ci starts bisection 2025-07-08 08:08:47.714412869 +0000 UTC m=+267022.885147451
bisecting cause commit starting from 26ffb3d6f02cd0935fb9fa3db897767beee1cb2a
building syzkaller on 4f67c4aece4f5794be20c6bc99c177e44b1320e8
ensuring issue is reproducible on original commit 26ffb3d6f02cd0935fb9fa3db897767beee1cb2a
testing commit 26ffb3d6f02cd0935fb9fa3db897767beee1cb2a gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 454a326bfda4040622e14df1d11c0a07cefdfe5c67911cd2b0d98fbfdd400365
run #0: crashed: WARNING: bad unlock balance in query_vma_teardown
run #1: crashed: WARNING: bad unlock balance in query_matching_vma
run #2: crashed: general protection fault in mas_next_slot
run #3: crashed: general protection fault in vma_start_read
run #4: crashed: stack segment fault in mtree_range_walk
run #5: crashed: general protection fault in mas_next_slot
run #6: crashed: general protection fault in mas_next_slot
run #7: crashed: WARNING: bad unlock balance in query_matching_vma
run #8: crashed: general protection fault in mas_next_slot
run #9: crashed: stack segment fault in mtree_range_walk
run #10: crashed: general protection fault in mas_next_slot
run #11: crashed: WARNING: lock held when returning to user space in lock_next_vma
run #12: crashed: WARNING: bad unlock balance in query_matching_vma
run #13: crashed: general protection fault in mas_start
run #14: crashed: general protection fault in mas_next_slot
run #15: crashed: stack segment fault in mtree_range_walk
run #16: crashed: general protection fault in mas_next_slot
run #17: crashed: WARNING: bad unlock balance in query_matching_vma
run #18: crashed: WARNING: bad unlock balance in query_matching_vma
run #19: crashed: general protection fault in mas_next_slot
representative crash: general protection fault in mas_next_slot, types: [DoS LOCKDEP]
check whether we can drop unnecessary instrumentation
disabling configs for [bug_or_warning kasan atomic_sleep hang memleak ubsan], they are not needed
testing commit 26ffb3d6f02cd0935fb9fa3db897767beee1cb2a gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 9f40493a07280895905860cc9874b06c745933729673e53844b85c07514836d9
run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot
run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot
run #2: crashed: WARNING: bad unlock balance in query_matching_vma
run #3: crashed: WARNING: lock held when returning to user space in get_next_vma
run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot
run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in mtree_range_walk
run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in mtree_range_walk
run #7: crashed: WARNING: bad unlock balance in procfs_procmap_ioctl
run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot
run #9: crashed: WARNING: bad unlock balance in query_matching_vma
representative crash: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot, types: [UNKNOWN LOCKDEP]
the bug reproduces without the instrumentation
disabling configs for [hang memleak ubsan bug_or_warning kasan atomic_sleep], they are not needed
kconfig minimization: base=4095 full=8499 leaves diff=2184
split chunks (needed=false): <2184>
split chunk #0 of len 2184 into 5 parts
testing without sub-chunk 1/5
disabling configs for [atomic_sleep hang memleak ubsan bug_or_warning kasan], they are not needed
testing commit 26ffb3d6f02cd0935fb9fa3db897767beee1cb2a gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: c0802f180dbabe98fc386d600e82b7ed36c7690e11d8090253c1803525ae959d
run #0: crashed: WARNING: bad unlock balance in procfs_procmap_ioctl
run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in mtree_range_walk
run #2: crashed: possible deadlock in get_next_vma
run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in lock_next_vma
run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot
run #5: crashed: WARNING: lock held when returning to user space in get_next_vma
run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot
run #7: crashed: possible deadlock in get_next_vma
run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot
run #9: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot
representative crash: BUG: unable to handle kernel NULL pointer dereference in mtree_range_walk, types: [UNKNOWN LOCKDEP]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [atomic_sleep hang memleak ubsan bug_or_warning kasan], they are not needed
testing commit 26ffb3d6f02cd0935fb9fa3db897767beee1cb2a gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 314f696eb284b9341fb8491b13841c806fec4e6f1cea310b4cbda508ca85ca2a
run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot
run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot
run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot
run #3: crashed: WARNING: lock held when returning to user space in get_next_vma
run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot
run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot
run #6: crashed: WARNING: bad unlock balance in procfs_procmap_ioctl
run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot
run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot
run #9: crashed: WARNING: bad unlock balance in procfs_procmap_ioctl
representative crash: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot, types: [UNKNOWN LOCKDEP]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [hang memleak ubsan bug_or_warning kasan atomic_sleep], they are not needed
testing commit 26ffb3d6f02cd0935fb9fa3db897767beee1cb2a gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 7558d00ddaf7acc255c5a9621160b52725dc8b7caa44f339f46e09bebd57b444
run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot
run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in lock_next_vma
run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in lock_next_vma
run #3: crashed: WARNING: bad unlock balance in query_matching_vma
run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in lock_next_vma
run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in lock_next_vma
run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in mtree_range_walk
run #7: crashed: WARNING: lock held when returning to user space in get_next_vma
run #8: crashed: WARNING: lock held when returning to user space in get_next_vma
run #9: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot
representative crash: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot, types: [UNKNOWN LOCKDEP]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [memleak ubsan bug_or_warning kasan atomic_sleep hang], they are not needed
testing commit 26ffb3d6f02cd0935fb9fa3db897767beee1cb2a gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 678f670f00e4b0618b44f71bdcf9b44185ec9d8d43491dbf3b3bf3a0f62796e2
run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot
run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in lock_next_vma
run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot
run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot
run #4: crashed: WARNING: bad unlock balance in query_matching_vma
run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in mtree_range_walk
run #6: crashed: WARNING: lock held when returning to user space in get_next_vma
run #7: crashed: WARNING: lock held when returning to user space in get_next_vma
run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in mtree_range_walk
run #9: crashed: WARNING: lock held when returning to user space in get_next_vma
representative crash: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot, types: [UNKNOWN LOCKDEP]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [kasan atomic_sleep hang memleak ubsan bug_or_warning], they are not needed
testing commit 26ffb3d6f02cd0935fb9fa3db897767beee1cb2a gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: fcf6d24ac8120fe86773e65bcb011452d3caa055af0eb94544b879df61a12cd8
run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in lock_next_vma
run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot
run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in lock_next_vma
run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot
run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in lock_next_vma
run #5: crashed: possible deadlock in get_next_vma
run #6: crashed: WARNING: lock held when returning to user space in get_next_vma
run #7: crashed: WARNING: lock held when returning to user space in get_next_vma
run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot
run #9: crashed: WARNING: lock held when returning to user space in get_next_vma
representative crash: BUG: unable to handle kernel NULL pointer dereference in lock_next_vma, types: [UNKNOWN LOCKDEP]
the chunk can be dropped
disabling configs for [atomic_sleep hang memleak ubsan bug_or_warning kasan], they are not needed
picked [v6.15 v6.14 v6.13 v6.11 v6.9 v6.7 v6.5 v6.3 v6.0 v5.17 v5.14 v5.11 v5.8 v5.5 v5.2 v4.20 v4.19] out of 38 release tags
testing release v6.15
testing commit 0ff41df1cb268fc69e703a08a57ee14ae967d0ca gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 46aaa922bd10456d045623ff40be85c8b7b8cccffac06eb5668a18de3e4622a8
all runs: OK
false negative chance: 0.000
# git bisect start 26ffb3d6f02cd0935fb9fa3db897767beee1cb2a 0ff41df1cb268fc69e703a08a57ee14ae967d0ca
Bisecting: 11077 revisions left to test after this (roughly 14 steps)
[fcd0bb8e99f7f5fbe6979b8633ed86502d822203] Merge tag 'vfs-6.16-rc2.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs
testing commit fcd0bb8e99f7f5fbe6979b8633ed86502d822203 gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 66ee5e670ee8de9d801e65c5983c083db2bf5c6e5d8d14a44356b2c34a4e5774
all runs: OK
false negative chance: 0.000
# git bisect good fcd0bb8e99f7f5fbe6979b8633ed86502d822203
Bisecting: 5808 revisions left to test after this (roughly 13 steps)
[a1f3328c0948517e624228ca0daffe4847588c9d] Merge branch 'xtensa-for-next' of git://github.com/jcmvbkbc/linux-xtensa.git
testing commit a1f3328c0948517e624228ca0daffe4847588c9d gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 24b8c5af79929209a4f8edccf63d1e9d9d23bfad8ddee80228457235b5a64c40
run #0: crashed: WARNING: lock held when returning to user space in get_next_vma
run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot
run #2: crashed: possible deadlock in get_next_vma
run #3: crashed: WARNING: lock held when returning to user space in get_next_vma
run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot
run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot
run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in lock_next_vma
run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in lock_next_vma
run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot
run #9: crashed: WARNING: bad unlock balance in query_matching_vma
representative crash: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot, types: [UNKNOWN LOCKDEP]
# git bisect bad a1f3328c0948517e624228ca0daffe4847588c9d
Bisecting: 2632 revisions left to test after this (roughly 11 steps)
[b7191581a973ab2fca45d2ca64416065f1660ae0] Merge tag 'loongarch-6.16' of git://git.kernel.org/pub/scm/linux/kernel/git/chenhuacai/linux-loongson
testing commit b7191581a973ab2fca45d2ca64416065f1660ae0 gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 13b8802c722aaa4837abab694a050bf2065efff672f15f4d3a601cb9040a92ca
all runs: OK
false negative chance: 0.000
# git bisect good b7191581a973ab2fca45d2ca64416065f1660ae0
Bisecting: 1317 revisions left to test after this (roughly 10 steps)
[22b227004ce15d38555df8651ae5bc1a450d4834] Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vkoul/soundwire.git
testing commit 22b227004ce15d38555df8651ae5bc1a450d4834 gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: a016be5dbfed8d727c411132a571d8fe647348f14f012ab71741dbc0bcb1f1df
all runs: OK
false negative chance: 0.000
# git bisect good 22b227004ce15d38555df8651ae5bc1a450d4834
Bisecting: 664 revisions left to test after this (roughly 9 steps)
[f8dc82309945dfa47aec90faf525cf7180472d10] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/bmc/linux.git
testing commit f8dc82309945dfa47aec90faf525cf7180472d10 gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: fbc93cad5cdcd34001f4e44f8c5f1a78790fd3af39ac2893a638f109c7a381f1
run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot
run #1: crashed: possible deadlock in get_next_vma
run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in lock_next_vma
run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in lock_next_vma
run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in lock_next_vma
run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in lock_next_vma
run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in lock_next_vma
run #7: crashed: WARNING: bad unlock balance in query_matching_vma
run #8: crashed: WARNING: lock held when returning to user space in get_next_vma
run #9: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot
representative crash: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot, types: [UNKNOWN LOCKDEP]
# git bisect bad f8dc82309945dfa47aec90faf525cf7180472d10
Bisecting: 325 revisions left to test after this (roughly 8 steps)
[4a2b8445140043ca4a25c9a8036ec9ebbabeb302] Merge branch 'mm-unstable' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
testing commit 4a2b8445140043ca4a25c9a8036ec9ebbabeb302 gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: bc3389ba5cd693a8ac6f21541b2ea790abe59f9763aaa92e15ac96ae6941c997
run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in lock_next_vma
run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot
run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in lock_next_vma
run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in lock_next_vma
run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in lock_next_vma
run #5: crashed: WARNING: lock held when returning to user space in get_next_vma
run #6: crashed: WARNING: lock held when returning to user space in get_next_vma
run #7: crashed: WARNING: lock held when returning to user space in get_next_vma
run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in lock_next_vma
run #9: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot
representative crash: BUG: unable to handle kernel NULL pointer dereference in lock_next_vma, types: [UNKNOWN LOCKDEP]
# git bisect bad 4a2b8445140043ca4a25c9a8036ec9ebbabeb302
Bisecting: 163 revisions left to test after this (roughly 7 steps)
[b54d38dec1032138166e930f7549b97962c4c5f8] selftests/mm: remove duplicate .gitignore entries
testing commit b54d38dec1032138166e930f7549b97962c4c5f8 gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 49f73bdf233cab20185aee385f1cd85af4b7c7e2d73d643f8789e2db16a4f8f3
all runs: OK
false negative chance: 0.000
# git bisect good b54d38dec1032138166e930f7549b97962c4c5f8
Bisecting: 80 revisions left to test after this (roughly 6 steps)
[a5cfa27f7a8a4547a0e3039fe046c0e96bfb917f] Merge branch 'for-linux-next-fixes' of https://gitlab.freedesktop.org/drm/i915/kernel
testing commit a5cfa27f7a8a4547a0e3039fe046c0e96bfb917f gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 026eb8bf35e67b7de834b633020e7a96c939e122568000cdde5c0d3e81359aae
all runs: OK
false negative chance: 0.000
# git bisect good a5cfa27f7a8a4547a0e3039fe046c0e96bfb917f
Bisecting: 39 revisions left to test after this (roughly 5 steps)
[9512f44193dd09fa6c01bf8a571b1662fcbfc5f8] Merge branch 'tip/urgent' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git
testing commit 9512f44193dd09fa6c01bf8a571b1662fcbfc5f8 gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: ddd664b60f70219dd7b8d7f44f4904ebabbbce89444ed8b8ae2669c7c1395f99
all runs: OK
false negative chance: 0.000
# git bisect good 9512f44193dd09fa6c01bf8a571b1662fcbfc5f8
Bisecting: 19 revisions left to test after this (roughly 4 steps)
[13ab1411e5a8cb41df9e079c69b5d41b5d57369d] mm, madvise: extract mm code from prctl_set_vma() to mm/madvise.c
testing commit 13ab1411e5a8cb41df9e079c69b5d41b5d57369d gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: b5e688e1982029afa9168c79c2132d1542db1ee4d5e1a4861c07239847645c22
run #0: crashed: WARNING: lock held when returning to user space in get_next_vma
run #1: crashed: WARNING: lock held when returning to user space in get_next_vma
run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in lock_next_vma
run #3: crashed: possible deadlock in get_next_vma
run #4: crashed: WARNING: lock held when returning to user space in get_next_vma
run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in lock_next_vma
run #6: crashed: WARNING: lock held when returning to user space in get_next_vma
run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in lock_next_vma
run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in mtree_range_walk
run #9: crashed: WARNING: bad unlock balance in query_matching_vma
representative crash: WARNING: lock held when returning to user space in get_next_vma, types: [LOCKDEP UNKNOWN]
# git bisect bad 13ab1411e5a8cb41df9e079c69b5d41b5d57369d
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[c39471f78d5eaffab156417c47caa3650022728f] selftests/proc: test PROCMAP_QUERY ioctl while vma is concurrently modified
testing commit c39471f78d5eaffab156417c47caa3650022728f gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 486e1f5ae489a3215ba7c5d52286ea3e9eab85dabcebbd6730beba77c100ae52
all runs: OK
false negative chance: 0.000
# git bisect good c39471f78d5eaffab156417c47caa3650022728f
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[d5c67bb2c5fb1b3d7a775d1099f44f1dffefb51f] mm/maps: move kmalloc() call location in do_procmap_query() out of RCU critical section
testing commit d5c67bb2c5fb1b3d7a775d1099f44f1dffefb51f gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: d9fb0c4fac9167daac6e71adf1e5b290a56c9229ca958fff4965da13eeac82b2
run #0: crashed: WARNING: lock held when returning to user space in get_next_vma
run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in lock_next_vma
run #2: crashed: WARNING: lock held when returning to user space in get_next_vma
run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in mtree_range_walk
run #4: crashed: WARNING: lock held when returning to user space in get_next_vma
run #5: crashed: WARNING: bad unlock balance in query_matching_vma
run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in mtree_range_walk
run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot
run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in lock_next_vma
run #9: crashed: BUG: unable to handle kernel NULL pointer dereference in lock_next_vma
representative crash: BUG: unable to handle kernel NULL pointer dereference in lock_next_vma, types: [UNKNOWN LOCKDEP]
# git bisect bad d5c67bb2c5fb1b3d7a775d1099f44f1dffefb51f
Bisecting: 2 revisions left to test after this (roughly 1 step)
[e1ba4969cba15c2e2a6e337d75214c63bc7e5e81] mm/maps: read proc/pid/maps under per-vma lock
testing commit e1ba4969cba15c2e2a6e337d75214c63bc7e5e81 gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: ed6485be4ce3fc84c1da5dc64a42380e6f301bffbb64980c0c75bfb0a6974515
all runs: OK
false negative chance: 0.000
# git bisect good e1ba4969cba15c2e2a6e337d75214c63bc7e5e81
Bisecting: 0 revisions left to test after this (roughly 1 step)
[6772c457a86536f3496bf5b3716f34a5ac125783] fs/proc/task_mmu:: execute PROCMAP_QUERY ioctl under per-vma locks
testing commit 6772c457a86536f3496bf5b3716f34a5ac125783 gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 0107e4fdf476d8f6b952aa011842cb1103bace895ad011d127b17e74d030511a
run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in lock_next_vma
run #1: crashed: WARNING: lock held when returning to user space in get_next_vma
run #2: crashed: WARNING: lock held when returning to user space in get_next_vma
run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot
run #4: crashed: WARNING: lock held when returning to user space in get_next_vma
run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in lock_next_vma
run #6: crashed: WARNING: lock held when returning to user space in get_next_vma
run #7: crashed: WARNING: lock held when returning to user space in get_next_vma
run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot
run #9: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot
representative crash: BUG: unable to handle kernel NULL pointer dereference in lock_next_vma, types: [UNKNOWN LOCKDEP]
# git bisect bad 6772c457a86536f3496bf5b3716f34a5ac125783
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[ecb110179e77337e8ceccd0f963dc431697fc9f1] mm/madvise: fixup stray mmap lock assert in anon_vma_name()
testing commit ecb110179e77337e8ceccd0f963dc431697fc9f1 gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 82dc27caabe74ef68cba39527957133c7a7555962d553f0285e9400b5f04b870
all runs: OK
false negative chance: 0.000
# git bisect good ecb110179e77337e8ceccd0f963dc431697fc9f1
6772c457a86536f3496bf5b3716f34a5ac125783 is the first bad commit
commit 6772c457a86536f3496bf5b3716f34a5ac125783
Author: Suren Baghdasaryan
Date:   Tue Jun 24 12:33:59 2025 -0700

    fs/proc/task_mmu:: execute PROCMAP_QUERY ioctl under per-vma locks

    Utilize per-vma locks to stabilize vma after lookup without taking
    mmap_lock during PROCMAP_QUERY ioctl execution. While we might take
    mmap_lock for reading during contention, we do that momentarily only to
    lock the vma. This change is designed to reduce mmap_lock contention and
    prevent PROCMAP_QUERY ioctl calls from blocking address space updates.

    Link: https://lkml.kernel.org/r/20250624193359.3865351-8-surenb@google.com
    Signed-off-by: Suren Baghdasaryan
    Acked-by: Andrii Nakryiko
    Cc: Alexey Dobriyan
    Cc: Christian Brauner
    Cc: Christophe Leroy
    Cc: David Hildenbrand
    Cc: Jann Horn
    Cc: Johannes Weiner
    Cc: Josef Bacik
    Cc: Kalesh Singh
    Cc: Liam Howlett
    Cc: Lorenzo Stoakes
    Cc: Matthew Wilcox (Oracle)
    Cc: Michal Hocko
    Cc: Oscar Salvador
    Cc: "Paul E . McKenney"
    Cc: Peter Xu
    Cc: Ryan Roberts
    Cc: Shuah Khan
    Cc: Thomas Weißschuh
    Cc: T.J. Mercier
    Cc: Vlastimil Babka
    Cc: Ye Bin
    Cc: Jeongjun Park
    Signed-off-by: Andrew Morton

 fs/proc/task_mmu.c | 56 ++++++++++++++++++++++++++++++++++++++++++------------
 1 file changed, 44 insertions(+), 12 deletions(-)

accumulated error probability: 0.00
culprit signature: 0107e4fdf476d8f6b952aa011842cb1103bace895ad011d127b17e74d030511a
parent signature: 82dc27caabe74ef68cba39527957133c7a7555962d553f0285e9400b5f04b870
revisions tested: 23, total time: 7h30m39.30235414s (build: 3h18m40.459401984s, test: 3h38m47.166863906s)
first bad commit: 6772c457a86536f3496bf5b3716f34a5ac125783 fs/proc/task_mmu:: execute PROCMAP_QUERY ioctl under per-vma locks
recipients (to): ["akpm@linux-foundation.org" "andrii@kernel.org" "surenb@google.com"]
recipients (cc): []
crash: BUG: unable to handle kernel NULL pointer dereference in lock_next_vma
BUG: kernel NULL pointer dereference, address: 00000000000000c4
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 800000010ff22067 P4D 800000010ff22067 PUD 0
Oops: Oops: 0000 [#1] SMP PTI
CPU: 0 UID: 0 PID: 2997 Comm: syz.3.47 Not tainted 6.16.0-rc4-syzkaller #0 PREEMPT(undef)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
RIP: 0010:check_wait_context kernel/locking/lockdep.c:4857 [inline]
RIP: 0010:__lock_acquire+0x29e/0x2100 kernel/locking/lockdep.c:5190
Code: f1 02 73 10 48 69 c1 c8 00 00 00 48 8d 80 d0 3a c6 83 eb 16 83 3d 31 5c f5 08 00 75 0b 90 e8 89 42 56 00 48 8b 3c 24 90 31 c0 <0f> b6 98 c4 00 00 00 41 8b 46 20 25 ff 1f 00 00 48 0f a3 05 ea d1
RSP: 0018:ffffc9000174bb40 EFLAGS: 00010046
RAX: 0000000000000000 RBX: ffff88810d6b5194 RCX: 0000000000000001
RDX: 0000000000000000 RSI: 0000000000001626 RDI: ffff88810e6bd340
RBP: 0000000000000001 R08: 0000000000058000 R09: 0000000000008000
R10: 0000000000000000 R11: 000000000000000d R12: 0000000000000001
R13: 0000000000018000 R14: ffff88810e6bddf8 R15: 0000000000008000
FS:  00007f7f4567f6c0(0000) GS:ffff8882b4a12000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000000c4 CR3: 0000000117a54000 CR4: 00000000003506f0
Call Trace:
 lock_acquire+0xe9/0x270 kernel/locking/lockdep.c:5871
 vma_start_read include/linux/mmap_lock.h:185 [inline]
 lock_next_vma+0x10d/0x600 mm/mmap_lock.c:220
 get_next_vma+0xa6/0xe0 fs/proc/task_mmu.c:182
 query_vma_find_by_addr fs/proc/task_mmu.c:516 [inline]
 query_matching_vma+0x8b/0xf0 fs/proc/task_mmu.c:545
 do_procmap_query fs/proc/task_mmu.c:630 [inline]
 procfs_procmap_ioctl+0x27d/0x6a0 fs/proc/task_mmu.c:748
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:907 [inline]
 __se_sys_ioctl+0x6c/0xc0 fs/ioctl.c:893
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xa6/0x2c0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f7f45c0e929
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f7f4567f038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f7f45e35fa0 RCX: 00007f7f45c0e929
RDX: 0000200000000180 RSI: 00000000c0686611 RDI: 0000000000000003
RBP: 00007f7f45c90b39 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f7f45e35fa0 R15: 00007ffeca0e83e8
Modules linked in:
CR2: 00000000000000c4
---[ end trace 0000000000000000 ]---
RIP: 0010:check_wait_context kernel/locking/lockdep.c:4857 [inline]
RIP: 0010:__lock_acquire+0x29e/0x2100 kernel/locking/lockdep.c:5190
Code: f1 02 73 10 48 69 c1 c8 00 00 00 48 8d 80 d0 3a c6 83 eb 16 83 3d 31 5c f5 08 00 75 0b 90 e8 89 42 56 00 48 8b 3c 24 90 31 c0 <0f> b6 98 c4 00 00 00 41 8b 46 20 25 ff 1f 00 00 48 0f a3 05 ea d1
RSP: 0018:ffffc9000174bb40 EFLAGS: 00010046
RAX: 0000000000000000 RBX: ffff88810d6b5194 RCX: 0000000000000001
RDX: 0000000000000000 RSI: 0000000000001626 RDI: ffff88810e6bd340
RBP: 0000000000000001 R08: 0000000000058000 R09: 0000000000008000
R10: 0000000000000000 R11: 000000000000000d R12: 0000000000000001
R13: 0000000000018000 R14: ffff88810e6bddf8 R15: 0000000000008000
FS:  00007f7f4567f6c0(0000) GS:ffff8882b4a12000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000000c4 CR3: 0000000117a54000 CR4: 00000000003506f0
----------------
Code disassembly (best guess):
   0:	f1                   	int1
   1:	02 73 10             	add    0x10(%rbx),%dh
   4:	48 69 c1 c8 00 00 00 	imul   $0xc8,%rcx,%rax
   b:	48 8d 80 d0 3a c6 83 	lea    -0x7c39c530(%rax),%rax
  12:	eb 16                	jmp    0x2a
  14:	83 3d 31 5c f5 08 00 	cmpl   $0x0,0x8f55c31(%rip)        # 0x8f55c4c
  1b:	75 0b                	jne    0x28
  1d:	90                   	nop
  1e:	e8 89 42 56 00       	call   0x5642ac
  23:	48 8b 3c 24          	mov    (%rsp),%rdi
  27:	90                   	nop
  28:	31 c0                	xor    %eax,%eax
* 2a:	0f b6 98 c4 00 00 00 	movzbl 0xc4(%rax),%ebx <-- trapping instruction
  31:	41 8b 46 20          	mov    0x20(%r14),%eax
  35:	25 ff 1f 00 00       	and    $0x1fff,%eax
  3a:	48                   	rex.W
  3b:	0f                   	.byte 0xf
  3c:	a3                   	.byte 0xa3
  3d:	05                   	.byte 0x5
  3e:	ea                   	(bad)
  3f:	d1                   	.byte 0xd1