bisecting cause commit starting from 8632e9b5645bbc2331d21d892b0d6961c1a08429 building syzkaller on 3f3c557402456696073f79aafa65b4d7fa2b8794 testing commit 8632e9b5645bbc2331d21d892b0d6961c1a08429 with gcc (GCC) 8.1.0 kernel signature: 10ba3e8b5427df3ac3e3ad5313f048dfc66e2e058daea5be973162f675db5237 all runs: crashed: WARNING in __vm_enough_memory testing release v5.6 testing commit 7111951b8d4973bda27ff663f2cf18b663d15b48 with gcc (GCC) 8.1.0 kernel signature: 969c2b7628ad900644cb3f7991a45e2e3ddc00578f8306ee4c8af712fa82f054 all runs: OK # git bisect start 8632e9b5645bbc2331d21d892b0d6961c1a08429 7111951b8d4973bda27ff663f2cf18b663d15b48 Bisecting: 6951 revisions left to test after this (roughly 13 steps) [4646de87d32526ee87b46c2e0130413367fb5362] Merge tag 'mailbox-v5.7' of git://git.linaro.org/landing-teams/working/fujitsu/integration testing commit 4646de87d32526ee87b46c2e0130413367fb5362 with gcc (GCC) 8.1.0 kernel signature: 8f80b0db8fe1857c78c68a91ff28c26016facd144d40dde17265d83f936e5d68 all runs: OK # git bisect good 4646de87d32526ee87b46c2e0130413367fb5362 Bisecting: 3449 revisions left to test after this (roughly 12 steps) [79f51b7b9c4719303f758ae8406c4e5997ed6aa3] Merge tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi testing commit 79f51b7b9c4719303f758ae8406c4e5997ed6aa3 with gcc (GCC) 8.1.0 kernel signature: 318159b9ca1a626204cb2dc3c2dcbe564614f21e60324b84c8550aaacd1332c6 all runs: crashed: WARNING in __vm_enough_memory # git bisect bad 79f51b7b9c4719303f758ae8406c4e5997ed6aa3 Bisecting: 1689 revisions left to test after this (roughly 11 steps) [919dce24701f7b34681a6a1d3ef95c9f6c4fb1cc] Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma testing commit 919dce24701f7b34681a6a1d3ef95c9f6c4fb1cc with gcc (GCC) 8.1.0 kernel signature: cd9d0c5c9c73b24e59177c46afc0165bae7ab744beb6f01596b56fe52911deb2 all runs: OK # git bisect good 919dce24701f7b34681a6a1d3ef95c9f6c4fb1cc Bisecting: 913 revisions left to test after this (roughly 10 steps) [bc3b3f4bfbded031a11c4284106adddbfacd05bb] Merge tag 'pinctrl-v5.7-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl testing commit bc3b3f4bfbded031a11c4284106adddbfacd05bb with gcc (GCC) 8.1.0 kernel signature: 378402ddddb2a9204436d373d7aa063f742abf2cf6f365bba233aeeab589bca7 all runs: crashed: WARNING in __vm_enough_memory # git bisect bad bc3b3f4bfbded031a11c4284106adddbfacd05bb Bisecting: 398 revisions left to test after this (roughly 9 steps) [f14a9532ee30c68a56ff502c382860f674cc180c] Merge tag 'x86-urgent-2020-04-02' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip testing commit f14a9532ee30c68a56ff502c382860f674cc180c with gcc (GCC) 8.1.0 kernel signature: 6aa570e4d6a181bfb571f0152a9e5b957cad03628cf6a59f226c677a4e07f6d6 all runs: crashed: WARNING in __vm_enough_memory # git bisect bad f14a9532ee30c68a56ff502c382860f674cc180c Bisecting: 163 revisions left to test after this (roughly 8 steps) [7be97138e7276c71cc9ad1752dcb502d28f4400d] Merge tag 'xfs-5.7-merge-8' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux testing commit 7be97138e7276c71cc9ad1752dcb502d28f4400d with gcc (GCC) 8.1.0 kernel signature: 3ae3d800f475939a0b8520f36ea5aca5f51d37b01aabbb1b7974473395210d2c all runs: OK # git bisect good 7be97138e7276c71cc9ad1752dcb502d28f4400d Bisecting: 81 revisions left to test after this (roughly 6 steps) [b44437723cbcb5acd64ed25a4938b95fbb9bfccb] mm/vma: move VM_NO_KHUGEPAGED into generic header testing commit b44437723cbcb5acd64ed25a4938b95fbb9bfccb with gcc (GCC) 8.1.0 kernel signature: d86d25112a3b55acf5163d830dddccb94dd20f2869612e160ac5565e374d5724 all runs: OK # git bisect good b44437723cbcb5acd64ed25a4938b95fbb9bfccb Bisecting: 40 revisions left to test after this (roughly 5 steps) [5644e1fbbfe15ad06785502bbfe5751223e5841d] mm/vmscan.c: fix data races using kswapd_classzone_idx testing commit 5644e1fbbfe15ad06785502bbfe5751223e5841d with gcc (GCC) 8.1.0 kernel signature: bd4904ba5c802f2aa02ca0718ed890f69c7790934712fb1d44d1d1088d9bf32c all runs: crashed: WARNING in __vm_enough_memory # git bisect bad 5644e1fbbfe15ad06785502bbfe5751223e5841d Bisecting: 20 revisions left to test after this (roughly 4 steps) [86a76331d94c4cfa72fe1831dbe4b492f66fdb81] mm: clarify a confusing comment for remap_pfn_range() testing commit 86a76331d94c4cfa72fe1831dbe4b492f66fdb81 with gcc (GCC) 8.1.0 kernel signature: 6fd9319a84bfafef5b3db7515d61a72f4f2967f38270cff9041529f7c0aa9956 all runs: OK # git bisect good 86a76331d94c4cfa72fe1831dbe4b492f66fdb81 Bisecting: 10 revisions left to test after this (roughly 3 steps) [8cceeff48f23eede76de995df08cf665182ec8fb] kasan: detect negative size in memory operation function testing commit 8cceeff48f23eede76de995df08cf665182ec8fb with gcc (GCC) 8.1.0 kernel signature: 15cd5da02e73bc1782d2480e9897db48ca3e8ed0c50845e5f49be015b051372f all runs: crashed: WARNING in __vm_enough_memory # git bisect bad 8cceeff48f23eede76de995df08cf665182ec8fb Bisecting: 4 revisions left to test after this (roughly 2 steps) [0c28759ee3c91fa8ae14d7672b781b979be274e1] selftests: add MREMAP_DONTUNMAP selftest testing commit 0c28759ee3c91fa8ae14d7672b781b979be274e1 with gcc (GCC) 8.1.0 kernel signature: 60046770ec8309c183bda6b6a517d14e3757d2b70faf7a642a3914ca09cda062 all runs: crashed: WARNING in __vm_enough_memory # git bisect bad 0c28759ee3c91fa8ae14d7672b781b979be274e1 Bisecting: 2 revisions left to test after this (roughly 1 step) [baceaf1c8b99080ae5274d7262df8b09fa981762] mmap: remove inline of vm_unmapped_area testing commit baceaf1c8b99080ae5274d7262df8b09fa981762 with gcc (GCC) 8.1.0 kernel signature: f89dda38c1d26ca78bcf71a71444577f916411578db2eee4307803a359d152b7 all runs: OK # git bisect good baceaf1c8b99080ae5274d7262df8b09fa981762 Bisecting: 0 revisions left to test after this (roughly 1 step) [e346b3813067d4b17383f975f197a9aa28a3b077] mm/mremap: add MREMAP_DONTUNMAP to mremap() testing commit e346b3813067d4b17383f975f197a9aa28a3b077 with gcc (GCC) 8.1.0 kernel signature: a9c73e770cedc62545ff60e8db1adf27e999c9c0374caebd62780e0ebeb4023d all runs: crashed: WARNING in __vm_enough_memory # git bisect bad e346b3813067d4b17383f975f197a9aa28a3b077 Bisecting: 0 revisions left to test after this (roughly 0 steps) [df529cabb7a2553bbeb7bab725776f62fdcec972] mm: mmap: add trace point of vm_unmapped_area testing commit df529cabb7a2553bbeb7bab725776f62fdcec972 with gcc (GCC) 8.1.0 kernel signature: 1a9798b1f8ad51f0de7d6b7247ff17b3e9e6557281afac2dc776c21003d275ee all runs: OK # git bisect good df529cabb7a2553bbeb7bab725776f62fdcec972 e346b3813067d4b17383f975f197a9aa28a3b077 is the first bad commit commit e346b3813067d4b17383f975f197a9aa28a3b077 Author: Brian Geffon Date: Wed Apr 1 21:09:17 2020 -0700 mm/mremap: add MREMAP_DONTUNMAP to mremap() When remapping an anonymous, private mapping, if MREMAP_DONTUNMAP is set, the source mapping will not be removed. The remap operation will be performed as it would have been normally by moving over the page tables to the new mapping. The old vma will have any locked flags cleared, have no pagetables, and any userfaultfds that were watching that range will continue watching it. For a mapping that is shared or not anonymous, MREMAP_DONTUNMAP will cause the mremap() call to fail. Because MREMAP_DONTUNMAP always results in moving a VMA you MUST use the MREMAP_MAYMOVE flag, it's not possible to resize a VMA while also moving with MREMAP_DONTUNMAP so old_len must always be equal to the new_len otherwise it will return -EINVAL. We hope to use this in Chrome OS where with userfaultfd we could write an anonymous mapping to disk without having to STOP the process or worry about VMA permission changes. This feature also has a use case in Android, Lokesh Gidra has said that "As part of using userfaultfd for GC, We'll have to move the physical pages of the java heap to a separate location. For this purpose mremap will be used. Without the MREMAP_DONTUNMAP flag, when I mremap the java heap, its virtual mapping will be removed as well. Therefore, we'll require performing mmap immediately after. This is not only time consuming but also opens a time window where a native thread may call mmap and reserve the java heap's address range for its own usage. This flag solves the problem." [bgeffon@google.com: v6] Link: http://lkml.kernel.org/r/20200218173221.237674-1-bgeffon@google.com [bgeffon@google.com: v7] Link: http://lkml.kernel.org/r/20200221174248.244748-1-bgeffon@google.com Signed-off-by: Brian Geffon Signed-off-by: Andrew Morton Tested-by: Lokesh Gidra Reviewed-by: Minchan Kim Acked-by: Kirill A. Shutemov Acked-by: Vlastimil Babka Cc: "Michael S . Tsirkin" Cc: Arnd Bergmann Cc: Andy Lutomirski Cc: Will Deacon Cc: Andrea Arcangeli Cc: Sonny Rao Cc: Minchan Kim Cc: Joel Fernandes Cc: Yu Zhao Cc: Jesse Barnes Cc: Nathan Chancellor Cc: Florian Weimer Link: http://lkml.kernel.org/r/20200207201856.46070-1-bgeffon@google.com Signed-off-by: Linus Torvalds include/uapi/linux/mman.h | 5 +-- mm/mremap.c | 90 ++++++++++++++++++++++++++++++++++++----------- 2 files changed, 72 insertions(+), 23 deletions(-) culprit signature: a9c73e770cedc62545ff60e8db1adf27e999c9c0374caebd62780e0ebeb4023d parent signature: 1a9798b1f8ad51f0de7d6b7247ff17b3e9e6557281afac2dc776c21003d275ee revisions tested: 16, total time: 3h19m54.137113319s (build: 1h31m5.89915057s, test: 1h47m45.513843166s) first bad commit: e346b3813067d4b17383f975f197a9aa28a3b077 mm/mremap: add MREMAP_DONTUNMAP to mremap() cc: ["akpm@linux-foundation.org" "bgeffon@google.com" "kirill.shutemov@linux.intel.com" "lokeshgidra@google.com" "minchan@kernel.org" "torvalds@linux-foundation.org" "vbabka@suse.cz"] crash: WARNING in __vm_enough_memory ------------[ cut here ]------------ memory commitment underflow WARNING: CPU: 0 PID: 7327 at mm/util.c:803 __vm_enough_memory+0x26c/0x2e0 mm/util.c:801 Kernel panic - not syncing: panic_on_warn set ... CPU: 0 PID: 7327 Comm: syz-executor.4 Not tainted 5.6.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x128/0x182 lib/dump_stack.c:118 panic+0x22a/0x4e3 kernel/panic.c:221 __warn.cold.10+0x25/0x26 kernel/panic.c:582 report_bug+0x1ad/0x270 lib/bug.c:195 fixup_bug arch/x86/kernel/traps.c:175 [inline] do_error_trap+0x123/0x210 arch/x86/kernel/traps.c:267 do_invalid_op+0x31/0x40 arch/x86/kernel/traps.c:286 invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027 RIP: 0010:__vm_enough_memory+0x26c/0x2e0 mm/util.c:801 Code: ea 02 48 29 d0 e9 3b ff ff ff 80 3d 74 c5 2d 08 00 0f 85 55 fe ff ff 48 c7 c7 e0 79 92 87 c6 05 60 c5 2d 08 01 e8 d0 b2 b3 ff <0f> 0b e9 3b fe ff ff 48 c7 c7 40 22 e4 88 e8 31 50 12 00 e9 54 fe RSP: 0018:ffffc900017f7a70 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffffffff88e42240 RCX: 0000000000000006 RDX: 1ffffffff11a866c RSI: 0000000000000008 RDI: 0000000000000282 RBP: 0000000000000009 R08: 0000000000000001 R09: fffffbfff16a4ba7 R10: fffffbfff16a4ba6 R11: ffffffff8b525d37 R12: ffffffffffffd597 R13: ffff888092d780c0 R14: 0000000000000001 R15: 0000000000000c5b dup_mmap kernel/fork.c:541 [inline] dup_mm+0x5a3/0x1100 kernel/fork.c:1361 copy_mm kernel/fork.c:1417 [inline] copy_process+0x2d20/0x6a80 kernel/fork.c:2082 _do_fork+0xf8/0xc00 kernel/fork.c:2431 __do_sys_clone kernel/fork.c:2586 [inline] __se_sys_clone kernel/fork.c:2567 [inline] __x64_sys_clone+0x168/0x1e0 kernel/fork.c:2567 do_syscall_64+0xc6/0x620 arch/x86/entry/common.c:295 entry_SYSCALL_64_after_hwframe+0x49/0xb3 RIP: 0033:0x45ae5a Code: f7 d8 64 89 04 25 d4 02 00 00 64 4c 8b 0c 25 10 00 00 00 31 d2 4d 8d 91 d0 02 00 00 31 f6 bf 11 00 20 01 b8 38 00 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 f5 00 00 00 85 c0 41 89 c5 0f 85 fc 00 00 RSP: 002b:00007ffe5153ef40 EFLAGS: 00000246 ORIG_RAX: 0000000000000038 RAX: ffffffffffffffda RBX: 00007ffe5153ef40 RCX: 000000000045ae5a RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000001200011 RBP: 00007ffe5153ef80 R08: 0000000000000001 R09: 00000000013b6940 R10: 00000000013b6c10 R11: 0000000000000246 R12: 0000000000000001 R13: 0000000000000000 R14: 0000000000000000 R15: 00007ffe5153efd0 Kernel Offset: disabled Rebooting in 86400 seconds..