bisecting fixing commit since a409ed156a90093a03fe6a93721ddf4c591eac87
building syzkaller on 04201c0669446145fd9c347c5538da0ca13ff29b
testing commit a409ed156a90093a03fe6a93721ddf4c591eac87
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 1ca01283cb922c934c5873a5a9dc87e419bd83ed142529dabbd300ae04e00706
run #0: crashed: INFO: trying to register non-static key in l2cap_sock_teardown_cb
run #1: crashed: KASAN: use-after-free Read in lock_sock_nested
run #2: crashed: KASAN: use-after-free Read in lock_sock_nested
run #3: crashed: INFO: trying to register non-static key in l2cap_sock_teardown_cb
run #4: crashed: KASAN: use-after-free Read in lock_sock_nested
run #5: crashed: KASAN: use-after-free Read in lock_sock_nested
run #6: crashed: KASAN: use-after-free Read in lock_sock_nested
run #7: crashed: KASAN: use-after-free Read in lock_sock_nested
run #8: crashed: KASAN: use-after-free Read in lock_sock_nested
run #9: crashed: KASAN: use-after-free Read in lock_sock_nested
run #10: crashed: KASAN: use-after-free Read in lock_sock_nested
run #11: crashed: WARNING: locking bug in l2cap_sock_teardown_cb
run #12: crashed: KASAN: use-after-free Read in lock_sock_nested
run #13: crashed: KASAN: use-after-free Read in lock_sock_nested
run #14: crashed: WARNING: locking bug in l2cap_sock_teardown_cb
run #15: crashed: WARNING: locking bug in l2cap_sock_teardown_cb
run #16: crashed: KASAN: use-after-free Read in lock_sock_nested
run #17: crashed: INFO: trying to register non-static key in l2cap_sock_teardown_cb
run #18: crashed: KASAN: use-after-free Read in lock_sock_nested
run #19: crashed: INFO: trying to register non-static key in l2cap_sock_teardown_cb
testing current HEAD 87066fdd2e30fe9dd531125d95257c118a74617e
testing commit 87066fdd2e30fe9dd531125d95257c118a74617e
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 5ad28cdd5457847c013bac9c8d11be46f60446881543bfa0d4d8266b99526bec
run #0: crashed: BUG: unable to handle kernel paging request in lock_sock_nested
run #1: crashed: KASAN: use-after-free Read in lock_sock_nested
run #2: crashed: KASAN: use-after-free Read in lock_sock_nested
run #3: crashed: KASAN: use-after-free Read in lock_sock_nested
run #4: crashed: KASAN: use-after-free Read in lock_sock_nested
run #5: crashed: WARNING: locking bug in l2cap_sock_teardown_cb
run #6: crashed: KASAN: slab-out-of-bounds Read in lock_sock_nested
run #7: crashed: BUG: unable to handle kernel paging request in lock_sock_nested
run #8: crashed: KASAN: use-after-free Read in lock_sock_nested
run #9: crashed: BUG: unable to handle kernel paging request in lock_sock_nested
revisions tested: 2, total time: 20m27.372680003s (build: 11m18.26290304s, test: 8m18.460919422s)
the crash still happens on HEAD
commit msg: Revert "mm/secretmem: use refcount_t instead of atomic_t"
crash: BUG: unable to handle kernel paging request in lock_sock_nested
BUG: unable to handle page fault for address: fffffbfff327b8c2
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 23ffe9067 P4D 23ffe9067 PUD 23ffe8067 PMD 0 
Oops: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 8939 Comm: kworker/1:6 Not tainted 5.15.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events l2cap_chan_timeout
RIP: 0010:bytes_is_nonzero mm/kasan/generic.c:85 [inline]
RIP: 0010:memory_is_nonzero mm/kasan/generic.c:102 [inline]
RIP: 0010:memory_is_poisoned_n mm/kasan/generic.c:128 [inline]
RIP: 0010:memory_is_poisoned mm/kasan/generic.c:159 [inline]
RIP: 0010:check_region_inline mm/kasan/generic.c:180 [inline]
RIP: 0010:kasan_check_range+0xdb/0x180 mm/kasan/generic.c:189
Code: 80 38 00 74 f2 48 89 c2 b8 01 00 00 00 48 85 d2 75 56 5b 5d 41 5c c3 48 85 d2 74 5e 48 01 ea eb 09 48 83 c0 01 48 39 d0 74 50 <80> 38 00 74 f2 eb d4 41 bc 08 00 00 00 48 89 ea 45 29 dc 4d 8d 1c
RSP: 0018:ffffc9000c9df910 EFLAGS: 00010086
RAX: fffffbfff327b8c2 RBX: fffffbfff327b8c3 RCX: ffffffff81524021
RDX: fffffbfff327b8c3 RSI: 0000000000000008 RDI: ffffffff993dc610
RBP: fffffbfff327b8c2 R08: 0000000000000000 R09: ffffffff993dc617
R10: fffffbfff327b8c2 R11: 000000000000000b R12: ffff888069918e40
R13: ffff888069918400 R14: 0000000000040000 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff8880b9f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffbfff327b8c2 CR3: 000000007b434000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 instrument_atomic_read include/linux/instrumented.h:71 [inline]
 test_bit include/asm-generic/bitops/instrumented-non-atomic.h:134 [inline]
 __lock_acquire+0x1041/0x53d0 kernel/locking/lockdep.c:4985
 lock_acquire kernel/locking/lockdep.c:5625 [inline]
 lock_acquire+0x1ab/0x500 kernel/locking/lockdep.c:5590
 lock_sock_nested+0x2b/0xd0 net/core/sock.c:3203
 l2cap_sock_teardown_cb+0x90/0x590 net/bluetooth/l2cap_sock.c:1528
 l2cap_chan_del+0x9b/0x8f0 net/bluetooth/l2cap_core.c:622
 l2cap_chan_close+0x180/0x990 net/bluetooth/l2cap_core.c:825
 l2cap_chan_timeout+0x125/0x280 net/bluetooth/l2cap_core.c:436
 process_one_work+0x87f/0x1470 kernel/workqueue.c:2297
 worker_thread+0x598/0x1040 kernel/workqueue.c:2444
 kthread+0x38b/0x460 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
Modules linked in:
CR2: fffffbfff327b8c2
---[ end trace 2ceaf217e3f6f163 ]---
RIP: 0010:bytes_is_nonzero mm/kasan/generic.c:85 [inline]
RIP: 0010:memory_is_nonzero mm/kasan/generic.c:102 [inline]
RIP: 0010:memory_is_poisoned_n mm/kasan/generic.c:128 [inline]
RIP: 0010:memory_is_poisoned mm/kasan/generic.c:159 [inline]
RIP: 0010:check_region_inline mm/kasan/generic.c:180 [inline]
RIP: 0010:kasan_check_range+0xdb/0x180 mm/kasan/generic.c:189
Code: 80 38 00 74 f2 48 89 c2 b8 01 00 00 00 48 85 d2 75 56 5b 5d 41 5c c3 48 85 d2 74 5e 48 01 ea eb 09 48 83 c0 01 48 39 d0 74 50 <80> 38 00 74 f2 eb d4 41 bc 08 00 00 00 48 89 ea 45 29 dc 4d 8d 1c
RSP: 0018:ffffc9000c9df910 EFLAGS: 00010086
RAX: fffffbfff327b8c2 RBX: fffffbfff327b8c3 RCX: ffffffff81524021
RDX: fffffbfff327b8c3 RSI: 0000000000000008 RDI: ffffffff993dc610
RBP: fffffbfff327b8c2 R08: 0000000000000000 R09: ffffffff993dc617
R10: fffffbfff327b8c2 R11: 000000000000000b R12: ffff888069918e40
R13: ffff888069918400 R14: 0000000000040000 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff8880b9f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffbfff327b8c2 CR3: 000000007b434000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	80 38 00             	cmpb   $0x0,(%rax)
   3:	74 f2                	je     0xfffffff7
   5:	48 89 c2             	mov    %rax,%rdx
   8:	b8 01 00 00 00       	mov    $0x1,%eax
   d:	48 85 d2             	test   %rdx,%rdx
  10:	75 56                	jne    0x68
  12:	5b                   	pop    %rbx
  13:	5d                   	pop    %rbp
  14:	41 5c                	pop    %r12
  16:	c3                   	retq
  17:	48 85 d2             	test   %rdx,%rdx
  1a:	74 5e                	je     0x7a
  1c:	48 01 ea             	add    %rbp,%rdx
  1f:	eb 09                	jmp    0x2a
  21:	48 83 c0 01          	add    $0x1,%rax
  25:	48 39 d0             	cmp    %rdx,%rax
  28:	74 50                	je     0x7a
* 2a:	80 38 00             	cmpb   $0x0,(%rax) <-- trapping instruction
  2d:	74 f2                	je     0x21
  2f:	eb d4                	jmp    0x5
  31:	41 bc 08 00 00 00    	mov    $0x8,%r12d
  37:	48 89 ea             	mov    %rbp,%rdx
  3a:	45 29 dc             	sub    %r11d,%r12d
  3d:	4d                   	rex.WRB
  3e:	8d                   	.byte 0x8d
  3f:	1c                   	.byte 0x1c