bisecting cause commit starting from 3dd0130f2430decf0cb001b452824515436986d2
building syzkaller on 4a77ae0bdc5cd75ebe88ce7c896aae6bbf457a29
testing commit 3dd0130f2430decf0cb001b452824515436986d2 with gcc (GCC) 8.1.0
kernel signature: 6dcc3a7df9791dc459583be91b7565ef215a2fb21567666a8d5e386f6aeff85a
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in qp_release_pages
testing release v5.8
testing commit bcf876870b95592b52519ed4aafcf9d95999bc9c with gcc (GCC) 8.1.0
kernel signature: c8e76bd576d17a3da7d4c04675d695d50c50a29d2841a6f17b484f81b639c306
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in qp_release_pages
testing release v5.7
testing commit 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162 with gcc (GCC) 8.1.0
kernel signature: 6c79a1274846e1dd35e051f11e5da60649d2f713717c461e4116c55f65b7924c
all runs: crashed: general protection fault in qp_release_pages
testing release v5.6
testing commit 7111951b8d4973bda27ff663f2cf18b663d15b48 with gcc (GCC) 8.1.0
kernel signature: 31cb6ec86e01e8d2d4c6c243fb9d4b5e3a51b51fb0a78db6365b00d2381e9dc2
all runs: crashed: general protection fault in qp_release_pages
testing release v5.5
testing commit d5226fa6dbae0569ee43ecfc08bdcd6770fc4755 with gcc (GCC) 8.1.0
kernel signature: ee6d31c410c6a9c95c364337774192866a3f8e6eb95d2e0a8e905e81ddddb9a3
all runs: crashed: general protection fault in qp_release_pages
testing release v5.4
testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0
kernel signature: c884ac6ac81875c7ea10781f22397d722e91708db5eed37129946e0cfe28bc72
all runs: crashed: general protection fault in qp_release_pages
testing release v5.3
testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.1.0
kernel signature: 65d2cbf91e25155d7a7b2b15f0c9e9a7fd39b232e78d8edb58ea3e8cc3e3d4c3
all runs: crashed: general protection fault in qp_release_pages
testing release v5.2
testing commit 0ecfebd2b52404ae0c54a878c872bb93363ada36 with gcc (GCC) 8.1.0
kernel signature: acfbe3f2a17e328a185a3e5d3df112e857a8808e3bd5bf95db1a2be729f32f18
all runs: crashed: general protection fault in qp_release_pages
testing release v5.1
testing commit e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd with gcc (GCC) 8.1.0
kernel signature: 59332160b7da194918fe53ffdc2361c99cf48832e7ac230e54d6370c11f4172d
all runs: crashed: general protection fault in qp_release_pages
testing release v5.0
testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783 with gcc (GCC) 8.1.0
kernel signature: 4fc42aede2b52d2b5b0f69fbcc1068668bf2ad0a0a4f8856982df3c479026d9d
run #0: crashed: general protection fault in qp_release_pages
run #1: crashed: general protection fault in qp_release_pages
run #2: crashed: general protection fault in corrupted
run #3: crashed: general protection fault in qp_release_pages
run #4: crashed: general protection fault in qp_release_pages
run #5: crashed: general protection fault in qp_release_pages
run #6: crashed: general protection fault in qp_release_pages
run #7: crashed: general protection fault in qp_release_pages
run #8: crashed: general protection fault in qp_release_pages
run #9: crashed: general protection fault in qp_release_pages
testing release v4.20
testing commit 8fe28cb58bcb235034b64cbbb7550a8a43fd88be with gcc (GCC) 8.1.0
certs/signing_key.pem: Permission denied
testing release v4.19
testing commit 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d with gcc (GCC) 8.1.0
certs/signing_key.pem: Permission denied
testing release v4.18
testing commit 94710cac0ef4ee177a63b5227664b38c95bbf703 with gcc (GCC) 8.1.0
certs/signing_key.pem: Permission denied
testing release v4.17
testing commit 29dcea88779c856c7dc92040a0c01233263101d4 with gcc (GCC) 8.1.0
certs/signing_key.pem: Permission denied
testing release v4.16
testing commit 0adb32858b0bddf4ada5f364a84ed60b196dbcda with gcc (GCC) 8.1.0
certs/signing_key.pem: Permission denied
testing release v4.15
testing commit d8a5b80568a9cb66810e75b182018e9edb68e8ff with gcc (GCC) 8.1.0
certs/signing_key.pem: Permission denied
testing release v4.14
testing commit bebc6082da0a9f5d47a1ea2edc099bf671058bd4 with gcc (GCC) 8.1.0
certs/signing_key.pem: Permission denied
testing release v4.13
testing commit 569dbb88e80deb68974ef6fdd6a13edb9d686261 with gcc (GCC) 8.1.0
certs/signing_key.pem: Permission denied
testing release v4.12
testing commit 6f7da290413ba713f0cdd9ff1a2a9bb129ef4f6c with gcc (GCC) 8.1.0
certs/signing_key.pem: Permission denied
testing release v4.11
testing commit a351e9b9fc24e982ec2f0e76379a49826036da12 with gcc (GCC) 7.3.0
certs/signing_key.pem: Permission denied
testing release v4.10
testing commit c470abd4fde40ea6a0846a2beab642a578c0b8cd with gcc (GCC) 5.5.0
certs/signing_key.pem: Permission denied
testing release v4.9
testing commit 69973b830859bc6529a7a0468ba0d80ee5117826 with gcc (GCC) 5.5.0
certs/signing_key.pem: Permission denied
testing release v4.8
testing commit c8d2bc9bc39ebea8437fd974fdbc21847bb897a3 with gcc (GCC) 5.5.0
certs/signing_key.pem: Permission denied
testing release v4.7
testing commit 523d939ef98fd712632d93a5a2b588e477a7565e with gcc (GCC) 5.5.0
certs/signing_key.pem: Permission denied
testing release v4.6
testing commit 2dcd0af568b0cf583645c8a317dd12e344b1c72a with gcc (GCC) 5.5.0
certs/signing_key.pem: Permission denied
revisions tested: 25, total time: 2h1m20.035542053s (build: 1h26m45.437605417s, test: 30m56.19407077s)
the crash already happened on the oldest tested release
commit msg: Linux 5.0
crash: general protection fault in qp_release_pages
IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
Bluetooth: hci5: command 0x040f tx timeout
Bluetooth: hci1: command 0x040f tx timeout
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 8206 Comm: syz-executor.0 Not tainted 5.0.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
ieee80211 phy9: Selected rate control algorithm 'minstrel_ht'
RIP: 0010:__read_once_size include/linux/compiler.h:193 [inline]
RIP: 0010:compound_head include/linux/page-flags.h:143 [inline]
RIP: 0010:put_page include/linux/mm.h:981 [inline]
RIP: 0010:qp_release_pages+0x44/0x240 drivers/misc/vmw_vmci/vmci_queue_pair.c:650
Code: 75 c0 88 55 cf 0f 84 a5 01 00 00 49 bc 00 00 00 00 00 fc ff df 45 31 ed 31 c0 e9 ab 00 00 00 49 8d 7f 08 48 89 fa 48 c1 ea 03 <42> 80 3c 22 00 0f 85 8a 01 00 00 49 8b 57 08 48 8d 4a ff 83 e2 01
wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
RSP: 0018:ffff888083e776d8 EFLAGS: 00010202
RAX: 1ffff110124bbb30 RBX: ffff8880925dd980 RCX: 1ffff110124bbb2c
RDX: 0000000000000001 RSI: ffff8880925dd980 RDI: 0000000000000008
RBP: ffff888083e77718 R08: ffffed1011b0baf9 R09: ffffed1011b0baf8
R10: ffffed1011b0baf8 R11: ffff88808d85d7c7 R12: dffffc0000000000
R13: 0000000000000000 R14: 0000000000002400 R15: 0000000000000000
FS:  00007f844a4fd700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
ieee80211 phy10: Selected rate control algorithm 'minstrel_ht'
CR2: 0000000001590004 CR3: 0000000091cae000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 qp_host_get_user_memory.isra.15+0x1fe/0x3a0 drivers/misc/vmw_vmci/vmci_queue_pair.c:674
 qp_host_register_user_memory drivers/misc/vmw_vmci/vmci_queue_pair.c:717 [inline]
 qp_broker_create drivers/misc/vmw_vmci/vmci_queue_pair.c:1394 [inline]
 qp_broker_alloc+0xec6/0x1a80 drivers/misc/vmw_vmci/vmci_queue_pair.c:1748
wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
 vmci_qp_broker_alloc+0x17/0x20 drivers/misc/vmw_vmci/vmci_queue_pair.c:1941
 vmci_host_do_alloc_queuepair.isra.5+0x275/0x340 drivers/misc/vmw_vmci/vmci_host.c:491
IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
 vmci_host_unlocked_ioctl+0xbad/0x17f0 drivers/misc/vmw_vmci/vmci_host.c:930
wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:509 [inline]
 do_vfs_ioctl+0x196/0x10c0 fs/ioctl.c:696
IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
 ksys_ioctl+0x62/0x90 fs/ioctl.c:713
 __do_sys_ioctl fs/ioctl.c:720 [inline]
 __se_sys_ioctl fs/ioctl.c:718 [inline]
 __x64_sys_ioctl+0x6e/0xb0 fs/ioctl.c:718
ieee80211 phy11: Selected rate control algorithm 'minstrel_ht'
 do_syscall_64+0xd0/0x4d0 arch/x86/entry/common.c:290
wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45de59
Code: 0d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f844a4fcc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000010300 RCX: 000000000045de59
RDX: 0000000020000100 RSI: 00000000000007a8 RDI: 0000000000000003
ieee80211 phy12: Selected rate control algorithm 'minstrel_ht'
RBP: 000000000118bf60 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118bf2c
R13: 00007ffe938e5eaf R14: 00007f844a4fd9c0 R15: 000000000118bf2c
Modules linked in:
---[ end trace 04db4fec57631124 ]---
wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
RIP: 0010:__read_once_size include/linux/compiler.h:193 [inline]
RIP: 0010:compound_head include/linux/page-flags.h:143 [inline]
RIP: 0010:put_page include/linux/mm.h:981 [inline]
RIP: 0010:qp_release_pages+0x44/0x240 drivers/misc/vmw_vmci/vmci_queue_pair.c:650
wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
Code: 75 c0 88 55 cf 0f 84 a5 01 00 00 49 bc 00 00 00 00 00 fc ff df 45 31 ed 31 c0 e9 ab 00 00 00 49 8d 7f 08 48 89 fa 48 c1 ea 03 <42> 80 3c 22 00 0f 85 8a 01 00 00 49 8b 57 08 48 8d 4a ff 83 e2 01
wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
RSP: 0018:ffff888083e776d8 EFLAGS: 00010202
RAX: 1ffff110124bbb30 RBX: ffff8880925dd980 RCX: 1ffff110124bbb2c
IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
RDX: 0000000000000001 RSI: ffff8880925dd980 RDI: 0000000000000008
IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
RBP: ffff888083e77718 R08: ffffed1011b0baf9 R09: ffffed1011b0baf8
R10: ffffed1011b0baf8 R11: ffff88808d85d7c7 R12: dffffc0000000000
R13: 0000000000000000 R14: 0000000000002400 R15: 0000000000000000
FS:  00007f844a4fd700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
neighbour: ndisc_cache: neighbor table overflow!
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
ieee80211 phy13: Selected rate control algorithm 'minstrel_ht'
CR2: 0000555aa5a5ea07 CR3: 0000000091cae000 CR4: 00000000001406e0
neighbour: ndisc_cache: neighbor table overflow!
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
neighbour: ndisc_cache: neighbor table overflow!
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
ieee80211 phy14: Selected rate control algorithm 'minstrel_ht'
wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
neighbour: ndisc_cache: neighbor table overflow!
neighbour: ndisc_cache: neighbor table overflow!
wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50