bisecting cause commit starting from 37ecb5b8b8cd3156e739fd1c56a8e3842b72ebad building syzkaller on a4d01b8075bac9c99ca96de1be1975329af85157 testing commit 37ecb5b8b8cd3156e739fd1c56a8e3842b72ebad with gcc (GCC) 8.1.0 kernel signature: ebbbb025250ce70d4709439d4dedf6c318714b34d5a1a01e347d2a3b04483896 run #0: crashed: KASAN: slab-out-of-bounds Read in inet_diag_bc_sk run #1: crashed: KASAN: use-after-free Read in inet_diag_bc_sk run #2: crashed: KASAN: slab-out-of-bounds Read in inet_diag_bc_sk run #3: crashed: KASAN: use-after-free Read in inet_diag_bc_sk run #4: crashed: KASAN: slab-out-of-bounds Read in inet_diag_bc_sk run #5: crashed: KASAN: use-after-free Read in inet_diag_bc_sk run #6: crashed: KASAN: slab-out-of-bounds Read in inet_diag_bc_sk run #7: crashed: general protection fault in inet_diag_bc_sk run #8: crashed: KASAN: use-after-free Read in inet_diag_bc_sk run #9: crashed: general protection fault in inet_diag_bc_sk testing release v5.6 testing commit 7111951b8d4973bda27ff663f2cf18b663d15b48 with gcc (GCC) 8.1.0 kernel signature: 2dfd2e549520c8f5200bacffecbb8db44d41ec061c51a45fa5b09badd44b7e92 run #0: OK run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: boot failed: can't ssh into the instance # git bisect start 37ecb5b8b8cd3156e739fd1c56a8e3842b72ebad 7111951b8d4973bda27ff663f2cf18b663d15b48 Bisecting: 6698 revisions left to test after this (roughly 13 steps) [f365ab31efacb70bed1e821f7435626e0b2528a6] Merge tag 'drm-next-2020-04-01' of git://anongit.freedesktop.org/drm/drm testing commit f365ab31efacb70bed1e821f7435626e0b2528a6 with gcc (GCC) 8.1.0 kernel signature: e34f3ccecb5ac4b104627df0c2c9989895abaf3fbd8ad9ca95db4e287f18bcb7 all runs: OK # git bisect good f365ab31efacb70bed1e821f7435626e0b2528a6 Bisecting: 3348 revisions left to test after this (roughly 12 steps) [828907ef25e0133f50c346ef5a3c79a707a9b100] Merge tag 'gpio-v5.7-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio testing commit 828907ef25e0133f50c346ef5a3c79a707a9b100 with gcc (GCC) 8.1.0 kernel signature: 497b7ed9fd91e66ccaa5b358082a70385f294b572bbe03c0ce3992630d1a2390 all runs: OK # git bisect good 828907ef25e0133f50c346ef5a3c79a707a9b100 Bisecting: 1669 revisions left to test after this (roughly 11 steps) [172edde9604941f61d75bb3b4f88068204f8c086] Merge tag 'io_uring-5.7-2020-04-09' of git://git.kernel.dk/linux-block testing commit 172edde9604941f61d75bb3b4f88068204f8c086 with gcc (GCC) 8.1.0 kernel signature: 0117bb8e92e2d97b2619a5ba6552e8727f2c6c66c7a8f4e414de817dc498ec23 all runs: OK # git bisect good 172edde9604941f61d75bb3b4f88068204f8c086 Bisecting: 835 revisions left to test after this (roughly 10 steps) [7adc4b399952f439cfd43ee041ec9451ad9f567f] Merge tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc testing commit 7adc4b399952f439cfd43ee041ec9451ad9f567f with gcc (GCC) 8.1.0 kernel signature: e582e74a6637ce265b54e59bee5be15fce6de02b2cef7b3eab393ce92c8ad4ec all runs: OK # git bisect good 7adc4b399952f439cfd43ee041ec9451ad9f567f Bisecting: 345 revisions left to test after this (roughly 9 steps) [d483389678f9e03d53f226641ea39679debcbc81] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net testing commit d483389678f9e03d53f226641ea39679debcbc81 with gcc (GCC) 8.1.0 kernel signature: dda32a638f943579a06cae1e4b2c72fe3a05428b3bf62ce2da5fd99beb5402f4 all runs: OK # git bisect good d483389678f9e03d53f226641ea39679debcbc81 Bisecting: 172 revisions left to test after this (roughly 8 steps) [3bc67e098c3e215f6e09ba3c0e1f569e7ae020d0] net/smc: adapt SMC remote CONFIRM_RKEY processing to use the LLC flow testing commit 3bc67e098c3e215f6e09ba3c0e1f569e7ae020d0 with gcc (GCC) 8.1.0 kernel signature: e91430d0659e21c6a413f77b0fb249d0405645c91a7fb6be10f8422985e093b5 all runs: OK # git bisect good 3bc67e098c3e215f6e09ba3c0e1f569e7ae020d0 Bisecting: 108 revisions left to test after this (roughly 7 steps) [ec9cdca0663a543ede2072ff091beec1787e3374] net/mlx5e: Unify reserving space for WQEs testing commit ec9cdca0663a543ede2072ff091beec1787e3374 with gcc (GCC) 8.1.0 kernel signature: 1981da3e9def24a727bbcf894b4caf8c3baafc9447c6a023b478d6bfc8b449b2 all runs: OK # git bisect good ec9cdca0663a543ede2072ff091beec1787e3374 Bisecting: 54 revisions left to test after this (roughly 6 steps) [466010342e89240c45746f65767c7290b96a4b36] mlxsw: spectrum_span: Add APIs to get / put a SPAN agent testing commit 466010342e89240c45746f65767c7290b96a4b36 with gcc (GCC) 8.1.0 kernel signature: 61065e68705a7032f5250e2f959c45a4612cfc08d32676be6226c0515fac472c run #0: crashed: KASAN: use-after-free Read in inet_diag_bc_sk run #1: crashed: general protection fault in inet_diag_bc_sk run #2: crashed: KASAN: slab-out-of-bounds Read in inet_diag_bc_sk run #3: crashed: KASAN: use-after-free Read in inet_diag_bc_sk run #4: crashed: general protection fault in inet_diag_bc_sk run #5: crashed: KASAN: slab-out-of-bounds Read in inet_diag_bc_sk run #6: crashed: KASAN: slab-out-of-bounds Read in inet_diag_bc_sk run #7: crashed: general protection fault in inet_diag_bc_sk run #8: crashed: KASAN: use-after-free Read in inet_diag_bc_sk run #9: crashed: KASAN: slab-out-of-bounds Read in inet_diag_bc_sk # git bisect bad 466010342e89240c45746f65767c7290b96a4b36 Bisecting: 26 revisions left to test after this (roughly 5 steps) [13df433f8c1333cd0f60e5e1878380a37576118a] docs: networking: convert nf_conntrack-sysctl.txt to ReST testing commit 13df433f8c1333cd0f60e5e1878380a37576118a with gcc (GCC) 8.1.0 kernel signature: c850b2aa896784ce946046f5862fb8899cb5c5486a5aaf12a0e2ce5121737b4a run #0: crashed: KASAN: slab-out-of-bounds Read in inet_diag_bc_sk run #1: crashed: general protection fault in inet_diag_bc_sk run #2: crashed: KASAN: slab-out-of-bounds Read in inet_diag_bc_sk run #3: crashed: KASAN: use-after-free Read in inet_diag_bc_sk run #4: crashed: KASAN: use-after-free Read in inet_diag_bc_sk run #5: crashed: general protection fault in inet_diag_bc_sk run #6: crashed: KASAN: use-after-free Read in inet_diag_bc_sk run #7: crashed: KASAN: use-after-free Read in inet_diag_bc_sk run #8: crashed: general protection fault in inet_diag_bc_sk run #9: crashed: KASAN: use-after-free Read in inet_diag_bc_sk # git bisect bad 13df433f8c1333cd0f60e5e1878380a37576118a Bisecting: 13 revisions left to test after this (roughly 4 steps) [6e3a401fc8af01828bcdc92d713195d318b36e7e] inet_diag: add cgroup id attribute testing commit 6e3a401fc8af01828bcdc92d713195d318b36e7e with gcc (GCC) 8.1.0 kernel signature: 739b2e2eee39449df06f72a8d73b6760add38ece376b0957aaa196f36570166a all runs: OK # git bisect good 6e3a401fc8af01828bcdc92d713195d318b36e7e Bisecting: 6 revisions left to test after this (roughly 3 steps) [e14fd64dcda5668c5dd5e59421fc5c61ce6d5951] docs: networking: convert mpls-sysctl.txt to ReST testing commit e14fd64dcda5668c5dd5e59421fc5c61ce6d5951 with gcc (GCC) 8.1.0 kernel signature: b00e85fdc96f89b6213a2b885172f9c4ad7c19af5c0b36b875bd6e6874084e69 run #0: crashed: KASAN: use-after-free Read in inet_diag_bc_sk run #1: crashed: KASAN: slab-out-of-bounds Read in inet_diag_bc_sk run #2: crashed: KASAN: slab-out-of-bounds Read in inet_diag_bc_sk run #3: crashed: KASAN: use-after-free Read in inet_diag_bc_sk run #4: crashed: KASAN: use-after-free Read in inet_diag_bc_sk run #5: crashed: KASAN: slab-out-of-bounds Read in inet_diag_bc_sk run #6: crashed: KASAN: use-after-free Read in inet_diag_bc_sk run #7: crashed: KASAN: use-after-free Read in inet_diag_bc_sk run #8: crashed: general protection fault in inet_diag_bc_sk run #9: crashed: KASAN: slab-out-of-bounds Read in inet_diag_bc_sk # git bisect bad e14fd64dcda5668c5dd5e59421fc5c61ce6d5951 Bisecting: 3 revisions left to test after this (roughly 2 steps) [10ebb22137acd97083cb52d8664cdff269e8a629] docs: networking: convert l2tp.txt to ReST testing commit 10ebb22137acd97083cb52d8664cdff269e8a629 with gcc (GCC) 8.1.0 kernel signature: 084a5faaa0bd4dc32ffb7314e00271b30df178218f1f1b7a584e794b561d9bf5 run #0: crashed: KASAN: use-after-free Read in inet_diag_bc_sk run #1: crashed: KASAN: use-after-free Read in inet_diag_bc_sk run #2: crashed: KASAN: slab-out-of-bounds Read in inet_diag_bc_sk run #3: crashed: KASAN: use-after-free Read in inet_diag_bc_sk run #4: crashed: KASAN: use-after-free Read in inet_diag_bc_sk run #5: crashed: KASAN: slab-out-of-bounds Read in inet_diag_bc_sk run #6: crashed: KASAN: use-after-free Read in inet_diag_bc_sk run #7: crashed: KASAN: slab-out-of-bounds Read in inet_diag_bc_sk run #8: crashed: KASAN: use-after-free Read in inet_diag_bc_sk run #9: crashed: KASAN: use-after-free Read in inet_diag_bc_sk # git bisect bad 10ebb22137acd97083cb52d8664cdff269e8a629 Bisecting: 0 revisions left to test after this (roughly 1 step) [9f04960660bf5468caaf9da2752f6f35020e4679] Merge branch 'inet_diag-add-cgroup-attribute-and-filter' testing commit 9f04960660bf5468caaf9da2752f6f35020e4679 with gcc (GCC) 8.1.0 kernel signature: 2e218e9aef08bbda4d9f635eabf87523c3aade588ee83c1c05270084278c7c77 run #0: crashed: general protection fault in inet_diag_bc_sk run #1: crashed: KASAN: slab-out-of-bounds Read in inet_diag_bc_sk run #2: crashed: KASAN: use-after-free Read in inet_diag_bc_sk run #3: crashed: KASAN: use-after-free Read in inet_diag_bc_sk run #4: crashed: KASAN: slab-out-of-bounds Read in inet_diag_bc_sk run #5: crashed: KASAN: slab-out-of-bounds Read in inet_diag_bc_sk run #6: crashed: KASAN: slab-out-of-bounds Read in inet_diag_bc_sk run #7: crashed: KASAN: slab-out-of-bounds Read in inet_diag_bc_sk run #8: crashed: KASAN: use-after-free Read in inet_diag_bc_sk run #9: crashed: KASAN: use-after-free Read in inet_diag_bc_sk # git bisect bad 9f04960660bf5468caaf9da2752f6f35020e4679 Bisecting: 0 revisions left to test after this (roughly 0 steps) [b1f3e43dbfacfcd95296b0f80f84b186add9ef54] inet_diag: add support for cgroup filter testing commit b1f3e43dbfacfcd95296b0f80f84b186add9ef54 with gcc (GCC) 8.1.0 kernel signature: 2095bbc113ef91427d01371a55f2fa0769be8e196972b200e4350ca9e448cfaa run #0: crashed: KASAN: use-after-free Read in inet_diag_bc_sk run #1: crashed: KASAN: use-after-free Read in inet_diag_bc_sk run #2: crashed: KASAN: use-after-free Read in inet_diag_bc_sk run #3: crashed: KASAN: slab-out-of-bounds Read in inet_diag_bc_sk run #4: crashed: KASAN: use-after-free Read in inet_diag_bc_sk run #5: crashed: KASAN: use-after-free Read in inet_diag_bc_sk run #6: crashed: KASAN: use-after-free Read in inet_diag_bc_sk run #7: crashed: KASAN: slab-out-of-bounds Read in inet_diag_bc_sk run #8: crashed: KASAN: use-after-free Read in inet_diag_bc_sk run #9: crashed: KASAN: use-after-free Read in inet_diag_bc_sk # git bisect bad b1f3e43dbfacfcd95296b0f80f84b186add9ef54 b1f3e43dbfacfcd95296b0f80f84b186add9ef54 is the first bad commit commit b1f3e43dbfacfcd95296b0f80f84b186add9ef54 Author: Dmitry Yakunin Date: Thu Apr 30 18:51:15 2020 +0300 inet_diag: add support for cgroup filter This patch adds ability to filter sockets based on cgroup v2 ID. Such filter is helpful in ss utility for filtering sockets by cgroup pathname. Signed-off-by: Dmitry Yakunin Reviewed-by: Konstantin Khlebnikov Signed-off-by: David S. Miller include/uapi/linux/inet_diag.h | 1 + net/ipv4/inet_diag.c | 31 +++++++++++++++++++++++++++++++ 2 files changed, 32 insertions(+) culprit signature: 2095bbc113ef91427d01371a55f2fa0769be8e196972b200e4350ca9e448cfaa parent signature: 739b2e2eee39449df06f72a8d73b6760add38ece376b0957aaa196f36570166a revisions tested: 16, total time: 3h29m53.54729615s (build: 1h32m35.907799714s, test: 1h56m9.084181979s) first bad commit: b1f3e43dbfacfcd95296b0f80f84b186add9ef54 inet_diag: add support for cgroup filter cc: ["davem@davemloft.net" "khlebnikov@yandex-team.ru" "zeil@yandex-team.ru"] crash: KASAN: use-after-free Read in inet_diag_bc_sk ================================================================== BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:199 [inline] BUG: KASAN: use-after-free in sock_cgroup_ptr include/linux/cgroup.h:836 [inline] BUG: KASAN: use-after-free in inet_diag_bc_sk+0xa5a/0xfa0 net/ipv4/inet_diag.c:749 Read of size 8 at addr ffff8880a40b9260 by task syz-executor.3/8419 CPU: 0 PID: 8419 Comm: syz-executor.3 Not tainted 5.7.0-rc2-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x128/0x182 lib/dump_stack.c:118 print_address_description.constprop.8.cold.10+0x9/0x317 mm/kasan/report.c:382 __kasan_report.cold.11+0x35/0x4d mm/kasan/report.c:511 kasan_report+0x32/0x50 mm/kasan/common.c:625 __read_once_size include/linux/compiler.h:199 [inline] sock_cgroup_ptr include/linux/cgroup.h:836 [inline] inet_diag_bc_sk+0xa5a/0xfa0 net/ipv4/inet_diag.c:749 inet_diag_dump_icsk+0x98c/0xf30 net/ipv4/inet_diag.c:1061 __inet_diag_dump+0xf7/0x1b0 net/ipv4/inet_diag.c:1113 netlink_dump+0x481/0xf50 net/netlink/af_netlink.c:2245 __netlink_dump_start+0x567/0x820 net/netlink/af_netlink.c:2353 netlink_dump_start include/linux/netlink.h:246 [inline] inet_diag_handler_cmd+0x1fe/0x280 net/ipv4/inet_diag.c:1278 __sock_diag_cmd net/core/sock_diag.c:233 [inline] sock_diag_rcv_msg+0x282/0x370 net/core/sock_diag.c:264 netlink_rcv_skb+0x119/0x340 net/netlink/af_netlink.c:2469 sock_diag_rcv+0x21/0x30 net/core/sock_diag.c:275 netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline] netlink_unicast+0x434/0x630 net/netlink/af_netlink.c:1329 netlink_sendmsg+0x714/0xc60 net/netlink/af_netlink.c:1918 sock_sendmsg_nosec net/socket.c:652 [inline] sock_sendmsg+0xac/0xe0 net/socket.c:672 sock_write_iter+0x218/0x380 net/socket.c:1004 call_write_iter include/linux/fs.h:1907 [inline] do_iter_readv_writev+0x4f1/0x7c0 fs/read_write.c:694 do_iter_write+0x129/0x540 fs/read_write.c:999 vfs_writev+0x16d/0x2d0 fs/read_write.c:1072 do_writev+0x214/0x280 fs/read_write.c:1115 do_syscall_64+0xc6/0x620 arch/x86/entry/common.c:295 entry_SYSCALL_64_after_hwframe+0x49/0xb3 RIP: 0033:0x45c829 Code: 0d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007fcea4a7cc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000014 RAX: ffffffffffffffda RBX: 000000000050d140 RCX: 000000000045c829 RDX: 0000000000000001 RSI: 0000000020000140 RDI: 0000000000000005 RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff R13: 0000000000000d18 R14: 00000000004cb1f4 R15: 00007fcea4a7d6d4 The buggy address belongs to the page: page:ffffea0002902e40 refcount:0 mapcount:0 mapping:00000000e34ef6da index:0x0 flags: 0xfffe0000000000() raw: 00fffe0000000000 ffffea0002915208 ffff8880ae83b138 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880a40b9100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8880a40b9180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff8880a40b9200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff8880a40b9280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8880a40b9300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ==================================================================