bisecting cause commit starting from b74b991fb8b9d642b8fea20d6245c6e19125a305
building syzkaller on 78267cec1aaa5e066d66e6a6c76fea1753e51b46
testing commit b74b991fb8b9d642b8fea20d6245c6e19125a305 with gcc (GCC) 8.1.0
kernel signature: ff32d93935fa8dffd615bba1f3e416de4374c7523617b2ec067d39bbce5dd492
run #0: crashed: KASAN: vmalloc-out-of-bounds Read in srcu_invoke_callbacks
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
testing release v5.5
testing commit d5226fa6dbae0569ee43ecfc08bdcd6770fc4755 with gcc (GCC) 8.1.0
kernel signature: 972005edb540d4cc1a3a5febf8de9f08e2a651681eeab70ef707ba0d162f1074
all runs: OK
# git bisect start b74b991fb8b9d642b8fea20d6245c6e19125a305 d5226fa6dbae0569ee43ecfc08bdcd6770fc4755
Bisecting: 5763 revisions left to test after this (roughly 13 steps)
[9f68e3655aae6d49d6ba05dd263f99f33c2567af] Merge tag 'drm-next-2020-01-30' of git://anongit.freedesktop.org/drm/drm
testing commit 9f68e3655aae6d49d6ba05dd263f99f33c2567af with gcc (GCC) 8.1.0
kernel signature: 55652606b5f778783418731e0c247e1ffa49df27917c3d3d78b793a76925e4dc
all runs: OK
# git bisect good 9f68e3655aae6d49d6ba05dd263f99f33c2567af
Bisecting: 3009 revisions left to test after this (roughly 12 steps)
[469030d454bd1620c7b2651d9ec8cdcbaa74deb9] Merge tag 'armsoc-soc' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc
testing commit 469030d454bd1620c7b2651d9ec8cdcbaa74deb9 with gcc (GCC) 8.1.0
kernel signature: 2444afeb077401627965c1834e6415d1e60fab4b8a4985342412656bf8f9d794
run #0: crashed: KASAN: vmalloc-out-of-bounds Read in srcu_invoke_callbacks
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 469030d454bd1620c7b2651d9ec8cdcbaa74deb9
Bisecting: 1354 revisions left to test after this (roughly 11 steps)
[f4a6365ae88d38528b4eec717326dab877b515ea] Merge tag 'clk-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux
testing commit f4a6365ae88d38528b4eec717326dab877b515ea with gcc (GCC) 8.1.0
kernel signature: 71eeb91aeec0992479d3311ed1a9eac08ae89c3c6d28b600c96eff99f806618d
all runs: OK
# git bisect good f4a6365ae88d38528b4eec717326dab877b515ea
Bisecting: 637 revisions left to test after this (roughly 9 steps)
[e310396bb8d7db977a0e10ef7b5040e98b89c34c] Merge tag 'trace-v5.6-2' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace
testing commit e310396bb8d7db977a0e10ef7b5040e98b89c34c with gcc (GCC) 8.1.0
kernel signature: 247b0b118f156871e193e56fb3648f88d2a18d6f461f7bf7ca4852a7a80f4501
run #0: crashed: KASAN: vmalloc-out-of-bounds Read in srcu_invoke_callbacks
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad e310396bb8d7db977a0e10ef7b5040e98b89c34c
Bisecting: 359 revisions left to test after this (roughly 9 steps)
[d60ddd244215da7c695cba858427094d8e366aa7] Merge tag 'for-linus' of git://git.armlinux.org.uk/~rmk/linux-arm
testing commit d60ddd244215da7c695cba858427094d8e366aa7 with gcc (GCC) 8.1.0
kernel signature: b30ec6b059b710b7e8e9da8b70104ae9bcb32049a12ab8b6c032d32fb277f99c
all runs: OK
# git bisect good d60ddd244215da7c695cba858427094d8e366aa7
Bisecting: 176 revisions left to test after this (roughly 8 steps)
[4fc2ea6a8608d9a649eff5e3c2ee477eb70f0fb6] Merge tag 'iommu-updates-v5.6' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu
testing commit 4fc2ea6a8608d9a649eff5e3c2ee477eb70f0fb6 with gcc (GCC) 8.1.0
kernel signature: 4ed3295c2981148c414c329d7e4eb4b61ce3d066282656bb5c3275b91b1a02c9
run #0: crashed: KASAN: vmalloc-out-of-bounds Read in srcu_invoke_callbacks
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 4fc2ea6a8608d9a649eff5e3c2ee477eb70f0fb6
Bisecting: 89 revisions left to test after this (roughly 7 steps)
[d271ab29230b1d0ceb426f374c221c4eb2c91c64] Merge tag 'for-linus-5.6-rc1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip
testing commit d271ab29230b1d0ceb426f374c221c4eb2c91c64 with gcc (GCC) 8.1.0
kernel signature: 8a63bfcd55ecbaefde44a1f3cdcba77176a6f9701d1561a5946a0ef03173b3ea
run #0: crashed: KASAN: vmalloc-out-of-bounds Read in srcu_invoke_callbacks
run #1: crashed: KASAN: vmalloc-out-of-bounds Read in srcu_invoke_callbacks
run #2: boot failed: can't ssh into the instance
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad d271ab29230b1d0ceb426f374c221c4eb2c91c64
Bisecting: 45 revisions left to test after this (roughly 6 steps)
[9afe2322cb90a8fbc27e32bfc691100c653cab2a] Merge branch 'unbreak-basic-and-bpf-tdc-testcases'
testing commit 9afe2322cb90a8fbc27e32bfc691100c653cab2a with gcc (GCC) 8.1.0
kernel signature: 259e3a66cf4635999672e1833fa4c5d5db5ee8a8ddb6408441eef4dcd8c93220
run #0: crashed: KASAN: vmalloc-out-of-bounds Read in srcu_invoke_callbacks
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 9afe2322cb90a8fbc27e32bfc691100c653cab2a
Bisecting: 22 revisions left to test after this (roughly 5 steps)
[83d0585f91da441a0b11bc5ff93f4cda56de6703] Merge branch 'Fix-reconnection-latency-caused-by-FIN-ACK-handling-race'
testing commit 83d0585f91da441a0b11bc5ff93f4cda56de6703 with gcc (GCC) 8.1.0
kernel signature: 4f4a529c0156926bacecb70f2953edc2307c8f79b1dbbc19ebdf9cbb4900750e
all runs: OK
# git bisect good 83d0585f91da441a0b11bc5ff93f4cda56de6703
Bisecting: 11 revisions left to test after this (roughly 4 steps)
[2b5ea2947fbdf4e650169afd5ef30ce1c7d8cba8] Merge branch 'bnxt_en-Bug-fixes'
testing commit 2b5ea2947fbdf4e650169afd5ef30ce1c7d8cba8 with gcc (GCC) 8.1.0
kernel signature: 7d6bcd564c4be1f8dd340b6e3644e347ce2138db44c73ba0a3fadcf3c73a65ce
run #0: crashed: KASAN: vmalloc-out-of-bounds Read in srcu_invoke_callbacks
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 2b5ea2947fbdf4e650169afd5ef30ce1c7d8cba8
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[3d80c653f99658af6af3ac1b74f70bf9a069e71f] Merge tag 'rxrpc-fixes-20200203' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs
testing commit 3d80c653f99658af6af3ac1b74f70bf9a069e71f with gcc (GCC) 8.1.0
kernel signature: 38e9b9643bbfe75adf902b2947e5f89f17488de404d22075c1e3065c112a786e
run #0: crashed: INFO: task hung in kvm_arch_destroy_vm
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 3d80c653f99658af6af3ac1b74f70bf9a069e71f
Bisecting: 2 revisions left to test after this (roughly 1 step)
[f71dbf2fb28489a79bde0dca1c8adfb9cdb20a6b] rxrpc: Fix insufficient receive notification generation
testing commit f71dbf2fb28489a79bde0dca1c8adfb9cdb20a6b with gcc (GCC) 8.1.0
kernel signature: dc1eee2963ed033a3228bb883fe048fcf0e8ec707fdadb668d9a07681cda86c7
run #0: crashed: WARNING: ODEBUG bug in kvm_dev_ioctl
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad f71dbf2fb28489a79bde0dca1c8adfb9cdb20a6b
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[fac20b9e738523fc884ee3ea5be360a321cd8bad] rxrpc: Fix use-after-free in rxrpc_put_local()
testing commit fac20b9e738523fc884ee3ea5be360a321cd8bad with gcc (GCC) 8.1.0
kernel signature: 9a5d14f571c07d82e77bd62dd8e55f862bd3846d3d06509a0460b8fdea703ab7
all runs: OK
# git bisect good fac20b9e738523fc884ee3ea5be360a321cd8bad
f71dbf2fb28489a79bde0dca1c8adfb9cdb20a6b is the first bad commit
commit f71dbf2fb28489a79bde0dca1c8adfb9cdb20a6b
Author: David Howells <dhowells@redhat.com>
Date:   Thu Jan 30 21:50:36 2020 +0000

    rxrpc: Fix insufficient receive notification generation
    
    In rxrpc_input_data(), rxrpc_notify_socket() is called if the base sequence
    number of the packet is immediately following the hard-ack point at the end
    of the function.  However, this isn't sufficient, since the recvmsg side
    may have been advancing the window and then overrun the position in which
    we're adding - at which point rx_hard_ack >= seq0 and no notification is
    generated.
    
    Fix this by always generating a notification at the end of the input
    function.
    
    Without this, a long call may stall, possibly indefinitely.
    
    Fixes: 248f219cb8bc ("rxrpc: Rewrite the data and ack handling code")
    Signed-off-by: David Howells <dhowells@redhat.com>

 net/rxrpc/input.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
culprit signature: dc1eee2963ed033a3228bb883fe048fcf0e8ec707fdadb668d9a07681cda86c7
parent  signature: 9a5d14f571c07d82e77bd62dd8e55f862bd3846d3d06509a0460b8fdea703ab7
revisions tested: 15, total time: 4h28m53.374585925s (build: 1h37m15.610971871s, test: 2h50m35.526879677s)
first bad commit: f71dbf2fb28489a79bde0dca1c8adfb9cdb20a6b rxrpc: Fix insufficient receive notification generation
cc: ["davem@davemloft.net" "dhowells@redhat.com" "kuba@kernel.org" "linux-afs@lists.infradead.org" "linux-kernel@vger.kernel.org" "netdev@vger.kernel.org"]
crash: WARNING: ODEBUG bug in kvm_dev_ioctl
------------[ cut here ]------------
ODEBUG: init active (active state 0) object type: timer_list hint: srcu_delay_timer+0x0/0x90 kernel/rcu/srcutree.c:1249
WARNING: CPU: 0 PID: 2758 at lib/debugobjects.c:488 debug_print_object+0x160/0x210 lib/debugobjects.c:485
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 2758 Comm: syz-executor.4 Not tainted 5.5.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x128/0x182 lib/dump_stack.c:118
 panic+0x22a/0x4e3 kernel/panic.c:221
 __warn.cold.10+0x25/0x26 kernel/panic.c:582
 report_bug+0x1ad/0x270 lib/bug.c:195
 fixup_bug arch/x86/kernel/traps.c:176 [inline]
 do_error_trap+0x123/0x210 arch/x86/kernel/traps.c:269
 do_invalid_op+0x31/0x40 arch/x86/kernel/traps.c:288
 invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027
RIP: 0010:debug_print_object+0x160/0x210 lib/debugobjects.c:485
Code: ad 87 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 96 00 00 00 48 8b 14 dd 40 97 ad 87 4c 89 f6 48 c7 c7 a0 8c ad 87 e8 7c 31 fa fd <0f> 0b 83 05 0b ae 54 06 01 48 83 c4 18 5b 5d 41 5c 41 5d 41 5e c3
RSP: 0018:ffffc90002b779e8 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000
RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffffff8b5ff360
RBP: 0000000000000001 R08: ffffed1015d06659 R09: ffffed1015d06659
R10: ffffed1015d06658 R11: ffff8880ae8332c7 R12: ffffffff88bae5c0
R13: ffffffff81582200 R14: ffffffff87ad9220 R15: ffffffff8b84c180
 __debug_object_init+0x561/0xea0 lib/debugobjects.c:568
 debug_timer_init kernel/time/timer.c:709 [inline]
 debug_init kernel/time/timer.c:762 [inline]
 init_timer_key+0x2a/0x290 kernel/time/timer.c:804
 init_srcu_struct_nodes kernel/rcu/srcutree.c:148 [inline]
 init_srcu_struct_fields+0xb6d/0x12d0 kernel/rcu/srcutree.c:180
 kvm_create_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:699 [inline]
 kvm_dev_ioctl_create_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:3519 [inline]
 kvm_dev_ioctl+0x2e2/0x1280 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3571
 vfs_ioctl fs/ioctl.c:47 [inline]
 file_ioctl fs/ioctl.c:545 [inline]
 do_vfs_ioctl+0x18b/0x1080 fs/ioctl.c:732
 ksys_ioctl+0x5b/0x90 fs/ioctl.c:749
 __do_sys_ioctl fs/ioctl.c:756 [inline]
 __se_sys_ioctl fs/ioctl.c:754 [inline]
 __x64_sys_ioctl+0x6a/0xb0 fs/ioctl.c:754
 do_syscall_64+0xc6/0x5e0 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45c849
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f6cee305c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f6cee3066d4 RCX: 000000000045c849
RDX: 0000000000000000 RSI: 000000000000ae01 RDI: 0000000000000003
RBP: 000000000076bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 000000000000038f R14: 00000000004c6057 R15: 000000000076bf0c
Kernel Offset: disabled
Rebooting in 86400 seconds..