Subject: Re: [syzbot] KASAN: invalid-access Read in copy_page
Date: Wed, 5 Oct 2022 13:38:55 +0100
From: James Morse
To: Andrey Konovalov, Catalin Marinas
Cc: Linux ARM, LKML, syzkaller-bugs, tongtiangen@huawei.com, Vincenzo Frascino, Kefeng Wang, Will Deacon, syzbot, Evgenii Stepanov, Peter Collingbourne, Dmitry Vyukov
Message-ID: <830e8c64-0118-9a2d-5dcf-5cad55425dc2@arm.com>
References: <0000000000004387dc05e5888ae5@google.com>
List: linux-kernel@vger.kernel.org

Hi guys,

On 27/09/2022 17:55, Andrey Konovalov wrote:
> On Tue, Sep 6, 2022 at 6:23 PM Catalin Marinas wrote:
>>
>> On Tue, Sep 06, 2022 at 04:39:57PM +0200, Andrey Konovalov wrote:
>>> On Tue, Sep 6, 2022 at 4:29 PM Catalin Marinas wrote:
>>>>>> Does it take long to reproduce this kasan warning?
>>>>>
>>>>> syzbot finds several such cases every day (200 crashes for the past 35 days):
>>>>> https://syzkaller.appspot.com/bug?extid=c2c79c6d6eddc5262b77
>>>>> So once it reaches the tested tree, we should have an answer within a day.
>>>
>>> To be specific, this syzkaller instance fuzzes the mainline, so the
>>> patch with the WARN_ON needs to end up there.
>>>
>>> If this is unacceptable, perhaps, we could switch the MTE syzkaller
>>> instance to the arm64 testing tree.
>>
>> It needs some more digging first. My first guess was that a PROT_MTE
>> page was mapped into the user address space and the task repainted it
>> but I don't think that's the case.
>
> syzkaller still keeps hitting this issue and I was wondering if you
> have any ideas of what could be wrong here?
>
>> Since I can't find the kernel boot log for these runs, is there any kind
>> of swap enabled? I'm trying to narrow down where the problem may be.
>
> I don't think there is.

I've reproduced this with the latest qemu and v6.0 kernel using ubuntu 15.04 user-space.
The reproducer is just to log in once it's booted. The vm has swap, and I've turned the
memory down low enough to force it to swap. The round trip time is about 15 minutes.
I've not managed to reproduce it without swap, or with more memory. (but it may be a timing thing)

Below is one example of tag corruption that affected page-cache memory that wouldn't be swapped:

-------------------%<-------------------
[49488.484420] BUG: KASAN: invalid-access in __arch_copy_to_user+0x180/0x240
[49488.487122] Read at addr f1ff00000ad48000 by task apt-config/5041
[49488.488614] Pointer tag: [f1], memory tag: [fe]
[49488.490921] CPU: 1 PID: 5041 Comm: apt-config Not tainted 6.0.0 #14546
[49488.492364] Hardware name: linux,dummy-virt (DT)
[49488.493790] Call trace:
[49488.494640]  dump_backtrace.part.0+0xd0/0xe0
[49488.495811]  show_stack+0x18/0x50
[49488.496785]  dump_stack_lvl+0x68/0x84
[49488.497781]  print_report+0x104/0x604
[49488.498790]  kasan_report+0x8c/0xb0
[49488.499758]  __do_kernel_fault+0x11c/0x1bc
[49488.500801]  do_tag_check_fault+0x78/0x90
[49488.501830]  do_mem_abort+0x44/0x9c
[49488.502813]  el1_abort+0x40/0x60
[49488.503839]  el1h_64_sync_handler+0xb0/0xd0
[49488.504880]  el1h_64_sync+0x64/0x68
[49488.505847]  __arch_copy_to_user+0x180/0x240
[49488.506917]  _copy_to_iter+0x68/0x5c0
[49488.507918]  copy_page_to_iter+0xac/0x33c
[49488.508943]  filemap_read+0x1b4/0x3b0
[49488.509936]  generic_file_read_iter+0x108/0x1a0
[49488.511033]  ext4_file_read_iter+0x58/0x1f0
[49488.512078]  vfs_read+0x1f8/0x2a0
[49488.513031]  ksys_read+0x68/0xf4
[49488.513978]  __arm64_sys_read+0x1c/0x2c
[49488.514998]  invoke_syscall+0x48/0x114
[49488.516046]  el0_svc_common.constprop.0+0x44/0xec
[49488.517153]  do_el0_svc+0x2c/0xc0
[49488.518120]  el0_svc+0x2c/0xb4
[49488.519041]  el0t_64_sync_handler+0xb8/0xc0
[49488.520080]  el0t_64_sync+0x198/0x19c
[49488.522268] The buggy address belongs to the physical page:
[49488.523778] page:00000000db6e19d9 refcount:20 mapcount:18 mapping:0000000052573be9 index:0x0 pfn:0x4ad48
[49488.524938] memcg:faff000002c70000
[49488.525430] aops:ext4_da_aops ino:8061 dentry name:"libc-2.21.so"
[49488.526289] flags: 0x1ffc38002020876(referenced|uptodate|lru|active|workingset|arch_1|mappedtodisk|arch_2|node=0|zone=0|lastcpupid=0x7ff|kasantag=0xe) CMA
[49488.527947] raw: 01ffc38002020876 fffffc00002b5248 fffffc00002b51c8 f8ff00000335c760
[49488.528325] raw: 0000000000000000 0000000000000000 0000001400000011 faff000002c70000
[49488.528669] page dumped because: kasan: bad access detected
[49488.529615] Memory state around the buggy address:
[49488.531027]  ffff00000ad47e00: f1 f1 f1 f1 f1 f1 f1 f1 f1 f1 f1 f1 f1 f1 f1 f1
[49488.532442]  ffff00000ad47f00: f1 f1 f1 f1 f1 f1 f1 f1 f1 f1 f1 f1 f1 f1 f1 f1
[49488.533922] >ffff00000ad48000: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
[49488.535259]                    ^
[49488.536292]  ffff00000ad48100: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
[49488.537628]  ffff00000ad48200: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
[49488.539015] ==================================================================
[49488.603970] Disabling lock debugging due to kernel taint
-------------------%<-------------------

Thanks,

James
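As an added example (not part of James's mail or of the kernel tree): a small Python triager for the KASAN HW_TAGS report format quoted above. It parses the report's own lines, pulls out the pointer and memory tags and the owning file, and walks the memory-state rows to find the first granule whose tag diverges from the pointer tag; the KASAN_TAG_INVALID value and the 16-byte MTE granule size are taken from the kernel headers, and the sample input is the report above, trimmed to the lines the parser reads.

```python
import re

# KASAN_TAG_INVALID from the kernel's include/linux/kasan-tags.h: memory carrying it is poisoned (freed or never handed out).
KASAN_TAG_INVALID = 0xFE
GRANULE = 16  # MTE tags 16-byte granules; each memory-state row shows 16 of them

# Constructed sample: the report quoted in the mail above, trimmed to the lines parsed here.
SAMPLE = """\
[49488.484420] BUG: KASAN: invalid-access in __arch_copy_to_user+0x180/0x240
[49488.487122] Read at addr f1ff00000ad48000 by task apt-config/5041
[49488.488614] Pointer tag: [f1], memory tag: [fe]
[49488.525430] aops:ext4_da_aops ino:8061 dentry name:"libc-2.21.so"
[49488.529615] Memory state around the buggy address:
[49488.531027]  ffff00000ad47e00: f1 f1 f1 f1 f1 f1 f1 f1 f1 f1 f1 f1 f1 f1 f1 f1
[49488.532442]  ffff00000ad47f00: f1 f1 f1 f1 f1 f1 f1 f1 f1 f1 f1 f1 f1 f1 f1 f1
[49488.533922] >ffff00000ad48000: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
[49488.536292]  ffff00000ad48100: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
"""

def parse_kasan_report(text):
    """Extract the tag-check facts from a KASAN HW_TAGS (MTE) report."""
    r = {}
    m = re.search(r"BUG: KASAN: (\S+) in (\S+)", text)
    r["kind"], r["where"] = m.group(1), m.group(2)
    m = re.search(r"(Read|Write) at addr ([0-9a-f]+) by task (\S+)/(\d+)", text)
    r["access"], r["addr"] = m.group(1), int(m.group(2), 16)
    r["task"], r["pid"] = m.group(3), int(m.group(4))
    m = re.search(r"Pointer tag: \[([0-9a-f]{2})\], memory tag: \[([0-9a-f]{2})\]", text)
    r["pointer_tag"], r["memory_tag"] = int(m.group(1), 16), int(m.group(2), 16)
    m = re.search(r'dentry name:"([^"]+)"', text)
    r["file"] = m.group(1) if m else None
    # Walk the memory-state rows in address order: the first granule whose tag
    # differs from the pointer tag is where the bad tagging starts.
    r["first_mismatch"] = None
    for base, tags in re.findall(r"[ >]([0-9a-f]{16}): ((?:[0-9a-f]{2} ?)+)", text):
        for i, t in enumerate(tags.split()):
            if r["first_mismatch"] is None and int(t, 16) != r["pointer_tag"]:
                r["first_mismatch"] = int(base, 16) + i * GRANULE
    return r

def triage(r):
    """Turn the parsed facts into the conclusions a triager draws from them."""
    out = []
    if (r["addr"] >> 56) != r["pointer_tag"]:  # top byte carries the pointer tag
        out.append("pointer tag disagrees with the address top byte")
    if r["memory_tag"] == KASAN_TAG_INVALID:
        out.append("memory is poisoned (KASAN_TAG_INVALID), not merely retagged")
    if r["first_mismatch"] is not None and (r["first_mismatch"] & 0xFFF) == 0:
        out.append("mismatch begins on a 4K page boundary: tags changed at page granularity")
    return out
```

Run on the sample, it reports that the memory tag is the poison value and that the divergence starts exactly at the page boundary 0xffff00000ad48000, which is what makes this a page-level tagging problem rather than a stray write into one granule.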