bisecting cause commit starting from f9e425e99b0756c1479042afe761073779df2a30
building syzkaller on 0d27f508b6b35d3b12b9fafebd40a1f36950c8f3
testing commit f9e425e99b0756c1479042afe761073779df2a30 with gcc (GCC) 8.1.0
kernel signature: 3a1294925b978de46ba2d4256d986f654169f67a6c57cdc115920f4c7ede4ad9
all runs: crashed: kernel BUG at net/core/dev.c:LINE!
testing release v5.9
testing commit bbf5c979011a099af5dc76498918ed7df445635b with gcc (GCC) 8.1.0
kernel signature: fb1c0b2e91835929cb645c88cf58a714a071d8e490a0b3dfc7b42acc326c8c3c
all runs: crashed: kernel BUG at net/core/dev.c:LINE!
testing release v5.8
testing commit bcf876870b95592b52519ed4aafcf9d95999bc9c with gcc (GCC) 8.1.0
kernel signature: 39c621b39ccefedec643947c68ba28d49091573cb669a2f45b8e946c80b6c197
all runs: crashed: kernel BUG at net/core/dev.c:LINE!
testing release v5.7
testing commit 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162 with gcc (GCC) 8.1.0
kernel signature: 59f5b673ce3cd326d5e1ed39383e68070637e1baba3010a3f9cc283e0fc072cc
all runs: crashed: kernel BUG at net/core/dev.c:LINE!
testing release v5.6
testing commit 7111951b8d4973bda27ff663f2cf18b663d15b48 with gcc (GCC) 8.1.0
kernel signature: 2483a7186389e7ff1972f184a65605fb7220be38bc40615cfd0a7932d6e31d01
all runs: crashed: WARNING in hsr_addr_subst_dest
testing release v5.5
testing commit d5226fa6dbae0569ee43ecfc08bdcd6770fc4755 with gcc (GCC) 8.1.0
kernel signature: e720dbda7c60701e4e380d0e33fed3f6959fca89b4ec483d21d01140afd40982
all runs: crashed: WARNING in hsr_addr_subst_dest
testing release v5.4
testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0
kernel signature: 28098bb82685de9b9415acf783175a33b8e2903c61ccbfa2b83ed7da8a8e07a8
all runs: crashed: WARNING in hsr_addr_subst_dest
testing release v5.3
testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.1.0
kernel signature: d0c485f629fd708e5588a02cf20b468d0d8a76168a758e6be0a5e0742487ccab
all runs: crashed: WARNING in hsr_addr_subst_dest
testing release v5.2
testing commit 0ecfebd2b52404ae0c54a878c872bb93363ada36 with gcc (GCC) 8.1.0
kernel signature: 5cf7ed2e1c2ddc5440fc9c4e2d95233ae95512e91f07e78162b9424a52c18552
run #0: crashed: WARNING in hsr_addr_subst_dest
run #1: crashed: WARNING in hsr_addr_subst_dest
run #2: crashed: WARNING in hsr_addr_subst_dest
run #3: crashed: WARNING in hsr_addr_subst_dest
run #4: crashed: WARNING in hsr_addr_subst_dest
run #5: crashed: WARNING in hsr_addr_subst_dest
run #6: crashed: kernel BUG at net/core/dev.c:LINE!
run #7: crashed: WARNING in hsr_addr_subst_dest
run #8: crashed: kernel BUG at net/core/dev.c:LINE!
run #9: crashed: kernel BUG at net/core/dev.c:LINE!
testing release v5.1
testing commit e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd with gcc (GCC) 8.1.0
kernel signature: d12953400419a706cbfc740269ac5600d19c7363ee2fe63bf71944904346ebdc
all runs: crashed: WARNING in hsr_addr_subst_dest
testing release v5.0
testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783 with gcc (GCC) 8.1.0
kernel signature: dcd9c79b7eff25792f71abfb5a7ff15de85460a1b7d083de769d31f8bd8eccc9
run #0: crashed: WARNING in hsr_addr_subst_dest
run #1: crashed: kernel BUG at net/core/dev.c:LINE!
run #2: crashed: WARNING in hsr_addr_subst_dest
run #3: crashed: kernel BUG at net/core/dev.c:LINE!
run #4: crashed: kernel BUG at net/core/dev.c:LINE!
run #5: crashed: WARNING in hsr_addr_subst_dest
run #6: crashed: WARNING in hsr_addr_subst_dest
run #7: crashed: WARNING in hsr_addr_subst_dest
run #8: crashed: kernel BUG at net/core/dev.c:LINE!
run #9: crashed: WARNING in hsr_addr_subst_dest
testing release v4.20
testing commit 8fe28cb58bcb235034b64cbbb7550a8a43fd88be with gcc (GCC) 8.1.0
kernel signature: a951498cd48a7d8227fc2f71c63e03371034a52aa15318b4e9e37c68b1c92c9f
run #0: crashed: WARNING in hsr_addr_subst_dest
run #1: crashed: WARNING in hsr_addr_subst_dest
run #2: crashed: WARNING in hsr_addr_subst_dest
run #3: crashed: WARNING in hsr_addr_subst_dest
run #4: crashed: WARNING in hsr_addr_subst_dest
run #5: crashed: WARNING in hsr_addr_subst_dest
run #6: crashed: WARNING in hsr_addr_subst_dest
run #7: crashed: WARNING in hsr_addr_subst_dest
run #8: crashed: kernel BUG at net/core/dev.c:LINE!
run #9: crashed: kernel BUG at net/core/dev.c:LINE!
testing release v4.19
testing commit 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d with gcc (GCC) 8.1.0
kernel signature: 08eea28d45fc5026d323bffdd6da80db024dfa527e1767db4bd14ec14e15fd1f
run #0: crashed: WARNING in hsr_addr_subst_dest
run #1: crashed: kernel BUG at net/core/dev.c:LINE!
run #2: crashed: WARNING in hsr_addr_subst_dest
run #3: crashed: WARNING in hsr_addr_subst_dest
run #4: crashed: WARNING in hsr_addr_subst_dest
run #5: crashed: WARNING in hsr_addr_subst_dest
run #6: crashed: WARNING in hsr_addr_subst_dest
run #7: crashed: WARNING in hsr_addr_subst_dest
run #8: crashed: WARNING in hsr_addr_subst_dest
run #9: crashed: WARNING in hsr_addr_subst_dest
testing release v4.18
testing commit 94710cac0ef4ee177a63b5227664b38c95bbf703 with gcc (GCC) 8.1.0
kernel signature: eab087452213a9dd82f89a51c686705a162cab5a996ab3a43c02f52565c0d298
all runs: OK
# git bisect start 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d 94710cac0ef4ee177a63b5227664b38c95bbf703
Bisecting: 7596 revisions left to test after this (roughly 13 steps)
[db06f826ec12bf0701ea7fc0a3c0aa00b84417c8] Merge tag 'clk-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux
testing commit db06f826ec12bf0701ea7fc0a3c0aa00b84417c8 with gcc (GCC) 8.1.0
kernel signature: c5810d74fcbaf2a1afb6a0b5b188ef49c7bc43f3074e752f7da07d5f6522cc8e
all runs: OK
# git bisect good db06f826ec12bf0701ea7fc0a3c0aa00b84417c8
Bisecting: 3768 revisions left to test after this (roughly 12 steps)
[cd9b44f90763c3367e8dd0601849ffb028e8ba52] Merge branch 'akpm' (patches from Andrew)
testing commit cd9b44f90763c3367e8dd0601849ffb028e8ba52 with gcc (GCC) 8.1.0
kernel signature: 979625973a4f65cc1d350d2ca6f000d1eb76666bf4a7fddea71ae669ee2d7112
all runs: OK
# git bisect good cd9b44f90763c3367e8dd0601849ffb028e8ba52
Bisecting: 1886 revisions left to test after this (roughly 11 steps)
[4290d5b9ca018be10c7582524f7500df731bfab0] Merge tag 'for-linus-4.19b-rc2-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip
testing commit 4290d5b9ca018be10c7582524f7500df731bfab0 with gcc (GCC) 8.1.0
kernel signature: 0e59136ac781e526446e9c799437f795cf42198a44621866110f2e7de04062e7
all runs: OK
# git bisect good 4290d5b9ca018be10c7582524f7500df731bfab0
Bisecting: 942 revisions left to test after this (roughly 10 steps)
[576156bb01a62c1f64b32b416593862bb34bddaa] Merge branch 'for-upstream/malidp-fixes' of git://linux-arm.org/linux-ld into drm-fixes
testing commit 576156bb01a62c1f64b32b416593862bb34bddaa with gcc (GCC) 8.1.0
kernel signature: 3d0f44808679602e7e3c637c3f76046d92c904a8f0f60e7c94e58811e3f985b8
all runs: OK
# git bisect good 576156bb01a62c1f64b32b416593862bb34bddaa
Bisecting: 470 revisions left to test after this (roughly 9 steps)
[4fbeba43b9b6f76a270108edcf5305dc1882a478] Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6
testing commit 4fbeba43b9b6f76a270108edcf5305dc1882a478 with gcc (GCC) 8.1.0
kernel signature: 4d19bff7173d654532b7f962268fd90b6228858debe0985b1dc4c3501c3ab166
all runs: OK
# git bisect good 4fbeba43b9b6f76a270108edcf5305dc1882a478
Bisecting: 218 revisions left to test after this (roughly 8 steps)
[90ad18418c2d3db23ee827cdd74fed2ca9b70a18] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
testing commit 90ad18418c2d3db23ee827cdd74fed2ca9b70a18 with gcc (GCC) 8.1.0
kernel signature: 65ba54718370a79e3b7b96df0b7fda259599b8abab99da571fec5665d806ec5a
all runs: crashed: WARNING in hsr_addr_subst_dest
# git bisect bad 90ad18418c2d3db23ee827cdd74fed2ca9b70a18
Bisecting: 124 revisions left to test after this (roughly 7 steps)
[4ebaf0754c7a1109e66693f488f02b78f5875fee] Merge tag 'tty-4.19-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty
testing commit 4ebaf0754c7a1109e66693f488f02b78f5875fee with gcc (GCC) 8.1.0
kernel signature: 4db6ecb11c3563dba96ab25e3149fd3c3493d0511df94860307380a86ca7331e
all runs: crashed: WARNING in hsr_addr_subst_dest
# git bisect bad 4ebaf0754c7a1109e66693f488f02b78f5875fee
Bisecting: 69 revisions left to test after this (roughly 6 steps)
[5943a9bbbb98b5c957662edd2fc902cc14e65895] Merge tag 'pci-v4.19-fixes-3' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/helgaas/pci
testing commit 5943a9bbbb98b5c957662edd2fc902cc14e65895 with gcc (GCC) 8.1.0
kernel signature: b3a33cd62a9775a022702292840aaa381c6874bb1661f3be971220e04ac30a3e
all runs: OK
# git bisect good 5943a9bbbb98b5c957662edd2fc902cc14e65895
Bisecting: 39 revisions left to test after this (roughly 5 steps)
[35f3625c21852ad839f20c91c7d81c4c1101e207] net: mvpp2: Extract the correct ethtype from the skb for tx csum offload
testing commit 35f3625c21852ad839f20c91c7d81c4c1101e207 with gcc (GCC) 8.1.0
kernel signature: a722eea0331349ab029004d4841dc4b5788422b2aef0231ae4492a0acf0d606d
run #0: crashed: WARNING in hsr_addr_subst_dest
run #1: crashed: WARNING in hsr_addr_subst_dest
run #2: crashed: WARNING in hsr_addr_subst_dest
run #3: crashed: WARNING in hsr_addr_subst_dest
run #4: crashed: WARNING in hsr_addr_subst_dest
run #5: crashed: kernel BUG at net/core/dev.c:LINE!
run #6: crashed: kernel BUG at net/core/dev.c:LINE!
run #7: crashed: kernel BUG at net/core/dev.c:LINE!
run #8: crashed: kernel BUG at net/core/dev.c:LINE!
run #9: crashed: WARNING in hsr_addr_subst_dest
# git bisect bad 35f3625c21852ad839f20c91c7d81c4c1101e207
Bisecting: 14 revisions left to test after this (roughly 4 steps)
[17c357efe5eceebdc3971a48b3d4d61a03c1178b] openvswitch: load NAT helper
testing commit 17c357efe5eceebdc3971a48b3d4d61a03c1178b with gcc (GCC) 8.1.0
kernel signature: 904632bd83356ece845dd0cf19c706d5ede2b5b05c5d1fe572a8bf4b45d30cb9
run #0: crashed: WARNING in packet_sock_destruct
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
reproducer seems to be flaky
# git bisect bad 17c357efe5eceebdc3971a48b3d4d61a03c1178b
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[9e15ff7b89b6d9c51c296499539ea884220ab590] Merge tag 'mac80211-for-davem-2018-10-04' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211
testing commit 9e15ff7b89b6d9c51c296499539ea884220ab590 with gcc (GCC) 8.1.0
kernel signature: d4dfc8c57f5d886c385d55d3bb081c4fb47934ccaee80940fc418ca307988b0b
run #0: crashed: general protection fault in batadv_iv_ogm_queue_add
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 9e15ff7b89b6d9c51c296499539ea884220ab590
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[1db58529454742f67ebd96e3588315e880b72837] cfg80211: fix use-after-free in reg_process_hint()
testing commit 1db58529454742f67ebd96e3588315e880b72837 with gcc (GCC) 8.1.0
kernel signature: 0032a5dc8dbd8db1200fc60c273bf85aea5fd4d3808fcff88ebdfe16c2b79022
all runs: OK
# git bisect good 1db58529454742f67ebd96e3588315e880b72837
Bisecting: 1 revision left to test after this (roughly 1 step)
[c360867ec46a4ec5cb19e5c329d65dff522cc69d] mlxsw: spectrum: Delete RIF when VLAN device is removed
testing commit c360867ec46a4ec5cb19e5c329d65dff522cc69d with gcc (GCC) 8.1.0
kernel signature: b255d14455890a758b188c1ade4ae3313e4fe4bb44fd4f876019f060e6a0a072
run #0: crashed: KASAN: use-after-free Read in dev_queue_xmit_nit
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad c360867ec46a4ec5cb19e5c329d65dff522cc69d
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[f3c84a8e3e922afdcbc55f04df8fdf8a548f5a21] mlxsw: pci: Derive event type from event queue number
testing commit f3c84a8e3e922afdcbc55f04df8fdf8a548f5a21 with gcc (GCC) 8.1.0
kernel signature: b255d14455890a758b188c1ade4ae3313e4fe4bb44fd4f876019f060e6a0a072
run #0: crashed: general protection fault in batadv_iv_ogm_queue_add
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad f3c84a8e3e922afdcbc55f04df8fdf8a548f5a21
f3c84a8e3e922afdcbc55f04df8fdf8a548f5a21 is the first bad commit
commit f3c84a8e3e922afdcbc55f04df8fdf8a548f5a21
Author: Nir Dotan <nird@mellanox.com>
Date:   Thu Oct 4 15:48:02 2018 +0000

    mlxsw: pci: Derive event type from event queue number
    
    Due to a hardware issue in Spectrum-2, the field event_type of the event
    queue element (EQE) has become reserved. It was used to distinguish between
    command interface completion events and completion events.
    
    Use queue number to determine event type, as command interface completion
    events are always received on EQ0 and mlxsw driver maps completion events
    to EQ1.
    
    Fixes: c3ab435466d5 ("mlxsw: spectrum: Extend to support Spectrum-2 ASIC")
    Signed-off-by: Nir Dotan <nird@mellanox.com>
    Reviewed-by: Jiri Pirko <jiri@mellanox.com>
    Signed-off-by: Ido Schimmel <idosch@mellanox.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ethernet/mellanox/mlxsw/pci.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
parent commit cec4de302c5ff2c5eb3bfcb0c4845a095f5149b9 wasn't tested
testing commit cec4de302c5ff2c5eb3bfcb0c4845a095f5149b9 with gcc (GCC) 8.1.0
kernel signature: 5aad62ef7b21e64182cad81ff4eb4962312648a907b761a6d8086ecb0636ebf1
culprit signature: b255d14455890a758b188c1ade4ae3313e4fe4bb44fd4f876019f060e6a0a072
parent  signature: 5aad62ef7b21e64182cad81ff4eb4962312648a907b761a6d8086ecb0636ebf1
Reproducer flagged being flaky
revisions tested: 28, total time: 5h55m34.899652923s (build: 2h25m1.715185604s, test: 3h27m12.066393547s)
first bad commit: f3c84a8e3e922afdcbc55f04df8fdf8a548f5a21 mlxsw: pci: Derive event type from event queue number
recipients (to): ["davem@davemloft.net" "idosch@mellanox.com" "jiri@mellanox.com" "nird@mellanox.com"]
recipients (cc): []
crash: general protection fault in batadv_iv_ogm_queue_add
bridge0: port 1(bridge_slave_0) entered disabled state
batman_adv: batadv0: Interface deactivated: batadv_slave_0
batman_adv: batadv0: Removing interface: batadv_slave_0
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 10142 Comm: kworker/u4:6 Not tainted 4.19.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: bat_events batadv_iv_send_outstanding_bat_ogm_packet
RIP: 0010:batadv_iv_ogm_queue_add+0x9b/0xe50 net/batman-adv/bat_iv_ogm.c:785
Code: 44 89 8d 64 ff ff ff c7 02 f1 f1 f1 f1 c7 42 04 04 f2 f2 f2 48 89 fa 65 48 8b 0c 25 28 00 00 00 48 89 4d d0 31 c9 48 c1 ea 03 <0f> b6 04 02 48 89 fa 83 e2 07 38 d0 7f 08 84 c0 0f 85 99 0b 00 00
RSP: 0018:ffff8800a2167aa8 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffff880096d84cc0 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: ffff8800a2167bc0 R08: ffff8800a5f1ec80 R09: 0000000000000001
R10: ffffed001442cf8f R11: 0000000000000003 R12: ffff8800a5f1ec80
R13: dffffc0000000000 R14: ffffed0014be3d9f R15: 000000000000003c
FS:  0000000000000000(0000) GS:ffff8800ba300000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f5f20269740 CR3: 00000000ac8bf000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 batadv_iv_ogm_schedule+0xb7e/0xf30 net/batman-adv/bat_iv_ogm.c:989
 batadv_iv_send_outstanding_bat_ogm_packet+0x4b2/0x7b0 net/batman-adv/bat_iv_ogm.c:1817
 process_one_work+0x7b9/0x14f0 kernel/workqueue.c:2153
 worker_thread+0x85/0xb60 kernel/workqueue.c:2296
 kthread+0x324/0x3e0 kernel/kthread.c:246
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:413
Modules linked in:
---[ end trace d6c2ad4d52b593ab ]---
RIP: 0010:batadv_iv_ogm_queue_add+0x9b/0xe50 net/batman-adv/bat_iv_ogm.c:785
Code: 44 89 8d 64 ff ff ff c7 02 f1 f1 f1 f1 c7 42 04 04 f2 f2 f2 48 89 fa 65 48 8b 0c 25 28 00 00 00 48 89 4d d0 31 c9 48 c1 ea 03 <0f> b6 04 02 48 89 fa 83 e2 07 38 d0 7f 08 84 c0 0f 85 99 0b 00 00
RSP: 0018:ffff8800a2167aa8 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffff880096d84cc0 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: ffff8800a2167bc0 R08: ffff8800a5f1ec80 R09: 0000000000000001
R10: ffffed001442cf8f R11: 0000000000000003 R12: ffff8800a5f1ec80
R13: dffffc0000000000 R14: ffffed0014be3d9f R15: 000000000000003c
FS:  0000000000000000(0000) GS:ffff8800ba300000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f5f20269740 CR3: 00000000ac8bf000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400