ci starts bisection 2025-09-03 19:06:46.967636853 +0000 UTC m=+41998.705520229 bisecting fixing commit since 87d6aab2389e5ce0197d8257d5f8ee965a67c4cd building syzkaller on 402f1df054ddb07ed5bb299d08c781354eb06607 ensuring issue is reproducible on original commit 87d6aab2389e5ce0197d8257d5f8ee965a67c4cd testing commit 87d6aab2389e5ce0197d8257d5f8ee965a67c4cd gcc compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 0c3cee3f27f82612d01703429e85f2bd89fba7cf7e247031d5f3e96f647f1300 run #0: crashed: INFO: task hung in hugetlb_wp run #1: crashed: INFO: task hung in remove_inode_hugepages run #2: crashed: INFO: task hung in hugetlb_fault run #3: crashed: INFO: task hung in remove_inode_hugepages run #4: crashed: INFO: task hung in hugetlb_fault run #5: crashed: INFO: task hung in hugetlb_fault run #6: crashed: INFO: task hung in hugetlb_fault run #7: crashed: INFO: task hung in hugetlb_fault run #8: crashed: INFO: task hung in hugetlb_wp run #9: crashed: INFO: task hung in hugetlb_fault run #10: crashed: INFO: task hung in hugetlb_fault run #11: crashed: INFO: task hung in hugetlb_fault run #12: crashed: INFO: task hung in hugetlb_fault run #13: crashed: INFO: task hung in hugetlb_fault run #14: crashed: INFO: task hung in hugetlb_fault run #15: crashed: INFO: task hung in hugetlb_wp run #16: crashed: INFO: task hung in hugetlb_fault run #17: crashed: INFO: task hung in hugetlb_fault run #18: crashed: INFO: task hung in hugetlb_fault run #19: crashed: INFO: task hung in hugetlb_wp representative crash: INFO: task hung in hugetlb_wp, types: [HANG] check whether we can drop unnecessary instrumentation disabling configs for [ubsan bug_or_warning kasan locking atomic_sleep memleak], they are not needed testing commit 87d6aab2389e5ce0197d8257d5f8ee965a67c4cd gcc compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 
380cf7bb38bbe707d92a2b9b1f1182de70612688b189f863cbc0865ea3842948 run #0: crashed: INFO: task hung in hugetlb_fault run #1: crashed: INFO: task hung in hugetlb_fault run #2: crashed: INFO: task hung in hugetlb_fault run #3: crashed: INFO: task hung in hugetlb_fault run #4: crashed: INFO: task hung in hugetlb_fault run #5: crashed: INFO: task hung in remove_inode_hugepages run #6: crashed: INFO: task hung in hugetlb_fault run #7: crashed: INFO: task hung in hugetlb_fault run #8: crashed: INFO: task hung in hugetlb_fault run #9: crashed: INFO: task hung in hugetlb_fault representative crash: INFO: task hung in hugetlb_fault, types: [HANG] the bug reproduces without the instrumentation disabling configs for [ubsan bug_or_warning kasan locking atomic_sleep memleak], they are not needed kconfig minimization: base=4093 full=8192 leaves diff=2140 split chunks (needed=false): <2140> split chunk #0 of len 2140 into 5 parts testing without sub-chunk 1/5 disabling configs for [memleak ubsan bug_or_warning kasan locking atomic_sleep], they are not needed testing commit 87d6aab2389e5ce0197d8257d5f8ee965a67c4cd gcc compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 2cb9366e97bf091867f0746f5f3f5cfc39176287dde71be23f6344b21f12dad5 run #0: crashed: INFO: task hung in hugetlb_fault run #1: crashed: INFO: task hung in remove_inode_hugepages run #2: crashed: INFO: task hung in hugetlb_fault run #3: crashed: INFO: task hung in hugetlb_fault run #4: crashed: INFO: task hung in hugetlb_fault run #5: crashed: INFO: task hung in hugetlb_fault run #6: crashed: INFO: task hung in hugetlb_fault run #7: crashed: INFO: task hung in remove_inode_hugepages run #8: crashed: INFO: task hung in hugetlb_wp run #9: crashed: INFO: task hung in hugetlb_fault representative crash: INFO: task hung in hugetlb_fault, types: [HANG] the chunk can be dropped testing without sub-chunk 2/5 disabling configs for [ubsan bug_or_warning kasan locking atomic_sleep 
memleak], they are not needed testing commit 87d6aab2389e5ce0197d8257d5f8ee965a67c4cd gcc compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 0e1441815a4c41cb894a4cf1daba2bd711bf0f083f6c914f776ae769953e0d7f run #0: crashed: INFO: task hung in remove_inode_hugepages run #1: crashed: INFO: task hung in hugetlb_fault run #2: crashed: INFO: task hung in hugetlb_fault run #3: crashed: INFO: task hung in hugetlb_fault run #4: crashed: INFO: task hung in hugetlb_fault run #5: crashed: INFO: task hung in hugetlb_fault run #6: crashed: INFO: task hung in hugetlb_fault run #7: crashed: INFO: task hung in hugetlb_fault run #8: crashed: INFO: task hung in hugetlb_fault run #9: crashed: INFO: task hung in hugetlb_wp representative crash: INFO: task hung in remove_inode_hugepages, types: [HANG] the chunk can be dropped testing without sub-chunk 3/5 disabling configs for [memleak ubsan bug_or_warning kasan locking atomic_sleep], they are not needed testing commit 87d6aab2389e5ce0197d8257d5f8ee965a67c4cd gcc compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: cd372d44a5e45559a69d2d43803a98f67dc774513d2907827e8323c63a14b8ae all runs: crashed: INFO: task hung in hugetlb_fault representative crash: INFO: task hung in hugetlb_fault, types: [HANG] the chunk can be dropped testing without sub-chunk 4/5 disabling configs for [kasan locking atomic_sleep memleak ubsan bug_or_warning], they are not needed testing commit 87d6aab2389e5ce0197d8257d5f8ee965a67c4cd gcc compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 14bd41f7e3982686a593bf63eb501172dbaa1b7da9587b0beb008df8ddea0b1b all runs: crashed: INFO: task hung in hugetlb_fault representative crash: INFO: task hung in hugetlb_fault, types: [HANG] the chunk can be dropped testing without sub-chunk 5/5 disabling configs for [atomic_sleep memleak ubsan bug_or_warning kasan locking], 
they are not needed testing commit 87d6aab2389e5ce0197d8257d5f8ee965a67c4cd gcc compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 71944f2885b5a58e431d5900bdd9e44474b66c6437a5345c99896d1bf12a545b run #0: crashed: INFO: task hung in hugetlb_fault run #1: crashed: INFO: task hung in hugetlb_fault run #2: crashed: INFO: task hung in hugetlb_fault run #3: crashed: INFO: task hung in hugetlb_fault run #4: crashed: INFO: task hung in hugetlb_fault run #5: crashed: INFO: task hung in hugetlb_fault run #6: crashed: INFO: task hung in remove_inode_hugepages run #7: crashed: INFO: task hung in hugetlb_fault run #8: crashed: INFO: task hung in hugetlb_fault run #9: crashed: INFO: task hung in hugetlb_fault representative crash: INFO: task hung in hugetlb_fault, types: [HANG] the chunk can be dropped disabling configs for [atomic_sleep memleak ubsan bug_or_warning kasan locking], they are not needed testing current HEAD e6b9dce0aeeb91dfc0974ab87f02454e24566182 testing commit e6b9dce0aeeb91dfc0974ab87f02454e24566182 gcc compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 662fee758b54766a7190c58965e260aecfb0061daf7b4dbdf2589482d8000c0c all runs: OK false negative chance: 0.000 # git bisect start e6b9dce0aeeb91dfc0974ab87f02454e24566182 87d6aab2389e5ce0197d8257d5f8ee965a67c4cd Bisecting: 37584 revisions left to test after this (roughly 15 steps) [390513642ee6763c7ada07f0a1470474986e6c1c] io_uring: always do atomic put from iowq determine whether the revision contains the guilty commit revision 87d6aab2389e5ce0197d8257d5f8ee965a67c4cd crashed and is reachable testing commit 390513642ee6763c7ada07f0a1470474986e6c1c gcc compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 3ab7ee24448aaaf282e069213652c8dcda0a804df1054cf7e261f67040d4787c run #0: crashed: INFO: task hung in hugetlb_fault run #1: crashed: INFO: task hung in 
hugetlb_fault run #2: crashed: INFO: task hung in hugetlb_fault run #3: crashed: INFO: task hung in remove_inode_hugepages run #4: crashed: INFO: task hung in hugetlb_fault run #5: crashed: INFO: task hung in hugetlb_fault run #6: crashed: INFO: task hung in hugetlb_fault run #7: crashed: INFO: task hung in hugetlb_fault run #8: crashed: INFO: task hung in hugetlb_fault run #9: crashed: INFO: task hung in hugetlb_wp representative crash: INFO: task hung in hugetlb_fault, types: [HANG] # git bisect good 390513642ee6763c7ada07f0a1470474986e6c1c Bisecting: 18812 revisions left to test after this (roughly 14 steps) [b42966552bb8d3027b66782fc1b53ce570e4d356] Merge tag 'fbdev-for-6.16-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/linux-fbdev determine whether the revision contains the guilty commit revision 390513642ee6763c7ada07f0a1470474986e6c1c crashed and is reachable testing commit b42966552bb8d3027b66782fc1b53ce570e4d356 gcc compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 51cf5ffab9f238d1eb2dc05e115300f8565d2b55d0bd4b62572782847f8ca974 all runs: crashed: INFO: task hung in hugetlb_fault representative crash: INFO: task hung in hugetlb_fault, types: [HANG] # git bisect good b42966552bb8d3027b66782fc1b53ce570e4d356 Bisecting: 9412 revisions left to test after this (roughly 13 steps) [d614399b281abf3980cc9b340a5066e9f4020b5d] Merge tag 'timers-core-2025-07-27' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip determine whether the revision contains the guilty commit revision 390513642ee6763c7ada07f0a1470474986e6c1c crashed and is reachable testing commit d614399b281abf3980cc9b340a5066e9f4020b5d gcc compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 6c6a8278b29d63f66d4fafa5732da1ffc90b3ad0e882360332f4af0538ca20d2 run #0: crashed: INFO: task hung in hugetlb_fault run #1: crashed: INFO: task hung in hugetlb_fault run #2: crashed: INFO: task 
hung in hugetlb_fault run #3: crashed: INFO: task hung in hugetlb_fault run #4: crashed: INFO: task hung in hugetlb_fault run #5: crashed: INFO: task hung in hugetlb_fault run #6: crashed: INFO: task hung in hugetlb_fault run #7: crashed: INFO: task hung in hugetlb_fault run #8: crashed: INFO: task hung in remove_inode_hugepages run #9: crashed: INFO: task hung in hugetlb_fault representative crash: INFO: task hung in hugetlb_fault, types: [HANG] # git bisect good d614399b281abf3980cc9b340a5066e9f4020b5d Bisecting: 4617 revisions left to test after this (roughly 12 steps) [260f6f4fda93c8485c8037865c941b42b9cba5d2] Merge tag 'drm-next-2025-07-30' of https://gitlab.freedesktop.org/drm/kernel determine whether the revision contains the guilty commit revision 87d6aab2389e5ce0197d8257d5f8ee965a67c4cd crashed and is reachable testing commit 260f6f4fda93c8485c8037865c941b42b9cba5d2 gcc compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 7786e791e99f82e42cf0ba4ddbe5d4ff57243990052295cbe81e2d5963c4840e run #0: crashed: INFO: task hung in hugetlb_fault run #1: crashed: INFO: task hung in hugetlb_fault run #2: crashed: INFO: task hung in hugetlb_fault run #3: crashed: INFO: task hung in hugetlb_wp run #4: crashed: INFO: task hung in hugetlb_fault run #5: crashed: INFO: task hung in hugetlb_fault run #6: crashed: INFO: task hung in hugetlb_fault run #7: crashed: INFO: task hung in hugetlb_fault run #8: crashed: INFO: task hung in hugetlb_fault run #9: crashed: INFO: task hung in hugetlb_fault representative crash: INFO: task hung in hugetlb_fault, types: [HANG] # git bisect good 260f6f4fda93c8485c8037865c941b42b9cba5d2 Bisecting: 2392 revisions left to test after this (roughly 11 steps) [0905809b38bda1fa0b206986c44d846e46f13c1d] Merge tag 'parisc-for-6.17-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux determine whether the revision contains the guilty commit revision 
390513642ee6763c7ada07f0a1470474986e6c1c crashed and is reachable testing commit 0905809b38bda1fa0b206986c44d846e46f13c1d gcc compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 033e997ca2a6f0817988001241f6b4f89e60df8d37b8fd09eeeae3523565533a all runs: OK false negative chance: 0.000 # git bisect bad 0905809b38bda1fa0b206986c44d846e46f13c1d Bisecting: 1010 revisions left to test after this (roughly 10 steps) [2d945dde7fa3f17f46349360a9f97614de9f47da] Merge tag 'clk-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux determine whether the revision contains the guilty commit revision b42966552bb8d3027b66782fc1b53ce570e4d356 crashed and is reachable testing commit 2d945dde7fa3f17f46349360a9f97614de9f47da gcc compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 31fc1a15756da4f0b3f2d13125cf6c2173ab01130e904a1c55be0ee753a7d6d7 run #0: crashed: INFO: task hung in hugetlb_fault run #1: crashed: INFO: task hung in hugetlb_fault run #2: crashed: INFO: task hung in hugetlb_fault run #3: crashed: INFO: task hung in hugetlb_fault run #4: crashed: INFO: task hung in hugetlb_fault run #5: crashed: INFO: task hung in hugetlb_fault run #6: crashed: INFO: task hung in hugetlb_fault run #7: crashed: INFO: task hung in hugetlb_fault run #8: crashed: INFO: task hung in remove_inode_hugepages run #9: crashed: INFO: task hung in remove_inode_hugepages representative crash: INFO: task hung in hugetlb_fault, types: [HANG] # git bisect good 2d945dde7fa3f17f46349360a9f97614de9f47da Bisecting: 537 revisions left to test after this (roughly 9 steps) [db68e4c80d995b67a92460711038b9223166bda7] Merge tag 'v6.17-rc-part1-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6 determine whether the revision contains the guilty commit revision d614399b281abf3980cc9b340a5066e9f4020b5d crashed and is reachable testing commit db68e4c80d995b67a92460711038b9223166bda7 gcc 
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: e655a8b8c28cf6df7f057e57c613754444b1b2ca0f06f5a7d62dc62a51c3b67b all runs: OK false negative chance: 0.000 # git bisect bad db68e4c80d995b67a92460711038b9223166bda7 Bisecting: 236 revisions left to test after this (roughly 8 steps) [aabc85ee33c883243f2c506a5d88963f2456faa6] mm/damon/core: add damos->migrate_dests field determine whether the revision contains the guilty commit revision 390513642ee6763c7ada07f0a1470474986e6c1c crashed and is reachable testing commit aabc85ee33c883243f2c506a5d88963f2456faa6 gcc compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: deb48ab06be3a8fc3abd15afb6f05c4c19243577192a35bf28fbd8664d957764 all runs: OK false negative chance: 0.000 # git bisect bad aabc85ee33c883243f2c506a5d88963f2456faa6 Bisecting: 117 revisions left to test after this (roughly 7 steps) [d2ef92cd2a31ba7c0d0eb0dd5c1acf381f161fcd] mm: unexport globally copy_to_kernel_nofault determine whether the revision contains the guilty commit revision b42966552bb8d3027b66782fc1b53ce570e4d356 crashed and is reachable testing commit d2ef92cd2a31ba7c0d0eb0dd5c1acf381f161fcd gcc compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 1a9ff3e05a20fa27e0b2b743c39ea8376bb3f35c38db61e32eb6aca3b84cd9e1 all runs: crashed: INFO: task hung in hugetlb_fault representative crash: INFO: task hung in hugetlb_fault, types: [HANG] # git bisect good d2ef92cd2a31ba7c0d0eb0dd5c1acf381f161fcd Bisecting: 58 revisions left to test after this (roughly 6 steps) [15504b1163007bbfbd9a63460d5c14737c16e96d] mm/balloon_compaction: convert balloon_page_delete() to balloon_page_finalize() determine whether the revision contains the guilty commit revision 87d6aab2389e5ce0197d8257d5f8ee965a67c4cd crashed and is reachable testing commit 15504b1163007bbfbd9a63460d5c14737c16e96d gcc compiler: gcc (Debian 
12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 8bcda68d0e9ddd35cb1975abaec5ed756e0d0cb3010c3bc57768731cf69fcab6 all runs: OK false negative chance: 0.000 # git bisect bad 15504b1163007bbfbd9a63460d5c14737c16e96d Bisecting: 29 revisions left to test after this (roughly 5 steps) [1bc3587a88d291a37dab12d6c14aa7da53304251] mm/page_alloc: add support for initializing pageblock as isolated determine whether the revision contains the guilty commit revision d2ef92cd2a31ba7c0d0eb0dd5c1acf381f161fcd crashed and is reachable testing commit 1bc3587a88d291a37dab12d6c14aa7da53304251 gcc compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 598f51f86e6c7b2ffc80db0edb9536ab53280b4da27fff85be166c12a443782c run #0: crashed: INFO: task hung in hugetlb_fault run #1: crashed: INFO: task hung in hugetlb_fault run #2: crashed: INFO: task hung in hugetlb_fault run #3: crashed: INFO: task hung in hugetlb_fault run #4: crashed: INFO: task hung in hugetlb_fault run #5: crashed: INFO: task hung in hugetlb_fault run #6: crashed: INFO: task hung in hugetlb_fault run #7: crashed: INFO: task hung in hugetlb_fault run #8: crashed: INFO: task hung in hugetlbfs_fallocate run #9: crashed: INFO: task hung in hugetlb_fault representative crash: INFO: task hung in hugetlb_fault, types: [HANG] # git bisect good 1bc3587a88d291a37dab12d6c14aa7da53304251 Bisecting: 14 revisions left to test after this (roughly 4 steps) [c26ad45ba538434e87290c7db5a93fe11263f593] mm/debug_vm_pgtable: use a swp_entry_t input value for swap tests determine whether the revision contains the guilty commit revision 1bc3587a88d291a37dab12d6c14aa7da53304251 crashed and is reachable testing commit c26ad45ba538434e87290c7db5a93fe11263f593 gcc compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 1464a95641dbd6a36d3f5100820dcdea399c7c52bd5903d2b430a06f2a11ca18 run #0: crashed: INFO: task hung in 
hugetlb_fault run #1: crashed: INFO: task hung in hugetlb_fault run #2: crashed: INFO: task hung in hugetlb_fault run #3: crashed: INFO: task hung in hugetlb_fault run #4: crashed: INFO: task hung in hugetlb_fault run #5: crashed: INFO: task hung in hugetlb_fault run #6: crashed: INFO: task hung in hugetlb_fault run #7: crashed: INFO: task hung in hugetlb_fault run #8: crashed: INFO: task hung in remove_inode_hugepages run #9: crashed: INFO: task hung in hugetlb_fault representative crash: INFO: task hung in hugetlb_fault, types: [HANG] # git bisect good c26ad45ba538434e87290c7db5a93fe11263f593 Bisecting: 7 revisions left to test after this (roughly 3 steps) [5bd3b163e374462c05c055ff091582d757929d3f] mm: fix spelling issue in swap.h determine whether the revision contains the guilty commit revision 1bc3587a88d291a37dab12d6c14aa7da53304251 crashed and is reachable testing commit 5bd3b163e374462c05c055ff091582d757929d3f gcc compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 4b03275050ea5aa7da059f26784bbdc5f052e0af4133b4611f1b26bfd4a15570 all runs: OK false negative chance: 0.000 # git bisect bad 5bd3b163e374462c05c055ff091582d757929d3f Bisecting: 3 revisions left to test after this (roughly 2 steps) [d531fd2ccf6b5ad95b718b5748e086f8d4aacf56] mm,hugetlb: rename anon_rmap to new_anon_folio and make it boolean determine whether the revision contains the guilty commit revision 1bc3587a88d291a37dab12d6c14aa7da53304251 crashed and is reachable testing commit d531fd2ccf6b5ad95b718b5748e086f8d4aacf56 gcc compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 81cd0e6bb747818fc3b077ed204cf47575efc8b0113ed76a2885e844dd068de6 all runs: OK false negative chance: 0.000 # git bisect bad d531fd2ccf6b5ad95b718b5748e086f8d4aacf56 Bisecting: 0 revisions left to test after this (roughly 1 step) [9293fb4765527c0d2375eb441d045a5a75f5210d] mm,hugetlb: sort out folio locking in the 
faulting path determine whether the revision contains the guilty commit revision d2ef92cd2a31ba7c0d0eb0dd5c1acf381f161fcd crashed and is reachable testing commit 9293fb4765527c0d2375eb441d045a5a75f5210d gcc compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 76b09f08e41633574be0b8afaae6b62bad4b284dd7c6abb9ecaff40daf492832 all runs: OK false negative chance: 0.000 # git bisect bad 9293fb4765527c0d2375eb441d045a5a75f5210d Bisecting: 0 revisions left to test after this (roughly 0 steps) [2ae1ab9934c785b855583e3eabd208d6f3ac91e1] mm,hugetlb: change mechanism to detect a COW on private mapping determine whether the revision contains the guilty commit revision d2ef92cd2a31ba7c0d0eb0dd5c1acf381f161fcd crashed and is reachable testing commit 2ae1ab9934c785b855583e3eabd208d6f3ac91e1 gcc compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: ca372d80753f661d104c8900519df99124ceeaa227fadad2ee0db8c802d03157 all runs: OK false negative chance: 0.000 # git bisect bad 2ae1ab9934c785b855583e3eabd208d6f3ac91e1
2ae1ab9934c785b855583e3eabd208d6f3ac91e1 is the first bad commit
commit 2ae1ab9934c785b855583e3eabd208d6f3ac91e1
Author: Oscar Salvador
Date: Mon Jun 30 16:42:08 2025 +0200

mm,hugetlb: change mechanism to detect a COW on private mapping

Patch series "Misc rework on hugetlb faulting path", v4.

This patchset aims to give some love to the hugetlb faulting path, doing so by removing obsolete comments that are no longer true, sorting out the folio lock, and changing the mechanism we use to determine whether we are COWing a private mapping already.

The most important patch of the series is #1, as it fixes a deadlock that was described in [1], where two processes were holding the same lock for the folio in the pagecache, and then deadlocked in the mutex. Note that this can also happen for anonymous folios.
This has been tested using this reproducer, below.

Looking up and locking the folio in the pagecache was done to check whether that folio was the same folio we had mapped in our pagetables, meaning that if it was different we knew that we already mapped that folio privately, so any further CoW would be made on a private mapping, which led us to the question: __Was the reservation for that address consumed?__

That is all we care about, because if it was indeed consumed and we are the owner and we cannot allocate more folios, we need to unmap the folio from the processes' pagetables and make it exclusive for us.

We figured we do not need to look up the folio at all, and it is just enough to check whether the folio we have mapped is anonymous, which means we mapped it privately, so the reservation was indeed consumed.

Patch#2 sorts out folio locking in the faulting path, reducing the scope of it, only taking it when we are dealing with an anonymous folio and documenting it. More details in the patch.

Patch#3-5 are cleanups.
Here is the reproducer:

    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>
    #include <sys/mman.h>
    #include <sys/wait.h>

    #define PROTECTION (PROT_READ | PROT_WRITE)
    #define LENGTH (2UL*1024*1024)
    #define ADDR (void *)(0x0UL)
    #define FLAGS (MAP_PRIVATE | MAP_ANONYMOUS | MAP_HUGETLB)

    /* Read fault on the mapping */
    void __read(char *addr)
    {
        int i = 0;

        printf("a[%d]: %c\n", i, addr[i]);
    }

    /* Write fault on the mapping */
    void fill(char *addr)
    {
        addr[0] = 'd';

        printf("addr: %c\n", addr[0]);
    }

    int main(void)
    {
        void *addr;
        pid_t pid, wpid;
        int status;

        addr = mmap(ADDR, LENGTH, PROTECTION, FLAGS, -1, 0);
        if (addr == MAP_FAILED) {
            perror("mmap");
            return -1;
        }

        printf("Parent faulting in RO\n");
        __read(addr);

        sleep (10);
        printf("Forking\n");

        pid = fork();
        switch (pid) {
        case -1:
            perror("fork");
            break;
        case 0:
            /* Child writes 4 seconds after the fork */
            sleep (4);
            printf("Child: Faulting in\n");
            fill(addr);
            exit(0);
            break;
        default:
            /* Parent writes right away, then reaps the child */
            printf("Parent: Faulting in\n");
            fill(addr);
            while((wpid = wait(&status)) > 0);
            if (munmap(addr, LENGTH))
                perror("munmap");
        }

        return 0;
    }

You will also have to add a delay in hugetlb_wp, after releasing the mutex and before unmapping, so the window is large enough to reproduce it reliably.

: --- a/mm/hugetlb.c : +++ b/mm/hugetlb.c : @@ -38,6 +38,7 @@ : #include : #include : #include : +#include : : #include : #include : 
@@ -6261,6 +6262,8 @@ static vm_fault_t hugetlb_wp(struct vm_fault *vmf) : hugetlb_vma_unlock_read(vma); : mutex_unlock(&hugetlb_fault_mutex_table[hash]); : : + mdelay(8000); : + : unmap_ref_private(mm, vma, old_folio, vmf->address); : : mutex_lock(&hugetlb_fault_mutex_table[hash]);

This patch (of 5):

hugetlb_wp() checks whether the process is trying to COW on a private mapping in order to know whether the reservation for that address was already consumed. If it was consumed and we are the owner of the mapping, the folio will have to be unmapped from the other processes.

Currently, that check is done by looking up the folio in the pagecache and comparing it to the folio which is mapped in our pagetables. If it differs, it means we already mapped it privately before, consuming a reservation on the way. All we are interested in is whether the mapped folio is anonymous, so we can simplify and check for that instead.

Link: https://lkml.kernel.org/r/20250630144212.156938-1-osalvador@suse.de
Link: https://lkml.kernel.org/r/20250627102904.107202-1-osalvador@suse.de
Link: https://lkml.kernel.org/r/20250627102904.107202-2-osalvador@suse.de
Link: https://lore.kernel.org/lkml/20250513093448.592150-1-gavinguo@igalia.com/ [1]
Link: https://lkml.kernel.org/r/20250630144212.156938-2-osalvador@suse.de
Fixes: 40549ba8f8e0 ("hugetlb: use new vma_lock for pmd sharing synchronization")
Signed-off-by: Oscar Salvador
Reported-by: Gavin Guo
Closes: https://lore.kernel.org/lkml/20250513093448.592150-1-gavinguo@igalia.com/
Suggested-by: Peter Xu
Acked-by: David Hildenbrand
Cc: Muchun Song
Signed-off-by: Andrew Morton

 mm/hugetlb.c | 88 +++++++++++++++++++++++-------------------------------------
 1 file changed, 34 insertions(+), 54 deletions(-)

accumulated error probability: 0.00
culprit signature: ca372d80753f661d104c8900519df99124ceeaa227fadad2ee0db8c802d03157
parent signature: 1464a95641dbd6a36d3f5100820dcdea399c7c52bd5903d2b430a06f2a11ca18
revisions tested: 24, total time: 8h28m53.390631145s (build: 4h43m32.436443787s, test: 3h15m40.964653524s)
first good commit: 2ae1ab9934c785b855583e3eabd208d6f3ac91e1 mm,hugetlb: change mechanism to detect a COW on private mapping
recipients (to): ["akpm@linux-foundation.org" "david@redhat.com" "osalvador@suse.de"]
recipients (cc): []