Hello:
My Syzkaller instance reported the following issue on:
HEAD commit: 072e51356cd5a4a1c12c1020bc054c99b98333df Merge tag 'nfs-for-5.20-2' of git://git.linux-nfs.org/projects/trondmy/linux-nfs
git tree: upstream
kernel config: defconfig
compiler: gcc (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0
------------[ cut here ]------------ trying to isolate tail page WARNING: CPU: 0 PID: 6175 at mm/folio-compat.c:158 isolate_lru_page+0x130/0x140 Modules linked in: CPU: 0 PID: 6175 Comm: syz-executor.0 Not tainted 5.18.12 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 RIP: 0010:isolate_lru_page+0x130/0x140 Code: c3 89 c6 e8 22 4f f2 ff 85 db 75 0d e8 a9 4d f2 ff 44 89 e0 5b 5d 41 5c c3 e8 9c 4d f2 ff 48 c7 c7 a0 be 6a 93 e8 a9 f5 69 01 <0f> 0b eb de 66 66 2e 0f 1f 84 00 00 00 00 00 90 41 54 55 48 89 fd loop3: detected capacity change from 0 to 16383 RSP: 0018:ffff88800844f8b8 EFLAGS: 00010282 RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000 RDX: ffffc90000509000 RSI: ffff8880037997c0 RDI: ffffed1001089f09 RBP: ffffea000010b040 R08: ffffffff8117b3f8 R09: 0000000000000000 R10: 0000000000000005 R11: ffffed100d2c4ead R12: 00000000fffffff0 R13: ffff88800185aff0 R14: ffffea000010b048 R15: 0000000021000000 FS: 00007f8acbd46700(0000) GS:ffff888069600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000001b2c821000 CR3: 0000000005028005 CR4: 0000000000770ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 nfs4: Unknown parameter 'vfat' DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <TASK> madvise_cold_or_pageout_pte_range+0x43b/0x8f0 __walk_page_range+0xa48/0x1310 walk_page_range+0x14b/0x280 madvise_pageout+0x184/0x260 madvise_vma_behavior+0x843/0x13f0 do_madvise+0x310/0x5b0 __x64_sys_madvise+0x5f/0x70 do_syscall_64+0x38/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f8acc5d38bd Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f8acbd45bf8 EFLAGS: 00000246 ORIG_RAX: 000000000000001c RAX: ffffffffffffffda RBX: 00007f8acc6f2f60 RCX: 
00007f8acc5d38bd RDX: 0000000000000015 RSI: 0000000000004000 RDI: 0000000020ffc000 RBP: 00007f8acc6400a9 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffec656fb0f R14: 00007ffec656fcb0 R15: 00007f8acbd45d80 </TASK> ---[ end trace 0000000000000000 ]---
the bug was bisected to:
[a4e58cce84ee88129d5d49c064bd2852b481357] mm: introduce MADV_PAGEOUT
the C reproducer is as follows:
#define _GNU_SOURCE
#include <endian.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>
/* Result slot for the socket fd; starts at the all-ones sentinel (-1 as a
 * signed value) so a failed socket() call leaves it recognisably unset. */
uint64_t r[1] = {UINT64_MAX};
int main(void)
{
/* syzkaller-generated reproducer: lay out a fixed address window, create an
 * AF_PACKET socket with a receive ring, map that ring into the window at a
 * fixed address, then run madvise(MADV_PAGEOUT) over a range that covers the
 * ring's first pages. Return values are left unchecked on purpose, as in the
 * generated program: a failed call only changes what the later calls see. */
// mmap(0x1ffff000, 0x1000, PROT_NONE, MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE, -1, 0)
/* Inaccessible page ending exactly at 0x20000000, just below the data window. */
syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
// mmap(0x20000000, 0x1000000, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE, -1, 0)
/* 16 MiB RWX window [0x20000000, 0x21000000) holding the setsockopt argument
 * and the later ring mapping. */
syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul);
// mmap(0x21000000, 0x1000, PROT_NONE, MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE, -1, 0)
/* Inaccessible page starting exactly at the end of the data window. */
syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
// fd = socket(AF_PACKET, SOCK_RAW, 0x300)
/* 0x11 = AF_PACKET, 3 = SOCK_RAW; 0x300 is ETH_P_ALL in network byte order. */
intptr_t res = 0;
res = syscall(__NR_socket, 0x11ul, 3ul, 0x300);
/* Record the fd only on success; on failure r[0] keeps its all-ones sentinel
 * and the following calls are made with an invalid descriptor. */
if (res != -1)
r[0] = res;
/* Four 32-bit values at 0x20000100..0x2000010f form the 16-byte optval passed
 * below. The layout matches struct tpacket_req (tp_block_size = 0x10000,
 * tp_block_nr = 3, tp_frame_size = 0x80, tp_frame_nr = 0x600). */
*(uint32_t*)0x20000100 = 0x10000;
*(uint32_t*)0x20000104 = 3;
*(uint32_t*)0x20000108 = 0x80;
*(uint32_t*)0x2000010c = 0x600;
/* setsockopt(fd, SOL_PACKET (0x107), PACKET_RX_RING (5), optval, 16):
 * asks the kernel to allocate the receive ring described above. */
syscall(__NR_setsockopt, r[0], 0x107, 5, 0x20000100ul, 0x10ul);
// mmap(0x20ffd000, 0x30000, PROT_NONE, MAP_PRIVATE|MAP_FIXED, fd, 0)
/* Map the ring (0x30000 bytes = 3 blocks of 0x10000) at 0x20ffd000; 0x12 is
 * MAP_PRIVATE|MAP_FIXED and 0 is PROT_NONE. The mapping ends at 0x2102d000,
 * i.e. it extends past the PROT_NONE guard page placed at 0x21000000. */
syscall(__NR_mmap, 0x20ffd000ul, 0x30000ul, 0ul, 0x12ul, r[0], 0ul);
// madvise(0x20ffc000, 0x4000, MADV_PAGEOUT)
/* 0x15 = MADV_PAGEOUT. The 4-page range [0x20ffc000, 0x21000000) starts one
 * page below the ring mapping and covers its first three pages; this is the
 * call behind the reported trace (madvise_pageout ->
 * madvise_cold_or_pageout_pte_range -> isolate_lru_page), where the WARN
 * "trying to isolate tail page" fires — presumably because the ring memory
 * is backed by compound pages; confirm against the ring allocator. */
syscall(__NR_madvise, 0x20ffc000ul, 0x4000ul, 0x15ul);
return 0;
}
compile the repro with:
gcc -static -o repro repro.c
my QEMU startup command line is:
qemu-system-x86_64 \
-s \
-m 2G \
-smp 4 \
-kernel arch/x86/boot/bzImage \
-append "console=ttyS0 root=/dev/sda rw earlyprintk=serial" \
-drive file=../fs/stretch.img,format=raw \
-nographic \
-enable-kvm \
-monitor /dev/null
the bug reproduces reliably under my experiment settings.
Regards,
Tianshuo