ci starts bisection 2024-12-11 11:20:47.744424096 +0000 UTC m=+98.857244632 bisecting fixing commit since 850925a8133c73c4a2453c360b2c3beb3bab67c9 building syzkaller on 65e8686b0e9e909b6ea5629f95a9b14e81927872 ensuring issue is reproducible on original commit 850925a8133c73c4a2453c360b2c3beb3bab67c9 testing commit 850925a8133c73c4a2453c360b2c3beb3bab67c9 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: f9750c0d9ac6c4f7a970ae1fe1fcc1e8bbf858ec425effb62979a528550fefdc all runs: crashed: kernel BUG in __page_table_check_zero representative crash: kernel BUG in __page_table_check_zero, types: [BUG] check whether we can drop unnecessary instrumentation disabling configs for [HANG LEAK UBSAN KASAN LOCKDEP ATOMIC_SLEEP], they are not needed testing commit 850925a8133c73c4a2453c360b2c3beb3bab67c9 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: a32bdfcc0efce7a7b8376db4790c1cb139720956edf098fefbb030beeaa60bfb all runs: crashed: kernel BUG in __page_table_check_zero representative crash: kernel BUG in __page_table_check_zero, types: [BUG] the bug reproduces without the instrumentation disabling configs for [UBSAN KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed kconfig minimization: base=4045 full=8193 leaves diff=2110 split chunks (needed=false): <2110> split chunk #0 of len 2110 into 5 parts testing without sub-chunk 1/5 disabling configs for [HANG LEAK UBSAN KASAN LOCKDEP ATOMIC_SLEEP], they are not needed testing commit 850925a8133c73c4a2453c360b2c3beb3bab67c9 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: eb3678852c592b6d72b909f69b745d2d89e45843b6a570c0f18b0cad7d5942bf all runs: crashed: kernel BUG in __page_table_check_zero representative crash: kernel BUG in __page_table_check_zero, types: [BUG] the chunk can be dropped testing without sub-chunk 2/5 disabling configs for [HANG LEAK UBSAN KASAN LOCKDEP ATOMIC_SLEEP], they are not needed testing commit 850925a8133c73c4a2453c360b2c3beb3bab67c9 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 6f56b67adfa716d95a88aa73a50168aa627285d85e68fcd706a01f3d357ba0c9 all runs: crashed: kernel BUG in __page_table_check_zero representative crash: kernel BUG in __page_table_check_zero, types: [BUG] the chunk can be dropped testing without sub-chunk 3/5 disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN KASAN], they are not needed testing commit 850925a8133c73c4a2453c360b2c3beb3bab67c9 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 90e67bfa4f2bf79bc5bbf14756f36638256c77ed61500fdde6621d15546c9ca0 all runs: crashed: kernel BUG in __page_table_check_zero representative crash: kernel BUG in __page_table_check_zero, types: [BUG] the chunk can be dropped testing without sub-chunk 4/5 disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN KASAN LOCKDEP], they are not needed testing commit 850925a8133c73c4a2453c360b2c3beb3bab67c9 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 18389d7ff28ff5fe67dfbffb474f9405e360e3c8acdbb4dd148fff06effaa87b all runs: crashed: kernel BUG in __page_table_check_zero representative crash: kernel BUG in __page_table_check_zero, types: [BUG] the chunk can be dropped testing without sub-chunk 5/5 disabling configs for [KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed testing commit 850925a8133c73c4a2453c360b2c3beb3bab67c9 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 1f10b6d688d9bac0818675fa3d66e023b8136d2c51da4e5d57d95c8f0a61fa24 all runs: OK false negative chance: 0.000 minimized to 422 configs; suspects: [ARCH_ENABLE_MEMORY_HOTREMOVE ATM BCMA BLK_DEV_ZONED BPF_SYSCALL CARDBUS CFG80211 CFG80211_WEXT CMA COMMON_CLK CONTIG_ALLOC DVB_CORE EXTCON FB GPIOLIB HID_ZEROPLUS I2C_MUX IIO IOMMUFD IRQ_REMAP KVM KVM_INTEL LIBNVDIMM MEDIA_ANALOG_TV_SUPPORT MEDIA_CAMERA_SUPPORT MEDIA_CEC_SUPPORT MEDIA_CONTROLLER MEDIA_DIGITAL_TV_SUPPORT MEDIA_RADIO_SUPPORT MEDIA_SDR_SUPPORT MEDIA_SUPPORT MEDIA_TEST_SUPPORT MEDIA_USB_SUPPORT MEMORY_HOTPLUG MEMORY_HOTREMOVE MFD_VIPERBOARD NOP_USB_XCEIV PARPORT PCCARD PCMCIA PHONET RADIO_ADAPTERS RADIO_SI470X RADIO_SI4713 RC_CORE RFKILL SND SOUND SPI SSB TAP TARGET_CORE TUN USB_AMD5536UDC USB_ATM USB_CDNSP_HOST USB_CDNSP_PCI USB_CDNS_HOST USB_CDNS_SUPPORT USB_CHAOSKEY USB_CHIPIDEA USB_CHIPIDEA_GENERIC USB_CHIPIDEA_HOST USB_CHIPIDEA_MSM USB_CHIPIDEA_NPCM USB_CHIPIDEA_PCI USB_CHIPIDEA_UDC USB_CONFIGFS USB_CONFIGFS_ACM USB_CONFIGFS_ECM USB_CONFIGFS_ECM_SUBSET USB_CONFIGFS_EEM USB_CONFIGFS_F_FS USB_CONFIGFS_F_HID USB_CONFIGFS_F_LB_SS USB_CONFIGFS_F_MIDI USB_CONFIGFS_F_MIDI2 USB_CONFIGFS_F_PRINTER USB_CONFIGFS_F_TCM USB_CONFIGFS_F_UAC1 USB_CONFIGFS_F_UAC1_LEGACY USB_CONFIGFS_F_UAC2 USB_CONFIGFS_F_UVC USB_CONFIGFS_MASS_STORAGE USB_CONFIGFS_NCM USB_CONFIGFS_OBEX USB_CONFIGFS_PHONET USB_CONFIGFS_RNDIS USB_CONFIGFS_SERIAL USB_CONN_GPIO USB_CXACRU USB_CYPRESS_CY7C63 USB_CYTHERM USB_DSBR USB_DUMMY_HCD USB_DWC2 USB_DWC2_HOST USB_DWC2_PCI USB_DWC3 USB_DWC3_GADGET USB_DWC3_HAPS USB_DWC3_OF_SIMPLE USB_DWC3_PCI USB_DWC3_ULPI USB_DYNAMIC_MINORS USB_EG20T USB_EHCI_FSL USB_EHCI_HCD_PLATFORM USB_EHCI_ROOT_HUB_TT USB_EHSET_TEST_FIXTURE USB_EMI26 USB_EMI62 USB_EPSON2888 USB_EZUSB_FX2 USB_FEW_INIT_RETRIES USB_F_ACM USB_F_ECM USB_F_EEM USB_F_FS USB_F_HID USB_F_MASS_STORAGE USB_F_MIDI USB_F_MIDI2 USB_F_NCM USB_F_OBEX USB_F_PHONET USB_F_PRINTER USB_F_RNDIS USB_F_SERIAL USB_F_SS_LB USB_F_SUBSET USB_F_TCM USB_F_UAC1 USB_F_UAC1_LEGACY USB_F_UAC2 USB_F_UVC USB_GADGET USB_GADGETFS USB_GADGET_DEBUG_FILES USB_GADGET_DEBUG_FS USB_GL860 USB_GOKU USB_GR_UDC USB_GSPCA USB_GSPCA_BENQ USB_GSPCA_CONEX USB_GSPCA_CPIA1 USB_GSPCA_DTCS033 USB_GSPCA_ETOMS USB_GSPCA_FINEPIX USB_GSPCA_JEILINJ USB_GSPCA_JL2005BCD USB_GSPCA_KINECT USB_GSPCA_KONICA USB_GSPCA_MARS USB_GSPCA_MR97310A USB_GSPCA_NW80X USB_GSPCA_OV519 USB_GSPCA_OV534 USB_GSPCA_OV534_9 USB_GSPCA_PAC207 USB_GSPCA_PAC7302 USB_GSPCA_PAC7311 USB_GSPCA_SE401 USB_GSPCA_SN9C2028 USB_GSPCA_SN9C20X USB_GSPCA_SONIXB USB_GSPCA_SONIXJ USB_GSPCA_SPCA1528 USB_GSPCA_SPCA500 USB_GSPCA_SPCA501 USB_GSPCA_SPCA505 USB_GSPCA_SPCA506 USB_GSPCA_SPCA508 USB_GSPCA_SPCA561 USB_GSPCA_SQ905 USB_GSPCA_SQ905C USB_GSPCA_SQ930X USB_GSPCA_STK014 USB_GSPCA_STK1135 USB_GSPCA_STV0680 USB_GSPCA_SUNPLUS USB_GSPCA_T613 USB_GSPCA_TOPRO USB_GSPCA_TOUPTEK USB_GSPCA_TV8532 USB_GSPCA_VC032X USB_GSPCA_VICAM USB_GSPCA_XIRLINK_CIT USB_GSPCA_ZC3XX USB_HACKRF USB_HCD_BCMA USB_HCD_SSB USB_HSIC_USB3503 USB_HSIC_USB4604 USB_HSO USB_HUB_USB251XB USB_IDMOUSE USB_IOWARRIOR USB_IPHETH USB_ISIGHTFW USB_ISP116X_HCD USB_ISP1301 USB_ISP1760 USB_ISP1760_DUAL_ROLE USB_ISP1760_HCD USB_ISP1761_UDC USB_KAWETH USB_KC2190 USB_KEENE USB_LAN78XX USB_LCD USB_LD USB_LEDS_TRIGGER_USBPORT USB_LED_TRIG USB_LEGOTOWER USB_LGM_PHY USB_LIBCOMPOSITE USB_LINK_LAYER_TEST USB_M5602 USB_MA901 USB_MAX3420_UDC USB_MAX3421_HCD USB_MDC800 USB_MICROTEK USB_MR800 USB_MSI2500 USB_MUSB_DUAL_ROLE USB_MUSB_HDRC USB_MV_U3D USB_MV_UDC USB_NET2272 USB_NET2272_DMA USB_NET2280 USB_NET_AQC111 USB_NET_AX88179_178A USB_NET_AX8817X USB_NET_CDCETHER USB_NET_CDC_EEM USB_NET_CDC_MBIM USB_NET_CDC_NCM USB_NET_CDC_SUBSET USB_NET_CDC_SUBSET_ENABLE USB_NET_CH9200 USB_NET_CX82310_ETH USB_NET_DM9601 USB_NET_GL620A USB_NET_HUAWEI_CDC_NCM USB_NET_INT51X1 USB_NET_KALMIA USB_NET_MCS7830 USB_NET_NET1080 USB_NET_PLUSB USB_NET_QMI_WWAN USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_OXU210HP_HCD USB_PEGASUS USB_PULSE8_CEC USB_PWC USB_PWC_INPUT_EVDEV USB_PXA27X USB_R8A66597 USB_R8A66597_HCD USB_RAINSHADOW_CEC USB_RAREMONO USB_RAW_GADGET USB_RTL8150 USB_RTL8152 USB_RTL8153_ECM USB_S2255 USB_SERIAL USB_SERIAL_AIRCABLE USB_SERIAL_ARK3116 USB_SERIAL_BELKIN USB_SERIAL_CH341 USB_SERIAL_CONSOLE USB_SERIAL_CP210X USB_SERIAL_CYBERJACK USB_SERIAL_CYPRESS_M8 USB_SERIAL_DEBUG USB_SERIAL_DIGI_ACCELEPORT USB_SERIAL_EDGEPORT USB_SERIAL_EDGEPORT_TI USB_SERIAL_EMPEG USB_SERIAL_F81232 USB_SERIAL_F8153X USB_SERIAL_FTDI_SIO USB_SERIAL_GARMIN USB_SERIAL_GENERIC USB_SERIAL_IPAQ USB_SERIAL_IPW USB_SERIAL_IR USB_SERIAL_IUU USB_SERIAL_KEYSPAN USB_SERIAL_KEYSPAN_PDA USB_SERIAL_KLSI USB_SERIAL_KOBIL_SCT USB_SERIAL_MCT_U232 USB_SERIAL_METRO USB_SERIAL_MOS7715_PARPORT USB_SERIAL_MOS7720 USB_SERIAL_MOS7840 USB_SERIAL_MXUPORT USB_SERIAL_NAVMAN USB_SERIAL_OMNINET USB_SERIAL_OPTICON USB_SERIAL_OPTION USB_SERIAL_OTI6858 USB_SERIAL_PL2303 USB_SERIAL_QCAUX USB_SERIAL_QT2 USB_SERIAL_QUALCOMM USB_SERIAL_SAFE USB_SERIAL_SIERRAWIRELESS USB_SERIAL_SIMPLE USB_SERIAL_SPCP8X5 USB_SERIAL_SSU100 USB_SERIAL_SYMBOL USB_SERIAL_TI USB_SERIAL_UPD78F0730 USB_SERIAL_VISOR USB_SERIAL_WHITEHEAT USB_SERIAL_WISHBONE USB_SERIAL_WWAN USB_SERIAL_XR USB_SERIAL_XSENS_MT USB_SEVSEG USB_SI470X USB_SI4713 USB_SIERRA_NET USB_SISUSBVGA USB_SL811_CS USB_SL811_HCD USB_SL811_HCD_ISO USB_SNP_CORE USB_SPEEDTOUCH USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_ENE_UB6250 USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_STV06XX USB_TEST USB_TMC USB_TRANCEVIBRATOR USB_UAS USB_UEAGLEATM USB_ULPI_BUS USB_USBNET USB_USS720 USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_VIDEO_CLASS USB_VIDEO_CLASS_INPUT_EVDEV USB_VL600 USB_WDM USB_XHCI_DBGCAP USB_XHCI_PCI_RENESAS USB_XHCI_PLATFORM USB_XUSBATM USB_YUREX USERFAULTFD USERIO USERMODE_DRIVER USER_RETURN_NOTIFIER UVC_COMMON U_SERIAL_CONSOLE V4L2_MEM2MEM_DEV V4L_TEST_DRIVERS VALIDATE_FS_PARSER VDPA VDPA_SIM VDPA_SIM_BLOCK VDPA_SIM_NET VETH VFIO VFIO_DEVICE_CDEV VFIO_PCI VFIO_PCI_CORE VFIO_PCI_INTX VFIO_PCI_MMAP VFIO_VIRQFD VGASTATE VHOST VHOST_CROSS_ENDIAN_LEGACY VHOST_IOTLB VHOST_NET VHOST_RING VHOST_TASK VHOST_VDPA VHOST_VSOCK VIDEO VIDEOBUF2_CORE VIDEOBUF2_DMA_CONTIG VIDEOBUF2_DMA_SG VIDEOBUF2_MEMOPS VIDEOBUF2_V4L2 VIDEOBUF2_VMALLOC VIDEOMODE_HELPERS VIDEO_AU0828 VIDEO_AU0828_RC VIDEO_AU0828_V4L2 VIDEO_CS53L32A VIDEO_CX231XX VIDEO_CX231XX_ALSA VIDEO_CX231XX_DVB VIDEO_CX231XX_RC VIDEO_CX2341X VIDEO_CX25840 VIDEO_DEV VIDEO_EM28XX VIDEO_EM28XX_ALSA VIDEO_EM28XX_DVB VIDEO_EM28XX_RC VIDEO_EM28XX_V4L2 VIDEO_GO7007 VIDEO_GO7007_LOADER VIDEO_GO7007_USB VIDEO_GO7007_USB_S2250_BOARD VIDEO_HDPVR VIDEO_MSP3400 VIDEO_PVRUSB2 VIDEO_PVRUSB2_DVB VIDEO_PVRUSB2_SYSFS VIDEO_SAA711X VIDEO_STK1160 VIDEO_TUNER VIDEO_TVEEPROM VIDEO_USBTV VIDEO_V4L2_I2C VIDEO_V4L2_SUBDEV_API VIDEO_V4L2_TPG VIDEO_VICODEC VIDEO_VIM2M VIDEO_VIMC VIDEO_VIVID VIDEO_VIVID_CEC VIDEO_WM8775 VIPERBOARD_ADC VIRTIO_BALLOON VIRTIO_DMA_SHARED_BUFFER VIRTIO_MEM VIRTIO_MMIO VIRTIO_MMIO_CMDLINE_DEVICES VIRTIO_PMEM VIRTIO_VDPA VIRTIO_VSOCKETS VIRTIO_VSOCKETS_COMMON VIRT_WIFI VLAN_8021Q VLAN_8021Q_GVRP VLAN_8021Q_MVRP VMAP_PFN VMWARE_VMCI VMXNET3 VP_VDPA VSOCKETS VSOCKETS_DIAG VSOCKETS_LOOPBACK VSOCKMON VT_HW_CONSOLE_BINDING VXFS_FS WANT_DEV_COREDUMP WEXT_CORE WEXT_PRIV WEXT_PROC WIREGUARD WIRELESS WIRELESS_EXT WLAN WLAN_VENDOR_ADMTEK WLAN_VENDOR_SILABS X86_SGX X86_SGX_KVM X86_USER_SHADOW_STACK X86_X2APIC X86_X32_ABI XDP_SOCKETS XDP_SOCKETS_DIAG XFRM_ESPINTCP XFRM_INTERFACE XFRM_IPCOMP XFRM_MIGRATE XFRM_OFFLOAD XFRM_STATISTICS XFRM_SUB_POLICY XFRM_USER_COMPAT XFS_FS XFS_POSIX_ACL XFS_QUOTA XFS_RT XILLYBUS_CLASS XILLYUSB XOR_BLOCKS YENTA YENTA_ENE_TUNE YENTA_O2 YENTA_RICOH YENTA_TI YENTA_TOSHIBA Z3FOLD Z3FOLD_DEPRECATED ZEROPLUS_FF ZLIB_DEFLATE ZONEFS_FS ZPOOL ZRAM ZRAM_BACKEND_FORCE_LZO ZRAM_BACKEND_LZO ZRAM_DEF_COMP_LZO ZSMALLOC ZSTD_COMPRESS ZSWAP ZSWAP_COMPRESSOR_DEFAULT_842 ZSWAP_DEFAULT_ON ZSWAP_SHRINKER_DEFAULT_ON ZSWAP_ZPOOL_DEFAULT_Z3FOLD_DEPRECATED] disabling configs for [KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed testing current HEAD f92f4749861b06fed908d336b4dee1326003291b testing commit f92f4749861b06fed908d336b4dee1326003291b gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: a66842d0ca3f72b8dd89c20ce44fcd821fbe98b00e1a8b310e4be5a77ca9d224 all runs: OK false negative chance: 0.000 # git bisect start f92f4749861b06fed908d336b4dee1326003291b 850925a8133c73c4a2453c360b2c3beb3bab67c9 Bisecting: 6790 revisions left to test after this (roughly 13 steps) [55ae3eef10ae813616bd8a421e318d4b0e2f4a0b] Merge tag 'i2c-for-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux determine whether the revision contains the guilty commit revision 850925a8133c73c4a2453c360b2c3beb3bab67c9 crashed and is reachable testing commit 55ae3eef10ae813616bd8a421e318d4b0e2f4a0b gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: f50f9801301cbb46a88873ab881d5bc84d379d35c6d0cb33b65887c6efc4e384 all runs: OK false negative chance: 0.000 # git bisect bad 55ae3eef10ae813616bd8a421e318d4b0e2f4a0b Bisecting: 3419 revisions left to test after this (roughly 12 steps) [b57807cbbf36f17448cdb42e69a949aa76605440] Merge tag 'hid-for-linus-2024111801' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid determine whether the revision contains the guilty commit revision 850925a8133c73c4a2453c360b2c3beb3bab67c9 crashed and is reachable testing commit b57807cbbf36f17448cdb42e69a949aa76605440 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 3d667d783b7593092834e0a76b845f539eb578f56f16c4a3d4b246aceae70075 all runs: OK false negative chance: 0.000 # git bisect bad b57807cbbf36f17448cdb42e69a949aa76605440 Bisecting: 1617 revisions left to test after this (roughly 11 steps) [0338cd9c22d1bce7dc4a6641d4215a50f476f429] Merge tag 's390-6.13-1' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux determine whether the revision contains the guilty commit revision 850925a8133c73c4a2453c360b2c3beb3bab67c9 crashed and is reachable testing commit 0338cd9c22d1bce7dc4a6641d4215a50f476f429 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 1c16564707f844bb5f5a737cfdefcab0b4e3444676e40827b818958d2dafe2d0 all runs: OK false negative chance: 0.000 # git bisect bad 0338cd9c22d1bce7dc4a6641d4215a50f476f429 Bisecting: 873 revisions left to test after this (roughly 10 steps) [dd0896e77d89686c0736485c5ed4d115e99eaa0c] btrfs: update stale comment for struct btrfs_delayed_ref_node::add_list determine whether the revision contains the guilty commit revision 850925a8133c73c4a2453c360b2c3beb3bab67c9 crashed and is reachable testing commit dd0896e77d89686c0736485c5ed4d115e99eaa0c gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 41458615a3cbe2f949bb9999b71458c9b954d597d854404337fe9e5f80fb42fd all runs: OK false negative chance: 0.000 # git bisect bad dd0896e77d89686c0736485c5ed4d115e99eaa0c Bisecting: 436 revisions left to test after this (roughly 9 steps) [725f31f300e300a9d94976bd8f1db6e746f95f63] thermal/of: support thermal zones w/o trips subnode determine whether the revision contains the guilty commit revision 850925a8133c73c4a2453c360b2c3beb3bab67c9 crashed and is reachable testing commit 725f31f300e300a9d94976bd8f1db6e746f95f63 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 96dfd3d8bd5dcd8cf58a8c98bd799327de494bc166d7cc9751a2d72641a3c8af all runs: crashed: kernel BUG in __page_table_check_zero representative crash: kernel BUG in __page_table_check_zero, types: [BUG] # git bisect good 725f31f300e300a9d94976bd8f1db6e746f95f63 Bisecting: 211 revisions left to test after this (roughly 8 steps) [50643bbc9eb697636d08ccabb54f1b7d57941910] Merge tag 'sound-6.12-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound determine whether the revision contains the guilty commit revision 850925a8133c73c4a2453c360b2c3beb3bab67c9 crashed and is reachable testing commit 50643bbc9eb697636d08ccabb54f1b7d57941910 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 1d96db0d211782c22f1bae4f25c5850e688ed9993819c84c21e354265a2a4897 all runs: crashed: kernel BUG in __page_table_check_zero representative crash: kernel BUG in __page_table_check_zero, types: [BUG] # git bisect good 50643bbc9eb697636d08ccabb54f1b7d57941910 Bisecting: 105 revisions left to test after this (roughly 7 steps) [90275a7762c85bde21c0884404993ed20e265d86] btrfs: zstd: make the compression path to handle sector size < page size determine whether the revision contains the guilty commit revision 725f31f300e300a9d94976bd8f1db6e746f95f63 crashed and is reachable testing commit 90275a7762c85bde21c0884404993ed20e265d86 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 33a8ae6fbe4994de779a57e668c62cd3a26cf9d971a7315a5b18d87a675d881a all runs: OK false negative chance: 0.000 # git bisect bad 90275a7762c85bde21c0884404993ed20e265d86 Bisecting: 52 revisions left to test after this (roughly 6 steps) [023d4fc00fdeac9c73b6c1da2d720eade48db020] Merge tag 'staging-6.12-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging determine whether the revision contains the guilty commit revision 725f31f300e300a9d94976bd8f1db6e746f95f63 crashed and is reachable testing commit 023d4fc00fdeac9c73b6c1da2d720eade48db020 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: be458d961ffeb82adb823a367628719fa1339903e24588d73eeb9939623df09c all runs: crashed: kernel BUG in __page_table_check_zero representative crash: kernel BUG in __page_table_check_zero, types: [BUG] # git bisect good 023d4fc00fdeac9c73b6c1da2d720eade48db020 Bisecting: 32 revisions left to test after this (roughly 5 steps) [c289f4de8e479251b64988839fd0e87f246e03a2] mailmap: add entry for Thorsten Blum determine whether the revision contains the guilty commit revision 850925a8133c73c4a2453c360b2c3beb3bab67c9 crashed and is reachable testing commit c289f4de8e479251b64988839fd0e87f246e03a2 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: cfa0bb644a4e656f47f8a9c9a4bf1c4f2b3278ef7f1d737e196d8dd55b9afdef all runs: OK false negative chance: 0.000 # git bisect bad c289f4de8e479251b64988839fd0e87f246e03a2 Bisecting: 9 revisions left to test after this (roughly 3 steps) [faa242b1d2a97143150bdc50d5b61fd70fcd17cd] mm/mlock: set the correct prev on failure determine whether the revision contains the guilty commit revision 850925a8133c73c4a2453c360b2c3beb3bab67c9 crashed and is reachable testing commit faa242b1d2a97143150bdc50d5b61fd70fcd17cd gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: f445227a55568eec0b5e390de942c90e569bc38a983600bcad1202c85c51f7be all runs: OK false negative chance: 0.000 # git bisect bad faa242b1d2a97143150bdc50d5b61fd70fcd17cd Bisecting: 4 revisions left to test after this (roughly 2 steps) [0fb4a7ad270b3b209e510eb9dc5b07bf02b7edaf] mm: refactor map_deny_write_exec() determine whether the revision contains the guilty commit revision 850925a8133c73c4a2453c360b2c3beb3bab67c9 crashed and is reachable testing commit 0fb4a7ad270b3b209e510eb9dc5b07bf02b7edaf gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: eb8442fbd949de86e74d1d8a05ebd3603e200ad2f3fcbe5b354051c72109aa1c all runs: crashed: kernel BUG in __page_table_check_zero representative crash: kernel BUG in __page_table_check_zero, types: [BUG] # git bisect good 0fb4a7ad270b3b209e510eb9dc5b07bf02b7edaf Bisecting: 2 revisions left to test after this (roughly 1 step) [5de195060b2e251a835f622759550e6202167641] mm: resolve faulty mmap_region() error path behaviour determine whether the revision contains the guilty commit revision 850925a8133c73c4a2453c360b2c3beb3bab67c9 crashed and is reachable testing commit 5de195060b2e251a835f622759550e6202167641 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: b083b6de2dacbd67c76ed0f19c46181b2410ff60db6a70050f285ace86b086cc all runs: OK false negative chance: 0.000 # git bisect bad 5de195060b2e251a835f622759550e6202167641 Bisecting: 0 revisions left to test after this (roughly 0 steps) [5baf8b037debf4ec60108ccfeccb8636d1dbad81] mm: refactor arch_calc_vm_flag_bits() and arm64 MTE handling determine whether the revision contains the guilty commit revision 850925a8133c73c4a2453c360b2c3beb3bab67c9 crashed and is reachable testing commit 5baf8b037debf4ec60108ccfeccb8636d1dbad81 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 kernel signature: 35b2513e838ec87f483f6c2587c34263a92496f50b2a99a3d10a4fc20bf96ac9 all runs: crashed: kernel BUG in __page_table_check_zero representative crash: kernel BUG in __page_table_check_zero, types: [BUG] # git bisect good 5baf8b037debf4ec60108ccfeccb8636d1dbad81 5de195060b2e251a835f622759550e6202167641 is the first bad commit commit 5de195060b2e251a835f622759550e6202167641 Author: Lorenzo Stoakes Date: Tue Oct 29 18:11:48 2024 +0000 mm: resolve faulty mmap_region() error path behaviour The mmap_region() function is somewhat terrifying, with spaghetti-like control flow and numerous means by which issues can arise and incomplete state, memory leaks and other unpleasantness can occur. A large amount of the complexity arises from trying to handle errors late in the process of mapping a VMA, which forms the basis of recently observed issues with resource leaks and observable inconsistent state. Taking advantage of previous patches in this series we move a number of checks earlier in the code, simplifying things by moving the core of the logic into a static internal function __mmap_region(). Doing this allows us to perform a number of checks up front before we do any real work, and allows us to unwind the writable unmap check unconditionally as required and to perform a CONFIG_DEBUG_VM_MAPLE_TREE validation unconditionally also. We move a number of things here: 1. We preallocate memory for the iterator before we call the file-backed memory hook, allowing us to exit early and avoid having to perform complicated and error-prone close/free logic. We carefully free iterator state on both success and error paths. 2. The enclosing mmap_region() function handles the mapping_map_writable() logic early. Previously the logic had the mapping_map_writable() at the point of mapping a newly allocated file-backed VMA, and a matching mapping_unmap_writable() on success and error paths. We now do this unconditionally if this is a file-backed, shared writable mapping. If a driver changes the flags to eliminate VM_MAYWRITE, however doing so does not invalidate the seal check we just performed, and we in any case always decrement the counter in the wrapper. We perform a debug assert to ensure a driver does not attempt to do the opposite. 3. We also move arch_validate_flags() up into the mmap_region() function. This is only relevant on arm64 and sparc64, and the check is only meaningful for SPARC with ADI enabled. We explicitly add a warning for this arch if a driver invalidates this check, though the code ought eventually to be fixed to eliminate the need for this. With all of these measures in place, we no longer need to explicitly close the VMA on error paths, as we place all checks which might fail prior to a call to any driver mmap hook. This eliminates an entire class of errors, makes the code easier to reason about and more robust. Link: https://lkml.kernel.org/r/6e0becb36d2f5472053ac5d544c0edfe9b899e25.1730224667.git.lorenzo.stoakes@oracle.com Fixes: deb0f6562884 ("mm/mmap: undo ->mmap() when arch_validate_flags() fails") Signed-off-by: Lorenzo Stoakes Reported-by: Jann Horn Reviewed-by: Liam R. Howlett Reviewed-by: Vlastimil Babka Tested-by: Mark Brown Cc: Andreas Larsson Cc: Catalin Marinas Cc: David S. Miller Cc: Helge Deller Cc: James E.J. Bottomley Cc: Linus Torvalds Cc: Peter Xu Cc: Will Deacon Cc: Signed-off-by: Andrew Morton mm/mmap.c | 119 ++++++++++++++++++++++++++++++++++---------------------------- 1 file changed, 65 insertions(+), 54 deletions(-) accumulated error probability: 0.00 culprit signature: b083b6de2dacbd67c76ed0f19c46181b2410ff60db6a70050f285ace86b086cc parent signature: 35b2513e838ec87f483f6c2587c34263a92496f50b2a99a3d10a4fc20bf96ac9 revisions tested: 21, total time: 4h37m12.871389632s (build: 1h46m6.959908988s, test: 2h30m55.207702659s) first good commit: 5de195060b2e251a835f622759550e6202167641 mm: resolve faulty mmap_region() error path behaviour recipients (to): ["akpm@linux-foundation.org" "broonie@kernel.org" "liam.howlett@oracle.com" "lorenzo.stoakes@oracle.com" "vbabka@suse.cz"] recipients (cc): []