bisecting fixing commit since 87335852c5d9ec629f80bb2257b9a9945962b719
building syzkaller on 2f1cec6277878744f2f5484a1833fb91903515f2
testing commit 87335852c5d9ec629f80bb2257b9a9945962b719 with gcc (GCC) 8.1.0
kernel signature: c644be943d22aa642964244172ca1760708615d570fff33bee1c5f51d53883e5
all runs: crashed: general protection fault in ieee80211_subif_start_xmit
testing current HEAD 2d2791fce891fc20709232d49a6bae075b9a77f8
testing commit 2d2791fce891fc20709232d49a6bae075b9a77f8 with gcc (GCC) 8.1.0
kernel signature: 37976344ef332cb158fdec7ed9494ce1dd0010dc0a6d10759fc22edb16adda31
all runs: crashed: general protection fault in ieee80211_subif_start_xmit
revisions tested: 2, total time: 24m25.819896511s (build: 15m36.209765639s, test: 8m22.092309208s)
the crash still happens on HEAD
commit msg: Linux 4.14.217
crash: general protection fault in ieee80211_subif_start_xmit

wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
ieee80211 phy14: mac80211_hwsim_change_interface (old type=3, new type=1, mac_addr=02:00:00:00:0e:00)
Modules linked in:
CPU: 1 PID: 17 Comm: ksoftirqd/1 Not tainted 4.14.217-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8881f4c12480 task.stack: ffff8881f4c20000
RIP: 0010:ieee80211_multicast_to_unicast net/mac80211/tx.c:3680 [inline]
RIP: 0010:ieee80211_subif_start_xmit+0x20a/0xf60 net/mac80211/tx.c:3764
RSP: 0018:ffff8881f4c27a70 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffff8881dbdcc1c0
RDX: 000000000000003b RSI: ffff8881dbdcc1c0 RDI: 00000000000001d8
RBP: ffff8881f4c27b98 R08: 1ffff1103e9825a0 R09: ffffffff8aaa3410
R10: ffff8881f4c27b70 R11: ffff8881f4c12480 R12: 1ffff1103e984f5a
R13: ffff8881d7050f02 R14: ffff8881d40de540 R15: ffff8881d40de618
FS:  0000000000000000(0000) GS:ffff8881f6500000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055bcf76bea78 CR3: 0000000008e6a005 CR4: 00000000001606e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
ieee80211 phy14: mac80211_hwsim_bss_info_changed(changed=0xe vif->addr=02:00:00:00:0e:00)
 __netdev_start_xmit include/linux/netdevice.h:4039 [inline]
 netdev_start_xmit include/linux/netdevice.h:4048 [inline]
 xmit_one net/core/dev.c:3005 [inline]
 dev_hard_start_xmit+0x15e/0x780 net/core/dev.c:3021
 sch_direct_xmit+0x26f/0x520 net/sched/sch_generic.c:186
ieee80211 phy9: mac80211_hwsim_config (freq=2412(2412 - 0)/noht idle=0 ps=0 smps=static)
 qdisc_restart net/sched/sch_generic.c:249 [inline]
 __qdisc_run+0x18f/0xd30 net/sched/sch_generic.c:257
 qdisc_run include/net/pkt_sched.h:115 [inline]
 net_tx_action+0x416/0x910 net/core/dev.c:4171
ieee80211 phy9: mac80211_hwsim_config (freq=2412(2412 - 0)/noht idle=1 ps=0 smps=static)
 __do_softirq+0x246/0x9b5 kernel/softirq.c:288
 run_ksoftirqd+0x57/0x1a0 kernel/softirq.c:670
 smpboot_thread_fn+0x553/0x850 kernel/smpboot.c:164
ieee80211 phy14: ERP_CTS_PROT: 0
 kthread+0x338/0x400 kernel/kthread.c:232
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404
Code: 85
ieee80211 phy14: ERP_PREAMBLE: 0
4c 0d 00 00 48 8b 85 30 ff ff ff 48 8b 98 70 14 00 00 48 b8 00 00 00 00 00 fc ff df 48 8d bb d8 01 00 00 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 06 0f 8e 34 0d 00 00 80 bb d8 01 00 00 00
RIP: ieee80211_multicast_to_unicast net/mac80211/tx.c:3680 [inline] RSP: ffff8881f4c27a70
RIP: ieee80211_subif_start_xmit+0x20a/0xf60 net/mac80211/tx.c:3764 RSP: ffff8881f4c27a70
---[ end trace fddb678c229c0946 ]---
ieee80211 phy14: ERP_SLOT: 0