bisecting cause commit starting from 4a94c43323342f1522034d6566c5129a7386a0ab building syzkaller on 79b211f74b08737aeb4934c6ff69a263b3c38013 testing commit 4a94c43323342f1522034d6566c5129a7386a0ab with gcc (GCC) 8.1.0 kernel signature: 21a0db58d65e320602b2b1beffc02cd0d23d38d3 all runs: crashed: KASAN: use-after-free Read in eth_type_trans testing release v5.4 testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0 kernel signature: c2c69bca5c87648bfcb5e6e992f1e1e4a4bba8d1 run #0: crashed: KASAN: use-after-free Read in eth_type_trans run #1: crashed: KASAN: use-after-free Read in eth_type_trans run #2: crashed: KASAN: use-after-free Read in eth_type_trans run #3: crashed: KASAN: use-after-free Read in eth_type_trans run #4: crashed: KASAN: use-after-free Read in eth_type_trans run #5: crashed: KASAN: use-after-free Read in eth_type_trans run #6: crashed: KASAN: use-after-free Read in eth_type_trans run #7: crashed: KASAN: use-after-free Read in eth_type_trans run #8: crashed: KASAN: use-after-free Read in eth_type_trans run #9: crashed: KASAN: slab-out-of-bounds Read in eth_type_trans testing release v5.3 testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.1.0 kernel signature: b0334239c2029679204d7c024c8e0c12733d3e13 all runs: crashed: KASAN: use-after-free Read in eth_type_trans testing release v5.2 testing commit 0ecfebd2b52404ae0c54a878c872bb93363ada36 with gcc (GCC) 8.1.0 kernel signature: f0e56028f8e85d776d3a1730d86cc1db46bf7d92 run #0: crashed: KASAN: use-after-free Read in eth_type_trans run #1: crashed: KASAN: use-after-free Read in eth_type_trans run #2: crashed: KASAN: use-after-free Read in eth_type_trans run #3: crashed: KASAN: use-after-free Read in eth_type_trans run #4: crashed: KASAN: use-after-free Read in eth_type_trans run #5: crashed: KASAN: use-after-free Read in eth_type_trans run #6: crashed: KASAN: out-of-bounds Read in eth_type_trans run #7: crashed: KASAN: use-after-free Read in eth_type_trans run #8: crashed: KASAN: use-after-free Read in eth_type_trans run #9: crashed: KASAN: use-after-free Read in eth_type_trans testing release v5.1 testing commit e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd with gcc (GCC) 8.1.0 kernel signature: ec2d5e478a9de1a19c051d08ab492fe6af8fb19f run #0: crashed: KASAN: use-after-free Read in eth_type_trans run #1: crashed: KASAN: out-of-bounds Read in eth_type_trans run #2: crashed: KASAN: slab-out-of-bounds Read in eth_type_trans run #3: crashed: KASAN: use-after-free Read in eth_type_trans run #4: crashed: KASAN: use-after-free Read in eth_type_trans run #5: crashed: KASAN: use-after-free Read in eth_type_trans run #6: crashed: KASAN: use-after-free Read in eth_type_trans run #7: crashed: KASAN: use-after-free Read in eth_type_trans run #8: crashed: KASAN: use-after-free Read in eth_type_trans run #9: crashed: KASAN: use-after-free Read in eth_type_trans testing release v5.0 testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783 with gcc (GCC) 8.1.0 kernel signature: 91d170d82ada99018e6248db0dd3c50c48e8d914 all runs: crashed: KASAN: use-after-free Read in eth_type_trans testing release v4.20 testing commit 8fe28cb58bcb235034b64cbbb7550a8a43fd88be with gcc (GCC) 8.1.0 kernel signature: 72c18f11e24a60569bfed7336a51f88d9900b189 all runs: crashed: KASAN: use-after-free Read in eth_type_trans testing release v4.19 testing commit 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d with gcc (GCC) 8.1.0 kernel signature: b784c60b328c971f5cda37fb776cd69dc751710c run #0: crashed: KASAN: use-after-free Read in eth_type_trans run #1: crashed: KASAN: use-after-free Read in eth_type_trans run #2: crashed: KASAN: use-after-free Read in eth_type_trans run #3: crashed: KASAN: use-after-free Read in eth_type_trans run #4: crashed: KASAN: use-after-free Read in eth_type_trans run #5: crashed: KASAN: use-after-free Read in eth_type_trans run #6: crashed: KASAN: use-after-free Read in eth_type_trans run #7: crashed: KASAN: slab-out-of-bounds Read in eth_type_trans run #8: crashed: KASAN: use-after-free Read in eth_type_trans run #9: crashed: KASAN: use-after-free Read in eth_type_trans testing release v4.18 testing commit 94710cac0ef4ee177a63b5227664b38c95bbf703 with gcc (GCC) 8.1.0 kernel signature: ee67f0324abf116379550dcc8fe39a8506da5655 run #0: crashed: KASAN: use-after-free Read in eth_type_trans run #1: crashed: KASAN: use-after-free Read in eth_type_trans run #2: crashed: KASAN: use-after-free Read in eth_type_trans run #3: crashed: KASAN: use-after-free Read in eth_type_trans run #4: crashed: KASAN: use-after-free Read in eth_type_trans run #5: crashed: KASAN: slab-out-of-bounds Read in eth_type_trans run #6: crashed: KASAN: use-after-free Read in eth_type_trans run #7: crashed: KASAN: use-after-free Read in eth_type_trans run #8: crashed: KASAN: use-after-free Read in eth_type_trans run #9: crashed: KASAN: use-after-free Read in eth_type_trans testing release v4.17 testing commit 29dcea88779c856c7dc92040a0c01233263101d4 with gcc (GCC) 8.1.0 kernel signature: 3aa28586849b2420cc733e7345d6dda8669e5c36 run #0: crashed: KASAN: use-after-free Read in eth_type_trans run #1: crashed: KASAN: use-after-free Read in eth_type_trans run #2: crashed: KASAN: use-after-free Read in eth_type_trans run #3: crashed: KASAN: use-after-free Read in eth_type_trans run #4: crashed: KASAN: use-after-free Read in eth_type_trans run #5: crashed: KASAN: use-after-free Read in eth_type_trans run #6: crashed: KASAN: slab-out-of-bounds Read in eth_type_trans run #7: crashed: KASAN: use-after-free Read in eth_type_trans run #8: crashed: KASAN: use-after-free Read in eth_type_trans run #9: crashed: KASAN: use-after-free Read in eth_type_trans testing release v4.16 testing commit 0adb32858b0bddf4ada5f364a84ed60b196dbcda with gcc (GCC) 8.1.0 kernel signature: 8679b3ce7c5399691f04ff91adaf3a796364e990 run #0: crashed: KASAN: use-after-free Read in eth_type_trans run #1: crashed: KASAN: use-after-free Read in eth_type_trans run #2: crashed: KASAN: use-after-free Read in eth_type_trans run #3: crashed: KASAN: use-after-free Read in eth_type_trans run #4: crashed: KASAN: use-after-free Read in eth_type_trans run #5: crashed: KASAN: use-after-free Read in eth_type_trans run #6: crashed: KASAN: use-after-free Read in eth_type_trans run #7: crashed: KASAN: use-after-free Read in eth_type_trans run #8: crashed: KASAN: use-after-free Read in eth_type_trans run #9: crashed: KASAN: slab-out-of-bounds Read in eth_type_trans testing release v4.15 testing commit d8a5b80568a9cb66810e75b182018e9edb68e8ff with gcc (GCC) 8.1.0 kernel signature: e29765296646319b25ba10896606555360e221b8 run #0: crashed: KASAN: use-after-free Read in eth_type_trans run #1: crashed: KASAN: use-after-free Read in eth_type_trans run #2: crashed: KASAN: use-after-free Read in eth_type_trans run #3: crashed: KASAN: use-after-free Read in eth_type_trans run #4: crashed: KASAN: use-after-free Read in eth_type_trans run #5: crashed: KASAN: use-after-free Read in eth_type_trans run #6: crashed: KASAN: use-after-free Read in eth_type_trans run #7: crashed: KASAN: slab-out-of-bounds Read in eth_type_trans run #8: crashed: KASAN: use-after-free Read in eth_type_trans run #9: crashed: KASAN: use-after-free Read in eth_type_trans testing release v4.14 testing commit bebc6082da0a9f5d47a1ea2edc099bf671058bd4 with gcc (GCC) 8.1.0 kernel signature: 29e1b0dba83e12ce21ce0d761440409daf45f9e9 all runs: OK # git bisect start d8a5b80568a9cb66810e75b182018e9edb68e8ff bebc6082da0a9f5d47a1ea2edc099bf671058bd4 Bisecting: 8497 revisions left to test after this (roughly 13 steps) [5d352e69c60e54b5f04d6e337a1d2bf0dbf3d94a] Merge tag 'media/v4.15-1' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media testing commit 5d352e69c60e54b5f04d6e337a1d2bf0dbf3d94a with gcc (GCC) 8.1.0 kernel signature: accdebae5be1cdd33c5b04e2d6aa6ea53d860740 all runs: crashed: KASAN: use-after-free Read in eth_type_trans # git bisect bad 5d352e69c60e54b5f04d6e337a1d2bf0dbf3d94a Bisecting: 3798 revisions left to test after this (roughly 12 steps) [4e4510fec4af08ead21f6934c1410af1f19a8cad] Merge tag 'sound-4.15-rc1' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/tiwai/sound testing commit 4e4510fec4af08ead21f6934c1410af1f19a8cad with gcc (GCC) 8.1.0 kernel signature: f311a9e882a5da451ef5659d8677c501a3792909 all runs: OK # git bisect good 4e4510fec4af08ead21f6934c1410af1f19a8cad Bisecting: 1899 revisions left to test after this (roughly 11 steps) [9fb7bd77d11ab03b4a969279de9f54d8fd6fe988] mlxsw: spectrum_ipip: Split accessor functions testing commit 9fb7bd77d11ab03b4a969279de9f54d8fd6fe988 with gcc (GCC) 8.1.0 kernel signature: 16192a5d5442e71d90702f8a0ec45c99ef22511d run #0: crashed: KASAN: use-after-free Read in eth_type_trans run #1: crashed: KASAN: use-after-free Read in eth_type_trans run #2: crashed: KASAN: use-after-free Read in eth_type_trans run #3: crashed: BUG: unable to handle kernel paging request in eth_type_trans run #4: crashed: KASAN: use-after-free Read in eth_type_trans run #5: crashed: KASAN: use-after-free Read in eth_type_trans run #6: crashed: KASAN: use-after-free Read in eth_type_trans run #7: crashed: KASAN: use-after-free Read in eth_type_trans run #8: crashed: KASAN: use-after-free Read in eth_type_trans run #9: crashed: KASAN: use-after-free Read in eth_type_trans # git bisect bad 9fb7bd77d11ab03b4a969279de9f54d8fd6fe988 Bisecting: 943 revisions left to test after this (roughly 10 steps) [af28f6f26a67ef850a26c42c49a1d9ca4927e10c] Merge tag 'mlx5-updates-2017-10-11' of git://git.kernel.org/pub/scm/linux/kernel/git/mellanox/linux testing commit af28f6f26a67ef850a26c42c49a1d9ca4927e10c with gcc (GCC) 8.1.0 kernel signature: 45529520be0544d041f518ed61b9e051319e5a7d all runs: crashed: KASAN: use-after-free Read in eth_type_trans # git bisect bad af28f6f26a67ef850a26c42c49a1d9ca4927e10c Bisecting: 477 revisions left to test after this (roughly 9 steps) [0ccdf3c7fdeda511b10def19505178a9d2d3fccd] sctp: add sockopt to get/set stream scheduler parameters testing commit 0ccdf3c7fdeda511b10def19505178a9d2d3fccd with gcc (GCC) 8.1.0 kernel signature: f429352643e430609eaf0fdd3d98e9e7dd058711 run #0: crashed: KASAN: use-after-free Read in eth_type_trans run #1: crashed: KASAN: use-after-free Read in eth_type_trans run #2: crashed: KASAN: use-after-free Read in eth_type_trans run #3: crashed: KASAN: use-after-free Read in eth_type_trans run #4: crashed: KASAN: use-after-free Read in eth_type_trans run #5: crashed: KASAN: use-after-free Read in eth_type_trans run #6: crashed: KASAN: use-after-free Read in eth_type_trans run #7: crashed: BUG: unable to handle kernel paging request in eth_type_trans run #8: crashed: KASAN: use-after-free Read in eth_type_trans run #9: crashed: KASAN: use-after-free Read in eth_type_trans # git bisect bad 0ccdf3c7fdeda511b10def19505178a9d2d3fccd Bisecting: 238 revisions left to test after this (roughly 8 steps) [e451ae8e4f6b3f6bd3b83a5595657b5421b3bf69] neigh: make struct neigh_table::entry_size unsigned int testing commit e451ae8e4f6b3f6bd3b83a5595657b5421b3bf69 with gcc (GCC) 8.1.0 kernel signature: 267d203f7b41245e598b3f5c1cdb1f88de679415 all runs: crashed: KASAN: use-after-free Read in eth_type_trans # git bisect bad e451ae8e4f6b3f6bd3b83a5595657b5421b3bf69 Bisecting: 118 revisions left to test after this (roughly 7 steps) [334e4a7d5505f59a741b0549f41082e29a914439] drivers: net: pcnet32: use setup_timer() helper. testing commit 334e4a7d5505f59a741b0549f41082e29a914439 with gcc (GCC) 8.1.0 kernel signature: ecbf99710067d72fcae06329bca9d06cc3595f3d all runs: OK # git bisect good 334e4a7d5505f59a741b0549f41082e29a914439 Bisecting: 59 revisions left to test after this (roughly 6 steps) [66f06890305eb2c8200cefbc3d6405ff6baef47e] drivers: net: cxgb: use setup_timer() helper. testing commit 66f06890305eb2c8200cefbc3d6405ff6baef47e with gcc (GCC) 8.1.0 kernel signature: ef39ea8937f725079af2f8371626cb7218c3b152 all runs: OK # git bisect good 66f06890305eb2c8200cefbc3d6405ff6baef47e Bisecting: 29 revisions left to test after this (roughly 5 steps) [e0f911c81e93fc23fe1a4fb0318ff1c3b1c9027f] cxgb4: fetch stats for offloaded tc flower flows testing commit e0f911c81e93fc23fe1a4fb0318ff1c3b1c9027f with gcc (GCC) 8.1.0 kernel signature: 706f1d27e469f95829417ecc1baa04b07fd88fd4 all runs: OK # git bisect good e0f911c81e93fc23fe1a4fb0318ff1c3b1c9027f Bisecting: 14 revisions left to test after this (roughly 4 steps) [943170998b200190f99d3fe7e771437e2c51f319] tun: enable NAPI for TUN/TAP driver testing commit 943170998b200190f99d3fe7e771437e2c51f319 with gcc (GCC) 8.1.0 kernel signature: 0e8eccbe012d0567397075046387423330fbf15c all runs: OK # git bisect good 943170998b200190f99d3fe7e771437e2c51f319 Bisecting: 7 revisions left to test after this (roughly 3 steps) [088b8749da1e35b0dd9cb0e6500ca1c94c9bf547] liquidio: allow override of firmware present in flash testing commit 088b8749da1e35b0dd9cb0e6500ca1c94c9bf547 with gcc (GCC) 8.1.0 kernel signature: 879147c9858136e149f9cad701f04ef844702b99 all runs: crashed: KASAN: use-after-free Read in eth_type_trans # git bisect bad 088b8749da1e35b0dd9cb0e6500ca1c94c9bf547 Bisecting: 3 revisions left to test after this (roughly 2 steps) [6450f8f269a9271985e4a8c13920b7e4cf21c0f3] hv_netvsc: Fix the real number of queues of non-vRSS cases testing commit 6450f8f269a9271985e4a8c13920b7e4cf21c0f3 with gcc (GCC) 8.1.0 kernel signature: 9ea6c9fe3c6778b67a2e37735fe94c04e7560173 run #0: crashed: KASAN: use-after-free Read in eth_type_trans run #1: crashed: KASAN: use-after-free Read in eth_type_trans run #2: crashed: KASAN: use-after-free Read in eth_type_trans run #3: crashed: BUG: unable to handle kernel paging request in eth_type_trans run #4: crashed: KASAN: use-after-free Read in eth_type_trans run #5: crashed: KASAN: use-after-free Read in eth_type_trans run #6: crashed: KASAN: use-after-free Read in eth_type_trans run #7: crashed: KASAN: use-after-free Read in eth_type_trans run #8: crashed: KASAN: use-after-free Read in eth_type_trans run #9: crashed: KASAN: use-after-free Read in eth_type_trans # git bisect bad 6450f8f269a9271985e4a8c13920b7e4cf21c0f3 Bisecting: 0 revisions left to test after this (roughly 1 step) [070eb6e0890b189a5a5cd37e39005ea0c77d9ea3] Merge branch 'tun-NAPI-and-gro' testing commit 070eb6e0890b189a5a5cd37e39005ea0c77d9ea3 with gcc (GCC) 8.1.0 kernel signature: d0c491d561b532629c6b73f3ed16e457be80164f all runs: crashed: KASAN: use-after-free Read in eth_type_trans # git bisect bad 070eb6e0890b189a5a5cd37e39005ea0c77d9ea3 Bisecting: 0 revisions left to test after this (roughly 0 steps) [90e33d45940793def6f773b2d528e9f3c84ffdc7] tun: enable napi_gro_frags() for TUN/TAP driver testing commit 90e33d45940793def6f773b2d528e9f3c84ffdc7 with gcc (GCC) 8.1.0 kernel signature: 298ed76d6da07d51961f64ffb4a65ef745e59f3e all runs: crashed: KASAN: use-after-free Read in eth_type_trans # git bisect bad 90e33d45940793def6f773b2d528e9f3c84ffdc7 90e33d45940793def6f773b2d528e9f3c84ffdc7 is the first bad commit commit 90e33d45940793def6f773b2d528e9f3c84ffdc7 Author: Petar Penkov Date: Fri Sep 22 13:49:15 2017 -0700 tun: enable napi_gro_frags() for TUN/TAP driver Add a TUN/TAP receive mode that exercises the napi_gro_frags() interface. This mode is available only in TAP mode, as the interface expects packets with Ethernet headers. Furthermore, packets follow the layout of the iovec_iter that was received. The first iovec is the linear data, and every one after the first is a fragment. If there are more fragments than the max number, drop the packet. Additionally, invoke eth_get_headlen() to exercise flow dissector code and to verify that the header resides in the linear data. The napi_gro_frags() mode requires setting the IFF_NAPI_FRAGS option. This is imposed because this mode is intended for testing via tools like syzkaller and packetdrill, and the increased flexibility it provides can introduce security vulnerabilities. This flag is accepted only if the device is in TAP mode and has the IFF_NAPI flag set as well. This is done because both of these are explicit requirements for correct operation in this mode. Signed-off-by: Petar Penkov Cc: Eric Dumazet Cc: Mahesh Bandewar Cc: Willem de Bruijn Cc: davem@davemloft.net Cc: ppenkov@stanford.edu Acked-by: Mahesh Bandewar Signed-off-by: David S. Miller drivers/net/tun.c | 134 ++++++++++++++++++++++++++++++++++++++++++-- include/uapi/linux/if_tun.h | 1 + 2 files changed, 129 insertions(+), 6 deletions(-) culprit signature: 298ed76d6da07d51961f64ffb4a65ef745e59f3e parent signature: 0e8eccbe012d0567397075046387423330fbf15c revisions tested: 27, total time: 4h41m9.387259818s (build: 2h21m56.353899992s, test: 2h16m51.234799571s) first bad commit: 90e33d45940793def6f773b2d528e9f3c84ffdc7 tun: enable napi_gro_frags() for TUN/TAP driver cc: ["arnd@arndb.de" "davej@redhat.com" "davem@davemloft.net" "dhowells@redhat.com" "jasowang@redhat.com" "linux-kernel@vger.kernel.org" "mst@redhat.com" "mtk.manpages@gmail.com" "netdev@vger.kernel.org" "peterpenkov96@gmail.com" "tglx@linutronix.de"] crash: KASAN: use-after-free Read in eth_type_trans bridge0: port 2(bridge_slave_1) entered forwarding state IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready hrtimer: interrupt took 29740 ns ================================================================== BUG: KASAN: use-after-free in is_multicast_ether_addr_64bits include/linux/etherdevice.h:139 [inline] BUG: KASAN: use-after-free in eth_type_trans+0x52d/0x650 net/ethernet/eth.c:168 Read of size 8 at addr ffff8801013f0040 by task syz-executor.0/7765 CPU: 0 PID: 7765 Comm: syz-executor.0 Not tainted 4.14.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:16 [inline] dump_stack+0x145/0x1e1 lib/dump_stack.c:52 print_address_description.cold.7+0x9/0x1c9 mm/kasan/report.c:252 kasan_report_error mm/kasan/report.c:351 [inline] kasan_report.cold.8+0x121/0x2da mm/kasan/report.c:409 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430 is_multicast_ether_addr_64bits include/linux/etherdevice.h:139 [inline] eth_type_trans+0x52d/0x650 net/ethernet/eth.c:168 napi_frags_finish net/core/dev.c:4978 [inline] napi_gro_frags+0x62e/0xcb0 net/core/dev.c:5052 tun_get_user+0x262a/0x39f0 drivers/net/tun.c:1751 tun_chr_write_iter+0xd1/0x1a0 drivers/net/tun.c:1794 call_write_iter include/linux/fs.h:1770 [inline] do_iter_readv_writev+0x60c/0xbd0 fs/read_write.c:673 do_iter_write+0x131/0x520 fs/read_write.c:952 vfs_writev+0x16b/0x320 fs/read_write.c:997 do_writev+0xf3/0x340 fs/read_write.c:1032 SYSC_writev fs/read_write.c:1105 [inline] SyS_writev+0xb/0x10 fs/read_write.c:1102 entry_SYSCALL_64_fastpath+0x23/0xc2 RIP: 0033:0x45a7d1 RSP: 002b:00007fd1743f8ba0 EFLAGS: 00000293 ORIG_RAX: 0000000000000014 RAX: ffffffffffffffda RBX: 0000000000207843 RCX: 000000000045a7d1 RDX: 0000000000000001 RSI: 00007fd1743f8c00 RDI: 00000000000000f0 RBP: 0000000000000086 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000293 R12: 000000000075bf2c R13: 00007fff3762ae1f R14: 00007fd1743f99c0 R15: 000000000075bf2c The buggy address belongs to the page: page:ffffea000404fc00 count:0 mapcount:0 mapping: (null) index:0x1 flags: 0x17ffe0000000000() raw: 017ffe0000000000 0000000000000000 0000000000000001 00000000ffffffff raw: dead000000000100 dead000000000200 0000000000000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8801013eff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8801013eff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff8801013f0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff8801013f0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8801013f0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ==================================================================