bisecting cause commit starting from 3c2f450e553ce47fcb0d6141807a8858e3213c9c
building syzkaller on be5c2c81971442d623dd1b265dabf4644ceeb35b
testing commit 3c2f450e553ce47fcb0d6141807a8858e3213c9c with gcc (GCC) 8.1.0
kernel signature: 6b2bd120d4a396ed5291e2e30494235b8b6e3dd1
all runs: crashed: KASAN: slab-out-of-bounds Read in hsr_debugfs_rename
testing release v5.4
testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0
kernel signature: d3ed286e0a3137ccab9fc30a1ed8f2fe5c6c8d12
all runs: OK
# git bisect start 3c2f450e553ce47fcb0d6141807a8858e3213c9c 219d54332a09e8d8741c1e1982f5eae56099de85
Bisecting: 7565 revisions left to test after this (roughly 13 steps)
[8c39f71ee2019e77ee14f88b1321b2348db51820] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
testing commit 8c39f71ee2019e77ee14f88b1321b2348db51820 with gcc (GCC) 8.1.0
kernel signature: a1ca88011c81434778bfb6974a435169c2c614a3
all runs: OK
# git bisect good 8c39f71ee2019e77ee14f88b1321b2348db51820
Bisecting: 3784 revisions left to test after this (roughly 12 steps)
[937d6eefc716a9071f0e3bada19200de1bb9d048] Merge tag 'docs-5.5a' of git://git.lwn.net/linux
testing commit 937d6eefc716a9071f0e3bada19200de1bb9d048 with gcc (GCC) 8.1.0
kernel signature: eebf6a164ba62f9c9d8d10ae46c82f7fb5950da4
all runs: OK
# git bisect good 937d6eefc716a9071f0e3bada19200de1bb9d048
Bisecting: 1593 revisions left to test after this (roughly 11 steps)
[eb275167d18684e07ee43bdc0e09a18326540461] Merge tag 'armsoc-dt' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc
testing commit eb275167d18684e07ee43bdc0e09a18326540461 with gcc (GCC) 8.1.0
kernel signature: d4cda8493b5e8a06a58265c1b70c237178bc1e67
all runs: OK
# git bisect good eb275167d18684e07ee43bdc0e09a18326540461
Bisecting: 796 revisions left to test after this (roughly 10 steps)
[b0689faa8efc5a3391402d7ae93bd373b7248e51] hv_netvsc: Fix unwanted rx_table reset
testing commit b0689faa8efc5a3391402d7ae93bd373b7248e51 with gcc (GCC) 8.1.0
kernel signature: d6404e2a9f9f80baaf870408542d2566b87a7f49
all runs: OK
# git bisect good b0689faa8efc5a3391402d7ae93bd373b7248e51
Bisecting: 377 revisions left to test after this (roughly 9 steps)
[89c683cd06e03dfd3186c4cab1e2a39982c42a48] Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
testing commit 89c683cd06e03dfd3186c4cab1e2a39982c42a48 with gcc (GCC) 8.1.0
kernel signature: 7ba7b11b5556a50895df8b54dfd2684ac8da477b
all runs: OK
# git bisect good 89c683cd06e03dfd3186c4cab1e2a39982c42a48
Bisecting: 195 revisions left to test after this (roughly 8 steps)
[f8f04d085974ae37782c317abd75f770a25e7713] Merge tag 'io_uring-5.5-20191220' of git://git.kernel.dk/linux-block
testing commit f8f04d085974ae37782c317abd75f770a25e7713 with gcc (GCC) 8.1.0
kernel signature: 5dfef14deda65bb8964eed435942b390d93b2237
all runs: OK
# git bisect good f8f04d085974ae37782c317abd75f770a25e7713
Bisecting: 95 revisions left to test after this (roughly 7 steps)
[78bac77b521b032f96077c21241cc5d5668482c5] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
testing commit 78bac77b521b032f96077c21241cc5d5668482c5 with gcc (GCC) 8.1.0
kernel signature: 41d232033a1f5d14a6d17ea986e0769c61d102e8
all runs: OK
# git bisect good 78bac77b521b032f96077c21241cc5d5668482c5
Bisecting: 52 revisions left to test after this (roughly 6 steps)
[a396560706d457058b9f54f184b6f5973c82032c] Merge tag 'ext4_for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4
testing commit a396560706d457058b9f54f184b6f5973c82032c with gcc (GCC) 8.1.0
kernel signature: 33723edd61042ad885b8ef141a4131c5f90da2a5
all runs: OK
# git bisect good a396560706d457058b9f54f184b6f5973c82032c
Bisecting: 26 revisions left to test after this (roughly 5 steps)
[47d0b2fe23d840ecbfc187d9ef0ee9e1a229a332] Merge branch 'disable-neigh-update-for-tunnels-during-pmtu-update'
testing commit 47d0b2fe23d840ecbfc187d9ef0ee9e1a229a332 with gcc (GCC) 8.1.0
kernel signature: c32881641eae3482c1a3d1bf65bd6d6d74386e6c
all runs: OK
# git bisect good 47d0b2fe23d840ecbfc187d9ef0ee9e1a229a332
Bisecting: 13 revisions left to test after this (roughly 4 steps)
[92a35678ec075100ce666a2fb6969151affb0e5d] hsr: fix a race condition in node list insertion and deletion
testing commit 92a35678ec075100ce666a2fb6969151affb0e5d with gcc (GCC) 8.1.0
kernel signature: 216ef2f86cd670a62434f61f41c23dd2d9e1ea2f
all runs: crashed: KASAN: slab-out-of-bounds Read in hsr_debugfs_rename
# git bisect bad 92a35678ec075100ce666a2fb6969151affb0e5d
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[0b698c838e84149b690c7e979f78cccb6f8aa4b9] s390/qeth: fix initialization on old HW
testing commit 0b698c838e84149b690c7e979f78cccb6f8aa4b9 with gcc (GCC) 8.1.0
kernel signature: 26899a3f3b11007736f693a4b00a004024d3f0b8
all runs: OK
# git bisect good 0b698c838e84149b690c7e979f78cccb6f8aa4b9
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[84bb59d773853bc2dda2ac1ef8474c40eb33a3c6] hsr: avoid debugfs warning message when module is remove
testing commit 84bb59d773853bc2dda2ac1ef8474c40eb33a3c6 with gcc (GCC) 8.1.0
kernel signature: 99b86281b7444d38358e793ae4c2a2eed20e7bf7
all runs: OK
# git bisect good 84bb59d773853bc2dda2ac1ef8474c40eb33a3c6
Bisecting: 1 revision left to test after this (roughly 1 step)
[c6c4ccd7f96993e106dfea7ef18127f972f2db5e] hsr: add hsr root debugfs directory
testing commit c6c4ccd7f96993e106dfea7ef18127f972f2db5e with gcc (GCC) 8.1.0
kernel signature: f206bc5359352c1130be1223ed97f1ba5405dac7
all runs: OK
# git bisect good c6c4ccd7f96993e106dfea7ef18127f972f2db5e
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[4c2d5e33dcd3a6333a7895be3b542ff3d373177c] hsr: rename debugfs file when interface name is changed
testing commit 4c2d5e33dcd3a6333a7895be3b542ff3d373177c with gcc (GCC) 8.1.0
kernel signature: 6770c2de21fcf8e1b4fbb0155fa43aaf76ad38f0
all runs: crashed: KASAN: slab-out-of-bounds Read in hsr_debugfs_rename
# git bisect bad 4c2d5e33dcd3a6333a7895be3b542ff3d373177c
4c2d5e33dcd3a6333a7895be3b542ff3d373177c is the first bad commit
commit 4c2d5e33dcd3a6333a7895be3b542ff3d373177c
Author: Taehee Yoo <ap420073@gmail.com>
Date:   Sun Dec 22 11:26:39 2019 +0000

    hsr: rename debugfs file when interface name is changed
    
    hsr interface has own debugfs file, which name is same with interface name.
    So, interface name is changed, debugfs file name should be changed too.
    
    Fixes: fc4ecaeebd26 ("net: hsr: add debugfs support for display node list")
    Signed-off-by: Taehee Yoo <ap420073@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/hsr/hsr_debugfs.c | 13 +++++++++++++
 net/hsr/hsr_main.c    |  3 +++
 net/hsr/hsr_main.h    |  4 ++++
 3 files changed, 20 insertions(+)
culprit signature: 6770c2de21fcf8e1b4fbb0155fa43aaf76ad38f0
parent  signature: f206bc5359352c1130be1223ed97f1ba5405dac7
revisions tested: 16, total time: 4h2m27.949768841s (build: 1h37m34.913588695s, test: 2h23m48.978327123s)
first bad commit: 4c2d5e33dcd3a6333a7895be3b542ff3d373177c hsr: rename debugfs file when interface name is changed
cc: ["ap420073@gmail.com" "arvid.brodin@alten.se" "davem@davemloft.net" "linux-kernel@vger.kernel.org" "netdev@vger.kernel.org"]
crash: KASAN: slab-out-of-bounds Read in hsr_debugfs_rename
@: renamed from hsr_slave_0
==================================================================
BUG: KASAN: slab-out-of-bounds in hsr_debugfs_rename+0x87/0xa0 net/hsr/hsr_debugfs.c:73
Read of size 8 at addr ffff8880a4bf4ca0 by task syz-executor.2/7879

CPU: 1 PID: 7879 Comm: syz-executor.2 Not tainted 5.5.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x12d/0x187 lib/dump_stack.c:118
 print_address_description.constprop.8.cold.10+0x9/0x31d mm/kasan/report.c:374
 __kasan_report.cold.11+0x1b/0x3a mm/kasan/report.c:506
 kasan_report+0x12/0x20 mm/kasan/common.c:639
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135
 hsr_debugfs_rename+0x87/0xa0 net/hsr/hsr_debugfs.c:73
 hsr_netdev_notify+0x57e/0x9d0 net/hsr/hsr_main.c:49
 notifier_call_chain+0x8a/0x160 kernel/notifier.c:83
 __raw_notifier_call_chain kernel/notifier.c:361 [inline]
 raw_notifier_call_chain+0x11/0x20 kernel/notifier.c:368
 call_netdevice_notifiers_info+0x87/0xd0 net/core/dev.c:1893
 call_netdevice_notifiers_extack net/core/dev.c:1905 [inline]
 call_netdevice_notifiers net/core/dev.c:1919 [inline]
 dev_change_name+0x42c/0x880 net/core/dev.c:1270
 do_setlink+0x782/0x2dc0 net/core/rtnetlink.c:2571
 __rtnl_newlink+0xa7a/0x1480 net/core/rtnetlink.c:3238
 rtnl_newlink+0x61/0x90 net/core/rtnetlink.c:3363
 rtnetlink_rcv_msg+0x34a/0x8d0 net/core/rtnetlink.c:5424
 netlink_rcv_skb+0x13c/0x380 net/netlink/af_netlink.c:2477
 rtnetlink_rcv+0x10/0x20 net/core/rtnetlink.c:5442
 netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
 netlink_unicast+0x45e/0x6a0 net/netlink/af_netlink.c:1328
 netlink_sendmsg+0x7b0/0xcb0 net/netlink/af_netlink.c:1917
 sock_sendmsg_nosec net/socket.c:639 [inline]
 sock_sendmsg+0xb5/0xf0 net/socket.c:659
 ____sys_sendmsg+0x603/0x950 net/socket.c:2330
 ___sys_sendmsg+0xe4/0x160 net/socket.c:2384
 __sys_sendmsg+0xd9/0x180 net/socket.c:2417
 __do_sys_sendmsg net/socket.c:2426 [inline]
 __se_sys_sendmsg net/socket.c:2424 [inline]
 __x64_sys_sendmsg+0x73/0xb0 net/socket.c:2424
 do_syscall_64+0xca/0x5f0 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45a919
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f8d2a212c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045a919
RDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000004
RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f8d2a2136d4
R13: 00000000004c99b6 R14: 00000000004e1888 R15: 00000000ffffffff

Allocated by task 7861:
 save_stack+0x21/0x90 mm/kasan/common.c:72
 set_track mm/kasan/common.c:80 [inline]
 __kasan_kmalloc.constprop.17+0xc7/0xd0 mm/kasan/common.c:513
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:527
 __do_kmalloc_node mm/slab.c:3616 [inline]
 __kmalloc_node+0x4d/0x70 mm/slab.c:3623
 kmalloc_node include/linux/slab.h:579 [inline]
 kvmalloc_node+0x6a/0x80 mm/util.c:574
 kvmalloc include/linux/mm.h:655 [inline]
 kvzalloc include/linux/mm.h:663 [inline]
 alloc_netdev_mqs+0x5d/0xca0 net/core/dev.c:9731
 rtnl_create_link+0x1e2/0xb90 net/core/rtnetlink.c:3042
 __rtnl_newlink+0xbee/0x1480 net/core/rtnetlink.c:3295
 rtnl_newlink+0x61/0x90 net/core/rtnetlink.c:3363
 rtnetlink_rcv_msg+0x34a/0x8d0 net/core/rtnetlink.c:5424
 netlink_rcv_skb+0x13c/0x380 net/netlink/af_netlink.c:2477
 rtnetlink_rcv+0x10/0x20 net/core/rtnetlink.c:5442
 netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
 netlink_unicast+0x45e/0x6a0 net/netlink/af_netlink.c:1328
 netlink_sendmsg+0x7b0/0xcb0 net/netlink/af_netlink.c:1917
 sock_sendmsg_nosec net/socket.c:639 [inline]
 sock_sendmsg+0xb5/0xf0 net/socket.c:659
 __sys_sendto+0x1f2/0x2e0 net/socket.c:1985
 __do_sys_sendto net/socket.c:1997 [inline]
 __se_sys_sendto net/socket.c:1993 [inline]
 __x64_sys_sendto+0xdc/0x1a0 net/socket.c:1993
 do_syscall_64+0xca/0x5f0 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff8880a4bf4000
 which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 3232 bytes inside of
 4096-byte region [ffff8880a4bf4000, ffff8880a4bf5000)
The buggy address belongs to the page:
page:ffffea000292fd00 refcount:1 mapcount:0 mapping:ffff8880aa402000 index:0x0 compound_mapcount: 0
raw: 00fffe0000010200 ffffea0002696608 ffffea0002a29188 ffff8880aa402000
raw: 0000000000000000 ffff8880a4bf4000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880a4bf4b80: 00 00 00 00 00 00 00 00 07 fc fc fc fc fc fc fc
 ffff8880a4bf4c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880a4bf4c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                               ^
 ffff8880a4bf4d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880a4bf4d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================