bisecting fixing commit since 9b15f7fae677336e04b9e026ff91854e43165455
building syzkaller on 5d7b90f1af2e3bf33992b75e7fcf0bab6bf49bd6
testing commit 9b15f7fae677336e04b9e026ff91854e43165455 with gcc (GCC) 8.1.0
kernel signature: 07fe00fb9fbb888ef70cb1ccedfedf2aa8f44652633b561aa12d9c27bcc1ba04
all runs: crashed: KASAN: stack-out-of-bounds Write in ax25_getname
testing current HEAD 339485c9a80f3b9f30708f784346fef42ad127c3
testing commit 339485c9a80f3b9f30708f784346fef42ad127c3 with gcc (GCC) 8.1.0
kernel signature: 5056df6f89827ae9c55b57f0cfdab712f1802eee5a9fca8cd10c5b3b4fcfd364
all runs: OK
# git bisect start 339485c9a80f3b9f30708f784346fef42ad127c3 9b15f7fae677336e04b9e026ff91854e43165455
Bisecting: 246 revisions left to test after this (roughly 8 steps)
[4db4761cfe1555c7ad0403a3e8cf3eb9c29e9327] USB: quirks: blacklist duplicate ep on Sound Devices USBPre2
testing commit 4db4761cfe1555c7ad0403a3e8cf3eb9c29e9327 with gcc (GCC) 8.1.0
kernel signature: bc9dc62125988c931ebb5c5a8d2a231ec5572b294e0641df70ba4c89c449f9a4
all runs: crashed: KASAN: stack-out-of-bounds Write in ax25_getname
# git bisect good 4db4761cfe1555c7ad0403a3e8cf3eb9c29e9327
Bisecting: 123 revisions left to test after this (roughly 7 steps)
[bcfa3be32de5a44ca094a5d41d449b2e3178792b] HID: alps: Fix an error handling path in 'alps_input_configured()'
testing commit bcfa3be32de5a44ca094a5d41d449b2e3178792b with gcc (GCC) 8.1.0
kernel signature: 56f4e471201a0cdd0b3cf54d4f9642a9b0697d2f0805c4386c492055afce431e
all runs: OK
# git bisect bad bcfa3be32de5a44ca094a5d41d449b2e3178792b
Bisecting: 61 revisions left to test after this (roughly 6 steps)
[c0965be4b28b8078202bd174d2cf2beb1b91fe46] ecryptfs: replace BUG_ON with error handling code
testing commit c0965be4b28b8078202bd174d2cf2beb1b91fe46 with gcc (GCC) 8.1.0
kernel signature: 5ef3807edfc91a82372e2c6efa8f294198cd1e543366fb7de625a8a6525d4d65
all runs: crashed: KASAN: stack-out-of-bounds Write in ax25_getname
# git bisect good c0965be4b28b8078202bd174d2cf2beb1b91fe46
Bisecting: 30 revisions left to test after this (roughly 5 steps)
[aeeff8dd696ceedd8af74a3a4178b0d0ed3da570] net: ena: rss: store hash function as values and not bits
testing commit aeeff8dd696ceedd8af74a3a4178b0d0ed3da570 with gcc (GCC) 8.1.0
kernel signature: 714a4efba63450137c0e8813b905492e516c6cf93453e0c5e564aa4be0c491c0
all runs: crashed: KASAN: stack-out-of-bounds Write in ax25_getname
# git bisect good aeeff8dd696ceedd8af74a3a4178b0d0ed3da570
Bisecting: 15 revisions left to test after this (roughly 4 steps)
[6ab8a5a3a0029232430acead78a5719ad5cf1917] ipv6: Fix nlmsg_flags when splitting a multipath route
testing commit 6ab8a5a3a0029232430acead78a5719ad5cf1917 with gcc (GCC) 8.1.0
kernel signature: 33cc3b4f45ecbf679f72fa520f0fa6c60ad7b25680bcc88bd5a9c04fd8abb193
all runs: crashed: KASAN: stack-out-of-bounds Write in ax25_getname
# git bisect good 6ab8a5a3a0029232430acead78a5719ad5cf1917
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[30f22a3842f50b8af9a5c540f541aeb05a13d7e2] HID: ite: Only bind to keyboard USB interface on Acer SW5-012 keyboard dock
testing commit 30f22a3842f50b8af9a5c540f541aeb05a13d7e2 with gcc (GCC) 8.1.0
kernel signature: e5c375ef1013e17e33aef3e14321974705e3af8d990247559121728b97aefca8
all runs: crashed: KASAN: stack-out-of-bounds Write in ax25_getname
# git bisect good 30f22a3842f50b8af9a5c540f541aeb05a13d7e2
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[91495e01e83b109db640e451434a0fdb748dec4d] tracing: Disable trace_printk() on post poned tests
testing commit 91495e01e83b109db640e451434a0fdb748dec4d with gcc (GCC) 8.1.0
kernel signature: 7ada2e9e0e21d6d57574132af3468a09ca611dce05c4a8a9bed997132a24645b
all runs: crashed: KASAN: stack-out-of-bounds Write in ax25_getname
# git bisect good 91495e01e83b109db640e451434a0fdb748dec4d
Bisecting: 1 revision left to test after this (roughly 1 step)
[c47655fba16fa9a6af1c3eef997cf26bf2c92645] amdgpu/gmc_v9: save/restore sdpif regs during S3
testing commit c47655fba16fa9a6af1c3eef997cf26bf2c92645 with gcc (GCC) 8.1.0
kernel signature: ad6d61abbae6bf9d8e368fc5457d11cfa8537e7c598c8d9622f1e5f2d2f05fd6
all runs: crashed: KASAN: stack-out-of-bounds Write in ax25_getname
# git bisect good c47655fba16fa9a6af1c3eef997cf26bf2c92645
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[ad598a48fe61c6c2407f08a807cb7a2ea83386b3] vhost: Check docket sk_family instead of call getname
testing commit ad598a48fe61c6c2407f08a807cb7a2ea83386b3 with gcc (GCC) 8.1.0
kernel signature: 07f695b7bd805ba95981e7264662992887210a2916b0b42cf7f330f4fa266f57
all runs: OK
# git bisect bad ad598a48fe61c6c2407f08a807cb7a2ea83386b3
ad598a48fe61c6c2407f08a807cb7a2ea83386b3 is the first bad commit
commit ad598a48fe61c6c2407f08a807cb7a2ea83386b3
Author: Eugenio Pérez
Date:   Fri Feb 21 12:06:56 2020 +0100

    vhost: Check docket sk_family instead of call getname

    commit 42d84c8490f9f0931786f1623191fcab397c3d64 upstream.

    Doing so, we save one call to get data we already have in the struct.

    Also, since there is no guarantee that getname use sockaddr_ll
    parameter beyond its size, we add a little bit of security here.
    It should do not do beyond MAX_ADDR_LEN, but syzbot found that
    ax25_getname writes more (72 bytes, the size of full_sockaddr_ax25,
    versus 20 + 32 bytes of sockaddr_ll + MAX_ADDR_LEN in syzbot repro).

    Fixes: 3a4d5c94e9593 ("vhost_net: a kernel-level virtio server")
    Reported-by: syzbot+f2a62d07a5198c819c7b@syzkaller.appspotmail.com
    Signed-off-by: Eugenio Pérez
    Acked-by: Michael S. Tsirkin
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

 drivers/vhost/net.c | 10 +---------
 1 file changed, 1 insertion(+), 9 deletions(-)
culprit signature: 07f695b7bd805ba95981e7264662992887210a2916b0b42cf7f330f4fa266f57
parent signature: ad6d61abbae6bf9d8e368fc5457d11cfa8537e7c598c8d9622f1e5f2d2f05fd6
revisions tested: 11, total time: 2h43m11.13217105s (build: 1h44m0.970298299s, test: 57m42.137366071s)
first good commit: ad598a48fe61c6c2407f08a807cb7a2ea83386b3 vhost: Check docket sk_family instead of call getname
cc: ["davem@davemloft.net" "eperezma@redhat.com" "gregkh@linuxfoundation.org" "mst@redhat.com"]