ci2 starts bisection 2025-09-04 02:03:06.895937839 +0000 UTC m=+101.884911664
bisecting fixing commit since 3594f306da129190de25938b823f353ef7f9e322
building syzkaller on c4a9548758bac1c6dc231afd7543b5e8c5b6a65e
ensuring issue is reproducible on original commit 3594f306da129190de25938b823f353ef7f9e322
testing commit 3594f306da129190de25938b823f353ef7f9e322 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 37cef5ba56c96dc1059d3491066257ed8ebe190412122e3e1496bb49e49e8dc2
all runs: crashed: kernel BUG in hpage_collapse_scan_file
representative crash: kernel BUG in hpage_collapse_scan_file, types: [BUG]
check whether we can drop unnecessary instrumentation
disabling configs for [hang memleak ubsan kasan locking atomic_sleep], they are not needed
testing commit 3594f306da129190de25938b823f353ef7f9e322 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 070caccefa186843c41a33b64c144c7720859d18f14c3fa41baf6378c588f849
all runs: crashed: kernel BUG in hpage_collapse_scan_file
representative crash: kernel BUG in hpage_collapse_scan_file, types: [BUG]
the bug reproduces without the instrumentation
disabling configs for [memleak ubsan kasan locking atomic_sleep hang], they are not needed
kconfig minimization: base=7505 full=9787 leaves diff=2010
split chunks (needed=false): <2010>
split chunk #0 of len 2010 into 5 parts
testing without sub-chunk 1/5
disabling configs for [kasan locking atomic_sleep hang memleak ubsan], they are not needed
testing commit 3594f306da129190de25938b823f353ef7f9e322 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 7efd9199886e35d5458f3a76bec08a18247452bc08beaef223308530fd08cf75
all runs: crashed: kernel BUG in hpage_collapse_scan_file
representative crash: kernel BUG in hpage_collapse_scan_file, types: [BUG]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [memleak ubsan kasan locking atomic_sleep hang], they are not needed
testing commit 3594f306da129190de25938b823f353ef7f9e322 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 80665066aa54f9b3879a359b27c2311363b7f6946a6db9e2120c5e2e95ff7195
all runs: crashed: kernel BUG in hpage_collapse_scan_file
representative crash: kernel BUG in hpage_collapse_scan_file, types: [BUG]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [kasan locking atomic_sleep hang memleak ubsan], they are not needed
testing commit 3594f306da129190de25938b823f353ef7f9e322 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: a668b06fc366319ef0426e0693a6a1fd88fdf84a9be736ea38fc193c2c9e126c
all runs: crashed: kernel BUG in hpage_collapse_scan_file
representative crash: kernel BUG in hpage_collapse_scan_file, types: [BUG]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [kasan locking atomic_sleep hang memleak ubsan], they are not needed
testing commit 3594f306da129190de25938b823f353ef7f9e322 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 4be3fa17890e4b814ed897b3531dcd732cd49a6d0ccfff0495fd9fc9e350b5d5
all runs: crashed: kernel BUG in hpage_collapse_scan_file
representative crash: kernel BUG in hpage_collapse_scan_file, types: [BUG]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [locking atomic_sleep hang memleak ubsan kasan], they are not needed
testing commit 3594f306da129190de25938b823f353ef7f9e322 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 9e80318521d8b91f6c49537b2634a651ec65a8d3fe5aeccceac8b78035324b6a
all runs: crashed: kernel BUG in hpage_collapse_scan_file
representative crash: kernel BUG in hpage_collapse_scan_file, types: [BUG]
the chunk can be dropped
disabling configs for [ubsan kasan locking atomic_sleep hang memleak], they are not needed
testing current HEAD f89b6e15694c1e24f78d889b29a54d46e5267413
testing commit f89b6e15694c1e24f78d889b29a54d46e5267413 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 54058561e3c1e270fb0e8439dc60be50654b2ac906ce440dbd4c0d1ece557b03
all runs: OK
false negative chance: 0.000
# git bisect start f89b6e15694c1e24f78d889b29a54d46e5267413 3594f306da129190de25938b823f353ef7f9e322
Bisecting: 368 revisions left to test after this (roughly 9 steps)
[5d9f9125432a34665e366b5d074fb0383e93092f] ktest.pl: Prevent recursion of default variable options
determine whether the revision contains the guilty commit
revision 3594f306da129190de25938b823f353ef7f9e322 crashed and is reachable
testing commit 5d9f9125432a34665e366b5d074fb0383e93092f gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 0d22733dad46e8dce26cc94405c998f2d65700bd9b9ce31b7304615655ea054a
all runs: OK
false negative chance: 0.000
# git bisect bad 5d9f9125432a34665e366b5d074fb0383e93092f
Bisecting: 184 revisions left to test after this (roughly 8 steps)
[f7997dde3f64efc11b3b398c99466fb4be140038] module: Restore the moduleparam prefix length check
determine whether the revision contains the guilty commit
revision 3594f306da129190de25938b823f353ef7f9e322 crashed and is reachable
testing commit f7997dde3f64efc11b3b398c99466fb4be140038 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 2113980dfc1680f96992a0b4737d8eb36302c6a504f3a23f9ca8f8cd311cccd1
all runs: OK
false negative chance: 0.000
# git bisect bad f7997dde3f64efc11b3b398c99466fb4be140038
Bisecting: 91 revisions left to test after this (roughly 7 steps)
[e6edc77c7baf8a622351bcc0ddb428a34a6f5142] samples: mei: Fix building on musl libc
determine whether the revision contains the guilty commit
revision 3594f306da129190de25938b823f353ef7f9e322 crashed and is reachable
testing commit e6edc77c7baf8a622351bcc0ddb428a34a6f5142 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: e3cfdb2a3fe750a51ad8d2d935ae2fa1facc1e803a8172314b001f40746888d2
all runs: OK
false negative chance: 0.000
# git bisect bad e6edc77c7baf8a622351bcc0ddb428a34a6f5142
Bisecting: 45 revisions left to test after this (roughly 6 steps)
[5b0864018759d586f7d3737895bca6a9973adefe] usb: typec: tcpm: apply vbus before data bringup in tcpm_src_attach
determine whether the revision contains the guilty commit
revision 3594f306da129190de25938b823f353ef7f9e322 crashed and is reachable
testing commit 5b0864018759d586f7d3737895bca6a9973adefe gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 17e08ddeb5c838798c041a3804e0f2eec71bc81abbb25054a83804643f1284c9
run #0: crashed: kernel BUG in hpage_collapse_scan_file
run #1: crashed: kernel BUG in hpage_collapse_scan_file
run #2: crashed: kernel BUG in hpage_collapse_scan_file
run #3: crashed: kernel BUG in hpage_collapse_scan_file
run #4: crashed: kernel BUG in hpage_collapse_scan_file
run #5: crashed: kernel BUG in hpage_collapse_scan_file
run #6: crashed: kernel BUG in hpage_collapse_scan_file
run #7: crashed: kernel BUG in hpage_collapse_scan_file
run #8: crashed: kernel BUG in hpage_collapse_scan_file
run #9: boot failed: BUG: unable to handle kernel NULL pointer dereference in net_rx_action
representative crash: kernel BUG in hpage_collapse_scan_file, types: [BUG]
# git bisect good 5b0864018759d586f7d3737895bca6a9973adefe
Bisecting: 22 revisions left to test after this (roughly 5 steps)
[bbcfb8131f34b0bf820c57172d4de76dfe07b3cc] ASoC: ops: dynamically allocate struct snd_ctl_elem_value
determine whether the revision contains the guilty commit
revision 5b0864018759d586f7d3737895bca6a9973adefe crashed and is reachable
testing commit bbcfb8131f34b0bf820c57172d4de76dfe07b3cc gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 691fc094f701fd509416e8e90409df8eb687849f3916517452db8923f705f857
all runs: OK
false negative chance: 0.000
# git bisect bad bbcfb8131f34b0bf820c57172d4de76dfe07b3cc
Bisecting: 11 revisions left to test after this (roughly 4 steps)
[0346dbe08ed707f04200d5a95d43de175eb66b43] erofs: simplify z_erofs_transform_plain()
determine whether the revision contains the guilty commit
revision 5b0864018759d586f7d3737895bca6a9973adefe crashed and is reachable
testing commit 0346dbe08ed707f04200d5a95d43de175eb66b43 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 2ac20961c55b62bdde894fdb5e95bbf615da938fee2754947879d1d196a59822
all runs: OK
false negative chance: 0.000
# git bisect bad 0346dbe08ed707f04200d5a95d43de175eb66b43
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[0d750f7df7d9e1116790621c278155f5d1bf0b05] ALSA: hda: Add missing NVIDIA HDA codec IDs
determine whether the revision contains the guilty commit
revision 5b0864018759d586f7d3737895bca6a9973adefe crashed and is reachable
testing commit 0d750f7df7d9e1116790621c278155f5d1bf0b05 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: b4bea0309875b884725fb553e3871b5f32a9ae238f42e02bdc0f0dfe88074fbd
all runs: crashed: kernel BUG in hpage_collapse_scan_file
representative crash: kernel BUG in hpage_collapse_scan_file, types: [BUG]
# git bisect good 0d750f7df7d9e1116790621c278155f5d1bf0b05
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[869d35e23944f48c75cd2b34a00a7630e1c73a13] erofs: get rid of debug_one_dentry()
determine whether the revision contains the guilty commit
revision 5b0864018759d586f7d3737895bca6a9973adefe crashed and is reachable
testing commit 869d35e23944f48c75cd2b34a00a7630e1c73a13 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 527ff4ce72bba70f0b1a800605c444ecb082ab860ea4b62f756647041a9ea682
all runs: OK
false negative chance: 0.000
# git bisect bad 869d35e23944f48c75cd2b34a00a7630e1c73a13
Bisecting: 0 revisions left to test after this (roughly 1 step)
[c5273a8111b27418a552c32b740b1f53681be65b] mm: khugepaged: fix call hpage_collapse_scan_file() for anonymous vma
determine whether the revision contains the guilty commit
revision 5b0864018759d586f7d3737895bca6a9973adefe crashed and is reachable
testing commit c5273a8111b27418a552c32b740b1f53681be65b gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 461dce7584189713343fc55a473cee2f93948f4df3b90a39c0f181b8cec99675
all runs: OK
false negative chance: 0.000
# git bisect bad c5273a8111b27418a552c32b740b1f53681be65b
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[f9a77c85d1fbdef34fe5d29df540abd76697842b] drm/i915/dp: Fix 2.7 Gbps DP_LINK_BW value on g4x
determine whether the revision contains the guilty commit
revision 5b0864018759d586f7d3737895bca6a9973adefe crashed and is reachable
testing commit f9a77c85d1fbdef34fe5d29df540abd76697842b gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 4cde284a19e5ba00ed8415e84a22afb1644d4d2a53049d468261f6ff361236a5
all runs: crashed: kernel BUG in hpage_collapse_scan_file
representative crash: kernel BUG in hpage_collapse_scan_file, types: [BUG]
# git bisect good f9a77c85d1fbdef34fe5d29df540abd76697842b
c5273a8111b27418a552c32b740b1f53681be65b is the first bad commit
commit c5273a8111b27418a552c32b740b1f53681be65b
Author: Liu Shixin
Date: Sat Jan 11 11:45:11 2025 +0800

    mm: khugepaged: fix call hpage_collapse_scan_file() for anonymous vma

    commit f1897f2f08b28ae59476d8b73374b08f856973af upstream.

    syzkaller reported such a BUG_ON():

     ------------[ cut here ]------------
     kernel BUG at mm/khugepaged.c:1835!
     Internal error: Oops - BUG: 00000000f2000800 [#1] SMP
     ...
     CPU: 6 UID: 0 PID: 8009 Comm: syz.15.106 Kdump: loaded Tainted: G W 6.13.0-rc6 #22
     Tainted: [W]=WARN
     Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
     pstate: 00400005 (nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
     pc : collapse_file+0xa44/0x1400
     lr : collapse_file+0x88/0x1400
     sp : ffff80008afe3a60
     ...
     Call trace:
      collapse_file+0xa44/0x1400 (P)
      hpage_collapse_scan_file+0x278/0x400
      madvise_collapse+0x1bc/0x678
      madvise_vma_behavior+0x32c/0x448
      madvise_walk_vmas.constprop.0+0xbc/0x140
      do_madvise.part.0+0xdc/0x2c8
      __arm64_sys_madvise+0x68/0x88
      invoke_syscall+0x50/0x120
      el0_svc_common.constprop.0+0xc8/0xf0
      do_el0_svc+0x24/0x38
      el0_svc+0x34/0x128
      el0t_64_sync_handler+0xc8/0xd0
      el0t_64_sync+0x190/0x198

    This indicates that the pgoff is unaligned. After analysis, I confirm the vma is mapped to /dev/zero. Such a vma certainly has vm_file, but it is set to anonymous by mmap_zero(). So even if it's mmapped by 2m-unaligned, it can pass the check in thp_vma_allowable_order() as it is an anonymous-mmap, but then be collapsed as a file-mmap.

    It seems the problem has existed for a long time, but actually, since we have khugepaged_max_ptes_none check before, we will skip collapse it as it is /dev/zero and so has no present page. But commit d8ea7cc8547c limit the check for only khugepaged, so the BUG_ON() can be triggered by madvise_collapse().

    Add vma_is_anonymous() check to make such vma be processed by hpage_collapse_scan_pmd().

    Link: https://lkml.kernel.org/r/20250111034511.2223353-1-liushixin2@huawei.com
    Fixes: d8ea7cc8547c ("mm/khugepaged: add flag to predicate khugepaged-only behavior")
    Signed-off-by: Liu Shixin
    Reviewed-by: Yang Shi
    Acked-by: David Hildenbrand
    Cc: Chengming Zhou
    Cc: Johannes Weiner
    Cc: Kefeng Wang
    Cc: Mattew Wilcox
    Cc: Muchun Song
    Cc: Nanyong Sun
    Cc: Qi Zheng
    Signed-off-by: Andrew Morton
    [acsjakub: backport, clean apply]
    Signed-off-by: Jakub Acs
    Cc: linux-mm@kvack.org
    Signed-off-by: Greg Kroah-Hartman

 mm/khugepaged.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
accumulated error probability: 0.00
culprit signature: 461dce7584189713343fc55a473cee2f93948f4df3b90a39c0f181b8cec99675
parent signature: 4cde284a19e5ba00ed8415e84a22afb1644d4d2a53049d468261f6ff361236a5
revisions tested: 18, total time: 7h45m10.517736672s (build: 3h5m2.345564505s, test: 3h6m19.1146796s)
first good commit: c5273a8111b27418a552c32b740b1f53681be65b mm: khugepaged: fix call hpage_collapse_scan_file() for anonymous vma
recipients (to): ["acsjakub@amazon.de" "akpm@linux-foundation.org" "david@redhat.com" "gregkh@linuxfoundation.org" "liushixin2@huawei.com" "yang@os.amperecomputing.com"]
recipients (cc): []