bisecting cause commit starting from 20f1b5f9c07ca3a49e869327d4705b4254258756
building syzkaller on 607e3baf1c25928040d05fc22eff6fce7edd709e
testing commit 20f1b5f9c07ca3a49e869327d4705b4254258756 with gcc (GCC) 10.2.1 20210217
kernel signature: 632a27bbf0535a22d19996fa687a0fd751438e3801aea8169be4de6c71cd8181
all runs: crashed: UBSAN: shift-out-of-bounds in choke_change
testing release v5.11
testing commit f40ddce88593482919761f74910f42f4b84c004b with gcc (GCC) 10.2.1 20210217
kernel signature: 5c643a348412391009cab5f5d8db832b5e7f79b46f5f09332842aa5764453385
all runs: crashed: UBSAN: shift-out-of-bounds in choke_change
testing release v5.10
testing commit 2c85ebc57b3e1817b6ce1a6b703928e113a90442 with gcc (GCC) 10.2.1 20210217
kernel signature: d66bdc02a9d848e263aec7fd7e2ba3a19ab82535f342666de81bca04069e2fa5
all runs: crashed: UBSAN: shift-out-of-bounds in choke_change
testing release v5.9
testing commit bbf5c979011a099af5dc76498918ed7df445635b with gcc (GCC) 10.2.1 20210217
kernel signature: e0b93c2d684f4d7402b69a7f8914dfda28c0e501735cd11fb2a07df9304a8389
all runs: crashed: UBSAN: shift-out-of-bounds in choke_change
testing release v5.8
testing commit bcf876870b95592b52519ed4aafcf9d95999bc9c with gcc (GCC) 8.4.1 20210217
kernel signature: 0d296e56790b9ab0ad8dcc0e88234d3bd5a37d7be90f7666a2e065e8d9040927
all runs: crashed: UBSAN: shift-out-of-bounds in choke_change
testing release v5.7
testing commit 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162 with gcc (GCC) 8.4.1 20210217
kernel signature: 30bb8568dd39869a7d1597402c993d3f551d458038bb013eb5050757dec24aad
all runs: crashed: UBSAN: shift-out-of-bounds in choke_change
testing release v5.6
testing commit 7111951b8d4973bda27ff663f2cf18b663d15b48 with gcc (GCC) 8.4.1 20210217
kernel signature: 7d8971fd9d35d0039efe21f67504b0d17fb8d9a231225ba019bb01fe15ae81c7
all runs: crashed: UBSAN: undefined-behaviour in choke_change
testing release v5.5
testing commit d5226fa6dbae0569ee43ecfc08bdcd6770fc4755 with gcc (GCC) 8.4.1 20210217
kernel signature: 2daa13cb8cb93affd4c2d50a9ca5a8516a4a40cbf05d4a16ab09f4ea1a509d18
all runs: crashed: UBSAN: undefined-behaviour in choke_change
testing release v5.4
testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.4.1 20210217
kernel signature: 27c18dfcd6e65c2b2bd4e7f57c0756d4deec46f60206e105a851389a68fd2aa4
all runs: crashed: UBSAN: undefined-behaviour in choke_change
testing release v5.3
testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.4.1 20210217
kernel signature: f8fbf3cf1f9d0817ac631676c8d63b88546a384b0b2d4852c3e8bc09c9ff1a18
all runs: crashed: UBSAN: undefined-behaviour in choke_change
testing release v5.2
testing commit 0ecfebd2b52404ae0c54a878c872bb93363ada36 with gcc (GCC) 8.4.1 20210217
kernel signature: 1eab048fd1e30f1639206541c4fa0790adb56823e1916984f8d09cfca36586f7
all runs: OK
# git bisect start 4d856f72c10ecb060868ed10ff1b1453943fc6c8 0ecfebd2b52404ae0c54a878c872bb93363ada36
Bisecting: 7848 revisions left to test after this (roughly 13 steps)
[43c95d3694cc448fdf50bd53b7ff3a5bb4655883] Merge tag 'pinctrl-v5.3-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl

testing commit 43c95d3694cc448fdf50bd53b7ff3a5bb4655883 with gcc (GCC) 8.4.1 20210217
kernel signature: da6b65a07642f423bb6e1c0a29c5ce55094cef033861a62bef5c6d07cf2e9596
all runs: OK
# git bisect good 43c95d3694cc448fdf50bd53b7ff3a5bb4655883
Bisecting: 3922 revisions left to test after this (roughly 12 steps)
[0e2a5b5bd9a6aaec85df347dd71432a1d2d10763] Merge branch 'parisc-5.3-2' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux

testing commit 0e2a5b5bd9a6aaec85df347dd71432a1d2d10763 with gcc (GCC) 8.4.1 20210217
kernel signature: f0da466b6e6951160afae142221005f14c667fb19a4b824970f2969e59b15452
all runs: OK
# git bisect good 0e2a5b5bd9a6aaec85df347dd71432a1d2d10763
Bisecting: 1961 revisions left to test after this (roughly 11 steps)
[12a6d2940b5f02b4b9f71ce098e3bb02bc24a9ea] perf record: Fix module size on s390

testing commit 12a6d2940b5f02b4b9f71ce098e3bb02bc24a9ea with gcc (GCC) 8.4.1 20210217
kernel signature: 6e18c436fb46d55da88b8a112779e808111f036d9316968d0247f2223dc7aff8
all runs: OK
# git bisect good 12a6d2940b5f02b4b9f71ce098e3bb02bc24a9ea
Bisecting: 984 revisions left to test after this (roughly 10 steps)
[85d8d3b172eb37b23dcdbe9fa7a85e343642bfea] Merge tag 'hyperv-fixes-signed' of git://git.kernel.org/pub/scm/linux/kernel/git/hyperv/linux

testing commit 85d8d3b172eb37b23dcdbe9fa7a85e343642bfea with gcc (GCC) 8.4.1 20210217
kernel signature: 3f16c119cab1a02383912c9d766d00149167beced1e634e539866c407719dbc6
all runs: OK
# git bisect good 85d8d3b172eb37b23dcdbe9fa7a85e343642bfea
Bisecting: 496 revisions left to test after this (roughly 9 steps)
[6525771f58cbc6ab97b5cff9069865cde8283346] Merge tag 'arc-5.3-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/vgupta/arc

testing commit 6525771f58cbc6ab97b5cff9069865cde8283346 with gcc (GCC) 8.4.1 20210217
kernel signature: b2938a7c3975047a2dc9d4340b23424d6b2ef054651aa492cb9ff6c8e572f3be
all runs: OK
# git bisect good 6525771f58cbc6ab97b5cff9069865cde8283346
Bisecting: 251 revisions left to test after this (roughly 8 steps)
[345464fb760d1b772e891538b498e111c588b692] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net

testing commit 345464fb760d1b772e891538b498e111c588b692 with gcc (GCC) 8.4.1 20210217
kernel signature: 6920a3155caf76ef00c41084383da2169ddcc98ddf8d41a6c7c4aa0a856dcdda
all runs: OK
# git bisect good 345464fb760d1b772e891538b498e111c588b692
Bisecting: 126 revisions left to test after this (roughly 7 steps)
[840ce8f8073edb3ff3d2c2c7a6ef211f4176961c] Merge tag 'pinctrl-v5.3-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl

testing commit 840ce8f8073edb3ff3d2c2c7a6ef211f4176961c with gcc (GCC) 8.4.1 20210217
kernel signature: 4f370fd0da39f01ec2fd065cff42146c59196046d06b740117287d1370cd4eae
all runs: OK
# git bisect good 840ce8f8073edb3ff3d2c2c7a6ef211f4176961c
Bisecting: 63 revisions left to test after this (roughly 6 steps)
[c3dc1fa72249e4472b90ecef4dbafe25f0f07889] net: hns3: fix spelling mistake "undeflow" -> "underflow"

testing commit c3dc1fa72249e4472b90ecef4dbafe25f0f07889 with gcc (GCC) 8.4.1 20210217
kernel signature: 8aafd630b876d7b2f5e9ac3c3852fbdbcd0b304a49ee172ebbcfe90e0c548683
all runs: OK
# git bisect good c3dc1fa72249e4472b90ecef4dbafe25f0f07889
Bisecting: 30 revisions left to test after this (roughly 5 steps)
[1c4c5e2528af0c803fb1171632074f4070229a75] Merge tag 'mmc-v5.3-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc

testing commit 1c4c5e2528af0c803fb1171632074f4070229a75 with gcc (GCC) 8.4.1 20210217
kernel signature: a3e053fd6b6a29abbf4164f7f022fa7ca7b0342498f79d5c47a905097323d00b
run #0: OK
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: crashed: general protection fault in batadv_iv_ogm_queue_add
reproducer seems to be flaky
# git bisect bad 1c4c5e2528af0c803fb1171632074f4070229a75
Bisecting: 15 revisions left to test after this (roughly 4 steps)
[1b304a1ae45de4df7d773f0a39d1100aabca615b] Merge tag 'for-5.3-rc8-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux

testing commit 1b304a1ae45de4df7d773f0a39d1100aabca615b with gcc (GCC) 8.4.1 20210217
kernel signature: 99a167c08caf596f41f08f56e8049cb7dfb69ca91ecf0e00696596ef2a73ccb0
all runs: OK
# git bisect good 1b304a1ae45de4df7d773f0a39d1100aabca615b
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[e6bb711600db23eef2fa0c16a2d361e17b45bb28] Merge tag 'drm-misc-fixes-2019-09-12' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes

testing commit e6bb711600db23eef2fa0c16a2d361e17b45bb28 with gcc (GCC) 8.4.1 20210217
kernel signature: 9807f507d241f49169c3b0dc91a558a09bd7ee1dae6c50df9fc8c9baec1bb2dd
all runs: OK
# git bisect good e6bb711600db23eef2fa0c16a2d361e17b45bb28
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[87b5d602a1cc76169b8d81ec2c74c8d95d9350dc] mmc: tmio: Fixup runtime PM management during remove

testing commit 87b5d602a1cc76169b8d81ec2c74c8d95d9350dc with gcc (GCC) 8.4.1 20210217
kernel signature: 9807f507d241f49169c3b0dc91a558a09bd7ee1dae6c50df9fc8c9baec1bb2dd
all runs: OK
# git bisect good 87b5d602a1cc76169b8d81ec2c74c8d95d9350dc
Bisecting: 2 revisions left to test after this (roughly 1 step)
[97a61369830ab085df5aed0ff9256f35b07d425a] cgroup: freezer: fix frozen state inheritance

testing commit 97a61369830ab085df5aed0ff9256f35b07d425a with gcc (GCC) 8.4.1 20210217
kernel signature: 6e98d6e4274238d2725c9f99d38e4acda20be9275939d56e85b259a3d010a853
run #0: OK
run #1: OK
run #2: OK
run #3: OK
run #4: crashed: KASAN: use-after-free Read in batadv_iv_ogm_queue_add
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
run #10: OK
run #11: OK
run #12: OK
run #13: OK
run #14: OK
run #15: OK
run #16: OK
run #17: OK
run #18: OK
run #19: OK
# git bisect bad 97a61369830ab085df5aed0ff9256f35b07d425a
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[44e9d308a51fbf6d2e5a913f7452a5d5f1902249] kselftests: cgroup: add freezer mkdir test

testing commit 44e9d308a51fbf6d2e5a913f7452a5d5f1902249 with gcc (GCC) 8.4.1 20210217
kernel signature: 79378d82f34aad43045f071a0014b833051a2f4eccad4395bc9d86f4d6e6901a
all runs: OK
# git bisect good 44e9d308a51fbf6d2e5a913f7452a5d5f1902249
97a61369830ab085df5aed0ff9256f35b07d425a is the first bad commit
commit 97a61369830ab085df5aed0ff9256f35b07d425a
Author: Roman Gushchin <guro@fb.com>
Date:   Thu Sep 12 10:56:45 2019 -0700

    cgroup: freezer: fix frozen state inheritance
    
    If a new child cgroup is created in the frozen cgroup hierarchy
    (one or more of ancestor cgroups is frozen), the CGRP_FREEZE cgroup
    flag should be set. Otherwise if a process will be attached to the
    child cgroup, it won't become frozen.
    
    The problem can be reproduced with the test_cgfreezer_mkdir test.
    
    This is the output before this patch:
      ~/test_freezer
      ok 1 test_cgfreezer_simple
      ok 2 test_cgfreezer_tree
      ok 3 test_cgfreezer_forkbomb
      Cgroup /sys/fs/cgroup/cg_test_mkdir_A/cg_test_mkdir_B isn't frozen
      not ok 4 test_cgfreezer_mkdir
      ok 5 test_cgfreezer_rmdir
      ok 6 test_cgfreezer_migrate
      ok 7 test_cgfreezer_ptrace
      ok 8 test_cgfreezer_stopped
      ok 9 test_cgfreezer_ptraced
      ok 10 test_cgfreezer_vfork
    
    And with this patch:
      ~/test_freezer
      ok 1 test_cgfreezer_simple
      ok 2 test_cgfreezer_tree
      ok 3 test_cgfreezer_forkbomb
      ok 4 test_cgfreezer_mkdir
      ok 5 test_cgfreezer_rmdir
      ok 6 test_cgfreezer_migrate
      ok 7 test_cgfreezer_ptrace
      ok 8 test_cgfreezer_stopped
      ok 9 test_cgfreezer_ptraced
      ok 10 test_cgfreezer_vfork
    
    Reported-by: Mark Crossen <mcrossen@fb.com>
    Signed-off-by: Roman Gushchin <guro@fb.com>
    Fixes: 76f969e8948d ("cgroup: cgroup v2 freezer")
    Cc: Tejun Heo <tj@kernel.org>
    Cc: stable@vger.kernel.org # v5.2+
    Signed-off-by: Tejun Heo <tj@kernel.org>

 kernel/cgroup/cgroup.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

culprit signature: 6e98d6e4274238d2725c9f99d38e4acda20be9275939d56e85b259a3d010a853
parent  signature: 79378d82f34aad43045f071a0014b833051a2f4eccad4395bc9d86f4d6e6901a
Reproducer flagged being flaky
revisions tested: 25, total time: 5h37m4.612590511s (build: 2h47m17.226653143s, test: 2h46m27.565960611s)
first bad commit: 97a61369830ab085df5aed0ff9256f35b07d425a cgroup: freezer: fix frozen state inheritance
recipients (to): ["guro@fb.com" "linux-kernel@vger.kernel.org" "tj@kernel.org"]
recipients (cc): ["cgroups@vger.kernel.org" "hannes@cmpxchg.org" "lizefan@huawei.com" "tj@kernel.org"]
crash: KASAN: use-after-free Read in batadv_iv_ogm_queue_add
==================================================================
BUG: KASAN: use-after-free in memcpy include/linux/string.h:359 [inline]
BUG: KASAN: use-after-free in batadv_iv_ogm_aggregate_new net/batman-adv/bat_iv_ogm.c:544 [inline]
BUG: KASAN: use-after-free in batadv_iv_ogm_queue_add+0x327/0xec0 net/batman-adv/bat_iv_ogm.c:640
Read of size 60 at addr ffff8880a86e7720 by task kworker/u4:6/10428

CPU: 0 PID: 10428 Comm: kworker/u4:6 Not tainted 5.3.0-rc8-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: bat_events batadv_iv_send_outstanding_bat_ogm_packet
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x86/0xca lib/dump_stack.c:113
 print_address_description.cold.4+0x9/0x35a mm/kasan/report.c:351
 __kasan_report.cold.5+0x1b/0x3e mm/kasan/report.c:482
 kasan_report+0x12/0x17 mm/kasan/common.c:618
 check_memory_region_inline mm/kasan/generic.c:185 [inline]
 check_memory_region+0x151/0x1d0 mm/kasan/generic.c:192
 memcpy+0x23/0x50 mm/kasan/common.c:122
 memcpy include/linux/string.h:359 [inline]
 batadv_iv_ogm_aggregate_new net/batman-adv/bat_iv_ogm.c:544 [inline]
 batadv_iv_ogm_queue_add+0x327/0xec0 net/batman-adv/bat_iv_ogm.c:640
 batadv_iv_ogm_schedule+0xb47/0xe80 net/batman-adv/bat_iv_ogm.c:813
 batadv_iv_send_outstanding_bat_ogm_packet+0x570/0x7d0 net/batman-adv/bat_iv_ogm.c:1675
 process_one_work+0x7d2/0x1560 kernel/workqueue.c:2269
 worker_thread+0x85/0xb60 kernel/workqueue.c:2415
 kthread+0x331/0x3f0 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Allocated by task 10428:
 save_stack mm/kasan/common.c:69 [inline]
 set_track mm/kasan/common.c:77 [inline]
 __kasan_kmalloc.part.0+0x44/0xc0 mm/kasan/common.c:493
 __kasan_kmalloc.constprop.1+0xb1/0xc0 mm/kasan/common.c:474
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:507
 __kmalloc+0x153/0x390 mm/slub.c:3811
 kmalloc include/linux/slab.h:557 [inline]
 batadv_tvlv_realloc_packet_buff net/batman-adv/tvlv.c:277 [inline]
 batadv_tvlv_container_ogm_append+0x16f/0x4c0 net/batman-adv/tvlv.c:318
 batadv_iv_ogm_schedule+0xc39/0xe80 net/batman-adv/bat_iv_ogm.c:776
 batadv_iv_send_outstanding_bat_ogm_packet+0x570/0x7d0 net/batman-adv/bat_iv_ogm.c:1675
 process_one_work+0x7d2/0x1560 kernel/workqueue.c:2269
 worker_thread+0x85/0xb60 kernel/workqueue.c:2415
 kthread+0x331/0x3f0 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Freed by task 589:
 save_stack mm/kasan/common.c:69 [inline]
 set_track mm/kasan/common.c:77 [inline]
 __kasan_slab_free+0x145/0x210 mm/kasan/common.c:455
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:463
 slab_free_hook mm/slub.c:1423 [inline]
 slab_free_freelist_hook mm/slub.c:1474 [inline]
 slab_free mm/slub.c:3016 [inline]
 kfree+0xf7/0x380 mm/slub.c:3957
 batadv_iv_ogm_iface_disable+0x34/0x70 net/batman-adv/bat_iv_ogm.c:220
 batadv_hardif_disable_interface.cold.8+0x5fb/0xeff net/batman-adv/hard-interface.c:875
 batadv_softif_destroy_netlink+0x94/0x100 net/batman-adv/soft-interface.c:1146
 default_device_exit_batch+0x239/0x3d0 net/core/dev.c:9775
 ops_exit_list.isra.1+0xd3/0x120 net/core/net_namespace.c:175
 cleanup_net+0x430/0x940 net/core/net_namespace.c:594
 process_one_work+0x7d2/0x1560 kernel/workqueue.c:2269
 worker_thread+0x85/0xb60 kernel/workqueue.c:2415
 kthread+0x331/0x3f0 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

The buggy address belongs to the object at ffff8880a86e7720
 which belongs to the cache kmalloc-64 of size 64
The buggy address is located 0 bytes inside of
 64-byte region [ffff8880a86e7720, ffff8880a86e7760)
The buggy address belongs to the page:
page:ffffea0002a1b9c0 refcount:1 mapcount:0 mapping:ffff8880b5c03180 index:0x0
flags: 0xfff00000000200(slab)
raw: 00fff00000000200 ffffea0002303040 0000000700000007 ffff8880b5c03180
raw: 0000000000000000 00000000802a002a 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880a86e7600: fb fb fb fb fb fb fb fb fc fc fc fc fb fb fb fb
 ffff8880a86e7680: fb fb fb fb fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8880a86e7700: fc fc fc fc fb fb fb fb fb fb fb fb fc fc fc fc
                               ^
 ffff8880a86e7780: fb fb fb fb fb fb fb fb fc fc fc fc 00 00 00 00
 ffff8880a86e7800: 00 00 00 00 fc fc fc fc 00 00 00 00 00 00 00 00
==================================================================