From: Hillf Danton
To: "David Hildenbrand (Red Hat)"
Cc: syzbot , harry.yoo@oracle.com, jannh@google.com, linux-kernel@vger.kernel.org, linux-mm@kvack.org, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [mm?] WARNING in folio_remove_rmap_ptes
Date: Wed, 24 Dec 2025 10:48:27 +0800
Message-ID: <20251224024828.1792-1-hdanton@sina.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, 23 Dec 2025 09:24:05 +0100 "David Hildenbrand (Red Hat)" wrote:
> On 12/23/25 06:23, syzbot wrote:
> > Hello,
> >
> > syzbot found the following issue on:
> >
> > HEAD commit: 9094662f6707 Merge tag 'ata-6.19-rc2' of git://git.kernel...
> > git tree: upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=1411f77c580000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=a11e0f726bfb6765
> > dashboard link: https://syzkaller.appspot.com/bug?extid=b165fc2e11771c66d8ba
> > compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11998b1a580000
> > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=128cdb1a580000
> >
> > Downloadable assets:
> > disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-9094662f.raw.xz
> > vmlinux: https://storage.googleapis.com/syzbot-assets/5bec9d32a91c/vmlinux-9094662f.xz
> > kernel image: https://storage.googleapis.com/syzbot-assets/3df82e1a3cec/bzImage-9094662f.xz
> >
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+b165fc2e11771c66d8ba@syzkaller.appspotmail.com
> >
> > handle_mm_fault+0x3fe/0xad0 mm/memory.c:6580
> > do_user_addr_fault+0x60c/0x1370 arch/x86/mm/fault.c:1336
> > handle_page_fault arch/x86/mm/fault.c:1476 [inline]
> > exc_page_fault+0x64/0xc0 arch/x86/mm/fault.c:1532
> > asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:618
> > ------------[ cut here ]------------
> > WARNING: ./include/linux/rmap.h:462 at __folio_rmap_sanity_checks include/linux/rmap.h:462 [inline], CPU#1: syz.0.18/6090
>
> IIUC, that's the
>
> if (folio_test_anon(folio) && !folio_test_ksm(folio)) {
>         ...
>         VM_WARN_ON_FOLIO(atomic_read(&anon_vma->refcount) == 0, folio);
> }
>
> Seems to indicate that the anon_vma is no longer alive :/
>
> Fortunately we have a reproducer.
>
> CCing Jann who added that check "recently".
>
That check looks incorrect given the atomic_inc_not_zero in folio_get_anon_vma().
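
A userspace C11 model of the two code paths this thread contrasts, added here as an illustration and not taken from the kernel or from any message in the thread: a lookup with inc-not-zero semantics, and a check with the same condition as the quoted VM_WARN_ON_FOLIO(). The `model_*` names and `struct anon_vma_model` are hypothetical, and only the refcount is modelled.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical userspace stand-in for the kernel object (refcount only). */
struct anon_vma_model { atomic_int refcount; };

/* Same contract as the kernel's atomic_inc_not_zero(): take a reference
 * only while the count is non-zero, otherwise leave it untouched. */
static bool model_inc_not_zero(atomic_int *v)
{
    int old = atomic_load(v);
    while (old != 0) {
        /* On failure, old is refreshed with the current value. */
        if (atomic_compare_exchange_weak(v, &old, old + 1))
            return true;
    }
    return false;
}

/* Lookup path: an object whose count already hit zero yields NULL. */
static struct anon_vma_model *model_get(struct anon_vma_model *av)
{
    return model_inc_not_zero(&av->refcount) ? av : NULL;
}

/* Check path: same condition as the quoted VM_WARN_ON_FOLIO(). */
static bool model_check_warns(struct anon_vma_model *av)
{
    return atomic_load(&av->refcount) == 0;
}

/* Walk one object through live -> all references dropped -> stale lookup.
 * Bit 0: get succeeded while live;    bit 1: check warned while live;
 * bit 2: get succeeded at count zero; bit 3: check warned at count zero. */
static unsigned model_scenario(void)
{
    struct anon_vma_model av;
    unsigned r = 0;
    atomic_init(&av.refcount, 1);
    if (model_get(&av)) r |= 1u;            /* 1 -> 2 */
    if (model_check_warns(&av)) r |= 2u;
    atomic_fetch_sub(&av.refcount, 2);      /* drop both references: 2 -> 0 */
    if (model_get(&av)) r |= 4u;            /* refused, count stays 0 */
    if (model_check_warns(&av)) r |= 8u;
    return r;
}

int main(void) { printf("observations: 0x%x\n", model_scenario()); return 0; }
```

In the model, a pointer that is still reachable after the count reaches zero is handled quietly by the lookup path, while the check path reports it.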