ci starts bisection 2025-07-08 18:57:10.838329982 +0000 UTC m=+11496.371773904 bisecting cause commit starting from 26ffb3d6f02cd0935fb9fa3db897767beee1cb2a building syzkaller on 4f67c4aece4f5794be20c6bc99c177e44b1320e8 fetch other tags and check if the commit is present ensuring issue is reproducible on original commit 26ffb3d6f02cd0935fb9fa3db897767beee1cb2a testing commit 26ffb3d6f02cd0935fb9fa3db897767beee1cb2a gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7 kernel signature: f6d3ad5b8a9538c02a1f4328a4ace1953eaff631a6453eea1fb4accc5725eb0c run #0: crashed: stack segment fault in mtree_range_walk run #1: crashed: WARNING: bad unlock balance in query_matching_vma run #2: crashed: general protection fault in mas_next_slot run #3: crashed: general protection fault in mas_next_slot run #4: crashed: general protection fault in mas_next_slot run #5: crashed: stack segment fault in mtree_range_walk run #6: crashed: general protection fault in vma_start_read run #7: crashed: stack segment fault in mtree_range_walk run #8: crashed: WARNING: bad unlock balance in query_vma_teardown run #9: crashed: general protection fault in mas_next_slot run #10: crashed: general protection fault in mas_next_slot run #11: crashed: general protection fault in mas_next_slot run #12: crashed: general protection fault in mas_start run #13: crashed: general protection fault in mas_next_slot run #14: crashed: WARNING: refcount bug in vma_start_read run #15: crashed: general protection fault in mas_start run #16: crashed: general protection fault in mas_next_slot run #17: crashed: general protection fault in mas_next_slot run #18: crashed: stack segment fault in mtree_range_walk run #19: crashed: WARNING: bad unlock balance in query_matching_vma representative crash: stack segment fault in mtree_range_walk, types: [DoS] check whether we can drop unnecessary instrumentation disabling configs for [atomic_sleep hang memleak 
ubsan bug_or_warning kasan locking], they are not needed testing commit 26ffb3d6f02cd0935fb9fa3db897767beee1cb2a gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7 kernel signature: b9d6725dad3add446dbea946e2456c93d941090f167b57c993ea95822d71149a run #0: crashed: WARNING: bad unlock balance in query_matching_vma run #1: crashed: WARNING: bad unlock balance in query_matching_vma run #2: crashed: BUG: unable to handle kernel paging request in lock_next_vma run #3: crashed: WARNING: bad unlock balance in query_matching_vma run #4: crashed: WARNING: lock held when returning to user space in get_next_vma run #5: crashed: WARNING: bad unlock balance in procfs_procmap_ioctl run #6: crashed: WARNING: bad unlock balance in procfs_procmap_ioctl run #7: crashed: WARNING: bad unlock balance in procfs_procmap_ioctl run #8: crashed: WARNING: bad unlock balance in query_matching_vma run #9: crashed: WARNING: bad unlock balance in query_matching_vma representative crash: WARNING: bad unlock balance in query_matching_vma, types: [LOCKDEP] the bug reproduces without the instrumentation disabling configs for [ubsan bug_or_warning kasan locking atomic_sleep hang memleak], they are not needed kconfig minimization: base=4095 full=8499 leaves diff=2184 split chunks (needed=false): <2184> split chunk #0 of len 2184 into 5 parts testing without sub-chunk 1/5 disabling configs for [hang memleak ubsan bug_or_warning kasan locking atomic_sleep], they are not needed testing commit 26ffb3d6f02cd0935fb9fa3db897767beee1cb2a gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7 kernel signature: 4aa6ca095cc19a93d83ed58f8f676a46db0f2dd1af7b8a36e1f77757991718fe run #0: crashed: WARNING: lock held when returning to user space in get_next_vma run #1: crashed: WARNING: bad unlock balance in query_matching_vma run #2: crashed: BUG: unable to handle kernel paging request in 
lock_next_vma run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_state_walk run #4: crashed: BUG: unable to handle kernel paging request in lock_next_vma run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_state_walk run #6: crashed: WARNING: lock held when returning to user space in get_next_vma run #7: crashed: BUG: unable to handle kernel paging request in lock_next_vma run #8: crashed: BUG: unable to handle kernel paging request in lock_next_vma run #9: crashed: WARNING: lock held when returning to user space in get_next_vma representative crash: WARNING: lock held when returning to user space in get_next_vma, types: [LOCKDEP MEMORY_SAFETY_BUG] the chunk can be dropped testing without sub-chunk 2/5 disabling configs for [atomic_sleep hang memleak ubsan bug_or_warning kasan locking], they are not needed testing commit 26ffb3d6f02cd0935fb9fa3db897767beee1cb2a gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7 kernel signature: 1cd34ece23cb8ef6accbd9d7b4dd7e44327e0527379f3b516995a112d7190041 run #0: crashed: WARNING: bad unlock balance in query_matching_vma run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_state_walk run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_state_walk run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_state_walk run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_state_walk run #7: crashed: WARNING: bad unlock balance in procfs_procmap_ioctl run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_state_walk run #9: crashed: WARNING: bad unlock balance in query_matching_vma representative crash: BUG: unable to handle 
kernel NULL pointer dereference in mas_state_walk, types: [UNKNOWN LOCKDEP] the chunk can be dropped testing without sub-chunk 3/5 disabling configs for [hang memleak ubsan bug_or_warning kasan locking atomic_sleep], they are not needed testing commit 26ffb3d6f02cd0935fb9fa3db897767beee1cb2a gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7 kernel signature: 581d8dbd062bd835b5b5ac175690785fe308d6941a30dae91304a792df24c644 run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_state_walk run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_state_walk run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot run #3: crashed: BUG: unable to handle kernel paging request in lock_next_vma run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_state_walk run #6: crashed: WARNING: lock held when returning to user space in get_next_vma run #7: crashed: WARNING: bad unlock balance in query_matching_vma run #8: crashed: WARNING: lock held when returning to user space in get_next_vma run #9: crashed: WARNING: lock held when returning to user space in get_next_vma representative crash: BUG: unable to handle kernel NULL pointer dereference in mas_state_walk, types: [UNKNOWN LOCKDEP] the chunk can be dropped testing without sub-chunk 4/5 disabling configs for [locking atomic_sleep hang memleak ubsan bug_or_warning kasan], they are not needed testing commit 26ffb3d6f02cd0935fb9fa3db897767beee1cb2a gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7 kernel signature: 9a9d0145a967716b659f25403d7cf91f3fc70693679ae1dc14158a5e7e1e2106 run #0: crashed: WARNING: bad unlock balance in query_matching_vma run #1: crashed: BUG: unable to handle kernel NULL pointer 
dereference in mas_next_slot run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot run #4: crashed: WARNING: bad unlock balance in query_matching_vma run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot run #6: crashed: BUG: unable to handle kernel paging request in lock_next_vma run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_state_walk run #8: crashed: WARNING: bad unlock balance in query_matching_vma run #9: crashed: BUG: unable to handle kernel paging request in lock_next_vma representative crash: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot, types: [UNKNOWN LOCKDEP] the chunk can be dropped testing without sub-chunk 5/5 disabling configs for [memleak ubsan bug_or_warning kasan locking atomic_sleep hang], they are not needed testing commit 26ffb3d6f02cd0935fb9fa3db897767beee1cb2a gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7 kernel signature: f106e91260663389cf59fe0f16e5bc31cc7dcd8fb10b503bcc4c7c4b32e5dbcc run #0: crashed: WARNING: bad unlock balance in query_matching_vma run #1: crashed: WARNING: bad unlock balance in query_matching_vma run #2: crashed: BUG: unable to handle kernel paging request in lock_next_vma run #3: crashed: BUG: unable to handle kernel paging request in lock_next_vma run #4: crashed: WARNING: bad unlock balance in query_matching_vma run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_state_walk run #6: crashed: BUG: unable to handle kernel paging request in lock_next_vma run #7: basic kernel testing failed: failed to copy binary to VM: timedout after 1m0s ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "IdentitiesOnly=yes" "-o" "BatchMode=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-v" 
"/tmp/syz-executor193456311" "root@10.128.10.22:./syz-executor193456311"] Executing: program /usr/bin/ssh host 10.128.10.22, user root, command sftp OpenSSH_9.2p1 Debian-2+deb12u6, OpenSSL 3.0.16 11 Feb 2025 debug1: Reading configuration data /dev/null debug1: Connecting to 10.128.10.22 [10.128.10.22] port 22. debug1: fd 3 clearing O_NONBLOCK debug1: Connection established. debug1: identity file /root/.ssh/id_rsa type -1 debug1: identity file /root/.ssh/id_rsa-cert type -1 debug1: identity file /root/.ssh/id_ecdsa type -1 debug1: identity file /root/.ssh/id_ecdsa-cert type -1 debug1: identity file /root/.ssh/id_ecdsa_sk type -1 debug1: identity file /root/.ssh/id_ecdsa_sk-cert type -1 debug1: identity file /root/.ssh/id_ed25519 type -1 debug1: identity file /root/.ssh/id_ed25519-cert type -1 debug1: identity file /root/.ssh/id_ed25519_sk type -1 debug1: identity file /root/.ssh/id_ed25519_sk-cert type -1 debug1: identity file /root/.ssh/id_xmss type -1 debug1: identity file /root/.ssh/id_xmss-cert type -1 debug1: identity file /root/.ssh/id_dsa type -1 debug1: identity file /root/.ssh/id_dsa-cert type -1 debug1: Local version string SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u6 debug1: Remote protocol version 2.0, remote software version OpenSSH_9.9 debug1: compat_banner: match: OpenSSH_9.9 pat OpenSSH* compat 0x04000000 debug1: Authenticating to 10.128.10.22:22 as 'root' debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: algorithm: sntrup761x25519-sha512 debug1: kex: host key algorithm: ssh-ed25519 debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: compression: none debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: compression: none debug1: expecting SSH2_MSG_KEX_ECDH_REPLY run #8: crashed: WARNING: bad unlock balance in query_matching_vma run 
#9: crashed: WARNING: bad unlock balance in query_matching_vma representative crash: WARNING: bad unlock balance in query_matching_vma, types: [LOCKDEP MEMORY_SAFETY_BUG] the chunk can be dropped disabling configs for [bug_or_warning kasan locking atomic_sleep hang memleak ubsan], they are not needed picked [v6.15 v6.14 v6.13 v6.11 v6.9 v6.7 v6.5 v6.3 v6.0 v5.17 v5.14 v5.11 v5.8 v5.5 v5.2 v4.20 v4.19] out of 38 release tags testing release v6.15 testing commit 0ff41df1cb268fc69e703a08a57ee14ae967d0ca gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7 kernel signature: b17cf01e86a0669d4933df5498705929ddb657db98956fe491d2de16b59f189c all runs: OK false negative chance: 0.000 # git bisect start 26ffb3d6f02cd0935fb9fa3db897767beee1cb2a 0ff41df1cb268fc69e703a08a57ee14ae967d0ca Bisecting: 11077 revisions left to test after this (roughly 14 steps) [fcd0bb8e99f7f5fbe6979b8633ed86502d822203] Merge tag 'vfs-6.16-rc2.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs testing commit fcd0bb8e99f7f5fbe6979b8633ed86502d822203 gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7 kernel signature: 7a6242bec932687ffba083cf6fbd8a7d873ee39648a6dba77d3b1f16c37f5cc3 all runs: OK false negative chance: 0.000 # git bisect good fcd0bb8e99f7f5fbe6979b8633ed86502d822203 Bisecting: 5808 revisions left to test after this (roughly 13 steps) [a1f3328c0948517e624228ca0daffe4847588c9d] Merge branch 'xtensa-for-next' of git://github.com/jcmvbkbc/linux-xtensa.git testing commit a1f3328c0948517e624228ca0daffe4847588c9d gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7 kernel signature: d0bea96e3a6d249a673413e87071bbe5ec12e4f75733e5517460b14977ad3902 run #0: crashed: BUG: unable to handle kernel paging request in lock_next_vma run #1: crashed: WARNING: lock held when returning to user 
space in get_next_vma run #2: crashed: WARNING: bad unlock balance in query_matching_vma run #3: crashed: WARNING: bad unlock balance in query_matching_vma run #4: crashed: WARNING: bad unlock balance in query_matching_vma run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_state_walk run #6: crashed: BUG: unable to handle kernel paging request in lock_next_vma run #7: crashed: BUG: unable to handle kernel paging request in lock_next_vma run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot run #9: crashed: BUG: unable to handle kernel paging request in lock_next_vma representative crash: BUG: unable to handle kernel paging request in lock_next_vma, types: [MEMORY_SAFETY_BUG LOCKDEP] # git bisect bad a1f3328c0948517e624228ca0daffe4847588c9d Bisecting: 2632 revisions left to test after this (roughly 11 steps) [b7191581a973ab2fca45d2ca64416065f1660ae0] Merge tag 'loongarch-6.16' of git://git.kernel.org/pub/scm/linux/kernel/git/chenhuacai/linux-loongson testing commit b7191581a973ab2fca45d2ca64416065f1660ae0 gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7 kernel signature: 79ceabee46a17c33ce08f2a4c66cd333eee01735be324dda5770593e934c6a0b all runs: OK false negative chance: 0.000 # git bisect good b7191581a973ab2fca45d2ca64416065f1660ae0 Bisecting: 1317 revisions left to test after this (roughly 10 steps) [22b227004ce15d38555df8651ae5bc1a450d4834] Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vkoul/soundwire.git testing commit 22b227004ce15d38555df8651ae5bc1a450d4834 gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7 kernel signature: e642511d2269ec79a952fd3064c582a08864cc9df66bb3128675cdddecbba227 all runs: OK false negative chance: 0.000 # git bisect good 22b227004ce15d38555df8651ae5bc1a450d4834 Bisecting: 664 revisions left to test after this 
(roughly 9 steps) [f8dc82309945dfa47aec90faf525cf7180472d10] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/bmc/linux.git testing commit f8dc82309945dfa47aec90faf525cf7180472d10 gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7 kernel signature: b01a9a40cb2a0671da88ab335993b8f8e6b112c6c793cf8c7b4b6107ef4fae3f run #0: crashed: BUG: unable to handle kernel paging request in lock_next_vma run #1: crashed: WARNING: bad unlock balance in query_matching_vma run #2: crashed: BUG: unable to handle kernel paging request in lock_next_vma run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot run #4: crashed: BUG: unable to handle kernel paging request in lock_next_vma run #5: crashed: BUG: unable to handle kernel paging request in lock_next_vma run #6: crashed: WARNING: bad unlock balance in query_matching_vma run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot run #8: crashed: WARNING: bad unlock balance in query_matching_vma run #9: crashed: BUG: unable to handle kernel paging request in lock_next_vma representative crash: BUG: unable to handle kernel paging request in lock_next_vma, types: [MEMORY_SAFETY_BUG LOCKDEP] # git bisect bad f8dc82309945dfa47aec90faf525cf7180472d10 Bisecting: 325 revisions left to test after this (roughly 8 steps) [4a2b8445140043ca4a25c9a8036ec9ebbabeb302] Merge branch 'mm-unstable' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm testing commit 4a2b8445140043ca4a25c9a8036ec9ebbabeb302 gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7 kernel signature: f36c86075534d44abbeb18e4ae9c950ffcb133c4e4a2684bd8a4920b4a69db8b run #0: crashed: BUG: unable to handle kernel paging request in lock_next_vma run #1: crashed: BUG: unable to handle kernel paging request in lock_next_vma run #2: crashed: BUG: unable to handle 
kernel paging request in lock_next_vma run #3: crashed: WARNING: lock held when returning to user space in get_next_vma run #4: crashed: BUG: unable to handle kernel paging request in lock_next_vma run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot run #6: crashed: BUG: unable to handle kernel paging request in lock_next_vma run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot run #8: crashed: BUG: unable to handle kernel paging request in lock_next_vma run #9: crashed: WARNING: bad unlock balance in query_matching_vma representative crash: BUG: unable to handle kernel paging request in lock_next_vma, types: [MEMORY_SAFETY_BUG LOCKDEP] # git bisect bad 4a2b8445140043ca4a25c9a8036ec9ebbabeb302 Bisecting: 163 revisions left to test after this (roughly 7 steps) [b54d38dec1032138166e930f7549b97962c4c5f8] selftests/mm: remove duplicate .gitignore entries testing commit b54d38dec1032138166e930f7549b97962c4c5f8 gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7 kernel signature: 3c91907a44e574fb80faae89ecc287b624e3cc41c4df1b0bba64740dec6d73ac all runs: OK false negative chance: 0.000 # git bisect good b54d38dec1032138166e930f7549b97962c4c5f8 Bisecting: 80 revisions left to test after this (roughly 6 steps) [a5cfa27f7a8a4547a0e3039fe046c0e96bfb917f] Merge branch 'for-linux-next-fixes' of https://gitlab.freedesktop.org/drm/i915/kernel testing commit a5cfa27f7a8a4547a0e3039fe046c0e96bfb917f gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7 kernel signature: 013e1d977f091846bfabcea2234ed9082213acc6f8ff783c013c2a4fc1a18bc8 all runs: OK false negative chance: 0.000 # git bisect good a5cfa27f7a8a4547a0e3039fe046c0e96bfb917f Bisecting: 39 revisions left to test after this (roughly 5 steps) [9512f44193dd09fa6c01bf8a571b1662fcbfc5f8] Merge branch 'tip/urgent' of 
git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git testing commit 9512f44193dd09fa6c01bf8a571b1662fcbfc5f8 gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7 kernel signature: 09a7b5be1e3897fb06224f71dd8c3fe191ffa4f8ae1c0e94f926ab46dd04b4db all runs: OK false negative chance: 0.000 # git bisect good 9512f44193dd09fa6c01bf8a571b1662fcbfc5f8 Bisecting: 19 revisions left to test after this (roughly 4 steps) [13ab1411e5a8cb41df9e079c69b5d41b5d57369d] mm, madvise: extract mm code from prctl_set_vma() to mm/madvise.c testing commit 13ab1411e5a8cb41df9e079c69b5d41b5d57369d gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7 kernel signature: 4a13e853d184bc2df50f723128c0f6ac02e4e0b3a944628c51ce632bc0799722 run #0: crashed: BUG: unable to handle kernel paging request in lock_next_vma run #1: crashed: BUG: unable to handle kernel paging request in lock_next_vma run #2: crashed: WARNING: bad unlock balance in query_matching_vma run #3: crashed: WARNING: lock held when returning to user space in get_next_vma run #4: crashed: WARNING: lock held when returning to user space in get_next_vma run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot run #7: crashed: general protection fault in lock_next_vma run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in lock_next_vma run #9: crashed: BUG: unable to handle kernel paging request in lock_next_vma representative crash: BUG: unable to handle kernel paging request in lock_next_vma, types: [MEMORY_SAFETY_BUG LOCKDEP UNKNOWN] # git bisect bad 13ab1411e5a8cb41df9e079c69b5d41b5d57369d Bisecting: 9 revisions left to test after this (roughly 3 steps) [c39471f78d5eaffab156417c47caa3650022728f] selftests/proc: test PROCMAP_QUERY ioctl while vma is concurrently 
modified testing commit c39471f78d5eaffab156417c47caa3650022728f gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7 kernel signature: 0c1a0db6bc237f8f70b833f02b9320861ef606c4bce958afecff42b6b743aa6c all runs: OK false negative chance: 0.000 # git bisect good c39471f78d5eaffab156417c47caa3650022728f Bisecting: 4 revisions left to test after this (roughly 2 steps) [d5c67bb2c5fb1b3d7a775d1099f44f1dffefb51f] mm/maps: move kmalloc() call location in do_procmap_query() out of RCU critical section testing commit d5c67bb2c5fb1b3d7a775d1099f44f1dffefb51f gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7 kernel signature: a4abe283b5ffb60f4ae47f8e34b94789ea3863bb9f9b8fa1e6d3bb5f54d0bf64 run #0: crashed: BUG: unable to handle kernel paging request in lock_next_vma run #1: crashed: WARNING: bad unlock balance in query_matching_vma run #2: crashed: BUG: unable to handle kernel paging request in lock_next_vma run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_state_walk run #4: crashed: WARNING: bad unlock balance in query_matching_vma run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot run #6: crashed: BUG: unable to handle kernel paging request in lock_next_vma run #7: crashed: WARNING: bad unlock balance in query_matching_vma run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot run #9: crashed: WARNING: bad unlock balance in query_matching_vma representative crash: WARNING: bad unlock balance in query_matching_vma, types: [LOCKDEP MEMORY_SAFETY_BUG UNKNOWN] # git bisect bad d5c67bb2c5fb1b3d7a775d1099f44f1dffefb51f Bisecting: 2 revisions left to test after this (roughly 1 step) [e1ba4969cba15c2e2a6e337d75214c63bc7e5e81] mm/maps: read proc/pid/maps under per-vma lock testing commit e1ba4969cba15c2e2a6e337d75214c63bc7e5e81 gcc compiler: Debian clang 
version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7 kernel signature: d29cc0c8d5d79826dfb2e1db2ad4d4970f181c22642e2ee3c962c634525c4cc4 all runs: OK false negative chance: 0.000 # git bisect good e1ba4969cba15c2e2a6e337d75214c63bc7e5e81 Bisecting: 0 revisions left to test after this (roughly 1 step) [6772c457a86536f3496bf5b3716f34a5ac125783] fs/proc/task_mmu:: execute PROCMAP_QUERY ioctl under per-vma locks testing commit 6772c457a86536f3496bf5b3716f34a5ac125783 gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7 kernel signature: 850092fd94baa7e25a79cbf8e62cf20c98bd6650d25f8879fe103dbaf1cac651 run #0: crashed: WARNING: bad unlock balance in query_matching_vma run #1: crashed: BUG: unable to handle kernel paging request in lock_next_vma run #2: crashed: BUG: unable to handle kernel paging request in lock_next_vma run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_state_walk run #4: crashed: WARNING: bad unlock balance in query_matching_vma run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot run #6: crashed: BUG: unable to handle kernel paging request in lock_next_vma run #7: crashed: BUG: unable to handle kernel paging request in lock_next_vma run #8: crashed: BUG: unable to handle kernel paging request in lock_next_vma run #9: crashed: BUG: unable to handle kernel paging request in lock_next_vma representative crash: BUG: unable to handle kernel paging request in lock_next_vma, types: [MEMORY_SAFETY_BUG LOCKDEP] # git bisect bad 6772c457a86536f3496bf5b3716f34a5ac125783 Bisecting: 0 revisions left to test after this (roughly 0 steps) [ecb110179e77337e8ceccd0f963dc431697fc9f1] mm/madvise: fixup stray mmap lock assert in anon_vma_name() testing commit ecb110179e77337e8ceccd0f963dc431697fc9f1 gcc compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 
20.1.7
kernel signature: 7f73fcf8a234fd5aec7425d131a0c3e957b1328595fcc4dfeca424444cede2bf
all runs: OK
false negative chance: 0.000
# git bisect good ecb110179e77337e8ceccd0f963dc431697fc9f1
6772c457a86536f3496bf5b3716f34a5ac125783 is the first bad commit
commit 6772c457a86536f3496bf5b3716f34a5ac125783
Author: Suren Baghdasaryan
Date: Tue Jun 24 12:33:59 2025 -0700

    fs/proc/task_mmu:: execute PROCMAP_QUERY ioctl under per-vma locks

    Utilize per-vma locks to stabilize vma after lookup without taking mmap_lock during PROCMAP_QUERY ioctl execution. While we might take mmap_lock for reading during contention, we do that momentarily only to lock the vma. This change is designed to reduce mmap_lock contention and prevent PROCMAP_QUERY ioctl calls from blocking address space updates.

    Link: https://lkml.kernel.org/r/20250624193359.3865351-8-surenb@google.com
    Signed-off-by: Suren Baghdasaryan
    Acked-by: Andrii Nakryiko
    Cc: Alexey Dobriyan
    Cc: Christian Brauner
    Cc: Christophe Leroy
    Cc: David Hildenbrand
    Cc: Jann Horn
    Cc: Johannes Weiner
    Cc: Josef Bacik
    Cc: Kalesh Singh
    Cc: Liam Howlett
    Cc: Lorenzo Stoakes
    Cc: Matthew Wilcox (Oracle)
    Cc: Michal Hocko
    Cc: Oscar Salvador
    Cc: "Paul E . McKenney"
    Cc: Peter Xu
    Cc: Ryan Roberts
    Cc: Shuah Khan
    Cc: Thomas Weißschuh
    Cc: T.J. Mercier
    Cc: Vlastimil Babka
    Cc: Ye Bin
    Cc: Jeongjun Park
    Signed-off-by: Andrew Morton

 fs/proc/task_mmu.c | 56 ++++++++++++++++++++++++++++++++++++++++++------------
 1 file changed, 44 insertions(+), 12 deletions(-)

accumulated error probability: 0.00
culprit signature: 850092fd94baa7e25a79cbf8e62cf20c98bd6650d25f8879fe103dbaf1cac651
parent signature: 7f73fcf8a234fd5aec7425d131a0c3e957b1328595fcc4dfeca424444cede2bf
revisions tested: 23, total time: 6h55m45.909875702s (build: 2h48m6.15307807s, test: 3h40m55.782702079s)
first bad commit: 6772c457a86536f3496bf5b3716f34a5ac125783 fs/proc/task_mmu:: execute PROCMAP_QUERY ioctl under per-vma locks
recipients (to): ["akpm@linux-foundation.org" "andrii@kernel.org" "surenb@google.com"]
recipients (cc): []
crash: BUG: unable to handle kernel paging request in lock_next_vma

BUG: unable to handle page fault for address: 000035558c212028
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: Oops: 0000 [#1] SMP PTI
CPU: 0 UID: 0 PID: 3363 Comm: syz.3.170 Not tainted 6.16.0-rc4-syzkaller #0 PREEMPT(undef)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
RIP: 0010:vma_start_read include/linux/mmap_lock.h:170 [inline]
RIP: 0010:lock_next_vma+0x52/0x520 mm/mmap_lock.c:220
Code: ff ff ff e8 10 dd a7 00 48 85 c0 0f 84 92 01 00 00 48 89 c2 48 8d 45 40 48 89 44 24 10 49 8d 47 20 48 89 44 24 08 48 89 2c 24 <8b> 42 28 3b 85 20 02 00 00 0f 84 8e 02 00 00 4c 8d b2 80 00 00 00
RSP: 0018:ffffc90002327d00 EFLAGS: 00010206
RAX: ffff888101ab0ab8 RBX: 000000000000000a RCX: ffffffffffffffff
RDX: 000035558c212000 RSI: ffff88810a7c7400 RDI: ffff888101ab0a98
RBP: ffff888107690a00 R08: 0000000000000003 R09: ffff88810a7c7408
R10: ffff888107690a00 R11: 0000000000000001 R12: ffff8881093be700
R13: 00007f06aa550000 R14: 00007f06aa550000 R15: ffff888101ab0a98
FS: 00007f06aa14f6c0(0000) GS:ffff8882b4c3e000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000035558c212028 CR3: 000000010ff32000 CR4: 00000000003506f0
Call Trace:
 get_next_vma+0xa6/0xe0 fs/proc/task_mmu.c:182
 query_vma_find_by_addr fs/proc/task_mmu.c:516 [inline]
 query_matching_vma+0x8b/0xf0 fs/proc/task_mmu.c:545
 do_procmap_query fs/proc/task_mmu.c:630 [inline]
 procfs_procmap_ioctl+0x27d/0x6a0 fs/proc/task_mmu.c:748
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:907 [inline]
 __se_sys_ioctl+0x69/0xc0 fs/ioctl.c:893
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x8f/0x250 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f06aa6de929
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f06aa14f038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f06aa905fa0 RCX: 00007f06aa6de929
RDX: 0000200000000180 RSI: 00000000c0686611 RDI: 0000000000000003
RBP: 00007f06aa760b39 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f06aa905fa0 R15: 00007ffc2a22f6c8
Modules linked in:
CR2: 000035558c212028
---[ end trace 0000000000000000 ]---
RIP: 0010:vma_start_read include/linux/mmap_lock.h:170 [inline]
RIP: 0010:lock_next_vma+0x52/0x520 mm/mmap_lock.c:220
Code: ff ff ff e8 10 dd a7 00 48 85 c0 0f 84 92 01 00 00 48 89 c2 48 8d 45 40 48 89 44 24 10 49 8d 47 20 48 89 44 24 08 48 89 2c 24 <8b> 42 28 3b 85 20 02 00 00 0f 84 8e 02 00 00 4c 8d b2 80 00 00 00
RSP: 0018:ffffc90002327d00 EFLAGS: 00010206
RAX: ffff888101ab0ab8 RBX: 000000000000000a RCX: ffffffffffffffff
RDX: 000035558c212000 RSI: ffff88810a7c7400 RDI: ffff888101ab0a98
RBP: ffff888107690a00 R08: 0000000000000003 R09: ffff88810a7c7408
R10: ffff888107690a00 R11: 0000000000000001 R12: ffff8881093be700
R13: 00007f06aa550000 R14: 00007f06aa550000 R15: ffff888101ab0a98
FS: 00007f06aa14f6c0(0000) GS:ffff8882b4c3e000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000035558c212028 CR3: 000000010ff32000 CR4: 00000000003506f0
----------------
Code disassembly (best guess), 3 bytes skipped:
   0: e8 10 dd a7 00          call 0xa7dd15
   5: 48 85 c0                test %rax,%rax
   8: 0f 84 92 01 00 00       je 0x1a0
   e: 48 89 c2                mov %rax,%rdx
  11: 48 8d 45 40             lea 0x40(%rbp),%rax
  15: 48 89 44 24 10          mov %rax,0x10(%rsp)
  1a: 49 8d 47 20             lea 0x20(%r15),%rax
  1e: 48 89 44 24 08          mov %rax,0x8(%rsp)
  23: 48 89 2c 24             mov %rbp,(%rsp)
* 27: 8b 42 28                mov 0x28(%rdx),%eax <-- trapping instruction
  2a: 3b 85 20 02 00 00       cmp 0x220(%rbp),%eax
  30: 0f 84 8e 02 00 00       je 0x2c4
  36: 4c 8d b2 80 00 00 00    lea 0x80(%rdx),%r14