bisecting fixing commit since 4520f06b03ae667e442da1ab9351fd28cd7ac598 building syzkaller on ef26b61025bac4c6bb1a0ef7eccc45f43f84c841 testing commit 4520f06b03ae667e442da1ab9351fd28cd7ac598 with gcc (GCC) 8.1.0 kernel signature: f6bb45db4a13a18795b39ec1592be59330fca818ed059ae6b37e032e9431539c all runs: crashed: kernel BUG at net/core/dev.c:LINE! testing current HEAD 773e2b1cd56a17bab4cdd4fe7db12f2140951668 testing commit 773e2b1cd56a17bab4cdd4fe7db12f2140951668 with gcc (GCC) 8.1.0 kernel signature: 5aabf9072ae59bcc06fa4b1d390ff734729b15cf1a8512825ec0d81239822a80 all runs: crashed: kernel BUG at net/core/dev.c:LINE! revisions tested: 2, total time: 25m28.803087564s (build: 18m2.321183823s, test: 6m22.336870783s) the crash still happens on HEAD commit msg: Linux 4.14.178 crash: kernel BUG at net/core/dev.c:LINE! IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready ip_tables: iptables: counters copy to user failed while replacing table IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready ------------[ cut here ]------------ kernel BUG at net/core/dev.c:2648! invalid opcode: 0000 [#1] PREEMPT SMP KASAN Modules linked in: CPU: 0 PID: 7864 Comm: syz-executor.2 Not tainted 4.14.178-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 task: ffff8880a11fc080 task.stack: ffff888087540000 RIP: 0010:skb_checksum_help+0x566/0x880 net/core/dev.c:2648 RSP: 0018:ffff888087547230 EFLAGS: 00010287 RAX: 0000000000000120 RBX: ffff88808b150400 RCX: 000000000000001c RDX: 000000000000001c RSI: 0000000000000000 RDI: ffff88808b150498 RBP: ffff888087547288 R08: ffff8880a11fc978 R09: ffff88808b150480 R10: ffff88808b1504cc R11: ffff88808b1504d8 R12: 0000000000000040 R13: ffff88808b150490 R14: 00000000000000e0 R15: ffff88808b150484 FS: 00007fe06e6b3700(0000) GS:ffff8880aec00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fff0ff3fe00 CR3: 000000008b622000 CR4: 00000000001406f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: checksum_tg+0x48/0x57 net/netfilter/xt_CHECKSUM.c:29 ipt_do_table+0xa7e/0x1660 net/ipv4/netfilter/ip_tables.c:353 iptable_mangle_hook+0x93/0x5d0 net/ipv4/netfilter/iptable_mangle.c:90 nf_hook_entry_hookfn include/linux/netfilter.h:108 [inline] nf_hook_slow+0xa1/0x180 net/netfilter/core.c:467 nf_hook include/linux/netfilter.h:205 [inline] NF_HOOK include/linux/netfilter.h:248 [inline] ip_rcv+0xd40/0x133d net/ipv4/ip_input.c:493 __netif_receive_skb_core+0x1d54/0x3260 net/core/dev.c:4478 __netif_receive_skb+0x1f/0x1b0 net/core/dev.c:4516 netif_receive_skb_internal+0xcc/0x4d0 net/core/dev.c:4589 netif_receive_skb+0x37/0x230 net/core/dev.c:4613 tun_rx_batched.isra.48+0x4b8/0x990 drivers/net/tun.c:1221 tun_get_user+0xacf/0x3890 drivers/net/tun.c:1581 tun_chr_write_iter+0xcb/0x18b drivers/net/tun.c:1608 call_write_iter include/linux/fs.h:1778 [inline] new_sync_write fs/read_write.c:469 [inline] __vfs_write+0x413/0x840 fs/read_write.c:482 vfs_write+0x150/0x4f0 fs/read_write.c:544 SYSC_write fs/read_write.c:590 [inline] SyS_write+0x100/0x250 fs/read_write.c:582 do_syscall_64+0x1c7/0x5b0 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x42/0xb7 RIP: 0033:0x45c879 RSP: 002b:00007fe06e6b2c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 00007fe06e6b36d4 RCX: 000000000045c879 RDX: 000000000000fdef RSI: 00000000200000c0 RDI: 0000000000000003 RBP: 000000000076bf00 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff R13: 0000000000000d0d R14: 00000000004cf399 R15: 000000000076bf0c Code: ea 03 80 3c 02 00 0f 84 5f fe ff ff 4c 89 df e8 71 f2 66 fc e9 52 fe ff ff 48 89 df e8 f4 b4 ff ff b8 ea ff ff ff e9 c4 fe ff ff <0f> 0b 0f 0b 48 ba 00 00 00 00 00 fc ff df 4c 89 de 48 c1 ee 03 RIP: skb_checksum_help+0x566/0x880 net/core/dev.c:2648 RSP: ffff888087547230 ---[ end trace 64ddf33879b9d35f ]---