bisecting cause commit starting from 12d61c6996999e6562cbbed5f270d572248a11c5 building syzkaller on d01bb02a96019cda0fa8c46e5c6d5eb66a273f17 testing commit 12d61c6996999e6562cbbed5f270d572248a11c5 with gcc (GCC) 8.1.0 all runs: crashed: general protection fault in ip6_sublist_rcv testing release v5.3 testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.1.0 all runs: OK # git bisect start 12d61c6996999e6562cbbed5f270d572248a11c5 v5.3 Bisecting: 10431 revisions left to test after this (roughly 13 steps) [45824fc0da6e46cc5d563105e1eaaf3098a686f9] Merge tag 'powerpc-5.4-1' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux testing commit 45824fc0da6e46cc5d563105e1eaaf3098a686f9 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 45824fc0da6e46cc5d563105e1eaaf3098a686f9 Bisecting: 5164 revisions left to test after this (roughly 12 steps) [c2dd2464ff1f616a0cdbefad6a6639f56a4e49fd] Merge remote-tracking branch 'btrfs/for-next' testing commit c2dd2464ff1f616a0cdbefad6a6639f56a4e49fd with gcc (GCC) 8.1.0 all runs: OK # git bisect good c2dd2464ff1f616a0cdbefad6a6639f56a4e49fd Bisecting: 2734 revisions left to test after this (roughly 11 steps) [f8593384f83f59ca4f3f0d1c497c93bcab5b0975] Merge remote-tracking branch 'drm/drm-next' testing commit f8593384f83f59ca4f3f0d1c497c93bcab5b0975 with gcc (GCC) 8.1.0 all runs: crashed: general protection fault in ip6_sublist_rcv # git bisect bad f8593384f83f59ca4f3f0d1c497c93bcab5b0975 Bisecting: 1117 revisions left to test after this (roughly 10 steps) [ed5484fbd82ab7f0020d2d97e37674f426d71b1d] Merge remote-tracking branch 'net-next/master' testing commit ed5484fbd82ab7f0020d2d97e37674f426d71b1d with gcc (GCC) 8.1.0 all runs: OK # git bisect good ed5484fbd82ab7f0020d2d97e37674f426d71b1d Bisecting: 566 revisions left to test after this (roughly 9 steps) [f3a36d469621e52a04392820fa96bc4f2a9d29e7] dt-bindings: display: renesas: Add r8a774b1 support testing commit f3a36d469621e52a04392820fa96bc4f2a9d29e7 with gcc (GCC) 8.1.0 all runs: OK # git bisect good f3a36d469621e52a04392820fa96bc4f2a9d29e7 Bisecting: 298 revisions left to test after this (roughly 8 steps) [f13680e1b82fe72b4995bcb582687ee3fc6023b7] Merge remote-tracking branch 'spi-nor/spi-nor/next' testing commit f13680e1b82fe72b4995bcb582687ee3fc6023b7 with gcc (GCC) 8.1.0 all runs: crashed: general protection fault in ip6_sublist_rcv # git bisect bad f13680e1b82fe72b4995bcb582687ee3fc6023b7 Bisecting: 143 revisions left to test after this (roughly 7 steps) [0eeb91ade90ce06d2fa1e2fcb55e3316b64c203c] rtl8xxxu: fix RTL8723BU connection failure issue after warm reboot testing commit 0eeb91ade90ce06d2fa1e2fcb55e3316b64c203c with gcc (GCC) 8.1.0 all runs: OK # git bisect good 0eeb91ade90ce06d2fa1e2fcb55e3316b64c203c Bisecting: 57 revisions left to test after this (roughly 6 steps) [cd8ca41f236ffdeeeabe65ce2268c9f9b6c25ef2] Merge remote-tracking branch 'netfilter-next/master' testing commit cd8ca41f236ffdeeeabe65ce2268c9f9b6c25ef2 with gcc (GCC) 8.1.0 all runs: crashed: general protection fault in ip6_sublist_rcv # git bisect bad cd8ca41f236ffdeeeabe65ce2268c9f9b6c25ef2 Bisecting: 42 revisions left to test after this (roughly 6 steps) [8af1c8b8d6223c31fada6148fd870257407952d1] selftests/bpf: Make reference_tracking test use subtests testing commit 8af1c8b8d6223c31fada6148fd870257407952d1 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 8af1c8b8d6223c31fada6148fd870257407952d1 Bisecting: 21 revisions left to test after this (roughly 5 steps) [3f0465a9ef02624e0a36db9e7c9bedcafcd6f6fe] netfilter: nf_tables: dynamically allocate hooks per net_device in flowtables testing commit 3f0465a9ef02624e0a36db9e7c9bedcafcd6f6fe with gcc (GCC) 8.1.0 all runs: crashed: general protection fault in ip6_sublist_rcv # git bisect bad 3f0465a9ef02624e0a36db9e7c9bedcafcd6f6fe Bisecting: 10 revisions left to test after this (roughly 3 steps) [ac524481d7f72d46805bcaa6595f233236c92132] ipvs: batch __ip_vs_dev_cleanup testing commit ac524481d7f72d46805bcaa6595f233236c92132 with gcc (GCC) 8.1.0 all runs: OK # git bisect good ac524481d7f72d46805bcaa6595f233236c92132 Bisecting: 5 revisions left to test after this (roughly 3 steps) [5ccbf891f073e9f4b74f30bdfa1976bbdb666214] Merge tag 'ipvs-next-for-v5.5' of https://git.kernel.org/pub/scm/linux/kernel/git/horms/ipvs-next testing commit 5ccbf891f073e9f4b74f30bdfa1976bbdb666214 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 5ccbf891f073e9f4b74f30bdfa1976bbdb666214 Bisecting: 2 revisions left to test after this (roughly 2 steps) [ca58fbe06c54795f00db79e447f94c2028d30124] netfilter: add and use nf_hook_slow_list() testing commit ca58fbe06c54795f00db79e447f94c2028d30124 with gcc (GCC) 8.1.0 all runs: crashed: general protection fault in ip6_sublist_rcv # git bisect bad ca58fbe06c54795f00db79e447f94c2028d30124 Bisecting: 0 revisions left to test after this (roughly 1 step) [2ad9d7747c10d17cc06447944fefd4c29ae11eb1] netfilter: conntrack: free extension area immediately testing commit 2ad9d7747c10d17cc06447944fefd4c29ae11eb1 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 2ad9d7747c10d17cc06447944fefd4c29ae11eb1 ca58fbe06c54795f00db79e447f94c2028d30124 is the first bad commit commit ca58fbe06c54795f00db79e447f94c2028d30124 Author: Florian Westphal Date: Fri Oct 11 00:30:37 2019 +0200 netfilter: add and use nf_hook_slow_list() At this time, NF_HOOK_LIST() macro will iterate the list and then calls nf_hook() for each individual skb. This makes it so the entire list is passed into the netfilter core. The advantage is that we only need to fetch the rule blob once per list instead of per-skb. NF_HOOK_LIST now only works for ipv4 and ipv6, as those are the only callers. v2: use skb_list_del_init() instead of list_del (Edward Cree) Signed-off-by: Florian Westphal Acked-by: Edward Cree Signed-off-by: Pablo Neira Ayuso :040000 040000 d0df1c5e1114ed5d5025f9de84a7ee64debe2e6f a8acb69badd33694381b78d551f635acc3c95a41 M include :040000 040000 c96abd069a97a63aed5b7fc8610c2d05b3577c5a db3f961fd3eda944c337e1132e445ed04cdde36d M net revisions tested: 16, total time: 3h52m35.32872098s (build: 1h35m29.635537934s, test: 2h11m27.11774286s) first bad commit: ca58fbe06c54795f00db79e447f94c2028d30124 netfilter: add and use nf_hook_slow_list() cc: ["coreteam@netfilter.org" "davem@davemloft.net" "ecree@solarflare.com" "fw@strlen.de" "kadlec@netfilter.org" "linux-kernel@vger.kernel.org" "netdev@vger.kernel.org" "netfilter-devel@vger.kernel.org" "pablo@netfilter.org"] crash: general protection fault in ip6_sublist_rcv kasan: CONFIG_KASAN_INLINE enabled kasan: GPF could be caused by NULL-ptr deref or user memory access general protection fault: 0000 [#1] PREEMPT SMP KASAN CPU: 0 PID: 7537 Comm: syz-executor.2 Not tainted 5.4.0-rc1+ #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:__read_once_size include/linux/compiler.h:199 [inline] RIP: 0010:NF_HOOK_LIST include/linux/netfilter.h:331 [inline] RIP: 0010:ip6_sublist_rcv+0x4a8/0x7c0 net/ipv6/ip6_input.c:292 Code: 7e fb 5a 85 c0 0f 85 02 01 00 00 48 8b 85 08 ff ff ff 48 8d b8 10 0f 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 fb 02 00 00 48 8b 85 08 ff ff ff 48 8b 98 10 0f RSP: 0018:ffff888079a872f0 EFLAGS: 00010206 RAX: dffffc0000000000 RBX: ffff8880872a08c0 RCX: ffffffff81584a34 RDX: 00000000000001e2 RSI: 0000000000000004 RDI: 0000000000000f10 RBP: ffff888079a87418 R08: ffffed1015d46b75 R09: ffffed1015d46b75 R10: ffffed1015d46b74 R11: ffff8880aea35ba3 R12: ffff888079a873f0 R13: 0000000000000000 R14: ffff8880980da1c0 R15: dffffc0000000000 FS: 00007f2949586700(0000) GS:ffff8880aea00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000075c091 CR3: 0000000092f3c000 CR4: 00000000001406f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: ipv6_list_rcv+0x2e1/0x4b0 net/ipv6/ip6_input.c:328 __netif_receive_skb_list_ptype net/core/dev.c:5279 [inline] __netif_receive_skb_list_core+0x4bd/0x930 net/core/dev.c:5327 __netif_receive_skb_list net/core/dev.c:5379 [inline] netif_receive_skb_list_internal+0x61b/0xd70 net/core/dev.c:5474 gro_normal_list.part.137+0x19/0xb0 net/core/dev.c:5987 gro_normal_list net/core/dev.c:5985 [inline] gro_normal_one net/core/dev.c:5999 [inline] napi_frags_finish net/core/dev.c:6012 [inline] napi_gro_frags+0x834/0xc70 net/core/dev.c:6085 tun_get_user+0x2432/0x3760 drivers/net/tun.c:1976 tun_chr_write_iter+0xaf/0x150 drivers/net/tun.c:2022 call_write_iter include/linux/fs.h:1895 [inline] do_iter_readv_writev+0x526/0xa70 fs/read_write.c:693 do_iter_write+0x12a/0x510 fs/read_write.c:970 vfs_writev+0x16d/0x2d0 fs/read_write.c:1015 do_writev+0x112/0x2e0 fs/read_write.c:1058 __do_sys_writev fs/read_write.c:1131 [inline] __se_sys_writev fs/read_write.c:1128 [inline] __x64_sys_writev+0x70/0xb0 fs/read_write.c:1128 do_syscall_64+0xca/0x5d0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x459db1 Code: 75 14 b8 14 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 e4 b7 fb ff c3 48 83 ec 08 e8 fa 2c 00 00 48 89 04 24 b8 14 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 43 2d 00 00 48 89 d0 48 83 c4 08 48 3d 01 RSP: 002b:00007f2949585ba0 EFLAGS: 00000293 ORIG_RAX: 0000000000000014 RAX: ffffffffffffffda RBX: 000000000000003e RCX: 0000000000459db1 RDX: 0000000000000001 RSI: 00007f2949585c00 RDI: 00000000000000f0 RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000293 R12: 00007f29495866d4 R13: 00000000004c922e R14: 00000000004e0860 R15: 00000000ffffffff Modules linked in: ---[ end trace 06b4c0ff8268147e ]--- RIP: 0010:__read_once_size include/linux/compiler.h:199 [inline] RIP: 0010:NF_HOOK_LIST include/linux/netfilter.h:331 [inline] RIP: 0010:ip6_sublist_rcv+0x4a8/0x7c0 net/ipv6/ip6_input.c:292 Code: 7e fb 5a 85 c0 0f 85 02 01 00 00 48 8b 85 08 ff ff ff 48 8d b8 10 0f 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 fb 02 00 00 48 8b 85 08 ff ff ff 48 8b 98 10 0f RSP: 0018:ffff888079a872f0 EFLAGS: 00010206 RAX: dffffc0000000000 RBX: ffff8880872a08c0 RCX: ffffffff81584a34 RDX: 00000000000001e2 RSI: 0000000000000004 RDI: 0000000000000f10 RBP: ffff888079a87418 R08: ffffed1015d46b75 R09: ffffed1015d46b75 R10: ffffed1015d46b74 R11: ffff8880aea35ba3 R12: ffff888079a873f0 R13: 0000000000000000 R14: ffff8880980da1c0 R15: dffffc0000000000 FS: 00007f2949586700(0000) GS:ffff8880aea00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000075c091 CR3: 0000000092f3c000 CR4: 00000000001406f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400