bisecting cause commit starting from 1c200f832e14420fa770193f9871f4ce2df00d07 building syzkaller on aba2b2fb3544d9e42991237c13d8cada421deda5 testing commit 1c200f832e14420fa770193f9871f4ce2df00d07 with gcc (GCC) 10.2.1 20210217 kernel signature: 1dfbeb8bb6e81f05a3e2e8943b093273ff3ae3a25bde93d630d322147a3fee57 all runs: crashed: WARNING: ODEBUG bug in __sk_destruct testing release v5.12 testing commit 9f4ad9e425a1d3b6a34617b8ea226d56a119a717 with gcc (GCC) 10.2.1 20210217 kernel signature: 20a3195b0c2adea39c30d2e9f830a6fa425a34f031f28cd84a5fc4bf09ce8f4d run #0: crashed: WARNING: ODEBUG bug in __sk_destruct run #1: crashed: WARNING: ODEBUG bug in __sk_destruct run #2: OK run #3: OK run #4: crashed: WARNING: ODEBUG bug in __sk_destruct run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK reproducer seems to be flaky testing release v5.11 testing commit f40ddce88593482919761f74910f42f4b84c004b with gcc (GCC) 10.2.1 20210217 kernel signature: 22b26ae1e3be417e2ad324e47433a262e845b6471dfc09f4fa2f647b3330df8e run #0: crashed: WARNING: ODEBUG bug in __sk_destruct run #1: crashed: WARNING: ODEBUG bug in __sk_destruct run #2: OK run #3: OK run #4: OK run #5: crashed: WARNING: ODEBUG bug in __sk_destruct run #6: OK run #7: OK run #8: OK run #9: OK run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK testing release v5.10 testing commit 2c85ebc57b3e1817b6ce1a6b703928e113a90442 with gcc (GCC) 10.2.1 20210217 kernel signature: 8f55ba93fd53951cac9b68b979c728becbef461543abacbe99727324ff41baf6 run #0: OK run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: crashed: WARNING: ODEBUG bug in __sk_destruct run #17: OK run #18: OK run #19: crashed: WARNING: ODEBUG bug in __sk_destruct testing release v5.9 testing commit bbf5c979011a099af5dc76498918ed7df445635b with gcc (GCC) 10.2.1 20210217 kernel signature: f654d07eeb7c456b884d4afbd5bc4d393d1b1677ed42327eee0eaef482a1d4de all runs: OK # git bisect start 2c85ebc57b3e1817b6ce1a6b703928e113a90442 bbf5c979011a099af5dc76498918ed7df445635b Bisecting: 9594 revisions left to test after this (roughly 13 steps) [4d0e9df5e43dba52d38b251e3b909df8fa1110be] lib, uaccess: add failure injection to usercopy functions testing commit 4d0e9df5e43dba52d38b251e3b909df8fa1110be with gcc (GCC) 10.2.1 20210217 kernel signature: c0751ea7a2c1a15199e7ca6e6d5df2d7dc937fdc4850e79fbc7501d5d57e82ca all runs: OK # git bisect good 4d0e9df5e43dba52d38b251e3b909df8fa1110be Bisecting: 4874 revisions left to test after this (roughly 12 steps) [6694875ef8045cdb1e6712ee9b68fe08763507d8] ext4: indicate that fast_commit is available via /sys/fs/ext4/feature/... testing commit 6694875ef8045cdb1e6712ee9b68fe08763507d8 with gcc (GCC) 10.2.1 20210217 kernel signature: f6d0fb4759c5fd1ca2de7faf586c262a09e66dd72ed84e332906355d6226ead1 run #0: crashed: WARNING: ODEBUG bug in __sk_destruct run #1: crashed: WARNING: ODEBUG bug in __sk_destruct run #2: crashed: WARNING: ODEBUG bug in __sk_destruct run #3: OK run #4: OK run #5: OK run #6: OK run #7: crashed: WARNING: ODEBUG bug in __sk_destruct run #8: OK run #9: OK run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK # git bisect bad 6694875ef8045cdb1e6712ee9b68fe08763507d8 Bisecting: 2342 revisions left to test after this (roughly 11 steps) [14c914fcb515c424177bb6848cc2858ebfe717a8] Merge tag 'wireless-drivers-next-2020-10-02' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers-next testing commit 14c914fcb515c424177bb6848cc2858ebfe717a8 with gcc (GCC) 8.4.1 20210217 kernel signature: 3a7a0f000e944a485f54c8d9d0ebd815d36df58284f30929bbc230517726bcb4 all runs: OK # git bisect good 14c914fcb515c424177bb6848cc2858ebfe717a8 Bisecting: 1132 revisions left to test after this (roughly 10 steps) [6f78b9acf04fbf9ede7f4265e7282f9fb39d2c8c] Merge tag 'mtd/for-5.10' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux testing commit 6f78b9acf04fbf9ede7f4265e7282f9fb39d2c8c with gcc (GCC) 10.2.1 20210217 kernel signature: a52fd3aae42fb7f1914c7f081ed559f7ab2a3a6e53f85cfba39676cf9e449c1f run #0: crashed: WARNING: ODEBUG bug in __sk_destruct run #1: crashed: WARNING: ODEBUG bug in __sk_destruct run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: crashed: WARNING: ODEBUG bug in __sk_destruct run #9: OK run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK # git bisect bad 6f78b9acf04fbf9ede7f4265e7282f9fb39d2c8c Bisecting: 672 revisions left to test after this (roughly 9 steps) [c4cf498dc0241fa2d758dba177634268446afb06] Merge branch 'akpm' (patches from Andrew) testing commit c4cf498dc0241fa2d758dba177634268446afb06 with gcc (GCC) 10.2.1 20210217 kernel signature: 6bb01eb5bd338e58110c26f33238fc4fd74b63a4f249bc19e18e0e6ecd146770 run #0: crashed: WARNING: ODEBUG bug in __sk_destruct run #1: crashed: WARNING: ODEBUG bug in __sk_destruct run #2: crashed: WARNING: ODEBUG bug in __sk_destruct run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK # git bisect bad c4cf498dc0241fa2d758dba177634268446afb06 Bisecting: 268 revisions left to test after this (roughly 8 steps) [ee92e4f1f95eb7b8820299f10fc5fba16d85cece] net/mlx5: Add NIC TX domain namespace testing commit ee92e4f1f95eb7b8820299f10fc5fba16d85cece with gcc (GCC) 8.4.1 20210217 kernel signature: d778e593508243aff079317b72b7b0a7abb411b6fb305d6da1201c45d6ab79a0 run #0: crashed: WARNING: ODEBUG bug in __sk_destruct run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK # git bisect bad ee92e4f1f95eb7b8820299f10fc5fba16d85cece Bisecting: 133 revisions left to test after this (roughly 7 steps) [f97db2621b41b98e6e8e0fa8271db3a600fa6335] dt-bindings: can: rcar_can: Document r8a774e1 support testing commit f97db2621b41b98e6e8e0fa8271db3a600fa6335 with gcc (GCC) 8.4.1 20210217 kernel signature: f2c24d49562122bde85bc383223065d593c6322e91e907b0a49001bb6b8ad460 run #0: crashed: WARNING: ODEBUG bug in __sk_destruct run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK # git bisect bad f97db2621b41b98e6e8e0fa8271db3a600fa6335 Bisecting: 61 revisions left to test after this (roughly 6 steps) [321e921daa05dc32a1a89ae458169d7ef783cc84] Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next testing commit 321e921daa05dc32a1a89ae458169d7ef783cc84 with gcc (GCC) 8.4.1 20210217 kernel signature: 465384a870aa8ce878c7faf3ba0b034a3f3a9dbeb7bfb01e8c87de721dfcb5ff all runs: OK # git bisect good 321e921daa05dc32a1a89ae458169d7ef783cc84 Bisecting: 30 revisions left to test after this (roughly 5 steps) [e193c3ab8302908b1378fc0606be561e976d2532] net: atlantic: implement phy downshift feature testing commit e193c3ab8302908b1378fc0606be561e976d2532 with gcc (GCC) 8.4.1 20210217 kernel signature: 7de134e6cca00d2b26810a7a1af465df51b00007413c0146d84e454a3596abb5 all runs: OK # git bisect good e193c3ab8302908b1378fc0606be561e976d2532 Bisecting: 15 revisions left to test after this (roughly 4 steps) [ff419afa43109e05d42d75629f21d9fd87f635ea] ethtool: trim policy tables testing commit ff419afa43109e05d42d75629f21d9fd87f635ea with gcc (GCC) 8.4.1 20210217 kernel signature: bdaad50ce7b4f150792f10f23a4783e89533ee8f2bdcd3d07ad5adca8f44cc3f all runs: OK # git bisect good ff419afa43109e05d42d75629f21d9fd87f635ea Bisecting: 7 revisions left to test after this (roughly 3 steps) [71e663c4a02213d1013a3def4ed10ca63769bbb2] can: c_can: reg_map_{c,d}_can: mark as __maybe_unused testing commit 71e663c4a02213d1013a3def4ed10ca63769bbb2 with gcc (GCC) 8.4.1 20210217 kernel signature: ff09bdbdae81403252b054ef84edd4cbb00d261d72e3ef0129ec0a8b936814f5 all runs: OK # git bisect good 71e663c4a02213d1013a3def4ed10ca63769bbb2 Bisecting: 3 revisions left to test after this (roughly 2 steps) [1c47fa6b31c2683f03bc2f9174902bb7dcd35d83] can: dev: add a helper function to calculate the duration of one bit testing commit 1c47fa6b31c2683f03bc2f9174902bb7dcd35d83 with gcc (GCC) 8.4.1 20210217 kernel signature: b4f74ce8a554237108b2f2efebef60e0fc8986ed75172d5386b79109b151e226 all runs: OK # git bisect good 1c47fa6b31c2683f03bc2f9174902bb7dcd35d83 Bisecting: 1 revision left to test after this (roughly 1 step) [df73446a2882a4336cad473d8eb9d895e49f092b] dt-bindings: can: rcar_can: Add r8a7742 support testing commit df73446a2882a4336cad473d8eb9d895e49f092b with gcc (GCC) 8.4.1 20210217 kernel signature: f2c24d49562122bde85bc383223065d593c6322e91e907b0a49001bb6b8ad460 run #0: OK run #1: OK run #2: OK run #3: OK run #4: OK run #5: crashed: WARNING: ODEBUG bug in __sk_destruct run #6: OK run #7: OK run #8: OK run #9: OK run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: crashed: WARNING: ODEBUG bug in __sk_destruct run #19: OK # git bisect bad df73446a2882a4336cad473d8eb9d895e49f092b Bisecting: 0 revisions left to test after this (roughly 0 steps) [e057dd3fc20ffb3d7f150af46542a51b59b90127] can: add ISO 15765-2:2016 transport protocol testing commit e057dd3fc20ffb3d7f150af46542a51b59b90127 with gcc (GCC) 8.4.1 20210217 kernel signature: f2c24d49562122bde85bc383223065d593c6322e91e907b0a49001bb6b8ad460 run #0: crashed: WARNING: ODEBUG bug in __sk_destruct run #1: crashed: WARNING: ODEBUG bug in __sk_destruct run #2: crashed: WARNING: ODEBUG bug in __sk_destruct run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: crashed: WARNING: ODEBUG bug in __sk_destruct # git bisect bad e057dd3fc20ffb3d7f150af46542a51b59b90127 e057dd3fc20ffb3d7f150af46542a51b59b90127 is the first bad commit commit e057dd3fc20ffb3d7f150af46542a51b59b90127 Author: Oliver Hartkopp Date: Mon Sep 28 22:04:04 2020 +0200 can: add ISO 15765-2:2016 transport protocol CAN Transport Protocols offer support for segmented Point-to-Point communication between CAN nodes via two defined CAN Identifiers. As CAN frames can only transport a small amount of data bytes (max. 8 bytes for 'classic' CAN and max. 64 bytes for CAN FD) this segmentation is needed to transport longer PDUs as needed e.g. for vehicle diagnosis (UDS, ISO 14229) or IP-over-CAN traffic. This protocol driver implements data transfers according to ISO 15765-2:2016 for 'classic' CAN and CAN FD frame types. Signed-off-by: Oliver Hartkopp Link: https://lore.kernel.org/r/20200928200404.82229-1-socketcan@hartkopp.net [mkl: Removed "WITH Linux-syscall-note" from isotp.c. Fixed indention, a checkpatch warning and typos. Replaced __u{8,32} by u{8,32}. Removed always false (optlen < 0) check in isotp_setsockopt().] Signed-off-by: Marc Kleine-Budde MAINTAINERS | 1 + include/uapi/linux/can/isotp.h | 166 +++++ net/can/Kconfig | 13 + net/can/Makefile | 3 + net/can/isotp.c | 1426 ++++++++++++++++++++++++++++++++++++++++ 5 files changed, 1609 insertions(+) create mode 100644 include/uapi/linux/can/isotp.h create mode 100644 net/can/isotp.c culprit signature: f2c24d49562122bde85bc383223065d593c6322e91e907b0a49001bb6b8ad460 parent signature: b4f74ce8a554237108b2f2efebef60e0fc8986ed75172d5386b79109b151e226 Reproducer flagged being flaky revisions tested: 19, total time: 5h46m26.276403037s (build: 2h6m27.116349704s, test: 3h37m20.835765767s) first bad commit: e057dd3fc20ffb3d7f150af46542a51b59b90127 can: add ISO 15765-2:2016 transport protocol recipients (to): ["davem@davemloft.net" "kuba@kernel.org" "linux-can@vger.kernel.org" "mkl@pengutronix.de" "mkl@pengutronix.de" "netdev@vger.kernel.org" "socketcan@hartkopp.net" "socketcan@hartkopp.net"] recipients (cc): ["linux-kernel@vger.kernel.org"] crash: WARNING: ODEBUG bug in __sk_destruct ------------[ cut here ]------------ ODEBUG: free active (active state 0) object type: hrtimer hint: isotp_rx_timer_handler+0x0/0x140 include/linux/can/skb.h:55 WARNING: CPU: 1 PID: 32513 at lib/debugobjects.c:488 debug_print_object+0x197/0x2b0 lib/debugobjects.c:485 Kernel panic - not syncing: panic_on_warn set ... CPU: 1 PID: 32513 Comm: syz-executor212 Not tainted 5.9.0-rc8-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x99/0xd0 lib/dump_stack.c:118 panic+0x2a9/0x532 kernel/panic.c:231 __warn.cold.12+0x25/0x32 kernel/panic.c:600 report_bug+0x1af/0x260 lib/bug.c:198 handle_bug+0x3f/0x70 arch/x86/kernel/traps.c:234 exc_invalid_op+0x13/0x40 arch/x86/kernel/traps.c:254 asm_exc_invalid_op+0x12/0x20 arch/x86/include/asm/idtentry.h:536 RIP: 0010:debug_print_object+0x197/0x2b0 lib/debugobjects.c:485 Code: ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 e3 00 00 00 48 8b 14 dd 80 f4 4b 8b 4c 89 ee 48 c7 c7 a0 59 fd 88 e8 fe ae a9 fd <0f> 0b 83 05 8c ab 4a 09 01 48 83 c4 18 5b 5d 41 5c 41 5d 41 5e c3 RSP: 0000:ffffc90000d90cf0 EFLAGS: 00010282 RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000 RDX: 0000000000000102 RSI: ffffffff8a2dd728 RDI: ffffffff8ee98ee0 RBP: 0000000000000001 R08: ffffed10173e6135 R09: ffffed10173e6135 R10: ffff8880b9f309a7 R11: ffffed10173e6134 R12: ffffffff8a948480 R13: ffffffff88fd5fa0 R14: ffffffff815cfee0 R15: ffff8880a4d984d8 __debug_check_no_obj_freed lib/debugobjects.c:967 [inline] debug_check_no_obj_freed+0x2d5/0x414 lib/debugobjects.c:998 free_pages_prepare mm/page_alloc.c:1214 [inline] __free_pages_ok+0x277/0xe70 mm/page_alloc.c:1471 kfree+0x53f/0x660 mm/slub.c:4116 sk_prot_free net/core/sock.c:1708 [inline] __sk_destruct+0x49b/0x6d0 net/core/sock.c:1793 rcu_do_batch kernel/rcu/tree.c:2430 [inline] rcu_core+0xafb/0x12d0 kernel/rcu/tree.c:2658 __do_softirq+0x1d5/0xa45 kernel/softirq.c:298 asm_call_irq_on_stack+0xf/0x20 __run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline] run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline] do_softirq_own_stack+0xa2/0xd0 arch/x86/kernel/irq_64.c:77 invoke_softirq kernel/softirq.c:393 [inline] __irq_exit_rcu kernel/softirq.c:423 [inline] irq_exit_rcu+0x132/0x150 kernel/softirq.c:435 sysvec_apic_timer_interrupt+0x48/0xd0 arch/x86/kernel/apic/apic.c:1091 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:581 RIP: 0010:clear_page_erms+0x7/0x10 arch/x86/lib/clear_page_64.S:49 Code: 48 89 47 18 48 89 47 20 48 89 47 28 48 89 47 30 48 89 47 38 48 8d 7f 40 75 d9 90 c3 0f 1f 80 00 00 00 00 b9 00 10 00 00 31 c0 aa c3 cc cc cc cc cc cc 48 85 ff 0f 84 d9 02 00 00 48 b8 00 00 RSP: 0000:ffffc9000d7ff990 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffffea00020a1800 RCX: 0000000000000ec0 RDX: 1ffff110133355bb RSI: 0000000000000200 RDI: ffff888082860140 RBP: dffffc0000000000 R08: ffffed10167c7dfe R09: ffffed10167c7dfe R10: ffff8880b3e3efef R11: ffffed10167c7dfd R12: ffff888000000000 R13: 0000160000000000 R14: ffffea00020a8000 R15: ffff8880999a9a80 clear_page arch/x86/include/asm/page_64.h:49 [inline] clear_highpage include/linux/highmem.h:283 [inline] kernel_init_free_pages+0x8f/0x110 mm/page_alloc.c:1163 prep_new_page+0x157/0x240 mm/page_alloc.c:2228 get_page_from_freelist+0x1a3e/0x5d10 mm/page_alloc.c:3844 __alloc_pages_nodemask+0x2cd/0x7d0 mm/page_alloc.c:4895 __alloc_pages include/linux/gfp.h:509 [inline] __alloc_pages_node include/linux/gfp.h:522 [inline] alloc_pages_vma+0x2cb/0x4c0 mm/mempolicy.c:2219 do_huge_pmd_anonymous_page+0x2c3/0x1bf0 mm/huge_memory.c:748 create_huge_pmd mm/memory.c:4282 [inline] __handle_mm_fault mm/memory.c:4506 [inline] handle_mm_fault+0x2602/0x3aa0 mm/memory.c:4633 do_user_addr_fault+0x2c9/0x850 arch/x86/mm/fault.c:1372 handle_page_fault arch/x86/mm/fault.c:1429 [inline] exc_page_fault+0x5e/0xc0 arch/x86/mm/fault.c:1482 asm_exc_page_fault+0x1e/0x30 arch/x86/include/asm/idtentry.h:538 RIP: 0033:0x402abc Code: 00 0f 8f 9f 00 00 00 85 c0 0f 84 7f 10 00 00 83 f8 01 75 52 31 d2 b9 80 00 00 20 bf 10 00 00 00 48 b8 76 63 61 6e 30 00 00 00 <48> 89 04 25 80 00 00 20 31 c0 48 89 14 25 88 00 00 20 48 8b 35 3b RSP: 002b:00007faaa10f8300 EFLAGS: 00010246 RAX: 000000306e616376 RBX: 00000000004d04e0 RCX: 0000000020000080 RDX: 0000000000000000 RSI: 0000000000000080 RDI: 0000000000000010 RBP: 0400000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: ffff000000000000 R13: 0600000000000000 R14: 0104000000000000 R15: 00000000004d04e8 Kernel Offset: disabled Rebooting in 86400 seconds..