From: Harry Yoo <harry.yoo@oracle.com>
To: syzbot <syzbot+4d9a13f0797c46a29e42@syzkaller.appspotmail.com>
Cc: Liam.Howlett@oracle.com, akpm@linux-foundation.org,
jannh@google.com, linux-kernel@vger.kernel.org,
linux-mm@kvack.org, lorenzo.stoakes@oracle.com, pfalcato@suse.de,
syzkaller-bugs@googlegroups.com, vbabka@suse.cz,
"Ryan Roberts" <ryan.roberts@arm.com>,
"Peter Xu" <peterx@redhat.com>,
"Mikołaj Lenczewski" <miko.lenczewski@arm.com>,
"David Hildenbrand" <david@redhat.com>
Subject: Re: [syzbot] [mm?] WARNING in move_page_tables
Date: Wed, 13 Aug 2025 21:20:17 +0900
Message-ID: <aJyDAX8bHZCp93Dq@hyeyoo>
In-Reply-To: <689bb893.050a0220.7f033.013a.GAE@google.com>
On Tue, Aug 12, 2025 at 02:56:35PM -0700, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 53e760d89498 Merge tag 'nfsd-6.17-1' of git://git.kernel.o..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=165fe9a2580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=f9319a42cfb3bf57
> dashboard link: https://syzkaller.appspot.com/bug?extid=4d9a13f0797c46a29e42
> compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14172842580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15b04c34580000
>
> Downloadable assets:
> disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-53e760d8.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/584b4139c7e3/vmlinux-53e760d8.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/4d2474607300/bzImage-53e760d8.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+4d9a13f0797c46a29e42@syzkaller.appspotmail.com
[Cc'ing Ryan, Mikołaj, David and Peter]
I was able to reliably reproduce this (with the reproducer provided
by syzbot) and performed bisection.
The first bad commit is 0cef0bb836e ("mm: clear uffd-wp PTE/PMD state on
mremap()"), which was introduced in v6.13.
Adding git bisect log.
# Git bisect log
$ git bisect start
# status: waiting for both good and bad commits
# bad: [19272b37aa4f83ca52bdf9c16d5d81bdd1354494] Linux 6.16-rc1
git bisect bad 19272b37aa4f83ca52bdf9c16d5d81bdd1354494
# status: waiting for good commit(s), bad commit known
# bad: [0ff41df1cb268fc69e703a08a57ee14ae967d0ca] Linux 6.15
git bisect bad 0ff41df1cb268fc69e703a08a57ee14ae967d0ca
# status: waiting for good commit(s), bad commit known
# bad: [38fec10eb60d687e30c8c6b5420d86e8149f7557] Linux 6.14
git bisect bad 38fec10eb60d687e30c8c6b5420d86e8149f7557
# status: waiting for good commit(s), bad commit known
# good: [0c3836482481200ead7b416ca80c68a29cfdaabd] Linux 6.10
git bisect good 0c3836482481200ead7b416ca80c68a29cfdaabd
# good: [77b679453d3364688ff3e5153c0be5b2b52672b7] Merge tag 'v6.12-rc3' into perf-tools-next
git bisect good 77b679453d3364688ff3e5153c0be5b2b52672b7
# good: [77b679453d3364688ff3e5153c0be5b2b52672b7] Merge tag 'v6.12-rc3' into perf-tools-next
git bisect good 77b679453d3364688ff3e5153c0be5b2b52672b7
# good: [05d5d3840b2d52619ffb79e60ab58e30a7f86037] Merge branches '20241204-sm8750_master_clks-v3-0-1a8f31a53a86@quicinc.com' and '20250106-sm8750-dispcc-v2-1-6f42beda6317@linaro.org' into arm64-for-6.14
git bisect good 05d5d3840b2d52619ffb79e60ab58e30a7f86037
# good: [05d5d3840b2d52619ffb79e60ab58e30a7f86037] Merge branches '20241204-sm8750_master_clks-v3-0-1a8f31a53a86@quicinc.com' and '20250106-sm8750-dispcc-v2-1-6f42beda6317@linaro.org' into arm64-for-6.14
git bisect good 05d5d3840b2d52619ffb79e60ab58e30a7f86037
# bad: [d0d106a2bd21499901299160744e5fe9f4c83ddb] Merge tag 'bpf-next-6.14' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next
git bisect bad d0d106a2bd21499901299160744e5fe9f4c83ddb
# bad: [d0d106a2bd21499901299160744e5fe9f4c83ddb] Merge tag 'bpf-next-6.14' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next
git bisect bad d0d106a2bd21499901299160744e5fe9f4c83ddb
# good: [4f1a62e2b3961946a924c093bc2bdd44a2a46c9d] dt-bindings: clock: qcom,sm8550-dispcc: Add SM8750 DISPCC
git bisect good 4f1a62e2b3961946a924c093bc2bdd44a2a46c9d
# good: [8817c21a45b62c17f18417efbd0b04a3805a1e23] dt-bindings: clock: qcom: Document the SM8750 TCSR Clock Controller
git bisect good 8817c21a45b62c17f18417efbd0b04a3805a1e23
# good: [f4d3d7340e719dd3d2c23ce8d6c360e2f93ba7e4] dt-bindings: clock: qcom: Add QCS615 GCC clocks
git bisect good f4d3d7340e719dd3d2c23ce8d6c360e2f93ba7e4
# good: [f4d3d7340e719dd3d2c23ce8d6c360e2f93ba7e4] dt-bindings: clock: qcom: Add QCS615 GCC clocks
git bisect good f4d3d7340e719dd3d2c23ce8d6c360e2f93ba7e4
# bad: [cf33d96f50903214226b379b3f10d1f262dae018] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
git bisect bad cf33d96f50903214226b379b3f10d1f262dae018
# good: [a603abe345d6301f04dc2ceb5fbdaa19e4c8f7da] Merge tag 'perf_urgent_for_v6.13_rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
git bisect good a603abe345d6301f04dc2ceb5fbdaa19e4c8f7da
# good: [79f4b6934dbd7dd6741726ba004a15e25380b8cc] wifi: iwlwifi: mvm: remove unneeded NULL pointer checks
git bisect good 79f4b6934dbd7dd6741726ba004a15e25380b8cc
# bad: [2ee738e90e80850582cbe10f34c6447965c1d87b] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
git bisect bad 2ee738e90e80850582cbe10f34c6447965c1d87b
# good: [bc1e64d5403d7926a3d79fdbbdf628b69f0939a2] Merge branch 'net-use-netdev-lock-to-protect-napi'
git bisect good bc1e64d5403d7926a3d79fdbbdf628b69f0939a2
# good: [3744b08449c27bfa085aa218c4830f3996a51626] Merge branch 'pm-cpufreq'
git bisect good 3744b08449c27bfa085aa218c4830f3996a51626
# good: [a50da36562cd62b41de9bef08edbb3e8af00f118] netdev: avoid CFI problems with sock priv helpers
git bisect good a50da36562cd62b41de9bef08edbb3e8af00f118
# bad: [79a1d390f879563119bf2848b621bc7eed228c7d] Merge tag 'sound-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound
git bisect bad 79a1d390f879563119bf2848b621bc7eed228c7d
# bad: [cbc5dde0a461240046e8a41c43d7c3b76d5db952] fs/proc: fix softlockup in __read_vmcore (part 2)
git bisect bad cbc5dde0a461240046e8a41c43d7c3b76d5db952
# good: [4dff389c9f1dd787e8058930b3fbd3248a6238c5] Revert "mm: zswap: fix race between [de]compression and CPU hotunplug"
git bisect good 4dff389c9f1dd787e8058930b3fbd3248a6238c5
# bad: [a32bf5bb7933fde6f39747499f8ec232b5b5400f] selftests/mm: set allocated memory to non-zero content in cow test
git bisect bad a32bf5bb7933fde6f39747499f8ec232b5b5400f
# good: [4bcf29741145e73440323e3e9af8b1a6f4961183] module: fix writing of livepatch relocations in ROX text
git bisect good 4bcf29741145e73440323e3e9af8b1a6f4961183
# bad: [0cef0bb836e3cfe00f08f9606c72abd72fe78ca3] mm: clear uffd-wp PTE/PMD state on mremap()
git bisect bad 0cef0bb836e3cfe00f08f9606c72abd72fe78ca3
# first bad commit: [0cef0bb836e3cfe00f08f9606c72abd72fe78ca3] mm: clear uffd-wp PTE/PMD state on mremap()
--
Cheers,
Harry / Hyeonggon
> R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000002
> R13: 00007f00d0db5fa0 R14: 00007f00d0db5fa0 R15: 0000000000000005
> </TASK>
> ------------[ cut here ]------------
> WARNING: CPU: 2 PID: 6133 at mm/mremap.c:357 move_normal_pmd mm/mremap.c:357 [inline]
> WARNING: CPU: 2 PID: 6133 at mm/mremap.c:357 move_pgt_entry mm/mremap.c:595 [inline]
> WARNING: CPU: 2 PID: 6133 at mm/mremap.c:357 move_page_tables+0x3832/0x44a0 mm/mremap.c:852
> Modules linked in:
> CPU: 2 UID: 0 PID: 6133 Comm: syz.0.19 Not tainted 6.17.0-rc1-syzkaller-00004-g53e760d89498 #0 PREEMPT(full)
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
> RIP: 0010:move_normal_pmd mm/mremap.c:357 [inline]
> RIP: 0010:move_pgt_entry mm/mremap.c:595 [inline]
> RIP: 0010:move_page_tables+0x3832/0x44a0 mm/mremap.c:852
> Code: 02 00 0f 85 b6 03 00 00 48 8b 2b 4c 89 f6 48 89 ef e8 e2 1b af ff 49 39 ee 0f 82 d5 cb ff ff e9 0c cc ff ff e8 1f 21 af ff 90 <0f> 0b 90 48 8b 44 24 40 48 8d 78 40 48 b8 00 00 00 00 00 fc ff df
> RSP: 0018:ffffc900037a76d8 EFLAGS: 00010293
> RAX: 0000000000000000 RBX: 0000000032930007 RCX: ffffffff820c6645
> RDX: ffff88802e56a440 RSI: ffffffff820c7201 RDI: 0000000000000007
> RBP: ffff888037728fc0 R08: 0000000000000007 R09: 0000000000000000
> R10: 0000000032930007 R11: 0000000000000000 R12: 0000000000000000
> R13: ffffc900037a79a8 R14: 0000000000000001 R15: dffffc0000000000
> FS: 000055556316a500(0000) GS:ffff8880d68bc000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000001b30863fff CR3: 0000000050171000 CR4: 0000000000352ef0
> Call Trace:
> <TASK>
> copy_vma_and_data+0x468/0x790 mm/mremap.c:1215
> move_vma+0x548/0x1780 mm/mremap.c:1282
> mremap_to+0x1b7/0x450 mm/mremap.c:1406
> do_mremap+0xfad/0x1f80 mm/mremap.c:1921
> __do_sys_mremap+0x119/0x170 mm/mremap.c:1977
> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
> do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
> RIP: 0033:0x7f00d0b8ebe9
> Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007ffe5ea5ee98 EFLAGS: 00000246 ORIG_RAX: 0000000000000019
> RAX: ffffffffffffffda RBX: 00007f00d0db5fa0 RCX: 00007f00d0b8ebe9
> RDX: 0000000000400000 RSI: 0000000000c00000 RDI: 0000200000000000
> RBP: 00007ffe5ea5eef0 R08: 0000200000c00000 R09: 0000000000000000
> R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000002
> R13: 00007f00d0db5fa0 R14: 00007f00d0db5fa0 R15: 0000000000000005
> </TASK>
>
>
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
>
> If the report is already addressed, let syzbot know by replying with:
> #syz fix: exact-commit-title
>
> If you want syzbot to run the reproducer, reply with:
> #syz test: git://repo/address.git branch-or-commit-hash
> If you attach or paste a git patch, syzbot will apply it before testing.
>
> If you want to overwrite report's subsystems, reply with:
> #syz set subsystems: new-subsystem
> (See the list of subsystem names on the web dashboard)
>
> If the report is a duplicate of another one, reply with:
> #syz dup: exact-subject-of-another-report
>
> If you want to undo deduplication, reply with:
> #syz undup
>
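An added triage helper, not code from the thread or the kernel tree: it decodes the user-space register frame of the quoted syzbot report into the mremap() arguments using the x86-64 syscall ABI (rdi, rsi, rdx, r10, r8; syscall number saved in ORIG_RAX). The register values are copied from the report above; `NR_MREMAP` and the `MREMAP_*` flag values are the Linux UAPI constants.

```python
import re

# Constructed excerpt of the quoted syzbot report (the WARNING line, the task
# line and the user-space register frame), embedded so the script runs offline.
REPORT = """\
WARNING: CPU: 2 PID: 6133 at mm/mremap.c:357 move_normal_pmd mm/mremap.c:357 [inline]
CPU: 2 UID: 0 PID: 6133 Comm: syz.0.19 Not tainted 6.17.0-rc1-syzkaller-00004-g53e760d89498 #0 PREEMPT(full)
RIP: 0033:0x7f00d0b8ebe9
RSP: 002b:00007ffe5ea5ee98 EFLAGS: 00000246 ORIG_RAX: 0000000000000019
RAX: ffffffffffffffda RBX: 00007f00d0db5fa0 RCX: 00007f00d0b8ebe9
RDX: 0000000000400000 RSI: 0000000000c00000 RDI: 0000200000000000
RBP: 00007ffe5ea5eef0 R08: 0000200000c00000 R09: 0000000000000000
R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000002
"""

# x86-64 syscall ABI: number in rax (saved as ORIG_RAX), arguments in rdi, rsi,
# rdx, r10, r8, r9. Constants below are the Linux UAPI values.
ARG_REGS = ("RDI", "RSI", "RDX", "R10", "R08")
NR_MREMAP = 25
MREMAP_FLAGS = {1: "MREMAP_MAYMOVE", 2: "MREMAP_FIXED", 4: "MREMAP_DONTUNMAP"}

def parse_warning(text):
    """Return (file, line, function) of the WARN site from the first WARNING line."""
    m = re.search(r"WARNING: CPU: \d+ PID: \d+ at (\S+):(\d+) (\S+)", text)
    return (m.group(1), int(m.group(2)), m.group(3)) if m else None

def parse_user_regs(text):
    """Collect the register dump that follows the user-space RIP (CS selector 0033)."""
    parts = text.split("RIP: 0033:", 1)
    if len(parts) < 2:
        return {}
    pairs = re.findall(r"\b(R[A-Z0-9]{2}|ORIG_RAX): ([0-9a-f]{16})", parts[1])
    return {name: int(value, 16) for name, value in pairs}

def decode_mremap(regs):
    """Map the frame onto mremap(old_addr, old_len, new_len, flags, new_addr)."""
    if regs.get("ORIG_RAX") != NR_MREMAP:
        raise ValueError("frame is not an mremap() syscall entry")
    old_addr, old_len, new_len, flags, new_addr = (regs[r] for r in ARG_REGS)
    names = [n for bit, n in MREMAP_FLAGS.items() if flags & bit] or ["0"]
    return {"old_addr": old_addr, "old_len": old_len, "new_len": new_len,
            "flags": "|".join(names), "new_addr": new_addr,
            # With MREMAP_FIXED the caller picks the destination; record whether
            # it starts exactly where the (shrunk) source range ends.
            "dst_adjacent_to_src": new_addr == old_addr + old_len}

if __name__ == "__main__":
    print("WARN site:", parse_warning(REPORT))
    for k, v in decode_mremap(parse_user_regs(REPORT)).items():
        print(f"{k:>20}: {v:#x}" if type(v) is int else f"{k:>20}: {v}")
```

Run against the report it shows the WARN was reached from mremap(0x200000000000, 0xc00000, 0x400000, MREMAP_MAYMOVE|MREMAP_FIXED, 0x200000c00000), i.e. a shrink-and-move to a fixed destination that begins right after the old range.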
2025-08-12 21:56 [syzbot] [mm?] WARNING in move_page_tables syzbot
2025-08-13 1:26 ` Hillf Danton
2025-08-13 1:49 ` syzbot
2025-08-13 2:19 ` Hillf Danton
2025-08-13 2:39 ` syzbot
2025-08-13 4:47 ` Lorenzo Stoakes
2025-08-13 5:08 ` syzbot
2025-08-13 12:20 ` Harry Yoo
2025-08-13 12:20 ` Harry Yoo [this message]
2025-08-18 12:54 ` David Hildenbrand
2025-08-18 12:56 ` syzbot
2025-08-18 13:01 ` David Hildenbrand
2025-08-18 13:22 ` syzbot
2025-08-13 13:14 ` Hillf Danton
2025-08-13 13:23 ` syzbot