bisecting fixing commit since b36fdc6853a38a6f8749897a33435635019e0647
building syzkaller on 873745f2ff183dcbc303a504683ccaa3a472a635
testing commit b36fdc6853a38a6f8749897a33435635019e0647 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: slab-out-of-bounds Read in _decode_session6
testing current HEAD ecb095bff5d4b8711a81968625b3b4a235d3e477
testing commit ecb095bff5d4b8711a81968625b3b4a235d3e477 with gcc (GCC) 8.1.0
all runs: OK
# git bisect start ecb095bff5d4b8711a81968625b3b4a235d3e477 b36fdc6853a38a6f8749897a33435635019e0647
Bisecting: 37121 revisions left to test after this (roughly 15 steps)
[b1e243957e9b3ba8e820fb8583bdf18e7c737aa2] Merge tag 'for-5.1-part1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux
testing commit b1e243957e9b3ba8e820fb8583bdf18e7c737aa2 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad b1e243957e9b3ba8e820fb8583bdf18e7c737aa2
Bisecting: 18565 revisions left to test after this (roughly 14 steps)
[996680d461f8f759082e64f2395c1f7c25d9d549] Merge tag 'media/v4.20-7' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media
testing commit 996680d461f8f759082e64f2395c1f7c25d9d549 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: slab-out-of-bounds Read in _decode_session6
# git bisect good 996680d461f8f759082e64f2395c1f7c25d9d549
Bisecting: 9280 revisions left to test after this (roughly 13 steps)
[9b286efeb5eb5aaa2712873fc1f928b2f879dbde] Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
testing commit 9b286efeb5eb5aaa2712873fc1f928b2f879dbde with gcc (GCC) 8.1.0
all runs: crashed: KASAN: slab-out-of-bounds Read in _decode_session6
# git bisect good 9b286efeb5eb5aaa2712873fc1f928b2f879dbde
Bisecting: 4640 revisions left to test after this (roughly 12 steps)
[65b034cf5c1766492aa107958149b440889480be] net: dsa: mv88e6xxx: Default CMODE to 1000BaseX only on 6390X
testing commit 65b034cf5c1766492aa107958149b440889480be with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 65b034cf5c1766492aa107958149b440889480be
Bisecting: 2319 revisions left to test after this (roughly 11 steps)
[04c03114be82194d4a4858d41dba8e286ad1787c] tcp: clear icsk_backoff in tcp_write_queue_purge()
testing commit 04c03114be82194d4a4858d41dba8e286ad1787c with gcc (GCC) 8.1.0
run #0: basic kernel testing failed: failed to copy test binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/syzkaller/jobs/linux/workdir/image/key" "/tmp/syz-executor991108194" "root@10.128.10.35:./syz-executor991108194"]: exit status 1
ssh: connect to host 10.128.10.35 port 22: Connection timed out
lost connection
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 04c03114be82194d4a4858d41dba8e286ad1787c
Bisecting: 1159 revisions left to test after this (roughly 10 steps)
[f0e7ce1eef5854584dfb59b3824a67edee37580f] Merge tag 'drm-msm-fixes-2019-01-24' of git://people.freedesktop.org/~robclark/linux into drm-fixes
testing commit f0e7ce1eef5854584dfb59b3824a67edee37580f with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad f0e7ce1eef5854584dfb59b3824a67edee37580f
Bisecting: 590 revisions left to test after this (roughly 9 steps)
[66c56cfa64d9dbb9efa8a06c1aece77e8d57ea19] Merge tag 'remove-dma_zalloc_coherent-5.0' of git://git.infradead.org/users/hch/dma-mapping
testing commit 66c56cfa64d9dbb9efa8a06c1aece77e8d57ea19 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: slab-out-of-bounds Read in _decode_session6
# git bisect good 66c56cfa64d9dbb9efa8a06c1aece77e8d57ea19
Bisecting: 295 revisions left to test after this (roughly 8 steps)
[cc5e710759470bc7f3c61d11fd54586f15fdbdf4] vhost: log dirty page correctly
testing commit cc5e710759470bc7f3c61d11fd54586f15fdbdf4 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: slab-out-of-bounds Read in _decode_session6
# git bisect good cc5e710759470bc7f3c61d11fd54586f15fdbdf4
Bisecting: 144 revisions left to test after this (roughly 7 steps)
[0facb892456ff922924e704f78cafcaa7be85e8c] Merge tag 'for-linus-20190118' of git://git.kernel.dk/linux-block
testing commit 0facb892456ff922924e704f78cafcaa7be85e8c with gcc (GCC) 8.1.0
all runs: crashed: KASAN: slab-out-of-bounds Read in _decode_session6
# git bisect good 0facb892456ff922924e704f78cafcaa7be85e8c
Bisecting: 71 revisions left to test after this (roughly 6 steps)
[bb617b9b4519b0cef939c9c8e9c41470749f0d51] Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost
testing commit bb617b9b4519b0cef939c9c8e9c41470749f0d51 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: slab-out-of-bounds Read in _decode_session6
# git bisect good bb617b9b4519b0cef939c9c8e9c41470749f0d51
Bisecting: 43 revisions left to test after this (roughly 5 steps)
[df133f3f96257ee29696c0ed8bd198ec801dc810] virtio_net: bulk free tx skbs
testing commit df133f3f96257ee29696c0ed8bd198ec801dc810 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: slab-out-of-bounds Read in _decode_session6
# git bisect good df133f3f96257ee29696c0ed8bd198ec801dc810
Bisecting: 21 revisions left to test after this (roughly 5 steps)
[dbcfc961939394152cbcf3f17144ff3df359f216] Merge tag 'gcc-plugins-v5.0-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux
testing commit dbcfc961939394152cbcf3f17144ff3df359f216 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad dbcfc961939394152cbcf3f17144ff3df359f216
Bisecting: 10 revisions left to test after this (roughly 4 steps)
[c61c27687a5abce11431e6de1adb6e36099b9859] bpf: Correctly annotate implicit fall through in bpf_base_func_proto
testing commit c61c27687a5abce11431e6de1adb6e36099b9859 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: slab-out-of-bounds Read in _decode_session6
# git bisect good c61c27687a5abce11431e6de1adb6e36099b9859
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[64cf5481262b9664ae3cdcb333f4a06af3e8fb58] tools: bpftool: Cleanup license mess
testing commit 64cf5481262b9664ae3cdcb333f4a06af3e8fb58 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: slab-out-of-bounds Read in _decode_session6
# git bisect good 64cf5481262b9664ae3cdcb333f4a06af3e8fb58
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[7d0ae236ed13d7645fb73b85e7c95deee46c4656] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
testing commit 7d0ae236ed13d7645fb73b85e7c95deee46c4656 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 7d0ae236ed13d7645fb73b85e7c95deee46c4656
Bisecting: 0 revisions left to test after this (roughly 1 step)
[6436408e814b81046f4595245c1f9bc4409e945c] Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf
testing commit 6436408e814b81046f4595245c1f9bc4409e945c with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 6436408e814b81046f4595245c1f9bc4409e945c
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[e7c87bd6cc4ec7b0ac1ed0a88a58f8206c577488] bpf: in __bpf_redirect_no_mac pull mac only if present
testing commit e7c87bd6cc4ec7b0ac1ed0a88a58f8206c577488 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad e7c87bd6cc4ec7b0ac1ed0a88a58f8206c577488
e7c87bd6cc4ec7b0ac1ed0a88a58f8206c577488 is the first bad commit
commit e7c87bd6cc4ec7b0ac1ed0a88a58f8206c577488
Author: Willem de Bruijn
Date:   Tue Jan 15 20:19:22 2019 -0500

    bpf: in __bpf_redirect_no_mac pull mac only if present

    Syzkaller was able to construct a packet of negative length by
    redirecting from bpf_prog_test_run_skb with BPF_PROG_TYPE_LWT_XMIT:

      BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:345 [inline]
      BUG: KASAN: slab-out-of-bounds in skb_copy_from_linear_data include/linux/skbuff.h:3421 [inline]
      BUG: KASAN: slab-out-of-bounds in __pskb_copy_fclone+0x2dd/0xeb0 net/core/skbuff.c:1395
      Read of size 4294967282 at addr ffff8801d798009c by task syz-executor2/12942

      kasan_report.cold.9+0x242/0x309 mm/kasan/report.c:412
      check_memory_region_inline mm/kasan/kasan.c:260 [inline]
      check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
      memcpy+0x23/0x50 mm/kasan/kasan.c:302
      memcpy include/linux/string.h:345 [inline]
      skb_copy_from_linear_data include/linux/skbuff.h:3421 [inline]
      __pskb_copy_fclone+0x2dd/0xeb0 net/core/skbuff.c:1395
      __pskb_copy include/linux/skbuff.h:1053 [inline]
      pskb_copy include/linux/skbuff.h:2904 [inline]
      skb_realloc_headroom+0xe7/0x120 net/core/skbuff.c:1539
      ipip6_tunnel_xmit net/ipv6/sit.c:965 [inline]
      sit_tunnel_xmit+0xe1b/0x30d0 net/ipv6/sit.c:1029
      __netdev_start_xmit include/linux/netdevice.h:4325 [inline]
      netdev_start_xmit include/linux/netdevice.h:4334 [inline]
      xmit_one net/core/dev.c:3219 [inline]
      dev_hard_start_xmit+0x295/0xc90 net/core/dev.c:3235
      __dev_queue_xmit+0x2f0d/0x3950 net/core/dev.c:3805
      dev_queue_xmit+0x17/0x20 net/core/dev.c:3838
      __bpf_tx_skb net/core/filter.c:2016 [inline]
      __bpf_redirect_common net/core/filter.c:2054 [inline]
      __bpf_redirect+0x5cf/0xb20 net/core/filter.c:2061
      ____bpf_clone_redirect net/core/filter.c:2094 [inline]
      bpf_clone_redirect+0x2f6/0x490 net/core/filter.c:2066
      bpf_prog_41f2bcae09cd4ac3+0xb25/0x1000

    The generated test constructs a packet with mac header, network
    header, skb->data pointing to network header and skb->len 0.

    Redirecting to a sit0 through __bpf_redirect_no_mac pulls the
    mac length, even though skb->data already is at skb->network_header.
    bpf_prog_test_run_skb has already pulled it as LWT_XMIT !is_l2.

    Update the offset calculation to pull only if skb->data differs
    from skb->network_header, which is not true in this case.

    The test itself can be run only from commit 1cf1cae963c2 ("bpf:
    introduce BPF_PROG_TEST_RUN command"), but the same type of packets
    with skb at network header could already be built from lwt xmit hooks,
    so this fix is more relevant to that commit.

    Also set the mac header on redirect from LWT_XMIT, as even after this
    change to __bpf_redirect_no_mac that field is expected to be set, but
    is not yet in ip_finish_output2.

    Fixes: 3a0af8fd61f9 ("bpf: BPF for lightweight tunnel infrastructure")
    Reported-by: syzbot
    Signed-off-by: Willem de Bruijn
    Acked-by: Martin KaFai Lau
    Signed-off-by: Daniel Borkmann

:040000 040000 3a013b53fd567fd8ec7ec4f99b67c02462115345 f181f4c88b4e8c6dbabca0a967e8a014bebc4f05 M	net
revisions tested: 19, total time: 3h51m19.360891438s (build: 1h28m50.222750275s, test: 2h16m0.626239458s)
first good commit: e7c87bd6cc4ec7b0ac1ed0a88a58f8206c577488 bpf: in __bpf_redirect_no_mac pull mac only if present
cc: ["ast@kernel.org" "bpf@vger.kernel.org" "daniel@iogearbox.net" "davem@davemloft.net" "dsahern@gmail.com" "johannes.berg@intel.com" "kafai@fb.com" "linux-kernel@vger.kernel.org" "netdev@vger.kernel.org" "posk@google.com" "songliubraving@fb.com" "tglx@linutronix.de" "willemb@google.com" "yhs@fb.com"]