bisecting cause commit starting from 12d61c6996999e6562cbbed5f270d572248a11c5
building syzkaller on d01bb02a96019cda0fa8c46e5c6d5eb66a273f17
testing commit 12d61c6996999e6562cbbed5f270d572248a11c5 with gcc (GCC) 8.1.0
all runs: crashed: general protection fault in ip6_sublist_rcv
testing release v5.3
testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.1.0
all runs: OK
# git bisect start 12d61c6996999e6562cbbed5f270d572248a11c5 v5.3
Bisecting: 10431 revisions left to test after this (roughly 13 steps)
[45824fc0da6e46cc5d563105e1eaaf3098a686f9] Merge tag 'powerpc-5.4-1' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux
testing commit 45824fc0da6e46cc5d563105e1eaaf3098a686f9 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 45824fc0da6e46cc5d563105e1eaaf3098a686f9
Bisecting: 5164 revisions left to test after this (roughly 12 steps)
[c2dd2464ff1f616a0cdbefad6a6639f56a4e49fd] Merge remote-tracking branch 'btrfs/for-next'
testing commit c2dd2464ff1f616a0cdbefad6a6639f56a4e49fd with gcc (GCC) 8.1.0
all runs: OK
# git bisect good c2dd2464ff1f616a0cdbefad6a6639f56a4e49fd
Bisecting: 2734 revisions left to test after this (roughly 11 steps)
[f8593384f83f59ca4f3f0d1c497c93bcab5b0975] Merge remote-tracking branch 'drm/drm-next'
testing commit f8593384f83f59ca4f3f0d1c497c93bcab5b0975 with gcc (GCC) 8.1.0
all runs: crashed: general protection fault in ip6_sublist_rcv
# git bisect bad f8593384f83f59ca4f3f0d1c497c93bcab5b0975
Bisecting: 1117 revisions left to test after this (roughly 10 steps)
[ed5484fbd82ab7f0020d2d97e37674f426d71b1d] Merge remote-tracking branch 'net-next/master'
testing commit ed5484fbd82ab7f0020d2d97e37674f426d71b1d with gcc (GCC) 8.1.0
all runs: OK
# git bisect good ed5484fbd82ab7f0020d2d97e37674f426d71b1d
Bisecting: 566 revisions left to test after this (roughly 9 steps)
[f3a36d469621e52a04392820fa96bc4f2a9d29e7] dt-bindings: display: renesas: Add r8a774b1 support
testing commit f3a36d469621e52a04392820fa96bc4f2a9d29e7 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good f3a36d469621e52a04392820fa96bc4f2a9d29e7
Bisecting: 298 revisions left to test after this (roughly 8 steps)
[f13680e1b82fe72b4995bcb582687ee3fc6023b7] Merge remote-tracking branch 'spi-nor/spi-nor/next'
testing commit f13680e1b82fe72b4995bcb582687ee3fc6023b7 with gcc (GCC) 8.1.0
all runs: crashed: general protection fault in ip6_sublist_rcv
# git bisect bad f13680e1b82fe72b4995bcb582687ee3fc6023b7
Bisecting: 143 revisions left to test after this (roughly 7 steps)
[0eeb91ade90ce06d2fa1e2fcb55e3316b64c203c] rtl8xxxu: fix RTL8723BU connection failure issue after warm reboot
testing commit 0eeb91ade90ce06d2fa1e2fcb55e3316b64c203c with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 0eeb91ade90ce06d2fa1e2fcb55e3316b64c203c
Bisecting: 57 revisions left to test after this (roughly 6 steps)
[cd8ca41f236ffdeeeabe65ce2268c9f9b6c25ef2] Merge remote-tracking branch 'netfilter-next/master'
testing commit cd8ca41f236ffdeeeabe65ce2268c9f9b6c25ef2 with gcc (GCC) 8.1.0
all runs: crashed: general protection fault in ip6_sublist_rcv
# git bisect bad cd8ca41f236ffdeeeabe65ce2268c9f9b6c25ef2
Bisecting: 42 revisions left to test after this (roughly 6 steps)
[8af1c8b8d6223c31fada6148fd870257407952d1] selftests/bpf: Make reference_tracking test use subtests
testing commit 8af1c8b8d6223c31fada6148fd870257407952d1 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 8af1c8b8d6223c31fada6148fd870257407952d1
Bisecting: 21 revisions left to test after this (roughly 5 steps)
[3f0465a9ef02624e0a36db9e7c9bedcafcd6f6fe] netfilter: nf_tables: dynamically allocate hooks per net_device in flowtables
testing commit 3f0465a9ef02624e0a36db9e7c9bedcafcd6f6fe with gcc (GCC) 8.1.0
all runs: crashed: general protection fault in ip6_sublist_rcv
# git bisect bad 3f0465a9ef02624e0a36db9e7c9bedcafcd6f6fe
Bisecting: 10 revisions left to test after this (roughly 3 steps)
[ac524481d7f72d46805bcaa6595f233236c92132] ipvs: batch __ip_vs_dev_cleanup
testing commit ac524481d7f72d46805bcaa6595f233236c92132 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good ac524481d7f72d46805bcaa6595f233236c92132
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[5ccbf891f073e9f4b74f30bdfa1976bbdb666214] Merge tag 'ipvs-next-for-v5.5' of https://git.kernel.org/pub/scm/linux/kernel/git/horms/ipvs-next
testing commit 5ccbf891f073e9f4b74f30bdfa1976bbdb666214 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 5ccbf891f073e9f4b74f30bdfa1976bbdb666214
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[ca58fbe06c54795f00db79e447f94c2028d30124] netfilter: add and use nf_hook_slow_list()
testing commit ca58fbe06c54795f00db79e447f94c2028d30124 with gcc (GCC) 8.1.0
all runs: crashed: general protection fault in ip6_sublist_rcv
# git bisect bad ca58fbe06c54795f00db79e447f94c2028d30124
Bisecting: 0 revisions left to test after this (roughly 1 step)
[2ad9d7747c10d17cc06447944fefd4c29ae11eb1] netfilter: conntrack: free extension area immediately
testing commit 2ad9d7747c10d17cc06447944fefd4c29ae11eb1 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 2ad9d7747c10d17cc06447944fefd4c29ae11eb1
ca58fbe06c54795f00db79e447f94c2028d30124 is the first bad commit
commit ca58fbe06c54795f00db79e447f94c2028d30124
Author: Florian Westphal <fw@strlen.de>
Date:   Fri Oct 11 00:30:37 2019 +0200

    netfilter: add and use nf_hook_slow_list()
    
    At this time, NF_HOOK_LIST() macro will iterate the list and then calls
    nf_hook() for each individual skb.
    
    This makes it so the entire list is passed into the netfilter core.
    The advantage is that we only need to fetch the rule blob once per list
    instead of per-skb.
    
    NF_HOOK_LIST now only works for ipv4 and ipv6, as those are the only
    callers.
    
    v2: use skb_list_del_init() instead of list_del (Edward Cree)
    
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Acked-by: Edward Cree <ecree@solarflare.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

:040000 040000 d0df1c5e1114ed5d5025f9de84a7ee64debe2e6f a8acb69badd33694381b78d551f635acc3c95a41 M	include
:040000 040000 c96abd069a97a63aed5b7fc8610c2d05b3577c5a db3f961fd3eda944c337e1132e445ed04cdde36d M	net
revisions tested: 16, total time: 3h52m35.32872098s (build: 1h35m29.635537934s, test: 2h11m27.11774286s)
first bad commit: ca58fbe06c54795f00db79e447f94c2028d30124 netfilter: add and use nf_hook_slow_list()
cc: ["coreteam@netfilter.org" "davem@davemloft.net" "ecree@solarflare.com" "fw@strlen.de" "kadlec@netfilter.org" "linux-kernel@vger.kernel.org" "netdev@vger.kernel.org" "netfilter-devel@vger.kernel.org" "pablo@netfilter.org"]
crash: general protection fault in ip6_sublist_rcv
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 7537 Comm: syz-executor.2 Not tainted 5.4.0-rc1+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__read_once_size include/linux/compiler.h:199 [inline]
RIP: 0010:NF_HOOK_LIST include/linux/netfilter.h:331 [inline]
RIP: 0010:ip6_sublist_rcv+0x4a8/0x7c0 net/ipv6/ip6_input.c:292
Code: 7e fb 5a 85 c0 0f 85 02 01 00 00 48 8b 85 08 ff ff ff 48 8d b8 10 0f 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 fb 02 00 00 48 8b 85 08 ff ff ff 48 8b 98 10 0f
RSP: 0018:ffff888079a872f0 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffff8880872a08c0 RCX: ffffffff81584a34
RDX: 00000000000001e2 RSI: 0000000000000004 RDI: 0000000000000f10
RBP: ffff888079a87418 R08: ffffed1015d46b75 R09: ffffed1015d46b75
R10: ffffed1015d46b74 R11: ffff8880aea35ba3 R12: ffff888079a873f0
R13: 0000000000000000 R14: ffff8880980da1c0 R15: dffffc0000000000
FS:  00007f2949586700(0000) GS:ffff8880aea00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000075c091 CR3: 0000000092f3c000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 ipv6_list_rcv+0x2e1/0x4b0 net/ipv6/ip6_input.c:328
 __netif_receive_skb_list_ptype net/core/dev.c:5279 [inline]
 __netif_receive_skb_list_core+0x4bd/0x930 net/core/dev.c:5327
 __netif_receive_skb_list net/core/dev.c:5379 [inline]
 netif_receive_skb_list_internal+0x61b/0xd70 net/core/dev.c:5474
 gro_normal_list.part.137+0x19/0xb0 net/core/dev.c:5987
 gro_normal_list net/core/dev.c:5985 [inline]
 gro_normal_one net/core/dev.c:5999 [inline]
 napi_frags_finish net/core/dev.c:6012 [inline]
 napi_gro_frags+0x834/0xc70 net/core/dev.c:6085
 tun_get_user+0x2432/0x3760 drivers/net/tun.c:1976
 tun_chr_write_iter+0xaf/0x150 drivers/net/tun.c:2022
 call_write_iter include/linux/fs.h:1895 [inline]
 do_iter_readv_writev+0x526/0xa70 fs/read_write.c:693
 do_iter_write+0x12a/0x510 fs/read_write.c:970
 vfs_writev+0x16d/0x2d0 fs/read_write.c:1015
 do_writev+0x112/0x2e0 fs/read_write.c:1058
 __do_sys_writev fs/read_write.c:1131 [inline]
 __se_sys_writev fs/read_write.c:1128 [inline]
 __x64_sys_writev+0x70/0xb0 fs/read_write.c:1128
 do_syscall_64+0xca/0x5d0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x459db1
Code: 75 14 b8 14 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 e4 b7 fb ff c3 48 83 ec 08 e8 fa 2c 00 00 48 89 04 24 b8 14 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 43 2d 00 00 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007f2949585ba0 EFLAGS: 00000293 ORIG_RAX: 0000000000000014
RAX: ffffffffffffffda RBX: 000000000000003e RCX: 0000000000459db1
RDX: 0000000000000001 RSI: 00007f2949585c00 RDI: 00000000000000f0
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 00007f29495866d4
R13: 00000000004c922e R14: 00000000004e0860 R15: 00000000ffffffff
Modules linked in:
---[ end trace 06b4c0ff8268147e ]---
RIP: 0010:__read_once_size include/linux/compiler.h:199 [inline]
RIP: 0010:NF_HOOK_LIST include/linux/netfilter.h:331 [inline]
RIP: 0010:ip6_sublist_rcv+0x4a8/0x7c0 net/ipv6/ip6_input.c:292
Code: 7e fb 5a 85 c0 0f 85 02 01 00 00 48 8b 85 08 ff ff ff 48 8d b8 10 0f 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 fb 02 00 00 48 8b 85 08 ff ff ff 48 8b 98 10 0f
RSP: 0018:ffff888079a872f0 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffff8880872a08c0 RCX: ffffffff81584a34
RDX: 00000000000001e2 RSI: 0000000000000004 RDI: 0000000000000f10
RBP: ffff888079a87418 R08: ffffed1015d46b75 R09: ffffed1015d46b75
R10: ffffed1015d46b74 R11: ffff8880aea35ba3 R12: ffff888079a873f0
R13: 0000000000000000 R14: ffff8880980da1c0 R15: dffffc0000000000
FS:  00007f2949586700(0000) GS:ffff8880aea00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000075c091 CR3: 0000000092f3c000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400