bisecting cause commit starting from 77c9387c0c5bd496fba3200024e3618356b2fd34 building syzkaller on 42718dd659525414aa0bf2794688ac94a32f7764 testing commit 77c9387c0c5bd496fba3200024e3618356b2fd34 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: c55f8b7e39fe5f5ebee3e244305408c46187564e0306351d2fbac2bb0014fc08 run #0: crashed: KASAN: use-after-free Read in vxlan_vnifilter_dump_dev run #1: crashed: KASAN: use-after-free Read in vxlan_vnifilter_dump_dev run #2: crashed: KASAN: use-after-free Read in vxlan_vnifilter_dump_dev run #3: crashed: KASAN: use-after-free Read in vxlan_vnifilter_dump_dev run #4: crashed: KASAN: use-after-free Read in vxlan_vnifilter_dump_dev run #5: crashed: KASAN: use-after-free Read in vxlan_vnifilter_dump_dev run #6: crashed: KASAN: use-after-free Read in vxlan_vnifilter_dump_dev run #7: crashed: KASAN: use-after-free Read in vxlan_vnifilter_dump_dev run #8: crashed: KASAN: use-after-free Read in vxlan_vnifilter_dump_dev run #9: crashed: KASAN: slab-out-of-bounds Read in vxlan_vnifilter_dump_dev run #10: crashed: KASAN: slab-out-of-bounds Read in vxlan_vnifilter_dump_dev run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK testing release v5.17 testing commit f443e374ae131c168a065ea1748feac6b2e76613 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 9fc4d3e0efb3af7592048775ab5aa0b1e324e592b3c93a6b21c33323c8ace187 all runs: OK # git bisect start 77c9387c0c5bd496fba3200024e3618356b2fd34 f443e374ae131c168a065ea1748feac6b2e76613 Bisecting: 5336 revisions left to test after this (roughly 13 steps) [169e77764adc041b1dacba84ea90516a895d43b2] Merge tag 'net-next-5.18' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next testing commit 169e77764adc041b1dacba84ea90516a895d43b2 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 69f4b8615adf7493d8b2ff1d40ccf44db7877039fa8ab88f291111d9942dd3c1 run #0: crashed: KASAN: use-after-free Read in vxlan_vnifilter_dump_dev run #1: crashed: KASAN: use-after-free Read in vxlan_vnifilter_dump_dev run #2: crashed: KASAN: use-after-free Read in vxlan_vnifilter_dump_dev run #3: crashed: KASAN: use-after-free Read in vxlan_vnifilter_dump_dev run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK reproducer seems to be flaky # git bisect bad 169e77764adc041b1dacba84ea90516a895d43b2 Bisecting: 3788 revisions left to test after this (roughly 12 steps) [b4bc93bd76d4da32600795cd323c971f00a2e788] Merge tag 'arm-drivers-5.18' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc testing commit b4bc93bd76d4da32600795cd323c971f00a2e788 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: c03b0e17735c3d106f63914e808c428ac9cebbaea1eb24b85f7a6d9cc5e92175 all runs: OK # git bisect good b4bc93bd76d4da32600795cd323c971f00a2e788 Bisecting: 1893 revisions left to test after this (roughly 11 steps) [4c7d2e179576e821b461bb4a58d0a834916601fa] Merge branch '100GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/next-queue testing commit 4c7d2e179576e821b461bb4a58d0a834916601fa compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 9b1f64da02f7527170a20a03cad4153e77ad7228c24a5086aff2b2a690ded821 run #0: crashed: KASAN: use-after-free Read in vxlan_vnifilter_dump_dev run #1: crashed: KASAN: use-after-free Read in vxlan_vnifilter_dump_dev run #2: crashed: KASAN: use-after-free Read in vxlan_vnifilter_dump_dev run #3: crashed: KASAN: use-after-free Read in vxlan_vnifilter_dump_dev run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK # git bisect bad 4c7d2e179576e821b461bb4a58d0a834916601fa Bisecting: 893 revisions left to test after this (roughly 10 steps) [b96a79253fff1cd2c928b379eadd8c7a6f8055e1] Merge tag 'wireless-next-2022-02-11' of git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-next testing commit b96a79253fff1cd2c928b379eadd8c7a6f8055e1 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: bcbc16f02a387364a50a9fcd148e53154a23ee1d5ccd96724e6ff29e25ebafd6 all runs: basic kernel testing failed: WARNING: suspicious RCU usage in hsr_node_get_first # git bisect skip b96a79253fff1cd2c928b379eadd8c7a6f8055e1 Bisecting: 893 revisions left to test after this (roughly 10 steps) [13c6a37d409db9abc9c0bfc6d0a2f07bf0fff60e] selftests/bpf: Add test for reg2btf_ids out of bounds access testing commit 13c6a37d409db9abc9c0bfc6d0a2f07bf0fff60e compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 5f02114a0e53b8c64dc68dc7cabe0adfbbc23cf63a2f88a691b734fc45fda015 all runs: basic kernel testing failed: WARNING: suspicious RCU usage in hsr_node_get_first # git bisect skip 13c6a37d409db9abc9c0bfc6d0a2f07bf0fff60e Bisecting: 893 revisions left to test after this (roughly 10 steps) [4bd80d7a4039ac605a1e9ae767d2b01dbfc9b61e] Bluetooth: move adv_instance_cnt read within the device lock testing commit 4bd80d7a4039ac605a1e9ae767d2b01dbfc9b61e compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: e7eca0985cd389f6a004484d5fc625026018a5d40fc008502998742389e4dab3 run #0: crashed: KASAN: use-after-free Read in vxlan_vnifilter_dump_dev run #1: crashed: KASAN: use-after-free Read in vxlan_vnifilter_dump_dev run #2: crashed: KASAN: use-after-free Read in vxlan_vnifilter_dump_dev run #3: crashed: KASAN: use-after-free Read in vxlan_vnifilter_dump_dev run #4: crashed: KASAN: use-after-free Read in vxlan_vnifilter_dump_dev run #5: crashed: KASAN: use-after-free Read in vxlan_vnifilter_dump_dev run #6: crashed: KASAN: use-after-free Read in vxlan_vnifilter_dump_dev run #7: crashed: KASAN: use-after-free Read in vxlan_vnifilter_dump_dev run #8: crashed: KASAN: use-after-free Read in vxlan_vnifilter_dump_dev run #9: crashed: KASAN: use-after-free Read in vxlan_vnifilter_dump_dev run #10: crashed: KASAN: use-after-free Read in vxlan_vnifilter_dump_dev run #11: crashed: KASAN: use-after-free Read in vxlan_vnifilter_dump_dev run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK # git bisect bad 4bd80d7a4039ac605a1e9ae767d2b01dbfc9b61e Bisecting: 847 revisions left to test after this (roughly 10 steps) [d24d2a2b0a81dd5e9bb99aeb4559ec9734e1416f] bpf: bpf_prog_pack: Set proper size before freeing ro_header testing commit d24d2a2b0a81dd5e9bb99aeb4559ec9734e1416f compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: c93c3e511cbefeac13993d1a4856b08f10ab7d740b2eb7d84b2446d58ea90d3a run #0: basic kernel testing failed: WARNING: suspicious RCU usage in hsr_node_get_first run #1: basic kernel testing failed: WARNING: suspicious RCU usage in hsr_node_get_first run #2: basic kernel testing failed: WARNING: suspicious RCU usage in hsr_node_get_first run #3: basic kernel testing failed: BUG: program execution failed: executor NUM: failed to write control pipe: write |NUM: broken pipe run #4: basic kernel testing failed: WARNING: suspicious RCU usage in hsr_node_get_first run #5: basic kernel testing failed: WARNING: suspicious RCU usage in hsr_node_get_first run #6: basic kernel testing failed: BUG: program execution failed: executor NUM: exit status NUM run #7: basic kernel testing failed: WARNING: suspicious RCU usage in hsr_node_get_first run #8: basic kernel testing failed: WARNING: suspicious RCU usage in hsr_node_get_first run #9: basic kernel testing failed: WARNING: suspicious RCU usage in hsr_node_get_first run #10: basic kernel testing failed: WARNING: suspicious RCU usage in hsr_node_get_first run #11: basic kernel testing failed: WARNING: suspicious RCU usage in hsr_node_get_first run #12: basic kernel testing failed: WARNING: suspicious RCU usage in hsr_node_get_first run #13: basic kernel testing failed: WARNING: suspicious RCU usage in hsr_node_get_first run #14: basic kernel testing failed: WARNING: suspicious RCU usage in hsr_node_get_first run #15: basic kernel testing failed: WARNING: suspicious RCU usage in hsr_node_get_first run #16: basic kernel testing failed: WARNING: suspicious RCU usage in hsr_node_get_first run #17: basic kernel testing failed: WARNING: suspicious RCU usage in hsr_node_get_first run #18: basic kernel testing failed: WARNING: suspicious RCU usage in hsr_node_get_first run #19: basic kernel testing failed: WARNING: suspicious RCU usage in hsr_node_get_first # git bisect skip d24d2a2b0a81dd5e9bb99aeb4559ec9734e1416f Bisecting: 847 revisions left to test after this (roughly 10 steps) [1080ef5cc0c2c3419dbdd61e441d1e014410824a] selftests/bpf: Update sockopt_sk test to the use bpf_set_retval testing commit 1080ef5cc0c2c3419dbdd61e441d1e014410824a compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 9ec37332bcbc9e2e8cb2b040bd003c289d9339eecdf10c62e2c702e2b34cc539 all runs: OK # git bisect good 1080ef5cc0c2c3419dbdd61e441d1e014410824a Bisecting: 847 revisions left to test after this (roughly 10 steps) [453f8305483851c20a41b66719d5acdc945541ca] i40e: Add a stat tracking new RX page allocations testing commit 453f8305483851c20a41b66719d5acdc945541ca compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 7595e347e8f0716243e43e66fd3d1bd45a6545e5fb2a2e22e03ae0ac1398b638 all runs: basic kernel testing failed: WARNING: suspicious RCU usage in hsr_node_get_first # git bisect skip 453f8305483851c20a41b66719d5acdc945541ca Bisecting: 847 revisions left to test after this (roughly 10 steps) [b1755400b4be33dbd286272b153579631be2e2ca] net: remove net_invalid_timestamp() testing commit b1755400b4be33dbd286272b153579631be2e2ca compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 9fd25f51775359eba80017b281f39af893d70aebb041d591ed970a8d8c2a3f3b all runs: OK # git bisect good b1755400b4be33dbd286272b153579631be2e2ca Bisecting: 654 revisions left to test after this (roughly 10 steps) [adce573b927adf827f2f8627f05c2ba90031ebc9] Bluetooth: hci_h5: Add power reset via gpio in h5_btrtl_open testing commit adce573b927adf827f2f8627f05c2ba90031ebc9 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 0c6afc7c6231a4d90465d182d4d7066774454518c7dcb60bd79a3f23cd57977e all runs: OK # git bisect good adce573b927adf827f2f8627f05c2ba90031ebc9 Bisecting: 654 revisions left to test after this (roughly 10 steps) [ee6373ddf3a974c4239f56931f5944fd289146e7] net/funeth: probing and netdev ops testing commit ee6373ddf3a974c4239f56931f5944fd289146e7 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: e502f606ac5c9c0b134fefca4ba0dc0bef2e6b4168cc724bdab90d7902733d3e run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: exit status NUM run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK # git bisect good ee6373ddf3a974c4239f56931f5944fd289146e7 Bisecting: 128 revisions left to test after this (roughly 7 steps) [8fe96f586b8326073ab193f2e5cf951d7cd4d609] mlxsw: reg: Fix packing of router interface counters testing commit 8fe96f586b8326073ab193f2e5cf951d7cd4d609 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: ad50306fdbb1cdbf14c56aa0a097c1543a72fa05aa60e2ca6c68e0c3340007dc run #0: crashed: KASAN: slab-out-of-bounds Read in vxlan_vnifilter_dump_dev run #1: crashed: KASAN: use-after-free Read in vxlan_vnifilter_dump_dev run #2: crashed: KASAN: use-after-free Read in vxlan_vnifilter_dump_dev run #3: crashed: KASAN: use-after-free Read in vxlan_vnifilter_dump_dev run #4: crashed: KASAN: use-after-free Read in vxlan_vnifilter_dump_dev run #5: crashed: KASAN: use-after-free Read in vxlan_vnifilter_dump_dev run #6: crashed: KASAN: use-after-free Read in vxlan_vnifilter_dump_dev run #7: crashed: KASAN: slab-out-of-bounds Read in vxlan_vnifilter_dump_dev run #8: OK run #9: OK run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK # git bisect bad 8fe96f586b8326073ab193f2e5cf951d7cd4d609 Bisecting: 63 revisions left to test after this (roughly 6 steps) [445b2f36bb4efb81f064e931f28b9ec19f114355] drivers: vxlan: vnifilter: add support for stats dumping testing commit 445b2f36bb4efb81f064e931f28b9ec19f114355 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: a3630fefad13012c2c8cb5b68ae535d48b11914344d2a28f1df935cf48d74ee5 run #0: crashed: KASAN: slab-out-of-bounds Read in vxlan_vnifilter_dump_dev run #1: crashed: KASAN: use-after-free Read in vxlan_vnifilter_dump_dev run #2: crashed: KASAN: use-after-free Read in vxlan_vnifilter_dump_dev run #3: crashed: KASAN: use-after-free Read in vxlan_vnifilter_dump_dev run #4: crashed: KASAN: use-after-free Read in vxlan_vnifilter_dump_dev run #5: crashed: KASAN: slab-out-of-bounds Read in vxlan_vnifilter_dump_dev run #6: crashed: KASAN: use-after-free Read in vxlan_vnifilter_dump_dev run #7: crashed: KASAN: use-after-free Read in vxlan_vnifilter_dump_dev run #8: OK run #9: OK run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK # git bisect bad 445b2f36bb4efb81f064e931f28b9ec19f114355 Bisecting: 31 revisions left to test after this (roughly 5 steps) [98fffd72f934c48e7e69e21e1394de0b5aed49b4] net: decnet: use time_is_before_jiffies() instead of open coding it testing commit 98fffd72f934c48e7e69e21e1394de0b5aed49b4 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 31b4e0b1b9c4205ff76b7174a09fdb552a61a3b14ffce1ef51d8b0b46b804366 run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: failed to write control pipe: write |NUM: broken pipe run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK # git bisect good 98fffd72f934c48e7e69e21e1394de0b5aed49b4 Bisecting: 15 revisions left to test after this (roughly 4 steps) [72fb3b60a3114a1154a8ae5629ea3b43a88a7a4d] net/mlx5: Add reset_state field to MFRL register testing commit 72fb3b60a3114a1154a8ae5629ea3b43a88a7a4d compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: c0132040476afa687e04cf837a37952ee3071a3513d59def897f1cebfa8ffd30 run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: failed to write control pipe: write |NUM: broken pipe run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK # git bisect good 72fb3b60a3114a1154a8ae5629ea3b43a88a7a4d Bisecting: 7 revisions left to test after this (roughly 3 steps) [c63053e0cb5afcf53d5119cf82136c22131792a2] vxlan_core: move some fdb helpers to non-static testing commit c63053e0cb5afcf53d5119cf82136c22131792a2 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 88f3ba936e75e168d7199ba9ddc64cdbbcdb4dc73ef217e52a325f9f32635de4 run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: exit status NUM run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK # git bisect good c63053e0cb5afcf53d5119cf82136c22131792a2 Bisecting: 3 revisions left to test after this (roughly 2 steps) [a498c5953a9cdadcc1479c07d5b04c1afa3f53dc] vxlan_multicast: Move multicast helpers to a separate file testing commit a498c5953a9cdadcc1479c07d5b04c1afa3f53dc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 269d189dda53c01e56514a54de6c0ff4b00ceb570a569a64b292fcdbf767106d all runs: OK # git bisect good a498c5953a9cdadcc1479c07d5b04c1afa3f53dc Bisecting: 1 revision left to test after this (roughly 1 step) [3edf5f66c12aa0b318b05ad2c04cf363b0f51f99] selftests: add new tests for vxlan vnifiltering testing commit 3edf5f66c12aa0b318b05ad2c04cf363b0f51f99 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: b056eb37bf1c9449abcd8b40a5c276aab1a736ecc04778c84aedecc7a3d44406 run #0: crashed: KASAN: use-after-free Read in vxlan_vnifilter_dump_dev run #1: crashed: KASAN: use-after-free Read in vxlan_vnifilter_dump_dev run #2: crashed: KASAN: use-after-free Read in vxlan_vnifilter_dump_dev run #3: crashed: KASAN: use-after-free Read in vxlan_vnifilter_dump_dev run #4: crashed: KASAN: use-after-free Read in vxlan_vnifilter_dump_dev run #5: crashed: KASAN: use-after-free Read in vxlan_vnifilter_dump_dev run #6: crashed: KASAN: use-after-free Read in vxlan_vnifilter_dump_dev run #7: crashed: KASAN: slab-out-of-bounds Read in vxlan_vnifilter_dump_dev run #8: crashed: KASAN: use-after-free Read in vxlan_vnifilter_dump_dev run #9: OK run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK # git bisect bad 3edf5f66c12aa0b318b05ad2c04cf363b0f51f99 Bisecting: 0 revisions left to test after this (roughly 0 steps) [f9c4bb0b245cee35ef66f75bf409c9573d934cf9] vxlan: vni filtering support on collect metadata device testing commit f9c4bb0b245cee35ef66f75bf409c9573d934cf9 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 2133c6477656cfe49fb2ecff98b65beea9ff5196e78df6af58be760cfebf0c01 run #0: crashed: KASAN: use-after-free Read in vxlan_vnifilter_dump_dev run #1: crashed: KASAN: use-after-free Read in vxlan_vnifilter_dump_dev run #2: crashed: KASAN: use-after-free Read in vxlan_vnifilter_dump_dev run #3: crashed: KASAN: use-after-free Read in vxlan_vnifilter_dump_dev run #4: crashed: KASAN: use-after-free Read in vxlan_vnifilter_dump_dev run #5: crashed: KASAN: use-after-free Read in vxlan_vnifilter_dump_dev run #6: crashed: KASAN: use-after-free Read in vxlan_vnifilter_dump_dev run #7: crashed: KASAN: slab-out-of-bounds Read in vxlan_vnifilter_dump_dev run #8: crashed: KASAN: slab-out-of-bounds Read in vxlan_vnifilter_dump_dev run #9: crashed: KASAN: use-after-free Read in vxlan_vnifilter_dump_dev run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK # git bisect bad f9c4bb0b245cee35ef66f75bf409c9573d934cf9 f9c4bb0b245cee35ef66f75bf409c9573d934cf9 is the first bad commit commit f9c4bb0b245cee35ef66f75bf409c9573d934cf9 Author: Roopa Prabhu Date: Tue Mar 1 05:04:36 2022 +0000 vxlan: vni filtering support on collect metadata device This patch adds vnifiltering support to collect metadata device. Motivation: You can only use a single vxlan collect metadata device for a given vxlan udp port in the system today. The vxlan collect metadata device terminates all received vxlan packets. As shown in the below diagram, there are use-cases where you need to support multiple such vxlan devices in independent bridge domains. Each vxlan device must terminate the vni's it is configured for. Example usecase: In a service provider network a service provider typically supports multiple bridge domains with overlapping vlans. One bridge domain per customer. Vlans in each bridge domain are mapped to globally unique vxlan ranges assigned to each customer. vnifiltering support in collect metadata devices terminates only configured vnis. This is similar to vlan filtering in bridge driver. The vni filtering capability is provided by a new flag on collect metadata device. In the below pic: - customer1 is mapped to br1 bridge domain - customer2 is mapped to br2 bridge domain - customer1 vlan 10-11 is mapped to vni 1001-1002 - customer2 vlan 10-11 is mapped to vni 2001-2002 - br1 and br2 are vlan filtering bridges - vxlan1 and vxlan2 are collect metadata devices with vnifiltering enabled ┌──────────────────────────────────────────────────────────────────┐ │ switch │ │ │ │ ┌───────────┐ ┌───────────┐ │ │ │ │ │ │ │ │ │ br1 │ │ br2 │ │ │ └┬─────────┬┘ └──┬───────┬┘ │ │ vlans│ │ vlans │ │ │ │ 10,11│ │ 10,11│ │ │ │ │ vlanvnimap: │ vlanvnimap: │ │ │ 10-1001,11-1002 │ 10-2001,11-2002 │ │ │ │ │ │ │ │ ┌──────┴┐ ┌──┴─────────┐ ┌───┴────┐ │ │ │ │ swp1 │ │vxlan1 │ │ swp2 │ ┌┴─────────────┐ │ │ │ │ │ vnifilter:│ │ │ │vxlan2 │ │ │ └───┬───┘ │ 1001,1002│ └───┬────┘ │ vnifilter: │ │ │ │ └────────────┘ │ │ 2001,2002 │ │ │ │ │ └──────────────┘ │ │ │ │ │ └───────┼──────────────────────────────────┼───────────────────────┘ │ │ │ │ ┌─────┴───────┐ │ │ customer1 │ ┌─────┴──────┐ │ host/VM │ │customer2 │ └─────────────┘ │ host/VM │ └────────────┘ With this implementation, vxlan dst metadata device can be associated with range of vnis. struct vxlan_vni_node is introduced to represent a configured vni. We start with vni and its associated remote_ip in this structure. This structure can be extended to bring in other per vni attributes if there are usecases for it. A vni inherits an attribute from the base vxlan device if there is no per vni attributes defined. struct vxlan_dev gets a new rhashtable for vnis called vxlan_vni_group. vxlan_vnifilter.c implements the necessary netlink api, notifications and helper functions to process and manage lifecycle of vxlan_vni_node. This patch also adds new helper functions in vxlan_multicast.c to handle per vni remote_ip multicast groups which are part of vxlan_vni_group. Fix build problems: Reported-by: kernel test robot Signed-off-by: Roopa Prabhu Signed-off-by: David S. Miller drivers/net/vxlan/Makefile | 2 +- drivers/net/vxlan/vxlan_core.c | 96 +++- drivers/net/vxlan/vxlan_multicast.c | 150 ++++++- drivers/net/vxlan/vxlan_private.h | 41 +- drivers/net/vxlan/vxlan_vnifilter.c | 862 ++++++++++++++++++++++++++++++++++++ include/net/vxlan.h | 28 +- 6 files changed, 1147 insertions(+), 32 deletions(-) create mode 100644 drivers/net/vxlan/vxlan_vnifilter.c culprit signature: 2133c6477656cfe49fb2ecff98b65beea9ff5196e78df6af58be760cfebf0c01 parent signature: 269d189dda53c01e56514a54de6c0ff4b00ceb570a569a64b292fcdbf767106d Reproducer flagged being flaky revisions tested: 22, total time: 4h9m4.544403122s (build: 2h15m28.492681107s, test: 1h51m32.338488643s) first bad commit: f9c4bb0b245cee35ef66f75bf409c9573d934cf9 vxlan: vni filtering support on collect metadata device recipients (to): ["davem@davemloft.net" "davem@davemloft.net" "kuba@kernel.org" "netdev@vger.kernel.org" "pabeni@redhat.com" "roopa@nvidia.com"] recipients (cc): ["linux-kernel@vger.kernel.org"] crash: KASAN: use-after-free Read in vxlan_vnifilter_dump_dev ================================================================== BUG: KASAN: use-after-free in vxlan_vnifilter_dump_dev+0x77b/0xa20 drivers/net/vxlan/vxlan_vnifilter.c:227 Read of size 4 at addr ffff88807d000e70 by task syz-executor406/4074 CPU: 0 PID: 4074 Comm: syz-executor406 Not tainted 5.17.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x57/0x7d lib/dump_stack.c:106 print_address_description.constprop.0.cold+0x8d/0x336 mm/kasan/report.c:255 __kasan_report mm/kasan/report.c:442 [inline] kasan_report.cold+0x83/0xdf mm/kasan/report.c:459 vxlan_vnifilter_dump_dev+0x77b/0xa20 drivers/net/vxlan/vxlan_vnifilter.c:227 vxlan_vnifilter_dump+0x2ce/0x420 drivers/net/vxlan/vxlan_vnifilter.c:297 netlink_dump+0x41b/0xaa0 net/netlink/af_netlink.c:2268 __netlink_dump_start+0x572/0x810 net/netlink/af_netlink.c:2373 netlink_dump_start include/linux/netlink.h:245 [inline] rtnetlink_rcv_msg+0x548/0x8d0 net/core/rtnetlink.c:5561 netlink_rcv_skb+0x118/0x370 net/netlink/af_netlink.c:2494 netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline] netlink_unicast+0x430/0x700 net/netlink/af_netlink.c:1343 netlink_sendmsg+0x770/0xc10 net/netlink/af_netlink.c:1919 sock_sendmsg_nosec net/socket.c:705 [inline] sock_sendmsg+0xab/0xe0 net/socket.c:725 ____sys_sendmsg+0x5bf/0x7a0 net/socket.c:2413 ___sys_sendmsg+0xd3/0x150 net/socket.c:2467 __sys_sendmsg+0xb2/0x140 net/socket.c:2496 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0x80 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f07f7dc3519 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 81 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fff60d1cab8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f07f7dc3519 RDX: 0000000000000000 RSI: 00000000200003c0 RDI: 0000000000000004 RBP: 0000000000000000 R08: 00007fff60d1cae0 R09: 00007fff60d1cae0 R10: 00007fff60d1cae0 R11: 0000000000000246 R12: 00007fff60d1cadc R13: 00007fff60d1caf0 R14: 00007fff60d1cb30 R15: 0000000000000000 Allocated by task 4042: kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 kasan_set_track mm/kasan/common.c:45 [inline] set_alloc_info mm/kasan/common.c:436 [inline] ____kasan_kmalloc mm/kasan/common.c:515 [inline] ____kasan_kmalloc mm/kasan/common.c:474 [inline] __kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:524 kmalloc include/linux/slab.h:586 [inline] tomoyo_realpath_from_path+0xb0/0x6a0 security/tomoyo/realpath.c:254 tomoyo_get_realpath security/tomoyo/file.c:151 [inline] tomoyo_path_perm+0x1fb/0x350 security/tomoyo/file.c:822 security_inode_getattr+0xab/0x100 security/security.c:1337 vfs_getattr fs/stat.c:157 [inline] vfs_statx+0xe8/0x2e0 fs/stat.c:225 vfs_fstatat fs/stat.c:243 [inline] __do_sys_newfstatat+0x7d/0xd0 fs/stat.c:412 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0x80 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae Freed by task 4042: kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 kasan_set_track+0x21/0x30 mm/kasan/common.c:45 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370 ____kasan_slab_free mm/kasan/common.c:366 [inline] ____kasan_slab_free+0x126/0x160 mm/kasan/common.c:328 kasan_slab_free include/linux/kasan.h:236 [inline] slab_free_hook mm/slub.c:1728 [inline] slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1754 slab_free mm/slub.c:3509 [inline] kfree+0xd0/0x390 mm/slub.c:4562 tomoyo_realpath_from_path+0x14b/0x6a0 security/tomoyo/realpath.c:291 tomoyo_get_realpath security/tomoyo/file.c:151 [inline] tomoyo_path_perm+0x1fb/0x350 security/tomoyo/file.c:822 security_inode_getattr+0xab/0x100 security/security.c:1337 vfs_getattr fs/stat.c:157 [inline] vfs_statx+0xe8/0x2e0 fs/stat.c:225 vfs_fstatat fs/stat.c:243 [inline] __do_sys_newfstatat+0x7d/0xd0 fs/stat.c:412 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0x80 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae The buggy address belongs to the object at ffff88807d000000 which belongs to the cache kmalloc-4k of size 4096 The buggy address is located 3696 bytes inside of 4096-byte region [ffff88807d000000, ffff88807d001000) The buggy address belongs to the page: page:ffffea0001f40000 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7d000 head:ffffea0001f40000 order:3 compound_mapcount:0 compound_pincount:0 flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000010200 0000000000000000 dead000000000122 ffff88800fc42140 raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 4042, ts 66397170350, free_ts 66379907349 prep_new_page mm/page_alloc.c:2434 [inline] get_page_from_freelist+0xa6f/0x2f10 mm/page_alloc.c:4165 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5389 alloc_slab_page mm/slub.c:1799 [inline] allocate_slab+0x27f/0x3c0 mm/slub.c:1944 new_slab mm/slub.c:2004 [inline] ___slab_alloc+0xbe3/0x12a0 mm/slub.c:3018 __slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3105 slab_alloc_node mm/slub.c:3196 [inline] slab_alloc mm/slub.c:3238 [inline] __kmalloc+0x372/0x450 mm/slub.c:4420 kmalloc include/linux/slab.h:586 [inline] tomoyo_realpath_from_path+0xb0/0x6a0 security/tomoyo/realpath.c:254 tomoyo_get_realpath security/tomoyo/file.c:151 [inline] tomoyo_path_perm+0x1fb/0x350 security/tomoyo/file.c:822 security_inode_getattr+0xab/0x100 security/security.c:1337 vfs_getattr fs/stat.c:157 [inline] vfs_statx+0xe8/0x2e0 fs/stat.c:225 vfs_fstatat fs/stat.c:243 [inline] __do_sys_newfstatat+0x7d/0xd0 fs/stat.c:412 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0x80 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1352 [inline] free_pcp_prepare+0x374/0x870 mm/page_alloc.c:1404 free_unref_page_prepare mm/page_alloc.c:3325 [inline] free_unref_page+0x19/0x690 mm/page_alloc.c:3404 __unfreeze_partials+0x320/0x340 mm/slub.c:2536 qlink_free mm/kasan/quarantine.c:157 [inline] qlist_free_all+0x6d/0x160 mm/kasan/quarantine.c:176 kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:283 __kasan_slab_alloc+0xa2/0xc0 mm/kasan/common.c:446 kasan_slab_alloc include/linux/kasan.h:260 [inline] slab_post_alloc_hook mm/slab.h:732 [inline] slab_alloc_node mm/slub.c:3230 [inline] slab_alloc mm/slub.c:3238 [inline] kmem_cache_alloc_trace+0x258/0x3d0 mm/slub.c:3255 kmalloc include/linux/slab.h:581 [inline] kzalloc include/linux/slab.h:714 [inline] tomoyo_environ security/tomoyo/domain.c:633 [inline] tomoyo_find_next_domain+0xa6a/0x1c50 security/tomoyo/domain.c:879 tomoyo_bprm_check_security security/tomoyo/tomoyo.c:101 [inline] tomoyo_bprm_check_security+0xfb/0x170 security/tomoyo/tomoyo.c:91 security_bprm_check+0x34/0x70 security/security.c:866 search_binary_handler fs/exec.c:1715 [inline] exec_binprm fs/exec.c:1768 [inline] bprm_execve fs/exec.c:1837 [inline] bprm_execve+0x5da/0x1520 fs/exec.c:1799 do_execveat_common+0x51d/0x700 fs/exec.c:1926 do_execve fs/exec.c:1994 [inline] __do_sys_execve fs/exec.c:2070 [inline] __se_sys_execve fs/exec.c:2065 [inline] __x64_sys_execve+0x8a/0xb0 fs/exec.c:2065 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0x80 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae Memory state around the buggy address: ffff88807d000d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88807d000d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff88807d000e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88807d000e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88807d000f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================