bisecting cause commit starting from 8f8972a3127ff46df62ae30057d29606968ec4aa
building syzkaller on 0342f8c7bc656ea8ee3c45e49edeb4ee9cc12cce
testing commit 8f8972a3127ff46df62ae30057d29606968ec4aa with gcc (GCC) 8.1.0
kernel signature: ea04eadabf830f46f7364b2e8be62931af73d303
all runs: crashed: KASAN: use-after-free Read in bitmap_ip_ext_cleanup
testing release v5.4
testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0
kernel signature: c664d8e2a0290c6fccaacf025e853aa055a928ea
all runs: crashed: KASAN: use-after-free Read in bitmap_ip_ext_cleanup
testing release v5.3
testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.1.0
kernel signature: 3f3cc7cac5b19de91251e078e0b5f393e1d1ab03
all runs: crashed: KASAN: use-after-free Read in bitmap_ip_ext_cleanup
testing release v5.2
testing commit 0ecfebd2b52404ae0c54a878c872bb93363ada36 with gcc (GCC) 8.1.0
kernel signature: b9c59587a09679f631df74f651a409f349f9aa08
all runs: OK
# git bisect start 4d856f72c10ecb060868ed10ff1b1453943fc6c8 0ecfebd2b52404ae0c54a878c872bb93363ada36
Bisecting: 7848 revisions left to test after this (roughly 13 steps)
[43c95d3694cc448fdf50bd53b7ff3a5bb4655883] Merge tag 'pinctrl-v5.3-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl
testing commit 43c95d3694cc448fdf50bd53b7ff3a5bb4655883 with gcc (GCC) 8.1.0
kernel signature: 910b7eda1310f5923eb6f74b6d0eef62cda26706
all runs: crashed: KASAN: use-after-free Read in bitmap_ip_ext_cleanup
# git bisect bad 43c95d3694cc448fdf50bd53b7ff3a5bb4655883
Bisecting: 4619 revisions left to test after this (roughly 12 steps)
[8f6ccf6159aed1f04c6d179f61f6fb2691261e84] Merge tag 'clone3-v5.3' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux
testing commit 8f6ccf6159aed1f04c6d179f61f6fb2691261e84 with gcc (GCC) 8.1.0
kernel signature: 9823c4a41f553d9737a5e56e4f8f924a90beb6c9
all runs: OK
# git bisect good 8f6ccf6159aed1f04c6d179f61f6fb2691261e84
Bisecting: 2306 revisions left to test after this (roughly 11 steps)
[753c8d9b7d81206bb5d011b28abe829d364b028e] Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
testing commit 753c8d9b7d81206bb5d011b28abe829d364b028e with gcc (GCC) 8.1.0
kernel signature: b56241a5cebfe78dbd5143b58906f07a10dfd6fb
run #0: crashed: general protection fault in send_hsr_supervision_frame
run #1: crashed: general protection fault in send_hsr_supervision_frame
run #2: crashed: general protection fault in send_hsr_supervision_frame
run #3: crashed: general protection fault in send_hsr_supervision_frame
run #4: crashed: general protection fault in send_hsr_supervision_frame
run #5: crashed: general protection fault in send_hsr_supervision_frame
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 753c8d9b7d81206bb5d011b28abe829d364b028e
Bisecting: 1156 revisions left to test after this (roughly 10 steps)
[2f9b0d93a9d3ec64558537ab5d7cff820886afa4] net: ethernet: ti: cpsw: Fix suspend/resume break
testing commit 2f9b0d93a9d3ec64558537ab5d7cff820886afa4 with gcc (GCC) 8.1.0
kernel signature: 9afc60f879e7fa9b0fb3dba6b49dc6c75f66ebf4
all runs: OK
# git bisect good 2f9b0d93a9d3ec64558537ab5d7cff820886afa4
Bisecting: 578 revisions left to test after this (roughly 9 steps)
[354d0fab649d47045517cf7cae03d653a4dcb3b8] net: hns3: add default value for tc_size and tc_offset
testing commit 354d0fab649d47045517cf7cae03d653a4dcb3b8 with gcc (GCC) 8.1.0
kernel signature: 88617d4999fedd45fedf8988447cf6c88a65c31c
run #0: crashed: general protection fault in batadv_iv_ogm_queue_add
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 354d0fab649d47045517cf7cae03d653a4dcb3b8
Bisecting: 288 revisions left to test after this (roughly 8 steps)
[3a49584477ff4c8838833be9f3b7cc13f0f7c0d3] Merge branch 'nfp-extend-flower-capabilities-for-GRE-tunnel-offload'
testing commit 3a49584477ff4c8838833be9f3b7cc13f0f7c0d3 with gcc (GCC) 8.1.0
kernel signature: 70d389155b5697bea7956f7ebd419fcc684efb2a
all runs: OK
# git bisect good 3a49584477ff4c8838833be9f3b7cc13f0f7c0d3
Bisecting: 144 revisions left to test after this (roughly 7 steps)
[a773c76cb8491d1ae337b7073be7a263dff4b9b6] mlxsw: spectrum: PTP: Configure PTP traps and FIFO events
testing commit a773c76cb8491d1ae337b7073be7a263dff4b9b6 with gcc (GCC) 8.1.0
kernel signature: b6cb0f2e83ce7b6afcb47884317d4685d6127e90
all runs: OK
# git bisect good a773c76cb8491d1ae337b7073be7a263dff4b9b6
Bisecting: 84 revisions left to test after this (roughly 6 steps)
[e5a3e259ef239f443951d401db10db7d426c9497] Merge branch 'bpf-tcp-rtt-hook'
testing commit e5a3e259ef239f443951d401db10db7d426c9497 with gcc (GCC) 8.1.0
kernel signature: 22df816401bb15e89ad02d6266982f847c009155
all runs: OK
# git bisect good e5a3e259ef239f443951d401db10db7d426c9497
Bisecting: 42 revisions left to test after this (roughly 5 steps)
[2559d7c4dd0eb17e6454fc7f52f9c5ea63a272df] qlcnic: remove redundant assignment to variable err
testing commit 2559d7c4dd0eb17e6454fc7f52f9c5ea63a272df with gcc (GCC) 8.1.0
kernel signature: 6e48c74d780db6bb208c29621ddefd85de971e66
all runs: OK
# git bisect good 2559d7c4dd0eb17e6454fc7f52f9c5ea63a272df
Bisecting: 20 revisions left to test after this (roughly 5 steps)
[e3b60ffbc16feeb007d07b2b7d1da4304e98c1a3] Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next
testing commit e3b60ffbc16feeb007d07b2b7d1da4304e98c1a3 with gcc (GCC) 8.1.0
kernel signature: 8454cf1b0b19361b837a357e2272c2f0657594b6
all runs: OK
# git bisect good e3b60ffbc16feeb007d07b2b7d1da4304e98c1a3
Bisecting: 10 revisions left to test after this (roughly 3 steps)
[eceed3b1453d4115b4256ea1d24fab7b6eb7ba1f] mlxsw: spectrum_ptp: Enable/disable PTP shaper on a port when getting HWTSTAMP on/off
testing commit eceed3b1453d4115b4256ea1d24fab7b6eb7ba1f with gcc (GCC) 8.1.0
kernel signature: ffee04e3a4af9091f71bf6f4bc6029236bb7bd33
all runs: OK
# git bisect good eceed3b1453d4115b4256ea1d24fab7b6eb7ba1f
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[2d5066fc175ea77a733d84df9ef414b34f311641] net: hns3: enable broadcast promisc mode when initializing VF
testing commit 2d5066fc175ea77a733d84df9ef414b34f311641 with gcc (GCC) 8.1.0
kernel signature: 4ba3e7291f0c953f751b9880c46ea4b9bfade3fd
all runs: OK
# git bisect good 2d5066fc175ea77a733d84df9ef414b34f311641
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[9e1511fb8091e3f5b23bb21f32e9394bedc6c34e] net: hns3: add all IMP return code
testing commit 9e1511fb8091e3f5b23bb21f32e9394bedc6c34e with gcc (GCC) 8.1.0
kernel signature: e73d16c1a6fe30feaa1dcbf305d0586b0a0895a0
all runs: OK
# git bisect good 9e1511fb8091e3f5b23bb21f32e9394bedc6c34e
Bisecting: 0 revisions left to test after this (roughly 1 step)
[0bae5cf25d66156ae3eb9ca20a1ad9bc4aa35a6d] net: hns3: check msg_data before memcpy in hclgevf_send_mbx_msg
testing commit 0bae5cf25d66156ae3eb9ca20a1ad9bc4aa35a6d with gcc (GCC) 8.1.0
kernel signature: 689b32be5fc83ba5d4e20c4c7ab8bf88b48e3738
all runs: OK
# git bisect good 0bae5cf25d66156ae3eb9ca20a1ad9bc4aa35a6d
354d0fab649d47045517cf7cae03d653a4dcb3b8 is the first bad commit
commit 354d0fab649d47045517cf7cae03d653a4dcb3b8
Author: Peng Li <lipeng321@huawei.com>
Date:   Thu Jul 4 22:04:26 2019 +0800

    net: hns3: add default value for tc_size and tc_offset
    
    This patch adds default value for tc_size and tc_offset, or it may
    get random value and used later.
    
    Signed-off-by: Peng Li <lipeng321@huawei.com>
    Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
culprit signature: 88617d4999fedd45fedf8988447cf6c88a65c31c
parent  signature: 689b32be5fc83ba5d4e20c4c7ab8bf88b48e3738
revisions tested: 18, total time: 4h44m2.580955637s (build: 1h51m53.778621488s, test: 2h50m49.128021543s)
first bad commit: 354d0fab649d47045517cf7cae03d653a4dcb3b8 net: hns3: add default value for tc_size and tc_offset
cc: ["davem@davemloft.net" "lipeng321@huawei.com" "tanhuazhong@huawei.com"]
crash: general protection fault in batadv_iv_ogm_queue_add
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 7880 Comm: kworker/u4:5 Not tainted 5.2.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: bat_events batadv_iv_send_outstanding_bat_ogm_packet
RIP: 0010:batadv_iv_ogm_queue_add+0x9b/0xe50 net/batman-adv/bat_iv_ogm.c:599
Code: 44 89 8d 64 ff ff ff c7 02 f1 f1 f1 f1 c7 42 04 04 f2 f2 f2 48 89 fa 65 48 8b 0c 25 28 00 00 00 48 89 4d d0 31 c9 48 c1 ea 03 <0f> b6 04 02 48 89 fa 83 e2 07 38 d0 7f 08 84 c0 0f 85 a2 0b 00 00
RSP: 0018:ffff888089217ab8 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffff8880a7e2e040 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: ffff888089217bd0 R08: ffff88807755fd40 R09: 0000000000000001
R10: ffffed1011242f8f R11: 0000000000000003 R12: 0000000000000007
R13: ffff88807755fd68 R14: ffff88807755fd40 R15: 000000000000003c
FS:  0000000000000000(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffdca54d9b4 CR3: 00000000924eb000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 batadv_iv_ogm_schedule+0xb60/0xe90 net/batman-adv/bat_iv_ogm.c:807
 batadv_iv_send_outstanding_bat_ogm_packet+0x4a2/0x790 net/batman-adv/bat_iv_ogm.c:1669
 process_one_work+0x830/0x16a0 kernel/workqueue.c:2269
 worker_thread+0x85/0xb60 kernel/workqueue.c:2415
 kthread+0x324/0x3e0 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
Modules linked in:
---[ end trace f21023ca6e000e65 ]---
RIP: 0010:batadv_iv_ogm_queue_add+0x9b/0xe50 net/batman-adv/bat_iv_ogm.c:599
Code: 44 89 8d 64 ff ff ff c7 02 f1 f1 f1 f1 c7 42 04 04 f2 f2 f2 48 89 fa 65 48 8b 0c 25 28 00 00 00 48 89 4d d0 31 c9 48 c1 ea 03 <0f> b6 04 02 48 89 fa 83 e2 07 38 d0 7f 08 84 c0 0f 85 a2 0b 00 00
RSP: 0018:ffff888089217ab8 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffff8880a7e2e040 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: ffff888089217bd0 R08: ffff88807755fd40 R09: 0000000000000001
R10: ffffed1011242f8f R11: 0000000000000003 R12: 0000000000000007
R13: ffff88807755fd68 R14: ffff88807755fd40 R15: 000000000000003c
FS:  0000000000000000(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffff600400 CR3: 00000000924eb000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400