bisecting cause commit starting from 056ddc38e94105a7ee982ca06cc19448fc927f6f building syzkaller on f3f7d9c8c3dfa1406a5f5a5f5f45a351f533139f testing commit 056ddc38e94105a7ee982ca06cc19448fc927f6f with gcc (GCC) 8.1.0 all runs: crashed: KASAN: use-after-free Read in nl8NUM_dump_wpan_phy testing release v5.3 testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.1.0 all runs: OK # git bisect start 056ddc38e94105a7ee982ca06cc19448fc927f6f v5.3 Bisecting: 6299 revisions left to test after this (roughly 13 steps) [81160dda9a7aad13c04e78bb2cfd3c4630e3afab] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next testing commit 81160dda9a7aad13c04e78bb2cfd3c4630e3afab with gcc (GCC) 8.1.0 all runs: OK # git bisect good 81160dda9a7aad13c04e78bb2cfd3c4630e3afab Bisecting: 3122 revisions left to test after this (roughly 12 steps) [45824fc0da6e46cc5d563105e1eaaf3098a686f9] Merge tag 'powerpc-5.4-1' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux testing commit 45824fc0da6e46cc5d563105e1eaaf3098a686f9 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 45824fc0da6e46cc5d563105e1eaaf3098a686f9 Bisecting: 1565 revisions left to test after this (roughly 11 steps) [cf05a67b68b8d9d6469bedb63ee461f8c7de62e6] KVM: x86: omit "impossible" pmu MSRs from MSR list testing commit cf05a67b68b8d9d6469bedb63ee461f8c7de62e6 with gcc (GCC) 8.1.0 all runs: OK # git bisect good cf05a67b68b8d9d6469bedb63ee461f8c7de62e6 Bisecting: 784 revisions left to test after this (roughly 10 steps) [738f531d877ac2b228b25354dfa4da6e79a2c369] Merge tag 'for-5.4/io_uring-2019-09-27' of git://git.kernel.dk/linux-block testing commit 738f531d877ac2b228b25354dfa4da6e79a2c369 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 738f531d877ac2b228b25354dfa4da6e79a2c369 Bisecting: 392 revisions left to test after this (roughly 9 steps) [97bfe0e05ceb8ff91a331765bff384876ebd5f5e] Merge branch 'devlink-allow-devlink-instances-to-change-network-namespace' testing commit 97bfe0e05ceb8ff91a331765bff384876ebd5f5e with gcc (GCC) 8.1.0 all runs: OK # git bisect good 97bfe0e05ceb8ff91a331765bff384876ebd5f5e Bisecting: 196 revisions left to test after this (roughly 8 steps) [812ad49d88b51fab551acb3c2d9c7d054bc69423] Merge tag 'riscv/for-v5.4-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux testing commit 812ad49d88b51fab551acb3c2d9c7d054bc69423 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 812ad49d88b51fab551acb3c2d9c7d054bc69423 Bisecting: 88 revisions left to test after this (roughly 7 steps) [9819a30c11ea439e5e3c81f5539c4d42d6c76314] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net testing commit 9819a30c11ea439e5e3c81f5539c4d42d6c76314 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 9819a30c11ea439e5e3c81f5539c4d42d6c76314 Bisecting: 39 revisions left to test after this (roughly 6 steps) [6f4c930e02355664d89c976eccea5d999a90de16] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net testing commit 6f4c930e02355664d89c976eccea5d999a90de16 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 6f4c930e02355664d89c976eccea5d999a90de16 Bisecting: 19 revisions left to test after this (roughly 4 steps) [c6c08614eb32d250612c9d2940e48951fb4ba325] net: tipc: allocate attrs locally instead of using genl_family_attrbuf in compat_dumpit() testing commit c6c08614eb32d250612c9d2940e48951fb4ba325 with gcc (GCC) 8.1.0 all runs: crashed: KASAN: use-after-free Read in nl8NUM_dump_wpan_phy # git bisect bad c6c08614eb32d250612c9d2940e48951fb4ba325 Bisecting: 9 revisions left to test after this (roughly 3 steps) [c04d71b5b287aa7cc5ff707d23f5fb66307c11c7] selftests: test creating netdevsim inside network namespace testing commit c04d71b5b287aa7cc5ff707d23f5fb66307c11c7 with gcc (GCC) 8.1.0 all runs: OK # git bisect good c04d71b5b287aa7cc5ff707d23f5fb66307c11c7 Bisecting: 4 revisions left to test after this (roughly 2 steps) [c10e6cf85e7d984a156052daeedaf20a1f38824f] net: genetlink: push attrbuf allocation and parsing to a separate function testing commit c10e6cf85e7d984a156052daeedaf20a1f38824f with gcc (GCC) 8.1.0 all runs: OK # git bisect good c10e6cf85e7d984a156052daeedaf20a1f38824f Bisecting: 2 revisions left to test after this (roughly 1 step) [75cdbdd089003cd53560ff87b690ae911fa7df8e] net: ieee802154: have genetlink code to parse the attrs during dumpit testing commit 75cdbdd089003cd53560ff87b690ae911fa7df8e with gcc (GCC) 8.1.0 all runs: crashed: KASAN: use-after-free Read in nl8NUM_dump_wpan_phy # git bisect bad 75cdbdd089003cd53560ff87b690ae911fa7df8e Bisecting: 0 revisions left to test after this (roughly 0 steps) [bf813b0afeae2f012f0e527a526c1b78ca21ad82] net: genetlink: parse attrs and store in contect info struct during dumpit testing commit bf813b0afeae2f012f0e527a526c1b78ca21ad82 with gcc (GCC) 8.1.0 all runs: OK # git bisect good bf813b0afeae2f012f0e527a526c1b78ca21ad82 75cdbdd089003cd53560ff87b690ae911fa7df8e is the first bad commit commit 75cdbdd089003cd53560ff87b690ae911fa7df8e Author: Jiri Pirko Date: Sat Oct 5 20:04:37 2019 +0200 net: ieee802154: have genetlink code to parse the attrs during dumpit Benefit from the fact that the generic netlink code can parse the attrs for dumpit op and avoid need to parse it in the op callback. Signed-off-by: Jiri Pirko Signed-off-by: David S. Miller :040000 040000 7561903c4395481f203f762713915f5bd2a17c30 4dfd4138de0db725f9c7bfe6fbcb5b3f62c74ec6 M net revisions tested: 15, total time: 3h57m51.422110614s (build: 1h27m14.764895138s, test: 2h26m4.797876477s) first bad commit: 75cdbdd089003cd53560ff87b690ae911fa7df8e net: ieee802154: have genetlink code to parse the attrs during dumpit cc: ["alex.aring@gmail.com" "davem@davemloft.net" "jiri@mellanox.com" "linux-kernel@vger.kernel.org" "linux-wpan@vger.kernel.org" "netdev@vger.kernel.org" "stefan@datenfreihafen.org"] crash: KASAN: use-after-free Read in nl8NUM_dump_wpan_phy netlink: 'syz-executor.4': attribute type 6 has an invalid length. netlink: 2 bytes leftover after parsing attributes in process `syz-executor.4'. ================================================================== BUG: KASAN: use-after-free in nla_memcpy+0x8b/0xa0 lib/nlattr.c:572 Read of size 2 at addr ffff8880914d509c by task syz-executor.4/7549 CPU: 1 PID: 7549 Comm: syz-executor.4 Not tainted 5.4.0-rc1+ #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x113/0x167 lib/dump_stack.c:113 print_address_description.constprop.8.cold.10+0x9/0x31d mm/kasan/report.c:374 __kasan_report.cold.11+0x1b/0x3a mm/kasan/report.c:506 kasan_report+0x12/0x20 mm/kasan/common.c:634 __asan_report_load2_noabort+0x14/0x20 mm/kasan/generic_report.c:130 nla_memcpy+0x8b/0xa0 lib/nlattr.c:572 nla_get_u64 include/net/netlink.h:1539 [inline] nl802154_dump_wpan_phy_parse net/ieee802154/nl802154.c:559 [inline] nl802154_dump_wpan_phy+0x4ef/0xa90 net/ieee802154/nl802154.c:593 genl_lock_dumpit+0x84/0xb0 net/netlink/genetlink.c:529 netlink_dump+0x49e/0x10c0 net/netlink/af_netlink.c:2244 __netlink_dump_start+0x52b/0x810 net/netlink/af_netlink.c:2352 genl_family_rcv_msg_dumpit net/netlink/genetlink.c:614 [inline] genl_family_rcv_msg net/netlink/genetlink.c:710 [inline] genl_rcv_msg+0xbbb/0x1280 net/netlink/genetlink.c:730 netlink_rcv_skb+0x13c/0x380 net/netlink/af_netlink.c:2477 genl_rcv+0x23/0x40 net/netlink/genetlink.c:741 netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline] netlink_unicast+0x43f/0x630 net/netlink/af_netlink.c:1328 netlink_sendmsg+0x75d/0xc40 net/netlink/af_netlink.c:1917 sock_sendmsg_nosec net/socket.c:637 [inline] sock_sendmsg+0xb5/0xf0 net/socket.c:657 ___sys_sendmsg+0x647/0x950 net/socket.c:2311 __sys_sendmsg+0xd9/0x180 net/socket.c:2356 __do_sys_sendmsg net/socket.c:2365 [inline] __se_sys_sendmsg net/socket.c:2363 [inline] __x64_sys_sendmsg+0x73/0xb0 net/socket.c:2363 do_syscall_64+0xca/0x5d0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x459a59 Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007f4e85b0ac78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000459a59 RDX: 0000000000000000 RSI: 0000000020000d40 RDI: 0000000000000003 RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4e85b0b6d4 R13: 00000000004c7b62 R14: 00000000004dd8c0 R15: 00000000ffffffff Allocated by task 7551: save_stack+0x21/0x90 mm/kasan/common.c:69 set_track mm/kasan/common.c:77 [inline] __kasan_kmalloc.constprop.9+0xc7/0xd0 mm/kasan/common.c:510 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:524 __do_kmalloc_node mm/slab.c:3615 [inline] __kmalloc_node_track_caller+0x4d/0x70 mm/slab.c:3629 __kmalloc_reserve.isra.46+0x2c/0xc0 net/core/skbuff.c:141 __alloc_skb+0xd7/0x570 net/core/skbuff.c:209 alloc_skb include/linux/skbuff.h:1049 [inline] netlink_alloc_large_skb net/netlink/af_netlink.c:1174 [inline] netlink_sendmsg+0x808/0xc40 net/netlink/af_netlink.c:1892 sock_sendmsg_nosec net/socket.c:637 [inline] sock_sendmsg+0xb5/0xf0 net/socket.c:657 ___sys_sendmsg+0x647/0x950 net/socket.c:2311 __sys_sendmsg+0xd9/0x180 net/socket.c:2356 __do_sys_sendmsg net/socket.c:2365 [inline] __se_sys_sendmsg net/socket.c:2363 [inline] __x64_sys_sendmsg+0x73/0xb0 net/socket.c:2363 do_syscall_64+0xca/0x5d0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 7551: save_stack+0x21/0x90 mm/kasan/common.c:69 set_track mm/kasan/common.c:77 [inline] kasan_set_free_info mm/kasan/common.c:332 [inline] __kasan_slab_free+0x102/0x150 mm/kasan/common.c:471 kasan_slab_free+0xe/0x10 mm/kasan/common.c:480 __cache_free mm/slab.c:3425 [inline] kfree+0x108/0x2c0 mm/slab.c:3756 skb_free_head+0x6e/0x90 net/core/skbuff.c:591 skb_release_data+0x376/0x6a0 net/core/skbuff.c:611 skb_release_all+0x3d/0x50 net/core/skbuff.c:665 __kfree_skb net/core/skbuff.c:679 [inline] consume_skb+0xad/0x2a0 net/core/skbuff.c:838 netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline] netlink_unicast+0x447/0x630 net/netlink/af_netlink.c:1328 netlink_sendmsg+0x75d/0xc40 net/netlink/af_netlink.c:1917 sock_sendmsg_nosec net/socket.c:637 [inline] sock_sendmsg+0xb5/0xf0 net/socket.c:657 ___sys_sendmsg+0x647/0x950 net/socket.c:2311 __sys_sendmsg+0xd9/0x180 net/socket.c:2356 __do_sys_sendmsg net/socket.c:2365 [inline] __se_sys_sendmsg net/socket.c:2363 [inline] __x64_sys_sendmsg+0x73/0xb0 net/socket.c:2363 do_syscall_64+0xca/0x5d0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe The buggy address belongs to the object at ffff8880914d5080 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 28 bytes inside of 512-byte region [ffff8880914d5080, ffff8880914d5280) The buggy address belongs to the page: page:ffffea0002453540 refcount:1 mapcount:0 mapping:ffff8880aa400a80 index:0x0 flags: 0x1fffc0000000200(slab) raw: 01fffc0000000200 ffffea0001e63e08 ffff8880aa401748 ffff8880aa400a80 raw: 0000000000000000 ffff8880914d5080 0000000100000006 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880914d4f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8880914d5000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8880914d5080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8880914d5100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880914d5180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================