bisecting cause commit starting from 773dc50d71690202afd7b5017c060c6ca8c75dd9
building syzkaller on 98682e5e2aefc9aad61354f4f3ac93be96002a2a
testing commit 773dc50d71690202afd7b5017c060c6ca8c75dd9 with gcc (GCC) 10.2.1 20210217
kernel signature: e3ff650cb2cebd8729ba42afb682f0e0540ed3d6d1e1aaee0861a3ac3f982d87
all runs: crashed: general protection fault in mptcp_sendmsg_frag
testing release v5.10
testing commit 2c85ebc57b3e1817b6ce1a6b703928e113a90442 with gcc (GCC) 10.2.1 20210217
kernel signature: ad0020076c568fd04e3712999367961eadbdf96cf6f928f88e3fec927cee834c
all runs: OK
# git bisect start 773dc50d71690202afd7b5017c060c6ca8c75dd9 2c85ebc57b3e1817b6ce1a6b703928e113a90442
Bisecting: 8518 revisions left to test after this (roughly 13 steps)
[ba1d41a55e4d07c7b27ee2f6e7cf5b5348849261] Merge tag 'pstore-v5.11-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux
testing commit ba1d41a55e4d07c7b27ee2f6e7cf5b5348849261 with gcc (GCC) 10.2.1 20210217
kernel signature: 29b9744cac67d33ab751a246c5b6f1abb6f6ca0df53fe68fd1f20ab7692aebf7
all runs: OK
# git bisect good ba1d41a55e4d07c7b27ee2f6e7cf5b5348849261
Bisecting: 4261 revisions left to test after this (roughly 12 steps)
[c45647f9f562b52915b43b6bb447827cebf511bd] Merge tag 'for-linus' of git://git.armlinux.org.uk/~rmk/linux
testing commit c45647f9f562b52915b43b6bb447827cebf511bd with gcc (GCC) 10.2.1 20210217
kernel signature: 9ff853198343d0a3c134bea61db11cd63c3e2e6b0e5efee1d3c3b704e6e4ff79
all runs: OK
# git bisect good c45647f9f562b52915b43b6bb447827cebf511bd
Bisecting: 2130 revisions left to test after this (roughly 11 steps)
[a34ffec8af8ff1c730697a99e09ec7b74a3423b6] net/mlx5e: Release skb in case of failure in tc update skb
testing commit a34ffec8af8ff1c730697a99e09ec7b74a3423b6 with gcc (GCC) 10.2.1 20210217
kernel signature: 2916a455e82ea23c9603c13dae8d7ec9e92e32d46135bd1876ba06931dd0ac20
all runs: OK
# git bisect good a34ffec8af8ff1c730697a99e09ec7b74a3423b6
Bisecting: 1065 revisions left to test after this (roughly 10 steps)
[4d469ec8ec05e1fa4792415de1a95b28871ff2fa] Merge branch '1GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/next-queue
testing commit 4d469ec8ec05e1fa4792415de1a95b28871ff2fa with gcc (GCC) 10.2.1 20210217
kernel signature: c8532165c07275d22b7a4548e943842921ee5d9dea422de4cb024635dacb5384
all runs: OK
# git bisect good 4d469ec8ec05e1fa4792415de1a95b28871ff2fa
Bisecting: 513 revisions left to test after this (roughly 9 steps)
[dc9d87581d464e7b7d38853d6904b70b6c920d99] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
testing commit dc9d87581d464e7b7d38853d6904b70b6c920d99 with gcc (GCC) 10.2.1 20210217
kernel signature: 07c4e899fff95c6bf71845d517ac4ed6c3d651b01896588529cc69cf374cf951
all runs: OK
# git bisect good dc9d87581d464e7b7d38853d6904b70b6c920d99
Bisecting: 279 revisions left to test after this (roughly 8 steps)
[9d083348e938eb0330639ad08dcfe493a59a8a40] rtw88: 8822c: update RF_B (2/2) parameter tables to v60
testing commit 9d083348e938eb0330639ad08dcfe493a59a8a40 with gcc (GCC) 10.2.1 20210217
kernel signature: 0288ee0937adbcdce7f7a22051300b35dfd1f877735825e07b01a3da3b0e8d0f
all runs: OK
# git bisect good 9d083348e938eb0330639ad08dcfe493a59a8a40
Bisecting: 161 revisions left to test after this (roughly 7 steps)
[1d1311516a5d104eed3f0983e111bd1aaeb00543] Merge branch 'marvell-cn10k'
testing commit 1d1311516a5d104eed3f0983e111bd1aaeb00543 with gcc (GCC) 10.2.1 20210217
kernel signature: e7e17c95fad5d9db072372c2f910738bde9ca744f56cb3a76e35c626a16f857b
all runs: OK
# git bisect good 1d1311516a5d104eed3f0983e111bd1aaeb00543
Bisecting: 80 revisions left to test after this (roughly 6 steps)
[80d55154b2f8f5298f14fb83a0fb99cacb043c07] mac80211: minstrel_ht: significantly redesign the rate probing strategy
testing commit 80d55154b2f8f5298f14fb83a0fb99cacb043c07 with gcc (GCC) 10.2.1 20210217
kernel signature: 71f5a5b4fc69d7c92f54545b2588f7806f5ee96c1b7a78da9b72ff787484b4ae
all runs: OK
# git bisect good 80d55154b2f8f5298f14fb83a0fb99cacb043c07
Bisecting: 39 revisions left to test after this (roughly 5 steps)
[21cc70c75be0d1a38da34095d1933a75ce784b1d] Merge tag 'mac80211-next-for-net-next-2021-02-12' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211-next
testing commit 21cc70c75be0d1a38da34095d1933a75ce784b1d with gcc (GCC) 10.2.1 20210217
kernel signature: 1ef187db79c9e00e5e74db76b04aefcb1fb92c16ec5283ca008d7b9f3d8fb1b0
all runs: crashed: general protection fault in mptcp_sendmsg_frag
# git bisect bad 21cc70c75be0d1a38da34095d1933a75ce784b1d
Bisecting: 20 revisions left to test after this (roughly 4 steps)
[f384221a381751508f390b36d0e51bd5a7beb627] selftests: mptcp: fix ACKRX debug message
testing commit f384221a381751508f390b36d0e51bd5a7beb627 with gcc (GCC) 10.2.1 20210217
kernel signature: 162295d4afb8b60ba20f974e9a13b1be66197e5ec2b071ba0d7fdbe3b78d6144
all runs: OK
# git bisect good f384221a381751508f390b36d0e51bd5a7beb627
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[0a2f6b32cc45e3918321779fe90c28f1ed27d2af] Merge branch 'mptcp-genl-events'
testing commit 0a2f6b32cc45e3918321779fe90c28f1ed27d2af with gcc (GCC) 10.2.1 20210217
kernel signature: f16c5a992f12c005a5ebe9cbc8d365913112bb3d225ee1a0a004ddf67f3fb1a2
run #0: crashed: general protection fault in mptcp_sendmsg_frag
run #1: crashed: general protection fault in mptcp_sendmsg_frag
run #2: crashed: general protection fault in mptcp_sendmsg_frag
run #3: crashed: general protection fault in mptcp_sendmsg_frag
run #4: crashed: general protection fault in mptcp_sendmsg_frag
run #5: crashed: general protection fault in mptcp_sendmsg_frag
run #6: crashed: general protection fault in mptcp_sendmsg_frag
run #7: crashed: possible deadlock in mptcp_push_pending
run #8: crashed: general protection fault in mptcp_sendmsg_frag
run #9: crashed: general protection fault in mptcp_sendmsg_frag
# git bisect bad 0a2f6b32cc45e3918321779fe90c28f1ed27d2af
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[a141e02e393370e082b25636401c49978b61bfcf] mptcp: split __mptcp_close_ssk helper
testing commit a141e02e393370e082b25636401c49978b61bfcf with gcc (GCC) 10.2.1 20210217
kernel signature: 64456a31e87e3bc84100d034dbf54e697bb6b43a4a29979c591187189cd2ddb4
all runs: OK
# git bisect good a141e02e393370e082b25636401c49978b61bfcf
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[6c714f1b547feb0402520357c91024375a4236f7] mptcp: pass subflow socket to a few helpers
testing commit 6c714f1b547feb0402520357c91024375a4236f7 with gcc (GCC) 10.2.1 20210217
kernel signature: 41a0f487d4ed1e3c4ba34328dcca0627bf67b54b57a22a8bf11c608a75b30cbc
run #0: crashed: general protection fault in mptcp_sendmsg_frag
run #1: crashed: possible deadlock in mptcp_push_pending
run #2: crashed: general protection fault in mptcp_sendmsg_frag
run #3: crashed: general protection fault in mptcp_sendmsg_frag
run #4: crashed: KASAN: use-after-free Read in mptcp_established_options
run #5: crashed: general protection fault in mptcp_sendmsg_frag
run #6: crashed: general protection fault in mptcp_sendmsg_frag
run #7: crashed: general protection fault in mptcp_sendmsg_frag
run #8: crashed: general protection fault in mptcp_sendmsg_frag
run #9: crashed: general protection fault in mptcp_sendmsg_frag
# git bisect bad 6c714f1b547feb0402520357c91024375a4236f7
Bisecting: 0 revisions left to test after this (roughly 1 step)
[b263b0d7d60baecda3c840a0703bb6d511f7ae2d] mptcp: move subflow close loop after sk close check
testing commit b263b0d7d60baecda3c840a0703bb6d511f7ae2d with gcc (GCC) 10.2.1 20210217
kernel signature: 69e299a4e3a7c242c7b4f650dee40af196b9bc1614818a45ad635d1980493e3a
run #0: crashed: general protection fault in mptcp_sendmsg_frag
run #1: crashed: general protection fault in mptcp_sendmsg_frag
run #2: crashed: general protection fault in mptcp_sendmsg_frag
run #3: crashed: general protection fault in mptcp_sendmsg_frag
run #4: crashed: general protection fault in mptcp_sendmsg_frag
run #5: crashed: general protection fault in mptcp_sendmsg_frag
run #6: crashed: general protection fault in mptcp_sendmsg_frag
run #7: crashed: general protection fault in mptcp_sendmsg_frag
run #8: crashed: possible deadlock in mptcp_push_pending
run #9: crashed: general protection fault in mptcp_sendmsg_frag
# git bisect bad b263b0d7d60baecda3c840a0703bb6d511f7ae2d
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[40947e13997a1cba4e875893ca6e5d5e61a0689d] mptcp: schedule worker when subflow is closed
testing commit 40947e13997a1cba4e875893ca6e5d5e61a0689d with gcc (GCC) 10.2.1 20210217
kernel signature: 9870e1d46e1ce9ed0adf109886e109d0ba1d644c3df6c2518600bcf329dd8afa
run #0: crashed: general protection fault in mptcp_sendmsg_frag
run #1: crashed: KASAN: use-after-free Read in tcp_current_mss
run #2: crashed: general protection fault in mptcp_sendmsg_frag
run #3: crashed: general protection fault in mptcp_sendmsg_frag
run #4: crashed: general protection fault in mptcp_sendmsg_frag
run #5: crashed: possible deadlock in mptcp_push_pending
run #6: crashed: general protection fault in mptcp_sendmsg_frag
run #7: crashed: KASAN: use-after-free Read in tcp_current_mss
run #8: crashed: general protection fault in mptcp_sendmsg_frag
run #9: crashed: general protection fault in mptcp_sendmsg_frag
# git bisect bad 40947e13997a1cba4e875893ca6e5d5e61a0689d
40947e13997a1cba4e875893ca6e5d5e61a0689d is the first bad commit
commit 40947e13997a1cba4e875893ca6e5d5e61a0689d
Author: Florian Westphal
Date:   Fri Feb 12 15:59:56 2021 -0800

    mptcp: schedule worker when subflow is closed

    When remote side closes a subflow we should schedule the worker to
    dispose of the subflow in a timely manner.

    Otherwise, SF_CLOSED event won't be generated until the mptcp socket
    itself is closing or local side is closing another subflow.

    Signed-off-by: Florian Westphal
    Signed-off-by: Mat Martineau
    Signed-off-by: David S. Miller

 net/mptcp/protocol.c |  4 ++++
 net/mptcp/subflow.c  | 25 +++++++++++++++++++++++--
 2 files changed, 27 insertions(+), 2 deletions(-)

culprit signature: 9870e1d46e1ce9ed0adf109886e109d0ba1d644c3df6c2518600bcf329dd8afa
parent signature: 64456a31e87e3bc84100d034dbf54e697bb6b43a4a29979c591187189cd2ddb4
revisions tested: 17, total time: 4h20m23.485972184s (build: 1h55m4.445224605s, test: 2h23m59.505634183s)
first bad commit: 40947e13997a1cba4e875893ca6e5d5e61a0689d mptcp: schedule worker when subflow is closed
recipients (to): ["davem@davemloft.net" "fw@strlen.de" "mathew.j.martineau@linux.intel.com"]
recipients (cc): []
crash: general protection fault in mptcp_sendmsg_frag
general protection fault, probably for non-canonical address 0xdffffc0000000007: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]
CPU: 1 PID: 10369 Comm: syz-executor.5 Not tainted 5.11.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:mptcp_sendmsg_frag+0x8df/0x1250 net/mptcp/protocol.c:1330
Code: fc ff df 80 3c 02 00 0f 85 64 07 00 00 4d 8b ac 24 20 07 00 00 48 b8 00 00 00 00 00 fc ff df 49 8d 7d 38 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 83 04 00 00 48 8d 7b 10 41 8b
RSP: 0018:ffffc9000b147818 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffff88803b2bbf10 RCX: 0000000000000000
RDX: 0000000000000007 RSI: 0000000000000000 RDI: 0000000000000038
RBP: ffff88803f3f8720 R08: 0000000000000001 R09: ffff88803b2bbf10
R10: ffffed10076577e4 R11: ffffea0000f10000 R12: ffff88803f3f8000
R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000000
FS:  00007f9c49052700(0000) GS:ffff8880b9f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffc387f6850 CR3: 000000003a526000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 mptcp_push_pending+0x271/0x5e0 net/mptcp/protocol.c:1477
 mptcp_sendmsg+0x1b82/0x2420 net/mptcp/protocol.c:1692
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg+0xab/0xe0 net/socket.c:672
 sock_write_iter+0x211/0x370 net/socket.c:999
 call_write_iter include/linux/fs.h:1901 [inline]
 new_sync_write+0x4ad/0x5f0 fs/read_write.c:518
 vfs_write+0x5be/0x870 fs/read_write.c:605
 ksys_write+0x171/0x1d0 fs/read_write.c:658
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x465d99
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f9c49052188 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 000000000056c008 RCX: 0000000000465d99
RDX: 0000000000000001 RSI: 0000000020000000 RDI: 0000000000000003
RBP: 00000000004bcf27 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056c008
R13: 00007ffd3425746f R14: 00007f9c49052300 R15: 0000000000022000
Modules linked in:
---[ end trace b1d655f4b04cf600 ]---
RIP: 0010:mptcp_sendmsg_frag+0x8df/0x1250 net/mptcp/protocol.c:1330
Code: fc ff df 80 3c 02 00 0f 85 64 07 00 00 4d 8b ac 24 20 07 00 00 48 b8 00 00 00 00 00 fc ff df 49 8d 7d 38 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 83 04 00 00 48 8d 7b 10 41 8b
RSP: 0018:ffffc9000b147818 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffff88803b2bbf10 RCX: 0000000000000000
RDX: 0000000000000007 RSI: 0000000000000000 RDI: 0000000000000038
RBP: ffff88803f3f8720 R08: 0000000000000001 R09: ffff88803b2bbf10
R10: ffffed10076577e4 R11: ffffea0000f10000 R12: ffff88803f3f8000
R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000000
FS:  00007f9c49052700(0000) GS:ffff8880b9f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000053d978 CR3: 000000003a526000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
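The non-canonical address in the oops above, 0xdffffc0000000007, is not the pointer the kernel tried to read; it is the address of the KASAN shadow byte for that pointer, and the "KASAN: null-ptr-deref in range [0x38-0x3f]" line is the kernel's decoding of it. The program below is an added example, not part of the syzbot report or of the kernel, that redoes that decoding. It assumes the x86_64 generic-KASAN layout (shadow offset 0xdffffc0000000000, one shadow byte per 8-byte granule; RAX in the register dump holds exactly that offset, and the instruction bytes before the faulting load compute RDI = R13 + 0x38 and then RDX = RDI >> 3) and the kernel's classification thresholds (first page: null-ptr-deref; below the user/kernel split: probably user-memory-access; otherwise maybe wild-memory-access). The constants PAGE_SIZE and TASK_SIZE_MAX are the usual x86_64 values and are assumptions here, as is the register-consistency helper, which is not a kernel function.

```c
/* kasan_decode.c: recover the originally accessed address from the
 * non-canonical shadow address reported in a KASAN general protection
 * fault, the way the kernel does before printing "KASAN: ... in range".
 * Added example; constants below are the assumed x86_64 generic-KASAN layout. */
#include <stdint.h>
#include <stdio.h>
#include <inttypes.h>

#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL /* value seen in RAX */
#define KASAN_SHADOW_SCALE_SHIFT 3                      /* 8 bytes per shadow byte */
#define KASAN_GRANULE_SIZE       (1ULL << KASAN_SHADOW_SCALE_SHIFT)
#define PAGE_SIZE                4096ULL                /* assumed */
#define TASK_SIZE_MAX            ((1ULL << 47) - PAGE_SIZE) /* assumed, 4-level paging */

enum kasan_fault_kind {
    KASAN_NOT_SHADOW,           /* fault address is outside the shadow region */
    KASAN_NULL_PTR_DEREF,       /* original address lies in the first page */
    KASAN_PROBABLY_USER_ACCESS, /* original address lies in the user range */
    KASAN_MAYBE_WILD_ACCESS     /* original address is kernel or non-canonical */
};

struct kasan_decoded {
    enum kasan_fault_kind kind;
    uint64_t orig_start; /* first byte covered by the faulting shadow byte */
    uint64_t orig_end;   /* last byte covered, inclusive */
};

/* Forward mapping emitted by the instrumented kernel: shadow = (addr >> 3) + offset. */
uint64_t kasan_shadow_addr(uint64_t addr)
{
    return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

/* Inverse mapping plus the kernel's classification of the recovered address. */
struct kasan_decoded kasan_decode_shadow(uint64_t fault_addr)
{
    struct kasan_decoded d = { KASAN_NOT_SHADOW, 0, 0 };
    /* The whole 64-bit address space maps onto 2^61 shadow bytes. */
    uint64_t shadow_end = KASAN_SHADOW_OFFSET + (1ULL << (64 - KASAN_SHADOW_SCALE_SHIFT));

    if (fault_addr < KASAN_SHADOW_OFFSET || fault_addr >= shadow_end)
        return d;

    d.orig_start = (fault_addr - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT;
    d.orig_end = d.orig_start + KASAN_GRANULE_SIZE - 1;

    if (d.orig_start < PAGE_SIZE)
        d.kind = KASAN_NULL_PTR_DEREF;
    else if (d.orig_start < TASK_SIZE_MAX)
        d.kind = KASAN_PROBABLY_USER_ACCESS;
    else
        d.kind = KASAN_MAYBE_WILD_ACCESS;
    return d;
}

const char *kasan_kind_name(enum kasan_fault_kind k)
{
    switch (k) {
    case KASAN_NULL_PTR_DEREF:       return "null-ptr-deref";
    case KASAN_PROBABLY_USER_ACCESS: return "probably user-memory-access";
    case KASAN_MAYBE_WILD_ACCESS:    return "maybe wild-memory-access";
    default:                         return "not a shadow address";
    }
}

/* Consistency check against the register dump (assumed helper, not kernel code):
 * if the fault decodes to a NULL-page access, the base register is zero and the
 * effective-address register falls inside the decoded granule, return the
 * structure field offset that was dereferenced through NULL; otherwise -1. */
int64_t kasan_null_field_offset(uint64_t fault_addr, uint64_t base_reg, uint64_t ea_reg)
{
    struct kasan_decoded d = kasan_decode_shadow(fault_addr);

    if (d.kind != KASAN_NULL_PTR_DEREF || base_reg != 0)
        return -1;
    if (ea_reg < d.orig_start || ea_reg > d.orig_end)
        return -1;
    return (int64_t)(ea_reg - base_reg);
}

int main(void)
{
    /* Values from the report above: faulting address, R13 (base of the
     * "lea 0x38(%r13),%rdi") and RDI (the effective address). */
    uint64_t fault = 0xdffffc0000000007ULL, r13 = 0, rdi = 0x38;
    struct kasan_decoded d = kasan_decode_shadow(fault);
    int64_t off = kasan_null_field_offset(fault, r13, rdi);

    printf("KASAN: %s in range [0x%016" PRIx64 "-0x%016" PRIx64 "]\n",
           kasan_kind_name(d.kind), d.orig_start, d.orig_end);
    if (off >= 0)
        printf("load through a NULL struct pointer, field offset 0x%" PRIx64 "\n",
               (uint64_t)off);
    return 0;
}
```

Run against the values in this report the decoder reproduces the kernel's "[0x38-0x3f]" line, and the register check confirms the fault is a read through a NULL structure pointer at field offset 0x38: R13 (the pointer loaded from 0x720(%r12) just before) is zero, so the bug is a missing NULL check on that pointer rather than a corrupted one.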