bisecting fixing commit since 112cbae26d18e75098d95cc234cfa5059de8d479
building syzkaller on 1fb62d581554435800ba339e7f7912cd81d619ba
testing commit 112cbae26d18e75098d95cc234cfa5059de8d479 with gcc (GCC) 8.1.0
all runs: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
testing current HEAD 296d05cb0d3c9f4648e31abb8ce404ac6915d66c
testing commit 296d05cb0d3c9f4648e31abb8ce404ac6915d66c with gcc (GCC) 8.1.0
all runs: OK
# git bisect start 296d05cb0d3c9f4648e31abb8ce404ac6915d66c 112cbae26d18e75098d95cc234cfa5059de8d479
Bisecting: 44036 revisions left to test after this (roughly 16 steps)
[bdf2bd9aa684511bcb4271f185f735525ca27a70] ath10k: fix documentation in ath10k_wow_convert_8023_to_80211()
testing commit bdf2bd9aa684511bcb4271f185f735525ca27a70 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad bdf2bd9aa684511bcb4271f185f735525ca27a70
Bisecting: 21899 revisions left to test after this (roughly 15 steps)
[18d0eae30e6a4f8644d589243d7ac1d70d29203d] Merge tag 'char-misc-4.20-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc
testing commit 18d0eae30e6a4f8644d589243d7ac1d70d29203d with gcc (GCC) 8.1.0
run #0: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #1: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #2: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #3: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #4: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #5: OK
run #6: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #7: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #8: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #9: OK
# git bisect good 18d0eae30e6a4f8644d589243d7ac1d70d29203d
Bisecting: 10975 revisions left to test after this (roughly 14 steps)
[13e1ad2be3a85f5c0f76e82af9806b3d12a574d0] Merge branch 'x86-pti-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
testing commit 13e1ad2be3a85f5c0f76e82af9806b3d12a574d0 with gcc (GCC) 8.1.0
run #0: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #1: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #2: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #3: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #4: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #5: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #6: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #7: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #8: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #9: OK
# git bisect good 13e1ad2be3a85f5c0f76e82af9806b3d12a574d0
Bisecting: 5553 revisions left to test after this (roughly 13 steps)
[117eda8f71ff545cfdec8fe8073adbd173a1ceff] Merge tag 'tty-4.21-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty
testing commit 117eda8f71ff545cfdec8fe8073adbd173a1ceff with gcc (GCC) 8.1.0
run #0: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #1: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #2: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #3: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #4: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #5: OK
run #6: OK
run #7: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #8: OK
run #9: OK
# git bisect good 117eda8f71ff545cfdec8fe8073adbd173a1ceff
Bisecting: 2775 revisions left to test after this (roughly 12 steps)
[977e4899c9b4bea787531b0837af5ed442e3118f] Merge ra.kernel.org:/pub/scm/linux/kernel/git/bpf/bpf
testing commit 977e4899c9b4bea787531b0837af5ed442e3118f with gcc (GCC) 8.1.0
run #0: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #1: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #2: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #3: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #4: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #5: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #6: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #7: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #8: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #9: OK
# git bisect good 977e4899c9b4bea787531b0837af5ed442e3118f
Bisecting: 1385 revisions left to test after this (roughly 11 steps)
[aa7b98459f15bf45d0610c8acfa7929a8641864a] Merge tag 'sound-5.0-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound
testing commit aa7b98459f15bf45d0610c8acfa7929a8641864a with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad aa7b98459f15bf45d0610c8acfa7929a8641864a
Bisecting: 706 revisions left to test after this (roughly 10 steps)
[e8af37f3f488e7adce2b5c6f6dfe8c83c2662e1f] Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
testing commit e8af37f3f488e7adce2b5c6f6dfe8c83c2662e1f with gcc (GCC) 8.1.0
run #0: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #1: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #2: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #3: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #4: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #5: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good e8af37f3f488e7adce2b5c6f6dfe8c83c2662e1f
Bisecting: 352 revisions left to test after this (roughly 9 steps)
[2a8cbf2a02784efc02f7093000010e20c4ebc9ea] Merge tag 'fbdev-v5.0-rc3' of git://github.com/bzolnier/linux
testing commit 2a8cbf2a02784efc02f7093000010e20c4ebc9ea with gcc (GCC) 8.1.0
run #0: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #1: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #2: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #3: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #4: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #5: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #6: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #7: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #8: OK
run #9: OK
# git bisect good 2a8cbf2a02784efc02f7093000010e20c4ebc9ea
Bisecting: 207 revisions left to test after this (roughly 8 steps)
[bb617b9b4519b0cef939c9c8e9c41470749f0d51] Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost
testing commit bb617b9b4519b0cef939c9c8e9c41470749f0d51 with gcc (GCC) 8.1.0
run #0: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #1: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #2: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #3: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #4: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #5: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #6: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #7: OK
run #8: OK
run #9: OK
# git bisect good bb617b9b4519b0cef939c9c8e9c41470749f0d51
Bisecting: 104 revisions left to test after this (roughly 7 steps)
[7d0ae236ed13d7645fb73b85e7c95deee46c4656] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
testing commit 7d0ae236ed13d7645fb73b85e7c95deee46c4656 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 7d0ae236ed13d7645fb73b85e7c95deee46c4656
Bisecting: 51 revisions left to test after this (roughly 6 steps)
[2cddd20147826aef283115abb00012d4dafe3cdb] net/sched: cls_flower: allocate mask dynamically in fl_change()
testing commit 2cddd20147826aef283115abb00012d4dafe3cdb with gcc (GCC) 8.1.0
run #0: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #1: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #2: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #3: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #4: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #5: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good 2cddd20147826aef283115abb00012d4dafe3cdb
Bisecting: 26 revisions left to test after this (roughly 5 steps)
[efa8c819a6892b03d5535b2ce1d8c85ea9850b58] Merge branch 'mlxsw-fixes'
testing commit efa8c819a6892b03d5535b2ce1d8c85ea9850b58 with gcc (GCC) 8.1.0
run #0: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #1: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #2: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #3: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #4: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #5: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #6: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #7: OK
run #8: OK
run #9: OK
# git bisect good efa8c819a6892b03d5535b2ce1d8c85ea9850b58
Bisecting: 13 revisions left to test after this (roughly 4 steps)
[e224c390a6259c529f7b2a6bd215a087b3344f5c] bpf: fix SO_MAX_PACING_RATE to support TCP internal pacing
testing commit e224c390a6259c529f7b2a6bd215a087b3344f5c with gcc (GCC) 8.1.0
run #0: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #1: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #2: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #3: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #4: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #5: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #6: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #7: OK
run #8: OK
run #9: OK
# git bisect good e224c390a6259c529f7b2a6bd215a087b3344f5c
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[3e64cf7a435ed0500e3adaa8aada2272d3ae8abc] net: phy: phy driver features are mandatory
testing commit 3e64cf7a435ed0500e3adaa8aada2272d3ae8abc with gcc (GCC) 8.1.0
run #0: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #1: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #2: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #3: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #4: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #5: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #6: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #7: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #8: OK
run #9: OK
# git bisect good 3e64cf7a435ed0500e3adaa8aada2272d3ae8abc
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[64cf5481262b9664ae3cdcb333f4a06af3e8fb58] tools: bpftool: Cleanup license mess
testing commit 64cf5481262b9664ae3cdcb333f4a06af3e8fb58 with gcc (GCC) 8.1.0
run #0: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #1: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #2: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #3: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #4: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #5: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good 64cf5481262b9664ae3cdcb333f4a06af3e8fb58
Bisecting: 2 revisions left to test after this (roughly 1 step)
[df133f3f96257ee29696c0ed8bd198ec801dc810] virtio_net: bulk free tx skbs
testing commit df133f3f96257ee29696c0ed8bd198ec801dc810 with gcc (GCC) 8.1.0
run #0: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #1: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #2: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #3: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #4: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #5: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #6: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #7: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #8: crashed: kernel BUG at net/ipv4/ip_output.c:LINE!
run #9: OK
# git bisect good df133f3f96257ee29696c0ed8bd198ec801dc810
Bisecting: 0 revisions left to test after this (roughly 1 step)
[6436408e814b81046f4595245c1f9bc4409e945c] Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf
testing commit 6436408e814b81046f4595245c1f9bc4409e945c with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 6436408e814b81046f4595245c1f9bc4409e945c
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[e7c87bd6cc4ec7b0ac1ed0a88a58f8206c577488] bpf: in __bpf_redirect_no_mac pull mac only if present
testing commit e7c87bd6cc4ec7b0ac1ed0a88a58f8206c577488 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad e7c87bd6cc4ec7b0ac1ed0a88a58f8206c577488
e7c87bd6cc4ec7b0ac1ed0a88a58f8206c577488 is the first bad commit
commit e7c87bd6cc4ec7b0ac1ed0a88a58f8206c577488
Author: Willem de Bruijn
Date:   Tue Jan 15 20:19:22 2019 -0500

    bpf: in __bpf_redirect_no_mac pull mac only if present

    Syzkaller was able to construct a packet of negative length by
    redirecting from bpf_prog_test_run_skb with BPF_PROG_TYPE_LWT_XMIT:

      BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:345 [inline]
      BUG: KASAN: slab-out-of-bounds in skb_copy_from_linear_data include/linux/skbuff.h:3421 [inline]
      BUG: KASAN: slab-out-of-bounds in __pskb_copy_fclone+0x2dd/0xeb0 net/core/skbuff.c:1395
      Read of size 4294967282 at addr ffff8801d798009c by task syz-executor2/12942

      kasan_report.cold.9+0x242/0x309 mm/kasan/report.c:412
      check_memory_region_inline mm/kasan/kasan.c:260 [inline]
      check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
      memcpy+0x23/0x50 mm/kasan/kasan.c:302
      memcpy include/linux/string.h:345 [inline]
      skb_copy_from_linear_data include/linux/skbuff.h:3421 [inline]
      __pskb_copy_fclone+0x2dd/0xeb0 net/core/skbuff.c:1395
      __pskb_copy include/linux/skbuff.h:1053 [inline]
      pskb_copy include/linux/skbuff.h:2904 [inline]
      skb_realloc_headroom+0xe7/0x120 net/core/skbuff.c:1539
      ipip6_tunnel_xmit net/ipv6/sit.c:965 [inline]
      sit_tunnel_xmit+0xe1b/0x30d0 net/ipv6/sit.c:1029
      __netdev_start_xmit include/linux/netdevice.h:4325 [inline]
      netdev_start_xmit include/linux/netdevice.h:4334 [inline]
      xmit_one net/core/dev.c:3219 [inline]
      dev_hard_start_xmit+0x295/0xc90 net/core/dev.c:3235
      __dev_queue_xmit+0x2f0d/0x3950 net/core/dev.c:3805
      dev_queue_xmit+0x17/0x20 net/core/dev.c:3838
      __bpf_tx_skb net/core/filter.c:2016 [inline]
      __bpf_redirect_common net/core/filter.c:2054 [inline]
      __bpf_redirect+0x5cf/0xb20 net/core/filter.c:2061
      ____bpf_clone_redirect net/core/filter.c:2094 [inline]
      bpf_clone_redirect+0x2f6/0x490 net/core/filter.c:2066
      bpf_prog_41f2bcae09cd4ac3+0xb25/0x1000

    The generated test constructs a packet with mac header, network
    header, skb->data pointing to network header and skb->len 0.

    Redirecting to a sit0 through __bpf_redirect_no_mac pulls the
    mac length, even though skb->data already is at skb->network_header.
    bpf_prog_test_run_skb has already pulled it as LWT_XMIT !is_l2.

    Update the offset calculation to pull only if skb->data differs
    from skb->network_header, which is not true in this case.

    The test itself can be run only from commit 1cf1cae963c2 ("bpf:
    introduce BPF_PROG_TEST_RUN command"), but the same type of packets
    with skb at network header could already be built from lwt xmit hooks,
    so this fix is more relevant to that commit.

    Also set the mac header on redirect from LWT_XMIT, as even after this
    change to __bpf_redirect_no_mac that field is expected to be set, but
    is not yet in ip_finish_output2.

    Fixes: 3a0af8fd61f9 ("bpf: BPF for lightweight tunnel infrastructure")
    Reported-by: syzbot
    Signed-off-by: Willem de Bruijn
    Acked-by: Martin KaFai Lau
    Signed-off-by: Daniel Borkmann

:040000 040000 3a013b53fd567fd8ec7ec4f99b67c02462115345 f181f4c88b4e8c6dbabca0a967e8a014bebc4f05 M	net

revisions tested: 20, total time: 5h21m37.437571931s (build: 1h30m20.055409681s, test: 3h44m23.013935375s)
first good commit: e7c87bd6cc4ec7b0ac1ed0a88a58f8206c577488 bpf: in __bpf_redirect_no_mac pull mac only if present
cc: ["ast@kernel.org" "bpf@vger.kernel.org" "daniel@iogearbox.net" "davem@davemloft.net" "dsahern@gmail.com" "johannes.berg@intel.com" "kafai@fb.com" "linux-kernel@vger.kernel.org" "netdev@vger.kernel.org" "posk@google.com" "songliubraving@fb.com" "tglx@linutronix.de" "willemb@google.com" "yhs@fb.com"]
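The length underflow described in the commit message above, modelled in userspace as an added illustration (not kernel code and not the commit's diff): `struct model_skb` and both `pull_mac_*` functions are assumed stand-ins for skb->data/len/mac_header/network_header and for the before and after offset calculation, and the packet in `constructed_lwt_xmit_skb` is constructed to match the report (data already at the network header, len 0).

```c
/* Added illustration of the bug fixed by e7c87bd6cc4e: header offsets are
 * modelled as byte positions in a buffer; this is an assumed model of
 * skb bookkeeping, not the kernel's sk_buff or filter.c code. */
#include <stdbool.h>
#include <stddef.h>

struct model_skb {
    size_t data;           /* where skb->data currently points */
    size_t len;            /* bytes from data to tail (skb->len) */
    size_t mac_header;     /* offset of the link-layer header */
    size_t network_header; /* offset of the network header */
};

/* Before the fix: always pull (network_header - mac_header) bytes,
 * whether or not skb->data already sits at the network header.
 * Returns false when the pull would exceed len, i.e. when the kernel's
 * unsigned skb->len would wrap to a huge value (the 4294967282-byte
 * KASAN read in the report is 0 - 14 as a 32-bit unsigned). */
static bool pull_mac_unconditional(struct model_skb *skb)
{
    if (skb->mac_header >= skb->network_header)
        return false;                    /* no link-layer header at all */
    size_t mlen = skb->network_header - skb->mac_header;
    if (mlen > skb->len)
        return false;                    /* len would go negative */
    skb->data += mlen;
    skb->len -= mlen;
    return true;
}

/* After the fix: pull only the distance from skb->data to the network
 * header (skb_network_offset), so a packet already at the network header
 * is left untouched. Data beyond the network header is out of scope here. */
static bool pull_mac_if_present(struct model_skb *skb)
{
    if (skb->data >= skb->network_header)
        return true;                     /* nothing left to pull */
    size_t mlen = skb->network_header - skb->data;
    if (mlen > skb->len)
        return false;
    skb->data += mlen;
    skb->len -= mlen;
    return true;
}

/* Constructed packet matching the report: 14-byte mac header at 0,
 * network header at 14, skb->data already at 14, skb->len 0. */
static struct model_skb constructed_lwt_xmit_skb(void)
{
    struct model_skb skb = { .data = 14, .len = 0,
                             .mac_header = 0, .network_header = 14 };
    return skb;
}
```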