ci starts bisection 2023-10-28 02:49:48.542315919 +0000 UTC m=+12299.825602060
bisecting cause commit starting from 3a568e3a961ba330091cd031647e4c303fa0badb
building syzkaller on bf285f0cf1f7863e0b0d17980de703fab89476bb
ensuring issue is reproducible on original commit 3a568e3a961ba330091cd031647e4c303fa0badb
testing commit 3a568e3a961ba330091cd031647e4c303fa0badb gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 5831f300947f22acc5d80c960774dce4b0c84adb7f21d80f63911a5ed401cfa1
all runs: crashed: general protection fault in __hugetlb_zap_begin
representative crash: general protection fault in __hugetlb_zap_begin, types: [UNKNOWN]
check whether we can drop unnecessary instrumentation
disabling configs for [HANG LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 3a568e3a961ba330091cd031647e4c303fa0badb gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: a1655cb84dbcd4a4d01753640d176b86235e4ba0da0336ec9e5645446ab4cc34
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in __hugetlb_zap_begin
representative crash: BUG: unable to handle kernel NULL pointer dereference in __hugetlb_zap_begin, types: [UNKNOWN]
the bug reproduces without the instrumentation
disabling configs for [UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
kconfig minimization: base=3930 full=7610 leaves diff=1993
split chunks (needed=false): <1993>
split chunk #0 of len 1993 into 5 parts
testing without sub-chunk 1/5
disabling configs for [LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP HANG], they are not needed
testing commit 3a568e3a961ba330091cd031647e4c303fa0badb gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 85383d879542db9d6b8b68467be8f7599eeb1679149d797f5c0a973af6533caa
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in __hugetlb_zap_begin
representative crash: BUG: unable to handle kernel NULL pointer dereference in __hugetlb_zap_begin, types: [UNKNOWN]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [HANG LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 3a568e3a961ba330091cd031647e4c303fa0badb gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e79058e58d8de28ee73d10d45b29e890887e480bf3d2575e5a7da11ed37c1a79
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in __hugetlb_zap_begin
representative crash: BUG: unable to handle kernel NULL pointer dereference in __hugetlb_zap_begin, types: [UNKNOWN]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP HANG], they are not needed
testing commit 3a568e3a961ba330091cd031647e4c303fa0badb gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 7cede896af89d0689bc28c17daf2877e35617f54413102de0366dfc7ec4704dc
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in __hugetlb_zap_begin
representative crash: BUG: unable to handle kernel NULL pointer dereference in __hugetlb_zap_begin, types: [UNKNOWN]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [HANG LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 3a568e3a961ba330091cd031647e4c303fa0badb gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: c541e0e5cf6ab5b17d542394dfd91104d6f6459f6e4c8b0b17ea8fbe98b408eb
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in __hugetlb_zap_begin
representative crash: BUG: unable to handle kernel NULL pointer dereference in __hugetlb_zap_begin, types: [UNKNOWN]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [BUG KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit 3a568e3a961ba330091cd031647e4c303fa0badb gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ad7c9899e51ead37d54ea5253dcfeab8bd502a93d29b24258c813c0fe7dbb188
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in __hugetlb_zap_begin
representative crash: BUG: unable to handle kernel NULL pointer dereference in __hugetlb_zap_begin, types: [UNKNOWN]
the chunk can be dropped
disabling configs for [LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP HANG], they are not needed
picked [v6.5 v6.4 v6.3 v6.1 v5.19 v5.17 v5.15 v5.13 v5.10 v5.7 v5.4 v5.1 v4.19] out of 28 release tags
testing release v6.5
testing commit 2dde18cd1d8fac735875f2e4987f11817cc0bc2c gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: bce0d6de3b71f350a9f0e0011abe7e5233656245ffe91d2cdb3700dfd8313498
all runs: OK
false negative chance: 0.000
# git bisect start 3a568e3a961ba330091cd031647e4c303fa0badb 2dde18cd1d8fac735875f2e4987f11817cc0bc2c
Bisecting: 7809 revisions left to test after this (roughly 13 steps)
[a1c19328a160c80251868dbd80066dce23d07995] Merge tag 'soc-arm-6.6' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc
testing commit a1c19328a160c80251868dbd80066dce23d07995 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: eb5c144241b0904aaa7aa7fb948e943128f8c4981f24c0d4b57d76d1c61953f3
all runs: OK
false negative chance: 0.000
# git bisect good a1c19328a160c80251868dbd80066dce23d07995
Bisecting: 3886 revisions left to test after this (roughly 12 steps)
[708283abf896dd4853e673cc8cba70acaf9bf4ea] Merge tag 'dmaengine-6.6-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/vkoul/dmaengine
testing commit 708283abf896dd4853e673cc8cba70acaf9bf4ea gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 56170a8eb8de5c2497c83631f731285cc908f61cf1202a8e0abf9181622a157b
all runs: OK
false negative chance: 0.000
# git bisect good 708283abf896dd4853e673cc8cba70acaf9bf4ea
Bisecting: 1939 revisions left to test after this (roughly 11 steps)
[9fdfb15a3dbf818e06be514f4abbfc071004cbe7] Merge tag 'net-6.6-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
testing commit 9fdfb15a3dbf818e06be514f4abbfc071004cbe7 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 521dab6ab0b833dd2d795d5ae32c86918bf0a48427a61baffc67862a5e357392
all runs: OK
false negative chance: 0.000
# git bisect good 9fdfb15a3dbf818e06be514f4abbfc071004cbe7
Bisecting: 958 revisions left to test after this (roughly 10 steps)
[f291209eca5eba0b4704fa0832af57b12dbc1a02] Merge tag 'net-6.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
testing commit f291209eca5eba0b4704fa0832af57b12dbc1a02 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 4b104ec7a921229558794fd4bb48e4af87e219fe6e4169d087f37646189b2c63
all runs: OK
false negative chance: 0.000
# git bisect good f291209eca5eba0b4704fa0832af57b12dbc1a02
Bisecting: 479 revisions left to test after this (roughly 9 steps)
[fbe1bf1e5ff1e3b298420d7a8434983ef8d72bd1] Revert "x86/smp: Put CPUs into INIT on shutdown if possible"
testing commit fbe1bf1e5ff1e3b298420d7a8434983ef8d72bd1 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 2e9be8d1c953704e5c000aab116f116750b9b2fc15335a82ad7570250b81d28f
all runs: OK
false negative chance: 0.000
# git bisect good fbe1bf1e5ff1e3b298420d7a8434983ef8d72bd1
Bisecting: 243 revisions left to test after this (roughly 8 steps)
[747b7628ca66de3806e6988d3a6e0c9c48d33694] Merge tag 'io_uring-6.6-2023-10-20' of git://git.kernel.dk/linux
testing commit 747b7628ca66de3806e6988d3a6e0c9c48d33694 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 6c8e6f3f490aca3a34c2710495f5ebad185030a2457117854221c17a600372fc
all runs: OK
false negative chance: 0.000
# git bisect good 747b7628ca66de3806e6988d3a6e0c9c48d33694
Bisecting: 122 revisions left to test after this (roughly 7 steps)
[05d3ef8bba77c1b5f98d941d8b2d4aeab8118ef1] Linux 6.6-rc7
testing commit 05d3ef8bba77c1b5f98d941d8b2d4aeab8118ef1 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 51eb30fe2538913c348b48a474e167b2e314e99cdfc02b994439c525d4288ded
all runs: OK
false negative chance: 0.000
# git bisect good 05d3ef8bba77c1b5f98d941d8b2d4aeab8118ef1
Bisecting: 75 revisions left to test after this (roughly 6 steps)
[53798666648af3aa0dd512c2380576627237a800] iavf: in iavf_down, disable queues when removing the driver
testing commit 53798666648af3aa0dd512c2380576627237a800 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: fc51888d736061bb7af5222030795b68f850588f2b71cc81dffbc6633a466e64
all runs: OK
false negative chance: 0.000
# git bisect good 53798666648af3aa0dd512c2380576627237a800
Bisecting: 36 revisions left to test after this (roughly 5 steps)
[4f82870119a46b0d04d91ef4697ac4977a255a9d] Merge tag 'mm-hotfixes-stable-2023-10-24-09-40' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
testing commit 4f82870119a46b0d04d91ef4697ac4977a255a9d gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 2d1d7f423cff9b437abf6058f1af43c736f41bcf04b73f618659d40966b76621
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in __hugetlb_zap_begin
representative crash: BUG: unable to handle kernel NULL pointer dereference in __hugetlb_zap_begin, types: [UNKNOWN]
# git bisect bad 4f82870119a46b0d04d91ef4697ac4977a255a9d
Bisecting: 19 revisions left to test after this (roughly 4 steps)
[e2de156b0d918b5ebe975577d25f9ef92379a756] selftests/mm: include mman header to access MREMAP_DONTUNMAP identifier
testing commit e2de156b0d918b5ebe975577d25f9ef92379a756 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 09488784fbae900cd12132dd8a17e0716e39dc6f931fd768206176d9851c9ed2
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in __hugetlb_zap_begin
representative crash: BUG: unable to handle kernel NULL pointer dereference in __hugetlb_zap_begin, types: [UNKNOWN]
# git bisect bad e2de156b0d918b5ebe975577d25f9ef92379a756
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[969d63e1af3b3abe35a49b08218f3125131ac32f] mm: zswap: fix pool refcount bug around shrink_worker()
testing commit 969d63e1af3b3abe35a49b08218f3125131ac32f gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 7b9732785414c38fe16df7e9f5d7dd674cac342c6cfab57bd146fd60cad092d9
all runs: OK
false negative chance: 0.000
# git bisect good 969d63e1af3b3abe35a49b08218f3125131ac32f
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[17c17567fe510857b18fe01b7a88027600e76ac6] kasan: disable kasan_non_canonical_hook() for HW tags
testing commit 17c17567fe510857b18fe01b7a88027600e76ac6 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 4d38b1c3bd5d2462dc7c8e8ec951701f253b2408c94ad66d968cd123a7fcfa64
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in __hugetlb_zap_begin
representative crash: BUG: unable to handle kernel NULL pointer dereference in __hugetlb_zap_begin, types: [UNKNOWN]
# git bisect bad 17c17567fe510857b18fe01b7a88027600e76ac6
Bisecting: 2 revisions left to test after this (roughly 1 step)
[bf4916922c60f43efaa329744b3eef539aa6a2b2] hugetlbfs: extend hugetlb_vma_lock to private VMAs
testing commit bf4916922c60f43efaa329744b3eef539aa6a2b2 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f5a8814f7d1e5708fd5e966b33a37903ecdfb307e985ca8552ed0f2707955d03
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in __unmap_hugepage_range_final
representative crash: BUG: unable to handle kernel NULL pointer dereference in __unmap_hugepage_range_final, types: [UNKNOWN]
# git bisect bad bf4916922c60f43efaa329744b3eef539aa6a2b2
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[92fe9dcbe4e109a7ce6bab3e452210a35b0ab493] hugetlbfs: clear resv_map pointer if mmap fails
testing commit 92fe9dcbe4e109a7ce6bab3e452210a35b0ab493 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 77989fbb5192038dea2ffc096abd6061af49183d790b28efce74498c24f26750
all runs: OK
false negative chance: 0.000
# git bisect good 92fe9dcbe4e109a7ce6bab3e452210a35b0ab493
bf4916922c60f43efaa329744b3eef539aa6a2b2 is the first bad commit
commit bf4916922c60f43efaa329744b3eef539aa6a2b2
Author: Rik van Riel
Date:   Thu Oct 5 23:59:07 2023 -0400

    hugetlbfs: extend hugetlb_vma_lock to private VMAs

    Extend the locking scheme used to protect shared hugetlb mappings from
    truncate vs page fault races, in order to protect private hugetlb mappings
    (with resv_map) against MADV_DONTNEED.

    Add a read-write semaphore to the resv_map data structure, and use that
    from the hugetlb_vma_(un)lock_* functions, in preparation for closing the
    race between MADV_DONTNEED and page faults.

    Link: https://lkml.kernel.org/r/20231006040020.3677377-3-riel@surriel.com
    Fixes: 04ada095dcfc ("hugetlb: don't delete vma_lock in hugetlb MADV_DONTNEED processing")
    Signed-off-by: Rik van Riel
    Reviewed-by: Mike Kravetz
    Cc: Matthew Wilcox (Oracle)
    Cc: Muchun Song
    Cc:
    Signed-off-by: Andrew Morton

 include/linux/hugetlb.h |  6 ++++++
 mm/hugetlb.c            | 41 +++++++++++++++++++++++++++++++++++++----
 2 files changed, 43 insertions(+), 4 deletions(-)

accumulated error probability: 0.00
culprit signature: f5a8814f7d1e5708fd5e966b33a37903ecdfb307e985ca8552ed0f2707955d03
parent signature: 77989fbb5192038dea2ffc096abd6061af49183d790b28efce74498c24f26750
revisions tested: 22, total time: 7h27m34.689592009s (build: 2h42m46.266969669s, test: 4h27m1.071329194s)
first bad commit: bf4916922c60f43efaa329744b3eef539aa6a2b2 hugetlbfs: extend hugetlb_vma_lock to private VMAs
recipients (to): ["akpm@linux-foundation.org" "mike.kravetz@oracle.com" "riel@surriel.com"]
recipients (cc): []
crash: BUG: unable to handle kernel NULL pointer dereference in __unmap_hugepage_range_final
BUG: kernel NULL pointer dereference, address: 00000000000000f0
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 103b99067 P4D 103b99067 PUD 105bc9067 PMD 0
Oops: 0000 [#1] PREEMPT SMP
CPU: 0 PID: 1868 Comm: syz-executor.0 Not tainted 6.6.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
RIP: 0010:__lock_acquire+0x35/0x490 kernel/locking/lockdep.c:5008
Code: 83 ec 18 65 4c 8b 35 ba cf f4 7e 83 3d 0f 85 5e 01 00 0f 84 05 02 00 00 4c 89 cb 89 cd 41 89 d5 49 89 ff 83 fe 01 77 0c 89 f0 <49> 8b 44 c7 08 48 85 c0 75 1b 4c 89 ff 31 d2 45 89 c4 e8 74 f6 ff
RSP: 0018:ffffc90001a07c10 EFLAGS: 00010097
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000000000e8
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: ffff88810c249b00 R15: 00000000000000e8
FS:  0000000000000000(0000) GS:ffff888237c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000000f0 CR3: 0000000106e84000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 lock_acquire+0xd8/0x1f0 kernel/locking/lockdep.c:5753
 down_write+0x29/0x80 kernel/locking/rwsem.c:1573
 __unmap_hugepage_range_final+0x5a/0x1c0 mm/hugetlb.c:5445
 unmap_vmas+0x6b/0xa0 mm/memory.c:1731
 exit_mmap+0x1b4/0x500 mm/mmap.c:3230
 __mmput+0x28/0xf0 kernel/fork.c:1349
 exit_mm+0xa9/0x110 kernel/exit.c:567
 do_exit+0x242/0xa50 kernel/exit.c:861
 __do_sys_exit kernel/exit.c:991 [inline]
 __se_sys_exit kernel/exit.c:989 [inline]
 __x64_sys_exit+0x12/0x20 kernel/exit.c:989
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x41/0x90 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f327928cae9
Code: Unable to access opcode bytes at 0x7f327928cabf.
RSP: 002b:00007f3278e0ef98 EFLAGS: 00000246 ORIG_RAX: 000000000000003c
RAX: ffffffffffffffda RBX: 0000000000000058 RCX: 00007f327928cae9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 00007f32792d847a R08: 0000000000000058 R09: 0000000000000058
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000006 R14: 00007f32793abf80 R15: 00007ffee81e63a8
Modules linked in:
CR2: 00000000000000f0
---[ end trace 0000000000000000 ]---
RIP: 0010:__lock_acquire+0x35/0x490 kernel/locking/lockdep.c:5008
Code: 83 ec 18 65 4c 8b 35 ba cf f4 7e 83 3d 0f 85 5e 01 00 0f 84 05 02 00 00 4c 89 cb 89 cd 41 89 d5 49 89 ff 83 fe 01 77 0c 89 f0 <49> 8b 44 c7 08 48 85 c0 75 1b 4c 89 ff 31 d2 45 89 c4 e8 74 f6 ff
RSP: 0018:ffffc90001a07c10 EFLAGS: 00010097
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000000000e8
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: ffff88810c249b00 R15: 00000000000000e8
FS:  0000000000000000(0000) GS:ffff888237c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000000f0 CR3: 0000000106e84000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	83 ec 18             	sub    $0x18,%esp
   3:	65 4c 8b 35 ba cf f4 	mov    %gs:0x7ef4cfba(%rip),%r14        # 0x7ef4cfc5
   a:	7e
   b:	83 3d 0f 85 5e 01 00 	cmpl   $0x0,0x15e850f(%rip)        # 0x15e8521
  12:	0f 84 05 02 00 00    	je     0x21d
  18:	4c 89 cb             	mov    %r9,%rbx
  1b:	89 cd                	mov    %ecx,%ebp
  1d:	41 89 d5             	mov    %edx,%r13d
  20:	49 89 ff             	mov    %rdi,%r15
  23:	83 fe 01             	cmp    $0x1,%esi
  26:	77 0c                	ja     0x34
  28:	89 f0                	mov    %esi,%eax
* 2a:	49 8b 44 c7 08       	mov    0x8(%r15,%rax,8),%rax		<-- trapping instruction
  2f:	48 85 c0             	test   %rax,%rax
  32:	75 1b                	jne    0x4f
  34:	4c 89 ff             	mov    %r15,%rdi
  37:	31 d2                	xor    %edx,%edx
  39:	45 89 c4             	mov    %r8d,%r12d
  3c:	e8                   	.byte 0xe8
  3d:	74 f6                	je     0x35
  3f:	ff                   	.byte 0xff