Re: [PATCHv3 00/29] huge tmpfs implementation using compound pages
From: Sasha Levin
Date: Thu Mar 03 2016 - 23:20:28 EST
On 03/03/2016 11:51 AM, Kirill A. Shutemov wrote:
> I consider it feature complete for initial step into upstream. I'll focus
> on validation now. I work with Sasha on that.
Hey Kirill,
I see the following two (separate) issues. I haven't hit them ever before, so
I suspect that while they seem unrelated, they are somehow caused by this series.
First:
[ 1386.011801] ==================================================================
[ 1386.011901] BUG: KASAN: use-after-free in __fget+0x4fa/0x540 at addr ffff8801afe43b34
[ 1386.011922] Read of size 4 by task syz-executor/22976
[ 1386.011939] =============================================================================
[ 1386.011959] BUG filp (Not tainted): kasan: bad access detected
[ 1386.011969] -----------------------------------------------------------------------------
[ 1386.011969]
[ 1386.011976] Disabling lock debugging due to kernel taint
[ 1386.012005] INFO: Slab 0xffffea0006bf9000 objects=19 used=16 fp=0xffff8801afe40040 flags=0x2fffff80004080
[ 1386.012027] INFO: Object 0xffff8801afe43a80 @offset=14976 fp=0xbbbbbbbbbbbbbbbb
[ 1386.012027]
[ 1386.012061] Redzone ffff8801afe43a40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 1386.012087] Redzone ffff8801afe43a50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 1386.012112] Redzone ffff8801afe43a60: 02 00 00 00 68 30 00 00 3b 55 0e 00 01 00 00 00 ....h0..;U......
[ 1386.012133] Redzone ffff8801afe43a70: 00 00 00 00 00 00 00 00 40 aa 90 ac ff ff ff ff ........@.......
[ 1386.012156] Object ffff8801afe43a80: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb ................
[ 1386.012181] Object ffff8801afe43a90: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb ................
[ 1386.012206] Object ffff8801afe43aa0: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb ................
[ 1386.012230] Object ffff8801afe43ab0: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb ................
[ 1386.012251] Object ffff8801afe43ac0: 00 00 00 00 00 00 00 00 70 03 8c a1 ff ff ff ff ........p.......
[ 1386.012278] Object ffff8801afe43ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 1386.012298] Object ffff8801afe43ae0: 00 00 00 00 00 00 00 00 c0 65 94 ac ff ff ff ff .........e......
[ 1386.012317] Object ffff8801afe43af0: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N..........
[ 1386.012333] Object ffff8801afe43b00: ff ff ff ff ff ff ff ff 00 e0 57 bc ff ff ff ff ..........W.....
[ 1386.012351] Object ffff8801afe43b10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 1386.012367] Object ffff8801afe43b20: e0 b6 93 ac ff ff ff ff 00 00 00 00 00 00 00 00 ................
[ 1386.012382] Object ffff8801afe43b30: 01 80 00 00 1e 00 04 00 01 00 00 00 00 00 00 00 ................
[ 1386.012394] Object ffff8801afe43b40: 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N..........
[ 1386.012405] Object ffff8801afe43b50: ff ff ff ff ff ff ff ff 40 35 6a bb ff ff ff ff ........@xxxxxxx
[ 1386.012416] Object ffff8801afe43b60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 1386.012427] Object ffff8801afe43b70: c0 c4 8c ac ff ff ff ff 78 3b e4 af 01 88 ff ff ........x;......
[ 1386.012438] Object ffff8801afe43b80: 78 3b e4 af 01 88 ff ff 00 00 00 00 00 00 00 00 x;..............
[ 1386.012450] Object ffff8801afe43b90: 38 3b e4 af 01 88 ff ff c0 df 57 bc ff ff ff ff 8;........W.....
[ 1386.012461] Object ffff8801afe43ba0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 1386.012472] Object ffff8801afe43bb0: 20 b7 93 ac ff ff ff ff 00 00 00 00 00 00 00 00 ...............
[ 1386.012483] Object ffff8801afe43bc0: 00 00 00 00 00 00 00 00 ed 1e af de ff ff ff ff ................
[ 1386.012494] Object ffff8801afe43bd0: ff ff ff ff ff ff ff ff 40 e0 57 bc ff ff ff ff ........@.W.....
[ 1386.012506] Object ffff8801afe43be0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 1386.012517] Object ffff8801afe43bf0: a0 b6 93 ac ff ff ff ff 00 00 00 00 00 00 00 00 ................
[ 1386.012528] Object ffff8801afe43c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 1386.012539] Object ffff8801afe43c10: 40 b6 d5 b2 00 88 ff ff 00 00 00 00 00 00 00 00 @...............
[ 1386.012550] Object ffff8801afe43c20: 00 00 00 00 00 00 00 00 20 00 00 00 00 00 00 00 ........ .......
[ 1386.012561] Object ffff8801afe43c30: ff ff ff ff ff ff ff ff ........
[ 1386.012572] Redzone ffff8801afe43c38: 00 00 00 00 00 00 00 00 ........
[ 1386.012583] Padding ffff8801afe43d70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 1386.012607] CPU: 1 PID: 22976 Comm: syz-executor Tainted: G B 4.5.0-rc6-next-20160301-sasha-00054-g4c13c38-dirty #2987
[ 1386.012636] 0000000000000000 ffff8800b2097d08 ffffffffa33db57d ffffffff00000001
[ 1386.012651] fffffbfff5e6cc08 0000000041b58ab3 ffffffffaecc1ee9 ffffffffa33db3e5
[ 1386.012666] 000000002e90934f ffff8801b1744000 ffffffffaecdeceb ffff8801afe43a80
[ 1386.012669] Call Trace:
[ 1386.012713] dump_stack (lib/dump_stack.c:53)
[ 1386.012731] ? arch_local_irq_restore (init/do_mounts.h:17)
[ 1386.012749] ? print_section (./arch/x86/include/asm/current.h:14 include/linux/kasan.h:35 mm/slub.c:481 mm/slub.c:512)
[ 1386.012763] print_trailer (mm/slub.c:670)
[ 1386.012778] object_err (mm/slub.c:677)
[ 1386.012794] kasan_report_error (include/linux/kasan.h:28 mm/kasan/report.c:170 mm/kasan/report.c:237)
[ 1386.012920] __asan_report_load4_noabort (mm/kasan/report.c:279)
[ 1386.012946] __fget (fs/file.c:707)
[ 1386.012996] __fget_light (fs/file.c:757)
[ 1386.013009] __fdget (fs/file.c:765)
[ 1386.013030] SyS_ioctl (include/linux/file.h:55 fs/ioctl.c:683 fs/ioctl.c:680)
[ 1386.013051] entry_SYSCALL_64_fastpath (arch/x86/entry/entry_64.S:200)
[ 1386.013056] Memory state around the buggy address:
[ 1386.013069] ffff8801afe43a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1386.013080] ffff8801afe43a80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 1386.013090] >ffff8801afe43b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1386.013094] ^
[ 1386.013105] ffff8801afe43b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1386.013115] ffff8801afe43c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
[ 1386.013119] ==================================================================
And second:
[ 2328.415149] ------------[ cut here ]------------
[ 2328.417960] WARNING: CPU: 2 PID: 13358 at arch/x86/mm/pat.c:986 untrack_pfn+0x24e/0x2d0
[ 2328.418852] Modules linked in:
[ 2328.419257] CPU: 2 PID: 13358 Comm: syz-executor Not tainted 4.5.0-rc6-next-20160301-sasha-00054-g4c13c38-dirty #2987
[ 2328.420445] 0000000000000000 ffff88000cad77c0 ffffffffa43db57d ffffffff00000002
[ 2328.421392] fffffbfff606cc08 0000000041b58ab3 ffffffffafcc1ee9 ffffffffa43db3e5
[ 2328.422295] ffffffffa2598b50 0000000020000000 0000000041b58ab3 ffffffffafcddf50
[ 2328.423234] Call Trace:
[ 2328.423583] dump_stack (lib/dump_stack.c:53)
[ 2328.424184] ? arch_local_irq_restore (init/do_mounts.h:17)
[ 2328.424917] ? is_module_text_address (kernel/module.c:4033)
[ 2328.425668] ? vm_insert_mixed (mm/memory.c:3737)
[ 2328.426385] ? untrack_pfn (arch/x86/mm/pat.c:986 (discriminator 3))
[ 2328.427036] __warn (kernel/panic.c:492)
[ 2328.439719] warn_slowpath_null (kernel/panic.c:528)
[ 2328.440792] untrack_pfn (arch/x86/mm/pat.c:986 (discriminator 3))
[ 2328.441606] ? track_pfn_insert (arch/x86/mm/pat.c:975)
[ 2328.442418] ? do_wp_page (mm/memory.c:1235)
[ 2328.443099] unmap_single_vma (mm/memory.c:1270)
[ 2328.443975] unmap_vmas (mm/memory.c:1320 (discriminator 3))
[ 2328.452015] exit_mmap (mm/mmap.c:2769)
[ 2328.452868] ? SyS_munmap (mm/mmap.c:2739)
[ 2328.453798] ? do_raw_spin_unlock (kernel/locking/spinlock_debug.c:160)
[ 2328.454498] ? __might_sleep (kernel/sched/core.c:7736 (discriminator 14))
[ 2328.455113] mmput (kernel/fork.c:715)
[ 2328.455666] do_exit (./arch/x86/include/asm/bitops.h:311 include/linux/thread_info.h:92 kernel/exit.c:437 kernel/exit.c:735)
[ 2328.456251] ? mm_update_next_owner (kernel/exit.c:653)
[ 2328.456952] ? __dequeue_signal (kernel/signal.c:546)
[ 2328.457643] ? do_sigaltstack (kernel/signal.c:546)
[ 2328.458351] ? _raw_spin_unlock_irq (./arch/x86/include/asm/paravirt.h:801 include/linux/spinlock_api_smp.h:170 kernel/locking/spinlock.c:199)
[ 2328.459063] do_group_exit (include/linux/sched.h:815 kernel/exit.c:861)
[ 2328.459698] get_signal (kernel/signal.c:2327)
[ 2328.460363] do_signal (arch/x86/kernel/signal.c:784)
[ 2328.460956] ? trace_hardirqs_on_caller (kernel/locking/lockdep.c:2540 kernel/locking/lockdep.c:2587)
[ 2328.461750] ? trace_hardirqs_on (kernel/locking/lockdep.c:2595)
[ 2328.462469] ? setup_sigcontext (arch/x86/kernel/signal.c:781)
[ 2328.463134] ? finish_task_switch (./arch/x86/include/asm/current.h:14 kernel/sched/core.c:2746)
[ 2328.469533] ? finish_task_switch (kernel/sched/sched.h:1101 kernel/sched/core.c:2743)
[ 2328.470303] ? rcu_read_unlock (kernel/sched/core.c:2706)
[ 2328.470966] ? SyS_futex (kernel/futex.c:3182)
[ 2328.471615] ? exit_to_usermode_loop (./arch/x86/include/asm/paravirt.h:801 arch/x86/entry/common.c:238)
[ 2328.473334] ? trace_hardirqs_on_caller (kernel/locking/lockdep.c:2540 kernel/locking/lockdep.c:2587)
[ 2328.474135] exit_to_usermode_loop (arch/x86/entry/common.c:248)
[ 2328.476051] ? trace_hardirqs_on_caller (kernel/locking/lockdep.c:2540 kernel/locking/lockdep.c:2587)
[ 2328.476827] syscall_return_slowpath (arch/x86/entry/common.c:283 arch/x86/entry/common.c:348)
[ 2328.478821] entry_SYSCALL_64_fastpath (arch/x86/entry/entry_64.S:232)
[ 2328.486429] ---[ end trace be1dc5a23ab2ebe4 ]---
Thanks,
Sasha