From: syzbot <syzbot+3109abc43c8fcf15212b@syzkaller.appspotmail.com>
To: akpm@linux-foundation.org, cgroups@vger.kernel.org,
hannes@cmpxchg.org, linux-kernel@vger.kernel.org,
linux-mm@kvack.org, mhocko@kernel.org, muchun.song@linux.dev,
roman.gushchin@linux.dev, shakeel.butt@linux.dev,
syzkaller-bugs@googlegroups.com
Subject: [syzbot] [cgroups?] [mm?] BUG: unable to handle kernel paging request in percpu_ref_get_many (2)
Date: Sat, 24 May 2025 17:43:29 -0700
Message-ID: <683267b1.a70a0220.253bc2.007b.GAE@google.com>

Hello,

syzbot found the following issue on:

HEAD commit: d7fa1af5b33e Merge branch 'for-next/core' into for-kernelci
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=155428e8580000
kernel config: https://syzkaller.appspot.com/x/.config?x=89c13de706fbf07a
dashboard link: https://syzkaller.appspot.com/bug?extid=3109abc43c8fcf15212b
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
userspace arch: arm64

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/da97ad659b2c/disk-d7fa1af5.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/659e123552a8/vmlinux-d7fa1af5.xz
kernel image: https://storage.googleapis.com/syzbot-assets/6ec5dbf4643e/Image-d7fa1af5.gz.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3109abc43c8fcf15212b@syzkaller.appspotmail.com

Unable to handle kernel paging request at virtual address fffe8001ffe7cc00
KASAN: maybe wild-memory-access in range [0xfff8000fff3e6000-0xfff8000fff3e6007]
Mem abort info:
ESR = 0x0000000096000004
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x04: level 0 translation fault
Data abort info:
ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
CM = 0, WnR = 0, TnD = 0, TagAccess = 0
GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
swapper pgtable: 4k pages, 48-bit VAs, pgdp=00000002079fa000
[fffe8001ffe7cc00] pgd=0000000000000000, p4d=1000000210124003, pud=0000000000000000
Internal error: Oops: 0000000096000004 [#1] SMP
Modules linked in:
CPU: 0 UID: 0 PID: 6597 Comm: udevd Not tainted 6.15.0-rc7-syzkaller-gd7fa1af5b33e #0 PREEMPT
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
pstate: 404000c5 (nZcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : __percpu_add_case_64 arch/arm64/include/asm/percpu.h:127 [inline]
pc : percpu_ref_get_many+0xc4/0x1f4 include/linux/percpu-refcount.h:205
lr : rcu_read_lock include/linux/rcupdate.h:842 [inline]
lr : percpu_ref_get_many+0x3c/0x1f4 include/linux/percpu-refcount.h:202
sp : ffff8000a42973a0
x29: ffff8000a42973b0 x28: 0000000000000000 x27: 0000000000000000
x26: dfff800000000000 x25: ffff8000a42974e0 x24: ffff00019c365780
x23: ffff00019c365738 x22: 1fffe000193557a1 x21: dfff800000000000
x20: ffff0000c9aabd08 x19: 0000000000000001 x18: 0000000000000000
x17: 0000000000000000 x16: ffff80008adbe9e4 x15: 0000000000000001
x14: 1fffe00019b16b33 x13: 0000000000000000 x12: 0000000000000000
x11: 0000000087fac5b3 x10: 0000000000000003 x9 : ffff80010d0e8000
x8 : fffe8001ffe7cc00 x7 : ffff800080c9fbbc x6 : 0000000000000000
x5 : 0000000000000001 x4 : 0000000000000000 x3 : 0000000000000002
x2 : 0000000000000008 x1 : ffff80008b3ebc40 x0 : 0000000000000001
Call trace:
percpu_ref_get_many+0xc4/0x1f4 include/linux/percpu-refcount.h:205 (P)
percpu_ref_get include/linux/percpu-refcount.h:222 [inline]
obj_cgroup_get include/linux/memcontrol.h:760 [inline]
replace_stock_objcg mm/memcontrol.c:2774 [inline]
refill_obj_stock+0x150/0x470 mm/memcontrol.c:2952
obj_cgroup_uncharge mm/memcontrol.c:3015 [inline]
__memcg_slab_free_hook+0x110/0x228 mm/memcontrol.c:3102
memcg_slab_free_hook mm/slub.c:2205 [inline]
slab_free mm/slub.c:4639 [inline]
kmem_cache_free+0x270/0x550 mm/slub.c:4744
anon_vma_chain_free mm/rmap.c:147 [inline]
unlink_anon_vmas+0x224/0x520 mm/rmap.c:421
free_pgtables+0x200/0x63c mm/memory.c:370
vms_clear_ptes+0x358/0x45c mm/vma.c:1189
vms_complete_munmap_vmas+0x1d4/0x7e4 mm/vma.c:1233
do_vmi_align_munmap+0x2c4/0x310 mm/vma.c:1492
do_vmi_munmap+0x1dc/0x260 mm/vma.c:1540
__vm_munmap+0x218/0x390 mm/vma.c:3013
__do_sys_munmap mm/mmap.c:1084 [inline]
__se_sys_munmap mm/mmap.c:1081 [inline]
__arm64_sys_munmap+0x64/0x7c mm/mmap.c:1081
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767
el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
Code: 11000529 b9000289 d538d089 8b080128 (f833011f)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
0: 11000529 add w9, w9, #0x1
4: b9000289 str w9, [x20]
8: d538d089 mrs x9, tpidr_el1
c: 8b080128 add x8, x9, x8
* 10: f833011f stadd x19, [x8] <-- trapping instruction

---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup