bisecting cause commit starting from 3dbdb38e286903ec220aaf1fb29a8d94297da246 building syzkaller on 8f5a7b8cde529e0a19a53f79bdf9c6cad306827b testing commit 3dbdb38e286903ec220aaf1fb29a8d94297da246 with gcc (GCC) 10.2.1 20210217 kernel signature: be86f3f3b2899214e9271a92aa000cb0f01513f966a0a7a9a6242b89884a3943 run #0: crashed: BUG: unable to handle kernel paging request in do_csum run #1: basic kernel testing failed: possible deadlock in fs_reclaim_acquire run #2: crashed: BUG: unable to handle kernel paging request in do_csum run #3: crashed: BUG: unable to handle kernel paging request in do_csum run #4: crashed: BUG: unable to handle kernel paging request in do_csum run #5: crashed: BUG: unable to handle kernel paging request in do_csum run #6: crashed: BUG: unable to handle kernel paging request in do_csum run #7: crashed: BUG: unable to handle kernel paging request in do_csum run #8: crashed: BUG: unable to handle kernel paging request in do_csum run #9: crashed: BUG: unable to handle kernel paging request in do_csum run #10: crashed: BUG: unable to handle kernel paging request in do_csum run #11: crashed: BUG: unable to handle kernel paging request in do_csum run #12: crashed: BUG: unable to handle kernel paging request in do_csum run #13: crashed: BUG: unable to handle kernel paging request in do_csum run #14: crashed: BUG: unable to handle kernel paging request in do_csum run #15: crashed: BUG: unable to handle kernel paging request in do_csum run #16: crashed: BUG: unable to handle kernel paging request in do_csum run #17: crashed: BUG: unable to handle kernel paging request in do_csum run #18: crashed: BUG: unable to handle kernel paging request in do_csum run #19: crashed: BUG: unable to handle kernel paging request in do_csum testing release v5.13 testing commit 62fb9874f5da54fdb243003b386128037319b219 with gcc (GCC) 10.2.1 20210217 kernel signature: e9ace9c5ee2829ecfd31f47be41f589c91c15eff6b62baab7051a38e73106e48 all runs: crashed: BUG: unable to handle kernel paging request in do_csum testing release v5.12 testing commit 9f4ad9e425a1d3b6a34617b8ea226d56a119a717 with gcc (GCC) 10.2.1 20210217 kernel signature: e8c8edc56ed7eecefb295a9ce860712552bfe61648872ba3f622452206b435fc all runs: crashed: BUG: unable to handle kernel paging request in do_csum testing release v5.11 testing commit f40ddce88593482919761f74910f42f4b84c004b with gcc (GCC) 10.2.1 20210217 kernel signature: 13ee78a1f289bc974c3d49828f6b6cb5fb780fdcacbea983f22b336310c726dc all runs: crashed: BUG: unable to handle kernel paging request in do_csum testing release v5.10 testing commit 2c85ebc57b3e1817b6ce1a6b703928e113a90442 with gcc (GCC) 10.2.1 20210217 kernel signature: 73651e18334bb8c9dd0f1435f393d0181d0040f6cf988d8ee15dc2e3470c31a7 all runs: crashed: BUG: unable to handle kernel paging request in do_csum testing release v5.9 testing commit bbf5c979011a099af5dc76498918ed7df445635b with gcc (GCC) 10.2.1 20210217 kernel signature: ce2ca99df9867843bac1eef5099fc62a3a4a2947c556e08e6b875db4da8495b4 all runs: OK # git bisect start 2c85ebc57b3e1817b6ce1a6b703928e113a90442 bbf5c979011a099af5dc76498918ed7df445635b Bisecting: 9594 revisions left to test after this (roughly 13 steps) [4d0e9df5e43dba52d38b251e3b909df8fa1110be] lib, uaccess: add failure injection to usercopy functions testing commit 4d0e9df5e43dba52d38b251e3b909df8fa1110be with gcc (GCC) 10.2.1 20210217 kernel signature: f70577b73e0534da56f623d112ee1e9989d045b8180533098066f6c638e938b1 all runs: OK # git bisect good 4d0e9df5e43dba52d38b251e3b909df8fa1110be Bisecting: 4874 revisions left to test after this (roughly 12 steps) [6694875ef8045cdb1e6712ee9b68fe08763507d8] ext4: indicate that fast_commit is available via /sys/fs/ext4/feature/... testing commit 6694875ef8045cdb1e6712ee9b68fe08763507d8 with gcc (GCC) 10.2.1 20210217 kernel signature: da727db75a146d124f42585b74b81b9abe4dd1e438dc0c46d25af8044701dd62 all runs: crashed: BUG: unable to handle kernel paging request in do_csum # git bisect bad 6694875ef8045cdb1e6712ee9b68fe08763507d8 Bisecting: 2342 revisions left to test after this (roughly 11 steps) [14c914fcb515c424177bb6848cc2858ebfe717a8] Merge tag 'wireless-drivers-next-2020-10-02' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers-next testing commit 14c914fcb515c424177bb6848cc2858ebfe717a8 with gcc (GCC) 8.4.1 20210217 kernel signature: ca2ab31e1d357e5d7fed2975095d02679990f83e64a41e5df5d09705a2197d5f all runs: OK # git bisect good 14c914fcb515c424177bb6848cc2858ebfe717a8 Bisecting: 1132 revisions left to test after this (roughly 10 steps) [6f78b9acf04fbf9ede7f4265e7282f9fb39d2c8c] Merge tag 'mtd/for-5.10' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux testing commit 6f78b9acf04fbf9ede7f4265e7282f9fb39d2c8c with gcc (GCC) 10.2.1 20210217 kernel signature: dda4e916c3d9c6cb868c383e30cd13cb3b806f120118daaa9fc2cdd36bdc9cf1 all runs: crashed: BUG: unable to handle kernel paging request in do_csum # git bisect bad 6f78b9acf04fbf9ede7f4265e7282f9fb39d2c8c Bisecting: 672 revisions left to test after this (roughly 9 steps) [c4cf498dc0241fa2d758dba177634268446afb06] Merge branch 'akpm' (patches from Andrew) testing commit c4cf498dc0241fa2d758dba177634268446afb06 with gcc (GCC) 10.2.1 20210217 kernel signature: 7e9d9236030ff7d70b2b02850a5a29d66064d05be3adb82c5dbcfc7eec5e4df4 all runs: crashed: BUG: unable to handle kernel paging request in do_csum # git bisect bad c4cf498dc0241fa2d758dba177634268446afb06 Bisecting: 268 revisions left to test after this (roughly 8 steps) [ee92e4f1f95eb7b8820299f10fc5fba16d85cece] net/mlx5: Add NIC TX domain namespace testing commit ee92e4f1f95eb7b8820299f10fc5fba16d85cece with gcc (GCC) 8.4.1 20210217 kernel signature: 0fc698aea9e2ce16587165442b8ca827b33b04d75060ddc77847eccad1f064f7 all runs: OK # git bisect good ee92e4f1f95eb7b8820299f10fc5fba16d85cece Bisecting: 153 revisions left to test after this (roughly 7 steps) [346e320cb2103edef709c4466a29140c4a8e527a] netfilter: nftables: allow re-computing sctp CRC-32C in 'payload' statements testing commit 346e320cb2103edef709c4466a29140c4a8e527a with gcc (GCC) 8.4.1 20210217 kernel signature: 2e4709080dfe9f75d1b7dd608663b4f692678b156c37b2a1e89aab277c288ebf all runs: OK # git bisect good 346e320cb2103edef709c4466a29140c4a8e527a Bisecting: 73 revisions left to test after this (roughly 6 steps) [fefa636d815975b34afc45f50852a2810fb23ba9] Merge tag 'trace-v5.10' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace testing commit fefa636d815975b34afc45f50852a2810fb23ba9 with gcc (GCC) 10.2.1 20210217 kernel signature: 6967b56e76d77486b66eed80b8c5d08ee2a67f398bc843505d1430897410a795 all runs: OK # git bisect good fefa636d815975b34afc45f50852a2810fb23ba9 Bisecting: 36 revisions left to test after this (roughly 5 steps) [1e40d75ef90c5c99d9418637cd7295fa49ecb5fb] Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf testing commit 1e40d75ef90c5c99d9418637cd7295fa49ecb5fb with gcc (GCC) 8.4.1 20210217 kernel signature: 914ba0a0e13b6555d1f2bf0ef5879290cf055ffc467adf51f4c3342a6edcf20d all runs: crashed: BUG: unable to handle kernel paging request in do_csum # git bisect bad 1e40d75ef90c5c99d9418637cd7295fa49ecb5fb Bisecting: 18 revisions left to test after this (roughly 4 steps) [b54fa649d7e7f8081f80c052de71267a42095dfa] Merge tag 'linux-can-fixes-for-5.9-20201008' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can testing commit b54fa649d7e7f8081f80c052de71267a42095dfa with gcc (GCC) 8.4.1 20210217 kernel signature: e4d19453d5af20cc428531df28be399facb84f27e4bc43e5517fe1b9092cae36 all runs: OK # git bisect good b54fa649d7e7f8081f80c052de71267a42095dfa Bisecting: 9 revisions left to test after this (roughly 3 steps) [98a381a7d4892dd9969d24433a4bca2f45092643] netfilter: nftables: extend error reporting for chain updates testing commit 98a381a7d4892dd9969d24433a4bca2f45092643 with gcc (GCC) 8.4.1 20210217 kernel signature: c5815d19110d97ac63c751ca5c6c490f14e8b3f17b5add62d6c8d5ba9e14f281 all runs: OK # git bisect good 98a381a7d4892dd9969d24433a4bca2f45092643 Bisecting: 4 revisions left to test after this (roughly 2 steps) [254941f323702dbebe3f9145fdb1ab24c5bd23c1] docs: networking: update XPS to account for netif_set_xps_queue testing commit 254941f323702dbebe3f9145fdb1ab24c5bd23c1 with gcc (GCC) 8.4.1 20210217 kernel signature: 19c8376f41e41fe8e6ed84c276d978470247544ce4456e6db5c502ab0a36b564 all runs: OK # git bisect good 254941f323702dbebe3f9145fdb1ab24c5bd23c1 Bisecting: 2 revisions left to test after this (roughly 1 step) [4e3bbb33e6f36e4b05be1b1b9b02e3dd5aaa3e69] socket: don't clear SOCK_TSTAMP_NEW when SO_TIMESTAMPNS is disabled testing commit 4e3bbb33e6f36e4b05be1b1b9b02e3dd5aaa3e69 with gcc (GCC) 8.4.1 20210217 kernel signature: e87e595a01631d28ce6b55237e5264f7958eeda17249b8d2ef53308f3f34d589 all runs: OK # git bisect good 4e3bbb33e6f36e4b05be1b1b9b02e3dd5aaa3e69 Bisecting: 1 revision left to test after this (roughly 1 step) [0d9826bc18ce356e8909919ad681ad65d0a6061e] netfilter: nf_log: missing vlan offload tag and proto testing commit 0d9826bc18ce356e8909919ad681ad65d0a6061e with gcc (GCC) 8.4.1 20210217 kernel signature: f3ab80f5f443671ccc4549b31366b47ed7e5754790edd35a2751009dddf5fcb2 all runs: OK # git bisect good 0d9826bc18ce356e8909919ad681ad65d0a6061e Bisecting: 0 revisions left to test after this (roughly 0 steps) [fdafed459998e2be0e877e6189b24cb7a0183224] ip_gre: set dev->hard_header_len and dev->needed_headroom properly testing commit fdafed459998e2be0e877e6189b24cb7a0183224 with gcc (GCC) 8.4.1 20210217 kernel signature: 73cb03b4a67fd1ad9fde2445272a634ac2e544f70fcd21019cdc330328d16c13 all runs: crashed: BUG: unable to handle kernel paging request in do_csum # git bisect bad fdafed459998e2be0e877e6189b24cb7a0183224 fdafed459998e2be0e877e6189b24cb7a0183224 is the first bad commit commit fdafed459998e2be0e877e6189b24cb7a0183224 Author: Cong Wang Date: Mon Oct 12 16:17:21 2020 -0700 ip_gre: set dev->hard_header_len and dev->needed_headroom properly GRE tunnel has its own header_ops, ipgre_header_ops, and sets it conditionally. When it is set, it assumes the outer IP header is already created before ipgre_xmit(). This is not true when we send packets through a raw packet socket, where L2 headers are supposed to be constructed by user. Packet socket calls dev_validate_header() to validate the header. But GRE tunnel does not set dev->hard_header_len, so that check can be simply bypassed, therefore uninit memory could be passed down to ipgre_xmit(). Similar for dev->needed_headroom. dev->hard_header_len is supposed to be the length of the header created by dev->header_ops->create(), so it should be used whenever header_ops is set, and dev->needed_headroom should be used when it is not set. Reported-and-tested-by: syzbot+4a2c52677a8a1aa283cb@syzkaller.appspotmail.com Cc: William Tu Acked-by: Willem de Bruijn Signed-off-by: Cong Wang Acked-by: Xie He Signed-off-by: Jakub Kicinski net/ipv4/ip_gre.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) culprit signature: 73cb03b4a67fd1ad9fde2445272a634ac2e544f70fcd21019cdc330328d16c13 parent signature: e87e595a01631d28ce6b55237e5264f7958eeda17249b8d2ef53308f3f34d589 revisions tested: 21, total time: 4h42m2.365419043s (build: 2h22m48.330929837s, test: 2h15m41.460728158s) first bad commit: fdafed459998e2be0e877e6189b24cb7a0183224 ip_gre: set dev->hard_header_len and dev->needed_headroom properly recipients (to): ["kuba@kernel.org" "syzbot+4a2c52677a8a1aa283cb@syzkaller.appspotmail.com" "willemb@google.com" "xie.he.0141@gmail.com" "xiyou.wangcong@gmail.com"] recipients (cc): [] crash: BUG: unable to handle kernel paging request in do_csum BUG: unable to handle page fault for address: ffff8880bfffd000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD f601067 P4D f601067 PUD 23ffff067 PMD 23fffe067 PTE 0 Oops: 0000 [#1] PREEMPT SMP KASAN CPU: 0 PID: 10134 Comm: syz-executor.5 Not tainted 5.9.0-rc8-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:do_csum+0xe4/0x2e0 arch/x86/lib/csum-partial_64.c:72 Code: 01 c3 44 89 e1 41 c1 ec 04 d1 e9 45 85 e4 0f 84 c7 01 00 00 41 8d 44 24 ff 31 d2 48 83 c0 01 48 c1 e0 06 48 01 e8 48 03 5d 00 <48> 13 5d 08 48 13 5d 10 48 13 5d 18 48 13 5d 20 48 13 5d 28 48 13 RSP: 0018:ffffc9000ae4f420 EFLAGS: 00010202 RAX: ffff8881a76d3078 RBX: 49e667d282206ff1 RCX: 000000001ffffffd RDX: 0000000000000000 RSI: ffffffffffffffec RDI: ffff8880a76d30b8 RBP: ffff8880bfffcff8 R08: 0000000000000100 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000003ffffff R13: 0000000000000000 R14: ffff8880a76d30b8 R15: ffff8880a76d30a4 FS: 00007f13ca725700(0000) GS:ffff8880b9e00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffff8880bfffd000 CR3: 00000000a3809000 CR4: 00000000001506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: csum_partial+0x8/0x10 arch/x86/lib/csum-partial_64.c:136 lco_csum include/linux/skbuff.h:4571 [inline] gre_checksum include/net/gre.h:114 [inline] gre_build_header include/net/gre.h:149 [inline] __gre_xmit+0x78f/0x8c0 net/ipv4/ip_gre.c:462 ipgre_xmit+0x62e/0x8b0 net/ipv4/ip_gre.c:648 __netdev_start_xmit include/linux/netdevice.h:4681 [inline] netdev_start_xmit include/linux/netdevice.h:4695 [inline] xmit_one net/core/dev.c:3561 [inline] dev_hard_start_xmit+0x156/0x750 net/core/dev.c:3577 __dev_queue_xmit+0x1c28/0x2a10 net/core/dev.c:4136 packet_snd net/packet/af_packet.c:2989 [inline] packet_sendmsg+0x2f5f/0x5060 net/packet/af_packet.c:3014 sock_sendmsg_nosec net/socket.c:651 [inline] sock_sendmsg+0xac/0xf0 net/socket.c:671 sock_no_sendpage+0xeb/0x130 net/core/sock.c:2847 kernel_sendpage+0x208/0x3b0 net/socket.c:3644 sock_sendpage+0x6e/0xd0 net/socket.c:944 pipe_to_sendpage+0x247/0x410 fs/splice.c:448 splice_from_pipe_feed fs/splice.c:502 [inline] __splice_from_pipe+0x296/0x750 fs/splice.c:646 splice_from_pipe+0xad/0x100 fs/splice.c:681 do_splice+0x85d/0x1440 fs/splice.c:1164 __do_sys_splice fs/splice.c:1439 [inline] __se_sys_splice fs/splice.c:1421 [inline] __x64_sys_splice+0x14e/0x200 fs/splice.c:1421 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x4665d9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f13ca725188 EFLAGS: 00000246 ORIG_RAX: 0000000000000113 RAX: ffffffffffffffda RBX: 000000000056c038 RCX: 00000000004665d9 RDX: 0000000000000006 RSI: 0000000000000000 RDI: 0000000000000004 RBP: 00000000004bfcb9 R08: 00000000ffffffff R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056c038 R13: 00007ffcbc050aff R14: 00007f13ca725300 R15: 0000000000022000 Modules linked in: CR2: ffff8880bfffd000 ---[ end trace 460f070396b291f4 ]--- RIP: 0010:do_csum+0xe4/0x2e0 arch/x86/lib/csum-partial_64.c:72 Code: 01 c3 44 89 e1 41 c1 ec 04 d1 e9 45 85 e4 0f 84 c7 01 00 00 41 8d 44 24 ff 31 d2 48 83 c0 01 48 c1 e0 06 48 01 e8 48 03 5d 00 <48> 13 5d 08 48 13 5d 10 48 13 5d 18 48 13 5d 20 48 13 5d 28 48 13 RSP: 0018:ffffc9000ae4f420 EFLAGS: 00010202 RAX: ffff8881a76d3078 RBX: 49e667d282206ff1 RCX: 000000001ffffffd RDX: 0000000000000000 RSI: ffffffffffffffec RDI: ffff8880a76d30b8 RBP: ffff8880bfffcff8 R08: 0000000000000100 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000003ffffff R13: 0000000000000000 R14: ffff8880a76d30b8 R15: ffff8880a76d30a4 FS: 00007f13ca725700(0000) GS:ffff8880b9e00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffff8880bfffd000 CR3: 00000000a3809000 CR4: 00000000001506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400