From: Vegard Nossum
Date: Mon, 24 Jan 2022 18:59:43 +0100
Subject: Re: kernel BUG at mm/vmalloc.c:LINE! (2)
To: Dmitry Vyukov
Cc: syzbot, Andrew Morton, andrii@kernel.org, Alexei Starovoitov, Björn Töpel, Borislav Petkov, bpf, Daniel Borkmann, Dave Hansen, David Miller, Jesper Dangaard Brouer, "H. Peter Anvin", John Fastabend, jonathan.lemon@gmail.com, Martin KaFai Lau, KP Singh, Jakub Kicinski, LKML, Linux-MM, Andy Lutomirski, "Karlsson, Magnus", marekx.majtyka@intel.com, Ingo Molnar, netdev, Peter Zijlstra, Song Liu, syzkaller-bugs, Thomas Gleixner, "the arch/x86 maintainers", Yonghong Song
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, 11 Jan 2021 at 10:16, Dmitry Vyukov wrote:
>
> On Sun, Jan 10, 2021 at 10:34 PM syzbot wrote:
> >
> > syzbot suspects this issue was fixed by commit:
> >
> > commit 537cf4e3cc2f6cc9088dcd6162de573f603adc29
> > Author: Magnus Karlsson
> > Date: Fri Nov 20 11:53:39 2020 +0000
> >
> >     xsk: Fix umem cleanup bug at socket destruct
> >
> > bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=139f3dfb500000
> > start commit: e87d24fc Merge branch 'net-iucv-fixes-2020-11-09'
> > git tree: net
> > kernel config: https://syzkaller.appspot.com/x/.config?x=61033507391c77ff
> > dashboard link: https://syzkaller.appspot.com/bug?extid=5f326d255ca648131f87
> > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10d10006500000
> > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=126c9eaa500000
> >
> > If the result looks correct, please mark the issue as fixed by replying with:
> >
> > #syz fix: xsk: Fix umem cleanup bug at socket destruct
> >
> > For information about bisection process see: https://goo.gl/tpsmEJ#bisection
>
> FTR, the bisection log looks clean, but this does not look like the
> fix for this. The reproducer does not destroy sockets.

I think it's the correct fix.

The crash report also has this, which shows the reproducer does
actually destroy sockets:

 xdp_umem_addr_unmap net/xdp/xdp_umem.c:44 [inline]
 xdp_umem_release net/xdp/xdp_umem.c:62 [inline]
 xdp_put_umem+0x113/0x330 net/xdp/xdp_umem.c:80
 xsk_destruct net/xdp/xsk.c:1150 [inline]
 xsk_destruct+0xc0/0xf0 net/xdp/xsk.c:1142
 __sk_destruct+0x4b/0x8f0 net/core/sock.c:1759
 rcu_do_batch kernel/rcu/tree.c:2476 [inline]

I've tested the reproducer on both 537cf4e3cc2f and 537cf4e3cc2f^ and
it only reproduces on 537cf4e3cc2f^ here (with the same stack trace as
the syzbot report). The repro I used was
https://syzkaller.appspot.com/text?tag=ReproSyz&x=10d10006500000 which
is just:

r0 = socket$xdp(0x2c, 0x3, 0x0)
setsockopt$XDP_UMEM_REG(r0, 0x11b, 0x4, &(0x7f0000000040)={&(0x7f0000000000)=""/2, 0x1000000, 0x1000}, 0x20)

so the socket definitely gets created/destroyed.

Feel free to undo if you disagree:

#syz fix: xsk: Fix umem cleanup bug at socket destruct

Vegard
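
Added example, not part of the original message: a small Python parser for the symbolized frames quoted above. It folds each `[inline]` entry into the real frame that follows it and checks that `xdp_umem_addr_unmap` is reached from socket teardown. The helper names (`parse_trace`, `fold_inlines`, `on_socket_destroy_path`) are illustrative assumptions.

```python
import re

# Frames copied from the trace quoted in the message above.
TRACE = """\
xdp_umem_addr_unmap net/xdp/xdp_umem.c:44 [inline]
xdp_umem_release net/xdp/xdp_umem.c:62 [inline]
xdp_put_umem+0x113/0x330 net/xdp/xdp_umem.c:80
xsk_destruct net/xdp/xsk.c:1150 [inline]
xsk_destruct+0xc0/0xf0 net/xdp/xsk.c:1142
__sk_destruct+0x4b/0x8f0 net/core/sock.c:1759
rcu_do_batch kernel/rcu/tree.c:2476 [inline]
"""

# Optional +0xoff/0xsize marks a real frame; "[inline]" marks an inlined one.
FRAME = re.compile(
    r"^\s*(?P<func>[\w.]+)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?\s+"
    r"(?P<file>\S+):(?P<line>\d+)(?P<inline>\s+\[inline\])?\s*$"
)

def parse_trace(text):
    """Return frames innermost-first as dicts; unparseable lines are skipped."""
    frames = []
    for raw in text.splitlines():
        m = FRAME.match(raw)
        if m:
            frames.append({"func": m["func"], "file": m["file"],
                           "line": int(m["line"]), "inline": bool(m["inline"])})
    return frames

def fold_inlines(frames):
    """Attach each run of [inline] frames to the real frame that follows it."""
    folded, pending = [], []
    for f in frames:
        if f["inline"]:
            pending.append(f["func"])
        else:
            folded.append((f["func"], pending))
            pending = []
    if pending:  # trace was cut before the enclosing real frame
        folded.append((None, pending))
    return folded

def on_socket_destroy_path(frames, teardown=("xsk_destruct", "__sk_destruct")):
    """True if xdp_umem_addr_unmap has a socket-teardown function as a caller."""
    funcs = [f["func"] for f in frames]
    if "xdp_umem_addr_unmap" not in funcs:
        return False
    start = funcs.index("xdp_umem_addr_unmap")
    return any(t in funcs[start + 1:] for t in teardown)
```
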