Re: [syzbot] [mm?] kernel BUG in filemap_unaccount_folio
From: Yin, Fengwei
Date: Sun Sep 10 2023 - 07:53:55 EST
On 9/10/2023 3:02 PM, Kasireddy, Vivek wrote:
> Hi Fengwei,
>
>>
>> Add udmabuf maintainers.
>>
>> On 9/7/2023 2:51 AM, syzbot wrote:
>>> Hello,
>>>
>>> syzbot found the following issue on:
>>>
>>> HEAD commit: db906f0ca6bb Merge tag 'phy-for-6.6' of git://git.kernel.o..
>>> git tree: upstream
>>> console+strace: https://syzkaller.appspot.com/x/log.txt?x=16cbb32fa80000
>>> kernel config:
>> https://syzkaller.appspot.com/x/.config?x=3bd57a1ac08277b0
>>> dashboard link:
>> https://syzkaller.appspot.com/bug?extid=17a207d226b8a5fb0fd9
>>> compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for
>> Debian) 2.40
>>> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11609f38680000
>>> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14c1fc00680000
>>>
>>> Downloadable assets:
>>> disk image: https://storage.googleapis.com/syzbot-
>> assets/46394f3ca3eb/disk-db906f0c.raw.xz
>>> vmlinux: https://storage.googleapis.com/syzbot-
>> assets/eeaa594bfd1f/vmlinux-db906f0c.xz
>>> kernel image: https://storage.googleapis.com/syzbot-
>> assets/5c8df8de79ec/bzImage-db906f0c.xz
>>>
>>> IMPORTANT: if you fix the issue, please add the following tag to the
>> commit:
>>> Reported-by: syzbot+17a207d226b8a5fb0fd9@xxxxxxxxxxxxxxxxxxxxxxxxx
>>
>> Operations from user space before kernel BUG hit:
>>
>> [pid 5043]
>> memfd_create("\x79\x10\x35\x25\xfa\x2c\x1f\x99\xa2\xc9\x8e\xcd\x5c\xfa
>> \xf6\x12\x95\x5e\xdf\x54\xe2\x3d\x0e\x7e\x46\xcd\x73\xa3\xff\x89\x3e\x
>> 84\xa9\x86\x86\xa2\x46\x90\x93\x98\x4e\x05\x65\x92\x4a\x77\xce\x63\xc
>> e\x9f\x32\xc8\x02\x66\x03\x07\x6d\x08\xb4\x48\x8f\x9e\xa5\x16\x8f\x61\
>> xff\xb2\x22\x8a\x15\x13\xa2\x17\x25\x21\x54\x8b\xa1\xb9\x2d\x13\xf9\x
>> 6f\x67\x95\x9d\x54\xef\xca\x68\x77\xf5\xff\x75\x7f\x75\xb8\x2a\xd3"...,
>> MFD_ALLOW_SEALING) = 3
>> [pid 5043] ftruncate(3, 65535) = 0
>> [pid 5043] fcntl(3, F_ADD_SEALS,
>> F_SEAL_SEAL|F_SEAL_SHRINK|F_SEAL_GROW) = 0
>> [pid 5043] openat(AT_FDCWD, "/dev/udmabuf", O_RDWR) = 4
>> [pid 5043] ioctl(4, UDMABUF_CREATE, 0x20000000) = 5
>> [pid 5043] mmap(0x20667000, 16384,
>> PROT_WRITE|PROT_EXEC|PROT_SEM|PROT_GROWSDOWN,
>> MAP_SHARED|MAP_FIXED|MAP_POPULATE|MAP_STACK, 5, 0) = 0x20667000
>>
>> The crash happens when test app tried to close the memfd.
>>
>>
>> It's like test app created udmabuf above memfd. But didn't boost memfd
>> refcount.
>> And mmap with MAP_POPULATE make the underneath folios mapped.
>>
>> When memfd is closed without munmap 0x20667000, the memfd refcount
>> hit zero and
>> trigger evict() and hit
>> VM_BUG_ON_FOLIO(folio_mapped(folio), folio);
>>
>>
>> Related test code:
>>
>> res = syscall(__NR_memfd_create, /*name=*/0x20000040ul, /*flags=*/2ul);
>> if (res != -1)
>> r[0] = res;
>> syscall(__NR_ftruncate, /*fd=*/r[0], /*len=*/0xfffful);
>> syscall(__NR_fcntl, /*fd=*/r[0], /*cmd=*/0x409ul, /*seals=*/7ul);
>> memcpy((void*)0x200001c0, "/dev/udmabuf\000", 13);
>> res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x200001c0ul,
>> /*flags=*/2ul, 0);
>> if (res != -1)
>> r[1] = res;
>> *(uint32_t*)0x20000000 = r[0];
>> *(uint32_t*)0x20000004 = 0;
>> *(uint64_t*)0x20000008 = 0;
>> *(uint64_t*)0x20000010 = 0x8000;
>> res = syscall(__NR_ioctl, /*fd=*/r[1], /*cmd=*/0x40187542,
>> /*arg=*/0x20000000ul);
>> if (res != -1)
>> r[2] = res;
>> syscall(__NR_mmap, /*addr=*/0x20667000ul, /*len=*/0x4000ul,
>> /*prot=*/0x100000eul, /*flags=*/0x28011ul, /*fd=*/r[2],
>> /*offset=*/0ul);
>> close_fds();
>>
>>
>> Should memfd refcount increased when create udmabuf above it? Thanks.
> I think the following patch should fix this crash:
> https://lists.freedesktop.org/archives/dri-devel/2023-August/418952.html
Yes. This patch avoid playing with struct page when mmap memory to user
space. And avoid make pages marked as mapped.
Regards
Yin, Fengwei
>
> Thanks,
> Vivek
>>
>> Regards
>> Yin, Fengwei
>>
>>>
>>> search_binary_handler fs/exec.c:1739 [inline]
>>> exec_binprm fs/exec.c:1781 [inline]
>>> bprm_execve fs/exec.c:1856 [inline]
>>> bprm_execve+0x80a/0x1a50 fs/exec.c:1812
>>> do_execveat_common.isra.0+0x5d3/0x740 fs/exec.c:1964
>>> do_execve fs/exec.c:2038 [inline]
>>> __do_sys_execve fs/exec.c:2114 [inline]
>>> __se_sys_execve fs/exec.c:2109 [inline]
>>> __x64_sys_execve+0x8c/0xb0 fs/exec.c:2109
>>> do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>>> do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
>>> entry_SYSCALL_64_after_hwframe+0x63/0xcd
>>> ------------[ cut here ]------------
>>> kernel BUG at mm/filemap.c:158!
>>> invalid opcode: 0000 [#1] PREEMPT SMP KASAN
>>> CPU: 0 PID: 5043 Comm: syz-executor729 Not tainted 6.5.0-syzkaller-11275-
>> gdb906f0ca6bb #0
>>> Hardware name: Google Google Compute Engine/Google Compute Engine,
>> BIOS Google 07/26/2023
>>> RIP: 0010:filemap_unaccount_folio+0x62e/0x870 mm/filemap.c:158
>>> Code: 0f 85 68 01 00 00 8b 6b 5c 31 ff 89 ee e8 6a 3e d2 ff 85 ed 7e 16 e8 f1
>> 42 d2 ff 48 c7 c6 c0 3b 97 8a 48 89 df e8 a2 58 10 00 <0f> 0b e8 db 42 d2 ff 48
>> 8d 6b 58 be 04 00 00 00 48 89 ef e8 0a 0d
>>> RSP: 0018:ffffc900039ef828 EFLAGS: 00010093
>>> RAX: 0000000000000000 RBX: ffffea0001cfe400 RCX: 0000000000000000
>>> RDX: ffff88807e171dc0 RSI: ffffffff81b559ae RDI: 0000000000000000
>>> RBP: 0000000000000000 R08: 0000000000000000 R09: fffffbfff1d9be7a
>>> R10: ffffffff8ecdf3d7 R11: 0000000000000001 R12: ffff8880258003b8
>>> R13: ffffea0001cfe400 R14: ffffea0001cfe418 R15: ffffea0001cfe420
>>> FS: 0000555556b42380(0000) GS:ffff8880b9800000(0000)
>> knlGS:0000000000000000
>>> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>>> CR2: 00000000005fdeb8 CR3: 000000007a443000 CR4: 00000000003506f0
>>> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
>>> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
>>> Call Trace:
>>> <TASK>
>>> __filemap_remove_folio+0x110/0x820 mm/filemap.c:227
>>> filemap_remove_folio+0xca/0x210 mm/filemap.c:260
>>> truncate_inode_folio+0x49/0x70 mm/truncate.c:195
>>> shmem_undo_range+0x365/0x1040 mm/shmem.c:1018
>>> shmem_truncate_range mm/shmem.c:1114 [inline]
>>> shmem_evict_inode+0x392/0xb50 mm/shmem.c:1243
>>> evict+0x2ed/0x6b0 fs/inode.c:664
>>> iput_final fs/inode.c:1775 [inline]
>>> iput.part.0+0x55e/0x7a0 fs/inode.c:1801
>>> iput+0x5c/0x80 fs/inode.c:1791
>>> dentry_unlink_inode+0x292/0x430 fs/dcache.c:401
>>> __dentry_kill+0x3b8/0x640 fs/dcache.c:607
>>> dentry_kill fs/dcache.c:733 [inline]
>>> dput+0x8dd/0xfd0 fs/dcache.c:913
>>> __fput+0x536/0xa70 fs/file_table.c:392
>>> __fput_sync+0x47/0x50 fs/file_table.c:465
>>> __do_sys_close fs/open.c:1572 [inline]
>>> __se_sys_close fs/open.c:1557 [inline]
>>> __x64_sys_close+0x87/0xf0 fs/open.c:1557
>>> do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>>> do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
>>> entry_SYSCALL_64_after_hwframe+0x63/0xcd
>>> RIP: 0033:0x7f6700c6aa90
>>> Code: ff f7 d8 64 89 02 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 66
>> 90 80 3d f1 85 07 00 00 74 17 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 48 c3
>> 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c
>>> RSP: 002b:00007ffd27935ca8 EFLAGS: 00000202 ORIG_RAX:
>> 0000000000000003
>>> RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007f6700c6aa90
>>> RDX: 0000000000000000 RSI: 0000000000004000 RDI: 0000000000000003
>>> RBP: 00007ffd27935cc0 R08: 0000000000000005 R09: 0000000000000000
>>> R10: 0000000000028011 R11: 0000000000000202 R12: 00007f6700cde5f0
>>> R13: 00007ffd27935ea8 R14: 0000000000000001 R15: 0000000000000001
>>> </TASK>
>>> Modules linked in:
>>> ---[ end trace 0000000000000000 ]---
>>> RIP: 0010:filemap_unaccount_folio+0x62e/0x870 mm/filemap.c:158
>>> Code: 0f 85 68 01 00 00 8b 6b 5c 31 ff 89 ee e8 6a 3e d2 ff 85 ed 7e 16 e8 f1
>> 42 d2 ff 48 c7 c6 c0 3b 97 8a 48 89 df e8 a2 58 10 00 <0f> 0b e8 db 42 d2 ff 48
>> 8d 6b 58 be 04 00 00 00 48 89 ef e8 0a 0d
>>> RSP: 0018:ffffc900039ef828 EFLAGS: 00010093
>>> RAX: 0000000000000000 RBX: ffffea0001cfe400 RCX: 0000000000000000
>>> RDX: ffff88807e171dc0 RSI: ffffffff81b559ae RDI: 0000000000000000
>>> RBP: 0000000000000000 R08: 0000000000000000 R09: fffffbfff1d9be7a
>>> R10: ffffffff8ecdf3d7 R11: 0000000000000001 R12: ffff8880258003b8
>>> R13: ffffea0001cfe400 R14: ffffea0001cfe418 R15: ffffea0001cfe420
>>> FS: 0000555556b42380(0000) GS:ffff8880b9800000(0000)
>> knlGS:0000000000000000
>>> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>>> CR2: 00000000005fdeb8 CR3: 000000007a443000 CR4: 00000000003506f0
>>> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
>>> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
>>>
>>>
>>> ---
>>> This report is generated by a bot. It may contain errors.
>>> See https://goo.gl/tpsmEJ for more information about syzbot.
>>> syzbot engineers can be reached at syzkaller@xxxxxxxxxxxxxxxx.
>>>
>>> syzbot will keep track of this issue. See:
>>> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
>>>
>>> If the bug is already fixed, let syzbot know by replying with:
>>> #syz fix: exact-commit-title
>>>
>>> If you want syzbot to run the reproducer, reply with:
>>> #syz test: git://repo/address.git branch-or-commit-hash
>>> If you attach or paste a git patch, syzbot will apply it before testing.
>>>
>>> If you want to overwrite bug's subsystems, reply with:
>>> #syz set subsystems: new-subsystem
>>> (See the list of subsystem names on the web dashboard)
>>>
>>> If the bug is a duplicate of another bug, reply with:
>>> #syz dup: exact-subject-of-another-report
>>>
>>> If you want to undo deduplication, reply with:
>>> #syz undup
>>>
>