ci starts bisection 2025-06-17 19:43:52.724102668 +0000 UTC m=+37082.047145555
bisecting cause commit starting from 050f8ad7b58d9079455af171ac279c4b9b828c11
building syzkaller on d1716036cfa39739f284316822472a6b43b964e6
fetch other tags and check if the commit is present
ensuring issue is reproducible on original commit 050f8ad7b58d9079455af171ac279c4b9b828c11
testing commit 050f8ad7b58d9079455af171ac279c4b9b828c11 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: a800a10c5dd8c03f5e46e623c0074aa89bdbdbdfc142ddced8d91d0be3bf76ac
all runs: crashed: WARNING: bad unlock balance in move_pgt_entry
representative crash: WARNING: bad unlock balance in move_pgt_entry, types: [LOCKDEP]
check whether we can drop unnecessary instrumentation
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG KASAN], they are not needed
testing commit 050f8ad7b58d9079455af171ac279c4b9b828c11 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: 3f209520bb90111a428e06e280f36b2de4e4749fadc6c1cd139501a085f3d6f1
run #0: crashed: WARNING: bad unlock balance in move_pgt_entry
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
representative crash: WARNING: bad unlock balance in move_pgt_entry, types: [LOCKDEP]
unable to determine the verdict: 9 good runs (wanted 5), for bad wanted 5 in total, got 10
kconfig minimization: base=4095 full=8370 leaves diff=2123
split chunks (needed=false): <2123>
split chunk #0 of len 2123 into 5 parts
testing without sub-chunk 1/5
testing commit 050f8ad7b58d9079455af171ac279c4b9b828c11 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: a43d2578901ab098baeaecc911ee83d7279099463b22553dfdff3e9120326ef2
all runs: crashed: WARNING: bad unlock balance in move_pgt_entry
representative crash: WARNING: bad unlock balance in move_pgt_entry, types: [LOCKDEP]
the chunk can be dropped
testing without sub-chunk 2/5
testing commit 050f8ad7b58d9079455af171ac279c4b9b828c11 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: 25495332d8e64ddd3bf0570efeb872e124c4bd38c8c6f0117fe29933c710d866
all runs: crashed: WARNING: bad unlock balance in move_pgt_entry
representative crash: WARNING: bad unlock balance in move_pgt_entry, types: [LOCKDEP]
the chunk can be dropped
testing without sub-chunk 3/5
testing commit 050f8ad7b58d9079455af171ac279c4b9b828c11 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: ec78e427e0be23ffd71cac8a13b8abaf68c7f7f2bcb81a6c44160b36b98cbd85
run #0: crashed: WARNING: bad unlock balance in move_pgt_entry
run #1: crashed: WARNING: bad unlock balance in move_pgt_entry
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
representative crash: WARNING: bad unlock balance in move_pgt_entry, types: [LOCKDEP]
testing without sub-chunk 4/5
testing commit 050f8ad7b58d9079455af171ac279c4b9b828c11 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: 266d32ffb1c0a250c16a73da151fe4e6a5f66dc6ddf3e661c7f025a500e700c4
all runs: crashed: WARNING: bad unlock balance in move_pgt_entry
representative crash: WARNING: bad unlock balance in move_pgt_entry, types: [LOCKDEP]
the chunk can be dropped
testing without sub-chunk 5/5
testing commit 050f8ad7b58d9079455af171ac279c4b9b828c11 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: 67dddaf9e25d26861123bae23a089a661034a210722064672ff7278656f20d37
all runs: crashed: WARNING: bad unlock balance in move_pgt_entry
representative
crash: WARNING: bad unlock balance in move_pgt_entry, types: [LOCKDEP]
the chunk can be dropped
minimized to 425 configs
picked [v6.15 v6.14 v6.13 v6.11 v6.9 v6.7 v6.5 v6.3 v6.0 v5.17 v5.14 v5.11 v5.8 v5.5 v5.2 v4.20 v4.19] out of 38 release tags
testing release v6.15
testing commit 0ff41df1cb268fc69e703a08a57ee14ae967d0ca gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: facdcc58d8f9b06d6ab1ec6ca33f137d8f6e375e38250644f834023b0cb8a2bb
all runs: OK
false negative chance: 0.000
# git bisect start 050f8ad7b58d9079455af171ac279c4b9b828c11 0ff41df1cb268fc69e703a08a57ee14ae967d0ca
Bisecting: 8475 revisions left to test after this (roughly 13 steps)
[3536049822060347c8cb5a923186a8d65a8f7a48] Merge tag 'vfio-v6.16-rc1' of https://github.com/awilliam/linux-vfio
testing commit 3536049822060347c8cb5a923186a8d65a8f7a48 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: 0fe02d5c23f6fc8f0196c7bc2eb0168766511cc3cf65012a58f254331bcc1e4c
all runs: OK
false negative chance: 0.000
# git bisect good 3536049822060347c8cb5a923186a8d65a8f7a48
Bisecting: 4294 revisions left to test after this (roughly 12 steps)
[5fc6c6f258b34fd0d2ff2a63b8a407a4dcbca750] Merge tag 'drm-fixes-2025-06-06' of https://gitlab.freedesktop.org/drm/kernel
testing commit 5fc6c6f258b34fd0d2ff2a63b8a407a4dcbca750 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: d2b2428b7a6672a5097bbc12af5955f6fda4513f364f1bd52044202709568678
all runs: OK
false negative chance: 0.000
# git
bisect good 5fc6c6f258b34fd0d2ff2a63b8a407a4dcbca750
Bisecting: 2160 revisions left to test after this (roughly 11 steps)
[640064285a503dac7926059d0f584237cb8f4f8e] Merge branch 'for-next' of https://github.com/spacemit-com/linux
testing commit 640064285a503dac7926059d0f584237cb8f4f8e gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: 657f17493f994c5078e98a849426f9ac73a496707746ba546bb94ab15b6afd1d
run #0: crashed: WARNING: bad unlock balance in move_pgt_entry
run #1: crashed: WARNING: bad unlock balance in move_pgt_entry
run #2: crashed: WARNING: bad unlock balance in move_pgt_entry
run #3: crashed: WARNING: bad unlock balance in move_pgt_entry
run #4: crashed: WARNING: bad unlock balance in move_pgt_entry
run #5: crashed: WARNING: bad unlock balance in move_pgt_entry
run #6: crashed: WARNING: bad unlock balance in move_pgt_entry
run #7: crashed: WARNING: bad unlock balance in move_pgt_entry
run #8: crashed: WARNING: bad unlock balance in move_pgt_entry
run #9: crashed: WARNING: bad unlock balance in move_pgt_entry
run #10: crashed: WARNING: bad unlock balance in move_pgt_entry
run #11: crashed: WARNING: bad unlock balance in move_pgt_entry
run #12: crashed: WARNING: bad unlock balance in move_pgt_entry
run #13: crashed: WARNING: bad unlock balance in move_pgt_entry
run #14: crashed: WARNING: bad unlock balance in move_pgt_entry
run #15: crashed: WARNING: bad unlock balance in move_pgt_entry
run #16: crashed: WARNING: bad unlock balance in move_pgt_entry
run #17: crashed: WARNING: bad unlock balance in move_pgt_entry
run #18: crashed: WARNING: bad unlock balance in move_pgt_entry
run #19: OK
representative crash: WARNING: bad unlock balance in move_pgt_entry, types: [LOCKDEP]
# git bisect bad 640064285a503dac7926059d0f584237cb8f4f8e
Bisecting: 1062 revisions left to test after this (roughly 10 steps)
[d3c82f618a9c2b764b7651afe16594ffeb50ade9] Merge tag 'mm-hotfixes-stable-2025-06-06-16-02' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
testing commit d3c82f618a9c2b764b7651afe16594ffeb50ade9 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: 3cdb2f9e959bb3ff38c1c6f3629c5b5e72a9a5bc4b8c6784afdd1ffaa3e7c0b2
all runs: OK
false negative chance: 0.000
# git bisect good d3c82f618a9c2b764b7651afe16594ffeb50ade9
Bisecting: 533 revisions left to test after this (roughly 9 steps)
[e4d652d1fe626c688887f92838576eb7447f91c2] Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/krzk/linux.git
testing commit e4d652d1fe626c688887f92838576eb7447f91c2 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: 6985eb8843586359e52981c935eb3da2792316679bf18849ac3d3dde45eeec15
all runs: OK
false negative chance: 0.000
# git bisect good e4d652d1fe626c688887f92838576eb7447f91c2
Bisecting: 257 revisions left to test after this (roughly 8 steps)
[b89038c5358797e8198d83c108ab38476ca0d143] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc.git
testing commit b89038c5358797e8198d83c108ab38476ca0d143 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: d3398f3ae18b23069b1e386415445032d20b7da34985ebf30ff95560634dc2da
run #0: crashed: WARNING: bad unlock balance in move_pgt_entry
run #1: crashed: WARNING: bad unlock balance in move_pgt_entry
run #2: crashed: WARNING: bad unlock balance in move_pgt_entry
run #3: ignore: lost connection to test machine
run #4: crashed: WARNING: bad unlock balance in move_pgt_entry
run #5: crashed: WARNING: bad unlock balance in move_pgt_entry
run #6: crashed: WARNING: bad unlock balance in move_pgt_entry
run #7: crashed: WARNING: bad unlock balance in move_pgt_entry
run #8: crashed: WARNING: bad unlock balance in move_pgt_entry
run #9: crashed: WARNING: bad unlock balance in move_pgt_entry
run #10: crashed: WARNING: bad unlock balance in move_pgt_entry
run #11: crashed: WARNING: bad unlock balance in move_pgt_entry
run #12: crashed: WARNING: bad unlock balance in move_pgt_entry
run #13: crashed: WARNING: bad unlock balance in move_pgt_entry
run #14: crashed: WARNING: bad unlock balance in move_pgt_entry
run #15: crashed: WARNING: bad unlock balance in move_pgt_entry
run #16: crashed: WARNING: bad unlock balance in move_pgt_entry
run #17: crashed: WARNING: bad unlock balance in move_pgt_entry
run #18: crashed: WARNING: bad unlock balance in move_pgt_entry
run #19: crashed: WARNING: bad unlock balance in move_pgt_entry
representative crash: WARNING: bad unlock balance in move_pgt_entry, types: [LOCKDEP]
# git bisect bad b89038c5358797e8198d83c108ab38476ca0d143
Bisecting: 154 revisions left to test after this (roughly 7 steps)
[f97971f859dd7d22e63982a493aec85d9e75a69e] mm/huge_memory: don't mark refcounted folios special in vmf_insert_folio_pud()
testing commit f97971f859dd7d22e63982a493aec85d9e75a69e gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: 9d000bc31a4652bfbc72c396fc8c4880f30ce373ce9a5844f91e8e6bf70c3beb
run #0: crashed: WARNING: bad unlock balance in move_pgt_entry
run #1: crashed: WARNING: bad unlock balance in move_pgt_entry
run #2: crashed: WARNING: bad unlock balance in move_pgt_entry
run #3: crashed: WARNING: bad unlock balance in move_pgt_entry
run #4: crashed: WARNING: bad unlock balance in move_pgt_entry
run #5: crashed: WARNING: bad unlock balance in move_pgt_entry
run #6: crashed: WARNING: bad unlock balance in move_pgt_entry
run #7: crashed: WARNING: bad unlock balance in move_pgt_entry
run #8: crashed: WARNING: bad unlock balance in move_pgt_entry
run #9: crashed: WARNING: bad unlock balance in move_pgt_entry
run #10: crashed: WARNING: bad unlock balance in move_pgt_entry
run #11: crashed: WARNING: bad unlock balance in move_pgt_entry
run #12: crashed: WARNING: bad unlock balance in move_pgt_entry
run #13: crashed: WARNING: bad unlock balance in move_pgt_entry
run #14: crashed: WARNING: bad unlock balance in move_pgt_entry
run #15: crashed: WARNING: bad unlock balance in move_pgt_entry
run #16: crashed: WARNING: bad unlock balance in move_pgt_entry
run #17: OK
run #18: crashed: WARNING: bad unlock balance in move_pgt_entry
run #19: crashed: WARNING: bad unlock balance in move_pgt_entry
representative crash: WARNING: bad unlock balance in move_pgt_entry, types: [LOCKDEP]
# git bisect bad f97971f859dd7d22e63982a493aec85d9e75a69e
Bisecting: 60 revisions left to test after this (roughly 6 steps)
[e4cbb84d3ce3be4feb19b26b711b92ea9b973868] proc: use the same treatment to check proc_lseek as ones for proc_read_iter et.al
testing commit e4cbb84d3ce3be4feb19b26b711b92ea9b973868 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: 0fcb7f99f30aebf5df7caa43982095252c96429c1e7c3d62fa79ae8736a91184
all runs: OK
false negative chance: 0.000
# git bisect good e4cbb84d3ce3be4feb19b26b711b92ea9b973868
Bisecting: 30 revisions left to test after this (roughly 5 steps)
[2ac45c0c0c3ec950db2d77063d1227a14093691d] alloc_tag: add sequence number for module and iterator
testing commit 2ac45c0c0c3ec950db2d77063d1227a14093691d gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: 389bb1eb1cd29abc5bd2234f3fb2d12a6fa14d632eb1d05653fa2820ac85b0a1
all runs: OK
false negative chance: 0.000
# git bisect good 2ac45c0c0c3ec950db2d77063d1227a14093691d
Bisecting: 15 revisions left to test after this (roughly 4 steps)
[24b3fa0ea7ad0d42c4665b7f3e4ed08ce9593a9b] mm: optimize mremap() by PTE batching
testing commit 24b3fa0ea7ad0d42c4665b7f3e4ed08ce9593a9b gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: 8e1de4cf698c96af4614960c534ca92f5e48b7941a7adaf9e7969e9b01ba4c79
run #0: crashed: WARNING: bad unlock balance in move_pgt_entry
run #1: crashed: WARNING: bad unlock balance in move_pgt_entry
run #2: crashed: WARNING: bad unlock balance in move_pgt_entry
run #3: crashed: WARNING: bad unlock balance in move_pgt_entry
run #4: crashed: WARNING: bad unlock balance in move_pgt_entry
run #5: crashed: WARNING: bad unlock balance in move_pgt_entry
run #6: crashed: WARNING: bad unlock balance in move_pgt_entry
run #7: crashed: WARNING: bad unlock balance in move_pgt_entry
run #8: crashed: WARNING: bad unlock balance in move_pgt_entry
run #9: crashed: WARNING: bad unlock balance in move_pgt_entry
run #10: crashed: WARNING: bad unlock balance in move_pgt_entry
run #11: crashed: WARNING: bad unlock balance in move_pgt_entry
run #12: crashed: WARNING: bad unlock balance in move_pgt_entry
run #13: crashed: WARNING: bad unlock balance in move_pgt_entry
run #14: crashed: WARNING: bad unlock balance in move_pgt_entry
run #15: crashed: WARNING: bad unlock balance in move_pgt_entry
run #16: crashed: WARNING: bad unlock balance in move_pgt_entry
run #17: crashed: WARNING: bad unlock balance in move_pgt_entry
run #18: crashed: WARNING: bad unlock balance in move_pgt_entry
run #19: OK
representative crash: WARNING: bad unlock balance in move_pgt_entry, types: [LOCKDEP]
# git bisect bad 24b3fa0ea7ad0d42c4665b7f3e4ed08ce9593a9b
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[f0d6f42a77e8e66838e7d1c422b32358c5c73ca4] tools/testing/selftests: add mremap() cases that merge normally
testing commit f0d6f42a77e8e66838e7d1c422b32358c5c73ca4 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: dc7045bd8385a6196e5a2fab18e728e8fc4d5da30c1cd63f8a2d2f2644fc1376
all runs: crashed: WARNING: bad unlock balance in move_pgt_entry
representative crash: WARNING: bad unlock balance in move_pgt_entry, types: [LOCKDEP]
# git bisect bad f0d6f42a77e8e66838e7d1c422b32358c5c73ca4
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[fc347ad239ab393017eca72d6ba450888ea34ac5] mm/mremap: add MREMAP_MUST_RELOCATE_ANON
testing commit fc347ad239ab393017eca72d6ba450888ea34ac5 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: 9fe664e4a2365815c80f08fa246a3149f95a2d81e00d99ffa1ecb4f8397f119e
run #0: crashed: WARNING: bad unlock balance in move_pgt_entry
run #1: crashed: WARNING: bad unlock balance in move_pgt_entry
run #2: crashed: WARNING: bad unlock balance in move_pgt_entry
run #3: crashed: WARNING: bad unlock balance in move_pgt_entry
run #4: crashed: WARNING: bad unlock balance in move_pgt_entry
run #5: crashed: WARNING: bad unlock balance in move_pgt_entry
run #6: crashed: WARNING: bad unlock balance in move_pgt_entry
run #7: crashed: WARNING: bad unlock balance in move_pgt_entry
run #8: crashed: WARNING: bad unlock balance in move_pgt_entry
run #9: crashed: WARNING: bad unlock balance in move_pgt_entry
run #10: crashed: WARNING: bad unlock balance in move_pgt_entry
run #11: crashed: WARNING: bad unlock balance in move_pgt_entry
run #12: crashed: WARNING: bad unlock balance in move_pgt_entry
run #13: crashed: WARNING: bad unlock balance in move_pgt_entry
run #14: crashed: WARNING: bad unlock balance in move_pgt_entry
run #15: crashed: WARNING: bad unlock balance in move_pgt_entry
run #16: crashed: WARNING: bad unlock balance in move_pgt_entry
run #17: crashed: WARNING: bad unlock balance in move_pgt_entry
run #18: crashed: WARNING: bad unlock balance in move_pgt_entry
run #19: OK
representative crash: WARNING: bad unlock balance in move_pgt_entry, types: [LOCKDEP]
# git bisect bad fc347ad239ab393017eca72d6ba450888ea34ac5
Bisecting: 0 revisions left to test after this (roughly 1
step) [aaf5c23bf6a474f11f48f03bd6a9b551f4e7d45a] mm/mremap: introduce more mergeable mremap via MREMAP_RELOCATE_ANON testing commit aaf5c23bf6a474f11f48f03bd6a9b551f4e7d45a gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: febf9211ce116af13a8bd9c9568aff96caa0f2db4d76cc086f798ec1b9eaf1f3 all runs: crashed: WARNING: bad unlock balance in move_pgt_entry representative crash: WARNING: bad unlock balance in move_pgt_entry, types: [LOCKDEP] # git bisect bad aaf5c23bf6a474f11f48f03bd6a9b551f4e7d45a Bisecting: 0 revisions left to test after this (roughly 0 steps) [5f5f5eeafa5d3073138a14f2d56c459f04a8a105] alloc_tag: keep codetag iterator active between read() testing commit 5f5f5eeafa5d3073138a14f2d56c459f04a8a105 gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: 778069c4783a6e6cc1406e957cfc41485fae12b86d6892af4ccc912e2583ba12 all runs: OK false negative chance: 0.000 # git bisect good 5f5f5eeafa5d3073138a14f2d56c459f04a8a105 aaf5c23bf6a474f11f48f03bd6a9b551f4e7d45a is the first bad commit commit aaf5c23bf6a474f11f48f03bd6a9b551f4e7d45a Author: Lorenzo Stoakes Date: Mon Jun 9 14:26:35 2025 +0100 mm/mremap: introduce more mergeable mremap via MREMAP_RELOCATE_ANON Patch series "mm/mremap: introduce more mergeable mremap via MREMAP_RELOCATE_ANON". A longstanding issue with VMA merging of anonymous VMAs is the requirement to maintain both vma->vm_pgoff and anon_vma compatibility between merge candidates. For anonymous mappings, vma->vm_pgoff (and consequently, folio->index) refer to virtual page offsets, that is, va >> PAGE_SHIFT. However upon mremap() of an anonymous mapping that has been faulted (that is, where vma->anon_vma != NULL), we would then need to walk page tables to be able to access let alone manipulate folio->index, mapping fields to permit an update of this virtual page offset. 
Therefore in these instances, we do not do so, instead retaining the virtual page offset the VMA was first faulted in at as it's vma->vm_pgoff field, and of course consequently folio->index. On each occasion we use linear_page_index() to determine the appropriate offset, cleverly offset the vma->vm_pgoff field by the difference between the virtual address and actual VMA start. Doing so in effect fragments the virtual address space, meaning that we are no longer able to merge these VMAs with adjacent ones that could, at least theoretically, be merged. This also creates a difference in behaviour, often surprising to users, between mappings which are faulted and those which are not - as for the latter we adjust vma->vm_pgoff upon mremap() to aid mergeability. This is problematic firstly because this proliferates kernel allocations that are pure memory pressure - unreclaimable and unmovable - i.e. vm_area_struct, anon_vma, anon_vma_chain objects that need not exist. Secondly, mremap() exhibits an implicit uAPI in that it does not permit remaps which span multiple VMAs (though it does permit remaps that constitute a part of a single VMA). This means that a user must concern themselves with whether merges succeed or not should they wish to use mremap() in such a way which causes multiple mremap() calls to be performed upon mappings. This series provides users with an option to accept the overhead of actually updating the VMA and underlying folios via the MREMAP_RELOCATE_ANON flag. If MREMAP_RELOCATE_ANON is specified, but an ordinary merge would result in the mremap() succeeding, then no attempt is made at relocation of folios as this is not required. Even if no merge is possible upon moving of the region, vma->vm_pgoff and folio->index fields are appropriately updated in order that subsequent mremap() or mprotect() calls will succeed in merging. This flag falls back to the ordinary means of mremap() should the operation not be feasible. 
It also transparently undoes the operation, carefully holding rmap locks such that no racing rmap operation encounters incorrect or missing VMAs. In addition, the MREMAP_MUST_RELOCATE_ANON flag is supplied in case the user needs to know whether or not the operation succeeded - this flag is identical to MREMAP_RELOCATE_ANON, only if the operation cannot succeed, the mremap() fails with -EFAULT. Note that no-op mremap() operations (such as an unpopulated range, or a merge that would trivially succeed already) will succeed under MREMAP_MUST_RELOCATE_ANON. mremap() already walks page tables, so it isn't an order of magntitude increase in workload, but constitutes the need to walk to page table leaf level and manipulate folios. The operations all succeed under THP and in general are compatible with underlying large folios of any size. In fact, the larger the folio, the more efficient the operation is. Performance testing indicate that time taken using MREMAP_RELOCATE_ANON is on the same order of magnitude of ordinary mremap() operations, with both exhibiting time to the proportion of the mapping which is populated. Of course, mremap() operations that are entirely aligned are significantly faster as they need only move a VMA and a smaller number of higher order page tables, but this is unavoidable. Previous efforts in this area ============================= An approach addressing this issue was previously suggested by Jakub Matena in a series posted a few years ago in [0] (and discussed in a masters thesis). However this was a more general effort which attempted to always make anonymous mappings more mergeable, and therefore was not quite ready for the upstream limelight. In addition, large folio work which has occurred since requires us to carefully consider and account for this. 
This series is more conservative and targeted (one must specific a flag to get this behaviour) and additionally goes to great efforts to handle large folios and account all of the nitty gritty locking concerns that might arise in current kernel code. Thanks goes out to Jakub for his efforts however, and hopefully this effort to take a slightly different approach to the same problem is pleasing to him regardless :) [0]:https://lore.kernel.org/all/20220311174602.288010-1-matenajakub@gmail.com/ Use-cases ========= * ZGC is a concurrent GC shipped with OpenJDK. A prototype is being worked upon which makes use of extensive mremap() operations to perform defragmentation of objects, taking advantage of the plentiful available virtual address space in a 64-bit system. In instances where one VMA is faulted in and another not, merging is not possible, which leads to significant, unreclaimable, kernel metadata overhead and contention on the vm.max_map_count limit. This series eliminates the issue entirely. * It was indicated that Android similarly moves memory around and encounters the very same issues as ZGC. * SUSE indicate they have encountered similar issues as pertains to an internal client. Past approaches =============== In discussions at LSF/MM/BPF It was suggested that we could make this an madvise() operation, however at this point it will be too late to correctly perform the merge, requiring an unmap/remap which would be egregious. It was further suggested that we simply defer the operation to the point at which an mremap() is attempted on multiple immediately adjacent VMAs (that is - to allow VMA fragmentation up until the point where it might cause perceptible issues with uAPI). This is problematic in that in the first instance - you accrue fragmentation, and only if you were to try to move the fragmented objects again would you resolve it. 
Additionally you would not be able to handle the mprotect() case, and you'd have the same issue as the madvise() approach in that you'd need to essentially re-map each VMA.

Additionally it would become non-trivial to correctly merge the VMAs - if there were more than 3, we would need to invent a new merging mechanism specifically for this, hold locks carefully over each to avoid them disappearing from beneath us and introduce a great deal of non-optional complexity.

While imperfect, the mremap flag approach seems the least invasive most workable solution (until further rework of the anon_vma mechanism can be achieved!)

Testing
=======

* Significantly expanded self-tests, all of which are passing.
* Explicit testing of forked cases including anon_vma reuse, all passing correctly.
* Ran all self tests with MREMAP_RELOCATE_ANON forced on for all anonymous mremap()'s.
* Ran heavy workloads with MREMAP_RELOCATE_ANON forced on on real hardware (kernel compilation, etc.)
* Ran stress-ng --mremap 32 for an hour with MREMAP_RELOCATE_ANON forced on on real hardware.

This patch (of 11):

When mremap() moves a mapping around in memory, it goes to great lengths to avoid having to walk page tables as this is expensive and time-consuming.

Rather, if the VMA was faulted (that is vma->anon_vma != NULL), the virtual page offset stored in the VMA at vma->vm_pgoff will remain the same, as well as all the folio indexes pointed at the associated anon_vma object.

This means the VMA and page tables can simply be moved and this effects the change (and if we can move page tables at a higher page table level, this is even faster).

While this is efficient, it does lead to big problems with VMA merging - in essence it causes faulted anonymous VMAs to not be mergeable under many circumstances once moved.
This is limiting and leads to both a proliferation of unreclaimable, unmovable kernel metadata (VMAs, anon_vma's, anon_vma_chain's) and has an impact on further use of mremap(), which has a requirement that the VMA moved (which can also be a partial range within a VMA) may span only a single VMA.

This makes the mergeability or not of VMAs in effect a uAPI concern.

In some use cases, users may wish to accept the overhead of actually going to the trouble of updating VMAs and folios to effect mremap() moves. Let's provide them with the choice.

This patch adds a new MREMAP_RELOCATE_ANON flag to do just that, which attempts to perform such an operation. If it is unable to do so, it cleanly falls back to the usual method.

It carefully takes the rmap locks such that at no time will a racing rmap user encounter incorrect or missing VMAs.

It is also designed to interact cleanly with the existing mremap() error fallback mechanism (inverting the remap should the page table move fail).

Also, if we could merge cleanly without such a change, we do so, avoiding the overhead of the operation if it is not required.

In the instance that no merge may occur when the move is performed, we still perform the folio and VMA updates to ensure that future mremap() or mprotect() calls will result in merges.

In this implementation, we simply give up if we encounter large folios. A subsequent commit will extend the functionality to allow for these cases.

We restrict this flag to purely anonymous memory only.

We separate out the vma_had_uncowed_parents() helper function for checking in should_relocate_anon() and introduce a new function vma_maybe_has_shared_anon_folios() which combines a check against this and any forked child anon_vma's.

We carefully check for pinned folios in case a caller who holds a pin might make assumptions about index, mapping fields which we are about to manipulate.

Link: https://lkml.kernel.org/r/cover.1749473726.git.lorenzo.stoakes@oracle.com
Link: https://lkml.kernel.org/r/22a80f22ba2082b28ee0b0a925eb3dbb37c2a786.1749473726.git.lorenzo.stoakes@oracle.com
Signed-off-by: Lorenzo Stoakes
Cc: Baolin Wang
Cc: Barry Song
Cc: David Hildenbrand
Cc: Dev Jain
Cc: Jakub Matěna
Cc: Jann Horn
Cc: Liam Howlett
Cc: Mariano Pache
Cc: Matthew Wilcox (Oracle)
Cc: Rik van Riel
Cc: Ryan Roberts
Cc: Suren Baghdasaryan
Cc: Vlastimil Babka
Cc: Wei Yang
Cc: Zi Yan
Signed-off-by: Andrew Morton

 include/linux/rmap.h | 4 +
 include/uapi/linux/mman.h | 1 +
 mm/internal.h | 1 +
 mm/mremap.c | 403 +++++++++++++++++++++++++++++++++++++--
 mm/vma.c | 79 ++++++--
 mm/vma.h | 36 +++-
 tools/testing/vma/vma.c | 5 +-
 tools/testing/vma/vma_internal.h | 38 ++++
 8 files changed, 522 insertions(+), 45 deletions(-)

accumulated error probability: 0.00
culprit signature: febf9211ce116af13a8bd9c9568aff96caa0f2db4d76cc086f798ec1b9eaf1f3
parent signature: 778069c4783a6e6cc1406e957cfc41485fae12b86d6892af4ccc912e2583ba12
reproducer is flaky (0.95 repro chance estimate)
revisions tested: 22, total time: 9h22m53.709125837s (build: 4h50m19.688238902s, test: 4h6m15.210582622s)
first bad commit: aaf5c23bf6a474f11f48f03bd6a9b551f4e7d45a mm/mremap: introduce more mergeable mremap via MREMAP_RELOCATE_ANON
recipients (to): ["akpm@linux-foundation.org" "linux-kernel@vger.kernel.org" "lorenzo.stoakes@oracle.com"]
recipients (cc): ["Jason@zx2c4.com" "Liam.Howlett@oracle.com" "akpm@linux-foundation.org" "david@redhat.com" "harry.yoo@oracle.com" "jannh@google.com" "linux-mm@kvack.org" "lorenzo.stoakes@oracle.com" "pfalcato@suse.de" "riel@surriel.com" "vbabka@suse.cz"]
crash: WARNING: bad unlock balance in move_pgt_entry
=====================================
WARNING: bad unlock balance detected!
6.16.0-rc2-syzkaller #0 Not tainted
-------------------------------------
syz.5.25/6454 is trying to release lock (&mapping->i_mmap_rwsem) at:
[] i_mmap_unlock_write include/linux/fs.h:555 [inline]
[] maybe_drop_rmap_locks mm/mremap.c:196 [inline]
[] move_pgt_entry+0xbf7/0xd30 mm/mremap.c:632
but there are no more locks to release!

other info that might help us debug this:
1 lock held by syz.5.25/6454:
 #0: ffff888113cab660 (&mm->mmap_lock){++++}-{4:4}, at: mmap_write_lock_killable include/linux/mmap_lock.h:374 [inline]
 #0: ffff888113cab660 (&mm->mmap_lock){++++}-{4:4}, at: do_mremap mm/mremap.c:2061 [inline]
 #0: ffff888113cab660 (&mm->mmap_lock){++++}-{4:4}, at: __do_sys_mremap mm/mremap.c:2143 [inline]
 #0: ffff888113cab660 (&mm->mmap_lock){++++}-{4:4}, at: __se_sys_mremap+0x3e0/0xc40 mm/mremap.c:2111

stack backtrace:
CPU: 0 UID: 0 PID: 6454 Comm: syz.5.25 Not tainted 6.16.0-rc2-syzkaller #0 PREEMPT(undef)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 print_unlock_imbalance_bug+0xdc/0xf0 kernel/locking/lockdep.c:5301
 __lock_release kernel/locking/lockdep.c:5540 [inline]
 lock_release+0x269/0x3e0 kernel/locking/lockdep.c:5892
 up_write+0x2d/0x420 kernel/locking/rwsem.c:1629
 i_mmap_unlock_write include/linux/fs.h:555 [inline]
 maybe_drop_rmap_locks mm/mremap.c:196 [inline]
 move_pgt_entry+0xbf7/0xd30 mm/mremap.c:632
 move_page_tables+0xb18/0x1a90 mm/mremap.c:1074
 copy_vma_and_data mm/mremap.c:1498 [inline]
 move_vma+0xd13/0x1f90 mm/mremap.c:1604
 mremap_to+0x7e7/0x8b0 mm/mremap.c:1797
 do_mremap mm/mremap.c:2086 [inline]
 __do_sys_mremap mm/mremap.c:2143 [inline]
 __se_sys_mremap+0x901/0xc40 mm/mremap.c:2111
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f2a10dae929
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f2a107fe038 EFLAGS: 00000246 ORIG_RAX: 0000000000000019
RAX: ffffffffffffffda RBX: 00007f2a10fd6080 RCX: 00007f2a10dae929
RDX: 0000000000200000 RSI: 0000000000600600 RDI: 0000200000000000
RBP: 00007f2a10e30b39 R08: 0000200000a00000 R09: 0000000000000000
R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f2a10fd6080 R15: 00007fff68c67ce8
------------[ cut here ]------------
DEBUG_RWSEMS_WARN_ON((rwsem_owner(sem) != current) && !rwsem_test_oflags(sem, RWSEM_NONSPINNABLE)): count = 0x0, magic = 0xffff88812331ab18, owner = 0x0, curr 0xffff88810abc1d00, list empty
WARNING: CPU: 0 PID: 6454 at kernel/locking/rwsem.c:1368 __up_write kernel/locking/rwsem.c:1367 [inline]
WARNING: CPU: 0 PID: 6454 at kernel/locking/rwsem.c:1368 up_write+0x3a2/0x420 kernel/locking/rwsem.c:1630
Modules linked in:
CPU: 0 UID: 0 PID: 6454 Comm: syz.5.25 Not tainted 6.16.0-rc2-syzkaller #0 PREEMPT(undef)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
RIP: 0010:__up_write kernel/locking/rwsem.c:1367 [inline]
RIP: 0010:up_write+0x3a2/0x420 kernel/locking/rwsem.c:1630
Code: d0 48 c7 c7 80 24 89 85 48 c7 c6 a0 26 89 85 48 8b 14 24 4c 89 f1 4d 89 e0 4c 8b 4c 24 08 41 52 e8 63 db e9 ff 48 83 c4 08 90 <0f> 0b 90 90 e9 6d fd ff ff 48 c7 c1 f4 3d 4e 87 80 e1 07 80 c1 03
RSP: 0018:ffffc900020a7500 EFLAGS: 00010296
RAX: 1e79ad0dbfc03a00 RBX: ffff88812331ab18 RCX: ffff88810abc1d00
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000002
RBP: dffffc0000000000 R08: 0000000000000003 R09: 0000000000000004
R10: dffffc0000000000 R11: fffffbfff0d2d48c R12: 0000000000000000
R13: ffff88812331ab70 R14: ffff88812331ab18 R15: 1ffff11024663564
FS: 00007f2a107fe6c0(0000) GS:ffff88826d29d000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2de5ffff CR3: 0000000134468000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 i_mmap_unlock_write include/linux/fs.h:555 [inline]
 maybe_drop_rmap_locks mm/mremap.c:196 [inline]
 move_pgt_entry+0xbf7/0xd30 mm/mremap.c:632
 move_page_tables+0xb18/0x1a90 mm/mremap.c:1074
 copy_vma_and_data mm/mremap.c:1498 [inline]
 move_vma+0xd13/0x1f90 mm/mremap.c:1604
 mremap_to+0x7e7/0x8b0 mm/mremap.c:1797
 do_mremap mm/mremap.c:2086 [inline]
 __do_sys_mremap mm/mremap.c:2143 [inline]
 __se_sys_mremap+0x901/0xc40 mm/mremap.c:2111
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f2a10dae929
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f2a107fe038 EFLAGS: 00000246 ORIG_RAX: 0000000000000019
RAX: ffffffffffffffda RBX: 00007f2a10fd6080 RCX: 00007f2a10dae929
RDX: 0000000000200000 RSI: 0000000000600600 RDI: 0000200000000000
RBP: 00007f2a10e30b39 R08: 0000200000a00000 R09: 0000000000000000
R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f2a10fd6080 R15: 00007fff68c67ce8