From: "Aneesh Kumar K.V"
To: Willem de Bruijn, syzbot+1577fbe983d20fe2e88f@syzkaller.appspotmail.com
Cc: David Miller, Eric Dumazet, Alexey Kuznetsov, LKML, Network Development, syzkaller-bugs@googlegroups.com, Hideaki YOSHIFUJI, Andrew Morton, kirill.shutemov@linux.intel.com
Subject: Re: general protection fault in __handle_mm_fault
In-Reply-To:
References: <0000000000009d47b2057782bab4@google.com>
Date: Tue, 09 Oct 2018 14:23:23 +0530
Message-Id: <87va6bwlfg.fsf@linux.ibm.com>
List: linux-kernel@vger.kernel.org

Willem de Bruijn writes:

> On Mon, Oct 8, 2018 at 12:10 PM Willem de Bruijn wrote:
>>
>> On Fri, Oct 5, 2018 at 6:27 PM syzbot wrote:
>> >
>> > Hello,
>> >
>> > syzbot found the following crash on:
>> >
>> > HEAD commit:    25bcda3e8b9f Add linux-next specific files for 20181004
>> > git tree:       linux-next
>> > console output: https://syzkaller.appspot.com/x/log.txt?x=130e3bf1400000
>> > kernel config:  https://syzkaller.appspot.com/x/.config?x=603d7f9140c3368a
>> > dashboard link: https://syzkaller.appspot.com/bug?extid=1577fbe983d20fe2e88f
>> > compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
>> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=127e88d6400000
>> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=13cdb67e400000
>>
>> > RIP: 0010:copy_user_enhanced_fast_string+0xe/0x20 arch/x86/lib/copy_user_64.S:180
>> > Code: 89 d1 c1 e9 03 83 e2 07 f3 48 a5 89 d1 f3 a4 31 c0 0f 1f 00 c3 0f 1f 80 00 00 00 00 0f 1f 00 83 fa 40 0f 82 70 ff ff ff 89 d1 a4 31 c0 0f 1f 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 83
>> > RSP: 0018:ffff8801bbe675b8 EFLAGS: 00010202
>> > RAX: 0000000000000000 RBX: 0000000000007a50 RCX: 0000000000001b40
>> > RDX: 0000000000007a50 RSI: 0000000020077000 RDI: ffff8801ce615f10
>> > RBP: ffff8801bbe675f0 R08: ffffed0039cc2f4a R09: ffffed0039cc2f4a
>> > R10: ffffed0039cc2f49 R11: ffff8801ce617a4f R12: 0000000020078b40
>> > R13: 00000000200710f0 R14: ffff8801ce610000 R15: 00007ffffffff000
>> >  _copy_from_iter_full+0x263/0xc20 lib/iov_iter.c:724
>> >  copy_from_iter_full include/linux/uio.h:124 [inline]
>> >  skb_do_copy_data_nocache include/net/sock.h:1951 [inline]
>> >  skb_copy_to_page_nocache include/net/sock.h:1977 [inline]
>> >  tcp_sendmsg_locked+0x159e/0x3f90 net/ipv4/tcp.c:1338
>>
>> This started on next-20181004. It still happens as of next-20181008.
>>
>> It does not trigger on next 20181003. It does not occur if
>> CONFIG_DEBUG_KOBJECT is disabled.
>
> Bisected to commit e4d0c281a4c9 ("mm/memory.c: recheck page table
> entry with page table lock held").
>
> Verified to not trigger on next-20181008 after reverting that commit.

Can you check with this patch

diff --git a/mm/memory.c b/mm/memory.c
index fa8894c70575..15c417e8e31d 100644
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -3505,14 +3505,17 @@ static vm_fault_t do_fault(struct vm_fault *vmf) * The VMA was not fully populated on mmap() or missing VM_DONTEXPAND */ if (!vma->vm_ops->fault) { - /* - * pmd entries won't be marked none during a R/M/W cycle. + * If we find a migration pmd entry or a none pmd entry, which + * should never happen, return SIGBUS */ - if (unlikely(pmd_none(*vmf->pmd))) + if (unlikely(!pmd_present(*vmf->pmd))) ret = VM_FAULT_SIGBUS; else { - vmf->ptl = pte_lockptr(vmf->vma->vm_mm, vmf->pmd); + vmf->pte = pte_offset_map_lock(vmf->vma->vm_mm, + vmf->pmd, + vmf->address, + &vmf->ptl); /* * Make sure this is not a temporary clearing of pte * by holding ptl and checking again. A R/M/W update @@ -3520,12 +3523,12 @@ static vm_fault_t do_fault(struct vm_fault *vmf) * we don't have concurrent modification by hardware * followed by an update. */ - spin_lock(vmf->ptl); if (unlikely(pte_none(*vmf->pte))) ret = VM_FAULT_SIGBUS; else ret = VM_FAULT_NOPAGE; - spin_unlock(vmf->ptl); + + pte_unmap_unlock(vmf->pte, vmf->ptl); } } else if (!(vmf->flags & FAULT_FLAG_WRITE)) ret = do_read_fault(vmf);
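Review bot: The real defect the first hunk fixes should be spelled out in the commit message: the removed line `vmf->ptl = pte_lockptr(vmf->vma->vm_mm, vmf->pmd);` only computed the lock pointer and never assigned `vmf->pte`, yet the unchanged line `if (unlikely(pte_none(*vmf->pte)))` in the second hunk dereferences it, which matches the general protection fault reported in `__handle_mm_fault`. Replacing it with `vmf->pte = pte_offset_map_lock(vmf->vma->vm_mm, vmf->pmd, vmf->address, &vmf->ptl);` maps the pte and takes ptl in one step, so the recheck reads a valid pointer. The accompanying change from `pmd_none(*vmf->pmd)` to `!pmd_present(*vmf->pmd)` widens the SIGBUS path to migration pmd entries as the new comment says; since `pte_offset_map_lock()` walks the pmd, that wider check is what keeps it from being called on a non-present pmd, and that dependency is worth a sentence in the changelog.

Review bot: In the second hunk, dropping `spin_lock(vmf->ptl);` and `spin_unlock(vmf->ptl);` in favour of a single `pte_unmap_unlock(vmf->pte, vmf->ptl);` is only correct because the previous hunk now acquires ptl inside `pte_offset_map_lock()`; both the `VM_FAULT_SIGBUS` and `VM_FAULT_NOPAGE` branches fall through to that unmap/unlock, so the pte mapping and the lock are released on every path out of the `else` block, which is required on configurations where pte pages are kmapped (CONFIG_HIGHPTE). Nothing after `pte_unmap_unlock()` may touch `*vmf->pte`; a short comment there, or in the changelog, would stop a later change from reintroducing the unmapped dereference.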