bisecting fixing commit since 43598c571e7ed29e4c81e35b4a870fe6b9f8d58e
building syzkaller on 598ca6c8b8766304c3b2865e38f5f301c39bd299
testing commit 43598c571e7ed29e4c81e35b4a870fe6b9f8d58e with gcc (GCC) 8.1.0
kernel signature: 0d6e318b6cdac12853f21753fc91e3732c317ff4
all runs: crashed: KASAN: use-after-free Read in slip_open
testing current HEAD e1f7d50ae3a3ec342e87a9b1ce6787bfb8b3c08b
testing commit e1f7d50ae3a3ec342e87a9b1ce6787bfb8b3c08b with gcc (GCC) 8.1.0
kernel signature: e4101203c200c28ce2c54dea53ee110227ad5dc6
all runs: OK
# git bisect start e1f7d50ae3a3ec342e87a9b1ce6787bfb8b3c08b 43598c571e7ed29e4c81e35b4a870fe6b9f8d58e
Bisecting: 363 revisions left to test after this (roughly 9 steps)
[a3a967f00a54885eaea6034c8a3c538f65a0b9e7] staging: rtl8192e: fix potential use after free
testing commit a3a967f00a54885eaea6034c8a3c538f65a0b9e7 with gcc (GCC) 8.1.0
kernel signature: 4ce8ec9ae99d6016cd305ece0f67dcfac075a1fc
all runs: crashed: KASAN: use-after-free Read in slip_open
# git bisect good a3a967f00a54885eaea6034c8a3c538f65a0b9e7
Bisecting: 181 revisions left to test after this (roughly 8 steps)
[60c5e0c603dd8edd1b571ae322edf2a0c0f47fc0] coresight: etm4x: Fix input validation for sysfs.
testing commit 60c5e0c603dd8edd1b571ae322edf2a0c0f47fc0 with gcc (GCC) 8.1.0
kernel signature: 7d1a44373f8db48770c4f9346dbb6d4c97d9bb30
all runs: OK
# git bisect bad 60c5e0c603dd8edd1b571ae322edf2a0c0f47fc0
Bisecting: 90 revisions left to test after this (roughly 7 steps)
[08d28c1840082f88efe7fbe5ace5d5ae4f8a3305] net: dsa: mv88e6xxx: Work around mv886e6161 SERDES missing MII_PHYSID2
testing commit 08d28c1840082f88efe7fbe5ace5d5ae4f8a3305 with gcc (GCC) 8.1.0
kernel signature: 6675dd6df481c004546708ba156dacc305b5b143
all runs: OK
# git bisect bad 08d28c1840082f88efe7fbe5ace5d5ae4f8a3305
Bisecting: 45 revisions left to test after this (roughly 6 steps)
[c319da0690bf14bd2b8da37e59dbe9f32e5f97ac] pinctrl: stm32: fix memory leak issue
testing commit c319da0690bf14bd2b8da37e59dbe9f32e5f97ac with gcc (GCC) 8.1.0
kernel signature: 1070839be53f2b45ad19fea1741c974a4f15f8bc
all runs: OK
# git bisect bad c319da0690bf14bd2b8da37e59dbe9f32e5f97ac
Bisecting: 22 revisions left to test after this (roughly 5 steps)
[1e23d6338d76bb24a4a02210db17e805de3b8974] net: macb: Fix SUBNS increment and increase resolution
testing commit 1e23d6338d76bb24a4a02210db17e805de3b8974 with gcc (GCC) 8.1.0
kernel signature: 92c2c195a7edfb1dad12174476dfd38fb6a72d2b
all runs: OK
# git bisect bad 1e23d6338d76bb24a4a02210db17e805de3b8974
Bisecting: 10 revisions left to test after this (roughly 4 steps)
[e854565dbbd3b65f3a7c5f10c3434634e523e66a] macvlan: schedule bc_work even if error
testing commit e854565dbbd3b65f3a7c5f10c3434634e523e66a with gcc (GCC) 8.1.0
kernel signature: e012469abfc0f3d4b889971a9b370d1938bac56e
all runs: crashed: KASAN: use-after-free Read in slip_open
# git bisect good e854565dbbd3b65f3a7c5f10c3434634e523e66a
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[796c569498e1ce5159f070c142ba1bfebd33cc18] openvswitch: remove another BUG_ON()
testing commit 796c569498e1ce5159f070c142ba1bfebd33cc18 with gcc (GCC) 8.1.0
kernel signature: e7d46d04f0cfe4abbafa53e879f5c7fc6500e989
all runs: OK
# git bisect bad 796c569498e1ce5159f070c142ba1bfebd33cc18
Bisecting: 2 revisions left to test after this (roughly 1 step)
[0e32df103ca66a9efce43c6100bb0f8d973f24b6] openvswitch: fix flow command message size
testing commit 0e32df103ca66a9efce43c6100bb0f8d973f24b6 with gcc (GCC) 8.1.0
kernel signature: 98b0d53e882b1d6b23b4f71201c51a371a44507e
all runs: crashed: KASAN: use-after-free Read in slip_open
# git bisect good 0e32df103ca66a9efce43c6100bb0f8d973f24b6
Bisecting: 0 revisions left to test after this (roughly 1 step)
[2356f0b95fc04f37a028e4f67ef7812aacd2e30c] openvswitch: drop unneeded BUG_ON() in ovs_flow_cmd_build_info()
testing commit 2356f0b95fc04f37a028e4f67ef7812aacd2e30c with gcc (GCC) 8.1.0
kernel signature: 805f31fae9ce98f3cb5d9feb506b32320db10dbe
all runs: OK
# git bisect bad 2356f0b95fc04f37a028e4f67ef7812aacd2e30c
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[f5bcc687e3d699bc4949bf37ef5f77fa50269f8c] slip: Fix use-after-free Read in slip_open
testing commit f5bcc687e3d699bc4949bf37ef5f77fa50269f8c with gcc (GCC) 8.1.0
kernel signature: ad7364b4b6051695a7e90f1a77dca2460ca8b3ad
all runs: OK
# git bisect bad f5bcc687e3d699bc4949bf37ef5f77fa50269f8c
f5bcc687e3d699bc4949bf37ef5f77fa50269f8c is the first bad commit
commit f5bcc687e3d699bc4949bf37ef5f77fa50269f8c
Author: Jouni Hogander
Date:   Mon Nov 25 14:23:43 2019 +0200

    slip: Fix use-after-free Read in slip_open

    [ Upstream commit e58c1912418980f57ba2060017583067f5f71e52 ]

    Slip_open doesn't clean-up device which registration failed from the
    slip_devs device list. On next open after failure this list is iterated
    and freed device is accessed. Fix this by calling sl_free_netdev in error
    path.

    Here is the trace from the Syzbot:

    __dump_stack lib/dump_stack.c:77 [inline]
    dump_stack+0x197/0x210 lib/dump_stack.c:118
    print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
    __kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
    kasan_report+0x12/0x20 mm/kasan/common.c:634
    __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
    sl_sync drivers/net/slip/slip.c:725 [inline]
    slip_open+0xecd/0x11b7 drivers/net/slip/slip.c:801
    tty_ldisc_open.isra.0+0xa3/0x110 drivers/tty/tty_ldisc.c:469
    tty_set_ldisc+0x30e/0x6b0 drivers/tty/tty_ldisc.c:596
    tiocsetd drivers/tty/tty_io.c:2334 [inline]
    tty_ioctl+0xe8d/0x14f0 drivers/tty/tty_io.c:2594
    vfs_ioctl fs/ioctl.c:46 [inline]
    file_ioctl fs/ioctl.c:509 [inline]
    do_vfs_ioctl+0xdb6/0x13e0 fs/ioctl.c:696
    ksys_ioctl+0xab/0xd0 fs/ioctl.c:713
    __do_sys_ioctl fs/ioctl.c:720 [inline]
    __se_sys_ioctl fs/ioctl.c:718 [inline]
    __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
    do_syscall_64+0xfa/0x760 arch/x86/entry/common.c:290
    entry_SYSCALL_64_after_hwframe+0x49/0xbe

    Fixes: 3b5a39979daf ("slip: Fix memory leak in slip_open error path")
    Reported-by: syzbot+4d5170758f3762109542@syzkaller.appspotmail.com
    Cc: David Miller
    Cc: Oliver Hartkopp
    Cc: Lukas Bulwahn
    Signed-off-by: Jouni Hogander
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

 drivers/net/slip/slip.c | 1 +
 1 file changed, 1 insertion(+)

culprit signature: ad7364b4b6051695a7e90f1a77dca2460ca8b3ad
parent signature: 98b0d53e882b1d6b23b4f71201c51a371a44507e
revisions tested: 12, total time: 3h21m37.967501182s (build: 1h40m8.147820843s, test: 1h40m12.794945607s)
first good commit: f5bcc687e3d699bc4949bf37ef5f77fa50269f8c slip: Fix use-after-free Read in slip_open
cc: ["davem@davemloft.net" "gregkh@linuxfoundation.org" "jouni.hogander@unikie.com"]