bisecting fixing commit since 3d40d7117e353b84627c1e8c5ed9ae0b1237ef5c building syzkaller on 53430d97195bc8dc0221eaa2ea913237d82e199d testing commit 3d40d7117e353b84627c1e8c5ed9ae0b1237ef5c with gcc (GCC) 8.1.0 kernel signature: 7e67ea69254bf79a2668fe26b304ea87c7a1e4fc6c5007d5d9222836ffcd5dfd run #0: crashed: KASAN: use-after-free Read in macvlan_broadcast run #1: crashed: KASAN: slab-out-of-bounds Read in macvlan_broadcast run #2: crashed: KASAN: slab-out-of-bounds Read in macvlan_broadcast run #3: crashed: KASAN: slab-out-of-bounds Read in macvlan_broadcast run #4: crashed: KASAN: slab-out-of-bounds Read in macvlan_broadcast run #5: crashed: KASAN: slab-out-of-bounds Read in macvlan_broadcast run #6: crashed: KASAN: use-after-free Read in macvlan_broadcast run #7: crashed: KASAN: use-after-free Read in macvlan_broadcast run #8: crashed: KASAN: use-after-free Read in macvlan_broadcast run #9: crashed: KASAN: use-after-free Read in macvlan_broadcast testing current HEAD b499cf4b3a901e87e1f933df04abf69b54de4457 testing commit b499cf4b3a901e87e1f933df04abf69b54de4457 with gcc (GCC) 8.1.0 kernel signature: efa0e77313badbca6d1d2bb40ea5f28b17599692bce28780ba7c216d4e273c31 all runs: OK # git bisect start b499cf4b3a901e87e1f933df04abf69b54de4457 3d40d7117e353b84627c1e8c5ed9ae0b1237ef5c Bisecting: 645 revisions left to test after this (roughly 9 steps) [f27808ed8c147e178e77404eb7719ef3a96bf5e7] brcmfmac: create debugfs files for bus-specific layer testing commit f27808ed8c147e178e77404eb7719ef3a96bf5e7 with gcc (GCC) 8.1.0 kernel signature: 2c8b402e5aa92a7ba66ec40f00ed804f8441d0f0fa0666e312d7b4f42af120bf all runs: OK # git bisect bad f27808ed8c147e178e77404eb7719ef3a96bf5e7 Bisecting: 322 revisions left to test after this (roughly 8 steps) [a9a5fd928285d228bfc7cd4ee80f48c481cb466f] rseq/selftests: Turn off timeout setting testing commit a9a5fd928285d228bfc7cd4ee80f48c481cb466f with gcc (GCC) 8.1.0 kernel signature: 7149c5dda283c3b750d09c8539089861b1c4b40d1bbe0c8a9f619e8d1c8f9254 all runs: OK # git bisect bad a9a5fd928285d228bfc7cd4ee80f48c481cb466f Bisecting: 160 revisions left to test after this (roughly 7 steps) [77de8ee6b09f5c73a92c0434e8a08b4e614fbcba] fs: avoid softlockups in s_inodes iterators testing commit 77de8ee6b09f5c73a92c0434e8a08b4e614fbcba with gcc (GCC) 8.1.0 kernel signature: ee61528f3a6d292b7f93bea782ccb5ab924f6c0dddf559da09b552ddbdaf58b7 run #0: crashed: KASAN: use-after-free Read in macvlan_broadcast run #1: crashed: KASAN: slab-out-of-bounds Read in macvlan_broadcast run #2: crashed: KASAN: slab-out-of-bounds Read in macvlan_broadcast run #3: crashed: KASAN: slab-out-of-bounds Read in macvlan_broadcast run #4: crashed: KASAN: slab-out-of-bounds Read in macvlan_broadcast run #5: crashed: KASAN: use-after-free Read in macvlan_broadcast run #6: crashed: KASAN: use-after-free Read in macvlan_broadcast run #7: crashed: KASAN: slab-out-of-bounds Read in macvlan_broadcast run #8: crashed: KASAN: slab-out-of-bounds Read in macvlan_broadcast run #9: crashed: KASAN: use-after-free Read in macvlan_broadcast # git bisect good 77de8ee6b09f5c73a92c0434e8a08b4e614fbcba Bisecting: 80 revisions left to test after this (roughly 6 steps) [d429612632cc33d8b929a59f7242bcb3239813dd] phy: cpcap-usb: Fix flakey host idling and enumerating of devices testing commit d429612632cc33d8b929a59f7242bcb3239813dd with gcc (GCC) 8.1.0 kernel signature: cfdb696580e7fc683c9cb17e8bd8179f0b4b41184e89c30d6c28ab47ae14b7f4 all runs: OK # git bisect bad d429612632cc33d8b929a59f7242bcb3239813dd Bisecting: 39 revisions left to test after this (roughly 5 steps) [1b7d82175bf8ac8f692b2b1d1ab801afa8cf0c03] usb: chipidea: host: Disable port power only if previously enabled testing commit 1b7d82175bf8ac8f692b2b1d1ab801afa8cf0c03 with gcc (GCC) 8.1.0 kernel signature: 5b9e5188702fba3bc3fa2bc4d5c46241ccaec2dc11fe0bbe7fbfd32c63de7fbf all runs: OK # git bisect bad 1b7d82175bf8ac8f692b2b1d1ab801afa8cf0c03 Bisecting: 19 revisions left to test after this (roughly 4 steps) [d36857e02bf8a9574362912afc865cdfb8ba1972] net: dsa: mv88e6xxx: Preserve priority when setting CPU port. testing commit d36857e02bf8a9574362912afc865cdfb8ba1972 with gcc (GCC) 8.1.0 kernel signature: 85f8e3f994831d8fc611f60354a0bdec83d74446254b362492c9ffaf8eac5249 all runs: OK # git bisect bad d36857e02bf8a9574362912afc865cdfb8ba1972 Bisecting: 9 revisions left to test after this (roughly 3 steps) [4b9f0187aa07bd9386cb81e47e0387a6ff679294] parisc: Fix compiler warnings in debug_core.c testing commit 4b9f0187aa07bd9386cb81e47e0387a6ff679294 with gcc (GCC) 8.1.0 kernel signature: 9adf98069e10f218b21acd0960c19ba2cc19187591af9ffcb598d91bb49a5272 run #0: crashed: KASAN: slab-out-of-bounds Read in macvlan_broadcast run #1: crashed: KASAN: use-after-free Read in macvlan_broadcast run #2: crashed: KASAN: use-after-free Read in macvlan_broadcast run #3: crashed: KASAN: use-after-free Read in macvlan_broadcast run #4: crashed: KASAN: slab-out-of-bounds Read in macvlan_broadcast run #5: crashed: KASAN: use-after-free Read in macvlan_broadcast run #6: crashed: KASAN: use-after-free Read in macvlan_broadcast run #7: crashed: KASAN: use-after-free Read in macvlan_broadcast run #8: crashed: KASAN: slab-out-of-bounds Read in macvlan_broadcast run #9: crashed: KASAN: slab-out-of-bounds Read in macvlan_broadcast # git bisect good 4b9f0187aa07bd9386cb81e47e0387a6ff679294 Bisecting: 4 revisions left to test after this (roughly 2 steps) [4ef576e99d29a6c58a3cc9016f052629f040f111] cpufreq: imx6q: read OCOTP through nvmem for imx6ul/imx6ull testing commit 4ef576e99d29a6c58a3cc9016f052629f040f111 with gcc (GCC) 8.1.0 kernel signature: 0d3c735deb3eaad13dcefe4cb2dd98079943bfaf847ef546d22dfc70f4e7248d run #0: crashed: KASAN: slab-out-of-bounds Read in macvlan_broadcast run #1: crashed: KASAN: use-after-free Read in macvlan_broadcast run #2: crashed: KASAN: use-after-free Read in macvlan_broadcast run #3: crashed: KASAN: slab-out-of-bounds Read in macvlan_broadcast run #4: crashed: KASAN: use-after-free Read in macvlan_broadcast run #5: crashed: KASAN: use-after-free Read in macvlan_broadcast run #6: crashed: KASAN: use-after-free Read in macvlan_broadcast run #7: crashed: KASAN: slab-out-of-bounds Read in macvlan_broadcast run #8: crashed: KASAN: use-after-free Read in macvlan_broadcast run #9: crashed: KASAN: use-after-free Read in macvlan_broadcast # git bisect good 4ef576e99d29a6c58a3cc9016f052629f040f111 Bisecting: 2 revisions left to test after this (roughly 1 step) [13d9f98ef4c11cef57093cd6e28b31d7c3b55fb0] PCI/switchtec: Read all 64 bits of part_event_bitmap testing commit 13d9f98ef4c11cef57093cd6e28b31d7c3b55fb0 with gcc (GCC) 8.1.0 kernel signature: c0afb9a18e31af66c9621d0ad4ab245f3b82065ebb82bee24fc1e3e520313e91 run #0: crashed: KASAN: use-after-free Read in macvlan_broadcast run #1: crashed: KASAN: slab-out-of-bounds Read in macvlan_broadcast run #2: crashed: KASAN: use-after-free Read in macvlan_broadcast run #3: crashed: KASAN: use-after-free Read in macvlan_broadcast run #4: crashed: KASAN: use-after-free Read in macvlan_broadcast run #5: crashed: KASAN: use-after-free Read in macvlan_broadcast run #6: crashed: KASAN: use-after-free Read in macvlan_broadcast run #7: crashed: KASAN: use-after-free Read in macvlan_broadcast run #8: crashed: KASAN: slab-out-of-bounds Read in macvlan_broadcast run #9: crashed: KASAN: use-after-free Read in macvlan_broadcast # git bisect good 13d9f98ef4c11cef57093cd6e28b31d7c3b55fb0 Bisecting: 0 revisions left to test after this (roughly 1 step) [5f3274c53ae7049755b29ec0c351f145cb68270c] macvlan: do not assume mac_header is set in macvlan_broadcast() testing commit 5f3274c53ae7049755b29ec0c351f145cb68270c with gcc (GCC) 8.1.0 kernel signature: e4871c65e03ee259b2dc53b9c7ba9fcfd3a6754172a58111e5d9dca82e62be73 all runs: OK # git bisect bad 5f3274c53ae7049755b29ec0c351f145cb68270c Bisecting: 0 revisions left to test after this (roughly 0 steps) [776a81a024e73e809af4d965ed397405062d4515] gtp: fix bad unlock balance in gtp_encap_enable_socket testing commit 776a81a024e73e809af4d965ed397405062d4515 with gcc (GCC) 8.1.0 kernel signature: 95dd21b1788bbe620c4e90664a30ca1cefbbdd41bef93cf65937674724fd46ac run #0: crashed: KASAN: slab-out-of-bounds Read in macvlan_broadcast run #1: crashed: KASAN: use-after-free Read in macvlan_broadcast run #2: crashed: KASAN: use-after-free Read in macvlan_broadcast run #3: crashed: KASAN: use-after-free Read in macvlan_broadcast run #4: crashed: KASAN: use-after-free Read in macvlan_broadcast run #5: crashed: KASAN: use-after-free Read in macvlan_broadcast run #6: crashed: KASAN: slab-out-of-bounds Read in macvlan_broadcast run #7: crashed: KASAN: use-after-free Read in macvlan_broadcast run #8: crashed: KASAN: slab-out-of-bounds Read in macvlan_broadcast run #9: crashed: KASAN: slab-out-of-bounds Read in macvlan_broadcast # git bisect good 776a81a024e73e809af4d965ed397405062d4515 5f3274c53ae7049755b29ec0c351f145cb68270c is the first bad commit commit 5f3274c53ae7049755b29ec0c351f145cb68270c Author: Eric Dumazet Date: Mon Jan 6 12:30:48 2020 -0800 macvlan: do not assume mac_header is set in macvlan_broadcast() [ Upstream commit 96cc4b69581db68efc9749ef32e9cf8e0160c509 ] Use of eth_hdr() in tx path is error prone. Many drivers call skb_reset_mac_header() before using it, but others do not. Commit 6d1ccff62780 ("net: reset mac header in dev_start_xmit()") attempted to fix this generically, but commit d346a3fae3ff ("packet: introduce PACKET_QDISC_BYPASS socket option") brought back the macvlan bug. Lets add a new helper, so that tx paths no longer have to call skb_reset_mac_header() only to get a pointer to skb->data. Hopefully we will be able to revert 6d1ccff62780 ("net: reset mac header in dev_start_xmit()") and save few cycles in transmit fast path. BUG: KASAN: use-after-free in __get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline] BUG: KASAN: use-after-free in mc_hash drivers/net/macvlan.c:251 [inline] BUG: KASAN: use-after-free in macvlan_broadcast+0x547/0x620 drivers/net/macvlan.c:277 Read of size 4 at addr ffff8880a4932401 by task syz-executor947/9579 CPU: 0 PID: 9579 Comm: syz-executor947 Not tainted 5.5.0-rc4-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x197/0x210 lib/dump_stack.c:118 print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374 __kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506 kasan_report+0x12/0x20 mm/kasan/common.c:639 __asan_report_load_n_noabort+0xf/0x20 mm/kasan/generic_report.c:145 __get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline] mc_hash drivers/net/macvlan.c:251 [inline] macvlan_broadcast+0x547/0x620 drivers/net/macvlan.c:277 macvlan_queue_xmit drivers/net/macvlan.c:520 [inline] macvlan_start_xmit+0x402/0x77f drivers/net/macvlan.c:559 __netdev_start_xmit include/linux/netdevice.h:4447 [inline] netdev_start_xmit include/linux/netdevice.h:4461 [inline] dev_direct_xmit+0x419/0x630 net/core/dev.c:4079 packet_direct_xmit+0x1a9/0x250 net/packet/af_packet.c:240 packet_snd net/packet/af_packet.c:2966 [inline] packet_sendmsg+0x260d/0x6220 net/packet/af_packet.c:2991 sock_sendmsg_nosec net/socket.c:639 [inline] sock_sendmsg+0xd7/0x130 net/socket.c:659 __sys_sendto+0x262/0x380 net/socket.c:1985 __do_sys_sendto net/socket.c:1997 [inline] __se_sys_sendto net/socket.c:1993 [inline] __x64_sys_sendto+0xe1/0x1a0 net/socket.c:1993 do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x442639 Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007ffc13549e08 EFLAGS: 00000246 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000442639 RDX: 000000000000000e RSI: 0000000020000080 RDI: 0000000000000003 RBP: 0000000000000004 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000403bb0 R14: 0000000000000000 R15: 0000000000000000 Allocated by task 9389: save_stack+0x23/0x90 mm/kasan/common.c:72 set_track mm/kasan/common.c:80 [inline] __kasan_kmalloc mm/kasan/common.c:513 [inline] __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:486 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:527 __do_kmalloc mm/slab.c:3656 [inline] __kmalloc+0x163/0x770 mm/slab.c:3665 kmalloc include/linux/slab.h:561 [inline] tomoyo_realpath_from_path+0xc5/0x660 security/tomoyo/realpath.c:252 tomoyo_get_realpath security/tomoyo/file.c:151 [inline] tomoyo_path_perm+0x230/0x430 security/tomoyo/file.c:822 tomoyo_inode_getattr+0x1d/0x30 security/tomoyo/tomoyo.c:129 security_inode_getattr+0xf2/0x150 security/security.c:1222 vfs_getattr+0x25/0x70 fs/stat.c:115 vfs_statx_fd+0x71/0xc0 fs/stat.c:145 vfs_fstat include/linux/fs.h:3265 [inline] __do_sys_newfstat+0x9b/0x120 fs/stat.c:378 __se_sys_newfstat fs/stat.c:375 [inline] __x64_sys_newfstat+0x54/0x80 fs/stat.c:375 do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 9389: save_stack+0x23/0x90 mm/kasan/common.c:72 set_track mm/kasan/common.c:80 [inline] kasan_set_free_info mm/kasan/common.c:335 [inline] __kasan_slab_free+0x102/0x150 mm/kasan/common.c:474 kasan_slab_free+0xe/0x10 mm/kasan/common.c:483 __cache_free mm/slab.c:3426 [inline] kfree+0x10a/0x2c0 mm/slab.c:3757 tomoyo_realpath_from_path+0x1a7/0x660 security/tomoyo/realpath.c:289 tomoyo_get_realpath security/tomoyo/file.c:151 [inline] tomoyo_path_perm+0x230/0x430 security/tomoyo/file.c:822 tomoyo_inode_getattr+0x1d/0x30 security/tomoyo/tomoyo.c:129 security_inode_getattr+0xf2/0x150 security/security.c:1222 vfs_getattr+0x25/0x70 fs/stat.c:115 vfs_statx_fd+0x71/0xc0 fs/stat.c:145 vfs_fstat include/linux/fs.h:3265 [inline] __do_sys_newfstat+0x9b/0x120 fs/stat.c:378 __se_sys_newfstat fs/stat.c:375 [inline] __x64_sys_newfstat+0x54/0x80 fs/stat.c:375 do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294 entry_SYSCALL_64_after_hwframe+0x49/0xbe The buggy address belongs to the object at ffff8880a4932000 which belongs to the cache kmalloc-4k of size 4096 The buggy address is located 1025 bytes inside of 4096-byte region [ffff8880a4932000, ffff8880a4933000) The buggy address belongs to the page: page:ffffea0002924c80 refcount:1 mapcount:0 mapping:ffff8880aa402000 index:0x0 compound_mapcount: 0 raw: 00fffe0000010200 ffffea0002846208 ffffea00028f3888 ffff8880aa402000 raw: 0000000000000000 ffff8880a4932000 0000000100000001 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880a4932300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880a4932380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8880a4932400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8880a4932480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880a4932500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb Fixes: b863ceb7ddce ("[NET]: Add macvlan driver") Signed-off-by: Eric Dumazet Reported-by: syzbot Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman drivers/net/macvlan.c | 2 +- include/linux/if_ether.h | 8 ++++++++ 2 files changed, 9 insertions(+), 1 deletion(-) culprit signature: e4871c65e03ee259b2dc53b9c7ba9fcfd3a6754172a58111e5d9dca82e62be73 parent signature: 95dd21b1788bbe620c4e90664a30ca1cefbbdd41bef93cf65937674724fd46ac revisions tested: 13, total time: 3h31m50.308765886s (build: 1h59m37.449342398s, test: 1h31m2.873466005s) first good commit: 5f3274c53ae7049755b29ec0c351f145cb68270c macvlan: do not assume mac_header is set in macvlan_broadcast() cc: ["davem@davemloft.net" "edumazet@google.com" "gregkh@linuxfoundation.org"]