bisecting cause commit starting from af8f3fb7fb077c9df9fed97113a031e792163def
building syzkaller on 13427bd9a952fddd2f59aaca90a76fe209f6c9c9
testing commit af8f3fb7fb077c9df9fed97113a031e792163def with gcc (GCC) 8.1.0
all runs: crashed: kernel BUG at include/linux/scatterlist.h:LINE!
testing release v5.1
testing commit e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd with gcc (GCC) 8.1.0
all runs: OK
# git bisect start af8f3fb7fb077c9df9fed97113a031e792163def v5.1
Bisecting: 6409 revisions left to test after this (roughly 13 steps)
[8c79f4cd441b27df6cadd11b70a50e06b3b3a2bf] Merge tag 'docs-5.2' of git://git.lwn.net/linux
testing commit 8c79f4cd441b27df6cadd11b70a50e06b3b3a2bf with gcc (GCC) 8.1.0
all runs: crashed: kernel BUG at include/linux/scatterlist.h:LINE!
# git bisect bad 8c79f4cd441b27df6cadd11b70a50e06b3b3a2bf
Bisecting: 3195 revisions left to test after this (roughly 12 steps)
[67a242223958d628f0ba33283668e3ddd192d057] Merge tag 'for-5.2/block-20190507' of git://git.kernel.dk/linux-block
testing commit 67a242223958d628f0ba33283668e3ddd192d057 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 67a242223958d628f0ba33283668e3ddd192d057
Bisecting: 1634 revisions left to test after this (roughly 11 steps)
[64439f8f0bc4e9da1c6cb31c2ee642e3139f5731] ice: Disable sniffing VF traffic on PF
testing commit 64439f8f0bc4e9da1c6cb31c2ee642e3139f5731 with gcc (GCC) 8.1.0
failed to run ["make" "bzImage" "-j" "64" "CC=/syzkaller/bisect_bin/gcc-8.1.0/bin/gcc"]: exit status 2
# git bisect skip 64439f8f0bc4e9da1c6cb31c2ee642e3139f5731
Bisecting: 1634 revisions left to test after this (roughly 11 steps)
[173584cbdc289a13918071737589787d039df5fd] docs/zh_CN: add license-rules Chinese translation
testing commit 173584cbdc289a13918071737589787d039df5fd with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 173584cbdc289a13918071737589787d039df5fd
Bisecting: 1565 revisions left to test after this (roughly 11 steps)
[92724071aac8a98b5ae9a60668404428587d8e65] mt76usb: change mt76u_fill_rx_sg arguments
testing commit 92724071aac8a98b5ae9a60668404428587d8e65 with gcc (GCC) 8.1.0
failed to run ["make" "bzImage" "-j" "64" "CC=/syzkaller/bisect_bin/gcc-8.1.0/bin/gcc"]: exit status 2
# git bisect skip 92724071aac8a98b5ae9a60668404428587d8e65
Bisecting: 1565 revisions left to test after this (roughly 11 steps)
[70a7f8be85986a3c2ffc7274c41b89552dfe2ad0] usb: gadget: atmel: support USB suspend
testing commit 70a7f8be85986a3c2ffc7274c41b89552dfe2ad0 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 70a7f8be85986a3c2ffc7274c41b89552dfe2ad0
Bisecting: 1541 revisions left to test after this (roughly 11 steps)
[05d7f547bea1872e711ee97bd46aace6cf61c42b] genetlink: do not validate dump requests if there is no policy
testing commit 05d7f547bea1872e711ee97bd46aace6cf61c42b with gcc (GCC) 8.1.0
failed to run ["make" "bzImage" "-j" "64" "CC=/syzkaller/bisect_bin/gcc-8.1.0/bin/gcc"]: exit status 2
# git bisect skip 05d7f547bea1872e711ee97bd46aace6cf61c42b
Bisecting: 1541 revisions left to test after this (roughly 11 steps)
[ccdd85d518d8b9320ace1d87271f0ba2175f21fa] media: ov6650: Move v4l2_clk_get() to ov6650_video_probe() helper
testing commit ccdd85d518d8b9320ace1d87271f0ba2175f21fa with gcc (GCC) 8.1.0
all runs: OK
# git bisect good ccdd85d518d8b9320ace1d87271f0ba2175f21fa
Bisecting: 1457 revisions left to test after this (roughly 11 steps)
[0bac1194539753eca1c0fd9aca7a1764356bdc9f] net/mlx5e: Replace TC VLAN pop with VLAN 0 rewrite in prio tag mode
testing commit 0bac1194539753eca1c0fd9aca7a1764356bdc9f with gcc (GCC) 8.1.0
failed to run ["make" "bzImage" "-j" "64" "CC=/syzkaller/bisect_bin/gcc-8.1.0/bin/gcc"]: exit status 2
# git bisect skip 0bac1194539753eca1c0fd9aca7a1764356bdc9f
Bisecting: 1457 revisions left to test after this (roughly 11 steps)
[dbdf0760990583649bfaca75fd98f76afd5f3905] parisc: Switch from DISCONTIGMEM to SPARSEMEM
testing commit dbdf0760990583649bfaca75fd98f76afd5f3905 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good dbdf0760990583649bfaca75fd98f76afd5f3905
Bisecting: 1448 revisions left to test after this (roughly 11 steps)
[0c2561c81f5d089781f7cb24b8ce9e52ac716f61] ice: Use ice_for_each_q_vector macro where possible
testing commit 0c2561c81f5d089781f7cb24b8ce9e52ac716f61 with gcc (GCC) 8.1.0
failed to run ["make" "bzImage" "-j" "64" "CC=/syzkaller/bisect_bin/gcc-8.1.0/bin/gcc"]: exit status 2
# git bisect skip 0c2561c81f5d089781f7cb24b8ce9e52ac716f61
Bisecting: 1448 revisions left to test after this (roughly 11 steps)
[3dd3e236d79362ebfd9f36fb18d1d5b29800f953] net: aquantia: add link interrupt fields
testing commit 3dd3e236d79362ebfd9f36fb18d1d5b29800f953 with gcc (GCC) 8.1.0
failed to run ["make" "bzImage" "-j" "64" "CC=/syzkaller/bisect_bin/gcc-8.1.0/bin/gcc"]: exit status 2
# git bisect skip 3dd3e236d79362ebfd9f36fb18d1d5b29800f953
Bisecting: 1448 revisions left to test after this (roughly 11 steps)
[f79c957a0b537d6871a8aa195d5b5bcc7e480957] drivers: net: sfc: use netdev_xmit_more helper
testing commit f79c957a0b537d6871a8aa195d5b5bcc7e480957 with gcc (GCC) 8.1.0
all runs: crashed: kernel BUG at include/linux/scatterlist.h:LINE!
# git bisect bad f79c957a0b537d6871a8aa195d5b5bcc7e480957
Bisecting: 186 revisions left to test after this (roughly 8 steps)
[6146dd453e235c487d85ae4dc6cc08978a1c890f] net: dsa: Avoid null pointer when failing to connect to PHY
testing commit 6146dd453e235c487d85ae4dc6cc08978a1c890f with gcc (GCC) 8.1.0
all runs: crashed: kernel BUG at include/linux/scatterlist.h:LINE!
# git bisect bad 6146dd453e235c487d85ae4dc6cc08978a1c890f
Bisecting: 93 revisions left to test after this (roughly 7 steps)
[f48ef4d5b083c9273d754246e2220d98f3aedd7d] net: sched: flower: add reference counter to flower mask
testing commit f48ef4d5b083c9273d754246e2220d98f3aedd7d with gcc (GCC) 8.1.0
all runs: crashed: kernel BUG at include/linux/scatterlist.h:LINE!
# git bisect bad f48ef4d5b083c9273d754246e2220d98f3aedd7d
Bisecting: 43 revisions left to test after this (roughly 6 steps)
[0b8515eddbd82f4aa3ad966aa4e6e708af461cc4] Merge branch '100GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/jkirsher/next-queue
testing commit 0b8515eddbd82f4aa3ad966aa4e6e708af461cc4 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 0b8515eddbd82f4aa3ad966aa4e6e708af461cc4
Bisecting: 21 revisions left to test after this (roughly 5 steps)
[c7a1ce397adacaf5d4bb2eab0a738b5f80dc3e43] ipv6: Change addrconf_f6i_alloc to use ip6_route_info_create
testing commit c7a1ce397adacaf5d4bb2eab0a738b5f80dc3e43 with gcc (GCC) 8.1.0
all runs: crashed: kernel BUG at include/linux/scatterlist.h:LINE!
# git bisect bad c7a1ce397adacaf5d4bb2eab0a738b5f80dc3e43
Bisecting: 10 revisions left to test after this (roughly 4 steps)
[4bd97d51a5e602ea1fbdab8c2d653513dea17115] net: dev: rename queue selection helpers.
testing commit 4bd97d51a5e602ea1fbdab8c2d653513dea17115 with gcc (GCC) 8.1.0
all runs: crashed: kernel BUG at include/linux/scatterlist.h:LINE!
# git bisect bad 4bd97d51a5e602ea1fbdab8c2d653513dea17115
Bisecting: 4 revisions left to test after this (roughly 3 steps)
[1bfe45f4ae81dc961b4bcb2ce6860c4ee1af621a] net: bridge: use eth_broadcast_addr() to assign broadcast address
testing commit 1bfe45f4ae81dc961b4bcb2ce6860c4ee1af621a with gcc (GCC) 8.1.0
all runs: crashed: kernel BUG at include/linux/scatterlist.h:LINE!
# git bisect bad 1bfe45f4ae81dc961b4bcb2ce6860c4ee1af621a
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[1e614b5086ee8b2287238f74a9fa6d7935084a3c] net: phy: aquantia: check for changed interface mode in read_status
testing commit 1e614b5086ee8b2287238f74a9fa6d7935084a3c with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 1e614b5086ee8b2287238f74a9fa6d7935084a3c
Bisecting: 1 revision left to test after this (roughly 1 step)
[6a23c0a6af98c927f387353a219c1f5664bb3d5b] Merge branch 'net-phy-aquantia-add-interface-mode-handling'
testing commit 6a23c0a6af98c927f387353a219c1f5664bb3d5b with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 6a23c0a6af98c927f387353a219c1f5664bb3d5b
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[f295b3ae9f5927e084bd5decdff82390e3471801] net/tls: Add support of AES128-CCM based ciphers
testing commit f295b3ae9f5927e084bd5decdff82390e3471801 with gcc (GCC) 8.1.0
all runs: crashed: kernel BUG at include/linux/scatterlist.h:LINE!
# git bisect bad f295b3ae9f5927e084bd5decdff82390e3471801
f295b3ae9f5927e084bd5decdff82390e3471801 is the first bad commit
commit f295b3ae9f5927e084bd5decdff82390e3471801
Author: Vakul Garg <vakul.garg@nxp.com>
Date:   Wed Mar 20 02:03:36 2019 +0000

    net/tls: Add support of AES128-CCM based ciphers
    
    Added support for AES128-CCM based record encryption. AES128-CCM is
    similar to AES128-GCM. Both of them have same salt/iv/mac size. The
    notable difference between the two is that while invoking AES128-CCM
    operation, the salt||nonce (which is passed as IV) has to be prefixed
    with a hardcoded value '2'. Further, CCM implementation in kernel
    requires IV passed in crypto_aead_request() to be full '16' bytes.
    Therefore, the record structure 'struct tls_rec' has been modified to
    reserve '16' bytes for IV. This works for both GCM and CCM based cipher.
    
    Signed-off-by: Vakul Garg <vakul.garg@nxp.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

:040000 040000 bc2a744ab8efea34a5de925f062c3c938a9bcf8a 4c642191d34551f7ff1e472169d6acb027d596b6 M	include
:040000 040000 affa7e9c5f83d09e9502d692faf9704b8816b3dd 5f3c2871d6f5744f3698d5c23a76286774daf412 M	net
revisions tested: 24, total time: 5h20m58.38267174s (build: 2h48m17.273841921s, test: 2h22m53.733366237s)
first bad commit: f295b3ae9f5927e084bd5decdff82390e3471801 net/tls: Add support of AES128-CCM based ciphers
cc: ["aviadye@mellanox.com" "borisp@mellanox.com" "daniel@iogearbox.net" "davejwatson@fb.com" "davem@davemloft.net" "john.fastabend@gmail.com" "linux-kernel@vger.kernel.org" "netdev@vger.kernel.org" "vakul.garg@nxp.com"]
crash: kernel BUG at include/linux/scatterlist.h:LINE!
------------[ cut here ]------------
kernel BUG at include/linux/scatterlist.h:97!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 7143 Comm: syz-executor.3 Not tainted 5.0.0+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:sg_assign_page include/linux/scatterlist.h:97 [inline]
RIP: 0010:sg_set_page include/linux/scatterlist.h:119 [inline]
RIP: 0010:sk_msg_page_add include/linux/skmsg.h:246 [inline]
RIP: 0010:tls_sw_do_sendpage net/tls/tls_sw.c:1161 [inline]
RIP: 0010:tls_sw_sendpage+0xa09/0xf10 net/tls/tls_sw.c:1220
Code: 89 df e8 8a 01 ff ff 85 c0 41 89 c6 0f 84 f3 f7 ff ff e9 35 ff ff ff 48 c7 c6 00 b2 7e 87 48 89 d7 e8 eb a9 ea fb 0f 0b 0f 0b <0f> 0b 45 31 f6 e9 18 ff ff ff 83 85 b4 fe ff ff 01 e9 86 fd ff ff
RSP: 0018:ffff888099ba7978 EFLAGS: 00010202
RAX: 0000000000000000 RBX: ffff888093986c00 RCX: ffff88808d922c48
RDX: 0000000000000004 RSI: 0000000000000001 RDI: 0000000000000001
RBP: ffff888099ba7ae0 R08: fffff940004ad237 R09: 0000000000000004
R10: ffff88808d922ba0 R11: ffffea00025691b7 R12: dffffc0000000000
R13: 0000000000000000 R14: ffff88808d922bac R15: ffff88808d922b80
FS:  00007fd798783700(0000) GS:ffff8880aeb00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f53f08bf000 CR3: 000000008edc3000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 inet_sendpage+0x122/0x600 net/ipv4/af_inet.c:815
 kernel_sendpage+0x60/0xd0 net/socket.c:3643
 sock_sendpage+0x6d/0xd0 net/socket.c:934
 pipe_to_sendpage+0x212/0x430 fs/splice.c:448
 splice_from_pipe_feed fs/splice.c:499 [inline]
 __splice_from_pipe+0x2c6/0x720 fs/splice.c:623
 splice_from_pipe+0xbb/0x120 fs/splice.c:658
 generic_splice_sendpage+0x10/0x20 fs/splice.c:828
 do_splice_from fs/splice.c:847 [inline]
 do_splice+0x5a2/0x12f0 fs/splice.c:1154
 __do_sys_splice fs/splice.c:1424 [inline]
 __se_sys_splice fs/splice.c:1404 [inline]
 __x64_sys_splice+0x248/0x300 fs/splice.c:1404
 do_syscall_64+0xd0/0x4d0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x459279
Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fd798782c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
RAX: ffffffffffffffda RBX: 00007fd798782c90 RCX: 0000000000459279
RDX: 0000000000000004 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 000000000075bf20 R08: 0000000100000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fd7987836d4
R13: 00000000004c84f1 R14: 00000000004de010 R15: 0000000000000005
Modules linked in:
---[ end trace 9709615ad291bc60 ]---
RIP: 0010:sg_assign_page include/linux/scatterlist.h:97 [inline]
RIP: 0010:sg_set_page include/linux/scatterlist.h:119 [inline]
RIP: 0010:sk_msg_page_add include/linux/skmsg.h:246 [inline]
RIP: 0010:tls_sw_do_sendpage net/tls/tls_sw.c:1161 [inline]
RIP: 0010:tls_sw_sendpage+0xa09/0xf10 net/tls/tls_sw.c:1220
Code: 89 df e8 8a 01 ff ff 85 c0 41 89 c6 0f 84 f3 f7 ff ff e9 35 ff ff ff 48 c7 c6 00 b2 7e 87 48 89 d7 e8 eb a9 ea fb 0f 0b 0f 0b <0f> 0b 45 31 f6 e9 18 ff ff ff 83 85 b4 fe ff ff 01 e9 86 fd ff ff
RSP: 0018:ffff888099ba7978 EFLAGS: 00010202
RAX: 0000000000000000 RBX: ffff888093986c00 RCX: ffff88808d922c48
RDX: 0000000000000004 RSI: 0000000000000001 RDI: 0000000000000001
RBP: ffff888099ba7ae0 R08: fffff940004ad237 R09: 0000000000000004
R10: ffff88808d922ba0 R11: ffffea00025691b7 R12: dffffc0000000000
R13: 0000000000000000 R14: ffff88808d922bac R15: ffff88808d922b80
FS:  00007fd798783700(0000) GS:ffff8880aeb00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f53f08bf000 CR3: 000000008edc3000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400