[moderation] [mm?] general protection fault in vma_start_read
2 views
Skip to first unread message
syzbot
Jul 17, 2025, 6:15:39 AM7/17/25
to syzkaller-upst...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: a62b7a37e6fc Add linux-next specific files for 20250711
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=105d50f0580000
kernel config: https://syzkaller.appspot.com/x/.config?x=7d42120e19faaef
dashboard link: https://syzkaller.appspot.com/bug?extid=1993462df7e77e477d5f
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
CC: [Liam.H...@oracle.com ak...@linux-foundation.org linux-...@vger.kernel.org linu...@kvack.org lorenzo...@oracle.com shakee...@linux.dev sur...@google.com vba...@suse.cz]
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/691b5f8ab5b1/disk-a62b7a37.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/47d1a209784d/vmlinux-a62b7a37.xz
kernel image: https://storage.googleapis.com/syzbot-assets/eb70d73c9e55/bzImage-a62b7a37.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+199346...@syzkaller.appspotmail.com
Oops: general protection fault, probably for non-canonical address 0xe0c0fc3d800002f2: 0000 [#1] SMP KASAN PTI
KASAN: maybe wild-memory-access in range [0x060801ec00001790-0x060801ec00001797]
CPU: 0 UID: 0 PID: 21055 Comm: syz.2.7038 Not tainted 6.16.0-rc5-next-20250711-syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
RIP: 0010:vma_start_read+0x84/0x3b0 include/linux/mmap_lock.h:170
Code: c1 e9 03 48 b8 f1 f1 f1 f1 04 f3 f3 f3 48 89 0c 24 4a 89 04 29 e8 dc a9 b5 ff 4c 8d 73 28 4c 89 f0 48 c1 e8 03 48 89 44 24 18 <42> 0f b6 04 28 84 c0 0f 85 4d 02 00 00 48 89 5c 24 10 4c 89 74 24
RSP: 0018:ffffc9000477fa20 EFLAGS: 00010203
RAX: 00c1003d800002f2 RBX: 060801ec0000176d RCX: ffff888050580000
RDX: 0000000000000000 RSI: 060801ec0000176d RDI: ffff88806e70a800
RBP: ffffc9000477fad0 R08: ffff888050580000 R09: 0000000000000004
R10: 0000000000000003 R11: 0000000000000000 R12: ffff88805aee1340
R13: dffffc0000000000 R14: 060801ec00001795 R15: ffff88806e70a800
FS: 00007f6a5ea0b6c0(0000) GS:ffff88812578f000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f2680beee9c CR3: 0000000031712000 CR4: 00000000003526f0
Call Trace:
<TASK>
lock_next_vma+0x146/0xdc0 mm/mmap_lock.c:220
get_next_vma fs/proc/task_mmu.c:182 [inline]
query_vma_find_by_addr fs/proc/task_mmu.c:512 [inline]
query_matching_vma+0x319/0x5c0 fs/proc/task_mmu.c:544
do_procmap_query fs/proc/task_mmu.c:629 [inline]
procfs_procmap_ioctl+0x3f9/0xd50 fs/proc/task_mmu.c:747
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:598 [inline]
__se_sys_ioctl+0xf9/0x170 fs/ioctl.c:584
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f6a5db8e929
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f6a5ea0b038 EFLAGS: 00000246
ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f6a5ddb6160 RCX: 00007f6a5db8e929
RDX: 0000200000000180 RSI: 00000000c0686611 RDI: 000000000000000d
RBP: 00007f6a5dc10b39 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f6a5ddb6160 R15: 00007ffe29ea1ec8
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:vma_start_read+0x84/0x3b0 include/linux/mmap_lock.h:170
Code: c1 e9 03 48 b8 f1 f1 f1 f1 04 f3 f3 f3 48 89 0c 24 4a 89 04 29 e8 dc a9 b5 ff 4c 8d 73 28 4c 89 f0 48 c1 e8 03 48 89 44 24 18 <42> 0f b6 04 28 84 c0 0f 85 4d 02 00 00 48 89 5c 24 10 4c 89 74 24
RSP: 0018:ffffc9000477fa20 EFLAGS: 00010203
----------------
Code disassembly (best guess):
0: c1 e9 03 shr $0x3,%ecx
3: 48 b8 f1 f1 f1 f1 04 movabs $0xf3f3f304f1f1f1f1,%rax
a: f3 f3 f3
d: 48 89 0c 24 mov %rcx,(%rsp)
11: 4a 89 04 29 mov %rax,(%rcx,%r13,1)
15: e8 dc a9 b5 ff call 0xffb5a9f6
1a: 4c 8d 73 28 lea 0x28(%rbx),%r14
1e: 4c 89 f0 mov %r14,%rax
21: 48 c1 e8 03 shr $0x3,%rax
25: 48 89 44 24 18 mov %rax,0x18(%rsp)
* 2a: 42 0f b6 04 28 movzbl (%rax,%r13,1),%eax <-- trapping instruction
2f: 84 c0 test %al,%al
31: 0f 85 4d 02 00 00 jne 0x284
37: 48 89 5c 24 10 mov %rbx,0x10(%rsp)
3c: 4c rex.WR
3d: 89 .byte 0x89
3e: 74 24 je 0x64
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: a62b7a37e6fc Add linux-next specific files for 20250711
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=105d50f0580000
kernel config: https://syzkaller.appspot.com/x/.config?x=7d42120e19faaef
dashboard link: https://syzkaller.appspot.com/bug?extid=1993462df7e77e477d5f
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
CC: [Liam.H...@oracle.com ak...@linux-foundation.org linux-...@vger.kernel.org linu...@kvack.org lorenzo...@oracle.com shakee...@linux.dev sur...@google.com vba...@suse.cz]
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/691b5f8ab5b1/disk-a62b7a37.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/47d1a209784d/vmlinux-a62b7a37.xz
kernel image: https://storage.googleapis.com/syzbot-assets/eb70d73c9e55/bzImage-a62b7a37.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+199346...@syzkaller.appspotmail.com
Oops: general protection fault, probably for non-canonical address 0xe0c0fc3d800002f2: 0000 [#1] SMP KASAN PTI
KASAN: maybe wild-memory-access in range [0x060801ec00001790-0x060801ec00001797]
CPU: 0 UID: 0 PID: 21055 Comm: syz.2.7038 Not tainted 6.16.0-rc5-next-20250711-syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
RIP: 0010:vma_start_read+0x84/0x3b0 include/linux/mmap_lock.h:170
Code: c1 e9 03 48 b8 f1 f1 f1 f1 04 f3 f3 f3 48 89 0c 24 4a 89 04 29 e8 dc a9 b5 ff 4c 8d 73 28 4c 89 f0 48 c1 e8 03 48 89 44 24 18 <42> 0f b6 04 28 84 c0 0f 85 4d 02 00 00 48 89 5c 24 10 4c 89 74 24
RSP: 0018:ffffc9000477fa20 EFLAGS: 00010203
RAX: 00c1003d800002f2 RBX: 060801ec0000176d RCX: ffff888050580000
RDX: 0000000000000000 RSI: 060801ec0000176d RDI: ffff88806e70a800
RBP: ffffc9000477fad0 R08: ffff888050580000 R09: 0000000000000004
R10: 0000000000000003 R11: 0000000000000000 R12: ffff88805aee1340
R13: dffffc0000000000 R14: 060801ec00001795 R15: ffff88806e70a800
FS: 00007f6a5ea0b6c0(0000) GS:ffff88812578f000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f2680beee9c CR3: 0000000031712000 CR4: 00000000003526f0
Call Trace:
<TASK>
lock_next_vma+0x146/0xdc0 mm/mmap_lock.c:220
get_next_vma fs/proc/task_mmu.c:182 [inline]
query_vma_find_by_addr fs/proc/task_mmu.c:512 [inline]
query_matching_vma+0x319/0x5c0 fs/proc/task_mmu.c:544
do_procmap_query fs/proc/task_mmu.c:629 [inline]
procfs_procmap_ioctl+0x3f9/0xd50 fs/proc/task_mmu.c:747
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:598 [inline]
__se_sys_ioctl+0xf9/0x170 fs/ioctl.c:584
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f6a5db8e929
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f6a5ea0b038 EFLAGS: 00000246
ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f6a5ddb6160 RCX: 00007f6a5db8e929
RDX: 0000200000000180 RSI: 00000000c0686611 RDI: 000000000000000d
RBP: 00007f6a5dc10b39 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f6a5ddb6160 R15: 00007ffe29ea1ec8
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:vma_start_read+0x84/0x3b0 include/linux/mmap_lock.h:170
Code: c1 e9 03 48 b8 f1 f1 f1 f1 04 f3 f3 f3 48 89 0c 24 4a 89 04 29 e8 dc a9 b5 ff 4c 8d 73 28 4c 89 f0 48 c1 e8 03 48 89 44 24 18 <42> 0f b6 04 28 84 c0 0f 85 4d 02 00 00 48 89 5c 24 10 4c 89 74 24
RSP: 0018:ffffc9000477fa20 EFLAGS: 00010203
----------------
Code disassembly (best guess):
0: c1 e9 03 shr $0x3,%ecx
3: 48 b8 f1 f1 f1 f1 04 movabs $0xf3f3f304f1f1f1f1,%rax
a: f3 f3 f3
d: 48 89 0c 24 mov %rcx,(%rsp)
11: 4a 89 04 29 mov %rax,(%rcx,%r13,1)
15: e8 dc a9 b5 ff call 0xffb5a9f6
1a: 4c 8d 73 28 lea 0x28(%rbx),%r14
1e: 4c 89 f0 mov %r14,%rax
21: 48 c1 e8 03 shr $0x3,%rax
25: 48 89 44 24 18 mov %rax,0x18(%rsp)
* 2a: 42 0f b6 04 28 movzbl (%rax,%r13,1),%eax <-- trapping instruction
2f: 84 c0 test %al,%al
31: 0f 85 4d 02 00 00 jne 0x284
37: 48 89 5c 24 10 mov %rbx,0x10(%rsp)
3c: 4c rex.WR
3d: 89 .byte 0x89
3e: 74 24 je 0x64
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot
Oct 11, 2025, 6:11:22 AM10/11/25
to syzkaller-upst...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.
Crashes did not happen for a while, no reproducer and no activity.
Reply all
Reply to author
Forward
0 new messages