bisecting cause commit starting from 2c5ca23f7414eb2c782f945aa417cfab7b5c88dd
building syzkaller on af70c3a9d26d6637e932facd13b1e55dd96270b5
testing commit 2c5ca23f7414eb2c782f945aa417cfab7b5c88dd
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 43f59889d18c5c13ac1b63dac8247499cd6fe8cc0ca7d05f8c6b9108e577312f
all runs: crashed: kernel BUG in __skb_gso_segment
testing release v5.18
testing commit 4b0986a3613c92f4ec1bdc7f60ec66fea135991f
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: bc2465e033cba2c96e5b10e660a8b5d3b34833a68e8007b1419855e60efddc6b
all runs: OK
# git bisect start 2c5ca23f7414eb2c782f945aa417cfab7b5c88dd 4b0986a3613c92f4ec1bdc7f60ec66fea135991f
Bisecting: 6168 revisions left to test after this (roughly 13 steps)
[86c87bea6b42100c67418af690919c44de6ede6e] Merge tag 'devicetree-for-5.19' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux

testing commit 86c87bea6b42100c67418af690919c44de6ede6e
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 2543a9ab2b847f93f81db9e6f8ce1eec36c138c3d8ab885013778c8ff5fbbc4f
all runs: crashed: kernel BUG in __skb_gso_segment
# git bisect bad 86c87bea6b42100c67418af690919c44de6ede6e
Bisecting: 2583 revisions left to test after this (roughly 11 steps)
[7208c9842c50f97327aac20be62edc8ad230f05c] Merge tag 'gfs2-v5.18-rc6-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/gfs2/linux-gfs2

testing commit 7208c9842c50f97327aac20be62edc8ad230f05c
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 68633f80b617298fefce122bd3fd25161e4a8faf92334aa42a2cd0b1dfca61c5
all runs: OK
# git bisect good 7208c9842c50f97327aac20be62edc8ad230f05c
Bisecting: 1292 revisions left to test after this (roughly 10 steps)
[01f4685797a5723b0046da03c30185ac9ff42b30] eth: amd: remove NI6510 support (ni65)

testing commit 01f4685797a5723b0046da03c30185ac9ff42b30
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 9e8f2c81f8467c8d4c9a51e9e0b54265decf806e9e34ae7e65039e20fe07f7bd
all runs: crashed: kernel BUG in __skb_gso_segment
# git bisect bad 01f4685797a5723b0046da03c30185ac9ff42b30
Bisecting: 615 revisions left to test after this (roughly 9 steps)
[50c6afabfd2ae91a4ff0e2feb14fe702b0688ec5] Merge https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next

testing commit 50c6afabfd2ae91a4ff0e2feb14fe702b0688ec5
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 3f227d0ca3f18cb43cacef2b1c28cda47a59bb6e8da4c3937884b10a1fc6ab51
all runs: crashed: kernel BUG in __skb_gso_segment
# git bisect bad 50c6afabfd2ae91a4ff0e2feb14fe702b0688ec5
Bisecting: 337 revisions left to test after this (roughly 8 steps)
[7d9dbdfbfdc5e52131bea94a7318ee35b15a5f19] net: ipv6: add skb drop reasons to TLV parse

testing commit 7d9dbdfbfdc5e52131bea94a7318ee35b15a5f19
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: f2b01ff1f70ab55134f5c37950e791f563b6d8f9b037d059b1adf4b4bfd6a38b
all runs: OK
# git bisect good 7d9dbdfbfdc5e52131bea94a7318ee35b15a5f19
Bisecting: 168 revisions left to test after this (roughly 7 steps)
[fb799dd49a25625db05af51dd141371f6f64d3d1] Merge branch 'ipv6-RT_ONLINK-remove-prep'

testing commit fb799dd49a25625db05af51dd141371f6f64d3d1
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 4fcda814e9f931db75a13152fa1ca4d3587969ac12538ca7bf63a34e397723f9
all runs: OK
# git bisect good fb799dd49a25625db05af51dd141371f6f64d3d1
Bisecting: 84 revisions left to test after this (roughly 6 steps)
[11d5daa89254ba2233d422777d52dbf24666b280] libbpf: Avoid joining .BTF.ext data with BPF programs by section name

testing commit 11d5daa89254ba2233d422777d52dbf24666b280
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 39ee4412c42bf6a62869814defc204602ad76dd3c3309efff81234e4177f6c67
all runs: OK
# git bisect good 11d5daa89254ba2233d422777d52dbf24666b280
Bisecting: 42 revisions left to test after this (roughly 5 steps)
[c5794097b269f15961ed78f7f27b50e51766dec9] net: ipa: compute proper aggregation limit

testing commit c5794097b269f15961ed78f7f27b50e51766dec9
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 512d5d4e9b2d3f1affb1261b933ae5e0f1f7c61e3f7082274ae18e3ee3eade51
all runs: OK
# git bisect good c5794097b269f15961ed78f7f27b50e51766dec9
Bisecting: 21 revisions left to test after this (roughly 5 steps)
[124de27101ffec33a1eb6ccf0eff89a1a9b999a8] Merge branch 'mptcp-MP_FAIL-timeout'

testing commit 124de27101ffec33a1eb6ccf0eff89a1a9b999a8
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: c8ddd03bb84154bfe2b586ad27aa4480f1e1506aeedafe86ea83ca1ea6457deb
all runs: crashed: kernel BUG in __skb_gso_segment
# git bisect bad 124de27101ffec33a1eb6ccf0eff89a1a9b999a8
Bisecting: 10 revisions left to test after this (roughly 3 steps)
[c706b2b5ed74d30436b85cbd8e63e969f6b5873a] net: tls: fix async vs NIC crypto offload

testing commit c706b2b5ed74d30436b85cbd8e63e969f6b5873a
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: d45c96fc69da181426446557ce3ac156f36f9bef7da405efbfb15d98ab97fb46
all runs: crashed: kernel BUG in __skb_gso_segment
# git bisect bad c706b2b5ed74d30436b85cbd8e63e969f6b5873a
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[de6dd626d7082eda383ec77a5e06093c82122d10] net: dsa: ksz: added the generic port_stp_state_set function

testing commit de6dd626d7082eda383ec77a5e06093c82122d10
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 716cad73e924df8b88c5e932e168bbbbef676c63522100c80dfb6653bb0910f2
all runs: OK
# git bisect good de6dd626d7082eda383ec77a5e06093c82122d10
Bisecting: 2 revisions left to test after this (roughly 1 step)
[561215482cc69d1c758944d4463b3d5d96d37bd1] net: usb: qmi_wwan: add support for Sierra Wireless EM7590

testing commit 561215482cc69d1c758944d4463b3d5d96d37bd1
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 34ce41e25da099ca54df7065d7628461a8c95e057e03cb26baf154a5f940c27c
all runs: crashed: kernel BUG in __skb_gso_segment
# git bisect bad 561215482cc69d1c758944d4463b3d5d96d37bd1
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[dfed913e8b55a0c2c4906f1242fd38fd9a116e49] net/af_packet: add VLAN support for AF_PACKET SOCK_RAW GSO

testing commit dfed913e8b55a0c2c4906f1242fd38fd9a116e49
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 222cfddfb5a6f01b7a3307aed0d2f5c6707c06f0d9ab6513f698783be2aaa2f2
all runs: crashed: kernel BUG in __skb_gso_segment
# git bisect bad dfed913e8b55a0c2c4906f1242fd38fd9a116e49
dfed913e8b55a0c2c4906f1242fd38fd9a116e49 is the first bad commit
commit dfed913e8b55a0c2c4906f1242fd38fd9a116e49
Author: Hangbin Liu <liuhangbin@gmail.com>
Date:   Mon Apr 25 09:45:02 2022 +0800

    net/af_packet: add VLAN support for AF_PACKET SOCK_RAW GSO
    
    Currently, the kernel drops GSO VLAN tagged packet if it's created with
    socket(AF_PACKET, SOCK_RAW, 0) plus virtio_net_hdr.
    
    The reason is AF_PACKET doesn't adjust the skb network header if there is
    a VLAN tag. Then after virtio_net_hdr_set_proto() called, the skb->protocol
    will be set to ETH_P_IP/IPv6. And in later inet/ipv6_gso_segment() the skb
    is dropped as network header position is invalid.
    
    Let's handle VLAN packets by adjusting network header position in
    packet_parse_headers(). The adjustment is safe and does not affect the
    later xmit as tap device also did that.
    
    In packet_snd(), packet_parse_headers() need to be moved before calling
    virtio_net_hdr_set_proto(), so we can set correct skb->protocol and
    network header first.
    
    There is no need to update tpacket_snd() as it calls packet_parse_headers()
    in tpacket_fill_skb(), which is already before calling virtio_net_hdr_*
    functions.
    
    skb->no_fcs setting is also moved upper to make all skb settings together
    and keep consistency with function packet_sendmsg_spkt().
    
    Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
    Acked-by: Willem de Bruijn <willemb@google.com>
    Acked-by: Michael S. Tsirkin <mst@redhat.com>
    Link: https://lore.kernel.org/r/20220425014502.985464-1-liuhangbin@gmail.com
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>

 net/packet/af_packet.c | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

culprit signature: 222cfddfb5a6f01b7a3307aed0d2f5c6707c06f0d9ab6513f698783be2aaa2f2
parent  signature: 716cad73e924df8b88c5e932e168bbbbef676c63522100c80dfb6653bb0910f2
revisions tested: 15, total time: 3h2m5.100774226s (build: 1h38m46.442243482s, test: 1h21m47.738236217s)
first bad commit: dfed913e8b55a0c2c4906f1242fd38fd9a116e49 net/af_packet: add VLAN support for AF_PACKET SOCK_RAW GSO
recipients (to): ["liuhangbin@gmail.com" "mst@redhat.com" "pabeni@redhat.com" "willemb@google.com"]
recipients (cc): []
crash: kernel BUG in __skb_gso_segment
------------[ cut here ]------------
kernel BUG at include/linux/skbuff.h:2587!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 4087 Comm: syz-executor.0 Not tainted 5.18.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__skb_pull include/linux/skbuff.h:2587 [inline]
RIP: 0010:skb_mac_gso_segment+0x3a0/0x470 net/core/gro.c:136
Code: 60 71 e4 89 be b7 02 00 00 48 c7 c7 c0 71 e4 89 c6 05 89 47 fd 05 01 e8 8f c1 a1 01 e9 d3 fd ff ff 49 c7 c4 ea ff ff ff eb 80 <0f> 0b 48 89 df e8 a6 c3 f6 fa 48 ba 00 00 00 00 00 fc ff df e9 14
RSP: 0018:ffffc90002d8f4d8 EFLAGS: 00010297
RAX: 0000000000000012 RBX: 0000000000000fe0 RCX: 0000000000000000
RDX: 0000000000000007 RSI: 0000000000000012 RDI: ffff8880160d52f4
RBP: 1ffff920005b1e9d R08: ffffed1002c1aa5e R09: ffff8880160d5348
R10: ffff8880160d52f0 R11: 1ffff11002c1aa5e R12: 0000000000005dbc
R13: ffff8880160d52f0 R14: 0000000000000012 R15: ffff8880160d5280
FS:  00007fb97f65c700(0000) GS:ffff8880b9f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000200015c0 CR3: 0000000072c36000 CR4: 0000000000350ee0
Call Trace:
 <TASK>
 __skb_gso_segment+0x2cb/0x5a0 net/core/dev.c:3359
 skb_gso_segment include/linux/netdevice.h:4690 [inline]
 validate_xmit_skb+0x5e3/0xc40 net/core/dev.c:3618
 validate_xmit_skb_list+0xa9/0x120 net/core/dev.c:3668
 sch_direct_xmit+0x2d8/0x10a0 net/sched/sch_generic.c:327
 __dev_xmit_skb net/core/dev.c:3764 [inline]
 __dev_queue_xmit+0x11b2/0x30c0 net/core/dev.c:4173
 packet_snd net/packet/af_packet.c:3071 [inline]
 packet_sendmsg+0x1c3e/0x48c0 net/packet/af_packet.c:3102
 sock_sendmsg_nosec net/socket.c:705 [inline]
 sock_sendmsg+0xab/0xe0 net/socket.c:725
 ____sys_sendmsg+0x5b9/0x7a0 net/socket.c:2413
 ___sys_sendmsg+0xd3/0x150 net/socket.c:2467
 __sys_sendmsg+0xb2/0x140 net/socket.c:2496
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fb97e489109
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fb97f65c168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007fb97e59bf60 RCX: 00007fb97e489109
RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000003
RBP: 00007fb97e4e308d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffeefa2e79f R14: 00007fb97f65c300 R15: 0000000000022000
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__skb_pull include/linux/skbuff.h:2587 [inline]
RIP: 0010:skb_mac_gso_segment+0x3a0/0x470 net/core/gro.c:136
Code: 60 71 e4 89 be b7 02 00 00 48 c7 c7 c0 71 e4 89 c6 05 89 47 fd 05 01 e8 8f c1 a1 01 e9 d3 fd ff ff 49 c7 c4 ea ff ff ff eb 80 <0f> 0b 48 89 df e8 a6 c3 f6 fa 48 ba 00 00 00 00 00 fc ff df e9 14
RSP: 0018:ffffc90002d8f4d8 EFLAGS: 00010297
RAX: 0000000000000012 RBX: 0000000000000fe0 RCX: 0000000000000000
RDX: 0000000000000007 RSI: 0000000000000012 RDI: ffff8880160d52f4
RBP: 1ffff920005b1e9d R08: ffffed1002c1aa5e R09: ffff8880160d5348
R10: ffff8880160d52f0 R11: 1ffff11002c1aa5e R12: 0000000000005dbc
R13: ffff8880160d52f0 R14: 0000000000000012 R15: ffff8880160d5280
FS:  00007fb97f65c700(0000) GS:ffff8880b9f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000200015c0 CR3: 0000000072c36000 CR4: 0000000000350ee0