Fuzzers are unhappy. Thoughts?
[34944.838318][T48906] BUG: unable to handle page fault for address: ffff888cb196bfe8
[34944.845970][T48906] #PF: supervisor read access in kernel mode
[34944.847199][T50168] futex_wake_op: trinity-c58 tries to shift op by -1; fix this program
[34944.851855][T48906] #PF: error_code(0x0000) - not-present page
[34944.851866][T48906] PGD f63401067 P4D f63401067 PUD 1079630067 PMD 10794a3067 PTE 800ffff34e694060
[34944.874964][T48906] Oops: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI
[34944.881289][T48906] CPU: 72 PID: 48906 Comm: trinity-c85 Tainted: G L 5.7.0-rc1-next-20200414+ #8
[34944.891559][T48906] Hardware name: HPE ProLiant DL385 Gen10/ProLiant DL385 Gen10, BIOS A40 07/10/2019
[34944.900860][T48906] RIP: 0010:swapin_readahead+0x40a/0x85f
swap_vma_readahead at mm/swap_state.c:741
(inlined by) swapin_readahead at mm/swap_state.c:785
[34944.906394][T48906] Code: 6c 24 70 44 8b 64 24 0c 4c 89 6c 24 18 eb 13 41 83 c4 01 49 83 c6 08 44 3b 64 24 20 0f 84 38 03 00 00 4c 89 f7 e8 66 74 04 00 <4d> 8b 3e 49 f7 c7 9f ff ff ff 74 d9 48 c7 c7 a0 83 23 91 e8 4e 74
[34944.925989][T48906] RSP: 0018:ffffc9002622f620 EFLAGS: 00010246
[34944.931960][T48906] RAX: 0000000000000000 RBX: ffffc9002622f8d8 RCX: ffffffff902370aa
[34944.939849][T48906] RDX: dffffc0000000000 RSI: 0000000000000001 RDI: ffff888cb196bfe8
[34944.947737][T48906] RBP: ffffc9002622f758 R08: 0000000000000000 R09: ffffed112d8078e7
[34944.955625][T48906] R10: ffff88896c03c737 R11: ffffed112d8078e6 R12: 0000000000000000
[34944.963580][T48906] R13: ffffc9002622f690 R14: ffff888cb196bfe8 R15: ffff888cb196c000
[34944.971479][T48906] FS: 00007f17c465a740(0000) GS:ffff889032c00000(0000) knlGS:0000000000000000
[34944.980329][T48906] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[34944.986820][T48906] CR2: ffff888cb196bfe8 CR3: 0000000c17964000 CR4: 00000000003406e0
[34944.994709][T48906] Call Trace:
[34944.997895][T48906] ? exit_swap_address_space+0x160/0x160
[34945.003429][T48906] ? lookup_swap_cache+0x144/0x410
[34945.008516][T48906] ? swapcache_prepare+0x20/0x20
[34945.013352][T48906] do_swap_page+0x4ef/0xe70
do_swap_page at mm/memory.c:3141
[34945.017751][T48906] ? unmap_mapping_range+0x30/0x30
[34945.022763][T48906] __handle_mm_fault+0xb80/0xbe0
[34945.027601][T48906] ? copy_page_range+0x420/0x420
[34945.032438][T48906] handle_mm_fault+0xdc/0x2e0
[34945.037013][T48906] do_page_fault+0x2cb/0x9d7
[34945.041607][T48906] page_fault+0x34/0x40
[34945.045655][T48906] RIP: 0010:strncpy_from_user+0xc9/0x2a0
[34945.051184][T48906] Code: 14 00 00 4c 01 e8 0f 92 c1 0f 82 45 01 00 00 48 39 c2 0f 82 3c 01 00 00 0f 01 cb 0f ae e8 49 83 fd 07 0f 86 b7 01 00 00 31 f6 <49> 8b 14 24 85 f6 0f 85 9b 01 00 00 49 8d 45 f8 4c 89 6d c0 49 89
[34945.070775][T48906] RSP: 0018:ffffc9002622fb28 EFLAGS: 00050246
[34945.076742][T48906] RAX: 0000000000000fe0 RBX: ffff888c17830040 RCX: 0000000000000000
[34945.084626][T48906] RDX: 00007ffffffff000 RSI: 0000000000000000 RDI: ffff888c178314d0
[34945.092516][T48906] RBP: ffffc9002622fb70 R08: 0000000000000fe0 R09: fffff940065ea9e1
[34945.100402][T48906] R10: ffffea0032f54f07 R11: fffff940065ea9e0 R12: 0000000000000000
[34945.108288][T48906] R13: 0000000000000fe0 R14: ffff888cbd53c060 R15: 0000000000000fe0
[34945.116184][T48906] ? strncpy_from_user+0x96/0x2a0
[34945.121106][T48906] getname_flags+0x6a/0x220
[34945.125502][T48906] do_renameat2+0x17c/0x7e0
[34945.129895][T48906] ? user_path_create+0x40/0x40
[34945.134642][T48906] ? register_lock_class+0xb40/0xb40
[34945.139824][T48906] ? match_held_lock+0x20/0x250
[34945.144569][T48906] ? find_held_lock+0xca/0xf0
[34945.149140][T48906] ? __kasan_check_read+0x11/0x20
[34945.154062][T48906] ? perf_syscall_enter+0xf9/0x370
[34945.159065][T48906] ? lock_downgrade+0x3e0/0x3e0
[34945.163804][T48906] ? check_flags.part.28+0x86/0x220
[34945.168896][T48906] ? rcu_read_lock_sched_held+0xac/0xe0
[34945.174339][T48906] ? do_syscall_64+0x79/0xaf0
[34945.178907][T48906] ? rcu_read_lock_bh_held+0xc0/0xc0
[34945.184091][T48906] __x64_sys_rename+0x3b/0x50
[34945.188659][T48906] do_syscall_64+0xcc/0xaf0
[34945.193050][T48906] ? perf_call_bpf_enter+0x1a0/0x1a0
[34945.198230][T48906] ? syscall_return_slowpath+0x580/0x580
[34945.203760][T48906] ? entry_SYSCALL_64_after_hwframe+0x3e/0xb3
[34945.209725][T48906] ? trace_hardirqs_off_caller+0x3a/0x150
[34945.215340][T48906] ? trace_hardirqs_off_thunk+0x1a/0x1c
[34945.220780][T48906] entry_SYSCALL_64_after_hwframe+0x49/0xb3
[34945.226568][T48906] RIP: 0033:0x7f17c3f5c839
[34945.230872][T48906] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 1f f6 2c 00 f7 d8 64 89 01 48
[34945.250461][T48906] RSP: 002b:00007fff822be2d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000052
[34945.258802][T48906] RAX: ffffffffffffffda RBX: 0000000000000052 RCX: 00007f17c3f5c839
[34945.266685][T48906] RDX: 00000000000000e8 RSI: 0000000000000000 RDI: 0000000000000000
> On Apr 14, 2020, at 10:01 PM, Huang, Ying <[email protected]> wrote:
>
> Is it possible to bisect this?
Yes, I’ll need to find a quick reproducer first by analyzing the fuzzer’s last logs.
>
> Because the crash point is identified, it may be helpful to collect and
> analyze the status of the faulting page table and readahead ptes. But I
> am not familiar with the ARM64 architecture. So I cannot help much
> here.
It happens for x86 as well where the trace is in the first email of this thread.
> On Apr 14, 2020, at 10:32 AM, Qian Cai <[email protected]> wrote:
>
> Fuzzers are unhappy. Thoughts?
This is rather to reproduce. All the traces so far are from copy_from_user() to trigger a page fault,
and then it dereferences a bad pte in swap_vma_readahead(),
    for (i = 0, pte = ra_info.ptes; i < ra_info.nr_pte;
         i++, pte++) {
            pentry = *pte;              <-- crashed here.
            if (pte_none(pentry))
[12561.167450][ T8470] Unable to handle kernel paging request at virtual address ffff000eec8dffe8
[12561.176391][ T8470] Mem abort info:
[12561.179916][ T8470] ESR = 0x96000007
[12561.183702][ T8470] EC = 0x25: DABT (current EL), IL = 32 bits
[12561.189897][ T8470] SET = 0, FnV = 0
[12561.193681][ T8470] EA = 0, S1PTW = 0
[12561.197622][ T8470] Data abort info:
[12561.201232][ T8470] ISV = 0, ISS = 0x00000007
[12561.205905][ T8470] CM = 0, WnR = 0
[12561.209605][ T8470] swapper pgtable: 64k pages, 48-bit VAs, pgdp=00000000813d0000
[12561.217231][ T8470] [ffff000eec8dffe8] pgd=00000097fcfd0003, pud=00000097fcfd0003, pmd=00000097fcc10003, pte=0068000f6c8d0712
[12561.229049][ T8470] Internal error: Oops: 96000007 [#1] SMP
[12561.234628][ T8470] Modules linked in: nfnetlink thunderx2_pmu processor ip_tables xfs libcrc32c sd_mod ahci libahci mlx5_core libata dm_mirror dm_region_hash dm_log dm_mod efivarfs
[12561.250854][ T8470] CPU: 147 PID: 8470 Comm: trinity-c147 Tainted: G L 5.7.0-rc1-next-20200414 #5
[12561.261031][ T8470] Hardware name: HPE Apollo 70 /C01_APACHE_MB , BIOS L50_5.13_1.11 06/18/2019
[12561.271472][ T8470] pstate: 60400009 (nZCv daif +PAN -UAO)
[12561.276978][ T8470] pc : swap_vma_readahead+0x360/0x568
[12561.282207][ T8470] lr : swap_vma_readahead+0x360/0x568
[12561.287442][ T8470] sp : e4ff000eec8af7f0
[12561.291461][ T8470] x29: e4ff000eec8af8b0 x28: 0dff000eec868ce0
[12561.297476][ T8470] x27: 0000000000000000 x26: 0400000000000001
[12561.303490][ T8470] x25: e4ff000eec8afa48 x24: ffff000eec8dffe8
[12561.309503][ T8470] x23: e4ff000eec8af80c x22: 0dff000eec868c30
[12561.315517][ T8470] x21: e4ff000eec8afa30 x20: 0000000000000000
[12561.321529][ T8470] x19: 0000000000100cca x18: 0000000000000000
[12561.327541][ T8470] x17: 0000000000000000 x16: 0000000000000000
[12561.333553][ T8470] x15: 0000000000000000 x14: 0000000000000000
[12561.339567][ T8470] x13: 0000000000000000 x12: 0000000000000000
[12561.345580][ T8470] x11: 00000000000000e4 x10: ffff8000eec8af82
[12561.351593][ T8470] x9 : ffff8000eec8af81 x8 : 0000000000000001
[12561.357605][ T8470] x7 : 0000000000000000 x6 : 0000000000000000
[12561.363617][ T8470] x5 : e4ff000eec8af848 x4 : e4ff000eec8af850
[12561.369630][ T8470] x3 : ffff90001042ec64 x2 : 0000000000000000
[12561.375648][ T8470] x1 : 0000000000000008 x0 : 0000000000000001
[12561.381679][ T8470] Call trace:
[12561.384849][ T8470] swap_vma_readahead+0x360/0x568
[12561.389747][ T8470] swapin_readahead+0x9c/0xc0
[12561.394308][ T8470] do_swap_page+0x314/0xccc
[12561.398684][ T8470] handle_pte_fault+0x7a0/0x14d0
[12561.403494][ T8470] handle_mm_fault+0x4ac/0x5d0
[12561.408143][ T8470] do_page_fault+0x45c/0x708
[12561.412626][ T8470] do_translation_fault+0x60/0x98
[12561.417535][ T8470] do_mem_abort+0x58/0xf4
[12561.421754][ T8470] el1_sync_handler+0x9c/0x100
[12561.426403][ T8470] el1_sync+0xb4/0x180
[12561.430360][ T8470] __arch_copy_from_user+0x24/0x240
[12561.435446][ T8470] __arm64_sys_recvmmsg+0xa0/0x1a8
[12561.440433][ T8470] do_el0_svc+0x128/0x1dc
[12561.444641][ T8470] el0_sync_handler+0x150/0x250
[12561.449365][ T8470] el0_sync+0x164/0x180
[12561.453408][ T8470] Code: 6b08029f 54000842 aa1803e0 940101ef (f9400308)
[12561.460883][ T8470] ---[ end trace d7b340909510bdcf ]---
[12561.466220][ T8470] Kernel panic - not syncing: Fatal exception
[12561.472743][ T8470] SMP: stopping secondary CPUs
[12561.477581][ T8470] Kernel Offset: disabled
[12561.481770][ T8470] CPU features: 0x006002,61000c38
[12561.486648][ T8470] Memory Limit: none
[12561.490729][ T8470] ---[ end Kernel panic - not syncing: Fatal exception ]---
>
> [34944.838318][T48906] BUG: unable to handle page fault for address: ffff888cb196bfe8
> [34944.845970][T48906] #PF: supervisor read access in kernel mode
> [34944.847199][T50168] futex_wake_op: trinity-c58 tries to shift op by -1; fix this program
> [34944.851855][T48906] #PF: error_code(0x0000) - not-present page
> [34944.851866][T48906] PGD f63401067 P4D f63401067 PUD 1079630067 PMD 10794a3067 PTE 800ffff34e694060
> [34944.874964][T48906] Oops: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI
> [34944.881289][T48906] CPU: 72 PID: 48906 Comm: trinity-c85 Tainted: G L 5.7.0-rc1-next-20200414+ #8
> [34944.891559][T48906] Hardware name: HPE ProLiant DL385 Gen10/ProLiant DL385 Gen10, BIOS A40 07/10/2019
> [34944.900860][T48906] RIP: 0010:swapin_readahead+0x40a/0x85f
> swap_vma_readahead at mm/swap_state.c:741
> (inlined by) swapin_readahead at mm/swap_state.c:785
> [34944.906394][T48906] Code: 6c 24 70 44 8b 64 24 0c 4c 89 6c 24 18 eb 13 41 83 c4 01 49 83 c6 08 44 3b 64 24 20 0f 84 38 03 00 00 4c 89 f7 e8 66 74 04 00 <4d> 8b 3e 49 f7 c7 9f ff ff ff 74 d9 48 c7 c7 a0 83 23 91 e8 4e 74
> [34944.925989][T48906] RSP: 0018:ffffc9002622f620 EFLAGS: 00010246
> [34944.931960][T48906] RAX: 0000000000000000 RBX: ffffc9002622f8d8 RCX: ffffffff902370aa
> [34944.939849][T48906] RDX: dffffc0000000000 RSI: 0000000000000001 RDI: ffff888cb196bfe8
> [34944.947737][T48906] RBP: ffffc9002622f758 R08: 0000000000000000 R09: ffffed112d8078e7
> [34944.955625][T48906] R10: ffff88896c03c737 R11: ffffed112d8078e6 R12: 0000000000000000
> [34944.963580][T48906] R13: ffffc9002622f690 R14: ffff888cb196bfe8 R15: ffff888cb196c000
> [34944.971479][T48906] FS: 00007f17c465a740(0000) GS:ffff889032c00000(0000) knlGS:0000000000000000
> [34944.980329][T48906] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [34944.986820][T48906] CR2: ffff888cb196bfe8 CR3: 0000000c17964000 CR4: 00000000003406e0
> [34944.994709][T48906] Call Trace:
> [34944.997895][T48906] ? exit_swap_address_space+0x160/0x160
> [34945.003429][T48906] ? lookup_swap_cache+0x144/0x410
> [34945.008516][T48906] ? swapcache_prepare+0x20/0x20
> [34945.013352][T48906] do_swap_page+0x4ef/0xe70
> do_swap_page at mm/memory.c:3141
> [34945.017751][T48906] ? unmap_mapping_range+0x30/0x30
> [34945.022763][T48906] __handle_mm_fault+0xb80/0xbe0
> [34945.027601][T48906] ? copy_page_range+0x420/0x420
> [34945.032438][T48906] handle_mm_fault+0xdc/0x2e0
> [34945.037013][T48906] do_page_fault+0x2cb/0x9d7
> [34945.041607][T48906] page_fault+0x34/0x40
> [34945.045655][T48906] RIP: 0010:strncpy_from_user+0xc9/0x2a0
> [34945.051184][T48906] Code: 14 00 00 4c 01 e8 0f 92 c1 0f 82 45 01 00 00 48 39 c2 0f 82 3c 01 00 00 0f 01 cb 0f ae e8 49 83 fd 07 0f 86 b7 01 00 00 31 f6 <49> 8b 14 24 85 f6 0f 85 9b 01 00 00 49 8d 45 f8 4c 89 6d c0 49 89
> [34945.070775][T48906] RSP: 0018:ffffc9002622fb28 EFLAGS: 00050246
> [34945.076742][T48906] RAX: 0000000000000fe0 RBX: ffff888c17830040 RCX: 0000000000000000
> [34945.084626][T48906] RDX: 00007ffffffff000 RSI: 0000000000000000 RDI: ffff888c178314d0
> [34945.092516][T48906] RBP: ffffc9002622fb70 R08: 0000000000000fe0 R09: fffff940065ea9e1
> [34945.100402][T48906] R10: ffffea0032f54f07 R11: fffff940065ea9e0 R12: 0000000000000000
> [34945.108288][T48906] R13: 0000000000000fe0 R14: ffff888cbd53c060 R15: 0000000000000fe0
> [34945.116184][T48906] ? strncpy_from_user+0x96/0x2a0
> [34945.121106][T48906] getname_flags+0x6a/0x220
> [34945.125502][T48906] do_renameat2+0x17c/0x7e0
> [34945.129895][T48906] ? user_path_create+0x40/0x40
> [34945.134642][T48906] ? register_lock_class+0xb40/0xb40
> [34945.139824][T48906] ? match_held_lock+0x20/0x250
> [34945.144569][T48906] ? find_held_lock+0xca/0xf0
> [34945.149140][T48906] ? __kasan_check_read+0x11/0x20
> [34945.154062][T48906] ? perf_syscall_enter+0xf9/0x370
> [34945.159065][T48906] ? lock_downgrade+0x3e0/0x3e0
> [34945.163804][T48906] ? check_flags.part.28+0x86/0x220
> [34945.168896][T48906] ? rcu_read_lock_sched_held+0xac/0xe0
> [34945.174339][T48906] ? do_syscall_64+0x79/0xaf0
> [34945.178907][T48906] ? rcu_read_lock_bh_held+0xc0/0xc0
> [34945.184091][T48906] __x64_sys_rename+0x3b/0x50
> [34945.188659][T48906] do_syscall_64+0xcc/0xaf0
> [34945.193050][T48906] ? perf_call_bpf_enter+0x1a0/0x1a0
> [34945.198230][T48906] ? syscall_return_slowpath+0x580/0x580
> [34945.203760][T48906] ? entry_SYSCALL_64_after_hwframe+0x3e/0xb3
> [34945.209725][T48906] ? trace_hardirqs_off_caller+0x3a/0x150
> [34945.215340][T48906] ? trace_hardirqs_off_thunk+0x1a/0x1c
> [34945.220780][T48906] entry_SYSCALL_64_after_hwframe+0x49/0xb3
> [34945.226568][T48906] RIP: 0033:0x7f17c3f5c839
> [34945.230872][T48906] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 1f f6 2c 00 f7 d8 64 89 01 48
> [34945.250461][T48906] RSP: 002b:00007fff822be2d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000052
> [34945.258802][T48906] RAX: ffffffffffffffda RBX: 0000000000000052 RCX: 00007f17c3f5c839
> [34945.266685][T48906] RDX: 00000000000000e8 RSI: 0000000000000000 RDI: 0000000000000000
Qian Cai <[email protected]> writes:
>> On Apr 14, 2020, at 10:32 AM, Qian Cai <[email protected]> wrote:
>>
>> Fuzzers are unhappy. Thoughts?
>
> This is rather to reproduce. All the traces so far are from copy_from_user() to trigger a page fault,
> and then it dereferences a bad pte in swap_vma_readahead(),
>
>     for (i = 0, pte = ra_info.ptes; i < ra_info.nr_pte;
>          i++, pte++) {
>             pentry = *pte;              <-- crashed here.
>             if (pte_none(pentry))
Is it possible to bisect this?
Because the crash point is identified, it may be helpful to collect and
analyze the status of the faulting page table and readahead ptes. But I
am not familiar with the ARM64 architecture. So I cannot help much
here.
Best Regards,
Huang, Ying
Qian Cai <[email protected]> writes:
>> On Apr 14, 2020, at 10:01 PM, Huang, Ying <[email protected]> wrote:
>>
>> Is it possible to bisect this?
>
> Yes, I’ll need to find a quick reproducer first by analyzing the fuzzer’s last logs.
Can you share the reproducer to me when it's available? Or the command
line you used to reproduce it now?
>>
>> Because the crash point is identified, it may be helpful to collect and
>> analyze the status of the faulting page table and readahead ptes. But I
>> am not familiar with the ARM64 architecture. So I cannot help much
>> here.
>
> It happens for x86 as well where the trace is in the first email of this thread.
Got it! Thanks!
Best Regards,
Huang, Ying
> On Apr 15, 2020, at 4:54 AM, Huang, Ying <[email protected]> wrote:
>
> Qian Cai <[email protected]> writes:
>
>>> On Apr 14, 2020, at 10:01 PM, Huang, Ying <[email protected]> wrote:
>>>
>>> Is it possible to bisect this?
>>
>> Yes, I’ll need to find a quick reproducer first by analyzing the fuzzer’s last logs.
>
> Can you share the reproducer to me when it's available? Or the command
> line you used to reproduce it now?
Sure, the current reproducer is running a fuzzer inside a container.
(It requires runc to be installed first.)
https://raw.githubusercontent.com/cailca/linux-mm/master/runc.sh
On Wed, Apr 15, 2020 at 10:01:53AM +0800, Huang, Ying wrote:
> Qian Cai <[email protected]> writes:
>
> >> On Apr 14, 2020, at 10:32 AM, Qian Cai <[email protected]> wrote:
> >>
> >> Fuzzers are unhappy. Thoughts?
> >
> > This is rather to reproduce. All the traces so far are from copy_from_user() to trigger a page fault,
> > and then it dereferences a bad pte in swap_vma_readahead(),
> >
> >     for (i = 0, pte = ra_info.ptes; i < ra_info.nr_pte;
> >          i++, pte++) {
> >             pentry = *pte;              <-- crashed here.
> >             if (pte_none(pentry))
>
> Is it possible to bisect this?
>
> Because the crash point is identified, it may be helpful to collect and
> analyze the status of the faulting page table and readahead ptes. But I
> am not familiar with the ARM64 architecture. So I cannot help much
> here.
Ying, looks like the bug is still there today, which manifests itself
in a different form. Looking at the logs, I believe it was involved
with swapoff(). Any other thought? I still have not found time to bisect
this yet.
[ 785.477183][ T8727] BUG: KASAN: slab-out-of-bounds in swapin_readahead+0x7b8/0xbc0
swap_vma_readahead at mm/swap_state.c:759
(inlined by) swapin_readahead at mm/swap_state.c:803
[ 785.484752][ T8727] Read of size 8 at addr ffff00886ecaffe8 by task trinity-c35/8727
[ 785.492488][ T8727]
[ 785.494675][ T8727] CPU: 35 PID: 8727 Comm: trinity-c35 Not tainted 5.7.0-next-20200610 #3
[ 785.502942][ T8727] Hardware name: HPE Apollo 70 /C01_APACHE_MB , BIOS L50_5.13_1.11 06/18/2019
[ 785.513387][ T8727] Call trace:
[ 785.516538][ T8727] dump_backtrace+0x0/0x398
[ 785.520891][ T8727] show_stack+0x14/0x20
[ 785.524900][ T8727] dump_stack+0x140/0x1b8
[ 785.529087][ T8727] print_address_description.isra.12+0x54/0x4a8
[ 785.535185][ T8727] kasan_report+0x134/0x1b8
[ 785.539545][ T8727] __asan_report_load8_noabort+0x2c/0x50
[ 785.545036][ T8727] swapin_readahead+0x7b8/0xbc0
[ 785.549745][ T8727] do_swap_page+0xb1c/0x19a0
[ 785.554195][ T8727] handle_mm_fault+0xf10/0x2b30
[ 785.558905][ T8727] do_page_fault+0x230/0x908
[ 785.563354][ T8727] do_translation_fault+0xe0/0x108
[ 785.568323][ T8727] do_mem_abort+0x64/0x180
[ 785.572597][ T8727] el1_sync_handler+0x188/0x1b8
[ 785.577305][ T8727] el1_sync+0x7c/0x100
[ 785.581232][ T8727] __arch_copy_to_user+0xc4/0x158
[ 785.586115][ T8727] __arm64_sys_sysinfo+0x2c/0xd0
[ 785.590912][ T8727] do_el0_svc+0x124/0x220
[ 785.595100][ T8727] el0_sync_handler+0x260/0x408
[ 785.599807][ T8727] el0_sync+0x140/0x180
[ 785.603818][ T8727]
[ 785.606007][ T8727] Allocated by task 8673:
[ 785.610193][ T8727] save_stack+0x24/0x50
[ 785.614208][ T8727] __kasan_kmalloc.isra.13+0xc4/0xe0
[ 785.619350][ T8727] kasan_slab_alloc+0x14/0x20
[ 785.623885][ T8727] slab_post_alloc_hook+0x50/0xa8
[ 785.628769][ T8727] kmem_cache_alloc+0x18c/0x438
[ 785.633479][ T8727] create_object+0x58/0x960
[ 785.637844][ T8727] kmemleak_alloc+0x2c/0x38
[ 785.642205][ T8727] slab_post_alloc_hook+0x70/0xa8
[ 785.647089][ T8727] kmem_cache_alloc_trace+0x178/0x308
[ 785.652322][ T8727] refill_pi_state_cache.part.10+0x3c/0x1a8
[ 785.658073][ T8727] futex_lock_pi+0x404/0x5e0
[ 785.662519][ T8727] do_futex+0x790/0x1448
[ 785.666618][ T8727] __arm64_sys_futex+0x204/0x588
[ 785.671411][ T8727] do_el0_svc+0x124/0x220
[ 785.675603][ T8727] el0_sync_handler+0x260/0x408
[ 785.680312][ T8727] el0_sync+0x140/0x180
[ 785.684322][ T8727]
[ 785.686510][ T8727] Freed by task 0:
[ 785.690088][ T8727] save_stack+0x24/0x50
[ 785.694104][ T8727] __kasan_slab_free+0x124/0x198
[ 785.698899][ T8727] kasan_slab_free+0x10/0x18
[ 785.703340][ T8727] slab_free_freelist_hook+0x110/0x298
[ 785.708648][ T8727] kmem_cache_free+0xc8/0x3e0
[ 785.713175][ T8727] free_object_rcu+0x1e0/0x3b8
[ 785.717796][ T8727] rcu_core+0x8bc/0xf40
[ 785.721810][ T8727] rcu_core_si+0xc/0x18
[ 785.725825][ T8727] efi_header_end+0x2d8/0x1204
[ 785.730442][ T8727]
[ 785.732625][ T8727] The buggy address belongs to the object at ffff00886ecafd28
[ 785.732625][ T8727] which belongs to the cache kmemleak_object of size 368
[ 785.746875][ T8727] The buggy address is located 336 bytes to the right of
[ 785.746875][ T8727] 368-byte region [ffff00886ecafd28, ffff00886ecafe98)
[ 785.760519][ T8727] The buggy address belongs to the page:
[ 785.766009][ T8727] page:ffffffe021fbb280 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff00886ecaa8c8
[ 785.776268][ T8727] flags: 0x7ffff800000200(slab)
[ 785.780971][ T8727] raw: 007ffff800000200 ffffffe0222c12c8 ffffffe0223a1488 ffff000000323080
[ 785.789410][ T8727] raw: ffff00886ecaa8c8 00000000005b001d 00000001ffffffff 0000000000000000
[ 785.797849][ T8727] page dumped because: kasan: bad access85.811794][ T87270886ecaff00: fc fc fc fc fc fc ^
[ 785.842727] ffff00886ecb0080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 785.858703][ T8727] ==================================================================
[ 785.866621][ T8727] Disabling lock debugging due to kernel taint
[ 785.872714][ T8727] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 785.879523][ T8727] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 785.886322][ T8727] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
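Added triage check (example code written for this page, not code from the thread or from the kernel): the four faulting addresses reported so far in this thread (the x86-64 oops, the April arm64 oops, and the two KASAN reports) all end in ...fe8, and the June KASAN report also states an offset relative to the kmemleak_object slab region. The script below parses those address-bearing lines, which are copied from the reports above as constructed sample input, computes how far each faulting address sits from the end of its page, and recomputes KASAN's "336 bytes to the right of the 368-byte region" arithmetic. Assumptions: 4K pages for the x86-64 DL385, 64K pages for the arm64 Apollo 70 (stated in the April arm64 oops as "swapper pgtable: 64k pages"; the June report comes from the same box), and 8-byte PTEs on both; the function and regex names are mine.

```python
import re

# Constructed sample input: the address-bearing lines quoted from the oops and
# KASAN reports earlier in this thread (x86-64 DL385 with 4K pages; arm64
# Apollo 70 with 64K pages, per "swapper pgtable: 64k pages" in the April log).
SAMPLE_LOG = """\
[34944.838318][T48906] BUG: unable to handle page fault for address: ffff888cb196bfe8
[12561.167450][ T8470] Unable to handle kernel paging request at virtual address ffff000eec8dffe8
[ 785.484752][ T8727] Read of size 8 at addr ffff00886ecaffe8 by task trinity-c35/8727
[ 785.746875][ T8727] The buggy address is located 336 bytes to the right of
[ 785.746875][ T8727] 368-byte region [ffff00886ecafd28, ffff00886ecafe98)
[ 575.522928][T28650] Read of size 8 at addr ffff0089a603ffe8 by task trinity-c92/28650
"""

PTE_SIZE = 8  # sizeof(pte_t) on both 64-bit architectures in the reports

# Assumption: the x86 oops wording belongs to the 4K-page DL385 and the
# arm64 oops / KASAN wording to the 64K-page Apollo 70; adjust per machine.
FAULT_PATTERNS = (
    (re.compile(r"page fault for address: ([0-9a-f]{16})"), 4096),
    (re.compile(r"at virtual address ([0-9a-f]{16})"), 65536),
    (re.compile(r"Read of size \d+ at addr ([0-9a-f]{16})"), 65536),
)
PREFIX_RE = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\]\s*")
REGION_RE = re.compile(
    r"(\d+) bytes to the (left|right) of (\d+)-byte region "
    r"\[([0-9a-f]+), ([0-9a-f]+)\)")


def strip_prefix(line):
    """Drop the dmesg timestamp and [Tpid] prefix from one report line."""
    return PREFIX_RE.sub("", line)


def fault_addresses(log):
    """Return (address, page_size) for each faulting-address line in the log."""
    found = []
    for line in log.splitlines():
        for pattern, page_size in FAULT_PATTERNS:
            m = pattern.search(strip_prefix(line))
            if m:
                found.append((int(m.group(1), 16), page_size))
    return found


def bytes_to_page_end(addr, page_size):
    """Distance from addr up to the next page boundary (0 if already aligned)."""
    return (-addr) % page_size


def triage(log):
    """For every faulting address: (addr, bytes to page end, PTE slots left).

    A pte pointer that faults the same few entries short of a page boundary
    in every report implicates the readahead PTE walk rather than random
    corruption, so this is the pattern worth confirming first.
    """
    return [(addr, bytes_to_page_end(addr, ps),
             bytes_to_page_end(addr, ps) // PTE_SIZE)
            for addr, ps in fault_addresses(log)]


def check_kasan_region(log, addr):
    """Recompute KASAN's 'N bytes to the right of M-byte region' line for addr."""
    text = " ".join(strip_prefix(ln) for ln in log.splitlines())
    m = REGION_RE.search(text)
    if not m:
        return None
    claimed, side, size = int(m.group(1)), m.group(2), int(m.group(3))
    start, end = int(m.group(4), 16), int(m.group(5), 16)
    actual = addr - end if side == "right" else start - addr
    return {"size_ok": end - start == size, "claimed": claimed,
            "actual": actual, "offset_ok": actual == claimed}


if __name__ == "__main__":
    for addr, dist, slots in triage(SAMPLE_LOG):
        print(f"{addr:#018x}: {dist} bytes ({slots} PTEs) before the page boundary")
    print(check_kasan_region(SAMPLE_LOG, 0xffff00886ecaffe8))
```

Run against the lines above, every address comes out 24 bytes (three PTE slots) below a page boundary on both architectures, and KASAN's region arithmetic checks out (0xffff00886ecaffe8 minus the region end 0xffff00886ecafe98 is 0x150 = 336). Feeding a fresh report through the same check is a quick way to tell whether a new crash is still this pattern or something else.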
Hi,
Sorry for the late reply. I found a problem in the swap readahead code. Can you help to check whether it can fix this?
Best Regards,
Huang, Ying
________________________________________
From: Qian Cai [[email protected]]
Sent: Tuesday, June 16, 2020 9:13 AM
To: Huang, Ying
Cc: Linux-MM; LKML; Minchan Kim; Hugh Dickins; Andrew Morton
Subject: Re: linux-next: not-present page at swap_vma_readahead()
On Wed, Apr 15, 2020 at 10:01:53AM +0800, Huang, Ying wrote:
> Qian Cai <[email protected]> writes:
>
> >> On Apr 14, 2020, at 10:32 AM, Qian Cai <[email protected]> wrote:
> >>
> >> Fuzzers are unhappy. Thoughts?
> >
> > This is rather to reproduce. All the traces so far are from copy_from_user() to trigger a page fault,
> > and then it dereferences a bad pte in swap_vma_readahead(),
> >
> >     for (i = 0, pte = ra_info.ptes; i < ra_info.nr_pte;
> >          i++, pte++) {
> >             pentry = *pte;              <-- crashed here.
> >             if (pte_none(pentry))
>
> Is it possible to bisect this?
>
> Because the crash point is identified, it may be helpful to collect and
> analyze the status of the faulting page table and readahead ptes. But I
> am not familiar with the ARM64 architecture. So I cannot help much
> here.
Ying, looks like the bug is still there today, which manifests itself
in a different form. Looking at the logs, I believe it was involved
with swapoff(). Any other thought? I still have not found time to bisect
this yet.
[ 785.477183][ T8727] BUG: KASAN: slab-out-of-bounds in swapin_readahead+0x7b8/0xbc0
swap_vma_readahead at mm/swap_state.c:759
(inlined by) swapin_readahead at mm/swap_state.c:803
[ 785.484752][ T8727] Read of size 8 at addr ffff00886ecaffe8 by task trinity-c35/8727
[ 785.492488][ T8727]
[ 785.494675][ T8727] CPU: 35 PID: 8727 Comm: trinity-c35 Not tainted 5.7.0-next-20200610 #3
[ 785.502942][ T8727] Hardware name: HPE Apollo 70 /C01_APACHE_MB , BIOS L50_5.13_1.11 06/18/2019
[ 785.513387][ T8727] Call trace:
[ 785.516538][ T8727] dump_backtrace+0x0/0x398
[ 785.520891][ T8727] show_stack+0x14/0x20
[ 785.524900][ T8727] dump_stack+0x140/0x1b8
[ 785.529087][ T8727] print_address_description.isra.12+0x54/0x4a8
[ 785.535185][ T8727] kasan_report+0x134/0x1b8
[ 785.539545][ T8727] __asan_report_load8_noabort+0x2c/0x50
[ 785.545036][ T8727] swapin_readahead+0x7b8/0xbc0
[ 785.549745][ T8727] do_swap_page+0xb1c/0x19a0
[ 785.554195][ T8727] handle_mm_fault+0xf10/0x2b30
[ 785.558905][ T8727] do_page_fault+0x230/0x908
[ 785.563354][ T8727] do_translation_fault+0xe0/0x108
[ 785.568323][ T8727] do_mem_abort+0x64/0x180
[ 785.572597][ T8727] el1_sync_handler+0x188/0x1b8
[ 785.577305][ T8727] el1_sync+0x7c/0x100
[ 785.581232][ T8727] __arch_copy_to_user+0xc4/0x158
[ 785.586115][ T8727] __arm64_sys_sysinfo+0x2c/0xd0
[ 785.590912][ T8727] do_el0_svc+0x124/0x220
[ 785.595100][ T8727] el0_sync_handler+0x260/0x408
[ 785.599807][ T8727] el0_sync+0x140/0x180
[ 785.603818][ T8727]
[ 785.606007][ T8727] Allocated by task 8673:
[ 785.610193][ T8727] save_stack+0x24/0x50
[ 785.614208][ T8727] __kasan_kmalloc.isra.13+0xc4/0xe0
[ 785.619350][ T8727] kasan_slab_alloc+0x14/0x20
[ 785.623885][ T8727] slab_post_alloc_hook+0x50/0xa8
[ 785.628769][ T8727] kmem_cache_alloc+0x18c/0x438
[ 785.633479][ T8727] create_object+0x58/0x960
[ 785.637844][ T8727] kmemleak_alloc+0x2c/0x38
[ 785.642205][ T8727] slab_post_alloc_hook+0x70/0xa8
[ 785.647089][ T8727] kmem_cache_alloc_trace+0x178/0x308
[ 785.652322][ T8727] refill_pi_state_cache.part.10+0x3c/0x1a8
[ 785.658073][ T8727] futex_lock_pi+0x404/0x5e0
[ 785.662519][ T8727] do_futex+0x790/0x1448
[ 785.666618][ T8727] __arm64_sys_futex+0x204/0x588
[ 785.671411][ T8727] do_el0_svc+0x124/0x220
[ 785.675603][ T8727] el0_sync_handler+0x260/0x408
[ 785.680312][ T8727] el0_sync+0x140/0x180
[ 785.684322][ T8727]
[ 785.686510][ T8727] Freed by task 0:
[ 785.690088][ T8727] save_stack+0x24/0x50
[ 785.694104][ T8727] __kasan_slab_free+0x124/0x198
[ 785.698899][ T8727] kasan_slab_free+0x10/0x18
[ 785.703340][ T8727] slab_free_freelist_hook+0x110/0x298
[ 785.708648][ T8727] kmem_cache_free+0xc8/0x3e0
[ 785.713175][ T8727] free_object_rcu+0x1e0/0x3b8
[ 785.717796][ T8727] rcu_core+0x8bc/0xf40
[ 785.721810][ T8727] rcu_core_si+0xc/0x18
[ 785.725825][ T8727] efi_header_end+0x2d8/0x1204
[ 785.730442][ T8727]
[ 785.732625][ T8727] The buggy address belongs to the object at ffff00886ecafd28
[ 785.732625][ T8727] which belongs to the cache kmemleak_object of size 368
[ 785.746875][ T8727] The buggy address is located 336 bytes to the right of
[ 785.746875][ T8727] 368-byte region [ffff00886ecafd28, ffff00886ecafe98)
[ 785.760519][ T8727] The buggy address belongs to the page:
[ 785.766009][ T8727] page:ffffffe021fbb280 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff00886ecaa8c8
[ 785.776268][ T8727] flags: 0x7ffff800000200(slab)
[ 785.780971][ T8727] raw: 007ffff800000200 ffffffe0222c12c8 ffffffe0223a1488 ffff000000323080
[ 785.789410][ T8727] raw: ffff00886ecaa8c8 00000000005b001d 00000001ffffffff 0000000000000000
[ 785.797849][ T8727] page dumped because: kasan: bad access85.811794][ T87270886ecaff00: fc fc fc fc fc fc ^
[ 785.842727] ffff00886ecb0080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 785.858703][ T8727] ==================================================================
[ 785.866621][ T8727] Disabling lock debugging due to kernel taint
[ 785.872714][ T8727] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 785.879523][ T8727] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 785.886322][ T8727] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
On Mon, Jul 20, 2020 at 12:37:30AM +0000, Huang, Ying wrote:
> Hi,
>
> Sorry for the late reply. I found a problem in the swap readahead code. Can you help to check whether it can fix this?
Unfortunately, I can still reproduce it easily after applying the patch.
# git clone https://gitlab.com/cailca/linux-mm
# git checkout v5.8-rc1 -- *.sh
# dnf -y install tar wget golang libseccomp-devel jq
# ./runc.sh
[ 575.517290][T28667] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 575.522901][T28650] BUG: KASAN: slab-out-of-bounds in swapin_readahead+0x780/0xbd8
swap_vma_readahead at mm/swap_state.c:758
(inlined by) swapin_readahead at mm/swap_state.c:802
[ 575.522928][T28650] Read of size 8 at addr ffff0089a603ffe8 by task trinity-c92/28650
[ 575.522947][T28650] CPU: 126 PID: 28650 Comm: trinity-c92 Not tainted 5.8.0-rc5-next-20200717+ #1
[ 575.522958][T28650] Hardware name: HPE Apollo 70 /C01_APACHE_MB , BIOS L50_5.13_1.11 06/18/2019
[ 575.522966][T28650] Call trace:
[ 575.529895][T28667] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 575.535819][T28590] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 575.535829][T28590] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 575.535836][T28590] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 575.537424][T28650] dump_backtrace+0x0/0x398
[ 575.537438][T28650] show_stack+0x14/0x20
[ 575.545308][T28667] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 575.554134][T28650] dump_stack+0x140/0x1c8
[ 575.554148][T28650] print_address_description.constprop.10+0x54/0x550
[ 575.554159][T28650] kasan_report+0x134/0x1b8
[ 575.554173][T28650] __asan_report_load8_noabort+0x2c/0x50
[ 575.559496][T28588] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 575.559506][T28588] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 575.559513][T28588] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 575.562203][T28586] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 575.562215][T28586] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 575.562223][T28586] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 575.665163][T28560] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 575.671260][T28650] swapin_readahead+0x780/0xbd8
[ 575.671280][T28650] do_swap_page+0xb1c/0x1a78
do_swap_page at mm/memory.c:3166
[ 575.678067][T28560] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 575.682774][T28650] handle_mm_fault+0xfd0/0x2c50
handle_pte_fault at mm/memory.c:4234
(inlined by) __handle_mm_fault at mm/memory.c:4368
(inlined by) handle_mm_fault at mm/memory.c:4466
[ 575.682789][T28650] do_page_fault+0x230/0x818
[ 575.682804][T28650] do_translation_fault+0x90/0xb0
[ 575.682819][T28650] do_mem_abort+0x64/0x180
[ 575.687259][T28560] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 575.694051][T28650] el1_sync_handler+0x188/0x1b8
[ 575.694064][T28650] el1_sync+0x7c/0x100
[ 575.694079][T28650] strncpy_from_user+0x270/0x3e8
[ 575.694100][T28650] getname_flags+0x80/0x330
[ 575.698001][T28827] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 575.698048][T28827] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 575.698056][T28827] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 575.755679][T28620] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 575.757304][T28650] user_path_at_empty+0x2c/0x60
[ 575.764131][T28620] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 575.768782][T28650] do_linkat+0x10c/0x528
[ 575.768792][T28650] __arm64_sys_linkat+0xa0/0xf8
[ 575.768802][T28650] do_el0_svc+0x124/0x228
[ 575.768812][T28650] el0_sync_handler+0x260/0x410
[ 575.768820][T28650] el0_sytack+0x24/0x50+0x14/0x20
[ 5ap file entry 58_object+0x58/0x968c/0x1880
[ 575.779790][T28650] __alloc_percpu_gfp+0x14/0x20
[ 575.779799][T28650] qdisc_alloc+0x2bc/0xb98
[ 575.779809][T28650] qdisc_create_dflt+0x60/0x748
[ 575.803406][T28643] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 575.806107][T28650] mq_init+0x1a0/0x3b8
[ 575.806120][T28650] qdisc_create_dflt+0xc8/0x748
[ 575.811321][T28643] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 575.815788][T28650] dev_activate+0x488/0x8b8
[ 575.815806][T28650] __dev_open+0x240/0x360
[ 575.820848][T28643] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 575.827542][T28650] __dev_change_flags+0x344/0x480
[ 575.827553][T28650] dev_change_flags+0x74/0x140
[ 575.906574][T28650] do_setlink+0x7c8/0x2760
[ 575.910856][T28650] __rtnl_newlink+0x80c/0x1000
[ 575.915481][T28650] rtnl_newlink+0x68/0xa0
[ 575.919671][T28650] rtnetlink_rcv_msg+0x394/0xa48
[ 575.924477][T28650] netlink_rcv_skb+0x19c/0x340
[ 575.929103][T28650] rtnetlink_rcv+0x14/0x20
[ 575.933380][T28650] netlink_unicast+0x3ec/0x5e0
[ 575.938005][T28650] netlink_sendmsg+0x63c/0xa60
[ 575.942632][T28650] ____sys_sendmsg+0x5b0/0x740
[ 575.947261][T28650] ___sys_sendmsg+0xec/0x160
[ 575.949053][T28716] futex_wake_op: trinity-c158 tries to shift op by -1; fix this program
[ 575.951712][T28650] __sys_sendmsg+0xb8/0x130
[ 575.951727][T28650] __arm64_sys_sendmsg+0x6c/0x98
[ 575.969052][T28650] do_el0_svc+0x124/0x228
[ 575.973248][T28650] el0_sync_handler+0x260/0x410
[ 575.977959][T28650] el0_sync+0x140/0x180
[ 575.981974][T28650] Last call_rcu():
[ 575.985557][T28650] kasan_save_stack+0x24/0x50
[ 575.990099][T28650] kasan_record_aux_stack+0xe0/0x110
[ 575.995249][T28650] call_rcu+0x114/0x680
[ 575.999273][T28650] put_object+0x84/0xc0
[ 576.003303][T28650] __delete_object+0xc4/0x110
[ 576.007848][T28650] delete_object_full+0x18/0x20
[ 576.012565][T28650] kmemleak_free+0x2c/0x38
[ 576.016844][T28650] slab_free_freelist_hook+0x190/0x298
[ 576.022158][T28650] kmem_cache_free+0x128/0x518
[ 576.026775][T28650] file_free_rcu+0x68/0xb0
[ 576.031045][T28650] rcu_core+0x8b8/0xf90
[ 576.035059][T28650] rcu_core_si+0xc/0x18
[ 576.039079][T28650] efi_header_end+0x358/0x14d4
[ 576.043712][T28650] Second to last call_rcu():
[ 576.048176][T28650] kasan_save_stack+0x24/0x50
[ 576.052723][T28650] kasan_record_aux_stack+0xe0/0x110
[ 576.057871][T28650] call_rcu+0x114/0x680
[ 576.057998][T28976] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 576.061888][T28650] put_object+0x84/0xc0
[ 576.061898][T28650] __delete_object+0xc4/0x110
[ 576.061906][T28650] delete_object_full+0x18/0x20
[ 576.061917][T28650] kmemleak_free+0x2c/0x38
[ 576.061925][T28650] slab_free_freelist_hook+0x190/0x298
[ 576.061933][T28650] kmem_cache_free+0x128/0x518
[ 576.061950][T28650] putname+0xb8/0x108
[ 576.065453][T28678] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 576.065462][T28678] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 576.065470][T28678] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 576.068777][T28976] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 576.072740][T28650] do_sys_openat2+0x26c/0x4c0
[ 576.072753][T28650] do_sys_open+0xa4/0xf8
[ 576.077404][T28976] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 576.082097][T28650] __arm64_sys_openat+0x88/0xc8
[ 576.082107][T+0x260/0x410
[ 6.082138][T28650s to the cache kted 336 bytes to 576.082157][T28ntry 58025a5a5a5a5a5a
[ 576.120513][T28650] page:00000000e119790b refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8a2603
[ 576.127826][T28675] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 576.131821][T28650] flags: 0x7ffff800000200(slab)
[ 576.131835][T28650] raw: 007ffff800000200 ffffffe0223a3908 ffffffe02234c948 ffff000000322480
[ 576.131845][T28650] raw: 0000000000000000 00000000005b005b 00000001ffffffff 0000000000000000
[ 576.131853][T28650] page dumped because: kasan: bad access detected
[ 576.131865][T28650] Memory state around the buggy address:
[ 576.131875][T28650] ffff0089a603fe80: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 576.131884][T28650] ffff0089a603ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 576.131894][T28650] >ffff0089a603ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 576.131900][T28650] ^
[ 576.131908][T28650] ffff0089a6040000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 576.131917][T28650] ffff0089a6040080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 576.131923][T28650] ==================================================================
[ 576.131928][T28650] Disabling lock debugging due to kernel taint
[ 576.132028][T28650] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 576.132038][T28650] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 576.132046][T28650] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 576.281114][T28912] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 576.286297][T28675] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 576.293442][T28912] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 576.293451][T28912] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
> From b6cad43ad3cf63d73e539e3eaadd4ec9d2744dc6 Mon Sep 17 00:00:00 2001
> From: Huang Ying <[email protected]>
> Date: Fri, 10 Jul 2020 17:27:45 +0800
> Subject: [PATCH] dbg: Fix a logic hole in swap_ra_info()
>
> ---
> mm/swap_state.c | 5 ++---
> 1 file changed, 2 insertions(+), 3 deletions(-)
>
> diff --git a/mm/swap_state.c b/mm/swap_state.c
> index 05889e8e3c97..8481c15829b2 100644
> --- a/mm/swap_state.c
> +++ b/mm/swap_state.c
> @@ -669,12 +669,11 @@ static void swap_ra_info(struct vm_fault *vmf,
> pte_t *tpte;
> #endif
>
> + ra_info->win = 1;
> max_win = 1 << min_t(unsigned int, READ_ONCE(page_cluster),
> SWAP_RA_ORDER_CEILING);
> - if (max_win == 1) {
> - ra_info->win = 1;
> + if (max_win == 1)
> return;
> - }
>
> faddr = vmf->address;
> orig_pte = pte = pte_offset_map(vmf->pmd, faddr);
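Review bot: the commit message has no body, so the "logic hole" named in the subject is never explained; the hunk moves `ra_info->win = 1;` ahead of the `max_win` computation, but the only return path visible here (`if (max_win == 1) return;`) already set `win` to 1 in the removed block, so the change can only matter for some later early return in swap_ra_info() that left `ra_info->win` uninitialised for swap_vma_readahead() to read, and the description should name that path. Dropping the braces once the `if` body shrinks to the bare `return;` is correct kernel style, so no change needed there.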
> --
> 2.27.0
>
Thanks! Can you try the dbg patch attached? That will print more debugging information when an abnormal PTE pointer is detected.
Best Regards,
Huang, Ying
________________________________________
From: Qian Cai [[email protected]]
Sent: Monday, July 20, 2020 10:12 AM
To: Huang, Ying
Cc: Linux-MM; LKML; Minchan Kim; Hugh Dickins; Andrew Morton
Subject: Re: linux-next: not-present page at swap_vma_readahead()
On Mon, Jul 20, 2020 at 12:37:30AM +0000, Huang, Ying wrote:
> Hi,
>
> Sorry for the late reply. I found a problem in the swap readahead code. Can you help to check whether it can fix this?
Unfortunately, I can still reproduce it easily after applying the patch.
# git clone https://gitlab.com/cailca/linux-mm
# git checkout v5.8-rc1 -- *.sh
# dnf -y install tar wget golang libseccomp-devel jq
# ./runc.sh
[ 575.517290][T28667] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 575.522901][T28650] BUG: KASAN: slab-out-of-bounds in swapin_readahead+0x780/0xbd8
swap_vma_readahead at mm/swap_state.c:758
(inlined by) swapin_readahead at mm/swap_state.c:802
[ 575.522928][T28650] Read of size 8 at addr ffff0089a603ffe8 by task trinity-c92/28650
[ 575.522947][T28650] CPU: 126 PID: 28650 Comm: trinity-c92 Not tainted 5.8.0-rc5-next-20200717+ #1
[ 575.522958][T28650] Hardware name: HPE Apollo 70 /C01_APACHE_MB , BIOS L50_5.13_1.11 06/18/2019
[ 575.522966][T28650] Call trace:
[ 575.529895][T28667] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 575.535819][T28590] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 575.535829][T28590] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 575.535836][T28590] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 575.537424][T28650] dump_backtrace+0x0/0x398
[ 575.537438][T28650] show_stack+0x14/0x20
[ 575.545308][T28667] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 575.554134][T28650] dump_stack+0x140/0x1c8
[ 575.554148][T28650] print_address_description.constprop.10+0x54/0x550
[ 575.554159][T28650] kasan_report+0x134/0x1b8
[ 575.554173][T28650] __asan_report_load8_noabort+0x2c/0x50
[ 575.559496][T28588] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 575.559506][T28588] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 575.559513][T28588] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 575.562203][T28586] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 575.562215][T28586] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 575.562223][T28586] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 575.665163][T28560] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 575.671260][T28650] swapin_readahead+0x780/0xbd8
[ 575.671280][T28650] do_swap_page+0xb1c/0x1a78
do_swap_page at mm/memory.c:3166
[ 575.678067][T28560] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 575.682774][T28650] handle_mm_fault+0xfd0/0x2c50
handle_pte_fault at mm/memory.c:4234
(inlined by) __handle_mm_fault at mm/memory.c:4368
(inlined by) handle_mm_fault at mm/memory.c:4466
[ 575.682789][T28650] do_page_fault+0x230/0x818
[ 575.682804][T28650] do_translation_fault+0x90/0xb0
[ 575.682819][T28650] do_mem_abort+0x64/0x180
[ 575.687259][T28560] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 575.694051][T28650] el1_sync_handler+0x188/0x1b8
[ 575.694064][T28650] el1_sync+0x7c/0x100
[ 575.694079][T28650] strncpy_from_user+0x270/0x3e8
[ 575.694100][T28650] getname_flags+0x80/0x330
[ 575.698001][T28827] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 575.698048][T28827] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 575.698056][T28827] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 575.755679][T28620] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 575.757304][T28650] user_path_at_empty+0x2c/0x60
[ 575.764131][T28620] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 575.768782][T28650] do_linkat+0x10c/0x528
[ 575.768792][T28650] __arm64_sys_linkat+0xa0/0xf8
[ 575.768802][T28650] do_el0_svc+0x124/0x228
[ 575.768812][T28650] el0_sync_handler+0x260/0x410
[ 575.768820][T28650] el0_sytack+0x24/0x50+0x14/0x20
[ 5ap file entry 58_object+0x58/0x968c/0x1880
[ 575.779790][T28650] __alloc_percpu_gfp+0x14/0x20
[ 575.779799][T28650] qdisc_alloc+0x2bc/0xb98
[ 575.779809][T28650] qdisc_create_dflt+0x60/0x748
[ 575.803406][T28643] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 575.806107][T28650] mq_init+0x1a0/0x3b8
[ 575.806120][T28650] qdisc_create_dflt+0xc8/0x748
[ 575.811321][T28643] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 575.815788][T28650] dev_activate+0x488/0x8b8
[ 575.815806][T28650] __dev_open+0x240/0x360
[ 575.820848][T28643] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 575.827542][T28650] __dev_change_flags+0x344/0x480
[ 575.827553][T28650] dev_change_flags+0x74/0x140
[ 575.906574][T28650] do_setlink+0x7c8/0x2760
[ 575.910856][T28650] __rtnl_newlink+0x80c/0x1000
[ 575.915481][T28650] rtnl_newlink+0x68/0xa0
[ 575.919671][T28650] rtnetlink_rcv_msg+0x394/0xa48
[ 575.924477][T28650] netlink_rcv_skb+0x19c/0x340
[ 575.929103][T28650] rtnetlink_rcv+0x14/0x20
[ 575.933380][T28650] netlink_unicast+0x3ec/0x5e0
[ 575.938005][T28650] netlink_sendmsg+0x63c/0xa60
[ 575.942632][T28650] ____sys_sendmsg+0x5b0/0x740
[ 575.947261][T28650] ___sys_sendmsg+0xec/0x160
[ 575.949053][T28716] futex_wake_op: trinity-c158 tries to shift op by -1; fix this program
[ 575.951712][T28650] __sys_sendmsg+0xb8/0x130
[ 575.951727][T28650] __arm64_sys_sendmsg+0x6c/0x98
[ 575.969052][T28650] do_el0_svc+0x124/0x228
[ 575.973248][T28650] el0_sync_handler+0x260/0x410
[ 575.977959][T28650] el0_sync+0x140/0x180
[ 575.981974][T28650] Last call_rcu():
[ 575.985557][T28650] kasan_save_stack+0x24/0x50
[ 575.990099][T28650] kasan_record_aux_stack+0xe0/0x110
[ 575.995249][T28650] call_rcu+0x114/0x680
[ 575.999273][T28650] put_object+0x84/0xc0
[ 576.003303][T28650] __delete_object+0xc4/0x110
[ 576.007848][T28650] delete_object_full+0x18/0x20
[ 576.012565][T28650] kmemleak_free+0x2c/0x38
[ 576.016844][T28650] slab_free_freelist_hook+0x190/0x298
[ 576.022158][T28650] kmem_cache_free+0x128/0x518
[ 576.026775][T28650] file_free_rcu+0x68/0xb0
[ 576.031045][T28650] rcu_core+0x8b8/0xf90
[ 576.035059][T28650] rcu_core_si+0xc/0x18
[ 576.039079][T28650] efi_header_end+0x358/0x14d4
[ 576.043712][T28650] Second to last call_rcu():
[ 576.048176][T28650] kasan_save_stack+0x24/0x50
[ 576.052723][T28650] kasan_record_aux_stack+0xe0/0x110
[ 576.057871][T28650] call_rcu+0x114/0x680
[ 576.057998][T28976] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 576.061888][T28650] put_object+0x84/0xc0
[ 576.061898][T28650] __delete_object+0xc4/0x110
[ 576.061906][T28650] delete_object_full+0x18/0x20
[ 576.061917][T28650] kmemleak_free+0x2c/0x38
[ 576.061925][T28650] slab_free_freelist_hook+0x190/0x298
[ 576.061933][T28650] kmem_cache_free+0x128/0x518
[ 576.061950][T28650] putname+0xb8/0x108
[ 576.065453][T28678] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 576.065462][T28678] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 576.065470][T28678] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 576.068777][T28976] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 576.072740][T28650] do_sys_openat2+0x26c/0x4c0
[ 576.072753][T28650] do_sys_open+0xa4/0xf8
[ 576.077404][T28976] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 576.082097][T28650] __arm64_sys_openat+0x88/0xc8
[ 576.082107][T+0x260/0x410
[ 6.082138][T28650s to the cache kted 336 bytes to 576.082157][T28ntry 58025a5a5a5a5a5a
[ 576.120513][T28650] page:00000000e119790b refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8a2603
[ 576.127826][T28675] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 576.131821][T28650] flags: 0x7ffff800000200(slab)
[ 576.131835][T28650] raw: 007ffff800000200 ffffffe0223a3908 ffffffe02234c948 ffff000000322480
[ 576.131845][T28650] raw: 0000000000000000 00000000005b005b 00000001ffffffff 0000000000000000
[ 576.131853][T28650] page dumped because: kasan: bad access detected
[ 576.131865][T28650] Memory state around the buggy address:
[ 576.131875][T28650] ffff0089a603fe80: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 576.131884][T28650] ffff0089a603ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 576.131894][T28650] >ffff0089a603ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 576.131900][T28650] ^
[ 576.131908][T28650] ffff0089a6040000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 576.131917][T28650] ffff0089a6040080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 576.131923][T28650] ==================================================================
[ 576.131928][T28650] Disabling lock debugging due to kernel taint
[ 576.132028][T28650] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 576.132038][T28650] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 576.132046][T28650] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 576.281114][T28912] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 576.286297][T28675] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 576.293442][T28912] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 576.293451][T28912] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
> From b6cad43ad3cf63d73e539e3eaadd4ec9d2744dc6 Mon Sep 17 00:00:00 2001
> From: Huang Ying <[email protected]>
> Date: Fri, 10 Jul 2020 17:27:45 +0800
> Subject: [PATCH] dbg: Fix a logic hole in swap_ra_info()
>
> ---
> mm/swap_state.c | 5 ++---
> 1 file changed, 2 insertions(+), 3 deletions(-)
>
> diff --git a/mm/swap_state.c b/mm/swap_state.c
> index 05889e8e3c97..8481c15829b2 100644
> --- a/mm/swap_state.c
> +++ b/mm/swap_state.c
> @@ -669,12 +669,11 @@ static void swap_ra_info(struct vm_fault *vmf,
> pte_t *tpte;
> #endif
>
> + ra_info->win = 1;
> max_win = 1 << min_t(unsigned int, READ_ONCE(page_cluster),
> SWAP_RA_ORDER_CEILING);
> - if (max_win == 1) {
> - ra_info->win = 1;
> + if (max_win == 1)
> return;
> - }
>
> faddr = vmf->address;
> orig_pte = pte = pte_offset_map(vmf->pmd, faddr);
> --
> 2.27.0
>
On Mon, Jul 20, 2020 at 03:32:59AM +0000, Huang, Ying wrote:
> Thanks! Can you try the dbg patch attached? That will print more debugging information when an abnormal PTE pointer is detected.
Here with both of your patches applied,
[ 183.627876][ T3959] ra_info: 8, 3, 4, 00000000aabe3209
[ 183.633160][ T3959] i: 0, pte: 00000000aabe3209, faddr: 0
[ 183.638574][ T3959] ra_info: 8, 3, 4, 00000000aabe3209
[ 183.643787][ T3959] i: 1, pte: 0000000006e61f24, faddr: 0
[ 183.649189][ T3959] ra_info: 8, 3, 4, 00000000aabe3209
[ 183.654371][ T3959] i: 2, pte: 00000000ce16a68e, faddr: 0
[ 183.851372][ T3839] ra_info: 8, 3, 4, 0000000085efad17
[ 183.856550][ T3839] i: 0, pte: 0000000085efad17, faddr: 0
[ 183.862503][ T3839] ==================================================================
[ 183.870563][ T3839] BUG: KASAN: slab-out-of-bounds in swapin_readahead+0x840/0xd60
[ 183.878147][ T3839] Read of size 8 at addr ffff008919f1ffe8 by task trinity-c128/3839
[ 183.886001][ T3839] CPU: 9 PID: 3839 Comm: trinity-c128 Not tainted 5.8.0-rc5-next-20200717+ #2
[ 183.894710][ T3839] Hardware name: HPE Apollo 70 /C01_APACHE_MB , BIOS L50_5.13_1.11 06/18/2019
[ 183.905157][ T3839] Call trace:
[ 183.908314][ T3839] dump_backtrace+0x0/0x398
[ 183.912680][ T3839] show_stack+0x14/0x20
[ 183.916704][ T3839] dump_stack+0x140/0x1c8
[ 183.920910][ T3839] print_address_description.constprop.10+0x54/0x550
[ 183.927454][ T3839] kasan_report+0x134/0x1b8
[ 183.931833][ T3839] __asan_report_load8_noabort+0x2c/0x50
[ 183.937334][ T3839] swapin_readahead+0x840/0xd60
[ 183.942049][ T3839] do_swap_page+0xb1c/0x1a78
[ 183.946508][ T3839] handle_mm_fault+0xfd0/0x2c50
[ 183.948789][ T3754] ra_info: 8, 3, 4, 00000000d0b6ebd5
[ 183.951229][ T3839] do_page_fault+0x230/0x818
[ 183.956402][ T3754] i: 0, pte: 00000000d0b6ebd5, faddr: 0
[ 183.960896][ T3839] do_translation_fault+0x90/0xb0
[ 183.966330][ T3754] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 183.971172][ T3839] do_mem_abort+0x64/0x180
[ 183.971192][ T3839] el0_sync_handler+0x2a0/0x410
[ 183.971207][ T3839] el0_sync+0x140/0x180
[ 183.977984][ T3754] ra_info: 8, 3, 4, 00000000d0b6ebd5
[ 183.977997][ T3754] i: 1, pte: 00000000530a7b17, faddr: 0
[ 183.982278][ T3839] Allocated by task 3699:
[ 183.982296][ T3839] kasan_save_stack+0x24/0x50
[ 183.982310][ T3839] __kasan_kmalloc.isra.10+0xc4/0xe0
[ 183.987003][ T3754] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 183.987019][ T3754] ra_info: 8, 3, 4, 00000000d0b6ebd5
[ 183.991033][ T3839] kasan_slab_alloc+0x14/0x20
[ 183.991048][ T3839] slab_post_alloc_hook+0x58/0x5d0
[ 183.991064][ T3839] kmem_cache_alloc+0x19c/0x448
[ 183.996185][ T3754] i: 2, pte: 00000000031f0751, faddr: 0
[ 183.996200][ T3754] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 184.001617][ T3839] create_object+0x58/0x960
[ 184.001639][ T3839] kmemleak_alloc+0x2c/0x38
[ 184.001657][ T3839] slab_post_alloc_hook+0x78/0x5d0
[ 184.025674][ T3830] ra_info: 8, 3, 4, 00000000d77f2b57
[ 184.027442][ T3839] kmem_cache_alloc+0x19c/0x448
[ 184.032002][ T3830] i: 0, pte: 0026 (3737) used g 184.047047][ T193][ T3839] co T3932] i: 0, pt59417][ T3932] i: 1, pte: 00000000e38ee039, faddr: 0
[ 184.059424][ T3932] ra_info: 8, 3, 4, 000000004ae69ce9
[ 184.059431][ T3932] i: 2, pte: 0000000035544c25, faddr: 0
[ 184.062563][ T3830] ra_info: 8, 3, 4, 00000000d77f2b57
[ 184.067511][ T3839] _do_fork+0x128/0x11f8
[ 184.072663][ T3830] i: 2, pte: 000000002f241b20, faddr: 0
[ 184.077369][ T3839] __do_sys_clone+0xac/0xd8
[ 184.110993][ T3997] ra_info: 8, 3, 4, 00000000d40684b7
[ 184.113421][ T3839] __arm64_sys_clone+0xa0/0xf8
[ 184.116524][ T3832] ra_info: 8, 3, 4, 00000000b572965a
[ 184.116534][ T3832] i: 0, pte: 00000000b572965a, faddr: 0
[ 184.116541][ T3832] ra_info: 8, 3, 4, 00000000b572965a
[ 184.116549][ T3832] i: 1, pte: 000000007c91cc64, faddr: 0
[ 184.116556][ T3832] ra_info: 8, 3, 4, 00000000b572965a
[ 184.116563][ T3832] i: 2, pte: 0000000024f944e4, faddr: 0
[ 184.118541][ T3997] i: 0, pte: 00000000d40684b7, faddr: 0
[ 184.118552][ T3997] ra_info: 8, 3, 4, 00000000d40684b7
[ 184.123956][ T3839] do_el0_svc+0x124/0x228
[ 184.123970][ T3839] el0_sync_handler+0x260/0x410
[ 184.123988][ T3839] el0_sync+0x140/0x180
[ 184.129119][ T3997] i: 1, pte: 0000000035d81ad0, faddr: 0
[ 184.134523][ T3839] The buggy address belongs to the object at ffff008919f1fd28
[ 184.134523][ T3839] which belongs to the cache kmemleak_object of size 368
[ 184.134535][ T3839] The buggy address is located 336 bytes to the right of
[ 184.134535][ T3839] 368-byte region [ffff008919f1fd28, ffff008919f1fe98)
[ 184.134542][ T3839] The buggy address belongs to the page:
[ 184.139678][ T3997] ra_info: 8, 3, 4, 00000000d40684b7
[ 184.142537][ T3814] ra_info: 8, 3, 4, 000000005be43c1f
[ 184.142548][ T3814] i: 0, pte: 000000005be43c1f, faddr: 0
[ 184.142555][ T3814] ra_info: 8, 3, 4, 000000005be43c1f
[ 184.142563][ T3814] i: 1, pte: 00000000f65153b4, faddr: 0
[ 184.142570][ T3814] ra_info: 8, 3, 4, 000000005be43c1f
[ 184.142577][ T3814] i: 2, pte: 0000000057432c18, faddr: 0
[ 184.145074][ T3839] page:00000000ab369b24 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8999f1
[ 184.145085][ T3839] flags: 0x7ffff800000200(slab)
[ 184.145097][ T3839] raw: 007ffff800000200 ffffffe0222685c8 ffffffe022268848 ffff000000322480
[ 184.145107][ T3839] raw: 0000000000000000 00000000005b005b 00000001ffffffff 0000000000000000
[ 184.145117][ T3839] page dumped because: kasan: bad access detected
[ 184.150249][ T3997] i: 2, pte: 0000000073c2aff0, faddr: 0
[ 184.154339][ T3839] Memory state around the buggy address:
[ 184.154347][ T3839] ffff008919f1fe80: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 184.154353][ T3839] ffff008919f1ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 184.154359][ T3839] >ffff008919f1ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 184.154366][ T3839] ^
[ 184.171894][ T3831] ra_info: 8, 3, 4, 00000000cf472abe
[ 184.173847][ T3839] ffff008919f20000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 184.178980][ T3831] i: 0, pte: 00000000cf472abe, faddr: 0
[ 184.184366][ T3839] ffff008919f20080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 184.184370][ T3839] ==================================================================
[ 184.184374][ T3839] Disabling lock debugging due to kernel taint
[ 184.184407][ T3839] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 184.184415][ T3839] ra_info: 8, 3, 4, 0000000085efad17
[ 184.184420][ T3839] i: 1, pte: 00000000e75f3a33, faddr: 0
[ 184.184425][ T3839] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 184.184445][ T3839] ra_info: 8, 3, 4, 0000000085efad17
[ 184.189580][ T3831] ra_info: 8, 3, 4, 00000000cf472abe
[ 184.194979][ T3839] i: 2, pte: 0000000076a382e8, faddr: 0
[ 184.194985][ T3839] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 184.211498][ T3749] ra_info: 8, 3, 4, 000000001c9e06b8
[ 184.216321][ T3831] i: 1, pte: 00000000d0a5b31e, faddr: 0
[ 184.220485][ T3749] i: 0, pte: 000000001c9e06b8, faddr: 0
[ 184.220499][ T3749] ra_info: 8, 3, 4, 000000001c9e06b8
[ 184.225255][ T3831] ra_info: 8, 3, 4, 00000000cf472abe
[ 184.229226][ T3749] i: 1, pte: 000000003db42685, faddr: 0
[ 184.229238][ T3749] ra_info: 8, 3, 4, 000000001c9e06b8
[ 184.234658][ T3831] i: 2, pte: 000000002ff7eea4, faddr: 0
[ 184.248902][ T3749] i: 2, pte: 00000000f6f36e76, faddr: 0
[ 184.278122][ T3946] ra_info: 8, 3, 4, 0000000084aa2721
[ 184.279536][ T3720] trinity-c9 (3720) used greatest stack depth: 19440 bytes left
[ 184.283740][ T3946] i: 0, pte: 0000000084aa2721, faddr: 0
[ 184.283746][ T3946] ra_info: 8, 3, 4, 0000000084aa2721
[ 184.283751][ T3946] i: 1, pte: 00000000baf34b7a, faddr: 0
[ 184.283757][ T3946] ra_info: 8, 3, 4, 0000000084aa2721
[ 184.283762][ T3946] i: 2, pte: 0000000097da2f82, faddr: 0
[ 184.311719][ T3789] ra_info: 8, 3, 4, 00000000642615f8
[ 184.346297][ T3846] ra_info: 8, 3, 4, 00000000bfc701b4
[ 184.348700][ T3789] i: 0, pte: 00000000642615f8, faddr: 0
[ 184.357498][ T3846] i: 0, pte: 00000000bfc701b4, faddr: 0
[ 184.362168][ T3789] ra_info: 8, 3, 4, 00000000642615f8
[ 184.370076][ T3846] ra_info: 8, 3, 4, 00000000bfc701b4
[ 184.377998][ T3789] i: 1, pte: 000000002e399dd1, faddr: 0
[ 184.378008][ T3789] ra_info: 8, 3, 4, 00000000642615f8
[ 184.385317][ T3846] i: 1, pte: 000000002f17c4d4, faddr: 0
[ 184.385324][ T3846] ra_info: 8, 3, 4, 00000000bfc701b4
[ 184.390452][ T3789] i: 2, pte: 000000006b9fd0f4, faddr: 0
[ 184.398368][ T3846] i: 2, pte: 00000000b6695126, faddr: 0
>
> > From b6cad43ad3cf63d73e539e3eaadd4ec9d2744dc6 Mon Sep 17 00:00:00 2001
> > From: Huang Ying <[email protected]>
> > Date: Fri, 10 Jul 2020 17:27:45 +0800
> > Subject: [PATCH] dbg: Fix a logic hole in swap_ra_info()
> >
> > ---
> > mm/swap_state.c | 5 ++---
> > 1 file changed, 2 insertions(+), 3 deletions(-)
> >
> > diff --git a/mm/swap_state.c b/mm/swap_state.c
> > index 05889e8e3c97..8481c15829b2 100644
> > --- a/mm/swap_state.c
> > +++ b/mm/swap_state.c
> > @@ -669,12 +669,11 @@ static void swap_ra_info(struct vm_fault *vmf,
> > pte_t *tpte;
> > #endif
> >
> > + ra_info->win = 1;
> > max_win = 1 << min_t(unsigned int, READ_ONCE(page_cluster),
> > SWAP_RA_ORDER_CEILING);
> > - if (max_win == 1) {
> > - ra_info->win = 1;
> > + if (max_win == 1)
> > return;
> > - }
> >
> > faddr = vmf->address;
> > orig_pte = pte = pte_offset_map(vmf->pmd, faddr);
> > --
> > 2.27.0
> >
>
> From 3ca7a9ba58541d8692d3f83cbded2ad17be23359 Mon Sep 17 00:00:00 2001
> From: Huang Ying <[email protected]>
> Date: Mon, 20 Jul 2020 11:29:38 +0800
> Subject: [PATCH] dbg: dump upon abnormal pte values
>
> ---
> mm/swap_state.c | 11 +++++++++++
> 1 file changed, 11 insertions(+)
>
> diff --git a/mm/swap_state.c b/mm/swap_state.c
> index 05889e8e3c97..c1973136d035 100644
> --- a/mm/swap_state.c
> +++ b/mm/swap_state.c
> @@ -756,6 +756,17 @@ static struct page *swap_vma_readahead(swp_entry_t fentry, gfp_t gfp_mask,
> blk_start_plug(&plug);
> for (i = 0, pte = ra_info.ptes; i < ra_info.nr_pte;
> i++, pte++) {
> + pte_t *tpte = pte_offset_map(vmf->pmd, vmf->address);
> +
> + if (((unsigned long)pte >> PAGE_SHIFT) !=
> + ((unsigned long)tpte >> PAGE_SHIFT)) {
> + pr_info("ra_info: %d, %d, %d, %p\n",
> + ra_info.win, ra_info.offset, ra_info.nr_pte,
> + ra_info.ptes);
> + pr_info("i: %d, pte: %p, faddr: %lx\n", i, pte,
> + vmf->address);
> + }
> + pte_unmap(tpte);
> pentry = *pte;
> if (pte_none(pentry))
> continue;
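Review bot: both pr_info() calls print the PTE pointers with `%p`, which the kernel hashes, so the resulting log cannot show how far `pte` has drifted from `tpte` or whether `ra_info.ptes` really starts in the same page-table page; for a throwaway debug patch use `%px` here and print `tpte` alongside `pte` so the raw addresses can be lined up against the KASAN report's faulting address. Also, `pte_offset_map(vmf->pmd, vmf->address)` and the matching `pte_unmap(tpte)` run on every iteration of the readahead loop even though both arguments are loop-invariant; map `tpte` once before `blk_start_plug(&plug)`, keep only the `>> PAGE_SHIFT` comparison inside the loop, and unmap after it.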
> --
> 2.27.0
>
Qian Cai <[email protected]> writes:
> On Mon, Jul 20, 2020 at 03:32:59AM +0000, Huang, Ying wrote:
>> Thanks! Can you try the dbg patch attached? That will print more debugging information when an abnormal PTE pointer is detected.
>
> Here with both of your patches applied,
>
> [ 183.627876][ T3959] ra_info: 8, 3, 4, 00000000aabe3209
> [ 183.633160][ T3959] i: 0, pte: 00000000aabe3209, faddr: 0
> [ 183.638574][ T3959] ra_info: 8, 3, 4, 00000000aabe3209
> [ 183.643787][ T3959] i: 1, pte: 0000000006e61f24, faddr: 0
> [ 183.649189][ T3959] ra_info: 8, 3, 4, 00000000aabe3209
> [ 183.654371][ T3959] i: 2, pte: 00000000ce16a68e, faddr: 0
> [ 183.851372][ T3839] ra_info: 8, 3, 4, 0000000085efad17
> [ 183.856550][ T3839] i: 0, pte: 0000000085efad17, faddr: 0
> [ 183.862503][ T3839] ==================================================================
> [ 183.870563][ T3839] BUG: KASAN: slab-out-of-bounds in swapin_readahead+0x840/0xd60
> [ 183.878147][ T3839] Read of size 8 at addr ffff008919f1ffe8 by task trinity-c128/3839
> [ 183.886001][ T3839] CPU: 9 PID: 3839 Comm: trinity-c128 Not tainted 5.8.0-rc5-next-20200717+ #2
> [ 183.894710][ T3839] Hardware name: HPE Apollo 70 /C01_APACHE_MB , BIOS L50_5.13_1.11 06/18/2019
> [ 183.905157][ T3839] Call trace:
> [ 183.908314][ T3839] dump_backtrace+0x0/0x398
> [ 183.912680][ T3839] show_stack+0x14/0x20
> [ 183.916704][ T3839] dump_stack+0x140/0x1c8
> [ 183.920910][ T3839] print_address_description.constprop.10+0x54/0x550
> [ 183.927454][ T3839] kasan_report+0x134/0x1b8
> [ 183.931833][ T3839] __asan_report_load8_noabort+0x2c/0x50
> [ 183.937334][ T3839] swapin_readahead+0x840/0xd60
> [ 183.942049][ T3839] do_swap_page+0xb1c/0x1a78
> [ 183.946508][ T3839] handle_mm_fault+0xfd0/0x2c50
> [ 183.948789][ T3754] ra_info: 8, 3, 4, 00000000d0b6ebd5
> [ 183.951229][ T3839] do_page_fault+0x230/0x818
> [ 183.956402][ T3754] i: 0, pte: 00000000d0b6ebd5, faddr: 0
> [ 183.960896][ T3839] do_translation_fault+0x90/0xb0
> [ 183.966330][ T3754] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
> [ 183.971172][ T3839] do_mem_abort+0x64/0x180
> [ 183.971192][ T3839] el0_sync_handler+0x2a0/0x410
> [ 183.971207][ T3839] el0_sync+0x140/0x180
> [ 183.977984][ T3754] ra_info: 8, 3, 4, 00000000d0b6ebd5
> [ 183.977997][ T3754] i: 1, pte: 00000000530a7b17, faddr: 0
> [ 183.982278][ T3839] Allocated by task 3699:
> [ 183.982296][ T3839] kasan_save_stack+0x24/0x50
> [ 183.982310][ T3839] __kasan_kmalloc.isra.10+0xc4/0xe0
> [ 183.987003][ T3754] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
> [ 183.987019][ T3754] ra_info: 8, 3, 4, 00000000d0b6ebd5
> [ 183.991033][ T3839] kasan_slab_alloc+0x14/0x20
> [ 183.991048][ T3839] slab_post_alloc_hook+0x58/0x5d0
> [ 183.991064][ T3839] kmem_cache_alloc+0x19c/0x448
> [ 183.996185][ T3754] i: 2, pte: 00000000031f0751, faddr: 0
> [ 183.996200][ T3754] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
> [ 184.001617][ T3839] create_object+0x58/0x960
> [ 184.001639][ T3839] kmemleak_alloc+0x2c/0x38
> [ 184.001657][ T3839] slab_post_alloc_hook+0x78/0x5d0
> [ 184.025674][ T3830] ra_info: 8, 3, 4, 00000000d77f2b57
> [ 184.027442][ T3839] kmem_cache_alloc+0x19c/0x448
> [ 184.032002][ T3830] i: 0, pte: 0026 (3737) used g 184.047047][ T193][ T3839] co T3932] i: 0, pt59417][ T3932] i: 1, pte: 00000000e38ee039, faddr: 0
> [ 184.059424][ T3932] ra_info: 8, 3, 4, 000000004ae69ce9
> [ 184.059431][ T3932] i: 2, pte: 0000000035544c25, faddr: 0
> [ 184.062563][ T3830] ra_info: 8, 3, 4, 00000000d77f2b57
> [ 184.067511][ T3839] _do_fork+0x128/0x11f8
> [ 184.072663][ T3830] i: 2, pte: 000000002f241b20, faddr: 0
> [ 184.077369][ T3839] __do_sys_clone+0xac/0xd8
> [ 184.110993][ T3997] ra_info: 8, 3, 4, 00000000d40684b7
> [ 184.113421][ T3839] __arm64_sys_clone+0xa0/0xf8
This appears to run on ARM64. Can you help to try this on x86? I'm
not familiar with ARM.
Best Regards,
Huang, Ying
> [ 184.116524][ T3832] ra_info: 8, 3, 4, 00000000b572965a
> [ 184.116534][ T3832] i: 0, pte: 00000000b572965a, faddr: 0
> [ 184.116541][ T3832] ra_info: 8, 3, 4, 00000000b572965a
> [ 184.116549][ T3832] i: 1, pte: 000000007c91cc64, faddr: 0
> [ 184.116556][ T3832] ra_info: 8, 3, 4, 00000000b572965a
> [ 184.116563][ T3832] i: 2, pte: 0000000024f944e4, faddr: 0
> [ 184.118541][ T3997] i: 0, pte: 00000000d40684b7, faddr: 0
> [ 184.118552][ T3997] ra_info: 8, 3, 4, 00000000d40684b7
> [ 184.123956][ T3839] do_el0_svc+0x124/0x228
> [ 184.123970][ T3839] el0_sync_handler+0x260/0x410
> [ 184.123988][ T3839] el0_sync+0x140/0x180
> [ 184.129119][ T3997] i: 1, pte: 0000000035d81ad0, faddr: 0
> [ 184.134523][ T3839] The buggy address belongs to the object at ffff008919f1fd28
> [ 184.134523][ T3839] which belongs to the cache kmemleak_object of size 368
> [ 184.134535][ T3839] The buggy address is located 336 bytes to the right of
> [ 184.134535][ T3839] 368-byte region [ffff008919f1fd28, ffff008919f1fe98)
> [ 184.134542][ T3839] The buggy address belongs to the page:
> [ 184.139678][ T3997] ra_info: 8, 3, 4, 00000000d40684b7
> [ 184.142537][ T3814] ra_info: 8, 3, 4, 000000005be43c1f
> [ 184.142548][ T3814] i: 0, pte: 000000005be43c1f, faddr: 0
> [ 184.142555][ T3814] ra_info: 8, 3, 4, 000000005be43c1f
> [ 184.142563][ T3814] i: 1, pte: 00000000f65153b4, faddr: 0
> [ 184.142570][ T3814] ra_info: 8, 3, 4, 000000005be43c1f
> [ 184.142577][ T3814] i: 2, pte: 0000000057432c18, faddr: 0
> [ 184.145074][ T3839] page:00000000ab369b24 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8999f1
> [ 184.145085][ T3839] flags: 0x7ffff800000200(slab)
> [ 184.145097][ T3839] raw: 007ffff800000200 ffffffe0222685c8 ffffffe022268848 ffff000000322480
> [ 184.145107][ T3839] raw: 0000000000000000 00000000005b005b 00000001ffffffff 0000000000000000
> [ 184.145117][ T3839] page dumped because: kasan: bad access detected
> [ 184.150249][ T3997] i: 2, pte: 0000000073c2aff0, faddr: 0
> [ 184.154339][ T3839] Memory state around the buggy address:
> [ 184.154347][ T3839] ffff008919f1fe80: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
> [ 184.154353][ T3839] ffff008919f1ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [ 184.154359][ T3839] >ffff008919f1ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [ 184.154366][ T3839] ^
> [ 184.171894][ T3831] ra_info: 8, 3, 4, 00000000cf472abe
> [ 184.173847][ T3839] ffff008919f20000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 184.178980][ T3831] i: 0, pte: 00000000cf472abe, faddr: 0
> [ 184.184366][ T3839] ffff008919f20080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 184.184370][ T3839] ==================================================================
> [ 184.184374][ T3839] Disabling lock debugging due to kernel taint
> [ 184.184407][ T3839] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
> [ 184.184415][ T3839] ra_info: 8, 3, 4, 0000000085efad17
> [ 184.184420][ T3839] i: 1, pte: 00000000e75f3a33, faddr: 0
> [ 184.184425][ T3839] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
> [ 184.184445][ T3839] ra_info: 8, 3, 4, 0000000085efad17
> [ 184.189580][ T3831] ra_info: 8, 3, 4, 00000000cf472abe
> [ 184.194979][ T3839] i: 2, pte: 0000000076a382e8, faddr: 0
> [ 184.194985][ T3839] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
> [ 184.211498][ T3749] ra_info: 8, 3, 4, 000000001c9e06b8
> [ 184.216321][ T3831] i: 1, pte: 00000000d0a5b31e, faddr: 0
> [ 184.220485][ T3749] i: 0, pte: 000000001c9e06b8, faddr: 0
> [ 184.220499][ T3749] ra_info: 8, 3, 4, 000000001c9e06b8
> [ 184.225255][ T3831] ra_info: 8, 3, 4, 00000000cf472abe
> [ 184.229226][ T3749] i: 1, pte: 000000003db42685, faddr: 0
> [ 184.229238][ T3749] ra_info: 8, 3, 4, 000000001c9e06b8
> [ 184.234658][ T3831] i: 2, pte: 000000002ff7eea4, faddr: 0
> [ 184.248902][ T3749] i: 2, pte: 00000000f6f36e76, faddr: 0
> [ 184.278122][ T3946] ra_info: 8, 3, 4, 0000000084aa2721
> [ 184.279536][ T3720] trinity-c9 (3720) used greatest stack depth: 19440 bytes left
> [ 184.283740][ T3946] i: 0, pte: 0000000084aa2721, faddr: 0
> [ 184.283746][ T3946] ra_info: 8, 3, 4, 0000000084aa2721
> [ 184.283751][ T3946] i: 1, pte: 00000000baf34b7a, faddr: 0
> [ 184.283757][ T3946] ra_info: 8, 3, 4, 0000000084aa2721
> [ 184.283762][ T3946] i: 2, pte: 0000000097da2f82, faddr: 0
> [ 184.311719][ T3789] ra_info: 8, 3, 4, 00000000642615f8
> [ 184.346297][ T3846] ra_info: 8, 3, 4, 00000000bfc701b4
> [ 184.348700][ T3789] i: 0, pte: 00000000642615f8, faddr: 0
> [ 184.357498][ T3846] i: 0, pte: 00000000bfc701b4, faddr: 0
> [ 184.362168][ T3789] ra_info: 8, 3, 4, 00000000642615f8
> [ 184.370076][ T3846] ra_info: 8, 3, 4, 00000000bfc701b4
> [ 184.377998][ T3789] i: 1, pte: 000000002e399dd1, faddr: 0
> [ 184.378008][ T3789] ra_info: 8, 3, 4, 00000000642615f8
> [ 184.385317][ T3846] i: 1, pte: 000000002f17c4d4, faddr: 0
> [ 184.385324][ T3846] ra_info: 8, 3, 4, 00000000bfc701b4
> [ 184.390452][ T3789] i: 2, pte: 000000006b9fd0f4, faddr: 0
> [ 184.398368][ T3846] i: 2, pte: 00000000b6695126, faddr: 0
>
>>
>> > From b6cad43ad3cf63d73e539e3eaadd4ec9d2744dc6 Mon Sep 17 00:00:00 2001
>> > From: Huang Ying <[email protected]>
>> > Date: Fri, 10 Jul 2020 17:27:45 +0800
>> > Subject: [PATCH] dbg: Fix a logic hole in swap_ra_info()
>> >
>> > ---
>> > mm/swap_state.c | 5 ++---
>> > 1 file changed, 2 insertions(+), 3 deletions(-)
>> >
>> > diff --git a/mm/swap_state.c b/mm/swap_state.c
>> > index 05889e8e3c97..8481c15829b2 100644
>> > --- a/mm/swap_state.c
>> > +++ b/mm/swap_state.c
>> > @@ -669,12 +669,11 @@ static void swap_ra_info(struct vm_fault *vmf,
>> > pte_t *tpte;
>> > #endif
>> >
>> > + ra_info->win = 1;
>> > max_win = 1 << min_t(unsigned int, READ_ONCE(page_cluster),
>> > SWAP_RA_ORDER_CEILING);
>> > - if (max_win == 1) {
>> > - ra_info->win = 1;
>> > + if (max_win == 1)
>> > return;
>> > - }
>> >
>> > faddr = vmf->address;
>> > orig_pte = pte = pte_offset_map(vmf->pmd, faddr);
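Review bot: the commit message is empty, and the hunk itself only touches the max_win == 1 path, which already set ra_info->win = 1 before returning, so hoisting the assignment above the max_win computation only changes behaviour if some later return in swap_ra_info(), outside this hunk, leaves ra_info->win unset for the caller. Please name that path in the description (which early return, and what the caller does with the stale value) so the change can be reviewed against the readahead loop it is meant to protect rather than taken on faith from a "dbg:" subject line.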
>> > --
>> > 2.27.0
>> >
>>
>
>> From 3ca7a9ba58541d8692d3f83cbded2ad17be23359 Mon Sep 17 00:00:00 2001
>> From: Huang Ying <[email protected]>
>> Date: Mon, 20 Jul 2020 11:29:38 +0800
>> Subject: [PATCH] dbg: dump upon abnormal pte values
>>
>> ---
>> mm/swap_state.c | 11 +++++++++++
>> 1 file changed, 11 insertions(+)
>>
>> diff --git a/mm/swap_state.c b/mm/swap_state.c
>> index 05889e8e3c97..c1973136d035 100644
>> --- a/mm/swap_state.c
>> +++ b/mm/swap_state.c
>> @@ -756,6 +756,17 @@ static struct page *swap_vma_readahead(swp_entry_t fentry, gfp_t gfp_mask,
>> blk_start_plug(&plug);
>> for (i = 0, pte = ra_info.ptes; i < ra_info.nr_pte;
>> i++, pte++) {
>> + pte_t *tpte = pte_offset_map(vmf->pmd, vmf->address);
>> +
>> + if (((unsigned long)pte >> PAGE_SHIFT) !=
>> + ((unsigned long)tpte >> PAGE_SHIFT)) {
>> + pr_info("ra_info: %d, %d, %d, %p\n",
>> + ra_info.win, ra_info.offset, ra_info.nr_pte,
>> + ra_info.ptes);
>> + pr_info("i: %d, pte: %p, faddr: %lx\n", i, pte,
>> + vmf->address);
>> + }
>> + pte_unmap(tpte);
>> pentry = *pte;
>> if (pte_none(pentry))
>> continue;
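Review bot: %p prints hashed pointers, so the ra_info.ptes and pte values this dump emits (the 000000005be43c1f-style numbers in the log above) cannot be compared page by page the way the ">> PAGE_SHIFT" condition does, and the quoted log shows the message firing for every i = 0, 1, 2 of the same fault with no way to tell how far pte has wandered from the faulting PTE. Since this is a debug patch, print both pointers with %px and include tpte in the second pr_info(), and move the pte_offset_map(vmf->pmd, vmf->address) / pte_unmap(tpte) pair out of the loop, because it maps and unmaps the same faulting PTE on every iteration.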
>> --
>> 2.27.0
>>