[syzbot] [mm?] WARNING: bad unlock balance in madvise_cold_or_pageout_pte_range

All of lore.kernel.org
 help / color / mirror / Atom feed

From: syzbot <syzbot+c641706ad4e9688cccdf@syzkaller.appspotmail.com>
To: akpm@linux-foundation.org, linux-kernel@vger.kernel.org,
	 linux-mm@kvack.org, syzkaller-bugs@googlegroups.com
Subject: [syzbot] [mm?] WARNING: bad unlock balance in madvise_cold_or_pageout_pte_range
Date: Tue, 02 Apr 2024 10:32:27 -0700	[thread overview]
Message-ID: <000000000000662a630615207d87@google.com> (raw)

Hello,

syzbot found the following issue on:

HEAD commit:    c0b832517f62 Add linux-next specific files for 20240402
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=155b7db1180000
kernel config:  https://syzkaller.appspot.com/x/.config?x=afcaf46d374cec8c
dashboard link: https://syzkaller.appspot.com/bug?extid=c641706ad4e9688cccdf
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/0d36ec76edc7/disk-c0b83251.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/6f9bb4e37dd0/vmlinux-c0b83251.xz
kernel image: https://storage.googleapis.com/syzbot-assets/2349287b14b7/bzImage-c0b83251.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c641706ad4e9688cccdf@syzkaller.appspotmail.com

=====================================
WARNING: bad unlock balance detected!
6.9.0-rc2-next-20240402-syzkaller #0 Not tainted
-------------------------------------
syz-executor.4/9211 is trying to release lock (ptlock_ptr(ptdesc)) at:
[<ffffffff81f01c0f>] spin_unlock include/linux/spinlock.h:391 [inline]
[<ffffffff81f01c0f>] madvise_cold_or_pageout_pte_range+0x170f/0x3990 mm/madvise.c:480
but there are no more locks to release!

other info that might help us debug this:
1 lock held by syz-executor.4/9211:
 #0: ffff888067e40b18 (&mm->mmap_lock){++++}-{3:3}, at: mmap_read_lock include/linux/mmap_lock.h:144 [inline]
 #0: ffff888067e40b18 (&mm->mmap_lock){++++}-{3:3}, at: do_madvise+0x481/0x44a0 mm/madvise.c:1429

stack backtrace:
CPU: 0 PID: 9211 Comm: syz-executor.4 Not tainted 6.9.0-rc2-next-20240402-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
 print_unlock_imbalance_bug+0x256/0x2c0 kernel/locking/lockdep.c:5194
 __lock_release kernel/locking/lockdep.c:5431 [inline]
 lock_release+0x599/0x9f0 kernel/locking/lockdep.c:5774
 __raw_spin_unlock include/linux/spinlock_api_smp.h:141 [inline]
 _raw_spin_unlock+0x16/0x50 kernel/locking/spinlock.c:186
 spin_unlock include/linux/spinlock.h:391 [inline]
 madvise_cold_or_pageout_pte_range+0x170f/0x3990 mm/madvise.c:480
 walk_pmd_range mm/pagewalk.c:143 [inline]
 walk_pud_range mm/pagewalk.c:221 [inline]
 walk_p4d_range mm/pagewalk.c:256 [inline]
 walk_pgd_range+0xba1/0x1810 mm/pagewalk.c:293
 __walk_page_range+0x132/0x720 mm/pagewalk.c:395
 walk_page_range+0x58f/0x7c0 mm/pagewalk.c:521
 madvise_cold_page_range mm/madvise.c:562 [inline]
 madvise_cold mm/madvise.c:584 [inline]
 madvise_vma_behavior mm/madvise.c:1028 [inline]
 madvise_walk_vmas mm/madvise.c:1256 [inline]
 do_madvise+0x1e7b/0x44a0 mm/madvise.c:1442
 __do_sys_madvise mm/madvise.c:1457 [inline]
 __se_sys_madvise mm/madvise.c:1455 [inline]
 __x64_sys_madvise+0xa6/0xc0 mm/madvise.c:1455
 do_syscall_64+0xfb/0x240
 entry_SYSCALL_64_after_hwframe+0x72/0x7a
RIP: 0033:0x7ff60947dda9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ff60a1b50c8 EFLAGS: 00000246 ORIG_RAX: 000000000000001c
RAX: ffffffffffffffda RBX: 00007ff6095abf80 RCX: 00007ff60947dda9
RDX: 0000000000000014 RSI: 0000000000600000 RDI: 0000000020000000
RBP: 00007ff6094ca47a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007ff6095abf80 R15: 00007fffacd4bc68
 </TASK>
------------[ cut here ]------------
pvqspinlock: lock 0xffff88802ed23120 has corrupted value 0x0!
WARNING: CPU: 1 PID: 9211 at kernel/locking/qspinlock_paravirt.h:510 __pv_queued_spin_unlock_slowpath+0x241/0x2f0 kernel/locking/qspinlock_paravirt.h:508
Modules linked in:
CPU: 1 PID: 9211 Comm: syz-executor.4 Not tainted 6.9.0-rc2-next-20240402-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
RIP: 0010:__pv_queued_spin_unlock_slowpath+0x241/0x2f0 kernel/locking/qspinlock_paravirt.h:508
Code: 65 47 6e f6 4c 89 f0 48 c1 e8 03 0f b6 04 18 84 c0 0f 85 9f 00 00 00 41 8b 16 48 c7 c7 c0 26 cb 8b 4c 89 f6 e8 90 f3 cb f5 90 <0f> 0b 90 90 eb 8d 44 89 f1 80 e1 07 38 c1 0f 8c 26 ff ff ff 4c 89
RSP: 0018:ffffc9000e477238 EFLAGS: 00010246
RAX: 5e9807e53cfb4f00 RBX: dffffc0000000000 RCX: 0000000000040000
RDX: ffffc9000b3b8000 RSI: 000000000003ffff RDI: 0000000000040000
RBP: dffffc0000000000 R08: ffffffff81580192 R09: fffffbfff1c39b10
R10: dffffc0000000000 R11: fffffbfff1c39b10 R12: 1ffff11005da4626
R13: ffff88802ed23130 R14: ffff88802ed23120 R15: ffff88802ed23120
FS:  00007ff60a1b56c0(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fea8ecdaab3 CR3: 000000005d0fe000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 __raw_callee_save___pv_queued_spin_unlock_slowpath+0x15/0x30
 .slowpath+0x9/0x16
 pv_queued_spin_unlock arch/x86/include/asm/paravirt.h:589 [inline]
 queued_spin_unlock arch/x86/include/asm/qspinlock.h:57 [inline]
 do_raw_spin_unlock+0x13c/0x8b0 kernel/locking/spinlock_debug.c:142
 __raw_spin_unlock include/linux/spinlock_api_smp.h:142 [inline]
 _raw_spin_unlock+0x1e/0x50 kernel/locking/spinlock.c:186
 spin_unlock include/linux/spinlock.h:391 [inline]
 madvise_cold_or_pageout_pte_range+0x170f/0x3990 mm/madvise.c:480
 walk_pmd_range mm/pagewalk.c:143 [inline]
 walk_pud_range mm/pagewalk.c:221 [inline]
 walk_p4d_range mm/pagewalk.c:256 [inline]
 walk_pgd_range+0xba1/0x1810 mm/pagewalk.c:293
 __walk_page_range+0x132/0x720 mm/pagewalk.c:395
 walk_page_range+0x58f/0x7c0 mm/pagewalk.c:521
 madvise_cold_page_range mm/madvise.c:562 [inline]
 madvise_cold mm/madvise.c:584 [inline]
 madvise_vma_behavior mm/madvise.c:1028 [inline]
 madvise_walk_vmas mm/madvise.c:1256 [inline]
 do_madvise+0x1e7b/0x44a0 mm/madvise.c:1442
 __do_sys_madvise mm/madvise.c:1457 [inline]
 __se_sys_madvise mm/madvise.c:1455 [inline]
 __x64_sys_madvise+0xa6/0xc0 mm/madvise.c:1455
 do_syscall_64+0xfb/0x240
 entry_SYSCALL_64_after_hwframe+0x72/0x7a
RIP: 0033:0x7ff60947dda9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ff60a1b50c8 EFLAGS: 00000246 ORIG_RAX: 000000000000001c
RAX: ffffffffffffffda RBX: 00007ff6095abf80 RCX: 00007ff60947dda9
RDX: 0000000000000014 RSI: 0000000000600000 RDI: 0000000020000000
RBP: 00007ff6094ca47a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007ff6095abf80 R15: 00007fffacd4bc68
 </TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

next             reply	other threads:[~2024-04-02 17:32 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-04-02 17:32 syzbot [this message]
2024-04-03  8:55 ` [syzbot] [mm?] WARNING: bad unlock balance in madvise_cold_or_pageout_pte_range David Hildenbrand
2024-04-03 10:04   ` Ryan Roberts
2024-04-04 10:56 ` syzbot
2024-04-04 11:23   ` Ryan Roberts
2024-04-04 20:35     ` syzbot
2024-04-04 11:44   ` Hillf Danton
2024-04-04 22:19     ` syzbot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=000000000000662a630615207d87@google.com \
    --to=syzbot+c641706ad4e9688cccdf@syzkaller.appspotmail.com \
    --cc=akpm@linux-foundation.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mm@kvack.org \
    --cc=syzkaller-bugs@googlegroups.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.