From patchwork Thu Jan 9 07:00:59 2025
X-Patchwork-Submitter: Liu Shixin
X-Patchwork-Id: 13932124
From: Liu Shixin
To: Andrew Morton, Chengming Zhou, Matthew Wilcox, Kefeng Wang, Nanyong Sun, Muchun Song, Qi Zheng, Johannes Weiner, Yang Shi
CC: Liu Shixin
Subject: [PATCH] mm: khugepaged: fix call hpage_collapse_scan_file() for anonymous vma
Date: Thu, 9 Jan 2025 15:00:59 +0800
Message-ID: <20250109070059.369257-1-liushixin2@huawei.com>

syzkaller reported such a BUG_ON():

------------[ cut here ]------------
kernel BUG at mm/khugepaged.c:1835!
Internal error: Oops - BUG: 00000000f2000800 [#1] SMP
...
CPU: 6 UID: 0 PID: 8009 Comm: syz.15.106 Kdump: loaded Tainted: G W 6.13.0-rc6 #22
Tainted: [W]=WARN
Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
pstate: 00400005 (nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : collapse_file+0xa44/0x1400
lr : collapse_file+0x88/0x1400
sp : ffff80008afe3a60
...
Call trace:
 collapse_file+0xa44/0x1400 (P)
 hpage_collapse_scan_file+0x278/0x400
 madvise_collapse+0x1bc/0x678
 madvise_vma_behavior+0x32c/0x448
 madvise_walk_vmas.constprop.0+0xbc/0x140
 do_madvise.part.0+0xdc/0x2c8
 __arm64_sys_madvise+0x68/0x88
 invoke_syscall+0x50/0x120
 el0_svc_common.constprop.0+0xc8/0xf0
 do_el0_svc+0x24/0x38
 el0_svc+0x34/0x128
 el0t_64_sync_handler+0xc8/0xd0
 el0t_64_sync+0x190/0x198

This indicates that the pgoff is unaligned. After analysis, I confirm the vma is mapped to /dev/zero. Such a vma certainly has vm_file, but it is set to anonymous by mmap_zero(). So even if it's mmapped 2M-unaligned, it can pass the check in thp_vma_allowable_order() as it is an anonymous mmap, but then be collapsed as a file mmap.

It seems the problem has existed for a long time, but actually, since we have the khugepaged_max_ptes_none check before, we will skip collapsing it as it is /dev/zero and so has no present page. But commit d8ea7cc8547c limited the check to only khugepaged, so the BUG_ON() can be triggered by madvise_collapse().

Add a vma_is_anonymous() check to make such a vma be processed by hpage_collapse_scan_pmd().

Fixes: d8ea7cc8547c ("mm/khugepaged: add flag to predicate khugepaged-only behavior")
Signed-off-by: Liu Shixin
---
 mm/khugepaged.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/mm/khugepaged.c b/mm/khugepaged.c index 653dbb1ff05c..eb9d240e42e8 100644 --- a/mm/khugepaged.c +++ b/mm/khugepaged.c @@ -2422,7 +2422,8 @@ static unsigned int khugepaged_scan_mm_slot(unsigned int pages, int *result, VM_BUG_ON(khugepaged_scan.address < hstart || khugepaged_scan.address + HPAGE_PMD_SIZE > hend); - if (IS_ENABLED(CONFIG_SHMEM) && vma->vm_file) { + if (IS_ENABLED(CONFIG_SHMEM) && vma->vm_file && + !vma_is_anonymous(vma)) { struct file *file = get_file(vma->vm_file); pgoff_t pgoff = linear_page_index(vma, khugepaged_scan.address);
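Review bot: the new `!vma_is_anonymous(vma)` test in the khugepaged_scan_mm_slot() hunk carries no comment saying why a VMA with vm_file set can still be anonymous; the reason (mmap_zero() marks /dev/zero mappings anonymous while leaving vm_file in place, as the commit message explains) is not visible at this call site, so a one-line comment such as `/* /dev/zero VMAs have vm_file but are anonymous, see mmap_zero() */` would keep the next reader from "simplifying" the condition back to `vma->vm_file`. Also, once vma_is_anonymous() is checked, the `vma->vm_file` test is no longer what distinguishes file-backed VMAs here; say in that comment what it still guards, or factor the whole three-part condition into a small helper, since the identical condition is repeated verbatim in madvise_collapse() below and the two copies will drift if only one is edited later.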
@@ -2768,7 +2769,8 @@ int madvise_collapse(struct vm_area_struct *vma, struct vm_area_struct **prev, mmap_assert_locked(mm); memset(cc->node_load, 0, sizeof(cc->node_load)); nodes_clear(cc->alloc_nmask); - if (IS_ENABLED(CONFIG_SHMEM) && vma->vm_file) { + if (IS_ENABLED(CONFIG_SHMEM) && vma->vm_file && + !vma_is_anonymous(vma)) { struct file *file = get_file(vma->vm_file); pgoff_t pgoff = linear_page_index(vma, addr);
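Review bot: no regression test accompanies the madvise_collapse() change, and this is the path the report was reached through (madvise_collapse -> hpage_collapse_scan_file -> collapse_file in the trace above). The commit message says the mismatch was latent until d8ea7cc8547c restricted the khugepaged_max_ptes_none check to khugepaged, which is exactly the kind of bug that silently comes back when the surrounding checks are rearranged again; a selftest that maps /dev/zero with a file offset that is not 2M-aligned, as the report describes, and calls madvise(MADV_COLLAPSE) on the 2M-aligned part of the mapping would have hit the BUG_ON() in collapse_file() before this patch and would pin the behaviour afterwards. Separately, since the message itself says the problem predates the commit named in Fixes:, it is worth stating whether older kernels need the khugepaged_scan_mm_slot() half of the patch as well, as that decides how far back stable should take it.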
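The mismatch the commit message describes can be observed from userspace without triggering the collapse. The following C program is an added example written for this page; it is not part of the patch or of the kernel tree. It MAP_PRIVATE-maps /dev/zero at a 2 MiB-aligned virtual address with a file offset of one page, reads the VMA back from /proc/self/smaps (the entry still shows the /dev/zero path, i.e. vm_file is set, yet the page faulted in is counted under "Anonymous:", i.e. the VMA is anonymous), and then applies userspace mirrors of the two alignment checks: the virtual-address alignment the anonymous path relies on passes, while the file page index computed the way linear_page_index() computes it is what collapse_file()'s BUG_ON() rejects. Assumed: 4 KiB pages and 2 MiB PMD huge pages (the PAGE_SHIFT/HPAGE_PMD_* constants below are the example's own, not kernel headers); all helper names are the example's own. It deliberately never calls madvise(MADV_COLLAPSE), so it is safe to run on an unpatched kernel.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Assumed geometry: 4 KiB base pages, 2 MiB PMD huge pages (x86-64, arm64 with 4K pages). */
#define PAGE_SHIFT      12UL
#define HPAGE_PMD_SHIFT 21UL
#define HPAGE_PMD_SIZE  (1UL << HPAGE_PMD_SHIFT)
#define HPAGE_PMD_NR    (1UL << (HPAGE_PMD_SHIFT - PAGE_SHIFT))   /* 512 pages per PMD */

/* Userspace mirror of the kernel's linear_page_index(): file page index backing addr. */
unsigned long linear_page_index(unsigned long vm_start, unsigned long vm_pgoff,
                                unsigned long addr)
{
    return vm_pgoff + ((addr - vm_start) >> PAGE_SHIFT);
}

/* The anonymous collapse path only needs the virtual address to be PMD-aligned ... */
int anon_hstart_aligned(unsigned long addr)
{
    return (addr & (HPAGE_PMD_SIZE - 1)) == 0;
}

/* ... while collapse_file() asserts that the *file* page offset is PMD-aligned. */
int file_pgoff_aligned(unsigned long pgoff)
{
    return (pgoff & (HPAGE_PMD_NR - 1)) == 0;
}

struct zero_map {
    unsigned char *base;     /* PMD-aligned virtual start, i.e. vm_start */
    size_t len;
    unsigned long vm_pgoff;  /* file page offset handed to mmap() */
};

/* MAP_PRIVATE-map len bytes of /dev/zero at a PMD-aligned address with file page offset pgoff.
 * The kernel keeps vm_file = /dev/zero but mmap_zero() marks the VMA anonymous. */
int map_dev_zero(struct zero_map *m, size_t len, unsigned long pgoff)
{
    /* Reserve len + 2 MiB so a PMD-aligned window is guaranteed to exist inside it. */
    unsigned char *raw = mmap(NULL, len + HPAGE_PMD_SIZE, PROT_NONE,
                              MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (raw == MAP_FAILED)
        return -1;
    unsigned long aligned = ((unsigned long)raw + HPAGE_PMD_SIZE - 1) & ~(HPAGE_PMD_SIZE - 1);

    int fd = open("/dev/zero", O_RDONLY);   /* read-only fd is enough for MAP_PRIVATE */
    if (fd < 0)
        return -1;
    void *p = mmap((void *)aligned, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_FIXED,
                   fd, (off_t)(pgoff << PAGE_SHIFT));
    close(fd);
    if (p == MAP_FAILED)
        return -1;
    m->base = p;
    m->len = len;
    m->vm_pgoff = pgoff;
    m->base[0] = 1;          /* fault one page in: it is served by the anonymous fault path */
    return 0;
}

/* Find the /proc/self/smaps entry containing addr. Returns its "Anonymous:" kB count
 * (-1 if the entry cannot be read) and copies the mapped path, if any, into path. */
long smaps_lookup(unsigned long addr, char *path, size_t pathlen)
{
    FILE *f = fopen("/proc/self/smaps", "r");
    if (!f)
        return -1;
    char line[512];
    int inside = 0;
    long anon_kb = -1;
    path[0] = '\0';
    while (fgets(line, sizeof line, f)) {
        unsigned long lo, hi, off, ino;
        char perms[8];
        int consumed = 0;
        /* VMA header: "lo-hi perms offset dev inode [path]"; field lines do not match. */
        if (sscanf(line, "%lx-%lx %7s %lx %*s %lu%n", &lo, &hi, perms, &off, &ino, &consumed) == 5) {
            if (inside)
                break;                       /* reached the next VMA: done */
            inside = addr >= lo && addr < hi;
            if (inside) {
                const char *p = line + consumed;
                while (*p == ' ')
                    p++;
                snprintf(path, pathlen, "%s", p);
                path[strcspn(path, "\n")] = '\0';
            }
        } else if (inside) {
            sscanf(line, "Anonymous: %ld kB", &anon_kb);
        }
    }
    fclose(f);
    return inside ? anon_kb : -1;
}

/* Walk the mapping PMD by PMD as khugepaged does and return the file page index of the first
 * PMD whose virtual start passes the anonymous check but fails the file check; 0 if none
 * (pgoff 0 is always aligned, so it can never be a mismatch). */
unsigned long first_mismatched_pgoff(const struct zero_map *m)
{
    unsigned long start = (unsigned long)m->base;
    for (unsigned long a = start; a + HPAGE_PMD_SIZE <= start + m->len; a += HPAGE_PMD_SIZE) {
        unsigned long pgoff = linear_page_index(start, m->vm_pgoff, a);
        if (anon_hstart_aligned(a) && !file_pgoff_aligned(pgoff))
            return pgoff;
    }
    return 0;
}

int main(void)
{
    struct zero_map m;
    if (map_dev_zero(&m, 2 * HPAGE_PMD_SIZE, 1) != 0) {
        perror("map_dev_zero");
        return 1;
    }
    char path[256];
    long anon_kb = smaps_lookup((unsigned long)m.base, path, sizeof path);
    printf("vma [%p, +%zu) backed by \"%s\", Anonymous: %ld kB\n",
           (void *)m.base, m.len, path, anon_kb);
    printf("hstart %p: anon-aligned=%d; pgoff %lu: file-aligned=%d\n", (void *)m.base,
           anon_hstart_aligned((unsigned long)m.base), m.vm_pgoff,
           file_pgoff_aligned(m.vm_pgoff));
    printf("first mismatched pgoff: %lu\n", first_mismatched_pgoff(&m));
    return 0;
}
```

With the file offset set to one page the smaps entry reads as a /dev/zero mapping while its touched page is counted as anonymous, and the first PMD of the mapping is virtually aligned but sits at file page index 1, which is the combination the old `vma->vm_file` condition sent down the file path. Mapping with a file offset that is a multiple of 512 pages produces no mismatch. On a kernel with THP set to "always" the Anonymous: figure may be 2048 kB rather than 4 kB, because the aligned region is eligible for a huge page on first touch.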