Re: linux-next: not-present page at swap_vma_readahead()

From: Qian Cai
Date: Sun Jul 19 2020 - 22:12:37 EST


On Mon, Jul 20, 2020 at 12:37:30AM +0000, Huang, Ying wrote:
> Hi,
>
> Sorry for the late reply. I found a problem in the swap readahead code. Can you help check whether it fixes this?

Unfortunately, I can still reproduce it easily after applying the patch.

# git clone https://gitlab.com/cailca/linux-mm
# git checkout v5.8-rc1 -- *.sh
# dnf -y install tar wget golang libseccomp-devel jq
# ./runc.sh

[ 575.517290][T28667] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 575.522901][T28650] BUG: KASAN: slab-out-of-bounds in swapin_readahead+0x780/0xbd8
swap_vma_readahead at mm/swap_state.c:758
(inlined by) swapin_readahead at mm/swap_state.c:802
[ 575.522928][T28650] Read of size 8 at addr ffff0089a603ffe8 by task trinity-c92/28650
[ 575.522947][T28650] CPU: 126 PID: 28650 Comm: trinity-c92 Not tainted 5.8.0-rc5-next-20200717+ #1
[ 575.522958][T28650] Hardware name: HPE Apollo 70 /C01_APACHE_MB , BIOS L50_5.13_1.11 06/18/2019
[ 575.522966][T28650] Call trace:
[ 575.529895][T28667] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 575.535819][T28590] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 575.535829][T28590] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 575.535836][T28590] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 575.537424][T28650] dump_backtrace+0x0/0x398
[ 575.537438][T28650] show_stack+0x14/0x20
[ 575.545308][T28667] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 575.554134][T28650] dump_stack+0x140/0x1c8
[ 575.554148][T28650] print_address_description.constprop.10+0x54/0x550
[ 575.554159][T28650] kasan_report+0x134/0x1b8
[ 575.554173][T28650] __asan_report_load8_noabort+0x2c/0x50
[ 575.559496][T28588] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 575.559506][T28588] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 575.559513][T28588] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 575.562203][T28586] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 575.562215][T28586] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 575.562223][T28586] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 575.665163][T28560] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 575.671260][T28650] swapin_readahead+0x780/0xbd8
[ 575.671280][T28650] do_swap_page+0xb1c/0x1a78
do_swap_page at mm/memory.c:3166
[ 575.678067][T28560] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 575.682774][T28650] handle_mm_fault+0xfd0/0x2c50
handle_pte_fault at mm/memory.c:4234
(inlined by) __handle_mm_fault at mm/memory.c:4368
(inlined by) handle_mm_fault at mm/memory.c:4466
[ 575.682789][T28650] do_page_fault+0x230/0x818
[ 575.682804][T28650] do_translation_fault+0x90/0xb0
[ 575.682819][T28650] do_mem_abort+0x64/0x180
[ 575.687259][T28560] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 575.694051][T28650] el1_sync_handler+0x188/0x1b8
[ 575.694064][T28650] el1_sync+0x7c/0x100
[ 575.694079][T28650] strncpy_from_user+0x270/0x3e8
[ 575.694100][T28650] getname_flags+0x80/0x330
[ 575.698001][T28827] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 575.698048][T28827] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 575.698056][T28827] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 575.755679][T28620] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 575.757304][T28650] user_path_at_empty+0x2c/0x60
[ 575.764131][T28620] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 575.768782][T28650] do_linkat+0x10c/0x528
[ 575.768792][T28650] __arm64_sys_linkat+0xa0/0xf8
[ 575.768802][T28650] do_el0_svc+0x124/0x228
[ 575.768812][T28650] el0_sync_handler+0x260/0x410
[ 575.768820][T28650] el0_sytack+0x24/0x50+0x14/0x20
[ 5ap file entry 58_object+0x58/0x968c/0x1880
[ 575.779790][T28650] __alloc_percpu_gfp+0x14/0x20
[ 575.779799][T28650] qdisc_alloc+0x2bc/0xb98
[ 575.779809][T28650] qdisc_create_dflt+0x60/0x748
[ 575.803406][T28643] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 575.806107][T28650] mq_init+0x1a0/0x3b8
[ 575.806120][T28650] qdisc_create_dflt+0xc8/0x748
[ 575.811321][T28643] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 575.815788][T28650] dev_activate+0x488/0x8b8
[ 575.815806][T28650] __dev_open+0x240/0x360
[ 575.820848][T28643] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 575.827542][T28650] __dev_change_flags+0x344/0x480
[ 575.827553][T28650] dev_change_flags+0x74/0x140
[ 575.906574][T28650] do_setlink+0x7c8/0x2760
[ 575.910856][T28650] __rtnl_newlink+0x80c/0x1000
[ 575.915481][T28650] rtnl_newlink+0x68/0xa0
[ 575.919671][T28650] rtnetlink_rcv_msg+0x394/0xa48
[ 575.924477][T28650] netlink_rcv_skb+0x19c/0x340
[ 575.929103][T28650] rtnetlink_rcv+0x14/0x20
[ 575.933380][T28650] netlink_unicast+0x3ec/0x5e0
[ 575.938005][T28650] netlink_sendmsg+0x63c/0xa60
[ 575.942632][T28650] ____sys_sendmsg+0x5b0/0x740
[ 575.947261][T28650] ___sys_sendmsg+0xec/0x160
[ 575.949053][T28716] futex_wake_op: trinity-c158 tries to shift op by -1; fix this program
[ 575.951712][T28650] __sys_sendmsg+0xb8/0x130
[ 575.951727][T28650] __arm64_sys_sendmsg+0x6c/0x98
[ 575.969052][T28650] do_el0_svc+0x124/0x228
[ 575.973248][T28650] el0_sync_handler+0x260/0x410
[ 575.977959][T28650] el0_sync+0x140/0x180
[ 575.981974][T28650] Last call_rcu():
[ 575.985557][T28650] kasan_save_stack+0x24/0x50
[ 575.990099][T28650] kasan_record_aux_stack+0xe0/0x110
[ 575.995249][T28650] call_rcu+0x114/0x680
[ 575.999273][T28650] put_object+0x84/0xc0
[ 576.003303][T28650] __delete_object+0xc4/0x110
[ 576.007848][T28650] delete_object_full+0x18/0x20
[ 576.012565][T28650] kmemleak_free+0x2c/0x38
[ 576.016844][T28650] slab_free_freelist_hook+0x190/0x298
[ 576.022158][T28650] kmem_cache_free+0x128/0x518
[ 576.026775][T28650] file_free_rcu+0x68/0xb0
[ 576.031045][T28650] rcu_core+0x8b8/0xf90
[ 576.035059][T28650] rcu_core_si+0xc/0x18
[ 576.039079][T28650] efi_header_end+0x358/0x14d4
[ 576.043712][T28650] Second to last call_rcu():
[ 576.048176][T28650] kasan_save_stack+0x24/0x50
[ 576.052723][T28650] kasan_record_aux_stack+0xe0/0x110
[ 576.057871][T28650] call_rcu+0x114/0x680
[ 576.057998][T28976] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 576.061888][T28650] put_object+0x84/0xc0
[ 576.061898][T28650] __delete_object+0xc4/0x110
[ 576.061906][T28650] delete_object_full+0x18/0x20
[ 576.061917][T28650] kmemleak_free+0x2c/0x38
[ 576.061925][T28650] slab_free_freelist_hook+0x190/0x298
[ 576.061933][T28650] kmem_cache_free+0x128/0x518
[ 576.061950][T28650] putname+0xb8/0x108
[ 576.065453][T28678] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 576.065462][T28678] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 576.065470][T28678] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 576.068777][T28976] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 576.072740][T28650] do_sys_openat2+0x26c/0x4c0
[ 576.072753][T28650] do_sys_open+0xa4/0xf8
[ 576.077404][T28976] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 576.082097][T28650] __arm64_sys_openat+0x88/0xc8
[ 576.082107][T+0x260/0x410
[ 6.082138][T28650s to the cache kted 336 bytes to 576.082157][T28ntry 58025a5a5a5a5a5a
[ 576.120513][T28650] page:00000000e119790b refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8a2603
[ 576.127826][T28675] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 576.131821][T28650] flags: 0x7ffff800000200(slab)
[ 576.131835][T28650] raw: 007ffff800000200 ffffffe0223a3908 ffffffe02234c948 ffff000000322480
[ 576.131845][T28650] raw: 0000000000000000 00000000005b005b 00000001ffffffff 0000000000000000
[ 576.131853][T28650] page dumped because: kasan: bad access detected
[ 576.131865][T28650] Memory state around the buggy address:
[ 576.131875][T28650] ffff0089a603fe80: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 576.131884][T28650] ffff0089a603ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 576.131894][T28650] >ffff0089a603ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 576.131900][T28650]                                                           ^
[ 576.131908][T28650] ffff0089a6040000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 576.131917][T28650] ffff0089a6040080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 576.131923][T28650] ==================================================================
[ 576.131928][T28650] Disabling lock debugging due to kernel taint
[ 576.132028][T28650] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 576.132038][T28650] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 576.132046][T28650] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 576.281114][T28912] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 576.286297][T28675] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 576.293442][T28912] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a
[ 576.293451][T28912] get_swap_device: Bad swap file entry 58025a5a5a5a5a5a

> From b6cad43ad3cf63d73e539e3eaadd4ec9d2744dc6 Mon Sep 17 00:00:00 2001
> From: Huang Ying <ying.huang@xxxxxxxxx>
> Date: Fri, 10 Jul 2020 17:27:45 +0800
> Subject: [PATCH] dbg: Fix a logic hole in swap_ra_info()
>
> ---
> mm/swap_state.c | 5 ++---
> 1 file changed, 2 insertions(+), 3 deletions(-)
>
> diff --git a/mm/swap_state.c b/mm/swap_state.c
> index 05889e8e3c97..8481c15829b2 100644
> --- a/mm/swap_state.c
> +++ b/mm/swap_state.c
> @@ -669,12 +669,11 @@ static void swap_ra_info(struct vm_fault *vmf,
> pte_t *tpte;
> #endif
>
> + ra_info->win = 1;
> max_win = 1 << min_t(unsigned int, READ_ONCE(page_cluster),
> SWAP_RA_ORDER_CEILING);
> - if (max_win == 1) {
> - ra_info->win = 1;
> + if (max_win == 1)
> return;
> - }
>
> faddr = vmf->address;
> orig_pte = pte = pte_offset_map(vmf->pmd, faddr);
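Review bot: the commit message is empty below the subject, and the subject only says "a logic hole" under a "dbg:" prefix; before this goes beyond a debug thread it should state which return path in swap_ra_info() previously left ra_info->win unset, because the hunk context does not show it (the only return visible here is the `max_win == 1` one, which already assigned win). Hoisting `ra_info->win = 1;` above the max_win computation is behaviour-preserving for that path and a sound defensive default, but it only covers the one field; if the same later return also leaves whatever other fields of *ra_info that swap_vma_readahead() consumes uninitialised, the loop that faults at mm/swap_state.c:758 is still fed garbage, which would fit the reporter still hitting the KASAN read with this patch applied. Suggest initialising every ra_info field the caller reads at the top, or documenting in the message why win alone suffices.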
> --
> 2.27.0
>
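Two values in the splat above are worth decoding by hand when triaging a report like this: the shadow byte KASAN flagged for the faulting address, and what the swp_entry_t value that get_swap_device() rejects actually encodes. The program below is an added example, not code from this thread or from the kernel. It parses the "Memory state around the buggy address" rows copied from the report (with the '>' marker on the guilty row dropped), maps the address from "Read of size 8 at addr ffff0089a603ffe8" to its shadow byte, and decodes 58025a5a5a5a5a5a with the generic swp_type()/swp_offset() layout. It then checks whether an arm64 swap pte whose every byte is SLUB's 0x5a in-use poison would encode to exactly that value. The constants are assumptions taken from a 64-bit v5.8-era tree (include/linux/swapops.h, include/linux/poison.h, mm/kasan/kasan.h and arch/arm64/include/asm/pgtable.h); `kasan_shadow_lookup`, `arm64_pte_to_swp_entry` and `is_poison_fill` are names chosen here, not kernel functions.

```c
/* Added example (not kernel code): decode the KASAN shadow byte and the
 * "Bad swap file entry" value printed in the report above.  Constants are
 * assumed from a 64-bit v5.8-era kernel; the shadow rows are copied from the
 * report with the '>' row marker removed. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KASAN_SHADOW_SCALE_SHIFT 3                        /* one shadow byte per 8 bytes */
#define KASAN_ROW_BYTES (16 << KASAN_SHADOW_SCALE_SHIFT)  /* 16 shadow bytes = 128 bytes per row */
#define KASAN_KMALLOC_REDZONE 0xfc

#define MAX_SWAPFILES_SHIFT 5
#define BITS_PER_XA_VALUE 63                              /* BITS_PER_LONG - 1 on 64-bit */
#define SWP_TYPE_SHIFT (BITS_PER_XA_VALUE - MAX_SWAPFILES_SHIFT)
#define SWP_OFFSET_MASK ((1ULL << SWP_TYPE_SHIFT) - 1)
#define POISON_INUSE 0x5a                                 /* SLUB fill for never-written object bytes */

/* arm64 swap-pte layout (assumed): type in bits 2..7, offset in bits 8..57. */
#define ARM64_SWP_TYPE_SHIFT 2
#define ARM64_SWP_TYPE_BITS 6
#define ARM64_SWP_OFFSET_BITS 50

/* Rows copied from the "Memory state around the buggy address" section. */
static const char *shadow_rows[] = {
	"ffff0089a603fe80: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc",
	"ffff0089a603ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc",
	"ffff0089a603ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc",
	"ffff0089a6040000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00",
	"ffff0089a6040080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00",
};
#define N_SHADOW_ROWS (sizeof shadow_rows / sizeof shadow_rows[0])

/* Shadow byte covering addr, parsed from "base: b0 b1 ... b15" rows; -1 if no row covers it. */
int kasan_shadow_lookup(const char *const *rows, size_t nrows, uint64_t addr)
{
	for (size_t i = 0; i < nrows; i++) {
		const char *r = rows[i] + (rows[i][0] == '>');   /* tolerate the guilty-row marker */
		char *p;
		uint64_t base = strtoull(r, &p, 16);
		if (*p != ':' || addr < base || addr >= base + KASAN_ROW_BYTES)
			continue;
		p++;                                              /* skip ':'; strtol skips the blanks */
		unsigned idx = (unsigned)((addr - base) >> KASAN_SHADOW_SCALE_SHIFT);
		long v = -1;
		for (unsigned j = 0; j <= idx; j++)
			v = strtol(p, &p, 16);
		return (int)v;
	}
	return -1;
}

/* Meaning of a generic-KASAN shadow byte value. */
const char *kasan_shadow_name(int shadow)
{
	switch (shadow) {
	case 0x00: return "addressable";
	case KASAN_KMALLOC_REDZONE: return "kmalloc redzone";
	case 0xfb: return "freed kmalloc object";
	case 0xfe: return "page redzone";
	case 0xff: return "freed page";
	case 0xf1: case 0xf2: case 0xf3: return "stack redzone";
	default: return (shadow > 0 && shadow < 8) ? "partially addressable" : "unknown";
	}
}

/* Generic swp_entry_t decoding, as swp_type()/swp_offset() do in swapops.h. */
unsigned swp_type(uint64_t val) { return (unsigned)(val >> SWP_TYPE_SHIFT); }
uint64_t swp_offset(uint64_t val) { return val & SWP_OFFSET_MASK; }

/* arm64 __pte_to_swp_entry() followed by swp_entry(type, offset): raw pte -> swp_entry_t.val */
uint64_t arm64_pte_to_swp_entry(uint64_t raw_pte)
{
	uint64_t type = (raw_pte >> ARM64_SWP_TYPE_SHIFT) & ((1u << ARM64_SWP_TYPE_BITS) - 1);
	uint64_t off = (raw_pte >> (ARM64_SWP_TYPE_SHIFT + ARM64_SWP_TYPE_BITS))
		       & ((1ULL << ARM64_SWP_OFFSET_BITS) - 1);
	return (type << SWP_TYPE_SHIFT) | (off & SWP_OFFSET_MASK);
}

/* True if every byte of the 64-bit word equals the given fill byte. */
int is_poison_fill(uint64_t word, uint8_t fill)
{
	for (int i = 0; i < 8; i++)
		if (((word >> (8 * i)) & 0xff) != fill)
			return 0;
	return 1;
}

int main(void)
{
	uint64_t fault = 0xffff0089a603ffe8ULL;          /* "Read of size 8 at addr ..." */
	int sh = kasan_shadow_lookup(shadow_rows, N_SHADOW_ROWS, fault);
	printf("shadow for %#" PRIx64 ": 0x%02x (%s)\n", fault, sh, kasan_shadow_name(sh));

	uint64_t bad = 0x58025a5a5a5a5a5aULL;            /* get_swap_device's rejected entry */
	printf("swap entry %#" PRIx64 ": type %u, offset %#" PRIx64 "\n",
	       bad, swp_type(bad), swp_offset(bad));

	uint64_t poisoned = 0x5a5a5a5a5a5a5a5aULL;       /* constructed: a pte slot never written */
	uint64_t enc = arm64_pte_to_swp_entry(poisoned);
	printf("all-0x%02x pte -> entry %#" PRIx64 " (%s)\n", POISON_INUSE, enc,
	       enc == bad ? "matches the report" : "differs");
	return 0;
}
```

Build with `cc -Wall -o kasan_decode kasan_decode.c`. The shadow byte for ffff0089a603ffe8 is 0xfc, the kmalloc redzone, in the last 128-byte row before ffff0089a6040000 becomes addressable again, which matches the "slab-out-of-bounds" classification and the slab page dump. The entry decodes to swap type 22, a type the machine has no swapfile for, which is exactly why get_swap_device() prints "Bad swap file entry". The last line is the more telling one: an arm64 pte holding nothing but SLUB's 0x5a fill encodes to precisely 0x58025a5a5a5a5a5a, so the value is consistent with the readahead walk reading pte slots that were never written as page-table entries; that is an inference from the constants, not something the report states, and it says nothing about why the walk got there.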