bisecting cause commit starting from 89695196f0ba78a17453f9616355f2ca6b293402
building syzkaller on 89bc860804252dbacb8c2bea60b9204859f4afd7
testing commit 89695196f0ba78a17453f9616355f2ca6b293402
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 7e563d11e3460117190a557ef12977ebf3c2472659c4b93f316caf7d2f101799
run #0: crashed: general protection fault in llc_build_and_send_xid_pkt
run #1: crashed: general protection fault in llc_ui_sendmsg
run #2: crashed: general protection fault in llc_build_and_send_xid_pkt
run #3: crashed: general protection fault in llc_ui_sendmsg
run #4: crashed: general protection fault in llc_build_and_send_xid_pkt
run #5: crashed: general protection fault in llc_ui_sendmsg
run #6: crashed: general protection fault in llc_build_and_send_xid_pkt
run #7: crashed: general protection fault in llc_build_and_send_xid_pkt
run #8: crashed: general protection fault in llc_build_and_send_xid_pkt
run #9: crashed: general protection fault in llc_ui_sendmsg
run #10: crashed: general protection fault in llc_build_and_send_xid_pkt
run #11: crashed: general protection fault in llc_build_and_send_xid_pkt
run #12: crashed: general protection fault in llc_build_and_send_xid_pkt
run #13: crashed: general protection fault in llc_build_and_send_xid_pkt
run #14: crashed: general protection fault in llc_ui_sendmsg
run #15: crashed: general protection fault in llc_build_and_send_xid_pkt
run #16: crashed: general protection fault in llc_ui_sendmsg
run #17: crashed: general protection fault in llc_build_and_send_xid_pkt
run #18: crashed: general protection fault in llc_build_and_send_xid_pkt
run #19: crashed: general protection fault in llc_build_and_send_xid_pkt
testing release v5.16
testing commit df0cc57e057f18e44dac8e6c18aba47ab53202f9
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 1fd9ab6ec52dc5d6eec160897ae3403fe7938723519a9996a423afd6588ef1fc
all runs: OK
# git bisect start 89695196f0ba78a17453f9616355f2ca6b293402 df0cc57e057f18e44dac8e6c18aba47ab53202f9
Bisecting: 8529 revisions left to test after this (roughly 13 steps)
[e1a7aa25ff45636a6c1930bf2430c8b802e93d9c] Merge tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi

testing commit e1a7aa25ff45636a6c1930bf2430c8b802e93d9c
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 99d9bf3331f0214b688f12d4b11bc6dacebab0bceb35d47ab41f6ef9884bff2b
all runs: OK
# git bisect good e1a7aa25ff45636a6c1930bf2430c8b802e93d9c
Bisecting: 4265 revisions left to test after this (roughly 12 steps)
[cc0def5b4ed61a262b88c67e6f8ed1a70c52c568] Merge tag 'optee-fixes-for-v5.17' of git://git.linaro.org/people/jens.wiklander/linux-tee into arm/fixes

testing commit cc0def5b4ed61a262b88c67e6f8ed1a70c52c568
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 2056961b2007f1936732ab01bc0286a6527ccd982d1ef835a68f29027f2aefb3
all runs: OK
# git bisect good cc0def5b4ed61a262b88c67e6f8ed1a70c52c568
Bisecting: 2133 revisions left to test after this (roughly 11 steps)
[ee6373ddf3a974c4239f56931f5944fd289146e7] net/funeth: probing and netdev ops

testing commit ee6373ddf3a974c4239f56931f5944fd289146e7
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 3a60394d0d33cd3eed04072d1cb364ad14c4814556ed102707ae46aea7e0ad30
all runs: OK
# git bisect good ee6373ddf3a974c4239f56931f5944fd289146e7
Bisecting: 1021 revisions left to test after this (roughly 10 steps)
[1e8a3f0d2a1ef544611a7ea4a7c1512c732e0e43] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net

testing commit 1e8a3f0d2a1ef544611a7ea4a7c1512c732e0e43
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 8dfe06e5908d2510ad8a3907f137a551ed7afba7b43233cb4ce8cc8a295f925f
all runs: OK
# git bisect good 1e8a3f0d2a1ef544611a7ea4a7c1512c732e0e43
Bisecting: 517 revisions left to test after this (roughly 9 steps)
[770c9a3a01af178a90368a78c75eb91707c7233c] net/mlx5: Remove unused fill page array API function

testing commit 770c9a3a01af178a90368a78c75eb91707c7233c
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 1ce022e0da150a0af7d5b678a2f9b33b9fc1fff8bcacc651ed8629d69aaffea8
run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: failed to write control pipe: write |NUM: broken pipe
run #1: basic kernel testing failed: BUG: program execution failed: executor NUM: exit status NUM
run #2: basic kernel testing failed: WARNING in __napi_schedule
run #3: basic kernel testing failed: WARNING in __napi_schedule
run #4: basic kernel testing failed: WARNING in __napi_schedule
run #5: basic kernel testing failed: WARNING in __napi_schedule
run #6: basic kernel testing failed: WARNING in __napi_schedule
run #7: basic kernel testing failed: WARNING in __napi_schedule
run #8: basic kernel testing failed: WARNING in __napi_schedule
run #9: basic kernel testing failed: WARNING in __napi_schedule
# git bisect skip 770c9a3a01af178a90368a78c75eb91707c7233c
Bisecting: 517 revisions left to test after this (roughly 9 steps)
[fc6d01ff9ef03b66d4a3a23b46fc3c3d8cf92009] ax25: Fix NULL pointer dereferences in ax25 timers

testing commit fc6d01ff9ef03b66d4a3a23b46fc3c3d8cf92009
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 3d2937f986be8992d8f24502cd9f0e611ace16dbccabb4004eb9aafebfd36b6a
all runs: OK
# git bisect good fc6d01ff9ef03b66d4a3a23b46fc3c3d8cf92009
Bisecting: 455 revisions left to test after this (roughly 9 steps)
[49045b9c810cd9b4ac5f8f235ad8ef17553a00fa] Merge branch 'mediatek-next'

testing commit 49045b9c810cd9b4ac5f8f235ad8ef17553a00fa
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: f7e23def0a057fccb9d8e5a4e2503de26fac3a1088273ce01a02e9f974ef9a65
all runs: basic kernel testing failed: WARNING in __napi_schedule
# git bisect skip 49045b9c810cd9b4ac5f8f235ad8ef17553a00fa
Bisecting: 455 revisions left to test after this (roughly 9 steps)
[9f01cfbf2922432668c2fd4dfc0413342aaff48b] net: sparx5: Use Switchdev fdb events for managing fdb entries

testing commit 9f01cfbf2922432668c2fd4dfc0413342aaff48b
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 28869e7365a55e1d7cc0047d8ad80230ffca684c2a08e23306ceacf750201e75
all runs: basic kernel testing failed: WARNING in __napi_schedule
# git bisect skip 9f01cfbf2922432668c2fd4dfc0413342aaff48b
Bisecting: 455 revisions left to test after this (roughly 9 steps)
[aa80511a93dbab1fb362ab414acc665a319c6522] Merge branch 'net-mscc-miim-add-integrated-phy-reset-support'

testing commit aa80511a93dbab1fb362ab414acc665a319c6522
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: e07c76fd0a1ecf2d0eeccb2a54c3d8e2193ca35f55fc2f8e9de7e2471083bd09
all runs: OK
# git bisect good aa80511a93dbab1fb362ab414acc665a319c6522
Bisecting: 89 revisions left to test after this (roughly 7 steps)
[515a49173b80a4aabcbad9a4fa2a247042378ea1] ARM: rethook: Add rethook arm implementation

testing commit 515a49173b80a4aabcbad9a4fa2a247042378ea1
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 49d8c97bd441a81d06f30220d8d557d41edc3b998dc3ea609299ff404e7564a1
all runs: OK
# git bisect good 515a49173b80a4aabcbad9a4fa2a247042378ea1
Bisecting: 44 revisions left to test after this (roughly 6 steps)
[e1cc1f39981b06ba22a0c92e800e9fd8ba59d2d3] selftests/bpf: Test skipping stacktrace

testing commit e1cc1f39981b06ba22a0c92e800e9fd8ba59d2d3
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 3c628ee3d57be7cbf75a7221f1f7be4491517049743d64d3002a5deb89174410
all runs: boot failed: KASAN: null-ptr-deref Write in register_btf_kfunc_id_set
# git bisect skip e1cc1f39981b06ba22a0c92e800e9fd8ba59d2d3
Bisecting: 44 revisions left to test after this (roughly 6 steps)
[a911ad18a56aeecf87a098ad1cdc4de91d7f60de] net: bridge: mst: Restrict info size queries to bridge ports

testing commit a911ad18a56aeecf87a098ad1cdc4de91d7f60de
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 5e1b7ac11aca3dd5e7436e8dea10f8957a7f36ecb4988203f62c38974bf02a49
all runs: OK
# git bisect good a911ad18a56aeecf87a098ad1cdc4de91d7f60de
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[6a7d8cff4a3301087dd139293e9bddcf63827282] tipc: fix the timer expires after interval 100ms

testing commit 6a7d8cff4a3301087dd139293e9bddcf63827282
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 9bff82c49a9b20d1154d7dd50941625c463c0a67b00f249cf594eb7ffb8e9bfe
all runs: OK
# git bisect good 6a7d8cff4a3301087dd139293e9bddcf63827282
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[764f4eb6846f5475f1244767d24d25dd86528a4a] llc: fix netdevice reference leaks in llc_ui_bind()

testing commit 764f4eb6846f5475f1244767d24d25dd86528a4a
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: db50463e49e03e94d439b27cf834ec7c024306770f407965469180f532d1231f
run #0: crashed: general protection fault in llc_build_and_send_xid_pkt
run #1: crashed: general protection fault in llc_ui_sendmsg
run #2: crashed: general protection fault in llc_build_and_send_xid_pkt
run #3: crashed: general protection fault in llc_ui_sendmsg
run #4: crashed: general protection fault in llc_build_and_send_xid_pkt
run #5: crashed: general protection fault in llc_build_and_send_xid_pkt
run #6: crashed: general protection fault in llc_build_and_send_xid_pkt
run #7: crashed: general protection fault in llc_build_and_send_xid_pkt
run #8: crashed: general protection fault in llc_build_and_send_xid_pkt
run #9: crashed: general protection fault in llc_build_and_send_xid_pkt
# git bisect bad 764f4eb6846f5475f1244767d24d25dd86528a4a
Bisecting: 1 revision left to test after this (roughly 1 step)
[054d5575cd6ed2792611a7cbb8c88663cc873780] net/sched: fix incorrect vlan_push_eth dest field

testing commit 054d5575cd6ed2792611a7cbb8c88663cc873780
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 8dd8eeec0d8a00c475aef4a14c033fde568d98647e3911e71b8dde417fc09a32
all runs: OK
# git bisect good 054d5575cd6ed2792611a7cbb8c88663cc873780
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[2844e2434385819f674d1fb4130c308c50ba681e] drivers: ethernet: cpsw: fix panic when interrupt coaleceing is set via ethtool

testing commit 2844e2434385819f674d1fb4130c308c50ba681e
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 22459dcdde1d503c31edeac40b71f75b93cd5e0235a745ed00493dbadbf049ee
all runs: OK
# git bisect good 2844e2434385819f674d1fb4130c308c50ba681e
764f4eb6846f5475f1244767d24d25dd86528a4a is the first bad commit
commit 764f4eb6846f5475f1244767d24d25dd86528a4a
Author: Eric Dumazet <edumazet@google.com>
Date:   Tue Mar 22 17:41:47 2022 -0700

    llc: fix netdevice reference leaks in llc_ui_bind()
    
    Whenever llc_ui_bind() and/or llc_ui_autobind()
    took a reference on a netdevice but subsequently fail,
    they must properly release their reference
    or risk the infamous message from unregister_netdevice()
    at device dismantle.
    
    unregister_netdevice: waiting for eth0 to become free. Usage count = 3
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reported-by: 赵子轩 <beraphin@gmail.com>
    Reported-by: Stoyan Manolov <smanolov@suse.de>
    Link: https://lore.kernel.org/r/20220323004147.1990845-1-eric.dumazet@gmail.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>

 net/llc/af_llc.c | 8 ++++++++
 1 file changed, 8 insertions(+)

culprit signature: db50463e49e03e94d439b27cf834ec7c024306770f407965469180f532d1231f
parent  signature: 22459dcdde1d503c31edeac40b71f75b93cd5e0235a745ed00493dbadbf049ee
revisions tested: 18, total time: 3h25m46.210440521s (build: 1h57m56.774645297s, test: 1h25m47.689526407s)
first bad commit: 764f4eb6846f5475f1244767d24d25dd86528a4a llc: fix netdevice reference leaks in llc_ui_bind()
recipients (to): ["davem@davemloft.net" "edumazet@google.com" "kuba@kernel.org" "kuba@kernel.org" "linux-kernel@vger.kernel.org"]
recipients (cc): ["netdev@vger.kernel.org" "paskripkin@gmail.com" "yajun.deng@linux.dev"]
crash: general protection fault in llc_build_and_send_xid_pkt
general protection fault, probably for non-canonical address 0xdffffc0000000070: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000380-0x0000000000000387]
CPU: 1 PID: 4072 Comm: syz-executor200 Not tainted 5.17.0-rc8-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:llc_build_and_send_xid_pkt+0xd3/0x200 net/llc/llc_sap.c:264
Code: 48 c1 ea 03 80 3c 02 00 0f 85 3a 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 8b 5d 10 48 8d bb 80 03 00 00 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 0a 01 00 00 48 8b b3 80 03 00 00 48 8d 7d 2e ba
RSP: 0018:ffffc9000422f8a8 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000070 RSI: ffff88801c91a640 RDI: 0000000000000380
RBP: ffff88801c91a640 R08: ffff88807da7d50c R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: ffff888010faf000
R13: ffff88807da7d510 R14: 0000000000000000 R15: ffffc9000422fd70
FS:  00007fe769a29700(0000) GS:ffff8880b9f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020010038 CR3: 000000006fd38000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 llc_ui_sendmsg+0x947/0xf20 net/llc/af_llc.c:979
 sock_sendmsg_nosec net/socket.c:705 [inline]
 sock_sendmsg+0xab/0xe0 net/socket.c:725
 ____sys_sendmsg+0x392/0x7a0 net/socket.c:2413
 ___sys_sendmsg+0xd3/0x150 net/socket.c:2467
 __sys_sendmmsg+0x141/0x310 net/socket.c:2553
 __do_sys_sendmmsg net/socket.c:2582 [inline]
 __se_sys_sendmmsg net/socket.c:2579 [inline]
 __x64_sys_sendmmsg+0x94/0x100 net/socket.c:2579
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fe769a988c9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fe769a29318 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 00007fe769b203f8 RCX: 00007fe769a988c9
RDX: 03fffffffffffeed RSI: 0000000020001380 RDI: 0000000000000003
RBP: 00007fe769b203f0 R08: 00007fe769a29700 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe769b203fc
R13: 00007ffc8df12e2f R14: 00007fe769a29400 R15: 0000000000022000
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:llc_build_and_send_xid_pkt+0xd3/0x200 net/llc/llc_sap.c:264
Code: 48 c1 ea 03 80 3c 02 00 0f 85 3a 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 8b 5d 10 48 8d bb 80 03 00 00 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 0a 01 00 00 48 8b b3 80 03 00 00 48 8d 7d 2e ba
RSP: 0018:ffffc9000422f8a8 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000070 RSI: ffff88801c91a640 RDI: 0000000000000380
RBP: ffff88801c91a640 R08: ffff88807da7d50c R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: ffff888010faf000
R13: ffff88807da7d510 R14: 0000000000000000 R15: ffffc9000422fd70
FS:  00007fe769a29700(0000) GS:ffff8880b9f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fe769aedae8 CR3: 000000006fd38000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	48 c1 ea 03          	shr    $0x3,%rdx
   4:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1)
   8:	0f 85 3a 01 00 00    	jne    0x148
   e:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  15:	fc ff df
  18:	48 8b 5d 10          	mov    0x10(%rbp),%rbx
  1c:	48 8d bb 80 03 00 00 	lea    0x380(%rbx),%rdi
  23:	48 89 fa             	mov    %rdi,%rdx
  26:	48 c1 ea 03          	shr    $0x3,%rdx
* 2a:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1) <-- trapping instruction
  2e:	0f 85 0a 01 00 00    	jne    0x13e
  34:	48 8b b3 80 03 00 00 	mov    0x380(%rbx),%rsi
  3b:	48 8d 7d 2e          	lea    0x2e(%rbp),%rdi
  3f:	ba                   	.byte 0xba