[v5.15] WARNING in vmacache_find

syzbot

Oct 17, 2025, 7:56:31 AM (21 hours ago) Oct 17
to syzkaller...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 29e53a5b1c4f Linux 5.15.194
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1116a492580000
kernel config: https://syzkaller.appspot.com/x/.config?x=e1bb6d24ef2164eb
dashboard link: https://syzkaller.appspot.com/bug?extid=661da7313dc9ecc959b8
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/6cf4d5e6e441/disk-29e53a5b.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/b332ae2ff099/vmlinux-29e53a5b.xz
kernel image: https://storage.googleapis.com/syzbot-assets/2f344d06d6b9/bzImage-29e53a5b.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+661da7...@syzkaller.appspotmail.com

------------[ cut here ]------------
WARNING: CPU: 0 PID: 2965 at mm/vmacache.c:76 vmacache_find+0x55e/0x590 mm/vmacache.c:76
Modules linked in:
CPU: 0 PID: 2965 Comm: dhcpcd-run-hook Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
RIP: 0010:vmacache_find+0x55e/0x590 mm/vmacache.c:76
Code: fc ff ff e8 c4 2f ce ff 45 31 e4 e9 9e fc ff ff e8 b7 2f ce ff eb 13 e8 b0 2f ce ff eb 0c e8 a9 2f ce ff eb 05 e8 a2 2f ce ff <0f> 0b 45 31 e4 e9 7a fc ff ff 44 89 e1 80 e1 07 80 c1 03 38 c1 0f
RSP: 0018:ffffc900034ff4e8 EFLAGS: 00010093
RAX: ffffffff81a99a99 RBX: 00007f77a6cb4107 RCX: ffff88807dfb9dc0
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffff888065087358 R08: dffffc0000000000 R09: ffffed100f42c2b8
R10: ffffed100f42c2b8 R11: 1ffff1100f42c2b7 R12: ffff888065087318
R13: 0000000000000002 R14: ffff88807a161500 R15: ffff88807dfb9dc0
FS: 0000000000000000(0000) GS:ffff8880b9000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f77a6d6e286 CR3: 0000000064bdc000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
Call Trace:
<TASK>
find_vma+0xc5/0x230 mm/mmap.c:2279
stack_map_get_build_id_offset+0x2a6/0x860 kernel/bpf/stackmap.c:196
__bpf_get_stackid+0x55d/0x920 kernel/bpf/stackmap.c:294
____bpf_get_stackid_raw_tp kernel/trace/bpf_trace.c:1465 [inline]
bpf_get_stackid_raw_tp+0x175/0x1b0 kernel/trace/bpf_trace.c:1454
bpf_prog_e95a4a16f042d2d7+0x21/0xd64
bpf_dispatcher_nop_func include/linux/bpf.h:888 [inline]
__bpf_prog_run include/linux/filter.h:621 [inline]
bpf_prog_run include/linux/filter.h:635 [inline]
__bpf_trace_run kernel/trace/bpf_trace.c:1878 [inline]
bpf_trace_run2+0x242/0x2d0 kernel/trace/bpf_trace.c:1915
trace_tlb_flush+0xe6/0x110 include/trace/events/tlb.h:38
switch_mm_irqs_off+0x6e3/0x9a0 arch/x86/mm/tlb.c:-1
switch_mm+0xa7/0x120 arch/x86/mm/tlb.c:323
exec_mmap+0x285/0x5c0 fs/exec.c:1024
begin_new_exec+0x7e8/0x1160 fs/exec.c:1293
load_elf_binary+0x98e/0x2890 fs/binfmt_elf.c:1001
search_binary_handler fs/exec.c:1742 [inline]
exec_binprm fs/exec.c:1783 [inline]
bprm_execve+0xa92/0x17d0 fs/exec.c:1852
do_execveat_common+0x51e/0x6d0 fs/exec.c:1957
do_execve fs/exec.c:2027 [inline]
__do_sys_execve fs/exec.c:2103 [inline]
__se_sys_execve fs/exec.c:2098 [inline]
__x64_sys_execve+0x8e/0xa0 fs/exec.c:2098
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7f77a6cb4107
Code: Unable to access opcode bytes at RIP 0x7f77a6cb40dd.
RSP: 002b:00007ffd2cbea8d8 EFLAGS: 00000246 ORIG_RAX: 000000000000003b
RAX: ffffffffffffffda RBX: 00005575b0770fe0 RCX: 00007f77a6cb4107
RDX: 00005575b0771000 RSI: 00005575b0770fe0 RDI: 00005575b0771088
RBP: 00005575b0771088 R08: 00007ffd2cbeceb1 R09: 0000000000000000
R10: 0000000000000008 R11: 0000000000000246 R12: 00005575b0771000
R13: 00007f77a6e79e8b R14: 00005575b0771000 R15: 0000000000000000
</TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite the report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

syzbot

Oct 17, 2025, 10:56:36 AM (18 hours ago) Oct 17
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: 29e53a5b1c4f Linux 5.15.194
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=161935e2580000
kernel config: https://syzkaller.appspot.com/x/.config?x=e1bb6d24ef2164eb
dashboard link: https://syzkaller.appspot.com/bug?extid=661da7313dc9ecc959b8
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=134e75e2580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/6cf4d5e6e441/disk-29e53a5b.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/b332ae2ff099/vmlinux-29e53a5b.xz
kernel image: https://storage.googleapis.com/syzbot-assets/2f344d06d6b9/bzImage-29e53a5b.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+661da7...@syzkaller.appspotmail.com

------------[ cut here ]------------
WARNING: CPU: 0 PID: 10701 at mm/vmacache.c:76 vmacache_find+0x55e/0x590 mm/vmacache.c:76
Modules linked in:
CPU: 0 PID: 10701 Comm: dhcpcd-run-hook Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
RIP: 0010:vmacache_find+0x55e/0x590 mm/vmacache.c:76
Code: fc ff ff e8 c4 2f ce ff 45 31 e4 e9 9e fc ff ff e8 b7 2f ce ff eb 13 e8 b0 2f ce ff eb 0c e8 a9 2f ce ff eb 05 e8 a2 2f ce ff <0f> 0b 45 31 e4 e9 7a fc ff ff 44 89 e1 80 e1 07 80 c1 03 38 c1 0f
RSP: 0018:ffffc900024774a8 EFLAGS: 00010093
RAX: ffffffff81a99a99 RBX: 00007f573d6ab107 RCX: ffff888027c33b80
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffff888029e72148 R08: dffffc0000000000 R09: ffffed100f9de0f8
R10: ffffed100f9de0f8 R11: 1ffff1100f9de0f7 R12: ffff888029e72108
R13: 0000000000000003 R14: ffff88807cef0700 R15: ffff888027c33b80
FS: 0000000000000000(0000) GS:ffff8880b9000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f573d765286 CR3: 0000000022899000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
find_vma+0xc5/0x230 mm/mmap.c:2279
stack_map_get_build_id_offset+0x2a6/0x860 kernel/bpf/stackmap.c:196
__bpf_get_stackid+0x55d/0x920 kernel/bpf/stackmap.c:294
____bpf_get_stackid_raw_tp kernel/trace/bpf_trace.c:1465 [inline]
bpf_get_stackid_raw_tp+0x175/0x1b0 kernel/trace/bpf_trace.c:1454
bpf_prog_e95a4a16f042d2d7+0x21/0x174
bpf_dispatcher_nop_func include/linux/bpf.h:888 [inline]
__bpf_prog_run include/linux/filter.h:628 [inline]
bpf_prog_run include/linux/filter.h:635 [inline]
__bpf_trace_run kernel/trace/bpf_trace.c:1878 [inline]
bpf_trace_run2+0x15b/0x2d0 kernel/trace/bpf_trace.c:1915
__traceiter_tlb_flush+0x69/0xb0 include/trace/events/tlb.h:38
trace_tlb_flush+0xe6/0x110 include/trace/events/tlb.h:38
switch_mm_irqs_off+0x6e3/0x9a0 arch/x86/mm/tlb.c:-1
switch_mm+0xa7/0x120 arch/x86/mm/tlb.c:323
exec_mmap+0x285/0x5c0 fs/exec.c:1024
begin_new_exec+0x7e8/0x1160 fs/exec.c:1293
load_elf_binary+0x98e/0x2890 fs/binfmt_elf.c:1001
search_binary_handler fs/exec.c:1742 [inline]
exec_binprm fs/exec.c:1783 [inline]
bprm_execve+0xa92/0x17d0 fs/exec.c:1852
do_execveat_common+0x51e/0x6d0 fs/exec.c:1957
do_execve fs/exec.c:2027 [inline]
__do_sys_execve fs/exec.c:2103 [inline]
__se_sys_execve fs/exec.c:2098 [inline]
__x64_sys_execve+0x8e/0xa0 fs/exec.c:2098
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7f573d6ab107
Code: Unable to access opcode bytes at RIP 0x7f573d6ab0dd.
RSP: 002b:00007ffdf7559c68 EFLAGS: 00000246 ORIG_RAX: 000000000000003b
RAX: ffffffffffffffda RBX: 0000558f9c9bb080 RCX: 00007f573d6ab107
RDX: 0000558f9c9bb0a8 RSI: 0000558f9c9bb080 RDI: 0000558f9c9bb138
RBP: 0000558f9c9bb138 R08: 00007ffdf755deb4 R09: 0000000000000000
R10: 0000000000000008 R11: 0000000000000246 R12: 0000558f9c9bb0a8
R13: 00007f573d870e8b R14: 0000558f9c9bb0a8 R15: 0000000000000000
</TASK>


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.