bisecting fixing commit since 968722f5371ad5deee23fc20269fdc44c23014b1
building syzkaller on 13dcda9b39492dcd91150df7d867bbe2a44cc5e6
testing commit 968722f5371ad5deee23fc20269fdc44c23014b1 with gcc (GCC) 8.1.0
kernel signature: 2e52ccca004b4203b40cbba918ae4c41997149ad
run #0: crashed: KASAN: use-after-free Read in tcp_write_xmit
run #1: crashed: KASAN: use-after-free Read in tcp_write_xmit
run #2: crashed: KASAN: use-after-free Read in tcp_write_xmit
run #3: crashed: KASAN: use-after-free Read in tcp_write_xmit
run #4: crashed: KASAN: use-after-free Read in tcp_write_xmit
run #5: crashed: KASAN: use-after-free Read in tcp_write_xmit
run #6: crashed: KASAN: use-after-free Read in tcp_write_xmit
run #7: crashed: general protection fault in tcp_push
run #8: crashed: KASAN: use-after-free Read in tcp_write_xmit
run #9: crashed: KASAN: use-after-free Read in tcp_write_xmit
testing current HEAD a844dc4c544291470aa69edbe2434b040794e269
testing commit a844dc4c544291470aa69edbe2434b040794e269 with gcc (GCC) 8.1.0
kernel signature: b7fbd6f437b934c5dd97cb923b1656aac6701438
all runs: OK
# git bisect start a844dc4c544291470aa69edbe2434b040794e269 968722f5371ad5deee23fc20269fdc44c23014b1
Bisecting: 848 revisions left to test after this (roughly 10 steps)
[e45760e46f7bf11545f3b5347cec3744c5e631f2] usb: gadget: configfs: fix concurrent issue between composite APIs
testing commit e45760e46f7bf11545f3b5347cec3744c5e631f2 with gcc (GCC) 8.1.0
kernel signature: d869cd83aebaa80ac489daaa05058345ea4bc712
all runs: OK
# git bisect bad e45760e46f7bf11545f3b5347cec3744c5e631f2
Bisecting: 423 revisions left to test after this (roughly 9 steps)
[e3dcbbe53846df1abf7cef1d3e56b2f6af0ca633] USB: yurex: Don't retry on unexpected errors
testing commit e3dcbbe53846df1abf7cef1d3e56b2f6af0ca633 with gcc (GCC) 8.1.0
kernel signature: 4d924f344468e1d2d4938b282881de1d5b4ec1a4
all runs: OK
# git bisect bad e3dcbbe53846df1abf7cef1d3e56b2f6af0ca633
Bisecting: 211 revisions left to test after this (roughly 8 steps)
[d3a3ad92891c873cb43e71c43ad3c3765f2dddeb] media: cpia2_usb: fix memory leaks
testing commit d3a3ad92891c873cb43e71c43ad3c3765f2dddeb with gcc (GCC) 8.1.0
kernel signature: 867135213ca83223ed9fba2689b114b22c536315
all runs: OK
# git bisect bad d3a3ad92891c873cb43e71c43ad3c3765f2dddeb
Bisecting: 105 revisions left to test after this (roughly 7 steps)
[f6e27dbb1afabcba436e346d6aa88a592a1436bb] Linux 4.14.146
testing commit f6e27dbb1afabcba436e346d6aa88a592a1436bb with gcc (GCC) 8.1.0
kernel signature: 6f8a37b249865631f065ab51d48cde7038e07d4e
all runs: OK
# git bisect bad f6e27dbb1afabcba436e346d6aa88a592a1436bb
Bisecting: 52 revisions left to test after this (roughly 6 steps)
[717ad917f254f0bfce622271a3f8a01dd66de48f] xen-netfront: do not assume sk_buff_head list is empty in error handling
testing commit 717ad917f254f0bfce622271a3f8a01dd66de48f with gcc (GCC) 8.1.0
kernel signature: 09e430d8f294e52c991b959a301e057812d216c2
run #0: crashed: general protection fault in tcp_push
run #1: crashed: KASAN: use-after-free Read in tcp_write_xmit
run #2: crashed: KASAN: use-after-free Read in tcp_write_xmit
run #3: crashed: KASAN: use-after-free Read in tcp_write_xmit
run #4: crashed: KASAN: use-after-free Read in tcp_write_xmit
run #5: crashed: KASAN: use-after-free Read in tcp_write_xmit
run #6: crashed: KASAN: use-after-free Read in tcp_write_xmit
run #7: crashed: general protection fault in tcp_push
run #8: crashed: general protection fault in tcp_push
run #9: crashed: KASAN: use-after-free Read in tcp_write_xmit
# git bisect good 717ad917f254f0bfce622271a3f8a01dd66de48f
Bisecting: 26 revisions left to test after this (roughly 5 steps)
[dee9ad44006842aa8e04b8895dba00a7035a5bad] NFSv2: Fix write regression
testing commit dee9ad44006842aa8e04b8895dba00a7035a5bad with gcc (GCC) 8.1.0
kernel signature: b446cc97de65959565e6450e73bb578248068d1f
run #0: crashed: general protection fault in tcp_push
run #1: crashed: KASAN: use-after-free Read in tcp_write_xmit
run #2: crashed: general protection fault in tcp_push
run #3: crashed: KASAN: use-after-free Read in tcp_write_xmit
run #4: crashed: KASAN: use-after-free Read in tcp_write_xmit
run #5: crashed: KASAN: use-after-free Read in tcp_write_xmit
run #6: crashed: KASAN: use-after-free Read in tcp_write_xmit
run #7: crashed: KASAN: use-after-free Read in tcp_write_xmit
run #8: crashed: KASAN: use-after-free Read in tcp_write_xmit
run #9: crashed: KASAN: use-after-free Read in tcp_write_xmit
# git bisect good dee9ad44006842aa8e04b8895dba00a7035a5bad
Bisecting: 13 revisions left to test after this (roughly 4 steps)
[b53f7557485c753751cf5f8f1d5953bd7bec295b] net: seeq: Fix the function used to release some memory in an error handling path
testing commit b53f7557485c753751cf5f8f1d5953bd7bec295b with gcc (GCC) 8.1.0
kernel signature: a25a06367643b495b84bbcb09acc97a2a00f1dca
run #0: crashed: KASAN: use-after-free Read in tcp_write_xmit
run #1: crashed: KASAN: use-after-free Read in tcp_write_xmit
run #2: crashed: KASAN: use-after-free Read in tcp_write_xmit
run #3: crashed: KASAN: use-after-free Read in tcp_write_xmit
run #4: crashed: KASAN: use-after-free Read in tcp_write_xmit
run #5: crashed: general protection fault in tcp_push
run #6: crashed: KASAN: use-after-free Read in tcp_write_xmit
run #7: crashed: KASAN: use-after-free Read in tcp_write_xmit
run #8: crashed: KASAN: use-after-free Read in tcp_write_xmit
run #9: crashed: KASAN: use-after-free Read in tcp_write_xmit
# git bisect good b53f7557485c753751cf5f8f1d5953bd7bec295b
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[b15bf74405faa1a65025eb8a6eb337e140e5250a] iommu/amd: Fix race in increase_address_space()
testing commit b15bf74405faa1a65025eb8a6eb337e140e5250a with gcc (GCC) 8.1.0
kernel signature: 53e46a15fbf77cdecffc9c09571f069fb8d1b3d3
run #0: crashed: KASAN: use-after-free Read in tcp_write_xmit
run #1: crashed: KASAN: use-after-free Read in tcp_write_xmit
run #2: crashed: general protection fault in tcp_push
run #3: crashed: general protection fault in tcp_push
run #4: crashed: KASAN: use-after-free Read in tcp_write_xmit
run #5: crashed: general protection fault in tcp_push
run #6: crashed: KASAN: use-after-free Read in tcp_write_xmit
run #7: crashed: general protection fault in tcp_push
run #8: crashed: KASAN: use-after-free Read in tcp_write_xmit
run #9: crashed: KASAN: use-after-free Read in tcp_write_xmit
# git bisect good b15bf74405faa1a65025eb8a6eb337e140e5250a
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[56af7c0ea79095edbf198711141805b936fc2996] binfmt_elf: move brk out of mmap when doing direct loader exec
testing commit 56af7c0ea79095edbf198711141805b936fc2996 with gcc (GCC) 8.1.0
kernel signature: 673f7cd88c17860e10d5a0133961fa0150e1b21d
run #0: crashed: general protection fault in tcp_push
run #1: crashed: KASAN: use-after-free Read in tcp_write_xmit
run #2: crashed: general protection fault in tcp_push
run #3: crashed: general protection fault in tcp_push
run #4: crashed: KASAN: use-after-free Read in tcp_write_xmit
run #5: crashed: KASAN: use-after-free Read in tcp_write_xmit
run #6: crashed: general protection fault in tcp_push
run #7: crashed: KASAN: use-after-free Read in tcp_write_xmit
run #8: crashed: KASAN: use-after-free Read in tcp_write_xmit
run #9: crashed: KASAN: use-after-free Read in tcp_write_xmit
# git bisect good 56af7c0ea79095edbf198711141805b936fc2996
Bisecting: 1 revision left to test after this (roughly 1 step)
[ba2ddb43f270e6492ccce4fc42fc32c611de8f68] tcp: Don't dequeue SYN/FIN-segments from write-queue
testing commit ba2ddb43f270e6492ccce4fc42fc32c611de8f68 with gcc (GCC) 8.1.0
kernel signature: 6b7ad0deec23647c2b9795dcec723008bdc15176
all runs: OK
# git bisect bad ba2ddb43f270e6492ccce4fc42fc32c611de8f68
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[f1dcc5ed4bea3f2d63b74ad86617ec12b1e5e9d4] tcp: Reset send_head when removing skb from write-queue
testing commit f1dcc5ed4bea3f2d63b74ad86617ec12b1e5e9d4 with gcc (GCC) 8.1.0
kernel signature: 810656c5cdd959473fe3cbcde009506acf90f26d
all runs: OK
# git bisect bad f1dcc5ed4bea3f2d63b74ad86617ec12b1e5e9d4
f1dcc5ed4bea3f2d63b74ad86617ec12b1e5e9d4 is the first bad commit
commit f1dcc5ed4bea3f2d63b74ad86617ec12b1e5e9d4
Author: Christoph Paasch
Date:   Fri Sep 13 13:08:18 2019 -0700

    tcp: Reset send_head when removing skb from write-queue

    syzkaller is not happy since commit fdfc5c8594c2 ("tcp: remove empty skb from write queue in error cases"):

    CPU: 1 PID: 13814 Comm: syz-executor.4 Not tainted 4.14.143 #5
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.5.1 01/01/2011
    task: ffff888040105c00 task.stack: ffff8880649c0000
    RIP: 0010:tcp_sendmsg_locked+0x6b4/0x4390 net/ipv4/tcp.c:1350
    RSP: 0018:ffff8880649cf718 EFLAGS: 00010206
    RAX: 0000000000000014 RBX: 000000000000001e RCX: ffffc90000717000
    RDX: 0000000000000077 RSI: ffffffff82e760f7 RDI: 00000000000000a0
    RBP: ffff8880649cfaa8 R08: 1ffff1100c939e7a R09: ffff8880401063c8
    R10: 0000000000000003 R11: 0000000000000001 R12: dffffc0000000000
    R13: ffff888043d74750 R14: ffff888043d74500 R15: 000000000000001e
    FS:  00007f0afcb6d700(0000) GS:ffff88806cf00000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000001b2ca22000 CR3: 0000000040496004 CR4: 00000000003606e0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    Call Trace:
     tcp_sendmsg+0x2a/0x40 net/ipv4/tcp.c:1533
     inet_sendmsg+0x173/0x4e0 net/ipv4/af_inet.c:784
     sock_sendmsg_nosec net/socket.c:646 [inline]
     sock_sendmsg+0xc3/0x100 net/socket.c:656
     SYSC_sendto+0x35d/0x5e0 net/socket.c:1766
     do_syscall_64+0x241/0x680 arch/x86/entry/common.c:292
     entry_SYSCALL_64_after_hwframe+0x42/0xb7

    The problem is that we are removing an skb from the write-queue that
    could have been referenced by the sk_send_head. Thus, we need to check
    for the send_head's sanity after removing it.

    This patch needs to be backported only to 4.14 and older (among those
    that applied the backport of fdfc5c8594c2).

    Fixes: fdfc5c8594c2 ("tcp: remove empty skb from write queue in error cases")
    Cc: Eric Dumazet
    Cc: Jason Baron
    Cc: Vladimir Rutsky
    Cc: Soheil Hassas Yeganeh
    Cc: Neal Cardwell
    Signed-off-by: Christoph Paasch
    Signed-off-by: Greg Kroah-Hartman

 net/ipv4/tcp.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

kernel signature: 810656c5cdd959473fe3cbcde009506acf90f26d
previous signature: 673f7cd88c17860e10d5a0133961fa0150e1b21d
revisions tested: 13, total time: 3h19m29.513535695s (build: 1h41m33.36128577s, test: 1h36m50.795035784s)
first good commit: f1dcc5ed4bea3f2d63b74ad86617ec12b1e5e9d4 tcp: Reset send_head when removing skb from write-queue
cc: ["cpaasch@apple.com" "edumazet@google.com" "gregkh@linuxfoundation.org" "jbaron@akamai.com" "ncardwell@google.com" "rutsky@google.com" "soheil@google.com"]
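The bug class the fixing commit describes (an skb unlinked and freed while sk_send_head still points at it, so the next transmit pass reads freed memory) is shown below in a userspace model. This is an added example, not kernel code and not the patch from the log: the structures, the write-queue helpers and the poison-on-free stand-in for kfree() are simplified assumptions, and the "fixed" path simply moves the cursor off the skb before unlinking it, which is the idea the commit message states rather than the literal diff.

```c
/*
 * Added example (not kernel code, not the patch above): a userspace model of
 * a socket write queue with a sk_send_head cursor, showing why unlinking an
 * skb without checking the cursor leaves a dangling pointer.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct sk_buff {
    struct sk_buff *next;
    size_t len;   /* 0 models the empty skb an error path leaves at the tail */
};

struct sock {
    struct sk_buff *write_queue_head;
    struct sk_buff *write_queue_tail;
    struct sk_buff *sk_send_head;   /* first not-yet-sent skb, NULL if none */
};

/* Append at the tail; if nothing was pending it becomes the send head. */
static void write_queue_add(struct sock *sk, struct sk_buff *skb)
{
    skb->next = NULL;
    if (sk->write_queue_tail)
        sk->write_queue_tail->next = skb;
    else
        sk->write_queue_head = skb;
    sk->write_queue_tail = skb;
    if (!sk->sk_send_head)
        sk->sk_send_head = skb;
}

/* Model "this skb went on the wire": the cursor moves to the next one. */
static void advance_send_head(struct sock *sk)
{
    if (sk->sk_send_head)
        sk->sk_send_head = sk->sk_send_head->next;
}

/* Unlink only. Deliberately leaves sk_send_head alone (the buggy shape). */
static void unlink_write_queue(struct sock *sk, struct sk_buff *skb)
{
    struct sk_buff **pp = &sk->write_queue_head, *prev = NULL;

    while (*pp && *pp != skb) {
        prev = *pp;
        pp = &(*pp)->next;
    }
    if (!*pp)
        return;
    *pp = skb->next;
    if (sk->write_queue_tail == skb)
        sk->write_queue_tail = prev;
    skb->next = NULL;
}

/* Stand-in for kfree(): poison the object the way SLAB_POISON would. */
static void free_skb(struct sk_buff *skb)
{
    memset(skb, 0x6b, sizeof(*skb));
}

/* The fix's idea: move the cursor off the skb before it disappears. Called
 * before the unlink so skb->next is still meaningful; for the tail skb this
 * yields NULL, which is the case the bug report is about. */
static void check_send_head(struct sock *sk, struct sk_buff *unlinked)
{
    if (sk->sk_send_head == unlinked)
        sk->sk_send_head = unlinked->next;
}

static void remove_empty_skb(struct sock *sk, struct sk_buff *skb, int use_fix)
{
    if (!skb || skb->len)
        return;
    if (use_fix)
        check_send_head(sk, skb);
    unlink_write_queue(sk, skb);
    free_skb(skb);
}

/* Invariant: sk_send_head is NULL or a member of the current queue. Only
 * pointer identities are compared, so the poisoned object is never read. */
static int send_head_is_sane(const struct sock *sk)
{
    const struct sk_buff *p;

    if (!sk->sk_send_head)
        return 1;
    for (p = sk->write_queue_head; p; p = p->next)
        if (p == sk->sk_send_head)
            return 1;
    return 0;
}

/* One sent skb followed by an empty one that is the send head; remove the
 * empty one with or without the fix and report whether the cursor is sane. */
int run_scenario(int use_fix)
{
    static struct sk_buff sent, empty;   /* static so the freed object stays addressable */
    struct sock sk;

    memset(&sk, 0, sizeof(sk));
    memset(&sent, 0, sizeof(sent));
    memset(&empty, 0, sizeof(empty));
    sent.len = 100;
    write_queue_add(&sk, &sent);
    advance_send_head(&sk);          /* sent is on the wire, nothing pending */
    write_queue_add(&sk, &empty);    /* error path left an empty skb: send head */
    remove_empty_skb(&sk, &empty, use_fix);
    return send_head_is_sane(&sk);
}

int main(void)
{
    printf("without fix: send_head sane = %d\n", run_scenario(0));
    printf("with fix:    send_head sane = %d\n", run_scenario(1));
    return 0;
}
```

Without the check the cursor still holds the address of the poisoned object, so a later transmit pass (the role tcp_write_xmit plays in the report) would read 0x6b bytes where it expects an skb; with the check the cursor is NULL and the queue is consistent. The same shape applies to any cached "next to process" pointer into an intrusive list: every unlink site must either advance the cursor or be provably unreachable while it points at the element.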