bisecting cause commit starting from 6b529fb0a3eabf9c4cc3e94c11477250379ce6d8 building syzkaller on c3f3344c78d6f69e1494297262c453f8ed10a844 testing commit 6b529fb0a3eabf9c4cc3e94c11477250379ce6d8 with gcc (GCC) 8.1.0 run #0: crashed: KASAN: stack-out-of-bounds Read in fib6_clean_node run #1: crashed: KASAN: stack-out-of-bounds Read in corrupted run #2: basic kernel testing failed: failed to copy test binary to VM: failed to run ["scp" "-P" "39305" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/usr/local/google/home/dvyukov/syzkaller/ci-bisect3/jobs/linux/workdir/image/key" "/tmp/syz-executor502270977" "root@localhost:/syz-executor502270977"]: exit status 1 ssh: connect to host localhost port 39305: Connection refused lost connection run #3: crashed: KASAN: slab-out-of-bounds Read in tick_sched_handle run #4: crashed: BUG: unable to handle kernel paging request in corrupted run #5: crashed: BUG: unable to handle kernel paging request in corrupted run #6: crashed: KASAN: use-after-free Read in tick_sched_handle run #7: crashed: KASAN: use-after-free Read in tick_sched_handle testing release v4.20 testing commit 8fe28cb58bcb235034b64cbbb7550a8a43fd88be with gcc (GCC) 8.1.0 all runs: OK # git bisect start 6b529fb0a3eabf9c4cc3e94c11477250379ce6d8 v4.20 Bisecting: 5731 revisions left to test after this (roughly 13 steps) [e0c38a4d1f196a4b17d2eba36afff8f656a4f1de] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next testing commit e0c38a4d1f196a4b17d2eba36afff8f656a4f1de with gcc (GCC) 8.1.0 run #0: crashed: WARNING: locking bug in __f_unlock_pos run #1: crashed: KASAN: use-after-free Read in tick_sched_handle run #2: crashed: KASAN: slab-out-of-bounds Read in tick_sched_handle run #3: crashed: KASAN: stack-out-of-bounds Read in addrconf_verify_rtnl run #4: crashed: KASAN: slab-out-of-bounds Read in tick_sched_handle run #5: crashed: general protection fault in vma_interval_tree_insert run #6: crashed: KASAN: stack-out-of-bounds Read in __fput run #7: crashed: general protection fault in corrupted # git bisect bad e0c38a4d1f196a4b17d2eba36afff8f656a4f1de Bisecting: 3061 revisions left to test after this (roughly 12 steps) [c2f1f3e0e17d94ab0c66d83e669492cb9e9a3698] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc-next testing commit c2f1f3e0e17d94ab0c66d83e669492cb9e9a3698 with gcc (GCC) 8.1.0 all runs: OK # git bisect good c2f1f3e0e17d94ab0c66d83e669492cb9e9a3698 Bisecting: 1530 revisions left to test after this (roughly 11 steps) [33f18c96afdf4da20014f834874e2820ee880cde] net: ethernet: don't set phylib state CHANGELINK in drivers testing commit 33f18c96afdf4da20014f834874e2820ee880cde with gcc (GCC) 8.1.0 run #0: crashed: KASAN: stack-out-of-bounds Read in corrupted run #1: crashed: general protection fault in corrupted run #2: crashed: KASAN: stack-out-of-bounds Read in neigh_flush_dev run #3: crashed: KASAN: use-after-free Read in tick_sched_handle run #4: crashed: BUG: unable to handle kernel paging request in corrupted run #5: crashed: KASAN: stack-out-of-bounds Read in addrconf_verify_rtnl run #6: crashed: KASAN: invalid-free in rcu_process_callbacks run #7: crashed: WARNING in anon_vma_clone # git bisect bad 33f18c96afdf4da20014f834874e2820ee880cde Bisecting: 765 revisions left to test after this (roughly 10 steps) [cff478b9d9ccaee0de0e02700c63addf007b5d3c] netns: add support of NETNSA_TARGET_NSID testing commit cff478b9d9ccaee0de0e02700c63addf007b5d3c with gcc (GCC) 8.1.0 run #0: crashed: KASAN: stack-out-of-bounds Read in fib6_add_rt2node run #1: crashed: general protection fault in cpuacct_account_field run #2: crashed: KASAN: stack-out-of-bounds Read in addrconf_verify_rtnl run #3: crashed: KASAN: stack-out-of-bounds Write in corrupted run #4: crashed: KASAN: stack-out-of-bounds Read in sctp_addr_wq_mgmt run #5: crashed: KASAN: stack-out-of-bounds Write in corrupted run #6: crashed: WARNING: kernel stack regs has bad 'bp' value run #7: crashed: KASAN: stack-out-of-bounds Read in fib_find_alias # git bisect bad cff478b9d9ccaee0de0e02700c63addf007b5d3c Bisecting: 382 revisions left to test after this (roughly 9 steps) [25fc1989077e71be9fdbe6b78670cf90df2fb789] net: sched: gred: store red flags per virtual queue testing commit 25fc1989077e71be9fdbe6b78670cf90df2fb789 with gcc (GCC) 8.1.0 run #0: crashed: KASAN: stack-out-of-bounds Read in batadv_hardif_get_by_netdev run #1: crashed: KASAN: use-after-free Read in tick_sched_handle run #2: crashed: general protection fault in corrupted run #3: crashed: KASAN: stack-out-of-bounds Read in fib6_clean_node run #4: crashed: KASAN: stack-out-of-bounds Read in batadv_hardif_get_by_netdev run #5: crashed: KASAN: stack-out-of-bounds Read in corrupted run #6: crashed: KASAN: use-after-free Read in tick_sched_handle run #7: crashed: BUG: corrupted list in corrupted # git bisect bad 25fc1989077e71be9fdbe6b78670cf90df2fb789 Bisecting: 190 revisions left to test after this (roughly 8 steps) [6fe42e228dc2eb169afcde6f7b70c28175527753] tg3: extend PTP gettime function to read system clock testing commit 6fe42e228dc2eb169afcde6f7b70c28175527753 with gcc (GCC) 8.1.0 run #0: crashed: KASAN: use-after-free Read in tick_sched_handle run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in corrupted run #2: crashed: KASAN: stack-out-of-bounds Write in mld_sendpack run #3: crashed: general protection fault in corrupted run #4: crashed: KASAN: stack-out-of-bounds Read in corrupted run #5: crashed: KASAN: global-out-of-bounds Read in lock_timer_base run #6: crashed: general protection fault in corrupted run #7: crashed: KASAN: stack-out-of-bounds Read in addrconf_verify_rtnl # git bisect bad 6fe42e228dc2eb169afcde6f7b70c28175527753 Bisecting: 95 revisions left to test after this (roughly 7 steps) [85a1f31d6392fb2c6726fcc4e072de008e3f0656] net: phy: remove state PHY_AN testing commit 85a1f31d6392fb2c6726fcc4e072de008e3f0656 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 85a1f31d6392fb2c6726fcc4e072de008e3f0656 Bisecting: 47 revisions left to test after this (roughly 6 steps) [960abf68d2023f0d0b08c6f5d05971630496cfb0] net: 8021q: vlan_core: allow use list of vlans for real device testing commit 960abf68d2023f0d0b08c6f5d05971630496cfb0 with gcc (GCC) 8.1.0 run #0: crashed: general protection fault in __run_timers run #1: crashed: KASAN: stack-out-of-bounds Read in sctp_addr_wq_mgmt run #2: crashed: PANIC: double fault in match_held_lock run #3: crashed: general protection fault in gue_err_proto_handler run #4: crashed: KASAN: stack-out-of-bounds Read in rcu_cblist_dequeue run #5: crashed: KASAN: stack-out-of-bounds Read in copy_process run #6: crashed: general protection fault in depot_save_stack run #7: crashed: general protection fault in corrupted # git bisect bad 960abf68d2023f0d0b08c6f5d05971630496cfb0 Bisecting: 23 revisions left to test after this (roughly 5 steps) [b8a51b38e4d4dec3e379d52c0fe1a66827f7cf1e] fou, fou6: ICMP error handlers for FoU and GUE testing commit b8a51b38e4d4dec3e379d52c0fe1a66827f7cf1e with gcc (GCC) 8.1.0 run #0: crashed: WARNING: locking bug in corrupted run #1: crashed: KASAN: stack-out-of-bounds Read in kernfs_refresh_inode run #2: crashed: KASAN: stack-out-of-bounds Read in batadv_hardif_get_by_netdev run #3: crashed: KASAN: stack-out-of-bounds Read in __hrtimer_run_queues run #4: crashed: KASAN: stack-out-of-bounds Read in fib6_table_lookup run #5: crashed: WARNING in vmacache_find run #6: crashed: WARNING: locking bug in corrupted run #7: crashed: KASAN: use-after-free Read in tick_sched_handle # git bisect bad b8a51b38e4d4dec3e379d52c0fe1a66827f7cf1e Bisecting: 11 revisions left to test after this (roughly 4 steps) [1c51dc9ad68acf4d2cb89ba847fb48fd6e2de723] net/ipv6: compute anycast address hash only if dev is null testing commit 1c51dc9ad68acf4d2cb89ba847fb48fd6e2de723 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 1c51dc9ad68acf4d2cb89ba847fb48fd6e2de723 Bisecting: 5 revisions left to test after this (roughly 3 steps) [582888792f7bc2d543d85cb610160e2162d5f132] selftests: pmtu: Introduce tests for IPv4/IPv6 over VXLAN over IPv4/IPv6 testing commit 582888792f7bc2d543d85cb610160e2162d5f132 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 582888792f7bc2d543d85cb610160e2162d5f132 Bisecting: 2 revisions left to test after this (roughly 2 steps) [ce7336610ca950cda131293def57a0178d860121] selftests: pmtu: Introduce tests for IPv4/IPv6 over GENEVE over IPv4/IPv6 testing commit ce7336610ca950cda131293def57a0178d860121 with gcc (GCC) 8.1.0 all runs: OK # git bisect good ce7336610ca950cda131293def57a0178d860121 Bisecting: 0 revisions left to test after this (roughly 1 step) [e7cc082455cb49ea937a3ec4ab3d001b0b5f137b] udp: Support for error handlers of tunnels with arbitrary destination port testing commit e7cc082455cb49ea937a3ec4ab3d001b0b5f137b with gcc (GCC) 8.1.0 all runs: OK # git bisect good e7cc082455cb49ea937a3ec4ab3d001b0b5f137b b8a51b38e4d4dec3e379d52c0fe1a66827f7cf1e is the first bad commit commit b8a51b38e4d4dec3e379d52c0fe1a66827f7cf1e Author: Stefano Brivio Date: Thu Nov 8 12:19:23 2018 +0100 fou, fou6: ICMP error handlers for FoU and GUE As the destination port in FoU and GUE receiving sockets doesn't necessarily match the remote destination port, we can't associate errors to the encapsulating tunnels with a socket lookup -- we need to blindly try them instead. This means we don't even know if we are handling errors for FoU or GUE without digging into the packets. Hence, implement a single handler for both, one for IPv4 and one for IPv6, that will check whether the packet that generated the ICMP error used a direct IP encapsulation or if it had a GUE header, and send the error to the matching protocol handler, if any. Signed-off-by: Stefano Brivio Reviewed-by: Sabrina Dubroca Signed-off-by: David S. Miller :040000 040000 cabdcb7779c24a357486aae139cb31cdd625bc53 6bc9db712d9698330234b7c8c934dcfc71cfb657 M net revisions tested: 15, total time: 2h36m23.351867634s (build: 1h7m29.872457507s, test: 1h25m43.402895925s) first bad commit: b8a51b38e4d4dec3e379d52c0fe1a66827f7cf1e fou, fou6: ICMP error handlers for FoU and GUE cc: ["davem@davemloft.net" "kuznet@ms2.inr.ac.ru" "linux-kernel@vger.kernel.org" "netdev@vger.kernel.org" "sbrivio@redhat.com" "sd@queasysnail.net" "yoshfuji@linux-ipv6.org"] crash: KASAN: use-after-free Read in tick_sched_handle IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready IPv6: ADDRCONF(NETDEV_UP): veth0_to_hsr: link is not ready ================================================================== BUG: KASAN: use-after-free in tick_sched_handle+0x16c/0x180 kernel/time/tick-sched.c:164 IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready Read of size 8 at addr ffff880071eba620 by task syz-executor4/7068 CPU: 0 PID: 7068 Comm: syz-executor4 Not tainted 4.20.0-rc1+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x244/0x39d lib/dump_stack.c:113 hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network print_address_description.cold.7+0x9/0x1ff mm/kasan/report.c:256 kasan_report_error mm/kasan/report.c:354 [inline] kasan_report.cold.8+0x242/0x309 mm/kasan/report.c:412 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433 tick_sched_handle+0x16c/0x180 kernel/time/tick-sched.c:164 tick_sched_timer+0x45/0x130 kernel/time/tick-sched.c:1274 __run_hrtimer kernel/time/hrtimer.c:1398 [inline] __hrtimer_run_queues+0x41c/0x10d0 kernel/time/hrtimer.c:1460 hrtimer_interrupt+0x313/0x780 kernel/time/hrtimer.c:1518 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1034 [inline] smp_apic_timer_interrupt+0x1a1/0x760 arch/x86/kernel/apic/apic.c:1059 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:804 The buggy address belongs to the page: page:ffffea0001c7ae80 count:0 mapcount:0 mapping:0000000000000000 index:0x0 flags: 0x5fffc0000000000() raw: 05fffc0000000000 dead000000000100 dead000000000200 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff880071eba500: ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 00 BUG: unable to handle kernel paging request at ffffc900004c2668 usercopy: Kernel memory overwrite attempt detected to SLAB object 'kmalloc-64' (offset 120, size 8)! ffff880071eba580: 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ------------[ cut here ]------------ >ffff880071eba600: ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 00 kernel BUG at mm/usercopy.c:102! ^ invalid opcode: 0000 [#1] PREEMPT SMP KASAN ffff880071eba680: 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2 f2 CPU: 1 PID: 7069 Comm: syz-executor2 Not tainted 4.20.0-rc1+ #1 ffff880071eba700: f2 f2 f2 f2 f2 f8 f2 f2 f2 00 00 ff 00 00 00 00 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014 ==================================================================