bisecting fixing commit since 2d19be4653f5e74ed95560b69f94eb6791d49af3
building syzkaller on 4c37c133e4bf703d023995535f1e264d8658e08e
testing commit 2d19be4653f5e74ed95560b69f94eb6791d49af3 with gcc (GCC) 8.4.1 20210217
kernel signature: 4216e23bf691f562f9dd9bd525e20ee2ed496f393c5c235a833910af03858eaa
run #0: crashed: general protection fault in corrupted
run #1: crashed: general protection fault in tls_sk_proto_close
run #2: crashed: general protection fault in tls_sk_proto_close
run #3: crashed: general protection fault in tls_sk_proto_close
run #4: crashed: general protection fault in tls_sk_proto_close
run #5: crashed: general protection fault in tls_sk_proto_close
run #6: crashed: general protection fault in tls_sk_proto_close
run #7: crashed: kernel panic: corrupted stack end in corrupted
run #8: crashed: BUG: Bad page state
run #9: crashed: general protection fault in corrupted
run #10: crashed: KASAN: slab-out-of-bounds Read in __schedule
run #11: crashed: BUG: Bad page state
run #12: crashed: general protection fault in tls_sk_proto_close
run #13: crashed: kernel panic: corrupted stack end in corrupted
run #14: crashed: kernel panic: corrupted stack end in corrupted
run #15: crashed: BUG: Bad page state
run #16: crashed: KASAN: use-after-free Read in __schedule
run #17: crashed: general protection fault in tls_sk_proto_close
run #18: crashed: BUG: Bad page state
run #19: crashed: general protection fault in tls_sk_proto_close
testing current HEAD 6b7b0056defc6eb5c87bbe4690ccda547b2891aa
testing commit 6b7b0056defc6eb5c87bbe4690ccda547b2891aa with gcc (GCC) 8.4.1 20210217
kernel signature: ca045aa76c5d6b16e8aecc9e624be8896597d5363b5a6d351b02465b04124524
run #0: crashed: general protection fault in tls_sk_proto_close
run #1: crashed: general protection fault in tls_sk_proto_close
run #2: crashed: general protection fault in tls_sk_proto_close
run #3: crashed: general protection fault in tls_sk_proto_close
run #4: crashed: general protection fault in tls_sk_proto_close
run #5: crashed: BUG: Bad page state
run #6: crashed: general protection fault in tls_sk_proto_close
run #7: crashed: kernel panic: corrupted stack end in call_usermodehelper_exec_async
run #8: crashed: BUG: Bad page state
run #9: crashed: general protection fault in tls_sk_proto_close
revisions tested: 2, total time: 24m7.613051678s (build: 17m13.483072717s, test: 6m28.121903548s)
the crash still happens on HEAD
commit msg: Linux 4.19.192
crash: general protection fault in tls_sk_proto_close
IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready
page:ffffea000237b000 count:0 mapcount:-128 mapping:0000000000000000 index:0x0
batman_adv: batadv0: Interface activated: batadv_slave_0
kasan: GPF could be caused by NULL-ptr deref or user memory access
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1
general protection fault: 0000 [#1] PREEMPT SMP KASAN
flags: 0xfff00000000000()
CPU: 1 PID: 9789 Comm: syz-executor.3 Not tainted 4.19.192-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__read_once_size include/linux/compiler.h:261 [inline]
RIP: 0010:compound_head include/linux/page-flags.h:142 [inline]
RIP: 0010:put_page include/linux/mm.h:951 [inline]
RIP: 0010:tls_sk_proto_close+0x2af/0x980 net/tls/tls_main.c:277
Code: 89 ca 48 89 8d 40 ff ff ff 48 c1 ea 03 4a 8d 0c 2a 48 89 8d 68 ff ff ff 48 83 e0 fc 48 8d 78 08 49 89 c6 48 89 fe 48 c1 ee 03 <42> 80 3c 2e 00 0f 85 63 05 00 00 49 8b 76 08 48 8d 7e ff 83 e6 01
RSP: 0018:ffff8880910dfca0 EFLAGS: 00010202
RAX: 0000000000000000 RBX: ffff888098a11300 RCX: ffffed1013c7cdc5
RDX: 1ffffffff1322499 RSI: 0000000000000001 RDI: 0000000000000008
RBP: ffff8880910dfd60 R08: ffff888098bbac50 R09: 1ffffffff18c53ea
R10: 0000000000000000 R11: 0000000000000000 R12: ffff88809904f0c0
R13: dffffc0000000000 R14: 0000000000000000 R15: ffff88809e3e6e00
FS: 0000000002896400(0000) GS:ffff8880ba300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f70963a3000 CR3: 00000000988c0000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 inet_release+0xb4/0x1b0 net/ipv4/af_inet.c:427
 inet6_release+0x46/0x60 net/ipv6/af_inet6.c:472
 __sock_release+0xc2/0x290 net/socket.c:579
 sock_close+0x10/0x20 net/socket.c:1140
 __fput+0x249/0x7f0 fs/file_table.c:278
 ____fput+0x9/0x10 fs/file_table.c:309
 task_work_run+0x108/0x180 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:193 [inline]
 exit_to_usermode_loop+0x185/0x1e0 arch/x86/entry/common.c:167
 prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
 do_syscall_64+0x413/0x4e0 arch/x86/entry/common.c:296
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x41920b
Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44
RSP: 002b:00007ffe8b421810 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000004 RCX: 000000000041920b
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000003
RBP: 0000000000000001 R08: 0000000000000000 R09: 0000001b2c0200fc
R10: 0000000000000000 R11: 0000000000000293 R12: 000000000056c9e0
R13: 000000000056c9e0 R14: 000000000056bf60 R15: 000000000000c49b
Modules linked in:
---[ end trace 97164afb87d614a2 ]---
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
RIP: 0010:__read_once_size include/linux/compiler.h:261 [inline]
RIP: 0010:compound_head include/linux/page-flags.h:142 [inline]
RIP: 0010:put_page include/linux/mm.h:951 [inline]
RIP: 0010:tls_sk_proto_close+0x2af/0x980 net/tls/tls_main.c:277
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1
Code: 89 ca 48 89 8d 40 ff ff ff 48 c1 ea 03 4a 8d 0c 2a 48 89 8d 68 ff ff ff 48 83 e0 fc 48 8d 78 08 49 89 c6 48 89 fe 48 c1 ee 03 <42> 80 3c 2e 00 0f 85 63 05 00 00 49 8b 76 08 48 8d 7e ff 83 e6 01
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
RSP: 0018:ffff8880910dfca0 EFLAGS: 00010202
raw: 00fff00000000000 ffffea00026f1a08 ffffea00025ff408 0000000000000000
RAX: 0000000000000000 RBX: ffff888098a11300 RCX: ffffed1013c7cdc5
raw: 0000000000000000 0000000000000003 00000000ffffff7f 0000000000000000
RDX: 1ffffffff1322499 RSI: 0000000000000001 RDI: 0000000000000008
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1
RBP: ffff8880910dfd60 R08: ffff888098bbac50 R09: 1ffffffff18c53ea
page dumped because: VM_BUG_ON_PAGE(page_ref_count(page) == 0)
R10: 0000000000000000 R11: 0000000000000000 R12: ffff88809904f0c0
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
R13: dffffc0000000000 R14: 0000000000000000 R15: ffff88809e3e6e00
------------[ cut here ]------------
FS: 0000000002896400(0000) GS:ffff8880ba300000(0000) knlGS:0000000000000000
kernel BUG at include/linux/mm.h:519!
invalid opcode: 0000 [#2] PREEMPT SMP KASAN
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CPU: 0 PID: 9793 Comm: syz-executor.3 Tainted: G D 4.19.192-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:put_page_testzero include/linux/mm.h:519 [inline]
RIP: 0010:put_page include/linux/mm.h:962 [inline]
RIP: 0010:do_exit+0x22b0/0x2d90 kernel/exit.c:909
Code: 89 e7 e8 a3 93 23 00 48 c7 c7 80 90 80 89 4d 89 fe e8 84 73 6f 06 e9 6e e8 ff ff 48 c7 c6 00 2e 08 88 48 89 df e8 50 40 4a 00 <0f> 0b 49 8d bf e8 04 00 00 b8 ff ff 37 00 48 89 fa 48 c1 e0 2a 48
RSP: 0018:ffff88808de2faa0 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffffea000237b000 RCX: 0000000000000000
RDX: 1ffffd400046f607 RSI: 0000000000000000 RDI: ffffea000237b038
RBP: ffff88808de2fc10 R08: ffffed1017444e99 R09: ffffed1017444e98
R10: ffffed1017444e98 R11: ffff8880ba2274c7 R12: ffffea000237b034
R13: ffff88808de2f680 R14: dffffc0000000000 R15: ffff888098d42480
FS: 00007fac406ce700(0000) GS:ffff8880ba200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f70963a2028 CR3: 00000000b0265000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
CR2: 00007f70963a9000 CR3: 00000000988c0000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 do_group_exit+0xf8/0x2c0 kernel/exit.c:967
 get_signal+0x30b/0x1970 kernel/signal.c:2589
 do_signal+0x87/0x1870 arch/x86/kernel/signal.c:799
 exit_to_usermode_loop+0x159/0x1e0 arch/x86/entry/common.c:163
 prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
 do_syscall_64+0x413/0x4e0 arch/x86/entry/common.c:296
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
RIP: 0033:0x465ef9
Code: Bad RIP value.
RSP: 002b:00007fac406ce218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca