bisecting cause commit starting from 442630f691a1537b7e0cc35e3d580222077549cb
building syzkaller on b1ebbfef72842354231950b0b33fed3170fc73b7
testing commit 442630f691a1537b7e0cc35e3d580222077549cb with gcc (GCC) 8.1.0
all runs: crashed: kernel BUG at include/linux/rmap.h:LINE!
testing release v5.3
testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.1.0
all runs: OK
# git bisect start 442630f691a1537b7e0cc35e3d580222077549cb v5.3
Bisecting: 8844 revisions left to test after this (roughly 13 steps)
[3c2edc36a77420d8be05d656019dbc8c31535992] Merge tag 'pinctrl-v5.4-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl
testing commit 3c2edc36a77420d8be05d656019dbc8c31535992 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 3c2edc36a77420d8be05d656019dbc8c31535992
Bisecting: 4398 revisions left to test after this (roughly 12 steps)
[cbafe18c71028d5e0ee1626b4776fea5d5824a78] Merge branch 'akpm' (patches from Andrew)
testing commit cbafe18c71028d5e0ee1626b4776fea5d5824a78 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good cbafe18c71028d5e0ee1626b4776fea5d5824a78
Bisecting: 2153 revisions left to test after this (roughly 11 steps)
[7ee1de23c170b0244e7245647dd2093a0b9ab26f] Merge remote-tracking branch 'hid/for-next'
testing commit 7ee1de23c170b0244e7245647dd2093a0b9ab26f with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 7ee1de23c170b0244e7245647dd2093a0b9ab26f
Bisecting: 986 revisions left to test after this (roughly 10 steps)
[86e5bd4e5fee91eadcbd0e86830318015d4ea361] Merge remote-tracking branch 'drm-misc/for-linux-next'
testing commit 86e5bd4e5fee91eadcbd0e86830318015d4ea361 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 86e5bd4e5fee91eadcbd0e86830318015d4ea361
Bisecting: 499 revisions left to test after this (roughly 9 steps)
[3c5c497f80342d746f8248eabb9b727ec65bba9e] Merge remote-tracking branch 'extcon/extcon-next'
testing commit 3c5c497f80342d746f8248eabb9b727ec65bba9e with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 3c5c497f80342d746f8248eabb9b727ec65bba9e
Bisecting: 231 revisions left to test after this (roughly 8 steps)
[ee8eb0d61dafe507a458989f17b790f4ebb900dd] Merge remote-tracking branch 'y2038/y2038'
testing commit ee8eb0d61dafe507a458989f17b790f4ebb900dd with gcc (GCC) 8.1.0
all runs: OK
# git bisect good ee8eb0d61dafe507a458989f17b790f4ebb900dd
Bisecting: 115 revisions left to test after this (roughly 7 steps)
[ded01609f8ce725db7fcb2e220d8bf3c2225320e] Documentation/checkpatch: prefer stracpy/strscpy over strcpy/strlcpy/strncpy.
testing commit ded01609f8ce725db7fcb2e220d8bf3c2225320e with gcc (GCC) 8.1.0
all runs: crashed: kernel BUG at include/linux/rmap.h:LINE!
# git bisect bad ded01609f8ce725db7fcb2e220d8bf3c2225320e
Bisecting: 57 revisions left to test after this (roughly 6 steps)
[482332f32f1014fe3c90e9d90f7dc0b2beef559a] mm/memunmap: don't access uninitialized memmap in memunmap_pages()
testing commit 482332f32f1014fe3c90e9d90f7dc0b2beef559a with gcc (GCC) 8.1.0
all runs: crashed: kernel BUG at include/linux/rmap.h:LINE!
# git bisect bad 482332f32f1014fe3c90e9d90f7dc0b2beef559a
Bisecting: 28 revisions left to test after this (roughly 5 steps)
[d126962f803d48429d709e7f3346b9d66c2a6ed9] ocfs2-protect-extent-tree-in-the-ocfs2_prepare_inode_for_write-checkpatch-fixes
testing commit d126962f803d48429d709e7f3346b9d66c2a6ed9 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good d126962f803d48429d709e7f3346b9d66c2a6ed9
Bisecting: 14 revisions left to test after this (roughly 4 steps)
[2df599903f450ab2f44998d003d4ab662e1ab44a] mm/mmap.c: remove a never-triggered warning in __vma_adjust()
testing commit 2df599903f450ab2f44998d003d4ab662e1ab44a with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 2df599903f450ab2f44998d003d4ab662e1ab44a
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[648a9b1c79874c51ef0446a7036c3192e6299163] mm/mmap.c: prev could be retrieved from vma->vm_prev
testing commit 648a9b1c79874c51ef0446a7036c3192e6299163 with gcc (GCC) 8.1.0
all runs: crashed: kernel BUG at include/linux/rmap.h:LINE!
# git bisect bad 648a9b1c79874c51ef0446a7036c3192e6299163
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[fbafc57dc756d1b88cad5fa0f3affac3aff39cd0] mm/mmap.c: fix the adjusted length error
testing commit fbafc57dc756d1b88cad5fa0f3affac3aff39cd0 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good fbafc57dc756d1b88cad5fa0f3affac3aff39cd0
Bisecting: 1 revision left to test after this (roughly 1 step)
[78ba35f5389a4dea7226c8a25e77d384c250958d] mm-rmapc-reuse-mergeable-anon_vma-as-parent-when-fork-fix
testing commit 78ba35f5389a4dea7226c8a25e77d384c250958d with gcc (GCC) 8.1.0
all runs: crashed: kernel BUG at include/linux/rmap.h:LINE!
# git bisect bad 78ba35f5389a4dea7226c8a25e77d384c250958d
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[480706f51e2c3a450d2f7fc10f5af215c9d249df] mm/rmap.c: reuse mergeable anon_vma as parent when forking
testing commit 480706f51e2c3a450d2f7fc10f5af215c9d249df with gcc (GCC) 8.1.0
all runs: crashed: kernel BUG at include/linux/rmap.h:LINE!
# git bisect bad 480706f51e2c3a450d2f7fc10f5af215c9d249df
480706f51e2c3a450d2f7fc10f5af215c9d249df is the first bad commit
commit 480706f51e2c3a450d2f7fc10f5af215c9d249df
Author: Wei Yang
Date:   Tue Oct 8 07:25:37 2019 +1100

    mm/rmap.c: reuse mergeable anon_vma as parent when forking

    In function __anon_vma_prepare(), we will try to find anon_vma if it is
    possible to reuse it. While on fork, the logic is different.

    Since commit 5beb49305251 ("mm: change anon_vma linking to fix
    multi-process server scalability issue"), function anon_vma_clone() tries
    to allocate new anon_vma for child process. But the logic here will
    allocate a new anon_vma for each vma, even in parent this vma is mergeable
    and share the same anon_vma with its sibling. This may do better for
    scalability issue, while it is not necessary to do so especially after
    interval tree is used.

    Commit 7a3ef208e662 ("mm: prevent endless growth of anon_vma hierarchy")
    tries to reuse some anon_vma by counting child anon_vma and attached vmas.
    While for those mergeable anon_vmas, we can just reuse it and not
    necessary to go through the logic.

    After this change, kernel build test reduces 20% anon_vma allocation.

    Do the same kernel build test and record time:

    Original

    real 2m50.467s
    user 17m52.002s
    sys 1m51.953s

    real 2m48.662s
    user 17m55.464s
    sys 1m50.553s

    real 2m51.143s
    user 17m59.687s
    sys 1m53.600s

    Patched

    real 2m43.733s
    user 17m25.705s
    sys 1m41.791s

    real 2m47.146s
    user 17m47.451s
    sys 1m43.474s

    real 2m45.763s
    user 17m38.230s
    sys 1m42.102s

    System time is reduced by 8.5%.

    Link: http://lkml.kernel.org/r/20191004160632.30251-1-richardw.yang@linux.intel.com
    Signed-off-by: Wei Yang
    Acked-by: Konstantin Khlebnikov
    Acked-by: Rik van Riel
    Cc: Kirill A. Shutemov
    Cc: Mike Kravetz
    Cc: Matthew Wilcox
    Signed-off-by: Andrew Morton
    Signed-off-by: Stephen Rothwell

:040000 040000 2ccf639f7568b130ad11aa9997284d472a395dce 3e5be633f36ba40a3a9bf31edde31c0128a632d8 M mm

revisions tested: 16, total time: 3h44m2.437787329s (build: 1h33m33.531203283s, test: 2h4m37.733984774s)
first bad commit: 480706f51e2c3a450d2f7fc10f5af215c9d249df mm/rmap.c: reuse mergeable anon_vma as parent when forking
cc: ["akpm@linux-foundation.org" "khlebnikov@yandex-team.ru" "kirill.shutemov@linux.intel.com" "mike.kravetz@oracle.com" "richardw.yang@linux.intel.com" "riel@surriel.com" "sfr@canb.auug.org.au" "willy@infradead.org"]
crash: kernel BUG at include/linux/rmap.h:LINE!

pgoff 20000 file 0000000000000000 private_data 0000000000000000
flags: 0x8100077(read|write|exec|mayread|maywrite|mayexec|account|softdirty)
------------[ cut here ]------------
kernel BUG at include/linux/rmap.h:159!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 7548 Comm: syz-executor.2 Not tainted 5.4.0-rc2+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:anon_vma_merge include/linux/rmap.h:159 [inline]
RIP: 0010:__vma_adjust+0x1244/0x1aa0 mm/mmap.c:944
Code: fe ff ff 48 8b 45 b8 48 c1 e8 03 42 80 3c 30 00 0f 85 d1 07 00 00 48 8b 45 b8 4c 89 28 e9 93 fc ff ff 4c 89 e7 e8 03 2e fd ff <0f> 0b 48 8b 85 78 ff ff ff 80 38 00 0f 85 b9 07 00 00 48 8b 45 b8
RSP: 0018:ffff88808053f9c0 EFLAGS: 00010286
RAX: 0000000000000147 RBX: ffff88808048bc60 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffffff89dcd0e0
RBP: ffff88808053fa90 R08: ffffed1015d46159 R09: ffffed1015d46159
R10: ffffed1015d46158 R11: ffff8880aea30ac7 R12: ffff8880a5a4f988
R13: ffff8880804f7f00 R14: dffffc0000000000 R15: ffff8880a5a4f9f0
FS: 00007f1460a99700(0000) GS:ffff8880aea00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020d06000 CR3: 00000000a3ac7000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 vma_merge+0x93d/0x1510 mm/mmap.c:1192
 mmap_region+0x2ed/0x1480 mm/mmap.c:1764
 do_mmap+0x61e/0xfc0 mm/mmap.c:1575
 do_mmap_pgoff include/linux/mm.h:2361 [inline]
 vm_mmap_pgoff+0x195/0x210 mm/util.c:496
 ksys_mmap_pgoff+0xa4/0x650 mm/mmap.c:1627
 __do_sys_mmap arch/x86/kernel/sys_x86_64.c:100 [inline]
 __se_sys_mmap arch/x86/kernel/sys_x86_64.c:91 [inline]
 __x64_sys_mmap+0xe9/0x1b0 arch/x86/kernel/sys_x86_64.c:91
 do_syscall_64+0xca/0x5d0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x459a59
Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f1460a98c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 0000000000459a59
RDX: ffffffffefffffff RSI: 0000000000004000 RDI: 0000000020196000
RBP: 000000000075bf20 R08: ffffffffffffffff R09: 0000000000000000
R10: 0000000000008032 R11: 0000000000000246 R12: 00007f1460a996d4
R13: 00000000004c6176 R14: 00000000004db118 R15: 00000000ffffffff
Modules linked in:
---[ end trace 4727e214cc608a52 ]---
RIP: 0010:anon_vma_merge include/linux/rmap.h:159 [inline]
RIP: 0010:__vma_adjust+0x1244/0x1aa0 mm/mmap.c:944
Code: fe ff ff 48 8b 45 b8 48 c1 e8 03 42 80 3c 30 00 0f 85 d1 07 00 00 48 8b 45 b8 4c 89 28 e9 93 fc ff ff 4c 89 e7 e8 03 2e fd ff <0f> 0b 48 8b 85 78 ff ff ff 80 38 00 0f 85 b9 07 00 00 48 8b 45 b8
RSP: 0018:ffff88808053f9c0 EFLAGS: 00010286
RAX: 0000000000000147 RBX: ffff88808048bc60 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffffff89dcd0e0
RBP: ffff88808053fa90 R08: ffffed1015d46159 R09: ffffed1015d46159
R10: ffffed1015d46158 R11: ffff8880aea30ac7 R12: ffff8880a5a4f988
R13: ffff8880804f7f00 R14: dffffc0000000000 R15: ffff8880a5a4f9f0
FS: 00007f1460a99700(0000) GS:ffff8880aeb00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffef0286bd0 CR3: 00000000a3ac7000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400