ci starts bisection 2023-10-28 21:05:17.475864988 +0000 UTC m=+78028.759151102
bisecting cause commit starting from 888cf78c29e223fd808682f477c18cf8f61ad995
building syzkaller on 3c418d724accee0ff5b8487bdddeb5827ab216bd
ensuring issue is reproducible on original commit 888cf78c29e223fd808682f477c18cf8f61ad995
testing commit 888cf78c29e223fd808682f477c18cf8f61ad995 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 7c9048429699bf2ae85dace950c4031dd76af127f8366605de7e388e6a19723d
all runs: crashed: general protection fault in hugetlb_vma_lock_write
representative crash: general protection fault in hugetlb_vma_lock_write, types: [UNKNOWN]
check whether we can drop unnecessary instrumentation
disabling configs for [KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing commit 888cf78c29e223fd808682f477c18cf8f61ad995 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 7bf86d59fdded2a51f9e447cb2775a637cfc5dc96e1af6226ac75bd75670efc8
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in hugetlb_vma_lock_write
representative crash: BUG: unable to handle kernel NULL pointer dereference in hugetlb_vma_lock_write, types: [UNKNOWN]
the bug reproduces without the instrumentation
disabling configs for [KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
kconfig minimization: base=3938 full=7617 leaves diff=1992
split chunks (needed=false): <1992>
split chunk #0 of len 1992 into 5 parts
testing without sub-chunk 1/5
disabling configs for [LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP HANG], they are not needed
testing commit 888cf78c29e223fd808682f477c18cf8f61ad995 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: a187872cd40a1a065db11dcf556b3c9fc549f43ab854b0d848e925c0684531d4
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in hugetlb_vma_lock_write
representative crash: BUG: unable to handle kernel NULL pointer dereference in hugetlb_vma_lock_write, types: [UNKNOWN]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [BUG KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit 888cf78c29e223fd808682f477c18cf8f61ad995 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 17a686f4b262124943c264c90e9792b1667455e396af59818844c6dd738f83fc
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in hugetlb_vma_lock_write
representative crash: BUG: unable to handle kernel NULL pointer dereference in hugetlb_vma_lock_write, types: [UNKNOWN]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [HANG LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 888cf78c29e223fd808682f477c18cf8f61ad995 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 1bbfab075b68e8bbcff52eeb98892969d0d649ea291bc357abe97dc2dafd982c
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in __hugetlb_zap_begin
representative crash: BUG: unable to handle kernel NULL pointer dereference in __hugetlb_zap_begin, types: [UNKNOWN]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing commit 888cf78c29e223fd808682f477c18cf8f61ad995 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: a00e489c922635a7fe21b964bb2d7a443137cd93cd82aba1c13b08673d111405
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in __hugetlb_zap_begin
representative crash: BUG: unable to handle kernel NULL pointer dereference in __hugetlb_zap_begin, types: [UNKNOWN]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG KASAN], they are not needed
testing commit 888cf78c29e223fd808682f477c18cf8f61ad995 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f99a87b98648e9d10f8f21098ef0442ae7a9dc5b61e75eb1bc7507ff58133944
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in __hugetlb_zap_begin
representative crash: BUG: unable to handle kernel NULL pointer dereference in __hugetlb_zap_begin, types: [UNKNOWN]
the chunk can be dropped
disabling configs for [KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
picked [v6.5 v6.4 v6.3 v6.1 v5.19 v5.17 v5.15 v5.13 v5.10 v5.7 v5.4 v5.1 v4.19] out of 28 release tags
testing release v6.5
testing commit 2dde18cd1d8fac735875f2e4987f11817cc0bc2c gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 9a9fed661b7999c77966d04c4d50c98143a2a538637f226b3e78fd69fcd4ce5a
all runs: OK
false negative chance: 0.000
# git bisect start 888cf78c29e223fd808682f477c18cf8f61ad995 2dde18cd1d8fac735875f2e4987f11817cc0bc2c
Bisecting: 7828 revisions left to test after this (roughly 13 steps)
[a1c19328a160c80251868dbd80066dce23d07995] Merge tag 'soc-arm-6.6' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc
testing commit a1c19328a160c80251868dbd80066dce23d07995 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: a56a078e222d6a8c3ad4e1298c099cbdec82f718dd22faf0209ad4ec52e30e1a
all runs: OK
false negative chance: 0.000
# git bisect good a1c19328a160c80251868dbd80066dce23d07995
Bisecting: 3905 revisions left to test after this (roughly 12 steps)
[708283abf896dd4853e673cc8cba70acaf9bf4ea] Merge tag 'dmaengine-6.6-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/vkoul/dmaengine
testing commit 708283abf896dd4853e673cc8cba70acaf9bf4ea gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d6a4fe855b9867fa9a9c8f5fcdf69ebba81a046874559233583bed4f053a627f
all runs: OK
false negative chance: 0.000
# git bisect good 708283abf896dd4853e673cc8cba70acaf9bf4ea
Bisecting: 1952 revisions left to test after this (roughly 11 steps)
[63a2de8d16b3ecd607c077c98f8d6cd0147ec099] Merge branch 'sparx5-leaks'
testing commit 63a2de8d16b3ecd607c077c98f8d6cd0147ec099 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 7c31a4ba3a66c9d8fc17845c42d3ab8fd39bff8f730baf2f9c4931b7cb1f1cf9
all runs: OK
false negative chance: 0.000
# git bisect good 63a2de8d16b3ecd607c077c98f8d6cd0147ec099
Bisecting: 976 revisions left to test after this (roughly 10 steps)
[f200bab3756fe81493a1b280180dafa1d9ccdcf7] phy: lynx-28g: cancel the CDR check work item on the remove path
testing commit f200bab3756fe81493a1b280180dafa1d9ccdcf7 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 38c5f54cd1925ccffdb6d1f94c7bb13a028e2f0aa4a5bc152d42a8e879688a0b
all runs: OK
false negative chance: 0.000
# git bisect good f200bab3756fe81493a1b280180dafa1d9ccdcf7
Bisecting: 487 revisions left to test after this (roughly 9 steps)
[e4078ebbddf69f5a82f164dc07d50321b7f641cf] Merge tag 'riscv-dt-for-v6.6-final' of https://git.kernel.org/pub/scm/linux/kernel/git/conor/linux into arm/fixes
testing commit e4078ebbddf69f5a82f164dc07d50321b7f641cf gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: cf32f5861a5481b2c3a448e991af44a888e03d7f1b1c684aceca817dd2655839
all runs: OK
false negative chance: 0.000
# git bisect good e4078ebbddf69f5a82f164dc07d50321b7f641cf
Bisecting: 243 revisions left to test after this (roughly 8 steps)
[c3200081020d63f6c6bfd8a6db2ae8a5b99b348a] Merge tag 'block-6.6-2023-10-20' of git://git.kernel.dk/linux
testing commit c3200081020d63f6c6bfd8a6db2ae8a5b99b348a gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 4e0627974997d1f6500566d9089933686832a9bfd62213c15657843ae75e252e
all runs: OK
false negative chance: 0.000
# git bisect good c3200081020d63f6c6bfd8a6db2ae8a5b99b348a
Bisecting: 121 revisions left to test after this (roughly 7 steps)
[7c14564010fc1d0f16ca7d39b0ff948b43344209] Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost
testing commit 7c14564010fc1d0f16ca7d39b0ff948b43344209 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 7368c4e17f1cef1063ea6f0fdb7bd0daaaeab7183257077d9a7065de82e1d0f6
all runs: OK
false negative chance: 0.000
# git bisect good 7c14564010fc1d0f16ca7d39b0ff948b43344209
Bisecting: 74 revisions left to test after this (roughly 6 steps)
[53798666648af3aa0dd512c2380576627237a800] iavf: in iavf_down, disable queues when removing the driver
testing commit 53798666648af3aa0dd512c2380576627237a800 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 997c082b36c7039269d6c6e3a3250fae89055a8a736643c0905a537153e274ad
all runs: OK
false negative chance: 0.000
# git bisect good 53798666648af3aa0dd512c2380576627237a800
Bisecting: 42 revisions left to test after this (roughly 5 steps)
[c17cda15cc86e65e9725641daddcd7a63cc9ad01] Merge tag 'net-6.6-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
testing commit c17cda15cc86e65e9725641daddcd7a63cc9ad01 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 3d5babb60ae059f1189e4d78ac5dd2c69983ed63232c89e29b1f7c70e114a0f1
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in __hugetlb_zap_begin
representative crash: BUG: unable to handle kernel NULL pointer dereference in __hugetlb_zap_begin, types: [UNKNOWN]
# git bisect bad c17cda15cc86e65e9725641daddcd7a63cc9ad01
Bisecting: 15 revisions left to test after this (roughly 4 steps)
[76b7069bcc89dec33f03eb08abee165d0306b754] mm/damon/sysfs: check DAMOS regions update progress from before_terminate()
testing commit 76b7069bcc89dec33f03eb08abee165d0306b754 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: dfa1fd0a5c62b87d0abf542d52c439eb6c13e74c0ef6d2a1371ba6adb22be79d
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in __hugetlb_zap_begin
representative crash: BUG: unable to handle kernel NULL pointer dereference in __hugetlb_zap_begin, types: [UNKNOWN]
# git bisect bad 76b7069bcc89dec33f03eb08abee165d0306b754
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[229e2253766c7cdfe024f1fe280020cc4711087c] mm/migrate: fix do_pages_move for compat pointers
testing commit 229e2253766c7cdfe024f1fe280020cc4711087c gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 96ee12ad80ad3b6d58b0015d360aab78702fc5942a958d99beaefeab51b36844
all runs: OK
false negative chance: 0.000
# git bisect good 229e2253766c7cdfe024f1fe280020cc4711087c
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[2820b0f09be99f6406784b03a22dfc83e858449d] hugetlbfs: close race between MADV_DONTNEED and page fault
testing commit 2820b0f09be99f6406784b03a22dfc83e858449d gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: bbbfbcc09af02388c3cbad99e4c4aa6cd8294a2115921cae86afb21a21084de1
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in __hugetlb_zap_begin
representative crash: BUG: unable to handle kernel NULL pointer dereference in __hugetlb_zap_begin, types: [UNKNOWN]
# git bisect bad 2820b0f09be99f6406784b03a22dfc83e858449d
Bisecting: 1 revision left to test after this (roughly 1 step)
[92fe9dcbe4e109a7ce6bab3e452210a35b0ab493] hugetlbfs: clear resv_map pointer if mmap fails
testing commit 92fe9dcbe4e109a7ce6bab3e452210a35b0ab493 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 1d9406bd09a091e857237e168d75d21db651d142a5577f350b26de993779f511
all runs: OK
false negative chance: 0.000
# git bisect good 92fe9dcbe4e109a7ce6bab3e452210a35b0ab493
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[bf4916922c60f43efaa329744b3eef539aa6a2b2] hugetlbfs: extend hugetlb_vma_lock to private VMAs
testing commit bf4916922c60f43efaa329744b3eef539aa6a2b2 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: c7c93855f70eeafaa680a3c060e5e18a4c2a2d0292d5358aad7fa9157c1a6dd1
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in __unmap_hugepage_range_final
representative crash: BUG: unable to handle kernel NULL pointer dereference in __unmap_hugepage_range_final, types: [UNKNOWN]
# git bisect bad bf4916922c60f43efaa329744b3eef539aa6a2b2
bf4916922c60f43efaa329744b3eef539aa6a2b2 is the first bad commit
commit bf4916922c60f43efaa329744b3eef539aa6a2b2
Author: Rik van Riel
Date:   Thu Oct 5 23:59:07 2023 -0400

    hugetlbfs: extend hugetlb_vma_lock to private VMAs

    Extend the locking scheme used to protect shared hugetlb mappings from
    truncate vs page fault races, in order to protect private hugetlb mappings
    (with resv_map) against MADV_DONTNEED.

    Add a read-write semaphore to the resv_map data structure, and use that
    from the hugetlb_vma_(un)lock_* functions, in preparation for closing the
    race between MADV_DONTNEED and page faults.

    Link: https://lkml.kernel.org/r/20231006040020.3677377-3-riel@surriel.com
    Fixes: 04ada095dcfc ("hugetlb: don't delete vma_lock in hugetlb MADV_DONTNEED processing")
    Signed-off-by: Rik van Riel
    Reviewed-by: Mike Kravetz
    Cc: Matthew Wilcox (Oracle)
    Cc: Muchun Song
    Cc:
    Signed-off-by: Andrew Morton

 include/linux/hugetlb.h |  6 ++++++
 mm/hugetlb.c            | 41 +++++++++++++++++++++++++++++++++++++----
 2 files changed, 43 insertions(+), 4 deletions(-)

accumulated error probability: 0.00
culprit signature: c7c93855f70eeafaa680a3c060e5e18a4c2a2d0292d5358aad7fa9157c1a6dd1
parent signature: 1d9406bd09a091e857237e168d75d21db651d142a5577f350b26de993779f511
revisions tested: 22, total time: 4h5m6.226462554s (build: 1h12m2.322689879s, test: 2h34m17.539733149s)
first bad commit: bf4916922c60f43efaa329744b3eef539aa6a2b2 hugetlbfs: extend hugetlb_vma_lock to private VMAs
recipients (to): ["akpm@linux-foundation.org" "mike.kravetz@oracle.com" "riel@surriel.com"]
recipients (cc): []
crash: BUG: unable to handle kernel NULL pointer dereference in __unmap_hugepage_range_final
BUG: kernel NULL pointer dereference, address: 00000000000000f0
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 104acc067 P4D 104acc067 PUD 10a2b1067 PMD 0
Oops: 0000 [#1] PREEMPT SMP
CPU: 0 PID: 1874 Comm: syz-executor.0 Not tainted 6.6.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
RIP: 0010:__lock_acquire.constprop.0+0x2f2/0x540 kernel/locking/lockdep.c:5008
Code: 0a 48 83 f8 ff 0f 85 a1 01 00 00 0f b7 45 20 66 25 ff 1f 66 89 44 24 16 0f b6 45 22 83 e0 03 88 44 24 10 e9 6d fe ff ff 89 f0 <48> 8b 44 c7 08 48 85 c0 0f 85 68 fd ff ff e9 39 fd ff ff e8 a6 9a
RSP: 0018:ffffc90001717c70 EFLAGS: 00010097
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000000000e8
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
R13: 0000000000000000 R14: ffff88810a279b00 R15: 0000000000000200
FS:  0000000000000000(0000) GS:ffff888237c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000000f0 CR3: 0000000107aea000 CR4: 0000000000350ef0
Call Trace:
 lock_acquire kernel/locking/lockdep.c:5753 [inline]
 lock_acquire+0xab/0x180 kernel/locking/lockdep.c:5718
 down_write+0x29/0x90 kernel/locking/rwsem.c:1573
 __unmap_hugepage_range_final+0x28/0x150 mm/hugetlb.c:5445
 unmap_vmas+0x66/0xa0 mm/memory.c:1731
 exit_mmap+0xe7/0x3e0 mm/mmap.c:3230
 __mmput kernel/fork.c:1349 [inline]
 mmput+0x40/0x100 kernel/fork.c:1371
 exit_mm kernel/exit.c:567 [inline]
 do_exit+0x2e9/0xb90 kernel/exit.c:861
 __do_sys_exit kernel/exit.c:991 [inline]
 __se_sys_exit kernel/exit.c:989 [inline]
 __x64_sys_exit+0x16/0x20 kernel/exit.c:989
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x38/0x80 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fd7670deae9
Code: Unable to access opcode bytes at 0x7fd7670deabf.
RSP: 002b:00007fd766c61078 EFLAGS: 00000246 ORIG_RAX: 000000000000003c
RAX: ffffffffffffffda RBX: 00007fd7671fdf80 RCX: 00007fd7670deae9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 00007fd76712a47a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000006 R14: 00007fd7671fdf80 R15: 00007ffdfd8ab528
Modules linked in:
CR2: 00000000000000f0
---[ end trace 0000000000000000 ]---
RIP: 0010:__lock_acquire.constprop.0+0x2f2/0x540 kernel/locking/lockdep.c:5008
Code: 0a 48 83 f8 ff 0f 85 a1 01 00 00 0f b7 45 20 66 25 ff 1f 66 89 44 24 16 0f b6 45 22 83 e0 03 88 44 24 10 e9 6d fe ff ff 89 f0 <48> 8b 44 c7 08 48 85 c0 0f 85 68 fd ff ff e9 39 fd ff ff e8 a6 9a
RSP: 0018:ffffc90001717c70 EFLAGS: 00010097
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000000000e8
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
R13: 0000000000000000 R14: ffff88810a279b00 R15: 0000000000000200
FS:  0000000000000000(0000) GS:ffff888237c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000000f0 CR3: 0000000107aea000 CR4: 0000000000350ef0
----------------
Code disassembly (best guess):
   0:	0a 48 83             	or     -0x7d(%rax),%cl
   3:	f8                   	clc
   4:	ff 0f                	decl   (%rdi)
   6:	85 a1 01 00 00 0f    	test   %esp,0xf000001(%rcx)
   c:	b7 45                	mov    $0x45,%bh
   e:	20 66 25             	and    %ah,0x25(%rsi)
  11:	ff 1f                	lcall  *(%rdi)
  13:	66 89 44 24 16       	mov    %ax,0x16(%rsp)
  18:	0f b6 45 22          	movzbl 0x22(%rbp),%eax
  1c:	83 e0 03             	and    $0x3,%eax
  1f:	88 44 24 10          	mov    %al,0x10(%rsp)
  23:	e9 6d fe ff ff       	jmp    0xfffffe95
  28:	89 f0                	mov    %esi,%eax
* 2a:	48 8b 44 c7 08       	mov    0x8(%rdi,%rax,8),%rax <-- trapping instruction
  2f:	48 85 c0             	test   %rax,%rax
  32:	0f 85 68 fd ff ff    	jne    0xfffffda0
  38:	e9 39 fd ff ff       	jmp    0xfffffd76
  3d:	e8                   	.byte 0xe8
  3e:	a6                   	cmpsb  %es:(%rdi),%ds:(%rsi)
  3f:	9a                   	(bad)