Re: [syzbot] [mm?] general protection fault in zap_huge_pmd

From: Mike Rapoport

Date: Thu Mar 19 2026 - 01:46:08 EST


On Wed, Mar 18, 2026 at 05:26:32PM +0000, Lorenzo Stoakes (Oracle) wrote:
> +cc Mike for uffd, Harry for fix that also resolves this, see below
>
> On Wed, Mar 18, 2026 at 08:03:22AM -0700, syzbot wrote:
> > Hello,
> >
> > syzbot found the following issue on:
> >
> > HEAD commit: b84a0ebe421c Add linux-next specific files for 20260313
>
> For some reason I have to git pull --tags to get this... commit hash locally?
> Strange.
>
> > git tree: linux-next
> > console output: https://syzkaller.appspot.com/x/log.txt?x=119ddd52580000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=e7280ad1f68b2dce
> > dashboard link: https://syzkaller.appspot.com/bug?extid=de14f7701c22477db718
> > compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
> > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=173b44da580000
> > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1537b8da580000
>
> @SYZKALLER guys:
>
> Note: the repro is incorrectly labelling;
>
> // ioctl$UFFDIO_CONTINUE arguments: [
> // fd: fd_uffd (resource)
> // cmd: const = 0xc020aa08 (4 bytes)
>
> as UFFDIO_CONTINUE (0x7), it's actually UFFDIO_POISON (0x8) as you can see
> from least-significant byte.
>
> It's also stating things like mmap flags wrong e.g.:
>
> /*flags=MAP_UNINITIALIZED|MAP_POPULATE|MAP_NORESERVE|MAP_NONBLOCK|MAP_HUGETLB|0x8c4b815a506002b2*/
> 0x8c4b815a5465c2b2ul,

As Andrey Vagin pointed off-list, you can run strace repro and see the
syscall arguments quite nicely :-)

> So Harry's fix resolves this,

and that's the important bit ;-P

> but we should handle this case better in zap_huge_pmd(), I will send a
> patch for that.

> Cheers, Lorenzo

--
Sincerely yours,
Mike.
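The mislabelled ioctl in the repro can be checked mechanically rather than by eye. The following is an added example, not code from this thread, from syzkaller or from the kernel: it decodes a request number using the field layout from the kernel's asm-generic/ioctl.h and maps it to the UFFDIO command it actually encodes (the 0xAA magic and the per-command nr values are the ones in include/uapi/linux/userfaultfd.h); `uffdio_name` and `label_matches` are helper names of my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Field layout of an ioctl request number (include/uapi/asm-generic/ioctl.h):
 *   bits  0..7   nr    (command number within the driver)
 *   bits  8..15  type  (driver "magic" byte)
 *   bits 16..29  size  (size of the argument struct)
 *   bits 30..31  dir   (0 none, 1 write, 2 read, 3 read+write) */
static unsigned ioc_nr(uint32_t cmd)   { return cmd & 0xffu; }
static unsigned ioc_type(uint32_t cmd) { return (cmd >> 8) & 0xffu; }
static unsigned ioc_size(uint32_t cmd) { return (cmd >> 16) & 0x3fffu; }
static unsigned ioc_dir(uint32_t cmd)  { return (cmd >> 30) & 0x3u; }

/* Magic byte and per-command nr values from include/uapi/linux/userfaultfd.h. */
#define UFFDIO_MAGIC 0xAA
static const char *const uffdio_names[] = {
    [0x00] = "UFFDIO_REGISTER",     [0x01] = "UFFDIO_UNREGISTER",
    [0x02] = "UFFDIO_WAKE",         [0x03] = "UFFDIO_COPY",
    [0x04] = "UFFDIO_ZEROPAGE",     [0x05] = "UFFDIO_MOVE",
    [0x06] = "UFFDIO_WRITEPROTECT", [0x07] = "UFFDIO_CONTINUE",
    [0x08] = "UFFDIO_POISON",
};

/* Name of the UFFDIO command a request number encodes, or NULL when the
 * number is not a userfaultfd ioctl (wrong magic or unknown nr). */
const char *uffdio_name(uint32_t cmd)
{
    unsigned nr = ioc_nr(cmd);
    if (ioc_type(cmd) != UFFDIO_MAGIC ||
        nr >= sizeof(uffdio_names) / sizeof(uffdio_names[0]))
        return NULL;
    return uffdio_names[nr];
}

/* Does the label a repro comment carries agree with the number it passes? */
int label_matches(const char *label, uint32_t cmd)
{
    const char *real = uffdio_name(cmd);
    return real != NULL && strcmp(real, label) == 0;
}

int main(void)
{
    uint32_t cmd = 0xc020aa08u; /* the value from the syzbot repro above */
    printf("0x%08x: dir=%u type=0x%02x size=%u nr=0x%02x -> %s\n", cmd,
           ioc_dir(cmd), ioc_type(cmd), ioc_size(cmd), ioc_nr(cmd),
           uffdio_name(cmd));
    printf("repro label UFFDIO_CONTINUE: %s\n",
           label_matches("UFFDIO_CONTINUE", cmd) ? "ok" : "MISMATCH");
    return 0;
}
```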