bisecting cause commit starting from cb71b93c2dc36d18a8b05245973328d018272cdf
building syzkaller on 95cb00d1ffccfb9043ac5d91ff8103bbb9befae8
testing commit cb71b93c2dc36d18a8b05245973328d018272cdf
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 328e2d5fe700f12700ff2d669ba0bdee615b1de6516d35724417c4671eae5703
all runs: crashed: WARNING in page_counter_cancel
testing release v5.18
testing commit 4b0986a3613c92f4ec1bdc7f60ec66fea135991f
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 10aac9a8f1ccfe7c2ef7621e6f363e1ca795206967ee573e59f31cb4b2bf7f79
all runs: OK
# git bisect start cb71b93c2dc36d18a8b05245973328d018272cdf 4b0986a3613c92f4ec1bdc7f60ec66fea135991f
Bisecting: 10621 revisions left to test after this (roughly 13 steps)
[9d004b2f4fea97cde123e7f1939b80e77bf2e695] Merge tag 'cxl-for-5.19' of git://git.kernel.org/pub/scm/linux/kernel/git/cxl/cxl
testing commit 9d004b2f4fea97cde123e7f1939b80e77bf2e695
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: cf7d8dda1bc9388c35b54eb9cb753438e1f41cc5adef329001f5feb2d5f3ec25
run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: failed to write control pipe: write |NUM: broken pipe
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good 9d004b2f4fea97cde123e7f1939b80e77bf2e695
Bisecting: 5301 revisions left to test after this (roughly 12 steps)
[b4c48ce837dc0122ed62b423c334b620cf8ff81b] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/tegra/linux.git
testing commit b4c48ce837dc0122ed62b423c334b620cf8ff81b
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 9b00f71a538bcd3b22f6a9a1994a22e31516eb4e284400b109a4d0f2ba92d74c
all runs: OK
# git bisect good b4c48ce837dc0122ed62b423c334b620cf8ff81b
Bisecting: 2582 revisions left to test after this (roughly 11 steps)
[c2e609e496f8195af2b789511f24a00546bb976e] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git
testing commit c2e609e496f8195af2b789511f24a00546bb976e
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: c31c0e6c09aa1b7b95eec605a3e0c89a3ff8c1293e8da371400b908103b1f272
all runs: OK
# git bisect good c2e609e496f8195af2b789511f24a00546bb976e
Bisecting: 1245 revisions left to test after this (roughly 10 steps)
[f38c55f14bf7f4b2abc621e53d4f2ec05693b8d9] Merge branch 'tty-next' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty.git
testing commit f38c55f14bf7f4b2abc621e53d4f2ec05693b8d9
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 5dc232a3065c730190c2f05a081262aded14baf4836f20258ba4e2cb96d594d5
all runs: OK
# git bisect good f38c55f14bf7f4b2abc621e53d4f2ec05693b8d9
Bisecting: 621 revisions left to test after this (roughly 9 steps)
[f0b534a439397a673ea84327da9a89b557417d20] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl.git
testing commit f0b534a439397a673ea84327da9a89b557417d20
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 3a408a84eef6a3539c52d41d967b36113ecb1b7a5fefd7e05f20559acf9475eb
all runs: OK
# git bisect good f0b534a439397a673ea84327da9a89b557417d20
Bisecting: 307 revisions left to test after this (roughly 8 steps)
[ee8804b7b3e6c5f45ddeafa3273f673bd4524110] Merge branch 'mm-stable' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
testing commit ee8804b7b3e6c5f45ddeafa3273f673bd4524110
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: e2e7890af174b843caa13b3c1cf9afad3aa1ece9ebe0c2850da200424102e2a1
all runs: OK
# git bisect good ee8804b7b3e6c5f45ddeafa3273f673bd4524110
Bisecting: 153 revisions left to test after this (roughly 7 steps)
[e6369794355535a6ede873c3633dfc91bf1932b9] mm/damon/schemes: add 'LRU_PRIO' DAMOS action
testing commit e6369794355535a6ede873c3633dfc91bf1932b9
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 0a4c659729bacdcd50751f1f902f894821fcf611b85bb306134ffc9b8044fb85
all runs: crashed: WARNING in page_counter_cancel
# git bisect bad e6369794355535a6ede873c3633dfc91bf1932b9
Bisecting: 76 revisions left to test after this (roughly 6 steps)
[e23cb70bcbef5c189790042d1d6d89e33308c386] mm: remove the vma linked list
testing commit e23cb70bcbef5c189790042d1d6d89e33308c386
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: b1d7cc264f3f0a07587ccb275f11d251263c34e3ccef551c8519f65c467b86fd
all runs: crashed: WARNING in page_counter_cancel
# git bisect bad e23cb70bcbef5c189790042d1d6d89e33308c386
Bisecting: 38 revisions left to test after this (roughly 5 steps)
[392e35bc64f10697f255c7ed6548cd5a480f37d0] mm/mmap: reorganize munmap to use maple states
testing commit 392e35bc64f10697f255c7ed6548cd5a480f37d0
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 8f11257706daeeb2b6ead1737c719da3103cfbd1cac507d2516edac7aebbdc2f
all runs: crashed: WARNING in page_counter_cancel
# git bisect bad 392e35bc64f10697f255c7ed6548cd5a480f37d0
Bisecting: 18 revisions left to test after this (roughly 4 steps)
[985ab5390e3d29c368e9f2401219f530b1965aa8] mm: add VMA iterator
testing commit 985ab5390e3d29c368e9f2401219f530b1965aa8
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 05fbfcd73f3ac4bf49a47f9f1d0ece5936a7065681b5a00e0ad1b15b0f5da9d1
all runs: crashed: WARNING in page_counter_cancel
# git bisect bad 985ab5390e3d29c368e9f2401219f530b1965aa8
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[df33742a4ad9a39e02608aca11c6eb1ddf3afbe0] Maple Tree: add new data structure
testing commit df33742a4ad9a39e02608aca11c6eb1ddf3afbe0
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 4fe2b932b72a99e5534c7f39e71e5443ef96a6209c5b17aa1737c282aae39cc4
run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: exit status NUM
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good df33742a4ad9a39e02608aca11c6eb1ddf3afbe0
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[11945bc29b2590896b1cab890d9dcc443c3b0bbc] radix tree test suite: add support for slab bulk APIs
testing commit 11945bc29b2590896b1cab890d9dcc443c3b0bbc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 3118ec940c96ed8b7153438fbc5089819c17c881c6901f0f5577ea1e2f5d41a8
all runs: OK
# git bisect good 11945bc29b2590896b1cab890d9dcc443c3b0bbc
Bisecting: 2 revisions left to test after this (roughly 1 step)
[209e6c246b0ab3fa8df81299104284bcc27bc1b6] lib/test_maple_tree: add testing for maple tree
testing commit 209e6c246b0ab3fa8df81299104284bcc27bc1b6
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 16213f6e99095c30da1c2183d4ffa27d917a74dd949740b6e8706feb4d0308c0
run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: exit status NUM
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good 209e6c246b0ab3fa8df81299104284bcc27bc1b6
Bisecting: 0 revisions left to test after this (roughly 1 step)
[2ee236fe53a8e2ab54679c74e8a1fb77e55b29bb] mm: start tracking VMAs with maple tree
testing commit 2ee236fe53a8e2ab54679c74e8a1fb77e55b29bb
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 2138b2bb9d5b431671925625d106f4a2b581f071be282b8cfad0628b0a8c0b9b
run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: failed to write control pipe: write |NUM: broken pipe
run #1: crashed: WARNING in page_counter_cancel
run #2: crashed: WARNING in page_counter_cancel
run #3: crashed: WARNING in page_counter_cancel
run #4: crashed: WARNING in page_counter_cancel
run #5: crashed: WARNING in page_counter_cancel
run #6: crashed: WARNING in page_counter_cancel
run #7: crashed: WARNING in page_counter_cancel
run #8: crashed: WARNING in page_counter_cancel
run #9: crashed: WARNING in page_counter_cancel
# git bisect bad 2ee236fe53a8e2ab54679c74e8a1fb77e55b29bb
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[9400b59d2e5546fc603bf7047336fe76e1065c52] test_maple_tree: add test for spanning store of entire range
testing commit 9400b59d2e5546fc603bf7047336fe76e1065c52
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: eb972e2d672ed665a5d88cec6ed1f7e02e6e0df48d54004b126fba9ceadde5bb
all runs: OK
# git bisect good 9400b59d2e5546fc603bf7047336fe76e1065c52
2ee236fe53a8e2ab54679c74e8a1fb77e55b29bb is the first bad commit
commit 2ee236fe53a8e2ab54679c74e8a1fb77e55b29bb
Author: Liam R. Howlett
Date:   Tue Jun 21 20:46:53 2022 +0000

    mm: start tracking VMAs with maple tree

    Start tracking the VMAs with the new maple tree structure in parallel with
    the rb_tree. Add debug and trace events for maple tree operations and
    duplicate the rb_tree that is created on forks into the maple tree.

    The maple tree is added to the mm_struct including the mm_init struct,
    added support in required mm/mmap functions, added tracking in kernel/fork
    for process forking, and used to find the unmapped_area and checked
    against what the rbtree finds.

    This also moves the mmap_lock() in exit_mmap() since the oom reaper call
    does walk the VMAs. Otherwise lockdep will be unhappy if oom happens.

    Link: https://lkml.kernel.org/r/20220504010716.661115-10-Liam.Howlett@oracle.com
    Link: https://lkml.kernel.org/r/20220621204632.3370049-9-Liam.Howlett@oracle.com
    Signed-off-by: Liam R. Howlett
    Signed-off-by: Matthew Wilcox (Oracle)
    Cc: Catalin Marinas
    Cc: David Howells
    Cc: SeongJae Park
    Cc: Vlastimil Babka
    Cc: Will Deacon
    Cc: Davidlohr Bueso
    Signed-off-by: Andrew Morton

 arch/x86/kernel/tboot.c     |   1 +
 drivers/firmware/efi/efi.c  |   1 +
 include/linux/mm.h          |   5 +
 include/linux/mm_types.h    |   3 +
 include/trace/events/mmap.h |  73 ++++++++++
 kernel/fork.c               |  20 ++-
 mm/init-mm.c                |   2 +
 mm/mmap.c                   | 320 ++++++++++++++++++++++++++++++++++++++++----
 mm/nommu.c                  |  13 ++
 9 files changed, 412 insertions(+), 26 deletions(-)

culprit signature: 2138b2bb9d5b431671925625d106f4a2b581f071be282b8cfad0628b0a8c0b9b
parent signature: eb972e2d672ed665a5d88cec6ed1f7e02e6e0df48d54004b126fba9ceadde5bb
revisions tested: 17, total time: 4h15m19.091638379s (build: 1h54m0.125448584s, test: 2h19m34.687825896s)
first bad commit: 2ee236fe53a8e2ab54679c74e8a1fb77e55b29bb mm: start tracking VMAs with maple tree
recipients (to): ["akpm@linux-foundation.org" "liam.howlett@oracle.com" "willy@infradead.org"]
recipients (cc): []

crash: WARNING in page_counter_cancel
------------[ cut here ]------------
page_counter underflow: -512 nr_pages=1536
WARNING: CPU: 0 PID: 4094 at mm/page_counter.c:56 page_counter_cancel+0x91/0xa0 mm/page_counter.c:56
Modules linked in:
CPU: 0 PID: 4094 Comm: syz-executor.0 Not tainted 5.19.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/29/2022
RIP: 0010:page_counter_cancel+0x91/0xa0 mm/page_counter.c:56
Code: 00 00 00 48 89 ef 5d 45 31 c0 41 5c 4c 89 c6 e9 75 fd ff ff 4c 89 e2 48 c7 c7 80 f6 18 89 c6 05 27 30 22 0b 01 e8 23 45 af 06 <0f> 0b eb a9 48 89 ef e8 73 87 fb ff eb c3 90 48 85 ff 74 7b 41 55
RSP: 0018:ffffc90002e1f940 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffff88814a3ed268 RCX: 0000000000000000
RDX: 0000000000000001 RSI: ffffffff89646380 RDI: fffff520005c3f1a
RBP: ffff88814a3ed268 R08: 0000000000000001 R09: ffff8880b9c34047
R10: ffffed1017386808 R11: 0000000000000001 R12: 0000000000000600
R13: ffff8880201e5300 R14: 0000000000000000 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fd3b9a13ff8 CR3: 000000006e24e000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 page_counter_uncharge+0x24/0x50 mm/page_counter.c:159
 hugetlb_cgroup_uncharge_counter+0xaf/0x330 mm/hugetlb_cgroup.c:432
 hugetlb_vm_op_close+0x35b/0x5f0 mm/hugetlb.c:4603
 remove_vma+0x9b/0x140 mm/mmap.c:190
 exit_mmap+0x1f5/0x540 mm/mmap.c:3415
 __mmput+0xf3/0x440 kernel/fork.c:1201
 exit_mm kernel/exit.c:510 [inline]
 do_exit+0x8ef/0x2480 kernel/exit.c:782
 do_group_exit+0xb2/0x2a0 kernel/exit.c:925
 get_signal+0x1c76/0x2030 kernel/signal.c:2857
 arch_do_signal_or_restart+0x82/0x2300 arch/x86/kernel/signal.c:869
 exit_to_user_mode_loop kernel/entry/common.c:166 [inline]
 exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:201
 __syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
 syscall_exit_to_user_mode+0x19/0x50 kernel/entry/common.c:294
 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7fd3b8889199
Code: Unable to access opcode bytes at RIP 0x7fd3b888916f.
RSP: 002b:00007fd3b9a14218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: 0000000000000001 RBX: 00007fd3b899bf68 RCX: 00007fd3b8889199
RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00007fd3b899bf6c
RBP: 00007fd3b899bf60 R08: 00007ffe5dee2080 R09: 0000000000000000
R10: ffffffffffffffff R11: 0000000000000246 R12: 00007fd3b899bf6c
R13: 00007ffe5de6894f R14: 00007fd3b9a14300 R15: 0000000000022000