bisecting cause commit starting from 1590a2e1c681b0991bd42c992cabfd380e0338f2 building syzkaller on ffec44b5d1e024359410f6ba8d5e965973ede8f5 testing commit 1590a2e1c681b0991bd42c992cabfd380e0338f2 with gcc (GCC) 8.1.0 kernel signature: 659aa500ee492ff926fc2406dc5103c6f7bf170116263312278992c3a1fd3a5a all runs: crashed: KASAN: use-after-free Read in macvlan_dev_get_iflink testing release v5.7 testing commit 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162 with gcc (GCC) 8.1.0 kernel signature: 311baa9a021a52a69bd2c7fb1b68bbcd333db14e697d14fcdf303542a567cfd1 all runs: OK # git bisect start 1590a2e1c681b0991bd42c992cabfd380e0338f2 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162 Bisecting: 7906 revisions left to test after this (roughly 13 steps) [762a3af6faa0682e5b30b67b1db156c7df55f2c7] exec: open code copy_string_kernel testing commit 762a3af6faa0682e5b30b67b1db156c7df55f2c7 with gcc (GCC) 8.1.0 kernel signature: 50172edc611af84972910d63f5d8a57f2c672364c4c887436f769d956983a727 run #0: crashed: KASAN: use-after-free Read in macvlan_dev_get_iflink run #1: crashed: KASAN: use-after-free Read in macvlan_dev_get_iflink run #2: crashed: WARNING in print_bfs_bug run #3: crashed: WARNING in print_bfs_bug run #4: crashed: WARNING in print_bfs_bug run #5: crashed: WARNING in print_bfs_bug run #6: crashed: WARNING in print_bfs_bug run #7: OK run #8: basic kernel testing failed: failed to copy test binary to VM: timedout ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/syzkaller/jobs/linux/workdir/image/key" "/tmp/syz-executor528559821" "root@10.128.10.62:./syz-executor528559821"] Warning: Permanently added '10.128.10.62' (ECDSA) to the list of known hosts. run #9: basic kernel testing failed: failed to copy test binary to VM: timedout ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/syzkaller/jobs/linux/workdir/image/key" "/tmp/syz-executor308705736" "root@10.128.0.86:./syz-executor308705736"] Warning: Permanently added '10.128.0.86' (ECDSA) to the list of known hosts. # git bisect bad 762a3af6faa0682e5b30b67b1db156c7df55f2c7 Bisecting: 3953 revisions left to test after this (roughly 12 steps) [86ec2da037b85436b63afe3df43ed48fa0e52b0e] mm/thp: rename pmd_mknotpresent() as pmd_mkinvalid() testing commit 86ec2da037b85436b63afe3df43ed48fa0e52b0e with gcc (GCC) 8.1.0 kernel signature: 084bccf96affe846d7495c88d09048025a8321cbc3d3030f6594074df2e18169 all runs: OK # git bisect good 86ec2da037b85436b63afe3df43ed48fa0e52b0e Bisecting: 1869 revisions left to test after this (roughly 11 steps) [3248044ecf9f91900be5678919966715f1fb8834] Merge tag 'wireless-drivers-next-2020-05-25' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers-next testing commit 3248044ecf9f91900be5678919966715f1fb8834 with gcc (GCC) 8.1.0 kernel signature: 6fbbfca4bc0b195bb602e147e5b428dd3796e173c2357d63c4132d0a985e8715 run #0: crashed: KASAN: use-after-free Read in macvlan_dev_get_iflink run #1: crashed: KASAN: use-after-free Read in macvlan_dev_get_iflink run #2: crashed: KASAN: use-after-free Read in macvlan_dev_get_iflink run #3: basic kernel testing failed: failed to copy test binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/syzkaller/jobs/linux/workdir/image/key" "/tmp/syz-executor711033310" "root@10.128.15.203:./syz-executor711033310"]: exit status 1 Connection timed out during banner exchange lost connection run #4: crashed: WARNING in print_bfs_bug run #5: crashed: WARNING in print_bfs_bug run #6: crashed: WARNING in print_bfs_bug run #7: crashed: WARNING in print_bfs_bug run #8: crashed: WARNING in print_bfs_bug run #9: OK # git bisect bad 3248044ecf9f91900be5678919966715f1fb8834 Bisecting: 970 revisions left to test after this (roughly 10 steps) [5d9e4722c74e8868d5fe2f8749de80928eb4a1d1] Merge tag 'wireless-drivers-next-2020-05-07' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers-next testing commit 5d9e4722c74e8868d5fe2f8749de80928eb4a1d1 with gcc (GCC) 8.1.0 kernel signature: 16c0329b0dd1eaa9c16830eae992821683eb1d3b301f39460bbd22905309e886 run #0: crashed: KASAN: use-after-free Read in macvlan_dev_get_iflink run #1: crashed: KASAN: use-after-free Read in macvlan_dev_get_iflink run #2: crashed: KASAN: use-after-free Read in macvlan_dev_get_iflink run #3: crashed: KASAN: use-after-free Read in macvlan_dev_get_iflink run #4: crashed: KASAN: use-after-free Read in macvlan_dev_get_iflink run #5: crashed: WARNING in print_bfs_bug run #6: crashed: WARNING in print_bfs_bug run #7: crashed: WARNING in print_bfs_bug run #8: crashed: WARNING in print_bfs_bug run #9: basic kernel testing failed: failed to copy test binary to VM: timedout ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/syzkaller/jobs/linux/workdir/image/key" "/tmp/syz-executor251889990" "root@10.128.15.199:./syz-executor251889990"] # git bisect bad 5d9e4722c74e8868d5fe2f8749de80928eb4a1d1 Bisecting: 556 revisions left to test after this (roughly 9 steps) [da4063bdfcfa70ec57a6c25f772ac6378b1584ad] netlink: allow NLA_MSECS to have range validation testing commit da4063bdfcfa70ec57a6c25f772ac6378b1584ad with gcc (GCC) 8.1.0 kernel signature: b82ec69865d046e794216f2b0b15fc2913d3dc2d796d00195ebfc56f9512f72c all runs: OK # git bisect good da4063bdfcfa70ec57a6c25f772ac6378b1584ad Bisecting: 278 revisions left to test after this (roughly 8 steps) [58618ef85546726cf27c38ddc1b022c703b7a6ad] net: nxp: Fix use correct return type for ndo_start_xmit() testing commit 58618ef85546726cf27c38ddc1b022c703b7a6ad with gcc (GCC) 8.1.0 kernel signature: dd23e2ae7dcca5a6c8f8b9b66469be175ec751bbbd582d4d5be53742924c0056 run #0: crashed: KASAN: use-after-free Read in macvlan_dev_get_iflink run #1: crashed: KASAN: use-after-free Read in macvlan_dev_get_iflink run #2: crashed: KASAN: use-after-free Read in macvlan_dev_get_iflink run #3: crashed: WARNING in print_bfs_bug run #4: crashed: WARNING in print_bfs_bug run #5: crashed: WARNING in print_bfs_bug run #6: crashed: WARNING in print_bfs_bug run #7: crashed: WARNING in print_bfs_bug run #8: crashed: WARNING in print_bfs_bug run #9: basic kernel testing failed: failed to copy test binary to VM: timedout ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/syzkaller/jobs/linux/workdir/image/key" "/tmp/syz-executor427402410" "root@10.128.1.22:./syz-executor427402410"] Warning: Permanently added '10.128.1.22' (ECDSA) to the list of known hosts. # git bisect bad 58618ef85546726cf27c38ddc1b022c703b7a6ad Bisecting: 163 revisions left to test after this (roughly 7 steps) [5b95dea31636ce93660930d16172fe75589b2e70] Merge branch 'net-smc-extent-buffer-mapping-and-port-handling' testing commit 5b95dea31636ce93660930d16172fe75589b2e70 with gcc (GCC) 8.1.0 kernel signature: d1d82df4e5df9ff1177479483649201bb622656d4c7f804a3381fbce82aafde5 all runs: OK # git bisect good 5b95dea31636ce93660930d16172fe75589b2e70 Bisecting: 81 revisions left to test after this (roughly 6 steps) [80f8443fcdaa27871a233d08e9142612e6ade77c] net: ena: avoid unnecessary admin command when RSS function set fails testing commit 80f8443fcdaa27871a233d08e9142612e6ade77c with gcc (GCC) 8.1.0 kernel signature: 4a0f49b5c4c326770d8691a0420d18eec2201dc8ef0985913e44ec178c2104bb all runs: OK # git bisect good 80f8443fcdaa27871a233d08e9142612e6ade77c Bisecting: 40 revisions left to test after this (roughly 5 steps) [f0ec4f1d32ad49a23b93156949208dd9348e3590] net/smc: save state of last sent CDC message testing commit f0ec4f1d32ad49a23b93156949208dd9348e3590 with gcc (GCC) 8.1.0 kernel signature: 790c3ad0fea63bb4fc79ae7772cd073d8875c755b03a81e52cdc1dac3c6fecdb all runs: OK # git bisect good f0ec4f1d32ad49a23b93156949208dd9348e3590 Bisecting: 19 revisions left to test after this (roughly 4 steps) [09be4c47abe384fe8bd6a6f25012013acacc7729] Merge branch 'net-ipa-I-O-map-SMEM-and-IMEM' testing commit 09be4c47abe384fe8bd6a6f25012013acacc7729 with gcc (GCC) 8.1.0 kernel signature: dc5b158174b6bf9b6c12390197ca6524b09e6ef931041c037adc744fd539311e all runs: OK # git bisect good 09be4c47abe384fe8bd6a6f25012013acacc7729 Bisecting: 9 revisions left to test after this (roughly 3 steps) [885a26bae0223cac7f939a4a549f2df6c7f89bbd] arm64: dts: ti: k3-am65-mcu: add cpsw cpts node testing commit 885a26bae0223cac7f939a4a549f2df6c7f89bbd with gcc (GCC) 8.1.0 kernel signature: 1467be7857939d52c37584fe64d51905aaee5654485814b38a9cc22f2143f265 all runs: OK # git bisect good 885a26bae0223cac7f939a4a549f2df6c7f89bbd Bisecting: 4 revisions left to test after this (roughly 2 steps) [1a33e10e4a95cb109ff1145098175df3113313ef] net: partially revert dynamic lockdep key changes testing commit 1a33e10e4a95cb109ff1145098175df3113313ef with gcc (GCC) 8.1.0 kernel signature: 69e1c78ae0a013f4d0e0dbc7418a1138fe5d1bfd58605bf652ca2aaea8b407eb run #0: crashed: KASAN: use-after-free Read in macvlan_dev_get_iflink run #1: crashed: KASAN: use-after-free Read in macvlan_dev_get_iflink run #2: crashed: KASAN: use-after-free Read in macvlan_dev_get_iflink run #3: crashed: WARNING in print_bfs_bug run #4: crashed: WARNING in print_bfs_bug run #5: crashed: WARNING in print_bfs_bug run #6: crashed: WARNING in print_bfs_bug run #7: crashed: WARNING in print_bfs_bug run #8: crashed: WARNING in print_bfs_bug run #9: basic kernel testing failed: failed to copy test binary to VM: timedout ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/syzkaller/jobs/linux/workdir/image/key" "/tmp/syz-executor884587094" "root@10.128.15.202:./syz-executor884587094"] # git bisect bad 1a33e10e4a95cb109ff1145098175df3113313ef Bisecting: 2 revisions left to test after this (roughly 1 step) [29390928fe9a7cac7f8b1479f0f285034f16eb6f] arm64: dts: ti: k3-j721e-mcu: add mcu cpsw cpts node testing commit 29390928fe9a7cac7f8b1479f0f285034f16eb6f with gcc (GCC) 8.1.0 kernel signature: a2ff3676a985f09af572d2715b2d2e7e7b68e75fd7157ecac7517a483086fa95 all runs: OK # git bisect good 29390928fe9a7cac7f8b1479f0f285034f16eb6f Bisecting: 0 revisions left to test after this (roughly 1 step) [ea84c842900872f5b8d6d4754cf0fa37d6672011] Merge branch 'net-ethernet-ti-k3-introduce-common-platform-time-sync-driver-cpts' testing commit ea84c842900872f5b8d6d4754cf0fa37d6672011 with gcc (GCC) 8.1.0 kernel signature: 8c305b7b3c6dc9ba0590a9204d0c8cde23a0b3ecb3fa554e5486954c37c625af all runs: OK # git bisect good ea84c842900872f5b8d6d4754cf0fa37d6672011 1a33e10e4a95cb109ff1145098175df3113313ef is the first bad commit commit 1a33e10e4a95cb109ff1145098175df3113313ef Author: Cong Wang Date: Sat May 2 22:22:19 2020 -0700 net: partially revert dynamic lockdep key changes This patch reverts the folowing commits: commit 064ff66e2bef84f1153087612032b5b9eab005bd "bonding: add missing netdev_update_lockdep_key()" commit 53d374979ef147ab51f5d632dfe20b14aebeccd0 "net: avoid updating qdisc_xmit_lock_key in netdev_update_lockdep_key()" commit 1f26c0d3d24125992ab0026b0dab16c08df947c7 "net: fix kernel-doc warning in " commit ab92d68fc22f9afab480153bd82a20f6e2533769 "net: core: add generic lockdep keys" but keeps the addr_list_lock_key because we still lock addr_list_lock nestedly on stack devices, unlikely xmit_lock this is safe because we don't take addr_list_lock on any fast path. Reported-and-tested-by: syzbot+aaa6fa4949cc5d9b7b25@syzkaller.appspotmail.com Cc: Dmitry Vyukov Cc: Taehee Yoo Signed-off-by: Cong Wang Acked-by: Taehee Yoo Signed-off-by: David S. Miller drivers/net/bonding/bond_main.c | 1 + drivers/net/ethernet/netronome/nfp/nfp_net_repr.c | 16 ++++ drivers/net/hamradio/bpqether.c | 20 +++++ drivers/net/hyperv/netvsc_drv.c | 2 + drivers/net/ipvlan/ipvlan_main.c | 2 + drivers/net/macsec.c | 2 + drivers/net/macvlan.c | 2 + drivers/net/ppp/ppp_generic.c | 2 + drivers/net/team/team.c | 1 + drivers/net/vrf.c | 1 + drivers/net/wireless/intersil/hostap/hostap_hw.c | 22 ++++++ include/linux/netdevice.h | 27 +++++-- net/8021q/vlan_dev.c | 21 ++++++ net/batman-adv/soft-interface.c | 30 ++++++++ net/bluetooth/6lowpan.c | 8 ++ net/core/dev.c | 90 ++++++++++++++++++----- net/dsa/slave.c | 12 +++ net/ieee802154/6lowpan/core.c | 8 ++ net/l2tp/l2tp_eth.c | 1 + net/netrom/af_netrom.c | 21 ++++++ net/rose/af_rose.c | 21 ++++++ net/sched/sch_generic.c | 17 +++-- 22 files changed, 294 insertions(+), 33 deletions(-) culprit signature: 69e1c78ae0a013f4d0e0dbc7418a1138fe5d1bfd58605bf652ca2aaea8b407eb parent signature: 8c305b7b3c6dc9ba0590a9204d0c8cde23a0b3ecb3fa554e5486954c37c625af revisions tested: 16, total time: 4h32m39.531295041s (build: 1h36m49.590328627s, test: 2h53m57.901452212s) first bad commit: 1a33e10e4a95cb109ff1145098175df3113313ef net: partially revert dynamic lockdep key changes cc: ["ap420073@gmail.com" "davem@davemloft.net" "syzbot+aaa6fa4949cc5d9b7b25@syzkaller.appspotmail.com" "xiyou.wangcong@gmail.com"] crash: WARNING in print_bfs_bug ------------[ cut here ]------------ lockdep bfs error:-1 WARNING: CPU: 0 PID: 26 at kernel/locking/lockdep.c:1733 print_bfs_bug+0x138/0x1d0 kernel/locking/lockdep.c:1733 Kernel panic - not syncing: panic_on_warn set ... CPU: 0 PID: 26 Comm: kworker/u4:2 Not tainted 5.7.0-rc2-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: netns cleanup_net Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x128/0x182 lib/dump_stack.c:118 panic+0x22a/0x4e3 kernel/panic.c:221 __warn.cold.10+0x25/0x26 kernel/panic.c:582 report_bug+0x1ad/0x270 lib/bug.c:195 fixup_bug arch/x86/kernel/traps.c:175 [inline] do_error_trap+0x123/0x210 arch/x86/kernel/traps.c:267 do_invalid_op+0x31/0x40 arch/x86/kernel/traps.c:286 invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027 RIP: 0010:print_bfs_bug+0x138/0x1d0 kernel/locking/lockdep.c:1733 Code: 07 00 74 2d 48 c7 c7 00 00 8a 8b e8 c2 6a 01 00 66 90 45 85 e4 75 05 5b 5d 41 5c c3 89 ee 48 c7 c7 80 d5 8a 87 e8 54 30 ed ff <0f> 0b 5b 5d 41 5c c3 0f 0b e8 da 6a f8 01 85 c0 74 d6 48 c7 c7 10 RSP: 0018:ffffc90000e276a0 EFLAGS: 00010082 RAX: 0000000000000000 RBX: ffff8880a943c040 RCX: 0000000000000000 RDX: 0000000000000002 RSI: 0000000000000007 RDI: ffffffff8b8e41a0 RBP: 00000000ffffffff R08: ffffed1015d045f1 R09: ffffed1015d045f1 R10: ffff8880ae822f83 R11: ffffed1015d045f0 R12: 0000000000000001 R13: ffff8880a943c9d0 R14: ffff8880a943c9a8 R15: 0000000000000893 check_path+0x36/0x40 kernel/locking/lockdep.c:1809 check_noncircular+0x171/0x400 kernel/locking/lockdep.c:1834 check_prev_add kernel/locking/lockdep.c:2515 [inline] check_prevs_add kernel/locking/lockdep.c:2620 [inline] validate_chain kernel/locking/lockdep.c:3237 [inline] __lock_acquire+0x24be/0x3690 kernel/locking/lockdep.c:4355 lock_acquire+0x1e3/0x970 kernel/locking/lockdep.c:4934 __mutex_lock_common kernel/locking/mutex.c:956 [inline] __mutex_lock+0x153/0x13e0 kernel/locking/mutex.c:1103 nsim_destroy+0x24/0x60 drivers/net/netdevsim/netdev.c:329 __nsim_dev_port_del+0x126/0x1d0 drivers/net/netdevsim/dev.c:934 nsim_dev_port_del_all+0x73/0xc0 drivers/net/netdevsim/dev.c:947 nsim_dev_reload_destroy+0x54/0xe0 drivers/net/netdevsim/dev.c:1123 nsim_dev_reload_down+0x50/0xb0 drivers/net/netdevsim/dev.c:703 devlink_reload+0xa3/0x330 net/core/devlink.c:2797 devlink_pernet_pre_exit+0xdb/0x150 net/core/devlink.c:9282 ops_pre_exit_list net/core/net_namespace.c:176 [inline] cleanup_net+0x3d4/0x910 net/core/net_namespace.c:591 process_one_work+0x908/0x15d0 kernel/workqueue.c:2268 worker_thread+0x82/0xb50 kernel/workqueue.c:2414 kthread+0x340/0x410 kernel/kthread.c:268 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 Kernel Offset: disabled Rebooting in 86400 seconds..