[syzbot ci] Re: mm: page_ext: add count limit to page_ext_iter_next to prevent invalid PFN access
0 views
Skip to first unread message
syzbot ci
Jun 22, 2026, 1:01:26 PM (2 days ago) Jun 22
to ak...@linux-foundation.org, da...@kernel.org, han...@cmpxchg.org, jack...@google.com, ker...@oss.qualcomm.com, ketan....@oss.qualcomm.com, li...@infradead.org, linux-...@vger.kernel.org, linu...@kvack.org, l...@kernel.org, lui...@redhat.com, mho...@suse.com, rp...@kernel.org, sta...@vger.kernel.org, sur...@google.com, vba...@kernel.org, wi...@infradead.org, z...@nvidia.com, syz...@lists.linux.dev, syzkall...@googlegroups.com
syzbot ci has tested the following series
[v2] mm: page_ext: add count limit to page_ext_iter_next to prevent invalid PFN access
https://lore.kernel.org/all/20260622-page_ext...@oss.qualcomm.com
* [PATCH v2] mm: page_ext: add count limit to page_ext_iter_next to prevent invalid PFN access
and found the following issue:
WARNING in depot_fetch_stack
Full report is available here:
https://ci.syzbot.org/series/092dd7dc-cb78-46b6-8703-6044fff2631d
***
WARNING in depot_fetch_stack
tree: mm-new
URL: https://kernel.googlesource.com/pub/scm/linux/kernel/git/akpm/mm.git
base: e1201ff76176ef666b13d1a4ec6b6190ddc6abc8
arch: amd64
compiler: Debian clang version 22.1.6 (++20260514074242+fc4aad7b5db3-1~exp1~20260514074407.73), Debian LLD 22.1.6
config: https://ci.syzbot.org/builds/18f461a2-7098-44bc-9d42-634b56ba48d9/config
------------[ cut here ]------------
!refcount_read(&stack->count)
WARNING: lib/stackdepot.c:517 at depot_fetch_stack+0x91/0xa0, CPU#0: kworker/u9:4/1114
Modules linked in:
CPU: 0 UID: 0 PID: 1114 Comm: kworker/u9:4 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Workqueue: events_unbound call_usermodehelper_exec_work
RIP: 0010:depot_fetch_stack+0x91/0xa0
Code: 39 f5 72 d0 48 8d 3d 7e 1b 4d 0b 89 ee 44 89 f2 89 d9 67 48 0f b9 3a 31 c0 5b 41 5e 5d e9 87 67 b8 06 cc 90 0f 0b 90 eb ee 90 <0f> 0b 90 eb e8 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90
RSP: 0000:ffffc900079a6ce0 EFLAGS: 00010246
RAX: ffff888168b94000 RBX: 0000000000000ce0 RCX: 0000000000000067
RDX: 0000000000000000 RSI: ffffffff8e215937 RDI: ffffffff8c28ab20
RBP: 0000000000000067 R08: ffff88810495a407 R09: 1ffff1102092b480
R10: dffffc0000000000 R11: ffffed102092b481 R12: 00000000019c0068
R13: 0000000000000001 R14: 000000000000010f R15: ffff88810afb1dc0
FS: 0000000000000000(0000) GS:ffff88818dcb5000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88823ffff000 CR3: 000000000e74a000 CR4: 00000000000006f0
Call Trace:
<TASK>
__set_page_owner+0x140/0x4c0
post_alloc_hook+0x1f9/0x250
get_page_from_freelist+0x21fa/0x2270
__alloc_frozen_pages_noprof+0x18d/0x380
alloc_pages_mpol+0x212/0x380
alloc_pages_noprof+0xac/0x2a0
get_free_pages_noprof+0xf/0x80
__kasan_populate_vmalloc+0x38/0x1c0
alloc_vmap_area+0xd1a/0x1420
__get_vm_area_node+0x1f2/0x300
__vmalloc_node_range_noprof+0x358/0x1730
__vmalloc_node_noprof+0xc2/0x100
dup_task_struct+0x28e/0x830
copy_process+0x79d/0x4380
kernel_clone+0x2d7/0x940
user_mode_thread+0x110/0x180
call_usermodehelper_exec_work+0x5c/0x230
process_scheduled_works+0xa8e/0x14e0
worker_thread+0xa47/0xfb0
kthread+0x389/0x470
ret_from_fork+0x514/0xb70
ret_from_fork_asm+0x1a/0x30
</TASK>
***
If these findings have caused you to resend the series or submit a
separate fix, please add the following tag to your commit message:
Tested-by: syz...@syzkaller.appspotmail.com
---
This report is generated by a bot. It may contain errors.
syzbot ci engineers can be reached at syzk...@googlegroups.com.
To test a patch for this bug, please reply with `#syz test`
(should be on a separate line).
The patch should be attached to the email.
Note: arguments like custom git repos and branches are not supported.
[v2] mm: page_ext: add count limit to page_ext_iter_next to prevent invalid PFN access
https://lore.kernel.org/all/20260622-page_ext...@oss.qualcomm.com
* [PATCH v2] mm: page_ext: add count limit to page_ext_iter_next to prevent invalid PFN access
and found the following issue:
WARNING in depot_fetch_stack
Full report is available here:
https://ci.syzbot.org/series/092dd7dc-cb78-46b6-8703-6044fff2631d
***
WARNING in depot_fetch_stack
tree: mm-new
URL: https://kernel.googlesource.com/pub/scm/linux/kernel/git/akpm/mm.git
base: e1201ff76176ef666b13d1a4ec6b6190ddc6abc8
arch: amd64
compiler: Debian clang version 22.1.6 (++20260514074242+fc4aad7b5db3-1~exp1~20260514074407.73), Debian LLD 22.1.6
config: https://ci.syzbot.org/builds/18f461a2-7098-44bc-9d42-634b56ba48d9/config
------------[ cut here ]------------
!refcount_read(&stack->count)
WARNING: lib/stackdepot.c:517 at depot_fetch_stack+0x91/0xa0, CPU#0: kworker/u9:4/1114
Modules linked in:
CPU: 0 UID: 0 PID: 1114 Comm: kworker/u9:4 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Workqueue: events_unbound call_usermodehelper_exec_work
RIP: 0010:depot_fetch_stack+0x91/0xa0
Code: 39 f5 72 d0 48 8d 3d 7e 1b 4d 0b 89 ee 44 89 f2 89 d9 67 48 0f b9 3a 31 c0 5b 41 5e 5d e9 87 67 b8 06 cc 90 0f 0b 90 eb ee 90 <0f> 0b 90 eb e8 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90
RSP: 0000:ffffc900079a6ce0 EFLAGS: 00010246
RAX: ffff888168b94000 RBX: 0000000000000ce0 RCX: 0000000000000067
RDX: 0000000000000000 RSI: ffffffff8e215937 RDI: ffffffff8c28ab20
RBP: 0000000000000067 R08: ffff88810495a407 R09: 1ffff1102092b480
R10: dffffc0000000000 R11: ffffed102092b481 R12: 00000000019c0068
R13: 0000000000000001 R14: 000000000000010f R15: ffff88810afb1dc0
FS: 0000000000000000(0000) GS:ffff88818dcb5000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88823ffff000 CR3: 000000000e74a000 CR4: 00000000000006f0
Call Trace:
<TASK>
__set_page_owner+0x140/0x4c0
post_alloc_hook+0x1f9/0x250
get_page_from_freelist+0x21fa/0x2270
__alloc_frozen_pages_noprof+0x18d/0x380
alloc_pages_mpol+0x212/0x380
alloc_pages_noprof+0xac/0x2a0
get_free_pages_noprof+0xf/0x80
__kasan_populate_vmalloc+0x38/0x1c0
alloc_vmap_area+0xd1a/0x1420
__get_vm_area_node+0x1f2/0x300
__vmalloc_node_range_noprof+0x358/0x1730
__vmalloc_node_noprof+0xc2/0x100
dup_task_struct+0x28e/0x830
copy_process+0x79d/0x4380
kernel_clone+0x2d7/0x940
user_mode_thread+0x110/0x180
call_usermodehelper_exec_work+0x5c/0x230
process_scheduled_works+0xa8e/0x14e0
worker_thread+0xa47/0xfb0
kthread+0x389/0x470
ret_from_fork+0x514/0xb70
ret_from_fork_asm+0x1a/0x30
</TASK>
***
If these findings have caused you to resend the series or submit a
separate fix, please add the following tag to your commit message:
Tested-by: syz...@syzkaller.appspotmail.com
---
This report is generated by a bot. It may contain errors.
syzbot ci engineers can be reached at syzk...@googlegroups.com.
To test a patch for this bug, please reply with `#syz test`
(should be on a separate line).
The patch should be attached to the email.
Note: arguments like custom git repos and branches are not supported.
Zi Yan
Jun 22, 2026, 3:36:36 PM (2 days ago) Jun 22
to syzbot ci, ak...@linux-foundation.org, da...@kernel.org, han...@cmpxchg.org, jack...@google.com, ker...@oss.qualcomm.com, ketan....@oss.qualcomm.com, li...@infradead.org, linux-...@vger.kernel.org, linu...@kvack.org, l...@kernel.org, lui...@redhat.com, mho...@suse.com, rp...@kernel.org, sta...@vger.kernel.org, sur...@google.com, vba...@kernel.org, wi...@infradead.org, syz...@lists.linux.dev, syzkall...@googlegroups.com
Best Regards,
Yan, Zi
syzbot ci
Jun 22, 2026, 4:25:01 PM (2 days ago) Jun 22
to z...@nvidia.com, ak...@linux-foundation.org, da...@kernel.org, han...@cmpxchg.org, jack...@google.com, ker...@oss.qualcomm.com, ketan....@oss.qualcomm.com, li...@infradead.org, linux-...@vger.kernel.org, linu...@kvack.org, l...@kernel.org, lui...@redhat.com, mho...@suse.com, rp...@kernel.org, sta...@vger.kernel.org, sur...@google.com, syz...@lists.linux.dev, syzkall...@googlegroups.com, vba...@kernel.org, wi...@infradead.org, syz...@lists.linux.dev, syzkall...@googlegroups.com
syzbot ci has tested the suggested fix patch on top of the following series:
[v2] mm: page_ext: add count limit to page_ext_iter_next to prevent invalid PFN access
https://lore.kernel.org/all/20260622-page_ext...@oss.qualcomm.com
Patch: https://ci.syzbot.org/jobs/c1b2fffb-acae-4bd1-b00c-622d37f59120/patch
Testing results:
* [build 0] Build Patched: passed
* [build 0] Boot test: Patched: passed
Full report is available here:
https://ci.syzbot.org/session/e38844bc-7d59-4cf9-ac06-b987a2745fb3
[v2] mm: page_ext: add count limit to page_ext_iter_next to prevent invalid PFN access
https://lore.kernel.org/all/20260622-page_ext...@oss.qualcomm.com
Testing results:
* [build 0] Build Patched: passed
* [build 0] Boot test: Patched: passed
Full report is available here:
Ketan Kishore
Jun 23, 2026, 2:54:12 AM (yesterday) Jun 23
to Zi Yan, syzbot ci, ak...@linux-foundation.org, da...@kernel.org, han...@cmpxchg.org, jack...@google.com, ker...@oss.qualcomm.com, li...@infradead.org, linux-...@vger.kernel.org, linu...@kvack.org, l...@kernel.org, lui...@redhat.com, mho...@suse.com, rp...@kernel.org, sta...@vger.kernel.org, sur...@google.com, vba...@kernel.org, wi...@infradead.org, syz...@lists.linux.dev, syzkall...@googlegroups.com
Thankyou Yan.
i missed the post increment change from the last v2.
i am posting a v3 with pre incerement.
- if (iter->index++ >= count)
+ if (++iter->index >= count)
i think that is aligned with the fix you suggested.
Thank you
Ketan
i missed the post increment change from the last v2.
i am posting a v3 with pre incerement.
- if (iter->index++ >= count)
+ if (++iter->index >= count)
i think that is aligned with the fix you suggested.
Thank you
Ketan
Reply all
Reply to author
Forward
0 new messages