ci starts bisection 2022-11-12 22:03:27.62543787 +0000 UTC m=+195171.682961850
bisecting cause commit starting from f8f60f322f0640c8edda2942ca5f84b7a27c417a
building syzkaller on 3ead01ade920906b89aff0066a9d5e922ee270c8
ensuring issue is reproducible on original commit f8f60f322f0640c8edda2942ca5f84b7a27c417a

testing commit f8f60f322f0640c8edda2942ca5f84b7a27c417a gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 5c1de8eba47296ea90d5b70c011fe84375908402ee5e4a435d0fd0f8f4652c07
all runs: crashed: general protection fault in shm_close
testing release v6.0
testing commit 4fe89d07dcc2804c8b562f6c7896a45643d34b2f gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: b280e1f0a67c6553363aac831a330caa3b07c50c7710e6f416acefe92f2b38db
all runs: OK
# git bisect start f8f60f322f0640c8edda2942ca5f84b7a27c417a 4fe89d07dcc2804c8b562f6c7896a45643d34b2f
Bisecting: 10347 revisions left to test after this (roughly 13 steps)
[27bc50fc90647bbf7b734c3fc306a5e61350da53] Merge tag 'mm-stable-2022-10-08' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm

testing commit 27bc50fc90647bbf7b734c3fc306a5e61350da53 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 1e087c1a7542256b82f094529aa630aa9736048a4cdc82756168a86187073964
all runs: boot failed: WARNING in cpumask_next_wrap
# git bisect skip 27bc50fc90647bbf7b734c3fc306a5e61350da53
Bisecting: 10347 revisions left to test after this (roughly 13 steps)
[c52f0935ef5f5ade564a8ff1c32a7df2ea279811] dt-bindings: mmc: mtk-sd: add Inline Crypto Engine clock

testing commit c52f0935ef5f5ade564a8ff1c32a7df2ea279811 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: b36568f02215447d3a29f68bfb3a6af38c1d48ff001cf6c565b92f108fdb9079
all runs: OK
# git bisect good c52f0935ef5f5ade564a8ff1c32a7df2ea279811
Bisecting: 3907 revisions left to test after this (roughly 12 steps)
[66500d0e2e5c9b64fc5d3f4879e2140572e1b386] Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git

testing commit 66500d0e2e5c9b64fc5d3f4879e2140572e1b386 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: f6afc675e06f2d00717d9f137cb59e812cfc237e3ba75230210fca393d2a4389
all runs: crashed: general protection fault in shm_close
# git bisect bad 66500d0e2e5c9b64fc5d3f4879e2140572e1b386
Bisecting: 1660 revisions left to test after this (roughly 11 steps)
[4b98744b5c13d25f2dc72671a124ab63998af1b2] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux.git

testing commit 4b98744b5c13d25f2dc72671a124ab63998af1b2 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 1e0dc88a13165f02fa3d19f899b55a991c56b57a519961ff7e5e56a2869e49ee
all runs: crashed: general protection fault in shm_close
# git bisect bad 4b98744b5c13d25f2dc72671a124ab63998af1b2
Bisecting: 1049 revisions left to test after this (roughly 10 steps)
[1a8192bed934bf322a2b6a60ce2f6206f7a5c4c5] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap.git

testing commit 1a8192bed934bf322a2b6a60ce2f6206f7a5c4c5 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 027bc70cf6fab438086b87432bd58be402228179142f8ed828218c3141e90325
all runs: crashed: general protection fault in shm_close
# git bisect bad 1a8192bed934bf322a2b6a60ce2f6206f7a5c4c5
Bisecting: 391 revisions left to test after this (roughly 9 steps)
[7e98316a23737267677ed41935b4a603687d6fc2] Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs.git

testing commit 7e98316a23737267677ed41935b4a603687d6fc2 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 318670859dab773fbcdc3b5faf29fc74972984da878457f0c7a6e2ae742301ad
all runs: crashed: general protection fault in shm_close
# git bisect bad 7e98316a23737267677ed41935b4a603687d6fc2
Bisecting: 192 revisions left to test after this (roughly 8 steps)
[1d232620054f3b8f1d8262a9479102097fecb964] Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git

testing commit 1d232620054f3b8f1d8262a9479102097fecb964 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 74161ea0998721e4d304f0de1625ee2a63d8dbeb9a535012432d5b7c79c3ef37
all runs: crashed: general protection fault in shm_close
# git bisect bad 1d232620054f3b8f1d8262a9479102097fecb964
Bisecting: 100 revisions left to test after this (roughly 7 steps)
[23569b5652ee8e8e55a12f7835f59af6f3cefc30] net: macvlan: fix memory leaks of macvlan_common_newlink

testing commit 23569b5652ee8e8e55a12f7835f59af6f3cefc30 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 3a2f75f80eb1ee4a06f618e2385d08722b643c9330ab85dc30cc58287ca08ff5
all runs: OK
# git bisect good 23569b5652ee8e8e55a12f7835f59af6f3cefc30
Bisecting: 55 revisions left to test after this (roughly 6 steps)
[1767a722a708f1fa3b9af39eb091d79101f8c086] Merge tag 'for-6.1-rc4-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux

testing commit 1767a722a708f1fa3b9af39eb091d79101f8c086 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: f901041c465d74a6faf8157585d52d77f37a017e6af778374d7d7426d142fac1
all runs: OK
# git bisect good 1767a722a708f1fa3b9af39eb091d79101f8c086
Bisecting: 27 revisions left to test after this (roughly 5 steps)
[e10e698a0dc20cc5fd3ecff7f6b3f178312a442c] hugetlb: don't delete vma_lock in hugetlb MADV_DONTNEED processing

testing commit e10e698a0dc20cc5fd3ecff7f6b3f178312a442c gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: e7f7e2787e5aeeb0b100c354abae7287f106e01689bb60b1f0a0653677953ccc
all runs: crashed: general protection fault in shm_close
# git bisect bad e10e698a0dc20cc5fd3ecff7f6b3f178312a442c
Bisecting: 13 revisions left to test after this (roughly 4 steps)
[83d0edfa04eeca46b3eff554fb42b2fefe97bdf1] kmsan: make sure PREEMPT_RT is off

testing commit 83d0edfa04eeca46b3eff554fb42b2fefe97bdf1 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: a3a66714c0458964875fe4d8e54c44cadc106b0599826ace4954d856f86af339
all runs: OK
# git bisect good 83d0edfa04eeca46b3eff554fb42b2fefe97bdf1
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[1de09a7281edecfdba19b3a07417f6d65243ab5f] mm/damon/dbgfs: check if rm_contexts input is for a real context

testing commit 1de09a7281edecfdba19b3a07417f6d65243ab5f gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: f9f0a5af3f184c450631d19e5274416f23a546c71f19edf3ce992611f22cf7e2
all runs: OK
# git bisect good 1de09a7281edecfdba19b3a07417f6d65243ab5f
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[20b15cf5b04ca3a220091af3b377f31cf720c44d] mm: khugepaged: allow page allocation fallback to eligible nodes

testing commit 20b15cf5b04ca3a220091af3b377f31cf720c44d gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: b86c807f72ba5a8681265f1f60474b7a7262bed3df6936e5bd1528611d86f712
all runs: OK
# git bisect good 20b15cf5b04ca3a220091af3b377f31cf720c44d
Bisecting: 1 revision left to test after this (roughly 1 step)
[f34bfc35156c484a27908f86216d6b7d100090cc] mm/page_exit: fix kernel doc warning in page_ext_put()

testing commit f34bfc35156c484a27908f86216d6b7d100090cc gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: a580d1213fbe14bcd84ee81ee24464d945ed19c86c7c1aba7dea439db705ff5f
all runs: OK
# git bisect good f34bfc35156c484a27908f86216d6b7d100090cc
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[6a892ddb84e542931554f4ee9a528190003b23a0] ipc/shm: call underlying open/close vm_ops

testing commit 6a892ddb84e542931554f4ee9a528190003b23a0 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 3f6409646797b3989d66f7304595c94e9c89abc516679af8860ec882bb88db05
all runs: crashed: general protection fault in shm_close
# git bisect bad 6a892ddb84e542931554f4ee9a528190003b23a0
6a892ddb84e542931554f4ee9a528190003b23a0 is the first bad commit
commit 6a892ddb84e542931554f4ee9a528190003b23a0
Author: Mike Kravetz <mike.kravetz@oracle.com>
Date:   Wed Nov 9 16:21:50 2022 -0800

    ipc/shm: call underlying open/close vm_ops
    
    Shared memory segments can be created that are backed by hugetlb pages.
    When this happens, the vmas associated with any mappings (shmat) are
    marked VM_HUGETLB, yet the vm_ops for such mappings are provided by
    ipc/shm (shm_vm_ops).  There is a mechanism to call the underlying
    hugetlb vm_ops, and this is done for most operations.  However, it is
    not done for open and close.
    
    This was not an issue until the introduction of the hugetlb vma_lock.
    This lock structure is pointed to by vm_private_data and the open/close
    vm_ops help maintain this structure.  The special hugetlb routine
    called at fork took care of structure updates at fork time.  However,
    vma_splitting is not properly handled for ipc shared memory mappings
    backed by hugetlb pages.  This can result in a "kernel NULL pointer
    dereference" BUG or use after free as two vmas point to the same lock
    structure.
    
    Update the shm open and close routines to always call the underlying
    open and close routines.
    
    Link: https://lkml.kernel.org/r/20221110002150.440055-1-mike.kravetz@oracle.com
    Fixes: 8d9bfb260814 ("hugetlb: add vma based lock for pmd sharing")
    Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com>
    Reported-by: Doug Nelson <doug.nelson@intel.com>
    Cc: Alexander Mikhalitsyn <alexander.mikhalitsyn@virtuozzo.com>
    Cc: "Eric W . Biederman" <ebiederm@xmission.com>
    Cc: Manfred Spraul <manfred@colorfullife.com>
    Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
    Cc: Miaohe Lin <linmiaohe@huawei.com>
    Cc: Michal Hocko <mhocko@suse.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>

 ipc/shm.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

culprit signature: 3f6409646797b3989d66f7304595c94e9c89abc516679af8860ec882bb88db05
parent  signature: a580d1213fbe14bcd84ee81ee24464d945ed19c86c7c1aba7dea439db705ff5f
revisions tested: 17, total time: 4h32m51.766817267s (build: 2h25m44.626050039s, test: 2h4m58.098282736s)
first bad commit: 6a892ddb84e542931554f4ee9a528190003b23a0 ipc/shm: call underlying open/close vm_ops
recipients (to): ["akpm@linux-foundation.org" "linux-kernel@vger.kernel.org" "mike.kravetz@oracle.com"]
recipients (cc): ["akpm@linux-foundation.org" "alexander.mikhalitsyn@virtuozzo.com" "manfred@colorfullife.com"]
crash: general protection fault in shm_close
general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 1 PID: 4191 Comm: syz-executor.0 Not tainted 6.1.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
RIP: 0010:shm_close+0xb8/0x580 ipc/shm.c:378
Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 64 04 00 00 48 b8 00 00 00 00 00 fc ff df 48 8b 5d 18 48 8d 7b 08 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 23 04 00 00 48 8b 43 08 48 85 c0 74 05 4c 89 ef
RSP: 0018:ffffc9000469fbb8 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000001 RSI: 0000000000000008 RDI: 0000000000000008
RBP: ffff8881476ba980 R08: 0000000000000001 R09: ffff8880171036ef
R10: ffffed1002e206dd R11: 0000000000000000 R12: ffff88801697c000
R13: ffff888025c05870 R14: 0000000000000008 R15: ffff888025c05870
FS:  00007f6d00995700(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f6cffda80c0 CR3: 0000000021126000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 shm_mmap+0x189/0x220 ipc/shm.c:604
 call_mmap include/linux/fs.h:2196 [inline]
 mmap_region+0x565/0x1a60 mm/mmap.c:2625
 do_mmap+0x5a6/0xd30 mm/mmap.c:1412
 do_shmat+0xa69/0xc70 ipc/shm.c:1661
 __do_sys_shmat ipc/shm.c:1697 [inline]
 __se_sys_shmat ipc/shm.c:1692 [inline]
 __x64_sys_shmat+0xc4/0x140 ipc/shm.c:1692
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f6cffc8b639
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f6d00995168 EFLAGS: 00000246 ORIG_RAX: 000000000000001e
RAX: ffffffffffffffda RBX: 00007f6cffdabf80 RCX: 00007f6cffc8b639
RDX: ffffffffffffcfff RSI: 0000000020000000 RDI: 0000000000000008
RBP: 00007f6cffce67e1 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffef05a67ff R14: 00007f6d00995300 R15: 0000000000022000
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:shm_close+0xb8/0x580 ipc/shm.c:378
Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 64 04 00 00 48 b8 00 00 00 00 00 fc ff df 48 8b 5d 18 48 8d 7b 08 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 23 04 00 00 48 8b 43 08 48 85 c0 74 05 4c 89 ef
RSP: 0018:ffffc9000469fbb8 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000001 RSI: 0000000000000008 RDI: 0000000000000008
RBP: ffff8881476ba980 R08: 0000000000000001 R09: ffff8880171036ef
R10: ffffed1002e206dd R11: 0000000000000000 R12: ffff88801697c000
R13: ffff888025c05870 R14: 0000000000000008 R15: ffff888025c05870
FS:  00007f6d00995700(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f6cffda80c0 CR3: 0000000021126000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	48 89 fa             	mov    %rdi,%rdx
   3:	48 c1 ea 03          	shr    $0x3,%rdx
   7:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1)
   b:	0f 85 64 04 00 00    	jne    0x475
  11:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  18:	fc ff df
  1b:	48 8b 5d 18          	mov    0x18(%rbp),%rbx
  1f:	48 8d 7b 08          	lea    0x8(%rbx),%rdi
  23:	48 89 fa             	mov    %rdi,%rdx
  26:	48 c1 ea 03          	shr    $0x3,%rdx
* 2a:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1) <-- trapping instruction
  2e:	0f 85 23 04 00 00    	jne    0x457
  34:	48 8b 43 08          	mov    0x8(%rbx),%rax
  38:	48 85 c0             	test   %rax,%rax
  3b:	74 05                	je     0x42
  3d:	4c 89 ef             	mov    %r13,%rdi