syzbot


BUG: unable to handle kernel paging request in clear_page_erms (4)

Status: auto-closed as invalid on 2022/01/23 00:56
Subsystems: mm arch
Reported-by: syzbot+1d31a1e01bc7df57fe44@syzkaller.appspotmail.com
First crash: 886d, last: 886d
Similar bugs (5)

Kernel     | Title                                                              | Subsystems | Repro | Cause bisect | Fix bisect | Count | Last  | Reported | Patched | Status
upstream   | BUG: unable to handle kernel paging request in clear_page_erms (3) | mm         |       |              |            | 2     | 991d  | 998d     | 0/26    | auto-closed as invalid on 2021/10/09 21:56
linux-4.19 | BUG: unable to handle kernel paging request in clear_page_erms     |            |       |              |            | 1     | 814d  | 814d     | 0/1     | auto-closed as invalid on 2022/05/04 22:20
upstream   | BUG: unable to handle kernel paging request in clear_page_erms (2) | mm         |       |              |            | 1     | 1065d | 1047d    | 0/26    | auto-closed as invalid on 2021/06/28 09:14
upstream   | BUG: unable to handle kernel paging request in clear_page_erms (5) | mm         |       |              |            | 4     | 56d   | 157d     | 0/26    | moderation: reported on 2023/10/23 23:39
upstream   | BUG: unable to handle kernel paging request in clear_page_erms     | mm         |       |              |            | 1     | 1422d | 1418d    | 0/26    | auto-closed as invalid on 2020/08/05 10:45

Sample crash report:
BUG: unable to handle page fault for address: ffff888142bbc000
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 10e01067 P4D 10e01067 PUD 146fb7063 PMD 12a063 PTE 0
Oops: 0002 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 8018 Comm: syz-executor.2 Not tainted 5.15.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:clear_page_erms+0x7/0x10
Code: 48 89 47 18 48 89 47 20 48 89 47 28 48 89 47 30 48 89 47 38 48 8d 7f 40 75 d9 90 c3 0f 1f 80 00 00 00 00 b9 00 10 00 00 31 c0 <f3> aa c3 cc cc cc cc cc cc 55 41 57 41 56 41 55 41 54 53 48 83 ec
RSP: 0018:ffffc900062370e0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff8880b1c216b8 RCX: 0000000000001000
RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff888142bbc000
RBP: 1ffff110163842d7 R08: dffffc0000000000 R09: ffffed1028577800
R10: fffff94000a15de7 R11: 0000000000000000 R12: 0000000000000001
R13: 0005088000000000 R14: ffffea00050aef00 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff888142bbc000 CR3: 000000003a28d000 CR4: 00000000003506e0
Call Trace:
 clear_page arch/x86/include/asm/page_64.h:49 [inline]
 clear_highpage include/linux/highmem.h:181 [inline]
 kernel_init_free_pages+0x8c/0x100 mm/page_alloc.c:1278
 post_alloc_hook+0x102/0x220 mm/page_alloc.c:2414
 prep_new_page mm/page_alloc.c:2424 [inline]
 get_page_from_freelist+0x779/0xa30 mm/page_alloc.c:4153
 __alloc_pages+0x255/0x580 mm/page_alloc.c:5375
 __get_free_pages+0x8/0x30 mm/page_alloc.c:5412
 tlb_next_batch mm/mmu_gather.c:29 [inline]
 __tlb_remove_page_size+0x1f5/0x3d0 mm/mmu_gather.c:83
 __tlb_remove_page include/asm-generic/tlb.h:440 [inline]
 zap_pte_range+0x9b0/0x1b90 mm/memory.c:1365
 zap_pmd_range mm/memory.c:1481 [inline]
 zap_pud_range mm/memory.c:1510 [inline]
 zap_p4d_range mm/memory.c:1531 [inline]
 unmap_page_range+0x745/0xa20 mm/memory.c:1552
 unmap_vmas+0x202/0x390 mm/memory.c:1629
 exit_mmap+0x3c6/0x6f0 mm/mmap.c:3171
 __mmput+0x111/0x3a0 kernel/fork.c:1115
 exit_mm+0x63e/0x7a0 kernel/exit.c:501
 do_exit+0x682/0x24e0 kernel/exit.c:812
 do_group_exit+0x168/0x2d0 kernel/exit.c:922
 get_signal+0x16b0/0x2090 kernel/signal.c:2855
 arch_do_signal_or_restart+0x9c/0x730 arch/x86/kernel/signal.c:865
 handle_signal_work kernel/entry/common.c:148 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
 exit_to_user_mode_prepare+0x191/0x220 kernel/entry/common.c:207
 __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
 syscall_exit_to_user_mode+0x2e/0x70 kernel/entry/common.c:300
 do_syscall_64+0x53/0xd0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f6065e0aa39
Code: Unable to access opcode bytes at RIP 0x7f6065e0aa0f.
RSP: 002b:00007f6063380218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: 0000000000000001 RBX: 00007f6065f0df68 RCX: 00007f6065e0aa39
RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00007f6065f0df6c
RBP: 00007f6065f0df60 R08: 000000000000000e R09: 0000000000000000
R10: 0000000000000040 R11: 0000000000000246 R12: 00007f6065f0df6c
R13: 00007ffcc282387f R14: 00007f6063380300 R15: 0000000000022000
Modules linked in:
CR2: ffff888142bbc000
---[ end trace 02cb942355cce065 ]---
RIP: 0010:clear_page_erms+0x7/0x10
Code: 48 89 47 18 48 89 47 20 48 89 47 28 48 89 47 30 48 89 47 38 48 8d 7f 40 75 d9 90 c3 0f 1f 80 00 00 00 00 b9 00 10 00 00 31 c0 <f3> aa c3 cc cc cc cc cc cc 55 41 57 41 56 41 55 41 54 53 48 83 ec
RSP: 0018:ffffc900062370e0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff8880b1c216b8 RCX: 0000000000001000
RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff888142bbc000
RBP: 1ffff110163842d7 R08: dffffc0000000000 R09: ffffed1028577800
R10: fffff94000a15de7 R11: 0000000000000000 R12: 0000000000000001
R13: 0005088000000000 R14: ffffea00050aef00 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff888142bbc000 CR3: 000000003a28d000 CR4: 00000000003506e0
----------------
Code disassembly (best guess):
   0:	48 89 47 18          	mov    %rax,0x18(%rdi)
   4:	48 89 47 20          	mov    %rax,0x20(%rdi)
   8:	48 89 47 28          	mov    %rax,0x28(%rdi)
   c:	48 89 47 30          	mov    %rax,0x30(%rdi)
  10:	48 89 47 38          	mov    %rax,0x38(%rdi)
  14:	48 8d 7f 40          	lea    0x40(%rdi),%rdi
  18:	75 d9                	jne    0xfffffff3
  1a:	90                   	nop
  1b:	c3                   	retq
  1c:	0f 1f 80 00 00 00 00 	nopl   0x0(%rax)
  23:	b9 00 10 00 00       	mov    $0x1000,%ecx
  28:	31 c0                	xor    %eax,%eax
* 2a:	f3 aa                	rep stos %al,%es:(%rdi) <-- trapping instruction
  2c:	c3                   	retq
  2d:	cc                   	int3
  2e:	cc                   	int3
  2f:	cc                   	int3
  30:	cc                   	int3
  31:	cc                   	int3
  32:	cc                   	int3
  33:	55                   	push   %rbp
  34:	41 57                	push   %r15
  36:	41 56                	push   %r14
  38:	41 55                	push   %r13
  3a:	41 54                	push   %r12
  3c:	53                   	push   %rbx
  3d:	48                   	rex.W
  3e:	83                   	.byte 0x83
  3f:	ec                   	in     (%dx),%al
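The report above gives everything a first-pass triager needs, but reading it by hand is error-prone. The following helper is an added example, not part of the syzbot report or of the kernel: it parses the report's own lines (embedded as a constructed sample, copied verbatim from the dump above), decodes the #PF error code according to the x86 architectural bit layout (Intel SDM vol. 3, section 4.7), cross-checks the faulting address against CR2 and RDI, and, for a fault inside `rep stosb`, uses the fact that RCX counts down from the value loaded by the preceding `mov $imm32,%ecx` to compute how many bytes had been stored before the trap. Function and key names (`triage`, `decode_pf_error_code`, `executed`, `bytes_stored`) are this example's own choices.

```python
"""Triage helper for an x86-64 "unable to handle page fault" oops.

Added example, not part of the syzbot report or of the kernel. It parses the
report lines embedded below (a constructed sample, copied verbatim from the
crash report above) and answers the first questions a triager asks about such
a fault: what kind of access trapped, on which address, and how far the
trapping instruction had progressed.
"""
import re

# Constructed sample input: the relevant lines of the crash report above.
OOPS = """\
BUG: unable to handle page fault for address: ffff888142bbc000
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
RIP: 0010:clear_page_erms+0x7/0x10
Code: 48 89 47 18 48 89 47 20 48 89 47 28 48 89 47 30 48 89 47 38 48 8d 7f 40 75 d9 90 c3 0f 1f 80 00 00 00 00 b9 00 10 00 00 31 c0 <f3> aa c3 cc cc cc cc cc cc 55 41 57 41 56 41 55 41 54 53 48 83 ec
RAX: 0000000000000000 RBX: ffff8880b1c216b8 RCX: 0000000000001000
RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff888142bbc000
CR2: ffff888142bbc000 CR3: 000000003a28d000 CR4: 00000000003506e0
"""

REG_RE = re.compile(r"\b([A-Z][A-Z0-9]{1,2}):\s*([0-9a-f]{16})\b")


def decode_pf_error_code(code):
    """Decode the x86 #PF error code bits (Intel SDM vol. 3, section 4.7)."""
    return {
        "present": bool(code & 0x01),   # 0: page not present, 1: protection violation
        "write": bool(code & 0x02),     # 0: read access, 1: write access
        "user": bool(code & 0x04),      # 0: supervisor (kernel) mode, 1: user mode
        "reserved_bit": bool(code & 0x08),
        "instruction_fetch": bool(code & 0x10),
        "protection_key": bool(code & 0x20),
    }


def parse_registers(text):
    """Map register names to values from the 'RAX: ... RBX: ...' lines."""
    return {name: int(val, 16) for name, val in REG_RE.findall(text)}


def parse_rip(text):
    """Return (symbol, offset, size) from 'RIP: 0010:sym+0xoff/0xsize'."""
    m = re.search(r"^RIP: [0-9a-f]{4}:(\w+)\+0x([0-9a-f]+)/0x([0-9a-f]+)", text, re.M)
    return m.group(1), int(m.group(2), 16), int(m.group(3), 16)


def parse_code_bytes(text):
    """Split the 'Code:' dump into bytes before RIP and bytes from RIP on.

    The kernel prints a window of instruction bytes around RIP and marks
    the byte at RIP itself as <xx>.
    """
    toks = re.search(r"^Code:\s*(.*)$", text, re.M).group(1).split()
    before, after = [], []
    for tok in toks:
        if tok.startswith("<") or after:
            after.append(int(tok.strip("<>"), 16))
        else:
            before.append(int(tok, 16))
    return bytes(before), bytes(after)


def triage(text):
    """Summarise the fault: access type, address consistency, progress of the trap."""
    regs = parse_registers(text)
    fault_addr = int(re.search(r"page fault for address: ([0-9a-f]+)", text).group(1), 16)
    err = int(re.search(r"error_code\((0x[0-9a-f]+)\)", text).group(1), 16)
    sym, off, size = parse_rip(text)
    before, after = parse_code_bytes(text)

    # RIP = sym+off, so the last `off` bytes printed before RIP are the
    # instructions of this function that executed before the trap.
    executed = before[-off:] if off else b""
    result = {
        "symbol": sym, "offset": off, "size": size,
        "fault_addr": fault_addr,
        "page_aligned": fault_addr % 0x1000 == 0,
        "cr2_matches": regs["CR2"] == fault_addr,
        "rdi_matches": regs["RDI"] == fault_addr,   # RDI is the destination of a string store
        "error": decode_pf_error_code(err),
        "executed": executed.hex(" "),
        "trapping": after[:2].hex(" "),
        "rep_count": None,
        "bytes_stored": None,
    }
    # If the trap is in 'rep stosb' (f3 aa) preceded by 'mov $imm32,%ecx' (b9 imm32),
    # RCX counts down from imm32, so imm32 - RCX is the number of bytes written
    # before the fault. Zero means the very first store to the page trapped.
    if after[:2] == b"\xf3\xaa" and executed[:1] == b"\xb9":
        result["rep_count"] = int.from_bytes(executed[1:5], "little")
        result["bytes_stored"] = result["rep_count"] - regs["RCX"]
    return result


if __name__ == "__main__":
    for key, value in triage(OOPS).items():
        print(f"{key}: {value}")
```

Run against the dump above, the helper reports a supervisor write to a not-present, page-aligned address that equals both CR2 and RDI, with `mov $0x1000,%ecx; xor %eax,%eax` (7 bytes, matching `clear_page_erms+0x7`) executed before the `rep stosb` trapped, and RCX still at 0x1000: no byte of the page was written, so the first store into the freshly allocated page hit a direct-map mapping with no PTE (consistent with the `PTE 0` line in the report).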

Crashes (1):

Time             | Kernel   | Commit       | Syzkaller | Config  | Log         | Report | Syz repro | C repro | VM info | Assets | Manager                          | Title
2021/10/25 00:55 | upstream | 6c62666d8879 | 282f03fb  | .config | console log | report |           |         | info    |        | ci-upstream-kasan-gce-smack-root | BUG: unable to handle kernel paging request in clear_page_erms