Date: Tue, 23 Dec 2025 09:24:05 +0100
Subject: Re: [syzbot] [mm?] WARNING in folio_remove_rmap_ptes
To: syzbot, Liam.Howlett@oracle.com, akpm@linux-foundation.org, harry.yoo@oracle.com, jannh@google.com, linux-kernel@vger.kernel.org, linux-mm@kvack.org, lorenzo.stoakes@oracle.com, riel@surriel.com, syzkaller-bugs@googlegroups.com, vbabka@suse.cz
References: <694a2745.050a0220.19928e.0017.GAE@google.com>
From: "David Hildenbrand (Red Hat)"
Cc: Jann Horn
In-Reply-To: <694a2745.050a0220.19928e.0017.GAE@google.com>

On 12/23/25 06:23, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 9094662f6707 Merge tag 'ata-6.19-rc2' of git://git.kernel...
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=1411f77c580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=a11e0f726bfb6765
> dashboard link: https://syzkaller.appspot.com/bug?extid=b165fc2e11771c66d8ba
> compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11998b1a580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=128cdb1a580000
>
> Downloadable assets:
> disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-9094662f.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/5bec9d32a91c/vmlinux-9094662f.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/3df82e1a3cec/bzImage-9094662f.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+b165fc2e11771c66d8ba@syzkaller.appspotmail.com
>
> handle_mm_fault+0x3fe/0xad0 mm/memory.c:6580
> do_user_addr_fault+0x60c/0x1370 arch/x86/mm/fault.c:1336
> handle_page_fault arch/x86/mm/fault.c:1476 [inline]
> exc_page_fault+0x64/0xc0 arch/x86/mm/fault.c:1532
> asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:618
> ------------[ cut here ]------------
> WARNING: ./include/linux/rmap.h:462 at __folio_rmap_sanity_checks include/linux/rmap.h:462 [inline], CPU#1: syz.0.18/6090

IIUC, that's the

	if (folio_test_anon(folio) && !folio_test_ksm(folio)) {
		...
		VM_WARN_ON_FOLIO(atomic_read(&anon_vma->refcount) == 0, folio);
	}

Seems to indicate that the anon_vma is no longer alive :/

Fortunately we have a reproducer.

CCing Jann who added that check "recently".

-- 
Cheers

David