* [syzbot] [mm?] WARNING in move_page_tables
@ 2025-08-12 21:56 syzbot
2025-08-13 1:26 ` Hillf Danton
` (4 more replies)
From: syzbot @ 2025-08-12 21:56 UTC (permalink / raw)
To: Liam.Howlett, akpm, jannh, linux-kernel, linux-mm,
lorenzo.stoakes, pfalcato, syzkaller-bugs, vbabka
Hello,
syzbot found the following issue on:
HEAD commit: 53e760d89498 Merge tag 'nfsd-6.17-1' of git://git.kernel.o..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=165fe9a2580000
kernel config: https://syzkaller.appspot.com/x/.config?x=f9319a42cfb3bf57
dashboard link: https://syzkaller.appspot.com/bug?extid=4d9a13f0797c46a29e42
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14172842580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15b04c34580000
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-53e760d8.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/584b4139c7e3/vmlinux-53e760d8.xz
kernel image: https://storage.googleapis.com/syzbot-assets/4d2474607300/bzImage-53e760d8.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+4d9a13f0797c46a29e42@syzkaller.appspotmail.com
R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000002
R13: 00007f00d0db5fa0 R14: 00007f00d0db5fa0 R15: 0000000000000005
</TASK>
------------[ cut here ]------------
WARNING: CPU: 2 PID: 6133 at mm/mremap.c:357 move_normal_pmd mm/mremap.c:357 [inline]
WARNING: CPU: 2 PID: 6133 at mm/mremap.c:357 move_pgt_entry mm/mremap.c:595 [inline]
WARNING: CPU: 2 PID: 6133 at mm/mremap.c:357 move_page_tables+0x3832/0x44a0 mm/mremap.c:852
Modules linked in:
CPU: 2 UID: 0 PID: 6133 Comm: syz.0.19 Not tainted 6.17.0-rc1-syzkaller-00004-g53e760d89498 #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:move_normal_pmd mm/mremap.c:357 [inline]
RIP: 0010:move_pgt_entry mm/mremap.c:595 [inline]
RIP: 0010:move_page_tables+0x3832/0x44a0 mm/mremap.c:852
Code: 02 00 0f 85 b6 03 00 00 48 8b 2b 4c 89 f6 48 89 ef e8 e2 1b af ff 49 39 ee 0f 82 d5 cb ff ff e9 0c cc ff ff e8 1f 21 af ff 90 <0f> 0b 90 48 8b 44 24 40 48 8d 78 40 48 b8 00 00 00 00 00 fc ff df
RSP: 0018:ffffc900037a76d8 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000032930007 RCX: ffffffff820c6645
RDX: ffff88802e56a440 RSI: ffffffff820c7201 RDI: 0000000000000007
RBP: ffff888037728fc0 R08: 0000000000000007 R09: 0000000000000000
R10: 0000000032930007 R11: 0000000000000000 R12: 0000000000000000
R13: ffffc900037a79a8 R14: 0000000000000001 R15: dffffc0000000000
FS: 000055556316a500(0000) GS:ffff8880d68bc000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b30863fff CR3: 0000000050171000 CR4: 0000000000352ef0
Call Trace:
<TASK>
copy_vma_and_data+0x468/0x790 mm/mremap.c:1215
move_vma+0x548/0x1780 mm/mremap.c:1282
mremap_to+0x1b7/0x450 mm/mremap.c:1406
do_mremap+0xfad/0x1f80 mm/mremap.c:1921
__do_sys_mremap+0x119/0x170 mm/mremap.c:1977
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f00d0b8ebe9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe5ea5ee98 EFLAGS: 00000246 ORIG_RAX: 0000000000000019
RAX: ffffffffffffffda RBX: 00007f00d0db5fa0 RCX: 00007f00d0b8ebe9
RDX: 0000000000400000 RSI: 0000000000c00000 RDI: 0000200000000000
RBP: 00007ffe5ea5eef0 R08: 0000200000c00000 R09: 0000000000000000
R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000002
R13: 00007f00d0db5fa0 R14: 00007f00d0db5fa0 R15: 0000000000000005
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
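The user-space register block at the end of the report (the lines after "RIP: 0033:") is the state at the syscall instruction, so it records the arguments of the mremap(2) call that entered the kernel: on x86-64 the syscall number is in ORIG_RAX (0x19 = mremap) and the arguments in RDI, RSI, RDX, R10, R8. Decoded, the call is mremap(0x200000000000, 12 MiB, 4 MiB, MREMAP_MAYMOVE|MREMAP_FIXED, 0x200000c00000): a 12 MiB mapping shrunk to 4 MiB and moved to a fixed destination that starts exactly where the old range ends, with every address and length a multiple of 2 MiB, which is what lets move_page_tables() take the PMD-level path where the WARN fires (move_normal_pmd inlined at mm/mremap.c:357). The same argument set appears in the retest dump further down the thread. The following decoder is an added example and is not part of the syzbot report or of the kernel tree; it embeds the register values copied from the report, and PMD_SIZE = 2 MiB is an assumption about the x86-64 configuration.

```c
/*
 * Added example (not from the syzbot report or the kernel): decode the
 * user-space register dump of a syzbot trace into the mremap(2) call that
 * entered the kernel.  x86-64 syscall ABI: number in ORIG_RAX, arguments in
 * RDI, RSI, RDX, R10, R8, R9.  Register values below are copied from the
 * report; PMD_SIZE = 2 MiB is an assumption (x86-64, 4 KiB base pages).
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NR_MREMAP_X86_64  25UL            /* ORIG_RAX 0x19 in the dump */
#define MREMAP_MAYMOVE    1UL
#define MREMAP_FIXED      2UL
#define MREMAP_DONTUNMAP  4UL
#define PMD_SIZE          (2UL << 20)     /* assumption: 2 MiB on x86-64 */

struct user_regs {
	uint64_t orig_rax, rdi, rsi, rdx, r10, r8, r9;
};

struct mremap_call {
	uint64_t old_addr, old_len, new_len, flags, new_addr;
	bool shrinks;        /* new_len < old_len */
	bool pmd_aligned;    /* every address and length is a PMD_SIZE multiple */
	bool dst_adjacent;   /* new range begins exactly where the old one ends */
	bool dst_overlaps;   /* new range overlaps the old range */
	char flag_str[64];   /* e.g. "MREMAP_MAYMOVE|MREMAP_FIXED" */
};

static bool ranges_overlap(uint64_t a, uint64_t alen, uint64_t b, uint64_t blen)
{
	return a < b + blen && b < a + alen;
}

/* Render the MREMAP_* bits as a '|'-joined string; unknown bits stay as hex. */
static void format_mremap_flags(uint64_t flags, char *buf, size_t len)
{
	static const struct { uint64_t bit; const char *name; } names[] = {
		{ MREMAP_MAYMOVE,   "MREMAP_MAYMOVE" },
		{ MREMAP_FIXED,     "MREMAP_FIXED" },
		{ MREMAP_DONTUNMAP, "MREMAP_DONTUNMAP" },
	};
	size_t off = 0;

	buf[0] = '\0';
	for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
		if (!(flags & names[i].bit))
			continue;
		off += snprintf(buf + off, len - off, "%s%s", off ? "|" : "", names[i].name);
		flags &= ~names[i].bit;
	}
	if (flags)
		off += snprintf(buf + off, len - off, "%s0x%llx", off ? "|" : "",
				(unsigned long long)flags);
	if (!off)
		snprintf(buf, len, "0");
}

/* Returns 0 on success, -1 if the trapped syscall is not mremap. */
static int decode_mremap(const struct user_regs *r, struct mremap_call *c)
{
	memset(c, 0, sizeof(*c));
	if (r->orig_rax != NR_MREMAP_X86_64)
		return -1;

	c->old_addr = r->rdi;
	c->old_len  = r->rsi;
	c->new_len  = r->rdx;
	c->flags    = r->r10;    /* 4th argument travels in R10, not RCX */
	c->new_addr = r->r8;     /* only meaningful with MREMAP_FIXED */

	c->shrinks = c->new_len < c->old_len;
	c->pmd_aligned = !((c->old_addr | c->old_len | c->new_len | c->new_addr) & (PMD_SIZE - 1));
	if (c->flags & MREMAP_FIXED) {
		c->dst_adjacent = c->new_addr == c->old_addr + c->old_len;
		c->dst_overlaps = ranges_overlap(c->old_addr, c->old_len, c->new_addr, c->new_len);
	}
	format_mremap_flags(c->flags, c->flag_str, sizeof(c->flag_str));
	return 0;
}

/* User-space registers copied from the first report in this thread. */
static const struct user_regs report_regs = {
	.orig_rax = 0x19, .rdi = 0x200000000000ULL, .rsi = 0xc00000ULL,
	.rdx = 0x400000ULL, .r10 = 0x3ULL, .r8 = 0x200000c00000ULL, .r9 = 0,
};

static struct mremap_call decode_report(void)
{
	struct mremap_call c;

	decode_mremap(&report_regs, &c);
	return c;
}

static bool report_flags_match(const char *expected)
{
	struct mremap_call c = decode_report();

	return strcmp(c.flag_str, expected) == 0;
}

int main(void)
{
	struct mremap_call c = decode_report();

	printf("mremap(old=%#llx, old_len=%#llx, new_len=%#llx, %s, new=%#llx)\n",
	       (unsigned long long)c.old_addr, (unsigned long long)c.old_len,
	       (unsigned long long)c.new_len, c.flag_str,
	       (unsigned long long)c.new_addr);
	printf("shrinks=%d pmd_aligned=%d dst_adjacent=%d dst_overlaps=%d\n",
	       c.shrinks, c.pmd_aligned, c.dst_adjacent, c.dst_overlaps);
	return 0;
}
```

The kernel-side RBX/R10 value 0x32930007 in the same dump looks like a PMD entry with only the present, writable and user bits set and no PSE bit, i.e. a pointer to a PTE table rather than a huge page; that reading is an inference from the bit layout, not something the report states, but it is consistent with a populated destination PMD being what the WARN checks.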
* Re: [syzbot] [mm?] WARNING in move_page_tables
2025-08-12 21:56 [syzbot] [mm?] WARNING in move_page_tables syzbot
@ 2025-08-13 1:26 ` Hillf Danton
2025-08-13 1:49 ` syzbot
2025-08-13 2:19 ` Hillf Danton
` (3 subsequent siblings)
From: Hillf Danton @ 2025-08-13 1:26 UTC (permalink / raw)
To: syzbot; +Cc: linux-kernel, syzkaller-bugs
> Date: Tue, 12 Aug 2025 14:56:35 -0700
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 53e760d89498 Merge tag 'nfsd-6.17-1' of git://git.kernel.o..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=165fe9a2580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=f9319a42cfb3bf57
> dashboard link: https://syzkaller.appspot.com/bug?extid=4d9a13f0797c46a29e42
> compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14172842580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15b04c34580000
#syz test
--- x/mm/mremap.c
+++ y/mm/mremap.c
@@ -837,7 +837,6 @@ unsigned long move_page_tables(struct pa
new_pmd = alloc_new_pmd(mm, pmc->new_addr);
if (!new_pmd)
break;
-again:
if (is_swap_pmd(*old_pmd) || pmd_trans_huge(*old_pmd)) {
if (extent == HPAGE_PMD_SIZE &&
move_pgt_entry(pmc, HPAGE_PMD, old_pmd, new_pmd))
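Review bot: dropping the `again:` label only compiles together with the next hunk that removes the `goto again`, and neither hunk says why the retry existed or why it is now wrong. The label sits above the `is_swap_pmd()`/`pmd_trans_huge()` and NORMAL_PMD fast-path checks, so a retry taken after `pte_alloc()` has already populated `new_pmd` re-enters `move_pgt_entry(pmc, ..., old_pmd, new_pmd)` with a non-empty destination PMD; the report's WARN is in `move_normal_pmd()` at mm/mremap.c:357 and the next hunk's comment about `new_pmd` hints that this is the path being retried into. Please state that in the changelog instead of leaving it implicit.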
@@ -856,8 +855,9 @@ again:
continue;
if (pte_alloc(pmc->new->vm_mm, new_pmd))
break;
+ /* bail out to avoid clearing new_pmd */
if (move_ptes(pmc, extent, old_pmd, new_pmd) < 0)
- goto again;
+ break;
}
mmu_notifier_invalidate_range_end(&range);
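Review bot: replacing `goto again` with `break` turns a transient `move_ptes()` failure into an abandoned move: the loop stops at this PMD and `move_page_tables()` returns with only part of the range moved, which its callers treat as failure, so a user-visible error replaces what used to be a retry. If the problem is that the retry re-runs the PMD-level fast path after `pte_alloc()` has populated `new_pmd`, the narrower fix is to retry only `move_ptes()` (the PTE table is already there, so the PMD-level move is no longer applicable) rather than give up. The comment `/* bail out to avoid clearing new_pmd */` also does not describe what `break` does; nothing here clears `new_pmd`, it leaves the loop. Spell out the failure mode being avoided.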
--
* Re: [syzbot] [mm?] WARNING in move_page_tables
2025-08-13 1:26 ` Hillf Danton
@ 2025-08-13 1:49 ` syzbot
From: syzbot @ 2025-08-13 1:49 UTC (permalink / raw)
To: hdanton, linux-kernel, syzkaller-bugs
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
f888026ed8000
[ 8.273850][ T1] RDX: 1ffff11004ddb14f RSI: ffffffff8de29d08 RDI: ffffffff8c162500
[ 8.273857][ T1] RBP: ffff888026ed8a78 R08: 0000000000000000 R09: ffffed1020aa000d
[ 8.273863][ T1] R10: ffff88810550006f R11: 0000000000000000 R12: ffffc90004edfa30
[ 8.273870][ T1] R13: 0000000000000001 R14: 0000000000000007 R15: ffffc90000046f50
[ 8.273876][ T1] FS: 0000000000000000(0000) GS:ffff8880d67bc000(0000) knlGS:0000000000000000
[ 8.273903][ T1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 8.273912][ T1] CR2: 0000000000000000 CR3: 000000000e380000 CR4: 0000000000352ef0
[ 8.273918][ T1] Call Trace:
[ 8.273957][ T1] <TASK>
[ 8.273968][ T1] __ww_mutex_lock.constprop.0+0x1a69/0x32c0
[ 8.274047][ T1] ? virtio_gpu_plane_duplicate_state+0x6c/0xc0
[ 8.274092][ T1] ? drm_atomic_get_plane_state+0x20e/0x590
[ 8.274108][ T1] ? drm_client_modeset_commit_atomic+0x237/0x7e0
[ 8.274125][ T1] ? drm_client_modeset_commit_locked+0x14d/0x580
[ 8.274141][ T1] ? drm_fb_helper_pan_display+0x32d/0xa40
[ 8.274155][ T1] ? fb_pan_display+0x47c/0x7d0
[ 8.274166][ T1] ? rotate_all_store+0x250/0x400
[ 8.274183][ T1] ? redraw_screen+0x2c1/0x760
[ 8.274201][ T1] ? fbcon_fb_registered+0x21d/0x6a0
[ 8.274213][ T1] ? modeset_lock+0x4a0/0x6e0
[ 8.274227][ T1] ? __pfx___ww_mutex_lock.constprop.0+0x10/0x10
[ 8.274239][ T1] ? virtio_gpu_probe+0x29e/0x500
[ 8.274251][ T1] ? virtio_dev_probe+0x6a0/0xbe0
[ 8.274265][ T1] ? look_up_lock_class+0x59/0x150
[ 8.274283][ T1] ? __pfx___might_resched+0x10/0x10
[ 8.274300][ T1] ? ww_mutex_lock+0x37/0x160
[ 8.274358][ T1] ww_mutex_lock+0x37/0x160
[ 8.274371][ T1] modeset_lock+0x4a0/0x6e0
[ 8.274385][ T1] drm_modeset_lock+0x59/0x90
[ 8.274399][ T1] drm_atomic_get_crtc_state+0x100/0x450
[ 8.274415][ T1] drm_atomic_get_plane_state+0x436/0x590
[ 8.274432][ T1] drm_client_modeset_commit_atomic+0x237/0x7e0
[ 8.274450][ T1] ? rcu_is_watching+0x12/0xc0
[ 8.274465][ T1] ? trace_contention_end+0xdd/0x130
[ 8.274476][ T1] ? __pfx_drm_client_modeset_commit_atomic+0x10/0x10
[ 8.274493][ T1] ? __mutex_lock+0x1c4/0x10b0
[ 8.274513][ T1] ? __pfx___mutex_unlock_slowpath+0x10/0x10
[ 8.274532][ T1] drm_client_modeset_commit_locked+0x14d/0x580
[ 8.274551][ T1] drm_fb_helper_pan_display+0x32d/0xa40
[ 8.274571][ T1] fb_pan_display+0x47c/0x7d0
[ 8.274580][ T1] ? __pfx_drm_fb_helper_pan_display+0x10/0x10
[ 8.274595][ T1] bit_update_start+0x49/0x1f0
[ 8.274607][ T1] fbcon_switch+0xbf8/0x14c0
[ 8.274621][ T1] ? __pfx_fbcon_switch+0x10/0x10
[ 8.274638][ T1] ? __pfx_bit_cursor+0x10/0x10
[ 8.274649][ T1] ? fbcon_cursor+0x40c/0x5f0
[ 8.274658][ T1] ? vc_init+0x441/0x490
[ 8.274674][ T1] ? is_console_locked+0x9/0x20
[ 8.274689][ T1] ? con_is_visible+0x65/0x150
[ 8.274705][ T1] redraw_screen+0x2c1/0x760
[ 8.274721][ T1] ? fbcon_prepare_logo+0x8ed/0xc70
[ 8.274732][ T1] ? __pfx_redraw_screen+0x10/0x10
[ 8.274753][ T1] set_con2fb_map+0x7aa/0x1080
[ 8.274773][ T1] fbcon_fb_registered+0x21d/0x6a0
[ 8.274786][ T1] do_register_framebuffer+0x512/0x8a0
[ 8.274796][ T1] ? __pfx_do_register_framebuffer+0x10/0x10
[ 8.274810][ T1] ? find_held_lock+0x2b/0x80
[ 8.274826][ T1] register_framebuffer+0x23/0x40
[ 8.274836][ T1] __drm_fb_helper_initial_config_and_unlock+0xdb7/0x17b0
[ 8.274856][ T1] ? __mutex_unlock_slowpath+0x163/0x800
[ 8.274868][ T1] ? __pfx___drm_fb_helper_initial_config_and_unlock+0x10/0x10
[ 8.274889][ T1] drm_fb_helper_initial_config+0x44/0x60
[ 8.274904][ T1] drm_fbdev_client_hotplug+0x1a6/0x280
[ 8.274917][ T1] ? __pfx_drm_fbdev_client_hotplug+0x10/0x10
[ 8.274928][ T1] drm_client_register+0x197/0x280
[ 8.274943][ T1] drm_fbdev_client_setup+0x1bd/0x480
[ 8.274956][ T1] drm_client_setup+0x19f/0x240
[ 8.274967][ T1] virtio_gpu_probe+0x29e/0x500
[ 8.274980][ T1] virtio_dev_probe+0x6a0/0xbe0
[ 8.274996][ T1] ? __pfx_virtio_dev_probe+0x10/0x10
[ 8.275009][ T1] ? kernfs_create_link+0x1bd/0x240
[ 8.275021][ T1] ? kernfs_put+0x35/0x60
[ 8.275037][ T1] ? sysfs_do_create_link_sd+0xbb/0x140
[ 8.275052][ T1] ? sysfs_create_link+0x68/0xc0
[ 8.275067][ T1] ? __pfx_virtio_dev_probe+0x10/0x10
[ 8.275082][ T1] really_probe+0x241/0xa90
[ 8.275163][ T1] __driver_probe_device+0x1de/0x440
[ 8.275175][ T1] ? _raw_spin_unlock_irqrestore+0x52/0x80
[ 8.275194][ T1] driver_probe_device+0x4c/0x1b0
[ 8.275206][ T1] __driver_attach+0x283/0x580
[ 8.275218][ T1] ? __pfx___driver_attach+0x10/0x10
[ 8.275229][ T1] bus_for_each_dev+0x13b/0x1d0
[ 8.275244][ T1] ? __pfx_bus_for_each_dev+0x10/0x10
[ 8.275260][ T1] ? bus_add_driver+0x299/0x690
[ 8.275280][ T1] bus_add_driver+0x2e9/0x690
[ 8.275297][ T1] ? __pfx_virtio_gpu_driver_init+0x10/0x10
[ 8.275314][ T1] driver_register+0x15c/0x4b0
[ 8.275326][ T1] ? __register_virtio_driver+0x56/0x100
[ 8.275340][ T1] virtio_gpu_driver_init+0xa8/0x1b0
[ 8.275368][ T1] do_one_initcall+0x120/0x6e0
[ 8.275382][ T1] ? __pfx_do_one_initcall+0x10/0x10
[ 8.275398][ T1] ? __kmalloc_noprof+0x242/0x510
[ 8.275409][ T1] ? kasan_poison+0x12/0x50
[ 8.275428][ T1] kernel_init_freeable+0x5c2/0x910
[ 8.275446][ T1] ? __pfx_kernel_init+0x10/0x10
[ 8.275464][ T1] kernel_init+0x1c/0x2b0
[ 8.275477][ T1] ? __pfx_kernel_init+0x10/0x10
[ 8.275490][ T1] ret_from_fork+0x5d7/0x6f0
[ 8.275500][ T1] ? __pfx_kernel_init+0x10/0x10
[ 8.275514][ T1] ret_from_fork_asm+0x1a/0x30
[ 8.275534][ T1] </TASK>
[ 8.275541][ T1] Kernel panic - not syncing: kernel: panic_on_warn set ...
[ 8.275549][ T1] CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.17.0-rc1-syzkaller-g8742b2d8935f-dirty #0 PREEMPT(full)
[ 8.275562][ T1] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 8.275568][ T1] Call Trace:
[ 8.275572][ T1] <TASK>
[ 8.275576][ T1] dump_stack_lvl+0x3d/0x1f0
[ 8.275588][ T1] vpanic+0x6e8/0x7a0
[ 8.275605][ T1] ? __pfx_vpanic+0x10/0x10
[ 8.275625][ T1] ? __ww_mutex_wound+0x23b/0x3e0
[ 8.275635][ T1] panic+0xca/0xd0
[ 8.275651][ T1] ? __pfx_panic+0x10/0x10
[ 8.275671][ T1] ? check_panic_on_warn+0x1f/0xb0
[ 8.275681][ T1] check_panic_on_warn+0xab/0xb0
[ 8.275691][ T1] __warn+0xf6/0x3c0
[ 8.275701][ T1] ? __ww_mutex_wound+0x23b/0x3e0
[ 8.275711][ T1] report_bug+0x3c3/0x580
[ 8.275728][ T1] ? __ww_mutex_wound+0x23b/0x3e0
[ 8.275738][ T1] handle_bug+0x184/0x210
[ 8.275756][ T1] exc_invalid_op+0x17/0x50
[ 8.275769][ T1] asm_exc_invalid_op+0x1a/0x20
[ 8.275780][ T1] RIP: 0010:__ww_mutex_wound+0x23b/0x3e0
[ 8.275790][ T1] Code: 00 00 00 00 fc ff df 48 89 ea 48 c1 ea 03 80 3c 02 00 0f 85 85 01 00 00 48 8b 81 78 0a 00 00 48 85 c0 74 09 48 39 c3 74 04 90 <0f> 0b 90 48 b8 00 00 00 00 00 fc ff df 48 89 ea 48 c1 ea 03 80 3c
[ 8.275800][ T1] RSP: 0000:ffffc90000046e58 EFLAGS: 00010002
[ 8.275809][ T1] RAX: ffff8881054cd048 RBX: ffff888105500068 RCX: ffff888026ed8000
[ 8.275816][ T1] RDX: 1ffff11004ddb14f RSI: ffffffff8de29d08 RDI: ffffffff8c162500
[ 8.275823][ T1] RBP: ffff888026ed8a78 R08: 0000000000000000 R09: ffffed1020aa000d
[ 8.275829][ T1] R10: ffff88810550006f R11: 0000000000000000 R12: ffffc90004edfa30
[ 8.275835][ T1] R13: 0000000000000001 R14: 0000000000000007 R15: ffffc90000046f50
[ 8.275849][ T1] ? __ww_mutex_wound+0x2ed/0x3e0
[ 8.275861][ T1] __ww_mutex_lock.constprop.0+0x1a69/0x32c0
[ 8.275873][ T1] ? virtio_gpu_plane_duplicate_state+0x6c/0xc0
[ 8.275886][ T1] ? drm_atomic_get_plane_state+0x20e/0x590
[ 8.275900][ T1] ? drm_client_modeset_commit_atomic+0x237/0x7e0
[ 8.275915][ T1] ? drm_client_modeset_commit_locked+0x14d/0x580
[ 8.275930][ T1] ? drm_fb_helper_pan_display+0x32d/0xa40
[ 8.275943][ T1] ? fb_pan_display+0x47c/0x7d0
[ 8.275951][ T1] ? rotate_all_store+0x250/0x400
[ 8.275968][ T1] ? redraw_screen+0x2c1/0x760
[ 8.275984][ T1] ? fbcon_fb_registered+0x21d/0x6a0
[ 8.275995][ T1] ? modeset_lock+0x4a0/0x6e0
[ 8.276008][ T1] ? __pfx___ww_mutex_lock.constprop.0+0x10/0x10
[ 8.276019][ T1] ? virtio_gpu_probe+0x29e/0x500
[ 8.276030][ T1] ? virtio_dev_probe+0x6a0/0xbe0
[ 8.276042][ T1] ? look_up_lock_class+0x59/0x150
[ 8.276058][ T1] ? __pfx___might_resched+0x10/0x10
[ 8.276131][ T1] ? ww_mutex_lock+0x37/0x160
[ 8.276157][ T1] ww_mutex_lock+0x37/0x160
[ 8.276169][ T1] modeset_lock+0x4a0/0x6e0
[ 8.276185][ T1] drm_modeset_lock+0x59/0x90
[ 8.276198][ T1] drm_atomic_get_crtc_state+0x100/0x450
[ 8.276214][ T1] drm_atomic_get_plane_state+0x436/0x590
[ 8.276230][ T1] drm_client_modeset_commit_atomic+0x237/0x7e0
[ 8.276249][ T1] ? rcu_is_watching+0x12/0xc0
[ 8.276264][ T1] ? trace_contention_end+0xdd/0x130
[ 8.276275][ T1] ? __pfx_drm_client_modeset_commit_atomic+0x10/0x10
[ 8.276290][ T1] ? __mutex_lock+0x1c4/0x10b0
[ 8.276309][ T1] ? __pfx___mutex_unlock_slowpath+0x10/0x10
[ 8.276326][ T1] drm_client_modeset_commit_locked+0x14d/0x580
[ 8.276344][ T1] drm_fb_helper_pan_display+0x32d/0xa40
[ 8.276364][ T1] fb_pan_display+0x47c/0x7d0
[ 8.276423][ T1] ? __pfx_drm_fb_helper_pan_display+0x10/0x10
[ 8.276444][ T1] bit_update_start+0x49/0x1f0
[ 8.276458][ T1] fbcon_switch+0xbf8/0x14c0
[ 8.276475][ T1] ? __pfx_fbcon_switch+0x10/0x10
[ 8.276492][ T1] ? __pfx_bit_cursor+0x10/0x10
[ 8.276509][ T1] ? fbcon_cursor+0x40c/0x5f0
[ 8.276519][ T1] ? vc_init+0x441/0x490
[ 8.276535][ T1] ? is_console_locked+0x9/0x20
[ 8.276551][ T1] ? con_is_visible+0x65/0x150
[ 8.276567][ T1] redraw_screen+0x2c1/0x760
[ 8.276584][ T1] ? fbcon_prepare_logo+0x8ed/0xc70
[ 8.276594][ T1] ? __pfx_redraw_screen+0x10/0x10
[ 8.276615][ T1] set_con2fb_map+0x7aa/0x1080
[ 8.276629][ T1] fbcon_fb_registered+0x21d/0x6a0
[ 8.276642][ T1] do_register_framebuffer+0x512/0x8a0
[ 8.276652][ T1] ? __pfx_do_register_framebuffer+0x10/0x10
[ 8.276666][ T1] ? find_held_lock+0x2b/0x80
[ 8.276682][ T1] register_framebuffer+0x23/0x40
[ 8.276691][ T1] __drm_fb_helper_initial_config_and_unlock+0xdb7/0x17b0
[ 8.276712][ T1] ? __mutex_unlock_slowpath+0x163/0x800
[ 8.276725][ T1] ? __pfx___drm_fb_helper_initial_config_and_unlock+0x10/0x10
[ 8.276750][ T1] drm_fb_helper_initial_config+0x44/0x60
[ 8.276764][ T1] drm_fbdev_client_hotplug+0x1a6/0x280
[ 8.276777][ T1] ? __pfx_drm_fbdev_client_hotplug+0x10/0x10
[ 8.276788][ T1] drm_client_register+0x197/0x280
[ 8.276804][ T1] drm_fbdev_client_setup+0x1bd/0x480
[ 8.276816][ T1] drm_client_setup+0x19f/0x240
[ 8.276828][ T1] virtio_gpu_probe+0x29e/0x500
[ 8.276843][ T1] virtio_dev_probe+0x6a0/0xbe0
[ 8.276861][ T1] ? __pfx_virtio_dev_probe+0x10/0x10
[ 8.276873][ T1] ? kernfs_create_link+0x1bd/0x240
[ 8.276886][ T1] ? kernfs_put+0x35/0x60
[ 8.276901][ T1] ? sysfs_do_create_link_sd+0xbb/0x140
[ 8.276916][ T1] ? sysfs_create_link+0x68/0xc0
[ 8.276930][ T1] ? __pfx_virtio_dev_probe+0x10/0x10
[ 8.276944][ T1] really_probe+0x241/0xa90
[ 8.276958][ T1] __driver_probe_device+0x1de/0x440
[ 8.276970][ T1] ? _raw_spin_unlock_irqrestore+0x52/0x80
[ 8.276989][ T1] driver_probe_device+0x4c/0x1b0
[ 8.277001][ T1] __driver_attach+0x283/0x580
[ 8.277014][ T1] ? __pfx___driver_attach+0x10/0x10
[ 8.277025][ T1] bus_for_each_dev+0x13b/0x1d0
[ 8.277041][ T1] ? __pfx_bus_for_each_dev+0x10/0x10
[ 8.277057][ T1] ? bus_add_driver+0x299/0x690
[ 8.277076][ T1] bus_add_driver+0x2e9/0x690
[ 8.277094][ T1] ? __pfx_virtio_gpu_driver_init+0x10/0x10
[ 8.277109][ T1] driver_register+0x15c/0x4b0
[ 8.277121][ T1] ? __register_virtio_driver+0x56/0x100
[ 8.277135][ T1] virtio_gpu_driver_init+0xa8/0x1b0
[ 8.277150][ T1] do_one_initcall+0x120/0x6e0
[ 8.277164][ T1] ? __pfx_do_one_initcall+0x10/0x10
[ 8.277179][ T1] ? __kmalloc_noprof+0x242/0x510
[ 8.277189][ T1] ? kasan_poison+0x12/0x50
[ 8.277208][ T1] kernel_init_freeable+0x5c2/0x910
[ 8.277226][ T1] ? __pfx_kernel_init+0x10/0x10
[ 8.277241][ T1] kernel_init+0x1c/0x2b0
[ 8.277254][ T1] ? __pfx_kernel_init+0x10/0x10
[ 8.277267][ T1] ret_from_fork+0x5d7/0x6f0
[ 8.277277][ T1] ? __pfx_kernel_init+0x10/0x10
[ 8.277291][ T1] ret_from_fork_asm+0x1a/0x30
[ 8.277310][ T1] </TASK>
[ 8.278140][ T1] Kernel Offset: disabled
syzkaller build log:
go env (err=<nil>)
AR='ar'
CC='gcc'
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_ENABLED='1'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
CXX='g++'
GCCGO='gccgo'
GO111MODULE='auto'
GOAMD64='v1'
GOARCH='amd64'
GOAUTH='netrc'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOCACHEPROG=''
GODEBUG=''
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFIPS140='off'
GOFLAGS=''
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build2874749031=/tmp/go-build -gno-record-gcc-switches'
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMOD='/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOMODCACHE='/syzkaller/jobs/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/syzkaller/jobs/linux/gopath/pkg/mod/golang.org/toolchain@v0.0.1-go1.24.4.linux-amd64'
GOSUMDB='sum.golang.org'
GOTELEMETRY='local'
GOTELEMETRYDIR='/syzkaller/.config/go/telemetry'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/syzkaller/jobs/linux/gopath/pkg/mod/golang.org/toolchain@v0.0.1-go1.24.4.linux-amd64/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.24.4'
GOWORK=''
PKG_CONFIG='pkg-config'
git status (err=<nil>)
HEAD detached at c06e8995d7
nothing to commit, working tree clean
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=c06e8995d711b5a8d8fbd771826fcbfdac6f110f -X github.com/google/syzkaller/prog.gitRevisionDate=20250811-165554" -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"c06e8995d711b5a8d8fbd771826fcbfdac6f110f\"
/usr/bin/ld: /tmp/ccMJYSuh.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x104): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=109025a2580000
Tested on:
commit: 8742b2d8 Merge tag 'pull-fixes' of git://git.kernel.or..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=f9319a42cfb3bf57
dashboard link: https://syzkaller.appspot.com/bug?extid=4d9a13f0797c46a29e42
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=127fa842580000
* Re: [syzbot] [mm?] WARNING in move_page_tables
2025-08-12 21:56 [syzbot] [mm?] WARNING in move_page_tables syzbot
2025-08-13 1:26 ` Hillf Danton
@ 2025-08-13 2:19 ` Hillf Danton
2025-08-13 2:39 ` syzbot
2025-08-13 4:47 ` Lorenzo Stoakes
` (2 subsequent siblings)
From: Hillf Danton @ 2025-08-13 2:19 UTC (permalink / raw)
To: syzbot; +Cc: linux-kernel, syzkaller-bugs
> Date: Tue, 12 Aug 2025 14:56:35 -0700
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 53e760d89498 Merge tag 'nfsd-6.17-1' of git://git.kernel.o..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=165fe9a2580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=f9319a42cfb3bf57
> dashboard link: https://syzkaller.appspot.com/bug?extid=4d9a13f0797c46a29e42
> compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14172842580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15b04c34580000
#syz test
--- x/mm/mremap.c
+++ y/mm/mremap.c
@@ -837,7 +837,6 @@ unsigned long move_page_tables(struct pa
new_pmd = alloc_new_pmd(mm, pmc->new_addr);
if (!new_pmd)
break;
-again:
if (is_swap_pmd(*old_pmd) || pmd_trans_huge(*old_pmd)) {
if (extent == HPAGE_PMD_SIZE &&
move_pgt_entry(pmc, HPAGE_PMD, old_pmd, new_pmd))
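Review bot: this hunk and the next mremap.c hunk are identical to the earlier #syz test patch in this thread; the sched.h and ww_mutex.h hunks that follow are unrelated to the mremap report and only silence the boot-time `__ww_mutex_wound()` warning that made the previous test job panic under panic_on_warn. Bundling an unrelated locking change into the test patch makes it impossible to tell which hunk changed the outcome; send it as a separate patch with its own report.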
@@ -856,8 +855,9 @@ again:
continue;
if (pte_alloc(pmc->new->vm_mm, new_pmd))
break;
+ /* bail out to avoid clearing new_pmd */
if (move_ptes(pmc, extent, old_pmd, new_pmd) < 0)
- goto again;
+ break;
}
mmu_notifier_invalidate_range_end(&range);
--- x/include/linux/sched.h
+++ y/include/linux/sched.h
@@ -2152,6 +2152,8 @@ static inline struct mutex *__get_task_b
static inline void __set_task_blocked_on(struct task_struct *p, struct mutex *m)
{
+ struct mutex *blocked_on = READ_ONCE(p->blocked_on);
+
WARN_ON_ONCE(!m);
/* The task should only be setting itself as blocked */
WARN_ON_ONCE(p != current);
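Review bot: the READ_ONCE()/WRITE_ONCE() on `p->blocked_on` make the accesses tear-free but do not restore the serialisation that the comment in `__clear_task_blocked_on()` promises (`Currently we serialize blocked_on under the mutex::wait_lock`). Once another CPU may clear the field without holding the wait_lock of the mutex this task is blocked on (the ww_mutex.h hunk passes NULL and skips the lockdep assert), the `WARN_ON_ONCE(blocked_on && blocked_on != m)` check is racing that writer and can fire or be missed by timing. Either update the comment to state the new rule or make the wound path take the right wait_lock.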
@@ -2162,8 +2164,8 @@ static inline void __set_task_blocked_on
* with a different mutex. Note, setting it to the same
* lock repeatedly is ok.
*/
- WARN_ON_ONCE(p->blocked_on && p->blocked_on != m);
- p->blocked_on = m;
+ WARN_ON_ONCE(blocked_on && blocked_on != m);
+ WRITE_ONCE(p->blocked_on, m);
}
static inline void set_task_blocked_on(struct task_struct *p, struct mutex *m)
@@ -2174,16 +2176,19 @@ static inline void set_task_blocked_on(s
static inline void __clear_task_blocked_on(struct task_struct *p, struct mutex *m)
{
- WARN_ON_ONCE(!m);
- /* Currently we serialize blocked_on under the mutex::wait_lock */
- lockdep_assert_held_once(&m->wait_lock);
- /*
- * There may be cases where we re-clear already cleared
- * blocked_on relationships, but make sure we are not
- * clearing the relationship with a different lock.
- */
- WARN_ON_ONCE(m && p->blocked_on && p->blocked_on != m);
- p->blocked_on = NULL;
+ if (m) {
+ struct mutex *blocked_on = READ_ONCE(p->blocked_on);
+
+ /* Currently we serialize blocked_on under the mutex::wait_lock */
+ lockdep_assert_held_once(&m->wait_lock);
+ /*
+ * There may be cases where we re-clear already cleared
+ * blocked_on relationships, but make sure we are not
+ * clearing the relationship with a different lock.
+ */
+ WARN_ON_ONCE(blocked_on && blocked_on != m);
+ }
+ WRITE_ONCE(p->blocked_on, NULL);
}
static inline void clear_task_blocked_on(struct task_struct *p, struct mutex *m)
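Review bot: making `m == NULL` a silent "clear unconditionally, no lockdep check" mode drops both `WARN_ON_ONCE(!m)` and `lockdep_assert_held_once(&m->wait_lock)` without documenting the new contract. Add a comment above the function saying when NULL is permitted and what the caller must hold, otherwise the next caller to pass NULL loses lockdep coverage by accident. Also note that the `blocked_on` snapshot inside the `if (m)` block is used only for the WARN; the `WRITE_ONCE(p->blocked_on, NULL)` proceeds whether or not it matched `m`, which preserves the old behaviour but is worth saying explicitly.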
--- x/kernel/locking/ww_mutex.h
+++ y/kernel/locking/ww_mutex.h
@@ -342,8 +342,12 @@ static bool __ww_mutex_wound(struct MUTE
* When waking up the task to wound, be sure to clear the
* blocked_on pointer. Otherwise we can see circular
* blocked_on relationships that can't resolve.
+ *
+ * NOTE: We pass NULL here instead of lock, because we
+ * are waking the mutex owner, who may be currently
+ * blocked on a different mutex.
*/
- __clear_task_blocked_on(owner, lock);
+ __clear_task_blocked_on(owner, NULL);
wake_q_add(wake_q, owner);
}
return true;
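Review bot: passing NULL here clears the owner's `blocked_on` while holding only `lock->wait_lock`, not the wait_lock of the mutex the owner is actually blocked on (the added NOTE itself says it may be a different mutex), so this sidesteps the mismatched-mutex WARN rather than fixing the ordering that triggers it. The trigger was a boot-time `__ww_mutex_wound()` warning under panic_on_warn in the virtio_gpu probe path, a separate issue from the mremap WARN this thread is about; it deserves its own report and patch, cc'ing the locking maintainers.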
--
* Re: [syzbot] [mm?] WARNING in move_page_tables
2025-08-13 2:19 ` Hillf Danton
@ 2025-08-13 2:39 ` syzbot
From: syzbot @ 2025-08-13 2:39 UTC (permalink / raw)
To: hdanton, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in move_page_tables
R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000002
R13: 00007f6b549b6038 R14: 00007f6b549b5fa0 R15: 00007fff55995d28
</TASK>
------------[ cut here ]------------
WARNING: CPU: 2 PID: 6580 at mm/mremap.c:357 move_normal_pmd mm/mremap.c:357 [inline]
WARNING: CPU: 2 PID: 6580 at mm/mremap.c:357 move_pgt_entry mm/mremap.c:595 [inline]
WARNING: CPU: 2 PID: 6580 at mm/mremap.c:357 move_page_tables+0x3752/0x4580 mm/mremap.c:851
Modules linked in:
CPU: 2 UID: 0 PID: 6580 Comm: syz.0.19 Not tainted 6.17.0-rc1-syzkaller-g8742b2d8935f-dirty #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:move_normal_pmd mm/mremap.c:357 [inline]
RIP: 0010:move_pgt_entry mm/mremap.c:595 [inline]
RIP: 0010:move_page_tables+0x3752/0x4580 mm/mremap.c:851
Code: 00 48 8b 04 24 31 ff 0f b6 58 30 89 de e8 f6 1c af ff 84 db 0f 85 0d 01 00 00 e8 09 22 af ff e9 19 d7 ff ff e8 ff 21 af ff 90 <0f> 0b 90 48 8b 44 24 50 48 8d 78 40 48 b8 00 00 00 00 00 fc ff df
RSP: 0018:ffffc9000367f6f8 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 00000000343ec007 RCX: ffffffff820c64bc
RDX: ffff8880251d2440 RSI: ffffffff820c6fc1 RDI: 0000000000000007
RBP: ffff888034426700 R08: 0000000000000007 R09: 0000000000000000
R10: 00000000343ec007 R11: 0000000000000000 R12: dffffc0000000000
R13: 0000000000000000 R14: ffff88802a726030 R15: ffffffff8df55480
FS: 00007f6b53df66c0(0000) GS:ffff8880d68bc000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffde7257210 CR3: 000000005332e000 CR4: 0000000000352ef0
Call Trace:
<TASK>
copy_vma_and_data+0x468/0x790 mm/mremap.c:1215
move_vma+0x548/0x1780 mm/mremap.c:1282
mremap_to+0x1b7/0x450 mm/mremap.c:1406
do_mremap+0xfad/0x1f80 mm/mremap.c:1921
__do_sys_mremap+0x119/0x170 mm/mremap.c:1977
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f6b5478ebe9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f6b53df6038 EFLAGS: 00000246 ORIG_RAX: 0000000000000019
RAX: ffffffffffffffda RBX: 00007f6b549b5fa0 RCX: 00007f6b5478ebe9
RDX: 0000000000400000 RSI: 0000000000c00000 RDI: 0000200000000000
RBP: 00007f6b53df6090 R08: 0000200000c00000 R09: 0000000000000000
R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000002
R13: 00007f6b549b6038 R14: 00007f6b549b5fa0 R15: 00007fff55995d28
</TASK>
Tested on:
commit: 8742b2d8 Merge tag 'pull-fixes' of git://git.kernel.or..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10b86842580000
kernel config: https://syzkaller.appspot.com/x/.config?x=f9319a42cfb3bf57
dashboard link: https://syzkaller.appspot.com/bug?extid=4d9a13f0797c46a29e42
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=152825a2580000
* Re: [syzbot] [mm?] WARNING in move_page_tables
2025-08-12 21:56 [syzbot] [mm?] WARNING in move_page_tables syzbot
2025-08-13 1:26 ` Hillf Danton
2025-08-13 2:19 ` Hillf Danton
@ 2025-08-13 4:47 ` Lorenzo Stoakes
2025-08-13 5:08 ` syzbot
2025-08-13 12:20 ` Harry Yoo
2025-08-13 13:14 ` Hillf Danton
From: Lorenzo Stoakes @ 2025-08-13 4:47 UTC (permalink / raw)
To: syzbot
Cc: Liam.Howlett, akpm, jannh, linux-kernel, linux-mm, pfalcato,
syzkaller-bugs, vbabka
On Tue, Aug 12, 2025 at 02:56:35PM -0700, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 53e760d89498 Merge tag 'nfsd-6.17-1' of git://git.kernel.o..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=165fe9a2580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=f9319a42cfb3bf57
> dashboard link: https://syzkaller.appspot.com/bug?extid=4d9a13f0797c46a29e42
> compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14172842580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15b04c34580000
>
As usual the repro doesn't repro for me.
Let's try [0] as a quick check as upstream doesn't have it yet.
[0]: https://lore.kernel.org/all/20250806145611.3962-1-dev.jain@arm.com/
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm.git mm-hotfixes-unstable
> Downloadable assets:
> disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-53e760d8.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/584b4139c7e3/vmlinux-53e760d8.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/4d2474607300/bzImage-53e760d8.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+4d9a13f0797c46a29e42@syzkaller.appspotmail.com
>
> R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000002
> R13: 00007f00d0db5fa0 R14: 00007f00d0db5fa0 R15: 0000000000000005
> </TASK>
> ------------[ cut here ]------------
> WARNING: CPU: 2 PID: 6133 at mm/mremap.c:357 move_normal_pmd mm/mremap.c:357 [inline]
> WARNING: CPU: 2 PID: 6133 at mm/mremap.c:357 move_pgt_entry mm/mremap.c:595 [inline]
> WARNING: CPU: 2 PID: 6133 at mm/mremap.c:357 move_page_tables+0x3832/0x44a0 mm/mremap.c:852
> Modules linked in:
> CPU: 2 UID: 0 PID: 6133 Comm: syz.0.19 Not tainted 6.17.0-rc1-syzkaller-00004-g53e760d89498 #0 PREEMPT(full)
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
> RIP: 0010:move_normal_pmd mm/mremap.c:357 [inline]
> RIP: 0010:move_pgt_entry mm/mremap.c:595 [inline]
> RIP: 0010:move_page_tables+0x3832/0x44a0 mm/mremap.c:852
> Code: 02 00 0f 85 b6 03 00 00 48 8b 2b 4c 89 f6 48 89 ef e8 e2 1b af ff 49 39 ee 0f 82 d5 cb ff ff e9 0c cc ff ff e8 1f 21 af ff 90 <0f> 0b 90 48 8b 44 24 40 48 8d 78 40 48 b8 00 00 00 00 00 fc ff df
> RSP: 0018:ffffc900037a76d8 EFLAGS: 00010293
> RAX: 0000000000000000 RBX: 0000000032930007 RCX: ffffffff820c6645
> RDX: ffff88802e56a440 RSI: ffffffff820c7201 RDI: 0000000000000007
> RBP: ffff888037728fc0 R08: 0000000000000007 R09: 0000000000000000
> R10: 0000000032930007 R11: 0000000000000000 R12: 0000000000000000
> R13: ffffc900037a79a8 R14: 0000000000000001 R15: dffffc0000000000
> FS: 000055556316a500(0000) GS:ffff8880d68bc000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000001b30863fff CR3: 0000000050171000 CR4: 0000000000352ef0
> Call Trace:
> <TASK>
> copy_vma_and_data+0x468/0x790 mm/mremap.c:1215
> move_vma+0x548/0x1780 mm/mremap.c:1282
> mremap_to+0x1b7/0x450 mm/mremap.c:1406
> do_mremap+0xfad/0x1f80 mm/mremap.c:1921
> __do_sys_mremap+0x119/0x170 mm/mremap.c:1977
> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
> do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
> RIP: 0033:0x7f00d0b8ebe9
> Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007ffe5ea5ee98 EFLAGS: 00000246 ORIG_RAX: 0000000000000019
> RAX: ffffffffffffffda RBX: 00007f00d0db5fa0 RCX: 00007f00d0b8ebe9
> RDX: 0000000000400000 RSI: 0000000000c00000 RDI: 0000200000000000
> RBP: 00007ffe5ea5eef0 R08: 0000200000c00000 R09: 0000000000000000
> R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000002
> R13: 00007f00d0db5fa0 R14: 00007f00d0db5fa0 R15: 0000000000000005
> </TASK>
* Re: [syzbot] [mm?] WARNING in move_page_tables
2025-08-13 4:47 ` Lorenzo Stoakes
@ 2025-08-13 5:08 ` syzbot
2025-08-13 12:20 ` Harry Yoo
0 siblings, 1 reply; 15+ messages in thread
From: syzbot @ 2025-08-13 5:08 UTC (permalink / raw)
To: akpm, jannh, liam.howlett, linux-kernel, linux-mm,
lorenzo.stoakes, pfalcato, syzkaller-bugs, vbabka
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+4d9a13f0797c46a29e42@syzkaller.appspotmail.com
Tested-by: syzbot+4d9a13f0797c46a29e42@syzkaller.appspotmail.com
Tested on:
commit: 0db9b72d mm/userfaultfd: fix kmap_local LIFO ordering ..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm.git mm-hotfixes-unstable
console output: https://syzkaller.appspot.com/x/log.txt?x=128fb5a2580000
kernel config: https://syzkaller.appspot.com/x/.config?x=2323b2d6038203a5
dashboard link: https://syzkaller.appspot.com/bug?extid=4d9a13f0797c46a29e42
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
Note: no patches were applied.
Note: testing is done by a robot and is best-effort only.
* Re: [syzbot] [mm?] WARNING in move_page_tables
2025-08-12 21:56 [syzbot] [mm?] WARNING in move_page_tables syzbot
` (2 preceding siblings ...)
2025-08-13 4:47 ` Lorenzo Stoakes
@ 2025-08-13 12:20 ` Harry Yoo
2025-08-18 12:54 ` David Hildenbrand
2025-08-13 13:14 ` Hillf Danton
4 siblings, 1 reply; 15+ messages in thread
From: Harry Yoo @ 2025-08-13 12:20 UTC (permalink / raw)
To: syzbot
Cc: Liam.Howlett, akpm, jannh, linux-kernel, linux-mm,
lorenzo.stoakes, pfalcato, syzkaller-bugs, vbabka, Ryan Roberts,
Peter Xu, Mikołaj Lenczewski, David Hildenbrand
On Tue, Aug 12, 2025 at 02:56:35PM -0700, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 53e760d89498 Merge tag 'nfsd-6.17-1' of git://git.kernel.o..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=165fe9a2580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=f9319a42cfb3bf57
> dashboard link: https://syzkaller.appspot.com/bug?extid=4d9a13f0797c46a29e42
> compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14172842580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15b04c34580000
>
> Downloadable assets:
> disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-53e760d8.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/584b4139c7e3/vmlinux-53e760d8.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/4d2474607300/bzImage-53e760d8.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+4d9a13f0797c46a29e42@syzkaller.appspotmail.com
[Cc'ing Ryan, Mikołaj, David and Peter]
I was able to reliably reproduce this (with the reproducer provided
by syzbot) and performed bisection.
The first bad commit is 0cef0bb836e mm: clear uffd-wp PTE/PMD state on
mremap(), which was introduced in v6.13.
Adding git bisect log.
# Git bisect log
$ git bisect start
# status: waiting for both good and bad commits
# bad: [19272b37aa4f83ca52bdf9c16d5d81bdd1354494] Linux 6.16-rc1
git bisect bad 19272b37aa4f83ca52bdf9c16d5d81bdd1354494
# status: waiting for good commit(s), bad commit known
# bad: [0ff41df1cb268fc69e703a08a57ee14ae967d0ca] Linux 6.15
git bisect bad 0ff41df1cb268fc69e703a08a57ee14ae967d0ca
# status: waiting for good commit(s), bad commit known
# bad: [38fec10eb60d687e30c8c6b5420d86e8149f7557] Linux 6.14
git bisect bad 38fec10eb60d687e30c8c6b5420d86e8149f7557
# status: waiting for good commit(s), bad commit known
# good: [0c3836482481200ead7b416ca80c68a29cfdaabd] Linux 6.10
git bisect good 0c3836482481200ead7b416ca80c68a29cfdaabd
# good: [77b679453d3364688ff3e5153c0be5b2b52672b7] Merge tag 'v6.12-rc3' into perf-tools-next
git bisect good 77b679453d3364688ff3e5153c0be5b2b52672b7
# good: [77b679453d3364688ff3e5153c0be5b2b52672b7] Merge tag 'v6.12-rc3' into perf-tools-next
git bisect good 77b679453d3364688ff3e5153c0be5b2b52672b7
# good: [05d5d3840b2d52619ffb79e60ab58e30a7f86037] Merge branches '20241204-sm8750_master_clks-v3-0-1a8f31a53a86@quicinc.com' and '20250106-sm8750-dispcc-v2-1-6f42beda6317@linaro.org' into arm64-for-6.14
git bisect good 05d5d3840b2d52619ffb79e60ab58e30a7f86037
# good: [05d5d3840b2d52619ffb79e60ab58e30a7f86037] Merge branches '20241204-sm8750_master_clks-v3-0-1a8f31a53a86@quicinc.com' and '20250106-sm8750-dispcc-v2-1-6f42beda6317@linaro.org' into arm64-for-6.14
git bisect good 05d5d3840b2d52619ffb79e60ab58e30a7f86037
# bad: [d0d106a2bd21499901299160744e5fe9f4c83ddb] Merge tag 'bpf-next-6.14' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next
git bisect bad d0d106a2bd21499901299160744e5fe9f4c83ddb
# bad: [d0d106a2bd21499901299160744e5fe9f4c83ddb] Merge tag 'bpf-next-6.14' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next
git bisect bad d0d106a2bd21499901299160744e5fe9f4c83ddb
# good: [4f1a62e2b3961946a924c093bc2bdd44a2a46c9d] dt-bindings: clock: qcom,sm8550-dispcc: Add SM8750 DISPCC
git bisect good 4f1a62e2b3961946a924c093bc2bdd44a2a46c9d
# good: [8817c21a45b62c17f18417efbd0b04a3805a1e23] dt-bindings: clock: qcom: Document the SM8750 TCSR Clock Controller
git bisect good 8817c21a45b62c17f18417efbd0b04a3805a1e23
# good: [f4d3d7340e719dd3d2c23ce8d6c360e2f93ba7e4] dt-bindings: clock: qcom: Add QCS615 GCC clocks
git bisect good f4d3d7340e719dd3d2c23ce8d6c360e2f93ba7e4
# good: [f4d3d7340e719dd3d2c23ce8d6c360e2f93ba7e4] dt-bindings: clock: qcom: Add QCS615 GCC clocks
git bisect good f4d3d7340e719dd3d2c23ce8d6c360e2f93ba7e4
# bad: [cf33d96f50903214226b379b3f10d1f262dae018] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
git bisect bad cf33d96f50903214226b379b3f10d1f262dae018
# good: [a603abe345d6301f04dc2ceb5fbdaa19e4c8f7da] Merge tag 'perf_urgent_for_v6.13_rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
git bisect good a603abe345d6301f04dc2ceb5fbdaa19e4c8f7da
# good: [79f4b6934dbd7dd6741726ba004a15e25380b8cc] wifi: iwlwifi: mvm: remove unneeded NULL pointer checks
git bisect good 79f4b6934dbd7dd6741726ba004a15e25380b8cc
# bad: [2ee738e90e80850582cbe10f34c6447965c1d87b] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
git bisect bad 2ee738e90e80850582cbe10f34c6447965c1d87b
# good: [bc1e64d5403d7926a3d79fdbbdf628b69f0939a2] Merge branch 'net-use-netdev-lock-to-protect-napi'
git bisect good bc1e64d5403d7926a3d79fdbbdf628b69f0939a2
# good: [3744b08449c27bfa085aa218c4830f3996a51626] Merge branch 'pm-cpufreq'
git bisect good 3744b08449c27bfa085aa218c4830f3996a51626
# good: [a50da36562cd62b41de9bef08edbb3e8af00f118] netdev: avoid CFI problems with sock priv helpers
git bisect good a50da36562cd62b41de9bef08edbb3e8af00f118
# bad: [79a1d390f879563119bf2848b621bc7eed228c7d] Merge tag 'sound-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound
git bisect bad 79a1d390f879563119bf2848b621bc7eed228c7d
# bad: [cbc5dde0a461240046e8a41c43d7c3b76d5db952] fs/proc: fix softlockup in __read_vmcore (part 2)
git bisect bad cbc5dde0a461240046e8a41c43d7c3b76d5db952
# good: [4dff389c9f1dd787e8058930b3fbd3248a6238c5] Revert "mm: zswap: fix race between [de]compression and CPU hotunplug"
git bisect good 4dff389c9f1dd787e8058930b3fbd3248a6238c5
# bad: [a32bf5bb7933fde6f39747499f8ec232b5b5400f] selftests/mm: set allocated memory to non-zero content in cow test
git bisect bad a32bf5bb7933fde6f39747499f8ec232b5b5400f
# good: [4bcf29741145e73440323e3e9af8b1a6f4961183] module: fix writing of livepatch relocations in ROX text
git bisect good 4bcf29741145e73440323e3e9af8b1a6f4961183
# bad: [0cef0bb836e3cfe00f08f9606c72abd72fe78ca3] mm: clear uffd-wp PTE/PMD state on mremap()
git bisect bad 0cef0bb836e3cfe00f08f9606c72abd72fe78ca3
# first bad commit: [0cef0bb836e3cfe00f08f9606c72abd72fe78ca3] mm: clear uffd-wp PTE/PMD state on mremap()
--
Cheers,
Harry / Hyeonggon
* Re: [syzbot] [mm?] WARNING in move_page_tables
2025-08-13 5:08 ` syzbot
@ 2025-08-13 12:20 ` Harry Yoo
0 siblings, 0 replies; 15+ messages in thread
From: Harry Yoo @ 2025-08-13 12:20 UTC (permalink / raw)
To: syzbot
Cc: akpm, jannh, liam.howlett, linux-kernel, linux-mm,
lorenzo.stoakes, pfalcato, syzkaller-bugs, vbabka
On Tue, Aug 12, 2025 at 10:08:02PM -0700, syzbot wrote:
> Hello,
>
> syzbot has tested the proposed patch and the reproducer did not trigger any issue:
>
> Reported-by: syzbot+4d9a13f0797c46a29e42@syzkaller.appspotmail.com
> Tested-by: syzbot+4d9a13f0797c46a29e42@syzkaller.appspotmail.com
>
> Tested on:
>
> commit: 0db9b72d mm/userfaultfd: fix kmap_local LIFO ordering ..
> git tree: git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm.git mm-hotfixes-unstable
> console output: https://syzkaller.appspot.com/x/log.txt?x=128fb5a2580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=2323b2d6038203a5
> dashboard link: https://syzkaller.appspot.com/bug?extid=4d9a13f0797c46a29e42
> compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
>
> Note: no patches were applied.
> Note: testing is done by a robot and is best-effort only.
This looks spurious. I was able to reproduce it with the reproducer on
the same commit (the latest mm-hotfixes-unstable).
--
Cheers,
Harry / Hyeonggon
* Re: [syzbot] [mm?] WARNING in move_page_tables
2025-08-12 21:56 [syzbot] [mm?] WARNING in move_page_tables syzbot
` (3 preceding siblings ...)
2025-08-13 12:20 ` Harry Yoo
@ 2025-08-13 13:14 ` Hillf Danton
2025-08-13 13:23 ` syzbot
4 siblings, 1 reply; 15+ messages in thread
From: Hillf Danton @ 2025-08-13 13:14 UTC (permalink / raw)
To: syzbot; +Cc: linux-kernel, syzkaller-bugs
> Date: Tue, 12 Aug 2025 14:56:35 -0700 [thread overview]
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 53e760d89498 Merge tag 'nfsd-6.17-1' of git://git.kernel.o..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=165fe9a2580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=f9319a42cfb3bf57
> dashboard link: https://syzkaller.appspot.com/bug?extid=4d9a13f0797c46a29e42
> compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14172842580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15b04c34580000
#syz test
--- x/include/linux/sched.h
+++ y/include/linux/sched.h
@@ -2152,6 +2152,8 @@ static inline struct mutex *__get_task_b
static inline void __set_task_blocked_on(struct task_struct *p, struct mutex *m)
{
+ struct mutex *blocked_on = READ_ONCE(p->blocked_on);
+
WARN_ON_ONCE(!m);
/* The task should only be setting itself as blocked */
WARN_ON_ONCE(p != current);
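Review bot: this hunk, together with the rest of the sched.h and ww_mutex.h changes in this test patch, touches mutex blocked_on tracking, while the reported WARNING is in move_normal_pmd() with a call chain that is entirely mremap (copy_vma_and_data -> move_vma -> mremap_to -> do_mremap); nothing in the trace reaches __set_task_blocked_on(). If two unrelated hypotheses are being tested, send them as separate #syz test requests so a result can be attributed to one of them. On the hunk itself, the READ_ONCE() snapshot is taken before the `p != current` check, so it is also read for foreign tasks; harmless, but worth a comment since the value is only consumed further down in the same function.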
@@ -2162,8 +2164,8 @@ static inline void __set_task_blocked_on
* with a different mutex. Note, setting it to the same
* lock repeatedly is ok.
*/
- WARN_ON_ONCE(p->blocked_on && p->blocked_on != m);
- p->blocked_on = m;
+ WARN_ON_ONCE(blocked_on && blocked_on != m);
+ WRITE_ONCE(p->blocked_on, m);
}
static inline void set_task_blocked_on(struct task_struct *p, struct mutex *m)
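Review bot: replacing the plain reads and write with READ_ONCE()/WRITE_ONCE() only changes anything if p->blocked_on can be modified concurrently without mutex::wait_lock, and the retained comment in the next hunk states that blocked_on is serialized under that lock. If a lockless reader or writer is suspected, name it; otherwise this hunk silences a potential data-race report rather than fixing a logic error, and `WARN_ON_ONCE(blocked_on && blocked_on != m)` still has the same semantics as before.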
@@ -2174,16 +2176,19 @@ static inline void set_task_blocked_on(s
static inline void __clear_task_blocked_on(struct task_struct *p, struct mutex *m)
{
- WARN_ON_ONCE(!m);
- /* Currently we serialize blocked_on under the mutex::wait_lock */
- lockdep_assert_held_once(&m->wait_lock);
- /*
- * There may be cases where we re-clear already cleared
- * blocked_on relationships, but make sure we are not
- * clearing the relationship with a different lock.
- */
- WARN_ON_ONCE(m && p->blocked_on && p->blocked_on != m);
- p->blocked_on = NULL;
+ if (m) {
+ struct mutex *blocked_on = READ_ONCE(p->blocked_on);
+
+ /* Currently we serialize blocked_on under the mutex::wait_lock */
+ lockdep_assert_held_once(&m->wait_lock);
+ /*
+ * There may be cases where we re-clear already cleared
+ * blocked_on relationships, but make sure we are not
+ * clearing the relationship with a different lock.
+ */
+ WARN_ON_ONCE(blocked_on && blocked_on != m);
+ }
+ WRITE_ONCE(p->blocked_on, NULL);
}
static inline void clear_task_blocked_on(struct task_struct *p, struct mutex *m)
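Review bot: dropping `WARN_ON_ONCE(!m)` and making the lockdep assertion conditional on m means a NULL caller now clears p->blocked_on with no lock held or asserted, which contradicts the comment kept inside the `if (m)` block, "Currently we serialize blocked_on under the mutex::wait_lock". Either document the NULL contract (which callers may pass NULL and what protects the write) next to `WRITE_ONCE(p->blocked_on, NULL)`, or keep an assertion on whatever lock the NULL caller does hold. Note that the old `WARN_ON_ONCE(m && p->blocked_on && ...)` already tolerated m == NULL, so the only behavioural change here is the removed assertion.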
--- x/kernel/locking/ww_mutex.h
+++ y/kernel/locking/ww_mutex.h
@@ -342,8 +342,12 @@ static bool __ww_mutex_wound(struct MUTE
* When waking up the task to wound, be sure to clear the
* blocked_on pointer. Otherwise we can see circular
* blocked_on relationships that can't resolve.
+ *
+ * NOTE: We pass NULL here instead of lock, because we
+ * are waking the mutex owner, who may be currently
+ * blocked on a different mutex.
*/
- __clear_task_blocked_on(owner, lock);
+ __clear_task_blocked_on(owner, NULL);
wake_q_add(wake_q, owner);
}
return true;
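Review bot: passing NULL here drops the wait_lock assertion for the owner's own mutex. The wounding path holds lock->wait_lock, but the added NOTE says the owner "may be currently blocked on a different mutex", and that other mutex's wait_lock is not held, so clearing owner->blocked_on races with the waiters of that mutex. The NOTE should explain why that is safe, or the clear should be left to the owner when it wakes.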
--- x/mm/mremap.c
+++ y/mm/mremap.c
@@ -592,6 +592,7 @@ static bool move_pgt_entry(struct pageta
switch (entry) {
case NORMAL_PMD:
+ *new_entry = NULL;
moved = move_normal_pmd(pmc, old_entry, new_entry);
break;
case NORMAL_PUD:
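Review bot: `*new_entry = NULL` dereferences a `void *` (new_entry is the untyped pointer move_pgt_entry() hands to each level), which is the "invalid use of void expression" syzbot reported at mm/mremap.c:595. More importantly, unconditionally zeroing the destination PMD before move_normal_pmd() would throw away a PTE table that is legitimately present there (the recovery case David describes) instead of explaining why it is there, so it hides the WARN rather than fixing it; page-table entries are also cleared with pmd_clear() under the page-table lock, not with a raw store.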
--
* Re: [syzbot] [mm?] WARNING in move_page_tables
2025-08-13 13:14 ` Hillf Danton
@ 2025-08-13 13:23 ` syzbot
0 siblings, 0 replies; 15+ messages in thread
From: syzbot @ 2025-08-13 13:23 UTC (permalink / raw)
To: hdanton, linux-kernel, syzkaller-bugs
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
mm/mremap.c:595:28: error: invalid use of void expression
Tested on:
commit: 8742b2d8 Merge tag 'pull-fixes' of git://git.kernel.or..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=f9319a42cfb3bf57
dashboard link: https://syzkaller.appspot.com/bug?extid=4d9a13f0797c46a29e42
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=176d4da2580000
* Re: [syzbot] [mm?] WARNING in move_page_tables
2025-08-13 12:20 ` Harry Yoo
@ 2025-08-18 12:54 ` David Hildenbrand
2025-08-18 12:56 ` syzbot
0 siblings, 1 reply; 15+ messages in thread
From: David Hildenbrand @ 2025-08-18 12:54 UTC (permalink / raw)
To: Harry Yoo, syzbot, Peter Xu
Cc: Liam.Howlett, akpm, jannh, linux-kernel, linux-mm,
lorenzo.stoakes, pfalcato, syzkaller-bugs, vbabka, Ryan Roberts,
Mikołaj Lenczewski
On 13.08.25 14:20, Harry Yoo wrote:
> On Tue, Aug 12, 2025 at 02:56:35PM -0700, syzbot wrote:
>> Hello,
>>
>> syzbot found the following issue on:
>>
>> HEAD commit: 53e760d89498 Merge tag 'nfsd-6.17-1' of git://git.kernel.o..
>> git tree: upstream
>> console output: https://syzkaller.appspot.com/x/log.txt?x=165fe9a2580000
>> kernel config: https://syzkaller.appspot.com/x/.config?x=f9319a42cfb3bf57
>> dashboard link: https://syzkaller.appspot.com/bug?extid=4d9a13f0797c46a29e42
>> compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
>> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14172842580000
>> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15b04c34580000
>>
>> Downloadable assets:
>> disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-53e760d8.raw.xz
>> vmlinux: https://storage.googleapis.com/syzbot-assets/584b4139c7e3/vmlinux-53e760d8.xz
>> kernel image: https://storage.googleapis.com/syzbot-assets/4d2474607300/bzImage-53e760d8.xz
>>
>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
>> Reported-by: syzbot+4d9a13f0797c46a29e42@syzkaller.appspotmail.com
>
> [Cc'ing Ryan, Mikołaj, David and Peter]
>
> I was able to reliably reproduce this (with the reproducer provided
> by syzbot) and performed bisection.
>
> The first bad commit is 0cef0bb836e mm: clear uffd-wp PTE/PMD state on
> mremap(), which was introduced in v6.13.
>
Okay, so we're hitting the
if (WARN_ON_ONCE(!pmd_none(*new_pmd)))
return false;
in move_normal_pmd().
Given that the reproducer involves allocation fault injection during move_page_tables(),
I assume we run into this warning when we are trying to restore our previous state,
so when we call move_page_tables() the
second time from copy_vma_and_data().
Something when moving stuff back after a failed PTE table allocation is broken.
Ah, maybe I know what happens.
When we move the first time, we check "vma_has_uffd_without_event_remap(orig_vma)"
and see that "yes, this thing has uffd" and decide to move at the PTE level.
When we move back, we check "vma_has_uffd_without_event_remap(new_vma)" and see
that "no, this thing does not have uffd" and decide to move at the PMD level.
But the original PTE table is still there ...
As a side-note: It's confusing to call vma_has_uffd_without_event_remap() to make
a decision during mremap to handle WP, when WP might not even be active.
We should likely slap in a uffd-wp check on the VMA as a follow-up cleanup.
#syz test
diff --git a/mm/mremap.c b/mm/mremap.c
index 33b642076205d..a9730f4373b77 100644
--- a/mm/mremap.c
+++ b/mm/mremap.c
@@ -323,6 +323,26 @@ static inline bool arch_supports_page_table_move(void)
}
#endif
+static inline bool uffd_supports_page_table_move(struct pagetable_move_control *pmc)
+{
+ /*
+ * If we are moving VMAs that have uffd-wp registered but with
+ * remap events disabled (new VMA will not be registered with uffd), we
+ * need to ensure that the uffd-wp state is cleared from all pgtables.
+ * This means recursing into lower page tables in move_page_tables().
+ *
+ * We setup the uffd-wp context on the new VMA after moving the page
+ * tables succeeded, so checking the old VMA looks reasonable. However,
+ * when we have to recover from a failed page table move attempt, we
+ * get called with inverse VMAs. Recursing into lower page tables during
+ * the original move but not during the recovery move will cause
+ * trouble, because we run into already-existing page tables during
+ * the recovery phase. Consequently, check both VMAs.
+ */
+ return !vma_has_uffd_without_event_remap(pmc->old) &&
+ !vma_has_uffd_without_event_remap(pmc->new);
+}
+
#ifdef CONFIG_HAVE_MOVE_PMD
static bool move_normal_pmd(struct pagetable_move_control *pmc,
pmd_t *old_pmd, pmd_t *new_pmd)
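Review bot: syzbot failed to apply this hunk ("Hunk #1 FAILED at 323") on 6.17-rc2, so the diff was generated against a tree whose mm/mremap.c differs from upstream at the `arch_supports_page_table_move()` context; the follow-up test against the uffd-wp branch sidestepped that, but the final submission needs to be rebased onto the tree it targets. On content, the name uffd_supports_page_table_move() reads as "uffd supports the move" while the function returns "neither VMA forbids a table-level move"; a name such as uffd_allows_page_table_move() would be less ambiguous. The comment should also state that on the forward call pmc->new is the not-yet-registered new VMA, so the second check only changes behaviour on the recovery call, which is exactly the point.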
@@ -335,6 +355,8 @@ static bool move_normal_pmd(struct pagetable_move_control *pmc,
if (!arch_supports_page_table_move())
return false;
+ if (!uffd_supports_page_table_move(pmc))
+ return false;
/*
* The destination pmd shouldn't be established, free_pgtables()
* should have released it.
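Review bot: placing the uffd check ahead of `WARN_ON_ONCE(!pmd_none(*new_pmd))` is what actually fixes the report: the removed check sat after the WARN, so the recovery move warned before it could bail out to PTE level. A one-line comment at the call site saying that the check must precede the pmd_none() test would protect the ordering, since it is load-bearing and easy to undo in a later reshuffle.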
@@ -361,15 +383,6 @@ static bool move_normal_pmd(struct pagetable_move_control *pmc,
if (WARN_ON_ONCE(!pmd_none(*new_pmd)))
return false;
- /* If this pmd belongs to a uffd vma with remap events disabled, we need
- * to ensure that the uffd-wp state is cleared from all pgtables. This
- * means recursing into lower page tables in move_page_tables(), and we
- * can reuse the existing code if we simply treat the entry as "not
- * moved".
- */
- if (vma_has_uffd_without_event_remap(vma))
- return false;
-
/*
* We don't have to worry about the ordering of src and dst
* ptlocks because exclusive mmap_lock prevents deadlock.
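Review bot: with `vma_has_uffd_without_event_remap(vma)` gone, check that the local `vma` in move_normal_pmd() is still referenced further down; if it is not, W=1 builds will flag it as unused and the declaration should go too. The removed comment's explanation that returning false makes move_page_tables() fall back to PTE level now lives only in the new helper's comment, which is fine as long as that sentence survives there.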
@@ -418,6 +431,8 @@ static bool move_normal_pud(struct pagetable_move_control *pmc,
if (!arch_supports_page_table_move())
return false;
+ if (!uffd_supports_page_table_move(pmc))
+ return false;
/*
* The destination pud shouldn't be established, free_pgtables()
* should have released it.
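Review bot: same ordering argument as the PMD case: the `pud_none(*new_pud)` WARN below is reachable on the recovery call by the same asymmetry, so the uffd check has to sit before it, which this hunk does; a shared comment or a reference to the PMD-level comment would avoid duplicating the reasoning.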
@@ -425,15 +440,6 @@ static bool move_normal_pud(struct pagetable_move_control *pmc,
if (WARN_ON_ONCE(!pud_none(*new_pud)))
return false;
- /* If this pud belongs to a uffd vma with remap events disabled, we need
- * to ensure that the uffd-wp state is cleared from all pgtables. This
- * means recursing into lower page tables in move_page_tables(), and we
- * can reuse the existing code if we simply treat the entry as "not
- * moved".
- */
- if (vma_has_uffd_without_event_remap(vma))
- return false;
-
/*
* We don't have to worry about the ordering of src and dst
* ptlocks because exclusive mmap_lock prevents deadlock.
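Review bot: the PUD and PMD variants now carry identical prologues (arch check followed by uffd check); folding both into one condition, `if (!arch_supports_page_table_move() || !uffd_supports_page_table_move(pmc)) return false;`, or a small wrapper would keep the two from drifting apart. Since Harry bisected this to 0cef0bb836e3 ("mm: clear uffd-wp PTE/PMD state on mremap()") in v6.13, the final patch should carry a Fixes: tag for that commit, a Cc: stable, and syzbot's Reported-by/Tested-by tags.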
--
2.50.1
--
Cheers
David / dhildenb
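The forward/recovery asymmetry described in the message above, as an added illustration that is not code from this thread or from the kernel: a toy C model of move_page_tables() with a two-level table, an injected PTE-table allocation failure on the second PMD, and the two decision policies side by side (source VMA only, as before the patch; both VMAs, as uffd_supports_page_table_move() does). The function and field names mirror the kernel's for readability, but the data structures, the `uffd_no_remap` flag standing in for vma_has_uffd_without_event_remap(), the allocation budget and the initial mappings are all constructed for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define NPMD 4   /* toy "PMD table": four slots */
#define NPTE 8   /* entries per toy PTE table */

struct pte_table { unsigned long pte[NPTE]; };
struct mm { struct pte_table *pmd[NPMD]; };   /* NULL slot == pmd_none() */

struct vma {
	struct mm *mm;
	int first_pmd, npmd;    /* contiguous PMD slots this VMA covers */
	bool uffd_no_remap;     /* stands in for vma_has_uffd_without_event_remap() */
};

struct move_ctl {           /* stands in for struct pagetable_move_control */
	struct vma *old, *new;
	int pte_alloc_budget;   /* fault injection: PTE tables we may allocate, -1 = unlimited */
	bool warned;            /* set where WARN_ON_ONCE(!pmd_none(*new_pmd)) would fire */
};

typedef bool (*uffd_policy_t)(const struct move_ctl *);

/* Before the fix: only the source VMA decides (the check that sat in move_normal_pmd()). */
static bool policy_old_only(const struct move_ctl *pmc)
{
	return !pmc->old->uffd_no_remap;
}

/* After the fix: both VMAs decide, as uffd_supports_page_table_move() does in the patch. */
static bool policy_both(const struct move_ctl *pmc)
{
	return !pmc->old->uffd_no_remap && !pmc->new->uffd_no_remap;
}

static struct pte_table *pte_alloc(struct move_ctl *pmc)
{
	if (pmc->pte_alloc_budget == 0)
		return NULL;                  /* injected allocation failure */
	if (pmc->pte_alloc_budget > 0)
		pmc->pte_alloc_budget--;
	return calloc(1, sizeof(struct pte_table));
}

/* move_normal_pmd(): relocate a whole PTE table by re-pointing the PMD slot. */
static bool move_normal_pmd(struct move_ctl *pmc, struct pte_table **old_pmd,
			    struct pte_table **new_pmd, uffd_policy_t policy)
{
	if (!policy(pmc))
		return false;                 /* "not moved": caller falls back to PTE level */
	if (*new_pmd) {                       /* WARN_ON_ONCE(!pmd_none(*new_pmd)) */
		pmc->warned = true;
		return false;
	}
	*new_pmd = *old_pmd;
	*old_pmd = NULL;
	return true;
}

/* move_ptes(): copy entries into the destination PTE table, allocating it if needed.
 * The source table is emptied but stays attached to its PMD slot; that leftover is
 * what the recovery move trips over. */
static bool move_ptes(struct move_ctl *pmc, struct pte_table **old_pmd, struct pte_table **new_pmd)
{
	if (!*old_pmd)
		return true;
	if (!*new_pmd && !(*new_pmd = pte_alloc(pmc)))
		return false;
	for (int i = 0; i < NPTE; i++) {
		(*new_pmd)->pte[i] = (*old_pmd)->pte[i];
		(*old_pmd)->pte[i] = 0;
	}
	return true;
}

/* move_page_tables(): number of PMD ranges moved before the first failure. */
static int move_page_tables(struct move_ctl *pmc, int npmd, uffd_policy_t policy)
{
	int moved = 0;
	for (int i = 0; i < npmd; i++) {
		struct pte_table **o = &pmc->old->mm->pmd[pmc->old->first_pmd + i];
		struct pte_table **n = &pmc->new->mm->pmd[pmc->new->first_pmd + i];
		if (!move_normal_pmd(pmc, o, n, policy) && !move_ptes(pmc, o, n))
			break;
		moved++;
	}
	return moved;
}

/* copy_vma_and_data(): forward move with one PTE-table allocation allowed, then the
 * inverse move on failure. Returns whether the WARN fired; *restored says whether the
 * original mappings came back intact. */
static bool run_scenario(uffd_policy_t policy, bool *restored)
{
	struct mm mm = { { NULL } };
	struct vma orig = { &mm, 0, 2, true };   /* uffd-wp registered, no EVENT_REMAP */
	struct vma new  = { &mm, 2, 2, false };  /* fresh VMA, not yet registered */

	for (int p = 0; p < 2; p++) {           /* constructed initial mappings */
		mm.pmd[p] = calloc(1, sizeof(struct pte_table));
		for (int i = 0; i < NPTE; i++)
			mm.pmd[p]->pte[i] = 0x1000UL * (p * NPTE + i + 1);
	}
	struct move_ctl fwd = { &orig, &new, 1, false };
	int moved = move_page_tables(&fwd, orig.npmd, policy);
	bool warned = fwd.warned;
	if (moved < orig.npmd) {                 /* undo: same function, VMAs swapped */
		struct move_ctl back = { &new, &orig, -1, false };
		move_page_tables(&back, moved, policy);
		warned |= back.warned;
	}
	*restored = true;
	for (int p = 0; p < 2; p++)
		for (int i = 0; i < NPTE; i++)
			if (!mm.pmd[p] || mm.pmd[p]->pte[i] != 0x1000UL * (p * NPTE + i + 1))
				*restored = false;
	for (int p = 0; p < NPMD; p++)
		free(mm.pmd[p]);
	return warned;
}

int main(void)
{
	bool restored, warned;
	warned = run_scenario(policy_old_only, &restored);
	printf("source-VMA-only check: warned=%d restored=%d\n", warned, restored);
	warned = run_scenario(policy_both, &restored);
	printf("both-VMA check:        warned=%d restored=%d\n", warned, restored);
	return 0;
}
```

With the source-only policy the forward move goes PTE level (orig is uffd-registered), the first PMD's entries land in a freshly allocated table, the second PMD's allocation fails, and the recovery call, now seeing the unregistered VMA as its source, tries a PMD-level move into a slot that still holds the emptied original PTE table, which is the WARN in the report. The both-VMA policy keeps the recovery at PTE level and the mappings are restored without a warning in both cases; the model only differs from the kernel in that the data always comes back, because the fallback to move_ptes() after the WARN is preserved here as well.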
* Re: [syzbot] [mm?] WARNING in move_page_tables
2025-08-18 12:54 ` David Hildenbrand
@ 2025-08-18 12:56 ` syzbot
2025-08-18 13:01 ` David Hildenbrand
0 siblings, 1 reply; 15+ messages in thread
From: syzbot @ 2025-08-18 12:56 UTC (permalink / raw)
To: akpm, david, harry.yoo, jannh, liam.howlett, linux-kernel,
linux-mm, lorenzo.stoakes, miko.lenczewski, peterx, pfalcato,
ryan.roberts, syzkaller-bugs, vbabka
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
failed to apply patch:
checking file mm/mremap.c
Hunk #1 FAILED at 323.
1 out of 5 hunks FAILED
Tested on:
commit: c17b750b Linux 6.17-rc2
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=f9319a42cfb3bf57
dashboard link: https://syzkaller.appspot.com/bug?extid=4d9a13f0797c46a29e42
compiler:
patch: https://syzkaller.appspot.com/x/patch.diff?x=107dbba2580000
* Re: [syzbot] [mm?] WARNING in move_page_tables
2025-08-18 12:56 ` syzbot
@ 2025-08-18 13:01 ` David Hildenbrand
2025-08-18 13:22 ` syzbot
0 siblings, 1 reply; 15+ messages in thread
From: David Hildenbrand @ 2025-08-18 13:01 UTC (permalink / raw)
To: syzbot, akpm, harry.yoo, jannh, liam.howlett, linux-kernel,
linux-mm, lorenzo.stoakes, miko.lenczewski, peterx, pfalcato,
ryan.roberts, syzkaller-bugs, vbabka
On 18.08.25 14:56, syzbot wrote:
> Hello,
>
> syzbot tried to test the proposed patch but the build/boot failed:
>
> failed to apply patch:
> checking file mm/mremap.c
> Hunk #1 FAILED at 323.
> 1 out of 5 hunks FAILED
>
#syz test https://github.com/davidhildenbrand/linux.git uffd-wp
--
Cheers
David / dhildenb
* Re: [syzbot] [mm?] WARNING in move_page_tables
2025-08-18 13:01 ` David Hildenbrand
@ 2025-08-18 13:22 ` syzbot
0 siblings, 0 replies; 15+ messages in thread
From: syzbot @ 2025-08-18 13:22 UTC (permalink / raw)
To: akpm, david, harry.yoo, jannh, liam.howlett, linux-kernel,
linux-mm, lorenzo.stoakes, miko.lenczewski, peterx, pfalcato,
ryan.roberts, syzkaller-bugs, vbabka
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+4d9a13f0797c46a29e42@syzkaller.appspotmail.com
Tested-by: syzbot+4d9a13f0797c46a29e42@syzkaller.appspotmail.com
Tested on:
commit: eaa49d2c tmp
git tree: https://github.com/davidhildenbrand/linux.git uffd-wp
console output: https://syzkaller.appspot.com/x/log.txt?x=151c5234580000
kernel config: https://syzkaller.appspot.com/x/.config?x=247d4d29e685f61c
dashboard link: https://syzkaller.appspot.com/bug?extid=4d9a13f0797c46a29e42
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
Note: no patches were applied.
Note: testing is done by a robot and is best-effort only.
end of thread, other threads:[~2025-08-18 13:22 UTC | newest]
Thread overview: 15+ messages
2025-08-12 21:56 [syzbot] [mm?] WARNING in move_page_tables syzbot
2025-08-13 1:26 ` Hillf Danton
2025-08-13 1:49 ` syzbot
2025-08-13 2:19 ` Hillf Danton
2025-08-13 2:39 ` syzbot
2025-08-13 4:47 ` Lorenzo Stoakes
2025-08-13 5:08 ` syzbot
2025-08-13 12:20 ` Harry Yoo
2025-08-13 12:20 ` Harry Yoo
2025-08-18 12:54 ` David Hildenbrand
2025-08-18 12:56 ` syzbot
2025-08-18 13:01 ` David Hildenbrand
2025-08-18 13:22 ` syzbot
2025-08-13 13:14 ` Hillf Danton
2025-08-13 13:23 ` syzbot