bisecting cause commit starting from f9867b51d268d6fabcc4477d877f04aaad9299ae building syzkaller on b1ebbfef72842354231950b0b33fed3170fc73b7 testing commit f9867b51d268d6fabcc4477d877f04aaad9299ae with gcc (GCC) 8.1.0 all runs: crashed: KASAN: use-after-free Read in tipc_nl_node_dump_monitor_peer testing release v5.3 testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.1.0 all runs: OK # git bisect start f9867b51d268d6fabcc4477d877f04aaad9299ae v5.3 Bisecting: 6334 revisions left to test after this (roughly 13 steps) [81160dda9a7aad13c04e78bb2cfd3c4630e3afab] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next testing commit 81160dda9a7aad13c04e78bb2cfd3c4630e3afab with gcc (GCC) 8.1.0 all runs: OK # git bisect good 81160dda9a7aad13c04e78bb2cfd3c4630e3afab Bisecting: 3157 revisions left to test after this (roughly 12 steps) [45824fc0da6e46cc5d563105e1eaaf3098a686f9] Merge tag 'powerpc-5.4-1' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux testing commit 45824fc0da6e46cc5d563105e1eaaf3098a686f9 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 45824fc0da6e46cc5d563105e1eaaf3098a686f9 Bisecting: 1600 revisions left to test after this (roughly 11 steps) [cf05a67b68b8d9d6469bedb63ee461f8c7de62e6] KVM: x86: omit "impossible" pmu MSRs from MSR list testing commit cf05a67b68b8d9d6469bedb63ee461f8c7de62e6 with gcc (GCC) 8.1.0 all runs: OK # git bisect good cf05a67b68b8d9d6469bedb63ee461f8c7de62e6 Bisecting: 784 revisions left to test after this (roughly 10 steps) [e37e3bc7e265d05d00f14079767537699cf6bd46] Merge tag 'pwm/for-5.4-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/thierry.reding/linux-pwm testing commit e37e3bc7e265d05d00f14079767537699cf6bd46 with gcc (GCC) 8.1.0 all runs: OK # git bisect good e37e3bc7e265d05d00f14079767537699cf6bd46 Bisecting: 392 revisions left to test after this (roughly 9 steps) [55252ab72b774119afedfdc6d1f142ffa2a9b818] erofs: fix erofs_get_meta_page locking due to a cleanup testing commit 55252ab72b774119afedfdc6d1f142ffa2a9b818 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 55252ab72b774119afedfdc6d1f142ffa2a9b818 Bisecting: 191 revisions left to test after this (roughly 8 steps) [9819a30c11ea439e5e3c81f5539c4d42d6c76314] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net testing commit 9819a30c11ea439e5e3c81f5539c4d42d6c76314 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 9819a30c11ea439e5e3c81f5539c4d42d6c76314 Bisecting: 106 revisions left to test after this (roughly 7 steps) [26e0105550862a137eba701e2f4e3eeb343759e9] net: dsa: sja1105: Make function sja1105_xfer_long_buf static testing commit 26e0105550862a137eba701e2f4e3eeb343759e9 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 26e0105550862a137eba701e2f4e3eeb343759e9 Bisecting: 53 revisions left to test after this (roughly 6 steps) [265ecd4fa3f0ca43909f8b2cc0e519966f21b167] net: genetlink: remove unused genl_family_attrbuf() testing commit 265ecd4fa3f0ca43909f8b2cc0e519966f21b167 with gcc (GCC) 8.1.0 all runs: crashed: KASAN: use-after-free Read in tipc_nl_node_dump_monitor_peer # git bisect bad 265ecd4fa3f0ca43909f8b2cc0e519966f21b167 Bisecting: 21 revisions left to test after this (roughly 5 steps) [2d00aee21a5d4966e086d98f9d710afb92fb14e8] Merge tag 'kbuild-fixes-v5.4' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild testing commit 2d00aee21a5d4966e086d98f9d710afb92fb14e8 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 2d00aee21a5d4966e086d98f9d710afb92fb14e8 Bisecting: 10 revisions left to test after this (roughly 4 steps) [c04d71b5b287aa7cc5ff707d23f5fb66307c11c7] selftests: test creating netdevsim inside network namespace testing commit c04d71b5b287aa7cc5ff707d23f5fb66307c11c7 with gcc (GCC) 8.1.0 all runs: OK # git bisect good c04d71b5b287aa7cc5ff707d23f5fb66307c11c7 Bisecting: 5 revisions left to test after this (roughly 3 steps) [c10e6cf85e7d984a156052daeedaf20a1f38824f] net: genetlink: push attrbuf allocation and parsing to a separate function testing commit c10e6cf85e7d984a156052daeedaf20a1f38824f with gcc (GCC) 8.1.0 all runs: OK # git bisect good c10e6cf85e7d984a156052daeedaf20a1f38824f Bisecting: 2 revisions left to test after this (roughly 2 steps) [4495af31947bcc8886fe43737500f12729f7bdd9] net: nfc: have genetlink code to parse the attrs during dumpit testing commit 4495af31947bcc8886fe43737500f12729f7bdd9 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 4495af31947bcc8886fe43737500f12729f7bdd9 Bisecting: 0 revisions left to test after this (roughly 1 step) [c6c08614eb32d250612c9d2940e48951fb4ba325] net: tipc: allocate attrs locally instead of using genl_family_attrbuf in compat_dumpit() testing commit c6c08614eb32d250612c9d2940e48951fb4ba325 with gcc (GCC) 8.1.0 all runs: crashed: KASAN: use-after-free Read in tipc_nl_node_dump_monitor_peer # git bisect bad c6c08614eb32d250612c9d2940e48951fb4ba325 Bisecting: 0 revisions left to test after this (roughly 0 steps) [057af70713445fad2459aa348c9c2c4ecf7db938] net: tipc: have genetlink code to parse the attrs during dumpit testing commit 057af70713445fad2459aa348c9c2c4ecf7db938 with gcc (GCC) 8.1.0 all runs: crashed: KASAN: use-after-free Read in tipc_nl_node_dump_monitor_peer # git bisect bad 057af70713445fad2459aa348c9c2c4ecf7db938 057af70713445fad2459aa348c9c2c4ecf7db938 is the first bad commit commit 057af70713445fad2459aa348c9c2c4ecf7db938 Author: Jiri Pirko Date: Sat Oct 5 20:04:39 2019 +0200 net: tipc: have genetlink code to parse the attrs during dumpit Benefit from the fact that the generic netlink code can parse the attrs for dumpit op and avoid need to parse it in the op callback. Signed-off-by: Jiri Pirko Signed-off-by: David S. Miller :040000 040000 c2a4bfa249df313fbeb20981f5460a3951666000 899bc41e7046c2e530522881d85031f23ca312e3 M net revisions tested: 16, total time: 4h10m50.443564719s (build: 1h34m46.930445498s, test: 2h31m14.215032803s) first bad commit: 057af70713445fad2459aa348c9c2c4ecf7db938 net: tipc: have genetlink code to parse the attrs during dumpit cc: ["davem@davemloft.net" "jiri@mellanox.com" "jon.maloy@ericsson.com" "linux-kernel@vger.kernel.org" "netdev@vger.kernel.org" "tipc-discussion@lists.sourceforge.net" "ying.xue@windriver.com"] crash: KASAN: use-after-free Read in tipc_nl_node_dump_monitor_peer ================================================================== BUG: KASAN: use-after-free in nla_parse_nested_deprecated include/net/netlink.h:1166 [inline] BUG: KASAN: use-after-free in tipc_nl_node_dump_monitor_peer+0x508/0x700 net/tipc/node.c:2493 Read of size 2 at addr ffff8880a89c9014 by task syz-executor.3/9463 CPU: 1 PID: 9463 Comm: syz-executor.3 Not tainted 5.4.0-rc1+ #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x113/0x167 lib/dump_stack.c:113 print_address_description.constprop.8.cold.10+0x9/0x31d mm/kasan/report.c:374 __kasan_report.cold.11+0x1b/0x3a mm/kasan/report.c:506 kasan_report+0x12/0x20 mm/kasan/common.c:634 __asan_report_load2_noabort+0x14/0x20 mm/kasan/generic_report.c:130 nla_parse_nested_deprecated include/net/netlink.h:1166 [inline] tipc_nl_node_dump_monitor_peer+0x508/0x700 net/tipc/node.c:2493 genl_lock_dumpit+0x84/0xb0 net/netlink/genetlink.c:529 netlink_dump+0x49e/0x10c0 net/netlink/af_netlink.c:2244 __netlink_dump_start+0x52b/0x810 net/netlink/af_netlink.c:2352 genl_family_rcv_msg_dumpit net/netlink/genetlink.c:614 [inline] genl_family_rcv_msg net/netlink/genetlink.c:710 [inline] genl_rcv_msg+0xbbb/0x1280 net/netlink/genetlink.c:730 netlink_rcv_skb+0x13c/0x380 net/netlink/af_netlink.c:2477 genl_rcv+0x23/0x40 net/netlink/genetlink.c:741 netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline] netlink_unicast+0x43f/0x630 net/netlink/af_netlink.c:1328 netlink_sendmsg+0x75d/0xc40 net/netlink/af_netlink.c:1917 sock_sendmsg_nosec net/socket.c:637 [inline] sock_sendmsg+0xb5/0xf0 net/socket.c:657 ___sys_sendmsg+0x647/0x950 net/socket.c:2311 __sys_sendmsg+0xd9/0x180 net/socket.c:2356 __do_sys_sendmsg net/socket.c:2365 [inline] __se_sys_sendmsg net/socket.c:2363 [inline] __x64_sys_sendmsg+0x73/0xb0 net/socket.c:2363 do_syscall_64+0xca/0x5d0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x459a59 Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007fad312d4c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000459a59 RDX: 0000000000000000 RSI: 0000000020000100 RDI: 0000000000000003 RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007fad312d56d4 R13: 00000000004c7a34 R14: 00000000004dd728 R15: 00000000ffffffff Allocated by task 9464: save_stack+0x21/0x90 mm/kasan/common.c:69 set_track mm/kasan/common.c:77 [inline] __kasan_kmalloc.constprop.9+0xc7/0xd0 mm/kasan/common.c:510 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:524 __do_kmalloc_node mm/slab.c:3615 [inline] __kmalloc_node_track_caller+0x4d/0x70 mm/slab.c:3629 __kmalloc_reserve.isra.46+0x2c/0xc0 net/core/skbuff.c:141 __alloc_skb+0xd7/0x570 net/core/skbuff.c:209 alloc_skb include/linux/skbuff.h:1049 [inline] netlink_alloc_large_skb net/netlink/af_netlink.c:1174 [inline] netlink_sendmsg+0x808/0xc40 net/netlink/af_netlink.c:1892 sock_sendmsg_nosec net/socket.c:637 [inline] sock_sendmsg+0xb5/0xf0 net/socket.c:657 ___sys_sendmsg+0x647/0x950 net/socket.c:2311 __sys_sendmsg+0xd9/0x180 net/socket.c:2356 __do_sys_sendmsg net/socket.c:2365 [inline] __se_sys_sendmsg net/socket.c:2363 [inline] __x64_sys_sendmsg+0x73/0xb0 net/socket.c:2363 do_syscall_64+0xca/0x5d0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 9464: save_stack+0x21/0x90 mm/kasan/common.c:69 set_track mm/kasan/common.c:77 [inline] kasan_set_free_info mm/kasan/common.c:332 [inline] __kasan_slab_free+0x102/0x150 mm/kasan/common.c:471 kasan_slab_free+0xe/0x10 mm/kasan/common.c:480 __cache_free mm/slab.c:3425 [inline] kfree+0x108/0x2c0 mm/slab.c:3756 skb_free_head+0x6e/0x90 net/core/skbuff.c:591 skb_release_data+0x376/0x6a0 net/core/skbuff.c:611 skb_release_all+0x3d/0x50 net/core/skbuff.c:665 __kfree_skb net/core/skbuff.c:679 [inline] consume_skb+0xad/0x2a0 net/core/skbuff.c:838 netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline] netlink_unicast+0x447/0x630 net/netlink/af_netlink.c:1328 netlink_sendmsg+0x75d/0xc40 net/netlink/af_netlink.c:1917 sock_sendmsg_nosec net/socket.c:637 [inline] sock_sendmsg+0xb5/0xf0 net/socket.c:657 ___sys_sendmsg+0x647/0x950 net/socket.c:2311 __sys_sendmsg+0xd9/0x180 net/socket.c:2356 __do_sys_sendmsg net/socket.c:2365 [inline] __se_sys_sendmsg net/socket.c:2363 [inline] __x64_sys_sendmsg+0x73/0xb0 net/socket.c:2363 do_syscall_64+0xca/0x5d0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe The buggy address belongs to the object at ffff8880a89c9000 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 20 bytes inside of 512-byte region [ffff8880a89c9000, ffff8880a89c9200) The buggy address belongs to the page: page:ffffea0002a27240 refcount:1 mapcount:0 mapping:ffff8880aa400a80 index:0xffff8880a89c9c80 flags: 0x1fffc0000000200(slab) raw: 01fffc0000000200 ffffea00028efb88 ffffea00029f3088 ffff8880aa400a80 raw: ffff8880a89c9c80 ffff8880a89c9000 0000000100000003 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880a89c8f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc ffff8880a89c8f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8880a89c9000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8880a89c9080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880a89c9100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================