On Tue, Nov 05, 2024, Andrew Morton wrote:
> (cc kvm list)
>
> On Tue, 05 Nov 2024 02:33:25 -0800 syzbot <syzbot+e985d3026c4fd041578e@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
> > Hello,
> >
> > syzbot found the following issue on:
> >
> > HEAD commit:    59b723cd2adb Linux 6.12-rc6
> > git tree:       upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=17996587980000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=11254d3590b16717
> > dashboard link: https://syzkaller.appspot.com/bug?extid=e985d3026c4fd041578e
> > compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> > userspace arch: i386
> >
> > Unfortunately, I don't have any reproducer for this issue yet.
> >
> > Downloadable assets:
> > disk image:   https://storage.googleapis.com/syzbot-assets/202d791be971/disk-59b723cd.raw.xz
> > vmlinux:      https://storage.googleapis.com/syzbot-assets/9bfa02908d87/vmlinux-59b723cd.xz
> > kernel image: https://storage.googleapis.com/syzbot-assets/93c8c8740b4d/bzImage-59b723cd.xz
> >
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+e985d3026c4fd041578e@xxxxxxxxxxxxxxxxxxxxxxxxx
> >
> > BUG: Bad page state in process syz.5.504  pfn:61f45
> > page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x61f45
> > flags: 0xfff00000080204(referenced|workingset|mlocked|node=0|zone=1|lastcpupid=0x7ff)
> > raw: 00fff00000080204 0000000000000000 dead000000000122 0000000000000000
> > raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
> > page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
> > page_owner tracks the page as allocated
> > page last allocated via order 0, migratetype Unmovable, gfp_mask 0x400dc0(GFP_KERNEL_ACCOUNT|__GFP_ZERO), pid 8443, tgid 8442 (syz.5.504), ts 201884660643, free_ts 201499827394
> >  set_page_owner include/linux/page_owner.h:32 [inline]
> >  post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1537
> >  prep_new_page mm/page_alloc.c:1545 [inline]
> >  get_page_from_freelist+0x303f/0x3190 mm/page_alloc.c:3457
> >  __alloc_pages_noprof+0x292/0x710 mm/page_alloc.c:4733
> >  alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265
> >  kvm_coalesced_mmio_init+0x1f/0xf0 virt/kvm/coalesced_mmio.c:99
> >  kvm_create_vm virt/kvm/kvm_main.c:1235 [inline]
> >  kvm_dev_ioctl_create_vm virt/kvm/kvm_main.c:5488 [inline]
> >  kvm_dev_ioctl+0x12dc/0x2240 virt/kvm/kvm_main.c:5530
> >  __do_compat_sys_ioctl fs/ioctl.c:1007 [inline]
> >  __se_compat_sys_ioctl+0x510/0xc90 fs/ioctl.c:950
> >  do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline]
> >  __do_fast_syscall_32+0xb4/0x110 arch/x86/entry/common.c:386
> >  do_fast_syscall_32+0x34/0x80 arch/x86/entry/common.c:411
> >  entry_SYSENTER_compat_after_hwframe+0x84/0x8e

...

> > If the report is a duplicate of another one, reply with:
> > #syz dup: exact-subject-of-another-report

There's already a proposed fix (and long discussion) for this issue[*], but AFAIK
there's no upstream visible report to dup this against.

Ah, yep, looks like Roman was working off a Google-internal report.  I'll point
him at this one.

[*] https://lore.kernel.org/all/20241021164837.2681358-1-roman.gushchin@xxxxxxxxx