bisecting cause commit starting from 4a94c43323342f1522034d6566c5129a7386a0ab building syzkaller on 36650b4b2c942bc382314dce384d311fbadd1208 testing commit 4a94c43323342f1522034d6566c5129a7386a0ab with gcc (GCC) 8.1.0 kernel signature: f599e33bf708f57fcc32ed71b7d5d3d66c12086b run #0: crashed: KASAN: use-after-free Read in j1939_tp_txtimer run #1: crashed: KASAN: slab-out-of-bounds Read in j1939_tp_txtimer run #2: crashed: KASAN: use-after-free Read in j1939_tp_txtimer run #3: crashed: KASAN: slab-out-of-bounds Read in j1939_tp_txtimer run #4: crashed: KASAN: slab-out-of-bounds Read in j1939_tp_txtimer run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK testing release v5.4 testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0 kernel signature: 4c0337f4527aaba854d0efb8fd62086d2b378f58 run #0: crashed: KASAN: use-after-free Read in j1939_tp_txtimer run #1: crashed: KASAN: slab-out-of-bounds Read in j1939_tp_txtimer run #2: crashed: KASAN: slab-out-of-bounds Read in j1939_tp_txtimer run #3: crashed: KASAN: slab-out-of-bounds Read in j1939_tp_txtimer run #4: crashed: KASAN: slab-out-of-bounds Read in j1939_tp_txtimer run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK testing release v5.3 testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.1.0 kernel signature: e9901708b22f3808e009d38c3e8db0ee984f7af2 all runs: OK # git bisect start 219d54332a09e8d8741c1e1982f5eae56099de85 4d856f72c10ecb060868ed10ff1b1453943fc6c8 Bisecting: 7882 revisions left to test after this (roughly 13 steps) [a9f8b38a071b468276a243ea3ea5a0636e848cf2] Merge tag 'for-linus-5.4-1' of git://github.com/cminyard/linux-ipmi testing commit a9f8b38a071b468276a243ea3ea5a0636e848cf2 with gcc (GCC) 8.1.0 kernel signature: 22367190b2ab9a21d5cbf789c9faa432b563cd40 run #0: crashed: KASAN: use-after-free Read in j1939_session_get_by_addr run #1: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #2: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #3: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #4: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #5: crashed: KASAN: use-after-free Read in j1939_session_get_by_addr run #6: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #7: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #8: crashed: KASAN: use-after-free Write in j1939_sock_pending_del run #9: crashed: KASAN: use-after-free Read in j1939_session_get_by_addr # git bisect bad a9f8b38a071b468276a243ea3ea5a0636e848cf2 Bisecting: 3920 revisions left to test after this (roughly 12 steps) [fe38bd6862074c0a2b9be7f31f043aaa70b2af5f] Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm testing commit fe38bd6862074c0a2b9be7f31f043aaa70b2af5f with gcc (GCC) 8.1.0 kernel signature: 7cc3ab368bbeca27635a8e33ad1d4b42e30da131 all runs: OK # git bisect good fe38bd6862074c0a2b9be7f31f043aaa70b2af5f Bisecting: 1962 revisions left to test after this (roughly 11 steps) [069841ef8293697e951c34f9a45601b77fb541d7] Merge branch '40GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/jkirsher/next-queue testing commit 069841ef8293697e951c34f9a45601b77fb541d7 with gcc (GCC) 8.1.0 kernel signature: 771341dab546bc2baaa002a740fa25fe0f7e4168 run #0: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #1: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #2: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #3: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #4: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #5: crashed: KASAN: use-after-free Write in j1939_sock_pending_del run #6: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #7: crashed: KASAN: use-after-free Write in j1939_sock_pending_del run #8: crashed: KASAN: use-after-free Read in j1939_session_get_by_addr run #9: crashed: KASAN: use-after-free Read in j1939_session_get_by_addr # git bisect bad 069841ef8293697e951c34f9a45601b77fb541d7 Bisecting: 978 revisions left to test after this (roughly 10 steps) [f33bf6b00f20c9d26c42dfdaf8b83c2b0c1e6f71] net: stmmac: dwmac-meson: use devm_platform_ioremap_resource() to simplify code testing commit f33bf6b00f20c9d26c42dfdaf8b83c2b0c1e6f71 with gcc (GCC) 8.1.0 kernel signature: e6d712f1459beaa52655f5ce53c5a5b73a2b6ae2 all runs: OK # git bisect good f33bf6b00f20c9d26c42dfdaf8b83c2b0c1e6f71 Bisecting: 487 revisions left to test after this (roughly 9 steps) [67e974c3ae21c8ced474eae3ce9261a6f827e95c] Merge tag 'iwlwifi-next-for-kalle-2019-09-06' of git://git.kernel.org/pub/scm/linux/kernel/git/iwlwifi/iwlwifi-next testing commit 67e974c3ae21c8ced474eae3ce9261a6f827e95c with gcc (GCC) 8.1.0 kernel signature: e988f755bbe2ba7d08d513cc3c046046c680e331 all runs: OK # git bisect good 67e974c3ae21c8ced474eae3ce9261a6f827e95c Bisecting: 212 revisions left to test after this (roughly 8 steps) [1e46c09ec10049a9e366153b32e41cc557383fdb] Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next testing commit 1e46c09ec10049a9e366153b32e41cc557383fdb with gcc (GCC) 8.1.0 kernel signature: 752c8ccabf63f582b8b6357740733608c0891bb7 run #0: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #1: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #2: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #3: crashed: KASAN: use-after-free Read in j1939_session_get_by_addr run #4: crashed: KASAN: use-after-free Write in j1939_sock_pending_del run #5: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #6: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #7: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #8: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #9: crashed: KASAN: use-after-free Read in j1939_session_deactivate # git bisect bad 1e46c09ec10049a9e366153b32e41cc557383fdb Bisecting: 137 revisions left to test after this (roughly 7 steps) [7d993c5f86aa308b00c2fd420fe5208da18125e2] gianfar: remove forward declarations testing commit 7d993c5f86aa308b00c2fd420fe5208da18125e2 with gcc (GCC) 8.1.0 kernel signature: 3d2c3c63da1a1e6766823090e454a6dbe5789bb8 run #0: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #1: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #2: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #3: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #4: crashed: KASAN: use-after-free Read in j1939_session_get_by_addr run #5: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #6: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #7: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #8: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #9: crashed: INFO: rcu detected stall in hrtimer_run_softirq # git bisect bad 7d993c5f86aa308b00c2fd420fe5208da18125e2 Bisecting: 68 revisions left to test after this (roughly 6 steps) [aa3198819bea60f65f22cd771baf2ff038f59df1] ionic: Add RSS support testing commit aa3198819bea60f65f22cd771baf2ff038f59df1 with gcc (GCC) 8.1.0 kernel signature: 6715bee2bee560ad09f6d89956e648f63e34959e all runs: OK # git bisect good aa3198819bea60f65f22cd771baf2ff038f59df1 Bisecting: 36 revisions left to test after this (roughly 5 steps) [8330f73fe9742f201f467639f8356cf58756fb9f] rocker: add missing init_net check in FIB notifier testing commit 8330f73fe9742f201f467639f8356cf58756fb9f with gcc (GCC) 8.1.0 kernel signature: 6a32753d79ec2cce328bceb8a15d80a527b985fb all runs: OK # git bisect good 8330f73fe9742f201f467639f8356cf58756fb9f Bisecting: 18 revisions left to test after this (roughly 4 steps) [9868b5d44f3df9dd75247acd23dddff0a42f79be] can: introduce CAN_REQUIRED_SIZE macro testing commit 9868b5d44f3df9dd75247acd23dddff0a42f79be with gcc (GCC) 8.1.0 kernel signature: aceea6dee3fc3b27e14f232bcb77f60f3e8ab10b all runs: OK # git bisect good 9868b5d44f3df9dd75247acd23dddff0a42f79be Bisecting: 9 revisions left to test after this (roughly 3 steps) [4647e021193d638d3c87d1f1b9a5f7f7a48f36a3] net: stmmac: selftests: Add selftest for L3/L4 Filters testing commit 4647e021193d638d3c87d1f1b9a5f7f7a48f36a3 with gcc (GCC) 8.1.0 kernel signature: d249c71ab84c5cd6aa6b7ab83e80f9442f33f8ff run #0: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #1: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #2: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #3: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #4: crashed: KASAN: use-after-free Read in j1939_session_get_by_addr run #5: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #6: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #7: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #8: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #9: crashed: KASAN: use-after-free Read in j1939_session_get_by_addr # git bisect bad 4647e021193d638d3c87d1f1b9a5f7f7a48f36a3 Bisecting: 4 revisions left to test after this (roughly 2 steps) [44c40910b66f786d33ffd2682ef38750eebb567c] Merge tag 'linux-can-next-for-5.4-20190904' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can-next testing commit 44c40910b66f786d33ffd2682ef38750eebb567c with gcc (GCC) 8.1.0 kernel signature: 807e79e298ee813f0925934de1e7fd19f529455e run #0: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #1: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #2: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #3: crashed: KASAN: use-after-free Read in j1939_session_get_by_addr run #4: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #5: crashed: KASAN: slab-out-of-bounds Read in j1939_tp_txtimer run #6: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #7: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #8: crashed: KASAN: use-after-free Write in j1939_sock_pending_del run #9: crashed: KASAN: use-after-free Read in j1939_session_deactivate # git bisect bad 44c40910b66f786d33ffd2682ef38750eebb567c Bisecting: 1 revision left to test after this (roughly 1 step) [f5223e9eee651e005c0f6d6d078909087601b7e9] can: extend sockaddr_can to include j1939 members testing commit f5223e9eee651e005c0f6d6d078909087601b7e9 with gcc (GCC) 8.1.0 kernel signature: 5130c3d493c6a64d5b614beb49eef7750a454840 all runs: OK # git bisect good f5223e9eee651e005c0f6d6d078909087601b7e9 Bisecting: 0 revisions left to test after this (roughly 0 steps) [9d71dd0c70099914fcd063135da3c580865e924c] can: add support of SAE J1939 protocol testing commit 9d71dd0c70099914fcd063135da3c580865e924c with gcc (GCC) 8.1.0 kernel signature: 7730fa2fec0a940bef32d0386b322f360e7a9e38 run #0: crashed: KASAN: use-after-free Write in j1939_sock_pending_del run #1: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #2: crashed: KASAN: use-after-free Write in j1939_sock_pending_del run #3: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #4: crashed: KASAN: use-after-free Read in j1939_session_get_by_addr run #5: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #6: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #7: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #8: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #9: crashed: KASAN: use-after-free Read in j1939_session_deactivate # git bisect bad 9d71dd0c70099914fcd063135da3c580865e924c 9d71dd0c70099914fcd063135da3c580865e924c is the first bad commit commit 9d71dd0c70099914fcd063135da3c580865e924c Author: The j1939 authors Date: Mon Oct 8 11:48:36 2018 +0200 can: add support of SAE J1939 protocol SAE J1939 is the vehicle bus recommended practice used for communication and diagnostics among vehicle components. Originating in the car and heavy-duty truck industry in the United States, it is now widely used in other parts of the world. J1939, ISO 11783 and NMEA 2000 all share the same high level protocol. SAE J1939 can be considered the replacement for the older SAE J1708 and SAE J1587 specifications. Acked-by: Oliver Hartkopp Signed-off-by: Bastian Stender Signed-off-by: Elenita Hinds Signed-off-by: kbuild test robot Signed-off-by: Kurt Van Dijck Signed-off-by: Maxime Jayat Signed-off-by: Robin van der Gracht Signed-off-by: Oleksij Rempel Signed-off-by: Marc Kleine-Budde Documentation/networking/index.rst | 1 + Documentation/networking/j1939.rst | 422 ++++++++ MAINTAINERS | 10 + include/linux/can/can-ml.h | 3 + include/uapi/linux/can/j1939.h | 99 ++ net/can/Kconfig | 2 + net/can/Makefile | 2 + net/can/j1939/Kconfig | 15 + net/can/j1939/Makefile | 10 + net/can/j1939/address-claim.c | 230 ++++ net/can/j1939/bus.c | 333 ++++++ net/can/j1939/j1939-priv.h | 338 ++++++ net/can/j1939/main.c | 403 +++++++ net/can/j1939/socket.c | 1160 +++++++++++++++++++++ net/can/j1939/transport.c | 2027 ++++++++++++++++++++++++++++++++++++ 15 files changed, 5055 insertions(+) create mode 100644 Documentation/networking/j1939.rst create mode 100644 include/uapi/linux/can/j1939.h create mode 100644 net/can/j1939/Kconfig create mode 100644 net/can/j1939/Makefile create mode 100644 net/can/j1939/address-claim.c create mode 100644 net/can/j1939/bus.c create mode 100644 net/can/j1939/j1939-priv.h create mode 100644 net/can/j1939/main.c create mode 100644 net/can/j1939/socket.c create mode 100644 net/can/j1939/transport.c culprit signature: 7730fa2fec0a940bef32d0386b322f360e7a9e38 parent signature: 5130c3d493c6a64d5b614beb49eef7750a454840 revisions tested: 17, total time: 3h58m31.978553176s (build: 1h40m48.038584334s, test: 2h16m37.042274879s) first bad commit: 9d71dd0c70099914fcd063135da3c580865e924c can: add support of SAE J1939 protocol cc: ["bst@pengutronix.de" "dev.kurt@vandijck-laurijssen.be" "ecathinds@gmail.com" "linux-can@vger.kernel.org" "lkp@intel.com" "maxime.jayat@mobile-devices.fr" "mkl@pengutronix.de" "o.rempel@pengutronix.de" "robin@protonic.nl" "socketcan@hartkopp.net"] crash: KASAN: use-after-free Read in j1939_session_deactivate ================================================================== BUG: KASAN: use-after-free in j1939_session_deactivate+0x78/0x80 net/can/j1939/transport.c:1033 Read of size 8 at addr ffff8880a5d36000 by task ksoftirqd/0/9 CPU: 0 PID: 9 Comm: ksoftirqd/0 Not tainted 5.3.0-rc7-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x113/0x167 lib/dump_stack.c:113 print_address_description.cold.8+0x9/0x318 mm/kasan/report.c:351 __kasan_report.cold.9+0x1b/0x3f mm/kasan/report.c:482 kasan_report+0x12/0x17 mm/kasan/common.c:618 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132 j1939_session_deactivate+0x78/0x80 net/can/j1939/transport.c:1033 j1939_session_deactivate_activate_next+0xd/0x20 net/can/j1939/transport.c:1041 j1939_tp_rxtimer+0xc1/0x241 net/can/j1939/transport.c:1150 __run_hrtimer kernel/time/hrtimer.c:1389 [inline] __hrtimer_run_queues+0x32f/0xb50 kernel/time/hrtimer.c:1451 hrtimer_run_softirq+0x16c/0x250 kernel/time/hrtimer.c:1465 __do_softirq+0x262/0x9a8 kernel/softirq.c:292 run_ksoftirqd+0x94/0x100 kernel/softirq.c:603 smpboot_thread_fn+0x55f/0x8b0 kernel/smpboot.c:165 kthread+0x331/0x3f0 kernel/kthread.c:255 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 Allocated by task 7954: save_stack+0x21/0x90 mm/kasan/common.c:69 set_track mm/kasan/common.c:77 [inline] __kasan_kmalloc.constprop.13+0xc7/0xd0 mm/kasan/common.c:493 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:507 kmem_cache_alloc_trace+0x15b/0x780 mm/slab.c:3550 kmalloc include/linux/slab.h:552 [inline] kzalloc include/linux/slab.h:748 [inline] j1939_session_new+0x6a/0x3b0 net/can/j1939/transport.c:1384 j1939_tp_send+0x1a8/0x5d0 net/can/j1939/transport.c:1846 j1939_sk_send_loop net/can/j1939/socket.c:995 [inline] j1939_sk_sendmsg+0x9f0/0x1260 net/can/j1939/socket.c:1100 sock_sendmsg_nosec net/socket.c:637 [inline] sock_sendmsg+0xb5/0xf0 net/socket.c:657 kernel_sendmsg+0x26/0x30 net/socket.c:677 sock_no_sendpage+0xfd/0x140 net/core/sock.c:2730 kernel_sendpage+0x60/0xd0 net/socket.c:3682 sock_sendpage+0x6d/0xd0 net/socket.c:935 pipe_to_sendpage+0x212/0x430 fs/splice.c:449 splice_from_pipe_feed fs/splice.c:500 [inline] __splice_from_pipe+0x2d2/0x720 fs/splice.c:624 splice_from_pipe+0xbb/0x120 fs/splice.c:659 generic_splice_sendpage+0x10/0x20 fs/splice.c:829 do_splice_from fs/splice.c:848 [inline] direct_splice_actor+0x104/0x1c0 fs/splice.c:1020 splice_direct_to_actor+0x303/0x870 fs/splice.c:975 do_splice_direct+0x14c/0x270 fs/splice.c:1063 do_sendfile+0x481/0xd10 fs/read_write.c:1464 __do_sys_sendfile64 fs/read_write.c:1525 [inline] __se_sys_sendfile64 fs/read_write.c:1511 [inline] __x64_sys_sendfile64+0x198/0x1e0 fs/read_write.c:1511 do_syscall_64+0xd0/0x540 arch/x86/entry/common.c:296 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 9: save_stack+0x21/0x90 mm/kasan/common.c:69 set_track mm/kasan/common.c:77 [inline] __kasan_slab_free+0x102/0x150 mm/kasan/common.c:455 kasan_slab_free+0xe/0x10 mm/kasan/common.c:463 __cache_free mm/slab.c:3425 [inline] kfree+0x108/0x2c0 mm/slab.c:3756 j1939_session_destroy net/can/j1939/transport.c:272 [inline] __j1939_session_release+0xb1/0x110 net/can/j1939/transport.c:280 kref_put include/linux/kref.h:65 [inline] j1939_session_put net/can/j1939/transport.c:285 [inline] j1939_session_deactivate_locked+0x20b/0x2b0 net/can/j1939/transport.c:1021 j1939_session_deactivate+0x38/0x80 net/can/j1939/transport.c:1032 j1939_session_deactivate_activate_next+0xd/0x20 net/can/j1939/transport.c:1041 j1939_tp_rxtimer+0xc1/0x241 net/can/j1939/transport.c:1150 __run_hrtimer kernel/time/hrtimer.c:1389 [inline] __hrtimer_run_queues+0x32f/0xb50 kernel/time/hrtimer.c:1451 hrtimer_run_softirq+0x16c/0x250 kernel/time/hrtimer.c:1465 __do_softirq+0x262/0x9a8 kernel/softirq.c:292 The buggy address belongs to the object at ffff8880a5d36000 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 0 bytes inside of 512-byte region [ffff8880a5d36000, ffff8880a5d36200) The buggy address belongs to the page: page:ffffea0002974d80 refcount:1 mapcount:0 mapping:ffff8880aa400a80 index:0x0 flags: 0xfffe0000000200(slab) raw: 00fffe0000000200 ffffea0002627948 ffffea0002a39ec8 ffff8880aa400a80 raw: 0000000000000000 ffff8880a5d36000 0000000100000006 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880a5d35f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8880a5d35f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8880a5d36000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8880a5d36080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880a5d36100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================