Subject: Re: mm: BUG in resv_map_release
From: Mike Kravetz
Date: Thu, 23 Mar 2017 11:02:22 -0700
Message-ID: <888af92c-1d20-d9f4-a425-c720d1179756@oracle.com>
To: Dmitry Vyukov, nyc@holomorphy.com, Andrew Morton, Michal Hocko, "Kirill A. Shutemov", Andrea Arcangeli, linux-mm@kvack.org, LKML, Andrey Ryabinin

On 03/23/2017 10:25 AM, Mike Kravetz wrote:
> On 03/23/2017 03:19 AM, Dmitry Vyukov wrote:
>> Hello,
>>
>> I've got the following BUG while running syzkaller fuzzer.
>> Note the injected kmalloc failure, most likely it's the root cause.
>
> Thanks Dmitry,
>
> The BUG indicates someone called region_chg() in the process of adding
> a hugetlbfs page reservation, but did not complete this 'two step'
> process with a call to region_add() or region_abort(). Most likely a
> missed call in an error path somewhere. :(
>
> I'll try to track this down. The hint of 'injected kmalloc failure'
> should help.

Actually, in this case I believe the bug is in hugetlb_reserve_pages.
It calls region_chg(), but gets an error due to the injected kmalloc
failure. At this point, the resv_map->adds_in_progress is 0 as it
should be.
However, the error path for hugetlb_reserve_pages calls region_abort()
which will unconditionally decrement adds_in_progress. So,
adds_in_progress goes negative and we eventually BUG. :(

I'll look for other misuses of region_chg()/region_add()/region_abort()
and put together a patch.

Dmitry, is there some way to run the fuzzer with kmalloc failure
injection and target the hugetlbfs code? I suspect we could flush out
other bugs. I noticed one other you discovered, and will look at that
next.

-- 
Mike Kravetz
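The failure mode described in the mail, as an added example that is not part of the thread and not kernel code: a toy model of the resv_map two-step protocol in which region_chg() can fail (a flag stands in for the injected kmalloc failure), region_abort() unconditionally decrements adds_in_progress, and a caller modelled on hugetlb_reserve_pages is shown both with the unconditional abort on its error path and with the abort restricted to a region_chg() that actually succeeded. The function names mirror the kernel's for readability, but the bodies, the resv_map layout, the fail_later parameter and the release-time check are assumptions of this example, not the real implementation.

```c
/* Toy model of the hugetlb reservation-map two-step protocol.
 * Added example, not kernel code: there is no real region list here,
 * only the adds_in_progress counter and a fault-injection switch that
 * stands in for a failed kmalloc() inside region_chg(). */
#include <stdbool.h>
#include <stdio.h>

#define ENOMEM 12

struct resv_map {
    long adds_in_progress;  /* region_chg() calls not yet paired with add/abort */
    long reserved;          /* toy stand-in for the reserved-region list */
};

/* When set, region_chg() behaves as if its allocation failed. */
static bool inject_kmalloc_failure;

/* Step 1: examine the range and prepare for the add. On success the
 * caller owes exactly one region_add() or region_abort(); on failure
 * it owes nothing, and adds_in_progress is deliberately left alone. */
static long region_chg(struct resv_map *resv, long f, long t)
{
    if (inject_kmalloc_failure)
        return -ENOMEM;
    resv->adds_in_progress++;
    return t - f;           /* pages that would be newly reserved */
}

/* Step 2a: commit the reservation prepared by region_chg(). */
static long region_add(struct resv_map *resv, long f, long t)
{
    resv->adds_in_progress--;
    resv->reserved += t - f;
    return t - f;
}

/* Step 2b: back out of a successful region_chg(). It decrements
 * unconditionally, which is exactly why calling it after a *failed*
 * region_chg() drives the counter negative. */
static void region_abort(struct resv_map *resv)
{
    resv->adds_in_progress--;
}

/* Caller modelled on the error path the mail describes: every failure
 * funnels through region_abort(), including failure of region_chg() itself.
 * fail_later (an assumption of this example) models some later failure. */
static long reserve_pages_buggy(struct resv_map *resv, long f, long t,
                                bool fail_later)
{
    long chg = region_chg(resv, f, t);
    if (chg < 0)
        goto out_err;       /* BUG: nothing was prepared, nothing to abort */
    if (fail_later)
        goto out_err;
    return region_add(resv, f, t);
out_err:
    region_abort(resv);
    return -1;
}

/* Corrected caller: only undo a region_chg() that actually succeeded. */
static long reserve_pages_fixed(struct resv_map *resv, long f, long t,
                                bool fail_later)
{
    long chg = region_chg(resv, f, t);
    if (chg < 0)
        return chg;         /* region_chg() owes nothing; just report it */
    if (fail_later) {
        region_abort(resv);
        return -1;
    }
    return region_add(resv, f, t);
}

/* Stand-in for the sanity check at map teardown: no add may still be in
 * flight (and the counter must never have gone negative). */
static bool resv_map_release_ok(const struct resv_map *resv)
{
    return resv->adds_in_progress == 0;
}

/* Run one caller through a scenario and return adds_in_progress afterwards. */
static long run_scenario(bool buggy, bool fail_chg, bool fail_later)
{
    struct resv_map resv = { 0, 0 };
    inject_kmalloc_failure = fail_chg;
    if (buggy)
        reserve_pages_buggy(&resv, 0, 4, fail_later);
    else
        reserve_pages_fixed(&resv, 0, 4, fail_later);
    inject_kmalloc_failure = false;
    return resv.adds_in_progress;
}

int main(void)
{
    struct resv_map bad = { run_scenario(true, true, false), 0 };
    struct resv_map good = { run_scenario(false, true, false), 0 };
    printf("buggy caller after failed region_chg: adds_in_progress=%ld, release ok=%d\n",
           bad.adds_in_progress, resv_map_release_ok(&bad));
    printf("fixed caller after failed region_chg: adds_in_progress=%ld, release ok=%d\n",
           good.adds_in_progress, resv_map_release_ok(&good));
    return 0;
}
```

The point to carry over to real code review: a two-phase API in which phase two "undoes" phase one needs an error path that distinguishes "phase one failed" from "phase one succeeded, something later failed"; only the second case owes the undo call.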