On Tue, Jul 21, 2020 at 01:21:47AM +0100, Matthew Wilcox wrote:
> On Mon, Jul 20, 2020 at 04:51:44PM -0700, Andrew Morton wrote:
> > On Sun, 19 Jul 2020 14:10:19 -0700 syzbot <syzbot+c48f34012b06c4ac67dd@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
> >
> > > syzbot has found a reproducer for the following issue on:
> > >
> > > HEAD commit:    4c43049f Add linux-next specific files for 20200716
> > > git tree:       linux-next
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=12c56087100000
> > > kernel config:  https://syzkaller.appspot.com/x/.config?x=2c76d72659687242
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=c48f34012b06c4ac67dd
> > > compiler:       gcc (GCC) 10.1.0-syz 20200507
> > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1344abeb100000
> > >
> > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > Reported-by: syzbot+c48f34012b06c4ac67dd@xxxxxxxxxxxxxxxxxxxxxxxxx
> >
> > Thanks.
> >
> > __handle_mm_fault
> > ->pmd_migration_entry_wait
> > ->migration_entry_to_page
> >
> > stumbled onto an unlocked page.
> >
> > I don't immediately see a cause. Perhaps Matthew's "THP prep patches",
> > perhaps something else.
>
> That's interesting. I'm currently chasing that signature too. Of course,
> almost anything can cause this.
>
> What I do have in my tree is a patch to turn that WARN_ON into a
> VM_BUG_ON_PAGE and what I see is not just an unlocked page, but one
> that's been freed.
Here's an example crash:

1404 086 (25392): drop_caches: 3
1404 page:00000000c8b7c292 refcount:0 mapcount:-128 mapping:0000000000000000 index:0x1 pfn:0xac20
1404 flags: 0x4000000000000000()
1404 raw: 4000000000000000 fffff7b501775808 fffff7b501ab7008 0000000000000000
1404 raw: 0000000000000001 0000000000000005 00000000ffffff7f 0000000000000000
1404 page dumped because: VM_BUG_ON_PAGE(!PageLocked(p))

(that's generic/086 for what it's worth, but you have to run through a
number of other tests in order to hit it; even starting at
generic/08[0123456] isn't enough to hit it, and it doesn't always hit)

A mapcount of -128 indicates PageBuddy, but I've also seen a mapcount of 0
indicating it's still on the per-cpu freelist.