bisecting cause commit starting from 46cf053efec6a3a5f343fead837777efe8252a46 building syzkaller on be5c2c81971442d623dd1b265dabf4644ceeb35b testing commit 46cf053efec6a3a5f343fead837777efe8252a46 with gcc (GCC) 8.1.0 kernel signature: 396b831bab2c2648b846e635670a76f9830289f0 all runs: crashed: general protection fault in xt_rateest_tg_checkentry testing release v5.4 testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0 kernel signature: eea4dcb981ef1c89348c09a07d51581b76205f81 all runs: crashed: general protection fault in xt_rateest_tg_checkentry testing release v5.3 testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.1.0 kernel signature: f364065f19ad88d3327d4a95d8ed68601aed5c1f all runs: crashed: general protection fault in xt_rateest_tg_checkentry testing release v5.2 testing commit 0ecfebd2b52404ae0c54a878c872bb93363ada36 with gcc (GCC) 8.1.0 kernel signature: 0ac3a8c1ad68d8b7a9f9889ecd3b533b0cc4be41 all runs: crashed: general protection fault in xt_rateest_tg_checkentry testing release v5.1 testing commit e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd with gcc (GCC) 8.1.0 kernel signature: 10a8fde8e0e7be54e4ad16e26a72dcabf02156aa all runs: crashed: general protection fault in xt_rateest_tg_checkentry testing release v5.0 testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783 with gcc (GCC) 8.1.0 kernel signature: bfa89a4fd3d82718b8ee1848f9deac98937c94ca all runs: crashed: general protection fault in xt_rateest_tg_checkentry testing release v4.20 testing commit 8fe28cb58bcb235034b64cbbb7550a8a43fd88be with gcc (GCC) 8.1.0 kernel signature: 8554c9654a0ad8d25363819bf1ff447ac0ed4fa8 run #0: crashed: general protection fault in xt_rateest_tg_checkentry run #1: crashed: general protection fault in xt_rateest_tg_checkentry run #2: crashed: general protection fault in xt_rateest_tg_checkentry run #3: crashed: general protection fault in xt_rateest_tg_checkentry run #4: crashed: general protection fault in corrupted run #5: crashed: general protection fault in xt_rateest_tg_checkentry run #6: crashed: general protection fault in xt_rateest_tg_checkentry run #7: crashed: general protection fault in xt_rateest_tg_checkentry run #8: crashed: general protection fault in xt_rateest_tg_checkentry run #9: crashed: general protection fault in xt_rateest_tg_checkentry testing release v4.19 testing commit 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d with gcc (GCC) 8.1.0 kernel signature: 42bc4e55e277a73101094f54302b74b62378e4b3 all runs: crashed: general protection fault in xt_rateest_tg_checkentry testing release v4.18 testing commit 94710cac0ef4ee177a63b5227664b38c95bbf703 with gcc (GCC) 8.1.0 kernel signature: f6f76c1937fe5d785203546cd898e1b23c9ef253 all runs: crashed: general protection fault in xt_rateest_tg_checkentry testing release v4.17 testing commit 29dcea88779c856c7dc92040a0c01233263101d4 with gcc (GCC) 8.1.0 kernel signature: dd7d2fe0afac1339fbafe8bcd91395196a6f3dfc all runs: crashed: general protection fault in xt_rateest_tg_checkentry testing release v4.16 testing commit 0adb32858b0bddf4ada5f364a84ed60b196dbcda with gcc (GCC) 8.1.0 kernel signature: 245cffdfc9d0bc1588fc51d84586274a09fd66c3 all runs: OK # git bisect start 29dcea88779c856c7dc92040a0c01233263101d4 0adb32858b0bddf4ada5f364a84ed60b196dbcda Bisecting: 7380 revisions left to test after this (roughly 13 steps) [97b1255cb27c551d7c3c5c496d787da40772da99] mm,oom_reaper: check for MMF_OOM_SKIP before complaining testing commit 97b1255cb27c551d7c3c5c496d787da40772da99 with gcc (GCC) 8.1.0 kernel signature: 64045fb8dd159afa0f36065c5c25a6ef4552fcf5 all runs: crashed: general protection fault in xt_rateest_tg_checkentry # git bisect bad 97b1255cb27c551d7c3c5c496d787da40772da99 Bisecting: 4372 revisions left to test after this (roughly 12 steps) [bb2407a7219760926760f0448fddf00d625e5aec] Merge tag 'docs-4.17' of git://git.lwn.net/linux testing commit bb2407a7219760926760f0448fddf00d625e5aec with gcc (GCC) 8.1.0 kernel signature: 85892a92c667bcd520b9baaf732fad098775e3dc all runs: OK # git bisect good bb2407a7219760926760f0448fddf00d625e5aec Bisecting: 2394 revisions left to test after this (roughly 11 steps) [147a89bc71e7db40f011454a40add7ff2d10f8d8] Merge tag 'kconfig-v4.17' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild testing commit 147a89bc71e7db40f011454a40add7ff2d10f8d8 with gcc (GCC) 8.1.0 kernel signature: 32d3721613b1a3050eef5f76794fce90cd6104f9 all runs: crashed: general protection fault in xt_rateest_tg_checkentry # git bisect bad 147a89bc71e7db40f011454a40add7ff2d10f8d8 Bisecting: 988 revisions left to test after this (roughly 10 steps) [32c23b47dbd9765c6ec2542400f41f0d47a7d2c1] i40e: Properly check allowed advertisement capabilities testing commit 32c23b47dbd9765c6ec2542400f41f0d47a7d2c1 with gcc (GCC) 8.1.0 kernel signature: 6a64d49a063c652b709993fb6ec87a8fee36ee40 all runs: OK # git bisect good 32c23b47dbd9765c6ec2542400f41f0d47a7d2c1 Bisecting: 496 revisions left to test after this (roughly 9 steps) [e15f20ea33b8e5074145abe464b4b48acea505d9] Merge tag 'mac80211-next-for-davem-2018-03-29' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211-next testing commit e15f20ea33b8e5074145abe464b4b48acea505d9 with gcc (GCC) 8.1.0 kernel signature: 8e1bb69c9ecc3908b86bbd7ef45feaf5dbe188c8 all runs: OK # git bisect good e15f20ea33b8e5074145abe464b4b48acea505d9 Bisecting: 248 revisions left to test after this (roughly 8 steps) [699efed00df0631e39a639b49e3b8e27e62e6c89] bnxt_en: Include additional hardware port statistics in ethtool -S. testing commit 699efed00df0631e39a639b49e3b8e27e62e6c89 with gcc (GCC) 8.1.0 kernel signature: f8b0d422bb37ed88db5d7575d66b021d66616892 all runs: crashed: general protection fault in xt_rateest_tg_checkentry # git bisect bad 699efed00df0631e39a639b49e3b8e27e62e6c89 Bisecting: 125 revisions left to test after this (roughly 7 steps) [b9a12601541eb55d07e00261a5112a4bc36fe7be] Merge branch 'Close-race-between-un-register_netdevice_notifier-and-pernet_operations' testing commit b9a12601541eb55d07e00261a5112a4bc36fe7be with gcc (GCC) 8.1.0 kernel signature: 5e2506cd9cb8445cc841a0d874600973eb16cce9 all runs: OK # git bisect good b9a12601541eb55d07e00261a5112a4bc36fe7be Bisecting: 62 revisions left to test after this (roughly 6 steps) [c0b6edef0bf0e33c12eaf80c676ff09def011518] tc-testing: Add newline when writing test case files testing commit c0b6edef0bf0e33c12eaf80c676ff09def011518 with gcc (GCC) 8.1.0 kernel signature: 1929c309cb6495500ae4004c8f11de8b9498c13e all runs: crashed: general protection fault in xt_rateest_tg_checkentry # git bisect bad c0b6edef0bf0e33c12eaf80c676ff09def011518 Bisecting: 31 revisions left to test after this (roughly 5 steps) [20710b3b81895c89e92bcc32ce85c0bede1171f8] netfilter: ctnetlink: synproxy support testing commit 20710b3b81895c89e92bcc32ce85c0bede1171f8 with gcc (GCC) 8.1.0 kernel signature: 36365009ff3958e77b6c5b71282185930710d8f8 all runs: crashed: general protection fault in xt_rateest_tg_checkentry # git bisect bad 20710b3b81895c89e92bcc32ce85c0bede1171f8 Bisecting: 15 revisions left to test after this (roughly 4 steps) [7d7d7e02111e9a4dc9d0658597f528f815d820fd] netfilter: compat: reject huge allocation requests testing commit 7d7d7e02111e9a4dc9d0658597f528f815d820fd with gcc (GCC) 8.1.0 kernel signature: e4a7677376c18bfeaadfa9e94a0af84f1a41a26b all runs: OK # git bisect good 7d7d7e02111e9a4dc9d0658597f528f815d820fd Bisecting: 7 revisions left to test after this (roughly 3 steps) [35d8deb80c30fdb2dee3e2dac71eab00d8a6fed5] netfilter: conncount: Support count only use case testing commit 35d8deb80c30fdb2dee3e2dac71eab00d8a6fed5 with gcc (GCC) 8.1.0 kernel signature: ed774616fa2b3820a66486b3e7645db850e91002 all runs: crashed: general protection fault in xt_rateest_tg_checkentry # git bisect bad 35d8deb80c30fdb2dee3e2dac71eab00d8a6fed5 Bisecting: 3 revisions left to test after this (roughly 2 steps) [010eacd968a73ddcb8592b14c1607e1004120ede] netfilter: xt_limit: Spelling s/maxmum/maximum/ testing commit 010eacd968a73ddcb8592b14c1607e1004120ede with gcc (GCC) 8.1.0 kernel signature: fd372905ffb1aae66608f596d964092e4af08f88 all runs: crashed: general protection fault in xt_rateest_tg_checkentry # git bisect bad 010eacd968a73ddcb8592b14c1607e1004120ede Bisecting: 1 revision left to test after this (roughly 1 step) [0d7df906a0e78079a02108b06d32c3ef2238ad25] netfilter: x_tables: ensure last rule in base chain matches underflow/policy testing commit 0d7df906a0e78079a02108b06d32c3ef2238ad25 with gcc (GCC) 8.1.0 kernel signature: ffa2b070f1689bc924914778390d9b02e8e145b4 all runs: OK # git bisect good 0d7df906a0e78079a02108b06d32c3ef2238ad25 Bisecting: 0 revisions left to test after this (roughly 0 steps) [3427b2ab63faccafe774ea997fc2da7faf690c5a] netfilter: make xt_rateest hash table per net testing commit 3427b2ab63faccafe774ea997fc2da7faf690c5a with gcc (GCC) 8.1.0 kernel signature: 1b0ad4bf4d914904bce35993ff812cf75f9a81e5 all runs: crashed: general protection fault in xt_rateest_tg_checkentry # git bisect bad 3427b2ab63faccafe774ea997fc2da7faf690c5a 3427b2ab63faccafe774ea997fc2da7faf690c5a is the first bad commit commit 3427b2ab63faccafe774ea997fc2da7faf690c5a Author: Cong Wang Date: Thu Mar 1 18:58:38 2018 -0800 netfilter: make xt_rateest hash table per net As suggested by Eric, we need to make the xt_rateest hash table and its lock per netns to reduce lock contentions. Cc: Florian Westphal Cc: Eric Dumazet Cc: Pablo Neira Ayuso Signed-off-by: Cong Wang Reviewed-by: Eric Dumazet Signed-off-by: Pablo Neira Ayuso include/net/netfilter/xt_rateest.h | 4 +- net/netfilter/xt_RATEEST.c | 91 +++++++++++++++++++++++++++----------- net/netfilter/xt_rateest.c | 10 ++--- 3 files changed, 72 insertions(+), 33 deletions(-) culprit signature: 1b0ad4bf4d914904bce35993ff812cf75f9a81e5 parent signature: ffa2b070f1689bc924914778390d9b02e8e145b4 revisions tested: 25, total time: 4h25m38.509576618s (build: 2h13m40.927093057s, test: 2h10m6.034255546s) first bad commit: 3427b2ab63faccafe774ea997fc2da7faf690c5a netfilter: make xt_rateest hash table per net cc: ["edumazet@google.com" "pablo@netfilter.org" "xiyou.wangcong@gmail.com"] crash: general protection fault in xt_rateest_tg_checkentry 8021q: adding VLAN 0 to HW filter on device batadv0 kasan: CONFIG_KASAN_INLINE enabled IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready kasan: GPF could be caused by NULL-ptr deref or user memory access IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready general protection fault: 0000 [#1] PREEMPT SMP KASAN bridge0: port 2(bridge_slave_1) entered blocking state Modules linked in: CPU: 0 PID: 6552 Comm: syz-executor.1 Not tainted 4.16.0-rc2-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:__read_once_size include/linux/compiler.h:188 [inline] RIP: 0010:net_generic include/net/netns/generic.h:45 [inline] RIP: 0010:xt_rateest_tg_checkentry+0xe6/0xbd0 net/netfilter/xt_RATEEST.c:112 RSP: 0018:ffff8800993e7808 EFLAGS: 00010206 RAX: dffffc0000000000 RBX: 1ffff1001327cf04 RCX: 1ffffffff0fba56c RDX: 0000000000000288 RSI: ffffffff87237760 RDI: 0000000000001440 RBP: ffff8800993e78e8 R08: ffff88009939a918 R09: 0000000000000000 R10: 0000000000000000 R11: ffff88009939a040 R12: 0000000000000028 bridge0: port 2(bridge_slave_1) entered forwarding state R13: ffff8800993e7b88 R14: 0000000000000000 R15: ffff8800993e78c0 FS: 00007f3e1b7cc700(0000) GS:ffff8800aec00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffc8a66bd08 CR3: 000000008b79e000 CR4: 00000000001406f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready xt_check_target+0x200/0x640 net/netfilter/x_tables.c:988 IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready check_target net/ipv4/netfilter/arp_tables.c:413 [inline] find_check_entry net/ipv4/netfilter/arp_tables.c:436 [inline] translate_table+0xdb8/0x1dc0 net/ipv4/netfilter/arp_tables.c:586 bridge0: port 1(bridge_slave_0) entered blocking state do_replace net/ipv4/netfilter/arp_tables.c:991 [inline] do_arpt_set_ctl+0x257/0x540 net/ipv4/netfilter/arp_tables.c:1470 bridge0: port 1(bridge_slave_0) entered forwarding state IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready nf_sockopt net/netfilter/nf_sockopt.c:106 [inline] nf_setsockopt+0x5c/0xb0 net/netfilter/nf_sockopt.c:115 IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready ip_setsockopt+0x59/0x70 net/ipv4/ip_sockglue.c:1261 udp_setsockopt+0x16/0x30 net/ipv4/udp.c:2406 sock_common_setsockopt+0x73/0xf0 net/core/sock.c:2979 SYSC_setsockopt net/socket.c:1850 [inline] SyS_setsockopt+0x140/0x210 net/socket.c:1829 IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready do_syscall_64+0x1c7/0x6a0 arch/x86/entry/common.c:287 IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready entry_SYSCALL_64_after_hwframe+0x42/0xb7 IPv6: ADDRCONF(NETDEV_UP): veth0_to_hsr: link is not ready RIP: 0033:0x45a919 RSP: 002b:00007f3e1b7cbc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000036 RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 000000000045a919 RDX: 0000000000000060 RSI: 0a02000000000000 RDI: 0000000000000003 RBP: 000000000075bf20 R08: 0000000000000530 R09: 0000000000000000 R10: 0000000020000800 R11: 0000000000000246 R12: 00007f3e1b7cc6d4 R13: 00000000004d1ce8 R14: 00000000004e1d20 R15: 00000000ffffffff Code: e8 IPv6: ADDRCONF(NETDEV_UP): veth1_to_hsr: link is not ready 70 97 e5 fb e8 cb 71 hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network ea fb 5a 85 c0 0f 85 b2 02 00 00 49 8d be 40 14 00 00 48 b8 00 00 hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 b1 08 00 00 4d 8b b6 40 14 00 00 e8 94 71 ea RIP: __read_once_size include/linux/compiler.h:188 [inline] RSP: ffff8800993e7808 RIP: net_generic include/net/netns/generic.h:45 [inline] RSP: ffff8800993e7808 RIP: xt_rateest_tg_checkentry+0xe6/0xbd0 net/netfilter/xt_RATEEST.c:112 RSP: ffff8800993e7808 ---[ end trace a67265bba4b67eba ]--- IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready