bisecting fixing commit since 98db2bf27b9ed2d5ed0b6c9c8a4bfcb127a19796
building syzkaller on 5d7b90f1af2e3bf33992b75e7fcf0bab6bf49bd6
testing commit 98db2bf27b9ed2d5ed0b6c9c8a4bfcb127a19796 with gcc (GCC) 8.1.0
kernel signature: e073135666613f1696153cbd6e4eb1bc9e0492dad99dd493318ab05e5c50ce61
all runs: crashed: KASAN: stack-out-of-bounds Write in ax25_getname
testing current HEAD 12cd844a39ed16aa183a820a54fe6f9a0bb4cd14
testing commit 12cd844a39ed16aa183a820a54fe6f9a0bb4cd14 with gcc (GCC) 8.1.0
kernel signature: f88066563ec19772eb3a8d509caf9d5098ca39a71aeefcf4c40932a8a508d97c
all runs: OK
# git bisect start 12cd844a39ed16aa183a820a54fe6f9a0bb4cd14 98db2bf27b9ed2d5ed0b6c9c8a4bfcb127a19796
Bisecting: 180 revisions left to test after this (roughly 8 steps)
[04e2dcbed2136c3b332e10647beb8dc9a7a79e1a] xhci: Force Maximum Packet size for Full-speed bulk devices to valid range.
testing commit 04e2dcbed2136c3b332e10647beb8dc9a7a79e1a with gcc (GCC) 8.1.0
kernel signature: 62b29be7acacda8b78da1fde54613d11dbc84f1d2d03ea7bae1f02bba65c982b
all runs: crashed: KASAN: stack-out-of-bounds Write in ax25_getname
# git bisect good 04e2dcbed2136c3b332e10647beb8dc9a7a79e1a
Bisecting: 90 revisions left to test after this (roughly 7 steps)
[0a94e100b4fe9bd250e2c1f7624a70de2cdf4bc8] ACPICA: Introduce ACPI_ACCESS_BYTE_WIDTH() macro
testing commit 0a94e100b4fe9bd250e2c1f7624a70de2cdf4bc8 with gcc (GCC) 8.1.0
kernel signature: 704715d0dcc536a42df348de19294ddb06b6b220dc1afe92a4ceea2ac10e9265
all runs: crashed: KASAN: stack-out-of-bounds Write in ax25_getname
# git bisect good 0a94e100b4fe9bd250e2c1f7624a70de2cdf4bc8
Bisecting: 45 revisions left to test after this (roughly 6 steps)
[89e30bb46074c1a11b0b6e6797b0bcbcd6d83d54] drm/msm/dsi: save pll state before dsi host is powered off
testing commit 89e30bb46074c1a11b0b6e6797b0bcbcd6d83d54 with gcc (GCC) 8.1.0
kernel signature: 6b7c6a80242dbbccd6bc47c45565e20da30c3d301786866a1a8f91d71c5aa09c
all runs: OK
# git bisect bad 89e30bb46074c1a11b0b6e6797b0bcbcd6d83d54
Bisecting: 22 revisions left to test after this (roughly 5 steps)
[0bdc63911545438223d5e44f869e3b1d9981a08b] KVM: Check for a bad hva before dropping into the ghc slow path
testing commit 0bdc63911545438223d5e44f869e3b1d9981a08b with gcc (GCC) 8.1.0
kernel signature: 9d64e192bb4ca5da6390737e960d826bd0b431ca2a87dd88cf8b343bdce6fd9a
all runs: crashed: KASAN: stack-out-of-bounds Write in ax25_getname
# git bisect good 0bdc63911545438223d5e44f869e3b1d9981a08b
Bisecting: 11 revisions left to test after this (roughly 4 steps)
[5b5295b5c60d6048db2112f4bb691c9cf97631f0] EDAC/amd64: Set grain per DIMM
testing commit 5b5295b5c60d6048db2112f4bb691c9cf97631f0 with gcc (GCC) 8.1.0
kernel signature: 4d45389c971f89da95373f5bcd5a68f9108866a386135e18f320edbbb8e34358
all runs: OK
# git bisect bad 5b5295b5c60d6048db2112f4bb691c9cf97631f0
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[b200a5dded6fc266cbcf79ade856ea69e3633817] mm/huge_memory.c: use head to check huge zero page
testing commit b200a5dded6fc266cbcf79ade856ea69e3633817 with gcc (GCC) 8.1.0
kernel signature: 9d5ef6365da12f043a84c7aa70acd2a909fcda327729dac1696e896d15164eff
all runs: crashed: KASAN: stack-out-of-bounds Write in ax25_getname
# git bisect good b200a5dded6fc266cbcf79ade856ea69e3633817
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[c7cba03b2bdced33715a7167cb9c5c8733cd31c3] audit: always check the netlink payload length in audit_receive_msg()
testing commit c7cba03b2bdced33715a7167cb9c5c8733cd31c3 with gcc (GCC) 8.1.0
kernel signature: a35ed4eb1490fee9c4cc775f1b763522e75c770798fa581ae5b129a598d69d31
all runs: crashed: KASAN: stack-out-of-bounds Write in ax25_getname
# git bisect good c7cba03b2bdced33715a7167cb9c5c8733cd31c3
Bisecting: 0 revisions left to test after this (roughly 1 step)
[7a4139ccd2ffe87c5125eb476b57c3db1b7b70d1] x86/mce: Handle varying MCA bank counts
testing commit 7a4139ccd2ffe87c5125eb476b57c3db1b7b70d1 with gcc (GCC) 8.1.0
kernel signature: 456bf4adb7990e501b20bd3a04baed36a2dc4556657e4bd9595b27436c8fbd39
all runs: OK
# git bisect bad 7a4139ccd2ffe87c5125eb476b57c3db1b7b70d1
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[ff8e12b0cfe277a54edbab525f068b39c7ed0de3] vhost: Check docket sk_family instead of call getname
testing commit ff8e12b0cfe277a54edbab525f068b39c7ed0de3 with gcc (GCC) 8.1.0
kernel signature: fe7776c1fbf139dac9dc1c88263de3b5263bf24e87ddc98f18c837c259dfeefb
all runs: OK
# git bisect bad ff8e12b0cfe277a54edbab525f068b39c7ed0de3
ff8e12b0cfe277a54edbab525f068b39c7ed0de3 is the first bad commit
commit ff8e12b0cfe277a54edbab525f068b39c7ed0de3
Author: Eugenio Pérez
Date:   Thu Mar 5 17:30:05 2020 +0100

    vhost: Check docket sk_family instead of call getname

    commit 42d84c8490f9f0931786f1623191fcab397c3d64 upstream.

    Doing so, we save one call to get data we already have in the struct.

    Also, since there is no guarantee that getname use sockaddr_ll
    parameter beyond its size, we add a little bit of security here.
    It should do not do beyond MAX_ADDR_LEN, but syzbot found that
    ax25_getname writes more (72 bytes, the size of full_sockaddr_ax25,
    versus 20 + 32 bytes of sockaddr_ll + MAX_ADDR_LEN in syzbot repro).

    Fixes: 3a4d5c94e9593 ("vhost_net: a kernel-level virtio server")
    Reported-by: syzbot+f2a62d07a5198c819c7b@syzkaller.appspotmail.com
    Signed-off-by: Eugenio Pérez
    Acked-by: Michael S. Tsirkin
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman
    [jwang: backport to 4.14]
    Signed-off-by: Jack Wang
    Signed-off-by: Sasha Levin

 drivers/vhost/net.c | 13 ++-----------
 1 file changed, 2 insertions(+), 11 deletions(-)

culprit signature: fe7776c1fbf139dac9dc1c88263de3b5263bf24e87ddc98f18c837c259dfeefb
parent signature: a35ed4eb1490fee9c4cc775f1b763522e75c770798fa581ae5b129a598d69d31
revisions tested: 11, total time: 2h49m1.081748775s (build: 1h38m15.965390659s, test: 1h9m34.831829073s)
first good commit: ff8e12b0cfe277a54edbab525f068b39c7ed0de3 vhost: Check docket sk_family instead of call getname
cc: ["davem@davemloft.net" "eperezma@redhat.com" "gregkh@linuxfoundation.org" "jinpu.wang@cloud.ionos.com" "mst@redhat.com" "sashal@kernel.org"]