bisecting fixing commit since 10b84daddbec72c6b440216a69de9a9605127f7a
building syzkaller on dc88925771c47ef787f6f3a7b6756b8f0ce40af5
testing commit 10b84daddbec72c6b440216a69de9a9605127f7a with gcc (GCC) 8.1.0
all runs: crashed: KASAN: stack-out-of-bounds Read in xfrm_state_find
testing current HEAD f6192cb7429211bfaac1178c35607b0c989900b8
testing commit f6192cb7429211bfaac1178c35607b0c989900b8 with gcc (GCC) 8.1.0
all runs: OK
# git bisect start f6192cb7429211bfaac1178c35607b0c989900b8 10b84daddbec72c6b440216a69de9a9605127f7a
Bisecting: 58607 revisions left to test after this (roughly 16 steps)
[51de9c6d25594f70c0a03466546ca3deb9705d0e] drm/i915: Don't pass dev_priv around so much
testing commit 51de9c6d25594f70c0a03466546ca3deb9705d0e with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 51de9c6d25594f70c0a03466546ca3deb9705d0e
Bisecting: 29303 revisions left to test after this (roughly 15 steps)
[c6d22ab61bfdeb9d8572859cbc670e7335853817] drm/i915: don't assume struct page in i915_sg_trim
testing commit c6d22ab61bfdeb9d8572859cbc670e7335853817 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: stack-out-of-bounds Read in xfrm_state_find
# git bisect good c6d22ab61bfdeb9d8572859cbc670e7335853817
Bisecting: 14651 revisions left to test after this (roughly 14 steps)
[70afb58e9856a70ff9e45760af2d0ebeb7c46ac2] net: mvpp2: fix the number of queues per cpu for PPv2.2
testing commit 70afb58e9856a70ff9e45760af2d0ebeb7c46ac2 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: stack-out-of-bounds Read in xfrm_state_find
# git bisect good 70afb58e9856a70ff9e45760af2d0ebeb7c46ac2
Bisecting: 7355 revisions left to test after this (roughly 13 steps)
[26873acacbdbb4e4b444f5dd28dcc4853f0e8ba2] Merge tag 'driver-core-4.20-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core
testing commit 26873acacbdbb4e4b444f5dd28dcc4853f0e8ba2 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 26873acacbdbb4e4b444f5dd28dcc4853f0e8ba2
Bisecting: 4274 revisions left to test after this (roughly 12 steps)
[a97a2d4d56ea596871b739d63d41b084733bd9fb] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc
testing commit a97a2d4d56ea596871b739d63d41b084733bd9fb with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad a97a2d4d56ea596871b739d63d41b084733bd9fb
Bisecting: 1527 revisions left to test after this (roughly 11 steps)
[b8e445b6895cfe76c5959a7135a3216703fe32d4] Merge tag 'hwmon-for-v4.20' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging
testing commit b8e445b6895cfe76c5959a7135a3216703fe32d4 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad b8e445b6895cfe76c5959a7135a3216703fe32d4
Bisecting: 746 revisions left to test after this (roughly 10 steps)
[6d4c407744dd0338da5d5d76f40dce5adabfb30a] net: sched: cls_u32: fix hnode refcounting
testing commit 6d4c407744dd0338da5d5d76f40dce5adabfb30a with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 6d4c407744dd0338da5d5d76f40dce5adabfb30a
Bisecting: 373 revisions left to test after this (roughly 9 steps)
[2f19e7a7e63a04f4bbaf327d9d0e69ac800b2b8f] Merge tag 'spi-fix-v4.19-rc5' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi
testing commit 2f19e7a7e63a04f4bbaf327d9d0e69ac800b2b8f with gcc (GCC) 8.1.0
all runs: crashed: KASAN: stack-out-of-bounds Read in xfrm_state_find
# git bisect good 2f19e7a7e63a04f4bbaf327d9d0e69ac800b2b8f
Bisecting: 160 revisions left to test after this (roughly 8 steps)
[cec4de302c5ff2c5eb3bfcb0c4845a095f5149b9] Merge gitolite.kernel.org:/pub/scm/linux/kernel/git/davem/net
testing commit cec4de302c5ff2c5eb3bfcb0c4845a095f5149b9 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad cec4de302c5ff2c5eb3bfcb0c4845a095f5149b9
Bisecting: 106 revisions left to test after this (roughly 7 steps)
[92d7c74b6f72a8a7d04970d5dcfb99673daaf91d] Merge branch 'for-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth
testing commit 92d7c74b6f72a8a7d04970d5dcfb99673daaf91d with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 92d7c74b6f72a8a7d04970d5dcfb99673daaf91d
Bisecting: 52 revisions left to test after this (roughly 6 steps)
[4bd2c03be707253f1157bd759fdd6971e4f70403] net: hns: remove ndo_poll_controller
testing commit 4bd2c03be707253f1157bd759fdd6971e4f70403 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: stack-out-of-bounds Read in xfrm_state_find
# git bisect good 4bd2c03be707253f1157bd759fdd6971e4f70403
Bisecting: 26 revisions left to test after this (roughly 5 steps)
[c5cb93e994ffb43b7b3b1ff10b9f928f54574a36] sr9800: Check for supported Wake-on-LAN modes
testing commit c5cb93e994ffb43b7b3b1ff10b9f928f54574a36 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: stack-out-of-bounds Read in xfrm_state_find
# git bisect good c5cb93e994ffb43b7b3b1ff10b9f928f54574a36
Bisecting: 11 revisions left to test after this (roughly 4 steps)
[c8424ddd9715bf1200392a677a8a0e819c99a726] Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf
testing commit c8424ddd9715bf1200392a677a8a0e819c99a726 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: stack-out-of-bounds Read in xfrm_state_find
# git bisect good c8424ddd9715bf1200392a677a8a0e819c99a726
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[32bf94fb5c2ec4ec842152d0e5937cd4bb6738fa] xfrm: validate template mode
testing commit 32bf94fb5c2ec4ec842152d0e5937cd4bb6738fa with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 32bf94fb5c2ec4ec842152d0e5937cd4bb6738fa
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[bfc0698bebcb16d19ecfc89574ad4d696955e5d3] xfrm: reset transport header back to network header after all input transforms ahave been applied
testing commit bfc0698bebcb16d19ecfc89574ad4d696955e5d3 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: stack-out-of-bounds Read in xfrm_state_find
# git bisect good bfc0698bebcb16d19ecfc89574ad4d696955e5d3
Bisecting: 0 revisions left to test after this (roughly 1 step)
[9e1437937807b0122e8da1ca8765be2adca9aee6] xfrm: Fix NULL pointer dereference when skb_dst_force clears the dst_entry.
testing commit 9e1437937807b0122e8da1ca8765be2adca9aee6 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: stack-out-of-bounds Read in xfrm_state_find
# git bisect good 9e1437937807b0122e8da1ca8765be2adca9aee6
32bf94fb5c2ec4ec842152d0e5937cd4bb6738fa is the first bad commit
commit 32bf94fb5c2ec4ec842152d0e5937cd4bb6738fa
Author: Sean Tranchetti
Date:   Wed Sep 19 13:54:56 2018 -0600

    xfrm: validate template mode

    XFRM mode parameters passed as part of the user templates
    in the IP_XFRM_POLICY are never properly validated. Passing
    values other than valid XFRM modes can cause stack-out-of-bounds
    reads to occur later in the XFRM processing:

    [  140.535608] ================================================================
    [  140.543058] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x17e4/0x1cc4
    [  140.550306] Read of size 4 at addr ffffffc0238a7a58 by task repro/5148
    [  140.557369]
    [  140.558927] Call trace:
    [  140.558936]  dump_backtrace+0x0/0x388
    [  140.558940]  show_stack+0x24/0x30
    [  140.558946]  __dump_stack+0x24/0x2c
    [  140.558949]  dump_stack+0x8c/0xd0
    [  140.558956]  print_address_description+0x74/0x234
    [  140.558960]  kasan_report+0x240/0x264
    [  140.558963]  __asan_report_load4_noabort+0x2c/0x38
    [  140.558967]  xfrm_state_find+0x17e4/0x1cc4
    [  140.558971]  xfrm_resolve_and_create_bundle+0x40c/0x1fb8
    [  140.558975]  xfrm_lookup+0x238/0x1444
    [  140.558977]  xfrm_lookup_route+0x48/0x11c
    [  140.558984]  ip_route_output_flow+0x88/0xc4
    [  140.558991]  raw_sendmsg+0xa74/0x266c
    [  140.558996]  inet_sendmsg+0x258/0x3b0
    [  140.559002]  sock_sendmsg+0xbc/0xec
    [  140.559005]  SyS_sendto+0x3a8/0x5a8
    [  140.559008]  el0_svc_naked+0x34/0x38
    [  140.559009]
    [  140.592245] page dumped because: kasan: bad access detected
    [  140.597981] page_owner info is not active (free page?)
    [  140.603267]
    [  140.653503] ================================================================

    Signed-off-by: Sean Tranchetti
    Signed-off-by: Steffen Klassert

:040000 040000 1f92412419fdf8d46aef35513ad2456b06ac2d85 a52b48ec4b20ffd5dfe6c2af7a45b45623a6e67e M	net
revisions tested: 18, total time: 3h44m27.363869031s (build: 1h32m15.435435571s, test: 2h4m2.400258893s)
first good commit: 32bf94fb5c2ec4ec842152d0e5937cd4bb6738fa xfrm: validate template mode
cc: ["davem@davemloft.net" "herbert@gondor.apana.org.au" "linux-kernel@vger.kernel.org" "netdev@vger.kernel.org" "steffen.klassert@secunet.com" "stranche@codeaurora.org"]