bisecting cause commit starting from 08cc83cc7fd8e6c3670ff545ef2bbfbc01a02d87 building syzkaller on f62e1e85cf54ccfa990868a402eca32bf4513b21 testing commit 08cc83cc7fd8e6c3670ff545ef2bbfbc01a02d87 with gcc (GCC) 8.1.0 all runs: crashed: general protection fault in ip6_datagram_dst_update testing release v5.1 testing commit e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd with gcc (GCC) 8.1.0 all runs: OK # git bisect start 08cc83cc7fd8e6c3670ff545ef2bbfbc01a02d87 v5.1 Bisecting: 8639 revisions left to test after this (roughly 13 steps) [055128ee008b00fba14e3638e7e84fc2cff8d77d] Merge tag 'dmaengine-5.2-rc1' of git://git.infradead.org/users/vkoul/slave-dma testing commit 055128ee008b00fba14e3638e7e84fc2cff8d77d with gcc (GCC) 8.1.0 all runs: OK # git bisect good 055128ee008b00fba14e3638e7e84fc2cff8d77d Bisecting: 4323 revisions left to test after this (roughly 12 steps) [78e03651849fd3e8aa9ab3288bc1d3726c4c6129] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net testing commit 78e03651849fd3e8aa9ab3288bc1d3726c4c6129 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 78e03651849fd3e8aa9ab3288bc1d3726c4c6129 Bisecting: 2171 revisions left to test after this (roughly 11 steps) [e858faf556d4e14c750ba1e8852783c6f9520a0e] tcp: Reset bytes_acked and bytes_received when disconnecting testing commit e858faf556d4e14c750ba1e8852783c6f9520a0e with gcc (GCC) 8.1.0 all runs: OK # git bisect good e858faf556d4e14c750ba1e8852783c6f9520a0e Bisecting: 1092 revisions left to test after this (roughly 10 steps) [497ad9f5b2dc86b733761b9afa44ecfa2f17be65] page_pool: fix compile warning when CONFIG_PAGE_POOL is disabled testing commit 497ad9f5b2dc86b733761b9afa44ecfa2f17be65 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 497ad9f5b2dc86b733761b9afa44ecfa2f17be65 Bisecting: 546 revisions left to test after this (roughly 9 steps) [c782e204f7343b6f4527e953a5ad265be4abd627] r8169: add random MAC address fallback testing commit c782e204f7343b6f4527e953a5ad265be4abd627 with gcc (GCC) 8.1.0 all runs: OK # git bisect good c782e204f7343b6f4527e953a5ad265be4abd627 Bisecting: 219 revisions left to test after this (roughly 8 steps) [437fde6cda74bb31705a9f37f14d481cdd431ad8] Merge tag 'wireless-drivers-next-for-davem-2019-07-06' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers-next testing commit 437fde6cda74bb31705a9f37f14d481cdd431ad8 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 437fde6cda74bb31705a9f37f14d481cdd431ad8 Bisecting: 124 revisions left to test after this (roughly 7 steps) [7650b1a9bd693d133a3ec0548ba63e828f34e3ec] Merge branch 'mp-inner-L3' testing commit 7650b1a9bd693d133a3ec0548ba63e828f34e3ec with gcc (GCC) 8.1.0 all runs: OK # git bisect good 7650b1a9bd693d133a3ec0548ba63e828f34e3ec Bisecting: 62 revisions left to test after this (roughly 6 steps) [b5d9a834f4fd1b6abfa527ec351c871084dd23a3] net/tls: don't clear TX resync flag on error testing commit b5d9a834f4fd1b6abfa527ec351c871084dd23a3 with gcc (GCC) 8.1.0 all runs: crashed: general protection fault in ip6_datagram_dst_update # git bisect bad b5d9a834f4fd1b6abfa527ec351c871084dd23a3 Bisecting: 30 revisions left to test after this (roughly 5 steps) [06ec0e2c490afd2f870d89c59200540fd9acde95] selftests/bpf: fix test_attach_probe map definition testing commit 06ec0e2c490afd2f870d89c59200540fd9acde95 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 06ec0e2c490afd2f870d89c59200540fd9acde95 Bisecting: 15 revisions left to test after this (roughly 4 steps) [d27cf5c59a12f66425df29cd81f61aa73ef14ac1] net: core: add MPLS update core helper and use in OvS testing commit d27cf5c59a12f66425df29cd81f61aa73ef14ac1 with gcc (GCC) 8.1.0 all runs: crashed: general protection fault in ip6_datagram_dst_update # git bisect bad d27cf5c59a12f66425df29cd81f61aa73ef14ac1 Bisecting: 7 revisions left to test after this (roughly 3 steps) [6d7855c54e1e269275d7c504f8f62a0b7a5b3f18] sockfs: switch to ->free_inode() testing commit 6d7855c54e1e269275d7c504f8f62a0b7a5b3f18 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 6d7855c54e1e269275d7c504f8f62a0b7a5b3f18 Bisecting: 3 revisions left to test after this (roughly 2 steps) [6413139dfc641aaaa30580b59696a5f7ea274194] skbuff: increase verbosity when dumping skb data testing commit 6413139dfc641aaaa30580b59696a5f7ea274194 with gcc (GCC) 8.1.0 all runs: crashed: general protection fault in ip6_datagram_dst_update # git bisect bad 6413139dfc641aaaa30580b59696a5f7ea274194 Bisecting: 1 revision left to test after this (roughly 1 step) [ee4f56f46ab7a795dc8f7ecdfa11b616a5754b50] bonding: fix value exported by Netlink for peer_notif_delay testing commit ee4f56f46ab7a795dc8f7ecdfa11b616a5754b50 with gcc (GCC) 8.1.0 run #0: basic kernel testing failed: failed to copy test binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/syzkaller/jobs/linux/workdir/image/key" "/tmp/syz-executor712253513" "root@10.128.0.117:./syz-executor712253513"]: exit status 1 ssh: connect to host 10.128.0.117 port 22: Connection timed out lost connection run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect good ee4f56f46ab7a795dc8f7ecdfa11b616a5754b50 Bisecting: 0 revisions left to test after this (roughly 0 steps) [59c820b2317f0ffe1ab9b5d2c0515cdbfe714e6e] ipv6: elide flowlabel check if no exclusive leases exist testing commit 59c820b2317f0ffe1ab9b5d2c0515cdbfe714e6e with gcc (GCC) 8.1.0 all runs: crashed: general protection fault in ip6_datagram_dst_update # git bisect bad 59c820b2317f0ffe1ab9b5d2c0515cdbfe714e6e 59c820b2317f0ffe1ab9b5d2c0515cdbfe714e6e is the first bad commit commit 59c820b2317f0ffe1ab9b5d2c0515cdbfe714e6e Author: Willem de Bruijn Date: Sun Jul 7 05:34:45 2019 -0400 ipv6: elide flowlabel check if no exclusive leases exist Processes can request ipv6 flowlabels with cmsg IPV6_FLOWINFO. If not set, by default an autogenerated flowlabel is selected. Explicit flowlabels require a control operation per label plus a datapath check on every connection (every datagram if unconnected). This is particularly expensive on unconnected sockets multiplexing many flows, such as QUIC. In the common case, where no lease is exclusive, the check can be safely elided, as both lease request and check trivially succeed. Indeed, autoflowlabel does the same even with exclusive leases. Elide the check if no process has requested an exclusive lease. fl6_sock_lookup previously returns either a reference to a lease or NULL to denote failure. Modify to return a real error and update all callers. On return NULL, they can use the label and will elide the atomic_dec in fl6_sock_release. This is an optimization. Robust applications still have to revert to requesting leases if the fast path fails due to an exclusive lease. Changes RFC->v1: - use static_key_false_deferred to rate limit jump label operations - call static_key_deferred_flush to stop timers on exit - move decrement out of RCU context - defer optimization also if opt data is associated with a lease - updated all fp6_sock_lookup callers, not just udp Signed-off-by: Willem de Bruijn Signed-off-by: David S. Miller :040000 040000 2292dec4825edb37b39023904ad507ad47414c59 e547eb710546f7423aed9204f35120eb41be58e4 M include :040000 040000 ba9e4ec68c4eb881398e105ce72a2958a9ec4761 f748c8bb9c946fee1817c33148d93a9453a7d77b M net revisions tested: 16, total time: 4h0m31.512714225s (build: 1h31m4.359771205s, test: 2h24m0.29815591s) first bad commit: 59c820b2317f0ffe1ab9b5d2c0515cdbfe714e6e ipv6: elide flowlabel check if no exclusive leases exist cc: ["afaerber@suse.de" "davem@davemloft.net" "dccp@vger.kernel.org" "edumazet@google.com" "g.nault@alphalink.fr" "gerrit@erg.abdn.ac.uk" "jian.w.wen@oracle.com" "kuznet@ms2.inr.ac.ru" "linux-arm-kernel@lists.infradead.org" "linux-kernel@vger.kernel.org" "linux-sctp@vger.kernel.org" "manivannan.sadhasivam@linaro.org" "marcelo.leitner@gmail.com" "netdev@vger.kernel.org" "nhorman@tuxdriver.com" "vyasevich@gmail.com" "willemb@google.com" "yoshfuji@linux-ipv6.org"] crash: general protection fault in ip6_datagram_dst_update kasan: CONFIG_KASAN_INLINE enabled kasan: GPF could be caused by NULL-ptr deref or user memory access general protection fault: 0000 [#1] PREEMPT SMP KASAN CPU: 1 PID: 7564 Comm: syz-executor.4 Not tainted 5.2.0-rc6+ #1 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:ip6_datagram_dst_update+0x468/0xb10 net/ipv6/datagram.c:83 Code: ed 8b fb 5a 85 c0 0f 85 10 01 00 00 4d 85 ed 0f 84 8d 03 00 00 49 8d 7d 20 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 3d 05 00 00 49 8b 4d 20 48 8d 95 10 ff ff ff 48 RSP: 0018:ffff88808b597a90 EFLAGS: 00010207 RAX: dffffc0000000000 RBX: 1ffff110116b2f56 RCX: ffffffff8156c074 RDX: 0000000000000003 RSI: 0000000000000004 RDI: 000000000000001e RBP: ffff88808b597bc0 R08: ffffed1015d46c80 R09: ffffed1015d46c7f R10: ffffed1015d46c7f R11: ffff8880aea363fb R12: ffff888097cf48b0 R13: fffffffffffffffe R14: ffff88808b597b10 R15: ffff888097cf4340 FS: 00007f5fe7957700(0000) GS:ffff8880aeb00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fb448e57db8 CR3: 0000000093802000 CR4: 00000000001406e0 Call Trace: __ip6_datagram_connect+0x4b7/0x1360 net/ipv6/datagram.c:246 ip6_datagram_connect+0x27/0x40 net/ipv6/datagram.c:269 ip6_datagram_connect_v6_only+0x40/0x70 net/ipv6/datagram.c:281 inet_dgram_connect+0x108/0x270 net/ipv4/af_inet.c:571 __sys_connect+0x20d/0x2d0 net/socket.c:1824 __do_sys_connect net/socket.c:1835 [inline] __se_sys_connect net/socket.c:1832 [inline] __x64_sys_connect+0x6e/0xb0 net/socket.c:1832 do_syscall_64+0xd0/0x530 arch/x86/entry/common.c:301 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x4597c9 Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007f5fe7956c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002a RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000004597c9 RDX: 000000000000001c RSI: 0000000020000040 RDI: 0000000000000003 RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f5fe79576d4 R13: 00000000004bfd07 R14: 00000000004d1838 R15: 00000000ffffffff Modules linked in: ---[ end trace 06023da0b422017e ]--- RIP: 0010:ip6_datagram_dst_update+0x468/0xb10 net/ipv6/datagram.c:83 Code: ed 8b fb 5a 85 c0 0f 85 10 01 00 00 4d 85 ed 0f 84 8d 03 00 00 49 8d 7d 20 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 3d 05 00 00 49 8b 4d 20 48 8d 95 10 ff ff ff 48 RSP: 0018:ffff88808b597a90 EFLAGS: 00010207 RAX: dffffc0000000000 RBX: 1ffff110116b2f56 RCX: ffffffff8156c074