bisecting cause commit starting from 687dec9b94599b19e218f89fd034d6449c3ff57c building syzkaller on d973f52833e0e3cec5406aa9cdf606a463d85c46 testing commit 687dec9b94599b19e218f89fd034d6449c3ff57c with gcc (GCC) 8.1.0 kernel signature: 066ec565f1653d75bb2ec9f3aa0288463be720e2 all runs: crashed: kernel BUG at arch/x86/kvm/mmu/mmu.c:LINE! testing release v5.4 testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0 kernel signature: 0b8bddc411f266ca40984384211e12157734bad2 all runs: crashed: kernel BUG at arch/x86/kvm/mmu.c:LINE! testing release v5.3 testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.1.0 kernel signature: d05b1808aa4490a6e8db0d65a2e7885cbaf722cc all runs: crashed: kernel BUG at arch/x86/kvm/mmu.c:LINE! testing release v5.2 testing commit 0ecfebd2b52404ae0c54a878c872bb93363ada36 with gcc (GCC) 8.1.0 kernel signature: d16a348872e3d8f38014d6ba9626326343a75e8e all runs: crashed: kernel BUG at arch/x86/kvm/mmu.c:LINE! testing release v5.1 testing commit e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd with gcc (GCC) 8.1.0 kernel signature: f7c25e6cbbef3f22161448e985c3659c2687a8a2 all runs: crashed: kernel BUG at arch/x86/kvm/mmu.c:LINE! testing release v5.0 testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783 with gcc (GCC) 8.1.0 kernel signature: a6674de5815f45eb649dbf9305631500871fe9ea all runs: crashed: kernel BUG at arch/x86/kvm/mmu.c:LINE! testing release v4.20 testing commit 8fe28cb58bcb235034b64cbbb7550a8a43fd88be with gcc (GCC) 8.1.0 kernel signature: d3ad431f463aae969956b46e9f4a2c3d64d8ce80 all runs: crashed: kernel BUG at arch/x86/kvm/mmu.c:LINE! testing release v4.19 testing commit 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d with gcc (GCC) 8.1.0 kernel signature: 89e6064edbad83c95261fc503b6935c3cccf47b1 all runs: crashed: kernel BUG at arch/x86/kvm/mmu.c:LINE! testing release v4.18 testing commit 94710cac0ef4ee177a63b5227664b38c95bbf703 with gcc (GCC) 8.1.0 kernel signature: e5868fb6c22860a8f5b0b4a22772dd84be8a2160 all runs: crashed: kernel BUG at arch/x86/kvm/mmu.c:LINE! testing release v4.17 testing commit 29dcea88779c856c7dc92040a0c01233263101d4 with gcc (GCC) 8.1.0 kernel signature: 29c2286ba613cff5d5af16b07c1c51c7c775acaa all runs: OK # git bisect start 94710cac0ef4ee177a63b5227664b38c95bbf703 29dcea88779c856c7dc92040a0c01233263101d4 Bisecting: 7032 revisions left to test after this (roughly 13 steps) [3036bc45364f98515a2c446d7fac2c34dcfbeff4] Merge tag 'media/v4.18-2' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media testing commit 3036bc45364f98515a2c446d7fac2c34dcfbeff4 with gcc (GCC) 8.1.0 kernel signature: cd0325b9bdf1ed615363ad427e98d993afd5c2b9 run #0: crashed: kernel BUG at arch/x86/kvm/mmu.c:LINE! run #1: crashed: kernel BUG at arch/x86/kvm/mmu.c:LINE! run #2: crashed: kernel BUG at arch/x86/kvm/mmu.c:LINE! run #3: crashed: kernel BUG at arch/x86/kvm/mmu.c:LINE! run #4: crashed: kernel BUG at arch/x86/kvm/mmu.c:LINE! run #5: crashed: kernel BUG at arch/x86/kvm/mmu.c:LINE! run #6: crashed: kernel BUG at arch/x86/kvm/mmu.c:LINE! run #7: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #8: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #9: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work # git bisect bad 3036bc45364f98515a2c446d7fac2c34dcfbeff4 Bisecting: 3644 revisions left to test after this (roughly 12 steps) [135c5504a600ff9b06e321694fbcac78a9530cd4] Merge tag 'drm-next-2018-06-06-1' of git://anongit.freedesktop.org/drm/drm testing commit 135c5504a600ff9b06e321694fbcac78a9530cd4 with gcc (GCC) 8.1.0 kernel signature: 55a134ea628c0d93ee111991d88c2dfec84c3a64 all runs: OK # git bisect good 135c5504a600ff9b06e321694fbcac78a9530cd4 Bisecting: 1830 revisions left to test after this (roughly 11 steps) [f39c6b29ae1d3727d9c65a4ab99d5150b558be5e] Merge tag 'mlx5e-updates-2018-06-01' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux testing commit f39c6b29ae1d3727d9c65a4ab99d5150b558be5e with gcc (GCC) 8.1.0 kernel signature: 77bc4f2c8b034884ef0b5f4a64115ae7447012ed run #0: crashed: kernel BUG at arch/x86/kvm/mmu.c:LINE! run #1: crashed: kernel BUG at arch/x86/kvm/mmu.c:LINE! run #2: crashed: kernel BUG at arch/x86/kvm/mmu.c:LINE! run #3: crashed: kernel BUG at arch/x86/kvm/mmu.c:LINE! run #4: crashed: kernel BUG at arch/x86/kvm/mmu.c:LINE! run #5: crashed: kernel BUG at arch/x86/kvm/mmu.c:LINE! run #6: crashed: kernel BUG at arch/x86/kvm/mmu.c:LINE! run #7: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #8: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #9: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work # git bisect bad f39c6b29ae1d3727d9c65a4ab99d5150b558be5e Bisecting: 901 revisions left to test after this (roughly 10 steps) [7d6541fba19c970cf5ebbc2c56b0fb04eab89f98] Merge tag 'mlx5e-updates-2018-05-14' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux testing commit 7d6541fba19c970cf5ebbc2c56b0fb04eab89f98 with gcc (GCC) 8.1.0 kernel signature: 6d4fcd644552059ed7f799240ae8f63e4634fa35 all runs: OK # git bisect good 7d6541fba19c970cf5ebbc2c56b0fb04eab89f98 Bisecting: 450 revisions left to test after this (roughly 9 steps) [73bf1fc58dc4376d0111a4c1c9eab27e2759f468] Merge branch 'net-ipv6-Fix-route-append-and-replace-use-cases' testing commit 73bf1fc58dc4376d0111a4c1c9eab27e2759f468 with gcc (GCC) 8.1.0 kernel signature: b651b65951b60c06906f2717756395fc5176e7b5 run #0: OK run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: crashed: WARNING in __static_key_slow_dec_cpuslocked # git bisect bad 73bf1fc58dc4376d0111a4c1c9eab27e2759f468 Bisecting: 280 revisions left to test after this (roughly 8 steps) [763ece85f45a6b93268e25a0abf02922f911dab4] brcmfmac: fix initialization of struct cfg80211_inform_bss variable testing commit 763ece85f45a6b93268e25a0abf02922f911dab4 with gcc (GCC) 8.1.0 kernel signature: 71c60a204deb9d423ecad18bc15bdb5678841a70 all runs: OK # git bisect good 763ece85f45a6b93268e25a0abf02922f911dab4 Bisecting: 142 revisions left to test after this (roughly 7 steps) [7c5995b33d6e40316d366205a7926d122c5366a7] tc-testing: fixed copy-pasting error in ife tests testing commit 7c5995b33d6e40316d366205a7926d122c5366a7 with gcc (GCC) 8.1.0 kernel signature: f75fbdc2cf132a6ba7df987610dc4474d6963d5c all runs: OK # git bisect good 7c5995b33d6e40316d366205a7926d122c5366a7 Bisecting: 71 revisions left to test after this (roughly 6 steps) [da077392486b2f87c384bc12b27a16b29620c5e4] dsa: set devlink port attrs for dsa ports testing commit da077392486b2f87c384bc12b27a16b29620c5e4 with gcc (GCC) 8.1.0 kernel signature: c036bc8ec603025d42ccf1f8884d579188ec7165 all runs: OK # git bisect good da077392486b2f87c384bc12b27a16b29620c5e4 Bisecting: 35 revisions left to test after this (roughly 5 steps) [99a6993a6933acbf791d1c7bb789e0ebe5bd7127] net: hns3: cleanup of return values in hclge_init_client_instance() testing commit 99a6993a6933acbf791d1c7bb789e0ebe5bd7127 with gcc (GCC) 8.1.0 kernel signature: 899b9e82a1a974db30f066ae9946c29fe1ac629e all runs: OK # git bisect good 99a6993a6933acbf791d1c7bb789e0ebe5bd7127 Bisecting: 17 revisions left to test after this (roughly 4 steps) [3bcd47726c3b744fd08781795cca905cc59a1382] net: phy: phylink: Don't release NULL GPIO testing commit 3bcd47726c3b744fd08781795cca905cc59a1382 with gcc (GCC) 8.1.0 kernel signature: 3e6db03c7d45a4f82805a9a45e47b216aa89d85a all runs: OK # git bisect good 3bcd47726c3b744fd08781795cca905cc59a1382 Bisecting: 8 revisions left to test after this (roughly 3 steps) [c79c3850440c1535b845e96e7e5ff0139ba479e6] ti: ethernet: davinci: Fix cast to int warnings testing commit c79c3850440c1535b845e96e7e5ff0139ba479e6 with gcc (GCC) 8.1.0 kernel signature: e8620b27fac5ce1ac373a2285149b8e409e572fa all runs: OK # git bisect good c79c3850440c1535b845e96e7e5ff0139ba479e6 Bisecting: 4 revisions left to test after this (roughly 2 steps) [37ce42c14edad0d979444d8a589ae2299edb464d] selftests: fib_tests: Add success-fail counts testing commit 37ce42c14edad0d979444d8a589ae2299edb464d with gcc (GCC) 8.1.0 kernel signature: a1d9aea5a2583fd3aa83bb1c4e54a69df8e906cb all runs: OK # git bisect good 37ce42c14edad0d979444d8a589ae2299edb464d Bisecting: 2 revisions left to test after this (roughly 1 step) [7df15e6c3e83850eeec13a9a89a494a898344e93] selftests: fib_tests: Add option to pause after each test testing commit 7df15e6c3e83850eeec13a9a89a494a898344e93 with gcc (GCC) 8.1.0 kernel signature: f0a34a2475e63cd6a1a24956cf935a1291030204 all runs: OK # git bisect good 7df15e6c3e83850eeec13a9a89a494a898344e93 Bisecting: 0 revisions left to test after this (roughly 1 step) [abb1860aac20868c74da2f4974d8ed05827e2854] selftests: fib_tests: Add ipv4 route add append replace tests testing commit abb1860aac20868c74da2f4974d8ed05827e2854 with gcc (GCC) 8.1.0 kernel signature: 0d50f91b8f488199ce1a618fe3fa741b21058d56 all runs: OK # git bisect good abb1860aac20868c74da2f4974d8ed05827e2854 73bf1fc58dc4376d0111a4c1c9eab27e2759f468 is the first bad commit commit 73bf1fc58dc4376d0111a4c1c9eab27e2759f468 Merge: e3bb946cd922 abb1860aac20 Author: David S. Miller Date: Tue May 22 14:44:20 2018 -0400 Merge branch 'net-ipv6-Fix-route-append-and-replace-use-cases' David Ahern says: ==================== net/ipv6: Fix route append and replace use cases This patch set fixes a few append and replace uses cases for IPv6 and adds test cases that codifies the expectations of how append and replace are expected to work. In paricular it allows a multipath route to have a dev-only nexthop, something Thomas tried to accomplish with commit edd7ceb78296 ("ipv6: Allow non-gateway ECMP for IPv6") which had to be reverted because of breakage, and to replace an existing FIB entry with a reject route. There are a number of inconsistent and surprising aspects to the Linux API for adding, deleting, replacing and changing FIB entries. For example, with IPv4 NLM_F_APPEND means insert the route after any existing entries with the same key (prefix + priority + TOS for IPv4) and NLM_F_CREATE without the append flag inserts the new route before any existing entries. IPv6 on the other hand attempts to guess whether a new route should be appended to an existing one, possibly creating a multipath route, or to add a new entry after any existing ones. This applies to both the 'append' (NLM_F_CREATE + NLM_F_APPEND) and 'prepend' (NLM_F_CREATE only) cases meaning for IPv6 the NLM_F_APPEND is basically ignored. This guessing whether the route should be added to a multipath route (gateway routes) or inserted after existing entries (non-gateway based routes) means a multipath route can not have a dev only nexthop (potentially required in some cases - tunnels or VRF route leaking for example) and route 'replace' is a bit adhoc treating gateway based routes and dev-only / reject routes differently. This has led to frustration with developers working on routing suites such as FRR where workarounds such as delete and add are used instead of replace. After this patch set there are 2 differences between IPv4 and IPv6: 1. 'ip ro prepend' = NLM_F_CREATE only IPv4 adds the new route before any existing ones IPv6 adds new route after any existing ones 2. 'ip ro append' = NLM_F_CREATE|NLM_F_APPEND IPv4 adds the new route after any existing ones IPv6 adds the nexthop to existing routes converting to multipath For the former, there are cases where we want same prefix routes added after existing ones (e.g., multicast, prefix routes for macvlan when used for virtual router redundancy). Requiring the APPEND flag to add a new route to an existing one helps here but is a slight change in behavior since prepend with gateway routes now create a separate entry. For the latter IPv6 behavior is preferred - appending a route for the same prefix and metric to make a multipath route, so really IPv4 not allowing an existing route to be updated is the limiter. This will be fixed when nexthops become separate objects - a future patch set. Thank you to Thomas and Ido for testing earlier versions of this set, and to Ido for providing an update to the mlxsw driver. Changes since RFC - cleanup wording in test script; add comments about expected failures and why ==================== Signed-off-by: David S. Miller .../net/ethernet/mellanox/mlxsw/spectrum_router.c | 2 + include/net/ip6_route.h | 6 - net/ipv6/ip6_fib.c | 157 +++-- net/ipv6/route.c | 3 +- tools/testing/selftests/net/fib_tests.sh | 679 ++++++++++++++++++++- 5 files changed, 743 insertions(+), 104 deletions(-) revisions tested: 24, total time: 5h23m50.295262123s (build: 2h18m36.588577259s, test: 3h3m22.227633872s) first bad commit: 73bf1fc58dc4376d0111a4c1c9eab27e2759f468 Merge branch 'net-ipv6-Fix-route-append-and-replace-use-cases' cc: ["davem@davemloft.net"] crash: WARNING in __static_key_slow_dec_cpuslocked ------------[ cut here ]------------ jump label: negative count! WARNING: CPU: 1 PID: 2126 at kernel/jump_label.c:197 __static_key_slow_dec_cpuslocked+0xd2/0xf0 kernel/jump_label.c:196 Kernel panic - not syncing: panic_on_warn set ... kobject: 'kvm' (00000000de4e1b96): fill_kobj_path: path = '/devices/virtual/misc/kvm' CPU: 1 PID: 2126 Comm: syz-executor.4 Not tainted 4.17.0-rc6-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x109/0x15a lib/dump_stack.c:113 panic+0x1c6/0x36b kernel/panic.c:184 __warn.cold.8+0x120/0x168 kernel/panic.c:536 report_bug+0x1a4/0x200 lib/bug.c:186 fixup_bug arch/x86/kernel/traps.c:178 [inline] do_error_trap+0x1df/0x330 arch/x86/kernel/traps.c:296 do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315 invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:992 RIP: 0010:__static_key_slow_dec_cpuslocked+0xd2/0xf0 kernel/jump_label.c:196 RSP: 0018:ffff88009283fc68 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffffffff88fad280 RCX: 0000000000000000 RDX: 0000000000000001 RSI: ffffffff8744f420 RDI: ffffffff89efbc20 RBP: ffff88009283fc80 R08: ffffed0015da4f89 R09: ffffed0015da4f88 R10: ffffed0015da4f88 R11: ffff8800aed27c47 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000003 R15: dffffc0000000000 __static_key_slow_dec kernel/jump_label.c:215 [inline] static_key_slow_dec+0x4c/0x80 kernel/jump_label.c:229 kvm_arch_vcpu_uninit+0x15f/0x1a0 arch/x86/kvm/x86.c:8673 kvm_vcpu_uninit+0x3f/0x80 arch/x86/kvm/../../../virt/kvm/kvm_main.c:312 vmx_free_vcpu+0x1d3/0x290 arch/x86/kvm/vmx.c:9988 kvm_arch_vcpu_free arch/x86/kvm/x86.c:8289 [inline] kvm_free_vcpus arch/x86/kvm/x86.c:8738 [inline] kvm_arch_destroy_vm+0x214/0x490 arch/x86/kvm/x86.c:8835 kvm_destroy_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:729 [inline] kvm_put_kvm+0x433/0xa60 arch/x86/kvm/../../../virt/kvm/kvm_main.c:750 kvm_vcpu_release+0x77/0xa0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:2380 __fput+0x232/0x780 fs/file_table.c:209 ____fput+0x9/0x10 fs/file_table.c:243 task_work_run+0x111/0x180 kernel/task_work.c:113 tracehook_notify_resume include/linux/tracehook.h:191 [inline] exit_to_usermode_loop+0x16a/0x1b0 arch/x86/entry/common.c:166 prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline] syscall_return_slowpath arch/x86/entry/common.c:265 [inline] do_syscall_64+0x407/0x4d0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x4144a1 RSP: 002b:00007fffdced4d20 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: 0000000000000000 RBX: 0000000000000007 RCX: 00000000004144a1 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000006 RBP: 0000000000000001 R08: ffffffffffffffff R09: ffffffffffffffff R10: 00007fffdced4e00 R11: 0000000000000293 R12: 000000000075bf20 kobject: 'kvm' (00000000de4e1b96): kobject_uevent_env R13: 0000000000071601 R14: 00000000007608e0 R15: 000000000075bf2c kobject: 'kvm' (00000000de4e1b96): kobject_uevent_env Kernel Offset: disabled Rebooting in 86400 seconds..