bisecting fixing commit since 7aa823a959e1f50c0dab9e01c1940235eccc04cc
building syzkaller on 442206d76b974cca2d83ec763d4cf5ee829eb7d6
testing commit 7aa823a959e1f50c0dab9e01c1940235eccc04cc with gcc (GCC) 8.1.0
kernel signature: 1dd618b8f8c01f5e9516dc304d8350ba49b9f3d3
run #0: crashed: KASAN: use-after-free Read in pneigh_get_next
run #1: crashed: KASAN: use-after-free Read in pneigh_get_next
run #2: crashed: KASAN: use-after-free Read in pneigh_get_next
run #3: crashed: KASAN: use-after-free Read in pneigh_get_next
run #4: crashed: KASAN: use-after-free Read in pneigh_get_next
run #5: crashed: KASAN: use-after-free Read in pneigh_get_next
run #6: crashed: KASAN: use-after-free Read in sprintf
run #7: crashed: KASAN: use-after-free Read in pneigh_get_next
run #8: crashed: KASAN: use-after-free Read in pneigh_get_next
run #9: crashed: KASAN: use-after-free Read in pneigh_get_next
testing current HEAD 312017a460d5ea31d646e7148e400e13db799ddc
testing commit 312017a460d5ea31d646e7148e400e13db799ddc with gcc (GCC) 8.1.0
kernel signature: 18847cc09dd847905cc5133954f79ccf7965e270
all runs: OK
# git bisect start 312017a460d5ea31d646e7148e400e13db799ddc 7aa823a959e1f50c0dab9e01c1940235eccc04cc
Bisecting: 2241 revisions left to test after this (roughly 11 steps)
[52132ff52cadb32edf063c1b4d8a7a6c00d85e4d] ocfs2: wait for recovering done after direct unlock request
testing commit 52132ff52cadb32edf063c1b4d8a7a6c00d85e4d with gcc (GCC) 8.1.0
kernel signature: 52b04f2e11b4487d4efba6d84639ae74d856c2b9
all runs: OK
# git bisect bad 52132ff52cadb32edf063c1b4d8a7a6c00d85e4d
Bisecting: 1120 revisions left to test after this (roughly 10 steps)
[c8b05980c4bf7abfe9a016c34f8bf3bb5396cbfb] net: phylink: Fix flow control for fixed-link
testing commit c8b05980c4bf7abfe9a016c34f8bf3bb5396cbfb with gcc (GCC) 8.1.0
kernel signature: 0e902d58db069b36878523d279934ee7ea7236ad
all runs: OK
# git bisect bad c8b05980c4bf7abfe9a016c34f8bf3bb5396cbfb
Bisecting: 560 revisions left to test after this (roughly 9 steps)
[add712b63185608ed961d8d58656164a89288d6f] media: ov7740: avoid invalid framesize setting
testing commit add712b63185608ed961d8d58656164a89288d6f with gcc (GCC) 8.1.0
kernel signature: 1f6fad59bcf1b3daf82e242095fc73c3afc808f8
all runs: OK
# git bisect bad add712b63185608ed961d8d58656164a89288d6f
Bisecting: 279 revisions left to test after this (roughly 8 steps)
[327460322c7c5ebfd9b3272d906e887f8a46ca94] x86/resctrl: Prevent possible overrun during bitmap operations
testing commit 327460322c7c5ebfd9b3272d906e887f8a46ca94 with gcc (GCC) 8.1.0
kernel signature: f7c6ff100a4f244b8c7abb4e85ebadbae679dbfb
all runs: OK
# git bisect bad 327460322c7c5ebfd9b3272d906e887f8a46ca94
Bisecting: 139 revisions left to test after this (roughly 7 steps)
[c7fb6b75def2c2a4bf2902006099ae586fcdb234] ocfs2: fix error path kobject memory leak
testing commit c7fb6b75def2c2a4bf2902006099ae586fcdb234 with gcc (GCC) 8.1.0
kernel signature: a8ab4b4283dee9d24d50e86bed07838fd4351331
all runs: OK
# git bisect bad c7fb6b75def2c2a4bf2902006099ae586fcdb234
Bisecting: 69 revisions left to test after this (roughly 6 steps)
[0fcd1432f8b0e040ee4007a874620b053c0dfae2] USB: serial: option: add Telit 0x1260 and 0x1261 compositions
testing commit 0fcd1432f8b0e040ee4007a874620b053c0dfae2 with gcc (GCC) 8.1.0
kernel signature: 1bd3dc58b5f7f53cd843d7249146a5cac5c20e0b
all runs: crashed: KASAN: use-after-free Read in pneigh_get_next
# git bisect good 0fcd1432f8b0e040ee4007a874620b053c0dfae2
Bisecting: 34 revisions left to test after this (roughly 5 steps)
[f3885eecd2530cb731ea7e13fbb19aa99d10c32b] usb: xhci: Fix a potential null pointer dereference in xhci_debugfs_create_endpoint()
testing commit f3885eecd2530cb731ea7e13fbb19aa99d10c32b with gcc (GCC) 8.1.0
kernel signature: 9c6f64854c69c92dd33dfb9dbac74549f3af5987
all runs: OK
# git bisect bad f3885eecd2530cb731ea7e13fbb19aa99d10c32b
Bisecting: 17 revisions left to test after this (roughly 4 steps)
[103835df6821a57edf1ec5e0b33b379fa37dd35f] neigh: fix use-after-free read in pneigh_get_next
testing commit 103835df6821a57edf1ec5e0b33b379fa37dd35f with gcc (GCC) 8.1.0
kernel signature: 2b6b79ed50599d8da129ea1a5c89e61c7035d605
all runs: OK
# git bisect bad 103835df6821a57edf1ec5e0b33b379fa37dd35f
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[29a6026624cde0a378ac4ebd2f697ee6d941adf9] drm/edid: abstract override/firmware EDID retrieval
testing commit 29a6026624cde0a378ac4ebd2f697ee6d941adf9 with gcc (GCC) 8.1.0
kernel signature: 29a281fb519f506cd01f6e5469f433bcd73684fd
run #0: crashed: KASAN: use-after-free Read in pneigh_get_next
run #1: crashed: KASAN: use-after-free Read in pneigh_get_next
run #2: crashed: KASAN: use-after-free Read in sprintf
run #3: crashed: KASAN: use-after-free Read in pneigh_get_next
run #4: crashed: KASAN: use-after-free Read in pneigh_get_next
run #5: crashed: KASAN: use-after-free Read in sprintf
run #6: crashed: KASAN: use-after-free Read in pneigh_get_next
run #7: crashed: KASAN: use-after-free Read in pneigh_get_next
run #8: crashed: KASAN: use-after-free Read in pneigh_get_next
run #9: crashed: KASAN: use-after-free Read in pneigh_get_next
# git bisect good 29a6026624cde0a378ac4ebd2f697ee6d941adf9
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[10faaa359b41797ef86373ca6028b2c9049686b9] ax25: fix inconsistent lock state in ax25_destroy_timer
testing commit 10faaa359b41797ef86373ca6028b2c9049686b9 with gcc (GCC) 8.1.0
kernel signature: 0cbacd280a4c4a74a4d7d6bea613449c89cde874
all runs: crashed: KASAN: use-after-free Read in pneigh_get_next
# git bisect good 10faaa359b41797ef86373ca6028b2c9049686b9
Bisecting: 2 revisions left to test after this (roughly 1 step)
[a5ae5920426e9166af78658bb3e2a12b9fbf53e4] hv_netvsc: Set probe mode to sync
testing commit a5ae5920426e9166af78658bb3e2a12b9fbf53e4 with gcc (GCC) 8.1.0
kernel signature: d79812a6a51d1e030a0afc8db539a270bb89bc6c
run #0: crashed: KASAN: use-after-free Read in sprintf
run #1: crashed: KASAN: use-after-free Read in pneigh_get_next
run #2: crashed: KASAN: use-after-free Read in pneigh_get_next
run #3: crashed: KASAN: use-after-free Read in pneigh_get_next
run #4: crashed: KASAN: use-after-free Read in pneigh_get_next
run #5: crashed: KASAN: use-after-free Read in pneigh_get_next
run #6: crashed: KASAN: use-after-free Read in pneigh_get_next
run #7: crashed: KASAN: use-after-free Read in pneigh_get_next
run #8: crashed: KASAN: use-after-free Read in pneigh_get_next
run #9: crashed: KASAN: use-after-free Read in pneigh_get_next
# git bisect good a5ae5920426e9166af78658bb3e2a12b9fbf53e4
Bisecting: 0 revisions left to test after this (roughly 1 step)
[2980196db6c1fc48196cad0525ab27ece4e8d1ed] lapb: fixed leak of control-blocks.
testing commit 2980196db6c1fc48196cad0525ab27ece4e8d1ed with gcc (GCC) 8.1.0
kernel signature: ce3ea216a6c603cf243e5c723ec95de41246ab61
run #0: crashed: KASAN: use-after-free Read in sprintf
run #1: crashed: KASAN: use-after-free Read in pneigh_get_next
run #2: crashed: KASAN: use-after-free Read in sprintf
run #3: crashed: KASAN: use-after-free Read in pneigh_get_next
run #4: crashed: KASAN: use-after-free Read in pneigh_get_next
run #5: crashed: KASAN: use-after-free Read in pneigh_get_next
run #6: crashed: KASAN: use-after-free Read in pneigh_get_next
run #7: crashed: KASAN: use-after-free Read in pneigh_get_next
run #8: crashed: KASAN: use-after-free Read in pneigh_get_next
run #9: crashed: KASAN: use-after-free Read in pneigh_get_next
# git bisect good 2980196db6c1fc48196cad0525ab27ece4e8d1ed
103835df6821a57edf1ec5e0b33b379fa37dd35f is the first bad commit
commit 103835df6821a57edf1ec5e0b33b379fa37dd35f
Author: Eric Dumazet
Date:   Sat Jun 15 16:28:48 2019 -0700

    neigh: fix use-after-free read in pneigh_get_next

    [ Upstream commit f3e92cb8e2eb8c27d109e6fd73d3a69a8c09e288 ]

    Nine years ago, I added RCU handling to neighbours, not pneighbours.
    (pneigh are not commonly used)

    Unfortunately I missed that /proc dump operations would use a
    common entry and exit point : neigh_seq_start() and neigh_seq_stop()

    We need to read_lock(tbl->lock) or risk use-after-free while
    iterating the pneigh structures.

    We might later convert pneigh to RCU and revert this patch.

    syzbot reported:

    BUG: KASAN: use-after-free in pneigh_get_next.isra.0+0x24b/0x280 net/core/neighbour.c:3158
    Read of size 8 at addr ffff888097f2a700 by task syz-executor.0/9825

    CPU: 1 PID: 9825 Comm: syz-executor.0 Not tainted 5.2.0-rc4+ #32
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    Call Trace:
     __dump_stack lib/dump_stack.c:77 [inline]
     dump_stack+0x172/0x1f0 lib/dump_stack.c:113
     print_address_description.cold+0x7c/0x20d mm/kasan/report.c:188
     __kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
     kasan_report+0x12/0x20 mm/kasan/common.c:614
     __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
     pneigh_get_next.isra.0+0x24b/0x280 net/core/neighbour.c:3158
     neigh_seq_next+0xdb/0x210 net/core/neighbour.c:3240
     seq_read+0x9cf/0x1110 fs/seq_file.c:258
     proc_reg_read+0x1fc/0x2c0 fs/proc/inode.c:221
     do_loop_readv_writev fs/read_write.c:714 [inline]
     do_loop_readv_writev fs/read_write.c:701 [inline]
     do_iter_read+0x4a4/0x660 fs/read_write.c:935
     vfs_readv+0xf0/0x160 fs/read_write.c:997
     kernel_readv fs/splice.c:359 [inline]
     default_file_splice_read+0x475/0x890 fs/splice.c:414
     do_splice_to+0x127/0x180 fs/splice.c:877
     splice_direct_to_actor+0x2d2/0x970 fs/splice.c:954
     do_splice_direct+0x1da/0x2a0 fs/splice.c:1063
     do_sendfile+0x597/0xd00 fs/read_write.c:1464
     __do_sys_sendfile64 fs/read_write.c:1525 [inline]
     __se_sys_sendfile64 fs/read_write.c:1511 [inline]
     __x64_sys_sendfile64+0x1dd/0x220 fs/read_write.c:1511
     do_syscall_64+0xfd/0x680 arch/x86/entry/common.c:301
     entry_SYSCALL_64_after_hwframe+0x49/0xbe
    RIP: 0033:0x4592c9
    Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
    RSP: 002b:00007f4aab51dc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
    RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00000000004592c9
    RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000005
    RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
    R10: 0000000080000000 R11: 0000000000000246 R12: 00007f4aab51e6d4
    R13: 00000000004c689d R14: 00000000004db828 R15: 00000000ffffffff

    Allocated by task 9827:
     save_stack+0x23/0x90 mm/kasan/common.c:71
     set_track mm/kasan/common.c:79 [inline]
     __kasan_kmalloc mm/kasan/common.c:489 [inline]
     __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:462
     kasan_kmalloc+0x9/0x10 mm/kasan/common.c:503
     __do_kmalloc mm/slab.c:3660 [inline]
     __kmalloc+0x15c/0x740 mm/slab.c:3669
     kmalloc include/linux/slab.h:552 [inline]
     pneigh_lookup+0x19c/0x4a0 net/core/neighbour.c:731
     arp_req_set_public net/ipv4/arp.c:1010 [inline]
     arp_req_set+0x613/0x720 net/ipv4/arp.c:1026
     arp_ioctl+0x652/0x7f0 net/ipv4/arp.c:1226
     inet_ioctl+0x2a0/0x340 net/ipv4/af_inet.c:926
     sock_do_ioctl+0xd8/0x2f0 net/socket.c:1043
     sock_ioctl+0x3ed/0x780 net/socket.c:1194
     vfs_ioctl fs/ioctl.c:46 [inline]
     file_ioctl fs/ioctl.c:509 [inline]
     do_vfs_ioctl+0xd5f/0x1380 fs/ioctl.c:696
     ksys_ioctl+0xab/0xd0 fs/ioctl.c:713
     __do_sys_ioctl fs/ioctl.c:720 [inline]
     __se_sys_ioctl fs/ioctl.c:718 [inline]
     __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
     do_syscall_64+0xfd/0x680 arch/x86/entry/common.c:301
     entry_SYSCALL_64_after_hwframe+0x49/0xbe

    Freed by task 9824:
     save_stack+0x23/0x90 mm/kasan/common.c:71
     set_track mm/kasan/common.c:79 [inline]
     __kasan_slab_free+0x102/0x150 mm/kasan/common.c:451
     kasan_slab_free+0xe/0x10 mm/kasan/common.c:459
     __cache_free mm/slab.c:3432 [inline]
     kfree+0xcf/0x220 mm/slab.c:3755
     pneigh_ifdown_and_unlock net/core/neighbour.c:812 [inline]
     __neigh_ifdown+0x236/0x2f0 net/core/neighbour.c:356
     neigh_ifdown+0x20/0x30 net/core/neighbour.c:372
     arp_ifdown+0x1d/0x21 net/ipv4/arp.c:1274
     inetdev_destroy net/ipv4/devinet.c:319 [inline]
     inetdev_event+0xa14/0x11f0 net/ipv4/devinet.c:1544
     notifier_call_chain+0xc2/0x230 kernel/notifier.c:95
     __raw_notifier_call_chain kernel/notifier.c:396 [inline]
     raw_notifier_call_chain+0x2e/0x40 kernel/notifier.c:403
     call_netdevice_notifiers_info+0x3f/0x90 net/core/dev.c:1749
     call_netdevice_notifiers_extack net/core/dev.c:1761 [inline]
     call_netdevice_notifiers net/core/dev.c:1775 [inline]
     rollback_registered_many+0x9b9/0xfc0 net/core/dev.c:8178
     rollback_registered+0x109/0x1d0 net/core/dev.c:8220
     unregister_netdevice_queue net/core/dev.c:9267 [inline]
     unregister_netdevice_queue+0x1ee/0x2c0 net/core/dev.c:9260
     unregister_netdevice include/linux/netdevice.h:2631 [inline]
     __tun_detach+0xd8a/0x1040 drivers/net/tun.c:724
     tun_detach drivers/net/tun.c:741 [inline]
     tun_chr_close+0xe0/0x180 drivers/net/tun.c:3451
     __fput+0x2ff/0x890 fs/file_table.c:280
     ____fput+0x16/0x20 fs/file_table.c:313
     task_work_run+0x145/0x1c0 kernel/task_work.c:113
     tracehook_notify_resume include/linux/tracehook.h:185 [inline]
     exit_to_usermode_loop+0x273/0x2c0 arch/x86/entry/common.c:168
     prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
     syscall_return_slowpath arch/x86/entry/common.c:279 [inline]
     do_syscall_64+0x58e/0x680 arch/x86/entry/common.c:304
     entry_SYSCALL_64_after_hwframe+0x49/0xbe

    The buggy address belongs to the object at ffff888097f2a700
     which belongs to the cache kmalloc-64 of size 64
    The buggy address is located 0 bytes inside of
     64-byte region [ffff888097f2a700, ffff888097f2a740)
    The buggy address belongs to the page:
    page:ffffea00025fca80 refcount:1 mapcount:0 mapping:ffff8880aa400340 index:0x0
    flags: 0x1fffc0000000200(slab)
    raw: 01fffc0000000200 ffffea000250d548 ffffea00025726c8 ffff8880aa400340
    raw: 0000000000000000 ffff888097f2a000 0000000100000020 0000000000000000
    page dumped because: kasan: bad access detected

    Memory state around the buggy address:
     ffff888097f2a600: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
     ffff888097f2a680: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
    >ffff888097f2a700: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
                       ^
     ffff888097f2a780: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
     ffff888097f2a800: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc

    Fixes: 767e97e1e0db ("neigh: RCU conversion of struct neighbour")
    Signed-off-by: Eric Dumazet
    Reported-by: syzbot
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

 net/core/neighbour.c | 7 +++++++
 1 file changed, 7 insertions(+)

culprit signature: 2b6b79ed50599d8da129ea1a5c89e61c7035d605
parent signature: ce3ea216a6c603cf243e5c723ec95de41246ab61
revisions tested: 14, total time: 4h5m12.387643969s (build: 1h59m43.626171347s, test: 2h4m4.930844101s)
first good commit: 103835df6821a57edf1ec5e0b33b379fa37dd35f neigh: fix use-after-free read in pneigh_get_next
cc: ["davem@davemloft.net" "edumazet@google.com" "gregkh@linuxfoundation.org"]
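The commit message above describes the race in words: the /proc dump walks the pneigh list between neigh_seq_start() and neigh_seq_stop() without holding tbl->lock, while pneigh_ifdown_and_unlock() on another CPU frees the entries as a tun device is torn down. The following is an added userspace model of that ordering, written for this page; it is not kernel code and not the patch. The table, the entries, the lock and the "ifdown" event are all constructed and simulated, nothing is really freed (a poison marker stands in for kfree() and KASAN's freed-object state), and a real rwlock would block the writer rather than defer it as the model does. The names pneigh_dump, pneigh_ifdown, pneigh_setup, run_scenario and the marker values are assumptions of the example.

```c
/* Constructed model of the pneigh_get_next race: not kernel code, not the patch.
 * Reader: pneigh_dump() models neigh_seq_start/pneigh_get_next/neigh_seq_stop.
 * Writer: pneigh_ifdown() models pneigh_ifdown_and_unlock() on device teardown.
 * The fix being modelled: hold tbl->lock for reading across the whole dump. */
#include <stdio.h>
#include <string.h>

#define MARK_ALIVE 0x70616e65u   /* marker kept in a live entry */
#define MARK_DEAD  0xdeadbeefu   /* poison written on "free" (KASAN's fb bytes) */

struct pneigh_entry {
    struct pneigh_entry *next;
    unsigned int marker;
    char key[16];
};

struct pneigh_table {
    struct pneigh_entry *head;
    int read_locked;      /* 1 while a dump holds the (modelled) tbl->lock */
    int ifdown_pending;   /* writer arrived while a reader held the lock */
};

/* Link n static entries into a fresh table; no malloc, so no real UAF. */
static void pneigh_setup(struct pneigh_table *tbl, struct pneigh_entry *ents, int n)
{
    memset(tbl, 0, sizeof *tbl);
    for (int i = n - 1; i >= 0; i--) {
        snprintf(ents[i].key, sizeof ents[i].key, "10.0.0.%d", i + 1);
        ents[i].marker = MARK_ALIVE;
        ents[i].next = tbl->head;
        tbl->head = &ents[i];
    }
}

/* Writer side. Needs the table lock for writing; a real rwlock would block
 * while a reader holds it, the model records the request and replays it at
 * unlock time, which yields the same ordering. Without a reader lock it runs
 * immediately, i.e. in the middle of the dump. */
static void pneigh_ifdown(struct pneigh_table *tbl)
{
    if (tbl->read_locked) {
        tbl->ifdown_pending = 1;
        return;
    }
    for (struct pneigh_entry *n = tbl->head; n; ) {
        struct pneigh_entry *next = n->next;
        n->marker = MARK_DEAD;                 /* stands in for kfree(n) */
        n = next;
    }
    tbl->head = NULL;
}

/* Reader side. With `locked` the lock is taken in "start" and dropped in
 * "stop", as the fix does with read_lock_bh()/read_unlock_bh(). The ifdown
 * event fires just before entry index `ifdown_at` is read (the concurrent
 * tun close). Returns entries dumped, or -1 if a freed entry was read. */
static int pneigh_dump(struct pneigh_table *tbl, int locked, int ifdown_at,
                       char out[][16], int max)
{
    int count = 0, dangling = 0;

    if (locked)                                /* neigh_seq_start() */
        tbl->read_locked = 1;

    struct pneigh_entry *n = tbl->head;
    for (int i = 0; n && count < max; i++) {
        if (i == ifdown_at)
            pneigh_ifdown(tbl);                /* "other CPU" tears the list down */
        if (n->marker != MARK_ALIVE) {         /* the use-after-free read */
            dangling = 1;
            break;
        }
        snprintf(out[count++], 16, "%s", n->key);
        n = n->next;                           /* pneigh_get_next() */
    }

    if (locked) {                              /* neigh_seq_stop() */
        tbl->read_locked = 0;
        if (tbl->ifdown_pending) {
            tbl->ifdown_pending = 0;
            pneigh_ifdown(tbl);                /* writer proceeds only now */
        }
    }
    return dangling ? -1 : count;
}

struct outcome {
    int dumped;        /* entries dumped, or -1 on a dangling read */
    int table_empty;   /* the ifdown did complete by the end of the scenario */
};

/* One dump of a fresh 3-entry table with ifdown landing after the first entry. */
static struct outcome run_scenario(int locked)
{
    static struct pneigh_entry ents[3];
    struct pneigh_table tbl;
    char out[3][16];
    struct outcome o;

    pneigh_setup(&tbl, ents, 3);
    o.dumped = pneigh_dump(&tbl, locked, 1, out, 3);
    o.table_empty = (tbl.head == NULL);
    return o;
}

int main(void)
{
    struct outcome before = run_scenario(0), after = run_scenario(1);
    printf("unlocked dump: %d (-1 = read a freed entry), table empty: %d\n",
           before.dumped, before.table_empty);
    printf("locked dump:   %d entries, table empty: %d\n", after.dumped, after.table_empty);
    return 0;
}
```

The unlocked scenario reproduces the shape of the report: the iterator already holds a pointer to the next pneigh entry when the teardown runs, so its next dereference hits freed memory. The locked scenario dumps all entries and the teardown still completes, just after neigh_seq_stop(), which is exactly the ordering the seven added lines in net/core/neighbour.c enforce.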