bisecting fixing commit since 9e9322e5d28e433f1f25f01ffa0aa5762c75dad6
building syzkaller on 7c693b524162a8621413305d441a29376d84e28b
testing commit 9e9322e5d28e433f1f25f01ffa0aa5762c75dad6 with gcc (GCC) 8.1.0
kernel signature: 668844a6189d4af81e83a9806c40be8ba526bace
run #0: crashed: kernel BUG at include/linux/mm.h:LINE!
run #1: crashed: WARNING in sk_stream_kill_queues
run #2: crashed: kernel BUG at include/linux/mm.h:LINE!
run #3: crashed: kernel BUG at include/linux/mm.h:LINE!
run #4: crashed: kernel BUG at include/linux/mm.h:LINE!
run #5: crashed: WARNING in sk_stream_kill_queues
run #6: crashed: kernel BUG at include/linux/mm.h:LINE!
run #7: crashed: WARNING in sk_stream_kill_queues
run #8: crashed: kernel BUG at include/linux/mm.h:LINE!
run #9: crashed: WARNING in sk_stream_kill_queues
testing current HEAD 596cf45cbf6e4fa7bcb0df33e373a7d062b644b5
testing commit 596cf45cbf6e4fa7bcb0df33e373a7d062b644b5 with gcc (GCC) 8.1.0
kernel signature: 6d00d22c6eef066da0a1d47211990d923a5f9f79
all runs: OK
# git bisect start 596cf45cbf6e4fa7bcb0df33e373a7d062b644b5 9e9322e5d28e433f1f25f01ffa0aa5762c75dad6
Bisecting: 34349 revisions left to test after this (roughly 15 steps)
[39e7317e37f7f0be366d1201c283f968c17268da] perf build: Do not use -Wshadow on gcc < 4.8
testing commit 39e7317e37f7f0be366d1201c283f968c17268da with gcc (GCC) 8.1.0
kernel signature: 1e6bbdf9bc13acd041f281608ad3dfebcafc26b7
all runs: OK
# git bisect bad 39e7317e37f7f0be366d1201c283f968c17268da
Bisecting: 17073 revisions left to test after this (roughly 14 steps)
[80f232121b69cc69a31ccb2b38c1665d770b0710] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next
testing commit 80f232121b69cc69a31ccb2b38c1665d770b0710 with gcc (GCC) 8.1.0
kernel signature: 9a706ce306ef6f86e62298da74d1ef42f3c36801
run #0: crashed: kernel BUG at include/linux/mm.h:LINE!
run #1: crashed: kernel BUG at include/linux/mm.h:LINE!
run #2: crashed: kernel BUG at include/linux/mm.h:LINE!
run #3: crashed: kernel BUG at include/linux/mm.h:LINE!
run #4: crashed: kernel BUG at include/linux/mm.h:LINE!
run #5: crashed: kernel BUG at include/linux/mm.h:LINE!
run #6: crashed: kernel BUG at include/linux/mm.h:LINE!
run #7: crashed: kernel BUG at include/linux/mm.h:LINE!
run #8: crashed: WARNING in sk_stream_kill_queues
run #9: crashed: kernel BUG at include/linux/mm.h:LINE!
# git bisect good 80f232121b69cc69a31ccb2b38c1665d770b0710
Bisecting: 8536 revisions left to test after this (roughly 13 steps)
[792232390b891a97500eb3cccd54d0c7ca8e4981] net: stmmac: dwmac-mediatek: disable rx watchdog
testing commit 792232390b891a97500eb3cccd54d0c7ca8e4981 with gcc (GCC) 8.1.0
kernel signature: 6c6c707cc02474fd2b856487f3592509a3dc2afd
run #0: crashed: kernel BUG at include/linux/mm.h:LINE!
run #1: crashed: kernel BUG at include/linux/mm.h:LINE!
run #2: crashed: kernel BUG at include/linux/mm.h:LINE!
run #3: crashed: kernel BUG at include/linux/mm.h:LINE!
run #4: crashed: WARNING in sk_stream_kill_queues
run #5: crashed: kernel BUG at include/linux/mm.h:LINE!
run #6: crashed: kernel BUG at include/linux/mm.h:LINE!
run #7: crashed: WARNING in sk_stream_kill_queues
run #8: crashed: kernel BUG at include/linux/mm.h:LINE!
run #9: crashed: kernel BUG at include/linux/mm.h:LINE!
# git bisect good 792232390b891a97500eb3cccd54d0c7ca8e4981
Bisecting: 4287 revisions left to test after this (roughly 12 steps)
[0415052db4f92b7e272fc15802ad8b8be672deea] Merge tag 'devprop-5.3-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm
testing commit 0415052db4f92b7e272fc15802ad8b8be672deea with gcc (GCC) 8.1.0
kernel signature: cc66cf6eb711138f12a69fe0783649c5e96569d1
all runs: OK
# git bisect bad 0415052db4f92b7e272fc15802ad8b8be672deea
Bisecting: 2141 revisions left to test after this (roughly 11 steps)
[a98429acadefc2b36611220f51659ecb3c1f35d2] Merge remote-tracking branch 'asoc/topic/meson' into asoc-next
testing commit a98429acadefc2b36611220f51659ecb3c1f35d2 with gcc (GCC) 8.1.0
kernel signature: c2040ae007898ab6eb6eb91750cf1e928b0e3b9b
all runs: OK
# git bisect bad a98429acadefc2b36611220f51659ecb3c1f35d2
Bisecting: 1077 revisions left to test after this (roughly 10 steps)
[c891f3b97964a07c5797569126c90a3865a6ba18] treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 507
testing commit c891f3b97964a07c5797569126c90a3865a6ba18 with gcc (GCC) 8.1.0
kernel signature: 7f70b20294afead9d94bdd07b1a45eab9eb7c612
run #0: crashed: kernel BUG at include/linux/mm.h:LINE!
run #1: crashed: kernel BUG at include/linux/mm.h:LINE!
run #2: crashed: kernel BUG at include/linux/mm.h:LINE!
run #3: crashed: kernel BUG at include/linux/mm.h:LINE!
run #4: crashed: kernel BUG at include/linux/mm.h:LINE!
run #5: crashed: kernel BUG at include/linux/mm.h:LINE!
run #6: crashed: kernel BUG at include/linux/mm.h:LINE!
run #7: crashed: kernel BUG at include/linux/mm.h:LINE!
run #8: crashed: WARNING in sk_stream_kill_queues
run #9: crashed: kernel BUG at include/linux/mm.h:LINE!
# git bisect good c891f3b97964a07c5797569126c90a3865a6ba18
Bisecting: 532 revisions left to test after this (roughly 9 steps)
[0839c537628df5a3b713d0f619b2dcc8469f08c0] Merge branch 'akpm' (patches from Andrew)
testing commit 0839c537628df5a3b713d0f619b2dcc8469f08c0 with gcc (GCC) 8.1.0
kernel signature: d2bef5f026e70f604df3b74706bbdf8cfac675d4
all runs: OK
# git bisect bad 0839c537628df5a3b713d0f619b2dcc8469f08c0
Bisecting: 275 revisions left to test after this (roughly 8 steps)
[e929387449cf631e96840296a01922be1ef3c832] Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux
testing commit e929387449cf631e96840296a01922be1ef3c832 with gcc (GCC) 8.1.0
kernel signature: a770e0452ce1ef693eb69f4e69cf2cb108246675
run #0: crashed: WARNING in sk_stream_kill_queues
run #1: crashed: kernel BUG at include/linux/mm.h:LINE!
run #2: crashed: kernel BUG at include/linux/mm.h:LINE!
run #3: crashed: kernel BUG at include/linux/mm.h:LINE!
run #4: crashed: kernel BUG at include/linux/mm.h:LINE!
run #5: crashed: kernel BUG at include/linux/mm.h:LINE!
run #6: crashed: kernel BUG at include/linux/mm.h:LINE!
run #7: crashed: kernel BUG at include/linux/mm.h:LINE!
run #8: crashed: WARNING in sk_stream_kill_queues
run #9: crashed: kernel BUG at include/linux/mm.h:LINE!
# git bisect good e929387449cf631e96840296a01922be1ef3c832
Bisecting: 137 revisions left to test after this (roughly 7 steps)
[30d8177e8ac776d89d387fad547af6a0f599210e] bonding: Always enable vlan tx offload
testing commit 30d8177e8ac776d89d387fad547af6a0f599210e with gcc (GCC) 8.1.0
kernel signature: f4f004a5a20f17510daa8939387767f6d33a097c
all runs: OK
# git bisect bad 30d8177e8ac776d89d387fad547af6a0f599210e
Bisecting: 64 revisions left to test after this (roughly 6 steps)
[0728f6c3cab107f0aab2c8ded1292dd2cc41a228] Merge tag 'drm-fixes-2019-06-21' of git://anongit.freedesktop.org/drm/drm
testing commit 0728f6c3cab107f0aab2c8ded1292dd2cc41a228 with gcc (GCC) 8.1.0
kernel signature: 98a95630c58f06f0dc8f8837c10d1f280ffc8989
run #0: crashed: WARNING in sk_stream_kill_queues
run #1: crashed: kernel BUG at include/linux/mm.h:LINE!
run #2: crashed: kernel BUG at include/linux/mm.h:LINE!
run #3: crashed: kernel BUG at include/linux/mm.h:LINE!
run #4: crashed: kernel BUG at include/linux/mm.h:LINE!
run #5: crashed: kernel BUG at include/linux/mm.h:LINE!
run #6: crashed: WARNING in sk_stream_kill_queues
run #7: crashed: kernel BUG at include/linux/mm.h:LINE!
run #8: crashed: kernel BUG at include/linux/mm.h:LINE!
run #9: crashed: kernel BUG at include/linux/mm.h:LINE!
# git bisect good 0728f6c3cab107f0aab2c8ded1292dd2cc41a228
Bisecting: 36 revisions left to test after this (roughly 5 steps)
[b6653b3629e5b88202be3c9abc44713973f5c4b4] tcp: refine memory limit test in tcp_fragment()
testing commit b6653b3629e5b88202be3c9abc44713973f5c4b4 with gcc (GCC) 8.1.0
kernel signature: 2d79d30027de04e605e4efc5e98c19528b8da56f
run #0: crashed: kernel BUG at include/linux/mm.h:LINE!
run #1: crashed: kernel BUG at include/linux/mm.h:LINE!
run #2: crashed: kernel BUG at include/linux/mm.h:LINE!
run #3: crashed: kernel BUG at include/linux/mm.h:LINE!
run #4: crashed: WARNING in sk_stream_kill_queues
run #5: crashed: kernel BUG at include/linux/mm.h:LINE!
run #6: crashed: kernel BUG at include/linux/mm.h:LINE!
run #7: crashed: WARNING in sk_stream_kill_queues
run #8: crashed: WARNING in sk_stream_kill_queues
run #9: crashed: kernel BUG at include/linux/mm.h:LINE!
# git bisect good b6653b3629e5b88202be3c9abc44713973f5c4b4
Bisecting: 15 revisions left to test after this (roughly 4 steps)
[121bddf39a8e39baf0df9ef1d688392c179935cd] Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma
testing commit 121bddf39a8e39baf0df9ef1d688392c179935cd with gcc (GCC) 8.1.0
kernel signature: 3b9b94067f5e32cb255a5649c9cf45ad013a25db
run #0: crashed: kernel BUG at include/linux/mm.h:LINE!
run #1: crashed: kernel BUG at include/linux/mm.h:LINE!
run #2: crashed: kernel BUG at include/linux/mm.h:LINE!
run #3: crashed: kernel BUG at include/linux/mm.h:LINE!
run #4: crashed: kernel BUG at include/linux/mm.h:LINE!
run #5: crashed: kernel BUG at include/linux/mm.h:LINE!
run #6: crashed: kernel BUG at include/linux/mm.h:LINE!
run #7: crashed: kernel BUG at include/linux/mm.h:LINE!
run #8: crashed: WARNING in sk_stream_kill_queues
run #9: crashed: kernel BUG at include/linux/mm.h:LINE!
# git bisect good 121bddf39a8e39baf0df9ef1d688392c179935cd
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[45d5cb137c3638b3a310f41b31d8e79daf647f14] net/sched: cbs: Fix error path of cbs_module_init
testing commit 45d5cb137c3638b3a310f41b31d8e79daf647f14 with gcc (GCC) 8.1.0
kernel signature: d890a3ae099f804d1a90aa331619f7e1c65e70e1
all runs: crashed: kernel BUG at include/linux/mm.h:LINE!
# git bisect good 45d5cb137c3638b3a310f41b31d8e79daf647f14
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[4f07b80c973348a99b5d2a32476a2e7877e94a05] tipc: check msg->req data len in tipc_nl_compat_bearer_disable
testing commit 4f07b80c973348a99b5d2a32476a2e7877e94a05 with gcc (GCC) 8.1.0
kernel signature: 7d74e9dbbdae8be6bf781c4a350a3bff377489f0
all runs: OK
# git bisect bad 4f07b80c973348a99b5d2a32476a2e7877e94a05
Bisecting: 1 revision left to test after this (roughly 1 step)
[55655e3d1197fff16a7a05088fb0e5eba50eac55] net/packet: fix memory leak in packet_set_ring()
testing commit 55655e3d1197fff16a7a05088fb0e5eba50eac55 with gcc (GCC) 8.1.0
kernel signature: 5ea6e838aaa686bb932a1ac1e9f585345fbda595
all runs: OK
# git bisect bad 55655e3d1197fff16a7a05088fb0e5eba50eac55
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[9354544cbccf68da1b047f8fb7b47630e3c8a59d] net/tls: fix page double free on TX cleanup
testing commit 9354544cbccf68da1b047f8fb7b47630e3c8a59d with gcc (GCC) 8.1.0
kernel signature: d982d45d809f046d9b869467efa2885246e919e9
all runs: OK
# git bisect bad 9354544cbccf68da1b047f8fb7b47630e3c8a59d
9354544cbccf68da1b047f8fb7b47630e3c8a59d is the first bad commit
commit 9354544cbccf68da1b047f8fb7b47630e3c8a59d
Author: Dirk van der Merwe
Date: Sun Jun 23 21:26:58 2019 -0700

net/tls: fix page double free on TX cleanup

With commit 94850257cf0f ("tls: Fix tls_device handling of partial records") a new path was introduced to cleanup partial records during sk_proto_close. This path does not handle the SW KTLS tx_list cleanup.

This is unnecessary though since the free_resources calls for both SW and offload paths will cleanup a partial record.

The visible effect is the following warning, but this bug also causes a page double free.

WARNING: CPU: 7 PID: 4000 at net/core/stream.c:206 sk_stream_kill_queues+0x103/0x110
RIP: 0010:sk_stream_kill_queues+0x103/0x110
RSP: 0018:ffffb6df87e07bd0 EFLAGS: 00010206
RAX: 0000000000000000 RBX: ffff8c21db4971c0 RCX: 0000000000000007
RDX: ffffffffffffffa0 RSI: 000000000000001d RDI: ffff8c21db497270
RBP: ffff8c21db497270 R08: ffff8c29f4748600 R09: 000000010020001a
R10: ffffb6df87e07aa0 R11: ffffffff9a445600 R12: 0000000000000007
R13: 0000000000000000 R14: ffff8c21f03f2900 R15: ffff8c21f03b8df0
Call Trace:
 inet_csk_destroy_sock+0x55/0x100
 tcp_close+0x25d/0x400
 ? tcp_check_oom+0x120/0x120
 tls_sk_proto_close+0x127/0x1c0
 inet_release+0x3c/0x60
 __sock_release+0x3d/0xb0
 sock_close+0x11/0x20
 __fput+0xd8/0x210
 task_work_run+0x84/0xa0
 do_exit+0x2dc/0xb90
 ? release_sock+0x43/0x90
 do_group_exit+0x3a/0xa0
 get_signal+0x295/0x720
 do_signal+0x36/0x610
 ? SYSC_recvfrom+0x11d/0x130
 exit_to_usermode_loop+0x69/0xb0
 do_syscall_64+0x173/0x180
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x7fe9b9abc10d
RSP: 002b:00007fe9b19a1d48 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 0000000000000006 RCX: 00007fe9b9abc10d
RDX: 0000000000000002 RSI: 0000000000000080 RDI: 00007fe948003430
RBP: 00007fe948003410 R08: 00007fe948003430 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00005603739d9080
R13: 00007fe9b9ab9f90 R14: 00007fe948003430 R15: 0000000000000000

Fixes: 94850257cf0f ("tls: Fix tls_device handling of partial records")
Signed-off-by: Dirk van der Merwe
Signed-off-by: Jakub Kicinski
Signed-off-by: David S. Miller

include/net/tls.h | 15 ---------------
net/tls/tls_main.c | 3 ++-
2 files changed, 2 insertions(+), 16 deletions(-)
kernel signature: d982d45d809f046d9b869467efa2885246e919e9
previous signature: d890a3ae099f804d1a90aa331619f7e1c65e70e1
revisions tested: 18, total time: 3h44m43.800946707s (build: 1h43m59.187859293s, test: 1h58m29.869522386s)
first good commit: 9354544cbccf68da1b047f8fb7b47630e3c8a59d net/tls: fix page double free on TX cleanup
cc: ["aviadye@mellanox.com" "borisp@mellanox.com" "daniel@iogearbox.net" "davem@davemloft.net" "dirk.vandermerwe@netronome.com" "jakub.kicinski@netronome.com" "john.fastabend@gmail.com" "linux-kernel@vger.kernel.org" "netdev@vger.kernel.org"]