From: syzbot ci <syzbot+ci4ae4a31c44c6107f@syzkaller.appspotmail.com>
To: akpm@linux-foundation.org, baohua@kernel.org,
baolin.wang@linux.alibaba.com, david@kernel.org,
dev.jain@arm.com, lance.yang@linux.dev, liam.howlett@oracle.com,
linux-mm@kvack.org, lorenzo.stoakes@oracle.com,
npache@redhat.com, richard.weiyang@gmail.com,
ryan.roberts@arm.com, ziy@nvidia.com
Cc: syzbot@lists.linux.dev, syzkaller-bugs@googlegroups.com
Subject: [syzbot ci] Re: mm/huge_memory: consolidate order-related checks into folio_check_splittable()
Date: Tue, 23 Dec 2025 09:50:59 -0800
Message-ID: <694ad683.050a0220.35954c.0004.GAE@google.com>
In-Reply-To: <20251223122539.10726-1-richard.weiyang@gmail.com>
syzbot ci has tested the following series
[v2] mm/huge_memory: consolidate order-related checks into folio_check_splittable()
https://lore.kernel.org/all/20251223122539.10726-1-richard.weiyang@gmail.com
* [Patch v2] mm/huge_memory: consolidate order-related checks into folio_check_splittable()
and found the following issue:
WARNING in __folio_split
Full report is available here:
https://ci.syzbot.org/series/7e34013d-ed08-40e1-99b7-8fd118dce84f
***
WARNING in __folio_split
tree: mm-new
URL: https://kernel.googlesource.com/pub/scm/linux/kernel/git/akpm/mm.git
base: c642ecda5b136882e518d8303863473c0d21ab2f
arch: amd64
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
config: https://ci.syzbot.org/builds/2edb2dc5-42c6-4557-a194-921c57fd9eb1/config
C repro: https://ci.syzbot.org/findings/8349b674-5790-4507-97cd-03697ec93cb0/c_repro
syz repro: https://ci.syzbot.org/findings/8349b674-5790-4507-97cd-03697ec93cb0/syz_repro
------------[ cut here ]------------
Tried to split an unsplittable folio
WARNING: mm/huge_memory.c:3970 at __folio_split+0xfe7/0x1370 mm/huge_memory.c:3970, CPU#1: syz.0.17/5997
Modules linked in:
CPU: 1 UID: 0 PID: 5997 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:__folio_split+0xfe7/0x1370 mm/huge_memory.c:3970
Code: fe c6 05 a5 f8 3e 0d 01 90 0f 0b 90 e9 0d f4 ff ff e8 4d 78 94 ff 49 ff cd e9 d1 f4 ff ff e8 40 78 94 ff 48 8d 3d 69 47 5a 0d <67> 48 0f b9 3a 41 bd ea ff ff ff e9 7c fe ff ff 44 89 7c 24 34 44
RSP: 0018:ffffc900036d6d60 EFLAGS: 00010293
RAX: ffffffff822d4360 RBX: ffffea0005a4b008 RCX: ffff8881047fd7c0
RDX: 0000000000000000 RSI: ffffffff8e06e540 RDI: ffffffff8f878ad0
RBP: ffffc900036d6ef0 R08: ffff8881047fd7c0 R09: 0000000000000002
R10: 00000000ffffffea R11: 0000000000000000 R12: 0000000000000004
R13: 00000000ffffffea R14: ffffea0005a4b000 R15: 1ffffd4000b49603
FS: 0000555591a60500(0000) GS:ffff8882a9e32000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b30d63fff CR3: 0000000100f30000 CR4: 00000000000006f0
Call Trace:
<TASK>
madvise_cold_or_pageout_pte_range+0xbf3/0x1ce0 mm/madvise.c:503
walk_pmd_range mm/pagewalk.c:130 [inline]
walk_pud_range mm/pagewalk.c:224 [inline]
walk_p4d_range mm/pagewalk.c:262 [inline]
walk_pgd_range+0x1037/0x1d30 mm/pagewalk.c:303
__walk_page_range+0x14c/0x710 mm/pagewalk.c:410
walk_page_range_vma_unsafe+0x34c/0x400 mm/pagewalk.c:714
madvise_pageout_page_range mm/madvise.c:622 [inline]
madvise_pageout mm/madvise.c:647 [inline]
madvise_vma_behavior+0x30c7/0x4420 mm/madvise.c:1366
madvise_walk_vmas+0x575/0xaf0 mm/madvise.c:1721
madvise_do_behavior+0x38e/0x550 mm/madvise.c:1937
do_madvise+0x1bc/0x270 mm/madvise.c:2030
__do_sys_madvise mm/madvise.c:2039 [inline]
__se_sys_madvise mm/madvise.c:2037 [inline]
__x64_sys_madvise+0xa7/0xc0 mm/madvise.c:2037
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7ff69838f7c9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff82001dd8 EFLAGS: 00000246 ORIG_RAX: 000000000000001c
RAX: ffffffffffffffda RBX: 00007ff6985e5fa0 RCX: 00007ff69838f7c9
RDX: 0000000000000015 RSI: 0000000000600000 RDI: 0000200000000000
RBP: 00007ff6983f297f R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ff6985e5fa0 R14: 00007ff6985e5fa0 R15: 0000000000000003
</TASK>
----------------
Code disassembly (best guess), 1 bytes skipped:
0: c6 05 a5 f8 3e 0d 01 movb $0x1,0xd3ef8a5(%rip) # 0xd3ef8ac
7: 90 nop
8: 0f 0b ud2
a: 90 nop
b: e9 0d f4 ff ff jmp 0xfffff41d
10: e8 4d 78 94 ff call 0xff947862
15: 49 ff cd dec %r13
18: e9 d1 f4 ff ff jmp 0xfffff4ee
1d: e8 40 78 94 ff call 0xff947862
22: 48 8d 3d 69 47 5a 0d lea 0xd5a4769(%rip),%rdi # 0xd5a4792
* 29: 67 48 0f b9 3a ud1 (%edx),%rdi <-- trapping instruction
2e: 41 bd ea ff ff ff mov $0xffffffea,%r13d
34: e9 7c fe ff ff jmp 0xfffffeb5
39: 44 89 7c 24 34 mov %r15d,0x34(%rsp)
3e: 44 rex.R
***
If these findings have caused you to resend the series or submit a
separate fix, please add the following tag to your commit message:
Tested-by: syzbot@syzkaller.appspotmail.com
---
This report is generated by a bot. It may contain errors.
syzbot ci engineers can be reached at syzkaller@googlegroups.com.
Thread overview: 9+ messages
2025-12-23 12:25 [Patch v2] mm/huge_memory: consolidate order-related checks into folio_check_splittable() Wei Yang
2025-12-23 17:50 ` syzbot ci [this message]
2026-01-04 2:37 ` Wei Yang
2026-01-05 16:16 ` David Hildenbrand (Red Hat)
2026-01-05 16:29 ` Lorenzo Stoakes
2026-01-05 16:52 ` Matthew Wilcox
2026-01-06 9:54 ` Wei Yang
2026-01-06 12:28 ` Zi Yan
2026-01-06 12:51 ` Wei Yang