Subject: Re: [syzbot] [mm?] general protection fault in do_migrate_pages
From: David Hildenbrand <david@redhat.com>
To: syzbot, akpm@linux-foundation.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, syzkaller-bugs@googlegroups.com
Date: Wed, 20 Nov 2024 19:38:39 +0100
References: <673d2696.050a0220.3c9d61.012f.GAE@google.com> <13aa3ca2-00a3-4b9f-a052-261d873f017d@redhat.com> <252adf0e-9a0b-4419-88eb-e94adc5c2320@redhat.com>
In-Reply-To: <252adf0e-9a0b-4419-88eb-e94adc5c2320@redhat.com>
Organization: Red Hat

On 20.11.24 19:11, David Hildenbrand wrote:
> On 20.11.24 17:39, David Hildenbrand wrote:
>> On 20.11.24 16:38, David Hildenbrand wrote:
>>> On 20.11.24 01:00, syzbot wrote:
>>>> Hello,
>>>>
>>>> syzbot found the following issue on:
>>>>
>>>> HEAD commit:    f868cd251776 Merge tag 'drm-fixes-2024-11-16' of https://g..
>>>> git tree:       upstream
>>>> console output: https://syzkaller.appspot.com/x/log.txt?x=15473cc0580000
>>>> kernel config:  https://syzkaller.appspot.com/x/.config?x=ff8e8187a30080b5
>>>> dashboard link: https://syzkaller.appspot.com/bug?extid=3511625422f7aa637f0d
>>>> compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
>>>> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=17e8d130580000
>>>> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=159c71a7980000
>>>>
>>>> Downloadable assets:
>>>> disk image: https://storage.googleapis.com/syzbot-assets/a0d46da55993/disk-f868cd25.raw.xz
>>>> vmlinux: https://storage.googleapis.com/syzbot-assets/da57ef4813fd/vmlinux-f868cd25.xz
>>>> kernel image: https://storage.googleapis.com/syzbot-assets/3cdde892ea08/bzImage-f868cd25.xz
>>>>
>>>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
>>>> Reported-by: syzbot+3511625422f7aa637f0d@syzkaller.appspotmail.com
>>>>
>>>> Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI
>>>> KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
>>>> CPU: 1 UID: 0 PID: 6021 Comm: syz-executor284 Not tainted 6.12.0-rc7-syzkaller-00187-gf868cd251776 #0
>>>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024
>>>> RIP: 0010:migrate_to_node mm/mempolicy.c:1090 [inline]
>>>> RIP: 0010:do_migrate_pages+0x403/0x6f0 mm/mempolicy.c:1194
>>>> Code: 8b 54 24 30 41 83 c8 10 80 3a 00 4d 63 c0 0f 85 d1 02 00 00 48 89 c1 48 8b 54 24 18 48 be 00 00 00 00 00 fc ff df 48 c1 e9 03 <80> 3c 31 00 48 8b 92 b0 00 00 00 0f 85 74 02 00 00 48 8b 30 49 89
>>>> RSP: 0018:ffffc9000375fd08 EFLAGS: 00010246
>>>> RAX: 0000000000000000 RBX: ffffc9000375fd78 RCX: 0000000000000000
>>>> RDX: ffff88807e171300 RSI: dffffc0000000000 RDI: ffff88803390c044
>>>> RBP: ffff88807e171428 R08: 0000000000000014 R09: fffffbfff2039ef1
>>>> R10: ffffffff901cf78f R11: 0000000000000000 R12: 0000000000000003
>>>> R13: ffffc9000375fe90 R14: ffffc9000375fe98 R15: ffffc9000375fdf8
>>>> FS:  00005555919e1380(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
>>>> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>>>> CR2: 00005555919e1ca8 CR3: 000000007f12a000 CR4: 00000000003526f0
>>>> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
>>>> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
>>>> Call Trace:
>>>>
>>>>  kernel_migrate_pages+0x5b2/0x750 mm/mempolicy.c:1709
>>>>  __do_sys_migrate_pages mm/mempolicy.c:1727 [inline]
>>>>  __se_sys_migrate_pages mm/mempolicy.c:1723 [inline]
>>>>  __x64_sys_migrate_pages+0x96/0x100 mm/mempolicy.c:1723
>>>>  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>>>>  do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
>>>>  entry_SYSCALL_64_after_hwframe+0x77/0x7f
>>>> RIP: 0033:0x7fedcca74af9
>>>> Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
>>>> RSP: 002b:00007ffe4d85c278 EFLAGS: 00000206 ORIG_RAX: 0000000000000100
>>>> RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fedcca74af9
>>>> RDX: 0000000020000000 RSI: 000000000000005a RDI: 0000000000001786
>>>> RBP: 0000000000010bf2 R08: 0000000000006080 R09: 0000000000000006
>>>> R10: 0000000020000040 R11: 0000000000000206 R12: 00007ffe4d85c28c
>>>> R13: 431bde82d7b634db R14: 0000000000000001 R15: 0000000000000001
>>>>
>>>> Modules linked in:
>>>> ---[ end trace 0000000000000000 ]---
>>>> RIP: 0010:migrate_to_node mm/mempolicy.c:1090 [inline]
>>>> RIP: 0010:do_migrate_pages+0x403/0x6f0 mm/mempolicy.c:1194
>>>> Code: 8b 54 24 30 41 83 c8 10 80 3a 00 4d 63 c0 0f 85 d1 02 00 00 48 89 c1 48 8b 54 24 18 48 be 00 00 00 00 00 fc ff df 48 c1 e9 03 <80> 3c 31 00 48 8b 92 b0 00 00 00 0f 85 74 02 00 00 48 8b 30 49 89
>>>> RSP: 0018:ffffc9000375fd08 EFLAGS: 00010246
>>>> RAX: 0000000000000000 RBX: ffffc9000375fd78 RCX: 0000000000000000
>>>> RDX: ffff88807e171300 RSI: dffffc0000000000 RDI: ffff88803390c044
>>>> RBP: ffff88807e171428 R08: 0000000000000014 R09: fffffbfff2039ef1
>>>> R10: ffffffff901cf78f R11: 0000000000000000 R12: 0000000000000003
>>>> R13: ffffc9000375fe90 R14: ffffc9000375fe98 R15: ffffc9000375fdf8
>>>> FS:  00005555919e1380(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
>>>> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>>>> CR2: 00005555919e1ca8 CR3: 000000007f12a000 CR4: 00000000003526f0
>>>> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
>>>> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
>>>> ----------------
>>>> Code disassembly (best guess):
>>>>    0:   8b 54 24 30             mov    0x30(%rsp),%edx
>>>>    4:   41 83 c8 10             or     $0x10,%r8d
>>>>    8:   80 3a 00                cmpb   $0x0,(%rdx)
>>>>    b:   4d 63 c0                movslq %r8d,%r8
>>>>    e:   0f 85 d1 02 00 00       jne    0x2e5
>>>>   14:   48 89 c1                mov    %rax,%rcx
>>>>   17:   48 8b 54 24 18          mov    0x18(%rsp),%rdx
>>>>   1c:   48 be 00 00 00 00 00    movabs $0xdffffc0000000000,%rsi
>>>>   23:   fc ff df
>>>>   26:   48 c1 e9 03             shr    $0x3,%rcx
>>>> * 2a:   80 3c 31 00             cmpb   $0x0,(%rcx,%rsi,1) <-- trapping instruction
>>>>   2e:   48 8b 92 b0 00 00 00    mov    0xb0(%rdx),%rdx
>>>>   35:   0f 85 74 02 00 00       jne    0x2af
>>>>   3b:   48 8b 30                mov    (%rax),%rsi
>>>>   3e:   49                      rex.WB
>>>>   3f:   89                      .byte 0x89
>>>>
>>>
>>> Hmmm, there is not much meat in this report :)
>>>
>>> The reproducer seems to execute migrate_pages() in a fork'ed child
>>> process, and kills that process after a while. Not 100% sure if the
>>> concurrent killing of the process is relevant.
>>>
>>> Before the child process calls migrate_pages(), it executes
>>> MADV_DONTFORK on the complete address space (funny, I wonder what that
>>> does ...) and then calls clone3() without CLONE_VM.
>>>
>>
>> After running it for a while in a VM with the given config:
>>
>> [ 827.514143][T37171] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI
>> [ 827.516614][T37171] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
>> [ 827.518162][T37171] CPU: 4 UID: 0 PID: 37171 Comm: repro4 Not tainted 6.12.0-rc7-00187-gf868cd251776 #99
>> [ 827.519935][T37171] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014
>> [ 827.521648][T37171] RIP: 0010:do_migrate_pages+0x404/0x6e0
>> [ 827.522774][T37171] Code: 10 80 39 00 4d 63 c0 0f 85 9b 02 00 00 48 be 00 00 00 00 00 fc ff df 48 8b 4c 24 28 48 8b 91 b0 00 00 00 48 89 c1 48 c1 e9 03 <80> 3c 31 00 0f 85 95 02 00 00 48 8b 30 49 89 d9 48 8b 4c 24 08 48
>> [ 827.526342][T37171] RSP: 0018:ffffc90028157ce8 EFLAGS: 00010256
>> [ 827.527480][T37171] RAX: 0000000000000000 RBX: ffffc90028157d68 RCX: 0000000000000000
>> [ 827.528942][T37171] RDX: 00007ffffffff000 RSI: dffffc0000000000 RDI: ffff88811dcd8444
>> [ 827.530406][T37171] RBP: 0000000000000003 R08: 0000000000000014 R09: ffff88811dcd8ad8
>> [ 827.531865][T37171] R10: ffffffff903e668f R11: 0000000000000000 R12: ffffc90028157e80
>> [ 827.533341][T37171] R13: ffff8881f3a2b0a8 R14: ffffc90028157e28 R15: ffffc90028157e88
>> [ 827.534806][T37171] FS:  00007f096d49f740(0000) GS:ffff8881f4a00000(0000) knlGS:0000000000000000
>> [ 827.536452][T37171] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> [ 827.537672][T37171] CR2: 00007ff2dcb96810 CR3: 00000001eed18000 CR4: 0000000000750ef0
>> [ 827.539135][T37171] PKRU: 55555554
>> [ 827.539799][T37171] Call Trace:
>> [ 827.540407][T37171]
>> [ 827.540965][T37171]  ? die_addr.cold+0x8/0xd
>> [ 827.541823][T37171]  ? exc_general_protection+0x147/0x240
>> [ 827.542888][T37171]  ? asm_exc_general_protection+0x26/0x30
>> [ 827.543960][T37171]  ? do_migrate_pages+0x404/0x6e0
>> [ 827.544915][T37171]  ? do_migrate_pages+0x3cd/0x6e0
>> [ 827.545873][T37171]  ? __pfx_do_migrate_pages+0x10/0x10
>> [ 827.546895][T37171]  ? do_raw_spin_lock+0x12a/0x2b0
>> [ 827.547854][T37171]  ? apparmor_capable+0x11c/0x3b0
>> [ 827.548818][T37171]  ? srso_alias_return_thunk+0x5/0xfbef5
>> [ 827.549878][T37171]  ? srso_alias_return_thunk+0x5/0xfbef5
>> [ 827.550937][T37171]  ? security_capable+0x80/0x260
>> [ 827.551893][T37171]  kernel_migrate_pages+0x5b7/0x750
>> [ 827.552891][T37171]  ? __pfx_kernel_migrate_pages+0x10/0x10
>> [ 827.553975][T37171]  ? srso_alias_return_thunk+0x5/0xfbef5
>> [ 827.555028][T37171]  ? rcu_is_watching+0x12/0xc0
>> [ 827.555938][T37171]  ? srso_alias_return_thunk+0x5/0xfbef5
>> [ 827.557000][T37171]  __x64_sys_migrate_pages+0x96/0x100
>> [ 827.558022][T37171]  ? srso_alias_return_thunk+0x5/0xfbef5
>> [ 827.559077][T37171]  ? lockdep_hardirqs_on+0x7b/0x110
>> [ 827.560052][T37171]  do_syscall_64+0xc7/0x250
>> [ 827.560909][T37171]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
> .. digging further, we call migrate_pages() with the pid of a process
> we created using clone3(!CLONE_VM).
>
> The crashing code is likely:
>
>                 vma = find_vma(mm, 0);
>     722c:       e8 00 00 00 00          call   7231
>     7231:       48 8b 7c 24 28          mov    0x28(%rsp),%rdi
>     7236:       31 f6                   xor    %esi,%esi
>     7238:       e8 00 00 00 00          call   723d
>                                 flags | MPOL_MF_DISCONTIG_OK, &pagelist);
>     723d:       44 8b 44 24 3c          mov    0x3c(%rsp),%r8d
>                 nr_failed = queue_pages_range(mm, vma->vm_start, mm->task_size, &nmask,
>     7242:       48 8b 4c 24 40          mov    0x40(%rsp),%rcx
>                                 flags | MPOL_MF_DISCONTIG_OK, &pagelist);
>     7247:       41 83 c8 10             or     $0x10,%r8d
>                 nr_failed = queue_pages_range(mm, vma->vm_start, mm->task_size, &nmask,
>     724b:       80 39 00                cmpb   $0x0,(%rcx)
>     724e:       4d 63 c0                movslq %r8d,%r8
>     7251:       0f 85 9b 02 00 00       jne    74f2
>     7257:       48 be 00 00 00 00 00    movabs $0xdffffc0000000000,%rsi
>     725e:       fc ff df
>     7261:       48 8b 4c 24 28          mov    0x28(%rsp),%rcx
>     7266:       48 8b 91 b0 00 00 00    mov    0xb0(%rcx),%rdx
>     726d:       48 89 c1                mov    %rax,%rcx
>     7270:       48 c1 e9 03             shr    $0x3,%rcx
>     7274:       80 3c 31 00             cmpb   $0x0,(%rcx,%rsi,1)
>
> <--- we seem to crash here
>
>     7278:       0f 85 95 02 00 00       jne    7513
>     727e:       48 8b 30                mov    (%rax),%rsi
>     7281:       49 89 d9                mov    %rbx,%r9
>     7284:       48 8b 4c 24 08          mov    0x8(%rsp),%rcx
>     7289:       48 8b 7c 24 28          mov    0x28(%rsp),%rdi
>     728e:       e8 8d 9a ff ff          call   d20
>     7293:       48 89 44 24 30          mov    %rax,0x30(%rsp)
>     7298:       e9 c4 00 00 00          jmp    7361
>                 up_read(&mm->mmap_lock);
>     729d:       e8 00 00 00 00          call   72a2
>     72a2:       4c 89 ef                mov    %r13,%rdi
>     72a5:       e8 00 00 00 00          call   72aa
>
>
> Which would be do_migrate_pages()->migrate_to_node():
>
>         mmap_read_lock(mm);
>         vma = find_vma(mm, 0);
>         nr_failed = queue_pages_range(mm, vma->vm_start, mm->task_size, &nmask,
>                         flags | MPOL_MF_DISCONTIG_OK, &pagelist);
>         mmap_read_unlock(mm);
>
> ... and it seems to fail before calling queue_pages_range() :/
>
> Did we, for some reason, get a vma=NULL, because someone is concurrently
> tearing down the MM?

I think that's exactly what's happening. Will send a fix after testing it.

-- 
Cheers,

David / dhildenb
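Why a NULL vma surfaces as "general protection fault, probably for non-canonical address 0xdffffc0000000000" rather than a page fault at address 0: the instrumented load of vma->vm_start first checks the KASAN shadow byte, and the shadow of address 0 lies outside the canonical address range. The program below is an added example for triaging such reports, not code from this thread or from the kernel; it models the x86_64 generic KASAN shadow mapping (shift 3 and offset 0xdffffc0000000000, both visible in the quoted disassembly) and decodes the faulting shadow address back into the "KASAN: null-ptr-deref in range [0x0-0x7]" line. It assumes 4 KiB pages and the TASK_SIZE value that appears in RDX (mm->task_size) in the second oops; the decoder is a reimplementation of the kernel's classification, not the kernel's own function.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* x86_64 generic KASAN maps each 8 bytes of memory to one shadow byte at
 * (addr >> 3) + KASAN_SHADOW_OFFSET. Both constants appear in the quoted
 * trapping sequence: shr $0x3,%rcx / movabs $0xdffffc0000000000,%rsi /
 * cmpb $0x0,(%rcx,%rsi,1). */
#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL
#define KASAN_SHADOW_SCALE_SHIFT 3
#define KASAN_GRANULE_SIZE       (1ULL << KASAN_SHADOW_SCALE_SHIFT)
/* Assumed here: 4 KiB pages; TASK_SIZE equals RDX (mm->task_size) above. */
#define PAGE_SIZE                0x1000ULL
#define TASK_SIZE                0x00007ffffffff000ULL

struct kasan_fault {
    uint64_t lo, hi;        /* granule of the original access, inclusive */
    const char *bug_type;   /* classification as the oops line prints it */
};

/* Shadow byte the instrumented load/store reads before touching addr. */
uint64_t kasan_shadow_addr(uint64_t addr)
{
    return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

/* Invert the mapping for a #GP on a non-canonical address. Returns 1 and
 * fills *out when the faulting address is the shadow of some address, 0 when
 * the fault cannot come from a KASAN check (reimplementation, not kernel code). */
int kasan_decode_fault(uint64_t fault_addr, struct kasan_fault *out)
{
    /* Shadow of the whole 64-bit space spans 2^61 bytes past the offset. */
    const uint64_t shadow_span = 1ULL << (64 - KASAN_SHADOW_SCALE_SHIFT);
    uint64_t orig;

    if (fault_addr < KASAN_SHADOW_OFFSET ||
        fault_addr - KASAN_SHADOW_OFFSET >= shadow_span)
        return 0;
    orig = (fault_addr - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT;
    out->lo = orig;
    out->hi = orig + KASAN_GRANULE_SIZE - 1;
    if (orig < PAGE_SIZE)
        out->bug_type = "null-ptr-deref";
    else if (orig < TASK_SIZE)
        out->bug_type = "probably user-memory-access";
    else
        out->bug_type = "maybe wild-memory-access";
    return 1;
}

int main(void)
{
    /* Register state from the second oops: RAX (vma) is 0, RCX = RAX >> 3,
     * RSI = the shadow offset, so cmpb touches the shadow byte of address 0. */
    uint64_t rax = 0, operand = (rax >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
    struct kasan_fault f;

    printf("cmpb operand: 0x%016" PRIx64 "\n", operand);
    if (kasan_decode_fault(operand, &f))
        printf("KASAN: %s in range [0x%016" PRIx64 "-0x%016" PRIx64 "]\n",
               f.bug_type, f.lo, f.hi);
    return 0;
}
```

The same decoder turns a fault on the shadow of a user-space pointer into "probably user-memory-access", which is how the three KASAN classifications in an oops header should be read.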