From: Jens Axboe
To: David Hildenbrand, syzbot, akpm@linux-foundation.org, jgg@ziepe.ca, jhubbard@nvidia.com, linux-kernel@vger.kernel.org, linux-mm@kvack.org, peterx@redhat.com, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [mm?] kernel BUG in sanity_check_pinned_pages
Date: Tue, 3 Jun 2025 11:20:23 -0600
References: <683f1551.050a0220.55ceb.0017.GAE@google.com>

On 6/3/25 10:22 AM, David Hildenbrand wrote:
> On 03.06.25 17:31, syzbot wrote:
>> Hello,
>>
>> syzbot found the following issue on:
>>
>> HEAD commit:    d7fa1af5b33e Merge branch 'for-next/core' into for-kernelci
>> git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
>> console output: https://syzkaller.appspot.com/x/log.txt?x=1457d80c580000
>> kernel config:  https://syzkaller.appspot.com/x/.config?x=89c13de706fbf07a
>> dashboard link: https://syzkaller.appspot.com/bug?extid=1d335893772467199ab6
>> compiler:       Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
>> userspace arch: arm64
>>
>> Unfortunately, I don't have any reproducer for this issue yet.
>>
>> Downloadable assets:
>> disk image: https://storage.googleapis.com/syzbot-assets/da97ad659b2c/disk-d7fa1af5.raw.xz
>> vmlinux: https://storage.googleapis.com/syzbot-assets/659e123552a8/vmlinux-d7fa1af5.xz
>> kernel image: https://storage.googleapis.com/syzbot-assets/6ec5dbf4643e/Image-d7fa1af5.gz.xz
>>
>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
>> Reported-by: syzbot+1d335893772467199ab6@syzkaller.appspotmail.com
>>
>> head: ffffffff000001fe 0000000000000028 0000000000000000 0000000000000200
>> page dumped because: VM_BUG_ON_PAGE(!PageAnonExclusive(&folio->page) && !PageAnonExclusive(page))
>> ------------[ cut here ]------------
>> kernel BUG at mm/gup.c:70!
>> Internal error: Oops - BUG: 00000000f2000800 [#1] SMP
>> Modules linked in:
>>
>> CPU: 1 UID: 0 PID: 115 Comm: kworker/u8:4 Not tainted 6.15.0-rc7-syzkaller-gd7fa1af5b33e #0 PREEMPT
>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
>> Workqueue: iou_exit io_ring_exit_work
>> pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
>> pc : sanity_check_pinned_pages+0x7cc/0x7d0 mm/gup.c:69
>> lr : sanity_check_pinned_pages+0x7cc/0x7d0 mm/gup.c:69
>> sp : ffff800097f17640
>> x29: ffff800097f17660 x28: dfff800000000000 x27: 1fffffbff87da000
>> x26: 05ffc0000002107c x25: 05ffc0000002107c x24: fffffdffc3ed0000
>> x23: fffffdffc3ed0000 x22: ffff800097f176e0 x21: 05ffc0000002107c
>> x20: 0000000000000000 x19: ffff800097f176e0 x18: 1fffe0003386f276
>> x17: 703e2d6f696c6f66 x16: ffff80008adbe9e4 x15: 0000000000000001
>> x14: 1fffe0003386f2e2 x13: 0000000000000000 x12: 0000000000000000
>> x11: ffff60003386f2e3 x10: 0000000000ff0100 x9 : c8ccd30be98f3f00
>> x8 : c8ccd30be98f3f00 x7 : 0000000000000001 x6 : 0000000000000001
>> x5 : ffff800097f16d58 x4 : ffff80008f415ba0 x3 : ffff8000807b4b68
>> x2 : 0000000000000001 x1 : 0000000100000000 x0 : 0000000000000061
>> Call trace:
>>  sanity_check_pinned_pages+0x7cc/0x7d0 mm/gup.c:69 (P)
>>  unpin_user_page+0x80/0x10c mm/gup.c:191
>>  io_release_ubuf+0x84/0xf8 io_uring/rsrc.c:113
>>  io_buffer_unmap io_uring/rsrc.c:140 [inline]
>>  io_free_rsrc_node+0x250/0x57c io_uring/rsrc.c:513
>>  io_put_rsrc_node io_uring/rsrc.h:103 [inline]
>>  io_rsrc_data_free+0x148/0x298 io_uring/rsrc.c:197
>>  io_sqe_buffers_unregister+0x84/0xa0 io_uring/rsrc.c:607
>>  io_ring_ctx_free+0x48/0x430 io_uring/io_uring.c:2723
>>  io_ring_exit_work+0x6c4/0x73c io_uring/io_uring.c:2962
>>  process_one_work+0x7e8/0x156c kernel/workqueue.c:3238
>>  process_scheduled_works kernel/workqueue.c:3319 [inline]
>>  worker_thread+0x958/0xed8 kernel/workqueue.c:3400
>>  kthread+0x5fc/0x75c kernel/kthread.c:464
>>  ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:847
>> Code: 900523a1 910e0021 aa1703e0 97fff8a9 (d4210000)
>> ---[ end trace 0000000000000000 ]---
>
> So we lost a PAE bit for a pinned folio.
>
> [   97.640225][  T115] page: refcount:512 mapcount:0 mapping:0000000000000000 index:0x20000 pfn:0x13b400
> [   97.640378][  T115] head: order:9 mapcount:511 entire_mapcount:0 nr_pages_mapped:511 pincount:1
>
> The folio is indeed pinned, and it is PTE-mapped (511 PTEs are mapped).
>
> The page we are using for unpinning is not mapped (mapcount:0).
>
> pfn:0x13b400 indicates that the page we are provided is actually the head page (folio->page).
>
> [   97.640414][  T115] memcg:ffff0000f36b6000
> [   97.640435][  T115] anon flags: 0x5ffc0000002107c(referenced|uptodate|dirty|lru|arch_1|head|swapbacked|node=0|zone=2|lastcpupid=0x7ff)
> [   97.640468][  T115] raw: 05ffc0000002107c fffffdffc37be1c8 fffffdffc3d75f08 ffff0000d50c0ee1
> [   97.640490][  T115] raw: 0000000000020000 0000000000000000 00000200ffffffff ffff0000f36b6000
> [   97.640514][  T115] head: 05ffc0000002107c fffffdffc37be1c8 fffffdffc3d75f08 ffff0000d50c0ee1
> [   97.640536][  T115] head: 0000000000020000 0000000000000000 00000200ffffffff ffff0000f36b6000
> [   97.640559][  T115] head: 05ffc00000010a09 fffffdffc3ed0001 000001ff000001fe 00000001ffffffff
> [   97.640581][  T115] head: ffffffff000001fe 0000000000000028 0000000000000000 0000000000000200
> [   97.640600][  T115] page dumped because: VM_BUG_ON_PAGE(!PageAnonExclusive(&folio->page) && !PageAnonExclusive(page))
>
> So we effectively only test the head page. Here we don't have the bit
> set for that page.
>
> In gup_fast() we perform a similar sanity check, which didn't trigger
> at the time we pinned the folio. io_uring ends up calling
> io_pin_pages() where we call pin_user_pages_fast(), so GUP-fast might
> indeed trigger.
>
> What could trigger this (in weird scenarios, though) is if we used
> pin_user_page() to obtain a page, then did folio = page_folio(page)
> and called unpin_user_page(&folio->page) instead of using
> unpin_folio(). Or using any other page that we didn't pin. It would be
> a corner case, though.
>
> Staring at io_release_ubuf(), that's also not immediately what's
> happening.
>
> There is this coalescing code in
> io_sqe_buffer_register()->io_check_coalesce_buffer(), maybe ...
> something is going wrong there?
>
> Otherwise, I could only envision (a) some random memory overwrite
> clearing the bit or (b) some weird race between GUP-fast and PAE
> clearing that we didn't run into so far. But these sanity checks have
> been around for a loooong time at this point.
>
> Unfortunately, no reproducer :(

Too bad there's no reproducer... Since this looks recent, I'd suspect the
recent changes there. Most notably:

commit f446c6311e86618a1f81eb576b56a6266307238f
Author: Jens Axboe
Date:   Mon May 12 09:06:06 2025 -0600

    io_uring/memmap: don't use page_address() on a highmem page

which seems a bit odd, as this is arm64 and there'd be no highmem. This
went into the 6.15 kernel release.

Let's hope a reproducer is forthcoming.

-- 
Jens Axboe
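As an added illustration of the corner case discussed in the thread (this is constructed userspace model code, not code from the thread, from mm/gup.c or from io_uring), the block below models the predicate behind the VM_BUG_ON_PAGE that fired: the unpin is accepted only if the folio's head page or the page handed to unpin_user_page() still carries the anon-exclusive (PAE) bit. It assumes, as a modelling simplification, that a PTE-mapped anon folio carries PAE on each mapped subpage and a PMD-mapped one carries it only on the head, and that unpin_folio() skips the per-page check. The struct layouts and every function name ending in `_model` or starting with `unpin_via_`/`make_` are hypothetical names introduced here. It recreates the page dump from the report (order-9 folio, 511 subpages mapped, head page unmapped, pincount 1) and shows which release paths pass or would BUG.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed userspace model; not kernel code. The order-9 folio, the head
 * page and the per-page anon-exclusive (PAE) flag are plain structs here. */

#define FOLIO_ORDER 9
#define FOLIO_PAGES (1u << FOLIO_ORDER)   /* 512 pages, as in the dump */

struct page {
    bool anon_exclusive;   /* stands in for PageAnonExclusive(page) */
    bool mapped;           /* a PTE maps this subpage */
};

struct folio {
    struct page page[FOLIO_PAGES];  /* page[0] plays the role of folio->page */
    unsigned int pincount;
};

/* The predicate behind VM_BUG_ON_PAGE(!PageAnonExclusive(&folio->page) &&
 * !PageAnonExclusive(page)): accept if either the head page or the page
 * being unpinned carries PAE. Returns false where the kernel would BUG. */
static bool sanity_check_pinned_page(const struct folio *folio, const struct page *page)
{
    return folio->page[0].anon_exclusive || page->anon_exclusive;
}

/* Model of unpin_user_page(): run the sanity check, then drop the pin. */
static bool unpin_user_page_model(struct folio *folio, struct page *page)
{
    if (!sanity_check_pinned_page(folio, page))
        return false;   /* kernel: "kernel BUG at mm/gup.c:70!" */
    folio->pincount--;
    return true;
}

/* Model of unpin_folio(): folio-level release, no per-page PAE check
 * (modelling assumption). */
static bool unpin_folio_model(struct folio *folio)
{
    if (folio->pincount == 0)
        return false;
    folio->pincount--;
    return true;
}

/* Recreate the page dump: PTE-mapped anon folio, 511 subpages mapped, head
 * page unmapped (mapcount:0), pincount 1. With PTE mappings PAE sits on each
 * mapped subpage, so the unmapped head carries none (assumption). */
static void make_pte_mapped_folio(struct folio *f)
{
    for (size_t i = 0; i < FOLIO_PAGES; i++) {
        f->page[i].mapped = (i != 0);
        f->page[i].anon_exclusive = (i != 0);
    }
    f->pincount = 1;
}

/* For contrast: a PMD-mapped folio keeps a single PAE bit on the head (assumption). */
static void make_pmd_mapped_folio(struct folio *f)
{
    for (size_t i = 0; i < FOLIO_PAGES; i++) {
        f->page[i].mapped = true;
        f->page[i].anon_exclusive = (i == 0);
    }
    f->pincount = 1;
}

/* Scenario A: unpin the very subpage pin_user_pages() handed out. */
int unpin_via_pinned_subpage(void)
{
    static struct folio f;
    make_pte_mapped_folio(&f);
    return unpin_user_page_model(&f, &f.page[5]) ? 1 : 0;
}

/* Scenario B: the corner case from the thread: folio = page_folio(page),
 * then unpin_user_page(&folio->page). The head is unmapped and has no PAE. */
int unpin_via_head_page(void)
{
    static struct folio f;
    make_pte_mapped_folio(&f);
    return unpin_user_page_model(&f, &f.page[0]) ? 1 : 0;
}

/* Scenario C: same folio, released through the folio-level API instead. */
int unpin_via_unpin_folio(void)
{
    static struct folio f;
    make_pte_mapped_folio(&f);
    return unpin_folio_model(&f) ? 1 : 0;
}

/* Scenario D: PMD-mapped folio; the head-page half of the check covers any subpage. */
int unpin_pmd_mapped_subpage(void)
{
    static struct folio f;
    make_pmd_mapped_folio(&f);
    return unpin_user_page_model(&f, &f.page[5]) ? 1 : 0;
}

int main(void)
{
    printf("PTE-mapped, unpin pinned subpage: %s\n", unpin_via_pinned_subpage() ? "ok" : "BUG");
    printf("PTE-mapped, unpin &folio->page:   %s\n", unpin_via_head_page() ? "ok" : "BUG");
    printf("PTE-mapped, unpin_folio():        %s\n", unpin_via_unpin_folio() ? "ok" : "BUG");
    printf("PMD-mapped, unpin subpage:        %s\n", unpin_pmd_mapped_subpage() ? "ok" : "BUG");
    return 0;
}
```

Scenario B is the only one that fails, which is why the thread singles out unpinning via `&folio->page` on a PTE-mapped folio whose head page is not mapped: the head half of the check cannot rescue it, and the page half tests that same unmapped head. Scenario D shows why the check reads both bits at all.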