On Thu, Mar 23, 2017 at 7:02 PM, Mike Kravetz <mike.kravetz@xxxxxxxxxx> wrote:
> On 03/23/2017 10:25 AM, Mike Kravetz wrote:
>> On 03/23/2017 03:19 AM, Dmitry Vyukov wrote:
>>> Hello,
>>>
>>> I've got the following BUG while running the syzkaller fuzzer.
>>> Note the injected kmalloc failure; most likely it's the root cause.
>>
>> Thanks Dmitry,
>>
>> The BUG indicates someone called region_chg() in the process of adding
>> a hugetlbfs page reservation, but did not complete this 'two step'
>> process with a call to region_add() or region_abort(). Most likely a
>> missed call in an error path somewhere. :(
>>
>> I'll try to track this down. The hint of 'injected kmalloc failure'
>> should help.
>
> Actually, in this case I believe the bug is in hugetlb_reserve_pages.
> It calls region_chg(), but gets an error due to the injected kmalloc
> failure. At this point, the resv_map->adds_in_progress is 0 as it
> should be. However, the error path for hugetlb_reserve_pages calls
> region_abort(), which will unconditionally decrement adds_in_progress.
> So, adds_in_progress goes negative and we eventually BUG. :(
>
> I'll look for other misuses of region_chg()/region_add()/region_abort()
> and put together a patch.
>
> Dmitry, is there some way to run the fuzzer with kmalloc failure injection
> and target the hugetlbfs code? I suspect we could flush out other bugs.
> I noticed one other you discovered, and will look at that next.

syzkaller systematically targets all of the kernel code. So far I've seen
only these 2 involving hugetlbfs code. I don't think we need to do
anything special for hugetlbfs.

--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@xxxxxxxxx. For more info on Linux MM,
see: http://www.linux-mm.org/ .
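The adds_in_progress underflow Mike describes, as an added C model that is not kernel code and not the patch he refers to: region_chg() fails before it bumps the counter, yet the buggy caller's error path still calls region_abort(). The function names mirror the mail; the struct layout, the fail_alloc switch standing in for the injected kmalloc failure, and the reserve_pages_* callers are simplified constructs assumed for the demonstration.

```c
#include <errno.h>

/* Constructed stand-in for hugetlb's resv_map: only the counter the mail discusses. */
struct resv_map {
    long adds_in_progress;   /* region_chg() calls not yet closed by region_add()/region_abort() */
};

/* Simulated allocation failure, playing the role of the injected kmalloc failure. */
static int fail_alloc;
void set_alloc_failure(int fail) { fail_alloc = fail; }

/* Step 1 of the two-step reservation: on allocation failure it returns
 * before the in-progress count is touched, so nothing is pending. */
static long region_chg(struct resv_map *resv)
{
    if (fail_alloc)
        return -ENOMEM;
    resv->adds_in_progress++;
    return 1;                /* pages to reserve (constant in this model) */
}

/* Step 2, either outcome: both unconditionally close one pending add. */
static void region_add(struct resv_map *resv)   { resv->adds_in_progress--; }
static void region_abort(struct resv_map *resv) { resv->adds_in_progress--; }

/* Caller shaped like the error path in the mail: region_abort() runs
 * even though region_chg() never succeeded, so 0 becomes -1. */
long reserve_pages_buggy(struct resv_map *resv)
{
    long chg = region_chg(resv);
    if (chg < 0)
        goto out_err;
    region_add(resv);
    return 0;
out_err:
    region_abort(resv);      /* nothing pending to abort: counter underflows */
    return chg;
}

/* Caller that keeps the pairing honest (illustration, not the upstream fix):
 * a failed region_chg() left no pending add, so there is nothing to abort. */
long reserve_pages_fixed(struct resv_map *resv)
{
    long chg = region_chg(resv);
    if (chg < 0)
        return chg;
    region_add(resv);
    return 0;
}

/* Mirrors the invariant the kernel's BUG check enforces: never negative. */
int resv_map_consistent(const struct resv_map *resv) { return resv->adds_in_progress >= 0; }
```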