ci starts bisection 2025-09-07 20:05:05.926147809 +0000 UTC m=+318426.813720408
bisecting cause commit starting from 4ac65880ebca1b68495bd8704263b26c050ac010
building syzkaller on d291dd2d58a1885c00a60561048b6ceb1bf1206a
fetch other tags and check if the commit is present
ensuring issue is reproducible on original commit 4ac65880ebca1b68495bd8704263b26c050ac010

testing commit 4ac65880ebca1b68495bd8704263b26c050ac010 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 12ca9244eadea2d145cf8f85607d53551042ee865c3025516cdacce2eec06d6f
all runs: crashed: KASAN: null-ptr-deref Read in io_sqe_buffer_register
representative crash: KASAN: null-ptr-deref Read in io_sqe_buffer_register, types: [KASAN-NULL-POINTER-DEREFERENCE-READ]
check whether we can drop unnecessary instrumentation
disabling configs for [locking atomic_sleep hang memleak ubsan bug_or_warning], they are not needed
testing commit 4ac65880ebca1b68495bd8704263b26c050ac010 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: e38a013ad5dbe47144b28ffd65acd0c6695823a3fb6aa629719f5340f248b80f
all runs: crashed: KASAN: null-ptr-deref Read in io_sqe_buffer_register
representative crash: KASAN: null-ptr-deref Read in io_sqe_buffer_register, types: [KASAN-NULL-POINTER-DEREFERENCE-READ]
the bug reproduces without the instrumentation
disabling configs for [locking atomic_sleep hang memleak ubsan bug_or_warning], they are not needed

kconfig minimization: base=4099 full=8507 leaves diff=2182
split chunks (needed=false): <2182>
split chunk #0 of len 2182 into 5 parts
testing without sub-chunk 1/5
disabling configs for [hang memleak ubsan bug_or_warning locking atomic_sleep], they are not needed
testing commit 4ac65880ebca1b68495bd8704263b26c050ac010 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 3b9dc0e34c61992821da1af2c23f24956f912fa5cf9ffb3ce78d5ef7b243ea88
all runs: crashed: KASAN: null-ptr-deref Read in io_sqe_buffer_register
representative crash: KASAN: null-ptr-deref Read in io_sqe_buffer_register, types: [KASAN-NULL-POINTER-DEREFERENCE-READ]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [bug_or_warning locking atomic_sleep hang memleak ubsan], they are not needed
testing commit 4ac65880ebca1b68495bd8704263b26c050ac010 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 7526c853db754b675007786007fadbfb6547598167e12b3c2689922ec1abd549
all runs: crashed: KASAN: null-ptr-deref Read in io_sqe_buffer_register
representative crash: KASAN: null-ptr-deref Read in io_sqe_buffer_register, types: [KASAN-NULL-POINTER-DEREFERENCE-READ]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [ubsan bug_or_warning locking atomic_sleep hang memleak], they are not needed
testing commit 4ac65880ebca1b68495bd8704263b26c050ac010 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: af39d3f36a308fe654609199ef5b9dcf5badce588f6de818ada6feda9842cc5a
all runs: crashed: KASAN: null-ptr-deref Read in io_sqe_buffer_register
representative crash: KASAN: null-ptr-deref Read in io_sqe_buffer_register, types: [KASAN-NULL-POINTER-DEREFERENCE-READ]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [locking atomic_sleep hang memleak ubsan bug_or_warning], they are not needed
testing commit 4ac65880ebca1b68495bd8704263b26c050ac010 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: c7bef1509211db137b21082bcd2212c58e6487e5d39e59bc575ecd81ae964f6e
all runs: crashed: KASAN: null-ptr-deref Read in io_sqe_buffer_register
representative crash: KASAN: null-ptr-deref Read in io_sqe_buffer_register, types: [KASAN-NULL-POINTER-DEREFERENCE-READ]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [memleak ubsan bug_or_warning locking atomic_sleep hang], they are not needed
testing commit 4ac65880ebca1b68495bd8704263b26c050ac010 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: d64dce5cd0029d124fa347e945616f9ea407fecbd8a338d7ebfec8d0f132b665
all runs: crashed: KASAN: null-ptr-deref Read in io_sqe_buffer_register
representative crash: KASAN: null-ptr-deref Read in io_sqe_buffer_register, types: [KASAN-NULL-POINTER-DEREFERENCE-READ]
the chunk can be dropped
disabling configs for [locking atomic_sleep hang memleak ubsan bug_or_warning], they are not needed

picked [v6.16 v6.15 v6.14 v6.12 v6.10 v6.8 v6.6 v6.4 v6.1 v5.18 v5.15 v5.12 v5.9 v5.6 v5.3 v5.0 v4.19] out of 39 release tags
testing release v6.16
testing commit 038d61fd642278bab63ee8ef722c50d10ab01e8f gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: e200f838239e6cd89dcdd204a6a3b26cda1c9302d154a35e9133b95f64733753
all runs: OK
false negative chance: 0.000

# git bisect start 4ac65880ebca1b68495bd8704263b26c050ac010 038d61fd642278bab63ee8ef722c50d10ab01e8f
Bisecting: 9711 revisions left to test after this (roughly 13 steps)
[2d945dde7fa3f17f46349360a9f97614de9f47da] Merge tag 'clk-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux
testing commit 2d945dde7fa3f17f46349360a9f97614de9f47da gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 0e3e1cde93d27353d8bb9d083980d9f9367f982010fd5abf22cb66e6a2b94d30
all runs: OK
false negative chance: 0.000

# git bisect good 2d945dde7fa3f17f46349360a9f97614de9f47da
Bisecting: 4847 revisions left to test after this (roughly 12 steps)
[7e2262ed11432b079fb6e5d5386adf462303a36c] Merge branch 'ti-next' of https://git.kernel.org/pub/scm/linux/kernel/git/ti/linux.git
testing commit 7e2262ed11432b079fb6e5d5386adf462303a36c gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 609851ec52aae23eb2e933f28c7c9c31149df5eb39eda08d5ec51106645deafe
all runs: crashed: KASAN: null-ptr-deref Read in io_sqe_buffer_register
representative crash: KASAN: null-ptr-deref Read in io_sqe_buffer_register, types: [KASAN-NULL-POINTER-DEREFERENCE-READ]

# git bisect bad 7e2262ed11432b079fb6e5d5386adf462303a36c
Bisecting: 2431 revisions left to test after this (roughly 11 steps)
[48c4c0b684f394721b7db809e1cc282fccdb33da] Merge branch 'next/dt' into for-next
testing commit 48c4c0b684f394721b7db809e1cc282fccdb33da gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: d26f9ea8c6fb90f30f09e6189d325b0cba9422f5bc8c958355f4227832642cfa
all runs: OK
false negative chance: 0.000

# git bisect good 48c4c0b684f394721b7db809e1cc282fccdb33da
Bisecting: 1215 revisions left to test after this (roughly 10 steps)
[60d4467718d6e183796ed01371121f3baa031b07] Merge branch 'master' of https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/
testing commit 60d4467718d6e183796ed01371121f3baa031b07 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 151bdce99c5aaafe0bd3b006985aadd267f4536e352ed37b01db8d42af815e1e
all runs: OK
false negative chance: 0.000

# git bisect good 60d4467718d6e183796ed01371121f3baa031b07
Bisecting: 652 revisions left to test after this (roughly 9 steps)
[1e3036e1fb645aa1d92f0c3d72d5409bc8d4bd56] Merge branch 'for-next' of https://git.kernel.org/pub/scm/linux/kernel/git/rmk/linux.git
testing commit 1e3036e1fb645aa1d92f0c3d72d5409bc8d4bd56 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 6f5a61aa052ed98feb90c21d68efd88318325495be0deb77e940af88efff9706
all runs: crashed: KASAN: null-ptr-deref Read in io_sqe_buffer_register
representative crash: KASAN: null-ptr-deref Read in io_sqe_buffer_register, types: [KASAN-NULL-POINTER-DEREFERENCE-READ]

# git bisect bad 1e3036e1fb645aa1d92f0c3d72d5409bc8d4bd56
Bisecting: 281 revisions left to test after this (roughly 8 steps)
[e6d28cb1df588daf5b9014e881217a3b4c79f795] mm: constify arch_pick_mmap_layout() for improved const-correctness
testing commit e6d28cb1df588daf5b9014e881217a3b4c79f795 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: ca0b5486f1978ded95ae8bc97563249bc3e9fd1c380bbc80f07112a412880707
all runs: crashed: KASAN: null-ptr-deref Read in io_sqe_buffer_register
representative crash: KASAN: null-ptr-deref Read in io_sqe_buffer_register, types: [KASAN-NULL-POINTER-DEREFERENCE-READ]

# git bisect bad e6d28cb1df588daf5b9014e881217a3b4c79f795
Bisecting: 140 revisions left to test after this (roughly 7 steps)
[44101cbe4cf86ab2125aa3cee9fa7a0ef9817872] mm: fix duplicate accounting of free pages in should_reclaim_retry()
testing commit 44101cbe4cf86ab2125aa3cee9fa7a0ef9817872 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: e4c6ebd95eabdb80dd5656c79396fbb0e6772b11d059473485aa0ac0d5b179ec
all runs: OK
false negative chance: 0.000

# git bisect good 44101cbe4cf86ab2125aa3cee9fa7a0ef9817872
Bisecting: 70 revisions left to test after this (roughly 6 steps)
[111bf5ad945dd2c8ab62a619bc587df7cd1cfab4] maple_tree: fix testing for 32 bit builds
testing commit 111bf5ad945dd2c8ab62a619bc587df7cd1cfab4 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: e5dd320ec7d7c8c4c825ee54135cd632b26952c02786e72c5aaabc0a3e7653a9
all runs: OK
false negative chance: 0.000

# git bisect good 111bf5ad945dd2c8ab62a619bc587df7cd1cfab4
Bisecting: 35 revisions left to test after this (roughly 5 steps)
[92c22f6cc03ea9d5b172276d6ae45c691993b257] scatterlist: disallow non-contigous page ranges in a single SG entry
testing commit 92c22f6cc03ea9d5b172276d6ae45c691993b257 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 9e237e687c6df57117a1c945648f5a1df8ad94bfddb0d189e188043456a62a5c
all runs: crashed: KASAN: null-ptr-deref Read in io_sqe_buffer_register
representative crash: KASAN: null-ptr-deref Read in io_sqe_buffer_register, types: [KASAN-NULL-POINTER-DEREFERENCE-READ]

# git bisect bad 92c22f6cc03ea9d5b172276d6ae45c691993b257
Bisecting: 17 revisions left to test after this (roughly 4 steps)
[3b3f02f8a99250ecfca6095950d3614e3e9c207a] mm/page_alloc: reject unreasonable folio/compound page sizes in alloc_contig_range_noprof()
testing commit 3b3f02f8a99250ecfca6095950d3614e3e9c207a gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 191837f54cd6c2189a8ad51b1780aee0feb93a53cddca38ec32a91d77c31260c
all runs: OK
false negative chance: 0.000

# git bisect good 3b3f02f8a99250ecfca6095950d3614e3e9c207a
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[5d228d72d598bdfbf9c3ce9727ce974bc73c6541] fs: hugetlbfs: remove nth_page() usage within folio in adjust_range_hwpoison()
testing commit 5d228d72d598bdfbf9c3ce9727ce974bc73c6541 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: e2bee1d2dae8b4144af3126d1bebcdc9b1b17b71b8d158396017987e8dcad73b
all runs: OK
false negative chance: 0.000

# git bisect good 5d228d72d598bdfbf9c3ce9727ce974bc73c6541
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[da6b34293ff8dbb78f8b9278c9a492925bbf1f87] mm/gup: remove record_subpages()
testing commit da6b34293ff8dbb78f8b9278c9a492925bbf1f87 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: ac363bce051872fc5dabb2416a19bbe9f5e4204e045248c44b7081a799ce33f1
all runs: crashed: KASAN: null-ptr-deref Read in io_sqe_buffer_register
representative crash: KASAN: null-ptr-deref Read in io_sqe_buffer_register, types: [KASAN-NULL-POINTER-DEREFERENCE-READ]

# git bisect bad da6b34293ff8dbb78f8b9278c9a492925bbf1f87
Bisecting: 1 revision left to test after this (roughly 1 step)
[5cb2c2fd07ba26a4d2edad062d2f6100f49b6f55] mm/pagewalk: drop nth_page() usage within folio in folio_walk_start()
testing commit 5cb2c2fd07ba26a4d2edad062d2f6100f49b6f55 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: a64423a4103d3b31c9ba2e9ee81d8db0cd342735e22908725b749fc5aa35cd49
all runs: OK
false negative chance: 0.000

# git bisect good 5cb2c2fd07ba26a4d2edad062d2f6100f49b6f55
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[17e5c9e3847844a94926ad0d3f0d583879a7a3d1] mm/gup: drop nth_page() usage within folio when recording subpages
testing commit 17e5c9e3847844a94926ad0d3f0d583879a7a3d1 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: b04b015eb3998a9489f9131460628ea418633d18435b9ce48eb41b7952fc90ec
all runs: OK
false negative chance: 0.000

# git bisect good 17e5c9e3847844a94926ad0d3f0d583879a7a3d1
da6b34293ff8dbb78f8b9278c9a492925bbf1f87 is the first bad commit
commit da6b34293ff8dbb78f8b9278c9a492925bbf1f87
Author: David Hildenbrand
Date:   Mon Sep 1 17:03:40 2025 +0200

    mm/gup: remove record_subpages()

    We can just cleanup the code by calculating the #refs earlier, so we can
    just inline what remains of record_subpages().

    Calculate the number of references/pages ahead of times, and record them
    only once all our tests passed.

    Link: https://lkml.kernel.org/r/20250901150359.867252-20-david@redhat.com
    Signed-off-by: David Hildenbrand
    Signed-off-by: Andrew Morton

 mm/gup.c | 25 ++++++++-----------------
 1 file changed, 8 insertions(+), 17 deletions(-)

accumulated error probability: 0.00
culprit signature: ac363bce051872fc5dabb2416a19bbe9f5e4204e045248c44b7081a799ce33f1
parent signature: b04b015eb3998a9489f9131460628ea418633d18435b9ce48eb41b7952fc90ec
revisions tested: 22, total time: 8h24m39.46230084s (build: 4h47m57.473809738s, test: 2h49m39.918917594s)
first bad commit: da6b34293ff8dbb78f8b9278c9a492925bbf1f87 mm/gup: remove record_subpages()
recipients (to): ["akpm@linux-foundation.org" "david@redhat.com" "linux-kernel@vger.kernel.org"]
recipients (cc): ["akpm@linux-foundation.org" "david@redhat.com" "jgg@ziepe.ca" "jhubbard@nvidia.com" "linux-mm@kvack.org" "peterx@redhat.com"]

crash: KASAN: null-ptr-deref Read in io_sqe_buffer_register
==================================================================
BUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:68 [inline]
BUG: KASAN: null-ptr-deref in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: null-ptr-deref in PageCompound include/linux/page-flags.h:331 [inline]
BUG: KASAN: null-ptr-deref in io_buffer_account_pin io_uring/rsrc.c:668 [inline]
BUG: KASAN: null-ptr-deref in io_sqe_buffer_register+0x4b8/0x1b40 io_uring/rsrc.c:817
Read of size 8 at addr 0000000000000000 by task syz.3.17/2875

CPU: 0 UID: 0 PID: 2875 Comm: syz.3.17 Not tainted syzkaller #0 PREEMPT(none)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Call Trace:
 dump_stack_lvl+0xf4/0x170 lib/dump_stack.c:120
 kasan_report+0x118/0x150 mm/kasan/report.c:595
 check_region_inline mm/kasan/generic.c:-1 [inline]
 kasan_check_range+0x2b0/0x2c0 mm/kasan/generic.c:200
 instrument_atomic_read include/linux/instrumented.h:68 [inline]
 _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
 PageCompound include/linux/page-flags.h:331 [inline]
 io_buffer_account_pin io_uring/rsrc.c:668 [inline]
 io_sqe_buffer_register+0x4b8/0x1b40 io_uring/rsrc.c:817
 io_sqe_buffers_register+0x31e/0x780 io_uring/rsrc.c:913
 __io_uring_register io_uring/register.c:660 [inline]
 __do_sys_io_uring_register io_uring/register.c:929 [inline]
 __se_sys_io_uring_register+0x832/0xb20 io_uring/register.c:906
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x8f/0x250 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f64a280ebe9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f64a267f038 EFLAGS: 00000246 ORIG_RAX: 00000000000001ab
RAX: ffffffffffffffda RBX: 00007f64a2a45fa0 RCX: 00007f64a280ebe9
RDX: 00002000000002c0 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00007f64a2891e19 R08: 0000000000000000 R09: 0000000000000000
R10: 100000000000011a R11: 0000000000000246 R12: 0000000000000000
R13: 00007f64a2a46038 R14: 00007f64a2a45fa0 R15: 00007ffcca76bbe8
==================================================================