bisecting cause commit starting from 36f18439ea16ebb670720602bfbf47c95a6691d4 building syzkaller on 5457ef3463862267bd1911708fbc661bd05e3a79 testing commit 36f18439ea16ebb670720602bfbf47c95a6691d4 with gcc (GCC) 8.1.0 run #0: crashed: KASAN: use-after-free Read in napi_gro_frags run #1: crashed: KASAN: use-after-free Read in napi_gro_frags run #2: crashed: KASAN: out-of-bounds Read in napi_gro_frags run #3: crashed: KASAN: use-after-free Read in napi_gro_frags run #4: crashed: KASAN: use-after-free Read in napi_gro_frags run #5: crashed: KASAN: slab-out-of-bounds Read in napi_gro_frags run #6: crashed: KASAN: use-after-free Read in napi_gro_frags run #7: crashed: KASAN: use-after-free Read in napi_gro_frags run #8: crashed: KASAN: use-after-free Read in napi_gro_frags run #9: crashed: KASAN: use-after-free Read in napi_gro_frags testing release v5.1 testing commit e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd with gcc (GCC) 8.1.0 run #0: crashed: KASAN: out-of-bounds Read in napi_gro_frags run #1: crashed: KASAN: use-after-free Read in napi_gro_frags run #2: crashed: KASAN: out-of-bounds Read in napi_gro_frags run #3: crashed: KASAN: use-after-free Read in napi_gro_frags run #4: crashed: KASAN: use-after-free Read in napi_gro_frags run #5: crashed: KASAN: use-after-free Read in napi_gro_frags run #6: crashed: KASAN: use-after-free Read in napi_gro_frags run #7: crashed: KASAN: use-after-free Read in napi_gro_frags run #8: crashed: KASAN: out-of-bounds Read in napi_gro_frags run #9: crashed: KASAN: slab-out-of-bounds Read in napi_gro_frags testing release v5.0 testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783 with gcc (GCC) 8.1.0 all runs: crashed: KASAN: use-after-free Read in napi_gro_frags testing release v4.20 testing commit 8fe28cb58bcb235034b64cbbb7550a8a43fd88be with gcc (GCC) 8.1.0 all runs: OK # git bisect start v5.0 v4.20 Bisecting: 7011 revisions left to test after this (roughly 13 steps) [af7ddd8a627c62a835524b3f5b471edbbbcce025] Merge tag 'dma-mapping-4.21' of git://git.infradead.org/users/hch/dma-mapping testing commit af7ddd8a627c62a835524b3f5b471edbbbcce025 with gcc (GCC) 8.1.0 run #0: crashed: KASAN: use-after-free Read in napi_gro_frags run #1: crashed: KASAN: use-after-free Read in napi_gro_frags run #2: crashed: KASAN: use-after-free Read in napi_gro_frags run #3: crashed: KASAN: use-after-free Read in napi_gro_frags run #4: crashed: KASAN: use-after-free Read in napi_gro_frags run #5: crashed: KASAN: out-of-bounds Read in napi_gro_frags run #6: crashed: KASAN: use-after-free Read in napi_gro_frags run #7: crashed: KASAN: use-after-free Read in napi_gro_frags run #8: crashed: KASAN: use-after-free Read in napi_gro_frags run #9: crashed: KASAN: use-after-free Read in napi_gro_frags # git bisect bad af7ddd8a627c62a835524b3f5b471edbbbcce025 Bisecting: 3448 revisions left to test after this (roughly 12 steps) [792bf4d871dea8b69be2aaabdd320d7c6ed15985] Merge branch 'core-rcu-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip testing commit 792bf4d871dea8b69be2aaabdd320d7c6ed15985 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 792bf4d871dea8b69be2aaabdd320d7c6ed15985 Bisecting: 1729 revisions left to test after this (roughly 11 steps) [aa9d6e0f33aea8a1879e7e53fe0e436943f9ce0c] linux/netlink.h: drop unnecessary extern prefix testing commit aa9d6e0f33aea8a1879e7e53fe0e436943f9ce0c with gcc (GCC) 8.1.0 run #0: crashed: KASAN: use-after-free Read in napi_gro_frags run #1: crashed: KASAN: use-after-free Read in napi_gro_frags run #2: crashed: KASAN: use-after-free Read in napi_gro_frags run #3: crashed: KASAN: use-after-free Read in napi_gro_frags run #4: crashed: KASAN: out-of-bounds Read in napi_gro_frags run #5: crashed: KASAN: use-after-free Read in napi_gro_frags run #6: crashed: KASAN: use-after-free Read in napi_gro_frags run #7: crashed: KASAN: use-after-free Read in napi_gro_frags run #8: crashed: KASAN: out-of-bounds Read in napi_gro_frags run #9: crashed: KASAN: out-of-bounds Read in napi_gro_frags # git bisect bad aa9d6e0f33aea8a1879e7e53fe0e436943f9ce0c Bisecting: 858 revisions left to test after this (roughly 10 steps) [2a95471c3397734ba6869ca3fa084490fb35b40b] Merge branch 'prog_test_run-improvement' testing commit 2a95471c3397734ba6869ca3fa084490fb35b40b with gcc (GCC) 8.1.0 run #0: crashed: KASAN: use-after-free Read in napi_gro_frags run #1: crashed: KASAN: out-of-bounds Read in napi_gro_frags run #2: crashed: KASAN: use-after-free Read in napi_gro_frags run #3: crashed: KASAN: use-after-free Read in napi_gro_frags run #4: crashed: KASAN: slab-out-of-bounds Read in napi_gro_frags run #5: crashed: KASAN: use-after-free Read in napi_gro_frags run #6: crashed: KASAN: use-after-free Read in napi_gro_frags run #7: crashed: KASAN: slab-out-of-bounds Read in napi_gro_frags run #8: crashed: KASAN: use-after-free Read in napi_gro_frags run #9: crashed: KASAN: use-after-free Read in napi_gro_frags # git bisect bad 2a95471c3397734ba6869ca3fa084490fb35b40b Bisecting: 429 revisions left to test after this (roughly 9 steps) [480ba9c18a27ff77b02a2012e50dfd3e20ee9f7a] sctp: add sockopt SCTP_EVENT testing commit 480ba9c18a27ff77b02a2012e50dfd3e20ee9f7a with gcc (GCC) 8.1.0 all runs: crashed: KASAN: use-after-free Read in napi_gro_frags # git bisect bad 480ba9c18a27ff77b02a2012e50dfd3e20ee9f7a Bisecting: 214 revisions left to test after this (roughly 8 steps) [d1ce01144e75c82bc3c036863f57ac3029354429] Merge branch 'PHYID-matching-macros' testing commit d1ce01144e75c82bc3c036863f57ac3029354429 with gcc (GCC) 8.1.0 all runs: OK # git bisect good d1ce01144e75c82bc3c036863f57ac3029354429 Bisecting: 101 revisions left to test after this (roughly 7 steps) [7e18750cda3d0df7c35ed1a60612229f36b957e8] Merge branch '40GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/jkirsher/next-queue testing commit 7e18750cda3d0df7c35ed1a60612229f36b957e8 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 7e18750cda3d0df7c35ed1a60612229f36b957e8 Bisecting: 50 revisions left to test after this (roughly 6 steps) [4777be08b8aab41286efdf5362a02f8e26d1a84e] net: sched: gred: use extack to provide more details on configuration errors testing commit 4777be08b8aab41286efdf5362a02f8e26d1a84e with gcc (GCC) 8.1.0 all runs: OK # git bisect good 4777be08b8aab41286efdf5362a02f8e26d1a84e Bisecting: 25 revisions left to test after this (roughly 5 steps) [a0b4371751bf836fb438877c981bda733f918988] net: hns3: Support two vlan header when setting mtu testing commit a0b4371751bf836fb438877c981bda733f918988 with gcc (GCC) 8.1.0 all runs: OK # git bisect good a0b4371751bf836fb438877c981bda733f918988 Bisecting: 12 revisions left to test after this (roughly 4 steps) [fdc13a9effd5359ae00705708c8c846b1cb2b69c] dt-bindings: net: phy: add bindings for the IC Plus Corp. IP101A/G PHYs testing commit fdc13a9effd5359ae00705708c8c846b1cb2b69c with gcc (GCC) 8.1.0 all runs: OK # git bisect good fdc13a9effd5359ae00705708c8c846b1cb2b69c Bisecting: 6 revisions left to test after this (roughly 3 steps) [05b0e1d6980f9d76a6e5c6184854141bc26c2b13] Merge branch 'IP101GR-devicetree-based-configuration-of-SEL_INTR32' testing commit 05b0e1d6980f9d76a6e5c6184854141bc26c2b13 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 05b0e1d6980f9d76a6e5c6184854141bc26c2b13 Bisecting: 3 revisions left to test after this (roughly 2 steps) [f2be6d710d25be7d8d13f49f713d69dea9c71d57] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net testing commit f2be6d710d25be7d8d13f49f713d69dea9c71d57 with gcc (GCC) 8.1.0 all runs: crashed: KASAN: use-after-free Read in napi_gro_frags # git bisect bad f2be6d710d25be7d8d13f49f713d69dea9c71d57 Bisecting: 0 revisions left to test after this (roughly 1 step) [bae4e109837b419b93fbddcb414c86673b1c90a5] mlxsw: spectrum: Expose discard counters via ethtool testing commit bae4e109837b419b93fbddcb414c86673b1c90a5 with gcc (GCC) 8.1.0 run #0: crashed: KASAN: use-after-free Read in napi_gro_frags run #1: crashed: KASAN: use-after-free Read in napi_gro_frags run #2: crashed: KASAN: use-after-free Read in napi_gro_frags run #3: crashed: KASAN: use-after-free Read in napi_gro_frags run #4: crashed: KASAN: use-after-free Read in napi_gro_frags run #5: crashed: KASAN: use-after-free Read in napi_gro_frags run #6: crashed: KASAN: use-after-free Read in napi_gro_frags run #7: crashed: KASAN: slab-out-of-bounds Read in napi_gro_frags run #8: crashed: KASAN: use-after-free Read in napi_gro_frags run #9: crashed: KASAN: out-of-bounds Read in napi_gro_frags # git bisect bad bae4e109837b419b93fbddcb414c86673b1c90a5 Bisecting: 0 revisions left to test after this (roughly 0 steps) [aa6daacaa113cda96760c8d3157bae937908f6e3] tun: use netdev_alloc_frag() in tun_napi_alloc_frags() testing commit aa6daacaa113cda96760c8d3157bae937908f6e3 with gcc (GCC) 8.1.0 run #0: crashed: KASAN: out-of-bounds Read in napi_gro_frags run #1: crashed: KASAN: use-after-free Read in napi_gro_frags run #2: crashed: KASAN: use-after-free Read in napi_gro_frags run #3: crashed: KASAN: use-after-free Read in napi_gro_frags run #4: crashed: KASAN: out-of-bounds Read in napi_gro_frags run #5: crashed: KASAN: use-after-free Read in napi_gro_frags run #6: crashed: KASAN: use-after-free Read in napi_gro_frags run #7: crashed: KASAN: use-after-free Read in napi_gro_frags run #8: crashed: KASAN: out-of-bounds Read in napi_gro_frags run #9: crashed: KASAN: out-of-bounds Read in napi_gro_frags # git bisect bad aa6daacaa113cda96760c8d3157bae937908f6e3 aa6daacaa113cda96760c8d3157bae937908f6e3 is the first bad commit commit aa6daacaa113cda96760c8d3157bae937908f6e3 Author: Eric Dumazet Date: Sun Nov 18 07:37:33 2018 -0800 tun: use netdev_alloc_frag() in tun_napi_alloc_frags() In order to cook skbs in the same way than Ethernet drivers, it is probably better to not use GFP_KERNEL, but rather use the GFP_ATOMIC and PFMEMALLOC mechanisms provided by netdev_alloc_frag(). This would allow to use tun driver even in memory stress situations, especially if swap is used over this tun channel. Fixes: 90e33d459407 ("tun: enable napi_gro_frags() for TUN/TAP driver") Signed-off-by: Eric Dumazet Cc: Petar Penkov Cc: Mahesh Bandewar Cc: Willem de Bruijn Signed-off-by: David S. Miller :040000 040000 831a03ff9191b1feb70ca7c5ac1eef459b44af2b 8dbd7303f7966b3da04d0e367a75803f3da178b0 M drivers revisions tested: 18, total time: 4h56m21.782033269s (build: 2h25m2.26101069s, test: 2h23m5.041606682s) first bad commit: aa6daacaa113cda96760c8d3157bae937908f6e3 tun: use netdev_alloc_frag() in tun_napi_alloc_frags() cc: ["davem@davemloft.net" "edumazet@google.com" "maheshb@google.com" "peterpenkov96@gmail.com" "willemb@google.com"] crash: KASAN: out-of-bounds Read in napi_gro_frags IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready 8021q: adding VLAN 0 to HW filter on device batadv0 IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready 8021q: adding VLAN 0 to HW filter on device batadv0 ================================================================== BUG: KASAN: out-of-bounds in napi_frags_skb net/core/dev.c:5758 [inline] BUG: KASAN: out-of-bounds in napi_gro_frags+0x880/0x940 net/core/dev.c:5765 Read of size 2 at addr ffff888094e485d6 by task syz-executor.2/7151 CPU: 0 PID: 7151 Comm: syz-executor.2 Not tainted 4.20.0-rc2+ #1 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x16b/0x224 lib/dump_stack.c:113 print_address_description.cold.7+0x9/0x1ff mm/kasan/report.c:256 kasan_report_error mm/kasan/report.c:354 [inline] kasan_report.cold.8+0x242/0x309 mm/kasan/report.c:412 __asan_report_load_n_noabort+0xf/0x20 mm/kasan/report.c:443 napi_frags_skb net/core/dev.c:5758 [inline] napi_gro_frags+0x880/0x940 net/core/dev.c:5765 tun_get_user+0x2208/0x3460 drivers/net/tun.c:1952 tun_chr_write_iter+0xaf/0x150 drivers/net/tun.c:1997 call_write_iter include/linux/fs.h:1857 [inline] do_iter_readv_writev+0x4ae/0x960 fs/read_write.c:680 do_iter_write+0x12a/0x510 fs/read_write.c:959 vfs_writev+0x16f/0x2d0 fs/read_write.c:1004 do_writev+0xda/0x260 fs/read_write.c:1039 __do_sys_writev fs/read_write.c:1112 [inline] __se_sys_writev fs/read_write.c:1109 [inline] __x64_sys_writev+0x70/0xb0 fs/read_write.c:1109 do_syscall_64+0xd0/0x4d0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x459131 Code: 75 14 b8 14 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 34 b9 fb ff c3 48 83 ec 08 e8 fa 2c 00 00 48 89 04 24 b8 14 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 43 2d 00 00 48 89 d0 48 83 c4 08 48 3d 01 RSP: 002b:00007fa44f7bfba0 EFLAGS: 00000293 ORIG_RAX: 0000000000000014 RAX: ffffffffffffffda RBX: 0000000020000d85 RCX: 0000000000459131 RDX: 0000000000000003 RSI: 00007fa44f7bfc00 RDI: 00000000000000f0 RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000 R10: 00007fa44f7c09d0 R11: 0000000000000293 R12: 00007fa44f7c06d4 R13: 00000000004c7d21 R14: 00000000004de160 R15: 00000000ffffffff The buggy address belongs to the page: page:ffffea0002539200 count:1 mapcount:-512 mapping:0000000000000000 index:0x0 flags: 0x1fffc0000000000() raw: 01fffc0000000000 dead000000000100 dead000000000200 0000000000000000 raw: 0000000000000000 0000000000000000 00000001fffffdff ffff888090388740 page dumped because: kasan: bad access detected page->mem_cgroup:ffff888090388740 Memory state around the buggy address: ffff888094e48480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff888094e48500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff888094e48580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ^ ffff888094e48600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff888094e48680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ==================================================================