bisecting fixing commit since 28619527b8a712590c93d0a9e24b4425b9376a8c
building syzkaller on 6b5120a46407f0462e664e15fed3eae5da951c75
testing commit 28619527b8a712590c93d0a9e24b4425b9376a8c with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in psock_map_pop
testing current HEAD 91b4db5313a2c793aabc2143efb8ed0cf0fdd097
testing commit 91b4db5313a2c793aabc2143efb8ed0cf0fdd097 with gcc (GCC) 8.1.0
all runs: OK
# git bisect start 91b4db5313a2c793aabc2143efb8ed0cf0fdd097 28619527b8a712590c93d0a9e24b4425b9376a8c
Bisecting: 37174 revisions left to test after this (roughly 15 steps)
[b1e243957e9b3ba8e820fb8583bdf18e7c737aa2] Merge tag 'for-5.1-part1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux
testing commit b1e243957e9b3ba8e820fb8583bdf18e7c737aa2 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad b1e243957e9b3ba8e820fb8583bdf18e7c737aa2
Bisecting: 18582 revisions left to test after this (roughly 14 steps)
[339bbff2d6e005a5586adeffc3d69a0eea50a764] Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next
testing commit 339bbff2d6e005a5586adeffc3d69a0eea50a764 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 339bbff2d6e005a5586adeffc3d69a0eea50a764
Bisecting: 9284 revisions left to test after this (roughly 13 steps)
[4904008165c8a1c48602b8316139691b8c735e6e] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
testing commit 4904008165c8a1c48602b8316139691b8c735e6e with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 4904008165c8a1c48602b8316139691b8c735e6e
Bisecting: 5260 revisions left to test after this (roughly 12 steps)
[3f80e08f40cdb308589a49077c87632fa4508b21] tcp: add tcp_reset_xmit_timer() helper
testing commit 3f80e08f40cdb308589a49077c87632fa4508b21 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 3f80e08f40cdb308589a49077c87632fa4508b21
Bisecting: 2001 revisions left to test after this (roughly 11 steps)
[d793fb46822ff7408a1767313ef6b12e811baa55] Merge tag 'wireless-drivers-next-for-davem-2018-10-02' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers-next
testing commit d793fb46822ff7408a1767313ef6b12e811baa55 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad d793fb46822ff7408a1767313ef6b12e811baa55
Bisecting: 1018 revisions left to test after this (roughly 10 steps)
[e366fa435032db1ce1538a2c029714666985dd48] Merge ra.kernel.org:/pub/scm/linux/kernel/git/davem/net
testing commit e366fa435032db1ce1538a2c029714666985dd48 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in psock_map_pop
# git bisect good e366fa435032db1ce1538a2c029714666985dd48
Bisecting: 511 revisions left to test after this (roughly 9 steps)
[7a153655d725ff867325da72f8cb171d3ec8fc69] Merge branch 'Refactor-classifier-API-to-work-with-Qdisc-blocks-without-rtnl-lock'
testing commit 7a153655d725ff867325da72f8cb171d3ec8fc69 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 7a153655d725ff867325da72f8cb171d3ec8fc69
Bisecting: 244 revisions left to test after this (roughly 8 steps)
[2dd68cc7fd8c3ae9c151c0565824b5ef42e3806b] Merge gitolite.kernel.org:/pub/scm/linux/kernel/git/davem/net
testing commit 2dd68cc7fd8c3ae9c151c0565824b5ef42e3806b with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 2dd68cc7fd8c3ae9c151c0565824b5ef42e3806b
Bisecting: 130 revisions left to test after this (roughly 7 steps)
[10dc890d4228cd17ddfd09ba9aaa9221627e29b2] Merge tag 'pinctrl-v4.19-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl
testing commit 10dc890d4228cd17ddfd09ba9aaa9221627e29b2 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in psock_map_pop
# git bisect good 10dc890d4228cd17ddfd09ba9aaa9221627e29b2
Bisecting: 65 revisions left to test after this (roughly 6 steps)
[b80e71a986c2ab5677dc6b84923cd7030b690800] ixgbe: remove ndo_poll_controller
testing commit b80e71a986c2ab5677dc6b84923cd7030b690800 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in psock_map_pop
# git bisect good b80e71a986c2ab5677dc6b84923cd7030b690800
Bisecting: 32 revisions left to test after this (roughly 5 steps)
[6bf4ca7fbc85d80446ac01c0d1d77db4d91a6d84] Linux 4.19-rc5
testing commit 6bf4ca7fbc85d80446ac01c0d1d77db4d91a6d84 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in psock_map_pop
run #1: crashed: KASAN: use-after-free Read in psock_map_pop
run #2: crashed: KASAN: use-after-free Read in psock_map_pop
run #3: crashed: KASAN: use-after-free Read in psock_map_pop
run #4: crashed: KASAN: use-after-free Read in psock_map_pop
run #5: crashed: KASAN: use-after-free Read in psock_map_pop
run #6: crashed: KASAN: use-after-free Read in psock_map_pop
run #7: crashed: KASAN: use-after-free Read in psock_map_pop
run #8: OK
run #9: OK
# git bisect good 6bf4ca7fbc85d80446ac01c0d1d77db4d91a6d84
Bisecting: 18 revisions left to test after this (roughly 4 steps)
[d26ed6b0e5e23190d43ab34bc69cbecdc464a2cf] net: aquantia: memory corruption on jumbo frames
testing commit d26ed6b0e5e23190d43ab34bc69cbecdc464a2cf with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in psock_map_pop
# git bisect good d26ed6b0e5e23190d43ab34bc69cbecdc464a2cf
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[02214bfc89c71bcc5167f653994cfa5c57f10ff1] Merge tag 'media/v4.19-2' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media
testing commit 02214bfc89c71bcc5167f653994cfa5c57f10ff1 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in psock_map_pop
# git bisect good 02214bfc89c71bcc5167f653994cfa5c57f10ff1
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[fad0c40fab14523ca381a30fef88b7c3266bef1c] Merge branch 'bpf-sockmap-estab-fixes'
testing commit fad0c40fab14523ca381a30fef88b7c3266bef1c with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad fad0c40fab14523ca381a30fef88b7c3266bef1c
Bisecting: 2 revisions left to test after this (roughly 1 step)
[5607fff303636d48b88414c6be353d9fed700af2] bpf: sockmap only allow ESTABLISHED sock state
testing commit 5607fff303636d48b88414c6be353d9fed700af2 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 5607fff303636d48b88414c6be353d9fed700af2
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[080220b687147fd9376878534aba7194f17f6ef5] tools: bpf: fix license for a compat header file
testing commit 080220b687147fd9376878534aba7194f17f6ef5 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in psock_map_pop
# git bisect good 080220b687147fd9376878534aba7194f17f6ef5
5607fff303636d48b88414c6be353d9fed700af2 is the first bad commit
commit 5607fff303636d48b88414c6be353d9fed700af2
Author: John Fastabend
Date: Tue Sep 18 09:01:44 2018 -0700

    bpf: sockmap only allow ESTABLISHED sock state

    After this patch we only allow socks that are in ESTABLISHED state or are being added via a sock_ops event that is transitioning into an ESTABLISHED state. By allowing sock_ops events we allow users to manage sockmaps directly from sock ops programs. The two supported sock_ops ops are BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB and BPF_SOCK_OPS_ACTIVE_ESTABLISHED_CB. Similar to TLS ULP this ensures sk_user_data is correct.

    Reported-by: Eric Dumazet
    Fixes: 1aa12bdf1bfb ("bpf: sockmap, add sock close() hook to remove socks")
    Signed-off-by: John Fastabend
    Acked-by: Yonghong Song
    Signed-off-by: Daniel Borkmann

:040000 040000 f46941c894d8256164c138e4d5f51d6cf90c2807 5902e4a5ff2f767ed9d17ca684e16d38c4136f5b M kernel
revisions tested: 18, total time: 4h52m34.71530557s (build: 1h40m12.304701993s, test: 3h6m5.03839765s)
first good commit: 5607fff303636d48b88414c6be353d9fed700af2 bpf: sockmap only allow ESTABLISHED sock state
cc: ["ast@kernel.org" "bpf@vger.kernel.org" "daniel@iogearbox.net" "john.fastabend@gmail.com" "kafai@fb.com" "linux-kernel@vger.kernel.org" "netdev@vger.kernel.org" "songliubraving@fb.com" "yhs@fb.com"]