bisecting fixing commit since e7c124bd04631973a3cc0df19ab881b56d8a2d50
building syzkaller on 6cc879d4712dbaf6e97f01250e2f4906c07b24b8
testing commit e7c124bd04631973a3cc0df19ab881b56d8a2d50
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: b276f2a3e0c7d820aa61aec159c3e095c93dbc91d99d42e22fa0d4ffc23d7626
all runs: crashed: WARNING in page_counter_cancel
testing current HEAD 169387e2aa291a4e3cb856053730fe99d6cec06f
testing commit 169387e2aa291a4e3cb856053730fe99d6cec06f
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 13a413b19c2d5aba6d6f74ca69bb134d388499d6bebc8a2ff3d945164c2e91fe
run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: exit status NUM
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect start 169387e2aa291a4e3cb856053730fe99d6cec06f e7c124bd04631973a3cc0df19ab881b56d8a2d50
Bisecting: 6174 revisions left to test after this (roughly 13 steps)
[fa722ecb93c22f084c9a9913469a940a8f0e1d5b] Merge tag 'mfd-next-5.17' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/mfd
testing commit fa722ecb93c22f084c9a9913469a940a8f0e1d5b
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 79a87dcfee93c653f4cdc4776f192ae55c63650c31f4e72aeb5d02205916a5de
all runs: OK
# git bisect bad fa722ecb93c22f084c9a9913469a940a8f0e1d5b
Bisecting: 3158 revisions left to test after this (roughly 12 steps)
[9bcbf894b6872216ef61faf17248ec234e3db6bc] Merge tag 'media/v5.17-1' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media
testing commit 9bcbf894b6872216ef61faf17248ec234e3db6bc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: b0e62751591bf1baad96ea31d5828654a72de96b752eb8a21ad2157172a3983e
run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: exit status NUM
run #1: crashed: WARNING in page_counter_cancel
run #2: crashed: WARNING in page_counter_cancel
run #3: crashed: WARNING in page_counter_cancel
run #4: crashed: WARNING in page_counter_cancel
run #5: crashed: WARNING in page_counter_cancel
run #6: crashed: WARNING in page_counter_cancel
run #7: crashed: WARNING in page_counter_cancel
run #8: crashed: WARNING in page_counter_cancel
run #9: crashed: WARNING in page_counter_cancel
# git bisect good 9bcbf894b6872216ef61faf17248ec234e3db6bc
Bisecting: 1560 revisions left to test after this (roughly 11 steps)
[f2b551fad8d8f2ac5e1f810ad595298381e0b0c5] Merge tag 'wireless-drivers-next-2021-12-23' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers-next
testing commit f2b551fad8d8f2ac5e1f810ad595298381e0b0c5
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 24670257345383d36d46166bb815d43b031d1863899d0a2b7d505ea283eb11cf
all runs: crashed: WARNING in page_counter_cancel
# git bisect good f2b551fad8d8f2ac5e1f810ad595298381e0b0c5
Bisecting: 781 revisions left to test after this (roughly 10 steps)
[b35b6d4d71365fbfb6f2cc8edc331b3882ca817e] Merge tag 'pm-5.17-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm
testing commit b35b6d4d71365fbfb6f2cc8edc331b3882ca817e
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: e46c570c1a0c56ace12213fc594afde6d6d1116f96ea1f0ab1a661b33ace0e8f
run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: exit status NUM
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad b35b6d4d71365fbfb6f2cc8edc331b3882ca817e
Bisecting: 389 revisions left to test after this (roughly 9 steps)
[be23511eb5c460db42bb29c2c208667a27163b10] net/mlx5e: Refactor set_pflag_cqe_based_moder
testing commit be23511eb5c460db42bb29c2c208667a27163b10
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: e7022ac8c1a7d9387e7f189dccda4213945f2401da385a148bc9af42da3bde80
all runs: crashed: WARNING in page_counter_cancel
# git bisect good be23511eb5c460db42bb29c2c208667a27163b10
Bisecting: 194 revisions left to test after this (roughly 8 steps)
[3aa440503be5ee1c63b63ec5da41c50e56bd9ae4] bnx2x: Remove useless DMA-32 fallback configuration
testing commit 3aa440503be5ee1c63b63ec5da41c50e56bd9ae4
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 23dd2777c19e1309de99398e53316b6cbbc683c7ed84e2cd1e65d8c9cae7bad0
all runs: crashed: WARNING in page_counter_cancel
# git bisect good 3aa440503be5ee1c63b63ec5da41c50e56bd9ae4
Bisecting: 125 revisions left to test after this (roughly 7 steps)
[70df8e1bdc941431af2370270f5140291dcbb282] Merge branches 'acpi-tables', 'acpi-numa', 'acpi-sysfs', 'acpi-cppc', 'acpi-thermal' and 'acpi-battery'
testing commit 70df8e1bdc941431af2370270f5140291dcbb282
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 79e931869adf1283e594d34c1d94eb2b7b25ccf10e5eb3614a6c643349e9d69b
all runs: crashed: WARNING in page_counter_cancel
# git bisect good 70df8e1bdc941431af2370270f5140291dcbb282
Bisecting: 62 revisions left to test after this (roughly 6 steps)
[bca21755b9fc00dbe371994b53389eb5d70b8e72] Merge tag 'acpi-5.17-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm
testing commit bca21755b9fc00dbe371994b53389eb5d70b8e72
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 59646203221b00721cbc72c68a61a9c4766c81dddc90cc27c72266ffd87c9785
all runs: OK
# git bisect bad bca21755b9fc00dbe371994b53389eb5d70b8e72
Bisecting: 31 revisions left to test after this (roughly 5 steps)
[14676c04783c6363b71072c01b42bb7838eb56eb] Merge tag 'mlx5-fixes-2022-01-06' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux
testing commit 14676c04783c6363b71072c01b42bb7838eb56eb
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: cc9f56b97a5908ff362ff2bc435b06ca85d472b5f478e0f96cfe4a1b4fb080a0
all runs: crashed: WARNING in page_counter_cancel
# git bisect good 14676c04783c6363b71072c01b42bb7838eb56eb
Bisecting: 15 revisions left to test after this (roughly 4 steps)
[f4bb93a82f94a1e23e532f0b4b1859f1f4605968] Merge tag 'linux-can-fixes-for-5.16-20220109' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can
testing commit f4bb93a82f94a1e23e532f0b4b1859f1f4605968
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: f3a388778b17019c49f078f2fe4d7ea9d88149a7d97633991d014c1bb5bebb88
all runs: OK
# git bisect bad f4bb93a82f94a1e23e532f0b4b1859f1f4605968
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[9371937092d5fd502032c1bb4475b36b39b1f1b3] ax25: uninitialized variable in ax25_setsockopt()
testing commit 9371937092d5fd502032c1bb4475b36b39b1f1b3
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 6bf401645dc2d35abb410baec26000b8d838337331c10dd13bd7bafbacaec0c6
all runs: OK
# git bisect bad 9371937092d5fd502032c1bb4475b36b39b1f1b3
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[fff63521cd6e197738db9297076d83b4081ac80f] Merge branch 'mptcp-fixes'
testing commit fff63521cd6e197738db9297076d83b4081ac80f
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: a6ddcc9ead3d89715d5eafaf356db4565dd17c87f918c1e52b32b3525c33c2c5
all runs: OK
# git bisect bad fff63521cd6e197738db9297076d83b4081ac80f
Bisecting: 1 revision left to test after this (roughly 1 step)
[110b6d1fe98fd7af9893992459b651594d789293] mptcp: fix a DSS option writing error
testing commit 110b6d1fe98fd7af9893992459b651594d789293
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 0c216b1f893b9f4418e9534dc10d6f5b57306346a7900538ffed31e1bf51c197
all runs: crashed: WARNING in page_counter_cancel
# git bisect good 110b6d1fe98fd7af9893992459b651594d789293
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[269bda9e7da48eafb599d01c96199caa2f7547e5] mptcp: Check reclaim amount before reducing allocation
testing commit 269bda9e7da48eafb599d01c96199caa2f7547e5
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: a6ddcc9ead3d89715d5eafaf356db4565dd17c87f918c1e52b32b3525c33c2c5
all runs: OK
# git bisect bad 269bda9e7da48eafb599d01c96199caa2f7547e5
269bda9e7da48eafb599d01c96199caa2f7547e5 is the first bad commit
commit 269bda9e7da48eafb599d01c96199caa2f7547e5
Author: Mat Martineau
Date:   Thu Jan 6 14:06:38 2022 -0800

    mptcp: Check reclaim amount before reducing allocation

    syzbot found a page counter underflow that was triggered by MPTCP's
    reclaim code:

    page_counter underflow: -4294964789 nr_pages=4294967295
    WARNING: CPU: 2 PID: 3785 at mm/page_counter.c:56 page_counter_cancel+0xcf/0xe0 mm/page_counter.c:56
    Modules linked in:
    CPU: 2 PID: 3785 Comm: kworker/2:6 Not tainted 5.16.0-rc1-syzkaller #0
    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
    Workqueue: events mptcp_worker
    RIP: 0010:page_counter_cancel+0xcf/0xe0 mm/page_counter.c:56
    Code: c7 04 24 00 00 00 00 45 31 f6 eb 97 e8 2a 2b b5 ff 4c 89 ea 48 89 ee 48 c7 c7 00 9e b8 89 c6 05 a0 c1 ba 0b 01 e8 95 e4 4b 07 <0f> 0b eb a8 4c 89 e7 e8 25 5a fb ff eb c7 0f 1f 00 41 56 41 55 49
    RSP: 0018:ffffc90002d4f918 EFLAGS: 00010082
    RAX: 0000000000000000 RBX: ffff88806a494120 RCX: 0000000000000000
    RDX: ffff8880688c41c0 RSI: ffffffff815e8f28 RDI: fffff520005a9f15
    RBP: ffffffff000009cb R08: 0000000000000000 R09: 0000000000000000
    R10: ffffffff815e2cfe R11: 0000000000000000 R12: ffff88806a494120
    R13: 00000000ffffffff R14: 0000000000000000 R15: 0000000000000001
    FS: 0000000000000000(0000) GS:ffff88802cc00000(0000) knlGS:0000000000000000
    CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000001b2de21000 CR3: 000000005ad59000 CR4: 0000000000150ee0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    Call Trace:
     page_counter_uncharge+0x2e/0x60 mm/page_counter.c:160
     drain_stock+0xc1/0x180 mm/memcontrol.c:2219
     refill_stock+0x139/0x2f0 mm/memcontrol.c:2271
     __sk_mem_reduce_allocated+0x24d/0x550 net/core/sock.c:2945
     __mptcp_rmem_reclaim net/mptcp/protocol.c:167 [inline]
     __mptcp_mem_reclaim_partial+0x124/0x410 net/mptcp/protocol.c:975
     mptcp_mem_reclaim_partial net/mptcp/protocol.c:982 [inline]
     mptcp_alloc_tx_skb net/mptcp/protocol.c:1212 [inline]
     mptcp_sendmsg_frag+0x18c6/0x2190 net/mptcp/protocol.c:1279
     __mptcp_push_pending+0x232/0x720 net/mptcp/protocol.c:1545
     mptcp_release_cb+0xfe/0x200 net/mptcp/protocol.c:2975
     release_sock+0xb4/0x1b0 net/core/sock.c:3306
     mptcp_worker+0x51e/0xc10 net/mptcp/protocol.c:2443
     process_one_work+0x9b2/0x1690 kernel/workqueue.c:2298
     worker_thread+0x658/0x11f0 kernel/workqueue.c:2445
     kthread+0x405/0x4f0 kernel/kthread.c:327
     ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

    __mptcp_mem_reclaim_partial() could call __mptcp_rmem_reclaim() with a
    negative value, which passed that negative value to
    __sk_mem_reduce_allocated() and triggered the splat above.

    Check for a reclaim amount that is positive and large enough for
    __mptcp_rmem_reclaim() to actually adjust rmem_fwd_alloc (much like
    the sk_mem_reclaim_partial() code the function is based on).

    v2: Use '>' instead of '>=', since SK_MEM_QUANTUM - 1 would get
    right-shifted into nothing by __mptcp_rmem_reclaim.

    Fixes: 6511882cdd82 ("mptcp: allocate fwd memory separately on the rx and tx path")
    Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/252
    Reported-and-tested-by: syzbot+bc9e2d2dbcb347dd215a@syzkaller.appspotmail.com
    Cc: Andrew Morton
    Cc: Michal Hocko
    Acked-by: Paolo Abeni
    Signed-off-by: Mat Martineau
    Signed-off-by: David S. Miller

 net/mptcp/protocol.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
culprit signature: a6ddcc9ead3d89715d5eafaf356db4565dd17c87f918c1e52b32b3525c33c2c5
parent signature: 0c216b1f893b9f4418e9534dc10d6f5b57306346a7900538ffed31e1bf51c197
revisions tested: 16, total time: 3h7m4.835773406s (build: 1h48m8.820144533s, test: 1h17m4.407914274s)
first good commit: 269bda9e7da48eafb599d01c96199caa2f7547e5 mptcp: Check reclaim amount before reducing allocation
recipients (to): ["davem@davemloft.net" "mathew.j.martineau@linux.intel.com" "pabeni@redhat.com" "syzbot+bc9e2d2dbcb347dd215a@syzkaller.appspotmail.com"]
recipients (cc): []