bisecting cause commit starting from a0cfa79f8470031a06f99172ae7163ceb12cb524
building syzkaller on 2458c1c6c2935db73abd6307d4f12126bef9efb5
testing commit a0cfa79f8470031a06f99172ae7163ceb12cb524 with gcc (GCC) 8.1.0
all runs: crashed: general protection fault in tipc_mcast_filter_msg
testing release v5.0
testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783 with gcc (GCC) 8.1.0
all runs: OK
# git bisect start a0cfa79f8470031a06f99172ae7163ceb12cb524 v5.0
Bisecting: 5792 revisions left to test after this (roughly 13 steps)
[e431f2d74e1b91e00e71e97cadcadffc4cda8a9b] Merge tag 'driver-core-5.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core
testing commit e431f2d74e1b91e00e71e97cadcadffc4cda8a9b with gcc (GCC) 8.1.0
all runs: OK
# git bisect good e431f2d74e1b91e00e71e97cadcadffc4cda8a9b
Bisecting: 2846 revisions left to test after this (roughly 12 steps)
[3601fe43e8164f67a8de3de8e988bfcb3a94af46] Merge tag 'gpio-v5.1-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio
testing commit 3601fe43e8164f67a8de3de8e988bfcb3a94af46 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 3601fe43e8164f67a8de3de8e988bfcb3a94af46
Bisecting: 1419 revisions left to test after this (roughly 11 steps)
[b7a7d1c1ec688104fdc922568c26395a756f616d] Merge tag 'dma-mapping-5.1' of git://git.infradead.org/users/hch/dma-mapping
testing commit b7a7d1c1ec688104fdc922568c26395a756f616d with gcc (GCC) 8.1.0
all runs: OK
# git bisect good b7a7d1c1ec688104fdc922568c26395a756f616d
Bisecting: 709 revisions left to test after this (roughly 10 steps)
[dfee9c257b102d7c0407629eef2ed32e152de0d2] Merge tag 'fuse-update-5.1' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse
testing commit dfee9c257b102d7c0407629eef2ed32e152de0d2 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good dfee9c257b102d7c0407629eef2ed32e152de0d2
Bisecting: 287 revisions left to test after this (roughly 9 steps)
[dc2535be1fd547fbd56aff091370280007b0a1af] Merge tag 'clk-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux
testing commit dc2535be1fd547fbd56aff091370280007b0a1af with gcc (GCC) 8.1.0
all runs: OK
# git bisect good dc2535be1fd547fbd56aff091370280007b0a1af
Bisecting: 160 revisions left to test after this (roughly 7 steps)
[31ef489a026ef2c07383ef336dc9b6601c7b9b93] Merge tag 'dmaengine-5.1-rc1' of git://git.infradead.org/users/vkoul/slave-dma
testing commit 31ef489a026ef2c07383ef336dc9b6601c7b9b93 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 31ef489a026ef2c07383ef336dc9b6601c7b9b93
Bisecting: 79 revisions left to test after this (roughly 6 steps)
[3b319ee220a8795406852a897299dbdfc1b09911] Merge tag 'acpi-5.1-rc1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm
testing commit 3b319ee220a8795406852a897299dbdfc1b09911 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 3b319ee220a8795406852a897299dbdfc1b09911
Bisecting: 39 revisions left to test after this (roughly 5 steps)
[9180bb4f046064dfa4541488102703b402bb04e1] tun: add a missing rcu_read_unlock() in error path
testing commit 9180bb4f046064dfa4541488102703b402bb04e1 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 9180bb4f046064dfa4541488102703b402bb04e1
Bisecting: 19 revisions left to test after this (roughly 4 steps)
[06b39e8506f6dd4e11e1d8fc4d314d72d237ad10] sctp: fix ignoring asoc_id for tcp-style sockets on SCTP_AUTH_ACTIVE_KEY sockopt
testing commit 06b39e8506f6dd4e11e1d8fc4d314d72d237ad10 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 06b39e8506f6dd4e11e1d8fc4d314d72d237ad10
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[7221b727f0079a32aca91f657141e1de564d4b97] s390/qeth: fix race when initializing the IP address table
testing commit 7221b727f0079a32aca91f657141e1de564d4b97 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 7221b727f0079a32aca91f657141e1de564d4b97
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[02ec6cafd78c2052283516afc74c309745d20271] tipc: support broadcast/replicast configurable for bc-link
testing commit 02ec6cafd78c2052283516afc74c309745d20271 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 02ec6cafd78c2052283516afc74c309745d20271
Bisecting: 2 revisions left to test after this (roughly 1 step)
[c55c8edafa91139419ed011f7d036274ce96be0b] tipc: smooth change between replicast and broadcast
testing commit c55c8edafa91139419ed011f7d036274ce96be0b with gcc (GCC) 8.1.0
all runs: crashed: general protection fault in tipc_mcast_filter_msg
# git bisect bad c55c8edafa91139419ed011f7d036274ce96be0b
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[ff2ebbfba6186adf3964eb816f8f255c6e664dc4] tipc: introduce new capability flag for cluster
testing commit ff2ebbfba6186adf3964eb816f8f255c6e664dc4 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good ff2ebbfba6186adf3964eb816f8f255c6e664dc4
c55c8edafa91139419ed011f7d036274ce96be0b is the first bad commit
commit c55c8edafa91139419ed011f7d036274ce96be0b
Author: Hoang Le <hoang.h.le@dektech.com.au>
Date:   Tue Mar 19 18:49:50 2019 +0700

    tipc: smooth change between replicast and broadcast
    
    Currently, a multicast stream may start out using replicast, because
    there are few destinations, and then it should ideally switch to
    L2/broadcast IGMP/multicast when the number of destinations grows beyond
    a certain limit. The opposite should happen when the number decreases
    below the limit.
    
    To eliminate the risk of message reordering caused by method change,
    a sending socket must stick to a previously selected method until it
    enters an idle period of 5 seconds. Means there is a 5 seconds pause
    in the traffic from the sender socket.
    
    If the sender never makes such a pause, the method will never change,
    and transmission may become very inefficient as the cluster grows.
    
    With this commit, we allow such a switch between replicast and
    broadcast without any need for a traffic pause.
    
    Solution is to send a dummy message with only the header, also with
    the SYN bit set, via broadcast or replicast. For the data message,
    the SYN bit is set and sending via replicast or broadcast (inverse
    method with dummy).
    
    Then, at receiving side any messages follow first SYN bit message
    (data or dummy message), they will be held in deferred queue until
    another pair (dummy or data message) arrived in other link.
    
    v2: reverse christmas tree declaration
    
    Acked-by: Jon Maloy <jon.maloy@ericsson.com>
    Signed-off-by: Hoang Le <hoang.h.le@dektech.com.au>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/tipc/bcast.c  | 165 +++++++++++++++++++++++++++++++++++++++++++++++++++++-
 net/tipc/bcast.h  |   5 ++
 net/tipc/msg.h    |  10 ++++
 net/tipc/socket.c |   5 ++
 4 files changed, 184 insertions(+), 1 deletion(-)
revisions tested: 15, total time: 3h43m55.816221119s (build: 1h22m38.64584927s, test: 2h18m25.726716044s)
first bad commit: c55c8edafa91139419ed011f7d036274ce96be0b tipc: smooth change between replicast and broadcast
cc: ["davem@davemloft.net" "hoang.h.le@dektech.com.au" "jon.maloy@ericsson.com" "linux-kernel@vger.kernel.org" "netdev@vger.kernel.org" "tipc-discussion@lists.sourceforge.net" "ying.xue@windriver.com"]
crash: general protection fault in tipc_mcast_filter_msg
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 6810 Comm: syz-executor.4 Not tainted 5.0.0+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
RIP: 0010:tipc_mcast_filter_msg+0x199/0x1720 net/tipc/bcast.c:782
Code: 4c 39 eb 0f c9 89 4d c8 0f 84 e8 04 00 00 49 b9 00 00 00 00 00 fc ff df 48 89 45 c0 49 8d bd c8 00 00 00 48 89 f8 48 c1 e8 03 <42> 80 3c 08 00 0f 85 76 0d 00 00 4d 8b b5 c8 00 00 00 4c 89 f0 48
RSP: 0018:ffff888073f9eda0 EFLAGS: 00010202
RAX: 0000000000000019 RBX: ffff88807ac4c548 RCX: 00000000be4c9010
RDX: 0000000000000000 RSI: ffff888073f9ef70 RDI: 00000000000000c8
RBP: ffff888073f9ee08 R08: ffff88807d4838c0 R09: dffffc0000000000
R10: ffffed100fd45bc7 R11: ffff88807ea2de3b R12: ffff88807d4838c0
R13: 0000000000000000 R14: ffff88807cf64108 R15: 00000000416c002c
FS:  00007fbeda992700(0000) GS:ffff88807ea00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000071c061 CR3: 0000000077c55000 CR4: 00000000007406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
 tipc_sk_filter_rcv+0x11ca/0x2bf0 net/tipc/socket.c:2168
 tipc_sk_enqueue net/tipc/socket.c:2254 [inline]
 tipc_sk_rcv+0xaca/0x1db0 net/tipc/socket.c:2305
 tipc_sk_mcast_rcv+0x65c/0x10a0 net/tipc/socket.c:1209
 tipc_mcast_xmit+0x649/0xed0 net/tipc/bcast.c:410
 tipc_sendmcast+0x9c6/0xd50 net/tipc/socket.c:820
 __tipc_sendmsg+0xe95/0x1590 net/tipc/socket.c:1358
 tipc_sendmsg+0x4b/0x70 net/tipc/socket.c:1291
 sock_sendmsg_nosec net/socket.c:651 [inline]
 sock_sendmsg+0xb7/0xf0 net/socket.c:661
 ___sys_sendmsg+0x649/0x950 net/socket.c:2260
 __sys_sendmsg+0xd9/0x180 net/socket.c:2298
 __do_sys_sendmsg net/socket.c:2307 [inline]
 __se_sys_sendmsg net/socket.c:2305 [inline]
 __x64_sys_sendmsg+0x73/0xb0 net/socket.c:2305
 do_syscall_64+0xd6/0x4e0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x457799
Code: 8d b5 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b b5 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fbeda991c88 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 000000000071bf00 RCX: 0000000000457799
RDX: 0000000000000000 RSI: 0000000020002140 RDI: 0000000000000003
RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000006ed140 R14: 00000000004ac820 R15: 00007fbeda9926d4
Modules linked in:
---[ end trace e6c5ab2ea19844b5 ]---
RIP: 0010:tipc_mcast_filter_msg+0x199/0x1720 net/tipc/bcast.c:782
Code: 4c 39 eb 0f c9 89 4d c8 0f 84 e8 04 00 00 49 b9 00 00 00 00 00 fc ff df 48 89 45 c0 49 8d bd c8 00 00 00 48 89 f8 48 c1 e8 03 <42> 80 3c 08 00 0f 85 76 0d 00 00 4d 8b b5 c8 00 00 00 4c 89 f0 48
RSP: 0018:ffff888073f9eda0 EFLAGS: 00010202
RAX: 0000000000000019 RBX: ffff88807ac4c548 RCX: 00000000be4c9010
RDX: 0000000000000000 RSI: ffff888073f9ef70 RDI: 00000000000000c8
RBP: ffff888073f9ee08 R08: ffff88807d4838c0 R09: dffffc0000000000
R10: ffffed100fd45bc7 R11: ffff88807ea2de3b R12: ffff88807d4838c0
R13: 0000000000000000 R14: ffff88807cf64108 R15: 00000000416c002c
FS:  00007fbeda992700(0000) GS:ffff88807ea00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000071c061 CR3: 0000000077c55000 CR4: 00000000007406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554