bisecting cause commit starting from 49d05fe2c9d1b4a27761c9807fec39b8155bef9e
building syzkaller on 7bb222f7bcce6f16c2e110f4c3270e009aaf55e7
testing commit 49d05fe2c9d1b4a27761c9807fec39b8155bef9e with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in class_equal
run #1: crashed: KASAN: slab-out-of-bounds Read in class_equal
run #2: crashed: KASAN: use-after-free Read in class_equal
run #3: crashed: KASAN: slab-out-of-bounds Read in class_equal
run #4: crashed: KASAN: slab-out-of-bounds Read in class_equal
run #5: crashed: BUG: unable to handle kernel paging request in corrupted
run #6: crashed: KASAN: use-after-free Read in class_equal
run #7: crashed: kernel panic: corrupted stack end in corrupted
run #8: crashed: KASAN: slab-out-of-bounds Read in tick_sched_handle
run #9: crashed: KASAN: use-after-free Read in class_equal
testing release v5.2
testing commit 0ecfebd2b52404ae0c54a878c872bb93363ada36 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: slab-out-of-bounds Read in class_equal
run #1: crashed: KASAN: slab-out-of-bounds Read in class_equal
run #2: crashed: KASAN: use-after-free Read in class_equal
run #3: crashed: KASAN: slab-out-of-bounds Read in class_equal
run #4: crashed: KASAN: use-after-free Read in class_equal
run #5: crashed: KASAN: use-after-free Read in class_equal
run #6: crashed: KASAN: slab-out-of-bounds Read in class_equal
run #7: crashed: KASAN: use-after-free Read in class_equal
run #8: crashed: KASAN: use-after-free Read in class_equal
run #9: crashed: KASAN: slab-out-of-bounds Read in class_equal
testing release v5.1
testing commit e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd with gcc (GCC) 8.1.0
all runs: crashed: WARNING: ODEBUG bug in del_timer
testing release v5.0
testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783 with gcc (GCC) 8.1.0
all runs: crashed: WARNING in strp_done
testing release v4.20
testing commit 8fe28cb58bcb235034b64cbbb7550a8a43fd88be with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in class_equal
run #1: crashed: kernel panic: corrupted stack end in corrupted
run #2: crashed: unexpected kernel reboot
run #3: crashed: KASAN: slab-out-of-bounds Read in class_equal
run #4: crashed: KASAN: slab-out-of-bounds Read in class_equal
run #5: crashed: KASAN: use-after-free Read in class_equal
run #6: crashed: KASAN: use-after-free Read in class_equal
run #7: crashed: kernel panic: corrupted stack end in corrupted
run #8: crashed: KASAN: slab-out-of-bounds Read in class_equal
run #9: crashed: kernel panic: corrupted stack end in corrupted
testing release v4.19
testing commit 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in psock_map_pop
run #1: crashed: KASAN: use-after-free Read in psock_map_pop
run #2: crashed: KASAN: use-after-free Read in psock_map_pop
run #3: crashed: KASAN: use-after-free Read in psock_map_pop
run #4: crashed: KASAN: use-after-free Read in psock_map_pop
run #5: crashed: KASAN: use-after-free Read in psock_map_pop
run #6: crashed: KASAN: use-after-free Read in psock_map_pop
run #7: crashed: KASAN: use-after-free Read in psock_map_pop
run #8: OK
run #9: OK
testing release v4.18
testing commit 94710cac0ef4ee177a63b5227664b38c95bbf703 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in psock_map_pop
run #1: crashed: KASAN: use-after-free Read in psock_map_pop
run #2: crashed: KASAN: use-after-free Read in psock_map_pop
run #3: crashed: KASAN: use-after-free Read in psock_map_pop
run #4: crashed: KASAN: use-after-free Read in psock_map_pop
run #5: crashed: KASAN: use-after-free Read in psock_map_pop
run #6: crashed: KASAN: use-after-free Read in psock_map_pop
run #7: crashed: KASAN: use-after-free Read in psock_map_pop
run #8: OK
run #9: OK
testing release v4.17
testing commit 29dcea88779c856c7dc92040a0c01233263101d4 with gcc (GCC) 8.1.0
all runs: OK
# git bisect start v4.18 v4.17
Bisecting: 7032 revisions left to test after this (roughly 13 steps)
[3036bc45364f98515a2c446d7fac2c34dcfbeff4] Merge tag 'media/v4.18-2' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media
testing commit 3036bc45364f98515a2c446d7fac2c34dcfbeff4 with gcc (GCC) 8.1.0
run #0: OK
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work
run #8: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work
run #9: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work
# git bisect good 3036bc45364f98515a2c446d7fac2c34dcfbeff4
Bisecting: 3348 revisions left to test after this (roughly 12 steps)
[721afaa2aeb860067decdddadc84ed16f42f2048] Merge tag 'armsoc-dt' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc
testing commit 721afaa2aeb860067decdddadc84ed16f42f2048 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 721afaa2aeb860067decdddadc84ed16f42f2048
Bisecting: 1674 revisions left to test after this (roughly 11 steps)
[7b72717a20bba8bdd01b14c0460be7d15061cd6b] iw_cxgb4: correctly enforce the max reg_mr depth
testing commit 7b72717a20bba8bdd01b14c0460be7d15061cd6b with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 7b72717a20bba8bdd01b14c0460be7d15061cd6b
Bisecting: 837 revisions left to test after this (roughly 10 steps)
[47f7dc4b845a9fe60c53b84b8c88cf14efd0de7f] Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm
testing commit 47f7dc4b845a9fe60c53b84b8c88cf14efd0de7f with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in psock_map_pop
run #1: crashed: KASAN: use-after-free Read in psock_map_pop
run #2: crashed: KASAN: use-after-free Read in psock_map_pop
run #3: crashed: KASAN: use-after-free Read in psock_map_pop
run #4: crashed: KASAN: use-after-free Read in psock_map_pop
run #5: crashed: KASAN: use-after-free Read in psock_map_pop
run #6: crashed: KASAN: use-after-free Read in psock_map_pop
run #7: OK
run #8: OK
run #9: crashed: KASAN: use-after-free Read in psock_map_pop
# git bisect bad 47f7dc4b845a9fe60c53b84b8c88cf14efd0de7f
Bisecting: 414 revisions left to test after this (roughly 9 steps)
[4e33d7d47943aaa84a5904472cf2f9c6d6b0a6ca] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
testing commit 4e33d7d47943aaa84a5904472cf2f9c6d6b0a6ca with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in psock_map_pop
run #1: crashed: KASAN: use-after-free Read in psock_map_pop
run #2: crashed: KASAN: use-after-free Read in psock_map_pop
run #3: crashed: KASAN: use-after-free Read in psock_map_pop
run #4: crashed: KASAN: use-after-free Read in psock_map_pop
run #5: crashed: KASAN: use-after-free Read in psock_map_pop
run #6: crashed: KASAN: use-after-free Read in psock_map_pop
run #7: crashed: KASAN: use-after-free Read in psock_map_pop
run #8: OK
run #9: OK
# git bisect bad 4e33d7d47943aaa84a5904472cf2f9c6d6b0a6ca
Bisecting: 202 revisions left to test after this (roughly 8 steps)
[d7d5388679312b7a7b6377e38e2b8fb06a82d84e] Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
testing commit d7d5388679312b7a7b6377e38e2b8fb06a82d84e with gcc (GCC) 8.1.0
all runs: OK
# git bisect good d7d5388679312b7a7b6377e38e2b8fb06a82d84e
Bisecting: 101 revisions left to test after this (roughly 7 steps)
[d3bc0e67f8525760479e88a51e87bb0c026e40f3] Merge tag 'for-4.18-rc2-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux
testing commit d3bc0e67f8525760479e88a51e87bb0c026e40f3 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good d3bc0e67f8525760479e88a51e87bb0c026e40f3
Bisecting: 50 revisions left to test after this (roughly 6 steps)
[484c016d9392786ce5c74017c206c706f29f823d] bnx2x: Fix receiving tx-timeout in error or recovery state.
testing commit 484c016d9392786ce5c74017c206c706f29f823d with gcc (GCC) 8.1.0
run #0: crashed: WARNING: ODEBUG bug in sock_hash_free
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 484c016d9392786ce5c74017c206c706f29f823d
Bisecting: 24 revisions left to test after this (roughly 5 steps)
[12bd45b3a9fd6988444fdeb998750ee8ffaaf11b] Merge branch 'xdp-flush'
testing commit 12bd45b3a9fd6988444fdeb998750ee8ffaaf11b with gcc (GCC) 8.1.0
run #0: crashed: general protection fault in bpf_tcp_close
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 12bd45b3a9fd6988444fdeb998750ee8ffaaf11b
Bisecting: 13 revisions left to test after this (roughly 4 steps)
[2d2595719a97c876f35b1e60e5768e58753b268c] nfp: cast sizeof() to int when comparing with error code
testing commit 2d2595719a97c876f35b1e60e5768e58753b268c with gcc (GCC) 8.1.0
run #0: crashed: WARNING: ODEBUG bug in sock_hash_free
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 2d2595719a97c876f35b1e60e5768e58753b268c
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[094bdaddf129417ee5e5d885d2fe76a5adfada0f] Merge branch 'lan78xx-minor-fixes'
testing commit 094bdaddf129417ee5e5d885d2fe76a5adfada0f with gcc (GCC) 8.1.0
run #0: crashed: general protection fault in bpf_tcp_close
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 094bdaddf129417ee5e5d885d2fe76a5adfada0f
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[4a27327b156e1e543c839a9358ba885564729ae7] net: lan78xx: Add support for VLAN filtering.
testing commit 4a27327b156e1e543c839a9358ba885564729ae7 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 4a27327b156e1e543c839a9358ba885564729ae7
Bisecting: 0 revisions left to test after this (roughly 1 step)
[9343ac87f2a4e09bf6e27b5f31e72e9e3a82abff] net: lan78xx: Use s/w csum check on VLANs without tag stripping
testing commit 9343ac87f2a4e09bf6e27b5f31e72e9e3a82abff with gcc (GCC) 8.1.0
run #0: crashed: general protection fault in bpf_tcp_close
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 9343ac87f2a4e09bf6e27b5f31e72e9e3a82abff
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[ec21ecf0aad27956dc64475e5acd78f3575df462] net: lan78xx: Add support for VLAN tag stripping.
testing commit ec21ecf0aad27956dc64475e5acd78f3575df462 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good ec21ecf0aad27956dc64475e5acd78f3575df462
9343ac87f2a4e09bf6e27b5f31e72e9e3a82abff is the first bad commit
commit 9343ac87f2a4e09bf6e27b5f31e72e9e3a82abff
Author: Dave Stevenson
Date:   Mon Jun 25 15:07:15 2018 +0100

    net: lan78xx: Use s/w csum check on VLANs without tag stripping

    Observations of VLANs dropping packets due to invalid checksums when
    not offloading VLAN tag receive. With VLAN tag stripping enabled no
    issue is observed.
    Drop back to s/w checksums if VLAN offload is disabled.

    Signed-off-by: Dave Stevenson
    Signed-off-by: David S. Miller

:040000 040000 83531f168210fcbd431a8053ee0d564c86576ecb a4d533f0879dea459d006f9a1c372f9c4fe4abeb M	drivers
revisions tested: 22, total time: 5h26m59.861777757s (build: 2h2m12.621576672s, test: 3h18m11.794127183s)
first bad commit: 9343ac87f2a4e09bf6e27b5f31e72e9e3a82abff net: lan78xx: Use s/w csum check on VLANs without tag stripping
cc: ["dave.stevenson@raspberrypi.org" "davem@davemloft.net" "linux-kernel@vger.kernel.org" "linux-usb@vger.kernel.org" "netdev@vger.kernel.org" "unglinuxdriver@microchip.com" "woojung.huh@microchip.com"]
crash: general protection fault in bpf_tcp_close
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 24591 Comm: syz-executor.0 Not tainted 4.18.0-rc2+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__write_once_size /./include/linux/compiler.h:215 [inline]
RIP: 0010:__hlist_del /./include/linux/list.h:649 [inline]
RIP: 0010:hlist_del_rcu /./include/linux/rculist.h:440 [inline]
RIP: 0010:bpf_tcp_close+0x58e/0xbb0 /kernel/bpf/sockmap.c:271
Code: 85 5d 04 00 00 4c 8d 48 18 48 8b 48 10 4c 89 ce 48 c1 ee 03 42 80 3c 3e 00 0f 85 1e 04 00 00 48 8b 70 18 48 89 f7 48 c1 ef 03 <42> 80 3c 3f 00 0f 85 66 04 00 00 48 85 c9 48 89 0e 74 1a 48 8d 79
RSP: 0018:ffff880085dc7cd0 EFLAGS: 00010a02
RAX: ffff88009783b0c0 RBX: ffff8800a1b82200 RCX: 0000000000000000
RDX: 1ffff10014370440 RSI: dead000000000200 RDI: 1bd5a00000000040
RBP: ffff880085dc7d48 R08: ffffed0012f9161d R09: ffff88009783b0d8
R10: ffffed0012f9161c R11: ffff880097c8b0e3 R12: ffff88009956a220
R13: 0000000000000000 R14: ffff8800a1b82218 R15: dffffc0000000000
FS:  000000000270c940(0000) GS:ffff8800aed00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f9db6b43e70 CR3: 000000009e4f6000 CR4: 00000000001406e0
Call Trace:
 inet_release+0xd9/0x1c0 /net/ipv4/af_inet.c:427
 inet6_release+0x46/0x60 /net/ipv6/af_inet6.c:459
 __sock_release+0xc2/0x230 /net/socket.c:603
 sock_close+0x10/0x20 /net/socket.c:1186
 __fput+0x238/0x780 /fs/file_table.c:209
 ____fput+0x9/0x10 /fs/file_table.c:243
 task_work_run+0x111/0x180 /kernel/task_work.c:113
 tracehook_notify_resume /./include/linux/tracehook.h:192 [inline]
 exit_to_usermode_loop+0x1a4/0x200 /arch/x86/entry/common.c:166
 prepare_exit_to_usermode /arch/x86/entry/common.c:197 [inline]
 syscall_return_slowpath /arch/x86/entry/common.c:268 [inline]
 do_syscall_64+0x407/0x4d0 /arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x413501
Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007ffec80be340 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000006 RCX: 0000000000413501
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000005
RBP: 0000000000000001 R08: ffffffffffffffff R09: ffffffffffffffff
R10: 00007ffec80be420 R11: 0000000000000293 R12: 000000000075bf20
R13: 000000000001f05c R14: 0000000000761178 R15: ffffffffffffffff
Modules linked in:
---[ end trace 12bec80efa9d22c8 ]---
RIP: 0010:__write_once_size /./include/linux/compiler.h:215 [inline]
RIP: 0010:__hlist_del /./include/linux/list.h:649 [inline]
RIP: 0010:hlist_del_rcu /./include/linux/rculist.h:440 [inline]
RIP: 0010:bpf_tcp_close+0x58e/0xbb0 /kernel/bpf/sockmap.c:271
Code: 85 5d 04 00 00 4c 8d 48 18 48 8b 48 10 4c 89 ce 48 c1 ee 03 42 80 3c 3e 00 0f 85 1e 04 00 00 48 8b 70 18 48 89 f7 48 c1 ef 03 <42> 80 3c 3f 00 0f 85 66 04 00 00 48 85 c9 48 89 0e 74 1a 48 8d 79
RSP: 0018:ffff880085dc7cd0 EFLAGS: 00010a02
RAX: ffff88009783b0c0 RBX: ffff8800a1b82200 RCX: 0000000000000000
RDX: 1ffff10014370440 RSI: dead000000000200 RDI: 1bd5a00000000040
RBP: ffff880085dc7d48 R08: ffffed0012f9161d R09: ffff88009783b0d8
R10: ffffed0012f9161c R11: ffff880097c8b0e3 R12: ffff88009956a220
R13: 0000000000000000 R14: ffff8800a1b82218 R15: dffffc0000000000
FS:  000000000270c940(0000) GS:ffff8800aed00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f9db6b43e70 CR3: 000000009e4f6000 CR4: 00000000001406e0