From: syzbot <syzbot+227179d5a8a87e9df90d@syzkaller.appspotmail.com>
To: akpm@linux-foundation.org, linux-kernel@vger.kernel.org,
	 linux-mm@kvack.org, pasha.tatashin@soleen.com,
	 syzkaller-bugs@googlegroups.com
Subject: [syzbot] [mm?] kernel BUG in page_table_check_set (2)
Date: Thu, 05 Feb 2026 14:40:34 -0800
Message-ID: <69851c62.a00a0220.37c87e.002e.GAE@google.com>

Hello,

syzbot found the following issue on:

HEAD commit:    099ba40b1bd9 riscv: lib: optimize strlen loop efficiency
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git for-next
console output: https://syzkaller.appspot.com/x/log.txt?x=158c8b22580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=781a4eb07921464d
dashboard link: https://syzkaller.appspot.com/bug?extid=227179d5a8a87e9df90d
compiler:       riscv64-linux-gnu-gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
userspace arch: riscv64

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/a741b348759c/non_bootable_disk-099ba40b.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/38fcde8ce410/vmlinux-099ba40b.xz
kernel image: https://storage.googleapis.com/syzbot-assets/9246b4696c47/Image-099ba40b.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+227179d5a8a87e9df90d@syzkaller.appspotmail.com

------------[ cut here ]------------
kernel BUG at [] mm/page_table_check.c:118!
Kernel BUG [#1]
Modules linked in:
CPU: 0 UID: 0 PID: 7886 Comm: syz.4.1009 Tainted: G             L      syzkaller #0 PREEMPT 
Tainted: [L]=SOFTLOCKUP
Hardware name: riscv-virtio,qemu (DT)
epc : page_table_check_set+0xa74/0xd30 mm/page_table_check.c:118
 ra : page_table_check_set+0xa74/0xd30 mm/page_table_check.c:118
epc : ffffffff80bfcb7c ra : ffffffff80bfcb7c sp : ffff8f8000cb6860
 gp : ffffffff89f9df20 tp : ffffaf801c80b500 t0 : 0000000000000000
 t1 : fffff5ef026b8409 t2 : ffffffff9136c6e8 s0 : ffff8f8000cb68e0
 s1 : 0000000000000001 a0 : 0000000000000001 a1 : 0000000000000000
 a2 : 0000000000080000 a3 : ffffffff80bfcb7c a4 : ffff8f800b83a948
 a5 : 000000000007f948 a6 : 0000000000000003 a7 : ffffaf80135c204b
 s2 : 00000000000b5a00 s3 : 0000000000000000 s4 : ffffaf80135c2000
 s5 : 0000000000000001 s6 : 0000000000000001 s7 : dfffffff00000000
 s8 : 0000000000007fff s9 : ffffffff88825fa0 s10: 0000000000000000
 s11: ffffffff8a0b5d80 t3 : 0000000000000001 t4 : fffff5ef026b8409
 t5 : fffff5ef026b840a t6 : 0000000000000002 ssp : 0000000000000000
status: 0000000200000120 badaddr: ffffffff80bfcb7c cause: 0000000000000003
[<ffffffff80bfcb7c>] page_table_check_set+0xa74/0xd30 mm/page_table_check.c:118
[<ffffffff80bfd300>] __page_table_check_ptes_set+0x264/0x47c mm/page_table_check.c:212
[<ffffffff80b5e6c2>] page_table_check_ptes_set include/linux/page_table_check.h:76 [inline]
[<ffffffff80b5e6c2>] set_ptes arch/riscv/include/asm/pgtable.h:640 [inline]
[<ffffffff80b5e6c2>] remove_migration_pte+0x1136/0x2494 mm/migrate.c:436
[<ffffffff80a0df26>] rmap_walk_anon+0x30e/0x690 mm/rmap.c:2861
[<ffffffff80a27da6>] rmap_walk_locked+0xa6/0xcc mm/rmap.c:2977
[<ffffffff80b69a0a>] remove_migration_ptes+0x18a/0x1bc mm/migrate.c:470
[<ffffffff80b90dc0>] remap_page mm/huge_memory.c:3434 [inline]
[<ffffffff80b90dc0>] __folio_split+0xeb4/0x16f8 mm/huge_memory.c:4069
[<ffffffff80b91ae2>] __split_huge_page_to_list_to_order+0x7e/0x140 mm/huge_memory.c:4200
[<ffffffff80b9554a>] split_huge_page_to_list_to_order include/linux/huge_mm.h:385 [inline]
[<ffffffff80b9554a>] split_folio_to_list+0x22/0x30 mm/huge_memory.c:4264
[<ffffffff80ab469a>] madvise_cold_or_pageout_pte_range+0x1862/0x2400 mm/madvise.c:412
[<ffffffff80a03002>] walk_pmd_range mm/pagewalk.c:130 [inline]
[<ffffffff80a03002>] walk_pud_range mm/pagewalk.c:224 [inline]
[<ffffffff80a03002>] walk_p4d_range mm/pagewalk.c:262 [inline]
[<ffffffff80a03002>] walk_pgd_range+0xcc6/0x1f84 mm/pagewalk.c:303
[<ffffffff80a043f8>] __walk_page_range+0x138/0x7a8 mm/pagewalk.c:410
[<ffffffff80a05cf2>] walk_page_range_vma_unsafe+0x212/0x868 mm/pagewalk.c:714
[<ffffffff80a063a2>] walk_page_range_vma+0x5a/0x84 mm/pagewalk.c:724
[<ffffffff80aadfe8>] madvise_cold_page_range mm/madvise.c:586 [inline]
[<ffffffff80aadfe8>] madvise_cold+0x1a4/0x5f4 mm/madvise.c:606
[<ffffffff80ab66c0>] madvise_vma_behavior+0x1188/0x251c mm/madvise.c:1364
[<ffffffff80ab7c8e>] madvise_walk_vmas+0x23a/0x970 mm/madvise.c:1721
[<ffffffff80ab85ae>] madvise_do_behavior+0x1ea/0x5c0 mm/madvise.c:1937
[<ffffffff80ab94c6>] do_madvise+0x18a/0x22c mm/madvise.c:2030
[<ffffffff80ab95f0>] __do_sys_madvise mm/madvise.c:2039 [inline]
[<ffffffff80ab95f0>] __se_sys_madvise mm/madvise.c:2037 [inline]
[<ffffffff80ab95f0>] __riscv_sys_madvise+0x88/0xdc mm/madvise.c:2037
[<ffffffff80078192>] syscall_handler+0x92/0x114 arch/riscv/include/asm/syscall.h:112
[<ffffffff86391c0a>] do_trap_ecall_u+0x3d2/0x58c arch/riscv/kernel/traps.c:344
[<ffffffff863bb61e>] handle_exception+0x15e/0x16a arch/riscv/kernel/entry.S:232
Code: 7097 ff90 80e7 4580 81e3 e004 8097 ff90 80e7 9380 (9002) 8097 
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	ff907097          	auipc	ra,0xff907
   4:	458080e7          	jalr	1112(ra) # 0xff907458
   8:	e00481e3          	beqz	s1,0xfffffffffffffe0a
   c:	ff908097          	auipc	ra,0xff908
  10:	938080e7          	jalr	-1736(ra) # 0xff907944
* 14:	9002                	ebreak <-- trapping instruction
  16:	9780                	.short	0x8097


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

