bisecting fixing commit since 68d7a45eec101bc1550294c0e675a490c047b2e5
building syzkaller on b0e8efcb4b0aac61f4647a76bbe54a5d38a370ba
testing commit 68d7a45eec101bc1550294c0e675a490c047b2e5 with gcc (GCC) 8.1.0
kernel signature: b6f30f6cb0e68feb2a56e9942f83c7c285820985
all runs: crashed: BUG: unable to handle kernel paging request in slhc_free
testing current HEAD e1f7d50ae3a3ec342e87a9b1ce6787bfb8b3c08b
testing commit e1f7d50ae3a3ec342e87a9b1ce6787bfb8b3c08b with gcc (GCC) 8.1.0
kernel signature: c771ae5a43c7e6b79aef27548cd0c16921d5d708
all runs: OK
# git bisect start e1f7d50ae3a3ec342e87a9b1ce6787bfb8b3c08b 68d7a45eec101bc1550294c0e675a490c047b2e5
Bisecting: 2030 revisions left to test after this (roughly 11 steps)
[7342208d184f19a629231b57495ca7b3093ed280] x86/boot: Preserve boot_params.secure_boot from sanitizing
testing commit 7342208d184f19a629231b57495ca7b3093ed280 with gcc (GCC) 8.1.0
kernel signature: 423e9c1e3cc793120b0c4e1ecdeb5402389af076
all runs: OK
# git bisect bad 7342208d184f19a629231b57495ca7b3093ed280
Bisecting: 1015 revisions left to test after this (roughly 10 steps)
[881758675907d24777742a39c74f1b221b5f0e62] selftests/timers: Add missing fflush(stdout) calls
testing commit 881758675907d24777742a39c74f1b221b5f0e62 with gcc (GCC) 8.1.0
kernel signature: 09fc5fcf06bea645020dd338602541dac6a7d4ca
all runs: OK
# git bisect bad 881758675907d24777742a39c74f1b221b5f0e62
Bisecting: 507 revisions left to test after this (roughly 9 steps)
[b4bde70731bda883987507c96bae07599228b39b] KVM: x86: Skip EFER vs. guest CPUID checks for host-initiated writes
testing commit b4bde70731bda883987507c96bae07599228b39b with gcc (GCC) 8.1.0
kernel signature: 6a45ae27a6f44c8cf2be8847f8425f2e32e0ceba
all runs: OK
# git bisect bad b4bde70731bda883987507c96bae07599228b39b
Bisecting: 253 revisions left to test after this (roughly 8 steps)
[6831e342160b8319801291aeb2ad8d5164176b25] i2c: i2c-stm32f7: Fix SDADEL minimum formula
testing commit 6831e342160b8319801291aeb2ad8d5164176b25 with gcc (GCC) 8.1.0
kernel signature: 6bbf6da5e4f15923abadce576d7df0ae3514ca62
all runs: OK
# git bisect bad 6831e342160b8319801291aeb2ad8d5164176b25
Bisecting: 126 revisions left to test after this (roughly 7 steps)
[fd8e4afb2812bce3ceef6cfad9a08cdaf63f06d3] ipv4: set the tcp_min_rtt_wlen range from 0 to one day
testing commit fd8e4afb2812bce3ceef6cfad9a08cdaf63f06d3 with gcc (GCC) 8.1.0
kernel signature: 04129185ba402ce893c86fb2dcaaf5150d6cbfb8
all runs: OK
# git bisect bad fd8e4afb2812bce3ceef6cfad9a08cdaf63f06d3
Bisecting: 62 revisions left to test after this (roughly 6 steps)
[98ae85677ebfac2fa2243a9c954d96ea58c08e85] mm/vmstat.c: fix /proc/vmstat format for CONFIG_DEBUG_TLBFLUSH=y CONFIG_SMP=n
testing commit 98ae85677ebfac2fa2243a9c954d96ea58c08e85 with gcc (GCC) 8.1.0
kernel signature: 8b68a3854df6c2b67bedfc571a70bd4f95a313d2
run #0: crashed: BUG: unable to handle kernel paging request in slhc_free
run #1: crashed: BUG: unable to handle kernel paging request in slhc_free
run #2: crashed: BUG: unable to handle kernel paging request in slhc_free
run #3: crashed: BUG: unable to handle kernel paging request in slhc_free
run #4: crashed: BUG: unable to handle kernel paging request in slhc_free
run #5: crashed: BUG: unable to handle kernel paging request in slhc_free
run #6: crashed: BUG: unable to handle kernel
run #7: crashed: BUG: unable to handle kernel paging request in slhc_free
run #8: crashed: BUG: unable to handle kernel paging request in slhc_free
run #9: crashed: BUG: unable to handle kernel paging request in slhc_free
# git bisect good 98ae85677ebfac2fa2243a9c954d96ea58c08e85
Bisecting: 31 revisions left to test after this (roughly 5 steps)
[261eff5dd5b67d9424f2ac5f1f95e89fbdc50b3b] Revert "drm/i915/fbdev: Actually configure untiled displays"
testing commit 261eff5dd5b67d9424f2ac5f1f95e89fbdc50b3b with gcc (GCC) 8.1.0
kernel signature: 55fc956d7bed4f760ae921fe615d704eda2f8f5f
all runs: crashed: BUG: unable to handle kernel paging request in slhc_free
# git bisect good 261eff5dd5b67d9424f2ac5f1f95e89fbdc50b3b
Bisecting: 15 revisions left to test after this (roughly 4 steps)
[13af7118da01f6daf6a1aa4cdddc4836952472c3] tipc: check bearer name with right length in tipc_nl_compat_bearer_enable
testing commit 13af7118da01f6daf6a1aa4cdddc4836952472c3 with gcc (GCC) 8.1.0
kernel signature: 6a34208ff757707cf403b41f9f5f3de389d34ac4
all runs: OK
# git bisect bad 13af7118da01f6daf6a1aa4cdddc4836952472c3
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[01b6f50f90387c1f020bcf3cd684d24e3f0c16c5] intel_th: gth: Fix an off-by-one in output unassigning
testing commit 01b6f50f90387c1f020bcf3cd684d24e3f0c16c5 with gcc (GCC) 8.1.0
kernel signature: 57ac49f2b9d8060fc428eccf668efcf2a5c6b875
all runs: OK
# git bisect bad 01b6f50f90387c1f020bcf3cd684d24e3f0c16c5
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[d9d262229d646ca28d3aaca2b46906d92f9b6c6f] ext4: fix some error pointer dereferences
testing commit d9d262229d646ca28d3aaca2b46906d92f9b6c6f with gcc (GCC) 8.1.0
kernel signature: 2b5f1d5b8ceacb38d5e50c964cc7c8a0401e7357
all runs: crashed: BUG: unable to handle kernel paging request in slhc_free
# git bisect good d9d262229d646ca28d3aaca2b46906d92f9b6c6f
Bisecting: 1 revision left to test after this (roughly 1 step)
[7dabc887d133afce32a58c022cb114c53d156e21] tipc: handle the err returned from cmd header function
testing commit 7dabc887d133afce32a58c022cb114c53d156e21 with gcc (GCC) 8.1.0
kernel signature: 6cbf6277c853656d8a2f5a94a4ca1458e9e2c55d
all runs: crashed: BUG: unable to handle kernel paging request in slhc_free
# git bisect good 7dabc887d133afce32a58c022cb114c53d156e21
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[da0bbf51bdcb043fad034b6ccabc0775bd5397bc] slip: make slhc_free() silently accept an error pointer
testing commit da0bbf51bdcb043fad034b6ccabc0775bd5397bc with gcc (GCC) 8.1.0
kernel signature: 045ff5b7bf52a971ab07c4b6e49d222e2ec87ef9
all runs: OK
# git bisect bad da0bbf51bdcb043fad034b6ccabc0775bd5397bc
da0bbf51bdcb043fad034b6ccabc0775bd5397bc is the first bad commit
commit da0bbf51bdcb043fad034b6ccabc0775bd5397bc
Author: Linus Torvalds
Date: Thu Apr 25 16:13:58 2019 -0700

    slip: make slhc_free() silently accept an error pointer

    commit baf76f0c58aec435a3a864075b8f6d8ee5d1f17e upstream.

    This way, slhc_free() accepts what slhc_init() returns, whether that is
    an error or not.

    In particular, the pattern in sl_alloc_bufs() is

        slcomp = slhc_init(16, 16);
        ...
        slhc_free(slcomp);

    for the error handling path, and rather than complicate that code, just
    make it ok to always free what was returned by the init function.

    That's what the code used to do before commit 4ab42d78e37a ("ppp, slip:
    Validate VJ compression slot parameters completely") when slhc_init()
    just returned NULL for the error case, with no actual indication of the
    details of the error.

    Reported-by: syzbot+45474c076a4927533d2e@syzkaller.appspotmail.com
    Fixes: 4ab42d78e37a ("ppp, slip: Validate VJ compression slot parameters completely")
    Acked-by: Ben Hutchings
    Cc: David Miller
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

 drivers/net/slip/slhc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
culprit signature: 045ff5b7bf52a971ab07c4b6e49d222e2ec87ef9
parent signature: 6cbf6277c853656d8a2f5a94a4ca1458e9e2c55d
revisions tested: 14, total time: 3h58m28.810510716s (build: 2h1m23.880985438s, test: 1h55m36.311057073s)
first good commit: da0bbf51bdcb043fad034b6ccabc0775bd5397bc slip: make slhc_free() silently accept an error pointer
cc: ["ben@decadent.org.uk" "gregkh@linuxfoundation.org" "torvalds@linux-foundation.org"]