bisecting cause commit starting from 249155c20f9b0754bc1b932a33344cfb4e0c2101
building syzkaller on 7509bf360eba1461ac6059e4cacfbc29c9d2d4c7
testing commit 249155c20f9b0754bc1b932a33344cfb4e0c2101 with gcc (GCC) 8.1.0
run #0: crashed: kernel BUG at net/rxrpc/local_object.c:LINE!
run #1: crashed: kernel BUG at net/rxrpc/local_object.c:LINE!
run #2: crashed: kernel BUG at net/rxrpc/local_object.c:LINE!
run #3: crashed: KASAN: use-after-free Read in __queue_work
run #4: crashed: kernel BUG at net/rxrpc/local_object.c:LINE!
run #5: crashed: kernel BUG at net/rxrpc/local_object.c:LINE!
run #6: crashed: kernel BUG at net/rxrpc/local_object.c:LINE!
run #7: crashed: kernel BUG at net/rxrpc/local_object.c:LINE!
run #8: crashed: kernel BUG at net/rxrpc/local_object.c:LINE!
run #9: crashed: kernel BUG at net/rxrpc/local_object.c:LINE!
testing release v5.1
testing commit e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd with gcc (GCC) 8.1.0
run #0: crashed: kernel BUG at net/rxrpc/local_object.c:LINE!
run #1: crashed: kernel BUG at net/rxrpc/local_object.c:LINE!
run #2: crashed: kernel BUG at net/rxrpc/local_object.c:LINE!
run #3: crashed: KASAN: use-after-free Read in __queue_work
run #4: crashed: kernel BUG at net/rxrpc/local_object.c:LINE!
run #5: crashed: kernel BUG at net/rxrpc/local_object.c:LINE!
run #6: crashed: kernel BUG at net/rxrpc/local_object.c:LINE!
run #7: crashed: kernel BUG at net/rxrpc/local_object.c:LINE!
run #8: crashed: kernel BUG at net/rxrpc/local_object.c:LINE!
run #9: crashed: kernel BUG at net/rxrpc/local_object.c:LINE!
testing release v5.0
testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in __queue_work
run #1: crashed: kernel BUG at net/rxrpc/local_object.c:LINE!
run #2: crashed: general protection fault in skb_queue_tail
run #3: crashed: general protection fault in skb_queue_tail
run #4: crashed: kernel BUG at net/rxrpc/local_object.c:LINE!
run #5: crashed: general protection fault in skb_queue_tail
run #6: crashed: general protection fault in skb_queue_tail
run #7: crashed: general protection fault in skb_queue_tail
run #8: crashed: kernel BUG at net/rxrpc/local_object.c:LINE!
run #9: crashed: KASAN: use-after-free Read in __queue_work
testing release v4.20
testing commit 8fe28cb58bcb235034b64cbbb7550a8a43fd88be with gcc (GCC) 8.1.0
run #0: crashed: kernel BUG at net/rxrpc/local_object.c:LINE!
run #1: crashed: general protection fault in skb_queue_tail
run #2: crashed: KASAN: use-after-free Read in __queue_work
run #3: crashed: kernel BUG at net/rxrpc/local_object.c:LINE!
run #4: crashed: general protection fault in skb_queue_tail
run #5: crashed: general protection fault in skb_queue_tail
run #6: crashed: KASAN: use-after-free Read in __queue_work
run #7: crashed: kernel BUG at net/rxrpc/local_object.c:LINE!
run #8: crashed: KASAN: use-after-free Read in __queue_work
run #9: crashed: general protection fault in skb_queue_tail
testing release v4.19
testing commit 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d with gcc (GCC) 8.1.0
all runs: OK
# git bisect start v4.20 v4.19
Bisecting: 7499 revisions left to test after this (roughly 13 steps)
[ec9c166434595382be3babf266febf876327774d] Merge tag 'mips_fixes_4.20_1' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux
testing commit ec9c166434595382be3babf266febf876327774d with gcc (GCC) 8.1.0
run #0: crashed: general protection fault in skb_queue_tail
run #1: crashed: kernel BUG at net/rxrpc/local_object.c:LINE!
run #2: crashed: kernel BUG at net/rxrpc/local_object.c:LINE!
run #3: crashed: KASAN: use-after-free Read in __queue_work
run #4: crashed: general protection fault in skb_queue_tail
run #5: crashed: general protection fault in skb_queue_tail
run #6: crashed: general protection fault in skb_queue_tail
run #7: crashed: kernel BUG at net/rxrpc/local_object.c:LINE!
run #8: crashed: general protection fault in skb_queue_tail
run #9: crashed: general protection fault in skb_queue_tail
# git bisect bad ec9c166434595382be3babf266febf876327774d
Bisecting: 3252 revisions left to test after this (roughly 12 steps)
[50b825d7e87f4cff7070df6eb26390152bb29537] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next
testing commit 50b825d7e87f4cff7070df6eb26390152bb29537 with gcc (GCC) 8.1.0
run #0: crashed: general protection fault in skb_queue_tail
run #1: crashed: kernel BUG at net/rxrpc/local_object.c:LINE!
run #2: crashed: KASAN: use-after-free Read in __queue_work
run #3: crashed: general protection fault in skb_queue_tail
run #4: crashed: KASAN: use-after-free Read in __queue_work
run #5: crashed: KASAN: use-after-free Read in __queue_work
run #6: crashed: general protection fault in skb_queue_tail
run #7: crashed: KASAN: use-after-free Read in __queue_work
run #8: crashed: kernel BUG at net/rxrpc/local_object.c:LINE!
run #9: crashed: general protection fault in skb_queue_tail
# git bisect bad 50b825d7e87f4cff7070df6eb26390152bb29537
Bisecting: 2120 revisions left to test after this (roughly 11 steps)
[99e9acd85ccbdc8f5785f9e961d4956e96bd6aa5] Merge tag 'mlx5-updates-2018-10-17' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux
testing commit 99e9acd85ccbdc8f5785f9e961d4956e96bd6aa5 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in __queue_work
run #1: crashed: KASAN: use-after-free Read in __queue_work
run #2: crashed: KASAN: use-after-free Read in __queue_work
run #3: crashed: general protection fault in skb_queue_tail
run #4: crashed: general protection fault in skb_queue_tail
run #5: crashed: KASAN: use-after-free Read in __queue_work
run #6: crashed: general protection fault in skb_queue_tail
run #7: crashed: general protection fault in skb_queue_tail
run #8: crashed: KASAN: use-after-free Read in __queue_work
run #9: crashed: kernel BUG at net/rxrpc/local_object.c:LINE!
# git bisect bad 99e9acd85ccbdc8f5785f9e961d4956e96bd6aa5
Bisecting: 989 revisions left to test after this (roughly 10 steps)
[d793fb46822ff7408a1767313ef6b12e811baa55] Merge tag 'wireless-drivers-next-for-davem-2018-10-02' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers-next
testing commit d793fb46822ff7408a1767313ef6b12e811baa55 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good d793fb46822ff7408a1767313ef6b12e811baa55
Bisecting: 461 revisions left to test after this (roughly 9 steps)
[071a234ad744ab9a1e9c948874d5f646a2964734] Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next
testing commit 071a234ad744ab9a1e9c948874d5f646a2964734 with gcc (GCC) 8.1.0
run #0: crashed: general protection fault in skb_queue_tail
run #1: crashed: general protection fault in skb_queue_tail
run #2: crashed: kernel BUG at net/rxrpc/local_object.c:LINE!
run #3: crashed: kernel BUG at net/rxrpc/local_object.c:LINE!
run #4: crashed: kernel BUG at net/rxrpc/local_object.c:LINE!
run #5: crashed: KASAN: use-after-free Read in __queue_work
run #6: crashed: general protection fault in skb_queue_tail
run #7: crashed: kernel BUG at net/rxrpc/local_object.c:LINE!
run #8: crashed: general protection fault in skb_queue_tail
run #9: crashed: KASAN: use-after-free Read in __queue_work
# git bisect bad 071a234ad744ab9a1e9c948874d5f646a2964734
Bisecting: 275 revisions left to test after this (roughly 8 steps)
[5580d810560da33804053ae3bca13110c9a8d5e8] Merge tag 'mt76-for-kvalo-2018-10-05' of https://github.com/nbd168/wireless
testing commit 5580d810560da33804053ae3bca13110c9a8d5e8 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 5580d810560da33804053ae3bca13110c9a8d5e8
Bisecting: 137 revisions left to test after this (roughly 7 steps)
[b245d32c995868879f361d252f32bb8a2ca33deb] net: sched: cls_u32: keep track of knodes count in tc_u_common
testing commit b245d32c995868879f361d252f32bb8a2ca33deb with gcc (GCC) 8.1.0
run #0: crashed: general protection fault in skb_queue_tail
run #1: crashed: kernel BUG at net/rxrpc/local_object.c:LINE!
run #2: crashed: kernel BUG at net/rxrpc/local_object.c:LINE!
run #3: crashed: KASAN: use-after-free Read in __queue_work
run #4: crashed: general protection fault in skb_queue_tail
run #5: crashed: KASAN: use-after-free Read in __queue_work
run #6: crashed: kernel BUG at net/rxrpc/local_object.c:LINE!
run #7: crashed: general protection fault in skb_queue_tail
run #8: crashed: kernel BUG at net/rxrpc/local_object.c:LINE!
run #9: crashed: kernel BUG at net/rxrpc/local_object.c:LINE!
# git bisect bad b245d32c995868879f361d252f32bb8a2ca33deb
Bisecting: 68 revisions left to test after this (roughly 6 steps)
[cc5f0eb2164f9aa11fe631f8d905192e0233e262] net: Move free of fib_metrics to helper
testing commit cc5f0eb2164f9aa11fe631f8d905192e0233e262 with gcc (GCC) 8.1.0
run #0: crashed: kernel BUG at net/rxrpc/local_object.c:LINE!
run #1: crashed: kernel BUG at net/rxrpc/local_object.c:LINE!
run #2: crashed: kernel BUG at net/rxrpc/local_object.c:LINE!
run #3: crashed: KASAN: use-after-free Read in __queue_work
run #4: crashed: general protection fault in skb_queue_tail
run #5: crashed: general protection fault in skb_queue_tail
run #6: crashed: kernel BUG at net/rxrpc/local_object.c:LINE!
run #7: crashed: general protection fault in skb_queue_tail
run #8: crashed: kernel BUG at net/rxrpc/local_object.c:LINE!
run #9: crashed: KASAN: use-after-free Read in __queue_work
# git bisect bad cc5f0eb2164f9aa11fe631f8d905192e0233e262
Bisecting: 33 revisions left to test after this (roughly 5 steps)
[6a5e6b118092dfddc545d95911d66d6562f05281] Merge branch 'ieee802154-for-davem-2018-10-04' of git://git.kernel.org/pub/scm/linux/kernel/git/sschmidt/wpan-next
testing commit 6a5e6b118092dfddc545d95911d66d6562f05281 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 6a5e6b118092dfddc545d95911d66d6562f05281
Bisecting: 15 revisions left to test after this (roughly 4 steps)
[9e50727f0e710e25e9fd740c9f43f51b37757773] Merge tag 'mlx5-updates-2018-10-03' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux
testing commit 9e50727f0e710e25e9fd740c9f43f51b37757773 with gcc (GCC) 8.1.0
run #0: crashed: general protection fault in skb_queue_tail
run #1: crashed: kernel BUG at net/rxrpc/local_object.c:LINE!
run #2: crashed: general protection fault in skb_queue_tail
run #3: crashed: kernel BUG at net/rxrpc/local_object.c:LINE!
run #4: crashed: kernel BUG at net/rxrpc/local_object.c:LINE!
run #5: crashed: general protection fault in skb_queue_tail
run #6: crashed: KASAN: use-after-free Read in __queue_work
run #7: crashed: general protection fault in skb_queue_tail
run #8: crashed: KASAN: use-after-free Read in __queue_work
run #9: crashed: kernel BUG at net/rxrpc/local_object.c:LINE!
# git bisect bad 9e50727f0e710e25e9fd740c9f43f51b37757773
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[e908bcf4f1a271e7c264dcbffc5881ced8bfacee] rxrpc: Allow the reply time to be obtained on a client call
testing commit e908bcf4f1a271e7c264dcbffc5881ced8bfacee with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in __queue_work
run #1: crashed: general protection fault in skb_queue_tail
run #2: crashed: kernel BUG at net/rxrpc/local_object.c:LINE!
run #3: crashed: kernel BUG at net/rxrpc/local_object.c:LINE!
run #4: crashed: kernel BUG at net/rxrpc/local_object.c:LINE!
run #5: crashed: kernel BUG at net/rxrpc/local_object.c:LINE!
run #6: crashed: kernel BUG at net/rxrpc/local_object.c:LINE!
run #7: crashed: KASAN: use-after-free Read in __queue_work
run #8: crashed: kernel BUG at net/rxrpc/local_object.c:LINE!
run #9: crashed: KASAN: use-after-free Read in __queue_work
# git bisect bad e908bcf4f1a271e7c264dcbffc5881ced8bfacee
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[4c19bbdc7f7c76da14a7192072c47c3b9b582e80] afs: Always build address lists using the helper functions
testing commit 4c19bbdc7f7c76da14a7192072c47c3b9b582e80 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 4c19bbdc7f7c76da14a7192072c47c3b9b582e80
Bisecting: 2 revisions left to test after this (roughly 1 step)
[46894a13599a977ac35411b536fb3e0b2feefa95] rxrpc: Use IPv4 addresses throught the IPv6
testing commit 46894a13599a977ac35411b536fb3e0b2feefa95 with gcc (GCC) 8.1.0
run #0: crashed: general protection fault in skb_queue_tail
run #1: crashed: general protection fault in skb_queue_tail
run #2: crashed: kernel BUG at net/rxrpc/local_object.c:LINE!
run #3: crashed: kernel BUG at net/rxrpc/local_object.c:LINE!
run #4: crashed: general protection fault in skb_queue_tail
run #5: crashed: general protection fault in skb_queue_tail
run #6: crashed: kernel BUG at net/rxrpc/local_object.c:LINE!
run #7: crashed: general protection fault in skb_queue_tail
run #8: crashed: KASAN: use-after-free Read in __queue_work
run #9: crashed: kernel BUG at net/rxrpc/local_object.c:LINE!
# git bisect bad 46894a13599a977ac35411b536fb3e0b2feefa95
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[66be646bd9a7d50961afbf48c1d0df148e37d416] afs: Sort address lists so that they are in logical ascending order
testing commit 66be646bd9a7d50961afbf48c1d0df148e37d416 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 66be646bd9a7d50961afbf48c1d0df148e37d416
46894a13599a977ac35411b536fb3e0b2feefa95 is the first bad commit
commit 46894a13599a977ac35411b536fb3e0b2feefa95
Author: David Howells <dhowells@redhat.com>
Date:   Thu Oct 4 09:32:28 2018 +0100

    rxrpc: Use IPv4 addresses throught the IPv6
    
    AF_RXRPC opens an IPv6 socket through which to send and receive network
    packets, both IPv6 and IPv4.  It currently turns AF_INET addresses into
    AF_INET-as-AF_INET6 addresses based on an assumption that this was
    necessary; on further inspection of the code, however, it turns out that
    the IPv6 code just farms packets aimed at AF_INET addresses out to the IPv4
    code.
    
    Fix AF_RXRPC to use AF_INET addresses directly when given them.
    
    Fixes: 7b674e390e51 ("rxrpc: Fix IPv6 support")
    Signed-off-by: David Howells <dhowells@redhat.com>

:040000 040000 03ec12e91b434ee23d1557b7f3705c7c179328a2 08845a46a3e8f298f06808416c7a571c8f2e572c M	fs
:040000 040000 ac3ebeb152a3543e1546bf58ae5ff9581790cc4c a8a247dcbee26bf5acad339fea72ea0346f7e9b2 M	net
revisions tested: 19, total time: 4h2m5.906444099s (build: 1h44m38.134787247s, test: 2h12m1.161206582s)
first bad commit: 46894a13599a977ac35411b536fb3e0b2feefa95 rxrpc: Use IPv4 addresses throught the IPv6
cc: ["davem@davemloft.net" "dhowells@redhat.com" "linux-afs@lists.infradead.org" "linux-kernel@vger.kernel.org" "netdev@vger.kernel.org"]
crash: kernel BUG at net/rxrpc/local_object.c:LINE!
IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
8021q: adding VLAN 0 to HW filter on device batadv0
rxrpc: Assertion failed
------------[ cut here ]------------
kernel BUG at net/rxrpc/local_object.c:453!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 9 Comm: ksoftirqd/0 Not tainted 4.19.0-rc6+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:rxrpc_local_rcu.cold.4+0xc/0xe net/rxrpc/local_object.c:453
Code: 20 49 83 ec 20 e9 7b ff ff ff 48 89 c7 e8 3b 33 a8 fb eb c6 4c 89 ef e8 51 33 a8 fb eb de 48 c7 c7 c0 70 62 87 e8 a2 39 66 fb <0f> 0b 48 c7 c7 c0 70 62 87 e8 94 39 66 fb 0f 0b 48 c7 c7 c0 70 62
RSP: 0018:ffff8800aa2efc90 EFLAGS: 00010286
RAX: 0000000000000017 RBX: ffff880090c09240 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff86fe4e80 RDI: ffffffff89a56620
RBP: ffff8800aa2efc98 R08: ffffed0015d44fe9 R09: ffffed0015d44fe8
R10: ffffed0015d44fe8 R11: ffff8800aea27f47 R12: 000000000000000a
R13: ffffffff85e75860 R14: ffff880090c09248 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8800aea00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000900 CR3: 000000009a4ca000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 __rcu_reclaim kernel/rcu/rcu.h:236 [inline]
 rcu_do_batch kernel/rcu/tree.c:2576 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:2880 [inline]
 __rcu_process_callbacks kernel/rcu/tree.c:2847 [inline]
 rcu_process_callbacks+0xbcd/0x19a0 kernel/rcu/tree.c:2864
 __do_softirq+0x262/0x906 kernel/softirq.c:292
 run_ksoftirqd+0x94/0x100 kernel/softirq.c:653
 smpboot_thread_fn+0x55f/0x860 kernel/smpboot.c:164
 kthread+0x324/0x3e0 kernel/kthread.c:246
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:413
Modules linked in:
---[ end trace 28cd2d669ba67d96 ]---
RIP: 0010:rxrpc_local_rcu.cold.4+0xc/0xe net/rxrpc/local_object.c:453
Code: 20 49 83 ec 20 e9 7b ff ff ff 48 89 c7 e8 3b 33 a8 fb eb c6 4c 89 ef e8 51 33 a8 fb eb de 48 c7 c7 c0 70 62 87 e8 a2 39 66 fb <0f> 0b 48 c7 c7 c0 70 62 87 e8 94 39 66 fb 0f 0b 48 c7 c7 c0 70 62
RSP: 0018:ffff8800aa2efc90 EFLAGS: 00010286
RAX: 0000000000000017 RBX: ffff880090c09240 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff86fe4e80 RDI: ffffffff89a56620
RBP: ffff8800aa2efc98 R08: ffffed0015d44fe9 R09: ffffed0015d44fe8
R10: ffffed0015d44fe8 R11: ffff8800aea27f47 R12: 000000000000000a
R13: ffffffff85e75860 R14: ffff880090c09248 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8800aea00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000900 CR3: 000000009a4ca000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400