bisecting cause commit starting from 24625f7d91fb86b91e14749633a7f022f5866116 building syzkaller on 127d1fafc7d808f8bfcbb50170aa1f00b0209dad testing commit 24625f7d91fb86b91e14749633a7f022f5866116 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 9323178c8ecd7e181ce642ccd2f7bd2d9b609041711a1abd259646f78c0e34f5 run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: EOF run #1: crashed: possible deadlock in j1939_sk_errqueue run #2: crashed: possible deadlock in j1939_sk_errqueue run #3: crashed: possible deadlock in j1939_sk_errqueue run #4: crashed: possible deadlock in j1939_sk_errqueue run #5: crashed: possible deadlock in j1939_sk_errqueue run #6: crashed: possible deadlock in j1939_sk_errqueue run #7: crashed: possible deadlock in j1939_sk_errqueue run #8: crashed: possible deadlock in j1939_sk_errqueue run #9: crashed: possible deadlock in j1939_sk_errqueue run #10: crashed: possible deadlock in j1939_sk_errqueue run #11: crashed: possible deadlock in j1939_sk_errqueue run #12: crashed: possible deadlock in j1939_sk_errqueue run #13: crashed: possible deadlock in j1939_sk_errqueue run #14: crashed: possible deadlock in j1939_sk_errqueue run #15: crashed: possible deadlock in j1939_sk_errqueue run #16: crashed: possible deadlock in j1939_sk_errqueue run #17: crashed: possible deadlock in j1939_sk_errqueue run #18: crashed: possible deadlock in j1939_sk_errqueue run #19: crashed: possible deadlock in j1939_sk_errqueue testing release v5.18 testing commit 4b0986a3613c92f4ec1bdc7f60ec66fea135991f compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 768117d2dd8e5be6501352227ca61097037a3a302f4fc211474a983ec5c8baaa all runs: crashed: possible deadlock in j1939_sk_errqueue testing release v5.17 testing commit f443e374ae131c168a065ea1748feac6b2e76613 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 0e210fb2afb33ea0dcb66d395a0534a0eb6e806625f54b6fb8228729545d8263 all runs: crashed: possible deadlock in j1939_sk_errqueue testing release v5.16 testing commit df0cc57e057f18e44dac8e6c18aba47ab53202f9 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 64fb104ed9331388f6cf1273566edfff421fbe670f5f5d2c66beb24e5d8aaa7d all runs: crashed: possible deadlock in j1939_sk_errqueue testing release v5.15 testing commit 8bb7eca972ad531c9b149c0a51ab43a417385813 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: cfc7433006fe31cfcfe16ee86441ac16916e74113d0c9aa02b1befe917036699 all runs: crashed: possible deadlock in j1939_sk_errqueue testing release v5.14 testing commit 7d2a07b769330c34b4deabeed939325c77a7ec2f compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: c61de881a8aaa06053fa91a2831c6be77e1f8ef34cad5975780753524723904d all runs: crashed: WARNING in j1939_session_deactivate testing release v5.13 testing commit 62fb9874f5da54fdb243003b386128037319b219 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 06dbb388e5f4caaa5c7779c6dea4fd3dcd8299bd01dc7c259247bbf481ce45f4 all runs: OK # git bisect start 7d2a07b769330c34b4deabeed939325c77a7ec2f 62fb9874f5da54fdb243003b386128037319b219 Bisecting: 7914 revisions left to test after this (roughly 13 steps) [406254918b232db198ed60f5bf1f8b84d96bca00] Merge tag 'perf-tools-for-v5.14-2021-07-01' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux testing commit 406254918b232db198ed60f5bf1f8b84d96bca00 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: d93ea758c8fdd1927e824a1d4bf3a9ff920d713eaf1a28cb2fe9271db8902a53 all runs: OK # git bisect good 406254918b232db198ed60f5bf1f8b84d96bca00 Bisecting: 3969 revisions left to test after this (roughly 12 steps) [4ea90317956718e0648e1f87e56530db809a5a04] Merge tag 'for-linus-5.14-rc1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip testing commit 4ea90317956718e0648e1f87e56530db809a5a04 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 2195934209e1445013e63b1f07ede552bae982372a5efde0b7aa312cf204d4af run #0: boot failed: possible deadlock in get_page_from_freelist run #1: boot failed: kernel panic: VFS: Unable to mount root fs on unknown-block(NUM,NUM) run #2: boot failed: kernel panic: VFS: Unable to mount root fs on unknown-block(NUM,NUM) run #3: boot failed: BUG: sleeping function called from invalid context in stack_depot_save run #4: boot failed: kernel panic: VFS: Unable to mount root fs on unknown-block(NUM,NUM) run #5: boot failed: kernel panic: VFS: Unable to mount root fs on unknown-block(NUM,NUM) run #6: boot failed: kernel panic: VFS: Unable to mount root fs on unknown-block(NUM,NUM) run #7: boot failed: kernel panic: VFS: Unable to mount root fs on unknown-block(NUM,NUM) run #8: boot failed: kernel panic: VFS: Unable to mount root fs on unknown-block(NUM,NUM) run #9: boot failed: kernel panic: VFS: Unable to mount root fs on unknown-block(NUM,NUM) # git bisect skip 4ea90317956718e0648e1f87e56530db809a5a04 Bisecting: 3969 revisions left to test after this (roughly 12 steps) [c1b8ac969febc8f413c4d71f0eefe2e107610449] pwm: tegra: Drop an if block with an always false condition testing commit c1b8ac969febc8f413c4d71f0eefe2e107610449 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: fd1a8304d088788504a404a955825f0c694d4fd2d0d1a8b86e92297d47744761 all runs: OK # git bisect good c1b8ac969febc8f413c4d71f0eefe2e107610449 Bisecting: 3937 revisions left to test after this (roughly 12 steps) [b5e6d1261e2090df1325e762669c8eab6d4fb2fb] Merge tag 'hwlock-v5.14' of git://git.kernel.org/pub/scm/linux/kernel/git/andersson/remoteproc testing commit b5e6d1261e2090df1325e762669c8eab6d4fb2fb compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: d5cf1b6affc2a4f25c6b43c84735f8d01ebe4cc71999acb91499fc5f751be0af run #0: boot failed: kernel panic: VFS: Unable to mount root fs on unknown-block(NUM,NUM) run #1: boot failed: possible deadlock in fs_reclaim_acquire run #2: boot failed: kernel panic: VFS: Unable to mount root fs on unknown-block(NUM,NUM) run #3: boot failed: BUG: sleeping function called from invalid context in stack_depot_save run #4: boot failed: possible deadlock in fs_reclaim_acquire run #5: boot failed: kernel panic: VFS: Unable to mount root fs on unknown-block(NUM,NUM) run #6: boot failed: BUG: sleeping function called from invalid context in stack_depot_save run #7: boot failed: kernel panic: VFS: Unable to mount root fs on unknown-block(NUM,NUM) run #8: boot failed: kernel panic: VFS: Unable to mount root fs on unknown-block(NUM,NUM) run #9: boot failed: kernel panic: VFS: Unable to mount root fs on unknown-block(NUM,NUM) # git bisect skip b5e6d1261e2090df1325e762669c8eab6d4fb2fb Bisecting: 3937 revisions left to test after this (roughly 12 steps) [5a4e0f58e2d959e2de0f0f1ddaa169e60711d2f0] s390/ipl: use register pair instead of register asm testing commit 5a4e0f58e2d959e2de0f0f1ddaa169e60711d2f0 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: b051a714f2eab08e543d84c6a5cc1f1573850e85fbfef8bd7652d2a00f11f3ac all runs: OK # git bisect good 5a4e0f58e2d959e2de0f0f1ddaa169e60711d2f0 Bisecting: 3929 revisions left to test after this (roughly 12 steps) [2de7e4f67599affc97132bd07e30e3bd59d0b777] ixgbevf: use xso.real_dev instead of xso.dev in callback functions of struct xfrmdev_ops testing commit 2de7e4f67599affc97132bd07e30e3bd59d0b777 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: aba8354a686a6a3926b832744c3370620e5386fc7b5b697cd056a7c7f6d5ae22 run #0: basic kernel testing failed: BUG: sleeping function called from invalid context in lock_sock_nested run #1: crashed: KASAN: use-after-free Read in j1939_xtp_rx_dat_one run #2: crashed: KASAN: use-after-free Read in j1939_xtp_rx_dat_one run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK reproducer seems to be flaky # git bisect bad 2de7e4f67599affc97132bd07e30e3bd59d0b777 Bisecting: 46 revisions left to test after this (roughly 6 steps) [ca75bcf0a83b6cc7f53a593d98ec7121c4839b43] net: remove the caif_hsi driver testing commit ca75bcf0a83b6cc7f53a593d98ec7121c4839b43 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: d2f2af0a103fcccb7f0ce4808ddc972af95f3808be96456adb7af79f2d5e42fe run #0: boot failed: general protection fault in ptp_clock_register run #1: boot failed: general protection fault in ptp_clock_register run #2: boot failed: general protection fault in ptp_clock_register run #3: boot failed: BUG: sleeping function called from invalid context in stack_depot_save run #4: boot failed: possible deadlock in fs_reclaim_acquire run #5: boot failed: possible deadlock in get_page_from_freelist run #6: boot failed: BUG: sleeping function called from invalid context in stack_depot_save run #7: boot failed: general protection fault in ptp_clock_register run #8: boot failed: possible deadlock in get_page_from_freelist run #9: boot failed: general protection fault in ptp_clock_register run #10: boot failed: general protection fault in ptp_clock_register run #11: boot failed: general protection fault in ptp_clock_register run #12: boot failed: general protection fault in ptp_clock_register run #13: boot failed: general protection fault in ptp_clock_register run #14: boot failed: general protection fault in ptp_clock_register run #15: boot failed: general protection fault in ptp_clock_register run #16: boot failed: general protection fault in ptp_clock_register run #17: boot failed: general protection fault in ptp_clock_register run #18: boot failed: general protection fault in ptp_clock_register run #19: boot failed: BUG: sleeping function called from invalid context in stack_depot_save # git bisect skip ca75bcf0a83b6cc7f53a593d98ec7121c4839b43 Bisecting: 46 revisions left to test after this (roughly 6 steps) [11527f3c4725640e6c40a2b7654e303f45e82a6c] net: dsa: mv88e6xxx: use correct .stats_set_histogram() on Topaz testing commit 11527f3c4725640e6c40a2b7654e303f45e82a6c compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: d8505d62d97d58508d0a6a0dd891f1047eda25c8f8fbcd7c53024479192a99b7 run #0: crashed: KASAN: use-after-free Read in j1939_xtp_rx_dat_one run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK # git bisect bad 11527f3c4725640e6c40a2b7654e303f45e82a6c Bisecting: 3 revisions left to test after this (roughly 2 steps) [5c0512072f6517326d9fba083c4467f173ddd984] octeontx2-pf: cn10k: Use runtime allocated LMTLINE region testing commit 5c0512072f6517326d9fba083c4467f173ddd984 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 9610e7c8b552421cedd45e43b3328928dd87e2f070d532988f9496aa53bfa8a6 run #0: crashed: KASAN: use-after-free Read in j1939_xtp_rx_dat_one run #1: crashed: KASAN: use-after-free Read in j1939_xtp_rx_dat_one run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK # git bisect bad 5c0512072f6517326d9fba083c4467f173ddd984 Bisecting: 1 revision left to test after this (roughly 1 step) [873a1e3d207ae587a7a1cc1d84545146b449ea5d] octeontx2-af: cn10k: Setting up lmtst map table testing commit 873a1e3d207ae587a7a1cc1d84545146b449ea5d compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 9610e7c8b552421cedd45e43b3328928dd87e2f070d532988f9496aa53bfa8a6 run #0: crashed: KASAN: use-after-free Read in j1939_xtp_rx_dat_one run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK # git bisect bad 873a1e3d207ae587a7a1cc1d84545146b449ea5d 873a1e3d207ae587a7a1cc1d84545146b449ea5d is the first bad commit commit 873a1e3d207ae587a7a1cc1d84545146b449ea5d Author: Harman Kalra Date: Tue Jun 29 22:30:04 2021 +0530 octeontx2-af: cn10k: Setting up lmtst map table Introducing a new mailbox to support updating lmt entries and common lmt base address scheme i.e. multiple pcifuncs can share lmt region to reduce L1 cache pressure for application. Parameters passed to mailbox includes the primary pcifunc value whose lmt regions will be shared by other secondary pcifuncs. Here secondary pcifunc will be the one who is calling the mailbox. For example: By default each pcifunc has its own LMT base address: PCIFUNC1 LMT_BASE_ADDR A PCIFUNC2 LMT_BASE_ADDR B PCIFUNC3 LMT_BASE_ADDR C PCIFUNC4 LMT_BASE_ADDR D Application will choose PCIFUNC1 as base/primary pcifunc and as and when other pcifunc(secondary pcifuncs) gets probed, this mailbox will be called and LMTST table will be updated as: PCIFUNC1 LMT_BASE_ADDR A PCIFUNC2 LMT_BASE_ADDR A PCIFUNC3 LMT_BASE_ADDR A PCIFUNC4 LMT_BASE_ADDR A On FLR lmtst map table gets resetted to the default lmt base addresses for all secondary pcifuncs. Signed-off-by: Harman Kalra Signed-off-by: Geetha sowjanya Signed-off-by: Sunil Goutham Signed-off-by: David S. Miller drivers/net/ethernet/marvell/octeontx2/af/mbox.h | 7 ++ drivers/net/ethernet/marvell/octeontx2/af/rvu.c | 1 + drivers/net/ethernet/marvell/octeontx2/af/rvu.h | 4 + .../net/ethernet/marvell/octeontx2/af/rvu_cn10k.c | 140 +++++++++++++++++++++ .../net/ethernet/marvell/octeontx2/af/rvu_reg.h | 5 + .../net/ethernet/marvell/octeontx2/af/rvu_struct.h | 3 +- 6 files changed, 159 insertions(+), 1 deletion(-) parent commit dbe69e43372212527abf48609aba7fc39a6daa27 wasn't tested testing commit dbe69e43372212527abf48609aba7fc39a6daa27 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 9610e7c8b552421cedd45e43b3328928dd87e2f070d532988f9496aa53bfa8a6 culprit signature: 9610e7c8b552421cedd45e43b3328928dd87e2f070d532988f9496aa53bfa8a6 parent signature: 9610e7c8b552421cedd45e43b3328928dd87e2f070d532988f9496aa53bfa8a6 Reproducer flagged being flaky revisions tested: 17, total time: 4h3m55.684335972s (build: 1h53m50.155151582s, test: 2h7m24.71454967s) first bad commit: 873a1e3d207ae587a7a1cc1d84545146b449ea5d octeontx2-af: cn10k: Setting up lmtst map table recipients (to): ["davem@davemloft.net" "gakula@marvell.com" "hkalra@marvell.com" "sgoutham@marvell.com"] recipients (cc): [] crash: KASAN: use-after-free Read in j1939_xtp_rx_dat_one vcan0: j1939_xtp_rx_dat: no rx connection found vcan0: j1939_xtp_rx_dat_one: 0xffff8880398f1800: last 00 vcan0: j1939_xtp_rx_dat_one: 0xffff8880398f1800: Data of RX-looped back packet (00 ff ff ff ff ff ff) doesn't match TX data (00 00 00 00 00 00 00)! ================================================================== BUG: KASAN: use-after-free in j1939_xtp_rx_dat_one+0xbf7/0xd20 net/can/j1939/transport.c:1849 Read of size 1 at addr ffff888028f2068e by task ksoftirqd/1/19 CPU: 1 PID: 19 Comm: ksoftirqd/1 Tainted: G W 5.13.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack_lvl+0x57/0x7d lib/dump_stack.c:96 print_address_description.constprop.0.cold+0x6c/0x309 mm/kasan/report.c:233 __kasan_report mm/kasan/report.c:419 [inline] kasan_report.cold+0x83/0xdf mm/kasan/report.c:436 j1939_xtp_rx_dat_one+0xbf7/0xd20 net/can/j1939/transport.c:1849 j1939_xtp_rx_dat net/can/j1939/transport.c:1901 [inline] j1939_tp_recv+0x3fe/0x8e0 net/can/j1939/transport.c:2083 j1939_can_recv+0x584/0x7a0 net/can/j1939/main.c:101 deliver net/can/af_can.c:574 [inline] can_rcv_filter+0x4ce/0x7b0 net/can/af_can.c:608 can_receive+0x2b7/0x490 net/can/af_can.c:665 can_rcv+0xce/0x150 net/can/af_can.c:696 __netif_receive_skb_one_core+0x104/0x180 net/core/dev.c:5486 process_backlog+0x1d2/0x610 net/core/dev.c:6464 __napi_poll+0x94/0x350 net/core/dev.c:7019 napi_poll net/core/dev.c:7086 [inline] net_rx_action+0x6fc/0xa50 net/core/dev.c:7173 __do_softirq+0x29b/0x9bd kernel/softirq.c:558 run_ksoftirqd kernel/softirq.c:920 [inline] run_ksoftirqd+0x2d/0x60 kernel/softirq.c:912 smpboot_thread_fn+0x548/0x8c0 kernel/smpboot.c:164 kthread+0x38b/0x460 kernel/kthread.c:319 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 Allocated by task 5990: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 kasan_set_track mm/kasan/common.c:46 [inline] set_alloc_info mm/kasan/common.c:434 [inline] __kasan_slab_alloc+0x84/0xa0 mm/kasan/common.c:467 kasan_slab_alloc include/linux/kasan.h:253 [inline] slab_post_alloc_hook mm/slab.h:512 [inline] slab_alloc_node mm/slub.c:2970 [inline] kmem_cache_alloc_node+0x266/0x3e0 mm/slub.c:3006 __alloc_skb+0x153/0x280 net/core/skbuff.c:414 alloc_skb include/linux/skbuff.h:1112 [inline] alloc_skb_with_frags+0x73/0x540 net/core/skbuff.c:6004 sock_alloc_send_pskb+0x636/0x7c0 net/core/sock.c:2400 j1939_sk_alloc_skb net/can/j1939/socket.c:861 [inline] j1939_sk_send_loop net/can/j1939/socket.c:1043 [inline] j1939_sk_sendmsg+0x5ac/0x10f0 net/can/j1939/socket.c:1178 sock_sendmsg_nosec net/socket.c:702 [inline] sock_sendmsg+0xab/0xe0 net/socket.c:722 sock_no_sendpage+0xe7/0x120 net/core/sock.c:2898 kernel_sendpage.part.0+0x11e/0x240 net/socket.c:3666 kernel_sendpage net/socket.c:3663 [inline] sock_sendpage+0xc7/0x1a0 net/socket.c:995 pipe_to_sendpage+0x245/0x410 fs/splice.c:364 splice_from_pipe_feed fs/splice.c:418 [inline] __splice_from_pipe+0x362/0x810 fs/splice.c:562 splice_from_pipe fs/splice.c:597 [inline] generic_splice_sendpage+0xba/0x120 fs/splice.c:746 do_splice_from fs/splice.c:767 [inline] direct_splice_actor+0xfb/0x1c0 fs/splice.c:936 splice_direct_to_actor+0x2dd/0x7c0 fs/splice.c:891 do_splice_direct+0x154/0x260 fs/splice.c:979 do_sendfile+0x824/0x1020 fs/read_write.c:1260 __do_sys_sendfile64 fs/read_write.c:1325 [inline] __se_sys_sendfile64 fs/read_write.c:1311 [inline] __x64_sys_sendfile64+0x186/0x1d0 fs/read_write.c:1311 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0x80 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae Freed by task 13: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 kasan_set_track+0x1c/0x30 mm/kasan/common.c:46 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:360 ____kasan_slab_free mm/kasan/common.c:366 [inline] ____kasan_slab_free mm/kasan/common.c:328 [inline] __kasan_slab_free+0xfb/0x130 mm/kasan/common.c:374 kasan_slab_free include/linux/kasan.h:229 [inline] slab_free_hook mm/slub.c:1639 [inline] slab_free_freelist_hook+0xdf/0x240 mm/slub.c:1664 slab_free mm/slub.c:3224 [inline] kmem_cache_free+0x8e/0x5a0 mm/slub.c:3240 j1939_session_skb_drop_old net/can/j1939/transport.c:336 [inline] j1939_xtp_rx_cts_one net/can/j1939/transport.c:1418 [inline] j1939_xtp_rx_cts+0x9fa/0x1150 net/can/j1939/transport.c:1457 j1939_tp_cmd_recv net/can/j1939/transport.c:2027 [inline] j1939_tp_recv+0x662/0x8e0 net/can/j1939/transport.c:2093 j1939_can_recv+0x584/0x7a0 net/can/j1939/main.c:101 deliver net/can/af_can.c:574 [inline] can_rcv_filter+0x4ce/0x7b0 net/can/af_can.c:608 can_receive+0x2b7/0x490 net/can/af_can.c:665 can_rcv+0xce/0x150 net/can/af_can.c:696 __netif_receive_skb_one_core+0x104/0x180 net/core/dev.c:5486 process_backlog+0x1d2/0x610 net/core/dev.c:6464 __napi_poll+0x94/0x350 net/core/dev.c:7019 napi_poll net/core/dev.c:7086 [inline] net_rx_action+0x6fc/0xa50 net/core/dev.c:7173 __do_softirq+0x29b/0x9bd kernel/softirq.c:558 The buggy address belongs to the object at ffff888028f20640 which belongs to the cache skbuff_head_cache of size 224 The buggy address is located 78 bytes inside of 224-byte region [ffff888028f20640, ffff888028f20720) The buggy address belongs to the page: page:ffffea0000a3c800 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x28f20 flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000200 0000000000000000 dead000000000122 ffff8881445f7000 raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_HARDWALL), pid 19, ts 103597212743, free_ts 102770182827 prep_new_page mm/page_alloc.c:2445 [inline] get_page_from_freelist+0xa6f/0x2f50 mm/page_alloc.c:4178 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5386 alloc_slab_page mm/slub.c:1702 [inline] allocate_slab+0x32b/0x4c0 mm/slub.c:1842 new_slab mm/slub.c:1905 [inline] new_slab_objects mm/slub.c:2651 [inline] ___slab_alloc+0x4ba/0x820 mm/slub.c:2814 __slab_alloc.constprop.0+0xa7/0xf0 mm/slub.c:2854 slab_alloc_node mm/slub.c:2936 [inline] kmem_cache_alloc_node+0x12c/0x3e0 mm/slub.c:3006 __alloc_skb+0x153/0x280 net/core/skbuff.c:414 alloc_skb include/linux/skbuff.h:1112 [inline] j1939_tp_tx_dat_new+0x2b/0x4b0 net/can/j1939/transport.c:583 j1939_xtp_do_tx_ctl+0x69/0x170 net/can/j1939/transport.c:644 j1939_tp_tx_ctl net/can/j1939/transport.c:662 [inline] j1939_session_tx_eoma net/can/j1939/transport.c:968 [inline] j1939_xtp_txnext_receiver net/can/j1939/transport.c:1008 [inline] j1939_tp_txtimer+0x1634/0x1fa0 net/can/j1939/transport.c:1142 __run_hrtimer kernel/time/hrtimer.c:1537 [inline] __hrtimer_run_queues+0x4d7/0xb00 kernel/time/hrtimer.c:1601 hrtimer_run_softirq+0x176/0x340 kernel/time/hrtimer.c:1618 __do_softirq+0x29b/0x9bd kernel/softirq.c:558 run_ksoftirqd kernel/softirq.c:920 [inline] run_ksoftirqd+0x2d/0x60 kernel/softirq.c:912 smpboot_thread_fn+0x548/0x8c0 kernel/smpboot.c:164 kthread+0x38b/0x460 kernel/kthread.c:319 page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1355 [inline] free_pcp_prepare+0x2c5/0x780 mm/page_alloc.c:1406 free_unref_page_prepare mm/page_alloc.c:3341 [inline] free_unref_page+0x19/0x690 mm/page_alloc.c:3420 unfreeze_partials+0x17c/0x1d0 mm/slub.c:2432 put_cpu_partial+0x13d/0x230 mm/slub.c:2468 qlink_free mm/kasan/quarantine.c:146 [inline] qlist_free_all+0x5a/0xc0 mm/kasan/quarantine.c:165 kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:272 __kasan_slab_alloc+0x8e/0xa0 mm/kasan/common.c:444 kasan_slab_alloc include/linux/kasan.h:253 [inline] slab_post_alloc_hook mm/slab.h:512 [inline] slab_alloc_node mm/slub.c:2970 [inline] kmem_cache_alloc_node+0x266/0x3e0 mm/slub.c:3006 __alloc_skb+0x153/0x280 net/core/skbuff.c:414 alloc_skb include/linux/skbuff.h:1112 [inline] alloc_skb_with_frags+0x73/0x540 net/core/skbuff.c:6004 sock_alloc_send_pskb+0x636/0x7c0 net/core/sock.c:2400 j1939_sk_alloc_skb net/can/j1939/socket.c:861 [inline] j1939_sk_send_loop net/can/j1939/socket.c:1043 [inline] j1939_sk_sendmsg+0x5ac/0x10f0 net/can/j1939/socket.c:1178 sock_sendmsg_nosec net/socket.c:702 [inline] sock_sendmsg+0xab/0xe0 net/socket.c:722 sock_no_sendpage+0xe7/0x120 net/core/sock.c:2898 kernel_sendpage.part.0+0x11e/0x240 net/socket.c:3666 kernel_sendpage net/socket.c:3663 [inline] sock_sendpage+0xc7/0x1a0 net/socket.c:995 Memory state around the buggy address: ffff888028f20580: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc ffff888028f20600: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb >ffff888028f20680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888028f20700: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc ffff888028f20780: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================