2021-09-06 06:32:40

by Hao Sun

Subject: kernel BUG in truncate_inode_page

Hello,

When using Healer to fuzz the latest Linux kernel, the following crash
was triggered.

HEAD commit: 9e9fb7655ed58 Merge tag 'net-next-5.15'
git tree: upstream
console output:
https://drive.google.com/file/d/1_eEgvafiNcZHqHlmjIy4d420gQTvkf3r/view?usp=sharing
kernel config: https://drive.google.com/file/d/1zgxbwaYkrM26KEmJ-5sUZX57gfXtRrwA/view?usp=sharing
C reproducer: https://drive.google.com/file/d/1ZLAhA14JN9prY7Fei_WWnuhNXCg8AM8C/view?usp=sharing
Syzlang reproducer:
https://drive.google.com/file/d/1TejG8gPgiAkJsKBlwFdHIADKXDK-H6j8/view?usp=sharing

If you fix this issue, please add the following tag to the commit:
Reported-by: Hao Sun <[email protected]>

page:ffffea0004730040 refcount:514 mapcount:1 mapping:ffff88800d7d13e8
index:0x1 pfn:0x11cc01
head:ffffea0004730000 order:9 compound_mapcount:1 compound_pincount:0
memcg:ffff888009ba2000
aops:def_blk_aops ino:fa00000
flags: 0x57ff0000001001f(locked|referenced|uptodate|dirty|lru|head|node=1|zone=2|lastcpupid=0x7ff)
raw: 057ff00000000000 ffffea0004730001 0000000000000903 dead000000000200
raw: 0000000000000100 0000000000000000 0000000000000000 0000000000000000
head: 057ff0000001001f ffffea00044edec8 ffffea00044c2708 ffff88800d7d13e8
head: 0000000000000000 0000000000000000 0000020200000000 ffff888009ba2000
page dumped because: VM_BUG_ON_PAGE(PageTail(page))
page_owner tracks the page as allocated
page last allocated via order 9, migratetype Movable, gfp_mask
0x13c24ca(GFP_TRANSHUGE|__GFP_THISNODE), pid 1665, ts 469126509176,
free_ts 440578020808
prep_new_page+0x16/0x50 mm/page_alloc.c:2436
get_page_from_freelist+0x64d/0x29a0 mm/page_alloc.c:4168
__alloc_pages+0xde/0x2a0 mm/page_alloc.c:5390
__alloc_pages_node include/linux/gfp.h:570 [inline]
khugepaged_alloc_page+0x4e/0xc0 mm/khugepaged.c:881
collapse_file+0x124/0x2110 mm/khugepaged.c:1655
khugepaged_scan_file mm/khugepaged.c:2051 [inline]
khugepaged_scan_mm_slot mm/khugepaged.c:2146 [inline]
khugepaged_do_scan mm/khugepaged.c:2230 [inline]
khugepaged+0x1f8a/0x3540 mm/khugepaged.c:2275
kthread+0x178/0x1b0 kernel/kthread.c:319
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1346 [inline]
free_pcp_prepare+0x1d7/0x480 mm/page_alloc.c:1397
free_unref_page_prepare mm/page_alloc.c:3332 [inline]
free_unref_page+0x19/0x1c0 mm/page_alloc.c:3411
release_pages+0x212/0x1130 mm/swap.c:948
tlb_batch_pages_flush mm/mmu_gather.c:49 [inline]
tlb_flush_mmu_free mm/mmu_gather.c:242 [inline]
tlb_flush_mmu+0x60/0x1e0 mm/mmu_gather.c:249
zap_pte_range mm/memory.c:1432 [inline]
zap_pmd_range mm/memory.c:1481 [inline]
zap_pud_range mm/memory.c:1510 [inline]
zap_p4d_range mm/memory.c:1531 [inline]
unmap_page_range+0xea6/0x15c0 mm/memory.c:1552
unmap_single_vma+0xae/0x140 mm/memory.c:1597
unmap_vmas+0xed/0x190 mm/memory.c:1629
exit_mmap+0xc9/0x2a0 mm/mmap.c:3195
__mmput kernel/fork.c:1103 [inline]
mmput+0x8a/0x1a0 kernel/fork.c:1124
exit_mm kernel/exit.c:501 [inline]
do_exit+0x462/0x11c0 kernel/exit.c:812
do_group_exit+0x57/0xe0 kernel/exit.c:922
get_signal+0x1d0/0x10b0 kernel/signal.c:2823
arch_do_signal_or_restart+0xa9/0x860 arch/x86/kernel/signal.c:865
handle_signal_work kernel/entry/common.c:148 [inline]
exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
exit_to_user_mode_prepare+0xf2/0x280 kernel/entry/common.c:209
__syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline]
syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:302
do_syscall_64+0x40/0xb0 arch/x86/entry/common.c:86
------------[ cut here ]------------
kernel BUG at mm/truncate.c:213!
invalid opcode: 0000 [#1] PREEMPT SMP
CPU: 1 PID: 27281 Comm: syz-executor Not tainted 5.14.0+ #12
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
RIP: 0010:truncate_inode_page+0x5a/0x70 mm/truncate.c:213
Code: ff ff 48 89 ef e8 56 9e fd ff e8 71 2d f0 ff 89 d8 5b 5d 41 5c
c3 e8 65 2d f0 ff 48 c7 c6 20 19 2d 85 48 89 ef e8 f6 f7 03 00 <0f> 0b
bb fb ff ff ff eb d7 0f 1f 00 66 2e 0f 1f 84 00 00 00 00 00
RSP: 0018:ffffc9000361fc88 EFLAGS: 00010246
RAX: 0000000000040000 RBX: 0000000000000001 RCX: ffffc90001356000
RDX: 0000000000040000 RSI: ffffffff8147479a RDI: 00000000ffffffff
RBP: ffffea0004730040 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000001 R11: 637379735f6f6420 R12: ffff88800d7d13e8
R13: ffffc9000361fd48 R14: 0000000000000001 R15: ffffc9000361fcd0
FS: 00007f3c4f6a0700(0000) GS:ffff88813dc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000204001ff CR3: 000000010f099000 CR4: 0000000000750ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
truncate_inode_pages_range+0x3b9/0xc30 mm/truncate.c:397
truncate_bdev_range+0x87/0xd0 fs/block_dev.c:125
blk_ioctl_zeroout block/ioctl.c:173 [inline]
blkdev_common_ioctl+0x2c3/0xad0 block/ioctl.c:472
blkdev_ioctl+0x2c2/0x370 block/ioctl.c:583
block_ioctl+0x55/0x70 fs/block_dev.c:1421
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:874 [inline]
__se_sys_ioctl fs/ioctl.c:860 [inline]
__x64_sys_ioctl+0xb6/0x100 fs/ioctl.c:860
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x34/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x46a9a9
Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f3c4f69fc58 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 000000000078c210 RCX: 000000000046a9a9
RDX: 00000000200003c0 RSI: 000000000000127f RDI: 0000000000000004
RBP: 00000000004e4042 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000078c210
R13: 0000000000000000 R14: 000000000078c210 R15: 00007fff7770d6e0
Modules linked in:
Dumping ftrace buffer:
(ftrace buffer empty)
---[ end trace 4d3d97b8450ac449 ]---
RIP: 0010:truncate_inode_page+0x5a/0x70 mm/truncate.c:213
Code: ff ff 48 89 ef e8 56 9e fd ff e8 71 2d f0 ff 89 d8 5b 5d 41 5c
c3 e8 65 2d f0 ff 48 c7 c6 20 19 2d 85 48 89 ef e8 f6 f7 03 00 <0f> 0b
bb fb ff ff ff eb d7 0f 1f 00 66 2e 0f 1f 84 00 00 00 00 00
RSP: 0018:ffffc9000361fc88 EFLAGS: 00010246
RAX: 0000000000040000 RBX: 0000000000000001 RCX: ffffc90001356000
RDX: 0000000000040000 RSI: ffffffff8147479a RDI: 00000000ffffffff
RBP: ffffea0004730040 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000001 R11: 637379735f6f6420 R12: ffff88800d7d13e8
R13: ffffc9000361fd48 R14: 0000000000000001 R15: ffffc9000361fcd0
FS: 00007f3c4f6a0700(0000) GS:ffff88813dc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000204001ff CR3: 000000010f099000 CR4: 0000000000750ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554


2021-09-06 12:09:33

by Matthew Wilcox

Subject: Re: kernel BUG in truncate_inode_page

This is a bug in CONFIG_READ_ONLY_THP_FOR_FS.

We can see the order-9 page was allocated by khugepaged.
It belongs to a block device, so there's no knowledge of THPs in
the "filesystem".

I'm on holiday, so no patch from me. Somebody needs to figure out
where the page should have been split -- was this ioctl issued through
a read-only fd, perhaps?

On Mon, Sep 06, 2021 at 02:15:12PM +0800, Hao Sun wrote:
> Hello,
>
> When using Healer to fuzz the latest Linux kernel, the following crash
> was triggered.
>
> HEAD commit: 9e9fb7655ed58 Merge tag 'net-next-5.15'
> git tree: upstream
> console output:
> https://drive.google.com/file/d/1_eEgvafiNcZHqHlmjIy4d420gQTvkf3r/view?usp=sharing
> kernel config: https://drive.google.com/file/d/1zgxbwaYkrM26KEmJ-5sUZX57gfXtRrwA/view?usp=sharing
> C reproducer: https://drive.google.com/file/d/1ZLAhA14JN9prY7Fei_WWnuhNXCg8AM8C/view?usp=sharing
> Syzlang reproducer:
> https://drive.google.com/file/d/1TejG8gPgiAkJsKBlwFdHIADKXDK-H6j8/view?usp=sharing
>
> If you fix this issue, please add the following tag to the commit:
> Reported-by: Hao Sun <[email protected]>
>
> [...]
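The reasoning in the two messages above (a tail page reaching truncate_inode_page(), an order-9 page sitting in a block device's page cache) can be read straight off the dump_page() block in the report. The following Python is an added example, not code from the report, the kernel or either poster: it parses a sample dump constructed from the one in this thread and derives those facts mechanically. It assumes a 64-byte struct page and 4 KiB base pages (x86-64); the key lists and the `analyse()` findings are this example's own.

```python
"""Decode the dump_page() block of a kernel crash report.

Added example (not the report's or the kernel's code). Derives from the dump:
  - whether the dumped struct page is a tail of a compound page, and which tail
  - the compound order and byte size
  - whether the owning address_space is the block-device one (def_blk_aops)
"""
import re

SIZEOF_STRUCT_PAGE = 64   # assumption: 64-byte struct page on x86-64
PAGE_SHIFT = 12           # assumption: 4 KiB base pages

# Constructed sample, shaped like the dump in the report above.
SAMPLE_DUMP = """\
page:ffffea0004730040 refcount:514 mapcount:1 mapping:ffff88800d7d13e8
index:0x1 pfn:0x11cc01
head:ffffea0004730000 order:9 compound_mapcount:1 compound_pincount:0
memcg:ffff888009ba2000
aops:def_blk_aops ino:fa00000
flags: 0x57ff0000001001f(locked|referenced|uptodate|dirty|lru|head|node=1|zone=2|lastcpupid=0x7ff)
raw: 057ff00000000000 ffffea0004730001 0000000000000903 dead000000000200
raw: 0000000000000100 0000000000000000 0000000000000000 0000000000000000
head: 057ff0000001001f ffffea00044edec8 ffffea00044c2708 ffff88800d7d13e8
head: 0000000000000000 0000000000000000 0000020200000000 ffff888009ba2000
page dumped because: VM_BUG_ON_PAGE(PageTail(page))
"""

# Fields __dump_page() prints in hex versus decimal (example's own tables).
HEX_KEYS = {"page", "mapping", "head", "memcg", "ino", "index", "pfn"}
DEC_KEYS = {"refcount", "mapcount", "order", "compound_mapcount", "compound_pincount"}
FLAGS_RE = re.compile(r"flags:\s*(0x[0-9a-fA-F]+)\((.*)\)")


def parse_dump_page(text):
    """Return a dict of key:value fields, the flag names and the BUG reason."""
    info = {}
    for line in text.splitlines():
        line = line.strip()
        # "raw:" / "head: " lines are the raw struct page words; not needed here.
        if not line or line.startswith(("raw:", "head: ")):
            continue
        if line.startswith("page dumped because:"):
            info["reason"] = line.split(":", 1)[1].strip()
            continue
        m = FLAGS_RE.match(line)
        if m:
            info["flags"] = int(m.group(1), 16)
            info["flag_names"] = m.group(2).split("|")
            continue
        for token in line.split():
            key, _, value = token.partition(":")
            if key in HEX_KEYS:
                info[key] = int(value, 16)
            elif key in DEC_KEYS:
                info[key] = int(value, 10)
            else:
                info[key] = value
    return info


def analyse(info):
    """Derive the facts behind VM_BUG_ON_PAGE(PageTail(page)) from a parsed dump."""
    order = info.get("order", 0)
    nr_pages = 1 << order
    # A tail's struct page follows the head's in the vmemmap array.
    tail_index = (info["page"] - info["head"]) // SIZEOF_STRUCT_PAGE
    # Cross-check: the pfn offset inside the naturally aligned block must agree.
    pfn_offset = info["pfn"] & (nr_pages - 1)
    result = {
        "is_tail": tail_index != 0,
        "tail_index": tail_index,
        "pfn_offset": pfn_offset,
        "consistent": tail_index == pfn_offset,
        "order": order,
        "compound_bytes": nr_pages << PAGE_SHIFT,
        "block_device_cache": info.get("aops") == "def_blk_aops",
        "reason": info.get("reason"),
    }
    findings = []
    if result["is_tail"]:
        findings.append(f"struct page is tail #{tail_index} of an order-{order} "
                        f"compound page ({result['compound_bytes'] >> 20} MiB)")
    if result["block_device_cache"] and order > 0:
        findings.append("block-device page cache (def_blk_aops) holds a compound "
                        "page; truncate_inode_page() expects it to be split first")
    result["findings"] = findings
    return result


if __name__ == "__main__":
    for line in analyse(parse_dump_page(SAMPLE_DUMP))["findings"]:
        print(line)
```

On the sample, the struct page offset (0x40 / 64 = 1) and the pfn offset (0x11cc01 & 0x1ff = 1) agree, so the dump is internally consistent and the page really is the first tail of a 2 MiB compound page owned by def_blk_aops, which is exactly the combination the BUG_ON refuses.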

2021-09-06 13:05:13

by Yu Xu

Subject: Re: kernel BUG in truncate_inode_page

Hi, we also reproduced this bug recently, and have sent out our patch [1].

In addition, another issue related to xfs and file THP is also
fixed [2].

Looking forward to reviews.

[1]https://patchwork.kernel.org/project/linux-mm/patch/[email protected]/
[2]https://patchwork.kernel.org/project/linux-mm/patch/[email protected]/


On 9/6/21 2:15 PM, Hao Sun wrote:
> Hello,
>
> When using Healer to fuzz the latest Linux kernel, the following crash
> was triggered.
>
> HEAD commit: 9e9fb7655ed58 Merge tag 'net-next-5.15'
> git tree: upstream
> console output:
> https://drive.google.com/file/d/1_eEgvafiNcZHqHlmjIy4d420gQTvkf3r/view?usp=sharing
> kernel config: https://drive.google.com/file/d/1zgxbwaYkrM26KEmJ-5sUZX57gfXtRrwA/view?usp=sharing
> C reproducer: https://drive.google.com/file/d/1ZLAhA14JN9prY7Fei_WWnuhNXCg8AM8C/view?usp=sharing
> Syzlang reproducer:
> https://drive.google.com/file/d/1TejG8gPgiAkJsKBlwFdHIADKXDK-H6j8/view?usp=sharing
>
> If you fix this issue, please add the following tag to the commit:
> Reported-by: Hao Sun <[email protected]>
>
> [...]

--
Thanks,
Yu

2021-09-06 18:05:05

by Matthew Wilcox

Subject: Re: kernel BUG in truncate_inode_page

On Mon, Sep 06, 2021 at 08:59:17PM +0800, Yu Xu wrote:
> Hi, we also reproduce such bug recently, and have sent out our patch[1].
>
> In addition, another issue related with xfs and file THP is also
> fixed[2].
>
> Looking forward to reviews.
>
> [1]https://patchwork.kernel.org/project/linux-mm/patch/[email protected]/
> [2]https://patchwork.kernel.org/project/linux-mm/patch/[email protected]/

I had a quick look, and there are some problems with both patches.
I don't have time to do a detailed review; as I said I'm on holiday.
I'll be back in two weeks.