bisecting fixing commit since 312017a460d5ea31d646e7148e400e13db799ddc
building syzkaller on 2a752b7c5e39457c3c16ef91cf2192a42813c802
testing commit 312017a460d5ea31d646e7148e400e13db799ddc with gcc (GCC) 8.1.0
kernel signature: b513fb17ec57bbcde7976c6fd2dd0c9d4b0257bf2d84eb75ab474751b24c5504
all runs: crashed: KASAN: use-after-free Write in __alloc_skb
testing current HEAD b499cf4b3a901e87e1f933df04abf69b54de4457
testing commit b499cf4b3a901e87e1f933df04abf69b54de4457 with gcc (GCC) 8.1.0
kernel signature: 78900c57524106bd5f57b39d711eacf6b766a8d113fcad12ad56f205d0cf8745
all runs: OK
# git bisect start b499cf4b3a901e87e1f933df04abf69b54de4457 312017a460d5ea31d646e7148e400e13db799ddc
Bisecting: 914 revisions left to test after this (roughly 10 steps)
[5bff4167f637b94b386419303fe480a6584ceb5c] btrfs: fix memory leak in qgroup accounting
testing commit 5bff4167f637b94b386419303fe480a6584ceb5c with gcc (GCC) 8.1.0
kernel signature: c632ff118d96db0828121191ee516988d851b2053695103b559762b777dbf000
all runs: crashed: KASAN: use-after-free Write in __alloc_skb
# git bisect good 5bff4167f637b94b386419303fe480a6584ceb5c
Bisecting: 457 revisions left to test after this (roughly 9 steps)
[d947f064b4feb08ab1e2f43e035ec62827c33581] net: hns3: fix a memory leak issue for hclge_map_unmap_ring_to_vf_vector
testing commit d947f064b4feb08ab1e2f43e035ec62827c33581 with gcc (GCC) 8.1.0
kernel signature: ee722ed60493648a73d1cec91314027e75eab90c7e517e0300611164eddbe400
all runs: crashed: KASAN: use-after-free Write in __alloc_skb
# git bisect good d947f064b4feb08ab1e2f43e035ec62827c33581
Bisecting: 228 revisions left to test after this (roughly 8 steps)
[6fab6dbff4a5843b8f44f87a2454450961c1f0bc] drm/radeon: fix bad DMA from INTERRUPT_CNTL2
testing commit 6fab6dbff4a5843b8f44f87a2454450961c1f0bc with gcc (GCC) 8.1.0
kernel signature: 6643734a2fff641027515d84d250a86d1c184204e58b3e4219bb2a993e53d447
all runs: crashed: KASAN: use-after-free Write in __alloc_skb
# git bisect good 6fab6dbff4a5843b8f44f87a2454450961c1f0bc
Bisecting: 114 revisions left to test after this (roughly 7 steps)
[ad7a72e8180170cb97407d03be349ab7e5b6dc98] serial: 8250_bcm2835aux: Fix line mismatch on driver unbind
testing commit ad7a72e8180170cb97407d03be349ab7e5b6dc98 with gcc (GCC) 8.1.0
kernel signature: c8b42e48c35efab691e5090b22b5ee3d1dcbd31819d2f34ebf12ebf250156482
all runs: OK
# git bisect bad ad7a72e8180170cb97407d03be349ab7e5b6dc98
Bisecting: 56 revisions left to test after this (roughly 6 steps)
[6f1355914bfb70d7093ca1bbb6730e749ce938e0] net/sonic: Avoid needless receive descriptor EOL flag updates
testing commit 6f1355914bfb70d7093ca1bbb6730e749ce938e0 with gcc (GCC) 8.1.0
kernel signature: f43c5de5169820b3ed4792b419c98096763f19715343ca5d5c5a29e604d92aad
all runs: OK
# git bisect bad 6f1355914bfb70d7093ca1bbb6730e749ce938e0
Bisecting: 28 revisions left to test after this (roughly 5 steps)
[9bbde0825846002c6931f41fbbd71eeb848ca0e1] tcp: do not leave dangling pointers in tp->highest_sack
testing commit 9bbde0825846002c6931f41fbbd71eeb848ca0e1 with gcc (GCC) 8.1.0
kernel signature: 4167c8ec702345ba5fc3786a4209ba6d23d1c4a1a5ed7818d764e910c49784c9
all runs: OK
# git bisect bad 9bbde0825846002c6931f41fbbd71eeb848ca0e1
Bisecting: 13 revisions left to test after this (roughly 4 steps)
[404d333fd36172ee7730c9a17746d3e35a167f5d] net: cxgb3_main: Add CAP_NET_ADMIN check to CHELSIO_GET_MEM
testing commit 404d333fd36172ee7730c9a17746d3e35a167f5d with gcc (GCC) 8.1.0
kernel signature: 1cc2a8fa79edfaef5d42127f32fe315d0564846c5f2113cb37e252eba2c12f43
all runs: crashed: KASAN: use-after-free Write in __alloc_skb
# git bisect good 404d333fd36172ee7730c9a17746d3e35a167f5d
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[7070695e6077e2c3bb3a67432682cf4b3c258942] net-sysfs: fix netdev_queue_add_kobject() breakage
testing commit 7070695e6077e2c3bb3a67432682cf4b3c258942 with gcc (GCC) 8.1.0
kernel signature: 83f0f9b27e0a78e7ec2c67de9a5ce862d8ba6d05a1fef13e91b7ca7346fd6ba5
all runs: OK
# git bisect bad 7070695e6077e2c3bb3a67432682cf4b3c258942
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[1d3b53f716b56be2afd794b1fc47633e7621f018] net, ip_tunnel: fix namespaces move
testing commit 1d3b53f716b56be2afd794b1fc47633e7621f018 with gcc (GCC) 8.1.0
kernel signature: 9939abc0c8a89249a0de306db4e403a7af98a637da478d5a6e5a1ba8abd4c2f1
all runs: crashed: KASAN: use-after-free Write in __alloc_skb
# git bisect good 1d3b53f716b56be2afd794b1fc47633e7621f018
Bisecting: 1 revision left to test after this (roughly 1 step)
[66ac8ee96faa582a252ae19510f35529c9143670] net_sched: fix datalen for ematch
testing commit 66ac8ee96faa582a252ae19510f35529c9143670 with gcc (GCC) 8.1.0
kernel signature: 8dabcce95970273e67184ca23f144b22c377bd04a2cc7ced42a70c3e8ac29411
all runs: OK
# git bisect bad 66ac8ee96faa582a252ae19510f35529c9143670
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[be1a2be7a7b0ed5a758fd8decc39386ba3b5d556] net: rtnetlink: validate IFLA_MTU attribute in rtnl_create_link()
testing commit be1a2be7a7b0ed5a758fd8decc39386ba3b5d556 with gcc (GCC) 8.1.0
kernel signature: bc189f654ae02873119391a67cc5e54abd7c8b4c0fa56ddf38ef323a7be5663a
all runs: OK
# git bisect bad be1a2be7a7b0ed5a758fd8decc39386ba3b5d556
be1a2be7a7b0ed5a758fd8decc39386ba3b5d556 is the first bad commit
commit be1a2be7a7b0ed5a758fd8decc39386ba3b5d556
Author: Eric Dumazet
Date:   Tue Jan 21 22:47:29 2020 -0800

    net: rtnetlink: validate IFLA_MTU attribute in rtnl_create_link()

    [ Upstream commit d836f5c69d87473ff65c06a6123e5b2cf5e56f5b ]

    rtnl_create_link() needs to apply dev->min_mtu and dev->max_mtu
    checks that we apply in do_setlink()

    Otherwise malicious users can crash the kernel, for example after
    an integer overflow :

    BUG: KASAN: use-after-free in memset include/linux/string.h:365 [inline]
    BUG: KASAN: use-after-free in __alloc_skb+0x37b/0x5e0 net/core/skbuff.c:238
    Write of size 32 at addr ffff88819f20b9c0 by task swapper/0/0

    CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.5.0-rc1-syzkaller #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    Call Trace:
     <IRQ>
     __dump_stack lib/dump_stack.c:77 [inline]
     dump_stack+0x197/0x210 lib/dump_stack.c:118
     print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
     __kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
     kasan_report+0x12/0x20 mm/kasan/common.c:639
     check_memory_region_inline mm/kasan/generic.c:185 [inline]
     check_memory_region+0x134/0x1a0 mm/kasan/generic.c:192
     memset+0x24/0x40 mm/kasan/common.c:108
     memset include/linux/string.h:365 [inline]
     __alloc_skb+0x37b/0x5e0 net/core/skbuff.c:238
     alloc_skb include/linux/skbuff.h:1049 [inline]
     alloc_skb_with_frags+0x93/0x590 net/core/skbuff.c:5664
     sock_alloc_send_pskb+0x7ad/0x920 net/core/sock.c:2242
     sock_alloc_send_skb+0x32/0x40 net/core/sock.c:2259
     mld_newpack+0x1d7/0x7f0 net/ipv6/mcast.c:1609
     add_grhead.isra.0+0x299/0x370 net/ipv6/mcast.c:1713
     add_grec+0x7db/0x10b0 net/ipv6/mcast.c:1844
     mld_send_cr net/ipv6/mcast.c:1970 [inline]
     mld_ifc_timer_expire+0x3d3/0x950 net/ipv6/mcast.c:2477
     call_timer_fn+0x1ac/0x780 kernel/time/timer.c:1404
     expire_timers kernel/time/timer.c:1449 [inline]
     __run_timers kernel/time/timer.c:1773 [inline]
     __run_timers kernel/time/timer.c:1740 [inline]
     run_timer_softirq+0x6c3/0x1790 kernel/time/timer.c:1786
     __do_softirq+0x262/0x98c kernel/softirq.c:292
     invoke_softirq kernel/softirq.c:373 [inline]
     irq_exit+0x19b/0x1e0 kernel/softirq.c:413
     exiting_irq arch/x86/include/asm/apic.h:536 [inline]
     smp_apic_timer_interrupt+0x1a3/0x610 arch/x86/kernel/apic/apic.c:1137
     apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
    RIP: 0010:native_safe_halt+0xe/0x10 arch/x86/include/asm/irqflags.h:61
    Code: 98 6b ea f9 eb 8a cc cc cc cc cc cc e9 07 00 00 00 0f 00 2d 44 1c 60 00 f4 c3 66 90 e9 07 00 00 00 0f 00 2d 34 1c 60 00 fb f4 cc 55 48 89 e5 41 57 41 56 41 55 41 54 53 e8 4e 5d 9a f9 e8 79
    RSP: 0018:ffffffff89807ce8 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff13
    RAX: 1ffffffff13266ae RBX: ffffffff8987a1c0 RCX: 0000000000000000
    RDX: dffffc0000000000 RSI: 0000000000000006 RDI: ffffffff8987aa54
    RBP: ffffffff89807d18 R08: ffffffff8987a1c0 R09: 0000000000000000
    R10: 0000000000000000 R11: 0000000000000000 R12: dffffc0000000000
    R13: ffffffff8a799980 R14: 0000000000000000 R15: 0000000000000000
     arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:690
     default_idle_call+0x84/0xb0 kernel/sched/idle.c:94
     cpuidle_idle_call kernel/sched/idle.c:154 [inline]
     do_idle+0x3c8/0x6e0 kernel/sched/idle.c:269
     cpu_startup_entry+0x1b/0x20 kernel/sched/idle.c:361
     rest_init+0x23b/0x371 init/main.c:451
     arch_call_rest_init+0xe/0x1b
     start_kernel+0x904/0x943 init/main.c:784
     x86_64_start_reservations+0x29/0x2b arch/x86/kernel/head64.c:490
     x86_64_start_kernel+0x77/0x7b arch/x86/kernel/head64.c:471
     secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:242

    The buggy address belongs to the page:
    page:ffffea00067c82c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
    raw: 057ffe0000000000 ffffea00067c82c8 ffffea00067c82c8 0000000000000000
    raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
    page dumped because: kasan: bad access detected

    Memory state around the buggy address:
     ffff88819f20b880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
     ffff88819f20b900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
    >ffff88819f20b980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                               ^
     ffff88819f20ba00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
     ffff88819f20ba80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff

    Fixes: 61e84623ace3 ("net: centralize net_device min/max MTU checking")
    Signed-off-by: Eric Dumazet
    Reported-by: syzbot
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

 include/linux/netdevice.h |  2 ++
 net/core/dev.c            | 29 +++++++++++++++++++----------
 net/core/rtnetlink.c      | 13 +++++++++++--
 3 files changed, 32 insertions(+), 12 deletions(-)

culprit signature: bc189f654ae02873119391a67cc5e54abd7c8b4c0fa56ddf38ef323a7be5663a
parent signature: 9939abc0c8a89249a0de306db4e403a7af98a637da478d5a6e5a1ba8abd4c2f1
revisions tested: 13, total time: 3h29m23.995463979s (build: 1h57m44.262379689s, test: 1h30m26.977099209s)
first good commit: be1a2be7a7b0ed5a758fd8decc39386ba3b5d556 net: rtnetlink: validate IFLA_MTU attribute in rtnl_create_link()
cc: ["davem@davemloft.net" "edumazet@google.com" "gregkh@linuxfoundation.org"]