bisecting cause commit starting from 61678d28d4a45ef376f5d02a839cc37509ae9281 building syzkaller on 2e95ab335759ed7e1c246c2057c84d813a2c29e1 testing commit 61678d28d4a45ef376f5d02a839cc37509ae9281 with gcc (GCC) 8.1.0 kernel signature: ee13a4109f08d90118c434098b491b3a15a771fcc08fc7c54b83ac7b222907d2 all runs: crashed: BUG: unable to handle kernel paging request in do_csum testing release v5.4 testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0 kernel signature: 54954366f18245539879016047f21ddf3f59b7239e2f656b72fa33004e08bb28 all runs: crashed: BUG: unable to handle kernel paging request in do_csum testing release v5.3 testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.1.0 kernel signature: aba5c8ef162abb5f13e414780d66d0cf3a8afc774a7e7a35a771a18ea9bd4af4 all runs: crashed: BUG: unable to handle kernel paging request in do_csum testing release v5.2 testing commit 0ecfebd2b52404ae0c54a878c872bb93363ada36 with gcc (GCC) 8.1.0 kernel signature: 768ef1fcb5b3e9111c720dd5a270bff6c82892fd76320a5a45a85461fceaabac all runs: crashed: BUG: unable to handle kernel paging request in do_csum testing release v5.1 testing commit e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd with gcc (GCC) 8.1.0 kernel signature: f9b140b41815802ac0827fe0095c03267ca9977b22b4f237342601aa0f3052f1 all runs: crashed: WARNING in skb_warn_bad_offload testing release v5.0 testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783 with gcc (GCC) 8.1.0 kernel signature: eec6705866734292329c5a3472cd1cae6d655b7a43f7153545a6df12c3c22e82 run #0: crashed: WARNING in skb_warn_bad_offload run #1: crashed: WARNING in corrupted run #2: crashed: WARNING in skb_warn_bad_offload run #3: crashed: WARNING in corrupted run #4: crashed: WARNING in skb_warn_bad_offload run #5: crashed: WARNING in skb_warn_bad_offload run #6: crashed: WARNING in skb_warn_bad_offload run #7: crashed: WARNING in skb_warn_bad_offload run #8: crashed: WARNING in skb_warn_bad_offload run #9: crashed: WARNING in skb_warn_bad_offload testing release v4.20 testing commit 8fe28cb58bcb235034b64cbbb7550a8a43fd88be with gcc (GCC) 8.1.0 kernel signature: 4b3c83b27653ce12991dad0f83c85420cc67f562acb6b662edea887fa3b9b049 all runs: OK # git bisect start 1c163f4c7b3f621efff9b28a47abb36f7378d783 8fe28cb58bcb235034b64cbbb7550a8a43fd88be Bisecting: 7011 revisions left to test after this (roughly 13 steps) [af7ddd8a627c62a835524b3f5b471edbbbcce025] Merge tag 'dma-mapping-4.21' of git://git.infradead.org/users/hch/dma-mapping testing commit af7ddd8a627c62a835524b3f5b471edbbbcce025 with gcc (GCC) 8.1.0 kernel signature: eee7ba11240dd482fc9055a33008ac20259210392f9b4052dd5e192ef25663b3 all runs: crashed: WARNING in skb_warn_bad_offload # git bisect bad af7ddd8a627c62a835524b3f5b471edbbbcce025 Bisecting: 3448 revisions left to test after this (roughly 12 steps) [792bf4d871dea8b69be2aaabdd320d7c6ed15985] Merge branch 'core-rcu-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip testing commit 792bf4d871dea8b69be2aaabdd320d7c6ed15985 with gcc (GCC) 8.1.0 kernel signature: eabcfd669b88af09b085835eabf4a34e6c2ab8b652b292ff82de44e7e721a0f5 all runs: OK # git bisect good 792bf4d871dea8b69be2aaabdd320d7c6ed15985 Bisecting: 1729 revisions left to test after this (roughly 11 steps) [aa9d6e0f33aea8a1879e7e53fe0e436943f9ce0c] linux/netlink.h: drop unnecessary extern prefix testing commit aa9d6e0f33aea8a1879e7e53fe0e436943f9ce0c with gcc (GCC) 8.1.0 kernel signature: 6b8a5d7aff510f4ed4972dc7ca9a0400360408d741d5fd57a59851a279e3947f run #0: crashed: WARNING in skb_warn_bad_offload run #1: crashed: WARNING in corrupted run #2: crashed: WARNING in skb_warn_bad_offload run #3: crashed: WARNING in skb_warn_bad_offload run #4: crashed: WARNING in corrupted run #5: crashed: WARNING in skb_warn_bad_offload run #6: crashed: WARNING in skb_warn_bad_offload run #7: crashed: WARNING in corrupted run #8: crashed: WARNING in skb_warn_bad_offload run #9: crashed: WARNING in skb_warn_bad_offload # git bisect bad aa9d6e0f33aea8a1879e7e53fe0e436943f9ce0c Bisecting: 858 revisions left to test after this (roughly 10 steps) [2a95471c3397734ba6869ca3fa084490fb35b40b] Merge branch 'prog_test_run-improvement' testing commit 2a95471c3397734ba6869ca3fa084490fb35b40b with gcc (GCC) 8.1.0 kernel signature: 9d8c39e7c9459e9e1d5b76e638a00c798e46db825048338374c264474e1c00c7 all runs: crashed: WARNING in skb_warn_bad_offload # git bisect bad 2a95471c3397734ba6869ca3fa084490fb35b40b Bisecting: 429 revisions left to test after this (roughly 9 steps) [480ba9c18a27ff77b02a2012e50dfd3e20ee9f7a] sctp: add sockopt SCTP_EVENT testing commit 480ba9c18a27ff77b02a2012e50dfd3e20ee9f7a with gcc (GCC) 8.1.0 kernel signature: 8ba7a3124ca41a63d406afc6d5a19fa586e80ba420e87febf266cecd9344af33 all runs: crashed: WARNING in skb_warn_bad_offload # git bisect bad 480ba9c18a27ff77b02a2012e50dfd3e20ee9f7a Bisecting: 214 revisions left to test after this (roughly 8 steps) [d1ce01144e75c82bc3c036863f57ac3029354429] Merge branch 'PHYID-matching-macros' testing commit d1ce01144e75c82bc3c036863f57ac3029354429 with gcc (GCC) 8.1.0 kernel signature: 231888e251812d8c47ac4ab3329a13081df05b71c377ae8fadb74fbc6d463d9b run #0: crashed: WARNING in skb_warn_bad_offload run #1: crashed: WARNING in skb_warn_bad_offload run #2: crashed: WARNING in skb_warn_bad_offload run #3: crashed: WARNING in skb_warn_bad_offload run #4: crashed: WARNING in skb_warn_bad_offload run #5: crashed: WARNING in skb_warn_bad_offload run #6: crashed: WARNING in skb_warn_bad_offload run #7: crashed: WARNING in skb_warn_bad_offload run #8: crashed: WARNING in corrupted run #9: crashed: WARNING in skb_warn_bad_offload # git bisect bad d1ce01144e75c82bc3c036863f57ac3029354429 Bisecting: 107 revisions left to test after this (roughly 7 steps) [1c51dc9ad68acf4d2cb89ba847fb48fd6e2de723] net/ipv6: compute anycast address hash only if dev is null testing commit 1c51dc9ad68acf4d2cb89ba847fb48fd6e2de723 with gcc (GCC) 8.1.0 kernel signature: 33946186c47f59126a031a81cd08d39a0d4f7d9149a145b42298b59aaaf41075 all runs: crashed: WARNING in skb_warn_bad_offload # git bisect bad 1c51dc9ad68acf4d2cb89ba847fb48fd6e2de723 Bisecting: 53 revisions left to test after this (roughly 6 steps) [68cb7d531e6a87250a51b8a4ee1c79b3445aeff3] ip: factor out protocol delivery helper testing commit 68cb7d531e6a87250a51b8a4ee1c79b3445aeff3 with gcc (GCC) 8.1.0 kernel signature: 2500e744d22e2e295559d517654b72e939614ac9dbde43a1eba1e6df68338617 all runs: OK # git bisect good 68cb7d531e6a87250a51b8a4ee1c79b3445aeff3 Bisecting: 28 revisions left to test after this (roughly 5 steps) [be08989c4d900d5388be1a7d002cd7c2942d69cd] Merge branch 'nfp-add-and-use-tunnel-netdev-helpers' testing commit be08989c4d900d5388be1a7d002cd7c2942d69cd with gcc (GCC) 8.1.0 kernel signature: b6b19f79ed5d09ff0f51b25cf4aed829e8560f6dfe1bf698978c80a6e68ff8d2 all runs: crashed: WARNING in skb_warn_bad_offload # git bisect bad be08989c4d900d5388be1a7d002cd7c2942d69cd Bisecting: 12 revisions left to test after this (roughly 4 steps) [2e7ad56aa54778de863998579fc6b5ff52838571] net/wan/fsl_ucc_hdlc: add BQL support testing commit 2e7ad56aa54778de863998579fc6b5ff52838571 with gcc (GCC) 8.1.0 kernel signature: e9701eaae34cf1e4beae038316a032da36cdb1c02e22513ed1c541f24a527a72 all runs: crashed: WARNING in skb_warn_bad_offload # git bisect bad 2e7ad56aa54778de863998579fc6b5ff52838571 Bisecting: 5 revisions left to test after this (roughly 3 steps) [3327a9c46352f111697d93d6134e7bf37c6bffca] selftests: add functionals test for UDP GRO testing commit 3327a9c46352f111697d93d6134e7bf37c6bffca with gcc (GCC) 8.1.0 kernel signature: ed622ff4419a7c3a97dba4eefc1ed3b239845a00734ce04851f6536ea29f4482 run #0: crashed: WARNING in skb_warn_bad_offload run #1: crashed: WARNING in skb_warn_bad_offload run #2: crashed: WARNING in skb_warn_bad_offload run #3: crashed: WARNING in skb_warn_bad_offload run #4: crashed: WARNING in skb_warn_bad_offload run #5: crashed: WARNING in skb_warn_bad_offload run #6: crashed: WARNING in skb_warn_bad_offload run #7: crashed: WARNING in corrupted run #8: crashed: WARNING in skb_warn_bad_offload run #9: crashed: WARNING in skb_warn_bad_offload # git bisect bad 3327a9c46352f111697d93d6134e7bf37c6bffca Bisecting: 2 revisions left to test after this (roughly 2 steps) [0a9ac2e95409169ed42ea66dd4270bc16b868e21] selftests: add GRO support to udp bench rx program testing commit 0a9ac2e95409169ed42ea66dd4270bc16b868e21 with gcc (GCC) 8.1.0 kernel signature: 9d98e6d97d844348e4ffd1635fa14fdeb6e95f4d73b2ea0e415d84e0992cb51e run #0: crashed: WARNING in skb_warn_bad_offload run #1: crashed: WARNING in skb_warn_bad_offload run #2: crashed: WARNING in skb_warn_bad_offload run #3: crashed: WARNING in skb_warn_bad_offload run #4: crashed: WARNING in skb_warn_bad_offload run #5: crashed: WARNING in skb_warn_bad_offload run #6: crashed: WARNING in skb_warn_bad_offload run #7: crashed: WARNING in skb_warn_bad_offload run #8: crashed: WARNING in skb_warn_bad_offload run #9: crashed: WARNING in corrupted # git bisect bad 0a9ac2e95409169ed42ea66dd4270bc16b868e21 Bisecting: 0 revisions left to test after this (roughly 1 step) [cf329aa42b6659204fee865bbce0ea20462552eb] udp: cope with UDP GRO packet misdirection testing commit cf329aa42b6659204fee865bbce0ea20462552eb with gcc (GCC) 8.1.0 kernel signature: fb1d52cccaa7473e5e48b279477d1895cb86aca2661b51c0ead66341dc7bf227 all runs: crashed: WARNING in skb_warn_bad_offload # git bisect bad cf329aa42b6659204fee865bbce0ea20462552eb Bisecting: 0 revisions left to test after this (roughly 0 steps) [80bde363f9a43d942e404821b966e362131cd0ca] ipv6: factor out protocol delivery helper testing commit 80bde363f9a43d942e404821b966e362131cd0ca with gcc (GCC) 8.1.0 kernel signature: 1b081243ede3e32e8d51fcf18d3a0f35ffa3bccebf052fb25c0ef6791ef9a011 all runs: OK # git bisect good 80bde363f9a43d942e404821b966e362131cd0ca cf329aa42b6659204fee865bbce0ea20462552eb is the first bad commit commit cf329aa42b6659204fee865bbce0ea20462552eb Author: Paolo Abeni Date: Wed Nov 7 12:38:33 2018 +0100 udp: cope with UDP GRO packet misdirection In some scenarios, the GRO engine can assemble an UDP GRO packet that ultimately lands on a non GRO-enabled socket. This patch tries to address the issue explicitly checking for the UDP socket features before enqueuing the packet, and eventually segmenting the unexpected GRO packet, as needed. We must also cope with re-insertion requests: after segmentation the UDP code calls the helper introduced by the previous patches, as needed. Segmentation is performed by a common helper, which takes care of updating socket and protocol stats is case of failure. rfc v3 -> v1 - fix compile issues with rxrpc - when gso_segment returns NULL, treat is as an error - added 'ipv4' argument to udp_rcv_segment() rfc v2 -> rfc v3 - moved udp_rcv_segment() into net/udp.h, account errors to socket and ns, always return NULL or segs list Signed-off-by: Paolo Abeni Signed-off-by: David S. Miller include/linux/udp.h | 6 ++++++ include/net/udp.h | 45 +++++++++++++++++++++++++++++++++++++-------- net/ipv4/udp.c | 23 ++++++++++++++++++++++- net/ipv6/udp.c | 24 +++++++++++++++++++++++- 4 files changed, 88 insertions(+), 10 deletions(-) culprit signature: fb1d52cccaa7473e5e48b279477d1895cb86aca2661b51c0ead66341dc7bf227 parent signature: 1b081243ede3e32e8d51fcf18d3a0f35ffa3bccebf052fb25c0ef6791ef9a011 revisions tested: 21, total time: 3h39m22.250616087s (build: 2h1m22.235524406s, test: 1h36m34.803849204s) first bad commit: cf329aa42b6659204fee865bbce0ea20462552eb udp: cope with UDP GRO packet misdirection cc: ["davem@davemloft.net" "kuznet@ms2.inr.ac.ru" "linux-kernel@vger.kernel.org" "netdev@vger.kernel.org" "pabeni@redhat.com" "yoshfuji@linux-ipv6.org"] crash: WARNING in skb_warn_bad_offload IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready ------------[ cut here ]------------ batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1 gretap0: caps=(0x00000000401d7869, 0x0000000000000000) len=1053 data_len=877 gso_size=1024 gso_type=131072 ip_summed=0 batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! WARNING: CPU: 1 PID: 7600 at net/core/dev.c:2879 skb_warn_bad_offload+0x266/0x5d0 net/core/dev.c:2874 batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1 Kernel panic - not syncing: panic_on_warn set ... batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! CPU: 1 PID: 7600 Comm: syz-executor.1 Not tainted 4.20.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x16b/0x224 lib/dump_stack.c:113 panic+0x212/0x3b7 kernel/panic.c:188 __warn.cold.8+0x1b/0x3c kernel/panic.c:540 report_bug+0x1a4/0x200 lib/bug.c:186 fixup_bug arch/x86/kernel/traps.c:178 [inline] do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:271 do_invalid_op+0x36/0x40 arch/x86/kernel/traps.c:290 invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:969 RIP: 0010:skb_warn_bad_offload+0x266/0x5d0 net/core/dev.c:2874 Code: 00 48 8d 88 28 03 00 00 48 85 c0 48 c7 c0 c0 f7 be 87 48 0f 44 c8 41 56 48 c7 c7 40 cd be 87 56 4c 89 fe 41 55 e8 4d 2a d1 fb <0f> 0b 48 83 c4 18 48 8d 65 d8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 48 RSP: 0018:ffff8800aeb078d8 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff88007f14d500 RCX: 0000000000000000 RDX: 0000000000000004 RSI: ffff8800a63e88e8 RDI: ffffffff8a14fca0 RBP: ffff8800aeb07928 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: ffff88008e186e40 R13: 0000000000000400 R14: 0000000000000000 R15: ffff88008e186e40 __skb_gso_segment+0x491/0x670 net/core/dev.c:3086 udp_rcv_segment include/net/udp.h:479 [inline] udp_queue_rcv_skb+0x205/0x8b0 net/ipv4/udp.c:2022 __udp4_lib_mcast_deliver net/ipv4/udp.c:2109 [inline] __udp4_lib_rcv+0x187f/0x2e00 net/ipv4/udp.c:2240 udp_rcv+0x15/0x20 net/ipv4/udp.c:2415 ip_protocol_deliver_rcu+0x5a/0x700 net/ipv4/ip_input.c:208 ip_local_deliver_finish+0x1fb/0x2f0 net/ipv4/ip_input.c:234 NF_HOOK include/linux/netfilter.h:289 [inline] ip_local_deliver+0x2f7/0x440 net/ipv4/ip_input.c:255 dst_input include/net/dst.h:450 [inline] ip_rcv_finish+0x162/0x250 net/ipv4/ip_input.c:414 NF_HOOK include/linux/netfilter.h:289 [inline] ip_rcv+0xcb/0x2e0 net/ipv4/ip_input.c:523 __netif_receive_skb_one_core+0xe9/0x170 net/core/dev.c:4941 __netif_receive_skb+0x1f/0x1b0 net/core/dev.c:5051 process_backlog+0x1fc/0x700 net/core/dev.c:5855 napi_poll net/core/dev.c:6275 [inline] net_rx_action+0x45c/0xe50 net/core/dev.c:6341 __do_softirq+0x25e/0x987 kernel/softirq.c:292 do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1023 do_softirq.part.14+0x126/0x160 kernel/softirq.c:337 do_softirq+0x19/0x20 kernel/softirq.c:340 netif_rx_ni+0x15f/0x240 net/core/dev.c:4538 dev_loopback_xmit+0x260/0x5f0 net/core/dev.c:3550 batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1 ip_mc_finish_output+0x2b/0x150 net/ipv4/ip_output.c:331 NF_HOOK include/linux/netfilter.h:289 [inline] ip_mc_output+0x4d0/0xca0 net/ipv4/ip_output.c:369 dst_output include/net/dst.h:444 [inline] ip_local_out+0x78/0x130 net/ipv4/ip_output.c:124 ip_send_skb+0x36/0xa0 net/ipv4/ip_output.c:1441 batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! udp_send_skb.isra.43+0x5d4/0x1500 net/ipv4/udp.c:827 udp_sendmsg+0x177a/0x22c0 net/ipv4/udp.c:1114 udpv6_sendmsg+0x5e0/0x2fe0 net/ipv6/udp.c:1231 inet_sendmsg+0x108/0x440 net/ipv4/af_inet.c:798 sock_sendmsg_nosec net/socket.c:621 [inline] sock_sendmsg+0xb5/0xf0 net/socket.c:631 __sys_sendto+0x1f2/0x2e0 net/socket.c:1788 __do_sys_sendto net/socket.c:1800 [inline] __se_sys_sendto net/socket.c:1796 [inline] __x64_sys_sendto+0xdc/0x1a0 net/socket.c:1796 do_syscall_64+0xd0/0x4d0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x45b349 Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007f791e560c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 00007f791e5616d4 RCX: 000000000045b349 RDX: 0000000000000401 RSI: 0000000020000600 RDI: 0000000000000003 RBP: 000000000075bf20 R08: 00000000200011c0 R09: 000000000000001c R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff R13: 00000000000009a9 R14: 00000000004cb1e8 R15: 000000000075bf2c Kernel Offset: disabled Rebooting in 86400 seconds..