Date: Tue, 3 Jun 2025 11:36:15 -0600
Subject: Re: [syzbot] [mm?]
 kernel BUG in sanity_check_pinned_pages
To: David Hildenbrand, syzbot, akpm@linux-foundation.org, jgg@ziepe.ca, jhubbard@nvidia.com, linux-kernel@vger.kernel.org, linux-mm@kvack.org, peterx@redhat.com, syzkaller-bugs@googlegroups.com, Catalin Marinas
References: <683f1551.050a0220.55ceb.0017.GAE@google.com> <0859bb24-2d98-4420-b0bc-e5a60ba0dedd@redhat.com>
From: Jens Axboe
In-Reply-To: <0859bb24-2d98-4420-b0bc-e5a60ba0dedd@redhat.com>

On 6/3/25 11:25 AM, David Hildenbrand wrote:
> On 03.06.25 19:20, Jens Axboe wrote:
>> On 6/3/25 10:22 AM, David Hildenbrand wrote:
>>> On 03.06.25 17:31, syzbot wrote:
>>>> Hello,
>>>>
>>>> syzbot found the following issue on:
>>>>
>>>> HEAD commit:    d7fa1af5b33e Merge branch 'for-next/core' into for-kernelci
>>>> git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
>>>> console output: https://syzkaller.appspot.com/x/log.txt?x=1457d80c580000
>>>> kernel config:  https://syzkaller.appspot.com/x/.config?x=89c13de706fbf07a
>>>> dashboard link: https://syzkaller.appspot.com/bug?extid=1d335893772467199ab6
>>>> compiler:       Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
>>>> userspace arch: arm64
>>>>
>>>> Unfortunately, I don't have any reproducer for this issue yet.
>>>>
>>>> Downloadable assets:
>>>> disk image: https://storage.googleapis.com/syzbot-assets/da97ad659b2c/disk-d7fa1af5.raw.xz
>>>> vmlinux: https://storage.googleapis.com/syzbot-assets/659e123552a8/vmlinux-d7fa1af5.xz
>>>> kernel image: https://storage.googleapis.com/syzbot-assets/6ec5dbf4643e/Image-d7fa1af5.gz.xz
>>>>
>>>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
>>>> Reported-by: syzbot+1d335893772467199ab6@syzkaller.appspotmail.com
>>>>
>>>> head: ffffffff000001fe 0000000000000028 0000000000000000 0000000000000200
>>>> page dumped because: VM_BUG_ON_PAGE(!PageAnonExclusive(&folio->page) && !PageAnonExclusive(page))
>>>> ------------[ cut here ]------------
>>>> kernel BUG at mm/gup.c:70!
>>>> Internal error: Oops - BUG: 00000000f2000800 [#1]  SMP
>>>> Modules linked in:
>>>>
>>>> CPU: 1 UID: 0 PID: 115 Comm: kworker/u8:4 Not tainted 6.15.0-rc7-syzkaller-gd7fa1af5b33e #0 PREEMPT
>>>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
>>>> Workqueue: iou_exit io_ring_exit_work
>>>> pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
>>>> pc : sanity_check_pinned_pages+0x7cc/0x7d0 mm/gup.c:69
>>>> lr : sanity_check_pinned_pages+0x7cc/0x7d0 mm/gup.c:69
>>>> sp : ffff800097f17640
>>>> x29: ffff800097f17660 x28: dfff800000000000 x27: 1fffffbff87da000
>>>> x26: 05ffc0000002107c x25: 05ffc0000002107c x24: fffffdffc3ed0000
>>>> x23: fffffdffc3ed0000 x22: ffff800097f176e0 x21: 05ffc0000002107c
>>>> x20: 0000000000000000 x19: ffff800097f176e0 x18: 1fffe0003386f276
>>>> x17: 703e2d6f696c6f66 x16: ffff80008adbe9e4 x15: 0000000000000001
>>>> x14: 1fffe0003386f2e2 x13: 0000000000000000 x12: 0000000000000000
>>>> x11: ffff60003386f2e3 x10: 0000000000ff0100 x9 : c8ccd30be98f3f00
>>>> x8 : c8ccd30be98f3f00 x7 : 0000000000000001 x6 : 0000000000000001
>>>> x5 : ffff800097f16d58 x4 : ffff80008f415ba0 x3 : ffff8000807b4b68
>>>> x2 : 0000000000000001 x1 : 0000000100000000 x0 : 0000000000000061
>>>>
>>>> Call trace:
>>>>    sanity_check_pinned_pages+0x7cc/0x7d0 mm/gup.c:69 (P)
>>>>    unpin_user_page+0x80/0x10c mm/gup.c:191
>>>>    io_release_ubuf+0x84/0xf8 io_uring/rsrc.c:113
>>>>    io_buffer_unmap io_uring/rsrc.c:140 [inline]
>>>>    io_free_rsrc_node+0x250/0x57c io_uring/rsrc.c:513
>>>>    io_put_rsrc_node io_uring/rsrc.h:103 [inline]
>>>>    io_rsrc_data_free+0x148/0x298 io_uring/rsrc.c:197
>>>>    io_sqe_buffers_unregister+0x84/0xa0 io_uring/rsrc.c:607
>>>>    io_ring_ctx_free+0x48/0x430 io_uring/io_uring.c:2723
>>>>    io_ring_exit_work+0x6c4/0x73c io_uring/io_uring.c:2962
>>>>    process_one_work+0x7e8/0x156c kernel/workqueue.c:3238
>>>>    process_scheduled_works kernel/workqueue.c:3319 [inline]
>>>>    worker_thread+0x958/0xed8 kernel/workqueue.c:3400
>>>>    kthread+0x5fc/0x75c kernel/kthread.c:464
>>>>    ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:847
>>>> Code: 900523a1 910e0021 aa1703e0 97fff8a9 (d4210000)
>>>> ---[ end trace 0000000000000000 ]---
>>>
>>> So we lost a PAE bit for a pinned folio.
>>>
>>> [   97.640225][  T115] page: refcount:512 mapcount:0 mapping:0000000000000000 index:0x20000 pfn:0x13b400
>>> [   97.640378][  T115] head: order:9 mapcount:511 entire_mapcount:0 nr_pages_mapped:511 pincount:1
>>>
>>> The folio is indeed pinned, and it is PTE-mapped (511 PTEs are mapped).
>>>
>>> The page we are using for unpinning is not mapped (mapcount:0).
>>>
>>> pfn:0x13b400 indicates that the page we are provided is actually the head page (folio->page).
>>>
>>>
>>> [   97.640414][  T115] memcg:ffff0000f36b6000
>>> [   97.640435][  T115] anon flags: 0x5ffc0000002107c(referenced|uptodate|dirty|lru|arch_1|head|swapbacked|node=0|zone=2|lastcpupid=0x7ff)
>>> [   97.640468][  T115] raw: 05ffc0000002107c fffffdffc37be1c8 fffffdffc3d75f08 ffff0000d50c0ee1
>>> [   97.640490][  T115] raw: 0000000000020000 0000000000000000 00000200ffffffff ffff0000f36b6000
>>> [   97.640514][  T115] head: 05ffc0000002107c fffffdffc37be1c8 fffffdffc3d75f08 ffff0000d50c0ee1
>>> [   97.640536][  T115] head: 0000000000020000 0000000000000000 00000200ffffffff ffff0000f36b6000
>>> [   97.640559][  T115] head: 05ffc00000010a09 fffffdffc3ed0001 000001ff000001fe 00000001ffffffff
>>> [   97.640581][  T115] head: ffffffff000001fe 0000000000000028 0000000000000000 0000000000000200
>>> [   97.640600][  T115] page dumped because: VM_BUG_ON_PAGE(!PageAnonExclusive(&folio->page) && !PageAnonExclusive(page))
>>>
>>> So we effectively only test the head page. Here we don't have the bit
>>> set for that page.
>>>
>>>
>>> In gup_fast() we perform a similar sanity check, which didn't trigger
>>> at the time we pinned the folio. io_uring ends up calling
>>> io_pin_pages() where we call pin_user_pages_fast(), so GUP-fast might
>>> indeed trigger.
>>>
>>>
>>> What could trigger this (in weird scenarios, though) is if we used
>>> pin_user_page() to obtain a page, then did folio = page_folio(page)
>>> and called unpin_user_page(&folio->page) instead of using
>>> unpin_folio(). Or using any other page that we didn't pin. It would be
>>> a corner case, though.
>>>
>>> Staring at io_release_ubuf(), that's also not immediately what's
>>> happening.
>>>
>>> There is this coalescing code in
>>> io_sqe_buffer_register()->io_check_coalesce_buffer(), maybe ...
>>> something is going wrong there?
>>>
>>>
>>>
>>> Otherwise, I could only envision (a) some random memory overwrite
>>> clearing the bit or (b) some weird race between GUP-fast and PAE
>>> clearing that we didn't run into so far. But these sanity checks have
>>> been around for a loooong time at this point.
>>>
>>> Unfortunately, no reproducer :(
>>
>> Too bad there's no reproducer... Since this looks recent, I'd suspect
>> the recent changes there. Most notably:
>>
>> commit f446c6311e86618a1f81eb576b56a6266307238f
>> Author: Jens Axboe
>> Date:   Mon May 12 09:06:06 2025 -0600
>>
>>      io_uring/memmap: don't use page_address() on a highmem page
>>
>> which seems a bit odd, as this is arm64 and there'd be no highmem. This
>> went into the 6.15 kernel release. Let's hope a reproducer is
>> forthcoming.
>
> Yeah, that does not really look problematic.
>
> Interestingly, this was found in
>
>     git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
>
> Hm.

Yep, pulled that into 6.15 as released, and got a few mm/ changes in
there. So perhaps related?

-- 
Jens Axboe