[syzbot] [bpf?] WARNING in trace_suspend_resume

[syzbot] [bpf?] WARNING in trace_suspend_resume

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    260f6f4fda93 Merge tag 'drm-next-2025-07-30' of https://gi..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=102f69bc580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=af26dbd5a30735
dashboard link: https://syzkaller.appspot.com/bug?extid=99d4fec338b62b703891
compiler:       arm-linux-gnueabi-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/98a89b9f34e4/non_bootable_disk-260f6f4f.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/091b40479433/vmlinux-260f6f4f.xz
kernel image: https://storage.googleapis.com/syzbot-assets/54ef37cd1da7/zImage-260f6f4f.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+99d4fec338b62b703891@syzkaller.appspotmail.com

------------[ cut here ]------------
WARNING: CPU: 0 PID: 4102 at mm/highmem.c:622 kunmap_local_indexed+0x20c/0x224 mm/highmem.c:622
Modules linked in:
Kernel panic - not syncing: kernel: panic_on_warn set ...
CPU: 0 UID: 0 PID: 4102 Comm: syz.0.84 Not tainted 6.16.0-syzkaller #0 PREEMPT 
Hardware name: ARM-Versatile Express
Call trace: 
[<80201a24>] (dump_backtrace) from [<80201b20>] (show_stack+0x18/0x1c arch/arm/kernel/traps.c:257)
 r7:00000000 r6:8281f77c r5:00000000 r4:8224af5c
[<80201b08>] (show_stack) from [<8021faf0>] (__dump_stack lib/dump_stack.c:94 [inline])
[<80201b08>] (show_stack) from [<8021faf0>] (dump_stack_lvl+0x54/0x7c lib/dump_stack.c:120)
[<8021fa9c>] (dump_stack_lvl) from [<8021fb30>] (dump_stack+0x18/0x1c lib/dump_stack.c:129)
 r5:00000000 r4:82a6bd18
[<8021fb18>] (dump_stack) from [<80202624>] (vpanic+0x10c/0x360 kernel/panic.c:440)
[<80202518>] (vpanic) from [<802028ac>] (trace_suspend_resume+0x0/0xd8 kernel/panic.c:574)
 r7:804bdb5c
[<80202878>] (panic) from [<802548dc>] (check_panic_on_warn kernel/panic.c:333 [inline])
[<80202878>] (panic) from [<802548dc>] (get_taint+0x0/0x1c kernel/panic.c:328)
 r3:8280c684 r2:00000001 r1:82231a24 r0:822393ec
[<80254868>] (check_panic_on_warn) from [<80254a40>] (__warn+0x80/0x188 kernel/panic.c:845)
[<802549c0>] (__warn) from [<80254cc0>] (warn_slowpath_fmt+0x178/0x1f4 kernel/panic.c:872)
 r8:00000009 r7:82265508 r6:df9f9d1c r5:83a93000 r4:00000000
[<80254b4c>] (warn_slowpath_fmt) from [<804bdb5c>] (kunmap_local_indexed+0x20c/0x224 mm/highmem.c:622)
 r10:00000000 r9:deb56a18 r8:debb2f48 r7:00a00000 r6:00000003 r5:83a93000
 r4:ffefd000
[<804bd950>] (kunmap_local_indexed) from [<80538be4>] (__kunmap_local include/linux/highmem-internal.h:102 [inline])
[<804bd950>] (kunmap_local_indexed) from [<80538be4>] (move_pages_pte mm/userfaultfd.c:1457 [inline])
[<804bd950>] (kunmap_local_indexed) from [<80538be4>] (move_pages+0xb24/0x19c8 mm/userfaultfd.c:1868)
 r7:00a00000 r6:00000000 r5:846e9ec4 r4:84add6c0
[<805380c0>] (move_pages) from [<805c02ec>] (userfaultfd_move fs/userfaultfd.c:1914 [inline])
[<805380c0>] (move_pages) from [<805c02ec>] (userfaultfd_ioctl+0xff8/0x21c4 fs/userfaultfd.c:2037)
 r10:84add6c0 r9:df9f9e98 r8:21000000 r7:00000001 r6:00000000 r5:20000040
 r4:85955000
[<805bf2f4>] (userfaultfd_ioctl) from [<80568ccc>] (vfs_ioctl fs/ioctl.c:51 [inline])
[<805bf2f4>] (userfaultfd_ioctl) from [<80568ccc>] (do_vfs_ioctl fs/ioctl.c:552 [inline])
[<805bf2f4>] (userfaultfd_ioctl) from [<80568ccc>] (__do_sys_ioctl fs/ioctl.c:596 [inline])
[<805bf2f4>] (userfaultfd_ioctl) from [<80568ccc>] (sys_ioctl+0x130/0xba0 fs/ioctl.c:584)
 r10:83a93000 r9:00000003 r8:85935840 r7:20000040 r6:85935841 r5:00000000
 r4:c028aa05
[<80568b9c>] (sys_ioctl) from [<80200060>] (ret_fast_syscall+0x0/0x1c arch/arm/mm/proc-v7.S:67)
Exception stack(0xdf9f9fa8 to 0xdf9f9ff0)
9fa0:                   00000000 00000000 00000003 c028aa05 20000040 00000000
9fc0: 00000000 00000000 002f6300 00000036 002e0000 00000000 00006364 76b450bc
9fe0: 76b44ec0 76b44eb0 000193a4 00131fc0
 r10:00000036 r9:83a93000 r8:8020029c r7:00000036 r6:002f6300 r5:00000000
 r4:00000000
Rebooting in 86400 seconds..


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Re: [syzbot] [mm?] WARNING in trace_suspend_resume

[syzbot]

syzbot has found a reproducer for the following issue on:

HEAD commit:    f2d282e1dfb3 Merge tag 'bitmap-for-6.17' of https://github..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11709cf0580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=c686e0c98d241433
dashboard link: https://syzkaller.appspot.com/bug?extid=99d4fec338b62b703891
compiler:       arm-linux-gnueabi-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15e0e2a2580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=12a439bc580000

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/98a89b9f34e4/non_bootable_disk-f2d282e1.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/25cab46afcee/vmlinux-f2d282e1.xz
kernel image: https://storage.googleapis.com/syzbot-assets/77cd04442f1b/zImage-f2d282e1.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+99d4fec338b62b703891@syzkaller.appspotmail.com

------------[ cut here ]------------
WARNING: CPU: 0 PID: 4155 at mm/highmem.c:622 kunmap_local_indexed+0x20c/0x224 mm/highmem.c:622
Modules linked in:
Kernel panic - not syncing: kernel: panic_on_warn set ...
CPU: 0 UID: 0 PID: 4155 Comm: syz.1.17 Not tainted 6.16.0-syzkaller #0 PREEMPT 
Hardware name: ARM-Versatile Express
Call trace: 
[<80201a24>] (dump_backtrace) from [<80201b20>] (show_stack+0x18/0x1c arch/arm/kernel/traps.c:257)
 r7:00000000 r6:8281f77c r5:00000000 r4:8224bc00
[<80201b08>] (show_stack) from [<8021fb00>] (__dump_stack lib/dump_stack.c:94 [inline])
[<80201b08>] (show_stack) from [<8021fb00>] (dump_stack_lvl+0x54/0x7c lib/dump_stack.c:120)
[<8021faac>] (dump_stack_lvl) from [<8021fb40>] (dump_stack+0x18/0x1c lib/dump_stack.c:129)
 r5:00000000 r4:82a76d18
[<8021fb28>] (dump_stack) from [<80202624>] (vpanic+0x10c/0x360 kernel/panic.c:440)
[<80202518>] (vpanic) from [<802028ac>] (trace_suspend_resume+0x0/0xd8 kernel/panic.c:574)
 r7:804be014
[<80202878>] (panic) from [<802548c4>] (check_panic_on_warn kernel/panic.c:333 [inline])
[<80202878>] (panic) from [<802548c4>] (get_taint+0x0/0x1c kernel/panic.c:328)
 r3:8280c684 r2:00000001 r1:822326d8 r0:8223a0a0
[<80254850>] (check_panic_on_warn) from [<80254a28>] (__warn+0x80/0x188 kernel/panic.c:845)
[<802549a8>] (__warn) from [<80254ca8>] (warn_slowpath_fmt+0x178/0x1f4 kernel/panic.c:872)
 r8:00000009 r7:82266338 r6:df985d14 r5:840d5400 r4:00000000
[<80254b34>] (warn_slowpath_fmt) from [<804be014>] (kunmap_local_indexed+0x20c/0x224 mm/highmem.c:622)
 r10:00000000 r9:ded86c30 r8:deb6caa4 r7:00a00000 r6:00000003 r5:840d5400
 r4:ffefd000
[<804bde08>] (kunmap_local_indexed) from [<8053ace8>] (__kunmap_local include/linux/highmem-internal.h:102 [inline])
[<804bde08>] (kunmap_local_indexed) from [<8053ace8>] (move_pages_pte mm/userfaultfd.c:1457 [inline])
[<804bde08>] (kunmap_local_indexed) from [<8053ace8>] (move_pages+0xb1c/0x1a00 mm/userfaultfd.c:1860)
 r7:00a00000 r6:00000000 r5:8490d6ac r4:ffefb000
[<8053a1cc>] (move_pages) from [<805c401c>] (userfaultfd_move fs/userfaultfd.c:1923 [inline])
[<8053a1cc>] (move_pages) from [<805c401c>] (userfaultfd_ioctl+0x1254/0x2408 fs/userfaultfd.c:2046)
 r10:8425d6c0 r9:df985e98 r8:00000001 r7:21000000 r6:00000000 r5:20000040
 r4:8486d000
[<805c2dc8>] (userfaultfd_ioctl) from [<8056c4d4>] (vfs_ioctl fs/ioctl.c:51 [inline])
[<805c2dc8>] (userfaultfd_ioctl) from [<8056c4d4>] (do_vfs_ioctl fs/ioctl.c:552 [inline])
[<805c2dc8>] (userfaultfd_ioctl) from [<8056c4d4>] (__do_sys_ioctl fs/ioctl.c:596 [inline])
[<805c2dc8>] (userfaultfd_ioctl) from [<8056c4d4>] (sys_ioctl+0x130/0xba0 fs/ioctl.c:584)
 r10:840d5400 r9:00000003 r8:8572d780 r7:20000040 r6:8572d780 r5:00000000
 r4:c028aa05
[<8056c3a4>] (sys_ioctl) from [<80200060>] (ret_fast_syscall+0x0/0x1c arch/arm/mm/proc-v7.S:67)
Exception stack(0xdf985fa8 to 0xdf985ff0)
5fa0:                   00000000 00000000 00000003 c028aa05 20000040 00000000
5fc0: 00000000 00000000 002f6300 00000036 00000000 002f62d4 00000938 00000000
5fe0: 7eb28780 7eb28770 000193dc 001321f0
 r10:00000036 r9:840d5400 r8:8020029c r7:00000036 r6:002f6300 r5:00000000
 r4:00000000
Rebooting in 86400 seconds..


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

Re: [syzbot] [mm?] WARNING in trace_suspend_resume

[David Hildenbrand]

On 01.08.25 12:08, syzbot wrote:
> syzbot has found a reproducer for the following issue on:
> 
> HEAD commit:    f2d282e1dfb3 Merge tag 'bitmap-for-6.17' of https://github..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=11709cf0580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=c686e0c98d241433
> dashboard link: https://syzkaller.appspot.com/bug?extid=99d4fec338b62b703891
> compiler:       arm-linux-gnueabi-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> userspace arch: arm
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15e0e2a2580000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=12a439bc580000
> 
> Downloadable assets:
> disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/98a89b9f34e4/non_bootable_disk-f2d282e1.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/25cab46afcee/vmlinux-f2d282e1.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/77cd04442f1b/zImage-f2d282e1.xz
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+99d4fec338b62b703891@syzkaller.appspotmail.com
> 
> ------------[ cut here ]------------
> WARNING: CPU: 0 PID: 4155 at mm/highmem.c:622 kunmap_local_indexed+0x20c/0x224 mm/highmem.c:622
> Modules linked in:
> Kernel panic - not syncing: kernel: panic_on_warn set ...
> CPU: 0 UID: 0 PID: 4155 Comm: syz.1.17 Not tainted 6.16.0-syzkaller #0 PREEMPT
> Hardware name: ARM-Versatile Express
> Call trace:
> [<80201a24>] (dump_backtrace) from [<80201b20>] (show_stack+0x18/0x1c arch/arm/kernel/traps.c:257)
>   r7:00000000 r6:8281f77c r5:00000000 r4:8224bc00
> [<80201b08>] (show_stack) from [<8021fb00>] (__dump_stack lib/dump_stack.c:94 [inline])
> [<80201b08>] (show_stack) from [<8021fb00>] (dump_stack_lvl+0x54/0x7c lib/dump_stack.c:120)
> [<8021faac>] (dump_stack_lvl) from [<8021fb40>] (dump_stack+0x18/0x1c lib/dump_stack.c:129)
>   r5:00000000 r4:82a76d18
> [<8021fb28>] (dump_stack) from [<80202624>] (vpanic+0x10c/0x360 kernel/panic.c:440)
> [<80202518>] (vpanic) from [<802028ac>] (trace_suspend_resume+0x0/0xd8 kernel/panic.c:574)
>   r7:804be014
> [<80202878>] (panic) from [<802548c4>] (check_panic_on_warn kernel/panic.c:333 [inline])
> [<80202878>] (panic) from [<802548c4>] (get_taint+0x0/0x1c kernel/panic.c:328)
>   r3:8280c684 r2:00000001 r1:822326d8 r0:8223a0a0
> [<80254850>] (check_panic_on_warn) from [<80254a28>] (__warn+0x80/0x188 kernel/panic.c:845)
> [<802549a8>] (__warn) from [<80254ca8>] (warn_slowpath_fmt+0x178/0x1f4 kernel/panic.c:872)
>   r8:00000009 r7:82266338 r6:df985d14 r5:840d5400 r4:00000000
> [<80254b34>] (warn_slowpath_fmt) from [<804be014>] (kunmap_local_indexed+0x20c/0x224 mm/highmem.c:622)
>   r10:00000000 r9:ded86c30 r8:deb6caa4 r7:00a00000 r6:00000003 r5:840d5400
>   r4:ffefd000
> [<804bde08>] (kunmap_local_indexed) from [<8053ace8>] (__kunmap_local include/linux/highmem-internal.h:102 [inline])
> [<804bde08>] (kunmap_local_indexed) from [<8053ace8>] (move_pages_pte mm/userfaultfd.c:1457 [inline])
> [<804bde08>] (kunmap_local_indexed) from [<8053ace8>] (move_pages+0xb1c/0x1a00 mm/userfaultfd.c:1860)
>   r7:00a00000 r6:00000000 r5:8490d6ac r4:ffefb000
> [<8053a1cc>] (move_pages) from [<805c401c>] (userfaultfd_move fs/userfaultfd.c:1923 [inline])
> [<8053a1cc>] (move_pages) from [<805c401c>] (userfaultfd_ioctl+0x1254/0x2408 fs/userfaultfd.c:2046)
>   r10:8425d6c0 r9:df985e98 r8:00000001 r7:21000000 r6:00000000 r5:20000040
>   r4:8486d000
> [<805c2dc8>] (userfaultfd_ioctl) from [<8056c4d4>] (vfs_ioctl fs/ioctl.c:51 [inline])
> [<805c2dc8>] (userfaultfd_ioctl) from [<8056c4d4>] (do_vfs_ioctl fs/ioctl.c:552 [inline])
> [<805c2dc8>] (userfaultfd_ioctl) from [<8056c4d4>] (__do_sys_ioctl fs/ioctl.c:596 [inline])
> [<805c2dc8>] (userfaultfd_ioctl) from [<8056c4d4>] (sys_ioctl+0x130/0xba0 fs/ioctl.c:584)
>   r10:840d5400 r9:00000003 r8:8572d780 r7:20000040 r6:8572d780 r5:00000000
>   r4:c028aa05
> [<8056c3a4>] (sys_ioctl) from [<80200060>] (ret_fast_syscall+0x0/0x1c arch/arm/mm/proc-v7.S:67)
> Exception stack(0xdf985fa8 to 0xdf985ff0)
> 5fa0:                   00000000 00000000 00000003 c028aa05 20000040 00000000
> 5fc0: 00000000 00000000 002f6300 00000036 00000000 002f62d4 00000938 00000000
> 5fe0: 7eb28780 7eb28770 000193dc 001321f0
>   r10:00000036 r9:840d5400 r8:8020029c r7:00000036 r6:002f6300 r5:00000000
>   r4:00000000
> Rebooting in 86400 seconds..

Probably fixed by

	https://lore.kernel.org/r/20250731144431.773923-1-sashal@kernel.org/

#syz test

--- a/mm/userfaultfd.c
+++ b/mm/userfaultfd.c
@@ -1453,10 +1453,15 @@ static int move_pages_pte(struct mm_struct *mm, pmd_t *dst_pmd, pmd_t *src_pmd,
  		folio_unlock(src_folio);
  		folio_put(src_folio);
  	}
-	if (dst_pte)
-		pte_unmap(dst_pte);
+	/*
+	 * Unmap in reverse order (LIFO) to maintain proper kmap_local
+	 * index ordering when CONFIG_HIGHPTE is enabled. We mapped dst_pte
+	 * first, then src_pte, so we must unmap src_pte first, then dst_pte.
+	 */
  	if (src_pte)
  		pte_unmap(src_pte);
+	if (dst_pte)
+		pte_unmap(dst_pte);
  	mmu_notifier_invalidate_range_end(&range);
  	if (si)
  		put_swap_device(si);
-- 
2.39.5



-- 
Cheers,

David / dhildenb

Re: [syzbot] [mm?] WARNING in trace_suspend_resume

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+99d4fec338b62b703891@syzkaller.appspotmail.com
Tested-by: syzbot+99d4fec338b62b703891@syzkaller.appspotmail.com

Tested on:

commit:         89748acd Merge tag 'drm-next-2025-08-01' of https://gi..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=114c39bc580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=e4e0e50eb954bc80
dashboard link: https://syzkaller.appspot.com/bug?extid=99d4fec338b62b703891
compiler:       arm-linux-gnueabi-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm
patch:          https://syzkaller.appspot.com/x/patch.diff?x=135daf82580000

Note: testing is done by a robot and is best-effort only.