bisecting cause commit starting from d52caf0404e625bcda352ebea53be25e91f9de02
building syzkaller on 8ca3b7d2bb7672b5608051fab4b825fdbbf2356a
testing commit d52caf0404e625bcda352ebea53be25e91f9de02 with gcc (GCC) 8.1.0
kernel signature: c0e8dc5338a82efd48123f6ca9356f7a35ce9ed2e2a5f26429aab678947c02e6
all runs: crashed: general protection fault in skb_clone
testing release v5.6
testing commit 7111951b8d4973bda27ff663f2cf18b663d15b48 with gcc (GCC) 8.1.0
kernel signature: 87c047ef5ac4a7c9cb4b8eab9010703b9d11fcc64a5bc775dabe2cfd299d49d8
all runs: OK
# git bisect start d52caf0404e625bcda352ebea53be25e91f9de02 7111951b8d4973bda27ff663f2cf18b663d15b48
Bisecting: 8496 revisions left to test after this (roughly 13 steps)
[bc3b3f4bfbded031a11c4284106adddbfacd05bb] Merge tag 'pinctrl-v5.7-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl
testing commit bc3b3f4bfbded031a11c4284106adddbfacd05bb with gcc (GCC) 8.1.0
kernel signature: 92238950f9e494bdd82b252f986682c99ae71fe86d14a2de46dc775a97cf2fc8
all runs: OK
# git bisect good bc3b3f4bfbded031a11c4284106adddbfacd05bb
Bisecting: 4244 revisions left to test after this (roughly 12 steps)
[5b8b9d0c6d0e0f1993c6c56deaf9646942c49d94] Merge branch 'akpm' (patches from Andrew)
testing commit 5b8b9d0c6d0e0f1993c6c56deaf9646942c49d94 with gcc (GCC) 8.1.0
kernel signature: 2fcdd670f63f71b8ef284ce8ec6d69f215c7673715fefd94e1dfbc37f0aac2c8
all runs: OK
# git bisect good 5b8b9d0c6d0e0f1993c6c56deaf9646942c49d94
Bisecting: 2109 revisions left to test after this (roughly 11 steps)
[caffb99b6929f41a69edbb5aef3a359bf45f3315] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
testing commit caffb99b6929f41a69edbb5aef3a359bf45f3315 with gcc (GCC) 8.1.0
kernel signature: 1ebefaf0d8dd0f9e7c9bb2c3baf450ba94ad735a01203f75c230366d47b44ab5
all runs: OK
# git bisect good caffb99b6929f41a69edbb5aef3a359bf45f3315
Bisecting: 996 revisions left to test after this (roughly 10 steps)
[5d9e4722c74e8868d5fe2f8749de80928eb4a1d1] Merge tag 'wireless-drivers-next-2020-05-07' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers-next
testing commit 5d9e4722c74e8868d5fe2f8749de80928eb4a1d1 with gcc (GCC) 8.1.0
kernel signature: 80eeb007208868f1dd928bfe4f4409439f4dddea09e850c8155c0ac8d53f62ad
all runs: OK
# git bisect good 5d9e4722c74e8868d5fe2f8749de80928eb4a1d1
Bisecting: 498 revisions left to test after this (roughly 9 steps)
[2f984f11fdc06bcfd5bb528d07a93c20301dd068] ipv[46]: do compat setsockopt for MCAST_{JOIN,LEAVE}_GROUP directly
testing commit 2f984f11fdc06bcfd5bb528d07a93c20301dd068 with gcc (GCC) 8.1.0
kernel signature: 9e1b85a1b6e806929c23610f99c7d974b17bee38fab86eef7a0b3600a39e64bb
all runs: OK
# git bisect good 2f984f11fdc06bcfd5bb528d07a93c20301dd068
Bisecting: 256 revisions left to test after this (roughly 8 steps)
[316107119f473e764cf5e50437333c8b83bec0da] ethtool: propagate get_coalesce return value
testing commit 316107119f473e764cf5e50437333c8b83bec0da with gcc (GCC) 8.1.0
kernel signature: 8bdf35af2de61b8cdcf584801b3bebe19a12713c1785122bf31b94688099d1a2
all runs: OK
# git bisect good 316107119f473e764cf5e50437333c8b83bec0da
Bisecting: 128 revisions left to test after this (roughly 7 steps)
[37f4ca907c462d7c8a1ac9e7e3473681b5f893dd] mt76: mt7915: register per-phy HE capabilities for each interface
testing commit 37f4ca907c462d7c8a1ac9e7e3473681b5f893dd with gcc (GCC) 8.1.0
kernel signature: 9aca74f0634959beabd1933d2d29b47d12b8b4535e51a7dc85107f4dff862574
all runs: OK
# git bisect good 37f4ca907c462d7c8a1ac9e7e3473681b5f893dd
Bisecting: 55 revisions left to test after this (roughly 6 steps)
[eda31200e68d38fbb974e7ad02bcc2de2cfe6863] Merge tag 'mt76-for-kvalo-2020-05-14' of https://github.com/nbd168/wireless
testing commit eda31200e68d38fbb974e7ad02bcc2de2cfe6863 with gcc (GCC) 8.1.0
kernel signature: 8904d310caf611eb680ad8d451412c3f838e2429116da5eacc47794c5aa74933
all runs: OK
# git bisect good eda31200e68d38fbb974e7ad02bcc2de2cfe6863
Bisecting: 27 revisions left to test after this (roughly 5 steps)
[154388e11255dbbcf68906fe8058fe72af346634] mlxsw: spectrum: Fix spelling mistake in trap's name
testing commit 154388e11255dbbcf68906fe8058fe72af346634 with gcc (GCC) 8.1.0
kernel signature: 99cd91cdc69adab1219111b348829a63435eaf61e7f7d308d7a66b0ae4550f5e
all runs: OK
# git bisect good 154388e11255dbbcf68906fe8058fe72af346634
Bisecting: 14 revisions left to test after this (roughly 4 steps)
[472f0a240250df443ffc4f39835e829916193ca1] mt76: mt7915: Fix build error
testing commit 472f0a240250df443ffc4f39835e829916193ca1 with gcc (GCC) 8.1.0
kernel signature: 96b9467d7713a9950f10b136b586928f34006dd4f04cafe5988cb3647f830fd2
all runs: OK
# git bisect good 472f0a240250df443ffc4f39835e829916193ca1
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[eabd5c9dd0c0b8d471d144801c8302a4eff6eb27] ptp_clock: Let the ADJ_OFFSET interface respect the ADJ_NANO flag for PHC devices.
testing commit eabd5c9dd0c0b8d471d144801c8302a4eff6eb27 with gcc (GCC) 8.1.0
kernel signature: d474fa7d2703e29de246e1af14839f246250e430af7acbc6c751d064a3ab0dc9
all runs: crashed: general protection fault in skb_clone
# git bisect bad eabd5c9dd0c0b8d471d144801c8302a4eff6eb27
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[ca23cb0bc50faae0d48786b2f9f702dbb528b925] mvneta: MVNETA_SKB_HEADROOM set last 3 bits to zero
testing commit ca23cb0bc50faae0d48786b2f9f702dbb528b925 with gcc (GCC) 8.1.0
kernel signature: 2bc0511d71c39e6fcee1be446abfe45fa27b091f7911ecf5e6d5fdac187182ce
all runs: OK
# git bisect good ca23cb0bc50faae0d48786b2f9f702dbb528b925
Bisecting: 1 revision left to test after this (roughly 1 step)
[880f8f99d12ca89d3ec76f688e0d92612054cbb1] bnx2x: allow bnx2x_bsc_read() to schedule
testing commit 880f8f99d12ca89d3ec76f688e0d92612054cbb1 with gcc (GCC) 8.1.0
kernel signature: 39c7226458f1dd1b2d496cbd0e18912f92e2fe36d91c28d6c9d7d280cbdec9c1
all runs: OK
# git bisect good 880f8f99d12ca89d3ec76f688e0d92612054cbb1
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[45af29ca761c275e350cca659856bc56f1035ef9] tcp: allow traceroute -Mtcp for unpriv users
testing commit 45af29ca761c275e350cca659856bc56f1035ef9 with gcc (GCC) 8.1.0
kernel signature: 6b33b41dd1c282f679d0bfbf08900d06bf438f29f824fefd6fa059e1802639e4
all runs: crashed: general protection fault in skb_clone
# git bisect bad 45af29ca761c275e350cca659856bc56f1035ef9
45af29ca761c275e350cca659856bc56f1035ef9 is the first bad commit
commit 45af29ca761c275e350cca659856bc56f1035ef9
Author: Eric Dumazet <edumazet@google.com>
Date:   Sun May 24 11:00:02 2020 -0700

    tcp: allow traceroute -Mtcp for unpriv users
    
    Unpriv users can use traceroute over plain UDP sockets, but not TCP ones.
    
    $ traceroute -Mtcp 8.8.8.8
    You do not have enough privileges to use this traceroute method.
    
    $ traceroute -n -Mudp 8.8.8.8
    traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
     1  192.168.86.1  3.631 ms  3.512 ms  3.405 ms
     2  10.1.10.1  4.183 ms  4.125 ms  4.072 ms
     3  96.120.88.125  20.621 ms  19.462 ms  20.553 ms
     4  96.110.177.65  24.271 ms  25.351 ms  25.250 ms
     5  69.139.199.197  44.492 ms  43.075 ms  44.346 ms
     6  68.86.143.93  27.969 ms  25.184 ms  25.092 ms
     7  96.112.146.18  25.323 ms 96.112.146.22  25.583 ms 96.112.146.26  24.502 ms
     8  72.14.239.204  24.405 ms 74.125.37.224  16.326 ms  17.194 ms
     9  209.85.251.9  18.154 ms 209.85.247.55  14.449 ms 209.85.251.9  26.296 ms^C
    
    We can easily support traceroute over TCP, by queueing an error message
    into socket error queue.
    
    Note that applications need to set IP_RECVERR/IPV6_RECVERR option to
    enable this feature, and that the error message is only queued
    while in SYN_SNT state.
    
    socket(AF_INET6, SOCK_STREAM, IPPROTO_IP) = 3
    setsockopt(3, SOL_IPV6, IPV6_RECVERR, [1], 4) = 0
    setsockopt(3, SOL_SOCKET, SO_TIMESTAMP_OLD, [1], 4) = 0
    setsockopt(3, SOL_IPV6, IPV6_UNICAST_HOPS, [5], 4) = 0
    connect(3, {sa_family=AF_INET6, sin6_port=htons(8787), sin6_flowinfo=htonl(0),
            inet_pton(AF_INET6, "2002:a05:6608:297::", &sin6_addr), sin6_scope_id=0}, 28) = -1 EHOSTUNREACH (No route to host)
    recvmsg(3, {msg_name={sa_family=AF_INET6, sin6_port=htons(8787), sin6_flowinfo=htonl(0),
            inet_pton(AF_INET6, "2002:a05:6608:297::", &sin6_addr), sin6_scope_id=0},
            msg_namelen=1024->28, msg_iov=[{iov_base="`\r\337\320\0004\6\1&\7\370\260\200\231\16\27\0\0\0\0\0\0\0\0 \2\n\5f\10\2\227"..., iov_len=1024}],
            msg_iovlen=1, msg_control=[{cmsg_len=32, cmsg_level=SOL_SOCKET, cmsg_type=SO_TIMESTAMP_OLD, cmsg_data={tv_sec=1590340680, tv_usec=272424}},
                                       {cmsg_len=60, cmsg_level=SOL_IPV6, cmsg_type=IPV6_RECVERR}],
            msg_controllen=96, msg_flags=MSG_ERRQUEUE}, MSG_ERRQUEUE) = 144
    
    Suggested-by: Maciej Żenczykowski <maze@google.com
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: Willem de Bruijn <willemb@google.com>
    Reviewed-by: Maciej Żenczykowski <maze@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/tcp_ipv4.c | 2 ++
 net/ipv6/tcp_ipv6.c | 2 ++
 2 files changed, 4 insertions(+)
culprit signature: 6b33b41dd1c282f679d0bfbf08900d06bf438f29f824fefd6fa059e1802639e4
parent  signature: 39c7226458f1dd1b2d496cbd0e18912f92e2fe36d91c28d6c9d7d280cbdec9c1
revisions tested: 16, total time: 4h6m37.624012637s (build: 1h39m7.793250871s, test: 2h26m7.633010046s)
first bad commit: 45af29ca761c275e350cca659856bc56f1035ef9 tcp: allow traceroute -Mtcp for unpriv users
cc: ["davem@davemloft.net" "edumazet@google.com" "maze@google.com"]
crash: general protection fault in skb_clone
general protection fault, probably for non-canonical address 0xf243adf908557917: 0000 [#1] PREEMPT SMP KASAN
KASAN: maybe wild-memory-access in range [0x921d8fc842abc8b8-0x921d8fc842abc8bf]
CPU: 1 PID: 16 Comm: ksoftirqd/1 Not tainted 5.7.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:skb_zcopy include/linux/skbuff.h:1446 [inline]
RIP: 0010:skb_orphan_frags include/linux/skbuff.h:2777 [inline]
RIP: 0010:skb_clone+0x2d/0x300 net/core/skbuff.c:1436
Code: 41 55 41 54 41 89 f4 55 53 48 89 fb 0f 84 95 00 00 00 48 8d bf bc 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 0f
RSP: 0018:ffffc90000d7f780 EFLAGS: 00010a07
RAX: dffffc0000000000 RBX: 921d8fc842abc800 RCX: 0000000000000000
RDX: 1243b1f908557917 RSI: 0000000000000a20 RDI: 921d8fc842abc8bc
RBP: 0000000000000071 R08: 0000000000000000 R09: ffff88809b1f8840
R10: ffff8880ae938b1b R11: ffffed1015d27163 R12: 0000000000000a20
R13: 0000000000000000 R14: ffff88809a176352 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005568bdd3c160 CR3: 00000000a7e47000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 ip_icmp_error+0x2c/0x570 net/ipv4/ip_sockglue.c:397
 tcp_v4_err+0x6c4/0x17b0 net/ipv4/tcp_ipv4.c:576
 icmp_unreach+0x2bf/0x920 net/ipv4/icmp.c:920
 icmp_rcv+0x676/0x1560 net/ipv4/icmp.c:1102
 ip_protocol_deliver_rcu+0x53/0x690 net/ipv4/ip_input.c:204
 ip_local_deliver_finish+0x200/0x2f0 net/ipv4/ip_input.c:231
 NF_HOOK include/linux/netfilter.h:307 [inline]
 ip_local_deliver+0x2e5/0x3e0 net/ipv4/ip_input.c:252
 NF_HOOK include/linux/netfilter.h:307 [inline]
 ip_rcv+0xc9/0x2e0 net/ipv4/ip_input.c:539
 __netif_receive_skb_one_core+0x10b/0x180 net/core/dev.c:5268
 process_backlog+0x1f2/0x710 net/core/dev.c:6214
 napi_poll net/core/dev.c:6659 [inline]
 net_rx_action+0x415/0xd70 net/core/dev.c:6727
 __do_softirq+0x26e/0xa0c kernel/softirq.c:292
 run_ksoftirqd+0x8f/0x100 kernel/softirq.c:604
 smpboot_thread_fn+0x511/0x850 kernel/smpboot.c:165
 kthread+0x340/0x410 kernel/kthread.c:268
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:351
Modules linked in:
---[ end trace 7549d4b726380397 ]---
RIP: 0010:skb_zcopy include/linux/skbuff.h:1446 [inline]
RIP: 0010:skb_orphan_frags include/linux/skbuff.h:2777 [inline]
RIP: 0010:skb_clone+0x2d/0x300 net/core/skbuff.c:1436
Code: 41 55 41 54 41 89 f4 55 53 48 89 fb 0f 84 95 00 00 00 48 8d bf bc 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 0f
RSP: 0018:ffffc90000d7f780 EFLAGS: 00010a07
RAX: dffffc0000000000 RBX: 921d8fc842abc800 RCX: 0000000000000000
RDX: 1243b1f908557917 RSI: 0000000000000a20 RDI: 921d8fc842abc8bc
RBP: 0000000000000071 R08: 0000000000000000 R09: ffff88809b1f8840
R10: ffff8880ae938b1b R11: ffffed1015d27163 R12: 0000000000000a20
R13: 0000000000000000 R14: ffff88809a176352 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005568bdd3c160 CR3: 0000000008c79000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400