bisecting cause commit starting from 22051d9c4a57d3b4a8b5a7407efc80c71c7bfb16
building syzkaller on 7bb222f7bcce6f16c2e110f4c3270e009aaf55e7
testing commit 22051d9c4a57d3b4a8b5a7407efc80c71c7bfb16 with gcc (GCC) 8.1.0
run #0: crashed: BUG: Bad rss-counter state
run #1: crashed: BUG: Bad rss-counter state
run #2: crashed: BUG: Bad rss-counter state
run #3: crashed: BUG: Bad rss-counter state
run #4: crashed: WARNING in __mmdrop
run #5: crashed: WARNING in __mmdrop
run #6: crashed: BUG: Bad rss-counter state
run #7: crashed: WARNING in __mmdrop
run #8: crashed: BUG: Bad rss-counter state
run #9: crashed: BUG: Bad rss-counter state
testing release v5.2
testing commit 0ecfebd2b52404ae0c54a878c872bb93363ada36 with gcc (GCC) 8.1.0
all runs: OK
# git bisect start 22051d9c4a57d3b4a8b5a7407efc80c71c7bfb16 v5.2
Bisecting: 5788 revisions left to test after this (roughly 13 steps)
[2c207985f354dfb549e5a543102a3e084eea81f6] mm/oom_kill.c: remove redundant OOM score normalization in select_bad_process()
testing commit 2c207985f354dfb549e5a543102a3e084eea81f6 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 2c207985f354dfb549e5a543102a3e084eea81f6
Bisecting: 3045 revisions left to test after this (roughly 12 steps)
[168869492e7009b6861b615f1d030c99bc805e83] docs: kbuild: fix build with pdf and fix some minor issues
testing commit 168869492e7009b6861b615f1d030c99bc805e83 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 168869492e7009b6861b615f1d030c99bc805e83
Bisecting: 1371 revisions left to test after this (roughly 11 steps)
[d7929c1e13e3788e7cb741d75b5baec5e53eff21] Merge branch 'drm-next' into drm-next-5.3
testing commit d7929c1e13e3788e7cb741d75b5baec5e53eff21 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good d7929c1e13e3788e7cb741d75b5baec5e53eff21
Bisecting: 678 revisions left to test after this (roughly 10 steps)
[9637d517347e80ee2fe1c5d8ce45ba1b88d8b5cd] Merge tag 'for-linus-20190715' of git://git.kernel.dk/linux-block
testing commit 9637d517347e80ee2fe1c5d8ce45ba1b88d8b5cd with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 9637d517347e80ee2fe1c5d8ce45ba1b88d8b5cd
Bisecting: 312 revisions left to test after this (roughly 8 steps)
[47ebe00b684c2bc183a766bc33c8b5943bc0df85] Merge tag 'dmaengine-5.3-rc1' of git://git.infradead.org/users/vkoul/slave-dma
testing commit 47ebe00b684c2bc183a766bc33c8b5943bc0df85 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 47ebe00b684c2bc183a766bc33c8b5943bc0df85
Bisecting: 158 revisions left to test after this (roughly 7 steps)
[dfe1d3a2830d607bbd66bae8bb86ae7ffde04f38] Merge branches 'clk-bulk-optional', 'clk-kirkwood', 'clk-socfpga' and 'clk-docs' into clk-next
testing commit dfe1d3a2830d607bbd66bae8bb86ae7ffde04f38 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good dfe1d3a2830d607bbd66bae8bb86ae7ffde04f38
Bisecting: 63 revisions left to test after this (roughly 6 steps)
[916f562fb28a49457d3d99d156ca415b50d6750e] Merge tag 'clk-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux
testing commit 916f562fb28a49457d3d99d156ca415b50d6750e with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 916f562fb28a49457d3d99d156ca415b50d6750e
Bisecting: 38 revisions left to test after this (roughly 5 steps)
[7636b7589f81940c6d6518786f93de74495575fa] Merge tag 'rpmsg-v5.3' of git://github.com/andersson/remoteproc
testing commit 7636b7589f81940c6d6518786f93de74495575fa with gcc (GCC) 8.1.0
run #0: crashed: WARNING in __mmdrop
run #1: crashed: WARNING in __mmdrop
run #2: crashed: BUG: Bad rss-counter state
run #3: crashed: BUG: Bad rss-counter state
run #4: crashed: WARNING in __mmdrop
run #5: crashed: WARNING in __mmdrop
run #6: crashed: WARNING in __mmdrop
run #7: crashed: BUG: Bad rss-counter state
run #8: crashed: WARNING in __mmdrop
run #9: crashed: BUG: Bad rss-counter state
# git bisect bad 7636b7589f81940c6d6518786f93de74495575fa
Bisecting: 12 revisions left to test after this (roughly 4 steps)
[edcd69ab9a323b7ac7a86e1c44b6c9c46598391f] iommu: Add virtio-iommu driver
testing commit edcd69ab9a323b7ac7a86e1c44b6c9c46598391f with gcc (GCC) 8.1.0
run #0: crashed: BUG: Bad rss-counter state
run #1: crashed: BUG: Bad rss-counter state
run #2: crashed: BUG: Bad rss-counter state
run #3: crashed: KASAN: use-after-free Read in finish_task_switch
run #4: crashed: WARNING in __mmdrop
run #5: crashed: WARNING in __mmdrop
run #6: crashed: WARNING in __mmdrop
run #7: crashed: BUG: Bad rss-counter state
run #8: crashed: WARNING in __mmdrop
run #9: crashed: WARNING in __mmdrop
# git bisect bad edcd69ab9a323b7ac7a86e1c44b6c9c46598391f
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[7f466032dc9e5a61217f22ea34b2df932786bbfc] vhost: access vq metadata through kernel virtual address
testing commit 7f466032dc9e5a61217f22ea34b2df932786bbfc with gcc (GCC) 8.1.0
run #0: crashed: WARNING in __mmdrop
run #1: crashed: WARNING in __mmdrop
run #2: crashed: BUG: Bad rss-counter state
run #3: crashed: WARNING in __mmdrop
run #4: crashed: BUG: Bad rss-counter state
run #5: crashed: WARNING in __mmdrop
run #6: crashed: WARNING in __mmdrop
run #7: crashed: BUG: Bad rss-counter state
run #8: crashed: BUG: Bad rss-counter state
run #9: crashed: WARNING in __mmdrop
# git bisect bad 7f466032dc9e5a61217f22ea34b2df932786bbfc
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[9b5e830b7120847da6c636af2d101f8380e73fa0] vhost: rename vq_iotlb_prefetch() to vq_meta_prefetch()
testing commit 9b5e830b7120847da6c636af2d101f8380e73fa0 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 9b5e830b7120847da6c636af2d101f8380e73fa0
Bisecting: 0 revisions left to test after this (roughly 1 step)
[feebcaeac79ad86fb289ef55fa92f4a97ab8314e] vhost: factor out setting vring addr and num
testing commit feebcaeac79ad86fb289ef55fa92f4a97ab8314e with gcc (GCC) 8.1.0
all runs: OK
# git bisect good feebcaeac79ad86fb289ef55fa92f4a97ab8314e
7f466032dc9e5a61217f22ea34b2df932786bbfc is the first bad commit
commit 7f466032dc9e5a61217f22ea34b2df932786bbfc
Author: Jason Wang
Date:   Fri May 24 04:12:18 2019 -0400

    vhost: access vq metadata through kernel virtual address

    It was noticed that the copy_to/from_user() friends that were used to
    access virtqueue metadata tend to be very expensive for dataplane
    implementations like vhost since it involves lots of software checks,
    speculation barriers, hardware feature toggling (e.g. SMAP). The extra
    cost will be more obvious when transferring small packets since the
    time spent on metadata accessing becomes more significant.

    This patch tries to eliminate those overheads by accessing them through
    direct mapping of those pages. Invalidation callbacks are implemented
    for co-operation with general VM management (swap, KSM, THP or NUMA
    balancing). We will try to get the direct mapping of vq metadata
    before each round of packet processing if it doesn't exist. If we
    fail, we will simply fall back to copy_to/from_user() friends.

    This invalidation and direct mapping access are synchronized through
    spinlock and RCU. All metadata accessing through direct map is
    protected by RCU, and the setup or invalidation are done under
    spinlock.

    This method might not work for high mem pages which require temporary
    mapping so we just fall back to normal copy_to/from_user(), and may
    not for arch that has virtual tagged cache since extra cache flushing
    is needed to eliminate the alias. This will result in complex logic
    and bad performance. For those archs, this patch simply goes for
    copy_to/from_user() friends. This is done by ruling out kernel mapping
    codes through ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE.

    Note that this is only done when device IOTLB is not enabled. We could
    use similar method to optimize IOTLB in the future.

    Tests show at most about 23% improvement on TX PPS when using
    virtio-user + vhost_net + xdp1 + TAP on 2.6GHz Broadwell:

            SMAP on | SMAP off
    Before: 5.2Mpps | 7.1Mpps
    After:  6.4Mpps | 8.2Mpps

    Cc: Andrea Arcangeli
    Cc: James Bottomley
    Cc: Christoph Hellwig
    Cc: David Miller
    Cc: Jerome Glisse
    Cc: linux-mm@kvack.org
    Cc: linux-arm-kernel@lists.infradead.org
    Cc: linux-parisc@vger.kernel.org
    Signed-off-by: Jason Wang
    Signed-off-by: Michael S. Tsirkin

:040000 040000 c368bf7940686a2134ad239d743eb0f5846c15cf 26c5227d261b8ee18909d17eb2dd9631fe1c5b2b M	drivers

revisions tested: 14, total time: 3h26m58.032152526s (build: 1h20m53.944152816s, test: 2h1m9.305356245s)
first bad commit: 7f466032dc9e5a61217f22ea34b2df932786bbfc vhost: access vq metadata through kernel virtual address
cc: ["aarcange@redhat.com" "davem@davemloft.net" "hch@infradead.org" "james.bottomley@hansenpartnership.com" "jasowang@redhat.com" "jglisse@redhat.com" "linux-arm-kernel@lists.infradead.org" "linux-mm@kvack.org" "linux-parisc@vger.kernel.org" "mst@redhat.com"]
crash: WARNING in __mmdrop
WARNING: CPU: 1 PID: 8822 at kernel/fork.c:673 __mmdrop+0x1ec/0x290 /kernel/fork.c:671
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 8822 Comm: syz-executor.2 Not tainted 5.2.0-rc2+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack /lib/dump_stack.c:77 [inline]
 dump_stack+0x113/0x167 /lib/dump_stack.c:113
 panic+0x212/0x4cb /kernel/panic.c:219
 __warn.cold.8+0x1b/0x38 /kernel/panic.c:576
 report_bug+0x1a4/0x200 /lib/bug.c:186
 fixup_bug /arch/x86/kernel/traps.c:179 [inline]
 do_error_trap+0x11b/0x200 /arch/x86/kernel/traps.c:272
 do_invalid_op+0x36/0x40 /arch/x86/kernel/traps.c:291
 invalid_op+0x14/0x20 /arch/x86/entry/entry_64.S:986
RIP: 0010:__mmdrop+0x1ec/0x290 /kernel/fork.c:673
Code: d8 00 00 00 74 18 48 8b 3d a1 07 f3 07 48 89 de e8 19 4b 5b 00 5b 41 5c 41 5d 41 5e 5d c3 4c 89 e7 e8 48 c3 26 00 eb de 0f 0b <0f> 0b e9 9c fe ff ff 0f 0b e9 5b fe ff ff 4c 89 e7 e8 7e 91 5b 00
RSP: 0018:ffff88808ea57a90 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffff88808c61d400 RCX: ffffffff813c652f
RDX: 1ffff11013088c8d RSI: 0000000000000004 RDI: ffff888098446468
RBP: ffff88808ea57ab0 R08: ffffed10118c3a8c R09: ffffed10118c3a8b
R10: ffffed10118c3a8b R11: ffff88808c61d45f R12: ffff888098446040
R13: ffff8880a4109340 R14: 0000000000000310 R15: ffff88808c61d400
 mmdrop /./include/linux/sched/mm.h:49 [inline]
 __mmput /kernel/fork.c:1069 [inline]
 mmput+0x321/0x3f0 /kernel/fork.c:1080
 exit_mm /kernel/exit.c:547 [inline]
 do_exit+0x934/0x2e80 /kernel/exit.c:864
 do_group_exit+0xf4/0x2f0 /kernel/exit.c:981
 get_signal+0x339/0x1b70 /kernel/signal.c:2638
 do_signal+0x87/0x1940 /arch/x86/kernel/signal.c:815
 exit_to_usermode_loop+0x114/0x200 /arch/x86/entry/common.c:164
 prepare_exit_to_usermode /arch/x86/entry/common.c:199 [inline]
 syscall_return_slowpath /arch/x86/entry/common.c:279 [inline]
 do_syscall_64+0x447/0x530 /arch/x86/entry/common.c:304
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x459819
Code: Bad RIP value.
RSP: 002b:00007f701c712c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000459819
RDX: 00000000200023c0 RSI: 000000004028af11 RDI: 0000000000000003
RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f701c7136d4
R13: 00000000004c4722 R14: 00000000004d87d0 R15: 00000000ffffffff
Kernel Offset: disabled
Rebooting in 86400 seconds..