bisecting cause commit starting from c63ee2939dc1c6eee6c544af1b4ab441490bfe6e
building syzkaller on 8098ea0f3397d5db00e4852b1b29d0958f2189c6
testing commit c63ee2939dc1c6eee6c544af1b4ab441490bfe6e with gcc (GCC) 8.1.0
kernel signature: 58ef780464e74dc1d897dd6341ed1c624a9a8cdb
all runs: crashed: KASAN: use-after-free Read in slip_open
testing release v4.19.84
testing commit c555efaf14026c7751fa68d87403a5eb5ae7dcaf with gcc (GCC) 8.1.0
kernel signature: 5a2a9a20be8033dd33375bda3723b002b2fc10a5
all runs: OK
# git bisect start c63ee2939dc1c6eee6c544af1b4ab441490bfe6e c555efaf14026c7751fa68d87403a5eb5ae7dcaf
Bisecting: 209 revisions left to test after this (roughly 8 steps)
[8ac08053744cdd9cc88c26857f5ff48583e995ac] ARM: dts: socfpga: Fix I2C bus unit-address error
testing commit 8ac08053744cdd9cc88c26857f5ff48583e995ac with gcc (GCC) 8.1.0
kernel signature: 2bae6e4fe6f0992885170d1ec3faf84c52ba09db
all runs: crashed: KASAN: use-after-free Read in slip_open
# git bisect bad 8ac08053744cdd9cc88c26857f5ff48583e995ac
Bisecting: 104 revisions left to test after this (roughly 7 steps)
[5dc1cbcff700b11bea1b5707d6ee0f95c2850e5c] net/mlx5: Fix atomic_mode enum values
testing commit 5dc1cbcff700b11bea1b5707d6ee0f95c2850e5c with gcc (GCC) 8.1.0
kernel signature: b33c9049f47e8a31460f4317e71af6b8da153d31
all runs: crashed: KASAN: use-after-free Read in slip_open
# git bisect bad 5dc1cbcff700b11bea1b5707d6ee0f95c2850e5c
Bisecting: 52 revisions left to test after this (roughly 6 steps)
[f7b2312c68a8d2aa376f8abc503238e429d69cc0] ALSA: seq: Do error checks at creating system ports
testing commit f7b2312c68a8d2aa376f8abc503238e429d69cc0 with gcc (GCC) 8.1.0
kernel signature: 811be39fa3f864eb83cdc93357cb0a27bef7f57e
all runs: crashed: KASAN: use-after-free Read in slip_open
# git bisect bad f7b2312c68a8d2aa376f8abc503238e429d69cc0
Bisecting: 25 revisions left to test after this (roughly 5 steps)
[5b1c342fc3e02784c0bb94fe90f24a50bd2934b3] iommu/vt-d: Fix QI_DEV_IOTLB_PFSID and QI_DEV_EIOTLB_PFSID macros
testing commit 5b1c342fc3e02784c0bb94fe90f24a50bd2934b3 with gcc (GCC) 8.1.0
kernel signature: 4861402e259a66b38af39272c4789c5106194fe2
all runs: crashed: KASAN: use-after-free Read in slip_open
# git bisect bad 5b1c342fc3e02784c0bb94fe90f24a50bd2934b3
Bisecting: 12 revisions left to test after this (roughly 4 steps)
[47d06a15f25a5b052204a5597fd0f59aa08329f3] Btrfs: fix log context list corruption after rename exchange operation
testing commit 47d06a15f25a5b052204a5597fd0f59aa08329f3 with gcc (GCC) 8.1.0
kernel signature: b57530341410db174ddae3711486d7e388de77c0
all runs: crashed: KASAN: use-after-free Read in slip_open
# git bisect bad 47d06a15f25a5b052204a5597fd0f59aa08329f3
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[0a772b2ac696f335551176c6ed7802b5c9399143] net: gemini: add missed free_netdev
testing commit 0a772b2ac696f335551176c6ed7802b5c9399143 with gcc (GCC) 8.1.0
kernel signature: 3cad730baf61a6f1749cb309a84470e45b6f425a
all runs: OK
# git bisect good 0a772b2ac696f335551176c6ed7802b5c9399143
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[a2c763cd9609cdbf3c0b88c887a4f2e440e4cb3c] ALSA: usb-audio: Fix missing error check at mixer resolution test
testing commit a2c763cd9609cdbf3c0b88c887a4f2e440e4cb3c with gcc (GCC) 8.1.0
kernel signature: c852ac635b290f6af4cd0d1882fb5516a982be06
all runs: crashed: KASAN: use-after-free Read in slip_open
# git bisect bad a2c763cd9609cdbf3c0b88c887a4f2e440e4cb3c
Bisecting: 0 revisions left to test after this (roughly 1 step)
[edc471038b4846b119d0b025f0336bf4b3e1ce23] slip: Fix memory leak in slip_open error path
testing commit edc471038b4846b119d0b025f0336bf4b3e1ce23 with gcc (GCC) 8.1.0
kernel signature: 7cf33de1278d631473245098c419517bfa7f410b
all runs: crashed: KASAN: use-after-free Read in slip_open
# git bisect bad edc471038b4846b119d0b025f0336bf4b3e1ce23
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[4cd50a31ac9e865ac4b52cba3337ae7207c534b4] net: usb: qmi_wwan: add support for Foxconn T77W968 LTE modules
testing commit 4cd50a31ac9e865ac4b52cba3337ae7207c534b4 with gcc (GCC) 8.1.0
kernel signature: b57c4b19edcac52b8de34a54404c46250dd4d57e
all runs: OK
# git bisect good 4cd50a31ac9e865ac4b52cba3337ae7207c534b4
edc471038b4846b119d0b025f0336bf4b3e1ce23 is the first bad commit
commit edc471038b4846b119d0b025f0336bf4b3e1ce23
Author: Jouni Hogander
Date:   Wed Nov 13 13:45:02 2019 +0200

    slip: Fix memory leak in slip_open error path

    [ Upstream commit 3b5a39979dafea9d0cd69c7ae06088f7a84cdafa ]

    Driver/net/can/slcan.c is derived from slip.c. Memory leak was detected
    by Syzkaller in slcan. Same issue exists in slip.c and this patch is
    addressing the leak in slip.c.

    Here is the slcan memory leak trace reported by Syzkaller:

    BUG: memory leak
    unreferenced object 0xffff888067f65500 (size 4096):
      comm "syz-executor043", pid 454, jiffies 4294759719 (age 11.930s)
      hex dump (first 32 bytes):
        73 6c 63 61 6e 30 00 00 00 00 00 00 00 00 00 00  slcan0..........
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      backtrace:
        [<00000000a06eec0d>] __kmalloc+0x18b/0x2c0
        [<0000000083306e66>] kvmalloc_node+0x3a/0xc0
        [<000000006ac27f87>] alloc_netdev_mqs+0x17a/0x1080
        [<0000000061a996c9>] slcan_open+0x3ae/0x9a0
        [<000000001226f0f9>] tty_ldisc_open.isra.1+0x76/0xc0
        [<0000000019289631>] tty_set_ldisc+0x28c/0x5f0
        [<000000004de5a617>] tty_ioctl+0x48d/0x1590
        [<00000000daef496f>] do_vfs_ioctl+0x1c7/0x1510
        [<0000000059068dbc>] ksys_ioctl+0x99/0xb0
        [<000000009a6eb334>] __x64_sys_ioctl+0x78/0xb0
        [<0000000053d0332e>] do_syscall_64+0x16f/0x580
        [<0000000021b83b99>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
        [<000000008ea75434>] 0xfffffffffffffff

    Cc: "David S. Miller"
    Cc: Oliver Hartkopp
    Cc: Lukas Bulwahn
    Signed-off-by: Jouni Hogander
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

 drivers/net/slip/slip.c | 1 +
 1 file changed, 1 insertion(+)

kernel signature: 7cf33de1278d631473245098c419517bfa7f410b
previous signature: b57c4b19edcac52b8de34a54404c46250dd4d57e
revisions tested: 11, total time: 2h35m19.705405216s (build: 1h32m57.464386567s, test: 58m57.757207972s)
first bad commit: edc471038b4846b119d0b025f0336bf4b3e1ce23 slip: Fix memory leak in slip_open error path
cc: ["davem@davemloft.net" "gregkh@linuxfoundation.org" "jouni.hogander@unikie.com" "lukas.bulwahn@gmail.com" "socketcan@hartkopp.net"]
crash: KASAN: use-after-free Read in slip_open
IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
==================================================================
BUG: KASAN: use-after-free in sl_sync drivers/net/slip/slip.c:725 [inline]
BUG: KASAN: use-after-free in slip_open+0xd87/0x10b4 drivers/net/slip/slip.c:801
Read of size 8 at addr ffff88808675f408 by task syz-executor.2/6943

CPU: 1 PID: 6943 Comm: syz-executor.2 Not tainted 4.19.84-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x123/0x177 lib/dump_stack.c:118
 print_address_description.cold.8+0x9/0x1ff mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.9+0x242/0x309 mm/kasan/report.c:412
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 sl_sync drivers/net/slip/slip.c:725 [inline]
 slip_open+0xd87/0x10b4 drivers/net/slip/slip.c:801
 tty_ldisc_open.isra.3+0x65/0xa0 drivers/tty/tty_ldisc.c:462
 tty_set_ldisc+0x252/0x5b0 drivers/tty/tty_ldisc.c:587
 tiocsetd drivers/tty/tty_io.c:2359 [inline]
 tty_ioctl+0x31e/0x1290 drivers/tty/tty_io.c:2603
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:501 [inline]
 do_vfs_ioctl+0x196/0x10c0 fs/ioctl.c:688
 ksys_ioctl+0x62/0x90 fs/ioctl.c:705
 __do_sys_ioctl fs/ioctl.c:712 [inline]
 __se_sys_ioctl fs/ioctl.c:710 [inline]
 __x64_sys_ioctl+0x6e/0xb0 fs/ioctl.c:710
 do_syscall_64+0xd0/0x4e0 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45a639
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fadf16d7c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fadf16d7c90 RCX: 000000000045a639
RDX: 00000000200003c0 RSI: 0000000000005423 RDI: 0000000000000003
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fadf16d86d4
R13: 00000000004c52b4 R14: 00000000004da170 R15: 0000000000000004

Allocated by task 6938:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:553
 __do_kmalloc_node mm/slab.c:3689 [inline]
 __kmalloc_node+0x50/0x70 mm/slab.c:3696
 kmalloc_node include/linux/slab.h:557 [inline]
 kvmalloc_node+0x68/0x70 mm/util.c:423
 kvmalloc include/linux/mm.h:577 [inline]
 kvzalloc include/linux/mm.h:585 [inline]
 alloc_netdev_mqs+0x5d/0xc00 net/core/dev.c:8945
 sl_alloc drivers/net/slip/slip.c:751 [inline]
 slip_open+0x300/0x10b4 drivers/net/slip/slip.c:812
 tty_ldisc_open.isra.3+0x65/0xa0 drivers/tty/tty_ldisc.c:462
 tty_set_ldisc+0x252/0x5b0 drivers/tty/tty_ldisc.c:587
 tiocsetd drivers/tty/tty_io.c:2359 [inline]
 tty_ioctl+0x31e/0x1290 drivers/tty/tty_io.c:2603
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:501 [inline]
 do_vfs_ioctl+0x196/0x10c0 fs/ioctl.c:688
 ksys_ioctl+0x62/0x90 fs/ioctl.c:705
 __do_sys_ioctl fs/ioctl.c:712 [inline]
 __se_sys_ioctl fs/ioctl.c:710 [inline]
 __x64_sys_ioctl+0x6e/0xb0 fs/ioctl.c:710
 do_syscall_64+0xd0/0x4e0 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 6938:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3503 [inline]
 kfree+0xcf/0x220 mm/slab.c:3822
 kvfree+0x2c/0x30 mm/util.c:452
 netdev_freemem net/core/dev.c:8899 [inline]
 free_netdev+0x312/0x3d0 net/core/dev.c:9048
 slip_open+0xb61/0x10b4 drivers/net/slip/slip.c:858
 tty_ldisc_open.isra.3+0x65/0xa0 drivers/tty/tty_ldisc.c:462
 tty_set_ldisc+0x252/0x5b0 drivers/tty/tty_ldisc.c:587
 tiocsetd drivers/tty/tty_io.c:2359 [inline]
 tty_ioctl+0x31e/0x1290 drivers/tty/tty_io.c:2603
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:501 [inline]
 do_vfs_ioctl+0x196/0x10c0 fs/ioctl.c:688
 ksys_ioctl+0x62/0x90 fs/ioctl.c:705
 __do_sys_ioctl fs/ioctl.c:712 [inline]
 __se_sys_ioctl fs/ioctl.c:710 [inline]
 __x64_sys_ioctl+0x6e/0xb0 fs/ioctl.c:710
 do_syscall_64+0xd0/0x4e0 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff88808675e940
 which belongs to the cache kmalloc-4096 of size 4096
The buggy address is located 2760 bytes inside of
 4096-byte region [ffff88808675e940, ffff88808675f940)
The buggy address belongs to the page:
page:ffffea000219d780 count:1 mapcount:0 mapping:ffff88812c35edc0 index:0x0 compound_mapcount: 0
flags: 0x1fffc0000008100(slab|head)
raw: 01fffc0000008100 ffffea0002201488 ffffea000219cb08 ffff88812c35edc0
raw: 0000000000000000 ffff88808675e940 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88808675f300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88808675f380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88808675f400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff88808675f480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88808675f500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================