bisecting fixing commit since b4a5ea09b29371c2e6a10783faa3593428404343 building syzkaller on 68fc921ad90a9ed3604448913e66d02ea8d11de6 testing commit b4a5ea09b29371c2e6a10783faa3593428404343 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 6a097fa36126c64b761e5297579ef5c063e7749a6e2b446c09ae227029775eb2 run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: EOF run #1: basic kernel testing failed: BUG: program execution failed: executor NUM: EOF run #2: crashed: kernel BUG in workingset_activation run #3: crashed: kernel BUG in workingset_activation run #4: crashed: kernel BUG in workingset_activation run #5: crashed: kernel BUG in workingset_activation run #6: crashed: kernel BUG in workingset_activation run #7: crashed: kernel BUG in workingset_activation run #8: crashed: kernel BUG in workingset_activation run #9: crashed: kernel BUG in workingset_activation run #10: crashed: kernel BUG in workingset_activation run #11: crashed: kernel BUG in workingset_activation run #12: crashed: kernel BUG in workingset_activation run #13: crashed: kernel BUG in workingset_activation run #14: crashed: kernel BUG in workingset_activation run #15: crashed: kernel BUG in workingset_activation run #16: crashed: kernel BUG in workingset_activation run #17: crashed: kernel BUG in workingset_activation run #18: crashed: kernel BUG in workingset_activation run #19: crashed: kernel BUG in workingset_activation testing current HEAD d928e8f3af38abc8d2d56d9329a8280f7af5f10e testing commit d928e8f3af38abc8d2d56d9329a8280f7af5f10e compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: dc1efc9a0e94707e50b17b007f7ea9c2fe3c93aa9d6e0f69c66df17ebb002760 all runs: crashed: kernel BUG in workingset_activation revisions tested: 2, total time: 20m46.314475348s (build: 12m8.921219388s, test: 8m13.126867199s) the crash still happens on HEAD commit msg: Merge tag 'gfs2-v5.18-rc4-fix3' of git://git.kernel.org/pub/scm/linux/kernel/git/gfs2/linux-gfs2 crash: kernel BUG in workingset_activation __unfreeze_partials+0x17c/0x1a0 mm/slub.c:2523 qlink_free mm/kasan/quarantine.c:157 [inline] qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:176 kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:283 __kasan_slab_alloc+0xa2/0xc0 mm/kasan/common.c:446 kasan_slab_alloc include/linux/kasan.h:224 [inline] slab_post_alloc_hook mm/slab.h:749 [inline] slab_alloc_node mm/slub.c:3217 [inline] slab_alloc mm/slub.c:3225 [inline] __kmem_cache_alloc_lru mm/slub.c:3232 [inline] kmem_cache_alloc+0x204/0x3b0 mm/slub.c:3242 getname_flags.part.0+0x4a/0x440 fs/namei.c:138 vfs_fstatat+0x35/0x70 fs/stat.c:254 __do_sys_newfstatat+0x72/0xd0 fs/stat.c:425 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0x80 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae ------------[ cut here ]------------ kernel BUG at include/linux/memcontrol.h:472! invalid opcode: 0000 [#1] PREEMPT SMP KASAN CPU: 0 PID: 8133 Comm: syz-executor.0 Not tainted 5.18.0-rc6-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:folio_memcg_rcu include/linux/memcontrol.h:472 [inline] RIP: 0010:workingset_activation+0x455/0x550 mm/workingset.c:413 Code: df 48 c1 e8 03 80 3c 10 00 0f 85 ec 00 00 00 48 8b 05 4f 8a 0b 0b e9 64 fd ff ff 48 c7 c6 a0 23 f6 88 48 89 ef e8 fb 00 00 00 <0f> 0b 0f 0b e9 4f fc ff ff 48 c7 c6 00 26 f6 88 48 89 ef e8 e3 00 RSP: 0018:ffffc9000455f770 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffffea0000534200 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff88801113420a RBP: ffffea0000534200 R08: 0000000000000029 R09: ffffc9000455f317 R10: fffff520008abe62 R11: 0000000000000001 R12: 0000000000000000 R13: ffff8880b9e34d00 R14: 0000000000000003 R15: ffff8880b9e34d30 FS: 0000555556f27400(0000) GS:ffff8880b9e00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000200000 CR3: 0000000023b62000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: folio_mark_accessed+0x494/0xb60 mm/swap.c:440 handle_changed_spte arch/x86/kvm/mmu/tdp_mmu.c:609 [inline] handle_removed_pt arch/x86/kvm/mmu/tdp_mmu.c:493 [inline] __handle_changed_spte+0x765/0x1010 arch/x86/kvm/mmu/tdp_mmu.c:600 handle_changed_spte arch/x86/kvm/mmu/tdp_mmu.c:607 [inline] handle_removed_pt arch/x86/kvm/mmu/tdp_mmu.c:493 [inline] __handle_changed_spte+0x755/0x1010 arch/x86/kvm/mmu/tdp_mmu.c:600 __tdp_mmu_set_spte+0x14a/0x780 arch/x86/kvm/mmu/tdp_mmu.c:742 _tdp_mmu_set_spte arch/x86/kvm/mmu/tdp_mmu.c:758 [inline] tdp_mmu_set_spte arch/x86/kvm/mmu/tdp_mmu.c:767 [inline] __tdp_mmu_zap_root+0x532/0x5a0 arch/x86/kvm/mmu/tdp_mmu.c:873 tdp_mmu_zap_root+0xe2/0x240 arch/x86/kvm/mmu/tdp_mmu.c:909 kvm_tdp_mmu_zap_all+0xe0/0x120 arch/x86/kvm/mmu/tdp_mmu.c:1017 kvm_mmu_zap_all+0x1e8/0x240 arch/x86/kvm/mmu/mmu.c:6106 kvm_flush_shadow_all arch/x86/kvm/../../../virt/kvm/kvm_main.c:366 [inline] kvm_mmu_notifier_release+0x4e/0x90 arch/x86/kvm/../../../virt/kvm/kvm_main.c:836 mmu_notifier_unregister+0xfe/0x330 mm/mmu_notifier.c:838 kvm_destroy_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:1236 [inline] kvm_put_kvm+0x395/0xaa0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1284 kvm_vcpu_release+0x49/0x70 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3703 __fput+0x1f5/0x8c0 fs/file_table.c:317 task_work_run+0xc0/0x160 kernel/task_work.c:164 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline] exit_to_user_mode_loop kernel/entry/common.c:169 [inline] exit_to_user_mode_prepare+0x23c/0x250 kernel/entry/common.c:201 __syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline] syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:294 do_syscall_64+0x42/0x80 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7fd50943bc8b Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44 RSP: 002b:00007ffd92bbeb70 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: 0000000000000000 RBX: 0000000000000009 RCX: 00007fd50943bc8b RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000008 RBP: 00007fd50959d960 R08: 0000000000000000 R09: 00007fd5095a06f0 R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000026d9e R13: 00007ffd92bbec70 R14: 00007ffd92bbec90 R15: 0000000000000032 Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:folio_memcg_rcu include/linux/memcontrol.h:472 [inline] RIP: 0010:workingset_activation+0x455/0x550 mm/workingset.c:413 Code: df 48 c1 e8 03 80 3c 10 00 0f 85 ec 00 00 00 48 8b 05 4f 8a 0b 0b e9 64 fd ff ff 48 c7 c6 a0 23 f6 88 48 89 ef e8 fb 00 00 00 <0f> 0b 0f 0b e9 4f fc ff ff 48 c7 c6 00 26 f6 88 48 89 ef e8 e3 00 RSP: 0018:ffffc9000455f770 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffffea0000534200 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff88801113420a RBP: ffffea0000534200 R08: 0000000000000029 R09: ffffc9000455f317 R10: fffff520008abe62 R11: 0000000000000001 R12: 0000000000000000 R13: ffff8880b9e34d00 R14: 0000000000000003 R15: ffff8880b9e34d30 FS: 0000555556f27400(0000) GS:ffff8880b9e00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000200000 CR3: 0000000023b62000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400