* [syzbot] [mm?] BUG: Bad page map (7)
@ 2023-09-09 17:12 syzbot
  2023-09-10  3:02 ` Matthew Wilcox
  2023-09-11  7:12 ` Yin Fengwei
  0 siblings, 2 replies; 29+ messages in thread
From: syzbot @ 2023-09-09 17:12 UTC (permalink / raw)
  To: akpm, fengwei.yin, linux-kernel, linux-mm, syzkaller-bugs, willy

Hello,

syzbot found the following issue on:

HEAD commit:    3f86ed6ec0b3 Merge tag 'arc-6.6-rc1' of git://git.kernel.o..
git tree:       upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=142a0e00680000
kernel config:  https://syzkaller.appspot.com/x/.config?x=ff0db7a15ba54ead
dashboard link: https://syzkaller.appspot.com/bug?extid=55cc72f8cc3a549119df
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=17ff1fa8680000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1445ba2fa80000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/15ea526c030f/disk-3f86ed6e.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/e8f0baca67e5/vmlinux-3f86ed6e.xz
kernel image: https://storage.googleapis.com/syzbot-assets/e39fafbb687d/bzImage-3f86ed6e.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/f82bb81a1d50/mount_0.gz

The issue was bisected to:

commit 617c28ecab22d98a3809370eb6cb50fa24b7bfe1
Author: Yin Fengwei <fengwei.yin@intel.com>
Date:   Wed Aug 2 15:14:05 2023 +0000

    filemap: batch PTE mappings

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=13c37c58680000
final oops:     https://syzkaller.appspot.com/x/report.txt?x=10237c58680000
console output: https://syzkaller.appspot.com/x/log.txt?x=17c37c58680000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+55cc72f8cc3a549119df@syzkaller.appspotmail.com
Fixes: 617c28ecab22 ("filemap: batch PTE mappings")

BUG: Bad page map in process syz-executor332  pte:fffff8ce8c120 pmd:79462067
page:ffffea0001cc5cc0 refcount:9 mapcount:-1 mapping:ffff8880774b1b50 index:0x3 pfn:0x73173
head:ffffea0001cc5c00 order:2 entire_mapcount:0 nr_pages_mapped:8388607 pincount:0
memcg:ffff888015e5a000
aops:xfs_address_space_operations ino:244a dentry name:"bus"
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000000 ffffea0001cc5c01 dead000000000122 dead000000000400
raw: 0000000000000001 0000000000000000 00000000fffffffe 0000000000000000
head: 00fff0000000816c ffffea00007c9948 ffff888013245030 ffff8880774b1b50
head: 0000000000000000 ffff888027450e00 00000009ffffffff ffff888015e5a000
page dumped because: bad pte
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Movable, gfp_mask 0x152c4a(GFP_NOFS|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 5036, tgid 5036 (syz-executor332), ts 61415422939, free_ts 21789924659
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
 prep_new_page mm/page_alloc.c:1543 [inline]
 get_page_from_freelist+0x31ec/0x3370 mm/page_alloc.c:3183
 __alloc_pages+0x255/0x670 mm/page_alloc.c:4439
 folio_alloc+0x1e/0x60 mm/mempolicy.c:2308
 filemap_alloc_folio+0xde/0x500 mm/filemap.c:979
 ra_alloc_folio mm/readahead.c:468 [inline]
 page_cache_ra_order+0x423/0xcc0 mm/readahead.c:524
 do_sync_mmap_readahead+0x444/0x850
 filemap_fault+0x7d3/0x1710 mm/filemap.c:3294
 __xfs_filemap_fault+0x286/0x960 fs/xfs/xfs_file.c:1354
 __do_fault+0x133/0x4e0 mm/memory.c:4204
 do_read_fault mm/memory.c:4568 [inline]
 do_fault mm/memory.c:4705 [inline]
 do_pte_missing mm/memory.c:3669 [inline]
 handle_pte_fault mm/memory.c:4978 [inline]
 __handle_mm_fault mm/memory.c:5119 [inline]
 handle_mm_fault+0x48d2/0x6200 mm/memory.c:5284
 faultin_page mm/gup.c:956 [inline]
 __get_user_pages+0x6bd/0x15e0 mm/gup.c:1239
 __get_user_pages_locked mm/gup.c:1504 [inline]
 get_dump_page+0x146/0x2b0 mm/gup.c:2018
 dump_user_range+0x126/0x910 fs/coredump.c:913
 elf_core_dump+0x3b75/0x4490 fs/binfmt_elf.c:2142
 do_coredump+0x1b73/0x2ab0 fs/coredump.c:764
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1136 [inline]
 free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
 free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
 free_contig_range+0x9e/0x150 mm/page_alloc.c:6355
 destroy_args+0x95/0x7c0 mm/debug_vm_pgtable.c:1028
 debug_vm_pgtable+0x4ac/0x540 mm/debug_vm_pgtable.c:1408
 do_one_initcall+0x23d/0x7d0 init/main.c:1232
 do_initcall_level+0x157/0x210 init/main.c:1294
 do_initcalls+0x3f/0x80 init/main.c:1310
 kernel_init_freeable+0x440/0x5d0 init/main.c:1547
 kernel_init+0x1d/0x2a0 init/main.c:1437
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
addr:0000000020006000 vm_flags:080000d0 anon_vma:0000000000000000 mapping:ffff8880774b1b50 index:5
file:bus fault:xfs_filemap_fault mmap:xfs_file_mmap read_folio:xfs_vm_read_folio
CPU: 1 PID: 5036 Comm: syz-executor332 Not tainted 6.5.0-syzkaller-11704-g3f86ed6ec0b3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
 print_bad_pte+0x581/0x5c0 mm/memory.c:535
 zap_pte_range mm/memory.c:1458 [inline]
 zap_pmd_range mm/memory.c:1573 [inline]
 zap_pud_range mm/memory.c:1602 [inline]
 zap_p4d_range mm/memory.c:1623 [inline]
 unmap_page_range+0x1a76/0x3300 mm/memory.c:1644
 unmap_vmas+0x209/0x3a0 mm/memory.c:1731
 exit_mmap+0x297/0xc50 mm/mmap.c:3210
 __mmput+0x115/0x3c0 kernel/fork.c:1349
 exit_mm+0x21f/0x300 kernel/exit.c:567
 do_exit+0x612/0x2290 kernel/exit.c:861
 do_group_exit+0x206/0x2c0 kernel/exit.c:1024
 get_signal+0x175d/0x1840 kernel/signal.c:2892
 arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:309
 exit_to_user_mode_loop+0x6a/0x100 kernel/entry/common.c:168
 exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:204
 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
 syscall_exit_to_user_mode+0x64/0x280 kernel/entry/common.c:296
 do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7ff93b1d0eb9
Code: Unable to access opcode bytes at 0x7ff93b1d0e8f.
RSP: 002b:00007ffc50f66f08 EFLAGS: 00000246 ORIG_RAX: 0000000000000148
RAX: ffffffffffffffe5 RBX: 0000000000000003 RCX: 00007ff93b1d0eb9
RDX: 0000000000000002 RSI: 0000000020000300 RDI: 0000000000000007
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000008800000 R11: 0000000000000246 R12: 00000000000f4240
R13: 00007ffc50f67188 R14: 0000000000000001 R15: 00007ffc50f66f50
 </TASK>
BUG: Bad page map in process syz-executor332  pte:fffff8ce8d120 pmd:79462067
page:ffffea0001cc5c80 refcount:9 mapcount:-1 mapping:ffff8880774b1b50 index:0x2 pfn:0x73172
head:ffffea0001cc5c00 order:2 entire_mapcount:0 nr_pages_mapped:8388606 pincount:0
memcg:ffff888015e5a000
aops:xfs_address_space_operations ino:244a dentry name:"bus"
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000000 ffffea0001cc5c01 ffffea0001cc5c90 ffffea0001cc5c90
raw: 0000000000000001 0000000000000000 00000000fffffffe 0000000000000000
head: 00fff0000000816c ffffea00007c9948 ffff888013245030 ffff8880774b1b50
head: 0000000000000000 ffff888027450e00 00000009ffffffff ffff888015e5a000
page dumped because: bad pte
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Movable, gfp_mask 0x152c4a(GFP_NOFS|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 5036, tgid 5036 (syz-executor332), ts 61415422939, free_ts 21789914922
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
 prep_new_page mm/page_alloc.c:1543 [inline]
 get_page_from_freelist+0x31ec/0x3370 mm/page_alloc.c:3183
 __alloc_pages+0x255/0x670 mm/page_alloc.c:4439
 folio_alloc+0x1e/0x60 mm/mempolicy.c:2308
 filemap_alloc_folio+0xde/0x500 mm/filemap.c:979
 ra_alloc_folio mm/readahead.c:468 [inline]
 page_cache_ra_order+0x423/0xcc0 mm/readahead.c:524
 do_sync_mmap_readahead+0x444/0x850
 filemap_fault+0x7d3/0x1710 mm/filemap.c:3294
 __xfs_filemap_fault+0x286/0x960 fs/xfs/xfs_file.c:1354
 __do_fault+0x133/0x4e0 mm/memory.c:4204
 do_read_fault mm/memory.c:4568 [inline]
 do_fault mm/memory.c:4705 [inline]
 do_pte_missing mm/memory.c:3669 [inline]
 handle_pte_fault mm/memory.c:4978 [inline]
 __handle_mm_fault mm/memory.c:5119 [inline]
 handle_mm_fault+0x48d2/0x6200 mm/memory.c:5284
 faultin_page mm/gup.c:956 [inline]
 __get_user_pages+0x6bd/0x15e0 mm/gup.c:1239
 __get_user_pages_locked mm/gup.c:1504 [inline]
 get_dump_page+0x146/0x2b0 mm/gup.c:2018
 dump_user_range+0x126/0x910 fs/coredump.c:913
 elf_core_dump+0x3b75/0x4490 fs/binfmt_elf.c:2142
 do_coredump+0x1b73/0x2ab0 fs/coredump.c:764
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1136 [inline]
 free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
 free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
 free_contig_range+0x9e/0x150 mm/page_alloc.c:6355
 destroy_args+0x95/0x7c0 mm/debug_vm_pgtable.c:1028
 debug_vm_pgtable+0x4ac/0x540 mm/debug_vm_pgtable.c:1408
 do_one_initcall+0x23d/0x7d0 init/main.c:1232
 do_initcall_level+0x157/0x210 init/main.c:1294
 do_initcalls+0x3f/0x80 init/main.c:1310
 kernel_init_freeable+0x440/0x5d0 init/main.c:1547
 kernel_init+0x1d/0x2a0 init/main.c:1437
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
addr:0000000020007000 vm_flags:080000d0 anon_vma:0000000000000000 mapping:ffff8880774b1b50 index:6
file:bus fault:xfs_filemap_fault mmap:xfs_file_mmap read_folio:xfs_vm_read_folio
CPU: 0 PID: 5036 Comm: syz-executor332 Tainted: G    B              6.5.0-syzkaller-11704-g3f86ed6ec0b3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
 print_bad_pte+0x581/0x5c0 mm/memory.c:535
 zap_pte_range mm/memory.c:1458 [inline]
 zap_pmd_range mm/memory.c:1573 [inline]
 zap_pud_range mm/memory.c:1602 [inline]
 zap_p4d_range mm/memory.c:1623 [inline]
 unmap_page_range+0x1a76/0x3300 mm/memory.c:1644
 unmap_vmas+0x209/0x3a0 mm/memory.c:1731
 exit_mmap+0x297/0xc50 mm/mmap.c:3210
 __mmput+0x115/0x3c0 kernel/fork.c:1349
 exit_mm+0x21f/0x300 kernel/exit.c:567
 do_exit+0x612/0x2290 kernel/exit.c:861
 do_group_exit+0x206/0x2c0 kernel/exit.c:1024
 get_signal+0x175d/0x1840 kernel/signal.c:2892
 arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:309
 exit_to_user_mode_loop+0x6a/0x100 kernel/entry/common.c:168
 exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:204
 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
 syscall_exit_to_user_mode+0x64/0x280 kernel/entry/common.c:296
 do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7ff93b1d0eb9
Code: Unable to access opcode bytes at 0x7ff93b1d0e8f.
RSP: 002b:00007ffc50f66f08 EFLAGS: 00000246 ORIG_RAX: 0000000000000148
RAX: ffffffffffffffe5 RBX: 0000000000000003 RCX: 00007ff93b1d0eb9
RDX: 0000000000000002 RSI: 0000000020000300 RDI: 0000000000000007
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000008800000 R11: 0000000000000246 R12: 00000000000f4240
R13: 00007ffc50f67188 R14: 0000000000000001 R15: 00007ffc50f66f50
 </TASK>
BUG: Bad page map in process syz-executor332  pte:fffff8ce8e120 pmd:79462067
page:ffffea0001cc5c40 refcount:9 mapcount:-1 mapping:ffff8880774b1b50 index:0x1 pfn:0x73171
head:ffffea0001cc5c00 order:2 entire_mapcount:0 nr_pages_mapped:8388605 pincount:0
memcg:ffff888015e5a000
aops:xfs_address_space_operations ino:244a dentry name:"bus"
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000202 ffffea0001cc5c01 dead000000000122 fffffffdffffffff
raw: 0000000400000000 0000000000000000 00000000fffffffe 0000000000000000
head: 00fff0000000816c ffffea00007c9948 ffff888013245030 ffff8880774b1b50
head: 0000000000000000 ffff888027450e00 00000009ffffffff ffff888015e5a000
page dumped because: bad pte
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Movable, gfp_mask 0x152c4a(GFP_NOFS|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 5036, tgid 5036 (syz-executor332), ts 61415422939, free_ts 21789904946
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
 prep_new_page mm/page_alloc.c:1543 [inline]
 get_page_from_freelist+0x31ec/0x3370 mm/page_alloc.c:3183
 __alloc_pages+0x255/0x670 mm/page_alloc.c:4439
 folio_alloc+0x1e/0x60 mm/mempolicy.c:2308
 filemap_alloc_folio+0xde/0x500 mm/filemap.c:979
 ra_alloc_folio mm/readahead.c:468 [inline]
 page_cache_ra_order+0x423/0xcc0 mm/readahead.c:524
 do_sync_mmap_readahead+0x444/0x850
 filemap_fault+0x7d3/0x1710 mm/filemap.c:3294
 __xfs_filemap_fault+0x286/0x960 fs/xfs/xfs_file.c:1354
 __do_fault+0x133/0x4e0 mm/memory.c:4204
 do_read_fault mm/memory.c:4568 [inline]
 do_fault mm/memory.c:4705 [inline]
 do_pte_missing mm/memory.c:3669 [inline]
 handle_pte_fault mm/memory.c:4978 [inline]
 __handle_mm_fault mm/memory.c:5119 [inline]
 handle_mm_fault+0x48d2/0x6200 mm/memory.c:5284
 faultin_page mm/gup.c:956 [inline]
 __get_user_pages+0x6bd/0x15e0 mm/gup.c:1239
 __get_user_pages_locked mm/gup.c:1504 [inline]
 get_dump_page+0x146/0x2b0 mm/gup.c:2018
 dump_user_range+0x126/0x910 fs/coredump.c:913
 elf_core_dump+0x3b75/0x4490 fs/binfmt_elf.c:2142
 do_coredump+0x1b73/0x2ab0 fs/coredump.c:764
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1136 [inline]
 free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
 free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
 free_contig_range+0x9e/0x150 mm/page_alloc.c:6355
 destroy_args+0x95/0x7c0 mm/debug_vm_pgtable.c:1028
 debug_vm_pgtable+0x4ac/0x540 mm/debug_vm_pgtable.c:1408
 do_one_initcall+0x23d/0x7d0 init/main.c:1232
 do_initcall_level+0x157/0x210 init/main.c:1294
 do_initcalls+0x3f/0x80 init/main.c:1310
 kernel_init_freeable+0x440/0x5d0 init/main.c:1547
 kernel_init+0x1d/0x2a0 init/main.c:1437
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
addr:0000000020008000 vm_flags:080000d0 anon_vma:0000000000000000 mapping:ffff8880774b1b50 index:7
file:bus fault:xfs_filemap_fault mmap:xfs_file_mmap read_folio:xfs_vm_read_folio
CPU: 1 PID: 5036 Comm: syz-executor332 Tainted: G    B              6.5.0-syzkaller-11704-g3f86ed6ec0b3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
 print_bad_pte+0x581/0x5c0 mm/memory.c:535
 zap_pte_range mm/memory.c:1458 [inline]
 zap_pmd_range mm/memory.c:1573 [inline]
 zap_pud_range mm/memory.c:1602 [inline]
 zap_p4d_range mm/memory.c:1623 [inline]
 unmap_page_range+0x1a76/0x3300 mm/memory.c:1644
 unmap_vmas+0x209/0x3a0 mm/memory.c:1731
 exit_mmap+0x297/0xc50 mm/mmap.c:3210
 __mmput+0x115/0x3c0 kernel/fork.c:1349
 exit_mm+0x21f/0x300 kernel/exit.c:567
 do_exit+0x612/0x2290 kernel/exit.c:861
 do_group_exit+0x206/0x2c0 kernel/exit.c:1024
 get_signal+0x175d/0x1840 kernel/signal.c:2892
 arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:309
 exit_to_user_mode_loop+0x6a/0x100 kernel/entry/common.c:168
 exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:204
 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
 syscall_exit_to_user_mode+0x64/0x280 kernel/entry/common.c:296
 do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7ff93b1d0eb9
Code: Unable to access opcode bytes at 0x7ff93b1d0e8f.
RSP: 002b:00007ffc50f66f08 EFLAGS: 00000246 ORIG_RAX: 0000000000000148
RAX: ffffffffffffffe5 RBX: 0000000000000003 RCX: 00007ff93b1d0eb9
RDX: 0000000000000002 RSI: 0000000020000300 RDI: 0000000000000007
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000008800000 R11: 0000000000000246 R12: 00000000000f4240
R13: 00007ffc50f67188 R14: 0000000000000001 R15: 00007ffc50f66f50
 </TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection

If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup


* Re: [syzbot] [mm?] BUG: Bad page map (7)
  2023-09-09 17:12 [syzbot] [mm?] BUG: Bad page map (7) syzbot
@ 2023-09-10  3:02 ` Matthew Wilcox
  2023-09-10  3:29   ` syzbot
                     ` (2 more replies)
  2023-09-11  7:12 ` Yin Fengwei
  1 sibling, 3 replies; 29+ messages in thread
From: Matthew Wilcox @ 2023-09-10  3:02 UTC (permalink / raw)
  To: syzbot; +Cc: akpm, fengwei.yin, linux-kernel, linux-mm, syzkaller-bugs

On Sat, Sep 09, 2023 at 10:12:48AM -0700, syzbot wrote:
> commit 617c28ecab22d98a3809370eb6cb50fa24b7bfe1
> Author: Yin Fengwei <fengwei.yin@intel.com>
> Date:   Wed Aug 2 15:14:05 2023 +0000
> 
>     filemap: batch PTE mappings

Hmm ... I don't know if this is the bug, but ...

#syz test

diff --git a/mm/filemap.c b/mm/filemap.c
index 582f5317ff71..580d0b2b1a7c 100644
--- a/mm/filemap.c
+++ b/mm/filemap.c
@@ -3506,7 +3506,7 @@ static vm_fault_t filemap_map_folio_range(struct vm_fault *vmf,
 		if (count) {
 			set_pte_range(vmf, folio, page, count, addr);
 			folio_ref_add(folio, count);
-			if (in_range(vmf->address, addr, count))
+			if (in_range(vmf->address, addr, count * PAGE_SIZE))
 				ret = VM_FAULT_NOPAGE;
 		}
 
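Review bot: the third argument of `in_range()` has to be in the same units as `vmf->address` and `addr`, which are byte addresses, while `count` is a number of pages, so before this change the check could only be true when the fault address was the very first page of the run; `count * PAGE_SIZE` is the right length. Since the identical `set_pte_range()` / `folio_ref_add()` / `in_range()` sequence is repeated for the tail run in the next hunk, consider a small helper taking `addr` and `count` so the two copies of the length computation cannot diverge again.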
@@ -3520,7 +3520,7 @@ static vm_fault_t filemap_map_folio_range(struct vm_fault *vmf,
 	if (count) {
 		set_pte_range(vmf, folio, page, count, addr);
 		folio_ref_add(folio, count);
-		if (in_range(vmf->address, addr, count))
+		if (in_range(vmf->address, addr, count * PAGE_SIZE))
 			ret = VM_FAULT_NOPAGE;
 	}
 
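Review bot: this tail-run copy now matches the in-loop one, but a one-line comment above the `if (in_range(...))` saying that `count * PAGE_SIZE` is the byte length of the pages just passed to `set_pte_range()` would document why the multiplication is there and stop the next reader from "simplifying" it back. Note also that syzbot's test of this patch (below) reports the reproducer still hitting the same `Bad page map` with `mapcount:-1` on the same order-2 folio, so the unit fix is correct on its own but does not account for this report.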


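The range check that the patch above changes, modelled in userspace as an added example (this is not code from the patch or from the kernel): `in_range(val, start, len)` is true when `start <= val < start + len` with all three in the same units, and the model walks a folio the way the batching loop does, collecting runs of mappable pages and asking after each run whether the faulting address was covered. The 4 KiB page size, the `skip` bitmap standing in for whatever makes the kernel leave a page unmapped, and the addresses are assumptions for illustration.

```c
/*
 * Added example: userspace model of the in_range() check in
 * filemap_map_folio_range().  Not kernel code; PAGE_SIZE, the skip bitmap
 * and the addresses below are constructed for illustration.
 */
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  ((uint64_t)1 << PAGE_SHIFT)	/* assumed 4 KiB pages */

/* Same shape as the kernel macro: one unsigned subtraction and a compare. */
static bool in_range(uint64_t val, uint64_t start, uint64_t len)
{
	return val - start < len;
}

/*
 * One batched run of `count` pages mapped at byte address `run_start`.
 * `bytes` selects the patched form (count * PAGE_SIZE) or the original
 * form (bare page count) of the length argument.
 */
static bool fault_covered(uint64_t fault_addr, uint64_t run_start,
			  unsigned int count, bool bytes)
{
	uint64_t len = bytes ? (uint64_t)count * PAGE_SIZE : count;

	return in_range(fault_addr, run_start, len);
}

/*
 * Walk a folio of nr_pages (<= 32) pages mapped at vma_start, skipping the
 * pages flagged in `skip`, batching the rest into runs like the loop in
 * filemap_map_folio_range().  Returns the number of runs; *nopage (if not
 * NULL) is the modelled VM_FAULT_NOPAGE decision for fault_addr.
 */
static unsigned int map_folio_runs(uint64_t vma_start, unsigned int nr_pages,
				   uint32_t skip, uint64_t fault_addr,
				   bool bytes, bool *nopage)
{
	unsigned int runs = 0, count = 0, i;
	uint64_t addr = vma_start;	/* start address of the current run */
	bool hit = false;

	for (i = 0; i < nr_pages; i++) {
		if (!(skip & (1u << i))) {
			count++;	/* extend the current run */
			continue;
		}
		/* A page we must not map: flush the run collected so far. */
		if (count) {
			runs++;
			hit |= fault_covered(fault_addr, addr, count, bytes);
		}
		count = 0;
		addr = vma_start + (uint64_t)(i + 1) * PAGE_SIZE;
	}
	/* Tail run, the second call site in the patch. */
	if (count) {
		runs++;
		hit |= fault_covered(fault_addr, addr, count, bytes);
	}
	if (nopage)
		*nopage = hit;
	return runs;
}

static bool fault_nopage(uint64_t vma_start, unsigned int nr_pages,
			 uint32_t skip, uint64_t fault_addr, bool bytes)
{
	bool nopage;

	map_folio_runs(vma_start, nr_pages, skip, fault_addr, bytes, &nopage);
	return nopage;
}

int main(void)
{
	const uint64_t vma = 0x20000000ULL;	/* constructed VMA start */
	uint64_t fault;

	/* Eight-page folio with page 3 unmappable: runs are [0,3) and [4,8). */
	for (fault = vma; fault < vma + 8 * PAGE_SIZE; fault += PAGE_SIZE)
		printf("fault at 0x%" PRIx64 ": pages-as-length -> %s, bytes-as-length -> %s\n",
		       fault,
		       fault_nopage(vma, 8, 1u << 3, fault, false) ? "NOPAGE" : "miss",
		       fault_nopage(vma, 8, 1u << 3, fault, true) ? "NOPAGE" : "miss");
	return 0;
}
```

With the page count as the length, only the first page of each run is ever reported as covered (the difference between two page-aligned addresses is either zero or at least PAGE_SIZE, which is never below a small `count`); with the byte length every page of the run matches. That is the whole effect of the patch, independent of whether this mismatch explains the bad PTEs in the report.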

* Re: [syzbot] [mm?] BUG: Bad page map (7)
  2023-09-10  3:02 ` Matthew Wilcox
@ 2023-09-10  3:29   ` syzbot
  2023-09-10  3:40   ` Yin, Fengwei
  2023-09-11  7:24   ` Yin Fengwei
  2 siblings, 0 replies; 29+ messages in thread
From: syzbot @ 2023-09-10  3:29 UTC (permalink / raw)
  To: akpm, fengwei.yin, linux-kernel, linux-mm, syzkaller-bugs, willy

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: Bad page map

BUG: Bad page map in process syz-executor.0  pte:fffff9b7dc120 pmd:1ce8f067
page:ffffea00019208c0 refcount:9 mapcount:-1 mapping:ffff8880766e5190 index:0x3 pfn:0x64823
head:ffffea0001920800 order:2 entire_mapcount:0 nr_pages_mapped:8388607 pincount:0
memcg:ffff88801d8b4000
aops:xfs_address_space_operations ino:244a dentry name:"bus"
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000000 ffffea0001920801 dead000000000122 dead000000000400
raw: 0000000000000001 0000000000000000 00000000fffffffe 0000000000000000
head: 00fff0000000816c ffffea0001a08288 ffff88807acd1030 ffff8880766e5190
head: 0000000000000000 ffff888019789200 00000009ffffffff ffff88801d8b4000
page dumped because: bad pte
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Movable, gfp_mask 0x152c4a(GFP_NOFS|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 5453, tgid 5452 (syz-executor.0), ts 76204282340, free_ts 15924727179
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
 prep_new_page mm/page_alloc.c:1543 [inline]
 get_page_from_freelist+0x31db/0x3360 mm/page_alloc.c:3170
 __alloc_pages+0x255/0x670 mm/page_alloc.c:4426
 folio_alloc+0x1e/0x60 mm/mempolicy.c:2308
 filemap_alloc_folio+0xde/0x500 mm/filemap.c:976
 ra_alloc_folio mm/readahead.c:468 [inline]
 page_cache_ra_order+0x423/0xcc0 mm/readahead.c:524
 do_sync_mmap_readahead+0x444/0x850
 filemap_fault+0x7d3/0x1710 mm/filemap.c:3291
 __xfs_filemap_fault+0x286/0x960 fs/xfs/xfs_file.c:1354
 __do_fault+0x133/0x4e0 mm/memory.c:4204
 do_read_fault mm/memory.c:4568 [inline]
 do_fault mm/memory.c:4705 [inline]
 do_pte_missing mm/memory.c:3669 [inline]
 handle_pte_fault mm/memory.c:4978 [inline]
 __handle_mm_fault mm/memory.c:5119 [inline]
 handle_mm_fault+0x48d2/0x6200 mm/memory.c:5284
 faultin_page mm/gup.c:956 [inline]
 __get_user_pages+0x6bd/0x15e0 mm/gup.c:1239
 __get_user_pages_locked mm/gup.c:1504 [inline]
 get_dump_page+0x146/0x2b0 mm/gup.c:2018
 dump_user_range+0x126/0x910 fs/coredump.c:913
 elf_core_dump+0x3b75/0x4490 fs/binfmt_elf.c:2142
 do_coredump+0x1b73/0x2ab0 fs/coredump.c:764
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1136 [inline]
 free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
 free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
 free_contig_range+0x9e/0x150 mm/page_alloc.c:6342
 destroy_args+0x95/0x7c0 mm/debug_vm_pgtable.c:1028
 debug_vm_pgtable+0x4ac/0x540 mm/debug_vm_pgtable.c:1408
 do_one_initcall+0x23d/0x7d0 init/main.c:1232
 do_initcall_level+0x157/0x210 init/main.c:1294
 do_initcalls+0x3f/0x80 init/main.c:1310
 kernel_init_freeable+0x440/0x5d0 init/main.c:1547
 kernel_init+0x1d/0x2a0 init/main.c:1437
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
addr:0000000020006000 vm_flags:080000d0 anon_vma:0000000000000000 mapping:ffff8880766e5190 index:5
file:bus fault:xfs_filemap_fault mmap:xfs_file_mmap read_folio:xfs_vm_read_folio
CPU: 1 PID: 5453 Comm: syz-executor.0 Not tainted 6.5.0-syzkaller-12921-ga3c57ab79a06-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
 print_bad_pte+0x581/0x5c0 mm/memory.c:535
 zap_pte_range mm/memory.c:1458 [inline]
 zap_pmd_range mm/memory.c:1573 [inline]
 zap_pud_range mm/memory.c:1602 [inline]
 zap_p4d_range mm/memory.c:1623 [inline]
 unmap_page_range+0x1a76/0x3300 mm/memory.c:1644
 unmap_vmas+0x209/0x3a0 mm/memory.c:1731
 exit_mmap+0x297/0xc50 mm/mmap.c:3210
 __mmput+0x115/0x3c0 kernel/fork.c:1349
 exit_mm+0x21f/0x300 kernel/exit.c:567
 do_exit+0x612/0x2290 kernel/exit.c:861
 do_group_exit+0x206/0x2c0 kernel/exit.c:1024
 get_signal+0x175d/0x1840 kernel/signal.c:2892
 arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:309
 exit_to_user_mode_loop+0x6a/0x100 kernel/entry/common.c:168
 exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:204
 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
 syscall_exit_to_user_mode+0x64/0x280 kernel/entry/common.c:296
 do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f4cbf47cae9
Code: Unable to access opcode bytes at 0x7f4cbf47cabf.
RSP: 002b:00007f4cc01920c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000148
RAX: ffffffffffffffe5 RBX: 00007f4cbf59bf80 RCX: 00007f4cbf47cae9
RDX: 0000000000000002 RSI: 0000000020000300 RDI: 0000000000000007
RBP: 00007f4cbf4c847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000008800000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f4cbf59bf80 R15: 00007fff582f4a98
 </TASK>
BUG: Bad page map in process syz-executor.0  pte:fffff9b7dd120 pmd:1ce8f067
page:ffffea0001920880 refcount:9 mapcount:-1 mapping:ffff8880766e5190 index:0x2 pfn:0x64822
head:ffffea0001920800 order:2 entire_mapcount:0 nr_pages_mapped:8388606 pincount:0
memcg:ffff88801d8b4000
aops:xfs_address_space_operations ino:244a dentry name:"bus"
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000000 ffffea0001920801 ffffea0001920890 ffffea0001920890
raw: 0000000000000001 0000000000000000 00000000fffffffe 0000000000000000
head: 00fff0000000816c ffffea0001a08288 ffff88807acd1030 ffff8880766e5190
head: 0000000000000000 ffff888019789200 00000009ffffffff ffff88801d8b4000
page dumped because: bad pte
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Movable, gfp_mask 0x152c4a(GFP_NOFS|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 5453, tgid 5452 (syz-executor.0), ts 76204282340, free_ts 15924721374
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
 prep_new_page mm/page_alloc.c:1543 [inline]
 get_page_from_freelist+0x31db/0x3360 mm/page_alloc.c:3170
 __alloc_pages+0x255/0x670 mm/page_alloc.c:4426
 folio_alloc+0x1e/0x60 mm/mempolicy.c:2308
 filemap_alloc_folio+0xde/0x500 mm/filemap.c:976
 ra_alloc_folio mm/readahead.c:468 [inline]
 page_cache_ra_order+0x423/0xcc0 mm/readahead.c:524
 do_sync_mmap_readahead+0x444/0x850
 filemap_fault+0x7d3/0x1710 mm/filemap.c:3291
 __xfs_filemap_fault+0x286/0x960 fs/xfs/xfs_file.c:1354
 __do_fault+0x133/0x4e0 mm/memory.c:4204
 do_read_fault mm/memory.c:4568 [inline]
 do_fault mm/memory.c:4705 [inline]
 do_pte_missing mm/memory.c:3669 [inline]
 handle_pte_fault mm/memory.c:4978 [inline]
 __handle_mm_fault mm/memory.c:5119 [inline]
 handle_mm_fault+0x48d2/0x6200 mm/memory.c:5284
 faultin_page mm/gup.c:956 [inline]
 __get_user_pages+0x6bd/0x15e0 mm/gup.c:1239
 __get_user_pages_locked mm/gup.c:1504 [inline]
 get_dump_page+0x146/0x2b0 mm/gup.c:2018
 dump_user_range+0x126/0x910 fs/coredump.c:913
 elf_core_dump+0x3b75/0x4490 fs/binfmt_elf.c:2142
 do_coredump+0x1b73/0x2ab0 fs/coredump.c:764
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1136 [inline]
 free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
 free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
 free_contig_range+0x9e/0x150 mm/page_alloc.c:6342
 destroy_args+0x95/0x7c0 mm/debug_vm_pgtable.c:1028
 debug_vm_pgtable+0x4ac/0x540 mm/debug_vm_pgtable.c:1408
 do_one_initcall+0x23d/0x7d0 init/main.c:1232
 do_initcall_level+0x157/0x210 init/main.c:1294
 do_initcalls+0x3f/0x80 init/main.c:1310
 kernel_init_freeable+0x440/0x5d0 init/main.c:1547
 kernel_init+0x1d/0x2a0 init/main.c:1437
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
addr:0000000020007000 vm_flags:080000d0 anon_vma:0000000000000000 mapping:ffff8880766e5190 index:6
file:bus fault:xfs_filemap_fault mmap:xfs_file_mmap read_folio:xfs_vm_read_folio
CPU: 0 PID: 5453 Comm: syz-executor.0 Tainted: G    B              6.5.0-syzkaller-12921-ga3c57ab79a06-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
 print_bad_pte+0x581/0x5c0 mm/memory.c:535
 zap_pte_range mm/memory.c:1458 [inline]
 zap_pmd_range mm/memory.c:1573 [inline]
 zap_pud_range mm/memory.c:1602 [inline]
 zap_p4d_range mm/memory.c:1623 [inline]
 unmap_page_range+0x1a76/0x3300 mm/memory.c:1644
 unmap_vmas+0x209/0x3a0 mm/memory.c:1731
 exit_mmap+0x297/0xc50 mm/mmap.c:3210
 __mmput+0x115/0x3c0 kernel/fork.c:1349
 exit_mm+0x21f/0x300 kernel/exit.c:567
 do_exit+0x612/0x2290 kernel/exit.c:861
 do_group_exit+0x206/0x2c0 kernel/exit.c:1024
 get_signal+0x175d/0x1840 kernel/signal.c:2892
 arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:309
 exit_to_user_mode_loop+0x6a/0x100 kernel/entry/common.c:168
 exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:204
 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
 syscall_exit_to_user_mode+0x64/0x280 kernel/entry/common.c:296
 do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f4cbf47cae9
Code: Unable to access opcode bytes at 0x7f4cbf47cabf.
RSP: 002b:00007f4cc01920c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000148
RAX: ffffffffffffffe5 RBX: 00007f4cbf59bf80 RCX: 00007f4cbf47cae9
RDX: 0000000000000002 RSI: 0000000020000300 RDI: 0000000000000007
RBP: 00007f4cbf4c847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000008800000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f4cbf59bf80 R15: 00007fff582f4a98
 </TASK>
BUG: Bad page map in process syz-executor.0  pte:fffff9b7de120 pmd:1ce8f067
page:ffffea0001920840 refcount:9 mapcount:-1 mapping:ffff8880766e5190 index:0x1 pfn:0x64821
head:ffffea0001920800 order:2 entire_mapcount:0 nr_pages_mapped:8388605 pincount:0
memcg:ffff88801d8b4000
aops:xfs_address_space_operations ino:244a dentry name:"bus"
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000202 ffffea0001920801 dead000000000122 fffffffdffffffff
raw: 0000000400000000 0000000000000000 00000000fffffffe 0000000000000000
head: 00fff0000000816c ffffea0001a08288 ffff88807acd1030 ffff8880766e5190
head: 0000000000000000 ffff888019789200 00000009ffffffff ffff88801d8b4000
page dumped because: bad pte
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Movable, gfp_mask 0x152c4a(GFP_NOFS|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 5453, tgid 5452 (syz-executor.0), ts 76204282340, free_ts 15924715505
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
 prep_new_page mm/page_alloc.c:1543 [inline]
 get_page_from_freelist+0x31db/0x3360 mm/page_alloc.c:3170
 __alloc_pages+0x255/0x670 mm/page_alloc.c:4426
 folio_alloc+0x1e/0x60 mm/mempolicy.c:2308
 filemap_alloc_folio+0xde/0x500 mm/filemap.c:976
 ra_alloc_folio mm/readahead.c:468 [inline]
 page_cache_ra_order+0x423/0xcc0 mm/readahead.c:524
 do_sync_mmap_readahead+0x444/0x850
 filemap_fault+0x7d3/0x1710 mm/filemap.c:3291
 __xfs_filemap_fault+0x286/0x960 fs/xfs/xfs_file.c:1354
 __do_fault+0x133/0x4e0 mm/memory.c:4204
 do_read_fault mm/memory.c:4568 [inline]
 do_fault mm/memory.c:4705 [inline]
 do_pte_missing mm/memory.c:3669 [inline]
 handle_pte_fault mm/memory.c:4978 [inline]
 __handle_mm_fault mm/memory.c:5119 [inline]
 handle_mm_fault+0x48d2/0x6200 mm/memory.c:5284
 faultin_page mm/gup.c:956 [inline]
 __get_user_pages+0x6bd/0x15e0 mm/gup.c:1239
 __get_user_pages_locked mm/gup.c:1504 [inline]
 get_dump_page+0x146/0x2b0 mm/gup.c:2018
 dump_user_range+0x126/0x910 fs/coredump.c:913
 elf_core_dump+0x3b75/0x4490 fs/binfmt_elf.c:2142
 do_coredump+0x1b73/0x2ab0 fs/coredump.c:764
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1136 [inline]
 free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
 free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
 free_contig_range+0x9e/0x150 mm/page_alloc.c:6342
 destroy_args+0x95/0x7c0 mm/debug_vm_pgtable.c:1028
 debug_vm_pgtable+0x4ac/0x540 mm/debug_vm_pgtable.c:1408
 do_one_initcall+0x23d/0x7d0 init/main.c:1232
 do_initcall_level+0x157/0x210 init/main.c:1294
 do_initcalls+0x3f/0x80 init/main.c:1310
 kernel_init_freeable+0x440/0x5d0 init/main.c:1547
 kernel_init+0x1d/0x2a0 init/main.c:1437
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
addr:0000000020008000 vm_flags:080000d0 anon_vma:0000000000000000 mapping:ffff8880766e5190 index:7
file:bus fault:xfs_filemap_fault mmap:xfs_file_mmap read_folio:xfs_vm_read_folio
CPU: 1 PID: 5453 Comm: syz-executor.0 Tainted: G    B              6.5.0-syzkaller-12921-ga3c57ab79a06-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
 print_bad_pte+0x581/0x5c0 mm/memory.c:535
 zap_pte_range mm/memory.c:1458 [inline]
 zap_pmd_range mm/memory.c:1573 [inline]
 zap_pud_range mm/memory.c:1602 [inline]
 zap_p4d_range mm/memory.c:1623 [inline]
 unmap_page_range+0x1a76/0x3300 mm/memory.c:1644
 unmap_vmas+0x209/0x3a0 mm/memory.c:1731
 exit_mmap+0x297/0xc50 mm/mmap.c:3210
 __mmput+0x115/0x3c0 kernel/fork.c:1349
 exit_mm+0x21f/0x300 kernel/exit.c:567
 do_exit+0x612/0x2290 kernel/exit.c:861
 do_group_exit+0x206/0x2c0 kernel/exit.c:1024
 get_signal+0x175d/0x1840 kernel/signal.c:2892
 arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:309
 exit_to_user_mode_loop+0x6a/0x100 kernel/entry/common.c:168
 exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:204
 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
 syscall_exit_to_user_mode+0x64/0x280 kernel/entry/common.c:296
 do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f4cbf47cae9
Code: Unable to access opcode bytes at 0x7f4cbf47cabf.
RSP: 002b:00007f4cc01920c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000148
RAX: ffffffffffffffe5 RBX: 00007f4cbf59bf80 RCX: 00007f4cbf47cae9
RDX: 0000000000000002 RSI: 0000000020000300 RDI: 0000000000000007
RBP: 00007f4cbf4c847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000008800000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f4cbf59bf80 R15: 00007fff582f4a98
 </TASK>


Tested on:

commit:         a3c57ab7 iov_iter: Kunit tests for page extraction
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16a308d8680000
kernel config:  https://syzkaller.appspot.com/x/.config?x=50ac7dadde9e1c0e
dashboard link: https://syzkaller.appspot.com/bug?extid=55cc72f8cc3a549119df
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1037a92c680000


^ permalink raw reply	[flat|nested] 29+ messages in thread

* Re: [syzbot] [mm?] BUG: Bad page map (7)
  2023-09-10  3:02 ` Matthew Wilcox
  2023-09-10  3:29   ` syzbot
@ 2023-09-10  3:40   ` Yin, Fengwei
  2023-09-11  7:24   ` Yin Fengwei
  2 siblings, 0 replies; 29+ messages in thread
From: Yin, Fengwei @ 2023-09-10  3:40 UTC (permalink / raw)
  To: Matthew Wilcox
  Cc: syzbot, akpm, fengwei.yin, linux-kernel, linux-mm, syzkaller-bugs

Hi Matthew,

On Sun, Sep 10, 2023 at 04:02:32AM +0100, Matthew Wilcox wrote:
> On Sat, Sep 09, 2023 at 10:12:48AM -0700, syzbot wrote:
> > commit 617c28ecab22d98a3809370eb6cb50fa24b7bfe1
> > Author: Yin Fengwei <fengwei.yin@intel.com>
> > Date:   Wed Aug 2 15:14:05 2023 +0000
> > 
> >     filemap: batch PTE mappings
> 
> Hmm ... I don't know if this is the bug, but ...
This is Fengwei. Sorry for replying with my private email. I can't access
my company email now.
Yes. This is a bug. But I think it just impacts the performance.

I will look at this regression. Thanks and sorry for the trouble.


Regards
Yin, Fengwei

> 
> #syz test
> 
> diff --git a/mm/filemap.c b/mm/filemap.c
> index 582f5317ff71..580d0b2b1a7c 100644
> --- a/mm/filemap.c
> +++ b/mm/filemap.c
> @@ -3506,7 +3506,7 @@ static vm_fault_t filemap_map_folio_range(struct vm_fault *vmf,
>  		if (count) {
>  			set_pte_range(vmf, folio, page, count, addr);
>  			folio_ref_add(folio, count);
> -			if (in_range(vmf->address, addr, count))
> +			if (in_range(vmf->address, addr, count * PAGE_SIZE))
>  				ret = VM_FAULT_NOPAGE;
>  		}
>  
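Review bot: the third argument of in_range() is a length in bytes while `count` here counts PTEs, so the unpatched `in_range(vmf->address, addr, count)` only matched when the faulting address fell within the first `count` bytes after `addr`, and the fault returned VM_FAULT_NOPAGE far less often than intended; scaling by PAGE_SIZE is the right fix. Since `addr` and `count` are exactly the range just handed to set_pte_range(), consider having one helper map the range and report whether vmf->address was covered, so the unit of the length cannot drift from the unit set_pte_range() uses.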
> @@ -3520,7 +3520,7 @@ static vm_fault_t filemap_map_folio_range(struct vm_fault *vmf,
>  	if (count) {
>  		set_pte_range(vmf, folio, page, count, addr);
>  		folio_ref_add(folio, count);
> -		if (in_range(vmf->address, addr, count))
> +		if (in_range(vmf->address, addr, count * PAGE_SIZE))
>  			ret = VM_FAULT_NOPAGE;
>  	}
>  
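Review bot: this tail path repeats the in-loop sequence from the previous hunk verbatim (set_pte_range(), folio_ref_add(), the in_range() check), which is how the same `count` unit bug landed in two places at once; folding both into a small static helper would keep a future change to the covered-range test from needing two identical edits.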
> 
> 




* Re: [syzbot] [mm?] BUG: Bad page map (7)
  2023-09-09 17:12 [syzbot] [mm?] BUG: Bad page map (7) syzbot
  2023-09-10  3:02 ` Matthew Wilcox
@ 2023-09-11  7:12 ` Yin Fengwei
  2023-09-11  7:48   ` syzbot
  2023-09-11 13:26   ` Matthew Wilcox
  1 sibling, 2 replies; 29+ messages in thread
From: Yin Fengwei @ 2023-09-11  7:12 UTC (permalink / raw)
  To: syzbot, akpm, linux-kernel, linux-mm, syzkaller-bugs, willy



On 9/10/23 01:12, syzbot wrote:
> commit 617c28ecab22d98a3809370eb6cb50fa24b7bfe1
> Author: Yin Fengwei <fengwei.yin@intel.com>
> Date:   Wed Aug 2 15:14:05 2023 +0000
> 
>     filemap: batch PTE mappings

#syz test

diff --git a/arch/x86/include/asm/pgtable_64.h b/arch/x86/include/asm/pgtable_64.h
index a629b1b9f65a6..2701b47efa8f7 100644
--- a/arch/x86/include/asm/pgtable_64.h
+++ b/arch/x86/include/asm/pgtable_64.h
@@ -168,6 +168,28 @@ static inline void native_pgd_clear(pgd_t *pgd)
        native_set_pgd(pgd, native_make_pgd(0));
 }
 
+static inline void set_ptes(struct mm_struct *mm, unsigned long addr,
+               pte_t *ptep, pte_t pte, unsigned int nr)
+{
+       bool protnone = (pte_flags(pte) & (_PAGE_PROTNONE | _PAGE_PRESENT))
+                       == _PAGE_PROTNONE;
+
+       page_table_check_ptes_set(mm, ptep, pte, nr);
+
+       for(;;) {
+               native_set_pte(ptep, pte);
+               if (--nr == 0)
+                       break;
+
+               ptep++;
+               if (protnone)
+                       pte = __pte(pte_val(pte) - (1UL << PFN_PTE_SHIFT));
+               else
+                       pte = __pte(pte_val(pte) + (1UL << PFN_PTE_SHIFT));
+       }
+}
+#define set_ptes set_ptes
+
 /*
  * Conversion functions: convert a page and protection to a page entry,
  * and a page entry and page directory to the page they refer to.
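Review bot: the `protnone` test at the top of the new set_ptes() re-derives what `__pte_needs_invert(pte_val(pte))` already encodes (`val && !(val & _PAGE_PRESENT)`), and the two are not equivalent: a non-zero, non-present PTE without `_PAGE_PROTNONE` is inverted according to the existing helper but stepped upward by this loop. Reusing `__pte_needs_invert()` keeps a single definition of "this entry is inverted". This override also drops the `arch_enter_lazy_mmu_mode()`/`arch_leave_lazy_mmu_mode()` pair that the generic set_ptes() wraps around the loop, which matters for paravirtualised guests; and `for(;;)` wants a space after `for`.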


* Re: [syzbot] [mm?] BUG: Bad page map (7)
  2023-09-10  3:02 ` Matthew Wilcox
  2023-09-10  3:29   ` syzbot
  2023-09-10  3:40   ` Yin, Fengwei
@ 2023-09-11  7:24   ` Yin Fengwei
  2023-09-11  7:32     ` Yin Fengwei
  2 siblings, 1 reply; 29+ messages in thread
From: Yin Fengwei @ 2023-09-11  7:24 UTC (permalink / raw)
  To: Matthew Wilcox, syzbot; +Cc: akpm, linux-kernel, linux-mm, syzkaller-bugs

Hi Matthew,

On 9/10/23 11:02, Matthew Wilcox wrote:
> On Sat, Sep 09, 2023 at 10:12:48AM -0700, syzbot wrote:
>> commit 617c28ecab22d98a3809370eb6cb50fa24b7bfe1
>> Author: Yin Fengwei <fengwei.yin@intel.com>
>> Date:   Wed Aug 2 15:14:05 2023 +0000
>>
>>     filemap: batch PTE mappings
> 
> Hmm ... I don't know if this is the bug, but ...
I do think we should merge your patch here. LKP already noticed some performance
regressions. I suppose this patch can fix some of them.


I root-caused this "bad page map" issue in my local env. It's related to ptes
with protnone on x86_64. So if the pte is not protnone, advancing the pte by adding
1UL << PFN_PTE_SHIFT is correct. But if the pte is protnone, we should subtract
1UL << PFN_PTE_SHIFT. I saw that pfn_pte() had pfn ^= protnone_mask() and just realized
it.


The reproducer mmaps with PROT_NONE and then triggers SIGXFSZ and creates a core file.
That will cause GUP with FOLL_FORCE and create a protnone pte.

I submitted a request to syzbot to test the fix that worked in my local env. Thanks.


Regards
Yin, Fengwei

> 
> #syz test
> 
> diff --git a/mm/filemap.c b/mm/filemap.c
> index 582f5317ff71..580d0b2b1a7c 100644
> --- a/mm/filemap.c
> +++ b/mm/filemap.c
> @@ -3506,7 +3506,7 @@ static vm_fault_t filemap_map_folio_range(struct vm_fault *vmf,
>  		if (count) {
>  			set_pte_range(vmf, folio, page, count, addr);
>  			folio_ref_add(folio, count);
> -			if (in_range(vmf->address, addr, count))
> +			if (in_range(vmf->address, addr, count * PAGE_SIZE))
>  				ret = VM_FAULT_NOPAGE;
>  		}
>  
> @@ -3520,7 +3520,7 @@ static vm_fault_t filemap_map_folio_range(struct vm_fault *vmf,
>  	if (count) {
>  		set_pte_range(vmf, folio, page, count, addr);
>  		folio_ref_add(folio, count);
> -		if (in_range(vmf->address, addr, count))
> +		if (in_range(vmf->address, addr, count * PAGE_SIZE))
>  			ret = VM_FAULT_NOPAGE;
>  	}
>  
> 


* Re: [syzbot] [mm?] BUG: Bad page map (7)
  2023-09-11  7:24   ` Yin Fengwei
@ 2023-09-11  7:32     ` Yin Fengwei
  0 siblings, 0 replies; 29+ messages in thread
From: Yin Fengwei @ 2023-09-11  7:32 UTC (permalink / raw)
  To: Matthew Wilcox, syzbot; +Cc: akpm, linux-kernel, linux-mm, syzkaller-bugs



On 9/11/23 15:24, Yin Fengwei wrote:
> Hi Matthew,
> 
> On 9/10/23 11:02, Matthew Wilcox wrote:
>> On Sat, Sep 09, 2023 at 10:12:48AM -0700, syzbot wrote:
>>> commit 617c28ecab22d98a3809370eb6cb50fa24b7bfe1
>>> Author: Yin Fengwei <fengwei.yin@intel.com>
>>> Date:   Wed Aug 2 15:14:05 2023 +0000
>>>
>>>     filemap: batch PTE mappings
>>
>> Hmm ... I don't know if this is the bug, but ...
> I do think we should merge your patch here. LKP already noticed some performance
> regressions. I suppose this patch can fix some of them.
I will verify this patch to see whether the regressions noticed by LKP can be
fixed. Will keep you updated for any progress. Thanks.


Regards
Yin, Fengwei

> 
> 
> I root-caused this "bad page map" issue in my local env. It's related to ptes
> with protnone on x86_64. So if the pte is not protnone, advancing the pte by adding
> 1UL << PFN_PTE_SHIFT is correct. But if the pte is protnone, we should subtract
> 1UL << PFN_PTE_SHIFT. I saw that pfn_pte() had pfn ^= protnone_mask() and just realized
> it.
> 
> 
> The reproducer mmaps with PROT_NONE and then triggers SIGXFSZ and creates a core file.
> That will cause GUP with FOLL_FORCE and create a protnone pte.
> 
> I submitted a request to syzbot to test the fix that worked in my local env. Thanks.
> 
> 
> Regards
> Yin, Fengwei
> 
>>
>> #syz test
>>
>> diff --git a/mm/filemap.c b/mm/filemap.c
>> index 582f5317ff71..580d0b2b1a7c 100644
>> --- a/mm/filemap.c
>> +++ b/mm/filemap.c
>> @@ -3506,7 +3506,7 @@ static vm_fault_t filemap_map_folio_range(struct vm_fault *vmf,
>>  		if (count) {
>>  			set_pte_range(vmf, folio, page, count, addr);
>>  			folio_ref_add(folio, count);
>> -			if (in_range(vmf->address, addr, count))
>> +			if (in_range(vmf->address, addr, count * PAGE_SIZE))
>>  				ret = VM_FAULT_NOPAGE;
>>  		}
>>  
>> @@ -3520,7 +3520,7 @@ static vm_fault_t filemap_map_folio_range(struct vm_fault *vmf,
>>  	if (count) {
>>  		set_pte_range(vmf, folio, page, count, addr);
>>  		folio_ref_add(folio, count);
>> -		if (in_range(vmf->address, addr, count))
>> +		if (in_range(vmf->address, addr, count * PAGE_SIZE))
>>  			ret = VM_FAULT_NOPAGE;
>>  	}
>>  
>>


* Re: [syzbot] [mm?] BUG: Bad page map (7)
  2023-09-11  7:12 ` Yin Fengwei
@ 2023-09-11  7:48   ` syzbot
  2023-09-11 13:26   ` Matthew Wilcox
  1 sibling, 0 replies; 29+ messages in thread
From: syzbot @ 2023-09-11  7:48 UTC (permalink / raw)
  To: akpm, fengwei.yin, linux-kernel, linux-mm, syzkaller-bugs, willy

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+55cc72f8cc3a549119df@syzkaller.appspotmail.com

Tested on:

commit:         0bb80ecc Linux 6.6-rc1
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=174c0ad8680000
kernel config:  https://syzkaller.appspot.com/x/.config?x=13f2a37749f07ab2
dashboard link: https://syzkaller.appspot.com/bug?extid=55cc72f8cc3a549119df
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1421990c680000

Note: testing is done by a robot and is best-effort only.


* Re: [syzbot] [mm?] BUG: Bad page map (7)
  2023-09-11  7:12 ` Yin Fengwei
  2023-09-11  7:48   ` syzbot
@ 2023-09-11 13:26   ` Matthew Wilcox
  2023-09-11 14:00     ` syzbot
  2023-09-11 15:34     ` Dave Hansen
  1 sibling, 2 replies; 29+ messages in thread
From: Matthew Wilcox @ 2023-09-11 13:26 UTC (permalink / raw)
  To: Yin Fengwei; +Cc: syzbot, akpm, linux-kernel, linux-mm, syzkaller-bugs

On Mon, Sep 11, 2023 at 03:12:27PM +0800, Yin Fengwei wrote:
>  
> +static inline void set_ptes(struct mm_struct *mm, unsigned long addr,
> +               pte_t *ptep, pte_t pte, unsigned int nr)
> +{
> +       bool protnone = (pte_flags(pte) & (_PAGE_PROTNONE | _PAGE_PRESENT))
> +                       == _PAGE_PROTNONE;
> +
> +       page_table_check_ptes_set(mm, ptep, pte, nr);
> +
> +       for(;;) {
> +               native_set_pte(ptep, pte);
> +               if (--nr == 0)
> +                       break;
> +
> +               ptep++;
> +               if (protnone)
> +                       pte = __pte(pte_val(pte) - (1UL << PFN_PTE_SHIFT));
> +               else
> +                       pte = __pte(pte_val(pte) + (1UL << PFN_PTE_SHIFT));
> +       }
> +}
> +#define set_ptes set_ptes

Thanks for figuring this out.  I don't think I would have been able to!

I think this solution probably breaks pgtable-2level configs,
unfortunately.  How about this?  If other architectures decide to adopt
the inverted page table entry in the future, it'll work for them too.

#syz test

diff --git a/arch/x86/include/asm/pgtable-2level.h b/arch/x86/include/asm/pgtable-2level.h
index e9482a11ac52..a89be3e9b032 100644
--- a/arch/x86/include/asm/pgtable-2level.h
+++ b/arch/x86/include/asm/pgtable-2level.h
@@ -123,9 +123,6 @@ static inline u64 flip_protnone_guard(u64 oldval, u64 val, u64 mask)
 	return val;
 }
 
-static inline bool __pte_needs_invert(u64 val)
-{
-	return false;
-}
+#define __pte_needs_invert(val)	false
 
 #endif /* _ASM_X86_PGTABLE_2LEVEL_H */
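Review bot: turning the static inline into `#define __pte_needs_invert(val) false` means the argument is no longer evaluated or type-checked on 2-level configs, so a caller's `pte_val(pte)` becomes a dead expression that can trip unused-variable warnings. The pgtable-invert.h hunk below shows the lighter pattern: keep the inline function and add `#define __pte_needs_invert __pte_needs_invert` so the generic `#ifndef` sees the override.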
diff --git a/arch/x86/include/asm/pgtable-invert.h b/arch/x86/include/asm/pgtable-invert.h
index a0c1525f1b6f..f21726add655 100644
--- a/arch/x86/include/asm/pgtable-invert.h
+++ b/arch/x86/include/asm/pgtable-invert.h
@@ -17,6 +17,7 @@ static inline bool __pte_needs_invert(u64 val)
 {
 	return val && !(val & _PAGE_PRESENT);
 }
+#define __pte_needs_invert __pte_needs_invert
 
 /* Get a mask to xor with the page table entry to get the correct pfn. */
 static inline u64 protnone_mask(u64 val)
diff --git a/include/linux/pgtable.h b/include/linux/pgtable.h
index 1fba072b3dac..34b12e94b850 100644
--- a/include/linux/pgtable.h
+++ b/include/linux/pgtable.h
@@ -205,6 +205,10 @@ static inline int pmd_young(pmd_t pmd)
 #define arch_flush_lazy_mmu_mode()	do {} while (0)
 #endif
 
+#ifndef __pte_needs_invert
+#define __pte_needs_invert(pte)	false
+#endif
+
 #ifndef set_ptes
 /**
  * set_ptes - Map consecutive pages to a contiguous range of addresses.
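Review bot: the fallback is declared as `__pte_needs_invert(pte)` although the x86 version above takes a `u64` and the caller passes `pte_val(pte)`; naming the parameter `val` and adding a one-line comment on what an inverting architecture must provide would help, since this `#ifndef` block is the only place a non-x86 reader learns the hook exists.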
@@ -231,7 +235,10 @@ static inline void set_ptes(struct mm_struct *mm, unsigned long addr,
 		if (--nr == 0)
 			break;
 		ptep++;
-		pte = __pte(pte_val(pte) + (1UL << PFN_PTE_SHIFT));
+		if (__pte_needs_invert(pte_val(pte)))
+			pte = __pte(pte_val(pte) - (1UL << PFN_PTE_SHIFT));
+		else
+			pte = __pte(pte_val(pte) + (1UL << PFN_PTE_SHIFT));
 	}
 	arch_leave_lazy_mmu_mode();
 }
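Review bot: `__pte_needs_invert(pte_val(pte))` is re-evaluated on every trip through the loop although its answer cannot change across the range (the present bit is untouched while only the PFN field moves), so it can be computed once before `arch_enter_lazy_mmu_mode()` as the earlier x86-only version did. Since the inversion is an x86 detail, an arch-overridable "advance to the next PTE" hook would also keep the generic loop free of it.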

^ permalink raw reply related	[flat|nested] 29+ messages in thread

* Re: [syzbot] [mm?] BUG: Bad page map (7)
  2023-09-11 13:26   ` Matthew Wilcox
@ 2023-09-11 14:00     ` syzbot
  2023-09-11 15:34     ` Dave Hansen
  1 sibling, 0 replies; 29+ messages in thread
From: syzbot @ 2023-09-11 14:00 UTC (permalink / raw)
  To: akpm, fengwei.yin, linux-kernel, linux-mm, syzkaller-bugs, willy

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+55cc72f8cc3a549119df@syzkaller.appspotmail.com

Tested on:

commit:         0bb80ecc Linux 6.6-rc1
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1010b50c680000
kernel config:  https://syzkaller.appspot.com/x/.config?x=13f2a37749f07ab2
dashboard link: https://syzkaller.appspot.com/bug?extid=55cc72f8cc3a549119df
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=155d6578680000

Note: testing is done by a robot and is best-effort only.


* Re: [syzbot] [mm?] BUG: Bad page map (7)
  2023-09-11 13:26   ` Matthew Wilcox
  2023-09-11 14:00     ` syzbot
@ 2023-09-11 15:34     ` Dave Hansen
  2023-09-11 16:44       ` Matthew Wilcox
  1 sibling, 1 reply; 29+ messages in thread
From: Dave Hansen @ 2023-09-11 15:34 UTC (permalink / raw)
  To: Matthew Wilcox, Yin Fengwei
  Cc: syzbot, akpm, linux-kernel, linux-mm, syzkaller-bugs

On 9/11/23 06:26, Matthew Wilcox wrote:
> @@ -231,7 +235,10 @@ static inline void set_ptes(struct mm_struct *mm, unsigned long addr,
>  		if (--nr == 0)
>  			break;
>  		ptep++;
> -		pte = __pte(pte_val(pte) + (1UL << PFN_PTE_SHIFT));
> +		if (__pte_needs_invert(pte_val(pte)))
> +			pte = __pte(pte_val(pte) - (1UL << PFN_PTE_SHIFT));
> +		else
> +			pte = __pte(pte_val(pte) + (1UL << PFN_PTE_SHIFT));
>  	}
>  	arch_leave_lazy_mmu_mode();
>  }

This is much better than a whole x86 fork of set_ptes().  But it's still
a bit wonky because it exposes the PTE inversion logic to generic code.

Could we do something like this instead?  It'll (probably) end up
repeating the PTE inversion logic each way through the loop, so it's less
efficient than what you have above.  But unless I buggered something, it
"just works" without exposing any of the inversion logic to generic code.

The trick is that pte_pfn() undoes the inversion and then pfn_pte()
re-does it on each trip through the loop.

static inline void set_ptes(struct mm_struct *mm, unsigned long addr,
		pte_t *ptep, pte_t pte, unsigned int nr)
{
	/* Decode once up front; pte_pfn() undoes any PTE inversion. */
	pgprot_t prot = pte_pgprot(pte);
	unsigned long pfn = pte_pfn(pte);

	page_table_check_ptes_set(mm, ptep, pte, nr);

	arch_enter_lazy_mmu_mode();
	for (;;) {
		set_pte(ptep, pte);
		if (--nr == 0)
			break;
		ptep++;
		pfn++;
		/* pfn_pte() re-applies the inversion for the new pfn. */
		pte = pfn_pte(pfn, prot);
	}
	arch_leave_lazy_mmu_mode();
}

Obviously completely untested. :)


* Re: [syzbot] [mm?] BUG: Bad page map (7)
  2023-09-11 15:34     ` Dave Hansen
@ 2023-09-11 16:44       ` Matthew Wilcox
  2023-09-11 16:55         ` Dave Hansen
  0 siblings, 1 reply; 29+ messages in thread
From: Matthew Wilcox @ 2023-09-11 16:44 UTC (permalink / raw)
  To: Dave Hansen
  Cc: Yin Fengwei, syzbot, akpm, linux-kernel, linux-mm, syzkaller-bugs

On Mon, Sep 11, 2023 at 08:34:57AM -0700, Dave Hansen wrote:
> On 9/11/23 06:26, Matthew Wilcox wrote:
> > @@ -231,7 +235,10 @@ static inline void set_ptes(struct mm_struct *mm, unsigned long addr,
> >  		if (--nr == 0)
> >  			break;
> >  		ptep++;
> > -		pte = __pte(pte_val(pte) + (1UL << PFN_PTE_SHIFT));
> > +		if (__pte_needs_invert(pte_val(pte)))
> > +			pte = __pte(pte_val(pte) - (1UL << PFN_PTE_SHIFT));
> > +		else
> > +			pte = __pte(pte_val(pte) + (1UL << PFN_PTE_SHIFT));
> >  	}
> >  	arch_leave_lazy_mmu_mode();
> >  }
> 
> This is much better than a whole x86 fork of set_ptes().  But it's still
> a bit wonky because it exposes the PTE inversion logic to generic code.

I saw that as an advantage ... let people know that it exists as a
concept.

> static inline void set_ptes(struct mm_struct *mm, unsigned long addr,
>                 pte_t *ptep, pte_t pte, unsigned int nr)
> {
> 	pgprot_t prot = pte_pgprot(x);
> 	unsigned long pfn = pte_pfn(pte);
> 
>         page_table_check_ptes_set(mm, ptep, pte, nr);
> 
>         arch_enter_lazy_mmu_mode();
>         for (;;) {
>                 set_pte(ptep, pte);
>                 if (--nr == 0)
>                         break;
>                 ptep++;
> 		pfn++;
>                 pte = pfn_pte(pfn, pgprot);
>         }
>         arch_leave_lazy_mmu_mode();
> }
> 
> Obviously completely untested. :)

After fixing your two typos, this assembles to 176 bytes more code than
my version.  Not sure that's great.

How about this?  Keeps the inverted knowledge entirely in arch/x86.
Compiles to exactly the same code as the version I sent earlier.

diff --git a/arch/x86/include/asm/pgtable.h b/arch/x86/include/asm/pgtable.h
index d6ad98ca1288..c9781b8b14af 100644
--- a/arch/x86/include/asm/pgtable.h
+++ b/arch/x86/include/asm/pgtable.h
@@ -955,6 +955,14 @@ static inline int pte_same(pte_t a, pte_t b)
 	return a.pte == b.pte;
 }
 
+static inline pte_t pte_next(pte_t pte)
+{
+	if (__pte_needs_invert(pte_val(pte)))
+		return __pte(pte_val(pte) - (1UL << PFN_PTE_SHIFT));
+	return __pte(pte_val(pte) + (1UL << PFN_PTE_SHIFT));
+}
+#define pte_next	pte_next
+
 static inline int pte_present(pte_t a)
 {
 	return pte_flags(a) & (_PAGE_PRESENT | _PAGE_PROTNONE);
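Review bot: pte_next() carries no comment on why an inverted entry steps downward; a one-liner noting that a non-present x86 PTE stores its PFN bits inverted (see protnone_mask() in pgtable-invert.h) would spare the next reader the detour, since nothing in this header otherwise hints at it.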
diff --git a/include/linux/pgtable.h b/include/linux/pgtable.h
index 1fba072b3dac..7a932ed59c27 100644
--- a/include/linux/pgtable.h
+++ b/include/linux/pgtable.h
@@ -205,6 +205,10 @@ static inline int pmd_young(pmd_t pmd)
 #define arch_flush_lazy_mmu_mode()	do {} while (0)
 #endif
 
+#ifndef pte_next
+#define pte_next(pte)	((pte) + (1UL << PFN_PTE_SHIFT))
+#endif
+
 #ifndef set_ptes
 /**
  * set_ptes - Map consecutive pages to a contiguous range of addresses.
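Review bot: the fallback `#define pte_next(pte) ((pte) + (1UL << PFN_PTE_SHIFT))` adds directly to the `pte_t` and never wraps the result in `__pte()`, whereas the line it replaces in the set_ptes() hunk goes through `pte_val()`/`__pte()`; it only compiles here because x86 supplies its own pte_next(). It should read `__pte(pte_val(pte) + (1UL << PFN_PTE_SHIFT))` so the architectures that actually take this path still build.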
@@ -231,7 +235,7 @@ static inline void set_ptes(struct mm_struct *mm, unsigned long addr,
 		if (--nr == 0)
 			break;
 		ptep++;
-		pte = __pte(pte_val(pte) + (1UL << PFN_PTE_SHIFT));
+		pte = pte_next(pte);
 	}
 	arch_leave_lazy_mmu_mode();
 }

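To make the inversion concrete, here is an added user-space model (written for this page, not kernel code) of the x86 PTE encoding Fengwei describes above, putting the naive stepping of the unpatched generic set_ptes(), Matthew's pte_next() and Dave's pte_pfn()/pfn_pte() round-trip side by side. The bit positions follow arch/x86, but the 52-bit mask, the unprefixed helper names and the sample pfn are simplifying assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Layout mirroring arch/x86: PRESENT is bit 0, PROTNONE reuses bit 8, the PFN
 * starts at bit 12. The 52-bit physical mask is a simplification of the real one. */
#define PAGE_SHIFT      12
#define PFN_PTE_SHIFT   PAGE_SHIFT
#define _PAGE_PRESENT   (1ULL << 0)
#define _PAGE_RW        (1ULL << 1)
#define _PAGE_PROTNONE  (1ULL << 8)
#define PTE_PFN_MASK    (((1ULL << 52) - 1) & ~((1ULL << PAGE_SHIFT) - 1))

typedef uint64_t pte_t;    /* plain integers here; the kernel wraps them in structs */
typedef uint64_t pgprot_t;

/* A non-zero PTE without PRESENT stores its PFN bits inverted (the L1TF defence). */
static bool pte_needs_invert(uint64_t val)
{
	return val && !(val & _PAGE_PRESENT);
}

/* Mask to XOR with the PTE to recover the real PFN bits: all ones when inverted. */
static uint64_t protnone_mask(uint64_t val)
{
	return pte_needs_invert(val) ? ~0ULL : 0;
}

static pte_t pfn_pte(uint64_t pfn, pgprot_t prot)
{
	uint64_t phys = pfn << PAGE_SHIFT;
	phys ^= protnone_mask(prot);   /* invert for PROT_NONE-style entries */
	phys &= PTE_PFN_MASK;
	return phys | prot;
}

static uint64_t pte_pfn(pte_t pte)
{
	uint64_t v = pte ^ protnone_mask(pte);   /* undo the inversion */
	return (v & PTE_PFN_MASK) >> PAGE_SHIFT;
}

static pgprot_t pte_pgprot(pte_t pte)
{
	return pte & ~PTE_PFN_MASK;
}

/* Advance to the next page's PTE: the generic set_ptes() loop before the fix. */
static pte_t step_naive(pte_t pte)
{
	return pte + (1ULL << PFN_PTE_SHIFT);
}

/* Matthew's pte_next(): an inverted entry must step downward instead. */
static pte_t step_pte_next(pte_t pte)
{
	if (pte_needs_invert(pte))
		return pte - (1ULL << PFN_PTE_SHIFT);
	return pte + (1ULL << PFN_PTE_SHIFT);
}

/* Dave's variant: decode the pfn, bump it, re-encode through pfn_pte(). */
static pte_t step_pfn(pte_t pte)
{
	return pfn_pte(pte_pfn(pte) + 1, pte_pgprot(pte));
}

/* Walk nr PTEs from 'first' with the given stepper and count how many do not
 * decode to the expected consecutive pfn with unchanged protection bits. */
static unsigned int count_bad_ptes(pte_t (*step)(pte_t), pte_t first, unsigned int nr)
{
	uint64_t expect = pte_pfn(first);
	pgprot_t prot = pte_pgprot(first);
	unsigned int bad = 0;
	pte_t pte = first;

	for (unsigned int i = 0; i < nr; i++, expect++) {
		if (pte_pfn(pte) != expect || pte_pgprot(pte) != prot)
			bad++;
		pte = step(pte);
	}
	return bad;
}

int main(void)
{
	/* Constructed sample: a 4-page folio at pfn 0x12345, mapped present+RW (a
	 * normal read fault) and as PROT_NONE (the FOLL_FORCE core-dump case above). */
	pte_t present = pfn_pte(0x12345, _PAGE_PRESENT | _PAGE_RW);
	pte_t protnone = pfn_pte(0x12345, _PAGE_PROTNONE);

	printf("present  bad PTEs of 4: naive=%u pte_next=%u pfn=%u\n",
	       count_bad_ptes(step_naive, present, 4), count_bad_ptes(step_pte_next, present, 4),
	       count_bad_ptes(step_pfn, present, 4));
	printf("protnone bad PTEs of 4: naive=%u pte_next=%u pfn=%u\n",
	       count_bad_ptes(step_naive, protnone, 4), count_bad_ptes(step_pte_next, protnone, 4),
	       count_bad_ptes(step_pfn, protnone, 4));
	return 0;
}
```

For the present mapping all three steppers agree; for the PROT_NONE mapping the naive stepper walks the pfn backwards (0x12344, 0x12343, ...) and so maps the wrong pages, which is what zap_pte_range() later reports as a bad pte.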

* Re: [syzbot] [mm?] BUG: Bad page map (7)
  2023-09-11 16:44       ` Matthew Wilcox
@ 2023-09-11 16:55         ` Dave Hansen
  2023-09-11 19:12           ` Matthew Wilcox
  0 siblings, 1 reply; 29+ messages in thread
From: Dave Hansen @ 2023-09-11 16:55 UTC (permalink / raw)
  To: Matthew Wilcox
  Cc: Yin Fengwei, syzbot, akpm, linux-kernel, linux-mm, syzkaller-bugs

On 9/11/23 09:44, Matthew Wilcox wrote:
>> static inline void set_ptes(struct mm_struct *mm, unsigned long addr,
>>                 pte_t *ptep, pte_t pte, unsigned int nr)
>> {
>> 	pgprot_t prot = pte_pgprot(x);
>> 	unsigned long pfn = pte_pfn(pte);
>>
>>         page_table_check_ptes_set(mm, ptep, pte, nr);
>>
>>         arch_enter_lazy_mmu_mode();
>>         for (;;) {
>>                 set_pte(ptep, pte);
>>                 if (--nr == 0)
>>                         break;
>>                 ptep++;
>> 		pfn++;
>>                 pte = pfn_pte(pfn, pgprot);
>>         }
>>         arch_leave_lazy_mmu_mode();
>> }
>>
>> Obviously completely untested. :)
> After fixing your two typos, this assembles to 176 bytes more code than
> my version.  Not sure that's great.

Heh, only two? ;)

Maybe I'm a fool, but 176 bytes of text bloat isn't scaring me off too
much.  I'd much rather have that than another window into x86 goofiness
to maintain.

Does that 176 bytes translate into meaningful performance, or is it just
a bunch of register bit twiddling that the CPU will sail through?


* Re: [syzbot] [mm?] BUG: Bad page map (7)
  2023-09-11 16:55         ` Dave Hansen
@ 2023-09-11 19:12           ` Matthew Wilcox
  2023-09-11 20:22             ` Dave Hansen
  0 siblings, 1 reply; 29+ messages in thread
From: Matthew Wilcox @ 2023-09-11 19:12 UTC (permalink / raw)
  To: Dave Hansen
  Cc: Yin Fengwei, syzbot, akpm, linux-kernel, linux-mm, syzkaller-bugs

On Mon, Sep 11, 2023 at 09:55:37AM -0700, Dave Hansen wrote:
> On 9/11/23 09:44, Matthew Wilcox wrote:
> > After fixing your two typos, this assembles to 176 bytes more code than
> > my version.  Not sure that's great.
> 
> Maybe I'm a fool, but 176 bytes of text bloat isn't scaring me off too
> much.  I'd much rather have that than another window into x86 goofiness
> to maintain.
> 
> Does that 176 bytes translate into meaningful performance, or is it just
> a bunch of register bit twiddling that the CPU will sail through?

I'm ... not sure how to tell.  It's 1120 bytes vs 944 bytes and crawling
through that much x86 assembly isn't my idea of a great time.  I can
send you objdump -dr for all three options if you like?  Maybe there's
a quick way to compare them that I've never known about.


* Re: [syzbot] [mm?] BUG: Bad page map (7)
  2023-09-11 19:12           ` Matthew Wilcox
@ 2023-09-11 20:22             ` Dave Hansen
  2023-09-12  4:59               ` Matthew Wilcox
  0 siblings, 1 reply; 29+ messages in thread
From: Dave Hansen @ 2023-09-11 20:22 UTC (permalink / raw)
  To: Matthew Wilcox
  Cc: Yin Fengwei, syzbot, akpm, linux-kernel, linux-mm, syzkaller-bugs

On 9/11/23 12:12, Matthew Wilcox wrote:
> On Mon, Sep 11, 2023 at 09:55:37AM -0700, Dave Hansen wrote:
>> On 9/11/23 09:44, Matthew Wilcox wrote:
>>> After fixing your two typos, this assembles to 176 bytes more code than
>>> my version.  Not sure that's great.
>> Maybe I'm a fool, but 176 bytes of text bloat isn't scaring me off too
>> much.  I'd much rather have that than another window into x86 goofiness
>> to maintain.
>>
>> Does that 176 bytes translate into meaningful performance, or is it just
>> a bunch of register bit twiddling that the CPU will sail through?
> I'm ... not sure how to tell.  It's 1120 bytes vs 944 bytes and crawling
> through that much x86 assembly isn't my idea of a great time.  I can
> send you objdump -dr for all three options if you like?  Maybe there's
> a quick way to compare them that I've never known about.

Working patches would be great if you've got 'em handy, plus your
.config and generally what compiler you're on.

I'll see if there's anything silly happening that's causing the
generated code to blow up.


* Re: [syzbot] [mm?] BUG: Bad page map (7)
  2023-09-11 20:22             ` Dave Hansen
@ 2023-09-12  4:59               ` Matthew Wilcox
  2023-09-12 16:07                 ` Dave Hansen
                                   ` (2 more replies)
  0 siblings, 3 replies; 29+ messages in thread
From: Matthew Wilcox @ 2023-09-12  4:59 UTC (permalink / raw)
  To: Dave Hansen
  Cc: Yin Fengwei, syzbot, akpm, linux-kernel, linux-mm, syzkaller-bugs

On Mon, Sep 11, 2023 at 01:22:51PM -0700, Dave Hansen wrote:
> On 9/11/23 12:12, Matthew Wilcox wrote:
> > On Mon, Sep 11, 2023 at 09:55:37AM -0700, Dave Hansen wrote:
> >> On 9/11/23 09:44, Matthew Wilcox wrote:
> >>> After fixing your two typos, this assembles to 176 bytes more code than
> >>> my version.  Not sure that's great.
> >> Maybe I'm a fool, but 176 bytes of text bloat isn't scaring me off too
> >> much.  I'd much rather have that than another window into x86 goofiness
> >> to maintain.
> >>
> >> Does that 176 bytes translate into meaningful performance, or is it just
> >> a bunch of register bit twiddling that the CPU will sail through?
> > I'm ... not sure how to tell.  It's 1120 bytes vs 944 bytes and crawling
> > through that much x86 assembly isn't my idea of a great time.  I can
> > send you objdump -dr for all three options if you like?  Maybe there's
> > a quick way to compare them that I've never known about.
> 
> Working patches would be great if you're got 'em handy, plus your
> .config and generally what compiler you're on.

gcc (Debian 13.2.0-2) 13.2.0

I don't think there's anything particularly strange about my .config

If you compile this patch as-is, you'll get your preferred code.
Remove the #define DH and you get mine.

I would say that 176 bytes is 3 cachelines of I$, which isn't free,
even if all the insns in it can be executed while the CPU is waiting
for cache misses.  This ought to be a pretty tight loop anyway; we're
just filling in adjacent PTEs.  There may not be many spare cycles
for "free" uops to execute.

diff --git a/arch/x86/include/asm/pgtable.h b/arch/x86/include/asm/pgtable.h
index d6ad98ca1288..c9781b8b14af 100644
--- a/arch/x86/include/asm/pgtable.h
+++ b/arch/x86/include/asm/pgtable.h
@@ -955,6 +955,14 @@ static inline int pte_same(pte_t a, pte_t b)
 	return a.pte == b.pte;
 }
 
+static inline pte_t pte_next(pte_t pte)
+{
+	if (__pte_needs_invert(pte_val(pte)))
+		return __pte(pte_val(pte) - (1UL << PFN_PTE_SHIFT));
+	return __pte(pte_val(pte) + (1UL << PFN_PTE_SHIFT));
+}
+#define pte_next	pte_next
+
 static inline int pte_present(pte_t a)
 {
 	return pte_flags(a) & (_PAGE_PRESENT | _PAGE_PROTNONE);
diff --git a/include/linux/pgtable.h b/include/linux/pgtable.h
index 1fba072b3dac..25333cf3c865 100644
--- a/include/linux/pgtable.h
+++ b/include/linux/pgtable.h
@@ -205,6 +205,10 @@ static inline int pmd_young(pmd_t pmd)
 #define arch_flush_lazy_mmu_mode()	do {} while (0)
 #endif
 
+#ifndef pte_next
+#define pte_next(pte)	((pte) + (1UL << PFN_PTE_SHIFT))
+#endif
+
 #ifndef set_ptes
 /**
  * set_ptes - Map consecutive pages to a contiguous range of addresses.
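Review bot: the generic `pte_next(pte)` fallback in this hunk still adds to the `pte_t` without `pte_val()`/`__pte()`, unlike the set_ptes() line it stands in for; fine for this x86-only size comparison, but it would need `__pte(pte_val(pte) + (1UL << PFN_PTE_SHIFT))` before either variant is proposed for merging.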
@@ -223,6 +227,11 @@ static inline int pmd_young(pmd_t pmd)
 static inline void set_ptes(struct mm_struct *mm, unsigned long addr,
 		pte_t *ptep, pte_t pte, unsigned int nr)
 {
+#define DH
+#ifdef DH
+	pgprot_t prot = pte_pgprot(pte);
+	unsigned long pfn = pte_pfn(pte);
+#endif
 	page_table_check_ptes_set(mm, ptep, pte, nr);
 
 	arch_enter_lazy_mmu_mode();
@@ -231,7 +240,12 @@ static inline void set_ptes(struct mm_struct *mm, unsigned long addr,
 		if (--nr == 0)
 			break;
 		ptep++;
-		pte = __pte(pte_val(pte) + (1UL << PFN_PTE_SHIFT));
+#ifdef DH
+		pfn++;
+		pte = pfn_pte(pfn, prot);
+#else
+		pte = pte_next(pte);
+#endif
 	}
 	arch_leave_lazy_mmu_mode();
 }


* Re: [syzbot] [mm?] BUG: Bad page map (7)
  2023-09-12  4:59               ` Matthew Wilcox
@ 2023-09-12 16:07                 ` Dave Hansen
  2023-09-12 18:01                 ` Dave Hansen
  2023-09-14  7:33                 ` Yin Fengwei
  2 siblings, 0 replies; 29+ messages in thread
From: Dave Hansen @ 2023-09-12 16:07 UTC (permalink / raw)
  To: Matthew Wilcox
  Cc: Yin Fengwei, syzbot, akpm, linux-kernel, linux-mm, syzkaller-bugs

On 9/11/23 21:59, Matthew Wilcox wrote:
> I don't think there's anything particularly strange about my .config

I just saw some DEBUG_VM #ifdefs around the area and wondered if any of
them were to blame for the bloat.


* Re: [syzbot] [mm?] BUG: Bad page map (7)
  2023-09-12  4:59               ` Matthew Wilcox
  2023-09-12 16:07                 ` Dave Hansen
@ 2023-09-12 18:01                 ` Dave Hansen
  2023-09-14  7:33                 ` Yin Fengwei
  2 siblings, 0 replies; 29+ messages in thread
From: Dave Hansen @ 2023-09-12 18:01 UTC (permalink / raw)
  To: Matthew Wilcox
  Cc: Yin Fengwei, syzbot, akpm, linux-kernel, linux-mm, syzkaller-bugs

On 9/11/23 21:59, Matthew Wilcox wrote:
> On Mon, Sep 11, 2023 at 01:22:51PM -0700, Dave Hansen wrote:
>> On 9/11/23 12:12, Matthew Wilcox wrote:
>>> On Mon, Sep 11, 2023 at 09:55:37AM -0700, Dave Hansen wrote:
>>>> On 9/11/23 09:44, Matthew Wilcox wrote:
>>>>> After fixing your two typos, this assembles to 176 bytes more code than
>>>>> my version.  Not sure that's great.
>>>> Maybe I'm a fool, but 176 bytes of text bloat isn't scaring me off too
>>>> much.  I'd much rather have that than another window into x86 goofiness
>>>> to maintain.
>>>>
>>>> Does that 176 bytes translate into meaningful performance, or is it just
>>>> a bunch of register bit twiddling that the CPU will sail through?
>>> I'm ... not sure how to tell.  It's 1120 bytes vs 944 bytes and crawling
>>> through that much x86 assembly isn't my idea of a great time.  I can
>>> send you objdump -dr for all three options if you like?  Maybe there's
>>> a quick way to compare them that I've never known about.
>> Working patches would be great if you've got 'em handy, plus your
>> .config and generally what compiler you're on.
> gcc (Debian 13.2.0-2) 13.2.0
> 
> I don't think there's anything particularly strange about my .config
> 
> If you compile this patch as-is, you'll get your preferred code.
> Remove the #define DH and you get mine.
> 
> I would say that 176 bytes is 3 cachelines of I$, which isn't free,
> even if all the insns in it can be executed while the CPU is waiting
> for cache misses.  This ought to be a pretty tight loop anyway; we're
> just filling in adjacent PTEs.  There may not be many spare cycles
> for "free" uops to execute.

Thanks for that!

I went poking at it a bit.  One remarkable thing is how many pv_ops
calls there are.  Those are definitely keeping the compiler from helping
us out here too much.

Your version has 9 pv_ops calls while mine has 6.  So mine may have more
instructions in _this_ function, but it could easily be made up for by
call overhead and extra instructions in the pv_ops.

Also, I went looking for a way to poke at set_ptes() and profile it a
bit and get some actual numbers.  It seems like in most cases it would
be limited to use via fault around.  Is there some other way to poke at
it easily?

So, in the end, I see code which is not (as far as I can see) in a hot
path, and (again, to me) there's no compelling performance argument one
way or another.

I still like my version.  *Known* simplicity and uniformity win out in
my book over unknown performance benefits.

But, fixing the bug is the most important thing.  I don't feel strongly
enough about it to NAK your version either.

^ permalink raw reply	[flat|nested] 29+ messages in thread

* Re: [syzbot] [mm?] BUG: Bad page map (7)
  2023-09-12  4:59               ` Matthew Wilcox
  2023-09-12 16:07                 ` Dave Hansen
  2023-09-12 18:01                 ` Dave Hansen
@ 2023-09-14  7:33                 ` Yin Fengwei
  2023-09-14  8:37                   ` Yin Fengwei
  2023-09-19  1:11                   ` Yin Fengwei
  2 siblings, 2 replies; 29+ messages in thread
From: Yin Fengwei @ 2023-09-14  7:33 UTC (permalink / raw)
  To: Matthew Wilcox, Dave Hansen
  Cc: syzbot, akpm, linux-kernel, linux-mm, syzkaller-bugs

Hi Matthew,

On 9/12/23 12:59, Matthew Wilcox wrote:
> On Mon, Sep 11, 2023 at 01:22:51PM -0700, Dave Hansen wrote:
>> On 9/11/23 12:12, Matthew Wilcox wrote:
>>> On Mon, Sep 11, 2023 at 09:55:37AM -0700, Dave Hansen wrote:
>>>> On 9/11/23 09:44, Matthew Wilcox wrote:
>>>>> After fixing your two typos, this assembles to 176 bytes more code than
>>>>> my version.  Not sure that's great.
>>>> Maybe I'm a fool, but 176 bytes of text bloat isn't scaring me off too
>>>> much.  I'd much rather have that than another window into x86 goofiness
>>>> to maintain.
>>>>
>>>> Does that 176 bytes translate into meaningful performance, or is it just
>>>> a bunch of register bit twiddling that the CPU will sail through?
>>> I'm ... not sure how to tell.  It's 1120 bytes vs 944 bytes and crawling
>>> through that much x86 assembly isn't my idea of a great time.  I can
>>> send you objdump -dr for all three options if you like?  Maybe there's
>>> a quick way to compare them that I've never known about.
>>
>> Working patches would be great if you've got 'em handy, plus your
>> .config and generally what compiler you're on.
> 
> gcc (Debian 13.2.0-2) 13.2.0
> 
> I don't think there's anything particularly strange about my .config
> 
> If you compile this patch as-is, you'll get your preferred code.
> Remove the #define DH and you get mine.
> 
> I would say that 176 bytes is 3 cachelines of I$, which isn't free,
> even if all the insns in it can be executed while the CPU is waiting
> for cache misses.  This ought to be a pretty tight loop anyway; we're
> just filling in adjacent PTEs.  There may not be many spare cycles
> for "free" uops to execute.
> 
> diff --git a/arch/x86/include/asm/pgtable.h b/arch/x86/include/asm/pgtable.h
> index d6ad98ca1288..c9781b8b14af 100644
> --- a/arch/x86/include/asm/pgtable.h
> +++ b/arch/x86/include/asm/pgtable.h
> @@ -955,6 +955,14 @@ static inline int pte_same(pte_t a, pte_t b)
>  	return a.pte == b.pte;
>  }
>  
> +static inline pte_t pte_next(pte_t pte)
> +{
> +	if (__pte_needs_invert(pte_val(pte)))
> +		return __pte(pte_val(pte) - (1UL << PFN_PTE_SHIFT));
> +	return __pte(pte_val(pte) + (1UL << PFN_PTE_SHIFT));
> +}
> +#define pte_next	pte_next
> +
>  static inline int pte_present(pte_t a)
>  {
>  	return pte_flags(a) & (_PAGE_PRESENT | _PAGE_PROTNONE);
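Review bot: pte_next() subtracts `1UL << PFN_PTE_SHIFT` when __pte_needs_invert() is true, which is only correct because x86 stores the PFN field of a non-present PTE bit-inverted; that dependency needs a comment, as does the fact that this becomes a second code path (besides pfn_pte()/pte_pfn()) that edits the PFN bits in place, which the 6b28baca9b1f commit message quoted below says no code path should do. Neither branch guards against the step carrying or borrowing out of the PFN field into the flag bits, so the helper's contract (callers stay within one contiguous run, never wrap the field) should be written down next to it.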
> diff --git a/include/linux/pgtable.h b/include/linux/pgtable.h
> index 1fba072b3dac..25333cf3c865 100644
> --- a/include/linux/pgtable.h
> +++ b/include/linux/pgtable.h
> @@ -205,6 +205,10 @@ static inline int pmd_young(pmd_t pmd)
>  #define arch_flush_lazy_mmu_mode()	do {} while (0)
>  #endif
>  
> +#ifndef pte_next
> +#define pte_next(pte)	((pte) + (1UL << PFN_PTE_SHIFT))
> +#endif
> +
>  #ifndef set_ptes
>  /**
>   * set_ptes - Map consecutive pages to a contiguous range of addresses.
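Review bot: the generic fallback `#define pte_next(pte) ((pte) + (1UL << PFN_PTE_SHIFT))` applies `+` to a pte_t, which is a struct wrapper on x86 and most other architectures, so any architecture that does not override pte_next will fail to compile; it should mirror the line removed from set_ptes(), i.e. `__pte(pte_val(pte) + (1UL << PFN_PTE_SHIFT))`. Because arch/x86 defines its own pte_next in the previous hunk, an x86-only build never instantiates this macro, which is how the mistake survives a compile test.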
> @@ -223,6 +227,11 @@ static inline int pmd_young(pmd_t pmd)
>  static inline void set_ptes(struct mm_struct *mm, unsigned long addr,
>  		pte_t *ptep, pte_t pte, unsigned int nr)
>  {
> +#define DH
> +#ifdef DH
> +	pgprot_t prot = pte_pgprot(pte);
> +	unsigned long pfn = pte_pfn(pte);
> +#endif
>  	page_table_check_ptes_set(mm, ptep, pte, nr);
>  
>  	arch_enter_lazy_mmu_mode();
> @@ -231,7 +240,12 @@ static inline void set_ptes(struct mm_struct *mm, unsigned long addr,
>  		if (--nr == 0)
>  			break;
>  		ptep++;
> -		pte = __pte(pte_val(pte) + (1UL << PFN_PTE_SHIFT));
> +#ifdef DH
> +		pfn++;
> +		pte = pfn_pte(pfn, prot);
> +#else
> +		pte = pte_next(pte);
> +#endif
>  	}
>  	arch_leave_lazy_mmu_mode();
>  }

I checked the commit message of 6b28baca9b1f0d4a42b865da7a05b1c81424bd5c:
    The invert is done by pte/pmd_modify and pfn/pmd/pud_pte for PROTNONE and
    pte/pmd/pud_pfn undo it.
    
    This assume that no code path touches the PFN part of a PTE directly
    without using these primitives.

So maybe we should always use these APIs even if we make an x86-specific set_ptes()?

I will find a test machine to measure the performance difference of these two
versions by using xfs + will-it-scale. Will keep you guys updated.


Regards
Yin, Fengwei

^ permalink raw reply	[flat|nested] 29+ messages in thread
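The point raised in the message above, that x86 stores the PFN field of a non-present PTE inverted and that only pfn_pte()/pte_pfn() are meant to touch it, is easy to check in user space. The block below is an added example written for this page, not code from the thread or from the kernel tree. It models the x86-64 encoding with a 52-bit physical mask (bits 12..51), reduces pfn_pte()/pte_pfn() to the inversion logic, and treats every non-zero non-present PTE as inverted, as x86's __pte_needs_invert() does for the L1TF mitigation introduced by commit 6b28baca9b1f; check_pgprot(), paravirt hooks and the real struct types are left out, and the constants are assumptions of the model. It then steps one PTE three ways (the original `pte_val + (1UL << PFN_PTE_SHIFT)`, Matthew's pte_next(), and Dave's pte_pfn()/pfn_pte() round trip) and decodes a record from the syzbot "Bad page map" report that appears later in this thread: pte:fffff99a98120 is PROTNONE|ACCESSED with no PRESENT bit, its inverted PFN field decodes to pfn 0x66567, which is what the page dump reports, and the follow-on PTEs in that report (fffff99a99120, fffff99a9a120) are exactly what the naive increment produces, mapping pfn 0x66566 and 0x66565, i.e. walking backwards through physical memory while the virtual addresses walk forwards. The report-line parser is part of this example, not a kernel interface.

```c
/*
 * Added example (not from this thread or the kernel tree): user-space model of
 * the x86-64 PTE arithmetic under discussion.  Assumptions: 52-bit physical
 * address space (PTE_PFN_MASK = bits 12..51); non-zero, non-present PTEs carry
 * an inverted PFN field (L1TF mitigation); pfn_pte()/pte_pfn() reduced to the
 * inversion logic; pteval_t/pgprotval_t are plain integers here.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SHIFT	12
#define PFN_PTE_SHIFT	PAGE_SHIFT
#define PTE_PFN_MASK	0x000ffffffffff000ULL	/* bits 12..51 */
#define PTE_FLAGS_MASK	(~PTE_PFN_MASK)
#define _PAGE_PRESENT	(1ULL << 0)
#define _PAGE_RW	(1ULL << 1)
#define _PAGE_USER	(1ULL << 2)
#define _PAGE_ACCESSED	(1ULL << 5)
#define _PAGE_DIRTY	(1ULL << 6)
#define _PAGE_PROTNONE	(1ULL << 8)	/* shares the GLOBAL bit; only meaningful when !PRESENT */

typedef uint64_t pteval_t;
typedef uint64_t pgprotval_t;

/* Model of x86's __pte_needs_invert(): non-zero, non-present PTEs store ~PFN. */
static bool pte_needs_invert(pteval_t val)
{
	return val && !(val & _PAGE_PRESENT);
}

static pteval_t protnone_mask(pteval_t val)
{
	return pte_needs_invert(val) ? ~0ULL : 0ULL;
}

/* pfn_pte(): apply the inversion while building a PTE from pfn + protection bits. */
static pteval_t pfn_pte(uint64_t pfn, pgprotval_t prot)
{
	pteval_t phys = pfn << PAGE_SHIFT;

	phys ^= protnone_mask(prot);
	phys &= PTE_PFN_MASK;
	return phys | (prot & PTE_FLAGS_MASK);
}

/* pte_pfn(): undo the inversion when reading the pfn back out. */
static uint64_t pte_pfn(pteval_t pte)
{
	pteval_t phys = pte & PTE_PFN_MASK;

	phys ^= protnone_mask(pte);
	phys &= PTE_PFN_MASK;
	return phys >> PAGE_SHIFT;
}

static pgprotval_t pte_pgprot(pteval_t pte)
{
	return pte & PTE_FLAGS_MASK;
}

/* What set_ptes() did before the fix: bump the raw PFN field regardless of encoding. */
static pteval_t pte_next_naive(pteval_t pte)
{
	return pte + (1ULL << PFN_PTE_SHIFT);
}

/* Matthew's pte_next(): step the raw field in the direction the encoding requires. */
static pteval_t pte_next_invert_aware(pteval_t pte)
{
	if (pte_needs_invert(pte))
		return pte - (1ULL << PFN_PTE_SHIFT);
	return pte + (1ULL << PFN_PTE_SHIFT);
}

/* Dave's variant: never touch the PFN bits directly, round-trip through the primitives. */
static pteval_t pte_next_roundtrip(pteval_t pte)
{
	return pfn_pte(pte_pfn(pte) + 1, pte_pgprot(pte));
}

/*
 * Cross-check one "BUG: Bad page map" record (parser is part of this example):
 * decode the pfn from the "pte:" field and compare with the "pfn:" the page
 * dump reports.  Returns true when they agree; *decoded gets the PTE's pfn.
 */
static bool report_pte_matches_page(const char *bug_line, const char *page_line,
				    uint64_t *decoded)
{
	const char *p = strstr(bug_line, "pte:");
	const char *q = strstr(page_line, "pfn:0x");
	unsigned long long pte, pfn;

	if (!p || !q || sscanf(p, "pte:%llx", &pte) != 1 ||
	    sscanf(q, "pfn:0x%llx", &pfn) != 1)
		return false;
	*decoded = pte_pfn((pteval_t)pte);
	return *decoded == (uint64_t)pfn;
}

int main(void)
{
	/* Constructed from the first record of the syzbot report in this thread. */
	const char *bug  = "BUG: Bad page map in process syz-executor.0  pte:fffff99a98120 pmd:1fbee067";
	const char *page = "page:ffffea00019959c0 refcount:9 mapcount:-1 mapping:ffff88807736c9d0 index:0x3 pfn:0x66567";
	pteval_t pte = 0xfffff99a98120ULL;	/* PROTNONE|ACCESSED, !PRESENT: inverted */
	uint64_t pfn = 0;

	printf("pte matches page: %s (pfn 0x%llx)\n",
	       report_pte_matches_page(bug, page, &pfn) ? "yes" : "no",
	       (unsigned long long)pfn);
	printf("naive next   -> pfn 0x%llx\n", (unsigned long long)pte_pfn(pte_next_naive(pte)));
	printf("invert-aware -> pfn 0x%llx\n", (unsigned long long)pte_pfn(pte_next_invert_aware(pte)));
	printf("round-trip   -> pfn 0x%llx\n", (unsigned long long)pte_pfn(pte_next_roundtrip(pte)));
	return 0;
}
```

Build with `cc -std=c11 -Wall` and run it: for a present PTE all three step functions agree, for the inverted one only the invert-aware and round-trip versions move to pfn 0x66568, while the naive add lands on 0x66566.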

* Re: [syzbot] [mm?] BUG: Bad page map (7)
  2023-09-14  7:33                 ` Yin Fengwei
@ 2023-09-14  8:37                   ` Yin Fengwei
  2023-09-19  1:11                   ` Yin Fengwei
  1 sibling, 0 replies; 29+ messages in thread
From: Yin Fengwei @ 2023-09-14  8:37 UTC (permalink / raw)
  To: Matthew Wilcox, Dave Hansen
  Cc: syzbot, akpm, linux-kernel, linux-mm, syzkaller-bugs



On 9/14/23 15:33, Yin Fengwei wrote:
> Hi Matthew,
> 
> On 9/12/23 12:59, Matthew Wilcox wrote:
>> On Mon, Sep 11, 2023 at 01:22:51PM -0700, Dave Hansen wrote:
>>> On 9/11/23 12:12, Matthew Wilcox wrote:
>>>> On Mon, Sep 11, 2023 at 09:55:37AM -0700, Dave Hansen wrote:
>>>>> On 9/11/23 09:44, Matthew Wilcox wrote:
>>>>>> After fixing your two typos, this assembles to 176 bytes more code than
>>>>>> my version.  Not sure that's great.
>>>>> Maybe I'm a fool, but 176 bytes of text bloat isn't scaring me off too
>>>>> much.  I'd much rather have that than another window into x86 goofiness
>>>>> to maintain.
>>>>>
>>>>> Does that 176 bytes translate into meaningful performance, or is it just
>>>>> a bunch of register bit twiddling that the CPU will sail through?
>>>> I'm ... not sure how to tell.  It's 1120 bytes vs 944 bytes and crawling
>>>> through that much x86 assembly isn't my idea of a great time.  I can
>>>> send you objdump -dr for all three options if you like?  Maybe there's
>>>> a quick way to compare them that I've never known about.
>>>
>>> Working patches would be great if you've got 'em handy, plus your
>>> .config and generally what compiler you're on.
>>
>> gcc (Debian 13.2.0-2) 13.2.0
>>
>> I don't think there's anything particularly strange about my .config
>>
>> If you compile this patch as-is, you'll get your preferred code.
>> Remove the #define DH and you get mine.
>>
>> I would say that 176 bytes is 3 cachelines of I$, which isn't free,
>> even if all the insns in it can be executed while the CPU is waiting
>> for cache misses.  This ought to be a pretty tight loop anyway; we're
>> just filling in adjacent PTEs.  There may not be many spare cycles
>> for "free" uops to execute.
>>
>> diff --git a/arch/x86/include/asm/pgtable.h b/arch/x86/include/asm/pgtable.h
>> index d6ad98ca1288..c9781b8b14af 100644
>> --- a/arch/x86/include/asm/pgtable.h
>> +++ b/arch/x86/include/asm/pgtable.h
>> @@ -955,6 +955,14 @@ static inline int pte_same(pte_t a, pte_t b)
>>  	return a.pte == b.pte;
>>  }
>>  
>> +static inline pte_t pte_next(pte_t pte)
>> +{
>> +	if (__pte_needs_invert(pte_val(pte)))
>> +		return __pte(pte_val(pte) - (1UL << PFN_PTE_SHIFT));
>> +	return __pte(pte_val(pte) + (1UL << PFN_PTE_SHIFT));
>> +}
>> +#define pte_next	pte_next
>> +
>>  static inline int pte_present(pte_t a)
>>  {
>>  	return pte_flags(a) & (_PAGE_PRESENT | _PAGE_PROTNONE);
>> diff --git a/include/linux/pgtable.h b/include/linux/pgtable.h
>> index 1fba072b3dac..25333cf3c865 100644
>> --- a/include/linux/pgtable.h
>> +++ b/include/linux/pgtable.h
>> @@ -205,6 +205,10 @@ static inline int pmd_young(pmd_t pmd)
>>  #define arch_flush_lazy_mmu_mode()	do {} while (0)
>>  #endif
>>  
>> +#ifndef pte_next
>> +#define pte_next(pte)	((pte) + (1UL << PFN_PTE_SHIFT))
>> +#endif
>> +
>>  #ifndef set_ptes
>>  /**
>>   * set_ptes - Map consecutive pages to a contiguous range of addresses.
>> @@ -223,6 +227,11 @@ static inline int pmd_young(pmd_t pmd)
>>  static inline void set_ptes(struct mm_struct *mm, unsigned long addr,
>>  		pte_t *ptep, pte_t pte, unsigned int nr)
>>  {
>> +#define DH
>> +#ifdef DH
>> +	pgprot_t prot = pte_pgprot(pte);
>> +	unsigned long pfn = pte_pfn(pte);
>> +#endif
>>  	page_table_check_ptes_set(mm, ptep, pte, nr);
>>  
>>  	arch_enter_lazy_mmu_mode();
>> @@ -231,7 +240,12 @@ static inline void set_ptes(struct mm_struct *mm, unsigned long addr,
>>  		if (--nr == 0)
>>  			break;
>>  		ptep++;
>> -		pte = __pte(pte_val(pte) + (1UL << PFN_PTE_SHIFT));
>> +#ifdef DH
>> +		pfn++;
>> +		pte = pfn_pte(pfn, prot);
>> +#else
>> +		pte = pte_next(pte);
>> +#endif
>>  	}
>>  	arch_leave_lazy_mmu_mode();
>>  }
> 
> I checked the commit message of 6b28baca9b1f0d4a42b865da7a05b1c81424bd5c:
>     The invert is done by pte/pmd_modify and pfn/pmd/pud_pte for PROTNONE and
>     pte/pmd/pud_pfn undo it.
>     
>     This assume that no code path touches the PFN part of a PTE directly
>     without using these primitives.
> 
> So maybe we should always use these APIs even if we make an x86-specific set_ptes()?
> 
> I will find a test machine to measure the performance difference of these two
> versions by using xfs + will-it-scale. Will keep you guys updated.
I ran the test from here (https://github.com/antonblanchard/will-it-scale/pull/37)
on an IceLake with 48C/96T + 192G RAM.


The host filesystem is ext4 (I can't change it to xfs). So I created a disk image,
formatted it as xfs and mounted it on the test directory.


The test results are as follows:
	Matthew's version			Dave's version
run1	379045929				375241566
run2	377870413				373950068
run3	378623159				371884035
run4	376890127				372391340
avg	378107407				373366752.3			-1.23%
stddev	0.20%					0.40%

Runs 1-4 use: page_fault4_processes -s 2 -t 96


run5	9696280					9599164
run6	9683840					9579984
run7	9684832					9595912
run8	9697936					9617408
avg	9690722					9598117				-0.96%
stddev	0%					0%

Runs 5-8 use: page_fault4_processes -s 2 -t 1


Conclusion: Dave's version is a little slower than Matthew's version. But the difference
is very small from what I can tell. Let me know if you have any questions. Thanks.


Regards
Yin, Fengwei

> 
> 
> Regards
> Yin, Fengwei

^ permalink raw reply	[flat|nested] 29+ messages in thread

* Re: [syzbot] [mm?] BUG: Bad page map (7)
  2023-09-14  7:33                 ` Yin Fengwei
  2023-09-14  8:37                   ` Yin Fengwei
@ 2023-09-19  1:11                   ` Yin Fengwei
  2023-09-19 16:11                     ` Dave Hansen
  1 sibling, 1 reply; 29+ messages in thread
From: Yin Fengwei @ 2023-09-19  1:11 UTC (permalink / raw)
  To: Matthew Wilcox, Dave Hansen
  Cc: syzbot, akpm, linux-kernel, linux-mm, syzkaller-bugs, Yin Fengwei

Hi Matthew,

On 9/14/23 15:33, Yin Fengwei wrote:
> Hi Matthew,
> 
> On 9/12/23 12:59, Matthew Wilcox wrote:
>> On Mon, Sep 11, 2023 at 01:22:51PM -0700, Dave Hansen wrote:
>>> On 9/11/23 12:12, Matthew Wilcox wrote:
>>>> On Mon, Sep 11, 2023 at 09:55:37AM -0700, Dave Hansen wrote:
>>>>> On 9/11/23 09:44, Matthew Wilcox wrote:
>>>>>> After fixing your two typos, this assembles to 176 bytes more code than
>>>>>> my version.  Not sure that's great.
>>>>> Maybe I'm a fool, but 176 bytes of text bloat isn't scaring me off too
>>>>> much.  I'd much rather have that than another window into x86 goofiness
>>>>> to maintain.
>>>>>
>>>>> Does that 176 bytes translate into meaningful performance, or is it just
>>>>> a bunch of register bit twiddling that the CPU will sail through?
>>>> I'm ... not sure how to tell.  It's 1120 bytes vs 944 bytes and crawling
>>>> through that much x86 assembly isn't my idea of a great time.  I can
>>>> send you objdump -dr for all three options if you like?  Maybe there's
>>>> a quick way to compare them that I've never known about.
>>>
>>> Working patches would be great if you've got 'em handy, plus your
>>> .config and generally what compiler you're on.
>>
>> gcc (Debian 13.2.0-2) 13.2.0
>>
>> I don't think there's anything particularly strange about my .config
>>
>> If you compile this patch as-is, you'll get your preferred code.
>> Remove the #define DH and you get mine.
>>
>> I would say that 176 bytes is 3 cachelines of I$, which isn't free,
>> even if all the insns in it can be executed while the CPU is waiting
>> for cache misses.  This ought to be a pretty tight loop anyway; we're
>> just filling in adjacent PTEs.  There may not be many spare cycles
>> for "free" uops to execute.
>>
>> diff --git a/arch/x86/include/asm/pgtable.h b/arch/x86/include/asm/pgtable.h
>> index d6ad98ca1288..c9781b8b14af 100644
>> --- a/arch/x86/include/asm/pgtable.h
>> +++ b/arch/x86/include/asm/pgtable.h
>> @@ -955,6 +955,14 @@ static inline int pte_same(pte_t a, pte_t b)
>>  	return a.pte == b.pte;
>>  }
>>  
>> +static inline pte_t pte_next(pte_t pte)
>> +{
>> +	if (__pte_needs_invert(pte_val(pte)))
>> +		return __pte(pte_val(pte) - (1UL << PFN_PTE_SHIFT));
>> +	return __pte(pte_val(pte) + (1UL << PFN_PTE_SHIFT));
>> +}
>> +#define pte_next	pte_next
>> +
>>  static inline int pte_present(pte_t a)
>>  {
>>  	return pte_flags(a) & (_PAGE_PRESENT | _PAGE_PROTNONE);
>> diff --git a/include/linux/pgtable.h b/include/linux/pgtable.h
>> index 1fba072b3dac..25333cf3c865 100644
>> --- a/include/linux/pgtable.h
>> +++ b/include/linux/pgtable.h
>> @@ -205,6 +205,10 @@ static inline int pmd_young(pmd_t pmd)
>>  #define arch_flush_lazy_mmu_mode()	do {} while (0)
>>  #endif
>>  
>> +#ifndef pte_next
>> +#define pte_next(pte)	((pte) + (1UL << PFN_PTE_SHIFT))
>> +#endif
>> +
>>  #ifndef set_ptes
>>  /**
>>   * set_ptes - Map consecutive pages to a contiguous range of addresses.
>> @@ -223,6 +227,11 @@ static inline int pmd_young(pmd_t pmd)
>>  static inline void set_ptes(struct mm_struct *mm, unsigned long addr,
>>  		pte_t *ptep, pte_t pte, unsigned int nr)
>>  {
>> +#define DH
>> +#ifdef DH
>> +	pgprot_t prot = pte_pgprot(pte);
>> +	unsigned long pfn = pte_pfn(pte);
>> +#endif
>>  	page_table_check_ptes_set(mm, ptep, pte, nr);
>>  
>>  	arch_enter_lazy_mmu_mode();
>> @@ -231,7 +240,12 @@ static inline void set_ptes(struct mm_struct *mm, unsigned long addr,
>>  		if (--nr == 0)
>>  			break;
>>  		ptep++;
>> -		pte = __pte(pte_val(pte) + (1UL << PFN_PTE_SHIFT));
>> +#ifdef DH
>> +		pfn++;
>> +		pte = pfn_pte(pfn, prot);
>> +#else
>> +		pte = pte_next(pte);
>> +#endif
>>  	}
>>  	arch_leave_lazy_mmu_mode();
>>  }
> 
> I checked the commit message of 6b28baca9b1f0d4a42b865da7a05b1c81424bd5c:
>     The invert is done by pte/pmd_modify and pfn/pmd/pud_pte for PROTNONE and
>     pte/pmd/pud_pfn undo it.
>     
>     This assume that no code path touches the PFN part of a PTE directly
>     without using these primitives.
> 
> So maybe we should always use these APIs even if we make an x86-specific set_ptes()?
> 
> I will find a test machine to measure the performance difference of these two
> versions by using xfs + will-it-scale. Will keep you guys updated.
I'd like to move this bug fix forward. Based on the test result here:
https://lore.kernel.org/linux-mm/124631ab-eb4c-6584-12d4-f3c91e69c873@intel.com/
there is a very small performance delta between your version and Dave's.

What do you think about proposing to merge Dave's version? Or do I need to collect
more data? Thanks.


Regards
Yin, Fengwei

> 
> 
> Regards
> Yin, Fengwei

^ permalink raw reply	[flat|nested] 29+ messages in thread

* Re: [syzbot] [mm?] BUG: Bad page map (7)
  2023-09-19  1:11                   ` Yin Fengwei
@ 2023-09-19 16:11                     ` Dave Hansen
  2023-09-20  1:29                       ` Yin Fengwei
  0 siblings, 1 reply; 29+ messages in thread
From: Dave Hansen @ 2023-09-19 16:11 UTC (permalink / raw)
  To: Yin Fengwei, Matthew Wilcox
  Cc: syzbot, akpm, linux-kernel, linux-mm, syzkaller-bugs

On 9/18/23 18:11, Yin Fengwei wrote:
>> I will find a test machine to measure the performance difference of these two
>> versions by using xfs + will-it-scale. Will keep you guys updated.
> I'd like to move this bug fix forward. Based on the test result here:
> https://lore.kernel.org/linux-mm/124631ab-eb4c-6584-12d4-f3c91e69c873@intel.com/
> there is a very small performance delta between your version and Dave's.
> 
> What do you think about proposing to merge Dave's version? Or do I need to collect
> more data? Thanks.

I honestly don't feel that strongly about my version versus Matthew's.
I like mine, but I'll happily ack either approach.

The thing I care about the most is getting the bug fixed ... quickly. :)

^ permalink raw reply	[flat|nested] 29+ messages in thread

* Re: [syzbot] [mm?] BUG: Bad page map (7)
  2023-09-19 16:11                     ` Dave Hansen
@ 2023-09-20  1:29                       ` Yin Fengwei
  2023-09-20  1:47                         ` Matthew Wilcox
  0 siblings, 1 reply; 29+ messages in thread
From: Yin Fengwei @ 2023-09-20  1:29 UTC (permalink / raw)
  To: Dave Hansen, Matthew Wilcox
  Cc: syzbot, akpm, linux-kernel, linux-mm, syzkaller-bugs



On 9/20/23 00:11, Dave Hansen wrote:
> On 9/18/23 18:11, Yin Fengwei wrote:
>>> I will find a test machine to measure the performance difference of these two
>>> versions by using xfs + will-it-scale. Will keep you guys updated.
>> I'd like to move this bug fix forward. Based on the test result here:
>> https://lore.kernel.org/linux-mm/124631ab-eb4c-6584-12d4-f3c91e69c873@intel.com/
>> there is a very small performance delta between your version and Dave's.
>>
>> What do you think about proposing to merge Dave's version? Or do I need to collect
>> more data? Thanks.
> 
> I honestly don't feel that strongly about my version versus Matthew's.
> I like mine, but I'll happily ack either approach.
> 
> The thing I care about the most is getting the bug fixed ... quickly. :)
Same on my side.

Since the performance delta is very small, I think we should follow the
commit message of 6b28baca9b1f0d4a42b865da7a05b1c81424bd5c:
    The invert is done by pte/pmd_modify and pfn/pmd/pud_pte for PROTNONE and
    pte/pmd/pud_pfn undo it.
    
    This assume that no code path touches the PFN part of a PTE directly
    without using these primitives.


Regards
Yin, Fengwei

^ permalink raw reply	[flat|nested] 29+ messages in thread

* Re: [syzbot] [mm?] BUG: Bad page map (7)
  2023-09-20  1:29                       ` Yin Fengwei
@ 2023-09-20  1:47                         ` Matthew Wilcox
  0 siblings, 0 replies; 29+ messages in thread
From: Matthew Wilcox @ 2023-09-20  1:47 UTC (permalink / raw)
  To: Yin Fengwei
  Cc: Dave Hansen, syzbot, akpm, linux-kernel, linux-mm, syzkaller-bugs

On Wed, Sep 20, 2023 at 09:29:18AM +0800, Yin Fengwei wrote:
> 
> 
> On 9/20/23 00:11, Dave Hansen wrote:
> > On 9/18/23 18:11, Yin Fengwei wrote:
> >>> I will find a test machine to measure the performance difference of these two
> >>> versions by using xfs + will-it-scale. Will keep you guys updated.
> >> I'd like to move this bug fix forward. Based on the test result here:
> >> https://lore.kernel.org/linux-mm/124631ab-eb4c-6584-12d4-f3c91e69c873@intel.com/
> >> there is a very small performance delta between your version and Dave's.
> >>
> >> What do you think about proposing to merge Dave's version? Or do I need to collect
> >> more data? Thanks.
> > 
> > I honestly don't feel that strongly about my version versus Matthew's.
> > I like mine, but I'll happily ack either approach.
> > 
> > The thing I care about the most is getting the bug fixed ... quickly. :)
> Same on my side.

I'm just redoing the commit message now.

^ permalink raw reply	[flat|nested] 29+ messages in thread

* Re: [syzbot] [mm?] BUG: Bad page map (7)
       [not found] <20230912112004.6546-1-hdanton@sina.com>
@ 2023-09-12 11:44 ` syzbot
  0 siblings, 0 replies; 29+ messages in thread
From: syzbot @ 2023-09-12 11:44 UTC (permalink / raw)
  To: hdanton, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: Bad page map

BUG: Bad page map in process syz-executor.0  pte:fffff99a98120 pmd:1fbee067
page:ffffea00019959c0 refcount:9 mapcount:-1 mapping:ffff88807736c9d0 index:0x3 pfn:0x66567
head:ffffea0001995900 order:2 entire_mapcount:0 nr_pages_mapped:8388607 pincount:0
memcg:ffff88802112c000
aops:xfs_address_space_operations ino:244a dentry name:"bus"
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000000 ffffea0001995901 dead000000000122 dead000000000400
raw: 0000000000000001 0000000000000000 00000000fffffffe 0000000000000000
head: 00fff0000000816c ffffea0001c1b9c8 ffff888020f3a030 ffff88807736c9d0
head: 0000000000000000 ffff8880146f3b80 00000009ffffffff ffff88802112c000
page dumped because: bad pte
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Movable, gfp_mask 0x152c4a(GFP_NOFS|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 5463, tgid 5461 (syz-executor.0), ts 75822700865, free_ts 14932935563
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
 prep_new_page mm/page_alloc.c:1543 [inline]
 get_page_from_freelist+0x31db/0x3360 mm/page_alloc.c:3170
 __alloc_pages+0x255/0x670 mm/page_alloc.c:4426
 folio_alloc+0x1e/0x60 mm/mempolicy.c:2308
 filemap_alloc_folio+0xde/0x500 mm/filemap.c:976
 ra_alloc_folio mm/readahead.c:468 [inline]
 page_cache_ra_order+0x423/0xcc0 mm/readahead.c:524
 do_sync_mmap_readahead+0x444/0x850
 filemap_fault+0x7d3/0x1710 mm/filemap.c:3291
 __xfs_filemap_fault+0x286/0x960 fs/xfs/xfs_file.c:1354
 __do_fault+0x133/0x4e0 mm/memory.c:4204
 do_read_fault mm/memory.c:4568 [inline]
 do_fault mm/memory.c:4705 [inline]
 do_pte_missing mm/memory.c:3669 [inline]
 handle_pte_fault mm/memory.c:4978 [inline]
 __handle_mm_fault mm/memory.c:5119 [inline]
 handle_mm_fault+0x48d2/0x6200 mm/memory.c:5284
 faultin_page mm/gup.c:956 [inline]
 __get_user_pages+0x6bd/0x15e0 mm/gup.c:1239
 __get_user_pages_locked mm/gup.c:1504 [inline]
 get_dump_page+0x146/0x2b0 mm/gup.c:2018
 dump_user_range+0x126/0x910 fs/coredump.c:913
 elf_core_dump+0x3b75/0x4490 fs/binfmt_elf.c:2142
 do_coredump+0x1b73/0x2ab0 fs/coredump.c:764
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1136 [inline]
 free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
 free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
 free_contig_range+0x9e/0x150 mm/page_alloc.c:6342
 destroy_args+0x95/0x7c0 mm/debug_vm_pgtable.c:1028
 debug_vm_pgtable+0x4ac/0x540 mm/debug_vm_pgtable.c:1408
 do_one_initcall+0x23d/0x7d0 init/main.c:1232
 do_initcall_level+0x157/0x210 init/main.c:1294
 do_initcalls+0x3f/0x80 init/main.c:1310
 kernel_init_freeable+0x440/0x5d0 init/main.c:1547
 kernel_init+0x1d/0x2a0 init/main.c:1437
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
addr:0000000020006000 vm_flags:080000d0 anon_vma:0000000000000000 mapping:ffff88807736c9d0 index:5
file:bus fault:xfs_filemap_fault mmap:xfs_file_mmap read_folio:xfs_vm_read_folio
CPU: 1 PID: 5463 Comm: syz-executor.0 Not tainted 6.6.0-rc1-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
 print_bad_pte+0x581/0x5c0 mm/memory.c:535
 zap_pte_range mm/memory.c:1458 [inline]
 zap_pmd_range mm/memory.c:1573 [inline]
 zap_pud_range mm/memory.c:1602 [inline]
 zap_p4d_range mm/memory.c:1623 [inline]
 unmap_page_range+0x1a76/0x3300 mm/memory.c:1644
 unmap_vmas+0x209/0x3a0 mm/memory.c:1731
 exit_mmap+0x297/0xc50 mm/mmap.c:3210
 __mmput+0x115/0x3c0 kernel/fork.c:1349
 exit_mm+0x21f/0x300 kernel/exit.c:567
 do_exit+0x612/0x2290 kernel/exit.c:861
 do_group_exit+0x206/0x2c0 kernel/exit.c:1024
 get_signal+0x175d/0x1840 kernel/signal.c:2892
 arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:309
 exit_to_user_mode_loop+0x6a/0x100 kernel/entry/common.c:168
 exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:204
 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
 syscall_exit_to_user_mode+0x64/0x280 kernel/entry/common.c:296
 do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f3a06c7cae9
Code: Unable to access opcode bytes at 0x7f3a06c7cabf.
RSP: 002b:00007f3a07a010c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000148
RAX: ffffffffffffffe5 RBX: 00007f3a06d9bf80 RCX: 00007f3a06c7cae9
RDX: 0000000000000002 RSI: 0000000020000300 RDI: 0000000000000007
RBP: 00007f3a06cc847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000008800000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f3a06d9bf80 R15: 00007fffc30ea648
 </TASK>
BUG: Bad page map in process syz-executor.0  pte:fffff99a99120 pmd:1fbee067
page:ffffea0001995980 refcount:9 mapcount:-1 mapping:ffff88807736c9d0 index:0x2 pfn:0x66566
head:ffffea0001995900 order:2 entire_mapcount:0 nr_pages_mapped:8388606 pincount:0
memcg:ffff88802112c000
aops:xfs_address_space_operations ino:244a dentry name:"bus"
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000000 ffffea0001995901 ffffea0001995990 ffffea0001995990
raw: 0000000000000001 0000000000000000 00000000fffffffe 0000000000000000
head: 00fff0000000816c ffffea0001c1b9c8 ffff888020f3a030 ffff88807736c9d0
head: 0000000000000000 ffff8880146f3b80 00000009ffffffff ffff88802112c000
page dumped because: bad pte
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Movable, gfp_mask 0x152c4a(GFP_NOFS|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 5463, tgid 5461 (syz-executor.0), ts 75822700865, free_ts 14932929861
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
 prep_new_page mm/page_alloc.c:1543 [inline]
 get_page_from_freelist+0x31db/0x3360 mm/page_alloc.c:3170
 __alloc_pages+0x255/0x670 mm/page_alloc.c:4426
 folio_alloc+0x1e/0x60 mm/mempolicy.c:2308
 filemap_alloc_folio+0xde/0x500 mm/filemap.c:976
 ra_alloc_folio mm/readahead.c:468 [inline]
 page_cache_ra_order+0x423/0xcc0 mm/readahead.c:524
 do_sync_mmap_readahead+0x444/0x850
 filemap_fault+0x7d3/0x1710 mm/filemap.c:3291
 __xfs_filemap_fault+0x286/0x960 fs/xfs/xfs_file.c:1354
 __do_fault+0x133/0x4e0 mm/memory.c:4204
 do_read_fault mm/memory.c:4568 [inline]
 do_fault mm/memory.c:4705 [inline]
 do_pte_missing mm/memory.c:3669 [inline]
 handle_pte_fault mm/memory.c:4978 [inline]
 __handle_mm_fault mm/memory.c:5119 [inline]
 handle_mm_fault+0x48d2/0x6200 mm/memory.c:5284
 faultin_page mm/gup.c:956 [inline]
 __get_user_pages+0x6bd/0x15e0 mm/gup.c:1239
 __get_user_pages_locked mm/gup.c:1504 [inline]
 get_dump_page+0x146/0x2b0 mm/gup.c:2018
 dump_user_range+0x126/0x910 fs/coredump.c:913
 elf_core_dump+0x3b75/0x4490 fs/binfmt_elf.c:2142
 do_coredump+0x1b73/0x2ab0 fs/coredump.c:764
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1136 [inline]
 free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
 free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
 free_contig_range+0x9e/0x150 mm/page_alloc.c:6342
 destroy_args+0x95/0x7c0 mm/debug_vm_pgtable.c:1028
 debug_vm_pgtable+0x4ac/0x540 mm/debug_vm_pgtable.c:1408
 do_one_initcall+0x23d/0x7d0 init/main.c:1232
 do_initcall_level+0x157/0x210 init/main.c:1294
 do_initcalls+0x3f/0x80 init/main.c:1310
 kernel_init_freeable+0x440/0x5d0 init/main.c:1547
 kernel_init+0x1d/0x2a0 init/main.c:1437
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
addr:0000000020007000 vm_flags:080000d0 anon_vma:0000000000000000 mapping:ffff88807736c9d0 index:6
file:bus fault:xfs_filemap_fault mmap:xfs_file_mmap read_folio:xfs_vm_read_folio
CPU: 1 PID: 5463 Comm: syz-executor.0 Tainted: G    B              6.6.0-rc1-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
 print_bad_pte+0x581/0x5c0 mm/memory.c:535
 zap_pte_range mm/memory.c:1458 [inline]
 zap_pmd_range mm/memory.c:1573 [inline]
 zap_pud_range mm/memory.c:1602 [inline]
 zap_p4d_range mm/memory.c:1623 [inline]
 unmap_page_range+0x1a76/0x3300 mm/memory.c:1644
 unmap_vmas+0x209/0x3a0 mm/memory.c:1731
 exit_mmap+0x297/0xc50 mm/mmap.c:3210
 __mmput+0x115/0x3c0 kernel/fork.c:1349
 exit_mm+0x21f/0x300 kernel/exit.c:567
 do_exit+0x612/0x2290 kernel/exit.c:861
 do_group_exit+0x206/0x2c0 kernel/exit.c:1024
 get_signal+0x175d/0x1840 kernel/signal.c:2892
 arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:309
 exit_to_user_mode_loop+0x6a/0x100 kernel/entry/common.c:168
 exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:204
 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
 syscall_exit_to_user_mode+0x64/0x280 kernel/entry/common.c:296
 do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f3a06c7cae9
Code: Unable to access opcode bytes at 0x7f3a06c7cabf.
RSP: 002b:00007f3a07a010c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000148
RAX: ffffffffffffffe5 RBX: 00007f3a06d9bf80 RCX: 00007f3a06c7cae9
RDX: 0000000000000002 RSI: 0000000020000300 RDI: 0000000000000007
RBP: 00007f3a06cc847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000008800000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f3a06d9bf80 R15: 00007fffc30ea648
 </TASK>
BUG: Bad page map in process syz-executor.0  pte:fffff99a9a120 pmd:1fbee067
page:ffffea0001995940 refcount:9 mapcount:-1 mapping:ffff88807736c9d0 index:0x1 pfn:0x66565
head:ffffea0001995900 order:2 entire_mapcount:0 nr_pages_mapped:8388605 pincount:0
memcg:ffff88802112c000
aops:xfs_address_space_operations ino:244a dentry name:"bus"
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000202 ffffea0001995901 dead000000000122 fffffffdffffffff
raw: 0000000400000000 0000000000000000 00000000fffffffe 0000000000000000
head: 00fff0000000816c ffffea0001c1b9c8 ffff888020f3a030 ffff88807736c9d0
head: 0000000000000000 ffff8880146f3b80 00000009ffffffff ffff88802112c000
page dumped because: bad pte
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Movable, gfp_mask 0x152c4a(GFP_NOFS|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 5463, tgid 5461 (syz-executor.0), ts 75822700865, free_ts 14932924004
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
 prep_new_page mm/page_alloc.c:1543 [inline]
 get_page_from_freelist+0x31db/0x3360 mm/page_alloc.c:3170
 __alloc_pages+0x255/0x670 mm/page_alloc.c:4426
 folio_alloc+0x1e/0x60 mm/mempolicy.c:2308
 filemap_alloc_folio+0xde/0x500 mm/filemap.c:976
 ra_alloc_folio mm/readahead.c:468 [inline]
 page_cache_ra_order+0x423/0xcc0 mm/readahead.c:524
 do_sync_mmap_readahead+0x444/0x850
 filemap_fault+0x7d3/0x1710 mm/filemap.c:3291
 __xfs_filemap_fault+0x286/0x960 fs/xfs/xfs_file.c:1354
 __do_fault+0x133/0x4e0 mm/memory.c:4204
 do_read_fault mm/memory.c:4568 [inline]
 do_fault mm/memory.c:4705 [inline]
 do_pte_missing mm/memory.c:3669 [inline]
 handle_pte_fault mm/memory.c:4978 [inline]
 __handle_mm_fault mm/memory.c:5119 [inline]
 handle_mm_fault+0x48d2/0x6200 mm/memory.c:5284
 faultin_page mm/gup.c:956 [inline]
 __get_user_pages+0x6bd/0x15e0 mm/gup.c:1239
 __get_user_pages_locked mm/gup.c:1504 [inline]
 get_dump_page+0x146/0x2b0 mm/gup.c:2018
 dump_user_range+0x126/0x910 fs/coredump.c:913
 elf_core_dump+0x3b75/0x4490 fs/binfmt_elf.c:2142
 do_coredump+0x1b73/0x2ab0 fs/coredump.c:764
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1136 [inline]
 free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
 free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
 free_contig_range+0x9e/0x150 mm/page_alloc.c:6342
 destroy_args+0x95/0x7c0 mm/debug_vm_pgtable.c:1028
 debug_vm_pgtable+0x4ac/0x540 mm/debug_vm_pgtable.c:1408
 do_one_initcall+0x23d/0x7d0 init/main.c:1232
 do_initcall_level+0x157/0x210 init/main.c:1294
 do_initcalls+0x3f/0x80 init/main.c:1310
 kernel_init_freeable+0x440/0x5d0 init/main.c:1547
 kernel_init+0x1d/0x2a0 init/main.c:1437
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
addr:0000000020008000 vm_flags:080000d0 anon_vma:0000000000000000 mapping:ffff88807736c9d0 index:7
file:bus fault:xfs_filemap_fault mmap:xfs_file_mmap read_folio:xfs_vm_read_folio
CPU: 1 PID: 5463 Comm: syz-executor.0 Tainted: G    B              6.6.0-rc1-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
 print_bad_pte+0x581/0x5c0 mm/memory.c:535
 zap_pte_range mm/memory.c:1458 [inline]
 zap_pmd_range mm/memory.c:1573 [inline]
 zap_pud_range mm/memory.c:1602 [inline]
 zap_p4d_range mm/memory.c:1623 [inline]
 unmap_page_range+0x1a76/0x3300 mm/memory.c:1644
 unmap_vmas+0x209/0x3a0 mm/memory.c:1731
 exit_mmap+0x297/0xc50 mm/mmap.c:3210
 __mmput+0x115/0x3c0 kernel/fork.c:1349
 exit_mm+0x21f/0x300 kernel/exit.c:567
 do_exit+0x612/0x2290 kernel/exit.c:861
 do_group_exit+0x206/0x2c0 kernel/exit.c:1024
 get_signal+0x175d/0x1840 kernel/signal.c:2892
 arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:309
 exit_to_user_mode_loop+0x6a/0x100 kernel/entry/common.c:168
 exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:204
 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
 syscall_exit_to_user_mode+0x64/0x280 kernel/entry/common.c:296
 do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f3a06c7cae9
Code: Unable to access opcode bytes at 0x7f3a06c7cabf.
RSP: 002b:00007f3a07a010c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000148
RAX: ffffffffffffffe5 RBX: 00007f3a06d9bf80 RCX: 00007f3a06c7cae9
RDX: 0000000000000002 RSI: 0000000020000300 RDI: 0000000000000007
RBP: 00007f3a06cc847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000008800000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f3a06d9bf80 R15: 00007fffc30ea648
 </TASK>


Tested on:

commit:         0bb80ecc Linux 6.6-rc1
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16cb00e8680000
kernel config:  https://syzkaller.appspot.com/x/.config?x=13f2a37749f07ab2
dashboard link: https://syzkaller.appspot.com/bug?extid=55cc72f8cc3a549119df
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=12510d08680000



* Re: [syzbot] [mm?] BUG: Bad page map (7)
       [not found] <20230910114742.6409-1-hdanton@sina.com>
@ 2023-09-10 12:37 ` syzbot
  0 siblings, 0 replies; 29+ messages in thread
From: syzbot @ 2023-09-10 12:37 UTC (permalink / raw)
  To: hdanton, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: Bad page map

BUG: Bad page map in process syz-executor.0  pte:fffff9a4fc120 pmd:27564067
page:ffffea000196c0c0 refcount:9 mapcount:-1 mapping:ffff888076fc0410 index:0x3 pfn:0x65b03
head:ffffea000196c000 order:2 entire_mapcount:0 nr_pages_mapped:8388607 pincount:0
memcg:ffff888021424000
aops:xfs_address_space_operations ino:244a dentry name:"bus"
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000000 ffffea000196c001 dead000000000122 dead000000000400
raw: 0000000000000001 0000000000000000 00000000fffffffe 0000000000000000
head: 00fff0000000816c ffffea0001a0bbc8 ffff88802087a030 ffff888076fc0410
head: 0000000000000000 ffff88801c0ae900 00000009ffffffff ffff888021424000
page dumped because: bad pte
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Movable, gfp_mask 0x152c4a(GFP_NOFS|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 5455, tgid 5454 (syz-executor.0), ts 80410050199, free_ts 55464708323
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
 prep_new_page mm/page_alloc.c:1543 [inline]
 get_page_from_freelist+0x31db/0x3360 mm/page_alloc.c:3170
 __alloc_pages+0x255/0x670 mm/page_alloc.c:4426
 folio_alloc+0x1e/0x60 mm/mempolicy.c:2308
 filemap_alloc_folio+0xde/0x500 mm/filemap.c:976
 ra_alloc_folio mm/readahead.c:468 [inline]
 page_cache_ra_order+0x423/0xcc0 mm/readahead.c:524
 do_sync_mmap_readahead+0x444/0x850
 filemap_fault+0x7d3/0x1710 mm/filemap.c:3291
 __xfs_filemap_fault+0x286/0x960 fs/xfs/xfs_file.c:1354
 __do_fault+0x133/0x4e0 mm/memory.c:4204
 do_read_fault mm/memory.c:4568 [inline]
 do_fault mm/memory.c:4705 [inline]
 do_pte_missing mm/memory.c:3669 [inline]
 handle_pte_fault mm/memory.c:4978 [inline]
 __handle_mm_fault mm/memory.c:5119 [inline]
 handle_mm_fault+0x48d2/0x6200 mm/memory.c:5284
 faultin_page mm/gup.c:956 [inline]
 __get_user_pages+0x6bd/0x15e0 mm/gup.c:1239
 __get_user_pages_locked mm/gup.c:1504 [inline]
 get_dump_page+0x146/0x2b0 mm/gup.c:2018
 dump_user_range+0x126/0x910 fs/coredump.c:913
 elf_core_dump+0x3b75/0x4490 fs/binfmt_elf.c:2142
 do_coredump+0x1b73/0x2ab0 fs/coredump.c:764
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1136 [inline]
 free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
 free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
 release_pages+0x642/0x23f0 mm/swap.c:1008
 tlb_batch_pages_flush mm/mmu_gather.c:98 [inline]
 tlb_flush_mmu_free mm/mmu_gather.c:293 [inline]
 tlb_flush_mmu+0x34c/0x4e0 mm/mmu_gather.c:300
 tlb_finish_mmu+0xd4/0x1f0 mm/mmu_gather.c:392
 zap_page_range_single+0x451/0x510 mm/memory.c:1768
 madvise_dontneed_single_vma mm/madvise.c:825 [inline]
 madvise_dontneed_free mm/madvise.c:906 [inline]
 madvise_vma_behavior mm/madvise.c:1045 [inline]
 madvise_walk_vmas mm/madvise.c:1270 [inline]
 do_madvise+0x23f0/0x45d0 mm/madvise.c:1450
 __do_sys_madvise mm/madvise.c:1463 [inline]
 __se_sys_madvise mm/madvise.c:1461 [inline]
 __x64_sys_madvise+0xa5/0xb0 mm/madvise.c:1461
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
addr:0000000020006000 vm_flags:080000d0 anon_vma:0000000000000000 mapping:ffff888076fc0410 index:5
file:bus fault:xfs_filemap_fault mmap:xfs_file_mmap read_folio:xfs_vm_read_folio
CPU: 1 PID: 5455 Comm: syz-executor.0 Not tainted 6.5.0-syzkaller-13150-g535a265d7f0d-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
 print_bad_pte+0x581/0x5c0 mm/memory.c:535
 zap_pte_range mm/memory.c:1458 [inline]
 zap_pmd_range mm/memory.c:1573 [inline]
 zap_pud_range mm/memory.c:1602 [inline]
 zap_p4d_range mm/memory.c:1623 [inline]
 unmap_page_range+0x1a76/0x3300 mm/memory.c:1644
 unmap_vmas+0x209/0x3a0 mm/memory.c:1731
 exit_mmap+0x297/0xc50 mm/mmap.c:3210
 __mmput+0x115/0x3c0 kernel/fork.c:1349
 exit_mm+0x21f/0x300 kernel/exit.c:567
 do_exit+0x612/0x2290 kernel/exit.c:861
 do_group_exit+0x206/0x2c0 kernel/exit.c:1024
 get_signal+0x175d/0x1840 kernel/signal.c:2892
 arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:309
 exit_to_user_mode_loop+0x6a/0x100 kernel/entry/common.c:168
 exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:204
 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
 syscall_exit_to_user_mode+0x64/0x280 kernel/entry/common.c:296
 do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f6cb8c7cae9
Code: Unable to access opcode bytes at 0x7f6cb8c7cabf.
RSP: 002b:00007f6cb9a470c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000148
RAX: ffffffffffffffe5 RBX: 00007f6cb8d9bf80 RCX: 00007f6cb8c7cae9
RDX: 0000000000000002 RSI: 0000000020000300 RDI: 0000000000000007
RBP: 00007f6cb8cc847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000008800000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f6cb8d9bf80 R15: 00007ffdc7779988
 </TASK>
BUG: Bad page map in process syz-executor.0  pte:fffff9a4fd120 pmd:27564067
page:ffffea000196c080 refcount:9 mapcount:-1 mapping:ffff888076fc0410 index:0x2 pfn:0x65b02
head:ffffea000196c000 order:2 entire_mapcount:0 nr_pages_mapped:8388606 pincount:0
memcg:ffff888021424000
aops:xfs_address_space_operations ino:244a dentry name:"bus"
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000000 ffffea000196c001 ffffea000196c090 ffffea000196c090
raw: 0000000000000001 0000000000000000 00000000fffffffe 0000000000000000
head: 00fff0000000816c ffffea0001a0bbc8 ffff88802087a030 ffff888076fc0410
head: 0000000000000000 ffff88801c0ae900 00000009ffffffff ffff888021424000
page dumped because: bad pte
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Movable, gfp_mask 0x152c4a(GFP_NOFS|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 5455, tgid 5454 (syz-executor.0), ts 80410050199, free_ts 55464708323
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
 prep_new_page mm/page_alloc.c:1543 [inline]
 get_page_from_freelist+0x31db/0x3360 mm/page_alloc.c:3170
 __alloc_pages+0x255/0x670 mm/page_alloc.c:4426
 folio_alloc+0x1e/0x60 mm/mempolicy.c:2308
 filemap_alloc_folio+0xde/0x500 mm/filemap.c:976
 ra_alloc_folio mm/readahead.c:468 [inline]
 page_cache_ra_order+0x423/0xcc0 mm/readahead.c:524
 do_sync_mmap_readahead+0x444/0x850
 filemap_fault+0x7d3/0x1710 mm/filemap.c:3291
 __xfs_filemap_fault+0x286/0x960 fs/xfs/xfs_file.c:1354
 __do_fault+0x133/0x4e0 mm/memory.c:4204
 do_read_fault mm/memory.c:4568 [inline]
 do_fault mm/memory.c:4705 [inline]
 do_pte_missing mm/memory.c:3669 [inline]
 handle_pte_fault mm/memory.c:4978 [inline]
 __handle_mm_fault mm/memory.c:5119 [inline]
 handle_mm_fault+0x48d2/0x6200 mm/memory.c:5284
 faultin_page mm/gup.c:956 [inline]
 __get_user_pages+0x6bd/0x15e0 mm/gup.c:1239
 __get_user_pages_locked mm/gup.c:1504 [inline]
 get_dump_page+0x146/0x2b0 mm/gup.c:2018
 dump_user_range+0x126/0x910 fs/coredump.c:913
 elf_core_dump+0x3b75/0x4490 fs/binfmt_elf.c:2142
 do_coredump+0x1b73/0x2ab0 fs/coredump.c:764
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1136 [inline]
 free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
 free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
 release_pages+0x642/0x23f0 mm/swap.c:1008
 tlb_batch_pages_flush mm/mmu_gather.c:98 [inline]
 tlb_flush_mmu_free mm/mmu_gather.c:293 [inline]
 tlb_flush_mmu+0x34c/0x4e0 mm/mmu_gather.c:300
 tlb_finish_mmu+0xd4/0x1f0 mm/mmu_gather.c:392
 zap_page_range_single+0x451/0x510 mm/memory.c:1768
 madvise_dontneed_single_vma mm/madvise.c:825 [inline]
 madvise_dontneed_free mm/madvise.c:906 [inline]
 madvise_vma_behavior mm/madvise.c:1045 [inline]
 madvise_walk_vmas mm/madvise.c:1270 [inline]
 do_madvise+0x23f0/0x45d0 mm/madvise.c:1450
 __do_sys_madvise mm/madvise.c:1463 [inline]
 __se_sys_madvise mm/madvise.c:1461 [inline]
 __x64_sys_madvise+0xa5/0xb0 mm/madvise.c:1461
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
addr:0000000020007000 vm_flags:080000d0 anon_vma:0000000000000000 mapping:ffff888076fc0410 index:6
file:bus fault:xfs_filemap_fault mmap:xfs_file_mmap read_folio:xfs_vm_read_folio
CPU: 0 PID: 5455 Comm: syz-executor.0 Tainted: G    B              6.5.0-syzkaller-13150-g535a265d7f0d-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
 print_bad_pte+0x581/0x5c0 mm/memory.c:535
 zap_pte_range mm/memory.c:1458 [inline]
 zap_pmd_range mm/memory.c:1573 [inline]
 zap_pud_range mm/memory.c:1602 [inline]
 zap_p4d_range mm/memory.c:1623 [inline]
 unmap_page_range+0x1a76/0x3300 mm/memory.c:1644
 unmap_vmas+0x209/0x3a0 mm/memory.c:1731
 exit_mmap+0x297/0xc50 mm/mmap.c:3210
 __mmput+0x115/0x3c0 kernel/fork.c:1349
 exit_mm+0x21f/0x300 kernel/exit.c:567
 do_exit+0x612/0x2290 kernel/exit.c:861
 do_group_exit+0x206/0x2c0 kernel/exit.c:1024
 get_signal+0x175d/0x1840 kernel/signal.c:2892
 arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:309
 exit_to_user_mode_loop+0x6a/0x100 kernel/entry/common.c:168
 exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:204
 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
 syscall_exit_to_user_mode+0x64/0x280 kernel/entry/common.c:296
 do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f6cb8c7cae9
Code: Unable to access opcode bytes at 0x7f6cb8c7cabf.
RSP: 002b:00007f6cb9a470c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000148
RAX: ffffffffffffffe5 RBX: 00007f6cb8d9bf80 RCX: 00007f6cb8c7cae9
RDX: 0000000000000002 RSI: 0000000020000300 RDI: 0000000000000007
RBP: 00007f6cb8cc847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000008800000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f6cb8d9bf80 R15: 00007ffdc7779988
 </TASK>
BUG: Bad page map in process syz-executor.0  pte:fffff9a4fe120 pmd:27564067
page:ffffea000196c040 refcount:9 mapcount:-1 mapping:ffff888076fc0410 index:0x1 pfn:0x65b01
head:ffffea000196c000 order:2 entire_mapcount:0 nr_pages_mapped:8388605 pincount:0
memcg:ffff888021424000
aops:xfs_address_space_operations ino:244a dentry name:"bus"
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000202 ffffea000196c001 dead000000000122 fffffffdffffffff
raw: 0000000400000000 0000000000000000 00000000fffffffe 0000000000000000
head: 00fff0000000816c ffffea0001a0bbc8 ffff88802087a030 ffff888076fc0410
head: 0000000000000000 ffff88801c0ae900 00000009ffffffff ffff888021424000
page dumped because: bad pte
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Movable, gfp_mask 0x152c4a(GFP_NOFS|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 5455, tgid 5454 (syz-executor.0), ts 80410050199, free_ts 55464708323
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
 prep_new_page mm/page_alloc.c:1543 [inline]
 get_page_from_freelist+0x31db/0x3360 mm/page_alloc.c:3170
 __alloc_pages+0x255/0x670 mm/page_alloc.c:4426
 folio_alloc+0x1e/0x60 mm/mempolicy.c:2308
 filemap_alloc_folio+0xde/0x500 mm/filemap.c:976
 ra_alloc_folio mm/readahead.c:468 [inline]
 page_cache_ra_order+0x423/0xcc0 mm/readahead.c:524
 do_sync_mmap_readahead+0x444/0x850
 filemap_fault+0x7d3/0x1710 mm/filemap.c:3291
 __xfs_filemap_fault+0x286/0x960 fs/xfs/xfs_file.c:1354
 __do_fault+0x133/0x4e0 mm/memory.c:4204
 do_read_fault mm/memory.c:4568 [inline]
 do_fault mm/memory.c:4705 [inline]
 do_pte_missing mm/memory.c:3669 [inline]
 handle_pte_fault mm/memory.c:4978 [inline]
 __handle_mm_fault mm/memory.c:5119 [inline]
 handle_mm_fault+0x48d2/0x6200 mm/memory.c:5284
 faultin_page mm/gup.c:956 [inline]
 __get_user_pages+0x6bd/0x15e0 mm/gup.c:1239
 __get_user_pages_locked mm/gup.c:1504 [inline]
 get_dump_page+0x146/0x2b0 mm/gup.c:2018
 dump_user_range+0x126/0x910 fs/coredump.c:913
 elf_core_dump+0x3b75/0x4490 fs/binfmt_elf.c:2142
 do_coredump+0x1b73/0x2ab0 fs/coredump.c:764
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1136 [inline]
 free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
 free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
 release_pages+0x642/0x23f0 mm/swap.c:1008
 tlb_batch_pages_flush mm/mmu_gather.c:98 [inline]
 tlb_flush_mmu_free mm/mmu_gather.c:293 [inline]
 tlb_flush_mmu+0x34c/0x4e0 mm/mmu_gather.c:300
 tlb_finish_mmu+0xd4/0x1f0 mm/mmu_gather.c:392
 zap_page_range_single+0x451/0x510 mm/memory.c:1768
 madvise_dontneed_single_vma mm/madvise.c:825 [inline]
 madvise_dontneed_free mm/madvise.c:906 [inline]
 madvise_vma_behavior mm/madvise.c:1045 [inline]
 madvise_walk_vmas mm/madvise.c:1270 [inline]
 do_madvise+0x23f0/0x45d0 mm/madvise.c:1450
 __do_sys_madvise mm/madvise.c:1463 [inline]
 __se_sys_madvise mm/madvise.c:1461 [inline]
 __x64_sys_madvise+0xa5/0xb0 mm/madvise.c:1461
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
addr:0000000020008000 vm_flags:080000d0 anon_vma:0000000000000000 mapping:ffff888076fc0410 index:7
file:bus fault:xfs_filemap_fault mmap:xfs_file_mmap read_folio:xfs_vm_read_folio
CPU: 1 PID: 5455 Comm: syz-executor.0 Tainted: G    B              6.5.0-syzkaller-13150-g535a265d7f0d-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
 print_bad_pte+0x581/0x5c0 mm/memory.c:535
 zap_pte_range mm/memory.c:1458 [inline]
 zap_pmd_range mm/memory.c:1573 [inline]
 zap_pud_range mm/memory.c:1602 [inline]
 zap_p4d_range mm/memory.c:1623 [inline]
 unmap_page_range+0x1a76/0x3300 mm/memory.c:1644
 unmap_vmas+0x209/0x3a0 mm/memory.c:1731
 exit_mmap+0x297/0xc50 mm/mmap.c:3210
 __mmput+0x115/0x3c0 kernel/fork.c:1349
 exit_mm+0x21f/0x300 kernel/exit.c:567
 do_exit+0x612/0x2290 kernel/exit.c:861
 do_group_exit+0x206/0x2c0 kernel/exit.c:1024
 get_signal+0x175d/0x1840 kernel/signal.c:2892
 arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:309
 exit_to_user_mode_loop+0x6a/0x100 kernel/entry/common.c:168
 exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:204
 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
 syscall_exit_to_user_mode+0x64/0x280 kernel/entry/common.c:296
 do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f6cb8c7cae9
Code: Unable to access opcode bytes at 0x7f6cb8c7cabf.
RSP: 002b:00007f6cb9a470c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000148
RAX: ffffffffffffffe5 RBX: 00007f6cb8d9bf80 RCX: 00007f6cb8c7cae9
RDX: 0000000000000002 RSI: 0000000020000300 RDI: 0000000000000007
RBP: 00007f6cb8cc847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000008800000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f6cb8d9bf80 R15: 00007ffdc7779988
 </TASK>


Tested on:

commit:         535a265d Merge tag 'perf-tools-for-v6.6-1-2023-09-05' ..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=10d27178680000
kernel config:  https://syzkaller.appspot.com/x/.config?x=50ac7dadde9e1c0e
dashboard link: https://syzkaller.appspot.com/bug?extid=55cc72f8cc3a549119df
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=15b641dc680000



* Re: [syzbot] [mm?] BUG: Bad page map (7)
       [not found] <20230910060701.6316-1-hdanton@sina.com>
@ 2023-09-10  6:49 ` syzbot
  0 siblings, 0 replies; 29+ messages in thread
From: syzbot @ 2023-09-10  6:49 UTC (permalink / raw)
  To: hdanton, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: Bad page map

BUG: Bad page map in process syz-executor.0  pte:fffff9af08120 pmd:29f05067
page:ffffea0001943dc0 refcount:9 mapcount:-1 mapping:ffff88807726d190 index:0x3 pfn:0x650f7
head:ffffea0001943d00 order:2 entire_mapcount:0 nr_pages_mapped:8388607 pincount:0
memcg:ffff88801fe7a000
aops:xfs_address_space_operations ino:244a dentry name:"bus"
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000000 ffffea0001943d01 dead000000000122 dead000000000400
raw: 0000000000000001 0000000000000000 00000000fffffffe 0000000000000000
head: 00fff0000000816c ffffea0001a3d488 ffff888078c81030 ffff88807726d190
head: 0000000000000000 ffff8880228b4280 00000009ffffffff ffff88801fe7a000
page dumped because: bad pte
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Movable, gfp_mask 0x152c4a(GFP_NOFS|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 5452, tgid 5451 (syz-executor.0), ts 76195790660, free_ts 16216492891
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
 prep_new_page mm/page_alloc.c:1543 [inline]
 get_page_from_freelist+0x31db/0x3360 mm/page_alloc.c:3170
 __alloc_pages+0x255/0x670 mm/page_alloc.c:4426
 folio_alloc+0x1e/0x60 mm/mempolicy.c:2308
 filemap_alloc_folio+0xde/0x500 mm/filemap.c:976
 ra_alloc_folio mm/readahead.c:468 [inline]
 page_cache_ra_order+0x423/0xcc0 mm/readahead.c:524
 do_sync_mmap_readahead+0x444/0x850
 filemap_fault+0x7d3/0x1710 mm/filemap.c:3291
 __xfs_filemap_fault+0x286/0x960 fs/xfs/xfs_file.c:1354
 __do_fault+0x133/0x4e0 mm/memory.c:4204
 do_read_fault mm/memory.c:4568 [inline]
 do_fault mm/memory.c:4705 [inline]
 do_pte_missing mm/memory.c:3669 [inline]
 handle_pte_fault mm/memory.c:4978 [inline]
 __handle_mm_fault mm/memory.c:5119 [inline]
 handle_mm_fault+0x48d2/0x6200 mm/memory.c:5284
 faultin_page mm/gup.c:956 [inline]
 __get_user_pages+0x6bd/0x15e0 mm/gup.c:1239
 __get_user_pages_locked mm/gup.c:1504 [inline]
 get_dump_page+0x146/0x2b0 mm/gup.c:2018
 dump_user_range+0x126/0x910 fs/coredump.c:913
 elf_core_dump+0x3b75/0x4490 fs/binfmt_elf.c:2142
 do_coredump+0x1b73/0x2ab0 fs/coredump.c:764
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1136 [inline]
 free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
 free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
 free_contig_range+0x9e/0x150 mm/page_alloc.c:6342
 destroy_args+0x95/0x7c0 mm/debug_vm_pgtable.c:1028
 debug_vm_pgtable+0x4ac/0x540 mm/debug_vm_pgtable.c:1408
 do_one_initcall+0x23d/0x7d0 init/main.c:1232
 do_initcall_level+0x157/0x210 init/main.c:1294
 do_initcalls+0x3f/0x80 init/main.c:1310
 kernel_init_freeable+0x440/0x5d0 init/main.c:1547
 kernel_init+0x1d/0x2a0 init/main.c:1437
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
addr:0000000020006000 vm_flags:080000d0 anon_vma:0000000000000000 mapping:ffff88807726d190 index:5
file:bus fault:xfs_filemap_fault mmap:xfs_file_mmap read_folio:xfs_vm_read_folio
CPU: 0 PID: 5452 Comm: syz-executor.0 Not tainted 6.5.0-syzkaller-13150-g535a265d7f0d-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
 print_bad_pte+0x581/0x5c0 mm/memory.c:535
 zap_pte_range mm/memory.c:1458 [inline]
 zap_pmd_range mm/memory.c:1573 [inline]
 zap_pud_range mm/memory.c:1602 [inline]
 zap_p4d_range mm/memory.c:1623 [inline]
 unmap_page_range+0x1a76/0x3300 mm/memory.c:1644
 unmap_vmas+0x209/0x3a0 mm/memory.c:1731
 exit_mmap+0x297/0xc50 mm/mmap.c:3210
 __mmput+0x115/0x3c0 kernel/fork.c:1349
 exit_mm+0x21f/0x300 kernel/exit.c:567
 do_exit+0x612/0x2290 kernel/exit.c:861
 do_group_exit+0x206/0x2c0 kernel/exit.c:1024
 get_signal+0x175d/0x1840 kernel/signal.c:2892
 arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:309
 exit_to_user_mode_loop+0x6a/0x100 kernel/entry/common.c:168
 exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:204
 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
 syscall_exit_to_user_mode+0x64/0x280 kernel/entry/common.c:296
 do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f484f27cae9
Code: Unable to access opcode bytes at 0x7f484f27cabf.
RSP: 002b:00007f48500a30c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000148
RAX: ffffffffffffffe5 RBX: 00007f484f39bf80 RCX: 00007f484f27cae9
RDX: 0000000000000002 RSI: 0000000020000300 RDI: 0000000000000007
RBP: 00007f484f2c847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000008800000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f484f39bf80 R15: 00007fff133f0e78
 </TASK>
BUG: Bad page map in process syz-executor.0  pte:fffff9af09120 pmd:29f05067
page:ffffea0001943d80 refcount:9 mapcount:-1 mapping:ffff88807726d190 index:0x2 pfn:0x650f6
head:ffffea0001943d00 order:2 entire_mapcount:0 nr_pages_mapped:8388606 pincount:0
memcg:ffff88801fe7a000
aops:xfs_address_space_operations ino:244a dentry name:"bus"
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000000 ffffea0001943d01 ffffea0001943d90 ffffea0001943d90
raw: 0000000000000001 0000000000000000 00000000fffffffe 0000000000000000
head: 00fff0000000816c ffffea0001a3d488 ffff888078c81030 ffff88807726d190
head: 0000000000000000 ffff8880228b4280 00000009ffffffff ffff88801fe7a000
page dumped because: bad pte
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Movable, gfp_mask 0x152c4a(GFP_NOFS|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 5452, tgid 5451 (syz-executor.0), ts 76195790660, free_ts 16216486903
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
 prep_new_page mm/page_alloc.c:1543 [inline]
 get_page_from_freelist+0x31db/0x3360 mm/page_alloc.c:3170
 __alloc_pages+0x255/0x670 mm/page_alloc.c:4426
 folio_alloc+0x1e/0x60 mm/mempolicy.c:2308
 filemap_alloc_folio+0xde/0x500 mm/filemap.c:976
 ra_alloc_folio mm/readahead.c:468 [inline]
 page_cache_ra_order+0x423/0xcc0 mm/readahead.c:524
 do_sync_mmap_readahead+0x444/0x850
 filemap_fault+0x7d3/0x1710 mm/filemap.c:3291
 __xfs_filemap_fault+0x286/0x960 fs/xfs/xfs_file.c:1354
 __do_fault+0x133/0x4e0 mm/memory.c:4204
 do_read_fault mm/memory.c:4568 [inline]
 do_fault mm/memory.c:4705 [inline]
 do_pte_missing mm/memory.c:3669 [inline]
 handle_pte_fault mm/memory.c:4978 [inline]
 __handle_mm_fault mm/memory.c:5119 [inline]
 handle_mm_fault+0x48d2/0x6200 mm/memory.c:5284
 faultin_page mm/gup.c:956 [inline]
 __get_user_pages+0x6bd/0x15e0 mm/gup.c:1239
 __get_user_pages_locked mm/gup.c:1504 [inline]
 get_dump_page+0x146/0x2b0 mm/gup.c:2018
 dump_user_range+0x126/0x910 fs/coredump.c:913
 elf_core_dump+0x3b75/0x4490 fs/binfmt_elf.c:2142
 do_coredump+0x1b73/0x2ab0 fs/coredump.c:764
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1136 [inline]
 free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
 free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
 free_contig_range+0x9e/0x150 mm/page_alloc.c:6342
 destroy_args+0x95/0x7c0 mm/debug_vm_pgtable.c:1028
 debug_vm_pgtable+0x4ac/0x540 mm/debug_vm_pgtable.c:1408
 do_one_initcall+0x23d/0x7d0 init/main.c:1232
 do_initcall_level+0x157/0x210 init/main.c:1294
 do_initcalls+0x3f/0x80 init/main.c:1310
 kernel_init_freeable+0x440/0x5d0 init/main.c:1547
 kernel_init+0x1d/0x2a0 init/main.c:1437
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
addr:0000000020007000 vm_flags:080000d0 anon_vma:0000000000000000 mapping:ffff88807726d190 index:6
file:bus fault:xfs_filemap_fault mmap:xfs_file_mmap read_folio:xfs_vm_read_folio
CPU: 0 PID: 5452 Comm: syz-executor.0 Tainted: G    B              6.5.0-syzkaller-13150-g535a265d7f0d-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
 print_bad_pte+0x581/0x5c0 mm/memory.c:535
 zap_pte_range mm/memory.c:1458 [inline]
 zap_pmd_range mm/memory.c:1573 [inline]
 zap_pud_range mm/memory.c:1602 [inline]
 zap_p4d_range mm/memory.c:1623 [inline]
 unmap_page_range+0x1a76/0x3300 mm/memory.c:1644
 unmap_vmas+0x209/0x3a0 mm/memory.c:1731
 exit_mmap+0x297/0xc50 mm/mmap.c:3210
 __mmput+0x115/0x3c0 kernel/fork.c:1349
 exit_mm+0x21f/0x300 kernel/exit.c:567
 do_exit+0x612/0x2290 kernel/exit.c:861
 do_group_exit+0x206/0x2c0 kernel/exit.c:1024
 get_signal+0x175d/0x1840 kernel/signal.c:2892
 arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:309
 exit_to_user_mode_loop+0x6a/0x100 kernel/entry/common.c:168
 exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:204
 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
 syscall_exit_to_user_mode+0x64/0x280 kernel/entry/common.c:296
 do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f484f27cae9
Code: Unable to access opcode bytes at 0x7f484f27cabf.
RSP: 002b:00007f48500a30c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000148
RAX: ffffffffffffffe5 RBX: 00007f484f39bf80 RCX: 00007f484f27cae9
RDX: 0000000000000002 RSI: 0000000020000300 RDI: 0000000000000007
RBP: 00007f484f2c847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000008800000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f484f39bf80 R15: 00007fff133f0e78
 </TASK>
BUG: Bad page map in process syz-executor.0  pte:fffff9af0a120 pmd:29f05067
page:ffffea0001943d40 refcount:9 mapcount:-1 mapping:ffff88807726d190 index:0x1 pfn:0x650f5
head:ffffea0001943d00 order:2 entire_mapcount:0 nr_pages_mapped:8388605 pincount:0
memcg:ffff88801fe7a000
aops:xfs_address_space_operations ino:244a dentry name:"bus"
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000202 ffffea0001943d01 dead000000000122 fffffffdffffffff
raw: 0000000400000000 0000000000000000 00000000fffffffe 0000000000000000
head: 00fff0000000816c ffffea0001a3d488 ffff888078c81030 ffff88807726d190
head: 0000000000000000 ffff8880228b4280 00000009ffffffff ffff88801fe7a000
page dumped because: bad pte
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Movable, gfp_mask 0x152c4a(GFP_NOFS|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 5452, tgid 5451 (syz-executor.0), ts 76195790660, free_ts 16216480753
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
 prep_new_page mm/page_alloc.c:1543 [inline]
 get_page_from_freelist+0x31db/0x3360 mm/page_alloc.c:3170
 __alloc_pages+0x255/0x670 mm/page_alloc.c:4426
 folio_alloc+0x1e/0x60 mm/mempolicy.c:2308
 filemap_alloc_folio+0xde/0x500 mm/filemap.c:976
 ra_alloc_folio mm/readahead.c:468 [inline]
 page_cache_ra_order+0x423/0xcc0 mm/readahead.c:524
 do_sync_mmap_readahead+0x444/0x850
 filemap_fault+0x7d3/0x1710 mm/filemap.c:3291
 __xfs_filemap_fault+0x286/0x960 fs/xfs/xfs_file.c:1354
 __do_fault+0x133/0x4e0 mm/memory.c:4204
 do_read_fault mm/memory.c:4568 [inline]
 do_fault mm/memory.c:4705 [inline]
 do_pte_missing mm/memory.c:3669 [inline]
 handle_pte_fault mm/memory.c:4978 [inline]
 __handle_mm_fault mm/memory.c:5119 [inline]
 handle_mm_fault+0x48d2/0x6200 mm/memory.c:5284
 faultin_page mm/gup.c:956 [inline]
 __get_user_pages+0x6bd/0x15e0 mm/gup.c:1239
 __get_user_pages_locked mm/gup.c:1504 [inline]
 get_dump_page+0x146/0x2b0 mm/gup.c:2018
 dump_user_range+0x126/0x910 fs/coredump.c:913
 elf_core_dump+0x3b75/0x4490 fs/binfmt_elf.c:2142
 do_coredump+0x1b73/0x2ab0 fs/coredump.c:764
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1136 [inline]
 free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
 free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
 free_contig_range+0x9e/0x150 mm/page_alloc.c:6342
 destroy_args+0x95/0x7c0 mm/debug_vm_pgtable.c:1028
 debug_vm_pgtable+0x4ac/0x540 mm/debug_vm_pgtable.c:1408
 do_one_initcall+0x23d/0x7d0 init/main.c:1232
 do_initcall_level+0x157/0x210 init/main.c:1294
 do_initcalls+0x3f/0x80 init/main.c:1310
 kernel_init_freeable+0x440/0x5d0 init/main.c:1547
 kernel_init+0x1d/0x2a0 init/main.c:1437
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
addr:0000000020008000 vm_flags:080000d0 anon_vma:0000000000000000 mapping:ffff88807726d190 index:7
file:bus fault:xfs_filemap_fault mmap:xfs_file_mmap read_folio:xfs_vm_read_folio
CPU: 1 PID: 5452 Comm: syz-executor.0 Tainted: G    B              6.5.0-syzkaller-13150-g535a265d7f0d-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
 print_bad_pte+0x581/0x5c0 mm/memory.c:535
 zap_pte_range mm/memory.c:1458 [inline]
 zap_pmd_range mm/memory.c:1573 [inline]
 zap_pud_range mm/memory.c:1602 [inline]
 zap_p4d_range mm/memory.c:1623 [inline]
 unmap_page_range+0x1a76/0x3300 mm/memory.c:1644
 unmap_vmas+0x209/0x3a0 mm/memory.c:1731
 exit_mmap+0x297/0xc50 mm/mmap.c:3210
 __mmput+0x115/0x3c0 kernel/fork.c:1349
 exit_mm+0x21f/0x300 kernel/exit.c:567
 do_exit+0x612/0x2290 kernel/exit.c:861
 do_group_exit+0x206/0x2c0 kernel/exit.c:1024
 get_signal+0x175d/0x1840 kernel/signal.c:2892
 arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:309
 exit_to_user_mode_loop+0x6a/0x100 kernel/entry/common.c:168
 exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:204
 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
 syscall_exit_to_user_mode+0x64/0x280 kernel/entry/common.c:296
 do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f484f27cae9
Code: Unable to access opcode bytes at 0x7f484f27cabf.
RSP: 002b:00007f48500a30c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000148
RAX: ffffffffffffffe5 RBX: 00007f484f39bf80 RCX: 00007f484f27cae9
RDX: 0000000000000002 RSI: 0000000020000300 RDI: 0000000000000007
RBP: 00007f484f2c847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000008800000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f484f39bf80 R15: 00007fff133f0e78
 </TASK>


Tested on:

commit:         535a265d Merge tag 'perf-tools-for-v6.6-1-2023-09-05' ..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=17052190680000
kernel config:  https://syzkaller.appspot.com/x/.config?x=50ac7dadde9e1c0e
dashboard link: https://syzkaller.appspot.com/bug?extid=55cc72f8cc3a549119df
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=11052190680000



* Re: [syzbot] [mm?] BUG: Bad page map (7)
       [not found] <20230910023702.6119-1-hdanton@sina.com>
@ 2023-09-10  2:56 ` syzbot
  0 siblings, 0 replies; 29+ messages in thread
From: syzbot @ 2023-09-10  2:56 UTC (permalink / raw)
  To: hdanton, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: Bad page map

BUG: Bad page map in process syz-executor.0  pte:fffff9a91c120 pmd:7ef9e067
page:ffffea000195b8c0 refcount:9 mapcount:-1 mapping:ffff888075b15190 index:0x3 pfn:0x656e3
head:ffffea000195b800 order:2 entire_mapcount:0 nr_pages_mapped:8388607 pincount:0
memcg:ffff888023d52000
aops:xfs_address_space_operations ino:244a dentry name:"bus"
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000000 ffffea000195b801 dead000000000122 dead000000000400
raw: 0000000000000001 0000000000000000 00000000fffffffe 0000000000000000
head: 00fff0000000816c ffffea0001b3b948 ffff8880142af030 ffff888075b15190
head: 0000000000000000 ffff8880295fbc80 00000009ffffffff ffff888023d52000
page dumped because: bad pte
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Movable, gfp_mask 0x152c4a(GFP_NOFS|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 5456, tgid 5455 (syz-executor.0), ts 78822082874, free_ts 15468294632
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
 prep_new_page mm/page_alloc.c:1543 [inline]
 get_page_from_freelist+0x31db/0x3360 mm/page_alloc.c:3170
 __alloc_pages+0x255/0x670 mm/page_alloc.c:4426
 folio_alloc+0x1e/0x60 mm/mempolicy.c:2308
 filemap_alloc_folio+0xde/0x500 mm/filemap.c:976
 ra_alloc_folio mm/readahead.c:468 [inline]
 page_cache_ra_order+0x423/0xcc0 mm/readahead.c:524
 do_sync_mmap_readahead+0x444/0x850
 filemap_fault+0x7d3/0x1710 mm/filemap.c:3291
 __xfs_filemap_fault+0x286/0x960 fs/xfs/xfs_file.c:1354
 __do_fault+0x133/0x4e0 mm/memory.c:4204
 do_read_fault mm/memory.c:4568 [inline]
 do_fault mm/memory.c:4705 [inline]
 do_pte_missing mm/memory.c:3669 [inline]
 handle_pte_fault mm/memory.c:4978 [inline]
 __handle_mm_fault mm/memory.c:5119 [inline]
 handle_mm_fault+0x48d2/0x6200 mm/memory.c:5284
 faultin_page mm/gup.c:956 [inline]
 __get_user_pages+0x6bd/0x15e0 mm/gup.c:1239
 __get_user_pages_locked mm/gup.c:1504 [inline]
 get_dump_page+0x146/0x2b0 mm/gup.c:2018
 dump_user_range+0x126/0x910 fs/coredump.c:913
 elf_core_dump+0x3b75/0x4490 fs/binfmt_elf.c:2142
 do_coredump+0x1b73/0x2ab0 fs/coredump.c:764
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1136 [inline]
 free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
 free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
 free_contig_range+0x9e/0x150 mm/page_alloc.c:6342
 destroy_args+0x95/0x7c0 mm/debug_vm_pgtable.c:1028
 debug_vm_pgtable+0x4ac/0x540 mm/debug_vm_pgtable.c:1408
 do_one_initcall+0x23d/0x7d0 init/main.c:1232
 do_initcall_level+0x157/0x210 init/main.c:1294
 do_initcalls+0x3f/0x80 init/main.c:1310
 kernel_init_freeable+0x440/0x5d0 init/main.c:1547
 kernel_init+0x1d/0x2a0 init/main.c:1437
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
addr:0000000020006000 vm_flags:080000d0 anon_vma:0000000000000000 mapping:ffff888075b15190 index:5
file:bus fault:xfs_filemap_fault mmap:xfs_file_mmap read_folio:xfs_vm_read_folio
CPU: 0 PID: 5456 Comm: syz-executor.0 Not tainted 6.5.0-syzkaller-12921-ga3c57ab79a06-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
 print_bad_pte+0x581/0x5c0 mm/memory.c:535
 zap_pte_range mm/memory.c:1458 [inline]
 zap_pmd_range mm/memory.c:1573 [inline]
 zap_pud_range mm/memory.c:1602 [inline]
 zap_p4d_range mm/memory.c:1623 [inline]
 unmap_page_range+0x1a76/0x3300 mm/memory.c:1644
 unmap_vmas+0x209/0x3a0 mm/memory.c:1731
 exit_mmap+0x297/0xc50 mm/mmap.c:3210
 __mmput+0x115/0x3c0 kernel/fork.c:1349
 exit_mm+0x21f/0x300 kernel/exit.c:567
 do_exit+0x612/0x2290 kernel/exit.c:861
 do_group_exit+0x206/0x2c0 kernel/exit.c:1024
 get_signal+0x175d/0x1840 kernel/signal.c:2892
 arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:309
 exit_to_user_mode_loop+0x6a/0x100 kernel/entry/common.c:168
 exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:204
 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
 syscall_exit_to_user_mode+0x64/0x280 kernel/entry/common.c:296
 do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f766007cae9
Code: Unable to access opcode bytes at 0x7f766007cabf.
RSP: 002b:00007f7660d270c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000148
RAX: ffffffffffffffe5 RBX: 00007f766019bf80 RCX: 00007f766007cae9
RDX: 0000000000000002 RSI: 0000000020000300 RDI: 0000000000000007
RBP: 00007f76600c847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000008800000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f766019bf80 R15: 00007fff3bbb47b8
 </TASK>
BUG: Bad page map in process syz-executor.0  pte:fffff9a91d120 pmd:7ef9e067
page:ffffea000195b880 refcount:9 mapcount:-1 mapping:ffff888075b15190 index:0x2 pfn:0x656e2
head:ffffea000195b800 order:2 entire_mapcount:0 nr_pages_mapped:8388606 pincount:0
memcg:ffff888023d52000
aops:xfs_address_space_operations ino:244a dentry name:"bus"
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000000 ffffea000195b801 ffffea000195b890 ffffea000195b890
raw: 0000000000000001 0000000000000000 00000000fffffffe 0000000000000000
head: 00fff0000000816c ffffea0001b3b948 ffff8880142af030 ffff888075b15190
head: 0000000000000000 ffff8880295fbc80 00000009ffffffff ffff888023d52000
page dumped because: bad pte
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Movable, gfp_mask 0x152c4a(GFP_NOFS|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 5456, tgid 5455 (syz-executor.0), ts 78822082874, free_ts 15468288757
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
 prep_new_page mm/page_alloc.c:1543 [inline]
 get_page_from_freelist+0x31db/0x3360 mm/page_alloc.c:3170
 __alloc_pages+0x255/0x670 mm/page_alloc.c:4426
 folio_alloc+0x1e/0x60 mm/mempolicy.c:2308
 filemap_alloc_folio+0xde/0x500 mm/filemap.c:976
 ra_alloc_folio mm/readahead.c:468 [inline]
 page_cache_ra_order+0x423/0xcc0 mm/readahead.c:524
 do_sync_mmap_readahead+0x444/0x850
 filemap_fault+0x7d3/0x1710 mm/filemap.c:3291
 __xfs_filemap_fault+0x286/0x960 fs/xfs/xfs_file.c:1354
 __do_fault+0x133/0x4e0 mm/memory.c:4204
 do_read_fault mm/memory.c:4568 [inline]
 do_fault mm/memory.c:4705 [inline]
 do_pte_missing mm/memory.c:3669 [inline]
 handle_pte_fault mm/memory.c:4978 [inline]
 __handle_mm_fault mm/memory.c:5119 [inline]
 handle_mm_fault+0x48d2/0x6200 mm/memory.c:5284
 faultin_page mm/gup.c:956 [inline]
 __get_user_pages+0x6bd/0x15e0 mm/gup.c:1239
 __get_user_pages_locked mm/gup.c:1504 [inline]
 get_dump_page+0x146/0x2b0 mm/gup.c:2018
 dump_user_range+0x126/0x910 fs/coredump.c:913
 elf_core_dump+0x3b75/0x4490 fs/binfmt_elf.c:2142
 do_coredump+0x1b73/0x2ab0 fs/coredump.c:764
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1136 [inline]
 free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
 free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
 free_contig_range+0x9e/0x150 mm/page_alloc.c:6342
 destroy_args+0x95/0x7c0 mm/debug_vm_pgtable.c:1028
 debug_vm_pgtable+0x4ac/0x540 mm/debug_vm_pgtable.c:1408
 do_one_initcall+0x23d/0x7d0 init/main.c:1232
 do_initcall_level+0x157/0x210 init/main.c:1294
 do_initcalls+0x3f/0x80 init/main.c:1310
 kernel_init_freeable+0x440/0x5d0 init/main.c:1547
 kernel_init+0x1d/0x2a0 init/main.c:1437
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
addr:0000000020007000 vm_flags:080000d0 anon_vma:0000000000000000 mapping:ffff888075b15190 index:6
file:bus fault:xfs_filemap_fault mmap:xfs_file_mmap read_folio:xfs_vm_read_folio
CPU: 1 PID: 5456 Comm: syz-executor.0 Tainted: G    B              6.5.0-syzkaller-12921-ga3c57ab79a06-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
 print_bad_pte+0x581/0x5c0 mm/memory.c:535
 zap_pte_range mm/memory.c:1458 [inline]
 zap_pmd_range mm/memory.c:1573 [inline]
 zap_pud_range mm/memory.c:1602 [inline]
 zap_p4d_range mm/memory.c:1623 [inline]
 unmap_page_range+0x1a76/0x3300 mm/memory.c:1644
 unmap_vmas+0x209/0x3a0 mm/memory.c:1731
 exit_mmap+0x297/0xc50 mm/mmap.c:3210
 __mmput+0x115/0x3c0 kernel/fork.c:1349
 exit_mm+0x21f/0x300 kernel/exit.c:567
 do_exit+0x612/0x2290 kernel/exit.c:861
 do_group_exit+0x206/0x2c0 kernel/exit.c:1024
 get_signal+0x175d/0x1840 kernel/signal.c:2892
 arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:309
 exit_to_user_mode_loop+0x6a/0x100 kernel/entry/common.c:168
 exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:204
 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
 syscall_exit_to_user_mode+0x64/0x280 kernel/entry/common.c:296
 do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f766007cae9
Code: Unable to access opcode bytes at 0x7f766007cabf.
RSP: 002b:00007f7660d270c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000148
RAX: ffffffffffffffe5 RBX: 00007f766019bf80 RCX: 00007f766007cae9
RDX: 0000000000000002 RSI: 0000000020000300 RDI: 0000000000000007
RBP: 00007f76600c847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000008800000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f766019bf80 R15: 00007fff3bbb47b8
 </TASK>
BUG: Bad page map in process syz-executor.0  pte:fffff9a91e120 pmd:7ef9e067
page:ffffea000195b840 refcount:9 mapcount:-1 mapping:ffff888075b15190 index:0x1 pfn:0x656e1
head:ffffea000195b800 order:2 entire_mapcount:0 nr_pages_mapped:8388605 pincount:0
memcg:ffff888023d52000
aops:xfs_address_space_operations ino:244a dentry name:"bus"
flags: 0xfff0000000816c(referenced|uptodate|lru|active|private|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000202 ffffea000195b801 dead000000000122 fffffffdffffffff
raw: 0000000400000000 0000000000000000 00000000fffffffe 0000000000000000
head: 00fff0000000816c ffffea0001b3b948 ffff8880142af030 ffff888075b15190
head: 0000000000000000 ffff8880295fbc80 00000009ffffffff ffff888023d52000
page dumped because: bad pte
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Movable, gfp_mask 0x152c4a(GFP_NOFS|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 5456, tgid 5455 (syz-executor.0), ts 78822082874, free_ts 15468282901
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
 prep_new_page mm/page_alloc.c:1543 [inline]
 get_page_from_freelist+0x31db/0x3360 mm/page_alloc.c:3170
 __alloc_pages+0x255/0x670 mm/page_alloc.c:4426
 folio_alloc+0x1e/0x60 mm/mempolicy.c:2308
 filemap_alloc_folio+0xde/0x500 mm/filemap.c:976
 ra_alloc_folio mm/readahead.c:468 [inline]
 page_cache_ra_order+0x423/0xcc0 mm/readahead.c:524
 do_sync_mmap_readahead+0x444/0x850
 filemap_fault+0x7d3/0x1710 mm/filemap.c:3291
 __xfs_filemap_fault+0x286/0x960 fs/xfs/xfs_file.c:1354
 __do_fault+0x133/0x4e0 mm/memory.c:4204
 do_read_fault mm/memory.c:4568 [inline]
 do_fault mm/memory.c:4705 [inline]
 do_pte_missing mm/memory.c:3669 [inline]
 handle_pte_fault mm/memory.c:4978 [inline]
 __handle_mm_fault mm/memory.c:5119 [inline]
 handle_mm_fault+0x48d2/0x6200 mm/memory.c:5284
 faultin_page mm/gup.c:956 [inline]
 __get_user_pages+0x6bd/0x15e0 mm/gup.c:1239
 __get_user_pages_locked mm/gup.c:1504 [inline]
 get_dump_page+0x146/0x2b0 mm/gup.c:2018
 dump_user_range+0x126/0x910 fs/coredump.c:913
 elf_core_dump+0x3b75/0x4490 fs/binfmt_elf.c:2142
 do_coredump+0x1b73/0x2ab0 fs/coredump.c:764
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1136 [inline]
 free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
 free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
 free_contig_range+0x9e/0x150 mm/page_alloc.c:6342
 destroy_args+0x95/0x7c0 mm/debug_vm_pgtable.c:1028
 debug_vm_pgtable+0x4ac/0x540 mm/debug_vm_pgtable.c:1408
 do_one_initcall+0x23d/0x7d0 init/main.c:1232
 do_initcall_level+0x157/0x210 init/main.c:1294
 do_initcalls+0x3f/0x80 init/main.c:1310
 kernel_init_freeable+0x440/0x5d0 init/main.c:1547
 kernel_init+0x1d/0x2a0 init/main.c:1437
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
addr:0000000020008000 vm_flags:080000d0 anon_vma:0000000000000000 mapping:ffff888075b15190 index:7
file:bus fault:xfs_filemap_fault mmap:xfs_file_mmap read_folio:xfs_vm_read_folio
CPU: 0 PID: 5456 Comm: syz-executor.0 Tainted: G    B              6.5.0-syzkaller-12921-ga3c57ab79a06-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
 print_bad_pte+0x581/0x5c0 mm/memory.c:535
 zap_pte_range mm/memory.c:1458 [inline]
 zap_pmd_range mm/memory.c:1573 [inline]
 zap_pud_range mm/memory.c:1602 [inline]
 zap_p4d_range mm/memory.c:1623 [inline]
 unmap_page_range+0x1a76/0x3300 mm/memory.c:1644
 unmap_vmas+0x209/0x3a0 mm/memory.c:1731
 exit_mmap+0x297/0xc50 mm/mmap.c:3210
 __mmput+0x115/0x3c0 kernel/fork.c:1349
 exit_mm+0x21f/0x300 kernel/exit.c:567
 do_exit+0x612/0x2290 kernel/exit.c:861
 do_group_exit+0x206/0x2c0 kernel/exit.c:1024
 get_signal+0x175d/0x1840 kernel/signal.c:2892
 arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:309
 exit_to_user_mode_loop+0x6a/0x100 kernel/entry/common.c:168
 exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:204
 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
 syscall_exit_to_user_mode+0x64/0x280 kernel/entry/common.c:296
 do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f766007cae9
Code: Unable to access opcode bytes at 0x7f766007cabf.
RSP: 002b:00007f7660d270c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000148
RAX: ffffffffffffffe5 RBX: 00007f766019bf80 RCX: 00007f766007cae9
RDX: 0000000000000002 RSI: 0000000020000300 RDI: 0000000000000007
RBP: 00007f76600c847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000008800000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f766019bf80 R15: 00007fff3bbb47b8
 </TASK>


Tested on:

commit:         a3c57ab7 iov_iter: Kunit tests for page extraction
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=1264dfec680000
kernel config:  https://syzkaller.appspot.com/x/.config?x=50ac7dadde9e1c0e
dashboard link: https://syzkaller.appspot.com/bug?extid=55cc72f8cc3a549119df
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=10734fafa80000



* Re: [syzbot] [mm?] BUG: Bad page map (7)
       [not found] <20230910012546.6049-1-hdanton@sina.com>
@ 2023-09-10  1:48 ` syzbot
  0 siblings, 0 replies; 29+ messages in thread
From: syzbot @ 2023-09-10  1:48 UTC (permalink / raw)
  To: hdanton, linux-kernel, syzkaller-bugs

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

6128][    T1] Bluetooth: CMTP socket layer initialized
[   11.167105][    T1] Bluetooth: HIDP (Human Interface Emulation) ver 1.2
[   11.168195][    T1] Bluetooth: HIDP socket layer initialized
[   11.172202][    T1] NET: Registered PF_RXRPC protocol family
[   11.173221][    T1] Key type rxrpc registered
[   11.174103][    T1] Key type rxrpc_s registered
[   11.175373][    T1] NET: Registered PF_KCM protocol family
[   11.177012][    T1] lec:lane_module_init: lec.c: initialized
[   11.178099][    T1] mpoa:atm_mpoa_init: mpc.c: initialized
[   11.179340][    T1] l2tp_core: L2TP core driver, V2.0
[   11.180274][    T1] l2tp_ppp: PPPoL2TP kernel driver, V2.0
[   11.181142][    T1] l2tp_ip: L2TP IP encapsulation support (L2TPv3)
[   11.182523][    T1] l2tp_netlink: L2TP netlink interface
[   11.183484][    T1] l2tp_eth: L2TP ethernet pseudowire support (L2TPv3)
[   11.184413][    T1] l2tp_ip6: L2TP IP encapsulation support for IPv6 (L2TPv3)
[   11.185606][    T1] NET: Registered PF_PHONET protocol family
[   11.186593][    T1] 8021q: 802.1Q VLAN Support v1.8
[   11.200112][    T1] DCCP: Activated CCID 2 (TCP-like)
[   11.201028][    T1] DCCP: Activated CCID 3 (TCP-Friendly Rate Control)
[   11.202450][    T1] DCCP is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list
[   11.204370][    T1] sctp: Hash tables configured (bind 32/56)
[   11.206695][    T1] NET: Registered PF_RDS protocol family
[   11.208580][    T1] Registered RDS/infiniband transport
[   11.209974][    T1] Registered RDS/tcp transport
[   11.210991][    T1] tipc: Activated (version 2.0.0)
[   11.211996][    T1] NET: Registered PF_TIPC protocol family
[   11.213362][    T1] tipc: Started in single node mode
[   11.215000][    T1] NET: Registered PF_SMC protocol family
[   11.216427][    T1] 9pnet: Installing 9P2000 support
[   11.218072][    T1] NET: Registered PF_CAIF protocol family
[   11.224698][    T1] NET: Registered PF_IEEE802154 protocol family
[   11.225896][    T1] Key type dns_resolver registered
[   11.227373][    T1] Key type ceph registered
[   11.228473][    T1] libceph: loaded (mon/osd proto 15/24)
[   11.230827][    T1] batman_adv: B.A.T.M.A.N. advanced 2023.3 (compatibility version 15) loaded
[   11.232604][    T1] openvswitch: Open vSwitch switching datapath
[   11.235717][    T1] NET: Registered PF_VSOCK protocol family
[   11.236769][    T1] mpls_gso: MPLS GSO support
[   11.243298][    T1] start plist test
[   11.247904][    T1] end plist test
[   11.253615][    T1] IPI shorthand broadcast: enabled
[   11.254447][    T1] AVX2 version of gcm_enc/dec engaged.
[   11.255539][    T1] AES CTR mode by8 optimization enabled
[   12.602761][    T1] sched_clock: Marking stable (12570027239, 29094014)->(12607351949, -8230696)
[   12.606252][    T1] registered taskstats version 1
[   12.616134][    T1] Loading compiled-in X.509 certificates
[   12.621456][    T1] Loaded X.509 cert 'Build time autogenerated kernel key: 0fcda5d31b9f9e23b67f9531e962fbe56b39254a'
[   12.627580][    T1] zswap: loaded using pool lzo/zbud
[   12.790353][    T1] debug_vm_pgtable: [debug_vm_pgtable         ]: Validating architecture page table helpers
[   14.931835][    T1] Key type .fscrypt registered
[   14.936714][    T1] Key type fscrypt-provisioning registered
[   14.948499][    T1] kAFS: Red Hat AFS client v0.1 registering.
[   14.968179][    T1] Btrfs loaded, assert=on, ref-verify=on, zoned=yes, fsverity=yes
[   14.976514][    T1] Key type big_key registered
[   14.983726][    T1] Key type encrypted registered
[   14.988784][    T1] ima: No TPM chip found, activating TPM-bypass!
[   14.995300][    T1] Loading compiled-in module X.509 certificates
[   15.004766][    T1] Loaded X.509 cert 'Build time autogenerated kernel key: 0fcda5d31b9f9e23b67f9531e962fbe56b39254a'
[   15.015603][    T1] ima: Allocated hash algorithm: sha256
[   15.021319][    T1] ima: No architecture policies found
[   15.026950][    T1] evm: Initialising EVM extended attributes:
[   15.032950][    T1] evm: security.selinux (disabled)
[   15.038150][    T1] evm: security.SMACK64
[   15.042312][    T1] evm: security.SMACK64EXEC
[   15.046787][    T1] evm: security.SMACK64TRANSMUTE
[   15.051729][    T1] evm: security.SMACK64MMAP
[   15.056388][    T1] evm: security.apparmor (disabled)
[   15.062008][    T1] evm: security.ima
[   15.065787][    T1] evm: security.capability
[   15.072963][    T1] evm: HMAC attrs: 0x1
[   15.078819][    T1] PM:   Magic number: 7:6:660
[   15.084338][    T1] block ram13: hash matches
[   15.088945][    T1] tty ptyeb: hash matches
[   15.095332][    T1] printk: console [netcon0] enabled
[   15.100612][    T1] netconsole: network logging started
[   15.106370][    T1] gtp: GTP module loaded (pdp ctx size 104 bytes)
[   15.113617][    T1] rdma_rxe: loaded
[   15.118018][    T1] cfg80211: Loading compiled-in X.509 certificates for regulatory database
[   15.128407][    T1] Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7'
[   15.135560][   T27] platform regulatory.0: Direct firmware load for regulatory.db failed with error -2
[   15.139271][    T1] clk: Disabling unused clocks
[   15.146516][   T27] platform regulatory.0: Falling back to sysfs fallback for: regulatory.db
[   15.149815][    T1] ALSA device list:
[   15.149823][    T1]   #0: Dummy 1
[   15.165921][    T1]   #1: Loopback 1
[   15.169835][    T1]   #2: Virtual MIDI Card 1
[   15.176161][    T1] md: Waiting for all devices to be available before autodetect
[   15.184171][    T1] md: If you don't use raid, use raid=noautodetect
[   15.190736][    T1] md: Autodetecting RAID arrays.
[   15.195704][    T1] md: autorun ...
[   15.199351][    T1] md: ... autorun DONE.
[   15.221012][    T1] EXT4-fs (sda1): mounted filesystem 5941fea2-f5fa-4b4e-b5ef-9af118b27b95 ro with ordered data mode. Quota mode: none.
[   15.233646][    T1] VFS: Mounted root (ext4 filesystem) readonly on device 8:1.
[   15.242842][    T1] devtmpfs: mounted
[   15.334482][    T1] Freeing unused kernel image (initmem) memory: 2888K
[   15.341305][    T1] Write protecting the kernel read-only data: 196608k
[   15.351574][    T1] Freeing unused kernel image (rodata/data gap) memory: 1744K
[   15.456635][    T1] x86/mm: Checked W+X mappings: passed, no W+X pages found.
[   15.470328][    T1] Failed to set sysctl parameter 'max_rcu_stall_to_panic=1': parameter not found
[   15.480231][    T1] Run /sbin/init as init process
[   15.485161][    T1]   with arguments:
[   15.488944][    T1]     /sbin/init
[   15.492542][    T1]   with environment:
[   15.496505][    T1]     HOME=/
[   15.499813][    T1]     TERM=linux
[   15.503335][    T1]     spec_store_bypass_disable=prctl
[   15.508699][    T1]     BOOT_IMAGE=/boot/bzImage
[   15.527423][    T1] ------------[ cut here ]------------
[   15.533025][    T1] kernel BUG at mm/page_table_check.c:121!
[   15.538936][    T1] invalid opcode: 0000 [#1] PREEMPT SMP KASAN
[   15.544990][    T1] CPU: 1 PID: 1 Comm: init Not tainted 6.5.0-syzkaller-12921-ga3c57ab79a06-dirty #0
[   15.554359][    T1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
[   15.564598][    T1] RIP: 0010:page_table_check_set+0x592/0x860
[   15.570694][    T1] Code: ff e8 22 c9 9a ff 48 ff cb e9 5d fd ff ff e8 15 c9 9a ff 48 ff cb 49 89 df e9 dd fd ff ff e8 05 c9 9a ff 0f 0b e8 fe c8 9a ff <0f> 0b e8 f7 c8 9a ff 0f 0b e8 f0 c8 9a ff 0f 0b e8 e9 c8 9a ff 0f
[   15.590306][    T1] RSP: 0000:ffffc90000067738 EFLAGS: 00010293
[   15.596503][    T1] RAX: ffffffff81f2ddf2 RBX: ffff88801aa3cec0 RCX: ffff888015e60000
[   15.604482][    T1] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
[   15.612475][    T1] RBP: 0000000000000001 R08: ffffffff81f2dc65 R09: 1ffff110035479d8
[   15.620471][    T1] R10: dffffc0000000000 R11: ffffed10035479d9 R12: ffff88801aa3ce80
[   15.628441][    T1] R13: 0000000000000020 R14: 1ffffffff23ec5fc R15: 0000000000000000
[   15.636433][    T1] FS:  0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
[   15.645376][    T1] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   15.651953][    T1] CR2: 00007fade5d58d20 CR3: 000000001b89b000 CR4: 00000000003506e0
[   15.659929][    T1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   15.667892][    T1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   15.675879][    T1] Call Trace:
[   15.679152][    T1]  <TASK>
[   15.682078][    T1]  ? __die_body+0x8b/0xe0
[   15.686493][    T1]  ? die+0xa1/0xd0
[   15.690250][    T1]  ? do_trap+0x153/0x380
[   15.694486][    T1]  ? page_table_check_set+0x592/0x860
[   15.699880][    T1]  ? do_error_trap+0x1dc/0x2c0
[   15.704670][    T1]  ? page_table_check_set+0x592/0x860
[   15.710059][    T1]  ? do_int3+0x50/0x50
[   15.714134][    T1]  ? handle_invalid_op+0x34/0x40
[   15.719095][    T1]  ? page_table_check_set+0x592/0x860
[   15.724474][    T1]  ? exc_invalid_op+0x33/0x50
[   15.729226][    T1]  ? asm_exc_invalid_op+0x1a/0x20
[   15.734259][    T1]  ? page_table_check_set+0x405/0x860
[   15.739663][    T1]  ? page_table_check_set+0x592/0x860
[   15.745064][    T1]  ? page_table_check_set+0x592/0x860
[   15.750435][    T1]  ? page_table_check_set+0x592/0x860
[   15.755814][    T1]  __page_table_check_ptes_set+0x220/0x280
[   15.761624][    T1]  ? __page_table_check_pud_clear+0xb0/0xb0
[   15.767533][    T1]  ? folio_add_file_rmap_range+0x55e/0x840
[   15.773354][    T1]  set_pte_range+0x8fa/0x920
[   15.777936][    T1]  ? xas_find+0x339/0xaa0
[   15.782274][    T1]  ? mm_counter_file+0x2c0/0x2c0
[   15.787206][    T1]  ? next_uptodate_folio+0xa5d/0xb10
[   15.792473][    T1]  filemap_map_pages+0xc23/0x1560
[   15.797501][    T1]  ? filemap_read_folio+0x770/0x770
[   15.802683][    T1]  ? __lock_acquire+0x7f70/0x7f70
[   15.807696][    T1]  ? pte_offset_map_nolock+0x137/0x1e0
[   15.813228][    T1]  ? kasan_save_stack+0x4f/0x60
[   15.818073][    T1]  ? __kasan_record_aux_stack+0xad/0xc0
[   15.823601][    T1]  ? call_rcu+0x167/0xa70
[   15.827909][    T1]  ? task_work_run+0x24a/0x300
[   15.832656][    T1]  ? exit_to_user_mode_prepare+0xb1/0x140
[   15.838445][    T1]  ? filemap_read_folio+0x770/0x770
[   15.843648][    T1]  handle_mm_fault+0x47dd/0x6200
[   15.848599][    T1]  ? numa_migrate_prep+0x380/0x380
[   15.853694][    T1]  ? rcu_is_watching+0x15/0xb0
[   15.858436][    T1]  ? rcu_is_watching+0x15/0xb0
[   15.863180][    T1]  ? lock_release+0xbf/0x9d0
[   15.867781][    T1]  ? mtree_range_walk+0x6a0/0x7e0
[   15.872813][    T1]  ? __lock_acquire+0x7f70/0x7f70
[   15.877831][    T1]  ? lock_vma_under_rcu+0x2cf/0x6c0
[   15.883024][    T1]  ? __init_rwsem+0x160/0x160
[   15.887692][    T1]  ? mas_walk+0x224/0x260
[   15.892006][    T1]  ? lock_vma_under_rcu+0x5ab/0x6c0
[   15.897207][    T1]  ? rcu_is_watching+0x15/0xb0
[   15.901978][    T1]  exc_page_fault+0x455/0x860
[   15.906664][    T1]  asm_exc_page_fault+0x26/0x30
[   15.911500][    T1] RIP: 0033:0x7fade5d58d20
[   15.915921][    T1] Code: Unable to access opcode bytes at 0x7fade5d58cf6.
[   15.922916][    T1] RSP: 002b:00007fffac073220 EFLAGS: 00010202
[   15.928965][    T1] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[   15.936940][    T1] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[   15.944904][    T1] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   15.952888][    T1] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   15.960847][    T1] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   15.968987][    T1]  </TASK>
[   15.972178][    T1] Modules linked in:
[   15.976221][    T1] ---[ end trace 0000000000000000 ]---
[   15.981728][    T1] RIP: 0010:page_table_check_set+0x592/0x860
[   15.987742][    T1] Code: ff e8 22 c9 9a ff 48 ff cb e9 5d fd ff ff e8 15 c9 9a ff 48 ff cb 49 89 df e9 dd fd ff ff e8 05 c9 9a ff 0f 0b e8 fe c8 9a ff <0f> 0b e8 f7 c8 9a ff 0f 0b e8 f0 c8 9a ff 0f 0b e8 e9 c8 9a ff 0f
[   16.007555][    T1] RSP: 0000:ffffc90000067738 EFLAGS: 00010293
[   16.013643][    T1] RAX: ffffffff81f2ddf2 RBX: ffff88801aa3cec0 RCX: ffff888015e60000
[   16.021641][    T1] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
[   16.029615][    T1] RBP: 0000000000000001 R08: ffffffff81f2dc65 R09: 1ffff110035479d8
[   16.037570][    T1] R10: dffffc0000000000 R11: ffffed10035479d9 R12: ffff88801aa3ce80
[   16.045595][    T1] R13: 0000000000000020 R14: 1ffffffff23ec5fc R15: 0000000000000000
[   16.053591][    T1] FS:  0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
[   16.062632][    T1] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   16.069231][    T1] CR2: 00007fade5d58cf6 CR3: 000000001b89b000 CR4: 00000000003506e0
[   16.077285][    T1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   16.085270][    T1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   16.093277][    T1] Kernel panic - not syncing: Fatal exception
[   16.099524][    T1] Kernel Offset: disabled
[   16.103871][    T1] Rebooting in 86400 seconds..


syzkaller build log:
go env (err=<nil>)
GO111MODULE="auto"
GOARCH="amd64"
GOBIN=""
GOCACHE="/syzkaller/.cache/go-build"
GOENV="/syzkaller/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/syzkaller/jobs-2/linux/gopath/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/syzkaller/jobs-2/linux/gopath"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.20.1"
GCCGO="gccgo"
GOAMD64="v1"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/syzkaller/jobs-2/linux/gopath/src/github.com/google/syzkaller/go.mod"
GOWORK=""
CGO_CFLAGS="-O2 -g"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-O2 -g"
CGO_FFLAGS="-O2 -g"
CGO_LDFLAGS="-O2 -g"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build283487419=/tmp/go-build -gno-record-gcc-switches"

git status (err=<nil>)
HEAD detached at 8bc9053e8
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:32: run command via tools/syz-env for best compatibility, see:
Makefile:33: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=8bc9053e88dacf57f5ce550da040d31895eb9626 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20230904-115818'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=8bc9053e88dacf57f5ce550da040d31895eb9626 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20230904-115818'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=8bc9053e88dacf57f5ce550da040d31895eb9626 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20230904-115818'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
	-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
	-DHOSTGOOS_linux=1 -DGIT_REVISION=\"8bc9053e88dacf57f5ce550da040d31895eb9626\"


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=14f77e1c680000


Tested on:

commit:         a3c57ab7 iov_iter: Kunit tests for page extraction
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
kernel config:  https://syzkaller.appspot.com/x/.config?x=50ac7dadde9e1c0e
dashboard link: https://syzkaller.appspot.com/bug?extid=55cc72f8cc3a549119df
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=15f413fc680000



Thread overview: 29+ messages
2023-09-09 17:12 [syzbot] [mm?] BUG: Bad page map (7) syzbot
2023-09-10  3:02 ` Matthew Wilcox
2023-09-10  3:29   ` syzbot
2023-09-10  3:40   ` Yin, Fengwei
2023-09-11  7:24   ` Yin Fengwei
2023-09-11  7:32     ` Yin Fengwei
2023-09-11  7:12 ` Yin Fengwei
2023-09-11  7:48   ` syzbot
2023-09-11 13:26   ` Matthew Wilcox
2023-09-11 14:00     ` syzbot
2023-09-11 15:34     ` Dave Hansen
2023-09-11 16:44       ` Matthew Wilcox
2023-09-11 16:55         ` Dave Hansen
2023-09-11 19:12           ` Matthew Wilcox
2023-09-11 20:22             ` Dave Hansen
2023-09-12  4:59               ` Matthew Wilcox
2023-09-12 16:07                 ` Dave Hansen
2023-09-12 18:01                 ` Dave Hansen
2023-09-14  7:33                 ` Yin Fengwei
2023-09-14  8:37                   ` Yin Fengwei
2023-09-19  1:11                   ` Yin Fengwei
2023-09-19 16:11                     ` Dave Hansen
2023-09-20  1:29                       ` Yin Fengwei
2023-09-20  1:47                         ` Matthew Wilcox
     [not found] <20230910012546.6049-1-hdanton@sina.com>
2023-09-10  1:48 ` syzbot
     [not found] <20230910023702.6119-1-hdanton@sina.com>
2023-09-10  2:56 ` syzbot
     [not found] <20230910060701.6316-1-hdanton@sina.com>
2023-09-10  6:49 ` syzbot
     [not found] <20230910114742.6409-1-hdanton@sina.com>
2023-09-10 12:37 ` syzbot
     [not found] <20230912112004.6546-1-hdanton@sina.com>
2023-09-12 11:44 ` syzbot
