From: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
To: Harry Yoo <harry.yoo@oracle.com>
Cc: "David Hildenbrand (Red Hat)" <david@kernel.org>,
	Jeongjun Park <aha310510@gmail.com>,
	Liam.Howlett@oracle.com, akpm@linux-foundation.org,
	jannh@google.com, linux-kernel@vger.kernel.org,
	linux-mm@kvack.org, riel@surriel.com,
	syzbot+b165fc2e11771c66d8ba@syzkaller.appspotmail.com,
	syzkaller-bugs@googlegroups.com, vbabka@suse.cz
Subject: Re: [syzbot] [mm?] WARNING in folio_remove_rmap_ptes
Date: Fri, 2 Jan 2026 17:46:28 +0000
Message-ID: <99a5ca7c-006a-443f-909b-d6375164412e@lucifer.local>
In-Reply-To: <75ba8e22-9f00-489b-989a-373d374244f5@lucifer.local>

OK I now have a sane repro. It doesn't require a race, not even MAP_PRIVATE
file-backed VMAs, it just requires the problematic merge to occur.

This triggers both for KASAN (doesn't even need iteration) and with sufficient
iterations (to avoid re-use of anon_vma I guess?) triggers Jann's assert.

If you're using a >=6.17 kernel in your host, I recommend you don't run this
locally but rather in a VM :P

Requires CONFIG_DEBUG_VM or CONFIG_KASAN to be visible.

Will follow up with proper patch. Not sure a test makes sense as we can't really
assert anything sane here, will perhaps include in commit message instead.

Cheers, Lorenzo


#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/mman.h>

#define RESERVED_PGS	(100)
#define VMA_A_PGS	(10)
#define VMA_B_PGS	(10)
#define NUM_ITERS	(1000)

static void trigger_bug(void)
{
	unsigned long page_size = sysconf(_SC_PAGE_SIZE);
	char *reserved, *ptr_a, *ptr_b;

	/*
	 * The goal here is to achieve:
	 *
	 * mremap() with MREMAP_DONTUNMAP such that A and B merge:
	 *
	 *      |-------------------------|
	 *      |                         |
	 *      |    |-----------|   |---------|
	 *      v    | unfaulted |   | faulted |
	 *           |-----------|   |---------|
	 *                 B              A
	 *
	 * Then unmap VMA A to trigger the bug.
	 */

	/* Reserve a region of memory to operate in. */
	reserved = mmap(NULL, RESERVED_PGS * page_size, PROT_NONE,
			MAP_PRIVATE | MAP_ANON, -1, 0);
	if (reserved == MAP_FAILED) {
		perror("mmap reserved");
		exit(EXIT_FAILURE);
	}

	/* Map VMA A into place. */
	ptr_a = mmap(&reserved[page_size], VMA_A_PGS * page_size,
		     PROT_READ | PROT_WRITE,
		     MAP_PRIVATE | MAP_ANON | MAP_FIXED, -1, 0);
	if (ptr_a == MAP_FAILED) {
		perror("mmap VMA A");
		exit(EXIT_FAILURE);
	}
	/* Fault it in. */
	ptr_a[0] = 'x';

	/*
	 * Now move it out of the way so we can place VMA B in position,
	 * unfaulted.
	 */
	ptr_a = mremap(ptr_a, VMA_A_PGS * page_size, VMA_A_PGS * page_size,
		       MREMAP_FIXED | MREMAP_MAYMOVE, &reserved[50 * page_size]);
	if (ptr_a == MAP_FAILED) {
		perror("mremap VMA A out of the way");
		exit(EXIT_FAILURE);
	}

	/* Map VMA B into place. */
	ptr_b = mmap(&reserved[page_size + VMA_A_PGS * page_size], VMA_B_PGS * page_size,
		     PROT_READ | PROT_WRITE,
		     MAP_PRIVATE | MAP_ANON | MAP_FIXED, -1, 0);
	if (ptr_b == MAP_FAILED) {
		perror("mmap VMA B");
		exit(EXIT_FAILURE);
	}

	/* Now move VMA A into position with MREMAP_DONTUNMAP to trigger the bug. */
	ptr_a = mremap(ptr_a, VMA_A_PGS * page_size, VMA_A_PGS * page_size,
		       MREMAP_FIXED | MREMAP_MAYMOVE | MREMAP_DONTUNMAP,
		       &reserved[page_size]);
	if (ptr_a == MAP_FAILED) {
		perror("mremap VMA A with MREMAP_DONTUNMAP");
		exit(EXIT_FAILURE);
	}

	/* Finally, unmap VMA A which should trigger the bug. */
	munmap(ptr_a, VMA_A_PGS * page_size);

	/* Cleanup in case bug didn't trigger sufficiently visibly... */
	munmap(reserved, RESERVED_PGS * page_size);
}

int main(void)
{
	int i;

	for (i = 0; i < NUM_ITERS; i++)
		trigger_bug();

	return EXIT_SUCCESS;
}
