bisecting fixing commit since b4a5ea09b29371c2e6a10783faa3593428404343 building syzkaller on 68fc921ad90a9ed3604448913e66d02ea8d11de6 testing commit b4a5ea09b29371c2e6a10783faa3593428404343 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 5a1031e598548cfa2facc0efa4dfc7204f1782dd58400ee528c882f544000ef7 run #0: crashed: kernel BUG in workingset_activation run #1: crashed: kernel BUG in workingset_activation run #2: crashed: kernel BUG in workingset_activation run #3: crashed: kernel BUG in workingset_activation run #4: crashed: kernel BUG in workingset_activation run #5: crashed: kernel BUG in workingset_activation run #6: crashed: kernel BUG in workingset_activation run #7: crashed: kernel BUG in workingset_activation run #8: crashed: kernel BUG in workingset_activation run #9: crashed: kernel BUG in workingset_activation run #10: crashed: kernel BUG in workingset_activation run #11: crashed: kernel BUG in workingset_activation run #12: crashed: kernel BUG in workingset_activation run #13: crashed: kernel BUG in workingset_activation run #14: crashed: kernel BUG in workingset_activation run #15: crashed: kernel BUG in workingset_activation run #16: crashed: kernel BUG in workingset_activation run #17: crashed: kernel BUG in workingset_activation run #18: crashed: kernel BUG in workingset_activation run #19: basic kernel testing failed: failed to copy binary to VM: timedout after 1m0s ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "/tmp/syz-executor201591051" "root@10.128.1.119:./syz-executor201591051"] Warning: Permanently added '10.128.1.119' (ECDSA) to the list of known hosts. testing current HEAD b13baccc3850ca8b8cccbf8ed9912dbaa0fdf7f3 testing commit b13baccc3850ca8b8cccbf8ed9912dbaa0fdf7f3 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: dec9e7ce582f24c667a36d995356d047dc60d1803b0a78f0d594da69739e3c0f all runs: crashed: kernel BUG in workingset_activation revisions tested: 2, total time: 24m20.030252272s (build: 12m36.125238858s, test: 11m14.055502392s) the crash still happens on HEAD commit msg: Linux 5.19-rc2 crash: kernel BUG in workingset_activation __kasan_slab_alloc+0xa2/0xc0 mm/kasan/common.c:446 kasan_slab_alloc include/linux/kasan.h:224 [inline] slab_post_alloc_hook mm/slab.h:750 [inline] slab_alloc_node mm/slub.c:3214 [inline] slab_alloc mm/slub.c:3222 [inline] __kmem_cache_alloc_lru mm/slub.c:3229 [inline] kmem_cache_alloc_lru+0x255/0x720 mm/slub.c:3246 alloc_inode_sb include/linux/fs.h:2965 [inline] ext4_alloc_inode+0x1c/0x640 fs/ext4/super.c:1327 alloc_inode+0x56/0x1e0 fs/inode.c:260 new_inode_pseudo fs/inode.c:1018 [inline] new_inode+0x1a/0x2d0 fs/inode.c:1047 __ext4_new_inode+0x2eb/0x45f0 fs/ext4/ialloc.c:960 ext4_mkdir+0x2aa/0x930 fs/ext4/namei.c:2955 vfs_mkdir+0x17d/0x330 fs/namei.c:3975 do_mkdirat+0x20f/0x280 fs/namei.c:4001 __do_sys_mkdir fs/namei.c:4021 [inline] __se_sys_mkdir fs/namei.c:4019 [inline] __x64_sys_mkdir+0xd0/0x120 fs/namei.c:4019 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0x80 arch/x86/entry/common.c:80 ------------[ cut here ]------------ kernel BUG at include/linux/memcontrol.h:478! invalid opcode: 0000 [#1] PREEMPT SMP KASAN CPU: 1 PID: 8790 Comm: syz-executor.0 Not tainted 5.19.0-rc2-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:folio_memcg_rcu include/linux/memcontrol.h:478 [inline] RIP: 0010:workingset_activation+0x455/0x550 mm/workingset.c:413 Code: df 48 c1 e8 03 80 3c 10 00 0f 85 ec 00 00 00 48 8b 05 1f 57 2c 0b e9 64 fd ff ff 48 c7 c6 60 9e f6 88 48 89 ef e8 fb 00 00 00 <0f> 0b 0f 0b e9 4f fc ff ff 48 c7 c6 c0 a0 f6 88 48 89 ef e8 e3 00 RSP: 0018:ffffc90006eaf770 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffffea0001e7bc00 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff888012e7bc0a RBP: ffffea0001e7bc00 R08: 0000000000000018 R09: ffff8880b9f2792b R10: ffffed10173e4f25 R11: 0000000000000001 R12: 0000000000000000 R13: ffff8880b9f34bc0 R14: 0000000000000003 R15: ffff8880b9f34bf0 FS: 0000555556a8f400(0000) GS:ffff8880b9f00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000200000 CR3: 0000000079aa8000 CR4: 00000000003526e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: folio_mark_accessed+0x494/0xb60 mm/swap.c:440 handle_changed_spte arch/x86/kvm/mmu/tdp_mmu.c:609 [inline] handle_removed_pt arch/x86/kvm/mmu/tdp_mmu.c:493 [inline] __handle_changed_spte+0x765/0x1090 arch/x86/kvm/mmu/tdp_mmu.c:600 handle_changed_spte arch/x86/kvm/mmu/tdp_mmu.c:607 [inline] handle_removed_pt arch/x86/kvm/mmu/tdp_mmu.c:493 [inline] __handle_changed_spte+0x755/0x1090 arch/x86/kvm/mmu/tdp_mmu.c:600 __tdp_mmu_set_spte+0x14a/0x780 arch/x86/kvm/mmu/tdp_mmu.c:742 _tdp_mmu_set_spte arch/x86/kvm/mmu/tdp_mmu.c:758 [inline] tdp_mmu_set_spte arch/x86/kvm/mmu/tdp_mmu.c:767 [inline] __tdp_mmu_zap_root+0x532/0x5a0 arch/x86/kvm/mmu/tdp_mmu.c:873 tdp_mmu_zap_root+0xe2/0x240 arch/x86/kvm/mmu/tdp_mmu.c:909 kvm_tdp_mmu_zap_all+0xe0/0x120 arch/x86/kvm/mmu/tdp_mmu.c:1017 kvm_mmu_zap_all+0x1e8/0x240 arch/x86/kvm/mmu/mmu.c:6121 kvm_flush_shadow_all arch/x86/kvm/../../../virt/kvm/kvm_main.c:366 [inline] kvm_mmu_notifier_release+0x4e/0x90 arch/x86/kvm/../../../virt/kvm/kvm_main.c:836 mmu_notifier_unregister+0xfe/0x330 mm/mmu_notifier.c:838 kvm_destroy_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:1237 [inline] kvm_put_kvm+0x395/0xaa0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1285 kvm_vcpu_release+0x49/0x70 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3704 __fput+0x1f5/0x8c0 fs/file_table.c:317 task_work_run+0xc0/0x160 kernel/task_work.c:177 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline] exit_to_user_mode_loop kernel/entry/common.c:169 [inline] exit_to_user_mode_prepare+0x23c/0x250 kernel/entry/common.c:201 __syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline] syscall_exit_to_user_mode+0x19/0x50 kernel/entry/common.c:294 do_syscall_64+0x42/0x80 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x46/0xb0 RIP: 0033:0x7ff4c9a3bc8b Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44 RSP: 002b:00007fff94b3d240 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: 0000000000000000 RBX: 0000000000000009 RCX: 00007ff4c9a3bc8b RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000008 RBP: 00007ff4c9b9d960 R08: 0000000000000000 R09: 00007ff4c9ba06f0 R10: 0000000000000000 R11: 0000000000000293 R12: 000000000004a6cf R13: 00007fff94b3d340 R14: 00007fff94b3d360 R15: 0000000000000032 Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:folio_memcg_rcu include/linux/memcontrol.h:478 [inline] RIP: 0010:workingset_activation+0x455/0x550 mm/workingset.c:413 Code: df 48 c1 e8 03 80 3c 10 00 0f 85 ec 00 00 00 48 8b 05 1f 57 2c 0b e9 64 fd ff ff 48 c7 c6 60 9e f6 88 48 89 ef e8 fb 00 00 00 <0f> 0b 0f 0b e9 4f fc ff ff 48 c7 c6 c0 a0 f6 88 48 89 ef e8 e3 00 RSP: 0018:ffffc90006eaf770 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffffea0001e7bc00 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff888012e7bc0a RBP: ffffea0001e7bc00 R08: 0000000000000018 R09: ffff8880b9f2792b R10: ffffed10173e4f25 R11: 0000000000000001 R12: 0000000000000000 R13: ffff8880b9f34bc0 R14: 0000000000000003 R15: ffff8880b9f34bf0 FS: 0000555556a8f400(0000) GS:ffff8880b9f00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000200000 CR3: 0000000079aa8000 CR4: 00000000003526e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400