[syzbot] [mm?] BUG: Bad page map (8)

syzbot

Jul 18, 2024, 6:51:28 PM
to ak...@linux-foundation.org, hu...@google.com, linux-...@vger.kernel.org, linu...@kvack.org, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 4d145e3f830b Merge tag 'i2c-for-6.10-rc8' of git://git.ker..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11321495980000
kernel config: https://syzkaller.appspot.com/x/.config?x=6b5a15443200e31
dashboard link: https://syzkaller.appspot.com/bug?extid=ec4b7d82bb051330f15a
compiler: aarch64-linux-gnu-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=113e054e980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1366ab85980000

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/384ffdcca292/non_bootable_disk-4d145e3f.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/28dead26b828/vmlinux-4d145e3f.xz
kernel image: https://storage.googleapis.com/syzbot-assets/079a7ff04a12/Image-4d145e3f.gz.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ec4b7d...@syzkaller.appspotmail.com

BUG: Bad page cache in process syz-executor356 pfn:ba081
page: refcount:4 mapcount:1 mapping:000000000e551739 index:0x0 pfn:0xba081
memcg:f7f0000002c3a000
aops:shmem_aops ino:3
flags: 0x1ffc0000004002d(locked|referenced|uptodate|lru|swapbacked|node=0|zone=0|lastcpupid=0x7ff|kasantag=0x0)
raw: 01ffc0000004002d ffffc1ffc01cd7c8 ffffc1ffc1e86288 f9f000000749ba50
raw: 0000000000000000 0000000000000000 0000000400000000 f7f0000002c3a000
page dumped because: still mapped when deleted
CPU: 0 PID: 3196 Comm: syz-executor356 Not tainted 6.10.0-rc7-syzkaller-00266-g4d145e3f830b #0
Hardware name: linux,dummy-virt (DT)
Call trace:
dump_backtrace+0x94/0xec arch/arm64/kernel/stacktrace.c:317
show_stack+0x18/0x24 arch/arm64/kernel/stacktrace.c:324
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x78/0x90 lib/dump_stack.c:114
dump_stack+0x18/0x24 lib/dump_stack.c:123
filemap_unaccount_folio+0x118/0x278 mm/filemap.c:167
__filemap_remove_folio+0x3c/0x178 mm/filemap.c:231
filemap_remove_folio+0x48/0xa8 mm/filemap.c:264
truncate_inode_folio+0x30/0x4c mm/truncate.c:195
shmem_undo_range+0x208/0x620 mm/shmem.c:1012
shmem_truncate_range mm/shmem.c:1125 [inline]
shmem_evict_inode+0x130/0x2dc mm/shmem.c:1253
evict+0xb4/0x198 fs/inode.c:667
iput_final fs/inode.c:1741 [inline]
iput fs/inode.c:1767 [inline]
iput+0x100/0x1b8 fs/inode.c:1753
dentry_unlink_inode+0xc0/0x188 fs/dcache.c:404
__dentry_kill+0x7c/0x1d4 fs/dcache.c:607
dput.part.0+0x30/0xbc fs/dcache.c:849
dput+0x4c/0x50 fs/dcache.c:860
__fput+0x110/0x2d4 fs/file_table.c:430
__fput_sync+0x50/0x5c fs/file_table.c:507
__do_sys_close fs/open.c:1563 [inline]
__se_sys_close fs/open.c:1548 [inline]
__arm64_sys_close+0x38/0x7c fs/open.c:1548
__invoke_syscall arch/arm64/kernel/syscall.c:34 [inline]
invoke_syscall+0x48/0x118 arch/arm64/kernel/syscall.c:48
el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:131
do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:150
el0_svc+0x34/0xf8 arch/arm64/kernel/entry-common.c:712
el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:730
el0t_64_sync+0x19c/0x1a0 arch/arm64/kernel/entry.S:598
BUG: Bad page cache in process syz-executor356 pfn:ba18a
page: refcount:4 mapcount:1 mapping:000000000e551739 index:0x1 pfn:0xba18a
memcg:f7f0000002c3a000
aops:shmem_aops ino:3
flags: 0x1ffc0000004002d(locked|referenced|uptodate|lru|swapbacked|node=0|zone=0|lastcpupid=0x7ff|kasantag=0x0)
raw: 01ffc0000004002d ffffc1ffc1e82048 ffffc1ffc028a2c8 f9f000000749ba50
raw: 0000000000000001 0000000000000000 0000000400000000 f7f0000002c3a000
page dumped because: still mapped when deleted
CPU: 0 PID: 3196 Comm: syz-executor356 Tainted: G B 6.10.0-rc7-syzkaller-00266-g4d145e3f830b #0
Hardware name: linux,dummy-virt (DT)
Call trace:
dump_backtrace+0x94/0xec arch/arm64/kernel/stacktrace.c:317
show_stack+0x18/0x24 arch/arm64/kernel/stacktrace.c:324
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x78/0x90 lib/dump_stack.c:114
dump_stack+0x18/0x24 lib/dump_stack.c:123
filemap_unaccount_folio+0x118/0x278 mm/filemap.c:167
__filemap_remove_folio+0x3c/0x178 mm/filemap.c:231
filemap_remove_folio+0x48/0xa8 mm/filemap.c:264
truncate_inode_folio+0x30/0x4c mm/truncate.c:195
shmem_undo_range+0x208/0x620 mm/shmem.c:1012
shmem_truncate_range mm/shmem.c:1125 [inline]
shmem_evict_inode+0x130/0x2dc mm/shmem.c:1253
evict+0xb4/0x198 fs/inode.c:667
iput_final fs/inode.c:1741 [inline]
iput fs/inode.c:1767 [inline]
iput+0x100/0x1b8 fs/inode.c:1753
dentry_unlink_inode+0xc0/0x188 fs/dcache.c:404
__dentry_kill+0x7c/0x1d4 fs/dcache.c:607
dput.part.0+0x30/0xbc fs/dcache.c:849
dput+0x4c/0x50 fs/dcache.c:860
__fput+0x110/0x2d4 fs/file_table.c:430
__fput_sync+0x50/0x5c fs/file_table.c:507
__do_sys_close fs/open.c:1563 [inline]
__se_sys_close fs/open.c:1548 [inline]
__arm64_sys_close+0x38/0x7c fs/open.c:1548
__invoke_syscall arch/arm64/kernel/syscall.c:34 [inline]
invoke_syscall+0x48/0x118 arch/arm64/kernel/syscall.c:48
el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:131
do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:150
el0_svc+0x34/0xf8 arch/arm64/kernel/entry-common.c:712
el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:730
el0t_64_sync+0x19c/0x1a0 arch/arm64/kernel/entry.S:598
BUG: Bad page map in process syz-executor356 pte:600000ba0818c3 pmd:800000047670003
page: refcount:1 mapcount:-1 mapping:0000000000000000 index:0x0 pfn:0xba081
memcg:f7f0000002c3a000
flags: 0x1ffc0000004002c(referenced|uptodate|lru|swapbacked|node=0|zone=0|lastcpupid=0x7ff|kasantag=0x0)
raw: 01ffc0000004002c ffffc1ffc028c708 ffffc1ffc1e86288 0000000000000000
raw: 0000000000000000 0000000000000000 00000001fffffffe f7f0000002c3a000
page dumped because: bad pte
addr:00000000209a0000 vm_flags:400000f9 anon_vma:0000000000000000 mapping:f3f0000006dcee48 index:0
file:dmabuf fault:udmabuf_vm_fault mmap:dma_buf_mmap_internal read_folio:0x0
CPU: 0 PID: 3196 Comm: syz-executor356 Tainted: G B 6.10.0-rc7-syzkaller-00266-g4d145e3f830b #0
Hardware name: linux,dummy-virt (DT)
Call trace:
dump_backtrace+0x94/0xec arch/arm64/kernel/stacktrace.c:317
show_stack+0x18/0x24 arch/arm64/kernel/stacktrace.c:324
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x78/0x90 lib/dump_stack.c:114
dump_stack+0x18/0x24 lib/dump_stack.c:123
print_bad_pte+0x1c8/0x258 mm/memory.c:538
zap_present_folio_ptes mm/memory.c:1508 [inline]
zap_present_ptes mm/memory.c:1564 [inline]
zap_pte_range mm/memory.c:1606 [inline]
zap_pmd_range mm/memory.c:1724 [inline]
zap_pud_range mm/memory.c:1753 [inline]
zap_p4d_range mm/memory.c:1774 [inline]
unmap_page_range+0x904/0x1190 mm/memory.c:1795
unmap_single_vma.constprop.0+0x4c/0x84 mm/memory.c:1841
unmap_vmas+0x7c/0x170 mm/memory.c:1885
exit_mmap+0xc0/0x288 mm/mmap.c:3341
__mmput+0x3c/0x170 kernel/fork.c:1346
mmput+0x50/0x5c kernel/fork.c:1368
exit_mm kernel/exit.c:567 [inline]
do_exit+0x270/0x98c kernel/exit.c:863
do_group_exit+0x34/0x90 kernel/exit.c:1025
__do_sys_exit_group kernel/exit.c:1036 [inline]
__se_sys_exit_group kernel/exit.c:1034 [inline]
pid_child_should_wake+0x0/0x5c kernel/exit.c:1034
__invoke_syscall arch/arm64/kernel/syscall.c:34 [inline]
invoke_syscall+0x48/0x118 arch/arm64/kernel/syscall.c:48
el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:131
do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:150
el0_svc+0x34/0xf8 arch/arm64/kernel/entry-common.c:712
el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:730
el0t_64_sync+0x19c/0x1a0 arch/arm64/kernel/entry.S:598
BUG: Bad page map in process syz-executor356 pte:600000ba18a8c3 pmd:800000047670003
page: refcount:1 mapcount:-1 mapping:0000000000000000 index:0x1 pfn:0xba18a
memcg:f7f0000002c3a000
flags: 0x1ffc0000004002c(referenced|uptodate|lru|swapbacked|node=0|zone=0|lastcpupid=0x7ff|kasantag=0x0)
raw: 01ffc0000004002c ffffc1ffc1e82048 ffffc1ffc028a2c8 0000000000000000
raw: 0000000000000001 0000000000000000 00000001fffffffe f7f0000002c3a000
page dumped because: bad pte
addr:00000000209a1000 vm_flags:400000f9 anon_vma:0000000000000000 mapping:f3f0000006dcee48 index:1
file:dmabuf fault:udmabuf_vm_fault mmap:dma_buf_mmap_internal read_folio:0x0
CPU: 0 PID: 3196 Comm: syz-executor356 Tainted: G B 6.10.0-rc7-syzkaller-00266-g4d145e3f830b #0
Hardware name: linux,dummy-virt (DT)
Call trace:
dump_backtrace+0x94/0xec arch/arm64/kernel/stacktrace.c:317
show_stack+0x18/0x24 arch/arm64/kernel/stacktrace.c:324
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x78/0x90 lib/dump_stack.c:114
dump_stack+0x18/0x24 lib/dump_stack.c:123
print_bad_pte+0x1c8/0x258 mm/memory.c:538
zap_present_folio_ptes mm/memory.c:1508 [inline]
zap_present_ptes mm/memory.c:1564 [inline]
zap_pte_range mm/memory.c:1606 [inline]
zap_pmd_range mm/memory.c:1724 [inline]
zap_pud_range mm/memory.c:1753 [inline]
zap_p4d_range mm/memory.c:1774 [inline]
unmap_page_range+0x904/0x1190 mm/memory.c:1795
unmap_single_vma.constprop.0+0x4c/0x84 mm/memory.c:1841
unmap_vmas+0x7c/0x170 mm/memory.c:1885
exit_mmap+0xc0/0x288 mm/mmap.c:3341
__mmput+0x3c/0x170 kernel/fork.c:1346
mmput+0x50/0x5c kernel/fork.c:1368
exit_mm kernel/exit.c:567 [inline]
do_exit+0x270/0x98c kernel/exit.c:863
do_group_exit+0x34/0x90 kernel/exit.c:1025
__do_sys_exit_group kernel/exit.c:1036 [inline]
__se_sys_exit_group kernel/exit.c:1034 [inline]
pid_child_should_wake+0x0/0x5c kernel/exit.c:1034
__invoke_syscall arch/arm64/kernel/syscall.c:34 [inline]
invoke_syscall+0x48/0x118 arch/arm64/kernel/syscall.c:48
el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:131
do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:150
el0_svc+0x34/0xf8 arch/arm64/kernel/entry-common.c:712
el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:730
el0t_64_sync+0x19c/0x1a0 arch/arm64/kernel/entry.S:598
BUG: Bad page state in process syz-executor356 pfn:ba081
page: refcount:0 mapcount:-1 mapping:0000000000000000 index:0x0 pfn:0xba081
flags: 0x1ffc0000004000c(referenced|uptodate|swapbacked|node=0|zone=0|lastcpupid=0x7ff|kasantag=0x0)
raw: 01ffc0000004000c dead000000000100 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000000fffffffe 0000000000000000
page dumped because: nonzero mapcount
Modules linked in:
CPU: 0 PID: 3196 Comm: syz-executor356 Tainted: G B 6.10.0-rc7-syzkaller-00266-g4d145e3f830b #0
Hardware name: linux,dummy-virt (DT)
Call trace:
dump_backtrace+0x94/0xec arch/arm64/kernel/stacktrace.c:317
show_stack+0x18/0x24 arch/arm64/kernel/stacktrace.c:324
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x78/0x90 lib/dump_stack.c:114
dump_stack+0x18/0x24 lib/dump_stack.c:123
bad_page+0x84/0x11c mm/page_alloc.c:498
free_page_is_bad_report+0x98/0xa4 mm/page_alloc.c:904
free_page_is_bad mm/page_alloc.c:914 [inline]
free_pages_prepare mm/page_alloc.c:1085 [inline]
free_unref_folios+0x4c0/0x624 mm/page_alloc.c:2637
folios_put_refs+0x108/0x284 mm/swap.c:1024
free_pages_and_swap_cache+0x14c/0x164 mm/swap_state.c:332
__tlb_batch_free_encoded_pages+0x4c/0xdc mm/mmu_gather.c:136
tlb_batch_pages_flush mm/mmu_gather.c:149 [inline]
tlb_flush_mmu_free mm/mmu_gather.c:366 [inline]
tlb_flush_mmu mm/mmu_gather.c:373 [inline]
tlb_finish_mmu+0x84/0x200 mm/mmu_gather.c:465
exit_mmap+0x13c/0x288 mm/mmap.c:3354
__mmput+0x3c/0x170 kernel/fork.c:1346
mmput+0x50/0x5c kernel/fork.c:1368
exit_mm kernel/exit.c:567 [inline]
do_exit+0x270/0x98c kernel/exit.c:863
do_group_exit+0x34/0x90 kernel/exit.c:1025
__do_sys_exit_group kernel/exit.c:1036 [inline]
__se_sys_exit_group kernel/exit.c:1034 [inline]
pid_child_should_wake+0x0/0x5c kernel/exit.c:1034
__invoke_syscall arch/arm64/kernel/syscall.c:34 [inline]
invoke_syscall+0x48/0x118 arch/arm64/kernel/syscall.c:48
el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:131
do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:150
el0_svc+0x34/0xf8 arch/arm64/kernel/entry-common.c:712
el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:730
el0t_64_sync+0x19c/0x1a0 arch/arm64/kernel/entry.S:598
BUG: Bad page state in process syz-executor356 pfn:ba18a
page: refcount:0 mapcount:-1 mapping:0000000000000000 index:0x1 pfn:0xba18a
flags: 0x1ffc0000004000c(referenced|uptodate|swapbacked|node=0|zone=0|lastcpupid=0x7ff|kasantag=0x0)
raw: 01ffc0000004000c dead000000000100 dead000000000122 0000000000000000
raw: 0000000000000001 0000000000000000 00000000fffffffe 0000000000000000
page dumped because: nonzero mapcount
Modules linked in:
CPU: 0 PID: 3196 Comm: syz-executor356 Tainted: G B 6.10.0-rc7-syzkaller-00266-g4d145e3f830b #0
Hardware name: linux,dummy-virt (DT)
Call trace:
dump_backtrace+0x94/0xec arch/arm64/kernel/stacktrace.c:317
show_stack+0x18/0x24 arch/arm64/kernel/stacktrace.c:324
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x78/0x90 lib/dump_stack.c:114
dump_stack+0x18/0x24 lib/dump_stack.c:123
bad_page+0x84/0x11c mm/page_alloc.c:498
free_page_is_bad_report+0x98/0xa4 mm/page_alloc.c:904
free_page_is_bad mm/page_alloc.c:914 [inline]
free_pages_prepare mm/page_alloc.c:1085 [inline]
free_unref_folios+0x4c0/0x624 mm/page_alloc.c:2637
folios_put_refs+0x108/0x284 mm/swap.c:1024
free_pages_and_swap_cache+0x14c/0x164 mm/swap_state.c:332
__tlb_batch_free_encoded_pages+0x4c/0xdc mm/mmu_gather.c:136
tlb_batch_pages_flush mm/mmu_gather.c:149 [inline]
tlb_flush_mmu_free mm/mmu_gather.c:366 [inline]
tlb_flush_mmu mm/mmu_gather.c:373 [inline]
tlb_finish_mmu+0x84/0x200 mm/mmu_gather.c:465
exit_mmap+0x13c/0x288 mm/mmap.c:3354
__mmput+0x3c/0x170 kernel/fork.c:1346
mmput+0x50/0x5c kernel/fork.c:1368
exit_mm kernel/exit.c:567 [inline]
do_exit+0x270/0x98c kernel/exit.c:863
do_group_exit+0x34/0x90 kernel/exit.c:1025
__do_sys_exit_group kernel/exit.c:1036 [inline]
__se_sys_exit_group kernel/exit.c:1034 [inline]
pid_child_should_wake+0x0/0x5c kernel/exit.c:1034
__invoke_syscall arch/arm64/kernel/syscall.c:34 [inline]
invoke_syscall+0x48/0x118 arch/arm64/kernel/syscall.c:48
el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:131
do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:150
el0_svc+0x34/0xf8 arch/arm64/kernel/entry-common.c:712
el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:730
el0t_64_sync+0x19c/0x1a0 arch/arm64/kernel/entry.S:598


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Hillf Danton

Jul 19, 2024, 7:07:25 AM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Thu, 18 Jul 2024 15:51:26 -0700
> syzbot found the following issue on:
>
> HEAD commit: 4d145e3f830b Merge tag 'i2c-for-6.10-rc8' of git://git.ker..
> git tree: upstream
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1366ab85980000

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 4d145e3f830b

--- x/include/linux/rmap.h
+++ y/include/linux/rmap.h
@@ -327,6 +327,7 @@ static __always_inline void __folio_dup_

switch (level) {
case RMAP_LEVEL_PTE:
+ BUG_ON(atomic_read(&page->_mapcount) < 0);
if (!folio_test_large(folio)) {
atomic_inc(&page->_mapcount);
break;
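Review bot: the assertion sits before `if (!folio_test_large(folio))`, so it inspects only the first `page` of the range; whatever the large-folio branch does with the remaining subpages is never checked. The invariant itself is sound for this path (a page whose mapping is being duplicated is expected to be mapped already, so `_mapcount >= 0`), which is not the case for the add path in the mm/rmap.c hunk below, where -1 is the legal starting value.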
@@ -419,6 +420,7 @@ static __always_inline int __folio_try_d
return -EBUSY;
}

+ BUG_ON(atomic_read(&page->_mapcount) < 0);
if (!folio_test_large(folio)) {
if (PageAnonExclusive(page))
ClearPageAnonExclusive(page);
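Review bot: this function already has an error path (`return -EBUSY;` just above), so a `WARN_ON_ONCE` paired with the existing error return would record the stack without taking the whole test VM down on the first hit; a `BUG_ON` yields at most one data point per syzbot run. The same first-subpage-only caveat as the rmap.h hunk above applies: the check runs before the large-folio branch.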
--- x/mm/rmap.c
+++ y/mm/rmap.c
@@ -1149,6 +1149,7 @@ static __always_inline unsigned int __fo

switch (level) {
case RMAP_LEVEL_PTE:
+ BUG_ON(atomic_read(&page->_mapcount) < 0);
if (!folio_test_large(folio)) {
nr = atomic_inc_and_test(&page->_mapcount);
break;
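Review bot: this assertion fires on every first mapping of a page, which is why the syzbot test below crashed during boot with `kernel BUG at mm/rmap.c:1152` (the patched line number of this `BUG_ON`) before any reproducer ran. A page that is mapped nowhere has `_mapcount == -1` by design, and the very next line, `nr = atomic_inc_and_test(&page->_mapcount);`, relies on the -1 -> 0 transition to detect the first mapping. To reject only a genuine underflow, test for a value below the sentinel, e.g. `BUG_ON(atomic_read(&page->_mapcount) < -1);`.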
@@ -1503,6 +1504,7 @@ static __always_inline void __folio_remo

switch (level) {
case RMAP_LEVEL_PTE:
+ BUG_ON(atomic_read(&page->_mapcount) < 0);
if (!folio_test_large(folio)) {
nr = atomic_add_negative(-1, &page->_mapcount);
break;
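Review bot: in the remove path the pre-decrement check is consistent with the invariant (a page still mapped has `_mapcount >= 0`), so it would catch a second unmap of an already-unmapped page, which is what the report's `mapcount:-1` dumps suggest. Note that `nr = atomic_add_negative(-1, &page->_mapcount);` on the next line also returns true for the -1 -> -2 transition, so without this check the extra unmap is indistinguishable from the last legitimate one and only surfaces later as "nonzero mapcount" at free time. Consider `WARN_ON_ONCE` here as well so the VM survives long enough to report more than one occurrence.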
--

David Hildenbrand

Jul 19, 2024, 7:21:36 AM
to syzbot, ak...@linux-foundation.org, hu...@google.com, linux-...@vger.kernel.org, linu...@kvack.org, syzkall...@googlegroups.com, Vivek Kasireddy
On 19.07.24 00:51, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 4d145e3f830b Merge tag 'i2c-for-6.10-rc8' of git://git.ker..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=11321495980000
> kernel config: https://syzkaller.appspot.com/x/.config?x=6b5a15443200e31
> dashboard link: https://syzkaller.appspot.com/bug?extid=ec4b7d82bb051330f15a
> compiler: aarch64-linux-gnu-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> userspace arch: arm64
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=113e054e980000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1366ab85980000
>

The reproducer involves udmabuf. I suspect it has to do with it.

But I'm curious, does the reproducer not trigger before 4d145e3f830b on
mainline?

Vivek's changes are not upstream yet, but I can only speculate that we
have some issue similar to the one we had with hugetlb: udmabuf doing
things with memfd/shmem pages that it shouldn't do, because it doesn't
"own" these pages.

"udmabuf: Use vmf_insert_pfn and VM_PFNMAP for handling mmap" might help.

--
Cheers,

David / dhildenb

syzbot

Jul 19, 2024, 7:44:05 AM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

[ 22.160148][ T1] ------------[ cut here ]------------
[ 22.167295][ T1] kernel BUG at mm/rmap.c:1152!
[ 22.168319][ T1] Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
[ 22.169624][ T1] Modules linked in:
[ 22.171306][ T1] CPU: 1 PID: 1 Comm: init Not tainted 6.10.0-rc7-syzkaller-00266-g4d145e3f830b-dirty #0
[ 22.172600][ T1] Hardware name: linux,dummy-virt (DT)
[ 22.173409][ T1] pstate: 01400009 (nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
[ 22.174329][ T1] pc : folio_add_file_rmap_ptes+0x188/0x18c
[ 22.176361][ T1] lr : set_pte_range+0xc8/0x204
[ 22.176910][ T1] sp : ffff80008297bb10
[ 22.177404][ T1] x29: ffff80008297bb10 x28: 0000000000000000 x27: ffffc1ffc009fcc0
[ 22.178589][ T1] x26: 0000000000000000 x25: ffffc1ffc009fcc0 x24: fbf0000003783d80
[ 22.179678][ T1] x23: ffffc1ffc009fcc0 x22: 0000ffff8aaa7000 x21: 0000000000000001
[ 22.180638][ T1] x20: ffff80008297bd08 x19: ffffc1ffc009fcc0 x18: ffffffffffffffff
[ 22.181621][ T1] x17: 0000000000000000 x16: 1e1e000000906d61 x15: 0000000000000001
[ 22.182685][ T1] x14: ffffffffffffffff x13: 0000000000000000 x12: ffff800081e6a3e8
[ 22.183750][ T1] x11: 0000000000000001 x10: fff00000061ad538 x9 : f0f0000004836b00
[ 22.184873][ T1] x8 : 0000000000000010 x7 : 000000000000001f x6 : ffffc1ffc0000000
[ 22.185831][ T1] x5 : 0000000000000000 x4 : 0000ffff8aaa7000 x3 : fbf0000003783d80
[ 22.186755][ T1] x2 : 0000000000000001 x1 : ffffc1ffc009fcc0 x0 : 00000000ffffffff
[ 22.188006][ T1] Call trace:
[ 22.188634][ T1] folio_add_file_rmap_ptes+0x188/0x18c
[ 22.189523][ T1] set_pte_range+0xc8/0x204
[ 22.190194][ T1] filemap_map_pages+0x1c8/0x69c
[ 22.190782][ T1] __handle_mm_fault+0xd20/0x1b30
[ 22.191394][ T1] handle_mm_fault+0x68/0x280
[ 22.191967][ T1] do_page_fault+0xf8/0x480
[ 22.192558][ T1] do_translation_fault+0xac/0xbc
[ 22.193144][ T1] do_mem_abort+0x44/0x94
[ 22.193801][ T1] el0_ia+0xa4/0x118
[ 22.194388][ T1] el0t_64_sync_handler+0xd0/0x12c
[ 22.195034][ T1] el0t_64_sync+0x19c/0x1a0
[ 22.196199][ T1] Code: 52800022 52800241 9401cc4e 17ffffd3 (d4210000)
[ 22.197334][ T1] ---[ end trace 0000000000000000 ]---
[ 22.198247][ T1] Kernel panic - not syncing: Oops - BUG: Fatal exception
[ 22.199304][ T1] SMP: stopping secondary CPUs
[ 22.200826][ T1] Kernel Offset: disabled
[ 22.201438][ T1] CPU features: 0x00,00000006,8f17bd7c,1767f6bf
[ 22.202609][ T1] Memory Limit: none
[ 22.203551][ T1] Rebooting in 86400 seconds..


syzkaller build log:

Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=142afab5980000


Tested on:

commit: 4d145e3f Merge tag 'i2c-for-6.10-rc8' of git://git.ker..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=6b5a15443200e31
dashboard link: https://syzkaller.appspot.com/bug?extid=ec4b7d82bb051330f15a
compiler: aarch64-linux-gnu-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
patch: https://syzkaller.appspot.com/x/patch.diff?x=15d65ab5980000

Hillf Danton

Jul 19, 2024, 9:01:01 AM (8 days ago) Jul 19
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Thu, 18 Jul 2024 15:51:26 -0700
> syzbot found the following issue on:
>
> HEAD commit: 4d145e3f830b Merge tag 'i2c-for-6.10-rc8' of git://git.ker..
> git tree: upstream
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1366ab85980000

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 4d145e3f830b

--- x/include/linux/rmap.h
+++ y/include/linux/rmap.h
@@ -327,6 +327,7 @@ static __always_inline void __folio_dup_

switch (level) {
case RMAP_LEVEL_PTE:
+ BUG_ON(atomic_read(&page->_mapcount) < 0);
if (!folio_test_large(folio)) {
atomic_inc(&page->_mapcount);
break;
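Review bot: the `BUG_ON(atomic_read(&page->_mapcount) < 0)` runs once on `page` before the `folio_test_large()` branch, so for a large folio only its first page is inspected, and as a bare `BUG_ON` in an `__always_inline` header routine it is compiled into every caller and panics production kernels. For a diagnostic test patch `VM_BUG_ON_PAGE(atomic_read(&page->_mapcount) < 0, page)` gives the page dump the investigation needs and stays out of non-debug builds.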
@@ -419,6 +420,7 @@ static __always_inline int __folio_try_d
return -EBUSY;
}

+ BUG_ON(atomic_read(&page->_mapcount) < 0);
if (!folio_test_large(folio)) {
if (PageAnonExclusive(page))
ClearPageAnonExclusive(page);
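Review bot: this `BUG_ON` sits in the anonymous dup path (the lines right after it handle `PageAnonExclusive`), but the folio in the report is shmem-backed (`aops:shmem_aops`), so this hunk cannot be the one that narrows the reported sequence. Either drop it or state in the mail which hypothesis it tests; the patch is posted with no description at all.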
--- x/mm/rmap.c
+++ y/mm/rmap.c
@@ -1149,6 +1149,7 @@ static __always_inline unsigned int __fo

switch (level) {
case RMAP_LEVEL_PTE:
+ BUG_ON(atomic_read(&page->_mapcount) < -1);
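Review bot: the hunk is incomplete: the header `@@ -1149,6 +1149,7 @@` announces seven new-side lines, but only three context lines and the added `BUG_ON` are present, so the patch will not apply as posted. The threshold also differs from the two hunks above (`< -1` here versus `< 0` there); `-1` is the normal `_mapcount` value of an unmapped page, so `< -1` catches an underflow while `< 0` also fires on a page that simply is not mapped yet, and the mail should say which of the two conditions is under test.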

syzbot

Jul 19, 2024, 9:14:07 AM (8 days ago) Jul 19
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: Bad page cache in process syz.NUM.NUM pfn:4a961

BUG: Bad page cache in process syz.0.15 pfn:4a961
page: refcount:4 mapcount:1 mapping:000000007efdb730 index:0x0 pfn:0x4a961
memcg:f8f00000073c6000
aops:shmem_aops ino:401
flags: 0x1ffc0000004002d(locked|referenced|uptodate|lru|swapbacked|node=0|zone=0|lastcpupid=0x7ff|kasantag=0x0)
raw: 01ffc0000004002d ffffc1ffc01bf9c8 ffffc1ffc038adc8 f0f00000061e6ab0
raw: 0000000000000000 0000000000000000 0000000400000000 f8f00000073c6000
page dumped because: still mapped when deleted
CPU: 1 PID: 3851 Comm: syz.0.15 Not tainted 6.10.0-rc7-syzkaller-00266-g4d145e3f830b-dirty #0
Hardware name: linux,dummy-virt (DT)
Call trace:
dump_backtrace+0x94/0xec arch/arm64/kernel/stacktrace.c:317
show_stack+0x18/0x24 arch/arm64/kernel/stacktrace.c:324
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x78/0x90 lib/dump_stack.c:114
dump_stack+0x18/0x24 lib/dump_stack.c:123
filemap_unaccount_folio+0x118/0x278 mm/filemap.c:167
__filemap_remove_folio+0x3c/0x178 mm/filemap.c:231
filemap_remove_folio+0x48/0xa8 mm/filemap.c:264
truncate_inode_folio+0x30/0x4c mm/truncate.c:195
shmem_undo_range+0x208/0x620 mm/shmem.c:1012
shmem_truncate_range mm/shmem.c:1125 [inline]
shmem_evict_inode+0x130/0x2dc mm/shmem.c:1253
evict+0xb4/0x198 fs/inode.c:667
iput_final fs/inode.c:1741 [inline]
iput fs/inode.c:1767 [inline]
iput+0x100/0x1b8 fs/inode.c:1753
dentry_unlink_inode+0xc0/0x188 fs/dcache.c:404
__dentry_kill+0x7c/0x1d4 fs/dcache.c:607
dput.part.0+0x30/0xbc fs/dcache.c:849
dput+0x4c/0x50 fs/dcache.c:860
__fput+0x110/0x2d4 fs/file_table.c:430
____fput+0x10/0x1c fs/file_table.c:450
task_work_run+0x78/0xd0 kernel/task_work.c:180
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
do_notify_resume+0x134/0x164 arch/arm64/kernel/entry-common.c:151
exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:169 [inline]
exit_to_user_mode arch/arm64/kernel/entry-common.c:178 [inline]
el0_svc+0xc8/0xf8 arch/arm64/kernel/entry-common.c:713
el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:730
el0t_64_sync+0x19c/0x1a0 arch/arm64/kernel/entry.S:598
BUG: Bad page cache in process syz.0.15 pfn:4e2b7
page: refcount:4 mapcount:1 mapping:000000007efdb730 index:0x1 pfn:0x4e2b7
memcg:f8f00000073c6000
aops:shmem_aops ino:401
flags: 0x1ffc0000004002d(locked|referenced|uptodate|lru|swapbacked|node=0|zone=0|lastcpupid=0x7ff|kasantag=0x0)
raw: 01ffc0000004002d ffffc1ffc02a5848 ffffc1ffc02d1a88 f0f00000061e6ab0
raw: 0000000000000001 0000000000000000 0000000400000000 f8f00000073c6000
page dumped because: still mapped when deleted
CPU: 1 PID: 3851 Comm: syz.0.15 Tainted: G B 6.10.0-rc7-syzkaller-00266-g4d145e3f830b-dirty #0
Hardware name: linux,dummy-virt (DT)
Call trace:
dump_backtrace+0x94/0xec arch/arm64/kernel/stacktrace.c:317
show_stack+0x18/0x24 arch/arm64/kernel/stacktrace.c:324
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x78/0x90 lib/dump_stack.c:114
dump_stack+0x18/0x24 lib/dump_stack.c:123
filemap_unaccount_folio+0x118/0x278 mm/filemap.c:167
__filemap_remove_folio+0x3c/0x178 mm/filemap.c:231
filemap_remove_folio+0x48/0xa8 mm/filemap.c:264
truncate_inode_folio+0x30/0x4c mm/truncate.c:195
shmem_undo_range+0x208/0x620 mm/shmem.c:1012
shmem_truncate_range mm/shmem.c:1125 [inline]
shmem_evict_inode+0x130/0x2dc mm/shmem.c:1253
evict+0xb4/0x198 fs/inode.c:667
iput_final fs/inode.c:1741 [inline]
iput fs/inode.c:1767 [inline]
iput+0x100/0x1b8 fs/inode.c:1753
dentry_unlink_inode+0xc0/0x188 fs/dcache.c:404
__dentry_kill+0x7c/0x1d4 fs/dcache.c:607
dput.part.0+0x30/0xbc fs/dcache.c:849
dput+0x4c/0x50 fs/dcache.c:860
__fput+0x110/0x2d4 fs/file_table.c:430
____fput+0x10/0x1c fs/file_table.c:450
task_work_run+0x78/0xd0 kernel/task_work.c:180
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
do_notify_resume+0x134/0x164 arch/arm64/kernel/entry-common.c:151
exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:169 [inline]
exit_to_user_mode arch/arm64/kernel/entry-common.c:178 [inline]
el0_svc+0xc8/0xf8 arch/arm64/kernel/entry-common.c:713
el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:730
el0t_64_sync+0x19c/0x1a0 arch/arm64/kernel/entry.S:598


Tested on:

commit: 4d145e3f Merge tag 'i2c-for-6.10-rc8' of git://git.ker..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=14caa0ad980000
kernel config: https://syzkaller.appspot.com/x/.config?x=6b5a15443200e31
dashboard link: https://syzkaller.appspot.com/bug?extid=ec4b7d82bb051330f15a
compiler: aarch64-linux-gnu-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
patch: https://syzkaller.appspot.com/x/patch.diff?x=10541fe1980000

Hillf Danton

Jul 19, 2024, 7:08:43 PM (8 days ago) Jul 19
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Thu, 18 Jul 2024 15:51:26 -0700
> syzbot found the following issue on:
>
> HEAD commit: 4d145e3f830b Merge tag 'i2c-for-6.10-rc8' of git://git.ker..
> git tree: upstream
--- x/mm/truncate.c
+++ y/mm/truncate.c
@@ -192,6 +192,7 @@ int truncate_inode_folio(struct address_
return -EIO;

truncate_cleanup_folio(folio);
+ BUG_ON(folio_mapped(folio));
filemap_remove_folio(folio);
return 0;
}
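Review bot: `BUG_ON(folio_mapped(folio))` right after `truncate_cleanup_folio()` turns the existing "still mapped when deleted" diagnostic that `filemap_remove_folio()` emits further down into an immediate panic, so the run stops before the later "Bad page map" / "Bad page state" reports that show where the stray mapping is actually torn down. `VM_WARN_ON_ONCE_FOLIO(folio_mapped(folio), folio)` would dump the folio at this point and still let the remaining diagnostics run.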
--

syzbot

Jul 19, 2024, 7:21:06 PM (8 days ago) Jul 19
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
kernel BUG in truncate_inode_folio

------------[ cut here ]------------
kernel BUG at mm/truncate.c:195!
Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 3864 Comm: syz.0.15 Not tainted 6.10.0-rc7-syzkaller-00266-g4d145e3f830b-dirty #0
Hardware name: linux,dummy-virt (DT)
pstate: 21400009 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
pc : truncate_inode_folio mm/truncate.c:195 [inline]
pc : truncate_inode_folio+0x70/0x7c mm/truncate.c:189
lr : truncate_inode_folio+0x28/0x7c mm/truncate.c:194
sp : ffff800089763970
x29: ffff800089763970 x28: 0000000000000000 x27: ffffc1ffc01a0e00
x26: 0000000000000000 x25: ffff800089763a28 x24: ffffffffffffffff
x23: ffff800089763a30 x22: 0000000000000000 x21: f7f0000007441b18
x20: f7f0000007441b10 x19: ffffc1ffc01a0e00 x18: 0000000000000000
x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000
x8 : 0000000000000005 x7 : f7f0000007441ba8 x6 : ffff800089763950
x5 : 0000000000000000 x4 : f9f0000005f48410 x3 : f7f0000007441ba8
x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000001
Call trace:
truncate_inode_folio+0x70/0x7c mm/truncate.c:195
shmem_undo_range+0x208/0x620 mm/shmem.c:1012
shmem_truncate_range mm/shmem.c:1125 [inline]
shmem_evict_inode+0x130/0x2dc mm/shmem.c:1253
evict+0xb4/0x198 fs/inode.c:667
iput_final fs/inode.c:1741 [inline]
iput fs/inode.c:1767 [inline]
iput+0x100/0x1b8 fs/inode.c:1753
dentry_unlink_inode+0xc0/0x188 fs/dcache.c:404
__dentry_kill+0x7c/0x1d4 fs/dcache.c:607
dput.part.0+0x30/0xbc fs/dcache.c:849
dput+0x4c/0x50 fs/dcache.c:860
__fput+0x110/0x2d4 fs/file_table.c:430
____fput+0x10/0x1c fs/file_table.c:450
task_work_run+0x78/0xd0 kernel/task_work.c:180
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
do_notify_resume+0x134/0x164 arch/arm64/kernel/entry-common.c:151
exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:169 [inline]
exit_to_user_mode arch/arm64/kernel/entry-common.c:178 [inline]
el0_svc+0xc8/0xf8 arch/arm64/kernel/entry-common.c:713
el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:730
el0t_64_sync+0x19c/0x1a0 arch/arm64/kernel/entry.S:598
Code: b9405260 11000400 7100001f 54fffecd (d4210000)
---[ end trace 0000000000000000 ]---


Tested on:

commit: 4d145e3f Merge tag 'i2c-for-6.10-rc8' of git://git.ker..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=15ef360d980000
kernel config: https://syzkaller.appspot.com/x/.config?x=6b5a15443200e31
dashboard link: https://syzkaller.appspot.com/bug?extid=ec4b7d82bb051330f15a
compiler: aarch64-linux-gnu-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
patch: https://syzkaller.appspot.com/x/patch.diff?x=16d7443d980000

Hillf Danton

Jul 20, 2024, 1:02:38 AM (7 days ago) Jul 20
to David Hildenbrand, syzbot, hu...@google.com, linux-...@vger.kernel.org, linu...@kvack.org, syzkall...@googlegroups.com, Matthew Wilcox, Vivek Kasireddy
On Fri, 19 Jul 2024 13:21:30 +0200 David Hildenbrand <da...@redhat.com>
cpu1                                  cpu2
---                                   ---
evict()                               find folio2 in page cache
  truncate_inode_folio()
    truncate_cleanup_folio();
      // unmap folio2 from mmA
      unmap_mapping_folio(folio2);
                                      mmap folio2 to mmB
    filemap_remove_folio(folio2);


If the window exists for mapping folio to userspace while inode is evicted,
is this report false positive?

Kasireddy, Vivek

Jul 20, 2024, 2:30:59 AM (7 days ago) Jul 20
to Hillf Danton, David Hildenbrand, syzbot, hu...@google.com, linux-...@vger.kernel.org, linu...@kvack.org, syzkall...@googlegroups.com, Matthew Wilcox
Hi Hillf, David,

>
> On Fri, 19 Jul 2024 13:21:30 +0200 David Hildenbrand <da...@redhat.com>
> > On 19.07.24 00:51, syzbot wrote:
> > > Hello,
> > >
> > > syzbot found the following issue on:
> > >
> > > HEAD commit: 4d145e3f830b Merge tag 'i2c-for-6.10-rc8' of git://git.ker..
> > > git tree: upstream
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=11321495980000
> > > kernel config: https://syzkaller.appspot.com/x/.config?x=6b5a15443200e31
> > > dashboard link:
> https://syzkaller.appspot.com/bug?extid=ec4b7d82bb051330f15a
> > > compiler: aarch64-linux-gnu-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU
> Binutils for Debian) 2.40
> > > userspace arch: arm64
> > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=113e054e980000
> > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1366ab85980000
> > >
> >
> > The reproducer involves udmabuf. I suspect it has to do with it.
> >
> > But I'm curious, does the reproducer not trigger before 4d145e3f830b on
> > mainline?
> >
> > Vivek's changes are not upstream yet, but I can only speculate that we
> > have some issue similar to the one we had with hugetlb: udmabuf doing
> > things with memfd/shmem pages that it shouldn't do, because it doesn't
> > "own" these pages.
> >
> > "udmabuf: Use vmf_insert_pfn and VM_PFNMAP for handling mmap" might
> help.
Thank you for taking a look. The above patch or other associated patches may be
fixing this bug as I cannot reproduce this issue with a few weeks old mm-unstable.

>
> cpu1                                  cpu2
> ---                                   ---
> evict()                               find folio2 in page cache
>   truncate_inode_folio()
>     truncate_cleanup_folio();
>       // unmap folio2 from mmA
>       unmap_mapping_folio(folio2);
>                                       mmap folio2 to mmB
>     filemap_remove_folio(folio2);
>
>
> If the window exists for mapping folio to userspace while inode is evicted,
> is this report false positive?
Yeah, this situation is possible as udmabuf currently does not handle truncation
or hole punch of the memfd after a dmabuf is created. I have tried addressing this
issue some time ago but the solution was not elegant. Need to revisit this when
time permits.

Thanks,
Vivek




Kasireddy, Vivek

Jul 20, 2024, 2:32:37 AM (7 days ago) Jul 20
to syzbot, ak...@linux-foundation.org, hu...@google.com, linux-...@vger.kernel.org, linu...@kvack.org, syzkall...@googlegroups.com
#syz test: https://gitlab.freedesktop.org/Vivek/drm-tip.git syzbot_fix_remove_inode


syzbot

Jul 20, 2024, 3:01:06 AM (7 days ago) Jul 20
to ak...@linux-foundation.org, hu...@google.com, linux-...@vger.kernel.org, linu...@kvack.org, syzkall...@googlegroups.com, vivek.k...@intel.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+ec4b7d...@syzkaller.appspotmail.com
Tested-by: syzbot+ec4b7d...@syzkaller.appspotmail.com

Tested on:

commit: 581a87b1 fixup! mm/gup: introduce memfd_pin_folios() f..
git tree: https://gitlab.freedesktop.org/Vivek/drm-tip.git syzbot_fix_remove_inode
console output: https://syzkaller.appspot.com/x/log.txt?x=142f1179980000
kernel config: https://syzkaller.appspot.com/x/.config?x=16fdddce5d38a1c8
dashboard link: https://syzkaller.appspot.com/bug?extid=ec4b7d82bb051330f15a
compiler: aarch64-linux-gnu-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64

Note: no patches were applied.
Note: testing is done by a robot and is best-effort only.

David Hildenbrand

Jul 22, 2024, 9:23:57 AM (5 days ago) Jul 22
to Hillf Danton, syzbot, hu...@google.com, linux-...@vger.kernel.org, linu...@kvack.org, syzkall...@googlegroups.com, Matthew Wilcox, Vivek Kasireddy
I think what happens here is that filemap_unaccount_folio() will force
the mapcount to be logically 0 (value -1).

And if we then actually go ahead and unmap that folio from our udmabuf
page tables, we will let it go negative (and also free up the refcount
too early) resulting in all kinds of issues.

filemap_unaccount_folio() was written under the assumption that the
mapcount will only get modified when we map something via the pagecache,
not when some other code (udmabuf) looked up something from the
pagecache and then maps it to user space itself.

"Fortunately", the issue only exists with CONFIG_DEBUG_VM.

The right fix is probably to stop udmabuf from touching the mapcount
(use a PFNMAP as that patch does). Another fix would be removing that
debugging code from filemap_unaccount_folio().

I do see value in part of that debugging code. The refcount+mapcount
modifications, not so much. But the "BUG: Bad page cache in process ..."
message sounds helpful.
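
The bookkeeping behind Hillf's two-CPU timeline and David's explanation above, as an added user-space model (not kernel code and not from the thread): the functions mirror the kernel routines they stand in for, while the fields file_vma_maps/foreign_maps, replay_eviction() and the assumed set of reference holders are invented here. The starting numbers (refcount 4 with mapcount 1 once the driver has mapped the page) are taken from the first page dump in the report; the model shows how the forced reset to -1 plus the later unmap of the driver's VMA ends with _mapcount at -2 and the page freed while the driver still holds it, and how a VM_PFNMAP mapping that leaves both counters alone avoids it.

```c
/*
 * Added model, not kernel code: user-space simulation of the
 * _mapcount/_refcount bookkeeping discussed in the thread. Names are
 * chosen to mirror the kernel routines; the struct fields and
 * replay_eviction() are invented for this illustration.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

struct page {
    int refcount;       /* _refcount: page cache, pins, and one per PTE mapping */
    int _mapcount;      /* kernel convention: -1 means "not mapped anywhere" */
    int file_vma_maps;  /* mappings reachable through the file's own VMAs */
    int foreign_maps;   /* mappings made through another file's VMA (udmabuf) */
};

struct outcome {
    struct page page;
    const char *free_verdict;  /* free_page_check() result once refcount hit 0 */
    bool freed_while_pinned;   /* page returned to the allocator under the pin */
};

static int page_mapcount(const struct page *p) { return p->_mapcount + 1; }

/* rmap add/remove: every PTE mapping bumps _mapcount and holds a reference */
static void rmap_add(struct page *p)    { p->_mapcount++; p->refcount++; }
static void rmap_remove(struct page *p) { p->_mapcount--; p->refcount--; }

/* Stands in for truncate_cleanup_folio(): it only walks the truncated file's
 * own VMA tree, so a mapping created through a different file is never found. */
static void truncate_cleanup_folio(struct page *p)
{
    while (p->file_vma_maps > 0) { p->file_vma_maps--; rmap_remove(p); }
}

/* Stands in for the "Bad page cache" branch of filemap_unaccount_folio():
 * with the inode going away it treats leftover mappings as stale, forces
 * _mapcount to -1 and drops the references those mappings held. */
static bool filemap_unaccount_folio(struct page *p, bool mapping_exiting)
{
    int mc = page_mapcount(p);
    if (mc <= 0)
        return false;
    printf("BUG: Bad page cache refcount:%d mapcount:%d (still mapped when deleted)\n",
           p->refcount, mc);
    if (mapping_exiting && p->refcount >= mc + 2) {
        p->_mapcount = -1;
        p->refcount -= mc;
    }
    return true;
}

/* Stands in for free_page_is_bad(): freeing is clean only with _mapcount == -1 */
static const char *free_page_check(const struct page *p)
{
    if (p->_mapcount != -1) return "nonzero mapcount";
    if (p->refcount != 0)   return "nonzero _refcount";
    return "ok";
}

/* Replays the reported sequence. Initial refcount 3 (assumed holders: page
 * cache, the driver's pin, the truncation batch's temporary reference) gives
 * the report's refcount:4 mapcount:1 once the driver has mapped the page.
 * pfnmap=true models the proposed fix: the PFN is inserted without touching
 * _mapcount or _refcount, so eviction sees an unmapped page. */
struct outcome replay_eviction(bool pfnmap)
{
    struct outcome o = { .page = { .refcount = 3, ._mapcount = -1 },
                         .free_verdict = "not freed", .freed_while_pinned = false };
    struct page *p = &o.page;

    if (!pfnmap) { p->foreign_maps++; rmap_add(p); }  /* driver maps page: 4 / 1 */

    /* memfd eviction (cpu1 in the timeline) */
    truncate_cleanup_folio(p);         /* no memfd VMA -> nothing is unmapped */
    filemap_unaccount_folio(p, true);  /* buggy path: forced to -1, one ref dropped */
    p->refcount--;                     /* page cache drops its reference */
    p->refcount--;                     /* truncation batch drops its reference */

    /* process exit tears the driver's VMA down; each rmap PTE drops a reference */
    while (p->foreign_maps > 0) { p->foreign_maps--; rmap_remove(p); }
    if (p->refcount == 0) {            /* freed by the unmap while still pinned */
        o.free_verdict = free_page_check(p);
        o.freed_while_pinned = true;
        return o;
    }

    p->refcount--;                     /* driver releases its pin last */
    if (p->refcount == 0)
        o.free_verdict = free_page_check(p);
    return o;
}

int main(void)
{
    struct outcome bug = replay_eviction(false), fix = replay_eviction(true);
    printf("rmap-mapped driver page: refcount %d _mapcount %d -> %s%s\n",
           bug.page.refcount, bug.page._mapcount, bug.free_verdict,
           bug.freed_while_pinned ? " (freed under the driver's pin)" : "");
    printf("VM_PFNMAP driver page:   refcount %d _mapcount %d -> %s\n",
           fix.page.refcount, fix.page._mapcount, fix.free_verdict);
    return 0;
}
```

The rmap-mapped replay ends at refcount 0 with _mapcount -2 and the verdict "nonzero mapcount", the same values the later "Bad page state" dump in this thread prints (raw `00000000fffffffe`), while the PFNMAP replay frees cleanly after the driver's own release.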

Hillf Danton

Jul 23, 2024, 6:37:59 AM (4 days ago) Jul 23
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Thu, 18 Jul 2024 15:51:26 -0700
> syzbot found the following issue on:
>
> HEAD commit: 4d145e3f830b Merge tag 'i2c-for-6.10-rc8' of git://git.ker..
> git tree: upstream
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1366ab85980000

#syz test upstream 4d145e3f830b

--- x/mm/rmap.c
+++ y/mm/rmap.c
@@ -1466,6 +1466,7 @@ static __always_inline void __folio_add_
void folio_add_file_rmap_ptes(struct folio *folio, struct page *page,
int nr_pages, struct vm_area_struct *vma)
{
+ BUG_ON(!folio_test_locked(folio));
__folio_add_file_rmap(folio, page, nr_pages, vma, RMAP_LEVEL_PTE);
}

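Review bot: `BUG_ON(!folio_test_locked(folio))` makes the folio lock a hard precondition of `folio_add_file_rmap_ptes()` for every caller, yet neither the hunk nor the mail says that the lock is required here or why an unlocked caller would explain the report. If the hypothesis is that the driver in the report maps pages without locking them, state it in the mail and use `VM_WARN_ON_ONCE_FOLIO(!folio_test_locked(folio), folio)` so the run continues and the dump identifies the caller.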
--

syzbot

Jul 23, 2024, 6:52:04 AM (4 days ago) Jul 23
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: Bad page map

BUG: Bad page cache in process syz.0.15 pfn:4b63a
page: refcount:4 mapcount:1 mapping:000000003ee7caca index:0x0 pfn:0x4b63a
memcg:f4f00000060ad000
aops:shmem_aops ino:401
flags: 0x1ffc0000004002d(locked|referenced|uptodate|lru|swapbacked|node=0|zone=0|lastcpupid=0x7ff|kasantag=0x0)
raw: 01ffc0000004002d ffffc1ffc01a0988 ffffc1ffc01a2fc8 f1f00000070f2470
raw: 0000000000000000 0000000000000000 0000000400000000 f4f00000060ad000
page dumped because: still mapped when deleted
CPU: 1 PID: 3851 Comm: syz.0.15 Not tainted 6.10.0-rc7-syzkaller-00266-g4d145e3f830b-dirty #0
Hardware name: linux,dummy-virt (DT)
Call trace:
dump_backtrace+0x94/0xec arch/arm64/kernel/stacktrace.c:317
show_stack+0x18/0x24 arch/arm64/kernel/stacktrace.c:324
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x78/0x90 lib/dump_stack.c:114
dump_stack+0x18/0x24 lib/dump_stack.c:123
filemap_unaccount_folio+0x118/0x278 mm/filemap.c:167
__filemap_remove_folio+0x3c/0x178 mm/filemap.c:231
filemap_remove_folio+0x48/0xa8 mm/filemap.c:264
truncate_inode_folio+0x30/0x4c mm/truncate.c:195
shmem_undo_range+0x208/0x620 mm/shmem.c:1012
shmem_truncate_range mm/shmem.c:1125 [inline]
shmem_evict_inode+0x130/0x2dc mm/shmem.c:1253
evict+0xb4/0x198 fs/inode.c:667
iput_final fs/inode.c:1741 [inline]
iput fs/inode.c:1767 [inline]
iput+0x100/0x1b8 fs/inode.c:1753
dentry_unlink_inode+0xc0/0x188 fs/dcache.c:404
__dentry_kill+0x7c/0x1d4 fs/dcache.c:607
dput.part.0+0x30/0xbc fs/dcache.c:849
dput+0x4c/0x50 fs/dcache.c:860
__fput+0x110/0x2d4 fs/file_table.c:430
____fput+0x10/0x1c fs/file_table.c:450
task_work_run+0x78/0xd0 kernel/task_work.c:180
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
do_notify_resume+0x134/0x164 arch/arm64/kernel/entry-common.c:151
exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:169 [inline]
exit_to_user_mode arch/arm64/kernel/entry-common.c:178 [inline]
el0_svc+0xc8/0xf8 arch/arm64/kernel/entry-common.c:713
el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:730
el0t_64_sync+0x19c/0x1a0 arch/arm64/kernel/entry.S:598
BUG: Bad page cache in process syz.0.15 pfn:468bf
page: refcount:4 mapcount:1 mapping:000000003ee7caca index:0x1 pfn:0x468bf
memcg:f4f00000060ad000
aops:shmem_aops ino:401
flags: 0x1ffc0000004002d(locked|referenced|uptodate|lru|swapbacked|node=0|zone=0|lastcpupid=0x7ff|kasantag=0x0)
raw: 01ffc0000004002d ffffc1ffc02d8e88 ffffc1ffc02d7448 f1f00000070f2470
raw: 0000000000000001 0000000000000000 0000000400000000 f4f00000060ad000
page dumped because: still mapped when deleted
CPU: 1 PID: 3851 Comm: syz.0.15 Tainted: G B 6.10.0-rc7-syzkaller-00266-g4d145e3f830b-dirty #0
Hardware name: linux,dummy-virt (DT)
Call trace:
dump_backtrace+0x94/0xec arch/arm64/kernel/stacktrace.c:317
show_stack+0x18/0x24 arch/arm64/kernel/stacktrace.c:324
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x78/0x90 lib/dump_stack.c:114
dump_stack+0x18/0x24 lib/dump_stack.c:123
filemap_unaccount_folio+0x118/0x278 mm/filemap.c:167
__filemap_remove_folio+0x3c/0x178 mm/filemap.c:231
filemap_remove_folio+0x48/0xa8 mm/filemap.c:264
truncate_inode_folio+0x30/0x4c mm/truncate.c:195
shmem_undo_range+0x208/0x620 mm/shmem.c:1012
shmem_truncate_range mm/shmem.c:1125 [inline]
shmem_evict_inode+0x130/0x2dc mm/shmem.c:1253
evict+0xb4/0x198 fs/inode.c:667
iput_final fs/inode.c:1741 [inline]
iput fs/inode.c:1767 [inline]
iput+0x100/0x1b8 fs/inode.c:1753
dentry_unlink_inode+0xc0/0x188 fs/dcache.c:404
__dentry_kill+0x7c/0x1d4 fs/dcache.c:607
dput.part.0+0x30/0xbc fs/dcache.c:849
dput+0x4c/0x50 fs/dcache.c:860
__fput+0x110/0x2d4 fs/file_table.c:430
____fput+0x10/0x1c fs/file_table.c:450
task_work_run+0x78/0xd0 kernel/task_work.c:180
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
do_notify_resume+0x134/0x164 arch/arm64/kernel/entry-common.c:151
exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:169 [inline]
exit_to_user_mode arch/arm64/kernel/entry-common.c:178 [inline]
el0_svc+0xc8/0xf8 arch/arm64/kernel/entry-common.c:713
el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:730
el0t_64_sync+0x19c/0x1a0 arch/arm64/kernel/entry.S:598
BUG: Bad page map in process syz.0.15 pte:6000004b63a8c3 pmd:800000043b9a003
page: refcount:1 mapcount:-1 mapping:0000000000000000 index:0x0 pfn:0x4b63a
memcg:f4f00000060ad000
flags: 0x1ffc0000004002c(referenced|uptodate|lru|swapbacked|node=0|zone=0|lastcpupid=0x7ff|kasantag=0x0)
raw: 01ffc0000004002c ffffc1ffc0325848 ffffc1ffc01a2fc8 0000000000000000
raw: 0000000000000000 0000000000000000 00000001fffffffe f4f00000060ad000
page dumped because: bad pte
addr:00000000209a0000 vm_flags:400000f9 anon_vma:0000000000000000 mapping:fcf00000033edda8 index:0
file:dmabuf fault:udmabuf_vm_fault mmap:dma_buf_mmap_internal read_folio:0x0
CPU: 1 PID: 3851 Comm: syz.0.15 Tainted: G B 6.10.0-rc7-syzkaller-00266-g4d145e3f830b-dirty #0
BUG: Bad page map in process syz.0.15 pte:600000468bf8c3 pmd:800000043b9a003
page: refcount:1 mapcount:-1 mapping:0000000000000000 index:0x1 pfn:0x468bf
memcg:f4f00000060ad000
flags: 0x1ffc0000004002c(referenced|uptodate|lru|swapbacked|node=0|zone=0|lastcpupid=0x7ff|kasantag=0x0)
raw: 01ffc0000004002c ffffc1ffc02d8e88 ffffc1ffc02d7448 0000000000000000
raw: 0000000000000001 0000000000000000 00000001fffffffe f4f00000060ad000
page dumped because: bad pte
addr:00000000209a1000 vm_flags:400000f9 anon_vma:0000000000000000 mapping:fcf00000033edda8 index:1
file:dmabuf fault:udmabuf_vm_fault mmap:dma_buf_mmap_internal read_folio:0x0
CPU: 1 PID: 3851 Comm: syz.0.15 Tainted: G B 6.10.0-rc7-syzkaller-00266-g4d145e3f830b-dirty #0
BUG: Bad page state in process syz.0.15 pfn:4b63a
page: refcount:0 mapcount:-1 mapping:0000000000000000 index:0x0 pfn:0x4b63a
flags: 0x1ffc0000004000c(referenced|uptodate|swapbacked|node=0|zone=0|lastcpupid=0x7ff|kasantag=0x0)
raw: 01ffc0000004000c dead000000000100 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000000fffffffe 0000000000000000
page dumped because: nonzero mapcount
Modules linked in:
CPU: 1 PID: 3851 Comm: syz.0.15 Tainted: G B 6.10.0-rc7-syzkaller-00266-g4d145e3f830b-dirty #0
Hardware name: linux,dummy-virt (DT)
Call trace:
dump_backtrace+0x94/0xec arch/arm64/kernel/stacktrace.c:317
show_stack+0x18/0x24 arch/arm64/kernel/stacktrace.c:324
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x78/0x90 lib/dump_stack.c:114
dump_stack+0x18/0x24 lib/dump_stack.c:123
bad_page+0x84/0x11c mm/page_alloc.c:498
free_page_is_bad_report+0x98/0xa4 mm/page_alloc.c:904
free_page_is_bad mm/page_alloc.c:914 [inline]
free_pages_prepare mm/page_alloc.c:1085 [inline]
free_unref_folios+0x4c0/0x624 mm/page_alloc.c:2637
folios_put_refs+0x108/0x284 mm/swap.c:1024
free_pages_and_swap_cache+0x14c/0x164 mm/swap_state.c:332
__tlb_batch_free_encoded_pages+0x4c/0xdc mm/mmu_gather.c:136
tlb_batch_pages_flush mm/mmu_gather.c:149 [inline]
tlb_flush_mmu_free mm/mmu_gather.c:366 [inline]
tlb_flush_mmu+0x54/0xe4 mm/mmu_gather.c:373
zap_pte_range mm/memory.c:1685 [inline]
zap_pmd_range mm/memory.c:1724 [inline]
zap_pud_range mm/memory.c:1753 [inline]
zap_p4d_range mm/memory.c:1774 [inline]
unmap_page_range+0xab0/0x1190 mm/memory.c:1795
unmap_single_vma.constprop.0+0x4c/0x84 mm/memory.c:1841
unmap_vmas+0x7c/0x170 mm/memory.c:1885
exit_mmap+0xc0/0x288 mm/mmap.c:3341
__mmput+0x3c/0x170 kernel/fork.c:1346
mmput+0x50/0x5c kernel/fork.c:1368
exit_mm kernel/exit.c:567 [inline]
do_exit+0x270/0x98c kernel/exit.c:863
do_group_exit+0x34/0x90 kernel/exit.c:1025
__do_sys_exit_group kernel/exit.c:1036 [inline]
__se_sys_exit_group kernel/exit.c:1034 [inline]
pid_child_should_wake+0x0/0x5c kernel/exit.c:1034
__invoke_syscall arch/arm64/kernel/syscall.c:34 [inline]
invoke_syscall+0x48/0x118 arch/arm64/kernel/syscall.c:48
el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:131
do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:150
el0_svc+0x34/0xf8 arch/arm64/kernel/entry-common.c:712
el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:730
el0t_64_sync+0x19c/0x1a0 arch/arm64/kernel/entry.S:598
BUG: Bad page state in process syz.0.15 pfn:468bf
page: refcount:0 mapcount:-1 mapping:0000000000000000 index:0x1 pfn:0x468bf
flags: 0x1ffc0000004000c(referenced|uptodate|swapbacked|node=0|zone=0|lastcpupid=0x7ff|kasantag=0x0)
raw: 01ffc0000004000c dead000000000100 dead000000000122 0000000000000000
raw: 0000000000000001 0000000000000000 00000000fffffffe 0000000000000000
page dumped because: nonzero mapcount
Modules linked in:
CPU: 1 PID: 3851 Comm: syz.0.15 Tainted: G B 6.10.0-rc7-syzkaller-00266-g4d145e3f830b-dirty #0
Hardware name: linux,dummy-virt (DT)
Call trace:
dump_backtrace+0x94/0xec arch/arm64/kernel/stacktrace.c:317
show_stack+0x18/0x24 arch/arm64/kernel/stacktrace.c:324
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x78/0x90 lib/dump_stack.c:114
dump_stack+0x18/0x24 lib/dump_stack.c:123
bad_page+0x84/0x11c mm/page_alloc.c:498
free_page_is_bad_report+0x98/0xa4 mm/page_alloc.c:904
free_page_is_bad mm/page_alloc.c:914 [inline]
free_pages_prepare mm/page_alloc.c:1085 [inline]
free_unref_folios+0x4c0/0x624 mm/page_alloc.c:2637
folios_put_refs+0x108/0x284 mm/swap.c:1024
free_pages_and_swap_cache+0x14c/0x164 mm/swap_state.c:332
__tlb_batch_free_encoded_pages+0x4c/0xdc mm/mmu_gather.c:136
tlb_batch_pages_flush mm/mmu_gather.c:149 [inline]
tlb_flush_mmu_free mm/mmu_gather.c:366 [inline]
tlb_flush_mmu+0x54/0xe4 mm/mmu_gather.c:373
zap_pte_range mm/memory.c:1685 [inline]
zap_pmd_range mm/memory.c:1724 [inline]
zap_pud_range mm/memory.c:1753 [inline]
zap_p4d_range mm/memory.c:1774 [inline]
unmap_page_range+0xab0/0x1190 mm/memory.c:1795
unmap_single_vma.constprop.0+0x4c/0x84 mm/memory.c:1841
unmap_vmas+0x7c/0x170 mm/memory.c:1885
exit_mmap+0xc0/0x288 mm/mmap.c:3341
__mmput+0x3c/0x170 kernel/fork.c:1346
mmput+0x50/0x5c kernel/fork.c:1368
exit_mm kernel/exit.c:567 [inline]
do_exit+0x270/0x98c kernel/exit.c:863
do_group_exit+0x34/0x90 kernel/exit.c:1025
__do_sys_exit_group kernel/exit.c:1036 [inline]
__se_sys_exit_group kernel/exit.c:1034 [inline]
pid_child_should_wake+0x0/0x5c kernel/exit.c:1034
__invoke_syscall arch/arm64/kernel/syscall.c:34 [inline]
invoke_syscall+0x48/0x118 arch/arm64/kernel/syscall.c:48
el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:131
do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:150
el0_svc+0x34/0xf8 arch/arm64/kernel/entry-common.c:712
el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:730
el0t_64_sync+0x19c/0x1a0 arch/arm64/kernel/entry.S:598


Tested on:

commit: 4d145e3f Merge tag 'i2c-for-6.10-rc8' of git://git.ker..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=12ff8265980000
kernel config: https://syzkaller.appspot.com/x/.config?x=6b5a15443200e31
dashboard link: https://syzkaller.appspot.com/bug?extid=ec4b7d82bb051330f15a
compiler: aarch64-linux-gnu-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
patch: https://syzkaller.appspot.com/x/patch.diff?x=160af2b1980000
