ci starts bisection 2023-12-24 04:14:16.286920248 +0000 UTC m=+121283.883685456
bisecting cause commit starting from 39676dfe52331dba909c617f213fdb21015c8d10
building syzkaller on fb427a0782000106c62de76d251e5a02de5406a9
ensuring issue is reproducible on original commit 39676dfe52331dba909c617f213fdb21015c8d10
testing commit 39676dfe52331dba909c617f213fdb21015c8d10 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: bd658f6ab3e2cf522f75c9a1ebf3712d44be0e9121cb81e98983fb443aa9b3b4
all runs: crashed: general protection fault in scatterwalk_copychunks
representative crash: general protection fault in scatterwalk_copychunks, types: [UNKNOWN]
check whether we can drop unnecessary instrumentation
disabling configs for [UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
testing commit 39676dfe52331dba909c617f213fdb21015c8d10 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 68a7de39d1272196742b0c87428ca0049277d7fe0b3be3f419538c34fa445a42
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in scatterwalk_copychunks
representative crash: BUG: unable to handle kernel NULL pointer dereference in scatterwalk_copychunks, types: [UNKNOWN]
the bug reproduces without the instrumentation
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG KASAN], they are not needed
kconfig minimization: base=3923 full=7679 leaves diff=2009
split chunks (needed=false): <2009>
split chunk #0 of len 2009 into 5 parts
testing without sub-chunk 1/5
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG KASAN LOCKDEP], they are not needed
testing commit 39676dfe52331dba909c617f213fdb21015c8d10 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 9d407915ad386c7f6088651c8cf0ab53004a329f5b373b5aca756f2faf8673b2
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in scatterwalk_copychunks
representative crash: BUG: unable to handle kernel NULL pointer dereference in scatterwalk_copychunks, types: [UNKNOWN]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG KASAN], they are not needed
testing commit 39676dfe52331dba909c617f213fdb21015c8d10 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: c58055bdfaeb9e8230cd0076328adfcc4420dd794d49b50509cb4a4b41d8c0a9
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in scatterwalk_copychunks
representative crash: BUG: unable to handle kernel NULL pointer dereference in scatterwalk_copychunks, types: [UNKNOWN]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG KASAN LOCKDEP], they are not needed
testing commit 39676dfe52331dba909c617f213fdb21015c8d10 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f6890a19dc0a4003c596ab5dab6a48f9a9154d89a87544721ddef916076762cb
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in scatterwalk_copychunks
representative crash: BUG: unable to handle kernel NULL pointer dereference in scatterwalk_copychunks, types: [UNKNOWN]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [BUG KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit 39676dfe52331dba909c617f213fdb21015c8d10 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: c9a935ece4c25fbf6a0444320ba80356071687557198610f62a817243827f770
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in scatterwalk_copychunks
representative crash: BUG: unable to handle kernel NULL pointer dereference in scatterwalk_copychunks, types: [UNKNOWN]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
testing commit 39676dfe52331dba909c617f213fdb21015c8d10 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 4ed0d0dec3c4de926aaa2a8ed2580864fae2eaebe6cd6028236c75e0de82a7b4
all runs: OK
false negative chance: 0.000
minimized to 401 configs
disabling configs for [UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
picked [v6.6 v6.5 v6.4 v6.2 v6.0 v5.18 v5.16 v5.14 v5.11 v5.8 v5.5 v5.2 v4.20 v4.19] out of 29 release tags
testing release v6.6
testing commit ffc253263a1375a65fa6c9f62a893e9767fbebfa gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: b040fbb5bb4efcd19588551cb98b7947709b416ffe29bbf5d4dcb55ad32606eb
all runs: OK
false negative chance: 0.000
# git bisect start 39676dfe52331dba909c617f213fdb21015c8d10 ffc253263a1375a65fa6c9f62a893e9767fbebfa
Bisecting: 14139 revisions left to test after this (roughly 14 steps)
[be47c8e326c2375200473e442f3481c386a955c4] Merge tag 'soundwire-6.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/vkoul/soundwire
testing commit be47c8e326c2375200473e442f3481c386a955c4 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 6d0658cf0b9f05c6857699e7aee6dd4235d4f37a6c7801d14fcd4f064d6d7961
all runs: OK
false negative chance: 0.000
# git bisect good be47c8e326c2375200473e442f3481c386a955c4
Bisecting: 7047 revisions left to test after this (roughly 13 steps)
[82820c01aa7745871dbd1b16607864d53ac69c28] Merge branch 'vfs.all' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs.git
testing commit 82820c01aa7745871dbd1b16607864d53ac69c28 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: dc9032dd9f7b014075e9a655713f2408d1a572dbae15a3fe0698576c4dc7f56a
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in scatterwalk_copychunks
representative crash: BUG: unable to handle kernel NULL pointer dereference in scatterwalk_copychunks, types: [UNKNOWN]
# git bisect bad 82820c01aa7745871dbd1b16607864d53ac69c28
Bisecting: 3545 revisions left to test after this (roughly 12 steps)
[21b73ffcc62ab772bc06e3e90bd87eff5e9e8ed4] Merge tag 'usb-6.7-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb
testing commit 21b73ffcc62ab772bc06e3e90bd87eff5e9e8ed4 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 4b80ba3f15114debed2edb0f024aab3a02a6ce748f437655da95cf94ac831ac4
all runs: OK
false negative chance: 0.000
# git bisect good 21b73ffcc62ab772bc06e3e90bd87eff5e9e8ed4
Bisecting: 1549 revisions left to test after this (roughly 11 steps)
[a0a5fae2ff1a31d85c213ee7b912632013d3f782] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc.git
testing commit a0a5fae2ff1a31d85c213ee7b912632013d3f782 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 16543a3e27d40497b4f3e3a5ec807bee831f7aa32a4055a22a11b377a96ecb44
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in scatterwalk_copychunks
representative crash: BUG: unable to handle kernel NULL pointer dereference in scatterwalk_copychunks, types: [UNKNOWN]
# git bisect bad a0a5fae2ff1a31d85c213ee7b912632013d3f782
Bisecting: 938 revisions left to test after this (roughly 10 steps)
[9a63d5058dd3545969ac8e825b34949c0e65376e] Merge branch 'mm-everything' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
testing commit 9a63d5058dd3545969ac8e825b34949c0e65376e gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 2caf00f3decb9e00ce7127685866e507d0d818c36693556acf38c46425c93ee3
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in scatterwalk_copychunks
representative crash: BUG: unable to handle kernel NULL pointer dereference in scatterwalk_copychunks, types: [UNKNOWN]
# git bisect bad 9a63d5058dd3545969ac8e825b34949c0e65376e
Bisecting: 527 revisions left to test after this (roughly 9 steps)
[f202b75080f451829f6f4e782d337d5b64585b9f] Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound.git
testing commit f202b75080f451829f6f4e782d337d5b64585b9f gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 57ca9e5138e228839262e67b64c35e87fd453f04bb2f247e4241351867c6d41e
all runs: OK
false negative chance: 0.000
# git bisect good f202b75080f451829f6f4e782d337d5b64585b9f
Bisecting: 263 revisions left to test after this (roughly 8 steps)
[876ecc3eca4bade9e7d0f805600ead586cb3a238] kasan: clean up and rename ____kasan_kmalloc
testing commit 876ecc3eca4bade9e7d0f805600ead586cb3a238 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 5ba629c732e57009f998e87ce02e6eb40ef3487c784fc8f73a1b65f127855d93
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in scatterwalk_copychunks
representative crash: BUG: unable to handle kernel NULL pointer dereference in scatterwalk_copychunks, types: [UNKNOWN]
# git bisect bad 876ecc3eca4bade9e7d0f805600ead586cb3a238
Bisecting: 131 revisions left to test after this (roughly 7 steps)
[f1762cb3eaea34add3655ecd0be9a77aca4e884c] mm/damon/core-test: add a unit test for the feedback loop algorithm
testing commit f1762cb3eaea34add3655ecd0be9a77aca4e884c gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 063c0708def5482f1fba91e393b7f2195f6b514ac3bb1d032966d528575534f0
all runs: OK
false negative chance: 0.000
# git bisect good f1762cb3eaea34add3655ecd0be9a77aca4e884c
Bisecting: 65 revisions left to test after this (roughly 6 steps)
[45f8bd6c235a4782a62a7f7e2419e4b3046091d5] buffer: handle large folios in __block_write_begin_int()
testing commit 45f8bd6c235a4782a62a7f7e2419e4b3046091d5 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: bba9044ffb23a0a6380f85feab69794d4fdff427160dee503792155aef6b0190
all runs: OK
false negative chance: 0.000
# git bisect good 45f8bd6c235a4782a62a7f7e2419e4b3046091d5
Bisecting: 32 revisions left to test after this (roughly 5 steps)
[4dc0ce9028d343cfc387d123fd8a4f2c1072b199] mm: pass a folio to swap_readpage_fs()
testing commit 4dc0ce9028d343cfc387d123fd8a4f2c1072b199 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 3280f4ef527c516f5ec88c07ed56ea93732a7f1f80fe57fc71ef675f7f037c2f
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in scatterwalk_copychunks
representative crash: BUG: unable to handle kernel NULL pointer dereference in scatterwalk_copychunks, types: [UNKNOWN]
# git bisect bad 4dc0ce9028d343cfc387d123fd8a4f2c1072b199
Bisecting: 16 revisions left to test after this (roughly 4 steps)
[d209f5c37aad3519cb406a86a1d51d91be0c0443] mm: convert collapse_huge_page() to use a folio
testing commit d209f5c37aad3519cb406a86a1d51d91be0c0443 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 90b98876547b9b578f65bb4390a8da64d2ea41454f68309306312f744b1a268f
all runs: OK
false negative chance: 0.000
# git bisect good d209f5c37aad3519cb406a86a1d51d91be0c0443
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[b221eb99a1086d0fbfa3b8cc29de4d5c7366f069] mm/zswap: refactor out __zswap_load()
testing commit b221eb99a1086d0fbfa3b8cc29de4d5c7366f069 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 6f98f05ef2671787e14d0627f73f5a2a29fdb9186f03d4bdf4a36f7a51286bd4
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in scatterwalk_copychunks
representative crash: BUG: unable to handle kernel NULL pointer dereference in scatterwalk_copychunks, types: [UNKNOWN]
# git bisect bad b221eb99a1086d0fbfa3b8cc29de4d5c7366f069
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[679e3118cd9db1a5f7f03f1e7368e85a6bd0a212] mm/ksm: add tracepoint for ksm advisor
testing commit 679e3118cd9db1a5f7f03f1e7368e85a6bd0a212 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 0e12f422854791612d5220990779310baf33012190ade797352110d3dfabc465
all runs: OK
false negative chance: 0.000
# git bisect good 679e3118cd9db1a5f7f03f1e7368e85a6bd0a212
Bisecting: 1 revision left to test after this (roughly 1 step)
[7bc134496bbbaacb0d4423b819da4eca850a839d] mm/zswap: change dstmem size to one page
testing commit 7bc134496bbbaacb0d4423b819da4eca850a839d gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 8ea595c3f529e4dd956b39397611a4ea2957efc58837a5b1f22348c6bc71863f
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in scatterwalk_copychunks
representative crash: BUG: unable to handle kernel NULL pointer dereference in scatterwalk_copychunks, types: [UNKNOWN]
# git bisect bad 7bc134496bbbaacb0d4423b819da4eca850a839d
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[0540593cc7204d537b9ed143be5f63828c3dc4f8] mm/ksm: document ksm advisor and its sysfs knobs
testing commit 0540593cc7204d537b9ed143be5f63828c3dc4f8 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 50869abd372e2ab4cd852383b3a471292f3a0abc12570c6678b476d62f0b0a31
all runs: OK
false negative chance: 0.000
# git bisect good 0540593cc7204d537b9ed143be5f63828c3dc4f8
7bc134496bbbaacb0d4423b819da4eca850a839d is the first bad commit
commit 7bc134496bbbaacb0d4423b819da4eca850a839d
Author: Chengming Zhou
Date: Mon Dec 18 11:50:31 2023 +0000

    mm/zswap: change dstmem size to one page

    Patch series "mm/zswap: dstmem reuse optimizations and cleanups", v3.

    The problem this series tries to optimize is that zswap_load() and zswap_writeback_entry() have to malloc a temporary memory to support !zpool_can_sleep_mapped(). We can avoid it by reusing the percpu crypto_acomp_ctx->dstmem, which is also used by zswap_store() and protected by the same percpu crypto_acomp_ctx->mutex.

    This patch (of 6):

    Change the dstmem size from 2 * PAGE_SIZE to only one page since we only need at most one page when compress, and the "dlen" is also PAGE_SIZE in acomp_request_set_params(). If the output size > PAGE_SIZE we don't wanna store the output in zswap anyway.

    So change it to one page, and delete the stale comment.

    There is not any history about the reason why we needed 2 pages, it has been 2 * PAGE_SIZE since the time zswap was first merged.

    According to Yosry and Nhat, one potential reason is that we used to store a zswap header containing the swap entry in the compressed page for writeback purposes, but we don't do that anymore.

    This patch works good in kernel build testing even when the input data doesn't compress at all (i.e. dlen == PAGE_SIZE), which we can see from the bpftrace tool:

    bpftrace -e 'k:zpool_malloc {@[(uint32)arg1==4096]=count()}'
    @[1]: 2
    @[0]: 12011430

    Link: https://lkml.kernel.org/r/20231213-zswap-dstmem-v3-0-4eac09b94ece@bytedance.com
    Link: https://lkml.kernel.org/r/20231213-zswap-dstmem-v3-1-4eac09b94ece@bytedance.com
    Signed-off-by: Chengming Zhou
    Reviewed-by: Yosry Ahmed
    Reviewed-by: Nhat Pham
    Acked-by: Chris Li (Google)
    Cc: Chengming Zhou
    Cc: Dan Streetman
    Cc: Johannes Weiner
    Cc: Seth Jennings
    Cc: Vitaly Wool
    Signed-off-by: Andrew Morton

 mm/zswap.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
accumulated error probability: 0.00
culprit signature: 8ea595c3f529e4dd956b39397611a4ea2957efc58837a5b1f22348c6bc71863f
parent signature: 50869abd372e2ab4cd852383b3a471292f3a0abc12570c6678b476d62f0b0a31
revisions tested: 23, total time: 3h55m15.99569129s (build: 1h33m19.827705589s, test: 2h6m27.179188605s)
first bad commit: 7bc134496bbbaacb0d4423b819da4eca850a839d mm/zswap: change dstmem size to one page
recipients (to): ["akpm@linux-foundation.org" "chrisl@kernel.org" "nphamcs@gmail.com" "yosryahmed@google.com" "zhouchengming@bytedance.com"]
recipients (cc): []
crash: BUG: unable to handle kernel NULL pointer dereference in scatterwalk_copychunks
BUG: kernel NULL pointer dereference, address: 0000000000000008
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 1172fb067 P4D 1172fb067 PUD 1172fa067 PMD 0
Oops: 0000 [#1] PREEMPT SMP
CPU: 0 PID: 2799 Comm: syz-executor.0 Not tainted 6.7.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
RIP: 0010:scatterwalk_start include/crypto/scatterwalk.h:63 [inline]
RIP: 0010:scatterwalk_pagedone include/crypto/scatterwalk.h:83 [inline]
RIP: 0010:scatterwalk_pagedone include/crypto/scatterwalk.h:72 [inline]
RIP: 0010:scatterwalk_copychunks+0x111/0x160 crypto/scatterwalk.c:50
Code: ff ff 01 da 89 db 49 39 df 41 89 56 08 74 46 8b 47 0c 49 01 dc 49 29 df 03 47 08 39 c2 72 da e8 35 6e 07 00 48 89 c7 49 89 06 <8b> 40 08 41 89 46 08 89 c2 03 47 0c e9 10 ff ff ff 48 89 fe 4c 89
RSP: 0018:ffffc90005597710 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000001000 RCX: 0000000000000000
RDX: 0000000000001000 RSI: ffffc90006d83000 RDI: 0000000000000000
RBP: 0000000000000001 R08: ee62b060177e79bb R09: 0491b0a3b67464e6
R10: 78fbfbe0669080c7 R11: 82d8bd1b6060f805 R12: ffffc90006d83000
R13: 0000000000001000 R14: ffffc90005597750 R15: 0000000000000014
FS: 00007fb3702ef6c0(0000) GS:ffff888237c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000008 CR3: 00000001173fb000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 scatterwalk_map_and_copy+0x84/0xa0 crypto/scatterwalk.c:67
 scomp_acomp_comp_decomp+0xc6/0x110 crypto/scompress.c:149
 crypto_acomp_compress include/crypto/acompress.h:302 [inline]
 zswap_store+0x417/0xd70 mm/zswap.c:1674
 swap_writepage+0x2e/0xb0 mm/page_io.c:198
 pageout+0x11b/0x2f0 mm/vmscan.c:656
 shrink_folio_list+0xcef/0xf10 mm/vmscan.c:1319
 reclaim_folio_list+0x7f/0x120 mm/vmscan.c:2104
 reclaim_pages+0x150/0x1c0 mm/vmscan.c:2140
 madvise_cold_or_pageout_pte_range+0x2fa/0x620 mm/madvise.c:526
 walk_pmd_range mm/pagewalk.c:143 [inline]
 walk_pud_range mm/pagewalk.c:221 [inline]
 walk_p4d_range mm/pagewalk.c:256 [inline]
 walk_pgd_range+0x415/0x720 mm/pagewalk.c:293
 __walk_page_range+0x200/0x220 mm/pagewalk.c:395
 walk_page_range+0x1df/0x2e0 mm/pagewalk.c:521
 madvise_pageout_page_range mm/madvise.c:585 [inline]
 madvise_pageout+0xff/0x260 mm/madvise.c:612
 madvise_vma_behavior mm/madvise.c:1031 [inline]
 madvise_walk_vmas mm/madvise.c:1260 [inline]
 do_madvise+0x6f2/0xfb0 mm/madvise.c:1440
 __do_sys_madvise mm/madvise.c:1453 [inline]
 __se_sys_madvise mm/madvise.c:1451 [inline]
 __x64_sys_madvise+0x27/0x30 mm/madvise.c:1451
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7fb37076cce9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fb3702ef0c8 EFLAGS: 00000246 ORIG_RAX: 000000000000001c
RAX: ffffffffffffffda RBX: 00007fb37088bf80 RCX: 00007fb37076cce9
RDX: 0000000000000015 RSI: 0000000000c00304 RDI: 0000000020000000
RBP: 00007fb3707b947a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007fb37088bf80 R15: 00007ffef11347d8
Modules linked in:
CR2: 0000000000000008
---[ end trace 0000000000000000 ]---
RIP: 0010:scatterwalk_start include/crypto/scatterwalk.h:63 [inline]
RIP: 0010:scatterwalk_pagedone include/crypto/scatterwalk.h:83 [inline]
RIP: 0010:scatterwalk_pagedone include/crypto/scatterwalk.h:72 [inline]
RIP: 0010:scatterwalk_copychunks+0x111/0x160 crypto/scatterwalk.c:50
Code: ff ff 01 da 89 db 49 39 df 41 89 56 08 74 46 8b 47 0c 49 01 dc 49 29 df 03 47 08 39 c2 72 da e8 35 6e 07 00 48 89 c7 49 89 06 <8b> 40 08 41 89 46 08 89 c2 03 47 0c e9 10 ff ff ff 48 89 fe 4c 89
RSP: 0018:ffffc90005597710 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000001000 RCX: 0000000000000000
RDX: 0000000000001000 RSI: ffffc90006d83000 RDI: 0000000000000000
RBP: 0000000000000001 R08: ee62b060177e79bb R09: 0491b0a3b67464e6
R10: 78fbfbe0669080c7 R11: 82d8bd1b6060f805 R12: ffffc90006d83000
R13: 0000000000001000 R14: ffffc90005597750 R15: 0000000000000014
FS: 00007fb3702ef6c0(0000) GS:ffff888237c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000008 CR3: 00000001173fb000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess), 1 bytes skipped:
   0:  ff 01                 incl   (%rcx)
   2:  da 89 db 49 39 df     fimull -0x20c6b625(%rcx)
   8:  41 89 56 08           mov    %edx,0x8(%r14)
   c:  74 46                 je     0x54
   e:  8b 47 0c              mov    0xc(%rdi),%eax
  11:  49 01 dc              add    %rbx,%r12
  14:  49 29 df              sub    %rbx,%r15
  17:  03 47 08              add    0x8(%rdi),%eax
  1a:  39 c2                 cmp    %eax,%edx
  1c:  72 da                 jb     0xfffffff8
  1e:  e8 35 6e 07 00        call   0x76e58
  23:  48 89 c7              mov    %rax,%rdi
  26:  49 89 06              mov    %rax,(%r14)
* 29:  8b 40 08              mov    0x8(%rax),%eax <-- trapping instruction
  2c:  41 89 46 08           mov    %eax,0x8(%r14)
  30:  89 c2                 mov    %eax,%edx
  32:  03 47 0c              add    0xc(%rdi),%eax
  35:  e9 10 ff ff ff        jmp    0xffffff4a
  3a:  48 89 fe              mov    %rdi,%rsi
  3d:  4c                    rex.WR
  3e:  89                    .byte 0x89