bisecting cause commit starting from 470dfd808ac4135f313967f9d3e107b87fc6a0b3 building syzkaller on 1a1f4bd8c48f86af4bc94a2e3a86fc0de9c52c93 testing commit 470dfd808ac4135f313967f9d3e107b87fc6a0b3 with gcc (GCC) 8.1.0 kernel signature: ff6ea4cb19364a80218f130bc46b5f16de6d246bf8484115117851ba47cb3fba all runs: crashed: BUG: receive list entry not found for dev vxcan1, id 003, mask C00007FF testing release v5.9 testing commit bbf5c979011a099af5dc76498918ed7df445635b with gcc (GCC) 8.1.0 kernel signature: ae997c81c8480492441e712d3c127e3da959156d4e937c464609e101fa84e28c all runs: OK # git bisect start 470dfd808ac4135f313967f9d3e107b87fc6a0b3 bbf5c979011a099af5dc76498918ed7df445635b Bisecting: 9410 revisions left to test after this (roughly 13 steps) [4d0e9df5e43dba52d38b251e3b909df8fa1110be] lib, uaccess: add failure injection to usercopy functions testing commit 4d0e9df5e43dba52d38b251e3b909df8fa1110be with gcc (GCC) 8.1.0 kernel signature: 19d651166031891e1c42f1a0518e05f408372acef30d76f75e5b6df6eabbfcd1 all runs: OK # git bisect good 4d0e9df5e43dba52d38b251e3b909df8fa1110be Bisecting: 4700 revisions left to test after this (roughly 12 steps) [96485e4462604744d66bf4301557d996d80b85eb] Merge tag 'ext4_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4 testing commit 96485e4462604744d66bf4301557d996d80b85eb with gcc (GCC) 8.1.0 kernel signature: 2c097c6c9518fb1e3deccc12dee074de87aacd57e84fba0d781eb797cab19311 all runs: crashed: BUG: receive list entry not found for dev vxcan1, id 003, mask C00007FF # git bisect bad 96485e4462604744d66bf4301557d996d80b85eb Bisecting: 2332 revisions left to test after this (roughly 11 steps) [14c914fcb515c424177bb6848cc2858ebfe717a8] Merge tag 'wireless-drivers-next-2020-10-02' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers-next testing commit 14c914fcb515c424177bb6848cc2858ebfe717a8 with gcc (GCC) 8.1.0 kernel signature: f7c8ad15c60212a4917f2b51ce11588c5b61e5fae00001f80f6deeb95e5bcdb0 all runs: OK # git bisect good 14c914fcb515c424177bb6848cc2858ebfe717a8 Bisecting: 1201 revisions left to test after this (roughly 10 steps) [9ba0d0c81284f4ec0b24529bdba2fc68b9d6a09a] io_uring: use blk_queue_nowait() to check if NOWAIT supported testing commit 9ba0d0c81284f4ec0b24529bdba2fc68b9d6a09a with gcc (GCC) 8.1.0 kernel signature: 95a267476b3e95d57dc1ee333498a197529bfe0a0f9d7c6eb303c3df63458fe5 all runs: crashed: BUG: receive list entry not found for dev vxcan1, id 003, mask C00007FF # git bisect bad 9ba0d0c81284f4ec0b24529bdba2fc68b9d6a09a Bisecting: 593 revisions left to test after this (roughly 9 steps) [c4cf498dc0241fa2d758dba177634268446afb06] Merge branch 'akpm' (patches from Andrew) testing commit c4cf498dc0241fa2d758dba177634268446afb06 with gcc (GCC) 8.1.0 kernel signature: 502d1758e7c9443ad0832e670002571cada9b5ef0e79d93ccdf3ed14629122d5 all runs: crashed: BUG: receive list entry not found for dev vxcan1, id 003, mask C00007FF # git bisect bad c4cf498dc0241fa2d758dba177634268446afb06 Bisecting: 268 revisions left to test after this (roughly 8 steps) [ee92e4f1f95eb7b8820299f10fc5fba16d85cece] net/mlx5: Add NIC TX domain namespace testing commit ee92e4f1f95eb7b8820299f10fc5fba16d85cece with gcc (GCC) 8.1.0 kernel signature: 13658e07d033f96bade2c1acfcec31e4caad03a59d6f4b0360446eb50d650e0e all runs: OK # git bisect good ee92e4f1f95eb7b8820299f10fc5fba16d85cece Bisecting: 153 revisions left to test after this (roughly 7 steps) [346e320cb2103edef709c4466a29140c4a8e527a] netfilter: nftables: allow re-computing sctp CRC-32C in 'payload' statements testing commit 346e320cb2103edef709c4466a29140c4a8e527a with gcc (GCC) 8.1.0 kernel signature: 73e41b89f0fd2c5a653f7694e7f9314aa255e2c5cfa9e05d9a70990632090e10 all runs: OK # git bisect good 346e320cb2103edef709c4466a29140c4a8e527a Bisecting: 73 revisions left to test after this (roughly 6 steps) [fefa636d815975b34afc45f50852a2810fb23ba9] Merge tag 'trace-v5.10' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace testing commit fefa636d815975b34afc45f50852a2810fb23ba9 with gcc (GCC) 8.1.0 kernel signature: 9587c9d8bcbd869245558955783d341470506981a520c35136861d33dab3f411 all runs: OK # git bisect good fefa636d815975b34afc45f50852a2810fb23ba9 Bisecting: 36 revisions left to test after this (roughly 5 steps) [1e40d75ef90c5c99d9418637cd7295fa49ecb5fb] Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf testing commit 1e40d75ef90c5c99d9418637cd7295fa49ecb5fb with gcc (GCC) 8.1.0 kernel signature: a9340613021ea143fba8440d52def2f54077c368e54a9d8890a69203caccbabb all runs: OK # git bisect good 1e40d75ef90c5c99d9418637cd7295fa49ecb5fb Bisecting: 19 revisions left to test after this (roughly 4 steps) [2295cddf99e3f7c2be2b1160e2f5e53cc35b09be] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net testing commit 2295cddf99e3f7c2be2b1160e2f5e53cc35b09be with gcc (GCC) 8.1.0 kernel signature: 525c5e3c5694d272b24e43d9b00825f9bfc5587b32be75bb9de4b6744dd79d9e all runs: OK # git bisect good 2295cddf99e3f7c2be2b1160e2f5e53cc35b09be Bisecting: 9 revisions left to test after this (roughly 3 steps) [4be92db3b5667f3a5c874a04635b037dc5e3f373] ima: Remove semicolon at the end of ima_get_binary_runtime_size() testing commit 4be92db3b5667f3a5c874a04635b037dc5e3f373 with gcc (GCC) 8.1.0 kernel signature: 422ecc5d8fc456d70c963a20ce86855bf5795034c88d7e2c821b35d7caa27004 all runs: OK # git bisect good 4be92db3b5667f3a5c874a04635b037dc5e3f373 Bisecting: 4 revisions left to test after this (roughly 2 steps) [105faa8742437c28815b2a3eb8314ebc5fd9288c] Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next testing commit 105faa8742437c28815b2a3eb8314ebc5fd9288c with gcc (GCC) 8.1.0 kernel signature: 1b293ab1fc61c0de4174082110f95c10edf7283613a06e3cd3c8c2015bc4f69c all runs: OK # git bisect good 105faa8742437c28815b2a3eb8314ebc5fd9288c Bisecting: 2 revisions left to test after this (roughly 1 step) [aa662fc04f5b290b3979332588bf8d812b189962] ima: Fix NULL pointer dereference in ima_file_hash testing commit aa662fc04f5b290b3979332588bf8d812b189962 with gcc (GCC) 8.1.0 kernel signature: 125af223972c7f705cd7d6e94096b5aa69ada6a34ede1812bf2326679828301a all runs: OK # git bisect good aa662fc04f5b290b3979332588bf8d812b189962 Bisecting: 0 revisions left to test after this (roughly 1 step) [9ff9b0d392ea08090cd1780fb196f36dbb586529] Merge tag 'net-next-5.10' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next testing commit 9ff9b0d392ea08090cd1780fb196f36dbb586529 with gcc (GCC) 8.1.0 kernel signature: 5bd4bd308100f23687c473ea4c0a2ff448de9f81220b1082a3ae623809bbc5a3 all runs: OK # git bisect good 9ff9b0d392ea08090cd1780fb196f36dbb586529 c4cf498dc0241fa2d758dba177634268446afb06 is the first bad commit commit c4cf498dc0241fa2d758dba177634268446afb06 Merge: 9ff9b0d392ea 4d0e9df5e43d Author: Linus Torvalds Date: Fri Oct 16 11:31:55 2020 -0700 Merge branch 'akpm' (patches from Andrew) Merge more updates from Andrew Morton: "155 patches. Subsystems affected by this patch series: mm (dax, debug, thp, readahead, page-poison, util, memory-hotplug, zram, cleanups), misc, core-kernel, get_maintainer, MAINTAINERS, lib, bitops, checkpatch, binfmt, ramfs, autofs, nilfs, rapidio, panic, relay, kgdb, ubsan, romfs, and fault-injection" * emailed patches from Andrew Morton : (155 commits) lib, uaccess: add failure injection to usercopy functions lib, include/linux: add usercopy failure capability ROMFS: support inode blocks calculation ubsan: introduce CONFIG_UBSAN_LOCAL_BOUNDS for Clang sched.h: drop in_ubsan field when UBSAN is in trap mode scripts/gdb/tasks: add headers and improve spacing format scripts/gdb/proc: add struct mount & struct super_block addr in lx-mounts command kernel/relay.c: drop unneeded initialization panic: dump registers on panic_on_warn rapidio: fix the missed put_device() for rio_mport_add_riodev rapidio: fix error handling path nilfs2: fix some kernel-doc warnings for nilfs2 autofs: harden ioctl table ramfs: fix nommu mmap with gaps in the page cache mm: remove the now-unnecessary mmget_still_valid() hack mm/gup: take mmap_lock in get_dump_page() binfmt_elf, binfmt_elf_fdpic: use a VMA list snapshot coredump: rework elf/elf_fdpic vma_dump_size() into common helper coredump: refactor page range dumping into common helper coredump: let dump_emit() bail out on short writes ... .mailmap | 1 + Documentation/admin-guide/kernel-parameters.txt | 1 + Documentation/core-api/xarray.rst | 16 +- Documentation/fault-injection/fault-injection.rst | 7 +- MAINTAINERS | 6 +- arch/ia64/mm/init.c | 4 +- arch/powerpc/include/asm/book3s/64/pgtable.h | 29 +- arch/powerpc/include/asm/nohash/pgtable.h | 5 - arch/powerpc/mm/pgtable.c | 5 - arch/powerpc/platforms/powernv/memtrace.c | 2 +- arch/powerpc/platforms/pseries/hotplug-memory.c | 2 +- drivers/acpi/acpi_memhotplug.c | 3 +- drivers/base/memory.c | 3 +- drivers/base/node.c | 33 ++- drivers/block/zram/zram_drv.c | 2 +- drivers/dax/kmem.c | 50 ++-- drivers/hv/hv_balloon.c | 2 +- drivers/infiniband/core/uverbs_main.c | 3 - drivers/rapidio/devices/rio_mport_cdev.c | 18 +- drivers/s390/char/sclp_cmd.c | 2 +- drivers/vfio/pci/vfio_pci.c | 38 ++- drivers/virtio/virtio_mem.c | 3 +- drivers/xen/balloon.c | 2 +- fs/autofs/dev-ioctl.c | 8 +- fs/binfmt_elf.c | 263 ++++-------------- fs/binfmt_elf_fdpic.c | 162 ++--------- fs/configfs/dir.c | 2 +- fs/configfs/file.c | 2 +- fs/coredump.c | 236 +++++++++++++++- fs/ext4/verity.c | 4 +- fs/f2fs/verity.c | 4 +- fs/inode.c | 2 + fs/nilfs2/bmap.c | 2 +- fs/nilfs2/cpfile.c | 6 +- fs/nilfs2/page.c | 1 - fs/nilfs2/sufile.c | 4 +- fs/proc/task_mmu.c | 18 -- fs/ramfs/file-nommu.c | 2 +- fs/romfs/super.c | 1 + fs/userfaultfd.c | 28 +- include/linux/bitops.h | 13 +- include/linux/blkdev.h | 1 + include/linux/bvec.h | 6 +- include/linux/coredump.h | 11 + include/linux/fault-inject-usercopy.h | 22 ++ include/linux/fs.h | 28 +- include/linux/idr.h | 13 +- include/linux/ioport.h | 11 +- include/linux/jiffies.h | 3 +- include/linux/kernel.h | 150 +---------- include/linux/list.h | 29 +- include/linux/memory_hotplug.h | 42 +-- include/linux/minmax.h | 153 +++++++++++ include/linux/mm.h | 5 +- include/linux/mmzone.h | 17 +- include/linux/node.h | 16 +- include/linux/nodemask.h | 2 +- include/linux/page-flags.h | 6 +- include/linux/page_owner.h | 6 +- include/linux/pagemap.h | 107 +++++++- include/linux/sched.h | 2 +- include/linux/sched/mm.h | 25 -- include/linux/uaccess.h | 12 +- include/linux/vmstat.h | 2 +- include/linux/xarray.h | 22 ++ include/ras/ras_event.h | 3 + kernel/acct.c | 10 +- kernel/cgroup/cpuset.c | 2 +- kernel/dma/direct.c | 2 +- kernel/fork.c | 4 +- kernel/futex.c | 2 +- kernel/irq/timings.c | 2 +- kernel/jump_label.c | 2 +- kernel/kcsan/encoding.h | 2 +- kernel/kexec_core.c | 2 +- kernel/kexec_file.c | 2 +- kernel/kthread.c | 2 +- kernel/livepatch/state.c | 2 +- kernel/panic.c | 12 +- kernel/pid_namespace.c | 2 +- kernel/power/snapshot.c | 2 +- kernel/range.c | 3 +- kernel/relay.c | 2 +- kernel/resource.c | 110 ++++++-- kernel/smp.c | 2 +- kernel/sys.c | 2 +- kernel/user_namespace.c | 2 +- lib/Kconfig.debug | 7 + lib/Kconfig.ubsan | 14 + lib/Makefile | 1 + lib/bitmap.c | 2 +- lib/crc32.c | 2 +- lib/decompress_bunzip2.c | 2 +- lib/dynamic_queue_limits.c | 4 +- lib/earlycpio.c | 2 +- lib/fault-inject-usercopy.c | 39 +++ lib/find_bit.c | 1 + lib/hexdump.c | 1 + lib/idr.c | 9 +- lib/iov_iter.c | 5 + lib/libcrc32c.c | 2 +- lib/math/rational.c | 2 +- lib/math/reciprocal_div.c | 1 + lib/mpi/mpi-bit.c | 2 +- lib/percpu_counter.c | 2 +- lib/radix-tree.c | 2 +- lib/scatterlist.c | 2 +- lib/strncpy_from_user.c | 3 + lib/syscall.c | 2 +- lib/test_hmm.c | 2 +- lib/test_sysctl.c | 2 +- lib/test_xarray.c | 65 +++++ lib/usercopy.c | 5 +- lib/xarray.c | 208 ++++++++++++++- mm/Kconfig | 2 +- mm/compaction.c | 6 +- mm/debug_vm_pgtable.c | 207 +++++++------- mm/filemap.c | 58 ++-- mm/gup.c | 61 +++-- mm/highmem.c | 4 +- mm/huge_memory.c | 45 ++-- mm/hwpoison-inject.c | 18 +- mm/internal.h | 27 +- mm/khugepaged.c | 2 +- mm/madvise.c | 52 +--- mm/memory-failure.c | 311 ++++++++++------------ mm/memory.c | 7 +- mm/memory_hotplug.c | 211 ++++++--------- mm/memremap.c | 3 +- mm/migrate.c | 11 +- mm/mmap.c | 7 +- mm/mmu_notifier.c | 2 +- mm/page-writeback.c | 1 + mm/page_alloc.c | 241 +++++++++++------ mm/page_isolation.c | 16 +- mm/page_owner.c | 10 +- mm/page_poison.c | 20 +- mm/page_reporting.c | 4 +- mm/readahead.c | 130 ++++----- mm/rmap.c | 10 +- mm/shmem.c | 2 +- mm/shuffle.c | 2 +- mm/slab.c | 2 +- mm/slab.h | 1 - mm/slub.c | 2 +- mm/sparse.c | 2 + mm/swap_state.c | 2 +- mm/truncate.c | 6 +- mm/util.c | 3 +- mm/vmscan.c | 5 +- mm/vmstat.c | 8 +- mm/workingset.c | 2 +- scripts/Makefile.ubsan | 10 +- scripts/checkpatch.pl | 238 ++++++++++++----- scripts/const_structs.checkpatch | 3 + scripts/gdb/linux/proc.py | 15 +- scripts/gdb/linux/tasks.py | 9 +- scripts/get_maintainer.pl | 9 +- tools/testing/selftests/exec/.gitignore | 1 + tools/testing/selftests/exec/Makefile | 9 +- tools/testing/selftests/exec/load_address.c | 68 +++++ 161 files changed, 2390 insertions(+), 1724 deletions(-) create mode 100644 include/linux/fault-inject-usercopy.h create mode 100644 include/linux/minmax.h create mode 100644 lib/fault-inject-usercopy.c create mode 100644 tools/testing/selftests/exec/load_address.c revisions tested: 16, total time: 3h18m4.25047575s (build: 1h8m39.962306048s, test: 2h7m25.883394089s) first bad commit: c4cf498dc0241fa2d758dba177634268446afb06 Merge branch 'akpm' (patches from Andrew) recipients (to): ["akpm@linux-foundation.org" "clang-built-linux@googlegroups.com" "linux-mm@kvack.org" "natechancellor@gmail.com" "ndesaulniers@google.com" "torvalds@linux-foundation.org"] recipients (cc): ["linux-kernel@vger.kernel.org"] crash: BUG: receive list entry not found for dev vxcan1, id 003, mask C00007FF ------------[ cut here ]------------ BUG: receive list entry not found for dev vxcan1, id 003, mask C00007FF WARNING: CPU: 0 PID: 10315 at net/can/af_can.c:547 can_rx_unregister+0x1b1/0x200 net/can/af_can.c:546 Modules linked in: CPU: 0 PID: 10315 Comm: syz-executor.0 Not tainted 5.9.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:can_rx_unregister+0x1b1/0x200 net/can/af_can.c:546 Code: 18 4c 8b 4c 24 08 48 85 db 0f 85 fb fe ff ff 8b 4c 24 10 8b 54 24 14 48 c7 c6 75 a9 7b 84 48 c7 c7 38 52 79 84 e8 a1 41 3f 00 <0f> 0b 4c 89 e7 e8 65 de 55 00 e9 75 fe ff ff 8b 4c 24 10 8b 54 24 RSP: 0018:ffffc90002b43d78 EFLAGS: 00010286 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000202 RDX: 0000000000000202 RSI: ffffffff84715066 RDI: 00000000ffffffff RBP: ffff8881139d0000 R08: 0000000000000001 R09: 0000000000000001 R10: 0000000000000001 R11: 0000000000000000 R12: ffff88810b6e9b48 R13: ffff88810e09fa00 R14: ffff8881139d0c20 R15: 0000000000000000 FS: 000000000275e940(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000556c118142a8 CR3: 000000011ddfa000 CR4: 00000000001506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: isotp_notifier+0xd4/0x100 net/can/isotp.c:1301 call_netdevice_notifier net/core/dev.c:1734 [inline] call_netdevice_unregister_notifiers+0x76/0xa0 net/core/dev.c:1762 call_netdevice_unregister_net_notifiers net/core/dev.c:1790 [inline] unregister_netdevice_notifier+0x6a/0xb0 net/core/dev.c:1869 isotp_release+0x5a/0x1f0 net/can/isotp.c:1009 __sock_release+0x32/0xa0 net/socket.c:596 sock_close+0xf/0x20 net/socket.c:1277 __fput+0xaa/0x250 fs/file_table.c:281 task_work_run+0x68/0xb0 kernel/task_work.c:141 tracehook_notify_resume include/linux/tracehook.h:188 [inline] exit_to_user_mode_loop kernel/entry/common.c:165 [inline] exit_to_user_mode_prepare+0x1d3/0x1e0 kernel/entry/common.c:192 syscall_exit_to_user_mode+0x38/0x260 kernel/entry/common.c:267 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x417811 Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 a4 1a 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01 RSP: 002b:00007fff4a489420 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: 0000000000000000 RBX: 0000000000000004 RCX: 0000000000417811 RDX: 0000001b2ea20000 RSI: 0000000000000001 RDI: 0000000000000003 RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000 R10: 00007fff4a489500 R11: 0000000000000293 R12: 000000000118c9a0 R13: 000000000118c9a0 R14: 00000000000003e8 R15: 000000000118bf2c