Hello,
syzbot found the following issue on:
HEAD commit: 58485ff1a74f Linux 6.1.141
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=13419b70580000
kernel config: https://syzkaller.appspot.com/x/.config?x=d93c21c25e641edc
dashboard link: https://syzkaller.appspot.com/bug?extid=aa35b43b3f588d74a579
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
userspace arch: arm64
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/13b062afcec7/disk-58485ff1.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/fdd4e489be2a/vmlinux-58485ff1.xz
kernel image: https://storage.googleapis.com/syzbot-assets/08bebb6045ec/Image-58485ff1.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+aa35b4...@syzkaller.appspotmail.com
metapage_write_end_io: I/O error
ERROR: (device loop2): diWrite: ixpxd invalid
ERROR: (device loop2): remounting filesystem as read-only
ERROR: (device loop2): txAbort:
Unable to handle kernel paging request at virtual address dfff800000000037
KASAN: null-ptr-deref in range [0x00000000000001b8-0x00000000000001bf]
Mem abort info:
ESR = 0x0000000096000006
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x06: level 2 translation fault
Data abort info:
ISV = 0, ISS = 0x00000006
CM = 0, WnR = 0
[dfff800000000037] address between user and kernel address ranges
Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 4465 Comm: syz.2.21 Not tainted 6.1.141-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : folio_write_one+0x284/0x5ac mm/page-writeback.c:2543
lr : __lse_atomic_add arch/arm64/include/asm/atomic_lse.h:27 [inline]
lr : arch_atomic_add arch/arm64/include/asm/atomic.h:28 [inline]
lr : arch_atomic_inc include/linux/atomic/atomic-arch-fallback.h:424 [inline]
lr : atomic_inc include/linux/atomic/atomic-instrumented.h:191 [inline]
lr : page_ref_inc include/linux/page_ref.h:158 [inline]
lr : folio_ref_inc include/linux/page_ref.h:165 [inline]
lr : folio_get include/linux/mm.h:1136 [inline]
lr : folio_write_one+0x274/0x5ac mm/page-writeback.c:2542
sp : ffff800020e07260
x29: ffff800020e07360 x28: 1fffff80006bbd00 x27: 1fffff80006bbd01
x26: dfff800000000000 x25: ffff7000041c0e50 x24: 00000000000001b8
x23: fffffc00035de834 x22: ffff800020e072a0 x21: fffffc00035de808
x20: 0000000000000000 x19: fffffc00035de800 x18: ffff800011a7bce0
x17: 1fffe00033ee2f76 x16: ffff8000082d0750 x15: 0000000040000000
x14: 0000000000000002 x13: 1ffff00002a0e0b1 x12: 0000000000080000
x11: 0000000000025dc8 x10: ffff8000237e9000 x9 : ffff8000086f90a0
x8 : 0000000000000037 x7 : 0000000000000000 x6 : 0000000000000000
x5 : 0000000000000080 x4 : 0000000000000008 x3 : ffff8000086f9094
x2 : 0000000000000001 x1 : 0000000000000004 x0 : 0000000000000001
Call trace:
folio_write_one+0x284/0x5ac mm/page-writeback.c:2543
write_one_page include/linux/pagemap.h:1104 [inline]
force_metapage+0x254/0x5a4 fs/jfs/jfs_metapage.c:703
txForce fs/jfs/jfs_txnmgr.c:2215 [inline]
txCommit+0x3578/0x3bec fs/jfs/jfs_txnmgr.c:1315
duplicateIXtree+0x238/0x3e8 fs/jfs/jfs_imap.c:3019
diNewIAG fs/jfs/jfs_imap.c:2597 [inline]
diAllocExt fs/jfs/jfs_imap.c:1905 [inline]
diAllocAG+0x1314/0x1890 fs/jfs/jfs_imap.c:1669
diAlloc+0x17c/0x15cc fs/jfs/jfs_imap.c:1590
ialloc+0x80/0x7b0 fs/jfs/jfs_inode.c:56
jfs_mkdir+0x170/0x8b4 fs/jfs/namei.c:225
vfs_mkdir+0x314/0x4d4 fs/namei.c:4106
do_mkdirat+0x1b4/0x3e0 fs/namei.c:4131
__do_sys_mkdirat fs/namei.c:4146 [inline]
__se_sys_mkdirat fs/namei.c:4144 [inline]
__arm64_sys_mkdirat+0x90/0xa8 fs/namei.c:4144
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2bc arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
do_el0_svc+0x58/0x13c arch/arm64/kernel/syscall.c:204
el0_svc+0x58/0x138 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585
Code: 52800028 b82802ff 9106e318 d343ff08 (387a6908)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
0: 52800028 mov w8, #0x1 // #1
4: b82802ff stadd w8, [x23]
8: 9106e318 add x24, x24, #0x1b8
c: d343ff08 lsr x8, x24, #3
* 10: 387a6908 ldrb w8, [x8, x26] <-- trapping instruction
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
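Added here as a reading aid for the crash above; this is not part of syzbot's report and not JFS or KASAN code. It shows how the faulting address dfff800000000037 in the oops relates to the "null-ptr-deref in range [0x1b8-0x1bf]" line: on this arm64 generic-KASAN build the instrumented load in the disassembly computes (addr >> 3) + x26, so the page fault is on the shadow byte for address 0x1b8, i.e. a load through a NULL base pointer at field offset 0x1b8, which is the statement the reported pc in folio_write_one points at. The shadow offset (0xdfff800000000000) and the 0x1b8 immediate are taken from the report's register dump and disassembly; the 4 KiB page size, and the base pointer being 0 before the `add` (inferred from x24 = 0x1b8 after it), are assumptions.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constants copied from the report: x26 in the register dump is the
 * generic-KASAN shadow offset of this arm64 build, and each shadow byte
 * covers 8 bytes of real memory (KASAN_SHADOW_SCALE_SHIFT = 3).
 */
#define KASAN_SHADOW_OFFSET      0xdfff800000000000ULL
#define KASAN_SHADOW_SCALE_SHIFT 3
#define KASAN_GRANULE            (1ULL << KASAN_SHADOW_SCALE_SHIFT)
/* Assumption: 4 KiB pages. KASAN labels accesses below PAGE_SIZE "null-ptr-deref". */
#define PAGE_SIZE                4096ULL

/* Forward map: the shadow byte KASAN reads before the real access to addr. */
uint64_t kasan_shadow_addr(uint64_t addr)
{
	return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

/* Inverse map: first real address covered by a given shadow byte. */
uint64_t kasan_unshadow(uint64_t shadow)
{
	return (shadow - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT;
}

/*
 * Replays the three instructions before the trap in the report's disassembly:
 *   add  x24, x24, #0x1b8   ; field offset added to the (NULL) base pointer
 *   lsr  x8,  x24, #3       ; addr >> 3
 *   ldrb w8,  [x8, x26]     ; load the shadow byte: faults, because the shadow
 *                           ; for the first page is not mapped
 * Returns the shadow address the ldrb tried to read.
 */
uint64_t replay_trapping_load(uint64_t base_ptr, uint64_t field_off)
{
	uint64_t x24 = base_ptr + field_off;
	uint64_t x8 = x24 >> KASAN_SHADOW_SCALE_SHIFT;
	return x8 + KASAN_SHADOW_OFFSET;	/* x26 holds the shadow offset */
}

/* Rebuilds the "KASAN: null-ptr-deref in range [lo-hi]" line from the fault address. */
struct kasan_range {
	uint64_t lo, hi;
	bool is_null_deref;
};

struct kasan_range classify_shadow_fault(uint64_t fault_shadow_addr)
{
	struct kasan_range r;

	r.lo = kasan_unshadow(fault_shadow_addr);
	r.hi = r.lo + KASAN_GRANULE - 1;
	r.is_null_deref = r.lo < PAGE_SIZE;
	return r;
}

int main(void)
{
	/* "Unable to handle kernel paging request at virtual address dfff800000000037" */
	uint64_t fault = 0xdfff800000000037ULL;
	struct kasan_range r = classify_shadow_fault(fault);

	printf("shadow %#" PRIx64 " covers [%#" PRIx64 "-%#" PRIx64 "]: %s\n",
	       fault, r.lo, r.hi, r.is_null_deref ? "null-ptr-deref" : "other");

	/* x24 is 0x1b8 after the add, so the base pointer before it was 0 (assumed). */
	printf("replayed ldrb address: %#" PRIx64 "\n", replay_trapping_load(0, 0x1b8));
	return 0;
}
```

The same inversion works for any generic-KASAN oops whose faulting address lies in the shadow range: subtract the shadow offset, shift left by 3, and compare the result with PAGE_SIZE to tell a NULL-plus-offset dereference from a wild pointer.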