bisecting cause commit starting from c392798a85ab955fa9385e84da1a4110d462b7f0
building syzkaller on 8e3c52b11d5d0843be47f41e00c5612ce29811b0
testing commit c392798a85ab955fa9385e84da1a4110d462b7f0 with gcc (GCC) 8.1.0
all runs: crashed: BUG: unable to handle page fault for address = ADDR
testing release v5.0
testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783 with gcc (GCC) 8.1.0
all runs: crashed: BUG: unable to handle kernel paging request in slhc_free
testing release v4.20
testing commit 8fe28cb58bcb235034b64cbbb7550a8a43fd88be with gcc (GCC) 8.1.0
all runs: crashed: BUG: unable to handle kernel paging request in slhc_free
testing release v4.19
testing commit 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d with gcc (GCC) 8.1.0
all runs: basic kernel testing failed: timed out
testing release v4.18
testing commit 94710cac0ef4ee177a63b5227664b38c95bbf703 with gcc (GCC) 8.1.0
all runs: crashed: BUG: unable to handle kernel paging request in slhc_free
testing release v4.17
testing commit 29dcea88779c856c7dc92040a0c01233263101d4 with gcc (GCC) 8.1.0
all runs: crashed: BUG: unable to handle kernel paging request in slhc_free
testing release v4.16
testing commit 0adb32858b0bddf4ada5f364a84ed60b196dbcda with gcc (GCC) 8.1.0
all runs: OK
# git bisect start v4.17 v4.16
Bisecting: 7380 revisions left to test after this (roughly 13 steps)
[97b1255cb27c551d7c3c5c496d787da40772da99] mm,oom_reaper: check for MMF_OOM_SKIP before complaining
testing commit 97b1255cb27c551d7c3c5c496d787da40772da99 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 97b1255cb27c551d7c3c5c496d787da40772da99
Bisecting: 3715 revisions left to test after this (roughly 12 steps)
[5e630afdcb82779f5bf03fd4a5e86adc56fe7c8a] Merge tag 'fbdev-v4.17' of git://github.com/bzolnier/linux
testing commit 5e630afdcb82779f5bf03fd4a5e86adc56fe7c8a with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 5e630afdcb82779f5bf03fd4a5e86adc56fe7c8a
Bisecting: 1873 revisions left to test after this (roughly 11 steps)
[d19efb729f10339f91c35003d480dc718cae3b3c] Merge branch '1GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/jkirsher/net-queue
testing commit d19efb729f10339f91c35003d480dc718cae3b3c with gcc (GCC) 8.1.0
all runs: OK
# git bisect good d19efb729f10339f91c35003d480dc718cae3b3c
Bisecting: 936 revisions left to test after this (roughly 10 steps)
[41e3e1082367221e99a59c8968a583706123ae04] Merge tag 'pm-4.17-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm
testing commit 41e3e1082367221e99a59c8968a583706123ae04 with gcc (GCC) 8.1.0
all runs: crashed: BUG: unable to handle kernel paging request in slhc_free
# git bisect bad 41e3e1082367221e99a59c8968a583706123ae04
Bisecting: 467 revisions left to test after this (roughly 9 steps)
[0d95cfa922c24bcc20b5ccf7496b6ac7c8e29efb] Merge tag 'powerpc-4.17-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux
testing commit 0d95cfa922c24bcc20b5ccf7496b6ac7c8e29efb with gcc (GCC) 8.1.0
all runs: crashed: BUG: unable to handle kernel paging request in slhc_free
# git bisect bad 0d95cfa922c24bcc20b5ccf7496b6ac7c8e29efb
Bisecting: 231 revisions left to test after this (roughly 8 steps)
[7f5d15735588bc14e7c399e7214c0a36f3808dcf] Merge tag 'pci-v4.17-fixes-1' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci
testing commit 7f5d15735588bc14e7c399e7214c0a36f3808dcf with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 7f5d15735588bc14e7c399e7214c0a36f3808dcf
Bisecting: 111 revisions left to test after this (roughly 7 steps)
[7ff5000268355c63dc948ecb01f4de17987586e5] Merge tag 'sound-4.17-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound
testing commit 7ff5000268355c63dc948ecb01f4de17987586e5 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 7ff5000268355c63dc948ecb01f4de17987586e5
Bisecting: 57 revisions left to test after this (roughly 6 steps)
[ee3748be5c18db11f17baebf50405bbebeb85471] Merge tag 'driver-core-4.17-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core
testing commit ee3748be5c18db11f17baebf50405bbebeb85471 with gcc (GCC) 8.1.0
all runs: crashed: BUG: unable to handle kernel paging request in slhc_free
# git bisect bad ee3748be5c18db11f17baebf50405bbebeb85471
Bisecting: 26 revisions left to test after this (roughly 5 steps)
[573a094873752d225041b1059a662eca013a54f4] Merge tag 'usb-serial-4.17-rc3' of https://git.kernel.org/pub/scm/linux/kernel/git/johan/usb-serial into usb-linus
testing commit 573a094873752d225041b1059a662eca013a54f4 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 573a094873752d225041b1059a662eca013a54f4
Bisecting: 13 revisions left to test after this (roughly 4 steps)
[66dd99c2033684169f04068f66c7f83f7da229b8] tty: serial: xuartps: Setup early console when uartclk is also passed
testing commit 66dd99c2033684169f04068f66c7f83f7da229b8 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 66dd99c2033684169f04068f66c7f83f7da229b8
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[b93815d0f37e7c4a056a143e6d782abc084ea56b] firmware: some documentation fixes
testing commit b93815d0f37e7c4a056a143e6d782abc084ea56b with gcc (GCC) 8.1.0
all runs: OK
# git bisect good b93815d0f37e7c4a056a143e6d782abc084ea56b
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[79a17dd9d2491443a0d03745adbb3d76ab97a356] Merge tag 'staging-4.17-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging
testing commit 79a17dd9d2491443a0d03745adbb3d76ab97a356 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 79a17dd9d2491443a0d03745adbb3d76ab97a356
Bisecting: 0 revisions left to test after this (roughly 1 step)
[b52c85a7b78938cbb44eb3c536f5f70426a238ae] Merge tag 'tty-4.17-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty
testing commit b52c85a7b78938cbb44eb3c536f5f70426a238ae with gcc (GCC) 8.1.0
run #0: basic kernel testing failed: timed out
run #1: crashed: BUG: unable to handle kernel paging request in slhc_free
run #2: crashed: BUG: unable to handle kernel paging request in slhc_free
run #3: crashed: BUG: unable to handle kernel paging request in slhc_free
run #4: crashed: BUG: unable to handle kernel paging request in slhc_free
run #5: crashed: BUG: unable to handle kernel paging request in slhc_free
run #6: crashed: BUG: unable to handle kernel paging request in slhc_free
run #7: crashed: BUG: unable to handle kernel paging request in slhc_free
run #8: crashed: BUG: unable to handle kernel paging request in slhc_free
run #9: crashed: BUG: unable to handle kernel paging request in slhc_free
# git bisect bad b52c85a7b78938cbb44eb3c536f5f70426a238ae
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[bcdd0ca8cb8730573afebcaae4138f8f4c8eaa20] tty: Use __GFP_NOFAIL for tty_ldisc_get()
testing commit bcdd0ca8cb8730573afebcaae4138f8f4c8eaa20 with gcc (GCC) 8.1.0
all runs: crashed: BUG: unable to handle kernel paging request in slhc_free
# git bisect bad bcdd0ca8cb8730573afebcaae4138f8f4c8eaa20
bcdd0ca8cb8730573afebcaae4138f8f4c8eaa20 is the first bad commit
commit bcdd0ca8cb8730573afebcaae4138f8f4c8eaa20
Author: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Date:   Wed Apr 25 20:12:31 2018 +0900

    tty: Use __GFP_NOFAIL for tty_ldisc_get()
    
    syzbot is reporting crashes triggered by memory allocation fault injection
    at tty_ldisc_get() [1]. As an attempt to handle OOM in a graceful way, we
    have tried commit 5362544bebe85071 ("tty: don't panic on OOM in
    tty_set_ldisc()"). But we reverted that attempt by commit a8983d01f9b7d600
    ("Revert "tty: don't panic on OOM in tty_set_ldisc()"") due to reproducible
    crash. We should spend resource for finding and fixing race condition bugs
    rather than complicate error paths for 2 * sizeof(void *) bytes allocation
    failure.
    
    [1] https://syzkaller.appspot.com/bug?id=489d33fa386453859ead58ff5171d43772b13aa3
    
    Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
    Reported-by: syzbot <syzbot+40b7287c2dc987c48c81@syzkaller.appspotmail.com>
    Cc: Michal Hocko <mhocko@suse.com>
    Cc: Vegard Nossum <vegard.nossum@gmail.com>
    Cc: Dmitry Vyukov <dvyukov@google.com>
    Cc: Jiri Slaby <jslaby@suse.com>
    Cc: Peter Hurley <peter@hurleysoftware.com>
    Cc: One Thousand Gnomes <gnomes@lxorguk.ukuu.org.uk>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

:040000 040000 57e90a4b9d506cf1f8adad06b1a51722234584b8 55e9da31a5a364af7504d44f7813ecf6caf6824a M	drivers
revisions tested: 21, total time: 4h53m49.664211986s (build: 1h58m31.433292961s, test: 2h48m18.616080104s)
first bad commit: bcdd0ca8cb8730573afebcaae4138f8f4c8eaa20 tty: Use __GFP_NOFAIL for tty_ldisc_get()
cc: ["dvyukov@google.com" "gnomes@lxorguk.ukuu.org.uk" "gregkh@linuxfoundation.org" "jslaby@suse.com" "mhocko@suse.com" "penguin-kernel@i-love.sakura.ne.jp" "peter@hurleysoftware.com" "torvalds@linux-foundation.org" "vegard.nossum@gmail.com"]
crash: BUG: unable to handle kernel paging request in slhc_free
RAX: ffffffffffffffda RBX: 00007ff089692c90 RCX: 0000000000458d99
RDX: 0000000020000140 RSI: 0000000000005423 RDI: 0000000000000003
RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ff0896936d4
R13: 00000000004c31f5 R14: 00000000004d6588 R15: 0000000000000004
BUG: unable to handle kernel paging request at fffffffffffffff4
PGD 7a6d067 P4D 7a6d067 PUD 7a6f067 PMD 0 
Oops: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 0 PID: 6866 Comm: syz-executor.1 Not tainted 4.17.0-rc1+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:slhc_free+0x24/0x80 drivers/net/slip/slhc.c:159
RSP: 0018:ffff88008d8579b8 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: fffffffffffffff4 RCX: 1ffff1001152d545
RDX: 1ffffffffffffffe RSI: ffff88008a96aa08 RDI: fffffffffffffff4
RBP: ffff88008d8579c0 R08: ffff88008a96aa28 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 1ffff10011b0af43
R13: ffff88008a56d780 R14: ffff88008a56ccc0 R15: fffffffffffffff4
FS:  00007ff089693700(0000) GS:ffff8800aec00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffffffffffff4 CR3: 000000008a80d000 CR4: 00000000001406f0
Call Trace:
 sl_alloc_bufs drivers/net/slip/slip.c:197 [inline]
 slip_open+0xcea/0x1092 drivers/net/slip/slip.c:822
 tty_ldisc_open.isra.1+0x64/0xa0 drivers/tty/tty_ldisc.c:466
 tty_set_ldisc+0x252/0x5b0 drivers/tty/tty_ldisc.c:591
 tiocsetd drivers/tty/tty_io.c:2336 [inline]
 tty_ioctl+0x31e/0x12a0 drivers/tty/tty_io.c:2580
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:500 [inline]
 do_vfs_ioctl+0x199/0x1000 fs/ioctl.c:684
 ksys_ioctl+0x62/0x90 fs/ioctl.c:701
 __do_sys_ioctl fs/ioctl.c:708 [inline]
 __se_sys_ioctl fs/ioctl.c:706 [inline]
 __x64_sys_ioctl+0x6e/0xb0 fs/ioctl.c:706
 do_syscall_64+0xd6/0x4e0 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x458d99
RSP: 002b:00007ff089692c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007ff089692c90 RCX: 0000000000458d99
RDX: 0000000020000140 RSI: 0000000000005423 RDI: 0000000000000003
RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ff0896936d4
R13: 00000000004c31f5 R14: 00000000004d6588 R15: 0000000000000004
Code: 1f 84 00 00 00 00 00 48 85 ff 74 60 48 b8 00 00 00 00 00 fc ff df 48 89 fa 55 48 c1 ea 03 48 89 e5 53 48 89 fb 80 3c 02 00 75 42 <48> 8b 3b 48 85 ff 74 05 e8 9f 67 9c fd 48 8d 7b 08 48 b8 00 00 
RIP: slhc_free+0x24/0x80 drivers/net/slip/slhc.c:159 RSP: ffff88008d8579b8
CR2: fffffffffffffff4
---[ end trace 6106a119c258341d ]---