syzbot


BUG: unable to handle kernel paging request in clear_page_erms (5)

Status: moderation: reported on 2023/10/23 23:39
Subsystems: mm
Reported-by: syzbot+a25c2bef11a9ba847215@syzkaller.appspotmail.com
First crash: 190d, last: 85d
Similar bugs (5)

| Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|
| upstream | BUG: unable to handle kernel paging request in clear_page_erms (3) [mm] | | | | 2 | 1020d | 1026d | 0/26 | auto-closed as invalid on 2021/10/09 21:56 |
| upstream | BUG: unable to handle kernel paging request in clear_page_erms (4) [mm arch] | | | | 1 | 915d | 911d | 0/26 | auto-closed as invalid on 2022/01/23 00:56 |
| linux-4.19 | BUG: unable to handle kernel paging request in clear_page_erms | | | | 1 | 843d | 843d | 0/1 | auto-closed as invalid on 2022/05/04 22:20 |
| upstream | BUG: unable to handle kernel paging request in clear_page_erms (2) [mm] | | | | 1 | 1093d | 1075d | 0/26 | auto-closed as invalid on 2021/06/28 09:14 |
| upstream | BUG: unable to handle kernel paging request in clear_page_erms [mm] | | | | 1 | 1450d | 1446d | 0/26 | auto-closed as invalid on 2020/08/05 10:45 |

Sample crash report:
BUG: unable to handle page fault for address: ffff88801fb8e000
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 12c01067 P4D 12c01067 PUD 12c02067 PMD 1f5fa063 PTE 800fffffe0471060
Oops: 0002 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 5107 Comm: syz-executor.2 Not tainted 6.6.0-syzkaller-14142-g90b0c2b2edd1 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
RIP: 0010:clear_page_erms+0xb/0x10 arch/x86/lib/clear_page_64.S:50
Code: 48 89 47 20 48 89 47 28 48 89 47 30 48 89 47 38 48 8d 7f 40 75 d9 90 c3 0f 1f 80 00 00 00 00 f3 0f 1e fa b9 00 10 00 00 31 c0 <f3> aa c3 66 90 f3 0f 1e fa 48 83 f9 40 73 36 83 f9 08 73 0f 85 c9
RSP: 0018:ffffc9000443f2f8 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000001000
RDX: ffffea00007ee380 RSI: ffff888000000000 RDI: ffff88801fb8e000
RBP: ffffea00007ee380 R08: 0000160000000000 R09: 0000000000000000
R10: ffffed1003f71c00 R11: dffffc0000000000 R12: 0000000000000000
R13: ffffea00007ee3c0 R14: 0000000000000001 R15: 0000000000000000
FS:  0000555556c03480(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88801fb8e000 CR3: 000000007c039000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 clear_page arch/x86/include/asm/page_64.h:53 [inline]
 clear_highpage_kasan_tagged include/linux/highmem.h:248 [inline]
 kernel_init_pages mm/page_alloc.c:1072 [inline]
 post_alloc_hook+0x1a3/0x340 mm/page_alloc.c:1535
 prep_new_page mm/page_alloc.c:1544 [inline]
 get_page_from_freelist+0xa25/0x36c0 mm/page_alloc.c:3312
 __alloc_pages+0x1d0/0x4a0 mm/page_alloc.c:4568
 __alloc_pages_bulk+0x77a/0x1110 mm/page_alloc.c:4516
 alloc_pages_bulk_array_mempolicy+0x21e/0x400 mm/mempolicy.c:2296
 vm_area_alloc_pages mm/vmalloc.c:3028 [inline]
 __vmalloc_area_node mm/vmalloc.c:3139 [inline]
 __vmalloc_node_range+0x10b8/0x1bf0 mm/vmalloc.c:3320
 __vmalloc_node mm/vmalloc.c:3385 [inline]
 vzalloc+0x6b/0x80 mm/vmalloc.c:3458
 xt_counters_alloc+0x4c/0x70 net/netfilter/x_tables.c:1379
 __do_replace+0x9a/0x9c0 net/ipv4/netfilter/arp_tables.c:894
 do_replace net/ipv6/netfilter/ip6_tables.c:1154 [inline]
 do_ip6t_set_ctl+0x956/0xbf0 net/ipv6/netfilter/ip6_tables.c:1636
 nf_setsockopt+0x87/0xe0 net/netfilter/nf_sockopt.c:101
 ipv6_setsockopt+0x12b/0x190 net/ipv6/ipv6_sockglue.c:1005
 tcp_setsockopt+0x9d/0x100 net/ipv4/tcp.c:3704
 do_sock_setsockopt+0x222/0x470 net/socket.c:2315
 __sys_setsockopt+0x1a6/0x270 net/socket.c:2338
 __do_sys_setsockopt net/socket.c:2347 [inline]
 __se_sys_setsockopt net/socket.c:2344 [inline]
 __x64_sys_setsockopt+0xbd/0x150 net/socket.c:2344
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f86af27e83a
Code: ff ff ff c3 0f 1f 40 00 48 c7 c2 b0 ff ff ff f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 49 89 ca b8 36 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 06 c3 0f 1f 44 00 00 48 c7 c2 b0 ff ff ff f7
RSP: 002b:00007f86af4bf668 EFLAGS: 00000206 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 00007f86af4bf6f0 RCX: 00007f86af27e83a
RDX: 0000000000000040 RSI: 0000000000000029 RDI: 0000000000000003
RBP: 0000000000000003 R08: 00000000000003b8 R09: 0079746972756365
R10: 00007f86af3786a0 R11: 0000000000000206 R12: 00007f86af378640
R13: 00007f86af4bf68c R14: 0000000000000000 R15: 00007f86af378d00
 </TASK>
Modules linked in:
CR2: ffff88801fb8e000
---[ end trace 0000000000000000 ]---
RIP: 0010:clear_page_erms+0xb/0x10 arch/x86/lib/clear_page_64.S:50
Code: 48 89 47 20 48 89 47 28 48 89 47 30 48 89 47 38 48 8d 7f 40 75 d9 90 c3 0f 1f 80 00 00 00 00 f3 0f 1e fa b9 00 10 00 00 31 c0 <f3> aa c3 66 90 f3 0f 1e fa 48 83 f9 40 73 36 83 f9 08 73 0f 85 c9
RSP: 0018:ffffc9000443f2f8 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000001000
RDX: ffffea00007ee380 RSI: ffff888000000000 RDI: ffff88801fb8e000
RBP: ffffea00007ee380 R08: 0000160000000000 R09: 0000000000000000
R10: ffffed1003f71c00 R11: dffffc0000000000 R12: 0000000000000000
R13: ffffea00007ee3c0 R14: 0000000000000001 R15: 0000000000000000
FS:  0000555556c03480(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88801fb8e000 CR3: 000000007c039000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	48 89 47 20          	mov    %rax,0x20(%rdi)
   4:	48 89 47 28          	mov    %rax,0x28(%rdi)
   8:	48 89 47 30          	mov    %rax,0x30(%rdi)
   c:	48 89 47 38          	mov    %rax,0x38(%rdi)
  10:	48 8d 7f 40          	lea    0x40(%rdi),%rdi
  14:	75 d9                	jne    0xffffffef
  16:	90                   	nop
  17:	c3                   	ret
  18:	0f 1f 80 00 00 00 00 	nopl   0x0(%rax)
  1f:	f3 0f 1e fa          	endbr64
  23:	b9 00 10 00 00       	mov    $0x1000,%ecx
  28:	31 c0                	xor    %eax,%eax
* 2a:	f3 aa                	rep stos %al,%es:(%rdi) <-- trapping instruction
  2c:	c3                   	ret
  2d:	66 90                	xchg   %ax,%ax
  2f:	f3 0f 1e fa          	endbr64
  33:	48 83 f9 40          	cmp    $0x40,%rcx
  37:	73 36                	jae    0x6f
  39:	83 f9 08             	cmp    $0x8,%ecx
  3c:	73 0f                	jae    0x4d
  3e:	85 c9                	test   %ecx,%ecx

Crashes (4):

| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2023/11/04 23:34 | upstream | 90b0c2b2edd1 | 500bfdc4 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce | BUG: unable to handle kernel paging request in clear_page_erms |
| 2023/10/19 23:34 | upstream | dd72f9c7e512 | 42e1d524 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce | BUG: unable to handle kernel paging request in clear_page_erms |
| 2024/02/01 16:11 | upstream | 6764c317b6bb | 81024119 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-386 | BUG: unable to handle kernel paging request in clear_page_erms |
| 2023/12/10 00:16 | upstream | b10a3ccaf6e3 | 28b24332 | .config | console log | report | | | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu-upstream-386 | BUG: unable to handle kernel paging request in clear_page_erms |