bisecting cause commit starting from a089e4fed5c5e8717f233d71bb750fbf9e1f38e0
building syzkaller on 12365b99ce83b8a58433eaedbe412dff563ef8fb
testing commit a089e4fed5c5e8717f233d71bb750fbf9e1f38e0 with gcc (GCC) 8.1.0
all runs: crashed: general protection fault in sctp_assoc_rwnd_increase
testing release v5.0
testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783 with gcc (GCC) 8.1.0
all runs: OK
# git bisect start a089e4fed5c5e8717f233d71bb750fbf9e1f38e0 v5.0
Bisecting: 5173 revisions left to test after this (roughly 12 steps)
[da2577fe63f865cd9dc785a42c29c0071f567a35] Merge tag 'sound-5.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound
testing commit da2577fe63f865cd9dc785a42c29c0071f567a35 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good da2577fe63f865cd9dc785a42c29c0071f567a35
Bisecting: 2426 revisions left to test after this (roughly 11 steps)
[851ca779d110f694b5d078bc4af06d3ad37169e8] Merge tag 'drm-next-2019-03-06' of git://anongit.freedesktop.org/drm/drm
testing commit 851ca779d110f694b5d078bc4af06d3ad37169e8 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 851ca779d110f694b5d078bc4af06d3ad37169e8
Bisecting: 1158 revisions left to test after this (roughly 10 steps)
[2901752c14b8e1b7dd898d2e5245c93e531aa624] Merge tag 'pci-v5.1-changes' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci
testing commit 2901752c14b8e1b7dd898d2e5245c93e531aa624 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 2901752c14b8e1b7dd898d2e5245c93e531aa624
Bisecting: 595 revisions left to test after this (roughly 9 steps)
[d6075262969321bcb5d795de25595fc2a141ac02] Merge tag 'nios2-v5.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/lftan/nios2
testing commit d6075262969321bcb5d795de25595fc2a141ac02 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good d6075262969321bcb5d795de25595fc2a141ac02
Bisecting: 309 revisions left to test after this (roughly 8 steps)
[c3665a6be5de16cf6670a00003642114c44d8a70] Merge branch 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
testing commit c3665a6be5de16cf6670a00003642114c44d8a70 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good c3665a6be5de16cf6670a00003642114c44d8a70
Bisecting: 153 revisions left to test after this (roughly 7 steps)
[8f49a658b4ea1d0205068da76b7c8c844817dc44] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
testing commit 8f49a658b4ea1d0205068da76b7c8c844817dc44 with gcc (GCC) 8.1.0
all runs: crashed: general protection fault in sctp_assoc_rwnd_increase
# git bisect bad 8f49a658b4ea1d0205068da76b7c8c844817dc44
Bisecting: 75 revisions left to test after this (roughly 6 steps)
[ffd602eb4693bbb49b301fa059b109bbdebf9524] Merge tag 'kbuild-v5.1' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild
testing commit ffd602eb4693bbb49b301fa059b109bbdebf9524 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good ffd602eb4693bbb49b301fa059b109bbdebf9524
Bisecting: 37 revisions left to test after this (roughly 5 steps)
[ffb3016bd6f2cc92b46b3232e88e3c27fdb86db1] Merge branch 'stmmac-add-some-fixes-for-stm32'
testing commit ffb3016bd6f2cc92b46b3232e88e3c27fdb86db1 with gcc (GCC) 8.1.0
run #0: crashed: general protection fault in sctp_assoc_rwnd_increase
run #1: crashed: general protection fault in sctp_ulpevent_free
run #2: crashed: general protection fault in sctp_assoc_rwnd_increase
run #3: crashed: general protection fault in sctp_assoc_rwnd_increase
run #4: crashed: general protection fault in sctp_assoc_rwnd_increase
run #5: crashed: general protection fault in sctp_assoc_rwnd_increase
run #6: crashed: general protection fault in sctp_assoc_rwnd_increase
run #7: crashed: general protection fault in sctp_assoc_rwnd_increase
# git bisect bad ffb3016bd6f2cc92b46b3232e88e3c27fdb86db1
Bisecting: 18 revisions left to test after this (roughly 4 steps)
[f9d19a7494e5341a7f256823e32788ae560ca22f] net: atm: Use IS_ENABLED in atm_dev_ioctl
testing commit f9d19a7494e5341a7f256823e32788ae560ca22f with gcc (GCC) 8.1.0
all runs: OK
# git bisect good f9d19a7494e5341a7f256823e32788ae560ca22f
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[89664c623617b1d34447a927ac7871ddf3db29d3] sctp: sctp_sock_migrate() returns error if sctp_bind_addr_dup() fails
testing commit 89664c623617b1d34447a927ac7871ddf3db29d3 with gcc (GCC) 8.1.0
run #0: crashed: general protection fault in sctp_assoc_rwnd_increase
run #1: crashed: general protection fault in sctp_assoc_rwnd_increase
run #2: crashed: general protection fault in sctp_assoc_rwnd_increase
run #3: crashed: general protection fault in sctp_assoc_rwnd_increase
run #4: crashed: general protection fault in corrupted
run #5: crashed: general protection fault in sctp_assoc_rwnd_increase
run #6: crashed: general protection fault in sctp_assoc_rwnd_increase
run #7: crashed: general protection fault in corrupted
# git bisect bad 89664c623617b1d34447a927ac7871ddf3db29d3
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[1e027960edfaa6a43f9ca31081729b716598112b] net/hsr: fix possible crash in add_timer()
testing commit 1e027960edfaa6a43f9ca31081729b716598112b with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 1e027960edfaa6a43f9ca31081729b716598112b
Bisecting: 2 revisions left to test after this (roughly 1 step)
[2e990dfd13974d9eae493006f42ffb48707970ef] sctp: remove sched init from sctp_stream_init
testing commit 2e990dfd13974d9eae493006f42ffb48707970ef with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 2e990dfd13974d9eae493006f42ffb48707970ef
Bisecting: 0 revisions left to test after this (roughly 1 step)
[ad6c9986bcb627c7c22b8f9e9a934becc27df87c] vxlan: Fix GRO cells race condition between receive and link delete
testing commit ad6c9986bcb627c7c22b8f9e9a934becc27df87c with gcc (GCC) 8.1.0
all runs: OK
# git bisect good ad6c9986bcb627c7c22b8f9e9a934becc27df87c
89664c623617b1d34447a927ac7871ddf3db29d3 is the first bad commit
commit 89664c623617b1d34447a927ac7871ddf3db29d3
Author: Xin Long <lucien.xin@gmail.com>
Date:   Sun Mar 3 17:54:53 2019 +0800

    sctp: sctp_sock_migrate() returns error if sctp_bind_addr_dup() fails
    
    It should fail to create the new sk if sctp_bind_addr_dup() fails
    when accepting or peeloff an association.
    
    Signed-off-by: Xin Long <lucien.xin@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

:040000 040000 3009bc44e3a7b72315a848138477a24165636d41 315ad98c90e7c48a97642e03bb4a78f44cf4ab14 M	net
revisions tested: 15, total time: 3h21m12.296173052s (build: 1h20m43.917421453s, test: 1h57m31.851356935s)
first bad commit: 89664c623617b1d34447a927ac7871ddf3db29d3 sctp: sctp_sock_migrate() returns error if sctp_bind_addr_dup() fails
cc: ["davem@davemloft.net" "linux-kernel@vger.kernel.org" "linux-sctp@vger.kernel.org" "lucien.xin@gmail.com" "marcelo.leitner@gmail.com" "netdev@vger.kernel.org" "nhorman@tuxdriver.com" "vyasevich@gmail.com"]
crash: general protection fault in corrupted
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x16e/0x1f6 lib/dump_stack.c:113
kasan: CONFIG_KASAN_INLINE enabled
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail.cold.4+0xa/0x17 lib/fault-inject.c:149
kasan: GPF could be caused by NULL-ptr deref or user memory access
 __should_failslab+0x124/0x180 mm/failslab.c:32
general protection fault: 0000 [#1] PREEMPT SMP KASAN
 should_failslab+0x9/0x14 mm/slab_common.c:1604
CPU: 0 PID: 7339 Comm: syz-executor.5 Not tainted 5.0.0+ #1
 slab_pre_alloc_hook mm/slab.h:423 [inline]
 slab_alloc mm/slab.c:3374 [inline]
 kmem_cache_alloc_trace+0x2db/0x750 mm/slab.c:3613
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
RIP: 0010:sctp_assoc_rwnd_increase+0x34/0x510 net/sctp/associola.c:1498
Code: 41 89 f5 41 54 53 48 89 fb 48 83 ec 08 e8 54 06 f5 fa 48 8d bb 60 06 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 27 04 00 00 44 8b a3 60 06 00
 kmalloc include/linux/slab.h:545 [inline]
 kzalloc include/linux/slab.h:740 [inline]
 sctp_add_bind_addr+0x96/0x3a0 net/sctp/bind_addr.c:159
RSP: 0018:ffff888075e2f5d8 EFLAGS: 00010203
 sctp_bind_addr_dup+0xd8/0x140 net/sctp/bind_addr.c:114
RAX: dffffc0000000000 RBX: ffffffffffffffff RCX: 0000000000000001
 sctp_sock_migrate+0x526/0x13c0 net/sctp/socket.c:9223
RDX: 00000000000000cb RSI: ffffffff867aba5c RDI: 000000000000065f
RBP: ffff888075e2f608 R08: ffff888073620000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff88807af3776f
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
 sctp_do_peeloff+0x2ef/0x470 net/sctp/socket.c:5646
FS:  00007f9cc3f51700(0000) GS:ffff88802d800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000625208 CR3: 000000001fa88000 CR4: 00000000007406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
 sctp_getsockopt_peeloff_common.isra.31+0x8e/0x260 net/sctp/socket.c:5665
Call Trace:
 sctp_ulpevent_release_data net/sctp/ulpevent.c:1092 [inline]
 sctp_ulpevent_free+0x21f/0x4e0 net/sctp/ulpevent.c:1129
 sctp_queue_purge_ulpevents+0xbf/0x110 net/sctp/ulpevent.c:1146
 sctp_close+0x13a/0x850 net/sctp/socket.c:1515
 sctp_getsockopt_peeloff net/sctp/socket.c:5707 [inline]
 sctp_getsockopt+0x1ad9/0x676c net/sctp/socket.c:7802
 inet_release+0x104/0x1f0 net/ipv4/af_inet.c:428
 inet6_release+0x50/0x70 net/ipv6/af_inet6.c:473
 __sock_release+0x204/0x2b0 net/socket.c:579
 sock_release+0x17/0x20 net/socket.c:599
 sctp_do_peeloff+0x384/0x470 net/sctp/socket.c:5649
 sctp_getsockopt_peeloff_common.isra.31+0x8e/0x260 net/sctp/socket.c:5665
 sctp_getsockopt_peeloff net/sctp/socket.c:5707 [inline]
 sctp_getsockopt+0x1ad9/0x676c net/sctp/socket.c:7802
 sock_common_getsockopt+0x9a/0xe0 net/core/sock.c:3079
 __sys_getsockopt+0x175/0x260 net/socket.c:1960
 __do_sys_getsockopt net/socket.c:1971 [inline]
 __se_sys_getsockopt net/socket.c:1968 [inline]
 __x64_sys_getsockopt+0xbe/0x150 net/socket.c:1968
 do_syscall_64+0x103/0x600 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x457799
Code: 8d b5 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b b5 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fb34a5abc88 EFLAGS: 00000246 ORIG_RAX: 0000000000000037
RAX: ffffffffffffffda RBX: 000000000071bfa0 RCX: 0000000000457799
RDX: 0000000000000066 RSI: 0000000000000084 RDI: 0000000000000003
RBP: 00007fb34a5abca0 R08: 0000000020000140 R09: 0000000000000000
R10: 0000000020000040 R11: 0000000000000246 R12: 0000000000000004
R13: 00000000006e3ef8 R14: 00000000004b0af8 R15: 00007fb34a5ac6d4
 sock_common_getsockopt+0x9a/0xe0 net/core/sock.c:3079
CPU: 1 PID: 7340 Comm: syz-executor.3 Not tainted 5.0.0+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
 __sys_getsockopt+0x175/0x260 net/socket.c:1960
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x16e/0x1f6 lib/dump_stack.c:113
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail.cold.4+0xa/0x17 lib/fault-inject.c:149
 __should_failslab+0x124/0x180 mm/failslab.c:32
 __do_sys_getsockopt net/socket.c:1971 [inline]
 __se_sys_getsockopt net/socket.c:1968 [inline]
 __x64_sys_getsockopt+0xbe/0x150 net/socket.c:1968
 should_failslab+0x9/0x14 mm/slab_common.c:1604
 do_syscall_64+0x103/0x600 arch/x86/entry/common.c:290
 slab_pre_alloc_hook mm/slab.h:423 [inline]
 slab_alloc mm/slab.c:3374 [inline]
 kmem_cache_alloc_trace+0x2db/0x750 mm/slab.c:3613
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x457799
Code: 8d b5 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b b5 fb ff c3 66 2e 0f 1f 84 00 00 00 00
 kmalloc include/linux/slab.h:545 [inline]
 kzalloc include/linux/slab.h:740 [inline]
 sctp_add_bind_addr+0x96/0x3a0 net/sctp/bind_addr.c:159
RSP: 002b:00007f9cc3f50c88 EFLAGS: 00000246 ORIG_RAX: 0000000000000037
 sctp_bind_addr_dup+0xd8/0x140 net/sctp/bind_addr.c:114
RAX: ffffffffffffffda RBX: 000000000071bfa0 RCX: 0000000000457799
 sctp_sock_migrate+0x526/0x13c0 net/sctp/socket.c:9223
RDX: 0000000000000066 RSI: 0000000000000084 RDI: 0000000000000003
RBP: 00007f9cc3f50ca0 R08: 0000000020000140 R09: 0000000000000000
R10: 0000000020000040 R11: 0000000000000246 R12: 0000000000000004
 sctp_do_peeloff+0x2ef/0x470 net/sctp/socket.c:5646
R13: 00000000006e3ef8 R14: 00000000004b0af8 R15: 00007f9cc3f516d4
Modules linked in:
 sctp_getsockopt_peeloff_common.isra.31+0x8e/0x260 net/sctp/socket.c:5665
 sctp_getsockopt_peeloff net/sctp/socket.c:5707 [inline]
 sctp_getsockopt+0x1ad9/0x676c net/sctp/socket.c:7802
---[ end trace 2103fac05e604873 ]---
RIP: 0010:sctp_assoc_rwnd_increase+0x34/0x510 net/sctp/associola.c:1498
Code: 41 89 f5 41 54 53 48 89 fb 48 83 ec 08 e8 54 06 f5 fa 48 8d bb 60 06 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 27 04 00 00 44 8b a3 60 06 00
RSP: 0018:ffff888075e2f5d8 EFLAGS: 00010203
RAX: dffffc0000000000 RBX: ffffffffffffffff RCX: 0000000000000001
RDX: 00000000000000cb RSI: ffffffff867aba5c RDI: 000000000000065f
RBP: ffff888075e2f608 R08: ffff888073620000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff88807af3776f
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS:  00007f9cc3f51700(0000) GS:ffff88802d800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000625208 CR3: 000000001fa88000 CR4: 00000000007406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554