From: syzbot <syzbot+7a9bbb158a7a1071eb27@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com,
yuran.pereira@hotmail.com
Subject: Re: [syzbot] [usb] kernel BUG in __page_table_check_zero
Date: Fri, 10 Nov 2023 07:38:04 -0800
Message-ID: <0000000000002fbb830609ce1b6b@google.com>
In-Reply-To: <GV1PR10MB656399107C3F56D67CBE65C2E8AEA@GV1PR10MB6563.EURPRD10.PROD.OUTLOOK.COM>
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
kernel BUG in __page_table_check_zero
RBP: 00007f6cf0ffe120 R08: 0000000000000003 R09: 0000000000000000
R10: 0000000000011012 R11: 0000000000000246 R12: 0000000000000002
R13: 000000000000000b R14: 00007f6cf1d9bf80 R15: 00007ffc98ff0338
</TASK>
==> if* vma_use_count 1
------------[ cut here ]------------
kernel BUG at mm/page_table_check.c:146!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 5467 Comm: syz-executor.0 Not tainted 6.6.0-syzkaller-15859-g89cdf9d55601-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
RIP: 0010:__page_table_check_zero+0x2d5/0x4a0 mm/page_table_check.c:146
Code: 98 ff 48 ff cb e9 b5 fd ff ff e8 e6 9f 98 ff 48 ff cb e9 27 fe ff ff e8 d9 9f 98 ff 0f 0b e8 d2 9f 98 ff 0f 0b e8 cb 9f 98 ff <0f> 0b f3 0f 1e fa 4c 89 f6 48 81 e6 ff 0f 00 00 31 ff e8 f4 a3 98
RSP: 0018:ffffc900049f7800 EFLAGS: 00010293
RAX: ffffffff81f620c5 RBX: dffffc0000000000 RCX: ffff8880263f1dc0
RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff8880160ea044
RBP: ffff8880160ea044 R08: ffff8880160ea047 R09: 1ffff11002c1d408
R10: dffffc0000000000 R11: ffffed1002c1d409 R12: 0000000000000000
R13: 1ffffffff243299c R14: 000000000000000a R15: ffff8880160ea000
FS: 00007f6cf0ffe6c0(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055f9eb7b1680 CR3: 000000001d34c000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
page_table_check_free include/linux/page_table_check.h:41 [inline]
free_pages_prepare mm/page_alloc.c:1138 [inline]
__free_pages_ok+0xc43/0xd70 mm/page_alloc.c:1267
dec_usb_memory_use_count+0x259/0x350 drivers/usb/core/devio.c:198
usbdev_mmap+0x89e/0x9d0
call_mmap include/linux/fs.h:2025 [inline]
mmap_region+0xef2/0x2240 mm/mmap.c:2851
do_mmap+0x8d3/0xfa0 mm/mmap.c:1379
vm_mmap_pgoff+0x1dc/0x410 mm/util.c:546
ksys_mmap_pgoff+0x4ff/0x6d0 mm/mmap.c:1425
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f6cf1c7cae9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f6cf0ffe0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
RAX: ffffffffffffffda RBX: 00007f6cf1d9bf80 RCX: 00007f6cf1c7cae9
RDX: 0000000001000002 RSI: 0000000000400000 RDI: 0000000020000000
RBP: 00007f6cf0ffe120 R08: 0000000000000003 R09: 0000000000000000
R10: 0000000000011012 R11: 0000000000000246 R12: 0000000000000002
R13: 000000000000000b R14: 00007f6cf1d9bf80 R15: 00007ffc98ff0338
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__page_table_check_zero+0x2d5/0x4a0 mm/page_table_check.c:146
Code: 98 ff 48 ff cb e9 b5 fd ff ff e8 e6 9f 98 ff 48 ff cb e9 27 fe ff ff e8 d9 9f 98 ff 0f 0b e8 d2 9f 98 ff 0f 0b e8 cb 9f 98 ff <0f> 0b f3 0f 1e fa 4c 89 f6 48 81 e6 ff 0f 00 00 31 ff e8 f4 a3 98
RSP: 0018:ffffc900049f7800 EFLAGS: 00010293
RAX: ffffffff81f620c5 RBX: dffffc0000000000 RCX: ffff8880263f1dc0
RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff8880160ea044
RBP: ffff8880160ea044 R08: ffff8880160ea047 R09: 1ffff11002c1d408
R10: dffffc0000000000 R11: ffffed1002c1d409 R12: 0000000000000000
R13: 1ffffffff243299c R14: 000000000000000a R15: ffff8880160ea000
FS: 00007f6cf0ffe6c0(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055f9eb7b1680 CR3: 000000001d34c000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Tested on:
commit: 89cdf9d5 Merge tag 'net-6.7-rc1' of git://git.kernel.o..
git tree: https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=107ab1c0e80000
kernel config: https://syzkaller.appspot.com/x/.config?x=97c84b399d02b00b
dashboard link: https://syzkaller.appspot.com/bug?extid=7a9bbb158a7a1071eb27
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=17f7a747680000