Re: [syzbot] [mm?] general protection fault in zap_huge_pmd

[Mike Rapoport <rppt@kernel.org>]

On Wed, Mar 18, 2026 at 05:26:32PM +0000, Lorenzo Stoakes (Oracle) wrote:
> +cc Mike for uffd, Harry for fix that also resolves this, see below
> 
> On Wed, Mar 18, 2026 at 08:03:22AM -0700, syzbot wrote:
> > Hello,
> >
> > syzbot found the following issue on:
> >
> > HEAD commit:    b84a0ebe421c Add linux-next specific files for 20260313
> 
> For some reason I have to git pull --tags to get this... commit hash locally?
> Strange.
> 
> > git tree:       linux-next
> > console output: https://syzkaller.appspot.com/x/log.txt?x=119ddd52580000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=e7280ad1f68b2dce
> > dashboard link: https://syzkaller.appspot.com/bug?extid=de14f7701c22477db718
> > compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=173b44da580000
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1537b8da580000
> 
> @SYZKALLER guys:
> 
> Note: the repro is incorrectly labelling;
> 
>   //  ioctl$UFFDIO_CONTINUE arguments: [
>   //    fd: fd_uffd (resource)
>   //    cmd: const = 0xc020aa08 (4 bytes)
> 
> as UFFDIO_CONTINUE (0x7), it's actually UFFDIO_POISION (0x8) as you can see
> from least-significant byte.
> 
> It's also stating things like mmap flags wrong e.g.:
> 
>       /*flags=MAP_UNINITIALIZED|MAP_POPULATE|MAP_NORESERVE|MAP_NONBLOCK|MAP_HUGETLB|0x8c4b815a506002b2*/
>       0x8c4b815a5465c2b2ul,

As Andrey Vagin pointed off-list, you can run strace repro and see the
syscall arguments quite nicely :-)
 
> So Harry's fix resolves this,

and that's the important bit ;-P

> but we should handle this case better in zap_huge_pmd(), I will send a
> patch for that.
 
> Cheers, Lorenzo

-- 
Sincerely yours,
Mike.