bisecting cause commit starting from 729e3d091984487f7aa1ebfabfe594e5b317ed0f
building syzkaller on ce441f065b6eebb166bb006dfd28ea0c6b730384
testing commit 729e3d091984487f7aa1ebfabfe594e5b317ed0f with gcc (GCC) 8.1.0
kernel signature: dc6d8406953a7a0d8002109170af72ee9569ba9a65199f9dcdc223fc0b0c5d15
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in madvise_cold_or_pageout_pte_range
testing release v5.8
testing commit bcf876870b95592b52519ed4aafcf9d95999bc9c with gcc (GCC) 8.1.0
kernel signature: 62d20b8b6197ae7471c195155a2a57749217e92bb0aaf428ffc5859a409b4e0b
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in madvise_cold_or_pageout_pte_range
testing release v5.7
testing commit 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162 with gcc (GCC) 8.1.0
kernel signature: 44bdff62c0ff46313bf49a3582e7fd2fd2c71e7f2a2f444eef4d54fab98ed8cb
all runs: crashed: general protection fault in madvise_cold_or_pageout_pte_range
testing release v5.6
testing commit 7111951b8d4973bda27ff663f2cf18b663d15b48 with gcc (GCC) 8.1.0
kernel signature: 6d6ee376e4870b2bd530ebfff64f304653869a5844abf485a2d964f309ab5346
all runs: crashed: general protection fault in madvise_cold_or_pageout_pte_range
testing release v5.5
testing commit d5226fa6dbae0569ee43ecfc08bdcd6770fc4755 with gcc (GCC) 8.1.0
kernel signature: 6732a64ed1eb077bfd92a14bb18fa0d43171e9bec41af86fb2a9eb7525855e3a
all runs: crashed: general protection fault in madvise_cold_or_pageout_pte_range
testing release v5.4
testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0
kernel signature: 1c80a9736eba55abb5c07500437bc92d828973c1ec8e9d25fea5db2ecb354ee0
all runs: crashed: general protection fault in madvise_cold_or_pageout_pte_range
testing release v5.3
testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.1.0
kernel signature: 5011cccff9fd095650d3d263b7a77fdffac90af1fa5d6a68c23f2db370772013
all runs: OK
# git bisect start 219d54332a09e8d8741c1e1982f5eae56099de85 4d856f72c10ecb060868ed10ff1b1453943fc6c8
Bisecting: 7882 revisions left to test after this (roughly 13 steps)
[a9f8b38a071b468276a243ea3ea5a0636e848cf2] Merge tag 'for-linus-5.4-1' of git://github.com/cminyard/linux-ipmi
testing commit a9f8b38a071b468276a243ea3ea5a0636e848cf2 with gcc (GCC) 8.1.0
kernel signature: c9d96c39d8ca15885e7bfb6a2c2e094d640679abe0d33e37e424a3ee6507dff6
all runs: OK
# git bisect good a9f8b38a071b468276a243ea3ea5a0636e848cf2
Bisecting: 3941 revisions left to test after this (roughly 12 steps)
[0a3775e4f883912944481cf2ef36eb6383a9cc74] ocfs2: wait for recovering done after direct unlock request
testing commit 0a3775e4f883912944481cf2ef36eb6383a9cc74 with gcc (GCC) 8.1.0
kernel signature: f484647d7ec32ff38da8f4e3ec96223731f40325da8af6b51d9d87afe481bd5a
all runs: OK
# git bisect good 0a3775e4f883912944481cf2ef36eb6383a9cc74
Bisecting: 1972 revisions left to test after this (roughly 11 steps)
[63f9bff56beb718ac0a2eb8398a98220b1e119dc] Merge tag 'mips_fixes_5.4_2' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux
testing commit 63f9bff56beb718ac0a2eb8398a98220b1e119dc with gcc (GCC) 8.1.0
kernel signature: 7ce6b29ebfc20dcd633e3e22b2e58a2c127930376c655f59f4ccd504798716bd
all runs: crashed: general protection fault in madvise_cold_or_pageout_pte_range
# git bisect bad 63f9bff56beb718ac0a2eb8398a98220b1e119dc
Bisecting: 978 revisions left to test after this (roughly 10 steps)
[7bccb9f10c8f36ee791769b531ed4d28f6379aae] Merge tag 'linux-watchdog-5.4-rc1' of git://www.linux-watchdog.org/linux-watchdog
testing commit 7bccb9f10c8f36ee791769b531ed4d28f6379aae with gcc (GCC) 8.1.0
kernel signature: 8d29cecdd98e7090de5852b9543bf7a53b2377ce1ecee86095e4115e85797ce4
all runs: crashed: general protection fault in madvise_cold_or_pageout_pte_range
# git bisect bad 7bccb9f10c8f36ee791769b531ed4d28f6379aae
Bisecting: 483 revisions left to test after this (roughly 9 steps)
[351c8a09b00b5c51c8f58b016fffe51f87e2d820] Merge branch 'i2c/for-5.4' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux
testing commit 351c8a09b00b5c51c8f58b016fffe51f87e2d820 with gcc (GCC) 8.1.0
kernel signature: a17e25b973482a06ab8afe9d2b08ba69e1b6bb876ddcfb9e70a915fdaae61fd2
all runs: OK
# git bisect good 351c8a09b00b5c51c8f58b016fffe51f87e2d820
Bisecting: 222 revisions left to test after this (roughly 8 steps)
[972a2bf7dfe39ebf49dd47f68d27c416392e53b1] Merge tag 'nfs-for-5.4-1' of git://git.linux-nfs.org/projects/anna/linux-nfs
testing commit 972a2bf7dfe39ebf49dd47f68d27c416392e53b1 with gcc (GCC) 8.1.0
kernel signature: 59892ff5e7ad90e7abcebfb20a791cfe9c85fc7c440721394d5efe6db952a7dd
all runs: crashed: general protection fault in madvise_cold_or_pageout_pte_range
# git bisect bad 972a2bf7dfe39ebf49dd47f68d27c416392e53b1
Bisecting: 152 revisions left to test after this (roughly 7 steps)
[f41def397161053eb0d3ed6861ef65985efbf293] Merge tag 'ceph-for-5.4-rc1' of git://github.com/ceph/ceph-client
testing commit f41def397161053eb0d3ed6861ef65985efbf293 with gcc (GCC) 8.1.0
kernel signature: 938c8651d08f07b6bcbe48e22d133b417587cc75d702f4828513f6d87b1ffb51
all runs: OK
# git bisect good f41def397161053eb0d3ed6861ef65985efbf293
Bisecting: 76 revisions left to test after this (roughly 6 steps)
[b4ed71f557e458257e0f71b11969954acb389240] mm: treewide: clarify pgtable_page_{ctor,dtor}() naming
testing commit b4ed71f557e458257e0f71b11969954acb389240 with gcc (GCC) 8.1.0
kernel signature: 741cf4a83ba670253af0b780b301381a21907e16b3c08b5a71aed104b05163ed
all runs: crashed: general protection fault in madvise_cold_or_pageout_pte_range
# git bisect bad b4ed71f557e458257e0f71b11969954acb389240
Bisecting: 37 revisions left to test after this (roughly 5 steps)
[ac7c3e4ff401b304489a031938dbeaab585bfe0a] compiler: enable CONFIG_OPTIMIZE_INLINING forcibly
testing commit ac7c3e4ff401b304489a031938dbeaab585bfe0a with gcc (GCC) 8.1.0
kernel signature: 5c5842e5712c9fc6a2fb9179eff92b94dbaafeba3cc0307af28cc6d68b8896c6
all runs: OK
# git bisect good ac7c3e4ff401b304489a031938dbeaab585bfe0a
Bisecting: 18 revisions left to test after this (roughly 4 steps)
[7d0325749a6c77b075424ab9de76bcb73a118430] userfaultfd: untag user pointers
testing commit 7d0325749a6c77b075424ab9de76bcb73a118430 with gcc (GCC) 8.1.0
kernel signature: 08db5928874c94ffbcc8dcc2ff755ba1498bc5802008625db626951c3597b387
all runs: OK
# git bisect good 7d0325749a6c77b075424ab9de76bcb73a118430
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[1a4e58cce84ee88129d5d49c064bd2852b481357] mm: introduce MADV_PAGEOUT
testing commit 1a4e58cce84ee88129d5d49c064bd2852b481357 with gcc (GCC) 8.1.0
kernel signature: 19a08fde20d4bea2143bfa94cce0184fc5faab0123b23d701dbf5f39cb724a55
all runs: crashed: general protection fault in madvise_cold_pte_range
# git bisect bad 1a4e58cce84ee88129d5d49c064bd2852b481357
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[78063a9dd9637c0450cf6eacc03f42eb1295917f] tee/shm: untag user pointers in tee_shm_register
testing commit 78063a9dd9637c0450cf6eacc03f42eb1295917f with gcc (GCC) 8.1.0
kernel signature: 26d68f501363eb1febd8f07a0c0722c33d8a8ab5782362491a64a61479a4b795
all runs: OK
# git bisect good 78063a9dd9637c0450cf6eacc03f42eb1295917f
Bisecting: 2 revisions left to test after this (roughly 1 step)
[ce18d171cb7368557e6498a3ce111d7d3dc03e4d] mm: untag user pointers in mmap/munmap/mremap/brk
testing commit ce18d171cb7368557e6498a3ce111d7d3dc03e4d with gcc (GCC) 8.1.0
kernel signature: 56f6dfa275b8a6bb6d317ad3036d3621173ecefdb2ccf6e628c9e691f0078c05
all runs: OK
# git bisect good ce18d171cb7368557e6498a3ce111d7d3dc03e4d
Bisecting: 0 revisions left to test after this (roughly 1 step)
[8940b34a4e082ae11498ddae8432f2ac07685d1c] mm: change PAGEREF_RECLAIM_CLEAN with PAGE_REFRECLAIM
testing commit 8940b34a4e082ae11498ddae8432f2ac07685d1c with gcc (GCC) 8.1.0
kernel signature: ed45782f392ff555417a026adeb657645dfd85e00b27ff582a58d064f9b85c6a
all runs: OK
# git bisect good 8940b34a4e082ae11498ddae8432f2ac07685d1c
1a4e58cce84ee88129d5d49c064bd2852b481357 is the first bad commit
commit 1a4e58cce84ee88129d5d49c064bd2852b481357
Author: Minchan Kim <minchan@kernel.org>
Date:   Wed Sep 25 16:49:15 2019 -0700

    mm: introduce MADV_PAGEOUT
    
    When a process expects no accesses to a certain memory range for a long
    time, it could hint kernel that the pages can be reclaimed instantly but
    data should be preserved for future use.  This could reduce workingset
    eviction so it ends up increasing performance.
    
    This patch introduces the new MADV_PAGEOUT hint to madvise(2) syscall.
    MADV_PAGEOUT can be used by a process to mark a memory range as not
    expected to be used for a long time so that kernel reclaims *any LRU*
    pages instantly.  The hint can help kernel in deciding which pages to
    evict proactively.
    
    A note: It doesn't apply SWAP_CLUSTER_MAX LRU page isolation limit
    intentionally because it's automatically bounded by PMD size.  If PMD
    size(e.g., 256) makes some trouble, we could fix it later by limit it to
    SWAP_CLUSTER_MAX[1].
    
    - man-page material
    
    MADV_PAGEOUT (since Linux x.x)
    
    Do not expect access in the near future so pages in the specified
    regions could be reclaimed instantly regardless of memory pressure.
    Thus, access in the range after successful operation could cause
    major page fault but never lose the up-to-date contents unlike
    MADV_DONTNEED. Pages belonging to a shared mapping are only processed
    if a write access is allowed for the calling process.
    
    MADV_PAGEOUT cannot be applied to locked pages, Huge TLB pages, or
    VM_PFNMAP pages.
    
    [1] https://lore.kernel.org/lkml/20190710194719.GS29695@dhcp22.suse.cz/
    
    [minchan@kernel.org: clear PG_active on MADV_PAGEOUT]
      Link: http://lkml.kernel.org/r/20190802200643.GA181880@google.com
    [akpm@linux-foundation.org: resolve conflicts with hmm.git]
    Link: http://lkml.kernel.org/r/20190726023435.214162-5-minchan@kernel.org
    Signed-off-by: Minchan Kim <minchan@kernel.org>
    Reported-by: kbuild test robot <lkp@intel.com>
    Acked-by: Michal Hocko <mhocko@suse.com>
    Cc: James E.J. Bottomley <James.Bottomley@HansenPartnership.com>
    Cc: Richard Henderson <rth@twiddle.net>
    Cc: Ralf Baechle <ralf@linux-mips.org>
    Cc: Chris Zankel <chris@zankel.net>
    Cc: Daniel Colascione <dancol@google.com>
    Cc: Dave Hansen <dave.hansen@intel.com>
    Cc: Hillf Danton <hdanton@sina.com>
    Cc: Joel Fernandes (Google) <joel@joelfernandes.org>
    Cc: Johannes Weiner <hannes@cmpxchg.org>
    Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
    Cc: Oleksandr Natalenko <oleksandr@redhat.com>
    Cc: Shakeel Butt <shakeelb@google.com>
    Cc: Sonny Rao <sonnyrao@google.com>
    Cc: Suren Baghdasaryan <surenb@google.com>
    Cc: Tim Murray <timmurray@google.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

 arch/alpha/include/uapi/asm/mman.h     |   1 +
 arch/mips/include/uapi/asm/mman.h      |   1 +
 arch/parisc/include/uapi/asm/mman.h    |   1 +
 arch/xtensa/include/uapi/asm/mman.h    |   1 +
 include/linux/swap.h                   |   1 +
 include/uapi/asm-generic/mman-common.h |   1 +
 mm/madvise.c                           | 189 +++++++++++++++++++++++++++++++++
 mm/vmscan.c                            |  56 ++++++++++
 8 files changed, 251 insertions(+)
culprit signature: 19a08fde20d4bea2143bfa94cce0184fc5faab0123b23d701dbf5f39cb724a55
parent  signature: ed45782f392ff555417a026adeb657645dfd85e00b27ff582a58d064f9b85c6a
revisions tested: 21, total time: 4h24m20.297925339s (build: 2h9m46.056476148s, test: 2h12m17.503787931s)
first bad commit: 1a4e58cce84ee88129d5d49c064bd2852b481357 mm: introduce MADV_PAGEOUT
recipients (to): ["akpm@linux-foundation.org" "mhocko@suse.com" "minchan@kernel.org" "torvalds@linux-foundation.org"]
recipients (cc): []
crash: general protection fault in madvise_cold_pte_range
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 8352 Comm: syz-executor.4 Not tainted 5.3.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:madvise_cold_pte_range+0x53/0x1e60 mm/madvise.c:299
Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 25 19 00 00 48 8b 41 18 48 89 c2 48 89 45 c0 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 14 19 00 00 48 8b 45 c0 48 8d 79 10 48 89 fa 48
RSP: 0018:ffff8880861279e8 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: 0000000020200000 RCX: ffff888086127b78
RDX: 0000000000000000 RSI: 0000000020000000 RDI: ffff888086127b90
RBP: ffff888086127a50 R08: ffffffff88d2b218 R09: 0000000020200000
R10: ffffffff879307c0 R11: 0000000020000000 R12: ffff8880984b7800
R13: ffff8880984b7800 R14: 0000000020000000 R15: dffffc0000000000
FS:  00007fca13330700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000001590004 CR3: 000000008617a000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 walk_pmd_range mm/pagewalk.c:53 [inline]
 walk_pud_range mm/pagewalk.c:112 [inline]
 walk_p4d_range mm/pagewalk.c:139 [inline]
 walk_pgd_range mm/pagewalk.c:166 [inline]
 __walk_page_range+0xb19/0x17e0 mm/pagewalk.c:261
 walk_page_range+0x16a/0x2d0 mm/pagewalk.c:349
 madvise_pageout_page_range mm/madvise.c:608 [inline]
 madvise_pageout+0x1d6/0x360 mm/madvise.c:644
 madvise_vma mm/madvise.c:1033 [inline]
 __do_sys_madvise+0x2f4/0x1840 mm/madvise.c:1215
 __se_sys_madvise mm/madvise.c:1141 [inline]
 __x64_sys_madvise+0x6e/0xb0 mm/madvise.c:1141
 do_syscall_64+0xca/0x5d0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45d5f9
Code: 5d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fca1332fc78 EFLAGS: 00000246 ORIG_RAX: 000000000000001c
RAX: ffffffffffffffda RBX: 0000000000020980 RCX: 000000000045d5f9
RDX: 0000000000000015 RSI: 0000000000600003 RDI: 0000000020000000
RBP: 000000000118cf80 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118cf4c
R13: 00007fff14cc847f R14: 00007fca133309c0 R15: 000000000118cf4c
Modules linked in:
---[ end trace f64dd1e309b68180 ]---
RIP: 0010:madvise_cold_pte_range+0x53/0x1e60 mm/madvise.c:299
Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 25 19 00 00 48 8b 41 18 48 89 c2 48 89 45 c0 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 14 19 00 00 48 8b 45 c0 48 8d 79 10 48 89 fa 48
RSP: 0018:ffff8880861279e8 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: 0000000020200000 RCX: ffff888086127b78
RDX: 0000000000000000 RSI: 0000000020000000 RDI: ffff888086127b90
RBP: ffff888086127a50 R08: ffffffff88d2b218 R09: 0000000020200000
R10: ffffffff879307c0 R11: 0000000020000000 R12: ffff8880984b7800
R13: ffff8880984b7800 R14: 0000000020000000 R15: dffffc0000000000
FS:  00007fca13330700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f1aa1c62000 CR3: 000000008617a000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400