From: Lance Yang <lance.yang@linux.dev>
To: syzbot <syzbot+8961cb270ae74b4129fb@syzkaller.appspotmail.com>,
david@kernel.org, ljs@kernel.org, willy@infradead.org
Cc: baolin.wang@linux.alibaba.com, npache@redhat.com,
linux-mm@kvack.org, baohua@kernel.org, ryan.roberts@arm.com,
syzkaller-bugs@googlegroups.com, dev.jain@arm.com,
ziy@nvidia.com, linux-kernel@vger.kernel.org,
Liam.Howlett@oracle.com, akpm@linux-foundation.org
Subject: Re: [syzbot] [mm?] kernel BUG in collapse_scan_file
Date: Thu, 19 Mar 2026 16:05:38 +0800
Message-ID: <e92ca212-9ada-4cd0-8d54-2f433d6d47a1@linux.dev>
In-Reply-To: <69bba3c0.050a0220.227207.002b.GAE@google.com>
Ccing Willy
IIUC, this is a dup of the earlier report[1], which I looked into back
in January. The root cause is the same: collapse_file() calls
xas_lock_irq() without resetting the xas state first, tripping the
XAS_INVALID() assertion:
#define xas_lock_irq(xas) xa_lock_irq(XAS_INVALID(xas)->xa)

static inline struct xa_state *XAS_INVALID(struct xa_state *xas)
{
	XA_NODE_BUG_ON(xas->xa_node, xas_valid(xas));
	return xas;
}
Added by commit:
commit 43b00759f21b10142094d1ae5ff65cbb368953a3
Author: Matthew Wilcox (Oracle) <willy@infradead.org>
Date:   Sun Dec 14 10:53:31 2025 -0500

    XArray: Add extra debugging check to xas_lock and friends

    While tracking down a recent bug, we discovered somewhere that had
    forgotten to call xas_reset() before calling xas_lock(). Add a debug
    check to be sure that doesn't happen in future and fix all the
    places in the test suite which were carelessly doing just this.

    Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
I posted a HACK fix at the time[2], but David pointed out that Willy
had mentioned it likely needs more thought[3].
[1] https://lore.kernel.org/all/69757ea0.a00a0220.33ccc7.0017.GAE@google.com/
[2] https://lore.kernel.org/all/20260125121001.32733-1-lance.yang@linux.dev/
[3] https://lore.kernel.org/all/7bce9231-714c-424a-a4e3-dd42734fb767@kernel.org/
Thanks,
Lance
On 2026/3/19 15:20, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 95c541ddfb08 Add linux-next specific files for 20260316
> git tree: linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=15ccc216580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=ed431987028345c6
> dashboard link: https://syzkaller.appspot.com/bug?extid=8961cb270ae74b4129fb
> compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12f778da580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12cc006a580000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/c40f27ad73d8/disk-95c541dd.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/bd811888f684/vmlinux-95c541dd.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/3b72363d7dbd/bzImage-95c541dd.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+8961cb270ae74b4129fb@syzkaller.appspotmail.com
>
> node ffff88805d558b00 offset 0 parent ffff88805d558840 shift 0 count 3 values 0 array ffff88807a8195c0 list ffff88805d558b18 ffff88805d558b18 marks 0 0 0
> ------------[ cut here ]------------
> kernel BUG at ./include/linux/xarray.h:1441!
> Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
> CPU: 0 UID: 0 PID: 6001 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
> RIP: 0010:XAS_INVALID include/linux/xarray.h:1441 [inline]
> RIP: 0010:collapse_file mm/khugepaged.c:2055 [inline]
> RIP: 0010:collapse_scan_file+0x4f98/0x5230 mm/khugepaged.c:2404
> Code: ff 4c 89 e7 48 c7 c6 60 b2 dc 8b e8 82 62 f1 fe 90 0f 0b 48 85 db 0f 84 03 01 00 00 e8 71 e5 8f ff 48 89 df e8 a9 20 7b 09 90 <0f> 0b e8 61 e5 8f ff 48 89 df 48 c7 c6 60 b2 dc 8b e8 52 62 f1 fe
> RSP: 0018:ffffc90003826e20 EFLAGS: 00010246
> RAX: 0000000000000000 RBX: ffff88805d558b00 RCX: a13f20bd39c5a100
> RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
> RBP: ffffc90003827130 R08: ffffc90003826ba7 R09: 1ffff92000704d74
> R10: dffffc0000000000 R11: fffff52000704d75 R12: ffffea0001b678f0
> R13: dffffc0000000000 R14: 0000000000000000 R15: ffffc90003827010
> FS: 000055557e3c2500(0000) GS:ffff888125437000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 000020000000b000 CR3: 000000007ac66000 CR4: 00000000003526f0
> Call Trace:
> <TASK>
> collapse_single_pmd+0x22b/0x4510 mm/khugepaged.c:2437
> madvise_collapse+0x34c/0x820 mm/khugepaged.c:2859
> madvise_vma_behavior+0x1094/0x4460 mm/madvise.c:1362
> madvise_walk_vmas+0x573/0xae0 mm/madvise.c:1711
> madvise_do_behavior+0x386/0x540 mm/madvise.c:1927
> do_madvise+0x1fa/0x2e0 mm/madvise.c:2020
> __do_sys_madvise mm/madvise.c:2029 [inline]
> __se_sys_madvise mm/madvise.c:2027 [inline]
> __x64_sys_madvise+0xa6/0xc0 mm/madvise.c:2027
> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
> do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
> RIP: 0033:0x7f90d419c799
> Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007ffd50711398 EFLAGS: 00000246 ORIG_RAX: 000000000000001c
> RAX: ffffffffffffffda RBX: 00007f90d4415fa0 RCX: 00007f90d419c799
> RDX: 0000000000000019 RSI: 0000000000600003 RDI: 0000200000000000
> RBP: 00007f90d4232c99 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
> R13: 00007f90d4415fac R14: 00007f90d4415fa0 R15: 00007f90d4415fa0
> </TASK>
> Modules linked in:
> ---[ end trace 0000000000000000 ]---
> RIP: 0010:XAS_INVALID include/linux/xarray.h:1441 [inline]
> RIP: 0010:collapse_file mm/khugepaged.c:2055 [inline]
> RIP: 0010:collapse_scan_file+0x4f98/0x5230 mm/khugepaged.c:2404
> Code: ff 4c 89 e7 48 c7 c6 60 b2 dc 8b e8 82 62 f1 fe 90 0f 0b 48 85 db 0f 84 03 01 00 00 e8 71 e5 8f ff 48 89 df e8 a9 20 7b 09 90 <0f> 0b e8 61 e5 8f ff 48 89 df 48 c7 c6 60 b2 dc 8b e8 52 62 f1 fe
> RSP: 0018:ffffc90003826e20 EFLAGS: 00010246
> RAX: 0000000000000000 RBX: ffff88805d558b00 RCX: a13f20bd39c5a100
> RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
> RBP: ffffc90003827130 R08: ffffc90003826ba7 R09: 1ffff92000704d74
> R10: dffffc0000000000 R11: fffff52000704d75 R12: ffffea0001b678f0
> R13: dffffc0000000000 R14: 0000000000000000 R15: ffffc90003827010
> FS: 000055557e3c2500(0000) GS:ffff888125537000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007f8156602000 CR3: 000000007ac66000 CR4: 00000000003526f0
>
>
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
>
> If the report is already addressed, let syzbot know by replying with:
> #syz fix: exact-commit-title
>
> If you want syzbot to run the reproducer, reply with:
> #syz test: git://repo/address.git branch-or-commit-hash
> If you attach or paste a git patch, syzbot will apply it before testing.
>
> If you want to overwrite report's subsystems, reply with:
> #syz set subsystems: new-subsystem
> (See the list of subsystem names on the web dashboard)
>
> If the report is a duplicate of another one, reply with:
> #syz dup: exact-subject-of-another-report
>
> If you want to undo deduplication, reply with:
> #syz undup
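The invariant Lance's reply describes (an xa_state that still caches a node from an earlier walk must be cleared with xas_reset() before the lock is retaken), as an added user-space model that is not code from this thread or from the kernel. The XAS_RESTART/XAS_BOUNDS sentinels, xas_invalid(), xas_valid() and xas_reset() mirror the definitions in include/linux/xarray.h; the model_* helpers, the lock flag, the single-node "xarray" and the concurrent replacement are constructed stand-ins for the kernel's spinlock and xarray walk. Where the kernel's XA_NODE_BUG_ON() would dump the node and BUG(), model_xas_lock() returns false so the two sequences can be compared side by side.

```c
/* Added example: user-space model of the xa_state invariant checked by
 * XAS_INVALID(). Only the sentinel/xas_* helpers follow the kernel header;
 * everything prefixed model_ is a constructed stand-in for the kernel. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

struct xa_node { void *slots[4]; };

/* Sentinel node pointers: low bits set means "no live node is cached". */
#define XAS_BOUNDS   ((struct xa_node *)1UL)
#define XAS_RESTART  ((struct xa_node *)3UL)

struct xa_state {
	unsigned long   xa_index;
	struct xa_node *xa_node;   /* node cached by the last walk */
};

static bool xas_invalid(const struct xa_state *xas)
{
	return ((unsigned long)xas->xa_node & 3) != 0;
}

static bool xas_valid(const struct xa_state *xas)
{
	return !xas_invalid(xas);
}

static void xas_reset(struct xa_state *xas)
{
	xas->xa_node = XAS_RESTART;
}

/* Constructed stand-in for the xarray: one root node plus a lock flag. */
struct model_xarray {
	struct xa_node *root;
	bool            locked;
};

/* Stand-in for xas_load(): walks to the node and caches it in the state. */
static void *model_xas_load(struct model_xarray *xa, struct xa_state *xas)
{
	xas->xa_node = xa->root;
	return xa->root ? xa->root->slots[xas->xa_index & 3] : NULL;
}

/* The XAS_INVALID() debug check: a state that still caches a node must not
 * take the lock. The kernel BUG()s here; the model returns false instead. */
static bool model_xas_lock(struct model_xarray *xa, struct xa_state *xas)
{
	if (xas_valid(xas))
		return false;
	xa->locked = true;
	return true;
}

static void model_xas_unlock(struct model_xarray *xa)
{
	xa->locked = false;
}

/* Simulates a writer replacing the node while the lock is dropped; the
 * pointer cached in any xa_state that walked the old node is now stale. */
static void model_concurrent_replace(struct model_xarray *xa)
{
	struct xa_node *old = xa->root;
	xa->root = calloc(1, sizeof(*xa->root));
	xa->root->slots[0] = "new";
	free(old);
}

/* Runs lock, load, unlock, [xas_reset], lock. Returns true only if the
 * re-lock passes the check and the next walk sees the current root. */
static bool run_sequence(bool reset_before_relock)
{
	struct model_xarray xa = { .root = calloc(1, sizeof(struct xa_node)) };
	struct xa_state xas = { .xa_index = 0, .xa_node = XAS_RESTART };
	bool ok;

	xa.root->slots[0] = "old";
	(void)model_xas_lock(&xa, &xas);   /* fresh state: check passes */
	model_xas_load(&xa, &xas);         /* xas now caches xa.root */
	model_xas_unlock(&xa);
	model_concurrent_replace(&xa);     /* cached node is now dangling */

	if (reset_before_relock)
		xas_reset(&xas);               /* forget the stale node */
	ok = model_xas_lock(&xa, &xas);
	if (ok)                            /* walk restarts from the new root */
		ok = model_xas_load(&xa, &xas) == xa.root->slots[0];
	free(xa.root);
	return ok;
}

int main(void)
{
	printf("relock without xas_reset(): %s\n",
	       run_sequence(false) ? "passes" : "trips XAS_INVALID check");
	printf("relock after xas_reset():   %s\n",
	       run_sequence(true) ? "passes" : "trips XAS_INVALID check");
	return 0;
}
```

The point of the check is that the cached xa_node is only guaranteed live while the lock is held; once the lock is dropped, a concurrent modification can free it, so the next walk must restart from the root. Enforcing xas_reset() at the lock site turns a latent use-after-free on a later xas_*() call into a deterministic assertion, which is why the syzbot report lands in XAS_INVALID() rather than in KASAN.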
Thread overview: 17+ messages
2026-03-19 7:20 [syzbot] [mm?] kernel BUG in collapse_scan_file syzbot
2026-03-19 7:22 ` David Hildenbrand (Arm)
2026-03-19 8:05 ` Lance Yang [this message]
2026-03-19 8:53 ` Lorenzo Stoakes (Oracle)
2026-03-19 9:00 ` David Hildenbrand (Arm)
2026-03-19 9:14 ` Lance Yang
2026-03-19 9:21 ` David Hildenbrand (Arm)
2026-03-19 10:27 ` Lorenzo Stoakes (Oracle)
2026-03-19 10:59 ` David Hildenbrand (Arm)
2026-03-19 11:07 ` Lorenzo Stoakes (Oracle)
2026-03-19 11:10 ` David Hildenbrand (Arm)
2026-03-19 11:12 ` Lorenzo Stoakes (Oracle)
2026-03-19 10:56 ` Vlastimil Babka
2026-03-19 11:04 ` Lorenzo Stoakes (Oracle)
2026-03-19 12:17 ` Mark Brown
2026-03-20 12:39 ` Mark Brown
2026-03-20 13:17 ` Lorenzo Stoakes (Oracle)