From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-il1-f198.google.com (mail-il1-f198.google.com [209.85.166.198]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 699351A706F for ; Mon, 30 Dec 2024 11:08:05 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.166.198 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1735556888; cv=none; b=DBRHyquiTcTdXFyFlxyOJQfupCAxFyjVT0Ej3gvwBjjwZbAsChIFk3sRB1SP3PuzqNysAhJrYQ/mcoVWPKbuck/lYkF6cWG/7PjK4SvwULm+LPzH7GrSpJ/+h3PVGhmgz9hm78q4HdC5brMZ6CzU+ZCbWICxePJeNlczofvo3vs= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1735556888; c=relaxed/simple; bh=d0grxwmd7z+LDHlJr8o4ngqy78mC6mlf9lpsE1Xwdi8=; h=MIME-Version:Date:In-Reply-To:Message-ID:Subject:From:To: Content-Type; b=ga5me0/m6927gejj4cQvhwAT5VoVh+xZhz4ILC1e0Nl36ndBotkxf9zSrGDeMyxs93+BcJmglnn4OvpY0FCxnzUxMae968GDuVO6pQgYCFJflGd78QqNhLGI40+ZJ1zF/TExzC8tTZqrhw6I7n79mhlryNTzUoBN4w2g1R9wO3o= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=fail (p=none dis=none) header.from=syzkaller.appspotmail.com; spf=pass smtp.mailfrom=M3KW2WVRGUFZ5GODRSRYTGD7.apphosting.bounces.google.com; arc=none smtp.client-ip=209.85.166.198 Authentication-Results: smtp.subspace.kernel.org; dmarc=fail (p=none dis=none) header.from=syzkaller.appspotmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=M3KW2WVRGUFZ5GODRSRYTGD7.apphosting.bounces.google.com Received: by mail-il1-f198.google.com with SMTP id e9e14a558f8ab-3ab68717b73so86897425ab.2 for ; Mon, 30 Dec 2024 03:08:05 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1735556884; x=1736161684; h=to:from:subject:message-id:in-reply-to:date:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=w8W+fL2K/T9ePKEbuBwegGHwOTrSqY+Dvlc0udbaT7o=; b=eZnAhLYSVveVRU6zq7iJS+gKtB6nKcypE5aU216nmyEpgZ4VTZfgzsklar6g93Biuk klj/iP/BvMe0671DixYhK2Zn0PxC5GLuCf2m0jtFB/dcUoNt6hbr7LuYcdLqw5yCRaDi Y0YoSTVx71tgrcpt2rQaM1jiwe3RDpEmbTQ80CIcLVvgojmtFykpBva4fPrKbi7Geoui nFla/dZ7X1+stQ6jVuGwpJhqzJEwzA9xuH6iXCARBdhvQ+he58qitGGnA1k2CA7MGcIC envuC72o0yFOo4Q8sxyQZODM5UTInQfMLGJM6TCFOTlcWbBM+N7utRoL732fG9dvof7F WiLA== X-Forwarded-Encrypted: i=1; AJvYcCXOImU4RO0ZBDOp/amdvuIJo+bKC1kBG4eOUlNrzZuQrno6KUlyXRDJ1hvsxUxzO1fGBZMFdyh3PU75Puw=@vger.kernel.org X-Gm-Message-State: AOJu0YyT8GvhUzR08gYhiuMvXStxNWWDKsz/obJS7c2WxXap9muhtK1F 5BNaGVQBWuSItxuokBhfGiqWSOFriXe721hVeMyn5gtgBmVbpiIQ77O2r8FkqRAwC8oHm0JWpvp gg1kgKlHx7GrZnmPJVDzR0c+8wwf5ChyZ8DyIN4ZTI1YYppPIcHySdXg= X-Google-Smtp-Source: AGHT+IHMWQTlqtq7fadyozCUG4MNQZZDJYnFOj9h3+dXuEO/ngTaR8ziJzuXr6RLoLoX2ajeXjafadQ1nBbnTqJj8LJic6zWGX4T Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Received: by 2002:a05:6e02:1ca5:b0:3a7:81c6:be7e with SMTP id e9e14a558f8ab-3c2d2d510c9mr272516795ab.13.1735556884491; Mon, 30 Dec 2024 03:08:04 -0800 (PST) Date: Mon, 30 Dec 2024 03:08:04 -0800 In-Reply-To: <20241230104052.671-1-hdanton@sina.com> X-Google-Appengine-App-Id: s~syzkaller X-Google-Appengine-App-Id-Alias: syzkaller Message-ID: <67727f14.050a0220.226966.00d3.GAE@google.com> Subject: Re: [syzbot] [mm?] WARNING in __folio_rmap_sanity_checks (2) From: syzbot To: hdanton@sina.com, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com Content-Type: text/plain; charset="UTF-8" Hello, syzbot has tested the proposed patch but the reproducer is still triggering an issue: KASAN: use-after-free Read in filemap_map_pages ================================================================== BUG: KASAN: use-after-free in ptep_get include/linux/pgtable.h:338 [inline] BUG: KASAN: use-after-free in filemap_map_folio_range mm/filemap.c:3632 [inline] BUG: KASAN: use-after-free in filemap_map_pages+0xefb/0x1aa0 mm/filemap.c:3753 Read of size 8 at addr ffff88807b524000 by task syz.0.16/6781 CPU: 1 UID: 0 PID: 6781 Comm: syz.0.16 Not tainted 6.13.0-rc3-next-20241220-syzkaller-05236-g8155b4ef3466-dirty #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x169/0x550 mm/kasan/report.c:489 kasan_report+0x143/0x180 mm/kasan/report.c:602 ptep_get include/linux/pgtable.h:338 [inline] filemap_map_folio_range mm/filemap.c:3632 [inline] filemap_map_pages+0xefb/0x1aa0 mm/filemap.c:3753 do_fault_around mm/memory.c:5351 [inline] do_read_fault mm/memory.c:5384 [inline] do_fault mm/memory.c:5527 [inline] do_pte_missing mm/memory.c:4048 [inline] handle_pte_fault+0x3888/0x5ee0 mm/memory.c:5890 __handle_mm_fault mm/memory.c:6033 [inline] handle_mm_fault+0x11f5/0x1d50 mm/memory.c:6202 faultin_page mm/gup.c:1196 [inline] __get_user_pages+0x1a92/0x4140 mm/gup.c:1491 populate_vma_page_range+0x264/0x330 mm/gup.c:1929 __mm_populate+0x27a/0x460 mm/gup.c:2032 mm_populate include/linux/mm.h:3400 [inline] vm_mmap_pgoff+0x303/0x430 mm/util.c:585 ksys_mmap_pgoff+0x4eb/0x720 mm/mmap.c:607 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fe41b185d29 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fe41bff6038 EFLAGS: 00000246 ORIG_RAX: 0000000000000009 RAX: ffffffffffffffda RBX: 00007fe41b375fa0 RCX: 00007fe41b185d29 RDX: 0000000000000002 RSI: 0000000000b36000 RDI: 0000000020000000 RBP: 00007fe41b201b08 R08: 0000000000000004 R09: 0000000000000000 R10: 0000000000028011 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007fe41b375fa0 R15: 00007ffedf5c4578 The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7b524 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) page_type: f0(buddy) raw: 00fff00000000000 ffff88813fffbed0 ffffea000088e108 0000000000000000 raw: 0000000000000000 0000000000000002 00000000f0000000 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 6034, tgid 6034 (dhcpcd-run-hook), ts 82273930287, free_ts 120498877039 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x1f4/0x240 mm/page_alloc.c:1551 prep_new_page mm/page_alloc.c:1559 [inline] get_page_from_freelist+0x365c/0x37a0 mm/page_alloc.c:3477 __alloc_frozen_pages_noprof+0x292/0x710 mm/page_alloc.c:4754 alloc_pages_mpol+0x30e/0x550 mm/mempolicy.c:2270 alloc_slab_page mm/slub.c:2423 [inline] allocate_slab+0x8f/0x3a0 mm/slub.c:2587 new_slab mm/slub.c:2640 [inline] ___slab_alloc+0xc27/0x14a0 mm/slub.c:3826 __slab_alloc+0x58/0xa0 mm/slub.c:3916 __slab_alloc_node mm/slub.c:3991 [inline] slab_alloc_node mm/slub.c:4152 [inline] __do_kmalloc_node mm/slub.c:4293 [inline] __kmalloc_noprof+0x2e6/0x4c0 mm/slub.c:4306 kmalloc_noprof include/linux/slab.h:905 [inline] tomoyo_realpath_from_path+0xcf/0x5e0 security/tomoyo/realpath.c:251 tomoyo_get_realpath security/tomoyo/file.c:151 [inline] tomoyo_check_open_permission+0x258/0x4f0 security/tomoyo/file.c:771 security_file_open+0xac/0x250 security/security.c:3114 do_dentry_open+0x320/0x1960 fs/open.c:932 vfs_open+0x3b/0x370 fs/open.c:1085 do_open fs/namei.c:3828 [inline] path_openat+0x2c74/0x3580 fs/namei.c:3987 do_filp_open+0x27f/0x4e0 fs/namei.c:4014 do_sys_openat2+0x13e/0x1d0 fs/open.c:1427 page last free pid 6781 tgid 6780 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1127 [inline] free_frozen_pages+0xe0d/0x10e0 mm/page_alloc.c:2660 discard_slab mm/slub.c:2684 [inline] __put_partials+0x160/0x1c0 mm/slub.c:3153 put_cpu_partial+0x17c/0x250 mm/slub.c:3228 __slab_free+0x290/0x380 mm/slub.c:4479 qlink_free mm/kasan/quarantine.c:163 [inline] qlist_free_all+0x9a/0x140 mm/kasan/quarantine.c:179 kasan_quarantine_reduce+0x14f/0x170 mm/kasan/quarantine.c:286 __kasan_slab_alloc+0x23/0x80 mm/kasan/common.c:329 kasan_slab_alloc include/linux/kasan.h:250 [inline] slab_post_alloc_hook mm/slub.c:4115 [inline] slab_alloc_node mm/slub.c:4164 [inline] kmem_cache_alloc_noprof+0x1d9/0x380 mm/slub.c:4171 ptlock_alloc+0x20/0x70 mm/memory.c:7045 ptlock_init include/linux/mm.h:2972 [inline] pagetable_pte_ctor include/linux/mm.h:2999 [inline] __pte_alloc_one_noprof include/asm-generic/pgalloc.h:73 [inline] pte_alloc_one+0xd3/0x510 arch/x86/mm/pgtable.c:41 __pte_alloc+0x79/0x3c0 mm/memory.c:447 do_anonymous_page mm/memory.c:4848 [inline] do_pte_missing mm/memory.c:4046 [inline] handle_pte_fault+0x4d4c/0x5ee0 mm/memory.c:5890 __handle_mm_fault mm/memory.c:6033 [inline] handle_mm_fault+0x11f5/0x1d50 mm/memory.c:6202 do_user_addr_fault arch/x86/mm/fault.c:1389 [inline] handle_page_fault arch/x86/mm/fault.c:1481 [inline] exc_page_fault+0x2b9/0x8b0 arch/x86/mm/fault.c:1539 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623 Memory state around the buggy address: ffff88807b523f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff88807b523f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff88807b524000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff88807b524080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88807b524100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ================================================================== Tested on: commit: 8155b4ef Add linux-next specific files for 20241220 git tree: linux-next console output: https://syzkaller.appspot.com/x/log.txt?x=1328a6df980000 kernel config: https://syzkaller.appspot.com/x/.config?x=9c90bb7161a56c88 dashboard link: https://syzkaller.appspot.com/bug?extid=c0673e1f1f054fac28c2 compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 patch: https://syzkaller.appspot.com/x/patch.diff?x=12ccaac4580000