Message-ID: <CA+CK2bBsdvrftSR0eEPsqyB=eny-64-qjnGqn1puPe=fduz4eQ@mail.gmail.com>
Date: Sat, 7 Feb 2026 12:43:32 -0500
From: Pasha Tatashin <pasha.tatashin@...een.com>
To: syzbot <syzbot+227179d5a8a87e9df90d@...kaller.appspotmail.com>
Cc: akpm@...ux-foundation.org, linux-kernel@...r.kernel.org, 
	linux-mm@...ck.org, syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [mm?] kernel BUG in page_table_check_set (2)

On Thu, Feb 5, 2026 at 5:40 PM syzbot
<syzbot+227179d5a8a87e9df90d@...kaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit:    099ba40b1bd9 riscv: lib: optimize strlen loop efficiency
> git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git for-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=158c8b22580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=781a4eb07921464d
> dashboard link: https://syzkaller.appspot.com/bug?extid=227179d5a8a87e9df90d
> compiler:       riscv64-linux-gnu-gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
> userspace arch: riscv64
>
> Unfortunately, I don't have any reproducer for this issue yet.
>
> Downloadable assets:
> disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/a741b348759c/non_bootable_disk-099ba40b.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/38fcde8ce410/vmlinux-099ba40b.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/9246b4696c47/Image-099ba40b.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+227179d5a8a87e9df90d@...kaller.appspotmail.com
>
> ------------[ cut here ]------------
> kernel BUG at [] mm/page_table_check.c:118!

BUG_ON(atomic_inc_return(&ptc->anon_map_count) > 1 && rw);

Looks like on MADV_COLD we end up with false sharing on an anonymous
page likely for a short period of time.

Pasha

> Kernel BUG [#1]
> Modules linked in:
> CPU: 0 UID: 0 PID: 7886 Comm: syz.4.1009 Tainted: G             L      syzkaller #0 PREEMPT
> Tainted: [L]=SOFTLOCKUP
> Hardware name: riscv-virtio,qemu (DT)
> epc : page_table_check_set+0xa74/0xd30 mm/page_table_check.c:118
>  ra : page_table_check_set+0xa74/0xd30 mm/page_table_check.c:118
> epc : ffffffff80bfcb7c ra : ffffffff80bfcb7c sp : ffff8f8000cb6860
>  gp : ffffffff89f9df20 tp : ffffaf801c80b500 t0 : 0000000000000000
>  t1 : fffff5ef026b8409 t2 : ffffffff9136c6e8 s0 : ffff8f8000cb68e0
>  s1 : 0000000000000001 a0 : 0000000000000001 a1 : 0000000000000000
>  a2 : 0000000000080000 a3 : ffffffff80bfcb7c a4 : ffff8f800b83a948
>  a5 : 000000000007f948 a6 : 0000000000000003 a7 : ffffaf80135c204b
>  s2 : 00000000000b5a00 s3 : 0000000000000000 s4 : ffffaf80135c2000
>  s5 : 0000000000000001 s6 : 0000000000000001 s7 : dfffffff00000000
>  s8 : 0000000000007fff s9 : ffffffff88825fa0 s10: 0000000000000000
>  s11: ffffffff8a0b5d80 t3 : 0000000000000001 t4 : fffff5ef026b8409
>  t5 : fffff5ef026b840a t6 : 0000000000000002 ssp : 0000000000000000
> status: 0000000200000120 badaddr: ffffffff80bfcb7c cause: 0000000000000003
> [<ffffffff80bfcb7c>] page_table_check_set+0xa74/0xd30 mm/page_table_check.c:118
> [<ffffffff80bfd300>] __page_table_check_ptes_set+0x264/0x47c mm/page_table_check.c:212
> [<ffffffff80b5e6c2>] page_table_check_ptes_set include/linux/page_table_check.h:76 [inline]
> [<ffffffff80b5e6c2>] set_ptes arch/riscv/include/asm/pgtable.h:640 [inline]
> [<ffffffff80b5e6c2>] remove_migration_pte+0x1136/0x2494 mm/migrate.c:436
> [<ffffffff80a0df26>] rmap_walk_anon+0x30e/0x690 mm/rmap.c:2861
> [<ffffffff80a27da6>] rmap_walk_locked+0xa6/0xcc mm/rmap.c:2977
> [<ffffffff80b69a0a>] remove_migration_ptes+0x18a/0x1bc mm/migrate.c:470
> [<ffffffff80b90dc0>] remap_page mm/huge_memory.c:3434 [inline]
> [<ffffffff80b90dc0>] __folio_split+0xeb4/0x16f8 mm/huge_memory.c:4069
> [<ffffffff80b91ae2>] __split_huge_page_to_list_to_order+0x7e/0x140 mm/huge_memory.c:4200
> [<ffffffff80b9554a>] split_huge_page_to_list_to_order include/linux/huge_mm.h:385 [inline]
> [<ffffffff80b9554a>] split_folio_to_list+0x22/0x30 mm/huge_memory.c:4264
> [<ffffffff80ab469a>] madvise_cold_or_pageout_pte_range+0x1862/0x2400 mm/madvise.c:412
> [<ffffffff80a03002>] walk_pmd_range mm/pagewalk.c:130 [inline]
> [<ffffffff80a03002>] walk_pud_range mm/pagewalk.c:224 [inline]
> [<ffffffff80a03002>] walk_p4d_range mm/pagewalk.c:262 [inline]
> [<ffffffff80a03002>] walk_pgd_range+0xcc6/0x1f84 mm/pagewalk.c:303
> [<ffffffff80a043f8>] __walk_page_range+0x138/0x7a8 mm/pagewalk.c:410
> [<ffffffff80a05cf2>] walk_page_range_vma_unsafe+0x212/0x868 mm/pagewalk.c:714
> [<ffffffff80a063a2>] walk_page_range_vma+0x5a/0x84 mm/pagewalk.c:724
> [<ffffffff80aadfe8>] madvise_cold_page_range mm/madvise.c:586 [inline]
> [<ffffffff80aadfe8>] madvise_cold+0x1a4/0x5f4 mm/madvise.c:606
> [<ffffffff80ab66c0>] madvise_vma_behavior+0x1188/0x251c mm/madvise.c:1364
> [<ffffffff80ab7c8e>] madvise_walk_vmas+0x23a/0x970 mm/madvise.c:1721
> [<ffffffff80ab85ae>] madvise_do_behavior+0x1ea/0x5c0 mm/madvise.c:1937
> [<ffffffff80ab94c6>] do_madvise+0x18a/0x22c mm/madvise.c:2030
> [<ffffffff80ab95f0>] __do_sys_madvise mm/madvise.c:2039 [inline]
> [<ffffffff80ab95f0>] __se_sys_madvise mm/madvise.c:2037 [inline]
> [<ffffffff80ab95f0>] __riscv_sys_madvise+0x88/0xdc mm/madvise.c:2037
> [<ffffffff80078192>] syscall_handler+0x92/0x114 arch/riscv/include/asm/syscall.h:112
> [<ffffffff86391c0a>] do_trap_ecall_u+0x3d2/0x58c arch/riscv/kernel/traps.c:344
> [<ffffffff863bb61e>] handle_exception+0x15e/0x16a arch/riscv/kernel/entry.S:232
> Code: 7097 ff90 80e7 4580 81e3 e004 8097 ff90 80e7 9380 (9002) 8097
> ---[ end trace 0000000000000000 ]---
> ----------------
> Code disassembly (best guess):
>    0:   ff907097                auipc   ra,0xff907
>    4:   458080e7                jalr    1112(ra) # 0xff907458
>    8:   e00481e3                beqz    s1,0xfffffffffffffe0a
>    c:   ff908097                auipc   ra,0xff908
>   10:   938080e7                jalr    -1736(ra) # 0xff907944
> * 14:   9002                    ebreak <-- trapping instruction
>   16:   9780                    .short  0x8097
>
>
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@...glegroups.com.
>
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
>
> If the report is already addressed, let syzbot know by replying with:
> #syz fix: exact-commit-title
>
> If you want to overwrite report's subsystems, reply with:
> #syz set subsystems: new-subsystem
> (See the list of subsystem names on the web dashboard)
>
> If the report is a duplicate of another one, reply with:
> #syz dup: exact-subject-of-another-report
>
> If you want to undo deduplication, reply with:
> #syz undup
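To make the failing check concrete, here is an added user-space model of the accounting that mm/page_table_check.c performs per physical page. It is illustrative code written for this archive page, not kernel code and not code from the reporter or the reply: struct ptc_model, enum ptc_result, ptc_set, ptc_clear, ptc_replay and the event arrays are all names chosen here, and the three event sequences are constructed, not derived from the syzbot log. The model keeps two counters per page, as the kernel does, and returns an error code where the kernel would BUG(). The third scenario shows the condition behind the quoted BUG_ON: an anonymous page accounted as writable in a second page-table entry while the first is still live, which is exactly the state (one anon page writable through two PTEs) that the checker exists to catch; the first two scenarios show the legal cases that the same check allows, read-only sharing after fork and a clear-before-set move.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Per-page counters, modelled on struct page_table_check in
 * mm/page_table_check.c (plain ints here; the kernel uses atomics). */
struct ptc_model {
    int anon_map_count;
    int file_map_count;
};

/* What a checking step concluded; the kernel BUG()s on anything but OK. */
enum ptc_result {
    PTC_OK = 0,
    PTC_ANON_ON_FILE,    /* anon mapping of a page that is file-mapped */
    PTC_FILE_ON_ANON,    /* file mapping of a page that is anon-mapped */
    PTC_ANON_SHARED_RW,  /* anon page writable through more than one PTE */
    PTC_UNDERFLOW        /* more clears than sets */
};

/* Set-side accounting. The anon branch's second test is the model of
 * BUG_ON(atomic_inc_return(&ptc->anon_map_count) > 1 && rw). */
static enum ptc_result ptc_set(struct ptc_model *ptc, bool anon, bool rw)
{
    if (anon) {
        if (ptc->file_map_count)
            return PTC_ANON_ON_FILE;
        if (++ptc->anon_map_count > 1 && rw)
            return PTC_ANON_SHARED_RW;
    } else {
        if (ptc->anon_map_count)
            return PTC_FILE_ON_ANON;
        ++ptc->file_map_count;
    }
    return PTC_OK;
}

/* Clear-side accounting: a counter must never go negative. */
static enum ptc_result ptc_clear(struct ptc_model *ptc, bool anon)
{
    int *count = anon ? &ptc->anon_map_count : &ptc->file_map_count;
    int *other = anon ? &ptc->file_map_count : &ptc->anon_map_count;

    if (*other)
        return anon ? PTC_ANON_ON_FILE : PTC_FILE_ON_ANON;
    if (--*count < 0)
        return PTC_UNDERFLOW;
    return PTC_OK;
}

/* One page-table update that touches the same physical page. */
struct pt_event {
    bool set;   /* true: PTE installed, false: PTE cleared */
    bool anon;  /* anonymous page rather than file-backed page */
    bool rw;    /* writable mapping; ignored for a clear */
};

/* Replay a sequence against one page. Returns the index of the first
 * event that trips a check, or -1 if the whole sequence is consistent;
 * *why (if non-NULL) receives the reason. */
static int ptc_replay(const struct pt_event *ev, size_t n, enum ptc_result *why)
{
    struct ptc_model ptc = { 0, 0 };

    for (size_t i = 0; i < n; i++) {
        enum ptc_result r = ev[i].set ? ptc_set(&ptc, ev[i].anon, ev[i].rw)
                                      : ptc_clear(&ptc, ev[i].anon);
        if (r != PTC_OK) {
            if (why)
                *why = r;
            return (int)i;
        }
    }
    if (why)
        *why = PTC_OK;
    return -1;
}

/* Constructed scenarios (not taken from the report). */

/* Copy-on-write after fork: one anon page read-only in two PTEs. */
static const struct pt_event cow_share[] = {
    { true, true, false }, { true, true, false },
};
/* Moving a writable anon PTE: old entry cleared before the new one is
 * set, so the page is never accounted writable twice. */
static const struct pt_event move_ok[] = {
    { true, true, true }, { false, true, false }, { true, true, true },
};
/* The condition behind the quoted BUG_ON: a second writable PTE for the
 * anon page is set while the first is still accounted for. */
static const struct pt_event double_rw[] = {
    { true, true, true }, { true, true, true },
};

int check_cow_share(void) { return ptc_replay(cow_share, ARRAY_SIZE(cow_share), NULL); }
int check_move_ok(void)   { return ptc_replay(move_ok, ARRAY_SIZE(move_ok), NULL); }
int check_double_rw(void) { return ptc_replay(double_rw, ARRAY_SIZE(double_rw), NULL); }

enum ptc_result why_double_rw(void)
{
    enum ptc_result why;

    ptc_replay(double_rw, ARRAY_SIZE(double_rw), &why);
    return why;
}

int main(void)
{
    printf("cow share : %d\n", check_cow_share());
    printf("move      : %d\n", check_move_ok());
    printf("double rw : %d (reason %d)\n", check_double_rw(), (int)why_double_rw());
    return 0;
}
```

Compile with any C99 compiler and run; the first two sequences replay to -1 (consistent), the third stops at event index 1 with PTC_ANON_SHARED_RW. When reading a report like the one above, the question this model frames is which two set_ptes callers accounted the same anonymous page writable without a clear in between; here the trace points at remove_migration_pte under a folio split triggered by MADV_COLD.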
