bisecting fixing commit since a844dc4c544291470aa69edbe2434b040794e269
building syzkaller on 2a752b7c5e39457c3c16ef91cf2192a42813c802
testing commit a844dc4c544291470aa69edbe2434b040794e269 with gcc (GCC) 8.1.0
kernel signature: 18948fee65f49fca54b3ffa2efe4a6c29312c12b1717ce649023eea41279279c
all runs: crashed: KASAN: use-after-free Write in __alloc_skb
testing current HEAD e0f8b8a65a473a8baa439cf865a694bbeb83fe90
testing commit e0f8b8a65a473a8baa439cf865a694bbeb83fe90 with gcc (GCC) 8.1.0
kernel signature: be6864b75815c11901fbac7beb33bbc23fdfbc67dd6ad2c975b8a1b92968a9e0
all runs: OK
# git bisect start e0f8b8a65a473a8baa439cf865a694bbeb83fe90 a844dc4c544291470aa69edbe2434b040794e269
Bisecting: 678 revisions left to test after this (roughly 9 steps)
[7fed98f4a1e6eb77a5d66ecfdf9345e21df6ac82] bpf: reject passing modified ctx to helper functions
testing commit 7fed98f4a1e6eb77a5d66ecfdf9345e21df6ac82 with gcc (GCC) 8.1.0
kernel signature: 50a6081b928f42a4fefd1006b9ff0d576a8394315304f94f44c2fa1f386bed18
all runs: crashed: KASAN: use-after-free Write in __alloc_skb
# git bisect good 7fed98f4a1e6eb77a5d66ecfdf9345e21df6ac82
Bisecting: 339 revisions left to test after this (roughly 8 steps)
[5ba5c4da88ae802ba8f43710d2965aa0ecba6492] drivers/rapidio/rio_cm.c: fix potential oops in riocm_ch_listen()
testing commit 5ba5c4da88ae802ba8f43710d2965aa0ecba6492 with gcc (GCC) 8.1.0
kernel signature: 68686572bbac3a614b34741cf29b400e2b0a2f58d8854e90b8ffa4a17f45a282
all runs: crashed: KASAN: use-after-free Write in __alloc_skb
# git bisect good 5ba5c4da88ae802ba8f43710d2965aa0ecba6492
Bisecting: 169 revisions left to test after this (roughly 7 steps)
[cd885e8726baad6e386c182272bd52ed1612cb7a] net: stmmac: dwmac-meson8b: Fix signedness bug in probe
testing commit cd885e8726baad6e386c182272bd52ed1612cb7a with gcc (GCC) 8.1.0
kernel signature: f69b77887f7fc3178614807f4833b4fc30da2c58447311f1e93a91ba280b34a5
all runs: crashed: KASAN: use-after-free Write in __alloc_skb
# git bisect good cd885e8726baad6e386c182272bd52ed1612cb7a
Bisecting: 84 revisions left to test after this (roughly 6 steps)
[2cb7f8d0e7512189b3b7ea287ffce36d7831897f] USB: serial: ir-usb: fix IrLAP framing
testing commit 2cb7f8d0e7512189b3b7ea287ffce36d7831897f with gcc (GCC) 8.1.0
kernel signature: 6e88d54884be607d0a6986d10458061f376e6ce9c417108cc4c03cf8a80def41
all runs: OK
# git bisect bad 2cb7f8d0e7512189b3b7ea287ffce36d7831897f
Bisecting: 42 revisions left to test after this (roughly 5 steps)
[7ac7cc5e78444a84e5786e822ca6643ad4cd55f7] net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject
testing commit 7ac7cc5e78444a84e5786e822ca6643ad4cd55f7 with gcc (GCC) 8.1.0
kernel signature: 67c02c85a4a6db30f060b3a9ad59564a563b4147c40adddd6996ddcb8ddeb479
all runs: basic kernel testing failed: general protection fault in kernfs_find_ns
# git bisect skip 7ac7cc5e78444a84e5786e822ca6643ad4cd55f7
Bisecting: 41 revisions left to test after this (roughly 5 steps)
[5f36336849edd9c3294adc4f93141c0261b98034] net-sysfs: fix netdev_queue_add_kobject() breakage
testing commit 5f36336849edd9c3294adc4f93141c0261b98034 with gcc (GCC) 8.1.0
kernel signature: 4b21fed7119b96985735be7d03896e848b935ce07d7c345655361b643c0edc33
all runs: crashed: KASAN: use-after-free Write in __alloc_skb
# git bisect good 5f36336849edd9c3294adc4f93141c0261b98034
Bisecting: 20 revisions left to test after this (roughly 4 steps)
[f4c64034ef354509f80e7038924eda37c763af6d] Input: pegasus_notetaker - fix endpoint sanity check
testing commit f4c64034ef354509f80e7038924eda37c763af6d with gcc (GCC) 8.1.0
kernel signature: 64094522d1381cede344591b453fc37953145c4a62c7d78c2d39fa337e9b726b
all runs: OK
# git bisect bad f4c64034ef354509f80e7038924eda37c763af6d
Bisecting: 10 revisions left to test after this (roughly 3 steps)
[0a36cb84e2f4250d92be7e92920128474e49850d] hwmon: (core) Do not use device managed functions for memory allocations
testing commit 0a36cb84e2f4250d92be7e92920128474e49850d with gcc (GCC) 8.1.0
kernel signature: 3439d4d9411483e7feef7085fe7e5031bbd73629b4af0dbb9ee3d05ef212f5cc
all runs: OK
# git bisect bad 0a36cb84e2f4250d92be7e92920128474e49850d
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[7e70784f1702cd9f438e23168ae937397c2d323a] tcp_bbr: improve arithmetic division in bbr_update_bw()
testing commit 7e70784f1702cd9f438e23168ae937397c2d323a with gcc (GCC) 8.1.0
kernel signature: feca17efff27be80f7f4cf2f659708c939074e96dcb7acd292c43ef621f2de69
all runs: crashed: KASAN: use-after-free Write in __alloc_skb
# git bisect good 7e70784f1702cd9f438e23168ae937397c2d323a
Bisecting: 1 revision left to test after this (roughly 1 step)
[4c7b99b4c03b546c4ea2e7562ee083e5f3a2c0e6] hwmon: Deal with errors from the thermal subsystem
testing commit 4c7b99b4c03b546c4ea2e7562ee083e5f3a2c0e6 with gcc (GCC) 8.1.0
kernel signature: 8761bca23d31e0f5add1488c1bef57f766c6ad0600d15ff104ad9b8f585b4401
all runs: OK
# git bisect bad 4c7b99b4c03b546c4ea2e7562ee083e5f3a2c0e6
Bisecting: 0 revisions left to test after this (roughly 1 step)
[6090ac18fcc58ed264ffdd00f6fdd6042475b6a4] hwmon: (adt7475) Make volt2reg return same reg as reg2volt input
testing commit 6090ac18fcc58ed264ffdd00f6fdd6042475b6a4 with gcc (GCC) 8.1.0
kernel signature: da2abe2d4cf124bde9f764a4e5eb275e24776393b9defd6cc4e8c1766f4d7044
all runs: OK
# git bisect bad 6090ac18fcc58ed264ffdd00f6fdd6042475b6a4
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[e841252840c48e9a0e5add9d82796b1d55c0f653] net: rtnetlink: validate IFLA_MTU attribute in rtnl_create_link()
testing commit e841252840c48e9a0e5add9d82796b1d55c0f653 with gcc (GCC) 8.1.0
kernel signature: 60107c9dc3f76de1b1f0abdb6669b4ed47648ce2ae01586ac68cc0725b0492cf
all runs: OK
# git bisect bad e841252840c48e9a0e5add9d82796b1d55c0f653
e841252840c48e9a0e5add9d82796b1d55c0f653 is the first bad commit
commit e841252840c48e9a0e5add9d82796b1d55c0f653
Author: Eric Dumazet
Date:   Tue Jan 21 22:47:29 2020 -0800

    net: rtnetlink: validate IFLA_MTU attribute in rtnl_create_link()

    [ Upstream commit d836f5c69d87473ff65c06a6123e5b2cf5e56f5b ]

    rtnl_create_link() needs to apply dev->min_mtu and dev->max_mtu
    checks that we apply in do_setlink()

    Otherwise malicious users can crash the kernel, for example after
    an integer overflow :

    BUG: KASAN: use-after-free in memset include/linux/string.h:365 [inline]
    BUG: KASAN: use-after-free in __alloc_skb+0x37b/0x5e0 net/core/skbuff.c:238
    Write of size 32 at addr ffff88819f20b9c0 by task swapper/0/0

    CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.5.0-rc1-syzkaller #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    Call Trace:
     __dump_stack lib/dump_stack.c:77 [inline]
     dump_stack+0x197/0x210 lib/dump_stack.c:118
     print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
     __kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
     kasan_report+0x12/0x20 mm/kasan/common.c:639
     check_memory_region_inline mm/kasan/generic.c:185 [inline]
     check_memory_region+0x134/0x1a0 mm/kasan/generic.c:192
     memset+0x24/0x40 mm/kasan/common.c:108
     memset include/linux/string.h:365 [inline]
     __alloc_skb+0x37b/0x5e0 net/core/skbuff.c:238
     alloc_skb include/linux/skbuff.h:1049 [inline]
     alloc_skb_with_frags+0x93/0x590 net/core/skbuff.c:5664
     sock_alloc_send_pskb+0x7ad/0x920 net/core/sock.c:2242
     sock_alloc_send_skb+0x32/0x40 net/core/sock.c:2259
     mld_newpack+0x1d7/0x7f0 net/ipv6/mcast.c:1609
     add_grhead.isra.0+0x299/0x370 net/ipv6/mcast.c:1713
     add_grec+0x7db/0x10b0 net/ipv6/mcast.c:1844
     mld_send_cr net/ipv6/mcast.c:1970 [inline]
     mld_ifc_timer_expire+0x3d3/0x950 net/ipv6/mcast.c:2477
     call_timer_fn+0x1ac/0x780 kernel/time/timer.c:1404
     expire_timers kernel/time/timer.c:1449 [inline]
     __run_timers kernel/time/timer.c:1773 [inline]
     __run_timers kernel/time/timer.c:1740 [inline]
     run_timer_softirq+0x6c3/0x1790 kernel/time/timer.c:1786
     __do_softirq+0x262/0x98c kernel/softirq.c:292
     invoke_softirq kernel/softirq.c:373 [inline]
     irq_exit+0x19b/0x1e0 kernel/softirq.c:413
     exiting_irq arch/x86/include/asm/apic.h:536 [inline]
     smp_apic_timer_interrupt+0x1a3/0x610 arch/x86/kernel/apic/apic.c:1137
     apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
    RIP: 0010:native_safe_halt+0xe/0x10 arch/x86/include/asm/irqflags.h:61
    Code: 98 6b ea f9 eb 8a cc cc cc cc cc cc e9 07 00 00 00 0f 00 2d 44 1c 60 00 f4 c3 66 90 e9 07 00 00 00 0f 00 2d 34 1c 60 00 fb f4 cc 55 48 89 e5 41 57 41 56 41 55 41 54 53 e8 4e 5d 9a f9 e8 79
    RSP: 0018:ffffffff89807ce8 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff13
    RAX: 1ffffffff13266ae RBX: ffffffff8987a1c0 RCX: 0000000000000000
    RDX: dffffc0000000000 RSI: 0000000000000006 RDI: ffffffff8987aa54
    RBP: ffffffff89807d18 R08: ffffffff8987a1c0 R09: 0000000000000000
    R10: 0000000000000000 R11: 0000000000000000 R12: dffffc0000000000
    R13: ffffffff8a799980 R14: 0000000000000000 R15: 0000000000000000
     arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:690
     default_idle_call+0x84/0xb0 kernel/sched/idle.c:94
     cpuidle_idle_call kernel/sched/idle.c:154 [inline]
     do_idle+0x3c8/0x6e0 kernel/sched/idle.c:269
     cpu_startup_entry+0x1b/0x20 kernel/sched/idle.c:361
     rest_init+0x23b/0x371 init/main.c:451
     arch_call_rest_init+0xe/0x1b
     start_kernel+0x904/0x943 init/main.c:784
     x86_64_start_reservations+0x29/0x2b arch/x86/kernel/head64.c:490
     x86_64_start_kernel+0x77/0x7b arch/x86/kernel/head64.c:471
     secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:242

    The buggy address belongs to the page:
    page:ffffea00067c82c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
    raw: 057ffe0000000000 ffffea00067c82c8 ffffea00067c82c8 0000000000000000
    raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
    page dumped because: kasan: bad access detected

    Memory state around the buggy address:
     ffff88819f20b880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
     ffff88819f20b900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
    >ffff88819f20b980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                               ^
     ffff88819f20ba00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
     ffff88819f20ba80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff

    Fixes: 61e84623ace3 ("net: centralize net_device min/max MTU checking")
    Signed-off-by: Eric Dumazet
    Reported-by: syzbot
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

 include/linux/netdevice.h |  1 +
 net/core/dev.c            | 32 ++++++++++++++++++++------------
 net/core/rtnetlink.c      | 13 +++++++++++--
 3 files changed, 32 insertions(+), 14 deletions(-)

culprit signature: 60107c9dc3f76de1b1f0abdb6669b4ed47648ce2ae01586ac68cc0725b0492cf
parent signature: feca17efff27be80f7f4cf2f659708c939074e96dcb7acd292c43ef621f2de69
revisions tested: 14, total time: 3h39m45.650337122s (build: 2h3m57.422192556s, test: 1h34m27.206063755s)
first good commit: e841252840c48e9a0e5add9d82796b1d55c0f653 net: rtnetlink: validate IFLA_MTU attribute in rtnl_create_link()
cc: ["davem@davemloft.net" "edumazet@google.com" "gregkh@linuxfoundation.org"]
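The check the culprit commit's message describes, shown as an added illustrative C model. This is not the kernel's code and not the commit's diff (the log above only carries the diffstat); struct model_dev, model_validate_mtu, model_create_link_unchecked, model_create_link_checked and model_alloc_size are hypothetical names, the shape of the do_setlink() range check is assumed from the commit message, and the device limits, headroom/tailroom and the IFLA_MTU value 0xFFFFFFF0 are constructed inputs. The point it demonstrates is why a u32 attribute that skips the min_mtu/max_mtu check is dangerous: once it sits in dev->mtu, a later "mtu + headroom + tailroom" size computation wraps to a tiny allocation.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Illustrative model of the bug class in the culprit commit, not kernel code.
 * Only the net_device fields that matter are kept; the kernel stores all three
 * as unsigned int.
 */
struct model_dev {
	unsigned int mtu;
	unsigned int min_mtu;   /* 0 means "no lower bound" */
	unsigned int max_mtu;   /* 0 means "no upper bound" */
};

/* Constructed device limits for the example (not any real driver's values). */
struct model_dev model_default_dev(void)
{
	struct model_dev d = { .mtu = 1500, .min_mtu = 68, .max_mtu = 65535 };
	return d;
}

/*
 * Range check modelled on the one do_setlink() applies (assumed shape; the
 * commit's net/core/dev.c hunk is not on this page). IFLA_MTU arrives as a
 * u32 and is interpreted as int, so 0xFFFFFFF0 becomes -16 and fails the
 * sign test before it can reach dev->mtu.
 */
int model_validate_mtu(const struct model_dev *dev, int new_mtu)
{
	if (new_mtu < 0 || (unsigned int)new_mtu < dev->min_mtu)
		return -EINVAL;                 /* below device minimum */
	if (dev->max_mtu > 0 && (unsigned int)new_mtu > dev->max_mtu)
		return -EINVAL;                 /* above device maximum */
	return 0;
}

/* Before the fix: the create path stored the attribute without any check. */
void model_create_link_unchecked(struct model_dev *dev, uint32_t ifla_mtu)
{
	dev->mtu = ifla_mtu;
}

/* After the fix: the create path applies the same check as do_setlink(). */
int model_create_link_checked(struct model_dev *dev, uint32_t ifla_mtu)
{
	int err = model_validate_mtu(dev, (int)ifla_mtu);

	if (err)
		return err;
	dev->mtu = ifla_mtu;
	return 0;
}

/*
 * Why the missing check matters: a transmit path sizes its buffer as
 * mtu + link-layer headroom + tailroom in unsigned arithmetic. With an
 * unvalidated mtu near UINT_MAX the sum wraps to a few bytes, which is the
 * "integer overflow" the commit message refers to; the caller then treats
 * that tiny buffer as if it held a full MTU of room.
 */
unsigned int model_alloc_size(unsigned int mtu, unsigned int hlen, unsigned int tlen)
{
	return mtu + hlen + tlen;
}

int main(void)
{
	struct model_dev dev = model_default_dev();
	const uint32_t hostile = 0xFFFFFFF0u;   /* constructed IFLA_MTU value */
	int err;

	model_create_link_unchecked(&dev, hostile);
	printf("unchecked: dev->mtu=%u, buffer size request wraps to %u bytes\n",
	       dev.mtu, model_alloc_size(dev.mtu, 16, 4));

	dev = model_default_dev();
	err = model_create_link_checked(&dev, hostile);
	printf("checked:   err=%d (-EINVAL is %d), dev->mtu stays %u\n",
	       err, -EINVAL, dev.mtu);
	return 0;
}
```

The sign test is what makes the check robust against the u32-to-int reinterpretation: any IFLA_MTU value at or above 0x80000000 is negative as an int and is rejected before the min/max comparison, so the range limits do not have to anticipate wraparound themselves.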