bisecting cause commit starting from 647060f3b592d3c8df0c85dd887557b03e6ea897 building syzkaller on d4f4eca56fbea6f58a4d5adfd19cb5e0dc32fe46 testing commit 647060f3b592d3c8df0c85dd887557b03e6ea897 with gcc (GCC) 8.1.0 kernel signature: 615a2932af749cdbeb68026831cb533ac74f4e594c01b716effa29ce4422b7f0 all runs: crashed: kernel BUG in split_huge_page_to_list testing release v5.10 testing commit 2c85ebc57b3e1817b6ce1a6b703928e113a90442 with gcc (GCC) 8.1.0 kernel signature: 395a614079c9030036488f72c030c4708fae86b9aba956ca15d15003efd3a593 all runs: OK # git bisect start 647060f3b592d3c8df0c85dd887557b03e6ea897 2c85ebc57b3e1817b6ce1a6b703928e113a90442 Bisecting: 9465 revisions left to test after this (roughly 13 steps) [84e010ec8f8668c579b78a27b0e81a49ac6c837a] Merge tag 'backlight-next-5.11' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/backlight testing commit 84e010ec8f8668c579b78a27b0e81a49ac6c837a with gcc (GCC) 8.1.0 kernel signature: 5c2407fe4b584d04dd52fb84552a61ecfac3d30c19eb9db74e7b875a78360202 all runs: OK # git bisect good 84e010ec8f8668c579b78a27b0e81a49ac6c837a Bisecting: 4737 revisions left to test after this (roughly 12 steps) [9348b73c2e1bfea74ccd4a44fb4ccc7276ab9623] mm: don't play games with pinned pages in clear_page_refs testing commit 9348b73c2e1bfea74ccd4a44fb4ccc7276ab9623 with gcc (GCC) 8.1.0 kernel signature: 0c74d32b44671683209ad6bed5657b24bd9d338481ecca388c60daf4d36f40bb all runs: OK # git bisect good 9348b73c2e1bfea74ccd4a44fb4ccc7276ab9623 Bisecting: 2463 revisions left to test after this (roughly 11 steps) [124021c2d4a296c775a5b259930bc1a19b95b87b] Merge remote-tracking branch 'crypto/master' testing commit 124021c2d4a296c775a5b259930bc1a19b95b87b with gcc (GCC) 8.1.0 kernel signature: dc5d24cd83d88b17a21622ce34518781805d120bb4c25e73c924d5ea869bca67 all runs: OK # git bisect good 124021c2d4a296c775a5b259930bc1a19b95b87b Bisecting: 1223 revisions left to test after this (roughly 10 steps) [c02683140a9aa6a8207d23d4b7fe5fb1b9a90c18] Merge remote-tracking branch 'spi/for-next' testing commit c02683140a9aa6a8207d23d4b7fe5fb1b9a90c18 with gcc (GCC) 8.1.0 kernel signature: 90bbd1158d87b47f6735a98489b3a7ec88cf81be05ec85b53846ac2a9f7a9ec0 all runs: OK # git bisect good c02683140a9aa6a8207d23d4b7fe5fb1b9a90c18 Bisecting: 618 revisions left to test after this (roughly 9 steps) [2bdf8202558c414a43ecaffc24181526e12a0922] Merge remote-tracking branch 'thunderbolt/next' testing commit 2bdf8202558c414a43ecaffc24181526e12a0922 with gcc (GCC) 8.1.0 kernel signature: 5fe84c2e8d13319ffb2e3e2f5761ae1359cd779f80d20e2f6a5f7de433829ceb all runs: OK # git bisect good 2bdf8202558c414a43ecaffc24181526e12a0922 Bisecting: 307 revisions left to test after this (roughly 8 steps) [2b6b0c826680335be0fd31cd43320a9ab7d843b6] Merge remote-tracking branch 'rtc/rtc-next' testing commit 2b6b0c826680335be0fd31cd43320a9ab7d843b6 with gcc (GCC) 8.1.0 kernel signature: a78c250ce439deb524c7cbc8c765cd1378ba5e8880e43c51f10bfb3a7b90acac all runs: OK # git bisect good 2b6b0c826680335be0fd31cd43320a9ab7d843b6 Bisecting: 153 revisions left to test after this (roughly 7 steps) [1f8ba0613af0c5eb9d2dac9bed3692fbb81029cc] x86, kfence: enable KFENCE for x86 testing commit 1f8ba0613af0c5eb9d2dac9bed3692fbb81029cc with gcc (GCC) 8.1.0 kernel signature: 4d8bda7940996c790ac5ab8558c136c1edd231dca7939b559d39aa23baa332ef all runs: crashed: kernel BUG in split_huge_page_to_list # git bisect bad 1f8ba0613af0c5eb9d2dac9bed3692fbb81029cc Bisecting: 76 revisions left to test after this (roughly 6 steps) [4ea35fc5cd2619e336b312f33ac34e81fc2603ce] kasan: add compiler barriers to KUNIT_EXPECT_KASAN_FAIL testing commit 4ea35fc5cd2619e336b312f33ac34e81fc2603ce with gcc (GCC) 8.1.0 kernel signature: 8f0bbbe17b14a9060f138d3cc3d04ccb04c39366de5f44731784bfa485f75bc2 all runs: crashed: kernel BUG in split_huge_page_to_list # git bisect bad 4ea35fc5cd2619e336b312f33ac34e81fc2603ce Bisecting: 38 revisions left to test after this (roughly 5 steps) [1131f0c2d2c68cd451527ef18ef919ffea658fbb] mm, slub: stop freeing kmem_cache_node structures on node offline testing commit 1131f0c2d2c68cd451527ef18ef919ffea658fbb with gcc (GCC) 8.1.0 kernel signature: 094a9bce194ef322c5a649329c52145733931ea86b00ff61708f7be23a7f8c70 all runs: OK # git bisect good 1131f0c2d2c68cd451527ef18ef919ffea658fbb Bisecting: 19 revisions left to test after this (roughly 4 steps) [930625198a35b774137d769312c9df65b89bcbc3] mm: memcontrol: make the slab calculation consistent testing commit 930625198a35b774137d769312c9df65b89bcbc3 with gcc (GCC) 8.1.0 kernel signature: a9d270568df363476a6fb08e9a66f3df14c7e54d32210f55a279eff1cbd4453c all runs: OK # git bisect good 930625198a35b774137d769312c9df65b89bcbc3 Bisecting: 9 revisions left to test after this (roughly 3 steps) [3f8c2aae5d454f0868f540db8ffc591d02bbd034] mm: rmap: explicitly reset vma->anon_vma in unlink_anon_vmas() testing commit 3f8c2aae5d454f0868f540db8ffc591d02bbd034 with gcc (GCC) 8.1.0 kernel signature: daad5ae6f94f167ce4f837b40dea7cc5e886b907668bdef12a0c2629928c05eb all runs: OK # git bisect good 3f8c2aae5d454f0868f540db8ffc591d02bbd034 Bisecting: 4 revisions left to test after this (roughly 2 steps) [f99984f35e15790cf24435418cdeda6bb6cf3bca] kasan: clean up comments in tests testing commit f99984f35e15790cf24435418cdeda6bb6cf3bca with gcc (GCC) 8.1.0 kernel signature: 8f0bbbe17b14a9060f138d3cc3d04ccb04c39366de5f44731784bfa485f75bc2 all runs: crashed: kernel BUG in split_huge_page_to_list # git bisect bad f99984f35e15790cf24435418cdeda6bb6cf3bca Bisecting: 2 revisions left to test after this (roughly 1 step) [e8eaf50dd374313d3ad8da39ef00469fc11a5d75] mm/page_reporting: use list_entry_is_head() in page_reporting_cycle() testing commit e8eaf50dd374313d3ad8da39ef00469fc11a5d75 with gcc (GCC) 8.1.0 kernel signature: 8f0bbbe17b14a9060f138d3cc3d04ccb04c39366de5f44731784bfa485f75bc2 all runs: crashed: kernel BUG in split_huge_page_to_list # git bisect bad e8eaf50dd374313d3ad8da39ef00469fc11a5d75 Bisecting: 0 revisions left to test after this (roughly 0 steps) [fbdbae3da30a149a55a5f1883bbbe17a27660e05] mm: mremap: unlink anon_vmas when mremap with MREMAP_DONTUNMAP success testing commit fbdbae3da30a149a55a5f1883bbbe17a27660e05 with gcc (GCC) 8.1.0 kernel signature: 8f0bbbe17b14a9060f138d3cc3d04ccb04c39366de5f44731784bfa485f75bc2 all runs: crashed: kernel BUG in split_huge_page_to_list # git bisect bad fbdbae3da30a149a55a5f1883bbbe17a27660e05 fbdbae3da30a149a55a5f1883bbbe17a27660e05 is the first bad commit commit fbdbae3da30a149a55a5f1883bbbe17a27660e05 Author: Li Xinhai Date: Wed Jan 20 08:54:00 2021 +1100 mm: mremap: unlink anon_vmas when mremap with MREMAP_DONTUNMAP success mremap with MREMAP_DONTUNMAP will move all page table entries to new vma, which means all pages allocated for the old vma are not relevant to it anymore, and the relevant anon_vma links needs to be unlinked, in nature the old vma is much like been freshly created and have no pages been fault in. But we should not do unlink, if the new vma has effectively merged with the old one. Link: https://lkml.kernel.org/r/20210119075126.3513154-2-lixinhai.lxh@gmail.com Signed-off-by: Li Xinhai Cc: Brian Geffon Cc: Lokesh Gidra Cc: Minchan Kim Cc: Kirill A. Shutemov Cc: Vlastimil Babka Cc: Andrea Arcangeli Signed-off-by: Andrew Morton Signed-off-by: Stephen Rothwell mm/mremap.c | 7 +++++++ 1 file changed, 7 insertions(+) culprit signature: 8f0bbbe17b14a9060f138d3cc3d04ccb04c39366de5f44731784bfa485f75bc2 parent signature: daad5ae6f94f167ce4f837b40dea7cc5e886b907668bdef12a0c2629928c05eb revisions tested: 16, total time: 3h0m19.957258744s (build: 1h15m31.511248963s, test: 1h43m11.96678243s) first bad commit: fbdbae3da30a149a55a5f1883bbbe17a27660e05 mm: mremap: unlink anon_vmas when mremap with MREMAP_DONTUNMAP success recipients (to): ["akpm@linux-foundation.org" "lixinhai.lxh@gmail.com" "sfr@canb.auug.org.au"] recipients (cc): [] crash: kernel BUG in split_huge_page_to_list page dumped because: VM_BUG_ON_PAGE(!unmap_success) ------------[ cut here ]------------ kernel BUG at mm/huge_memory.c:2349! invalid opcode: 0000 [#1] PREEMPT SMP CPU: 1 PID: 10247 Comm: syz-executor.2 Not tainted 5.11.0-rc4-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:unmap_page mm/huge_memory.c:2349 [inline] RIP: 0010:split_huge_page_to_list+0x600/0x1320 mm/huge_memory.c:2718 Code: 4c 89 ff e8 a2 cc f8 ff 0f 0b 48 c7 c6 88 eb 6d 84 4c 89 ff e8 91 cc f8 ff 0f 0b 48 c7 c6 28 76 6e 84 4c 89 ff e8 80 cc f8 ff <0f> 0b 48 c7 c6 48 76 6e 84 4c 89 ff e8 6f cc f8 ff 0f 0b 49 8b 87 RSP: 0018:ffffc9000306bb00 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffff88810015ee60 RCX: 0000000000000001 RDX: 0000000000000000 RSI: ffffffff8493ec1e RDI: 00000000ffffffff RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001 R10: 0000000000000001 R11: 0000000000000004 R12: 0000000000000000 R13: ffff88810cf0ba28 R14: ffffea0004808000 R15: ffffea0004808000 FS: 00007f3d0e60f700(0000) GS:ffff88813bd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055d937665160 CR3: 000000011e67e000 CR4: 00000000001506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: split_huge_page include/linux/huge_mm.h:187 [inline] madvise_free_pte_range+0x322/0x8e0 mm/madvise.c:633 walk_pmd_range mm/pagewalk.c:89 [inline] walk_pud_range mm/pagewalk.c:160 [inline] walk_p4d_range mm/pagewalk.c:193 [inline] walk_pgd_range mm/pagewalk.c:229 [inline] __walk_page_range+0x32e/0x970 mm/pagewalk.c:331 walk_page_range+0xc2/0x170 mm/pagewalk.c:427 madvise_free_single_vma+0x177/0x200 mm/madvise.c:731 madvise_dontneed_free mm/madvise.c:819 [inline] madvise_vma mm/madvise.c:936 [inline] do_madvise+0x497/0xde0 mm/madvise.c:1132 __do_sys_madvise mm/madvise.c:1158 [inline] __se_sys_madvise mm/madvise.c:1156 [inline] __x64_sys_madvise+0x21/0x30 mm/madvise.c:1156 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x45e219 Code: 0d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007f3d0e60ec68 EFLAGS: 00000246 ORIG_RAX: 000000000000001c RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045e219 RDX: 0000000000000008 RSI: 0000000000c00000 RDI: 0000000020400000 RBP: 000000000119bfc0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000119bf8c R13: 00007ffc3a32e31f R14: 00007f3d0e60f9c0 R15: 000000000119bf8c Modules linked in: ---[ end trace 0dbc2abf5d608179 ]--- RIP: 0010:unmap_page mm/huge_memory.c:2349 [inline] RIP: 0010:split_huge_page_to_list+0x600/0x1320 mm/huge_memory.c:2718 Code: 4c 89 ff e8 a2 cc f8 ff 0f 0b 48 c7 c6 88 eb 6d 84 4c 89 ff e8 91 cc f8 ff 0f 0b 48 c7 c6 28 76 6e 84 4c 89 ff e8 80 cc f8 ff <0f> 0b 48 c7 c6 48 76 6e 84 4c 89 ff e8 6f cc f8 ff 0f 0b 49 8b 87 RSP: 0018:ffffc9000306bb00 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffff88810015ee60 RCX: 0000000000000001 RDX: 0000000000000000 RSI: ffffffff8493ec1e RDI: 00000000ffffffff RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001 R10: 0000000000000001 R11: 0000000000000004 R12: 0000000000000000 R13: ffff88810cf0ba28 R14: ffffea0004808000 R15: ffffea0004808000 FS: 00007f3d0e60f700(0000) GS:ffff88813bd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055d937665160 CR3: 000000011e67e000 CR4: 00000000001506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400