bisecting fixing commit since 2d19be4653f5e74ed95560b69f94eb6791d49af3
building syzkaller on 4c37c133e4bf703d023995535f1e264d8658e08e
testing commit 2d19be4653f5e74ed95560b69f94eb6791d49af3 with gcc (GCC) 8.4.1 20210217
kernel signature: df05ff938e3e98111e72b7965bc5c7bc214cb17cc1d1b70f1dc280283c28aa05
run #0: crashed: kernel BUG in do_exit
run #1: crashed: kernel BUG in tls_sk_proto_close
run #2: crashed: BUG: Bad page state
run #3: crashed: general protection fault in tls_sk_proto_close
run #4: crashed: general protection fault in tls_sk_proto_close
run #5: crashed: general protection fault in tls_sk_proto_close
run #6: crashed: general protection fault in tls_sk_proto_close
run #7: crashed: BUG: Bad page state
run #8: crashed: kernel BUG in do_exit
run #9: crashed: general protection fault in tls_sk_proto_close
run #10: crashed: general protection fault in tls_sk_proto_close
run #11: crashed: KASAN: use-after-free Read in __schedule
run #12: crashed: general protection fault in tls_sk_proto_close
run #13: crashed: general protection fault in tls_sk_proto_close
run #14: crashed: KASAN: slab-out-of-bounds Read in __schedule
run #15: crashed: general protection fault in corrupted
run #16: crashed: general protection fault in tls_sk_proto_close
run #17: crashed: BUG: Bad page state
run #18: crashed: general protection fault in tls_sk_proto_close
run #19: crashed: kernel BUG in do_exit
testing current HEAD 2965db2e004cf9c92b87c1f559e9812c0ae878c1
testing commit 2965db2e004cf9c92b87c1f559e9812c0ae878c1 with gcc (GCC) 8.4.1 20210217
kernel signature: 6a89f3c946cfc492896f23b9447ca666a5f7bccbb7b938526d95f7a0225ee486
run #0: crashed: general protection fault in tls_sk_proto_close
run #1: crashed: general protection fault in tls_sk_proto_close
run #2: crashed: BUG: Bad page state
run #3: crashed: KASAN: slab-out-of-bounds Read in __schedule
run #4: crashed: general protection fault in tls_sk_proto_close
run #5: crashed: general protection fault in corrupted
run #6: crashed: general protection fault in tls_sk_proto_close
run #7: crashed: BUG: Bad page state
run #8: crashed: BUG: Bad page state
run #9: crashed: BUG: Bad page state
revisions tested: 2, total time: 31m0.554564557s (build: 23m29.721416238s, test: 6m54.257155569s)
the crash still happens on HEAD
commit msg: Linux 4.19.188
crash: BUG: Bad page state
RDX: 0000000000000001 RSI: 0000000020000180 RDI: 0000000000000003
RBP: 00007fb43ba511d0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000004000 R11: 0000000000000246 R12: 0000000000000001
R13: 00007ffdadd127cf R14: 00007fb43ba51300 R15: 0000000000022000
ieee80211 phy9: Selected rate control algorithm 'minstrel_ht'
BUG: Bad page state in process syz-executor.1 pfn:8d860
IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
page:ffffea0002361800 count:0 mapcount:0 mapping:ffff88813be46080 index:0x0
compound_mapcount: 0
kasan: CONFIG_KASAN_INLINE enabled
flags: 0xfff00000008100(slab|head)
==================================================================
BUG: KASAN: slab-out-of-bounds in schedule_debug kernel/sched/core.c:3329 [inline]
BUG: KASAN: slab-out-of-bounds in __schedule+0x19c8/0x1f70 kernel/sched/core.c:3439
Read of size 8 at addr ffff88809f900000 by task kworker/u4:2/9919

CPU: 0 PID: 9919 Comm: kworker/u4:2 Not tainted 4.19.188-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x17c/0x226 lib/dump_stack.c:118
 print_address_description.cold.6+0x9/0x211 mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report mm/kasan/report.c:412 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:396
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 schedule_debug kernel/sched/core.c:3329 [inline]
 __schedule+0x19c8/0x1f70 kernel/sched/core.c:3439
 preempt_schedule_common+0x1f/0xe0 kernel/sched/core.c:3641
 preempt_schedule+0x4d/0x60 kernel/sched/core.c:3667
 ___preempt_schedule+0x16/0x18
 __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:161 [inline]
 _raw_spin_unlock_irqrestore+0xbb/0xd0 kernel/locking/spinlock.c:184
 spin_unlock_irqrestore include/linux/spinlock.h:384 [inline]
 get_random_u64+0xce/0x150 drivers/char/random.c:2309
 get_random_long include/linux/random.h:57 [inline]
 arch_rnd arch/x86/mm/mmap.c:85 [inline]
 arch_rnd arch/x86/mm/mmap.c:81 [inline]
 arch_pick_mmap_layout+0x378/0x5c0 arch/x86/mm/mmap.c:158
 setup_new_exec+0x142/0x6f0 fs/exec.c:1368
 load_elf_binary+0x9a1/0x5120 fs/binfmt_elf.c:882
 search_binary_handler fs/exec.c:1668 [inline]
 search_binary_handler+0x12b/0x630 fs/exec.c:1646
 exec_binprm fs/exec.c:1710 [inline]
 __do_execve_file.isra.12+0x1070/0x1d30 fs/exec.c:1832
 do_execveat_common fs/exec.c:1879 [inline]
 do_execve+0x20/0x30 fs/exec.c:1896
 call_usermodehelper_exec_async+0x49b/0x630 kernel/umh.c:116
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

Allocated by task 9920:
 save_stack mm/kasan/kasan.c:448 [inline]
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc.part.1+0x62/0xf0 mm/kasan/kasan.c:553
 kasan_kmalloc+0xaf/0xc0 mm/kasan/kasan.c:538
 __do_kmalloc_node mm/slab.c:3689 [inline]
 __kmalloc_node_track_caller+0x50/0x70 mm/slab.c:3703
 __kmalloc_reserve.isra.9+0x2c/0xc0 net/core/skbuff.c:137
 __alloc_skb+0xd7/0x580 net/core/skbuff.c:205
 alloc_skb include/linux/skbuff.h:995 [inline]
 alloc_skb_with_frags+0x75/0x490 net/core/skbuff.c:5330
 sock_alloc_send_pskb+0x574/0x750 net/core/sock.c:2090
 unix_dgram_sendmsg+0x346/0x13e0 net/unix/af_unix.c:1707
 sock_sendmsg_nosec net/socket.c:622 [inline]
 sock_sendmsg+0xac/0xf0 net/socket.c:632
 sock_write_iter+0x215/0x420 net/socket.c:901
 call_write_iter include/linux/fs.h:1821 [inline]
 new_sync_write fs/read_write.c:474 [inline]
 __vfs_write+0x443/0x890 fs/read_write.c:487
 vfs_write+0x150/0x4d0 fs/read_write.c:549
 ksys_write+0x103/0x260 fs/read_write.c:599
 __do_sys_write fs/read_write.c:611 [inline]
 __se_sys_write fs/read_write.c:608 [inline]
 __x64_sys_write+0x6e/0xb0 fs/read_write.c:608
 do_syscall_64+0xd0/0x4e0 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff88809f900040
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 64 bytes to the left of
 512-byte region [ffff88809f900040, ffff88809f900240)
The buggy address belongs to the page:
page:ffffea00027e4000 count:1 mapcount:0 mapping:ffff88813bff6940 index:0x0
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffffea0002a3bc08 ffffea0002669b08 ffff88813bff6940
raw: 0000000000000000 ffff88809f900040 0000000100000006 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88809f8fff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88809f8fff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88809f900000: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
                   ^
 ffff88809f900080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88809f900100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================