bisecting cause commit starting from fb8ddaa915395c97f234340f465a4c424a7be090
building syzkaller on 9072c1268eaa464b9adbba5c8e11d308f15d1a92
testing commit fb8ddaa915395c97f234340f465a4c424a7be090 with gcc (GCC) 8.1.0
kernel signature: f7ad38c66ae5aeb8fb38d2f2c28ea97747bd3046b26b302f125fbd94a2ad8b65
all runs: crashed: general protection fault in __tipc_sendstream
testing release v5.6
testing commit 7111951b8d4973bda27ff663f2cf18b663d15b48 with gcc (GCC) 8.1.0
kernel signature: 3082456ba2b2096eba0a8c7f32a5a1df3cafbf8b05bf080c3e2467e50541a0ee
all runs: OK
# git bisect start fb8ddaa915395c97f234340f465a4c424a7be090 7111951b8d4973bda27ff663f2cf18b663d15b48
Bisecting: 8508 revisions left to test after this (roughly 13 steps)
[bc3b3f4bfbded031a11c4284106adddbfacd05bb] Merge tag 'pinctrl-v5.7-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl
testing commit bc3b3f4bfbded031a11c4284106adddbfacd05bb with gcc (GCC) 8.1.0
kernel signature: 4373177cdb6294153146ab92c4faab008ee067397d9771cb8de6bfe70bb33bde
all runs: OK
# git bisect good bc3b3f4bfbded031a11c4284106adddbfacd05bb
Bisecting: 4254 revisions left to test after this (roughly 12 steps)
[9de6fe3c28d6d8feadfad907961f1f31b85c6985] KVM: x86: Emulate split-lock access as a write in emulator
testing commit 9de6fe3c28d6d8feadfad907961f1f31b85c6985 with gcc (GCC) 8.1.0
kernel signature: d2bd992832457e07c8720f90d7522c25f37a6ca69365f51b095fab3d746d79bd
all runs: OK
# git bisect good 9de6fe3c28d6d8feadfad907961f1f31b85c6985
Bisecting: 2121 revisions left to test after this (roughly 11 steps)
[caffb99b6929f41a69edbb5aef3a359bf45f3315] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
testing commit caffb99b6929f41a69edbb5aef3a359bf45f3315 with gcc (GCC) 8.1.0
kernel signature: 175be17b6b7d6f8c415235e994d3a5105fe17bda7e3bc2f8307bca76529e1f32
all runs: OK
# git bisect good caffb99b6929f41a69edbb5aef3a359bf45f3315
Bisecting: 1008 revisions left to test after this (roughly 10 steps)
[5d9e4722c74e8868d5fe2f8749de80928eb4a1d1] Merge tag 'wireless-drivers-next-2020-05-07' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers-next
testing commit 5d9e4722c74e8868d5fe2f8749de80928eb4a1d1 with gcc (GCC) 8.1.0
kernel signature: aab360b87b905fd7564def8e3049fccb7500edef961fb202352fd0e1916af0fe
all runs: OK
# git bisect good 5d9e4722c74e8868d5fe2f8749de80928eb4a1d1
Bisecting: 504 revisions left to test after this (roughly 9 steps)
[8c2348e36af0da79477b0726781da297263269a4] atm: separate ATM_GETNAMES handling from the rest of atm_dev_ioctl()
testing commit 8c2348e36af0da79477b0726781da297263269a4 with gcc (GCC) 8.1.0
kernel signature: cbf74daf94190dae6ae9eb09462db9c7099df0fea7b919d7e27f3d81c3ebbe6c
all runs: OK
# git bisect good 8c2348e36af0da79477b0726781da297263269a4
Bisecting: 251 revisions left to test after this (roughly 8 steps)
[13209a8f7304a34158f4366e8ea07a1965c05ac7] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
testing commit 13209a8f7304a34158f4366e8ea07a1965c05ac7 with gcc (GCC) 8.1.0
kernel signature: fadf8f272bd9b3f8b9a5139250cc778b8f8ba433598fcee0b44f1aa93acc0c05
all runs: OK
# git bisect good 13209a8f7304a34158f4366e8ea07a1965c05ac7
Bisecting: 125 revisions left to test after this (roughly 7 steps)
[5205071a519c5dd7b479343e17a109fb3cb19629] mt76: mt7915: enable Rx HE rate reporting
testing commit 5205071a519c5dd7b479343e17a109fb3cb19629 with gcc (GCC) 8.1.0
kernel signature: 5c70b028694245b104b6d21368ff327348e4b1b8689b9ae4a770e5306dc1cd02
all runs: OK
# git bisect good 5205071a519c5dd7b479343e17a109fb3cb19629
Bisecting: 50 revisions left to test after this (roughly 6 steps)
[eda31200e68d38fbb974e7ad02bcc2de2cfe6863] Merge tag 'mt76-for-kvalo-2020-05-14' of https://github.com/nbd168/wireless
testing commit eda31200e68d38fbb974e7ad02bcc2de2cfe6863 with gcc (GCC) 8.1.0
kernel signature: e1873825ce1dded1d523697527fdee76d30abbab2e9095097be0a93d830f3b69
all runs: OK
# git bisect good eda31200e68d38fbb974e7ad02bcc2de2cfe6863
Bisecting: 30 revisions left to test after this (roughly 5 steps)
[617504c67e01d30310558442777a4112ea6d587d] bridge: mrp: Fix out-of-bounds read in br_mrp_parse
testing commit 617504c67e01d30310558442777a4112ea6d587d with gcc (GCC) 8.1.0
kernel signature: e16fc3af0bd5c85c3f23c44a627c5563e683551a112d83f558eb32dfe75f3222
run #0: OK
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: boot failed: can't ssh into the instance
# git bisect good 617504c67e01d30310558442777a4112ea6d587d
Bisecting: 15 revisions left to test after this (roughly 4 steps)
[d29d5ff9daee41a2553843574257e5a6724d5453] r8169: sync RTL8168g hw config with vendor driver
testing commit d29d5ff9daee41a2553843574257e5a6724d5453 with gcc (GCC) 8.1.0
kernel signature: 0fcc5d4f45444dcf0f3334a97fa13e89541294d0dbc91f906a6fd31a2b06925e
all runs: OK
# git bisect good d29d5ff9daee41a2553843574257e5a6724d5453
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[c6ed7a5cc2d68c36287c09260dc211173e0447d7] tipc: add back link trace events
testing commit c6ed7a5cc2d68c36287c09260dc211173e0447d7 with gcc (GCC) 8.1.0
kernel signature: 4a9ef94903549a8212fd499d9a492595b8fdaf6da1e89ebd8f40f60559723563
all runs: OK
# git bisect good c6ed7a5cc2d68c36287c09260dc211173e0447d7
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[6a862a44fd0c963f1bcb2ac9299609e1d8c011c2] Merge branch 'tipc-add-some-improvements'
testing commit 6a862a44fd0c963f1bcb2ac9299609e1d8c011c2 with gcc (GCC) 8.1.0
kernel signature: d50dae376f830e27a67b809487ac18af3465d09a6e7c785e87682b3cabfb67f7
all runs: crashed: general protection fault in __tipc_sendstream
# git bisect bad 6a862a44fd0c963f1bcb2ac9299609e1d8c011c2
Bisecting: 1 revision left to test after this (roughly 1 step)
[03b6fefd9bb4844c75faeb10df8496794e2fd5da] tipc: add support for broadcast rcv stats dumping
testing commit 03b6fefd9bb4844c75faeb10df8496794e2fd5da with gcc (GCC) 8.1.0
kernel signature: a0570ace82ea23e1eab601410f6e3253c70e0151d4daa37dbeeca872da914d19
all runs: OK
# git bisect good 03b6fefd9bb4844c75faeb10df8496794e2fd5da
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[0a3e060f340dbe232ffa290c40f879b7f7db595b] tipc: add test for Nagle algorithm effectiveness
testing commit 0a3e060f340dbe232ffa290c40f879b7f7db595b with gcc (GCC) 8.1.0
kernel signature: 58541a6e6a03dc0f4f7521637c1c1e96be5caac3acc0d14124059a86ffd2dd71
all runs: crashed: general protection fault in __tipc_sendstream
# git bisect bad 0a3e060f340dbe232ffa290c40f879b7f7db595b
0a3e060f340dbe232ffa290c40f879b7f7db595b is the first bad commit
commit 0a3e060f340dbe232ffa290c40f879b7f7db595b
Author: Tuong Lien <tuong.t.lien@dektech.com.au>
Date:   Tue May 26 16:38:38 2020 +0700

    tipc: add test for Nagle algorithm effectiveness
    
    When streaming in Nagle mode, we try to bundle small messages from user
    as many as possible if there is one outstanding buffer, i.e. not ACK-ed
    by the receiving side, which helps boost up the overall throughput. So,
    the algorithm's effectiveness really depends on when Nagle ACK comes or
    what the specific network latency (RTT) is, compared to the user's
    message sending rate.
    
    In a bad case, the user's sending rate is low or the network latency is
    small, there will not be many bundles, so making a Nagle ACK or waiting
    for it is not meaningful.
    For example: a user sends its messages every 100ms and the RTT is 50ms,
    then for each messages, we require one Nagle ACK but then there is only
    one user message sent without any bundles.
    
    In a better case, even if we have a few bundles (e.g. the RTT = 300ms),
    but now the user sends messages in medium size, then there will not be
    any difference at all, that says 3 x 1000-byte data messages if bundled
    will still result in 3 bundles with MTU = 1500.
    
    When Nagle is ineffective, the delay in user message sending is clearly
    wasted instead of sending directly.
    
    Besides, adding Nagle ACKs will consume some processor load on both the
    sending and receiving sides.
    
    This commit adds a test on the effectiveness of the Nagle algorithm for
    an individual connection in the network on which it actually runs.
    Particularly, upon receipt of a Nagle ACK we will compare the number of
    bundles in the backlog queue to the number of user messages which would
    be sent directly without Nagle. If the ratio is good (e.g. >= 2), Nagle
    mode will be kept for further message sending. Otherwise, we will leave
    Nagle and put a 'penalty' on the connection, so it will have to spend
    more 'one-way' messages before being able to re-enter Nagle.
    
    In addition, the 'ack-required' bit is only set when really needed that
    the number of Nagle ACKs will be reduced during Nagle mode.
    
    Testing with benchmark showed that with the patch, there was not much
    difference in throughput for small messages since the tool continuously
    sends messages without a break, so Nagle would still take in effect.
    
    Acked-by: Ying Xue <ying.xue@windriver.com>
    Acked-by: Jon Maloy <jmaloy@redhat.com>
    Signed-off-by: Tuong Lien <tuong.t.lien@dektech.com.au>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/tipc/msg.c    |  3 ---
 net/tipc/msg.h    | 14 ++++++++++--
 net/tipc/socket.c | 64 ++++++++++++++++++++++++++++++++++++++++++++-----------
 3 files changed, 64 insertions(+), 17 deletions(-)
culprit signature: 58541a6e6a03dc0f4f7521637c1c1e96be5caac3acc0d14124059a86ffd2dd71
parent  signature: a0570ace82ea23e1eab601410f6e3253c70e0151d4daa37dbeeca872da914d19
revisions tested: 16, total time: 4h1m18.624427792s (build: 1h34m36.387569393s, test: 2h24m58.110348054s)
first bad commit: 0a3e060f340dbe232ffa290c40f879b7f7db595b tipc: add test for Nagle algorithm effectiveness
cc: ["davem@davemloft.net" "jmaloy@redhat.com" "tuong.t.lien@dektech.com.au" "ying.xue@windriver.com"]
crash: general protection fault in __tipc_sendstream
general protection fault, probably for non-canonical address 0xdffffc0000000019: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x00000000000000c8-0x00000000000000cf]
CPU: 0 PID: 8446 Comm: syz-executor.3 Not tainted 5.7.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__tipc_sendstream+0x8fb/0xe40 net/tipc/socket.c:1591
Code: 00 0f 85 20 04 00 00 49 8b 9d 90 02 00 00 b8 00 00 00 00 48 39 5c 24 20 48 0f 44 d8 48 8d bb c8 00 00 00 48 89 f8 48 c1 e8 03 <80> 3c 28 00 0f 85 fd 03 00 00 48 8b 9b c8 00 00 00 48 89 d8 48 c1
RSP: 0018:ffffc90004867800 EFLAGS: 00010202
RAX: 0000000000000019 RBX: 0000000000000000 RCX: 0000000000000006
RDX: 0000000000000000 RSI: ffffc90004867d88 RDI: 00000000000000c8
RBP: dffffc0000000000 R08: ffff8880a63ee348 R09: fffffbfff16ae951
R10: ffffffff8b574a87 R11: fffffbfff16ae950 R12: ffff8880a63ee5fe
R13: ffff8880a63ee0c0 R14: ffffc900048678e8 R15: 0000000000000004
FS:  00007fa04c5e0700(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000004fc5d0 CR3: 00000000a897f000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 tipc_sendstream+0x46/0x60 net/tipc/socket.c:1533
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg+0xac/0xe0 net/socket.c:672
 ____sys_sendmsg+0x39d/0x790 net/socket.c:2352
 ___sys_sendmsg+0xe4/0x160 net/socket.c:2406
 __sys_sendmmsg+0x13e/0x320 net/socket.c:2496
 __do_sys_sendmmsg net/socket.c:2525 [inline]
 __se_sys_sendmmsg net/socket.c:2522 [inline]
 __x64_sys_sendmmsg+0x94/0x100 net/socket.c:2522
 do_syscall_64+0xc6/0x620 arch/x86/entry/common.c:295
 entry_SYSCALL_64_after_hwframe+0x49/0xb3
RIP: 0033:0x45ca29
Code: 0d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fa04c5dfc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 00000000004fc5c0 RCX: 000000000045ca29
RDX: 0492492492492619 RSI: 0000000020003240 RDI: 0000000000000003
RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000008de R14: 00000000004cba28 R15: 00007fa04c5e06d4
Modules linked in:
---[ end trace 430a4916c65070ae ]---
RIP: 0010:__tipc_sendstream+0x8fb/0xe40 net/tipc/socket.c:1591
Code: 00 0f 85 20 04 00 00 49 8b 9d 90 02 00 00 b8 00 00 00 00 48 39 5c 24 20 48 0f 44 d8 48 8d bb c8 00 00 00 48 89 f8 48 c1 e8 03 <80> 3c 28 00 0f 85 fd 03 00 00 48 8b 9b c8 00 00 00 48 89 d8 48 c1
RSP: 0018:ffffc90004867800 EFLAGS: 00010202
RAX: 0000000000000019 RBX: 0000000000000000 RCX: 0000000000000006
RDX: 0000000000000000 RSI: ffffc90004867d88 RDI: 00000000000000c8
RBP: dffffc0000000000 R08: ffff8880a63ee348 R09: fffffbfff16ae951
R10: ffffffff8b574a87 R11: fffffbfff16ae950 R12: ffff8880a63ee5fe
R13: ffff8880a63ee0c0 R14: ffffc900048678e8 R15: 0000000000000004
FS:  00007fa04c5e0700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fd971a15008 CR3: 00000000a897f000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400