[syzbot] [mm?] WARNING: bad unlock balance in __zap_vma_range

All of lore.kernel.org
 help / color / mirror / Atom feed

From: syzbot <syzbot+d2be42d723da59b38697@syzkaller.appspotmail.com>
To: Liam.Howlett@oracle.com, akpm@linux-foundation.org,
	jannh@google.com,  linux-kernel@vger.kernel.org,
	linux-mm@kvack.org, ljs@kernel.org,  pfalcato@suse.de,
	syzkaller-bugs@googlegroups.com, vbabka@kernel.org
Subject: [syzbot] [mm?] WARNING: bad unlock balance in __zap_vma_range
Date: Fri, 24 Apr 2026 13:00:34 -0700	[thread overview]
Message-ID: <69ebcbe2.a00a0220.7773.0005.GAE@google.com> (raw)

Hello,

syzbot found the following issue on:

HEAD commit:    c1f49dea2b8f Merge tag 'mm-hotfixes-stable-2026-04-19-00-1..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10b09f16580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=6a29a582d8ced859
dashboard link: https://syzkaller.appspot.com/bug?extid=d2be42d723da59b38697
compiler:       gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-c1f49dea.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/402c79548d6e/vmlinux-c1f49dea.xz
kernel image: https://storage.googleapis.com/syzbot-assets/1bc39526d7f4/bzImage-c1f49dea.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d2be42d723da59b38697@syzkaller.appspotmail.com

=====================================
WARNING: bad unlock balance detected!
syzkaller #0 Not tainted
-------------------------------------
dhcpcd-run-hook/5886 is trying to release lock (rcu_read_lock) at:
[<ffffffff825b687c>] rcu_lock_release include/linux/rcupdate.h:310 [inline]
[<ffffffff825b687c>] rcu_read_unlock include/linux/rcupdate.h:869 [inline]
[<ffffffff825b687c>] pte_unmap include/linux/pgtable.h:117 [inline]
[<ffffffff825b687c>] zap_pte_range mm/memory.c:1948 [inline]
[<ffffffff825b687c>] zap_pmd_range mm/memory.c:2004 [inline]
[<ffffffff825b687c>] zap_pud_range mm/memory.c:2032 [inline]
[<ffffffff825b687c>] zap_p4d_range mm/memory.c:2053 [inline]
[<ffffffff825b687c>] __zap_vma_range+0x22dc/0x4bf0 mm/memory.c:2093
but there are no more locks to release!

other info that might help us debug this:
1 lock held by dhcpcd-run-hook/5886:
 #0: ffff88802b94b438 (&mm->mmap_lock){++++}-{4:4}, at: mmap_read_lock include/linux/mmap_lock.h:592 [inline]
 #0: ffff88802b94b438 (&mm->mmap_lock){++++}-{4:4}, at: exit_mmap+0x124/0xa10 mm/mmap.c:1284

stack backtrace:
CPU: 2 UID: 0 PID: 5886 Comm: dhcpcd-run-hook Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
 print_unlock_imbalance_bug.part.0+0xfb/0x106 kernel/locking/lockdep.c:5298
 print_unlock_imbalance_bug kernel/locking/lockdep.c:5278 [inline]
 __lock_release kernel/locking/lockdep.c:5537 [inline]
 lock_release kernel/locking/lockdep.c:5889 [inline]
 lock_release+0x28d/0x310 kernel/locking/lockdep.c:5875
 rcu_lock_release include/linux/rcupdate.h:310 [inline]
 rcu_read_unlock include/linux/rcupdate.h:869 [inline]
 pte_unmap include/linux/pgtable.h:117 [inline]
 zap_pte_range mm/memory.c:1948 [inline]
 zap_pmd_range mm/memory.c:2004 [inline]
 zap_pud_range mm/memory.c:2032 [inline]
 zap_p4d_range mm/memory.c:2053 [inline]
 __zap_vma_range+0x22e1/0x4bf0 mm/memory.c:2093
 unmap_vmas+0x299/0x5f0 mm/memory.c:2162
 exit_mmap+0x1ef/0xa10 mm/mmap.c:1300
 __mmput+0x12a/0x410 kernel/fork.c:1178
 mmput+0x67/0x80 kernel/fork.c:1201
 exit_mm kernel/exit.c:581 [inline]
 do_exit+0x833/0x2a60 kernel/exit.c:963
 do_group_exit+0xd5/0x2a0 kernel/exit.c:1117
 __do_sys_exit_group kernel/exit.c:1128 [inline]
 __se_sys_exit_group kernel/exit.c:1126 [inline]
 __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1126
 x64_sys_call+0x102c/0x1530 arch/x86/include/generated/asm/syscalls_64.h:232
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x10b/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f4a27bab6c5
Code: Unable to access opcode bytes at 0x7f4a27bab69b.
RSP: 002b:00007ffe0faf6ed8 EFLAGS: 00000202 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007ffe0faf7104 RCX: 00007f4a27bab6c5
RDX: 00000000000000e7 RSI: ffffffffffffff88 RDI: 0000000000000000
RBP: 0000000000000003 R08: 00007ffe0faf6fd0 R09: 0000000000000002
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
R13: 00007ffe0faf7210 R14: 00007f4a27dbb000 R15: 00005576e2150d98
 </TASK>
------------[ cut here ]------------
rrln < 0 || rrln > RCU_NEST_PMAX
WARNING: kernel/rcu/tree_plugin.h:443 at __rcu_read_unlock kernel/rcu/tree_plugin.h:443 [inline], CPU#2: dhcpcd-run-hook/5886
WARNING: kernel/rcu/tree_plugin.h:443 at __rcu_read_unlock+0x235/0x5e0 kernel/rcu/tree_plugin.h:430, CPU#2: dhcpcd-run-hook/5886
Modules linked in:
CPU: 2 UID: 0 PID: 5886 Comm: dhcpcd-run-hook Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:__rcu_read_unlock kernel/rcu/tree_plugin.h:443 [inline]
RIP: 0010:__rcu_read_unlock+0x235/0x5e0 kernel/rcu/tree_plugin.h:430
Code: 74 11 c7 45 58 01 00 00 00 bf 09 00 00 00 e8 d2 70 da ff e8 cd fd 22 00 9c 58 f6 c4 02 0f 85 dd 02 00 00 fb e9 57 fe ff ff 90 <0f> 0b 90 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc e8 a4 74 88
RSP: 0018:ffffc90003387778 EFLAGS: 00010286
RAX: 00000000ffffffff RBX: ffff888025320000 RCX: ffffffff81e8a36e
RDX: 0000000000000000 RSI: ffffffff8df30d5f RDI: ffff8880253204c4
RBP: 0000000000000004 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: 0000000000000001 R12: ffff88802b94b9b8
R13: fffffbfff21b8360 R14: 0000000000000000 R15: 00007f4a27cba000
FS:  0000000000000000(0000) GS:ffff8880d64e7000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffe0faf6018 CR3: 0000000037c7b000 CR4: 0000000000352ef0
Call Trace:
 <TASK>
 rcu_read_unlock include/linux/rcupdate.h:871 [inline]
 pte_unmap include/linux/pgtable.h:117 [inline]
 zap_pte_range mm/memory.c:1948 [inline]
 zap_pmd_range mm/memory.c:2004 [inline]
 zap_pud_range mm/memory.c:2032 [inline]
 zap_p4d_range mm/memory.c:2053 [inline]
 __zap_vma_range+0x22e6/0x4bf0 mm/memory.c:2093
 unmap_vmas+0x299/0x5f0 mm/memory.c:2162
 exit_mmap+0x1ef/0xa10 mm/mmap.c:1300
 __mmput+0x12a/0x410 kernel/fork.c:1178
 mmput+0x67/0x80 kernel/fork.c:1201
 exit_mm kernel/exit.c:581 [inline]
 do_exit+0x833/0x2a60 kernel/exit.c:963
 do_group_exit+0xd5/0x2a0 kernel/exit.c:1117
 __do_sys_exit_group kernel/exit.c:1128 [inline]
 __se_sys_exit_group kernel/exit.c:1126 [inline]
 __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1126
 x64_sys_call+0x102c/0x1530 arch/x86/include/generated/asm/syscalls_64.h:232
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x10b/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f4a27bab6c5
Code: Unable to access opcode bytes at 0x7f4a27bab69b.
RSP: 002b:00007ffe0faf6ed8 EFLAGS: 00000202 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007ffe0faf7104 RCX: 00007f4a27bab6c5
RDX: 00000000000000e7 RSI: ffffffffffffff88 RDI: 0000000000000000
RBP: 0000000000000003 R08: 00007ffe0faf6fd0 R09: 0000000000000002
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
R13: 00007ffe0faf7210 R14: 00007f4a27dbb000 R15: 00005576e2150d98
 </TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

next             reply	other threads:[~2026-04-24 20:00 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-04-24 20:00 syzbot [this message]
2026-05-12 12:33 ` Forwarded: Re: [syzbot] [mm?] WARNING: bad unlock balance in __zap_vma_range syzbot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=69ebcbe2.a00a0220.7773.0005.GAE@google.com \
    --to=syzbot+d2be42d723da59b38697@syzkaller.appspotmail.com \
    --cc=Liam.Howlett@oracle.com \
    --cc=akpm@linux-foundation.org \
    --cc=jannh@google.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mm@kvack.org \
    --cc=ljs@kernel.org \
    --cc=pfalcato@suse.de \
    --cc=syzkaller-bugs@googlegroups.com \
    --cc=vbabka@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.