bisecting cause commit starting from 08897940f458ee55416cf80ab13d2d8b9f20038e
building syzkaller on 912f5df7fadf1d0214995def5446208d0f26c54b
testing commit 08897940f458ee55416cf80ab13d2d8b9f20038e
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 70a3a8f46b0c7acdee2af8ecaf434764c2f046cd3d1364e475a58b2defc415fb
all runs: crashed: WARNING in binder_alloc_vma_close
testing release v5.18
testing commit 4b0986a3613c92f4ec1bdc7f60ec66fea135991f
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 2ef16f5040e0da5ac81cb2d40ff619d48adc52442c79421a81c1c423e3af438c
all runs: OK
# git bisect start 08897940f458ee55416cf80ab13d2d8b9f20038e 4b0986a3613c92f4ec1bdc7f60ec66fea135991f
Bisecting: 10081 revisions left to test after this (roughly 13 steps)
[6f664045c8688c40ad0591abd6ab89db9ecd7945] Merge tag 'mm-nonmm-stable-2022-05-26' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm

testing commit 6f664045c8688c40ad0591abd6ab89db9ecd7945
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 718be30d4880085d6e01917fc7747d5980a8b428d561f37e36430bc3e32d87e6
all runs: OK
# git bisect good 6f664045c8688c40ad0591abd6ab89db9ecd7945
Bisecting: 5062 revisions left to test after this (roughly 12 steps)
[d289f4cb0f7f16b1821364e6c13808e37bf3b527] Merge branch 'for-next' of https://git.kernel.org/pub/scm/linux/kernel/git/krzk/linux-mem-ctrl.git

testing commit d289f4cb0f7f16b1821364e6c13808e37bf3b527
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: d63aad99524ad0a905e52536df063092c39c0058bdc6715577d7446bd9c030c1
all runs: OK
# git bisect good d289f4cb0f7f16b1821364e6c13808e37bf3b527
Bisecting: 2583 revisions left to test after this (roughly 11 steps)
[7a5b54022c08afdb09a904a996041166b3169568] Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input.git

testing commit 7a5b54022c08afdb09a904a996041166b3169568
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 3e45c53bbf3e062e6bc0ca1832accd32bb2f71ca942a7daa1b5ecae872b81e7b
all runs: OK
# git bisect good 7a5b54022c08afdb09a904a996041166b3169568
Bisecting: 1399 revisions left to test after this (roughly 10 steps)
[165e85e36ceaa77484eae9c62222642900b3a6b7] Merge branch 'icc-next' of git://git.kernel.org/pub/scm/linux/kernel/git/djakov/icc.git

testing commit 165e85e36ceaa77484eae9c62222642900b3a6b7
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 92ba77a68a802fb69de9a6269f1c9679f9994c4426a869a464e71b0e890546d5
all runs: OK
# git bisect good 165e85e36ceaa77484eae9c62222642900b3a6b7
Bisecting: 700 revisions left to test after this (roughly 10 steps)
[a7ad421b47e636ec2f1772cb809c93048ce0acff] Merge branch 'rust-next' of https://github.com/Rust-for-Linux/linux.git

testing commit a7ad421b47e636ec2f1772cb809c93048ce0acff
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 559356560aab82668726169c08cf4626a9838f6c98bfe2349fbfdfbbde822881
all runs: OK
# git bisect good a7ad421b47e636ec2f1772cb809c93048ce0acff
Bisecting: 354 revisions left to test after this (roughly 9 steps)
[8b3452cdabacfcfe3b627b2d735ed4411ce40ca2] Merge branch 'mm-nonmm-unstable' into mm-everything

testing commit 8b3452cdabacfcfe3b627b2d735ed4411ce40ca2
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 309db49d955d9486d73ed4fb2f67c5d240ad44a121f1eb66731d4560dae6e04a
all runs: crashed: WARNING in binder_alloc_vma_close
# git bisect bad 8b3452cdabacfcfe3b627b2d735ed4411ce40ca2
Bisecting: 172 revisions left to test after this (roughly 8 steps)
[cdee181ae03b779d433f832e8cc15e0eac32bc86] mm: shrinkers: add scan interface for shrinker debugfs

testing commit cdee181ae03b779d433f832e8cc15e0eac32bc86
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 1244ff29273ab075d9f6a963108203182f2fed4db56279ed913efcd3350b9247
all runs: crashed: WARNING in binder_alloc_vma_close
# git bisect bad cdee181ae03b779d433f832e8cc15e0eac32bc86
Bisecting: 86 revisions left to test after this (roughly 7 steps)
[92398dd53b562ef6ab44c4fce1321852a81a252e] mm/mmap: reorganize munmap to use maple states

testing commit 92398dd53b562ef6ab44c4fce1321852a81a252e
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: e8995c347b502e56a2b7e1a0f1c28b936b30fbf3bc705b895b29a167ecfedc77
all runs: crashed: WARNING in binder_alloc_vma_close
# git bisect bad 92398dd53b562ef6ab44c4fce1321852a81a252e
Bisecting: 42 revisions left to test after this (roughly 6 steps)
[efc8dabe57739bfe42561f94193a441c889e1b9a] maple_tree: fix potential out of range offset on mas_next()/mas_prev()

testing commit efc8dabe57739bfe42561f94193a441c889e1b9a
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 30c795cac170717a0c7897a88902ec14f75a60a7a9aa68966adc363b7cd1cef9
all runs: crashed: WARNING in binder_alloc_vma_close
# git bisect bad efc8dabe57739bfe42561f94193a441c889e1b9a
Bisecting: 21 revisions left to test after this (roughly 5 steps)
[0c24e061196c21d53328d60f4ad0e5a2b3183343] mm: kmemleak: add rbtree and store physical address for objects allocated with PA

testing commit 0c24e061196c21d53328d60f4ad0e5a2b3183343
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 99c1b37448e20ee2c46ea379a7f7ce00dd369191483fcac1b54489e0301c73ba
all runs: OK
# git bisect good 0c24e061196c21d53328d60f4ad0e5a2b3183343
Bisecting: 10 revisions left to test after this (roughly 4 steps)
[6eed9f808effaba9f0711fe3f9447575f75c6d52] Merge branch 'mm-stable' into mm-unstable

testing commit 6eed9f808effaba9f0711fe3f9447575f75c6d52
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: f0704803d0bf602d9e3122b64493feb9f178560b1e56ce41bc80182ae9a86b6b
run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: failed to write control pipe: write |NUM: broken pipe
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good 6eed9f808effaba9f0711fe3f9447575f75c6d52
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[472a68df605b149ca58e931b4936e3136f5ecca0] android: binder: stop saving a pointer to the VMA

testing commit 472a68df605b149ca58e931b4936e3136f5ecca0
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: eeb7dec7f8a5658b3ef465390477d2acc335c22d2f5fe212dc446c563822571e
all runs: crashed: WARNING in binder_alloc_vma_close
# git bisect bad 472a68df605b149ca58e931b4936e3136f5ecca0
Bisecting: 2 revisions left to test after this (roughly 1 step)
[dd13f5d1fec6dc2e128794004771312e1d0bce36] mm/page_vma_mapped.c: check possible huge PMD map with transhuge_vma_suitable()

testing commit dd13f5d1fec6dc2e128794004771312e1d0bce36
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 2bef9c6d7a4af70d4f68e857b830c588e27d99439af42bd7bb7cac5ca76acd53
run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: exit status NUM
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good dd13f5d1fec6dc2e128794004771312e1d0bce36
Bisecting: 0 revisions left to test after this (roughly 1 step)
[b5e56929b27496129d27b824618b985f91489d03] mips: rename mt_init to mips_mt_init

testing commit b5e56929b27496129d27b824618b985f91489d03
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 3ddd3623ab13a5610df17b23638d6e717be2c37ebc736ee62239c70a75bfedaf
all runs: OK
# git bisect good b5e56929b27496129d27b824618b985f91489d03
472a68df605b149ca58e931b4936e3136f5ecca0 is the first bad commit
commit 472a68df605b149ca58e931b4936e3136f5ecca0
Author: Liam R. Howlett <Liam.Howlett@oracle.com>
Date:   Mon Jun 20 21:09:09 2022 -0400

    android: binder: stop saving a pointer to the VMA
    
    Do not record a pointer to a VMA outside of the mmap_lock for later use.
    This is unsafe and there are a number of failure paths *after* the
    recorded VMA pointer may be freed during setup.  There is no callback to
    the driver to clear the saved pointer from generic mm code.  Furthermore,
    the VMA pointer may become stale if any number of VMA operations end up
    freeing the VMA so saving it was fragile to being with.
    
    Instead, change the binder_alloc struct to record the start address of the
    VMA and use vma_lookup() to get the vma when needed.  Add lockdep
    mmap_lock checks on updates to the vma pointer to ensure the lock is held
    and depend on that lock for synchronization of readers and writers - which
    was already the case anyways, so the smp_wmb()/smp_rmb() was not
    necessary.
    
    Link: https://lkml.kernel.org/r/20220621140212.vpkio64idahetbyf@revolver
    Fixes: da1b9564e85b ("android: binder: fix the race mmap and alloc_new_buf_locked")
    Reported-by: syzbot+58b51ac2b04e388ab7b0@syzkaller.appspotmail.com
    Signed-off-by: Liam R. Howlett <Liam.Howlett@oracle.com>
    Cc: Minchan Kim <minchan@kernel.org>
    Cc: Christian Brauner (Microsoft) <brauner@kernel.org>
    Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Cc: Hridya Valsaraju <hridya@google.com>
    Cc: Joel Fernandes <joel@joelfernandes.org>
    Cc: Martijn Coenen <maco@android.com>
    Cc: Suren Baghdasaryan <surenb@google.com>
    Cc: Todd Kjos <tkjos@android.com>
    Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>

 drivers/android/binder_alloc.c | 30 ++++++++++++++----------------
 drivers/android/binder_alloc.h |  2 +-
 2 files changed, 15 insertions(+), 17 deletions(-)

culprit signature: eeb7dec7f8a5658b3ef465390477d2acc335c22d2f5fe212dc446c563822571e
parent  signature: 3ddd3623ab13a5610df17b23638d6e717be2c37ebc736ee62239c70a75bfedaf
revisions tested: 16, total time: 4h1m32.065397776s (build: 1h50m18.540836621s, test: 2h9m27.525365609s)
first bad commit: 472a68df605b149ca58e931b4936e3136f5ecca0 android: binder: stop saving a pointer to the VMA
recipients (to): ["akpm@linux-foundation.org" "arve@android.com" "brauner@kernel.org" "gregkh@linuxfoundation.org" "hridya@google.com" "joel@joelfernandes.org" "liam.howlett@oracle.com" "linux-kernel@vger.kernel.org" "maco@android.com" "surenb@google.com" "tkjos@android.com"]
recipients (cc): []
crash: WARNING in binder_alloc_vma_close
------------[ cut here ]------------
WARNING: CPU: 1 PID: 4102 at include/linux/mmap_lock.h:161 mmap_assert_write_locked include/linux/mmap_lock.h:161 [inline]
WARNING: CPU: 1 PID: 4102 at include/linux/mmap_lock.h:161 binder_alloc_set_vma drivers/android/binder_alloc.c:323 [inline]
WARNING: CPU: 1 PID: 4102 at include/linux/mmap_lock.h:161 binder_alloc_vma_close+0xdf/0x120 drivers/android/binder_alloc.c:970
Modules linked in:
CPU: 1 PID: 4102 Comm: syz-executor.0 Not tainted 5.19.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:mmap_assert_write_locked include/linux/mmap_lock.h:161 [inline]
RIP: 0010:binder_alloc_set_vma drivers/android/binder_alloc.c:323 [inline]
RIP: 0010:binder_alloc_vma_close+0xdf/0x120 drivers/android/binder_alloc.c:970
Code: ea 03 80 3c 02 00 75 55 48 c7 83 90 00 00 00 00 00 00 00 5b 5d 41 5c c3 48 8d bd 28 01 00 00 31 f6 e8 45 11 25 02 85 c0 75 89 <0f> 0b eb 85 48 89 ef e8 e5 e5 1e fb 0f 0b 48 c7 c7 4c 66 eb 8c e8
RSP: 0018:ffffc90002ddfdc8 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff888079f421e0 RCX: 0000000000000001
RDX: 0000000000000000 RSI: ffffffff890bc120 RDI: ffffffff89645600
RBP: ffff88807abf9c00 R08: 0000000020ffe000 R09: 0000000000000008
R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000000
R13: 0000000000000002 R14: dffffc0000000000 R15: 0000000000000001
FS:  00007fdf40f17700(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f6b3652b097 CR3: 000000007f024000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 remove_vma+0x9b/0x140 mm/mmap.c:190
 remove_vma_list mm/mmap.c:2647 [inline]
 __do_munmap+0x5b2/0x1010 mm/mmap.c:2885
 __vm_munmap+0xd8/0x1b0 mm/mmap.c:2905
 __do_sys_munmap mm/mmap.c:2930 [inline]
 __se_sys_munmap mm/mmap.c:2927 [inline]
 __x64_sys_munmap+0x50/0x70 mm/mmap.c:2927
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7fdf3fe89109
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fdf40f17168 EFLAGS: 00000246 ORIG_RAX: 000000000000000b
RAX: ffffffffffffffda RBX: 00007fdf3ff9bf60 RCX: 00007fdf3fe89109
RDX: 0000000000000000 RSI: 0000000000004000 RDI: 0000000020ffa000
RBP: 00007fdf3fee305d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffc3091569f R14: 00007fdf40f17300 R15: 0000000000022000
 </TASK>