From: syzbot <syzbot+4c7590f1cee06597e43a@syzkaller.appspotmail.com>
To: hdanton@sina.com, linux-kernel@vger.kernel.org,
	 syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [mm?] KASAN: slab-use-after-free Read in folio_evictable (3)
Date: Fri, 13 Dec 2024 16:31:02 -0800
Message-ID: <675cd1c6.050a0220.37aaf.00ba.GAE@google.com>
In-Reply-To: <20241214001514.734-1-hdanton@sina.com>

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
possible deadlock in __submit_bio

Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k 
======================================================
WARNING: possible circular locking dependency detected
6.13.0-rc2-syzkaller-00232-g4800575d8c0b-dirty #0 Not tainted
------------------------------------------------------
syz-executor/5695 is trying to acquire lock:
ffff888034c21438 (&q->q_usage_counter(io)#37){++++}-{0:0}, at: __submit_bio+0x2c6/0x560 block/blk-core.c:629

but task is already holding lock:
ffffffff8ea35ca0 (fs_reclaim){+.+.}-{0:0}, at: __perform_reclaim mm/page_alloc.c:3924 [inline]
ffffffff8ea35ca0 (fs_reclaim){+.+.}-{0:0}, at: __alloc_pages_direct_reclaim+0xd4/0x3c0 mm/page_alloc.c:3949

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #1 (fs_reclaim){+.+.}-{0:0}:
       lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849
       __fs_reclaim_acquire mm/page_alloc.c:3851 [inline]
       fs_reclaim_acquire+0x88/0x130 mm/page_alloc.c:3865
       might_alloc include/linux/sched/mm.h:318 [inline]
       slab_pre_alloc_hook mm/slub.c:4070 [inline]
       slab_alloc_node mm/slub.c:4148 [inline]
       __do_kmalloc_node mm/slub.c:4297 [inline]
       __kmalloc_node_noprof+0xb2/0x4d0 mm/slub.c:4304
       __kvmalloc_node_noprof+0x72/0x190 mm/util.c:650
       sbitmap_init_node+0x2d4/0x670 lib/sbitmap.c:132
       scsi_realloc_sdev_budget_map+0x2a7/0x460 drivers/scsi/scsi_scan.c:246
       scsi_add_lun drivers/scsi/scsi_scan.c:1106 [inline]
       scsi_probe_and_add_lun+0x3173/0x4bd0 drivers/scsi/scsi_scan.c:1287
       __scsi_add_device+0x228/0x2f0 drivers/scsi/scsi_scan.c:1622
       ata_scsi_scan_host+0x236/0x740 drivers/ata/libata-scsi.c:4575
       async_run_entry_fn+0xa8/0x420 kernel/async.c:129
       process_one_work kernel/workqueue.c:3229 [inline]
       process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310
       worker_thread+0x870/0xd30 kernel/workqueue.c:3391
       kthread+0x2f0/0x390 kernel/kthread.c:389
       ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
       ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

-> #0 (&q->q_usage_counter(io)#37){++++}-{0:0}:
       check_prev_add kernel/locking/lockdep.c:3161 [inline]
       check_prevs_add kernel/locking/lockdep.c:3280 [inline]
       validate_chain+0x18ef/0x5920 kernel/locking/lockdep.c:3904
       __lock_acquire+0x1397/0x2100 kernel/locking/lockdep.c:5226
       lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849
       bio_queue_enter block/blk.h:75 [inline]
       blk_mq_submit_bio+0x1536/0x2390 block/blk-mq.c:3092
       __submit_bio+0x2c6/0x560 block/blk-core.c:629
       __submit_bio_noacct_mq block/blk-core.c:710 [inline]
       submit_bio_noacct_nocheck+0x4d3/0xe30 block/blk-core.c:739
       swap_writepage_bdev_async mm/page_io.c:451 [inline]
       __swap_writepage+0x747/0x14d0 mm/page_io.c:474
       swap_writepage+0x6ee/0xce0 mm/page_io.c:289
       pageout mm/vmscan.c:689 [inline]
       shrink_folio_list+0x3b68/0x5ca0 mm/vmscan.c:1367
       evict_folios+0x3c86/0x5800 mm/vmscan.c:4593
       try_to_shrink_lruvec+0x9a6/0xc70 mm/vmscan.c:4789
       shrink_one+0x3b9/0x850 mm/vmscan.c:4834
       shrink_many mm/vmscan.c:4897 [inline]
       lru_gen_shrink_node mm/vmscan.c:4975 [inline]
       shrink_node+0x37c5/0x3e50 mm/vmscan.c:5956
       shrink_zones mm/vmscan.c:6215 [inline]
       do_try_to_free_pages+0x78c/0x1cf0 mm/vmscan.c:6277
       try_to_free_pages+0x47c/0x1050 mm/vmscan.c:6527
       __perform_reclaim mm/page_alloc.c:3927 [inline]
       __alloc_pages_direct_reclaim+0x178/0x3c0 mm/page_alloc.c:3949
       __alloc_pages_slowpath+0x764/0x1020 mm/page_alloc.c:4380
       __alloc_pages_noprof+0x49b/0x710 mm/page_alloc.c:4764
       alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2269
       folio_alloc_mpol_noprof mm/mempolicy.c:2287 [inline]
       vma_alloc_folio_noprof+0x12e/0x230 mm/mempolicy.c:2317
       folio_prealloc+0x2e/0x170
       alloc_anon_folio mm/memory.c:4752 [inline]
       do_anonymous_page mm/memory.c:4809 [inline]
       do_pte_missing mm/memory.c:3977 [inline]
       handle_pte_fault+0x2c98/0x5ed0 mm/memory.c:5801
       __handle_mm_fault mm/memory.c:5944 [inline]
       handle_mm_fault+0x1106/0x1bb0 mm/memory.c:6112
       do_user_addr_fault arch/x86/mm/fault.c:1338 [inline]
       handle_page_fault arch/x86/mm/fault.c:1481 [inline]
       exc_page_fault+0x459/0x8b0 arch/x86/mm/fault.c:1539
       asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(fs_reclaim);
                               lock(&q->q_usage_counter(io)#37);
                               lock(fs_reclaim);
  rlock(&q->q_usage_counter(io)#37);

 *** DEADLOCK ***

2 locks held by syz-executor/5695:
 #0: ffff888011d6c8e0 (&vma->vm_lock->lock){++++}-{4:4}, at: vma_start_read include/linux/mm.h:716 [inline]
 #0: ffff888011d6c8e0 (&vma->vm_lock->lock){++++}-{4:4}, at: lock_vma_under_rcu+0x34b/0x790 mm/memory.c:6278
 #1: ffffffff8ea35ca0 (fs_reclaim){+.+.}-{0:0}, at: __perform_reclaim mm/page_alloc.c:3924 [inline]
 #1: ffffffff8ea35ca0 (fs_reclaim){+.+.}-{0:0}, at: __alloc_pages_direct_reclaim+0xd4/0x3c0 mm/page_alloc.c:3949

stack backtrace:
CPU: 0 UID: 0 PID: 5695 Comm: syz-executor Not tainted 6.13.0-rc2-syzkaller-00232-g4800575d8c0b-dirty #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_circular_bug+0x13a/0x1b0 kernel/locking/lockdep.c:2074
 check_noncircular+0x36a/0x4a0 kernel/locking/lockdep.c:2206
 check_prev_add kernel/locking/lockdep.c:3161 [inline]
 check_prevs_add kernel/locking/lockdep.c:3280 [inline]
 validate_chain+0x18ef/0x5920 kernel/locking/lockdep.c:3904
 __lock_acquire+0x1397/0x2100 kernel/locking/lockdep.c:5226
 lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849
 bio_queue_enter block/blk.h:75 [inline]
 blk_mq_submit_bio+0x1536/0x2390 block/blk-mq.c:3092
 __submit_bio+0x2c6/0x560 block/blk-core.c:629
 __submit_bio_noacct_mq block/blk-core.c:710 [inline]
 submit_bio_noacct_nocheck+0x4d3/0xe30 block/blk-core.c:739
 swap_writepage_bdev_async mm/page_io.c:451 [inline]
 __swap_writepage+0x747/0x14d0 mm/page_io.c:474
 swap_writepage+0x6ee/0xce0 mm/page_io.c:289
 pageout mm/vmscan.c:689 [inline]
 shrink_folio_list+0x3b68/0x5ca0 mm/vmscan.c:1367
 evict_folios+0x3c86/0x5800 mm/vmscan.c:4593
 try_to_shrink_lruvec+0x9a6/0xc70 mm/vmscan.c:4789
 shrink_one+0x3b9/0x850 mm/vmscan.c:4834
 shrink_many mm/vmscan.c:4897 [inline]
 lru_gen_shrink_node mm/vmscan.c:4975 [inline]
 shrink_node+0x37c5/0x3e50 mm/vmscan.c:5956
 shrink_zones mm/vmscan.c:6215 [inline]
 do_try_to_free_pages+0x78c/0x1cf0 mm/vmscan.c:6277
 try_to_free_pages+0x47c/0x1050 mm/vmscan.c:6527
 __perform_reclaim mm/page_alloc.c:3927 [inline]
 __alloc_pages_direct_reclaim+0x178/0x3c0 mm/page_alloc.c:3949
 __alloc_pages_slowpath+0x764/0x1020 mm/page_alloc.c:4380
 __alloc_pages_noprof+0x49b/0x710 mm/page_alloc.c:4764
 alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2269
 folio_alloc_mpol_noprof mm/mempolicy.c:2287 [inline]
 vma_alloc_folio_noprof+0x12e/0x230 mm/mempolicy.c:2317
 folio_prealloc+0x2e/0x170
 alloc_anon_folio mm/memory.c:4752 [inline]
 do_anonymous_page mm/memory.c:4809 [inline]
 do_pte_missing mm/memory.c:3977 [inline]
 handle_pte_fault+0x2c98/0x5ed0 mm/memory.c:5801
 __handle_mm_fault mm/memory.c:5944 [inline]
 handle_mm_fault+0x1106/0x1bb0 mm/memory.c:6112
 do_user_addr_fault arch/x86/mm/fault.c:1338 [inline]
 handle_page_fault arch/x86/mm/fault.c:1481 [inline]
 exc_page_fault+0x459/0x8b0 arch/x86/mm/fault.c:1539
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
RIP: 0033:0x7fd75394f603
Code: 07 62 e1 7d 28 e7 4f 01 62 e1 7d 28 e7 57 02 62 e1 7d 28 e7 5f 03 62 e1 7d 28 e7 a7 00 10 00 00 62 e1 7d 28 e7 af 20 10 00 00 <62> e1 7d 28 e7 b7 40 10 00 00 62 e1 7d 28 e7 bf 60 10 00 00 48 83
RSP: 002b:00007fff07875f68 EFLAGS: 00010203
RAX: 00007fd74dca2aa8 RBX: 00007fff07876420 RCX: 0000000000000016
RDX: 00000000000014b0 RSI: 00007fd7520325c8 RDI: 00007fd74e170fc0
RBP: 0000000000000020 R08: ffffffffffffffe8 R09: 0000000000000000
R10: 0000000000000be6 R11: 000000000c000000 R12: 00007fd751b64010
R13: 0000000000000020 R14: 0000000000e4da98 R15: 0000000001c9b4c8
 </TASK>


Tested on:

commit:         4800575d Merge tag 'xfs-fixes-6.13-rc3' of git://git.k..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13983be8580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=fee25f93665c89ac
dashboard link: https://syzkaller.appspot.com/bug?extid=4c7590f1cee06597e43a
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1506a4f8580000

