ci starts bisection 2025-06-02 13:05:32.121729891 +0000 UTC m=+45.148722515
bisecting cause commit starting from cd2e103d57e5615f9bb027d772f93b9efd567224
building syzkaller on 3d2f584ddab119da50e8a8d26765aa98d3b33c02
ensuring issue is reproducible on original commit cd2e103d57e5615f9bb027d772f93b9efd567224
testing commit cd2e103d57e5615f9bb027d772f93b9efd567224 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: af27d361894c9627af55b23a59615c81b8a3bc65e550e41edf0308d0c8ec3655
all runs: crashed: WARNING in vma_modify
representative crash: WARNING in vma_modify, types: [WARNING]
check whether we can drop unnecessary instrumentation
disabling configs for [KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit cd2e103d57e5615f9bb027d772f93b9efd567224 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: 10d9d4e63f5839f527efef49087bfcec1dfe1653eb5000224b80ec2156736629
all runs: crashed: WARNING in vma_modify
representative crash: WARNING in vma_modify, types: [WARNING]
the bug reproduces without the instrumentation
disabling configs for [UBSAN KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
kconfig minimization: base=4091 full=8359 leaves diff=2131
split chunks (needed=false): <2131>
split chunk #0 of len 2131 into 5 parts
testing without sub-chunk 1/5
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN KASAN], they are not needed
testing commit cd2e103d57e5615f9bb027d772f93b9efd567224 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: 53af5746a6c8d2d81cfd6cd988aebb68b366c5e401f0b31b14196c0ac76657b6
all runs: crashed: WARNING in vma_modify
representative crash: WARNING in vma_modify, types: [WARNING]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit cd2e103d57e5615f9bb027d772f93b9efd567224 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: 4c8b2850376f366b5efcd8312f19d2c7f7bd60306b1bc501d567af6cc29b0b40
all runs: crashed: WARNING in vma_modify
representative crash: WARNING in vma_modify, types: [WARNING]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [UBSAN KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
testing commit cd2e103d57e5615f9bb027d772f93b9efd567224 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: 2f6448f12cb1eadb15c73d4f5f27a218cdc96a42aee52c2a3965714aba20d6e0
all runs: crashed: WARNING in vma_modify
representative crash: WARNING in vma_modify, types: [WARNING]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [HANG LEAK UBSAN KASAN LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit cd2e103d57e5615f9bb027d772f93b9efd567224 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: 6e1820f1513fa11b3d785822605de8329a6271c827d274449395034814201bd3
all runs: crashed: WARNING in vma_modify
representative crash: WARNING in vma_modify, types: [WARNING]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit cd2e103d57e5615f9bb027d772f93b9efd567224 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: f02e1ea949f2bf69ea37d8fcea3f16efde6ff88d89cb05c4515a874f74bef03e
all runs: crashed: WARNING in vma_modify
representative crash: WARNING in vma_modify, types: [WARNING]
the chunk can be dropped
disabling configs for [HANG LEAK UBSAN KASAN LOCKDEP ATOMIC_SLEEP], they are not needed
picked [v6.15 v6.14 v6.13 v6.11 v6.9 v6.7 v6.5 v6.3 v6.0 v5.17 v5.14 v5.11 v5.8 v5.5 v5.2 v4.20 v4.19] out of 38 release tags
testing release v6.15
testing commit 0ff41df1cb268fc69e703a08a57ee14ae967d0ca gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: db5f196ba404153c569fb7a6d17c504e3007a6c5202340a8b2e943e22f9c7202
all runs: crashed: WARNING in vma_merge_existing_range
representative crash: WARNING in vma_merge_existing_range, types: [WARNING]
testing release v6.14
testing commit 38fec10eb60d687e30c8c6b5420d86e8149f7557 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: 793802f0b5b093744b54e085d993c091b3cdddaf04e8d4d2524bae86aaf6dc95
all runs: crashed: WARNING in vma_merge_existing_range
representative crash: WARNING in vma_merge_existing_range, types: [WARNING]
testing release v6.13
testing commit ffd294d346d185b70e28b1a28abe367bbfe53c04 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: ea6817bbcc5da9b57aa008646ab6a1ca0b40ddc78f8c1a45e45206c061d6ed96
all runs: OK
false negative chance: 0.000
# git bisect start 38fec10eb60d687e30c8c6b5420d86e8149f7557 ffd294d346d185b70e28b1a28abe367bbfe53c04
Bisecting: 6039 revisions left to test after this (roughly 13 steps)
[2c8d2a510c15c003749e43ac2b8e1bc79a7a00d6] Merge tag 'sound-6.14-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound
testing commit 2c8d2a510c15c003749e43ac2b8e1bc79a7a00d6 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: 196bfa08d5fe6fd0b071e65a0abe4003a70edc683c5fa53f5aab9d21dee2c274
all runs: OK
false negative chance: 0.000
# git bisect good 2c8d2a510c15c003749e43ac2b8e1bc79a7a00d6
Bisecting: 3064 revisions left to test after this (roughly 12 steps)
[9ff28f2fad67e173ed25b8c3a183b15da5445d2d] Merge tag 'loongarch-6.14' of git://git.kernel.org/pub/scm/linux/kernel/git/chenhuacai/linux-loongson
testing commit 9ff28f2fad67e173ed25b8c3a183b15da5445d2d gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: 204061f329197dad98604190f1c299291131edab5bc1befbf97fcfb07ab9b754
all runs: OK
false negative chance: 0.000
# git bisect good 9ff28f2fad67e173ed25b8c3a183b15da5445d2d
Bisecting: 1532 revisions left to test after this (roughly 11 steps)
[243899076c3efdf98d8e922a802896424a597580] Merge tag 'rust-fixes-6.14-2' of git://git.kernel.org/pub/scm/linux/kernel/git/ojeda/linux
testing commit 243899076c3efdf98d8e922a802896424a597580 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: d8398294b4cbb669744f82d660ca17f7b51a7393d6e17166ed6e421e68f78645
all runs: OK
false negative chance: 0.000
# git bisect good 243899076c3efdf98d8e922a802896424a597580
Bisecting: 764 revisions left to test after this (roughly 10 steps)
[5872cca23a017aae01d0b2f82346907169f7aa01] Merge tag 'exfat-for-6.14-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/linkinjeon/exfat
testing commit 5872cca23a017aae01d0b2f82346907169f7aa01 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: 7779e84781f18423cf7c7c5d48250dab6efab0ee98cee6d975ad1957d99b62ba
all runs: OK
false negative chance: 0.000
# git bisect good 5872cca23a017aae01d0b2f82346907169f7aa01
Bisecting: 366 revisions left to test after this (roughly 9 steps)
[4003c9e78778e93188a09d6043a74f7154449d43] Merge tag 'net-6.14-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
testing commit 4003c9e78778e93188a09d6043a74f7154449d43 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: eb014faa46c6eda371e459f25372cb408642f3b430308b5f9d92727e648e0737
all runs: crashed: WARNING in vma_merge_existing_range
representative crash: WARNING in vma_merge_existing_range, types: [WARNING]
# git bisect bad 4003c9e78778e93188a09d6043a74f7154449d43
Bisecting: 214 revisions left to test after this (roughly 8 steps)
[b7c90e3e717abff6fe06445b98be306b732bbd2b] Merge tag 'x86-urgent-2025-03-08' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
testing commit b7c90e3e717abff6fe06445b98be306b732bbd2b gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: d9acd4b6f85a56f03a4226ad6a7991d7ff3a2d434c133b8b689c50f275b23c5d
all runs: OK
false negative chance: 0.000
# git bisect good b7c90e3e717abff6fe06445b98be306b732bbd2b
Bisecting: 108 revisions left to test after this (roughly 7 steps)
[0dc1f314f854257eb64dcea604a42a55225453a9] Merge tag 'usb-6.14-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb
testing commit 0dc1f314f854257eb64dcea604a42a55225453a9 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: b6e740ac144c104b2be72974b071149e831bc4d607c357a610d1a737e33aad99
all runs: crashed: WARNING in vma_merge_existing_range
representative crash: WARNING in vma_merge_existing_range, types: [WARNING]
# git bisect bad 0dc1f314f854257eb64dcea604a42a55225453a9
Bisecting: 54 revisions left to test after this (roughly 6 steps)
[a382b06d297e78ed7ac67afd0d8e8690406ac4ca] Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm
testing commit a382b06d297e78ed7ac67afd0d8e8690406ac4ca gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: 0cf98b6503a55c152eb7a20c33679625a3d58aac6b99b2d1332cb48453de1b1c
all runs: crashed: WARNING in vma_merge_existing_range
representative crash: WARNING in vma_merge_existing_range, types: [WARNING]
# git bisect bad a382b06d297e78ed7ac67afd0d8e8690406ac4ca
Bisecting: 25 revisions left to test after this (roughly 5 steps)
[927e926d72d9155fde3264459fe9bfd7b5e40d28] userfaultfd: fix PTE unmapping stack-allocated PTE copies
testing commit 927e926d72d9155fde3264459fe9bfd7b5e40d28 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: bdc5485d1fffa048880da2333e38f8b6c88e88593d2d6105709bd59c08ecb14b
all runs: crashed: WARNING in vma_merge_existing_range
representative crash: WARNING in vma_merge_existing_range, types: [WARNING]
# git bisect bad 927e926d72d9155fde3264459fe9bfd7b5e40d28
Bisecting: 12 revisions left to test after this (roughly 4 steps)
[47b16d0462a460000b8f05dfb1292377ac48f3ca] mm: abort vma_modify() on merge out of memory failure
testing commit 47b16d0462a460000b8f05dfb1292377ac48f3ca gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: 57d6d4162fad6fb7f23482def99d84d7c38c997e5078f1e3a0edb9abffff458e
all runs: crashed: WARNING in vma_merge_existing_range
representative crash: WARNING in vma_merge_existing_range, types: [WARNING]
# git bisect bad 47b16d0462a460000b8f05dfb1292377ac48f3ca
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[773b9a6aa6d38894b95088e3ed6f8a701d9f50fd] mm: memory-hotplug: check folio ref count first in do_migrate_range
testing commit 773b9a6aa6d38894b95088e3ed6f8a701d9f50fd gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: 58e75fa79cc6bdc58eab54a14c86698e07e15e15898af220e3578e5ad0171035
all runs: OK
false negative chance: 0.000
# git bisect good 773b9a6aa6d38894b95088e3ed6f8a701d9f50fd
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[19fac3c93991502a22c5132824c40b6a2e64b136] dma: kmsan: export kmsan_handle_dma() for modules
testing commit 19fac3c93991502a22c5132824c40b6a2e64b136 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: 2b37ab5d161c6f06a132259d2cde2ad18b36c7ab8539060d5f7ebd28d0447611
all runs: OK
false negative chance: 0.000
# git bisect good 19fac3c93991502a22c5132824c40b6a2e64b136
Bisecting: 0 revisions left to test after this (roughly 1 step)
[67bab13307c83fb742c2556b06cdc39dbad27f07] mm/hugetlb: wait for hugetlb folios to be freed
testing commit 67bab13307c83fb742c2556b06cdc39dbad27f07 gcc
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
kernel signature: 1d098c5b17341b29e545aafcabbeb311f35ff7899eed74a42f6d14b150ec33a7
all runs: OK
false negative chance: 0.000
# git bisect good 67bab13307c83fb742c2556b06cdc39dbad27f07
47b16d0462a460000b8f05dfb1292377ac48f3ca is the first bad commit
commit 47b16d0462a460000b8f05dfb1292377ac48f3ca
Author: Lorenzo Stoakes
Date:   Sat Feb 22 16:19:52 2025 +0000

    mm: abort vma_modify() on merge out of memory failure

    The remainder of vma_modify() relies upon the vmg state remaining pristine
    after a merge attempt. Usually this is the case, however in the one edge
    case scenario of a merge attempt failing not due to the specified range
    being unmergeable, but rather due to an out of memory error arising when
    attempting to commit the merge, this assumption becomes untrue.

    This results in vmg->start, end being modified, and thus the proceeding
    attempts to split the VMA will be done with invalid start/end values.

    Thankfully, it is likely practically impossible for us to hit this in
    reality, as it would require a maple tree node pre-allocation failure that
    would likely never happen due to it being 'too small to fail', i.e. the
    kernel would simply keep retrying reclaim until it succeeded.

    However, this scenario remains theoretically possible, and what we are
    doing here is wrong so we must correct it.

    The safest option is, when this scenario occurs, to simply give up the
    operation. If we cannot allocate memory to merge, then we cannot allocate
    memory to split either (perhaps moreso!).

    Any scenario where this would be happening would be under very extreme
    (likely fatal) memory pressure, so it's best we give up early.

    So there is no doubt it is appropriate to simply bail out in this
    scenario.

    However, in general we must if at all possible never assume VMG state is
    stable after a merge attempt, since merge operations update VMG fields.
    As a result, additionally also make this clear by storing start, end in
    local variables.

    The issue was reported originally by syzkaller, and by Brad Spengler (via
    an off-list discussion), and in both instances it manifested as a
    triggering of the assert:

            VM_WARN_ON_VMG(start >= end, vmg);

    In vma_merge_existing_range().

    It seems at least one scenario in which this is occurring is one in which
    the merge being attempted is due to an madvise() across multiple VMAs
    which looks like this:

          start    end
            |<------>|
        |----------|------|
        |   vma    | next |
        |----------|------|

    When madvise_walk_vmas() is invoked, we first find vma in the above
    (determining prev to be equal to vma as we are offset into vma), and then
    enter the loop.

    We determine the end of vma that forms part of the range we are
    madvise()'ing by setting 'tmp' to this value:

            /* Here vma->vm_start <= start < (end|vma->vm_end) */
            tmp = vma->vm_end;

    We then invoke the madvise() operation via visit(), letting prev get
    updated to point to vma as part of the operation:

            /* Here vma->vm_start <= start < tmp <= (end|vma->vm_end). */
            error = visit(vma, &prev, start, tmp, arg);

    Where the visit() function pointer in this instance is
    madvise_vma_behavior().

    As observed in syzkaller reports, it is ultimately madvise_update_vma()
    that is invoked, calling vma_modify_flags_name() and vma_modify() in turn.

    Then, in vma_modify(), we attempt the merge:

            merged = vma_merge_existing_range(vmg);
            if (merged)
                    return merged;

    We invoke this with vmg->start, end set to start, tmp as such:

          start  tmp
            |<--->|
        |----------|------|
        |   vma    | next |
        |----------|------|

    We find ourselves in the merge right scenario, but the one in which we
    cannot remove the middle (we are offset into vma).

    Here we have a special case where vmg->start, end get set to perhaps
    unintuitive values - we intended to shrink the middle VMA and expand the
    next.

    This means vmg->start, end are set to... vma->vm_start, start.

    Now the commit_merge() fails, and vmg->start, end are left like this.

    This means we return to the rest of vma_modify() with vmg->start, end
    (here denoted as start', end') set as:

        start' end'
          |<-->|
        |----------|------|
        |   vma    | next |
        |----------|------|

    So we now erroneously try to split accordingly.

    This is where the unfortunate stuff begins.

    We start with:

            /* Split any preceding portion of the VMA. */
            if (vma->vm_start < vmg->start) {
                    ...
            }

    This doesn't trigger as we are no longer offset into vma at the start.

    But then we invoke:

            /* Split any trailing portion of the VMA. */
            if (vma->vm_end > vmg->end) {
                    ...
            }

    Which does get invoked. This leaves us with:

        start' end'
          |<-->|
        |----|-----|------|
        | vma| new | next |
        |----|-----|------|

    We then return ultimately to madvise_walk_vmas(). Here 'new' is unknown,
    and putting back the values known in this function we are faced with:

             start tmp end
             |     |   |
        |----|-----|------|
        | vma| new | next |
        |----|-----|------|
         prev

    Then:

            start = tmp;

    So:

                   start end
                   |     |
        |----|-----|------|
        | vma| new | next |
        |----|-----|------|
         prev

    The following code does not cause anything to happen:

            if (prev && start < prev->vm_end)
                    start = prev->vm_end;
            if (start >= end)
                    break;

    And then we invoke:

            if (prev)
                    vma = find_vma(mm, prev->vm_end);

    Which is where a problem occurs - we don't know about 'new' so we
    essentially look for the vma after prev, which is new, whereas we actually
    intended to discover next!

    So we end up with:

                   start end
                   |     |
        |----|-----|------|
        |prev| vma | next |
        |----|-----|------|

    And we have successfully bypassed all of the checks madvise_walk_vmas()
    has to ensure early exit should we end up moving out of range.

    We loop around, and hit:

            /* Here vma->vm_start <= start < (end|vma->vm_end) */
            tmp = vma->vm_end;

    Oh dear. Now we have:

                   tmp
                   start end
                   |     |
        |----|-----|------|
        |prev| vma | next |
        |----|-----|------|

    We then invoke:

            /* Here vma->vm_start <= start < tmp <= (end|vma->vm_end). */
            error = visit(vma, &prev, start, tmp, arg);

    Where start == tmp. That is, a zero range. This is not good.

    We invoke visit() which is madvise_vma_behavior() which does not check the
    range (for good reason, it assumes all checks have been done before it was
    called), which in turn finally calls madvise_update_vma().

    The madvise_update_vma() function calls vma_modify_flags_name() in turn,
    which ultimately invokes vma_modify() with... start == end.

    vma_modify() calls vma_merge_existing_range() and finally we hit:

            VM_WARN_ON_VMG(start >= end, vmg);

    Which triggers, as start == end.

    While it might be useful to add some CONFIG_DEBUG_VM asserts in these
    instances to catch this kind of error, since we have just eliminated any
    possibility of that happening, we will add such asserts separately as to
    reduce churn and aid backporting.

    Link: https://lkml.kernel.org/r/20250222161952.41957-1-lorenzo.stoakes@oracle.com
    Fixes: 2f1c6611b0a8 ("mm: introduce vma_merge_struct and abstract vma_merge(),vma_modify()")
    Signed-off-by: Lorenzo Stoakes
    Tested-by: Brad Spengler
    Reported-by: Brad Spengler
    Reported-by: syzbot+46423ed8fa1f1148c6e4@syzkaller.appspotmail.com
    Closes: https://lore.kernel.org/linux-mm/6774c98f.050a0220.25abdd.0991.GAE@google.com/
    Cc: Jann Horn
    Cc: Liam Howlett
    Cc: Vlastimil Babka
    Cc:
    Signed-off-by: Andrew Morton

 mm/vma.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

accumulated error probability: 0.00
culprit signature: 57d6d4162fad6fb7f23482def99d84d7c38c997e5078f1e3a0edb9abffff458e
parent signature: 1d098c5b17341b29e545aafcabbeb311f35ff7899eed74a42f6d14b150ec33a7
revisions tested: 23, total time: 10h51m1.404974147s (build: 6h56m18.669493949s, test: 3h26m48.180845024s)
first bad commit: 47b16d0462a460000b8f05dfb1292377ac48f3ca mm: abort vma_modify() on merge out of memory failure
recipients (to): ["akpm@linux-foundation.org" "brad.spengler@opensrcsec.com" "lorenzo.stoakes@oracle.com"]
recipients (cc): []
crash: WARNING in vma_merge_existing_range
7fcd248c8000-7fcd249acfff: ffff88810fadbf00
7fcd249ad000-7fcd249b5fff: ffff88810fadb820
7fcd249b6000-7fcd249b9fff: 0000000000000000
7fcd249ba000-7fcd249bbfff: ffff88810fadb280
7fcd249bc000-7fcd249bdfff: ffff88810fadb320
7fcd249be000-7fcd249bffff: ffff88810fadb780
7fcd249c0000-7fcd2551dfff: ffff88810fadbe60
7fcd2551e000-7ffc516a1fff: 0000000000000000
7ffc516a2000-7ffc516c2fff: ffff88810fadbb40
7ffc516c3000-ffffffffffffffff: 0000000000000000
------------[ cut here ]------------
WARNING: CPU: 0 PID: 2896 at mm/vma.c:734 vma_merge_existing_range+0x625/0x690 mm/vma.c:734
Modules linked in:
CPU: 0 UID: 0 PID: 2896 Comm: syz.3.16 Not tainted 6.14.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
RIP: 0010:vma_merge_existing_range+0x625/0x690 mm/vma.c:734
Code: 6c 62 43 82 48 89 1c 24 4c 89 fb 41 89 ef 4c 89 ed 49 89 c5 e8 dc 4e fc ff 4c 89 e8 49 89 ed 44 89 fd 49 89 df 48 8b 1c 24 90 <0f> 0b 90 e9 92 fa ff ff 90 0f 0b 90 e9 14 fc ff ff 90 0f 0b 90 e9
RSP: 0018:ffffc90002277cf0 EFLAGS: 00010286
RAX: 0000200000000000 RBX: ffffc90002277d90 RCX: ffffffffffffffff
RDX: 0000000000000002 RSI: 00000000ffffdfff RDI: 00000000ffffffff
RBP: 0000000000000001 R08: 0000000000001fff R09: ffffffff82695020
R10: 0000000000005ffd R11: 00000000ffffdfff R12: 0000200000800000
R13: ffff88810fadb3c0 R14: 0000200000800001 R15: ffff88810fadb3c0
FS:  00007fcd2422f6c0(0000) GS:ffff888237c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2c45ffff CR3: 000000010f6e0000 CR4: 0000000000350ef0
Call Trace:
 vma_modify+0x1b/0xc0 mm/vma.c:1517
 vma_modify_flags+0x93/0xc0 mm/vma.c:1551
 mlock_fixup+0xa3/0x130 mm/mlock.c:481
 apply_mlockall_flags+0x15b/0x190 mm/mlock.c:734
 __ia32_sys_munlockall+0x43/0xf0 mm/mlock.c:780
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xe2/0x210 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fcd247be969
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fcd2422f038 EFLAGS: 00000246 ORIG_RAX: 0000000000000098
RAX: ffffffffffffffda RBX: 00007fcd249e5fa0 RCX: 00007fcd247be969
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 00007fcd2422f090 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 0000000000000000 R14: 00007fcd249e5fa0 R15: 00007ffc516c0dd8
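To make the madvise() walk described in the culprit commit message concrete, here is a toy C model added by the editor; it is not kernel code and not part of this syzbot report. It assumes two VMAs, a range starting inside the first, and a merge attempt whose commit step fails for lack of memory: before the fix the walk hands visit() a zero-length range (the point where VM_WARN_ON_VMG fires), after the fix vma_modify() gives up with -ENOMEM and the VMA layout is left untouched. find_vma, split_vma, merge_existing_range, vma_modify and walk are simplified stand-ins, not the kernel functions of those names.

```c
/* Toy model of the madvise() walk described in the commit message; not kernel code. VMAs are
 * sorted [vm_start, vm_end) page intervals; struct vmg stands in for vma_merge_struct. */
struct vma { unsigned long vm_start, vm_end; };
struct mm  { struct vma v[8]; int n; };
struct vmg { unsigned long start, end; int nomem; };
static struct vma *find_vma(struct mm *mm, unsigned long addr) {
	for (int i = 0; i < mm->n; i++)
		if (addr < mm->v[i].vm_end) return &mm->v[i];
	return 0;
}

/* Split at addr: vma keeps [vm_start, addr); a new VMA [addr, old vm_end) is inserted after it. */
static void split_vma(struct mm *mm, struct vma *vma, unsigned long addr) {
	int i = (int)(vma - mm->v);
	for (int j = mm->n; j > i + 1; j--)
		mm->v[j] = mm->v[j - 1];
	mm->v[i + 1] = (struct vma){ addr, vma->vm_end };
	vma->vm_end = addr;
	mm->n++;
}

/* "Merge right, cannot remove middle": vmg->start/end are rewritten to vma->vm_start, start
 * before the commit; the commit is assumed to fail for lack of memory and the rewrite stays. */
static struct vma *merge_existing_range(struct vma *vma, struct vmg *vmg) {
	vmg->end = vmg->start;
	vmg->start = vma->vm_start;
	vmg->nomem = 1;
	return 0;
}

/* fixed=0: keep reading vmg->start/end after the failed merge, so the trailing split fires at
 * the stale end. fixed=1: snapshot the bounds first and give up on the out-of-memory result. */
static int vma_modify(struct mm *mm, struct vma *vma, struct vmg *vmg, int fixed) {
	unsigned long start = vmg->start, end = vmg->end;
	if (merge_existing_range(vma, vmg)) return 0;
	if (fixed && vmg->nomem) return -12;		/* -ENOMEM: bail out early */
	if (!fixed) start = vmg->start, end = vmg->end;	/* the bug: trust the mutated vmg */
	if (vma->vm_start < start)			/* split any preceding portion */
		split_vma(mm, vma, start);
	if (vma->vm_end > end)				/* split any trailing portion */
		split_vma(mm, vma, end);
	return 0;
}
/* Model of madvise_walk_vmas() over [start, end): returns 1 if a zero-length range would reach
 * visit() (where the kernel's VM_WARN_ON_VMG fires), 0 when the walk completes, <0 on error. */
static int walk(struct mm *mm, unsigned long start, unsigned long end, int fixed) {
	struct vma *vma = find_vma(mm, start), *prev = 0;
	while (vma) {
		unsigned long tmp = vma->vm_end < end ? vma->vm_end : end;
		if (start >= tmp) return 1;
		struct vmg vmg = { start, tmp, 0 };
		int err = vma_modify(mm, vma, &vmg, fixed);
		if (err) return err;
		prev = vma;				/* visit() leaves prev pointing at vma */
		start = tmp;
		if (start < prev->vm_end) start = prev->vm_end;
		if (start >= end) break;
		vma = find_vma(mm, prev->vm_end);	/* after the bad split this is 'new' */
	}
	return 0;
}
/* Constructed layout: vma [0x10,0x20), next [0x20,0x30), madvise range [0x18,0x28) inside vma. */
static int demo(int fixed, int *nvmas) {
	struct mm mm = { { { 0x10, 0x20 }, { 0x20, 0x30 } }, 2 };
	int r = walk(&mm, 0x18, 0x28, fixed);
	if (nvmas) *nvmas = mm.n;
	return r;
}
static int demo_vmas(int fixed) { int n = 0; demo(fixed, &n); return n; }
```

demo(0, ...) reproduces the commit message's sequence (the stale split creates 'new', the walk then lands on it with start == tmp), while demo(1, ...) stops at the first vma_modify() call and leaves the two original VMAs in place.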