bisecting fixing commit since a8205e310011f09cc73cd577d7b0074c57b9bb54
building syzkaller on abf9ba4fc75d9b29af15625d44dcfc1360fad3b7
testing commit a8205e310011f09cc73cd577d7b0074c57b9bb54 with gcc (GCC) 8.1.0
kernel signature: e5574701ed32d205fd97b5d0d0ffae3989b263a132e5f1d7a2bbee2909f32b56
run #0: crashed: WARNING in anon_vma_interval_tree_verify
run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in find_lock_task_mm
run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in corrupted
run #3: crashed: BUG: unable to handle kernel paging request in cfb_imageblit
run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in do_exit
run #5: crashed: unexpected kernel reboot
run #6: crashed: general protection fault in task_numa_free
run #7: crashed: BUG: unable to handle kernel paging request in wait_consider_task
run #8: crashed: PANIC: double fault in __switch_to_asm
run #9: crashed: kernel panic: Fatal exception
testing current HEAD 583090b1b8232e6eae243a9009699666153a13a9
testing commit 583090b1b8232e6eae243a9009699666153a13a9 with gcc (GCC) 8.1.0
kernel signature: f9b95188ae36f0e2704db3186af8ec18c798533a9d859878a0720ac0fb24b1a9
run #0: crashed: BUG: Bad page map
run #1: crashed: general protection fault in tomoyo_task_free
run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in futex_wake
run #3: crashed: WARNING: refcount bug in rcu_core
run #4: crashed: BUG: unable to handle kernel paging request in set_next_entity
run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in enqueue_entity
run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in do_swap_page
run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in do_swap_page
run #8: crashed: BUG: corrupted list in tty_write_lock
run #9: crashed: BUG: unable to handle kernel NULL pointer dereference in set_next_entity
revisions tested: 2, total time: 22m2.615200413s (build: 9m52.194167284s, test: 11m46.973432483s)
the crash still happens on HEAD
commit msg: Merge tag 'block-5.9-2020-10-08' of git://git.kernel.dk/linux-block
crash: BUG: unable to handle kernel NULL pointer dereference in set_next_entity
BUG: kernel NULL pointer dereference, address: 0000000000000038
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 880dc067 P4D 880dc067 PUD 880d9067 PMD 0
Oops: 0000 [#1] PREEMPT SMP
CPU: 0 PID: 24655 Comm: syz-executor.2 Not tainted 5.9.0-rc8-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:rb_erase_cached include/linux/rbtree.h:147 [inline]
RIP: 0010:__dequeue_entity kernel/sched/fair.c:607 [inline]
RIP: 0010:set_next_entity+0x95/0x270 kernel/sched/fair.c:4398
Code: 00 72 d5 0f 1f 44 00 00 eb ce 49 8d 7c 24 18 be ff ff ff ff e8 7c 7b e3 01 85 c0 75 a2 0f 0b eb 9e 0f 1f 44 00 00 4c 8d 63 10 <4c> 3b 65 38 48 8d 75 30 74 6e 4c 89 e7 e8 d9 41 b3 00 ba 01 00 00
RSP: 0018:ffffc9000bd8bd68 EFLAGS: 00010002
RAX: 0000000000000000 RBX: ffff8880001025c0 RCX: 0000000000000001
RDX: 0000000000000000 RSI: ffff8880001025c0 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000151 R09: 0000000000021000
R10: 0000000000000000 R11: 0000000000021000 R12: ffff8880001025d0
R13: ffff88812c02dbc0 R14: 0000000000000000 R15: 0000000000000000
FS:  0000000002ac4940(0000) GS:ffff88812c000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000038 CR3: 00000000880dd000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 pick_next_task_fair+0x207/0x350 kernel/sched/fair.c:7051
 pick_next_task kernel/sched/core.c:4344 [inline]
 __schedule+0x26f/0x8a0 kernel/sched/core.c:4495
 schedule+0x37/0xe0 kernel/sched/core.c:4602
 freezable_schedule arch/x86/include/asm/paravirt.h:780 [inline]
 do_nanosleep+0xa7/0x1b0 kernel/time/hrtimer.c:1883
 hrtimer_nanosleep+0x8c/0x130 kernel/time/hrtimer.c:1936
 __do_sys_nanosleep kernel/time/hrtimer.c:1970 [inline]
 __se_sys_nanosleep kernel/time/hrtimer.c:1957 [inline]
 __x64_sys_nanosleep+0x91/0xd0 kernel/time/hrtimer.c:1957
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45ba81
Code: 75 14 b8 23 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 84 cf fb ff c3 48 83 ec 08 e8 ea 46 00 00 48 89 04 24 b8 23 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 33 47 00 00 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007ffcfab7e750 EFLAGS: 00000293 ORIG_RAX: 0000000000000023
RAX: ffffffffffffffda RBX: 000000000003765d RCX: 000000000045ba81
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007ffcfab7e760
RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
R10: 00007ffcfab7e860 R11: 0000000000000293 R12: 000000000118cf40
R13: 000000000118d940 R14: ffffffffffffffff R15: 000000000118cf4c
Modules linked in:
CR2: 0000000000000038
---[ end trace 555c8d616a4911d1 ]---
RIP: 0010:rb_erase_cached include/linux/rbtree.h:147 [inline]
RIP: 0010:__dequeue_entity kernel/sched/fair.c:607 [inline]
RIP: 0010:set_next_entity+0x95/0x270 kernel/sched/fair.c:4398
Code: 00 72 d5 0f 1f 44 00 00 eb ce 49 8d 7c 24 18 be ff ff ff ff e8 7c 7b e3 01 85 c0 75 a2 0f 0b eb 9e 0f 1f 44 00 00 4c 8d 63 10 <4c> 3b 65 38 48 8d 75 30 74 6e 4c 89 e7 e8 d9 41 b3 00 ba 01 00 00
RSP: 0018:ffffc9000bd8bd68 EFLAGS: 00010002
RAX: 0000000000000000 RBX: ffff8880001025c0 RCX: 0000000000000001
RDX: 0000000000000000 RSI: ffff8880001025c0 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000151 R09: 0000000000021000
R10: 0000000000000000 R11: 0000000000021000 R12: ffff8880001025d0
R13: ffff88812c02dbc0 R14: 0000000000000000 R15: 0000000000000000
FS:  0000000002ac4940(0000) GS:ffff88812c000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000038 CR3: 00000000880dd000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400