bisecting cause commit starting from 4703d9119972bf586d2cca76ec6438f819ffa30e building syzkaller on 2e95ab335759ed7e1c246c2057c84d813a2c29e1 testing commit 4703d9119972bf586d2cca76ec6438f819ffa30e with gcc (GCC) 8.1.0 kernel signature: 6c38c19b015371494c338ad19d4fa6d013fa46171f89b2e7721e369e72de3ddd all runs: crashed: KASAN: slab-out-of-bounds Read in bitmap_ipmac_ext_cleanup testing release v5.4 testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0 kernel signature: fe9ee5694bd7b6cfa10744bc2184ec0b0f7779560833708dddadf2a7f58cba4f all runs: crashed: KASAN: use-after-free Read in bitmap_ipmac_ext_cleanup testing release v5.3 testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.1.0 kernel signature: 5d3c2721afbaf172369223b2dd625b99f876c3c22d9e161c908201c130ad4d76 all runs: crashed: KASAN: use-after-free Read in bitmap_ipmac_ext_cleanup testing release v5.2 testing commit 0ecfebd2b52404ae0c54a878c872bb93363ada36 with gcc (GCC) 8.1.0 kernel signature: d37855456752892e10fd2d5bbacc5b35bb72446b11fc828d78ce8901b46aac91 all runs: OK # git bisect start 4d856f72c10ecb060868ed10ff1b1453943fc6c8 0ecfebd2b52404ae0c54a878c872bb93363ada36 Bisecting: 7848 revisions left to test after this (roughly 13 steps) [43c95d3694cc448fdf50bd53b7ff3a5bb4655883] Merge tag 'pinctrl-v5.3-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl testing commit 43c95d3694cc448fdf50bd53b7ff3a5bb4655883 with gcc (GCC) 8.1.0 kernel signature: 1ba572ab86d57defef8cba104a27b32d27f20095d4f5bbaac554ec3f85c18f7d all runs: crashed: KASAN: use-after-free Read in bitmap_ipmac_ext_cleanup # git bisect bad 43c95d3694cc448fdf50bd53b7ff3a5bb4655883 Bisecting: 4619 revisions left to test after this (roughly 12 steps) [8f6ccf6159aed1f04c6d179f61f6fb2691261e84] Merge tag 'clone3-v5.3' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux testing commit 8f6ccf6159aed1f04c6d179f61f6fb2691261e84 with gcc (GCC) 8.1.0 kernel signature: 585b12bfaad8c16721687e7dd2f8e6edfc2f716a327627f9e20a6327b6b11769 all runs: OK # git bisect good 8f6ccf6159aed1f04c6d179f61f6fb2691261e84 Bisecting: 2306 revisions left to test after this (roughly 11 steps) [753c8d9b7d81206bb5d011b28abe829d364b028e] Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip testing commit 753c8d9b7d81206bb5d011b28abe829d364b028e with gcc (GCC) 8.1.0 kernel signature: 660df262b9b63944339b46cb0325ee170f6fa7fbdee04f843126a6406048b684 run #0: crashed: general protection fault in send_hsr_supervision_frame run #1: crashed: general protection fault in send_hsr_supervision_frame run #2: crashed: general protection fault in send_hsr_supervision_frame run #3: crashed: general protection fault in send_hsr_supervision_frame run #4: crashed: KASAN: use-after-free Read in batadv_tvlv_container_ogm_append run #5: crashed: general protection fault in send_hsr_supervision_frame run #6: crashed: general protection fault in send_hsr_supervision_frame run #7: OK run #8: OK run #9: OK # git bisect bad 753c8d9b7d81206bb5d011b28abe829d364b028e Bisecting: 1156 revisions left to test after this (roughly 10 steps) [2f9b0d93a9d3ec64558537ab5d7cff820886afa4] net: ethernet: ti: cpsw: Fix suspend/resume break testing commit 2f9b0d93a9d3ec64558537ab5d7cff820886afa4 with gcc (GCC) 8.1.0 kernel signature: 4cf7fd0985b6bfb948872c380c7992cddadd965a0f60a948034e4a7b05bbba4a all runs: OK # git bisect good 2f9b0d93a9d3ec64558537ab5d7cff820886afa4 Bisecting: 578 revisions left to test after this (roughly 9 steps) [354d0fab649d47045517cf7cae03d653a4dcb3b8] net: hns3: add default value for tc_size and tc_offset testing commit 354d0fab649d47045517cf7cae03d653a4dcb3b8 with gcc (GCC) 8.1.0 kernel signature: 6dba1a5ab28500d6005505a60b5b99725da7141b203b94b9ab4ac9f8534979e5 all runs: OK # git bisect good 354d0fab649d47045517cf7cae03d653a4dcb3b8 Bisecting: 289 revisions left to test after this (roughly 8 steps) [52c0609258658ff35b85c654c568a50abd602ac6] bnxt_en: rename some xdp functions testing commit 52c0609258658ff35b85c654c568a50abd602ac6 with gcc (GCC) 8.1.0 kernel signature: f1c0c9d07d7002f43859368cde5a3a2856f576a7e1e0d92ce3cacb60a52b1729 all runs: OK # git bisect good 52c0609258658ff35b85c654c568a50abd602ac6 Bisecting: 169 revisions left to test after this (roughly 7 steps) [e858faf556d4e14c750ba1e8852783c6f9520a0e] tcp: Reset bytes_acked and bytes_received when disconnecting testing commit e858faf556d4e14c750ba1e8852783c6f9520a0e with gcc (GCC) 8.1.0 kernel signature: f861a0bc6b24afc9ce0e6ecfcfe960ba7af7636ad3f80510175e71e718ce3f25 run #0: crashed: general protection fault in send_hsr_supervision_frame run #1: crashed: general protection fault in send_hsr_supervision_frame run #2: crashed: general protection fault in send_hsr_supervision_frame run #3: crashed: general protection fault in send_hsr_supervision_frame run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad e858faf556d4e14c750ba1e8852783c6f9520a0e Bisecting: 59 revisions left to test after this (roughly 6 steps) [3d26eb8ad1e9b906433903ce05f775cf038e747f] net: bridge: don't cache ether dest pointer on input testing commit 3d26eb8ad1e9b906433903ce05f775cf038e747f with gcc (GCC) 8.1.0 kernel signature: ade78be5099e03dbbde265c668514fe17fac3a8a7f42296874ccbc314df347f0 all runs: OK # git bisect good 3d26eb8ad1e9b906433903ce05f775cf038e747f Bisecting: 30 revisions left to test after this (roughly 5 steps) [9d1bc24b52fb8c5d859f9a47084bf1179470e04c] bonding: validate ip header before check IPPROTO_IGMP testing commit 9d1bc24b52fb8c5d859f9a47084bf1179470e04c with gcc (GCC) 8.1.0 kernel signature: ad8fee9701771580a3c234cbe6d3597321a8f8746739dd121205805bc6b07ca5 all runs: OK # git bisect good 9d1bc24b52fb8c5d859f9a47084bf1179470e04c Bisecting: 15 revisions left to test after this (roughly 4 steps) [13aecb17acabc2a92187d08f7ca93bb8aad62c6f] net/tls: fix poll ignoring partially copied records testing commit 13aecb17acabc2a92187d08f7ca93bb8aad62c6f with gcc (GCC) 8.1.0 kernel signature: 3a3f97480c399b087e3935ce08eb028a4f7ce1d3df6697019505c65b4bf53007 run #0: crashed: general protection fault in send_hsr_supervision_frame run #1: crashed: general protection fault in send_hsr_supervision_frame run #2: crashed: general protection fault in send_hsr_supervision_frame run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 13aecb17acabc2a92187d08f7ca93bb8aad62c6f Bisecting: 7 revisions left to test after this (roughly 3 steps) [56c5ee1a5823e9cf5288b84ae6364cb4112f8225] xfrm interface: fix memory leak on creation testing commit 56c5ee1a5823e9cf5288b84ae6364cb4112f8225 with gcc (GCC) 8.1.0 kernel signature: b4638e6c92fc7c61aaba5d9902d6ef303f82bd6ae551c27a205ac50e7343c139 all runs: OK # git bisect good 56c5ee1a5823e9cf5288b84ae6364cb4112f8225 Bisecting: 3 revisions left to test after this (roughly 2 steps) [edf070a0fb45ac845f534baf172fbadbeb5048c6] hsr: fix a NULL pointer deref in hsr_dev_xmit() testing commit edf070a0fb45ac845f534baf172fbadbeb5048c6 with gcc (GCC) 8.1.0 kernel signature: 27d67650e898822764f776f928f57949ef179683eb4e6fdf2893bb45aa62d8a6 run #0: crashed: general protection fault in send_hsr_supervision_frame run #1: crashed: general protection fault in send_hsr_supervision_frame run #2: crashed: general protection fault in send_hsr_supervision_frame run #3: crashed: general protection fault in send_hsr_supervision_frame run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad edf070a0fb45ac845f534baf172fbadbeb5048c6 Bisecting: 1 revision left to test after this (roughly 1 step) [619afef01f74f3572b5e9a266c1230dc83761eec] hsr: fix a memory leak in hsr_del_port() testing commit 619afef01f74f3572b5e9a266c1230dc83761eec with gcc (GCC) 8.1.0 kernel signature: cf63a8933301810789b601d1919d220180c228828150ec4d5fcce0a3005e1611 all runs: OK # git bisect good 619afef01f74f3572b5e9a266c1230dc83761eec Bisecting: 0 revisions left to test after this (roughly 0 steps) [b9a1e627405d68d475a3c1f35e685ccfb5bbe668] hsr: implement dellink to clean up resources testing commit b9a1e627405d68d475a3c1f35e685ccfb5bbe668 with gcc (GCC) 8.1.0 kernel signature: 0dfc627c3a48cb25d1558c43d29c8d4eab4b2229d3c8052275f23ff8a430cd60 run #0: crashed: general protection fault in send_hsr_supervision_frame run #1: crashed: general protection fault in send_hsr_supervision_frame run #2: crashed: general protection fault in send_hsr_supervision_frame run #3: crashed: general protection fault in batadv_iv_ogm_queue_add run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad b9a1e627405d68d475a3c1f35e685ccfb5bbe668 b9a1e627405d68d475a3c1f35e685ccfb5bbe668 is the first bad commit commit b9a1e627405d68d475a3c1f35e685ccfb5bbe668 Author: Cong Wang Date: Wed Jul 3 17:21:13 2019 -0700 hsr: implement dellink to clean up resources hsr_link_ops implements ->newlink() but not ->dellink(), which leads that resources not released after removing the device, particularly the entries in self_node_db and node_db. So add ->dellink() implementation to replace the priv_destructor. This also makes the code slightly easier to understand. Reported-by: syzbot+c6167ec3de7def23d1e8@syzkaller.appspotmail.com Cc: Arvid Brodin Signed-off-by: Cong Wang Signed-off-by: David S. Miller net/hsr/hsr_device.c | 13 +++++-------- net/hsr/hsr_device.h | 1 + net/hsr/hsr_framereg.c | 11 ++++++++++- net/hsr/hsr_framereg.h | 3 ++- net/hsr/hsr_netlink.c | 7 +++++++ 5 files changed, 25 insertions(+), 10 deletions(-) culprit signature: 0dfc627c3a48cb25d1558c43d29c8d4eab4b2229d3c8052275f23ff8a430cd60 parent signature: cf63a8933301810789b601d1919d220180c228828150ec4d5fcce0a3005e1611 revisions tested: 18, total time: 4h46m9.267346121s (build: 1h53m43.289648667s, test: 2h50m52.700322759s) first bad commit: b9a1e627405d68d475a3c1f35e685ccfb5bbe668 hsr: implement dellink to clean up resources cc: ["arvid.brodin@alten.se" "davem@davemloft.net" "linux-kernel@vger.kernel.org" "netdev@vger.kernel.org" "xiyou.wangcong@gmail.com"] crash: general protection fault in batadv_iv_ogm_queue_add kasan: CONFIG_KASAN_INLINE enabled kasan: GPF could be caused by NULL-ptr deref or user memory access general protection fault: 0000 [#1] PREEMPT SMP KASAN CPU: 1 PID: 7 Comm: kworker/u4:0 Not tainted 5.2.0-rc6-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: bat_events batadv_iv_send_outstanding_bat_ogm_packet RIP: 0010:batadv_iv_ogm_queue_add+0x9b/0xe50 net/batman-adv/bat_iv_ogm.c:599 Code: 44 89 8d 64 ff ff ff c7 02 f1 f1 f1 f1 c7 42 04 04 f2 f2 f2 48 89 fa 65 48 8b 0c 25 28 00 00 00 48 89 4d d0 31 c9 48 c1 ea 03 <0f> b6 04 02 48 89 fa 83 e2 07 38 d0 7f 08 84 c0 0f 85 a2 0b 00 00 RSP: 0018:ffff8880a989fab8 EFLAGS: 00010246 RAX: dffffc0000000000 RBX: ffff888090db1840 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: ffff8880a989fbd0 R08: ffff8880a602c280 R09: 0000000000000001 R10: ffffed1015313f8f R11: 0000000000000003 R12: 0000000000000007 R13: ffff8880a602c2a8 R14: ffff8880a602c280 R15: 000000000000003c FS: 0000000000000000(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffcc04acde4 CR3: 000000000886d000 CR4: 00000000001406e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: batadv_iv_ogm_schedule+0xb60/0xe90 net/batman-adv/bat_iv_ogm.c:807 batadv_iv_send_outstanding_bat_ogm_packet+0x4a2/0x790 net/batman-adv/bat_iv_ogm.c:1669 process_one_work+0x830/0x16a0 kernel/workqueue.c:2269 worker_thread+0x85/0xb60 kernel/workqueue.c:2415 kthread+0x324/0x3e0 kernel/kthread.c:255 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 Modules linked in: ---[ end trace ee8231dcc007b849 ]--- RIP: 0010:batadv_iv_ogm_queue_add+0x9b/0xe50 net/batman-adv/bat_iv_ogm.c:599 Code: 44 89 8d 64 ff ff ff c7 02 f1 f1 f1 f1 c7 42 04 04 f2 f2 f2 48 89 fa 65 48 8b 0c 25 28 00 00 00 48 89 4d d0 31 c9 48 c1 ea 03 <0f> b6 04 02 48 89 fa 83 e2 07 38 d0 7f 08 84 c0 0f 85 a2 0b 00 00 RSP: 0018:ffff8880a989fab8 EFLAGS: 00010246 RAX: dffffc0000000000 RBX: ffff888090db1840 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: ffff8880a989fbd0 R08: ffff8880a602c280 R09: 0000000000000001 R10: ffffed1015313f8f R11: 0000000000000003 R12: 0000000000000007 R13: ffff8880a602c2a8 R14: ffff8880a602c280 R15: 000000000000003c FS: 0000000000000000(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffcc04acde4 CR3: 00000000a0d9f000 CR4: 00000000001406e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400