bisecting cause commit starting from 085b7755808aa11f78ab9377257e1dad2e6fa4bb building syzkaller on 53199d6e8aee5f0ebd3775d2b1c674f4e6e64e2b testing commit 085b7755808aa11f78ab9377257e1dad2e6fa4bb with gcc (GCC) 8.1.0 all runs: crashed: general protection fault in skb_queue_tail testing release v5.0 testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783 with gcc (GCC) 8.1.0 run #0: crashed: general protection fault in skb_queue_tail run #1: crashed: general protection fault in skb_queue_tail run #2: crashed: general protection fault in skb_queue_tail run #3: crashed: general protection fault in corrupted run #4: crashed: general protection fault in skb_queue_tail run #5: crashed: general protection fault in corrupted run #6: crashed: general protection fault in skb_queue_tail run #7: crashed: general protection fault in skb_queue_tail run #8: crashed: general protection fault in skb_queue_tail run #9: crashed: general protection fault in skb_queue_tail testing release v4.20 testing commit 8fe28cb58bcb235034b64cbbb7550a8a43fd88be with gcc (GCC) 8.1.0 all runs: crashed: general protection fault in skb_queue_tail testing release v4.19 testing commit 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d with gcc (GCC) 8.1.0 all runs: basic kernel testing failed: timed out testing release v4.18 testing commit 94710cac0ef4ee177a63b5227664b38c95bbf703 with gcc (GCC) 8.1.0 run #0: basic kernel testing failed: timed out run #1: basic kernel testing failed: timed out run #2: basic kernel testing failed: timed out run #3: basic kernel testing failed: timed out run #4: basic kernel testing failed: timed out run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect start v4.20 v4.18 Bisecting: 15098 revisions left to test after this (roughly 14 steps) [89303c7ea770b6010943ef4ed73eb92bdc5a7ec8] Merge tag 'usb-serial-4.20-rc1' of https://git.kernel.org/pub/scm/linux/kernel/git/johan/usb-serial into usb-next testing commit 89303c7ea770b6010943ef4ed73eb92bdc5a7ec8 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 89303c7ea770b6010943ef4ed73eb92bdc5a7ec8 Bisecting: 7502 revisions left to test after this (roughly 13 steps) [685f7e4f161425b137056abe35ba8ef7b669d83d] Merge tag 'powerpc-4.20-1' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux testing commit 685f7e4f161425b137056abe35ba8ef7b669d83d with gcc (GCC) 8.1.0 all runs: crashed: general protection fault in skb_queue_tail # git bisect bad 685f7e4f161425b137056abe35ba8ef7b669d83d Bisecting: 3019 revisions left to test after this (roughly 12 steps) [50b825d7e87f4cff7070df6eb26390152bb29537] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next testing commit 50b825d7e87f4cff7070df6eb26390152bb29537 with gcc (GCC) 8.1.0 all runs: crashed: general protection fault in skb_queue_tail # git bisect bad 50b825d7e87f4cff7070df6eb26390152bb29537 Bisecting: 2287 revisions left to test after this (roughly 11 steps) [b87e7f246898d0ccd676fbac5cb3fe41b1735cf9] Documentation: e1000e: Prepare documentation for RST conversion testing commit b87e7f246898d0ccd676fbac5cb3fe41b1735cf9 with gcc (GCC) 8.1.0 run #0: crashed: general protection fault in skb_queue_tail run #1: crashed: general protection fault in skb_queue_tail run #2: crashed: general protection fault in skb_queue_tail run #3: crashed: general protection fault in skb_queue_tail run #4: crashed: general protection fault in skb_queue_tail run #5: crashed: general protection fault in skb_queue_tail run #6: crashed: general protection fault in skb_queue_tail run #7: crashed: general protection fault in skb_queue_tail run #8: crashed: general protection fault in skb_queue_tail run #9: crashed: kernel BUG at net/rxrpc/local_object.c:LINE! # git bisect bad b87e7f246898d0ccd676fbac5cb3fe41b1735cf9 Bisecting: 1143 revisions left to test after this (roughly 10 steps) [f76c483a0b373fdfaedafefe8e4da8beb614e1e9] dpaa2-eth: Rename structure testing commit f76c483a0b373fdfaedafefe8e4da8beb614e1e9 with gcc (GCC) 8.1.0 all runs: OK # git bisect good f76c483a0b373fdfaedafefe8e4da8beb614e1e9 Bisecting: 571 revisions left to test after this (roughly 9 steps) [bf341eb895411f36582a905d4a646b387a0d1fc3] mlxsw: spectrum: Remove misuses of private header file testing commit bf341eb895411f36582a905d4a646b387a0d1fc3 with gcc (GCC) 8.1.0 run #0: crashed: general protection fault in skb_queue_tail run #1: crashed: general protection fault in skb_queue_tail run #2: crashed: general protection fault in skb_queue_tail run #3: crashed: general protection fault in skb_queue_tail run #4: crashed: general protection fault in skb_queue_tail run #5: crashed: general protection fault in skb_queue_tail run #6: crashed: general protection fault in skb_queue_tail run #7: crashed: general protection fault in skb_queue_tail run #8: crashed: general protection fault in skb_queue_tail run #9: boot failed: WARNING: workqueue cpumask: online intersect > possible intersect # git bisect bad bf341eb895411f36582a905d4a646b387a0d1fc3 Bisecting: 332 revisions left to test after this (roughly 8 steps) [5580d810560da33804053ae3bca13110c9a8d5e8] Merge tag 'mt76-for-kvalo-2018-10-05' of https://github.com/nbd168/wireless testing commit 5580d810560da33804053ae3bca13110c9a8d5e8 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 5580d810560da33804053ae3bca13110c9a8d5e8 Bisecting: 166 revisions left to test after this (roughly 7 steps) [062f97a314355c3f0021cfa1454726cfe12432fa] isdn/gigaset/isocdata: mark expected switch fall-through testing commit 062f97a314355c3f0021cfa1454726cfe12432fa with gcc (GCC) 8.1.0 all runs: crashed: general protection fault in skb_queue_tail # git bisect bad 062f97a314355c3f0021cfa1454726cfe12432fa Bisecting: 82 revisions left to test after this (roughly 6 steps) [39932473b63ebbfdebe298cad09711349feddbc6] net: hns3: Optimize for unicast mac vlan table testing commit 39932473b63ebbfdebe298cad09711349feddbc6 with gcc (GCC) 8.1.0 all runs: crashed: general protection fault in skb_queue_tail # git bisect bad 39932473b63ebbfdebe298cad09711349feddbc6 Bisecting: 41 revisions left to test after this (roughly 5 steps) [e908bcf4f1a271e7c264dcbffc5881ced8bfacee] rxrpc: Allow the reply time to be obtained on a client call testing commit e908bcf4f1a271e7c264dcbffc5881ced8bfacee with gcc (GCC) 8.1.0 all runs: crashed: general protection fault in skb_queue_tail # git bisect bad e908bcf4f1a271e7c264dcbffc5881ced8bfacee Bisecting: 20 revisions left to test after this (roughly 4 steps) [6b27f3de223fb83b4c2b41c5becb1c5be77fe49e] ixgbe: remove redundant function ixgbe_fw_recovery_mode() testing commit 6b27f3de223fb83b4c2b41c5becb1c5be77fe49e with gcc (GCC) 8.1.0 all runs: OK # git bisect good 6b27f3de223fb83b4c2b41c5becb1c5be77fe49e Bisecting: 10 revisions left to test after this (roughly 3 steps) [37ebb5fa6fc9be0eb80dcd3d17984cc36006a21c] iavf: fix a typo testing commit 37ebb5fa6fc9be0eb80dcd3d17984cc36006a21c with gcc (GCC) 8.1.0 all runs: OK # git bisect good 37ebb5fa6fc9be0eb80dcd3d17984cc36006a21c Bisecting: 5 revisions left to test after this (roughly 3 steps) [68eb64c3d2fd558c606dcff6d3e8a2701388a80f] afs: Do better max capacity handling on address lists testing commit 68eb64c3d2fd558c606dcff6d3e8a2701388a80f with gcc (GCC) 8.1.0 all runs: basic kernel testing failed: timed out # git bisect skip 68eb64c3d2fd558c606dcff6d3e8a2701388a80f Bisecting: 4 revisions left to test after this (roughly 3 steps) [4c19bbdc7f7c76da14a7192072c47c3b9b582e80] afs: Always build address lists using the helper functions testing commit 4c19bbdc7f7c76da14a7192072c47c3b9b582e80 with gcc (GCC) 8.1.0 run #0: basic kernel testing failed: timed out run #1: basic kernel testing failed: timed out run #2: basic kernel testing failed: timed out run #3: basic kernel testing failed: timed out run #4: basic kernel testing failed: timed out run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect good 4c19bbdc7f7c76da14a7192072c47c3b9b582e80 Bisecting: 2 revisions left to test after this (roughly 1 step) [46894a13599a977ac35411b536fb3e0b2feefa95] rxrpc: Use IPv4 addresses throught the IPv6 testing commit 46894a13599a977ac35411b536fb3e0b2feefa95 with gcc (GCC) 8.1.0 all runs: crashed: general protection fault in skb_queue_tail # git bisect bad 46894a13599a977ac35411b536fb3e0b2feefa95 Bisecting: 0 revisions left to test after this (roughly 0 steps) [66be646bd9a7d50961afbf48c1d0df148e37d416] afs: Sort address lists so that they are in logical ascending order testing commit 66be646bd9a7d50961afbf48c1d0df148e37d416 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 66be646bd9a7d50961afbf48c1d0df148e37d416 46894a13599a977ac35411b536fb3e0b2feefa95 is the first bad commit commit 46894a13599a977ac35411b536fb3e0b2feefa95 Author: David Howells Date: Thu Oct 4 09:32:28 2018 +0100 rxrpc: Use IPv4 addresses throught the IPv6 AF_RXRPC opens an IPv6 socket through which to send and receive network packets, both IPv6 and IPv4. It currently turns AF_INET addresses into AF_INET-as-AF_INET6 addresses based on an assumption that this was necessary; on further inspection of the code, however, it turns out that the IPv6 code just farms packets aimed at AF_INET addresses out to the IPv4 code. Fix AF_RXRPC to use AF_INET addresses directly when given them. Fixes: 7b674e390e51 ("rxrpc: Fix IPv6 support") Signed-off-by: David Howells :040000 040000 03ec12e91b434ee23d1557b7f3705c7c179328a2 08845a46a3e8f298f06808416c7a571c8f2e572c M fs :040000 040000 ac3ebeb152a3543e1546bf58ae5ff9581790cc4c a8a247dcbee26bf5acad339fea72ea0346f7e9b2 M net revisions tested: 21, total time: 5h0m47.304785682s (build: 1h59m29.024845163s, test: 2h54m24.800506155s) first bad commit: 46894a13599a977ac35411b536fb3e0b2feefa95 rxrpc: Use IPv4 addresses throught the IPv6 cc: ["davem@davemloft.net" "dhowells@redhat.com" "linux-afs@lists.infradead.org" "linux-kernel@vger.kernel.org" "netdev@vger.kernel.org"] crash: general protection fault in skb_queue_tail kasan: CONFIG_KASAN_INLINE enabled kasan: GPF could be caused by NULL-ptr deref or user memory access kobject: 'loop5' (00000000fc9b34d0): fill_kobj_path: path = '/devices/virtual/block/loop5' general protection fault: 0000 [#1] PREEMPT SMP KASAN CPU: 1 PID: 28304 Comm: syz-executor.1 Not tainted 4.19.0-rc6+ #1 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:debug_spin_lock_before kernel/locking/spinlock_debug.c:83 [inline] RIP: 0010:do_raw_spin_lock+0x27/0x200 kernel/locking/spinlock_debug.c:112 Code: 00 00 00 48 b8 00 00 00 00 00 fc ff df 55 48 89 e5 41 56 41 55 41 54 53 48 89 fb 48 83 c7 04 48 89 fa 48 83 ec 08 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 7b RSP: 0018:ffff8800921aef88 EFLAGS: 00010003 RAX: dffffc0000000000 RBX: 0000000000000118 RCX: 0000000000000000 RDX: 0000000000000023 RSI: 0000000000000000 RDI: 000000000000011c RBP: ffff8800921aefb0 R08: 0000000000000001 R09: 0000000000000001 R10: ffffed00116e00cc R11: 0000000000000000 R12: 0000000000000286 R13: ffff88008b700580 R14: 0000000000000118 R15: ffff88008a2a7748 FS: 00007f92070ec700(0000) GS:ffff8800aeb00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffcd3e9bdac CR3: 000000009ff97000 CR4: 00000000001406e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:117 [inline] _raw_spin_lock_irqsave+0xa1/0xd0 kernel/locking/spinlock.c:152 kobject: 'loop5' (00000000fc9b34d0): kobject_uevent_env skb_queue_tail+0x21/0x150 net/core/skbuff.c:2918 rxrpc_reject_packet net/rxrpc/input.c:1082 [inline] rxrpc_data_ready+0x6ec/0x471b net/rxrpc/input.c:1398 kobject: 'loop5' (00000000fc9b34d0): fill_kobj_path: path = '/devices/virtual/block/loop5' kobject: 'loop5' (00000000fc9b34d0): kobject_uevent_env kobject: 'loop5' (00000000fc9b34d0): fill_kobj_path: path = '/devices/virtual/block/loop5' __udp_enqueue_schedule_skb+0x3a7/0x5e0 net/ipv4/udp.c:1412 kobject: 'loop3' (00000000e3001a1a): kobject_uevent_env __udp_queue_rcv_skb net/ipv4/udp.c:1875 [inline] udp_queue_rcv_skb+0x9dd/0x1350 net/ipv4/udp.c:1999 udp_unicast_rcv_skb.isra.52+0x2c8/0x350 net/ipv4/udp.c:2139 __udp4_lib_rcv+0x5fe/0x2ba0 net/ipv4/udp.c:2195 udp_rcv+0x15/0x20 net/ipv4/udp.c:2376 kobject: 'loop3' (00000000e3001a1a): fill_kobj_path: path = '/devices/virtual/block/loop3' ip_local_deliver_finish+0x23a/0x9c0 net/ipv4/ip_input.c:215 NF_HOOK include/linux/netfilter.h:289 [inline] ip_local_deliver+0x2f7/0x440 net/ipv4/ip_input.c:256 kobject: 'loop0' (000000009b57a8d0): kobject_uevent_env kobject: 'loop0' (000000009b57a8d0): fill_kobj_path: path = '/devices/virtual/block/loop0' kobject: 'loop4' (0000000058445527): kobject_uevent_env dst_input include/net/dst.h:450 [inline] ip_rcv_finish+0x173/0x270 net/ipv4/ip_input.c:415 NF_HOOK include/linux/netfilter.h:289 [inline] ip_rcv+0xcb/0x2e0 net/ipv4/ip_input.c:524 kobject: 'loop4' (0000000058445527): fill_kobj_path: path = '/devices/virtual/block/loop4' __netif_receive_skb_one_core+0xeb/0x170 net/core/dev.c:4894 __netif_receive_skb+0x1f/0x1b0 net/core/dev.c:5004 netif_receive_skb_internal+0xd1/0x3c0 net/core/dev.c:5107 napi_frags_finish net/core/dev.c:5643 [inline] napi_gro_frags+0x4d6/0x950 net/core/dev.c:5716 tun_get_user+0x21b0/0x32c0 drivers/net/tun.c:1957 tun_chr_write_iter+0xaf/0x150 drivers/net/tun.c:2002 call_write_iter include/linux/fs.h:1808 [inline] do_iter_readv_writev+0x4b8/0x960 fs/read_write.c:680 do_iter_write+0x128/0x540 fs/read_write.c:959 vfs_writev+0x16f/0x2d0 fs/read_write.c:1004 do_writev+0xda/0x260 fs/read_write.c:1039 __do_sys_writev fs/read_write.c:1112 [inline] __se_sys_writev fs/read_write.c:1109 [inline] __x64_sys_writev+0x70/0xb0 fs/read_write.c:1109 do_syscall_64+0xd6/0x4e0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x458ae1 Code: 75 14 b8 14 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 e4 b9 fb ff c3 48 83 ec 08 e8 1a 2d 00 00 48 89 04 24 b8 14 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 63 2d 00 00 48 89 d0 48 83 c4 08 48 3d 01 RSP: 002b:00007f92070ebba0 EFLAGS: 00000293 ORIG_RAX: 0000000000000014 RAX: ffffffffffffffda RBX: 000000000000002a RCX: 0000000000458ae1 RDX: 0000000000000001 RSI: 00007f92070ebc00 RDI: 00000000000000f0 RBP: 000000000073bfa0 R08: 0000000000000000 R09: 0000000000000000 R10: 00007f92070ec9d0 R11: 0000000000000293 R12: 00007f92070ec6d4 R13: 00000000004c7523 R14: 00000000004dd490 R15: 00000000ffffffff Modules linked in: ---[ end trace 5f3a5239820325d9 ]--- RIP: 0010:debug_spin_lock_before kernel/locking/spinlock_debug.c:83 [inline] RIP: 0010:do_raw_spin_lock+0x27/0x200 kernel/locking/spinlock_debug.c:112 Code: 00 00 00 48 b8 00 00 00 00 00 fc ff df 55 48 89 e5 41 56 41 55 41 54 53 48 89 fb 48 83 c7 04 48 89 fa 48 83 ec 08 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 7b RSP: 0018:ffff8800921aef88 EFLAGS: 00010003 RAX: dffffc0000000000 RBX: 0000000000000118 RCX: 0000000000000000 RDX: 0000000000000023 RSI: 0000000000000000 RDI: 000000000000011c RBP: ffff8800921aefb0 R08: 0000000000000001 R09: 0000000000000001 R10: ffffed00116e00cc R11: 0000000000000000 R12: 0000000000000286 R13: ffff88008b700580 R14: 0000000000000118 R15: ffff88008a2a7748 FS: 00007f92070ec700(0000) GS:ffff8800aeb00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffcd3e9bdac CR3: 000000009ff97000 CR4: 00000000001406e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400