bisecting cause commit starting from 6012273897fefb12566580efedee10bb06e5e6ed
building syzkaller on 1719ee24e741afb177677e9644f1c74aef1060fb
testing commit 6012273897fefb12566580efedee10bb06e5e6ed
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: d35b4db1aef8979646570c6e669c5a48c5f7f9f12680f9d7b172d6d5e4edabfd
run #0: crashed: kernel BUG in binder_alloc_deferred_release
run #1: crashed: kernel BUG in binder_alloc_deferred_release
run #2: basic kernel testing failed: BUG: program execution failed: executor NUM: failed to write control pipe: write |NUM: broken pipe
run #3: crashed: kernel BUG in binder_alloc_deferred_release
run #4: crashed: kernel BUG in binder_alloc_deferred_release
run #5: crashed: kernel BUG in binder_alloc_deferred_release
run #6: crashed: kernel BUG in binder_alloc_deferred_release
run #7: crashed: kernel BUG in binder_alloc_deferred_release
run #8: crashed: kernel BUG in binder_alloc_deferred_release
run #9: crashed: kernel BUG in binder_alloc_deferred_release
run #10: crashed: kernel BUG in binder_alloc_deferred_release
run #11: crashed: kernel BUG in binder_alloc_deferred_release
run #12: crashed: kernel BUG in binder_alloc_deferred_release
run #13: crashed: kernel BUG in binder_alloc_deferred_release
run #14: crashed: kernel BUG in binder_alloc_deferred_release
run #15: crashed: kernel BUG in binder_alloc_deferred_release
run #16: crashed: kernel BUG in binder_alloc_deferred_release
run #17: crashed: kernel BUG in binder_alloc_deferred_release
run #18: crashed: kernel BUG in binder_alloc_deferred_release
run #19: crashed: kernel BUG in binder_alloc_deferred_release
testing release v5.18
testing commit 4b0986a3613c92f4ec1bdc7f60ec66fea135991f
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: a2850c602aae1678e4ff16b0d6f73786a65eb2a31cb1935f0c8ad66fdeb13622
all runs: OK
# git bisect start 6012273897fefb12566580efedee10bb06e5e6ed 4b0986a3613c92f4ec1bdc7f60ec66fea135991f
Bisecting: 8985 revisions left to test after this (roughly 13 steps)
[ecf0aa5317b0ad6bb015128a5b763c954fd58708] Merge tag 'arm-multiplatform-5.19-1' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc

testing commit ecf0aa5317b0ad6bb015128a5b763c954fd58708
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 787470891b5a61cd8d17ebabed2b867dbc68bdda09aa1afe106051860ef61e62
all runs: OK
# git bisect good ecf0aa5317b0ad6bb015128a5b763c954fd58708
Bisecting: 4485 revisions left to test after this (roughly 12 steps)
[6f9b5ed8caddfbc94af8307c557ed57a8ec5c65c] Merge tag 'char-misc-5.19-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc

testing commit 6f9b5ed8caddfbc94af8307c557ed57a8ec5c65c
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 900286704ffc4d7c31b616f27cc972927f552737d435b5d579538e536b684569
run #0: boot failed: INFO: task hung in add_early_randomness
run #1: boot failed: INFO: task hung in add_early_randomness
run #2: boot failed: INFO: task hung in add_early_randomness
run #3: boot failed: INFO: task hung in add_early_randomness
run #4: boot failed: INFO: task hung in add_early_randomness
run #5: boot failed: INFO: task hung in add_early_randomness
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good 6f9b5ed8caddfbc94af8307c557ed57a8ec5c65c
Bisecting: 2278 revisions left to test after this (roughly 11 steps)
[9dee097b6e618047258305cd9409c6988b62051d] Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git

testing commit 9dee097b6e618047258305cd9409c6988b62051d
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 680430996519a2abaddb31c433c9805cd74a37add9c6f38f117eda17f208b419
all runs: OK
# git bisect good 9dee097b6e618047258305cd9409c6988b62051d
Bisecting: 1047 revisions left to test after this (roughly 10 steps)
[b901bbbc6d72937bbebc0e5a8ef184c0c2640143] Merge branch 'next' of git://git.kernel.org/pub/scm/virt/kvm/kvm.git

testing commit b901bbbc6d72937bbebc0e5a8ef184c0c2640143
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 5b3eceb4e3071a4fafdda484547a605f12e6369dbf83d65b259bbe7ac9e1bc64
all runs: OK
# git bisect good b901bbbc6d72937bbebc0e5a8ef184c0c2640143
Bisecting: 528 revisions left to test after this (roughly 9 steps)
[5bb4dddc4352ead9fbe7deb4853b529ab8a20b65] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup.git

testing commit 5bb4dddc4352ead9fbe7deb4853b529ab8a20b65
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: e6b95d687b1243e5ef7b639d4fae69e6ffeed6ad401ad34ed0443e4ade83a021
all runs: OK
# git bisect good 5bb4dddc4352ead9fbe7deb4853b529ab8a20b65
Bisecting: 261 revisions left to test after this (roughly 8 steps)
[9d27f2f1487a84c93a4fab1b9f577999c9c33723] Merge branch 'mm-nonmm-unstable' into mm-everything

testing commit 9d27f2f1487a84c93a4fab1b9f577999c9c33723
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 3f4afe2ce65ac6890ae55413aa11b90fc0fabb74cfeb6dd5629306711dbb0b35
all runs: crashed: kernel BUG in binder_alloc_deferred_release
# git bisect bad 9d27f2f1487a84c93a4fab1b9f577999c9c33723
Bisecting: 133 revisions left to test after this (roughly 7 steps)
[83b0383613b9d9d6b8c79f65289907872e703295] mm: shrinkers: add scan interface for shrinker debugfs

testing commit 83b0383613b9d9d6b8c79f65289907872e703295
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: b06eb5b26953497faa0ac845741a0b8ac02e13a8604b1d56159a0a8dd6d6601b
run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: exit status NUM
run #1: crashed: kernel BUG in binder_alloc_deferred_release
run #2: crashed: kernel BUG in binder_alloc_deferred_release
run #3: crashed: kernel BUG in binder_alloc_deferred_release
run #4: crashed: kernel BUG in binder_alloc_deferred_release
run #5: crashed: kernel BUG in binder_alloc_deferred_release
run #6: crashed: kernel BUG in binder_alloc_deferred_release
run #7: crashed: kernel BUG in binder_alloc_deferred_release
run #8: crashed: kernel BUG in binder_alloc_deferred_release
run #9: crashed: kernel BUG in binder_alloc_deferred_release
# git bisect bad 83b0383613b9d9d6b8c79f65289907872e703295
Bisecting: 66 revisions left to test after this (roughly 6 steps)
[a581451a449a14682a66d27506e0b821d0124b48] sched: use maple tree iterator to walk VMAs

testing commit a581451a449a14682a66d27506e0b821d0124b48
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 0a0dd0b2cab8c148def7974019e20720f88b9aff2af13e23c146c60d8a2c68c1
run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: failed to write control pipe: write |NUM: broken pipe
run #1: crashed: kernel BUG in binder_alloc_deferred_release
run #2: crashed: kernel BUG in binder_alloc_deferred_release
run #3: crashed: kernel BUG in binder_alloc_deferred_release
run #4: crashed: kernel BUG in binder_alloc_deferred_release
run #5: crashed: kernel BUG in binder_alloc_deferred_release
run #6: crashed: kernel BUG in binder_alloc_deferred_release
run #7: crashed: kernel BUG in binder_alloc_deferred_release
run #8: crashed: kernel BUG in binder_alloc_deferred_release
run #9: crashed: kernel BUG in binder_alloc_deferred_release
# git bisect bad a581451a449a14682a66d27506e0b821d0124b48
Bisecting: 32 revisions left to test after this (roughly 5 steps)
[54f2ba0991154263319fa7571af377d71dff81f8] xen: use vma_lookup() in privcmd_ioctl_mmap()

testing commit 54f2ba0991154263319fa7571af377d71dff81f8
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: b6b24426d33cdbac1433adaa047c4c7fd923b52179a4be550b894aa51b8de21e
all runs: crashed: kernel BUG in binder_alloc_deferred_release
# git bisect bad 54f2ba0991154263319fa7571af377d71dff81f8
Bisecting: 16 revisions left to test after this (roughly 4 steps)
[f10059e8ae13bc52cbc3ad1ea7320cfd27f17894] radix tree test suite: add lockdep_is_held to header

testing commit f10059e8ae13bc52cbc3ad1ea7320cfd27f17894
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 5f64986cf26ee42aac65e1b9289f3246bb0d4024d603413704d2b5f5e9e3e5ea
all runs: OK
# git bisect good f10059e8ae13bc52cbc3ad1ea7320cfd27f17894
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[af55b23c986c52b8c932d42eb45af6003c6ad3f0] mm/mmap: use the maple tree in find_vma() instead of the rbtree.

testing commit af55b23c986c52b8c932d42eb45af6003c6ad3f0
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 559a90f02d40795e119114b7ee18f37f46e0d1148cbc5407f7b6ac73f60f94ff
all runs: crashed: kernel BUG in binder_alloc_deferred_release
# git bisect bad af55b23c986c52b8c932d42eb45af6003c6ad3f0
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[a9c6edbd93f4fd94987dfe0549c0455f13644443] mapletree: build fix

testing commit a9c6edbd93f4fd94987dfe0549c0455f13644443
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: ceffab90e988c2cae8027062cca185566b1e316defab7c88fc5cddafa35364e1
all runs: crashed: kernel BUG in binder_alloc_deferred_release
# git bisect bad a9c6edbd93f4fd94987dfe0549c0455f13644443
Bisecting: 1 revision left to test after this (roughly 1 step)
[a9885c9dae02038e5e6dfba57f42a03ec950c78f] test_maple_tree: add null expansion tests

testing commit a9885c9dae02038e5e6dfba57f42a03ec950c78f
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 9091056ed467d45ae90c0490a7ece4bcb28e2b018853080b0eaa7b7ecdbead58
all runs: OK
# git bisect good a9885c9dae02038e5e6dfba57f42a03ec950c78f
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[42086abba43463fbf495cb80173600284b4c4e8c] mm: start tracking VMAs with maple tree

testing commit 42086abba43463fbf495cb80173600284b4c4e8c
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 226b6660d6bdf7cdec6b2f013d63606516e85cae14a29325ebd8028928ac61f6
all runs: crashed: kernel BUG in binder_alloc_deferred_release
# git bisect bad 42086abba43463fbf495cb80173600284b4c4e8c
42086abba43463fbf495cb80173600284b4c4e8c is the first bad commit
commit 42086abba43463fbf495cb80173600284b4c4e8c
Author: Liam R. Howlett <Liam.Howlett@Oracle.com>
Date:   Tue Jun 14 12:00:27 2022 -0700

    mm: start tracking VMAs with maple tree
    
    Start tracking the VMAs with the new maple tree structure in parallel with
    the rb_tree.  Add debug and trace events for maple tree operations and
    duplicate the rb_tree that is created on forks into the maple tree.
    
    The maple tree is added to the mm_struct including the mm_init struct,
    added support in required mm/mmap functions, added tracking in kernel/fork
    for process forking, and used to find the unmapped_area and checked
    against what the rbtree finds.
    
    This also moves the mmap_lock() in exit_mmap() since the oom reaper call
    does walk the VMAs.  Otherwise lockdep will be unhappy if oom happens.
    
    Link: https://lkml.kernel.org/r/20220504010716.661115-10-Liam.Howlett@oracle.com
    Signed-off-by: Liam R. Howlett <Liam.Howlett@Oracle.com>
    Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
    Cc: Catalin Marinas <catalin.marinas@arm.com>
    Cc: David Howells <dhowells@redhat.com>
    Cc: SeongJae Park <sj@kernel.org>
    Cc: Vlastimil Babka <vbabka@suse.cz>
    Cc: Will Deacon <will@kernel.org>
    Cc: Davidlohr Bueso <dave@stgolabs.net>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>

 arch/x86/kernel/tboot.c     |   1 +
 drivers/firmware/efi/efi.c  |   1 +
 include/linux/mm.h          |   2 +
 include/linux/mm_types.h    |   3 +
 include/trace/events/mmap.h |  73 ++++++++++
 kernel/fork.c               |  20 ++-
 mm/init-mm.c                |   2 +
 mm/mmap.c                   | 318 ++++++++++++++++++++++++++++++++++++++++----
 8 files changed, 394 insertions(+), 26 deletions(-)

culprit signature: 226b6660d6bdf7cdec6b2f013d63606516e85cae14a29325ebd8028928ac61f6
parent  signature: 9091056ed467d45ae90c0490a7ece4bcb28e2b018853080b0eaa7b7ecdbead58
revisions tested: 16, total time: 3h45m15.040128072s (build: 1h47m29.556103959s, test: 1h55m59.985523294s)
first bad commit: 42086abba43463fbf495cb80173600284b4c4e8c mm: start tracking VMAs with maple tree
recipients (to): ["akpm@linux-foundation.org" "liam.howlett@oracle.com" "willy@infradead.org"]
recipients (cc): []
crash: kernel BUG in binder_alloc_deferred_release
IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
------------[ cut here ]------------
kernel BUG at drivers/android/binder_alloc.c:820!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 27 Comm: kworker/1:1 Not tainted 5.19.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/13/2022
Workqueue: events binder_deferred_func
RIP: 0010:binder_alloc_deferred_release+0x4c7/0x690 drivers/android/binder_alloc.c:820
Code: 48 c7 c6 40 51 f9 89 48 c7 c7 00 6d 7c 8c e8 30 34 4a fd 85 c0 0f 85 5a 9c 1e 02 48 83 c4 40 5b 5d 41 5c 41 5d 41 5e 41 5f c3 <0f> 0b c7 44 24 10 00 00 00 00 e9 5f ff ff ff 48 89 ef e8 b2 c7 bc
RSP: 0018:ffffc90000a2fbd8 EFLAGS: 00010282
RAX: dffffc0000000000 RBX: ffff88801e88b9e0 RCX: 0000000000000000
RDX: 1ffff11003d1174e RSI: ffffffff890bc120 RDI: ffff88801e88ba70
RBP: ffff88801e88b800 R08: 0000000000000000 R09: ffffffff8cebe057
R10: fffffbfff19d7c0a R11: 0000000000000000 R12: ffff88801e88bad8
R13: ffff88806da35d10 R14: ffff88801e88b858 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f31f5b42ff8 CR3: 000000002111d000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 binder_free_proc drivers/android/binder.c:4766 [inline]
 binder_proc_dec_tmpref drivers/android/binder.c:1433 [inline]
 binder_proc_dec_tmpref+0x21e/0x420 drivers/android/binder.c:1426
 binder_deferred_release drivers/android/binder.c:5761 [inline]
 binder_deferred_func+0xc30/0xfc0 drivers/android/binder.c:5788
 process_one_work+0x865/0x13d0 kernel/workqueue.c:2289
 worker_thread+0x598/0xec0 kernel/workqueue.c:2436
 kthread+0x299/0x340 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:binder_alloc_deferred_release+0x4c7/0x690 drivers/android/binder_alloc.c:820
Code: 48 c7 c6 40 51 f9 89 48 c7 c7 00 6d 7c 8c e8 30 34 4a fd 85 c0 0f 85 5a 9c 1e 02 48 83 c4 40 5b 5d 41 5c 41 5d 41 5e 41 5f c3 <0f> 0b c7 44 24 10 00 00 00 00 e9 5f ff ff ff 48 89 ef e8 b2 c7 bc
RSP: 0018:ffffc90000a2fbd8 EFLAGS: 00010282
RAX: dffffc0000000000 RBX: ffff88801e88b9e0 RCX: 0000000000000000
RDX: 1ffff11003d1174e RSI: ffffffff890bc120 RDI: ffff88801e88ba70
RBP: ffff88801e88b800 R08: 0000000000000000 R09: ffffffff8cebe057
R10: fffffbfff19d7c0a R11: 0000000000000000 R12: ffff88801e88bad8
R13: ffff88806da35d10 R14: ffff88801e88b858 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f31f5b42ff8 CR3: 0000000025ab9000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400