bisecting fixing commit since b09c34517e1ac4018e3bb75ed5c8610a8a1f486b
building syzkaller on 5ef9c29141f85f210b326ce68718498ae0c1fd35
testing commit b09c34517e1ac4018e3bb75ed5c8610a8a1f486b with gcc (GCC) 8.1.0
kernel signature: 421ea2f3b0155a9245d44fddfdf2f184899b55116eb4d5eda5ef263c4c745a15
all runs: crashed: KASAN: use-after-free Read in tipc_mcast_xmit
testing current HEAD 0c88e405c97ed1828443b67891e6d4bb6e56cd4e
testing commit 0c88e405c97ed1828443b67891e6d4bb6e56cd4e with gcc (GCC) 8.1.0
kernel signature: 27439902b89dedeb2f89d4d3fde96d750c2b4f1b9aa5c7a7bc293a83ae659009
all runs: OK
# git bisect start 0c88e405c97ed1828443b67891e6d4bb6e56cd4e b09c34517e1ac4018e3bb75ed5c8610a8a1f486b
Bisecting: 424 revisions left to test after this (roughly 9 steps)
[17ef715c0c88fe2df485fba68aa7c6c6cb3004f9] xen/events: defer eoi in case of excessive number of events
testing commit 17ef715c0c88fe2df485fba68aa7c6c6cb3004f9 with gcc (GCC) 8.1.0
kernel signature: 8ffff4de4b4e6454f43e96a94b60842ed3e1c675a9c3a771d1ad75ab0b8a228a
all runs: OK
# git bisect bad 17ef715c0c88fe2df485fba68aa7c6c6cb3004f9
Bisecting: 211 revisions left to test after this (roughly 8 steps)
[eca79d8158e8c7f06914fa45b4dff95214272664] net: dsa: rtl8366rb: Support all 4096 VLANs
testing commit eca79d8158e8c7f06914fa45b4dff95214272664 with gcc (GCC) 8.1.0
kernel signature: 3df3c3dc73dff0bb7f4cbe26887ca6c228a6df6a9682748874858d53871daa4b
all runs: OK
# git bisect bad eca79d8158e8c7f06914fa45b4dff95214272664
Bisecting: 105 revisions left to test after this (roughly 7 steps)
[0364aee683c37679ae91f7bf9e399c5cd6eba126] reiserfs: Initialize inode keys properly
testing commit 0364aee683c37679ae91f7bf9e399c5cd6eba126 with gcc (GCC) 8.1.0
kernel signature: 8482f49bfd7e06b162aab2d1ccc5c63229cfa8291730bd664eda53beac39c4b5
all runs: crashed: KASAN: use-after-free Read in tipc_mcast_xmit
# git bisect good 0364aee683c37679ae91f7bf9e399c5cd6eba126
Bisecting: 52 revisions left to test after this (roughly 6 steps)
[7cfd9b85b72b561912a9812ff7da7cb74a8cf82a] media: omap3isp: Fix memleak in isp_probe
testing commit 7cfd9b85b72b561912a9812ff7da7cb74a8cf82a with gcc (GCC) 8.1.0
kernel signature: 7e4fca220dd54f8639f7bedae1c628f0275e3769b6e981e609b6a824c19e16e7
all runs: OK
# git bisect bad 7cfd9b85b72b561912a9812ff7da7cb74a8cf82a
Bisecting: 26 revisions left to test after this (roughly 5 steps)
[a298ba5e7d1715d4c3a5844b6e7a5c7bd7feff87] net/sched: act_tunnel_key: fix OOB write in case of IPv6 ERSPAN tunnels
testing commit a298ba5e7d1715d4c3a5844b6e7a5c7bd7feff87 with gcc (GCC) 8.1.0
kernel signature: 657dbde4765b67deb4b8cdce26d0103923ffa058b5cf518cadcfd8267e89b47a
all runs: OK
# git bisect bad a298ba5e7d1715d4c3a5844b6e7a5c7bd7feff87
Bisecting: 12 revisions left to test after this (roughly 4 steps)
[0cca96df3732fef913c0f7c48f7118a90db466da] net/smc: fix valid DMBE buffer sizes
testing commit 0cca96df3732fef913c0f7c48f7118a90db466da with gcc (GCC) 8.1.0
kernel signature: 7cab61629cf1752cdf5775d58656566fe01b2e1eddea49023e738a3a7445dff5
all runs: crashed: KASAN: use-after-free Read in tipc_mcast_xmit
# git bisect good 0cca96df3732fef913c0f7c48f7118a90db466da
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[35cc2facc2a5ff52b9aa03f2dc81dcb000d97da3] binder: fix UAF when releasing todo list
testing commit 35cc2facc2a5ff52b9aa03f2dc81dcb000d97da3 with gcc (GCC) 8.1.0
kernel signature: 503863158c2e995ef62980a2031b02ed710d0e610d1e6e17646f3ff69265af44
all runs: OK
# git bisect bad 35cc2facc2a5ff52b9aa03f2dc81dcb000d97da3
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[9db62b759161b9e75626e419d85d6944a23a2ab1] net/ipv4: always honour route mtu during forwarding
testing commit 9db62b759161b9e75626e419d85d6944a23a2ab1 with gcc (GCC) 8.1.0
kernel signature: 582906889705c310b538ac5cc11ad938a9386f48e70f78b2ba6c5f4e9c1701d9
all runs: OK
# git bisect bad 9db62b759161b9e75626e419d85d6944a23a2ab1
Bisecting: 0 revisions left to test after this (roughly 1 step)
[26217e062f976fc4e2b7b8b6981a6d119435ea51] tipc: fix the skb_unshare() in tipc_buf_append()
testing commit 26217e062f976fc4e2b7b8b6981a6d119435ea51 with gcc (GCC) 8.1.0
kernel signature: 51aa90df8ac02226d3f6779f826240de02944dc49993021156c60cd3b4039f08
all runs: OK
# git bisect bad 26217e062f976fc4e2b7b8b6981a6d119435ea51
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[be431112aaae464aa60f7616cdf6457230aa5664] net: usb: qmi_wwan: add Cellient MPL200 card
testing commit be431112aaae464aa60f7616cdf6457230aa5664 with gcc (GCC) 8.1.0
kernel signature: 7cab61629cf1752cdf5775d58656566fe01b2e1eddea49023e738a3a7445dff5
all runs: crashed: KASAN: use-after-free Read in tipc_mcast_xmit
# git bisect good be431112aaae464aa60f7616cdf6457230aa5664
26217e062f976fc4e2b7b8b6981a6d119435ea51 is the first bad commit
commit 26217e062f976fc4e2b7b8b6981a6d119435ea51
Author: Cong Wang
Date:   Wed Oct 7 21:12:50 2020 -0700

    tipc: fix the skb_unshare() in tipc_buf_append()

    [ Upstream commit ed42989eab57d619667d7e87dfbd8fe207db54fe ]

    skb_unshare() drops a reference count on the old skb unconditionally,
    so in the failure case, we end up freeing the skb twice here. And
    because the skb is allocated in fclone and cloned by caller
    tipc_msg_reassemble(), the consequence is actually freeing the original
    skb too, thus triggered the UAF by syzbot.

    Fix this by replacing this skb_unshare() with skb_cloned()+skb_copy().

    Fixes: ff48b6222e65 ("tipc: use skb_unshare() instead in tipc_buf_append()")
    Reported-and-tested-by: syzbot+e96a7ba46281824cc46a@syzkaller.appspotmail.com
    Cc: Jon Maloy
    Cc: Ying Xue
    Signed-off-by: Cong Wang
    Reviewed-by: Xin Long
    Signed-off-by: Jakub Kicinski
    Signed-off-by: Greg Kroah-Hartman

 net/tipc/msg.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

culprit signature: 51aa90df8ac02226d3f6779f826240de02944dc49993021156c60cd3b4039f08
parent signature: 7cab61629cf1752cdf5775d58656566fe01b2e1eddea49023e738a3a7445dff5
revisions tested: 12, total time: 3h24m41.695732538s (build: 1h52m35.925848168s, test: 1h30m53.076575772s)
first good commit: 26217e062f976fc4e2b7b8b6981a6d119435ea51 tipc: fix the skb_unshare() in tipc_buf_append()
recipients (to): ["gregkh@linuxfoundation.org" "kuba@kernel.org" "lucien.xin@gmail.com" "syzbot+e96a7ba46281824cc46a@syzkaller.appspotmail.com" "xiyou.wangcong@gmail.com"]
recipients (cc): []
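Added example, not part of the syzbot report or of the kernel patch it names: a user-space C model of the ownership bug the commit message describes. The helpers skb_unshare_m(), skb_cloned_m(), skb_copy_m() and kfree_skb_m() are constructed stand-ins for the sk_buff API and keep only the contract that matters here, namely that the unshare helper frees its input even when the copy allocation fails. append_before() and append_after() follow the shape of the FIRST_FRAGMENT path in net/tipc/msg.c before and after the fix, where the error path frees *buf (that second free is the double free the message refers to); the code is not the kernel's, the pool and the fault injection are constructed, and the fclone bookkeeping (orig and clone are two users of one object, released when both are freed) is a simplification assumed for the model.

```c
/* Added user-space model of the bug in the commit message above; not kernel
 * code. The *_m() helpers are constructed stand-ins for the sk_buff API and
 * keep one property of the real skb_unshare(): its input is freed even when
 * the copy allocation fails. fclone bookkeeping is simplified (see below). */
#include <stdbool.h>
#include <string.h>

struct skb {
	bool freed;     /* released at least once */
	bool in_pair;   /* member of the fclone pair (orig or its clone) */
};

/* Constructed pool: [0] orig, [1] its fclone clone, [2] a private copy. */
static struct skb pool[3];
static int pair_users;      /* live users of the shared fclone object */
static bool pair_released;  /* set once that object has been returned */
static int double_frees;    /* counted instead of crashing the process */
static bool fail_copy;      /* fault injection for the copy allocation */

static bool skb_cloned_m(const struct skb *s) { return s->in_pair; }

static struct skb *skb_copy_m(const struct skb *s)
{
	(void)s;
	return fail_copy ? NULL : &pool[2];  /* NULL: GFP_ATOMIC failed */
}

static void kfree_skb_m(struct skb *s)
{
	if (!s)
		return;
	if (s->freed)
		double_frees++;          /* in the kernel KASAN reports this */
	s->freed = true;
	if (s->in_pair && --pair_users <= 0)
		pair_released = true;    /* last user gone: object released */
}

/* Same contract as the kernel helper: on copy failure the input is freed. */
static struct skb *skb_unshare_m(struct skb *s)
{
	struct skb *n;
	if (!skb_cloned_m(s))
		return s;
	n = skb_copy_m(s);
	kfree_skb_m(s);
	return n;
}

/* FIRST_FRAGMENT path as shaped by ff48b6222e65: err: frees *buf, which
 * still names the skb that skb_unshare_m() has already freed. */
static int append_before(struct skb **buf)
{
	struct skb *frag = skb_unshare_m(*buf);
	if (!frag)
		goto err;
	*buf = frag;
	return 1;
err:
	kfree_skb_m(*buf);
	*buf = NULL;
	return 0;
}

/* Same path as shaped by ed42989eab57: skb_cloned() + skb_copy() leaves the
 * clone owned by the caller, so err: frees it exactly once. */
static int append_after(struct skb **buf)
{
	struct skb *frag = *buf;
	if (skb_cloned_m(frag))
		frag = skb_copy_m(frag);
	if (!frag)
		goto err;
	*buf = frag;
	return 1;
err:
	kfree_skb_m(*buf);
	*buf = NULL;
	return 0;
}

/* orig_memory_gone: orig was never freed, yet its object is released. */
struct outcome { int double_frees; bool orig_memory_gone; };

/* Scenario: the caller keeps orig (as tipc_msg_reassemble() does) and hands
 * in its fclone clone; the copy allocation inside append() fails. */
static struct outcome run(int (*append)(struct skb **))
{
	struct skb *orig = &pool[0], *buf = &pool[1];
	struct outcome o;
	memset(pool, 0, sizeof pool);
	orig->in_pair = buf->in_pair = true;
	pair_users = 2;              /* orig + clone */
	pair_released = false;
	double_frees = 0;
	fail_copy = true;
	append(&buf);
	o.double_frees = double_frees;
	o.orig_memory_gone = !orig->freed && pair_released;
	return o;
}
```

With the copy allocation forced to fail, run(append_before) reports one double free and leaves the shared object released while orig is still held by the caller, which is the consequence the commit message describes (the original skb freed too, hence the use-after-free at the reader in tipc_mcast_xmit); run(append_after) frees the clone once and leaves the pair alive. The general lesson the model isolates is about ownership transfer: a helper that consumes its argument on every path must not be followed by an error path that frees the same pointer, and skb_cloned()+skb_copy() avoids that by never touching the caller's reference.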