syzbot


general protection fault in __pte_offset_map_lock

Status: upstream: reported C repro on 2024/05/05 18:37
Subsystems: mm
Reported-by: syzbot+f96e045d95fe10c0e800@syzkaller.appspotmail.com
First crash: 288d, last: 65d
Cause bisection: introduced by (bisect log):
commit 1d65b771bc08cd054cf6d3766a72e113dc46d62f
Author: Hugh Dickins <hughd@google.com>
Date: Wed Jul 12 04:41:04 2023 +0000

  mm/khugepaged: retract_page_tables() without mmap or vma lock

Crash: BUG: unable to handle kernel NULL pointer dereference in __pte_offset_map_lock (log)
Repro: syz .config
Fix bisection: fixed by (bisect log):
commit 6fa1066fc5d00cb9f1b0e83b7ff6ef98d26ba2aa
Author: Jann Horn <jannh@google.com>
Date: Mon Oct 7 21:42:04 2024 +0000

  mm/mremap: fix move_normal_pmd/retract_page_tables race

Discussions (1)
Title | Replies (including bot) | Last reply
[syzbot] [mm?] general protection fault in __pte_offset_map_lock | 0 (3) | 2025/01/16 12:01
Similar bugs (1)
Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status
upstream | BUG: unable to handle kernel paging request in __pte_offset_map_lock [mm] | C | - | - | 2 | 466d | 477d | 25/28 | fixed on 2024/01/20 21:18
Last patch testing requests (10)
Created | Duration | User | Repo | Result
2024/12/25 03:16 | 24m | retest repro | linux-next | OK
2024/12/25 03:16 | 24m | retest repro | linux-next | OK
2024/12/25 03:16 | 26m | retest repro | linux-next | report
2024/12/25 02:01 | 30m | retest repro | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | OK
2024/12/25 02:01 | 25m | retest repro | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | OK
2024/12/03 16:10 | 25m | retest repro | upstream | OK
2024/10/08 15:55 | 21m | retest repro | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | report
2024/10/08 15:55 | 24m | retest repro | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | report
2024/08/23 03:57 | 26m | retest repro | upstream | report
2024/08/23 03:38 | 20m | retest repro | upstream | report
Fix bisection attempts (2)
Created | Duration | User | Repo | Result
2025/01/16 05:09 | 6h51m | bisect fix | upstream | OK (1)
2024/09/24 12:03 | 3h32m | bisect fix | upstream | OK (0)

Sample crash report:
==================================================================
BUG: KASAN: slab-use-after-free in set_pending kernel/locking/qspinlock_paravirt.h:112 [inline]
BUG: KASAN: slab-use-after-free in pv_wait_head_or_lock kernel/locking/qspinlock_paravirt.h:429 [inline]
BUG: KASAN: slab-use-after-free in __pv_queued_spin_lock_slowpath+0x90b/0xdb0 kernel/locking/qspinlock.c:508
Write of size 1 at addr ffff888031786c61 by task syz.4.214/6530

CPU: 0 UID: 0 PID: 6530 Comm: syz.4.214 Not tainted 6.13.0-rc1-next-20241205-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:489
 kasan_report+0x143/0x180 mm/kasan/report.c:602
 set_pending kernel/locking/qspinlock_paravirt.h:112 [inline]
 pv_wait_head_or_lock kernel/locking/qspinlock_paravirt.h:429 [inline]
 __pv_queued_spin_lock_slowpath+0x90b/0xdb0 kernel/locking/qspinlock.c:508
 pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:584 [inline]
 queued_spin_lock_slowpath+0x42/0x50 arch/x86/include/asm/qspinlock.h:51
 queued_spin_lock include/asm-generic/qspinlock.h:114 [inline]
 do_raw_spin_lock+0x272/0x370 kernel/locking/spinlock_debug.c:116
 spin_lock include/linux/spinlock.h:351 [inline]
 __pte_offset_map_lock+0x1ba/0x300 mm/pgtable-generic.c:402
 pte_offset_map_lock include/linux/mm.h:3027 [inline]
 finish_fault+0x707/0x11d0 mm/memory.c:5240
 do_read_fault mm/memory.c:5397 [inline]
 do_fault mm/memory.c:5527 [inline]
 do_pte_missing mm/memory.c:4048 [inline]
 handle_pte_fault+0x3a13/0x5ee0 mm/memory.c:5872
 __handle_mm_fault mm/memory.c:6015 [inline]
 handle_mm_fault+0x1106/0x1bb0 mm/memory.c:6183
 faultin_page mm/gup.c:1200 [inline]
 __get_user_pages+0x1b31/0x4370 mm/gup.c:1495
 populate_vma_page_range+0x264/0x330 mm/gup.c:1933
 __mm_populate+0x27a/0x460 mm/gup.c:2036
 mm_populate include/linux/mm.h:3389 [inline]
 vm_mmap_pgoff+0x303/0x430 mm/util.c:585
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f726e57ff19
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f726f2d0058 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
RAX: ffffffffffffffda RBX: 00007f726e746080 RCX: 00007f726e57ff19
RDX: b635773f06ebbeef RSI: 0000000000b36000 RDI: 0000000020000000
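
The report above is the raw artefact a triage pipeline has to digest. The following is an added example (my code, not syzbot's or syzkaller's) that parses the KASAN header and call trace into structured fields and reproduces the title syzbot assigned to this crash, "KASAN: slab-use-after-free Write in __pte_offset_map_lock", by skipping report-printing, KASAN and spinlock frames until the first frame in subsystem code. The SKIP_PREFIXES list is this example's own approximation, not syzkaller's actual rules, and the embedded sample is an abridged quote of the report above.

```python
"""Parse a KASAN report and derive the syzbot-style crash title from its trace.
Added example, not syzbot/syzkaller code; SKIP_PREFIXES is this example's own
approximation of how the real parser ignores uninteresting frames."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: header and abridged call trace quoted from the report above.
SAMPLE_REPORT = """\
BUG: KASAN: slab-use-after-free in set_pending kernel/locking/qspinlock_paravirt.h:112 [inline]
BUG: KASAN: slab-use-after-free in __pv_queued_spin_lock_slowpath+0x90b/0xdb0 kernel/locking/qspinlock.c:508
Write of size 1 at addr ffff888031786c61 by task syz.4.214/6530

CPU: 0 UID: 0 PID: 6530 Comm: syz.4.214 Not tainted 6.13.0-rc1-next-20241205-syzkaller #0
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_report+0x169/0x550 mm/kasan/report.c:489
 kasan_report+0x143/0x180 mm/kasan/report.c:602
 set_pending kernel/locking/qspinlock_paravirt.h:112 [inline]
 pv_wait_head_or_lock kernel/locking/qspinlock_paravirt.h:429 [inline]
 __pv_queued_spin_lock_slowpath+0x90b/0xdb0 kernel/locking/qspinlock.c:508
 pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:584 [inline]
 queued_spin_lock_slowpath+0x42/0x50 arch/x86/include/asm/qspinlock.h:51
 queued_spin_lock include/asm-generic/qspinlock.h:114 [inline]
 do_raw_spin_lock+0x272/0x370 kernel/locking/spinlock_debug.c:116
 spin_lock include/linux/spinlock.h:351 [inline]
 __pte_offset_map_lock+0x1ba/0x300 mm/pgtable-generic.c:402
 pte_offset_map_lock include/linux/mm.h:3027 [inline]
 finish_fault+0x707/0x11d0 mm/memory.c:5240
 handle_mm_fault+0x1106/0x1bb0 mm/memory.c:6183
 vm_mmap_pgoff+0x303/0x430 mm/util.c:585
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f726e57ff19
"""

@dataclass
class Frame:
    func: str
    location: str  # file:line as printed by the kernel
    inline: bool   # the symbolizer marked it [inline]

@dataclass
class KasanReport:
    bug_type: str  # e.g. "slab-use-after-free"
    access: str    # "Read" or "Write"
    size: int
    addr: int
    task: str
    pid: int
    frames: List[Frame] = field(default_factory=list)

_BUG_RE = re.compile(r"^BUG: KASAN: (\S+) in ")
_ACCESS_RE = re.compile(r"^(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)$")
# " func+0xoff/0xsize file:line [inline]"; frames without file:line are dropped.
_FRAME_RE = re.compile(r"^\s+(\S+?)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?\s+(\S+:\d+)(\s+\[inline\])?\s*$")

def parse_kasan_report(text: str) -> KasanReport:
    fields, frames, in_trace = {}, [], False
    for line in text.splitlines():
        if (m := _BUG_RE.match(line)) and "bug_type" not in fields:
            fields["bug_type"] = m.group(1)       # first BUG: line wins
        elif m := _ACCESS_RE.match(line):
            fields.update(access=m.group(1), size=int(m.group(2)), addr=int(m.group(3), 16),
                          task=m.group(4), pid=int(m.group(5)))
        elif line.startswith("Call Trace:"):
            in_trace = True
        elif in_trace and line.startswith("RIP:"):
            break                                  # user-space registers: trace is over
        elif in_trace and (m := _FRAME_RE.match(line)):
            frames.append(Frame(m.group(1), m.group(2), m.group(3) is not None))
    if "bug_type" not in fields or "access" not in fields:
        raise ValueError("not a KASAN report")
    return KasanReport(frames=frames, **fields)

# Report machinery and the spinlock implementation are never the culprit: here the
# corrupted byte is a page-table spinlock, so the lock code is the victim.
SKIP_PREFIXES = ("lib/dump_stack.c", "mm/kasan/", "kernel/locking/", "include/linux/spinlock.h",
                 "include/asm-generic/qspinlock.h", "arch/x86/include/asm/paravirt.h",
                 "arch/x86/include/asm/qspinlock.h")

def culprit_frame(report: KasanReport) -> Optional[Frame]:
    return next((f for f in report.frames if not f.location.startswith(SKIP_PREFIXES)), None)

def syzbot_title(report: KasanReport) -> str:
    f = culprit_frame(report)
    return f"KASAN: {report.bug_type} {report.access} in {f.func if f else 'unknown'}"

def fault_path(report: KasanReport) -> List[str]:
    """Non-inline callers from the culprit outward: the code path that took the lock."""
    f = culprit_frame(report)
    start = report.frames.index(f) if f else 0
    return [fr.func for fr in report.frames[start:] if not fr.inline]
```

Why the title names __pte_offset_map_lock rather than set_pending: the one-byte write that KASAN flags is the qspinlock implementation setting the pending bit inside memory that has already been freed back to the slab, and that write happens while spin_lock is taken on behalf of __pte_offset_map_lock during a page fault. The lock code sits at the top of the trace, but the function that asked for the lock is the meaningful crash location, which is what the frame-skipping recovers. fault_path() then gives the fault path finish_fault / handle_mm_fault / vm_mmap_pgoff that the crash table rows below all share.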

Crashes (90):
Time | Kernel | Commit | Syzkaller | Repro | Manager | Title
2024/12/05 23:08 | linux-next | af2ea8ab7a54 | 6e50d07b | syz | ci-upstream-linux-next-kasan-gce-root | KASAN: slab-use-after-free Write in __pte_offset_map_lock
2024/06/27 16:49 | upstream | 24ca36a562d6 | 5c045c04 | - | ci-upstream-kasan-gce-selinux-root | general protection fault in __pte_offset_map_lock
2024/06/27 14:09 | upstream | 24ca36a562d6 | 5c045c04 | - | ci-upstream-kasan-gce-selinux-root | general protection fault in __pte_offset_map_lock
2024/06/27 07:12 | upstream | 24ca36a562d6 | 5c045c04 | - | ci-upstream-kasan-gce-selinux-root | general protection fault in __pte_offset_map_lock
2024/06/27 06:03 | upstream | 24ca36a562d6 | 5c045c04 | - | ci-upstream-kasan-gce-selinux-root | general protection fault in __pte_offset_map_lock
2024/06/20 14:06 | upstream | 2ccbdf43d5e7 | dac2aa43 | - | ci-upstream-kasan-gce-root | general protection fault in __pte_offset_map_lock
2024/06/19 11:15 | upstream | 2ccbdf43d5e7 | 41b7e219 | - | ci-upstream-kasan-gce-selinux-root | general protection fault in __pte_offset_map_lock
2024/06/19 09:25 | upstream | 2ccbdf43d5e7 | 41b7e219 | - | ci-upstream-kasan-gce-root | general protection fault in __pte_offset_map_lock
2024/06/18 15:34 | upstream | 2ccbdf43d5e7 | 639d6cdf | - | ci-upstream-kasan-gce-root | general protection fault in __pte_offset_map_lock
2024/06/17 09:25 | upstream | 2ccbdf43d5e7 | f429ab00 | - | ci-upstream-kasan-gce-root | general protection fault in __pte_offset_map_lock
2024/06/15 21:56 | upstream | 2ccbdf43d5e7 | f429ab00 | - | ci-upstream-kasan-gce-root | general protection fault in __pte_offset_map_lock
2024/06/15 21:54 | upstream | 2ccbdf43d5e7 | f429ab00 | - | ci-upstream-kasan-gce-root | general protection fault in __pte_offset_map_lock
2024/06/15 21:53 | upstream | 2ccbdf43d5e7 | f429ab00 | - | ci-upstream-kasan-gce-root | general protection fault in __pte_offset_map_lock
2024/06/15 21:45 | upstream | 2ccbdf43d5e7 | f429ab00 | - | ci-upstream-kasan-gce-root | general protection fault in __pte_offset_map_lock
2024/06/15 21:45 | upstream | 2ccbdf43d5e7 | f429ab00 | - | ci-upstream-kasan-gce-root | general protection fault in __pte_offset_map_lock
2024/06/15 21:25 | upstream | 2ccbdf43d5e7 | f429ab00 | - | ci-upstream-kasan-gce-selinux-root | general protection fault in __pte_offset_map_lock
2024/06/15 21:03 | upstream | 2ccbdf43d5e7 | f429ab00 | - | ci-upstream-kasan-gce-selinux-root | general protection fault in __pte_offset_map_lock
2024/06/15 20:50 | upstream | 2ccbdf43d5e7 | f429ab00 | - | ci-upstream-kasan-gce-selinux-root | general protection fault in __pte_offset_map_lock
2024/06/15 20:45 | upstream | 2ccbdf43d5e7 | f429ab00 | - | ci-upstream-kasan-gce-selinux-root | general protection fault in __pte_offset_map_lock
2024/05/29 07:33 | upstream | e0cce98fe279 | 34889ee3 | - | ci-upstream-kasan-gce | general protection fault in __pte_offset_map_lock
2024/05/28 12:31 | upstream | 2bfcfd584ff5 | f550015e | - | ci-upstream-kasan-gce-root | general protection fault in __pte_offset_map_lock
2024/05/23 22:06 | upstream | 8f6a15f095a6 | 8f98448e | - | ci-upstream-kasan-gce-root | general protection fault in __pte_offset_map_lock
2024/05/21 17:52 | upstream | 8f6a15f095a6 | 1014eca7 | - | ci-upstream-kasan-gce-selinux-root | general protection fault in __pte_offset_map_lock
2024/05/18 15:49 | upstream | 4b377b4868ef | c0f1611a | - | ci-upstream-kasan-gce-smack-root | general protection fault in __pte_offset_map_lock
2024/05/16 12:28 | upstream | 3c999d1ae3c7 | ef5d53ed | - | ci-upstream-kasan-gce-root | general protection fault in __pte_offset_map_lock
2024/05/16 12:10 | upstream | 3c999d1ae3c7 | ef5d53ed | - | ci-upstream-kasan-gce | general protection fault in __pte_offset_map_lock
2024/05/15 16:53 | upstream | 1b294a1f3561 | 0b3dad46 | - | ci-upstream-kasan-gce-root | general protection fault in __pte_offset_map_lock
2024/05/14 17:54 | upstream | a5131c3fdf26 | fdb4c10c | - | ci-upstream-kasan-gce | general protection fault in __pte_offset_map_lock
2024/05/12 03:37 | upstream | cf87f46fd34d | 9026e142 | - | ci-upstream-kasan-gce-root | general protection fault in __pte_offset_map_lock
2024/05/11 22:04 | upstream | cf87f46fd34d | 9026e142 | - | ci-upstream-kasan-gce-smack-root | general protection fault in __pte_offset_map_lock
2024/05/11 16:36 | upstream | cf87f46fd34d | 9026e142 | - | ci-upstream-kasan-gce | general protection fault in __pte_offset_map_lock
2024/05/10 13:52 | upstream | 448b3fe5a0ea | f7c35481 | - | ci-upstream-kasan-gce-selinux-root | general protection fault in __pte_offset_map_lock
2024/05/10 06:01 | upstream | 448b3fe5a0ea | de979bc2 | - | ci-upstream-kasan-gce | general protection fault in __pte_offset_map_lock
2024/05/09 21:45 | upstream | 45db3ab70092 | de979bc2 | - | ci-upstream-kasan-gce-root | general protection fault in __pte_offset_map_lock
2024/05/09 20:45 | upstream | 45db3ab70092 | de979bc2 | - | ci-upstream-kasan-gce-selinux-root | general protection fault in __pte_offset_map_lock
2024/05/08 20:16 | upstream | 6d7ddd805123 | 4cf3f9b3 | - | ci-upstream-kasan-gce-root | general protection fault in __pte_offset_map_lock
2024/05/04 06:31 | upstream | 3d25a941ea50 | 610f2a54 | - | ci-upstream-kasan-badwrites-root | general protection fault in __pte_offset_map_lock
2024/05/03 20:14 | upstream | f03359bca01b | 375d4445 | syz | ci-upstream-kasan-gce | general protection fault in __pte_offset_map_lock
2024/07/09 13:51 | upstream | 4376e966ecb7 | 79d68ada | - | ci-upstream-kasan-gce-386 | general protection fault in __pte_offset_map_lock
2024/05/07 21:39 | upstream | dccb07f2914c | cb2dcc0e | - | ci-upstream-kasan-gce-386 | general protection fault in __pte_offset_map_lock
2024/08/07 10:37 | upstream | d4560686726f | 9f487301 | - | ci-qemu-upstream | general protection fault in __pte_offset_map_lock
2024/08/02 11:09 | upstream | c0ecd6388360 | 1e9c4cf3 | - | ci-qemu-upstream | general protection fault in __pte_offset_map_lock
2024/06/20 20:56 | upstream | 50736169ecc8 | c2e07261 | - | ci-qemu-upstream | general protection fault in __pte_offset_map_lock
2024/05/07 01:37 | upstream | ee5b455b0ada | fa7a5cf0 | - | ci-qemu-upstream | general protection fault in __pte_offset_map_lock
2024/06/19 00:42 | upstream | 2ccbdf43d5e7 | c2e07261 | - | ci-qemu-upstream-386 | general protection fault in __pte_offset_map_lock
2024/06/16 06:13 | upstream | 2ccbdf43d5e7 | c2e07261 | - | ci-qemu-upstream-386 | general protection fault in __pte_offset_map_lock
2024/07/05 07:55 | linux-next | 0b58e108042b | dc6bbff0 | - | ci-upstream-linux-next-kasan-gce-root | general protection fault in __pte_offset_map_lock
2024/12/11 01:44 | linux-next | af2ea8ab7a54 | cfc402b4 | - | ci-upstream-linux-next-kasan-gce-root | KASAN: slab-use-after-free Write in __pte_offset_map_lock
2024/12/10 13:41 | linux-next | af2ea8ab7a54 | cfc402b4 | - | ci-upstream-linux-next-kasan-gce-root | KASAN: slab-use-after-free Read in __pte_offset_map_lock
2024/12/10 07:57 | linux-next | af2ea8ab7a54 | cfc402b4 | - | ci-upstream-linux-next-kasan-gce-root | KASAN: slab-use-after-free Write in __pte_offset_map_lock
2024/12/09 22:17 | linux-next | af2ea8ab7a54 | 9ac0fdc6 | - | ci-upstream-linux-next-kasan-gce-root | KASAN: slab-use-after-free Write in __pte_offset_map_lock
2024/12/09 20:07 | linux-next | af2ea8ab7a54 | 9ac0fdc6 | - | ci-upstream-linux-next-kasan-gce-root | KASAN: slab-use-after-free Read in __pte_offset_map_lock
2024/12/09 11:27 | linux-next | af2ea8ab7a54 | 9ac0fdc6 | - | ci-upstream-linux-next-kasan-gce-root | KASAN: slab-use-after-free Write in __pte_offset_map_lock
2024/12/09 06:57 | linux-next | af2ea8ab7a54 | 9ac0fdc6 | - | ci-upstream-linux-next-kasan-gce-root | KASAN: slab-use-after-free Write in __pte_offset_map_lock
2024/12/09 04:59 | linux-next | af2ea8ab7a54 | 9ac0fdc6 | - | ci-upstream-linux-next-kasan-gce-root | KASAN: slab-use-after-free Read in __pte_offset_map_lock
2024/12/09 02:37 | linux-next | af2ea8ab7a54 | 9ac0fdc6 | - | ci-upstream-linux-next-kasan-gce-root | KASAN: slab-use-after-free Write in __pte_offset_map_lock
2024/12/08 21:20 | linux-next | af2ea8ab7a54 | 9ac0fdc6 | - | ci-upstream-linux-next-kasan-gce-root | KASAN: slab-use-after-free Write in __pte_offset_map_lock
2024/12/07 10:20 | linux-next | af2ea8ab7a54 | 9ac0fdc6 | - | ci-upstream-linux-next-kasan-gce-root | KASAN: slab-use-after-free Read in __pte_offset_map_lock
2024/12/07 10:17 | linux-next | af2ea8ab7a54 | 9ac0fdc6 | - | ci-upstream-linux-next-kasan-gce-root | KASAN: slab-use-after-free Write in __pte_offset_map_lock
2024/12/06 15:35 | linux-next | af2ea8ab7a54 | 9ac0fdc6 | - | ci-upstream-linux-next-kasan-gce-root | KASAN: slab-use-after-free Write in __pte_offset_map_lock
2024/12/06 04:12 | linux-next | af2ea8ab7a54 | 946d28f0 | - | ci-upstream-linux-next-kasan-gce-root | KASAN: slab-use-after-free Write in __pte_offset_map_lock
2024/12/05 23:35 | linux-next | af2ea8ab7a54 | 6e50d07b | syz, C | ci-upstream-linux-next-kasan-gce-root | KASAN: slab-use-after-free Write in __pte_offset_map_lock
2024/12/05 22:54 | linux-next | af2ea8ab7a54 | 6e50d07b | syz, C | ci-upstream-linux-next-kasan-gce-root | KASAN: slab-use-after-free Write in __pte_offset_map_lock
2024/12/05 17:38 | linux-next | af2ea8ab7a54 | 6e50d07b | - | ci-upstream-linux-next-kasan-gce-root | KASAN: slab-use-after-free Write in __pte_offset_map_lock
2024/05/31 02:42 | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | fda5695d692c | 34889ee3 | - | ci-upstream-gce-arm64 | BUG: unable to handle kernel paging request in __pte_offset_map_lock
2024/05/08 04:36 | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | 1c9135d29e9e | 4cf3f9b3 | - | ci-upstream-gce-arm64 | BUG: unable to handle kernel paging request in __pte_offset_map_lock
2024/05/03 15:15 | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | 6a71d2909427 | 375d4445 | syz, C | ci-upstream-gce-arm64 | BUG: unable to handle kernel paging request in __pte_offset_map_lock
2024/05/03 04:55 | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | 6a71d2909427 | ddfc15a1 | syz (mounted in repro) | ci-upstream-gce-arm64 | BUG: unable to handle kernel paging request in __pte_offset_map_lock