bisecting cause commit starting from da2968ff879b9e74688cdc658f646971991d2c56
building syzkaller on 1d75fe458f90d0a3dbb1578b88cdb64ae0a37398
testing commit da2968ff879b9e74688cdc658f646971991d2c56 with gcc (GCC) 8.1.0
kernel signature: 0330c2610921f59fabb561329c04a75e668ee3ed59304b553be089fe39492e28
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in fib_dump_info
testing release v5.8
testing commit bcf876870b95592b52519ed4aafcf9d95999bc9c with gcc (GCC) 8.1.0
kernel signature: 6051351c86dcbb321006a58a49e655c7435afe91d204d21c978c460584200150
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in fib_dump_info
testing release v5.7
testing commit 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162 with gcc (GCC) 8.1.0
kernel signature: 5a4a14d1020819e1ed651f5e7c82645de581fe6d62184bff8fd2a2579a8ca909
all runs: crashed: general protection fault in fib_dump_info
testing release v5.6
testing commit 7111951b8d4973bda27ff663f2cf18b663d15b48 with gcc (GCC) 8.1.0
kernel signature: 6451426b39c9964ccb70b897e547b7bf17957610665458bfac0b3b802b048505
all runs: OK
# git bisect start 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162 7111951b8d4973bda27ff663f2cf18b663d15b48
Bisecting: 7542 revisions left to test after this (roughly 13 steps)
[50a5de895dbe5df947b3a695777db5b2c313e065] Merge tag 'for-linus-hmm' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma
testing commit 50a5de895dbe5df947b3a695777db5b2c313e065 with gcc (GCC) 8.1.0
kernel signature: 80ecb4fb4cde069a874af87b59d77b9d3638831c3ccf658a61a00391e5e1bca0
all runs: boot failed: kernel panic: VFS: Unable to mount root fs on unknown-block(8,1)
# git bisect skip 50a5de895dbe5df947b3a695777db5b2c313e065
Bisecting: 7542 revisions left to test after this (roughly 13 steps)
[422c032afcf57d5e8109a54912e22ffc53d99068] netfilter: flowtable: Use rw sem as flow block lock
testing commit 422c032afcf57d5e8109a54912e22ffc53d99068 with gcc (GCC) 8.1.0
kernel signature: 68f255a3b9570b93a51d6e2f3b2968b4ad7cb757c1b4fb82fb3718a816287623
all runs: OK
# git bisect good 422c032afcf57d5e8109a54912e22ffc53d99068
Bisecting: 6728 revisions left to test after this (roughly 13 steps)
[8c1b724ddb218f221612d4c649bc9c7819d8d7a6] Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm
testing commit 8c1b724ddb218f221612d4c649bc9c7819d8d7a6 with gcc (GCC) 8.1.0
kernel signature: 4c6e636ebe77b3fb2de29327b321dd2031322b9bad9bb18826ca07a072b1e6d2
all runs: boot failed: kernel panic: VFS: Unable to mount root fs on unknown-block(8,1)
# git bisect skip 8c1b724ddb218f221612d4c649bc9c7819d8d7a6
Bisecting: 6728 revisions left to test after this (roughly 13 steps)
[88d7fcfa3b1fe670f0412b95be785aafca63352b] net: inet_csk: Fix so_reuseport bind-address cache in tb->fast*
testing commit 88d7fcfa3b1fe670f0412b95be785aafca63352b with gcc (GCC) 8.1.0
kernel signature: 235ae60845ba9b5e8d4169e1fa623776a03f6f283ed69e8b7359b1ce8531e00c
all runs: OK
# git bisect good 88d7fcfa3b1fe670f0412b95be785aafca63352b
Bisecting: 321 revisions left to test after this (roughly 8 steps)
[8f261041b18ee80ad8afdd1621c909c4df9f6cc3] Merge tag 'staging-5.7-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging
testing commit 8f261041b18ee80ad8afdd1621c909c4df9f6cc3 with gcc (GCC) 8.1.0
kernel signature: 0fcbbb3ea179f3481aeea92cf9bf56e28563bb2b9b0fb3a2c323b9ee39c48760
all runs: OK
# git bisect good 8f261041b18ee80ad8afdd1621c909c4df9f6cc3
Bisecting: 161 revisions left to test after this (roughly 7 steps)
[86e43b8bf0e6b3897e504cdb9230fd063ecd4452] Merge tag 'drm-fixes-2020-05-29-1' of git://anongit.freedesktop.org/drm/drm
testing commit 86e43b8bf0e6b3897e504cdb9230fd063ecd4452 with gcc (GCC) 8.1.0
kernel signature: 284982a2a0a81f97d2e5823e65bbd4e9a6a3931a335b3d7dbb11266c4ad0839f
all runs: OK
# git bisect good 86e43b8bf0e6b3897e504cdb9230fd063ecd4452
Bisecting: 80 revisions left to test after this (roughly 6 steps)
[10f6d46c943d1ccd1d730d2e915226cbdeaad2d5] mptcp: fix race between MP_JOIN and close
testing commit 10f6d46c943d1ccd1d730d2e915226cbdeaad2d5 with gcc (GCC) 8.1.0
kernel signature: 0ff8a5705095d29fe1ab9d34c8e1edfca2082a1000ac0788d488208f9c0dbbb1
all runs: crashed: general protection fault in fib_dump_info
# git bisect bad 10f6d46c943d1ccd1d730d2e915226cbdeaad2d5
Bisecting: 39 revisions left to test after this (roughly 5 steps)
[45ebf73ebcec88a34a778f5feaa0b82b1c76069e] sctp: check assoc before SCTP_ADDR_{MADE_PRIM, ADDED} event
testing commit 45ebf73ebcec88a34a778f5feaa0b82b1c76069e with gcc (GCC) 8.1.0
kernel signature: a892eef6736bac6825c7b1fdea8946fc8cf98dff1480d07c922f0a751f6593eb
all runs: crashed: general protection fault in fib_dump_info
# git bisect bad 45ebf73ebcec88a34a778f5feaa0b82b1c76069e
Bisecting: 19 revisions left to test after this (roughly 4 steps)
[0a82e230c68860b7286dad8644d9d9f7cfd755d2] mptcp: avoid NULL-ptr derefence on fallback
testing commit 0a82e230c68860b7286dad8644d9d9f7cfd755d2 with gcc (GCC) 8.1.0
kernel signature: e614dac75ec2f3341b6520129423b3345d79623cf86f3ecc705dfe091c4773ae
all runs: crashed: general protection fault in fib_dump_info
# git bisect bad 0a82e230c68860b7286dad8644d9d9f7cfd755d2
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[963bdfc75cfa20c53bde64928af57a6ca175fc01] Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf
testing commit 963bdfc75cfa20c53bde64928af57a6ca175fc01 with gcc (GCC) 8.1.0
kernel signature: 427a3d0fc27d729edabc849457d16988c4c4e74c77da196486669e274615bd68
all runs: OK
# git bisect good 963bdfc75cfa20c53bde64928af57a6ca175fc01
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[af7888ad9edbd8ba7f6449d1c27ce281ad4b26fd] ipv4: Refactor nhc evaluation in fib_table_lookup
testing commit af7888ad9edbd8ba7f6449d1c27ce281ad4b26fd with gcc (GCC) 8.1.0
kernel signature: 8e90e2a2dd64743ee0946b1d21bf47aafe1ec18c6d09d0a8ce09b73a4795fc53
all runs: crashed: general protection fault in fib_dump_info
# git bisect bad af7888ad9edbd8ba7f6449d1c27ce281ad4b26fd
Bisecting: 1 revision left to test after this (roughly 1 step)
[90f33bffa382598a32cc82abfeb20adc92d041b6] nexthops: don't modify published nexthop groups
testing commit 90f33bffa382598a32cc82abfeb20adc92d041b6 with gcc (GCC) 8.1.0
kernel signature: 4f8bac9854c971240b68b823f98fec23e2de69575cdb8ad2e9ab79b2c2ed3bc4
all runs: OK
# git bisect good 90f33bffa382598a32cc82abfeb20adc92d041b6
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[0b5e2e39739e861fa5fc84ab27a35dbe62a15330] nexthop: Expand nexthop_is_multipath in a few places
testing commit 0b5e2e39739e861fa5fc84ab27a35dbe62a15330 with gcc (GCC) 8.1.0
kernel signature: bb9fd315f242f83a695dce4fae35f0ef319d5d75c0ba62becf860e085031a7d6
all runs: crashed: general protection fault in fib_dump_info
# git bisect bad 0b5e2e39739e861fa5fc84ab27a35dbe62a15330
0b5e2e39739e861fa5fc84ab27a35dbe62a15330 is the first bad commit
commit 0b5e2e39739e861fa5fc84ab27a35dbe62a15330
Author: David Ahern <dsahern@gmail.com>
Date:   Tue May 26 12:56:16 2020 -0600

    nexthop: Expand nexthop_is_multipath in a few places
    
    I got too fancy consolidating checks on multipath type. The result
    is that path lookups can access 2 different nh_grp structs as exposed
    by Nik's torture tests. Expand nexthop_is_multipath within nexthop.h to
    avoid multiple, nh_grp dereferences and make decisions based on the
    consistent struct.
    
    Only 2 places left using nexthop_is_multipath are within IPv6, both
    only check that the nexthop is a multipath for a branching decision
    which are acceptable.
    
    Fixes: 430a049190de ("nexthop: Add support for nexthop groups")
    Signed-off-by: David Ahern <dsahern@gmail.com>
    Acked-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 include/net/nexthop.h | 41 +++++++++++++++++++++++++----------------
 1 file changed, 25 insertions(+), 16 deletions(-)
culprit signature: bb9fd315f242f83a695dce4fae35f0ef319d5d75c0ba62becf860e085031a7d6
parent  signature: 4f8bac9854c971240b68b823f98fec23e2de69575cdb8ad2e9ab79b2c2ed3bc4
revisions tested: 17, total time: 3h40m38.557818881s (build: 1h35m2.686311183s, test: 2h3m59.331384447s)
first bad commit: 0b5e2e39739e861fa5fc84ab27a35dbe62a15330 nexthop: Expand nexthop_is_multipath in a few places
recipients (to): ["davem@davemloft.net" "dsahern@gmail.com" "nikolay@cumulusnetworks.com"]
recipients (cc): []
crash: general protection fault in fib_dump_info
general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]
CPU: 1 PID: 8651 Comm: syz-executor.5 Not tainted 5.7.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__read_once_size include/linux/compiler.h:199 [inline]
RIP: 0010:nexthop_is_blackhole include/net/nexthop.h:198 [inline]
RIP: 0010:fib_dump_info+0x744/0x19e0 net/ipv4/fib_semantics.c:1781
Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 54 11 00 00 4d 8b 6d 10 49 8d 7d 70 48 ba 00 00 00 00 00 fc ff df 48 89 f9 48 c1 e9 03 <80> 3c 11 00 0f 85 e3 10 00 00 4d 8b 6d 70 e8 d9 67 34 fb 85 c0 74
RSP: 0018:ffffc900049f72a8 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffff88807884aac0 RCX: 000000000000000e
RDX: dffffc0000000000 RSI: ffffffff8990c428 RDI: 0000000000000070
RBP: ffffc900049f7460 R08: ffffed100f109b06 R09: ffffed100f109b06
R10: ffff88807884d82b R11: ffffed100f109b05 R12: ffff88807884d800
R13: 0000000000000000 R14: ffff88807884d817 R15: ffff8880a8a4ea00
FS:  0000000000000000(0000) GS:ffff8880ae900000(0063) knlGS:00000000f7755b40
CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 000055cac250ced8 CR3: 000000009ec42000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 rtmsg_fib+0x2cd/0xb20 net/ipv4/fib_semantics.c:524
 fib_table_insert+0x730/0x1980 net/ipv4/fib_trie.c:1352
 inet_rtm_newroute+0xe8/0x1a0 net/ipv4/fib_frontend.c:882
 rtnetlink_rcv_msg+0x346/0x8c0 net/core/rtnetlink.c:5454
 netlink_rcv_skb+0x119/0x340 net/netlink/af_netlink.c:2469
 netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline]
 netlink_unicast+0x434/0x630 net/netlink/af_netlink.c:1329
 netlink_sendmsg+0x714/0xc60 net/netlink/af_netlink.c:1918
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg+0xac/0xe0 net/socket.c:672
 ____sys_sendmsg+0x554/0x760 net/socket.c:2362
 ___sys_sendmsg+0xe4/0x160 net/socket.c:2416
 __sys_sendmsg+0xce/0x170 net/socket.c:2449
 do_syscall_32_irqs_on arch/x86/entry/common.c:337 [inline]
 do_fast_syscall_32+0x231/0xba0 arch/x86/entry/common.c:396
 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
Modules linked in:
---[ end trace fe22094ecd066dc7 ]---
RIP: 0010:__read_once_size include/linux/compiler.h:199 [inline]
RIP: 0010:nexthop_is_blackhole include/net/nexthop.h:198 [inline]
RIP: 0010:fib_dump_info+0x744/0x19e0 net/ipv4/fib_semantics.c:1781
Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 54 11 00 00 4d 8b 6d 10 49 8d 7d 70 48 ba 00 00 00 00 00 fc ff df 48 89 f9 48 c1 e9 03 <80> 3c 11 00 0f 85 e3 10 00 00 4d 8b 6d 70 e8 d9 67 34 fb 85 c0 74
RSP: 0018:ffffc900049f72a8 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffff88807884aac0 RCX: 000000000000000e
RDX: dffffc0000000000 RSI: ffffffff8990c428 RDI: 0000000000000070
RBP: ffffc900049f7460 R08: ffffed100f109b06 R09: ffffed100f109b06
R10: ffff88807884d82b R11: ffffed100f109b05 R12: ffff88807884d800
R13: 0000000000000000 R14: ffff88807884d817 R15: ffff8880a8a4ea00
FS:  0000000000000000(0000) GS:ffff8880ae900000(0063) knlGS:00000000f7755b40
CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 000055cac250ced8 CR3: 000000009ec42000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400