On 01.08.25 12:08, syzbot wrote:
syzbot has found a reproducer for the following issue on: HEAD commit: f2d282e1dfb3 Merge tag 'bitmap-for-6.17' of https://github.. git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=11709cf0580000 kernel config: https://syzkaller.appspot.com/x/.config?x=c686e0c98d241433 dashboard link: https://syzkaller.appspot.com/bug?extid=99d4fec338b62b703891 compiler: arm-linux-gnueabi-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40 userspace arch: arm syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15e0e2a2580000 C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12a439bc580000 Downloadable assets: disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/98a89b9f34e4/non_bootable_disk-f2d282e1.raw.xz vmlinux: https://storage.googleapis.com/syzbot-assets/25cab46afcee/vmlinux-f2d282e1.xz kernel image: https://storage.googleapis.com/syzbot-assets/77cd04442f1b/zImage-f2d282e1.xz IMPORTANT: if you fix the issue, please add the following tag to the commit: Reported-by: syzbot+99d4fec338b62b703891@xxxxxxxxxxxxxxxxxxxxxxxxx ------------[ cut here ]------------ WARNING: CPU: 0 PID: 4155 at mm/highmem.c:622 kunmap_local_indexed+0x20c/0x224 mm/highmem.c:622 Modules linked in: Kernel panic - not syncing: kernel: panic_on_warn set ... CPU: 0 UID: 0 PID: 4155 Comm: syz.1.17 Not tainted 6.16.0-syzkaller #0 PREEMPT Hardware name: ARM-Versatile Express Call trace: [<80201a24>] (dump_backtrace) from [<80201b20>] (show_stack+0x18/0x1c arch/arm/kernel/traps.c:257) r7:00000000 r6:8281f77c r5:00000000 r4:8224bc00 [<80201b08>] (show_stack) from [<8021fb00>] (__dump_stack lib/dump_stack.c:94 [inline]) [<80201b08>] (show_stack) from [<8021fb00>] (dump_stack_lvl+0x54/0x7c lib/dump_stack.c:120) [<8021faac>] (dump_stack_lvl) from [<8021fb40>] (dump_stack+0x18/0x1c lib/dump_stack.c:129) r5:00000000 r4:82a76d18 [<8021fb28>] (dump_stack) from [<80202624>] (vpanic+0x10c/0x360 kernel/panic.c:440) [<80202518>] (vpanic) from [<802028ac>] (trace_suspend_resume+0x0/0xd8 kernel/panic.c:574) r7:804be014 [<80202878>] (panic) from [<802548c4>] (check_panic_on_warn kernel/panic.c:333 [inline]) [<80202878>] (panic) from [<802548c4>] (get_taint+0x0/0x1c kernel/panic.c:328) r3:8280c684 r2:00000001 r1:822326d8 r0:8223a0a0 [<80254850>] (check_panic_on_warn) from [<80254a28>] (__warn+0x80/0x188 kernel/panic.c:845) [<802549a8>] (__warn) from [<80254ca8>] (warn_slowpath_fmt+0x178/0x1f4 kernel/panic.c:872) r8:00000009 r7:82266338 r6:df985d14 r5:840d5400 r4:00000000 [<80254b34>] (warn_slowpath_fmt) from [<804be014>] (kunmap_local_indexed+0x20c/0x224 mm/highmem.c:622) r10:00000000 r9:ded86c30 r8:deb6caa4 r7:00a00000 r6:00000003 r5:840d5400 r4:ffefd000 [<804bde08>] (kunmap_local_indexed) from [<8053ace8>] (__kunmap_local include/linux/highmem-internal.h:102 [inline]) [<804bde08>] (kunmap_local_indexed) from [<8053ace8>] (move_pages_pte mm/userfaultfd.c:1457 [inline]) [<804bde08>] (kunmap_local_indexed) from [<8053ace8>] (move_pages+0xb1c/0x1a00 mm/userfaultfd.c:1860) r7:00a00000 r6:00000000 r5:8490d6ac r4:ffefb000 [<8053a1cc>] (move_pages) from [<805c401c>] (userfaultfd_move fs/userfaultfd.c:1923 [inline]) [<8053a1cc>] (move_pages) from [<805c401c>] (userfaultfd_ioctl+0x1254/0x2408 fs/userfaultfd.c:2046) r10:8425d6c0 r9:df985e98 r8:00000001 r7:21000000 r6:00000000 r5:20000040 r4:8486d000 [<805c2dc8>] (userfaultfd_ioctl) from [<8056c4d4>] (vfs_ioctl fs/ioctl.c:51 [inline]) [<805c2dc8>] (userfaultfd_ioctl) from [<8056c4d4>] (do_vfs_ioctl fs/ioctl.c:552 [inline]) [<805c2dc8>] (userfaultfd_ioctl) from [<8056c4d4>] (__do_sys_ioctl fs/ioctl.c:596 [inline]) [<805c2dc8>] (userfaultfd_ioctl) from [<8056c4d4>] (sys_ioctl+0x130/0xba0 fs/ioctl.c:584) r10:840d5400 r9:00000003 r8:8572d780 r7:20000040 r6:8572d780 r5:00000000 r4:c028aa05 [<8056c3a4>] (sys_ioctl) from [<80200060>] (ret_fast_syscall+0x0/0x1c arch/arm/mm/proc-v7.S:67) Exception stack(0xdf985fa8 to 0xdf985ff0) 5fa0: 00000000 00000000 00000003 c028aa05 20000040 00000000 5fc0: 00000000 00000000 002f6300 00000036 00000000 002f62d4 00000938 00000000 5fe0: 7eb28780 7eb28770 000193dc 001321f0 r10:00000036 r9:840d5400 r8:8020029c r7:00000036 r6:002f6300 r5:00000000 r4:00000000 Rebooting in 86400 seconds..
Probably fixed by https://lore.kernel.org/r/20250731144431.773923-1-sashal@xxxxxxxxxx/ #syz test --- a/mm/userfaultfd.c +++ b/mm/userfaultfd.c @@ -1453,10 +1453,15 @@ static int move_pages_pte(struct mm_struct *mm, pmd_t *dst_pmd, pmd_t *src_pmd, folio_unlock(src_folio); folio_put(src_folio); } - if (dst_pte) - pte_unmap(dst_pte); + /* + * Unmap in reverse order (LIFO) to maintain proper kmap_local + * index ordering when CONFIG_HIGHPTE is enabled. We mapped dst_pte + * first, then src_pte, so we must unmap src_pte first, then dst_pte. + */ if (src_pte) pte_unmap(src_pte); + if (dst_pte) + pte_unmap(dst_pte); mmu_notifier_invalidate_range_end(&range); if (si) put_swap_device(si); -- 2.39.5 -- Cheers, David / dhildenb
