From: syzbot <syzbot+43235b3002d58852ea38@syzkaller.appspotmail.com>
To: akpm@linux-foundation.org, axelrasmussen@google.com,
baohua@kernel.org, bhe@redhat.com, chrisl@kernel.org,
kasong@tencent.com, linux-kernel@vger.kernel.org,
linux-mm@kvack.org, nphamcs@gmail.com,
shikemeng@huaweicloud.com, syzkaller-bugs@googlegroups.com,
weixugc@google.com, yuanchu@google.com
Subject: [syzbot] [mm?] kernel BUG in __free_one_page (2)
Date: Mon, 15 Sep 2025 22:40:27 -0700
Message-ID: <68c8f84b.050a0220.2ff435.03bc.GAE@google.com>
Hello,
syzbot found the following issue on:
HEAD commit: 8736259279a3 Merge branch 'for-next/core' into for-kernelci
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=1107e934580000
kernel config: https://syzkaller.appspot.com/x/.config?x=9ed0a6d7c80843e9
dashboard link: https://syzkaller.appspot.com/bug?extid=43235b3002d58852ea38
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=137f3362580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=109f6b12580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/025c082a7762/disk-87362592.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/606f903fe4d2/vmlinux-87362592.xz
kernel image: https://storage.googleapis.com/syzbot-assets/23ea2634f398/Image-87362592.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+43235b3002d58852ea38@syzkaller.appspotmail.com
raw: 05ffc00000200000 fffffdffc3207008 ffff0001fea8cba0 0000000000000000
raw: 0000000000000000 0000000000000004 00000001f0000000 0000000000000000
page dumped because: VM_BUG_ON_PAGE(page_count(buddy) != 0)
------------[ cut here ]------------
kernel BUG at mm/internal.h:664!
Internal error: Oops - BUG: 00000000f2000800 [#1] SMP
Modules linked in:
CPU: 0 UID: 0 PID: 6702 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/30/2025
pstate: 634000c5 (nZCv daIF +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
pc : page_is_buddy mm/internal.h:664 [inline]
pc : find_buddy_page_pfn mm/internal.h:716 [inline]
pc : __free_one_page+0x8b8/0x988 mm/page_alloc.c:969
lr : page_is_buddy mm/internal.h:664 [inline]
lr : find_buddy_page_pfn mm/internal.h:716 [inline]
lr : __free_one_page+0x8b8/0x988 mm/page_alloc.c:969
sp : ffff8000a0ac71f0
x29: ffff8000a0ac7210 x28: fffffdffc3c88034 x27: fffffdffc3c88000
x26: 0000000000132200 x25: 0000000000000000 x24: 0000000000000004
x23: 0000000000132210 x22: dfff800000000000 x21: fffffdffc3c88400
x20: 0000000000000000 x19: ffff0001fea8c880 x18: 00000000ffffffff
x17: 3030303030303030 x16: ffff80008b0155d8 x15: 0000000000000001
x14: 1fffe000337976f2 x13: 0000000000000000 x12: 0000000000000000
x11: ffff6000337976f3 x10: 0000000000ff0100 x9 : e31af28274316600
x8 : e31af28274316600 x7 : ffff800080563530 x6 : 0000000000000000
x5 : 0000000000000001 x4 : 0000000000000000 x3 : ffff8000807de30c
x2 : 0000000000000001 x1 : 0000000100000001 x0 : 000000000000003b
Call trace:
page_is_buddy mm/internal.h:664 [inline] (P)
find_buddy_page_pfn mm/internal.h:716 [inline] (P)
__free_one_page+0x8b8/0x988 mm/page_alloc.c:969 (P)
split_large_buddy+0x108/0x1d0 mm/page_alloc.c:1512
free_one_page+0x94/0x2e0 mm/page_alloc.c:1559
free_unref_folios+0x6b0/0x1454 mm/page_alloc.c:2959
folios_put_refs+0x608/0x718 mm/swap.c:997
folios_put include/linux/mm.h:1419 [inline]
__folio_batch_release+0x78/0xb0 mm/swap.c:1057
folio_batch_release include/linux/pagevec.h:101 [inline]
truncate_inode_pages_range+0x2f8/0xe18 mm/truncate.c:383
truncate_inode_pages+0x2c/0x3c mm/truncate.c:460
kill_bdev block/bdev.c:91 [inline]
blkdev_flush_mapping+0xfc/0x254 block/bdev.c:712
blkdev_put_whole block/bdev.c:719 [inline]
bdev_release+0x478/0x654 block/bdev.c:1144
blkdev_release+0x20/0x34 block/fops.c:699
__fput+0x340/0x75c fs/file_table.c:468
____fput+0x20/0x58 fs/file_table.c:496
task_work_run+0x1dc/0x260 kernel/task_work.c:227
exit_task_work include/linux/task_work.h:40 [inline]
do_exit+0x524/0x1a14 kernel/exit.c:961
do_group_exit+0x194/0x22c kernel/exit.c:1102
__do_sys_exit_group kernel/exit.c:1113 [inline]
__se_sys_exit_group kernel/exit.c:1111 [inline]
pid_child_should_wake+0x0/0x1dc kernel/exit.c:1111
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
el0_svc+0x5c/0x254 arch/arm64/kernel/entry-common.c:744
el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:763
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596
Code: 90052f41 913e0021 aa1b03e0 97d585d0 (d4210000)
---[ end trace 0000000000000000 ]---
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup