Dear Linux Kernel Experts, Hello! I am a security researcher focused on testing Linux kernel vulnerabilities. Recently, while testing the v6.13-rc5 Linux kernel, we encountered a crash related to the mm kernel module. We have successfully captured the call trace information for this crash. Unfortunately, we have not been able to reproduce the issue in our local environment, so we are unable to provide a PoC (Proof of Concept) at this time. We fully understand the complexity and importance of Linux kernel maintenance, and we would like to share this finding with you for further analysis and confirmation of the root cause. Below is a summary of the relevant information: Kernel Version: v6.13.0-rc5 Kernel Module: mm/page_alloc.c ————————————————CallTrace———————————————— WARNING: CPU: 2 PID: 18804 at mm/page_alloc.c:4240 __alloc_pages_slowpath mm/page_alloc.c:4240 [inline] WARNING: CPU: 2 PID: 18804 at mm/page_alloc.c:4240 __alloc_pages_noprof+0x1808/0x2040 mm/page_alloc.c:4766 Modules linked in: Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:__alloc_pages_slowpath mm/page_alloc.c:4240 [inline] RIP: 0010:__alloc_pages_noprof+0x1808/0x2040 mm/page_alloc.c:4766 Code: 89 fa 48 c1 ea 03 0f b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 b3 07 00 00 f6 43 2d 08 0f 84 30 ed ff ff 90 <0f> 0b 90 e9 27 ed ff ff 44 89 4c 24 38 65 8b 15 c0 89 b2 7a 89 d2 RSP: 0018:ffff888003f8e868 EFLAGS: 00010202 RAX: 0000000000000007 RBX: ffff88813e720000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000002 RDI: ffff88813e72002c RBP: 0000000000148c48 R08: 0000000000000801 R09: 00000000000000e6 R10: 0000000000000000 R11: ffff88813fffbc40 R12: 0000000000000000 R13: 0000000000000400 R14: 0000000000148c48 R15: 0000000000000000 FS: 00007f361ea66640(0000) GS:ffff88811b300000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fecaa5cd342 CR3: 0000000111a6e000 CR4: 0000000000350ef0 Call Trace: <TASK> alloc_pages_mpol_noprof+0xda/0x300 mm/mempolicy.c:2269 folio_alloc_noprof+0x1e/0x70 mm/mempolicy.c:2355 filemap_alloc_folio_noprof+0x2b2/0x2f0 mm/filemap.c:1009 __filemap_get_folio+0x16d/0x3d0 mm/filemap.c:1951 grow_dev_folio fs/buffer.c:1039 [inline] grow_buffers fs/buffer.c:1105 [inline] __getblk_slow+0x138/0x430 fs/buffer.c:1131 bdev_getblk fs/buffer.c:1431 [inline] __bread_gfp+0xea/0x2c0 fs/buffer.c:1485 sb_bread include/linux/buffer_head.h:346 [inline] fat12_ent_bread+0x231/0x3f0 fs/fat/fatent.c:86 fat_ent_read+0x624/0xaa0 fs/fat/fatent.c:368 fat_free_clusters+0x19c/0x860 fs/fat/fatent.c:568 fat_free.isra.0+0x377/0x850 fs/fat/file.c:376 fat_truncate_blocks+0x10d/0x190 fs/fat/file.c:394 fat_free_eofblocks fs/fat/inode.c:633 [inline] fat_evict_inode+0x1b1/0x260 fs/fat/inode.c:658 evict+0x337/0x7c0 fs/inode.c:796 dispose_list fs/inode.c:845 [inline] prune_icache_sb+0x189/0x290 fs/inode.c:1033 super_cache_scan+0x33d/0x510 fs/super.c:223 do_shrink_slab mm/shrinker.c:437 [inline] shrink_slab+0x43e/0x930 mm/shrinker.c:664 shrink_node_memcgs mm/vmscan.c:5931 [inline] shrink_node+0x4dd/0x15c0 mm/vmscan.c:5970 shrink_zones mm/vmscan.c:6215 [inline] do_try_to_free_pages+0x284/0x1160 mm/vmscan.c:6277 try_to_free_pages+0x1ee/0x3e0 mm/vmscan.c:6527 __perform_reclaim mm/page_alloc.c:3929 [inline] __alloc_pages_direct_reclaim mm/page_alloc.c:3951 [inline] __alloc_pages_slowpath mm/page_alloc.c:4382 [inline] __alloc_pages_noprof+0xa48/0x2040 mm/page_alloc.c:4766 alloc_pages_mpol_noprof+0xda/0x300 mm/mempolicy.c:2269 pagetable_alloc_noprof include/linux/mm.h:2899 [inline] __pte_alloc_one_noprof include/asm-generic/pgalloc.h:70 [inline] pte_alloc_one+0x20/0x1b0 arch/x86/mm/pgtable.c:33 do_fault_around mm/memory.c:5274 [inline] do_read_fault mm/memory.c:5313 [inline] do_fault mm/memory.c:5456 [inline] do_pte_missing mm/memory.c:3979 [inline] handle_pte_fault mm/memory.c:5801 [inline] __handle_mm_fault+0x15b9/0x2380 mm/memory.c:5944 handle_mm_fault+0x1c6/0x4c0 mm/memory.c:6112 faultin_page mm/gup.c:1196 [inline] __get_user_pages+0x421/0x2550 mm/gup.c:1494 populate_vma_page_range+0x16b/0x200 mm/gup.c:1932 __mm_populate+0x1c2/0x360 mm/gup.c:2035 mm_populate include/linux/mm.h:3396 [inline] vm_mmap_pgoff+0x25d/0x2f0 mm/util.c:585 ksys_mmap_pgoff+0x5a/0x480 mm/mmap.c:542 __do_sys_mmap arch/x86/kernel/sys_x86_64.c:89 [inline] __se_sys_mmap arch/x86/kernel/sys_x86_64.c:82 [inline] __x64_sys_mmap+0x108/0x170 arch/x86/kernel/sys_x86_64.c:82 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xa6/0x1a0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f361f7a842d Code: c3 e8 97 2b 00 00 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f361ea66038 EFLAGS: 00000246 ORIG_RAX: 0000000000000009 RAX: ffffffffffffffda RBX: 00007f361f99c050 RCX: 00007f361f7a842d RDX: 0000000000000003 RSI: 0000000000b36000 RDI: 0000000020000000 RBP: 00007f361f867922 R08: ffffffffffffffff R09: 0000000000000000 R10: 0000000000008031 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000006e R14: 00007f361f99c050 R15: 00007f361ea46000 </TASK> ————————————————CallTrace———————————————— If you need more details or additional test results, please feel free to let us know. Thank you so much for your attention! Please don't hesitate to reach out if you have any suggestions or need further communication. Best regards, Luka
