bisecting fixing commit since 1ec8f1f0bffe34ebdf95dbe0fd4a6635a84612a8
building syzkaller on e955ac5009431b0201f2e3cf548472bb8acea696
testing commit 1ec8f1f0bffe34ebdf95dbe0fd4a6635a84612a8 with gcc (GCC) 8.1.0
kernel signature: 9f1ed1604b540bfe0376115e15618a42b87d08fa
run #0: crashed: KASAN: use-after-free Read in erspan_build_header
run #1: crashed: KASAN: use-after-free Read in erspan_build_header
run #2: crashed: KASAN: use-after-free Read in erspan_build_header
run #3: crashed: KASAN: slab-out-of-bounds Read in erspan_build_header
run #4: crashed: KASAN: slab-out-of-bounds Read in erspan_build_header
run #5: crashed: KASAN: slab-out-of-bounds Read in erspan_build_header
run #6: crashed: KASAN: slab-out-of-bounds Read in erspan_build_header
run #7: crashed: KASAN: use-after-free Read in erspan_build_header
run #8: crashed: KASAN: use-after-free Read in erspan_build_header
run #9: crashed: KASAN: slab-out-of-bounds Read in erspan_build_header
testing current HEAD 43598c571e7ed29e4c81e35b4a870fe6b9f8d58e
testing commit 43598c571e7ed29e4c81e35b4a870fe6b9f8d58e with gcc (GCC) 8.1.0
kernel signature: 72fcf6b11323660e2f71ce095faa91cebc59a7f7
run #0: boot failed: create image operation failed: &{Code:QUOTA_EXCEEDED Location: Message:Quota 'CPUS' exceeded. Limit: 500.0 in region us-central1. ForceSendFields:[] NullFields:[]}.
run #1: boot failed: create image operation failed: &{Code:QUOTA_EXCEEDED Location: Message:Quota 'CPUS' exceeded. Limit: 500.0 in region us-central1. ForceSendFields:[] NullFields:[]}.
run #2: boot failed: create image operation failed: &{Code:QUOTA_EXCEEDED Location: Message:Quota 'CPUS' exceeded. Limit: 500.0 in region us-central1. ForceSendFields:[] NullFields:[]}.
run #3: boot failed: create image operation failed: &{Code:QUOTA_EXCEEDED Location: Message:Quota 'CPUS' exceeded. Limit: 500.0 in region us-central1. ForceSendFields:[] NullFields:[]}.
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect start 43598c571e7ed29e4c81e35b4a870fe6b9f8d58e 1ec8f1f0bffe34ebdf95dbe0fd4a6635a84612a8
Bisecting: 1748 revisions left to test after this (roughly 11 steps)
[5d953c77e6d2e3a4e70e3b559b46105c96ac26c3] 9p: pass the correct prototype to read_cache_page
testing commit 5d953c77e6d2e3a4e70e3b559b46105c96ac26c3 with gcc (GCC) 8.1.0
kernel signature: c8540ab8cedaccbdd30a8f4262d73ab5efc8abf2
all runs: OK
# git bisect bad 5d953c77e6d2e3a4e70e3b559b46105c96ac26c3
Bisecting: 873 revisions left to test after this (roughly 10 steps)
[c8bd0da237e20664fe481af8aebc9c7c5d6a9e8b] drm/amdgpu: fix old fence check in amdgpu_fence_emit
testing commit c8bd0da237e20664fe481af8aebc9c7c5d6a9e8b with gcc (GCC) 8.1.0
kernel signature: 42994b1b6a6c639d9fd9e1089fada329c87d6527
all runs: OK
# git bisect bad c8bd0da237e20664fe481af8aebc9c7c5d6a9e8b
Bisecting: 436 revisions left to test after this (roughly 9 steps)
[5d60a0661058612ec612caf9672f24a40a9c7765] linux/kernel.h: Use parentheses around argument in u64_to_user_ptr()
testing commit 5d60a0661058612ec612caf9672f24a40a9c7765 with gcc (GCC) 8.1.0
kernel signature: 0cea56e7eeb6b5216c994c717fcfc26f3fcb4dfc
run #0: boot failed: create image operation failed: &{Code:QUOTA_EXCEEDED Location: Message:Quota 'CPUS' exceeded. Limit: 500.0 in region us-central1. ForceSendFields:[] NullFields:[]}.
run #1: crashed: KASAN: use-after-free Read in erspan_build_header
run #2: crashed: KASAN: use-after-free Read in erspan_build_header
run #3: crashed: KASAN: use-after-free Read in erspan_build_header
run #4: boot failed: create image operation failed: &{Code:QUOTA_EXCEEDED Location: Message:Quota 'CPUS' exceeded. Limit: 500.0 in region us-central1. ForceSendFields:[] NullFields:[]}.
run #5: crashed: KASAN: use-after-free Read in erspan_build_header
run #6: crashed: KASAN: use-after-free Read in erspan_build_header
run #7: crashed: KASAN: use-after-free Read in erspan_build_header
run #8: boot failed: create image operation failed: &{Code:QUOTA_EXCEEDED Location: Message:Quota 'CPUS' exceeded. Limit: 500.0 in region us-central1. ForceSendFields:[] NullFields:[]}.
run #9: boot failed: create image operation failed: &{Code:QUOTA_EXCEEDED Location: Message:Quota 'CPUS' exceeded. Limit: 500.0 in region us-central1. ForceSendFields:[] NullFields:[]}.
# git bisect good 5d60a0661058612ec612caf9672f24a40a9c7765
Bisecting: 218 revisions left to test after this (roughly 8 steps)
[db858f17883e43280f7f6d0702539761bf6e5c0e] bcache: fix a race between cache register and cacheset unregister
testing commit db858f17883e43280f7f6d0702539761bf6e5c0e with gcc (GCC) 8.1.0
kernel signature: 8a11c4f22ef98ea99859ccd48a8daa6ca87c753f
run #0: crashed: KASAN: use-after-free Read in erspan_build_header
run #1: crashed: KASAN: use-after-free Read in erspan_build_header
run #2: crashed: KASAN: slab-out-of-bounds Read in erspan_build_header
run #3: crashed: KASAN: use-after-free Read in erspan_build_header
run #4: crashed: KASAN: use-after-free Read in erspan_build_header
run #5: crashed: KASAN: slab-out-of-bounds Read in erspan_build_header
run #6: crashed: KASAN: slab-out-of-bounds Read in erspan_build_header
run #7: crashed: KASAN: use-after-free Read in erspan_build_header
run #8: crashed: KASAN: use-after-free Read in erspan_build_header
run #9: crashed: KASAN: use-after-free Read in erspan_build_header
# git bisect good db858f17883e43280f7f6d0702539761bf6e5c0e
Bisecting: 109 revisions left to test after this (roughly 7 steps)
[e71556e3684d6b11592bbdbe5406bbe1d73ab706] libnvdimm/pmem: Bypass CONFIG_HARDENED_USERCOPY overhead
testing commit e71556e3684d6b11592bbdbe5406bbe1d73ab706 with gcc (GCC) 8.1.0
kernel signature: 2a9821c5e61cccf37189fe373b5af269870933a0
run #0: crashed: KASAN: slab-out-of-bounds Read in erspan_build_header
run #1: crashed: KASAN: use-after-free Read in erspan_build_header
run #2: crashed: KASAN: use-after-free Read in erspan_build_header
run #3: crashed: KASAN: slab-out-of-bounds Read in erspan_build_header
run #4: crashed: KASAN: slab-out-of-bounds Read in erspan_build_header
run #5: crashed: KASAN: slab-out-of-bounds Read in erspan_build_header
run #6: crashed: KASAN: use-after-free Read in erspan_build_header
run #7: crashed: KASAN: slab-out-of-bounds Read in erspan_build_header
run #8: crashed: KASAN: slab-out-of-bounds Read in erspan_build_header
run #9: crashed: KASAN: slab-out-of-bounds Read in erspan_build_header
# git bisect good e71556e3684d6b11592bbdbe5406bbe1d73ab706
Bisecting: 54 revisions left to test after this (roughly 6 steps)
[f213a1d5c03a4e5c3360bcb043095b0bddad71c5] mac80211/cfg80211: update bss channel on channel switch
testing commit f213a1d5c03a4e5c3360bcb043095b0bddad71c5 with gcc (GCC) 8.1.0
kernel signature: 0918e13899a58bd5767b3330404d632cfa193fbc
run #0: boot failed: create image operation failed: &{Code:QUOTA_EXCEEDED Location: Message:Quota 'CPUS' exceeded. Limit: 500.0 in region us-central1. ForceSendFields:[] NullFields:[]}.
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad f213a1d5c03a4e5c3360bcb043095b0bddad71c5
Bisecting: 27 revisions left to test after this (roughly 5 steps)
[470237c22724c9777de74fddc75a5c70ff779788] IB/hfi1: Fix WQ_MEM_RECLAIM warning
testing commit 470237c22724c9777de74fddc75a5c70ff779788 with gcc (GCC) 8.1.0
kernel signature: 4844d433f246eee13f76566273b794bd504f7651
all runs: OK
# git bisect bad 470237c22724c9777de74fddc75a5c70ff779788
Bisecting: 13 revisions left to test after this (roughly 4 steps)
[d819d97ea025f8c32c12adef0ff55b2c7bf5c853] btrfs: honor path->skip_locking in backref code
testing commit d819d97ea025f8c32c12adef0ff55b2c7bf5c853 with gcc (GCC) 8.1.0
kernel signature: b7a98499665ea4e9cb56c773a2f9c3c320b7bfae
run #0: crashed: KASAN: slab-out-of-bounds Read in erspan_build_header
run #1: crashed: KASAN: use-after-free Read in erspan_build_header
run #2: crashed: KASAN: slab-out-of-bounds Read in erspan_build_header
run #3: crashed: KASAN: use-after-free Read in erspan_build_header
run #4: crashed: KASAN: use-after-free Read in erspan_build_header
run #5: crashed: KASAN: slab-out-of-bounds Read in erspan_build_header
run #6: crashed: KASAN: slab-out-of-bounds Read in erspan_build_header
run #7: crashed: KASAN: slab-out-of-bounds Read in erspan_build_header
run #8: crashed: KASAN: slab-out-of-bounds Read in erspan_build_header
run #9: crashed: KASAN: slab-out-of-bounds Read in erspan_build_header
# git bisect good d819d97ea025f8c32c12adef0ff55b2c7bf5c853
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[3b61016de8d6cf147ff3346ea4dd46acd933dc26] batman-adv: mcast: fix multicast tt/tvlv worker locking
testing commit 3b61016de8d6cf147ff3346ea4dd46acd933dc26 with gcc (GCC) 8.1.0
kernel signature: a891e01ebb2dde1cdb9388b0de55dc883d77f1ff
run #0: boot failed: create image operation failed: &{Code:QUOTA_EXCEEDED Location: Message:Quota 'CPUS' exceeded. Limit: 500.0 in region us-central1. ForceSendFields:[] NullFields:[]}.
run #1: crashed: KASAN: slab-out-of-bounds Read in erspan_build_header
run #2: crashed: KASAN: slab-out-of-bounds Read in erspan_build_header
run #3: crashed: KASAN: slab-out-of-bounds Read in erspan_build_header
run #4: crashed: KASAN: use-after-free Read in erspan_build_header
run #5: crashed: KASAN: use-after-free Read in erspan_build_header
run #6: crashed: KASAN: use-after-free Read in erspan_build_header
run #7: crashed: KASAN: use-after-free Read in erspan_build_header
run #8: crashed: KASAN: use-after-free Read in erspan_build_header
run #9: crashed: KASAN: use-after-free Read in erspan_build_header
# git bisect good 3b61016de8d6cf147ff3346ea4dd46acd933dc26
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[6250c25a2aa516d375a9bb8b730a28531f632ff5] Revert "btrfs: Honour FITRIM range constraints during free space trim"
testing commit 6250c25a2aa516d375a9bb8b730a28531f632ff5 with gcc (GCC) 8.1.0
kernel signature: 7e49b5dc77339ec9cb6f24bb48af5a8c4f22c156
all runs: OK
# git bisect bad 6250c25a2aa516d375a9bb8b730a28531f632ff5
Bisecting: 0 revisions left to test after this (roughly 1 step)
[1d629bf9b5767cdbe902f32b058ae8c99df72516] net: erspan: fix use-after-free
testing commit 1d629bf9b5767cdbe902f32b058ae8c99df72516 with gcc (GCC) 8.1.0
kernel signature: af7d4e6a4c24a244502383e7bcd7d73a5a5fa84f
run #0: boot failed: create image operation failed: &{Code:QUOTA_EXCEEDED Location: Message:Quota 'CPUS' exceeded. Limit: 500.0 in region us-central1. ForceSendFields:[] NullFields:[]}.
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 1d629bf9b5767cdbe902f32b058ae8c99df72516
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[1fa1c6b63f1e6585ad98e5478e73f5f68f9c823e] at76c50x-usb: Don't register led_trigger if usb_register_driver failed
testing commit 1fa1c6b63f1e6585ad98e5478e73f5f68f9c823e with gcc (GCC) 8.1.0
kernel signature: c11500a6893f3a34af0617e59998b0560646daf3
run #0: boot failed: create image operation failed: &{Code:QUOTA_EXCEEDED Location: Message:Quota 'CPUS' exceeded. Limit: 500.0 in region us-central1. ForceSendFields:[] NullFields:[]}.
run #1: crashed: KASAN: use-after-free Read in erspan_build_header
run #2: crashed: KASAN: use-after-free Read in erspan_build_header
run #3: crashed: KASAN: slab-out-of-bounds Read in erspan_build_header
run #4: crashed: KASAN: use-after-free Read in erspan_build_header
run #5: crashed: KASAN: use-after-free Read in erspan_build_header
run #6: crashed: KASAN: slab-out-of-bounds Read in erspan_build_header
run #7: crashed: KASAN: use-after-free Read in erspan_build_header
run #8: crashed: KASAN: slab-out-of-bounds Read in erspan_build_header
run #9: crashed: KASAN: use-after-free Read in erspan_build_header
# git bisect good 1fa1c6b63f1e6585ad98e5478e73f5f68f9c823e
1d629bf9b5767cdbe902f32b058ae8c99df72516 is the first bad commit
commit 1d629bf9b5767cdbe902f32b058ae8c99df72516
Author: William Tu
Date:   Tue Jan 23 17:01:29 2018 -0800

    net: erspan: fix use-after-free

    commit b423d13c08a656c719fa56324a8f4279c835d90c upstream.

    When building the erspan header for either v1 or v2, the eth_hdr()
    does not point to the right inner packet's eth_hdr, causing kasan
    report use-after-free and slab-out-of-bounds read.

    The patch fixes the following syzkaller issues:
    [1] BUG: KASAN: slab-out-of-bounds in erspan_xmit+0x22d4/0x2430 net/ipv4/ip_gre.c:735
    [2] BUG: KASAN: slab-out-of-bounds in erspan_build_header+0x3bf/0x3d0 net/ipv4/ip_gre.c:698
    [3] BUG: KASAN: use-after-free in erspan_xmit+0x22d4/0x2430 net/ipv4/ip_gre.c:735
    [4] BUG: KASAN: use-after-free in erspan_build_header+0x3bf/0x3d0 net/ipv4/ip_gre.c:698

    [2]
    CPU: 0 PID: 3654 Comm: syzkaller377964 Not tainted 4.15.0-rc9+ #185
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    Call Trace:
     __dump_stack lib/dump_stack.c:17 [inline]
     dump_stack+0x194/0x257 lib/dump_stack.c:53
     print_address_description+0x73/0x250 mm/kasan/report.c:252
     kasan_report_error mm/kasan/report.c:351 [inline]
     kasan_report+0x25b/0x340 mm/kasan/report.c:409
     __asan_report_load_n_noabort+0xf/0x20 mm/kasan/report.c:440
     erspan_build_header+0x3bf/0x3d0 net/ipv4/ip_gre.c:698
     erspan_xmit+0x3b8/0x13b0 net/ipv4/ip_gre.c:740
     __netdev_start_xmit include/linux/netdevice.h:4042 [inline]
     netdev_start_xmit include/linux/netdevice.h:4051 [inline]
     packet_direct_xmit+0x315/0x6b0 net/packet/af_packet.c:266
     packet_snd net/packet/af_packet.c:2943 [inline]
     packet_sendmsg+0x3aed/0x60b0 net/packet/af_packet.c:2968
     sock_sendmsg_nosec net/socket.c:638 [inline]
     sock_sendmsg+0xca/0x110 net/socket.c:648
     SYSC_sendto+0x361/0x5c0 net/socket.c:1729
     SyS_sendto+0x40/0x50 net/socket.c:1697
     do_syscall_32_irqs_on arch/x86/entry/common.c:327 [inline]
     do_fast_syscall_32+0x3ee/0xf9d arch/x86/entry/common.c:389
     entry_SYSENTER_compat+0x54/0x63 arch/x86/entry/entry_64_compat.S:129
    RIP: 0023:0xf7fcfc79
    RSP: 002b:00000000ffc6976c EFLAGS: 00000286 ORIG_RAX: 0000000000000171
    RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 0000000020011000
    RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020008000
    RBP: 000000000000001c R08: 0000000000000000 R09: 0000000000000000
    R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
    R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000

    Fixes: f551c91de262 ("net: erspan: introduce erspan v2 for ip_gre")
    Fixes: 84e54fe0a5ea ("gre: introduce native tunnel support for ERSPAN")
    Reported-by: syzbot+9723f2d288e49b492cf0@syzkaller.appspotmail.com
    Reported-by: syzbot+f0ddeb2b032a8e1d9098@syzkaller.appspotmail.com
    Reported-by: syzbot+f14b3703cd8d7670203f@syzkaller.appspotmail.com
    Reported-by: syzbot+eefa384efad8d7997f20@syzkaller.appspotmail.com
    Signed-off-by: William Tu
    Signed-off-by: David S. Miller
    Signed-off-by: Christoph Paasch
    Signed-off-by: Greg Kroah-Hartman

 net/ipv4/ip_gre.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

kernel signature: af7d4e6a4c24a244502383e7bcd7d73a5a5fa84f
previous signature: c11500a6893f3a34af0617e59998b0560646daf3
revisions tested: 14, total time: 3h37m22.999032342s (build: 1h50m19.57933802s, test: 1h42m40.167499182s)
first good commit: 1d629bf9b5767cdbe902f32b058ae8c99df72516 net: erspan: fix use-after-free
cc: ["cpaasch@apple.com" "davem@davemloft.net" "gregkh@linuxfoundation.org" "u9012063@gmail.com"]