bisecting cause commit starting from e44f65fd666c73944d6f2462cea0559ce5508721 building syzkaller on 510951950dc0ee69cfdaf746061d3dbe31b49fd8 testing commit e44f65fd666c73944d6f2462cea0559ce5508721 with gcc (GCC) 8.1.0 kernel signature: 34fbc51d6f071974113e424e722a4d432c2f36240bc886524bdd2b89ca69dec6 run #0: crashed: general protection fault in free_netdev run #1: basic kernel testing failed: failed to copy test binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/syzkaller/jobs/linux/workdir/image/key" "/tmp/syz-executor973418868" "root@10.128.15.211:./syz-executor973418868"]: exit status 1 Connection timed out during banner exchange lost connection run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK testing release v5.7 testing commit 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162 with gcc (GCC) 8.1.0 kernel signature: fbbe94f1fe98ec5d9ebab60be559b696516be05b8cd43cdf2cb5a5d696bc2edb all runs: OK # git bisect start e44f65fd666c73944d6f2462cea0559ce5508721 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162 Bisecting: 8247 revisions left to test after this (roughly 13 steps) [a0a4d17e02a80a74a63c7cbb7bc8cea2f0b7d8b1] Merge branch 'pcmcia-next' of git://git.kernel.org/pub/scm/linux/kernel/git/brodo/linux testing commit a0a4d17e02a80a74a63c7cbb7bc8cea2f0b7d8b1 with gcc (GCC) 8.1.0 kernel signature: 2dc9098651640f3abb8491cc038a0de5af2d09445e1f27522b9272b5a1cf2204 run #0: crashed: general protection fault in collapse_huge_page run #1: crashed: general protection fault in collapse_huge_page run #2: crashed: general protection fault in collapse_huge_page run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad a0a4d17e02a80a74a63c7cbb7bc8cea2f0b7d8b1 Bisecting: 4068 revisions left to test after this (roughly 12 steps) [09587a09ada2ed7c39aedfa2681152b5ac5641ee] arm64: mm: use ARCH_HAS_DEBUG_WX instead of arch defined testing commit 09587a09ada2ed7c39aedfa2681152b5ac5641ee with gcc (GCC) 8.1.0 kernel signature: b8098f14f4fe2c18f40ea8489226092b969ab53ed3429c5ff49b9f8aab198501 run #0: crashed: general protection fault in collapse_huge_page run #1: crashed: general protection fault in collapse_huge_page run #2: crashed: general protection fault in collapse_huge_page run #3: crashed: general protection fault in collapse_huge_page run #4: OK run #5: crashed: general protection fault in collapse_huge_page run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 09587a09ada2ed7c39aedfa2681152b5ac5641ee Bisecting: 2192 revisions left to test after this (roughly 11 steps) [cfa3b8068b09f25037146bfd5eed041b78878bee] Merge tag 'for-linus-hmm' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma testing commit cfa3b8068b09f25037146bfd5eed041b78878bee with gcc (GCC) 8.1.0 kernel signature: 191a09dcedb5bcb2f211df2b295a82e29409bcc1c3941951e7369e3b36cc5446 all runs: OK # git bisect good cfa3b8068b09f25037146bfd5eed041b78878bee Bisecting: 1106 revisions left to test after this (roughly 10 steps) [a1fb548962397bb8609bb46e566809a9a1b30044] Merge tag 'drm-intel-next-2020-04-30' of git://anongit.freedesktop.org/drm/drm-intel into drm-next testing commit a1fb548962397bb8609bb46e566809a9a1b30044 with gcc (GCC) 8.1.0 kernel signature: fa6f3ad5f934b10f3ac3e7f050249d49db74127ad784d5656d2c1989f3c587b4 all runs: OK # git bisect good a1fb548962397bb8609bb46e566809a9a1b30044 Bisecting: 634 revisions left to test after this (roughly 9 steps) [750a02ab8d3c49ca7d23102be90d3d1db19e2827] Merge tag 'for-5.8/block-2020-06-01' of git://git.kernel.dk/linux-block testing commit 750a02ab8d3c49ca7d23102be90d3d1db19e2827 with gcc (GCC) 8.1.0 kernel signature: 35c391ba699baa042d2b48305496c46abb0ddd25c58319b7520ca68a552e2558 all runs: OK # git bisect good 750a02ab8d3c49ca7d23102be90d3d1db19e2827 Bisecting: 277 revisions left to test after this (roughly 8 steps) [16d91548d1057691979de4686693f0ff92f46000] Merge tag 'xfs-5.8-merge-8' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux testing commit 16d91548d1057691979de4686693f0ff92f46000 with gcc (GCC) 8.1.0 kernel signature: 9c8a5ffe0031faf41057655c08013371dc11497725670e794902bf35284559f4 all runs: OK # git bisect good 16d91548d1057691979de4686693f0ff92f46000 Bisecting: 136 revisions left to test after this (roughly 7 steps) [f3cdc8ae116e27d84e1f33c7a2995960cebb73ac] Merge tag 'for-5.8-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux testing commit f3cdc8ae116e27d84e1f33c7a2995960cebb73ac with gcc (GCC) 8.1.0 kernel signature: 6a5e4aa34ce650fc3e70bd08c5531cbac183ba4b03d2c219a352dbba2a7076de all runs: OK # git bisect good f3cdc8ae116e27d84e1f33c7a2995960cebb73ac Bisecting: 68 revisions left to test after this (roughly 6 steps) [ffe945e633b527d5a4577b42cbadec3c7cbcf096] khugepaged: do not stop collapse if less than half PTEs are referenced testing commit ffe945e633b527d5a4577b42cbadec3c7cbcf096 with gcc (GCC) 8.1.0 kernel signature: 1a15b46a83a7be62595ff02b720aee0b46d910c93e15ee595a82901d29ccffae run #0: crashed: general protection fault in collapse_huge_page run #1: crashed: general protection fault in collapse_huge_page run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad ffe945e633b527d5a4577b42cbadec3c7cbcf096 Bisecting: 33 revisions left to test after this (roughly 5 steps) [bc9331a19d758706493cbebba67ca70382edddac] mm: rename free_area_init_node() to free_area_init_memoryless_node() testing commit bc9331a19d758706493cbebba67ca70382edddac with gcc (GCC) 8.1.0 kernel signature: 1230fb3a1727b45a78393283d2ac16ddb7dfe8daf86a1ff8ef3ca8027d659daa all runs: OK # git bisect good bc9331a19d758706493cbebba67ca70382edddac Bisecting: 16 revisions left to test after this (roughly 4 steps) [01c0bfe061f309b848d51619f20495ee2acd7727] mm: rename gfpflags_to_migratetype to gfp_migratetype for same convention testing commit 01c0bfe061f309b848d51619f20495ee2acd7727 with gcc (GCC) 8.1.0 kernel signature: 9cb8121ff429f48e7878f651bf1ff9385b5cd6b538c30c5c32b9080d05adbdb2 all runs: OK # git bisect good 01c0bfe061f309b848d51619f20495ee2acd7727 Bisecting: 8 revisions left to test after this (roughly 3 steps) [f1b192b117cd418bacf42a9583d7a01855a18fe5] padata: initialize earlier testing commit f1b192b117cd418bacf42a9583d7a01855a18fe5 with gcc (GCC) 8.1.0 kernel signature: 7d771a5209de01ef314bfb85b88df7ae63fbeee9fdfa1791afb7ed938309935a all runs: OK # git bisect good f1b192b117cd418bacf42a9583d7a01855a18fe5 Bisecting: 4 revisions left to test after this (roughly 2 steps) [e44431498f5fbf427f139aa413cf381b4fa3a600] mm: parallelize deferred_init_memmap() testing commit e44431498f5fbf427f139aa413cf381b4fa3a600 with gcc (GCC) 8.1.0 kernel signature: 3f6762aca289ce14005b9b75a3682bf484263d6ab91e041aa66c89f2b0c9bee1 all runs: OK # git bisect good e44431498f5fbf427f139aa413cf381b4fa3a600 Bisecting: 2 revisions left to test after this (roughly 1 step) [ec3b39c731897aa03873094cd277d009341cd7c4] padata: document multithreaded jobs testing commit ec3b39c731897aa03873094cd277d009341cd7c4 with gcc (GCC) 8.1.0 kernel signature: e7ac8d7e7edf71763355f4fb5897ebe16a42c2b0cbbcebebe55853dd733874aa all runs: OK # git bisect good ec3b39c731897aa03873094cd277d009341cd7c4 Bisecting: 0 revisions left to test after this (roughly 1 step) [e0c13f9761df8f97cf5e81495d12ecbc4075684a] khugepaged: add self test testing commit e0c13f9761df8f97cf5e81495d12ecbc4075684a with gcc (GCC) 8.1.0 kernel signature: 0ddf623ce6e01d4302654e1002abefec0f86949c01b904f8994af84c79275153 all runs: OK # git bisect good e0c13f9761df8f97cf5e81495d12ecbc4075684a ffe945e633b527d5a4577b42cbadec3c7cbcf096 is the first bad commit commit ffe945e633b527d5a4577b42cbadec3c7cbcf096 Author: Kirill A. Shutemov Date: Wed Jun 3 16:00:09 2020 -0700 khugepaged: do not stop collapse if less than half PTEs are referenced __collapse_huge_page_swapin() checks the number of referenced PTE to decide if the memory range is hot enough to justify swapin. We have few problems with the approach: - It is way too late: we can do the check much earlier and safe time. khugepaged_scan_pmd() already knows if we have any pages to swap in and number of referenced page. - It stops collapse altogether if there's not enough referenced pages, not only swappingin. Fix it by making the right check early. We also can avoid additional page table scanning if khugepaged_scan_pmd() haven't found any swap entries. Fixes: 0db501f7a34c ("mm, thp: convert from optimistic swapin collapsing to conservative") Signed-off-by: Kirill A. Shutemov Signed-off-by: Andrew Morton Tested-by: Zi Yan Reviewed-by: William Kucharski Reviewed-by: Zi Yan Acked-by: Yang Shi Cc: Andrea Arcangeli Cc: John Hubbard Cc: Mike Kravetz Cc: Ralph Campbell Link: http://lkml.kernel.org/r/20200416160026.16538-3-kirill.shutemov@linux.intel.com Signed-off-by: Linus Torvalds mm/khugepaged.c | 27 +++++++++++---------------- 1 file changed, 11 insertions(+), 16 deletions(-) culprit signature: 1a15b46a83a7be62595ff02b720aee0b46d910c93e15ee595a82901d29ccffae parent signature: 0ddf623ce6e01d4302654e1002abefec0f86949c01b904f8994af84c79275153 revisions tested: 16, total time: 4h41m28.16858087s (build: 1h42m20.471674722s, test: 2h57m10.664015166s) first bad commit: ffe945e633b527d5a4577b42cbadec3c7cbcf096 khugepaged: do not stop collapse if less than half PTEs are referenced cc: ["akpm@linux-foundation.org" "kirill.shutemov@linux.intel.com" "torvalds@linux-foundation.org" "william.kucharski@oracle.com" "yang.shi@linux.alibaba.com" "ziy@nvidia.com"] crash: general protection fault in collapse_huge_page general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 0 PID: 1153 Comm: khugepaged Not tainted 5.7.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:collapse_huge_page+0x4f2/0x3410 mm/khugepaged.c:1022 Code: 00 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 b6 2e 00 00 48 8b 89 88 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 ca 48 c1 ea 03 <80> 3c 02 00 0f 85 79 2e 00 00 48 8b 39 48 83 c7 08 e8 f8 41 8f 05 RSP: 0018:ffffc90004c97ac8 EFLAGS: 00010246 RAX: dffffc0000000000 RBX: ffff8880917e2300 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffff8881e7e28800 RDI: ffff8880a87ac2d8 RBP: ffffc90004c97cb0 R08: 1ffffffff11a897a R09: ffffed10122fc508 R10: ffff8880917e283f R11: ffffed10122fc507 R12: ffffc90004c97c88 R13: ffff8880917e23b8 R14: ffffea0008478000 R15: 1ffff92000992f71 FS: 0000000000000000(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffd07ee219c CR3: 00000002104db000 CR4: 00000000001406f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: khugepaged_scan_pmd mm/khugepaged.c:1245 [inline] khugepaged_scan_mm_slot mm/khugepaged.c:2015 [inline] khugepaged_do_scan mm/khugepaged.c:2096 [inline] khugepaged+0x26da/0x32f0 mm/khugepaged.c:2141 kthread+0x340/0x410 kernel/kthread.c:268 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:351 Modules linked in: ---[ end trace 202466df293c4f0c ]--- RIP: 0010:collapse_huge_page+0x4f2/0x3410 mm/khugepaged.c:1022 Code: 00 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 b6 2e 00 00 48 8b 89 88 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 ca 48 c1 ea 03 <80> 3c 02 00 0f 85 79 2e 00 00 48 8b 39 48 83 c7 08 e8 f8 41 8f 05 RSP: 0018:ffffc90004c97ac8 EFLAGS: 00010246 RAX: dffffc0000000000 RBX: ffff8880917e2300 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffff8881e7e28800 RDI: ffff8880a87ac2d8 RBP: ffffc90004c97cb0 R08: 1ffffffff11a897a R09: ffffed10122fc508 R10: ffff8880917e283f R11: ffffed10122fc507 R12: ffffc90004c97c88 R13: ffff8880917e23b8 R14: ffffea0008478000 R15: 1ffff92000992f71 FS: 0000000000000000(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f9c54ad2740 CR3: 0000000094d1d000 CR4: 00000000001406e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400