Greetings,

FYI, we noticed the following commit (built with gcc-9):

commit: afcc9fb8741f26773a381ac1e159e0172344b7d5 ("[PATCH v3 13/15] mm/pte_ref: free user PTE page table pages")
url: https://github.com/0day-ci/linux/commits/Qi-Zheng/Free-user-PTE-page-table-pages/20211110-185837
base: https://github.com/hnaz/linux-mm master
patch link: https://lore.kernel.org/linux-doc/20211110105428.32458-14-zhengqi.arch@bytedance.com

in testcase: boot

on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G

caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):

+------------------------------------------+------------+------------+
|                                          | e249f0fa9a | afcc9fb874 |
+------------------------------------------+------------+------------+
| boot_successes                           | 16         | 0          |
| boot_failures                            | 0          | 14         |
| kernel_BUG_at_include/linux/pte_ref.h    | 0          | 14         |
| invalid_opcode:#[##]                     | 0          | 14         |
| RIP:destroy_args                         | 0          | 14         |
| Kernel_panic-not_syncing:Fatal_exception | 0          | 14         |
+------------------------------------------+------------+------------+

If you fix the issue, kindly add following tag
Reported-by: kernel test robot

[ 7.245922][ T1] kernel BUG at include/linux/pte_ref.h:56!
[ 7.269161][ T1] invalid opcode: 0000 [#1] PREEMPT SMP PTI
[ 7.271019][ T1] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.15.0-rc7-mm1-00448-gafcc9fb8741f #1
[ 7.273761][ T1] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[ 7.276418][ T1] RIP: 0010:destroy_args (include/linux/pte_ref.h:56 include/linux/pte_ref.h:123 mm/debug_vm_pgtable.c:1051)
[ 7.277992][ T1] Code: 6b 58 4c 8b 2b 49 8b 3c 24 e8 c6 38 b4 fe 48 c1 e0 06 48 03 05 aa eb 4c ff 8b 50 30 81 e2 00 02 00 f0 81 fa 00 00 00 f0 74 02 <0f> 0b f0 83 68 20 01 75 15 48 89 ea 4c 89 e6 4c 89 ef 48 81 e2 00
All code
========
   0:   6b 58 4c 8b             imul   $0xffffff8b,0x4c(%rax),%ebx
   4:   2b 49 8b                sub    -0x75(%rcx),%ecx
   7:   3c 24                   cmp    $0x24,%al
   9:   e8 c6 38 b4 fe          callq  0xfffffffffeb438d4
   e:   48 c1 e0 06             shl    $0x6,%rax
  12:   48 03 05 aa eb 4c ff    add    -0xb31456(%rip),%rax        # 0xffffffffff4cebc3
  19:   8b 50 30                mov    0x30(%rax),%edx
  1c:   81 e2 00 02 00 f0       and    $0xf0000200,%edx
  22:   81 fa 00 00 00 f0       cmp    $0xf0000000,%edx
  28:   74 02                   je     0x2c
  2a:*  0f 0b                   ud2                <-- trapping instruction
  2c:   f0 83 68 20 01          lock subl $0x1,0x20(%rax)
  31:   75 15                   jne    0x48
  33:   48 89 ea                mov    %rbp,%rdx
  36:   4c 89 e6                mov    %r12,%rsi
  39:   4c 89 ef                mov    %r13,%rdi
  3c:   48                      rex.W
  3d:   81                      .byte 0x81
  3e:   e2 00                   loop   0x40

Code starting with the faulting instruction
===========================================
   0:   0f 0b                   ud2
   2:   f0 83 68 20 01          lock subl $0x1,0x20(%rax)
   7:   75 15                   jne    0x1e
   9:   48 89 ea                mov    %rbp,%rdx
   c:   4c 89 e6                mov    %r12,%rsi
   f:   4c 89 ef                mov    %r13,%rdi
  12:   48                      rex.W
  13:   81                      .byte 0x81
  14:   e2 00                   loop   0x16
[ 7.283473][ T1] RSP: 0000:ffffc90000013da0 EFLAGS: 00010206
[ 7.285295][ T1] RAX: ffffea0000000000 RBX: ffffc90000013dc8 RCX: 0000000000000000
[ 7.287675][ T1] RDX: 00000000f0000200 RSI: ffffffff823848b5 RDI: 0000000000000000
[ 7.290056][ T1] RBP: 000024b4af3bd000 R08: 0000000000000001 R09: 0000000000000040
[ 7.292449][ T1] R10: ffff88842fc2fb60 R11: ffffc90000013d00 R12: ffff88812da63000
[ 7.294926][ T1] R13: ffff88810ca08c00 R14: 0000000140000067 R15: 0000000000000027
[ 7.297349][ T1] FS:  0000000000000000(0000) GS:ffff88842fc00000(0000) knlGS:0000000000000000
[ 7.300020][ T1] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 7.301949][ T1] CR2: 0000000000000000 CR3: 0000000002612000 CR4: 00000000000006f0
[ 7.304153][ T1] Call Trace:
[ 7.306975][ T1]
[ 7.307966][ T1] debug_vm_pgtable (mm/debug_vm_pgtable.c:1334)
[ 7.309435][ T1] ? init_args (mm/debug_vm_pgtable.c:1241)
[ 7.310773][ T1] do_one_initcall (init/main.c:1303)
[ 7.312212][ T1] kernel_init_freeable (init/main.c:1377 init/main.c:1394 init/main.c:1413 init/main.c:1618)
[ 7.313728][ T1] ? rest_init (init/main.c:1499)
[ 7.315002][ T1] kernel_init (init/main.c:1509)
[ 7.316368][ T1] ret_from_fork (arch/x86/entry/entry_64.S:301)
[ 7.317692][ T1]
[ 7.318697][ T1] Modules linked in:
[ 7.320060][ T1] ---[ end trace 1f2bbe378e842286 ]---
[ 7.321766][ T1] RIP: 0010:destroy_args (include/linux/pte_ref.h:56 include/linux/pte_ref.h:123 mm/debug_vm_pgtable.c:1051)
[ 7.323325][ T1] Code: 6b 58 4c 8b 2b 49 8b 3c 24 e8 c6 38 b4 fe 48 c1 e0 06 48 03 05 aa eb 4c ff 8b 50 30 81 e2 00 02 00 f0 81 fa 00 00 00 f0 74 02 <0f> 0b f0 83 68 20 01 75 15 48 89 ea 4c 89 e6 4c 89 ef 48 81 e2 00
All code
========
   0:   6b 58 4c 8b             imul   $0xffffff8b,0x4c(%rax),%ebx
   4:   2b 49 8b                sub    -0x75(%rcx),%ecx
   7:   3c 24                   cmp    $0x24,%al
   9:   e8 c6 38 b4 fe          callq  0xfffffffffeb438d4
   e:   48 c1 e0 06             shl    $0x6,%rax
  12:   48 03 05 aa eb 4c ff    add    -0xb31456(%rip),%rax        # 0xffffffffff4cebc3
  19:   8b 50 30                mov    0x30(%rax),%edx
  1c:   81 e2 00 02 00 f0       and    $0xf0000200,%edx
  22:   81 fa 00 00 00 f0       cmp    $0xf0000000,%edx
  28:   74 02                   je     0x2c
  2a:*  0f 0b                   ud2                <-- trapping instruction
  2c:   f0 83 68 20 01          lock subl $0x1,0x20(%rax)
  31:   75 15                   jne    0x48
  33:   48 89 ea                mov    %rbp,%rdx
  36:   4c 89 e6                mov    %r12,%rsi
  39:   4c 89 ef                mov    %r13,%rdi
  3c:   48                      rex.W
  3d:   81                      .byte 0x81
  3e:   e2 00                   loop   0x40

Code starting with the faulting instruction
===========================================
   0:   0f 0b                   ud2
   2:   f0 83 68 20 01          lock subl $0x1,0x20(%rax)
   7:   75 15                   jne    0x1e
   9:   48 89 ea                mov    %rbp,%rdx
   c:   4c 89 e6                mov    %r12,%rsi
   f:   4c 89 ef                mov    %r13,%rdi
  12:   48                      rex.W
  13:   81                      .byte 0x81
  14:   e2 00                   loop   0x16


To reproduce:

        # build kernel
        cd linux
        cp config-5.15.0-rc7-mm1-00448-gafcc9fb8741f .config
        make HOSTCC=gcc-9 CC=gcc-9 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage

        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        bin/lkp qemu -k <bzImage> job-script # job-script is attached in this email

        # if you come across any failure that blocks the test,
        # please remove ~/.lkp and /lkp dir to run from a clean state.


---
0DAY/LKP+ Test Infrastructure                   Open Source Technology Center
https://lists.01.org/hyperkitty/list/lkp@lists.01.org       Intel Corporation

Thanks,
Oliver Sang