ci2 starts bisection 2024-09-06 19:25:58.634069717 +0000 UTC m=+15272.297925284 bisecting fixing commit since 256abd8e550ce977b728be79a74e1729438b4948 building syzkaller on 2a40360c27f1cd827c9fa0183aa402ef505d07db ensuring issue is reproducible on original commit 256abd8e550ce977b728be79a74e1729438b4948 testing commit 256abd8e550ce977b728be79a74e1729438b4948 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: fff2d6b8ba2d3bd907fad49c5b5a83c3177450236e7fac3ca97bc903c0178fac run #0: crashed: kernel BUG in folio_unlock run #1: crashed: kernel BUG in folio_unlock run #2: crashed: kernel BUG in folio_unlock run #3: crashed: kernel BUG in folio_unlock run #4: crashed: kernel BUG in folio_unlock run #5: crashed: kernel BUG in folio_unlock run #6: crashed: kernel BUG in folio_unlock run #7: crashed: kernel BUG in folio_unlock run #8: crashed: kernel BUG in folio_unlock run #9: crashed: kernel BUG in folio_unlock run #10: crashed: kernel BUG in folio_unlock run #11: crashed: kernel BUG in folio_unlock run #12: crashed: kernel BUG in folio_unlock run #13: crashed: kernel BUG in folio_unlock run #14: crashed: kernel BUG in folio_unlock run #15: crashed: kernel BUG in folio_unlock run #16: crashed: kernel BUG in folio_unlock run #17: crashed: kernel BUG in folio_unlock run #18: crashed: kernel BUG in folio_unlock run #19: OK representative crash: kernel BUG in folio_unlock, types: [BUG] check whether we can drop unnecessary instrumentation disabling configs for [UBSAN KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed testing commit 256abd8e550ce977b728be79a74e1729438b4948 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 1b1a3a31c1208dcd30f8f5e200c4a416c6105a429424e1ed93c175d279337174 run #0: crashed: kernel BUG in folio_unlock run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK representative crash: kernel BUG in folio_unlock, types: [BUG] unable to determine the verdict: 9 good runs (wanted 5), for bad wanted 5 in total, got 10 kconfig minimization: base=4037 full=8033 leaves diff=2000 split chunks (needed=false): <2000> split chunk #0 of len 2000 into 5 parts testing without sub-chunk 1/5 testing commit 256abd8e550ce977b728be79a74e1729438b4948 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: f444e7469da019f8a760ee28f6bdf0f6b991563bc5bf1a19c760b558b14ea23a all runs: OK false negative chance: 0.000 testing without sub-chunk 2/5 testing commit 256abd8e550ce977b728be79a74e1729438b4948 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 7c598f12b2218c591b4f3981df980c6365d737ad0cb314d3c1fa5a0ed3922c7e all runs: crashed: kernel BUG in folio_unlock representative crash: kernel BUG in folio_unlock, types: [BUG] the chunk can be dropped testing without sub-chunk 3/5 testing commit 256abd8e550ce977b728be79a74e1729438b4948 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: efe4b2b4ca1ce9867dc7068f51d09381d3cca896f01bf08ddd0029e539e11f17 run #0: crashed: kernel BUG in folio_unlock run #1: crashed: kernel BUG in folio_unlock run #2: crashed: kernel BUG in folio_unlock run #3: crashed: kernel BUG in folio_unlock run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK representative crash: kernel BUG in folio_unlock, types: [BUG] the chunk can be dropped testing without sub-chunk 4/5 testing commit 256abd8e550ce977b728be79a74e1729438b4948 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: d695bf01bace25b9d0f62e5e58b4cf7344e4aba04792cef6817cfdab79eeb614 run #0: crashed: kernel BUG in folio_unlock run #1: crashed: kernel BUG in folio_unlock run #2: crashed: kernel BUG in folio_unlock run #3: crashed: kernel BUG in folio_unlock run #4: crashed: kernel BUG in folio_unlock run #5: crashed: kernel BUG in folio_unlock run #6: crashed: kernel BUG in folio_unlock run #7: crashed: kernel BUG in folio_unlock run #8: crashed: kernel BUG in folio_unlock run #9: crashed: kernel BUG in folio_unlock run #10: crashed: kernel BUG in folio_unlock run #11: crashed: kernel BUG in folio_unlock run #12: crashed: kernel BUG in folio_unlock run #13: OK run #14: crashed: kernel BUG in folio_unlock run #15: crashed: kernel BUG in folio_unlock run #16: OK run #17: OK run #18: OK run #19: OK representative crash: kernel BUG in folio_unlock, types: [BUG] the chunk can be dropped testing without sub-chunk 5/5 testing commit 256abd8e550ce977b728be79a74e1729438b4948 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 26f471601ee42005821378dc266fb70c2428111b93380c0055653aee27a58e7d run #0: crashed: kernel BUG in folio_unlock run #1: crashed: kernel BUG in folio_unlock run #2: crashed: kernel BUG in folio_unlock run #3: crashed: kernel BUG in folio_unlock run #4: crashed: kernel BUG in folio_unlock run #5: crashed: kernel BUG in folio_unlock run #6: crashed: kernel BUG in folio_unlock run #7: crashed: kernel BUG in folio_unlock run #8: OK run #9: crashed: kernel BUG in folio_unlock run #10: OK run #11: crashed: kernel BUG in folio_unlock run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK representative crash: kernel BUG in folio_unlock, types: [BUG] the chunk can be dropped minimized to 400 configs; suspects: [6LOWPAN 6LOWPAN_GHC_EXT_HDR_DEST 6LOWPAN_GHC_EXT_HDR_FRAG 6LOWPAN_GHC_EXT_HDR_HOP 6LOWPAN_GHC_EXT_HDR_ROUTE 6LOWPAN_GHC_ICMPV6 6LOWPAN_GHC_UDP 6LOWPAN_NHC 6LOWPAN_NHC_DEST 6LOWPAN_NHC_FRAGMENT 6LOWPAN_NHC_HOP 6LOWPAN_NHC_IPV6 6LOWPAN_NHC_MOBILITY 6LOWPAN_NHC_ROUTING 6LOWPAN_NHC_UDP 6PACK 842_COMPRESS 842_DECOMPRESS 9P_FSCACHE 9P_FS_POSIX_ACL 9P_FS_SECURITY ACORN_PARTITION ACORN_PARTITION_ADFS ACORN_PARTITION_CUMANA ACORN_PARTITION_EESOX ACORN_PARTITION_ICS ACORN_PARTITION_POWERTEC ACORN_PARTITION_RISCIX ACPI_NFIT ACPI_NHLT ACPI_PLATFORM_PROFILE ADDRESS_MASKING ADFS_FS AFFS_FS AFS_FS AFS_FSCACHE AF_KCM AF_RXRPC AF_RXRPC_IPV6 AIX_PARTITION AMIGA_PARTITION ANDROID_BINDERFS ANDROID_BINDER_IPC ANON_VMA_NAME APERTURE_HELPERS AR5523 ARCH_ENABLE_MEMORY_HOTREMOVE ARCH_ENABLE_THP_MIGRATION ARCH_USES_PG_UNCACHED ARCH_WANT_PMD_MKWRITE ASM_MODVERSIONS ASYNC_CORE ASYNC_MEMCPY ASYNC_PQ ASYNC_RAID6_RECOV ASYNC_TX_DMA ASYNC_XOR ATARI_PARTITION ATA_GENERIC ATA_OVER_ETH ATH10K ATH10K_CE ATH10K_PCI ATH10K_USB ATH11K ATH6KL ATH6KL_USB ATH9K ATH9K_AHB ATH9K_BTCOEX_SUPPORT ATH9K_CHANNEL_CONTEXT ATH9K_COMMON ATH9K_COMMON_DEBUG ATH9K_DEBUGFS ATH9K_DYNACK ATH9K_HTC ATH9K_HTC_DEBUGFS ATH9K_HW ATH9K_PCI ATH9K_PCOEM ATH9K_RFKILL ATH_COMMON ATM ATM_BR2684 ATM_CLIP ATM_DRIVERS ATM_LANE ATM_MPOA ATM_TCP AUXILIARY_BUS AX25 AX25_DAMA_SLAVE AX88796B_PHY BAREUDP BATMAN_ADV BATMAN_ADV_BATMAN_V BATMAN_ADV_BLA BATMAN_ADV_DAT BATMAN_ADV_MCAST BATMAN_ADV_NC BCACHE BCACHEFS_DEBUG BCACHEFS_ERASURE_CODING BCACHEFS_FS BCACHEFS_POSIX_ACL BCACHEFS_QUOTA BCACHEFS_SIX_OPTIMISTIC_SPIN BCMA BCMA_HOST_PCI_POSSIBLE BEFS_FS BFQ_CGROUP_DEBUG BFQ_GROUP_IOSCHED BFS_FS BIG_KEYS BLK_CGROUP_PUNT_BIO BLK_CGROUP_RWSTAT BLK_DEV_BSGLIB BLK_DEV_INITRD BLK_DEV_INTEGRITY BLK_DEV_INTEGRITY_T10 BLK_DEV_NBD BLK_DEV_NULL_BLK BLK_DEV_NULL_BLK_FAULT_INJECTION BLK_DEV_NVME BLK_DEV_PMEM BLK_DEV_RAM BLK_DEV_RNBD BLK_DEV_RNBD_CLIENT BLK_DEV_THROTTLING BLK_DEV_ZONED BLK_ICQ BLK_INLINE_ENCRYPTION BLK_INLINE_ENCRYPTION_FALLBACK BLK_WBT BLK_WBT_MQ BONDING BOOT_VESA_SUPPORT BPF_EVENTS BPF_JIT BPF_JIT_ALWAYS_ON BPF_JIT_DEFAULT_ON BPF_LSM BPF_PRELOAD BPF_PRELOAD_UMD BPF_STREAM_PARSER BPF_SYSCALL BPQETHER BRIDGE BRIDGE_CFM BRIDGE_EBT_802_3 BRIDGE_EBT_AMONG BRIDGE_EBT_ARP BRIDGE_EBT_ARPREPLY BRIDGE_EBT_BROUTE BRIDGE_EBT_DNAT BRIDGE_EBT_IP BRIDGE_EBT_IP6 BRIDGE_EBT_LIMIT BRIDGE_EBT_LOG BRIDGE_EBT_MARK BRIDGE_EBT_MARK_T BRIDGE_EBT_NFLOG BRIDGE_EBT_PKTTYPE BRIDGE_EBT_REDIRECT BRIDGE_EBT_SNAT BRIDGE_EBT_STP BRIDGE_EBT_T_FILTER BRIDGE_EBT_T_NAT BRIDGE_EBT_VLAN BRIDGE_IGMP_SNOOPING BRIDGE_MRP BRIDGE_NF_EBTABLES BRIDGE_NF_EBTABLES_LEGACY BRIDGE_VLAN_FILTERING BSD_DISKLABEL BSD_PROCESS_ACCT_V3 BT BTRFS_ASSERT BTRFS_FS BTRFS_FS_POSIX_ACL BTRFS_FS_REF_VERIFY BTT BT_6LOWPAN BT_ATH3K BT_BCM BT_BNEP BT_BNEP_MC_FILTER BT_BNEP_PROTO_FILTER BT_BREDR BT_CMTP BT_HCIBCM203X BT_HCIBFUSB BT_HCIBPA10X BT_HCIBTUSB BT_HCIBTUSB_BCM BT_HCIBTUSB_MTK BT_HCIBTUSB_POLL_SYNC BT_HCIBTUSB_RTL BT_HCIUART BT_HCIUART_3WIRE BT_HCIUART_AG6XX BT_HCIUART_BCSP BT_HCIUART_H4 BT_HCIUART_LL BT_HCIUART_MRVL BT_HCIUART_QCA BT_HCIUART_SERDEV BT_HCIVHCI BT_HIDP BT_INTEL BT_LE BT_LEDS BT_LE_L2CAP_ECRED BT_MRVL BT_MRVL_SDIO BT_MSFTEXT BT_MTK BT_QCA BT_RFCOMM BT_RFCOMM_TTY BT_RTL CACHEFILES CAIF CAIF_DEBUG CAIF_DRIVERS CAIF_NETDEV CAIF_TTY CAIF_USB CAIF_VIRTIO CAN CAN_8DEV_USB CAN_BCM CAN_CALC_BITTIMING CAN_DEV CAN_EMS_USB CAN_GS_USB CAN_GW CAN_IFI_CANFD CAN_ISOTP CAN_J1939 CAN_KVASER_USB CAN_MCBA_USB CAN_NETLINK CAN_PEAK_USB CAN_RAW CAN_RX_OFFLOAD CAN_SLCAN CAN_VCAN CAN_VXCAN CAPI_TRACE CARL9170 CARL9170_HWRNG CARL9170_LEDS CARL9170_WPC CEC_CORE CEPH_FS CEPH_FSCACHE CEPH_FS_POSIX_ACL CEPH_LIB CEPH_LIB_USE_DNS_RESOLVER CFG80211 CFG80211_CRDA_SUPPORT CFG80211_DEBUGFS CFG80211_DEFAULT_PS CFG80211_REQUIRE_SIGNED_REGDB CFG80211_USE_KERNEL_REGDB_KEYS CFG80211_WEXT CFS_BANDWIDTH CGROUP_BPF CHARGER_BQ24190 CHARGER_ISP1704 CHR_DEV_ST CIFS CIFS_ALLOW_INSECURE_LEGACY CIFS_DEBUG CIFS_DFS_UPCALL CIFS_FSCACHE CIFS_POSIX CIFS_SMB_DIRECT CIFS_SWN_UPCALL CIFS_UPCALL CIFS_XATTR CLOSURES CLS_U32_MARK CLS_U32_PERF CMA CMA_SIZE_SEL_MBYTES CMDLINE_PARTITION COMEDI COMEDI_DT9812 COMEDI_NI_USB6501 COMEDI_USBDUX COMEDI_USBDUXFAST COMEDI_USBDUXSIGMA COMEDI_USB_DRIVERS COMEDI_VMK80XX COMPAT_NETLINK_MESSAGES COUNTER CRAMFS CRAMFS_BLOCKDEV CRAMFS_MTD CRC4 CRC64 CRC64_ROCKSOFT CRC7 CRC8 CRC_ITU_T CRC_T10DIF CRYPTO_ADIANTUM CRYPTO_AEGIS128 CRYPTO_AEGIS128_AESNI_SSE2 CRYPTO_AES_NI_INTEL CRYPTO_AES_TI CRYPTO_ANSI_CPRNG CRYPTO_ANUBIS CRYPTO_ARC4 CRYPTO_ARCH_HAVE_LIB_BLAKE2S CRYPTO_ARCH_HAVE_LIB_CHACHA CRYPTO_ARCH_HAVE_LIB_CURVE25519 CRYPTO_ARCH_HAVE_LIB_POLY1305 CRYPTO_ARIA CRYPTO_ARIA_AESNI_AVX_X86_64 CRYPTO_BLAKE2B CRYPTO_BLAKE2S_X86 CRYPTO_BLOWFISH CRYPTO_BLOWFISH_COMMON CRYPTO_BLOWFISH_X86_64 CRYPTO_CAMELLIA CRYPTO_CAMELLIA_AESNI_AVX2_X86_64 CRYPTO_CAMELLIA_AESNI_AVX_X86_64 CRYPTO_CAMELLIA_X86_64 CRYPTO_CAST5 CRYPTO_CAST5_AVX_X86_64 CRYPTO_CAST6 CRYPTO_CAST6_AVX_X86_64 CRYPTO_CAST_COMMON CRYPTO_CHACHA20POLY1305 CRYPTO_CHACHA20_X86_64 CRYPTO_CRC32 CRYPTO_CRC32C_INTEL CRYPTO_CRC32_PCLMUL CRYPTO_CRC64_ROCKSOFT CRYPTO_CRCT10DIF CRYPTO_CRCT10DIF_PCLMUL CRYPTO_CRYPTD CRYPTO_CURVE25519 CRYPTO_CURVE25519_X86 CRYPTO_DEFLATE CRYPTO_DES CRYPTO_DES3_EDE_X86_64 CRYPTO_DEV_CCP CRYPTO_DEV_CCP_DD CRYPTO_DEV_PADLOCK CRYPTO_DEV_PADLOCK_AES CRYPTO_DEV_PADLOCK_SHA CRYPTO_DEV_QAT CRYPTO_DEV_QAT_C3XXX CRYPTO_DEV_QAT_C3XXXVF CRYPTO_DEV_QAT_C62X CRYPTO_DEV_QAT_C62XVF CRYPTO_DEV_QAT_DH895xCC CRYPTO_DEV_QAT_DH895xCCVF CRYPTO_DEV_VIRTIO CRYPTO_DH CRYPTO_DRBG_CTR CRYPTO_DRBG_HASH CRYPTO_ECDH CRYPTO_ECRDSA CRYPTO_ENGINE CRYPTO_ESSIV CRYPTO_FCRYPT CRYPTO_GHASH_CLMUL_NI_INTEL CRYPTO_HCTR2 CRYPTO_KDF800108_CTR CRYPTO_KEYWRAP CRYPTO_KHAZAD CRYPTO_KPP CRYPTO_LIB_ARC4 CRYPTO_LIB_CHACHA CRYPTO_LIB_CHACHA20POLY1305 CRYPTO_LIB_CURVE25519 CRYPTO_LIB_CURVE25519_GENERIC CRYPTO_LIB_POLY1305 CRYPTO_LIB_POLY1305_GENERIC CRYPTO_LRW CRYPTO_NHPOLY1305 CRYPTO_NHPOLY1305_AVX2 CRYPTO_NHPOLY1305_SSE2 CRYPTO_PCBC CRYPTO_PCRYPT CRYPTO_POLY1305 CRYPTO_POLY1305_X86_64 CRYPTO_POLYVAL CRYPTO_POLYVAL_CLMUL_NI CRYPTO_RMD160 CRYPTO_SEED CRYPTO_SERPENT CRYPTO_SERPENT_AVX2_X86_64 CRYPTO_SERPENT_AVX_X86_64 CRYPTO_SERPENT_SSE2_X86_64 CRYPTO_SHA1_SSSE3 CRYPTO_SHA256_SSSE3 CRYPTO_SHA512_SSSE3 CRYPTO_SIMD CRYPTO_SM3_AVX_X86_64 CRYPTO_SM4_AESNI_AVX2_X86_64 CRYPTO_SM4_AESNI_AVX_X86_64 CRYPTO_STREEBOG CRYPTO_TEA CRYPTO_TWOFISH CRYPTO_TWOFISH_AVX_X86_64 CRYPTO_TWOFISH_COMMON CRYPTO_TWOFISH_X86_64 CRYPTO_TWOFISH_X86_64_3WAY CRYPTO_USER CRYPTO_USER_API CRYPTO_USER_API_AEAD CRYPTO_USER_API_ENABLE_OBSOLETE CRYPTO_USER_API_HASH CRYPTO_USER_API_RNG CRYPTO_USER_API_SKCIPHER CRYPTO_VMAC CRYPTO_WP512 CRYPTO_XCTR CRYPTO_XXHASH CUSE CYPRESS_FIRMWARE DAMON DAMON_PADDR DAMON_RECLAIM DAMON_VADDR DAX DCA DCB DEFAULT_PFIFO_FAST DEVICE_MIGRATION DEVICE_PRIVATE DEV_COREDUMP DEV_DAX DLN2_ADC DMABUF_HEAPS DMABUF_HEAPS_CMA DMABUF_HEAPS_SYSTEM DMABUF_MOVE_NOTIFY DMA_CMA DMA_ENGINE_RAID DMA_OPS DM_AUDIT DM_BIO_PRISON DM_BUFIO DM_CACHE DM_CACHE_SMQ DM_CLONE DM_CRYPT DM_FLAKEY DM_INTEGRITY DM_MULTIPATH DM_MULTIPATH_QL DM_MULTIPATH_ST DM_PERSISTENT_DATA DM_RAID DM_SNAPSHOT DM_THIN_PROVISIONING DM_UEVENT DM_VERITY DM_VERITY_FEC DM_WRITECACHE DM_ZONED DRAGONRISE_FF DRM DRM_BOCHS DRM_BUDDY DRM_CIRRUS_QEMU DRM_DEBUG_MM DRM_DISPLAY_DP_AUX_BUS DRM_DISPLAY_DP_HELPER DRM_DISPLAY_HDCP_HELPER DRM_DISPLAY_HDMI_HELPER DRM_DISPLAY_HELPER DRM_FBDEV_EMULATION ENCRYPTED_KEYS EXTCON FSCACHE FUSE_FS GPIOLIB HAMRADIO HID_DRAGONRISE IIO INFINIBAND INFINIBAND_ADDR_TRANS INFINIBAND_RTRS_CLIENT IOSCHED_BFQ ISDN ISDN_CAPI LIBNVDIMM MAC80211 MAC80211_DEBUGFS MAC80211_LEDS MEDIA_SUPPORT MEMORY_HOTPLUG MEMORY_HOTREMOVE MFD_DLN2 MMC MTD NET_CLS_U32 NET_SCH_DEFAULT PARTITION_ADVANCED RFKILL SERIAL_DEV_BUS TLS TLS_DEVICE TRANSPARENT_HUGEPAGE TRUSTED_KEYS USB_GADGET USB_PHY VLAN_8021Q WANT_COMPAT_NETLINK_MESSAGES WEXT_CORE WIRELESS WIRELESS_EXT WLAN WLAN_VENDOR_ATH X86_X32_ABI ZONE_DEVICE] testing current HEAD b831f83e40a24f07c8dcba5be408d93beedc820f testing commit b831f83e40a24f07c8dcba5be408d93beedc820f gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: da0e0d78f8784caf60009fc1faa3233eb25db9657a9ce52a35fcfbf1e699b553 all runs: OK false negative chance: 0.000 # git bisect start b831f83e40a24f07c8dcba5be408d93beedc820f 256abd8e550ce977b728be79a74e1729438b4948 Bisecting: 6743 revisions left to test after this (roughly 13 steps) [b3ce7a30847a54a7f96a35e609303d8afecd460b] Merge tag 'drm-next-2024-07-18' of https://gitlab.freedesktop.org/drm/kernel determine whether the revision contains the guilty commit revision 256abd8e550ce977b728be79a74e1729438b4948 crashed and is reachable testing commit b3ce7a30847a54a7f96a35e609303d8afecd460b gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 8c785805e852c5188dc987aeb898d720b5bce884fa13eea3d51bbbc7f605609e run #0: crashed: kernel BUG in folio_unlock run #1: crashed: kernel BUG in folio_unlock run #2: crashed: kernel BUG in folio_unlock run #3: crashed: kernel BUG in folio_unlock run #4: crashed: kernel BUG in folio_unlock run #5: crashed: kernel BUG in folio_unlock run #6: crashed: kernel BUG in folio_unlock run #7: crashed: kernel BUG in folio_unlock run #8: OK run #9: crashed: kernel BUG in folio_unlock run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK representative crash: kernel BUG in folio_unlock, types: [BUG] # git bisect good b3ce7a30847a54a7f96a35e609303d8afecd460b Bisecting: 3465 revisions left to test after this (roughly 12 steps) [7846b618e0a4c3e08888099d1d4512722b39ca99] Merge tag 'rtc-6.11' of git://git.kernel.org/pub/scm/linux/kernel/git/abelloni/linux determine whether the revision contains the guilty commit revision 256abd8e550ce977b728be79a74e1729438b4948 crashed and is reachable testing commit 7846b618e0a4c3e08888099d1d4512722b39ca99 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 442b9c97985bd0bbec4e670aa994bae2dd0f8d6e0dbadaa116458b5901c847a8 run #0: crashed: kernel BUG in folio_unlock run #1: crashed: kernel BUG in folio_unlock run #2: crashed: kernel BUG in folio_unlock run #3: crashed: kernel BUG in folio_unlock run #4: crashed: kernel BUG in folio_unlock run #5: crashed: kernel BUG in folio_unlock run #6: crashed: kernel BUG in folio_unlock run #7: OK run #8: OK run #9: OK run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK representative crash: kernel BUG in folio_unlock, types: [BUG] # git bisect good 7846b618e0a4c3e08888099d1d4512722b39ca99 Bisecting: 1767 revisions left to test after this (roughly 11 steps) [53f6619554fb1edf8d7599b560d44dbea085c730] bcachefs: BCH_SB_MEMBER_INVALID determine whether the revision contains the guilty commit revision 256abd8e550ce977b728be79a74e1729438b4948 crashed and is reachable testing commit 53f6619554fb1edf8d7599b560d44dbea085c730 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: edbae1be3b9e8308a7c9e9991921a1a8f8fb6031ab23b714955b0c57ceff2836 run #0: crashed: kernel BUG in folio_unlock run #1: crashed: kernel BUG in folio_unlock run #2: crashed: kernel BUG in folio_unlock run #3: crashed: kernel BUG in folio_unlock run #4: crashed: kernel BUG in folio_unlock run #5: crashed: kernel BUG in folio_unlock run #6: crashed: kernel BUG in folio_unlock run #7: crashed: kernel BUG in folio_unlock run #8: crashed: kernel BUG in folio_unlock run #9: crashed: kernel BUG in folio_unlock run #10: crashed: kernel BUG in folio_unlock run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK representative crash: kernel BUG in folio_unlock, types: [BUG] # git bisect good 53f6619554fb1edf8d7599b560d44dbea085c730 Bisecting: 884 revisions left to test after this (roughly 10 steps) [60cb1da6ed4a62ec8331e25ad4be87115cd28feb] Merge tag 'rust-fixes-6.11' of https://github.com/Rust-for-Linux/linux determine whether the revision contains the guilty commit revision 256abd8e550ce977b728be79a74e1729438b4948 crashed and is reachable testing commit 60cb1da6ed4a62ec8331e25ad4be87115cd28feb gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: e3840219521659619dc6b64299ec286bcd856b6f366632b21885e3573dccddf6 all runs: OK false negative chance: 0.000 # git bisect bad 60cb1da6ed4a62ec8331e25ad4be87115cd28feb Bisecting: 441 revisions left to test after this (roughly 9 steps) [74efed51e0a4d62f998f806c307778b47fc73395] usbnet: ipheth: do not stop RX on failing RX callback determine whether the revision contains the guilty commit revision 256abd8e550ce977b728be79a74e1729438b4948 crashed and is reachable testing commit 74efed51e0a4d62f998f806c307778b47fc73395 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 9005f1a2632fdd131c78cc778774b1d0a0047eb4361060c6627588d140e427b0 all runs: OK false negative chance: 0.000 # git bisect bad 74efed51e0a4d62f998f806c307778b47fc73395 Bisecting: 216 revisions left to test after this (roughly 8 steps) [66242ef25eedc5b48d46c4b60f5d453763adf2b8] Merge tag 's390-6.11-3' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux determine whether the revision contains the guilty commit revision 256abd8e550ce977b728be79a74e1729438b4948 crashed and is reachable testing commit 66242ef25eedc5b48d46c4b60f5d453763adf2b8 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: fcf921d57b2c2f4ce1af5659939c9b961d403030c3af78fb507fcc10d035d8f1 run #0: crashed: WARNING in call_timer_fn run #1: crashed: lost connection to test machine run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK representative crash: WARNING in call_timer_fn, types: [WARNING UNKNOWN] unable to determine the verdict: 18 good runs (wanted 15), for bad wanted 10 in total, got 20 # git bisect skip 66242ef25eedc5b48d46c4b60f5d453763adf2b8 Bisecting: 216 revisions left to test after this (roughly 8 steps) [85ba108a529d99c82e814eaf782a9443acf5eaed] net: stmmac: dwmac4: fix PCS duplex mode decode determine whether the revision contains the guilty commit revision b3ce7a30847a54a7f96a35e609303d8afecd460b crashed and is reachable testing commit 85ba108a529d99c82e814eaf782a9443acf5eaed gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 14b511e315b2639defc0b917ca10bcbbb1632a76cb23e81e5fe19eb33fdc199b all runs: OK false negative chance: 0.000 # git bisect bad 85ba108a529d99c82e814eaf782a9443acf5eaed Bisecting: 98 revisions left to test after this (roughly 7 steps) [25010bfdf8bbedc64c5c04d18f846412f5367d26] Merge branch 'mptcp-fix-duplicate-data-handling' determine whether the revision contains the guilty commit revision b3ce7a30847a54a7f96a35e609303d8afecd460b crashed and is reachable testing commit 25010bfdf8bbedc64c5c04d18f846412f5367d26 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 0e8820990c5d35e911db1dd7daecd58d5fc6d802cfd0fd24536434316c901cb8 run #0: crashed: kernel BUG in folio_unlock run #1: crashed: kernel BUG in folio_unlock run #2: crashed: kernel BUG in folio_unlock run #3: crashed: kernel BUG in folio_unlock run #4: crashed: kernel BUG in folio_unlock run #5: crashed: kernel BUG in folio_unlock run #6: crashed: kernel BUG in folio_unlock run #7: OK run #8: OK run #9: OK run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK representative crash: kernel BUG in folio_unlock, types: [BUG] # git bisect good 25010bfdf8bbedc64c5c04d18f846412f5367d26 Bisecting: 52 revisions left to test after this (roughly 6 steps) [c91a7dee0555f6f9d3702d86312382e4c4729d0a] Merge tag 'chrome-platform-fixes-for-v6.11-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/chrome-platform/linux determine whether the revision contains the guilty commit revision 256abd8e550ce977b728be79a74e1729438b4948 crashed and is reachable testing commit c91a7dee0555f6f9d3702d86312382e4c4729d0a gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 9700a4faa6ead30417734adac652367b63e14b4435958dc2c54868da58a1778d run #0: crashed: kernel BUG in folio_unlock run #1: crashed: kernel BUG in folio_unlock run #2: crashed: kernel BUG in folio_unlock run #3: crashed: kernel BUG in folio_unlock run #4: crashed: kernel BUG in folio_unlock run #5: crashed: kernel BUG in folio_unlock run #6: crashed: lost connection to test machine run #7: OK run #8: OK run #9: OK run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK representative crash: kernel BUG in folio_unlock, types: [BUG] # git bisect good c91a7dee0555f6f9d3702d86312382e4c4729d0a Bisecting: 26 revisions left to test after this (roughly 5 steps) [16dc75e500a37bc9a2fcc39d0c776a90ca06a34f] Merge branch 'mptcp-fix-endpoints-with-signal-and-subflow-flags' determine whether the revision contains the guilty commit revision 256abd8e550ce977b728be79a74e1729438b4948 crashed and is reachable testing commit 16dc75e500a37bc9a2fcc39d0c776a90ca06a34f gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: d037002d6e3343f3d1f341fb162f273aed2cbb2cec1c5162a17c53b89bb18eeb all runs: OK false negative chance: 0.000 # git bisect bad 16dc75e500a37bc9a2fcc39d0c776a90ca06a34f Bisecting: 9 revisions left to test after this (roughly 4 steps) [e4fc196f5ba36eb7b9758cf2c73df49a44199895] Merge tag 'for-6.11-rc1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux determine whether the revision contains the guilty commit revision 256abd8e550ce977b728be79a74e1729438b4948 crashed and is reachable testing commit e4fc196f5ba36eb7b9758cf2c73df49a44199895 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 58e659e9c466a7daf2b8edfd9f0174c581a8f7520cf69ac12cdd1c4132880001 all runs: OK false negative chance: 0.000 # git bisect bad e4fc196f5ba36eb7b9758cf2c73df49a44199895 Bisecting: 7 revisions left to test after this (roughly 3 steps) [e254e0c5baeae28717d1b312821e6ded29e7d969] Merge tag 'perf-tools-fixes-for-v6.11-2024-07-30' of git://git.kernel.org/pub/scm/linux/kernel/git/perf/perf-tools determine whether the revision contains the guilty commit revision c91a7dee0555f6f9d3702d86312382e4c4729d0a crashed and is reachable testing commit e254e0c5baeae28717d1b312821e6ded29e7d969 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: d96556a49617770c631ef23b445e87d0ed13dc926855dd20e236e438e91273f6 run #0: crashed: kernel BUG in folio_unlock run #1: crashed: kernel BUG in folio_unlock run #2: crashed: kernel BUG in folio_unlock run #3: crashed: kernel BUG in folio_unlock run #4: crashed: kernel BUG in folio_unlock run #5: crashed: kernel BUG in folio_unlock run #6: crashed: kernel BUG in folio_unlock run #7: crashed: kernel BUG in folio_unlock run #8: crashed: kernel BUG in folio_unlock run #9: crashed: kernel BUG in folio_unlock run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK representative crash: kernel BUG in folio_unlock, types: [BUG] # git bisect good e254e0c5baeae28717d1b312821e6ded29e7d969 Bisecting: 3 revisions left to test after this (roughly 2 steps) [d89c285d28491d8f10534c262ac9e6bdcbe1b4d2] btrfs: do not subtract delalloc from avail bytes determine whether the revision contains the guilty commit revision 256abd8e550ce977b728be79a74e1729438b4948 crashed and is reachable testing commit d89c285d28491d8f10534c262ac9e6bdcbe1b4d2 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 9e7a698863ac68aa81328bccd8261504835c72990ff677e265c77530e570843a run #0: basic kernel testing failed: no output from test machine run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK false negative chance: 0.000 # git bisect bad d89c285d28491d8f10534c262ac9e6bdcbe1b4d2 Bisecting: 1 revision left to test after this (roughly 1 step) [de9f46cb0044a9b9f825d7695ae235863461dc00] btrfs: fix corrupt read due to bad offset of a compressed extent map determine whether the revision contains the guilty commit revision 256abd8e550ce977b728be79a74e1729438b4948 crashed and is reachable testing commit de9f46cb0044a9b9f825d7695ae235863461dc00 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: b387df12b3af726a43db7d8d705932ace7c44f962fdfdbf75b3ace4acfe290b1 run #0: crashed: kernel BUG in folio_unlock run #1: crashed: kernel BUG in folio_unlock run #2: crashed: kernel BUG in folio_unlock run #3: crashed: kernel BUG in folio_unlock run #4: crashed: kernel BUG in folio_unlock run #5: crashed: kernel BUG in folio_unlock run #6: crashed: kernel BUG in folio_unlock run #7: crashed: kernel BUG in folio_unlock run #8: crashed: kernel BUG in folio_unlock run #9: crashed: kernel BUG in folio_unlock run #10: crashed: kernel BUG in folio_unlock run #11: crashed: kernel BUG in folio_unlock run #12: crashed: kernel BUG in folio_unlock run #13: OK run #14: OK run #15: crashed: kernel BUG in folio_unlock run #16: OK run #17: OK run #18: OK run #19: OK representative crash: kernel BUG in folio_unlock, types: [BUG] # git bisect good de9f46cb0044a9b9f825d7695ae235863461dc00 Bisecting: 0 revisions left to test after this (roughly 0 steps) [478574370bef7951fbd9ef5155537d6cbed49472] btrfs: make cow_file_range_inline() honor locked_page on error determine whether the revision contains the guilty commit revision de9f46cb0044a9b9f825d7695ae235863461dc00 crashed and is reachable testing commit 478574370bef7951fbd9ef5155537d6cbed49472 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 1ce04a91ea1ef6d9ce328572a7007448284e48cb963f1d50e10c14c323606af2 all runs: OK false negative chance: 0.000 # git bisect bad 478574370bef7951fbd9ef5155537d6cbed49472 478574370bef7951fbd9ef5155537d6cbed49472 is the first bad commit commit 478574370bef7951fbd9ef5155537d6cbed49472 Author: Boris Burkov Date: Mon Jul 22 16:49:45 2024 -0700 btrfs: make cow_file_range_inline() honor locked_page on error The btrfs buffered write path runs through __extent_writepage() which has some tricky return value handling for writepage_delalloc(). Specifically, when that returns 1, we exit, but for other return values we continue and end up calling btrfs_folio_end_all_writers(). If the folio has been unlocked (note that we check the PageLocked bit at the start of __extent_writepage()), this results in an assert panic like this one from syzbot: BTRFS: error (device loop0 state EAL) in free_log_tree:3267: errno=-5 IO failure BTRFS warning (device loop0 state EAL): Skipping commit of aborted transaction. BTRFS: error (device loop0 state EAL) in cleanup_transaction:2018: errno=-5 IO failure assertion failed: folio_test_locked(folio), in fs/btrfs/subpage.c:871 ------------[ cut here ]------------ kernel BUG at fs/btrfs/subpage.c:871! Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 1 PID: 5090 Comm: syz-executor225 Not tainted 6.10.0-syzkaller-05505-gb1bc554e009e #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024 RIP: 0010:btrfs_folio_end_all_writers+0x55b/0x610 fs/btrfs/subpage.c:871 Code: e9 d3 fb ff ff e8 25 22 c2 fd 48 c7 c7 c0 3c 0e 8c 48 c7 c6 80 3d 0e 8c 48 c7 c2 60 3c 0e 8c b9 67 03 00 00 e8 66 47 ad 07 90 <0f> 0b e8 6e 45 b0 07 4c 89 ff be 08 00 00 00 e8 21 12 25 fe 4c 89 RSP: 0018:ffffc900033d72e0 EFLAGS: 00010246 RAX: 0000000000000045 RBX: 00fff0000000402c RCX: 663b7a08c50a0a00 RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000 RBP: ffffc900033d73b0 R08: ffffffff8176b98c R09: 1ffff9200067adfc R10: dffffc0000000000 R11: fffff5200067adfd R12: 0000000000000001 R13: dffffc0000000000 R14: 0000000000000000 R15: ffffea0001cbee80 FS: 0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f5f076012f8 CR3: 000000000e134000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: __extent_writepage fs/btrfs/extent_io.c:1597 [inline] extent_write_cache_pages fs/btrfs/extent_io.c:2251 [inline] btrfs_writepages+0x14d7/0x2760 fs/btrfs/extent_io.c:2373 do_writepages+0x359/0x870 mm/page-writeback.c:2656 filemap_fdatawrite_wbc+0x125/0x180 mm/filemap.c:397 __filemap_fdatawrite_range mm/filemap.c:430 [inline] __filemap_fdatawrite mm/filemap.c:436 [inline] filemap_flush+0xdf/0x130 mm/filemap.c:463 btrfs_release_file+0x117/0x130 fs/btrfs/file.c:1547 __fput+0x24a/0x8a0 fs/file_table.c:422 task_work_run+0x24f/0x310 kernel/task_work.c:222 exit_task_work include/linux/task_work.h:40 [inline] do_exit+0xa2f/0x27f0 kernel/exit.c:877 do_group_exit+0x207/0x2c0 kernel/exit.c:1026 __do_sys_exit_group kernel/exit.c:1037 [inline] __se_sys_exit_group kernel/exit.c:1035 [inline] __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1035 x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f5f075b70c9 Code: Unable to access opcode bytes at 0x7f5f075b709f. I was hitting the same issue by doing hundreds of accelerated runs of generic/475, which also hits IO errors by design. I instrumented that reproducer with bpftrace and found that the undesirable folio_unlock was coming from the following callstack: folio_unlock+5 __process_pages_contig+475 cow_file_range_inline.constprop.0+230 cow_file_range+803 btrfs_run_delalloc_range+566 writepage_delalloc+332 __extent_writepage # inlined in my stacktrace, but I added it here extent_write_cache_pages+622 Looking at the bisected-to patch in the syzbot report, Josef realized that the logic of the cow_file_range_inline error path subtly changing. In the past, on error, it jumped to out_unlock in cow_file_range(), which honors the locked_page, so when we ultimately call folio_end_all_writers(), the folio of interest is still locked. After the change, we always unlocked ignoring the locked_page, on both success and error. On the success path, this all results in returning 1 to __extent_writepage(), which skips the folio_end_all_writers() call, which makes it OK to have unlocked. Fix the bug by wiring the locked_page into cow_file_range_inline() and only setting locked_page to NULL on success. Reported-by: syzbot+a14d8ac9af3a2a4fd0c8@syzkaller.appspotmail.com Fixes: 0586d0a89e77 ("btrfs: move extent bit and page cleanup into cow_file_range_inline") CC: stable@vger.kernel.org # 6.10+ Reviewed-by: Qu Wenruo Signed-off-by: Boris Burkov Signed-off-by: David Sterba fs/btrfs/inode.c | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) accumulated error probability: 0.00 culprit signature: 1ce04a91ea1ef6d9ce328572a7007448284e48cb963f1d50e10c14c323606af2 parent signature: b387df12b3af726a43db7d8d705932ace7c44f962fdfdbf75b3ace4acfe290b1 reproducer is flaky (0.37 repro chance estimate) revisions tested: 23, total time: 5h58m1.587616894s (build: 2h6m22.314293088s, test: 3h41m44.109680507s) first good commit: 478574370bef7951fbd9ef5155537d6cbed49472 btrfs: make cow_file_range_inline() honor locked_page on error recipients (to): ["boris@bur.io" "dsterba@suse.com" "wqu@suse.com"] recipients (cc): []