bisecting fixing commit since 01364dad1d4577e27a57729d41053f661bb8a5b9
building syzkaller on a34e2c332411388ed2b3f6f1a3acdc062feceb79
testing commit 01364dad1d4577e27a57729d41053f661bb8a5b9 with gcc (GCC) 8.1.0
kernel signature: 11fc56ccf83118702297a7c3d86fba7067bf49a8720fb1a50701ce9b48f6eb85
run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in l2tp_session_free
run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in l2tp_session_free
run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in l2tp_session_free
run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in l2tp_session_free
run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in l2tp_session_free
run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in l2tp_session_free
run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in l2tp_session_free
run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in l2tp_session_free
run #8: crashed: WARNING in inet_sock_destruct
run #9: crashed: BUG: unable to handle kernel NULL pointer dereference in l2tp_session_free
testing current HEAD 050272a0423e68207fd2367831ae610680129062
testing commit 050272a0423e68207fd2367831ae610680129062 with gcc (GCC) 8.1.0
kernel signature: 64a8c28e55e9eb255eee48e47b4f921ffe667d061abb30cd04a017e7bf3273e8
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in l2tp_session_free
revisions tested: 2, total time: 26m10.825747505s (build: 18m58.827179742s, test: 6m12.412803649s)
the crash still happens on HEAD
commit msg: Linux 4.14.177
crash: BUG: unable to handle kernel NULL pointer dereference in l2tp_session_free

batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready
batman_adv: batadv0: Interface activated: batadv_slave_0
BUG: unable to handle kernel NULL pointer dereference at 0000000000000080
device veth1_vlan entered promiscuous mode
IP: refcount_dec_and_test arch/x86/include/asm/refcount.h:75 [inline]
IP: sock_put include/net/sock.h:1657 [inline]
IP: l2tp_session_free+0xfd/0x1d0 net/l2tp/l2tp_core.c:1714
PGD a482b067 P4D a482b067 PUD a48bf067 PMD 0
Oops: 0002 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 1 PID: 7775 Comm: syz-executor.3 Not tainted 4.14.177-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
task: ffff8880a4720480 task.stack: ffff88808ce98000
IPv6: ADDRCONF(NETDEV_UP): veth1_macvtap: link is not ready
RIP: 0010:refcount_dec_and_test arch/x86/include/asm/refcount.h:75 [inline]
RIP: 0010:sock_put include/net/sock.h:1657 [inline]
RIP: 0010:l2tp_session_free+0xfd/0x1d0 net/l2tp/l2tp_core.c:1714
device veth0_macvtap entered promiscuous mode
RSP: 0018:ffff88808ce9fc80 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffff888089c4cc80 RCX: 0000000000000000
RDX: 1ffff11011141a49 RSI: ffff8880a4720d08 RDI: 0000000000000000
RBP: ffff88808ce9fc98 R08: ffff8880a4720d28 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff888088a0d0c0
R13: ffff888089c4cc90 R14: ffff8880a3961960 R15: ffffffff87664f40
FS:  0000000000ce8940(0000) GS:ffff8880aed00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000080 CR3: 00000000a4009000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
 l2tp_session_dec_refcount_1 net/l2tp/l2tp_core.h:300 [inline]
 pppol2tp_session_destruct+0xbb/0xf0 net/l2tp/l2tp_ppp.c:460
 __sk_destruct+0x48/0x5a0 net/core/sock.c:1556
 sk_destruct+0x83/0xb0 net/core/sock.c:1596
 __sk_free+0x47/0x1f0 net/core/sock.c:1604
 sk_free+0x1a/0x20 net/core/sock.c:1615
device veth1_macvtap entered promiscuous mode
 sock_put include/net/sock.h:1658 [inline]
 pppol2tp_release+0x218/0x2a0 net/l2tp/l2tp_ppp.c:501
IPv6: ADDRCONF(NETDEV_UP): macsec0: link is not ready
 __sock_release+0xc2/0x2a0 net/socket.c:602
IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
 sock_close+0x10/0x20 net/socket.c:1139
 __fput+0x232/0x750 fs/file_table.c:210
 ____fput+0x9/0x10 fs/file_table.c:244
 task_work_run+0xe5/0x170 kernel/task_work.c:113
IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
 tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 exit_to_usermode_loop+0x16a/0x1b0 arch/x86/entry/common.c:164
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0
 prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
 do_syscall_64+0x416/0x5b0 arch/x86/entry/common.c:297
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x4163e1
RSP: 002b:00007fff282d7b20 EFLAGS: 00000293
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
 ORIG_RAX: 0000000000000003
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0
RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00000000004163e1
RDX: 0000000000000001 RSI: 0000000000770720 RDI: 0000000000000003
RBP: 0000000000000000 R08: 01ffffffffffffff R09: 01ffffffffffffff
R10: 00007fff282d7c00 R11: 0000000000000293 R12: 000000000076bfa0
R13: 00000000007707f0 R14: 000000000000bd04 R15: 000000000076bfac
Code: 49 8d bc 24 88 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 bd 00 00 00 49 8b bc 24 88 01 00 00 ff 8f 80 00 00 00 0f 88 20 62 7f 00 74 6d 48 b8 00 00 00 00
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready
batman_adv: batadv0: Interface activated: batadv_slave_0
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
RIP: refcount_dec_and_test arch/x86/include/asm/refcount.h:75 [inline] RSP: ffff88808ce9fc80
RIP: sock_put include/net/sock.h:1657 [inline] RSP: ffff88808ce9fc80
RIP: l2tp_session_free+0xfd/0x1d0 net/l2tp/l2tp_core.c:1714 RSP: ffff88808ce9fc80
CR2: 0000000000000080
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1
---[ end trace 78452f381853a06e ]---
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!