bisecting cause commit starting from d52caf0404e625bcda352ebea53be25e91f9de02 building syzkaller on 8ca3b7d2bb7672b5608051fab4b825fdbbf2356a testing commit d52caf0404e625bcda352ebea53be25e91f9de02 with gcc (GCC) 8.1.0 kernel signature: 0eaded964a3e66d72f4895e89dc1731a63203be3ec213e050fcad8154bc519fd all runs: crashed: general protection fault in skb_clone testing release v5.6 testing commit 7111951b8d4973bda27ff663f2cf18b663d15b48 with gcc (GCC) 8.1.0 kernel signature: 1373f73e1cf2849cc12bf8597a0ada1d4af679f48bd81a56272f7cb42b01a7e1 run #0: OK run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: boot failed: can't ssh into the instance # git bisect start d52caf0404e625bcda352ebea53be25e91f9de02 7111951b8d4973bda27ff663f2cf18b663d15b48 Bisecting: 8496 revisions left to test after this (roughly 13 steps) [bc3b3f4bfbded031a11c4284106adddbfacd05bb] Merge tag 'pinctrl-v5.7-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl testing commit bc3b3f4bfbded031a11c4284106adddbfacd05bb with gcc (GCC) 8.1.0 kernel signature: 561dec715b49850bb74a69fc99b578e0c7799c7b11e50da9acf0a350e4472a8d all runs: OK # git bisect good bc3b3f4bfbded031a11c4284106adddbfacd05bb Bisecting: 4244 revisions left to test after this (roughly 12 steps) [5b8b9d0c6d0e0f1993c6c56deaf9646942c49d94] Merge branch 'akpm' (patches from Andrew) testing commit 5b8b9d0c6d0e0f1993c6c56deaf9646942c49d94 with gcc (GCC) 8.1.0 kernel signature: 0789d2621638055ee7e34c5d8cd5a9bcec0214e613480f07541e841043788cbc all runs: OK # git bisect good 5b8b9d0c6d0e0f1993c6c56deaf9646942c49d94 Bisecting: 2109 revisions left to test after this (roughly 11 steps) [caffb99b6929f41a69edbb5aef3a359bf45f3315] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net testing commit caffb99b6929f41a69edbb5aef3a359bf45f3315 with gcc (GCC) 8.1.0 kernel signature: 1a6bb17ac5c71139329353cb8e4a35fb304498f4db63744af531b6c1352c6e13 all runs: OK # git bisect good caffb99b6929f41a69edbb5aef3a359bf45f3315 Bisecting: 996 revisions left to test after this (roughly 10 steps) [5d9e4722c74e8868d5fe2f8749de80928eb4a1d1] Merge tag 'wireless-drivers-next-2020-05-07' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers-next testing commit 5d9e4722c74e8868d5fe2f8749de80928eb4a1d1 with gcc (GCC) 8.1.0 kernel signature: 23bdf867a027cce7ea37923dbea7da018cc63e3005414c1059c9c5511af68a8a all runs: OK # git bisect good 5d9e4722c74e8868d5fe2f8749de80928eb4a1d1 Bisecting: 498 revisions left to test after this (roughly 9 steps) [2f984f11fdc06bcfd5bb528d07a93c20301dd068] ipv[46]: do compat setsockopt for MCAST_{JOIN,LEAVE}_GROUP directly testing commit 2f984f11fdc06bcfd5bb528d07a93c20301dd068 with gcc (GCC) 8.1.0 kernel signature: ff722be079fd6e04e097bc1c3772c8c8b307c3c58aba650b8d5eaa634f96158f all runs: OK # git bisect good 2f984f11fdc06bcfd5bb528d07a93c20301dd068 Bisecting: 256 revisions left to test after this (roughly 8 steps) [316107119f473e764cf5e50437333c8b83bec0da] ethtool: propagate get_coalesce return value testing commit 316107119f473e764cf5e50437333c8b83bec0da with gcc (GCC) 8.1.0 kernel signature: 5eefbc112e49401ad79c6438fc3c5abce99e160cc02d90b11c631fa7e69155e4 all runs: OK # git bisect good 316107119f473e764cf5e50437333c8b83bec0da Bisecting: 128 revisions left to test after this (roughly 7 steps) [37f4ca907c462d7c8a1ac9e7e3473681b5f893dd] mt76: mt7915: register per-phy HE capabilities for each interface testing commit 37f4ca907c462d7c8a1ac9e7e3473681b5f893dd with gcc (GCC) 8.1.0 kernel signature: 32f79f043c51947a0e5bdb41665c275c39c31f76d321cd7c58442b7be1d3da67 all runs: OK # git bisect good 37f4ca907c462d7c8a1ac9e7e3473681b5f893dd Bisecting: 55 revisions left to test after this (roughly 6 steps) [eda31200e68d38fbb974e7ad02bcc2de2cfe6863] Merge tag 'mt76-for-kvalo-2020-05-14' of https://github.com/nbd168/wireless testing commit eda31200e68d38fbb974e7ad02bcc2de2cfe6863 with gcc (GCC) 8.1.0 kernel signature: 3b0f992a478aed413fa90fde52886be226845b5ac01ec5b49b24a90339be081d all runs: OK # git bisect good eda31200e68d38fbb974e7ad02bcc2de2cfe6863 Bisecting: 27 revisions left to test after this (roughly 5 steps) [154388e11255dbbcf68906fe8058fe72af346634] mlxsw: spectrum: Fix spelling mistake in trap's name testing commit 154388e11255dbbcf68906fe8058fe72af346634 with gcc (GCC) 8.1.0 kernel signature: 331a17eeef94e1ab0470aa06e0eecc3510d2dc007220ac3f55730cf046a6129a all runs: OK # git bisect good 154388e11255dbbcf68906fe8058fe72af346634 Bisecting: 14 revisions left to test after this (roughly 4 steps) [472f0a240250df443ffc4f39835e829916193ca1] mt76: mt7915: Fix build error testing commit 472f0a240250df443ffc4f39835e829916193ca1 with gcc (GCC) 8.1.0 kernel signature: 68a51a44288804c564a055f43f1d1f0f4f5498534de46e827f8befc53d8a0ace all runs: OK # git bisect good 472f0a240250df443ffc4f39835e829916193ca1 Bisecting: 7 revisions left to test after this (roughly 3 steps) [eabd5c9dd0c0b8d471d144801c8302a4eff6eb27] ptp_clock: Let the ADJ_OFFSET interface respect the ADJ_NANO flag for PHC devices. testing commit eabd5c9dd0c0b8d471d144801c8302a4eff6eb27 with gcc (GCC) 8.1.0 kernel signature: d50687359e28091872964e0bd26f27cf4fda26b85a95f2af6a298521e43f456b all runs: crashed: general protection fault in skb_clone # git bisect bad eabd5c9dd0c0b8d471d144801c8302a4eff6eb27 Bisecting: 3 revisions left to test after this (roughly 2 steps) [ca23cb0bc50faae0d48786b2f9f702dbb528b925] mvneta: MVNETA_SKB_HEADROOM set last 3 bits to zero testing commit ca23cb0bc50faae0d48786b2f9f702dbb528b925 with gcc (GCC) 8.1.0 kernel signature: 2a72016f22ab132f84062e74fdaa9a76c03fa13670cd84c8b4c4f018c9f18f66 run #0: basic kernel testing failed: failed to copy test binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/syzkaller/jobs/linux/workdir/image/key" "/tmp/syz-executor432980673" "root@10.128.1.49:./syz-executor432980673"]: exit status 1 ssh: connect to host 10.128.1.49 port 22: Connection timed out lost connection run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect good ca23cb0bc50faae0d48786b2f9f702dbb528b925 Bisecting: 1 revision left to test after this (roughly 1 step) [880f8f99d12ca89d3ec76f688e0d92612054cbb1] bnx2x: allow bnx2x_bsc_read() to schedule testing commit 880f8f99d12ca89d3ec76f688e0d92612054cbb1 with gcc (GCC) 8.1.0 kernel signature: e63b29e9635a2cb2e9457e9180082e7013b5d09ad5d5a46d11c0e8d8030f8b56 all runs: OK # git bisect good 880f8f99d12ca89d3ec76f688e0d92612054cbb1 Bisecting: 0 revisions left to test after this (roughly 0 steps) [45af29ca761c275e350cca659856bc56f1035ef9] tcp: allow traceroute -Mtcp for unpriv users testing commit 45af29ca761c275e350cca659856bc56f1035ef9 with gcc (GCC) 8.1.0 kernel signature: 702965905df247e65faf03ecead618cd9b30440e19997cd28c266780cd841794 all runs: crashed: general protection fault in skb_clone # git bisect bad 45af29ca761c275e350cca659856bc56f1035ef9 45af29ca761c275e350cca659856bc56f1035ef9 is the first bad commit commit 45af29ca761c275e350cca659856bc56f1035ef9 Author: Eric Dumazet Date: Sun May 24 11:00:02 2020 -0700 tcp: allow traceroute -Mtcp for unpriv users Unpriv users can use traceroute over plain UDP sockets, but not TCP ones. $ traceroute -Mtcp 8.8.8.8 You do not have enough privileges to use this traceroute method. $ traceroute -n -Mudp 8.8.8.8 traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets 1 192.168.86.1 3.631 ms 3.512 ms 3.405 ms 2 10.1.10.1 4.183 ms 4.125 ms 4.072 ms 3 96.120.88.125 20.621 ms 19.462 ms 20.553 ms 4 96.110.177.65 24.271 ms 25.351 ms 25.250 ms 5 69.139.199.197 44.492 ms 43.075 ms 44.346 ms 6 68.86.143.93 27.969 ms 25.184 ms 25.092 ms 7 96.112.146.18 25.323 ms 96.112.146.22 25.583 ms 96.112.146.26 24.502 ms 8 72.14.239.204 24.405 ms 74.125.37.224 16.326 ms 17.194 ms 9 209.85.251.9 18.154 ms 209.85.247.55 14.449 ms 209.85.251.9 26.296 ms^C We can easily support traceroute over TCP, by queueing an error message into socket error queue. Note that applications need to set IP_RECVERR/IPV6_RECVERR option to enable this feature, and that the error message is only queued while in SYN_SNT state. socket(AF_INET6, SOCK_STREAM, IPPROTO_IP) = 3 setsockopt(3, SOL_IPV6, IPV6_RECVERR, [1], 4) = 0 setsockopt(3, SOL_SOCKET, SO_TIMESTAMP_OLD, [1], 4) = 0 setsockopt(3, SOL_IPV6, IPV6_UNICAST_HOPS, [5], 4) = 0 connect(3, {sa_family=AF_INET6, sin6_port=htons(8787), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "2002:a05:6608:297::", &sin6_addr), sin6_scope_id=0}, 28) = -1 EHOSTUNREACH (No route to host) recvmsg(3, {msg_name={sa_family=AF_INET6, sin6_port=htons(8787), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "2002:a05:6608:297::", &sin6_addr), sin6_scope_id=0}, msg_namelen=1024->28, msg_iov=[{iov_base="`\r\337\320\0004\6\1&\7\370\260\200\231\16\27\0\0\0\0\0\0\0\0 \2\n\5f\10\2\227"..., iov_len=1024}], msg_iovlen=1, msg_control=[{cmsg_len=32, cmsg_level=SOL_SOCKET, cmsg_type=SO_TIMESTAMP_OLD, cmsg_data={tv_sec=1590340680, tv_usec=272424}}, {cmsg_len=60, cmsg_level=SOL_IPV6, cmsg_type=IPV6_RECVERR}], msg_controllen=96, msg_flags=MSG_ERRQUEUE}, MSG_ERRQUEUE) = 144 Suggested-by: Maciej Żenczykowski Cc: Willem de Bruijn Reviewed-by: Maciej Żenczykowski Signed-off-by: David S. Miller net/ipv4/tcp_ipv4.c | 2 ++ net/ipv6/tcp_ipv6.c | 2 ++ 2 files changed, 4 insertions(+) culprit signature: 702965905df247e65faf03ecead618cd9b30440e19997cd28c266780cd841794 parent signature: e63b29e9635a2cb2e9457e9180082e7013b5d09ad5d5a46d11c0e8d8030f8b56 revisions tested: 16, total time: 4h5m1.679398291s (build: 1h35m55.401231836s, test: 2h27m57.595697695s) first bad commit: 45af29ca761c275e350cca659856bc56f1035ef9 tcp: allow traceroute -Mtcp for unpriv users cc: ["davem@davemloft.net" "edumazet@google.com" "maze@google.com"] crash: general protection fault in skb_clone general protection fault, probably for non-canonical address 0xe90a131b3256a237: 0000 [#1] PREEMPT SMP KASAN KASAN: maybe wild-memory-access in range [0x4850b8d992b511b8-0x4850b8d992b511bf] CPU: 1 PID: 16 Comm: ksoftirqd/1 Not tainted 5.7.0-rc6-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:skb_zcopy include/linux/skbuff.h:1446 [inline] RIP: 0010:skb_orphan_frags include/linux/skbuff.h:2777 [inline] RIP: 0010:skb_clone+0x2d/0x300 net/core/skbuff.c:1436 Code: 41 55 41 54 41 89 f4 55 53 48 89 fb 0f 84 95 00 00 00 48 8d bf bc 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 0f RSP: 0018:ffffc90000d7f780 EFLAGS: 00010203 RAX: dffffc0000000000 RBX: 4850b8d992b51100 RCX: 0000000000000000 RDX: 090a171b3256a237 RSI: 0000000000000a20 RDI: 4850b8d992b511bc RBP: 0000000000000071 R08: 0000000000000000 R09: ffff88809debf040 R10: ffff8880ae938b1b R11: ffffed1015d27163 R12: 0000000000000a20 R13: 0000000000000000 R14: ffff88807a2043d2 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005596663f2fa8 CR3: 00000000a93f2000 CR4: 00000000001406e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: ip_icmp_error+0x2c/0x570 net/ipv4/ip_sockglue.c:397 tcp_v4_err+0x6c4/0x17b0 net/ipv4/tcp_ipv4.c:576 icmp_unreach+0x2bf/0x920 net/ipv4/icmp.c:920 icmp_rcv+0x676/0x1560 net/ipv4/icmp.c:1102 ip_protocol_deliver_rcu+0x53/0x690 net/ipv4/ip_input.c:204 ip_local_deliver_finish+0x200/0x2f0 net/ipv4/ip_input.c:231 NF_HOOK include/linux/netfilter.h:307 [inline] ip_local_deliver+0x2e5/0x3e0 net/ipv4/ip_input.c:252 NF_HOOK include/linux/netfilter.h:307 [inline] ip_rcv+0xc9/0x2e0 net/ipv4/ip_input.c:539 __netif_receive_skb_one_core+0x10b/0x180 net/core/dev.c:5268 process_backlog+0x1f2/0x710 net/core/dev.c:6214 napi_poll net/core/dev.c:6659 [inline] net_rx_action+0x415/0xd70 net/core/dev.c:6727 __do_softirq+0x26e/0xa0c kernel/softirq.c:292 run_ksoftirqd+0x8f/0x100 kernel/softirq.c:604 smpboot_thread_fn+0x511/0x850 kernel/smpboot.c:165 kthread+0x340/0x410 kernel/kthread.c:268 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:351 Modules linked in: ---[ end trace fd8ee04f1a551e5e ]--- RIP: 0010:skb_zcopy include/linux/skbuff.h:1446 [inline] RIP: 0010:skb_orphan_frags include/linux/skbuff.h:2777 [inline] RIP: 0010:skb_clone+0x2d/0x300 net/core/skbuff.c:1436 Code: 41 55 41 54 41 89 f4 55 53 48 89 fb 0f 84 95 00 00 00 48 8d bf bc 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 0f RSP: 0018:ffffc90000d7f780 EFLAGS: 00010203 RAX: dffffc0000000000 RBX: 4850b8d992b51100 RCX: 0000000000000000 RDX: 090a171b3256a237 RSI: 0000000000000a20 RDI: 4850b8d992b511bc RBP: 0000000000000071 R08: 0000000000000000 R09: ffff88809debf040 R10: ffff8880ae938b1b R11: ffffed1015d27163 R12: 0000000000000a20 R13: 0000000000000000 R14: ffff88807a2043d2 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005596663f2fa8 CR3: 00000000a93f2000 CR4: 00000000001406e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400