bisecting cause commit starting from d9862cfbe2099deb83f0e9c1932c91f2d9c50464
building syzkaller on 16559f86f52b7da53f9156685e32dde788dbe371
testing commit d9862cfbe2099deb83f0e9c1932c91f2d9c50464 with gcc (GCC) 8.1.0
run #0: crashed: INFO: trying to register non-static key in __icmp_send
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
testing release v5.0
testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783 with gcc (GCC) 8.1.0
run #0: OK
run #1: crashed: INFO: trying to register non-static key in __icmp_send
run #2: crashed: INFO: rcu detected stall in netlink_sendmsg
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
testing release v4.20
testing commit 8fe28cb58bcb235034b64cbbb7550a8a43fd88be with gcc (GCC) 8.1.0
run #0: crashed: WARNING: locking bug in corrupted
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
testing release v4.19
testing commit 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d with gcc (GCC) 8.1.0
all runs: crashed: inconsistent lock state in rhashtable_walk_enter
testing release v4.18
testing commit 94710cac0ef4ee177a63b5227664b38c95bbf703 with gcc (GCC) 8.1.0
all runs: crashed: inconsistent lock state in rhashtable_walk_enter
testing release v4.17
testing commit 29dcea88779c856c7dc92040a0c01233263101d4 with gcc (GCC) 8.1.0
run #0: crashed: inconsistent lock state in rhashtable_walk_enter
run #1: crashed: inconsistent lock state in rhashtable_walk_enter
run #2: crashed: inconsistent lock state in rhashtable_walk_enter
run #3: crashed: inconsistent lock state in rhashtable_walk_enter
run #4: crashed: KASAN: slab-out-of-bounds Read in icmp_send
run #5: crashed: inconsistent lock state in rhashtable_walk_enter
run #6: crashed: inconsistent lock state in rhashtable_walk_enter
run #7: crashed: inconsistent lock state in rhashtable_walk_enter
testing release v4.16
testing commit 0adb32858b0bddf4ada5f364a84ed60b196dbcda with gcc (GCC) 8.1.0
all runs: OK
# git bisect start v4.17 v4.16
Bisecting: 7380 revisions left to test after this (roughly 13 steps)
[97b1255cb27c551d7c3c5c496d787da40772da99] mm,oom_reaper: check for MMF_OOM_SKIP before complaining
testing commit 97b1255cb27c551d7c3c5c496d787da40772da99 with gcc (GCC) 8.1.0
all runs: crashed: inconsistent lock state in rhashtable_walk_enter
# git bisect bad 97b1255cb27c551d7c3c5c496d787da40772da99
Bisecting: 4372 revisions left to test after this (roughly 12 steps)
[bb2407a7219760926760f0448fddf00d625e5aec] Merge tag 'docs-4.17' of git://git.lwn.net/linux
testing commit bb2407a7219760926760f0448fddf00d625e5aec with gcc (GCC) 8.1.0
all runs: OK
# git bisect good bb2407a7219760926760f0448fddf00d625e5aec
Bisecting: 2394 revisions left to test after this (roughly 11 steps)
[147a89bc71e7db40f011454a40add7ff2d10f8d8] Merge tag 'kconfig-v4.17' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild
testing commit 147a89bc71e7db40f011454a40add7ff2d10f8d8 with gcc (GCC) 8.1.0
all runs: crashed: inconsistent lock state in rhashtable_walk_enter
# git bisect bad 147a89bc71e7db40f011454a40add7ff2d10f8d8
Bisecting: 988 revisions left to test after this (roughly 10 steps)
[32c23b47dbd9765c6ec2542400f41f0d47a7d2c1] i40e: Properly check allowed advertisement capabilities
testing commit 32c23b47dbd9765c6ec2542400f41f0d47a7d2c1 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 32c23b47dbd9765c6ec2542400f41f0d47a7d2c1
Bisecting: 496 revisions left to test after this (roughly 9 steps)
[e15f20ea33b8e5074145abe464b4b48acea505d9] Merge tag 'mac80211-next-for-davem-2018-03-29' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211-next
testing commit e15f20ea33b8e5074145abe464b4b48acea505d9 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good e15f20ea33b8e5074145abe464b4b48acea505d9
Bisecting: 248 revisions left to test after this (roughly 8 steps)
[699efed00df0631e39a639b49e3b8e27e62e6c89] bnxt_en: Include additional hardware port statistics in ethtool -S.
testing commit 699efed00df0631e39a639b49e3b8e27e62e6c89 with gcc (GCC) 8.1.0
run #0: crashed: inconsistent lock state in rhashtable_walk_enter
run #1: crashed: inconsistent lock state in rhashtable_walk_enter
run #2: crashed: inconsistent lock state in rhashtable_walk_enter
run #3: crashed: inconsistent lock state in rhashtable_walk_enter
run #4: crashed: inconsistent lock state in rhashtable_walk_enter
run #5: crashed: KASAN: slab-out-of-bounds Read in icmp_send
run #6: crashed: inconsistent lock state in rhashtable_walk_enter
run #7: crashed: inconsistent lock state in rhashtable_walk_enter
# git bisect bad 699efed00df0631e39a639b49e3b8e27e62e6c89
Bisecting: 125 revisions left to test after this (roughly 7 steps)
[b9a12601541eb55d07e00261a5112a4bc36fe7be] Merge branch 'Close-race-between-un-register_netdevice_notifier-and-pernet_operations'
testing commit b9a12601541eb55d07e00261a5112a4bc36fe7be with gcc (GCC) 8.1.0
run #0: basic kernel testing failed: failed to copy test binary to VM: failed to run ["scp" "-P" "13912" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/usr/local/google/home/dvyukov/syzkaller/ci-bisect3/jobs/linux/workdir/image/key" "/usr/local/google/home/dvyukov/syzkaller/ci-bisect3/jobs/linux/workdir/repro.prog" "root@localhost:/repro.prog"]: exit status 1
Warning: Permanently added '[localhost]:13912' (ECDSA) to the list of known hosts.
/usr/local/google/home/dvyukov/syzkaller/ci-bisect3/jobs/linux/workdir/repro.prog: Broken pipe
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
# git bisect good b9a12601541eb55d07e00261a5112a4bc36fe7be
Bisecting: 62 revisions left to test after this (roughly 6 steps)
[c0b6edef0bf0e33c12eaf80c676ff09def011518] tc-testing: Add newline when writing test case files
testing commit c0b6edef0bf0e33c12eaf80c676ff09def011518 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in fsnotify
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
# git bisect bad c0b6edef0bf0e33c12eaf80c676ff09def011518
Bisecting: 31 revisions left to test after this (roughly 5 steps)
[20710b3b81895c89e92bcc32ce85c0bede1171f8] netfilter: ctnetlink: synproxy support
testing commit 20710b3b81895c89e92bcc32ce85c0bede1171f8 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 20710b3b81895c89e92bcc32ce85c0bede1171f8
Bisecting: 15 revisions left to test after this (roughly 4 steps)
[26c97c5d8dac6bc56d4360561a286f52543ac07e] netfilter: ipset: Use is_zero_ether_addr instead of static and memcmp
testing commit 26c97c5d8dac6bc56d4360561a286f52543ac07e with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 26c97c5d8dac6bc56d4360561a286f52543ac07e
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[8bafb83eeee2efb8b9b4e9dfd9fb90debe4a2417] Merge branch 'stmmac-DWMAC5'
testing commit 8bafb83eeee2efb8b9b4e9dfd9fb90debe4a2417 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: slab-out-of-bounds Read in icmp_send
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
# git bisect bad 8bafb83eeee2efb8b9b4e9dfd9fb90debe4a2417
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[e7696042fe9351b90a2dc2e4e042283192ccacbe] Merge branch 'do-not-allow-adding-routes-if-disable_ipv6-is-enabled'
testing commit e7696042fe9351b90a2dc2e4e042283192ccacbe with gcc (GCC) 8.1.0
all runs: OK
# git bisect good e7696042fe9351b90a2dc2e4e042283192ccacbe
Bisecting: 1 revision left to test after this (roughly 1 step)
[34877a15f787b594649ed375943ecc65f4342e30] net: stmmac: Rework and fix TX Timeout code
testing commit 34877a15f787b594649ed375943ecc65f4342e30 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 34877a15f787b594649ed375943ecc65f4342e30
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[8bf993a5877e8a0a2f6338085f2dee7c23f524a3] net: stmmac: Add support for DWMAC5 and implement Safety Features
testing commit 8bf993a5877e8a0a2f6338085f2dee7c23f524a3 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 8bf993a5877e8a0a2f6338085f2dee7c23f524a3
8bafb83eeee2efb8b9b4e9dfd9fb90debe4a2417 is the first bad commit
revisions tested: 21, total time: 4h43m57.832371462s (build: 2h0m30.37020006s, test: 2h39m15.221347629s)
first bad commit: 8bafb83eeee2efb8b9b4e9dfd9fb90debe4a2417 Merge branch 'stmmac-DWMAC5'
cc: ["davem@davemloft.net"]
crash: KASAN: slab-out-of-bounds Read in icmp_send
Enabling of bearer rejected, already enabled
Enabling of bearer rejected, already enabled
Enabling of bearer rejected, already enabled
Enabling of bearer rejected, already enabled
==================================================================
BUG: KASAN: slab-out-of-bounds in __read_once_size include/linux/compiler.h:188 [inline]
BUG: KASAN: slab-out-of-bounds in atomic_read arch/x86/include/asm/atomic.h:27 [inline]
BUG: KASAN: slab-out-of-bounds in queued_spin_trylock include/asm-generic/qspinlock.h:71 [inline]
BUG: KASAN: slab-out-of-bounds in do_raw_spin_trylock+0xbb/0xd0 kernel/locking/spinlock_debug.c:119
Read of size 4 at addr ffff880079c4b1b4 by task ksoftirqd/0/8

CPU: 0 PID: 8 Comm: ksoftirqd/0 Not tainted 4.16.0-rc6+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x151/0x1c4 lib/dump_stack.c:53
 print_address_description.cold.7+0x9/0x1c9 mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.8+0x242/0x2fe mm/kasan/report.c:412
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:432
 __read_once_size include/linux/compiler.h:188 [inline]
 atomic_read arch/x86/include/asm/atomic.h:27 [inline]
 queued_spin_trylock include/asm-generic/qspinlock.h:71 [inline]
 do_raw_spin_trylock+0xbb/0xd0 kernel/locking/spinlock_debug.c:119
 __raw_spin_trylock include/linux/spinlock_api_smp.h:89 [inline]
 _raw_spin_trylock+0x1c/0x80 kernel/locking/spinlock.c:128
 spin_trylock include/linux/spinlock.h:320 [inline]
 icmp_xmit_lock net/ipv4/icmp.c:219 [inline]
 icmp_send+0x554/0x1430 net/ipv4/icmp.c:668
Enabling of bearer rejected, already enabled
 __udp4_lib_rcv+0x23b8/0x3170 net/ipv4/udp.c:2122
Enabling of bearer rejected, already enabled
 udp_rcv+0x21/0x30 net/ipv4/udp.c:2281
Enabling of bearer rejected, already enabled
 ip_local_deliver_finish+0x27f/0xc50 net/ipv4/ip_input.c:215
Enabling of bearer rejected, already enabled
 NF_HOOK include/linux/netfilter.h:288 [inline]
 ip_local_deliver+0x1dd/0x520 net/ipv4/ip_input.c:256
 dst_input include/net/dst.h:450 [inline]
 ip_rcv_finish+0x944/0x1dc0 net/ipv4/ip_input.c:396
 NF_HOOK include/linux/netfilter.h:288 [inline]
 ip_rcv+0xa0a/0x128b net/ipv4/ip_input.c:492
 __netif_receive_skb_core+0x24f7/0x3340 net/core/dev.c:4597
 __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:4662
 process_backlog+0x24e/0x7a0 net/core/dev.c:5342
 napi_poll net/core/dev.c:5740 [inline]
 net_rx_action+0x518/0x1120 net/core/dev.c:5806
 __do_softirq+0x24d/0x985 kernel/softirq.c:285
 run_ksoftirqd+0x86/0xf0 kernel/softirq.c:666
 smpboot_thread_fn+0x68c/0xa00 kernel/smpboot.c:164
 kthread+0x34c/0x410 kernel/kthread.c:238
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:406

Allocated by task 9289:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:552
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:489
 kmem_cache_alloc+0x12e/0x790 mm/slab.c:3541
 sk_prot_alloc+0x69/0x2e0 net/core/sock.c:1468
 sk_alloc+0x37/0xf80 net/core/sock.c:1528
 inet_create+0x36a/0xe10 net/ipv4/af_inet.c:320
 __sock_create+0x3d5/0x730 net/socket.c:1285
 sock_create_kern+0x3b/0x50 net/socket.c:1331
 inet_ctl_sock_create+0x9d/0x1f0 net/ipv4/af_inet.c:1566
 icmp_sk_init+0x120/0x680 net/ipv4/icmp.c:1206
 ops_init+0xb6/0x410 net/core/net_namespace.c:127
 setup_net+0x2a1/0x700 net/core/net_namespace.c:312
 copy_net_ns+0x1bc/0x310 net/core/net_namespace.c:435
 create_new_namespaces+0x574/0x780 kernel/nsproxy.c:107
 unshare_nsproxy_namespaces+0xc3/0x1f0 kernel/nsproxy.c:206
 SYSC_unshare kernel/fork.c:2407 [inline]
 SyS_unshare+0x3dc/0x970 kernel/fork.c:2357
 do_syscall_64+0x1f9/0x7c0 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff880079c4ac40
 which belongs to the cache RAW of size 1304
The buggy address is located 92 bytes to the right of
 1304-byte region [ffff880079c4ac40, ffff880079c4b158)
The buggy address belongs to the page:
page:ffffea0001e71280 count:1 mapcount:0 mapping:ffff880079c4a0c0 index:0x0 compound_mapcount: 0
flags: 0x5fffc0000008100(slab|head)
raw: 05fffc0000008100 ffff880079c4a0c0 0000000000000000 0000000100000005
raw: ffffea0001d02920 ffff88007cff9848 ffff88007cf5cac0 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff880079c4b080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff880079c4b100: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc
>ffff880079c4b180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                     ^
 ffff880079c4b200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff880079c4b280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================