Hello, syzbot found the following issue on: HEAD commit: 6a71d2909427 Merge branch 'for-next/core' into for-kernelci git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci console output: https://syzkaller.appspot.com/x/log.txt?x=12fa897f180000 kernel config: https://syzkaller.appspot.com/x/.config?x=fca646cf17cc616b dashboard link: https://syzkaller.appspot.com/bug?extid=f96e045d95fe10c0e800 compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 userspace arch: arm64 syz repro: https://syzkaller.appspot.com/x/repro.syz?x=159169df180000 C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15396354980000 Downloadable assets: disk image: https://storage.googleapis.com/syzbot-assets/c77d21fa1405/disk-6a71d290.raw.xz vmlinux: https://storage.googleapis.com/syzbot-assets/429fcd369816/vmlinux-6a71d290.xz kernel image: https://storage.googleapis.com/syzbot-assets/d3d8a4b85112/Image-6a71d290.gz.xz IMPORTANT: if you fix the issue, please add the following tag to the commit: Reported-by: syzbot+f96e045d95fe10c0e800@xxxxxxxxxxxxxxxxxxxxxxxxx Unable to handle kernel paging request at virtual address ffff7fbff7e00005 KASAN: probably wild-memory-access in range [0xfffffdffbf000028-0xfffffdffbf00002f] Mem abort info: ESR = 0x0000000096000007 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x07: level 3 translation fault Data abort info: ISV = 0, ISS = 0x00000007, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 swapper pgtable: 4k pages, 48-bit VAs, pgdp=00000001ad5bd000 [ffff7fbff7e00005] pgd=0000000000000000, p4d=1000000233f68003, pud=1000000233f67003, pmd=1000000233f66003, pte=0000000000000000 Internal error: Oops: 0000000096000007 [#1] PREEMPT SMP Modules linked in: CPU: 0 PID: 9675 Comm: syz-executor299 Not tainted 6.9.0-rc4-syzkaller-g6a71d2909427 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 pstate: 80401005 (Nzcv daif +PAN -UAO -TCO -DIT +SSBS BTYPE=--) pc : ptlock_ptr include/linux/mm.h:2889 [inline] pc : pte_lockptr include/linux/mm.h:2913 [inline] pc : __pte_offset_map_lock+0x15c/0x2ac mm/pgtable-generic.c:372 lr : __pte_offset_map_lock+0xe0/0x2ac sp : ffff80009ff26ea0 x29: ffff80009ff26f60 x28: fffeffffc0000000 x27: 0000000020e00000 x26: fffffdffbf000028 x25: ffff700013fe4ddc x24: ffff80009ff26f00 x23: 1ffff00013fe4de4 x22: ffff80009ff26f20 x21: ffff0000d0854838 x20: dfff800000000000 x19: 0000000000000000 x18: 1fffe00018c6a29c x17: ffff80008ee7d000 x16: ffff80008ae725bc x15: 0000000000000002 x14: ffff80008ee80668 x13: dfff800000000000 x12: 00000000afeb9c68 x11: 1fffe0001a10a907 x10: ffffc1ffc0000000 x9 : 0000000000000000 x8 : 1fffffbff7e00005 x7 : ffff800080952aac x6 : 0000000000000000 x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000002 x2 : 0000000000000008 x1 : 0000000000000000 x0 : ffff80008e8179a0 Call trace: ptlock_ptr include/linux/mm.h:2889 [inline] pte_lockptr include/linux/mm.h:2913 [inline] __pte_offset_map_lock+0x15c/0x2ac mm/pgtable-generic.c:372 pte_offset_map_lock include/linux/mm.h:2978 [inline] zap_pte_range mm/memory.c:1584 [inline] zap_pmd_range mm/memory.c:1722 [inline] zap_pud_range mm/memory.c:1751 [inline] zap_p4d_range mm/memory.c:1772 [inline] unmap_page_range+0x8a8/0x2f5c mm/memory.c:1793 unmap_single_vma mm/memory.c:1839 [inline] unmap_vmas+0x378/0x598 mm/memory.c:1883 exit_mmap+0x214/0xd74 mm/mmap.c:3267 __mmput+0xec/0x390 kernel/fork.c:1345 mmput+0x70/0xac kernel/fork.c:1367 exit_mm+0x148/0x210 kernel/exit.c:569 do_exit+0x468/0x1ac8 kernel/exit.c:865 do_group_exit+0x194/0x22c kernel/exit.c:1027 get_signal+0x1414/0x1530 kernel/signal.c:2911 do_signal+0x238/0x3e8c arch/arm64/kernel/signal.c:1308 do_notify_resume+0x74/0x1f4 arch/arm64/kernel/entry-common.c:148 exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:169 [inline] exit_to_user_mode arch/arm64/kernel/entry-common.c:178 [inline] el0_svc+0xac/0x168 arch/arm64/kernel/entry-common.c:713 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598 Code: aa09a908 8b481b48 9100a11a d343ff48 (38746908) ---[ end trace 0000000000000000 ]--- ---------------- Code disassembly (best guess): 0: aa09a908 orr x8, x8, x9, lsl #42 4: 8b481b48 add x8, x26, x8, lsr #6 8: 9100a11a add x26, x8, #0x28 c: d343ff48 lsr x8, x26, #3 * 10: 38746908 ldrb w8, [x8, x20] <-- trapping instruction --- This report is generated by a bot. It may contain errors. See https://goo.gl/tpsmEJ for more information about syzbot. syzbot engineers can be reached at syzkaller@xxxxxxxxxxxxxxxx. syzbot will keep track of this issue. See: https://goo.gl/tpsmEJ#status for how to communicate with syzbot. If the report is already addressed, let syzbot know by replying with: #syz fix: exact-commit-title If you want syzbot to run the reproducer, reply with: #syz test: git://repo/address.git branch-or-commit-hash If you attach or paste a git patch, syzbot will apply it before testing. If you want to overwrite report's subsystems, reply with: #syz set subsystems: new-subsystem (See the list of subsystem names on the web dashboard) If the report is a duplicate of another one, reply with: #syz dup: exact-subject-of-another-report If you want to undo deduplication, reply with: #syz undup
