rings.

-- 
Jens Axboe
Re: [syzbot] [mm?] [io-uring?] WARNING in get_pte_pfn
From: Yu Zhao @ 2023-12-23 4:59 UTC
To: Jens Axboe; +Cc: syzbot, akpm, io-uring, linux-kernel, linux-mm, syzkaller-bugs

On Fri, Dec 22, 2023 at 7:55 AM Jens Axboe <[email protected]> wrote:
>
> On 12/22/23 1:11 AM, syzbot wrote:
> > Hello,
> >
> > syzbot found the following issue on:
> >
> > HEAD commit:    0e389834672c Merge tag 'for-6.7-rc5-tag' of git://git.kern..
[...]
> > WARNING: CPU: 1 PID: 5066 at mm/vmscan.c:3242 get_pte_pfn+0x1b5/0x3f0 mm/vmscan.c:3242
[...]
>
> Don't think this is io_uring related, test case looks like it's just
> setting up and tearing down big rings.

Can confirm it is an MM bug. Just posted the fix:
https://lore.kernel.org/[email protected]/
Re: [syzbot] [mm] WARNING in get_pte_pfn
From: Yu Zhao @ 2023-12-23 3:30 UTC
To: syzbot; +Cc: akpm, axboe, io-uring, linux-kernel, linux-mm, syzkaller-bugs

On Fri, Dec 22, 2023 at 12:11:21AM -0800, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit:    0e389834672c Merge tag 'for-6.7-rc5-tag' of git://git.kern..
[...]
> ------------[ cut here ]------------
> WARNING: CPU: 1 PID: 5066 at mm/vmscan.c:3242 get_pte_pfn+0x1b5/0x3f0 mm/vmscan.c:3242
[...]
> Call Trace:
>  <TASK>
>  lru_gen_look_around+0x70d/0x11a0 mm/vmscan.c:4001
>  folio_referenced_one+0x5a2/0xf70 mm/rmap.c:843
[...]
>  do_try_to_free_pages+0x36c/0x1940 mm/vmscan.c:6178

#syz test

diff --git a/mm/vmscan.c b/mm/vmscan.c index 9dd8977de5a2..041f9ad8f95b 100644 --- a/mm/vmscan.c +++ b/mm/vmscan.c @@ -3230,7 +3230,8 @@ static bool get_next_vma(unsigned long mask, unsigned long size, struct mm_walk return false; } -static unsigned long get_pte_pfn(pte_t pte, struct vm_area_struct *vma, unsigned long addr) +static unsigned long get_pte_pfn(pte_t pte, struct vm_area_struct *vma, unsigned long addr, + struct page *page) { unsigned long pfn = pte_pfn(pte); 
@@ -3239,8 +3240,14 @@ static unsigned long get_pte_pfn(pte_t pte, struct vm_area_struct *vma, unsigned if (!pte_present(pte) || is_zero_pfn(pfn)) return -1; - if (WARN_ON_ONCE(pte_devmap(pte) || pte_special(pte))) + if (pte_devmap(pte) || pte_special(pte)) { + if (page) + dump_page(page, "get_pte_pfn()"); + dump_vma(vma); + dump_mm(vma->vm_mm); + BUG(); return -1; + } if (WARN_ON_ONCE(!pfn_valid(pfn))) return -1; @@ -3331,7 +3338,7 @@ static bool walk_pte_range(pmd_t *pmd, unsigned long start, unsigned long end, total++; walk->mm_stats[MM_LEAF_TOTAL]++; - pfn = get_pte_pfn(ptent, args->vma, addr); + pfn = get_pte_pfn(ptent, args->vma, addr, NULL); if (pfn == -1) continue; @@ -3998,7 +4005,7 @@ void lru_gen_look_around(struct page_vma_mapped_walk *pvmw) unsigned long pfn; pte_t ptent = ptep_get(pte + i); - pfn = get_pte_pfn(ptent, pvmw->vma, addr); + pfn = get_pte_pfn(ptent, pvmw->vma, addr, pfn_to_page(pvmw->pfn)); if (pfn == -1) continue; ^ permalink raw reply related [flat|nested] 5+ messages in thread
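Review bot: in the get_pte_pfn() body hunk, replacing `WARN_ON_ONCE(pte_devmap(pte) || pte_special(pte))` with dump_page()/dump_vma()/dump_mm() followed by `BUG()` turns a recoverable one-shot warning into a panic of the reclaiming task, so this is a diagnostic patch for the #syz test run rather than a candidate fix, and the `return -1;` after `BUG()` is unreachable. dump_page() is also guarded by `if (page)`, while the walk_pte_range() hunk passes NULL, so on the page-table-walk path only the VMA and mm are dumped; that matches the reported trace, which enters via lru_gen_look_around(), but it is worth keeping in mind when reading the output.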
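Review bot: in the lru_gen_look_around() hunk, `pfn_to_page(pvmw->pfn)` is the folio the rmap walk is currently processing, not necessarily the page mapped by `ptent` (the entry at `pte + i` whose pfn failed the devmap/special check), so the dump_page() output identifies the folio being looked around from rather than the offending PTE. Printing `pte_val(ptent)` and `pte_pfn(ptent)` next to the dump would pin down which neighbouring entry tripped the check.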
Re: [syzbot] [mm?] [io-uring?] WARNING in get_pte_pfn
From: syzbot @ 2023-12-23 4:02 UTC
To: akpm, axboe, io-uring, linux-kernel, linux-mm, syzkaller-bugs, yuzhao

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
kernel BUG in get_pte_pfn

ioctx_table 0000000000000000
owner ffff8880208f3b80 exe_file ffff88801a7ff180
notifier_subscriptions 0000000000000000
numa_next_scan 4294946352 numa_scan_offset 0 numa_scan_seq 0
tlb_flush_pending 0
def_flags: 0x0()
------------[ cut here ]------------
kernel BUG at mm/vmscan.c:3248!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 5911 Comm: syz-executor.0 Not tainted 6.7.0-rc6-syzkaller-00248-g5254c0cbc92d-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
RIP: 0010:get_pte_pfn+0x3ec/0x450 mm/vmscan.c:3248
Code: ef e8 48 27 0a 00 49 8d 7d 10 b8 ff ff 37 00 48 89 fa 48 c1 e0 2a 48 c1 ea 03 80 3c 02 00 75 5a 49 8b 7d 10 e8 c5 29 0a 00 90 <0f> 0b 4c 89 ef e8 fa 0f 22 00 e9 dc fc ff ff 48 c7 c7 80 43 19 8f
RSP: 0018:ffffc9000bb4e868 EFLAGS: 00010286
RAX: 0000000000000331 RBX: ffffea0001fb0240 RCX: ffffffff816a6559
RDX: 0000000000000000 RSI: ffffffff816aea02 RDI: 0000000000000005
RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000200
R13: ffff88807ba95e00 R14: 1ffff92001769d0e R15: 0000000000010b22
FS:  00007ff14dc496c0(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000076e1e000 CR4: 0000000000350ef0
Call Trace:
 <TASK>
 lru_gen_look_around+0x743/0x11f0 mm/vmscan.c:4008
 folio_referenced_one+0x5a2/0xf70 mm/rmap.c:843
 rmap_walk_anon+0x225/0x570 mm/rmap.c:2485
 rmap_walk mm/rmap.c:2562 [inline]
 rmap_walk mm/rmap.c:2557 [inline]
 folio_referenced+0x28a/0x4b0 mm/rmap.c:960
 folio_check_references mm/vmscan.c:829 [inline]
 shrink_folio_list+0x1ace/0x3f00 mm/vmscan.c:1160
 evict_folios+0x6e7/0x1b90 mm/vmscan.c:4506
 try_to_shrink_lruvec+0x638/0xa10 mm/vmscan.c:4711
 lru_gen_shrink_lruvec mm/vmscan.c:4856 [inline]
 shrink_lruvec+0x314/0x2990 mm/vmscan.c:5629
 shrink_node_memcgs mm/vmscan.c:5849 [inline]
 shrink_node+0x811/0x3710 mm/vmscan.c:5884
 shrink_zones mm/vmscan.c:6123 [inline]
 do_try_to_free_pages+0x36c/0x1940 mm/vmscan.c:6185
 try_to_free_mem_cgroup_pages+0x31a/0x770 mm/vmscan.c:6500
 try_charge_memcg+0x3d3/0x11f0 mm/memcontrol.c:2742
 obj_cgroup_charge_pages mm/memcontrol.c:3255 [inline]
 __memcg_kmem_charge_page+0xdd/0x2a0 mm/memcontrol.c:3281
 __alloc_pages+0x263/0x2420 mm/page_alloc.c:4585
 alloc_pages_mpol+0x258/0x5f0 mm/mempolicy.c:2133
 __get_free_pages+0xc/0x40 mm/page_alloc.c:4615
 io_mem_alloc+0x33/0x60 io_uring/io_uring.c:2789
 io_allocate_scq_urings io_uring/io_uring.c:3842 [inline]
 io_uring_create io_uring/io_uring.c:4019 [inline]
 io_uring_setup+0x13ed/0x2430 io_uring/io_uring.c:4131
 __do_sys_io_uring_setup io_uring/io_uring.c:4158 [inline]
 __se_sys_io_uring_setup io_uring/io_uring.c:4152 [inline]
 __x64_sys_io_uring_setup+0x98/0x140 io_uring/io_uring.c:4152
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7ff14ce7cba9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ff14dc49058 EFLAGS: 00000206 ORIG_RAX: 00000000000001a9
RAX: ffffffffffffffda RBX: 00007ff14cf9bf80 RCX: 00007ff14ce7cba9
RDX: 0000000020000700 RSI: 0000000020000640 RDI: 0000000000005a19
RBP: 00007ff14cec847a R08: 0000000000000000 R09: 0000000020000700
R10: 0000000000000000 R11: 0000000000000206 R12: 0000000020000640
R13: 0000000000000000 R14: 0000000000005a19 R15: 0000000020000700
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:get_pte_pfn+0x3ec/0x450 mm/vmscan.c:3248
Code: ef e8 48 27 0a 00 49 8d 7d 10 b8 ff ff 37 00 48 89 fa 48 c1 e0 2a 48 c1 ea 03 80 3c 02 00 75 5a 49 8b 7d 10 e8 c5 29 0a 00 90 <0f> 0b 4c 89 ef e8 fa 0f 22 00 e9 dc fc ff ff 48 c7 c7 80 43 19 8f
RSP: 0018:ffffc9000bb4e868 EFLAGS: 00010286
RAX: 0000000000000331 RBX: ffffea0001fb0240 RCX: ffffffff816a6559
RDX: 0000000000000000 RSI: ffffffff816aea02 RDI: 0000000000000005
RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000200
R13: ffff88807ba95e00 R14: 1ffff92001769d0e R15: 0000000000010b22
FS:  00007ff14dc496c0(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000076e1e000 CR4: 0000000000350ef0


Tested on:

commit:         5254c0cb Merge tag 'block-6.7-2023-12-22' of git://git..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1709d481e80000
kernel config:  https://syzkaller.appspot.com/x/.config?x=314e9ad033a7d3a7
dashboard link: https://syzkaller.appspot.com/bug?extid=03fd9b3f71641f0ebf2d
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1120ad76e80000