Message-ID: <1d7eb1b8-c28e-47b1-866b-8a125b12afbc@redhat.com>
Date: Mon, 26 May 2025 12:52:49 +0200
From: David Hildenbrand <david@...hat.com>
To: syzbot <syzbot+18bba5153739c29b88c5@...kaller.appspotmail.com>,
 Liam.Howlett@...cle.com, akpm@...ux-foundation.org, harry.yoo@...cle.com,
 linux-kernel@...r.kernel.org, linux-mm@...ck.org,
 lorenzo.stoakes@...cle.com, riel@...riel.com,
 syzkaller-bugs@...glegroups.com, vbabka@...e.cz
Subject: Re: [syzbot] [mm?] WARNING in folio_add_file_rmap_ptes

On 26.05.25 11:46, syzbot wrote:
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    187899f4124a Merge branch 'for-next/core' into for-kernelci
> git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
> console output: https://syzkaller.appspot.com/x/log.txt?x=12f7f9f4580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=89c13de706fbf07a
> dashboard link: https://syzkaller.appspot.com/bug?extid=18bba5153739c29b88c5
> compiler:       Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
> userspace arch: arm64
> 
> Unfortunately, I don't have any reproducer for this issue yet.
> 
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/ab8c5d5c6c34/disk-187899f4.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/d67a1d9c9f04/vmlinux-187899f4.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/074a891b2686/Image-187899f4.gz.xz
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+18bba5153739c29b88c5@...kaller.appspotmail.com
> 
> page dumped because: VM_WARN_ON_FOLIO((_Generic((page), const struct page *: (const struct folio *)_compound_head(page), struct page *: (struct folio *)_compound_head(page))) != folio)
> ------------[ cut here ]------------
> WARNING: CPU: 1 PID: 10255 at ./include/linux/rmap.h:426 __folio_rmap_sanity_checks include/linux/rmap.h:426 [inline]
> WARNING: CPU: 1 PID: 10255 at ./include/linux/rmap.h:426 __folio_add_rmap mm/rmap.c:1252 [inline]
> WARNING: CPU: 1 PID: 10255 at ./include/linux/rmap.h:426 __folio_add_file_rmap mm/rmap.c:1620 [inline]
> WARNING: CPU: 1 PID: 10255 at ./include/linux/rmap.h:426 folio_add_file_rmap_ptes+0x864/0xa80 mm/rmap.c:1642
> Modules linked in:
> CPU: 1 UID: 0 PID: 10255 Comm: syz.0.668 Not tainted 6.15.0-rc7-syzkaller-g187899f4124a #0 PREEMPT
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
> pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
> pc : __folio_rmap_sanity_checks include/linux/rmap.h:426 [inline]
> pc : __folio_add_rmap mm/rmap.c:1252 [inline]
> pc : __folio_add_file_rmap mm/rmap.c:1620 [inline]
> pc : folio_add_file_rmap_ptes+0x864/0xa80 mm/rmap.c:1642
> lr : __folio_rmap_sanity_checks include/linux/rmap.h:426 [inline]
> lr : __folio_add_rmap mm/rmap.c:1252 [inline]
> lr : __folio_add_file_rmap mm/rmap.c:1620 [inline]
> lr : folio_add_file_rmap_ptes+0x864/0xa80 mm/rmap.c:1642
> sp : ffff80009ea777f0
> x29: ffff80009ea77830 x28: ffff0000d89a43c0 x27: 0000000020010000
> x26: 002000013aaf4bc3 x25: 00000000000001f0 x24: fffffdffc3eaba30
> x23: fffffdffc3eabd00 x22: dfff800000000000 x21: 000000000020b68f
> x20: fffffdffc3eabd48 x19: fffffdffc3eaba00 x18: 00000000ffffffff
> x17: 0000000000000000 x16: ffff80008ad27e48 x15: ffff700011e740c0
> x14: 1ffff00011e740c0 x13: 0000000000000004 x12: ffffffffffffffff
> x11: 0000000000080000 x10: 000000000000b6d5 x9 : c4bcfe0a46a0cd00
> x8 : c4bcfe0a46a0cd00 x7 : 0000000000000001 x6 : 0000000000000001
> x5 : ffff80009ea76ef8 x4 : ffff80008f415ba0 x3 : ffff800080548ef0
> x2 : 0000000000000000 x1 : 0000000000000001 x0 : 00000000000000b8
> Call trace:
>   __folio_rmap_sanity_checks include/linux/rmap.h:426 [inline] (P)
>   __folio_add_rmap mm/rmap.c:1252 [inline] (P)
>   __folio_add_file_rmap mm/rmap.c:1620 [inline] (P)
>   folio_add_file_rmap_ptes+0x864/0xa80 mm/rmap.c:1642 (P)
>   set_pte_range+0x28c/0x434 mm/memory.c:5256
>   filemap_map_folio_range mm/filemap.c:3631 [inline]
>   filemap_map_pages+0xb50/0x1558 mm/filemap.c:3740
>   do_fault_around mm/memory.c:5476 [inline]
>   do_read_fault mm/memory.c:5509 [inline]
>   do_fault mm/memory.c:5652 [inline]
>   do_pte_missing mm/memory.c:4160 [inline]
>   handle_pte_fault mm/memory.c:5997 [inline]
>   __handle_mm_fault mm/memory.c:6140 [inline]
>   handle_mm_fault+0x2b84/0x4d18 mm/memory.c:6309
>   do_page_fault+0x428/0x1554 arch/arm64/mm/fault.c:647
>   do_translation_fault+0xc4/0x114 arch/arm64/mm/fault.c:783
>   do_mem_abort+0x70/0x194 arch/arm64/mm/fault.c:919
>   el0_da+0x64/0x160 arch/arm64/kernel/entry-common.c:627
>   el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:789
>   el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
> irq event stamp: 292
> hardirqs last  enabled at (291): [<ffff80008055041c>] __up_console_sem kernel/printk/printk.c:344 [inline]
> hardirqs last  enabled at (291): [<ffff80008055041c>] __console_unlock+0x70/0xc4 kernel/printk/printk.c:2885
> hardirqs last disabled at (292): [<ffff80008adb9eb8>] el1_dbg+0x24/0x80 arch/arm64/kernel/entry-common.c:511
> softirqs last  enabled at (8): [<ffff8000801fbf10>] local_bh_enable+0x10/0x34 include/linux/bottom_half.h:32
> softirqs last disabled at (6): [<ffff8000801fbedc>] local_bh_disable+0x10/0x34 include/linux/bottom_half.h:19
> ---[ end trace 0000000000000000 ]---
> page: refcount:10 mapcount:1 mapping:00000000dc26ff10 index:0x4 pfn:0x13aae8
> head: order:2 mapcount:4 entire_mapcount:0 nr_pages_mapped:4 pincount:0
> memcg:ffff0000d4838000
> aops:bch_address_space_operations ino:1002 dentry name(?):"file1"
> flags: 0x5ffc0000000516d(locked|referenced|uptodate|lru|active|arch_1|private|head|node=0|zone=2|lastcpupid=0x7ff)
> raw: 05ffc0000000516d fffffdffc3e1bf08 fffffdffc3d17508 ffff0000f1fd18e8
> raw: 0000000000000004 ffff0000d4c1f300 0000000a00000000 ffff0000d4838000
> head: 05ffc0000000516d fffffdffc3e1bf08 fffffdffc3d17508 ffff0000f1fd18e8
> head: 0000000000000004 ffff0000d4c1f300 0000000a00000000 ffff0000d4838000
> head: 05ffc00000000202 fffffdffc3eaba01 0000000400000003 00000000ffffffff
> head: ffffffff00000003 000000000000003d 0000000000000000 0000000000000004
> page dumped because: VM_WARN_ON_FOLIO((_Generic((page + nr_pages - 1), const struct page *: (const struct folio *)_compound_head(page + nr_pages - 1), struct page *: (struct folio *)_compound_head(page + nr_pages - 1))) != folio)
> ------------[ cut here ]------------
> WARNING: CPU: 1 PID: 10255 at ./include/linux/rmap.h:427 __folio_rmap_sanity_checks include/linux/rmap.h:427 [inline]
> WARNING: CPU: 1 PID: 10255 at ./include/linux/rmap.h:427 __folio_add_rmap mm/rmap.c:1252 [inline]
> WARNING: CPU: 1 PID: 10255 at ./include/linux/rmap.h:427 __folio_add_file_rmap mm/rmap.c:1620 [inline]
> WARNING: CPU: 1 PID: 10255 at ./include/linux/rmap.h:427 folio_add_file_rmap_ptes+0x890/0xa80 mm/rmap.c:1642
> Modules linked in:
> CPU: 1 UID: 0 PID: 10255 Comm: syz.0.668 Tainted: G        W           6.15.0-rc7-syzkaller-g187899f4124a #0 PREEMPT
> Tainted: [W]=WARN
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
> pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
> pc : __folio_rmap_sanity_checks include/linux/rmap.h:427 [inline]
> pc : __folio_add_rmap mm/rmap.c:1252 [inline]
> pc : __folio_add_file_rmap mm/rmap.c:1620 [inline]
> pc : folio_add_file_rmap_ptes+0x890/0xa80 mm/rmap.c:1642
> lr : __folio_rmap_sanity_checks include/linux/rmap.h:427 [inline]
> lr : __folio_add_rmap mm/rmap.c:1252 [inline]
> lr : __folio_add_file_rmap mm/rmap.c:1620 [inline]
> lr : folio_add_file_rmap_ptes+0x890/0xa80 mm/rmap.c:1642
> sp : ffff80009ea777f0
> x29: ffff80009ea77830 x28: ffff0000d89a43c0 x27: 0000000020010000
> x26: 002000013aaf4bc3 x25: 00000000000001f0 x24: fffffdffc3eaba30
> x23: fffffdffc3eabd00 x22: dfff800000000000 x21: fffffdffc3eb3900
> x20: fffffdffc3eb3801 x19: fffffdffc3eaba00 x18: 00000000ffffffff
> x17: 0000000000000000 x16: ffff80008ad27e48 x15: ffff700011e740c0
> x14: 1ffff00011e740c0 x13: 0000000000000004 x12: ffffffffffffffff
> x11: 0000000000080000 x10: 000000000002ce5f x9 : c4bcfe0a46a0cd00
> x8 : c4bcfe0a46a0cd00 x7 : 0000000000000001 x6 : 0000000000000001
> x5 : ffff80009ea76ef8 x4 : ffff80008f415ba0 x3 : ffff800080548ef0
> x2 : 0000000000000000 x1 : 0000000000000001 x0 : 00000000000000e5
> Call trace:
>   __folio_rmap_sanity_checks include/linux/rmap.h:427 [inline] (P)
>   __folio_add_rmap mm/rmap.c:1252 [inline] (P)
>   __folio_add_file_rmap mm/rmap.c:1620 [inline] (P)
>   folio_add_file_rmap_ptes+0x890/0xa80 mm/rmap.c:1642 (P)
>   set_pte_range+0x28c/0x434 mm/memory.c:5256
>   filemap_map_folio_range mm/filemap.c:3631 [inline]
>   filemap_map_pages+0xb50/0x1558 mm/filemap.c:3740
>   do_fault_around mm/memory.c:5476 [inline]
>   do_read_fault mm/memory.c:5509 [inline]
>   do_fault mm/memory.c:5652 [inline]
>   do_pte_missing mm/memory.c:4160 [inline]
>   handle_pte_fault mm/memory.c:5997 [inline]
>   __handle_mm_fault mm/memory.c:6140 [inline]
>   handle_mm_fault+0x2b84/0x4d18 mm/memory.c:6309
>   do_page_fault+0x428/0x1554 arch/arm64/mm/fault.c:647
>   do_translation_fault+0xc4/0x114 arch/arm64/mm/fault.c:783
>   do_mem_abort+0x70/0x194 arch/arm64/mm/fault.c:919
>   el0_da+0x64/0x160 arch/arm64/kernel/entry-common.c:627
>   el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:789
>   el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
> irq event stamp: 928
> hardirqs last  enabled at (927): [<ffff80008055041c>] __up_console_sem kernel/printk/printk.c:344 [inline]
> hardirqs last  enabled at (927): [<ffff80008055041c>] __console_unlock+0x70/0xc4 kernel/printk/printk.c:2885
> hardirqs last disabled at (928): [<ffff80008adb9eb8>] el1_dbg+0x24/0x80 arch/arm64/kernel/entry-common.c:511
> softirqs last  enabled at (830): [<ffff8000803cf71c>] softirq_handle_end kernel/softirq.c:425 [inline]
> softirqs last  enabled at (830): [<ffff8000803cf71c>] handle_softirqs+0xaf8/0xc88 kernel/softirq.c:607
> softirqs last disabled at (727): [<ffff800080020efc>] __do_softirq+0x14/0x20 kernel/softirq.c:613
> ---[ end trace 0000000000000000 ]---
> ------------[ cut here ]------------
> WARNING: CPU: 1 PID: 10255 at ./include/linux/rmap.h:214 __folio_large_mapcount_sanity_checks+0x3d4/0x5dc include/linux/rmap.h:214
> Modules linked in:
> CPU: 1 UID: 0 PID: 10255 Comm: syz.0.668 Tainted: G        W           6.15.0-rc7-syzkaller-g187899f4124a #0 PREEMPT
> Tainted: [W]=WARN
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
> pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
> pc : __folio_large_mapcount_sanity_checks+0x3d4/0x5dc include/linux/rmap.h:214
> lr : __folio_large_mapcount_sanity_checks+0x3d4/0x5dc include/linux/rmap.h:214
> sp : ffff80009ea77790
> x29: ffff80009ea77790 x28: 0000000080000000 x27: 1fffffbff87d574f
> x26: 1fffffbff87d5740 x25: 1fffffbff87d5741 x24: dfff800000000000
> x23: 00000000000001f0 x22: fffffdffc3eaba78 x21: 0000000000000004
> x20: fffffdffc3eaba08 x19: fffffdffc3eaba00 x18: 00000000ffffffff
> x17: 0000000000000000 x16: ffff80008ad27e48 x15: 0000000000000001
> x14: 1fffffbff87d574d x13: 0000000000000000 x12: 0000000000000000
> x11: 0000000000080000 x10: 0000000000049002 x9 : ffff8000aa342000
> x8 : 0000000000049003 x7 : 0000000000000001 x6 : 0000000000000001
> x5 : ffff80009ea76ef8 x4 : ffff80008f415ba0 x3 : ffff800080b2596c
> x2 : 000000000000003d x1 : 00000000000001f0 x0 : 0000000000000004
> Call trace:
>   __folio_large_mapcount_sanity_checks+0x3d4/0x5dc include/linux/rmap.h:214 (P)
>   folio_add_return_large_mapcount include/linux/rmap.h:250 [inline]
>   __folio_add_rmap mm/rmap.c:1279 [inline]
>   __folio_add_file_rmap mm/rmap.c:1620 [inline]
>   folio_add_file_rmap_ptes+0x47c/0xa80 mm/rmap.c:1642
>   set_pte_range+0x28c/0x434 mm/memory.c:5256
>   filemap_map_folio_range mm/filemap.c:3631 [inline]
>   filemap_map_pages+0xb50/0x1558 mm/filemap.c:3740
>   do_fault_around mm/memory.c:5476 [inline]
>   do_read_fault mm/memory.c:5509 [inline]
>   do_fault mm/memory.c:5652 [inline]
>   do_pte_missing mm/memory.c:4160 [inline]
>   handle_pte_fault mm/memory.c:5997 [inline]
>   __handle_mm_fault mm/memory.c:6140 [inline]
>   handle_mm_fault+0x2b84/0x4d18 mm/memory.c:6309
>   do_page_fault+0x428/0x1554 arch/arm64/mm/fault.c:647
>   do_translation_fault+0xc4/0x114 arch/arm64/mm/fault.c:783
>   do_mem_abort+0x70/0x194 arch/arm64/mm/fault.c:919
>   el0_da+0x64/0x160 arch/arm64/kernel/entry-common.c:627
>   el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:789
>   el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
> irq event stamp: 1044
> hardirqs last  enabled at (1043): [<ffff80008adbc380>] __exit_to_kernel_mode arch/arm64/kernel/entry-common.c:85 [inline]
> hardirqs last  enabled at (1043): [<ffff80008adbc380>] exit_to_kernel_mode+0xc0/0xf0 arch/arm64/kernel/entry-common.c:95
> hardirqs last disabled at (1044): [<ffff80008adb9eb8>] el1_dbg+0x24/0x80 arch/arm64/kernel/entry-common.c:511
> softirqs last  enabled at (1042): [<ffff8000803cf71c>] softirq_handle_end kernel/softirq.c:425 [inline]
> softirqs last  enabled at (1042): [<ffff8000803cf71c>] handle_softirqs+0xaf8/0xc88 kernel/softirq.c:607
> softirqs last disabled at (933): [<ffff800080020efc>] __do_softirq+0x14/0x20 kernel/softirq.c:613
> ---[ end trace 0000000000000000 ]---
> ------------[ cut here ]------------
> kernel BUG at mm/page_table_check.c:120!
> Internal error: Oops - BUG: 00000000f2000800 [#1]  SMP
> Modules linked in:
> CPU: 1 UID: 0 PID: 10255 Comm: syz.0.668 Tainted: G        W           6.15.0-rc7-syzkaller-g187899f4124a #0 PREEMPT
> Tainted: [W]=WARN
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
> pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
> pc : page_table_check_set+0x56c/0x590 mm/page_table_check.c:120
> lr : page_table_check_set+0x56c/0x590 mm/page_table_check.c:120
> sp : ffff80009ea776a0
> x29: ffff80009ea776b0 x28: ffff80008f63c000 x27: 0000000000000001
> x26: ffff0000c08158c8 x25: 0000000000000006 x24: 0000000000000001
> x23: ffff0000c08158c8 x22: 000000000013ab14 x21: 0000000000000000
> x20: 0000000000000010 x19: 1ffff00012dfca50 x18: 00000000ffffffff
> x17: 0000000000000000 x16: ffff80008051c10c x15: 0000000000000001
> x14: 1fffe00018102b19 x13: 0000000000000000 x12: 0000000000000000
> x11: 0000000000080000 x10: 00000000000632c3 x9 : ffff8000aa342000
> x8 : 00000000000632c4 x7 : ffff800080cd13e4 x6 : 0000000000000000
> x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff800080cd0928
> x2 : 0000000000000000 x1 : 0000000000000001 x0 : 0000000000000000
> Call trace:
>   page_table_check_set+0x56c/0x590 mm/page_table_check.c:120 (P)
>   __page_table_check_ptes_set+0x2a8/0x2e0 mm/page_table_check.c:209
>   page_table_check_ptes_set include/linux/page_table_check.h:76 [inline]
>   __set_ptes_anysz arch/arm64/include/asm/pgtable.h:724 [inline]
>   __set_ptes+0x4a0/0x504 arch/arm64/include/asm/pgtable.h:756
>   contpte_set_ptes+0x120/0x188 arch/arm64/mm/contpte.c:273
>   set_ptes arch/arm64/include/asm/pgtable.h:1807 [inline]
>   set_pte_range+0x39c/0x434 mm/memory.c:5258
>   filemap_map_folio_range mm/filemap.c:3631 [inline]
>   filemap_map_pages+0xb50/0x1558 mm/filemap.c:3740
>   do_fault_around mm/memory.c:5476 [inline]
>   do_read_fault mm/memory.c:5509 [inline]
>   do_fault mm/memory.c:5652 [inline]
>   do_pte_missing mm/memory.c:4160 [inline]
>   handle_pte_fault mm/memory.c:5997 [inline]
>   __handle_mm_fault mm/memory.c:6140 [inline]
>   handle_mm_fault+0x2b84/0x4d18 mm/memory.c:6309
>   do_page_fault+0x428/0x1554 arch/arm64/mm/fault.c:647
>   do_translation_fault+0xc4/0x114 arch/arm64/mm/fault.c:783
>   do_mem_abort+0x70/0x194 arch/arm64/mm/fault.c:919
>   el0_da+0x64/0x160 arch/arm64/kernel/entry-common.c:627
>   el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:789
>   el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
> Code: aa1603e0 97fd6781 17fffee6 97e91fd8 (d4210000)
> ---[ end trace 0000000000000000 ]---
> 
> 
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@...glegroups.com.
> 
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> 
> If the report is already addressed, let syzbot know by replying with:
> #syz fix: exact-commit-title
> 
> If you want to overwrite report's subsystems, reply with:
> #syz set subsystems: new-subsystem
> (See the list of subsystem names on the web dashboard)
> 
> If the report is a duplicate of another one, reply with:
> #syz dup: exact-subject-of-another-report
> 
> If you want to undo deduplication, reply with:
> #syz undup
> 

I'm afraid this is a duplicate of

https://syzkaller.appspot.com/bug?extid=c0673e1f1f054fac28c2

#syz dup: WARNING in __folio_rmap_sanity_checks (2)

Again, no reproducer :(

-- 
Cheers,

David / dhildenb

