> >Hello, > >syzbot has tested the proposed patch but the reproducer is still triggering an issue: >kernel BUG at arch/x86/mm/physaddr.c:LINE! > >------------[ cut here ]------------ >kernel BUG at arch/x86/mm/physaddr.c:28! >invalid opcode: 0000 [#1] PREEMPT SMP KASAN >CPU: 0 PID: 6975 Comm: syz-executor.2 Not tainted 5.9.0-rc3-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 >RIP: 0010:__phys_addr+0xa7/0x110 arch/x86/mm/physaddr.c:28 >Code: 92 7d 09 4c 89 e3 31 ff 48 d3 eb 48 89 de e8 10 8e 3f 00 48 85 db 75 0d e8 66 91 3f 00 4c 89 e0 5b 5d 41 5c c3 e8 59 91 3f 00 <0f> 0b e8 52 91 3f 00 48 c7 c0 10 50 a9 89 48 ba 00 00 00 00 00 fc >RSP: 0018:ffffc900055e7a18 EFLAGS: 00010293 >RAX: 0000000000000000 RBX: 0000007700000000 RCX: ffffffff8134b948 >RDX: ffff8880a83c8280 RSI: ffffffff8134b9a7 RDI: 0000000000000006 >RBP: 0000007780000000 R08: 0000000000000001 R09: ffffffff8c5f4a57 >R10: 0000007780000000 R11: 0000000000000000 R12: 000077f700000000 >R13: ffffc900055e7a80 R14: 0000000000000200 R15: dffffc0000000000 >FS: 000000000221c940(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000 >CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 >CR2: 0000000000749198 CR3: 00000000a7df1000 CR4: 00000000001506f0 >DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 >DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: > virt_to_head_page include/linux/mm.h:848 [inline] qlink_to_cache mm/kasan/quarantine.c:128 [inline] > qlist_free_all+0xd9/0x170 mm/kasan/quarantine.c:165 > quarantine_reduce+0x17e/0x200 mm/kasan/quarantine.c:261 > __kasan_kmalloc.constprop.0+0x9e/0xd0 mm/kasan/common.c:442 slab_post_alloc_hook mm/slab.h:518 [inline] slab_alloc_node mm/slab.c:3254 [inline] > kmem_cache_alloc_node_trace+0x144/0x3f0 mm/slab.c:3592 kmalloc_node include/linux/slab.h:572 [inline] kzalloc_node include/linux/slab.h:677 [inline] > __get_vm_area_node+0x126/0x3b0 mm/vmalloc.c:2075 __vmalloc_node_range mm/vmalloc.c:2506 [inline] __vmalloc_node mm/vmalloc.c:2554 [inline] > vzalloc+0xf2/0x1a0 mm/vmalloc.c:2607 > do_ipt_get_ctl+0x613/0x9d0 net/ipv4/netfilter/ip_tables.c:800 > nf_getsockopt+0x72/0xd0 net/netfilter/nf_sockopt.c:116 ip_getsockopt net/ipv4/ip_sockglue.c:1778 [inline] > ip_getsockopt+0x164/0x1c0 net/ipv4/ip_sockglue.c:1757 > tcp_getsockopt+0x86/0xd0 net/ipv4/tcp.c:3876 > __sys_getsockopt+0x219/0x4c0 net/socket.c:2173 __do_sys_getsockopt net/socket.c:2188 [inline] __se_sys_getsockopt net/socket.c:2185 [inline] > __x64_sys_getsockopt+0xba/0x150 net/socket.c:2185 > do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 > entry_SYSCALL_64_after_hwframe+0x44/0xa9 >RIP: 0033:0x4600ca >Code: b8 34 01 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 3d 89 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 37 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 1a 89 fb ff c3 66 0f 1f 84 00 00 00 00 00 >RSP: 002b:00007fff61ca7778 EFLAGS: 00000216 ORIG_RAX: 0000000000000037 >RAX: ffffffffffffffda RBX: 00007fff61ca77a0 RCX: 00000000004600ca >RDX: 0000000000000041 RSI: 0000000000000000 RDI: 0000000000000003 >RBP: 0000000000749e60 R08: 00007fff61ca779c R09: 0000000000004000 >R10: 00007fff61ca7800 R11: 0000000000000216 R12: 00007fff61ca7800 >R13: 0000000000000003 R14: 00000000007497a0 R15: 0000000000000000 Modules linked in: >---[ end trace 58c08b00b19487d8 ]--- >RIP: 0010:__phys_addr+0xa7/0x110 arch/x86/mm/physaddr.c:28 >Code: 92 7d 09 4c 89 e3 31 ff 48 d3 eb 48 89 de e8 10 8e 3f 00 48 85 db 75 0d e8 66 91 3f 00 4c 89 e0 5b 5d 41 5c c3 e8 59 91 3f 00 <0f> 0b e8 52 91 3f 00 48 c7 c0 10 50 a9 89 48 ba 00 00 00 00 00 fc >RSP: 0018:ffffc900055e7a18 EFLAGS: 00010293 >RAX: 0000000000000000 RBX: 0000007700000000 RCX: ffffffff8134b948 >RDX: ffff8880a83c8280 RSI: ffffffff8134b9a7 RDI: 0000000000000006 >RBP: 0000007780000000 R08: 0000000000000001 R09: ffffffff8c5f4a57 >R10: 0000007780000000 R11: 0000000000000000 R12: 000077f700000000 >R13: ffffc900055e7a80 R14: 0000000000000200 R15: dffffc0000000000 >FS: 000000000221c940(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000 >CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 >CR2: 0000000000749198 CR3: 00000000a7df1000 CR4: 00000000001506f0 >DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 >DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 > > >Tested on: > >commit: 152d246f mmap: revert mm-mmap-merge-vma-after-call_mmap-if.. >git tree: https://github.com/Linmiaohe/linux vma_merge_fix >console output: https://syzkaller.appspot.com/x/log.txt?x=162e6cc5900000 >kernel config: https://syzkaller.appspot.com/x/.config?x=3c5f6ce8d5b68299 >dashboard link: https://syzkaller.appspot.com/bug?extid=c5d5a51dcbb558ca0cb5 >compiler: gcc (GCC) 10.1.0-syz 20200507 > I revert my previous commit altogether, d70cec8983241a ("mm: mmap: merge vma after call_mmap() if possible "), but there is still irrelevant issue. And with my previous commit and proposed patch, the origin general protection fault in unlink_file_vma disappeared. So I think this is another issue and the origin issue is fixed with my patch. Thanks.