lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 26 Jun 2024 12:40:19 +0200
From: Mateusz Guzik <mjguzik@...il.com>
To: Sidhartha Kumar <sidhartha.kumar@...cle.com>
Cc: linux-kernel@...r.kernel.org, maple-tree@...ts.infradead.org, 
	linux-mm@...ck.org, akpm@...ux-foundation.org, liam.howlett@...cle.com, 
	zhangpeng.00@...edance.com, willy@...radead.org, linux-next@...r.kernel.org
Subject: Re: [PATCH 13/18] maple_tree: simplify mas_commit_b_node()

On Tue, Jun 04, 2024 at 10:41:40AM -0700, Sidhartha Kumar wrote:
> Use mas->store_type to simplify the logic of identifying the type of
> write.
> 
> Signed-off-by: Sidhartha Kumar <sidhartha.kumar@...cle.com>
> ---
>  lib/maple_tree.c | 6 ++----
>  1 file changed, 2 insertions(+), 4 deletions(-)
> 
> diff --git a/lib/maple_tree.c b/lib/maple_tree.c
> index 314691fd1c67..faadddbe2086 100644
> --- a/lib/maple_tree.c
> +++ b/lib/maple_tree.c
> @@ -3437,12 +3437,10 @@ static noinline_for_kasan int mas_commit_b_node(struct ma_wr_state *wr_mas,
>  	enum maple_type b_type = b_node->type;
>  
>  	old_enode = wr_mas->mas->node;
> -	if ((b_end < mt_min_slots[b_type]) &&
> -	    (!mte_is_root(old_enode)) &&
> -	    (mas_mt_height(wr_mas->mas) > 1))
> +	if (wr_mas->mas->store_type == wr_rebalance)
>  		return mas_rebalance(wr_mas->mas, b_node);
>  
> -	if (b_end >= mt_slots[b_type])
> +	if (wr_mas->mas->store_type == wr_split_store)
>  		return mas_split(wr_mas->mas, b_node);
>  
>  	if (mas_reuse_node(wr_mas, b_node, end))


This reliably results in "kernel BUG at mm/mmap.c:3412!".

bt below

reliably reproduces as follows: spawn "perf top", hit enter twice to
disassemble a func. tui hangs indefinitely, console shows the splat
below.

I verified going one commit down produces a working kernel.

kernel BUG at mm/mmap.c:3412!
[   35.820042] Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
[   35.821101] CPU: 4 PID: 1066 Comm: perf-top-UI Tainted: G        W          6.10.0-rc5-00304-g30e5748b1d44 #155
[   35.822929] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.1-0-g3208b098f51a-prebuilt.qemu.org 04/01/2014
[   35.824957] RIP: 0010:exit_mmap+0x392/0x3a0
[   35.825794] Code: ef e8 02 9f fe ff eb d7 be 01 00 00 00 48 89 ef e8 73 a3 fe ff eb be 31 f6 48 89 ef
e8 a7 a2 fe ff eb a8 0f 0b e9 75 fe ff ff <0f> 0b e8 a7 b2 c1 00 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90
[   35.829141] RSP: 0018:ff7fe6c8c2393c40 EFLAGS: 00010293
[   35.830103] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[   35.831398] RDX: ff39fe34499c3c00 RSI: 0000000000000001 RDI: ff39fe34499c3c08
[   35.832705] RBP: ff39fe3441a28580 R08: 000000000000000c R09: 0000000000000060
[   35.834010] R10: ff39fe3450ad5600 R11: 0000000000000000 R12: 00000000000000e8
[   35.835295] R13: 0000000000003593 R14: ff39fe3441a28628 R15: ff39fe3441a285c0
[   35.836569] FS:  0000000000000000(0000) GS:ff39fe39a7700000(0000) knlGS:0000000000000000
[   35.838042] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   35.839093] CR2: 00007efd624f39ed CR3: 000000010130e001 CR4: 0000000000371ef0
[   35.840389] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   35.841892] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
[   35.843182] Call Trace:
[   35.843646]  <TASK>
[   35.844051]  ? die+0x36/0x90
[   35.844602]  ? do_trap+0xdd/0x100
[   35.845226]  ? exit_mmap+0x392/0x3a0
[   35.845915]  ? do_error_trap+0x65/0x80
[   35.846614]  ? exit_mmap+0x392/0x3a0
[   35.847287]  ? exc_invalid_op+0x50/0x70
[   35.847999]  ? exit_mmap+0x392/0x3a0
[   35.848662]  ? asm_exc_invalid_op+0x1a/0x20
[   35.849437]  ? exit_mmap+0x392/0x3a0
[   35.850120]  __mmput+0x3d/0x130
[   35.850713]  begin_new_exec+0x4ed/0xb00
[   35.851428]  ? load_elf_phdrs+0x6c/0xc0
[   35.852150]  load_elf_binary+0x2ca/0x15a0
[   35.852890]  ? __kernel_read+0x1d8/0x2f0
[   35.853621]  ? __kernel_read+0x1d8/0x2f0
[   35.854348]  ? load_misc_binary+0x1f6/0x310
[   35.855113]  bprm_execve+0x243/0x600
[   35.855784]  do_execveat_common.isra.0+0x1bd/0x220
[   35.856672]  __x64_sys_execve+0x36/0x40
[   35.857384]  do_syscall_64+0x52/0x150
[   35.858088]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
[   35.859014] RIP: 0033:0x7efd624f3a17
[   35.859677] Code: Unable to access opcode bytes at 0x7efd624f39ed.
[   35.860790] RSP: 002b:00007efd48bf8dc8 EFLAGS: 00000202 ORIG_RAX: 000000000000003b
[   35.862170] RAX: ffffffffffffffda RBX: 000055e5736a44e3 RCX: 00007efd624f3a17
[   35.863472] RDX: 000055e59c315000 RSI: 00007efd48bf9050 RDI: 000055e5736a44e3
[   35.864768] RBP: 00007efd48bf8e40 R08: 0000000000000000 R09: 00007efd48c006c0
[   35.866475] R10: 00007efd62430e50 R11: 0000000000000202 R12: 00007efd48bf9050
[   35.868167] R13: 000055e59c315000 R14: 0000000000000001 R15: 0000000000000001
[   35.869873]  </TASK>
[   35.870676] Modules linked in:
[   35.871944] ---[ end trace 0000000000000000 ]---

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ