Hello,
syzbot found the following issue on:
HEAD commit: 18be4ca5cb4e riscv: lib: optimize strlen loop efficiency
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git for-next
console output: https://syzkaller.appspot.com/x/log.txt?x=10c59b3a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=781a4eb07921464d
dashboard link: https://syzkaller.appspot.com/bug?extid=2b5fe617654be3d8848b
compiler: riscv64-linux-gnu-gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
userspace arch: riscv64
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/a741b348759c/non_bootable_disk-18be4ca5.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/c6b87a8d77c4/vmlinux-18be4ca5.xz
kernel image: https://storage.googleapis.com/syzbot-assets/d5126373321c/Image-18be4ca5.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+2b5fe6...@syzkaller.appspotmail.com
------------[ cut here ]------------
kernel BUG at [] mm/page_table_check.c:142!
Kernel BUG [#1]
Modules linked in:
CPU: 0 UID: 0 PID: 3940 Comm: syz.1.16 Not tainted syzkaller #0 PREEMPT
Hardware name: riscv-virtio,qemu (DT)
epc : __page_table_check_zero+0x396/0x544 mm/page_table_check.c:142
ra : __page_table_check_zero+0x396/0x544 mm/page_table_check.c:142
epc : ffffffff80bfdcce ra : ffffffff80bfdcce sp : ffff8f800af273e0
gp : ffffffff89f9df20 tp : ffffaf8013f64f80 t0 : ffff8f800af27380
t1 : fffff5ef0269a409 t2 : 0000000000000000 s0 : ffff8f800af27450
s1 : ffffaf80134d2048 a0 : 0000000000000005 a1 : 0000000000000000
a2 : 0000000000000002 a3 : ffffffff80bfdcce a4 : 0000000000000000
a5 : ffffaf8013f65f80 a6 : 0000000000000003 a7 : ffffaf80134d204b
s2 : 0000000000000001 s3 : 0000000000000000 s4 : ffffaf80134d2000
s5 : dfffffff00000000 s6 : 00000000000b2a00 s7 : 0000000000000200
s8 : 0000000000000009 s9 : 0000000000007fff s10: fffffffef1416bb0
s11: ffffffff8a0b5d80 t3 : 0000000000000001 t4 : fffff5ef0269a409
t5 : fffff5ef0269a40a t6 : 0000000000000002 ssp : 0000000000000000
status: 0000000200000120 badaddr: ffffffff80bfdcce cause: 0000000000000003
[<ffffffff80bfdcce>] __page_table_check_zero+0x396/0x544 mm/page_table_check.c:142
[<ffffffff80a775b6>] page_table_check_free include/linux/page_table_check.h:43 [inline]
[<ffffffff80a775b6>] free_pages_prepare mm/page_alloc.c:1434 [inline]
[<ffffffff80a775b6>] free_unref_folios+0xa22/0x1dc8 mm/page_alloc.c:3030
[<ffffffff808aac84>] folios_put_refs+0x41c/0x61c mm/swap.c:1002
[<ffffffff80ac4cec>] free_pages_and_swap_cache+0x29c/0x480 mm/swap_state.c:358
[<ffffffff809e9980>] __tlb_batch_free_encoded_pages+0xe4/0x25c mm/mmu_gather.c:137
[<ffffffff809ec4e4>] tlb_batch_pages_flush mm/mmu_gather.c:150 [inline]
[<ffffffff809ec4e4>] tlb_flush_mmu_free mm/mmu_gather.c:398 [inline]
[<ffffffff809ec4e4>] tlb_flush_mmu mm/mmu_gather.c:405 [inline]
[<ffffffff809ec4e4>] tlb_finish_mmu+0x188/0x824 mm/mmu_gather.c:530
[<ffffffff809e631e>] exit_mmap+0x396/0xca8 mm/mmap.c:1290
[<ffffffff8013b6aa>] __mmput+0x106/0x3d0 kernel/fork.c:1173
[<ffffffff8013b9e8>] mmput+0x74/0x88 kernel/fork.c:1196
[<ffffffff8015b08e>] exit_mm kernel/exit.c:581 [inline]
[<ffffffff8015b08e>] do_exit+0x792/0x2828 kernel/exit.c:959
[<ffffffff8015d578>] __do_sys_exit kernel/exit.c:1079 [inline]
[<ffffffff8015d578>] __se_sys_exit kernel/exit.c:1077 [inline]
[<ffffffff8015d578>] __riscv_sys_exit+0x48/0x54 kernel/exit.c:1077
[<ffffffff80078192>] syscall_handler+0x92/0x114 arch/riscv/include/asm/syscall.h:112
[<ffffffff86391c0a>] do_trap_ecall_u+0x3d2/0x58c arch/riscv/kernel/traps.c:344
[<ffffffff863bb61e>] handle_exception+0x15e/0x16a arch/riscv/kernel/entry.S:232
Code: 7f80 8526 c0ef ec3f 8a2a b791 6097 ff90 80e7 7e60 (9002) 6097
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
0: 7f80 flw fs0,56(a5)
2: 8526 mv a0,s1
4: ec3fc0ef jal 0xffffffffffffcec6
8: 8a2a mv s4,a0
a: b791 j 0xffffffffffffff4e
c: ff906097 auipc ra,0xff906
10: 7e6080e7 jalr 2022(ra) # 0xff9067f2
* 14: 9002 ebreak <-- trapping instruction
16: 9760 .short 0x6097
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup