bisecting cause commit starting from 931294922e65a23e1aad6398b9ae02df74044679
building syzkaller on a8529b82fb3bb45832b08a099e7eb51707da9b37
testing commit 931294922e65a23e1aad6398b9ae02df74044679 with gcc (GCC) 10.2.1 20210217
kernel signature: 9f5377ca40d653d17b261e7f1d292f9e223d48c7c842df2df90983172cd2c461
all runs: crashed: WARNING in unsafe_follow_pfn
testing release v5.11
testing commit f40ddce88593482919761f74910f42f4b84c004b with gcc (GCC) 10.2.1 20210217
kernel signature: c91dd831bdc1478ecd8ea364b531db7675d35de370153360d0789f854c5ca7bb
all runs: OK
# git bisect start 931294922e65a23e1aad6398b9ae02df74044679 f40ddce88593482919761f74910f42f4b84c004b
Bisecting: 10247 revisions left to test after this (roughly 13 steps)
[826ea860bc4d119731026655c383c7773c9d2dad] mm/filemap: simplify generic_file_read_iter

testing commit 826ea860bc4d119731026655c383c7773c9d2dad with gcc (GCC) 10.2.1 20210217
kernel signature: 9883d8af9e84ee210faa82a306e16e61a1ca722ecd28b6c6c70f36ea02b54e80
run #0: OK
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: boot failed: WARNING in kvm_wait
run #9: boot failed: WARNING in kvm_wait
# git bisect good 826ea860bc4d119731026655c383c7773c9d2dad
Bisecting: 5177 revisions left to test after this (roughly 12 steps)
[c9e6f83c14928c3c4032ca2870f91bc844c62dea] Merge remote-tracking branch 'rdma/for-next'

testing commit c9e6f83c14928c3c4032ca2870f91bc844c62dea with gcc (GCC) 10.2.1 20210217
kernel signature: 80758353baf4bb85d6a8baedb6e8d271afb444cd9c74986c2efeab2147b95d3d
all runs: OK
# git bisect good c9e6f83c14928c3c4032ca2870f91bc844c62dea
Bisecting: 2561 revisions left to test after this (roughly 11 steps)
[3135490f39a6428dc956ad5146f10f87effa5303] Merge remote-tracking branch 'block/for-next'

testing commit 3135490f39a6428dc956ad5146f10f87effa5303 with gcc (GCC) 10.2.1 20210217
kernel signature: d078c02b5230958f7906db42b0cf36f56c941a58f9410fe6ccc4c906a4218d27
all runs: OK
# git bisect good 3135490f39a6428dc956ad5146f10f87effa5303
Bisecting: 1274 revisions left to test after this (roughly 10 steps)
[56bf300743ac3d89c31bbee3a789edbd71853bcc] Merge remote-tracking branch 'char-misc/char-misc-next'

testing commit 56bf300743ac3d89c31bbee3a789edbd71853bcc with gcc (GCC) 10.2.1 20210217
kernel signature: f8742acdc4ea1249216e56fe09e0b942c1db61f5ac041f36339edf06348d52d7
all runs: OK
# git bisect good 56bf300743ac3d89c31bbee3a789edbd71853bcc
Bisecting: 575 revisions left to test after this (roughly 9 steps)
[0a718730e1341f2f716f157e1ea028ba732d2757] Merge remote-tracking branch 'scsi/for-next'

testing commit 0a718730e1341f2f716f157e1ea028ba732d2757 with gcc (GCC) 10.2.1 20210217
kernel signature: 0116d8260392959b79512d18f2468c6205dc6319c918883d289f340d30f00c7c
all runs: OK
# git bisect good 0a718730e1341f2f716f157e1ea028ba732d2757
Bisecting: 287 revisions left to test after this (roughly 8 steps)
[e45d4c429ff9339f7528f9a66500fa4b84f183e9] Merge remote-tracking branch 'mhi/mhi-next'

testing commit e45d4c429ff9339f7528f9a66500fa4b84f183e9 with gcc (GCC) 10.2.1 20210217
kernel signature: b0dd2eaef91984a7a582fee50e05021dfca4e73853cf238f7198fe8453f2178e
all runs: OK
# git bisect good e45d4c429ff9339f7528f9a66500fa4b84f183e9
Bisecting: 143 revisions left to test after this (roughly 7 steps)
[78ff04a30891276f5e3a970ad0dfb93d27a79f2a] userfaultfd: disable huge PMD sharing for MINOR registered VMAs

testing commit 78ff04a30891276f5e3a970ad0dfb93d27a79f2a with gcc (GCC) 10.2.1 20210217
kernel signature: c7e62ba1e9591ed7dc300ba619b24e8c66848b9524eb590528a256d289c12426
all runs: OK
# git bisect good 78ff04a30891276f5e3a970ad0dfb93d27a79f2a
Bisecting: 71 revisions left to test after this (roughly 6 steps)
[3773b3ee37cb2b3f8184abbce59d9adf5d041d2b] mm/sparse: minor coding style tweaks

testing commit 3773b3ee37cb2b3f8184abbce59d9adf5d041d2b with gcc (GCC) 10.2.1 20210217
kernel signature: 6df203262daf3caa961d8399673f2f41216ca8d05a3a0f53162908544785959f
all runs: OK
# git bisect good 3773b3ee37cb2b3f8184abbce59d9adf5d041d2b
Bisecting: 35 revisions left to test after this (roughly 5 steps)
[9815089d5986fbe025863fd4c3be23b52be71da3] kernel/fork.c: fix typos

testing commit 9815089d5986fbe025863fd4c3be23b52be71da3 with gcc (GCC) 10.2.1 20210217
kernel signature: 9a019e7fe6376f7a97682bab05645401981b172df091d034f081215bd44faa77
all runs: OK
# git bisect good 9815089d5986fbe025863fd4c3be23b52be71da3
Bisecting: 18 revisions left to test after this (roughly 4 steps)
[f466a65c17d801af66217d112d1dacdfea8fdd18] mm, page_alloc: avoid page_to_pfn() in move_freepages()

testing commit f466a65c17d801af66217d112d1dacdfea8fdd18 with gcc (GCC) 10.2.1 20210217
kernel signature: df4d3b3390886ad380939199794fb9044e12ca4845362b9350bce4de126cd77e
all runs: OK
# git bisect good f466a65c17d801af66217d112d1dacdfea8fdd18
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[d7d3d8f9586632d1cc9b86bd35284fee84841f84] mmap: make mlock_future_check() global

testing commit d7d3d8f9586632d1cc9b86bd35284fee84841f84 with gcc (GCC) 10.2.1 20210217
kernel signature: 6124876f3659a9c47af133a06fb0f1ac8c39ec3902f0222462dfc461296e1a62
all runs: crashed: WARNING in unsafe_follow_pfn
# git bisect bad d7d3d8f9586632d1cc9b86bd35284fee84841f84
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[66519ab00cd630fc8bc3c98d5fbfe770e7a45529] Merge remote-tracking branch 'iomem-mmap-vs-gup/topic/iomem-mmap-vs-gup'

testing commit 66519ab00cd630fc8bc3c98d5fbfe770e7a45529 with gcc (GCC) 10.2.1 20210217
kernel signature: 4bd7c296eac6fda2695464c991499755e841558cf6cb439f202fe89080241946
all runs: crashed: WARNING in unsafe_follow_pfn
# git bisect bad 66519ab00cd630fc8bc3c98d5fbfe770e7a45529
Bisecting: 1 revision left to test after this (roughly 1 step)
[1eabf46a776387bb6b52d1168bd49bf2645e07a9] media/videobuf1|2: Mark follow_pfn usage as unsafe

testing commit 1eabf46a776387bb6b52d1168bd49bf2645e07a9 with gcc (GCC) 10.2.1 20210217
kernel signature: 13393b729d829f2a4ade9ee057db8544adb617436f8d40be6f372942f5fe8172
run #0: crashed: WARNING in unsafe_follow_pfn
run #1: crashed: WARNING in unsafe_follow_pfn
run #2: crashed: WARNING in unsafe_follow_pfn
run #3: crashed: WARNING in unsafe_follow_pfn
run #4: crashed: WARNING in unsafe_follow_pfn
run #5: crashed: WARNING in unsafe_follow_pfn
run #6: crashed: WARNING in unsafe_follow_pfn
run #7: crashed: WARNING in unsafe_follow_pfn
run #8: boot failed: WARNING in kvm_wait
run #9: boot failed: WARNING in kvm_wait
# git bisect bad 1eabf46a776387bb6b52d1168bd49bf2645e07a9
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[d40b9fdee6dc819d8fc35f70c345cbe0394cde4c] mm: Add unsafe_follow_pfn

testing commit d40b9fdee6dc819d8fc35f70c345cbe0394cde4c with gcc (GCC) 10.2.1 20210217
kernel signature: 11b8bc562eb8a08242f01796b8d6410e7917c76e5aa38b957d0848f7aff7a114
run #0: crashed: WARNING in kvm_wait
run #1: crashed: WARNING in kvm_wait
run #2: crashed: WARNING in kvm_wait
run #3: crashed: WARNING in kvm_wait
run #4: crashed: WARNING in kvm_wait
run #5: crashed: WARNING in kvm_wait
run #6: boot failed: WARNING in kvm_wait
run #7: boot failed: WARNING in kvm_wait
run #8: boot failed: WARNING in kvm_wait
run #9: boot failed: WARNING in kvm_wait
# git bisect bad d40b9fdee6dc819d8fc35f70c345cbe0394cde4c
d40b9fdee6dc819d8fc35f70c345cbe0394cde4c is the first bad commit
commit d40b9fdee6dc819d8fc35f70c345cbe0394cde4c
Author: Daniel Vetter <daniel.vetter@ffwll.ch>
Date:   Tue Mar 16 16:33:01 2021 +0100

    mm: Add unsafe_follow_pfn
    
    Way back it was a reasonable assumptions that iomem mappings never
    change the pfn range they point at. But this has changed:
    
    - gpu drivers dynamically manage their memory nowadays, invalidating
    ptes with unmap_mapping_range when buffers get moved
    
    - contiguous dma allocations have moved from dedicated carvetouts to
    cma regions. This means if we miss the unmap the pfn might contain
    pagecache or anon memory (well anything allocated with GFP_MOVEABLE)
    
    - even /dev/mem now invalidates mappings when the kernel requests that
    iomem region when CONFIG_IO_STRICT_DEVMEM is set, see 3234ac664a87
    ("/dev/mem: Revoke mappings when a driver claims the region")
    
    Accessing pfns obtained from ptes without holding all the locks is
    therefore no longer a good idea.
    
    Unfortunately there's some users where this is not fixable (like v4l
    userptr of iomem mappings) or involves a pile of work (vfio type1
    iommu). For now annotate these as unsafe and splat appropriately.
    
    This patch adds an unsafe_follow_pfn, which later patches will then
    roll out to all appropriate places.
    
    Also mark up follow_pfn as EXPORT_SYMBOL_GPL. The only safe way to use
    that by drivers/modules is together with an mmu_notifier, and that's
    all _GPL stuff.
    
    Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
    Cc: Christoph Hellwig <hch@infradead.org>
    Cc: Jason Gunthorpe <jgg@ziepe.ca>
    Cc: Kees Cook <keescook@chromium.org>
    Cc: Dan Williams <dan.j.williams@intel.com>
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Cc: John Hubbard <jhubbard@nvidia.com>
    Cc: Jérôme Glisse <jglisse@redhat.com>
    Cc: Jan Kara <jack@suse.cz>
    Cc: Dan Williams <dan.j.williams@intel.com>
    Cc: linux-mm@kvack.org
    Cc: linux-arm-kernel@lists.infradead.org
    Cc: linux-samsung-soc@vger.kernel.org
    Cc: linux-media@vger.kernel.org
    Cc: kvm@vger.kernel.org
    Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
    Link: https://patchwork.freedesktop.org/patch/msgid/20210316153303.3216674-2-daniel.vetter@ffwll.ch

 include/linux/mm.h |  2 ++
 mm/memory.c        | 34 ++++++++++++++++++++++++++++++++--
 mm/nommu.c         | 27 ++++++++++++++++++++++++++-
 security/Kconfig   | 13 +++++++++++++
 4 files changed, 73 insertions(+), 3 deletions(-)

parent commit fe07bfda2fb9cdef8a4d4008a409bb02f35f1bd8 wasn't tested
testing commit fe07bfda2fb9cdef8a4d4008a409bb02f35f1bd8 with gcc (GCC) 10.2.1 20210217
kernel signature: bb276bb968bb80560ac8b5a1a56c3339e3b55a317abab77f029307d05cd958a7
culprit signature: 11b8bc562eb8a08242f01796b8d6410e7917c76e5aa38b957d0848f7aff7a114
parent  signature: bb276bb968bb80560ac8b5a1a56c3339e3b55a317abab77f029307d05cd958a7
revisions tested: 16, total time: 4h7m5.446120147s (build: 1h52m44.775666126s, test: 2h12m15.087898173s)
first bad commit: d40b9fdee6dc819d8fc35f70c345cbe0394cde4c mm: Add unsafe_follow_pfn
recipients (to): ["akpm@linux-foundation.org" "daniel.vetter@ffwll.ch" "daniel.vetter@intel.com" "jmorris@namei.org" "linux-mm@kvack.org" "linux-security-module@vger.kernel.org" "serge@hallyn.com"]
recipients (cc): ["linux-kernel@vger.kernel.org"]
crash: WARNING in kvm_wait
------------[ cut here ]------------
raw_local_irq_restore() called with IRQs enabled
WARNING: CPU: 1 PID: 8787 at kernel/locking/irqflag-debug.c:10 warn_bogus_irq_restore+0x1d/0x20 kernel/locking/irqflag-debug.c:10
Modules linked in:
CPU: 1 PID: 8787 Comm: syz-executor.4 Not tainted 5.12.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:warn_bogus_irq_restore+0x1d/0x20 kernel/locking/irqflag-debug.c:10
Code: 24 48 c7 c7 20 68 89 88 e8 45 83 c1 ff 80 3d f7 de e6 03 00 74 01 c3 48 c7 c7 40 e1 8a 88 c6 05 e6 de e6 03 01 e8 3a 82 c1 ff <0f> 0b c3 48 39 77 10 0f 84 97 00 00 00 66 f7 47 22 f0 ff 74 4b 48
RSP: 0018:ffffc900017bf9e0 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff888020505040 RCX: 0000000000000000
RDX: 0000000000000002 RSI: ffffffff88de4ec0 RDI: fffff520002f7f2e
RBP: 0000000000000200 R08: 0000000000000001 R09: ffff8880ba1301a7
R10: ffffed1017426034 R11: 0000000000000001 R12: 0000000000000003
R13: ffffed10040a0a08 R14: 0000000000000001 R15: ffff8880ba135f00
FS:  00000000016af400(0000) GS:ffff8880ba100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffd30a4af78 CR3: 0000000010c08000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 kvm_wait arch/x86/kernel/kvm.c:860 [inline]
 kvm_wait+0xc9/0xe0 arch/x86/kernel/kvm.c:837
 pv_wait arch/x86/include/asm/paravirt.h:564 [inline]
 pv_wait_head_or_lock kernel/locking/qspinlock_paravirt.h:470 [inline]
 __pv_queued_spin_lock_slowpath+0x8b8/0xb40 kernel/locking/qspinlock.c:508
 pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:554 [inline]
 queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:51 [inline]
 queued_spin_lock include/asm-generic/qspinlock.h:85 [inline]
 do_raw_spin_lock+0x200/0x2b0 kernel/locking/spinlock_debug.c:113
 spin_lock include/linux/spinlock.h:354 [inline]
 ext4_lock_group fs/ext4/ext4.h:3383 [inline]
 __ext4_new_inode+0x2db3/0x44d0 fs/ext4/ialloc.c:1188
 ext4_mkdir+0x2aa/0x930 fs/ext4/namei.c:2804
 vfs_mkdir+0x179/0x2e0 fs/namei.c:3817
 do_mkdirat+0x20c/0x280 fs/namei.c:3842
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x465567
Code: 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 53 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd30a4c2d8 EFLAGS: 00000206 ORIG_RAX: 0000000000000053
RAX: ffffffffffffffda RBX: 00007ffd30a4c370 RCX: 0000000000465567
RDX: 0000000000000000 RSI: 00000000000001ff RDI: 00007ffd30a4c370
RBP: 00007ffd30a4c34c R08: 0000000000000000 R09: 0000000000000006
R10: 00007ffd30a4c074 R11: 0000000000000206 R12: 0000000000000032
R13: 00000000000659be R14: 0000000000000004 R15: 00007ffd30a4c3b0