bisecting cause commit starting from 9004fd387338b1104499b2c52ef5729a32c408f0
building syzkaller on 70b76c1d627711cc3ef109af16d6cb7429a61fe3
testing commit 9004fd387338b1104499b2c52ef5729a32c408f0
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 0e20c3c8bf2530203de34d6aeb21ea9b3ef65bb4aaf4d68aa340caa3b41ee69f
all runs: crashed: kernel BUG in vmf_insert_pfn_prot
testing release v5.14
testing commit 7d2a07b769330c34b4deabeed939325c77a7ec2f
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 8c219514f33cf5f7e995cffb6643e798eb9f0e406da2dbcbb7423680d5a3f503
all runs: OK
# git bisect start 9004fd387338b1104499b2c52ef5729a32c408f0 7d2a07b769330c34b4deabeed939325c77a7ec2f
Bisecting: 7129 revisions left to test after this (roughly 13 steps)
[32b47072f319bb65e9afad59e78153d83496f1f5] Merge tag 'defconfig-5.15' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc

testing commit 32b47072f319bb65e9afad59e78153d83496f1f5
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 027fd2a46adefc4ac05cf1c2a2256bf2cc5e482b45ec6f92618882fbac7a7ae7
all runs: OK
# git bisect good 32b47072f319bb65e9afad59e78153d83496f1f5
Bisecting: 3547 revisions left to test after this (roughly 12 steps)
[0aa2516017123a7c35a2c0c35c4dc7727579b8a3] Merge tag 'dmaengine-5.15-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/vkoul/dmaengine

testing commit 0aa2516017123a7c35a2c0c35c4dc7727579b8a3
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: cad3d3be7809cf9424d992d421dea3b125f10634e4e34a551427213d3b85fa1d
run #0: basic kernel testing failed: KFENCE: use-after-free in kvm_fastop_exception
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good 0aa2516017123a7c35a2c0c35c4dc7727579b8a3
Bisecting: 1720 revisions left to test after this (roughly 11 steps)
[1890cd1c519093fe21c1fe403bd05d1af570262f] Merge branch 'master' of git://linuxtv.org/mchehab/media-next.git

testing commit 1890cd1c519093fe21c1fe403bd05d1af570262f
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 0e93ef0fc6a9ea8ccfa87ceb4d78b7eaf9920c28b0b41fb437d65c92c633003c
all runs: OK
# git bisect good 1890cd1c519093fe21c1fe403bd05d1af570262f
Bisecting: 831 revisions left to test after this (roughly 10 steps)
[3dd531d63d5f6a0549a08ad7f75116208e70be7c] Merge branch 'auto-latest' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git

testing commit 3dd531d63d5f6a0549a08ad7f75116208e70be7c
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 88d4a4c8635931b2665c81799f98c33f22f6a1636e899ca76988685466801922
all runs: crashed: kernel BUG in vmf_insert_pfn_prot
# git bisect bad 3dd531d63d5f6a0549a08ad7f75116208e70be7c
Bisecting: 398 revisions left to test after this (roughly 9 steps)
[950bb70d41a4da7c0ff72f0ea6c20dd703a49c7a] Merge branch 'drm-next' of https://gitlab.freedesktop.org/agd5f/linux

testing commit 950bb70d41a4da7c0ff72f0ea6c20dd703a49c7a
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
./include/drm/ttm/ttm_device.h:274:19: error: duplicate member 'pinned'
# git bisect skip 950bb70d41a4da7c0ff72f0ea6c20dd703a49c7a
Bisecting: 398 revisions left to test after this (roughly 9 steps)
[c2d2f98850665a85bb64374bd8de0d19f9390656] devlink: Delete not-used single parameter notification APIs

testing commit c2d2f98850665a85bb64374bd8de0d19f9390656
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: bb15a4e875b4a685159cc11e851c620441823f0aa3b6c8b71fbaf2242a70c0f6
all runs: OK
# git bisect good c2d2f98850665a85bb64374bd8de0d19f9390656
Bisecting: 398 revisions left to test after this (roughly 9 steps)
[8bc92f667aa4bfec3167745fa7b9ec296cfb4d16] drm/r128: switch from 'pci_' to 'dma_' API

testing commit 8bc92f667aa4bfec3167745fa7b9ec296cfb4d16
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: b433b21eaddfaf1cc9f9deda3a061ac6df3e549fca634481a0a7302e1a4fa970
all runs: crashed: kernel BUG in vmf_insert_pfn_prot
# git bisect bad 8bc92f667aa4bfec3167745fa7b9ec296cfb4d16
Bisecting: 11 revisions left to test after this (roughly 4 steps)
[820a2ab23d5eab4ccfb82581eda8ad4acf18458f] drm: panel-orientation-quirks: Update the Lenovo Ideapad D330 quirk (v2)

testing commit 820a2ab23d5eab4ccfb82581eda8ad4acf18458f
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: f6a63581dfd5316ce6f63473055488a9201064baaf2e84e56d2302e1ffca7ec0
all runs: crashed: kernel BUG in vmf_insert_pfn_prot
# git bisect bad 820a2ab23d5eab4ccfb82581eda8ad4acf18458f
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[32a4eb04d59ae8d5bb5baa5a8528e31094ae8e84] drm/fourcc: Add macros to determine the modifier vendor

testing commit 32a4eb04d59ae8d5bb5baa5a8528e31094ae8e84
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: e8f697843144a81da0d81658d87646a179d69bf35f243a30e33d774d233f5375
all runs: crashed: kernel BUG in vmf_insert_pfn_prot
# git bisect bad 32a4eb04d59ae8d5bb5baa5a8528e31094ae8e84
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[45d9c8dde4cd8589f9180309ec60f0da2ce486e4] drm/vgem: use shmem helpers

testing commit 45d9c8dde4cd8589f9180309ec60f0da2ce486e4
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 40cbcf1c226409fc8cae34d885ac95809bef4f5c3ee740fab0ecf362d14d7cca
all runs: crashed: kernel BUG in vmf_insert_pfn_prot
# git bisect bad 45d9c8dde4cd8589f9180309ec60f0da2ce486e4
Bisecting: 0 revisions left to test after this (roughly 1 step)
[804b6e5ee613b019b942ba6be52cccecd9d33655] drm/shmem-helpers: Allocate wc pages on x86

testing commit 804b6e5ee613b019b942ba6be52cccecd9d33655
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 83543e171c6eba7678f561c589b8541d5efecbdb84a920e45d00660a49d29782
all runs: crashed: kernel BUG in vmf_insert_pfn_prot
# git bisect bad 804b6e5ee613b019b942ba6be52cccecd9d33655
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[8b93d1d7dbd578fd296e70008b29c0f62d09d7cb] drm/shmem-helper: Switch to vmf_insert_pfn

testing commit 8b93d1d7dbd578fd296e70008b29c0f62d09d7cb
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 362901194bf2f00a4ef254d8e3f4fe03c80f1370e3289ce9dda66ae11655c289
all runs: crashed: kernel BUG in vmf_insert_pfn_prot
# git bisect bad 8b93d1d7dbd578fd296e70008b29c0f62d09d7cb
8b93d1d7dbd578fd296e70008b29c0f62d09d7cb is the first bad commit
commit 8b93d1d7dbd578fd296e70008b29c0f62d09d7cb
Author: Daniel Vetter <daniel.vetter@ffwll.ch>
Date:   Thu Aug 12 15:14:10 2021 +0200

    drm/shmem-helper: Switch to vmf_insert_pfn
    
    We want to stop gup, which isn't the case if we use vmf_insert_page
    and VM_MIXEDMAP, because that does not set pte_special.
    
    The motivation here is to stop get_user_pages from working on buffer
    object mmaps in general. Quoting some discussion with Thomas:
    
    On Thu, Jul 22, 2021 at 08:22:43PM +0200, Thomas Zimmermann wrote:
    > Am 13.07.21 um 22:51 schrieb Daniel Vetter:
    > > We want to stop gup, which isn't the case if we use vmf_insert_page
    >
    > What is gup?
    
    get_user_pages. It pins memory wherever it is, which badly wreaks at least
    ttm and could also cause trouble with cma allocations. In both cases
    becaue we can't move/reuse these pages anymore.
    
    Now get_user_pages fails when the memory isn't considered "normal", like
    with VM_PFNMAP and using vm_insert_pfn. For consistency across all dma-buf
    I'm trying (together with Christian König) to roll this out everywhere,
    for fewer surprises.
    
    E.g. for 5.14 iirc we merged a patch to do the same for ttm, where it
    closes an actual bug (ttm gets really badly confused when there's suddenly
    pinned pages where it thought it can move them).
    
    cma allcoations already use VM_PFNMAP (because that's what dma_mmap is
    using underneath), as is anything that's using remap_pfn_range. Worst case
    we have to revert this patch for shmem helpers if it breaks something, but
    I hope that's not the case. On the ttm side we've also had some fallout
    that we needed to paper over with clever tricks.
    v2: With this shmem gem helpers now definitely need CONFIG_MMU (0day)
    
    v3: add more depends on MMU. For usb drivers this is a bit awkward,
    but really it's correct: To be able to provide a contig mapping of
    buffers to userspace on !MMU platforms we'd need to use the cma
    helpers for these drivers on those platforms. As-is this wont work.
    
    Also not exactly sure why vm_insert_page doesn't go boom, because that
    definitely wont fly in practice since the pages are non-contig to
    begin with.
    
    v4: Explain the entire motivation a lot more (Thomas)
    
    Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
    Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
    Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
    Cc: Maxime Ripard <mripard@kernel.org>
    Cc: Thomas Zimmermann <tzimmermann@suse.de>
    Cc: David Airlie <airlied@linux.ie>
    Cc: Daniel Vetter <daniel@ffwll.ch>
    Link: https://patchwork.freedesktop.org/patch/msgid/20210812131412.2487363-2-daniel.vetter@ffwll.ch

 drivers/gpu/drm/Kconfig                | 2 +-
 drivers/gpu/drm/drm_gem_shmem_helper.c | 4 ++--
 drivers/gpu/drm/gud/Kconfig            | 2 +-
 drivers/gpu/drm/tiny/Kconfig           | 4 ++--
 drivers/gpu/drm/udl/Kconfig            | 1 +
 5 files changed, 7 insertions(+), 6 deletions(-)

parent commit c7782443a88926a4f938f0193041616328cf2db2 wasn't tested
testing commit c7782443a88926a4f938f0193041616328cf2db2
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 55c1746f64138b9e84888c15b6f9dc67a545128dbd85076d94e28746b34f1124
culprit signature: 362901194bf2f00a4ef254d8e3f4fe03c80f1370e3289ce9dda66ae11655c289
parent  signature: 55c1746f64138b9e84888c15b6f9dc67a545128dbd85076d94e28746b34f1124
revisions tested: 13, total time: 2h47m51.073628865s (build: 1h35m13.838719655s, test: 1h10m59.318883218s)
first bad commit: 8b93d1d7dbd578fd296e70008b29c0f62d09d7cb drm/shmem-helper: Switch to vmf_insert_pfn
recipients (to): ["daniel.vetter@ffwll.ch" "daniel.vetter@intel.com" "tzimmermann@suse.de"]
recipients (cc): []
crash: kernel BUG in vmf_insert_pfn_prot
------------[ cut here ]------------
kernel BUG at mm/memory.c:2117!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 10175 Comm: syz-executor.3 Not tainted 5.14.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:vmf_insert_pfn_prot+0x183/0x2f0 mm/memory.c:2117
Code: 00 0f 85 41 01 00 00 48 83 c4 60 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 0b 0f 0b 48 89 c2 83 e2 28 48 83 fa 20 0f 85 23 ff ff ff <0f> 0b 48 b8 ff ff ff ff ff ff 0f 00 4c 21 e8 49 39 c5 0f 85 16 ff
RSP: 0000:ffffc9000acdfc10 EFLAGS: 00010246
RAX: 0000000008140476 RBX: 1ffff9200159bf82 RCX: 1ffff1100651f44c
RDX: 0000000000000020 RSI: 0000000000000000 RDI: ffff8880328fa260
RBP: ffff8880328fa210 R08: 0000000000000000 R09: ffff88801b10ca37
R10: ffffed1003621946 R11: 0000000000000000 R12: 0000000020000000
R13: 000000000001b000 R14: ffff888145bd4000 R15: ffff88801b10ca30
FS:  0000555556e3a400(0000) GS:ffff8880b9f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000601 CR3: 000000001bad6000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 drm_gem_shmem_fault+0x1af/0x250 drivers/gpu/drm/drm_gem_shmem_helper.c:545
 __do_fault+0xed/0x390 mm/memory.c:3857
 do_cow_fault mm/memory.c:4201 [inline]
 do_fault mm/memory.c:4302 [inline]
 handle_pte_fault mm/memory.c:4558 [inline]
 __handle_mm_fault+0xf30/0x41c0 mm/memory.c:4693
 handle_mm_fault+0x166/0x5e0 mm/memory.c:4791
 do_user_addr_fault+0x2dc/0xcd0 arch/x86/mm/fault.c:1390
 handle_page_fault arch/x86/mm/fault.c:1475 [inline]
 exc_page_fault+0x5a/0xc0 arch/x86/mm/fault.c:1531
 asm_exc_page_fault+0x1e/0x30 arch/x86/include/asm/idtentry.h:568
RIP: 0033:0x7f42108d5b46
Code: 82 63 01 00 00 48 89 d1 f3 a4 c3 80 fa 08 73 12 80 fa 04 73 1e 80 fa 01 77 26 72 05 0f b6 0e 88 0f c3 48 8b 4c 16 f8 48 8b 36 <48> 89 4c 17 f8 48 89 37 c3 8b 4c 16 fc 8b 36 89 4c 17 fc 89 37 c3
RSP: 002b:00007ffdef56a258 EFLAGS: 00010202
RAX: 0000000020000600 RBX: 0000000000000000 RCX: 003162662f766564
RDX: 0000000000000009 RSI: 3162662f7665642f RDI: 0000000020000600
RBP: 00007ffdef56a318 R08: 00007f4210de3000 R09: 0000001b2c020038
R10: 00007ffdef56a330 R11: 0000000000000000 R12: 0000000000000000
R13: 00000000000003e8 R14: 00007f42109def80 R15: 000000000000fa49
Modules linked in:
---[ end trace 0873da29e527abc1 ]---
RIP: 0010:vmf_insert_pfn_prot+0x183/0x2f0 mm/memory.c:2117
Code: 00 0f 85 41 01 00 00 48 83 c4 60 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 0b 0f 0b 48 89 c2 83 e2 28 48 83 fa 20 0f 85 23 ff ff ff <0f> 0b 48 b8 ff ff ff ff ff ff 0f 00 4c 21 e8 49 39 c5 0f 85 16 ff
RSP: 0000:ffffc9000acdfc10 EFLAGS: 00010246

RAX: 0000000008140476 RBX: 1ffff9200159bf82 RCX: 1ffff1100651f44c
RDX: 0000000000000020 RSI: 0000000000000000 RDI: ffff8880328fa260
RBP: ffff8880328fa210 R08: 0000000000000000 R09: ffff88801b10ca37
R10: ffffed1003621946 R11: 0000000000000000 R12: 0000000020000000
R13: 000000000001b000 R14: ffff888145bd4000 R15: ffff88801b10ca30
FS:  0000555556e3a400(0000) GS:ffff8880b9f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f6a59956000 CR3: 000000001bad6000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400