ci starts bisection 2024-01-26 07:33:43.905802199 +0000 UTC m=+45852.836462185
bisecting cause commit starting from 8bf1262c53f50fa91fe15d01e5ef5629db55313c
building syzkaller on 1e153dc8b31e685ca8495576db4f8c077585e39c
fetch other tags and check if the commit is present
ensuring issue is reproducible on original commit 8bf1262c53f50fa91fe15d01e5ef5629db55313c
testing commit 8bf1262c53f50fa91fe15d01e5ef5629db55313c gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 59b44d878ec5efdaeab1708b80dd777516ec1656f39e1f3c6f3e74628fa1b9df
all runs: crashed: kernel BUG in resv_map_release
representative crash: kernel BUG in resv_map_release, types: [BUG]
check whether we can drop unnecessary instrumentation
disabling configs for [UBSAN KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
testing commit 8bf1262c53f50fa91fe15d01e5ef5629db55313c gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 92d8a70a60c92e989acab451231357d46353bf22a09be9f2c1bcbf478a41dfd3
all runs: crashed: kernel BUG in resv_map_release
representative crash: kernel BUG in resv_map_release, types: [BUG]
the bug reproduces without the instrumentation
disabling configs for [UBSAN KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
kconfig minimization: base=3923 full=7699 leaves diff=2021
split chunks (needed=false): <2021>
split chunk #0 of len 2021 into 5 parts
testing without sub-chunk 1/5
disabling configs for [KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit 8bf1262c53f50fa91fe15d01e5ef5629db55313c gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 558a95157df75fe5ecf6538d034d14b809c2a0924722f594404e7d94902aa8ac
all runs: crashed: kernel BUG in resv_map_release
representative crash: kernel BUG in resv_map_release, types: [BUG]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN KASAN], they are not needed
testing commit 8bf1262c53f50fa91fe15d01e5ef5629db55313c gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 16c22c8b2bca7422f202545cb1965d6fc9d01992f3a73c2c6924f0f1e8ce1f52
all runs: crashed: kernel BUG in resv_map_release
representative crash: kernel BUG in resv_map_release, types: [BUG]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN KASAN], they are not needed
testing commit 8bf1262c53f50fa91fe15d01e5ef5629db55313c gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 8a63e6f73ef11d24947d29d03866420268c38b71464c9c8dec2e20a04e4d50fd
all runs: crashed: kernel BUG in resv_map_release
representative crash: kernel BUG in resv_map_release, types: [BUG]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [HANG LEAK UBSAN KASAN LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 8bf1262c53f50fa91fe15d01e5ef5629db55313c gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: b0990c436fff0bc2630759d070f65c5130a2f32ecaa60ee0833e1ee4206d90ad
all runs: crashed: kernel BUG in resv_map_release
representative crash: kernel BUG in resv_map_release, types: [BUG]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [LEAK UBSAN KASAN LOCKDEP ATOMIC_SLEEP HANG], they are not needed
testing commit 8bf1262c53f50fa91fe15d01e5ef5629db55313c gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: b192f4a711944ca03320124a671e1e3858abaffec0f0f970aa8f5132a59d41dd
all runs: crashed: kernel BUG in resv_map_release
representative crash: kernel BUG in resv_map_release, types: [BUG]
the chunk can be dropped
disabling configs for [UBSAN KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
picked [v6.7 v6.6 v6.5 v6.3 v6.1 v5.19 v5.17 v5.15 v5.12 v5.9 v5.6 v5.3 v5.0 v4.19] out of 30 release tags
testing release v6.7
testing commit 0dd3ee31125508cd67f7e7172247f05b7fd1753a gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 7be12aea4d71b888e9db43ac9915f492f46600d4672587f86ce71304863c5497
all runs: OK
false negative chance: 0.000
# git bisect start 8bf1262c53f50fa91fe15d01e5ef5629db55313c 0dd3ee31125508cd67f7e7172247f05b7fd1753a
Bisecting: 8463 revisions left to test after this (roughly 13 steps)
[ba5afb9a84df2e6b26a1b6389b98849cd16ea757] fs: rework listmount() implementation
testing commit ba5afb9a84df2e6b26a1b6389b98849cd16ea757 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: b9d7b902f62607bee2c54bfafd7beff608900a2828bf1f3bd369ff898a74b0bf
all runs: OK
false negative chance: 0.000
# git bisect good ba5afb9a84df2e6b26a1b6389b98849cd16ea757
Bisecting: 4255 revisions left to test after this (roughly 12 steps)
[5d197e97fb106c09d3d013be341e5961fd70ec8a] Merge tag 'hsi-for-6.8' of git://git.kernel.org/pub/scm/linux/kernel/git/sre/linux-hsi
testing commit 5d197e97fb106c09d3d013be341e5961fd70ec8a gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 73558de9cc7fa269c154a1818a46b97defd2107809c189adaedbe315ad9ca548
all runs: OK
false negative chance: 0.000
# git bisect good 5d197e97fb106c09d3d013be341e5961fd70ec8a
Bisecting: 2130 revisions left to test after this (roughly 11 steps)
[a638bfbfa1f8e8fbf36d84679916c60c1382a2ef] Merge tag 'spi-fix-v6.8-merge-window' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi
testing commit a638bfbfa1f8e8fbf36d84679916c60c1382a2ef gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 8546138b910c1d426e338e3ab68328a50fad071d486ae9cf4054c57702e4860b
all runs: OK
false negative chance: 0.000
# git bisect good a638bfbfa1f8e8fbf36d84679916c60c1382a2ef
Bisecting: 1065 revisions left to test after this (roughly 10 steps)
[49bcd02df6e861a15daaaa421410131d76fe82da] Merge branch 'for-next' of git://github.com/Xilinx/linux-xlnx.git
testing commit 49bcd02df6e861a15daaaa421410131d76fe82da gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 73d0ab53da9137baea4b7d7de515714e3d908acf23b37588ec9ba7cd0a1e5808
all runs: crashed: kernel BUG in resv_map_release
representative crash: kernel BUG in resv_map_release, types: [BUG]
# git bisect bad 49bcd02df6e861a15daaaa421410131d76fe82da
Bisecting: 532 revisions left to test after this (roughly 9 steps)
[26bbc9df1a64e0fc7142b5abfc6f31e5e03e4393] mm/mmap: introduce vma_range_init()
testing commit 26bbc9df1a64e0fc7142b5abfc6f31e5e03e4393 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: a89e0a95aeedb5c0fb2e4b3ef797a784a96c41685d4337732a99044292375a19
all runs: crashed: kernel BUG in resv_map_release
representative crash: kernel BUG in resv_map_release, types: [BUG]
# git bisect bad 26bbc9df1a64e0fc7142b5abfc6f31e5e03e4393
Bisecting: 289 revisions left to test after this (roughly 8 steps)
[c25b24fa72c734f8cd6c31a13548013263b26286] Merge tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi
testing commit c25b24fa72c734f8cd6c31a13548013263b26286 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: fbf6e27ab121caa154db7fcadc8c7c8afd54101db6b7806f3222556cb714c381
all runs: OK
false negative chance: 0.000
# git bisect good c25b24fa72c734f8cd6c31a13548013263b26286
Bisecting: 139 revisions left to test after this (roughly 7 steps)
[7a396820222d6d4c02057f41658b162bdcdadd0e] Merge tag 'v6.8-rc-part2-smb-client' of git://git.samba.org/sfrench/cifs-2.6
testing commit 7a396820222d6d4c02057f41658b162bdcdadd0e gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 1a0435553ed3c48b30f1c30afe0b4aa2f878f99e059307f40a5d185212b8fbf2
all runs: OK
false negative chance: 0.000
# git bisect good 7a396820222d6d4c02057f41658b162bdcdadd0e
Bisecting: 69 revisions left to test after this (roughly 6 steps)
[4c137bc280640961ad1f26bb4375b2d6209761d1] uprobes: use pagesize-aligned virtual address when replacing pages
testing commit 4c137bc280640961ad1f26bb4375b2d6209761d1 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 2d5a9abca518e735b6f0a2c16cc7ff76a8a2c1f20a94dc07ce2f32648215fd99
all runs: OK
false negative chance: 0.000
# git bisect good 4c137bc280640961ad1f26bb4375b2d6209761d1
Bisecting: 34 revisions left to test after this (roughly 5 steps)
[25ac2c4c536c984c67da3d026db7ec527df20cd6] mm: vmalloc: remove global vmap_area_root rb-tree
testing commit 25ac2c4c536c984c67da3d026db7ec527df20cd6 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: c0044a2020e86bc5364b011a18ffb405072bc0c7ed61a44ea30f5b7c3e6d7360
all runs: crashed: kernel BUG in resv_map_release
representative crash: kernel BUG in resv_map_release, types: [BUG]
# git bisect bad 25ac2c4c536c984c67da3d026db7ec527df20cd6
Bisecting: 17 revisions left to test after this (roughly 4 steps)
[2b749569615ea284ee3d277f8254be37817af3cc] selftests/mm: ksm_tests should only MADV_HUGEPAGE valid memory
testing commit 2b749569615ea284ee3d277f8254be37817af3cc gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 7b157b375ce46cff9a9991ab220b3c531581921f6aaf27fc59f95e3f819f50f8
all runs: OK
false negative chance: 0.000
# git bisect good 2b749569615ea284ee3d277f8254be37817af3cc
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[184c8db9112ee2370c2d17efab76a6c2aad061bc] s390/sclp: remove unhandled memory notifier type
testing commit 184c8db9112ee2370c2d17efab76a6c2aad061bc gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e9f265970c331939713027756ae0f95691776c20a00f6e5463f012af65b96a22
all runs: crashed: kernel BUG in resv_map_release
representative crash: kernel BUG in resv_map_release, types: [BUG]
# git bisect bad 184c8db9112ee2370c2d17efab76a6c2aad061bc
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[be7a8289b10f82365b9a209d9db9e4aaab1a86d4] selftests/mm: run_vmtests.sh: add hugetlb_madv_vs_map
testing commit be7a8289b10f82365b9a209d9db9e4aaab1a86d4 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 9c930dd54a65b5e6ca81a5a1cae9d8ad7c0768245bed03d6bb4baa471ba37517
all runs: crashed: kernel BUG in resv_map_release
representative crash: kernel BUG in resv_map_release, types: [BUG]
# git bisect bad be7a8289b10f82365b9a209d9db9e4aaab1a86d4
Bisecting: 1 revision left to test after this (roughly 1 step)
[38c61fca93058635b533ad927c1d6529757424d3] mm: huge_memory: don't force huge page alignment on 32 bit
testing commit 38c61fca93058635b533ad927c1d6529757424d3 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 05aa60490b02d7f53fa67ed2bd129e129769d1f39f749d00b805295a0cc2405e
all runs: OK
false negative chance: 0.000
# git bisect good 38c61fca93058635b533ad927c1d6529757424d3
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[947b031634e7af3d265275c26ec17e2f96fdb5a1] mm/hugetlb: restore the reservation if needed
testing commit 947b031634e7af3d265275c26ec17e2f96fdb5a1 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: eaa757aa9495b777ba189dba8b293a37c5b65fd479b993b4f68e790688ae4f15
all runs: crashed: kernel BUG in resv_map_release
representative crash: kernel BUG in resv_map_release, types: [BUG]
# git bisect bad 947b031634e7af3d265275c26ec17e2f96fdb5a1
947b031634e7af3d265275c26ec17e2f96fdb5a1 is the first bad commit
commit 947b031634e7af3d265275c26ec17e2f96fdb5a1
Author: Breno Leitao
Date:   Wed Jan 17 09:10:57 2024 -0800

    mm/hugetlb: restore the reservation if needed

    Currently there is a bug that a huge page could be stolen, and when the
    original owner tries to fault in it, it causes a page fault.

    You can achieve that by:
      1) Creating a single page
            echo 1 > /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages
      2) mmap() the page above with MAP_HUGETLB into (void *ptr1).
            * This will mark the page as reserved
      3) touch the page, which causes a page fault and allocates the page
            * This will move the page out of the free list.
            * It will also unreserve the page, since there is no more free page
      4) madvise(MADV_DONTNEED) the page
            * This will free the page, but not mark it as reserved.
      5) Allocate a secondary page with mmap(MAP_HUGETLB) into (void *ptr2).
            * it should fail, but, since there is no more available page.
            * But, since the page above is not reserved, this mmap() succeeds.
      6) Faulting at ptr1 will cause a SIGBUS
            * it will try to allocate a huge page, but there is none available

    A full reproducer is in selftest. See
    https://lore.kernel.org/all/20240105155419.1939484-1-leitao@debian.org/

    Fix this by restoring the reserved page if necessary. If the page being
    unmapped has HPAGE_RESV_OWNER set, and needs a reservation, set the
    restore_reserve flag, which will move the page from free to reserved.

    Link: https://lkml.kernel.org/r/20240117171058.2192286-1-leitao@debian.org
    Signed-off-by: Breno Leitao
    Suggested-by: Rik van Riel
    Cc: Lorenzo Stoakes
    Cc: Matthew Wilcox (Oracle)
    Cc: Muchun Song
    Cc: Rik van Riel
    Cc:
    Signed-off-by: Andrew Morton

 mm/hugetlb.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

accumulated error probability: 0.00
culprit signature: eaa757aa9495b777ba189dba8b293a37c5b65fd479b993b4f68e790688ae4f15
parent signature: 05aa60490b02d7f53fa67ed2bd129e129769d1f39f749d00b805295a0cc2405e
revisions tested: 22, total time: 9h2m25.174186251s (build: 5h27m13.643657658s, test: 3h13m0.623127671s)
first bad commit: 947b031634e7af3d265275c26ec17e2f96fdb5a1 mm/hugetlb: restore the reservation if needed
recipients (to): ["akpm@linux-foundation.org" "akpm@linux-foundation.org" "leitao@debian.org" "linux-mm@kvack.org" "muchun.song@linux.dev"]
recipients (cc): ["linux-kernel@vger.kernel.org"]
crash: kernel BUG in resv_map_release
------------[ cut here ]------------
kernel BUG at mm/hugetlb.c:1129!
invalid opcode: 0000 [#1] PREEMPT SMP
CPU: 0 PID: 1859 Comm: syz-executor.0 Not tainted 6.8.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
RIP: 0010:resv_map_release mm/hugetlb.c:1129 [inline]
RIP: 0010:resv_map_release+0x9d/0xa0 mm/hugetlb.c:1114
Code: b9 91 fe ff 4c 39 e5 48 8b 45 00 48 89 ef 75 c8 49 83 7f 58 00 75 12 5b 4c 89 ff 5d 41 5c 41 5d 41 5e 41 5f e9 94 91 fe ff 90 <0f> 0b 90 66 0f 1f 00 48 8b 47 20 a8 80 75 12 48 8b 8f 90 00 00 00
RSP: 0018:ffffc90001947c10 EFLAGS: 00010202
RAX: ffff88810734ae60 RBX: ffff88810734ae60 RCX: 000000008040003d
RDX: 000000008040003e RSI: ffff88810fee4380 RDI: ffff88810734ae60
RBP: ffff88810734ae60 R08: 000000008040003d R09: 0000000000000001
R10: 0000000000080000 R11: 0000000000000000 R12: ffff88810734ae60
R13: dead000000000122 R14: dead000000000100 R15: ffff88810734ae00
FS:  0000000000000000(0000) GS:ffff888237c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000562f25dffbc0 CR3: 0000000002447000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 remove_vma+0x23/0x60 mm/mmap.c:141
 exit_mmap+0x208/0x490 mm/mmap.c:3301
 __mmput kernel/fork.c:1343 [inline]
 mmput+0x40/0x100 kernel/fork.c:1365
 exit_mm kernel/exit.c:569 [inline]
 do_exit+0x2f8/0xba0 kernel/exit.c:858
 do_group_exit+0x32/0xa0 kernel/exit.c:1020
 get_signal+0x9bb/0x9c0 kernel/signal.c:2893
 arch_do_signal_or_restart+0x39/0x280 arch/x86/kernel/signal.c:310
 exit_to_user_mode_loop kernel/entry/common.c:105 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:201 [inline]
 syscall_exit_to_user_mode+0xed/0x1c0 kernel/entry/common.c:212
 do_syscall_64+0xcd/0x210 arch/x86/entry/common.c:89
 entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f9e1045cda9
Code: Unable to access opcode bytes at 0x7f9e1045cd7f.
RSP: 002b:00007f9e0ffdf178 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007f9e1058bf88 RCX: 00007f9e1045cda9
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f9e1058bf88
RBP: 00007f9e1058bf80 R08: 00007f9e0ffdf6c0 R09: 00007f9e0ffdf6c0
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f9e1058bf8c
R13: 0000000000000006 R14: 00007ffda61dad50 R15: 00007ffda61dae38
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:resv_map_release mm/hugetlb.c:1129 [inline]
RIP: 0010:resv_map_release+0x9d/0xa0 mm/hugetlb.c:1114
Code: b9 91 fe ff 4c 39 e5 48 8b 45 00 48 89 ef 75 c8 49 83 7f 58 00 75 12 5b 4c 89 ff 5d 41 5c 41 5d 41 5e 41 5f e9 94 91 fe ff 90 <0f> 0b 90 66 0f 1f 00 48 8b 47 20 a8 80 75 12 48 8b 8f 90 00 00 00
RSP: 0018:ffffc90001947c10 EFLAGS: 00010202
RAX: ffff88810734ae60 RBX: ffff88810734ae60 RCX: 000000008040003d
RDX: 000000008040003e RSI: ffff88810fee4380 RDI: ffff88810734ae60
RBP: ffff88810734ae60 R08: 000000008040003d R09: 0000000000000001
R10: 0000000000080000 R11: 0000000000000000 R12: ffff88810734ae60
R13: dead000000000122 R14: dead000000000100 R15: ffff88810734ae00
FS:  0000000000000000(0000) GS:ffff888237c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000562f25dffbc0 CR3: 0000000002447000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400