bisecting cause commit starting from 7e63420847ae5f1036e4f7c42f0b3282e73efbc2
building syzkaller on 99a9604483616177d7cd7d3e092ce42a3eaff74a
testing commit 7e63420847ae5f1036e4f7c42f0b3282e73efbc2 with gcc (GCC) 8.1.0
kernel signature: 7575e32662a179041aebc5a8c0534a009d1a99324e4eb857d84f9b16a3c75112
all runs: crashed: WARNING: bad unlock balance in __get_user_pages_remote
testing release v5.6
testing commit 7111951b8d4973bda27ff663f2cf18b663d15b48 with gcc (GCC) 8.1.0
kernel signature: 237984b5b110da05cfb505a5b427a47a9986f5cd26e91ff57913792fb6898a1b
all runs: OK
# git bisect start 7e63420847ae5f1036e4f7c42f0b3282e73efbc2 7111951b8d4973bda27ff663f2cf18b663d15b48
Bisecting: 5723 revisions left to test after this (roughly 13 steps)
[98f3b56fa62a61f1d4d6a5fdd035f0b03be1e93f] kasan: add test for invalid size in memmove
testing commit 98f3b56fa62a61f1d4d6a5fdd035f0b03be1e93f with gcc (GCC) 8.1.0
kernel signature: 9be8cb775008928a72cff8e17c21877e6a17d8dc2fffe6455c07a22aaf300255
all runs: crashed: WARNING: bad unlock balance in __get_user_pages_remote
# git bisect bad 98f3b56fa62a61f1d4d6a5fdd035f0b03be1e93f
Bisecting: 2859 revisions left to test after this (roughly 12 steps)
[645c248d6fc4350562766fefd8ba1d7defe4b5e7] Merge tag '5.7-rc-smb3-fixes-part1' of git://git.samba.org/sfrench/cifs-2.6
testing commit 645c248d6fc4350562766fefd8ba1d7defe4b5e7 with gcc (GCC) 8.1.0
kernel signature: 5e03e6a7d988faea97197f13c2147bcd32c8528924438ad585de49bf92e33515
all runs: OK
# git bisect good 645c248d6fc4350562766fefd8ba1d7defe4b5e7
Bisecting: 1429 revisions left to test after this (roughly 11 steps)
[24ee86511b01f73a1ef1dd8a8a2e685e5ec03bfe] Merge branch 'nfp-type'
testing commit 24ee86511b01f73a1ef1dd8a8a2e685e5ec03bfe with gcc (GCC) 8.1.0
kernel signature: e643d831b69422cd5a5e56c54656cc7d51bcabbf0a58923e6ab7b81a04df5bea
run #0: OK
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: boot failed: can't ssh into the instance
# git bisect good 24ee86511b01f73a1ef1dd8a8a2e685e5ec03bfe
Bisecting: 714 revisions left to test after this (roughly 10 steps)
[2a8c2c1a0264ebf80787f53d7aa8c661b336a07f] ionic: move debugfs add/delete to match alloc/free
testing commit 2a8c2c1a0264ebf80787f53d7aa8c661b336a07f with gcc (GCC) 8.1.0
kernel signature: de7d3f21e8ac38a2f1f973b9d7711d021e2991ff37b7dd0bbc498ec8d39c0716
all runs: OK
# git bisect good 2a8c2c1a0264ebf80787f53d7aa8c661b336a07f
Bisecting: 323 revisions left to test after this (roughly 9 steps)
[dba43fc4ba2fed63e898867fa973c69c37623939] Merge tag 'platform-drivers-x86-v5.7-1' of git://git.infradead.org/linux-platform-drivers-x86
testing commit dba43fc4ba2fed63e898867fa973c69c37623939 with gcc (GCC) 8.1.0
kernel signature: 576174fa34877c28b4042e3d55f825a39a806d4a292d3320ec65e00b20b806ce
all runs: OK
# git bisect good dba43fc4ba2fed63e898867fa973c69c37623939
Bisecting: 161 revisions left to test after this (roughly 7 steps)
[60d79ab33c4cc3c7b563cadea9e5bcf43e6e3951] Merge branch 'net-dsa-b53-and-bcm_sf2-updates-for-7278'
testing commit 60d79ab33c4cc3c7b563cadea9e5bcf43e6e3951 with gcc (GCC) 8.1.0
kernel signature: b1de16d98cf273381575cbe550233e3a8aee1ae6d776681f85372913a017b0ff
all runs: OK
# git bisect good 60d79ab33c4cc3c7b563cadea9e5bcf43e6e3951
Bisecting: 80 revisions left to test after this (roughly 6 steps)
[0f8e2db4ead59a79db4cd79d978f8a3cf85e870c] mm/filemap.c: remove unused argument from shrink_readahead_size_eio()
testing commit 0f8e2db4ead59a79db4cd79d978f8a3cf85e870c with gcc (GCC) 8.1.0
kernel signature: 39c8c51ee783714d945ac98a883ace8a647247071ece2e3796c977544511be62
all runs: OK
# git bisect good 0f8e2db4ead59a79db4cd79d978f8a3cf85e870c
Bisecting: 40 revisions left to test after this (roughly 5 steps)
[8965aa28cdf0e5c25b44c9da0f0fbb49c4c0d7a0] memcg: css_tryget_online cleanups
testing commit 8965aa28cdf0e5c25b44c9da0f0fbb49c4c0d7a0 with gcc (GCC) 8.1.0
kernel signature: 7abce55b520f681251dc2dbdc432286b4dad657254e1c473d70f7b165bea7aea
all runs: OK
# git bisect good 8965aa28cdf0e5c25b44c9da0f0fbb49c4c0d7a0
Bisecting: 20 revisions left to test after this (roughly 4 steps)
[c9a0dad162014182867f81b28bb7a4b691d65595] powerpc/mm: use helper fault_signal_pending()
testing commit c9a0dad162014182867f81b28bb7a4b691d65595 with gcc (GCC) 8.1.0
kernel signature: 1bedb07d151ad942ffe00a721432aa85a1e2d1e11014b418973155ae76da7138
all runs: OK
# git bisect good c9a0dad162014182867f81b28bb7a4b691d65595
Bisecting: 10 revisions left to test after this (roughly 3 steps)
[86a76331d94c4cfa72fe1831dbe4b492f66fdb81] mm: clarify a confusing comment for remap_pfn_range()
testing commit 86a76331d94c4cfa72fe1831dbe4b492f66fdb81 with gcc (GCC) 8.1.0
kernel signature: 3fbf6a096232ec7d858b95451599c5349074423b5b78166a19231d16a2246a67
all runs: crashed: WARNING: bad unlock balance in __get_user_pages_remote
# git bisect bad 86a76331d94c4cfa72fe1831dbe4b492f66fdb81
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[c270a7eedcf278304e05ebd2c96807487c97db61] mm: introduce FAULT_FLAG_INTERRUPTIBLE
testing commit c270a7eedcf278304e05ebd2c96807487c97db61 with gcc (GCC) 8.1.0
kernel signature: 6bf075da69d0288d314384332a73fc34416ac6f4b97531c19752dd85978d339f
all runs: OK
# git bisect good c270a7eedcf278304e05ebd2c96807487c97db61
Bisecting: 2 revisions left to test after this (roughly 1 step)
[4426e945df588f2878affddf88a51259200f7e29] mm/gup: allow VM_FAULT_RETRY for multiple times
testing commit 4426e945df588f2878affddf88a51259200f7e29 with gcc (GCC) 8.1.0
kernel signature: dd0d7d013710857d812c5f559959f7e8d93b831b2d13d9124a04aa1f74daab20
all runs: OK
# git bisect good 4426e945df588f2878affddf88a51259200f7e29
Bisecting: 0 revisions left to test after this (roughly 1 step)
[3e69ad081c18d138fc7fd0f1ceef3b055ab10549] mm/userfaultfd: honor FAULT_FLAG_KILLABLE in fault path
testing commit 3e69ad081c18d138fc7fd0f1ceef3b055ab10549 with gcc (GCC) 8.1.0
kernel signature: b8669fb96a5a14f24731afc10798eab6acf59d835e3d58eda311aa1923822611
all runs: crashed: WARNING: bad unlock balance in __get_user_pages_remote
# git bisect bad 3e69ad081c18d138fc7fd0f1ceef3b055ab10549
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[71335f37c5e8ec9225285206f7f875057b9737ad] mm/gup: allow to react to fatal signals
testing commit 71335f37c5e8ec9225285206f7f875057b9737ad with gcc (GCC) 8.1.0
kernel signature: 564d862b6b05b91d7ceda9dd6f90784c30e7834e21dd51a140294af55bf58998
all runs: crashed: WARNING: bad unlock balance in __get_user_pages_remote
# git bisect bad 71335f37c5e8ec9225285206f7f875057b9737ad
71335f37c5e8ec9225285206f7f875057b9737ad is the first bad commit
commit 71335f37c5e8ec9225285206f7f875057b9737ad
Author: Peter Xu <peterx@redhat.com>
Date:   Wed Apr 1 21:08:53 2020 -0700

    mm/gup: allow to react to fatal signals
    
    The existing gup code does not react to the fatal signals in many code
    paths.  For example, in one retry path of gup we're still using
    down_read() rather than down_read_killable().  Also, when doing page
    faults we don't pass in FAULT_FLAG_KILLABLE as well, which means that
    within the faulting process we'll wait in non-killable way as well.  These
    were spotted by Linus during the code review of some other patches.
    
    Let's allow the gup code to react to fatal signals to improve the
    responsiveness of threads when during gup and being killed.
    
    Signed-off-by: Peter Xu <peterx@redhat.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Tested-by: Brian Geffon <bgeffon@google.com>
    Cc: Andrea Arcangeli <aarcange@redhat.com>
    Cc: Bobby Powers <bobbypowers@gmail.com>
    Cc: David Hildenbrand <david@redhat.com>
    Cc: Denis Plotnikov <dplotnikov@virtuozzo.com>
    Cc: "Dr . David Alan Gilbert" <dgilbert@redhat.com>
    Cc: Hugh Dickins <hughd@google.com>
    Cc: Jerome Glisse <jglisse@redhat.com>
    Cc: Johannes Weiner <hannes@cmpxchg.org>
    Cc: "Kirill A . Shutemov" <kirill@shutemov.name>
    Cc: Martin Cracauer <cracauer@cons.org>
    Cc: Marty McFadden <mcfadden8@llnl.gov>
    Cc: Matthew Wilcox <willy@infradead.org>
    Cc: Maya Gokhale <gokhale2@llnl.gov>
    Cc: Mel Gorman <mgorman@suse.de>
    Cc: Mike Kravetz <mike.kravetz@oracle.com>
    Cc: Mike Rapoport <rppt@linux.vnet.ibm.com>
    Cc: Pavel Emelyanov <xemul@openvz.org>
    Link: http://lkml.kernel.org/r/20200220160256.9887-1-peterx@redhat.com
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 mm/gup.c     | 12 +++++++++---
 mm/hugetlb.c |  3 ++-
 2 files changed, 11 insertions(+), 4 deletions(-)
culprit signature: 564d862b6b05b91d7ceda9dd6f90784c30e7834e21dd51a140294af55bf58998
parent  signature: dd0d7d013710857d812c5f559959f7e8d93b831b2d13d9124a04aa1f74daab20
revisions tested: 16, total time: 3h44m51.128104565s (build: 1h36m36.221211671s, test: 2h7m12.420456751s)
first bad commit: 71335f37c5e8ec9225285206f7f875057b9737ad mm/gup: allow to react to fatal signals
cc: ["akpm@linux-foundation.org" "bgeffon@google.com" "peterx@redhat.com" "torvalds@linux-foundation.org"]
crash: WARNING: bad unlock balance in __get_user_pages_remote
=====================================
WARNING: bad unlock balance detected!
5.6.0-syzkaller #0 Not tainted
-------------------------------------
syz-executor.3/8510 is trying to release lock (&mm->mmap_sem) at:
[<ffffffff818ddd1f>] __get_user_pages_locked mm/gup.c:1366 [inline]
[<ffffffff818ddd1f>] __get_user_pages_remote+0x33f/0x430 mm/gup.c:1831
but there are no more locks to release!

other info that might help us debug this:
no locks held by syz-executor.3/8510.

stack backtrace:
CPU: 0 PID: 8510 Comm: syz-executor.3 Not tainted 5.6.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x128/0x182 lib/dump_stack.c:118
 __lock_release kernel/locking/lockdep.c:4633 [inline]
 lock_release+0x5aa/0x7f0 kernel/locking/lockdep.c:4941
 up_read+0x79/0x740 kernel/locking/rwsem.c:1573
 __get_user_pages_locked mm/gup.c:1366 [inline]
 __get_user_pages_remote+0x33f/0x430 mm/gup.c:1831
 process_vm_rw_single_vec mm/process_vm_access.c:108 [inline]
 process_vm_rw_core.isra.1+0x3a9/0x7a0 mm/process_vm_access.c:218
 process_vm_rw+0x1be/0x1f0 mm/process_vm_access.c:286
 __do_sys_process_vm_writev mm/process_vm_access.c:308 [inline]
 __se_sys_process_vm_writev mm/process_vm_access.c:303 [inline]
 __x64_sys_process_vm_writev+0xda/0x1b0 mm/process_vm_access.c:303
 do_syscall_64+0xc6/0x620 arch/x86/entry/common.c:295
 entry_SYSCALL_64_after_hwframe+0x49/0xb3
RIP: 0033:0x45c879
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fecdeeecc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000137
RAX: ffffffffffffffda RBX: 00007fecdeeed6d4 RCX: 000000000045c879
RDX: 0000000000000001 RSI: 0000000020c22000 RDI: 0000000000000004
RBP: 000000000076bf00 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000020c22fa0 R11: 0000000000000246 R12: 00000000ffffffff
R13: 000000000000085d R14: 00000000004cb1ee R15: 000000000076bf0c