bisecting cause commit starting from 12d61c6996999e6562cbbed5f270d572248a11c5 building syzkaller on d01bb02a96019cda0fa8c46e5c6d5eb66a273f17 testing commit 12d61c6996999e6562cbbed5f270d572248a11c5 with gcc (GCC) 8.1.0 all runs: crashed: INFO: task hung in mpage_prepare_extent_to_map testing release v5.3 testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.1.0 all runs: OK # git bisect start 12d61c6996999e6562cbbed5f270d572248a11c5 v5.3 Bisecting: 10431 revisions left to test after this (roughly 13 steps) [45824fc0da6e46cc5d563105e1eaaf3098a686f9] Merge tag 'powerpc-5.4-1' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux testing commit 45824fc0da6e46cc5d563105e1eaaf3098a686f9 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 45824fc0da6e46cc5d563105e1eaaf3098a686f9 Bisecting: 5164 revisions left to test after this (roughly 12 steps) [c2dd2464ff1f616a0cdbefad6a6639f56a4e49fd] Merge remote-tracking branch 'btrfs/for-next' testing commit c2dd2464ff1f616a0cdbefad6a6639f56a4e49fd with gcc (GCC) 8.1.0 all runs: OK # git bisect good c2dd2464ff1f616a0cdbefad6a6639f56a4e49fd Bisecting: 2734 revisions left to test after this (roughly 11 steps) [f8593384f83f59ca4f3f0d1c497c93bcab5b0975] Merge remote-tracking branch 'drm/drm-next' testing commit f8593384f83f59ca4f3f0d1c497c93bcab5b0975 with gcc (GCC) 8.1.0 all runs: OK # git bisect good f8593384f83f59ca4f3f0d1c497c93bcab5b0975 Bisecting: 1450 revisions left to test after this (roughly 11 steps) [bb37e920150463775d51f634700e7759abd60db7] Merge remote-tracking branch 'spi/for-next' testing commit bb37e920150463775d51f634700e7759abd60db7 with gcc (GCC) 8.1.0 all runs: OK # git bisect good bb37e920150463775d51f634700e7759abd60db7 Bisecting: 676 revisions left to test after this (roughly 10 steps) [79091b2c2963e73287ae50dfe339dbea9e28952b] Merge remote-tracking branch 'staging/staging-next' testing commit 79091b2c2963e73287ae50dfe339dbea9e28952b with gcc (GCC) 8.1.0 all runs: OK # git bisect good 79091b2c2963e73287ae50dfe339dbea9e28952b Bisecting: 348 revisions left to test after this (roughly 8 steps) [16b285237aa37cc302fc3bab2d391f55a076665d] Merge remote-tracking branch 'coresight/next' testing commit 16b285237aa37cc302fc3bab2d391f55a076665d with gcc (GCC) 8.1.0 all runs: OK # git bisect good 16b285237aa37cc302fc3bab2d391f55a076665d Bisecting: 190 revisions left to test after this (roughly 8 steps) [a5bdff2875e93e2858c497dd02cc0227946799c2] Merge remote-tracking branch 'cel/cel-next' testing commit a5bdff2875e93e2858c497dd02cc0227946799c2 with gcc (GCC) 8.1.0 all runs: OK # git bisect good a5bdff2875e93e2858c497dd02cc0227946799c2 Bisecting: 95 revisions left to test after this (roughly 7 steps) [7e7501ee7f7848fbd6f14454eb77a4008898c704] mm/memcontrol: use vmstat names for printing statistics testing commit 7e7501ee7f7848fbd6f14454eb77a4008898c704 with gcc (GCC) 8.1.0 mm/userfaultfd.c:262:40: error: ‘h’ undeclared (first use in this function) # git bisect skip 7e7501ee7f7848fbd6f14454eb77a4008898c704 Bisecting: 94 revisions left to test after this (roughly 7 steps) [7ba0d6c927b5ad9660e2e730b465481b5b0ddfe4] mm/vmstat: reduce zone lock hold time when reading /proc/pagetypeinfo testing commit 7ba0d6c927b5ad9660e2e730b465481b5b0ddfe4 with gcc (GCC) 8.1.0 mm/userfaultfd.c:262:40: error: ‘h’ undeclared (first use in this function) # git bisect skip 7ba0d6c927b5ad9660e2e730b465481b5b0ddfe4 Bisecting: 94 revisions left to test after this (roughly 7 steps) [bd079fff838847c5b3d9d3ababb3738a564f617d] mm/thp: make set_huge_zero_page() return void testing commit bd079fff838847c5b3d9d3ababb3738a564f617d with gcc (GCC) 8.1.0 mm/userfaultfd.c:262:40: error: ‘h’ undeclared (first use in this function) # git bisect skip bd079fff838847c5b3d9d3ababb3738a564f617d Bisecting: 94 revisions left to test after this (roughly 7 steps) [f4c2491ec2ed86b645be05e2b6f53f9543e3ec86] ipc/msg.c: consolidate all xxxctl_down() functions testing commit f4c2491ec2ed86b645be05e2b6f53f9543e3ec86 with gcc (GCC) 8.1.0 all runs: crashed: INFO: task hung in mpage_prepare_extent_to_map # git bisect bad f4c2491ec2ed86b645be05e2b6f53f9543e3ec86 Bisecting: 69 revisions left to test after this (roughly 6 steps) [03709636be1b92215956965963488f2519e1c4a5] selftests: vm: add fragment CONFIG_TEST_VMALLOC testing commit 03709636be1b92215956965963488f2519e1c4a5 with gcc (GCC) 8.1.0 all runs: crashed: INFO: task hung in mpage_prepare_extent_to_map # git bisect bad 03709636be1b92215956965963488f2519e1c4a5 Bisecting: 34 revisions left to test after this (roughly 5 steps) [a52671865cee20df379f8a00f8ee0b46e95511ab] mm/mmap.c: prev could be retrieved from vma->vm_prev testing commit a52671865cee20df379f8a00f8ee0b46e95511ab with gcc (GCC) 8.1.0 all runs: crashed: INFO: task hung in mpage_prepare_extent_to_map # git bisect bad a52671865cee20df379f8a00f8ee0b46e95511ab Bisecting: 17 revisions left to test after this (roughly 4 steps) [63fb6a59245b2b3aa0a81a4356273310c8077d73] mm/slub.c: update comments testing commit 63fb6a59245b2b3aa0a81a4356273310c8077d73 with gcc (GCC) 8.1.0 all runs: crashed: INFO: task hung in mpage_prepare_extent_to_map # git bisect bad 63fb6a59245b2b3aa0a81a4356273310c8077d73 Bisecting: 8 revisions left to test after this (roughly 3 steps) [13488c0fcc46a58df26bd0a2f681ccdc92f5cf7e] ocfs2: protect extent tree in ocfs2_prepare_inode_for_write() testing commit 13488c0fcc46a58df26bd0a2f681ccdc92f5cf7e with gcc (GCC) 8.1.0 all runs: crashed: INFO: task hung in mpage_prepare_extent_to_map # git bisect bad 13488c0fcc46a58df26bd0a2f681ccdc92f5cf7e Bisecting: 3 revisions left to test after this (roughly 2 steps) [79eaa349194cac86fcd0e127fdf176a13a1248ae] mm: memcontrol: fix NULL-ptr deref in percpu stats flush testing commit 79eaa349194cac86fcd0e127fdf176a13a1248ae with gcc (GCC) 8.1.0 run #0: crashed: INFO: task hung in mpage_prepare_extent_to_map run #1: crashed: INFO: task hung in mpage_prepare_extent_to_map run #2: crashed: INFO: task hung in mpage_prepare_extent_to_map run #3: crashed: INFO: task hung in mpage_prepare_extent_to_map run #4: crashed: INFO: task hung in mpage_prepare_extent_to_map run #5: crashed: INFO: task hung in mpage_prepare_extent_to_map run #6: crashed: INFO: task hung in mpage_prepare_extent_to_map run #7: crashed: INFO: task hung in mpage_prepare_extent_to_map run #8: crashed: INFO: task hung in mpage_prepare_extent_to_map run #9: OK # git bisect bad 79eaa349194cac86fcd0e127fdf176a13a1248ae Bisecting: 2 revisions left to test after this (roughly 1 step) [87c469b00169075aa83d70ac7a38d00224954651] /proc/kpageflags: do not use uninitialized struct pages testing commit 87c469b00169075aa83d70ac7a38d00224954651 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 87c469b00169075aa83d70ac7a38d00224954651 Bisecting: 1 revision left to test after this (roughly 1 step) [9c61acffe2b8833152041f7b6a02d1d0a17fd378] mm,thp: recheck each page before collapsing file THP testing commit 9c61acffe2b8833152041f7b6a02d1d0a17fd378 with gcc (GCC) 8.1.0 run #0: basic kernel testing failed: WARNING in collapse_file run #1: basic kernel testing failed: WARNING in collapse_file run #2: basic kernel testing failed: WARNING in collapse_file run #3: basic kernel testing failed: WARNING in collapse_file run #4: basic kernel testing failed: WARNING in collapse_file run #5: crashed: WARNING in collapse_file run #6: crashed: WARNING in collapse_file run #7: crashed: WARNING in collapse_file run #8: crashed: WARNING in collapse_file run #9: crashed: WARNING in collapse_file # git bisect bad 9c61acffe2b8833152041f7b6a02d1d0a17fd378 9c61acffe2b8833152041f7b6a02d1d0a17fd378 is the first bad commit commit 9c61acffe2b8833152041f7b6a02d1d0a17fd378 Author: Song Liu Date: Wed Oct 23 11:24:28 2019 +1100 mm,thp: recheck each page before collapsing file THP In collapse_file(), for !is_shmem case, current check cannot guarantee the locked page is up-to-date. Specifically, xas_unlock_irq() should not be called before lock_page() and get_page(); and it is necessary to recheck PageUptodate() after locking the page. With this bug and CONFIG_READ_ONLY_THP_FOR_FS=y, madvise(HUGE)'ed .text may contain corrupted data. This is because khugepaged mistakenly collapses some not up-to-date sub pages into a huge page, and assumes the huge page is up-to-date. This will NOT corrupt data in the disk, because the page is read-only and never written back. Fix this by properly checking PageUptodate() after locking the page. This check replaces "VM_BUG_ON_PAGE(!PageUptodate(page), page);". Also, move PageDirty() check after locking the page. Current khugepaged only collapse read-only .text. Therefore, the page could only be dirty if it hasn't been flushed since first write. In such case, calls filemap_flush() and defer the collapse. Link: http://lkml.kernel.org/r/20191018180345.4188310-1-songliubraving@fb.com Fixes: 99cb0dbd47a1 ("mm,thp: add read-only THP support for (non-shmem) FS") Signed-off-by: Song Liu Acked-by: Johannes Weiner Cc: Kirill A. Shutemov Cc: Hugh Dickins Cc: William Kucharski Signed-off-by: Andrew Morton Signed-off-by: Stephen Rothwell :040000 040000 64ef2b707a22ae2cb6ac656f247281a994042d15 93798e2b4aa4a1d8037bf3f1d4441f601971db45 M mm revisions tested: 20, total time: 4h18m5.481681374s (build: 1h50m46.351857278s, test: 2h21m16.364954154s) first bad commit: 9c61acffe2b8833152041f7b6a02d1d0a17fd378 mm,thp: recheck each page before collapsing file THP cc: ["akpm@linux-foundation.org" "hannes@cmpxchg.org" "hughd@google.com" "kirill.shutemov@linux.intel.com" "sfr@canb.auug.org.au" "songliubraving@fb.com" "william.kucharski@oracle.com"] crash: WARNING in collapse_file ------------[ cut here ]------------ WARNING: CPU: 0 PID: 1077 at mm/khugepaged.c:1643 collapse_file+0x1ea8/0x3150 mm/khugepaged.c:1660 Kernel panic - not syncing: panic_on_warn set ... CPU: 0 PID: 1077 Comm: khugepaged Not tainted 5.4.0-rc4+ #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x113/0x167 lib/dump_stack.c:113 panic+0x22a/0x4e3 kernel/panic.c:221 __warn.cold.11+0x25/0x30 kernel/panic.c:582 report_bug+0x1b0/0x270 lib/bug.c:195 fixup_bug arch/x86/kernel/traps.c:179 [inline] do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:272 do_invalid_op+0x36/0x40 arch/x86/kernel/traps.c:291 invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1028 RIP: 0010:collapse_file+0x1ea8/0x3150 mm/khugepaged.c:1643 Code: ff e8 7c f5 61 ff e9 fc f4 ff ff 48 8b b5 50 fe ff ff 31 c9 ba 01 00 00 00 48 8b bd 80 fe ff ff e8 4d d3 ef ff e9 cc f2 ff ff <0f> 0b 48 8b bb 20 ff ff ff c7 85 40 fe ff ff 00 00 00 00 e9 39 eb RSP: 0018:ffff8880a7e67aa8 EFLAGS: 00010202 RAX: 01fffc000000201f RBX: ffff8880a7e67c78 RCX: ffffffff819e5670 RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffea00023f2c80 RBP: ffff8880a7e67ca0 R08: fffff9400047e591 R09: fffff9400047e591 R10: fffff9400047e590 R11: ffffea00023f2c87 R12: ffffea00023f2c80 R13: ffffea00023f2c80 R14: dffffc0000000000 R15: ffffea00020a8000 khugepaged_scan_file mm/khugepaged.c:1881 [inline] khugepaged_scan_mm_slot mm/khugepaged.c:1979 [inline] khugepaged_do_scan mm/khugepaged.c:2063 [inline] khugepaged+0x2134/0x3440 mm/khugepaged.c:2108 kthread+0x331/0x3f0 kernel/kthread.c:255 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 Kernel Offset: disabled Rebooting in 86400 seconds..