bisecting cause commit starting from 6c09d7dbb7d366122d0218bc7487e0a1e6cca6ed building syzkaller on 4c04afaa19a16e90d8b495cc3795fd4ed21df4df testing commit 6c09d7dbb7d366122d0218bc7487e0a1e6cca6ed with gcc (GCC) 8.1.0 kernel signature: d10b21a1f12ebd43627882c0d33a8f19904879a6 all runs: crashed: WARNING: refcount bug in sk_alloc testing release v5.4 testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0 kernel signature: 929cffa7c5530db9de60bc3337501d51f1a5e95c run #0: crashed: WARNING in refcount_error_report run #1: crashed: WARNING in refcount_error_report run #2: crashed: WARNING in refcount_error_report run #3: crashed: WARNING in refcount_error_report run #4: crashed: WARNING in refcount_error_report run #5: crashed: WARNING in refcount_error_report run #6: crashed: WARNING in refcount_error_report run #7: crashed: BUG: corrupted list in cleanup_net run #8: crashed: BUG: corrupted list in cleanup_net run #9: crashed: WARNING in refcount_error_report testing release v5.3 testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.1.0 kernel signature: e3e00a71628f7afd376f7d84c05f054ff96996ec run #0: crashed: WARNING in refcount_error_report run #1: crashed: WARNING in refcount_error_report run #2: crashed: WARNING in xt_net_exit run #3: crashed: WARNING in refcount_error_report run #4: crashed: WARNING in refcount_error_report run #5: crashed: BUG: corrupted list in cleanup_net run #6: crashed: KASAN: use-after-free Read in cleanup_net run #7: crashed: BUG: corrupted list in cleanup_net run #8: crashed: BUG: corrupted list in cleanup_net run #9: crashed: KASAN: use-after-free Read in cleanup_net testing release v5.2 testing commit 0ecfebd2b52404ae0c54a878c872bb93363ada36 with gcc (GCC) 8.1.0 kernel signature: be4459b47e1d9fd3f7062f370ac25c71e0d1b42a run #0: crashed: WARNING in refcount_error_report run #1: crashed: WARNING in refcount_error_report run #2: crashed: WARNING in refcount_error_report run #3: crashed: WARNING in refcount_error_report run #4: crashed: BUG: corrupted list in cleanup_net run #5: crashed: KASAN: use-after-free Read in cleanup_net run #6: crashed: KASAN: use-after-free Read in cleanup_net run #7: crashed: KASAN: use-after-free Read in cleanup_net run #8: crashed: KASAN: use-after-free Read in cleanup_net run #9: crashed: WARNING in refcount_error_report testing release v5.1 testing commit e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd with gcc (GCC) 8.1.0 kernel signature: ac76d915ec9889bdd0037d2f3e2bd972fd7f2db7 run #0: crashed: BUG: corrupted list in cleanup_net run #1: crashed: WARNING in refcount_error_report run #2: crashed: WARNING in refcount_error_report run #3: crashed: WARNING in refcount_error_report run #4: crashed: WARNING in refcount_error_report run #5: crashed: BUG: corrupted list in cleanup_net run #6: crashed: KASAN: use-after-free Read in cleanup_net run #7: crashed: KASAN: use-after-free Read in cleanup_net run #8: crashed: KASAN: use-after-free Read in cleanup_net run #9: crashed: KASAN: use-after-free Read in cleanup_net testing release v5.0 testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783 with gcc (GCC) 8.1.0 kernel signature: 497c0fe93dd3dcf16b310980a91809a51a444efd all runs: OK # git bisect start e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd 1c163f4c7b3f621efff9b28a47abb36f7378d783 Bisecting: 7074 revisions left to test after this (roughly 13 steps) [b5dd0c658c31b469ccff1b637e5124851e7a4a1c] Merge branch 'akpm' (patches from Andrew) testing commit b5dd0c658c31b469ccff1b637e5124851e7a4a1c with gcc (GCC) 8.1.0 kernel signature: ce1c2cb77ddf7c59085e104f68594bc6c887ce0e run #0: crashed: WARNING in refcount_error_report run #1: crashed: WARNING in corrupted run #2: crashed: BUG: corrupted list in corrupted run #3: crashed: WARNING in corrupted run #4: crashed: WARNING in corrupted run #5: crashed: KASAN: use-after-free Read in cleanup_net run #6: crashed: KASAN: use-after-free Read in cleanup_net run #7: crashed: KASAN: use-after-free Read in cleanup_net run #8: crashed: KASAN: use-after-free Read in cleanup_net run #9: crashed: KASAN: use-after-free Read in cleanup_net # git bisect bad b5dd0c658c31b469ccff1b637e5124851e7a4a1c Bisecting: 3569 revisions left to test after this (roughly 12 steps) [3478588b5136966c80c571cf0006f08e9e5b8f04] Merge branch 'locking-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip testing commit 3478588b5136966c80c571cf0006f08e9e5b8f04 with gcc (GCC) 8.1.0 kernel signature: e65d9fd010399b810259e46a74c23afa953f85b5 all runs: basic kernel testing failed: timed out # git bisect skip 3478588b5136966c80c571cf0006f08e9e5b8f04 Bisecting: 3569 revisions left to test after this (roughly 12 steps) [747fc3f351baa061b41a1e2a81821bc963e4f794] net: hns3: some bugfix of ppu(rcb) ras errors testing commit 747fc3f351baa061b41a1e2a81821bc963e4f794 with gcc (GCC) 8.1.0 kernel signature: 544e9de1762c561c18f8d8bd45a8bb6116cb0f5e all runs: OK # git bisect good 747fc3f351baa061b41a1e2a81821bc963e4f794 Bisecting: 2642 revisions left to test after this (roughly 12 steps) [6ad63dec9c2c80710896edd1996e56c54a230870] Merge tag 'armsoc-dt' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc testing commit 6ad63dec9c2c80710896edd1996e56c54a230870 with gcc (GCC) 8.1.0 kernel signature: 26888d377b999d547079f8fd6db7dc58c45de1ba run #0: crashed: WARNING in corrupted run #1: crashed: WARNING in corrupted run #2: crashed: WARNING in corrupted run #3: crashed: WARNING in refcount_error_report run #4: crashed: BUG: corrupted list in cleanup_net run #5: crashed: KASAN: use-after-free Read in cleanup_net run #6: crashed: KASAN: use-after-free Read in cleanup_net run #7: crashed: KASAN: use-after-free Read in cleanup_net run #8: crashed: KASAN: use-after-free Read in cleanup_net run #9: crashed: KASAN: use-after-free Read in cleanup_net # git bisect bad 6ad63dec9c2c80710896edd1996e56c54a230870 Bisecting: 1507 revisions left to test after this (roughly 11 steps) [6456300356433873309a1cae6aa05e77d6b59153] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next testing commit 6456300356433873309a1cae6aa05e77d6b59153 with gcc (GCC) 8.1.0 kernel signature: 69066300a7af9fe207daf1c21ea73e71272b6117 run #0: crashed: WARNING in corrupted run #1: crashed: WARNING in ex_handler_refcount run #2: crashed: WARNING in refcount_error_report run #3: crashed: WARNING in corrupted run #4: crashed: KASAN: use-after-free Read in cleanup_net run #5: crashed: KASAN: use-after-free Read in corrupted run #6: crashed: KASAN: use-after-free Read in cleanup_net run #7: crashed: KASAN: use-after-free Read in corrupted run #8: crashed: KASAN: use-after-free Read in cleanup_net run #9: crashed: KASAN: use-after-free Read in cleanup_net # git bisect bad 6456300356433873309a1cae6aa05e77d6b59153 Bisecting: 704 revisions left to test after this (roughly 10 steps) [cf29576fee6016fa7004262cb98f57a2269178f1] Merge tag 'wireless-drivers-next-for-davem-2019-03-01' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers-next testing commit cf29576fee6016fa7004262cb98f57a2269178f1 with gcc (GCC) 8.1.0 kernel signature: 1dbb3361b7fe8037013ce54c52043670251b6a14 run #0: crashed: WARNING in corrupted run #1: crashed: WARNING in ex_handler_refcount run #2: crashed: WARNING in ex_handler_refcount run #3: crashed: WARNING in refcount_error_report run #4: crashed: WARNING in corrupted run #5: crashed: WARNING in corrupted run #6: crashed: WARNING in ex_handler_refcount run #7: crashed: KASAN: use-after-free Read in cleanup_net run #8: crashed: BUG: corrupted list in cleanup_net run #9: crashed: KASAN: use-after-free Read in corrupted # git bisect bad cf29576fee6016fa7004262cb98f57a2269178f1 Bisecting: 355 revisions left to test after this (roughly 9 steps) [f88d5d684c0289fc7970795848f2ed07ef0b1b57] Merge tag 'mlx5-updates-2019-02-21' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux testing commit f88d5d684c0289fc7970795848f2ed07ef0b1b57 with gcc (GCC) 8.1.0 kernel signature: 34dd47d629fc9ec80241e0e1dc540b0497835341 run #0: crashed: WARNING in corrupted run #1: crashed: WARNING in refcount_error_report run #2: crashed: WARNING in ex_handler_refcount run #3: crashed: WARNING in corrupted run #4: crashed: WARNING in ex_handler_refcount run #5: crashed: BUG: corrupted list in cleanup_net run #6: crashed: KASAN: use-after-free Read in corrupted run #7: crashed: KASAN: use-after-free Read in cleanup_net run #8: crashed: KASAN: use-after-free Read in cleanup_net run #9: crashed: KASAN: use-after-free Read in corrupted # git bisect bad f88d5d684c0289fc7970795848f2ed07ef0b1b57 Bisecting: 181 revisions left to test after this (roughly 8 steps) [a4176ec356c73a46c07c181c6d04039fafa34a9f] brcmfmac: add subtype check for event handling in data path testing commit a4176ec356c73a46c07c181c6d04039fafa34a9f with gcc (GCC) 8.1.0 kernel signature: ddd537bd769cc6c7c60a7fd102f4bf97bfb8b3ce all runs: basic kernel testing failed: timed out # git bisect skip a4176ec356c73a46c07c181c6d04039fafa34a9f Bisecting: 181 revisions left to test after this (roughly 8 steps) [1b64d58bd4cb60cd7b0251d8654e18e5b1539ef4] iwlwifi: dbg_ini: implement Tx fifos dump testing commit 1b64d58bd4cb60cd7b0251d8654e18e5b1539ef4 with gcc (GCC) 8.1.0 kernel signature: d81964e53fdab707a2a900f44cd3649e779b2e7a all runs: OK # git bisect good 1b64d58bd4cb60cd7b0251d8654e18e5b1539ef4 Bisecting: 50 revisions left to test after this (roughly 6 steps) [6c4128f658571b2dc7e01058ad09a8e947bc0159] rhashtable: Remove obsolete rhashtable_walk_init function testing commit 6c4128f658571b2dc7e01058ad09a8e947bc0159 with gcc (GCC) 8.1.0 kernel signature: 19a47596f1207f220ef550c5798cdb8e1ca7421b all runs: basic kernel testing failed: timed out # git bisect skip 6c4128f658571b2dc7e01058ad09a8e947bc0159 Bisecting: 50 revisions left to test after this (roughly 6 steps) [43f2ebd5571653f5a02c178d6d73ab642e8a0cad] net: phy: at803x: don't inline helpers testing commit 43f2ebd5571653f5a02c178d6d73ab642e8a0cad with gcc (GCC) 8.1.0 kernel signature: 33b50e1c1c1539f5702b92b4fbae4b10d7871625 run #0: crashed: WARNING in corrupted run #1: crashed: WARNING in ex_handler_refcount run #2: crashed: WARNING in ex_handler_refcount run #3: crashed: BUG: corrupted list in cleanup_net run #4: crashed: KASAN: use-after-free Read in cleanup_net run #5: crashed: BUG: corrupted list in cleanup_net run #6: crashed: KASAN: use-after-free Read in cleanup_net run #7: crashed: KASAN: use-after-free Read in cleanup_net run #8: crashed: KASAN: use-after-free Read in cleanup_net run #9: crashed: BUG: corrupted list in cleanup_net # git bisect bad 43f2ebd5571653f5a02c178d6d73ab642e8a0cad Bisecting: 33 revisions left to test after this (roughly 5 steps) [7976b1e9e3bfdd7ed1cfb21afc4a195655017f13] mac80211: ignore quiet mode in probe testing commit 7976b1e9e3bfdd7ed1cfb21afc4a195655017f13 with gcc (GCC) 8.1.0 kernel signature: b1b23b724cfec0f87a9c830e6d26f69aeee1482f all runs: OK # git bisect good 7976b1e9e3bfdd7ed1cfb21afc4a195655017f13 Bisecting: 14 revisions left to test after this (roughly 4 steps) [5328b633c9b3c3af38bec8cb70120658c0866e0a] Merge tag 'mac80211-next-for-davem-2019-02-22' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211-next testing commit 5328b633c9b3c3af38bec8cb70120658c0866e0a with gcc (GCC) 8.1.0 kernel signature: 0f9b6d3adad4c7c9f3c635c86526efdd134f930e all runs: OK # git bisect good 5328b633c9b3c3af38bec8cb70120658c0866e0a Bisecting: 7 revisions left to test after this (roughly 3 steps) [41f5f63cd17530d9eddaf99a71f5d069afd787d8] net/mlx5e: Trust kernel regarding transport offset testing commit 41f5f63cd17530d9eddaf99a71f5d069afd787d8 with gcc (GCC) 8.1.0 kernel signature: e887fedfd81ac324ac8b570642f7a0d218398673 all runs: OK # git bisect good 41f5f63cd17530d9eddaf99a71f5d069afd787d8 Bisecting: 3 revisions left to test after this (roughly 2 steps) [5c0c4c85463461a9ea0a69c4e80849a71c6b1e24] Merge tag 'iwlwifi-next-for-kalle-2019-02-20' of git://git.kernel.org/pub/scm/linux/kernel/git/iwlwifi/iwlwifi-next testing commit 5c0c4c85463461a9ea0a69c4e80849a71c6b1e24 with gcc (GCC) 8.1.0 kernel signature: f60e0b44ba1dba184a29340d181e666d87283624 all runs: OK # git bisect good 5c0c4c85463461a9ea0a69c4e80849a71c6b1e24 Bisecting: 1 revision left to test after this (roughly 1 step) [1a2566085650be593d464c4d73ac2d20ff67c058] Merge tag 'wireless-drivers-next-for-davem-2019-02-22' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers-next testing commit 1a2566085650be593d464c4d73ac2d20ff67c058 with gcc (GCC) 8.1.0 kernel signature: 6a00bf929e0c70a0012938cdd413a203c1a4fdfc all runs: OK # git bisect good 1a2566085650be593d464c4d73ac2d20ff67c058 Bisecting: 0 revisions left to test after this (roughly 0 steps) [14215108a1fd7e002c0a1f9faf8fbaf41fdda50d] net_sched: initialize net pointer inside tcf_exts_init() testing commit 14215108a1fd7e002c0a1f9faf8fbaf41fdda50d with gcc (GCC) 8.1.0 kernel signature: b8aba47883676694a97051b8476aa7a6af8c34ca run #0: crashed: WARNING in corrupted run #1: crashed: WARNING in corrupted run #2: crashed: WARNING in corrupted run #3: crashed: WARNING in refcount_error_report run #4: crashed: WARNING in corrupted run #5: crashed: WARNING in ex_handler_refcount run #6: crashed: BUG: corrupted list in cleanup_net run #7: crashed: KASAN: use-after-free Read in cleanup_net run #8: crashed: KASAN: use-after-free Read in cleanup_net run #9: crashed: KASAN: use-after-free Read in cleanup_net # git bisect bad 14215108a1fd7e002c0a1f9faf8fbaf41fdda50d 14215108a1fd7e002c0a1f9faf8fbaf41fdda50d is the first bad commit commit 14215108a1fd7e002c0a1f9faf8fbaf41fdda50d Author: Cong Wang Date: Wed Feb 20 21:37:42 2019 -0800 net_sched: initialize net pointer inside tcf_exts_init() For tcindex filter, it is too late to initialize the net pointer in tcf_exts_validate(), as tcf_exts_get_net() requires a non-NULL net pointer. We can just move its initialization into tcf_exts_init(), which just requires an additional parameter. This makes the code in tcindex_alloc_perfect_hash() prettier. Cc: Jamal Hadi Salim Cc: Jiri Pirko Signed-off-by: Cong Wang Signed-off-by: David S. Miller include/net/pkt_cls.h | 5 +++-- net/sched/cls_api.c | 1 - net/sched/cls_basic.c | 2 +- net/sched/cls_bpf.c | 2 +- net/sched/cls_cgroup.c | 2 +- net/sched/cls_flow.c | 2 +- net/sched/cls_flower.c | 2 +- net/sched/cls_fw.c | 5 +++-- net/sched/cls_matchall.c | 2 +- net/sched/cls_route.c | 2 +- net/sched/cls_rsvp.h | 7 ++++--- net/sched/cls_tcindex.c | 19 +++++++++---------- net/sched/cls_u32.c | 8 ++++---- 13 files changed, 30 insertions(+), 29 deletions(-) culprit signature: b8aba47883676694a97051b8476aa7a6af8c34ca parent signature: 6a00bf929e0c70a0012938cdd413a203c1a4fdfc revisions tested: 23, total time: 4h57m23.235135952s (build: 2h18m55.550950819s, test: 2h36m41.389328425s) first bad commit: 14215108a1fd7e002c0a1f9faf8fbaf41fdda50d net_sched: initialize net pointer inside tcf_exts_init() cc: ["ast@kernel.org" "bpf@vger.kernel.org" "daniel@iogearbox.net" "davem@davemloft.net" "jhs@mojatatu.com" "jiri@resnulli.us" "kafai@fb.com" "linux-kernel@vger.kernel.org" "netdev@vger.kernel.org" "songliubraving@fb.com" "xiyou.wangcong@gmail.com" "yhs@fb.com"] crash: KASAN: use-after-free Read in cleanup_net RDX: 0492492492492642 RSI: 0000000020000180 RDI: 0000000000000007 RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007fabb720c6d4 R13: 00000000004c9b18 R14: 00000000004e2b10 R15: 0000000000000008 ================================================================== BUG: KASAN: use-after-free in __list_del_entry_valid+0xd0/0xf3 lib/list_debug.c:42 Read of size 8 at addr ffff8880873c8210 by task kworker/u4:1/21 CPU: 0 PID: 21 Comm: kworker/u4:1 Not tainted 5.0.0-rc7-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: netns cleanup_net Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x113/0x167 lib/dump_stack.c:113 print_address_description.cold.5+0x9/0x1ff mm/kasan/report.c:187 kasan_report.cold.6+0x1b/0x39 mm/kasan/report.c:317 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135 __list_del_entry_valid+0xd0/0xf3 lib/list_debug.c:42 __list_del_entry include/linux/list.h:117 [inline] list_del_rcu include/linux/rculist.h:130 [inline] cleanup_net+0xd9/0x840 net/core/net_namespace.c:523 process_one_work+0x830/0x16a0 kernel/workqueue.c:2173 worker_thread+0x85/0xb60 kernel/workqueue.c:2319 kthread+0x324/0x3e0 kernel/kthread.c:246 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 Allocated by task 7194: save_stack+0x43/0xd0 mm/kasan/common.c:73 set_track mm/kasan/common.c:85 [inline] __kasan_kmalloc.constprop.13+0xcb/0xd0 mm/kasan/common.c:496 kasan_kmalloc mm/kasan/common.c:504 [inline] kasan_slab_alloc+0x12/0x20 mm/kasan/common.c:411 kmem_cache_alloc+0x130/0x730 mm/slab.c:3543 kmem_cache_zalloc include/linux/slab.h:730 [inline] net_alloc net/core/net_namespace.c:384 [inline] copy_net_ns+0xc6/0x2a0 net/core/net_namespace.c:424 create_new_namespaces+0x483/0x750 kernel/nsproxy.c:107 unshare_nsproxy_namespaces+0x87/0x1a0 kernel/nsproxy.c:206 ksys_unshare+0x31b/0x710 kernel/fork.c:2550 __do_sys_unshare kernel/fork.c:2618 [inline] __se_sys_unshare kernel/fork.c:2616 [inline] __x64_sys_unshare+0x2c/0x40 kernel/fork.c:2616 do_syscall_64+0xd0/0x4d0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 21: save_stack+0x43/0xd0 mm/kasan/common.c:73 set_track mm/kasan/common.c:85 [inline] __kasan_slab_free+0x102/0x150 mm/kasan/common.c:458 kasan_slab_free+0xe/0x10 mm/kasan/common.c:466 __cache_free mm/slab.c:3487 [inline] kmem_cache_free+0x83/0x290 mm/slab.c:3749 net_free net/core/net_namespace.c:400 [inline] net_drop_ns+0x54/0x60 net/core/net_namespace.c:407 cleanup_net+0x550/0x840 net/core/net_namespace.c:569 process_one_work+0x830/0x16a0 kernel/workqueue.c:2173 worker_thread+0x85/0xb60 kernel/workqueue.c:2319 kthread+0x324/0x3e0 kernel/kthread.c:246 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 The buggy address belongs to the object at ffff8880873c81c0 which belongs to the cache net_namespace of size 8512 The buggy address is located 80 bytes inside of 8512-byte region [ffff8880873c81c0, ffff8880873ca300) The buggy address belongs to the page: page:ffffea00021cf200 count:1 mapcount:0 mapping:ffff88821b71c0c0 index:0x0 compound_mapcount: 0 flags: 0xfffe0000010200(slab|head) raw: 00fffe0000010200 ffffea00023a0008 ffffea000254a908 ffff88821b71c0c0 raw: 0000000000000000 ffff8880873c81c0 0000000100000001 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880873c8100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8880873c8180: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb >ffff8880873c8200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8880873c8280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880873c8300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================