On 03/23/2017 10:25 AM, Mike Kravetz wrote:
> On 03/23/2017 03:19 AM, Dmitry Vyukov wrote:
>> Hello,
>>
>> I've got the following BUG while running syzkaller fuzzer.
>> Note the injected kmalloc failure, most likely it's the root cause.
>
> Thanks Dmitry,
>
> The BUG indicates someone called region_chg() in the process of adding
> a hugetlbfs page reservation, but did not complete this 'two step'
> process with a call to region_add() or region_abort(). Most likely a
> missed call in an error path somewhere. :(
>
> I'll try to track this down. The hint of 'injected kmalloc failure'
> should help.
Actually, in this case I believe the bug is in hugetlb_reserve_pages. It calls
region_chg(), but gets an error due to the injected kmalloc failure. At this
point, the resv_map->adds_in_progress is 0 as it should be. However, the error
path for hugetlb_reserve_pages calls region_abort() which will unconditionally
decrement adds_in_progress. So, adds_in_progress goes negative and we
eventually BUG. :(

I'll look for other misuses of region_chg()/region_add()/region_abort() and
put together a patch.

Dmitry, is there some way to run the fuzzer with kmalloc failure injection and
target the hugetlbfs code? I suspect we could flush out other bugs. I noticed
one other you discovered, and will look at that next.

--
Mike Kravetz
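The unbalanced two-step bookkeeping described in the thread, as an added toy model (not the kernel's code, and not from either correspondent): `model_region_chg()` only increments `adds_in_progress` when it succeeds, so an error path that calls the abort step after a failed change step drives the counter negative, which is what the kernel's BUG check catches. All `model_*` names, `buggy_reserve()` and `fixed_reserve()` are constructed for illustration; only the chg/add/abort shape and the `adds_in_progress` counter follow the mail.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the reservation bookkeeping discussed in the thread.
 * Names are hypothetical (model_*); only the two-step protocol and the
 * adds_in_progress counter mirror the description in the mail. */
struct model_resv_map {
    int adds_in_progress;   /* adds prepared by chg but not yet added/aborted */
};

/* Step 1: prepare an add. Returns -ENOMEM when the simulated allocation
 * fails; in that case the counter is NOT incremented, like an injected
 * kmalloc failure inside region_chg(). */
static int model_region_chg(struct model_resv_map *map, bool inject_alloc_failure)
{
    if (inject_alloc_failure)
        return -ENOMEM;
    map->adds_in_progress++;
    return 0;
}

/* Step 2a: complete the add; balances a successful model_region_chg(). */
static void model_region_add(struct model_resv_map *map)
{
    map->adds_in_progress--;
}

/* Step 2b: cancel the add; also balances a successful model_region_chg(). */
static void model_region_abort(struct model_resv_map *map)
{
    map->adds_in_progress--;
}

/* The invariant the kernel's BUG enforces: the counter never goes negative. */
static bool model_counter_sane(const struct model_resv_map *map)
{
    return map->adds_in_progress >= 0;
}

/* Error path as described in the thread: abort is called even though chg
 * failed, so a decrement happens with no matching increment.
 * Returns the resulting adds_in_progress value. */
static int buggy_reserve(struct model_resv_map *map, bool inject_alloc_failure)
{
    int chg = model_region_chg(map, inject_alloc_failure);
    if (chg < 0) {
        model_region_abort(map);        /* BUG: nothing was started */
        return map->adds_in_progress;
    }
    model_region_add(map);
    return map->adds_in_progress;
}

/* Corrected error path: abort is only reachable after chg succeeded, so
 * every decrement is paired with an increment. later_failure models an
 * error that occurs after chg but before add. */
static int fixed_reserve(struct model_resv_map *map, bool inject_alloc_failure,
                         bool later_failure)
{
    int chg = model_region_chg(map, inject_alloc_failure);
    if (chg < 0)
        return map->adds_in_progress;   /* chg did not start an add */
    if (later_failure) {
        model_region_abort(map);        /* balanced: chg succeeded */
        return map->adds_in_progress;
    }
    model_region_add(map);
    return map->adds_in_progress;
}

int main(void)
{
    struct model_resv_map a = { 0 }, b = { 0 };
    buggy_reserve(&a, true);
    fixed_reserve(&b, true, false);
    printf("buggy: adds_in_progress=%d sane=%d\n",
           a.adds_in_progress, model_counter_sane(&a));
    printf("fixed: adds_in_progress=%d sane=%d\n",
           b.adds_in_progress, model_counter_sane(&b));
    return 0;
}
```

The model is deliberately minimal: the only thing that matters for the bug class is that the cleanup step may run solely for a preparation step that actually took effect, which is the pairing a reviewer checks on every error exit of a function that uses such a protocol.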