bisecting cause commit starting from 5591cf003452dc3cb5047dc774151ff36c8d9cf7 building syzkaller on dc438b91deb00a8ad5634a9c55903e0b1a537c61 testing commit 5591cf003452dc3cb5047dc774151ff36c8d9cf7 with gcc (GCC) 8.1.0 all runs: crashed: KASAN: use-after-free Read in j1939_sk_recv testing release v5.3 testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.1.0 all runs: OK # git bisect start 5591cf003452dc3cb5047dc774151ff36c8d9cf7 4d856f72c10ecb060868ed10ff1b1453943fc6c8 Bisecting: 12638 revisions left to test after this (roughly 14 steps) [a7b7b772bb4abaa4b2d9df67b50bf7208203da82] Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip testing commit a7b7b772bb4abaa4b2d9df67b50bf7208203da82 with gcc (GCC) 8.1.0 all runs: crashed: KASAN: use-after-free Read in j1939_sk_recv # git bisect bad a7b7b772bb4abaa4b2d9df67b50bf7208203da82 Bisecting: 5303 revisions left to test after this (roughly 13 steps) [81160dda9a7aad13c04e78bb2cfd3c4630e3afab] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next testing commit 81160dda9a7aad13c04e78bb2cfd3c4630e3afab with gcc (GCC) 8.1.0 all runs: crashed: KASAN: use-after-free Read in j1939_sk_recv # git bisect bad 81160dda9a7aad13c04e78bb2cfd3c4630e3afab Bisecting: 3707 revisions left to test after this (roughly 12 steps) [04cbfba6208592999d7bfe6609ec01dc3fde73f5] Merge tag 'dmaengine-5.4-rc1' of git://git.infradead.org/users/vkoul/slave-dma testing commit 04cbfba6208592999d7bfe6609ec01dc3fde73f5 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 04cbfba6208592999d7bfe6609ec01dc3fde73f5 Bisecting: 1853 revisions left to test after this (roughly 11 steps) [e69e9db9031b2ef4897cfafb9a496f8eb6724e14] nfp: nsp: add support for hwinfo set operation testing commit e69e9db9031b2ef4897cfafb9a496f8eb6724e14 with gcc (GCC) 8.1.0 all runs: crashed: KASAN: use-after-free Read in j1939_sk_recv # git bisect bad e69e9db9031b2ef4897cfafb9a496f8eb6724e14 Bisecting: 918 revisions left to test after this (roughly 10 steps) [8c40f3b212a373be843a29db608b462af5c3ed5d] Merge tag 'mlx5-updates-2019-08-15' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux testing commit 8c40f3b212a373be843a29db608b462af5c3ed5d with gcc (GCC) 8.1.0 all runs: OK # git bisect good 8c40f3b212a373be843a29db608b462af5c3ed5d Bisecting: 459 revisions left to test after this (roughly 9 steps) [58d3bef4163b40147058649b225fddcdd9de7e82] iwlwifi: remove all the d0i3 references testing commit 58d3bef4163b40147058649b225fddcdd9de7e82 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 58d3bef4163b40147058649b225fddcdd9de7e82 Bisecting: 184 revisions left to test after this (roughly 8 steps) [1e46c09ec10049a9e366153b32e41cc557383fdb] Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next testing commit 1e46c09ec10049a9e366153b32e41cc557383fdb with gcc (GCC) 8.1.0 all runs: crashed: KASAN: use-after-free Read in j1939_sk_recv # git bisect bad 1e46c09ec10049a9e366153b32e41cc557383fdb Bisecting: 137 revisions left to test after this (roughly 7 steps) [7d993c5f86aa308b00c2fd420fe5208da18125e2] gianfar: remove forward declarations testing commit 7d993c5f86aa308b00c2fd420fe5208da18125e2 with gcc (GCC) 8.1.0 all runs: crashed: KASAN: use-after-free Read in j1939_sk_recv # git bisect bad 7d993c5f86aa308b00c2fd420fe5208da18125e2 Bisecting: 68 revisions left to test after this (roughly 6 steps) [aa3198819bea60f65f22cd771baf2ff038f59df1] ionic: Add RSS support testing commit aa3198819bea60f65f22cd771baf2ff038f59df1 with gcc (GCC) 8.1.0 all runs: OK # git bisect good aa3198819bea60f65f22cd771baf2ff038f59df1 Bisecting: 36 revisions left to test after this (roughly 5 steps) [8330f73fe9742f201f467639f8356cf58756fb9f] rocker: add missing init_net check in FIB notifier testing commit 8330f73fe9742f201f467639f8356cf58756fb9f with gcc (GCC) 8.1.0 all runs: OK # git bisect good 8330f73fe9742f201f467639f8356cf58756fb9f Bisecting: 18 revisions left to test after this (roughly 4 steps) [9868b5d44f3df9dd75247acd23dddff0a42f79be] can: introduce CAN_REQUIRED_SIZE macro testing commit 9868b5d44f3df9dd75247acd23dddff0a42f79be with gcc (GCC) 8.1.0 all runs: OK # git bisect good 9868b5d44f3df9dd75247acd23dddff0a42f79be Bisecting: 9 revisions left to test after this (roughly 3 steps) [4647e021193d638d3c87d1f1b9a5f7f7a48f36a3] net: stmmac: selftests: Add selftest for L3/L4 Filters testing commit 4647e021193d638d3c87d1f1b9a5f7f7a48f36a3 with gcc (GCC) 8.1.0 all runs: crashed: KASAN: use-after-free Read in j1939_sk_recv # git bisect bad 4647e021193d638d3c87d1f1b9a5f7f7a48f36a3 Bisecting: 4 revisions left to test after this (roughly 2 steps) [44c40910b66f786d33ffd2682ef38750eebb567c] Merge tag 'linux-can-next-for-5.4-20190904' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can-next testing commit 44c40910b66f786d33ffd2682ef38750eebb567c with gcc (GCC) 8.1.0 all runs: crashed: KASAN: use-after-free Read in j1939_sk_recv # git bisect bad 44c40910b66f786d33ffd2682ef38750eebb567c Bisecting: 1 revision left to test after this (roughly 1 step) [f5223e9eee651e005c0f6d6d078909087601b7e9] can: extend sockaddr_can to include j1939 members testing commit f5223e9eee651e005c0f6d6d078909087601b7e9 with gcc (GCC) 8.1.0 all runs: OK # git bisect good f5223e9eee651e005c0f6d6d078909087601b7e9 Bisecting: 0 revisions left to test after this (roughly 0 steps) [9d71dd0c70099914fcd063135da3c580865e924c] can: add support of SAE J1939 protocol testing commit 9d71dd0c70099914fcd063135da3c580865e924c with gcc (GCC) 8.1.0 all runs: crashed: KASAN: use-after-free Read in j1939_sk_recv # git bisect bad 9d71dd0c70099914fcd063135da3c580865e924c 9d71dd0c70099914fcd063135da3c580865e924c is the first bad commit commit 9d71dd0c70099914fcd063135da3c580865e924c Author: The j1939 authors Date: Mon Oct 8 11:48:36 2018 +0200 can: add support of SAE J1939 protocol SAE J1939 is the vehicle bus recommended practice used for communication and diagnostics among vehicle components. Originating in the car and heavy-duty truck industry in the United States, it is now widely used in other parts of the world. J1939, ISO 11783 and NMEA 2000 all share the same high level protocol. SAE J1939 can be considered the replacement for the older SAE J1708 and SAE J1587 specifications. Acked-by: Oliver Hartkopp Signed-off-by: Bastian Stender Signed-off-by: Elenita Hinds Signed-off-by: kbuild test robot Signed-off-by: Kurt Van Dijck Signed-off-by: Maxime Jayat Signed-off-by: Robin van der Gracht Signed-off-by: Oleksij Rempel Signed-off-by: Marc Kleine-Budde :040000 040000 6438450435a8d8353573ce224b3dc9bcc05336fa 7305e82a35c355e46b2660329eb868aa551e2b4c M Documentation :100644 100644 a081c477d1d16934701a8f744f6a44e0d280b3f9 844f416437c427107d7410ab5ab972a202ebe86a M MAINTAINERS :040000 040000 dd56832348e76ffa1949ca007d838d21854a0bfa dfca2d178b96f019a0a7ae1ab81a813b2064f5d3 M include :040000 040000 93492ef857a6d33d4eafc56c27db9f1e31803033 356932da79a67691bcedc6e71faa591f7e5f7392 M net revisions tested: 17, total time: 4h15m11.675062845s (build: 1h44m0.54313785s, test: 2h26m19.874987878s) first bad commit: 9d71dd0c70099914fcd063135da3c580865e924c can: add support of SAE J1939 protocol cc: ["bst@pengutronix.de" "dev.kurt@vandijck-laurijssen.be" "ecathinds@gmail.com" "linux-can@vger.kernel.org" "lkp@intel.com" "maxime.jayat@mobile-devices.fr" "mkl@pengutronix.de" "o.rempel@pengutronix.de" "robin@protonic.nl" "socketcan@hartkopp.net"] crash: KASAN: use-after-free Read in j1939_sk_recv ================================================================== BUG: KASAN: use-after-free in __lock_acquire+0x3a8b/0x4b70 kernel/locking/lockdep.c:3753 Read of size 8 at addr ffff8880797f95c0 by task syz-executor.2/14428 CPU: 0 PID: 14428 Comm: syz-executor.2 Not tainted 5.3.0-rc7+ #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x113/0x167 lib/dump_stack.c:113 print_address_description.cold.8+0x9/0x318 mm/kasan/report.c:351 __kasan_report.cold.9+0x1b/0x3f mm/kasan/report.c:482 kasan_report+0x12/0x17 mm/kasan/common.c:618 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132 __lock_acquire+0x3a8b/0x4b70 kernel/locking/lockdep.c:3753 lock_acquire+0x194/0x410 kernel/locking/lockdep.c:4412 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline] _raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:175 spin_lock_bh include/linux/spinlock.h:343 [inline] j1939_sk_recv+0x2a/0x2e0 net/can/j1939/socket.c:345 j1939_can_recv+0x43f/0x590 net/can/j1939/main.c:105 deliver net/can/af_can.c:568 [inline] can_rcv_filter+0x4ff/0x840 net/can/af_can.c:602 can_receive+0x290/0x470 net/can/af_can.c:659 can_rcv+0xd9/0x160 net/can/af_can.c:685 __netif_receive_skb_one_core+0xe9/0x170 net/core/dev.c:5006 __netif_receive_skb+0x1f/0x1b0 net/core/dev.c:5120 process_backlog+0x1cb/0x670 net/core/dev.c:5951 napi_poll net/core/dev.c:6388 [inline] net_rx_action+0x458/0xe40 net/core/dev.c:6456 __do_softirq+0x262/0x9a8 kernel/softirq.c:292 invoke_softirq kernel/softirq.c:373 [inline] irq_exit+0x19a/0x1d0 kernel/softirq.c:413 exiting_irq arch/x86/include/asm/apic.h:537 [inline] smp_apic_timer_interrupt+0x1a6/0x5f0 arch/x86/kernel/apic/apic.c:1133 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:830 RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:768 [inline] RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline] RIP: 0010:_raw_spin_unlock_irqrestore+0xaf/0xd0 kernel/locking/spinlock.c:191 Code: 90 9e 32 88 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 75 28 48 83 3d 98 45 77 01 00 74 15 48 89 df 57 9d <0f> 1f 44 00 00 eb ad e8 85 00 45 fa eb bb 0f 0b 0f 0b e8 0a 71 de RSP: 0018:ffff88807957f938 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff13 RAX: dffffc0000000000 RBX: 0000000000000286 RCX: 0000000000000000 RDX: 1ffffffff10653d2 RSI: 0000000000000006 RDI: 0000000000000286 RBP: ffff88807957f948 R08: 0000000000000006 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: ffff88808d104a90 R13: 0000000000000001 R14: ffff8880aeb35818 R15: ffff8880aeb206e0 try_to_wake_up+0x76b/0x1870 kernel/sched/core.c:2526 wake_up_process kernel/sched/core.c:2548 [inline] wake_up_q+0xa0/0xf0 kernel/sched/core.c:495 futex_wake+0x330/0x560 kernel/futex.c:1638 do_futex+0x59a/0x1880 kernel/futex.c:3651 __do_sys_futex kernel/futex.c:3707 [inline] __se_sys_futex kernel/futex.c:3675 [inline] __x64_sys_futex+0x1cb/0x390 kernel/futex.c:3675 do_syscall_64+0xd0/0x540 arch/x86/entry/common.c:296 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x45a219 Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007ff6faa05cf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca RAX: ffffffffffffffda RBX: 000000000075bf28 RCX: 000000000045a219 RDX: 00000000004c7ab3 RSI: 0000000000000081 RDI: 000000000075bf2c RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000246 R12: 000000000075bf2c R13: 00007ffe663e8c4f R14: 00007ff6faa069c0 R15: 000000000075bf2c Allocated by task 14428: save_stack+0x21/0x90 mm/kasan/common.c:69 set_track mm/kasan/common.c:77 [inline] __kasan_kmalloc.constprop.9+0xc7/0xd0 mm/kasan/common.c:493 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:507 kmem_cache_alloc_trace+0x15b/0x780 mm/slab.c:3550 kmalloc include/linux/slab.h:552 [inline] kzalloc include/linux/slab.h:748 [inline] j1939_priv_create net/can/j1939/main.c:122 [inline] j1939_netdev_start+0x93/0x510 net/can/j1939/main.c:251 j1939_sk_bind+0x5b6/0x870 net/can/j1939/socket.c:438 __sys_bind+0x1e1/0x230 net/socket.c:1647 __do_sys_bind net/socket.c:1658 [inline] __se_sys_bind net/socket.c:1656 [inline] __x64_sys_bind+0x6e/0xb0 net/socket.c:1656 do_syscall_64+0xd0/0x540 arch/x86/entry/common.c:296 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 14427: save_stack+0x21/0x90 mm/kasan/common.c:69 set_track mm/kasan/common.c:77 [inline] __kasan_slab_free+0x102/0x150 mm/kasan/common.c:455 kasan_slab_free+0xe/0x10 mm/kasan/common.c:463 __cache_free mm/slab.c:3425 [inline] kfree+0x108/0x2c0 mm/slab.c:3756 __j1939_priv_release net/can/j1939/main.c:154 [inline] kref_put include/linux/kref.h:65 [inline] j1939_priv_put+0x70/0x90 net/can/j1939/main.c:159 j1939_netdev_stop+0x2d/0x170 net/can/j1939/main.c:291 j1939_sk_release+0x322/0x4c0 net/can/j1939/socket.c:580 __sock_release+0xc2/0x270 net/socket.c:590 sock_close+0x13/0x20 net/socket.c:1268 __fput+0x25a/0x770 fs/file_table.c:280 ____fput+0x9/0x10 fs/file_table.c:313 task_work_run+0x108/0x180 kernel/task_work.c:113 tracehook_notify_resume include/linux/tracehook.h:188 [inline] exit_to_usermode_loop+0x24e/0x2e0 arch/x86/entry/common.c:163 prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline] syscall_return_slowpath arch/x86/entry/common.c:274 [inline] do_syscall_64+0x462/0x540 arch/x86/entry/common.c:299 entry_SYSCALL_64_after_hwframe+0x49/0xbe The buggy address belongs to the object at ffff8880797f8500 which belongs to the cache kmalloc-8k of size 8192 The buggy address is located 4288 bytes inside of 8192-byte region [ffff8880797f8500, ffff8880797fa500) The buggy address belongs to the page: page:ffffea0001e5fe00 refcount:1 mapcount:0 mapping:ffff8880aa4021c0 index:0x0 compound_mapcount: 0 flags: 0x1fffc0000010200(slab|head) raw: 01fffc0000010200 ffffea0002315a08 ffffea0001e35c08 ffff8880aa4021c0 raw: 0000000000000000 ffff8880797f8500 0000000100000001 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880797f9480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880797f9500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8880797f9580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8880797f9600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880797f9680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================