bisecting fixing commit since 0b412605ef5f5c64b31f19e2910b1d5eba9929c3
building syzkaller on d47f0ed6854fcc09c5db820d4e3aed72a6074841
testing commit 0b412605ef5f5c64b31f19e2910b1d5eba9929c3 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in _decode_session4
testing current HEAD 4010b622f1d2a6112244101f38225eaee20c07f2
testing commit 4010b622f1d2a6112244101f38225eaee20c07f2 with gcc (GCC) 8.1.0
all runs: OK
# git bisect start 4010b622f1d2a6112244101f38225eaee20c07f2 0b412605ef5f5c64b31f19e2910b1d5eba9929c3
Bisecting: 58265 revisions left to test after this (roughly 16 steps)
[17c2f540863a6c0faa3f0ede3c785d9427bcaf80] Merge tag 'nfs-for-4.20-4' of git://git.linux-nfs.org/projects/trondmy/linux-nfs
testing commit 17c2f540863a6c0faa3f0ede3c785d9427bcaf80 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 17c2f540863a6c0faa3f0ede3c785d9427bcaf80
Bisecting: 29130 revisions left to test after this (roughly 15 steps)
[37b71411b75c6a6c918e3102097417fdfed667b8] Merge tag 'audit-pr-20180731' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit
testing commit 37b71411b75c6a6c918e3102097417fdfed667b8 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 37b71411b75c6a6c918e3102097417fdfed667b8
Bisecting: 14565 revisions left to test after this (roughly 14 steps)
[9ca5a2ae4259e7aec8efb0db0f6ec721a6854c54] Merge tag 'pm-4.17-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm
testing commit 9ca5a2ae4259e7aec8efb0db0f6ec721a6854c54 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 9ca5a2ae4259e7aec8efb0db0f6ec721a6854c54
Bisecting: 7330 revisions left to test after this (roughly 13 steps)
[38047d5c269bbdedf900fc86954913f3dffa01f1] Merge tag 'driver-core-4.17-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core
testing commit 38047d5c269bbdedf900fc86954913f3dffa01f1 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 38047d5c269bbdedf900fc86954913f3dffa01f1
Bisecting: 4101 revisions left to test after this (roughly 12 steps)
[bb2407a7219760926760f0448fddf00d625e5aec] Merge tag 'docs-4.17' of git://git.lwn.net/linux
testing commit bb2407a7219760926760f0448fddf00d625e5aec with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad bb2407a7219760926760f0448fddf00d625e5aec
Bisecting: 1566 revisions left to test after this (roughly 11 steps)
[2a2553cc45c889f15a1df0355891a809f17ca43d] Merge branch 'vmwgfx-next' of git://people.freedesktop.org/~thomash/linux into drm-next
testing commit 2a2553cc45c889f15a1df0355891a809f17ca43d with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in _decode_session4
# git bisect good 2a2553cc45c889f15a1df0355891a809f17ca43d
Bisecting: 782 revisions left to test after this (roughly 10 steps)
[d22fff81418edc92be534cad8d59da914049bf69] Merge branch 'x86-mm-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
testing commit d22fff81418edc92be534cad8d59da914049bf69 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad d22fff81418edc92be534cad8d59da914049bf69
Bisecting: 433 revisions left to test after this (roughly 9 steps)
[701f3b314905ac05f09fc052c87b022825d831f2] Merge branch 'locking-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
testing commit 701f3b314905ac05f09fc052c87b022825d831f2 with gcc (GCC) 8.1.0
run #0: basic kernel testing failed: failed to copy test binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/syzkaller/jobs/linux/workdir/image/key" "/tmp/syz-executor056692012" "root@10.128.15.206:./syz-executor056692012"]: exit status 1
ssh: connect to host 10.128.15.206 port 22: Connection timed out
lost connection
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 701f3b314905ac05f09fc052c87b022825d831f2
Bisecting: 207 revisions left to test after this (roughly 8 steps)
[0adb32858b0bddf4ada5f364a84ed60b196dbcda] Linux 4.16
testing commit 0adb32858b0bddf4ada5f364a84ed60b196dbcda with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 0adb32858b0bddf4ada5f364a84ed60b196dbcda
Bisecting: 74 revisions left to test after this (roughly 6 steps)
[b9fc828debc8ac2bb21b5819a44d2aea456f1c95] qede: Fix barrier usage after tx doorbell write.
testing commit b9fc828debc8ac2bb21b5819a44d2aea456f1c95 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in _decode_session4
# git bisect good b9fc828debc8ac2bb21b5819a44d2aea456f1c95
Bisecting: 43 revisions left to test after this (roughly 5 steps)
[9dd2326890d89a5179967c947dab2bab34d7ddee] Merge tag 'ceph-for-4.16-rc8' of git://github.com/ceph/ceph-client
testing commit 9dd2326890d89a5179967c947dab2bab34d7ddee with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in _decode_session4
# git bisect good 9dd2326890d89a5179967c947dab2bab34d7ddee
Bisecting: 21 revisions left to test after this (roughly 5 steps)
[f97c3dc3c0e8d23a5c4357d182afeef4c67f5c33] net/dim: Fix int overflow
testing commit f97c3dc3c0e8d23a5c4357d182afeef4c67f5c33 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad f97c3dc3c0e8d23a5c4357d182afeef4c67f5c33
Bisecting: 10 revisions left to test after this (roughly 4 steps)
[5568cdc368c349eee7b5fc48bc956234a0828d71] ip_tunnel: Resolve ipsec merge conflict properly.
testing commit 5568cdc368c349eee7b5fc48bc956234a0828d71 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 5568cdc368c349eee7b5fc48bc956234a0828d71
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[c6741fbed6dc0f183d26c4b6bca4517672f92e6c] vti6: Properly adjust vti6 MTU from MTU of lower device
testing commit c6741fbed6dc0f183d26c4b6bca4517672f92e6c with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad c6741fbed6dc0f183d26c4b6bca4517672f92e6c
Bisecting: 2 revisions left to test after this (roughly 1 step)
[dd1df24737727e119c263acf1be2a92763938297] vti4: Don't count header length twice on tunnel setup
testing commit dd1df24737727e119c263acf1be2a92763938297 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in _decode_session4
# git bisect good dd1df24737727e119c263acf1be2a92763938297
Bisecting: 0 revisions left to test after this (roughly 1 step)
[03080e5ec72740c1a62e6730f2a5f3f114f11b19] vti4: Don't override MTU passed on link creation via IFLA_MTU
testing commit 03080e5ec72740c1a62e6730f2a5f3f114f11b19 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in _decode_session4
# git bisect good 03080e5ec72740c1a62e6730f2a5f3f114f11b19
c6741fbed6dc0f183d26c4b6bca4517672f92e6c is the first bad commit
commit c6741fbed6dc0f183d26c4b6bca4517672f92e6c
Author: Stefano Brivio
Date:   Thu Mar 15 17:17:11 2018 +0100

    vti6: Properly adjust vti6 MTU from MTU of lower device

    If a lower device is found, we don't need to subtract LL_MAX_HEADER
    to calculate our MTU: just use its MTU, the link layer headers are
    already taken into account by it.

    If the lower device is not found, start from ETH_DATA_LEN instead,
    and only in this case subtract a worst-case LL_MAX_HEADER.

    We then need to subtract our additional IPv6 header from the
    calculation.

    While at it, note that vti6 doesn't have a hardware header, so it
    doesn't need to set dev->hard_header_len. And as vti6_link_config()
    now always sets the MTU, there's no need to set a default value in
    vti6_dev_setup().

    This makes the behaviour consistent with IPv4 vti, after commit
    a32452366b72 ("vti4: Don't count header length twice."), which was
    accidentally reverted by merge commit f895f0cfbb77 ("Merge branch
    'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec").

    While commit 53c81e95df17 ("ip6_vti: adjust vti mtu according to mtu
    of lower device") improved on the original situation, this was still
    not ideal. As reported in that commit message itself, if we start
    from an underlying veth MTU of 9000, we end up with an MTU of 8832,
    that is, 9000 - LL_MAX_HEADER - sizeof(ipv6hdr). This should simply
    be 8880, or 9000 - sizeof(ipv6hdr) instead: we found the lower device
    (veth) and we know we don't have any additional link layer header, so
    there's no need to subtract an hypothetical worst-case number.

    Fixes: 53c81e95df17 ("ip6_vti: adjust vti mtu according to mtu of lower device")
    Signed-off-by: Stefano Brivio
    Acked-by: Sabrina Dubroca
    Signed-off-by: Steffen Klassert

:040000 040000 e032d55ff387bf8d8b605268aac2859d3daa7854 b348cfdfe3003fd166c7a620459671e5fa8e70a7 M	net
revisions tested: 18, total time: 4h4m55.420790126s (build: 1h22m53.47623046s, test: 2h34m1.332262139s)
first good commit: c6741fbed6dc0f183d26c4b6bca4517672f92e6c vti6: Properly adjust vti6 MTU from MTU of lower device
cc: ["davem@davemloft.net" "herbert@gondor.apana.org.au" "kuznet@ms2.inr.ac.ru" "linux-kernel@vger.kernel.org" "netdev@vger.kernel.org" "sbrivio@redhat.com" "sd@queasysnail.net" "steffen.klassert@secunet.com" "yoshfuji@linux-ipv6.org"]