bisecting cause commit starting from f9f1e414128ea58d8e848a0275db0f644c9e9f45
building syzkaller on 2b6b214cf2fc16447250192774f9c8e124793c50
testing commit f9f1e414128ea58d8e848a0275db0f644c9e9f45 with gcc (GCC) 8.1.0
kernel signature: d3751fe82a1523c87bfe59cd0c57fb0ea96d4128
all runs: crashed: kernel BUG at net/core/skbuff.c:LINE!
testing release v4.15
testing commit d8a5b80568a9cb66810e75b182018e9edb68e8ff with gcc (GCC) 8.1.0
kernel signature: a9562f5bc25ecf7378ae1c6e7165968c7ce5244d
all runs: crashed: kernel BUG at net/core/skbuff.c:LINE!
testing release v4.14
testing commit bebc6082da0a9f5d47a1ea2edc099bf671058bd4 with gcc (GCC) 8.1.0
kernel signature: a779546eac8eb829a7f5fb3b95d2d05777d4a1d6
all runs: crashed: kernel BUG at net/core/skbuff.c:LINE!
testing release v4.13
testing commit 569dbb88e80deb68974ef6fdd6a13edb9d686261 with gcc (GCC) 8.1.0
kernel signature: be3ad7b6b6f9e705eb55b3a3748185e16dc482cf
all runs: OK
# git bisect start bebc6082da0a9f5d47a1ea2edc099bf671058bd4 569dbb88e80deb68974ef6fdd6a13edb9d686261
Bisecting: 7300 revisions left to test after this (roughly 13 steps)
[15d8ffc96464f6571ecf22043c45fad659f11bdd] Merge tag 'mmc-v4.14' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc
testing commit 15d8ffc96464f6571ecf22043c45fad659f11bdd with gcc (GCC) 8.1.0
kernel signature: fb6cbd65f9f9af840d98ded48207d3c9d75a2305
all runs: crashed: kernel BUG at net/core/skbuff.c:LINE!
# git bisect bad 15d8ffc96464f6571ecf22043c45fad659f11bdd
Bisecting: 3676 revisions left to test after this (roughly 12 steps)
[bafb0762cb6a906eb4105cccfb3bcd90be7f40d2] Merge tag 'char-misc-4.14-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc
testing commit bafb0762cb6a906eb4105cccfb3bcd90be7f40d2 with gcc (GCC) 8.1.0
kernel signature: 1a2ae1e412cabfd1f45196b38214285ff0a28e0c
run #0: boot failed: create image operation failed: &{Code:QUOTA_EXCEEDED Location: Message:Quota 'CPUS' exceeded.  Limit: 500.0 in region us-central1. ForceSendFields:[] NullFields:[]}.
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good bafb0762cb6a906eb4105cccfb3bcd90be7f40d2
Bisecting: 1826 revisions left to test after this (roughly 11 steps)
[b63f6044d8e43e4a1eef8b0a2310cec872fd1d38] Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next
testing commit b63f6044d8e43e4a1eef8b0a2310cec872fd1d38 with gcc (GCC) 8.1.0
kernel signature: 7d6f57c96c27b182a0e7884ee0bf7a7b744cd4ae
all runs: crashed: kernel BUG at net/core/skbuff.c:LINE!
# git bisect bad b63f6044d8e43e4a1eef8b0a2310cec872fd1d38
Bisecting: 924 revisions left to test after this (roughly 10 steps)
[e08af95df1130883762b388a19bb150ae5d16c09] sctp: remove the typedef sctp_verb_t
testing commit e08af95df1130883762b388a19bb150ae5d16c09 with gcc (GCC) 8.1.0
kernel signature: a4b7329c45001d5ad75a1c60957c67a7e9f1be45
all runs: OK
# git bisect good e08af95df1130883762b388a19bb150ae5d16c09
Bisecting: 457 revisions left to test after this (roughly 9 steps)
[49107fcbf436bb37861a924b7ec190a92fb95e36] Merge branch '40GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/jkirsher/next-queue
testing commit 49107fcbf436bb37861a924b7ec190a92fb95e36 with gcc (GCC) 8.1.0
kernel signature: 4bf736ac49171e6769c7add7a9f7e8f1ef817f8b
all runs: crashed: kernel BUG at net/core/skbuff.c:LINE!
# git bisect bad 49107fcbf436bb37861a924b7ec190a92fb95e36
Bisecting: 233 revisions left to test after this (roughly 8 steps)
[170c658afc43c2d18a167783824f4e122a07abd2] net: make BQL sysfs attributes ro_after_init
testing commit 170c658afc43c2d18a167783824f4e122a07abd2 with gcc (GCC) 8.1.0
kernel signature: 19bd89052d3eaae62281e2f600a06c4d71485691
run #0: boot failed: create image operation failed: &{Code:QUOTA_EXCEEDED Location: Message:Quota 'CPUS' exceeded.  Limit: 500.0 in region us-central1. ForceSendFields:[] NullFields:[]}.
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good 170c658afc43c2d18a167783824f4e122a07abd2
Bisecting: 116 revisions left to test after this (roughly 7 steps)
[ab2fb7e3240d24c68f854aa1b972fe415d8d1b3e] udp: remove unreachable ufo branches
testing commit ab2fb7e3240d24c68f854aa1b972fe415d8d1b3e with gcc (GCC) 8.1.0
kernel signature: 43e5c7043c1e9cb6f8121aa0e3427049a389140d
all runs: OK
# git bisect good ab2fb7e3240d24c68f854aa1b972fe415d8d1b3e
Bisecting: 58 revisions left to test after this (roughly 6 steps)
[fb3bbbda5f96512ee94fbc9c8712800087b63182] Merge branch 'mlxsw-ipv4-host-dpipe-table'
testing commit fb3bbbda5f96512ee94fbc9c8712800087b63182 with gcc (GCC) 8.1.0
kernel signature: 9e1795302304bd38ce5f220caa5ce3d1dc20b00a
all runs: crashed: kernel BUG at net/core/skbuff.c:LINE!
# git bisect bad fb3bbbda5f96512ee94fbc9c8712800087b63182
Bisecting: 28 revisions left to test after this (roughly 5 steps)
[e457d86ada27cbd2f46ded75d4b4bc06e26d0e2e] net: sched: add couple of goto_chain helpers
testing commit e457d86ada27cbd2f46ded75d4b4bc06e26d0e2e with gcc (GCC) 8.1.0
kernel signature: cc28c267b0cc778e83afa1c02c03195860d8a9b2
run #0: crashed: kernel BUG at net/core/skbuff.c:LINE!
run #1: crashed: kernel BUG at net/core/skbuff.c:LINE!
run #2: crashed: kernel BUG at net/core/skbuff.c:LINE!
run #3: crashed: kernel BUG at net/core/skbuff.c:LINE!
run #4: crashed: kernel BUG at net/core/skbuff.c:LINE!
run #5: crashed: kernel BUG at net/core/skbuff.c:LINE!
run #6: crashed: kernel BUG at net/core/skbuff.c:LINE!
run #7: crashed: kernel BUG at net/core/skbuff.c:LINE!
run #8: crashed: kernel BUG at net/core/skbuff.c:LINE!
run #9: boot failed: create image operation failed: &{Code:QUOTA_EXCEEDED Location: Message:Quota 'CPUS' exceeded.  Limit: 500.0 in region us-central1. ForceSendFields:[] NullFields:[]}.
# git bisect bad e457d86ada27cbd2f46ded75d4b4bc06e26d0e2e
Bisecting: 14 revisions left to test after this (roughly 4 steps)
[cd36c3a21a400cac9c457394b9adf94e0027c136] bpf: fix map value attribute for hash of maps
testing commit cd36c3a21a400cac9c457394b9adf94e0027c136 with gcc (GCC) 8.1.0
kernel signature: 7fcd9ef0c99b4e9124c0a01ef8ca183acba1d9cc
all runs: crashed: kernel BUG at net/core/skbuff.c:LINE!
# git bisect bad cd36c3a21a400cac9c457394b9adf94e0027c136
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[76eb1b1de5b6467c78bb72311dbf29eea1f10a3a] net: mvpp2: set maximum packet size for 10G ports
testing commit 76eb1b1de5b6467c78bb72311dbf29eea1f10a3a with gcc (GCC) 8.1.0
kernel signature: 58a62e4981b7d36a8df39433db6704b53d94f680
all runs: crashed: kernel BUG at net/core/skbuff.c:LINE!
# git bisect bad 76eb1b1de5b6467c78bb72311dbf29eea1f10a3a
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[1068ec79d9cb5481ccfa6ffacdcf174636227b5d] net: mvpp2: fix the synchronization module bypass macro name
testing commit 1068ec79d9cb5481ccfa6ffacdcf174636227b5d with gcc (GCC) 8.1.0
kernel signature: 8f5db1fc2bd99c58ae0955d34ea08f5c123cb58d
all runs: crashed: kernel BUG at net/core/skbuff.c:LINE!
# git bisect bad 1068ec79d9cb5481ccfa6ffacdcf174636227b5d
Bisecting: 0 revisions left to test after this (roughly 1 step)
[81b6630ff7210356fe1843572543c76674e90450] net: mvpp2: unify register definitions coding style
testing commit 81b6630ff7210356fe1843572543c76674e90450 with gcc (GCC) 8.1.0
kernel signature: f77d176fe544bb46b2c08e2301445e5287d51be0
all runs: crashed: kernel BUG at net/core/skbuff.c:LINE!
# git bisect bad 81b6630ff7210356fe1843572543c76674e90450
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[84e54fe0a5eaed696dee4019c396f8396f5a908b] gre: introduce native tunnel support for ERSPAN
testing commit 84e54fe0a5eaed696dee4019c396f8396f5a908b with gcc (GCC) 8.1.0
kernel signature: 3e2df729cdf5cfdf9c489fdaa27a359a8d3c0193
all runs: crashed: kernel BUG at net/core/skbuff.c:LINE!
# git bisect bad 84e54fe0a5eaed696dee4019c396f8396f5a908b
84e54fe0a5eaed696dee4019c396f8396f5a908b is the first bad commit
commit 84e54fe0a5eaed696dee4019c396f8396f5a908b
Author: William Tu <u9012063@gmail.com>
Date:   Tue Aug 22 09:40:28 2017 -0700

    gre: introduce native tunnel support for ERSPAN
    
    The patch adds ERSPAN type II tunnel support.  The implementation
    is based on the draft at [1].  One of the purposes is for Linux
    box to be able to receive ERSPAN monitoring traffic sent from
    the Cisco switch, by creating a ERSPAN tunnel device.
    In addition, the patch also adds ERSPAN TX, so Linux virtual
    switch can redirect monitored traffic to the ERSPAN tunnel device.
    The traffic will be encapsulated into ERSPAN and sent out.
    
    The implementation reuses tunnel key as ERSPAN session ID, and
    field 'erspan' as ERSPAN Index fields:
    ./ip link add dev ers11 type erspan seq key 100 erspan 123 \
                            local 172.16.1.200 remote 172.16.1.100
    
    To use the above device as ERSPAN receiver, configure
    Nexus 5000 switch as below:
    
    monitor session 100 type erspan-source
      erspan-id 123
      vrf default
      destination ip 172.16.1.200
      source interface Ethernet1/11 both
      source interface Ethernet1/12 both
      no shut
    monitor erspan origin ip-address 172.16.1.100 global
    
    [1] https://tools.ietf.org/html/draft-foschiano-erspan-01
    [2] iproute2 patch: http://marc.info/?l=linux-netdev&m=150306086924951&w=2
    [3] test script: http://marc.info/?l=linux-netdev&m=150231021807304&w=2
    
    Signed-off-by: William Tu <u9012063@gmail.com>
    Signed-off-by: Meenakshi Vohra <mvohra@vmware.com>
    Cc: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
    Cc: Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 include/net/erspan.h           |  61 ++++++++++
 include/net/ip_tunnels.h       |   3 +
 include/uapi/linux/if_ether.h  |   1 +
 include/uapi/linux/if_tunnel.h |   1 +
 net/ipv4/ip_gre.c              | 269 +++++++++++++++++++++++++++++++++++++++++
 5 files changed, 335 insertions(+)
 create mode 100644 include/net/erspan.h
kernel signature:   3e2df729cdf5cfdf9c489fdaa27a359a8d3c0193
previous signature: 43e5c7043c1e9cb6f8121aa0e3427049a389140d
revisions tested: 18, total time: 2h37m28.350560474s (build: 1h4m28.619013249s, test: 1h28m9.126475151s)
first bad commit: 84e54fe0a5eaed696dee4019c396f8396f5a908b gre: introduce native tunnel support for ERSPAN
cc: ["davem@davemloft.net" "kuznet@ms2.inr.ac.ru" "mvohra@vmware.com" "u9012063@gmail.com" "yoshfuji@linux-ipv6.org"]
crash: kernel BUG at net/core/skbuff.c:LINE!
IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
skbuff: skb_over_panic: text:ffffffff84a2c1b8 len:1584 put:1584 head:ffff8801d4c04d40 data:ffff8801d4c04dd8 tail:0x6c8 end:0x6c0 dev:<NULL>
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:105!
invalid opcode: 0000 [#1] SMP KASAN
Modules linked in:
CPU: 1 PID: 4434 Comm: syz-executor2 Not tainted 4.13.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8801d0f704c0 task.stack: ffff8801cc410000
RIP: 0010:skb_panic+0x169/0x16b net/core/skbuff.c:105
RSP: 0018:ffff8801cc417140 EFLAGS: 00010286
RAX: 000000000000008b RBX: ffffffff85e5b4e0 RCX: 0000000000000000
RDX: 000000000000008b RSI: ffff8801db116d78 RDI: ffffed0039882e1f
RBP: ffff8801cc4171a8 R08: ffff8801d0f70d48 R09: 0000000000000006
R10: ffff8801d0f704c0 R11: dffffc0000000000 R12: ffff8801cfc863c0
R13: ffff8801d4c04dd8 R14: 00000000000006c8 R15: 00000000000006c0
FS:  00007f45d2974700(0000) GS:ffff8801db100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000063f210 CR3: 00000001cdd2f000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
skbuff: skb_over_panic: text:ffffffff84a2c1b8 len:1584 put:1584 head:ffff8801cbedab00 data:ffff8801cbedab98 tail:0x6c8 end:0x6c0 dev:<NULL>
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:105!
Call Trace:
 skb_over_panic net/core/skbuff.c:110 [inline]
 skb_put.cold.86+0x21/0x21 net/core/skbuff.c:1702
 __ip6_append_data.isra.44+0x1e88/0x3e50 net/ipv6/ip6_output.c:1424
 ip6_append_data+0x157/0x2b0 net/ipv6/ip6_output.c:1552
 rawv6_sendmsg+0x1d2c/0x46d0 net/ipv6/raw.c:928
 inet_sendmsg+0x148/0x5a0 net/ipv4/af_inet.c:762
 sock_sendmsg_nosec net/socket.c:633 [inline]
 sock_sendmsg+0xb5/0xf0 net/socket.c:643
 ___sys_sendmsg+0x690/0x9d0 net/socket.c:2049
 __sys_sendmsg+0xd6/0x220 net/socket.c:2083
 SYSC_sendmsg net/socket.c:2094 [inline]
 SyS_sendmsg+0xd/0x20 net/socket.c:2090
 entry_SYSCALL_64_fastpath+0x23/0xc2
RIP: 0033:0x453929
RSP: 002b:00007f45d2973c58 EFLAGS: 00000212 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 000000000071bea0 RCX: 0000000000453929
RDX: 0000000000008000 RSI: 0000000020000000 RDI: 0000000000000003
RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006ef910
R13: 00000000ffffffff R14: 00007f45d29746d4 R15: 0000000000000000
Code: 4c 8b 4d b8 44 8b 45 d4 48 8b 55 c8 53 48 c7 c7 20 b5 e5 85 41 8b 8c 24 80 00 00 00 48 8b 75 c0 41 57 41 56 41 55 e8 57 f1 3f fd <0f> 0b 4c 8b 65 08 89 75 e8 e8 5a 52 89 fd 8b 75 e8 48 c7 c1 60 
RIP: skb_panic+0x169/0x16b net/core/skbuff.c:105 RSP: ffff8801cc417140
invalid opcode: 0000 [#2] SMP KASAN
---[ end trace d08d49753cc3316a ]---