syzbot


BUG: Bad page state

Status: upstream: reported C repro on 2023/04/16 11:16
Bug presence: origin:upstream
[Documentation on labels]
Reported-by: syzbot+d0394eeeb4816974b389@syzkaller.appspotmail.com
First crash: 337d, last: 109d
Fix bisection: failed (error log, bisect log)
  
Bug presence (1)
Date Name Commit Repro Result
2023/05/26 upstream (ToT) 0d85b27b0cc6 C [report] BUG: Bad page state
Similar bugs (15)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream BUG: Bad page state (3) usb C 3 2262d 2269d 4/26 fixed on 2018/02/02 04:39
linux-4.14 BUG: Bad page state C 9 391d 533d 0/1 upstream: reported C repro on 2022/10/03 07:33
upstream BUG: Bad page state (5) mm C 171 1847d 1860d 0/26 closed as invalid on 2019/02/27 20:53
linux-4.19 BUG: Bad page state 1 848d 848d 0/1 auto-closed as invalid on 2022/03/21 10:57
linux-4.19 BUG: Bad page state (2) 1 659d 659d 0/1 auto-obsoleted due to no activity on 2022/09/26 19:49
upstream BUG: Bad page state (7) mm 3 1297d 1354d 0/26 auto-closed as invalid on 2020/12/28 02:44
linux-6.1 BUG: Bad page state origin:upstream C 7 6d18h 296d 0/3 upstream: reported C repro on 2023/05/27 10:10
linux-4.19 BUG: Bad page state (3) C error 1 533d 533d 0/1 upstream: reported C repro on 2022/10/02 20:53
android-49 BUG: Bad page state 3 1629d 1653d 0/3 auto-closed as invalid on 2020/01/30 18:48
android-54 BUG: Bad page state C 9 1450d 1481d 0/2 auto-obsoleted due to no activity on 2022/08/26 22:10
upstream BUG: Bad page state (2) crypto 1 2304d 2300d 0/26 closed as invalid on 2017/12/06 12:57
upstream BUG: Bad page state (4) sound 1 2066d 2066d 0/26 closed as invalid on 2018/09/05 12:51
upstream BUG: Bad page state (6) mm C 2 1845d 1845d 0/26 closed as invalid on 2019/03/01 18:38
upstream BUG: Bad page state C 2 2407d 2408d 3/26 fixed on 2017/10/24 06:54
upstream BUG: Bad page state (8) mm C 7145 7h14m 1141d 1/26 upstream: reported C repro on 2021/02/01 10:07
Fix bisection attempts (4)
Created Duration User Patch Repo Result
2023/12/31 04:47 0m bisect fix linux-5.15.y error job log (0)
2023/12/01 01:03 1h46m bisect fix linux-5.15.y job log (0) log
2023/09/08 23:14 1h12m bisect fix linux-5.15.y job log (0) log
2023/06/27 01:23 1h02m bisect fix linux-5.15.y job log (0) log

Sample crash report:
BUG: Bad page state in process jfsCommit  pfn:7a75b
page:ffffea0001e9d6c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1c pfn:0x7a75b
flags: 0xfff00000002007(locked|referenced|uptodate|private|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000002007 dead000000000100 dead000000000122 0000000000000000
raw: 000000000000001c ffff88801ddf09b0 00000000ffffffff 0000000000000000
page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0xc40(GFP_NOFS), pid 3519, ts 51180300687, free_ts 42598788161
 prep_new_page mm/page_alloc.c:2426 [inline]
 get_page_from_freelist+0x322a/0x33c0 mm/page_alloc.c:4159
 __alloc_pages+0x272/0x700 mm/page_alloc.c:5421
 __page_cache_alloc+0xd4/0x4a0 mm/filemap.c:1022
 do_read_cache_page+0x1e5/0x1040 mm/filemap.c:3448
 read_mapping_page include/linux/pagemap.h:515 [inline]
 __get_metapage+0x398/0x1070 fs/jfs/jfs_metapage.c:621
 diRead+0x5e9/0xad0 fs/jfs/jfs_imap.c:364
 jfs_iget+0x88/0x3b0 fs/jfs/inode.c:35
 jfs_fill_super+0x826/0xc70 fs/jfs/super.c:585
 mount_bdev+0x2c9/0x3f0 fs/super.c:1387
 legacy_get_tree+0xeb/0x180 fs/fs_context.c:611
 vfs_get_tree+0x88/0x270 fs/super.c:1517
 do_new_mount+0x28b/0xae0 fs/namespace.c:2994
 do_mount fs/namespace.c:3337 [inline]
 __do_sys_mount fs/namespace.c:3545 [inline]
 __se_sys_mount+0x2d5/0x3c0 fs/namespace.c:3522
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x61/0xcb
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1340 [inline]
 free_pcp_prepare mm/page_alloc.c:1391 [inline]
 free_unref_page_prepare+0xc34/0xcf0 mm/page_alloc.c:3317
 free_unref_page+0x95/0x2d0 mm/page_alloc.c:3396
 pipe_buf_release include/linux/pipe_fs_i.h:203 [inline]
 pipe_read+0x6e4/0x12b0 fs/pipe.c:323
 call_read_iter include/linux/fs.h:2097 [inline]
 new_sync_read fs/read_write.c:404 [inline]
 vfs_read+0xa9f/0xe10 fs/read_write.c:485
 ksys_read+0x1a2/0x2c0 fs/read_write.c:623
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x61/0xcb
Modules linked in:
CPU: 0 PID: 276 Comm: jfsCommit Not tainted 5.15.133-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
 bad_page+0x14b/0x170 mm/page_alloc.c:652
 check_free_page_bad mm/page_alloc.c:1199 [inline]
 check_free_page mm/page_alloc.c:1209 [inline]
 free_pages_prepare mm/page_alloc.c:1334 [inline]
 free_pcp_prepare mm/page_alloc.c:1391 [inline]
 free_unref_page_prepare+0x48d/0xcf0 mm/page_alloc.c:3317
 free_unref_page+0x95/0x2d0 mm/page_alloc.c:3396
 txUnlock+0x282/0xca0 fs/jfs/jfs_txnmgr.c:932
 txLazyCommit fs/jfs/jfs_txnmgr.c:2716 [inline]
 jfs_lazycommit+0x5cd/0xc30 fs/jfs/jfs_txnmgr.c:2766
 kthread+0x3f6/0x4f0 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298
 </TASK>
page:ffffea0001e9d6c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1c pfn:0x7a75b
flags: 0xfff00000002007(locked|referenced|uptodate|private|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000002007 dead000000000100 dead000000000122 0000000000000000
raw: 000000000000001c ffff88801ddf09b0 00000000ffffffff 0000000000000000
page dumped because: VM_BUG_ON_PAGE(((unsigned int) page_ref_count(page) + 127u <= 127u))
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0xc40(GFP_NOFS), pid 3519, ts 51180300687, free_ts 42598788161
 prep_new_page mm/page_alloc.c:2426 [inline]
 get_page_from_freelist+0x322a/0x33c0 mm/page_alloc.c:4159
 __alloc_pages+0x272/0x700 mm/page_alloc.c:5421
 __page_cache_alloc+0xd4/0x4a0 mm/filemap.c:1022
 do_read_cache_page+0x1e5/0x1040 mm/filemap.c:3448
 read_mapping_page include/linux/pagemap.h:515 [inline]
 __get_metapage+0x398/0x1070 fs/jfs/jfs_metapage.c:621
 diRead+0x5e9/0xad0 fs/jfs/jfs_imap.c:364
 jfs_iget+0x88/0x3b0 fs/jfs/inode.c:35
 jfs_fill_super+0x826/0xc70 fs/jfs/super.c:585
 mount_bdev+0x2c9/0x3f0 fs/super.c:1387
 legacy_get_tree+0xeb/0x180 fs/fs_context.c:611
 vfs_get_tree+0x88/0x270 fs/super.c:1517
 do_new_mount+0x28b/0xae0 fs/namespace.c:2994
 do_mount fs/namespace.c:3337 [inline]
 __do_sys_mount fs/namespace.c:3545 [inline]
 __se_sys_mount+0x2d5/0x3c0 fs/namespace.c:3522
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x61/0xcb
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1340 [inline]
 free_pcp_prepare mm/page_alloc.c:1391 [inline]
 free_unref_page_prepare+0xc34/0xcf0 mm/page_alloc.c:3317
 free_unref_page+0x95/0x2d0 mm/page_alloc.c:3396
 pipe_buf_release include/linux/pipe_fs_i.h:203 [inline]
 pipe_read+0x6e4/0x12b0 fs/pipe.c:323
 call_read_iter include/linux/fs.h:2097 [inline]
 new_sync_read fs/read_write.c:404 [inline]
 vfs_read+0xa9f/0xe10 fs/read_write.c:485
 ksys_read+0x1a2/0x2c0 fs/read_write.c:623
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x61/0xcb
------------[ cut here ]------------
kernel BUG at include/linux/mm.h:1213!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 276 Comm: jfsCommit Tainted: G    B             5.15.133-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
RIP: 0010:get_page include/linux/mm.h:1213 [inline]
RIP: 0010:put_metapage+0x283/0x290 fs/jfs/jfs_metapage.c:722
Code: 03 38 c1 0f 8c f8 fe ff ff 4c 89 ff e8 c6 ed e6 fe e9 eb fe ff ff e8 7c 46 9d fe 4c 89 e7 48 c7 c6 60 e3 c0 8a e8 2d 64 d3 fe <0f> 0b 66 2e 0f 1f 84 00 00 00 00 00 90 55 41 57 41 56 41 55 41 54
RSP: 0018:ffffc900025afcc0 EFLAGS: 00010246
RAX: a97ec0437d375900 RBX: 000000000000007f RCX: ffff888019020000
RDX: 0000000000000000 RSI: 000000000000ffff RDI: 000000000000ffff
RBP: ffff88801ddf09b0 R08: ffffffff81d08724 R09: ffffed10173467a8
R10: 0000000000000000 R11: dffffc0000000001 R12: ffffea0001e9d6c0
R13: ffff88801ddf09d8 R14: 1ffff11003bbe13b R15: ffffea0001e9d6f4
FS:  0000000000000000(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f3a84fd7798 CR3: 0000000076c74000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 txUnlock+0x42f/0xca0 fs/jfs/jfs_txnmgr.c:947
 txLazyCommit fs/jfs/jfs_txnmgr.c:2716 [inline]
 jfs_lazycommit+0x5cd/0xc30 fs/jfs/jfs_txnmgr.c:2766
 kthread+0x3f6/0x4f0 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298
 </TASK>
Modules linked in:
---[ end trace b221a7be7290ab2a ]---
RIP: 0010:get_page include/linux/mm.h:1213 [inline]
RIP: 0010:put_metapage+0x283/0x290 fs/jfs/jfs_metapage.c:722
Code: 03 38 c1 0f 8c f8 fe ff ff 4c 89 ff e8 c6 ed e6 fe e9 eb fe ff ff e8 7c 46 9d fe 4c 89 e7 48 c7 c6 60 e3 c0 8a e8 2d 64 d3 fe <0f> 0b 66 2e 0f 1f 84 00 00 00 00 00 90 55 41 57 41 56 41 55 41 54
RSP: 0018:ffffc900025afcc0 EFLAGS: 00010246

RAX: a97ec0437d375900 RBX: 000000000000007f RCX: ffff888019020000
RDX: 0000000000000000 RSI: 000000000000ffff RDI: 000000000000ffff
RBP: ffff88801ddf09b0 R08: ffffffff81d08724 R09: ffffed10173467a8
R10: 0000000000000000 R11: dffffc0000000001 R12: ffffea0001e9d6c0
R13: ffff88801ddf09d8 R14: 1ffff11003bbe13b R15: ffffea0001e9d6f4
FS:  0000000000000000(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffc883999b0 CR3: 0000000076c74000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Crashes (8):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2023/09/30 13:34 linux-5.15.y b911329317b4 8e26a358 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-5-15-kasan BUG: Bad page state
2023/05/26 03:03 linux-5.15.y 1fe619a7d252 0513b3e6 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-5-15-kasan BUG: Bad page state
2023/05/27 22:36 linux-5.15.y 1fe619a7d252 cf184559 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-5-15-kasan-arm64 BUG: Bad page state
2023/10/30 22:58 linux-5.15.y 12952a23a5da b5729d82 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan BUG: Bad page state
2023/09/30 12:42 linux-5.15.y b911329317b4 8e26a358 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan BUG: Bad page state
2023/05/26 00:11 linux-5.15.y 1fe619a7d252 0513b3e6 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan BUG: Bad page state
2023/04/16 14:28 linux-5.15.y 4fdad925aa1a ec410564 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 BUG: Bad page state
2023/04/16 11:16 linux-5.15.y 4fdad925aa1a ec410564 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 BUG: Bad page state
* Struck through repros no longer work on HEAD.