ci starts bisection 2025-07-15 00:41:50.748310797 +0000 UTC m=+40497.089038078
bisecting cause commit starting from a62b7a37e6fcf4a675b1548e7c168b96ec836442
building syzkaller on 3cda49cfaa8556b73277ccd7e75952f0f2de2d74
fetch other tags and check if the commit is present
ensuring issue is reproducible on original commit a62b7a37e6fcf4a675b1548e7c168b96ec836442

testing commit a62b7a37e6fcf4a675b1548e7c168b96ec836442 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 7f8e11650bed8b7b0200a0cdf4bc5a3e80ddc594471f878d0cef01245f868119
run #0: crashed: WARNING: bad unlock balance in query_matching_vma
run #1: crashed: WARNING: lock held when returning to user space in lock_next_vma
run #2: crashed: WARNING: bad unlock balance in query_matching_vma
run #3: crashed: WARNING: bad unlock balance in query_matching_vma
run #4: crashed: possible deadlock in lock_next_vma
run #5: crashed: WARNING: bad unlock balance in query_matching_vma
run #6: crashed: WARNING: lock held when returning to user space in lock_next_vma
run #7: crashed: WARNING: bad unlock balance in query_matching_vma
run #8: crashed: WARNING: bad unlock balance in query_matching_vma
run #9: crashed: WARNING: bad unlock balance in query_matching_vma
run #10: crashed: WARNING: bad unlock balance in query_matching_vma
run #11: crashed: WARNING: bad unlock balance in query_matching_vma
run #12: crashed: stack segment fault in mtree_range_walk
run #13: crashed: general protection fault in mas_start
run #14: crashed: WARNING: lock held when returning to user space in lock_next_vma
run #15: crashed: WARNING: bad unlock balance in query_matching_vma
run #16: crashed: general protection fault in mas_start
run #17: crashed: WARNING: bad unlock balance in query_matching_vma
run #18: crashed: WARNING in mas_next_slot
run #19: crashed: WARNING: bad unlock balance in query_matching_vma
representative crash: WARNING: bad unlock balance in query_matching_vma, types: [LOCKDEP]
check whether we can drop unnecessary instrumentation
disabling configs for [hang memleak ubsan bug_or_warning kasan atomic_sleep], they are not needed
testing commit a62b7a37e6fcf4a675b1548e7c168b96ec836442 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 1ddca017aece08b1f37ffa4ba5ca3ec42013c27e13767c0d6f53e4f0acb21790
run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot
run #1: crashed: WARNING: lock held when returning to user space in get_next_vma
run #2: crashed: WARNING: lock held when returning to user space in get_next_vma
run #3: crashed: possible deadlock in get_next_vma
run #4: crashed: WARNING: bad unlock balance in procfs_procmap_ioctl
run #5: crashed: WARNING: bad unlock balance in query_matching_vma
run #6: crashed: WARNING: bad unlock balance in query_matching_vma
run #7: crashed: WARNING: bad unlock balance in query_matching_vma
run #8: crashed: possible deadlock in get_next_vma
run #9: crashed: BUG: unable to handle kernel NULL pointer dereference in mtree_range_walk
representative crash: WARNING: lock held when returning to user space in get_next_vma, types: [LOCKDEP]
the bug reproduces without the instrumentation
disabling configs for [atomic_sleep hang memleak ubsan bug_or_warning kasan], they are not needed
kconfig minimization: base=4095 full=8505 leaves diff=2188
split chunks (needed=false): <2188>
split chunk #0 of len 2188 into 5 parts
testing without sub-chunk 1/5
disabling configs for [hang memleak ubsan bug_or_warning kasan atomic_sleep], they are not needed
testing commit a62b7a37e6fcf4a675b1548e7c168b96ec836442 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 102aa3170fb28b1945ee94ed9863bdde1c402cb7bc1256179f50c7f8dd34b4a2
run #0: crashed: WARNING: bad unlock balance in query_matching_vma
run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot
run #2: crashed: WARNING: bad unlock balance in procfs_procmap_ioctl
run #3: crashed: WARNING: lock held when returning to user space in get_next_vma
run #4: crashed: WARNING: bad unlock balance in query_matching_vma
run #5: crashed: WARNING: bad unlock balance in procfs_procmap_ioctl
run #6: crashed: WARNING: bad unlock balance in query_matching_vma
run #7: crashed: WARNING: bad unlock balance in query_matching_vma
run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in mtree_range_walk
run #9: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot
representative crash: WARNING: bad unlock balance in query_matching_vma, types: [LOCKDEP NULL-POINTER-DEREFERENCE]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [hang memleak ubsan bug_or_warning kasan atomic_sleep], they are not needed
testing commit a62b7a37e6fcf4a675b1548e7c168b96ec836442 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 807bdcc508667498860cb56ab2550da927e3feda6404e175f8a25852001f98a4
run #0: crashed: WARNING: lock held when returning to user space in get_next_vma
run #1: crashed: WARNING: lock held when returning to user space in get_next_vma
run #2: crashed: WARNING: bad unlock balance in query_matching_vma
run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot
run #4: crashed: WARNING: bad unlock balance in query_matching_vma
run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot
run #6: crashed: possible deadlock in get_next_vma
run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot
run #8: crashed: WARNING: lock held when returning to user space in get_next_vma
run #9: crashed: BUG: unable to handle kernel NULL pointer dereference in lock_next_vma
representative crash: WARNING: lock held when returning to user space in get_next_vma, types: [LOCKDEP NULL-POINTER-DEREFERENCE]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [memleak ubsan bug_or_warning kasan atomic_sleep hang], they are not needed
testing commit a62b7a37e6fcf4a675b1548e7c168b96ec836442 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 451c771630a54b0b971fb85b49fb37630d5a491fbb50715eb8da80ed3b1cf255
run #0: crashed: WARNING: lock held when returning to user space in get_next_vma
run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in lock_next_vma
run #2: crashed: WARNING: bad unlock balance in query_matching_vma
run #3: crashed: WARNING: lock held when returning to user space in get_next_vma
run #4: crashed: WARNING: lock held when returning to user space in get_next_vma
run #5: crashed: WARNING: bad unlock balance in query_matching_vma
run #6: crashed: WARNING: bad unlock balance in query_matching_vma
run #7: crashed: possible deadlock in get_next_vma
run #8: crashed: WARNING: lock held when returning to user space in get_next_vma
run #9: crashed: WARNING: lock held when returning to user space in get_next_vma
representative crash: WARNING: lock held when returning to user space in get_next_vma, types: [LOCKDEP]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [kasan atomic_sleep hang memleak ubsan bug_or_warning], they are not needed
testing commit a62b7a37e6fcf4a675b1548e7c168b96ec836442 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 662c5d2983cead0e8c92878c3c9c5b419de9af25fbd2bf81f66d08a7a1ee7717
run #0: crashed: possible deadlock in get_next_vma
run #1: crashed: possible deadlock in get_next_vma
run #2: crashed: WARNING: bad unlock balance in query_matching_vma
run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot
run #4: crashed: possible deadlock in get_next_vma
run #5: crashed: WARNING: bad unlock balance in query_matching_vma
run #6: crashed: WARNING: bad unlock balance in query_matching_vma
run #7: crashed: WARNING: bad unlock balance in query_matching_vma
run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot
run #9: crashed: possible deadlock in get_next_vma
representative crash: possible deadlock in get_next_vma, types: [LOCKDEP]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [atomic_sleep hang memleak ubsan bug_or_warning kasan], they are not needed
testing commit a62b7a37e6fcf4a675b1548e7c168b96ec836442 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 8e512115fe17084fa21cf801c02a7e6853d87570d9c4f6aad13d1250451c0ad7
run #0: crashed: WARNING: lock held when returning to user space in get_next_vma
run #1: crashed: WARNING: bad unlock balance in query_matching_vma
run #2: crashed: possible deadlock in get_next_vma
run #3: crashed: WARNING: bad unlock balance in query_matching_vma
run #4: crashed: possible deadlock in get_next_vma
run #5: crashed: WARNING: bad unlock balance in query_matching_vma
run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in lock_next_vma
run #7: crashed: WARNING: lock held when returning to user space in get_next_vma
run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in lock_next_vma
run #9: crashed: WARNING: bad unlock balance in procfs_procmap_ioctl
representative crash: WARNING: lock held when returning to user space in get_next_vma, types: [LOCKDEP]
the chunk can be dropped
disabling configs for [ubsan bug_or_warning kasan atomic_sleep hang memleak], they are not needed
picked [v6.15 v6.14 v6.13 v6.11 v6.9 v6.7 v6.5 v6.3 v6.0 v5.17 v5.14 v5.11 v5.8 v5.5 v5.2 v4.20 v4.19] out of 38 release tags
testing release v6.15
testing commit 0ff41df1cb268fc69e703a08a57ee14ae967d0ca gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 086b6c3e38c9d42edfdf238577ea09fc346f575f84dfa505e36c530cd58c0a37
all runs: OK
false negative chance: 0.000
# git bisect start a62b7a37e6fcf4a675b1548e7c168b96ec836442 0ff41df1cb268fc69e703a08a57ee14ae967d0ca
Bisecting: 12116 revisions left to test after this (roughly 14 steps)
[64980441d26995ea5599958740dbf6d791e81e27] Merge tag 'bpf-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf
testing commit 64980441d26995ea5599958740dbf6d791e81e27 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: e4c5d9da48b0fd3a9d3192a4b915274c3b8bb4fe055c03654387a46b1982450d
all runs: OK
false negative chance: 0.000
# git bisect good 64980441d26995ea5599958740dbf6d791e81e27
Bisecting: 6146 revisions left to test after this (roughly 13 steps)
[3fb4ce586ffd0635c5002bb434b5e1a931e03fb4] Merge branch 'docs-next' of git://git.lwn.net/linux.git
testing commit 3fb4ce586ffd0635c5002bb434b5e1a931e03fb4 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 864811c2ffd9bfb3a7a1690acddb3dc26f1bbf12ddfb7f33924439fbc153fb35
run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in lock_next_vma
run #1: crashed: WARNING: bad unlock balance in query_matching_vma
run #2: crashed: WARNING: bad unlock balance in query_matching_vma
run #3: crashed: WARNING: lock held when returning to user space in get_next_vma
run #4: crashed: WARNING: bad unlock balance in query_matching_vma
run #5: crashed: WARNING: bad unlock balance in query_matching_vma
run #6: crashed: WARNING: bad unlock balance in query_matching_vma
run #7: crashed: WARNING: lock held when returning to user space in get_next_vma
run #8: crashed: WARNING: bad unlock balance in query_matching_vma
run #9: crashed: WARNING: lock held when returning to user space in get_next_vma
representative crash: WARNING: bad unlock balance in query_matching_vma, types: [LOCKDEP]
# git bisect bad 3fb4ce586ffd0635c5002bb434b5e1a931e03fb4
Bisecting: 2986 revisions left to test after this (roughly 12 steps)
[5c54d6a00fa797289b6b7b5abf9b0f710a3c8fe7] btrfs: don't use token set/get accessors for btrfs_item members
testing commit 5c54d6a00fa797289b6b7b5abf9b0f710a3c8fe7 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: f0a9394587ba6c7d67b1dce5698f0c1c424bf1c617fac3d0b5e0a5312333f72c
all runs: OK
false negative chance: 0.000
# git bisect good 5c54d6a00fa797289b6b7b5abf9b0f710a3c8fe7
Bisecting: 1543 revisions left to test after this (roughly 11 steps)
[3c5ed92f7caf8d88c26cb39c0b5fc4a7245628c0] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/khilman/linux-omap.git
testing commit 3c5ed92f7caf8d88c26cb39c0b5fc4a7245628c0 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 085678a05608e45eb4c76f2373a6f3d24ecab0b687c5017c0a795f78cc5e375b
run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot
run #1: crashed: possible deadlock in get_next_vma
run #2: crashed: possible deadlock in get_next_vma
run #3: crashed: WARNING: lock held when returning to user space in get_next_vma
run #4: crashed: WARNING: bad unlock balance in query_matching_vma
run #5: crashed: WARNING: bad unlock balance in query_matching_vma
run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in lock_next_vma
run #7: crashed: WARNING: lock held when returning to user space in get_next_vma
run #8: crashed: WARNING: bad unlock balance in query_matching_vma
run #9: crashed: WARNING: bad unlock balance in query_matching_vma
representative crash: possible deadlock in get_next_vma, types: [LOCKDEP]
# git bisect bad 3c5ed92f7caf8d88c26cb39c0b5fc4a7245628c0
Bisecting: 739 revisions left to test after this (roughly 10 steps)
[dac70e151c64311c322759527f64a83412ecc9d8] Merge branch 'mm-nonmm-stable' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
testing commit dac70e151c64311c322759527f64a83412ecc9d8 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 0a5efe5fe4fbe7d53e04da56070ccde724d4e5f3c8428f7dd12dc7eb08fde6fd
all runs: OK
false negative chance: 0.000
# git bisect good dac70e151c64311c322759527f64a83412ecc9d8
Bisecting: 373 revisions left to test after this (roughly 9 steps)
[7b2cb52d0f85afaafe36577eabeedd40ac18bf2e] Merge branch 'for-next/perf' of git://git.kernel.org/pub/scm/linux/kernel/git/will/linux.git
testing commit 7b2cb52d0f85afaafe36577eabeedd40ac18bf2e gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: c4d4a33fa80559e544e4a5d913c69bb716a3097697e000afe1d1f9532a820c61
run #0: crashed: WARNING: lock held when returning to user space in get_next_vma
run #1: crashed: WARNING: lock held when returning to user space in get_next_vma
run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot
run #3: crashed: WARNING: bad unlock balance in query_matching_vma
run #4: crashed: possible deadlock in get_next_vma
run #5: crashed: WARNING: bad unlock balance in procfs_procmap_ioctl
run #6: crashed: possible deadlock in get_next_vma
run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in lock_next_vma
run #8: crashed: WARNING: lock held when returning to user space in get_next_vma
run #9: crashed: possible deadlock in get_next_vma
representative crash: WARNING: lock held when returning to user space in get_next_vma, types: [LOCKDEP]
# git bisect bad 7b2cb52d0f85afaafe36577eabeedd40ac18bf2e
Bisecting: 191 revisions left to test after this (roughly 8 steps)
[779937480418261c0c0589b29697d1b943d4b878] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild.git
testing commit 779937480418261c0c0589b29697d1b943d4b878 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: e32b776eaca2fd4b0719242e304f305e67c83ce32a326ca811feae50dfcc921c
run #0: crashed: possible deadlock in get_next_vma
run #1: crashed: WARNING: lock held when returning to user space in get_next_vma
run #2: crashed: possible deadlock in get_next_vma
run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in lock_next_vma
run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot
run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in lock_next_vma
run #6: crashed: WARNING: lock held when returning to user space in get_next_vma
run #7: crashed: WARNING: bad unlock balance in query_matching_vma
run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in lock_next_vma
run #9: crashed: possible deadlock in get_next_vma
representative crash: possible deadlock in get_next_vma, types: [LOCKDEP NULL-POINTER-DEREFERENCE]
# git bisect bad 779937480418261c0c0589b29697d1b943d4b878
Bisecting: 86 revisions left to test after this (roughly 7 steps)
[ea87f6450449181eaaad3103cd8956f792e9a069] mm/page-flags: remove folio_mapping_flags()
testing commit ea87f6450449181eaaad3103cd8956f792e9a069 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 1d6171e14837fe280b13bd7723d12a456f5567d8a329696c7f2999caaf048df9
run #0: basic kernel testing failed: failed to copy syz-executor to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "IdentitiesOnly=yes" "-o" "BatchMode=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-v" "/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/bin/linux_amd64/syz-executor" "root@10.128.1.72:./syz-executor"]: exit status 255
Executing: program /usr/bin/ssh host 10.128.1.72, user root, command sftp
OpenSSH_9.2p1 Debian-2+deb12u6, OpenSSL 3.0.16 11 Feb 2025
debug1: Reading configuration data /dev/null
debug1: Connecting to 10.128.1.72 [10.128.1.72] port 22.
debug1: connect to address 10.128.1.72 port 22: Connection timed out
ssh: connect to host 10.128.1.72 port 22: Connection timed out
scp: Connection closed
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
false negative chance: 0.000
# git bisect good ea87f6450449181eaaad3103cd8956f792e9a069
Bisecting: 43 revisions left to test after this (roughly 6 steps)
[bd3ac3e81d3c3c4febcd2b617d9dbb7164583189] mm, vmstat: remove the NR_WRITEBACK_TEMP node_stat_item counter
testing commit bd3ac3e81d3c3c4febcd2b617d9dbb7164583189 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 5b795b616ddf8a46094640af51f6f569b4e50ab986a66184b77f85ad64ea6edc
run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in lock_next_vma
run #1: crashed: WARNING: bad unlock balance in query_matching_vma
run #2: crashed: WARNING: lock held when returning to user space in get_next_vma
run #3: crashed: possible deadlock in get_next_vma
run #4: crashed: WARNING: bad unlock balance in query_matching_vma
run #5: crashed: WARNING: lock held when returning to user space in get_next_vma
run #6: crashed: WARNING: bad unlock balance in query_matching_vma
run #7: crashed: WARNING: lock held when returning to user space in get_next_vma
run #8: crashed: possible deadlock in get_next_vma
run #9: crashed: BUG: unable to handle kernel NULL pointer dereference in lock_next_vma
representative crash: WARNING: bad unlock balance in query_matching_vma, types: [LOCKDEP]
# git bisect bad bd3ac3e81d3c3c4febcd2b617d9dbb7164583189
Bisecting: 21 revisions left to test after this (roughly 5 steps)
[0bfd7d4e14e54fa61b736117170b7ce718354b2e] mm/vmscan: make __node_reclaim() more generic
testing commit 0bfd7d4e14e54fa61b736117170b7ce718354b2e gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 15b4baae27289b946cbea23071a2f674ad94751e8a845ef15bb4e202c3cbd0a5
all runs: OK
false negative chance: 0.000
# git bisect good 0bfd7d4e14e54fa61b736117170b7ce718354b2e
Bisecting: 10 revisions left to test after this (roughly 4 steps)
[bc9820326fc9259090be25b303103273100df395] samples/damon/wsse: rename to have damon_sample_ prefix
testing commit bc9820326fc9259090be25b303103273100df395 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: e0524d54296cb239ab5ab223aaeadaff9c4901631ad3612fa88606b30d415adb
run #0: crashed: WARNING: lock held when returning to user space in get_next_vma
run #1: crashed: WARNING: lock held when returning to user space in get_next_vma
run #2: crashed: WARNING: bad unlock balance in query_matching_vma
run #3: crashed: possible deadlock in get_next_vma
run #4: crashed: possible deadlock in get_next_vma
run #5: crashed: possible deadlock in get_next_vma
run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot
run #7: crashed: WARNING: bad unlock balance in query_matching_vma
run #8: crashed: WARNING: bad unlock balance in procfs_procmap_ioctl
run #9: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot
representative crash: WARNING: lock held when returning to user space in get_next_vma, types: [LOCKDEP]
# git bisect bad bc9820326fc9259090be25b303103273100df395
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[122b854f81c0ed361243a200c173d7711ee47f6b] selftests/proc: test PROCMAP_QUERY ioctl while vma is concurrently modified
testing commit 122b854f81c0ed361243a200c173d7711ee47f6b gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: c60218de7fb4cd6e1079bebb1e1dc212847910ce754df4e042b9aa7d024da205
all runs: OK
false negative chance: 0.000
# git bisect good 122b854f81c0ed361243a200c173d7711ee47f6b
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[ee805a6f9009f68419371a3951f1a1005ad6c54e] fs/proc/task_mmu: read proc/pid/maps under per-vma lock
testing commit ee805a6f9009f68419371a3951f1a1005ad6c54e gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 5b0a133c4df574816a0fb0bcfabf178af96f7503899a4f48a4143f345c0382cb
all runs: OK
false negative chance: 0.000
# git bisect good ee805a6f9009f68419371a3951f1a1005ad6c54e
Bisecting: 0 revisions left to test after this (roughly 1 step)
[0163463f9dcc965060c5f51de69727d1b21d2b2b] mm/mglru: stop try_to_inc_min_seq() if the oldest generation LRU lists are not empty
testing commit 0163463f9dcc965060c5f51de69727d1b21d2b2b gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 91723ebce58a77eb890f5245ab7922ae7e3b2e94ccafe6c4b27f579a6bbecd8d
run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in lock_next_vma
run #1: crashed: WARNING: bad unlock balance in query_matching_vma
run #2: crashed: WARNING: bad unlock balance in query_matching_vma
run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in lock_next_vma
run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in lock_next_vma
run #5: crashed: possible deadlock in get_next_vma
run #6: crashed: WARNING: bad unlock balance in query_matching_vma
run #7: crashed: WARNING: bad unlock balance in query_matching_vma
run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in lock_next_vma
run #9: crashed: WARNING: lock held when returning to user space in get_next_vma
representative crash: WARNING: bad unlock balance in query_matching_vma, types: [LOCKDEP NULL-POINTER-DEREFERENCE]
# git bisect bad 0163463f9dcc965060c5f51de69727d1b21d2b2b
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[fb8a9ee1f05345b1fae37902d32d954d2150437b] fs/proc/task_mmu: execute PROCMAP_QUERY ioctl under per-vma locks
testing commit fb8a9ee1f05345b1fae37902d32d954d2150437b gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 6e457e6031a02c6b3c44ac298bdbb421efa97d64fba9f3feaaeb92ba0c724cdd
run #0: crashed: possible deadlock in get_next_vma
run #1: crashed: WARNING: lock held when returning to user space in get_next_vma
run #2: crashed: WARNING: bad unlock balance in query_matching_vma
run #3: crashed: WARNING: lock held when returning to user space in get_next_vma
run #4: crashed: possible deadlock in get_next_vma
run #5: crashed: WARNING: bad unlock balance in query_matching_vma
run #6: crashed: possible deadlock in get_next_vma
run #7: crashed: WARNING: bad unlock balance in query_matching_vma
run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in mas_next_slot
run #9: crashed: BUG: unable to handle kernel NULL pointer dereference in mtree_range_walk
representative crash: possible deadlock in get_next_vma, types: [LOCKDEP]
# git bisect bad fb8a9ee1f05345b1fae37902d32d954d2150437b
fb8a9ee1f05345b1fae37902d32d954d2150437b is the first bad commit
commit fb8a9ee1f05345b1fae37902d32d954d2150437b
Author: Suren Baghdasaryan
Date: Thu Jul 3 23:07:26 2025 -0700

    fs/proc/task_mmu: execute PROCMAP_QUERY ioctl under per-vma locks

    Utilize per-vma locks to stabilize vma after lookup without taking mmap_lock during PROCMAP_QUERY ioctl execution. While we might take mmap_lock for reading during contention, we do that momentarily only to lock the vma. This change is designed to reduce mmap_lock contention and prevent PROCMAP_QUERY ioctl calls from blocking address space updates.

    Link: https://lkml.kernel.org/r/20250704060727.724817-9-surenb@google.com
    Signed-off-by: Suren Baghdasaryan
    Acked-by: Andrii Nakryiko
    Reviewed-by: Lorenzo Stoakes
    Cc: Alexey Dobriyan
    Cc: Christian Brauner
    Cc: Christophe Leroy
    Cc: David Hildenbrand
    Cc: Jann Horn
    Cc: Jeongjun Park
    Cc: Johannes Weiner
    Cc: Josef Bacik
    Cc: Kalesh Singh
    Cc: Liam Howlett
    Cc: Matthew Wilcox (Oracle)
    Cc: Michal Hocko
    Cc: Oscar Salvador
    Cc: "Paul E . McKenney"
    Cc: Peter Xu
    Cc: Ryan Roberts
    Cc: Shuah Khan
    Cc: Thomas Weißschuh
    Cc: T.J. Mercier
    Cc: Vlastimil Babka
    Cc: Ye Bin
    Signed-off-by: Andrew Morton

 fs/proc/task_mmu.c | 60 +++++++++++++++++++++++++++++++++++++++++++----------
 1 file changed, 48 insertions(+), 12 deletions(-)

accumulated error probability: 0.00
culprit signature: 6e457e6031a02c6b3c44ac298bdbb421efa97d64fba9f3feaaeb92ba0c724cdd
parent signature: 5b0a133c4df574816a0fb0bcfabf178af96f7503899a4f48a4143f345c0382cb
revisions tested: 23, total time: 9h26m7.243835673s (build: 4h33m59.549374065s, test: 3h55m1.474357945s)
first bad commit: fb8a9ee1f05345b1fae37902d32d954d2150437b fs/proc/task_mmu: execute PROCMAP_QUERY ioctl under per-vma locks
recipients (to): ["akpm@linux-foundation.org" "andrii@kernel.org" "lorenzo.stoakes@oracle.com" "surenb@google.com"]
recipients (cc): []
crash: possible deadlock in get_next_vma
======================================================
WARNING: possible circular locking dependency detected
6.16.0-rc5-syzkaller #0 Not tainted
------------------------------------------------------
syz.3.68/3046 is trying to acquire lock:
ffff88810a3c5520 (&mm->mmap_lock){++++}-{4:4}, at: mmap_read_lock_killable+0x13/0x110 include/linux/mmap_lock.h:432

but task is already holding lock:
ffff88810878ad88 (vm_lock){++++}-{0:0}, at: get_next_vma+0xa6/0xe0 fs/proc/task_mmu.c:182

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #1 (vm_lock){++++}-{0:0}:
       __vma_enter_locked+0x75/0xf0 mm/mmap_lock.c:63
       __vma_start_write+0x13/0x70 mm/mmap_lock.c:87
       vma_start_write include/linux/mmap_lock.h:267 [inline]
       vma_expand+0x8a/0x210 mm/vma.c:1131
       relocate_vma_down+0x27f/0x380 mm/vma_exec.c:58
       setup_arg_pages+0x307/0x490 fs/exec.c:690
       load_elf_binary+0x38c/0xd50 fs/binfmt_elf.c:1013
       search_binary_handler fs/exec.c:1670 [inline]
       exec_binprm fs/exec.c:1702 [inline]
       bprm_execve+0x38b/0x5e0 fs/exec.c:1754
       kernel_execve+0x1c1/0x210 fs/exec.c:1920
       try_to_run_init_process+0x9/0x40 init/main.c:1402
       kernel_init+0x96/0x120 init/main.c:1530
       ret_from_fork+0x152/0x240 arch/x86/kernel/process.c:148
       ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

-> #0 (&mm->mmap_lock){++++}-{4:4}:
       check_prev_add kernel/locking/lockdep.c:3168 [inline]
       check_prevs_add kernel/locking/lockdep.c:3287 [inline]
       validate_chain kernel/locking/lockdep.c:3911 [inline]
       __lock_acquire+0x12e6/0x2100 kernel/locking/lockdep.c:5240
       lock_acquire+0xe9/0x270 kernel/locking/lockdep.c:5871
       down_read_killable+0x37/0x120 kernel/locking/rwsem.c:1547
       mmap_read_lock_killable+0x13/0x110 include/linux/mmap_lock.h:432
       lock_vma_under_mmap_lock mm/mmap_lock.c:189 [inline]
       lock_next_vma+0x3af/0x600 mm/mmap_lock.c:264
       get_next_vma+0xa6/0xe0 fs/proc/task_mmu.c:182
       query_vma_find_by_addr fs/proc/task_mmu.c:512 [inline]
       query_matching_vma+0xf9/0x1c0 fs/proc/task_mmu.c:544
       do_procmap_query fs/proc/task_mmu.c:629 [inline]
       procfs_procmap_ioctl+0x282/0x6a0 fs/proc/task_mmu.c:747
       vfs_ioctl fs/ioctl.c:51 [inline]
       __do_sys_ioctl fs/ioctl.c:907 [inline]
       __se_sys_ioctl+0x6c/0xc0 fs/ioctl.c:893
       do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
       do_syscall_64+0xa6/0x2c0 arch/x86/entry/syscall_64.c:94
       entry_SYSCALL_64_after_hwframe+0x77/0x7f

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  rlock(vm_lock);
                               lock(&mm->mmap_lock);
                               lock(vm_lock);
  rlock(&mm->mmap_lock);

 *** DEADLOCK ***

1 lock held by syz.3.68/3046:
 #0: ffff88810878ad88 (vm_lock){++++}-{0:0}, at: get_next_vma+0xa6/0xe0 fs/proc/task_mmu.c:182

stack backtrace:
CPU: 0 UID: 0 PID: 3046 Comm: syz.3.68 Not tainted 6.16.0-rc5-syzkaller #0 PREEMPT(none)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
 dump_stack_lvl+0xad/0x110 lib/dump_stack.c:120
 print_circular_bug+0x29b/0x2b0 kernel/locking/lockdep.c:2046
 check_noncircular+0x10e/0x130 kernel/locking/lockdep.c:2178
 check_prev_add kernel/locking/lockdep.c:3168 [inline]
 check_prevs_add kernel/locking/lockdep.c:3287 [inline]
 validate_chain kernel/locking/lockdep.c:3911 [inline]
 __lock_acquire+0x12e6/0x2100 kernel/locking/lockdep.c:5240
 lock_acquire+0xe9/0x270 kernel/locking/lockdep.c:5871
 down_read_killable+0x37/0x120 kernel/locking/rwsem.c:1547
 mmap_read_lock_killable+0x13/0x110 include/linux/mmap_lock.h:432
 lock_vma_under_mmap_lock mm/mmap_lock.c:189 [inline]
 lock_next_vma+0x3af/0x600 mm/mmap_lock.c:264
 get_next_vma+0xa6/0xe0 fs/proc/task_mmu.c:182
 query_vma_find_by_addr fs/proc/task_mmu.c:512 [inline]
 query_matching_vma+0xf9/0x1c0 fs/proc/task_mmu.c:544
 do_procmap_query fs/proc/task_mmu.c:629 [inline]
 procfs_procmap_ioctl+0x282/0x6a0 fs/proc/task_mmu.c:747
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:907 [inline]
 __se_sys_ioctl+0x6c/0xc0 fs/ioctl.c:893
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xa6/0x2c0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fa463d9e929
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fa46380f038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fa463fc5fa0 RCX: 00007fa463d9e929
RDX: 0000200000000180 RSI: 00000000c0686611 RDI: 0000000000000003
RBP: 00007fa463e20b39 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fa463fc5fa0 R15: 00007fffd77369c8