bisecting cause commit starting from 09d4f10a5e78d76a53e3e584f1e6a701b6d24108
building syzkaller on 0342f8c7bc656ea8ee3c45e49edeb4ee9cc12cce
testing commit 09d4f10a5e78d76a53e3e584f1e6a701b6d24108 with gcc (GCC) 8.1.0
kernel signature: 0938206b4e791b76f31836ee31a36b58f63f2a4a
all runs: crashed: KASAN: slab-out-of-bounds Write in bitmap_ip_del
testing release v5.4
testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0
kernel signature: 1ee969d7f13661468cd3c50546df7d02a44feb8d
all runs: crashed: KASAN: slab-out-of-bounds Write in bitmap_ip_del
testing release v5.3
testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.1.0
kernel signature: 62267a28b2dad58027a0132855d8fe8e8510ca56
all runs: crashed: KASAN: slab-out-of-bounds Write in bitmap_ip_del
testing release v5.2
testing commit 0ecfebd2b52404ae0c54a878c872bb93363ada36 with gcc (GCC) 8.1.0
kernel signature: 80cfdcae789d62694d9a04a31ab0eb3b6af24b27
all runs: OK
# git bisect start 4d856f72c10ecb060868ed10ff1b1453943fc6c8 0ecfebd2b52404ae0c54a878c872bb93363ada36
Bisecting: 7848 revisions left to test after this (roughly 13 steps)
[43c95d3694cc448fdf50bd53b7ff3a5bb4655883] Merge tag 'pinctrl-v5.3-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl
testing commit 43c95d3694cc448fdf50bd53b7ff3a5bb4655883 with gcc (GCC) 8.1.0
kernel signature: 6c937d31c5c09c5fa9b9ad76b6ebd8a6c531673b
all runs: crashed: KASAN: slab-out-of-bounds Write in bitmap_ip_del
# git bisect bad 43c95d3694cc448fdf50bd53b7ff3a5bb4655883
Bisecting: 4619 revisions left to test after this (roughly 12 steps)
[8f6ccf6159aed1f04c6d179f61f6fb2691261e84] Merge tag 'clone3-v5.3' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux
testing commit 8f6ccf6159aed1f04c6d179f61f6fb2691261e84 with gcc (GCC) 8.1.0
kernel signature: 2d05eea6a7d947fcc17fa33e19c5f47dbec5f329
all runs: OK
# git bisect good 8f6ccf6159aed1f04c6d179f61f6fb2691261e84
Bisecting: 2306 revisions left to test after this (roughly 11 steps)
[753c8d9b7d81206bb5d011b28abe829d364b028e] Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
testing commit 753c8d9b7d81206bb5d011b28abe829d364b028e with gcc (GCC) 8.1.0
kernel signature: 15383aa5beaf174c0287afe1aa9ab6ec5106a8ef
run #0: OK
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: crashed: general protection fault in send_hsr_supervision_frame
# git bisect bad 753c8d9b7d81206bb5d011b28abe829d364b028e
Bisecting: 1156 revisions left to test after this (roughly 10 steps)
[2f9b0d93a9d3ec64558537ab5d7cff820886afa4] net: ethernet: ti: cpsw: Fix suspend/resume break
testing commit 2f9b0d93a9d3ec64558537ab5d7cff820886afa4 with gcc (GCC) 8.1.0
kernel signature: aea8d9393279f614186131ac030bb93251fae40c
all runs: OK
# git bisect good 2f9b0d93a9d3ec64558537ab5d7cff820886afa4
Bisecting: 578 revisions left to test after this (roughly 9 steps)
[354d0fab649d47045517cf7cae03d653a4dcb3b8] net: hns3: add default value for tc_size and tc_offset
testing commit 354d0fab649d47045517cf7cae03d653a4dcb3b8 with gcc (GCC) 8.1.0
kernel signature: 6d46bd43e54d8d0efcbd05ace1886215307c37f9
all runs: OK
# git bisect good 354d0fab649d47045517cf7cae03d653a4dcb3b8
Bisecting: 289 revisions left to test after this (roughly 8 steps)
[52c0609258658ff35b85c654c568a50abd602ac6] bnxt_en: rename some xdp functions
testing commit 52c0609258658ff35b85c654c568a50abd602ac6 with gcc (GCC) 8.1.0
kernel signature: b7e134b318eecc0a3774f026fe10267e89f9ad83
all runs: OK
# git bisect good 52c0609258658ff35b85c654c568a50abd602ac6
Bisecting: 169 revisions left to test after this (roughly 7 steps)
[e858faf556d4e14c750ba1e8852783c6f9520a0e] tcp: Reset bytes_acked and bytes_received when disconnecting
testing commit e858faf556d4e14c750ba1e8852783c6f9520a0e with gcc (GCC) 8.1.0
kernel signature: 57af11dc938d03c7a760ce718e774453ae4a79b8
all runs: OK
# git bisect good e858faf556d4e14c750ba1e8852783c6f9520a0e
Bisecting: 84 revisions left to test after this (roughly 6 steps)
[427545b3046326cd7b4dbbd7869f08737df2ad2b] nfp: tls: count TSO segments separately for the TLS offload
testing commit 427545b3046326cd7b4dbbd7869f08737df2ad2b with gcc (GCC) 8.1.0
kernel signature: 1316d21f944af7cf514ad8927161908c095dc783
run #0: OK
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: crashed: general protection fault in send_hsr_supervision_frame
# git bisect bad 427545b3046326cd7b4dbbd7869f08737df2ad2b
Bisecting: 48 revisions left to test after this (roughly 5 steps)
[bf0bdd1343efbbf65b4d53aef1fce14acbd79d50] xdp: fix race on generic receive path
testing commit bf0bdd1343efbbf65b4d53aef1fce14acbd79d50 with gcc (GCC) 8.1.0
kernel signature: f41431a009eadeac1a6f8c9f206e5cd402ad0ad1
all runs: OK
# git bisect good bf0bdd1343efbbf65b4d53aef1fce14acbd79d50
Bisecting: 24 revisions left to test after this (roughly 5 steps)
[7650b1a9bd693d133a3ec0548ba63e828f34e3ec] Merge branch 'mp-inner-L3'
testing commit 7650b1a9bd693d133a3ec0548ba63e828f34e3ec with gcc (GCC) 8.1.0
kernel signature: 5f09879f4352fbde22add16b5316101cb0ef277b
all runs: OK
# git bisect good 7650b1a9bd693d133a3ec0548ba63e828f34e3ec
Bisecting: 11 revisions left to test after this (roughly 4 steps)
[88e2f2846d901e1d61e99ac1d06544d41f478430] Merge branch 'Add-MPLS-actions-to-TC'
testing commit 88e2f2846d901e1d61e99ac1d06544d41f478430 with gcc (GCC) 8.1.0
kernel signature: 16fde9ed8228f675a43990fdec5dd3af48ed0db5
all runs: OK
# git bisect good 88e2f2846d901e1d61e99ac1d06544d41f478430
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[6c6fbad6576fb19f93770feabcf2d0a30b4ae0e2] Merge branch 'sctp-tidyup'
testing commit 6c6fbad6576fb19f93770feabcf2d0a30b4ae0e2 with gcc (GCC) 8.1.0
kernel signature: 40f39f2bbd5d1341e80105d95f3cbbb92b56e9c3
all runs: OK
# git bisect good 6c6fbad6576fb19f93770feabcf2d0a30b4ae0e2
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[ff8869d5ed4e798c6dad89809689cb9d2e2ab2f8] nfp: tls: move setting ipver_vlan to a helper
testing commit ff8869d5ed4e798c6dad89809689cb9d2e2ab2f8 with gcc (GCC) 8.1.0
kernel signature: 0d823dfac4bff543e37ee8326b021f022e1b3177
failed: failed to create VM pool: failed to delete GCE image: failed to delete image: googleapi: Error 503: Internal error. Please try again or contact Google Support. (Code: '-4143943687057241350'), backendError
# git bisect skip ff8869d5ed4e798c6dad89809689cb9d2e2ab2f8
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[53601c68b8541672e026c0596a9dd8a86d96d7ab] nfp: tls: use unique connection ids instead of 4-tuple for TX
testing commit 53601c68b8541672e026c0596a9dd8a86d96d7ab with gcc (GCC) 8.1.0
kernel signature: 6dc11106edf63093c4997c1db9eabc9f85de3e7c
run #0: OK
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: crashed: general protection fault in send_hsr_supervision_frame
# git bisect bad 53601c68b8541672e026c0596a9dd8a86d96d7ab
Bisecting: 1 revision left to test after this (roughly 1 step)
[0f93242d96ff5a04fe02c4978e8dddb014235971] nfp: tls: ignore queue limits for delete commands
testing commit 0f93242d96ff5a04fe02c4978e8dddb014235971 with gcc (GCC) 8.1.0
kernel signature: 7098d57135fa1beef7547bca1ac1cc7268cc35bf
run #0: OK
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: crashed: general protection fault in send_hsr_supervision_frame
# git bisect bad 0f93242d96ff5a04fe02c4978e8dddb014235971
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[3cab2afb149ceedd324d14c6562224fb925252a6] sctp: remove rcu_read_lock from sctp_bind_addr_state
testing commit 3cab2afb149ceedd324d14c6562224fb925252a6 with gcc (GCC) 8.1.0
kernel signature: c9c1e18f64cfd369d02c8f90eb0be494f379465e
all runs: OK
# git bisect good 3cab2afb149ceedd324d14c6562224fb925252a6
0f93242d96ff5a04fe02c4978e8dddb014235971 is the first bad commit
commit 0f93242d96ff5a04fe02c4978e8dddb014235971
Author: Jakub Kicinski <jakub.kicinski@netronome.com>
Date:   Mon Jul 8 19:53:08 2019 -0700

    nfp: tls: ignore queue limits for delete commands
    
    We need to do our best not to drop delete commands, otherwise
    we will have stale entries in the connection table.  Ignore
    the control message queue limits for delete commands.
    
    Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
    Reviewed-by: Dirk van der Merwe <dirk.vandermerwe@netronome.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ethernet/netronome/nfp/ccm.h        |  4 ++++
 drivers/net/ethernet/netronome/nfp/ccm_mbox.c   | 25 +++++++++++++++++--------
 drivers/net/ethernet/netronome/nfp/crypto/tls.c |  5 +++--
 3 files changed, 24 insertions(+), 10 deletions(-)
culprit signature: 7098d57135fa1beef7547bca1ac1cc7268cc35bf
parent  signature: c9c1e18f64cfd369d02c8f90eb0be494f379465e
revisions tested: 20, total time: 5h6m34.80344893s (build: 2h10m51.170040333s, test: 2h54m1.727821863s)
first bad commit: 0f93242d96ff5a04fe02c4978e8dddb014235971 nfp: tls: ignore queue limits for delete commands
cc: ["davem@davemloft.net" "dirk.vandermerwe@netronome.com" "jakub.kicinski@netronome.com"]
crash: general protection fault in send_hsr_supervision_frame
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.2.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:send_hsr_supervision_frame+0x30/0xf60 net/hsr/hsr_device.c:255
Code: 89 e5 41 57 41 56 41 55 49 89 fd 41 54 41 89 d4 48 89 c2 53 48 c1 ea 03 48 83 ec 50 48 89 45 d0 48 b8 00 00 00 00 00 fc ff df <80> 3c 02 00 89 75 c8 0f 85 83 0c 00 00 48 b8 00 00 00 00 00 fc ff
RSP: 0018:ffff8880ae909c68 EFLAGS: 00010282
RAX: dffffc0000000000 RBX: ffff8880770ceb40 RCX: ffffffff815611e4
RDX: 0000000000000002 RSI: 0000000000000017 RDI: 0000000000000000
RBP: ffff8880ae909ce0 R08: ffffed1015d26c88 R09: ffffed1015d26c87
R10: ffffed1015d26c87 R11: ffff8880ae93643b R12: 0000000000000000
R13: 0000000000000000 R14: ffff8880ae909db8 R15: ffff8880ae924b80
FS:  0000000000000000(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffff600400 CR3: 00000000a0a1f000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 hsr_announce+0xd9/0x2b0 net/hsr/hsr_device.c:339
 call_timer_fn+0x14d/0x510 kernel/time/timer.c:1322
 expire_timers kernel/time/timer.c:1366 [inline]
 __run_timers kernel/time/timer.c:1685 [inline]
 run_timer_softirq+0xc6f/0x1330 kernel/time/timer.c:1698
 __do_softirq+0x260/0x958 kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:373 [inline]
 irq_exit+0x17f/0x1c0 kernel/softirq.c:413
 exiting_irq arch/x86/include/asm/apic.h:536 [inline]
 smp_apic_timer_interrupt+0x13e/0x540 arch/x86/kernel/apic/apic.c:1068
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:806
 </IRQ>
RIP: 0010:native_safe_halt+0x12/0x20 arch/x86/include/asm/irqflags.h:61
Code: 11 ff ff ff 4c 89 e7 e8 7c d4 90 fa eb 97 90 90 90 90 90 90 90 90 90 90 55 48 89 e5 e9 07 00 00 00 0f 00 2d f0 58 5f 00 fb f4 <5d> c3 66 90 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 e5 e9 07 00 00
RSP: 0018:ffff8880a98f7d70 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff13
RAX: dffffc0000000000 RBX: ffff8880a98ea340 RCX: 0000000000000000
RDX: 1ffffffff11243e1 RSI: 0000000000000006 RDI: ffffffff88921f08
RBP: ffff8880a98f7d70 R08: 0000000000000006 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
R13: ffffffff88921ef8 R14: 0000000000000001 R15: ffffffff8967cfb8
 arch_safe_halt arch/x86/include/asm/paravirt.h:156 [inline]
 default_idle+0x51/0x310 arch/x86/kernel/process.c:580
 arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:571
 default_idle_call+0x6d/0x90 kernel/sched/idle.c:94
 cpuidle_idle_call kernel/sched/idle.c:154 [inline]
 do_idle+0x3e4/0x590 kernel/sched/idle.c:263
 cpu_startup_entry+0x18/0x20 kernel/sched/idle.c:354
 start_secondary+0x367/0x4b0 arch/x86/kernel/smpboot.c:265
 secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:243
Modules linked in:
---[ end trace 6b42100a9121a70a ]---
RIP: 0010:send_hsr_supervision_frame+0x30/0xf60 net/hsr/hsr_device.c:255
Code: 89 e5 41 57 41 56 41 55 49 89 fd 41 54 41 89 d4 48 89 c2 53 48 c1 ea 03 48 83 ec 50 48 89 45 d0 48 b8 00 00 00 00 00 fc ff df <80> 3c 02 00 89 75 c8 0f 85 83 0c 00 00 48 b8 00 00 00 00 00 fc ff
RSP: 0018:ffff8880ae909c68 EFLAGS: 00010282
RAX: dffffc0000000000 RBX: ffff8880770ceb40 RCX: ffffffff815611e4
RDX: 0000000000000002 RSI: 0000000000000017 RDI: 0000000000000000
RBP: ffff8880ae909ce0 R08: ffffed1015d26c88 R09: ffffed1015d26c87
R10: ffffed1015d26c87 R11: ffff8880ae93643b R12: 0000000000000000
R13: 0000000000000000 R14: ffff8880ae909db8 R15: ffff8880ae924b80
FS:  0000000000000000(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffff600400 CR3: 00000000a0a1f000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400