Date: Fri, 20 Jul 2018 11:49:11 +0200
From: Greg Kroah-Hartman
To: Dmitry Vyukov, stable@vger.kernel.org
Cc: James Chapman, David Miller, "Reshetova, Elena", Hans Liljestrand, Kees Cook, LKML, netdev, syzkaller-bugs, Greg Hackmann, syzbot, Guillaume Nault
Subject: Re: KASAN: use-after-free Read in l2tp_session_create
Message-ID: <20180720094911.GA24081@kroah.com>
References: <001a11405130a984300562e8e7b3@google.com> <5308835b-b5ef-51e4-2e4f-05a9636dff55@katalix.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Jul 20, 2018 at 10:00:34AM +0200, Dmitry Vyukov wrote:
> On Fri, Jul 20, 2018 at 9:53 AM, James Chapman wrote:
> > On 18/07/18 12:00, Dmitry Vyukov wrote:
> >> On Tue, Jan 16, 2018 at 7:29 PM, syzbot
> >> wrote:
> >>> Hello,
> >>>
> >>> syzkaller hit the following crash on
> >>> a8750ddca918032d6349adbf9a4b6555e7db20da
> >>> git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master
> >>> compiler: gcc (GCC) 7.1.1 20170620
> >>> .config is attached
> >>> Raw console output is attached.
> >>> Unfortunately, I don't have any reproducer for this bug yet.
> >>>
> >>>
> >>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> >>> Reported-by: syzbot+065d0fc357520c8f6039@syzkaller.appspotmail.com
> >>> It will help syzbot understand when the bug is fixed. See footer for
> >>> details.
> >>> If you forward the report, please keep this part and the footer.
> >>
> >> James,
> >>
> >> Did you fix this? You asked syzbot to test a fix for this bug some time ago.
> >> If yes, did you include the Reported-by tag in the commit? This bug is
> >> still considered open by syzbot. But it stopped happening ~4 months
> >> ago:
> >
> > Yes, I think this has been fixed now. I think it was fixed by
> > Guillaume's 6b9f34239b00e6956a267abed2bc559ede556ad6 that was actually
> > to fix another syzbot bug fbeeb5c3b538e8545644 which looks similar to
> > this one.
> >
> >> https://syzkaller.appspot.com/bug?id=6fed0854381422329e78d7e16fb9cf4af8c9aef1
> >> We are also seeing these crashes in 4.4 and 4.9, it would be good to
> >> backport the fix.
> >
> > It looks like 6b9f34239b00e6956a267abed2bc559ede556ad6 hasn't made it to
> > 4.9 or 4.4.
>
> Thanks for the update!
>
> Let's tell syzbot that this is fixed:
>
> #syz fix: l2tp: fix races in tunnel creation
>
> Greg H: so this is probably the patch we need.
>
> +Greg KH: I think we need this in stable, we hit this in both 4.4 and 4.9.

It's also needed in 4.14.y. But it doesn't apply to any of those kernel
trees cleanly, can someone please provide a working backport?

thanks,

greg k-h