bisecting cause commit starting from dcb8cfbd8fe9e62c7d64e82288d3ffe2502b7371 building syzkaller on 6affd8e838ce8a0c7d72445a7f67fe3bde8bbe04 testing commit dcb8cfbd8fe9e62c7d64e82288d3ffe2502b7371 with gcc (GCC) 8.1.0 run #0: crashed: KASAN: use-after-free Read in sock_def_write_space run #1: crashed: KASAN: use-after-free Read in sock_def_write_space run #2: crashed: KASAN: use-after-free Read in sock_def_write_space run #3: crashed: KASAN: use-after-free Read in sock_def_write_space run #4: crashed: KASAN: use-after-free Read in sock_def_write_space run #5: crashed: KASAN: use-after-free Read in sock_def_write_space run #6: crashed: KASAN: use-after-free Read in sock_def_write_space run #7: OK run #8: OK run #9: OK testing release v5.2 testing commit 0ecfebd2b52404ae0c54a878c872bb93363ada36 with gcc (GCC) 8.1.0 all runs: OK # git bisect start dcb8cfbd8fe9e62c7d64e82288d3ffe2502b7371 v5.2 Bisecting: 6987 revisions left to test after this (roughly 13 steps) [8931084c0d017314ad025f19353f7c5c1d3782d8] Merge tag 'mmc-v5.3' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc testing commit 8931084c0d017314ad025f19353f7c5c1d3782d8 with gcc (GCC) 8.1.0 run #0: crashed: KASAN: use-after-free Read in sock_def_write_space run #1: crashed: KASAN: use-after-free Read in sock_def_write_space run #2: crashed: KASAN: use-after-free Read in sock_def_write_space run #3: crashed: KASAN: use-after-free Read in sock_def_write_space run #4: crashed: KASAN: use-after-free Read in sock_def_write_space run #5: crashed: KASAN: use-after-free Read in sock_def_write_space run #6: crashed: KASAN: use-after-free Read in sock_def_write_space run #7: OK run #8: OK run #9: OK # git bisect bad 8931084c0d017314ad025f19353f7c5c1d3782d8 Bisecting: 3679 revisions left to test after this (roughly 12 steps) [8f6ccf6159aed1f04c6d179f61f6fb2691261e84] Merge tag 'clone3-v5.3' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux testing commit 8f6ccf6159aed1f04c6d179f61f6fb2691261e84 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 8f6ccf6159aed1f04c6d179f61f6fb2691261e84 Bisecting: 1858 revisions left to test after this (roughly 11 steps) [9ce67c3235be71e8cf922a9b3d0b7359ed3f4ce5] Bluetooth: btusb: Add protocol support for MediaTek MT7663U USB devices testing commit 9ce67c3235be71e8cf922a9b3d0b7359ed3f4ce5 with gcc (GCC) 8.1.0 run #0: crashed: KASAN: use-after-free Read in sock_def_write_space run #1: crashed: KASAN: use-after-free Read in sock_def_write_space run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 9ce67c3235be71e8cf922a9b3d0b7359ed3f4ce5 Bisecting: 910 revisions left to test after this (roughly 10 steps) [363887a2cdfeb6af52a9b78d84697662adf6f8d5] ipv4: Support multipath hashing on inner IP pkts for GRE tunnel testing commit 363887a2cdfeb6af52a9b78d84697662adf6f8d5 with gcc (GCC) 8.1.0 run #0: crashed: KASAN: use-after-free Read in sock_def_write_space run #1: crashed: KASAN: use-after-free Read in sock_def_write_space run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 363887a2cdfeb6af52a9b78d84697662adf6f8d5 Bisecting: 454 revisions left to test after this (roughly 9 steps) [b33bc2b878e05c5dd4e20682328c3addb4787ac9] nexthop: Add entry to MAINTAINERS testing commit b33bc2b878e05c5dd4e20682328c3addb4787ac9 with gcc (GCC) 8.1.0 all runs: OK # git bisect good b33bc2b878e05c5dd4e20682328c3addb4787ac9 Bisecting: 227 revisions left to test after this (roughly 8 steps) [8a6389a515f406a89a1a69c267fbc712cdd9e8e9] net: ethernet: ti: cpts: use devm_get_clk_from_child testing commit 8a6389a515f406a89a1a69c267fbc712cdd9e8e9 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 8a6389a515f406a89a1a69c267fbc712cdd9e8e9 Bisecting: 113 revisions left to test after this (roughly 7 steps) [9f9ae3f98b8d8b8aa709831057759dbb52ba5083] net: ena: make ethtool show correct current and max queue sizes testing commit 9f9ae3f98b8d8b8aa709831057759dbb52ba5083 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 9f9ae3f98b8d8b8aa709831057759dbb52ba5083 Bisecting: 47 revisions left to test after this (roughly 6 steps) [d96ec97511149b447712a5a401b290913cbd4426] Merge tag 'mac80211-next-for-davem-2019-06-14' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211-next testing commit d96ec97511149b447712a5a401b290913cbd4426 with gcc (GCC) 8.1.0 all runs: OK # git bisect good d96ec97511149b447712a5a401b290913cbd4426 Bisecting: 23 revisions left to test after this (roughly 5 steps) [1086ca3a63a3af6b8a722fff55da46f111bc40ee] net: phy: sfp: clean up a condition testing commit 1086ca3a63a3af6b8a722fff55da46f111bc40ee with gcc (GCC) 8.1.0 all runs: OK # git bisect good 1086ca3a63a3af6b8a722fff55da46f111bc40ee Bisecting: 11 revisions left to test after this (roughly 4 steps) [31bb229d6f4a603a351d670ac078dff8ba3af398] net: hns3: clear restting state when initializing HW device testing commit 31bb229d6f4a603a351d670ac078dff8ba3af398 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 31bb229d6f4a603a351d670ac078dff8ba3af398 Bisecting: 5 revisions left to test after this (roughly 3 steps) [26e392ca9b76b219fe3e3831f425c28b03f6fd74] Merge branch 'hns3-next' testing commit 26e392ca9b76b219fe3e3831f425c28b03f6fd74 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 26e392ca9b76b219fe3e3831f425c28b03f6fd74 Bisecting: 2 revisions left to test after this (roughly 2 steps) [3d797eb1d08f02cc767f9e00714077b9ed8670fc] Merge branch 'enable-and-use-static_branch_deferred_inc' testing commit 3d797eb1d08f02cc767f9e00714077b9ed8670fc with gcc (GCC) 8.1.0 all runs: OK # git bisect good 3d797eb1d08f02cc767f9e00714077b9ed8670fc Bisecting: 0 revisions left to test after this (roughly 1 step) [31c03aef9bc22a64a8324d650ca4198819ef3a33] virtio_net: enable napi_tx by default testing commit 31c03aef9bc22a64a8324d650ca4198819ef3a33 with gcc (GCC) 8.1.0 run #0: crashed: KASAN: use-after-free Read in sock_def_write_space run #1: crashed: KASAN: use-after-free Read in sock_def_write_space run #2: crashed: KASAN: use-after-free Read in sock_def_write_space run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 31c03aef9bc22a64a8324d650ca4198819ef3a33 Bisecting: 0 revisions left to test after this (roughly 0 steps) [87f373921c4ed770abdb3cdafd796ef7f7b86620] net: sched: ingress: set 'unlocked' flag for clsact Qdisc ops testing commit 87f373921c4ed770abdb3cdafd796ef7f7b86620 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 87f373921c4ed770abdb3cdafd796ef7f7b86620 31c03aef9bc22a64a8324d650ca4198819ef3a33 is the first bad commit commit 31c03aef9bc22a64a8324d650ca4198819ef3a33 Author: Willem de Bruijn Date: Thu Jun 13 12:24:57 2019 -0400 virtio_net: enable napi_tx by default NAPI tx mode improves TCP behavior by enabling TCP small queues (TSQ). TSQ reduces queuing ("bufferbloat") and burstiness. Previous measurements have shown significant improvement for TCP_STREAM style workloads. Such as those in commit 86a5df1495cc ("Merge branch 'virtio-net-tx-napi'"). There has been uncertainty about smaller possible regressions in latency due to increased reliance on tx interrupts. The above results did not show that, nor did I observe this when rerunning TCP_RR on Linux 5.1 this week on a pair of guests in the same rack. This may be subject to other settings, notably interrupt coalescing. In the unlikely case of regression, we have landed a credible runtime solution. Ethtool can configure it with -C tx-frames [0|1] as of commit 0c465be183c7 ("virtio_net: ethtool tx napi configuration"). NAPI tx mode has been the default in Google Container-Optimized OS (COS) for over half a year, as of release M70 in October 2018, without any negative reports. Link: https://marc.info/?l=linux-netdev&m=149305618416472 Link: https://lwn.net/Articles/507065/ Signed-off-by: Willem de Bruijn Acked-by: Michael S. Tsirkin Acked-by: Jason Wang Signed-off-by: David S. Miller :040000 040000 5e929f41558692824dbdc61099cece16d862caa1 efb0af498a02258e0c41ad680e296c065d8f0845 M drivers revisions tested: 16, total time: 4h26m46.601324052s (build: 1h34m14.400835706s, test: 2h46m46.434691559s) first bad commit: 31c03aef9bc22a64a8324d650ca4198819ef3a33 virtio_net: enable napi_tx by default cc: ["davem@davemloft.net" "jasowang@redhat.com" "mst@redhat.com" "willemb@google.com"] crash: KASAN: use-after-free Read in sock_def_write_space ================================================================== BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:194 [inline] BUG: KASAN: use-after-free in list_empty include/linux/list.h:254 [inline] BUG: KASAN: use-after-free in waitqueue_active include/linux/wait.h:126 [inline] BUG: KASAN: use-after-free in wq_has_sleeper include/linux/wait.h:147 [inline] BUG: KASAN: use-after-free in skwq_has_sleeper include/net/sock.h:2086 [inline] BUG: KASAN: use-after-free in sock_def_write_space+0x452/0x480 net/core/sock.c:2788 Read of size 8 at addr ffff888098db79f8 by task syz-executor.2/7872 CPU: 0 PID: 7872 Comm: syz-executor.2 Not tainted 5.2.0-rc3+ #1 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x113/0x167 lib/dump_stack.c:113 print_address_description.cold.5+0x9/0x1ff mm/kasan/report.c:188 __kasan_report.cold.6+0x1b/0x39 mm/kasan/report.c:317 kasan_report+0x12/0x20 mm/kasan/common.c:614 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132 __read_once_size include/linux/compiler.h:194 [inline] list_empty include/linux/list.h:254 [inline] waitqueue_active include/linux/wait.h:126 [inline] wq_has_sleeper include/linux/wait.h:147 [inline] skwq_has_sleeper include/net/sock.h:2086 [inline] sock_def_write_space+0x452/0x480 net/core/sock.c:2788 sock_wfree+0xf3/0x120 net/core/sock.c:1946 skb_release_head_state+0x9f/0x1a0 net/core/skbuff.c:650 skb_release_all+0xd/0x50 net/core/skbuff.c:661 _kfree_skb_defer net/core/skbuff.c:772 [inline] napi_consume_skb+0x10d/0x400 net/core/skbuff.c:817 free_old_xmit_skbs+0xbc/0x1f0 drivers/net/virtio_net.c:1366 virtnet_poll_tx+0x1e5/0x360 drivers/net/virtio_net.c:1493 napi_poll net/core/dev.c:6329 [inline] net_rx_action+0x470/0xe20 net/core/dev.c:6395 __do_softirq+0x260/0x958 kernel/softirq.c:293 invoke_softirq kernel/softirq.c:374 [inline] irq_exit+0x17f/0x1c0 kernel/softirq.c:414 exiting_irq arch/x86/include/asm/apic.h:536 [inline] do_IRQ+0x10b/0x1c0 arch/x86/kernel/irq.c:259 common_interrupt+0xf/0xf arch/x86/entry/entry_64.S:583 RIP: 0010:get_current arch/x86/include/asm/current.h:15 [inline] RIP: 0010:do_syscall_64+0x51/0x530 arch/x86/entry/common.c:289 Code: 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 3a 04 00 00 48 83 3d ec 8e 31 07 00 0f 84 78 03 00 00 fb 66 0f 1f 44 00 00 <65> 4c 8b 34 25 c0 fd 01 00 48 b8 00 00 00 00 00 fc ff df 4c 89 f2 RSP: 0018:ffff888089847f20 EFLAGS: 00000282 ORIG_RAX: ffffffffffffffd6 RAX: dffffc0000000000 RBX: 000000000000003d RCX: 0000000000000000 RDX: 1ffffffff10643e0 RSI: 0000000000000006 RDI: ffff888091d0ae3c RBP: ffff888089847f48 R08: 0000000000000006 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: ffff888089847f58 R13: ffffffff88321f00 R14: 0000000000000000 R15: 0000000000000000 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x4137ba Code: 0f 83 6a 18 00 00 c3 66 0f 1f 84 00 00 00 00 00 8b 05 de 2a 66 00 85 c0 75 36 45 31 d2 48 63 d2 48 63 ff b8 3d 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 06 c3 0f 1f 44 00 00 48 c7 c2 d4 ff ff ff f7 RSP: 002b:00007fff088087e8 EFLAGS: 00000246 ORIG_RAX: 000000000000003d RAX: ffffffffffffffda RBX: 000000000005da8c RCX: 00000000004137ba RDX: 0000000040000001 RSI: 00007fff08808820 RDI: ffffffffffffffff RBP: 0000000000001345 R08: 0000000000000001 R09: 0000555556872940 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000006 R13: 00007fff08808820 R14: 000000000005d9fa R15: 00007fff08808830 Allocated by task 13138: save_stack+0x21/0x90 mm/kasan/common.c:71 set_track mm/kasan/common.c:79 [inline] __kasan_kmalloc.constprop.8+0xc7/0xd0 mm/kasan/common.c:489 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:503 kmem_cache_alloc_trace+0x154/0x740 mm/slab.c:3555 kmalloc include/linux/slab.h:547 [inline] sock_alloc_inode+0x5c/0x230 net/socket.c:249 alloc_inode+0x5c/0x1a0 fs/inode.c:227 new_inode_pseudo+0xc/0xd0 fs/inode.c:916 sock_alloc+0x3c/0x270 net/socket.c:569 __sock_create+0x7a/0x540 net/socket.c:1388 sock_create net/socket.c:1475 [inline] __sys_socket+0xd7/0x1c0 net/socket.c:1517 __do_sys_socket net/socket.c:1526 [inline] __se_sys_socket net/socket.c:1524 [inline] __x64_sys_socket+0x6e/0xb0 net/socket.c:1524 do_syscall_64+0xd0/0x530 arch/x86/entry/common.c:301 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 9: save_stack+0x21/0x90 mm/kasan/common.c:71 set_track mm/kasan/common.c:79 [inline] __kasan_slab_free+0x102/0x150 mm/kasan/common.c:451 kasan_slab_free+0xe/0x10 mm/kasan/common.c:459 __cache_free mm/slab.c:3432 [inline] kfree+0xcf/0x220 mm/slab.c:3755 __rcu_reclaim kernel/rcu/rcu.h:215 [inline] rcu_do_batch kernel/rcu/tree.c:2092 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:2310 [inline] rcu_core+0xc8e/0x1430 kernel/rcu/tree.c:2291 __do_softirq+0x260/0x958 kernel/softirq.c:293 The buggy address belongs to the object at ffff888098db79c0 which belongs to the cache kmalloc-128 of size 128 The buggy address is located 56 bytes inside of 128-byte region [ffff888098db79c0, ffff888098db7a40) The buggy address belongs to the page: page:ffffea0002636dc0 refcount:1 mapcount:0 mapping:ffff8880aa400640 index:0xffff888098db76c0 flags: 0x1fffc0000000200(slab) raw: 01fffc0000000200 ffffea00027b9508 ffffea00024b5408 ffff8880aa400640 raw: ffff888098db76c0 ffff888098db7000 0000000100000011 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888098db7880: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff888098db7900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff888098db7980: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb ^ ffff888098db7a00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff888098db7a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc ==================================================================