Date: Mon, 18 Mar 2024 17:09:17 -0400
From: Johannes Weiner
To: Yosry Ahmed
Cc: Nhat Pham, syzbot, akpm@linux-foundation.org, chengming.zhou@linux.dev, linux-kernel@vger.kernel.org, linux-mm@kvack.org, syzkaller-bugs@googlegroups.com, Barry Song
Subject: Re: [syzbot] [mm?] kernel BUG in sg_init_one
Message-ID: <20240318210917.GA4210@cmpxchg.org>
References: <000000000000bbb3d80613f243a6@google.com>

On Mon, Mar 18, 2024 at 01:17:19PM -0700, Yosry Ahmed wrote:
> On Mon, Mar 18, 2024 at 11:00 AM Nhat Pham wrote:
> >
> > On Mon, Mar 18, 2024 at 9:58 AM syzbot wrote:
> > >
> > > Hello,
> > >
> > > syzbot found the following issue on:
> > >
> > > HEAD commit: e5eb28f6d1af Merge tag 'mm-nonmm-stable-2024-03-14-09-36' ..
> > > git tree: upstream
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=13043abe180000
> > > kernel config: https://syzkaller.appspot.com/x/.config?x=19bb57c23dffc38e
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=adbc983a1588b7805de3
> > > compiler: arm-linux-gnueabi-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> > > userspace arch: arm
> > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1706d231180000
> > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13ba7959180000
> > >
> > > Downloadable assets:
> > > disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/8ead8862021c/non_bootable_disk-e5eb28f6.raw.xz
> > > vmlinux: https://storage.googleapis.com/syzbot-assets/0a7371c63ff2/vmlinux-e5eb28f6.xz
> > > kernel image: https://storage.googleapis.com/syzbot-assets/7539441b4add/zImage-e5eb28f6.xz
> > >
> > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > Reported-by: syzbot+adbc983a1588b7805de3@syzkaller.appspotmail.com
> > >
> > > ------------[ cut here ]------------
> > > kernel BUG at include/linux/scatterlist.h:187!
> >
> > Looks like the provided buffer is invalid:
> >
> > #ifdef CONFIG_DEBUG_SG
> >         BUG_ON(!virt_addr_valid(buf));
> > #endif
> >
> > which is "src" from:
> >
> > sg_init_one(&input, src, entry->length);
> >
> > Looking at the surrounding code and recent history, there's this
> > commit that stands out:
> >
> > mm/zswap: remove the memcpy if acomp is not sleepable
> > (sha: 270700dd06ca41a4779c19eb46608f076bb7d40e)
> >
> > which has the effect of, IIUC, using the zpool mapped memory directly
> > as src, instead of acomp_ctx->buffer (which was previously the case,
> > as zsmalloc was not sleepable).
> >
> > This might not necessarily be a bug with that commit itself, but might
> > have revealed another bug elsewhere.
> >
> > Anyway, cc-ing the author, Barry Song, to fact check me :) Will take a
> > closer look later.
>
> I am not a highmem expert, but the reproducer has CONFIG_HIGHMEM=y,
> and it seems like zs_map_object() may return a highmem address if the
> compressed object is entirely in a single page to avoid copying to a
> buffer:
>
> if (off + class->size <= PAGE_SIZE) {
>         /* this object is contained entirely within a page */
>         area->vm_addr = kmap_atomic(page);
>         ret = area->vm_addr + off;
>         goto out;
> }
>
> The virt_addr_valid() check seems to indicate that we expect a direct
> map address in sg_init_one(), right?

If the page is highmem, kmap_atomic() establishes a temporary mapping
to it in the direct map, such that we have a legit kernel pointer to
the memory. Otherwise the memcpy() in zswap also wouldn't work...

Am I missing something?