Re: [syzbot] BUG: unable to handle kernel paging request in percpu_counter_add_batch

From: Mark Rutland
Date: Fri Oct 21 2022 - 05:57:28 EST


On Thu, Oct 20, 2022 at 07:44:27PM -0700, Andrew Morton wrote:
> On Thu, 20 Oct 2022 19:24:40 -0700 syzbot <syzbot+96e659d35b9d6b541152@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

> Well. freeque() messes with ns->percpu_msg_hdrs but msg_exit_ns()
> already did percpu_counter_destroy(&ns->percpu_msg_hdrs);
>
> I'm thinking something like this?
>
> --- a/ipc/msg.c~a
> +++ a/ipc/msg.c
> @@ -1329,11 +1329,11 @@ fail_msg_bytes:
> #ifdef CONFIG_IPC_NS
> void msg_exit_ns(struct ipc_namespace *ns)
> {
> - percpu_counter_destroy(&ns->percpu_msg_bytes);
> - percpu_counter_destroy(&ns->percpu_msg_hdrs);
> free_ipcs(ns, &msg_ids(ns), freeque);
> idr_destroy(&ns->ids[IPC_MSG_IDS].ipcs_idr);
> rhashtable_destroy(&ns->ids[IPC_MSG_IDS].key_ht);
> + percpu_counter_destroy(&ns->percpu_msg_bytes);
> + percpu_counter_destroy(&ns->percpu_msg_hdrs);
> }
> #endif
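Review bot: The new position of the two percpu_counter_destroy() calls at the end of msg_exit_ns() encodes an ordering requirement that nothing in the function states, so a later cleanup could move them back above free_ipcs() and reintroduce the fault. A short comment above them would help, for example "freeque() still updates the percpu counters, so destroy them only after free_ipcs()". As posted, the patch also has no changelog or Signed-off-by, and a formal submission would want both, along with the syzbot Reported-by tag.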

That seems to fix the issue for me, testing with the reproducer in my prior
reply. Previously that would trigger within seconds, and with the above applied
I couldn't get it to trigger after 15+ minutes of repeated test runs.

FWIW:

Tested-by: Mark Rutland <mark.rutland@xxxxxxx>

Thanks,
Mark.