From: Dmitry Vyukov
Date: Wed, 29 May 2019 17:14:17 +0200
Subject: Re: KASAN: use-after-free Read in br_mdb_ip_get
To: Herbert Xu
Cc: Nikolay Aleksandrov, Thomas Graf, syzbot, bridge@lists.linux-foundation.org, David Miller, LKML, netdev, Roopa Prabhu, syzkaller-bugs
In-Reply-To: <20190529145845.bcvuc5ows4dedqh3@gondor.apana.org.au>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, May 29, 2019 at 4:58 PM Herbert Xu wrote:
>
> Hi Dmitry:
>
> On Thu, Feb 21, 2019 at 11:54:42AM +0100, Dmitry Vyukov wrote:
> >
> > Taking into account that this still happened only once, I tend to
> > write it off onto a previous silent memory corruption (we have dozens
> > of known bugs that corrupt memory). So if several people already
> > looked at it and don't see the root cause, it's probably time to stop
> > spending time on this until we have more info.
> >
> > Although, there was also this one:
> > https://groups.google.com/d/msg/syzkaller-bugs/QfCCSxdB1aM/y2cn9IZJCwAJ
> > I have not checked if it can be the root cause of this report, but it
> > points suspiciously close to this stack and when I looked at it,
> > the report looked legit.
>
> Have you had any more reports of this kind coming from br_multicast?
>
> It looks like
>
> commit 1515a63fc413f160d20574ab0894e7f1020c7be2
> Author: Nikolay Aleksandrov
> Date: Wed Apr 3 23:27:24 2019 +0300
>
>     net: bridge: always clear mcast matching struct on reports and leaves
>
> may have at least fixed the uninitialised value error.

The most up-to-date info is always available here:

>> dashboard link: https://syzkaller.appspot.com/bug?extid=bc5ab0af2dbf3b0ae897

It says no new crashes happened besides the original one.

We now have the following choices:

1. Invalidate with "#syz invalid"
2. Mark as tentatively fixed by that commit (could it fix it?) with
   "#syz fix: net: bridge: always clear mcast matching struct on reports and leaves"
3. Do nothing, then syzbot will auto-close it soon (bugs without
   reproducers that did not happen in the past 180 days)