bisecting cause commit starting from 6fa9a115fe7ca507ef5618eb753706425741b285
building syzkaller on 36650b4b2c942bc382314dce384d311fbadd1208
testing commit 6fa9a115fe7ca507ef5618eb753706425741b285 with gcc (GCC) 8.1.0
kernel signature: 211a400d8606f717787a0721dd337ce7cb7986a8
all runs: crashed: general protection fault in sctp_stream_free
testing release v5.4
testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0
kernel signature: c0f67ed0df7ad960a6368e0dc4aed21afe2a5300
all runs: OK
# git bisect start 6fa9a115fe7ca507ef5618eb753706425741b285 219d54332a09e8d8741c1e1982f5eae56099de85
Bisecting: 6808 revisions left to test after this (roughly 13 steps)
[477093b3e144aa0ece07a5fd2a84013d037e2776] Merge tag 'microblaze-v5.5-rc1' of git://git.monstr.eu/linux-2.6-microblaze
testing commit 477093b3e144aa0ece07a5fd2a84013d037e2776 with gcc (GCC) 8.1.0
kernel signature: c17422b19ff9dbf7bbc728316bb40c9b3ba2e530
all runs: OK
# git bisect good 477093b3e144aa0ece07a5fd2a84013d037e2776
Bisecting: 3454 revisions left to test after this (roughly 12 steps)
[c3bfc5dd73c6f519ff0636d4e709515f06edef78] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
testing commit c3bfc5dd73c6f519ff0636d4e709515f06edef78 with gcc (GCC) 8.1.0
kernel signature: 71af920fc932e82deb5b76a2cdd666fb65051c43
all runs: OK
# git bisect good c3bfc5dd73c6f519ff0636d4e709515f06edef78
Bisecting: 1722 revisions left to test after this (roughly 11 steps)
[fb3da48a8640f634242a0c61b78c3a5c724c5004] Merge branch 'thermal/next' of git://git.kernel.org/pub/scm/linux/kernel/git/thermal/linux
testing commit fb3da48a8640f634242a0c61b78c3a5c724c5004 with gcc (GCC) 8.1.0
kernel signature: 5e149f981407ab04427f0c76213b50a41d61b2f8
all runs: OK
# git bisect good fb3da48a8640f634242a0c61b78c3a5c724c5004
Bisecting: 760 revisions left to test after this (roughly 10 steps)
[eb275167d18684e07ee43bdc0e09a18326540461] Merge tag 'armsoc-dt' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc
testing commit eb275167d18684e07ee43bdc0e09a18326540461 with gcc (GCC) 8.1.0
kernel signature: f4026d7991f8df199633524b9a8f086fac256167
all runs: OK
# git bisect good eb275167d18684e07ee43bdc0e09a18326540461
Bisecting: 385 revisions left to test after this (roughly 9 steps)
[94e89b40235476a83a53a47b9ffb0cb91a4c335e] Merge tag 'vfio-v5.5-rc1' of git://github.com/awilliam/linux-vfio
testing commit 94e89b40235476a83a53a47b9ffb0cb91a4c335e with gcc (GCC) 8.1.0
kernel signature: 3291f97be4c0d614e2f4c185b0c25726a31528a1
all runs: OK
# git bisect good 94e89b40235476a83a53a47b9ffb0cb91a4c335e
Bisecting: 232 revisions left to test after this (roughly 8 steps)
[138f371ddf4ff50207dbe33ebfc237e756cd6222] Merge tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi
testing commit 138f371ddf4ff50207dbe33ebfc237e756cd6222 with gcc (GCC) 8.1.0
kernel signature: ce1f36b5bc3965e9c0c6655277d90e030a1b6540
all runs: OK
# git bisect good 138f371ddf4ff50207dbe33ebfc237e756cd6222
Bisecting: 117 revisions left to test after this (roughly 7 steps)
[f8fc57e8d7c5d95f4180b127d3b167de403557c0] net/x25: add new state X25_STATE_5
testing commit f8fc57e8d7c5d95f4180b127d3b167de403557c0 with gcc (GCC) 8.1.0
kernel signature: 9bd9c30f60ed93af89159fc47c1202f4eb25bf71
run #0: boot failed: can't ssh into the instance
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good f8fc57e8d7c5d95f4180b127d3b167de403557c0
Bisecting: 58 revisions left to test after this (roughly 6 steps)
[216808c6ba6d00169fd2aa928ec3c0e63bef254f] tcp: refine rule to allow EPOLLOUT generation under mem pressure
testing commit 216808c6ba6d00169fd2aa928ec3c0e63bef254f with gcc (GCC) 8.1.0
kernel signature: 05e1618a55992cc667212c160a2bf4252059f532
all runs: OK
# git bisect good 216808c6ba6d00169fd2aa928ec3c0e63bef254f
Bisecting: 26 revisions left to test after this (roughly 5 steps)
[ad125c6c05921091daf8ac6f01b5665d5401741b] Merge tag 'mac80211-for-net-2019-10-16' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211
testing commit ad125c6c05921091daf8ac6f01b5665d5401741b with gcc (GCC) 8.1.0
kernel signature: 9f78418ce25e4508e2c8a798d0a246c4cf5266a5
all runs: OK
# git bisect good ad125c6c05921091daf8ac6f01b5665d5401741b
Bisecting: 13 revisions left to test after this (roughly 4 steps)
[9d4b98af8a2eb2ddb7779f2929700b5c174e9cc9] net: ag71xx: fix compile warnings
testing commit 9d4b98af8a2eb2ddb7779f2929700b5c174e9cc9 with gcc (GCC) 8.1.0
kernel signature: c67b7204f17f4e4d956abbec9e546f365010f6b8
all runs: crashed: general protection fault in sctp_stream_free
# git bisect bad 9d4b98af8a2eb2ddb7779f2929700b5c174e9cc9
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[0df36b90c47d93295b7e393da2d961b2f3b6cde4] iwlwifi: pcie: move power gating workaround earlier in the flow
testing commit 0df36b90c47d93295b7e393da2d961b2f3b6cde4 with gcc (GCC) 8.1.0
kernel signature: a29d32a7a0c891c7cfceb4f2a491af554d907c1f
all runs: OK
# git bisect good 0df36b90c47d93295b7e393da2d961b2f3b6cde4
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[951c6db954a1adefab492f6da805decacabbd1a7] sctp: fix memleak on err handling of stream initialization
testing commit 951c6db954a1adefab492f6da805decacabbd1a7 with gcc (GCC) 8.1.0
kernel signature: 74c3c07cd632b74c3e1938dc82603d84a84cddc1
all runs: crashed: general protection fault in sctp_stream_free
# git bisect bad 951c6db954a1adefab492f6da805decacabbd1a7
Bisecting: 0 revisions left to test after this (roughly 1 step)
[040cda8a15210f19da7e29232c897ca6ca6cc950] Merge tag 'wireless-drivers-2019-12-17' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers
testing commit 040cda8a15210f19da7e29232c897ca6ca6cc950 with gcc (GCC) 8.1.0
kernel signature: a664c041b35e3aebe62d5d44647da47d25c8bf84
all runs: OK
# git bisect good 040cda8a15210f19da7e29232c897ca6ca6cc950
951c6db954a1adefab492f6da805decacabbd1a7 is the first bad commit
commit 951c6db954a1adefab492f6da805decacabbd1a7
Author: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Date:   Mon Dec 16 22:01:16 2019 -0300

    sctp: fix memleak on err handling of stream initialization
    
    syzbot reported a memory leak when an allocation fails within
    genradix_prealloc() for output streams. That's because
    genradix_prealloc() leaves initialized members initialized when the
    issue happens and SCTP stack will abort the current initialization but
    without cleaning up such members.
    
    The fix here is to always call genradix_free() when genradix_prealloc()
    fails, for output and also input streams, as it suffers from the same
    issue.
    
    Reported-by: syzbot+772d9e36c490b18d51d1@syzkaller.appspotmail.com
    Fixes: 2075e50caf5e ("sctp: convert to genradix")
    Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
    Tested-by: Xin Long <lucien.xin@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/sctp/stream.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
culprit signature: 74c3c07cd632b74c3e1938dc82603d84a84cddc1
parent  signature: a664c041b35e3aebe62d5d44647da47d25c8bf84
revisions tested: 15, total time: 3h42m48.398455554s (build: 1h29m3.733960529s, test: 2h12m43.87411584s)
first bad commit: 951c6db954a1adefab492f6da805decacabbd1a7 sctp: fix memleak on err handling of stream initialization
cc: ["davem@davemloft.net" "lucien.xin@gmail.com" "marcelo.leitner@gmail.com"]
crash: general protection fault in sctp_stream_free
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 7759 Comm: syz-executor.0 Not tainted 5.5.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:sctp_stream_free+0xcf/0x160 net/sctp/stream.c:183
Code: 07 48 89 d1 48 69 d2 aa 00 00 00 48 c1 e1 0c 48 29 d0 48 8d 04 40 48 8d 34 c1 e8 ec d7 99 fc 48 8d 78 08 48 89 fa 48 c1 ea 03 <42> 80 3c 32 00 75 5e 48 8b 78 08 e8 81 b1 ed fa 41 0f b6 45 00 84
RSP: 0018:ffffc90002be78d8 EFLAGS: 00010202
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000000000000008
RBP: ffffc90002be7910 R08: 000000000000000c R09: fffffbfff14b63c6
R10: fffffbfff14b63c5 R11: ffffffff8a5b1e2f R12: ffff88808fbda6e8
R13: ffffed1011f7b4df R14: dffffc0000000000 R15: c0c0c0c0c0c0c0c1
FS:  00000000010cf940(0000) GS:ffff8880aea00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000100 CR3: 00000000a2110000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 sctp_association_free+0x202/0x750 net/sctp/associola.c:350
 sctp_cmd_delete_tcb net/sctp/sm_sideeffect.c:934 [inline]
 sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1322 [inline]
 sctp_side_effects net/sctp/sm_sideeffect.c:1189 [inline]
 sctp_do_sm+0x1531/0x4b00 net/sctp/sm_sideeffect.c:1160
 sctp_primitive_ABORT+0x7c/0xc0 net/sctp/primitive.c:104
 sctp_close+0x227/0x7e0 net/sctp/socket.c:1513
 inet_release+0xc1/0x1c0 net/ipv4/af_inet.c:427
 __sock_release+0xc2/0x270 net/socket.c:592
 sock_close+0x13/0x20 net/socket.c:1270
 __fput+0x25a/0x770 fs/file_table.c:280
 ____fput+0x9/0x10 fs/file_table.c:313
 task_work_run+0x108/0x180 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_usermode_loop+0x24e/0x2e0 arch/x86/entry/common.c:164
 prepare_exit_to_usermode arch/x86/entry/common.c:195 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:278 [inline]
 do_syscall_64+0x4ff/0x5f0 arch/x86/entry/common.c:304
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4144b1
Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007fffacd91d20 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00000000004144b1
RDX: 0000001b2fa20000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 0000000000000001 R08: ffffffffffffffff R09: ffffffffffffffff
R10: 00007fffacd91e00 R11: 0000000000000293 R12: 000000000075c9a0
R13: 000000000075c9a0 R14: 00000000007606e8 R15: 000000000075bf2c
Modules linked in:
---[ end trace 93a8052aafec0155 ]---
RIP: 0010:sctp_stream_free+0xcf/0x160 net/sctp/stream.c:183
Code: 07 48 89 d1 48 69 d2 aa 00 00 00 48 c1 e1 0c 48 29 d0 48 8d 04 40 48 8d 34 c1 e8 ec d7 99 fc 48 8d 78 08 48 89 fa 48 c1 ea 03 <42> 80 3c 32 00 75 5e 48 8b 78 08 e8 81 b1 ed fa 41 0f b6 45 00 84
RSP: 0018:ffffc90002be78d8 EFLAGS: 00010202
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000000000000008
RBP: ffffc90002be7910 R08: 000000000000000c R09: fffffbfff14b63c6
R10: fffffbfff14b63c5 R11: ffffffff8a5b1e2f R12: ffff88808fbda6e8
R13: ffffed1011f7b4df R14: dffffc0000000000 R15: c0c0c0c0c0c0c0c1
FS:  00000000010cf940(0000) GS:ffff8880aeb00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f99d1751000 CR3: 00000000a2110000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400