bisecting cause commit starting from 9e9322e5d28e433f1f25f01ffa0aa5762c75dad6 building syzkaller on 7c693b524162a8621413305d441a29376d84e28b testing commit 9e9322e5d28e433f1f25f01ffa0aa5762c75dad6 with gcc (GCC) 8.1.0 all runs: crashed: kernel BUG at include/linux/mm.h:LINE! testing release v4.20 testing commit 8fe28cb58bcb235034b64cbbb7550a8a43fd88be with gcc (GCC) 8.1.0 all runs: OK # git bisect start 9e9322e5d28e433f1f25f01ffa0aa5762c75dad6 v4.20 Bisecting: 8110 revisions left to test after this (roughly 13 steps) [c0ea81b4d37837409d0dfd2036098a7babb312ed] Merge tag 'usb-4.21-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb testing commit c0ea81b4d37837409d0dfd2036098a7babb312ed with gcc (GCC) 8.1.0 all runs: OK # git bisect good c0ea81b4d37837409d0dfd2036098a7babb312ed Bisecting: 4061 revisions left to test after this (roughly 12 steps) [bb617b9b4519b0cef939c9c8e9c41470749f0d51] Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost testing commit bb617b9b4519b0cef939c9c8e9c41470749f0d51 with gcc (GCC) 8.1.0 all runs: OK # git bisect good bb617b9b4519b0cef939c9c8e9c41470749f0d51 Bisecting: 2030 revisions left to test after this (roughly 11 steps) [c397ab21ba362d5c5215e53f36685a9fffc45f66] net: phy: don't double-read link status register if link is up testing commit c397ab21ba362d5c5215e53f36685a9fffc45f66 with gcc (GCC) 8.1.0 all runs: OK # git bisect good c397ab21ba362d5c5215e53f36685a9fffc45f66 Bisecting: 1082 revisions left to test after this (roughly 10 steps) [d29d1c4957d4dde1a7578b10f2a2d1fae39bd47a] Merge branch 'AF_PACKET-transport_offset-fix' testing commit d29d1c4957d4dde1a7578b10f2a2d1fae39bd47a with gcc (GCC) 8.1.0 all runs: OK # git bisect good d29d1c4957d4dde1a7578b10f2a2d1fae39bd47a Bisecting: 541 revisions left to test after this (roughly 9 steps) [84f29264551eb75cc686c3f748ac70b987b95837] Merge branch 'net-phy-marvell10g-Add-2-5GBaseT-support' testing commit 84f29264551eb75cc686c3f748ac70b987b95837 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 84f29264551eb75cc686c3f748ac70b987b95837 Bisecting: 290 revisions left to test after this (roughly 8 steps) [2a8e4997dbb2818061c76ee57d7becf390c0e4bc] net: ipv4: Fix NULL pointer dereference in route lookup testing commit 2a8e4997dbb2818061c76ee57d7becf390c0e4bc with gcc (GCC) 8.1.0 all runs: OK # git bisect good 2a8e4997dbb2818061c76ee57d7becf390c0e4bc Bisecting: 131 revisions left to test after this (roughly 7 steps) [4e7df119d9a621262f22cacf8ae5ca5060183bea] Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next testing commit 4e7df119d9a621262f22cacf8ae5ca5060183bea with gcc (GCC) 8.1.0 all runs: OK # git bisect good 4e7df119d9a621262f22cacf8ae5ca5060183bea Bisecting: 72 revisions left to test after this (roughly 6 steps) [87dab7c3d54ce0f1ff6b54840bf7279d0944bc6a] bpf: add test cases for non-pointer sanitiation logic testing commit 87dab7c3d54ce0f1ff6b54840bf7279d0944bc6a with gcc (GCC) 8.1.0 all runs: OK # git bisect good 87dab7c3d54ce0f1ff6b54840bf7279d0944bc6a Bisecting: 36 revisions left to test after this (roughly 5 steps) [46d841105d791b0ab51a1a7ebf48cb4d5416c957] net: fixup address-space warnings in compat_mc_{get,set}sockopt() testing commit 46d841105d791b0ab51a1a7ebf48cb4d5416c957 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 46d841105d791b0ab51a1a7ebf48cb4d5416c957 Bisecting: 18 revisions left to test after this (roughly 4 steps) [27758c801663d17eafcd4e45179e7294a9c290b8] mlxsw: i2c: Fix comment misspelling testing commit 27758c801663d17eafcd4e45179e7294a9c290b8 with gcc (GCC) 8.1.0 run #0: crashed: kernel BUG at include/linux/mm.h:LINE! run #1: crashed: kernel BUG at include/linux/mm.h:LINE! run #2: crashed: kernel BUG at include/linux/mm.h:LINE! run #3: crashed: kernel BUG at include/linux/mm.h:LINE! run #4: crashed: kernel BUG at include/linux/mm.h:LINE! run #5: crashed: WARNING in sk_stream_kill_queues run #6: crashed: kernel BUG at include/linux/mm.h:LINE! run #7: crashed: kernel BUG at include/linux/mm.h:LINE! # git bisect bad 27758c801663d17eafcd4e45179e7294a9c290b8 Bisecting: 8 revisions left to test after this (roughly 3 steps) [94850257cf0f88b20db7644f28bfedc7d284de15] tls: Fix tls_device handling of partial records testing commit 94850257cf0f88b20db7644f28bfedc7d284de15 with gcc (GCC) 8.1.0 run #0: crashed: kernel BUG at include/linux/mm.h:LINE! run #1: crashed: kernel BUG at include/linux/mm.h:LINE! run #2: crashed: kernel BUG at include/linux/mm.h:LINE! run #3: crashed: kernel BUG at include/linux/mm.h:LINE! run #4: crashed: WARNING in sk_stream_kill_queues run #5: crashed: kernel BUG at include/linux/mm.h:LINE! run #6: crashed: kernel BUG at include/linux/mm.h:LINE! run #7: crashed: kernel BUG at include/linux/mm.h:LINE! # git bisect bad 94850257cf0f88b20db7644f28bfedc7d284de15 Bisecting: 4 revisions left to test after this (roughly 2 steps) [a6d0aa97f453cc1a13ba93428590ef4fd29d005a] net: phy: remove gen10g_suspend and gen10g_resume testing commit a6d0aa97f453cc1a13ba93428590ef4fd29d005a with gcc (GCC) 8.1.0 all runs: OK # git bisect good a6d0aa97f453cc1a13ba93428590ef4fd29d005a Bisecting: 2 revisions left to test after this (roughly 1 step) [d81210c25e17b5cca71138f3990ed8071d510ba9] net: phy: don't export gen10g_read_status testing commit d81210c25e17b5cca71138f3990ed8071d510ba9 with gcc (GCC) 8.1.0 all runs: OK # git bisect good d81210c25e17b5cca71138f3990ed8071d510ba9 Bisecting: 0 revisions left to test after this (roughly 1 step) [7d827379b062533085f3cd31762a8bb7bf48df19] Merge branch 'net-phy-clean-up-the-old-gen10g-functions' testing commit 7d827379b062533085f3cd31762a8bb7bf48df19 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 7d827379b062533085f3cd31762a8bb7bf48df19 94850257cf0f88b20db7644f28bfedc7d284de15 is the first bad commit commit 94850257cf0f88b20db7644f28bfedc7d284de15 Author: Boris Pismenny Date: Wed Feb 27 17:38:03 2019 +0200 tls: Fix tls_device handling of partial records Cleanup the handling of partial records while fixing a bug where the tls_push_pending_closed_record function is using the software tls context instead of the hardware context. The bug resulted in the following crash: [ 88.791229] BUG: unable to handle kernel NULL pointer dereference at 0000000000000000 [ 88.793271] #PF error: [normal kernel read fault] [ 88.794449] PGD 800000022a426067 P4D 800000022a426067 PUD 22a156067 PMD 0 [ 88.795958] Oops: 0000 [#1] SMP PTI [ 88.796884] CPU: 2 PID: 4973 Comm: openssl Not tainted 5.0.0-rc4+ #3 [ 88.798314] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 [ 88.800067] RIP: 0010:tls_tx_records+0xef/0x1d0 [tls] [ 88.801256] Code: 00 02 48 89 43 08 e8 a0 0b 96 d9 48 89 df e8 48 dd 4d d9 4c 89 f8 4d 8b bf 98 00 00 00 48 05 98 00 00 00 48 89 04 24 49 39 c7 <49> 8b 1f 4d 89 fd 0f 84 af 00 00 00 41 8b 47 10 85 c0 0f 85 8d 00 [ 88.805179] RSP: 0018:ffffbd888186fca8 EFLAGS: 00010213 [ 88.806458] RAX: ffff9af1ed657c98 RBX: ffff9af1e88a1980 RCX: 0000000000000000 [ 88.808050] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff9af1e88a1980 [ 88.809724] RBP: ffff9af1e88a1980 R08: 0000000000000017 R09: ffff9af1ebeeb700 [ 88.811294] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 88.812917] R13: ffff9af1e88a1980 R14: ffff9af1ec13f800 R15: 0000000000000000 [ 88.814506] FS: 00007fcad2240740(0000) GS:ffff9af1f7880000(0000) knlGS:0000000000000000 [ 88.816337] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 88.817717] CR2: 0000000000000000 CR3: 0000000228b3e000 CR4: 00000000001406e0 [ 88.819328] Call Trace: [ 88.820123] tls_push_data+0x628/0x6a0 [tls] [ 88.821283] ? remove_wait_queue+0x20/0x60 [ 88.822383] ? n_tty_read+0x683/0x910 [ 88.823363] tls_device_sendmsg+0x53/0xa0 [tls] [ 88.824505] sock_sendmsg+0x36/0x50 [ 88.825492] sock_write_iter+0x87/0x100 [ 88.826521] __vfs_write+0x127/0x1b0 [ 88.827499] vfs_write+0xad/0x1b0 [ 88.828454] ksys_write+0x52/0xc0 [ 88.829378] do_syscall_64+0x5b/0x180 [ 88.830369] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 88.831603] RIP: 0033:0x7fcad1451680 [ 1248.470626] BUG: unable to handle kernel NULL pointer dereference at 0000000000000000 [ 1248.472564] #PF error: [normal kernel read fault] [ 1248.473790] PGD 0 P4D 0 [ 1248.474642] Oops: 0000 [#1] SMP PTI [ 1248.475651] CPU: 3 PID: 7197 Comm: openssl Tainted: G OE 5.0.0-rc4+ #3 [ 1248.477426] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 [ 1248.479310] RIP: 0010:tls_tx_records+0x110/0x1f0 [tls] [ 1248.480644] Code: 00 02 48 89 43 08 e8 4f cb 63 d7 48 89 df e8 f7 9c 1b d7 4c 89 f8 4d 8b bf 98 00 00 00 48 05 98 00 00 00 48 89 04 24 49 39 c7 <49> 8b 1f 4d 89 fd 0f 84 af 00 00 00 41 8b 47 10 85 c0 0f 85 8d 00 [ 1248.484825] RSP: 0018:ffffaa0a41543c08 EFLAGS: 00010213 [ 1248.486154] RAX: ffff955a2755dc98 RBX: ffff955a36031980 RCX: 0000000000000006 [ 1248.487855] RDX: 0000000000000000 RSI: 000000000000002b RDI: 0000000000000286 [ 1248.489524] RBP: ffff955a36031980 R08: 0000000000000000 R09: 00000000000002b1 [ 1248.491394] R10: 0000000000000003 R11: 00000000ad55ad55 R12: 0000000000000000 [ 1248.493162] R13: 0000000000000000 R14: ffff955a2abe6c00 R15: 0000000000000000 [ 1248.494923] FS: 0000000000000000(0000) GS:ffff955a378c0000(0000) knlGS:0000000000000000 [ 1248.496847] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 1248.498357] CR2: 0000000000000000 CR3: 000000020c40e000 CR4: 00000000001406e0 [ 1248.500136] Call Trace: [ 1248.500998] ? tcp_check_oom+0xd0/0xd0 [ 1248.502106] tls_sk_proto_close+0x127/0x1e0 [tls] [ 1248.503411] inet_release+0x3c/0x60 [ 1248.504530] __sock_release+0x3d/0xb0 [ 1248.505611] sock_close+0x11/0x20 [ 1248.506612] __fput+0xb4/0x220 [ 1248.507559] task_work_run+0x88/0xa0 [ 1248.508617] do_exit+0x2cb/0xbc0 [ 1248.509597] ? core_sys_select+0x17a/0x280 [ 1248.510740] do_group_exit+0x39/0xb0 [ 1248.511789] get_signal+0x1d0/0x630 [ 1248.512823] do_signal+0x36/0x620 [ 1248.513822] exit_to_usermode_loop+0x5c/0xc6 [ 1248.515003] do_syscall_64+0x157/0x180 [ 1248.516094] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 1248.517456] RIP: 0033:0x7fb398bd3f53 [ 1248.518537] Code: Bad RIP value. Fixes: a42055e8d2c3 ("net/tls: Add support for async encryption of records for performance") Signed-off-by: Boris Pismenny Signed-off-by: Eran Ben Elisha Signed-off-by: David S. Miller :040000 040000 103ddf2eba8aa5d4799bf8608fbce975119502e5 0fe28eb578a306be07c179c7967a3dff174e2b29 M include :040000 040000 5a6262351dc0b56b3e15b914376a648e27f7b6ea fbc11ba854efdfdd39e3551c78cf4b04fa3da295 M net revisions tested: 16, total time: 3h44m20.162626077s (build: 1h26m42.350246523s, test: 2h13m17.719518588s) first bad commit: 94850257cf0f88b20db7644f28bfedc7d284de15 tls: Fix tls_device handling of partial records cc: ["aviadye@mellanox.com" "borisp@mellanox.com" "daniel@iogearbox.net" "davejwatson@fb.com" "davem@davemloft.net" "eranbe@mellanox.com" "john.fastabend@gmail.com" "linux-kernel@vger.kernel.org" "netdev@vger.kernel.org"] crash: kernel BUG at include/linux/mm.h:LINE! IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready page dumped because: VM_BUG_ON_PAGE(page_ref_count(page) == 0) 8021q: adding VLAN 0 to HW filter on device batadv0 ------------[ cut here ]------------ kernel BUG at include/linux/mm.h:546! invalid opcode: 0000 [#1] PREEMPT SMP KASAN CPU: 0 PID: 6956 Comm: syz-executor.4 Not tainted 5.0.0-rc7+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014 RIP: 0010:put_page_testzero include/linux/mm.h:546 [inline] RIP: 0010:put_page include/linux/mm.h:992 [inline] RIP: 0010:__skb_frag_unref include/linux/skbuff.h:2837 [inline] RIP: 0010:skb_release_data+0x5ae/0x7c0 net/core/skbuff.c:571 Code: b2 fb ff ff e8 b3 8f 01 fc 4c 8b 65 c8 49 83 ec 01 e9 bf fc ff ff e8 a1 8f 01 fc 48 c7 c6 c0 fa fc 87 4c 89 e7 e8 12 66 2a fc <0f> 0b e8 8b 8f 01 fc 49 8d 5d 0e 48 b8 00 00 00 00 00 fc ff df 48 RSP: 0018:ffff88807368f6d0 EFLAGS: 00010293 RAX: ffff88807afbe000 RBX: ffffea0001ca0634 RCX: ffffffff815a88a0 RDX: 0000000000000000 RSI: ffffffff8198d752 RDI: ffffea0001ca0638 RBP: ffff88807368f738 R08: ffff88807afbe000 R09: ffffed1005b05020 R10: ffffed1005b05020 R11: ffff88802d828107 R12: ffffea0001ca0600 R13: ffff88802891d500 R14: 0000000000000001 R15: dffffc0000000000 FS: 00007f0086b36700(0000) GS:ffff88802d800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000556297bcb218 CR3: 000000002cdbc000 CR4: 00000000007406f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: skb_release_all+0x4a/0x60 net/core/skbuff.c:631 __kfree_skb+0x15/0x20 net/core/skbuff.c:645 sk_wmem_free_skb include/net/sock.h:1463 [inline] tcp_write_queue_purge+0x24f/0x7c0 net/ipv4/tcp.c:2543 tcp_disconnect+0x406/0x1890 net/ipv4/tcp.c:2583 tcp_close+0xe28/0x10a0 net/ipv4/tcp.c:2384 tls_sk_proto_close+0x3de/0x7b0 net/tls/tls_main.c:294 inet_release+0x104/0x1f0 net/ipv4/af_inet.c:428 inet6_release+0x50/0x70 net/ipv6/af_inet6.c:473 __sock_release+0xd7/0x2b0 net/socket.c:579 sock_close+0x19/0x20 net/socket.c:1162 __fput+0x2cf/0x8b0 fs/file_table.c:278 ____fput+0x15/0x20 fs/file_table.c:309 task_work_run+0x14d/0x1c0 kernel/task_work.c:113 exit_task_work include/linux/task_work.h:22 [inline] do_exit+0xb9f/0x3200 kernel/exit.c:875 do_group_exit+0x135/0x370 kernel/exit.c:979 get_signal+0x356/0x1cc0 kernel/signal.c:2575 do_signal+0x87/0x1930 arch/x86/kernel/signal.c:816 exit_to_usermode_loop+0x241/0x2c0 arch/x86/entry/common.c:162 prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline] syscall_return_slowpath arch/x86/entry/common.c:268 [inline] do_syscall_64+0x536/0x600 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x457629 Code: 8d b5 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b b5 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007f0086b35cf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca RAX: fffffffffffffe00 RBX: 000000000071c048 RCX: 0000000000457629 RDX: 0000000000000000 RSI: 0000000000000080 RDI: 000000000071c048 RBP: 000000000071c040 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000071c04c R13: 00007ffcebe84f3f R14: 00007f0086b36700 R15: 0000000000000000 Modules linked in: kobject: 'loop1' (00000000e6be0f2c): kobject_uevent_env kobject: 'loop1' (00000000e6be0f2c): fill_kobj_path: path = '/devices/virtual/block/loop1' ---[ end trace 112336f7e01521b6 ]--- RIP: 0010:put_page_testzero include/linux/mm.h:546 [inline] RIP: 0010:put_page include/linux/mm.h:992 [inline] RIP: 0010:__skb_frag_unref include/linux/skbuff.h:2837 [inline] RIP: 0010:skb_release_data+0x5ae/0x7c0 net/core/skbuff.c:571 Code: b2 fb ff ff e8 b3 8f 01 fc 4c 8b 65 c8 49 83 ec 01 e9 bf fc ff ff e8 a1 8f 01 fc 48 c7 c6 c0 fa fc 87 4c 89 e7 e8 12 66 2a fc <0f> 0b e8 8b 8f 01 fc 49 8d 5d 0e 48 b8 00 00 00 00 00 fc ff df 48 RSP: 0018:ffff88807368f6d0 EFLAGS: 00010293 RAX: ffff88807afbe000 RBX: ffffea0001ca0634 RCX: ffffffff815a88a0 RDX: 0000000000000000 RSI: ffffffff8198d752 RDI: ffffea0001ca0638 RBP: ffff88807368f738 R08: ffff88807afbe000 R09: ffffed1005b05020 R10: ffffed1005b05020 R11: ffff88802d828107 R12: ffffea0001ca0600 R13: ffff88802891d500 R14: 0000000000000001 R15: dffffc0000000000 FS: 00007f0086b36700(0000) GS:ffff88802d800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fb36168b000 CR3: 000000002c1d0000 CR4: 00000000007406f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554