Since linux-next-20230217, trying to start the Stellaris game launcher from Steam leads to the following error in dmesg and the launcher fails to start (starting the game from its executable works):

[ 63.551594] traps: CompositorTileW[3139] trap int3 ip:55c9ffd5355d sp:7fe1b59f5820 error:0 in Launcher[55c9fce63000+6878000]
[ 63.641816] traps: Launcher[3058] trap int3 ip:5631e292b55d sp:7ffcb8eb2f60 error:0 in Launcher[5631dfa3b000+6878000]
[ 64.728133] traps: CompositorTileW[3308] trap int3 ip:55b9f07c655d sp:7f43789f6820 error:0 in Launcher[55b9ed8d6000+6878000]
[ 64.768268] traps: Launcher[3226] trap int3 ip:560004dae55d sp:7ffc246aa570 error:0 in Launcher[560001ebe000+6878000]

A bisect between 6.2-rc8 and next-20230220 showed commit 2286a6914c776ec34cd97e4573b1466d055cb9de to be the culprit. Unfortunately reverting this in next-20230220 is not possible due to other commits related to vma_iterator.
I added a printk statement at the start of do_mprotect_pkey (in linux-next-20230220 where the error occurs and in linux-6.2 where it doesn't):

static int do_mprotect_pkey(unsigned long start, size_t len,
		unsigned long prot, int pkey)
{
	printk(KERN_INFO "do_mprotect_pkey:start = 0x%lx len = 0x%lx prot = 0x%lx pkey = %d\n",
	       start, len, prot, pkey);

It shows that just before the error a call to do_mprotect_pkey with prot = PROT_NONE occurs for an unusually large len = 0x1000000:

2023-02-21T00:26:47.640716+01:00 lisa kernel: [ 75.463085][ T3589] do_mprotect_pkey:start = 0x27d200400000 len = 0x1000000 prot = 0x0 pkey = -1
2023-02-21T00:26:47.640720+01:00 lisa kernel: [ 75.463100][ T3589] traps: CompositorTileW[3589] trap int3 ip:55d216de955d sp:7f6c4a9f3820 error:0 in Launcher[55d213ef9000+6878000]

The call to do_mprotect_pkey with PROT_NONE and len = 0x1000000 is also present in linux-6.2 where the error does not occur.
I added some more printk to do_mprotect_fixup in next-20230220 diff --git a/mm/mprotect.c b/mm/mprotect.c index 1d4843c97c2a..3c85417e951e 100644 --- a/mm/mprotect.c +++ b/mm/mprotect.c @@ -702,6 +702,9 @@ mprotect_fixup(struct vma_iterator *vmi, struct mmu_gather *tlb, static int do_mprotect_pkey(unsigned long start, size_t len, unsigned long prot, int pkey) { + if (len == 0x1000000) + printk(KERN_INFO "do_mprotect_pkey:start = 0x%lx len = 0x%lx prot = 0x%lx pkey = %d\n", + start, len, prot, pkey); unsigned long nstart, end, tmp, reqprot; struct vm_area_struct *vma, *prev; int error; @@ -779,6 +782,8 @@ static int do_mprotect_pkey(unsigned long start, size_t len, if (vma->vm_start != tmp) { error = -ENOMEM; + if (len == 0x1000000) + printk(KERN_INFO "do_mprotect_fixup: break0\n"); break; } 
@@ -800,37 +805,57 @@ static int do_mprotect_pkey(unsigned long start, size_t len, /* newflags >> 4 shift VM_MAY% in place of VM_% */ if ((newflags & ~(newflags >> 4)) & VM_ACCESS_FLAGS) { error = -EACCES; + if (len == 0x1000000) + printk(KERN_INFO "do_mprotect_fixup: break1\n"); break; } if (map_deny_write_exec(vma, newflags)) { error = -EACCES; + if (len == 0x1000000) + printk(KERN_INFO "do_mprotect_fixup: break2\n"); goto out; } /* Allow architectures to sanity-check the new flags */ if (!arch_validate_flags(newflags)) { error = -EINVAL; + if (len == 0x1000000) + printk(KERN_INFO "do_mprotect_fixup: break3\n"); break; } error = security_file_mprotect(vma, reqprot, prot); - if (error) + if (error) { + if (len == 0x1000000) + printk(KERN_INFO "do_mprotect_fixup: break4\n"); break; + } tmp = vma->vm_end; if (tmp > end) tmp = end; if (vma->vm_ops && vma->vm_ops->mprotect) { + if(len == 0x1000000) + printk(KERN_INFO "do_mprotect_pkey: calling vm_ops->mprotect\n"); error = vma->vm_ops->mprotect(vma, nstart, tmp, newflags); - if (error) + if (error) { + if (len == 0x1000000) + printk(KERN_INFO "do_mprotect_fixup: break5\n"); break; + } } + if (len == 0x1000000) + printk(KERN_INFO "calling mprotect_fixup: vma=%px prev=%px nstart=0x%lx tmp=0x%lx, newflags=0x%lx\n", + vma, prev, nstart, tmp, newflags); error = mprotect_fixup(&vmi, &tlb, vma, &prev, nstart, tmp, newflags); - if (error) + if (error) { + if (len == 0x1000000) + printk(KERN_INFO "do_mprotect_fixup: break6\n"); break; + } nstart = tmp; prot = reqprot; 
@@ -841,6 +866,8 @@ static int do_mprotect_pkey(unsigned long start, size_t len, error = -ENOMEM; out: + if (len == 0x1000000) + printk(KERN_INFO "do_mprotect_pkey: returning %d\n", error); mmap_write_unlock(current->mm); return error; } This gives when starting the stellaris launcher: 54.400637] do_mprotect_pkey:start = 0x136e00400000 len = 0x1000000 prot = 0x0 pkey = -1 [ 54.400642] do_mprotect_pkey: calling mprotect_fixup: nstart=0x136e00400000 tmp=0x136e00401000, newflags=0x8100070 [ 54.400643] do_mprotect_pkey: calling mprotect_fixup: nstart=0x136e00401000 tmp=0x136e00402000, newflags=0x8100070 [ 54.400653] do_mprotect_fixup: break0 [ 54.400654] do_mprotect_pkey: returning -12 [ 54.400657] traps: CompositorTileW[3673] trap int3 ip:55905c97c55d sp:7f6abe3f5820 error:0 in Launcher[559059a8c000+6878000] [ 56.049798] do_mprotect_pkey:start = 0x3bb600400000 len = 0x1000000 prot = 0x0 pkey = -1 [ 56.049802] do_mprotect_pkey: calling mprotect_fixup: nstart=0x3bb600400000 tmp=0x3bb600401000, newflags=0x8100070 [ 56.049804] do_mprotect_pkey: calling mprotect_fixup: nstart=0x3bb600401000 tmp=0x3bb600402000, newflags=0x8100070 [ 56.049812] do_mprotect_fixup: break0 [ 56.049812] do_mprotect_pkey: returning -12 A similar instrumentation in linux-6.2 gives: [ 63.915426] do_mprotect_pkey:start = 0x38e400400000 len = 0x1000000 prot = 0x0 pkey = -1 [ 63.915431] do_mprotect_pkey: calling mprotect_fixup: nstart=0x38e400400000 tmp=0x38e400401000, newflags=0x8100070 [ 63.915432] do_mprotect_pkey: calling mprotect_fixup: nstart=0x38e400401000 tmp=0x38e400402000, newflags=0x8100070 [ 63.915443] do_mprotect_pkey: calling mprotect_fixup: nstart=0x38e400404000 tmp=0x38e400601000, newflags=0x8100070 [ 63.915453] do_mprotect_pkey: calling mprotect_fixup: nstart=0x38e400601000 tmp=0x38e400604000, newflags=0x8100070 [ 63.915455] do_mprotect_pkey: calling mprotect_fixup: nstart=0x38e400604000 tmp=0x38e401214000, newflags=0x8100070 [ 63.915458] do_mprotect_pkey: calling mprotect_fixup: 
nstart=0x38e401214000 tmp=0x38e401400000, newflags=0x8000070
[ 63.915459] do_mprotect_fixup: returning 0

So it seems that the for_each_vma_range loop has a problem when there are holes in the memory range.
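Review bot: the trace does not match the diff: the hunk's format string is "calling mprotect_fixup: vma=%px prev=%px nstart=0x%lx tmp=0x%lx, newflags=0x%lx", but the logged lines read "do_mprotect_pkey: calling mprotect_fixup: nstart=... tmp=..., newflags=..." with no vma/prev fields, so the diff shown is not the one that produced this output and the two cannot be read side by side; the diff that was actually built should be posted together with its log. On the hunks themselves: the printk added at the top of the @@ -702,6 +702,9 @@ hunk sits before the local declarations (`unsigned long nstart, end, tmp, reqprot;`), which the kernel build reports as a declaration after statement, so it belongs below `struct vma_iterator vmi;`; the "break" messages are labelled "do_mprotect_fixup:" although all of them are in do_mprotect_pkey(); `if(len == 0x1000000)` before the vm_ops->mprotect printk needs a space after `if`; and %px writes unhashed kernel addresses to dmesg, which is acceptable in a throwaway debug build but must not be carried into anything that is kept.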
I added some printk and now it seems that the loop iteration is confused by a vma_merge done by mprotect_fixup Instrumentation: diff --git a/mm/mprotect.c b/mm/mprotect.c index 1d4843c97c2a..c20c419c35a5 100644 --- a/mm/mprotect.c +++ b/mm/mprotect.c @@ -702,14 +702,17 @@ mprotect_fixup(struct vma_iterator *vmi, struct mmu_gather *tlb, static int do_mprotect_pkey(unsigned long start, size_t len, unsigned long prot, int pkey) { + if (len == 0x1000000) + printk(KERN_INFO "do_mprotect_pkey:start = 0x%lx len = 0x%lx prot = 0x%lx pkey = %d\n", + start, len, prot, pkey); unsigned long nstart, end, tmp, reqprot; - struct vm_area_struct *vma, *prev; + struct vm_area_struct *vma, *prev, *test_vma; int error; const int grows = prot & (PROT_GROWSDOWN|PROT_GROWSUP); const bool rier = (current->personality & READ_IMPLIES_EXEC) && (prot & PROT_READ); struct mmu_gather tlb; - struct vma_iterator vmi; + struct vma_iterator vmi, test_vmi; start = untagged_addr(start); @@ -741,6 +744,14 @@ static int do_mprotect_pkey(unsigned long start, size_t len, if ((pkey != -1) && !mm_pkey_is_allocated(current->mm, pkey)) goto out; + if (len == 0x1000000) { + vma_iter_init(&test_vmi, current->mm, start); + for_each_vma_range(test_vmi, test_vma, end) { + printk(KERN_INFO "do_mprotect_pkey: test_vma->vm_start=0x%lx test_vma->vm_end=0x%lx\n", + test_vma->vm_start, test_vma->vm_end); + } + } + vma_iter_init(&vmi, current->mm, start); vma = vma_find(&vmi, end); error = -ENOMEM; @@ -776,9 +787,17 @@ static int do_mprotect_pkey(unsigned long start, size_t len, unsigned long mask_off_old_flags; unsigned long newflags; int new_vma_pkey; + if (len == 0x1000000) { + printk(KERN_INFO "for_each_vma_range: vma->vm_start=0x%lx vma->vm_end=0x%lx nstart=0x%lx tmp=0x%lx", + vma->vm_start, vma->vm_end, nstart, tmp); + } if (vma->vm_start != tmp) { error = -ENOMEM; + if (len == 0x1000000) { + printk(KERN_INFO "do_mprotect_fixup: break0: vma->vma_start=0x%lx tmp=0x%lx\n", + vma->vm_start, tmp); + } break; } 
@@ -815,25 +834,44 @@ static int do_mprotect_pkey(unsigned long start, size_t len, } error = security_file_mprotect(vma, reqprot, prot); - if (error) + if (error) { break; + } tmp = vma->vm_end; if (tmp > end) tmp = end; if (vma->vm_ops && vma->vm_ops->mprotect) { + if(len == 0x1000000) + printk(KERN_INFO "do_mprotect_pkey: calling vm_ops->mprotect\n"); error = vma->vm_ops->mprotect(vma, nstart, tmp, newflags); - if (error) + if (error) { break; + } } + if (len == 0x1000000) { + printk(KERN_INFO "calling mprotect_fixup: vma=%px prev=%px nstart=0x%lx tmp=0x%lx, newflags=0x%lx\n", + vma, prev, nstart, tmp, newflags); + printk(KERN_INFO "do_mprotect_pkey: before mprotect_fixup: vma_iter_addr(&vmi)=0x%lx\n", + vma_iter_addr(&vmi)); + } error = mprotect_fixup(&vmi, &tlb, vma, &prev, nstart, tmp, newflags); - if (error) + if (len == 0x1000000) { + printk(KERN_INFO "do_mprotect_pkey: after mprotect_fixup: vma_iter_addr(&vmi)=0x%lx\n", + vma_iter_addr(&vmi)); + } + if (error) { break; + } nstart = tmp; prot = reqprot; + if (len == 0x1000000) { + printk(KERN_INFO "do_mprotect_pkey: end of loop prev=%px nstart=0x%lx tmp=0x%lx", + prev, nstart, tmp); + } } tlb_finish_mmu(&tlb); 
@@ -841,6 +879,8 @@ static int do_mprotect_pkey(unsigned long start, size_t len, error = -ENOMEM; out: + if (len == 0x1000000) + printk(KERN_INFO "do_mprotect_pkey: returning %d\n", error); mmap_write_unlock(current->mm); return error; } Result: [ 55.676523] do_mprotect_pkey:start = 0x14e000400000 len = 0x1000000 prot = 0x0 pkey = -1 The test iteration shows that the memory has no holes: [ 55.676527] do_mprotect_pkey: test_vma->vm_start=0x14e0002e9000 test_vma->vm_end=0x14e000401000 [ 55.676529] do_mprotect_pkey: test_vma->vm_start=0x14e000401000 test_vma->vm_end=0x14e000402000 [ 55.676530] do_mprotect_pkey: test_vma->vm_start=0x14e000402000 test_vma->vm_end=0x14e000404000 [ 55.676530] do_mprotect_pkey: test_vma->vm_start=0x14e000404000 test_vma->vm_end=0x14e000601000 [ 55.676531] do_mprotect_pkey: test_vma->vm_start=0x14e000601000 test_vma->vm_end=0x14e000604000 [ 55.676532] do_mprotect_pkey: test_vma->vm_start=0x14e000604000 test_vma->vm_end=0x14e001214000 [ 55.676533] do_mprotect_pkey: test_vma->vm_start=0x14e001214000 test_vma->vm_end=0x14e001401000 [ 55.676535] for_each_vma_range: vma->vm_start=0x14e0002e9000 vma->vm_end=0x14e000401000 nstart=0x14e000400000 tmp=0x14e0002e9000 [ 55.676536] calling mprotect_fixup: vma=ffff9e727478a630 prev=ffff9e727478a630 nstart=0x14e000400000 tmp=0x14e000401000, newflags=0x8100070 [ 55.676538] do_mprotect_pkey: before mprotect_fixup: vma_iter_addr(&vmi)=0x14e0002e9000 [ 55.676539] do_mprotect_pkey: after mprotect_fixup: vma_iter_addr(&vmi)=0x14e0002e9000 [ 55.676539] do_mprotect_pkey: end of loop prev=ffff9e727478a630 nstart=0x14e000401000 tmp=0x14e000401000 [ 55.676540] for_each_vma_range: vma->vm_start=0x14e000401000 vma->vm_end=0x14e000402000 nstart=0x14e000401000 tmp=0x14e000401000 [ 55.676541] calling mprotect_fixup: vma=ffff9e727c907b40 prev=ffff9e727478a630 nstart=0x14e000401000 tmp=0x14e000402000, newflags=0x8100070 [ 55.676542] do_mprotect_pkey: before mprotect_fixup: vma_iter_addr(&vmi)=0x14e000401000 [ 55.676552] 
do_mprotect_pkey: after mprotect_fixup: vma_iter_addr(&vmi)=0x14e0002e9000
[ 55.676553] do_mprotect_pkey: end of loop prev=ffff9e727478a630 nstart=0x14e000402000 tmp=0x14e000402000
[ 55.676554] for_each_vma_range: vma->vm_start=0x14e000404000 vma->vm_end=0x14e000601000 nstart=0x14e000402000 tmp=0x14e000402000
[ 55.676555] do_mprotect_fixup: break0: vma->vma_start=0x14e000404000 tmp=0x14e000402000
[ 55.676556] do_mprotect_pkey: returning -12
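Review bot: this trace pins the problem to the merge, not to a hole: before the second mprotect_fixup() the iterator is at 0x14e000401000 and afterwards at 0x14e0002e9000, i.e. at prev (the "end of loop" line confirms prev is still ffff9e727478a630, the first VMA), and the next for_each_vma_range() step hands back the VMA at 0x14e000404000, so the 0x14e000402000-0x14e000404000 VMA that the test walk listed has been absorbed into prev together with the one just processed. tmp, however, still holds the pre-merge vm_end 0x14e000402000, so `vma->vm_start != tmp` fails and the syscall returns -ENOMEM. The 6.2 trace in the earlier message resumes at nstart=0x38e400404000 after the same call, so the vma_iterator version needs the equivalent step: after a successful mprotect_fixup(), re-derive tmp (and so nstart) from the end of the VMA the iterator now points at rather than from the vm_end read before the call. Minor: the "for_each_vma_range: ..." and "end of loop ..." format strings lack a trailing "\n", and the extra walk over test_vmi is fine here only because it runs under mmap_write_lock(), which do_mprotect_pkey() already holds at that point.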
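A user-space regression test for the failure traced above, added here as an example (it is not the reporter's code and not from the kernel tree): with constructed page offsets it rebuilds the shape of the VMA list in the logs, a PROT_NONE reservation sharing one anon_vma, two read/write windows carved out of it, and an mprotect(PROT_NONE) whose range starts inside the reservation and spans both windows, which is the case where mprotect_fixup() merges the first window with both of its neighbours. On the affected linux-next the call fails with ENOMEM as in the trace; on a kernel whose loop advances past the merged VMA it returns 0 and, on Linux, /proc/self/maps shows fewer VMAs afterwards than before.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/*
 * Constructed layout (offsets in pages, not the report's addresses): one
 * anonymous reservation that is PROT_NONE except for two small read/write
 * windows, and an mprotect(PROT_NONE) whose range begins inside the
 * reservation and spans both windows. Turning window 1 back to PROT_NONE
 * is the case where mprotect_fixup() merges it with both of its neighbours.
 */
enum {
	TOTAL_PAGES = 1024,	/* 4 MiB on 4 KiB pages */
	START_PAGE = 256,	/* the range starts in the middle of a VMA */
	WIN1_PAGE = 257, WIN1_PAGES = 1,
	WIN2_PAGE = 260, WIN2_PAGES = 16,
	LEN_PAGES = 512,
};

/* VMAs from /proc/self/maps lying inside [base, base + len); -1 where
 * /proc is not available. Linux-specific and used for display only. */
static int count_vmas_in(const unsigned char *base, size_t len)
{
	unsigned long lo = (unsigned long)base, hi = lo + len, s, e;
	FILE *f = fopen("/proc/self/maps", "r");
	int n = 0;

	if (!f)
		return -1;
	while (fscanf(f, "%lx-%lx%*[^\n]", &s, &e) == 2)
		if (s >= lo && e <= hi)
			n++;
	fclose(f);
	return n;
}

/*
 * Runs the scenario and returns what the spanning mprotect(PROT_NONE)
 * returned: 0 on success, -1 with errno set (ENOMEM on the affected
 * linux-next). *before and *after, when non-NULL, receive the VMA count
 * of the reservation before and after that call.
 */
int mprotect_across_merge(int *before, int *after)
{
	long page = sysconf(_SC_PAGESIZE);
	unsigned char *base;
	size_t total;
	int rc = -1, saved;

	if (page <= 0)
		return -1;
	total = (size_t)TOTAL_PAGES * (size_t)page;

	/* Map read/write so every later split carries the same accounting
	 * flags, and touch one page so the reservation owns an anon_vma that
	 * the split-off windows inherit; neighbours only merge when both
	 * match, as they did in the report. */
	base = mmap(NULL, total, PROT_READ | PROT_WRITE,
		    MAP_PRIVATE | MAP_ANONYMOUS | MAP_NORESERVE, -1, 0);
	if (base == MAP_FAILED)
		return -1;
	base[0] = 1;
	if (mprotect(base, total, PROT_NONE))
		goto out;

	/* Carve the windows: NONE | RW | NONE | RW | NONE, five VMAs. */
	if (mprotect(base + WIN1_PAGE * page, WIN1_PAGES * page,
		     PROT_READ | PROT_WRITE))
		goto out;
	if (mprotect(base + WIN2_PAGE * page, WIN2_PAGES * page,
		     PROT_READ | PROT_WRITE))
		goto out;
	if (before)
		*before = count_vmas_in(base, total);

	/* The call from the report: PROT_NONE from inside the first VMA
	 * across both windows. The buggy loop keeps tmp at window 1's old
	 * vm_end after the merge and bails out with -ENOMEM at window 2. */
	rc = mprotect(base + START_PAGE * page, LEN_PAGES * page, PROT_NONE);
	if (after)
		*after = count_vmas_in(base, total);
out:
	saved = errno;
	munmap(base, total);
	errno = saved;
	return rc;
}

int main(void)
{
	int before = -1, after = -1;
	int rc = mprotect_across_merge(&before, &after);

	printf("mprotect(PROT_NONE) across the merge: %s\n",
	       rc ? strerror(errno) : "ok");
	printf("VMAs in the reservation: %d before, %d after\n", before, after);
	return rc ? 1 : 0;
}
```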
For testing purposes I removed the check at the start of the for_each_vma_range loop. Now the loop finishes but there are other errors: Instrumentation: diff --git a/mm/mprotect.c b/mm/mprotect.c index 1d4843c97c2a..f3321cadac89 100644 --- a/mm/mprotect.c +++ b/mm/mprotect.c @@ -702,14 +702,17 @@ mprotect_fixup(struct vma_iterator *vmi, struct mmu_gather *tlb, static int do_mprotect_pkey(unsigned long start, size_t len, unsigned long prot, int pkey) { + if (len == 0x1000000) + printk(KERN_INFO "do_mprotect_pkey:start = 0x%lx len = 0x%lx prot = 0x%lx pkey = %d\n", + start, len, prot, pkey); unsigned long nstart, end, tmp, reqprot; - struct vm_area_struct *vma, *prev; + struct vm_area_struct *vma, *prev, *test_vma; int error; const int grows = prot & (PROT_GROWSDOWN|PROT_GROWSUP); const bool rier = (current->personality & READ_IMPLIES_EXEC) && (prot & PROT_READ); struct mmu_gather tlb; - struct vma_iterator vmi; + struct vma_iterator vmi, test_vmi; start = untagged_addr(start); @@ -741,6 +744,14 @@ static int do_mprotect_pkey(unsigned long start, size_t len, if ((pkey != -1) && !mm_pkey_is_allocated(current->mm, pkey)) goto out; + if (len == 0x1000000) { + vma_iter_init(&test_vmi, current->mm, start); + for_each_vma_range(test_vmi, test_vma, end) { + printk(KERN_INFO "do_mprotect_pkey: test_vma->vm_start=0x%lx test_vma->vm_end=0x%lx\n", + test_vma->vm_start, test_vma->vm_end); + } + } + vma_iter_init(&vmi, current->mm, start); vma = vma_find(&vmi, end); error = -ENOMEM; 
@@ -776,10 +787,17 @@ static int do_mprotect_pkey(unsigned long start, size_t len, unsigned long mask_off_old_flags; unsigned long newflags; int new_vma_pkey; + if (len == 0x1000000) { + printk(KERN_INFO "for_each_vma_range: vma->vm_start=0x%lx vma->vm_end=0x%lx nstart=0x%lx tmp=0x%lx", + vma->vm_start, vma->vm_end, nstart, tmp); + } - if (vma->vm_start != tmp) { - error = -ENOMEM; - break; + if (len == 0x1000000) { + } else { + if (vma->vm_start != tmp) { + error = -ENOMEM; + break; + } } /* Does the application expect PROT_READ to imply PROT_EXEC */ @@ -815,8 +833,9 @@ static int do_mprotect_pkey(unsigned long start, size_t len, } error = security_file_mprotect(vma, reqprot, prot); - if (error) + if (error) { break; + } tmp = vma->vm_end; if (tmp > end) 
@@ -824,23 +843,50 @@ static int do_mprotect_pkey(unsigned long start, size_t len, if (vma->vm_ops && vma->vm_ops->mprotect) { error = vma->vm_ops->mprotect(vma, nstart, tmp, newflags); - if (error) + if (error) { break; + } } + if (len == 0x1000000) { + printk(KERN_INFO "calling mprotect_fixup: vma=%px prev=%px nstart=0x%lx tmp=0x%lx, newflags=0x%lx\n", + vma, prev, nstart, tmp, newflags); + printk(KERN_INFO "do_mprotect_pkey: before mprotect_fixup: vma_iter_addr(&vmi)=0x%lx\n", + vma_iter_addr(&vmi)); + } error = mprotect_fixup(&vmi, &tlb, vma, &prev, nstart, tmp, newflags); - if (error) + if (len == 0x1000000) { + printk(KERN_INFO "do_mprotect_pkey: after mprotect_fixup: vma_iter_addr(&vmi)=0x%lx\n", + vma_iter_addr(&vmi)); + } + if (error) { break; + } nstart = tmp; prot = reqprot; + if (len == 0x1000000) { + printk(KERN_INFO "do_mprotect_pkey: end of loop prev=%px nstart=0x%lx tmp=0x%lx", + prev, nstart, tmp); + } } tlb_finish_mmu(&tlb); + if (len == 0x1000000) { + vma_iter_init(&test_vmi, current->mm, start); + printk(KERN_INFO "do_mprotect_pkey: memory area after possible merges\n"); + for_each_vma_range(test_vmi, test_vma, end) { + printk(KERN_INFO "do_mprotect_pkey: test_vma->vm_start=0x%lx test_vma->vm_end=0x%lx\n", + test_vma->vm_start, test_vma->vm_end); + } + } + if (vma_iter_end(&vmi) < end) error = -ENOMEM; out: + if (len == 0x1000000) + printk(KERN_INFO "do_mprotect_pkey: returning %d\n", error); mmap_write_unlock(current->mm); return error; } Result: [ 35.000962][ T3059] do_mprotect_pkey:start = 0xb0e00400000 len = 0x1000000 prot = 0x0 pkey = -1 This is the vma_range before any merges: [ 35.000972][ T3059] do_mprotect_pkey: test_vma->vm_start=0xb0e002e9000 test_vma->vm_end=0xb0e00401000 [ 35.000973][ T3059] do_mprotect_pkey: test_vma->vm_start=0xb0e00401000 test_vma->vm_end=0xb0e00402000 [ 35.000975][ T3059] do_mprotect_pkey: test_vma->vm_start=0xb0e00402000 test_vma->vm_end=0xb0e00404000 [ 35.000976][ T3059] do_mprotect_pkey: 
test_vma->vm_start=0xb0e00404000 test_vma->vm_end=0xb0e00601000
[ 35.000977][ T3059] do_mprotect_pkey: test_vma->vm_start=0xb0e00601000 test_vma->vm_end=0xb0e00604000
[ 35.000977][ T3059] do_mprotect_pkey: test_vma->vm_start=0xb0e00604000 test_vma->vm_end=0xb0e01214000
[ 35.000978][ T3059] do_mprotect_pkey: test_vma->vm_start=0xb0e01214000 test_vma->vm_end=0xb0e01401000
[ 35.000979][ T3059] for_each_vma_range: vma->vm_start=0xb0e002e9000 vma->vm_end=0xb0e00401000 nstart=0xb0e00400000 tmp=0xb0e002e9000
[ 35.000980][ T3059] calling mprotect_fixup: vma=ffff9e906cdc2990 prev=ffff9e906cdc2990 nstart=0xb0e00400000 tmp=0xb0e00401000, newflags=0x8100070
[ 35.000982][ T3059] do_mprotect_pkey: before mprotect_fixup: vma_iter_addr(&vmi)=0xb0e002e9000
[ 35.000983][ T3059] do_mprotect_pkey: after mprotect_fixup: vma_iter_addr(&vmi)=0xb0e002e9000
[ 35.000983][ T3059] do_mprotect_pkey: end of loop prev=ffff9e906cdc2990 nstart=0xb0e00401000 tmp=0xb0e00401000
[ 35.000984][ T3059] for_each_vma_range: vma->vm_start=0xb0e00401000 vma->vm_end=0xb0e00402000 nstart=0xb0e00401000 tmp=0xb0e00401000
[ 35.000985][ T3059] calling mprotect_fixup: vma=ffff9e909cc293f0 prev=ffff9e906cdc2990 nstart=0xb0e00401000 tmp=0xb0e00402000, newflags=0x8100070
[ 35.000986][ T3059] do_mprotect_pkey: before mprotect_fixup: vma_iter_addr(&vmi)=0xb0e00401000
[ 35.001004][ T3059] do_mprotect_pkey: after mprotect_fixup: vma_iter_addr(&vmi)=0xb0e002e9000
[ 35.001004][ T3059] do_mprotect_pkey: end of loop prev=ffff9e906cdc2990 nstart=0xb0e00402000 tmp=0xb0e00402000
[ 35.001005][ T3059] for_each_vma_range: vma->vm_start=0xb0e00404000 vma->vm_end=0xb0e00601000 nstart=0xb0e00402000 tmp=0xb0e00402000
[ 35.001006][ T3059] calling mprotect_fixup: vma=ffff9e906cdc2870 prev=ffff9e906cdc2990 nstart=0xb0e00402000 tmp=0xb0e00601000, newflags=0x8100070
[ 35.001007][ T3059] do_mprotect_pkey: before mprotect_fixup: vma_iter_addr(&vmi)=0xb0e00404000
[ 35.001015][ T3059] ------------[ cut here ]------------
[ 35.001016][ T3059] WARNING: CPU: 7 PID: 3059 at mm/mmap.c:2163 __split_vma+0x2f1/0x320
[ 35.001027][ T3059] Modules linked in: ccm rfcomm snd_seq_dummy snd_hrtimer snd_seq snd_seq_device cmac bnep cpufreq_conservative cpufreq_powersave cpufreq_userspace nls_ascii nls_cp437 vfat fat snd_ctl_led btusb btrtl btbcm btintel btmtk bluetooth snd_hda_codec_realtek snd_hda_codec_generic ledtrig_audio snd_hda_codec_hdmi uvcvideo jitterentropy_rng videobuf2_vmalloc snd_hda_intel videobuf2_memops snd_intel_dspcfg snd_soc_dmic snd_acp3x_pdm_dma uvc snd_acp3x_rn snd_hda_codec videobuf2_v4l2 sha512_generic snd_hwdep snd_soc_core snd_hda_core videodev joydev snd_pcm_oss snd_acp_pci msi_wmi snd_mixer_oss snd_pcm ctr drbg ecdh_generic ecc videobuf2_common edac_mce_amd rapl sparse_keymap snd_rn_pci_acp3x wmi_bmof snd_timer battery snd_acp_config snd k10temp snd_soc_acpi soundcore ccp snd_pci_acp3x ac hid_sensor_prox hid_sensor_magn_3d hid_sensor_als hid_sensor_accel_3d hid_sensor_gyro_3d evdev hid_sensor_trigger industrialio_triggered_buffer hid_multitouch button kfifo_buf industrialio acpi_cpufreq amd_pmc hid_sensor_iio_common
[ 35.001078][ T3059] serio_raw mt7921e mt7921_common mt76_connac_lib mt76 mac80211 libarc4 cfg80211 rfkill msr fuse efi_pstore configfs efivarfs autofs4 ext4 crc32c_generic crc16 mbcache jbd2 usbhid amdgpu nvme drm_ttm_helper ttm nvme_core gpu_sched t10_pi i2c_algo_bit xhci_pci drm_buddy r8169 xhci_hcd drm_display_helper crc64_rocksoft realtek hid_sensor_hub crc64 mdio_devres mfd_core hid_generic drm_kms_helper psmouse crc32c_intel usbcore syscopyarea crc_t10dif i2c_hid_acpi amd_sfh sysfillrect libphy i2c_hid crct10dif_generic sysimgblt i2c_piix4 usb_common crct10dif_common cec hid i2c_designware_platform i2c_designware_core
[ 35.001116][ T3059] CPU: 7 PID: 3059 Comm: CompositorTileW Not tainted 6.2.0-rc8-next-20230220-dirty #421
[ 35.001118][ T3059] Hardware name: Micro-Star International Co., Ltd. Alpha 15 B5EEK/MS-158L, BIOS E158LAMS.107 11/10/2021
[ 35.001120][ T3059] RIP: 0010:__split_vma+0x2f1/0x320
[ 35.001122][ T3059] Code: f6 48 8d 7c 24 10 e8 ee e2 ff ff eb a1 4c 89 64 24 38 48 85 c0 0f 85 a2 fe ff ff e9 57 ff ff ff 4c 89 f7 e8 81 bc 5e 00 eb c6 <0f> 0b 48 3b 6b 08 0f 82 41 fd ff ff 0f 0b e9 3a fd ff ff 41 bd f4
[ 35.001124][ T3059] RSP: 0018:ffffb0db8584fcb0 EFLAGS: 00010206
[ 35.001125][ T3059] RAX: 0000000000000000 RBX: ffff9e906cdc2870 RCX: 0000000000000001
[ 35.001126][ T3059] RDX: 00000b0e00402000 RSI: ffff9e906cdc2870 RDI: ffffb0db8584fe00
[ 35.001127][ T3059] RBP: 00000b0e00402000 R08: 000000000000fffa R09: 0000000000000000
[ 35.001127][ T3059] R10: ffff9e906cdc2870 R11: ffffb0db8584fdf8 R12: 00000b0e00601000
[ 35.001128][ T3059] R13: 0000000000000000 R14: ffffb0db8584fe00 R15: 0000000000000000
[ 35.001129][ T3059] FS: 00007f23c97f66c0(0000) GS:ffff9e929e7c0000(0000) knlGS:0000000000000000
[ 35.001130][ T3059] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 35.001131][ T3059] CR2: 00001ed350c96000 CR3: 00000001bceca000 CR4: 0000000000750ee0
[ 35.001131][ T3059] PKRU: 55555554
[ 35.001132][ T3059] Call Trace:
[ 35.001134][ T3059] <TASK>
[ 35.001139][ T3059] mprotect_fixup+0x2dc/0x390
[ 35.001142][ T3059] do_mprotect_pkey+0x476/0x7e0
[ 35.001145][ T3059] __x64_sys_mprotect+0x16/0x30
[ 35.001147][ T3059] do_syscall_64+0x3a/0x90
[ 35.001152][ T3059] entry_SYSCALL_64_after_hwframe+0x4b/0xb5
[ 35.001157][ T3059] RIP: 0033:0x7f23d093f7b7
[ 35.001159][ T3059] Code: 73 01 c3 48 8b 0d 49 06 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 0a 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 19 06 0d 00 f7 d8 64 89 01 48
[ 35.001160][ T3059] RSP: 002b:00007f23c97f4818 EFLAGS: 00000202 ORIG_RAX: 000000000000000a
[ 35.001161][ T3059] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f23d093f7b7
[ 35.001162][ T3059] RDX: 0000000000000000 RSI: 0000000001000000 RDI: 00000b0e00400000
[ 35.001163][ T3059] RBP: 00007f23c97f4850 R08: 0000000000000040 R09: 0000000000000001
[ 35.001163][ T3059] R10: 00000b0e00401020 R11: 0000000000000202 R12: 00000b0e00400000
[ 35.001164][ T3059] R13: 0000000000000000 R14: 0000000001000000 R15: 0000000000000000
[ 35.001167][ T3059] </TASK>
[ 35.001167][ T3059] ---[ end trace 0000000000000000 ]---
[ 35.001173][ T3059] do_mprotect_pkey: after mprotect_fixup: vma_iter_addr(&vmi)=0xb0e00402000
[ 35.001173][ T3059] do_mprotect_pkey: end of loop prev=ffff9e906cdc2870 nstart=0xb0e00601000 tmp=0xb0e00601000
[ 35.001174][ T3059] for_each_vma_range: vma->vm_start=0xb0e00601000 vma->vm_end=0xb0e00604000 nstart=0xb0e00601000 tmp=0xb0e00601000
[ 35.001175][ T3059] calling mprotect_fixup: vma=ffff9e8ff80266c0 prev=ffff9e906cdc2870 nstart=0xb0e00601000 tmp=0xb0e00604000, newflags=0x8100070
[ 35.001176][ T3059] do_mprotect_pkey: before mprotect_fixup: vma_iter_addr(&vmi)=0xb0e00601000
[ 35.001177][ T3059] do_mprotect_pkey: after mprotect_fixup: vma_iter_addr(&vmi)=0xb0e00601000
[ 35.001177][ T3059] do_mprotect_pkey: end of loop prev=ffff9e8ff80266c0 nstart=0xb0e00604000 tmp=0xb0e00604000
[ 35.001178][ T3059] for_each_vma_range: vma->vm_start=0xb0e00604000 vma->vm_end=0xb0e01214000 nstart=0xb0e00604000 tmp=0xb0e00604000
[ 35.001179][ T3059] calling mprotect_fixup: vma=ffff9e9077784b40 prev=ffff9e8ff80266c0 nstart=0xb0e00604000 tmp=0xb0e01214000, newflags=0x8100070
[ 35.001180][ T3059] do_mprotect_pkey: before mprotect_fixup: vma_iter_addr(&vmi)=0xb0e00604000
[ 35.001182][ T3059] do_mprotect_pkey: after mprotect_fixup: vma_iter_addr(&vmi)=0xb0e00604000
[ 35.001183][ T3059] do_mprotect_pkey: end of loop prev=ffff9e9077784b40 nstart=0xb0e01214000 tmp=0xb0e01214000
[ 35.001183][ T3059] for_each_vma_range: vma->vm_start=0xb0e01214000 vma->vm_end=0xb0e01401000 nstart=0xb0e01214000 tmp=0xb0e01214000
[ 35.001184][ T3059] calling mprotect_fixup: vma=ffff9e90b5a41480 prev=ffff9e9077784b40 nstart=0xb0e01214000 tmp=0xb0e01400000, newflags=0x8000070
[ 35.001185][ T3059] do_mprotect_pkey: before mprotect_fixup: vma_iter_addr(&vmi)=0xb0e01214000
[ 35.001185][ T3059] do_mprotect_pkey: after mprotect_fixup: vma_iter_addr(&vmi)=0xb0e01214000
[ 35.001186][ T3059] do_mprotect_pkey: end of loop prev=ffff9e90b5a41480 nstart=0xb0e01400000 tmp=0xb0e01400000

This is the vma_range after merges:

[ 35.001186][ T3059] do_mprotect_pkey: memory area after possible merges
[ 35.001187][ T3059] do_mprotect_pkey: test_vma->vm_start=0xb0e002e9000 test_vma->vm_end=0xb0e00404000

Here we have start > end:

[ 35.001187][ T3059] do_mprotect_pkey: test_vma->vm_start=0xb0e00404000 test_vma->vm_end=0xb0e00402000

This is overlapping with the previous ranges:

[ 35.001188][ T3059] do_mprotect_pkey: test_vma->vm_start=0xb0e00402000 test_vma->vm_end=0xb0e00601000
[ 35.001188][ T3059] do_mprotect_pkey: test_vma->vm_start=0xb0e00601000 test_vma->vm_end=0xb0e00604000
[ 35.001189][ T3059] do_mprotect_pkey: test_vma->vm_start=0xb0e00604000 test_vma->vm_end=0xb0e01214000
[ 35.001189][ T3059] do_mprotect_pkey: test_vma->vm_start=0xb0e01214000 test_vma->vm_end=0xb0e01401000
[ 35.001190][ T3059] do_mprotect_pkey: returning 0
[ 35.014932][ T3141] ServiceWorker t[3141]: segfault at 33f40079f000 ip 00007f23d099110a sp 00007f23c2eaa058 error 6 in libc.so.6[7f23d0864000+155000] likely on CPU 13 (core 6, socket 0)
[ 35.014961][ T3141] Code: c5 fe 7f 07 c5 fe 7f 47 20 c5 fe 7f 47 40 c5 fe 7f 47 60 c5 f8 77 c3 66 0f 1f 84 00 00 00 00 00 40 0f b6 c6 48 89 d1 48 89 fa <f3> aa 48 89 d0 c5 f8 77 c3 66 66 2e 0f 1f 84 00 00 00 00 00 66 90
[ 36.682835][ T3233] do_mprotect_pkey:start = 0x8f400400000 len = 0x1000000 prot = 0x0 pkey = -1
[ 36.682839][ T3233] do_mprotect_pkey: test_vma->vm_start=0x8f4002e9000 test_vma->vm_end=0x8f400401000
[ 36.682840][ T3233] do_mprotect_pkey: test_vma->vm_start=0x8f400401000 test_vma->vm_end=0x8f400402000
[ 36.682841][ T3233] do_mprotect_pkey: test_vma->vm_start=0x8f400402000 test_vma->vm_end=0x8f400404000
[ 36.682842][ T3233] do_mprotect_pkey: test_vma->vm_start=0x8f400404000 test_vma->vm_end=0x8f400601000
[ 36.682842][ T3233] do_mprotect_pkey: test_vma->vm_start=0x8f400601000 test_vma->vm_end=0x8f400604000
[ 36.682843][ T3233] do_mprotect_pkey: test_vma->vm_start=0x8f400604000 test_vma->vm_end=0x8f401214000
[ 36.682843][ T3233] do_mprotect_pkey: test_vma->vm_start=0x8f401214000 test_vma->vm_end=0x8f401401000
[ 36.682844][ T3233] for_each_vma_range: vma->vm_start=0x8f4002e9000 vma->vm_end=0x8f400401000 nstart=0x8f400400000 tmp=0x8f4002e9000
[ 36.682844][ T3233] calling mprotect_fixup: vma=ffff9e90ae93c6c0 prev=ffff9e90ae93c6c0 nstart=0x8f400400000 tmp=0x8f400401000, newflags=0x8100070
[ 36.682846][ T3233] do_mprotect_pkey: before mprotect_fixup: vma_iter_addr(&vmi)=0x8f4002e9000
[ 36.682847][ T3233] do_mprotect_pkey: after mprotect_fixup: vma_iter_addr(&vmi)=0x8f4002e9000
[ 36.682847][ T3233] do_mprotect_pkey: end of loop prev=ffff9e90ae93c6c0 nstart=0x8f400401000 tmp=0x8f400401000
[ 36.682848][ T3233] for_each_vma_range: vma->vm_start=0x8f400401000 vma->vm_end=0x8f400402000 nstart=0x8f400401000 tmp=0x8f400401000
[ 36.682848][ T3233] calling mprotect_fixup: vma=ffff9e90ae93c750 prev=ffff9e90ae93c6c0 nstart=0x8f400401000 tmp=0x8f400402000, newflags=0x8100070
[ 36.682849][ T3233] do_mprotect_pkey: before mprotect_fixup: vma_iter_addr(&vmi)=0x8f400401000
[ 36.682857][ T3233] do_mprotect_pkey: after mprotect_fixup: vma_iter_addr(&vmi)=0x8f4002e9000
[ 36.682857][ T3233] do_mprotect_pkey: end of loop prev=ffff9e90ae93c6c0 nstart=0x8f400402000 tmp=0x8f400402000
[ 36.682858][ T3233] for_each_vma_range: vma->vm_start=0x8f400404000 vma->vm_end=0x8f400601000 nstart=0x8f400402000 tmp=0x8f400402000
[ 36.682858][ T3233] calling mprotect_fixup: vma=ffff9e90ae93cd80 prev=ffff9e90ae93c6c0 nstart=0x8f400402000 tmp=0x8f400601000, newflags=0x8100070
[ 36.682859][ T3233] do_mprotect_pkey: before mprotect_fixup: vma_iter_addr(&vmi)=0x8f400404000
[ 36.682865][ T3233] ------------[ cut here ]------------
[ 36.682866][ T3233] WARNING: CPU: 8 PID: 3233 at mm/mmap.c:2163 __split_vma+0x2f1/0x320
[ 36.682872][ T3233] Modules linked in: ccm rfcomm snd_seq_dummy snd_hrtimer snd_seq snd_seq_device cmac bnep cpufreq_conservative cpufreq_powersave cpufreq_userspace nls_ascii nls_cp437 vfat fat snd_ctl_led btusb btrtl btbcm btintel btmtk bluetooth snd_hda_codec_realtek snd_hda_codec_generic ledtrig_audio snd_hda_codec_hdmi uvcvideo jitterentropy_rng videobuf2_vmalloc snd_hda_intel videobuf2_memops snd_intel_dspcfg snd_soc_dmic snd_acp3x_pdm_dma uvc snd_acp3x_rn snd_hda_codec videobuf2_v4l2 sha512_generic snd_hwdep snd_soc_core snd_hda_core videodev joydev snd_pcm_oss snd_acp_pci msi_wmi snd_mixer_oss snd_pcm ctr drbg ecdh_generic ecc videobuf2_common edac_mce_amd rapl sparse_keymap snd_rn_pci_acp3x wmi_bmof snd_timer battery snd_acp_config snd k10temp snd_soc_acpi soundcore ccp snd_pci_acp3x ac hid_sensor_prox hid_sensor_magn_3d hid_sensor_als hid_sensor_accel_3d hid_sensor_gyro_3d evdev hid_sensor_trigger industrialio_triggered_buffer hid_multitouch button kfifo_buf industrialio acpi_cpufreq amd_pmc hid_sensor_iio_common
[ 36.682904][ T3233] serio_raw mt7921e mt7921_common mt76_connac_lib mt76 mac80211 libarc4 cfg80211 rfkill msr fuse efi_pstore configfs efivarfs autofs4 ext4 crc32c_generic crc16 mbcache jbd2 usbhid amdgpu nvme drm_ttm_helper ttm nvme_core gpu_sched t10_pi i2c_algo_bit xhci_pci drm_buddy r8169 xhci_hcd drm_display_helper crc64_rocksoft realtek hid_sensor_hub crc64 mdio_devres mfd_core hid_generic drm_kms_helper psmouse crc32c_intel usbcore syscopyarea crc_t10dif i2c_hid_acpi amd_sfh sysfillrect libphy i2c_hid crct10dif_generic sysimgblt i2c_piix4 usb_common crct10dif_common cec hid i2c_designware_platform i2c_designware_core
[ 36.682929][ T3233] CPU: 8 PID: 3233 Comm: CompositorTileW Tainted: G W 6.2.0-rc8-next-20230220-dirty #421
[ 36.682930][ T3233] Hardware name: Micro-Star International Co., Ltd. Alpha 15 B5EEK/MS-158L, BIOS E158LAMS.107 11/10/2021
[ 36.682931][ T3233] RIP: 0010:__split_vma+0x2f1/0x320
[ 36.682933][ T3233] Code: f6 48 8d 7c 24 10 e8 ee e2 ff ff eb a1 4c 89 64 24 38 48 85 c0 0f 85 a2 fe ff ff e9 57 ff ff ff 4c 89 f7 e8 81 bc 5e 00 eb c6 <0f> 0b 48 3b 6b 08 0f 82 41 fd ff ff 0f 0b e9 3a fd ff ff 41 bd f4
[ 36.682934][ T3233] RSP: 0018:ffffb0db85bcfcb0 EFLAGS: 00010206
[ 36.682935][ T3233] RAX: 0000000000000000 RBX: ffff9e90ae93cd80 RCX: 0000000000000001
[ 36.682936][ T3233] RDX: 000008f400402000 RSI: ffff9e90ae93cd80 RDI: ffffb0db85bcfe00
[ 36.682937][ T3233] RBP: 000008f400402000 R08: 000000000000fffa R09: 0000000000000000
[ 36.682937][ T3233] R10: ffff9e90ae93cd80 R11: ffffb0db85bcfdf8 R12: 000008f400601000
[ 36.682938][ T3233] R13: 0000000000000000 R14: ffffb0db85bcfe00 R15: 0000000000000000
[ 36.682939][ T3233] FS: 00007fa2215f56c0(0000) GS:ffff9e929e800000(0000) knlGS:0000000000000000
[ 36.682939][ T3233] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 36.682940][ T3233] CR2: 00007fa21b25a000 CR3: 000000020cd6e000 CR4: 0000000000750ee0
[ 36.682941][ T3233] PKRU: 55555554
[ 36.682941][ T3233] Call Trace:
[ 36.682943][ T3233] <TASK>
[ 36.682945][ T3233] mprotect_fixup+0x2dc/0x390
[ 36.682948][ T3233] do_mprotect_pkey+0x476/0x7e0
[ 36.682950][ T3233] __x64_sys_mprotect+0x16/0x30
[ 36.682952][ T3233] do_syscall_64+0x3a/0x90
[ 36.682955][ T3233] entry_SYSCALL_64_after_hwframe+0x4b/0xb5
[ 36.682958][ T3233] RIP: 0033:0x7fa228f007b7
[ 36.682959][ T3233] Code: 73 01 c3 48 8b 0d 49 06 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 0a 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 19 06 0d 00 f7 d8 64 89 01 48
[ 36.682960][ T3233] RSP: 002b:00007fa2215f3818 EFLAGS: 00000202 ORIG_RAX: 000000000000000a
[ 36.682961][ T3233] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa228f007b7
[ 36.682961][ T3233] RDX: 0000000000000000 RSI: 0000000001000000 RDI: 000008f400400000
[ 36.682962][ T3233] RBP: 00007fa2215f3850 R08: 0000000000000040 R09: 0000000000000001
[ 36.682962][ T3233] R10: 000008f400401020 R11: 0000000000000202 R12: 000008f400400000
[ 36.682963][ T3233] R13: 0000000000000000 R14: 0000000001000000 R15: 0000000000000000
[ 36.682965][ T3233] </TASK>
[ 36.682965][ T3233] ---[ end trace 0000000000000000 ]---
[ 36.682969][ T3233] do_mprotect_pkey: after mprotect_fixup: vma_iter_addr(&vmi)=0x8f400402000
[ 36.682970][ T3233] do_mprotect_pkey: end of loop prev=ffff9e90ae93cd80 nstart=0x8f400601000 tmp=0x8f400601000
[ 36.682970][ T3233] for_each_vma_range: vma->vm_start=0x8f400601000 vma->vm_end=0x8f400604000 nstart=0x8f400601000 tmp=0x8f400601000
[ 36.682971][ T3233] calling mprotect_fixup: vma=ffff9e90ae930c60 prev=ffff9e90ae93cd80 nstart=0x8f400601000 tmp=0x8f400604000, newflags=0x8100070
[ 36.682972][ T3233] do_mprotect_pkey: before mprotect_fixup: vma_iter_addr(&vmi)=0x8f400601000
[ 36.682972][ T3233] do_mprotect_pkey: after mprotect_fixup: vma_iter_addr(&vmi)=0x8f400601000
[ 36.682973][ T3233] do_mprotect_pkey: end of loop prev=ffff9e90ae930c60 nstart=0x8f400604000 tmp=0x8f400604000
[ 36.682973][ T3233] for_each_vma_range: vma->vm_start=0x8f400604000 vma->vm_end=0x8f401214000 nstart=0x8f400604000 tmp=0x8f400604000
[ 36.682974][ T3233] calling mprotect_fixup: vma=ffff9e90ae930000 prev=ffff9e90ae930c60 nstart=0x8f400604000 tmp=0x8f401214000, newflags=0x8100070
[ 36.682974][ T3233] do_mprotect_pkey: before mprotect_fixup: vma_iter_addr(&vmi)=0x8f400604000
[ 36.682976][ T3233] do_mprotect_pkey: after mprotect_fixup: vma_iter_addr(&vmi)=0x8f400604000
[ 36.682976][ T3233] do_mprotect_pkey: end of loop prev=ffff9e90ae930000 nstart=0x8f401214000 tmp=0x8f401214000
[ 36.682976][ T3233] for_each_vma_range: vma->vm_start=0x8f401214000 vma->vm_end=0x8f401401000 nstart=0x8f401214000 tmp=0x8f401214000
[ 36.682977][ T3233] calling mprotect_fixup: vma=ffff9e90ad3a76c0 prev=ffff9e90ae930000 nstart=0x8f401214000 tmp=0x8f401400000, newflags=0x8000070
[ 36.682977][ T3233] 
do_mprotect_pkey: before mprotect_fixup: vma_iter_addr(&vmi)=0x8f401214000 [ 36.682978][ T3233] do_mprotect_pkey: after mprotect_fixup: vma_iter_addr(&vmi)=0x8f401214000 [ 36.682978][ T3233] do_mprotect_pkey: end of loop prev=ffff9e90ad3a76c0 nstart=0x8f401400000 tmp=0x8f401400000 Here we have the same problem as before: [ 36.682978][ T3233] do_mprotect_pkey: memory area after possible merges [ 36.682979][ T3233] do_mprotect_pkey: test_vma->vm_start=0x8f4002e9000 test_vma->vm_end=0x8f400404000 [ 36.682979][ T3233] do_mprotect_pkey: test_vma->vm_start=0x8f400404000 test_vma->vm_end=0x8f400402000 [ 36.682980][ T3233] do_mprotect_pkey: test_vma->vm_start=0x8f400402000 test_vma->vm_end=0x8f400601000 [ 36.682980][ T3233] do_mprotect_pkey: test_vma->vm_start=0x8f400601000 test_vma->vm_end=0x8f400604000 [ 36.682980][ T3233] do_mprotect_pkey: test_vma->vm_start=0x8f400604000 test_vma->vm_end=0x8f401214000 [ 36.682981][ T3233] do_mprotect_pkey: test_vma->vm_start=0x8f401214000 test_vma->vm_end=0x8f401401000 [ 36.682981][ T3233] do_mprotect_pkey: returning 0 This bug might be caused by the errors above, though I'm not sure exactly how: [ 49.378683][ T3258] ------------[ cut here ]------------ [ 49.378686][ T3258] kernel BUG at mm/mmap.c:3062! [ 49.378693][ T3258] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI [ 49.378696][ T3258] CPU: 6 PID: 3258 Comm: ThreadPoolForeg Tainted: G W 6.2.0-rc8-next-20230220-dirty #421 [ 49.378698][ T3258] Hardware name: Micro-Star International Co., Ltd. 
Alpha 15 B5EEK/MS-158L, BIOS E158LAMS.107 11/10/2021 [ 49.378700][ T3258] RIP: 0010:exit_mmap+0x1ab/0x1c0 [ 49.378706][ T3258] Code: 31 d2 31 c9 31 f6 31 ff 45 31 c0 45 31 c9 c3 cc cc cc cc 4c 89 ef e8 b4 c6 ea ff eb bf 4c 89 e7 e8 9a a0 03 00 e9 ac fe ff ff <0f> 0b e8 0e 99 60 00 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 41 [ 49.378708][ T3258] RSP: 0018:ffffb0db85c87c90 EFLAGS: 00010202 [ 49.378710][ T3258] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 [ 49.378711][ T3258] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 49.378713][ T3258] RBP: 0000000000000509 R08: 0000000000000000 R09: 0000000000000000 [ 49.378714][ T3258] R10: 0000000000000000 R11: 0000000000000000 R12: ffff9e8ff8a050c0 [ 49.378715][ T3258] R13: ffff9e8ff8a05130 R14: 0000000000015b6e R15: ffff9e90d123a5f0 [ 49.378716][ T3258] FS: 0000000000000000(0000) GS:ffff9e929e780000(0000) knlGS:0000000000000000 [ 49.378718][ T3258] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 49.378719][ T3258] CR2: 0000564412d138b0 CR3: 0000000166214000 CR4: 0000000000750ee0 [ 49.378721][ T3258] PKRU: 55555554 [ 49.378721][ T3258] Call Trace: [ 49.378723][ T3258] <TASK> [ 49.378726][ T3258] __mmput+0x36/0x120 [ 49.378730][ T3258] do_exit+0x2af/0xa30 [ 49.378732][ T3258] ? hrtimer_cancel+0xc/0x20 [ 49.378736][ T3258] ? futex_wait+0x236/0x250 [ 49.378739][ T3258] do_group_exit+0x28/0x80 [ 49.378741][ T3258] get_signal+0x89b/0x8a0 [ 49.378744][ T3258] arch_do_signal_or_restart+0x25/0x260 [ 49.378748][ T3258] exit_to_user_mode_prepare+0xc9/0x180 [ 49.378751][ T3258] syscall_exit_to_user_mode+0x12/0x40 [ 49.378755][ T3258] do_syscall_64+0x46/0x90 [ 49.378758][ T3258] entry_SYSCALL_64_after_hwframe+0x4b/0xb5 [ 49.378761][ T3258] RIP: 0033:0x7fa228e84d36 [ 49.378763][ T3258] Code: Unable to access opcode bytes at 0x7fa228e84d0c. 
[ 49.378764][ T3258] RSP: 002b:00007fa219fe63e0 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 49.378766][ T3258] RAX: fffffffffffffdfc RBX: 0000000000000000 RCX: 00007fa228e84d36 [ 49.378767][ T3258] RDX: 0000000000000000 RSI: 0000000000000089 RDI: 00007fa219fe6650 [ 49.378768][ T3258] RBP: 0000000000000000 R08: 0000000000000000 R09: 00000000ffffffff [ 49.378769][ T3258] R10: 00007fa219fe64f0 R11: 0000000000000246 R12: 0000000000000000 [ 49.378770][ T3258] R13: 00007fa219fe6600 R14: 00007fa219fe6650 R15: 0000000000000000 [ 49.378772][ T3258] </TASK> [ 49.378773][ T3258] Modules linked in: ccm rfcomm snd_seq_dummy snd_hrtimer snd_seq snd_seq_device cmac bnep cpufreq_conservative cpufreq_powersave cpufreq_userspace nls_ascii nls_cp437 vfat fat snd_ctl_led btusb btrtl btbcm btintel btmtk bluetooth snd_hda_codec_realtek snd_hda_codec_generic ledtrig_audio snd_hda_codec_hdmi uvcvideo jitterentropy_rng videobuf2_vmalloc snd_hda_intel videobuf2_memops snd_intel_dspcfg snd_soc_dmic snd_acp3x_pdm_dma uvc snd_acp3x_rn snd_hda_codec videobuf2_v4l2 sha512_generic snd_hwdep snd_soc_core snd_hda_core videodev joydev snd_pcm_oss snd_acp_pci msi_wmi snd_mixer_oss snd_pcm ctr drbg ecdh_generic ecc videobuf2_common edac_mce_amd rapl sparse_keymap snd_rn_pci_acp3x wmi_bmof snd_timer battery snd_acp_config snd k10temp snd_soc_acpi soundcore ccp snd_pci_acp3x ac hid_sensor_prox hid_sensor_magn_3d hid_sensor_als hid_sensor_accel_3d hid_sensor_gyro_3d evdev hid_sensor_trigger industrialio_triggered_buffer hid_multitouch button kfifo_buf industrialio acpi_cpufreq amd_pmc hid_sensor_iio_common [ 49.378816][ T3258] serio_raw mt7921e mt7921_common mt76_connac_lib mt76 mac80211 libarc4 cfg80211 rfkill msr fuse efi_pstore configfs efivarfs autofs4 ext4 crc32c_generic crc16 mbcache jbd2 usbhid amdgpu nvme drm_ttm_helper ttm nvme_core gpu_sched t10_pi i2c_algo_bit xhci_pci drm_buddy r8169 xhci_hcd drm_display_helper crc64_rocksoft realtek hid_sensor_hub crc64 mdio_devres mfd_core hid_generic 
drm_kms_helper psmouse crc32c_intel usbcore syscopyarea crc_t10dif i2c_hid_acpi amd_sfh sysfillrect libphy i2c_hid crct10dif_generic sysimgblt i2c_piix4 usb_common crct10dif_common cec hid i2c_designware_platform i2c_designware_core [ 49.378849][ T3258] ---[ end trace 0000000000000000 ]---
This fixes the problem for me in next-20230220

diff --git a/mm/mprotect.c b/mm/mprotect.c
index 1d4843c97c2a..f70f9a7b545e 100644
--- a/mm/mprotect.c
+++ b/mm/mprotect.c
@@ -832,6 +832,7 @@ static int do_mprotect_pkey(unsigned long start, size_t len,
 if (error)
 break;

+ tmp = prev->vm_end;
 nstart = tmp;
 prot = reqprot;
 }

Next I'll try to construct a simpler testcase without steam and stellaris.
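Review bot: the added `tmp = prev->vm_end;` sits directly before `nstart = tmp;`, so it re-derives both tmp and nstart from prev, and that is only right if mprotect_fixup() has left prev pointing at the vma that now covers the range just processed (the merged vma when a merge happened); nothing in the hunk says so. Add a comment stating why tmp is reloaded here (a successful merge inside mprotect_fixup() leaves tmp behind, so the `vma->vm_start != tmp` hole check at the top of the loop rejects the next vma), and prefer resyncing tmp from the iterator's own end position rather than from prev, so the hole check cannot drift from what the iterator will return on the next pass.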
(switched to email. Please respond via emailed reply-to-all, not via the bugzilla web interface).

On Wed, 22 Feb 2023 18:27:37 +0000 bugzilla-daemon@kernel.org wrote:

> https://bugzilla.kernel.org/show_bug.cgi?id=217061
>
> --- Comment #5 from spasswolf@web.de ---
> This fixes the problem for me in next-20230220
>
> diff --git a/mm/mprotect.c b/mm/mprotect.c
> index 1d4843c97c2a..f70f9a7b545e 100644
> --- a/mm/mprotect.c
> +++ b/mm/mprotect.c
> @@ -832,6 +832,7 @@ static int do_mprotect_pkey(unsigned long start, size_t
> len,
>  if (error)
>  break;
>
> + tmp = prev->vm_end;
>  nstart = tmp;
>  prot = reqprot;
>  }
>
> Next I'll try to construct a simpler testcase without steam and stellaris.

Thanks for figuring this out.

Liam, this has been bisected to 2286a6914c776e ("mm: change mprotect_fixup to vma iterator"). Please take a look?
On Thursday, 23.02.2023 at 12:04 -0800, Andrew Morton wrote:
> (switched to email. Please respond via emailed reply-to-all, not via
> the
> bugzilla web interface).
>
> On Wed, 22 Feb 2023 18:27:37 +0000 bugzilla-daemon@kernel.org wrote:
>
> > https://bugzilla.kernel.org/show_bug.cgi?id=217061
> >
> > --- Comment #5 from spasswolf@web.de ---
> > This fixes the problem for me in next-20230220
> >
> > diff --git a/mm/mprotect.c b/mm/mprotect.c
> > index 1d4843c97c2a..f70f9a7b545e 100644
> > --- a/mm/mprotect.c
> > +++ b/mm/mprotect.c
> > @@ -832,6 +832,7 @@ static int do_mprotect_pkey(unsigned long
> > start, size_t
> > len,
> >  if (error)
> >  break;
> >
> > + tmp = prev->vm_end;
> >  nstart = tmp;
> >  prot = reqprot;
> >  }
> >
> > Next I'll try to construct a simpler testcase without steam and
> > stellaris.
>
> Thanks for figuring this out.
>
> Liam, this has been bisected to 2286a6914c776e ("mm: change
> mprotect_fixup to vma iterator"). Please take a look?
>

While I still don't have a simple example for this bug I can at least explain what it takes to trigger it:

The memory area for which mprotect is called must have (at least) 3 vm_area_structs, of which the first two must be mergeable. Then the following happens in the for_each_vma_range loop inside do_mprotect_pkey:

At the beginning of the loop vma points to the first vm_area_struct. Then mprotect_fixup is called and merges our first two vm_area_structs, but tmp still points to the beginning of the second vm_area_struct. At the beginning of the next iteration vma already points to the third vm_area_struct, and so the check vma->vm_start != tmp gives a false error.

Setting tmp=prev->vm_end after mprotect_fixup sets tmp to the beginning of the next unprocessed vma and fixes this error.
* Bert Karwatzki <spasswolf@web.de> [230223 15:36]:
> On Thursday, 23.02.2023 at 12:04 -0800, Andrew Morton wrote:
> > (switched to email. Please respond via emailed reply-to-all, not via
> > the
> > bugzilla web interface).
> >
> > On Wed, 22 Feb 2023 18:27:37 +0000 bugzilla-daemon@kernel.org wrote:
> >
> > > https://bugzilla.kernel.org/show_bug.cgi?id=217061
> > >
> > > --- Comment #5 from spasswolf@web.de ---
> > > This fixes the problem for me in next-20230220
> > >
> > > diff --git a/mm/mprotect.c b/mm/mprotect.c
> > > index 1d4843c97c2a..f70f9a7b545e 100644
> > > --- a/mm/mprotect.c
> > > +++ b/mm/mprotect.c
> > > @@ -832,6 +832,7 @@ static int do_mprotect_pkey(unsigned long
> > > start, size_t
> > > len,
> > >  if (error)
> > >  break;
> > >
> > > + tmp = prev->vm_end;
> > >  nstart = tmp;
> > >  prot = reqprot;
> > >  }
> > >
> > > Next I'll try to construct a simpler testcase without steam and
> > > stellaris.
> >
> > Thanks for figuring this out.
> >
> > Liam, this has been bisected to 2286a6914c776e ("mm: change
> > mprotect_fixup to vma iterator"). Please take a look?
> >
> While I still don't have a simple example for this bug I can at least
> explain what it takes to trigger it:
> The memory area for which mprotect is called must have (at least) 3
> vm_area_structs, of which the first two must be mergeable. Then the
> following happens in the for_each_vma_range loop inside
> do_mprotect_pkey:
> At the beginning of the loop vma points to the first vm_area_struct.
> Then mprotect_fixup is called and merges our first two vm_area_structs,
> but tmp still points to the beginning of the second vm_area_struct. At
> the beginning of the next iteration vma already points to the third
> vm_area_struct, and so the check vma->vm_start != tmp gives a false
> error.
> Setting tmp=prev->vm_end after mprotect_fixup sets tmp to the
> beginning of the next unprocessed vma and fixes this error.
>

Thank you for the analysis.

Just for clarity, tmp is used to ensure there isn't a hole in the range we are iterating over. I don't particularly like how this was done, but I tried (unsuccessfully) not to break it.

It looks like I've missed the case where a merge succeeds and so tmp is now out of sync with the iterator.

I would change this tmp = prev->vm_end idea slightly and use the vma iterator end location:

tmp = vma_iter_end(&vmi);

I'll send out a patch once I test this.

Thanks,
Liam
...
>
> Just for clarity, tmp is used to ensure there isn't a hole in the range
> we are iterating over. I don't particularly like how this was done, but
> I tried (unsuccessfully) not to break it.
>
> It looks like I've missed the case where a merge succeeds and so tmp is
> now out of sync with the iterator.
>
> I would change this tmp = prev->vm_end idea slightly and use the vma
> iterator end location:
>
> tmp = vma_iter_end(&vmi);
>
> I'll send out a patch once I test this.

The patch has been sent out and I've submitted my testing to LTP:
https://github.com/linux-test-project/ltp/commit/3cbaaddf6f785d91aeb370beb75d0623f8c48624

The testcase is mprotect05

Thanks,
Liam