bisecting fixing commit since e2cd24b629389b52a31d96d226ed150dacab9cdd
building syzkaller on 32d593576a7ee67f588218d3a44a0b69fe31b0a0
testing commit e2cd24b629389b52a31d96d226ed150dacab9cdd with gcc (GCC) 8.1.0
kernel signature: db7ce1d432dd2544049c91514b6709fa773c907a
all runs: crashed: WARNING in tcp_retransmit_timer
testing current HEAD a844dc4c544291470aa69edbe2434b040794e269
testing commit a844dc4c544291470aa69edbe2434b040794e269 with gcc (GCC) 8.1.0
kernel signature: cbd936434407f543f59dec407ecb90b8dd498e29
all runs: OK
# git bisect start a844dc4c544291470aa69edbe2434b040794e269 e2cd24b629389b52a31d96d226ed150dacab9cdd
Bisecting: 858 revisions left to test after this (roughly 10 steps)
[107e5b0b9ed11d99e409e4a3e120237710c39e95] net: openvswitch: free vport unless register_netdevice() succeeds
testing commit 107e5b0b9ed11d99e409e4a3e120237710c39e95 with gcc (GCC) 8.1.0
kernel signature: 215e864f1c81d065c52be1ae639039d59e257886
all runs: OK
# git bisect bad 107e5b0b9ed11d99e409e4a3e120237710c39e95
Bisecting: 429 revisions left to test after this (roughly 9 steps)
[07a971f35f90e4b5823a7c2e7a83df85328f4ad3] powerpc/pseries: Fix cpu_hotplug_lock acquisition in resize_hpt()
testing commit 07a971f35f90e4b5823a7c2e7a83df85328f4ad3 with gcc (GCC) 8.1.0
kernel signature: c00eb3dc5bf966dff6c2d6660f9e083596ef5bbe
all runs: OK
# git bisect bad 07a971f35f90e4b5823a7c2e7a83df85328f4ad3
Bisecting: 214 revisions left to test after this (roughly 8 steps)
[66b330f8729281f03924f1ebaaba42612a545d3d] media: rc: imon: Allow iMON RC protocol for ffdc 7e device
testing commit 66b330f8729281f03924f1ebaaba42612a545d3d with gcc (GCC) 8.1.0
kernel signature: 27aa51eadc0a65563d097538808de19e9c0c7b43
all runs: OK
# git bisect bad 66b330f8729281f03924f1ebaaba42612a545d3d
Bisecting: 106 revisions left to test after this (roughly 7 steps)
[2bb28f30f7995e1be8d0cf2a10c25c33419c92fe] perf/x86/intel: Restrict period on Nehalem
testing commit 2bb28f30f7995e1be8d0cf2a10c25c33419c92fe with gcc (GCC) 8.1.0
kernel signature: 998942bdd3a24dfcca71d143a80d6699ac82d50c
all runs: crashed: WARNING in tcp_retransmit_timer
# git bisect good 2bb28f30f7995e1be8d0cf2a10c25c33419c92fe
Bisecting: 53 revisions left to test after this (roughly 6 steps)
[e991f02f6f9117514ed1374b39ce195013ab9cd0] f2fs: use generic EFSBADCRC/EFSCORRUPTED
testing commit e991f02f6f9117514ed1374b39ce195013ab9cd0 with gcc (GCC) 8.1.0
kernel signature: 6fbf195a0dbc1194a38e36dd10682a614e58691f
all runs: OK
# git bisect bad e991f02f6f9117514ed1374b39ce195013ab9cd0
Bisecting: 26 revisions left to test after this (roughly 5 steps)
[16694567a78161aa952cc41cfbc82fc7bf30c47c] HID: sony: Fix memory corruption issue on cleanup.
testing commit 16694567a78161aa952cc41cfbc82fc7bf30c47c with gcc (GCC) 8.1.0
kernel signature: c3eb0f2937b70fde01bcd4916d4dafcb3ade07a7
all runs: OK
# git bisect bad 16694567a78161aa952cc41cfbc82fc7bf30c47c
Bisecting: 12 revisions left to test after this (roughly 4 steps)
[b15bf74405faa1a65025eb8a6eb337e140e5250a] iommu/amd: Fix race in increase_address_space()
testing commit b15bf74405faa1a65025eb8a6eb337e140e5250a with gcc (GCC) 8.1.0
kernel signature: f78cbee13f79a89332a646336fe1a9d890b4252e
all runs: crashed: WARNING in tcp_retransmit_timer
# git bisect good b15bf74405faa1a65025eb8a6eb337e140e5250a
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[120d5674a14f5d641970bc4287a752e60415b17c] media: technisat-usb2: break out of loop at end of buffer
testing commit 120d5674a14f5d641970bc4287a752e60415b17c with gcc (GCC) 8.1.0
kernel signature: f6b41aba0298cf6f6cca344bf4c2e8931a1f38ab
all runs: OK
# git bisect bad 120d5674a14f5d641970bc4287a752e60415b17c
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[56af7c0ea79095edbf198711141805b936fc2996] binfmt_elf: move brk out of mmap when doing direct loader exec
testing commit 56af7c0ea79095edbf198711141805b936fc2996 with gcc (GCC) 8.1.0
kernel signature: 2f580e9ef65d5068d98d2e8b48407b353e295b33
all runs: crashed: WARNING in tcp_retransmit_timer
# git bisect good 56af7c0ea79095edbf198711141805b936fc2996
Bisecting: 0 revisions left to test after this (roughly 1 step)
[ba2ddb43f270e6492ccce4fc42fc32c611de8f68] tcp: Don't dequeue SYN/FIN-segments from write-queue
testing commit ba2ddb43f270e6492ccce4fc42fc32c611de8f68 with gcc (GCC) 8.1.0
kernel signature: ab2c8f951b927155ab1f4ab5f7e1eefe037c8f90
all runs: OK
# git bisect bad ba2ddb43f270e6492ccce4fc42fc32c611de8f68
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[f1dcc5ed4bea3f2d63b74ad86617ec12b1e5e9d4] tcp: Reset send_head when removing skb from write-queue
testing commit f1dcc5ed4bea3f2d63b74ad86617ec12b1e5e9d4 with gcc (GCC) 8.1.0
kernel signature: 68d10434a542ad81a9be9bd200ac119f52a221a5
run #0: crashed: WARNING in tcp_retransmit_timer
run #1: crashed: WARNING in tcp_retransmit_timer
run #2: crashed: WARNING in tcp_retransmit_timer
run #3: crashed: WARNING in corrupted
run #4: crashed: WARNING in tcp_retransmit_timer
run #5: crashed: WARNING in tcp_retransmit_timer
run #6: crashed: WARNING in tcp_retransmit_timer
run #7: crashed: WARNING in tcp_retransmit_timer
run #8: crashed: WARNING in tcp_retransmit_timer
run #9: crashed: WARNING in tcp_retransmit_timer
# git bisect good f1dcc5ed4bea3f2d63b74ad86617ec12b1e5e9d4
ba2ddb43f270e6492ccce4fc42fc32c611de8f68 is the first bad commit
commit ba2ddb43f270e6492ccce4fc42fc32c611de8f68
Author: Christoph Paasch
Date:   Fri Sep 13 13:08:19 2019 -0700

    tcp: Don't dequeue SYN/FIN-segments from write-queue

    If a SYN/FIN-segment is on the write-queue, skb->len is 0, but the
    segment actually has been transmitted. end_seq and seq of the tcp_skb_cb
    in that case will indicate this difference.

    We should not remove such segments from the write-queue as we might be
    in SYN_SENT-state and a retransmission-timer is running. When that one
    fires, packets_out will be 1, but the write-queue would be empty,
    resulting in:

    [   61.280214] ------------[ cut here ]------------
    [   61.281307] WARNING: CPU: 0 PID: 0 at net/ipv4/tcp_timer.c:429 tcp_retransmit_timer+0x18f9/0x2660
    [   61.283498] Modules linked in:
    [   61.284084] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.14.142 #58
    [   61.285214] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.5.1 01/01/2011
    [   61.286644] task: ffffffff8401e1c0 task.stack: ffffffff84000000
    [   61.287758] RIP: 0010:tcp_retransmit_timer+0x18f9/0x2660
    [   61.288715] RSP: 0018:ffff88806ce07cb8 EFLAGS: 00010206
    [   61.289669] RAX: ffffffff8401e1c0 RBX: ffff88805c998b00 RCX: 0000000000000006
    [   61.290968] RDX: 0000000000000100 RSI: 0000000000000000 RDI: ffff88805c9994d8
    [   61.292314] RBP: ffff88805c99919a R08: ffff88807fff901c R09: ffff88807fff9008
    [   61.293547] R10: ffff88807fff9017 R11: ffff88807fff9010 R12: ffff88805c998b30
    [   61.294834] R13: ffffffff844b9380 R14: 0000000000000000 R15: ffff88805c99930c
    [   61.296086] FS:  0000000000000000(0000) GS:ffff88806ce00000(0000) knlGS:0000000000000000
    [   61.297523] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [   61.298646] CR2: 00007f721da50ff8 CR3: 0000000004014002 CR4: 00000000001606f0
    [   61.299944] Call Trace:
    [   61.300403]
    [   61.300806]  ? kvm_sched_clock_read+0x21/0x30
    [   61.301689]  ? sched_clock+0x5/0x10
    [   61.302433]  ? sched_clock_cpu+0x18/0x170
    [   61.303173]  tcp_write_timer_handler+0x2c1/0x7a0
    [   61.304038]  tcp_write_timer+0x13e/0x160
    [   61.304794]  call_timer_fn+0x14a/0x5f0
    [   61.305480]  ? tcp_write_timer_handler+0x7a0/0x7a0
    [   61.306364]  ? __next_timer_interrupt+0x140/0x140
    [   61.307229]  ? _raw_spin_unlock_irq+0x24/0x40
    [   61.308033]  ? tcp_write_timer_handler+0x7a0/0x7a0
    [   61.308887]  ? tcp_write_timer_handler+0x7a0/0x7a0
    [   61.309760]  run_timer_softirq+0xc41/0x1080
    [   61.310539]  ? trigger_dyntick_cpu.isra.33+0x180/0x180
    [   61.311506]  ? ktime_get+0x13f/0x1c0
    [   61.312232]  ? clockevents_program_event+0x10d/0x2f0
    [   61.313158]  __do_softirq+0x20b/0x96b
    [   61.313889]  irq_exit+0x1a7/0x1e0
    [   61.314513]  smp_apic_timer_interrupt+0xfc/0x4d0
    [   61.315386]  apic_timer_interrupt+0x8f/0xa0
    [   61.316129]

    Followed by a panic.

    So, before removing an skb with skb->len == 0, let's make sure that the
    skb is really empty by checking the end_seq and seq.

    This patch needs to be backported only to 4.14 and older (among those
    that applied the backport of fdfc5c8594c2).

    Fixes: fdfc5c8594c2 ("tcp: remove empty skb from write queue in error cases")
    Cc: Eric Dumazet
    Cc: Jason Baron
    Cc: Vladimir Rutsky
    Cc: Soheil Hassas Yeganeh
    Cc: Neal Cardwell
    Signed-off-by: Christoph Paasch
    Signed-off-by: Greg Kroah-Hartman

 net/ipv4/tcp.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
kernel signature: ab2c8f951b927155ab1f4ab5f7e1eefe037c8f90
previous signature: 68d10434a542ad81a9be9bd200ac119f52a221a5
revisions tested: 13, total time: 3h30m22.597505732s (build: 1h44m48.780518068s, test: 1h44m11.910256988s)
first good commit: ba2ddb43f270e6492ccce4fc42fc32c611de8f68 tcp: Don't dequeue SYN/FIN-segments from write-queue
cc: ["cpaasch@apple.com" "edumazet@google.com" "gregkh@linuxfoundation.org" "jbaron@akamai.com" "ncardwell@google.com" "rutsky@google.com" "soheil@google.com"]