ci starts bisection 2023-02-06 03:39:15.910923119 +0000 UTC m=+138622.102755140
bisecting cause commit starting from 4fafd96910add124586b549ad005dcd179de8a18
building syzkaller on be607b78d7dea8ef5a0267ae7396fded7dc016d5
ensuring issue is reproducible on original commit 4fafd96910add124586b549ad005dcd179de8a18
testing commit 4fafd96910add124586b549ad005dcd179de8a18 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 7bdfab9ececa1b6bfb39632d0dee45ab76c422b36cd1aceb70b6330cb55795c2
run #0: crashed: general protection fault in fib6_walk_continue
run #1: crashed: kernel BUG in __tlb_remove_page_size
run #2: crashed: kernel BUG in __tlb_remove_page_size
run #3: crashed: BUG: Bad rss-counter state
run #4: crashed: BUG: Bad rss-counter state
run #5: crashed: BUG: Bad rss-counter state
run #6: crashed: general protection fault in unlink_anon_vmas
run #7: crashed: BUG: Bad rss-counter state
run #8: crashed: kernel BUG in __tlb_remove_page_size
run #9: crashed: BUG: unable to handle kernel NULL pointer dereference in ip6table_mangle_hook
run #10: crashed: BUG: Bad rss-counter state
run #11: crashed: BUG: Bad rss-counter state
run #12: crashed: BUG: Bad rss-counter state
run #13: crashed: kernel BUG in __tlb_remove_page_size
run #14: crashed: kernel BUG in __tlb_remove_page_size
run #15: crashed: kernel BUG in __tlb_remove_page_size
run #16: crashed: kernel BUG in __tlb_remove_page_size
run #17: crashed: BUG: Bad rss-counter state
run #18: crashed: kernel BUG in __tlb_remove_page_size
run #19: crashed: BUG: Bad rss-counter state
testing release v6.1
testing commit 830b3c68c1fb1e9176028d02ef86f3cf76aa2476 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 7e923b3c8e6ca446300c19382aa7bb89aa1ef7f7da3091be84bea03923cdeebb
all runs: OK
# git bisect start 4fafd96910add124586b549ad005dcd179de8a18 830b3c68c1fb1e9176028d02ef86f3cf76aa2476
Bisecting: 13281 revisions left to test after this (roughly 14 steps)
[a6e3e6f138058ff184d8ef5064a033b3f5fee8f8] Merge tag 'mm-nonmm-stable-2022-12-17-20-32' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
testing commit a6e3e6f138058ff184d8ef5064a033b3f5fee8f8 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 835b596162a1cc7e0292230ad23961afe811f98df25973b618a63a91a0d2b6d3
all runs: OK
# git bisect good a6e3e6f138058ff184d8ef5064a033b3f5fee8f8
Bisecting: 6654 revisions left to test after this (roughly 13 steps)
[46577ef6af4501f2b1c386249bc1f5d31897523e] Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/teigland/linux-dlm.git
testing commit 46577ef6af4501f2b1c386249bc1f5d31897523e gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 0d801a71803b55c3bc3e95c02083e0854a4221789f47fabdca6bf3c7b4acbc46
all runs: OK
# git bisect good 46577ef6af4501f2b1c386249bc1f5d31897523e
Bisecting: 3308 revisions left to test after this (roughly 12 steps)
[ee7c03394ee7cca0553da02f0183c80bc67d0437] Merge branch 'for-mfd-next' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/mfd.git
testing commit ee7c03394ee7cca0553da02f0183c80bc67d0437 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: a7d35ac8d4179ab0e0540ea832dd82161ca1d4c401d615659fce3e3ec3e48002
run #0: crashed: BUG: Bad rss-counter state
run #1: crashed: BUG: Bad rss-counter state
run #2: crashed: BUG: Bad rss-counter state
run #3: crashed: kernel panic: corrupted stack end in corrupted
run #4: crashed: BUG: Bad rss-counter state
run #5: crashed: kernel BUG in __tlb_remove_page_size
run #6: crashed: kernel BUG in __tlb_remove_page_size
run #7: crashed: general protection fault in free_swap_cache
run #8: crashed: kernel BUG in validate_mm_mt
run #9: crashed: kernel BUG in __tlb_remove_page_size
# git bisect bad ee7c03394ee7cca0553da02f0183c80bc67d0437
Bisecting: 2025 revisions left to test after this (roughly 11 steps)
[15a574485700eac3b8611770d69a809b09cc8529] Merge tag 'drm-intel-gt-next-2023-02-01' of git://anongit.freedesktop.org/drm/drm-intel into drm-next
testing commit 15a574485700eac3b8611770d69a809b09cc8529 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 5f0b17813e6c8a0da0599f9379b8373bb88c3d4071d263f9e8f4fc7c9a45a7d5
all runs: OK
# git bisect good 15a574485700eac3b8611770d69a809b09cc8529
Bisecting: 1012 revisions left to test after this (roughly 10 steps)
[028fb19c6ba743ed308ba99ac325afa968795e0f] netlink: provide an ability to set default extack message
testing commit 028fb19c6ba743ed308ba99ac325afa968795e0f gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 97e33ea469fa10d9eca33c66739f8b28756bd7915b0324f1e2b9dba27a474d1b
all runs: OK
# git bisect good 028fb19c6ba743ed308ba99ac325afa968795e0f
Bisecting: 370 revisions left to test after this (roughly 9 steps)
[7f5c9ff883663a058ded436e08a0dd52f88ef1c6] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git
testing commit 7f5c9ff883663a058ded436e08a0dd52f88ef1c6 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 1e381717357cf8220afd2af4f3280828e9634774a486bac9444f23c246aabaa6
all runs: OK
# git bisect good 7f5c9ff883663a058ded436e08a0dd52f88ef1c6
Bisecting: 218 revisions left to test after this (roughly 8 steps)
[4020ab1690f0a4bb97da7a9d8c71869ca3aae602] Merge branch 'for-6.3/block' into for-next
testing commit 4020ab1690f0a4bb97da7a9d8c71869ca3aae602 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: dd3333785cff0b98d0d23eac08a7e7c9539b007f58323fb4e05599b9ae018d52
run #0: crashed: general protection fault in free_swap_cache
run #1: crashed: BUG: Bad rss-counter state
run #2: crashed: kernel BUG in __tlb_remove_page_size
run #3: crashed: BUG: Bad rss-counter state
run #4: crashed: general protection fault in unlink_anon_vmas
run #5: crashed: BUG: Bad rss-counter state
run #6: crashed: general protection fault in __do_fault
run #7: crashed: BUG: Bad rss-counter state
run #8: crashed: kernel BUG in __tlb_remove_page_size
run #9: crashed: kernel BUG in __tlb_remove_page_size
# git bisect bad 4020ab1690f0a4bb97da7a9d8c71869ca3aae602
Bisecting: 79 revisions left to test after this (roughly 6 steps)
[0360f0d54226bb6be13cd3e2f1518907d7565f03] mm: move FOLL_PIN debug accounting under CONFIG_DEBUG_VM
testing commit 0360f0d54226bb6be13cd3e2f1518907d7565f03 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: b68068fcc10484ac60673ef42a51ae3dc450759aa39e01dcb9e395be8d4b80e6
run #0: crashed: BUG: Bad rss-counter state
run #1: crashed: kernel BUG in __tlb_remove_page_size
run #2: crashed: BUG: Bad rss-counter state
run #3: crashed: BUG: Bad rss-counter state
run #4: crashed: BUG: Bad rss-counter state
run #5: crashed: BUG: Bad rss-counter state
run #6: crashed: kernel BUG in __tlb_remove_page_size
run #7: crashed: BUG: Bad rss-counter state
run #8: crashed: kernel BUG in __tlb_remove_page_size
run #9: crashed: kernel BUG in __tlb_remove_page_size
# git bisect bad 0360f0d54226bb6be13cd3e2f1518907d7565f03
Bisecting: 35 revisions left to test after this (roughly 5 steps)
[5f2779dfa7b8cc7dfd4a1b6586d86e0d193266f3] blk-iocost: avoid 64-bit division in ioc_timer_fn
testing commit 5f2779dfa7b8cc7dfd4a1b6586d86e0d193266f3 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 875b0af36821ad53ab00b06a360e88c8b4b9309f7bd828b28541f1136c452f83
all runs: OK
# git bisect good 5f2779dfa7b8cc7dfd4a1b6586d86e0d193266f3
Bisecting: 17 revisions left to test after this (roughly 4 steps)
[0c3e09e8854bcd3f7c45de85007ed283342b3464] block, bfq: correctly raise inject limit in bfq_choose_bfqq_for_injection
testing commit 0c3e09e8854bcd3f7c45de85007ed283342b3464 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 1fcfbeed2c14f1fee4cca5d2e1d261226d6c273c3e7daf8aea9abc2e2acdeb61
all runs: OK
# git bisect good 0c3e09e8854bcd3f7c45de85007ed283342b3464
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[fd20d0c1852ebb3f37ec7101feb0cdd8695f32a5] block: convert bio_map_user_iov to use iov_iter_extract_pages
testing commit fd20d0c1852ebb3f37ec7101feb0cdd8695f32a5 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 34dd0025dfa4657a29090a48d7d51e194bb4787fb3d9ea9483386c434d198998
run #0: crashed: BUG: Bad rss-counter state
run #1: crashed: BUG: Bad rss-counter state
run #2: crashed: BUG: Bad rss-counter state
run #3: crashed: kernel BUG in __tlb_remove_page_size
run #4: crashed: BUG: Bad rss-counter state
run #5: crashed: BUG: Bad rss-counter state
run #6: crashed: BUG: Bad rss-counter state
run #7: crashed: kernel BUG in __tlb_remove_page_size
run #8: crashed: BUG: Bad rss-counter state
run #9: crashed: kernel BUG in __tlb_remove_page_size
# git bisect bad fd20d0c1852ebb3f37ec7101feb0cdd8695f32a5
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[0d68ca6a7334e9c3294efc6d8ead9a54cd0554ce] block: Fix bio_flagged() so that gcc can better optimise it
testing commit 0d68ca6a7334e9c3294efc6d8ead9a54cd0554ce gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 027361b66f075d38df53447a12f404bcd514caf0c8f03466d0eb1cb79fcf8325
all runs: OK
# git bisect good 0d68ca6a7334e9c3294efc6d8ead9a54cd0554ce
Bisecting: 1 revision left to test after this (roughly 1 step)
[239a8cba3fa90144913e61efcc61ee62472603a7] block: Add BIO_PAGE_PINNED and associated infrastructure
testing commit 239a8cba3fa90144913e61efcc61ee62472603a7 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: b300f4ac1fe151165dc4ef1514b1eed58abc9e202c9d22f6b023a06a15685fcc
all runs: OK
# git bisect good 239a8cba3fa90144913e61efcc61ee62472603a7
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[920756a3306a35f1c08f25207d375885bef98975] block: Convert bio_iov_iter_get_pages to use iov_iter_extract_pages
testing commit 920756a3306a35f1c08f25207d375885bef98975 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 6e4ffbe895efa7faf91d17430a4f086da4d8c4d549b1c922e489d5a521c58bcf
run #0: crashed: BUG: Bad rss-counter state
run #1: crashed: BUG: Bad rss-counter state
run #2: crashed: BUG: Bad rss-counter state
run #3: crashed: BUG: Bad rss-counter state
run #4: crashed: kernel BUG in __tlb_remove_page_size
run #5: crashed: kernel BUG in __tlb_remove_page_size
run #6: crashed: general protection fault in free_swap_cache
run #7: crashed: BUG: Bad rss-counter state
run #8: crashed: BUG: Bad rss-counter state
run #9: crashed: kernel BUG in __tlb_remove_page_size
# git bisect bad 920756a3306a35f1c08f25207d375885bef98975
920756a3306a35f1c08f25207d375885bef98975 is the first bad commit
commit 920756a3306a35f1c08f25207d375885bef98975
Author: David Howells
Date: Sat Jan 21 13:51:18 2023 +0100

    block: Convert bio_iov_iter_get_pages to use iov_iter_extract_pages

    This will pin pages or leave them unaltered rather than getting a ref on
    them as appropriate to the iterator.

    The pages need to be pinned for DIO rather than having refs taken on them
    to prevent VM copy-on-write from malfunctioning during a concurrent fork()
    (the result of the I/O could otherwise end up being affected by/visible to
    the child process).

    Signed-off-by: David Howells
    Reviewed-by: Christoph Hellwig
    Reviewed-by: John Hubbard
    cc: Al Viro
    cc: Jens Axboe
    cc: Jan Kara
    cc: Matthew Wilcox
    cc: Logan Gunthorpe
    cc: linux-block@vger.kernel.org

 block/bio.c | 23 ++++++++++++-----------
 1 file changed, 12 insertions(+), 11 deletions(-)
culprit signature: 6e4ffbe895efa7faf91d17430a4f086da4d8c4d549b1c922e489d5a521c58bcf
parent signature: b300f4ac1fe151165dc4ef1514b1eed58abc9e202c9d22f6b023a06a15685fcc
revisions tested: 16, total time: 5h35m46.31352391s (build: 3h19m51.042673436s, test: 2h12m24.893408785s)
first bad commit: 920756a3306a35f1c08f25207d375885bef98975 block: Convert bio_iov_iter_get_pages to use iov_iter_extract_pages
recipients (to): ["dhowells@redhat.com" "hch@lst.de" "jhubbard@nvidia.com"]
recipients (cc): []
crash: kernel BUG in __tlb_remove_page_size
 do_group_exit+0xb4/0x250 kernel/exit.c:1012
 __do_sys_exit_group kernel/exit.c:1023 [inline]
 __se_sys_exit_group kernel/exit.c:1021 [inline]
 __x64_sys_exit_group+0x39/0x40 kernel/exit.c:1021
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
------------[ cut here ]------------
kernel BUG at mm/mmu_gather.c:139!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 5657 Comm: dhcpcd-run-hook Not tainted 6.2.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023
RIP: 0010:__tlb_remove_page_size+0x1e2/0x3f0 mm/mmu_gather.c:139
Code: 03 38 d0 7c 08 84 d2 0f 85 a9 01 00 00 8b 45 0c e9 21 ff ff ff 0f 0b 4c 89 ef 48 c7 c6 a0 d9 76 89 48 83 e7 fc e8 0e 21 fb ff <0f> 0b 4c 8d 73 24 48 b8 00 00 00 00 00 fc ff df 4c 89 f2 48 c1 ea
RSP: 0018:ffffc900048bf648 EFLAGS: 00010283
RAX: 0000000000000000 RBX: ffffc900048bf9e8 RCX: ffffc900048bf518
RDX: 1ffff1100f545c25 RSI: ffffffff896b87a0 RDI: ffffffff89c27080
RBP: ffff888023efe000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
R13: ffffea0001c2c940 R14: 0000000000000001 R15: ffffc900048bfa10
FS: 0000000000000000(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f98ab9359ee CR3: 000000001d782000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 __tlb_remove_page include/asm-generic/tlb.h:472 [inline]
 zap_pte_range mm/memory.c:1409 [inline]
 zap_pmd_range mm/memory.c:1529 [inline]
 zap_pud_range mm/memory.c:1558 [inline]
 zap_p4d_range mm/memory.c:1579 [inline]
 unmap_page_range+0xdfa/0x2d70 mm/memory.c:1600
 unmap_vmas+0x21b/0x360 mm/memory.c:1685
 exit_mmap+0x169/0x620 mm/mmap.c:3089
 __mmput+0xf3/0x440 kernel/fork.c:1207
 exec_mmap fs/exec.c:1033 [inline]
 begin_new_exec+0xd54/0x28a0 fs/exec.c:1292
 load_elf_binary+0x677/0x4370 fs/binfmt_elf.c:996
 search_binary_handler fs/exec.c:1735 [inline]
 exec_binprm fs/exec.c:1777 [inline]
 bprm_execve fs/exec.c:1851 [inline]
 bprm_execve+0x669/0x1560 fs/exec.c:1808
 do_execveat_common+0x5fa/0x7b0 fs/exec.c:1956
 do_execve fs/exec.c:2030 [inline]
 __do_sys_execve fs/exec.c:2106 [inline]
 __se_sys_execve fs/exec.c:2101 [inline]
 __x64_sys_execve+0x8e/0xc0 fs/exec.c:2101
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f98ab882337
Code: Unable to access opcode bytes at 0x7f98ab88230d.
RSP: 002b:00007ffdff710ce8 EFLAGS: 00000246 ORIG_RAX: 000000000000003b
RAX: ffffffffffffffda RBX: 000055ddde16de60 RCX: 00007f98ab882337
RDX: 000055ddde16de80 RSI: 000055ddde16de60 RDI: 000055ddde16df08
RBP: 000055ddde16df08 R08: 000055ddde16df0d R09: 0000000000000000
R10: 0000000000000008 R11: 0000000000000246 R12: 000055ddde16de80
R13: 00007f98aba27ff4 R14: 000055ddde16de80 R15: 0000000000000000
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__tlb_remove_page_size+0x1e2/0x3f0 mm/mmu_gather.c:139
Code: 03 38 d0 7c 08 84 d2 0f 85 a9 01 00 00 8b 45 0c e9 21 ff ff ff 0f 0b 4c 89 ef 48 c7 c6 a0 d9 76 89 48 83 e7 fc e8 0e 21 fb ff <0f> 0b 4c 8d 73 24 48 b8 00 00 00 00 00 fc ff df 4c 89 f2 48 c1 ea
RSP: 0018:ffffc900048bf648 EFLAGS: 00010283
RAX: 0000000000000000 RBX: ffffc900048bf9e8 RCX: ffffc900048bf518
RDX: 1ffff1100f545c25 RSI: ffffffff896b87a0 RDI: ffffffff89c27080
RBP: ffff888023efe000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
R13: ffffea0001c2c940 R14: 0000000000000001 R15: ffffc900048bfa10
FS: 0000000000000000(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f98ab88230d CR3: 000000001d782000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400