bisecting cause commit starting from e31736d9fae841e8a1612f263136454af10f476a building syzkaller on eef6e5808d6507716d331b9eff67fdd991be891a testing commit e31736d9fae841e8a1612f263136454af10f476a with gcc (GCC) 8.1.0 kernel signature: 2f7c4767d863986f70acba411a059acadb793b0a all runs: crashed: WARNING in wp_page_copy testing release v5.4 testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0 kernel signature: 84868fa116a17c18f7ada907b5de8db59343fb96 run #0: basic kernel testing failed: timed out run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect start e31736d9fae841e8a1612f263136454af10f476a 219d54332a09e8d8741c1e1982f5eae56099de85 Bisecting: 6793 revisions left to test after this (roughly 13 steps) [95f1fa9e3418d50ce099e67280b5497b9c93843b] Merge tag 'trace-v5.5' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace testing commit 95f1fa9e3418d50ce099e67280b5497b9c93843b with gcc (GCC) 8.1.0 kernel signature: 8fedfada8731d1a186dc5e65a1931cfcc0e2d98d all runs: crashed: WARNING in wp_page_copy # git bisect bad 95f1fa9e3418d50ce099e67280b5497b9c93843b Bisecting: 3413 revisions left to test after this (roughly 12 steps) [386403a115f95997c2715691226e11a7b5cffcfd] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next testing commit 386403a115f95997c2715691226e11a7b5cffcfd with gcc (GCC) 8.1.0 kernel signature: f12710c65702caf5f9d3f0349c0f3e0c30fe22d5 all runs: crashed: WARNING in wp_page_copy # git bisect bad 386403a115f95997c2715691226e11a7b5cffcfd Bisecting: 1709 revisions left to test after this (roughly 11 steps) [e20c43dbdf960e8a03381aa455ddea56504bdbc4] r8169: change mdelay to msleep in rtl_fw_write_firmware testing commit e20c43dbdf960e8a03381aa455ddea56504bdbc4 with gcc (GCC) 8.1.0 kernel signature: a5ad2795115c37e5de4e5166a574d071d51220a0 all runs: OK # git bisect good e20c43dbdf960e8a03381aa455ddea56504bdbc4 Bisecting: 901 revisions left to test after this (roughly 10 steps) [3f3c8be973af10875cfa1e7b85a535b6ba76b44f] Merge tag 'for-linus-5.5a-rc1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip testing commit 3f3c8be973af10875cfa1e7b85a535b6ba76b44f with gcc (GCC) 8.1.0 kernel signature: 736824216e1d000c78467d8675a2fe727e00765a all runs: crashed: WARNING in wp_page_copy # git bisect bad 3f3c8be973af10875cfa1e7b85a535b6ba76b44f Bisecting: 469 revisions left to test after this (roughly 9 steps) [1b88176b9c72fb4edd5920969aef94c5cd358337] Merge tag 'mtd/for-5.5' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux testing commit 1b88176b9c72fb4edd5920969aef94c5cd358337 with gcc (GCC) 8.1.0 kernel signature: 91abeed15615c395572d533b8a5b0b6ba75ff884 all runs: OK # git bisect good 1b88176b9c72fb4edd5920969aef94c5cd358337 Bisecting: 278 revisions left to test after this (roughly 8 steps) [e25645b181ae67753f9a48e11bb5b34dcf41187d] Merge tag 'linux-kselftest-5.5-rc1-kunit' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest testing commit e25645b181ae67753f9a48e11bb5b34dcf41187d with gcc (GCC) 8.1.0 kernel signature: eaf7e223fb72082b3432fb44c446b98fb9489863 all runs: OK # git bisect good e25645b181ae67753f9a48e11bb5b34dcf41187d Bisecting: 134 revisions left to test after this (roughly 7 steps) [ea1f56fa16ae5f6e67f6ea03836b36c6053d33d1] Merge tag 's390-5.5-1' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux testing commit ea1f56fa16ae5f6e67f6ea03836b36c6053d33d1 with gcc (GCC) 8.1.0 kernel signature: fd87fb51fb9bec3c0f2cfa25d5acbc5933bea5f1 all runs: crashed: WARNING in wp_page_copy # git bisect bad ea1f56fa16ae5f6e67f6ea03836b36c6053d33d1 Bisecting: 47 revisions left to test after this (roughly 6 steps) [6be22809e5c8f286877127e8a24c13c959b9fb4e] Merge branches 'for-next/elf-hwcap-docs', 'for-next/smccc-conduit-cleanup', 'for-next/zone-dma', 'for-next/relax-icc_pmr_el1-sync', 'for-next/double-page-fault', 'for-next/misc', 'for-next/kselftest-arm64-signal' and 'for-next/kaslr-diagnostics' into for-next/core testing commit 6be22809e5c8f286877127e8a24c13c959b9fb4e with gcc (GCC) 8.1.0 kernel signature: f999927c1969b290f1a73c89d60a7c9799acbf0b all runs: crashed: WARNING in wp_page_copy # git bisect bad 6be22809e5c8f286877127e8a24c13c959b9fb4e Bisecting: 48 revisions left to test after this (roughly 6 steps) [51effa6d1153cd67313d183c304cdb49391d9427] Merge branch 'for-next/perf' into for-next/core testing commit 51effa6d1153cd67313d183c304cdb49391d9427 with gcc (GCC) 8.1.0 kernel signature: 2e3f5c13cd1d164099c95abc802b8a511ec7f804 all runs: OK # git bisect good 51effa6d1153cd67313d183c304cdb49391d9427 Bisecting: 36 revisions left to test after this (roughly 5 steps) [3f484ce3750f7a29c3be806e891de99aa5c4ca43] kselftest: arm64: fake_sigreturn_misaligned_sp testing commit 3f484ce3750f7a29c3be806e891de99aa5c4ca43 with gcc (GCC) 8.1.0 kernel signature: c982c5da597a642410cbc879ff04c34132081542 all runs: OK # git bisect good 3f484ce3750f7a29c3be806e891de99aa5c4ca43 Bisecting: 25 revisions left to test after this (roughly 4 steps) [918e1946c8ac2c0473eefc1dc910780178490e95] arm64: kpti: Add NVIDIA's Carmel core to the KPTI whitelist testing commit 918e1946c8ac2c0473eefc1dc910780178490e95 with gcc (GCC) 8.1.0 kernel signature: 70c127ce5c46354cd5d570e6d71c28b17f208a68 all runs: OK # git bisect good 918e1946c8ac2c0473eefc1dc910780178490e95 Bisecting: 17 revisions left to test after this (roughly 4 steps) [bff3b04460a80f425442fe8e5c6ee8c3ebef611f] arm64: mm: reserve CMA and crashkernel in ZONE_DMA32 testing commit bff3b04460a80f425442fe8e5c6ee8c3ebef611f with gcc (GCC) 8.1.0 kernel signature: e33e967f8d989189307bf2b98ceb45a89958a97b all runs: OK # git bisect good bff3b04460a80f425442fe8e5c6ee8c3ebef611f Bisecting: 12 revisions left to test after this (roughly 3 steps) [e6ea46511b1ae8c4491904c79411fcd29139af14] firmware: arm_sdei: use common SMCCC_CONDUIT_* testing commit e6ea46511b1ae8c4491904c79411fcd29139af14 with gcc (GCC) 8.1.0 kernel signature: 7fcce66c7888d667f9ad95bb14e2e3f42606d658 all runs: OK # git bisect good e6ea46511b1ae8c4491904c79411fcd29139af14 Bisecting: 8 revisions left to test after this (roughly 3 steps) [83d116c53058d505ddef051e90ab27f57015b025] mm: fix double page fault on arm64 if PTE_AF is cleared testing commit 83d116c53058d505ddef051e90ab27f57015b025 with gcc (GCC) 8.1.0 kernel signature: bb3b765e39cd1d69a82e5ca2d14baf0d6dc66fd4 all runs: crashed: WARNING in wp_page_copy # git bisect bad 83d116c53058d505ddef051e90ab27f57015b025 Bisecting: 1 revision left to test after this (roughly 1 step) [6af31226d0394691f5562eca0134262bb935fa9c] arm64: mm: implement arch_faults_on_old_pte() on arm64 testing commit 6af31226d0394691f5562eca0134262bb935fa9c with gcc (GCC) 8.1.0 kernel signature: bcfc988442ec811b022d17df411e7b9779500043 all runs: OK # git bisect good 6af31226d0394691f5562eca0134262bb935fa9c Bisecting: 0 revisions left to test after this (roughly 0 steps) [f2c4e5970cece75a895fcc45f0cd66b5a5ec0819] x86/mm: implement arch_faults_on_old_pte() stub on x86 testing commit f2c4e5970cece75a895fcc45f0cd66b5a5ec0819 with gcc (GCC) 8.1.0 kernel signature: a2108e6e6d493d0a537f5e6e2248dcdbbbd081a1 all runs: OK # git bisect good f2c4e5970cece75a895fcc45f0cd66b5a5ec0819 83d116c53058d505ddef051e90ab27f57015b025 is the first bad commit commit 83d116c53058d505ddef051e90ab27f57015b025 Author: Jia He Date: Fri Oct 11 22:09:39 2019 +0800 mm: fix double page fault on arm64 if PTE_AF is cleared When we tested pmdk unit test [1] vmmalloc_fork TEST3 on arm64 guest, there will be a double page fault in __copy_from_user_inatomic of cow_user_page. To reproduce the bug, the cmd is as follows after you deployed everything: make -C src/test/vmmalloc_fork/ TEST_TIME=60m check Below call trace is from arm64 do_page_fault for debugging purpose: [ 110.016195] Call trace: [ 110.016826] do_page_fault+0x5a4/0x690 [ 110.017812] do_mem_abort+0x50/0xb0 [ 110.018726] el1_da+0x20/0xc4 [ 110.019492] __arch_copy_from_user+0x180/0x280 [ 110.020646] do_wp_page+0xb0/0x860 [ 110.021517] __handle_mm_fault+0x994/0x1338 [ 110.022606] handle_mm_fault+0xe8/0x180 [ 110.023584] do_page_fault+0x240/0x690 [ 110.024535] do_mem_abort+0x50/0xb0 [ 110.025423] el0_da+0x20/0x24 The pte info before __copy_from_user_inatomic is (PTE_AF is cleared): [ffff9b007000] pgd=000000023d4f8003, pud=000000023da9b003, pmd=000000023d4b3003, pte=360000298607bd3 As told by Catalin: "On arm64 without hardware Access Flag, copying from user will fail because the pte is old and cannot be marked young. So we always end up with zeroed page after fork() + CoW for pfn mappings. we don't always have a hardware-managed access flag on arm64." This patch fixes it by calling pte_mkyoung. Also, the parameter is changed because vmf should be passed to cow_user_page() Add a WARN_ON_ONCE when __copy_from_user_inatomic() returns error in case there can be some obscure use-case (by Kirill). [1] https://github.com/pmem/pmdk/tree/master/src/test/vmmalloc_fork Signed-off-by: Jia He Reported-by: Yibo Cai Reviewed-by: Catalin Marinas Acked-by: Kirill A. Shutemov Signed-off-by: Catalin Marinas mm/memory.c | 104 +++++++++++++++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 89 insertions(+), 15 deletions(-) culprit signature: bb3b765e39cd1d69a82e5ca2d14baf0d6dc66fd4 parent signature: a2108e6e6d493d0a537f5e6e2248dcdbbbd081a1 revisions tested: 18, total time: 4h16m14.959531657s (build: 1h56m5.394826986s, test: 2h18m12.084426604s) first bad commit: 83d116c53058d505ddef051e90ab27f57015b025 mm: fix double page fault on arm64 if PTE_AF is cleared cc: ["catalin.marinas@arm.com" "justin.he@arm.com" "kirill.shutemov@linux.intel.com"] crash: WARNING in wp_page_copy ------------[ cut here ]------------ WARNING: CPU: 0 PID: 9026 at mm/memory.c:2223 __kunmap_atomic include/linux/highmem.h:102 [inline] WARNING: CPU: 0 PID: 9026 at mm/memory.c:2223 copy_user_highpage include/linux/highmem.h:258 [inline] WARNING: CPU: 0 PID: 9026 at mm/memory.c:2223 cow_user_page mm/memory.c:2174 [inline] WARNING: CPU: 0 PID: 9026 at mm/memory.c:2223 wp_page_copy+0xd66/0x10d0 mm/memory.c:2393 Kernel panic - not syncing: panic_on_warn set ... CPU: 0 PID: 9026 Comm: syz-executor.4 Not tainted 5.4.0-rc3-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x113/0x167 lib/dump_stack.c:113 panic+0x22a/0x4e3 kernel/panic.c:221 __warn.cold.11+0x25/0x30 kernel/panic.c:582 report_bug+0x1b0/0x270 lib/bug.c:195 fixup_bug arch/x86/kernel/traps.c:179 [inline] do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:272 do_invalid_op+0x36/0x40 arch/x86/kernel/traps.c:291 invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1028 RIP: 0010:cow_user_page mm/memory.c:2223 [inline] RIP: 0010:wp_page_copy+0xd66/0x10d0 mm/memory.c:2393 Code: d5 f5 ff ff 3c 03 0f 8f cd f5 ff ff e8 b3 f9 0d 00 e9 c3 f5 ff ff e8 49 32 72 ff e9 da f5 ff ff e8 3f 32 72 ff e9 7e f5 ff ff <0f> 0b 4c 89 ef e8 10 6a 8e 05 eb a1 80 3c 02 00 0f 85 1c 03 00 00 RSP: 0018:ffff88807e1e7690 EFLAGS: 00010206 RAX: 0000000000001000 RBX: ffff88807e1e7918 RCX: 0000000000001000 RDX: 0000000000001000 RSI: 0000000020001000 RDI: ffff8880905d4000 RBP: ffff88807e1e77c0 R08: ffffed10120baa00 R09: 0000000000000000 R10: ffffed10120ba9ff R11: ffff8880905d4fff R12: ffff88809ff3c420 R13: ffff8880905d4000 R14: ffffea0002417500 R15: 0000000000000000 do_wp_page+0x1be/0x1240 mm/memory.c:2702 handle_pte_fault mm/memory.c:3939 [inline] __handle_mm_fault+0x1abc/0x33f0 mm/memory.c:4047 handle_mm_fault+0x2e7/0x810 mm/memory.c:4084 do_user_addr_fault arch/x86/mm/fault.c:1441 [inline] __do_page_fault+0x36e/0xa50 arch/x86/mm/fault.c:1506 do_page_fault+0x2d/0x3c2 arch/x86/mm/fault.c:1530 page_fault+0x39/0x40 arch/x86/entry/entry_64.S:1202 RIP: 0010:copy_user_generic_unrolled+0x89/0xc0 arch/x86/lib/copy_user_64.S:91 Code: 38 4c 89 47 20 4c 89 4f 28 4c 89 57 30 4c 89 5f 38 48 8d 76 40 48 8d 7f 40 ff c9 75 b6 89 d1 83 e2 07 c1 e9 03 74 12 4c 8b 06 <4c> 89 07 48 8d 76 08 48 8d 7f 08 ff c9 75 ee 21 d2 74 10 89 d1 8a RSP: 0018:ffff88807e1e7b90 EFLAGS: 00010206 RAX: 0000000000000001 RBX: 0000000000000018 RCX: 0000000000000003 RDX: 0000000000000000 RSI: ffff88807e1e7c38 RDI: 0000000020001300 RBP: ffff88807e1e7bb8 R08: 0000000000000000 R09: ffffed100fc3cf8a R10: ffffed100fc3cf89 R11: ffff88807e1e7c4f R12: 0000000020001300 R13: ffff88807e1e7c38 R14: ffff88807e052300 R15: ffff8880a0dd2000 copy_to_user include/linux/uaccess.h:152 [inline] xsk_getsockopt+0x293/0x5e0 net/xdp/xsk.c:857 __sys_getsockopt+0x13c/0x2e0 net/socket.c:2129 __do_sys_getsockopt net/socket.c:2144 [inline] __se_sys_getsockopt net/socket.c:2141 [inline] __x64_sys_getsockopt+0xb9/0x150 net/socket.c:2141 do_syscall_64+0xca/0x5d0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x45a909 Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007fbf87bdac78 EFLAGS: 00000246 ORIG_RAX: 0000000000000037 RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 000000000045a909 RDX: 0000000000000007 RSI: 000000000000011b RDI: 000000000000000a RBP: 000000000075bf20 R08: 0000000020000100 R09: 0000000000000000 R10: 0000000020001300 R11: 0000000000000246 R12: 00007fbf87bdb6d4 R13: 00000000004c1ab5 R14: 00000000004d5f60 R15: 00000000ffffffff Kernel Offset: disabled Rebooting in 86400 seconds..