iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
6fc54303aa
linux/include/trace/events
History
Ivan Orlov 2ce0bdfebc mm: khugepaged: fix kernel BUG in hpage_collapse_scan_file() 
Syzkaller reported the following issue:

kernel BUG at mm/khugepaged.c:1823!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 5097 Comm: syz-executor220 Not tainted 6.2.0-syzkaller-13154-g857f1268a591 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/16/2023
RIP: 0010:collapse_file mm/khugepaged.c:1823 [inline]
RIP: 0010:hpage_collapse_scan_file+0x67c8/0x7580 mm/khugepaged.c:2233
Code: 00 00 89 de e8 c9 66 a3 ff 31 ff 89 de e8 c0 66 a3 ff 45 84 f6 0f 85 28 0d 00 00 e8 22 64 a3 ff e9 dc f7 ff ff e8 18 64 a3 ff <0f> 0b f3 0f 1e fa e8 0d 64 a3 ff e9 93 f6 ff ff f3 0f 1e fa 4c 89
RSP: 0018:ffffc90003dff4e0 EFLAGS: 00010093
RAX: ffffffff81e95988 RBX: 00000000000001c1 RCX: ffff8880205b3a80
RDX: 0000000000000000 RSI: 00000000000001c0 RDI: 00000000000001c1
RBP: ffffc90003dff830 R08: ffffffff81e90e67 R09: fffffbfff1a433c3
R10: 0000000000000000 R11: dffffc0000000001 R12: 0000000000000000
R13: ffffc90003dff6c0 R14: 00000000000001c0 R15: 0000000000000000
FS:  00007fdbae5ee700(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fdbae6901e0 CR3: 000000007b2dd000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 madvise_collapse+0x721/0xf50 mm/khugepaged.c:2693
 madvise_vma_behavior mm/madvise.c:1086 [inline]
 madvise_walk_vmas mm/madvise.c:1260 [inline]
 do_madvise+0x9e5/0x4680 mm/madvise.c:1439
 __do_sys_madvise mm/madvise.c:1452 [inline]
 __se_sys_madvise mm/madvise.c:1450 [inline]
 __x64_sys_madvise+0xa5/0xb0 mm/madvise.c:1450
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

The xas_store() call during page cache scanning can potentially translate
'xas' into the error state (with the reproducer provided by the syzkaller
the error code is -ENOMEM).  However, there are no further checks after
the 'xas_store', and the next call of 'xas_next' at the start of the
scanning cycle doesn't increase the xa_index, and the issue occurs.

This patch will add the xarray state error checking after the xas_store()
and the corresponding result error code.

Tested via syzbot.

[akpm@linux-foundation.org: update include/trace/events/huge_memory.h's SCAN_STATUS]
Link: https://lkml.kernel.org/r/20230329145330.23191-1-ivan.orlov0322@gmail.com
Link: https://syzkaller.appspot.com/bug?id=7d6bb3760e026ece7524500fe44fb024a0e959fc
Signed-off-by: Ivan Orlov <ivan.orlov0322@gmail.com>
Reported-by: syzbot+9578faa5475acb35fa50@syzkaller.appspotmail.com
Tested-by: Zach O'Keefe <zokeefe@google.com>
Cc: Yang Shi <shy828301@gmail.com>
Cc: Himadri Pandya <himadrispandya@gmail.com>
Cc: Ivan Orlov <ivan.orlov0322@gmail.com>
Cc: Shuah Khan <skhan@linuxfoundation.org>
Cc: Song Liu <songliubraving@fb.com>
Cc: Rik van Riel <riel@surriel.com>
Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2023-04-18 16:29:43 -07:00
..
9p.h 9p fid refcount: add a 9p_fid_ref tracepoint 2022-07-02 18:52:21 +09:00
afs.h afs: Fix access after dec in put functions 2022-08-02 18:21:29 +01:00
alarmtimer.h
asoc.h ASoC: soc-core: tidyup jack.h 2020-11-30 12:54:01 +00:00
avc.h
bcache.h block: remove superfluous param in blk_fill_rwbs() 2021-02-22 06:37:41 -07:00
block.h block: introduce block_rq_error tracepoint 2022-02-11 10:00:16 -07:00
bpf_test_run.h
bridge.h net: bridge: Add a tracepoint for MDB overflows 2023-02-06 08:48:25 +00:00
btrfs.h btrfs: introduce size class to block group allocator 2023-02-13 17:50:34 +01:00
cachefiles.h fscache,cachefiles: add prepare_ondemand_read() callback 2022-12-07 10:56:29 +08:00
cgroup.h cgroup: Trace event cgroup id fields should be u64 2021-12-01 07:23:35 -10:00
clk.h clk: Add trace events for rate requests 2022-12-07 13:54:09 -08:00
cma.h trace: cma: remove unnecessary event class cma_alloc_class 2023-04-05 19:42:58 -07:00
compaction.h tracing: incorrect gfp_t conversion 2022-05-13 07:20:18 -07:00
context_tracking.h
cpuhp.h
damon.h mm/damon: hide kernel pointer from tracepoint event 2022-01-15 16:30:33 +02:00
devfreq.h
devlink.h devlink: Fix TP_STRUCT_entry in trace of devlink health report 2023-02-15 19:15:44 -08:00
dlm.h fs: dlm: add dst nodeid for msg tracing 2022-11-21 09:45:49 -06:00
dma_fence.h treewide: Add missing semicolons to __assign_str uses 2021-06-30 09:19:14 -04:00
erofs.h erofs: remove unused EROFS_GET_BLOCKS_RAW flag 2023-02-15 08:11:26 +08:00
error_report.h panic: use error_report_end tracepoint on warnings 2022-01-20 08:52:55 +02:00
ext4.h ext4: disable fast-commit of encrypted dir operations 2022-12-08 21:49:24 -05:00
f2fs.h f2fs: use iostat_lat_type directly as a parameter in the iostat_update_and_unbind_ctx() 2023-02-07 10:39:28 -08:00
fib6.h tracing/ipv4/ipv6: Use static array for name field in fib*_lookup_table event 2022-07-15 13:35:59 -04:00
fib.h tracing/ipv4/ipv6: Use static array for name field in fib*_lookup_table event 2022-07-15 13:35:59 -04:00
filelock.h
filemap.h filemap: Convert tracing of page cache operations to folio 2022-01-04 13:15:33 -05:00
fs_dax.h
fscache.h fscache: Fix oops due to race with cookie_lru and use_cookie 2022-12-07 11:49:18 -08:00
fsi_master_aspeed.h fsi: Add trace events in initialization path 2022-02-21 19:38:54 +10:30
fsi_master_ast_cf.h
fsi_master_gpio.h
fsi.h fsi: Add trace events in initialization path 2022-02-21 19:38:54 +10:30
gpio.h
gpu_mem.h
habanalabs.h habanalabs: define events to trace PCI LBW access 2023-01-26 11:52:11 +02:00
host1x.h
huge_memory.h mm: khugepaged: fix kernel BUG in hpage_collapse_scan_file() 2023-04-18 16:29:43 -07:00
hwmon.h
i2c_slave.h i2c: add tracepoints for I2C slave events 2022-03-20 00:11:05 +01:00
i2c.h
ib_mad.h IB/mad: Don't call to function that might sleep while in atomic context 2022-11-10 10:57:15 +02:00
ib_umad.h
initcall.h
intel_ifs.h trace: platform/x86/intel/ifs: Add trace point to track Intel IFS operations 2022-05-12 15:35:29 +02:00
intel_ish.h
intel-sst.h
io_uring.h io_uring: trace local task work run 2022-09-21 10:30:42 -06:00
iocost.h blk-iocost: Trace vtime_base_rate instead of vtime_rate 2022-12-01 07:44:12 -07:00
iommu.h iommu: Remove detach_dev callback 2023-01-13 16:39:18 +01:00
ipi.h
irq_matrix.h
irq.h
iscsi.h scsi: iscsi: tracing: Use the new __vstring() helper 2022-07-19 11:20:25 -04:00
jbd2.h jbd2: use the correct print format 2022-12-08 21:49:12 -05:00
kmem.h mm: convert mm's rss stats into percpu_counter 2022-11-30 15:58:40 -08:00
ksm.h mm: add tracepoints to ksm 2023-03-28 16:20:08 -07:00
kvm.h KVM: x86/mmu: rename trace function name for asynchronous page fault 2022-08-10 15:08:26 -04:00
kyber.h kyber: avoid q->disk dereferences in trace points 2021-10-15 21:02:57 -06:00
libata.h ata: libata: add qc->flags in ata_qc_complete_template tracepoint 2022-06-17 16:30:03 +09:00
lock.h locking/mutex: Make contention tracepoints more consistent wrt adaptive spinning 2022-04-05 10:24:36 +02:00
maple_tree.h Maple Tree: add new data structure 2022-09-26 19:46:13 -07:00
mce.h
mctp.h mctp: Add SIOCMCTP{ALLOC,DROP}TAG ioctls for tag control 2022-02-09 12:00:11 +00:00
mdio.h
migrate.h mm/migration: add trace events for base page and HugeTLB migrations 2022-03-24 19:06:45 -07:00
mlxsw.h
mmap_lock.h mm: mmap_lock: use DECLARE_EVENT_CLASS and DEFINE_EVENT_FN 2021-11-06 13:30:36 -07:00
mmap.h mm: mmap: remove newline at the end of the trace 2023-03-23 17:18:36 -07:00
mmc.h
mmflags.h kasan: remove PG_skip_kasan_poison flag 2023-03-28 16:20:16 -07:00
module.h
mptcp.h mptcp: dump infinite_map field in mptcp_dump_mpext 2022-04-23 11:51:05 +01:00
napi.h
nbd.h
neigh.h neighbor: tracing: Have neigh_create event use __string() 2022-07-15 13:35:59 -04:00
net_probe_common.h
net.h net: Print hashed skb addresses for all net and qdisc events 2022-06-27 11:57:06 +01:00
netfs.h netfs: Add a function to consolidate beginning a read 2022-03-18 09:29:05 +00:00
netlink.h netlink: add tracepoint at NL_SET_ERR_MSG 2021-02-04 18:05:59 -08:00
nilfs2.h fs/nilfs2: Use the enum req_op and blk_opf_t types 2022-07-14 12:14:33 -06:00
nmi.h
objagg.h
oom.h
osnoise.h tracing: Fix spelling in osnoise tracer "interferences" -> "interference" 2021-06-28 14:12:27 -04:00
page_isolation.h
page_pool.h mm, tracing: unify PFN format strings 2021-06-29 10:53:52 -07:00
page_ref.h mm: introduce PAGEFLAGS_MASK to replace ((1UL << NR_PAGEFLAGS) - 1) 2021-09-08 11:50:24 -07:00
pagemap.h mm/lru: Convert __pagevec_lru_add_fn to take a folio 2021-10-18 07:49:40 -04:00
percpu.h include/trace/events/percpu.h: cleanup for "percpu: improve percpu_alloc_percpu event trace" 2022-05-25 10:47:48 -07:00
power_cpu_migrate.h
power.h cpuidle: Add cpu_idle_miss trace event 2022-08-03 17:50:58 +02:00
preemptirq.h
printk.h
pwc.h
pwm.h pwm/tracing: Also record trace events for failed API calls 2022-12-06 12:46:23 +01:00
qdisc.h net: Print hashed skb addresses for all net and qdisc events 2022-06-27 11:57:06 +01:00
qla.h scsi: qla2xxx: tracing: Use the new __vstring() helper 2022-07-19 11:20:25 -04:00
qrtr.h
rcu.h rcu: Refactor rcu_barrier() empty-list handling 2022-02-08 10:12:28 -08:00
rdma_core.h
regulator.h
rpcgss.h SUNRPC: Record gss_wrap() errors in svcauth_gss_wrap_priv() 2023-02-20 09:20:25 -05:00
rpcrdma.h trace: Relocate event helper files 2022-12-10 11:01:12 -05:00
rpm.h
rseq.h tracing/rseq: Add mm_cid field to rseq_update 2022-12-27 12:52:15 +01:00
rtc.h
rv.h rv/monitor: Add the wwnr monitor 2022-07-30 14:01:30 -04:00
rwmmio.h asm-generic/io: Add _RET_IP_ to MMIO trace for more accurate debug info 2022-11-21 22:02:10 +01:00
rxrpc.h rxrpc: Fix overproduction of wakeups to recvmsg() 2023-02-20 08:33:25 +01:00
sched.h sched/tracing: Append prev_state to tp args instead 2022-05-12 00:37:11 +02:00
scmi.h include: trace: Add platform and channel instance references 2023-01-20 11:40:57 +00:00
scsi.h scsi: trace: Print driver_tag and scheduler_tag in SCSI trace 2022-06-21 21:43:23 -04:00
sctp.h
signal.h
siox.h
skb.h net: add location to trace_consume_skb() 2023-02-20 08:28:49 +00:00
smbus.h
sock.h net/sock: Introduce trace_sk_data_ready() 2023-01-23 11:26:50 +00:00
sof_intel.h ASoC: SOF: Intel: replace dev_vdbg with tracepoints 2022-09-19 15:44:06 +01:00
sof.h ASoC: SOF: replace ipc4-loader dev_vdbg with tracepoints 2022-09-19 15:44:08 +01:00
spi.h spi: Enable tracing of the SPI setup CS selection 2021-05-26 21:22:13 +01:00
spmi.h spmi: trace: fix stack-out-of-bound access in SPMI tracing functions 2022-07-24 16:16:44 +02:00
sunrpc.h SUNRPC: Clean up the svc_xprt_flags() macro 2023-02-20 09:20:54 -05:00
sunvnet.h
swiotlb.h swiotlb: make the swiotlb_init interface more useful 2022-04-18 07:21:11 +02:00
syscalls.h
target.h
task.h
tcp.h tcp: Add tracepoint for tcp_set_ca_state 2022-04-07 20:33:15 -07:00
tegra_apb_dma.h
thermal_power_allocator.h
thermal_pressure.h arch_topology: Trace the update thermal pressure 2022-05-06 09:57:38 +02:00
thermal.h drivers/thermal/cpufreq_cooling : Refactor thermal_power_cpu_get_power tracing 2022-07-28 17:29:42 +02:00
thp.h mm/migration: add trace events for THP migrations 2022-03-24 19:06:45 -07:00
timer.h tracing/timer: Add missing argument documentation of trace points 2022-04-14 16:14:49 +02:00
tlb.h
udp.h
ufs.h scsi: ufs: core: Enable power management for wlun 2021-05-10 22:28:20 -04:00
v4l2.h
vb2.h
vmalloc.h mm: vmalloc: add free_vmap_area_noflush trace event 2022-11-08 17:37:17 -08:00
vmscan.h tracing: incorrect isolate_mote_t cast in mm_vmscan_lru_isolate 2022-05-19 14:08:55 -07:00
vsock_virtio_transport_common.h virtio/vsock: update trace event for SEQPACKET 2021-06-11 13:32:47 -07:00
watchdog.h watchdog: Add tracing events for the most usual watchdog events 2022-10-12 09:47:02 +02:00
wbt.h
workqueue.h workqueue: Fix type of cpu in trace event 2022-06-07 07:09:47 -10:00
writeback.h remove congestion tracking framework 2022-03-22 15:57:01 -07:00
xdp.h xdp: Extend xdp_redirect_map with broadcast support 2021-05-26 09:46:16 +02:00
xen.h x86/mm/tlb: Flush remote and local TLBs concurrently 2021-03-06 12:59:10 +01:00