bisecting cause commit starting from 00e4db51259a5f936fec1424b884f029479d3981 building syzkaller on bacaf5fa2c2671b5763d7464cd9824ab68a70758 testing commit 00e4db51259a5f936fec1424b884f029479d3981 with gcc (GCC) 8.1.0 kernel signature: 877729de17e10f171359ae7cb3c82c67c378d9c23f7dd6674d092b71465a1d1e all runs: crashed: kernel BUG at mm/khugepaged.c:LINE! testing release v5.8 testing commit bcf876870b95592b52519ed4aafcf9d95999bc9c with gcc (GCC) 8.1.0 kernel signature: a7463636933553af9e74c93837c47f61d88c74bfb5409f3d3afe10330489c9e5 all runs: OK # git bisect start 00e4db51259a5f936fec1424b884f029479d3981 bcf876870b95592b52519ed4aafcf9d95999bc9c Bisecting: 6351 revisions left to test after this (roughly 13 steps) [8186749621ed6b8fc42644c399e8c755a2b6f630] Merge tag 'drm-next-2020-08-06' of git://anongit.freedesktop.org/drm/drm testing commit 8186749621ed6b8fc42644c399e8c755a2b6f630 with gcc (GCC) 8.1.0 kernel signature: 3a7a441936f5a1c96460d68883f8e9e2660337de047ea65f9885963d16093943 all runs: OK # git bisect good 8186749621ed6b8fc42644c399e8c755a2b6f630 Bisecting: 3214 revisions left to test after this (roughly 12 steps) [3f9df56480fc8ce492fc9e988d67bdea884ed15c] Merge tag 'sound-5.9-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound testing commit 3f9df56480fc8ce492fc9e988d67bdea884ed15c with gcc (GCC) 8.1.0 kernel signature: eba982a610fceadf8d00a80b190056b87d6e44c16029cfc02e252a88795d4f46 all runs: OK # git bisect good 3f9df56480fc8ce492fc9e988d67bdea884ed15c Bisecting: 1629 revisions left to test after this (roughly 11 steps) [e51418191f5a741b5f94764798c81bf69dec4806] Merge tag 'for-linus-5.9-rc1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip testing commit e51418191f5a741b5f94764798c81bf69dec4806 with gcc (GCC) 8.1.0 kernel signature: 039253f3f11a9af042e7277b5627ceb308c31308c3c8f0fe99c8f57074999772 all runs: OK # git bisect good e51418191f5a741b5f94764798c81bf69dec4806 Bisecting: 787 revisions left to test after this (roughly 10 steps) [30185b69a2d533c4ba6ca926b8390ce7de495e29] Merge tag 'clk-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux testing commit 30185b69a2d533c4ba6ca926b8390ce7de495e29 with gcc (GCC) 8.1.0 kernel signature: 464b51d238484e6b2dcec2d8241ad053d23029d881fac5aaf70497aa648bba4e all runs: crashed: kernel BUG at mm/khugepaged.c:LINE! # git bisect bad 30185b69a2d533c4ba6ca926b8390ce7de495e29 Bisecting: 479 revisions left to test after this (roughly 9 steps) [75dee3b6de4ce31464ffb827b81ddb5414599159] Merge tag 'mailbox-v5.9' of git://git.linaro.org/landing-teams/working/fujitsu/integration testing commit 75dee3b6de4ce31464ffb827b81ddb5414599159 with gcc (GCC) 8.1.0 kernel signature: 0f61d616a82078a1bd9ba004dba04e56a2f6b6e84a0085d42c1e60d2661f8a79 all runs: crashed: kernel BUG at mm/khugepaged.c:LINE! # git bisect bad 75dee3b6de4ce31464ffb827b81ddb5414599159 Bisecting: 199 revisions left to test after this (roughly 8 steps) [912c05720f00d039103d356a59c37dc7c3995e01] mm: vmscan: consistent update to pgrefill testing commit 912c05720f00d039103d356a59c37dc7c3995e01 with gcc (GCC) 8.1.0 kernel signature: d1d11f294026d7986736086da447eaee18720f8c489ee77302c1747a17ee0341 all runs: crashed: kernel BUG at mm/khugepaged.c:LINE! # git bisect bad 912c05720f00d039103d356a59c37dc7c3995e01 Bisecting: 80 revisions left to test after this (roughly 6 steps) [849504809f86ef43b0b12617c0a71b6c6e61cd78] mm: memcg/slab: remove unused argument by charge_slab_page() testing commit 849504809f86ef43b0b12617c0a71b6c6e61cd78 with gcc (GCC) 8.1.0 kernel signature: 6fdf98cea00148c800e3cb1022305ff161ef4e721087f5d4a0d6234a29b48f7a all runs: OK # git bisect good 849504809f86ef43b0b12617c0a71b6c6e61cd78 Bisecting: 40 revisions left to test after this (roughly 5 steps) [5dd7864094033a281aeffccaf9703468cbcfccfc] mm/vmalloc: simplify merge_or_add_vmap_area() testing commit 5dd7864094033a281aeffccaf9703468cbcfccfc with gcc (GCC) 8.1.0 kernel signature: a4c26f426b173d5970c326d21ad8cb9ca86af78192664e24495d99127ee3838a all runs: OK # git bisect good 5dd7864094033a281aeffccaf9703468cbcfccfc Bisecting: 20 revisions left to test after this (roughly 4 steps) [f27ce0e14088b23f8d54ae4a44f70307ec420e64] page_alloc: consider highatomic reserve in watermark fast testing commit f27ce0e14088b23f8d54ae4a44f70307ec420e64 with gcc (GCC) 8.1.0 kernel signature: 80ba5c82885771a6f91e5f327bce49821e7509d78dd701b11b8e2d1ca9c6f9f0 all runs: OK # git bisect good f27ce0e14088b23f8d54ae4a44f70307ec420e64 Bisecting: 10 revisions left to test after this (roughly 3 steps) [9e15afa5a87a3bf969a3b33c3dadfb8b46df42c0] mm/page_alloc: silence a KASAN false positive testing commit 9e15afa5a87a3bf969a3b33c3dadfb8b46df42c0 with gcc (GCC) 8.1.0 kernel signature: 20666cb99bb1097274ce7e27d64ffecb5af3e05504825c18dd75c192d40531ed all runs: OK # git bisect good 9e15afa5a87a3bf969a3b33c3dadfb8b46df42c0 Bisecting: 5 revisions left to test after this (roughly 3 steps) [75802ca66354a39ab8e35822747cd08b3384a99a] mm/hugetlb: fix calculation of adjust_range_if_pmd_sharing_possible testing commit 75802ca66354a39ab8e35822747cd08b3384a99a with gcc (GCC) 8.1.0 kernel signature: de0b8c030fa87df9a94c2fa943ed92859ab09774395c4de4fdb01baffe5d2287 all runs: OK # git bisect good 75802ca66354a39ab8e35822747cd08b3384a99a Bisecting: 2 revisions left to test after this (roughly 2 steps) [18e77600f7a1ed69f8ce46c9e11cad0985712dfa] khugepaged: retract_page_tables() remember to test exit testing commit 18e77600f7a1ed69f8ce46c9e11cad0985712dfa with gcc (GCC) 8.1.0 kernel signature: e408e0048ad1da0b7e0f9d1a2c6dbb674b54a34ca541b7da3731825867932fea all runs: OK # git bisect good 18e77600f7a1ed69f8ce46c9e11cad0985712dfa Bisecting: 0 revisions left to test after this (roughly 1 step) [238c30468f46b16d7c22df175da11109346e769c] mm/vmscan.c: fix typo testing commit 238c30468f46b16d7c22df175da11109346e769c with gcc (GCC) 8.1.0 kernel signature: bf7ef70c8046bd5c9f8bab66fcb0ee8a8e484c81a67fe31a95d6bac5f6df6950 all runs: crashed: kernel BUG at mm/khugepaged.c:LINE! # git bisect bad 238c30468f46b16d7c22df175da11109346e769c Bisecting: 0 revisions left to test after this (roughly 0 steps) [bbe98f9cadff58cdd6a4acaeba0efa8565dabe65] khugepaged: khugepaged_test_exit() check mmget_still_valid() testing commit bbe98f9cadff58cdd6a4acaeba0efa8565dabe65 with gcc (GCC) 8.1.0 kernel signature: c1f38fc9f72e47e54b8da9e5d09367420b1d9f4e9ee9bc01d0884a3cd5eed708 all runs: crashed: kernel BUG at mm/khugepaged.c:LINE! # git bisect bad bbe98f9cadff58cdd6a4acaeba0efa8565dabe65 bbe98f9cadff58cdd6a4acaeba0efa8565dabe65 is the first bad commit commit bbe98f9cadff58cdd6a4acaeba0efa8565dabe65 Author: Hugh Dickins Date: Thu Aug 6 23:26:25 2020 -0700 khugepaged: khugepaged_test_exit() check mmget_still_valid() Move collapse_huge_page()'s mmget_still_valid() check into khugepaged_test_exit() itself. collapse_huge_page() is used for anon THP only, and earned its mmget_still_valid() check because it inserts a huge pmd entry in place of the page table's pmd entry; whereas collapse_file()'s retract_page_tables() or collapse_pte_mapped_thp() merely clears the page table's pmd entry. But core dumping without mmap lock must have been as open to mistaking a racily cleared pmd entry for a page table at physical page 0, as exit_mmap() was. And we certainly have no interest in mapping as a THP once dumping core. Fixes: 59ea6d06cfa9 ("coredump: fix race condition between collapse_huge_page() and core dumping") Signed-off-by: Hugh Dickins Signed-off-by: Andrew Morton Cc: Andrea Arcangeli Cc: Song Liu Cc: Mike Kravetz Cc: Kirill A. Shutemov Cc: [4.8+] Link: http://lkml.kernel.org/r/alpine.LSU.2.11.2008021217020.27773@eggly.anvils Signed-off-by: Linus Torvalds mm/khugepaged.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) culprit signature: c1f38fc9f72e47e54b8da9e5d09367420b1d9f4e9ee9bc01d0884a3cd5eed708 parent signature: e408e0048ad1da0b7e0f9d1a2c6dbb674b54a34ca541b7da3731825867932fea revisions tested: 16, total time: 3h35m45.581805841s (build: 1h17m2.875826136s, test: 2h17m20.081139382s) first bad commit: bbe98f9cadff58cdd6a4acaeba0efa8565dabe65 khugepaged: khugepaged_test_exit() check mmget_still_valid() recipients (to): ["akpm@linux-foundation.org" "hughd@google.com" "torvalds@linux-foundation.org"] recipients (cc): [] crash: kernel BUG at mm/khugepaged.c:LINE! arg_start 7ffd51068e9d arg_end 7ffd51068eb2 env_start 7ffd51068eb2 env_end 7ffd51068fe3 binfmt ffffffff84330b00 flags cd core_state ffffc90002873d60 ioctx_table 0000000000000000 owner ffff88801bf024c0 exe_file ffff888122a5f000 ------------[ cut here ]------------ kernel BUG at mm/khugepaged.c:469! invalid opcode: 0000 [#1] PREEMPT SMP CPU: 0 PID: 20576 Comm: syz-executor.2 Not tainted 5.8.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:__khugepaged_enter+0x53/0x180 mm/khugepaged.c:469 Code: e8 82 74 fe ff 48 85 c0 48 89 c5 0f 84 de 00 00 00 8b 43 5c 85 c0 74 0a 48 83 bb 40 05 00 00 00 74 0a 48 89 df e8 cc da f8 ff <0f> 0b f0 48 0f ba ab 38 05 00 00 11 0f 82 f6 00 00 00 48 c7 c7 20 RSP: 0018:ffffc9000277fda8 EFLAGS: 00010286 RAX: 0000000000000367 RBX: ffff88801be5d940 RCX: 0000000000000001 RDX: 0000000000000000 RSI: ffffffff84015cd9 RDI: 00000000ffffffff RBP: ffff888020968230 R08: 0000000000000001 R09: 0000000000000001 R10: 0000000000000000 R11: d2883403418fb411 R12: ffff88801be5d940 R13: fff0000000000fff R14: 0000000000000001 R15: fff000003fffffff FS: 0000000002960940(0000) GS:ffff88812c000000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000217ca58 CR3: 000000001beed000 CR4: 00000000001506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: khugepaged_enter include/linux/khugepaged.h:62 [inline] do_huge_pmd_anonymous_page+0x589/0x850 mm/huge_memory.c:727 create_huge_pmd mm/memory.c:4110 [inline] __handle_mm_fault mm/memory.c:4331 [inline] handle_mm_fault+0x12dc/0x1700 mm/memory.c:4397 do_user_addr_fault arch/x86/mm/fault.c:1294 [inline] handle_page_fault arch/x86/mm/fault.c:1364 [inline] exc_page_fault+0x359/0x780 arch/x86/mm/fault.c:1417 asm_exc_page_fault+0x1e/0x30 arch/x86/include/asm/idtentry.h:538 RIP: 0033:0x4440b1 Code: 8d 15 93 82 0d 00 8b 0c 8a 8b 04 82 29 c8 c3 66 2e 0f 1f 84 00 00 00 00 00 48 83 fa 20 48 89 f8 73 77 f6 c2 01 74 0b 0f b6 0e <88> 0f 48 ff c6 48 ff c7 f6 c2 02 74 12 0f b7 0e 66 89 0f 48 83 c6 RSP: 002b:00007ffd51066cc8 EFLAGS: 00010202 RAX: 0000000020001240 RBX: 0000000000000000 RCX: 0000000000000054 RDX: 0000000000000007 RSI: 00000000011900b0 RDI: 0000000020001240 RBP: 0000000001190090 R08: 0000000000000000 R09: 0000000000000000 R10: 00007ffd51066db0 R11: 0000000000000246 R12: 0000000001190098 R13: 000000000004aaba R14: fffffffffffffffe R15: 000000000118bf2c Modules linked in: ---[ end trace 5b084f3fb7e90065 ]--- RIP: 0010:__khugepaged_enter+0x53/0x180 mm/khugepaged.c:469 Code: e8 82 74 fe ff 48 85 c0 48 89 c5 0f 84 de 00 00 00 8b 43 5c 85 c0 74 0a 48 83 bb 40 05 00 00 00 74 0a 48 89 df e8 cc da f8 ff <0f> 0b f0 48 0f ba ab 38 05 00 00 11 0f 82 f6 00 00 00 48 c7 c7 20 RSP: 0018:ffffc9000277fda8 EFLAGS: 00010286 RAX: 0000000000000367 RBX: ffff88801be5d940 RCX: 0000000000000001 RDX: 0000000000000000 RSI: ffffffff84015cd9 RDI: 00000000ffffffff RBP: ffff888020968230 R08: 0000000000000001 R09: 0000000000000001 R10: 0000000000000000 R11: d2883403418fb411 R12: ffff88801be5d940 R13: fff0000000000fff R14: 0000000000000001 R15: fff000003fffffff FS: 0000000002960940(0000) GS:ffff88812c000000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000217ca58 CR3: 000000001beed000 CR4: 00000000001506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400