bisecting fixing commit since 893af1c79e42e53af0da22165b46eea135af0613
building syzkaller on 74d61399c29bb1e38da47fa7fd02a80f06639f7f
testing commit 893af1c79e42e53af0da22165b46eea135af0613 with gcc (GCC) 8.1.0
kernel signature: d0977d3917c6167270c695d4f6fa6db8d3e647b7
all runs: crashed: general protection fault in packet_lookup_frame
testing current HEAD 174651bdf802a2139065e8e31ce950e2f3fc4a94
testing commit 174651bdf802a2139065e8e31ce950e2f3fc4a94 with gcc (GCC) 8.1.0
kernel signature: 3c462f63e0e4b047d9d3ec6abbde64497c042f26
all runs: OK
# git bisect start 174651bdf802a2139065e8e31ce950e2f3fc4a94 893af1c79e42e53af0da22165b46eea135af0613
Bisecting: 1383 revisions left to test after this (roughly 11 steps)
[0c6905197c5ba2bb481058a74c235394a4203e8a] scsi: core: try to get module before removing device
testing commit 0c6905197c5ba2bb481058a74c235394a4203e8a with gcc (GCC) 8.1.0
kernel signature: a519f1025da254b6a3c9c30971d1f969e51248ec
all runs: OK
# git bisect bad 0c6905197c5ba2bb481058a74c235394a4203e8a
Bisecting: 691 revisions left to test after this (roughly 10 steps)
[941431c491a68e0428bdfb46bbe4cbc52f7bfabb] mwifiex: Fix three heap overflow at parsing element in cfg80211_ap_settings
testing commit 941431c491a68e0428bdfb46bbe4cbc52f7bfabb with gcc (GCC) 8.1.0
kernel signature: 4830056eb7cdc80395600730c804932ffbcdef4f
all runs: OK
# git bisect bad 941431c491a68e0428bdfb46bbe4cbc52f7bfabb
Bisecting: 345 revisions left to test after this (roughly 9 steps)
[ce1c894e1e89101169c1ea6fb084d25dc44898fc] intel_th: pci: Add support for another Lewisburg PCH
testing commit ce1c894e1e89101169c1ea6fb084d25dc44898fc with gcc (GCC) 8.1.0
kernel signature: eb1caf2499339853ab940b509139c772d7be72f3
all runs: OK
# git bisect bad ce1c894e1e89101169c1ea6fb084d25dc44898fc
Bisecting: 172 revisions left to test after this (roughly 8 steps)
[e89bb758c030150f6cf0a990011f109258b815dd] team: Add vlan tx offload to hw_enc_features
testing commit e89bb758c030150f6cf0a990011f109258b815dd with gcc (GCC) 8.1.0
kernel signature: 3abfe9758549dc9e0a6f2b181fa0242334c9f907
all runs: OK
# git bisect bad e89bb758c030150f6cf0a990011f109258b815dd
Bisecting: 85 revisions left to test after this (roughly 7 steps)
[2bc73d91411423dd7092596f9c0f91d3ea5a9e26] KVM: Fix leak vCPU's VMCS value into other pCPU
testing commit 2bc73d91411423dd7092596f9c0f91d3ea5a9e26 with gcc (GCC) 8.1.0
kernel signature: 7f6b1deac711be16c3ea3289bc9c9d674b7fe583
all runs: crashed: general protection fault in packet_lookup_frame
# git bisect good 2bc73d91411423dd7092596f9c0f91d3ea5a9e26
Bisecting: 42 revisions left to test after this (roughly 6 steps)
[3435e025ed71f4b3243e0c5209e2669d79ceff96] scsi: hpsa: correct scsi command status issue after reset
testing commit 3435e025ed71f4b3243e0c5209e2669d79ceff96 with gcc (GCC) 8.1.0
kernel signature: 7f31c176daebc650027fd56d01d4447b0ebc8a07
all runs: crashed: general protection fault in packet_lookup_frame
# git bisect good 3435e025ed71f4b3243e0c5209e2669d79ceff96
Bisecting: 21 revisions left to test after this (roughly 5 steps)
[367d103a4a937cfdb2fbccdb860099cdb8487180] iio: adc: max9611: Fix temperature reading in probe
testing commit 367d103a4a937cfdb2fbccdb860099cdb8487180 with gcc (GCC) 8.1.0
kernel signature: 0bd50065d5570aac52e9c07f99f13ef461dff6ce
all runs: crashed: general protection fault in packet_lookup_frame
# git bisect good 367d103a4a937cfdb2fbccdb860099cdb8487180
Bisecting: 10 revisions left to test after this (roughly 4 steps)
[30b9da0ec2a2f93b2f78ee54732185ce30c19df3] arm64: ftrace: Ensure module ftrace trampoline is coherent with I-side
testing commit 30b9da0ec2a2f93b2f78ee54732185ce30c19df3 with gcc (GCC) 8.1.0
kernel signature: 686e1bb4505650fb95c9b5bf0b5dc00ac4d8a0de
all runs: crashed: general protection fault in packet_lookup_frame
# git bisect good 30b9da0ec2a2f93b2f78ee54732185ce30c19df3
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[d61d8ea9ca1296fcdf1ed2eb979a18c09bce5581] bonding: Add vlan tx offload to hw_enc_features
testing commit d61d8ea9ca1296fcdf1ed2eb979a18c09bce5581 with gcc (GCC) 8.1.0
kernel signature: e129c739930c4fd45065c6d54186dc6e21bee4cf
all runs: crashed: general protection fault in packet_lookup_frame
# git bisect good d61d8ea9ca1296fcdf1ed2eb979a18c09bce5581
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[154e6bc497c9c4dd4c8ce41a10615dbe474135cf] net/packet: fix race in tpacket_snd()
testing commit 154e6bc497c9c4dd4c8ce41a10615dbe474135cf with gcc (GCC) 8.1.0
kernel signature: 5a37652c331b06f160d5cef0da490280be953095
all runs: OK
# git bisect bad 154e6bc497c9c4dd4c8ce41a10615dbe474135cf
Bisecting: 0 revisions left to test after this (roughly 1 step)
[f588dccfc13714bed02c036dde2daf16e625b499] net/mlx4_en: fix a memory leak bug
testing commit f588dccfc13714bed02c036dde2daf16e625b499 with gcc (GCC) 8.1.0
kernel signature: 90d68e7e24105913c0afe13c465ca58669bf82ab
run #0: crashed: general protection fault in packet_lookup_frame
run #1: crashed: general protection fault in packet_lookup_frame
run #2: crashed: general protection fault in packet_lookup_frame
run #3: crashed: general protection fault in packet_lookup_frame
run #4: crashed: general protection fault in packet_lookup_frame
run #5: crashed: general protection fault in packet_lookup_frame
run #6: crashed: general protection fault in packet_lookup_frame
run #7: crashed: general protection fault in packet_lookup_frame
run #8: crashed: general protection fault in packet_lookup_frame
run #9: OK
# git bisect good f588dccfc13714bed02c036dde2daf16e625b499
154e6bc497c9c4dd4c8ce41a10615dbe474135cf is the first bad commit
commit 154e6bc497c9c4dd4c8ce41a10615dbe474135cf
Author: Eric Dumazet
Date: Wed Aug 14 02:11:57 2019 -0700

    net/packet: fix race in tpacket_snd()

    [ Upstream commit 32d3182cd2cd29b2e7e04df7b0db350fbe11289f ]

    packet_sendmsg() checks tx_ring.pg_vec to decide
    if it must call tpacket_snd().

    Problem is that the check is lockless, meaning another thread
    can issue a concurrent setsockopt(PACKET_TX_RING ) to flip
    tx_ring.pg_vec back to NULL.

    Given that tpacket_snd() grabs pg_vec_lock mutex, we can
    perform the check again to solve the race.

    syzbot reported :

    kasan: CONFIG_KASAN_INLINE enabled
    kasan: GPF could be caused by NULL-ptr deref or user memory access
    general protection fault: 0000 [#1] PREEMPT SMP KASAN
    CPU: 1 PID: 11429 Comm: syz-executor394 Not tainted 5.3.0-rc4+ #101
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    RIP: 0010:packet_lookup_frame+0x8d/0x270 net/packet/af_packet.c:474
    Code: c1 ee 03 f7 73 0c 80 3c 0e 00 0f 85 cb 01 00 00 48 8b 0b 89 c0 4c 8d 24 c1 48 b8 00 00 00 00 00 fc ff df 4c 89 e1 48 c1 e9 03 <80> 3c 01 00 0f 85 94 01 00 00 48 8d 7b 10 4d 8b 3c 24 48 b8 00 00
    RSP: 0018:ffff88809f82f7b8 EFLAGS: 00010246
    RAX: dffffc0000000000 RBX: ffff8880a45c7030 RCX: 0000000000000000
    RDX: 0000000000000000 RSI: 1ffff110148b8e06 RDI: ffff8880a45c703c
    RBP: ffff88809f82f7e8 R08: ffff888087aea200 R09: fffffbfff134ae50
    R10: fffffbfff134ae4f R11: ffffffff89a5727f R12: 0000000000000000
    R13: 0000000000000001 R14: ffff8880a45c6ac0 R15: 0000000000000000
    FS: 00007fa04716f700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
    CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00007fa04716edb8 CR3: 0000000091eb4000 CR4: 00000000001406e0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    Call Trace:
     packet_current_frame net/packet/af_packet.c:487 [inline]
     tpacket_snd net/packet/af_packet.c:2667 [inline]
     packet_sendmsg+0x590/0x6250 net/packet/af_packet.c:2975
     sock_sendmsg_nosec net/socket.c:637 [inline]
     sock_sendmsg+0xd7/0x130 net/socket.c:657
     ___sys_sendmsg+0x3e2/0x920 net/socket.c:2311
     __sys_sendmmsg+0x1bf/0x4d0 net/socket.c:2413
     __do_sys_sendmmsg net/socket.c:2442 [inline]
     __se_sys_sendmmsg net/socket.c:2439 [inline]
     __x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2439
     do_syscall_64+0xfd/0x6a0 arch/x86/entry/common.c:296
     entry_SYSCALL_64_after_hwframe+0x49/0xbe

    Fixes: 69e3c75f4d54 ("net: TX_RING and packet mmap")
    Signed-off-by: Eric Dumazet
    Reported-by: syzbot
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

 net/packet/af_packet.c | 7 +++++++
 1 file changed, 7 insertions(+)
kernel signature: 5a37652c331b06f160d5cef0da490280be953095
previous signature: 90d68e7e24105913c0afe13c465ca58669bf82ab
revisions tested: 13, total time: 3h23m54.033656395s (build: 1h48m52.91018566s, test: 1h30m30.719252566s)
first good commit: 154e6bc497c9c4dd4c8ce41a10615dbe474135cf net/packet: fix race in tpacket_snd()
cc: ["davem@davemloft.net" "edumazet@google.com" "gregkh@linuxfoundation.org" "jgg@ziepe.ca" "linux-kernel@vger.kernel.org" "maxime.chevallier@bootlin.com" "netdev@vger.kernel.org" "nhorman@tuxdriver.com" "nicolas.dichtel@6wind.com" "willemb@google.com" "yuehaibing@huawei.com"]