bisecting fixing commit since 9a95f25269bd9257ab9fba7bb14355d50b5f39ec
building syzkaller on 56cd6c9b80ee424566e3ceaf8a4b042803a130ad
testing commit 9a95f25269bd9257ab9fba7bb14355d50b5f39ec with gcc (GCC) 8.1.0
kernel signature: 5933a4630de53cfff0db0808ae4d214f2bd1a11493043274de426e16bffb5637
all runs: crashed: KASAN: slab-out-of-bounds Read in __nla_put_nohdr
testing current HEAD 98db2bf27b9ed2d5ed0b6c9c8a4bfcb127a19796
testing commit 98db2bf27b9ed2d5ed0b6c9c8a4bfcb127a19796 with gcc (GCC) 8.1.0
kernel signature: a93594a308bec9721e70781e05d8398a528b4a45f00f5207d142e6309a069dc6
all runs: OK
# git bisect start 98db2bf27b9ed2d5ed0b6c9c8a4bfcb127a19796 9a95f25269bd9257ab9fba7bb14355d50b5f39ec
Bisecting: 154 revisions left to test after this (roughly 7 steps)
[52f001bf9ba6d5fc628852dd6102a98f573e0b3b] media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors
testing commit 52f001bf9ba6d5fc628852dd6102a98f573e0b3b with gcc (GCC) 8.1.0
kernel signature: e522e72c648898f201334fa140814ea8139238bc66a2329512c9d6ca5dd7ece3
all runs: OK
# git bisect bad 52f001bf9ba6d5fc628852dd6102a98f573e0b3b
Bisecting: 77 revisions left to test after this (roughly 6 steps)
[b4cdf5066ce23d1cc23c1dd4c71438e762c82581] net_sched: ematch: reject invalid TCF_EM_SIMPLE
testing commit b4cdf5066ce23d1cc23c1dd4c71438e762c82581 with gcc (GCC) 8.1.0
kernel signature: 256c4ad5066716ddf9fe4d5da111c379451adee76e803ffa2d28af74ee0ef025
all runs: OK
# git bisect bad b4cdf5066ce23d1cc23c1dd4c71438e762c82581
Bisecting: 38 revisions left to test after this (roughly 5 steps)
[a4681849419e18f0592961f7aa88bef19eaa66f3] coresight: etb10: Do not call smp_processor_id from preemptible
testing commit a4681849419e18f0592961f7aa88bef19eaa66f3 with gcc (GCC) 8.1.0
kernel signature: b6c61a179fc56ad3b3e044b0f08e879dbe6ee167a6dffaa7ee9e8a2c833163e8
all runs: OK
# git bisect bad a4681849419e18f0592961f7aa88bef19eaa66f3
Bisecting: 18 revisions left to test after this (roughly 4 steps)
[ffea8daac4c58e21e0196e72a84b53e3fbc363f7] hwmon: (core) Fix double-free in __hwmon_device_register()
testing commit ffea8daac4c58e21e0196e72a84b53e3fbc363f7 with gcc (GCC) 8.1.0
kernel signature: ab35691b790ef101fc566d10576652f5be7ce5e727150effac58e67c34fde991
all runs: OK
# git bisect bad ffea8daac4c58e21e0196e72a84b53e3fbc363f7
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[7ac7cc5e78444a84e5786e822ca6643ad4cd55f7] net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject
testing commit 7ac7cc5e78444a84e5786e822ca6643ad4cd55f7 with gcc (GCC) 8.1.0
kernel signature: 4fa79da64983ef66d1d316738eb42de84df99b96e396898f79ef1baee1363ad8
all runs: basic kernel testing failed: general protection fault in kernfs_find_ns
# git bisect skip 7ac7cc5e78444a84e5786e822ca6643ad4cd55f7
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[5f36336849edd9c3294adc4f93141c0261b98034] net-sysfs: fix netdev_queue_add_kobject() breakage
testing commit 5f36336849edd9c3294adc4f93141c0261b98034 with gcc (GCC) 8.1.0
kernel signature: ada564739796d3a02afdc8b99d0337ba09eb5cc355b4490c02af392fff5185b8
run #0: OK
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: crashed: general protection fault in batadv_iv_ogm_queue_add
run #7: OK
run #8: crashed: general protection fault in batadv_iv_ogm_queue_add
run #9: OK
# git bisect good 5f36336849edd9c3294adc4f93141c0261b98034
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[7e70784f1702cd9f438e23168ae937397c2d323a] tcp_bbr: improve arithmetic division in bbr_update_bw()
testing commit 7e70784f1702cd9f438e23168ae937397c2d323a with gcc (GCC) 8.1.0
kernel signature: 1dbb7107365d7749597c024db28a55ef3ccdb2240a1a095d3694b899487cf351
all runs: OK
# git bisect bad 7e70784f1702cd9f438e23168ae937397c2d323a
Bisecting: 2 revisions left to test after this (roughly 1 step)
[8aca069fb05e2a65a264070efb9989cc72ab1694] net-sysfs: Call dev_hold always in rx_queue_add_kobject
testing commit 8aca069fb05e2a65a264070efb9989cc72ab1694 with gcc (GCC) 8.1.0
kernel signature: 4a70324495f8a3f0cb6109014ee0edfaad554327702fd681217b56985a0ea129
run #0: OK
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: crashed: general protection fault in batadv_iv_ogm_queue_add
run #9: OK
# git bisect good 8aca069fb05e2a65a264070efb9989cc72ab1694
Bisecting: 1 revision left to test after this (roughly 1 step)
[c5fd8a37e97100254a2178e470e9641c51e91dbb] net-sysfs: Fix reference count leak
testing commit c5fd8a37e97100254a2178e470e9641c51e91dbb with gcc (GCC) 8.1.0
kernel signature: 2968df375981b94aa5d895f6b7d418a7dc78dc53ee38748f097d3037089ef005
all runs: OK
# git bisect bad c5fd8a37e97100254a2178e470e9641c51e91dbb
c5fd8a37e97100254a2178e470e9641c51e91dbb is the first bad commit
commit c5fd8a37e97100254a2178e470e9641c51e91dbb
Author: Jouni Hogander
Date: Mon Jan 20 09:51:03 2020 +0200

    net-sysfs: Fix reference count leak

    [ Upstream commit cb626bf566eb4433318d35681286c494f04fedcc ]

    Netdev_register_kobject is calling device_initialize. In case of error
    reference taken by device_initialize is not given up.

    Drivers are supposed to call free_netdev in case of error. In non-error
    case the last reference is given up there and device release sequence
    is triggered. In error case this reference is kept and the release
    sequence is never started.

    Fix this by setting reg_state as NETREG_UNREGISTERED if registering
    fails.

    This is the rootcause for couple of memory leaks reported by Syzkaller:

    BUG: memory leak
    unreferenced object 0xffff8880675ca008 (size 256):
      comm "netdev_register", pid 281, jiffies 4294696663 (age 6.808s)
      hex dump (first 32 bytes):
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      backtrace:
        [<0000000058ca4711>] kmem_cache_alloc_trace+0x167/0x280
        [<000000002340019b>] device_add+0x882/0x1750
        [<000000001d588c3a>] netdev_register_kobject+0x128/0x380
        [<0000000011ef5535>] register_netdevice+0xa1b/0xf00
        [<000000007fcf1c99>] __tun_chr_ioctl+0x20d5/0x3dd0
        [<000000006a5b7b2b>] tun_chr_ioctl+0x2f/0x40
        [<00000000f30f834a>] do_vfs_ioctl+0x1c7/0x1510
        [<00000000fba062ea>] ksys_ioctl+0x99/0xb0
        [<00000000b1c1b8d2>] __x64_sys_ioctl+0x78/0xb0
        [<00000000984cabb9>] do_syscall_64+0x16f/0x580
        [<000000000bde033d>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
        [<00000000e6ca2d9f>] 0xffffffffffffffff

    BUG: memory leak
    unreferenced object 0xffff8880668ba588 (size 8):
      comm "kobject_set_nam", pid 286, jiffies 4294725297 (age 9.871s)
      hex dump (first 8 bytes):
        6e 72 30 00 cc be df 2b  nr0....+
      backtrace:
        [<00000000a322332a>] __kmalloc_track_caller+0x16e/0x290
        [<00000000236fd26b>] kstrdup+0x3e/0x70
        [<00000000dd4a2815>] kstrdup_const+0x3e/0x50
        [<0000000049a377fc>] kvasprintf_const+0x10e/0x160
        [<00000000627fc711>] kobject_set_name_vargs+0x5b/0x140
        [<0000000019eeab06>] dev_set_name+0xc0/0xf0
        [<0000000069cb12bc>] netdev_register_kobject+0xc8/0x320
        [<00000000f2e83732>] register_netdevice+0xa1b/0xf00
        [<000000009e1f57cc>] __tun_chr_ioctl+0x20d5/0x3dd0
        [<000000009c560784>] tun_chr_ioctl+0x2f/0x40
        [<000000000d759e02>] do_vfs_ioctl+0x1c7/0x1510
        [<00000000351d7c31>] ksys_ioctl+0x99/0xb0
        [<000000008390040a>] __x64_sys_ioctl+0x78/0xb0
        [<0000000052d196b7>] do_syscall_64+0x16f/0x580
        [<0000000019af9236>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
        [<00000000bc384531>] 0xffffffffffffffff

    v3 -> v4:
      Set reg_state to NETREG_UNREGISTERED if registering fails

    v2 -> v3:
    * Replaced BUG_ON with WARN_ON in free_netdev and netdev_release

    v1 -> v2:
    * Relying on driver calling free_netdev rather than calling
      put_device directly in error path

    Reported-by: syzbot+ad8ca40ecd77896d51e2@syzkaller.appspotmail.com
    Cc: David Miller
    Cc: Greg Kroah-Hartman
    Cc: Lukas Bulwahn
    Signed-off-by: Jouni Hogander
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

 net/core/dev.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
culprit signature: 2968df375981b94aa5d895f6b7d418a7dc78dc53ee38748f097d3037089ef005
parent signature: 4a70324495f8a3f0cb6109014ee0edfaad554327702fd681217b56985a0ea129
revisions tested: 11, total time: 3h27m23.194824775s (build: 1h42m43.181927438s, test: 1h42m53.768755806s)
first good commit: c5fd8a37e97100254a2178e470e9641c51e91dbb net-sysfs: Fix reference count leak
cc: ["davem@davemloft.net" "gregkh@linuxfoundation.org" "jouni.hogander@unikie.com"]