bisecting cause commit starting from 9aaa29494030a8ba89311b70123a367a26788323
building syzkaller on bc8bc756c272115ed92fad4f716b77f6fb995203
testing commit 9aaa29494030a8ba89311b70123a367a26788323 with gcc (GCC) 8.1.0
kernel signature: 2e4b0f0cb09c20ad752cb0251d69c2afee93b3cb
all runs: crashed: KASAN: use-after-free Read in bitmap_ip_ext_cleanup
testing release v5.4
testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0
kernel signature: d1a25c294d1a8ad1943c71c8db6a2c1462ed4f57
all runs: crashed: KASAN: use-after-free Read in bitmap_ip_ext_cleanup
testing release v5.3
testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.1.0
kernel signature: ea88575ec91fbdcf3e3a6ab8dbafbbb332955d47
all runs: crashed: KASAN: use-after-free Read in bitmap_ip_ext_cleanup
testing release v5.2
testing commit 0ecfebd2b52404ae0c54a878c872bb93363ada36 with gcc (GCC) 8.1.0
kernel signature: f5f930f198d6050345c72f41c2599b0dbdf130dd
all runs: OK
# git bisect start 4d856f72c10ecb060868ed10ff1b1453943fc6c8 0ecfebd2b52404ae0c54a878c872bb93363ada36
Bisecting: 7848 revisions left to test after this (roughly 13 steps)
[43c95d3694cc448fdf50bd53b7ff3a5bb4655883] Merge tag 'pinctrl-v5.3-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl
testing commit 43c95d3694cc448fdf50bd53b7ff3a5bb4655883 with gcc (GCC) 8.1.0
kernel signature: 625d0d6f7b922491f0f57210655538835c519649
all runs: crashed: KASAN: use-after-free Read in bitmap_ip_ext_cleanup
# git bisect bad 43c95d3694cc448fdf50bd53b7ff3a5bb4655883
Bisecting: 4619 revisions left to test after this (roughly 12 steps)
[8f6ccf6159aed1f04c6d179f61f6fb2691261e84] Merge tag 'clone3-v5.3' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux
testing commit 8f6ccf6159aed1f04c6d179f61f6fb2691261e84 with gcc (GCC) 8.1.0
kernel signature: f19e2c1fbd514692a3dbe0ea65133b92fac55050
all runs: OK
# git bisect good 8f6ccf6159aed1f04c6d179f61f6fb2691261e84
Bisecting: 2306 revisions left to test after this (roughly 11 steps)
[753c8d9b7d81206bb5d011b28abe829d364b028e] Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
testing commit 753c8d9b7d81206bb5d011b28abe829d364b028e with gcc (GCC) 8.1.0
kernel signature: 62d7c8834cc148ebc999d6fd35af144d1d8f881f
run #0: crashed: general protection fault in send_hsr_supervision_frame
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 753c8d9b7d81206bb5d011b28abe829d364b028e
Bisecting: 1156 revisions left to test after this (roughly 10 steps)
[2f9b0d93a9d3ec64558537ab5d7cff820886afa4] net: ethernet: ti: cpsw: Fix suspend/resume break
testing commit 2f9b0d93a9d3ec64558537ab5d7cff820886afa4 with gcc (GCC) 8.1.0
kernel signature: 99b0a04881669816a4837611c80a2f600e7a4d15
all runs: OK
# git bisect good 2f9b0d93a9d3ec64558537ab5d7cff820886afa4
Bisecting: 578 revisions left to test after this (roughly 9 steps)
[354d0fab649d47045517cf7cae03d653a4dcb3b8] net: hns3: add default value for tc_size and tc_offset
testing commit 354d0fab649d47045517cf7cae03d653a4dcb3b8 with gcc (GCC) 8.1.0
kernel signature: 770926926eb21511ff32044edd0a4b9b9e4cb361
all runs: OK
# git bisect good 354d0fab649d47045517cf7cae03d653a4dcb3b8
Bisecting: 289 revisions left to test after this (roughly 8 steps)
[52c0609258658ff35b85c654c568a50abd602ac6] bnxt_en: rename some xdp functions
testing commit 52c0609258658ff35b85c654c568a50abd602ac6 with gcc (GCC) 8.1.0
kernel signature: c388f3932271bac043cc5126a6a801a41f8b4825
all runs: OK
# git bisect good 52c0609258658ff35b85c654c568a50abd602ac6
Bisecting: 169 revisions left to test after this (roughly 7 steps)
[e858faf556d4e14c750ba1e8852783c6f9520a0e] tcp: Reset bytes_acked and bytes_received when disconnecting
testing commit e858faf556d4e14c750ba1e8852783c6f9520a0e with gcc (GCC) 8.1.0
kernel signature: aa74d1609d87771475501f1ece1eb75fe97bb389
run #0: crashed: general protection fault in send_hsr_supervision_frame
run #1: crashed: general protection fault in send_hsr_supervision_frame
run #2: crashed: general protection fault in send_hsr_supervision_frame
run #3: crashed: general protection fault in send_hsr_supervision_frame
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad e858faf556d4e14c750ba1e8852783c6f9520a0e
Bisecting: 59 revisions left to test after this (roughly 6 steps)
[3d26eb8ad1e9b906433903ce05f775cf038e747f] net: bridge: don't cache ether dest pointer on input
testing commit 3d26eb8ad1e9b906433903ce05f775cf038e747f with gcc (GCC) 8.1.0
kernel signature: de9f323ddebedca2ea16a6aee528a8b647de1357
run #0: crashed: general protection fault in batadv_iv_ogm_queue_add
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 3d26eb8ad1e9b906433903ce05f775cf038e747f
Bisecting: 29 revisions left to test after this (roughly 5 steps)
[e5b1c6c6277d5a283290a8c033c72544746f9b5b] igmp: fix memory leak in igmpv3_del_delrec()
testing commit e5b1c6c6277d5a283290a8c033c72544746f9b5b with gcc (GCC) 8.1.0
kernel signature: 01faa5b01ba6a434f8342b6c745a07ef06f0d44f
all runs: OK
# git bisect good e5b1c6c6277d5a283290a8c033c72544746f9b5b
Bisecting: 14 revisions left to test after this (roughly 4 steps)
[4d1415811e492d9a8238f8a92dd0d51612c788e9] sctp: fix error handling on stream scheduler initialization
testing commit 4d1415811e492d9a8238f8a92dd0d51612c788e9 with gcc (GCC) 8.1.0
kernel signature: adc34fdd405218bc317a05b2eb739fac499e0cd1
all runs: OK
# git bisect good 4d1415811e492d9a8238f8a92dd0d51612c788e9
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[d39d714969cda5cbda291402c8c6b1fb1047f42e] idr: introduce idr_for_each_entry_continue_ul()
testing commit d39d714969cda5cbda291402c8c6b1fb1047f42e with gcc (GCC) 8.1.0
kernel signature: 597fd8fdc1496c31907505813440015a57ee841a
all runs: OK
# git bisect good d39d714969cda5cbda291402c8c6b1fb1047f42e
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[acd3e96d53a24d219f720ed4012b62723ae05da1] net/tls: make sure offload also gets the keys wiped
testing commit acd3e96d53a24d219f720ed4012b62723ae05da1 with gcc (GCC) 8.1.0
kernel signature: 8478afeb1269839481affcf5560379bf4bcfbb56
all runs: OK
# git bisect good acd3e96d53a24d219f720ed4012b62723ae05da1
Bisecting: 1 revision left to test after this (roughly 1 step)
[e57f61858b7cf478ed6fa23ed4b3876b1c9625c4] net: bridge: mcast: fix stale nsrcs pointer in igmp3/mld2 report handling
testing commit e57f61858b7cf478ed6fa23ed4b3876b1c9625c4 with gcc (GCC) 8.1.0
kernel signature: a2b202754a432abb0959b6ae194e8d7d4289b993
all runs: OK
# git bisect good e57f61858b7cf478ed6fa23ed4b3876b1c9625c4
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[3b26a5d03d35d8f732d75951218983c0f7f68dff] net: bridge: mcast: fix stale ipv6 hdr pointer when handling v6 query
testing commit 3b26a5d03d35d8f732d75951218983c0f7f68dff with gcc (GCC) 8.1.0
kernel signature: 2c71b2445704f5e55aa6dda7697d6bf37743fa77
all runs: OK
# git bisect good 3b26a5d03d35d8f732d75951218983c0f7f68dff
3d26eb8ad1e9b906433903ce05f775cf038e747f is the first bad commit
commit 3d26eb8ad1e9b906433903ce05f775cf038e747f
Author: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Date:   Tue Jul 2 15:00:20 2019 +0300

    net: bridge: don't cache ether dest pointer on input
    
    We would cache ether dst pointer on input in br_handle_frame_finish but
    after the neigh suppress code that could lead to a stale pointer since
    both ipv4 and ipv6 suppress code do pskb_may_pull. This means we have to
    always reload it after the suppress code so there's no point in having
    it cached just retrieve it directly.
    
    Fixes: 057658cb33fbf ("bridge: suppress arp pkts on BR_NEIGH_SUPPRESS ports")
    Fixes: ed842faeb2bd ("bridge: suppress nd pkts on BR_NEIGH_SUPPRESS ports")
    Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/bridge/br_input.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
culprit signature: de9f323ddebedca2ea16a6aee528a8b647de1357
parent  signature: 2c71b2445704f5e55aa6dda7697d6bf37743fa77
revisions tested: 18, total time: 4h48m6.392482785s (build: 1h54m25.968564003s, test: 2h52m8.629809595s)
first bad commit: 3d26eb8ad1e9b906433903ce05f775cf038e747f net: bridge: don't cache ether dest pointer on input
cc: ["bridge@lists.linux-foundation.org" "davem@davemloft.net" "linux-kernel@vger.kernel.org" "netdev@vger.kernel.org" "nikolay@cumulusnetworks.com" "roopa@cumulusnetworks.com"]
crash: general protection fault in batadv_iv_ogm_queue_add
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 7801 Comm: kworker/u4:5 Not tainted 5.2.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: bat_events batadv_iv_send_outstanding_bat_ogm_packet
RIP: 0010:batadv_iv_ogm_queue_add+0x9b/0xe50 net/batman-adv/bat_iv_ogm.c:599
Code: 44 89 8d 64 ff ff ff c7 02 f1 f1 f1 f1 c7 42 04 04 f2 f2 f2 48 89 fa 65 48 8b 0c 25 28 00 00 00 48 89 4d d0 31 c9 48 c1 ea 03 <0f> b6 04 02 48 89 fa 83 e2 07 38 d0 7f 08 84 c0 0f 85 a2 0b 00 00
RSP: 0018:ffff88808829fab8 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffff88808be11000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: ffff88808829fbd0 R08: ffff88808e36b580 R09: 0000000000000001
R10: ffffed10117c2207 R11: ffff88808be1103f R12: ffff88808e36b580
R13: 0000000000000000 R14: 00000000f5182993 R15: 000000000000003c
FS:  0000000000000000(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffe14bff3c4 CR3: 00000000a3fd9000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 batadv_iv_ogm_schedule+0x7b2/0xe90 net/batman-adv/bat_iv_ogm.c:791
 batadv_iv_send_outstanding_bat_ogm_packet+0x4a2/0x790 net/batman-adv/bat_iv_ogm.c:1669
 process_one_work+0x830/0x16a0 kernel/workqueue.c:2269
 worker_thread+0x85/0xb60 kernel/workqueue.c:2415
 kthread+0x324/0x3e0 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
Modules linked in:
---[ end trace c940a429f7d3f817 ]---
RIP: 0010:batadv_iv_ogm_queue_add+0x9b/0xe50 net/batman-adv/bat_iv_ogm.c:599
Code: 44 89 8d 64 ff ff ff c7 02 f1 f1 f1 f1 c7 42 04 04 f2 f2 f2 48 89 fa 65 48 8b 0c 25 28 00 00 00 48 89 4d d0 31 c9 48 c1 ea 03 <0f> b6 04 02 48 89 fa 83 e2 07 38 d0 7f 08 84 c0 0f 85 a2 0b 00 00
RSP: 0018:ffff88808829fab8 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffff88808be11000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: ffff88808829fbd0 R08: ffff88808e36b580 R09: 0000000000000001
R10: ffffed10117c2207 R11: ffff88808be1103f R12: ffff88808e36b580
R13: 0000000000000000 R14: 00000000f5182993 R15: 000000000000003c
FS:  0000000000000000(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffff600400 CR3: 00000000a3fd9000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400