2015-11-30 14:25:06

by Sasha Levin

Subject: mm: BUG in __munlock_pagevec

Hi all,

I've hit the following while fuzzing with trinity on the latest -next kernel:


[ 850.305385] page:ffffea001a5a0f00 count:0 mapcount:1 mapping:dead000000000400 index:0x1ffffffffff
[ 850.306773] flags: 0x2fffff80000000()
[ 850.307175] page dumped because: VM_BUG_ON_PAGE(1 && PageTail(page))
[ 850.308027] page_owner info is not active (free page?)
[ 850.308925] ------------[ cut here ]------------
[ 850.309614] kernel BUG at include/linux/page-flags.h:326!
[ 850.310333] invalid opcode: 0000 [#1] PREEMPT SMP KASAN
[ 850.311176] Modules linked in:
[ 850.311650] CPU: 5 PID: 7051 Comm: trinity-c129 Not tainted 4.4.0-rc2-next-20151127-sasha-00012-gf0498ca-dirty #2661
[ 850.313115] task: ffff8806eaf08000 ti: ffff8806b1170000 task.ti: ffff8806b1170000
[ 850.314085] RIP: __munlock_pagevec (include/linux/page-flags.h:326 mm/mlock.c:296)
[ 850.315341] RSP: 0018:ffff8806b11778d0 EFLAGS: 00010046
[ 850.316086] RAX: ffff8806eaf08000 RBX: ffff8806b1177b58 RCX: 0000000000000000
[ 850.316938] RDX: 0000000000000000 RSI: 0000000000000046 RDI: ffffed00d622eef6
[ 850.317777] RBP: ffff8806b1177a20 R08: fffffbfff439eaf3 R09: ffffffffa1cf5798
[ 850.318453] R10: ffff8806f2aef9c0 R11: 1ffffffff439eaed R12: ffffea001a5a0f00
[ 850.319131] R13: dffffc0000000000 R14: ffffea001a5a0f20 R15: ffff8806b11779f8
[ 850.319807] FS: 0000000000000000(0000) GS:ffff8806fd340000(0000) knlGS:0000000000000000
[ 850.320595] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 850.321155] CR2: 00000000006e0000 CR3: 00000006e2fd2000 CR4: 00000000000406e0
[ 850.321839] Stack:
[ 850.322045] 1ffff100d622ef23 ffff88082ffd8000 ffff8806b1177b48 0000000300000000
[ 850.322811] 0000000000000003 ffff88082ffd6000 ffff8806b1177938 ffff8806b1177b58
[ 850.323570] ffffea001aadf700 0000000041b58ab3 ffffffff9e8778fa ffffffff93597a40
[ 850.324396] Call Trace:
[ 850.330731] munlock_vma_pages_range (mm/mlock.c:485)
[ 850.335325] exit_mmap (mm/mmap.c:2844)
[ 850.338123] mmput (include/linux/compiler.h:218 kernel/fork.c:750 kernel/fork.c:717)
[ 850.338591] do_exit (./arch/x86/include/asm/bitops.h:311 include/linux/thread_info.h:92 kernel/exit.c:438 kernel/exit.c:735)
[ 850.341432] do_group_exit (kernel/exit.c:862)
[ 850.341950] SyS_exit_group (kernel/exit.c:889)
[ 850.342582] entry_SYSCALL_64_fastpath (arch/x86/entry/entry_64.S:188)
[ 850.343177] Code: 34 07 00 48 8b 85 f0 fe ff ff 49 8b 54 24 20 48 89 c3 83 e2 01 74 50 e8 ea 38 07 00 48 c7 c6 20 a3 4e 9c 4c 89 e7 e8 9b 6b fe ff <0f> 0b e8 d4 38 07 00 48 8b 85 d0 fe ff ff 48 8b 9d c0 fe ff ff
All code
========
0: 34 07 xor $0x7,%al
2: 00 48 8b add %cl,-0x75(%rax)
5: 85 f0 test %esi,%eax
7: fe (bad)
8: ff (bad)
9: ff 49 8b decl -0x75(%rcx)
c: 54 push %rsp
d: 24 20 and $0x20,%al
f: 48 89 c3 mov %rax,%rbx
12: 83 e2 01 and $0x1,%edx
15: 74 50 je 0x67
17: e8 ea 38 07 00 callq 0x73906
1c: 48 c7 c6 20 a3 4e 9c mov $0xffffffff9c4ea320,%rsi
23: 4c 89 e7 mov %r12,%rdi
26: e8 9b 6b fe ff callq 0xfffffffffffe6bc6
2b:* 0f 0b ud2 <-- trapping instruction
2d: e8 d4 38 07 00 callq 0x73906
32: 48 8b 85 d0 fe ff ff mov -0x130(%rbp),%rax
39: 48 8b 9d c0 fe ff ff mov -0x140(%rbp),%rbx
...

Code starting with the faulting instruction
===========================================
0: 0f 0b ud2
2: e8 d4 38 07 00 callq 0x738db
7: 48 8b 85 d0 fe ff ff mov -0x130(%rbp),%rax
e: 48 8b 9d c0 fe ff ff mov -0x140(%rbp),%rbx
...
[ 850.345913] RIP __munlock_pagevec (include/linux/page-flags.h:326 mm/mlock.c:296)
[ 850.346536] RSP <ffff8806b11778d0>


Thanks,
Sasha


2015-11-30 15:18:51

by Vlastimil Babka

Subject: Re: mm: BUG in __munlock_pagevec

On 11/30/2015 03:24 PM, Sasha Levin wrote:
> Hi all,
>
> I've hit the following while fuzzing with trinity on the latest -next kernel:
>
>
> [ 850.305385] page:ffffea001a5a0f00 count:0 mapcount:1 mapping:dead000000000400 index:0x1ffffffffff
> [ 850.306773] flags: 0x2fffff80000000()
> [ 850.307175] page dumped because: VM_BUG_ON_PAGE(1 && PageTail(page))
> [ 850.308027] page_owner info is not active (free page?)
> [ 850.308925] ------------[ cut here ]------------
> [ 850.309614] kernel BUG at include/linux/page-flags.h:326!
> [ 850.310333] invalid opcode: 0000 [#1] PREEMPT SMP KASAN
> [ 850.311176] Modules linked in:
> [ 850.311650] CPU: 5 PID: 7051 Comm: trinity-c129 Not tainted 4.4.0-rc2-next-20151127-sasha-00012-gf0498ca-dirty #2661
> [ 850.313115] task: ffff8806eaf08000 ti: ffff8806b1170000 task.ti: ffff8806b1170000
> [ 850.314085] RIP: __munlock_pagevec (include/linux/page-flags.h:326 mm/mlock.c:296)

That's TestClearPageMlocked(page) which has PF_NO_TAIL.

The page dump suggests the page was freed between the check triggering,
and the page being dumped. But being on munlock's pagevec should pin the
page. So a pin/unpin mismatch somewhere, together with a race?

Moreover, a PageTail(page) shouldn't even get on the pagevec,
munlock_vma_pages_range() skips tail pages. So another race that made
the page a Tail after it was added to pagevec?

Or maybe __munlock_pagevec_fill() encountered a tail page, and since it
assumes that it can't happen, there's no check. Maybe a VM_BUG_ON_PAGE()
there would catch this earlier? Could be related to "thp: allow mlocked
THP again".

Ah, __munlock_pagevec_fill() does a get_page(), which would increase
page->count on the compound head, which could also explain the mismatch.

------8<------
diff --git a/mm/mlock.c b/mm/mlock.c
index af421d8bd6da..156d2840aa62 100644
--- a/mm/mlock.c
+++ b/mm/mlock.c
@@ -393,7 +393,9 @@ static unsigned long __munlock_pagevec_fill(struct pagevec *pvec,
if (!page || page_zone_id(page) != zoneid)
break;

+ VM_BUG_ON_PAGE(PageTail(page), page);
get_page(page);
+
/*
* Increase the address that will be returned *before* the
* eventual break due to pvec becoming full by adding the page
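Review bot: the added VM_BUG_ON_PAGE(PageTail(page), page) is a diagnostic rather than a fix, and the description should say so: on a kernel built without CONFIG_DEBUG_VM the macro compiles to nothing, so a tail page would still reach get_page() below it and pin the compound head onto the pagevec, exactly the pin/unpin mismatch suspected above. With CONFIG_DEBUG_VM it only moves the existing BUG from __munlock_pagevec() to __munlock_pagevec_fill(), which is useful for locating the caller but leaves the underlying race untouched. The extra blank line inserted after get_page(page); is unrelated whitespace churn and should be dropped from the hunk.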

2015-12-01 21:38:07

by Kirill A. Shutemov

Subject: Re: mm: BUG in __munlock_pagevec

On Mon, Nov 30, 2015 at 09:24:56AM -0500, Sasha Levin wrote:
> Hi all,
>
> I've hit the following while fuzzing with trinity on the latest -next kernel:
>
>
> [ 850.305385] page:ffffea001a5a0f00 count:0 mapcount:1 mapping:dead000000000400 index:0x1ffffffffff
> [ 850.306773] flags: 0x2fffff80000000()
> [ 850.307175] page dumped because: VM_BUG_ON_PAGE(1 && PageTail(page))
> [ 850.308027] page_owner info is not active (free page?)

Could you check this completely untested patch:

diff --git a/mm/mlock.c b/mm/mlock.c
index af421d8bd6da..9197b6721a1e 100644
--- a/mm/mlock.c
+++ b/mm/mlock.c
@@ -393,6 +393,13 @@ static unsigned long __munlock_pagevec_fill(struct pagevec *pvec,
if (!page || page_zone_id(page) != zoneid)
break;

+ /*
+ * Do not use pagevec for PTE-mapped THP,
+ * munlock_vma_pages_range() will handle them.
+ */
+ if (PageTransCompound(page))
+ break;
+
get_page(page);
/*
* Increase the address that will be returned *before* the
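Review bot: the early break on PageTransCompound(page) leaves the returned address unadvanced (the "Increase the address that will be returned *before*" logic sits below the new check), so the caller revisits this address and is expected to munlock the THP itself; the comment asserts that munlock_vma_pages_range() will handle it, but nothing in the hunk guarantees PG_mlocked is actually cleared on the skipped page, and the two follow-up reports in this thread (a compound page freed with mlocked still set, and a BUG at mm/mlock.c:460 inside munlock_vma_pages_range) are consistent with that gap. Since the patch is sent as "completely untested", it would help to spell out in the description which path is meant to clear the flag for PTE-mapped THP, and note that the check intentionally covers both head and tail pages, since PageTransCompound() is true for either.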
--
Kirill A. Shutemov

2015-12-04 20:46:58

by Sasha Levin

Subject: Re: mm: BUG in __munlock_pagevec

On 12/01/2015 04:38 PM, Kirill A. Shutemov wrote:
> On Mon, Nov 30, 2015 at 09:24:56AM -0500, Sasha Levin wrote:
>> Hi all,
>>
>> I've hit the following while fuzzing with trinity on the latest -next kernel:
>>
>>
>> [ 850.305385] page:ffffea001a5a0f00 count:0 mapcount:1 mapping:dead000000000400 index:0x1ffffffffff
>> [ 850.306773] flags: 0x2fffff80000000()
>> [ 850.307175] page dumped because: VM_BUG_ON_PAGE(1 && PageTail(page))
>> [ 850.308027] page_owner info is not active (free page?)
> Could you check this completely untested patch:
>
> diff --git a/mm/mlock.c b/mm/mlock.c
> index af421d8bd6da..9197b6721a1e 100644
> --- a/mm/mlock.c
> +++ b/mm/mlock.c
> @@ -393,6 +393,13 @@ static unsigned long __munlock_pagevec_fill(struct pagevec *pvec,
> if (!page || page_zone_id(page) != zoneid)
> break;
>
> + /*
> + * Do not use pagevec for PTE-mapped THP,
> + * munlock_vma_pages_range() will handle them.
> + */
> + if (PageTransCompound(page))
> + break;
> +
> get_page(page);
> /*
> * Increase the address that will be returned *before* the

I've started seeing:

[ 1197.233931] BUG: Bad page state in process trinity-subchil pfn:110600
[ 1197.234002] page:ffffea0004418000 count:0 mapcount:0 mapping: (null) index:0x2a00 compound_mapcount: 0
[ 1197.234013] flags: 0x6fffff80144008(uptodate|head|swapbacked|mlocked)
[ 1197.234035] page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
[ 1197.234040] bad because of flags: 0x100000:(mlocked)
[ 1197.234051] Modules linked in:
[ 1197.234070] CPU: 23 PID: 4958 Comm: trinity-subchil Tainted: G B 4.4.0-rc3-next-20151203-sasha-00025-gf813aca-dirty #2691
[ 1197.234076] 1ffff1003e1a4eb2 000000003cc27d3f ffff8801f0d27610 ffffffffa2fb13f2
[ 1197.234092] 0000000041b58ab3 ffffffffae036b9b ffffffffa2fb1327 0000000000100000
[ 1197.234108] ffffffffa169ab93 000000003cc27d3f 0100000000000000 000000000018bce1
[ 1197.234124] Call Trace:
[ 1197.234142] [<ffffffffa2fb13f2>] dump_stack+0xcb/0x149
[ 1197.234156] [<ffffffffa2fb1327>] ? _atomic_dec_and_lock+0xf7/0xf7
[ 1197.234170] [<ffffffffa169ab93>] ? dump_page_badflags+0x4a3/0x590
[ 1197.234185] [<ffffffffa161d673>] bad_page+0x263/0x310
[ 1197.234206] [<ffffffffa161d410>] ? set_page_refcounted+0x1a0/0x1a0
[ 1197.234221] [<ffffffffa1777fb0>] ? mem_cgroup_move_charge_pte_range+0xa60/0xa60
[ 1197.234237] [<ffffffffa1620ef9>] free_pages_prepare+0x489/0x1700
[ 1197.234255] [<ffffffffa1778a80>] ? uncharge_list+0x590/0x5a0
[ 1197.234270] [<ffffffffa1620a70>] ? build_zonelists+0x1920/0x1920
[ 1197.234286] [<ffffffffa30247b2>] ? __list_del_entry+0x172/0x2b0
[ 1197.234299] [<ffffffffa1629053>] __free_pages_ok+0x43/0x230
[ 1197.234312] [<ffffffffa16292d2>] free_compound_page+0x92/0xa0
[ 1197.234326] [<ffffffffa17685f6>] free_transhuge_page+0x96/0xa0
[ 1197.234340] [<ffffffffa1643637>] __put_compound_page+0xc7/0xd0
[ 1197.234353] [<ffffffffa1643bef>] release_pages+0x35f/0xb10
[ 1197.234373] [<ffffffffa1643890>] ? put_pages_list+0x190/0x190
[ 1197.234428] [<ffffffffa16477fc>] ? lru_add_drain_cpu+0x49c/0x4b0
[ 1197.234442] [<ffffffffa16eecc9>] free_pages_and_swap_cache+0x49/0x410
[ 1197.234455] [<ffffffffa16a0547>] tlb_flush_mmu_free+0x97/0x130
[ 1197.234467] [<ffffffffa16a7447>] unmap_page_range+0x1877/0x1bd0
[ 1197.234480] [<ffffffffa16a5bd0>] ? vm_normal_page+0x1f0/0x1f0
[ 1197.234493] [<ffffffffa17616ee>] ? __khugepaged_exit+0x2ee/0x3a0
[ 1197.234506] [<ffffffffa16a79d7>] unmap_single_vma+0x237/0x250
[ 1197.234518] [<ffffffffa16a9e96>] unmap_vmas+0x126/0x1b0
[ 1197.234532] [<ffffffffa16c9fd0>] exit_mmap+0x2b0/0x420
[ 1197.234547] [<ffffffffa17616ee>] ? __khugepaged_exit+0x2ee/0x3a0
[ 1197.234563] [<ffffffffa16c9d20>] ? SyS_remap_file_pages+0x630/0x630
[ 1197.234575] [<ffffffffa174185d>] ? kmem_cache_free+0x26d/0x2d0
[ 1197.234592] [<ffffffffa13cf532>] ? __might_sleep+0x1f2/0x220
[ 1197.234606] [<ffffffffa13509d5>] mmput+0xe5/0x320
[ 1197.234620] [<ffffffffa13508f0>] ? sighand_ctor+0x70/0x70
[ 1197.234635] [<ffffffffa1362a39>] ? mm_update_next_owner+0x5c9/0x600
[ 1197.234649] [<ffffffffa13dde39>] ? preempt_count_add+0xe9/0x140
[ 1197.234664] [<ffffffffa13638fd>] do_exit+0xe8d/0x1540
[ 1197.234678] [<ffffffffa11693a4>] ? sched_clock+0x44/0x50
[ 1197.234693] [<ffffffffa13f058c>] ? local_clock+0x1c/0x20
[ 1197.234709] [<ffffffffa1362a70>] ? mm_update_next_owner+0x600/0x600
[ 1197.234724] [<ffffffffa1607721>] ? __context_tracking_exit+0xb1/0xc0
[ 1197.234738] [<ffffffffa160784b>] ? context_tracking_exit+0x11b/0x120
[ 1197.234754] [<ffffffffa1005e5a>] ? syscall_trace_enter_phase1+0x4aa/0x4f0
[ 1197.234771] [<ffffffffa10059b0>] ? enter_from_user_mode+0x80/0x80
[ 1197.234800] [<ffffffffa3024353>] ? check_preemption_disabled+0x233/0x250
[ 1197.234813] [<ffffffffa1364209>] do_group_exit+0x1e9/0x330
[ 1197.234825] [<ffffffffa136436d>] SyS_exit_group+0x1d/0x20
[ 1197.234842] [<ffffffffab9178d5>] entry_SYSCALL_64_fastpath+0x35/0x99


Thanks,
Sasha

2015-12-04 20:48:54

by Sasha Levin

Subject: Re: mm: BUG in __munlock_pagevec

On 12/04/2015 03:46 PM, Sasha Levin wrote:
> On 12/01/2015 04:38 PM, Kirill A. Shutemov wrote:
>> On Mon, Nov 30, 2015 at 09:24:56AM -0500, Sasha Levin wrote:
>>> Hi all,
>>>
>>> I've hit the following while fuzzing with trinity on the latest -next kernel:
>>>
>>>
>>> [ 850.305385] page:ffffea001a5a0f00 count:0 mapcount:1 mapping:dead000000000400 index:0x1ffffffffff
>>> [ 850.306773] flags: 0x2fffff80000000()
>>> [ 850.307175] page dumped because: VM_BUG_ON_PAGE(1 && PageTail(page))
>>> [ 850.308027] page_owner info is not active (free page?)
>> Could you check this completely untested patch:
>>
>> diff --git a/mm/mlock.c b/mm/mlock.c
>> index af421d8bd6da..9197b6721a1e 100644
>> --- a/mm/mlock.c
>> +++ b/mm/mlock.c
>> @@ -393,6 +393,13 @@ static unsigned long __munlock_pagevec_fill(struct pagevec *pvec,
>> if (!page || page_zone_id(page) != zoneid)
>> break;
>>
>> + /*
>> + * Do not use pagevec for PTE-mapped THP,
>> + * munlock_vma_pages_range() will handle them.
>> + */
>> + if (PageTransCompound(page))
>> + break;
>> +
>> get_page(page);
>> /*
>> * Increase the address that will be returned *before* the
> I've started seeing:

And:

[ 883.470914] kernel BUG at mm/mlock.c:460!
[ 883.472612] invalid opcode: 0000 [#1] PREEMPT SMP KASAN
[ 883.474950] Modules linked in:
[ 883.476583] CPU: 11 PID: 15210 Comm: trinity-c191 Not tainted 4.4.0-rc3-next-20151203-sasha-00025-gf813aca-dirty #2691
[ 883.481771] task: ffff8801026b4000 ti: ffff8808a25d0000 task.ti: ffff8808a25d0000
[ 883.485068] RIP: 0010:[<ffffffff816b9d43>] [<ffffffff816b9d43>] munlock_vma_pages_range+0x2b3/0xab0
[ 883.493522] RSP: 0018:ffff8808a25d79e8 EFLAGS: 00010246
[ 883.495623] RAX: 0000000000000000 RBX: ffffea0029af2740 RCX: 0000000000000000
[ 883.498478] RDX: 1ffffd400535e4ef RSI: 0000000000000246 RDI: ffffea0029af2778
[ 883.501609] RBP: ffff8808a25d7be0 R08: fffffbfff36d4114 R09: ffffffff9b6a08a4
[ 883.504475] R10: 0000000000000001 R11: 1ffffffff36d410d R12: ffffea0029af2760
[ 883.507422] R13: ffff8808a25d7bb8 R14: dffffc0000000000 R15: ffffea0029af0000
[ 883.510004] FS: 0000000000000000(0000) GS:ffff880aa4600000(0000) knlGS:0000000000000000
[ 883.511243] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 883.512303] CR2: 0000000000639378 CR3: 0000000880b7b000 CR4: 00000000000006a0
[ 883.518040] DR0: 0000000000008ac6 DR1: 0000000000000000 DR2: 0000000000000000
[ 883.519467] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
[ 883.520662] Stack:
[ 883.521038] ffff8811eb99db60 0000000000000002 ffff880aa7fcf000 1ffff101144baf4b
[ 883.522493] ffffed023d733b6c 0000000002c97000 000077f75da28510 0000002e00000000
[ 883.524015] ffff8808a25d7a78 ffffea002a6a495c 00007f04ffe7b000 ffffea0029af0001
[ 883.527296] Call Trace:
[ 883.528482] [<ffffffff816b9a90>] ? munlock_vma_page+0x400/0x400
[ 883.531246] [<ffffffff8144dbe0>] ? in_lock_functions+0x30/0x40
[ 883.534027] [<ffffffff813ddd1d>] ? get_parent_ip+0xd/0x40
[ 883.536351] [<ffffffff813dde39>] ? preempt_count_add+0xe9/0x140
[ 883.539045] [<ffffffff8173d597>] ? free_debug_processing+0x417/0x550
[ 883.542045] [<ffffffff818a0b45>] ? exit_aio+0x365/0x3c0
[ 883.544352] [<ffffffff816c9f11>] exit_mmap+0x1f1/0x420
[ 883.546476] [<ffffffff817616ee>] ? __khugepaged_exit+0x2ee/0x3a0
[ 883.548906] [<ffffffff816c9d20>] ? SyS_remap_file_pages+0x630/0x630
[ 883.551544] [<ffffffff8174185d>] ? kmem_cache_free+0x26d/0x2d0
[ 883.553718] [<ffffffff817616ff>] ? __khugepaged_exit+0x2ff/0x3a0
[ 883.556319] [<ffffffff81761400>] ? hugepage_madvise+0x160/0x160
[ 883.558901] [<ffffffff813cc436>] ? ___might_sleep+0xd6/0x3f0
[ 883.561232] [<ffffffff813cf532>] ? __might_sleep+0x1f2/0x220
[ 883.566857] [<ffffffff813509d5>] mmput+0xe5/0x320
[ 883.568416] [<ffffffff813508f0>] ? sighand_ctor+0x70/0x70
[ 883.570136] [<ffffffff81362a39>] ? mm_update_next_owner+0x5c9/0x600
[ 883.572272] [<ffffffff813dde39>] ? preempt_count_add+0xe9/0x140
[ 883.574501] [<ffffffff813638fd>] do_exit+0xe8d/0x1540
[ 883.577297] [<ffffffff811693a4>] ? sched_clock+0x44/0x50
[ 883.579268] [<ffffffff813f058c>] ? local_clock+0x1c/0x20
[ 883.581118] [<ffffffff81362a70>] ? mm_update_next_owner+0x600/0x600
[ 883.585181] [<ffffffff81607721>] ? __context_tracking_exit+0xb1/0xc0
[ 883.587569] [<ffffffff8160784b>] ? context_tracking_exit+0x11b/0x120
[ 883.589850] [<ffffffff81005e5a>] ? syscall_trace_enter_phase1+0x4aa/0x4f0
[ 883.592297] [<ffffffff810059b0>] ? enter_from_user_mode+0x80/0x80
[ 883.594603] [<ffffffff83024353>] ? check_preemption_disabled+0x233/0x250
[ 883.596920] [<ffffffff81364209>] do_group_exit+0x1e9/0x330
[ 883.598682] [<ffffffff8136436d>] SyS_exit_group+0x1d/0x20
[ 883.602748] [<ffffffff8b9178d5>] entry_SYSCALL_64_fastpath+0x35/0x99
[ 883.604899] Code: 3c 30 00 74 08 4c 89 ff e8 0b be 08 00 49 8b 07 a9 00 00 10 00 74 22 e8 9c c3 08 00 48 c7 c6 c0 94 b0 8b 48 89 df e8 3d 0f fe ff <0f> 0b 48 c7 c7 e0 f3 ec 8f e8 ad 71 9f 01 e8 7a c3 08 00 4c 89
[ 883.613771] RIP [<ffffffff816b9d43>] munlock_vma_pages_range+0x2b3/0xab0
[ 883.614902] RSP <ffff8808a25d79e8>


Thanks,
Sasha
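A small triage helper for reports like the three posted in this thread, added here as an example and not part of the thread or of any kernel tooling: it pulls the BUG location, the page-dump reason, the flag words and the reliable call-trace frames out of both report styles seen above (the symbolised "func (file:line)" trace of the first report and the raw "[<addr>] func+off/len" trace of the later ones). The sample input is a constructed excerpt of the second report.

```python
import re

# Constructed excerpt of the second report in this thread; timestamps kept as real reports carry them.
SAMPLE_REPORT = """\
[ 1197.234013] flags: 0x6fffff80144008(uptodate|head|swapbacked|mlocked)
[ 1197.234035] page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
[ 1197.234040] bad because of flags: 0x100000:(mlocked)
[ 1197.234124] Call Trace:
[ 1197.234142] [<ffffffffa2fb13f2>] dump_stack+0xcb/0x149
[ 1197.234156] [<ffffffffa2fb1327>] ? _atomic_dec_and_lock+0xf7/0xf7
[ 1197.234185] [<ffffffffa161d673>] bad_page+0x263/0x310
"""

TIMESTAMP = re.compile(r"^\[\s*\d+\.\d+\]\s*")
FIELDS = {  # one capture group each; the flag fields carry a second group of names
    "bug_at": re.compile(r"kernel BUG at (\S+:\d+)!"),
    "reason": re.compile(r"page dumped because: (.+)$"),
    "flags": re.compile(r"^flags: 0x([0-9a-f]+)\(([^)]*)\)"),
    "bad_flags": re.compile(r"bad because of flags: 0x([0-9a-f]+):\(([^)]*)\)"),
}
# Both trace styles seen here: symbolised "func (file:line)" and raw "[<addr>] func+off/len"; "?" = unreliable frame
FRAME = re.compile(r"^(?:\[<[0-9a-f]+>\] )?(\? )?([A-Za-z_]\w*)")


def parse_report(text):
    """Pull the triage fields out of one oops / bad-page-state report."""
    out = {"frames": [], "unreliable": 0}
    in_trace = False
    for raw in text.splitlines():
        line = TIMESTAMP.sub("", raw).strip()
        if in_trace:  # a blank line or the register dump ends the trace
            m = FRAME.match(line)
            if m is None or line.startswith(("RIP", "RSP", "Code:")):
                in_trace = False
            elif m.group(1):
                out["unreliable"] += 1
            else:
                out["frames"].append(m.group(2))
            continue
        in_trace = line == "Call Trace:"
        for key, pat in FIELDS.items():
            m = pat.search(line)
            if m and key.endswith("flags"):
                out[key] = {"value": int(m.group(1), 16),
                            "names": [n for n in m.group(2).split("|") if n]}
            elif m:
                out[key] = m.group(1)
    return out


def freed_while_mlocked(report):
    """Leak signature of the second report: page freed with PG_mlocked still set."""
    return "mlocked" in report.get("bad_flags", {"names": []})["names"]
```

Running parse_report on a directory of trinity crash logs and grouping by bug_at plus the first reliable frame is enough to tell the three distinct signatures in this thread apart.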