ci starts bisection 2024-01-06 15:33:22.140548051 +0000 UTC m=+75483.359829681
bisecting fixing commit since 9b6de136b5f0158c60844f85286a593cb70fb364
building syzkaller on fc59b78e3174009510ed15f20665e7ab2435ebee
ensuring issue is reproducible on original commit 9b6de136b5f0158c60844f85286a593cb70fb364
testing commit 9b6de136b5f0158c60844f85286a593cb70fb364 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: b73207a37ac717ae3407e4525e0ca998d96f92f74bb3b3177d64de5ebec7a88e
all runs: crashed: general protection fault in __hugetlb_zap_begin
representative crash: general protection fault in __hugetlb_zap_begin, types: [UNKNOWN]
check whether we can drop unnecessary instrumentation
disabling configs for [BUG KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit 9b6de136b5f0158c60844f85286a593cb70fb364 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 31d94b6d3bf6bff0490dce232695e89e725374231893bf972f0c32671125154e
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in __hugetlb_zap_begin
representative crash: BUG: unable to handle kernel NULL pointer dereference in __hugetlb_zap_begin, types: [UNKNOWN]
the bug reproduces without the instrumentation
disabling configs for [HANG LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP], they are not needed
kconfig minimization: base=3915 full=7651 leaves diff=2009
split chunks (needed=false): <2009>
split chunk #0 of len 2009 into 5 parts
testing without sub-chunk 1/5
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG KASAN], they are not needed
testing commit 9b6de136b5f0158c60844f85286a593cb70fb364 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 7c1a06631244b46814775a95c39d5d3168464262a2da885ac0e60b7ea19429c6
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in __hugetlb_zap_begin
representative crash: BUG: unable to handle kernel NULL pointer dereference in __hugetlb_zap_begin, types: [UNKNOWN]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG KASAN LOCKDEP], they are not needed
testing commit 9b6de136b5f0158c60844f85286a593cb70fb364 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ca10daed98973da45e7c703cdde222b7148807442f6a4ebf6c55345bf0b9aaa4
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in __hugetlb_zap_begin
representative crash: BUG: unable to handle kernel NULL pointer dereference in __hugetlb_zap_begin, types: [UNKNOWN]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [BUG KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit 9b6de136b5f0158c60844f85286a593cb70fb364 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: a7c6ffcc2fb0087f4998572da745f3c6069173a3cc18e100efbbebdf43d85938
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in __hugetlb_zap_begin
representative crash: BUG: unable to handle kernel NULL pointer dereference in __hugetlb_zap_begin, types: [UNKNOWN]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG KASAN LOCKDEP], they are not needed
testing commit 9b6de136b5f0158c60844f85286a593cb70fb364 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d83c9992084ca986772bda12001a723611a3c621ba28505afcf2c766ab3a816b
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in __hugetlb_zap_begin
representative crash: BUG: unable to handle kernel NULL pointer dereference in __hugetlb_zap_begin, types: [UNKNOWN]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [HANG LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 9b6de136b5f0158c60844f85286a593cb70fb364 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 7fd8f8ff389caa9c682a4267dfa89c9fc6c8550e5c09e3f6120e9e6d7393bd90
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in __hugetlb_zap_begin
representative crash: BUG: unable to handle kernel NULL pointer dereference in __hugetlb_zap_begin, types: [UNKNOWN]
the chunk can be dropped
disabling configs for [UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
testing current HEAD 95c8a35f1c017327eab3b6a2ff5c04255737c856
testing commit 95c8a35f1c017327eab3b6a2ff5c04255737c856 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 0a9cae8a3b3166fc904025dcf47abb3360d6e0c15455e92ddbb4269aaf5eae8f
all runs: OK
false negative chance: 0.000
# git bisect start 95c8a35f1c017327eab3b6a2ff5c04255737c856 9b6de136b5f0158c60844f85286a593cb70fb364
Bisecting: 892 revisions left to test after this (roughly 10 steps)
[d71369dbe0c5c1217dc681d6871b7918b2996de6] Merge tag 'block-6.7-2023-12-08' of git://git.kernel.dk/linux
determine whether the revision contains the guilty commit
revision 9b6de136b5f0158c60844f85286a593cb70fb364 crashed and is reachable
testing commit d71369dbe0c5c1217dc681d6871b7918b2996de6 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 54d3f9675f0cfb7f654912a11868f4c7146dbaf3ac56246091e5ab72c03032de
all runs: OK
false negative chance: 0.000
# git bisect bad d71369dbe0c5c1217dc681d6871b7918b2996de6
Bisecting: 473 revisions left to test after this (roughly 9 steps)
[c9a925b7bcd9552f19ba50519c6a49ed7ca61691] Merge tag 'io_uring-6.7-2023-11-30' of git://git.kernel.dk/linux
determine whether the revision contains the guilty commit
revision 9b6de136b5f0158c60844f85286a593cb70fb364 crashed and is reachable
testing commit c9a925b7bcd9552f19ba50519c6a49ed7ca61691 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 44c36ac54bc911301c007caa3a4481b4f1817f4139f4696047a93e7b33ce5b82
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in __hugetlb_zap_begin
representative crash: BUG: unable to handle kernel NULL pointer dereference in __hugetlb_zap_begin, types: [UNKNOWN]
# git bisect good c9a925b7bcd9552f19ba50519c6a49ed7ca61691
Bisecting: 244 revisions left to test after this (roughly 8 steps)
[5e3f5b81de80c98338bcb47c233aebefee5a4801] Merge tag 'net-6.7-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
determine whether the revision contains the guilty commit
revision c9a925b7bcd9552f19ba50519c6a49ed7ca61691 crashed and is reachable
testing commit 5e3f5b81de80c98338bcb47c233aebefee5a4801 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 18185130b68277d8640935db1694e8880f54a99cac77de9e87e8bdb998e36ae5
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in __hugetlb_zap_begin
representative crash: BUG: unable to handle kernel NULL pointer dereference in __hugetlb_zap_begin, types: [UNKNOWN]
# git bisect good 5e3f5b81de80c98338bcb47c233aebefee5a4801
Bisecting: 129 revisions left to test after this (roughly 7 steps)
[4df7c5fde316820286dfa6d203a1005d7fbe007d] Merge tag 'riscv-for-linus-6.7-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux
determine whether the revision contains the guilty commit
revision c9a925b7bcd9552f19ba50519c6a49ed7ca61691 crashed and is reachable
testing commit 4df7c5fde316820286dfa6d203a1005d7fbe007d gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 60340886d4b7d0480b74a44d628a8ad5d723fef518b4b05a2e55097ab9bc22dc
all runs: OK
false negative chance: 0.000
# git bisect bad 4df7c5fde316820286dfa6d203a1005d7fbe007d
Bisecting: 51 revisions left to test after this (roughly 6 steps)
[fd1e5745f87a9e06974d2f42d22b3e1682c99105] Merge tag 'v6.7-rockchip-dtsfixes1' of git://git.kernel.org/pub/scm/linux/kernel/git/mmind/linux-rockchip into arm/fixes
determine whether the revision contains the guilty commit
revision 9b6de136b5f0158c60844f85286a593cb70fb364 crashed and is reachable
testing commit fd1e5745f87a9e06974d2f42d22b3e1682c99105 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 586b72d58d35b47ff39882b7bda0ac97a0ab0b512861c57d3e617b68472d450b
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in __hugetlb_zap_begin
representative crash: BUG: unable to handle kernel NULL pointer dereference in __hugetlb_zap_begin, types: [UNKNOWN]
# git bisect good fd1e5745f87a9e06974d2f42d22b3e1682c99105
Bisecting: 25 revisions left to test after this (roughly 5 steps)
[73424d00dc63ba681856e06cfb0a5abbdb62e2b5] highmem: fix a memory copy problem in memcpy_from_folio
determine whether the revision contains the guilty commit
revision 9b6de136b5f0158c60844f85286a593cb70fb364 crashed and is reachable
testing commit 73424d00dc63ba681856e06cfb0a5abbdb62e2b5 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 8786ceb00b694d732a1c3e358f912611b1726bae7534c00737acc84a0b4907db
all runs: OK
false negative chance: 0.000
# git bisect bad 73424d00dc63ba681856e06cfb0a5abbdb62e2b5
Bisecting: 12 revisions left to test after this (roughly 4 steps)
[001002e73712cdf6b8d9a103648cda3040ad7647] mm/memory_hotplug: add missing mem_hotplug_lock
determine whether the revision contains the guilty commit
revision 9b6de136b5f0158c60844f85286a593cb70fb364 crashed and is reachable
testing commit 001002e73712cdf6b8d9a103648cda3040ad7647 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ce2a7621a21f61272ebd59e833a4431e858c51327aade51d993f7ee59dcc7b0a
all runs: OK
false negative chance: 0.000
# git bisect bad 001002e73712cdf6b8d9a103648cda3040ad7647
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[5f79489a73d77419d18952e0258efbd5ecb74770] mm: kmem: properly initialize local objcg variable in current_obj_cgroup()
determine whether the revision contains the guilty commit
revision 9b6de136b5f0158c60844f85286a593cb70fb364 crashed and is reachable
testing commit 5f79489a73d77419d18952e0258efbd5ecb74770 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 988e86f7e8f6af5c497c143a2b05ff69e7f5bff286198ebf1decbb05a6bb95d8
all runs: OK
false negative chance: 0.000
# git bisect bad 5f79489a73d77419d18952e0258efbd5ecb74770
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[727d16f1993bcf46ee2888c13e3fc1463babed8d] mm/memory.c:zap_pte_range() print bad swap entry
determine whether the revision contains the guilty commit
revision 9b6de136b5f0158c60844f85286a593cb70fb364 crashed and is reachable
testing commit 727d16f1993bcf46ee2888c13e3fc1463babed8d gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 62f5d0572c3a89dd4b9a9ae232ffd8c09365f74755f27d13967129c1ae300976
all runs: OK
false negative chance: 0.000
# git bisect bad 727d16f1993bcf46ee2888c13e3fc1463babed8d
Bisecting: 0 revisions left to test after this (roughly 1 step)
[187da0f8250aa94bd96266096aef6f694e0b4cd2] hugetlb: fix null-ptr-deref in hugetlb_vma_lock_write
determine whether the revision contains the guilty commit
revision 9b6de136b5f0158c60844f85286a593cb70fb364 crashed and is reachable
testing commit 187da0f8250aa94bd96266096aef6f694e0b4cd2 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: fc4e947e08d387f55ac563f1c992e71dfc520b81a103245b993ae26dbfeb7536
all runs: OK
false negative chance: 0.000
# git bisect bad 187da0f8250aa94bd96266096aef6f694e0b4cd2
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[b197d16669831d3e3240e2b6a3e4f9cf0331d58e] MAINTAINERS: add Andrew Morton for lib/*
determine whether the revision contains the guilty commit
revision 9b6de136b5f0158c60844f85286a593cb70fb364 crashed and is reachable
testing commit b197d16669831d3e3240e2b6a3e4f9cf0331d58e gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d51bdea2b3596cd15280c99750b1defb400c57cf1d2115aa2354326ffc8af23d
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in __hugetlb_zap_begin
representative crash: BUG: unable to handle kernel NULL pointer dereference in __hugetlb_zap_begin, types: [UNKNOWN]
# git bisect good b197d16669831d3e3240e2b6a3e4f9cf0331d58e
187da0f8250aa94bd96266096aef6f694e0b4cd2 is the first bad commit
commit 187da0f8250aa94bd96266096aef6f694e0b4cd2
Author: Mike Kravetz
Date:   Mon Nov 13 17:20:33 2023 -0800

    hugetlb: fix null-ptr-deref in hugetlb_vma_lock_write

    The routine __vma_private_lock tests for the existence of a reserve map
    associated with a private hugetlb mapping. A pointer to the reserve map
    is in vma->vm_private_data. __vma_private_lock was checking the pointer
    for NULL. However, it is possible that the low bits of the pointer could
    be used as flags. In such instances, vm_private_data is not NULL and not
    a valid pointer. This results in the null-ptr-deref reported by syzbot:

    general protection fault, probably for non-canonical address 0xdffffc000000001d: 0000 [#1] PREEMPT SMP KASAN
    KASAN: null-ptr-deref in range [0x00000000000000e8-0x00000000000000ef]
    CPU: 0 PID: 5048 Comm: syz-executor139 Not tainted 6.6.0-rc7-syzkaller-00142-g888cf78c29e2 #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
    RIP: 0010:__lock_acquire+0x109/0x5de0 kernel/locking/lockdep.c:5004
    ...
    Call Trace:
     lock_acquire kernel/locking/lockdep.c:5753 [inline]
     lock_acquire+0x1ae/0x510 kernel/locking/lockdep.c:5718
     down_write+0x93/0x200 kernel/locking/rwsem.c:1573
     hugetlb_vma_lock_write mm/hugetlb.c:300 [inline]
     hugetlb_vma_lock_write+0xae/0x100 mm/hugetlb.c:291
     __hugetlb_zap_begin+0x1e9/0x2b0 mm/hugetlb.c:5447
     hugetlb_zap_begin include/linux/hugetlb.h:258 [inline]
     unmap_vmas+0x2f4/0x470 mm/memory.c:1733
     exit_mmap+0x1ad/0xa60 mm/mmap.c:3230
     __mmput+0x12a/0x4d0 kernel/fork.c:1349
     mmput+0x62/0x70 kernel/fork.c:1371
     exit_mm kernel/exit.c:567 [inline]
     do_exit+0x9ad/0x2a20 kernel/exit.c:861
     __do_sys_exit kernel/exit.c:991 [inline]
     __se_sys_exit kernel/exit.c:989 [inline]
     __x64_sys_exit+0x42/0x50 kernel/exit.c:989
     do_syscall_x64 arch/x86/entry/common.c:50 [inline]
     do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
     entry_SYSCALL_64_after_hwframe+0x63/0xcd

    Mask off low bit flags before checking for NULL pointer. In addition, the
    reserve map only 'belongs' to the OWNER (parent in parent/child
    relationships) so also check for the OWNER flag.

    Link: https://lkml.kernel.org/r/20231114012033.259600-1-mike.kravetz@oracle.com
    Reported-by: syzbot+6ada951e7c0f7bc8a71e@syzkaller.appspotmail.com
    Closes: https://lore.kernel.org/linux-mm/00000000000078d1e00608d7878b@google.com/
    Fixes: bf4916922c60 ("hugetlbfs: extend hugetlb_vma_lock to private VMAs")
    Signed-off-by: Mike Kravetz
    Reviewed-by: Rik van Riel
    Cc: Edward Adam Davis
    Cc: Muchun Song
    Cc: Nathan Chancellor
    Cc: Nick Desaulniers
    Cc: Tom Rix
    Cc:
    Signed-off-by: Andrew Morton

 include/linux/hugetlb.h | 5 +----
 mm/hugetlb.c            | 7 +++++++
 2 files changed, 8 insertions(+), 4 deletions(-)

accumulated error probability: 0.00
culprit signature: fc4e947e08d387f55ac563f1c992e71dfc520b81a103245b993ae26dbfeb7536
parent signature: d51bdea2b3596cd15280c99750b1defb400c57cf1d2115aa2354326ffc8af23d
revisions tested: 19, total time: 6h4m42.415109042s (build: 2h4m23.374315302s, test: 3h35m52.612940789s)
first good commit: 187da0f8250aa94bd96266096aef6f694e0b4cd2 hugetlb: fix null-ptr-deref in hugetlb_vma_lock_write
recipients (to): ["akpm@linux-foundation.org" "mike.kravetz@oracle.com" "riel@surriel.com"]
recipients (cc): []