From: Oleg Nesterov <oleg@redhat.com>
To: syzbot <syzbot+61ce80689253f42e6d80@syzkaller.appspotmail.com>
Cc: bp@alien8.de, dave.hansen@linux.intel.com, hpa@zytor.com,
	linux-kernel@vger.kernel.org, linux-trace-kernel@vger.kernel.org,
	mhiramat@kernel.org, mingo@redhat.com, peterz@infradead.org,
	syzkaller-bugs@googlegroups.com, tglx@kernel.org, x86@kernel.org
Subject: Re: [syzbot] [trace?] general protection fault in mtree_load
Date: Mon, 22 Jun 2026 15:04:16 +0200	[thread overview]
Message-ID: <ajky0IbEvV_UDj2a@redhat.com> (raw)
In-Reply-To: <6a38dd47.713c5d62.148f7.000c.GAE@google.com>

On 06/21, syzbot wrote:
>
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit:    6b5a2b7d9bc1 Merge tag 'trace-tools-v7.2' of git://git.ker..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=16d56986580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=ea6584355d75e0cd
> dashboard link: https://syzkaller.appspot.com/bug?extid=61ce80689253f42e6d80
> compiler:       gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
>
> Unfortunately, I don't have any reproducer for this issue yet.
>
> Downloadable assets:
> disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-6b5a2b7d.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/b3cb0499fbe9/vmlinux-6b5a2b7d.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/47cfbe57f6ea/bzImage-6b5a2b7d.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+61ce80689253f42e6d80@syzkaller.appspotmail.com
>
> Oops: general protection fault, probably for non-canonical address 0xdffffc0000000011: 0000 [#1] SMP KASAN NOPTI
> KASAN: null-ptr-deref in range [0x0000000000000088-0x000000000000008f]
> CPU: 3 UID: 0 PID: 24402 Comm: syz.4.5217 Tainted: G             L      syzkaller #0 PREEMPT(full)
> Tainted: [L]=SOFTLOCKUP
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
> RIP: 0010:mas_root lib/maple_tree.c:759 [inline]
> RIP: 0010:mas_start lib/maple_tree.c:1179 [inline]
> RIP: 0010:mtree_load+0x16d/0xa90 lib/maple_tree.c:5657
> Code: 00 00 00 00 48 c7 44 24 78 ff ff ff ff e8 6b bd 84 f6 48 8b 5c 24 50 c6 84 24 9c 00 00 00 00 48 8d 7b 48 48 89 f8 48 c1 e8 03 <42> 80 3c 20 00 0f 85 d6 08 00 00 48 8b 5b 48 e8 6f 1a 08 00 31 ff
> RSP: 0018:ffffc900039c76d8 EFLAGS: 00010206
> RAX: 0000000000000011 RBX: 0000000000000040 RCX: ffffffff8b848746
> RDX: ffff888041b6a540 RSI: ffffffff8b848775 RDI: 0000000000000088
> RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000001
> R10: 0000000000000001 R11: 000000000000751b R12: dffffc0000000000
> R13: ffff88802693adc0 R14: 00001fff904365a7 R15: dffffc0000000000
> FS:  0000000000000000(0000) GS:ffff8880d665f000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007f44aa04f156 CR3: 00000000364d5000 CR4: 0000000000352ef0
> Call Trace:
>  <TASK>
>  vma_lookup include/linux/mm.h:4204 [inline]
>  __in_uprobe_trampoline arch/x86/kernel/uprobes.c:766 [inline]
>  __is_optimized arch/x86/kernel/uprobes.c:1056 [inline]
>  is_optimized arch/x86/kernel/uprobes.c:1067 [inline]
>  set_orig_insn+0x1ec/0x2a0 arch/x86/kernel/uprobes.c:1098
>  remove_breakpoint kernel/events/uprobes.c:1185 [inline]
>  register_for_each_vma+0xbb7/0xdb0 kernel/events/uprobes.c:1318
>  uprobe_unregister_nosync+0x12a/0x1c0 kernel/events/uprobes.c:1343
>  bpf_uprobe_unregister kernel/trace/bpf_trace.c:2936 [inline]
>  bpf_uprobe_multi_link_release+0xb3/0x1c0 kernel/trace/bpf_trace.c:2947
>  bpf_link_free+0xec/0x4a0 kernel/bpf/syscall.c:3273
>  bpf_link_put_direct kernel/bpf/syscall.c:3326 [inline]
>  bpf_link_release+0x5d/0x80 kernel/bpf/syscall.c:3333
>  __fput+0x3ff/0xb50 fs/file_table.c:512
>  task_work_run+0x150/0x240 kernel/task_work.c:233
>  exit_task_work include/linux/task_work.h:40 [inline]

current->mm is already NULL, the exiting task has already passed exit_mm().

Hopefully

	[PATCHv4 01/13] uprobes/x86: Use proper mm_struct in __in_uprobe_trampoline
	https://lore.kernel.org/all/20260526205840.173790-2-jolsa@kernel.org/

should help...

Oleg.


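The point in Oleg's reply is that set_orig_insn() is reached from exit_task_work(), after exit_mm() has already cleared current->mm, so any helper under it that resolves the mm through current dereferences NULL. The following is an added user-space model of that failure and of the "use the mm you were handed" shape of fix; it is not kernel code, not the quoted patch, and its struct names (mm_struct, vm_area_struct, task_struct, vma_lookup) are stand-ins modelled on the kernel's, not the real definitions. That the patch takes the mm from the vma being patched is an assumption drawn from its subject line.

```c
/* Added example, not kernel code: user-space model of resolving an address
 * through current->mm (breaks once exit_mm() has run) versus through the
 * mm the caller already holds (vma->vm_mm). All names are stand-ins. */
#include <stddef.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

struct vm_area_struct;

struct mm_struct {
    struct vm_area_struct *vmas;  /* model: flat array instead of the maple tree */
    size_t nr_vmas;
};

struct vm_area_struct {
    uintptr_t vm_start, vm_end;
    struct mm_struct *vm_mm;
    bool is_trampoline;  /* stand-in for "vma is the uprobe trampoline mapping" */
};

struct task_struct {
    struct mm_struct *mm;  /* NULL once exit_mm() has run */
};

/* Model of vma_lookup(mm, addr): mm must be non-NULL, as in the kernel. */
static struct vm_area_struct *vma_lookup(struct mm_struct *mm, uintptr_t addr)
{
    for (size_t i = 0; i < mm->nr_vmas; i++) {
        struct vm_area_struct *v = &mm->vmas[i];
        if (addr >= v->vm_start && addr < v->vm_end)
            return v;
    }
    return NULL;
}

/* NULL_MM stands for "would have dereferenced a NULL mm" so the model can
 * report the hazard instead of crashing like the real kernel did. */
enum lookup_result { NOT_TRAMPOLINE = 0, IS_TRAMPOLINE = 1, NULL_MM = -1 };

/* Buggy shape: the mm is taken from the task doing the work. Fine from a
 * syscall, wrong from task_work run after exit_mm(). */
static enum lookup_result in_trampoline_via_current(struct task_struct *task,
                                                    uintptr_t addr)
{
    if (!task->mm)
        return NULL_MM;  /* real kernel: GPF on the NULL mm's maple tree */
    struct vm_area_struct *v = vma_lookup(task->mm, addr);
    return (v && v->is_trampoline) ? IS_TRAMPOLINE : NOT_TRAMPOLINE;
}

/* Assumed fixed shape: set_orig_insn() already holds the vma it patches, so
 * the lookup uses that vma's mm and never consults current at all. */
static enum lookup_result in_trampoline_via_vma(struct vm_area_struct *vma,
                                                uintptr_t addr)
{
    struct vm_area_struct *v = vma_lookup(vma->vm_mm, addr);
    return (v && v->is_trampoline) ? IS_TRAMPOLINE : NOT_TRAMPOLINE;
}

/* Constructed scenario: one process with a text mapping and a trampoline page. */
static struct vm_area_struct demo_vmas[2] = {
    { 0x400000, 0x401000, NULL, false },  /* text of the probed binary */
    { 0x7f0000, 0x7f1000, NULL, true  },  /* trampoline page */
};
static struct mm_struct demo_mm = { demo_vmas, 2 };

static void demo_setup(void)
{
    demo_vmas[0].vm_mm = &demo_mm;
    demo_vmas[1].vm_mm = &demo_mm;
}

/* res[0]: current-based path, res[1]: vma-based path. `exiting` selects
 * whether exit_mm() has already run for the task doing the unregister. */
static void run_scenario(uintptr_t addr, bool exiting, int res[2])
{
    demo_setup();
    struct task_struct task = { .mm = exiting ? NULL : &demo_mm };
    res[0] = in_trampoline_via_current(&task, addr);
    res[1] = in_trampoline_via_vma(&demo_vmas[0], addr);
}

int main(void)
{
    int r[2];
    run_scenario(0x7f0800, false, r);
    printf("live task:    current=%d vma=%d\n", r[0], r[1]);
    run_scenario(0x7f0800, true, r);
    printf("exiting task: current=%d vma=%d\n", r[0], r[1]);
    return 0;
}
```

In the live case both paths agree; in the exiting case only the vma-based path still answers, which is why the crash surfaces through __fput -> bpf_link_release on the exit path rather than through an explicit close() from a running task.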
Thread overview: 2+ messages
2026-06-22  6:59 [syzbot] [trace?] general protection fault in mtree_load syzbot
2026-06-22 13:04 ` Oleg Nesterov [this message]