ci starts bisection 2023-04-29 12:21:04.644086972 +0000 UTC m=+54333.206161506
bisecting cause commit starting from 92e815cf07ed24ee1c51b122f24ffcf2964b4b13
building syzkaller on 62df2017e3b1edd786a4c737bd4ccba2b4581d88
ensuring issue is reproducible on original commit 92e815cf07ed24ee1c51b122f24ffcf2964b4b13
testing commit 92e815cf07ed24ee1c51b122f24ffcf2964b4b13
gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: c38504c4fb02d61f22b21e24e6fe61aa3f2b0b172b8c95850e9a468ddbdd0bca
all runs: crashed: WARNING in track_pfn_remap
testing release v6.3
testing commit 457391b0380335d5e9a5babdec90ac53928b23b4
gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 06a25fdabac688ae113052d8848afd670ac032cc4cc41de0c0078c2e87d71c32
all runs: OK
# git bisect start 92e815cf07ed24ee1c51b122f24ffcf2964b4b13 457391b0380335d5e9a5babdec90ac53928b23b4
Bisecting: 6456 revisions left to test after this (roughly 13 steps)
[6e98b09da931a00bf4e0477d0fa52748bf28fcce] Merge tag 'net-next-6.4' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next
testing commit 6e98b09da931a00bf4e0477d0fa52748bf28fcce
gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: ff38cc15b5c409b161222a0e63d8ed023cf401e1665b6dba75ee4f510907d604
all runs: OK
# git bisect good 6e98b09da931a00bf4e0477d0fa52748bf28fcce
Bisecting: 3232 revisions left to test after this (roughly 12 steps)
[af31890c03255a6af4de96cb7215ba20015ed7d5] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc.git
testing commit af31890c03255a6af4de96cb7215ba20015ed7d5
gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 3ab0c4a8f4d76e9a3f2cc69dcdb76a6dde98b7f10db6ff37a6ec34fd1ccd7921
all runs: crashed: WARNING in track_pfn_remap
# git bisect bad af31890c03255a6af4de96cb7215ba20015ed7d5
Bisecting: 1587 revisions left to test after this (roughly 11 steps)
[97b2ff294381d05e59294a931c4db55276470cb5] Merge tag 'staging-6.4-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging
testing commit 97b2ff294381d05e59294a931c4db55276470cb5
gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 0ced709ae9df3f3d2c828e83cefc3d9e7d6f554f599923324b7d97f3543feb81
all runs: OK
# git bisect good 97b2ff294381d05e59294a931c4db55276470cb5
Bisecting: 945 revisions left to test after this (roughly 10 steps)
[91ec4b0d11fe115581ce2835300558802ce55e6c] Merge tag 'mips_6.4' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux
testing commit 91ec4b0d11fe115581ce2835300558802ce55e6c
gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 0e08843c6126f46daed8a96826b9fb9b9ead69f6f6510c45077d40dd98b1749e
all runs: OK
# git bisect good 91ec4b0d11fe115581ce2835300558802ce55e6c
Bisecting: 473 revisions left to test after this (roughly 9 steps)
[04ca3d93155ce54c56ba31bdf86d69029f3b1b56] Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git
testing commit 04ca3d93155ce54c56ba31bdf86d69029f3b1b56
gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 8b44dcf253ca68c9fe2e26d69c5db625656ea00c8e43b7d8e19588b9af68ef2f
all runs: crashed: WARNING in track_pfn_remap
# git bisect bad 04ca3d93155ce54c56ba31bdf86d69029f3b1b56
Bisecting: 235 revisions left to test after this (roughly 8 steps)
[9fad9aee1f267a8ad1f86b87ae70b2c4d6796164] memcg: sleep during flushing stats in safe contexts
testing commit 9fad9aee1f267a8ad1f86b87ae70b2c4d6796164
gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: d8866068c97d31bffc650b1933f0670150f086a9a5b3fcdef554c7d121f16fe3
all runs: OK
# git bisect good 9fad9aee1f267a8ad1f86b87ae70b2c4d6796164
Bisecting: 117 revisions left to test after this (roughly 7 steps)
[4bf4f155bfbc77a12ad2c9e12d9f57718adb9a5c] mm: correct arg in reclaim_pages()/reclaim_clean_pages_from_list()
testing commit 4bf4f155bfbc77a12ad2c9e12d9f57718adb9a5c
gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: a7a4557ab7c1677cc626632b0895d00f8b25a2bbb13e942a56f38ec46ad63a5b
all runs: OK
# git bisect good 4bf4f155bfbc77a12ad2c9e12d9f57718adb9a5c
Bisecting: 67 revisions left to test after this (roughly 6 steps)
[d88f2f72ca89ead8743ee15e547274ba248e7c59] mailmap: add entries for Paul Mackerras
testing commit d88f2f72ca89ead8743ee15e547274ba248e7c59
gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: ee4776707f0ad3b6b0f7fe8849eef2b59dec9fd49c4237bad4349c0b4c938deb
all runs: OK
# git bisect good d88f2f72ca89ead8743ee15e547274ba248e7c59
Bisecting: 41 revisions left to test after this (roughly 5 steps)
[ab5b54974e22b72798cd33bfd51845070795e936] Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc.git
testing commit ab5b54974e22b72798cd33bfd51845070795e936
gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: ce31fcbfa0fcca466d82450e6fb39d148cb532fb6f20dffd0371c325d0cec3f9
all runs: crashed: WARNING in track_pfn_remap
# git bisect bad ab5b54974e22b72798cd33bfd51845070795e936
Bisecting: 12 revisions left to test after this (roughly 4 steps)
[6b008640db7355d8de6ac18f74cedd7ccc92684f] mm: move 'mmap_min_addr' logic from callers into vm_unmapped_area()
testing commit 6b008640db7355d8de6ac18f74cedd7ccc92684f
gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 13bd0e543db5e5ae70a64e6a27b7c9e38c457a671bd9a1a858fb2b9b5ae3dc00
all runs: OK
# git bisect good 6b008640db7355d8de6ac18f74cedd7ccc92684f
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[33afd4b76393627477e878b3b195d606e585d816] Merge tag 'mm-nonmm-stable-2023-04-27-16-01' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
testing commit 33afd4b76393627477e878b3b195d606e585d816
gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: c5994a4a467326a9b5cbd1abdd5670708034834f38b484609600ed2fdd8638e1
all runs: OK
# git bisect good 33afd4b76393627477e878b3b195d606e585d816
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[fd19ed3a9203998b4647289488fcd12943d38e3b] mm/shmem: Fix race in shmem_undo_range w/THP
testing commit fd19ed3a9203998b4647289488fcd12943d38e3b
gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: c261692c182a8d5455f4916996b6df941a85bfd10c9cf0731d3b8bc9d39c9593
all runs: crashed: WARNING in track_pfn_remap
# git bisect bad fd19ed3a9203998b4647289488fcd12943d38e3b
Bisecting: 0 revisions left to test after this (roughly 1 step)
[13bb43fc87ab777560eb033db24a9c5db0ca7b2c] kasan: hw_tags: avoid invalid virt_to_page()
testing commit 13bb43fc87ab777560eb033db24a9c5db0ca7b2c
gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 238f3a50a920bad726893ed054da94ecc52df48577e2fef2ba59f5aac290050e
all runs: crashed: WARNING in track_pfn_remap
# git bisect bad 13bb43fc87ab777560eb033db24a9c5db0ca7b2c
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[4406ea87ff2003e2c233c208ca7e23d90f6a6fba] mm: keep memory type same on DEVMEM Page-Fault
testing commit 4406ea87ff2003e2c233c208ca7e23d90f6a6fba
gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: c6c206a4bcf562b74af5ddd3ee311756a9a73868a72cb0da805a362867928907
all runs: crashed: WARNING in track_pfn_remap
# git bisect bad 4406ea87ff2003e2c233c208ca7e23d90f6a6fba
4406ea87ff2003e2c233c208ca7e23d90f6a6fba is the first bad commit
commit 4406ea87ff2003e2c233c208ca7e23d90f6a6fba
Author: buddy.zhang
Date: Sun Mar 19 11:37:50 2023 +0800

    mm: keep memory type same on DEVMEM Page-Fault

    On X86 architecture, supports memory type on Page-table, such as PTE is
    PAT/PCD/PWD, which can set up Memory Type as WC/WB/WT/UC etc. Then,
    Virtual address from userspace or kernel space can map to same physical
    page, if each page table has different memory type, then it's confused to
    have more memory type for same physical page.

    On DEVMEM, the 'remap_pfn_range()' keep memory type same on different
    mapping. But if it happen on Page-Fault route, such as code:

     19 static vm_fault_t vm_fault(struct vm_fault *vmf)
     20 {
     21         struct vm_area_struct *vma = vmf->vma;
     22         unsigned long address = vmf->address;
     23         struct page *fault_page;
     24         unsigned long pfn;
     25         int r;
     26
     27         /* Allocate Page as DEVMEM */
     28         fault_page = alloc_page(GFP_KERNEL);
     29         if (!fault_page) {
     30                 printk("ERROR: NO Free Memory from DEVMEM.\n");
     31                 r = -ENOMEM;
     32                 goto err_alloc;
     33         }
     34         pfn = page_to_pfn(fault_page);
     35
     36         /* Clear PAT Attribute */
     37         pgprot_val(vma->vm_page_prot) &= ~(_PAGE_PCD | _PAGE_PWT | _PAGE_PAT);
     38
     39         /* Change Memory Type for Direct-Mapping Area */
     40         arch_io_reserve_memtype_wc(PFN_PHYS(pfn), PAGE_SIZE);
     41         pgprot_val(vma->vm_page_prot) |= cachemode2protval(_PAGE_CACHE_MODE_WT);
     42
     43         /* Establish pte and INC _mapcount for page */
     44         vm_flags_set(vma, VM_MIXEDMAP);
     45         if (vm_insert_page(vma, address, fault_page))
     46                 return -EAGAIN;
     47
     48         /* Add refcount for page */
     49         atomic_inc(&fault_page->_refcount);
     50         /* bind fault page */
     51         vmf->page = fault_page;
     52
     53         return 0;
     54
     55 err_alloc:
     56         return r;
     57 }
     58
     59 static const struct vm_operations_struct BiscuitOS_vm_ops = {
     60         .fault = vm_fault,
     61 };
     62
     63 static int BiscuitOS_mmap(struct file *filp, struct vm_area_struct *vma)
     64 {
     65         /* setup vm_ops */
     66         vma->vm_ops = &BiscuitOS_vm_ops;
     67
     68         return 0;
     69 }

    If invoke arch_io_reserve_memtype_wc() on Line-40, and modify memory type
    as WC for Direct-Mapping area, and then setup memory type as WT on
    Line-41, then invoke 'vm_insert_page()' to create mapping, so you can see:

            | <---- Userspace -----> | <- Kernel space -> |
        ----+------+---+-------------+---+---+------------+--
            |      |   |             |   |   |            |
        ----+------+---+-------------+---+---+------------+--
                 WT|                     |WC
                   o-------o    o--------o
                         WT|    |WC
                           V    V
        -------------------+--------+------------------------
                           | DEVMEM |
        -------------------+--------+------------------------
                     Physical Address Space

    For this case, OS should check memory type before mapping on
    'vm_insert_page()', and keep memory type same, so add check on function:

     07 int vm_insert_page(struct vm_area_struct *vma, unsigned long addr,
     08                         struct page *page)
     09 {
     10         if (addr < vma->vm_start || addr >= vma->vm_end)
     11                 return -EFAULT;
     12         if (!page_count(page))
     13                 return -EINVAL;
     14         if (!(vma->vm_flags & VM_MIXEDMAP)) {
     15                 BUG_ON(mmap_read_trylock(vma->vm_mm));
     16                 BUG_ON(vma->vm_flags & VM_PFNMAP);
     17                 vm_flags_set(vma, VM_MIXEDMAP);
     18         }
     19         if (track_pfn_remap(vma, &vma->vm_page_prot,
     20                         page_to_pfn(page), addr, PAGE_SIZE))
     21                 return -EINVAL;
     22         return insert_page(vma, addr, page, vma->vm_page_prot);
     23 }

    And line 19 to 21, when mapping different memory type on this route, the
    'track_pfn_remap()' will notify error and change request as current, e.g.

    x86/PAT: APP:88 map pfn RAM range req write-through for [mem 0x025c1000-0x025c1fff], got write-combining

    And then, we can keep memory type same on Page-fault route for DEVMEM, the
    end:

            | <---- Userspace -----> | <- Kernel space -> |
        ----+------+---+-------------+---+---+------------+--
            |      |   |             |   |   |            |
        ----+------+---+-------------+---+---+------------+--
                 WT|                     |WC
                   o---(X)----o----------o
                              |WC
                              V
        -------------------+--------+------------------------
                           | DEVMEM |
        -------------------+--------+------------------------

    Link: https://lkml.kernel.org/r/20230319033750.475200-1-buddy.zhang@biscuitos.cn
    Signed-off-by: Buddy Zhang
    Cc: Dan Williams
    Cc: Juergen Gross
    Cc: Konstantin Khlebnikov
    Cc: Suresh Siddha
    Cc: Venkatesh Pallipadi
    Signed-off-by: Andrew Morton

 mm/memory.c | 3 +++
 1 file changed, 3 insertions(+)

parent commit ef832747a82dfbc22a3702219cc716f449b24e4a wasn't tested
testing commit ef832747a82dfbc22a3702219cc716f449b24e4a
gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: d94c77a6c830514f1adb8c44bb6438de3d2be6a95875a3c08666d7336b27a982
culprit signature: c6c206a4bcf562b74af5ddd3ee311756a9a73868a72cb0da805a362867928907
parent signature: d94c77a6c830514f1adb8c44bb6438de3d2be6a95875a3c08666d7336b27a982
revisions tested: 16, total time: 4h46m44.312969916s (build: 2h38m30.674259413s, test: 2h5m9.815685225s)
first bad commit: 4406ea87ff2003e2c233c208ca7e23d90f6a6fba mm: keep memory type same on DEVMEM Page-Fault
recipients (to): ["akpm@linux-foundation.org" "buddy.zhang@biscuitos.cn"]
recipients (cc): []

crash: WARNING in track_pfn_remap
binder: 5436:5437 ioctl c0306201 20001480 returned -14
------------[ cut here ]------------
WARNING: CPU: 1 PID: 5437 at include/linux/mmap_lock.h:161 mmap_assert_write_locked include/linux/mmap_lock.h:161 [inline]
WARNING: CPU: 1 PID: 5437 at include/linux/mmap_lock.h:161 vm_flags_set include/linux/mm.h:661 [inline]
WARNING: CPU: 1 PID: 5437 at include/linux/mmap_lock.h:161 track_pfn_remap+0x25f/0x2d0 arch/x86/mm/pat/memtype.c:1002
Modules linked in:
CPU: 1 PID: 5437 Comm: syz-executor.0 Not tainted 6.3.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
RIP: 0010:mmap_assert_write_locked include/linux/mmap_lock.h:161 [inline]
RIP: 0010:vm_flags_set include/linux/mm.h:661 [inline]
RIP: 0010:track_pfn_remap+0x25f/0x2d0 arch/x86/mm/pat/memtype.c:1002
Code: 89 f2 5b 31 c9 4c 89 c6 5d 41 5c 41 5d 41 5e e9 57 f7 ff ff 48 8d bd 98 01 00 00 31 f6 e8 49 ad f8 07 85 c0 0f 85 51 ff ff ff <0f> 0b e9 4a ff ff ff 48 89 ef e8 32 a2 75 00 0f 0b 48 89 0c 24 e8
RSP: 0018:ffffc900045ef3f8 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000001000 RCX: 0000000000000001
RDX: 0000000000000000 RSI: ffffffff896ba120 RDI: ffffffff89c26da0
RBP: ffff88807b525340 R08: 0000000000000000 R09: ffffffff8b642aa3
R10: fffffbfff16c8554 R11: 0000000000000027 R12: ffff888021406718
R13: 0000000000000000 R14: ffff888021406700 R15: ffffea0001e49e74
FS: 00007f05dd898700(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000018b5a000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 vm_insert_page+0x2ab/0x530 mm/memory.c:1992
 binder_update_page_range+0x25e/0x1140 drivers/android/binder_alloc.c:260
 binder_alloc_new_buf_locked drivers/android/binder_alloc.c:487 [inline]
 binder_alloc_new_buf+0x52d/0x1e00 drivers/android/binder_alloc.c:571
 binder_transaction+0x2086/0x8d90 drivers/android/binder.c:3207
 binder_thread_write+0x9ec/0x2e20 drivers/android/binder.c:3991
 binder_ioctl_write_read drivers/android/binder.c:5047 [inline]
 binder_ioctl+0x23eb/0x5940 drivers/android/binder.c:5333
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:870 [inline]
 __se_sys_ioctl fs/ioctl.c:856 [inline]
 __x64_sys_ioctl+0x123/0x190 fs/ioctl.c:856
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f05dca8c169
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f05dd898168 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f05dcbabf80 RCX: 00007f05dca8c169
RDX: 0000000020000100 RSI: 00000000c0306201 RDI: 0000000000000004
RBP: 00007f05dcae7ca1 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffe38b212ef R14: 00007f05dd898300 R15: 0000000000022000