bisecting cause commit starting from 05a59d79793d482f628a31753c671f2e92178a21 building syzkaller on 764067f3e1106ab958069c12c978aac62592f5ef testing commit 05a59d79793d482f628a31753c671f2e92178a21 with gcc (GCC) 10.2.1 20210217 kernel signature: 121fcb66a73ac0ad57d56c478074555611785c354770ead8e663769e35d59998 run #0: crashed: KASAN: use-after-free Read in eth_header_parse_protocol run #1: crashed: KASAN: use-after-free Read in eth_header_parse_protocol run #2: crashed: KASAN: use-after-free Read in eth_header_parse_protocol run #3: crashed: KASAN: use-after-free Read in eth_header_parse_protocol run #4: crashed: KASAN: use-after-free Read in eth_header_parse_protocol run #5: crashed: KASAN: use-after-free Read in eth_header_parse_protocol run #6: crashed: KASAN: use-after-free Read in eth_header_parse_protocol run #7: crashed: KASAN: use-after-free Read in eth_header_parse_protocol run #8: crashed: KASAN: use-after-free Read in eth_header_parse_protocol run #9: crashed: KASAN: use-after-free Read in eth_header_parse_protocol run #10: crashed: KASAN: use-after-free Read in eth_header_parse_protocol run #11: crashed: KASAN: use-after-free Read in eth_header_parse_protocol run #12: crashed: KASAN: slab-out-of-bounds Read in eth_header_parse_protocol run #13: crashed: KASAN: use-after-free Read in eth_header_parse_protocol run #14: crashed: KASAN: use-after-free Read in eth_header_parse_protocol run #15: crashed: KASAN: use-after-free Read in eth_header_parse_protocol run #16: crashed: KASAN: use-after-free Read in eth_header_parse_protocol run #17: crashed: KASAN: use-after-free Read in eth_header_parse_protocol run #18: crashed: KASAN: use-after-free Read in eth_header_parse_protocol run #19: boot failed: WARNING in kvm_wait testing release v5.11 testing commit f40ddce88593482919761f74910f42f4b84c004b with gcc (GCC) 10.2.1 20210217 kernel signature: 3bfbab9f0a8303761ae0d95c8d56f283777f4c3e904a51928b2768ada02d137a all runs: OK # git bisect start 05a59d79793d482f628a31753c671f2e92178a21 f40ddce88593482919761f74910f42f4b84c004b Bisecting: 6325 revisions left to test after this (roughly 13 steps) [a864e8f159b13babf552aff14a5fbe11abc017e4] ALSA: hda: intel-nhlt: verify config type testing commit a864e8f159b13babf552aff14a5fbe11abc017e4 with gcc (GCC) 10.2.1 20210217 kernel signature: d303a944fd0423fa1af32e7ec2364dc4a40f359696cf49c2151ac412d46ab212 all runs: OK # git bisect good a864e8f159b13babf552aff14a5fbe11abc017e4 Bisecting: 3195 revisions left to test after this (roughly 12 steps) [3672ac8ac0d8bece188f82c48770bbe40f234f1e] Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma testing commit 3672ac8ac0d8bece188f82c48770bbe40f234f1e with gcc (GCC) 10.2.1 20210217 kernel signature: 45b4e5d982353dff55d5ab5b875148f98b9b2e5347733faee0979460001ab7cb all runs: OK # git bisect good 3672ac8ac0d8bece188f82c48770bbe40f234f1e Bisecting: 1595 revisions left to test after this (roughly 11 steps) [e229b429bb4af24d9828758c0c851bb6a4169400] Merge tag 'char-misc-5.12-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc testing commit e229b429bb4af24d9828758c0c851bb6a4169400 with gcc (GCC) 10.2.1 20210217 kernel signature: d13c1bd3aceddb1549714cc8542e6c85f6ceafa18339cf405e6e4add0342252c all runs: OK # git bisect good e229b429bb4af24d9828758c0c851bb6a4169400 Bisecting: 796 revisions left to test after this (roughly 10 steps) [8f47d753d4ecc6d3e306e22d885d6772625a3423] Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux testing commit 8f47d753d4ecc6d3e306e22d885d6772625a3423 with gcc (GCC) 10.2.1 20210217 kernel signature: 5fb8617852f1fb61a99fdac37a60142f3333b28bf174e9c64a382f12b007f0f1 run #0: boot failed: WARNING in kvm_wait run #1: boot failed: WARNING in kvm_wait run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect good 8f47d753d4ecc6d3e306e22d885d6772625a3423 Bisecting: 397 revisions left to test after this (roughly 9 steps) [3cb60ee6323968b694208c4cbd56a7176396e931] Merge tag 'tpmdd-next-v5.12-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd testing commit 3cb60ee6323968b694208c4cbd56a7176396e931 with gcc (GCC) 10.2.1 20210217 kernel signature: b3ad21327012548ded709a4ffe57d6053cf86f6b1c1b5cd6c4b0ab162ebc0139 run #0: boot failed: WARNING in kvm_wait run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect good 3cb60ee6323968b694208c4cbd56a7176396e931 Bisecting: 198 revisions left to test after this (roughly 8 steps) [987a08741d72c1f735e31bfe478dc2ac6be8fc7e] Merge git://git.kernel.org:/pub/scm/linux/kernel/git/davem/sparc testing commit 987a08741d72c1f735e31bfe478dc2ac6be8fc7e with gcc (GCC) 10.2.1 20210217 kernel signature: 21815152a8c3984b6246e664cc7820163f60324e3576dd2356ef2fca35c9a0a2 run #0: boot failed: WARNING in kvm_wait run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect good 987a08741d72c1f735e31bfe478dc2ac6be8fc7e Bisecting: 99 revisions left to test after this (roughly 7 steps) [e216674a5b5781694223ff3f0c4f2cc721a36ab0] Merge branch '10GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue testing commit e216674a5b5781694223ff3f0c4f2cc721a36ab0 with gcc (GCC) 10.2.1 20210217 kernel signature: 52e92f9d208de39b2de558a918257d6076de9f631cbd67c26422c31bb080a0a3 all runs: OK # git bisect good e216674a5b5781694223ff3f0c4f2cc721a36ab0 Bisecting: 45 revisions left to test after this (roughly 6 steps) [9270bbe258c8d1e22fadf4839e762ac937d1ec62] Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf testing commit 9270bbe258c8d1e22fadf4839e762ac937d1ec62 with gcc (GCC) 10.2.1 20210217 kernel signature: 7ab51eebc4f5858003c24ffc76c5784fb8a8c85c28cf09546a8bfbf8e008942d run #0: boot failed: WARNING in kvm_wait run #1: boot failed: WARNING in kvm_wait run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect good 9270bbe258c8d1e22fadf4839e762ac937d1ec62 Bisecting: 22 revisions left to test after this (roughly 5 steps) [b005c9ef5adaf1357b7faa977330eaae18647300] Merge branch 'virtio_net-infinite-loop' testing commit b005c9ef5adaf1357b7faa977330eaae18647300 with gcc (GCC) 10.2.1 20210217 kernel signature: 65e734fc83666757b67705fb6bab799a5f5e082a19272a863710cda2d86684f2 all runs: crashed: KASAN: use-after-free Read in eth_header_parse_protocol # git bisect bad b005c9ef5adaf1357b7faa977330eaae18647300 Bisecting: 11 revisions left to test after this (roughly 4 steps) [1b2395dfff5bb40228a187f21f577cd90673d344] net: enetc: set MAC RX FIFO to recommended value testing commit 1b2395dfff5bb40228a187f21f577cd90673d344 with gcc (GCC) 10.2.1 20210217 kernel signature: 91a6d8f6d76c53567f68086af4fafd17b75824a8d912fb079a76ccac4babc521 all runs: OK # git bisect good 1b2395dfff5bb40228a187f21f577cd90673d344 Bisecting: 5 revisions left to test after this (roughly 3 steps) [3153724fc084d8ef640c611f269ddfb576d1dcb1] atm: uPD98402: fix incorrect allocation testing commit 3153724fc084d8ef640c611f269ddfb576d1dcb1 with gcc (GCC) 10.2.1 20210217 kernel signature: 0c077f1adb13ba16a80a5933c70be36699e9334a61b84e8992dbfc9587f222ea all runs: OK # git bisect good 3153724fc084d8ef640c611f269ddfb576d1dcb1 Bisecting: 2 revisions left to test after this (roughly 2 steps) [286a8624d7f9c6505cd568d947772eb59646514b] net: dsa: xrs700x: check if partner is same as port in hsr join testing commit 286a8624d7f9c6505cd568d947772eb59646514b with gcc (GCC) 10.2.1 20210217 kernel signature: 0e2d518ad82797a328f695abfd2136894e4fbcbd45b5c3a943e08602b43d8e3e all runs: OK # git bisect good 286a8624d7f9c6505cd568d947772eb59646514b Bisecting: 0 revisions left to test after this (roughly 1 step) [d348ede32e99d3a04863e9f9b28d224456118c27] net: avoid infinite loop in mpls_gso_segment when mpls_hlen == 0 testing commit d348ede32e99d3a04863e9f9b28d224456118c27 with gcc (GCC) 10.2.1 20210217 kernel signature: 65e734fc83666757b67705fb6bab799a5f5e082a19272a863710cda2d86684f2 run #0: crashed: KASAN: use-after-free Read in eth_header_parse_protocol run #1: crashed: KASAN: use-after-free Read in eth_header_parse_protocol run #2: crashed: KASAN: use-after-free Read in eth_header_parse_protocol run #3: crashed: KASAN: use-after-free Read in eth_header_parse_protocol run #4: crashed: KASAN: use-after-free Read in eth_header_parse_protocol run #5: crashed: KASAN: use-after-free Read in eth_header_parse_protocol run #6: crashed: KASAN: use-after-free Read in eth_header_parse_protocol run #7: crashed: KASAN: slab-out-of-bounds Read in eth_header_parse_protocol run #8: crashed: KASAN: use-after-free Read in eth_header_parse_protocol run #9: crashed: KASAN: use-after-free Read in eth_header_parse_protocol # git bisect bad d348ede32e99d3a04863e9f9b28d224456118c27 Bisecting: 0 revisions left to test after this (roughly 0 steps) [924a9bc362a5223cd448ca08c3dde21235adc310] net: check if protocol extracted by virtio_net_hdr_set_proto is correct testing commit 924a9bc362a5223cd448ca08c3dde21235adc310 with gcc (GCC) 10.2.1 20210217 kernel signature: 235c416a26ccb1866b2457019277bcea5f85cfd2b7a97249e9f268e52e898f05 run #0: crashed: KASAN: use-after-free Read in eth_header_parse_protocol run #1: crashed: KASAN: slab-out-of-bounds Read in eth_header_parse_protocol run #2: crashed: KASAN: use-after-free Read in eth_header_parse_protocol run #3: crashed: KASAN: use-after-free Read in eth_header_parse_protocol run #4: crashed: KASAN: use-after-free Read in eth_header_parse_protocol run #5: crashed: KASAN: use-after-free Read in eth_header_parse_protocol run #6: crashed: KASAN: use-after-free Read in eth_header_parse_protocol run #7: crashed: KASAN: use-after-free Read in eth_header_parse_protocol run #8: crashed: KASAN: use-after-free Read in eth_header_parse_protocol run #9: crashed: KASAN: use-after-free Read in eth_header_parse_protocol # git bisect bad 924a9bc362a5223cd448ca08c3dde21235adc310 924a9bc362a5223cd448ca08c3dde21235adc310 is the first bad commit commit 924a9bc362a5223cd448ca08c3dde21235adc310 Author: Balazs Nemeth Date: Tue Mar 9 12:31:00 2021 +0100 net: check if protocol extracted by virtio_net_hdr_set_proto is correct For gso packets, virtio_net_hdr_set_proto sets the protocol (if it isn't set) based on the type in the virtio net hdr, but the skb could contain anything since it could come from packet_snd through a raw socket. If there is a mismatch between what virtio_net_hdr_set_proto sets and the actual protocol, then the skb could be handled incorrectly later on. An example where this poses an issue is with the subsequent call to skb_flow_dissect_flow_keys_basic which relies on skb->protocol being set correctly. A specially crafted packet could fool skb_flow_dissect_flow_keys_basic preventing EINVAL to be returned. Avoid blindly trusting the information provided by the virtio net header by checking that the protocol in the packet actually matches the protocol set by virtio_net_hdr_set_proto. Note that since the protocol is only checked if skb->dev implements header_ops->parse_protocol, packets from devices without the implementation are not checked at this stage. Fixes: 9274124f023b ("net: stricter validation of untrusted gso packets") Signed-off-by: Balazs Nemeth Acked-by: Willem de Bruijn Signed-off-by: David S. Miller include/linux/virtio_net.h | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) culprit signature: 235c416a26ccb1866b2457019277bcea5f85cfd2b7a97249e9f268e52e898f05 parent signature: 0e2d518ad82797a328f695abfd2136894e4fbcbd45b5c3a943e08602b43d8e3e revisions tested: 16, total time: 4h24m52.481690923s (build: 1h48m6.31449659s, test: 2h35m23.87909051s) first bad commit: 924a9bc362a5223cd448ca08c3dde21235adc310 net: check if protocol extracted by virtio_net_hdr_set_proto is correct recipients (to): ["bnemeth@redhat.com" "davem@davemloft.net" "willemb@google.com"] recipients (cc): [] crash: KASAN: use-after-free Read in eth_header_parse_protocol ================================================================== BUG: KASAN: use-after-free in eth_header_parse_protocol+0xd7/0xe0 net/ethernet/eth.c:282 Read of size 2 at addr ffff888012b9400b by task syz-executor.1/10088 CPU: 1 PID: 10088 Comm: syz-executor.1 Not tainted 5.11.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0xa5/0xe6 lib/dump_stack.c:120 print_address_description.constprop.0.cold+0x5b/0x2f8 mm/kasan/report.c:230 __kasan_report mm/kasan/report.c:397 [inline] kasan_report.cold+0x79/0xd5 mm/kasan/report.c:414 eth_header_parse_protocol+0xd7/0xe0 net/ethernet/eth.c:282 dev_parse_header_protocol include/linux/netdevice.h:3177 [inline] virtio_net_hdr_to_skb.constprop.0+0x857/0xb00 include/linux/virtio_net.h:83 packet_snd net/packet/af_packet.c:2994 [inline] packet_sendmsg+0x1d97/0x47c0 net/packet/af_packet.c:3031 sock_sendmsg_nosec net/socket.c:654 [inline] sock_sendmsg+0xab/0xe0 net/socket.c:674 sock_no_sendpage+0xe7/0x120 net/core/sock.c:2860 kernel_sendpage.part.0+0x11e/0x240 net/socket.c:3641 kernel_sendpage net/socket.c:3638 [inline] sock_sendpage+0xc7/0x1a0 net/socket.c:947 pipe_to_sendpage+0x245/0x410 fs/splice.c:364 splice_from_pipe_feed fs/splice.c:418 [inline] __splice_from_pipe+0x362/0x810 fs/splice.c:562 splice_from_pipe fs/splice.c:597 [inline] generic_splice_sendpage+0xba/0x120 fs/splice.c:746 do_splice_from fs/splice.c:767 [inline] do_splice+0x9ed/0x1b00 fs/splice.c:1079 __do_splice+0xf4/0x1b0 fs/splice.c:1144 __do_sys_splice fs/splice.c:1350 [inline] __se_sys_splice fs/splice.c:1332 [inline] __x64_sys_splice+0x14a/0x200 fs/splice.c:1332 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x465f69 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f6b8c852188 EFLAGS: 00000246 ORIG_RAX: 0000000000000113 RAX: ffffffffffffffda RBX: 000000000056c008 RCX: 0000000000465f69 RDX: 0000000000000006 RSI: 0000000000000000 RDI: 0000000000000004 RBP: 00000000004bfa3f R08: 000000000004ffe0 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056c008 R13: 00007ffe14b8adff R14: 00007f6b8c852300 R15: 0000000000022000 Allocated by task 9165: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 kasan_set_track mm/kasan/common.c:46 [inline] set_alloc_info mm/kasan/common.c:400 [inline] ____kasan_kmalloc.constprop.0+0x82/0xa0 mm/kasan/common.c:428 kasan_slab_alloc include/linux/kasan.h:208 [inline] slab_post_alloc_hook mm/slab.h:516 [inline] slab_alloc_node mm/slub.c:2895 [inline] slab_alloc mm/slub.c:2903 [inline] kmem_cache_alloc+0x1c6/0x440 mm/slub.c:2908 getname_kernel+0x49/0x330 fs/namei.c:218 kernel_execve+0x19/0x3e0 fs/exec.c:1936 call_usermodehelper_exec_async+0x2c1/0x500 kernel/umh.c:110 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294 Freed by task 9165: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 kasan_set_track+0x1c/0x30 mm/kasan/common.c:46 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:356 ____kasan_slab_free+0xe1/0x110 mm/kasan/common.c:361 kasan_slab_free include/linux/kasan.h:191 [inline] slab_free_hook mm/slub.c:1561 [inline] slab_free_freelist_hook+0x6b/0x160 mm/slub.c:1594 slab_free mm/slub.c:3146 [inline] kmem_cache_free+0x82/0x350 mm/slub.c:3162 kernel_execve+0x2d4/0x3e0 fs/exec.c:1977 call_usermodehelper_exec_async+0x2c1/0x500 kernel/umh.c:110 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294 The buggy address belongs to the object at ffff888012b93300 which belongs to the cache names_cache of size 4096 The buggy address is located 3339 bytes inside of 4096-byte region [ffff888012b93300, ffff888012b94300) The buggy address belongs to the page: page:000000005099a3bb refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12b90 head:000000005099a3bb order:3 compound_mapcount:0 compound_pincount:0 flags: 0xfff00000010200(slab|head) raw: 00fff00000010200 dead000000000100 dead000000000122 ffff88800f9c5140 raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888012b93f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888012b93f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff888012b94000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888012b94080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888012b94100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================