kernel BUG in __filemap_add_folio


Dileep Sankhla

Nov 4, 2025, 2:57:28 AM
to syzbot+4d3cc3...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
my_patch.patch

syzbot

Nov 4, 2025, 4:40:05 AM
to dileepsa...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
kernel BUG in mpage_readahead

------------[ cut here ]------------
kernel BUG at ./include/linux/pagemap.h:1398!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 15896 Comm: syz.2.4490 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
RIP: 0010:__readahead_folio include/linux/pagemap.h:1398 [inline]
RIP: 0010:readahead_folio include/linux/pagemap.h:1424 [inline]
RIP: 0010:mpage_readahead+0x399/0x590 fs/mpage.c:367
Code: 24 84 c0 74 08 3c 03 0f 8e 61 01 00 00 44 8b 7b 20 89 ef 44 89 fe e8 f6 a2 72 ff 41 39 ef 0f 83 9f fd ff ff e8 68 a8 72 ff 90 <0f> 0b e8 60 a8 72 ff 4c 89 ea 48 b8 00 00 00 00 00 fc ff df 48 c1
RSP: 0018:ffffc90010c6f640 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffffc90010c6faf8 RCX: ffffffff8248e65a
RDX: ffff888029b1c880 RSI: ffffffff8248e668 RDI: 0000000000000004
RBP: 0000000000000004 R08: 0000000000000004 R09: 0000000000000004
R10: 0000000000000001 R11: 0000000000000000 R12: dffffc0000000000
R13: ffffc90010c6fb1c R14: fffff5200218df63 R15: 0000000000000001
FS: 000055555fc7a500(0000) GS:ffff8881246b5000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2dc63fff CR3: 0000000029c5c000 CR4: 00000000003526f0
Call Trace:
<TASK>
read_pages+0x1c4/0xc70 mm/readahead.c:160
page_cache_ra_unbounded+0x5d2/0x7d0 mm/readahead.c:264
do_page_cache_ra mm/readahead.c:327 [inline]
page_cache_ra_order+0xa28/0xd60 mm/readahead.c:532
do_sync_mmap_readahead mm/filemap.c:3304 [inline]
filemap_fault+0x152e/0x2930 mm/filemap.c:3445
__do_fault+0x10d/0x490 mm/memory.c:5152
do_shared_fault mm/memory.c:5637 [inline]
do_fault mm/memory.c:5711 [inline]
do_pte_missing+0x1a6/0x3ba0 mm/memory.c:4234
handle_pte_fault mm/memory.c:6052 [inline]
__handle_mm_fault+0x152a/0x2a50 mm/memory.c:6195
handle_mm_fault+0x589/0xd10 mm/memory.c:6364
do_user_addr_fault+0x60c/0x1370 arch/x86/mm/fault.c:1336
handle_page_fault arch/x86/mm/fault.c:1476 [inline]
exc_page_fault+0x5c/0xb0 arch/x86/mm/fault.c:1532
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
RIP: 0033:0x7ffbdbb58088
Code: 66 89 74 17 02 88 0f c3 c5 fa 6f 06 c5 fa 6f 4c 16 f0 c5 fa 7f 07 c5 fa 7f 4c 17 f0 c3 0f 1f 44 00 00 48 8b 4c 16 f8 48 8b 36 <48> 89 37 48 89 4c 17 f8 c3 62 e1 fe 28 6f 54 16 ff 62 e1 fe 28 6f
RSP: 002b:00007fff9dac8778 EFLAGS: 00010202
RAX: 0000200000000080 RBX: 0000000000000004 RCX: 0030626c6c756e2f
RDX: 000000000000000c RSI: 6c756e2f7665642f RDI: 0000200000000080
RBP: 00007ffbdbdd7da0 R08: 0000001b2eb20000 R09: 0000000000000001
R10: 0000000000000001 R11: 0000000000000009 R12: 00007ffbdbdd5fac
R13: 00007ffbdbdd5fa0 R14: fffffffffffffffe R15: 00007fff9dac8890
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__readahead_folio include/linux/pagemap.h:1398 [inline]
RIP: 0010:readahead_folio include/linux/pagemap.h:1424 [inline]
RIP: 0010:mpage_readahead+0x399/0x590 fs/mpage.c:367
Code: 24 84 c0 74 08 3c 03 0f 8e 61 01 00 00 44 8b 7b 20 89 ef 44 89 fe e8 f6 a2 72 ff 41 39 ef 0f 83 9f fd ff ff e8 68 a8 72 ff 90 <0f> 0b e8 60 a8 72 ff 4c 89 ea 48 b8 00 00 00 00 00 fc ff df 48 c1
RSP: 0018:ffffc90010c6f640 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffffc90010c6faf8 RCX: ffffffff8248e65a
RDX: ffff888029b1c880 RSI: ffffffff8248e668 RDI: 0000000000000004
RBP: 0000000000000004 R08: 0000000000000004 R09: 0000000000000004
R10: 0000000000000001 R11: 0000000000000000 R12: dffffc0000000000
R13: ffffc90010c6fb1c R14: fffff5200218df63 R15: 0000000000000001
FS: 000055555fc7a500(0000) GS:ffff8881246b5000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005555704e95c8 CR3: 0000000029c5c000 CR4: 00000000003526f0


Tested on:

commit: 9dd1835e Merge tag 'dma-mapping-6.17-2025-09-09' of gi..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=10cdc114580000
kernel config: https://syzkaller.appspot.com/x/.config?x=c53bac41b8ca5327
dashboard link: https://syzkaller.appspot.com/bug?extid=4d3cc33ef7a77041efa6
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=103ee342580000

Dileep Sankhla

Dec 10, 2025, 6:49:05 AM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
my_patch.patch

syzbot

Dec 10, 2025, 7:22:05 AM
to dileepsa...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: task hung in set_blocksize

INFO: task syz.0.1117:9015 blocked for more than 143 seconds.
Not tainted syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.0.1117 state:D stack:27296 pid:9015 tgid:9012 ppid:6400 task_flags:0x400140 flags:0x00080002
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5256 [inline]
__schedule+0x1139/0x6150 kernel/sched/core.c:6863
__schedule_loop kernel/sched/core.c:6945 [inline]
schedule+0xe7/0x3a0 kernel/sched/core.c:6960
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7017
rwsem_down_write_slowpath+0x521/0x1310 kernel/locking/rwsem.c:1185
__down_write_common kernel/locking/rwsem.c:1317 [inline]
__down_write kernel/locking/rwsem.c:1326 [inline]
down_write+0x1d6/0x200 kernel/locking/rwsem.c:1591
filemap_invalidate_lock include/linux/fs.h:1082 [inline]
set_blocksize+0x20f/0x500 block/bdev.c:204
blkdev_bszset+0x19b/0x240 block/ioctl.c:634
blkdev_ioctl+0x2ef/0x6e0 block/ioctl.c:773
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f939698eba9
RSP: 002b:00007f93978b0038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f9396bd5fa0 RCX: 00007f939698eba9
RDX: 0000200000000980 RSI: 0000000040081271 RDI: 0000000000000005
RBP: 00007f9396a11e19 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f9396bd6038 R14: 00007f9396bd5fa0 R15: 00007ffd57bc7cc8
</TASK>
INFO: task syz.1.1118:9013 blocked for more than 143 seconds.
Not tainted syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.1.1118 state:D stack:27536 pid:9013 tgid:9013 ppid:6399 task_flags:0x440040 flags:0x00080002
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5256 [inline]
__schedule+0x1139/0x6150 kernel/sched/core.c:6863
__schedule_loop kernel/sched/core.c:6945 [inline]
schedule+0xe7/0x3a0 kernel/sched/core.c:6960
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7017
rwsem_down_read_slowpath+0x64b/0xbf0 kernel/locking/rwsem.c:1086
__down_read_common kernel/locking/rwsem.c:1261 [inline]
__down_read kernel/locking/rwsem.c:1274 [inline]
down_read+0xef/0x460 kernel/locking/rwsem.c:1539
filemap_invalidate_lock_shared include/linux/fs.h:1092 [inline]
page_cache_ra_unbounded+0x20c/0x9e0 mm/readahead.c:233
do_page_cache_ra mm/readahead.c:332 [inline]
page_cache_ra_order+0x9c8/0xd80 mm/readahead.c:536
do_sync_mmap_readahead mm/filemap.c:3400 [inline]
filemap_fault+0x16ac/0x29d0 mm/filemap.c:3549
__do_fault+0x10d/0x490 mm/memory.c:5320
do_shared_fault mm/memory.c:5819 [inline]
do_fault+0x302/0x1ad0 mm/memory.c:5893
do_pte_missing mm/memory.c:4401 [inline]
handle_pte_fault mm/memory.c:6273 [inline]
__handle_mm_fault+0x1919/0x2bb0 mm/memory.c:6411
handle_mm_fault+0x3fe/0xad0 mm/memory.c:6580
do_user_addr_fault+0x60c/0x1370 arch/x86/mm/fault.c:1336
handle_page_fault arch/x86/mm/fault.c:1476 [inline]
exc_page_fault+0x64/0xc0 arch/x86/mm/fault.c:1532
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:618
RIP: 0033:0x7f55be158088
RSP: 002b:00007ffe04457bf8 EFLAGS: 00010202
RAX: 0000200000000080 RBX: 0000000000000004 RCX: 0030626c6c756e2f
RDX: 000000000000000c RSI: 6c756e2f7665642f RDI: 0000200000000080
RBP: 00007f55be3d7da0 R08: 0000001b33920000 R09: 0000000000000001
R10: 0000000000000001 R11: 0000000000000009 R12: 00007f55be3d5fac
R13: 00007f55be3d5fa0 R14: fffffffffffffffe R15: 00007ffe04457d10
</TASK>
INFO: lockdep is turned off.
NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 31 Comm: khungtaskd Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
nmi_cpu_backtrace+0x27b/0x390 lib/nmi_backtrace.c:113
nmi_trigger_cpumask_backtrace+0x29c/0x300 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:160 [inline]
__sys_info lib/sys_info.c:157 [inline]
sys_info+0x133/0x180 lib/sys_info.c:165
check_hung_uninterruptible_tasks kernel/hung_task.c:346 [inline]
watchdog+0xe66/0x1180 kernel/hung_task.c:515
kthread+0x3c5/0x780 kernel/kthread.c:463
ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
</TASK>
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
RIP: 0010:pv_native_safe_halt+0xf/0x20 arch/x86/kernel/paravirt.c:82
Code: 86 6c 02 c3 cc cc cc cc 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 66 90 0f 00 2d 13 69 1f 00 fb f4 <e9> cc 35 03 00 66 2e 0f 1f 84 00 00 00 00 00 66 90 90 90 90 90 90
RSP: 0018:ffffc90000197de8 EFLAGS: 000002c6
RAX: 000000000003249c RBX: 0000000000000001 RCX: ffffffff8b6af6d9
RDX: ffffed10170a673e RSI: ffffffff8bf29c80 RDI: ffffffff819335dd
RBP: ffffed1003b56498 R08: 0000000000000000 R09: ffffed10170a673d
R10: ffff8880b85339eb R11: 0000000000005e25 R12: 0000000000000001
R13: ffff88801dab24c0 R14: ffffffff908653d0 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff888124a4e000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055555cc735c8 CR3: 000000005dfbe000 CR4: 00000000003526f0
Call Trace:
<TASK>
arch_safe_halt arch/x86/include/asm/paravirt.h:107 [inline]
default_idle+0x13/0x20 arch/x86/kernel/process.c:767
default_idle_call+0x6c/0xb0 kernel/sched/idle.c:122
cpuidle_idle_call kernel/sched/idle.c:191 [inline]
do_idle+0x38d/0x510 kernel/sched/idle.c:332
cpu_startup_entry+0x4f/0x60 kernel/sched/idle.c:430
start_secondary+0x21d/0x2d0 arch/x86/kernel/smpboot.c:312
common_startup_64+0x13e/0x148
</TASK>


Tested on:

commit: 0048fbb4 Merge tag 'locking-futex-2025-12-10' of git:/..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12b6deb4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=219582171d92591c
dashboard link: https://syzkaller.appspot.com/bug?extid=4d3cc33ef7a77041efa6
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=163fda1a580000

syzbot

7:28 AM
to linux-...@vger.kernel.org, sta...@vger.kernel.org, syzkall...@googlegroups.com, wangjin...@gmail.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
kernel BUG in __filemap_add_folio

reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1395 [inline]
__free_frozen_pages+0x7df/0x1170 mm/page_alloc.c:2943
rcu_do_batch kernel/rcu/tree.c:2605 [inline]
rcu_core+0x79c/0x15f0 kernel/rcu/tree.c:2857
handle_softirqs+0x219/0x950 kernel/softirq.c:622
run_ksoftirqd kernel/softirq.c:1063 [inline]
run_ksoftirqd+0x3a/0x60 kernel/softirq.c:1055
smpboot_thread_fn+0x3f7/0xae0 kernel/smpboot.c:160
kthread+0x3c5/0x780 kernel/kthread.c:463
ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
------------[ cut here ]------------
kernel BUG at mm/filemap.c:858!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 1 UID: 0 PID: 6821 Comm: syz.1.76 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
RIP: 0010:__filemap_add_folio+0xf29/0x11b0 mm/filemap.c:858
Code: 9b c6 ff 48 c7 c6 c0 e9 99 8b 4c 89 ef e8 0f 74 11 00 90 0f 0b e8 47 9b c6 ff 48 c7 c6 20 ea 99 8b 4c 89 ef e8 f8 73 11 00 90 <0f> 0b e8 30 9b c6 ff 90 0f 0b 90 e9 1c fc ff ff e8 22 9b c6 ff 48
RSP: 0018:ffffc900033af840 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff8880737fc980 RSI: ffffffff81f7ebf8 RDI: ffff8880737fce04
RBP: 0000000000112cc0 R08: 0000000000000001 R09: 0000000000000001
R10: ffffffff908689d7 R11: 0000000000000000 R12: 0000000000000002
R13: ffffea0001ce4980 R14: 0000000000000000 R15: 0000000000000000
FS: 000055557770b500(0000) GS:ffff888124a48000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f9aef15c000 CR3: 000000002ee4c000 CR4: 00000000003526f0
Call Trace:
<TASK>
filemap_add_folio+0x19a/0x610 mm/filemap.c:966
ra_alloc_folio mm/readahead.c:453 [inline]
page_cache_ra_order+0x637/0xed0 mm/readahead.c:512
do_sync_mmap_readahead mm/filemap.c:3400 [inline]
filemap_fault+0x16ac/0x29d0 mm/filemap.c:3549
__do_fault+0x10d/0x490 mm/memory.c:5320
do_shared_fault mm/memory.c:5819 [inline]
do_fault+0x302/0x1ad0 mm/memory.c:5893
do_pte_missing mm/memory.c:4401 [inline]
handle_pte_fault mm/memory.c:6273 [inline]
__handle_mm_fault+0x1919/0x2bb0 mm/memory.c:6411
handle_mm_fault+0x3fe/0xad0 mm/memory.c:6580
do_user_addr_fault+0x60c/0x1370 arch/x86/mm/fault.c:1336
handle_page_fault arch/x86/mm/fault.c:1476 [inline]
exc_page_fault+0x64/0xc0 arch/x86/mm/fault.c:1532
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:618
RIP: 0033:0x7f8af1a55171
Code: 48 8b 54 24 08 48 85 d2 74 17 8b 44 24 18 0f c8 89 c0 48 89 44 24 18 48 83 fa 01 0f 85 b3 01 00 00 48 8b 44 24 10 8b 54 24 18 <89> 10 e9 15 fd ff ff 48 8b 44 24 10 8b 10 48 8b 44 24 08 48 85 c0
RSP: 002b:00007ffc7d678bf0 EFLAGS: 00010246
RAX: 0000200000000980 RBX: 0000000000000004 RCX: 0000000000000000
RDX: 0000000000004000 RSI: 0000000000000000 RDI: 000055557770b3c8
RBP: 00007ffc7d678cf8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000002 R12: 00007f8af1dd5fac
R13: 00007f8af1dd5fa0 R14: fffffffffffffffe R15: 00007ffc7d678d40
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__filemap_add_folio+0xf29/0x11b0 mm/filemap.c:858
Code: 9b c6 ff 48 c7 c6 c0 e9 99 8b 4c 89 ef e8 0f 74 11 00 90 0f 0b e8 47 9b c6 ff 48 c7 c6 20 ea 99 8b 4c 89 ef e8 f8 73 11 00 90 <0f> 0b e8 30 9b c6 ff 90 0f 0b 90 e9 1c fc ff ff e8 22 9b c6 ff 48
RSP: 0018:ffffc900033af840 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff8880737fc980 RSI: ffffffff81f7ebf8 RDI: ffff8880737fce04
RBP: 0000000000112cc0 R08: 0000000000000001 R09: 0000000000000001
R10: ffffffff908689d7 R11: 0000000000000000 R12: 0000000000000002
R13: ffffea0001ce4980 R14: 0000000000000000 R15: 0000000000000000
FS: 000055557770b500(0000) GS:ffff888124a48000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f772b5d7dac CR3: 000000002ee4c000 CR4: 00000000003526f0


Tested on:

commit: 40fbbd64 Merge tag 'pull-fixes' of git://git.kernel.or..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10715dc2580000
kernel config: https://syzkaller.appspot.com/x/.config?x=495547a782e37c4f
dashboard link: https://syzkaller.appspot.com/bug?extid=4d3cc33ef7a77041efa6
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

Note: no patches were applied.