bisecting cause commit starting from 810c2f0a3f86158c1e02e74947b66d811473434a
building syzkaller on 9ad6612a0a3b4ab403e6db3bafc65dc098e83fc3
testing commit 810c2f0a3f86158c1e02e74947b66d811473434a
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: f0d31d3d086a679bfdbae4de034fdb7626111936ff4fc4042cb5228f4e7f6eec
all runs: crashed: UBSAN: shift-out-of-bounds in tcf_pedit_init
testing release v5.17
testing commit f443e374ae131c168a065ea1748feac6b2e76613
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: c272e72322bcce90c56a04ec076a38fd1dcccb458838ca86c9b7fa22744878ba
all runs: OK
# git bisect start 810c2f0a3f86158c1e02e74947b66d811473434a f443e374ae131c168a065ea1748feac6b2e76613
Bisecting: 8047 revisions left to test after this (roughly 13 steps)
[25fd2d41b505d0640bdfe67aa77c549de2d3c18a] selftests: kselftest framework: provide "finished" helper

testing commit 25fd2d41b505d0640bdfe67aa77c549de2d3c18a
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 80e909dd9ab4e4ed6441e88a00b63942e23874e5a2f731681b95ec46afad16fc
all runs: OK
# git bisect good 25fd2d41b505d0640bdfe67aa77c549de2d3c18a
Bisecting: 4152 revisions left to test after this (roughly 12 steps)
[ff61bc81b3feebcef4d0431a92e2e40e8d4fe8b3] Merge tag 'pinctrl-v5.18-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl

testing commit ff61bc81b3feebcef4d0431a92e2e40e8d4fe8b3
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: aa914829070af466ef22072eff271438e58c1401f61ead3de74883d1c18166ab
run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: failed to write control pipe: write |NUM: broken pipe
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good ff61bc81b3feebcef4d0431a92e2e40e8d4fe8b3
Bisecting: 2077 revisions left to test after this (roughly 11 steps)
[cf300b83c793c25c6b485fdaf7a4447d8ea4c655] kbuild: Remove '-mno-global-merge'

testing commit cf300b83c793c25c6b485fdaf7a4447d8ea4c655
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 500a238115742d2eb70316b2f20cb2668717b5ee8d9ad4d03f61a97104711a25
all runs: OK
# git bisect good cf300b83c793c25c6b485fdaf7a4447d8ea4c655
Bisecting: 1038 revisions left to test after this (roughly 10 steps)
[1bdec44b1eee32e311b44b5b06144bb7d9b33938] tmpfs: fix regressions from wider use of ZERO_PAGE

testing commit 1bdec44b1eee32e311b44b5b06144bb7d9b33938
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 39290cb65a258596f449f825efc324986b4ab97e13281e3d506fe332611900cc
all runs: OK
# git bisect good 1bdec44b1eee32e311b44b5b06144bb7d9b33938
Bisecting: 517 revisions left to test after this (roughly 9 steps)
[259b897e5a7958e06d1ac30ddd28dc8419e8f328] Merge tag 'platform-drivers-x86-v5.18-3' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86

testing commit 259b897e5a7958e06d1ac30ddd28dc8419e8f328
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 9bf3686a3e418fd2e6795141ab295ccc71ef7ee18e42106874e64cc31c56c247
all runs: OK
# git bisect good 259b897e5a7958e06d1ac30ddd28dc8419e8f328
Bisecting: 246 revisions left to test after this (roughly 8 steps)
[a6b5c5dc06a4b25fc7690a7a25a7c095d3f16fa9] Merge tag 'tty-5.18-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty

testing commit a6b5c5dc06a4b25fc7690a7a25a7c095d3f16fa9
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 671f01e300f5a210f2f8c9ba5787ac1e63358b4c56e79366a69eccff377c6bec
all runs: OK
# git bisect good a6b5c5dc06a4b25fc7690a7a25a7c095d3f16fa9
Bisecting: 136 revisions left to test after this (roughly 7 steps)
[a7391ad3572431a354c927cf8896e86e50d7d0bf] Merge tag 'iomm-fixes-v5.18-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu

testing commit a7391ad3572431a354c927cf8896e86e50d7d0bf
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 6b2555d48dce7e4062ba4735329a6ca708b97ba0a3d5c1f202c38717a5cdac6a
all runs: OK
# git bisect good a7391ad3572431a354c927cf8896e86e50d7d0bf
Bisecting: 67 revisions left to test after this (roughly 6 steps)
[ef562489818723ea0a66c57bfdfbf151ad568c42] Merge branch 'insufficient-tcp-source-port-randomness'

testing commit ef562489818723ea0a66c57bfdfbf151ad568c42
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: ddd6f14d5fad30cf0f32a2f6dda27bebec16a127738d46c41081d95681792be2
all runs: OK
# git bisect good ef562489818723ea0a66c57bfdfbf151ad568c42
Bisecting: 34 revisions left to test after this (roughly 5 steps)
[630fd4822af2374cd75c682b7665dcb367613765] net: dsa: flush switchdev workqueue on bridge join error path

testing commit 630fd4822af2374cd75c682b7665dcb367613765
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: e5909a739136a6a0160bfddbf2a70d73ddf066daef460dafc94f042160cf1320
all runs: OK
# git bisect good 630fd4822af2374cd75c682b7665dcb367613765
Bisecting: 17 revisions left to test after this (roughly 4 steps)
[3f95a7472d14abef284d8968734fe2ae7ff4845f] i40e: i40e_main: fix a missing check on list iterator

testing commit 3f95a7472d14abef284d8968734fe2ae7ff4845f
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: e9f5097d773ea2a45fe01b227c36e8878b3c76bfbb32ce59000839131bdc10d1
all runs: crashed: UBSAN: shift-out-of-bounds in tcf_pedit_init
# git bisect bad 3f95a7472d14abef284d8968734fe2ae7ff4845f
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[79784d77ebbd3ec516b7a5ce555d979fb7946202] net: atlantic: reduce scope of is_rsc_complete

testing commit 79784d77ebbd3ec516b7a5ce555d979fb7946202
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 996fefe597d5ab6f22b008251be1914f576a03d0cf888c5cc4282c4c6dfaa4bb
all runs: OK
# git bisect good 79784d77ebbd3ec516b7a5ce555d979fb7946202
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[2c50c6867c85afee6f2b3bcbc50fc9d0083d1343] s390/ctcm: fix variable dereferenced before check

testing commit 2c50c6867c85afee6f2b3bcbc50fc9d0083d1343
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 11f8e1f8ae8d770956dc2eadb7deae9e0694e49e6e73138ac69660c2455ac550
all runs: OK
# git bisect good 2c50c6867c85afee6f2b3bcbc50fc9d0083d1343
Bisecting: 2 revisions left to test after this (roughly 1 step)
[671bb35c8e746439f0ed70815968f9a4f20a8deb] s390/lcs: fix variable dereferenced before check

testing commit 671bb35c8e746439f0ed70815968f9a4f20a8deb
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 7bbd072b3804f70611f9f1abb1fb8416b1bc3297c3b3a561d0e0ec895a755aab
all runs: OK
# git bisect good 671bb35c8e746439f0ed70815968f9a4f20a8deb
Bisecting: 0 revisions left to test after this (roughly 1 step)
[8b796475fd7882663a870456466a4fb315cc1bd6] net/sched: act_pedit: really ensure the skb is writable

testing commit 8b796475fd7882663a870456466a4fb315cc1bd6
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: b4b088f3008249b46bfe708d01650d6b91748b1fab8fc37aca951fd4928d5050
all runs: crashed: UBSAN: shift-out-of-bounds in tcf_pedit_init
# git bisect bad 8b796475fd7882663a870456466a4fb315cc1bd6
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[3cc5c6a7829a67d943a8e9c42edbcc0db18493e2] Merge branch 's390-net-fixes'

testing commit 3cc5c6a7829a67d943a8e9c42edbcc0db18493e2
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 3589d8aa1938692a1d3fb85aea4583cd9fbf86df4e47ea6862898a5d09b8476a
all runs: OK
# git bisect good 3cc5c6a7829a67d943a8e9c42edbcc0db18493e2
8b796475fd7882663a870456466a4fb315cc1bd6 is the first bad commit
commit 8b796475fd7882663a870456466a4fb315cc1bd6
Author: Paolo Abeni <pabeni@redhat.com>
Date:   Tue May 10 16:57:34 2022 +0200

    net/sched: act_pedit: really ensure the skb is writable
    
    Currently pedit tries to ensure that the accessed skb offset
    is writable via skb_unclone(). The action potentially allows
    touching any skb bytes, so it may end-up modifying shared data.
    
    The above causes some sporadic MPTCP self-test failures, due to
    this code:
    
            tc -n $ns2 filter add dev ns2eth$i egress \
                    protocol ip prio 1000 \
                    handle 42 fw \
                    action pedit munge offset 148 u8 invert \
                    pipe csum tcp \
                    index 100
    
    The above modifies a data byte outside the skb head and the skb is
    a cloned one, carrying a TCP output packet.
    
    This change addresses the issue by keeping track of a rough
    over-estimate highest skb offset accessed by the action and ensuring
    such offset is really writable.
    
    Note that this may cause performance regressions in some scenarios,
    but hopefully pedit is not in the critical path.
    
    Fixes: db2c24175d14 ("act_pedit: access skb->data safely")
    Acked-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
    Tested-by: Geliang Tang <geliang.tang@suse.com>
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
    Link: https://lore.kernel.org/r/1fcf78e6679d0a287dd61bb0f04730ce33b3255d.1652194627.git.pabeni@redhat.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>

 include/net/tc_act/tc_pedit.h |  1 +
 net/sched/act_pedit.c         | 26 ++++++++++++++++++++++----
 2 files changed, 23 insertions(+), 4 deletions(-)

culprit signature: b4b088f3008249b46bfe708d01650d6b91748b1fab8fc37aca951fd4928d5050
parent  signature: 3589d8aa1938692a1d3fb85aea4583cd9fbf86df4e47ea6862898a5d09b8476a
revisions tested: 17, total time: 3h58m14.895081905s (build: 1h44m8.410667949s, test: 2h12m35.613594924s)
first bad commit: 8b796475fd7882663a870456466a4fb315cc1bd6 net/sched: act_pedit: really ensure the skb is writable
recipients (to): ["geliang.tang@suse.com" "jhs@mojatatu.com" "kuba@kernel.org" "mathew.j.martineau@linux.intel.com" "pabeni@redhat.com"]
recipients (cc): []
crash: UBSAN: shift-out-of-bounds in tcf_pedit_init
netlink: 28 bytes leftover after parsing attributes in process `syz-executor.0'.
netlink: 28 bytes leftover after parsing attributes in process `syz-executor.0'.
================================================================================
UBSAN: shift-out-of-bounds in net/sched/act_pedit.c:238:43
shift exponent 1400735974 is too large for 32-bit type 'unsigned int'
CPU: 1 PID: 4096 Comm: syz-executor.0 Not tainted 5.18.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x57/0x7d lib/dump_stack.c:106
 ubsan_epilogue+0x5/0x36 lib/ubsan.c:151
 __ubsan_handle_shift_out_of_bounds.cold+0x61/0xef lib/ubsan.c:322
 tcf_pedit_init.cold+0x2c/0x4e net/sched/act_pedit.c:238
 tcf_action_init_1+0x3a9/0x680 net/sched/act_api.c:1367
 tcf_action_init+0x412/0x790 net/sched/act_api.c:1432
 tcf_action_add+0xee/0x400 net/sched/act_api.c:1956
 tc_ctl_action+0x292/0x3d0 net/sched/act_api.c:2015
 rtnetlink_rcv_msg+0x31d/0x8d0 net/core/rtnetlink.c:5993
 netlink_rcv_skb+0x118/0x370 net/netlink/af_netlink.c:2502
 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
 netlink_unicast+0x433/0x710 net/netlink/af_netlink.c:1345
 netlink_sendmsg+0x770/0xc20 net/netlink/af_netlink.c:1921
 sock_sendmsg_nosec net/socket.c:705 [inline]
 sock_sendmsg+0xab/0xe0 net/socket.c:725
 ____sys_sendmsg+0x5b9/0x7a0 net/socket.c:2413
 ___sys_sendmsg+0xd3/0x150 net/socket.c:2467
 __sys_sendmsg+0xb2/0x140 net/socket.c:2496
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f8b66e890e9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f8b67fa8168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f8b66f9bf60 RCX: 00007f8b66e890e9
RDX: 0000000000000000 RSI: 0000000020000300 RDI: 0000000000000003
RBP: 00007f8b66ee308d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fff856deabf R14: 00007f8b67fa8300 R15: 0000000000022000
 </TASK>
================================================================================