From: Catalin Marinas <catalin.marinas@arm.com>
To: Magnus Karlsson <magnus.karlsson@gmail.com>
Cc: "Daniel Borkmann" <daniel@iogearbox.net>,
kirill.shutemov@linux.intel.com, justin.he@arm.com,
linux-mm@kvack.org,
syzbot <syzbot+9301f2f33873407d5b33@syzkaller.appspotmail.com>,
"Andrii Nakryiko" <andriin@fb.com>,
"Alexei Starovoitov" <ast@kernel.org>,
"Björn Töpel" <bjorn.topel@intel.com>, bpf <bpf@vger.kernel.org>,
"David S. Miller" <davem@davemloft.net>,
hawk@kernel.org, "Jakub Kicinski" <jakub.kicinski@netronome.com>,
"John Fastabend" <john.fastabend@gmail.com>,
"Jonathan Lemon" <jonathan.lemon@gmail.com>,
"Martin KaFai Lau" <kafai@fb.com>,
linux-kernel@vger.kernel.org,
"Karlsson, Magnus" <magnus.karlsson@intel.com>,
"Network Development" <netdev@vger.kernel.org>,
"Song Liu" <songliubraving@fb.com>,
syzkaller-bugs@googlegroups.com, "Yonghong Song" <yhs@fb.com>
Subject: Re: WARNING in wp_page_copy
Date: Tue, 17 Dec 2019 22:38:09 +0000
Message-ID: <20191217223808.GA14982@mbp>
In-Reply-To: <CAJ8uoz3yDK8sEE05cKA8siBi-Dc0wtbe1-zYgbz_-pd5t69j8w@mail.gmail.com>

On Tue, Dec 17, 2019 at 04:57:34PM +0100, Magnus Karlsson wrote:
> On Tue, Dec 17, 2019 at 4:40 PM Catalin Marinas <catalin.marinas@arm.com> wrote:
> > On Tue, Dec 17, 2019 at 02:27:22PM +0100, Magnus Karlsson wrote:
> > > On Mon, Dec 16, 2019 at 4:10 PM Magnus Karlsson
> > > <magnus.karlsson@gmail.com> wrote:
> > > > On Mon, Dec 16, 2019 at 4:00 PM Daniel Borkmann <daniel@iogearbox.net> wrote:
> > > > > On Sat, Dec 14, 2019 at 08:20:07AM -0800, syzbot wrote:
> > > > > > syzbot has found a reproducer for the following crash on:
> > > > > >
> > > > > > HEAD commit: 1d1997db Revert "nfp: abm: fix memory leak in nfp_abm_u32_..
> > > > > > git tree: net-next
> > > > > > console output: https://syzkaller.appspot.com/x/log.txt?x=1029f851e00000
> > > > > > kernel config: https://syzkaller.appspot.com/x/.config?x=cef1fd5032faee91
> > > > > > dashboard link: https://syzkaller.appspot.com/bug?extid=9301f2f33873407d5b33
> > > > > > compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> > > > > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=119d9fb1e00000
> > > > > >
> > > > > > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > > > > > Reported-by: syzbot+9301f2f33873407d5b33@syzkaller.appspotmail.com
> > > > >
> > > > > Bjorn / Magnus, given xsk below, PTAL, thanks!
> > > >
> > > > Thanks. I will take a look at it right away.
> > > >
> > > > /Magnus
> > >
> > > After looking through the syzkaller report, I have the following
> > > hypothesis that would dearly need some comments from MM-savvy people
> > > out there. Syzkaller creates, using mmap, a memory area that is
> >
> > I guess that's not an anonymous mmap() since we don't seem to have a
> > struct page for src in cow_user_page() (the WARN_ON_ONCE path). Do you
> > have more information on the mmap() call?
>
> I have this from the syzkaller logs:
>
> mmap(&(0x7f0000001000/0x2000)=nil, 0x2000, 0xfffffe, 0x12, r8, 0x0)
> getsockopt$XDP_MMAP_OFFSETS(r8, 0x11b, 0x7, &(0x7f0000001300),
> &(0x7f0000000100)=0x60)
>
> The full log can be found at:
> https://syzkaller.appspot.com/x/repro.syz?x=119d9fb1e00000

Thanks. Prior to mmap, we have:

r8 = socket$xdp(0x2c, 0x3, 0x0)

So basically we have an mmap() on a socket descriptor with a subsequent
copy_to_user() writing this range. Why do we even end up doing CoW on
such a mapping? Maybe the socket code should also implement the .fault()
file op. It needs more digging.

--
Catalin
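
The following is an added example, not part of the message above and not kernel or syzkaller code: a small C decoder for the two syzkaller program lines quoted in the thread, using the generic Linux UAPI values for the mmap and socket constants. It shows that flags 0x12 decodes to MAP_PRIVATE|MAP_FIXED on an AF_XDP socket fd, the mapping type for which a write fault copies the page, and that prot 0xfffffe sets PROT_WRITE but not PROT_READ. The names triage_prog and struct triage are hypothetical.

```c
#include <stdio.h>

/* Generic Linux UAPI values (as used on x86-64 and arm64); hardcoded so the
 * decoder gives the same answer on any host. Names are local to this example. */
enum { PROT_R = 0x1, PROT_W = 0x2, MAP_SH = 0x01, MAP_PRIV = 0x02,
       MAP_FIX = 0x10, MAP_ANON_ = 0x20, FAM_XDP = 0x2c /* AF_XDP = 44 */ };

struct triage {
    int xdp_fd;     /* mmap() fd is the resource created by socket$xdp(AF_XDP) */
    int priv;       /* MAP_PRIVATE: a write fault copies the page (CoW) */
    int fd_backed;  /* no MAP_ANONYMOUS: pages come from the fd's mmap handler */
    int fixed;      /* MAP_FIXED */
    int writable;   /* PROT_WRITE requested */
    int readable;   /* PROT_READ requested */
};

/* Decode one socket$xdp line and one mmap line of a syzkaller program.
 * Returns 0 on success, -1 if either line does not parse. */
int triage_prog(const char *sock_line, const char *mmap_line, struct triage *t)
{
    unsigned long fam, type, proto, addr, alen, len, prot, flags, off;
    int rsock, rmap;

    if (sscanf(sock_line, " r%d = socket$xdp(%lx, %lx, %lx)",
               &rsock, &fam, &type, &proto) != 4)
        return -1;
    if (sscanf(mmap_line, " mmap(&(%lx/%lx)=nil, %lx, %lx, %lx, r%d, %lx)",
               &addr, &alen, &len, &prot, &flags, &rmap, &off) != 7)
        return -1;

    t->xdp_fd    = (rsock == rmap) && (fam == FAM_XDP);
    t->priv      = (flags & MAP_PRIV) != 0;
    t->fd_backed = (flags & MAP_ANON_) == 0;
    t->fixed     = (flags & MAP_FIX) != 0;
    t->writable  = (prot & PROT_W) != 0;
    t->readable  = (prot & PROT_R) != 0;
    return 0;
}

int main(void)
{
    struct triage t;
    /* The two program lines quoted in the thread. */
    if (triage_prog("r8 = socket$xdp(0x2c, 0x3, 0x0)",
            "mmap(&(0x7f0000001000/0x2000)=nil, 0x2000, 0xfffffe, 0x12, r8, 0x0)", &t))
        return 1;
    printf("xdp_fd=%d private=%d fd_backed=%d fixed=%d writable=%d readable=%d\n",
           t.xdp_fd, t.priv, t.fd_backed, t.fixed, t.writable, t.readable);
    return 0;
}
```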