bisecting cause commit starting from 9097a058d49e049925d8da72db07fffcee24efa0 building syzkaller on 588075e659832f8685d0c9dc9c75c461e023e77f testing commit 9097a058d49e049925d8da72db07fffcee24efa0 with gcc (GCC) 8.1.0 run #0: crashed: general protection fault in tcp_splice_read run #1: crashed: general protection fault in tcp_splice_read run #2: crashed: general protection fault in tcp_splice_read run #3: crashed: general protection fault in corrupted run #4: crashed: general protection fault in tcp_splice_read run #5: crashed: general protection fault in tcp_splice_read run #6: crashed: general protection fault in tcp_splice_read run #7: crashed: general protection fault in tcp_splice_read run #8: crashed: general protection fault in tcp_splice_read run #9: crashed: general protection fault in tcp_splice_read testing release v4.19 testing commit 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d with gcc (GCC) 8.1.0 all runs: crashed: general protection fault in tcp_splice_read testing release v4.18 testing commit 94710cac0ef4ee177a63b5227664b38c95bbf703 with gcc (GCC) 8.1.0 all runs: crashed: general protection fault in tcp_splice_read testing release v4.17 testing commit 29dcea88779c856c7dc92040a0c01233263101d4 with gcc (GCC) 8.1.0 all runs: crashed: general protection fault in tcp_splice_read testing release v4.16 testing commit 0adb32858b0bddf4ada5f364a84ed60b196dbcda with gcc (GCC) 8.1.0 all runs: crashed: general protection fault in tcp_splice_read testing release v4.15 testing commit d8a5b80568a9cb66810e75b182018e9edb68e8ff with gcc (GCC) 8.1.0 all runs: crashed: general protection fault in tcp_splice_read testing release v4.14 testing commit bebc6082da0a9f5d47a1ea2edc099bf671058bd4 with gcc (GCC) 8.1.0 all runs: crashed: general protection fault in tcp_splice_read testing release v4.13 testing commit 569dbb88e80deb68974ef6fdd6a13edb9d686261 with gcc (GCC) 8.1.0 all runs: crashed: general protection fault in tcp_splice_read testing release v4.12 testing commit 6f7da290413ba713f0cdd9ff1a2a9bb129ef4f6c with gcc (GCC) 8.1.0 all runs: crashed: general protection fault in tcp_splice_read testing release v4.11 testing commit a351e9b9fc24e982ec2f0e76379a49826036da12 with gcc (GCC) 7.3.0 all runs: OK # git bisect start v4.12 v4.11 Bisecting: 7831 revisions left to test after this (roughly 13 steps) [2bd80401743568ced7d303b008ae5298ce77e695] Merge tag 'gpio-v4.12-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio testing commit 2bd80401743568ced7d303b008ae5298ce77e695 with gcc (GCC) 7.3.0 all runs: crashed: INFO: trying to register non-static key in can_notifier # git bisect bad 2bd80401743568ced7d303b008ae5298ce77e695 Bisecting: 3853 revisions left to test after this (roughly 12 steps) [8d65b08debc7e62b2c6032d7fe7389d895b92cbc] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next testing commit 8d65b08debc7e62b2c6032d7fe7389d895b92cbc with gcc (GCC) 7.3.0 all runs: crashed: INFO: trying to register non-static key in can_notifier # git bisect bad 8d65b08debc7e62b2c6032d7fe7389d895b92cbc Bisecting: 2022 revisions left to test after this (roughly 11 steps) [cec381919818a9a0cb85600b3c82404bdd38cf36] Merge tag 'mac80211-next-for-davem-2017-04-28' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211-next testing commit cec381919818a9a0cb85600b3c82404bdd38cf36 with gcc (GCC) 5.5.0 all runs: crashed: INFO: trying to register non-static key in can_notifier # git bisect bad cec381919818a9a0cb85600b3c82404bdd38cf36 Bisecting: 1013 revisions left to test after this (roughly 10 steps) [5cd8985a19090f2b0ce8700ae3ec19e06a4fc5e9] net-next: dsa: add Mediatek tag RX/TX handler testing commit 5cd8985a19090f2b0ce8700ae3ec19e06a4fc5e9 with gcc (GCC) 5.5.0 run #0: crashed: WARNING: ODEBUG bug in del_timer run #1: crashed: WARNING: ODEBUG bug in del_timer run #2: crashed: WARNING: ODEBUG bug in del_timer run #3: crashed: WARNING: ODEBUG bug in del_timer run #4: crashed: WARNING: ODEBUG bug in del_timer run #5: crashed: WARNING: ODEBUG bug in del_timer run #6: crashed: WARNING: ODEBUG bug in del_timer run #7: crashed: WARNING: ODEBUG bug in del_timer run #8: crashed: WARNING: ODEBUG bug in del_timer run #9: basic kernel testing failed: failed to copy test binary to VM: timedout ["scp" "-P" "27835" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/usr/local/google/home/dvyukov/syzkaller/ci-bisect2/jobs/linux/workdir/image/key" "/tmp/syz-executor621257978" "root@localhost:/syz-executor621257978"] Warning: Permanently added '[localhost]:27835' (ECDSA) to the list of known hosts. Connection to localhost closed by remote host. # git bisect bad 5cd8985a19090f2b0ce8700ae3ec19e06a4fc5e9 Bisecting: 506 revisions left to test after this (roughly 9 steps) [b4f0a66155564aaf7e98492e027efad9f797c244] net: stmmac: fix dma operation mode config for older versions testing commit b4f0a66155564aaf7e98492e027efad9f797c244 with gcc (GCC) 5.5.0 run #0: basic kernel testing failed: failed to copy test binary to VM: timedout ["scp" "-P" "37093" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/usr/local/google/home/dvyukov/syzkaller/ci-bisect2/jobs/linux/workdir/image/key" "/tmp/syz-executor674771300" "root@localhost:/syz-executor674771300"] Warning: Permanently added '[localhost]:37093' (ECDSA) to the list of known hosts. Connection closed by 127.0.0.1 port 37093 run #1: basic kernel testing failed: failed to copy test binary to VM: timedout ["scp" "-P" "16092" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/usr/local/google/home/dvyukov/syzkaller/ci-bisect2/jobs/linux/workdir/image/key" "/tmp/syz-executor483460979" "root@localhost:/syz-executor483460979"] Warning: Permanently added '[localhost]:16092' (ECDSA) to the list of known hosts. Connection closed by 127.0.0.1 port 16092 run #2: basic kernel testing failed: failed to copy test binary to VM: timedout ["scp" "-P" "53268" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/usr/local/google/home/dvyukov/syzkaller/ci-bisect2/jobs/linux/workdir/image/key" "/tmp/syz-executor597125174" "root@localhost:/syz-executor597125174"] Warning: Permanently added '[localhost]:53268' (ECDSA) to the list of known hosts. Connection closed by 127.0.0.1 port 53268 run #3: basic kernel testing failed: failed to copy test binary to VM: timedout ["scp" "-P" "52883" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/usr/local/google/home/dvyukov/syzkaller/ci-bisect2/jobs/linux/workdir/image/key" "/tmp/syz-executor347418141" "root@localhost:/syz-executor347418141"] Warning: Permanently added '[localhost]:52883' (ECDSA) to the list of known hosts. Connection closed by 127.0.0.1 port 52883 run #4: basic kernel testing failed: failed to copy test binary to VM: timedout ["scp" "-P" "47417" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/usr/local/google/home/dvyukov/syzkaller/ci-bisect2/jobs/linux/workdir/image/key" "/tmp/syz-executor342145623" "root@localhost:/syz-executor342145623"] Warning: Permanently added '[localhost]:47417' (ECDSA) to the list of known hosts. Connection closed by 127.0.0.1 port 47417 run #5: basic kernel testing failed: failed to copy test binary to VM: timedout ["scp" "-P" "64244" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/usr/local/google/home/dvyukov/syzkaller/ci-bisect2/jobs/linux/workdir/image/key" "/tmp/syz-executor582418136" "root@localhost:/syz-executor582418136"] Warning: Permanently added '[localhost]:64244' (ECDSA) to the list of known hosts. Connection closed by 127.0.0.1 port 64244 run #6: basic kernel testing failed: failed to copy test binary to VM: timedout ["scp" "-P" "16739" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/usr/local/google/home/dvyukov/syzkaller/ci-bisect2/jobs/linux/workdir/image/key" "/tmp/syz-executor588545994" "root@localhost:/syz-executor588545994"] Warning: Permanently added '[localhost]:16739' (ECDSA) to the list of known hosts. Connection closed by 127.0.0.1 port 16739 run #7: basic kernel testing failed: failed to copy test binary to VM: timedout ["scp" "-P" "22538" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/usr/local/google/home/dvyukov/syzkaller/ci-bisect2/jobs/linux/workdir/image/key" "/tmp/syz-executor228121761" "root@localhost:/syz-executor228121761"] Warning: Permanently added '[localhost]:22538' (ECDSA) to the list of known hosts. Connection closed by 127.0.0.1 port 22538 run #8: basic kernel testing failed: failed to copy test binary to VM: timedout ["scp" "-P" "26030" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/usr/local/google/home/dvyukov/syzkaller/ci-bisect2/jobs/linux/workdir/image/key" "/tmp/syz-executor998494604" "root@localhost:/syz-executor998494604"] Warning: Permanently added '[localhost]:26030' (ECDSA) to the list of known hosts. Connection closed by 127.0.0.1 port 26030 run #9: basic kernel testing failed: failed to copy test binary to VM: timedout ["scp" "-P" "52674" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/usr/local/google/home/dvyukov/syzkaller/ci-bisect2/jobs/linux/workdir/image/key" "/tmp/syz-executor045061499" "root@localhost:/syz-executor045061499"] Warning: Permanently added '[localhost]:52674' (ECDSA) to the list of known hosts. Connection closed by 127.0.0.1 port 52674 # git bisect skip b4f0a66155564aaf7e98492e027efad9f797c244 Bisecting: 506 revisions left to test after this (roughly 9 steps) [ac0488ef59a54e42ad744ae1a91fafbcb2566a06] nfp: disable FW on reconfiguration errors testing commit ac0488ef59a54e42ad744ae1a91fafbcb2566a06 with gcc (GCC) 5.5.0 run #0: crashed: WARNING: ODEBUG bug in del_timer run #1: crashed: WARNING: ODEBUG bug in del_timer run #2: crashed: WARNING: ODEBUG bug in del_timer run #3: crashed: WARNING: ODEBUG bug in del_timer run #4: crashed: WARNING: ODEBUG bug in del_timer run #5: basic kernel testing failed: failed to copy test binary to VM: timedout ["scp" "-P" "56886" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/usr/local/google/home/dvyukov/syzkaller/ci-bisect2/jobs/linux/workdir/image/key" "/tmp/syz-executor204394719" "root@localhost:/syz-executor204394719"] Warning: Permanently added '[localhost]:56886' (ECDSA) to the list of known hosts. Connection closed by 127.0.0.1 port 56886 run #6: basic kernel testing failed: failed to copy test binary to VM: timedout ["scp" "-P" "29317" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/usr/local/google/home/dvyukov/syzkaller/ci-bisect2/jobs/linux/workdir/image/key" "/tmp/syz-executor263163570" "root@localhost:/syz-executor263163570"] Warning: Permanently added '[localhost]:29317' (ECDSA) to the list of known hosts. Connection closed by 127.0.0.1 port 29317 run #7: basic kernel testing failed: failed to copy test binary to VM: timedout ["scp" "-P" "11227" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/usr/local/google/home/dvyukov/syzkaller/ci-bisect2/jobs/linux/workdir/image/key" "/tmp/syz-executor807966900" "root@localhost:/syz-executor807966900"] Warning: Permanently added '[localhost]:11227' (ECDSA) to the list of known hosts. packet_write_wait: Connection to 127.0.0.1 port 11227: Broken pipe run #8: basic kernel testing failed: failed to copy test binary to VM: timedout ["scp" "-P" "61389" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/usr/local/google/home/dvyukov/syzkaller/ci-bisect2/jobs/linux/workdir/image/key" "/tmp/syz-executor849273961" "root@localhost:/syz-executor849273961"] Warning: Permanently added '[localhost]:61389' (ECDSA) to the list of known hosts. Connection to localhost closed by remote host. run #9: basic kernel testing failed: failed to copy test binary to VM: timedout ["scp" "-P" "40199" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/usr/local/google/home/dvyukov/syzkaller/ci-bisect2/jobs/linux/workdir/image/key" "/tmp/syz-executor279012709" "root@localhost:/syz-executor279012709"] Warning: Permanently added '[localhost]:40199' (ECDSA) to the list of known hosts. # git bisect bad ac0488ef59a54e42ad744ae1a91fafbcb2566a06 Bisecting: 250 revisions left to test after this (roughly 8 steps) [556c2cf4eff18bb7f41056796d2d37b48239278b] net: bcmgenet: remove meaningless lines testing commit 556c2cf4eff18bb7f41056796d2d37b48239278b with gcc (GCC) 5.5.0 all runs: crashed: WARNING: ODEBUG bug in del_timer # git bisect bad 556c2cf4eff18bb7f41056796d2d37b48239278b Bisecting: 125 revisions left to test after this (roughly 7 steps) [c0243892cbb0e48873d6132f673c830602808245] ipv4: fib: Move FIB notification code to a separate file testing commit c0243892cbb0e48873d6132f673c830602808245 with gcc (GCC) 5.5.0 run #0: crashed: WARNING: ODEBUG bug in del_timer run #1: crashed: WARNING: ODEBUG bug in del_timer run #2: crashed: WARNING: ODEBUG bug in del_timer run #3: crashed: WARNING: ODEBUG bug in del_timer run #4: crashed: WARNING: ODEBUG bug in del_timer run #5: crashed: WARNING: ODEBUG bug in del_timer run #6: basic kernel testing failed: failed to copy test binary to VM: timedout ["scp" "-P" "64479" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/usr/local/google/home/dvyukov/syzkaller/ci-bisect2/jobs/linux/workdir/image/key" "/tmp/syz-executor958776696" "root@localhost:/syz-executor958776696"] Warning: Permanently added '[localhost]:64479' (ECDSA) to the list of known hosts. Connection closed by 127.0.0.1 port 64479 run #7: basic kernel testing failed: failed to copy test binary to VM: timedout ["scp" "-P" "2105" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/usr/local/google/home/dvyukov/syzkaller/ci-bisect2/jobs/linux/workdir/image/key" "/tmp/syz-executor390140266" "root@localhost:/syz-executor390140266"] Warning: Permanently added '[localhost]:2105' (ECDSA) to the list of known hosts. Connection closed by 127.0.0.1 port 2105 run #8: basic kernel testing failed: failed to copy test binary to VM: timedout ["scp" "-P" "5297" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/usr/local/google/home/dvyukov/syzkaller/ci-bisect2/jobs/linux/workdir/image/key" "/tmp/syz-executor854013889" "root@localhost:/syz-executor854013889"] Warning: Permanently added '[localhost]:5297' (ECDSA) to the list of known hosts. Connection closed by 127.0.0.1 port 5297 run #9: basic kernel testing failed: failed to copy test binary to VM: timedout ["scp" "-P" "33741" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/usr/local/google/home/dvyukov/syzkaller/ci-bisect2/jobs/linux/workdir/image/key" "/tmp/syz-executor418308158" "root@localhost:/syz-executor418308158"] Warning: Permanently added '[localhost]:33741' (ECDSA) to the list of known hosts. # git bisect bad c0243892cbb0e48873d6132f673c830602808245 Bisecting: 62 revisions left to test after this (roughly 6 steps) [4e4a105f1fde326a5d1b0fbcbba8254c54a673e4] net: mvpp2: store physical address of buffer in rx_desc->buf_cookie testing commit 4e4a105f1fde326a5d1b0fbcbba8254c54a673e4 with gcc (GCC) 5.5.0 all runs: OK # git bisect good 4e4a105f1fde326a5d1b0fbcbba8254c54a673e4 Bisecting: 30 revisions left to test after this (roughly 5 steps) [9ff304bfaf58c119ef8ba3e20326edeed9983aef] nfp: add support for reporting CRC32 hash function testing commit 9ff304bfaf58c119ef8ba3e20326edeed9983aef with gcc (GCC) 5.5.0 all runs: OK # git bisect good 9ff304bfaf58c119ef8ba3e20326edeed9983aef Bisecting: 15 revisions left to test after this (roughly 4 steps) [9efd3831d5ae3babb45a37ae7d6b18642a0745de] net: ks8851: Added support for half-duplex SPI testing commit 9efd3831d5ae3babb45a37ae7d6b18642a0745de with gcc (GCC) 5.5.0 all runs: crashed: WARNING: ODEBUG bug in del_timer # git bisect bad 9efd3831d5ae3babb45a37ae7d6b18642a0745de Bisecting: 7 revisions left to test after this (roughly 3 steps) [5692dbb56e6012c0755614ee64fe4c221f357e7a] nfp: prevent theoretical buffer overrun in nfp_eth_read_ports testing commit 5692dbb56e6012c0755614ee64fe4c221f357e7a with gcc (GCC) 5.5.0 run #0: crashed: KASAN: use-after-free Write in ida_get_new_above run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 5692dbb56e6012c0755614ee64fe4c221f357e7a Bisecting: 3 revisions left to test after this (roughly 2 steps) [bef6b1b7a6ffaa9afc8776c5e09e4ea11ac1727e] nfp: reorder variables in nfp_net_tx() testing commit bef6b1b7a6ffaa9afc8776c5e09e4ea11ac1727e with gcc (GCC) 5.5.0 all runs: OK # git bisect good bef6b1b7a6ffaa9afc8776c5e09e4ea11ac1727e Bisecting: 1 revision left to test after this (roughly 1 step) [7de5f115e1fd8a6df7aa89078cb70700e725173d] nfp: avoid rearming the interrupts when in busy poll testing commit 7de5f115e1fd8a6df7aa89078cb70700e725173d with gcc (GCC) 5.5.0 all runs: OK # git bisect good 7de5f115e1fd8a6df7aa89078cb70700e725173d Bisecting: 0 revisions left to test after this (roughly 0 steps) [b9dcf88a47ebab2743a0c627a95126c4cb3e9883] nfp: add metadata format bit testing commit b9dcf88a47ebab2743a0c627a95126c4cb3e9883 with gcc (GCC) 5.5.0 all runs: OK # git bisect good b9dcf88a47ebab2743a0c627a95126c4cb3e9883 5692dbb56e6012c0755614ee64fe4c221f357e7a is the first bad commit commit 5692dbb56e6012c0755614ee64fe4c221f357e7a Author: Simon Horman Date: Wed Mar 8 08:57:08 2017 -0800 nfp: prevent theoretical buffer overrun in nfp_eth_read_ports Prevent theoretical buffer overrun by returning an error if the number of entries returned by the firmware does not match those present. Also use a common handling error path. Found by inspection. Signed-off-by: Simon Horman Tested-by: Jakub Kicinski Signed-off-by: David S. Miller .../ethernet/netronome/nfp/nfpcore/nfp_nsp_eth.c | 34 +++++++++++++--------- 1 file changed, 20 insertions(+), 14 deletions(-) revisions tested: 25, total time: 19h53m37.175626985s (build: 1h51m36.499669695s, test: 17h56m47.266170086s) first bad commit: 5692dbb56e6012c0755614ee64fe4c221f357e7a nfp: prevent theoretical buffer overrun in nfp_eth_read_ports cc: ["davem@davemloft.net" "jakub.kicinski@netronome.com" "linux-kernel@vger.kernel.org" "netdev@vger.kernel.org" "oss-drivers@netronome.com" "simon.horman@netronome.com"] crash: KASAN: use-after-free Write in ida_get_new_above IPVS: Creating netns size=2720 id=2 IPVS: ftp: loaded support on port[0] = 21 ================================================================== BUG: KASAN: use-after-free in ida_get_new_above+0x2eb/0x5d0 lib/idr.c:295 at addr ffff8800649956c0 Write of size 128 by task syz-executor2/5333 CPU: 1 PID: 5333 Comm: syz-executor2 Not tainted 4.10.0+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:16 [inline] dump_stack+0xe6/0x120 lib/dump_stack.c:52 kasan_object_err+0x1c/0x70 mm/kasan/report.c:162 print_address_description mm/kasan/report.c:200 [inline] kasan_report_error mm/kasan/report.c:289 [inline] kasan_report.part.2+0x1e1/0x4a0 mm/kasan/report.c:311 kasan_report+0x20/0x30 mm/kasan/report.c:298 check_memory_region_inline mm/kasan/kasan.c:319 [inline] check_memory_region+0x13d/0x1a0 mm/kasan/kasan.c:333 memset+0x23/0x40 mm/kasan/kasan.c:351 ida_get_new_above+0x2eb/0x5d0 lib/idr.c:295 ida_simple_get+0xd1/0x170 lib/idr.c:447 __kernfs_new_node+0x84/0x290 fs/kernfs/dir.c:633 kernfs_new_node+0x5e/0xe0 fs/kernfs/dir.c:661 __kernfs_create_file+0x2d/0x2c0 fs/kernfs/file.c:988 sysfs_add_file_mode_ns+0x1d0/0x4e0 fs/sysfs/file.c:305 sysfs_create_file_ns+0x6c/0xb0 fs/sysfs/file.c:332 sysfs_create_file include/linux/sysfs.h:494 [inline] populate_dir lib/kobject.c:58 [inline] create_dir lib/kobject.c:75 [inline] kobject_add_internal+0x4ef/0x980 lib/kobject.c:229 kobject_add_varg lib/kobject.c:366 [inline] kobject_init_and_add+0xc5/0x110 lib/kobject.c:438 netdev_queue_add_kobject net/core/net-sysfs.c:1335 [inline] netdev_queue_update_kobjects+0xd7/0x300 net/core/net-sysfs.c:1364 register_queue_kobjects net/core/net-sysfs.c:1406 [inline] netdev_register_kobject+0x258/0x3a0 net/core/net-sysfs.c:1608 register_netdevice+0x7c6/0xd60 net/core/dev.c:7296 __ip_tunnel_create+0x313/0x410 net/ipv4/ip_tunnel.c:281 ip_tunnel_init_net+0x1bd/0x430 net/ipv4/ip_tunnel.c:1017 ipgre_init_net+0x18/0x20 net/ipv4/ip_gre.c:766 ops_init+0x95/0x390 net/core/net_namespace.c:117 setup_net+0x21b/0x520 net/core/net_namespace.c:293 copy_net_ns+0x134/0x3b0 net/core/net_namespace.c:398 create_new_namespaces+0x354/0x660 kernel/nsproxy.c:106 unshare_nsproxy_namespaces+0x8a/0x190 kernel/nsproxy.c:205 SYSC_unshare kernel/fork.c:2306 [inline] SyS_unshare+0x308/0x6b0 kernel/fork.c:2256 entry_SYSCALL_64_fastpath+0x23/0xc6 RIP: 0033:0x4582a7 RSP: 002b:00007ffffc216438 EFLAGS: 00000206 ORIG_RAX: 0000000000000110 RAX: ffffffffffffffda RBX: 00007ffffc216440 RCX: 00000000004582a7 RDX: 0000000000000000 RSI: 00007ffffc216420 RDI: 0000000040000000 RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000018 R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 Object at ffff8800649956c0, in cache kmalloc-128 size: 128 Allocated: PID = 5333 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59 save_stack+0x46/0xd0 mm/kasan/kasan.c:513 set_track mm/kasan/kasan.c:525 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:616 kmem_cache_alloc_trace+0x142/0x800 mm/slab.c:3635 kmalloc include/linux/slab.h:490 [inline] ida_pre_get+0xa8/0xc0 lib/radix-tree.c:2129 proc_alloc_inum+0x9b/0x150 fs/proc/generic.c:197 proc_register+0x20/0x2a0 fs/proc/generic.c:338 proc_mkdir_data+0xe9/0x160 fs/proc/generic.c:441 proc_net_mkdir include/linux/proc_fs.h:84 [inline] nfs_fs_proc_net_init+0x161/0x340 fs/nfs/client.c:1294 nfs_net_init+0x15/0x20 fs/nfs/inode.c:2051 ops_init+0x95/0x390 net/core/net_namespace.c:117 setup_net+0x21b/0x520 net/core/net_namespace.c:293 copy_net_ns+0x134/0x3b0 net/core/net_namespace.c:398 create_new_namespaces+0x354/0x660 kernel/nsproxy.c:106 unshare_nsproxy_namespaces+0x8a/0x190 kernel/nsproxy.c:205 SYSC_unshare kernel/fork.c:2306 [inline] SyS_unshare+0x308/0x6b0 kernel/fork.c:2256 entry_SYSCALL_64_fastpath+0x23/0xc6 Freed: PID = 5334 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59 save_stack+0x46/0xd0 mm/kasan/kasan.c:513 set_track mm/kasan/kasan.c:525 [inline] kasan_slab_free+0x70/0xb0 mm/kasan/kasan.c:589 __cache_free mm/slab.c:3511 [inline] kfree+0xcf/0x2c0 mm/slab.c:3828 ida_pre_get+0x6f/0xc0 lib/radix-tree.c:2133 mnt_alloc_id fs/namespace.c:107 [inline] alloc_vfsmnt+0x49/0x720 fs/namespace.c:209 clone_mnt+0x6c/0xf00 fs/namespace.c:1019 copy_tree+0x322/0x8e0 fs/namespace.c:1803 copy_mnt_ns+0xdc/0xcb0 fs/namespace.c:2935 create_new_namespaces+0xc5/0x660 kernel/nsproxy.c:74 unshare_nsproxy_namespaces+0x8a/0x190 kernel/nsproxy.c:205 SYSC_unshare kernel/fork.c:2306 [inline] SyS_unshare+0x308/0x6b0 kernel/fork.c:2256 entry_SYSCALL_64_fastpath+0x23/0xc6 Memory state around the buggy address: ffff880064995580: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc ffff880064995600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff880064995680: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb ^ ffff880064995700: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff880064995780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ==================================================================