On Tue 21-12-21 15:57:36, Andrew Morton wrote:
> On Sat, 18 Dec 2021 06:04:22 -0800 syzbot <syzbot+bc9e2d2dbcb347dd215a@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
> > syzbot has found a reproducer for the following issue on:
> >
> > HEAD commit: fbf252e09678 Add linux-next specific files for 20211216
> > git tree: linux-next
> > console output: https://syzkaller.appspot.com/x/log.txt?x=1797de99b00000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=7fcbb9aa19a433c8
> > dashboard link: https://syzkaller.appspot.com/bug?extid=bc9e2d2dbcb347dd215a
> > compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=135d179db00000
> > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=113edb6db00000
>
> Useful to have that, thanks.
>
> I'm suspecting that mptcp is doing something strange.

Yes.

> Could I ask the developers to please take a look?
>
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+bc9e2d2dbcb347dd215a@xxxxxxxxxxxxxxxxxxxxxxxxx
> >
> > R13: 00007ffdeb858640 R14: 00007ffdeb858680 R15: 0000000000000004
> > </TASK>
> > ------------[ cut here ]------------
> > page_counter underflow: -4294966651 nr_pages=4294967295

__mptcp_mem_reclaim_partial is trying to uncharge (via
__sk_mem_reduce_allocated) negative amount. nr_pages has overflown when
converted from int to unsigned int (-1). I would say that
__mptcp_mem_reclaim_partial has evaluated

	reclaimable = mptcp_sk(sk)->rmem_fwd_alloc - sk_unused_reserved_mem(sk)

to 0 and __mptcp_rmem_reclaim(sk, reclaimable - 1) made it -1.
--
Michal Hocko
SUSE Labs
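The conversion described in the message above, as a user-space model added here for illustration (not code from the thread or from the kernel). All struct and function names are hypothetical, the starting usage of 644 pages is inferred from the two numbers in the warning, and the guard is only one possible check, not the fix that was applied.

```c
#include <stdint.h>
#include <stdio.h>

/* User-space model only; every name below is hypothetical, not kernel code. */
struct model_counter {
    int64_t usage;   /* charged pages, signed so an underflow is visible */
    int underflowed; /* set when an uncharge drives usage below zero */
};

/* The uncharge side takes an unsigned page count (nr_pages in the warning). */
static void model_uncharge(struct model_counter *c, unsigned int nr_pages)
{
    c->usage -= (int64_t)nr_pages;
    if (c->usage < 0)
        c->underflowed = 1;
}

/* Unchecked path: the signed amount is converted as-is, so -1 becomes
 * UINT_MAX (4294967295 with a 32-bit unsigned int). */
static void reduce_unchecked(struct model_counter *c, int amount)
{
    model_uncharge(c, (unsigned int)amount);
}

/* Guarded path: reject non-positive amounts before the conversion.
 * Returns 0 when pages were uncharged, -1 when the amount was refused. */
static int reduce_checked(struct model_counter *c, int amount)
{
    if (amount <= 0)
        return -1;
    model_uncharge(c, (unsigned int)amount);
    return 0;
}

int main(void)
{
    int reclaimable = 0;                    /* value suggested in the mail */
    struct model_counter bad = { 644, 0 };  /* 644 is inferred from the log */
    struct model_counter ok = { 644, 0 };

    reduce_unchecked(&bad, reclaimable - 1);
    printf("unchecked: usage=%lld nr_pages=%u\n",
           (long long)bad.usage, (unsigned int)(reclaimable - 1));
    if (reduce_checked(&ok, reclaimable - 1) != 0)
        printf("checked: refused, usage=%lld\n", (long long)ok.usage);
    return 0;
}
```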