bisecting cause commit starting from d89091a4930ee0d80bee3e259a98513f3a2543ec
building syzkaller on 438e1227121e9d4bbca7b12b6e1b715524d512c2
testing commit d89091a4930ee0d80bee3e259a98513f3a2543ec with gcc (GCC) 8.1.0
kernel signature: 32e9eb5e9f25b61e7ebbe5275c10fea52c2b460c
all runs: crashed: general protection fault in dccp_timeout_nlattr_to_obj
testing release v5.4
testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0
kernel signature: 5aefa6e20be7d3a8c3f6b222352600d88c6015db
all runs: crashed: general protection fault in dccp_timeout_nlattr_to_obj
testing release v5.3
testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.1.0
kernel signature: 07048b392e7c04d5489bb0b1c9c5d4152753c74e
all runs: crashed: general protection fault in dccp_timeout_nlattr_to_obj
testing release v5.2
testing commit 0ecfebd2b52404ae0c54a878c872bb93363ada36 with gcc (GCC) 8.1.0
kernel signature: d113517c68bac3a86896bc1b81592c18d2b9b034
all runs: crashed: general protection fault in dccp_timeout_nlattr_to_obj
testing release v5.1
testing commit e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd with gcc (GCC) 8.1.0
kernel signature: a4f5722a6a4e220b10d46df378de23d926dd5b65
all runs: crashed: general protection fault in dccp_timeout_nlattr_to_obj
testing release v5.0
testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783 with gcc (GCC) 8.1.0
kernel signature: 8b4680f3c6f697f4ff2c13a6cd247bb44b3317d2
all runs: crashed: general protection fault in dccp_timeout_nlattr_to_obj
testing release v4.20
testing commit 8fe28cb58bcb235034b64cbbb7550a8a43fd88be with gcc (GCC) 8.1.0
kernel signature: a4d7ace55ac0e50011181138aa56ba091a4b2a24
all runs: crashed: general protection fault in dccp_timeout_nlattr_to_obj
testing release v4.19
testing commit 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d with gcc (GCC) 8.1.0
kernel signature: d46828acae7c8350538a863031b324d0837ec487
all runs: basic kernel testing failed: timed out
testing release v4.18
testing commit 94710cac0ef4ee177a63b5227664b38c95bbf703 with gcc (GCC) 8.1.0
kernel signature: ea29ab7dff62bc4388989966e8325b6fa00dcd5d
all runs: OK
# git bisect start 8fe28cb58bcb235034b64cbbb7550a8a43fd88be 94710cac0ef4ee177a63b5227664b38c95bbf703
Bisecting: 15098 revisions left to test after this (roughly 14 steps)
[89303c7ea770b6010943ef4ed73eb92bdc5a7ec8] Merge tag 'usb-serial-4.20-rc1' of https://git.kernel.org/pub/scm/linux/kernel/git/johan/usb-serial into usb-next
testing commit 89303c7ea770b6010943ef4ed73eb92bdc5a7ec8 with gcc (GCC) 8.1.0
kernel signature: 42b8d81155b369290f7ea8e5b9aefedf382a976c
all runs: OK
# git bisect good 89303c7ea770b6010943ef4ed73eb92bdc5a7ec8
Bisecting: 7502 revisions left to test after this (roughly 13 steps)
[685f7e4f161425b137056abe35ba8ef7b669d83d] Merge tag 'powerpc-4.20-1' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux
testing commit 685f7e4f161425b137056abe35ba8ef7b669d83d with gcc (GCC) 8.1.0
kernel signature: f75923cc07395d18b43501009afe5e25c36e9582
all runs: crashed: general protection fault in dccp_timeout_nlattr_to_obj
# git bisect bad 685f7e4f161425b137056abe35ba8ef7b669d83d
Bisecting: 3019 revisions left to test after this (roughly 12 steps)
[50b825d7e87f4cff7070df6eb26390152bb29537] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next
testing commit 50b825d7e87f4cff7070df6eb26390152bb29537 with gcc (GCC) 8.1.0
kernel signature: a12509dcbd16390cd1dca4e2b207166f299c7f45
all runs: crashed: general protection fault in dccp_timeout_nlattr_to_obj
# git bisect bad 50b825d7e87f4cff7070df6eb26390152bb29537
Bisecting: 2287 revisions left to test after this (roughly 11 steps)
[b87e7f246898d0ccd676fbac5cb3fe41b1735cf9] Documentation: e1000e: Prepare documentation for RST conversion
testing commit b87e7f246898d0ccd676fbac5cb3fe41b1735cf9 with gcc (GCC) 8.1.0
kernel signature: a322a82a225d3f7508820e168ce3848144c6ce41
all runs: crashed: general protection fault in dccp_timeout_nlattr_to_obj
# git bisect bad b87e7f246898d0ccd676fbac5cb3fe41b1735cf9
Bisecting: 1143 revisions left to test after this (roughly 10 steps)
[f76c483a0b373fdfaedafefe8e4da8beb614e1e9] dpaa2-eth: Rename structure
testing commit f76c483a0b373fdfaedafefe8e4da8beb614e1e9 with gcc (GCC) 8.1.0
kernel signature: 28d9d3fbb2661c7bfdf8e42c8b6f84c9d27ea4f4
all runs: OK
# git bisect good f76c483a0b373fdfaedafefe8e4da8beb614e1e9
Bisecting: 571 revisions left to test after this (roughly 9 steps)
[bf341eb895411f36582a905d4a646b387a0d1fc3] mlxsw: spectrum: Remove misuses of private header file
testing commit bf341eb895411f36582a905d4a646b387a0d1fc3 with gcc (GCC) 8.1.0
kernel signature: 8fc249fb1f5a138d4399343b833716c44967bc5f
all runs: crashed: general protection fault in dccp_timeout_nlattr_to_obj
# git bisect bad bf341eb895411f36582a905d4a646b387a0d1fc3
Bisecting: 332 revisions left to test after this (roughly 8 steps)
[5580d810560da33804053ae3bca13110c9a8d5e8] Merge tag 'mt76-for-kvalo-2018-10-05' of https://github.com/nbd168/wireless
testing commit 5580d810560da33804053ae3bca13110c9a8d5e8 with gcc (GCC) 8.1.0
kernel signature: f2e3a6e05be012703348ccee0d8b152ac1dc4d02
all runs: OK
# git bisect good 5580d810560da33804053ae3bca13110c9a8d5e8
Bisecting: 166 revisions left to test after this (roughly 7 steps)
[062f97a314355c3f0021cfa1454726cfe12432fa] isdn/gigaset/isocdata: mark expected switch fall-through
testing commit 062f97a314355c3f0021cfa1454726cfe12432fa with gcc (GCC) 8.1.0
kernel signature: 508e21165d4604d8023d6d22ecaf0da749e28015
all runs: OK
# git bisect good 062f97a314355c3f0021cfa1454726cfe12432fa
Bisecting: 95 revisions left to test after this (roughly 6 steps)
[df3f94a0bbeb6cb6a02eb16b8e76f16b33cb2f8f] bpf: fix building without CONFIG_INET
testing commit df3f94a0bbeb6cb6a02eb16b8e76f16b33cb2f8f with gcc (GCC) 8.1.0
kernel signature: c354d6fd833e0c39a4cb96052fe17c300baec505
all runs: OK
# git bisect good df3f94a0bbeb6cb6a02eb16b8e76f16b33cb2f8f
Bisecting: 47 revisions left to test after this (roughly 6 steps)
[1f15462539829cd05510c053538aad27a8f1fac8] octeontx2-af: Convert mbox msg id check to a macro
testing commit 1f15462539829cd05510c053538aad27a8f1fac8 with gcc (GCC) 8.1.0
kernel signature: a0681bcc4dce9fa86c0acdd096800562a8c0cce6
all runs: crashed: general protection fault in dccp_timeout_nlattr_to_obj
# git bisect bad 1f15462539829cd05510c053538aad27a8f1fac8
Bisecting: 23 revisions left to test after this (roughly 5 steps)
[9306425b70bf1284a037b7461222887aff48cf8d] netfilter: ctnetlink: must check mark attributes vs NULL
testing commit 9306425b70bf1284a037b7461222887aff48cf8d with gcc (GCC) 8.1.0
kernel signature: 9d9b25384ade326f1ebb6ebe2d840172bbfe1d80
all runs: crashed: general protection fault in dccp_timeout_nlattr_to_obj
# git bisect bad 9306425b70bf1284a037b7461222887aff48cf8d
Bisecting: 11 revisions left to test after this (roughly 4 steps)
[4430b897a2063c44462e8cea3293ebb5851d9cfd] netfilter: cttimeout: remove superfluous check on layer 4 netlink functions
testing commit 4430b897a2063c44462e8cea3293ebb5851d9cfd with gcc (GCC) 8.1.0
kernel signature: 4bea4306fcf4776226eb3951d679d9473588d63c
all runs: OK
# git bisect good 4430b897a2063c44462e8cea3293ebb5851d9cfd
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[6fe78fa484a5dad030b24e33e0cedc5d5bbd0fde] netfilter: conntrack: remove error callback and handle icmp from core
testing commit 6fe78fa484a5dad030b24e33e0cedc5d5bbd0fde with gcc (GCC) 8.1.0
kernel signature: 119d4f5d7158aa42773c4285d5536687976f46ec
all runs: OK
# git bisect good 6fe78fa484a5dad030b24e33e0cedc5d5bbd0fde
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[93185c80a5f748620f5652e492f2a1c8d89db593] netfilter: conntrack: clamp l4proto array size at largers supported protocol
testing commit 93185c80a5f748620f5652e492f2a1c8d89db593 with gcc (GCC) 8.1.0
kernel signature: d223117d000eb8e457a89f8141282fa054d204bb
all runs: crashed: general protection fault in dccp_timeout_nlattr_to_obj
# git bisect bad 93185c80a5f748620f5652e492f2a1c8d89db593
Bisecting: 0 revisions left to test after this (roughly 1 step)
[dd2934a95701576203b2f61e8ded4e4a2f9183ea] netfilter: conntrack: remove l3->l4 mapping information
testing commit dd2934a95701576203b2f61e8ded4e4a2f9183ea with gcc (GCC) 8.1.0
kernel signature: f3f4abb77fa1a4ed64684b29c5202cead5f20401
all runs: crashed: general protection fault in dccp_timeout_nlattr_to_obj
# git bisect bad dd2934a95701576203b2f61e8ded4e4a2f9183ea
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[ca2ca6e1c04e64413f5fb9a5d54fb8b0bdd86467] netfilter: conntrack: remove unused proto arg from netns init functions
testing commit ca2ca6e1c04e64413f5fb9a5d54fb8b0bdd86467 with gcc (GCC) 8.1.0
kernel signature: 75edc07715564ee4ac9b312cf4493859c11e788d
all runs: OK
# git bisect good ca2ca6e1c04e64413f5fb9a5d54fb8b0bdd86467
dd2934a95701576203b2f61e8ded4e4a2f9183ea is the first bad commit
commit dd2934a95701576203b2f61e8ded4e4a2f9183ea
Author: Florian Westphal <fw@strlen.de>
Date:   Mon Sep 17 12:02:54 2018 +0200

    netfilter: conntrack: remove l3->l4 mapping information
    
    l4 protocols are demuxed by l3num, l4num pair.
    
    However, almost all l4 trackers are l3 agnostic.
    
    Only exceptions are:
     - gre, icmp (ipv4 only)
     - icmpv6 (ipv6 only)
    
    This commit gets rid of the l3 mapping, l4 trackers can now be looked up
    by their IPPROTO_XXX value alone, which gets rid of the additional l3
    indirection.
    
    For icmp, ipcmp6 and gre, add a check on state->pf and
    return -NF_ACCEPT in case we're asked to track e.g. icmpv6-in-ipv4,
    this seems more fitting than using the generic tracker.
    
    Additionally we can kill the 2nd l4proto definitions that were needed
    for v4/v6 split -- they are now the same so we can use single l4proto
    struct for each protocol, rather than two.
    
    The EXPORT_SYMBOLs can be removed as all these object files are
    part of nf_conntrack with no external references.
    
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

 include/net/netfilter/ipv4/nf_conntrack_ipv4.h |  13 ++--
 include/net/netfilter/ipv6/nf_conntrack_ipv6.h |  13 ----
 include/net/netfilter/nf_conntrack_l4proto.h   |   9 +--
 net/netfilter/nf_conntrack_core.c              |  15 ++--
 net/netfilter/nf_conntrack_expect.c            |   3 +-
 net/netfilter/nf_conntrack_netlink.c           |  14 ++--
 net/netfilter/nf_conntrack_proto.c             | 104 +++++++------------------
 net/netfilter/nf_conntrack_proto_dccp.c        |  35 +--------
 net/netfilter/nf_conntrack_proto_generic.c     |   1 -
 net/netfilter/nf_conntrack_proto_gre.c         |   4 +-
 net/netfilter/nf_conntrack_proto_icmp.c        |   6 +-
 net/netfilter/nf_conntrack_proto_icmpv6.c      |   6 +-
 net/netfilter/nf_conntrack_proto_sctp.c        |  36 +--------
 net/netfilter/nf_conntrack_proto_tcp.c         |  37 +--------
 net/netfilter/nf_conntrack_proto_udp.c         |  62 +--------------
 net/netfilter/nf_conntrack_standalone.c        |   2 +-
 net/netfilter/nf_flow_table_core.c             |   2 +-
 net/netfilter/nfnetlink_cttimeout.c            |  11 +--
 net/netfilter/nft_ct.c                         |   2 +-
 net/netfilter/xt_CT.c                          |   2 +-
 20 files changed, 76 insertions(+), 301 deletions(-)
culprit signature: f3f4abb77fa1a4ed64684b29c5202cead5f20401
parent  signature: 75edc07715564ee4ac9b312cf4493859c11e788d
revisions tested: 25, total time: 4h47m1.710390206s (build: 2h19m32.416433109s, test: 2h25m45.063310817s)
first bad commit: dd2934a95701576203b2f61e8ded4e4a2f9183ea netfilter: conntrack: remove l3->l4 mapping information
cc: ["coreteam@netfilter.org" "davem@davemloft.net" "fw@strlen.de" "kadlec@blackhole.kfki.hu" "linux-kernel@vger.kernel.org" "netdev@vger.kernel.org" "netfilter-devel@vger.kernel.org" "pablo@netfilter.org"]
crash: general protection fault in dccp_timeout_nlattr_to_obj
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.4'.
IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
general protection fault: 0000 [#1] PREEMPT SMP KASAN
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
CPU: 0 PID: 7058 Comm: syz-executor.4 Not tainted 4.19.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:dccp_timeout_nlattr_to_obj+0x5a/0x240 net/netfilter/nf_conntrack_proto_dccp.c:690
Code: 89 d8 48 c1 e8 03 42 0f b6 0c 30 48 89 d8 83 e0 07 83 c0 03 38 c8 7c 08 84 c9 0f 85 71 01 00 00 4c 89 e0 44 8b 3b 48 c1 e8 03 <42> 0f b6 0c 30 4c 89 e0 83 e0 07 83 c0 03 38 c8 7c 08 84 c9 0f 85
RSP: 0018:ffff880091ad74a8 EFLAGS: 00010246
IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
RAX: 0000000000000000 RBX: ffff88008d0dd8ac RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffff88008d0dd8d0 RDI: ffff88008c22e880
RBP: ffff880091ad74e0 R08: dffffc0000000000 R09: 0000000000000005
R10: ffffed0011845d17 R11: ffff88008c22e8bf R12: 0000000000000000
R13: ffff88008c22e880 R14: dffffc0000000000 R15: 0000000000005dc0
FS:  00007fc53a857700(0000) GS:ffff8800aea00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f14298ca000 CR3: 00000000a80b4000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 ctnl_timeout_parse_policy+0x130/0x1b0 net/netfilter/nfnetlink_cttimeout.c:67
 cttimeout_default_set+0x13f/0x1a0 net/netfilter/nfnetlink_cttimeout.c:372
IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
 nfnetlink_rcv_msg+0x942/0xc10 net/netfilter/nfnetlink.c:228
 netlink_rcv_skb+0x142/0x390 net/netlink/af_netlink.c:2447
 nfnetlink_rcv+0x163/0x3b0 net/netfilter/nfnetlink.c:560
 netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
 netlink_unicast+0x443/0x650 net/netlink/af_netlink.c:1336
 netlink_sendmsg+0x765/0xc40 net/netlink/af_netlink.c:1901
 sock_sendmsg_nosec net/socket.c:621 [inline]
 sock_sendmsg+0xb5/0xf0 net/socket.c:631
 ___sys_sendmsg+0x647/0x950 net/socket.c:2114
 __sys_sendmsg+0xd9/0x180 net/socket.c:2152
 __do_sys_sendmsg net/socket.c:2161 [inline]
 __se_sys_sendmsg net/socket.c:2159 [inline]
 __x64_sys_sendmsg+0x73/0xb0 net/socket.c:2159
 do_syscall_64+0xd0/0x4d0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45af49
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fc53a856c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045af49
RDX: 0000000000000940 RSI: 0000000020000200 RDI: 0000000000000003
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fc53a8576d4
R13: 00000000004c9fec R14: 00000000004e2e30 R15: 00000000ffffffff
Modules linked in:
device veth0_vlan entered promiscuous mode
---[ end trace 91f044ec97337a79 ]---
device veth1_vlan entered promiscuous mode
RIP: 0010:dccp_timeout_nlattr_to_obj+0x5a/0x240 net/netfilter/nf_conntrack_proto_dccp.c:690
IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
Code: 89 d8 48 c1 e8 03 42 0f b6 0c 30 48 89 d8 83 e0 07 83 c0 03 38 c8 7c 08 84 c9 0f 85 71 01 00 00 4c 89 e0 44 8b 3b 48 c1 e8 03 <42> 0f b6 0c 30 4c 89 e0 83 e0 07 83 c0 03 38 c8 7c 08 84 c9 0f 85
IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
RSP: 0018:ffff880091ad74a8 EFLAGS: 00010246
IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
RAX: 0000000000000000 RBX: ffff88008d0dd8ac RCX: 0000000000000000
IPv6: ADDRCONF(NETDEV_UP): veth1_virt_wifi: link is not ready
RDX: 0000000000000000 RSI: ffff88008d0dd8d0 RDI: ffff88008c22e880
device veth1_vlan entered promiscuous mode
RBP: ffff880091ad74e0 R08: dffffc0000000000 R09: 0000000000000005
IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
R10: ffffed0011845d17 R11: ffff88008c22e8bf R12: 0000000000000000
IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
R13: ffff88008c22e880 R14: dffffc0000000000 R15: 0000000000005dc0
IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
FS:  00007fc53a857700(0000) GS:ffff8800aea00000(0000) knlGS:0000000000000000
IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
CR2: 000056284915caf8 CR3: 00000000a80b4000 CR4: 00000000001406f0
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400