bisecting cause commit starting from 6207214a70bfaec7b41f39502353fd3ca89df68c building syzkaller on b1c228e1773559f05fa98950902ab025d6ab946e testing commit 6207214a70bfaec7b41f39502353fd3ca89df68c with gcc (GCC) 8.1.0 kernel signature: b263e4f911a5ab0feb7dd6f734d9434f1ddf7278210a48334069332d1ddfc60b run #0: boot failed: create image operation failed: &{Code:ZONE_RESOURCE_POOL_EXHAUSTED_WITH_DETAILS Location: Message:The zone 'projects/syzkaller/zones/us-central1-c' does not have enough resources available to fulfill the request. '(resource type:compute)'. ForceSendFields:[] NullFields:[]}. run #1: crashed: WARNING in rds_rdma_extra_size run #2: crashed: WARNING in rds_rdma_extra_size run #3: crashed: WARNING in rds_rdma_extra_size run #4: crashed: WARNING in rds_rdma_extra_size run #5: crashed: WARNING in rds_rdma_extra_size run #6: crashed: WARNING in rds_rdma_extra_size run #7: crashed: WARNING in rds_rdma_extra_size run #8: crashed: WARNING in rds_rdma_extra_size run #9: crashed: WARNING in rds_rdma_extra_size testing release v5.10 testing commit 2c85ebc57b3e1817b6ce1a6b703928e113a90442 with gcc (GCC) 8.1.0 kernel signature: 395a614079c9030036488f72c030c4708fae86b9aba956ca15d15003efd3a593 all runs: crashed: WARNING in rds_rdma_extra_size testing release v5.9 testing commit bbf5c979011a099af5dc76498918ed7df445635b with gcc (GCC) 8.1.0 kernel signature: 267e4e72ea6151d6ca484a7d3cc70be89ff7365b860f2a296ca76a677664b0bf run #0: boot failed: create image operation failed: &{Code:ZONE_RESOURCE_POOL_EXHAUSTED_WITH_DETAILS Location: Message:The zone 'projects/syzkaller/zones/us-central1-c' does not have enough resources available to fulfill the request. '(resource type:compute)'. ForceSendFields:[] NullFields:[]}. run #1: boot failed: create image operation failed: &{Code:ZONE_RESOURCE_POOL_EXHAUSTED_WITH_DETAILS Location: Message:The zone 'projects/syzkaller/zones/us-central1-c' does not have enough resources available to fulfill the request. '(resource type:compute)'. ForceSendFields:[] NullFields:[]}. run #2: boot failed: create image operation failed: &{Code:ZONE_RESOURCE_POOL_EXHAUSTED_WITH_DETAILS Location: Message:The zone 'projects/syzkaller/zones/us-central1-c' does not have enough resources available to fulfill the request. '(resource type:compute)'. ForceSendFields:[] NullFields:[]}. run #3: boot failed: create image operation failed: &{Code:ZONE_RESOURCE_POOL_EXHAUSTED_WITH_DETAILS Location: Message:The zone 'projects/syzkaller/zones/us-central1-c' does not have enough resources available to fulfill the request. '(resource type:compute)'. ForceSendFields:[] NullFields:[]}. run #4: boot failed: create image operation failed: &{Code:ZONE_RESOURCE_POOL_EXHAUSTED_WITH_DETAILS Location: Message:The zone 'projects/syzkaller/zones/us-central1-c' does not have enough resources available to fulfill the request. '(resource type:compute)'. ForceSendFields:[] NullFields:[]}. run #5: crashed: WARNING in rds_rdma_extra_size run #6: crashed: WARNING in rds_rdma_extra_size run #7: crashed: WARNING in rds_rdma_extra_size run #8: crashed: WARNING in rds_rdma_extra_size run #9: crashed: WARNING in rds_rdma_extra_size testing release v5.8 testing commit bcf876870b95592b52519ed4aafcf9d95999bc9c with gcc (GCC) 8.1.0 kernel signature: e1b748eb2406e6b7622d3ac2ddd4d5444e7de9e64fd85ab34f83bf371b1755d5 run #0: boot failed: create image operation failed: &{Code:ZONE_RESOURCE_POOL_EXHAUSTED_WITH_DETAILS Location: Message:The zone 'projects/syzkaller/zones/us-central1-c' does not have enough resources available to fulfill the request. '(resource type:compute)'. ForceSendFields:[] NullFields:[]}. run #1: crashed: WARNING in rds_rdma_extra_size run #2: crashed: WARNING in rds_rdma_extra_size run #3: crashed: WARNING in rds_rdma_extra_size run #4: crashed: WARNING in rds_rdma_extra_size run #5: crashed: WARNING in rds_rdma_extra_size run #6: crashed: WARNING in rds_rdma_extra_size run #7: crashed: WARNING in rds_rdma_extra_size run #8: crashed: WARNING in rds_rdma_extra_size run #9: crashed: WARNING in rds_rdma_extra_size testing release v5.7 testing commit 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162 with gcc (GCC) 8.1.0 kernel signature: 47862bb6707373f5ffcdd61ba6af4294f0c423a6cb2ee4daa5590631048de304 run #0: boot failed: create image operation failed: &{Code:ZONE_RESOURCE_POOL_EXHAUSTED_WITH_DETAILS Location: Message:The zone 'projects/syzkaller/zones/us-central1-c' does not have enough resources available to fulfill the request. '(resource type:compute)'. ForceSendFields:[] NullFields:[]}. run #1: boot failed: create image operation failed: &{Code:ZONE_RESOURCE_POOL_EXHAUSTED_WITH_DETAILS Location: Message:The zone 'projects/syzkaller/zones/us-central1-c' does not have enough resources available to fulfill the request. '(resource type:compute)'. ForceSendFields:[] NullFields:[]}. run #2: boot failed: create image operation failed: &{Code:ZONE_RESOURCE_POOL_EXHAUSTED_WITH_DETAILS Location: Message:The zone 'projects/syzkaller/zones/us-central1-c' does not have enough resources available to fulfill the request. '(resource type:compute)'. ForceSendFields:[] NullFields:[]}. run #3: boot failed: create image operation failed: &{Code:ZONE_RESOURCE_POOL_EXHAUSTED_WITH_DETAILS Location: Message:The zone 'projects/syzkaller/zones/us-central1-c' does not have enough resources available to fulfill the request. '(resource type:compute)'. ForceSendFields:[] NullFields:[]}. run #4: boot failed: create image operation failed: &{Code:ZONE_RESOURCE_POOL_EXHAUSTED_WITH_DETAILS Location: Message:The zone 'projects/syzkaller/zones/us-central1-c' does not have enough resources available to fulfill the request. '(resource type:compute)'. ForceSendFields:[] NullFields:[]}. run #5: boot failed: create image operation failed: &{Code:ZONE_RESOURCE_POOL_EXHAUSTED_WITH_DETAILS Location: Message:The zone 'projects/syzkaller/zones/us-central1-c' does not have enough resources available to fulfill the request. '(resource type:compute)'. ForceSendFields:[] NullFields:[]}. run #6: crashed: WARNING in rds_rdma_extra_size run #7: crashed: WARNING in rds_rdma_extra_size run #8: crashed: WARNING in rds_rdma_extra_size run #9: crashed: WARNING in rds_rdma_extra_size testing release v5.6 testing commit 7111951b8d4973bda27ff663f2cf18b663d15b48 with gcc (GCC) 8.1.0 kernel signature: 61d2f47e590b5f5b9af99913aeee4a183890a5a3a42d33ead5af338d6fce77b0 all runs: crashed: WARNING in rds_rdma_extra_size testing release v5.5 testing commit d5226fa6dbae0569ee43ecfc08bdcd6770fc4755 with gcc (GCC) 8.1.0 kernel signature: c02e30c85a426c1e8f9c3abeaf54f05a4c728b21f645f4db12a4be37adab4f4f all runs: crashed: WARNING in rds_rdma_extra_size testing release v5.4 testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0 kernel signature: 418d776f3a3a1cc9254eb5d6ca3b32cfdd18be0b9d67b015b468405fb2daecff all runs: crashed: WARNING in rds_rdma_extra_size testing release v5.3 testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.1.0 kernel signature: e249628c1ee34f77f2aa319be282abb58f3d9140778e2d153979f2cd76c9b777 all runs: crashed: WARNING in rds_rdma_extra_size testing release v5.2 testing commit 0ecfebd2b52404ae0c54a878c872bb93363ada36 with gcc (GCC) 8.1.0 kernel signature: a6a68d9583d3a8125b02c95fc9622169e78400904b09f46799b9f3c98b341f31 all runs: crashed: WARNING in rds_rdma_extra_size testing release v5.1 testing commit e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd with gcc (GCC) 8.1.0 kernel signature: f8444d7f606701f2cba2c2b1e79ec64e2e00a9604951e8f29c97fd39394d2e63 all runs: crashed: WARNING in rds_rdma_extra_size testing release v5.0 testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783 with gcc (GCC) 8.1.0 kernel signature: d1de21bb044e544efe5b0b18676c1120101c7d2ac339371f47a9b257538ce7cb all runs: crashed: WARNING in rds_rdma_extra_size testing release v4.20 testing commit 8fe28cb58bcb235034b64cbbb7550a8a43fd88be with gcc (GCC) 8.1.0 kernel signature: c441b2368f678ae5529d853b70abc87303478f8435f97d01e80cef739b5f6527 all runs: crashed: WARNING in rds_rdma_extra_size testing release v4.19 testing commit 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d with gcc (GCC) 8.1.0 kernel signature: 5245e4536e0b6585c39613e9f5bd6bc911c1db66c6314a862227039043f5cdad all runs: OK # git bisect start 8fe28cb58bcb235034b64cbbb7550a8a43fd88be 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d Bisecting: 7499 revisions left to test after this (roughly 13 steps) [ec9c166434595382be3babf266febf876327774d] Merge tag 'mips_fixes_4.20_1' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux testing commit ec9c166434595382be3babf266febf876327774d with gcc (GCC) 8.1.0 kernel signature: fe4c6503f726f078eafd945679d5dfe88ae648afe8ee4188a4745afb06c070f0 all runs: OK # git bisect good ec9c166434595382be3babf266febf876327774d Bisecting: 3610 revisions left to test after this (roughly 12 steps) [93335e5911dbffccd3b74c4d214268c0fd2bc1b0] Merge tag 'armsoc-dt' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc testing commit 93335e5911dbffccd3b74c4d214268c0fd2bc1b0 with gcc (GCC) 8.1.0 kernel signature: d48dfde36031b89f66075227daeaf3c679547b6b5fffaf606563d9c75e4b46de all runs: OK # git bisect good 93335e5911dbffccd3b74c4d214268c0fd2bc1b0 Bisecting: 1804 revisions left to test after this (roughly 11 steps) [e12e00e388dee1d2a86e9b90f79a69f9acd2c9b0] Merge tag 'kbuild-fixes-v4.20' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild testing commit e12e00e388dee1d2a86e9b90f79a69f9acd2c9b0 with gcc (GCC) 8.1.0 kernel signature: 51464a14007442eccb060a63f37a91fd258ada1439e34c9113b6218572f98066 all runs: OK # git bisect good e12e00e388dee1d2a86e9b90f79a69f9acd2c9b0 Bisecting: 900 revisions left to test after this (roughly 10 steps) [d8f190ee836a4581ba906731835d735cb97948f5] Merge branch 'akpm' (patches from Andrew) testing commit d8f190ee836a4581ba906731835d735cb97948f5 with gcc (GCC) 8.1.0 kernel signature: 407e87d82411c850e68c7a59d8b8c2a42d0fb54930967040421bf4aa38863952 all runs: OK # git bisect good d8f190ee836a4581ba906731835d735cb97948f5 Bisecting: 450 revisions left to test after this (roughly 9 steps) [d48f782e4fb20dc7ec935ca0ca41ae31e4a69362] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net testing commit d48f782e4fb20dc7ec935ca0ca41ae31e4a69362 with gcc (GCC) 8.1.0 kernel signature: 2fe5a48d1eb335cd4415a2a9e4372026e8f79b1956e8e57e9d3de70a26f0fb81 run #0: boot failed: create image operation failed: &{Code:ZONE_RESOURCE_POOL_EXHAUSTED_WITH_DETAILS Location: Message:The zone 'projects/syzkaller/zones/us-central1-c' does not have enough resources available to fulfill the request. '(resource type:compute)'. ForceSendFields:[] NullFields:[]}. run #1: boot failed: create image operation failed: &{Code:ZONE_RESOURCE_POOL_EXHAUSTED_WITH_DETAILS Location: Message:The zone 'projects/syzkaller/zones/us-central1-c' does not have enough resources available to fulfill the request. '(resource type:compute)'. ForceSendFields:[] NullFields:[]}. run #2: boot failed: create image operation failed: &{Code:ZONE_RESOURCE_POOL_EXHAUSTED_WITH_DETAILS Location: Message:The zone 'projects/syzkaller/zones/us-central1-c' does not have enough resources available to fulfill the request. '(resource type:compute)'. ForceSendFields:[] NullFields:[]}. run #3: boot failed: create image operation failed: &{Code:ZONE_RESOURCE_POOL_EXHAUSTED_WITH_DETAILS Location: Message:The zone 'projects/syzkaller/zones/us-central1-c' does not have enough resources available to fulfill the request. '(resource type:compute)'. ForceSendFields:[] NullFields:[]}. run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect good d48f782e4fb20dc7ec935ca0ca41ae31e4a69362 Bisecting: 264 revisions left to test after this (roughly 8 steps) [ab63e725b49c80f941446327d79ba5b68593bf5a] Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost testing commit ab63e725b49c80f941446327d79ba5b68593bf5a with gcc (GCC) 8.1.0 kernel signature: a7152e592e99ff2a13cf110eb0520729eef5144567a6bff97708e0be524fb4cf all runs: OK # git bisect good ab63e725b49c80f941446327d79ba5b68593bf5a Bisecting: 132 revisions left to test after this (roughly 7 steps) [c6f4075e2f14a91f2180c98bc7715946f791cbe6] Merge tag 'wireless-drivers-for-davem-2018-12-19' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers testing commit c6f4075e2f14a91f2180c98bc7715946f791cbe6 with gcc (GCC) 8.1.0 kernel signature: d2523a9df70141a0fedb93a4312c9014ff639523410aa4669988f3666ffdf5f0 run #0: OK run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: crashed: general protection fault in batadv_iv_ogm_queue_add reproducer seems to be flaky # git bisect bad c6f4075e2f14a91f2180c98bc7715946f791cbe6 Bisecting: 65 revisions left to test after this (roughly 6 steps) [10589a568f2ec531975504c98c1bed88c233a63d] Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf testing commit 10589a568f2ec531975504c98c1bed88c233a63d with gcc (GCC) 8.1.0 kernel signature: 7071b8d1677d9dd15f02ec603ced113bd6976152243a72784a5af093069992a1 run #0: OK run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: crashed: general protection fault in batadv_iv_ogm_queue_add # git bisect bad 10589a568f2ec531975504c98c1bed88c233a63d Bisecting: 34 revisions left to test after this (roughly 5 steps) [9e69efd453211a3646fba9262d3e7819f80b2949] Merge branch 'vhost-fixes' testing commit 9e69efd453211a3646fba9262d3e7819f80b2949 with gcc (GCC) 8.1.0 kernel signature: 3fbdc349a686c281237908e47808a3f5d9a777696423ec29ecdbe693df92922d all runs: OK # git bisect good 9e69efd453211a3646fba9262d3e7819f80b2949 Bisecting: 17 revisions left to test after this (roughly 4 steps) [6c0563e442528733219afe15c749eb2cc365da3f] net/tls: Init routines in create_ctx testing commit 6c0563e442528733219afe15c749eb2cc365da3f with gcc (GCC) 8.1.0 kernel signature: de98c2f91d4ce42e7dfffb6b9332d300fb20336ff7ba36a5e09db5afbe436e7d run #0: boot failed: create image operation failed: &{Code:ZONE_RESOURCE_POOL_EXHAUSTED_WITH_DETAILS Location: Message:The zone 'projects/syzkaller/zones/us-central1-c' does not have enough resources available to fulfill the request. '(resource type:compute)'. ForceSendFields:[] NullFields:[]}. run #1: boot failed: create image operation failed: &{Code:ZONE_RESOURCE_POOL_EXHAUSTED_WITH_DETAILS Location: Message:The zone 'projects/syzkaller/zones/us-central1-c' does not have enough resources available to fulfill the request. '(resource type:compute)'. ForceSendFields:[] NullFields:[]}. run #2: boot failed: create image operation failed: &{Code:ZONE_RESOURCE_POOL_EXHAUSTED_WITH_DETAILS Location: Message:The zone 'projects/syzkaller/zones/us-central1-c' does not have enough resources available to fulfill the request. '(resource type:compute)'. ForceSendFields:[] NullFields:[]}. run #3: boot failed: create image operation failed: &{Code:ZONE_RESOURCE_POOL_EXHAUSTED_WITH_DETAILS Location: Message:The zone 'projects/syzkaller/zones/us-central1-c' does not have enough resources available to fulfill the request. '(resource type:compute)'. ForceSendFields:[] NullFields:[]}. run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect good 6c0563e442528733219afe15c749eb2cc365da3f Bisecting: 8 revisions left to test after this (roughly 3 steps) [65cab850f0eeaa9180bd2e10a231964f33743edf] net: Allow class-e address assignment via ifconfig ioctl testing commit 65cab850f0eeaa9180bd2e10a231964f33743edf with gcc (GCC) 8.1.0 kernel signature: 25e8236dd561aacf2d65e7d5f2c2cbc9b4ce05ea4ecb8b1591fd5da16f3919a8 all runs: OK # git bisect good 65cab850f0eeaa9180bd2e10a231964f33743edf Bisecting: 4 revisions left to test after this (roughly 2 steps) [c2a20a2731df11f9b7b7030f7ac3fc222c9ce39d] selftests/bpf: add missing pointer dereference for map stacktrace fixup testing commit c2a20a2731df11f9b7b7030f7ac3fc222c9ce39d with gcc (GCC) 8.1.0 kernel signature: b2135a2b7ba3f347136ab9dcee3c5b38c7b94d504ff6ea75783ff32d7ad52d56 all runs: OK # git bisect good c2a20a2731df11f9b7b7030f7ac3fc222c9ce39d Bisecting: 2 revisions left to test after this (roughly 1 step) [fdadd04931c2d7cd294dc5b2b342863f94be53a3] bpf: fix bpf_jit_limit knob for PAGE_SIZE >= 64K testing commit fdadd04931c2d7cd294dc5b2b342863f94be53a3 with gcc (GCC) 8.1.0 kernel signature: ab32412662adae9175aa461e08e67e8d580d9c59c608ac7602226d9701378ed3 run #0: OK run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: crashed: KASAN: use-after-free Read in batadv_iv_ogm_queue_add # git bisect bad fdadd04931c2d7cd294dc5b2b342863f94be53a3 Bisecting: 0 revisions left to test after this (roughly 0 steps) [aca1a80ebe3e4d49adaf6516c61a6786b1ee7dad] selftests/bpf: use proper type when passing prog_type testing commit aca1a80ebe3e4d49adaf6516c61a6786b1ee7dad with gcc (GCC) 8.1.0 kernel signature: b2135a2b7ba3f347136ab9dcee3c5b38c7b94d504ff6ea75783ff32d7ad52d56 run #0: boot failed: create image operation failed: &{Code:ZONE_RESOURCE_POOL_EXHAUSTED_WITH_DETAILS Location: Message:The zone 'projects/syzkaller/zones/us-central1-c' does not have enough resources available to fulfill the request. '(resource type:compute)'. ForceSendFields:[] NullFields:[]}. run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect good aca1a80ebe3e4d49adaf6516c61a6786b1ee7dad fdadd04931c2d7cd294dc5b2b342863f94be53a3 is the first bad commit commit fdadd04931c2d7cd294dc5b2b342863f94be53a3 Author: Daniel Borkmann Date: Tue Dec 11 12:14:12 2018 +0100 bpf: fix bpf_jit_limit knob for PAGE_SIZE >= 64K Michael and Sandipan report: Commit ede95a63b5 introduced a bpf_jit_limit tuneable to limit BPF JIT allocations. At compile time it defaults to PAGE_SIZE * 40000, and is adjusted again at init time if MODULES_VADDR is defined. For ppc64 kernels, MODULES_VADDR isn't defined, so we're stuck with the compile-time default at boot-time, which is 0x9c400000 when using 64K page size. This overflows the signed 32-bit bpf_jit_limit value: root@ubuntu:/tmp# cat /proc/sys/net/core/bpf_jit_limit -1673527296 and can cause various unexpected failures throughout the network stack. In one case `strace dhclient eth0` reported: setsockopt(5, SOL_SOCKET, SO_ATTACH_FILTER, {len=11, filter=0x105dd27f8}, 16) = -1 ENOTSUPP (Unknown error 524) and similar failures can be seen with tools like tcpdump. This doesn't always reproduce however, and I'm not sure why. The more consistent failure I've seen is an Ubuntu 18.04 KVM guest booted on a POWER9 host would time out on systemd/netplan configuring a virtio-net NIC with no noticeable errors in the logs. Given this and also given that in near future some architectures like arm64 will have a custom area for BPF JIT image allocations we should get rid of the BPF_JIT_LIMIT_DEFAULT fallback / default entirely. For 4.21, we have an overridable bpf_jit_alloc_exec(), bpf_jit_free_exec() so therefore add another overridable bpf_jit_alloc_exec_limit() helper function which returns the possible size of the memory area for deriving the default heuristic in bpf_jit_charge_init(). Like bpf_jit_alloc_exec() and bpf_jit_free_exec(), the new bpf_jit_alloc_exec_limit() assumes that module_alloc() is the default JIT memory provider, and therefore in case archs implement their custom module_alloc() we use MODULES_{END,_VADDR} for limits and otherwise for vmalloc_exec() cases like on ppc64 we use VMALLOC_{END,_START}. Additionally, for archs supporting large page sizes, we should change the sysctl to be handled as long to not run into sysctl restrictions in future. Fixes: ede95a63b5e8 ("bpf: add bpf_jit_limit knob to restrict unpriv allocations") Reported-by: Sandipan Das Reported-by: Michael Roth Signed-off-by: Daniel Borkmann Tested-by: Michael Roth Signed-off-by: Alexei Starovoitov include/linux/filter.h | 2 +- kernel/bpf/core.c | 21 +++++++++++++++------ net/core/sysctl_net_core.c | 20 +++++++++++++++++--- 3 files changed, 33 insertions(+), 10 deletions(-) culprit signature: ab32412662adae9175aa461e08e67e8d580d9c59c608ac7602226d9701378ed3 parent signature: b2135a2b7ba3f347136ab9dcee3c5b38c7b94d504ff6ea75783ff32d7ad52d56 Reproducer flagged being flaky revisions tested: 28, total time: 5h15m24.913197633s (build: 2h26m11.008839235s, test: 2h46m9.662169602s) first bad commit: fdadd04931c2d7cd294dc5b2b342863f94be53a3 bpf: fix bpf_jit_limit knob for PAGE_SIZE >= 64K recipients (to): ["ast@kernel.org" "daniel@iogearbox.net" "mdroth@linux.vnet.ibm.com"] recipients (cc): [] crash: KASAN: use-after-free Read in batadv_iv_ogm_queue_add device bridge_slave_0 left promiscuous mode bridge0: port 1(bridge_slave_0) entered disabled state batman_adv: batadv0: Interface deactivated: batadv_slave_0 batman_adv: batadv0: Removing interface: batadv_slave_0 ================================================================== BUG: KASAN: use-after-free in memcpy include/linux/string.h:352 [inline] BUG: KASAN: use-after-free in batadv_iv_ogm_aggregate_new net/batman-adv/bat_iv_ogm.c:551 [inline] BUG: KASAN: use-after-free in batadv_iv_ogm_queue_add+0x327/0xf00 net/batman-adv/bat_iv_ogm.c:647 Read of size 60 at addr ffff8880b3ad6660 by task kworker/u4:1/21 CPU: 1 PID: 21 Comm: kworker/u4:1 Not tainted 4.20.0-rc4-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: bat_events batadv_iv_send_outstanding_bat_ogm_packet Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x86/0xca lib/dump_stack.c:113 print_address_description.cold.5+0x9/0x244 mm/kasan/report.c:256 kasan_report_error mm/kasan/report.c:354 [inline] kasan_report.cold.6+0x242/0x304 mm/kasan/report.c:412 check_memory_region_inline mm/kasan/kasan.c:260 [inline] check_memory_region+0x13c/0x1b0 mm/kasan/kasan.c:267 memcpy+0x23/0x50 mm/kasan/kasan.c:302 memcpy include/linux/string.h:352 [inline] batadv_iv_ogm_aggregate_new net/batman-adv/bat_iv_ogm.c:551 [inline] batadv_iv_ogm_queue_add+0x327/0xf00 net/batman-adv/bat_iv_ogm.c:647 batadv_iv_ogm_schedule+0xb47/0xe80 net/batman-adv/bat_iv_ogm.c:820 batadv_iv_send_outstanding_bat_ogm_packet+0x4a2/0x7a0 net/batman-adv/bat_iv_ogm.c:1682 process_one_work+0x7b9/0x15a0 kernel/workqueue.c:2153 worker_thread+0x85/0xb60 kernel/workqueue.c:2296 kthread+0x324/0x3e0 kernel/kthread.c:246 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 Allocated by task 21: save_stack mm/kasan/kasan.c:448 [inline] set_track mm/kasan/kasan.c:460 [inline] kasan_kmalloc.part.1+0x62/0xf0 mm/kasan/kasan.c:553 kasan_kmalloc+0xaf/0xc0 mm/kasan/kasan.c:538 __kmalloc+0x157/0x340 mm/slub.c:3787 kmalloc include/linux/slab.h:551 [inline] batadv_tvlv_realloc_packet_buff net/batman-adv/tvlv.c:289 [inline] batadv_tvlv_container_ogm_append+0x16f/0x4b0 net/batman-adv/tvlv.c:330 batadv_iv_ogm_schedule+0xc39/0xe80 net/batman-adv/bat_iv_ogm.c:783 batadv_iv_send_outstanding_bat_ogm_packet+0x4a2/0x7a0 net/batman-adv/bat_iv_ogm.c:1682 process_one_work+0x7b9/0x15a0 kernel/workqueue.c:2153 worker_thread+0x85/0xb60 kernel/workqueue.c:2296 kthread+0x324/0x3e0 kernel/kthread.c:246 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 Freed by task 51: save_stack mm/kasan/kasan.c:448 [inline] set_track mm/kasan/kasan.c:460 [inline] __kasan_slab_free+0x167/0x240 mm/kasan/kasan.c:521 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528 slab_free_hook mm/slub.c:1409 [inline] slab_free_freelist_hook mm/slub.c:1436 [inline] slab_free mm/slub.c:2991 [inline] kfree+0xf2/0x310 mm/slub.c:3942 batadv_iv_ogm_iface_disable+0x34/0x70 net/batman-adv/bat_iv_ogm.c:233 batadv_hardif_disable_interface.cold.10+0x712/0x107a net/batman-adv/hard-interface.c:882 batadv_softif_destroy_netlink+0x94/0x100 net/batman-adv/soft-interface.c:1147 default_device_exit_batch+0x239/0x3d0 net/core/dev.c:9583 ops_exit_list.isra.0+0xd3/0x120 net/core/net_namespace.c:156 cleanup_net+0x363/0x840 net/core/net_namespace.c:551 process_one_work+0x7b9/0x15a0 kernel/workqueue.c:2153 worker_thread+0x85/0xb60 kernel/workqueue.c:2296 kthread+0x324/0x3e0 kernel/kthread.c:246 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 The buggy address belongs to the object at ffff8880b3ad6660 which belongs to the cache kmalloc-64 of size 64 The buggy address is located 0 bytes inside of 64-byte region [ffff8880b3ad6660, ffff8880b3ad66a0) The buggy address belongs to the page: page:ffffea0002ceb580 count:1 mapcount:0 mapping:ffff88813ff35600 index:0xffff8880b3ad6300 flags: 0xfff00000000200(slab) raw: 00fff00000000200 ffffea0002b2c440 0000000a0000000a ffff88813ff35600 raw: ffff8880b3ad6300 00000000802a001c 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880b3ad6500: fb fb fb fb fc fc fc fc fb fb fb fb fb fb fb fb ffff8880b3ad6580: fc fc fc fc fb fb fb fb fb fb fb fb fc fc fc fc >ffff8880b3ad6600: fb fb fb fb fb fb fb fb fc fc fc fc fb fb fb fb ^ ffff8880b3ad6680: fb fb fb fb fc fc fc fc fb fb fb fb fb fb fb fb ffff8880b3ad6700: fc fc fc fc fb fb fb fb fb fb fb fb fc fc fc fc ==================================================================