bisecting cause commit starting from 87b983f55b8ccaa0aa185e0e7672c1fa007cbf7f
building syzkaller on ede31a9b5144a9da36a8c5382d3b1ab892abcc83
testing commit 87b983f55b8ccaa0aa185e0e7672c1fa007cbf7f with gcc (GCC) 8.1.0
all runs: crashed: KASAN: null-ptr-deref Write in rxrpc_unuse_local
testing release v5.2
testing commit 0ecfebd2b52404ae0c54a878c872bb93363ada36 with gcc (GCC) 8.1.0
all runs: OK
# git bisect start 87b983f55b8ccaa0aa185e0e7672c1fa007cbf7f v5.2
Bisecting: 9579 revisions left to test after this (roughly 13 steps)
[be8454afc50f43016ca8b6130d9673bdd0bd56ec] Merge tag 'drm-next-2019-07-16' of git://anongit.freedesktop.org/drm/drm
testing commit be8454afc50f43016ca8b6130d9673bdd0bd56ec with gcc (GCC) 8.1.0
all runs: OK
# git bisect good be8454afc50f43016ca8b6130d9673bdd0bd56ec
Bisecting: 4787 revisions left to test after this (roughly 12 steps)
[57d26332659814582d6de400226c1fa03f294fc7] Merge remote-tracking branch 'sunxi/sunxi/for-next'
testing commit 57d26332659814582d6de400226c1fa03f294fc7 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 57d26332659814582d6de400226c1fa03f294fc7
Bisecting: 2178 revisions left to test after this (roughly 11 steps)
[6dfc2da6fc00146144b2fd48c57b42ac0ddede0b] Merge remote-tracking branch 'amdgpu/drm-next'
testing commit 6dfc2da6fc00146144b2fd48c57b42ac0ddede0b with gcc (GCC) 8.1.0
all runs: crashed: KASAN: null-ptr-deref Write in rxrpc_unuse_local
# git bisect bad 6dfc2da6fc00146144b2fd48c57b42ac0ddede0b
Bisecting: 1131 revisions left to test after this (roughly 10 steps)
[5b56e7b3725a1c2fed82234ba73d98efa2f6bd90] Merge remote-tracking branch 'net-next/master'
testing commit 5b56e7b3725a1c2fed82234ba73d98efa2f6bd90 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: null-ptr-deref Write in rxrpc_unuse_local
# git bisect bad 5b56e7b3725a1c2fed82234ba73d98efa2f6bd90
Bisecting: 757 revisions left to test after this (roughly 10 steps)
[fa6e48355137416f2f2a5aca3571c0238d162597] Merge remote-tracking branch 'hwmon-staging/hwmon-next'
testing commit fa6e48355137416f2f2a5aca3571c0238d162597 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: null-ptr-deref Write in rxrpc_unuse_local
# git bisect bad fa6e48355137416f2f2a5aca3571c0238d162597
Bisecting: 354 revisions left to test after this (roughly 9 steps)
[7958c0ecb42088a6aa6ecf70895ffd6e4aa08930] Merge remote-tracking branch 'f2fs/dev'
testing commit 7958c0ecb42088a6aa6ecf70895ffd6e4aa08930 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: null-ptr-deref Write in rxrpc_unuse_local
# git bisect bad 7958c0ecb42088a6aa6ecf70895ffd6e4aa08930
Bisecting: 183 revisions left to test after this (roughly 8 steps)
[ed029087bb375d07bacd3491e9ec75d94f130b9d] Merge remote-tracking branch 'afs/afs-next'
testing commit ed029087bb375d07bacd3491e9ec75d94f130b9d with gcc (GCC) 8.1.0
all runs: crashed: KASAN: null-ptr-deref Write in rxrpc_unuse_local
# git bisect bad ed029087bb375d07bacd3491e9ec75d94f130b9d
Bisecting: 96 revisions left to test after this (roughly 7 steps)
[f141f01620a8eb759554cfda6e5a47578158aae2] Merge remote-tracking branch 'sh/sh-next'
testing commit f141f01620a8eb759554cfda6e5a47578158aae2 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good f141f01620a8eb759554cfda6e5a47578158aae2
Bisecting: 45 revisions left to test after this (roughly 6 steps)
[76428ff915f3160bb7379c9fca10d3766779ba6c] Merge branch 'xtensa-5.0-fixes' into xtensa-for-next
testing commit 76428ff915f3160bb7379c9fca10d3766779ba6c with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 76428ff915f3160bb7379c9fca10d3766779ba6c
Bisecting: 23 revisions left to test after this (roughly 5 steps)
[6326b440055fd97acf620ad952aa50878aa8c3b6] Merge branch 'xtensa-5.3' into xtensa-for-next
testing commit 6326b440055fd97acf620ad952aa50878aa8c3b6 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 6326b440055fd97acf620ad952aa50878aa8c3b6
Bisecting: 11 revisions left to test after this (roughly 4 steps)
[5c2833938bf50d502586e16b9dad1e3cf88fda6f] rxrpc: Fix local endpoint refcounting
testing commit 5c2833938bf50d502586e16b9dad1e3cf88fda6f with gcc (GCC) 8.1.0
all runs: crashed: KASAN: null-ptr-deref Write in rxrpc_unuse_local
# git bisect bad 5c2833938bf50d502586e16b9dad1e3cf88fda6f
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[9dd0b82ef530cdfe805c9f7079c99e104be59a14] afs: Fix missing dentry data version updating
testing commit 9dd0b82ef530cdfe805c9f7079c99e104be59a14 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 9dd0b82ef530cdfe805c9f7079c99e104be59a14
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[2c167cc6f251a190cf25ce983985a94136bb745c] rxrpc: Fix -Wframe-larger-than= warnings from on-stack crypto
testing commit 2c167cc6f251a190cf25ce983985a94136bb745c with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 2c167cc6f251a190cf25ce983985a94136bb745c
Bisecting: 0 revisions left to test after this (roughly 1 step)
[852c1d04f6d025f1c914b8996a36e45ff7d25583] afs: Support RCU pathwalk
testing commit 852c1d04f6d025f1c914b8996a36e45ff7d25583 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 852c1d04f6d025f1c914b8996a36e45ff7d25583
5c2833938bf50d502586e16b9dad1e3cf88fda6f is the first bad commit
commit 5c2833938bf50d502586e16b9dad1e3cf88fda6f
Author: David Howells <dhowells@redhat.com>
Date:   Wed Jul 31 16:26:05 2019 +0100

    rxrpc: Fix local endpoint refcounting
    
    The object lifetime management on the rxrpc_local struct is broken in that
    the rxrpc_local_processor() function is expected to clean up and remove an
    object - but it may get requeued by packets coming in on the backing UDP
    socket once it starts running.
    
    This may result in the assertion in rxrpc_local_rcu() firing because the
    memory has been scheduled for RCU destruction whilst still queued:
    
            rxrpc: Assertion failed
            ------------[ cut here ]------------
            kernel BUG at net/rxrpc/local_object.c:468!
    
    Note that if the processor comes around before the RCU free function, it
    will just do nothing because ->dead is true.
    
    Fix this by adding a separate refcount to count active users of the
    endpoint that causes the endpoint to be destroyed when it reaches 0.
    
    The original refcount can then be used to refcount objects through the work
    processor and cause the memory to be rcu freed when that reaches 0.
    
    Fixes: 4f95dd78a77e ("rxrpc: Rework local endpoint management")
    Reported-by: syzbot+1e0edc4b8b7494c28450@syzkaller.appspotmail.com
    Signed-off-by: David Howells <dhowells@redhat.com>

:040000 040000 9cfeb3f5245de40250e6cc60eb94f3e154b101f1 5c7d53642edc009c3e68b43c1e8654a5d5caa0f3 M	net
revisions tested: 16, total time: 3h44m34.281189954s (build: 1h36m23.390781812s, test: 2h1m31.09482131s)
first bad commit: 5c2833938bf50d502586e16b9dad1e3cf88fda6f rxrpc: Fix local endpoint refcounting
cc: ["davem@davemloft.net" "dhowells@redhat.com" "linux-afs@lists.infradead.org" "linux-kernel@vger.kernel.org" "netdev@vger.kernel.org"]
crash: KASAN: null-ptr-deref Write in rxrpc_unuse_local
==================================================================
BUG: KASAN: null-ptr-deref in atomic_sub_return include/asm-generic/atomic-instrumented.h:159 [inline]
BUG: KASAN: null-ptr-deref in atomic_dec_return include/linux/atomic-fallback.h:455 [inline]
BUG: KASAN: null-ptr-deref in rxrpc_unuse_local+0x16/0x40 net/rxrpc/local_object.c:405
Write of size 4 at addr 0000000000000010 by task syz-executor.2/9118

CPU: 1 PID: 9118 Comm: syz-executor.2 Not tainted 5.3.0-rc2+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x113/0x167 lib/dump_stack.c:113
 __kasan_report.cold.9+0x5/0x3f mm/kasan/report.c:486
 kasan_report+0x12/0x17 mm/kasan/common.c:612
 check_memory_region_inline mm/kasan/generic.c:185 [inline]
 check_memory_region+0x153/0x1d0 mm/kasan/generic.c:192
 __kasan_check_write+0x14/0x20 mm/kasan/common.c:98
 atomic_sub_return include/asm-generic/atomic-instrumented.h:159 [inline]
 atomic_dec_return include/linux/atomic-fallback.h:455 [inline]
 rxrpc_unuse_local+0x16/0x40 net/rxrpc/local_object.c:405
 rxrpc_release_sock net/rxrpc/af_rxrpc.c:904 [inline]
 rxrpc_release+0x3f6/0x720 net/rxrpc/af_rxrpc.c:930
 __sock_release+0xc2/0x270 net/socket.c:590
 sock_close+0x13/0x20 net/socket.c:1268
 __fput+0x25a/0x770 fs/file_table.c:280
 ____fput+0x9/0x10 fs/file_table.c:313
 task_work_run+0x108/0x180 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_usermode_loop+0x24e/0x2e0 arch/x86/entry/common.c:163
 prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:274 [inline]
 do_syscall_64+0x462/0x540 arch/x86/entry/common.c:299
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x413511
Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007ffc15f47670 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000004 RCX: 0000000000413511
RDX: 0000001b2be20000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 0000000000000001 R08: ffffffffffffffff R09: ffffffffffffffff
R10: 00007ffc15f47750 R11: 0000000000000293 R12: 000000000075bf20
R13: 0000000000012403 R14: 0000000000760068 R15: ffffffffffffffff
==================================================================