bisecting cause commit starting from 46cf053efec6a3a5f343fead837777efe8252a46
building syzkaller on be5c2c81971442d623dd1b265dabf4644ceeb35b
testing commit 46cf053efec6a3a5f343fead837777efe8252a46 with gcc (GCC) 8.1.0
kernel signature: 98418d6a367cfcb5b8726b5fecaee5bf650252e8
run #0: crashed: KASAN: slab-out-of-bounds Read in j1939_tp_txtimer
run #1: crashed: KASAN: use-after-free Read in j1939_tp_txtimer
run #2: crashed: KASAN: slab-out-of-bounds Read in j1939_tp_txtimer
run #3: crashed: KASAN: use-after-free Read in j1939_tp_txtimer
run #4: crashed: KASAN: slab-out-of-bounds Read in j1939_tp_txtimer
run #5: crashed: KASAN: slab-out-of-bounds Read in j1939_tp_txtimer
run #6: crashed: KASAN: use-after-free Read in j1939_tp_txtimer
run #7: OK
run #8: OK
run #9: OK
testing release v5.4
testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0
kernel signature: 604a26acb0b4a927c23d069c7e4a21ce77cbf3ad
run #0: crashed: KASAN: slab-out-of-bounds Read in j1939_tp_txtimer
run #1: crashed: KASAN: use-after-free Read in j1939_tp_txtimer
run #2: crashed: KASAN: slab-out-of-bounds Read in j1939_tp_txtimer
run #3: crashed: KASAN: slab-out-of-bounds Read in j1939_tp_txtimer
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
testing release v5.3
testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.1.0
kernel signature: 8e8d04d77e5f285569af6e1af1c8516b3f8ba584
all runs: OK
# git bisect start 219d54332a09e8d8741c1e1982f5eae56099de85 4d856f72c10ecb060868ed10ff1b1453943fc6c8
Bisecting: 7882 revisions left to test after this (roughly 13 steps)
[a9f8b38a071b468276a243ea3ea5a0636e848cf2] Merge tag 'for-linus-5.4-1' of git://github.com/cminyard/linux-ipmi
testing commit a9f8b38a071b468276a243ea3ea5a0636e848cf2 with gcc (GCC) 8.1.0
kernel signature: 830bd24deb52e443869b29664fb5e0eabbd3f1b2
run #0: crashed: KASAN: use-after-free Read in j1939_session_deactivate
run #1: crashed: KASAN: use-after-free Read in j1939_session_deactivate
run #2: crashed: KASAN: use-after-free Read in j1939_session_deactivate
run #3: crashed: KASAN: use-after-free Read in j1939_session_deactivate
run #4: crashed: KASAN: use-after-free Read in j1939_session_deactivate
run #5: crashed: KASAN: use-after-free Read in j1939_session_deactivate
run #6: crashed: KASAN: use-after-free Read in j1939_session_deactivate
run #7: crashed: KASAN: use-after-free Read in j1939_session_deactivate
run #8: crashed: KASAN: use-after-free Read in j1939_session_deactivate
run #9: crashed: INFO: rcu detected stall in hrtimer_run_softirq
# git bisect bad a9f8b38a071b468276a243ea3ea5a0636e848cf2
Bisecting: 3920 revisions left to test after this (roughly 12 steps)
[fe38bd6862074c0a2b9be7f31f043aaa70b2af5f] Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm
testing commit fe38bd6862074c0a2b9be7f31f043aaa70b2af5f with gcc (GCC) 8.1.0
kernel signature: 17a6dddfe77e293efeac65f76fdd6b286f595c79
all runs: OK
# git bisect good fe38bd6862074c0a2b9be7f31f043aaa70b2af5f
Bisecting: 1962 revisions left to test after this (roughly 11 steps)
[069841ef8293697e951c34f9a45601b77fb541d7] Merge branch '40GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/jkirsher/next-queue
testing commit 069841ef8293697e951c34f9a45601b77fb541d7 with gcc (GCC) 8.1.0
kernel signature: 9488fa3dfff5967f4f0d258fc782f92bd165c508
run #0: crashed: KASAN: use-after-free Write in j1939_sock_pending_del
run #1: crashed: KASAN: use-after-free Read in j1939_session_deactivate
run #2: crashed: KASAN: use-after-free Write in j1939_sock_pending_del
run #3: crashed: KASAN: use-after-free Read in j1939_session_deactivate
run #4: crashed: KASAN: use-after-free Read in j1939_session_deactivate
run #5: crashed: KASAN: use-after-free Read in j1939_session_deactivate
run #6: crashed: KASAN: use-after-free Read in j1939_session_deactivate
run #7: crashed: KASAN: use-after-free Write in j1939_sock_pending_del
run #8: crashed: KASAN: use-after-free Write in j1939_sock_pending_del
run #9: crashed: KASAN: use-after-free Read in j1939_session_deactivate
# git bisect bad 069841ef8293697e951c34f9a45601b77fb541d7
Bisecting: 978 revisions left to test after this (roughly 10 steps)
[f33bf6b00f20c9d26c42dfdaf8b83c2b0c1e6f71] net: stmmac: dwmac-meson: use devm_platform_ioremap_resource() to simplify code
testing commit f33bf6b00f20c9d26c42dfdaf8b83c2b0c1e6f71 with gcc (GCC) 8.1.0
kernel signature: 0400f7725343eb732f93e9fe466acc2b55656694
all runs: OK
# git bisect good f33bf6b00f20c9d26c42dfdaf8b83c2b0c1e6f71
Bisecting: 487 revisions left to test after this (roughly 9 steps)
[67e974c3ae21c8ced474eae3ce9261a6f827e95c] Merge tag 'iwlwifi-next-for-kalle-2019-09-06' of git://git.kernel.org/pub/scm/linux/kernel/git/iwlwifi/iwlwifi-next
testing commit 67e974c3ae21c8ced474eae3ce9261a6f827e95c with gcc (GCC) 8.1.0
kernel signature: 8543bee8dd8a007d88b6ebcdbe220eca3e3f23e5
all runs: OK
# git bisect good 67e974c3ae21c8ced474eae3ce9261a6f827e95c
Bisecting: 212 revisions left to test after this (roughly 8 steps)
[1e46c09ec10049a9e366153b32e41cc557383fdb] Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next
testing commit 1e46c09ec10049a9e366153b32e41cc557383fdb with gcc (GCC) 8.1.0
kernel signature: 0c2a062249fd9ca508413007bee08f5e22add6c1
run #0: crashed: KASAN: use-after-free Read in j1939_session_deactivate
run #1: crashed: KASAN: use-after-free Read in j1939_session_deactivate
run #2: crashed: KASAN: use-after-free Read in j1939_session_deactivate
run #3: crashed: KASAN: use-after-free Read in j1939_tp_txtimer
run #4: crashed: KASAN: use-after-free Read in j1939_session_deactivate
run #5: crashed: KASAN: use-after-free Read in j1939_session_deactivate
run #6: crashed: KASAN: use-after-free Read in j1939_session_get_by_addr
run #7: crashed: KASAN: use-after-free Write in j1939_sock_pending_del
run #8: crashed: KASAN: use-after-free Read in j1939_session_deactivate
run #9: crashed: INFO: rcu detected stall in hrtimer_run_softirq
# git bisect bad 1e46c09ec10049a9e366153b32e41cc557383fdb
Bisecting: 137 revisions left to test after this (roughly 7 steps)
[7d993c5f86aa308b00c2fd420fe5208da18125e2] gianfar: remove forward declarations
testing commit 7d993c5f86aa308b00c2fd420fe5208da18125e2 with gcc (GCC) 8.1.0
kernel signature: 130623e3ebae24f04b61bc9fc540e86c303034bd
run #0: crashed: KASAN: use-after-free Read in j1939_session_deactivate
run #1: crashed: KASAN: use-after-free Read in j1939_session_get_by_addr
run #2: crashed: KASAN: use-after-free Read in j1939_session_deactivate
run #3: crashed: KASAN: use-after-free Write in j1939_sock_pending_del
run #4: crashed: KASAN: use-after-free Read in j1939_session_get_by_addr
run #5: crashed: KASAN: use-after-free Read in j1939_session_deactivate
run #6: crashed: KASAN: use-after-free Read in j1939_session_get_by_addr
run #7: crashed: KASAN: use-after-free Read in j1939_session_deactivate
run #8: crashed: KASAN: use-after-free Read in j1939_session_get_by_addr
run #9: crashed: KASAN: use-after-free Read in j1939_session_deactivate
# git bisect bad 7d993c5f86aa308b00c2fd420fe5208da18125e2
Bisecting: 68 revisions left to test after this (roughly 6 steps)
[aa3198819bea60f65f22cd771baf2ff038f59df1] ionic: Add RSS support
testing commit aa3198819bea60f65f22cd771baf2ff038f59df1 with gcc (GCC) 8.1.0
kernel signature: 15ff5591fef1a429f5c926942c27c5faa91c9ab4
all runs: OK
# git bisect good aa3198819bea60f65f22cd771baf2ff038f59df1
Bisecting: 36 revisions left to test after this (roughly 5 steps)
[8330f73fe9742f201f467639f8356cf58756fb9f] rocker: add missing init_net check in FIB notifier
testing commit 8330f73fe9742f201f467639f8356cf58756fb9f with gcc (GCC) 8.1.0
kernel signature: 7dc472c98e03a3f21502076151763a8cb490c2cf
all runs: OK
# git bisect good 8330f73fe9742f201f467639f8356cf58756fb9f
Bisecting: 18 revisions left to test after this (roughly 4 steps)
[9868b5d44f3df9dd75247acd23dddff0a42f79be] can: introduce CAN_REQUIRED_SIZE macro
testing commit 9868b5d44f3df9dd75247acd23dddff0a42f79be with gcc (GCC) 8.1.0
kernel signature: 1a019487a09c94817371ee101449abcd6810f4d0
all runs: OK
# git bisect good 9868b5d44f3df9dd75247acd23dddff0a42f79be
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[4647e021193d638d3c87d1f1b9a5f7f7a48f36a3] net: stmmac: selftests: Add selftest for L3/L4 Filters
testing commit 4647e021193d638d3c87d1f1b9a5f7f7a48f36a3 with gcc (GCC) 8.1.0
kernel signature: faa943ffb53c47c5b4fd42144d8e950826c9635b
run #0: crashed: KASAN: use-after-free Read in j1939_session_get_by_addr
run #1: crashed: KASAN: use-after-free Read in j1939_session_deactivate
run #2: crashed: KASAN: use-after-free Write in j1939_sock_pending_del
run #3: crashed: KASAN: use-after-free Read in j1939_session_deactivate
run #4: crashed: KASAN: use-after-free Read in j1939_session_deactivate
run #5: crashed: KASAN: use-after-free Write in j1939_sock_pending_del
run #6: crashed: KASAN: use-after-free Read in j1939_session_get_by_addr
run #7: crashed: KASAN: use-after-free Write in j1939_sock_pending_del
run #8: crashed: KASAN: use-after-free Read in j1939_session_deactivate
run #9: crashed: KASAN: use-after-free Read in j1939_session_deactivate
# git bisect bad 4647e021193d638d3c87d1f1b9a5f7f7a48f36a3
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[44c40910b66f786d33ffd2682ef38750eebb567c] Merge tag 'linux-can-next-for-5.4-20190904' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can-next
testing commit 44c40910b66f786d33ffd2682ef38750eebb567c with gcc (GCC) 8.1.0
kernel signature: 15ecf74a339166d427eb09f3fa6180ec4f9ad097
run #0: crashed: KASAN: use-after-free Read in j1939_session_deactivate
run #1: crashed: KASAN: use-after-free Read in j1939_session_deactivate
run #2: crashed: KASAN: use-after-free Read in j1939_session_deactivate
run #3: crashed: KASAN: use-after-free Read in j1939_session_deactivate
run #4: crashed: KASAN: use-after-free Read in j1939_session_deactivate
run #5: crashed: KASAN: use-after-free Write in j1939_sock_pending_del
run #6: crashed: KASAN: use-after-free Read in j1939_session_deactivate
run #7: crashed: KASAN: use-after-free Read in j1939_session_deactivate
run #8: crashed: KASAN: use-after-free Read in j1939_session_deactivate
run #9: crashed: KASAN: use-after-free Read in j1939_session_get_by_addr
# git bisect bad 44c40910b66f786d33ffd2682ef38750eebb567c
Bisecting: 1 revision left to test after this (roughly 1 step)
[f5223e9eee651e005c0f6d6d078909087601b7e9] can: extend sockaddr_can to include j1939 members
testing commit f5223e9eee651e005c0f6d6d078909087601b7e9 with gcc (GCC) 8.1.0
kernel signature: fcf879d0bdcf9eb8ecafaeced5f4b7f3067fccca
all runs: OK
# git bisect good f5223e9eee651e005c0f6d6d078909087601b7e9
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[9d71dd0c70099914fcd063135da3c580865e924c] can: add support of SAE J1939 protocol
testing commit 9d71dd0c70099914fcd063135da3c580865e924c with gcc (GCC) 8.1.0
kernel signature: 147f543485b7b303a3ee4bfae4efc32bd5fc3253
run #0: crashed: KASAN: use-after-free Read in j1939_session_deactivate
run #1: crashed: KASAN: use-after-free Read in j1939_session_deactivate
run #2: crashed: KASAN: use-after-free Write in j1939_sock_pending_del
run #3: crashed: KASAN: use-after-free Read in j1939_session_deactivate
run #4: crashed: KASAN: use-after-free Write in j1939_sock_pending_del
run #5: crashed: KASAN: use-after-free Read in j1939_session_deactivate
run #6: crashed: KASAN: use-after-free Read in j1939_session_deactivate
run #7: crashed: KASAN: use-after-free Read in j1939_session_deactivate
run #8: crashed: KASAN: use-after-free Read in j1939_session_deactivate
run #9: crashed: KASAN: use-after-free Read in j1939_session_deactivate
# git bisect bad 9d71dd0c70099914fcd063135da3c580865e924c
9d71dd0c70099914fcd063135da3c580865e924c is the first bad commit
commit 9d71dd0c70099914fcd063135da3c580865e924c
Author: The j1939 authors
Date:   Mon Oct 8 11:48:36 2018 +0200

    can: add support of SAE J1939 protocol

    SAE J1939 is the vehicle bus recommended practice used for communication
    and diagnostics among vehicle components. Originating in the car and
    heavy-duty truck industry in the United States, it is now widely used in
    other parts of the world.

    J1939, ISO 11783 and NMEA 2000 all share the same high level protocol.
    SAE J1939 can be considered the replacement for the older SAE J1708 and
    SAE J1587 specifications.

    Acked-by: Oliver Hartkopp
    Signed-off-by: Bastian Stender
    Signed-off-by: Elenita Hinds
    Signed-off-by: kbuild test robot
    Signed-off-by: Kurt Van Dijck
    Signed-off-by: Maxime Jayat
    Signed-off-by: Robin van der Gracht
    Signed-off-by: Oleksij Rempel
    Signed-off-by: Marc Kleine-Budde

 Documentation/networking/index.rst |    1 +
 Documentation/networking/j1939.rst |  422 ++++++++
 MAINTAINERS                        |   10 +
 include/linux/can/can-ml.h         |    3 +
 include/uapi/linux/can/j1939.h     |   99 ++
 net/can/Kconfig                    |    2 +
 net/can/Makefile                   |    2 +
 net/can/j1939/Kconfig              |   15 +
 net/can/j1939/Makefile             |   10 +
 net/can/j1939/address-claim.c      |  230 ++++
 net/can/j1939/bus.c                |  333 ++++++
 net/can/j1939/j1939-priv.h         |  338 ++++++
 net/can/j1939/main.c               |  403 +++++++
 net/can/j1939/socket.c             | 1160 +++++++++++++++++++++
 net/can/j1939/transport.c          | 2027 ++++++++++++++++++++++++++++++++++++
 15 files changed, 5055 insertions(+)
 create mode 100644 Documentation/networking/j1939.rst
 create mode 100644 include/uapi/linux/can/j1939.h
 create mode 100644 net/can/j1939/Kconfig
 create mode 100644 net/can/j1939/Makefile
 create mode 100644 net/can/j1939/address-claim.c
 create mode 100644 net/can/j1939/bus.c
 create mode 100644 net/can/j1939/j1939-priv.h
 create mode 100644 net/can/j1939/main.c
 create mode 100644 net/can/j1939/socket.c
 create mode 100644 net/can/j1939/transport.c

culprit signature: 147f543485b7b303a3ee4bfae4efc32bd5fc3253
parent signature: fcf879d0bdcf9eb8ecafaeced5f4b7f3067fccca
revisions tested: 17, total time: 4h3m36.05516953s (build: 1h41m37.543401486s, test: 2h20m24.2326839s)
first bad commit: 9d71dd0c70099914fcd063135da3c580865e924c can: add support of SAE J1939 protocol
cc: ["bst@pengutronix.de" "dev.kurt@vandijck-laurijssen.be" "ecathinds@gmail.com" "linux-can@vger.kernel.org" "lkp@intel.com" "maxime.jayat@mobile-devices.fr" "mkl@pengutronix.de" "o.rempel@pengutronix.de" "robin@protonic.nl" "socketcan@hartkopp.net"]
crash: KASAN: use-after-free Read in j1939_session_deactivate
vcan0: j1939_xtp_rx_dat: no rx connection found
vcan0: j1939_tp_rxtimer: 0x00000000d6746535: abort rx timeout. Force session deactivation
==================================================================
BUG: KASAN: use-after-free in j1939_session_deactivate+0x78/0x80 net/can/j1939/transport.c:1033
Read of size 8 at addr ffff8880990f9d40 by task ksoftirqd/0/9

CPU: 0 PID: 9 Comm: ksoftirqd/0 Not tainted 5.3.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x113/0x167 lib/dump_stack.c:113
 print_address_description.cold.8+0x9/0x318 mm/kasan/report.c:351
 __kasan_report.cold.9+0x1b/0x3f mm/kasan/report.c:482
 kasan_report+0x12/0x17 mm/kasan/common.c:618
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
 j1939_session_deactivate+0x78/0x80 net/can/j1939/transport.c:1033
 j1939_session_deactivate_activate_next+0xd/0x20 net/can/j1939/transport.c:1041
 j1939_tp_rxtimer+0xc1/0x241 net/can/j1939/transport.c:1150
 __run_hrtimer kernel/time/hrtimer.c:1389 [inline]
 __hrtimer_run_queues+0x32f/0xb50 kernel/time/hrtimer.c:1451
 hrtimer_run_softirq+0x16c/0x250 kernel/time/hrtimer.c:1465
 __do_softirq+0x262/0x9a8 kernel/softirq.c:292
 run_ksoftirqd+0x94/0x100 kernel/softirq.c:603
 smpboot_thread_fn+0x55f/0x8b0 kernel/smpboot.c:165
 kthread+0x331/0x3f0 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Allocated by task 8277:
 save_stack+0x21/0x90 mm/kasan/common.c:69
 set_track mm/kasan/common.c:77 [inline]
 __kasan_kmalloc.constprop.13+0xc7/0xd0 mm/kasan/common.c:493
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:507
 kmem_cache_alloc_trace+0x15b/0x780 mm/slab.c:3550
 kmalloc include/linux/slab.h:552 [inline]
 kzalloc include/linux/slab.h:748 [inline]
 j1939_session_new+0x6a/0x3b0 net/can/j1939/transport.c:1384
 j1939_tp_send+0x1a8/0x5d0 net/can/j1939/transport.c:1846
 j1939_sk_send_loop net/can/j1939/socket.c:995 [inline]
 j1939_sk_sendmsg+0x9f0/0x1260 net/can/j1939/socket.c:1100
 sock_sendmsg_nosec net/socket.c:637 [inline]
 sock_sendmsg+0xb5/0xf0 net/socket.c:657
 kernel_sendmsg+0x26/0x30 net/socket.c:677
 sock_no_sendpage+0xfd/0x140 net/core/sock.c:2730
 kernel_sendpage+0x60/0xd0 net/socket.c:3682
 sock_sendpage+0x6d/0xd0 net/socket.c:935
 pipe_to_sendpage+0x212/0x430 fs/splice.c:449
 splice_from_pipe_feed fs/splice.c:500 [inline]
 __splice_from_pipe+0x2d2/0x720 fs/splice.c:624
 splice_from_pipe+0xbb/0x120 fs/splice.c:659
 generic_splice_sendpage+0x10/0x20 fs/splice.c:829
 do_splice_from fs/splice.c:848 [inline]
 direct_splice_actor+0x104/0x1c0 fs/splice.c:1020
 splice_direct_to_actor+0x303/0x870 fs/splice.c:975
 do_splice_direct+0x14c/0x270 fs/splice.c:1063
 do_sendfile+0x481/0xd10 fs/read_write.c:1464
 __do_sys_sendfile64 fs/read_write.c:1525 [inline]
 __se_sys_sendfile64 fs/read_write.c:1511 [inline]
 __x64_sys_sendfile64+0x198/0x1e0 fs/read_write.c:1511
 do_syscall_64+0xd0/0x540 arch/x86/entry/common.c:296
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 9:
 save_stack+0x21/0x90 mm/kasan/common.c:69
 set_track mm/kasan/common.c:77 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:455
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:463
 __cache_free mm/slab.c:3425 [inline]
 kfree+0x108/0x2c0 mm/slab.c:3756
 j1939_session_destroy net/can/j1939/transport.c:272 [inline]
 __j1939_session_release+0xb1/0x110 net/can/j1939/transport.c:280
 kref_put include/linux/kref.h:65 [inline]
 j1939_session_put net/can/j1939/transport.c:285 [inline]
 j1939_session_deactivate_locked+0x20b/0x2b0 net/can/j1939/transport.c:1021
 j1939_session_deactivate+0x38/0x80 net/can/j1939/transport.c:1032
 j1939_session_deactivate_activate_next+0xd/0x20 net/can/j1939/transport.c:1041
 j1939_tp_rxtimer+0xc1/0x241 net/can/j1939/transport.c:1150
 __run_hrtimer kernel/time/hrtimer.c:1389 [inline]
 __hrtimer_run_queues+0x32f/0xb50 kernel/time/hrtimer.c:1451
 hrtimer_run_softirq+0x16c/0x250 kernel/time/hrtimer.c:1465
 __do_softirq+0x262/0x9a8 kernel/softirq.c:292

The buggy address belongs to the object at ffff8880990f9d40
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 0 bytes inside of
 512-byte region [ffff8880990f9d40, ffff8880990f9f40)
The buggy address belongs to the page:
page:ffffea0002643e40 refcount:1 mapcount:0 mapping:ffff8880aa400a80 index:0x0
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea0002588148 ffffea00022e6188 ffff8880aa400a80
raw: 0000000000000000 ffff8880990f90c0 0000000100000006 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880990f9c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880990f9c80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff8880990f9d00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                           ^
 ffff8880990f9d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880990f9e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================