bisecting cause commit starting from 5e9eeccc58f3e6bcc99b929670665d2ce047e9c9
building syzkaller on 6720fdefa085931a94cd81c6e097a59af54d362d
testing commit 5e9eeccc58f3e6bcc99b929670665d2ce047e9c9 with gcc (GCC) 8.1.0
kernel signature: 155900090f4711da0e36cabf7a4b3e10b68ff46211ed32720f93d82f10c72176
all runs: crashed: WARNING in tipc_msg_append
testing release v5.7
testing commit 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162 with gcc (GCC) 8.1.0
kernel signature: 44fd05fb2c5da5bdbe73d3a84c53a49e613c9ecf26e627f4f7dcbbf8f82ae27b
all runs: OK
# git bisect start 5e9eeccc58f3e6bcc99b929670665d2ce047e9c9 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162
Bisecting: 3623 revisions left to test after this (roughly 12 steps)
[d9afbb3509900a953f5cf90bc57e793ee80c1108] Merge branch 'next-general' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
testing commit d9afbb3509900a953f5cf90bc57e793ee80c1108 with gcc (GCC) 8.1.0
kernel signature: 50d2babae00918fde0826fd55238c0e77b92659d5118711f43a63f7bcb9e96fc
all runs: OK
# git bisect good d9afbb3509900a953f5cf90bc57e793ee80c1108
Bisecting: 1803 revisions left to test after this (roughly 11 steps)
[098205f3c688885394ed1f670a6a7cb4a58728a3] Merge branch '1GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/jkirsher/next-queue
testing commit 098205f3c688885394ed1f670a6a7cb4a58728a3 with gcc (GCC) 8.1.0
kernel signature: 16f4dbe3cff4105500e73b0484a3498a7b76b12eae58a7dee2a91245c92e8a64
all runs: OK
# git bisect good 098205f3c688885394ed1f670a6a7cb4a58728a3
Bisecting: 906 revisions left to test after this (roughly 10 steps)
[cf51abcded837ef209faa03a62b2ea44e45995e8] Merge branch 'Link-based-attach-to-netns'
testing commit cf51abcded837ef209faa03a62b2ea44e45995e8 with gcc (GCC) 8.1.0
kernel signature: a4cee8bd66839286864f8537d349b6b53edbe339b8b2e54e8f3807e9cb9dcc8b
all runs: crashed: general protection fault in __tipc_sendstream
# git bisect bad cf51abcded837ef209faa03a62b2ea44e45995e8
Bisecting: 445 revisions left to test after this (roughly 9 steps)
[5cf2740f1d45f9e17061059812d819c512bba3b8] Merge tag 'mt76-for-kvalo-2020-05-28' of https://github.com/nbd168/wireless
testing commit 5cf2740f1d45f9e17061059812d819c512bba3b8 with gcc (GCC) 8.1.0
kernel signature: 3eb8223112d3a034e2c9935bd8ed1e65e56bcec1642fba917a9e2171ce4b802d
all runs: crashed: general protection fault in __tipc_sendstream
# git bisect bad 5cf2740f1d45f9e17061059812d819c512bba3b8
Bisecting: 236 revisions left to test after this (roughly 8 steps)
[472f0a240250df443ffc4f39835e829916193ca1] mt76: mt7915: Fix build error
testing commit 472f0a240250df443ffc4f39835e829916193ca1 with gcc (GCC) 8.1.0
kernel signature: 6cad2493f42968b63bdb8f067fbcb4e641a297de0e00bb2365dbf1f5b6f2267e
all runs: OK
# git bisect good 472f0a240250df443ffc4f39835e829916193ca1
Bisecting: 118 revisions left to test after this (roughly 7 steps)
[761bc42fbecff8cfb8e529451fd0f13800d050c4] mlxsw: spectrum: Use same switch case for identical groups
testing commit 761bc42fbecff8cfb8e529451fd0f13800d050c4 with gcc (GCC) 8.1.0
kernel signature: fd8bd091e9f73056f2e9f33d59d8d877da0ff319c12fc401df00b84f02ff8747
all runs: crashed: general protection fault in __tipc_sendstream
# git bisect bad 761bc42fbecff8cfb8e529451fd0f13800d050c4
Bisecting: 58 revisions left to test after this (roughly 6 steps)
[c6ed7a5cc2d68c36287c09260dc211173e0447d7] tipc: add back link trace events
testing commit c6ed7a5cc2d68c36287c09260dc211173e0447d7 with gcc (GCC) 8.1.0
kernel signature: 35557c48e3dbf378a06a3a2e8d88b9ad8e9d52f43d7d1417654d7a253a9648e0
all runs: OK
# git bisect good c6ed7a5cc2d68c36287c09260dc211173e0447d7
Bisecting: 29 revisions left to test after this (roughly 5 steps)
[08fad438bed0ada1a3308987862327286fcbb5f5] mac80211: TX legacy rate control for Beacon frames
testing commit 08fad438bed0ada1a3308987862327286fcbb5f5 with gcc (GCC) 8.1.0
kernel signature: 778cb2b36eb069d6ef0fe72012cbe9728c91aa670c3dae6ce555413577c8c600
all runs: OK
# git bisect good 08fad438bed0ada1a3308987862327286fcbb5f5
Bisecting: 14 revisions left to test after this (roughly 4 steps)
[d9c6de35e051c17474ec8a1fe2fdb8cd2b6f1a87] net: phy: mscc-miim: improve waiting logic
testing commit d9c6de35e051c17474ec8a1fe2fdb8cd2b6f1a87 with gcc (GCC) 8.1.0
kernel signature: 2cf3ad016ce74f43be3b9b2e5dc9013d909644736b623f184fbb655d2cb84d01
all runs: crashed: general protection fault in __tipc_sendstream
# git bisect bad d9c6de35e051c17474ec8a1fe2fdb8cd2b6f1a87
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[fb8ddaa915395c97f234340f465a4c424a7be090] Merge tag 'batadv-next-for-davem-20200526' of git://git.open-mesh.org/linux-merge
testing commit fb8ddaa915395c97f234340f465a4c424a7be090 with gcc (GCC) 8.1.0
kernel signature: ed562f1d6586a6c510ace419e67bc5e66f0eef008ff40846b6b94f0db4c0a473
all runs: crashed: general protection fault in __tipc_sendstream
# git bisect bad fb8ddaa915395c97f234340f465a4c424a7be090
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[6a862a44fd0c963f1bcb2ac9299609e1d8c011c2] Merge branch 'tipc-add-some-improvements'
testing commit 6a862a44fd0c963f1bcb2ac9299609e1d8c011c2 with gcc (GCC) 8.1.0
kernel signature: 1459e0f47ff03529dd65ec0cd6d3bf963bace6265941061222d51ca3bbd0c2aa
all runs: crashed: general protection fault in __tipc_sendstream
# git bisect bad 6a862a44fd0c963f1bcb2ac9299609e1d8c011c2
Bisecting: 1 revision left to test after this (roughly 1 step)
[03b6fefd9bb4844c75faeb10df8496794e2fd5da] tipc: add support for broadcast rcv stats dumping
testing commit 03b6fefd9bb4844c75faeb10df8496794e2fd5da with gcc (GCC) 8.1.0
kernel signature: 85ae0835351c475ed2f81392ca057726c21add5a1d99dc7b56ff07477f4babf8
all runs: OK
# git bisect good 03b6fefd9bb4844c75faeb10df8496794e2fd5da
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[0a3e060f340dbe232ffa290c40f879b7f7db595b] tipc: add test for Nagle algorithm effectiveness
testing commit 0a3e060f340dbe232ffa290c40f879b7f7db595b with gcc (GCC) 8.1.0
kernel signature: ef2361470e0554cd41ea3aaa335376d34fcedba7b1d5527671437cbeb83e3b71
all runs: crashed: general protection fault in __tipc_sendstream
# git bisect bad 0a3e060f340dbe232ffa290c40f879b7f7db595b
0a3e060f340dbe232ffa290c40f879b7f7db595b is the first bad commit
commit 0a3e060f340dbe232ffa290c40f879b7f7db595b
Author: Tuong Lien <tuong.t.lien@dektech.com.au>
Date:   Tue May 26 16:38:38 2020 +0700

    tipc: add test for Nagle algorithm effectiveness
    
    When streaming in Nagle mode, we try to bundle small messages from user
    as many as possible if there is one outstanding buffer, i.e. not ACK-ed
    by the receiving side, which helps boost up the overall throughput. So,
    the algorithm's effectiveness really depends on when Nagle ACK comes or
    what the specific network latency (RTT) is, compared to the user's
    message sending rate.
    
    In a bad case, the user's sending rate is low or the network latency is
    small, there will not be many bundles, so making a Nagle ACK or waiting
    for it is not meaningful.
    For example: a user sends its messages every 100ms and the RTT is 50ms,
    then for each messages, we require one Nagle ACK but then there is only
    one user message sent without any bundles.
    
    In a better case, even if we have a few bundles (e.g. the RTT = 300ms),
    but now the user sends messages in medium size, then there will not be
    any difference at all, that says 3 x 1000-byte data messages if bundled
    will still result in 3 bundles with MTU = 1500.
    
    When Nagle is ineffective, the delay in user message sending is clearly
    wasted instead of sending directly.
    
    Besides, adding Nagle ACKs will consume some processor load on both the
    sending and receiving sides.
    
    This commit adds a test on the effectiveness of the Nagle algorithm for
    an individual connection in the network on which it actually runs.
    Particularly, upon receipt of a Nagle ACK we will compare the number of
    bundles in the backlog queue to the number of user messages which would
    be sent directly without Nagle. If the ratio is good (e.g. >= 2), Nagle
    mode will be kept for further message sending. Otherwise, we will leave
    Nagle and put a 'penalty' on the connection, so it will have to spend
    more 'one-way' messages before being able to re-enter Nagle.
    
    In addition, the 'ack-required' bit is only set when really needed that
    the number of Nagle ACKs will be reduced during Nagle mode.
    
    Testing with benchmark showed that with the patch, there was not much
    difference in throughput for small messages since the tool continuously
    sends messages without a break, so Nagle would still take in effect.
    
    Acked-by: Ying Xue <ying.xue@windriver.com>
    Acked-by: Jon Maloy <jmaloy@redhat.com>
    Signed-off-by: Tuong Lien <tuong.t.lien@dektech.com.au>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/tipc/msg.c    |  3 ---
 net/tipc/msg.h    | 14 ++++++++++--
 net/tipc/socket.c | 64 ++++++++++++++++++++++++++++++++++++++++++++-----------
 3 files changed, 64 insertions(+), 17 deletions(-)
culprit signature: ef2361470e0554cd41ea3aaa335376d34fcedba7b1d5527671437cbeb83e3b71
parent  signature: 85ae0835351c475ed2f81392ca057726c21add5a1d99dc7b56ff07477f4babf8
revisions tested: 15, total time: 3h5m50.579511525s (build: 1h27m35.748866566s, test: 1h37m15.891546134s)
first bad commit: 0a3e060f340dbe232ffa290c40f879b7f7db595b tipc: add test for Nagle algorithm effectiveness
cc: ["davem@davemloft.net" "jmaloy@redhat.com" "tuong.t.lien@dektech.com.au" "ying.xue@windriver.com"]
crash: general protection fault in __tipc_sendstream
general protection fault, probably for non-canonical address 0xdffffc0000000019: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x00000000000000c8-0x00000000000000cf]
CPU: 0 PID: 8439 Comm: syz-executor.3 Not tainted 5.7.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__tipc_sendstream+0x8fb/0xe40 net/tipc/socket.c:1591
Code: 00 0f 85 20 04 00 00 49 8b 9d 90 02 00 00 b8 00 00 00 00 48 39 5c 24 20 48 0f 44 d8 48 8d bb c8 00 00 00 48 89 f8 48 c1 e8 03 <80> 3c 28 00 0f 85 fd 03 00 00 48 8b 9b c8 00 00 00 48 89 d8 48 c1
RSP: 0018:ffffc90004927800 EFLAGS: 00010202
RAX: 0000000000000019 RBX: 0000000000000000 RCX: 0000000000000006
RDX: 0000000000000000 RSI: ffffc90004927d88 RDI: 00000000000000c8
RBP: dffffc0000000000 R08: ffff88808eca4348 R09: fffffbfff16ae951
R10: ffffffff8b574a87 R11: fffffbfff16ae950 R12: ffff88808eca45fe
R13: ffff88808eca40c0 R14: ffffc900049278e8 R15: 0000000000000004
FS:  00007f15941d4700(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000004fc610 CR3: 000000009e975000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 tipc_sendstream+0x46/0x60 net/tipc/socket.c:1533
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg+0xac/0xe0 net/socket.c:672
 ____sys_sendmsg+0x39d/0x790 net/socket.c:2352
 ___sys_sendmsg+0xe4/0x160 net/socket.c:2406
 __sys_sendmmsg+0x13e/0x320 net/socket.c:2496
 __do_sys_sendmmsg net/socket.c:2525 [inline]
 __se_sys_sendmmsg net/socket.c:2522 [inline]
 __x64_sys_sendmmsg+0x94/0x100 net/socket.c:2522
 do_syscall_64+0xc6/0x620 arch/x86/entry/common.c:295
 entry_SYSCALL_64_after_hwframe+0x49/0xb3
RIP: 0033:0x45ca69
Code: 0d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f15941d3c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 00000000004fc600 RCX: 000000000045ca69
RDX: 04924924924926c8 RSI: 0000000020236fc8 RDI: 0000000000000004
RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000008de R14: 00000000004cba68 R15: 00007f15941d46d4
Modules linked in:
---[ end trace e8ae6c28e429c315 ]---
RIP: 0010:__tipc_sendstream+0x8fb/0xe40 net/tipc/socket.c:1591
Code: 00 0f 85 20 04 00 00 49 8b 9d 90 02 00 00 b8 00 00 00 00 48 39 5c 24 20 48 0f 44 d8 48 8d bb c8 00 00 00 48 89 f8 48 c1 e8 03 <80> 3c 28 00 0f 85 fd 03 00 00 48 8b 9b c8 00 00 00 48 89 d8 48 c1
RSP: 0018:ffffc90004927800 EFLAGS: 00010202
RAX: 0000000000000019 RBX: 0000000000000000 RCX: 0000000000000006
RDX: 0000000000000000 RSI: ffffc90004927d88 RDI: 00000000000000c8
RBP: dffffc0000000000 R08: ffff88808eca4348 R09: fffffbfff16ae951
R10: ffffffff8b574a87 R11: fffffbfff16ae950 R12: ffff88808eca45fe
R13: ffff88808eca40c0 R14: ffffc900049278e8 R15: 0000000000000004
FS:  00007f15941d4700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000564c13aaab50 CR3: 000000009e975000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400