bisecting cause commit starting from 009fc857c5f6fda81f2f7dd851b2d54193a8e733 building syzkaller on b3c3bb8e115e28ac78d37da1ee8931351d6cb113 testing commit 009fc857c5f6fda81f2f7dd851b2d54193a8e733 with gcc (GCC) 10.2.1 20210217 kernel signature: f47f9928d09d0007abdda5e36c06da09a44f7e44b65f6749dd401a046b02f312 run #0: crashed: KASAN: use-after-free Read in bcm_rx_handler run #1: crashed: KASAN: use-after-free Read in bcm_rx_handler run #2: crashed: KASAN: use-after-free Read in bcm_rx_handler run #3: crashed: KASAN: use-after-free Read in bcm_rx_handler run #4: crashed: KASAN: use-after-free Read in bcm_rx_handler run #5: crashed: KASAN: use-after-free Read in bcm_rx_handler run #6: crashed: KASAN: use-after-free Read in bcm_rx_handler run #7: crashed: KASAN: use-after-free Read in bcm_rx_handler run #8: crashed: KASAN: use-after-free Read in bcm_rx_handler run #9: crashed: KASAN: use-after-free Read in bcm_send_to_user run #10: crashed: KASAN: use-after-free Read in bcm_rx_handler run #11: crashed: KASAN: use-after-free Read in bcm_rx_handler run #12: crashed: KASAN: use-after-free Read in bcm_rx_handler run #13: crashed: KASAN: use-after-free Read in bcm_rx_handler run #14: crashed: KASAN: use-after-free Read in bcm_rx_handler run #15: crashed: KASAN: use-after-free Read in bcm_rx_handler run #16: crashed: KASAN: use-after-free Read in bcm_rx_handler run #17: crashed: KASAN: use-after-free Read in bcm_rx_handler run #18: crashed: KASAN: use-after-free Read in bcm_rx_handler run #19: crashed: KASAN: use-after-free Read in bcm_rx_handler testing release v5.12 testing commit 9f4ad9e425a1d3b6a34617b8ea226d56a119a717 with gcc (GCC) 10.2.1 20210217 kernel signature: 1109f9be8385a1b187df831786445ddf0445ad7ec30cbcbf6eddc2eec6f9ddc3 run #0: crashed: KASAN: use-after-free Read in bcm_rx_handler run #1: crashed: KASAN: use-after-free Read in bcm_rx_handler run #2: crashed: KASAN: use-after-free Read in bcm_rx_handler run #3: crashed: KASAN: use-after-free Read in bcm_rx_handler run #4: crashed: KASAN: use-after-free Read in bcm_send_to_user run #5: crashed: KASAN: use-after-free Read in bcm_rx_handler run #6: crashed: KASAN: use-after-free Read in bcm_rx_handler run #7: crashed: KASAN: use-after-free Read in bcm_rx_handler run #8: crashed: KASAN: use-after-free Read in bcm_rx_handler run #9: crashed: KASAN: use-after-free Read in bcm_rx_handler testing release v5.11 testing commit f40ddce88593482919761f74910f42f4b84c004b with gcc (GCC) 10.2.1 20210217 kernel signature: 9d21064640c713b8d677f57b1bcd0cf8e762c6d3bf0e6457a6babaafd000596a run #0: crashed: KASAN: use-after-free Read in bcm_send_to_user run #1: crashed: KASAN: use-after-free Read in bcm_send_to_user run #2: crashed: KASAN: use-after-free Read in bcm_send_to_user run #3: crashed: KASAN: use-after-free Read in bcm_rx_handler run #4: crashed: KASAN: use-after-free Read in bcm_send_to_user run #5: crashed: KASAN: use-after-free Read in bcm_send_to_user run #6: crashed: KASAN: use-after-free Read in bcm_rx_handler run #7: crashed: KASAN: use-after-free Read in bcm_send_to_user run #8: crashed: KASAN: use-after-free Read in bcm_send_to_user run #9: crashed: KASAN: use-after-free Read in bcm_rx_handler testing release v5.10 testing commit 2c85ebc57b3e1817b6ce1a6b703928e113a90442 with gcc (GCC) 10.2.1 20210217 kernel signature: 34e80e340f57ad66db7bd4b43aaf85a17636ab3814afbea373ef7ed09f10bac7 run #0: crashed: KASAN: use-after-free Read in bcm_rx_handler run #1: crashed: KASAN: use-after-free Read in bcm_send_to_user run #2: crashed: KASAN: use-after-free Read in bcm_rx_handler run #3: crashed: KASAN: use-after-free Read in bcm_rx_handler run #4: crashed: KASAN: use-after-free Read in bcm_rx_handler run #5: crashed: KASAN: use-after-free Read in bcm_rx_handler run #6: crashed: KASAN: use-after-free Read in bcm_send_to_user run #7: crashed: KASAN: use-after-free Read in bcm_send_to_user run #8: crashed: KASAN: use-after-free Read in bcm_send_to_user run #9: crashed: KASAN: use-after-free Read in bcm_send_to_user testing release v5.9 testing commit bbf5c979011a099af5dc76498918ed7df445635b with gcc (GCC) 10.2.1 20210217 kernel signature: 2cfbac3c5bdb22b1effd251df99493d300e4f13516f06ec6c1d226eea66add2d all runs: OK # git bisect start 2c85ebc57b3e1817b6ce1a6b703928e113a90442 bbf5c979011a099af5dc76498918ed7df445635b Bisecting: 9594 revisions left to test after this (roughly 13 steps) [4d0e9df5e43dba52d38b251e3b909df8fa1110be] lib, uaccess: add failure injection to usercopy functions testing commit 4d0e9df5e43dba52d38b251e3b909df8fa1110be with gcc (GCC) 10.2.1 20210217 kernel signature: 3106fe18a153f28aad9d621e8429fc25cf5879e6a849965a5ced7e17dad15c01 all runs: OK # git bisect good 4d0e9df5e43dba52d38b251e3b909df8fa1110be Bisecting: 4874 revisions left to test after this (roughly 12 steps) [6694875ef8045cdb1e6712ee9b68fe08763507d8] ext4: indicate that fast_commit is available via /sys/fs/ext4/feature/... testing commit 6694875ef8045cdb1e6712ee9b68fe08763507d8 with gcc (GCC) 10.2.1 20210217 kernel signature: b4205d9be5df2cf1333913e6ce8034cf9ee3e309daf50504072e6494957489ca run #0: crashed: KASAN: use-after-free Read in bcm_rx_handler run #1: crashed: KASAN: use-after-free Read in bcm_rx_handler run #2: crashed: KASAN: use-after-free Read in bcm_rx_handler run #3: crashed: KASAN: use-after-free Read in bcm_send_to_user run #4: crashed: KASAN: use-after-free Read in bcm_send_to_user run #5: crashed: KASAN: use-after-free Read in bcm_rx_handler run #6: crashed: KASAN: use-after-free Read in bcm_send_to_user run #7: crashed: KASAN: use-after-free Read in bcm_send_to_user run #8: crashed: KASAN: use-after-free Read in bcm_send_to_user run #9: crashed: KASAN: use-after-free Read in bcm_rx_handler # git bisect bad 6694875ef8045cdb1e6712ee9b68fe08763507d8 Bisecting: 2342 revisions left to test after this (roughly 11 steps) [14c914fcb515c424177bb6848cc2858ebfe717a8] Merge tag 'wireless-drivers-next-2020-10-02' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers-next testing commit 14c914fcb515c424177bb6848cc2858ebfe717a8 with gcc (GCC) 8.4.1 20210217 kernel signature: 59594d983214f4903bb668bde23b55b99e0edb5a328cd23e564cb820685c5bb3 all runs: OK # git bisect good 14c914fcb515c424177bb6848cc2858ebfe717a8 Bisecting: 1132 revisions left to test after this (roughly 10 steps) [6f78b9acf04fbf9ede7f4265e7282f9fb39d2c8c] Merge tag 'mtd/for-5.10' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux testing commit 6f78b9acf04fbf9ede7f4265e7282f9fb39d2c8c with gcc (GCC) 10.2.1 20210217 kernel signature: 31b73b36e13bdb082f63aa5f16e1ab3cbe7bf8bfa53bcb1d15374bf48cf0608e run #0: crashed: KASAN: use-after-free Read in bcm_rx_handler run #1: crashed: KASAN: use-after-free Read in bcm_rx_handler run #2: crashed: KASAN: use-after-free Read in bcm_send_to_user run #3: crashed: KASAN: use-after-free Read in bcm_rx_handler run #4: crashed: KASAN: use-after-free Read in bcm_rx_handler run #5: crashed: KASAN: use-after-free Read in bcm_rx_handler run #6: crashed: KASAN: use-after-free Read in bcm_send_to_user run #7: crashed: KASAN: use-after-free Read in bcm_rx_handler run #8: crashed: KASAN: use-after-free Read in bcm_rx_handler run #9: crashed: KASAN: use-after-free Read in bcm_rx_handler # git bisect bad 6f78b9acf04fbf9ede7f4265e7282f9fb39d2c8c Bisecting: 672 revisions left to test after this (roughly 9 steps) [c4cf498dc0241fa2d758dba177634268446afb06] Merge branch 'akpm' (patches from Andrew) testing commit c4cf498dc0241fa2d758dba177634268446afb06 with gcc (GCC) 10.2.1 20210217 kernel signature: 86c253f4bfac7ff8b1f5937db02673abe2a48d55f4649cfb4853c5828260ba12 run #0: crashed: KASAN: use-after-free Read in bcm_rx_handler run #1: crashed: KASAN: use-after-free Read in bcm_rx_handler run #2: crashed: KASAN: use-after-free Read in bcm_send_to_user run #3: crashed: KASAN: use-after-free Read in bcm_rx_handler run #4: crashed: KASAN: use-after-free Read in bcm_send_to_user run #5: crashed: KASAN: use-after-free Read in bcm_rx_handler run #6: crashed: KASAN: use-after-free Read in bcm_rx_handler run #7: crashed: KASAN: use-after-free Read in bcm_send_to_user run #8: crashed: KASAN: use-after-free Read in bcm_send_to_user run #9: crashed: KASAN: use-after-free Read in bcm_rx_handler # git bisect bad c4cf498dc0241fa2d758dba177634268446afb06 Bisecting: 268 revisions left to test after this (roughly 8 steps) [ee92e4f1f95eb7b8820299f10fc5fba16d85cece] net/mlx5: Add NIC TX domain namespace testing commit ee92e4f1f95eb7b8820299f10fc5fba16d85cece with gcc (GCC) 8.4.1 20210217 kernel signature: 88da371e38aa0ae02bec28b66e33376024b505c0ed251ff5fc592c287448d388 run #0: crashed: KASAN: use-after-free Read in bcm_send_to_user run #1: crashed: KASAN: use-after-free Read in bcm_send_to_user run #2: crashed: KASAN: use-after-free Read in bcm_send_to_user run #3: crashed: KASAN: use-after-free Read in bcm_rx_changed run #4: crashed: KASAN: use-after-free Read in bcm_rx_handler run #5: crashed: KASAN: use-after-free Read in bcm_rx_handler run #6: crashed: KASAN: use-after-free Read in bcm_send_to_user run #7: crashed: KASAN: use-after-free Read in bcm_send_to_user run #8: crashed: KASAN: use-after-free Read in bcm_rx_handler run #9: crashed: KASAN: use-after-free Read in bcm_rx_handler # git bisect bad ee92e4f1f95eb7b8820299f10fc5fba16d85cece Bisecting: 133 revisions left to test after this (roughly 7 steps) [f97db2621b41b98e6e8e0fa8271db3a600fa6335] dt-bindings: can: rcar_can: Document r8a774e1 support testing commit f97db2621b41b98e6e8e0fa8271db3a600fa6335 with gcc (GCC) 8.4.1 20210217 kernel signature: afcd5e413504ca3ddbd85baf690852c6d26de7d53896510223e3877f0e3411f0 run #0: crashed: KASAN: use-after-free Read in bcm_rx_handler run #1: crashed: KASAN: use-after-free Read in bcm_send_to_user run #2: crashed: KASAN: use-after-free Read in bcm_rx_handler run #3: crashed: KASAN: use-after-free Read in bcm_send_to_user run #4: crashed: KASAN: use-after-free Read in bcm_send_to_user run #5: crashed: KASAN: use-after-free Read in bcm_send_to_user run #6: crashed: KASAN: use-after-free Read in bcm_send_to_user run #7: crashed: KASAN: use-after-free Read in bcm_rx_handler run #8: crashed: KASAN: use-after-free Read in bcm_send_to_user run #9: crashed: KASAN: use-after-free Read in bcm_rx_handler # git bisect bad f97db2621b41b98e6e8e0fa8271db3a600fa6335 Bisecting: 61 revisions left to test after this (roughly 6 steps) [321e921daa05dc32a1a89ae458169d7ef783cc84] Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next testing commit 321e921daa05dc32a1a89ae458169d7ef783cc84 with gcc (GCC) 8.4.1 20210217 kernel signature: df593b24f8d04e963d2d6653ad993d9978db79649a5fc327294a972e7ea4981a all runs: OK # git bisect good 321e921daa05dc32a1a89ae458169d7ef783cc84 Bisecting: 30 revisions left to test after this (roughly 5 steps) [e193c3ab8302908b1378fc0606be561e976d2532] net: atlantic: implement phy downshift feature testing commit e193c3ab8302908b1378fc0606be561e976d2532 with gcc (GCC) 8.4.1 20210217 kernel signature: 59430a4016d9d988d1ee9fa6d8246b22c3e289821cee8589c7f56621d08e66ed all runs: OK # git bisect good e193c3ab8302908b1378fc0606be561e976d2532 Bisecting: 15 revisions left to test after this (roughly 4 steps) [ff419afa43109e05d42d75629f21d9fd87f635ea] ethtool: trim policy tables testing commit ff419afa43109e05d42d75629f21d9fd87f635ea with gcc (GCC) 8.4.1 20210217 kernel signature: eab5d8e94d8134f1c4a1732e7749ba8b2ffb3734b89e96b663218c3de4d6738f all runs: OK # git bisect good ff419afa43109e05d42d75629f21d9fd87f635ea Bisecting: 7 revisions left to test after this (roughly 3 steps) [71e663c4a02213d1013a3def4ed10ca63769bbb2] can: c_can: reg_map_{c,d}_can: mark as __maybe_unused testing commit 71e663c4a02213d1013a3def4ed10ca63769bbb2 with gcc (GCC) 8.4.1 20210217 kernel signature: c1a9b1a56883454dac095b6a982c9a6d5d5d8fcc58e7934909784b9ca8f36c3c all runs: OK # git bisect good 71e663c4a02213d1013a3def4ed10ca63769bbb2 Bisecting: 3 revisions left to test after this (roughly 2 steps) [1c47fa6b31c2683f03bc2f9174902bb7dcd35d83] can: dev: add a helper function to calculate the duration of one bit testing commit 1c47fa6b31c2683f03bc2f9174902bb7dcd35d83 with gcc (GCC) 8.4.1 20210217 kernel signature: 99faed928c8db4cad7a980132b1980996975fc8a535fcee7163ddc8842b085a3 all runs: OK # git bisect good 1c47fa6b31c2683f03bc2f9174902bb7dcd35d83 Bisecting: 1 revision left to test after this (roughly 1 step) [df73446a2882a4336cad473d8eb9d895e49f092b] dt-bindings: can: rcar_can: Add r8a7742 support testing commit df73446a2882a4336cad473d8eb9d895e49f092b with gcc (GCC) 8.4.1 20210217 kernel signature: afcd5e413504ca3ddbd85baf690852c6d26de7d53896510223e3877f0e3411f0 run #0: crashed: KASAN: use-after-free Read in bcm_rx_handler run #1: crashed: KASAN: use-after-free Read in bcm_send_to_user run #2: crashed: KASAN: use-after-free Read in bcm_send_to_user run #3: crashed: KASAN: use-after-free Read in bcm_rx_handler run #4: crashed: KASAN: use-after-free Read in bcm_rx_handler run #5: crashed: KASAN: use-after-free Read in bcm_rx_handler run #6: crashed: KASAN: use-after-free Read in bcm_rx_handler run #7: crashed: KASAN: use-after-free Read in bcm_send_to_user run #8: crashed: KASAN: use-after-free Read in bcm_send_to_user run #9: crashed: KASAN: use-after-free Read in bcm_send_to_user # git bisect bad df73446a2882a4336cad473d8eb9d895e49f092b Bisecting: 0 revisions left to test after this (roughly 0 steps) [e057dd3fc20ffb3d7f150af46542a51b59b90127] can: add ISO 15765-2:2016 transport protocol testing commit e057dd3fc20ffb3d7f150af46542a51b59b90127 with gcc (GCC) 8.4.1 20210217 kernel signature: afcd5e413504ca3ddbd85baf690852c6d26de7d53896510223e3877f0e3411f0 run #0: crashed: KASAN: use-after-free Read in bcm_rx_handler run #1: crashed: KASAN: use-after-free Read in bcm_send_to_user run #2: crashed: KASAN: use-after-free Read in bcm_rx_handler run #3: crashed: KASAN: use-after-free Read in bcm_rx_handler run #4: crashed: KASAN: use-after-free Read in bcm_send_to_user run #5: crashed: KASAN: use-after-free Read in bcm_send_to_user run #6: crashed: KASAN: use-after-free Read in bcm_send_to_user run #7: crashed: KASAN: use-after-free Read in bcm_rx_handler run #8: crashed: KASAN: use-after-free Read in bcm_send_to_user run #9: crashed: KASAN: use-after-free Read in bcm_rx_handler # git bisect bad e057dd3fc20ffb3d7f150af46542a51b59b90127 e057dd3fc20ffb3d7f150af46542a51b59b90127 is the first bad commit commit e057dd3fc20ffb3d7f150af46542a51b59b90127 Author: Oliver Hartkopp Date: Mon Sep 28 22:04:04 2020 +0200 can: add ISO 15765-2:2016 transport protocol CAN Transport Protocols offer support for segmented Point-to-Point communication between CAN nodes via two defined CAN Identifiers. As CAN frames can only transport a small amount of data bytes (max. 8 bytes for 'classic' CAN and max. 64 bytes for CAN FD) this segmentation is needed to transport longer PDUs as needed e.g. for vehicle diagnosis (UDS, ISO 14229) or IP-over-CAN traffic. This protocol driver implements data transfers according to ISO 15765-2:2016 for 'classic' CAN and CAN FD frame types. Signed-off-by: Oliver Hartkopp Link: https://lore.kernel.org/r/20200928200404.82229-1-socketcan@hartkopp.net [mkl: Removed "WITH Linux-syscall-note" from isotp.c. Fixed indention, a checkpatch warning and typos. Replaced __u{8,32} by u{8,32}. Removed always false (optlen < 0) check in isotp_setsockopt().] Signed-off-by: Marc Kleine-Budde MAINTAINERS | 1 + include/uapi/linux/can/isotp.h | 166 +++++ net/can/Kconfig | 13 + net/can/Makefile | 3 + net/can/isotp.c | 1426 ++++++++++++++++++++++++++++++++++++++++ 5 files changed, 1609 insertions(+) create mode 100644 include/uapi/linux/can/isotp.h create mode 100644 net/can/isotp.c culprit signature: afcd5e413504ca3ddbd85baf690852c6d26de7d53896510223e3877f0e3411f0 parent signature: 99faed928c8db4cad7a980132b1980996975fc8a535fcee7163ddc8842b085a3 revisions tested: 19, total time: 4h8m17.484874645s (build: 2h10m51.327201174s, test: 1h54m41.396133817s) first bad commit: e057dd3fc20ffb3d7f150af46542a51b59b90127 can: add ISO 15765-2:2016 transport protocol recipients (to): ["davem@davemloft.net" "kuba@kernel.org" "linux-can@vger.kernel.org" "mkl@pengutronix.de" "mkl@pengutronix.de" "netdev@vger.kernel.org" "socketcan@hartkopp.net" "socketcan@hartkopp.net"] recipients (cc): ["linux-kernel@vger.kernel.org"] crash: KASAN: use-after-free Read in bcm_rx_handler ================================================================== BUG: KASAN: use-after-free in bcm_rx_handler+0x56a/0x700 net/can/bcm.c:671 Read of size 4 at addr ffff888088855818 by task syz-executor.2/11554 CPU: 1 PID: 11554 Comm: syz-executor.2 Not tainted 5.9.0-rc8-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x99/0xd0 lib/dump_stack.c:118 print_address_description.constprop.8.cold.9+0x9/0x503 mm/kasan/report.c:383 __kasan_report mm/kasan/report.c:513 [inline] kasan_report.cold.10+0x1f/0x37 mm/kasan/report.c:530 bcm_rx_handler+0x56a/0x700 net/can/bcm.c:671 deliver net/can/af_can.c:571 [inline] can_rcv_filter+0x36f/0x7b0 net/can/af_can.c:632 can_receive+0x255/0x480 net/can/af_can.c:658 can_rcv+0xd9/0x200 net/can/af_can.c:688 __netif_receive_skb_one_core+0x10b/0x180 net/core/dev.c:5302 process_backlog+0x1f8/0x6b0 net/core/dev.c:6306 napi_poll net/core/dev.c:6750 [inline] net_rx_action+0x442/0xf50 net/core/dev.c:6820 __do_softirq+0x1d5/0xa45 kernel/softirq.c:298 asm_call_irq_on_stack+0xf/0x20 __run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline] run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline] do_softirq_own_stack+0xa2/0xd0 arch/x86/kernel/irq_64.c:77 do_softirq.part.10+0x6f/0x80 kernel/softirq.c:343 netif_rx_ni+0x2af/0x480 net/core/dev.c:4836 can_send+0x391/0x780 net/can/af_can.c:287 isotp_sendmsg+0x6ae/0x1380 net/can/isotp.c:942 sock_sendmsg_nosec net/socket.c:651 [inline] sock_sendmsg+0xac/0xf0 net/socket.c:671 ____sys_sendmsg+0x57b/0x7a0 net/socket.c:2353 ___sys_sendmsg+0xe4/0x160 net/socket.c:2407 __sys_sendmsg+0xce/0x170 net/socket.c:2440 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x4665f9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f7ed3b01188 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 000000000056bf60 RCX: 00000000004665f9 RDX: 0000000000000004 RSI: 00000000200003c0 RDI: 0000000000000004 RBP: 00000000004bfce1 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf60 R13: 00007ffdc3c9dfdf R14: 00007f7ed3b01300 R15: 0000000000022000 Allocated by task 11565: kasan_save_stack+0x19/0x40 mm/kasan/common.c:48 kasan_set_track mm/kasan/common.c:56 [inline] __kasan_kmalloc mm/kasan/common.c:461 [inline] __kasan_kmalloc.constprop.14+0xc1/0xd0 mm/kasan/common.c:434 kmem_cache_alloc_trace+0x10e/0x1e0 mm/slub.c:2915 kmalloc include/linux/slab.h:554 [inline] kzalloc include/linux/slab.h:666 [inline] bcm_rx_setup net/can/bcm.c:1070 [inline] bcm_sendmsg+0x1b3a/0x40b8 net/can/bcm.c:1331 sock_sendmsg_nosec net/socket.c:651 [inline] sock_sendmsg+0xac/0xf0 net/socket.c:671 ____sys_sendmsg+0x57b/0x7a0 net/socket.c:2353 ___sys_sendmsg+0xe4/0x160 net/socket.c:2407 __sys_sendmsg+0xce/0x170 net/socket.c:2440 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Freed by task 11553: kasan_save_stack+0x19/0x40 mm/kasan/common.c:48 kasan_set_track+0x1c/0x30 mm/kasan/common.c:56 kasan_set_free_info+0x1b/0x30 mm/kasan/generic.c:355 __kasan_slab_free+0xfe/0x140 mm/kasan/common.c:422 slab_free_hook mm/slub.c:1544 [inline] slab_free_freelist_hook+0x5d/0x150 mm/slub.c:1577 slab_free mm/slub.c:3138 [inline] kfree+0xdd/0x660 mm/slub.c:4119 bcm_release+0x1ce/0x530 net/can/bcm.c:1506 __sock_release+0xbb/0x270 net/socket.c:596 sock_close+0xf/0x20 net/socket.c:1277 __fput+0x1ff/0x830 fs/file_table.c:281 task_work_run+0xc2/0x160 kernel/task_work.c:141 tracehook_notify_resume include/linux/tracehook.h:188 [inline] exit_to_user_mode_loop kernel/entry/common.c:165 [inline] exit_to_user_mode_prepare+0x1b6/0x1c0 kernel/entry/common.c:192 syscall_exit_to_user_mode+0x41/0x2a0 kernel/entry/common.c:267 entry_SYSCALL_64_after_hwframe+0x44/0xa9 The buggy address belongs to the object at ffff888088855800 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 24 bytes inside of 512-byte region [ffff888088855800, ffff888088855a00) The buggy address belongs to the page: page:000000000ef80ac7 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x88854 head:000000000ef80ac7 order:2 compound_mapcount:0 compound_pincount:0 flags: 0xfff00000010200(slab|head) raw: 00fff00000010200 dead000000000100 dead000000000122 ffff8880b5841280 raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC) set_page_owner include/linux/page_owner.h:31 [inline] post_alloc_hook mm/page_alloc.c:2219 [inline] prep_new_page+0x12f/0x240 mm/page_alloc.c:2225 get_page_from_freelist+0x1a3e/0x5d10 mm/page_alloc.c:3844 __alloc_pages_nodemask+0x2cd/0x7d0 mm/page_alloc.c:4895 alloc_pages include/linux/gfp.h:545 [inline] alloc_slab_page mm/slub.c:1615 [inline] allocate_slab+0x284/0x510 mm/slub.c:1758 new_slab mm/slub.c:1819 [inline] new_slab_objects mm/slub.c:2576 [inline] ___slab_alloc+0x49e/0x830 mm/slub.c:2737 __slab_alloc.isra.50+0xd2/0x170 mm/slub.c:2777 slab_alloc_node mm/slub.c:2852 [inline] slab_alloc mm/slub.c:2896 [inline] kmem_cache_alloc_trace+0x19e/0x1e0 mm/slub.c:2913 kmalloc include/linux/slab.h:554 [inline] kmalloc_array include/linux/slab.h:593 [inline] rtnl_newlink+0x43/0x80 net/core/rtnetlink.c:3496 rtnetlink_rcv_msg+0x353/0x8c0 net/core/rtnetlink.c:5563 netlink_rcv_skb+0x117/0x370 net/netlink/af_netlink.c:2489 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline] netlink_unicast+0x434/0x630 net/netlink/af_netlink.c:1330 netlink_sendmsg+0x766/0xc10 net/netlink/af_netlink.c:1919 sock_sendmsg_nosec net/socket.c:651 [inline] sock_sendmsg+0xac/0xf0 net/socket.c:671 __sys_sendto+0x1d2/0x2b0 net/socket.c:1992 __do_sys_sendto net/socket.c:2004 [inline] __se_sys_sendto net/socket.c:2000 [inline] __x64_sys_sendto+0xd8/0x1b0 net/socket.c:2000 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 page_owner free stack trace missing Memory state around the buggy address: ffff888088855700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888088855780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888088855800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888088855880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888088855900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================