bisecting cause commit starting from ae596de1a0c8c2c924dc99d23c026259372ab234
building syzkaller on 6cee973cb5514a9ab06a2d258dd4bc527004c23f
testing commit ae596de1a0c8c2c924dc99d23c026259372ab234 with gcc (GCC) 8.1.0
run #0: crashed: WARNING: refcount bug in igmp_start_timer
run #1: crashed: WARNING: refcount bug in igmp_start_timer
run #2: crashed: WARNING: refcount bug in igmp_start_timer
run #3: crashed: WARNING: refcount bug in igmp_start_timer
run #4: crashed: WARNING: refcount bug in igmp_start_timer
run #5: crashed: WARNING: refcount bug in igmp_start_timer
run #6: crashed: WARNING: refcount bug in igmp_start_timer
run #7: OK
run #8: OK
run #9: OK
testing release v4.18
testing commit 94710cac0ef4ee177a63b5227664b38c95bbf703 with gcc (GCC) 8.1.0
run #0: crashed: WARNING: refcount bug in igmp_start_timer
run #1: crashed: WARNING: refcount bug in igmp_start_timer
run #2: crashed: WARNING: refcount bug in igmp_start_timer
run #3: crashed: WARNING: refcount bug in igmp_start_timer
run #4: OK
run #5: OK
run #6: crashed: WARNING: refcount bug in igmp_start_timer
run #7: OK
run #8: OK
run #9: OK
testing release v4.17
testing commit 29dcea88779c856c7dc92040a0c01233263101d4 with gcc (GCC) 8.1.0
run #0: crashed: WARNING: refcount bug in igmp_start_timer
run #1: crashed: WARNING: refcount bug in igmp_start_timer
run #2: crashed: WARNING: refcount bug in igmp_start_timer
run #3: crashed: WARNING: refcount bug in igmp_start_timer
run #4: crashed: WARNING: refcount bug in igmp_start_timer
run #5: crashed: WARNING: refcount bug in igmp_start_timer
run #6: crashed: WARNING: refcount bug in igmp_start_timer
run #7: crashed: WARNING: refcount bug in igmp_start_timer
run #8: OK
run #9: OK
testing release v4.16
testing commit 0adb32858b0bddf4ada5f364a84ed60b196dbcda with gcc (GCC) 8.1.0
run #0: crashed: WARNING: refcount bug in igmp_start_timer
run #1: crashed: WARNING: refcount bug in igmp_start_timer
run #2: crashed: WARNING: refcount bug in igmp_start_timer
run #3: crashed: WARNING: refcount bug in igmp_start_timer
run #4: crashed: WARNING: refcount bug in igmp_start_timer
run #5: crashed: WARNING: refcount bug in igmp_start_timer
run #6: OK
run #7: OK
run #8: OK
run #9: OK
testing release v4.15
testing commit d8a5b80568a9cb66810e75b182018e9edb68e8ff with gcc (GCC) 8.1.0
run #0: crashed: WARNING: refcount bug in igmp_start_timer
run #1: crashed: WARNING: refcount bug in igmp_start_timer
run #2: crashed: WARNING: refcount bug in igmp_start_timer
run #3: crashed: WARNING: refcount bug in igmp_start_timer
run #4: crashed: WARNING: refcount bug in igmp_start_timer
run #5: crashed: WARNING: refcount bug in igmp_start_timer
run #6: OK
run #7: OK
run #8: OK
run #9: crashed: WARNING: refcount bug in igmp_start_timer
testing release v4.14
testing commit bebc6082da0a9f5d47a1ea2edc099bf671058bd4 with gcc (GCC) 8.1.0
run #0: crashed: WARNING: refcount bug in igmp_start_timer
run #1: crashed: WARNING: refcount bug in igmp_start_timer
run #2: crashed: WARNING: refcount bug in igmp_start_timer
run #3: crashed: WARNING: refcount bug in igmp_start_timer
run #4: crashed: WARNING: refcount bug in igmp_start_timer
run #5: crashed: WARNING: refcount bug in igmp_start_timer
run #6: OK
run #7: OK
run #8: OK
run #9: OK
testing release v4.13
testing commit 569dbb88e80deb68974ef6fdd6a13edb9d686261 with gcc (GCC) 8.1.0
all runs: OK
# git bisect start v4.14 v4.13
Bisecting: 7300 revisions left to test after this (roughly 13 steps)
[15d8ffc96464f6571ecf22043c45fad659f11bdd] Merge tag 'mmc-v4.14' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc
testing commit 15d8ffc96464f6571ecf22043c45fad659f11bdd with gcc (GCC) 8.1.0
all runs: basic kernel testing failed: WARNING in __nf_hook_entries_try_shrink
# git bisect skip 15d8ffc96464f6571ecf22043c45fad659f11bdd
Bisecting: 7300 revisions left to test after this (roughly 13 steps)
[ace743214ea205c7d433562c5fa24e33bdfda7ab] net/mlx5e: Fix erroneous freeing of encap header buffer
testing commit ace743214ea205c7d433562c5fa24e33bdfda7ab with gcc (GCC) 8.1.0
run #0: crashed: WARNING: refcount bug in igmp_start_timer
run #1: crashed: WARNING: refcount bug in igmp_start_timer
run #2: crashed: WARNING: refcount bug in igmp_start_timer
run #3: crashed: WARNING: refcount bug in igmp_start_timer
run #4: crashed: WARNING: refcount bug in igmp_start_timer
run #5: crashed: WARNING: refcount bug in igmp_start_timer
run #6: crashed: WARNING: refcount bug in igmp_start_timer
run #7: crashed: WARNING: refcount bug in igmp_start_timer
run #8: OK
run #9: OK
# git bisect bad ace743214ea205c7d433562c5fa24e33bdfda7ab
Bisecting: 6370 revisions left to test after this (roughly 13 steps)
[aae3dbb4776e7916b6cd442d00159bea27a695c1] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next
testing commit aae3dbb4776e7916b6cd442d00159bea27a695c1 with gcc (GCC) 8.1.0
all runs: basic kernel testing failed: WARNING in __nf_hook_entries_try_shrink
# git bisect skip aae3dbb4776e7916b6cd442d00159bea27a695c1
Bisecting: 6370 revisions left to test after this (roughly 13 steps)
[f5808ac158f2b16b686a3d3c0879c5d6048aba14] leds: gpio: Allow LED to retain state at shutdown
testing commit f5808ac158f2b16b686a3d3c0879c5d6048aba14 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good f5808ac158f2b16b686a3d3c0879c5d6048aba14
Bisecting: 6353 revisions left to test after this (roughly 13 steps)
[da4c3c735ea4dcc2a0b0ff0bd4803c336361b6f5] mm/hmm/mirror: helper to snapshot CPU page table
testing commit da4c3c735ea4dcc2a0b0ff0bd4803c336361b6f5 with gcc (GCC) 8.1.0
all runs: basic kernel testing failed: WARNING in __nf_hook_entries_try_shrink
# git bisect skip da4c3c735ea4dcc2a0b0ff0bd4803c336361b6f5
Bisecting: 6353 revisions left to test after this (roughly 13 steps)
[fe556cd86774388a82bc1ab1e2e3818ca87dd4d4] MIPS: lantiq: remove old USB PHY initialisation
testing commit fe556cd86774388a82bc1ab1e2e3818ca87dd4d4 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good fe556cd86774388a82bc1ab1e2e3818ca87dd4d4
Bisecting: 6212 revisions left to test after this (roughly 13 steps)
[a1f2a82072ea298ae91505c213f6d299ddb5e446] watchdog: da9063_wdt: Simplify by removing unneeded struct...
testing commit a1f2a82072ea298ae91505c213f6d299ddb5e446 with gcc (GCC) 8.1.0
all runs: basic kernel testing failed: WARNING in __nf_hook_entries_try_shrink
# git bisect skip a1f2a82072ea298ae91505c213f6d299ddb5e446
Bisecting: 6212 revisions left to test after this (roughly 13 steps)
[f2fe445986c8c53d2c324062f2e2c34263cd79a1] skd: Avoid double completions in case of a timeout
testing commit f2fe445986c8c53d2c324062f2e2c34263cd79a1 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good f2fe445986c8c53d2c324062f2e2c34263cd79a1
Bisecting: 6100 revisions left to test after this (roughly 13 steps)
[9d4ac934829ac58c5109c49e6dfe677300e5e652] userfaultfd: provide pid in userfault msg
testing commit 9d4ac934829ac58c5109c49e6dfe677300e5e652 with gcc (GCC) 8.1.0
run #0: crashed: WARNING: refcount bug in igmp_start_timer
run #1: crashed: WARNING: refcount bug in igmp_start_timer
run #2: crashed: WARNING: refcount bug in igmp_start_timer
run #3: crashed: WARNING: refcount bug in igmp_start_timer
run #4: crashed: WARNING: refcount bug in igmp_start_timer
run #5: crashed: WARNING: refcount bug in igmp_start_timer
run #6: crashed: WARNING: refcount bug in igmp_start_timer
run #7: OK
run #8: crashed: WARNING: refcount bug in igmp_start_timer
run #9: crashed: WARNING: refcount bug in igmp_start_timer
# git bisect bad 9d4ac934829ac58c5109c49e6dfe677300e5e652
Bisecting: 2203 revisions left to test after this (roughly 11 steps)
[dd90cccffc20a15d8e4c3ac8813f4b6a6cd4766f] Merge branch 'timers-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
testing commit dd90cccffc20a15d8e4c3ac8813f4b6a6cd4766f with gcc (GCC) 8.1.0
run #0: crashed: WARNING: refcount bug in igmp_start_timer
run #1: crashed: WARNING: refcount bug in igmp_start_timer
run #2: crashed: WARNING: refcount bug in igmp_start_timer
run #3: crashed: WARNING: refcount bug in igmp_start_timer
run #4: crashed: WARNING: refcount bug in igmp_start_timer
run #5: crashed: WARNING: refcount bug in igmp_start_timer
run #6: crashed: WARNING: refcount bug in igmp_start_timer
run #7: crashed: WARNING: refcount bug in igmp_start_timer
run #8: crashed: WARNING: refcount bug in igmp_start_timer
run #9: OK
# git bisect bad dd90cccffc20a15d8e4c3ac8813f4b6a6cd4766f
Bisecting: 1074 revisions left to test after this (roughly 10 steps)
[1fc08218ed2a42c86af5c905fe4c00885376a07e] drm/syncobj: Add a CREATE_SIGNALED flag
testing commit 1fc08218ed2a42c86af5c905fe4c00885376a07e with gcc (GCC) 8.1.0
run #0: crashed: WARNING: refcount bug in igmp_start_timer
run #1: crashed: WARNING: refcount bug in igmp_start_timer
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 1fc08218ed2a42c86af5c905fe4c00885376a07e
Bisecting: 518 revisions left to test after this (roughly 9 steps)
[09ef2378dc42339f3871584dc26d27da220277cb] Merge tag 'drm-misc-next-2017-08-08' of git://anongit.freedesktop.org/git/drm-misc into drm-next
testing commit 09ef2378dc42339f3871584dc26d27da220277cb with gcc (GCC) 8.1.0
run #0: crashed: WARNING: refcount bug in igmp_start_timer
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 09ef2378dc42339f3871584dc26d27da220277cb
Bisecting: 277 revisions left to test after this (roughly 8 steps)
[6a00a4221a9af8117c5fc1d7e2740614bb7626f7] drm: rcar-du: Restrict DPLL duty cycle workaround to H3 ES1.x
testing commit 6a00a4221a9af8117c5fc1d7e2740614bb7626f7 with gcc (GCC) 8.1.0
run #0: crashed: WARNING: refcount bug in igmp_start_timer
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 6a00a4221a9af8117c5fc1d7e2740614bb7626f7
Bisecting: 137 revisions left to test after this (roughly 7 steps)
[8038e09be5a3ac061118bd80c7a505829920b50f] drm/crc: Only open CRC on atomic drivers when the CRTC is active.
testing commit 8038e09be5a3ac061118bd80c7a505829920b50f with gcc (GCC) 7.3.0
run #0: crashed: WARNING: ODEBUG bug in __do_softirq
run #1: crashed: WARNING: ODEBUG bug in __do_softirq
run #2: crashed: WARNING: ODEBUG bug in __do_softirq
run #3: crashed: WARNING: ODEBUG bug in __do_softirq
run #4: crashed: WARNING: ODEBUG bug in __do_softirq
run #5: crashed: WARNING: ODEBUG bug in __do_softirq
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 8038e09be5a3ac061118bd80c7a505829920b50f
Bisecting: 68 revisions left to test after this (roughly 6 steps)
[0b20a0f8c3cb6f74fe326101b62eeb5e2c56a53c] drm: Add old state pointer to CRTC .enable() helper function
testing commit 0b20a0f8c3cb6f74fe326101b62eeb5e2c56a53c with gcc (GCC) 7.3.0
run #0: crashed: WARNING: ODEBUG bug in __do_softirq
run #1: crashed: WARNING: ODEBUG bug in __do_softirq
run #2: crashed: WARNING: ODEBUG bug in __do_softirq
run #3: crashed: WARNING: ODEBUG bug in __do_softirq
run #4: crashed: WARNING: ODEBUG bug in __do_softirq
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: crashed: WARNING: ODEBUG bug in __do_softirq
# git bisect bad 0b20a0f8c3cb6f74fe326101b62eeb5e2c56a53c
Bisecting: 34 revisions left to test after this (roughly 5 steps)
[8814b40bf6b2293eede832d35957b4e9ba495ae3] drm/rockchip: dw_hdmi: introduce the pclk for grf
testing commit 8814b40bf6b2293eede832d35957b4e9ba495ae3 with gcc (GCC) 7.3.0
run #0: crashed: WARNING: ODEBUG bug in __do_softirq
run #1: crashed: WARNING: ODEBUG bug in __do_softirq
run #2: crashed: WARNING: ODEBUG bug in __do_softirq
run #3: crashed: WARNING: ODEBUG bug in __do_softirq
run #4: crashed: WARNING: ODEBUG bug in __do_softirq
run #5: crashed: WARNING: ODEBUG bug in __do_softirq
run #6: crashed: WARNING: ODEBUG bug in __do_softirq
run #7: crashed: WARNING: ODEBUG bug in __do_softirq
run #8: OK
run #9: OK
# git bisect bad 8814b40bf6b2293eede832d35957b4e9ba495ae3
Bisecting: 16 revisions left to test after this (roughly 4 steps)
[5a1535b110d73ed8d29c504eeb5fa92ac5b47cd9] drm/rockchip: Remove unnecessary NULL check
testing commit 5a1535b110d73ed8d29c504eeb5fa92ac5b47cd9 with gcc (GCC) 7.3.0
all runs: crashed: WARNING: ODEBUG bug in __do_softirq
# git bisect bad 5a1535b110d73ed8d29c504eeb5fa92ac5b47cd9
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[10631d724deff712343d96dd3017cd323349f761] drm/pci: Deprecate drm_pci_init/exit completely
testing commit 10631d724deff712343d96dd3017cd323349f761 with gcc (GCC) 7.3.0
all runs: crashed: WARNING: ODEBUG bug in __do_softirq
# git bisect bad 10631d724deff712343d96dd3017cd323349f761
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[57d30230c573e3f1a49ae7e0f7f8b73b17881415] drm/doc: vblank cleanup
testing commit 57d30230c573e3f1a49ae7e0f7f8b73b17881415 with gcc (GCC) 7.3.0
run #0: crashed: WARNING: ODEBUG bug in __do_softirq
run #1: crashed: WARNING: ODEBUG bug in __do_softirq
run #2: crashed: WARNING: ODEBUG bug in __do_softirq
run #3: crashed: WARNING: ODEBUG bug in __do_softirq
run #4: crashed: WARNING: ODEBUG bug in __do_softirq
run #5: crashed: WARNING: ODEBUG bug in __do_softirq
run #6: crashed: WARNING: ODEBUG bug in __do_softirq
run #7: crashed: WARNING: ODEBUG bug in __do_softirq
run #8: crashed: WARNING: ODEBUG bug in __do_softirq
run #9: OK
# git bisect bad 57d30230c573e3f1a49ae7e0f7f8b73b17881415
Bisecting: 1 revision left to test after this (roughly 1 step)
[00a9121b8698ddf7fcb18e107405afacc35f748a] drm/tegra: Drop drm_vblank_cleanup
testing commit 00a9121b8698ddf7fcb18e107405afacc35f748a with gcc (GCC) 7.3.0
run #0: crashed: WARNING: ODEBUG bug in __do_softirq
run #1: crashed: WARNING: ODEBUG bug in __do_softirq
run #2: crashed: WARNING: ODEBUG bug in __do_softirq
run #3: crashed: WARNING: ODEBUG bug in __do_softirq
run #4: crashed: WARNING: ODEBUG bug in __do_softirq
run #5: crashed: WARNING: ODEBUG bug in __do_softirq
run #6: crashed: WARNING: ODEBUG bug in __do_softirq
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 00a9121b8698ddf7fcb18e107405afacc35f748a
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[fc5e9d63a8db40e9e3a3b180be33d44af8a3cee8] drm/sti: Drop drm_vblank_cleanup
testing commit fc5e9d63a8db40e9e3a3b180be33d44af8a3cee8 with gcc (GCC) 7.3.0
run #0: crashed: WARNING: ODEBUG bug in __do_softirq
run #1: crashed: WARNING: ODEBUG bug in __do_softirq
run #2: crashed: WARNING: ODEBUG bug in __do_softirq
run #3: crashed: WARNING: ODEBUG bug in __do_softirq
run #4: crashed: WARNING: ODEBUG bug in __do_softirq
run #5: crashed: WARNING: ODEBUG bug in __do_softirq
run #6: crashed: WARNING: ODEBUG bug in __do_softirq
run #7: crashed: WARNING: ODEBUG bug in __do_softirq
run #8: crashed: WARNING: ODEBUG bug in __do_softirq
run #9: OK
# git bisect bad fc5e9d63a8db40e9e3a3b180be33d44af8a3cee8
fc5e9d63a8db40e9e3a3b180be33d44af8a3cee8 is the first bad commit
commit fc5e9d63a8db40e9e3a3b180be33d44af8a3cee8
Author: Daniel Vetter <daniel.vetter@ffwll.ch>
Date:   Wed May 24 16:52:05 2017 +0200

    drm/sti: Drop drm_vblank_cleanup
    
    Seems entirely cargo-culted.
    
    Cc: Benjamin Gaignard <benjamin.gaignard@linaro.org>
    Cc: Vincent Abriou <vincent.abriou@st.com>
    Acked-by: Vincent Abriou <vincent.abriou@st.com>
    Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
    Link: http://patchwork.freedesktop.org/patch/msgid/20170524145212.27837-31-daniel.vetter@ffwll.ch

:040000 040000 c98217109108a84554a3e21a9550dac7c6245b07 c724591580bfde6c581c697ab0e68bb3b27e373c M	drivers
revisions tested: 28, total time: 7h15m20.938787332s (build: 2h19m12.980675185s, test: 4h48m20.592907135s)
first bad commit: fc5e9d63a8db40e9e3a3b180be33d44af8a3cee8 drm/sti: Drop drm_vblank_cleanup
cc: ["benjamin.gaignard@linaro.org" "daniel.vetter@ffwll.ch" "daniel.vetter@intel.com" "vincent.abriou@st.com"]
crash: WARNING: ODEBUG bug in __do_softirq
ODEBUG: free active (active state 0) object type: timer_list hint: ip_mc_rejoin_groups net/ipv4/igmp.c:1587 [inline]
ODEBUG: free active (active state 0) object type: timer_list hint: igmp_timer_expire+0x0/0x570 net/ipv4/igmp.c:3010
------------[ cut here ]------------
kobject: 'loop0' (ffff8801d230a3e0): kobject_uevent_env
kobject: 'loop0' (ffff8801d230a3e0): fill_kobj_path: path = '/devices/virtual/block/loop0'
WARNING: CPU: 0 PID: 7 at lib/debugobjects.c:289 debug_print_object+0x17a/0x210 lib/debugobjects.c:286
Kernel panic - not syncing: panic_on_warn set ...

CPU: 0 PID: 7 Comm: ksoftirqd/0 Not tainted 4.12.0-rc1+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:16 [inline]
 dump_stack+0x145/0x1f1 lib/dump_stack.c:52
 panic+0x1b6/0x358 kernel/panic.c:180
 __warn+0x18d/0x1b0 kernel/panic.c:541
 report_bug+0x1a4/0x250 lib/bug.c:183
 fixup_bug arch/x86/kernel/traps.c:190 [inline]
 do_trap_no_signal arch/x86/kernel/traps.c:224 [inline]
 do_trap+0x1d9/0x3e0 arch/x86/kernel/traps.c:273
 do_error_trap+0x120/0x390 arch/x86/kernel/traps.c:310
 do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:323
 invalid_op+0x1e/0x30 arch/x86/entry/entry_64.S:847
RIP: 0010:debug_print_object+0x17a/0x210 lib/debugobjects.c:286
RSP: 0018:ffff8801d9777700 EFLAGS: 00010082
RAX: 000000000000005e RBX: 0000000000000003 RCX: 0000000000000000
RDX: 000000000000005e RSI: 1ffff1003b2eeea2 RDI: ffffed003b2eeed6
RBP: ffff8801d9777728 R08: 0000000000000000 R09: 1ffff1003b2eee74
R10: ffffed003b2eef0c R11: ffffffff81583bac R12: ffffffff870c7ca0
R13: ffffffff85f0dc70 R14: 0000000000000000 R15: dffffc0000000000
 __debug_check_no_obj_freed lib/debugobjects.c:743 [inline]
 debug_check_no_obj_freed+0x662/0xf20 lib/debugobjects.c:772
 kfree+0xbd/0x270 mm/slab.c:3827
 __rcu_reclaim kernel/rcu/rcu.h:190 [inline]
 rcu_do_batch kernel/rcu/tree.c:2800 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:3057 [inline]
 __rcu_process_callbacks kernel/rcu/tree.c:3024 [inline]
 rcu_process_callbacks+0xebd/0x1800 kernel/rcu/tree.c:3041
 __do_softirq+0x300/0xbd3 kernel/softirq.c:284
 run_ksoftirqd+0x86/0x100 kernel/softirq.c:676
 smpboot_thread_fn+0x574/0x900 kernel/smpboot.c:164
 kthread+0x345/0x410 kernel/kthread.c:231
 ret_from_fork+0x31/0x40 arch/x86/entry/entry_64.S:427

======================================================