bisecting cause commit starting from 14240d4c5b25d087529691ccf4d7ea256f26cfdf building syzkaller on b22a7ec30951c01f7f54f811b7f636987c86b0ca testing commit 14240d4c5b25d087529691ccf4d7ea256f26cfdf with gcc (GCC) 8.1.0 kernel signature: fd174baf6b0ef249ae887a2cc1c161a5569486d8b211c355bd04b4d306ca3072 all runs: crashed: UBSAN: shift-out-of-bounds in tcf_police_init testing release v5.9 testing commit bbf5c979011a099af5dc76498918ed7df445635b with gcc (GCC) 8.1.0 kernel signature: 48a44b356059ba46606be11d05f4af2fd4977ae6064a111f191a24ab366037c1 all runs: crashed: UBSAN: shift-out-of-bounds in tcf_police_init testing release v5.8 testing commit bcf876870b95592b52519ed4aafcf9d95999bc9c with gcc (GCC) 8.1.0 kernel signature: 22aa95b7e7e6aea83bcbde6ee96bb510036c390ecb1edc1d673d8134021fdfef all runs: crashed: UBSAN: shift-out-of-bounds in tcf_police_init testing release v5.7 testing commit 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162 with gcc (GCC) 8.1.0 kernel signature: f5d9faac2087b090050e744a65f37f315c08f987da9cd1b89f915d62396835a7 all runs: crashed: UBSAN: shift-out-of-bounds in tcf_police_init testing release v5.6 testing commit 7111951b8d4973bda27ff663f2cf18b663d15b48 with gcc (GCC) 8.1.0 kernel signature: c44a15efe9f4dddfd3265e3ee72039e8fedc8e1a971752bf1b7899bdd24b69bf all runs: crashed: UBSAN: undefined-behaviour in tcf_police_init testing release v5.5 testing commit d5226fa6dbae0569ee43ecfc08bdcd6770fc4755 with gcc (GCC) 8.1.0 kernel signature: 0965e741efe2c9a43f96ed4ce7756181094148b594e50125c1ef55585450eb5a all runs: crashed: UBSAN: undefined-behaviour in tcf_police_init testing release v5.4 testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0 kernel signature: dc0e86cd1e84b0f0c4d2d664ac1a48c712bc8a201fcae8c2993a60e9b2ae998d all runs: crashed: UBSAN: undefined-behaviour in tcf_police_init testing release v5.3 testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.1.0 kernel signature: b037b1dd21cfbbefec3369d9afc20b2628ba8eb7e83fdf09374888aacb7ba29f all runs: crashed: UBSAN: undefined-behaviour in tcf_police_init testing release v5.2 testing commit 0ecfebd2b52404ae0c54a878c872bb93363ada36 with gcc (GCC) 8.1.0 kernel signature: 93349bcc046589cc66751b3d8ad6ba9fb4ca2c06a1b85b534c498825df415deb all runs: OK # git bisect start 4d856f72c10ecb060868ed10ff1b1453943fc6c8 0ecfebd2b52404ae0c54a878c872bb93363ada36 Bisecting: 7848 revisions left to test after this (roughly 13 steps) [43c95d3694cc448fdf50bd53b7ff3a5bb4655883] Merge tag 'pinctrl-v5.3-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl testing commit 43c95d3694cc448fdf50bd53b7ff3a5bb4655883 with gcc (GCC) 8.1.0 kernel signature: 4b747527b370f278b80d519a08704a1fc4ac66ba20bd6b27f495df0b418aff47 all runs: OK # git bisect good 43c95d3694cc448fdf50bd53b7ff3a5bb4655883 Bisecting: 3922 revisions left to test after this (roughly 12 steps) [0e2a5b5bd9a6aaec85df347dd71432a1d2d10763] Merge branch 'parisc-5.3-2' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux testing commit 0e2a5b5bd9a6aaec85df347dd71432a1d2d10763 with gcc (GCC) 8.1.0 kernel signature: 06dcfd250fb274a9fe2fb07378c6eb8a4e95f2d219b45ef696d8b7c7d9a2cb11 all runs: OK # git bisect good 0e2a5b5bd9a6aaec85df347dd71432a1d2d10763 Bisecting: 1961 revisions left to test after this (roughly 11 steps) [12a6d2940b5f02b4b9f71ce098e3bb02bc24a9ea] perf record: Fix module size on s390 testing commit 12a6d2940b5f02b4b9f71ce098e3bb02bc24a9ea with gcc (GCC) 8.1.0 kernel signature: c4a5150bcf96ab1856acb6f19de3303af1db0fe4daaec11fc4c37746faa28403 all runs: OK # git bisect good 12a6d2940b5f02b4b9f71ce098e3bb02bc24a9ea Bisecting: 984 revisions left to test after this (roughly 10 steps) [85d8d3b172eb37b23dcdbe9fa7a85e343642bfea] Merge tag 'hyperv-fixes-signed' of git://git.kernel.org/pub/scm/linux/kernel/git/hyperv/linux testing commit 85d8d3b172eb37b23dcdbe9fa7a85e343642bfea with gcc (GCC) 8.1.0 kernel signature: a6aaaa64abec79bd8cddb84ef667b4c604e7f718b70c2b19fcd42d00f5b29a58 all runs: OK # git bisect good 85d8d3b172eb37b23dcdbe9fa7a85e343642bfea Bisecting: 496 revisions left to test after this (roughly 9 steps) [6525771f58cbc6ab97b5cff9069865cde8283346] Merge tag 'arc-5.3-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/vgupta/arc testing commit 6525771f58cbc6ab97b5cff9069865cde8283346 with gcc (GCC) 8.1.0 kernel signature: 9a462afe28ae01e0cddc669c0d79ba61e80d3dbeb517e7d823252aadfad2fef2 all runs: OK # git bisect good 6525771f58cbc6ab97b5cff9069865cde8283346 Bisecting: 251 revisions left to test after this (roughly 8 steps) [345464fb760d1b772e891538b498e111c588b692] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net testing commit 345464fb760d1b772e891538b498e111c588b692 with gcc (GCC) 8.1.0 kernel signature: e54ea1d71c5d55336ccad843207187169acce277788afbdc38229b71e384ba35 run #0: OK run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: crashed: general protection fault in batadv_iv_ogm_queue_add reproducer seems to be flaky # git bisect bad 345464fb760d1b772e891538b498e111c588b692 Bisecting: 123 revisions left to test after this (roughly 7 steps) [31bb5feb0d2809e60f0f27dc7703417129b814bf] Merge branch 'akpm' (patches from Andrew) testing commit 31bb5feb0d2809e60f0f27dc7703417129b814bf with gcc (GCC) 8.1.0 kernel signature: a2f474923c549ed4daf678ac94ad9f5314847975e53b63ebc364e04cc18ca8ed all runs: OK # git bisect good 31bb5feb0d2809e60f0f27dc7703417129b814bf Bisecting: 61 revisions left to test after this (roughly 6 steps) [879c3808a4a126d271c4f39cd93f6252c72340bf] Merge branch 'net-aquantia-fixes-on-vlan-filters-and-other-conditions' testing commit 879c3808a4a126d271c4f39cd93f6252c72340bf with gcc (GCC) 8.1.0 kernel signature: 8621540b9608b5ea4318cfc98b8e8f649895519151397c8fcdb672a716f2b4ad all runs: OK # git bisect good 879c3808a4a126d271c4f39cd93f6252c72340bf Bisecting: 38 revisions left to test after this (roughly 5 steps) [eea173097dfbb44855e3cf03c09eb5a665c20438] Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux testing commit eea173097dfbb44855e3cf03c09eb5a665c20438 with gcc (GCC) 8.1.0 kernel signature: 99e3f3ff6517bdc478cdab638e75b8d85c9ce7bf9800a71eb94584ec18e21660 all runs: OK # git bisect good eea173097dfbb44855e3cf03c09eb5a665c20438 Bisecting: 19 revisions left to test after this (roughly 4 steps) [9eb4b5180d33c827f16829644ae0cd7382ecdb82] tools/power turbostat: update version number testing commit 9eb4b5180d33c827f16829644ae0cd7382ecdb82 with gcc (GCC) 8.1.0 kernel signature: bbb486cb9347c6eb7a03c7c3da8be7cd10a0a89f21409524c0af5b1ddfc4c578 all runs: OK # git bisect good 9eb4b5180d33c827f16829644ae0cd7382ecdb82 Bisecting: 7 revisions left to test after this (roughly 3 steps) [9f159ae07f07fc540290f21937231034f554bdd7] Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip testing commit 9f159ae07f07fc540290f21937231034f554bdd7 with gcc (GCC) 8.1.0 kernel signature: 5358ced9ef7b670e3c04275a18d32a53aaaeaba64abcabf777cd422bd39ee51d all runs: OK # git bisect good 9f159ae07f07fc540290f21937231034f554bdd7 Bisecting: 3 revisions left to test after this (roughly 2 steps) [02a3f0d5a70a865d55c4b7cb2e327cb30491f7fd] tc-testing: don't hardcode 'ip' in nsPlugin.py testing commit 02a3f0d5a70a865d55c4b7cb2e327cb30491f7fd with gcc (GCC) 8.1.0 kernel signature: 8621540b9608b5ea4318cfc98b8e8f649895519151397c8fcdb672a716f2b4ad all runs: OK # git bisect good 02a3f0d5a70a865d55c4b7cb2e327cb30491f7fd Bisecting: 1 revision left to test after this (roughly 1 step) [dd7078f05e1b774a9e8c9f117101d97e4ccd0691] enetc: Add missing call to 'pci_free_irq_vectors()' in probe and remove functions testing commit dd7078f05e1b774a9e8c9f117101d97e4ccd0691 with gcc (GCC) 8.1.0 kernel signature: 8621540b9608b5ea4318cfc98b8e8f649895519151397c8fcdb672a716f2b4ad all runs: OK # git bisect good dd7078f05e1b774a9e8c9f117101d97e4ccd0691 Bisecting: 0 revisions left to test after this (roughly 0 steps) [e1e54ec7fb55501c33b117c111cb0a045b8eded2] net: seeq: Fix the function used to release some memory in an error handling path testing commit e1e54ec7fb55501c33b117c111cb0a045b8eded2 with gcc (GCC) 8.1.0 kernel signature: 8621540b9608b5ea4318cfc98b8e8f649895519151397c8fcdb672a716f2b4ad all runs: OK # git bisect good e1e54ec7fb55501c33b117c111cb0a045b8eded2 345464fb760d1b772e891538b498e111c588b692 is the first bad commit commit 345464fb760d1b772e891538b498e111c588b692 Merge: 9f159ae07f07 e1e54ec7fb55 Author: Linus Torvalds Date: Sun Sep 1 18:45:28 2019 -0700 Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net Pull networking fixes from David Miller: 1) Fix some length checks during OGM processing in batman-adv, from Sven Eckelmann. 2) Fix regression that caused netfilter conntrack sysctls to not be per-netns any more. From Florian Westphal. 3) Use after free in netpoll, from Feng Sun. 4) Guard destruction of pfifo_fast per-cpu qdisc stats with qdisc_is_percpu_stats(), from Davide Caratti. Similar bug is fixed in pfifo_fast_enqueue(). 5) Fix memory leak in mld_del_delrec(), from Eric Dumazet. 6) Handle neigh events on internal ports correctly in nfp, from John Hurley. 7) Clear SKB timestamp in NF flow table code so that it does not confuse fq scheduler. From Florian Westphal. 8) taprio destroy can crash if it is invoked in a failure path of taprio_init(), because the list head isn't setup properly yet and the list del is unconditional. Perform the list add earlier to address this. From Vladimir Oltean. 9) Make sure to reapply vlan filters on device up, in aquantia driver. From Dmitry Bogdanov. 10) sgiseeq driver releases DMA memory using free_page() instead of dma_free_attrs(). From Christophe JAILLET. * git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (58 commits) net: seeq: Fix the function used to release some memory in an error handling path enetc: Add missing call to 'pci_free_irq_vectors()' in probe and remove functions net: bcmgenet: use ethtool_op_get_ts_info() tc-testing: don't hardcode 'ip' in nsPlugin.py net: dsa: microchip: add KSZ8563 compatibility string dt-bindings: net: dsa: document additional Microchip KSZ8563 switch net: aquantia: fix out of memory condition on rx side net: aquantia: linkstate irq should be oneshot net: aquantia: reapply vlan filters on up net: aquantia: fix limit of vlan filters net: aquantia: fix removal of vlan 0 net/sched: cbs: Set default link speed to 10 Mbps in cbs_set_port_rate taprio: Set default link speed to 10 Mbps in taprio_set_picos_per_byte taprio: Fix kernel panic in taprio_destroy net: dsa: microchip: fill regmap_config name rxrpc: Fix lack of conn cleanup when local endpoint is cleaned up [ver #2] net: stmmac: dwmac-rk: Don't fail if phy regulator is absent amd-xgbe: Fix error path in xgbe_mod_init() netfilter: nft_meta_bridge: Fix get NFT_META_BRI_IIFVPROTO in network byteorder mac80211: Correctly set noencrypt for PAE frames ... Documentation/devicetree/bindings/net/dsa/ksz.txt | 1 + Documentation/devicetree/bindings/net/macb.txt | 4 +- drivers/net/dsa/microchip/ksz9477_spi.c | 1 + drivers/net/dsa/microchip/ksz_common.h | 1 + drivers/net/ethernet/amd/xgbe/xgbe-main.c | 10 +- .../net/ethernet/aquantia/atlantic/aq_filters.c | 5 +- drivers/net/ethernet/aquantia/atlantic/aq_main.c | 4 + drivers/net/ethernet/aquantia/atlantic/aq_nic.c | 2 +- drivers/net/ethernet/aquantia/atlantic/aq_vec.c | 3 +- drivers/net/ethernet/broadcom/genet/bcmgenet.c | 1 + drivers/net/ethernet/cadence/macb_main.c | 2 +- drivers/net/ethernet/freescale/enetc/enetc_ptp.c | 5 +- drivers/net/ethernet/ibm/ibmvnic.c | 6 +- drivers/net/ethernet/marvell/sky2.c | 7 + drivers/net/ethernet/netronome/nfp/bpf/jit.c | 17 +- .../net/ethernet/netronome/nfp/flower/offload.c | 7 +- .../ethernet/netronome/nfp/flower/tunnel_conf.c | 8 +- drivers/net/ethernet/seeq/sgiseeq.c | 7 +- drivers/net/ethernet/stmicro/stmmac/dwmac-rk.c | 6 +- drivers/net/phy/phy-c45.c | 26 ++ drivers/net/phy/phy.c | 2 +- drivers/net/usb/r8152.c | 5 +- drivers/net/wireless/intel/iwlwifi/cfg/22000.c | 24 ++ drivers/net/wireless/intel/iwlwifi/iwl-config.h | 2 + drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 4 + drivers/net/wireless/intel/iwlwifi/pcie/trans.c | 7 +- include/linux/phy.h | 1 + include/net/act_api.h | 4 +- include/net/psample.h | 1 + include/trace/events/rxrpc.h | 59 ++-- kernel/bpf/core.c | 8 +- net/batman-adv/bat_iv_ogm.c | 20 +- net/batman-adv/bat_v_ogm.c | 18 +- net/bridge/netfilter/nft_meta_bridge.c | 2 +- net/core/netpoll.c | 6 +- net/dsa/tag_8021q.c | 2 + net/ipv4/tcp.c | 30 +- net/ipv4/tcp_output.c | 3 +- net/ipv6/mcast.c | 5 +- net/mac80211/rx.c | 6 +- net/netfilter/nf_conntrack_ftp.c | 2 +- net/netfilter/nf_conntrack_standalone.c | 5 + net/netfilter/nf_flow_table_ip.c | 3 +- net/netfilter/xt_physdev.c | 6 +- net/openvswitch/conntrack.c | 5 + net/openvswitch/flow.c | 160 ++++++----- net/openvswitch/flow.h | 1 + net/psample/psample.c | 2 +- net/rds/recv.c | 5 +- net/rxrpc/af_rxrpc.c | 3 - net/rxrpc/ar-internal.h | 17 +- net/rxrpc/call_event.c | 8 +- net/rxrpc/call_object.c | 33 ++- net/rxrpc/conn_client.c | 44 +++ net/rxrpc/conn_event.c | 6 +- net/rxrpc/conn_object.c | 2 +- net/rxrpc/input.c | 304 +++++++++++---------- net/rxrpc/local_event.c | 4 +- net/rxrpc/local_object.c | 5 +- net/rxrpc/output.c | 6 +- net/rxrpc/peer_event.c | 10 +- net/rxrpc/protocol.h | 9 + net/rxrpc/recvmsg.c | 47 ++-- net/rxrpc/rxkad.c | 32 +-- net/rxrpc/sendmsg.c | 13 +- net/rxrpc/skbuff.c | 40 ++- net/sched/act_bpf.c | 2 +- net/sched/act_connmark.c | 2 +- net/sched/act_csum.c | 2 +- net/sched/act_ct.c | 2 +- net/sched/act_ctinfo.c | 2 +- net/sched/act_gact.c | 2 +- net/sched/act_ife.c | 2 +- net/sched/act_ipt.c | 11 +- net/sched/act_mirred.c | 2 +- net/sched/act_mpls.c | 2 +- net/sched/act_nat.c | 2 +- net/sched/act_pedit.c | 2 +- net/sched/act_police.c | 2 +- net/sched/act_sample.c | 8 +- net/sched/act_simple.c | 2 +- net/sched/act_skbedit.c | 2 +- net/sched/act_skbmod.c | 2 +- net/sched/act_tunnel_key.c | 2 +- net/sched/act_vlan.c | 2 +- net/sched/sch_cbs.c | 19 +- net/sched/sch_generic.c | 19 +- net/sched/sch_taprio.c | 31 ++- .../selftests/tc-testing/plugin-lib/nsPlugin.py | 22 +- 89 files changed, 761 insertions(+), 487 deletions(-) Reproducer flagged being flaky revisions tested: 23, total time: 4h56m41.52844783s (build: 2h7m9.073972423s, test: 2h46m54.116721536s) first bad commit: 345464fb760d1b772e891538b498e111c588b692 Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net recipients (to): ["torvalds@linux-foundation.org"] recipients (cc): [] crash: general protection fault in batadv_iv_ogm_queue_add kasan: CONFIG_KASAN_INLINE enabled kasan: GPF could be caused by NULL-ptr deref or user memory access general protection fault: 0000 [#1] PREEMPT SMP KASAN CPU: 1 PID: 21 Comm: kworker/u4:1 Not tainted 5.3.0-rc6-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: bat_events batadv_iv_send_outstanding_bat_ogm_packet RIP: 0010:batadv_iv_ogm_queue_add+0x9b/0xe50 net/batman-adv/bat_iv_ogm.c:605 Code: 44 89 8d 64 ff ff ff c7 02 f1 f1 f1 f1 c7 42 04 04 f2 f2 f2 48 89 fa 65 48 8b 0c 25 28 00 00 00 48 89 4d d0 31 c9 48 c1 ea 03 <0f> b6 04 02 48 89 fa 83 e2 07 38 d0 7f 08 84 c0 0f 85 99 0b 00 00 RSP: 0018:ffff8880b5157aa8 EFLAGS: 00010246 RAX: dffffc0000000000 RBX: ffff8880b4798b40 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: ffff8880b5157bc0 R08: ffff888098089b80 R09: 0000000000000001 R10: ffffed1016a2af8c R11: 0000000000000003 R12: ffff888098089b80 R13: dffffc0000000000 R14: ffffed101301137e R15: 000000000000003c FS: 0000000000000000(0000) GS:ffff8880ba300000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000555e16f97618 CR3: 00000000a4248000 CR4: 00000000001406e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: batadv_iv_ogm_schedule+0xb47/0xe80 net/batman-adv/bat_iv_ogm.c:813 batadv_iv_send_outstanding_bat_ogm_packet+0x570/0x7d0 net/batman-adv/bat_iv_ogm.c:1675 process_one_work+0x7d2/0x1560 kernel/workqueue.c:2269 worker_thread+0x85/0xb60 kernel/workqueue.c:2415 kthread+0x331/0x3f0 kernel/kthread.c:255 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 Modules linked in: ---[ end trace c1b749d253670edc ]--- RIP: 0010:batadv_iv_ogm_queue_add+0x9b/0xe50 net/batman-adv/bat_iv_ogm.c:605 Code: 44 89 8d 64 ff ff ff c7 02 f1 f1 f1 f1 c7 42 04 04 f2 f2 f2 48 89 fa 65 48 8b 0c 25 28 00 00 00 48 89 4d d0 31 c9 48 c1 ea 03 <0f> b6 04 02 48 89 fa 83 e2 07 38 d0 7f 08 84 c0 0f 85 99 0b 00 00 RSP: 0018:ffff8880b5157aa8 EFLAGS: 00010246 RAX: dffffc0000000000 RBX: ffff8880b4798b40 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: ffff8880b5157bc0 R08: ffff888098089b80 R09: 0000000000000001 R10: ffffed1016a2af8c R11: 0000000000000003 R12: ffff888098089b80 R13: dffffc0000000000 R14: ffffed101301137e R15: 000000000000003c FS: 0000000000000000(0000) GS:ffff8880ba200000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000555e16f9ff28 CR3: 00000000af9cd000 CR4: 00000000001406f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400