bisecting fixing commit since 6b6446efedb27c2766745a04f9b5d4449f51391d
building syzkaller on cba33199be220cbf61f7c0c8223d88a25a913d6f
testing commit 6b6446efedb27c2766745a04f9b5d4449f51391d with gcc (GCC) 8.4.1 20210217
kernel signature: 27b714e8759ea46789a36a0d1d439aa0c8df1cf59fb8d9af5b6dd4e923c3c959
all runs: crashed: KASAN: use-after-free Read in ieee80211_ibss_build_presp
testing current HEAD cf256fbcbe347b7d0ff58fe2dfa382a156bd3694
testing commit cf256fbcbe347b7d0ff58fe2dfa382a156bd3694 with gcc (GCC) 8.4.1 20210217
kernel signature: 9fe5a42001aef309cfd89ff67bc86ae5c8ebe21aefe7a5139e7fae13a1852826
all runs: OK
# git bisect start cf256fbcbe347b7d0ff58fe2dfa382a156bd3694 6b6446efedb27c2766745a04f9b5d4449f51391d
Bisecting: 743 revisions left to test after this (roughly 10 steps)
[b5ea72b2da495ec40035b5dfccf72c0d840aba9a] irqchip/mips-cpu: Set IPI domain parent chip
testing commit b5ea72b2da495ec40035b5dfccf72c0d840aba9a with gcc (GCC) 8.4.1 20210217
kernel signature: d5a118310b8a5664c7c98d33ae8da66cdf0636c60d38d1fecdbe23804d823177
all runs: crashed: KASAN: use-after-free Read in ieee80211_ibss_build_presp
# git bisect good b5ea72b2da495ec40035b5dfccf72c0d840aba9a
Bisecting: 371 revisions left to test after this (roughly 9 steps)
[8f78d999ce48b6fa466c14e1669e2d9f671d3df0] staging: most: sound: add sanity check for function argument
testing commit 8f78d999ce48b6fa466c14e1669e2d9f671d3df0 with gcc (GCC) 8.4.1 20210217
kernel signature: acd559684c153d5ac1b94229faf9d2edc3d0d874928e99fce01aa27e87b4e366
all runs: crashed: KASAN: use-after-free Read in ieee80211_ibss_build_presp
# git bisect good 8f78d999ce48b6fa466c14e1669e2d9f671d3df0
Bisecting: 185 revisions left to test after this (roughly 8 steps)
[0a4605f18c8a0a28f111bb3292626e0195c5e67f] net: wan: fix error return code of uhdlc_init()
testing commit 0a4605f18c8a0a28f111bb3292626e0195c5e67f with gcc (GCC) 8.4.1 20210217
kernel signature: 82a95994c0ac9fe7e023d42de21afce9ae75177d953d53a7dad5ba7dd942e879
all runs: crashed: KASAN: use-after-free Read in ieee80211_ibss_build_presp
# git bisect good 0a4605f18c8a0a28f111bb3292626e0195c5e67f
Bisecting: 92 revisions left to test after this (roughly 7 steps)
[5b00c605a81f39fa5cc89f64778443c5eae6620d] cdc-acm: fix BREAK rx code path adding necessary calls
testing commit 5b00c605a81f39fa5cc89f64778443c5eae6620d with gcc (GCC) 8.4.1 20210217
kernel signature: 1c0e169e4b189a7401918f292e09d6b69edf846ede03253640c6b67ec2aae72c
all runs: OK
# git bisect bad 5b00c605a81f39fa5cc89f64778443c5eae6620d
Bisecting: 46 revisions left to test after this (roughly 6 steps)
[769207ad6afb31189fe3f6ff9a5b95c8926feeb5] can: peak_usb: Revert "can: peak_usb: add forgotten supported devices"
testing commit 769207ad6afb31189fe3f6ff9a5b95c8926feeb5 with gcc (GCC) 8.4.1 20210217
kernel signature: 110dfd5abd608bdb12f64d723c9e34695924c17136572cdd11b07f110f04a604
all runs: OK
# git bisect bad 769207ad6afb31189fe3f6ff9a5b95c8926feeb5
Bisecting: 22 revisions left to test after this (roughly 5 steps)
[e7e81fdefa0149ea0a2e7efe3aa429f324c204b0] ftgmac100: Restart MAC HW once
testing commit e7e81fdefa0149ea0a2e7efe3aa429f324c204b0 with gcc (GCC) 8.4.1 20210217
kernel signature: 7ea33e83013d4e8a5cc6f885f436e088e8f8887098541c1a436ef1d69648bea9
all runs: crashed: KASAN: use-after-free Read in ieee80211_ibss_build_presp
# git bisect good e7e81fdefa0149ea0a2e7efe3aa429f324c204b0
Bisecting: 11 revisions left to test after this (roughly 4 steps)
[aea037bb753c7aa647d8754635af972cc58ebe3f] RDMA/cxgb4: Fix adapter LE hash errors while destroying ipv6 listening server
testing commit aea037bb753c7aa647d8754635af972cc58ebe3f with gcc (GCC) 8.4.1 20210217
kernel signature: 3cecb7cbc91eea98576d75d3f1259b6b7c2a5ca1f46d425ebcc573e4c05834bc
all runs: crashed: KASAN: use-after-free Read in ieee80211_ibss_build_presp
# git bisect good aea037bb753c7aa647d8754635af972cc58ebe3f
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[b8edc965a2e3c382a4437461f96d5d589835af9b] locking/mutex: Fix non debug version of mutex_lock_io_nested()
testing commit b8edc965a2e3c382a4437461f96d5d589835af9b with gcc (GCC) 8.4.1 20210217
kernel signature: 54a79ea1519125a962abe2f808f29058ab6e6be17ac450544bc5b974bb57f33d
all runs: crashed: KASAN: use-after-free Read in ieee80211_ibss_build_presp
# git bisect good b8edc965a2e3c382a4437461f96d5d589835af9b
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[749d2e33bfbacb3112cbfaafde75e507cb46c67d] net: qrtr: fix a kernel-infoleak in qrtr_recvmsg()
testing commit 749d2e33bfbacb3112cbfaafde75e507cb46c67d with gcc (GCC) 8.4.1 20210217
kernel signature: 511eeddc33ef53341d7b719f147ed9c1b9652bbb0f1d5a11587c6fe578e89e08
all runs: crashed: KASAN: use-after-free Read in ieee80211_ibss_build_presp
# git bisect good 749d2e33bfbacb3112cbfaafde75e507cb46c67d
Bisecting: 0 revisions left to test after this (roughly 1 step)
[e436212b3f7e14e7cfe209915a240242e381a85d] ext4: add reclaim checks to xattr code
testing commit e436212b3f7e14e7cfe209915a240242e381a85d with gcc (GCC) 8.4.1 20210217
kernel signature: ced087f97d3651dd8ba7bcc2df61c3579bd7db1e6ea37fb0b594750567b5aead
all runs: OK
# git bisect bad e436212b3f7e14e7cfe209915a240242e381a85d
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[d2ddd5417f6d5be4421068434408e716787cf1b3] mac80211: fix double free in ibss_leave
testing commit d2ddd5417f6d5be4421068434408e716787cf1b3 with gcc (GCC) 8.4.1 20210217
kernel signature: 6ec28eaaf8047f1fcf63915d64480f8e847733c20594ba19bfc3ceb8a98ed98a
all runs: OK
# git bisect bad d2ddd5417f6d5be4421068434408e716787cf1b3
d2ddd5417f6d5be4421068434408e716787cf1b3 is the first bad commit
commit d2ddd5417f6d5be4421068434408e716787cf1b3
Author: Markus Theil
Date:   Sat Feb 13 14:36:53 2021 +0100

    mac80211: fix double free in ibss_leave

    commit 3bd801b14e0c5d29eeddc7336558beb3344efaa3 upstream.

    Clear beacon ie pointer and ie length after free
    in order to prevent double free.

    ==================================================================
    BUG: KASAN: double-free or invalid-free \
    in ieee80211_ibss_leave+0x83/0xe0 net/mac80211/ibss.c:1876

    CPU: 0 PID: 8472 Comm: syz-executor100 Not tainted 5.11.0-rc6-syzkaller #0
    Call Trace:
     __dump_stack lib/dump_stack.c:79 [inline]
     dump_stack+0x107/0x163 lib/dump_stack.c:120
     print_address_description.constprop.0.cold+0x5b/0x2c6 mm/kasan/report.c:230
     kasan_report_invalid_free+0x51/0x80 mm/kasan/report.c:355
     ____kasan_slab_free+0xcc/0xe0 mm/kasan/common.c:341
     kasan_slab_free include/linux/kasan.h:192 [inline]
     __cache_free mm/slab.c:3424 [inline]
     kfree+0xed/0x270 mm/slab.c:3760
     ieee80211_ibss_leave+0x83/0xe0 net/mac80211/ibss.c:1876
     rdev_leave_ibss net/wireless/rdev-ops.h:545 [inline]
     __cfg80211_leave_ibss+0x19a/0x4c0 net/wireless/ibss.c:212
     __cfg80211_leave+0x327/0x430 net/wireless/core.c:1172
     cfg80211_leave net/wireless/core.c:1221 [inline]
     cfg80211_netdev_notifier_call+0x9e8/0x12c0 net/wireless/core.c:1335
     notifier_call_chain+0xb5/0x200 kernel/notifier.c:83
     call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:2040
     call_netdevice_notifiers_extack net/core/dev.c:2052 [inline]
     call_netdevice_notifiers net/core/dev.c:2066 [inline]
     __dev_close_many+0xee/0x2e0 net/core/dev.c:1586
     __dev_close net/core/dev.c:1624 [inline]
     __dev_change_flags+0x2cb/0x730 net/core/dev.c:8476
     dev_change_flags+0x8a/0x160 net/core/dev.c:8549
     dev_ifsioc+0x210/0xa70 net/core/dev_ioctl.c:265
     dev_ioctl+0x1b1/0xc40 net/core/dev_ioctl.c:511
     sock_do_ioctl+0x148/0x2d0 net/socket.c:1060
     sock_ioctl+0x477/0x6a0 net/socket.c:1177
     vfs_ioctl fs/ioctl.c:48 [inline]
     __do_sys_ioctl fs/ioctl.c:753 [inline]
     __se_sys_ioctl fs/ioctl.c:739 [inline]
     __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739
     do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
     entry_SYSCALL_64_after_hwframe+0x44/0xa9

    Reported-by: syzbot+93976391bf299d425f44@syzkaller.appspotmail.com
    Signed-off-by: Markus Theil
    Link: https://lore.kernel.org/r/20210213133653.367130-1-markus.theil@tu-ilmenau.de
    Signed-off-by: Johannes Berg
    Signed-off-by: Greg Kroah-Hartman

 net/mac80211/ibss.c | 2 ++
 1 file changed, 2 insertions(+)

culprit signature: 6ec28eaaf8047f1fcf63915d64480f8e847733c20594ba19bfc3ceb8a98ed98a
parent signature: 511eeddc33ef53341d7b719f147ed9c1b9652bbb0f1d5a11587c6fe578e89e08
revisions tested: 13, total time: 2h55m36.60227983s (build: 1h34m6.984846312s, test: 1h20m29.064539574s)
first good commit: d2ddd5417f6d5be4421068434408e716787cf1b3 mac80211: fix double free in ibss_leave
recipients (to): ["gregkh@linuxfoundation.org" "johannes.berg@intel.com" "markus.theil@tu-ilmenau.de"]
recipients (cc): []