bisecting cause commit starting from 12d61c6996999e6562cbbed5f270d572248a11c5 building syzkaller on d01bb02a96019cda0fa8c46e5c6d5eb66a273f17 testing commit 12d61c6996999e6562cbbed5f270d572248a11c5 with gcc (GCC) 8.1.0 all runs: crashed: KASAN: use-after-free Read in nf_ct_deliver_cached_events testing release v5.3 testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.1.0 run #0: crashed: general protection fault in rxrpc_error_report run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK testing release v5.2 testing commit 0ecfebd2b52404ae0c54a878c872bb93363ada36 with gcc (GCC) 8.1.0 all runs: crashed: general protection fault in rxrpc_connect_call testing release v5.1 testing commit e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd with gcc (GCC) 8.1.0 all runs: crashed: general protection fault in rxrpc_connect_call testing release v5.0 testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783 with gcc (GCC) 8.1.0 all runs: crashed: general protection fault in rxrpc_connect_call testing release v4.20 testing commit 8fe28cb58bcb235034b64cbbb7550a8a43fd88be with gcc (GCC) 8.1.0 all runs: crashed: general protection fault in rxrpc_connect_call testing release v4.19 testing commit 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d with gcc (GCC) 8.1.0 all runs: crashed: general protection fault in rxrpc_connect_call testing release v4.18 testing commit 94710cac0ef4ee177a63b5227664b38c95bbf703 with gcc (GCC) 8.1.0 all runs: crashed: general protection fault in rxrpc_connect_call testing release v4.17 testing commit 29dcea88779c856c7dc92040a0c01233263101d4 with gcc (GCC) 8.1.0 all runs: crashed: general protection fault in rxrpc_connect_call testing release v4.16 testing commit 0adb32858b0bddf4ada5f364a84ed60b196dbcda with gcc (GCC) 8.1.0 all runs: crashed: general protection fault in rxrpc_connect_call testing release v4.15 testing commit d8a5b80568a9cb66810e75b182018e9edb68e8ff with gcc (GCC) 8.1.0 all runs: crashed: general protection fault in rxrpc_connect_call testing release v4.14 testing commit bebc6082da0a9f5d47a1ea2edc099bf671058bd4 with gcc (GCC) 8.1.0 all runs: crashed: general protection fault in rxrpc_connect_call testing release v4.13 testing commit 569dbb88e80deb68974ef6fdd6a13edb9d686261 with gcc (GCC) 8.1.0 all runs: crashed: general protection fault in rxrpc_connect_call testing release v4.12 testing commit 6f7da290413ba713f0cdd9ff1a2a9bb129ef4f6c with gcc (GCC) 8.1.0 all runs: crashed: general protection fault in rxrpc_connect_call testing release v4.11 testing commit a351e9b9fc24e982ec2f0e76379a49826036da12 with gcc (GCC) 7.3.0 all runs: crashed: general protection fault in rxrpc_connect_call testing release v4.10 testing commit c470abd4fde40ea6a0846a2beab642a578c0b8cd with gcc (GCC) 5.5.0 all runs: crashed: general protection fault in rxrpc_connect_call testing release v4.9 testing commit 69973b830859bc6529a7a0468ba0d80ee5117826 with gcc (GCC) 5.5.0 all runs: crashed: general protection fault in rxrpc_connect_call testing release v4.8 testing commit c8d2bc9bc39ebea8437fd974fdbc21847bb897a3 with gcc (GCC) 5.5.0 all runs: crashed: kernel BUG at net/rxrpc/call_object.c:LINE! testing release v4.7 testing commit 523d939ef98fd712632d93a5a2b588e477a7565e with gcc (GCC) 5.5.0 all runs: OK # git bisect start v4.8 v4.7 Bisecting: 7344 revisions left to test after this (roughly 13 steps) [e61c10e468a42512f5fad74c00b62af5cc19f65f] sh: add device tree source for J2 FPGA on Mimas v2 board testing commit e61c10e468a42512f5fad74c00b62af5cc19f65f with gcc (GCC) 5.5.0 all runs: crashed: kernel BUG at net/rxrpc/call_object.c:LINE! # git bisect bad e61c10e468a42512f5fad74c00b62af5cc19f65f Bisecting: 3754 revisions left to test after this (roughly 12 steps) [08fd8c17686c6b09fa410a26d516548dd80ff147] Merge tag 'for-linus-4.8-rc0-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip testing commit 08fd8c17686c6b09fa410a26d516548dd80ff147 with gcc (GCC) 5.5.0 all runs: OK # git bisect good 08fd8c17686c6b09fa410a26d516548dd80ff147 Bisecting: 1877 revisions left to test after this (roughly 11 steps) [7ae0ae4a022b72f33d23ab6e858163d4b37400a5] Merge tag 'spi-v4.8' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi testing commit 7ae0ae4a022b72f33d23ab6e858163d4b37400a5 with gcc (GCC) 5.5.0 all runs: crashed: kernel BUG at net/rxrpc/call_object.c:LINE! # git bisect bad 7ae0ae4a022b72f33d23ab6e858163d4b37400a5 Bisecting: 938 revisions left to test after this (roughly 10 steps) [6fd980ac39efee9c26b1eb256c3271fcb139bd99] net: samples: pktgen mode samples/tests for qdisc layer testing commit 6fd980ac39efee9c26b1eb256c3271fcb139bd99 with gcc (GCC) 5.5.0 all runs: crashed: kernel BUG at net/rxrpc/call_object.c:LINE! # git bisect bad 6fd980ac39efee9c26b1eb256c3271fcb139bd99 Bisecting: 468 revisions left to test after this (roughly 9 steps) [697666eac664dbea7c2c1fa7518fd5dfe098776f] net: ethernet: bcmsysport: use phy_ethtool_{get|set}_link_ksettings testing commit 697666eac664dbea7c2c1fa7518fd5dfe098776f with gcc (GCC) 5.5.0 all runs: crashed: kernel BUG at net/rxrpc/af_rxrpc.c:LINE! # git bisect bad 697666eac664dbea7c2c1fa7518fd5dfe098776f Bisecting: 234 revisions left to test after this (roughly 8 steps) [6988bd920c6ea53497ed15db947408b7488c9e36] bnxt_en: Add new function bnxt_reset(). testing commit 6988bd920c6ea53497ed15db947408b7488c9e36 with gcc (GCC) 5.5.0 all runs: crashed: kernel BUG at net/rxrpc/af_rxrpc.c:LINE! # git bisect bad 6988bd920c6ea53497ed15db947408b7488c9e36 Bisecting: 116 revisions left to test after this (roughly 7 steps) [6ad8c632ee48ae099aa13704ef18a641220fe211] qed: Add support for query/config dcbx. testing commit 6ad8c632ee48ae099aa13704ef18a641220fe211 with gcc (GCC) 5.5.0 all runs: OK # git bisect good 6ad8c632ee48ae099aa13704ef18a641220fe211 Bisecting: 58 revisions left to test after this (roughly 6 steps) [1578b0a5e92825334760741e5c166b8873886f1b] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net testing commit 1578b0a5e92825334760741e5c166b8873886f1b with gcc (GCC) 5.5.0 all runs: crashed: kernel BUG at net/rxrpc/af_rxrpc.c:LINE! # git bisect bad 1578b0a5e92825334760741e5c166b8873886f1b Bisecting: 28 revisions left to test after this (roughly 5 steps) [d3fff6c443fe8f8a5ef2bdcea45e2ff39db948c7] net: add netdev_lockdep_set_classes() helper testing commit d3fff6c443fe8f8a5ef2bdcea45e2ff39db948c7 with gcc (GCC) 5.5.0 all runs: OK # git bisect good d3fff6c443fe8f8a5ef2bdcea45e2ff39db948c7 Bisecting: 13 revisions left to test after this (roughly 4 steps) [23c731e830009a51a39a7a558179007235c84eb7] Merge branch 'BCM53xx-driver' testing commit 23c731e830009a51a39a7a558179007235c84eb7 with gcc (GCC) 5.5.0 all runs: OK # git bisect good 23c731e830009a51a39a7a558179007235c84eb7 Bisecting: 6 revisions left to test after this (roughly 3 steps) [f6613d4fa937fa8388f2c1cb4e69ccc25e9e2336] bgmac: Add support for ethtool statistics testing commit f6613d4fa937fa8388f2c1cb4e69ccc25e9e2336 with gcc (GCC) 5.5.0 all runs: crashed: kernel BUG at net/rxrpc/af_rxrpc.c:LINE! # git bisect bad f6613d4fa937fa8388f2c1cb4e69ccc25e9e2336 Bisecting: 3 revisions left to test after this (roughly 2 steps) [2341e0775747864b684abe8627f3d45b167f2940] rxrpc: Simplify connect() implementation and simplify sendmsg() op testing commit 2341e0775747864b684abe8627f3d45b167f2940 with gcc (GCC) 5.5.0 all runs: crashed: kernel BUG at net/rxrpc/af_rxrpc.c:LINE! # git bisect bad 2341e0775747864b684abe8627f3d45b167f2940 Bisecting: 0 revisions left to test after this (roughly 1 step) [21aff3b905ad9e5e52b18a755c13fe755bd6ab3d] net/netlink/af_netlink.h: Remove unused structure. testing commit 21aff3b905ad9e5e52b18a755c13fe755bd6ab3d with gcc (GCC) 5.5.0 all runs: OK # git bisect good 21aff3b905ad9e5e52b18a755c13fe755bd6ab3d 2341e0775747864b684abe8627f3d45b167f2940 is the first bad commit commit 2341e0775747864b684abe8627f3d45b167f2940 Author: David Howells Date: Thu Jun 9 23:02:51 2016 +0100 rxrpc: Simplify connect() implementation and simplify sendmsg() op Simplify the RxRPC connect() implementation. It will just note the destination address it is given, and if a sendmsg() comes along with no address, this will be assigned as the address. No transport struct will be held internally, which will allow us to remove this later. Simplify sendmsg() also. Whilst a call is active, userspace refers to it by a private unique user ID specified in a control message. When sendmsg() sees a user ID that doesn't map to an extant call, it creates a new call for that user ID and attempts to add it. If, when we try to add it, the user ID is now registered, we now reject the message with -EEXIST. We should never see this situation unless two threads are racing, trying to create a call with the same ID - which would be an error. It also isn't required to provide sendmsg() with an address - provided the control message data holds a user ID that maps to a currently active call. Signed-off-by: David Howells Signed-off-by: David S. Miller :040000 040000 facf6f57ee893b1844691b7dc1468be0f5ceb309 309219c57b66ee257667a7a5318e7c56d15ddc0d M include :040000 040000 8b694fe90312bf7298569a03a43a921a1bc95f10 1739cb5f0604e56d923efb2e96ca38b6b00dc0de M net revisions tested: 32, total time: 6h54m21.156895526s (build: 2h26m31.540430252s, test: 4h19m23.664209951s) first bad commit: 2341e0775747864b684abe8627f3d45b167f2940 rxrpc: Simplify connect() implementation and simplify sendmsg() op cc: ["davem@davemloft.net" "dhowells@redhat.com" "linux-afs@lists.infradead.org" "linux-kernel@vger.kernel.org" "netdev@vger.kernel.org"] crash: kernel BUG at net/rxrpc/af_rxrpc.c:LINE! bond0 (unregistering): Releasing backup interface bond_slave_1 bond0 (unregistering): Releasing backup interface bond_slave_0 bond0 (unregistering): Released all slaves af_rxrpc: Assertion failed ------------[ cut here ]------------ kernel BUG at net/rxrpc/af_rxrpc.c:236! invalid opcode: 0000 [#1] PREEMPT SMP KASAN Modules linked in: CPU: 1 PID: 16543 Comm: syz-executor468 Not tainted 4.7.0-rc1+ #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 task: ffff8800a8280280 ti: ffff8800ad8c0000 task.ti: ffff8800ad8c0000 RIP: 0010:[] [] rxrpc_name_to_transport+0x1a5/0x220 net/rxrpc/af_rxrpc.c:236 RSP: 0018:ffff8800ad8c7978 EFLAGS: 00010282 RAX: 000000000000001a RBX: ffff8800a8287740 RCX: 0000000000000000 RDX: 000000000000001a RSI: ffffffff85abed60 RDI: ffffed0015b18f25 RBP: ffff8800ad8c79a0 R08: 0000000000000001 R09: 0000000000000000 R10: ffff8800a8287740 R11: 0000000000000001 R12: ffff8800a8287c40 R13: ffff8800a8287b80 R14: 0000000000000018 R15: ffff8800ad8c7b30 FS: 0000000000c56880(0000) GS:ffff88012c100000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000200000c0 CR3: 00000000ba1b7000 CR4: 00000000001406e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Stack: ffffffff8514631d ffff8800ad8c7b48 0000000000000018 ffff8800a8287c40 0000000000000018 ffff8800ad8c7a20 ffffffff8515e988 ffffffff845deec6 ffff8800ad8c79c8 ffffffff8143e21d ffff8800ad8c79e8 ffff8800ad8c7dd0 Call Trace: [] rxrpc_new_client_call_for_sendmsg net/rxrpc/ar-output.c:149 [inline] [] rxrpc_do_sendmsg+0x498/0x930 net/rxrpc/ar-output.c:217 [] rxrpc_sendmsg+0x212/0x2c0 net/rxrpc/af_rxrpc.c:448 [] sock_sendmsg_nosec net/socket.c:609 [inline] [] sock_sendmsg+0xb5/0xf0 net/socket.c:619 [] ___sys_sendmsg+0x258/0x830 net/socket.c:1942 [] __sys_sendmmsg+0x11f/0x300 net/socket.c:2032 [] SYSC_sendmmsg net/socket.c:2061 [inline] [] SyS_sendmmsg+0xd/0x20 net/socket.c:2056 [] entry_SYSCALL_64_fastpath+0x23/0xc1 Code: 00 44 89 c2 4c 89 e6 e8 ba 65 02 00 4c 89 e7 48 89 c3 e8 9f 36 02 00 48 89 d8 e9 1a ff ff ff 48 c7 c7 40 db 2b 86 e8 c4 70 4e fc <0f> 0b 44 89 45 dc e8 20 b4 60 fc 44 8b 45 dc e9 b4 fe ff ff 44 RIP [] rxrpc_name_to_transport+0x1a5/0x220 net/rxrpc/af_rxrpc.c:236 RSP ---[ end trace 1e708869d2b64e20 ]---