[v5.15] Internal error in mm_release
2 views
Skip to first unread message
syzbot
Aug 13, 2025, 12:01:31 AM8/13/25
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: c79648372d02 Linux 5.15.189
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1483cc34580000
kernel config: https://syzkaller.appspot.com/x/.config?x=9e47345638b85bd0
dashboard link: https://syzkaller.appspot.com/bug?extid=7ee4651d2db83a5b6a2b
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
userspace arch: arm64
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/7ab49562317a/disk-c7964837.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/e847ec1e38d3/vmlinux-c7964837.xz
kernel image: https://storage.googleapis.com/syzbot-assets/263158c6371c/Image-c7964837.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+7ee465...@syzkaller.appspotmail.com
Internal error: Oops - BTI: 0000000036000001 [#1] PREEMPT SMP
Modules linked in:
CPU: 1 PID: 4221 Comm: syz.3.25 Not tainted 5.15.189-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/30/2025
pstate: 42400405 (nZcv daif +PAN -UAO +TCO -DIT -SSBS BTYPE=jc)
pc : mm_release+0x1c8/0x314 kernel/fork.c:1415
lr : __uaccess_mask_ptr arch/arm64/include/asm/uaccess.h:244 [inline]
lr : mm_release+0x1ac/0x314 kernel/fork.c:1414
sp : ffff80001fd577f0
x29: ffff80001fd577f0 x28: dfff800000000000 x27: ffff0000d8742370
x26: 0000000000400544 x25: 0000002000018000 x24: 1fffe0001b0e8434
x23: dfff800000000000 x22: 0000000020000180 x21: 0000000000000001
x20: ffff0000d87421a0 x19: ffff0000d8741b40 x18: 0000000000000000
x17: 0000000000000002 x16: ffff80000817ac7c x15: 00000000fffffe00
x14: 0000000000ff0100 x13: 1ffff0000282e06b x12: 0000000000ff0100
x11: 0000000020000180 x10: 0000ffffffffffff x9 : 0000000020000180
x8 : 00000000fffffff2 x7 : ffff800008750ed4 x6 : 0000000000000000
x5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000001
x2 : 0000000000000008 x1 : 0000000000000001 x0 : 0000000000000000
Call trace:
mm_release+0x1c8/0x314 kernel/fork.c:1414
exit_mm_release+0x30/0x40 kernel/fork.c:1432
exit_mm+0xa4/0x684 kernel/exit.c:488
do_exit+0x4ec/0x1f58 kernel/exit.c:870
do_group_exit+0x100/0x268 kernel/exit.c:997
get_signal+0x73c/0x1340 kernel/signal.c:2900
do_signal arch/arm64/kernel/signal.c:893 [inline]
do_notify_resume+0x35c/0x3128 arch/arm64/kernel/signal.c:946
prepare_exit_to_user_mode arch/arm64/kernel/entry-common.c:133 [inline]
exit_to_user_mode arch/arm64/kernel/entry-common.c:138 [inline]
el0_svc+0xf0/0x1e0 arch/arm64/kernel/entry-common.c:609
el0t_64_sync_handler+0xcc/0xe4 arch/arm64/kernel/entry-common.c:626
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
Code: ea2a013f 9a9f02cb d503229f b8000968 (38776b08)
---[ end trace effd23847c07404e ]---
----------------
Code disassembly (best guess):
0: ea2a013f bics xzr, x9, x10
4: 9a9f02cb csel x11, x22, xzr, eq // eq = none
8: d503229f csdb
c: b8000968 sttr w8, [x11]
* 10: 38776b08 ldrb w8, [x24, x23] <-- trapping instruction
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: c79648372d02 Linux 5.15.189
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1483cc34580000
kernel config: https://syzkaller.appspot.com/x/.config?x=9e47345638b85bd0
dashboard link: https://syzkaller.appspot.com/bug?extid=7ee4651d2db83a5b6a2b
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
userspace arch: arm64
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/7ab49562317a/disk-c7964837.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/e847ec1e38d3/vmlinux-c7964837.xz
kernel image: https://storage.googleapis.com/syzbot-assets/263158c6371c/Image-c7964837.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+7ee465...@syzkaller.appspotmail.com
Internal error: Oops - BTI: 0000000036000001 [#1] PREEMPT SMP
Modules linked in:
CPU: 1 PID: 4221 Comm: syz.3.25 Not tainted 5.15.189-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/30/2025
pstate: 42400405 (nZcv daif +PAN -UAO +TCO -DIT -SSBS BTYPE=jc)
pc : mm_release+0x1c8/0x314 kernel/fork.c:1415
lr : __uaccess_mask_ptr arch/arm64/include/asm/uaccess.h:244 [inline]
lr : mm_release+0x1ac/0x314 kernel/fork.c:1414
sp : ffff80001fd577f0
x29: ffff80001fd577f0 x28: dfff800000000000 x27: ffff0000d8742370
x26: 0000000000400544 x25: 0000002000018000 x24: 1fffe0001b0e8434
x23: dfff800000000000 x22: 0000000020000180 x21: 0000000000000001
x20: ffff0000d87421a0 x19: ffff0000d8741b40 x18: 0000000000000000
x17: 0000000000000002 x16: ffff80000817ac7c x15: 00000000fffffe00
x14: 0000000000ff0100 x13: 1ffff0000282e06b x12: 0000000000ff0100
x11: 0000000020000180 x10: 0000ffffffffffff x9 : 0000000020000180
x8 : 00000000fffffff2 x7 : ffff800008750ed4 x6 : 0000000000000000
x5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000001
x2 : 0000000000000008 x1 : 0000000000000001 x0 : 0000000000000000
Call trace:
mm_release+0x1c8/0x314 kernel/fork.c:1414
exit_mm_release+0x30/0x40 kernel/fork.c:1432
exit_mm+0xa4/0x684 kernel/exit.c:488
do_exit+0x4ec/0x1f58 kernel/exit.c:870
do_group_exit+0x100/0x268 kernel/exit.c:997
get_signal+0x73c/0x1340 kernel/signal.c:2900
do_signal arch/arm64/kernel/signal.c:893 [inline]
do_notify_resume+0x35c/0x3128 arch/arm64/kernel/signal.c:946
prepare_exit_to_user_mode arch/arm64/kernel/entry-common.c:133 [inline]
exit_to_user_mode arch/arm64/kernel/entry-common.c:138 [inline]
el0_svc+0xf0/0x1e0 arch/arm64/kernel/entry-common.c:609
el0t_64_sync_handler+0xcc/0xe4 arch/arm64/kernel/entry-common.c:626
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
Code: ea2a013f 9a9f02cb d503229f b8000968 (38776b08)
---[ end trace effd23847c07404e ]---
----------------
Code disassembly (best guess):
0: ea2a013f bics xzr, x9, x10
4: 9a9f02cb csel x11, x22, xzr, eq // eq = none
8: d503229f csdb
c: b8000968 sttr w8, [x11]
* 10: 38776b08 ldrb w8, [x24, x23] <-- trapping instruction
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot
Aug 13, 2025, 11:36:29 AM8/13/25
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:
HEAD commit: c79648372d02 Linux 5.15.189
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=101775a2580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11a32af0580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/7ab49562317a/disk-c7964837.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/e847ec1e38d3/vmlinux-c7964837.xz
kernel image: https://storage.googleapis.com/syzbot-assets/263158c6371c/Image-c7964837.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+7ee465...@syzkaller.appspotmail.com
Internal error: Oops - BTI: 0000000036000001 [#1] PREEMPT SMP
Modules linked in:
CPU: 1 PID: 4233 Comm: syz.0.17 Not tainted 5.15.189-syzkaller #0
x29: ffff80001fd877f0 x28: dfff800000000000 x27: ffff0000d4302370
x26: 0000000000400444 x25: 0000002000018000 x24: 1fffe0001a860434
x17: 0000000000000000 x16: ffff80000817ac7c x15: 00000000fffffe00
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
HEAD commit: c79648372d02 Linux 5.15.189
git tree: linux-5.15.y
kernel config: https://syzkaller.appspot.com/x/.config?x=9e47345638b85bd0
dashboard link: https://syzkaller.appspot.com/bug?extid=7ee4651d2db83a5b6a2b
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1558a5a2580000
dashboard link: https://syzkaller.appspot.com/bug?extid=7ee4651d2db83a5b6a2b
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
userspace arch: arm64
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11a32af0580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/7ab49562317a/disk-c7964837.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/e847ec1e38d3/vmlinux-c7964837.xz
kernel image: https://storage.googleapis.com/syzbot-assets/263158c6371c/Image-c7964837.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+7ee465...@syzkaller.appspotmail.com
Internal error: Oops - BTI: 0000000036000001 [#1] PREEMPT SMP
Modules linked in:
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/30/2025
pstate: 42400405 (nZcv daif +PAN -UAO +TCO -DIT -SSBS BTYPE=jc)
pc : mm_release+0x1c8/0x314 kernel/fork.c:1415
lr : __uaccess_mask_ptr arch/arm64/include/asm/uaccess.h:244 [inline]
lr : mm_release+0x1ac/0x314 kernel/fork.c:1414
sp : ffff80001fd877f0
pstate: 42400405 (nZcv daif +PAN -UAO +TCO -DIT -SSBS BTYPE=jc)
pc : mm_release+0x1c8/0x314 kernel/fork.c:1415
lr : __uaccess_mask_ptr arch/arm64/include/asm/uaccess.h:244 [inline]
lr : mm_release+0x1ac/0x314 kernel/fork.c:1414
x29: ffff80001fd877f0 x28: dfff800000000000 x27: ffff0000d4302370
x26: 0000000000400444 x25: 0000002000018000 x24: 1fffe0001a860434
x23: dfff800000000000 x22: 0000000020000180 x21: 0000000000000001
x20: ffff0000d43021a0 x19: ffff0000d4301b40 x18: 0000000000000000
x17: 0000000000000000 x16: ffff80000817ac7c x15: 00000000fffffe00
x14: 0000000000ff0100 x13: 1ffff0000282e06b x12: 0000000000ff0100
x11: 0000000020000180 x10: 0000ffffffffffff x9 : 0000000020000180
x8 : 00000000fffffff2 x7 : ffff800008750ed4 x6 : 0000000000000000
x5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000001
x2 : 0000000000000008 x1 : 0000000000000001 x0 : 0000000000000000
Call trace:
mm_release+0x1c8/0x314 kernel/fork.c:1414
exit_mm_release+0x30/0x40 kernel/fork.c:1432
exit_mm+0xa4/0x684 kernel/exit.c:488
do_exit+0x4ec/0x1f58 kernel/exit.c:870
do_group_exit+0x100/0x268 kernel/exit.c:997
get_signal+0x73c/0x1340 kernel/signal.c:2900
do_signal arch/arm64/kernel/signal.c:893 [inline]
do_notify_resume+0x35c/0x3128 arch/arm64/kernel/signal.c:946
prepare_exit_to_user_mode arch/arm64/kernel/entry-common.c:133 [inline]
exit_to_user_mode arch/arm64/kernel/entry-common.c:138 [inline]
el0_svc+0xf0/0x1e0 arch/arm64/kernel/entry-common.c:609
el0t_64_sync_handler+0xcc/0xe4 arch/arm64/kernel/entry-common.c:626
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
Code: ea2a013f 9a9f02cb d503229f b8000968 (38776b08)
---[ end trace 6a146c196bbf1d03 ]---
x11: 0000000020000180 x10: 0000ffffffffffff x9 : 0000000020000180
x8 : 00000000fffffff2 x7 : ffff800008750ed4 x6 : 0000000000000000
x5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000001
x2 : 0000000000000008 x1 : 0000000000000001 x0 : 0000000000000000
Call trace:
mm_release+0x1c8/0x314 kernel/fork.c:1414
exit_mm_release+0x30/0x40 kernel/fork.c:1432
exit_mm+0xa4/0x684 kernel/exit.c:488
do_exit+0x4ec/0x1f58 kernel/exit.c:870
do_group_exit+0x100/0x268 kernel/exit.c:997
get_signal+0x73c/0x1340 kernel/signal.c:2900
do_signal arch/arm64/kernel/signal.c:893 [inline]
do_notify_resume+0x35c/0x3128 arch/arm64/kernel/signal.c:946
prepare_exit_to_user_mode arch/arm64/kernel/entry-common.c:133 [inline]
exit_to_user_mode arch/arm64/kernel/entry-common.c:138 [inline]
el0_svc+0xf0/0x1e0 arch/arm64/kernel/entry-common.c:609
el0t_64_sync_handler+0xcc/0xe4 arch/arm64/kernel/entry-common.c:626
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
Code: ea2a013f 9a9f02cb d503229f b8000968 (38776b08)
----------------
Code disassembly (best guess):
0: ea2a013f bics xzr, x9, x10
4: 9a9f02cb csel x11, x22, xzr, eq // eq = none
8: d503229f csdb
c: b8000968 sttr w8, [x11]
* 10: 38776b08 ldrb w8, [x24, x23] <-- trapping instruction
---
If you want syzbot to run the reproducer, reply with:
Code disassembly (best guess):
0: ea2a013f bics xzr, x9, x10
4: 9a9f02cb csel x11, x22, xzr, eq // eq = none
8: d503229f csdb
c: b8000968 sttr w8, [x11]
* 10: 38776b08 ldrb w8, [x24, x23] <-- trapping instruction
---
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
Reply all
Reply to author
Forward
0 new messages