Greetings, FYI, we noticed the following commit (built with gcc-11): commit: df8ef36a21db281bc4932e3d5c933d5bbb9a4217 ("[RFC PATCH v3 4/6] [PATCH 4/6] mm: adjust page offset in mremap") url: https://github.com/intel-lab-lkp/linux/commits/Jakub-Mat-na/Removing-limitations-of-merging-anonymous-VMAs/20220516-205637 base: https://git.kernel.org/cgit/linux/kernel/git/kees/linux.git for-next/execve patch link: https://lore.kernel.org/linux-mm/20220516125405.1675-5-matenajakub@gmail.com in testcase: stress-ng version: stress-ng-x86_64-0.11-06_20220516 with the following parameters: nr_threads: 10% disk: 1HDD testtime: 60s fs: ext4 class: vm test: mremap cpufreq_governor: performance ucode: 0xb000280 on test machine: 96 threads 2 sockets Ice Lake with 256G memory caused the changes below (please refer to the attached dmesg/kmsg for the entire log/backtrace): If you fix the issue, kindly add the following tag Reported-by: kernel test robot [ 75.109565][ T5714] kernel BUG at lib/list_debug.c:54! [ 75.114893][ T5714] invalid opcode: 0000 [#1] SMP NOPTI [ 75.120309][ T5714] CPU: 76 PID: 5714 Comm: stress-ng Not tainted 5.18.0-rc2-00007-gdf8ef36a21db #1 [ 75.129545][ T5714] RIP: 0010:__list_del_entry_valid.cold (lib/list_debug.c:54 (discriminator 3)) [ 75.136019][ T5714] Code: e8 e7 b5 fe ff 0f 0b 48 89 fe 48 c7 c7 80 80 59 82 e8 d6 b5 fe ff 0f 0b 48 89 d1 48 c7 c7 40 81 59 82 4c 89 c2 e8 c2 b5 fe ff <0f> 0b 48 89 f2 48 89 fe 48 c7 c7 f0 80 59 82 e8 ae b5 fe ff 0f 0b All code ======== 0: e8 e7 b5 fe ff callq 0xfffffffffffeb5ec 5: 0f 0b ud2 7: 48 89 fe mov %rdi,%rsi a: 48 c7 c7 80 80 59 82 mov $0xffffffff82598080,%rdi 11: e8 d6 b5 fe ff callq 0xfffffffffffeb5ec 16: 0f 0b ud2 18: 48 89 d1 mov %rdx,%rcx 1b: 48 c7 c7 40 81 59 82 mov $0xffffffff82598140,%rdi 22: 4c 89 c2 mov %r8,%rdx 25: e8 c2 b5 fe ff callq 0xfffffffffffeb5ec 2a:* 0f 0b ud2 <-- trapping instruction 2c: 48 89 f2 mov %rsi,%rdx 2f: 48 89 fe mov %rdi,%rsi 32: 48 c7 c7 f0 80 59 82 mov $0xffffffff825980f0,%rdi 39: e8 ae b5 fe ff callq 
0xfffffffffffeb5ec 3e: 0f 0b ud2 Code starting with the faulting instruction =========================================== 0: 0f 0b ud2 2: 48 89 f2 mov %rsi,%rdx 5: 48 89 fe mov %rdi,%rsi 8: 48 c7 c7 f0 80 59 82 mov $0xffffffff825980f0,%rdi f: e8 ae b5 fe ff callq 0xfffffffffffeb5c2 14: 0f 0b ud2 [ 75.155902][ T5714] RSP: 0018:ffa000002439bc60 EFLAGS: 00010046 [ 75.162055][ T5714] RAX: 000000000000006d RBX: ff1100407ce65000 RCX: 0000000000000000 [ 75.170120][ T5714] RDX: 0000000000000000 RSI: ff11003fc891b740 RDI: ff11003fc891b740 [ 75.178188][ T5714] RBP: ffd4000084068000 R08: 0000000000000000 R09: 00000000ffff7fff [ 75.186257][ T5714] R10: ffa000002439ba98 R11: ffffffff82bd8368 R12: ff11000108c13018 [ 75.194328][ T5714] R13: 0000000000000286 R14: 00007f0434110000 R15: ff1100407ce658c8 [ 75.202398][ T5714] FS: 00007f0437ca9740(0000) GS:ff11003fc8900000(0000) knlGS:0000000000000000 [ 75.211432][ T5714] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 75.218126][ T5714] CR2: 00007f0437f4f6dd CR3: 000000407c358002 CR4: 0000000000771ee0 [ 75.226214][ T5714] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 75.234289][ T5714] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 75.242364][ T5714] PKRU: 55555554 [ 75.246010][ T5714] Call Trace: [ 75.249402][ T5714] [ 75.252448][ T5714] free_transhuge_page (include/linux/list.h:134 include/linux/list.h:148 mm/huge_memory.c:2634) [ 75.257577][ T5714] release_pages (include/linux/mm.h:898 mm/swap.c:119 mm/swap.c:946) [ 75.262277][ T5714] ? free_p4d_range (mm/memory.c:318) [ 75.267150][ T5714] ? native_flush_tlb_local (arch/x86/include/asm/special_insns.h:48 (discriminator 9) arch/x86/mm/tlb.c:1165 (discriminator 9)) [ 75.272636][ T5714] ? 
flush_tlb_func (arch/x86/include/asm/paravirt.h:71 arch/x86/mm/tlb.c:1170 arch/x86/mm/tlb.c:842) [ 75.277517][ T5714] tlb_finish_mmu (mm/mmu_gather.c:51 mm/mmu_gather.c:243 mm/mmu_gather.c:250 mm/mmu_gather.c:341) [ 75.282228][ T5714] unmap_region (mm/mmap.c:2651 (discriminator 8)) [ 75.286765][ T5714] __do_munmap (include/linux/mm.h:2075 mm/mmap.c:2619 mm/mmap.c:2864) [ 75.291294][ T5714] mremap_to (mm/mremap.c:898) [ 75.295655][ T5714] __do_sys_mremap (mm/mremap.c:1042) [ 75.300535][ T5714] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) [ 75.305069][ T5714] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:115) [ 75.311082][ T5714] RIP: 0033:0x7f0438036a4a [ 75.315618][ T5714] Code: 73 01 c3 48 8b 0d 46 04 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 19 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 16 04 0c 00 f7 d8 64 89 01 48 All code ======== 0: 73 01 jae 0x3 2: c3 retq 3: 48 8b 0d 46 04 0c 00 mov 0xc0446(%rip),%rcx # 0xc0450 a: f7 d8 neg %eax c: 64 89 01 mov %eax,%fs:(%rcx) f: 48 83 c8 ff or $0xffffffffffffffff,%rax 13: c3 retq 14: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1) 1b: 00 00 00 1e: 66 90 xchg %ax,%ax 20: 49 89 ca mov %rcx,%r10 23: b8 19 00 00 00 mov $0x19,%eax 28: 0f 05 syscall 2a:* 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax <-- trapping instruction 30: 73 01 jae 0x33 32: c3 retq 33: 48 8b 0d 16 04 0c 00 mov 0xc0416(%rip),%rcx # 0xc0450 3a: f7 d8 neg %eax 3c: 64 89 01 mov %eax,%fs:(%rcx) 3f: 48 rex.W Code starting with the faulting instruction =========================================== 0: 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax 6: 73 01 jae 0x9 8: c3 retq 9: 48 8b 0d 16 04 0c 00 mov 0xc0416(%rip),%rcx # 0xc0426 10: f7 d8 neg %eax 12: 64 89 01 mov %eax,%fs:(%rcx) 15: 48 rex.W [ 75.335612][ T5714] RSP: 002b:00007fffa46364f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000019 [ 75.344156][ T5714] RAX: ffffffffffffffda RBX: 0000000000000064 RCX: 00007f0438036a4a [ 
75.352262][ T5714] RDX: 000000000071c400 RSI: 0000000000e38800 RDI: 00007f04339f3000 [ 75.360364][ T5714] RBP: 000000000071c400 R08: 00007f0434f46000 R09: 0000000000000000 [ 75.368466][ T5714] R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000003 [ 75.376558][ T5714] R13: 00007fffa4636580 R14: 000000000071d400 R15: 00007f0434f46000 [ 75.384650][ T5714] [ 75.387783][ T5714] Modules linked in: kmem dm_mod binfmt_misc device_dax nd_pmem nd_btt dax_pmem ipmi_ssif btrfs ast blake2b_generic drm_vram_helper xor drm_ttm_helper ttm raid6_pq zstd_compress drm_kms_helper libcrc32c syscopyarea nvme sysfillrect sd_mod sysimgblt nvme_core fb_sys_fops intel_rapl_msr intel_rapl_common sg x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm t10_pi irqbypass crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel crc64_rocksoft_generic rapl ahci intel_cstate libahci crc64_rocksoft intel_uncore crc64 drm ioatdma libata joydev dca wmi acpi_ipmi ipmi_si ipmi_devintf ipmi_msghandler nfit libnvdimm acpi_pad acpi_power_meter ip_tables [ 75.449256][ T5714] ---[ end trace 0000000000000000 ]--- [ 75.466176][ T5714] RIP: 0010:__list_del_entry_valid.cold (lib/list_debug.c:54 (discriminator 3)) [ 75.472732][ T5714] Code: e8 e7 b5 fe ff 0f 0b 48 89 fe 48 c7 c7 80 80 59 82 e8 d6 b5 fe ff 0f 0b 48 89 d1 48 c7 c7 40 81 59 82 4c 89 c2 e8 c2 b5 fe ff <0f> 0b 48 89 f2 48 89 fe 48 c7 c7 f0 80 59 82 e8 ae b5 fe ff 0f 0b All code ======== 0: e8 e7 b5 fe ff callq 0xfffffffffffeb5ec 5: 0f 0b ud2 7: 48 89 fe mov %rdi,%rsi a: 48 c7 c7 80 80 59 82 mov $0xffffffff82598080,%rdi 11: e8 d6 b5 fe ff callq 0xfffffffffffeb5ec 16: 0f 0b ud2 18: 48 89 d1 mov %rdx,%rcx 1b: 48 c7 c7 40 81 59 82 mov $0xffffffff82598140,%rdi 22: 4c 89 c2 mov %r8,%rdx 25: e8 c2 b5 fe ff callq 0xfffffffffffeb5ec 2a:* 0f 0b ud2 <-- trapping instruction 2c: 48 89 f2 mov %rsi,%rdx 2f: 48 89 fe mov %rdi,%rsi 32: 48 c7 c7 f0 80 59 82 mov $0xffffffff825980f0,%rdi 39: e8 ae b5 fe ff callq 0xfffffffffffeb5ec 3e: 0f 0b ud2 
Code starting with the faulting instruction =========================================== 0: 0f 0b ud2 2: 48 89 f2 mov %rsi,%rdx 5: 48 89 fe mov %rdi,%rsi 8: 48 c7 c7 f0 80 59 82 mov $0xffffffff825980f0,%rdi f: e8 ae b5 fe ff callq 0xfffffffffffeb5c2 14: 0f 0b ud2

To reproduce:

        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        sudo bin/lkp install job.yaml           # job file is attached in this email
        bin/lkp split-job --compatible job.yaml # generate the yaml file for lkp run
        sudo bin/lkp run generated-yaml-file

        # if you come across any failure that blocks the test,
        # please remove the ~/.lkp and /lkp dirs to run from a clean state.

--
0-DAY CI Kernel Test Service
https://01.org/lkp