ci2 starts bisection 2024-01-10 17:21:09.757980302 +0000 UTC m=+8632.047087674
bisecting fixing commit since 4a61839152cc3e9e00ac059d73a28d148d622b30
building syzkaller on c4ac074caa7ae68aef44c619a09b02832cc91f35
ensuring issue is reproducible on original commit 4a61839152cc3e9e00ac059d73a28d148d622b30
testing commit 4a61839152cc3e9e00ac059d73a28d148d622b30 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: db74c99eef9dd6ac28620d56fb2f3574a88b3b0440200e5fa8ccb2912bc0b247
all runs: crashed: general protection fault in __unmap_hugepage_range_final
representative crash: general protection fault in __unmap_hugepage_range_final, types: [UNKNOWN]
check whether we can drop unnecessary instrumentation
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG KASAN], they are not needed
testing commit 4a61839152cc3e9e00ac059d73a28d148d622b30 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 85a320cc88bba1f6376f5b7c339711d17efc4c3792e30ddd14939f612e028b09
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in __unmap_hugepage_range_final
representative crash: BUG: unable to handle kernel NULL pointer dereference in __unmap_hugepage_range_final, types: [UNKNOWN]
the bug reproduces without the instrumentation
disabling configs for [KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
kconfig minimization: base=3820 full=7526 leaves diff=1996
split chunks (needed=false): <1996>
split chunk #0 of len 1996 into 5 parts
testing without sub-chunk 1/5
disabling configs for [LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP HANG], they are not needed
testing commit 4a61839152cc3e9e00ac059d73a28d148d622b30 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 5ac0259142e4b6d93bd64075a7ee8957496785ea3e4d12e6d3d64b137053436a
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in __unmap_hugepage_range_final
representative crash: BUG: unable to handle kernel NULL pointer dereference in __unmap_hugepage_range_final, types: [UNKNOWN]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
testing commit 4a61839152cc3e9e00ac059d73a28d148d622b30 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: a5136b4b2b74e651ec2e5e8927075e3c83e7726ea3550079768672fb4e75eea8
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in __unmap_hugepage_range_final
representative crash: BUG: unable to handle kernel NULL pointer dereference in __unmap_hugepage_range_final, types: [UNKNOWN]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP HANG], they are not needed
testing commit 4a61839152cc3e9e00ac059d73a28d148d622b30 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: df4ae85734bf1b9dc2f618d1c130ade0a82b1b659294a1fbdaab38c7ea711270
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in __unmap_hugepage_range_final
representative crash: BUG: unable to handle kernel NULL pointer dereference in __unmap_hugepage_range_final, types: [UNKNOWN]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
testing commit 4a61839152cc3e9e00ac059d73a28d148d622b30 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: bfebf177a97b082f6174d35c8fe86881e3a9e5365a3610a3605d78775014d8cf
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in __unmap_hugepage_range_final
representative crash: BUG: unable to handle kernel NULL pointer dereference in __unmap_hugepage_range_final, types: [UNKNOWN]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP HANG], they are not needed
testing commit 4a61839152cc3e9e00ac059d73a28d148d622b30 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: b86612eae1beb4c22089701d889fcf104c7ac20f20cf76df7442920f16ed80f9
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in __unmap_hugepage_range_final
representative crash: BUG: unable to handle kernel NULL pointer dereference in __unmap_hugepage_range_final, types: [UNKNOWN]
the chunk can be dropped
disabling configs for [LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP HANG], they are not needed
testing current HEAD 7c58bfa711cb556ef1edc48e7dfa6d84e5fb8912
testing commit 7c58bfa711cb556ef1edc48e7dfa6d84e5fb8912 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 53b26d11a0c4f4d45cf589bfdb2ac60b910b20fb289b5c0fd132dd054173c114
all runs: OK
false negative chance: 0.000
# git bisect start 7c58bfa711cb556ef1edc48e7dfa6d84e5fb8912 4a61839152cc3e9e00ac059d73a28d148d622b30
Bisecting: 839 revisions left to test after this (roughly 10 steps)
[8025fd0706c850e3b296dd2947c0e0e3c08d6d7d] net: axienet: Fix check for partial TX checksum
determine whether the revision contains the guilty commit
revision 4a61839152cc3e9e00ac059d73a28d148d622b30 crashed and is reachable
testing commit 8025fd0706c850e3b296dd2947c0e0e3c08d6d7d gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 0ed77db2fb0748e2046c99e0aa2301106e9f8135d71dfe99887053936f729775
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in __unmap_hugepage_range_final
representative crash: BUG: unable to handle kernel NULL pointer dereference in __unmap_hugepage_range_final, types: [UNKNOWN]
# git bisect good 8025fd0706c850e3b296dd2947c0e0e3c08d6d7d
Bisecting: 419 revisions left to test after this (roughly 9 steps)
[5fb6772cb573b18ee90bf87d45e7fa744c89abb2] stmmac: dwmac-loongson: Add architecture dependency
determine whether the revision contains the guilty commit
revision 4a61839152cc3e9e00ac059d73a28d148d622b30 crashed and is reachable
testing commit 5fb6772cb573b18ee90bf87d45e7fa744c89abb2 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 7efc7ddc57185bbe562cdcff5a8dd52b4c8c698727a9d0ebad75ae4efd0e8810
all runs: OK
false negative chance: 0.000
# git bisect bad 5fb6772cb573b18ee90bf87d45e7fa744c89abb2
Bisecting: 209 revisions left to test after this (roughly 8 steps)
[9fc81912fcdbf04aa0e5f562778bec72128207c0] net: bnxt: fix a potential use-after-free in bnxt_init_tc
determine whether the revision contains the guilty commit
revision 4a61839152cc3e9e00ac059d73a28d148d622b30 crashed and is reachable
testing commit 9fc81912fcdbf04aa0e5f562778bec72128207c0 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 2352836b5c48b1fb901e6e6a75f339653648b3f3fce5f9d5835607e645aba697
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in __unmap_hugepage_range_final
representative crash: BUG: unable to handle kernel NULL pointer dereference in __unmap_hugepage_range_final, types: [UNKNOWN]
# git bisect good 9fc81912fcdbf04aa0e5f562778bec72128207c0
Bisecting: 104 revisions left to test after this (roughly 7 steps)
[df4aa7e84d00e316a0e24a698d1922116e2379be] tracing: Set actual size after ring buffer resize
determine whether the revision contains the guilty commit
revision 4a61839152cc3e9e00ac059d73a28d148d622b30 crashed and is reachable
testing commit df4aa7e84d00e316a0e24a698d1922116e2379be gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f9205d7cf75fa7954c7c1006ea55c627390bd2b63fb29733b3582f1a5bfd94b8
all runs: OK
false negative chance: 0.000
# git bisect bad df4aa7e84d00e316a0e24a698d1922116e2379be
Bisecting: 52 revisions left to test after this (roughly 6 steps)
[4d8cc87d1845b85ad15dbbd88e7bceaf2bfa7eed] scsi: be2iscsi: Fix a memleak in beiscsi_init_wrb_handle()
determine whether the revision contains the guilty commit
revision 9fc81912fcdbf04aa0e5f562778bec72128207c0 crashed and is reachable
testing commit 4d8cc87d1845b85ad15dbbd88e7bceaf2bfa7eed gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d0d62fd4248ddb8b564b50dc36c1cedf4bc70256b4eb078ee41a618fa53ef6d7
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in __unmap_hugepage_range_final
representative crash: BUG: unable to handle kernel NULL pointer dereference in __unmap_hugepage_range_final, types: [UNKNOWN]
# git bisect good 4d8cc87d1845b85ad15dbbd88e7bceaf2bfa7eed
Bisecting: 26 revisions left to test after this (roughly 5 steps)
[b00b50091693918c91ca12a99b699cb126b7023d] tracing: Fix incomplete locking when disabling buffered events
determine whether the revision contains the guilty commit
revision 9fc81912fcdbf04aa0e5f562778bec72128207c0 crashed and is reachable
testing commit b00b50091693918c91ca12a99b699cb126b7023d gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ce849aa6ca8fc634780a3608c3c5afbe60686f3d47a543bed141a30a2e4c73a4
run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in __unmap_hugepage_range_final
run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in __unmap_hugepage_range_final
run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in __unmap_hugepage_range_final
run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in __unmap_hugepage_range_final
run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in __unmap_hugepage_range_final
run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in __unmap_hugepage_range_final
run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in __unmap_hugepage_range_final
run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in __unmap_hugepage_range_final
run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in __unmap_hugepage_range_final
run #9: boot failed: can't ssh into the instance
representative crash: BUG: unable to handle kernel NULL pointer dereference in __unmap_hugepage_range_final, types: [UNKNOWN]
# git bisect good b00b50091693918c91ca12a99b699cb126b7023d
Bisecting: 13 revisions left to test after this (roughly 4 steps)
[e1d4f02a68d31f4ecd1f93a0104b7cad768aaebf] arm64: dts: mediatek: mt8173-evb: Fix regulator-fixed node names
determine whether the revision contains the guilty commit
revision 8025fd0706c850e3b296dd2947c0e0e3c08d6d7d crashed and is reachable
testing commit e1d4f02a68d31f4ecd1f93a0104b7cad768aaebf gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 5cc0e7c3b78ec1ab93131d96f39c119bfaa30908fb7a5e7fbebf0ab2835a333f
all runs: OK
false negative chance: 0.000
# git bisect bad e1d4f02a68d31f4ecd1f93a0104b7cad768aaebf
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[574a6db80f3eff7cb3a27aa92d126a69895a285d] hugetlb: fix null-ptr-deref in hugetlb_vma_lock_write
determine whether the revision contains the guilty commit
revision 4a61839152cc3e9e00ac059d73a28d148d622b30 crashed and is reachable
testing commit 574a6db80f3eff7cb3a27aa92d126a69895a285d gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 67312f59be473b3ced1382096b6627f0aafbceb021588236f0ce20dd29a8132c
all runs: OK
false negative chance: 0.000
# git bisect bad 574a6db80f3eff7cb3a27aa92d126a69895a285d
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[1c1c6d5c7e14c98336433195de5de38ab16116d6] r8169: fix rtl8125b PAUSE frames blasting when suspended
determine whether the revision contains the guilty commit
revision 8025fd0706c850e3b296dd2947c0e0e3c08d6d7d crashed and is reachable
testing commit 1c1c6d5c7e14c98336433195de5de38ab16116d6 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d37e0025eda6c1a734bbdd4499a622124cbcee0e3d1b2b5f726ecbeb3e4b947a
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in __unmap_hugepage_range_final
representative crash: BUG: unable to handle kernel NULL pointer dereference in __unmap_hugepage_range_final, types: [UNKNOWN]
# git bisect good 1c1c6d5c7e14c98336433195de5de38ab16116d6
Bisecting: 0 revisions left to test after this (roughly 1 step)
[f5e6958919e0d70e3be8c30dfafae02ee16cfbf0] platform/surface: aggregator: fix recv_buf() return value
determine whether the revision contains the guilty commit
revision 4a61839152cc3e9e00ac059d73a28d148d622b30 crashed and is reachable
testing commit f5e6958919e0d70e3be8c30dfafae02ee16cfbf0 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 1577e9fdff5dec398ffc74432d88cb9400438706dac7f93c750bec00ed55f5b4
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in __unmap_hugepage_range_final
representative crash: BUG: unable to handle kernel NULL pointer dereference in __unmap_hugepage_range_final, types: [UNKNOWN]
# git bisect good f5e6958919e0d70e3be8c30dfafae02ee16cfbf0
574a6db80f3eff7cb3a27aa92d126a69895a285d is the first bad commit
commit 574a6db80f3eff7cb3a27aa92d126a69895a285d
Author: Mike Kravetz
Date:   Mon Nov 13 17:20:33 2023 -0800

    hugetlb: fix null-ptr-deref in hugetlb_vma_lock_write

    commit 187da0f8250aa94bd96266096aef6f694e0b4cd2 upstream.

    The routine __vma_private_lock tests for the existence of a reserve map associated with a private hugetlb mapping. A pointer to the reserve map is in vma->vm_private_data. __vma_private_lock was checking the pointer for NULL. However, it is possible that the low bits of the pointer could be used as flags. In such instances, vm_private_data is not NULL and not a valid pointer. This results in the null-ptr-deref reported by syzbot:

    general protection fault, probably for non-canonical address 0xdffffc000000001d: 0000 [#1] PREEMPT SMP KASAN
    KASAN: null-ptr-deref in range [0x00000000000000e8-0x00000000000000ef]
    CPU: 0 PID: 5048 Comm: syz-executor139 Not tainted 6.6.0-rc7-syzkaller-00142-g888cf78c29e2 #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
    RIP: 0010:__lock_acquire+0x109/0x5de0 kernel/locking/lockdep.c:5004
    ...
    Call Trace:
     lock_acquire kernel/locking/lockdep.c:5753 [inline]
     lock_acquire+0x1ae/0x510 kernel/locking/lockdep.c:5718
     down_write+0x93/0x200 kernel/locking/rwsem.c:1573
     hugetlb_vma_lock_write mm/hugetlb.c:300 [inline]
     hugetlb_vma_lock_write+0xae/0x100 mm/hugetlb.c:291
     __hugetlb_zap_begin+0x1e9/0x2b0 mm/hugetlb.c:5447
     hugetlb_zap_begin include/linux/hugetlb.h:258 [inline]
     unmap_vmas+0x2f4/0x470 mm/memory.c:1733
     exit_mmap+0x1ad/0xa60 mm/mmap.c:3230
     __mmput+0x12a/0x4d0 kernel/fork.c:1349
     mmput+0x62/0x70 kernel/fork.c:1371
     exit_mm kernel/exit.c:567 [inline]
     do_exit+0x9ad/0x2a20 kernel/exit.c:861
     __do_sys_exit kernel/exit.c:991 [inline]
     __se_sys_exit kernel/exit.c:989 [inline]
     __x64_sys_exit+0x42/0x50 kernel/exit.c:989
     do_syscall_x64 arch/x86/entry/common.c:50 [inline]
     do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
     entry_SYSCALL_64_after_hwframe+0x63/0xcd

    Mask off low bit flags before checking for NULL pointer. In addition, the reserve map only 'belongs' to the OWNER (parent in parent/child relationships) so also check for the OWNER flag.

    Link: https://lkml.kernel.org/r/20231114012033.259600-1-mike.kravetz@oracle.com
    Reported-by: syzbot+6ada951e7c0f7bc8a71e@syzkaller.appspotmail.com
    Closes: https://lore.kernel.org/linux-mm/00000000000078d1e00608d7878b@google.com/
    Fixes: bf4916922c60 ("hugetlbfs: extend hugetlb_vma_lock to private VMAs")
    Signed-off-by: Mike Kravetz
    Reviewed-by: Rik van Riel
    Cc: Edward Adam Davis
    Cc: Muchun Song
    Cc: Nathan Chancellor
    Cc: Nick Desaulniers
    Cc: Tom Rix
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman

 include/linux/hugetlb.h | 5 +----
 mm/hugetlb.c            | 7 +++++++
 2 files changed, 8 insertions(+), 4 deletions(-)

accumulated error probability: 0.00
culprit signature: 67312f59be473b3ced1382096b6627f0aafbceb021588236f0ce20dd29a8132c
parent signature: 1577e9fdff5dec398ffc74432d88cb9400438706dac7f93c750bec00ed55f5b4
revisions tested: 18, total time: 3h22m18.838299198s (build: 58m54.828856879s, test: 2h17m13.26278979s)
first good commit: 574a6db80f3eff7cb3a27aa92d126a69895a285d hugetlb: fix null-ptr-deref in hugetlb_vma_lock_write
recipients (to): ["akpm@linux-foundation.org" "gregkh@linuxfoundation.org" "mike.kravetz@oracle.com" "riel@surriel.com"]
recipients (cc): []