Message-ID: <68343875.a70a0220.253bc2.0094.GAE@google.com>
Date: Mon, 26 May 2025 02:46:29 -0700
From: syzbot <syzbot+18bba5153739c29b88c5@...kaller.appspotmail.com>
To: Liam.Howlett@...cle.com, akpm@...ux-foundation.org, david@...hat.com,
harry.yoo@...cle.com, linux-kernel@...r.kernel.org, linux-mm@...ck.org,
lorenzo.stoakes@...cle.com, riel@...riel.com, syzkaller-bugs@...glegroups.com,
vbabka@...e.cz
Subject: [syzbot] [mm?] WARNING in folio_add_file_rmap_ptes
Hello,
syzbot found the following issue on:
HEAD commit: 187899f4124a Merge branch 'for-next/core' into for-kernelci
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=12f7f9f4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=89c13de706fbf07a
dashboard link: https://syzkaller.appspot.com/bug?extid=18bba5153739c29b88c5
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
userspace arch: arm64
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/ab8c5d5c6c34/disk-187899f4.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/d67a1d9c9f04/vmlinux-187899f4.xz
kernel image: https://storage.googleapis.com/syzbot-assets/074a891b2686/Image-187899f4.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+18bba5153739c29b88c5@...kaller.appspotmail.com
page dumped because: VM_WARN_ON_FOLIO((_Generic((page), const struct page *: (const struct folio *)_compound_head(page), struct page *: (struct folio *)_compound_head(page))) != folio)
------------[ cut here ]------------
WARNING: CPU: 1 PID: 10255 at ./include/linux/rmap.h:426 __folio_rmap_sanity_checks include/linux/rmap.h:426 [inline]
WARNING: CPU: 1 PID: 10255 at ./include/linux/rmap.h:426 __folio_add_rmap mm/rmap.c:1252 [inline]
WARNING: CPU: 1 PID: 10255 at ./include/linux/rmap.h:426 __folio_add_file_rmap mm/rmap.c:1620 [inline]
WARNING: CPU: 1 PID: 10255 at ./include/linux/rmap.h:426 folio_add_file_rmap_ptes+0x864/0xa80 mm/rmap.c:1642
Modules linked in:
CPU: 1 UID: 0 PID: 10255 Comm: syz.0.668 Not tainted 6.15.0-rc7-syzkaller-g187899f4124a #0 PREEMPT
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : __folio_rmap_sanity_checks include/linux/rmap.h:426 [inline]
pc : __folio_add_rmap mm/rmap.c:1252 [inline]
pc : __folio_add_file_rmap mm/rmap.c:1620 [inline]
pc : folio_add_file_rmap_ptes+0x864/0xa80 mm/rmap.c:1642
lr : __folio_rmap_sanity_checks include/linux/rmap.h:426 [inline]
lr : __folio_add_rmap mm/rmap.c:1252 [inline]
lr : __folio_add_file_rmap mm/rmap.c:1620 [inline]
lr : folio_add_file_rmap_ptes+0x864/0xa80 mm/rmap.c:1642
sp : ffff80009ea777f0
x29: ffff80009ea77830 x28: ffff0000d89a43c0 x27: 0000000020010000
x26: 002000013aaf4bc3 x25: 00000000000001f0 x24: fffffdffc3eaba30
x23: fffffdffc3eabd00 x22: dfff800000000000 x21: 000000000020b68f
x20: fffffdffc3eabd48 x19: fffffdffc3eaba00 x18: 00000000ffffffff
x17: 0000000000000000 x16: ffff80008ad27e48 x15: ffff700011e740c0
x14: 1ffff00011e740c0 x13: 0000000000000004 x12: ffffffffffffffff
x11: 0000000000080000 x10: 000000000000b6d5 x9 : c4bcfe0a46a0cd00
x8 : c4bcfe0a46a0cd00 x7 : 0000000000000001 x6 : 0000000000000001
x5 : ffff80009ea76ef8 x4 : ffff80008f415ba0 x3 : ffff800080548ef0
x2 : 0000000000000000 x1 : 0000000000000001 x0 : 00000000000000b8
Call trace:
__folio_rmap_sanity_checks include/linux/rmap.h:426 [inline] (P)
__folio_add_rmap mm/rmap.c:1252 [inline] (P)
__folio_add_file_rmap mm/rmap.c:1620 [inline] (P)
folio_add_file_rmap_ptes+0x864/0xa80 mm/rmap.c:1642 (P)
set_pte_range+0x28c/0x434 mm/memory.c:5256
filemap_map_folio_range mm/filemap.c:3631 [inline]
filemap_map_pages+0xb50/0x1558 mm/filemap.c:3740
do_fault_around mm/memory.c:5476 [inline]
do_read_fault mm/memory.c:5509 [inline]
do_fault mm/memory.c:5652 [inline]
do_pte_missing mm/memory.c:4160 [inline]
handle_pte_fault mm/memory.c:5997 [inline]
__handle_mm_fault mm/memory.c:6140 [inline]
handle_mm_fault+0x2b84/0x4d18 mm/memory.c:6309
do_page_fault+0x428/0x1554 arch/arm64/mm/fault.c:647
do_translation_fault+0xc4/0x114 arch/arm64/mm/fault.c:783
do_mem_abort+0x70/0x194 arch/arm64/mm/fault.c:919
el0_da+0x64/0x160 arch/arm64/kernel/entry-common.c:627
el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:789
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
irq event stamp: 292
hardirqs last enabled at (291): [<ffff80008055041c>] __up_console_sem kernel/printk/printk.c:344 [inline]
hardirqs last enabled at (291): [<ffff80008055041c>] __console_unlock+0x70/0xc4 kernel/printk/printk.c:2885
hardirqs last disabled at (292): [<ffff80008adb9eb8>] el1_dbg+0x24/0x80 arch/arm64/kernel/entry-common.c:511
softirqs last enabled at (8): [<ffff8000801fbf10>] local_bh_enable+0x10/0x34 include/linux/bottom_half.h:32
softirqs last disabled at (6): [<ffff8000801fbedc>] local_bh_disable+0x10/0x34 include/linux/bottom_half.h:19
---[ end trace 0000000000000000 ]---
page: refcount:10 mapcount:1 mapping:00000000dc26ff10 index:0x4 pfn:0x13aae8
head: order:2 mapcount:4 entire_mapcount:0 nr_pages_mapped:4 pincount:0
memcg:ffff0000d4838000
aops:bch_address_space_operations ino:1002 dentry name(?):"file1"
flags: 0x5ffc0000000516d(locked|referenced|uptodate|lru|active|arch_1|private|head|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc0000000516d fffffdffc3e1bf08 fffffdffc3d17508 ffff0000f1fd18e8
raw: 0000000000000004 ffff0000d4c1f300 0000000a00000000 ffff0000d4838000
head: 05ffc0000000516d fffffdffc3e1bf08 fffffdffc3d17508 ffff0000f1fd18e8
head: 0000000000000004 ffff0000d4c1f300 0000000a00000000 ffff0000d4838000
head: 05ffc00000000202 fffffdffc3eaba01 0000000400000003 00000000ffffffff
head: ffffffff00000003 000000000000003d 0000000000000000 0000000000000004
page dumped because: VM_WARN_ON_FOLIO((_Generic((page + nr_pages - 1), const struct page *: (const struct folio *)_compound_head(page + nr_pages - 1), struct page *: (struct folio *)_compound_head(page + nr_pages - 1))) != folio)
------------[ cut here ]------------
WARNING: CPU: 1 PID: 10255 at ./include/linux/rmap.h:427 __folio_rmap_sanity_checks include/linux/rmap.h:427 [inline]
WARNING: CPU: 1 PID: 10255 at ./include/linux/rmap.h:427 __folio_add_rmap mm/rmap.c:1252 [inline]
WARNING: CPU: 1 PID: 10255 at ./include/linux/rmap.h:427 __folio_add_file_rmap mm/rmap.c:1620 [inline]
WARNING: CPU: 1 PID: 10255 at ./include/linux/rmap.h:427 folio_add_file_rmap_ptes+0x890/0xa80 mm/rmap.c:1642
Modules linked in:
CPU: 1 UID: 0 PID: 10255 Comm: syz.0.668 Tainted: G W 6.15.0-rc7-syzkaller-g187899f4124a #0 PREEMPT
Tainted: [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : __folio_rmap_sanity_checks include/linux/rmap.h:427 [inline]
pc : __folio_add_rmap mm/rmap.c:1252 [inline]
pc : __folio_add_file_rmap mm/rmap.c:1620 [inline]
pc : folio_add_file_rmap_ptes+0x890/0xa80 mm/rmap.c:1642
lr : __folio_rmap_sanity_checks include/linux/rmap.h:427 [inline]
lr : __folio_add_rmap mm/rmap.c:1252 [inline]
lr : __folio_add_file_rmap mm/rmap.c:1620 [inline]
lr : folio_add_file_rmap_ptes+0x890/0xa80 mm/rmap.c:1642
sp : ffff80009ea777f0
x29: ffff80009ea77830 x28: ffff0000d89a43c0 x27: 0000000020010000
x26: 002000013aaf4bc3 x25: 00000000000001f0 x24: fffffdffc3eaba30
x23: fffffdffc3eabd00 x22: dfff800000000000 x21: fffffdffc3eb3900
x20: fffffdffc3eb3801 x19: fffffdffc3eaba00 x18: 00000000ffffffff
x17: 0000000000000000 x16: ffff80008ad27e48 x15: ffff700011e740c0
x14: 1ffff00011e740c0 x13: 0000000000000004 x12: ffffffffffffffff
x11: 0000000000080000 x10: 000000000002ce5f x9 : c4bcfe0a46a0cd00
x8 : c4bcfe0a46a0cd00 x7 : 0000000000000001 x6 : 0000000000000001
x5 : ffff80009ea76ef8 x4 : ffff80008f415ba0 x3 : ffff800080548ef0
x2 : 0000000000000000 x1 : 0000000000000001 x0 : 00000000000000e5
Call trace:
__folio_rmap_sanity_checks include/linux/rmap.h:427 [inline] (P)
__folio_add_rmap mm/rmap.c:1252 [inline] (P)
__folio_add_file_rmap mm/rmap.c:1620 [inline] (P)
folio_add_file_rmap_ptes+0x890/0xa80 mm/rmap.c:1642 (P)
set_pte_range+0x28c/0x434 mm/memory.c:5256
filemap_map_folio_range mm/filemap.c:3631 [inline]
filemap_map_pages+0xb50/0x1558 mm/filemap.c:3740
do_fault_around mm/memory.c:5476 [inline]
do_read_fault mm/memory.c:5509 [inline]
do_fault mm/memory.c:5652 [inline]
do_pte_missing mm/memory.c:4160 [inline]
handle_pte_fault mm/memory.c:5997 [inline]
__handle_mm_fault mm/memory.c:6140 [inline]
handle_mm_fault+0x2b84/0x4d18 mm/memory.c:6309
do_page_fault+0x428/0x1554 arch/arm64/mm/fault.c:647
do_translation_fault+0xc4/0x114 arch/arm64/mm/fault.c:783
do_mem_abort+0x70/0x194 arch/arm64/mm/fault.c:919
el0_da+0x64/0x160 arch/arm64/kernel/entry-common.c:627
el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:789
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
irq event stamp: 928
hardirqs last enabled at (927): [<ffff80008055041c>] __up_console_sem kernel/printk/printk.c:344 [inline]
hardirqs last enabled at (927): [<ffff80008055041c>] __console_unlock+0x70/0xc4 kernel/printk/printk.c:2885
hardirqs last disabled at (928): [<ffff80008adb9eb8>] el1_dbg+0x24/0x80 arch/arm64/kernel/entry-common.c:511
softirqs last enabled at (830): [<ffff8000803cf71c>] softirq_handle_end kernel/softirq.c:425 [inline]
softirqs last enabled at (830): [<ffff8000803cf71c>] handle_softirqs+0xaf8/0xc88 kernel/softirq.c:607
softirqs last disabled at (727): [<ffff800080020efc>] __do_softirq+0x14/0x20 kernel/softirq.c:613
---[ end trace 0000000000000000 ]---
------------[ cut here ]------------
WARNING: CPU: 1 PID: 10255 at ./include/linux/rmap.h:214 __folio_large_mapcount_sanity_checks+0x3d4/0x5dc include/linux/rmap.h:214
Modules linked in:
CPU: 1 UID: 0 PID: 10255 Comm: syz.0.668 Tainted: G W 6.15.0-rc7-syzkaller-g187899f4124a #0 PREEMPT
Tainted: [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : __folio_large_mapcount_sanity_checks+0x3d4/0x5dc include/linux/rmap.h:214
lr : __folio_large_mapcount_sanity_checks+0x3d4/0x5dc include/linux/rmap.h:214
sp : ffff80009ea77790
x29: ffff80009ea77790 x28: 0000000080000000 x27: 1fffffbff87d574f
x26: 1fffffbff87d5740 x25: 1fffffbff87d5741 x24: dfff800000000000
x23: 00000000000001f0 x22: fffffdffc3eaba78 x21: 0000000000000004
x20: fffffdffc3eaba08 x19: fffffdffc3eaba00 x18: 00000000ffffffff
x17: 0000000000000000 x16: ffff80008ad27e48 x15: 0000000000000001
x14: 1fffffbff87d574d x13: 0000000000000000 x12: 0000000000000000
x11: 0000000000080000 x10: 0000000000049002 x9 : ffff8000aa342000
x8 : 0000000000049003 x7 : 0000000000000001 x6 : 0000000000000001
x5 : ffff80009ea76ef8 x4 : ffff80008f415ba0 x3 : ffff800080b2596c
x2 : 000000000000003d x1 : 00000000000001f0 x0 : 0000000000000004
Call trace:
__folio_large_mapcount_sanity_checks+0x3d4/0x5dc include/linux/rmap.h:214 (P)
folio_add_return_large_mapcount include/linux/rmap.h:250 [inline]
__folio_add_rmap mm/rmap.c:1279 [inline]
__folio_add_file_rmap mm/rmap.c:1620 [inline]
folio_add_file_rmap_ptes+0x47c/0xa80 mm/rmap.c:1642
set_pte_range+0x28c/0x434 mm/memory.c:5256
filemap_map_folio_range mm/filemap.c:3631 [inline]
filemap_map_pages+0xb50/0x1558 mm/filemap.c:3740
do_fault_around mm/memory.c:5476 [inline]
do_read_fault mm/memory.c:5509 [inline]
do_fault mm/memory.c:5652 [inline]
do_pte_missing mm/memory.c:4160 [inline]
handle_pte_fault mm/memory.c:5997 [inline]
__handle_mm_fault mm/memory.c:6140 [inline]
handle_mm_fault+0x2b84/0x4d18 mm/memory.c:6309
do_page_fault+0x428/0x1554 arch/arm64/mm/fault.c:647
do_translation_fault+0xc4/0x114 arch/arm64/mm/fault.c:783
do_mem_abort+0x70/0x194 arch/arm64/mm/fault.c:919
el0_da+0x64/0x160 arch/arm64/kernel/entry-common.c:627
el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:789
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
irq event stamp: 1044
hardirqs last enabled at (1043): [<ffff80008adbc380>] __exit_to_kernel_mode arch/arm64/kernel/entry-common.c:85 [inline]
hardirqs last enabled at (1043): [<ffff80008adbc380>] exit_to_kernel_mode+0xc0/0xf0 arch/arm64/kernel/entry-common.c:95
hardirqs last disabled at (1044): [<ffff80008adb9eb8>] el1_dbg+0x24/0x80 arch/arm64/kernel/entry-common.c:511
softirqs last enabled at (1042): [<ffff8000803cf71c>] softirq_handle_end kernel/softirq.c:425 [inline]
softirqs last enabled at (1042): [<ffff8000803cf71c>] handle_softirqs+0xaf8/0xc88 kernel/softirq.c:607
softirqs last disabled at (933): [<ffff800080020efc>] __do_softirq+0x14/0x20 kernel/softirq.c:613
---[ end trace 0000000000000000 ]---
------------[ cut here ]------------
kernel BUG at mm/page_table_check.c:120!
Internal error: Oops - BUG: 00000000f2000800 [#1] SMP
Modules linked in:
CPU: 1 UID: 0 PID: 10255 Comm: syz.0.668 Tainted: G W 6.15.0-rc7-syzkaller-g187899f4124a #0 PREEMPT
Tainted: [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : page_table_check_set+0x56c/0x590 mm/page_table_check.c:120
lr : page_table_check_set+0x56c/0x590 mm/page_table_check.c:120
sp : ffff80009ea776a0
x29: ffff80009ea776b0 x28: ffff80008f63c000 x27: 0000000000000001
x26: ffff0000c08158c8 x25: 0000000000000006 x24: 0000000000000001
x23: ffff0000c08158c8 x22: 000000000013ab14 x21: 0000000000000000
x20: 0000000000000010 x19: 1ffff00012dfca50 x18: 00000000ffffffff
x17: 0000000000000000 x16: ffff80008051c10c x15: 0000000000000001
x14: 1fffe00018102b19 x13: 0000000000000000 x12: 0000000000000000
x11: 0000000000080000 x10: 00000000000632c3 x9 : ffff8000aa342000
x8 : 00000000000632c4 x7 : ffff800080cd13e4 x6 : 0000000000000000
x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff800080cd0928
x2 : 0000000000000000 x1 : 0000000000000001 x0 : 0000000000000000
Call trace:
page_table_check_set+0x56c/0x590 mm/page_table_check.c:120 (P)
__page_table_check_ptes_set+0x2a8/0x2e0 mm/page_table_check.c:209
page_table_check_ptes_set include/linux/page_table_check.h:76 [inline]
__set_ptes_anysz arch/arm64/include/asm/pgtable.h:724 [inline]
__set_ptes+0x4a0/0x504 arch/arm64/include/asm/pgtable.h:756
contpte_set_ptes+0x120/0x188 arch/arm64/mm/contpte.c:273
set_ptes arch/arm64/include/asm/pgtable.h:1807 [inline]
set_pte_range+0x39c/0x434 mm/memory.c:5258
filemap_map_folio_range mm/filemap.c:3631 [inline]
filemap_map_pages+0xb50/0x1558 mm/filemap.c:3740
do_fault_around mm/memory.c:5476 [inline]
do_read_fault mm/memory.c:5509 [inline]
do_fault mm/memory.c:5652 [inline]
do_pte_missing mm/memory.c:4160 [inline]
handle_pte_fault mm/memory.c:5997 [inline]
__handle_mm_fault mm/memory.c:6140 [inline]
handle_mm_fault+0x2b84/0x4d18 mm/memory.c:6309
do_page_fault+0x428/0x1554 arch/arm64/mm/fault.c:647
do_translation_fault+0xc4/0x114 arch/arm64/mm/fault.c:783
do_mem_abort+0x70/0x194 arch/arm64/mm/fault.c:919
el0_da+0x64/0x160 arch/arm64/kernel/entry-common.c:627
el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:789
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
Code: aa1603e0 97fd6781 17fffee6 97e91fd8 (d4210000)
---[ end trace 0000000000000000 ]---
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@...glegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite the report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup