Re: [syzbot] [mm?] WARNING in __page_table_check_ptes_set (3)
From: syzbot
Date: Wed May 27 2026 - 13:36:31 EST

syzbot has found a reproducer for the following issue on:

HEAD commit: 4b4362973b6f Merge branch 'for-next/core' into for-kernelci
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=13c4d67e580000
kernel config: https://syzkaller.appspot.com/x/.config?x=f52fb4a6d220c448
dashboard link: https://syzkaller.appspot.com/bug?extid=18d274a59b87cf80e86d
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15aab6ec580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1789c6ec580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/cdc9dd8cab69/disk-4b436297.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/6bb74747f86d/vmlinux-4b436297.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a20d7153214f/Image-4b436297.gz.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+18d274a59b87cf80e86d@xxxxxxxxxxxxxxxxxxxxxxxxx

------------[ cut here ]------------
WARNING: mm/page_table_check.c:191 at page_table_check_pte_flags mm/page_table_check.c:191 [inline], CPU#0: syz.0.17/4918
WARNING: mm/page_table_check.c:191 at __page_table_check_ptes_set+0x24c/0x254 mm/page_table_check.c:207, CPU#0: syz.0.17/4918
Modules linked in:
CPU: 0 UID: 0 PID: 4918 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
pstate: 83400005 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
pc : page_table_check_pte_flags mm/page_table_check.c:191 [inline]
pc : __page_table_check_ptes_set+0x24c/0x254 mm/page_table_check.c:207
lr : page_table_check_pte_flags mm/page_table_check.c:191 [inline]
lr : __page_table_check_ptes_set+0x24c/0x254 mm/page_table_check.c:207
sp : ffff800099487420
x29: ffff800099487430 x28: 1ffff00013290efb x27: fffffdffc3a3b640
x26: ffff8000994877d8 x25: 04a8000128ed9f43 x24: 0408000000000000
x23: 0408000000000000 x22: ffff0000dd901f80 x21: ffff0000d0bc0ff0
x20: 0000000000000001 x19: 04a8000128ed9f43 x18: 00000000ffffffff
x17: ffff80008a186c80 x16: ffff80008a4a3638 x15: ffff0000c4c80b50
x14: ffff0000c4c80b30 x13: 0000000000000001 x12: 0000000000000000
x11: 0000000000000000 x10: 0000000000ff0100 x9 : 0000000000000001
x8 : 0000000000000000 x7 : ffff800080af57c0 x6 : 0000000000000000
x5 : 0000000000000030 x4 : 0000000000000001 x3 : ffff800080c10240
x2 : 0408000000000000 x1 : ffff0000c4c80000 x0 : 0000000000000000
Call trace:
page_table_check_pte_flags mm/page_table_check.c:191 [inline] (P)
__page_table_check_ptes_set+0x24c/0x254 mm/page_table_check.c:207 (P)
page_table_check_ptes_set include/linux/page_table_check.h:83 [inline]
__set_ptes_anysz+0x4dc/0x51c arch/arm64/include/asm/pgtable.h:681
__set_ptes arch/arm64/include/asm/pgtable.h:714 [inline]
set_ptes arch/arm64/include/asm/pgtable.h:1782 [inline]
do_swap_page+0x2464/0x4348 mm/memory.c:5128
handle_pte_fault mm/memory.c:6414 [inline]
__handle_mm_fault mm/memory.c:6549 [inline]
handle_mm_fault+0xd80/0x245c mm/memory.c:6718
faultin_page mm/gup.c:1126 [inline]
__get_user_pages+0x678/0x20f0 mm/gup.c:1428
populate_vma_page_range+0x260/0x358 mm/gup.c:1860
__mm_populate+0x200/0x324 mm/gup.c:1963
do_mlock+0x52c/0x630 mm/mlock.c:659
__do_sys_mlock mm/mlock.c:667 [inline]
__se_sys_mlock mm/mlock.c:665 [inline]
__arm64_sys_mlock+0x60/0x78 mm/mlock.c:665
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x244 arch/arm64/kernel/syscall.c:49
el0_svc_common+0xe8/0x23c arch/arm64/kernel/syscall.c:121
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:140
el0_svc+0x64/0x260 arch/arm64/kernel/entry-common.c:740
el0t_64_sync_handler+0x48/0x148 arch/arm64/kernel/entry-common.c:759
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:594
irq event stamp: 960
hardirqs last enabled at (959): [<ffff8000867c300c>] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:178 [inline]
hardirqs last enabled at (959): [<ffff8000867c300c>] _raw_spin_unlock_irqrestore+0x38/0x98 kernel/locking/spinlock.c:198
hardirqs last disabled at (960): [<ffff80008679e6f8>] el1_brk64+0x20/0x54 arch/arm64/kernel/entry-common.c:429
softirqs last enabled at (156): [<ffff800080137ce0>] local_bh_enable include/linux/bottom_half.h:33 [inline]
softirqs last enabled at (156): [<ffff800080137ce0>] put_cpu_fpsimd_context arch/arm64/kernel/fpsimd.c:251 [inline]
softirqs last enabled at (156): [<ffff800080137ce0>] do_sve_acc+0x22c/0x3b8 arch/arm64/kernel/fpsimd.c:1360
softirqs last disabled at (154): [<ffff800080137bc0>] local_bh_disable include/linux/bottom_half.h:20 [inline]
softirqs last disabled at (154): [<ffff800080137bc0>] get_cpu_fpsimd_context arch/arm64/kernel/fpsimd.c:234 [inline]
softirqs last disabled at (154): [<ffff800080137bc0>] do_sve_acc+0x10c/0x3b8 arch/arm64/kernel/fpsimd.c:1346
---[ end trace 0000000000000000 ]---

---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.