[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <ZVUeWvO4ypVmqlyX@casper.infradead.org>
Date: Wed, 15 Nov 2023 19:39:06 +0000
From: Matthew Wilcox <willy@...radead.org>
To: Hugh Dickins <hughd@...gle.com>
Cc: linux-arm-kernel@...ts.infradead.org, akpm@...ux-foundation.org,
linux-kernel@...r.kernel.org, linux-mm@...ck.org,
syzkaller-bugs@...glegroups.com, jose.pekkarinen@...hound.fi
Subject: Re: [syzbot] [mm?] BUG: unable to handle kernel paging request in
__pte_offset_map_lock
On Thu, Oct 26, 2023 at 11:07:35PM -0700, Hugh Dickins wrote:
> I've spent a while worrying over this report, but have not been able
> glean much from it: I'm not at all familiar with arm64 debugging, so
> cannot deduce anything from the registers shown, though suspect they
> would shed good light on it; but it may just be a waste of time, since
> it was on a transient 6.6-rc6-based for-kernelci branch from last week.
>
> If I read right, the reproducer is exercising MADV_PAGEOUT (splitting
> huge pages) and MADV_COLLAPSE (assembling huge pages), on mmaps
> MAP_FIXED MAP_SHARED MAP_ANONYMOUS i.e. shmem.
>
> Suspicion falls on my 6.6-rc1 mm/khugepaged.c changes; but I don't see
> what's wrong, and shall probably give up and ignore this - unless an
> arm64 expert can take it further, or syzbot reproduces it on x86 on a
> known tree.
Just to tie the two threads together ... it looks to me like what's
happening is __pte_offset_map_lock() is racing with pagetable_pte_dtor().
That is, we're walking the page tables, find a pmd, look up its
page/ptdesc, but because CONFIG_LOCKDEP is enabled, ptdesc->ptl is a
pointer to a lock, and that pointer is NULL.
More discussion here:
https://lore.kernel.org/linux-mm/ZVUWLgFgu+jE3QmW@casper.infradead.org/T/#t
Powered by blists - more mailing lists