bisecting cause commit starting from 6012273897fefb12566580efedee10bb06e5e6ed building syzkaller on 1719ee24e741afb177677e9644f1c74aef1060fb testing commit 6012273897fefb12566580efedee10bb06e5e6ed compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: d35b4db1aef8979646570c6e669c5a48c5f7f9f12680f9d7b172d6d5e4edabfd run #0: crashed: kernel BUG in binder_alloc_deferred_release run #1: crashed: kernel BUG in binder_alloc_deferred_release run #2: basic kernel testing failed: BUG: program execution failed: executor NUM: failed to write control pipe: write |NUM: broken pipe run #3: crashed: kernel BUG in binder_alloc_deferred_release run #4: crashed: kernel BUG in binder_alloc_deferred_release run #5: crashed: kernel BUG in binder_alloc_deferred_release run #6: crashed: kernel BUG in binder_alloc_deferred_release run #7: crashed: kernel BUG in binder_alloc_deferred_release run #8: crashed: kernel BUG in binder_alloc_deferred_release run #9: crashed: kernel BUG in binder_alloc_deferred_release run #10: crashed: kernel BUG in binder_alloc_deferred_release run #11: crashed: kernel BUG in binder_alloc_deferred_release run #12: crashed: kernel BUG in binder_alloc_deferred_release run #13: crashed: kernel BUG in binder_alloc_deferred_release run #14: crashed: kernel BUG in binder_alloc_deferred_release run #15: crashed: kernel BUG in binder_alloc_deferred_release run #16: crashed: kernel BUG in binder_alloc_deferred_release run #17: crashed: kernel BUG in binder_alloc_deferred_release run #18: crashed: kernel BUG in binder_alloc_deferred_release run #19: crashed: kernel BUG in binder_alloc_deferred_release testing release v5.18 testing commit 4b0986a3613c92f4ec1bdc7f60ec66fea135991f compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: a2850c602aae1678e4ff16b0d6f73786a65eb2a31cb1935f0c8ad66fdeb13622 all runs: OK # git bisect start 6012273897fefb12566580efedee10bb06e5e6ed 4b0986a3613c92f4ec1bdc7f60ec66fea135991f Bisecting: 8985 revisions left to test after this (roughly 13 steps) [ecf0aa5317b0ad6bb015128a5b763c954fd58708] Merge tag 'arm-multiplatform-5.19-1' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc testing commit ecf0aa5317b0ad6bb015128a5b763c954fd58708 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 787470891b5a61cd8d17ebabed2b867dbc68bdda09aa1afe106051860ef61e62 all runs: OK # git bisect good ecf0aa5317b0ad6bb015128a5b763c954fd58708 Bisecting: 4485 revisions left to test after this (roughly 12 steps) [6f9b5ed8caddfbc94af8307c557ed57a8ec5c65c] Merge tag 'char-misc-5.19-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc testing commit 6f9b5ed8caddfbc94af8307c557ed57a8ec5c65c compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 900286704ffc4d7c31b616f27cc972927f552737d435b5d579538e536b684569 run #0: boot failed: INFO: task hung in add_early_randomness run #1: boot failed: INFO: task hung in add_early_randomness run #2: boot failed: INFO: task hung in add_early_randomness run #3: boot failed: INFO: task hung in add_early_randomness run #4: boot failed: INFO: task hung in add_early_randomness run #5: boot failed: INFO: task hung in add_early_randomness run #6: OK run #7: OK run #8: OK run #9: OK # git bisect good 6f9b5ed8caddfbc94af8307c557ed57a8ec5c65c Bisecting: 2278 revisions left to test after this (roughly 11 steps) [9dee097b6e618047258305cd9409c6988b62051d] Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git testing commit 9dee097b6e618047258305cd9409c6988b62051d compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 680430996519a2abaddb31c433c9805cd74a37add9c6f38f117eda17f208b419 all runs: OK # git bisect good 9dee097b6e618047258305cd9409c6988b62051d Bisecting: 1047 revisions left to test after this (roughly 10 steps) [b901bbbc6d72937bbebc0e5a8ef184c0c2640143] Merge branch 'next' of git://git.kernel.org/pub/scm/virt/kvm/kvm.git testing commit b901bbbc6d72937bbebc0e5a8ef184c0c2640143 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 5b3eceb4e3071a4fafdda484547a605f12e6369dbf83d65b259bbe7ac9e1bc64 all runs: OK # git bisect good b901bbbc6d72937bbebc0e5a8ef184c0c2640143 Bisecting: 528 revisions left to test after this (roughly 9 steps) [5bb4dddc4352ead9fbe7deb4853b529ab8a20b65] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup.git testing commit 5bb4dddc4352ead9fbe7deb4853b529ab8a20b65 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: e6b95d687b1243e5ef7b639d4fae69e6ffeed6ad401ad34ed0443e4ade83a021 all runs: OK # git bisect good 5bb4dddc4352ead9fbe7deb4853b529ab8a20b65 Bisecting: 261 revisions left to test after this (roughly 8 steps) [9d27f2f1487a84c93a4fab1b9f577999c9c33723] Merge branch 'mm-nonmm-unstable' into mm-everything testing commit 9d27f2f1487a84c93a4fab1b9f577999c9c33723 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 3f4afe2ce65ac6890ae55413aa11b90fc0fabb74cfeb6dd5629306711dbb0b35 all runs: crashed: kernel BUG in binder_alloc_deferred_release # git bisect bad 9d27f2f1487a84c93a4fab1b9f577999c9c33723 Bisecting: 133 revisions left to test after this (roughly 7 steps) [83b0383613b9d9d6b8c79f65289907872e703295] mm: shrinkers: add scan interface for shrinker debugfs testing commit 83b0383613b9d9d6b8c79f65289907872e703295 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: b06eb5b26953497faa0ac845741a0b8ac02e13a8604b1d56159a0a8dd6d6601b run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: exit status NUM run #1: crashed: kernel BUG in binder_alloc_deferred_release run #2: crashed: kernel BUG in binder_alloc_deferred_release run #3: crashed: kernel BUG in binder_alloc_deferred_release run #4: crashed: kernel BUG in binder_alloc_deferred_release run #5: crashed: kernel BUG in binder_alloc_deferred_release run #6: crashed: kernel BUG in binder_alloc_deferred_release run #7: crashed: kernel BUG in binder_alloc_deferred_release run #8: crashed: kernel BUG in binder_alloc_deferred_release run #9: crashed: kernel BUG in binder_alloc_deferred_release # git bisect bad 83b0383613b9d9d6b8c79f65289907872e703295 Bisecting: 66 revisions left to test after this (roughly 6 steps) [a581451a449a14682a66d27506e0b821d0124b48] sched: use maple tree iterator to walk VMAs testing commit a581451a449a14682a66d27506e0b821d0124b48 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 0a0dd0b2cab8c148def7974019e20720f88b9aff2af13e23c146c60d8a2c68c1 run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: failed to write control pipe: write |NUM: broken pipe run #1: crashed: kernel BUG in binder_alloc_deferred_release run #2: crashed: kernel BUG in binder_alloc_deferred_release run #3: crashed: kernel BUG in binder_alloc_deferred_release run #4: crashed: kernel BUG in binder_alloc_deferred_release run #5: crashed: kernel BUG in binder_alloc_deferred_release run #6: crashed: kernel BUG in binder_alloc_deferred_release run #7: crashed: kernel BUG in binder_alloc_deferred_release run #8: crashed: kernel BUG in binder_alloc_deferred_release run #9: crashed: kernel BUG in binder_alloc_deferred_release # git bisect bad a581451a449a14682a66d27506e0b821d0124b48 Bisecting: 32 revisions left to test after this (roughly 5 steps) [54f2ba0991154263319fa7571af377d71dff81f8] xen: use vma_lookup() in privcmd_ioctl_mmap() testing commit 54f2ba0991154263319fa7571af377d71dff81f8 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: b6b24426d33cdbac1433adaa047c4c7fd923b52179a4be550b894aa51b8de21e all runs: crashed: kernel BUG in binder_alloc_deferred_release # git bisect bad 54f2ba0991154263319fa7571af377d71dff81f8 Bisecting: 16 revisions left to test after this (roughly 4 steps) [f10059e8ae13bc52cbc3ad1ea7320cfd27f17894] radix tree test suite: add lockdep_is_held to header testing commit f10059e8ae13bc52cbc3ad1ea7320cfd27f17894 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 5f64986cf26ee42aac65e1b9289f3246bb0d4024d603413704d2b5f5e9e3e5ea all runs: OK # git bisect good f10059e8ae13bc52cbc3ad1ea7320cfd27f17894 Bisecting: 8 revisions left to test after this (roughly 3 steps) [af55b23c986c52b8c932d42eb45af6003c6ad3f0] mm/mmap: use the maple tree in find_vma() instead of the rbtree. testing commit af55b23c986c52b8c932d42eb45af6003c6ad3f0 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 559a90f02d40795e119114b7ee18f37f46e0d1148cbc5407f7b6ac73f60f94ff all runs: crashed: kernel BUG in binder_alloc_deferred_release # git bisect bad af55b23c986c52b8c932d42eb45af6003c6ad3f0 Bisecting: 3 revisions left to test after this (roughly 2 steps) [a9c6edbd93f4fd94987dfe0549c0455f13644443] mapletree: build fix testing commit a9c6edbd93f4fd94987dfe0549c0455f13644443 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: ceffab90e988c2cae8027062cca185566b1e316defab7c88fc5cddafa35364e1 all runs: crashed: kernel BUG in binder_alloc_deferred_release # git bisect bad a9c6edbd93f4fd94987dfe0549c0455f13644443 Bisecting: 1 revision left to test after this (roughly 1 step) [a9885c9dae02038e5e6dfba57f42a03ec950c78f] test_maple_tree: add null expansion tests testing commit a9885c9dae02038e5e6dfba57f42a03ec950c78f compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 9091056ed467d45ae90c0490a7ece4bcb28e2b018853080b0eaa7b7ecdbead58 all runs: OK # git bisect good a9885c9dae02038e5e6dfba57f42a03ec950c78f Bisecting: 0 revisions left to test after this (roughly 0 steps) [42086abba43463fbf495cb80173600284b4c4e8c] mm: start tracking VMAs with maple tree testing commit 42086abba43463fbf495cb80173600284b4c4e8c compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 226b6660d6bdf7cdec6b2f013d63606516e85cae14a29325ebd8028928ac61f6 all runs: crashed: kernel BUG in binder_alloc_deferred_release # git bisect bad 42086abba43463fbf495cb80173600284b4c4e8c 42086abba43463fbf495cb80173600284b4c4e8c is the first bad commit commit 42086abba43463fbf495cb80173600284b4c4e8c Author: Liam R. Howlett Date: Tue Jun 14 12:00:27 2022 -0700 mm: start tracking VMAs with maple tree Start tracking the VMAs with the new maple tree structure in parallel with the rb_tree. Add debug and trace events for maple tree operations and duplicate the rb_tree that is created on forks into the maple tree. The maple tree is added to the mm_struct including the mm_init struct, added support in required mm/mmap functions, added tracking in kernel/fork for process forking, and used to find the unmapped_area and checked against what the rbtree finds. This also moves the mmap_lock() in exit_mmap() since the oom reaper call does walk the VMAs. Otherwise lockdep will be unhappy if oom happens. Link: https://lkml.kernel.org/r/20220504010716.661115-10-Liam.Howlett@oracle.com Signed-off-by: Liam R. Howlett Signed-off-by: Matthew Wilcox (Oracle) Cc: Catalin Marinas Cc: David Howells Cc: SeongJae Park Cc: Vlastimil Babka Cc: Will Deacon Cc: Davidlohr Bueso Signed-off-by: Andrew Morton arch/x86/kernel/tboot.c | 1 + drivers/firmware/efi/efi.c | 1 + include/linux/mm.h | 2 + include/linux/mm_types.h | 3 + include/trace/events/mmap.h | 73 ++++++++++ kernel/fork.c | 20 ++- mm/init-mm.c | 2 + mm/mmap.c | 318 ++++++++++++++++++++++++++++++++++++++++---- 8 files changed, 394 insertions(+), 26 deletions(-) culprit signature: 226b6660d6bdf7cdec6b2f013d63606516e85cae14a29325ebd8028928ac61f6 parent signature: 9091056ed467d45ae90c0490a7ece4bcb28e2b018853080b0eaa7b7ecdbead58 revisions tested: 16, total time: 3h45m15.040128072s (build: 1h47m29.556103959s, test: 1h55m59.985523294s) first bad commit: 42086abba43463fbf495cb80173600284b4c4e8c mm: start tracking VMAs with maple tree recipients (to): ["akpm@linux-foundation.org" "liam.howlett@oracle.com" "willy@infradead.org"] recipients (cc): [] crash: kernel BUG in binder_alloc_deferred_release IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready ------------[ cut here ]------------ kernel BUG at drivers/android/binder_alloc.c:820! invalid opcode: 0000 [#1] PREEMPT SMP KASAN CPU: 1 PID: 27 Comm: kworker/1:1 Not tainted 5.19.0-rc2-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/13/2022 Workqueue: events binder_deferred_func RIP: 0010:binder_alloc_deferred_release+0x4c7/0x690 drivers/android/binder_alloc.c:820 Code: 48 c7 c6 40 51 f9 89 48 c7 c7 00 6d 7c 8c e8 30 34 4a fd 85 c0 0f 85 5a 9c 1e 02 48 83 c4 40 5b 5d 41 5c 41 5d 41 5e 41 5f c3 <0f> 0b c7 44 24 10 00 00 00 00 e9 5f ff ff ff 48 89 ef e8 b2 c7 bc RSP: 0018:ffffc90000a2fbd8 EFLAGS: 00010282 RAX: dffffc0000000000 RBX: ffff88801e88b9e0 RCX: 0000000000000000 RDX: 1ffff11003d1174e RSI: ffffffff890bc120 RDI: ffff88801e88ba70 RBP: ffff88801e88b800 R08: 0000000000000000 R09: ffffffff8cebe057 R10: fffffbfff19d7c0a R11: 0000000000000000 R12: ffff88801e88bad8 R13: ffff88806da35d10 R14: ffff88801e88b858 R15: dffffc0000000000 FS: 0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f31f5b42ff8 CR3: 000000002111d000 CR4: 00000000003506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: binder_free_proc drivers/android/binder.c:4766 [inline] binder_proc_dec_tmpref drivers/android/binder.c:1433 [inline] binder_proc_dec_tmpref+0x21e/0x420 drivers/android/binder.c:1426 binder_deferred_release drivers/android/binder.c:5761 [inline] binder_deferred_func+0xc30/0xfc0 drivers/android/binder.c:5788 process_one_work+0x865/0x13d0 kernel/workqueue.c:2289 worker_thread+0x598/0xec0 kernel/workqueue.c:2436 kthread+0x299/0x340 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302 Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:binder_alloc_deferred_release+0x4c7/0x690 drivers/android/binder_alloc.c:820 Code: 48 c7 c6 40 51 f9 89 48 c7 c7 00 6d 7c 8c e8 30 34 4a fd 85 c0 0f 85 5a 9c 1e 02 48 83 c4 40 5b 5d 41 5c 41 5d 41 5e 41 5f c3 <0f> 0b c7 44 24 10 00 00 00 00 e9 5f ff ff ff 48 89 ef e8 b2 c7 bc RSP: 0018:ffffc90000a2fbd8 EFLAGS: 00010282 RAX: dffffc0000000000 RBX: ffff88801e88b9e0 RCX: 0000000000000000 RDX: 1ffff11003d1174e RSI: ffffffff890bc120 RDI: ffff88801e88ba70 RBP: ffff88801e88b800 R08: 0000000000000000 R09: ffffffff8cebe057 R10: fffffbfff19d7c0a R11: 0000000000000000 R12: ffff88801e88bad8 R13: ffff88806da35d10 R14: ffff88801e88b858 R15: dffffc0000000000 FS: 0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f31f5b42ff8 CR3: 0000000025ab9000 CR4: 00000000003506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400