syzbot

BUG: Bad page map (3)

Status: premoderation: reported on 2024/07/12 00:18
Reported-by: syzbot+a17eb6fa0d100f35b5a7@syzkaller.appspotmail.com
First crash: 66d, last: 66d
Similar bugs (18)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-5-10 BUG: Bad page map 1 559d 559d 0/2 auto-obsoleted due to no activity on 2023/06/05 15:46
linux-4.19 BUG: Bad page map (3) 1 790d 790d 0/1 auto-obsoleted due to no activity on 2022/11/15 21:40
upstream BUG: Bad page map (5) mm io-uring C 35 611d 869d 22/28 fixed on 2023/02/24 13:50
android-5-15 BUG: Bad page map 1 73d 73d 0/2 premoderation: reported on 2024/07/05 11:03
linux-4.19 BUG: Bad page map (2) 10 977d 1157d 0/1 auto-closed as invalid on 2022/05/13 11:22
android-54 BUG: Bad page map (3) 10 102d 218d 0/2 auto-obsoleted due to no activity on 2024/09/04 10:38
upstream BUG: Bad page map (2) mm syz 127 2203d 2259d 0/28 closed as invalid on 2018/09/05 12:51
upstream BUG: Bad page map (8) mm C 1 63d 59d 0/28 upstream: reported C repro on 2024/07/18 22:51
android-5-10 BUG: Bad page map (2) 1 340d 340d 0/2 auto-obsoleted due to no activity on 2024/01/10 02:50
upstream BUG: Bad page map mm 1 2262d 2262d 0/28 closed as invalid on 2018/07/08 13:28
upstream BUG: Bad page map (3) kernel 4 2072d 2198d 0/28 auto-closed as invalid on 2019/07/13 00:02
linux-4.19 BUG: Bad page map 2 1474d 1532d 0/1 auto-closed as invalid on 2021/01/01 08:20
upstream BUG: Bad page map (7) mm C done 19 351d 373d 25/28 fixed on 2023/12/21 03:45
android-54 BUG: Bad page map (2) 7 340d 458d 0/2 auto-obsoleted due to no activity on 2024/01/10 18:32
upstream BUG: Bad page map (4) mm 39 1018d 1655d 0/28 auto-closed as invalid on 2022/04/02 04:25
linux-4.14 BUG: Bad page map 1 1520d 1520d 0/1 auto-closed as invalid on 2020/11/16 16:05
upstream BUG: Bad page map (6) mm 1 525d 521d 0/28 auto-obsoleted due to no activity on 2023/07/09 13:20
android-54 BUG: Bad page map 1 753d 753d 0/2 auto-obsoleted due to no activity on 2022/12/23 04:05

Sample crash report:
BUG: Bad page map in process syz.4.4460  pte:100000000 pmd:110d4e067
addr:0000000020201000 vm_flags:000000fe anon_vma:0000000000000000 mapping:ffff88810b404cd0 index:201
file:dev/zero fault:shmem_fault mmap:shmem_mmap readpage:0x0
CPU: 0 PID: 17809 Comm: syz.4.4460 Not tainted 5.10.218-syzkaller-00638-g3feee789f446 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack_lvl+0x1e2/0x24b lib/dump_stack.c:118
 dump_stack+0x15/0x17 lib/dump_stack.c:135
 print_bad_pte+0x543/0x560 mm/memory.c:568
 zap_pte_range mm/memory.c:1365 [inline]
 zap_pmd_range mm/memory.c:1435 [inline]
 zap_pud_range mm/memory.c:1464 [inline]
 zap_p4d_range mm/memory.c:1485 [inline]
 unmap_page_range+0x17f2/0x23b0 mm/memory.c:1506
 unmap_single_vma mm/memory.c:1551 [inline]
 unmap_vmas+0x37f/0x4f0 mm/memory.c:1583
 exit_mmap+0x2f2/0x5c0 mm/mmap.c:3355
 __mmput+0x95/0x2d0 kernel/fork.c:1153
 mmput+0x59/0x170 kernel/fork.c:1176
 exit_mm kernel/exit.c:537 [inline]
 do_exit+0xbda/0x2a50 kernel/exit.c:848
 do_group_exit+0x141/0x310 kernel/exit.c:983
 get_signal+0x10a0/0x1410 kernel/signal.c:2782
 arch_do_signal_or_restart+0xbd/0x17c0 arch/x86/kernel/signal.c:805
 handle_signal_work kernel/entry/common.c:145 [inline]
 exit_to_user_mode_loop+0x9b/0xd0 kernel/entry/common.c:169
 exit_to_user_mode_prepare kernel/entry/common.c:199 [inline]
 syscall_exit_to_user_mode+0xa2/0x1a0 kernel/entry/common.c:274
 do_syscall_64+0x40/0x70 arch/x86/entry/common.c:56
 entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7f0b6c661bd9
Code: Unable to access opcode bytes at RIP 0x7f0b6c661baf.
RSP: 002b:00007f0b6b8c20f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007f0b6c7f0040 RCX: 00007f0b6c661bd9
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f0b6c7f0040
RBP: 00007f0b6c7f0038 R08: 00007f0b6b8c26c0 R09: 00007f0b6b8c26c0
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f0b6c7f0044
R13: 000000000000006e R14: 00007fff25180280 R15: 00007fff25180368
BUG: Bad page cache in process syz.4.4460  pfn:12d365
page:ffffea0004b4d940 refcount:3 mapcount:1 mapping:ffff88810b404cd0 index:0x201 pfn:0x12d365
aops:shmem_aops ino:c1b
flags: 0x4000000000080017(locked|referenced|uptodate|lru|swapbacked)
raw: 4000000000080017 ffffea0004c2f288 ffff88810b054000 ffff88810b404cd0
raw: 0000000000000201 0000000000000000 0000000300000000 ffff88810b0b4000
page dumped because: still mapped when deleted
page->mem_cgroup:ffff88810b0b4000
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Movable, gfp_mask 0x100cca(GFP_HIGHUSER_MOVABLE), pid 17806, ts 757797293257, free_ts 757757364336
 set_page_owner include/linux/page_owner.h:35 [inline]
 post_alloc_hook mm/page_alloc.c:2456 [inline]
 prep_new_page+0x166/0x180 mm/page_alloc.c:2462
 get_page_from_freelist+0x2d8c/0x2f30 mm/page_alloc.c:4254
 __alloc_pages_nodemask+0x435/0xaf0 mm/page_alloc.c:5348
 __alloc_pages include/linux/gfp.h:544 [inline]
 __alloc_pages_node include/linux/gfp.h:557 [inline]
 alloc_pages_node include/linux/gfp.h:571 [inline]
 alloc_pages include/linux/gfp.h:590 [inline]
 shmem_alloc_page+0x257/0x420 mm/shmem.c:1580
 shmem_alloc_and_acct_page+0x395/0x8e0 mm/shmem.c:1605
 shmem_getpage_gfp+0x891/0x2480 mm/shmem.c:1918
 shmem_fault+0x2d4/0x7b0 mm/shmem.c:2139
 __do_fault mm/memory.c:4036 [inline]
 do_read_fault mm/memory.c:4371 [inline]
 do_fault mm/memory.c:4499 [inline]
 handle_pte_fault+0x23a9/0x3e30 mm/memory.c:4763
 __handle_mm_fault mm/memory.c:4916 [inline]
 handle_mm_fault+0x11d6/0x1a10 mm/memory.c:5330
 faultin_page mm/gup.c:902 [inline]
 __get_user_pages+0xb31/0x11b0 mm/gup.c:1121
 populate_vma_page_range mm/gup.c:1454 [inline]
 __mm_populate+0x363/0x520 mm/gup.c:1502
 mm_populate include/linux/mm.h:2768 [inline]
 vm_mmap_pgoff+0x264/0x390 mm/util.c:548
 ksys_mmap_pgoff+0xf8/0x1f0 mm/mmap.c:1701
 __do_sys_mmap arch/x86/kernel/sys_x86_64.c:95 [inline]
 __se_sys_mmap arch/x86/kernel/sys_x86_64.c:86 [inline]
 __x64_sys_mmap+0x103/0x120 arch/x86/kernel/sys_x86_64.c:86
 do_syscall_64+0x34/0x70
 entry_SYSCALL_64_after_hwframe+0x61/0xcb
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:28 [inline]
 free_pages_prepare mm/page_alloc.c:1349 [inline]
 free_pcp_prepare mm/page_alloc.c:1421 [inline]
 free_unref_page_prepare+0x2ae/0x2d0 mm/page_alloc.c:3336
 free_unref_page_list+0x122/0xb20 mm/page_alloc.c:3443
 release_pages+0xea0/0xef0 mm/swap.c:1103
 __pagevec_release+0x84/0x100 mm/swap.c:1123
 pagevec_release include/linux/pagevec.h:88 [inline]
 shmem_undo_range+0x7d1/0x1a60 mm/shmem.c:965
 shmem_truncate_range mm/shmem.c:1069 [inline]
 shmem_evict_inode+0x215/0x9d0 mm/shmem.c:1169
 evict+0x2a3/0x6c0 fs/inode.c:577
 iput_final fs/inode.c:1697 [inline]
 iput+0x632/0x7e0 fs/inode.c:1723
 dentry_unlink_inode+0x2e5/0x3d0 fs/dcache.c:374
 __dentry_kill+0x447/0x650 fs/dcache.c:579
 dentry_kill+0xc0/0x2a0
 dput+0x40/0x80 fs/dcache.c:879
 __fput+0x4f4/0x760 fs/file_table.c:294
 ____fput+0x15/0x20 fs/file_table.c:314
 task_work_run+0x129/0x190 kernel/task_work.c:165
 exit_task_work include/linux/task_work.h:32 [inline]
 do_exit+0xc83/0x2a50 kernel/exit.c:861
CPU: 0 PID: 17809 Comm: syz.4.4460 Tainted: G    B             5.10.218-syzkaller-00638-g3feee789f446 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack_lvl+0x1e2/0x24b lib/dump_stack.c:118
 dump_stack+0x15/0x17 lib/dump_stack.c:135
 unaccount_page_cache_page+0x752/0xa80 mm/filemap.c:185
 __delete_from_page_cache+0xd0/0x5d0 mm/filemap.c:243
 delete_from_page_cache+0xb6/0xf0 mm/filemap.c:279
 truncate_inode_page+0x5d/0x70 mm/truncate.c:225
 shmem_undo_range+0x696/0x1a60 mm/shmem.c:960
 shmem_truncate_range mm/shmem.c:1069 [inline]
 shmem_evict_inode+0x215/0x9d0 mm/shmem.c:1169
 evict+0x2a3/0x6c0 fs/inode.c:577
 iput_final fs/inode.c:1697 [inline]
 iput+0x632/0x7e0 fs/inode.c:1723
 dentry_unlink_inode+0x2e5/0x3d0 fs/dcache.c:374
 __dentry_kill+0x447/0x650 fs/dcache.c:579
 dentry_kill+0xc0/0x2a0
 dput+0x40/0x80 fs/dcache.c:879
 __fput+0x4f4/0x760 fs/file_table.c:294
 ____fput+0x15/0x20 fs/file_table.c:314
 task_work_run+0x129/0x190 kernel/task_work.c:165
 exit_task_work include/linux/task_work.h:32 [inline]
 do_exit+0xc83/0x2a50 kernel/exit.c:861
 do_group_exit+0x141/0x310 kernel/exit.c:983
 get_signal+0x10a0/0x1410 kernel/signal.c:2782
 arch_do_signal_or_restart+0xbd/0x17c0 arch/x86/kernel/signal.c:805
 handle_signal_work kernel/entry/common.c:145 [inline]
 exit_to_user_mode_loop+0x9b/0xd0 kernel/entry/common.c:169
 exit_to_user_mode_prepare kernel/entry/common.c:199 [inline]
 syscall_exit_to_user_mode+0xa2/0x1a0 kernel/entry/common.c:274
 do_syscall_64+0x40/0x70 arch/x86/entry/common.c:56
 entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7f0b6c661bd9
Code: Unable to access opcode bytes at RIP 0x7f0b6c661baf.
RSP: 002b:00007f0b6b8c20f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007f0b6c7f0040 RCX: 00007f0b6c661bd9
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f0b6c7f0040
RBP: 00007f0b6c7f0038 R08: 00007f0b6b8c26c0 R09: 00007f0b6b8c26c0
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f0b6c7f0044
R13: 000000000000006e R14: 00007fff25180280 R15: 00007fff25180368

Crashes (1):
Time: 2024/07/12 00:17
Kernel: android13-5.10-lts
Commit: 3feee789f446
Syzkaller: eaeb5c15
Config: .config
Log: console log
Report: report
Syz repro: none
C repro: none
VM info: info
Assets: disk image, vmlinux, kernel image
Manager: ci2-android-5-10
Title: BUG: Bad page map