bisecting cause commit starting from 645ff1e8e704c4f33ab1fcd3c87f95cb9b6d7144 building syzkaller on 66fcd29b60c566b3d7b7cc75550a4b96e355164d testing commit 645ff1e8e704c4f33ab1fcd3c87f95cb9b6d7144 with gcc (GCC) 8.1.0 all runs: crashed: WARNING in bpf_jit_free testing release v4.20 testing commit 8fe28cb58bcb235034b64cbbb7550a8a43fd88be with gcc (GCC) 8.1.0 all runs: crashed: WARNING in bpf_jit_free testing release v4.19 testing commit 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d with gcc (GCC) 8.1.0 all runs: crashed: WARNING in bpf_jit_free testing release v4.18 testing commit 94710cac0ef4ee177a63b5227664b38c95bbf703 with gcc (GCC) 8.1.0 all runs: crashed: WARNING in bpf_jit_free testing release v4.17 testing commit 29dcea88779c856c7dc92040a0c01233263101d4 with gcc (GCC) 8.1.0 all runs: crashed: WARNING in bpf_jit_free testing release v4.16 testing commit 0adb32858b0bddf4ada5f364a84ed60b196dbcda with gcc (GCC) 8.1.0 all runs: crashed: WARNING in bpf_jit_free testing release v4.15 testing commit d8a5b80568a9cb66810e75b182018e9edb68e8ff with gcc (GCC) 8.1.0 all runs: crashed: WARNING in bpf_jit_free testing release v4.14 testing commit bebc6082da0a9f5d47a1ea2edc099bf671058bd4 with gcc (GCC) 8.1.0 all runs: crashed: WARNING in bpf_jit_free testing release v4.13 testing commit 569dbb88e80deb68974ef6fdd6a13edb9d686261 with gcc (GCC) 8.1.0 all runs: OK # git bisect start v4.14 v4.13 Bisecting: 7300 revisions left to test after this (roughly 13 steps) [15d8ffc96464f6571ecf22043c45fad659f11bdd] Merge tag 'mmc-v4.14' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc testing commit 15d8ffc96464f6571ecf22043c45fad659f11bdd with gcc (GCC) 8.1.0 all runs: crashed: WARNING in bpf_jit_free # git bisect bad 15d8ffc96464f6571ecf22043c45fad659f11bdd Bisecting: 3676 revisions left to test after this (roughly 12 steps) [bafb0762cb6a906eb4105cccfb3bcd90be7f40d2] Merge tag 'char-misc-4.14-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc testing commit bafb0762cb6a906eb4105cccfb3bcd90be7f40d2 with gcc (GCC) 8.1.0 all runs: OK # git bisect good bafb0762cb6a906eb4105cccfb3bcd90be7f40d2 Bisecting: 1826 revisions left to test after this (roughly 11 steps) [b63f6044d8e43e4a1eef8b0a2310cec872fd1d38] Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next testing commit b63f6044d8e43e4a1eef8b0a2310cec872fd1d38 with gcc (GCC) 8.1.0 run #0: crashed: WARNING in bpf_jit_free run #1: crashed: WARNING in bpf_jit_free run #2: crashed: WARNING in bpf_jit_free run #3: crashed: WARNING in bpf_jit_free run #4: crashed: WARNING in bpf_jit_free run #5: crashed: WARNING in bpf_jit_free run #6: crashed: WARNING in bpf_jit_free run #7: crashed: WARNING in bpf_jit_free run #8: crashed: WARNING in bpf_jit_free run #9: OK # git bisect bad b63f6044d8e43e4a1eef8b0a2310cec872fd1d38 Bisecting: 924 revisions left to test after this (roughly 10 steps) [e08af95df1130883762b388a19bb150ae5d16c09] sctp: remove the typedef sctp_verb_t testing commit e08af95df1130883762b388a19bb150ae5d16c09 with gcc (GCC) 8.1.0 all runs: crashed: WARNING in bpf_jit_free # git bisect bad e08af95df1130883762b388a19bb150ae5d16c09 Bisecting: 462 revisions left to test after this (roughly 9 steps) [2a4932167772874c5bc4b3dfebf61cfadb5554b9] sctp: remove the typedef sctp_error_t testing commit 2a4932167772874c5bc4b3dfebf61cfadb5554b9 with gcc (GCC) 8.1.0 all runs: crashed: WARNING in bpf_jit_free # git bisect bad 2a4932167772874c5bc4b3dfebf61cfadb5554b9 Bisecting: 230 revisions left to test after this (roughly 8 steps) [a248878d7a1d35ea3bb874891997144ad16d7c27] ibmvnic: Check for transport event on driver resume testing commit a248878d7a1d35ea3bb874891997144ad16d7c27 with gcc (GCC) 8.1.0 all runs: crashed: WARNING in bpf_jit_free # git bisect bad a248878d7a1d35ea3bb874891997144ad16d7c27 Bisecting: 115 revisions left to test after this (roughly 7 steps) [160e22aa2629875c23092e38eded442002d1ebda] mlxsw: spectrum_router: Don't create FIB node during lookup testing commit 160e22aa2629875c23092e38eded442002d1ebda with gcc (GCC) 8.1.0 run #0: crashed: WARNING in bpf_jit_free run #1: crashed: WARNING in bpf_jit_free run #2: crashed: WARNING in bpf_jit_free run #3: crashed: WARNING in bpf_jit_free run #4: crashed: WARNING in bpf_jit_free run #5: crashed: WARNING in bpf_jit_free run #6: crashed: WARNING in bpf_jit_free run #7: crashed: WARNING in bpf_jit_free run #8: crashed: WARNING in bpf_jit_free run #9: OK # git bisect bad 160e22aa2629875c23092e38eded442002d1ebda Bisecting: 57 revisions left to test after this (roughly 6 steps) [2ddf71e23cc246e95af72a6deed67b4a50a7b81c] net: add notifier hooks for devmap bpf map testing commit 2ddf71e23cc246e95af72a6deed67b4a50a7b81c with gcc (GCC) 8.1.0 run #0: crashed: WARNING: refcount bug in ipv6_del_addr run #1: crashed: WARNING in bpf_jit_free run #2: crashed: WARNING in bpf_jit_free run #3: crashed: WARNING in bpf_jit_free run #4: crashed: WARNING in bpf_jit_free run #5: crashed: WARNING in bpf_jit_free run #6: crashed: WARNING in bpf_jit_free run #7: crashed: WARNING in bpf_jit_free run #8: crashed: WARNING in bpf_jit_free run #9: crashed: WARNING in bpf_jit_free # git bisect bad 2ddf71e23cc246e95af72a6deed67b4a50a7b81c Bisecting: 27 revisions left to test after this (roughly 5 steps) [a288855151546d1026c8f94728084c1173126a01] Merge branch 'sctp-typedef-remove-part-2' testing commit a288855151546d1026c8f94728084c1173126a01 with gcc (GCC) 8.1.0 all runs: OK # git bisect good a288855151546d1026c8f94728084c1173126a01 Bisecting: 13 revisions left to test after this (roughly 4 steps) [7607dd35fc34893214284cca740d015154d20452] mlxsw: spectrum: Trap IPv4 packets with Router Alert option testing commit 7607dd35fc34893214284cca740d015154d20452 with gcc (GCC) 8.1.0 run #0: crashed: WARNING: refcount bug in addrconf_del_dad_work run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 7607dd35fc34893214284cca740d015154d20452 Bisecting: 6 revisions left to test after this (roughly 3 steps) [046759a6cf36118f5f4468f5a3998aada040ca5d] mlxsw: spectrum: Add ttl to the ipv4 acl block testing commit 046759a6cf36118f5f4468f5a3998aada040ca5d with gcc (GCC) 8.1.0 all runs: OK # git bisect good 046759a6cf36118f5f4468f5a3998aada040ca5d Bisecting: 3 revisions left to test after this (roughly 2 steps) [abac7b011d527cfc98dba6a7422bdedcdedda039] mlxsw: spectrum: Add tos to the ipv4 acl block testing commit abac7b011d527cfc98dba6a7422bdedcdedda039 with gcc (GCC) 8.1.0 all runs: OK # git bisect good abac7b011d527cfc98dba6a7422bdedcdedda039 Bisecting: 1 revision left to test after this (roughly 1 step) [ef210ec07579425d3d724dc35927f421255417f0] Merge branch 'mlxsw-ttl-tos' testing commit ef210ec07579425d3d724dc35927f421255417f0 with gcc (GCC) 8.1.0 all runs: OK # git bisect good ef210ec07579425d3d724dc35927f421255417f0 Bisecting: 0 revisions left to test after this (roughly 0 steps) [0fcc484748c9dcad5238373a4b2e1b2f309392eb] mlxsw: spectrum: Mark packets trapped in router testing commit 0fcc484748c9dcad5238373a4b2e1b2f309392eb with gcc (GCC) 8.1.0 all runs: OK # git bisect good 0fcc484748c9dcad5238373a4b2e1b2f309392eb 7607dd35fc34893214284cca740d015154d20452 is the first bad commit commit 7607dd35fc34893214284cca740d015154d20452 Author: Ido Schimmel Date: Mon Jul 17 14:15:30 2017 +0200 mlxsw: spectrum: Trap IPv4 packets with Router Alert option In case local sockets have the IP_ROUTER_ALERT socket option set, then they expect to get packets with the Router Alert option. Trap such packets, so that the kernel could inspect them and potentially send them to interested sockets. Signed-off-by: Ido Schimmel Signed-off-by: Jiri Pirko Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlxsw/spectrum.c | 1 + drivers/net/ethernet/mellanox/mlxsw/trap.h | 1 + 2 files changed, 2 insertions(+) revisions tested: 23, total time: 4h50m29.42802813s (build: 1h41m39.922737237s, test: 3h4m11.869233223s) first bad commit: 7607dd35fc34893214284cca740d015154d20452 mlxsw: spectrum: Trap IPv4 packets with Router Alert option cc: ["davem@davemloft.net" "idosch@mellanox.com" "jiri@mellanox.com" "linux-kernel@vger.kernel.org" "netdev@vger.kernel.org"] crash: WARNING: refcount bug in addrconf_del_dad_work IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready refcount_t: decrement hit 0; leaking memory. ------------[ cut here ]------------ WARNING: CPU: 1 PID: 6110 at lib/refcount.c:227 refcount_dec.cold.14+0x13/0x1a lib/refcount.c:227 Kernel panic - not syncing: panic_on_warn set ... CPU: 1 PID: 6110 Comm: syz-executor5 Not tainted 4.12.0+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:16 [inline] dump_stack+0x145/0x1e1 lib/dump_stack.c:52 panic+0x1a9/0x349 kernel/panic.c:180 __warn.cold.8+0x11a/0x14b kernel/panic.c:541 report_bug+0x1a3/0x227 lib/bug.c:183 fixup_bug arch/x86/kernel/traps.c:190 [inline] do_trap_no_signal arch/x86/kernel/traps.c:224 [inline] do_trap+0x1ef/0x2d0 arch/x86/kernel/traps.c:273 do_error_trap+0x11f/0x390 arch/x86/kernel/traps.c:310 do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:323 invalid_op+0x1e/0x30 arch/x86/entry/entry_64.S:845 RIP: 0010:refcount_dec.cold.14+0x13/0x1a lib/refcount.c:227 RSP: 0018:ffff88006c40e9d8 EFLAGS: 00010286 RAX: 000000000000002c RBX: ffff88006367b2c0 RCX: 0000000000000000 RDX: 000000000000002c RSI: ffffffff870c8bc0 RDI: ffffed000d881d32 RBP: ffff88006c40e9d8 R08: ffff88006cd1a8c0 R09: 0000000000000006 kobject: 'loop0' (ffff880069636360): kobject_uevent_env kobject: 'loop0' (ffff880069636360): fill_kobj_path: path = '/devices/virtual/block/loop0' R10: 0000000000000000 R11: dffffc0000000000 R12: 1ffff1000d881d47 R13: ffff88006c40eb98 R14: ffff88006c40ea58 R15: ffff88006367b2dc __in6_ifa_put include/net/addrconf.h:359 [inline] addrconf_del_dad_work+0x21/0x30 net/ipv6/addrconf.c:321 ipv6_del_addr+0x42a/0xab0 net/ipv6/addrconf.c:1212 addrconf_permanent_addr net/ipv6/addrconf.c:3370 [inline] addrconf_notify+0x1c9e/0x26f0 net/ipv6/addrconf.c:3436 notifier_call_chain+0x19e/0x2c0 kernel/notifier.c:93 __raw_notifier_call_chain kernel/notifier.c:394 [inline] raw_notifier_call_chain+0x11/0x20 kernel/notifier.c:401 call_netdevice_notifiers_info+0x4b/0x60 net/core/dev.c:1678 call_netdevice_notifiers net/core/dev.c:1694 [inline] __dev_notify_flags+0xe9/0x2b0 net/core/dev.c:6730 dev_change_flags+0xe6/0x150 net/core/dev.c:6763 do_setlink+0xc66/0x3590 net/core/rtnetlink.c:2088 rtnl_newlink+0x10d8/0x1ab0 net/core/rtnetlink.c:2642 rtnetlink_rcv_msg+0x4c0/0x7e0 net/core/rtnetlink.c:4216 netlink_rcv_skb+0x211/0x490 net/netlink/af_netlink.c:2397 rtnetlink_rcv+0x25/0x30 net/core/rtnetlink.c:4222 netlink_unicast_kernel net/netlink/af_netlink.c:1265 [inline] netlink_unicast+0x426/0x630 net/netlink/af_netlink.c:1291 netlink_sendmsg+0x8c3/0xe80 net/netlink/af_netlink.c:1854 sock_sendmsg_nosec net/socket.c:633 [inline] sock_sendmsg+0xb5/0xf0 net/socket.c:643 SYSC_sendto+0x345/0x6a0 net/socket.c:1736 SyS_sendto+0x9/0x10 net/socket.c:1704 entry_SYSCALL_64_fastpath+0x23/0xc2 RIP: 0033:0x411173 RSP: 002b:00007fffe1416368 EFLAGS: 00000246 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 0000000000a30070 RCX: 0000000000411173 RDX: 0000000000000038 RSI: 0000000000a30070 RDI: 0000000000000003 RBP: 0000000000000082 R08: 00007fffe1416374 R09: 000000000000000c R10: 0000000000000000 R11: 0000000000000246 R12: 00007fffe1416368 R13: 0000000000000003 R14: 00007fffe1416738 R15: 00007fffe14164b0 Kernel Offset: disabled Rebooting in 86400 seconds..