[syzbot] [mm?] BUG: Bad page state in page_cache_ra_order


syzbot

May 1, 2025, 12:23:25 PM
to ak...@linux-foundation.org, linux-...@vger.kernel.org, linu...@kvack.org, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 5bc1018675ec Merge tag 'pci-v6.15-fixes-3' of git://git.ke..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=175930d4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=9f5bd2a76d9d0b4e
dashboard link: https://syzkaller.appspot.com/bug?extid=7b3842775c9ce6b69efc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11b72374580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12781270580000

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7feb34a89c2a/non_bootable_disk-5bc10186.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/db0c2eeb9aae/vmlinux-5bc10186.xz
kernel image: https://storage.googleapis.com/syzbot-assets/7bef337ab40d/bzImage-5bc10186.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+7b3842...@syzkaller.appspotmail.com

BUG: Bad page state in process syz-executor356 pfn:35e01
page does not match folio
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffffffffffffffff pfn:0x35e01
ksm flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea0000d78000 00000000ffffffff ffffffffffffffff
raw: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: nonzero pincount
page_owner tracks the page as allocated
page last allocated via order 9, migratetype Unmovable, gfp_mask 0x152c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL), pid 5919, tgid 5919 (syz-executor356), ts 42998011464, free_ts 0
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x181/0x1b0 mm/page_alloc.c:1718
prep_new_page mm/page_alloc.c:1726 [inline]
get_page_from_freelist+0x135c/0x3920 mm/page_alloc.c:3688
__alloc_frozen_pages_noprof+0x263/0x23a0 mm/page_alloc.c:4970
alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2301
alloc_pages_noprof mm/mempolicy.c:2392 [inline]
folio_alloc_noprof+0x20/0x2d0 mm/mempolicy.c:2402
filemap_alloc_folio_noprof+0x3a1/0x470 mm/filemap.c:1007
ractl_alloc_folio mm/readahead.c:186 [inline]
ra_alloc_folio mm/readahead.c:441 [inline]
page_cache_ra_order+0x4c0/0xd00 mm/readahead.c:509
do_sync_mmap_readahead mm/filemap.c:3225 [inline]
filemap_fault+0x1a5e/0x2740 mm/filemap.c:3403
__do_fault+0x10a/0x490 mm/memory.c:5098
do_shared_fault mm/memory.c:5582 [inline]
do_fault mm/memory.c:5656 [inline]
do_pte_missing+0x1a6/0x3fb0 mm/memory.c:4160
handle_pte_fault mm/memory.c:5997 [inline]
__handle_mm_fault+0x103d/0x2a40 mm/memory.c:6140
handle_mm_fault+0x3fe/0xad0 mm/memory.c:6309
do_user_addr_fault+0x60c/0x1370 arch/x86/mm/fault.c:1337
handle_page_fault arch/x86/mm/fault.c:1480 [inline]
exc_page_fault+0x5c/0xc0 arch/x86/mm/fault.c:1538
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
page_owner free stack trace missing
Modules linked in:
CPU: 3 UID: 0 PID: 5919 Comm: syz-executor356 Not tainted 6.15.0-rc3-syzkaller-00342-g5bc1018675ec #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120
bad_page+0xb3/0x1f0 mm/page_alloc.c:505
free_tail_page_prepare+0x44f/0x5b0 mm/page_alloc.c:1000
free_pages_prepare mm/page_alloc.c:1238 [inline]
__free_frozen_pages+0x96a/0xff0 mm/page_alloc.c:2725
__folio_put+0x329/0x450 mm/swap.c:112
folio_put_refs include/linux/mm.h:1600 [inline]
filemap_free_folio+0x132/0x170 mm/filemap.c:235
delete_from_page_cache_batch+0x741/0x9b0 mm/filemap.c:339
truncate_inode_pages_range+0x279/0xe30 mm/truncate.c:376
kill_bdev block/bdev.c:91 [inline]
blkdev_flush_mapping+0xfb/0x290 block/bdev.c:712
blkdev_put_whole+0xc4/0xf0 block/bdev.c:719
bdev_release+0x47e/0x6d0 block/bdev.c:1144
blkdev_release+0x15/0x20 block/fops.c:660
__fput+0x3ff/0xb70 fs/file_table.c:465
task_work_run+0x14d/0x240 kernel/task_work.c:227
exit_task_work include/linux/task_work.h:40 [inline]
do_exit+0xafb/0x2c30 kernel/exit.c:953
do_group_exit+0xd3/0x2a0 kernel/exit.c:1102
__do_sys_exit_group kernel/exit.c:1113 [inline]
__se_sys_exit_group kernel/exit.c:1111 [inline]
__x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1111
x64_sys_call+0x1530/0x1730 arch/x86/include/generated/asm/syscalls_64.h:232
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fe721146d09
Code: Unable to access opcode bytes at 0x7fe721146cdf.
RSP: 002b:00007fff045c05b8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe721146d09
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
RBP: 00007fe7211c12b0 R08: ffffffffffffffb8 R09: 0000000000000006
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe7211c12b0
R13: 0000000000000000 R14: 00007fe7211c1d00 R15: 00007fe721117f60
</TASK>
BUG: Bad page state in process syz-executor356 pfn:35e00
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x35e00
head: order:0 mapcount:0 entire_mapcount:1 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000049(locked|uptodate|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000049 dead000000000100 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
head: 00fff00000000049 dead000000000100 dead000000000122 0000000000000000
head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
head: 00fff00000000000 0000000000000000 00000000ffffffff 0000000000000000
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
page_owner tracks the page as allocated
page last allocated via order 9, migratetype Unmovable, gfp_mask 0x152c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL), pid 5919, tgid 5919 (syz-executor356), ts 42998011464, free_ts 0
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x181/0x1b0 mm/page_alloc.c:1718
prep_new_page mm/page_alloc.c:1726 [inline]
get_page_from_freelist+0x135c/0x3920 mm/page_alloc.c:3688
__alloc_frozen_pages_noprof+0x263/0x23a0 mm/page_alloc.c:4970
alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2301
alloc_pages_noprof mm/mempolicy.c:2392 [inline]
folio_alloc_noprof+0x20/0x2d0 mm/mempolicy.c:2402
filemap_alloc_folio_noprof+0x3a1/0x470 mm/filemap.c:1007
ractl_alloc_folio mm/readahead.c:186 [inline]
ra_alloc_folio mm/readahead.c:441 [inline]
page_cache_ra_order+0x4c0/0xd00 mm/readahead.c:509
do_sync_mmap_readahead mm/filemap.c:3225 [inline]
filemap_fault+0x1a5e/0x2740 mm/filemap.c:3403
__do_fault+0x10a/0x490 mm/memory.c:5098
do_shared_fault mm/memory.c:5582 [inline]
do_fault mm/memory.c:5656 [inline]
do_pte_missing+0x1a6/0x3fb0 mm/memory.c:4160
handle_pte_fault mm/memory.c:5997 [inline]
__handle_mm_fault+0x103d/0x2a40 mm/memory.c:6140
handle_mm_fault+0x3fe/0xad0 mm/memory.c:6309
do_user_addr_fault+0x60c/0x1370 arch/x86/mm/fault.c:1337
handle_page_fault arch/x86/mm/fault.c:1480 [inline]
exc_page_fault+0x5c/0xc0 arch/x86/mm/fault.c:1538
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
page_owner free stack trace missing
Modules linked in:
CPU: 2 UID: 0 PID: 5919 Comm: syz-executor356 Tainted: G B 6.15.0-rc3-syzkaller-00342-g5bc1018675ec #0 PREEMPT(full)
Tainted: [B]=BAD_PAGE
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120
bad_page+0xb3/0x1f0 mm/page_alloc.c:505
free_page_is_bad_report mm/page_alloc.c:938 [inline]
free_page_is_bad mm/page_alloc.c:948 [inline]
free_pages_prepare mm/page_alloc.c:1254 [inline]
__free_frozen_pages+0x76e/0xff0 mm/page_alloc.c:2725
__folio_put+0x329/0x450 mm/swap.c:112
folio_put_refs include/linux/mm.h:1600 [inline]
filemap_free_folio+0x132/0x170 mm/filemap.c:235
delete_from_page_cache_batch+0x741/0x9b0 mm/filemap.c:339
truncate_inode_pages_range+0x279/0xe30 mm/truncate.c:376
kill_bdev block/bdev.c:91 [inline]
blkdev_flush_mapping+0xfb/0x290 block/bdev.c:712
blkdev_put_whole+0xc4/0xf0 block/bdev.c:719
bdev_release+0x47e/0x6d0 block/bdev.c:1144
blkdev_release+0x15/0x20 block/fops.c:660
__fput+0x3ff/0xb70 fs/file_table.c:465
task_work_run+0x14d/0x240 kernel/task_work.c:227
exit_task_work include/linux/task_work.h:40 [inline]
do_exit+0xafb/0x2c30 kernel/exit.c:953
do_group_exit+0xd3/0x2a0 kernel/exit.c:1102
__do_sys_exit_group kernel/exit.c:1113 [inline]
__se_sys_exit_group kernel/exit.c:1111 [inline]
__x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1111
x64_sys_call+0x1530/0x1730 arch/x86/include/generated/asm/syscalls_64.h:232
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fe721146d09
Code: Unable to access opcode bytes at 0x7fe721146cdf.
RSP: 002b:00007fff045c05b8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe721146d09
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
RBP: 00007fe7211c12b0 R08: ffffffffffffffb8 R09: 0000000000000006
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe7211c12b0
R13: 0000000000000000 R14: 00007fe7211c1d00 R15: 00007fe721117f60
</TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Hillf Danton

May 1, 2025, 8:53:13 PM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Thu, 01 May 2025 09:23:23 -0700
> syzbot found the following issue on:
>
> HEAD commit: 5bc1018675ec Merge tag 'pci-v6.15-fixes-3' of git://git.ke..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=175930d4580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=9f5bd2a76d9d0b4e
> dashboard link: https://syzkaller.appspot.com/bug?extid=7b3842775c9ce6b69efc
> compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11b72374580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12781270580000

#syz test

--- x/block/bdev.c
+++ y/block/bdev.c
@@ -88,7 +88,9 @@ static void kill_bdev(struct block_devic
return;

invalidate_bh_lrus();
+ filemap_invalidate_lock(mapping);
truncate_inode_pages(mapping, 0);
+ filemap_invalidate_unlock(mapping);
}

/* Invalidate clean unused buffers and pagecache. */
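Review bot: taking filemap_invalidate_lock(mapping) unconditionally inside kill_bdev() recurses for callers that already hold that lock; the syzbot test result later in this thread shows exactly that, with lockdep reporting a second acquisition of mapping.invalidate_lock in set_blocksize() during the root filesystem mount, followed by a hung-task panic. Either take the lock at the caller that lacks it (blkdev_flush_mapping() in the reported trace) or make the locking requirement of kill_bdev() explicit in a comment, and add a changelog stating which truncate/readahead interleaving the lock is meant to close, since the hunk alone does not say why invalidate_lock is the right lock for the page_cache_ra_order path.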
--

syzbot

May 1, 2025, 9:15:04 PM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

[ 19.184924][ T1] ============================================
[ 19.186790][ T1] WARNING: possible recursive locking detected
[ 19.188720][ T1] 6.15.0-rc4-syzkaller-gebd297a2affa-dirty #0 Not tainted
[ 19.190708][ T1] --------------------------------------------
[ 19.192499][ T1] swapper/0/1 is trying to acquire lock:
[ 19.194144][ T1] ffff88801fa8f0c0 (mapping.invalidate_lock){+.+.}-{4:4}, at: set_blocksize+0x2c7/0x540
[ 19.196953][ T1]
[ 19.196953][ T1] but task is already holding lock:
[ 19.199108][ T1] ffff88801fa8f0c0 (mapping.invalidate_lock){+.+.}-{4:4}, at: set_blocksize+0x20f/0x540
[ 19.201846][ T1]
[ 19.201846][ T1] other info that might help us debug this:
[ 19.204121][ T1] Possible unsafe locking scenario:
[ 19.204121][ T1]
[ 19.206228][ T1] CPU0
[ 19.207168][ T1] ----
[ 19.208188][ T1] lock(mapping.invalidate_lock);
[ 19.209671][ T1] lock(mapping.invalidate_lock);
[ 19.211139][ T1]
[ 19.211139][ T1] *** DEADLOCK ***
[ 19.211139][ T1]
[ 19.213468][ T1] May be due to missing lock nesting notation
[ 19.213468][ T1]
[ 19.215860][ T1] 3 locks held by swapper/0/1:
[ 19.217308][ T1] #0: ffff88802b51a0e0 (&type->s_umount_key#24/1){+.+.}-{4:4}, at: alloc_super+0x235/0xbd0
[ 19.220365][ T1] #1: ffff88801fa8ef20 (&sb->s_type->i_mutex_key#7){+.+.}-{4:4}, at: set_blocksize+0x1e0/0x540
[ 19.223505][ T1] #2: ffff88801fa8f0c0 (mapping.invalidate_lock){+.+.}-{4:4}, at: set_blocksize+0x20f/0x540
[ 19.226605][ T1]
[ 19.226605][ T1] stack backtrace:
[ 19.228455][ T1] CPU: 2 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.15.0-rc4-syzkaller-gebd297a2affa-dirty #0 PREEMPT(full)
[ 19.228469][ T1] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 19.228475][ T1] Call Trace:
[ 19.228480][ T1] <TASK>
[ 19.228484][ T1] dump_stack_lvl+0x116/0x1f0
[ 19.228527][ T1] print_deadlock_bug+0x1e9/0x240
[ 19.228542][ T1] __lock_acquire+0xff7/0x1ba0
[ 19.228559][ T1] lock_acquire+0x179/0x350
[ 19.228573][ T1] ? set_blocksize+0x2c7/0x540
[ 19.228584][ T1] ? __pfx___might_resched+0x10/0x10
[ 19.228597][ T1] ? smp_call_function_many_cond+0x524/0x1290
[ 19.228610][ T1] down_write+0x92/0x200
[ 19.228622][ T1] ? set_blocksize+0x2c7/0x540
[ 19.228632][ T1] ? __pfx_down_write+0x10/0x10
[ 19.228645][ T1] ? __pfx_invalidate_bh_lru+0x10/0x10
[ 19.228661][ T1] ? __pfx_has_bh_in_lru+0x10/0x10
[ 19.228675][ T1] ? on_each_cpu_cond_mask+0x5a/0x90
[ 19.228686][ T1] set_blocksize+0x2c7/0x540
[ 19.228697][ T1] sb_set_blocksize+0xca/0x1d0
[ 19.228708][ T1] ext4_fill_super+0x8b4/0xb020
[ 19.228722][ T1] ? snprintf+0xc7/0x100
[ 19.228732][ T1] ? __pfx_snprintf+0x10/0x10
[ 19.228742][ T1] ? __pfx_ext4_fill_super+0x10/0x10
[ 19.228751][ T1] ? do_raw_spin_lock+0x12c/0x2b0
[ 19.228761][ T1] ? find_held_lock+0x2b/0x80
[ 19.228772][ T1] ? set_blocksize+0x43f/0x540
[ 19.228783][ T1] ? sb_set_blocksize+0x176/0x1d0
[ 19.228793][ T1] ? setup_bdev_super+0x369/0x730
[ 19.228807][ T1] get_tree_bdev_flags+0x389/0x620
[ 19.228821][ T1] ? __pfx_ext4_fill_super+0x10/0x10
[ 19.228831][ T1] ? __pfx_get_tree_bdev_flags+0x10/0x10
[ 19.228847][ T1] ? bpf_lsm_capable+0x9/0x10
[ 19.228856][ T1] ? security_capable+0x7e/0x260
[ 19.228867][ T1] vfs_get_tree+0x8b/0x340
[ 19.228879][ T1] path_mount+0x14d4/0x1f20
[ 19.228890][ T1] ? kmem_cache_free+0x2d4/0x4d0
[ 19.228905][ T1] ? __pfx_path_mount+0x10/0x10
[ 19.228916][ T1] ? putname+0x154/0x1a0
[ 19.228926][ T1] init_mount+0xbe/0x110
[ 19.228958][ T1] ? __pfx_init_mount+0x10/0x10
[ 19.228969][ T1] ? list_bdev_fs_names+0x10d/0x170
[ 19.228982][ T1] do_mount_root+0x22a/0x540
[ 19.228994][ T1] mount_root_generic+0x199/0x690
[ 19.229007][ T1] ? __pfx_mount_root_generic+0x10/0x10
[ 19.229019][ T1] ? __asan_memcpy+0x3c/0x60
[ 19.229033][ T1] ? getname_kernel+0x21b/0x370
[ 19.229044][ T1] mount_root+0x243/0x480
[ 19.229054][ T1] ? kmem_cache_alloc_noprof+0x21e/0x3b0
[ 19.229071][ T1] ? __pfx_mount_root+0x10/0x10
[ 19.229082][ T1] ? __asan_memcpy+0x3c/0x60
[ 19.229095][ T1] ? getname_kernel+0x21b/0x370
[ 19.229106][ T1] prepare_namespace+0xe2/0x3f0
[ 19.229121][ T1] ? __pfx_prepare_namespace+0x10/0x10
[ 19.229133][ T1] ? fput+0x70/0xf0
[ 19.229143][ T1] kernel_init_freeable+0x705/0x900
[ 19.229154][ T1] ? __pfx_kernel_init+0x10/0x10
[ 19.229168][ T1] kernel_init+0x1c/0x2b0
[ 19.229181][ T1] ? __pfx_kernel_init+0x10/0x10
[ 19.229194][ T1] ret_from_fork+0x45/0x80
[ 19.229204][ T1] ? __pfx_kernel_init+0x10/0x10
[ 19.229218][ T1] ret_from_fork_asm+0x1a/0x30
[ 19.229235][ T1] </TASK>
[ 81.482424][ T64] cfg80211: failed to load regulatory.db
[ 286.281965][ T41] INFO: task swapper/0:1 blocked for more than 143 seconds.
[ 286.284156][ T41] Not tainted 6.15.0-rc4-syzkaller-gebd297a2affa-dirty #0
[ 286.286388][ T41] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[ 286.288911][ T41] task:swapper/0 state:D stack:22520 pid:1 tgid:1 ppid:0 task_flags:0x0140 flags:0x00004002
[ 286.292445][ T41] Call Trace:
[ 286.293501][ T41] <TASK>
[ 286.294421][ T41] __schedule+0x116f/0x5de0
[ 286.295775][ T41] ? lock_release+0x201/0x2f0
[ 286.297172][ T41] ? rcu_is_watching+0x12/0xc0
[ 286.298603][ T41] ? trace_sched_exit_tp+0xde/0x130
[ 286.300147][ T41] ? __pfx___schedule+0x10/0x10
[ 286.301615][ T41] ? schedule+0x2d7/0x3a0
[ 286.302953][ T41] ? rcu_is_watching+0x12/0xc0
[ 286.304387][ T41] ? lock_release+0x201/0x2f0
[ 286.305836][ T41] schedule+0xe7/0x3a0
[ 286.307106][ T41] schedule_preempt_disabled+0x13/0x30
[ 286.308826][ T41] rwsem_down_write_slowpath+0x524/0x1310
[ 286.310541][ T41] ? __pfx_rwsem_down_write_slowpath+0x10/0x10
[ 286.312447][ T41] ? __pfx___might_resched+0x10/0x10
[ 286.314090][ T41] ? smp_call_function_many_cond+0x524/0x1290
[ 286.315957][ T41] down_write+0x1d6/0x200
[ 286.317252][ T41] ? __pfx_down_write+0x10/0x10
[ 286.318812][ T41] ? __pfx_invalidate_bh_lru+0x10/0x10
[ 286.320534][ T41] ? __pfx_has_bh_in_lru+0x10/0x10
[ 286.322210][ T41] ? on_each_cpu_cond_mask+0x5a/0x90
[ 286.323906][ T41] set_blocksize+0x2c7/0x540
[ 286.325357][ T41] sb_set_blocksize+0xca/0x1d0
[ 286.326869][ T41] ext4_fill_super+0x8b4/0xb020
[ 286.328395][ T41] ? snprintf+0xc7/0x100
[ 286.329760][ T41] ? __pfx_snprintf+0x10/0x10
[ 286.331242][ T41] ? __pfx_ext4_fill_super+0x10/0x10
[ 286.332970][ T41] ? do_raw_spin_lock+0x12c/0x2b0
[ 286.334602][ T41] ? find_held_lock+0x2b/0x80
[ 286.336083][ T41] ? set_blocksize+0x43f/0x540
[ 286.337596][ T41] ? sb_set_blocksize+0x176/0x1d0
[ 286.339191][ T41] ? setup_bdev_super+0x369/0x730
[ 286.340773][ T41] get_tree_bdev_flags+0x389/0x620
[ 286.342447][ T41] ? __pfx_ext4_fill_super+0x10/0x10
[ 286.344107][ T41] ? __pfx_get_tree_bdev_flags+0x10/0x10
[ 286.345871][ T41] ? bpf_lsm_capable+0x9/0x10
[ 286.347344][ T41] ? security_capable+0x7e/0x260
[ 286.348910][ T41] vfs_get_tree+0x8b/0x340
[ 286.350330][ T41] path_mount+0x14d4/0x1f20
[ 286.351768][ T41] ? kmem_cache_free+0x2d4/0x4d0
[ 286.353369][ T41] ? __pfx_path_mount+0x10/0x10
[ 286.354935][ T41] ? putname+0x154/0x1a0
[ 286.356280][ T41] init_mount+0xbe/0x110
[ 286.357635][ T41] ? __pfx_init_mount+0x10/0x10
[ 286.359186][ T41] ? list_bdev_fs_names+0x10d/0x170
[ 286.360819][ T41] do_mount_root+0x22a/0x540
[ 286.362350][ T41] mount_root_generic+0x199/0x690
[ 286.363959][ T41] ? __pfx_mount_root_generic+0x10/0x10
[ 286.365694][ T41] ? __asan_memcpy+0x3c/0x60
[ 286.367173][ T41] ? getname_kernel+0x21b/0x370
[ 286.368720][ T41] mount_root+0x243/0x480
[ 286.370203][ T41] ? kmem_cache_alloc_noprof+0x21e/0x3b0
[ 286.372064][ T41] ? __pfx_mount_root+0x10/0x10
[ 286.373629][ T41] ? __asan_memcpy+0x3c/0x60
[ 286.375086][ T41] ? getname_kernel+0x21b/0x370
[ 286.376619][ T41] prepare_namespace+0xe2/0x3f0
[ 286.378165][ T41] ? __pfx_prepare_namespace+0x10/0x10
[ 286.379885][ T41] ? fput+0x70/0xf0
[ 286.381122][ T41] kernel_init_freeable+0x705/0x900
[ 286.382830][ T41] ? __pfx_kernel_init+0x10/0x10
[ 286.384413][ T41] kernel_init+0x1c/0x2b0
[ 286.385808][ T41] ? __pfx_kernel_init+0x10/0x10
[ 286.387388][ T41] ret_from_fork+0x45/0x80
[ 286.388808][ T41] ? __pfx_kernel_init+0x10/0x10
[ 286.390457][ T41] ret_from_fork_asm+0x1a/0x30
[ 286.392028][ T41] </TASK>
[ 286.393125][ T41] INFO: lockdep is turned off.
[ 286.394664][ T41] Kernel panic - not syncing: hung_task: blocked tasks
[ 286.396810][ T41] CPU: 3 UID: 0 PID: 41 Comm: khungtaskd Not tainted 6.15.0-rc4-syzkaller-gebd297a2affa-dirty #0 PREEMPT(full)
[ 286.400476][ T41] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 286.404020][ T41] Call Trace:
[ 286.405169][ T41] <TASK>
[ 286.406133][ T41] dump_stack_lvl+0x3d/0x1f0
[ 286.407615][ T41] panic+0x71c/0x800
[ 286.408912][ T41] ? __pfx_panic+0x10/0x10
[ 286.410428][ T41] ? rcu_is_watching+0x12/0xc0
[ 286.411948][ T41] ? rcu_is_watching+0x12/0xc0
[ 286.413468][ T41] ? watchdog+0xdda/0x12c0
[ 286.414892][ T41] ? watchdog+0xdcd/0x12c0
[ 286.416296][ T41] watchdog+0xdeb/0x12c0
[ 286.417642][ T41] ? __pfx_watchdog+0x10/0x10
[ 286.419134][ T41] ? lockdep_hardirqs_on+0x7c/0x110
[ 286.420764][ T41] ? __kthread_parkme+0x19e/0x250
[ 286.422370][ T41] ? __pfx_watchdog+0x10/0x10
[ 286.423864][ T41] kthread+0x3c2/0x780
[ 286.425148][ T41] ? __pfx_kthread+0x10/0x10
[ 286.426607][ T41] ? __pfx_kthread+0x10/0x10
[ 286.428061][ T41] ? __pfx_kthread+0x10/0x10
[ 286.429544][ T41] ? __pfx_kthread+0x10/0x10
[ 286.431050][ T41] ? rcu_is_watching+0x12/0xc0
[ 286.432676][ T41] ? __pfx_kthread+0x10/0x10
[ 286.434145][ T41] ret_from_fork+0x45/0x80
[ 286.435555][ T41] ? __pfx_kthread+0x10/0x10
[ 286.437021][ T41] ret_from_fork_asm+0x1a/0x30
[ 286.438545][ T41] </TASK>
[ 286.440143][ T41] Kernel Offset: disabled
[ 286.441519][ T41] Rebooting in 86400 seconds..


syzkaller build log:


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=160b3f74580000


Tested on:

commit: ebd297a2 Merge tag 'net-6.15-rc5' of git://git.kernel...
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=ca17f2d2ba38f7a0
dashboard link: https://syzkaller.appspot.com/bug?extid=7b3842775c9ce6b69efc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1481939b980000

Hillf Danton

May 1, 2025, 11:35:03 PM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Thu, 01 May 2025 09:23:23 -0700
> syzbot found the following issue on:
>
> HEAD commit: 5bc1018675ec Merge tag 'pci-v6.15-fixes-3' of git://git.ke..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=175930d4580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=9f5bd2a76d9d0b4e
> dashboard link: https://syzkaller.appspot.com/bug?extid=7b3842775c9ce6b69efc
> compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11b72374580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12781270580000

#syz test

--- x/block/bdev.c
+++ y/block/bdev.c
@@ -707,9 +707,16 @@ static void bd_end_claim(struct block_de

static void blkdev_flush_mapping(struct block_device *bdev)
{
+ struct address_space *mapping = bdev->bd_mapping;
+
WARN_ON_ONCE(bdev->bd_holders);
sync_blockdev(bdev);
- kill_bdev(bdev);
+ filemap_invalidate_lock(mapping);
+ if (!mapping_empty(mapping)) {
+ invalidate_bh_lrus();
+ truncate_inode_pages(mapping, 0);
+ }
+ filemap_invalidate_unlock(mapping);
bdev_write_inode(bdev);
}

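Review bot: this hunk duplicates the body of kill_bdev() (invalidate_bh_lrus() plus truncate_inode_pages(mapping, 0), now guarded by `if (!mapping_empty(mapping))` under filemap_invalidate_lock) while leaving kill_bdev() and its remaining callers untouched, so the unlocked truncate sequence still exists elsewhere and the two copies can drift; if the lock is only safe to take here, a comment on kill_bdev() should say so. The follow-up syzbot run in this thread also shows the same "nonzero pincount" report firing from truncate_inode_pages_range via blkdev_flush_mapping at block/bdev.c:717 with this change applied, so the invalidate lock on its own does not keep the order-9 folio allocated in page_cache_ra_order from being freed while still pinned; the patch needs a changelog explaining why this lock was expected to serialize against the fault-time readahead path.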
--

syzbot

May 1, 2025, 11:48:06 PM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: Bad page state in page_cache_ra_order

BUG: Bad page state in process syz.0.16 pfn:4e001
page does not match folio
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffffffffffffffff pfn:0x4e001
ksm flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea0001380000 00000000ffffffff ffffffffffffffff
raw: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: nonzero pincount
page_owner tracks the page as allocated
page last allocated via order 9, migratetype Unmovable, gfp_mask 0x152c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL), pid 6527, tgid 6527 (syz.0.16), ts 94244842343, free_ts 59432072975
page last free pid 6022 tgid 6022 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1262 [inline]
__free_frozen_pages+0x69d/0xff0 mm/page_alloc.c:2725
vfree+0x176/0x960 mm/vmalloc.c:3383
kcov_put kernel/kcov.c:439 [inline]
kcov_put kernel/kcov.c:435 [inline]
kcov_close+0x34/0x60 kernel/kcov.c:535
__fput+0x3ff/0xb70 fs/file_table.c:465
task_work_run+0x14d/0x240 kernel/task_work.c:227
exit_task_work include/linux/task_work.h:40 [inline]
do_exit+0xafb/0x2c30 kernel/exit.c:953
do_group_exit+0xd3/0x2a0 kernel/exit.c:1102
get_signal+0x2673/0x26d0 kernel/signal.c:3034
arch_do_signal_or_restart+0x8f/0x7d0 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218
do_syscall_64+0xda/0x260 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Modules linked in:
CPU: 3 UID: 0 PID: 6527 Comm: syz.0.16 Not tainted 6.15.0-rc4-syzkaller-gebd297a2affa-dirty #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120
bad_page+0xb3/0x1f0 mm/page_alloc.c:505
free_tail_page_prepare+0x44f/0x5b0 mm/page_alloc.c:1000
free_pages_prepare mm/page_alloc.c:1238 [inline]
__free_frozen_pages+0x96a/0xff0 mm/page_alloc.c:2725
__folio_put+0x329/0x450 mm/swap.c:112
folio_put_refs include/linux/mm.h:1600 [inline]
filemap_free_folio+0x132/0x170 mm/filemap.c:235
delete_from_page_cache_batch+0x741/0x9b0 mm/filemap.c:339
truncate_inode_pages_range+0x279/0xe30 mm/truncate.c:376
blkdev_flush_mapping+0xe9/0x280 block/bdev.c:717
blkdev_put_whole+0xc4/0xf0 block/bdev.c:726
bdev_release+0x47e/0x6d0 block/bdev.c:1151
blkdev_release+0x15/0x20 block/fops.c:660
__fput+0x3ff/0xb70 fs/file_table.c:465
task_work_run+0x14d/0x240 kernel/task_work.c:227
exit_task_work include/linux/task_work.h:40 [inline]
do_exit+0xafb/0x2c30 kernel/exit.c:953
do_group_exit+0xd3/0x2a0 kernel/exit.c:1102
__do_sys_exit_group kernel/exit.c:1113 [inline]
__se_sys_exit_group kernel/exit.c:1111 [inline]
__x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1111
x64_sys_call+0x1530/0x1730 arch/x86/include/generated/asm/syscalls_64.h:232
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f9fe6f8e969
Code: Unable to access opcode bytes at 0x7f9fe6f8e93f.
RSP: 002b:00007ffdca8b3c98 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f9fe6f8e969
RDX: 0000000000000064 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000003 R08: 00000006ca8b3d8f R09: 00007f9fe717d260
R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f9fe717d260 R14: 0000000000000003 R15: 00007ffdca8b3d50
</TASK>
BUG: Bad page state in process syz.0.16 pfn:4e000
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4e000
head: order:0 mapcount:0 entire_mapcount:1 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000049(locked|uptodate|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000049 dead000000000100 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
head: 00fff00000000049 dead000000000100 dead000000000122 0000000000000000
head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
head: 00fff00000000000 0000000000000000 00000000ffffffff 0000000000000000
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
page_owner tracks the page as allocated
page last allocated via order 9, migratetype Unmovable, gfp_mask 0x152c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL), pid 6527, tgid 6527 (syz.0.16), ts 94244842343, free_ts 59432061555
page last free pid 6022 tgid 6022 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1262 [inline]
__free_frozen_pages+0x69d/0xff0 mm/page_alloc.c:2725
vfree+0x176/0x960 mm/vmalloc.c:3383
kcov_put kernel/kcov.c:439 [inline]
kcov_put kernel/kcov.c:435 [inline]
kcov_close+0x34/0x60 kernel/kcov.c:535
__fput+0x3ff/0xb70 fs/file_table.c:465
task_work_run+0x14d/0x240 kernel/task_work.c:227
exit_task_work include/linux/task_work.h:40 [inline]
do_exit+0xafb/0x2c30 kernel/exit.c:953
do_group_exit+0xd3/0x2a0 kernel/exit.c:1102
get_signal+0x2673/0x26d0 kernel/signal.c:3034
arch_do_signal_or_restart+0x8f/0x7d0 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218
do_syscall_64+0xda/0x260 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Modules linked in:
CPU: 2 UID: 0 PID: 6527 Comm: syz.0.16 Tainted: G B 6.15.0-rc4-syzkaller-gebd297a2affa-dirty #0 PREEMPT(full)
Tainted: [B]=BAD_PAGE
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120
bad_page+0xb3/0x1f0 mm/page_alloc.c:505
free_page_is_bad_report mm/page_alloc.c:938 [inline]
free_page_is_bad mm/page_alloc.c:948 [inline]
free_pages_prepare mm/page_alloc.c:1254 [inline]
__free_frozen_pages+0x76e/0xff0 mm/page_alloc.c:2725
__folio_put+0x329/0x450 mm/swap.c:112
folio_put_refs include/linux/mm.h:1600 [inline]
filemap_free_folio+0x132/0x170 mm/filemap.c:235
delete_from_page_cache_batch+0x741/0x9b0 mm/filemap.c:339
truncate_inode_pages_range+0x279/0xe30 mm/truncate.c:376
blkdev_flush_mapping+0xe9/0x280 block/bdev.c:717
blkdev_put_whole+0xc4/0xf0 block/bdev.c:726
bdev_release+0x47e/0x6d0 block/bdev.c:1151
blkdev_release+0x15/0x20 block/fops.c:660
__fput+0x3ff/0xb70 fs/file_table.c:465
task_work_run+0x14d/0x240 kernel/task_work.c:227
exit_task_work include/linux/task_work.h:40 [inline]
do_exit+0xafb/0x2c30 kernel/exit.c:953
do_group_exit+0xd3/0x2a0 kernel/exit.c:1102
__do_sys_exit_group kernel/exit.c:1113 [inline]
__se_sys_exit_group kernel/exit.c:1111 [inline]
__x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1111
x64_sys_call+0x1530/0x1730 arch/x86/include/generated/asm/syscalls_64.h:232
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f9fe6f8e969
Code: Unable to access opcode bytes at 0x7f9fe6f8e93f.
RSP: 002b:00007ffdca8b3c98 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f9fe6f8e969
RDX: 0000000000000064 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000003 R08: 00000006ca8b3d8f R09: 00007f9fe717d260
R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f9fe717d260 R14: 0000000000000003 R15: 00007ffdca8b3d50
</TASK>


Tested on:

commit: ebd297a2 Merge tag 'net-6.15-rc5' of git://git.kernel...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=124eb02f980000
kernel config: https://syzkaller.appspot.com/x/.config?x=ca17f2d2ba38f7a0
dashboard link: https://syzkaller.appspot.com/bug?extid=7b3842775c9ce6b69efc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=13e0b774580000

Hillf Danton

May 2, 2025, 5:10:27 AM5/2/25
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Thu, 01 May 2025 09:23:23 -0700
> syzbot found the following issue on:
>
> HEAD commit: 5bc1018675ec Merge tag 'pci-v6.15-fixes-3' of git://git.ke..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=175930d4580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=9f5bd2a76d9d0b4e
> dashboard link: https://syzkaller.appspot.com/bug?extid=7b3842775c9ce6b69efc
> compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11b72374580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12781270580000

#syz test

--- x/block/bdev.c
+++ y/block/bdev.c
@@ -707,9 +707,16 @@ static void bd_end_claim(struct block_de

static void blkdev_flush_mapping(struct block_device *bdev)
{
+ struct address_space *mapping = bdev->bd_mapping;
+
WARN_ON_ONCE(bdev->bd_holders);
sync_blockdev(bdev);
- kill_bdev(bdev);
+ filemap_invalidate_lock(mapping);
+ if (!mapping_empty(mapping)) {
+ invalidate_bh_lrus();
+ truncate_inode_pages(mapping, 0);
+ }
+ filemap_invalidate_unlock(mapping);
bdev_write_inode(bdev);
}
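Review bot: the hunk carries no rationale for taking filemap_invalidate_lock() around the truncate, and nothing in the reported trace points at a race inside blkdev_flush_mapping(): bad_page() fires in free_tail_page_prepare() because a tail page of an order-9 page-cache folio still has a nonzero pincount when truncate_inode_pages_range() drops the last reference, and this change only alters when the truncate happens, not which path left the pincount behind. The new body (mapping_empty() check, invalidate_bh_lrus(), truncate_inode_pages(mapping, 0)) reads as the removed kill_bdev() call open-coded under the lock; if that is the intent, keep the kill_bdev() call and wrap it, and add a comment naming the concurrent invalidation or fault path the lock is supposed to exclude. syzbot's run of this patch still reports the same "nonzero pincount" on the first tail page, which is consistent with the lock not being the missing piece.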

--- x/mm/gup.c
+++ y/mm/gup.c
@@ -105,17 +105,18 @@ retry:

static void gup_put_folio(struct folio *folio, int refs, unsigned int flags)
{
- if (flags & FOLL_PIN) {
+ if (flags & FOLL_GET)
+ folio_put_refs(folio, refs);
+ else if (flags & FOLL_PIN) {
if (is_zero_folio(folio))
return;
node_stat_mod_folio(folio, NR_FOLL_PIN_RELEASED, refs);
- if (folio_has_pincount(folio))
+ if (folio_has_pincount(folio)) {
atomic_sub(refs, &folio->_pincount);
- else
+ folio_put_refs(folio, refs);
+ } else
refs *= GUP_PIN_COUNTING_BIAS;
}
-
- folio_put_refs(folio, refs);
}

/**
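Review bot: the final `else` of the FOLL_PIN block now leaks references: `refs *= GUP_PIN_COUNTING_BIAS;` computes how many references to drop for a folio without a separate pincount and then falls off the end of the function, because the unconditional `folio_put_refs(folio, refs);` that consumed that value was deleted. Every unpin of such a folio keeps GUP_PIN_COUNTING_BIAS references per page, so the folio can never be freed. Either restore a put for that branch or write `folio_put_refs(folio, refs * GUP_PIN_COUNTING_BIAS);` there. The rewrite also changes behaviour silently when flags carries neither FOLL_GET nor FOLL_PIN, or both: before, the trailing put always ran (except for the zero folio); now it runs only on the FOLL_GET branch or inside the has-pincount branch, and a FOLL_GET|FOLL_PIN caller no longer has its pincount decremented. If FOLL_GET and FOLL_PIN are meant to be mutually exclusive here, state that in a comment or a VM_WARN_ON_ONCE rather than encoding it in the control flow.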
--

syzbot

May 2, 2025, 5:24:05 AM5/2/25
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: Bad page state in page_cache_ra_order

BUG: Bad page state in process syz.0.16 pfn:4ae01
page does not match folio
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffffffffffffffff pfn:0x4ae01
ksm flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea00012b8000 00000000ffffffff ffffffffffffffff
raw: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: nonzero pincount
page_owner tracks the page as allocated
page last allocated via order 9, migratetype Unmovable, gfp_mask 0x152c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL), pid 6528, tgid 6528 (syz.0.16), ts 96978401088, free_ts 60314976314
page last free pid 6017 tgid 6017 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1262 [inline]
__free_frozen_pages+0x69d/0xff0 mm/page_alloc.c:2725
vfree+0x176/0x960 mm/vmalloc.c:3383
kcov_put kernel/kcov.c:439 [inline]
kcov_put kernel/kcov.c:435 [inline]
kcov_close+0x34/0x60 kernel/kcov.c:535
__fput+0x3ff/0xb70 fs/file_table.c:465
task_work_run+0x14d/0x240 kernel/task_work.c:227
exit_task_work include/linux/task_work.h:40 [inline]
do_exit+0xafb/0x2c30 kernel/exit.c:953
do_group_exit+0xd3/0x2a0 kernel/exit.c:1102
get_signal+0x2673/0x26d0 kernel/signal.c:3034
arch_do_signal_or_restart+0x8f/0x7d0 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218
do_syscall_64+0xda/0x260 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Modules linked in:
CPU: 1 UID: 0 PID: 6529 Comm: syz.0.16 Not tainted 6.15.0-rc4-syzkaller-gebd297a2affa-dirty #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120
bad_page+0xb3/0x1f0 mm/page_alloc.c:505
free_tail_page_prepare+0x44f/0x5b0 mm/page_alloc.c:1000
free_pages_prepare mm/page_alloc.c:1238 [inline]
__free_frozen_pages+0x96a/0xff0 mm/page_alloc.c:2725
__folio_put+0x329/0x450 mm/swap.c:112
folio_put_refs include/linux/mm.h:1600 [inline]
filemap_free_folio+0x132/0x170 mm/filemap.c:235
delete_from_page_cache_batch+0x741/0x9b0 mm/filemap.c:339
truncate_inode_pages_range+0x279/0xe30 mm/truncate.c:376
blkdev_flush_mapping+0xe9/0x280 block/bdev.c:717
blkdev_put_whole+0xc4/0xf0 block/bdev.c:726
bdev_release+0x47e/0x6d0 block/bdev.c:1151
blkdev_release+0x15/0x20 block/fops.c:660
__fput+0x3ff/0xb70 fs/file_table.c:465
task_work_run+0x14d/0x240 kernel/task_work.c:227
exit_task_work include/linux/task_work.h:40 [inline]
do_exit+0xafb/0x2c30 kernel/exit.c:953
do_group_exit+0xd3/0x2a0 kernel/exit.c:1102
get_signal+0x2673/0x26d0 kernel/signal.c:3034
arch_do_signal_or_restart+0x8f/0x7d0 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218
do_syscall_64+0xda/0x260 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f62ebd8e969
Code: Unable to access opcode bytes at 0x7f62ebd8e93f.
RSP: 002b:00007f62eccc30e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007f62ebfb5fa8 RCX: 00007f62ebd8e969
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f62ebfb5fa8
RBP: 00007f62ebfb5fa0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f62ebfb5fac
R13: 0000000000000000 R14: 00007ffdd5f711a0 R15: 00007ffdd5f71288
</TASK>
BUG: Bad page state in process syz.0.16 pfn:4ae00
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4ae00
head: order:0 mapcount:0 entire_mapcount:1 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000049(locked|uptodate|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000049 dead000000000100 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
head: 00fff00000000049 dead000000000100 dead000000000122 0000000000000000
head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
head: 00fff00000000000 0000000000000000 00000000ffffffff 0000000000000000
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
page_owner tracks the page as allocated
page last allocated via order 9, migratetype Unmovable, gfp_mask 0x152c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL), pid 6528, tgid 6528 (syz.0.16), ts 96978401088, free_ts 60314965608
page last free pid 6017 tgid 6017 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1262 [inline]
__free_frozen_pages+0x69d/0xff0 mm/page_alloc.c:2725
vfree+0x176/0x960 mm/vmalloc.c:3383
kcov_put kernel/kcov.c:439 [inline]
kcov_put kernel/kcov.c:435 [inline]
kcov_close+0x34/0x60 kernel/kcov.c:535
__fput+0x3ff/0xb70 fs/file_table.c:465
task_work_run+0x14d/0x240 kernel/task_work.c:227
exit_task_work include/linux/task_work.h:40 [inline]
do_exit+0xafb/0x2c30 kernel/exit.c:953
do_group_exit+0xd3/0x2a0 kernel/exit.c:1102
get_signal+0x2673/0x26d0 kernel/signal.c:3034
arch_do_signal_or_restart+0x8f/0x7d0 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218
do_syscall_64+0xda/0x260 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Modules linked in:
CPU: 2 UID: 0 PID: 6529 Comm: syz.0.16 Tainted: G B 6.15.0-rc4-syzkaller-gebd297a2affa-dirty #0 PREEMPT(full)
get_signal+0x2673/0x26d0 kernel/signal.c:3034
arch_do_signal_or_restart+0x8f/0x7d0 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218
do_syscall_64+0xda/0x260 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f62ebd8e969
Code: Unable to access opcode bytes at 0x7f62ebd8e93f.
RSP: 002b:00007f62eccc30e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007f62ebfb5fa8 RCX: 00007f62ebd8e969
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f62ebfb5fa8
RBP: 00007f62ebfb5fa0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f62ebfb5fac
R13: 0000000000000000 R14: 00007ffdd5f711a0 R15: 00007ffdd5f71288
</TASK>


Tested on:

commit: ebd297a2 Merge tag 'net-6.15-rc5' of git://git.kernel...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=142de774580000
kernel config: https://syzkaller.appspot.com/x/.config?x=ca17f2d2ba38f7a0
dashboard link: https://syzkaller.appspot.com/bug?extid=7b3842775c9ce6b69efc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=10f21f74580000

Hillf Danton

May 2, 2025, 6:34:06 PM5/2/25
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Thu, 01 May 2025 09:23:23 -0700
> syzbot found the following issue on:
>
> HEAD commit: 5bc1018675ec Merge tag 'pci-v6.15-fixes-3' of git://git.ke..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=175930d4580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=9f5bd2a76d9d0b4e
> dashboard link: https://syzkaller.appspot.com/bug?extid=7b3842775c9ce6b69efc
> compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11b72374580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12781270580000

#syz test

--- x/mm/page_alloc.c
+++ y/mm/page_alloc.c
@@ -4991,6 +4991,10 @@ out:

trace_mm_page_alloc(page, order, alloc_gfp, ac.migratetype);
kmsan_alloc_page(page, order, alloc_gfp);
+ if (IS_ENABLED(CONFIG_64BIT) && page) {
+ struct folio *folio = page_folio(page);
+ BUG_ON(atomic_read(&folio->_pincount));
+ }

return page;
}
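Review bot: the check reads folio->_pincount on every successful allocation, including order-0 ones, and the boot failure syzbot reports for this patch (kernel BUG at mm/page_alloc.c:4996, reached from new_slab() during kmem_cache_init()) is the predictable result: on 64-bit, _pincount lives in the folio's first tail page, so for a non-compound page page_folio(page) followed by that read looks at a field of the neighbouring struct page, whose contents are arbitrary. The RAX value of 00000000dead0000 at the faulting instruction is consistent with reading the upper half of a list-poison pointer from that neighbour. Guard the assertion with `order > 0` (or folio_test_large(folio)), and prefer VM_WARN_ON_ONCE_FOLIO() with a page dump over BUG_ON so the reproducer keeps running and reports which allocation carried the stale count. Separately, an allocation-time check is probably the wrong end of the lifetime: in the original report the first tail page's raw dump shows the word holding _entire_mapcount and _pincount as ffffffffffffffff, i.e. a pincount of -1, which reads as one unpin more than pins after the folio was allocated rather than a dirty value inherited from the allocator.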
--

syzbot

May 2, 2025, 6:56:04 PM5/2/25
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

068818][ T0] ACPI: RSDP 0x00000000000F5190 000014 (v00 BOCHS )
[ 0.072899][ T0] ACPI: RSDT 0x000000007FFE2925 000048 (v01 BOCHS BXPC 00000001 BXPC 00000001)
[ 0.078676][ T0] ACPI: FACP 0x000000007FFE1B2C 0000F4 (v03 BOCHS BXPC 00000001 BXPC 00000001)
[ 0.084482][ T0] ACPI: DSDT 0x000000007FFDF040 002AEC (v01 BOCHS BXPC 00000001 BXPC 00000001)
[ 0.090663][ T0] ACPI: FACS 0x000000007FFDF000 000040
[ 0.094100][ T0] ACPI: APIC 0x000000007FFE1C20 0000B0 (v03 BOCHS BXPC 00000001 BXPC 00000001)
[ 0.099885][ T0] ACPI: HPET 0x000000007FFE1CD0 000038 (v01 BOCHS BXPC 00000001 BXPC 00000001)
[ 0.105824][ T0] ACPI: SRAT 0x000000007FFE1D08 000178 (v01 BOCHS BXPC 00000001 BXPC 00000001)
[ 0.111602][ T0] ACPI: MCFG 0x000000007FFE1E80 00003C (v01 BOCHS BXPC 00000001 BXPC 00000001)
[ 0.117336][ T0] ACPI: DMAR 0x000000007FFE1EBC 0000C0 (v01 BOCHS BXPC 00000001 BXPC 00000001)
[ 0.123170][ T0] ACPI: SSDT 0x000000007FFE1F7C 0008A1 (v01 BOCHS NVDIMM 00000001 BXPC 00000001)
[ 0.128948][ T0] ACPI: NFIT 0x000000007FFE281D 0000E0 (v01 BOCHS BXPC 00000001 BXPC 00000001)
[ 0.134762][ T0] ACPI: WAET 0x000000007FFE28FD 000028 (v01 BOCHS BXPC 00000001 BXPC 00000001)
[ 0.140519][ T0] ACPI: Reserving FACP table memory at [mem 0x7ffe1b2c-0x7ffe1c1f]
[ 0.145407][ T0] ACPI: Reserving DSDT table memory at [mem 0x7ffdf040-0x7ffe1b2b]
[ 0.150272][ T0] ACPI: Reserving FACS table memory at [mem 0x7ffdf000-0x7ffdf03f]
[ 0.155103][ T0] ACPI: Reserving APIC table memory at [mem 0x7ffe1c20-0x7ffe1ccf]
[ 0.159951][ T0] ACPI: Reserving HPET table memory at [mem 0x7ffe1cd0-0x7ffe1d07]
[ 0.164803][ T0] ACPI: Reserving SRAT table memory at [mem 0x7ffe1d08-0x7ffe1e7f]
[ 0.169688][ T0] ACPI: Reserving MCFG table memory at [mem 0x7ffe1e80-0x7ffe1ebb]
[ 0.174515][ T0] ACPI: Reserving DMAR table memory at [mem 0x7ffe1ebc-0x7ffe1f7b]
[ 0.179372][ T0] ACPI: Reserving SSDT table memory at [mem 0x7ffe1f7c-0x7ffe281c]
[ 0.184230][ T0] ACPI: Reserving NFIT table memory at [mem 0x7ffe281d-0x7ffe28fc]
[ 0.189069][ T0] ACPI: Reserving WAET table memory at [mem 0x7ffe28fd-0x7ffe2924]
[ 0.194370][ T0] ACPI: SRAT: Node 0 PXM 0 [mem 0x00000000-0x0009ffff]
[ 0.198626][ T0] ACPI: SRAT: Node 0 PXM 0 [mem 0x00100000-0x7fffffff]
[ 0.202892][ T0] ACPI: SRAT: Node 0 PXM 0 [mem 0x100000000-0x17fffffff]
[ 0.207289][ T0] ACPI: SRAT: Node 0 PXM 0 [mem 0x180000000-0x183ffffff] non-volatile
[ 0.212410][ T0] ACPI: SRAT: Node 0 PXM 0 [mem 0x180000000-0x57fffffff] hotplug
[ 0.217205][ T0] NUMA: Node 0 [mem 0x00001000-0x0009ffff] + [mem 0x00100000-0x7fffffff] -> [mem 0x00001000-0x7fffffff]
[ 0.224074][ T0] NUMA: Node 0 [mem 0x00001000-0x7fffffff] + [mem 0x100000000-0x17fffffff] -> [mem 0x00001000-0x17fffffff]
[ 0.231124][ T0] Faking node 0 at [mem 0x0000000000001000-0x00000000ffffffff] (4095MB)
[ 0.236269][ T0] Faking node 1 at [mem 0x0000000100000000-0x000000017fffffff] (2048MB)
[ 0.241797][ T0] NODE_DATA(0) allocated [mem 0x7ffd7400-0x7ffdcfff]
[ 0.245886][ T0] NODE_DATA(1) allocated [mem 0x17fff7400-0x17fffcfff]
[ 0.266117][ T0] Zone ranges:
[ 0.268234][ T0] DMA [mem 0x0000000000001000-0x0000000000ffffff]
[ 0.272595][ T0] DMA32 [mem 0x0000000001000000-0x00000000ffffffff]
[ 0.276920][ T0] Normal [mem 0x0000000100000000-0x000000017fffffff]
[ 0.281265][ T0] Device empty
[ 0.283523][ T0] Movable zone start for each node
[ 0.286649][ T0] Early memory node ranges
[ 0.289362][ T0] node 0: [mem 0x0000000000001000-0x000000000009efff]
[ 0.293795][ T0] node 0: [mem 0x0000000000100000-0x000000007ffdcfff]
[ 0.298212][ T0] node 1: [mem 0x0000000100000000-0x000000017fffffff]
[ 0.302637][ T0] Initmem setup node 0 [mem 0x0000000000001000-0x000000007ffdcfff]
[ 0.307549][ T0] Initmem setup node 1 [mem 0x0000000100000000-0x000000017fffffff]
[ 0.312485][ T0] On node 0, zone DMA: 1 pages in unavailable ranges
[ 0.316851][ T0] On node 0, zone DMA: 97 pages in unavailable ranges
[ 0.372092][ T0] On node 1, zone Normal: 35 pages in unavailable ranges
[ 0.537077][ T0] kasan: KernelAddressSanitizer initialized
[ 0.548737][ T0] ACPI: PM-Timer IO Port: 0x608
[ 0.552729][ T0] ACPI: LAPIC_NMI (acpi_id[0xff] dfl dfl lint[0x1])
[ 0.558491][ T0] IOAPIC[0]: apic_id 0, version 32, address 0xfec00000, GSI 0-23
[ 0.564712][ T0] ACPI: INT_SRC_OVR (bus 0 bus_irq 0 global_irq 2 dfl dfl)
[ 0.570522][ T0] ACPI: INT_SRC_OVR (bus 0 bus_irq 5 global_irq 5 high level)
[ 0.576498][ T0] ACPI: INT_SRC_OVR (bus 0 bus_irq 9 global_irq 9 high level)
[ 0.582531][ T0] ACPI: INT_SRC_OVR (bus 0 bus_irq 10 global_irq 10 high level)
[ 0.588710][ T0] ACPI: INT_SRC_OVR (bus 0 bus_irq 11 global_irq 11 high level)
[ 0.594796][ T0] ACPI: Using ACPI (MADT) for SMP configuration information
[ 0.600603][ T0] ACPI: HPET id: 0x8086a201 base: 0xfed00000
[ 0.605220][ T0] TSC deadline timer available
[ 0.608936][ T0] CPU topo: Max. logical packages: 2
[ 0.613282][ T0] CPU topo: Max. logical dies: 2
[ 0.617554][ T0] CPU topo: Max. dies per package: 1
[ 0.621924][ T0] CPU topo: Max. threads per core: 2
[ 0.626307][ T0] CPU topo: Num. cores per package: 2
[ 0.630942][ T0] CPU topo: Num. threads per package: 4
[ 0.635434][ T0] CPU topo: Allowing 4 present CPUs plus 4 hotplug CPUs
[ 0.641189][ T0] kvm-guest: APIC: eoi() replaced with kvm_guest_apic_eoi_write()
[ 0.647680][ T0] kvm-guest: KVM setup pv remote TLB flush
[ 0.652398][ T0] kvm-guest: setup PV sched yield
[ 0.656549][ T0] PM: hibernation: Registered nosave memory: [mem 0x00000000-0x00000fff]
[ 0.663361][ T0] PM: hibernation: Registered nosave memory: [mem 0x0009f000-0x000fffff]
[ 0.670164][ T0] PM: hibernation: Registered nosave memory: [mem 0x7ffdd000-0xffffffff]
[ 0.677174][ T0] [mem 0xc0000000-0xfed1bfff] available for PCI devices
[ 0.682102][ T0] Booting paravirtualized kernel on KVM
[ 0.685781][ T0] clocksource: refined-jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[ 0.747592][ T0] setup_percpu: NR_CPUS:8 nr_cpumask_bits:8 nr_cpu_ids:8 nr_node_ids:2
[ 0.755074][ T0] percpu: Embedded 69 pages/cpu s245512 r8192 d28920 u1048576
[ 0.760109][ T0] kvm-guest: PV spinlocks enabled
[ 0.763196][ T0] PV qspinlock hash table entries: 256 (order: 0, 4096 bytes, linear)
[ 0.768644][ T0] Kernel command line: earlyprintk=serial net.ifnames=0 sysctl.kernel.hung_task_all_cpu_backtrace=1 ima_policy=tcb nf-conntrack-ftp.ports=20000 nf-conntrack-tftp.ports=20000 nf-conntrack-sip.ports=20000 nf-conntrack-irc.ports=20000 nf-conntrack-sane.ports=20000 binder.debug_mask=0 rcupdate.rcu_expedited=1 rcupdate.rcu_cpu_stall_cputime=1 no_hash_pointers page_owner=on sysctl.vm.nr_hugepages=4 sysctl.vm.nr_overcommit_hugepages=4 secretmem.enable=1 sysctl.max_rcu_stall_to_panic=1 msr.allow_writes=off coredump_filter=0xffff root=/dev/sda console=ttyS0 vsyscall=native numa=fake=2 kvm-intel.nested=1 spec_store_bypass_disable=prctl nopcid vivid.n_devs=64 vivid.multiplanar=1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2 netrom.nr_ndevs=32 rose.rose_ndevs=32 smp.csd_lock_timeout=100000 watchdog_thresh=55 workqueue.watchdog_thresh=140 sysctl.net.core.netdev_unregister_timeout_secs=140 dummy_hcd.num=32 max_loop=32 nbds_max=32 panic_on_warn
[ 0.773120][ T0] Unknown kernel command line parameters "spec_store_bypass_disable=prctl nbds_max=32", will be passed to user space.
[ 0.841187][ T0] random: crng init done
[ 0.843925][ T0] printk: log buffer data + meta data: 262144 + 917504 = 1179648 bytes
[ 0.850451][ T0] software IO TLB: area num 8.
[ 0.877944][ T0] Fallback order for Node 0: 0 1
[ 0.877964][ T0] Fallback order for Node 1: 1 0
[ 0.877978][ T0] Built 2 zonelists, mobility grouping on. Total pages: 1048443
[ 0.890242][ T0] Policy zone: Normal
[ 0.893142][ T0] mem auto-init: stack:all(zero), heap alloc:on, heap free:off
[ 0.897550][ T0] stackdepot: allocating hash table via alloc_large_system_hash
[ 0.902260][ T0] stackdepot hash table entries: 1048576 (order: 12, 16777216 bytes, linear)
[ 1.214633][ T0] ------------[ cut here ]------------
[ 1.217852][ T0] kernel BUG at mm/page_alloc.c:4996!
[ 1.220930][ T0] Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
[ 1.224574][ T0] CPU: 0 UID: 0 PID: 0 Comm: swapper Not tainted 6.15.0-rc4-syzkaller-gb6a218ff8b88-dirty #0 PREEMPT(undef)
[ 1.231268][ T0] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 1.237627][ T0] RIP: 0010:__alloc_frozen_pages_noprof+0x1404/0x2520
[ 1.242184][ T0] Code: 0f 8f 21 f2 ff ff 8b 84 24 84 00 00 00 65 8b 15 42 c7 8f 11 83 c8 60 81 e2 00 01 ff 00 41 0f 45 c5 41 89 c5 e9 fe f1 ff ff 90 <0f> 0b 65 4c 8b 25 0a c7 8f 11 48 b8 00 00 00 00 00 fc ff df 49 8d
[ 1.253449][ T0] RSP: 0000:ffffffff8e0079f8 EFLAGS: 00010086
[ 1.256874][ T0] RAX: 00000000dead0000 RBX: ffffea00006d1040 RCX: ffffffff821407e6
[ 1.261855][ T0] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffea00006d109c
[ 1.266392][ T0] RBP: ffffea00006d109c R08: 0000000000000000 R09: fffff940000da213
[ 1.270965][ T0] R10: ffffea00006d109f R11: dffffc0000000000 R12: 1ffffffff1c00f54
[ 1.276225][ T0] R13: 0000000000000015 R14: ffffea00006d1040 R15: 0000000000252000
[ 1.281956][ T0] FS: 0000000000000000(0000) GS:ffff8880d69e2000(0000) knlGS:0000000000000000
[ 1.288351][ T0] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1.293167][ T0] CR2: ffff88817ffff000 CR3: 000000000e180000 CR4: 00000000000000b0
[ 1.298931][ T0] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 1.304731][ T0] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 1.310543][ T0] Call Trace:
[ 1.312870][ T0] <TASK>
[ 1.314588][ T0] ? unwind_next_frame+0x3fe/0x20a0
[ 1.317597][ T0] ? common_startup_64+0x13e/0x148
[ 1.320519][ T0] ? __pfx_stack_trace_consume_entry+0x10/0x10
[ 1.324051][ T0] ? __pfx___alloc_frozen_pages_noprof+0x10/0x10
[ 1.327730][ T0] ? __lock_acquire+0xaa4/0x1ba0
[ 1.330584][ T0] ? stack_trace_save+0x8e/0xc0
[ 1.333356][ T0] ? __pfx_stack_trace_save+0x10/0x10
[ 1.336385][ T0] new_slab+0x94/0x340
[ 1.338711][ T0] ___slab_alloc+0xd9c/0x1940
[ 1.341338][ T0] ? do_kmem_cache_create+0x1b3/0x730
[ 1.344384][ T0] ? new_slab+0x2d1/0x340
[ 1.346813][ T0] ? do_kmem_cache_create+0x1b3/0x730
[ 1.349994][ T0] ? __slab_alloc.constprop.0+0x56/0xb0
[ 1.353155][ T0] __slab_alloc.constprop.0+0x56/0xb0
[ 1.356234][ T0] kmem_cache_alloc_node_noprof+0xf5/0x3b0
[ 1.359629][ T0] ? do_kmem_cache_create+0x1b3/0x730
[ 1.362867][ T0] do_kmem_cache_create+0x1b3/0x730
[ 1.365861][ T0] create_boot_cache+0xba/0x140
[ 1.369050][ T0] new_kmalloc_cache+0x104/0x260
[ 1.371932][ T0] create_kmalloc_caches+0x31/0x50
[ 1.374850][ T0] kmem_cache_init+0x118/0x180
[ 1.377572][ T0] mm_core_init+0x123/0x220
[ 1.380169][ T0] start_kernel+0x197/0x4d0
[ 1.382673][ T0] x86_64_start_reservations+0x18/0x30
[ 1.385804][ T0] x86_64_start_kernel+0xb0/0xc0
[ 1.388641][ T0] common_startup_64+0x13e/0x148
[ 1.391477][ T0] </TASK>
[ 1.393164][ T0] Modules linked in:
[ 1.395366][ T0] ---[ end trace 0000000000000000 ]---
[ 1.398754][ T0] RIP: 0010:__alloc_frozen_pages_noprof+0x1404/0x2520
[ 1.403234][ T0] Code: 0f 8f 21 f2 ff ff 8b 84 24 84 00 00 00 65 8b 15 42 c7 8f 11 83 c8 60 81 e2 00 01 ff 00 41 0f 45 c5 41 89 c5 e9 fe f1 ff ff 90 <0f> 0b 65 4c 8b 25 0a c7 8f 11 48 b8 00 00 00 00 00 fc ff df 49 8d
[ 1.414886][ T0] RSP: 0000:ffffffff8e0079f8 EFLAGS: 00010086
[ 1.418676][ T0] RAX: 00000000dead0000 RBX: ffffea00006d1040 RCX: ffffffff821407e6
[ 1.423528][ T0] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffea00006d109c
[ 1.428395][ T0] RBP: ffffea00006d109c R08: 0000000000000000 R09: fffff940000da213
[ 1.434348][ T0] R10: ffffea00006d109f R11: dffffc0000000000 R12: 1ffffffff1c00f54
[ 1.439111][ T0] R13: 0000000000000015 R14: ffffea00006d1040 R15: 0000000000252000
[ 1.443746][ T0] FS: 0000000000000000(0000) GS:ffff8880d69e2000(0000) knlGS:0000000000000000
[ 1.449598][ T0] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1.453405][ T0] CR2: ffff88817ffff000 CR3: 000000000e180000 CR4: 00000000000000b0
[ 1.458118][ T0] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 1.462997][ T0] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 1.467716][ T0] Kernel panic - not syncing: Fatal exception
[ 1.472707][ T0] Rebooting in 86400 seconds..
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build1408207977=/tmp/go-build -gno-record-gcc-switches'

git status (err=<nil>)
HEAD detached at c6b4fb399
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=c6b4fb399236b655a39701fd51c33522caa06811 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20250425-123509'" -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"c6b4fb399236b655a39701fd51c33522caa06811\"
/usr/bin/ld: /tmp/ccx3kK0j.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x104): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=12cb1774580000


Tested on:

commit: b6a218ff Merge tag 'pm-6.15-rc5' of git://git.kernel.o..
dashboard link: https://syzkaller.appspot.com/bug?extid=7b3842775c9ce6b69efc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1738f774580000

Hillf Danton

May 2, 2025, 8:32:55 PM5/2/25
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Thu, 01 May 2025 09:23:23 -0700
> syzbot found the following issue on:
>
> HEAD commit: 5bc1018675ec Merge tag 'pci-v6.15-fixes-3' of git://git.ke..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=175930d4580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=9f5bd2a76d9d0b4e
> dashboard link: https://syzkaller.appspot.com/bug?extid=7b3842775c9ce6b69efc
> compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11b72374580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12781270580000

#syz test

--- x/mm/page_alloc.c
+++ y/mm/page_alloc.c
@@ -4991,6 +4991,10 @@ out:

trace_mm_page_alloc(page, order, alloc_gfp, ac.migratetype);
kmsan_alloc_page(page, order, alloc_gfp);
+ if (IS_ENABLED(CONFIG_64BIT) && page) {
+ struct folio *folio = page_folio(page);
+ atomic_set(&folio->_pincount, 0);
+ }

return page;
}
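Review bot: this has the same order-0 problem as the BUG_ON variant above, now as a write: for a non-compound page, folio->_pincount aliases a field of the next struct page, so `atomic_set(&folio->_pincount, 0);` zeroes four bytes of an unrelated page's metadata on every order-0 allocation, which can corrupt that neighbour and is a plausible reason the patched kernel's boot log ends without reaching user space. For compound pages the field should already be initialised when the compound head is prepared, so the write is redundant there, and even where it is not, clearing the count at allocation hides whichever path later drives it to -1 (the value visible in the original report's tail-page raw dump) instead of identifying it. If the goal is to localise the stale pincount, guard on `order > 0` and warn with a page dump rather than resetting silently.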
--

syzbot

May 2, 2025, 8:54:06 PM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

[ 2.906435][ T1] list_del corruption. next->prev should be ffffea000080d610, but was 000000000080d610. (next=ffffea000080d750)
[ 2.907336][ T1] ------------[ cut here ]------------
[ 2.907336][ T1] kernel BUG at lib/list_debug.c:65!
[ 2.907336][ T1] Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
[ 2.907336][ T1] CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.15.0-rc4-syzkaller-gb6a218ff8b88-dirty #0 PREEMPT(full)
[ 2.907336][ T1] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 2.907336][ T1] RIP: 0010:__list_del_entry_valid_or_report+0x1b3/0x200
[ 2.907336][ T1] Code: 00 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 75 4b 49 8b 54 24 08 4c 89 e1 48 89 de 48 c7 c7 c0 87 f4 8b e8 7e 49 c4 fc 90 <0f> 0b e8 a6 79 4a fd e9 6b fe ff ff 48 89 df e8 99 79 4a fd e9 7d
[ 2.907336][ T1] RSP: 0000:ffffc90000046da0 EFLAGS: 00010082
[ 2.907336][ T1] RAX: 000000000000006d RBX: ffffea000080d610 RCX: ffffffff819a90e9
[ 2.907336][ T1] RDX: 0000000000000000 RSI: ffffffff819b0f76 RDI: 0000000000000005
[ 2.907336][ T1] RBP: ffffea000080d758 R08: 0000000000000005 R09: 0000000000000000
[ 2.907336][ T1] R10: 0000000080000002 R11: 0000000000000000 R12: ffffea000080d750
[ 2.907336][ T1] R13: ffff88801b49b600 R14: ffffea000080d740 R15: ffffea000080d600
[ 2.907336][ T1] FS: 0000000000000000(0000) GS:ffff8880d6ae2000(0000) knlGS:0000000000000000
[ 2.907336][ T1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 2.907336][ T1] CR2: 0000000000000000 CR3: 000000000e180000 CR4: 0000000000350ef0
[ 2.907336][ T1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 2.907336][ T1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 2.907336][ T1] Call Trace:
[ 2.907336][ T1] <TASK>
[ 2.907336][ T1] get_partial_node.part.0+0x8f/0x360
[ 2.907336][ T1] ___slab_alloc+0x673/0x1940
[ 2.907336][ T1] ? acpi_ut_create_internal_object_dbg+0x78/0x3f0
[ 2.907336][ T1] ? new_slab+0x2e1/0x340
[ 2.907336][ T1] ? acpi_ut_create_internal_object_dbg+0x78/0x3f0
[ 2.907336][ T1] ? __slab_alloc.constprop.0+0x56/0xb0
[ 2.907336][ T1] __slab_alloc.constprop.0+0x56/0xb0
[ 2.907336][ T1] kmem_cache_alloc_noprof+0xef/0x3b0
[ 2.907336][ T1] ? acpi_ut_update_ref_count.part.0+0x149/0xd70
[ 2.907336][ T1] ? acpi_ut_create_internal_object_dbg+0x78/0x3f0
[ 2.907336][ T1] acpi_ut_create_internal_object_dbg+0x78/0x3f0
[ 2.907336][ T1] acpi_ds_create_operand+0x30b/0x880
[ 2.907336][ T1] ? __pfx_acpi_ds_create_operand+0x10/0x10
[ 2.907336][ T1] ? __pfx_acpi_ut_update_object_reference+0x10/0x10
[ 2.907336][ T1] ? __pfx_acpi_ut_update_object_reference+0x10/0x10
[ 2.907336][ T1] acpi_ds_eval_data_object_operands+0x108/0x540
[ 2.907336][ T1] ? __pfx_acpi_ds_eval_data_object_operands+0x10/0x10
[ 2.907336][ T1] ? __pfx_acpi_ds_create_node+0x10/0x10
[ 2.907336][ T1] ? __sanitizer_cov_trace_switch+0x54/0x90
[ 2.907336][ T1] acpi_ds_exec_end_op+0xde1/0x1460
[ 2.907336][ T1] ? __pfx_acpi_ds_exec_end_op+0x10/0x10
[ 2.907336][ T1] acpi_ps_parse_loop+0x425/0x1d00
[ 2.907336][ T1] ? __pfx_acpi_ps_parse_loop+0x10/0x10
[ 2.907336][ T1] ? acpi_ns_get_normalized_pathname+0x97/0xd0
[ 2.907336][ T1] ? acpi_ds_call_control_method+0x91/0x700
[ 2.907336][ T1] acpi_ps_parse_aml+0x3c1/0xcb0
[ 2.907336][ T1] acpi_ps_execute_method+0x55a/0xb30
[ 2.907336][ T1] ? acpi_ut_acquire_mutex+0x125/0x1d0
[ 2.907336][ T1] acpi_ns_evaluate+0x76c/0xca0
[ 2.907336][ T1] ? kasan_save_track+0x14/0x30
[ 2.907336][ T1] acpi_ut_evaluate_object+0xda/0x4a0
[ 2.907336][ T1] acpi_rs_get_method_data+0x84/0xf0
[ 2.907336][ T1] ? __pfx_acpi_rs_get_method_data+0x10/0x10
[ 2.907336][ T1] ? __pfx_acpi_dev_process_resource+0x10/0x10
[ 2.907336][ T1] acpi_walk_resources+0x15b/0x1e0
[ 2.907336][ T1] ? __pfx_acpi_walk_resources+0x10/0x10
[ 2.907336][ T1] ? acpi_get_handle+0x185/0x270
[ 2.907336][ T1] acpi_dev_get_resources+0x1d2/0x260
[ 2.907336][ T1] ? __pfx_acpi_check_serial_bus_slave+0x10/0x10
[ 2.907336][ T1] ? __pfx_acpi_dev_get_resources+0x10/0x10
[ 2.907336][ T1] ? __pfx___acpi_match_device.constprop.0+0x10/0x10
[ 2.907336][ T1] ? __pfx_acpi_check_serial_bus_slave+0x10/0x10
[ 2.907336][ T1] ? __pfx_acpi_has_method+0x10/0x10
[ 2.907336][ T1] ? strstr+0x109/0x170
[ 2.907336][ T1] acpi_init_device_object+0xba4/0x1970
[ 2.907336][ T1] ? __pfx_acpi_init_device_object+0x10/0x10
[ 2.907336][ T1] acpi_add_single_object+0xea/0x1b80
[ 2.907336][ T1] ? acpi_ns_get_node+0x5d/0x70
[ 2.907336][ T1] ? __pfx_acpi_add_single_object+0x10/0x10
[ 2.907336][ T1] ? acpi_has_method+0x85/0xc0
[ 2.907336][ T1] ? __pfx_acpi_has_method+0x10/0x10
[ 2.907336][ T1] ? acpi_os_signal_semaphore+0x76/0xa0
[ 2.907336][ T1] ? acpi_ut_release_mutex+0xe8/0x190
[ 2.907336][ T1] acpi_bus_check_add+0x23f/0x910
[ 2.907336][ T1] ? __pfx_acpi_bus_check_add+0x10/0x10
[ 2.907336][ T1] ? _raw_spin_unlock_irqrestore+0x52/0x80
[ 2.907336][ T1] ? lockdep_hardirqs_on+0x7c/0x110
[ 2.907336][ T1] ? up+0xcb/0x140
[ 2.907336][ T1] ? __pfx_up+0x10/0x10
[ 2.907336][ T1] ? _raw_spin_unlock_irqrestore+0x52/0x80
[ 2.907336][ T1] ? acpi_os_signal_semaphore+0x76/0xa0
[ 2.907336][ T1] acpi_ns_walk_namespace+0x405/0x5b0
[ 2.907336][ T1] ? __pfx_acpi_bus_check_add_1+0x10/0x10
[ 2.907336][ T1] ? __pfx_acpi_bus_check_add_1+0x10/0x10
[ 2.907336][ T1] acpi_walk_namespace+0x110/0x130
[ 2.907336][ T1] acpi_bus_scan+0x3e8/0x4a0
[ 2.907336][ T1] ? __pfx_acpi_bus_scan+0x10/0x10
[ 2.907336][ T1] ? acpi_update_all_gpes+0xeb/0x240
[ 2.907336][ T1] ? __pfx_acpi_update_all_gpes+0x10/0x10
[ 2.907336][ T1] ? acpi_ut_release_mutex+0xe8/0x190
[ 2.907336][ T1] acpi_scan_init+0x244/0x760
[ 2.907336][ T1] ? __pfx_acpi_scan_init+0x10/0x10
[ 2.907336][ T1] ? internal_create_groups+0x11a/0x150
[ 2.907336][ T1] ? bus_register+0x123/0x6a0
[ 2.907336][ T1] acpi_init+0x426/0xb80
[ 2.907336][ T1] ? __pfx_acpi_init+0x10/0x10
[ 2.907336][ T1] ? _raw_spin_unlock_irqrestore+0x3b/0x80
[ 2.907336][ T1] ? add_device_randomness+0xb7/0xf0
[ 2.907336][ T1] ? __pfx_fbmem_init+0x10/0x10
[ 2.907336][ T1] ? __pfx_acpi_init+0x10/0x10
[ 2.907336][ T1] do_one_initcall+0x120/0x6e0
[ 2.907336][ T1] ? __pfx_do_one_initcall+0x10/0x10
[ 2.907336][ T1] ? trace_kmalloc+0x2b/0xd0
[ 2.907336][ T1] ? __kmalloc_noprof+0x242/0x510
[ 2.907336][ T1] kernel_init_freeable+0x5c2/0x900
[ 2.907336][ T1] ? __pfx_kernel_init+0x10/0x10
[ 2.907336][ T1] kernel_init+0x1c/0x2b0
[ 2.907336][ T1] ? __pfx_kernel_init+0x10/0x10
[ 2.907336][ T1] ret_from_fork+0x45/0x80
[ 2.907336][ T1] ? __pfx_kernel_init+0x10/0x10
[ 2.907336][ T1] ret_from_fork_asm+0x1a/0x30
[ 2.907336][ T1] </TASK>
[ 2.907336][ T1] Modules linked in:
[ 2.907336][ T1] ---[ end trace 0000000000000000 ]---
[ 2.907336][ T1] RIP: 0010:__list_del_entry_valid_or_report+0x1b3/0x200
[ 2.907336][ T1] Code: 00 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 75 4b 49 8b 54 24 08 4c 89 e1 48 89 de 48 c7 c7 c0 87 f4 8b e8 7e 49 c4 fc 90 <0f> 0b e8 a6 79 4a fd e9 6b fe ff ff 48 89 df e8 99 79 4a fd e9 7d
[ 2.907336][ T1] RSP: 0000:ffffc90000046da0 EFLAGS: 00010082
[ 2.907336][ T1] RAX: 000000000000006d RBX: ffffea000080d610 RCX: ffffffff819a90e9
[ 2.907336][ T1] RDX: 0000000000000000 RSI: ffffffff819b0f76 RDI: 0000000000000005
[ 2.907336][ T1] RBP: ffffea000080d758 R08: 0000000000000005 R09: 0000000000000000
[ 2.907336][ T1] R10: 0000000080000002 R11: 0000000000000000 R12: ffffea000080d750
[ 2.907336][ T1] R13: ffff88801b49b600 R14: ffffea000080d740 R15: ffffea000080d600
[ 2.907336][ T1] FS: 0000000000000000(0000) GS:ffff8880d6ae2000(0000) knlGS:0000000000000000
[ 2.907336][ T1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 2.907336][ T1] CR2: 0000000000000000 CR3: 000000000e180000 CR4: 0000000000350ef0
[ 2.907336][ T1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 2.907336][ T1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 2.907336][ T1] Kernel panic - not syncing: Fatal exception
[ 2.907336][ T1] Rebooting in 86400 seconds..


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=111c539b980000


Tested on:

commit: b6a218ff Merge tag 'pm-6.15-rc5' of git://git.kernel.o..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=ca17f2d2ba38f7a0
dashboard link: https://syzkaller.appspot.com/bug?extid=7b3842775c9ce6b69efc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1106f774580000

Hillf Danton

May 2, 2025, 10:54:42 PM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Thu, 01 May 2025 09:23:23 -0700
> syzbot found the following issue on:
>
> HEAD commit: 5bc1018675ec Merge tag 'pci-v6.15-fixes-3' of git://git.ke..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=175930d4580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=9f5bd2a76d9d0b4e
> dashboard link: https://syzkaller.appspot.com/bug?extid=7b3842775c9ce6b69efc
> compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11b72374580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12781270580000

#syz test

--- x/mm/page_alloc.c
+++ y/mm/page_alloc.c
@@ -1725,7 +1725,7 @@ static void prep_new_page(struct page *p
{
post_alloc_hook(page, order, gfp_flags);

- if (order && (gfp_flags & __GFP_COMP))
+ if (order && ((gfp_flags & __GFP_COMP) || IS_ENABLED(CONFIG_64BIT)))
prep_compound_page(page, order);

/*
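Review bot: making every order > 0 allocation compound on 64-bit regardless of `__GFP_COMP` breaks callers that allocate a high-order block without that flag precisely because they intend to split it and free parts of it page by page. `alloc_pages_exact()` is one such caller, and the boot failure syzbot reports for this patch is exactly that path: `kernel BUG at mm/internal.h:492`, `VM_BUG_ON_PAGE(PageTail(page))` in `make_alloc_exact` reached from `alloc_pages_exact_nid_noprof` via `page_ext_init`, with the dumped page showing `head: order:10`. The `__GFP_COMP` test is the contract those callers rely on, so the condition should stay `if (order && (gfp_flags & __GFP_COMP))`; if the goal is to initialise `_pincount` for non-compound high-order pages, that needs to be done without turning them into folios.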
--

syzbot

May 2, 2025, 11:16:05 PM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

[ 1.183811][ T0] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x27f pfn:0x1ba7f
[ 1.188953][ T0] head: order:10 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 1.193897][ T0] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
[ 1.198196][ T0] raw: 00fff00000000000 ffffea00006e0001 ffffea00006e9fc8 dead000000000400
[ 1.203084][ T0] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 1.207986][ T0] head: 00fff00000000040 0000000000000000 dead000000000122 0000000000000000
[ 1.212924][ T0] head: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 1.217877][ T0] head: 00fff0000000000a ffffea00006e0001 00000000ffffffff 00000000ffffffff
[ 1.222839][ T0] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000400
[ 1.227784][ T0] page dumped because: VM_BUG_ON_PAGE(PageTail(page))
[ 1.231726][ T0] ------------[ cut here ]------------
[ 1.234861][ T0] kernel BUG at mm/internal.h:492!
[ 1.237753][ T0] Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
[ 1.241379][ T0] CPU: 0 UID: 0 PID: 0 Comm: swapper Not tainted 6.15.0-rc4-syzkaller-gb6a218ff8b88-dirty #0 PREEMPT(undef)
[ 1.248001][ T0] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 1.254202][ T0] RIP: 0010:make_alloc_exact+0xf0/0x310
[ 1.257331][ T0] Code: 38 00 0f 85 f1 01 00 00 48 8b 45 08 a8 01 75 0a 66 90 48 89 e8 48 39 c5 74 1e 48 c7 c6 c0 ea 9b 8b 48 89 ef e8 91 02 f1 ff 90 <0f> 0b f7 c5 ff 0f 00 00 0f 84 50 01 00 00 4c 8d 75 34 be 04 00 00
[ 1.268638][ T0] RSP: 0000:ffffffff8e007da8 EFLAGS: 00010093
[ 1.272081][ T0] RAX: 0000000000000000 RBX: ffffea00006ea000 RCX: ffffffff819a90e9
[ 1.276605][ T0] RDX: ffffffff8e097740 RSI: ffffffff8212f74f RDI: 0000000000000005
[ 1.281134][ T0] RBP: ffffea00006e9fc0 R08: 0000000000000005 R09: 0000000000000000
[ 1.285654][ T0] R10: 0000000000000001 R11: 0000000000000001 R12: ffffea00006e0000
[ 1.290222][ T0] R13: ffff88801b800000 R14: 0000000000280000 R15: dffffc0000000000
[ 1.294752][ T0] FS: 0000000000000000(0000) GS:ffff8880d69e2000(0000) knlGS:0000000000000000
[ 1.299867][ T0] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1.303616][ T0] CR2: ffff88817ffff000 CR3: 000000000e180000 CR4: 00000000000000b0
[ 1.308197][ T0] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 1.312735][ T0] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 1.317277][ T0] Call Trace:
[ 1.319101][ T0] <TASK>
[ 1.320721][ T0] alloc_pages_exact_nid_noprof+0x1e1/0x310
[ 1.324241][ T0] ? __pfx_alloc_pages_exact_nid_noprof+0x10/0x10
[ 1.327904][ T0] ? lock_acquire+0x179/0x350
[ 1.330558][ T0] ? find_held_lock+0x2b/0x80
[ 1.333246][ T0] init_section_page_ext+0x114/0x1e0
[ 1.336418][ T0] page_ext_init+0x5c0/0xab0
[ 1.339059][ T0] mm_core_init+0x13c/0x220
[ 1.341615][ T0] start_kernel+0x197/0x4d0
[ 1.344190][ T0] x86_64_start_reservations+0x18/0x30
[ 1.347296][ T0] x86_64_start_kernel+0xb0/0xc0
[ 1.350108][ T0] common_startup_64+0x13e/0x148
[ 1.352938][ T0] </TASK>
[ 1.354656][ T0] Modules linked in:
[ 1.356875][ T0] ---[ end trace 0000000000000000 ]---
[ 1.360018][ T0] RIP: 0010:make_alloc_exact+0xf0/0x310
[ 1.363231][ T0] Code: 38 00 0f 85 f1 01 00 00 48 8b 45 08 a8 01 75 0a 66 90 48 89 e8 48 39 c5 74 1e 48 c7 c6 c0 ea 9b 8b 48 89 ef e8 91 02 f1 ff 90 <0f> 0b f7 c5 ff 0f 00 00 0f 84 50 01 00 00 4c 8d 75 34 be 04 00 00
[ 1.374672][ T0] RSP: 0000:ffffffff8e007da8 EFLAGS: 00010093
[ 1.378196][ T0] RAX: 0000000000000000 RBX: ffffea00006ea000 RCX: ffffffff819a90e9
[ 1.382805][ T0] RDX: ffffffff8e097740 RSI: ffffffff8212f74f RDI: 0000000000000005
[ 1.387418][ T0] RBP: ffffea00006e9fc0 R08: 0000000000000005 R09: 0000000000000000
[ 1.392036][ T0] R10: 0000000000000001 R11: 0000000000000001 R12: ffffea00006e0000
[ 1.396666][ T0] R13: ffff88801b800000 R14: 0000000000280000 R15: dffffc0000000000
[ 1.401324][ T0] FS: 0000000000000000(0000) GS:ffff8880d69e2000(0000) knlGS:0000000000000000
[ 1.406529][ T0] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1.410368][ T0] CR2: ffff88817ffff000 CR3: 000000000e180000 CR4: 00000000000000b0
[ 1.415019][ T0] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 1.419639][ T0] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 1.424249][ T0] Kernel panic - not syncing: Fatal exception
[ 1.428011][ T0] Rebooting in 86400 seconds..


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=164318d4580000


Tested on:

commit: b6a218ff Merge tag 'pm-6.15-rc5' of git://git.kernel.o..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=ca17f2d2ba38f7a0
dashboard link: https://syzkaller.appspot.com/bug?extid=7b3842775c9ce6b69efc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=149df774580000

Hillf Danton

May 3, 2025, 2:56:13 AM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Thu, 01 May 2025 09:23:23 -0700
> syzbot found the following issue on:
>
> HEAD commit: 5bc1018675ec Merge tag 'pci-v6.15-fixes-3' of git://git.ke..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=175930d4580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=9f5bd2a76d9d0b4e
> dashboard link: https://syzkaller.appspot.com/bug?extid=7b3842775c9ce6b69efc
> compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11b72374580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12781270580000

#syz test

--- x/mm/page_alloc.c
+++ y/mm/page_alloc.c
@@ -1727,6 +1727,10 @@ static void prep_new_page(struct page *p

if (order && (gfp_flags & __GFP_COMP))
prep_compound_page(page, order);
+ if (order && IS_ENABLED(CONFIG_64BIT)) {
+ struct folio *folio = (struct folio *)page;
+ atomic_set(&folio->_pincount, 0);
+ }

/*
* page is set pfmemalloc when ALLOC_NO_WATERMARKS was necessary to
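Review bot: for allocations that carry `__GFP_COMP`, the `prep_compound_page(page, order)` call directly above already sets `_pincount` to zero, so the added `atomic_set()` repeats that and cannot change what is later observed at free time; the original report's allocation is order 9 with `__GFP_COMP` in its gfp_mask, which is why syzbot's retest of this patch still hits `nonzero pincount` with the same allocation stack. For order > 0 allocations without `__GFP_COMP` the page is not a folio at all, and `(struct folio *)page` writes into `page[1]`'s `struct page` through a field that does not apply to it. Since the count starts at zero when the folio is allocated and is nonzero when it is freed, it is being raised (or not lowered) somewhere in between, so the useful instrumentation is on the pin/unpin side of this folio's lifetime rather than another reset in `prep_new_page()`.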
--

syzbot

May 3, 2025, 3:10:05 AM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: Bad page state in prep_new_page

BUG: Bad page state in process syz.0.16 pfn:4be01
page does not match folio
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffffffffffffffff pfn:0x4be01
ksm flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea00012f8000 00000000ffffffff ffffffffffffffff
raw: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: nonzero pincount
page_owner tracks the page as allocated
page last allocated via order 9, migratetype Unmovable, gfp_mask 0x152c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL), pid 6495, tgid 6495 (syz.0.16), ts 89599699971, free_ts 84897122939
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x181/0x1b0 mm/page_alloc.c:1718
prep_new_page+0x16/0xb0 mm/page_alloc.c:1726
get_page_from_freelist+0x135b/0x3800 mm/page_alloc.c:3692
__alloc_frozen_pages_noprof+0x263/0x23a0 mm/page_alloc.c:4974
alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2301
alloc_pages_noprof mm/mempolicy.c:2392 [inline]
folio_alloc_noprof+0x20/0x2d0 mm/mempolicy.c:2402
filemap_alloc_folio_noprof+0x3a1/0x470 mm/filemap.c:1007
ractl_alloc_folio mm/readahead.c:186 [inline]
ra_alloc_folio mm/readahead.c:441 [inline]
page_cache_ra_order+0x4c0/0xd00 mm/readahead.c:509
do_sync_mmap_readahead mm/filemap.c:3225 [inline]
filemap_fault+0x1a5e/0x2740 mm/filemap.c:3403
__do_fault+0x10a/0x490 mm/memory.c:5098
do_shared_fault mm/memory.c:5582 [inline]
do_fault mm/memory.c:5656 [inline]
do_pte_missing+0x1a6/0x3fb0 mm/memory.c:4160
handle_pte_fault mm/memory.c:5997 [inline]
__handle_mm_fault+0x103d/0x2a40 mm/memory.c:6140
handle_mm_fault+0x3fe/0xad0 mm/memory.c:6309
do_user_addr_fault+0x60c/0x1370 arch/x86/mm/fault.c:1337
handle_page_fault arch/x86/mm/fault.c:1480 [inline]
exc_page_fault+0x5c/0xc0 arch/x86/mm/fault.c:1538
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
page last free pid 6330 tgid 6330 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1262 [inline]
__free_frozen_pages+0x69d/0xff0 mm/page_alloc.c:2729
vfree+0x176/0x960 mm/vmalloc.c:3383
kcov_put kernel/kcov.c:439 [inline]
kcov_put kernel/kcov.c:435 [inline]
kcov_close+0x34/0x60 kernel/kcov.c:535
__fput+0x3ff/0xb70 fs/file_table.c:465
task_work_run+0x14d/0x240 kernel/task_work.c:227
exit_task_work include/linux/task_work.h:40 [inline]
do_exit+0xafb/0x2c30 kernel/exit.c:953
do_group_exit+0xd3/0x2a0 kernel/exit.c:1102
get_signal+0x2673/0x26d0 kernel/signal.c:3034
arch_do_signal_or_restart+0x8f/0x7d0 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218
do_syscall_64+0xda/0x260 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Modules linked in:
CPU: 1 UID: 0 PID: 6495 Comm: syz.0.16 Not tainted 6.15.0-rc4-syzkaller-g95d3481af6dc-dirty #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120
bad_page+0xb3/0x1f0 mm/page_alloc.c:505
free_tail_page_prepare+0x44f/0x5b0 mm/page_alloc.c:1000
free_pages_prepare mm/page_alloc.c:1238 [inline]
__free_frozen_pages+0x96a/0xff0 mm/page_alloc.c:2729
__folio_put+0x329/0x450 mm/swap.c:112
folio_put_refs include/linux/mm.h:1600 [inline]
filemap_free_folio+0x132/0x170 mm/filemap.c:235
delete_from_page_cache_batch+0x741/0x9b0 mm/filemap.c:339
truncate_inode_pages_range+0x279/0xe30 mm/truncate.c:376
kill_bdev block/bdev.c:91 [inline]
blkdev_flush_mapping+0xfb/0x290 block/bdev.c:712
blkdev_put_whole+0xc4/0xf0 block/bdev.c:719
bdev_release+0x47e/0x6d0 block/bdev.c:1144
blkdev_release+0x15/0x20 block/fops.c:660
__fput+0x3ff/0xb70 fs/file_table.c:465
task_work_run+0x14d/0x240 kernel/task_work.c:227
exit_task_work include/linux/task_work.h:40 [inline]
do_exit+0xafb/0x2c30 kernel/exit.c:953
do_group_exit+0xd3/0x2a0 kernel/exit.c:1102
__do_sys_exit_group kernel/exit.c:1113 [inline]
__se_sys_exit_group kernel/exit.c:1111 [inline]
__x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1111
x64_sys_call+0x1530/0x1730 arch/x86/include/generated/asm/syscalls_64.h:232
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
</TASK>
BUG: Bad page state in process syz.0.16 pfn:4be00
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4be00
head: order:0 mapcount:0 entire_mapcount:1 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000049(locked|uptodate|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000049 dead000000000100 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
head: 00fff00000000049 dead000000000100 dead000000000122 0000000000000000
head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
head: 00fff00000000000 0000000000000000 00000000ffffffff 0000000000000000
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
page_owner tracks the page as allocated
page last allocated via order 9, migratetype Unmovable, gfp_mask 0x152c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL), pid 6495, tgid 6495 (syz.0.16), ts 89599699971, free_ts 84897115361
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x181/0x1b0 mm/page_alloc.c:1718
prep_new_page+0x16/0xb0 mm/page_alloc.c:1726
get_page_from_freelist+0x135b/0x3800 mm/page_alloc.c:3692
__alloc_frozen_pages_noprof+0x263/0x23a0 mm/page_alloc.c:4974
alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2301
alloc_pages_noprof mm/mempolicy.c:2392 [inline]
folio_alloc_noprof+0x20/0x2d0 mm/mempolicy.c:2402
filemap_alloc_folio_noprof+0x3a1/0x470 mm/filemap.c:1007
ractl_alloc_folio mm/readahead.c:186 [inline]
ra_alloc_folio mm/readahead.c:441 [inline]
page_cache_ra_order+0x4c0/0xd00 mm/readahead.c:509
do_sync_mmap_readahead mm/filemap.c:3225 [inline]
filemap_fault+0x1a5e/0x2740 mm/filemap.c:3403
__do_fault+0x10a/0x490 mm/memory.c:5098
do_shared_fault mm/memory.c:5582 [inline]
do_fault mm/memory.c:5656 [inline]
do_pte_missing+0x1a6/0x3fb0 mm/memory.c:4160
handle_pte_fault mm/memory.c:5997 [inline]
__handle_mm_fault+0x103d/0x2a40 mm/memory.c:6140
handle_mm_fault+0x3fe/0xad0 mm/memory.c:6309
do_user_addr_fault+0x60c/0x1370 arch/x86/mm/fault.c:1337
handle_page_fault arch/x86/mm/fault.c:1480 [inline]
exc_page_fault+0x5c/0xc0 arch/x86/mm/fault.c:1538
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
page last free pid 6330 tgid 6330 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1262 [inline]
__free_frozen_pages+0x69d/0xff0 mm/page_alloc.c:2729
vfree+0x176/0x960 mm/vmalloc.c:3383
kcov_put kernel/kcov.c:439 [inline]
kcov_put kernel/kcov.c:435 [inline]
kcov_close+0x34/0x60 kernel/kcov.c:535
__fput+0x3ff/0xb70 fs/file_table.c:465
task_work_run+0x14d/0x240 kernel/task_work.c:227
exit_task_work include/linux/task_work.h:40 [inline]
do_exit+0xafb/0x2c30 kernel/exit.c:953
do_group_exit+0xd3/0x2a0 kernel/exit.c:1102
get_signal+0x2673/0x26d0 kernel/signal.c:3034
arch_do_signal_or_restart+0x8f/0x7d0 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218
do_syscall_64+0xda/0x260 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Modules linked in:
CPU: 0 UID: 0 PID: 6495 Comm: syz.0.16 Tainted: G B 6.15.0-rc4-syzkaller-g95d3481af6dc-dirty #0 PREEMPT(full)
Tainted: [B]=BAD_PAGE
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120
bad_page+0xb3/0x1f0 mm/page_alloc.c:505
free_page_is_bad_report mm/page_alloc.c:938 [inline]
free_page_is_bad mm/page_alloc.c:948 [inline]
free_pages_prepare mm/page_alloc.c:1254 [inline]
__free_frozen_pages+0x76e/0xff0 mm/page_alloc.c:2729
__folio_put+0x329/0x450 mm/swap.c:112
folio_put_refs include/linux/mm.h:1600 [inline]
filemap_free_folio+0x132/0x170 mm/filemap.c:235
delete_from_page_cache_batch+0x741/0x9b0 mm/filemap.c:339
truncate_inode_pages_range+0x279/0xe30 mm/truncate.c:376
kill_bdev block/bdev.c:91 [inline]
blkdev_flush_mapping+0xfb/0x290 block/bdev.c:712
blkdev_put_whole+0xc4/0xf0 block/bdev.c:719
bdev_release+0x47e/0x6d0 block/bdev.c:1144
blkdev_release+0x15/0x20 block/fops.c:660
__fput+0x3ff/0xb70 fs/file_table.c:465
task_work_run+0x14d/0x240 kernel/task_work.c:227
exit_task_work include/linux/task_work.h:40 [inline]
do_exit+0xafb/0x2c30 kernel/exit.c:953
do_group_exit+0xd3/0x2a0 kernel/exit.c:1102
__do_sys_exit_group kernel/exit.c:1113 [inline]
__se_sys_exit_group kernel/exit.c:1111 [inline]
__x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1111
x64_sys_call+0x1530/0x1730 arch/x86/include/generated/asm/syscalls_64.h:232
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
</TASK>


Tested on:

commit: 95d3481a Merge tag 'spi-fix-v6.15-rc4' of git://git.ke..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=177498d4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=ca17f2d2ba38f7a0
dashboard link: https://syzkaller.appspot.com/bug?extid=7b3842775c9ce6b69efc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=15719774580000

Hillf Danton

May 3, 2025, 4:45:40 AM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Thu, 01 May 2025 09:23:23 -0700
> syzbot found the following issue on:
>
> HEAD commit: 5bc1018675ec Merge tag 'pci-v6.15-fixes-3' of git://git.ke..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=175930d4580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=9f5bd2a76d9d0b4e
> dashboard link: https://syzkaller.appspot.com/bug?extid=7b3842775c9ce6b69efc
> compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11b72374580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12781270580000

#syz test

--- x/mm/page_alloc.c
+++ y/mm/page_alloc.c
@@ -1723,6 +1723,10 @@ inline void post_alloc_hook(struct page
static void prep_new_page(struct page *page, unsigned int order, gfp_t gfp_flags,
unsigned int alloc_flags)
{
+ if (order && IS_ENABLED(CONFIG_64BIT)) {
+ struct folio *folio = (struct folio *)page;
+ atomic_set(&folio->_pincount, 0);
+ }
post_alloc_hook(page, order, gfp_flags);

if (order && (gfp_flags & __GFP_COMP))
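Review bot: placing the atomic_set() ahead of post_alloc_hook() makes it ineffective for the case it targets: post_alloc_hook() and, for __GFP_COMP allocations, prep_compound_page() both run after it and set up the page's state, so whatever they write to the folio counters replaces the zero stored here. The syzbot result for this variant (the same "nonzero pincount" on an order-9 __GFP_COMP page, reported from free_tail_page_prepare() at free time) is consistent with that. The guard also still tests `order` alone rather than `order && (gfp_flags & __GFP_COMP)` as the existing condition below does, so for a non-compound high-order allocation page[1] is not folio metadata and the write lands in an unrelated struct page. If the goal is to find where the counter goes bad, a check after prep_compound_page() or at the free-side report would narrow it down better than a second zeroing at allocation.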
--

syzbot

May 3, 2025, 4:59:04 AM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: Bad page state in prep_new_page

BUG: Bad page state in process syz.0.16 pfn:40601
page does not match folio
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffffffffffffffff pfn:0x40601
ksm flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea0001018000 00000000ffffffff ffffffffffffffff
raw: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: nonzero pincount
page_owner tracks the page as allocated
page last allocated via order 9, migratetype Unmovable, gfp_mask 0x152c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL), pid 6525, tgid 6525 (syz.0.16), ts 94203508565, free_ts 89349943790
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x181/0x1b0 mm/page_alloc.c:1718
prep_new_page+0xa0/0xe0 mm/page_alloc.c:1730
get_page_from_freelist+0x135b/0x3800 mm/page_alloc.c:3692
__alloc_frozen_pages_noprof+0x263/0x23a0 mm/page_alloc.c:4974
alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2301
alloc_pages_noprof mm/mempolicy.c:2392 [inline]
folio_alloc_noprof+0x20/0x2d0 mm/mempolicy.c:2402
filemap_alloc_folio_noprof+0x3a1/0x470 mm/filemap.c:1007
ractl_alloc_folio mm/readahead.c:186 [inline]
ra_alloc_folio mm/readahead.c:441 [inline]
page_cache_ra_order+0x4c0/0xd00 mm/readahead.c:509
do_sync_mmap_readahead mm/filemap.c:3225 [inline]
filemap_fault+0x1a5e/0x2740 mm/filemap.c:3403
__do_fault+0x10a/0x490 mm/memory.c:5098
do_shared_fault mm/memory.c:5582 [inline]
do_fault mm/memory.c:5656 [inline]
do_pte_missing+0x1a6/0x3fb0 mm/memory.c:4160
handle_pte_fault mm/memory.c:5997 [inline]
__handle_mm_fault+0x103d/0x2a40 mm/memory.c:6140
handle_mm_fault+0x3fe/0xad0 mm/memory.c:6309
do_user_addr_fault+0x60c/0x1370 arch/x86/mm/fault.c:1337
handle_page_fault arch/x86/mm/fault.c:1480 [inline]
exc_page_fault+0x5c/0xc0 arch/x86/mm/fault.c:1538
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
page last free pid 6394 tgid 6394 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1262 [inline]
__free_frozen_pages+0x69d/0xff0 mm/page_alloc.c:2729
vfree+0x176/0x960 mm/vmalloc.c:3383
kcov_put kernel/kcov.c:439 [inline]
kcov_put kernel/kcov.c:435 [inline]
kcov_close+0x34/0x60 kernel/kcov.c:535
__fput+0x3ff/0xb70 fs/file_table.c:465
task_work_run+0x14d/0x240 kernel/task_work.c:227
exit_task_work include/linux/task_work.h:40 [inline]
do_exit+0xafb/0x2c30 kernel/exit.c:953
do_group_exit+0xd3/0x2a0 kernel/exit.c:1102
get_signal+0x2673/0x26d0 kernel/signal.c:3034
arch_do_signal_or_restart+0x8f/0x7d0 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218
do_syscall_64+0xda/0x260 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Modules linked in:
CPU: 1 UID: 0 PID: 6526 Comm: syz.0.16 Not tainted 6.15.0-rc4-syzkaller-g95d3481af6dc-dirty #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120
bad_page+0xb3/0x1f0 mm/page_alloc.c:505
free_tail_page_prepare+0x44f/0x5b0 mm/page_alloc.c:1000
free_pages_prepare mm/page_alloc.c:1238 [inline]
__free_frozen_pages+0x96a/0xff0 mm/page_alloc.c:2729
__folio_put+0x329/0x450 mm/swap.c:112
folio_put_refs include/linux/mm.h:1600 [inline]
filemap_free_folio+0x132/0x170 mm/filemap.c:235
delete_from_page_cache_batch+0x741/0x9b0 mm/filemap.c:339
truncate_inode_pages_range+0x279/0xe30 mm/truncate.c:376
kill_bdev block/bdev.c:91 [inline]
blkdev_flush_mapping+0xfb/0x290 block/bdev.c:712
blkdev_put_whole+0xc4/0xf0 block/bdev.c:719
bdev_release+0x47e/0x6d0 block/bdev.c:1144
blkdev_release+0x15/0x20 block/fops.c:660
__fput+0x3ff/0xb70 fs/file_table.c:465
task_work_run+0x14d/0x240 kernel/task_work.c:227
exit_task_work include/linux/task_work.h:40 [inline]
do_exit+0xafb/0x2c30 kernel/exit.c:953
do_group_exit+0xd3/0x2a0 kernel/exit.c:1102
get_signal+0x2673/0x26d0 kernel/signal.c:3034
arch_do_signal_or_restart+0x8f/0x7d0 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218
do_syscall_64+0xda/0x260 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
</TASK>
BUG: Bad page state in process syz.0.16 pfn:40600
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x40600
head: order:0 mapcount:0 entire_mapcount:1 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000049(locked|uptodate|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000049 dead000000000100 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
head: 00fff00000000049 dead000000000100 dead000000000122 0000000000000000
head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
head: 00fff00000000000 0000000000000000 00000000ffffffff 0000000000000000
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
page_owner tracks the page as allocated
page last allocated via order 9, migratetype Unmovable, gfp_mask 0x152c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL), pid 6525, tgid 6525 (syz.0.16), ts 94203508565, free_ts 89349938505
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x181/0x1b0 mm/page_alloc.c:1718
prep_new_page+0xa0/0xe0 mm/page_alloc.c:1730
get_page_from_freelist+0x135b/0x3800 mm/page_alloc.c:3692
__alloc_frozen_pages_noprof+0x263/0x23a0 mm/page_alloc.c:4974
alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2301
alloc_pages_noprof mm/mempolicy.c:2392 [inline]
folio_alloc_noprof+0x20/0x2d0 mm/mempolicy.c:2402
filemap_alloc_folio_noprof+0x3a1/0x470 mm/filemap.c:1007
ractl_alloc_folio mm/readahead.c:186 [inline]
ra_alloc_folio mm/readahead.c:441 [inline]
page_cache_ra_order+0x4c0/0xd00 mm/readahead.c:509
do_sync_mmap_readahead mm/filemap.c:3225 [inline]
filemap_fault+0x1a5e/0x2740 mm/filemap.c:3403
__do_fault+0x10a/0x490 mm/memory.c:5098
do_shared_fault mm/memory.c:5582 [inline]
do_fault mm/memory.c:5656 [inline]
do_pte_missing+0x1a6/0x3fb0 mm/memory.c:4160
handle_pte_fault mm/memory.c:5997 [inline]
__handle_mm_fault+0x103d/0x2a40 mm/memory.c:6140
handle_mm_fault+0x3fe/0xad0 mm/memory.c:6309
do_user_addr_fault+0x60c/0x1370 arch/x86/mm/fault.c:1337
handle_page_fault arch/x86/mm/fault.c:1480 [inline]
exc_page_fault+0x5c/0xc0 arch/x86/mm/fault.c:1538
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
page last free pid 6394 tgid 6394 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1262 [inline]
__free_frozen_pages+0x69d/0xff0 mm/page_alloc.c:2729
vfree+0x176/0x960 mm/vmalloc.c:3383
kcov_put kernel/kcov.c:439 [inline]
kcov_put kernel/kcov.c:435 [inline]
kcov_close+0x34/0x60 kernel/kcov.c:535
__fput+0x3ff/0xb70 fs/file_table.c:465
task_work_run+0x14d/0x240 kernel/task_work.c:227
exit_task_work include/linux/task_work.h:40 [inline]
do_exit+0xafb/0x2c30 kernel/exit.c:953
do_group_exit+0xd3/0x2a0 kernel/exit.c:1102
get_signal+0x2673/0x26d0 kernel/signal.c:3034
arch_do_signal_or_restart+0x8f/0x7d0 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218
do_syscall_64+0xda/0x260 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Modules linked in:
CPU: 0 UID: 0 PID: 6526 Comm: syz.0.16 Tainted: G B 6.15.0-rc4-syzkaller-g95d3481af6dc-dirty #0 PREEMPT(full)
get_signal+0x2673/0x26d0 kernel/signal.c:3034
arch_do_signal_or_restart+0x8f/0x7d0 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218
do_syscall_64+0xda/0x260 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
</TASK>


Tested on:

commit: 95d3481a Merge tag 'spi-fix-v6.15-rc4' of git://git.ke..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=155a98d4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=ca17f2d2ba38f7a0
dashboard link: https://syzkaller.appspot.com/bug?extid=7b3842775c9ce6b69efc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=176a98d4580000

Hillf Danton

May 3, 2025, 6:21:47 AM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Thu, 01 May 2025 09:23:23 -0700
> syzbot found the following issue on:
>
> HEAD commit: 5bc1018675ec Merge tag 'pci-v6.15-fixes-3' of git://git.ke..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=175930d4580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=9f5bd2a76d9d0b4e
> dashboard link: https://syzkaller.appspot.com/bug?extid=7b3842775c9ce6b69efc
> compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11b72374580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12781270580000

#syz test

--- x/mm/readahead.c
+++ y/mm/readahead.c
@@ -186,6 +186,8 @@ static struct folio *ractl_alloc_folio(s
folio = filemap_alloc_folio(gfp_mask, order);
if (folio && ractl->dropbehind)
__folio_set_dropbehind(folio);
+ if (folio && IS_ENABLED(CONFIG_64BIT))
+ atomic_set(&folio->_pincount, 0);

return folio;
}
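Review bot: there is no order check before touching folio->_pincount. filemap_alloc_folio() can return an order-0 folio, and on 64-bit _pincount lives in the folio's second struct page, so for order 0 this 4-byte store lands in the struct page of the next, unrelated page. The boot failure syzbot reports for this patch fits that: KASAN flags a user-memory-access at 00000000320bb7c0 in lru_add(), reached through page_cache_ra_order() -> page_cache_ra_unbounded() -> filemap_add_folio(), i.e. right after this allocation, and the faulting address is an 8-byte pointer whose upper 32 bits are zero, which is what a 4-byte write of 0 over the upper half of a pointer in the neighbouring struct page produces. Guard it with the order (`if (folio && folio_order(folio) && IS_ENABLED(CONFIG_64BIT))`), or drop the probe here, since the order-9 allocation in the original report already passes through prep_compound_page() in the allocator.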
--

syzbot

May 3, 2025, 7:11:06 AM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

[ 22.969151][ T1] ==================================================================
[ 22.972476][ T1] BUG: KASAN: user-memory-access in lru_add+0x192/0xd70
[ 22.975136][ T1] Read of size 8 at addr 00000000320bb7c0 by task init/1
[ 22.977923][ T1]
[ 22.978936][ T1] CPU: 2 UID: 0 PID: 1 Comm: init Not tainted 6.15.0-rc4-syzkaller-g95d3481af6dc-dirty #0 PREEMPT(full)
[ 22.978958][ T1] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 22.978968][ T1] Call Trace:
[ 22.978975][ T1] <TASK>
[ 22.978982][ T1] dump_stack_lvl+0x116/0x1f0
[ 22.979046][ T1] kasan_report+0xe0/0x110
[ 22.979061][ T1] ? lru_add+0x192/0xd70
[ 22.979078][ T1] kasan_check_range+0xef/0x1a0
[ 22.979097][ T1] lru_add+0x192/0xd70
[ 22.979114][ T1] folio_batch_move_lru+0x112/0x3b0
[ 22.979131][ T1] ? __pfx_lru_add+0x10/0x10
[ 22.979148][ T1] ? __pfx_folio_batch_move_lru+0x10/0x10
[ 22.979165][ T1] ? __pfx___filemap_add_folio+0x10/0x10
[ 22.979186][ T1] __folio_batch_add_and_move+0x369/0xc90
[ 22.979225][ T1] ? __pfx_lru_add+0x10/0x10
[ 22.979240][ T1] ? const_folio_flags+0x5b/0x100
[ 22.979257][ T1] filemap_add_folio+0x1bb/0x220
[ 22.979274][ T1] ? __pfx_filemap_add_folio+0x10/0x10
[ 22.979292][ T1] ? page_cache_ra_unbounded+0x3fb/0x750
[ 22.979309][ T1] page_cache_ra_unbounded+0x305/0x750
[ 22.979328][ T1] page_cache_ra_order+0x961/0xcb0
[ 22.979348][ T1] page_cache_async_ra+0x5cb/0x8a0
[ 22.979365][ T1] filemap_readahead.isra.0+0x11c/0x190
[ 22.979390][ T1] ? __pfx_filemap_readahead.isra.0+0x10/0x10
[ 22.979425][ T1] filemap_get_pages+0x2c1/0x1c20
[ 22.979444][ T1] ? __lock_acquire+0x5ca/0x1ba0
[ 22.979469][ T1] ? __pfx_filemap_get_pages+0x10/0x10
[ 22.979488][ T1] ? atime_needs_update+0x8b/0x710
[ 22.979508][ T1] ? __pfx___might_resched+0x10/0x10
[ 22.979531][ T1] filemap_read+0x3d2/0xe90
[ 22.979552][ T1] ? __pfx_filemap_read+0x10/0x10
[ 22.979576][ T1] ? _raw_spin_unlock_irqrestore+0x3b/0x80
[ 22.979593][ T1] ? stack_depot_save_flags+0x3e6/0xa50
[ 22.979616][ T1] generic_file_read_iter+0x344/0x450
[ 22.979634][ T1] ? kasan_save_stack+0x33/0x60
[ 22.979657][ T1] ? kasan_save_track+0x14/0x30
[ 22.979680][ T1] ext4_file_read_iter+0x1d6/0x6a0
[ 22.979705][ T1] __kernel_read+0x3f0/0xb60
[ 22.979728][ T1] ? __pfx___kernel_read+0x10/0x10
[ 22.979755][ T1] integrity_kernel_read+0x7e/0xb0
[ 22.979773][ T1] ? __pfx_integrity_kernel_read+0x10/0x10
[ 22.979790][ T1] ? __local_bh_enable_ip+0xa4/0x120
[ 22.979809][ T1] ? kernel_fpu_end+0x5e/0x70
[ 22.979827][ T1] ? _sha256_update+0xc8/0xf0
[ 22.979846][ T1] ima_calc_file_hash_tfm+0x2c7/0x3d0
[ 22.979868][ T1] ? __pfx_ima_calc_file_hash_tfm+0x10/0x10
[ 22.979899][ T1] ? ext4_getattr+0x33d/0x8b0
[ 22.979923][ T1] ? ima_alloc_tfm+0x21a/0x2e0
[ 22.979943][ T1] ? ext4_file_getattr+0x25f/0x380
[ 22.979958][ T1] ima_calc_file_hash+0x1ba/0x490
[ 22.979981][ T1] ima_collect_measurement+0x897/0xa40
[ 22.980006][ T1] ? __pfx_ima_collect_measurement+0x10/0x10
[ 22.980030][ T1] ? __pfx___up_read+0x10/0x10
[ 22.980049][ T1] ? __pfx_ext4_xattr_get+0x10/0x10
[ 22.980070][ T1] ? xattr_resolve_name+0x27b/0x3f0
[ 22.980094][ T1] ? vfs_getxattr_alloc+0xec/0x340
[ 22.980119][ T1] ? ima_get_hash_algo+0x27c/0x400
[ 22.980137][ T1] ? __pfx_ima_get_hash_algo+0x10/0x10
[ 22.980157][ T1] ? process_measurement+0x11fa/0x23e0
[ 22.980175][ T1] process_measurement+0x11fa/0x23e0
[ 22.980196][ T1] ? avc_has_perm_noaudit+0x149/0x3b0
[ 22.980211][ T1] ? __pfx_process_measurement+0x10/0x10
[ 22.980233][ T1] ? __pfx_avc_has_perm+0x10/0x10
[ 22.980246][ T1] ? avc_has_perm+0x11a/0x1c0
[ 22.980260][ T1] ? __pfx_avc_has_perm+0x10/0x10
[ 22.980284][ T1] ? file_map_prot_check+0x1eb/0x360
[ 22.980301][ T1] ima_file_mmap+0x1a8/0x1d0
[ 22.980321][ T1] ? __pfx_ima_file_mmap+0x10/0x10
[ 22.980342][ T1] security_mmap_file+0x88c/0x990
[ 22.980365][ T1] vm_mmap_pgoff+0xec/0x450
[ 22.980384][ T1] ? __pfx_vm_mmap_pgoff+0x10/0x10
[ 22.980406][ T1] vm_mmap+0x8e/0xc0
[ 22.980429][ T1] elf_load+0x19a/0x890
[ 22.980457][ T1] load_elf_binary+0x35e7/0x4f80
[ 22.980491][ T1] ? __pfx_load_elf_binary+0x10/0x10
[ 22.980514][ T1] ? find_held_lock+0x2b/0x80
[ 22.980531][ T1] ? bprm_execve+0x8a2/0x1650
[ 22.980554][ T1] bprm_execve+0x8c0/0x1650
[ 22.980577][ T1] ? __pfx_bprm_execve+0x10/0x10
[ 22.980598][ T1] ? copy_strings_kernel+0x153/0x190
[ 22.980620][ T1] kernel_execve+0x2ef/0x3b0
[ 22.980640][ T1] ? __pfx_kernel_init+0x10/0x10
[ 22.980664][ T1] kernel_init+0x14a/0x2b0
[ 22.980685][ T1] ? __pfx_kernel_init+0x10/0x10
[ 22.980706][ T1] ret_from_fork+0x45/0x80
[ 22.980720][ T1] ? __pfx_kernel_init+0x10/0x10
[ 22.980741][ T1] ret_from_fork_asm+0x1a/0x30
[ 22.980768][ T1] </TASK>
[ 22.980774][ T1] ==================================================================
[ 23.168879][ T1] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 23.171855][ T1] CPU: 2 UID: 0 PID: 1 Comm: init Not tainted 6.15.0-rc4-syzkaller-g95d3481af6dc-dirty #0 PREEMPT(full)
[ 23.176379][ T1] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 23.180688][ T1] Call Trace:
[ 23.182122][ T1] <TASK>
[ 23.183403][ T1] dump_stack_lvl+0x3d/0x1f0
[ 23.185409][ T1] panic+0x71c/0x800
[ 23.187090][ T1] ? __pfx_panic+0x10/0x10
[ 23.188969][ T1] ? __pfx__printk+0x10/0x10
[ 23.190938][ T1] ? end_report+0x4c/0x170
[ 23.192832][ T1] ? check_panic_on_warn+0x1f/0xb0
[ 23.194953][ T1] ? lru_add+0x192/0xd70
[ 23.196745][ T1] check_panic_on_warn+0xab/0xb0
[ 23.198798][ T1] end_report+0x107/0x170
[ 23.200620][ T1] kasan_report+0xee/0x110
[ 23.202514][ T1] ? lru_add+0x192/0xd70
[ 23.204296][ T1] kasan_check_range+0xef/0x1a0
[ 23.206317][ T1] lru_add+0x192/0xd70
[ 23.208019][ T1] folio_batch_move_lru+0x112/0x3b0
[ 23.210132][ T1] ? __pfx_lru_add+0x10/0x10
[ 23.212067][ T1] ? __pfx_folio_batch_move_lru+0x10/0x10
[ 23.214409][ T1] ? __pfx___filemap_add_folio+0x10/0x10
[ 23.216747][ T1] __folio_batch_add_and_move+0x369/0xc90
[ 23.219103][ T1] ? __pfx_lru_add+0x10/0x10
[ 23.221059][ T1] ? const_folio_flags+0x5b/0x100
[ 23.223259][ T1] filemap_add_folio+0x1bb/0x220
[ 23.225339][ T1] ? __pfx_filemap_add_folio+0x10/0x10
[ 23.227645][ T1] ? page_cache_ra_unbounded+0x3fb/0x750
[ 23.229983][ T1] page_cache_ra_unbounded+0x305/0x750
[ 23.232345][ T1] page_cache_ra_order+0x961/0xcb0
[ 23.234487][ T1] page_cache_async_ra+0x5cb/0x8a0
[ 23.236650][ T1] filemap_readahead.isra.0+0x11c/0x190
[ 23.238986][ T1] ? __pfx_filemap_readahead.isra.0+0x10/0x10
[ 23.241621][ T1] filemap_get_pages+0x2c1/0x1c20
[ 23.243762][ T1] ? __lock_acquire+0x5ca/0x1ba0
[ 23.245838][ T1] ? __pfx_filemap_get_pages+0x10/0x10
[ 23.248105][ T1] ? atime_needs_update+0x8b/0x710
[ 23.250285][ T1] ? __pfx___might_resched+0x10/0x10
[ 23.252510][ T1] filemap_read+0x3d2/0xe90
[ 23.254388][ T1] ? __pfx_filemap_read+0x10/0x10
[ 23.256516][ T1] ? _raw_spin_unlock_irqrestore+0x3b/0x80
[ 23.258926][ T1] ? stack_depot_save_flags+0x3e6/0xa50
[ 23.261292][ T1] generic_file_read_iter+0x344/0x450
[ 23.263521][ T1] ? kasan_save_stack+0x33/0x60
[ 23.265545][ T1] ? kasan_save_track+0x14/0x30
[ 23.267568][ T1] ext4_file_read_iter+0x1d6/0x6a0
[ 23.269722][ T1] __kernel_read+0x3f0/0xb60
[ 23.271661][ T1] ? __pfx___kernel_read+0x10/0x10
[ 23.273820][ T1] integrity_kernel_read+0x7e/0xb0
[ 23.275991][ T1] ? __pfx_integrity_kernel_read+0x10/0x10
[ 23.278446][ T1] ? __local_bh_enable_ip+0xa4/0x120
[ 23.280677][ T1] ? kernel_fpu_end+0x5e/0x70
[ 23.282652][ T1] ? _sha256_update+0xc8/0xf0
[ 23.284695][ T1] ima_calc_file_hash_tfm+0x2c7/0x3d0
[ 23.286936][ T1] ? __pfx_ima_calc_file_hash_tfm+0x10/0x10
[ 23.289425][ T1] ? ext4_getattr+0x33d/0x8b0
[ 23.291389][ T1] ? ima_alloc_tfm+0x21a/0x2e0
[ 23.293368][ T1] ? ext4_file_getattr+0x25f/0x380
[ 23.295493][ T1] ima_calc_file_hash+0x1ba/0x490
[ 23.297597][ T1] ima_collect_measurement+0x897/0xa40
[ 23.299865][ T1] ? __pfx_ima_collect_measurement+0x10/0x10
[ 23.302357][ T1] ? __pfx___up_read+0x10/0x10
[ 23.304358][ T1] ? __pfx_ext4_xattr_get+0x10/0x10
[ 23.306502][ T1] ? xattr_resolve_name+0x27b/0x3f0
[ 23.308664][ T1] ? vfs_getxattr_alloc+0xec/0x340
[ 23.310837][ T1] ? ima_get_hash_algo+0x27c/0x400
[ 23.312976][ T1] ? __pfx_ima_get_hash_algo+0x10/0x10
[ 23.315246][ T1] ? process_measurement+0x11fa/0x23e0
[ 23.317504][ T1] process_measurement+0x11fa/0x23e0
[ 23.319690][ T1] ? avc_has_perm_noaudit+0x149/0x3b0
[ 23.321944][ T1] ? __pfx_process_measurement+0x10/0x10
[ 23.324293][ T1] ? __pfx_avc_has_perm+0x10/0x10
[ 23.326158][ T1] ? avc_has_perm+0x11a/0x1c0
[ 23.327938][ T1] ? __pfx_avc_has_perm+0x10/0x10
[ 23.330041][ T1] ? file_map_prot_check+0x1eb/0x360
[ 23.332243][ T1] ima_file_mmap+0x1a8/0x1d0
[ 23.334106][ T1] ? __pfx_ima_file_mmap+0x10/0x10
[ 23.336153][ T1] security_mmap_file+0x88c/0x990
[ 23.338258][ T1] vm_mmap_pgoff+0xec/0x450
[ 23.340181][ T1] ? __pfx_vm_mmap_pgoff+0x10/0x10
[ 23.342347][ T1] vm_mmap+0x8e/0xc0
[ 23.343995][ T1] elf_load+0x19a/0x890
[ 23.345725][ T1] load_elf_binary+0x35e7/0x4f80
[ 23.347891][ T1] ? __pfx_load_elf_binary+0x10/0x10
[ 23.350128][ T1] ? find_held_lock+0x2b/0x80
[ 23.352067][ T1] ? bprm_execve+0x8a2/0x1650
[ 23.354013][ T1] bprm_execve+0x8c0/0x1650
[ 23.355923][ T1] ? __pfx_bprm_execve+0x10/0x10
[ 23.357981][ T1] ? copy_strings_kernel+0x153/0x190
[ 23.360182][ T1] kernel_execve+0x2ef/0x3b0
[ 23.362124][ T1] ? __pfx_kernel_init+0x10/0x10
[ 23.364188][ T1] kernel_init+0x14a/0x2b0
[ 23.366047][ T1] ? __pfx_kernel_init+0x10/0x10
[ 23.368110][ T1] ret_from_fork+0x45/0x80
[ 23.369970][ T1] ? __pfx_kernel_init+0x10/0x10
[ 23.372037][ T1] ret_from_fork_asm+0x1a/0x30
[ 23.374051][ T1] </TASK>
[ 23.376076][ T1] Kernel Offset: disabled
[ 23.377924][ T1] Rebooting in 86400 seconds..
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build3760460994=/tmp/go-build -gno-record-gcc-switches'

git status (err=<nil>)
HEAD detached at c6b4fb399
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=c6b4fb399236b655a39701fd51c33522caa06811 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20250425-123509'" -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"c6b4fb399236b655a39701fd51c33522caa06811\"
/usr/bin/ld: /tmp/ccqfTbRm.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x104): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=160920f4580000


Tested on:

commit: 95d3481a Merge tag 'spi-fix-v6.15-rc4' of git://git.ke..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=ca17f2d2ba38f7a0
dashboard link: https://syzkaller.appspot.com/bug?extid=7b3842775c9ce6b69efc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=160e20f4580000

syzbot

Dec 12, 2025, 5:02:17 AM
to syzkall...@googlegroups.com
Auto-closing this bug as obsolete.
No recent activity, existing reproducers are no longer triggering the issue.