syzbot


KASAN: slab-use-after-free Read in filemap_map_pages

Status: upstream: reported C repro on 2025/01/01 04:06
Subsystems: mm
Reported-by: syzbot+14d047423f40dc1dac89@syzkaller.appspotmail.com
First crash: 298d, last: 21d
Cause bisection: the cause commit could be any of (bisect log):
  568570fdf2b9 Merge tag 'xfs-6.12-fixes-4' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux
  6aca91c416f6 cifs: Remove unused functions
  b04ae0f45168 Merge tag 'v6.12-rc3-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6
  
Discussions (1)
Title Replies (including bot) Last reply
[syzbot] [mm?] [xfs?] KASAN: slab-use-after-free Read in filemap_map_pages 1 (3) 2025/01/01 07:20
Last patch testing requests (11)
Created Duration User Patch Repo Result
2025/09/15 14:31 19m retest repro git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci report log
2025/09/15 14:31 16m retest repro upstream report log
2025/06/13 11:40 23m retest repro linux-next OK log
2025/06/13 10:02 23m retest repro linux-next OK log
2025/06/13 10:02 39m retest repro linux-next OK log
2025/06/13 10:02 25m retest repro linux-next OK log
2025/06/13 10:02 23m retest repro linux-next OK log
2025/03/22 15:47 9m retest repro linux-next error
2025/03/22 15:47 12m retest repro linux-next error
2025/03/22 15:47 13m retest repro linux-next error
2025/01/01 06:50 29m hdanton@sina.com patch linux-next OK log

Sample crash report:
EXT4-fs error (device loop0): ext4_map_blocks:778: inode #15: block 3: comm syz.0.190: lblock 3 mapped to illegal pblock 3 (length 3)
EXT4-fs error (device loop0): ext4_map_blocks:778: inode #15: block 3: comm syz.0.190: lblock 3 mapped to illegal pblock 3 (length 3)
==================================================================
BUG: KASAN: use-after-free in __ptep_get arch/arm64/include/asm/pgtable.h:414 [inline]
BUG: KASAN: use-after-free in ptep_get arch/arm64/include/asm/pgtable.h:1749 [inline]
BUG: KASAN: use-after-free in filemap_map_folio_range mm/filemap.c:3666 [inline]
BUG: KASAN: use-after-free in filemap_map_pages+0xa94/0x155c mm/filemap.c:3783
Read of size 8 at addr ffff0000e34c6000 by task syz.0.190/7608

CPU: 0 UID: 0 PID: 7608 Comm: syz.0.190 Not tainted 6.17.0-rc1-syzkaller-g8f5ae30d69d7 #0 PREEMPT 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/30/2025
Call trace:
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:499 (C)
 __dump_stack+0x30/0x40 lib/dump_stack.c:94
 dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120
 print_address_description+0xa8/0x238 mm/kasan/report.c:378
 print_report+0x68/0x84 mm/kasan/report.c:482
 kasan_report+0xb0/0x110 mm/kasan/report.c:595
 __asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381
 __ptep_get arch/arm64/include/asm/pgtable.h:414 [inline]
 ptep_get arch/arm64/include/asm/pgtable.h:1749 [inline]
 filemap_map_folio_range mm/filemap.c:3666 [inline]
 filemap_map_pages+0xa94/0x155c mm/filemap.c:3783
 do_fault_around mm/memory.c:5531 [inline]
 do_read_fault mm/memory.c:5564 [inline]
 do_fault mm/memory.c:5707 [inline]
 do_pte_missing mm/memory.c:4234 [inline]
 handle_pte_fault mm/memory.c:6052 [inline]
 __handle_mm_fault mm/memory.c:6195 [inline]
 handle_mm_fault+0x2b64/0x4d34 mm/memory.c:6364
 faultin_page mm/gup.c:1144 [inline]
 __get_user_pages+0x1f40/0x2da0 mm/gup.c:1446
 populate_vma_page_range+0x258/0x348 mm/gup.c:1880
 __mm_populate+0x208/0x330 mm/gup.c:1983
 mm_populate include/linux/mm.h:3367 [inline]
 vm_mmap_pgoff+0x398/0x45c mm/util.c:585
 ksys_mmap_pgoff+0x394/0x5b8 mm/mmap.c:604
 __do_sys_mmap arch/arm64/kernel/sys.c:28 [inline]
 __se_sys_mmap arch/arm64/kernel/sys.c:21 [inline]
 __arm64_sys_mmap+0xf8/0x110 arch/arm64/kernel/sys.c:21
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x58/0x180 arch/arm64/kernel/entry-common.c:879
 el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:898
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff0000e34c6f50 pfn:0x1234c6
flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff)
page_type: f0(buddy)
raw: 05ffc00000000000 fffffdffc38d3308 fffffdffc38bdb08 0000000000000000
raw: ffff0000e34c6f50 0000000000000001 00000000f0000000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000e34c5f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff0000e34c5f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff0000e34c6000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff0000e34c6080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff0000e34c6100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
page: refcount:18 mapcount:1 mapping:000000000289cd7d index:0x8 pfn:0x12b280
head: order:3 mapcount:8 entire_mapcount:0 nr_pages_mapped:8 pincount:0
memcg:ffff0000c19c0c80
aops:ext4_da_aops ino:f dentry name(?):"file1"
flags: 0x5ffc00000005079(locked|uptodate|dirty|lru|arch_1|private|head|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000005079 fffffdffc3b7f648 fffffdffc3aae508 ffff0000e38c8e48
raw: 0000000000000008 ffff0000eda65910 0000001200000000 ffff0000c19c0c80
head: 05ffc00000005079 fffffdffc3b7f648 fffffdffc3aae508 ffff0000e38c8e48
head: 0000000000000008 ffff0000eda65910 0000001200000000 ffff0000c19c0c80
head: 05ffc00000000203 fffffdffc3aca001 0000000800000007 00000000ffffffff
head: ffffffff00000007 000000000000001e 0000000000000000 0000000000000008
page dumped because: VM_WARN_ON_FOLIO((_Generic((page), const struct page *: (const struct folio *)_compound_head(page), struct page *: (struct folio *)_compound_head(page))) != folio)
------------[ cut here ]------------
WARNING: CPU: 0 PID: 7608 at ./include/linux/rmap.h:426 __folio_rmap_sanity_checks+0x2c0/0x430 include/linux/rmap.h:426
Modules linked in:
CPU: 0 UID: 0 PID: 7608 Comm: syz.0.190 Tainted: G    B               6.17.0-rc1-syzkaller-g8f5ae30d69d7 #0 PREEMPT 
Tainted: [B]=BAD_PAGE
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/30/2025
pstate: 63400005 (nZCv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
pc : __folio_rmap_sanity_checks+0x2c0/0x430 include/linux/rmap.h:426
lr : __folio_rmap_sanity_checks+0x2c0/0x430 include/linux/rmap.h:426
sp : ffff8000a3d272c0
x29: ffff8000a3d272c0 x28: 00000000000001f0 x27: 0000000020010000
x26: 002400012b288bc3 x25: dfff800000000000 x24: 000000000020ac5d
x23: fffffdffc3ae1808 x22: fffffdffc3aca200 x21: 0000000000000000
x20: 00000000000001f0 x19: fffffdffc3aca000 x18: 1fffe0003379be88
x17: 3030303030303020 x16: ffff80008b007230 x15: 0000000000000001
x14: 1ffff000147a4d84 x13: 0000000000000000 x12: 0000000000000000
x11: 0000000000000000 x10: 0000000000ff0100 x9 : 7169884741f77900
x8 : 7169884741f77900 x7 : 0000000000000001 x6 : ffff800080563af4
x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff8000807de560
x2 : 0000000000000002 x1 : 0000000100000001 x0 : 00000000000000b8
Call trace:
 __folio_rmap_sanity_checks+0x2c0/0x430 include/linux/rmap.h:426 (P)
 __folio_add_rmap mm/rmap.c:1252 [inline]
 __folio_add_file_rmap mm/rmap.c:1620 [inline]
 folio_add_file_rmap_ptes+0x84/0x8e8 mm/rmap.c:1642
 set_pte_range+0x2e4/0x49c mm/memory.c:5311
 filemap_map_folio_range mm/filemap.c:3673 [inline]
 filemap_map_pages+0xb54/0x155c mm/filemap.c:3783
 do_fault_around mm/memory.c:5531 [inline]
 do_read_fault mm/memory.c:5564 [inline]
 do_fault mm/memory.c:5707 [inline]
 do_pte_missing mm/memory.c:4234 [inline]
 handle_pte_fault mm/memory.c:6052 [inline]
 __handle_mm_fault mm/memory.c:6195 [inline]
 handle_mm_fault+0x2b64/0x4d34 mm/memory.c:6364
 faultin_page mm/gup.c:1144 [inline]
 __get_user_pages+0x1f40/0x2da0 mm/gup.c:1446
 populate_vma_page_range+0x258/0x348 mm/gup.c:1880
 __mm_populate+0x208/0x330 mm/gup.c:1983
 mm_populate include/linux/mm.h:3367 [inline]
 vm_mmap_pgoff+0x398/0x45c mm/util.c:585
 ksys_mmap_pgoff+0x394/0x5b8 mm/mmap.c:604
 __do_sys_mmap arch/arm64/kernel/sys.c:28 [inline]
 __se_sys_mmap arch/arm64/kernel/sys.c:21 [inline]
 __arm64_sys_mmap+0xf8/0x110 arch/arm64/kernel/sys.c:21
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x58/0x180 arch/arm64/kernel/entry-common.c:879
 el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:898
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596
irq event stamp: 7233
hardirqs last  enabled at (7233): [<ffff80008b00487c>] __exit_to_kernel_mode arch/arm64/kernel/entry-common.c:86 [inline]
hardirqs last  enabled at (7233): [<ffff80008b00487c>] exit_to_kernel_mode+0xc0/0xf0 arch/arm64/kernel/entry-common.c:96
hardirqs last disabled at (7232): [<ffff80008b001cbc>] __el1_irq arch/arm64/kernel/entry-common.c:650 [inline]
hardirqs last disabled at (7232): [<ffff80008b001cbc>] el1_interrupt+0x24/0x54 arch/arm64/kernel/entry-common.c:668
softirqs last  enabled at (5898): [<ffff8000803d88a0>] softirq_handle_end kernel/softirq.c:425 [inline]
softirqs last  enabled at (5898): [<ffff8000803d88a0>] handle_softirqs+0xaf8/0xc88 kernel/softirq.c:607
softirqs last disabled at (5721): [<ffff800080022028>] __do_softirq+0x14/0x20 kernel/softirq.c:613
---[ end trace 0000000000000000 ]---
page: refcount:18 mapcount:1 mapping:000000000289cd7d index:0x8 pfn:0x12b280
head: order:3 mapcount:8 entire_mapcount:0 nr_pages_mapped:8 pincount:0
memcg:ffff0000c19c0c80
aops:ext4_da_aops ino:f dentry name(?):"file1"
flags: 0x5ffc00000005079(locked|uptodate|dirty|lru|arch_1|private|head|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000005079 fffffdffc3b7f648 fffffdffc3aae508 ffff0000e38c8e48
raw: 0000000000000008 ffff0000eda65910 0000001200000000 ffff0000c19c0c80
head: 05ffc00000005079 fffffdffc3b7f648 fffffdffc3aae508 ffff0000e38c8e48
head: 0000000000000008 ffff0000eda65910 0000001200000000 ffff0000c19c0c80
head: 05ffc00000000203 fffffdffc3aca001 0000000800000007 00000000ffffffff
head: ffffffff00000007 000000000000001e 0000000000000000 0000000000000008
page dumped because: VM_WARN_ON_FOLIO((_Generic((page + nr_pages - 1), const struct page *: (const struct folio *)_compound_head(page + nr_pages - 1), struct page *: (struct folio *)_compound_head(page + nr_pages - 1))) != folio)
------------[ cut here ]------------
WARNING: CPU: 0 PID: 7608 at ./include/linux/rmap.h:427 __folio_rmap_sanity_checks+0x2ec/0x430 include/linux/rmap.h:427
Modules linked in:
CPU: 0 UID: 0 PID: 7608 Comm: syz.0.190 Tainted: G    B   W           6.17.0-rc1-syzkaller-g8f5ae30d69d7 #0 PREEMPT 
Tainted: [B]=BAD_PAGE, [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/30/2025
pstate: 63400005 (nZCv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
pc : __folio_rmap_sanity_checks+0x2ec/0x430 include/linux/rmap.h:427
lr : __folio_rmap_sanity_checks+0x2ec/0x430 include/linux/rmap.h:427
sp : ffff8000a3d272c0
x29: ffff8000a3d272c0 x28: 00000000000001f0 x27: 0000000020010000
x26: 002400012b288bc3 x25: dfff800000000000 x24: 000000000020ac5d
x23: fffffdffc3ad1e00 x22: dead000000000100 x21: 0000000000000000
x20: 00000000000001f0 x19: fffffdffc3aca000 x18: 1fffe0003379be88
x17: 3030303030303020 x16: ffff80008b007230 x15: 0000000000000001
x14: 1ffff000147a4d84 x13: 0000000000000000 x12: 0000000000000000
x11: 0000000000000000 x10: 0000000000ff0100 x9 : 7169884741f77900
x8 : 7169884741f77900 x7 : 0000000000000001 x6 : ffff800080563af4
x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff8000807de560
x2 : 0000000000000002 x1 : 0000000000000001 x0 : 00000000000000e5
Call trace:
 __folio_rmap_sanity_checks+0x2ec/0x430 include/linux/rmap.h:427 (P)
 __folio_add_rmap mm/rmap.c:1252 [inline]
 __folio_add_file_rmap mm/rmap.c:1620 [inline]
 folio_add_file_rmap_ptes+0x84/0x8e8 mm/rmap.c:1642
 set_pte_range+0x2e4/0x49c mm/memory.c:5311
 filemap_map_folio_range mm/filemap.c:3673 [inline]
 filemap_map_pages+0xb54/0x155c mm/filemap.c:3783
 do_fault_around mm/memory.c:5531 [inline]
 do_read_fault mm/memory.c:5564 [inline]
 do_fault mm/memory.c:5707 [inline]
 do_pte_missing mm/memory.c:4234 [inline]
 handle_pte_fault mm/memory.c:6052 [inline]
 __handle_mm_fault mm/memory.c:6195 [inline]
 handle_mm_fault+0x2b64/0x4d34 mm/memory.c:6364
 faultin_page mm/gup.c:1144 [inline]
 __get_user_pages+0x1f40/0x2da0 mm/gup.c:1446
 populate_vma_page_range+0x258/0x348 mm/gup.c:1880
 __mm_populate+0x208/0x330 mm/gup.c:1983
 mm_populate include/linux/mm.h:3367 [inline]
 vm_mmap_pgoff+0x398/0x45c mm/util.c:585
 ksys_mmap_pgoff+0x394/0x5b8 mm/mmap.c:604
 __do_sys_mmap arch/arm64/kernel/sys.c:28 [inline]
 __se_sys_mmap arch/arm64/kernel/sys.c:21 [inline]
 __arm64_sys_mmap+0xf8/0x110 arch/arm64/kernel/sys.c:21
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x58/0x180 arch/arm64/kernel/entry-common.c:879
 el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:898
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596
irq event stamp: 7233
hardirqs last  enabled at (7233): [<ffff80008b00487c>] __exit_to_kernel_mode arch/arm64/kernel/entry-common.c:86 [inline]
hardirqs last  enabled at (7233): [<ffff80008b00487c>] exit_to_kernel_mode+0xc0/0xf0 arch/arm64/kernel/entry-common.c:96
hardirqs last disabled at (7232): [<ffff80008b001cbc>] __el1_irq arch/arm64/kernel/entry-common.c:650 [inline]
hardirqs last disabled at (7232): [<ffff80008b001cbc>] el1_interrupt+0x24/0x54 arch/arm64/kernel/entry-common.c:668
softirqs last  enabled at (5898): [<ffff8000803d88a0>] softirq_handle_end kernel/softirq.c:425 [inline]
softirqs last  enabled at (5898): [<ffff8000803d88a0>] handle_softirqs+0xaf8/0xc88 kernel/softirq.c:607
softirqs last disabled at (5721): [<ffff800080022028>] __do_softirq+0x14/0x20 kernel/softirq.c:613
---[ end trace 0000000000000000 ]---
------------[ cut here ]------------
WARNING: CPU: 0 PID: 7608 at ./include/linux/rmap.h:214 __folio_large_mapcount_sanity_checks+0x3d4/0x5dc include/linux/rmap.h:214
Modules linked in:
CPU: 0 UID: 0 PID: 7608 Comm: syz.0.190 Tainted: G    B   W           6.17.0-rc1-syzkaller-g8f5ae30d69d7 #0 PREEMPT 
Tainted: [B]=BAD_PAGE, [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/30/2025
pstate: 83400005 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
pc : __folio_large_mapcount_sanity_checks+0x3d4/0x5dc include/linux/rmap.h:214
lr : __folio_large_mapcount_sanity_checks+0x3d4/0x5dc include/linux/rmap.h:214
sp : ffff8000a3d272b0
x29: ffff8000a3d272b0 x28: 00000000000001f0 x27: 1fffffbff875940f
x26: 1fffffbff8759400 x25: 1fffffbff8759401 x24: dfff800000000000
x23: 00000000000001f0 x22: fffffdffc3aca078 x21: 0000000000000008
x20: fffffdffc3aca008 x19: fffffdffc3aca000 x18: 1fffe0003379be88
x17: 3030303030303020 x16: ffff80008b007230 x15: 0000000000000001
x14: 1fffffbff875940d x13: 0000000000000000 x12: 0000000000000000
x11: ffff7fbff875940e x10: 0000000000ff0100 x9 : 0000000000000000
x8 : ffff0000cedf1e80 x7 : 0000000000000001 x6 : ffff800080563af4
x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff800080b65b10
x2 : 000000000000001e x1 : 00000000000001f0 x0 : 0000000000000008
Call trace:
 __folio_large_mapcount_sanity_checks+0x3d4/0x5dc include/linux/rmap.h:214 (P)
 folio_add_return_large_mapcount include/linux/rmap.h:250 [inline]
 __folio_add_rmap mm/rmap.c:1279 [inline]
 __folio_add_file_rmap mm/rmap.c:1620 [inline]
 folio_add_file_rmap_ptes+0x344/0x8e8 mm/rmap.c:1642
 set_pte_range+0x2e4/0x49c mm/memory.c:5311
 filemap_map_folio_range mm/filemap.c:3673 [inline]
 filemap_map_pages+0xb54/0x155c mm/filemap.c:3783
 do_fault_around mm/memory.c:5531 [inline]
 do_read_fault mm/memory.c:5564 [inline]
 do_fault mm/memory.c:5707 [inline]
 do_pte_missing mm/memory.c:4234 [inline]
 handle_pte_fault mm/memory.c:6052 [inline]
 __handle_mm_fault mm/memory.c:6195 [inline]
 handle_mm_fault+0x2b64/0x4d34 mm/memory.c:6364
 faultin_page mm/gup.c:1144 [inline]
 __get_user_pages+0x1f40/0x2da0 mm/gup.c:1446
 populate_vma_page_range+0x258/0x348 mm/gup.c:1880
 __mm_populate+0x208/0x330 mm/gup.c:1983
 mm_populate include/linux/mm.h:3367 [inline]
 vm_mmap_pgoff+0x398/0x45c mm/util.c:585
 ksys_mmap_pgoff+0x394/0x5b8 mm/mmap.c:604
 __do_sys_mmap arch/arm64/kernel/sys.c:28 [inline]
 __se_sys_mmap arch/arm64/kernel/sys.c:21 [inline]
 __arm64_sys_mmap+0xf8/0x110 arch/arm64/kernel/sys.c:21
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x58/0x180 arch/arm64/kernel/entry-common.c:879
 el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:898
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596
irq event stamp: 7233
hardirqs last  enabled at (7233): [<ffff80008b00487c>] __exit_to_kernel_mode arch/arm64/kernel/entry-common.c:86 [inline]
hardirqs last  enabled at (7233): [<ffff80008b00487c>] exit_to_kernel_mode+0xc0/0xf0 arch/arm64/kernel/entry-common.c:96
hardirqs last disabled at (7232): [<ffff80008b001cbc>] __el1_irq arch/arm64/kernel/entry-common.c:650 [inline]
hardirqs last disabled at (7232): [<ffff80008b001cbc>] el1_interrupt+0x24/0x54 arch/arm64/kernel/entry-common.c:668
softirqs last  enabled at (5898): [<ffff8000803d88a0>] softirq_handle_end kernel/softirq.c:425 [inline]
softirqs last  enabled at (5898): [<ffff8000803d88a0>] handle_softirqs+0xaf8/0xc88 kernel/softirq.c:607
softirqs last disabled at (5721): [<ffff800080022028>] __do_softirq+0x14/0x20 kernel/softirq.c:613
---[ end trace 0000000000000000 ]---
------------[ cut here ]------------
kernel BUG at mm/page_table_check.c:120!
Internal error: Oops - BUG: 00000000f2000800 [#1]  SMP
Modules linked in:
CPU: 0 UID: 0 PID: 7608 Comm: syz.0.190 Tainted: G    B   W           6.17.0-rc1-syzkaller-g8f5ae30d69d7 #0 PREEMPT 
Tainted: [B]=BAD_PAGE, [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/30/2025
pstate: 83400005 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
pc : page_table_check_set+0x56c/0x590 mm/page_table_check.c:120
lr : page_table_check_set+0x56c/0x590 mm/page_table_check.c:120
sp : ffff8000a3d271c0
x29: ffff8000a3d271d0 x28: ffff80008fae0000 x27: 0000000000000001
x26: ffff0000c0799900 x25: 0000000000000009 x24: 0000000000000001
x23: ffff0000c0799900 x22: 000000000012b318 x21: 0000000000000000
x20: 0000000000000010 x19: 1ffff00012eb65b0 x18: 1fffe0003379be88
x17: 3030303030303020 x16: ffff80008b0062e4 x15: 0000000000000001
x14: 1fffe000180f3320 x13: 0000000000000000 x12: 0000000000000000
x11: ffff6000180f3321 x10: 0000000000ff0100 x9 : 0000000000000000
x8 : ffff0000cedf1e80 x7 : 0000000000000001 x6 : ffff800080d16554
x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff800080d15a98
x2 : 0000000000000000 x1 : 0000000000000001 x0 : 0000000000000000
Call trace:
 page_table_check_set+0x56c/0x590 mm/page_table_check.c:120 (P)
 __page_table_check_ptes_set+0x2a8/0x2e0 mm/page_table_check.c:209
 page_table_check_ptes_set include/linux/page_table_check.h:76 [inline]
 __set_ptes_anysz arch/arm64/include/asm/pgtable.h:709 [inline]
 __set_ptes+0x4a0/0x504 arch/arm64/include/asm/pgtable.h:741
 contpte_set_ptes+0x120/0x188 arch/arm64/mm/contpte.c:464
 set_ptes arch/arm64/include/asm/pgtable.h:1794 [inline]
 set_pte_range+0x3ec/0x49c mm/memory.c:5313
 filemap_map_folio_range mm/filemap.c:3673 [inline]
 filemap_map_pages+0xb54/0x155c mm/filemap.c:3783
 do_fault_around mm/memory.c:5531 [inline]
 do_read_fault mm/memory.c:5564 [inline]
 do_fault mm/memory.c:5707 [inline]
 do_pte_missing mm/memory.c:4234 [inline]
 handle_pte_fault mm/memory.c:6052 [inline]
 __handle_mm_fault mm/memory.c:6195 [inline]
 handle_mm_fault+0x2b64/0x4d34 mm/memory.c:6364
 faultin_page mm/gup.c:1144 [inline]
 __get_user_pages+0x1f40/0x2da0 mm/gup.c:1446
 populate_vma_page_range+0x258/0x348 mm/gup.c:1880
 __mm_populate+0x208/0x330 mm/gup.c:1983
 mm_populate include/linux/mm.h:3367 [inline]
 vm_mmap_pgoff+0x398/0x45c mm/util.c:585
 ksys_mmap_pgoff+0x394/0x5b8 mm/mmap.c:604
 __do_sys_mmap arch/arm64/kernel/sys.c:28 [inline]
 __se_sys_mmap arch/arm64/kernel/sys.c:21 [inline]
 __arm64_sys_mmap+0xf8/0x110 arch/arm64/kernel/sys.c:21
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x58/0x180 arch/arm64/kernel/entry-common.c:879
 el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:898
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596
Code: aa1603e0 97fd6069 17fffee6 97e86601 (d4210000) 
---[ end trace 0000000000000000 ]---

Crashes (17):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2025/09/01 13:17 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 8f5ae30d69d7 807a3b61 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] ci-upstream-gce-arm64 KASAN: use-after-free Read in filemap_map_pages
2025/08/20 07:58 upstream b19a97d57c15 79512909 .config console log report syz / log [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] ci-upstream-kasan-gce-root KASAN: use-after-free Read in filemap_map_pages
2025/10/01 07:20 upstream 50c19e20ed2e 65a0eece .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-badwrites-root KASAN: slab-use-after-free Read in filemap_map_pages
2025/08/29 23:33 upstream fb679c832b64 3e1beec6 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root KASAN: slab-use-after-free Read in filemap_map_pages
2025/05/29 09:08 upstream 90b83efa6701 3d2f584d .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-badwrites-root KASAN: slab-use-after-free Read in filemap_map_pages
2025/04/15 05:16 upstream 834a4a689699 0bd6db41 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: slab-use-after-free Read in filemap_map_pages
2025/02/03 17:41 upstream 2014c95afece a21a8419 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root KASAN: slab-use-after-free Read in filemap_map_pages
2024/12/28 10:49 linux-next 8155b4ef3466 d3ccff63 .config console log report syz / log [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-linux-next-kasan-gce-root KASAN: slab-use-after-free Read in filemap_map_pages
2024/12/28 08:59 linux-next 8155b4ef3466 d3ccff63 .config console log report syz / log [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-linux-next-kasan-gce-root KASAN: slab-use-after-free Read in filemap_map_pages
2024/12/28 08:03 linux-next 8155b4ef3466 d3ccff63 .config console log report syz / log [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-linux-next-kasan-gce-root KASAN: slab-use-after-free Read in filemap_map_pages
2024/12/28 07:04 linux-next 8155b4ef3466 d3ccff63 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-linux-next-kasan-gce-root KASAN: slab-use-after-free Read in filemap_map_pages
2024/12/28 03:56 linux-next 8155b4ef3466 d3ccff63 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: slab-use-after-free Read in filemap_map_pages
2025/09/01 12:11 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 8f5ae30d69d7 807a3b61 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: slab-use-after-free Read in filemap_map_pages
2025/07/21 08:53 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci aaef6f251176 7117feec .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: slab-use-after-free Read in filemap_map_pages
2025/10/01 07:06 upstream 50c19e20ed2e 65a0eece .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kmsan-gce-root KMSAN: uninit-value in filemap_map_pages
2025/08/23 07:06 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 8f5ae30d69d7 bf27483f .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: use-after-free Read in filemap_map_pages
2025/08/18 10:21 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 8f5ae30d69d7 1804e95e .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: use-after-free Read in filemap_map_pages
* Struck through repros no longer work on HEAD.