bisecting fixing commit since 4710e78940d8d957f24b8f085f961f1279f8fbff
building syzkaller on 8bd6bd63656d411729c450d452e1355b42adf900
testing commit 4710e78940d8d957f24b8f085f961f1279f8fbff with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in crypto_gcm_init_common
testing current HEAD 296d05cb0d3c9f4648e31abb8ce404ac6915d66c
testing commit 296d05cb0d3c9f4648e31abb8ce404ac6915d66c with gcc (GCC) 8.1.0
all runs: OK
# git bisect start 296d05cb0d3c9f4648e31abb8ce404ac6915d66c 4710e78940d8d957f24b8f085f961f1279f8fbff
Bisecting: 29987 revisions left to test after this (roughly 15 steps)
[a43d05086c5e88e62e11be595dd1966ab08f3803] Merge branch 'bpf-sysctl-hook'
testing commit a43d05086c5e88e62e11be595dd1966ab08f3803 with gcc (GCC) 8.1.0
all runs: crashed: INFO: task hung in tls_sw_free_resources_tx
# git bisect good a43d05086c5e88e62e11be595dd1966ab08f3803
Bisecting: 14993 revisions left to test after this (roughly 14 steps)
[c681edae33e86ff27be2d6cc717663d91df20b0e] net: ipv4: move tcp_fastopen server side code to SipHash library
testing commit c681edae33e86ff27be2d6cc717663d91df20b0e with gcc (GCC) 8.1.0
all runs: crashed: INFO: task hung in tls_sw_free_resources_tx
# git bisect good c681edae33e86ff27be2d6cc717663d91df20b0e
Bisecting: 7551 revisions left to test after this (roughly 13 steps)
[90c6260c1905a68fb596844087f2223bd4657fee] iio: adc: gyroadc: fix uninitialized return code
testing commit 90c6260c1905a68fb596844087f2223bd4657fee with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 90c6260c1905a68fb596844087f2223bd4657fee
Bisecting: 3706 revisions left to test after this (roughly 12 steps)
[4cdd5f9186bbe80306e76f11da7ecb0b9720433c] Merge tag 'sound-5.3-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound
testing commit 4cdd5f9186bbe80306e76f11da7ecb0b9720433c with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 4cdd5f9186bbe80306e76f11da7ecb0b9720433c
Bisecting: 1872 revisions left to test after this (roughly 11 steps)
[090bc5a2a91499c1fd64b78d125daa6ca5531d38] Merge branch 'ras-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
testing commit 090bc5a2a91499c1fd64b78d125daa6ca5531d38 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 090bc5a2a91499c1fd64b78d125daa6ca5531d38
Bisecting: 923 revisions left to test after this (roughly 10 steps)
[b7b8a44f3abab51cc2772c5ced2fe2f51a1ad2b8] Merge tag 'char-misc-5.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc
testing commit b7b8a44f3abab51cc2772c5ced2fe2f51a1ad2b8 with gcc (GCC) 8.1.0
all runs: crashed: INFO: task hung in tls_sw_free_resources_tx
# git bisect good b7b8a44f3abab51cc2772c5ced2fe2f51a1ad2b8
Bisecting: 494 revisions left to test after this (roughly 9 steps)
[278ecbf027c3c559deb225f0cf53a23b7672dacf] Merge tag 'm68k-for-v5.3-tag1' of git://git.kernel.org/pub/scm/linux/kernel/git/geert/linux-m68k
testing commit 278ecbf027c3c559deb225f0cf53a23b7672dacf with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 278ecbf027c3c559deb225f0cf53a23b7672dacf
Bisecting: 216 revisions left to test after this (roughly 8 steps)
[f8b5c72227618780f49e53fb77b0e7ddb2996552] Merge tag 'arc-5.2-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/vgupta/arc
testing commit f8b5c72227618780f49e53fb77b0e7ddb2996552 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad f8b5c72227618780f49e53fb77b0e7ddb2996552
Bisecting: 104 revisions left to test after this (roughly 7 steps)
[c88e40e07cd967dcdf37321a63ab6e8b0d881100] Merge tag 'mfd-fixes-5.2-1' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/mfd
testing commit c88e40e07cd967dcdf37321a63ab6e8b0d881100 with gcc (GCC) 8.1.0
all runs: crashed: INFO: task hung in tls_sw_free_resources_tx
# git bisect good c88e40e07cd967dcdf37321a63ab6e8b0d881100
Bisecting: 50 revisions left to test after this (roughly 6 steps)
[fe2da896fd9469317ff693fb08a86d9c435e101a] Merge tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc
testing commit fe2da896fd9469317ff693fb08a86d9c435e101a with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad fe2da896fd9469317ff693fb08a86d9c435e101a
Bisecting: 26 revisions left to test after this (roughly 5 steps)
[89ed5b519004a7706f50b70f611edbd3aaacff2c] af_packet: Block execution of tasks waiting for transmit to complete in AF_PACKET
testing commit 89ed5b519004a7706f50b70f611edbd3aaacff2c with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 89ed5b519004a7706f50b70f611edbd3aaacff2c
Bisecting: 13 revisions left to test after this (roughly 4 steps)
[38c73529de13e1e10914de7030b659a2f8b01c3b] ipv4: Use return value of inet_iif() for __raw_v4_lookup in the while loop
testing commit 38c73529de13e1e10914de7030b659a2f8b01c3b with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 38c73529de13e1e10914de7030b659a2f8b01c3b
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[c492d4c74dd3f87559883ffa0f94a8f1ae3fe5f5] tipc: change to use register_pernet_device
testing commit c492d4c74dd3f87559883ffa0f94a8f1ae3fe5f5 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in timer_is_static_object
run #1: crashed: INFO: task hung in tls_sw_free_resources_tx
run #2: crashed: INFO: task hung in tls_sw_free_resources_tx
run #3: crashed: INFO: task hung in tls_sw_free_resources_tx
run #4: crashed: INFO: task hung in tls_sw_free_resources_tx
run #5: crashed: INFO: task hung in tls_sw_free_resources_tx
run #6: crashed: INFO: task hung in tls_sw_free_resources_tx
run #7: crashed: INFO: task hung in tls_sw_free_resources_tx
run #8: crashed: INFO: task hung in tls_sw_free_resources_tx
run #9: crashed: INFO: task hung in tls_sw_free_resources_tx
# git bisect good c492d4c74dd3f87559883ffa0f94a8f1ae3fe5f5
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[55655e3d1197fff16a7a05088fb0e5eba50eac55] net/packet: fix memory leak in packet_set_ring()
testing commit 55655e3d1197fff16a7a05088fb0e5eba50eac55 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 55655e3d1197fff16a7a05088fb0e5eba50eac55
Bisecting: 0 revisions left to test after this (roughly 1 step)
[9354544cbccf68da1b047f8fb7b47630e3c8a59d] net/tls: fix page double free on TX cleanup
testing commit 9354544cbccf68da1b047f8fb7b47630e3c8a59d with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 9354544cbccf68da1b047f8fb7b47630e3c8a59d
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[45d5cb137c3638b3a310f41b31d8e79daf647f14] net/sched: cbs: Fix error path of cbs_module_init
testing commit 45d5cb137c3638b3a310f41b31d8e79daf647f14 with gcc (GCC) 8.1.0
all runs: crashed: INFO: task hung in tls_sw_free_resources_tx
# git bisect good 45d5cb137c3638b3a310f41b31d8e79daf647f14
9354544cbccf68da1b047f8fb7b47630e3c8a59d is the first bad commit
commit 9354544cbccf68da1b047f8fb7b47630e3c8a59d
Author: Dirk van der Merwe
Date: Sun Jun 23 21:26:58 2019 -0700

    net/tls: fix page double free on TX cleanup

    With commit 94850257cf0f ("tls: Fix tls_device handling of partial records")
    a new path was introduced to cleanup partial records during sk_proto_close.
    This path does not handle the SW KTLS tx_list cleanup.

    This is unnecessary though since the free_resources calls for both
    SW and offload paths will cleanup a partial record.

    The visible effect is the following warning, but this bug also causes
    a page double free.

    WARNING: CPU: 7 PID: 4000 at net/core/stream.c:206 sk_stream_kill_queues+0x103/0x110
    RIP: 0010:sk_stream_kill_queues+0x103/0x110
    RSP: 0018:ffffb6df87e07bd0 EFLAGS: 00010206
    RAX: 0000000000000000 RBX: ffff8c21db4971c0 RCX: 0000000000000007
    RDX: ffffffffffffffa0 RSI: 000000000000001d RDI: ffff8c21db497270
    RBP: ffff8c21db497270 R08: ffff8c29f4748600 R09: 000000010020001a
    R10: ffffb6df87e07aa0 R11: ffffffff9a445600 R12: 0000000000000007
    R13: 0000000000000000 R14: ffff8c21f03f2900 R15: ffff8c21f03b8df0
    Call Trace:
     inet_csk_destroy_sock+0x55/0x100
     tcp_close+0x25d/0x400
     ? tcp_check_oom+0x120/0x120
     tls_sk_proto_close+0x127/0x1c0
     inet_release+0x3c/0x60
     __sock_release+0x3d/0xb0
     sock_close+0x11/0x20
     __fput+0xd8/0x210
     task_work_run+0x84/0xa0
     do_exit+0x2dc/0xb90
     ? release_sock+0x43/0x90
     do_group_exit+0x3a/0xa0
     get_signal+0x295/0x720
     do_signal+0x36/0x610
     ? SYSC_recvfrom+0x11d/0x130
     exit_to_usermode_loop+0x69/0xb0
     do_syscall_64+0x173/0x180
     entry_SYSCALL_64_after_hwframe+0x3d/0xa2
    RIP: 0033:0x7fe9b9abc10d
    RSP: 002b:00007fe9b19a1d48 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
    RAX: fffffffffffffe00 RBX: 0000000000000006 RCX: 00007fe9b9abc10d
    RDX: 0000000000000002 RSI: 0000000000000080 RDI: 00007fe948003430
    RBP: 00007fe948003410 R08: 00007fe948003430 R09: 0000000000000000
    R10: 0000000000000000 R11: 0000000000000246 R12: 00005603739d9080
    R13: 00007fe9b9ab9f90 R14: 00007fe948003430 R15: 0000000000000000

    Fixes: 94850257cf0f ("tls: Fix tls_device handling of partial records")
    Signed-off-by: Dirk van der Merwe
    Signed-off-by: Jakub Kicinski
    Signed-off-by: David S. Miller

:040000 040000 5c481ba84ec096a90f55c96dc0d67e4634d388b1 632d773f9b15266b803afd662e9ff53f5726a008 M include
:040000 040000 de7436eb222b0d800f51ecb877bb6e3ae8173cb1 b84eeeb5d81c837eb3e6c9baffb1099ea1f12e6e M net
revisions tested: 18, total time: 4h41m21.031359829s (build: 1h41m52.61834467s, test: 2h53m22.079943109s)
first good commit: 9354544cbccf68da1b047f8fb7b47630e3c8a59d net/tls: fix page double free on TX cleanup
cc: ["aviadye@mellanox.com" "borisp@mellanox.com" "daniel@iogearbox.net" "davejwatson@fb.com" "davem@davemloft.net" "dirk.vandermerwe@netronome.com" "jakub.kicinski@netronome.com" "john.fastabend@gmail.com" "linux-kernel@vger.kernel.org" "netdev@vger.kernel.org"]