| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 8 Feb 2023 16:24:15 +0800
From: Pengfei Xu <pengfei.xu@...el.com>
To: <shy828301@...il.com>, <linux-kernel@...r.kernel.org>
CC: <naoya.horiguchi@....com>, <hughd@...gle.com>,
<kirill.shutemov@...ux.intel.com>, <heng.su@...el.com>,
<pengfei.xu@...el.com>, <willy@...radead.org>, <osalvador@...e.de>,
<peterx@...hat.com>, <akpm@...ux-foundation.org>
Subject: [Syzkaller & bisect] There is "split_huge_page_to_list" WARNING in
v6.2-rc7 kernel
Hi Yang Shi and kernel expert,
Greeting!
There is "split_huge_page_to_list" WARNING in v6.2-rc7 kernel in guest.
[ 30.076996] Injecting memory failure for pfn 0x18eef at process virtual address 0x20cef000
[ 30.077554] page:000000005a337492 refcount:2 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x18e00
[ 30.078118] head:000000005a337492 order:9 compound_mapcount:0 subpages_mapcount:0 compound_pincount:0
[ 30.078632] flags: 0xfffffc0010001(locked|head|node=0|zone=1|lastcpupid=0x1fffff)
[ 30.079065] raw: 000fffffc0010001 0000000000000000 dead000000000122 0000000000000000
[ 30.079507] raw: 0000000000000000 0000000000000000 00000002ffffffff 0000000000000000
[ 30.079940] page dumped because: VM_WARN_ON_ONCE_FOLIO(is_hzp)
[ 30.080449] ------------[ cut here ]------------
[ 30.080715] WARNING: CPU: 1 PID: 517 at mm/huge_memory.c:2667 split_huge_page_to_list+0x1629/0x3970
[ 30.081257] Modules linked in:
[ 30.081452] CPU: 1 PID: 517 Comm: repro Not tainted 6.2.0-rc7-4ec5183ec486 #1
[ 30.081891] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
[ 30.082530] RIP: 0010:split_huge_page_to_list+0x1629/0x3970
[ 30.082863] Code: 31 ff 44 89 e6 e8 d7 aa a2 ff 45 84 e4 75 1d e8 6d a9 a2 ff 48 c7 c6 e0 6b 79 85 48 89 df e8 fe b8 e5 ff c6 05 03 2d 98 05 01 <0f> 0b 41 bd f
[ 30.083879] RSP: 0018:ffff8880135b7af8 EFLAGS: 00010246
[ 30.084189] RAX: 0000000000000000 RBX: ffffea0000638000 RCX: ffffffff813dde2e
[ 30.084765] RDX: 0000000000000000 RSI: ffff88800f758000 RDI: 0000000000000002
[ 30.085359] RBP: ffff8880135b7c78 R08: ffffed100d9a62b2 R09: ffffed100d9a62b2
[ 30.085825] R10: ffff88806cd3158b R11: ffffed100d9a62b1 R12: 0000000000000000
[ 30.086227] R13: 0000000000000001 R14: 0000000000000000 R15: ffff8880135b7c50
[ 30.086628] FS: 00007efdb7675740(0000) GS:ffff88806cd00000(0000) knlGS:0000000000000000
[ 30.087083] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 30.087445] CR2: 00007efdb779a580 CR3: 0000000016be0005 CR4: 0000000000770ee0
[ 30.087916] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 30.088334] DR3: 0000000000000000 DR6: 00000000ffff07f0 DR7: 0000000000000400
[ 30.088738] PKRU: 55555554
[ 30.088902] Call Trace:
[ 30.089055] <TASK>
[ 30.089190] ? rcu_read_lock_sched_held+0xa9/0xd0
[ 30.089487] ? __pfx_rcu_read_lock_sched_held+0x10/0x10
[ 30.089812] ? rcu_read_lock_sched_held+0xa9/0xd0
[ 30.090237] ? __this_cpu_preempt_check+0x20/0x30
[ 30.090545] ? __pfx_split_huge_page_to_list+0x10/0x10
[ 30.090848] ? __this_cpu_preempt_check+0x20/0x30
[ 30.091148] ? lock_is_held_type+0xe6/0x140
[ 30.091618] ? mark_held_locks+0xb7/0x140
[ 30.091882] ? write_comp_data+0x2f/0x90
[ 30.092135] try_to_split_thp_page+0xbc/0x450
[ 30.092425] memory_failure+0xcfc/0x2ac0
[ 30.092675] ? __pfx_memory_failure+0x10/0x10
[ 30.092943] ? _printk+0xc/0xdc
[ 30.093156] ? __pfx__printk+0x10/0x10
[ 30.093384] ? write_comp_data+0x2f/0x90
[ 30.093633] ? __sanitizer_cov_trace_pc+0x25/0x60
[ 30.093922] ? write_comp_data+0x2f/0x90
[ 30.094172] do_madvise.cold.55+0x187/0x1a5
[ 30.094435] ? lockdep_hardirqs_on+0x8a/0x110
[ 30.094706] ? __pfx_do_madvise+0x10/0x10
[ 30.094960] ? write_comp_data+0x2f/0x90
[ 30.095207] ? __sanitizer_cov_trace_pc+0x25/0x60
[ 30.095496] ? __audit_syscall_entry+0x3e4/0x550
[ 30.095786] __x64_sys_madvise+0xb3/0x120
[ 30.096032] ? syscall_enter_from_user_mode+0x51/0x60
[ 30.096357] do_syscall_64+0x3b/0x90
[ 30.096585] entry_SYSCALL_64_after_hwframe+0x72/0xdc
[ 30.096895] RIP: 0033:0x7efdb779a59d
[ 30.097174] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 8
[ 30.098195] RSP: 002b:00007ffdbd086878 EFLAGS: 00000217 ORIG_RAX: 000000000000001c
[ 30.098623] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007efdb779a59d
[ 30.099027] RDX: 0000000000000064 RSI: 0000000000003000 RDI: 0000000020cef000
[ 30.099429] RBP: 00007ffdbd086880 R08: 00007ffdbd0868b0 R09: 00007ffdbd0868b0
[ 30.099831] R10: 0000000000000004 R11: 0000000000000217 R12: 0000000000401180
[ 30.100232] R13: 00007ffdbd0869a0 R14: 0000000000000000 R15: 0000000000000000
[ 30.100672] </TASK>
[ 30.100814] irq event stamp: 1591
[ 30.101014] hardirqs last enabled at (1599): [<ffffffff813dd0a1>] __up_console_sem+0x91/0xb0
[ 30.101507] hardirqs last disabled at (1606): [<ffffffff813dd086>] __up_console_sem+0x76/0xb0
[ 30.101994] softirqs last enabled at (1104): [<ffffffff8536af3f>] __do_softirq+0x53f/0x836
[ 30.102472] softirqs last disabled at (1017): [<ffffffff812498b0>] irq_exit_rcu+0x100/0x140
[ 30.102956] ---[ end trace 0000000000000000 ]---
[ 30.103229] Memory failure: 0x18eef: recovery action for unsplit thp: Ignored
Bisect and found the first bad commit is:
4966455d9100236fd6dd72b0cd00818435fdb25d
mm: hwpoison: handle non-anonymous THP correctly
Made the "revert above commit on top of v6.2-rc7 kernel" failed, so it's
just a clue for above issue.
Checked https://syzkaller.appspot.com/bug?id=904dd6aad6dd746b275792875fc52385eac81f04
didn't give the above commit info due to timeout.
Reproduced code from syzkaller, kconfig, bisect info, v6.2-rc7 reproduced
dmesg are in attached.
v6.2-rc7 bzImage and bisect detailed info is in link:
https://github.com/xupengfe/syzkaller_logs/tree/main/230206_205324_split_huge_page_to_list
How to reproduce this issue:
If you need the reproduced virtual machine environment:
git clone https://gitlab.com/xupengfe/repro_vm_env.git
cd repro_vm_env
tar -xvf repro_vm_env.tar.gz
cd repro_vm_env; ./start3.sh // it needs qemu-system-x86_64 and I used v7.1.0
// start3.sh will load bzImage_2241ab53cbb5cdb08a6b2d4688feb13971058f65 v6.2-rc5 kernel
// You could change the bzImage_xxx as you want
In vm and login with root, there is no password for root.
After login vm successfully, you could transfer reproduced binary to the VM
by below way, and reproduce the problem:
scp -P 10023 reproduced_binary root@...alhost:/root/
Get the bzImage:
target kernel:
Please use the provided kconfig and copy it to kernel_src/.config
make olddefconfig
make -jx bzImage //x should equal or less than cpu num your pc has
Fill the bzImage file into above start3.sh to load the target kernel vm.
Tips:
If you already have qemu-system-x86_64, please ignore below info.
If you want to install qemu v7.1.0 version,
git clone https://github.com/qemu/qemu.git
cd qemu
git checkout -f v7.1.0
mkdir build
cd build
yum install -y ninja-build.x86_64
../configure --target-list=x86_64-softmmu --enable-kvm --enable-vnc --enable-gtk --enable-sdl
make
make install
I hope it's helpful.
Thanks!
BR.
View attachment "repro.c" of type "text/plain" (7295 bytes)
View attachment "bisect_info.log" of type "text/plain" (3842 bytes)
View attachment "kconfig" of type "text/plain" (287948 bytes)
View attachment "4ec5183ec48656cec489c49f989c508b68b518e3_dmesg.log" of type "text/plain" (388154 bytes)
Powered by blists - more mailing lists