bisecting cause commit starting from a99d8080aaf358d5d23581244e5da23b35e340b9 building syzkaller on 76630fc9477809305ab0fc257f92826e7671cb7e testing commit a99d8080aaf358d5d23581244e5da23b35e340b9 with gcc (GCC) 8.1.0 run #0: crashed: KASAN: use-after-free Write in j1939_sock_pending_del run #1: crashed: KASAN: use-after-free Write in j1939_sock_pending_del run #2: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #3: crashed: KASAN: use-after-free Write in j1939_sock_pending_del run #4: crashed: KASAN: use-after-free Write in j1939_sock_pending_del run #5: crashed: KASAN: use-after-free Write in j1939_sock_pending_del run #6: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #7: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #8: crashed: KASAN: use-after-free Write in j1939_sock_pending_del run #9: crashed: KASAN: use-after-free Read in j1939_session_deactivate testing release v5.3 testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.1.0 all runs: OK # git bisect start a99d8080aaf358d5d23581244e5da23b35e340b9 v5.3 Bisecting: 7459 revisions left to test after this (roughly 13 steps) [7d14df2d280fb7411eba2eb96682da0683ad97f6] Merge tag 'for-5.4-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux testing commit 7d14df2d280fb7411eba2eb96682da0683ad97f6 with gcc (GCC) 8.1.0 run #0: crashed: KASAN: use-after-free Write in j1939_sock_pending_del run #1: crashed: KASAN: use-after-free Write in j1939_sock_pending_del run #2: crashed: KASAN: use-after-free Write in j1939_sock_pending_del run #3: crashed: KASAN: use-after-free Write in j1939_sock_pending_del run #4: crashed: KASAN: use-after-free Write in j1939_sock_pending_del run #5: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #6: crashed: KASAN: use-after-free Write in j1939_sock_pending_del run #7: crashed: KASAN: use-after-free Write in j1939_sock_pending_del run #8: crashed: KASAN: use-after-free Write in j1939_sock_pending_del run #9: crashed: KASAN: use-after-free Write in j1939_sock_pending_del # git bisect bad 7d14df2d280fb7411eba2eb96682da0683ad97f6 Bisecting: 3781 revisions left to test after this (roughly 12 steps) [77dcfe2b9edc98286cf18e03c243c9b999f955d9] Merge tag 'pm-5.4-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm testing commit 77dcfe2b9edc98286cf18e03c243c9b999f955d9 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 77dcfe2b9edc98286cf18e03c243c9b999f955d9 Bisecting: 1884 revisions left to test after this (roughly 11 steps) [c1b3ddf7c319722d939b09c288968feb12c12c15] Merge tag 'mac80211-next-for-davem-2019-09-11' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211-next testing commit c1b3ddf7c319722d939b09c288968feb12c12c15 with gcc (GCC) 8.1.0 run #0: crashed: KASAN: use-after-free Write in j1939_sock_pending_del run #1: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #2: crashed: KASAN: use-after-free Write in j1939_sock_pending_del run #3: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #4: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #5: crashed: KASAN: use-after-free Write in j1939_sock_pending_del run #6: crashed: KASAN: use-after-free Write in j1939_sock_pending_del run #7: crashed: KASAN: use-after-free Write in j1939_sock_pending_del run #8: crashed: KASAN: use-after-free Write in j1939_sock_pending_del run #9: crashed: KASAN: use-after-free Write in j1939_sock_pending_del # git bisect bad c1b3ddf7c319722d939b09c288968feb12c12c15 Bisecting: 948 revisions left to test after this (roughly 10 steps) [6c7a00339e2a64b068c986301f37bd31eb83d7e9] cfg80211: Support assoc-at timer in sta-info testing commit 6c7a00339e2a64b068c986301f37bd31eb83d7e9 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 6c7a00339e2a64b068c986301f37bd31eb83d7e9 Bisecting: 473 revisions left to test after this (roughly 9 steps) [1ddee6d843d841414039414923620c8160aec623] Merge branch 'gianfar-some-assorted-cleanup' testing commit 1ddee6d843d841414039414923620c8160aec623 with gcc (GCC) 8.1.0 run #0: crashed: KASAN: use-after-free Write in j1939_sock_pending_del run #1: crashed: KASAN: use-after-free Write in j1939_sock_pending_del run #2: crashed: KASAN: use-after-free Write in j1939_sock_pending_del run #3: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #4: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #5: crashed: KASAN: use-after-free Write in j1939_sock_pending_del run #6: crashed: KASAN: use-after-free Write in j1939_sock_pending_del run #7: crashed: KASAN: use-after-free Write in j1939_sock_pending_del run #8: crashed: KASAN: use-after-free Write in j1939_sock_pending_del run #9: crashed: KASAN: use-after-free Write in j1939_sock_pending_del # git bisect bad 1ddee6d843d841414039414923620c8160aec623 Bisecting: 237 revisions left to test after this (roughly 8 steps) [ce37115e3a5741219ceb0bb26de23faba6b93881] r8169: factor out reading MAC address from registers testing commit ce37115e3a5741219ceb0bb26de23faba6b93881 with gcc (GCC) 8.1.0 all runs: OK # git bisect good ce37115e3a5741219ceb0bb26de23faba6b93881 Bisecting: 115 revisions left to test after this (roughly 7 steps) [94810bd365cbcce4abc4af497aef4b68db7b4f2a] Merge tag 'mlx5-updates-2019-09-01-v2' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux testing commit 94810bd365cbcce4abc4af497aef4b68db7b4f2a with gcc (GCC) 8.1.0 all runs: OK # git bisect good 94810bd365cbcce4abc4af497aef4b68db7b4f2a Bisecting: 61 revisions left to test after this (roughly 6 steps) [f4d7c8e3da9173ac7b0498abc3aab0d320efe997] vsock/virtio: a better comment on credit update testing commit f4d7c8e3da9173ac7b0498abc3aab0d320efe997 with gcc (GCC) 8.1.0 all runs: OK # git bisect good f4d7c8e3da9173ac7b0498abc3aab0d320efe997 Bisecting: 40 revisions left to test after this (roughly 5 steps) [9d71dd0c70099914fcd063135da3c580865e924c] can: add support of SAE J1939 protocol testing commit 9d71dd0c70099914fcd063135da3c580865e924c with gcc (GCC) 8.1.0 run #0: crashed: KASAN: use-after-free Write in j1939_sock_pending_del run #1: crashed: KASAN: use-after-free Write in j1939_sock_pending_del run #2: crashed: KASAN: use-after-free Write in j1939_sock_pending_del run #3: crashed: KASAN: use-after-free Write in j1939_sock_pending_del run #4: crashed: KASAN: use-after-free Write in j1939_sock_pending_del run #5: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #6: crashed: KASAN: use-after-free Write in j1939_sock_pending_del run #7: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #8: crashed: KASAN: use-after-free Write in j1939_sock_pending_del run #9: crashed: KASAN: use-after-free Write in j1939_sock_pending_del # git bisect bad 9d71dd0c70099914fcd063135da3c580865e924c Bisecting: 10 revisions left to test after this (roughly 3 steps) [6625a18e9ff6462ff81f740a331899b69ad6033e] can: af_can: give variable holding the CAN receiver and the receiver list a sensible name testing commit 6625a18e9ff6462ff81f740a331899b69ad6033e with gcc (GCC) 8.1.0 all runs: OK # git bisect good 6625a18e9ff6462ff81f740a331899b69ad6033e Bisecting: 5 revisions left to test after this (roughly 3 steps) [bdfb5765e45b86b599caf377a99826409f8403cb] can: af_can: remove NULL-ptr checks from users of can_dev_rcv_lists_find() testing commit bdfb5765e45b86b599caf377a99826409f8403cb with gcc (GCC) 8.1.0 all runs: OK # git bisect good bdfb5765e45b86b599caf377a99826409f8403cb Bisecting: 2 revisions left to test after this (roughly 2 steps) [9868b5d44f3df9dd75247acd23dddff0a42f79be] can: introduce CAN_REQUIRED_SIZE macro testing commit 9868b5d44f3df9dd75247acd23dddff0a42f79be with gcc (GCC) 8.1.0 all runs: OK # git bisect good 9868b5d44f3df9dd75247acd23dddff0a42f79be Bisecting: 0 revisions left to test after this (roughly 1 step) [f5223e9eee651e005c0f6d6d078909087601b7e9] can: extend sockaddr_can to include j1939 members testing commit f5223e9eee651e005c0f6d6d078909087601b7e9 with gcc (GCC) 8.1.0 all runs: OK # git bisect good f5223e9eee651e005c0f6d6d078909087601b7e9 9d71dd0c70099914fcd063135da3c580865e924c is the first bad commit commit 9d71dd0c70099914fcd063135da3c580865e924c Author: The j1939 authors Date: Mon Oct 8 11:48:36 2018 +0200 can: add support of SAE J1939 protocol SAE J1939 is the vehicle bus recommended practice used for communication and diagnostics among vehicle components. Originating in the car and heavy-duty truck industry in the United States, it is now widely used in other parts of the world. J1939, ISO 11783 and NMEA 2000 all share the same high level protocol. SAE J1939 can be considered the replacement for the older SAE J1708 and SAE J1587 specifications. Acked-by: Oliver Hartkopp Signed-off-by: Bastian Stender Signed-off-by: Elenita Hinds Signed-off-by: kbuild test robot Signed-off-by: Kurt Van Dijck Signed-off-by: Maxime Jayat Signed-off-by: Robin van der Gracht Signed-off-by: Oleksij Rempel Signed-off-by: Marc Kleine-Budde :040000 040000 6438450435a8d8353573ce224b3dc9bcc05336fa 7305e82a35c355e46b2660329eb868aa551e2b4c M Documentation :100644 100644 a081c477d1d16934701a8f744f6a44e0d280b3f9 844f416437c427107d7410ab5ab972a202ebe86a M MAINTAINERS :040000 040000 dd56832348e76ffa1949ca007d838d21854a0bfa dfca2d178b96f019a0a7ae1ab81a813b2064f5d3 M include :040000 040000 93492ef857a6d33d4eafc56c27db9f1e31803033 356932da79a67691bcedc6e71faa591f7e5f7392 M net revisions tested: 15, total time: 3h32m43.077975142s (build: 1h27m43.64033165s, test: 2h0m50.557047001s) first bad commit: 9d71dd0c70099914fcd063135da3c580865e924c can: add support of SAE J1939 protocol cc: ["bst@pengutronix.de" "dev.kurt@vandijck-laurijssen.be" "ecathinds@gmail.com" "linux-can@vger.kernel.org" "lkp@intel.com" "maxime.jayat@mobile-devices.fr" "mkl@pengutronix.de" "o.rempel@pengutronix.de" "robin@protonic.nl" "socketcan@hartkopp.net"] crash: KASAN: use-after-free Write in j1939_sock_pending_del vcan0: j1939_xtp_rx_abort_one: 0x00000000ebf36e87: 0x00000: (2) System resources were needed for another task so this connection managed session was terminated. vcan0: j1939_xtp_rx_abort_one: 0x000000006ca238ad: 0x00000: (2) System resources were needed for another task so this connection managed session was terminated. vcan0: j1939_xtp_rx_abort_one: 0x000000002b85db49: 0x00000: (2) System resources were needed for another task so this connection managed session was terminated. vcan0: j1939_xtp_rx_abort_one: 0x00000000072d557f: 0x00000: (2) System resources were needed for another task so this connection managed session was terminated. ================================================================== BUG: KASAN: use-after-free in atomic_sub_return include/asm-generic/atomic-instrumented.h:159 [inline] BUG: KASAN: use-after-free in atomic_dec_return include/linux/atomic-fallback.h:455 [inline] BUG: KASAN: use-after-free in j1939_sock_pending_del+0x19/0x50 net/can/j1939/socket.c:73 Write of size 4 at addr ffff888085443900 by task ksoftirqd/1/16 CPU: 1 PID: 16 Comm: ksoftirqd/1 Not tainted 5.3.0-rc7+ #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x113/0x167 lib/dump_stack.c:113 print_address_description.cold.8+0x9/0x318 mm/kasan/report.c:351 __kasan_report.cold.9+0x1b/0x3f mm/kasan/report.c:482 kasan_report+0x12/0x17 mm/kasan/common.c:618 check_memory_region_inline mm/kasan/generic.c:185 [inline] check_memory_region+0x153/0x1d0 mm/kasan/generic.c:192 __kasan_check_write+0x14/0x20 mm/kasan/common.c:98 atomic_sub_return include/asm-generic/atomic-instrumented.h:159 [inline] atomic_dec_return include/linux/atomic-fallback.h:455 [inline] j1939_sock_pending_del+0x19/0x50 net/can/j1939/socket.c:73 __j1939_session_drop net/can/j1939/transport.c:257 [inline] j1939_session_destroy net/can/j1939/transport.c:270 [inline] __j1939_session_release net/can/j1939/transport.c:280 [inline] kref_put include/linux/kref.h:65 [inline] j1939_session_put+0xb8/0x120 net/can/j1939/transport.c:285 j1939_xtp_rx_abort_one+0xa2/0xe0 net/can/j1939/transport.c:1261 j1939_xtp_rx_abort net/can/j1939/transport.c:1269 [inline] j1939_tp_cmd_recv net/can/j1939/transport.c:1940 [inline] j1939_tp_recv+0x4a9/0x780 net/can/j1939/transport.c:1973 j1939_can_recv+0x425/0x590 net/can/j1939/main.c:100 deliver net/can/af_can.c:568 [inline] can_rcv_filter+0x4ff/0x840 net/can/af_can.c:602 can_receive+0x290/0x470 net/can/af_can.c:659 can_rcv+0xd9/0x160 net/can/af_can.c:685 __netif_receive_skb_one_core+0xe9/0x170 net/core/dev.c:5006 __netif_receive_skb+0x1f/0x1b0 net/core/dev.c:5120 process_backlog+0x1cb/0x670 net/core/dev.c:5951 napi_poll net/core/dev.c:6388 [inline] net_rx_action+0x458/0xe40 net/core/dev.c:6456 __do_softirq+0x262/0x9a8 kernel/softirq.c:292 run_ksoftirqd+0x94/0x100 kernel/softirq.c:603 smpboot_thread_fn+0x55f/0x8b0 kernel/smpboot.c:165 kthread+0x331/0x3f0 kernel/kthread.c:255 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 Allocated by task 8897: save_stack+0x21/0x90 mm/kasan/common.c:69 set_track mm/kasan/common.c:77 [inline] __kasan_kmalloc.constprop.9+0xc7/0xd0 mm/kasan/common.c:493 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:507 __do_kmalloc mm/slab.c:3655 [inline] __kmalloc+0x164/0x790 mm/slab.c:3664 kmalloc include/linux/slab.h:557 [inline] sk_prot_alloc+0x14d/0x250 net/core/sock.c:1603 sk_alloc+0x30/0xc70 net/core/sock.c:1657 can_create+0x1ac/0x420 net/can/af_can.c:157 __sock_create+0x262/0x540 net/socket.c:1418 sock_create net/socket.c:1469 [inline] __sys_socket+0xd7/0x1c0 net/socket.c:1511 __do_sys_socket net/socket.c:1520 [inline] __se_sys_socket net/socket.c:1518 [inline] __x64_sys_socket+0x6e/0xb0 net/socket.c:1518 do_syscall_64+0xd0/0x540 arch/x86/entry/common.c:296 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 16: save_stack+0x21/0x90 mm/kasan/common.c:69 set_track mm/kasan/common.c:77 [inline] __kasan_slab_free+0x102/0x150 mm/kasan/common.c:455 kasan_slab_free+0xe/0x10 mm/kasan/common.c:463 __cache_free mm/slab.c:3425 [inline] kfree+0x108/0x2c0 mm/slab.c:3756 sk_prot_free net/core/sock.c:1640 [inline] __sk_destruct+0x3f1/0x580 net/core/sock.c:1726 sk_destruct+0x5a/0x70 net/core/sock.c:1734 __sk_free+0xc7/0x2a0 net/core/sock.c:1745 sock_wfree+0x10c/0x140 net/core/sock.c:1958 skb_release_head_state+0x9f/0x1a0 net/core/skbuff.c:652 skb_release_all+0xd/0x50 net/core/skbuff.c:663 __kfree_skb net/core/skbuff.c:679 [inline] kfree_skb+0xb3/0x2b0 net/core/skbuff.c:697 skb_queue_purge+0x12/0x30 net/core/skbuff.c:3078 j1939_session_destroy net/can/j1939/transport.c:269 [inline] __j1939_session_release net/can/j1939/transport.c:280 [inline] kref_put include/linux/kref.h:65 [inline] j1939_session_put+0x61/0x120 net/can/j1939/transport.c:285 j1939_xtp_rx_abort_one+0xa2/0xe0 net/can/j1939/transport.c:1261 j1939_xtp_rx_abort net/can/j1939/transport.c:1269 [inline] j1939_tp_cmd_recv net/can/j1939/transport.c:1940 [inline] j1939_tp_recv+0x4a9/0x780 net/can/j1939/transport.c:1973 j1939_can_recv+0x425/0x590 net/can/j1939/main.c:100 deliver net/can/af_can.c:568 [inline] can_rcv_filter+0x4ff/0x840 net/can/af_can.c:602 can_receive+0x290/0x470 net/can/af_can.c:659 can_rcv+0xd9/0x160 net/can/af_can.c:685 __netif_receive_skb_one_core+0xe9/0x170 net/core/dev.c:5006 __netif_receive_skb+0x1f/0x1b0 net/core/dev.c:5120 process_backlog+0x1cb/0x670 net/core/dev.c:5951 napi_poll net/core/dev.c:6388 [inline] net_rx_action+0x458/0xe40 net/core/dev.c:6456 __do_softirq+0x262/0x9a8 kernel/softirq.c:292 The buggy address belongs to the object at ffff888085443440 which belongs to the cache kmalloc-2k of size 2048 The buggy address is located 1216 bytes inside of 2048-byte region [ffff888085443440, ffff888085443c40) The buggy address belongs to the page: page:ffffea0002151080 refcount:1 mapcount:0 mapping:ffff8880aa400e00 index:0x0 compound_mapcount: 0 flags: 0x1fffc0000010200(slab|head) raw: 01fffc0000010200 ffffea0002557908 ffffea0001e57788 ffff8880aa400e00 raw: 0000000000000000 ffff888085442340 0000000100000003 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888085443800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888085443880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff888085443900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888085443980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888085443a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================