bisecting cause commit starting from 34d1d36073ea4d4c532e8c8345627a9702be799e
building syzkaller on 0fc5c330fea4b4129567aaa44ea5a134cb850bbb
testing commit 34d1d36073ea4d4c532e8c8345627a9702be799e
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: b8b55ef7a22f579a221c3e8327fee16b0ec50c5831f37f6d011f66004d8cfb6b
all runs: crashed: KASAN: null-ptr-deref Read in hugepage_vma_check
testing release v5.18
testing commit 4b0986a3613c92f4ec1bdc7f60ec66fea135991f
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 0160e713564ddc4ba446b48915a0da96b0dcef472610cd89b568e2beb974d42e
all runs: OK
# git bisect start 34d1d36073ea4d4c532e8c8345627a9702be799e 4b0986a3613c92f4ec1bdc7f60ec66fea135991f
Bisecting: 9729 revisions left to test after this (roughly 13 steps)
[bf9095424d027e942e1d1ee74977e17b7df8e455] Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm
testing commit bf9095424d027e942e1d1ee74977e17b7df8e455
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 75cf5e013da54bf08f985a3a60b19a96d56e34f1be4cd68ea208d2e34a8f1d93
run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: failed to write control pipe: write |NUM: broken pipe
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good bf9095424d027e942e1d1ee74977e17b7df8e455
Bisecting: 4868 revisions left to test after this (roughly 12 steps)
[6c0d09d9374c025f503d33bcef5f656e3f1dd349] Merge branch 'dt-bindings-dp83867-add-binding-for-io_impedance_ctrl-nvmem-cell'
testing commit 6c0d09d9374c025f503d33bcef5f656e3f1dd349
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 9107057d7b0315892f05dab8b8c88443f191e90b8e3f499d891f2928fa0e62f2
all runs: OK
# git bisect good 6c0d09d9374c025f503d33bcef5f656e3f1dd349
Bisecting: 2453 revisions left to test after this (roughly 11 steps)
[3d76d093616b3dde3626ad2b910612dbb6c8b2b1] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound.git
testing commit 3d76d093616b3dde3626ad2b910612dbb6c8b2b1
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: c74600c4c4934634b420309b3f77833384295809911b25b2c80d093ff1827bc0
all runs: OK
# git bisect good 3d76d093616b3dde3626ad2b910612dbb6c8b2b1
Bisecting: 1224 revisions left to test after this (roughly 10 steps)
[55a7c9596399b1f21d626cd1eed933e98b6a690f] Merge branch 'driver-core-next' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core.git
testing commit 55a7c9596399b1f21d626cd1eed933e98b6a690f
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: c9488f9f58ad8bb3bc1aa8bbbee9abfa829bb2f9fb76b969e9788466693d2046
all runs: OK
# git bisect good 55a7c9596399b1f21d626cd1eed933e98b6a690f
Bisecting: 608 revisions left to test after this (roughly 9 steps)
[4074f61c3d5063e91c2675cbae26ac4bda897f8d] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/mkp/scsi.git
testing commit 4074f61c3d5063e91c2675cbae26ac4bda897f8d
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: d86d40d2d3be53203e9329a15d97b383343a97b0dd6c65858df24a891ff58b74
all runs: OK
# git bisect good 4074f61c3d5063e91c2675cbae26ac4bda897f8d
Bisecting: 306 revisions left to test after this (roughly 8 steps)
[a2fa9869735edad0df54317d72667c0f27e55e20] Merge branch 'mm-stable' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
testing commit a2fa9869735edad0df54317d72667c0f27e55e20
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: df10b83b6d42b2db350b2b10c5cee3614477e024f257e2e8b6dc58bf50a9782a
all runs: OK
# git bisect good a2fa9869735edad0df54317d72667c0f27e55e20
Bisecting: 153 revisions left to test after this (roughly 7 steps)
[399ade8af56d2bda5271c6997b893334fb5ae445] mm: refactor of vma_merge()
testing commit 399ade8af56d2bda5271c6997b893334fb5ae445
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 002967ffa6e9b4d9c2509c9552c124979bc602338020bbff6cabaf5c1a2186c2
all runs: OK
# git bisect good 399ade8af56d2bda5271c6997b893334fb5ae445
Bisecting: 76 revisions left to test after this (roughly 6 steps)
[148d24fa8eec26f8ff223684fa70a60494ea0ced] mm/swap: optimise lru_add_drain_cpu()
testing commit 148d24fa8eec26f8ff223684fa70a60494ea0ced
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: d42ad34db6c7c359bb558aca5dbe9ece1be52f083ea32f8389133118be527b5c
all runs: crashed: KASAN: null-ptr-deref Read in hugepage_vma_check
# git bisect bad 148d24fa8eec26f8ff223684fa70a60494ea0ced
Bisecting: 38 revisions left to test after this (roughly 5 steps)
[b08d7f1be16a74be849bf13276ede58a7ebcab0c] mm/damon/schemes: add 'LRU_PRIO' DAMOS action
testing commit b08d7f1be16a74be849bf13276ede58a7ebcab0c
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: d322e86fc5bd28db8cc3089d4514b4d870e282d328444120fb1544de9d8f93f2
all runs: OK
# git bisect good b08d7f1be16a74be849bf13276ede58a7ebcab0c
Bisecting: 19 revisions left to test after this (roughly 4 steps)
[37c4fbc818d91c6de0169bda2e15ee2bc39efb98] mm: thp: kill __transhuge_page_enabled()
testing commit 37c4fbc818d91c6de0169bda2e15ee2bc39efb98
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: afa66a275d834a646f3fad1f76d52cb968ff7ceeb75d7f51ad5ff0aad1b0dca4
all runs: crashed: KASAN: null-ptr-deref Read in hugepage_vma_check
# git bisect bad 37c4fbc818d91c6de0169bda2e15ee2bc39efb98
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[6f82e9cdd859b4c1b4595480ea8024d3a638f37a] userfaultfd: update documentation to describe /dev/userfaultfd
testing commit 6f82e9cdd859b4c1b4595480ea8024d3a638f37a
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 10df2328842397156f53c2206ad9d0c19230a0e761b903e99efc247af1b721ac
all runs: OK
# git bisect good 6f82e9cdd859b4c1b4595480ea8024d3a638f37a
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[c7f43cc88627866b15d1aa50266f03d69e0e9199] mm/mlock: drop dead code in count_mm_mlocked_page_nr()
testing commit c7f43cc88627866b15d1aa50266f03d69e0e9199
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 9b3a41ad4ef3fed24f176c298f8b1fd2cc5e86d5dc0c4784cf82fa202f2c69fe
all runs: OK
# git bisect good c7f43cc88627866b15d1aa50266f03d69e0e9199
Bisecting: 2 revisions left to test after this (roughly 1 step)
[201c0587b32cbbf7957288c3c85b92ed67935702] mm: thp: consolidate vma size check to transhuge_vma_suitable
testing commit 201c0587b32cbbf7957288c3c85b92ed67935702
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: aa2b724a9b2c14fdb2c5bf8080879a9f6dd13e49a63b42af0a555db501751fd9
all runs: OK
# git bisect good 201c0587b32cbbf7957288c3c85b92ed67935702
Bisecting: 0 revisions left to test after this (roughly 1 step)
[0a44ebaaa3f3ecfacd2744467957882eabd92cec] mm: thp: kill transparent_hugepage_active()
testing commit 0a44ebaaa3f3ecfacd2744467957882eabd92cec
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 02f8aa2ed3da6695ac58f247e4e9c0cc7f7f089ee6d038b685c3cd613365b59c
all runs: crashed: KASAN: null-ptr-deref Read in hugepage_vma_check
# git bisect bad 0a44ebaaa3f3ecfacd2744467957882eabd92cec
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[806e4d91686ed9b8ef070aba39f84cf6125e8406] mm: khugepaged: better comments for anon vma check in hugepage_vma_revalidate
testing commit 806e4d91686ed9b8ef070aba39f84cf6125e8406
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 5335c1e1a571ba301d26bffc61daedb8ae792aed2caccfdb8063a783b07e31c2
all runs: OK
# git bisect good 806e4d91686ed9b8ef070aba39f84cf6125e8406
0a44ebaaa3f3ecfacd2744467957882eabd92cec is the first bad commit
commit 0a44ebaaa3f3ecfacd2744467957882eabd92cec
Author: Yang Shi
Date:   Thu Jun 16 10:48:37 2022 -0700

    mm: thp: kill transparent_hugepage_active()

    The transparent_hugepage_active() was introduced to show THP eligibility
    bit in smaps in proc, smaps is the only user.  But it actually does the
    similar check as hugepage_vma_check() which is used by khugepaged.  We
    definitely don't have to maintain two similar checks, so kill
    transparent_hugepage_active().

    This patch also fixed the wrong behavior for VM_NO_KHUGEPAGED vmas.

    Also move hugepage_vma_check() to huge_memory.c and huge_mm.h since it
    is not only for khugepaged anymore.

    Link: https://lkml.kernel.org/r/20220616174840.1202070-5-shy828301@gmail.com
    Signed-off-by: Yang Shi
    Reviewed-by: Zach O'Keefe
    Cc: Kirill A. Shutemov
    Cc: Matthew Wilcox
    Cc: Miaohe Lin
    Cc: Vlastimil Babka
    Signed-off-by: Andrew Morton

 fs/proc/task_mmu.c         |  2 +-
 include/linux/huge_mm.h    | 16 +++++++++------
 include/linux/khugepaged.h |  2 --
 mm/huge_memory.c           | 50 +++++++++++++++++++++++++++++++++++++---------
 mm/khugepaged.c            | 48 ++++----------------------------------------
 5 files changed, 56 insertions(+), 62 deletions(-)

culprit signature: 02f8aa2ed3da6695ac58f247e4e9c0cc7f7f089ee6d038b685c3cd613365b59c
parent signature: 5335c1e1a571ba301d26bffc61daedb8ae792aed2caccfdb8063a783b07e31c2
revisions tested: 17, total time: 4h2m16.299546565s (build: 1h53m17.437980852s, test: 2h7m11.96900166s)
first bad commit: 0a44ebaaa3f3ecfacd2744467957882eabd92cec mm: thp: kill transparent_hugepage_active()
recipients (to): ["akpm@linux-foundation.org" "shy828301@gmail.com" "zokeefe@google.com"]
recipients (cc): []
crash: KASAN: null-ptr-deref Read in hugepage_vma_check
==================================================================
BUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:71 [inline]
BUG: KASAN: null-ptr-deref in test_bit include/asm-generic/bitops/instrumented-non-atomic.h:134 [inline]
BUG: KASAN: null-ptr-deref in transhuge_vma_enabled include/linux/huge_mm.h:154 [inline]
BUG: KASAN: null-ptr-deref in hugepage_vma_check+0x59/0x600 mm/huge_memory.c:76
Read of size 8 at addr 00000000000005a8 by task syz-executor.0/4099

CPU: 1 PID: 4099 Comm: syz-executor.0 Not tainted 5.19.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x57/0x7d lib/dump_stack.c:106
 print_report mm/kasan/report.c:432 [inline]
 kasan_report.cold+0x61/0x1c6 mm/kasan/report.c:491
 check_region_inline mm/kasan/generic.c:183 [inline]
 kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
 instrument_atomic_read include/linux/instrumented.h:71 [inline]
 test_bit include/asm-generic/bitops/instrumented-non-atomic.h:134 [inline]
 transhuge_vma_enabled include/linux/huge_mm.h:154 [inline]
 hugepage_vma_check+0x59/0x600 mm/huge_memory.c:76
 show_smap+0x1a9/0x400 fs/proc/task_mmu.c:866
 traverse.part.0+0xbb/0x510 fs/seq_file.c:111
 traverse fs/seq_file.c:101 [inline]
 seq_read_iter+0x7a1/0x1040 fs/seq_file.c:195
 seq_read+0x294/0x410 fs/seq_file.c:162
 do_loop_readv_writev fs/read_write.c:763 [inline]
 do_loop_readv_writev fs/read_write.c:750 [inline]
 do_iter_read+0x3e7/0x690 fs/read_write.c:805
 vfs_readv+0xc3/0x130 fs/read_write.c:923
 do_preadv fs/read_write.c:1015 [inline]
 __do_sys_preadv fs/read_write.c:1065 [inline]
 __se_sys_preadv fs/read_write.c:1060 [inline]
 __x64_sys_preadv+0x1d1/0x290 fs/read_write.c:1060
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7efea0889109
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007efea19f2168 EFLAGS: 00000246 ORIG_RAX: 0000000000000127
RAX: ffffffffffffffda RBX: 00007efea099bf60 RCX: 00007efea0889109
RDX: 0000000000000001 RSI: 00000000200006c0 RDI: 0000000000000003
RBP: 00007efea08e305d R08: 0000000000000000 R09: 0000000000000000
R10: 00000000fffffffe R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffd5e070d5f R14: 00007efea19f2300 R15: 0000000000022000
==================================================================