On 9/10/2023 3:02 PM, Kasireddy, Vivek wrote: > Hi Fengwei, > >> >> Add udmabuf maintainers. >> >> On 9/7/2023 2:51 AM, syzbot wrote: >>> Hello, >>> >>> syzbot found the following issue on: >>> >>> HEAD commit: db906f0ca6bb Merge tag 'phy-for-6.6' of git://git.kernel.o.. >>> git tree: upstream >>> console+strace: https://syzkaller.appspot.com/x/log.txt?x=16cbb32fa80000 >>> kernel config: >> https://syzkaller.appspot.com/x/.config?x=3bd57a1ac08277b0 >>> dashboard link: >> https://syzkaller.appspot.com/bug?extid=17a207d226b8a5fb0fd9 >>> compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for >> Debian) 2.40 >>> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11609f38680000 >>> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14c1fc00680000 >>> >>> Downloadable assets: >>> disk image: https://storage.googleapis.com/syzbot- >> assets/46394f3ca3eb/disk-db906f0c.raw.xz >>> vmlinux: https://storage.googleapis.com/syzbot- >> assets/eeaa594bfd1f/vmlinux-db906f0c.xz >>> kernel image: https://storage.googleapis.com/syzbot- >> assets/5c8df8de79ec/bzImage-db906f0c.xz >>> >>> IMPORTANT: if you fix the issue, please add the following tag to the >> commit: >>> Reported-by: syzbot+17a207d226b8a5fb0fd9@xxxxxxxxxxxxxxxxxxxxxxxxx >> >> Operations from user space before kernel BUG hit: >> >> [pid 5043] >> memfd_create("\x79\x10\x35\x25\xfa\x2c\x1f\x99\xa2\xc9\x8e\xcd\x5c\xfa >> \xf6\x12\x95\x5e\xdf\x54\xe2\x3d\x0e\x7e\x46\xcd\x73\xa3\xff\x89\x3e\x >> 84\xa9\x86\x86\xa2\x46\x90\x93\x98\x4e\x05\x65\x92\x4a\x77\xce\x63\xc >> e\x9f\x32\xc8\x02\x66\x03\x07\x6d\x08\xb4\x48\x8f\x9e\xa5\x16\x8f\x61\ >> xff\xb2\x22\x8a\x15\x13\xa2\x17\x25\x21\x54\x8b\xa1\xb9\x2d\x13\xf9\x >> 6f\x67\x95\x9d\x54\xef\xca\x68\x77\xf5\xff\x75\x7f\x75\xb8\x2a\xd3"..., >> MFD_ALLOW_SEALING) = 3 >> [pid 5043] ftruncate(3, 65535) = 0 >> [pid 5043] fcntl(3, F_ADD_SEALS, >> F_SEAL_SEAL|F_SEAL_SHRINK|F_SEAL_GROW) = 0 >> [pid 5043] openat(AT_FDCWD, "/dev/udmabuf", O_RDWR) = 4 >> [pid 5043] ioctl(4, UDMABUF_CREATE, 0x20000000) = 5 >> [pid 5043] mmap(0x20667000, 16384, >> PROT_WRITE|PROT_EXEC|PROT_SEM|PROT_GROWSDOWN, >> MAP_SHARED|MAP_FIXED|MAP_POPULATE|MAP_STACK, 5, 0) = 0x20667000 >> >> The crash happens when test app tried to close the memfd. >> >> >> It's like test app created udmabuf above memfd. But didn't boost memfd >> refcount. >> And mmap with MAP_POPULATE make the underneath folios mapped. >> >> When memfd is closed without munmap 0x20667000, the memfd refcount >> hit zero and >> trigger evict() and hit >> VM_BUG_ON_FOLIO(folio_mapped(folio), folio); >> >> >> Related test code: >> >> res = syscall(__NR_memfd_create, /*name=*/0x20000040ul, /*flags=*/2ul); >> if (res != -1) >> r[0] = res; >> syscall(__NR_ftruncate, /*fd=*/r[0], /*len=*/0xfffful); >> syscall(__NR_fcntl, /*fd=*/r[0], /*cmd=*/0x409ul, /*seals=*/7ul); >> memcpy((void*)0x200001c0, "/dev/udmabuf\000", 13); >> res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x200001c0ul, >> /*flags=*/2ul, 0); >> if (res != -1) >> r[1] = res; >> *(uint32_t*)0x20000000 = r[0]; >> *(uint32_t*)0x20000004 = 0; >> *(uint64_t*)0x20000008 = 0; >> *(uint64_t*)0x20000010 = 0x8000; >> res = syscall(__NR_ioctl, /*fd=*/r[1], /*cmd=*/0x40187542, >> /*arg=*/0x20000000ul); >> if (res != -1) >> r[2] = res; >> syscall(__NR_mmap, /*addr=*/0x20667000ul, /*len=*/0x4000ul, >> /*prot=*/0x100000eul, /*flags=*/0x28011ul, /*fd=*/r[2], >> /*offset=*/0ul); >> close_fds(); >> >> >> Should memfd refcount increased when create udmabuf above it? Thanks. > I think the following patch should fix this crash: > https://lists.freedesktop.org/archives/dri-devel/2023-August/418952.html Yes. This patch avoid playing with struct page when mmap memory to user space. And avoid make pages marked as mapped. Regards Yin, Fengwei > > Thanks, > Vivek >> >> Regards >> Yin, Fengwei >> >>> >>> search_binary_handler fs/exec.c:1739 [inline] >>> exec_binprm fs/exec.c:1781 [inline] >>> bprm_execve fs/exec.c:1856 [inline] >>> bprm_execve+0x80a/0x1a50 fs/exec.c:1812 >>> do_execveat_common.isra.0+0x5d3/0x740 fs/exec.c:1964 >>> do_execve fs/exec.c:2038 [inline] >>> __do_sys_execve fs/exec.c:2114 [inline] >>> __se_sys_execve fs/exec.c:2109 [inline] >>> __x64_sys_execve+0x8c/0xb0 fs/exec.c:2109 >>> do_syscall_x64 arch/x86/entry/common.c:50 [inline] >>> do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80 >>> entry_SYSCALL_64_after_hwframe+0x63/0xcd >>> ------------[ cut here ]------------ >>> kernel BUG at mm/filemap.c:158! >>> invalid opcode: 0000 [#1] PREEMPT SMP KASAN >>> CPU: 0 PID: 5043 Comm: syz-executor729 Not tainted 6.5.0-syzkaller-11275- >> gdb906f0ca6bb #0 >>> Hardware name: Google Google Compute Engine/Google Compute Engine, >> BIOS Google 07/26/2023 >>> RIP: 0010:filemap_unaccount_folio+0x62e/0x870 mm/filemap.c:158 >>> Code: 0f 85 68 01 00 00 8b 6b 5c 31 ff 89 ee e8 6a 3e d2 ff 85 ed 7e 16 e8 f1 >> 42 d2 ff 48 c7 c6 c0 3b 97 8a 48 89 df e8 a2 58 10 00 <0f> 0b e8 db 42 d2 ff 48 >> 8d 6b 58 be 04 00 00 00 48 89 ef e8 0a 0d >>> RSP: 0018:ffffc900039ef828 EFLAGS: 00010093 >>> RAX: 0000000000000000 RBX: ffffea0001cfe400 RCX: 0000000000000000 >>> RDX: ffff88807e171dc0 RSI: ffffffff81b559ae RDI: 0000000000000000 >>> RBP: 0000000000000000 R08: 0000000000000000 R09: fffffbfff1d9be7a >>> R10: ffffffff8ecdf3d7 R11: 0000000000000001 R12: ffff8880258003b8 >>> R13: ffffea0001cfe400 R14: ffffea0001cfe418 R15: ffffea0001cfe420 >>> FS: 0000555556b42380(0000) GS:ffff8880b9800000(0000) >> knlGS:0000000000000000 >>> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 >>> CR2: 00000000005fdeb8 CR3: 000000007a443000 CR4: 00000000003506f0 >>> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 >>> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 >>> Call Trace: >>> <TASK> >>> __filemap_remove_folio+0x110/0x820 mm/filemap.c:227 >>> filemap_remove_folio+0xca/0x210 mm/filemap.c:260 >>> truncate_inode_folio+0x49/0x70 mm/truncate.c:195 >>> shmem_undo_range+0x365/0x1040 mm/shmem.c:1018 >>> shmem_truncate_range mm/shmem.c:1114 [inline] >>> shmem_evict_inode+0x392/0xb50 mm/shmem.c:1243 >>> evict+0x2ed/0x6b0 fs/inode.c:664 >>> iput_final fs/inode.c:1775 [inline] >>> iput.part.0+0x55e/0x7a0 fs/inode.c:1801 >>> iput+0x5c/0x80 fs/inode.c:1791 >>> dentry_unlink_inode+0x292/0x430 fs/dcache.c:401 >>> __dentry_kill+0x3b8/0x640 fs/dcache.c:607 >>> dentry_kill fs/dcache.c:733 [inline] >>> dput+0x8dd/0xfd0 fs/dcache.c:913 >>> __fput+0x536/0xa70 fs/file_table.c:392 >>> __fput_sync+0x47/0x50 fs/file_table.c:465 >>> __do_sys_close fs/open.c:1572 [inline] >>> __se_sys_close fs/open.c:1557 [inline] >>> __x64_sys_close+0x87/0xf0 fs/open.c:1557 >>> do_syscall_x64 arch/x86/entry/common.c:50 [inline] >>> do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80 >>> entry_SYSCALL_64_after_hwframe+0x63/0xcd >>> RIP: 0033:0x7f6700c6aa90 >>> Code: ff f7 d8 64 89 02 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 >> 90 80 3d f1 85 07 00 00 74 17 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 48 c3 >> 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c >>> RSP: 002b:00007ffd27935ca8 EFLAGS: 00000202 ORIG_RAX: >> 0000000000000003 >>> RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007f6700c6aa90 >>> RDX: 0000000000000000 RSI: 0000000000004000 RDI: 0000000000000003 >>> RBP: 00007ffd27935cc0 R08: 0000000000000005 R09: 0000000000000000 >>> R10: 0000000000028011 R11: 0000000000000202 R12: 00007f6700cde5f0 >>> R13: 00007ffd27935ea8 R14: 0000000000000001 R15: 0000000000000001 >>> </TASK> >>> Modules linked in: >>> ---[ end trace 0000000000000000 ]--- >>> RIP: 0010:filemap_unaccount_folio+0x62e/0x870 mm/filemap.c:158 >>> Code: 0f 85 68 01 00 00 8b 6b 5c 31 ff 89 ee e8 6a 3e d2 ff 85 ed 7e 16 e8 f1 >> 42 d2 ff 48 c7 c6 c0 3b 97 8a 48 89 df e8 a2 58 10 00 <0f> 0b e8 db 42 d2 ff 48 >> 8d 6b 58 be 04 00 00 00 48 89 ef e8 0a 0d >>> RSP: 0018:ffffc900039ef828 EFLAGS: 00010093 >>> RAX: 0000000000000000 RBX: ffffea0001cfe400 RCX: 0000000000000000 >>> RDX: ffff88807e171dc0 RSI: ffffffff81b559ae RDI: 0000000000000000 >>> RBP: 0000000000000000 R08: 0000000000000000 R09: fffffbfff1d9be7a >>> R10: ffffffff8ecdf3d7 R11: 0000000000000001 R12: ffff8880258003b8 >>> R13: ffffea0001cfe400 R14: ffffea0001cfe418 R15: ffffea0001cfe420 >>> FS: 0000555556b42380(0000) GS:ffff8880b9800000(0000) >> knlGS:0000000000000000 >>> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 >>> CR2: 00000000005fdeb8 CR3: 000000007a443000 CR4: 00000000003506f0 >>> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 >>> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 >>> >>> >>> --- >>> This report is generated by a bot. It may contain errors. >>> See https://goo.gl/tpsmEJ for more information about syzbot. >>> syzbot engineers can be reached at syzkaller@xxxxxxxxxxxxxxxx. >>> >>> syzbot will keep track of this issue. See: >>> https://goo.gl/tpsmEJ#status for how to communicate with syzbot. >>> >>> If the bug is already fixed, let syzbot know by replying with: >>> #syz fix: exact-commit-title >>> >>> If you want syzbot to run the reproducer, reply with: >>> #syz test: git://repo/address.git branch-or-commit-hash >>> If you attach or paste a git patch, syzbot will apply it before testing. >>> >>> If you want to overwrite bug's subsystems, reply with: >>> #syz set subsystems: new-subsystem >>> (See the list of subsystem names on the web dashboard) >>> >>> If the bug is a duplicate of another bug, reply with: >>> #syz dup: exact-subject-of-another-report >>> >>> If you want to undo deduplication, reply with: >>> #syz undup >>> >
