bisecting fixing commit since 84f5ad468100f86d70096799e4ee716a17c2962f building syzkaller on ddc3e85997efdad885e208db6a98bca86e5dd52f testing commit 84f5ad468100f86d70096799e4ee716a17c2962f with gcc (GCC) 8.1.0 kernel signature: ad90d5c09ca6038da10a9a18b2bf5baa35b44c5579e3ea4d59c2f36a829a45fc run #0: crashed: KASAN: slab-out-of-bounds Read in macvlan_broadcast run #1: crashed: KASAN: slab-out-of-bounds Read in macvlan_broadcast run #2: crashed: KASAN: slab-out-of-bounds Read in macvlan_broadcast run #3: crashed: KASAN: slab-out-of-bounds Read in macvlan_broadcast run #4: crashed: KASAN: use-after-free Read in macvlan_broadcast run #5: crashed: KASAN: slab-out-of-bounds Read in macvlan_broadcast run #6: crashed: KASAN: use-after-free Read in macvlan_broadcast run #7: crashed: KASAN: slab-out-of-bounds Read in macvlan_broadcast run #8: crashed: KASAN: slab-out-of-bounds Read in macvlan_broadcast run #9: crashed: KASAN: use-after-free Read in macvlan_broadcast testing current HEAD e0f8b8a65a473a8baa439cf865a694bbeb83fe90 testing commit e0f8b8a65a473a8baa439cf865a694bbeb83fe90 with gcc (GCC) 8.1.0 kernel signature: 08d93ebf632945b6c63c6b3bd85cc1266832399c848d56b727ff8dd455a8c6a4 all runs: OK # git bisect start e0f8b8a65a473a8baa439cf865a694bbeb83fe90 84f5ad468100f86d70096799e4ee716a17c2962f Bisecting: 395 revisions left to test after this (roughly 9 steps) [e3064d2f21f4a684539384055956605e4dfdc97b] ARM: dts: lpc32xx: fix ARM PrimeCell LCD controller variant testing commit e3064d2f21f4a684539384055956605e4dfdc97b with gcc (GCC) 8.1.0 kernel signature: bdcd92fb4fa6be41cf94b3aa93367c37dbbf9b631415f172f937ca2aae80c5c1 all runs: OK # git bisect bad e3064d2f21f4a684539384055956605e4dfdc97b Bisecting: 197 revisions left to test after this (roughly 8 steps) [d070b8d5701e91dee87603c784cfb2484e5db4e1] RDMA/bnxt_re: Fix Send Work Entry state check while polling completions testing commit d070b8d5701e91dee87603c784cfb2484e5db4e1 with gcc (GCC) 8.1.0 kernel signature: bbc0713a568c607af64bb7ffd46561b61859002c8a696a6852c59903134895fb all runs: OK # git bisect bad d070b8d5701e91dee87603c784cfb2484e5db4e1 Bisecting: 98 revisions left to test after this (roughly 7 steps) [c7a6c3d2c372a592c975cda98a479287ebd169d1] rfkill: Fix incorrect check to avoid NULL pointer dereference testing commit c7a6c3d2c372a592c975cda98a479287ebd169d1 with gcc (GCC) 8.1.0 kernel signature: 4775451c859b513c03941ea87397c88a57dc4eca8fadd126056f884f02a07dd1 run #0: crashed: KASAN: slab-out-of-bounds Read in macvlan_broadcast run #1: crashed: KASAN: slab-out-of-bounds Read in macvlan_broadcast run #2: crashed: KASAN: use-after-free Read in macvlan_broadcast run #3: crashed: KASAN: use-after-free Read in macvlan_broadcast run #4: crashed: KASAN: use-after-free Read in macvlan_broadcast run #5: crashed: KASAN: use-after-free Read in macvlan_broadcast run #6: crashed: KASAN: slab-out-of-bounds Read in macvlan_broadcast run #7: crashed: KASAN: use-after-free Read in macvlan_broadcast run #8: crashed: KASAN: slab-out-of-bounds Read in macvlan_broadcast run #9: crashed: KASAN: use-after-free Read in macvlan_broadcast # git bisect good c7a6c3d2c372a592c975cda98a479287ebd169d1 Bisecting: 49 revisions left to test after this (roughly 6 steps) [54a5ba5136c188c9d349236cc0a0abc5dc0a899d] can: can_dropped_invalid_skb(): ensure an initialized headroom in outgoing CAN sk_buffs testing commit 54a5ba5136c188c9d349236cc0a0abc5dc0a899d with gcc (GCC) 8.1.0 kernel signature: 30476d94f580914ee74255479e826611e5c259ab3dcd5979fda99df5c0d7582d all runs: OK # git bisect bad 54a5ba5136c188c9d349236cc0a0abc5dc0a899d Bisecting: 24 revisions left to test after this (roughly 5 steps) [19716758430e63e0cf6097cdde2a72b6ac28dc75] net: dsa: mv88e6xxx: Preserve priority when setting CPU port. testing commit 19716758430e63e0cf6097cdde2a72b6ac28dc75 with gcc (GCC) 8.1.0 kernel signature: d44c1d21cbb419d6d5ff186bec78c262d03c0f5659b06986ea4c23bcac353c2c all runs: OK # git bisect bad 19716758430e63e0cf6097cdde2a72b6ac28dc75 Bisecting: 11 revisions left to test after this (roughly 4 steps) [3a8d4b961747e79a9d28e9f7621216045403b2bb] llc2: Fix return statement of llc_stat_ev_rx_null_dsap_xid_c (and _test_c) testing commit 3a8d4b961747e79a9d28e9f7621216045403b2bb with gcc (GCC) 8.1.0 kernel signature: ada949af8d828c91c955a41a85acd770669c137068d2703d1eba7ab6d26c611e run #0: crashed: KASAN: use-after-free Read in macvlan_broadcast run #1: crashed: KASAN: use-after-free Read in macvlan_broadcast run #2: crashed: KASAN: slab-out-of-bounds Read in macvlan_broadcast run #3: crashed: KASAN: use-after-free Read in macvlan_broadcast run #4: crashed: KASAN: use-after-free Read in macvlan_broadcast run #5: crashed: KASAN: slab-out-of-bounds Read in macvlan_broadcast run #6: crashed: KASAN: use-after-free Read in macvlan_broadcast run #7: crashed: KASAN: slab-out-of-bounds Read in macvlan_broadcast run #8: crashed: KASAN: use-after-free Read in macvlan_broadcast run #9: crashed: KASAN: slab-out-of-bounds Read in macvlan_broadcast # git bisect good 3a8d4b961747e79a9d28e9f7621216045403b2bb Bisecting: 5 revisions left to test after this (roughly 3 steps) [ae4e8ce0d86159bbba7cfaa44f6276d38b1f2200] mmc: block: Delete mmc_access_rpmb() testing commit ae4e8ce0d86159bbba7cfaa44f6276d38b1f2200 with gcc (GCC) 8.1.0 kernel signature: 6ac7fa2688dd50c502532b34a4bb47af58d2e040ce5b84e01aa7b8945d6b4b53 run #0: crashed: KASAN: slab-out-of-bounds Read in macvlan_broadcast run #1: crashed: KASAN: use-after-free Read in macvlan_broadcast run #2: crashed: KASAN: slab-out-of-bounds Read in macvlan_broadcast run #3: crashed: KASAN: use-after-free Read in macvlan_broadcast run #4: crashed: KASAN: slab-out-of-bounds Read in macvlan_broadcast run #5: crashed: KASAN: use-after-free Read in macvlan_broadcast run #6: crashed: KASAN: use-after-free Read in macvlan_broadcast run #7: crashed: KASAN: use-after-free Read in macvlan_broadcast run #8: crashed: KASAN: slab-out-of-bounds Read in macvlan_broadcast run #9: crashed: KASAN: use-after-free Read in macvlan_broadcast # git bisect good ae4e8ce0d86159bbba7cfaa44f6276d38b1f2200 Bisecting: 2 revisions left to test after this (roughly 2 steps) [0f65291617d4117379ba702130040d2db283c2fb] mmc: block: propagate correct returned value in mmc_rpmb_ioctl testing commit 0f65291617d4117379ba702130040d2db283c2fb with gcc (GCC) 8.1.0 kernel signature: 9a88972c392ca57dd5d077e5b24d764e810ca78cee2326fa8fc68364f9de443f run #0: crashed: KASAN: use-after-free Read in macvlan_broadcast run #1: crashed: KASAN: slab-out-of-bounds Read in macvlan_broadcast run #2: crashed: KASAN: use-after-free Read in macvlan_broadcast run #3: crashed: KASAN: use-after-free Read in macvlan_broadcast run #4: crashed: KASAN: use-after-free Read in macvlan_broadcast run #5: crashed: KASAN: slab-out-of-bounds Read in macvlan_broadcast run #6: crashed: KASAN: use-after-free Read in macvlan_broadcast run #7: crashed: KASAN: use-after-free Read in macvlan_broadcast run #8: crashed: KASAN: slab-out-of-bounds Read in macvlan_broadcast run #9: crashed: KASAN: slab-out-of-bounds Read in macvlan_broadcast # git bisect good 0f65291617d4117379ba702130040d2db283c2fb Bisecting: 0 revisions left to test after this (roughly 1 step) [4a953272f2d2db63bba97137b64b3f1770634e00] macvlan: do not assume mac_header is set in macvlan_broadcast() testing commit 4a953272f2d2db63bba97137b64b3f1770634e00 with gcc (GCC) 8.1.0 kernel signature: 1c787c38415819ad3dc966921a06b0242630d4bdd527e30a96154b61e609337e all runs: OK # git bisect bad 4a953272f2d2db63bba97137b64b3f1770634e00 Bisecting: 0 revisions left to test after this (roughly 0 steps) [887b0296a905f8d5cc090ca08d309918fc24bf24] gtp: fix bad unlock balance in gtp_encap_enable_socket testing commit 887b0296a905f8d5cc090ca08d309918fc24bf24 with gcc (GCC) 8.1.0 kernel signature: 75394b8cead76047716fef3a25f9c69cd2884777acac750f36635c4d6e3df887 run #0: crashed: KASAN: slab-out-of-bounds Read in macvlan_broadcast run #1: crashed: KASAN: slab-out-of-bounds Read in macvlan_broadcast run #2: crashed: KASAN: slab-out-of-bounds Read in macvlan_broadcast run #3: crashed: KASAN: slab-out-of-bounds Read in macvlan_broadcast run #4: crashed: KASAN: use-after-free Read in macvlan_broadcast run #5: crashed: KASAN: slab-out-of-bounds Read in macvlan_broadcast run #6: crashed: KASAN: slab-out-of-bounds Read in macvlan_broadcast run #7: crashed: KASAN: use-after-free Read in macvlan_broadcast run #8: crashed: KASAN: use-after-free Read in macvlan_broadcast run #9: crashed: KASAN: use-after-free Read in macvlan_broadcast # git bisect good 887b0296a905f8d5cc090ca08d309918fc24bf24 4a953272f2d2db63bba97137b64b3f1770634e00 is the first bad commit commit 4a953272f2d2db63bba97137b64b3f1770634e00 Author: Eric Dumazet Date: Mon Jan 6 12:30:48 2020 -0800 macvlan: do not assume mac_header is set in macvlan_broadcast() [ Upstream commit 96cc4b69581db68efc9749ef32e9cf8e0160c509 ] Use of eth_hdr() in tx path is error prone. Many drivers call skb_reset_mac_header() before using it, but others do not. Commit 6d1ccff62780 ("net: reset mac header in dev_start_xmit()") attempted to fix this generically, but commit d346a3fae3ff ("packet: introduce PACKET_QDISC_BYPASS socket option") brought back the macvlan bug. Lets add a new helper, so that tx paths no longer have to call skb_reset_mac_header() only to get a pointer to skb->data. Hopefully we will be able to revert 6d1ccff62780 ("net: reset mac header in dev_start_xmit()") and save few cycles in transmit fast path. BUG: KASAN: use-after-free in __get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline] BUG: KASAN: use-after-free in mc_hash drivers/net/macvlan.c:251 [inline] BUG: KASAN: use-after-free in macvlan_broadcast+0x547/0x620 drivers/net/macvlan.c:277 Read of size 4 at addr ffff8880a4932401 by task syz-executor947/9579 CPU: 0 PID: 9579 Comm: syz-executor947 Not tainted 5.5.0-rc4-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x197/0x210 lib/dump_stack.c:118 print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374 __kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506 kasan_report+0x12/0x20 mm/kasan/common.c:639 __asan_report_load_n_noabort+0xf/0x20 mm/kasan/generic_report.c:145 __get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline] mc_hash drivers/net/macvlan.c:251 [inline] macvlan_broadcast+0x547/0x620 drivers/net/macvlan.c:277 macvlan_queue_xmit drivers/net/macvlan.c:520 [inline] macvlan_start_xmit+0x402/0x77f drivers/net/macvlan.c:559 __netdev_start_xmit include/linux/netdevice.h:4447 [inline] netdev_start_xmit include/linux/netdevice.h:4461 [inline] dev_direct_xmit+0x419/0x630 net/core/dev.c:4079 packet_direct_xmit+0x1a9/0x250 net/packet/af_packet.c:240 packet_snd net/packet/af_packet.c:2966 [inline] packet_sendmsg+0x260d/0x6220 net/packet/af_packet.c:2991 sock_sendmsg_nosec net/socket.c:639 [inline] sock_sendmsg+0xd7/0x130 net/socket.c:659 __sys_sendto+0x262/0x380 net/socket.c:1985 __do_sys_sendto net/socket.c:1997 [inline] __se_sys_sendto net/socket.c:1993 [inline] __x64_sys_sendto+0xe1/0x1a0 net/socket.c:1993 do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x442639 Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007ffc13549e08 EFLAGS: 00000246 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000442639 RDX: 000000000000000e RSI: 0000000020000080 RDI: 0000000000000003 RBP: 0000000000000004 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000403bb0 R14: 0000000000000000 R15: 0000000000000000 Allocated by task 9389: save_stack+0x23/0x90 mm/kasan/common.c:72 set_track mm/kasan/common.c:80 [inline] __kasan_kmalloc mm/kasan/common.c:513 [inline] __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:486 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:527 __do_kmalloc mm/slab.c:3656 [inline] __kmalloc+0x163/0x770 mm/slab.c:3665 kmalloc include/linux/slab.h:561 [inline] tomoyo_realpath_from_path+0xc5/0x660 security/tomoyo/realpath.c:252 tomoyo_get_realpath security/tomoyo/file.c:151 [inline] tomoyo_path_perm+0x230/0x430 security/tomoyo/file.c:822 tomoyo_inode_getattr+0x1d/0x30 security/tomoyo/tomoyo.c:129 security_inode_getattr+0xf2/0x150 security/security.c:1222 vfs_getattr+0x25/0x70 fs/stat.c:115 vfs_statx_fd+0x71/0xc0 fs/stat.c:145 vfs_fstat include/linux/fs.h:3265 [inline] __do_sys_newfstat+0x9b/0x120 fs/stat.c:378 __se_sys_newfstat fs/stat.c:375 [inline] __x64_sys_newfstat+0x54/0x80 fs/stat.c:375 do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 9389: save_stack+0x23/0x90 mm/kasan/common.c:72 set_track mm/kasan/common.c:80 [inline] kasan_set_free_info mm/kasan/common.c:335 [inline] __kasan_slab_free+0x102/0x150 mm/kasan/common.c:474 kasan_slab_free+0xe/0x10 mm/kasan/common.c:483 __cache_free mm/slab.c:3426 [inline] kfree+0x10a/0x2c0 mm/slab.c:3757 tomoyo_realpath_from_path+0x1a7/0x660 security/tomoyo/realpath.c:289 tomoyo_get_realpath security/tomoyo/file.c:151 [inline] tomoyo_path_perm+0x230/0x430 security/tomoyo/file.c:822 tomoyo_inode_getattr+0x1d/0x30 security/tomoyo/tomoyo.c:129 security_inode_getattr+0xf2/0x150 security/security.c:1222 vfs_getattr+0x25/0x70 fs/stat.c:115 vfs_statx_fd+0x71/0xc0 fs/stat.c:145 vfs_fstat include/linux/fs.h:3265 [inline] __do_sys_newfstat+0x9b/0x120 fs/stat.c:378 __se_sys_newfstat fs/stat.c:375 [inline] __x64_sys_newfstat+0x54/0x80 fs/stat.c:375 do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294 entry_SYSCALL_64_after_hwframe+0x49/0xbe The buggy address belongs to the object at ffff8880a4932000 which belongs to the cache kmalloc-4k of size 4096 The buggy address is located 1025 bytes inside of 4096-byte region [ffff8880a4932000, ffff8880a4933000) The buggy address belongs to the page: page:ffffea0002924c80 refcount:1 mapcount:0 mapping:ffff8880aa402000 index:0x0 compound_mapcount: 0 raw: 00fffe0000010200 ffffea0002846208 ffffea00028f3888 ffff8880aa402000 raw: 0000000000000000 ffff8880a4932000 0000000100000001 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880a4932300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880a4932380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8880a4932400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8880a4932480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880a4932500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb Fixes: b863ceb7ddce ("[NET]: Add macvlan driver") Signed-off-by: Eric Dumazet Reported-by: syzbot Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman drivers/net/macvlan.c | 2 +- include/linux/if_ether.h | 8 ++++++++ 2 files changed, 9 insertions(+), 1 deletion(-) culprit signature: 1c787c38415819ad3dc966921a06b0242630d4bdd527e30a96154b61e609337e parent signature: 75394b8cead76047716fef3a25f9c69cd2884777acac750f36635c4d6e3df887 revisions tested: 12, total time: 3h5m31.58517351s (build: 1h44m34.420731635s, test: 1h19m49.431338269s) first good commit: 4a953272f2d2db63bba97137b64b3f1770634e00 macvlan: do not assume mac_header is set in macvlan_broadcast() cc: ["davem@davemloft.net" "edumazet@google.com" "gregkh@linuxfoundation.org"]