bisecting cause commit starting from 3ecafda911f4e56cb80149fd7ab87f8610c7765f building syzkaller on b0e8efcb4b0aac61f4647a76bbe54a5d38a370ba testing commit 3ecafda911f4e56cb80149fd7ab87f8610c7765f with gcc (GCC) 8.1.0 run #0: crashed: KASAN: stack-out-of-bounds Write in __ip_options_echo run #1: crashed: KASAN: stack-out-of-bounds Write in __ip_options_echo run #2: crashed: KASAN: stack-out-of-bounds Write in __ip_options_echo run #3: crashed: KASAN: stack-out-of-bounds Write in __ip_options_echo run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK testing release v5.0 testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783 with gcc (GCC) 8.1.0 all runs: OK # git bisect start 3ecafda911f4e56cb80149fd7ab87f8610c7765f v5.0 Bisecting: 6776 revisions left to test after this (roughly 13 steps) [6c3ac1134371b51c9601171af2c32153ccb11100] Merge tag 'powerpc-5.1-1' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux testing commit 6c3ac1134371b51c9601171af2c32153ccb11100 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 6c3ac1134371b51c9601171af2c32153ccb11100 Bisecting: 3393 revisions left to test after this (roughly 12 steps) [262d6a9a63a387c8dfa9eb4f7713e159c941e52c] Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip testing commit 262d6a9a63a387c8dfa9eb4f7713e159c941e52c with gcc (GCC) 8.1.0 all runs: OK # git bisect good 262d6a9a63a387c8dfa9eb4f7713e159c941e52c Bisecting: 1702 revisions left to test after this (roughly 11 steps) [80b98e92ebcb4433b86fd32b5d82ec6b0d75cf59] Merge branch 'x86-asm-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip testing commit 80b98e92ebcb4433b86fd32b5d82ec6b0d75cf59 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 80b98e92ebcb4433b86fd32b5d82ec6b0d75cf59 Bisecting: 841 revisions left to test after this (roughly 10 steps) [63fc9c23488d6cf34e4c233e24ba59b7e5548412] Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm testing commit 63fc9c23488d6cf34e4c233e24ba59b7e5548412 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 63fc9c23488d6cf34e4c233e24ba59b7e5548412 Bisecting: 420 revisions left to test after this (roughly 9 steps) [39ce67557568962fa9d1593741f76c4cc6762469] rxrpc: Trace received connection aborts testing commit 39ce67557568962fa9d1593741f76c4cc6762469 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 39ce67557568962fa9d1593741f76c4cc6762469 Bisecting: 214 revisions left to test after this (roughly 8 steps) [b60bc0665e6af8c55b946b67ea8cb235823bb74e] Merge tag 'nfs-for-5.1-4' of git://git.linux-nfs.org/projects/trondmy/linux-nfs testing commit b60bc0665e6af8c55b946b67ea8cb235823bb74e with gcc (GCC) 8.1.0 all runs: OK # git bisect good b60bc0665e6af8c55b946b67ea8cb235823bb74e Bisecting: 100 revisions left to test after this (roughly 7 steps) [2a3a028fc61d03e80ac57091330eb514280bd5be] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net testing commit 2a3a028fc61d03e80ac57091330eb514280bd5be with gcc (GCC) 8.1.0 run #0: crashed: KASAN: stack-out-of-bounds Write in __ip_options_echo run #1: crashed: KASAN: stack-out-of-bounds Write in __ip_options_echo run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 2a3a028fc61d03e80ac57091330eb514280bd5be Bisecting: 56 revisions left to test after this (roughly 6 steps) [444fe991353987c1c9bc5ab1f903d01f1b4ad415] Merge tag 'riscv-for-linus-5.1-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/palmer/riscv-linux testing commit 444fe991353987c1c9bc5ab1f903d01f1b4ad415 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 444fe991353987c1c9bc5ab1f903d01f1b4ad415 Bisecting: 35 revisions left to test after this (roughly 5 steps) [732488018281632c9408e64349a808b22f0cd6a4] Merge tag 'mlx5-fixes-2019-04-09' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux testing commit 732488018281632c9408e64349a808b22f0cd6a4 with gcc (GCC) 8.1.0 run #0: crashed: KASAN: stack-out-of-bounds Write in __ip_options_echo run #1: crashed: KASAN: stack-out-of-bounds Write in __ip_options_echo run #2: crashed: KASAN: stack-out-of-bounds Write in __ip_options_echo run #3: crashed: KASAN: stack-out-of-bounds Write in __ip_options_echo run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 732488018281632c9408e64349a808b22f0cd6a4 Bisecting: 10 revisions left to test after this (roughly 3 steps) [7ee2ace9c544a0886e02b54b625e521df8692d20] net/mlx5e: Switch to Toeplitz RSS hash by default testing commit 7ee2ace9c544a0886e02b54b625e521df8692d20 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 7ee2ace9c544a0886e02b54b625e521df8692d20 Bisecting: 5 revisions left to test after this (roughly 3 steps) [9ac6bb1414ac0d45fe9cefbd1f5b06f0e1a3c98a] qed: Delete redundant doorbell recovery types testing commit 9ac6bb1414ac0d45fe9cefbd1f5b06f0e1a3c98a with gcc (GCC) 8.1.0 run #0: crashed: KASAN: stack-out-of-bounds Write in __ip_options_echo run #1: crashed: KASAN: stack-out-of-bounds Write in __ip_options_echo run #2: crashed: KASAN: stack-out-of-bounds Write in __ip_options_echo run #3: crashed: KASAN: stack-out-of-bounds Write in __ip_options_echo run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 9ac6bb1414ac0d45fe9cefbd1f5b06f0e1a3c98a Bisecting: 2 revisions left to test after this (roughly 1 step) [9e550f015303a99a9395a838743bbeff94d4d49c] Merge branch 'rxrpc-fixes' testing commit 9e550f015303a99a9395a838743bbeff94d4d49c with gcc (GCC) 8.1.0 all runs: OK # git bisect good 9e550f015303a99a9395a838743bbeff94d4d49c Bisecting: 0 revisions left to test after this (roughly 1 step) [c543cb4a5f07e09237ec0fc2c60c9f131b2c79ad] ipv4: ensure rcu_read_lock() in ipv4_link_failure() testing commit c543cb4a5f07e09237ec0fc2c60c9f131b2c79ad with gcc (GCC) 8.1.0 run #0: crashed: KASAN: stack-out-of-bounds Write in __ip_options_echo run #1: crashed: KASAN: stack-out-of-bounds Write in __ip_options_echo run #2: crashed: KASAN: stack-out-of-bounds Write in __ip_options_echo run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad c543cb4a5f07e09237ec0fc2c60c9f131b2c79ad Bisecting: 0 revisions left to test after this (roughly 0 steps) [ed0de45a1008991fdaa27a0152befcb74d126a8b] ipv4: recompile ip options in ipv4_link_failure testing commit ed0de45a1008991fdaa27a0152befcb74d126a8b with gcc (GCC) 8.1.0 run #0: crashed: KASAN: stack-out-of-bounds Write in __ip_options_echo run #1: crashed: KASAN: stack-out-of-bounds Write in __ip_options_echo run #2: crashed: WARNING: suspicious RCU usage in fib_compute_spec_dst run #3: crashed: KASAN: stack-out-of-bounds Write in __ip_options_echo run #4: crashed: KASAN: stack-out-of-bounds Write in __ip_options_echo run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad ed0de45a1008991fdaa27a0152befcb74d126a8b ed0de45a1008991fdaa27a0152befcb74d126a8b is the first bad commit commit ed0de45a1008991fdaa27a0152befcb74d126a8b Author: Stephen Suryaputra Date: Fri Apr 12 16:19:27 2019 -0400 ipv4: recompile ip options in ipv4_link_failure Recompile IP options since IPCB may not be valid anymore when ipv4_link_failure is called from arp_error_report. Refer to the commit 3da1ed7ac398 ("net: avoid use IPCB in cipso_v4_error") and the commit before that (9ef6b42ad6fd) for a similar issue. Signed-off-by: Stephen Suryaputra Signed-off-by: David S. Miller :040000 040000 d9a069fefd033854f1167cf9c10fbdf7e1bc59b3 4e8010c12924f30787806bc346e150428cfc7505 M net revisions tested: 16, total time: 4h28m18.617608863s (build: 1h34m42.667662448s, test: 2h47m40.307184924s) first bad commit: ed0de45a1008991fdaa27a0152befcb74d126a8b ipv4: recompile ip options in ipv4_link_failure cc: ["davem@davemloft.net" "kuznet@ms2.inr.ac.ru" "linux-kernel@vger.kernel.org" "netdev@vger.kernel.org" "ssuryaextr@gmail.com" "yoshfuji@linux-ipv6.org"] crash: KASAN: stack-out-of-bounds Write in __ip_options_echo ================================================================== BUG: KASAN: stack-out-of-bounds in memcpy include/linux/string.h:355 [inline] BUG: KASAN: stack-out-of-bounds in __ip_options_echo+0x241/0x1350 net/ipv4/ip_options.c:123 Write of size 69 at addr ffff888098d06fd8 by task syz-executor.1/11636 CPU: 0 PID: 11636 Comm: syz-executor.1 Not tainted 5.1.0-rc4+ #1 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x113/0x167 lib/dump_stack.c:113 print_address_description.cold.5+0x9/0x1ff mm/kasan/report.c:187 kasan_report.cold.6+0x1b/0x39 mm/kasan/report.c:317 check_memory_region_inline mm/kasan/generic.c:185 [inline] check_memory_region+0x13e/0x1b0 mm/kasan/generic.c:191 memcpy+0x37/0x50 mm/kasan/common.c:133 memcpy include/linux/string.h:355 [inline] __ip_options_echo+0x241/0x1350 net/ipv4/ip_options.c:123 __icmp_send+0x6ea/0x1920 net/ipv4/icmp.c:695 ipv4_link_failure+0x1a5/0x340 net/ipv4/route.c:1198 dst_link_failure include/net/dst.h:427 [inline] vti6_xmit net/ipv6/ip6_vti.c:514 [inline] vti6_tnl_xmit+0xce0/0x192d net/ipv6/ip6_vti.c:553 __netdev_start_xmit include/linux/netdevice.h:4414 [inline] netdev_start_xmit include/linux/netdevice.h:4423 [inline] xmit_one net/core/dev.c:3292 [inline] dev_hard_start_xmit+0x16a/0x720 net/core/dev.c:3308 __dev_queue_xmit+0x1edf/0x29c0 net/core/dev.c:3878 dev_queue_xmit+0xb/0x10 net/core/dev.c:3911 neigh_direct_output+0xc/0x10 net/core/neighbour.c:1527 neigh_output include/net/neighbour.h:508 [inline] ip_finish_output2+0x6f1/0x13d0 net/ipv4/ip_output.c:229 ip_finish_output+0x4e3/0xb90 net/ipv4/ip_output.c:317 NF_HOOK_COND include/linux/netfilter.h:278 [inline] ip_output+0x1ba/0x550 net/ipv4/ip_output.c:405 dst_output include/net/dst.h:444 [inline] NF_HOOK include/linux/netfilter.h:289 [inline] raw_send_hdrinc net/ipv4/raw.c:432 [inline] raw_sendmsg+0x1976/0x2b20 net/ipv4/raw.c:663 inet_sendmsg+0x10d/0x450 net/ipv4/af_inet.c:798 sock_sendmsg_nosec net/socket.c:651 [inline] sock_sendmsg+0xb7/0xf0 net/socket.c:661 sock_write_iter+0x1e9/0x3d0 net/socket.c:988 call_write_iter include/linux/fs.h:1866 [inline] new_sync_write+0x3f1/0x740 fs/read_write.c:474 __vfs_write+0x97/0x110 fs/read_write.c:487 vfs_write+0x150/0x4e0 fs/read_write.c:549 ksys_write+0x103/0x260 fs/read_write.c:599 __do_sys_write fs/read_write.c:611 [inline] __se_sys_write fs/read_write.c:608 [inline] __x64_sys_write+0x6e/0xb0 fs/read_write.c:608 do_syscall_64+0xd6/0x4e0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x458c29 Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007f2acb56bc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000458c29 RDX: 0000000000000014 RSI: 00000000200002c0 RDI: 0000000000000003 RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f2acb56c6d4 R13: 00000000004c8623 R14: 00000000004ded68 R15: 00000000ffffffff The buggy address belongs to the page: page:ffffea0002634180 count:0 mapcount:0 mapping:0000000000000000 index:0xffff888098d06180 flags: 0x1fffc0000000000() raw: 01fffc0000000000 dead000000000100 dead000000000200 0000000000000000 raw: ffff888098d06180 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888098d06f00: f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 f2 f2 f2 ffff888098d06f80: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff888098d07000: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ^ ffff888098d07080: 00 f1 f1 f1 f1 00 00 f2 f2 00 00 00 00 00 00 00 ffff888098d07100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 ==================================================================