bisecting cause commit starting from 32ef9553635ab1236c33951a8bd9b5af1c3b1646 building syzkaller on a76bf83ffac5c0bed0a686f8ebc98c74bfb34a0c testing commit 32ef9553635ab1236c33951a8bd9b5af1c3b1646 with gcc (GCC) 8.1.0 kernel signature: 326351f3b6cbb8c40ae0372cec587b34b492fa11 run #0: crashed: KASAN: use-after-free Read in slcan_open run #1: crashed: KASAN: use-after-free Read in slcan_open run #2: crashed: KASAN: use-after-free Read in slcan_open run #3: crashed: KASAN: use-after-free Read in slcan_open run #4: crashed: KASAN: use-after-free Read in slcan_open run #5: crashed: KASAN: use-after-free Read in slcan_open run #6: crashed: KASAN: use-after-free Read in slcan_open run #7: crashed: KASAN: use-after-free Read in slcan_open run #8: OK run #9: OK testing release v5.4 testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0 kernel signature: cdd1f3d0568d94c143918cb9e440fa7104b5fbeb all runs: OK # git bisect start 32ef9553635ab1236c33951a8bd9b5af1c3b1646 219d54332a09e8d8741c1e1982f5eae56099de85 Bisecting: 4665 revisions left to test after this (roughly 12 steps) [361b0d286afea0d867537536977a695b5557d133] Merge tag 'devprop-5.5-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm testing commit 361b0d286afea0d867537536977a695b5557d133 with gcc (GCC) 8.1.0 kernel signature: 2b3e0c08c397a03e99e08788c6f3797bc0055e19 run #0: crashed: KASAN: use-after-free Read in slcan_open run #1: crashed: KASAN: use-after-free Read in slcan_open run #2: crashed: KASAN: use-after-free Read in slcan_open run #3: crashed: KASAN: use-after-free Read in slcan_open run #4: crashed: KASAN: use-after-free Read in slcan_open run #5: crashed: KASAN: use-after-free Read in slcan_open run #6: crashed: KASAN: use-after-free Read in slcan_open run #7: OK run #8: OK run #9: OK # git bisect bad 361b0d286afea0d867537536977a695b5557d133 Bisecting: 2351 revisions left to test after this (roughly 11 steps) [622dc5ad8052f4f0c6b7a12787696a5caa3c6a58] Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next testing commit 622dc5ad8052f4f0c6b7a12787696a5caa3c6a58 with gcc (GCC) 8.1.0 kernel signature: 6f39dd8b6c21bd84f74faaa7d364544bd4dfc277 run #0: crashed: KASAN: use-after-free Read in slcan_open run #1: crashed: KASAN: use-after-free Read in slcan_open run #2: crashed: KASAN: use-after-free Read in slcan_open run #3: crashed: KASAN: use-after-free Read in slcan_open run #4: crashed: KASAN: use-after-free Read in slcan_open run #5: crashed: KASAN: use-after-free Read in slcan_open run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 622dc5ad8052f4f0c6b7a12787696a5caa3c6a58 Bisecting: 994 revisions left to test after this (roughly 10 steps) [a3ead21d6eec4d18b48466c7b978566bc9cab676] Merge tag 'wireless-drivers-next-2019-11-05' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers-next testing commit a3ead21d6eec4d18b48466c7b978566bc9cab676 with gcc (GCC) 8.1.0 kernel signature: 7f877631ed7d0c0049915a9366e484b7b4bde528 all runs: OK # git bisect good a3ead21d6eec4d18b48466c7b978566bc9cab676 Bisecting: 508 revisions left to test after this (roughly 9 steps) [df98be06c94d23e2a8e12065bf2df5b186b81f0f] bonding: symmetric ICMP transmit testing commit df98be06c94d23e2a8e12065bf2df5b186b81f0f with gcc (GCC) 8.1.0 kernel signature: bdf01ddbb8e50bd348e97f10e49eb4b55c73555d all runs: OK # git bisect good df98be06c94d23e2a8e12065bf2df5b186b81f0f Bisecting: 254 revisions left to test after this (roughly 8 steps) [9bb59a21f53e7231696257d5e6283a4fbacfb43f] tcp: warn if offset reach the maxlen limit when using snprintf testing commit 9bb59a21f53e7231696257d5e6283a4fbacfb43f with gcc (GCC) 8.1.0 kernel signature: 8faf8bdf929e46bcc89938ec0120eeb7f923a73e all runs: crashed: KASAN: use-after-free Read in slcan_open # git bisect bad 9bb59a21f53e7231696257d5e6283a4fbacfb43f Bisecting: 126 revisions left to test after this (roughly 7 steps) [89d8fd44abfb9019bb37a858532d6633e2590cac] netfilter: nft_payload: add C-VLAN offload support testing commit 89d8fd44abfb9019bb37a858532d6633e2590cac with gcc (GCC) 8.1.0 kernel signature: 54719eb30ab28127ec95523c801cafbb86df3ac6 run #0: crashed: KASAN: use-after-free Read in slcan_open run #1: crashed: KASAN: use-after-free Read in slcan_open run #2: crashed: KASAN: use-after-free Read in slcan_open run #3: crashed: KASAN: use-after-free Read in slcan_open run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 89d8fd44abfb9019bb37a858532d6633e2590cac Bisecting: 63 revisions left to test after this (roughly 6 steps) [8550179018e0d243985a095c78f3c62866507076] Merge ath-next from git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.git testing commit 8550179018e0d243985a095c78f3c62866507076 with gcc (GCC) 8.1.0 kernel signature: 26450977c384ca091c35cb9fefd252a2ab1ed259 all runs: OK # git bisect good 8550179018e0d243985a095c78f3c62866507076 Bisecting: 31 revisions left to test after this (roughly 5 steps) [298e54fa810e027f1b0800d789eb862592721f08] net: phy: add core phylib sfp support testing commit 298e54fa810e027f1b0800d789eb862592721f08 with gcc (GCC) 8.1.0 kernel signature: 387f6d133167a69f8873f0cddb26d9e1c6c81dee run #0: crashed: KASAN: use-after-free Read in slcan_open run #1: crashed: KASAN: use-after-free Read in slcan_open run #2: crashed: KASAN: use-after-free Read in slcan_open run #3: crashed: KASAN: use-after-free Read in slcan_open run #4: crashed: KASAN: use-after-free Read in slcan_open run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 298e54fa810e027f1b0800d789eb862592721f08 Bisecting: 15 revisions left to test after this (roughly 4 steps) [23403cd8898dbc9808d3eb2f63bc1db8a340b751] netfilter: nf_tables_offload: release flow_rule on error from commit path testing commit 23403cd8898dbc9808d3eb2f63bc1db8a340b751 with gcc (GCC) 8.1.0 kernel signature: 2ce1c98d293e2b5b98673ec8ff976c79e74d6e2d all runs: OK # git bisect good 23403cd8898dbc9808d3eb2f63bc1db8a340b751 Bisecting: 7 revisions left to test after this (roughly 3 steps) [597b01edafac57aafdbf1ca51e26ceb41c371912] selftests: net: avoid ptl lock contention in tcp_mmap testing commit 597b01edafac57aafdbf1ca51e26ceb41c371912 with gcc (GCC) 8.1.0 kernel signature: d078032a77c7b70b1e69aca1e8a63eeaf062430e all runs: OK # git bisect good 597b01edafac57aafdbf1ca51e26ceb41c371912 Bisecting: 4 revisions left to test after this (roughly 2 steps) [ff4bf2f42a40e7dff28379f085b64df322c70b45] netfilter: nf_tables: add nft_unregister_flowtable_hook() testing commit ff4bf2f42a40e7dff28379f085b64df322c70b45 with gcc (GCC) 8.1.0 kernel signature: fe0a35b73cfa20c6414c31e2c6da5cb497e40ec7 all runs: OK # git bisect good ff4bf2f42a40e7dff28379f085b64df322c70b45 Bisecting: 2 revisions left to test after this (roughly 1 step) [19b7e21c55c81713c4011278143006af9f232504] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net testing commit 19b7e21c55c81713c4011278143006af9f232504 with gcc (GCC) 8.1.0 kernel signature: 111984893a3cc3433b7cc32bf2d8296c3ccaa50c run #0: crashed: KASAN: use-after-free Read in slcan_open run #1: crashed: KASAN: use-after-free Read in slcan_open run #2: crashed: KASAN: use-after-free Read in slcan_open run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 19b7e21c55c81713c4011278143006af9f232504 Bisecting: 0 revisions left to test after this (roughly 0 steps) [1e8795b1b20d2721620165434cdcf427ecd2ba85] mscc.c: fix semicolon.cocci warnings testing commit 1e8795b1b20d2721620165434cdcf427ecd2ba85 with gcc (GCC) 8.1.0 kernel signature: 43ba323c19790d0d03b44ea7ba2f2d0dea72448b all runs: OK # git bisect good 1e8795b1b20d2721620165434cdcf427ecd2ba85 19b7e21c55c81713c4011278143006af9f232504 is the first bad commit commit 19b7e21c55c81713c4011278143006af9f232504 Merge: 1e8795b1b20d 1d4c79ed324a Author: David S. Miller Date: Sat Nov 16 18:47:31 2019 -0800 Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net Lots of overlapping changes and parallel additions, stuff like that. Signed-off-by: David S. Miller .mailmap | 4 + Documentation/ABI/testing/sysfs-devices-system-cpu | 2 + Documentation/admin-guide/hw-vuln/index.rst | 2 + Documentation/admin-guide/hw-vuln/multihit.rst | 163 ++++++++ .../admin-guide/hw-vuln/tsx_async_abort.rst | 276 +++++++++++++ Documentation/admin-guide/kernel-parameters.txt | 92 +++++ Documentation/x86/index.rst | 1 + Documentation/x86/tsx_async_abort.rst | 117 ++++++ MAINTAINERS | 2 - Makefile | 5 +- arch/arm/boot/dts/imx6-logicpd-baseboard.dtsi | 4 + arch/arm/boot/dts/imx6qdl-sabreauto.dtsi | 8 + arch/arm/boot/dts/stm32mp157c-ev1.dts | 13 +- arch/arm/boot/dts/stm32mp157c.dtsi | 4 +- arch/arm/boot/dts/sun8i-a83t-tbs-a711.dts | 1 + arch/arm/mach-sunxi/mc_smp.c | 6 +- arch/arm64/boot/dts/freescale/fsl-ls1028a-qds.dts | 2 +- arch/arm64/boot/dts/freescale/imx8mm.dtsi | 6 +- arch/arm64/boot/dts/freescale/imx8mn.dtsi | 6 +- .../arm64/boot/dts/freescale/imx8mq-zii-ultra.dtsi | 2 +- arch/arm64/include/asm/vdso/vsyscall.h | 7 - arch/mips/include/asm/vdso/vsyscall.h | 7 - arch/mips/sgi-ip27/Kconfig | 7 - arch/mips/sgi-ip27/ip27-init.c | 21 +- arch/mips/sgi-ip27/ip27-memory.c | 4 - arch/sparc/vdso/Makefile | 4 +- arch/x86/Kconfig | 45 +++ arch/x86/include/asm/cpufeatures.h | 2 + arch/x86/include/asm/kvm_host.h | 6 + arch/x86/include/asm/msr-index.h | 16 + arch/x86/include/asm/nospec-branch.h | 4 +- arch/x86/include/asm/processor.h | 7 + arch/x86/kernel/apic/apic.c | 28 +- arch/x86/kernel/cpu/Makefile | 2 +- arch/x86/kernel/cpu/bugs.c | 159 +++++++- arch/x86/kernel/cpu/common.c | 99 +++-- arch/x86/kernel/cpu/cpu.h | 18 + arch/x86/kernel/cpu/intel.c | 5 + arch/x86/kernel/cpu/resctrl/ctrlmondata.c | 4 + arch/x86/kernel/cpu/resctrl/rdtgroup.c | 4 - arch/x86/kernel/cpu/tsx.c | 140 +++++++ arch/x86/kernel/dumpstack_64.c | 7 + arch/x86/kernel/early-quirks.c | 2 + arch/x86/kernel/tsc.c | 3 + arch/x86/kvm/mmu.c | 282 ++++++++++++- arch/x86/kvm/mmu.h | 4 + arch/x86/kvm/paging_tmpl.h | 29 +- arch/x86/kvm/vmx/vmx.c | 23 +- arch/x86/kvm/vmx/vmx.h | 11 + arch/x86/kvm/x86.c | 99 +++-- block/bfq-iosched.c | 32 +- block/bio.c | 2 +- block/blk-iocost.c | 8 +- drivers/base/cpu.c | 17 + drivers/base/memory.c | 36 ++ drivers/block/rbd.c | 2 +- drivers/block/rsxx/core.c | 2 + drivers/char/hw_random/core.c | 5 +- drivers/char/random.c | 4 +- drivers/clocksource/sh_mtu2.c | 16 +- drivers/clocksource/timer-mediatek.c | 10 +- drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c | 38 +- drivers/gpu/drm/i915/display/intel_display_power.c | 3 + drivers/gpu/drm/i915/gem/i915_gem_context.c | 5 + drivers/gpu/drm/i915/gem/i915_gem_context_types.h | 7 + drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c | 111 ++++-- drivers/gpu/drm/i915/gt/intel_engine_types.h | 13 +- drivers/gpu/drm/i915/gt/intel_gt_pm.c | 8 + drivers/gpu/drm/i915/gt/intel_mocs.c | 10 +- drivers/gpu/drm/i915/gvt/dmabuf.c | 4 +- drivers/gpu/drm/i915/i915_cmd_parser.c | 435 +++++++++++++++------ drivers/gpu/drm/i915/i915_drv.c | 7 +- drivers/gpu/drm/i915/i915_drv.h | 31 +- drivers/gpu/drm/i915/i915_gem.c | 16 +- drivers/gpu/drm/i915/i915_getparam.c | 2 +- drivers/gpu/drm/i915/i915_reg.h | 10 + drivers/gpu/drm/i915/intel_pm.c | 122 +++++- drivers/gpu/drm/i915/intel_pm.h | 3 + drivers/gpu/drm/sun4i/sun4i_tcon.c | 2 +- drivers/hwtracing/intel_th/gth.c | 3 + drivers/hwtracing/intel_th/msu.c | 11 +- drivers/hwtracing/intel_th/pci.c | 10 + drivers/iio/adc/stm32-adc.c | 4 +- drivers/iio/imu/adis16480.c | 5 +- drivers/iio/imu/inv_mpu6050/inv_mpu_core.c | 9 + drivers/iio/imu/inv_mpu6050/inv_mpu_iio.h | 2 + drivers/iio/imu/inv_mpu6050/inv_mpu_ring.c | 15 +- drivers/iio/proximity/srf04.c | 29 +- drivers/infiniband/hw/hfi1/init.c | 1 - drivers/infiniband/hw/hfi1/pcie.c | 4 +- drivers/infiniband/hw/hfi1/rc.c | 16 +- drivers/infiniband/hw/hfi1/tid_rdma.c | 57 +-- drivers/infiniband/hw/hfi1/tid_rdma.h | 3 +- drivers/infiniband/hw/hns/hns_roce_hem.h | 2 +- drivers/infiniband/hw/hns/hns_roce_srq.c | 2 +- drivers/input/ff-memless.c | 9 + drivers/input/mouse/synaptics.c | 1 + drivers/input/rmi4/rmi_f11.c | 9 +- drivers/input/rmi4/rmi_f12.c | 32 +- drivers/input/rmi4/rmi_f54.c | 5 +- drivers/input/touchscreen/cyttsp4_core.c | 7 - drivers/interconnect/core.c | 4 + drivers/interconnect/qcom/qcs404.c | 3 +- drivers/interconnect/qcom/sdm845.c | 3 +- drivers/mmc/host/sdhci-of-at91.c | 2 +- drivers/net/can/slcan.c | 1 + drivers/net/dsa/mv88e6xxx/ptp.c | 13 + drivers/net/ethernet/broadcom/tg3.c | 4 + drivers/net/ethernet/cirrus/ep93xx_eth.c | 5 +- drivers/net/ethernet/cortina/gemini.c | 1 + drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c | 10 +- drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c | 5 - .../net/ethernet/hisilicon/hns3/hns3pf/hclge_dcb.c | 19 +- .../ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 16 +- drivers/net/ethernet/intel/igb/igb_ptp.c | 17 + drivers/net/ethernet/marvell/octeontx2/af/cgx.h | 4 +- .../net/ethernet/marvell/octeontx2/af/cgx_fw_if.h | 4 +- drivers/net/ethernet/marvell/octeontx2/af/common.h | 4 +- drivers/net/ethernet/marvell/octeontx2/af/mbox.h | 4 +- drivers/net/ethernet/marvell/octeontx2/af/npc.h | 4 +- .../ethernet/marvell/octeontx2/af/npc_profile.h | 4 +- drivers/net/ethernet/marvell/octeontx2/af/rvu.h | 4 +- .../net/ethernet/marvell/octeontx2/af/rvu_reg.h | 4 +- .../net/ethernet/marvell/octeontx2/af/rvu_struct.h | 4 +- .../net/ethernet/mellanox/mlx5/core/lib/clock.c | 17 + drivers/net/ethernet/microchip/lan743x_ptp.c | 4 + drivers/net/ethernet/renesas/ravb.h | 3 +- drivers/net/ethernet/renesas/ravb_main.c | 26 +- drivers/net/ethernet/renesas/ravb_ptp.c | 11 + drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c | 2 +- drivers/net/ethernet/stmicro/stmmac/dwmac5.h | 2 +- drivers/net/ethernet/stmicro/stmmac/dwxgmac2.h | 2 +- drivers/net/ethernet/stmicro/stmmac/hwif.h | 2 +- drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c | 4 + drivers/net/phy/dp83640.c | 16 + drivers/net/phy/mdio_bus.c | 11 +- drivers/net/slip/slip.c | 1 + drivers/net/usb/ax88172a.c | 2 +- drivers/net/usb/cdc_ncm.c | 2 +- drivers/net/usb/qmi_wwan.c | 2 + drivers/net/wireless/intel/iwlwifi/pcie/tx-gen2.c | 20 +- drivers/nfc/nxp-nci/i2c.c | 6 +- drivers/pinctrl/intel/pinctrl-cherryview.c | 26 +- drivers/pinctrl/intel/pinctrl-intel.c | 21 +- drivers/pinctrl/pinctrl-stmfx.c | 14 - drivers/ptp/ptp_chardev.c | 20 +- drivers/reset/core.c | 5 +- drivers/scsi/qla2xxx/qla_mid.c | 8 +- drivers/scsi/qla2xxx/qla_os.c | 8 +- drivers/scsi/scsi_lib.c | 3 +- drivers/scsi/sd_zbc.c | 29 +- drivers/soc/imx/gpc.c | 8 +- drivers/soundwire/Kconfig | 1 + drivers/soundwire/intel.c | 4 +- drivers/soundwire/slave.c | 3 +- drivers/thunderbolt/nhi_ops.c | 1 - drivers/thunderbolt/switch.c | 28 +- drivers/watchdog/bd70528_wdt.c | 1 + drivers/watchdog/cpwd.c | 8 +- drivers/watchdog/imx_sc_wdt.c | 8 +- drivers/watchdog/meson_gxbb_wdt.c | 4 +- drivers/watchdog/pm8916_wdt.c | 15 +- fs/afs/dir.c | 7 +- fs/aio.c | 10 +- fs/autofs/expire.c | 5 +- fs/btrfs/inode.c | 30 +- fs/btrfs/ioctl.c | 6 - fs/btrfs/space-info.c | 21 + fs/btrfs/tree-checker.c | 8 - fs/btrfs/volumes.c | 1 + fs/ceph/file.c | 29 +- fs/cifs/smb2pdu.h | 1 + fs/configfs/symlink.c | 2 +- fs/ecryptfs/inode.c | 84 ++-- fs/exportfs/expfs.c | 31 +- fs/io_uring.c | 32 +- fs/namespace.c | 15 +- include/asm-generic/vdso/vsyscall.h | 7 - include/linux/can/core.h | 1 + include/linux/cpu.h | 30 +- include/linux/kvm_host.h | 7 + include/linux/memory.h | 1 + include/linux/reset-controller.h | 4 +- include/linux/reset.h | 2 +- include/trace/events/tcp.h | 2 +- include/uapi/linux/devlink.h | 3 +- include/uapi/linux/ptp_clock.h | 5 +- kernel/audit_watch.c | 2 +- kernel/cgroup/cgroup.c | 5 +- kernel/cpu.c | 27 +- kernel/events/core.c | 23 +- kernel/irq/irqdomain.c | 2 +- kernel/sched/core.c | 23 +- kernel/sched/deadline.c | 40 +- kernel/sched/fair.c | 15 +- kernel/sched/idle.c | 9 +- kernel/sched/rt.c | 37 +- kernel/sched/sched.h | 30 +- kernel/sched/stop_task.c | 18 +- kernel/signal.c | 2 +- kernel/stacktrace.c | 6 +- kernel/time/ntp.c | 2 +- kernel/time/vsyscall.c | 9 +- lib/Kconfig | 1 - lib/xz/xz_dec_lzma2.c | 1 + mm/debug.c | 31 +- mm/hugetlb_cgroup.c | 2 +- mm/khugepaged.c | 28 +- mm/madvise.c | 16 +- mm/memcontrol.c | 2 +- mm/memory_hotplug.c | 43 +- mm/mempolicy.c | 14 +- mm/page_io.c | 6 +- mm/slub.c | 39 +- net/can/af_can.c | 3 +- net/can/j1939/main.c | 9 + net/can/j1939/socket.c | 94 ++++- net/can/j1939/transport.c | 36 +- net/core/devlink.c | 8 +- net/dsa/tag_8021q.c | 2 +- net/ipv4/ipmr.c | 3 +- net/ipv6/seg6_local.c | 11 + net/rds/ib_cm.c | 23 +- net/smc/af_smc.c | 3 +- net/tipc/core.c | 2 - net/tipc/core.h | 6 + net/xfrm/xfrm_input.c | 3 + net/xfrm/xfrm_state.c | 2 + scripts/tools-support-relr.sh | 8 +- sound/core/pcm_lib.c | 8 +- sound/pci/hda/hda_intel.c | 3 + sound/pci/hda/patch_hdmi.c | 4 +- sound/usb/endpoint.c | 3 + sound/usb/mixer.c | 4 +- sound/usb/quirks.c | 4 +- sound/usb/validate.c | 6 +- tools/perf/util/hist.c | 2 +- .../perf/util/scripting-engines/trace-event-perl.c | 8 +- .../util/scripting-engines/trace-event-python.c | 9 +- tools/perf/util/trace-event-parse.c | 31 -- tools/perf/util/trace-event.h | 2 - tools/testing/selftests/drivers/net/mlxsw/vxlan.sh | 8 +- tools/testing/selftests/kvm/lib/assert.c | 4 +- tools/testing/selftests/ptp/testptp.c | 53 ++- virt/kvm/kvm_main.c | 175 ++++++++- 245 files changed, 3696 insertions(+), 1067 deletions(-) create mode 100644 Documentation/admin-guide/hw-vuln/multihit.rst create mode 100644 Documentation/admin-guide/hw-vuln/tsx_async_abort.rst create mode 100644 Documentation/x86/tsx_async_abort.rst create mode 100644 arch/x86/kernel/cpu/tsx.c revisions tested: 15, total time: 4h26m44.335092298s (build: 1h39m6.216986594s, test: 2h42m43.973930921s) first bad commit: 19b7e21c55c81713c4011278143006af9f232504 Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net cc: ["andrew@lunn.ch" "bryan.whitehead@microchip.com" "davem@davemloft.net" "f.fainelli@gmail.com" "jiri@mellanox.com" "jon.maloy@ericsson.com" "linux-kernel@vger.kernel.org" "linux-rdma@vger.kernel.org" "netdev@vger.kernel.org" "rds-devel@oss.oracle.com" "santosh.shilimkar@oracle.com" "tipc-discussion@lists.sourceforge.net" "unglinuxdriver@microchip.com" "vivien.didelot@gmail.com" "ying.xue@windriver.com"] crash: KASAN: use-after-free Read in slcan_open ================================================================== BUG: KASAN: use-after-free in slc_sync drivers/net/can/slcan.c:504 [inline] BUG: KASAN: use-after-free in slcan_open+0x847/0xa50 drivers/net/can/slcan.c:579 Read of size 8 at addr ffff88807ef50b48 by task syz-executor.5/7845 CPU: 0 PID: 7845 Comm: syz-executor.5 Not tainted 5.4.0-rc7-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x12d/0x187 lib/dump_stack.c:118 print_address_description.constprop.8.cold.10+0x9/0x31d mm/kasan/report.c:374 __kasan_report.cold.11+0x1b/0x3a mm/kasan/report.c:506 kasan_report+0x12/0x20 mm/kasan/common.c:634 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132 slc_sync drivers/net/can/slcan.c:504 [inline] slcan_open+0x847/0xa50 drivers/net/can/slcan.c:579 tty_ldisc_open.isra.3+0x78/0xc0 drivers/tty/tty_ldisc.c:469 tty_set_ldisc+0x238/0x5b0 drivers/tty/tty_ldisc.c:596 tiocsetd drivers/tty/tty_io.c:2334 [inline] tty_ioctl+0x332/0x12f0 drivers/tty/tty_io.c:2594 vfs_ioctl fs/ioctl.c:46 [inline] file_ioctl fs/ioctl.c:509 [inline] do_vfs_ioctl+0x196/0x1150 fs/ioctl.c:696 ksys_ioctl+0x62/0x90 fs/ioctl.c:713 __do_sys_ioctl fs/ioctl.c:720 [inline] __se_sys_ioctl fs/ioctl.c:718 [inline] __x64_sys_ioctl+0x6e/0xb0 fs/ioctl.c:718 do_syscall_64+0xca/0x5d0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x45a679 Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007f54e1429c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f54e1429c90 RCX: 000000000045a679 RDX: 00000000200000c0 RSI: 0000000000005423 RDI: 0000000000000004 RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f54e142a6d4 R13: 00000000004c5310 R14: 00000000004da8b0 R15: 0000000000000005 Allocated by task 7860: save_stack+0x21/0x90 mm/kasan/common.c:69 set_track mm/kasan/common.c:77 [inline] __kasan_kmalloc.constprop.13+0xc7/0xd0 mm/kasan/common.c:510 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:524 __do_kmalloc_node mm/slab.c:3615 [inline] __kmalloc_node+0x4d/0x70 mm/slab.c:3622 kmalloc_node include/linux/slab.h:599 [inline] kvmalloc_node+0x40/0x80 mm/util.c:564 kvmalloc include/linux/mm.h:670 [inline] kvzalloc include/linux/mm.h:678 [inline] alloc_netdev_mqs+0x5d/0xca0 net/core/dev.c:9730 slc_alloc drivers/net/can/slcan.c:533 [inline] slcan_open+0x301/0xa50 drivers/net/can/slcan.c:590 tty_ldisc_open.isra.3+0x78/0xc0 drivers/tty/tty_ldisc.c:469 tty_set_ldisc+0x238/0x5b0 drivers/tty/tty_ldisc.c:596 tiocsetd drivers/tty/tty_io.c:2334 [inline] tty_ioctl+0x332/0x12f0 drivers/tty/tty_io.c:2594 vfs_ioctl fs/ioctl.c:46 [inline] file_ioctl fs/ioctl.c:509 [inline] do_vfs_ioctl+0x196/0x1150 fs/ioctl.c:696 ksys_ioctl+0x62/0x90 fs/ioctl.c:713 __do_sys_ioctl fs/ioctl.c:720 [inline] __se_sys_ioctl fs/ioctl.c:718 [inline] __x64_sys_ioctl+0x6e/0xb0 fs/ioctl.c:718 do_syscall_64+0xca/0x5d0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 7860: save_stack+0x21/0x90 mm/kasan/common.c:69 set_track mm/kasan/common.c:77 [inline] kasan_set_free_info mm/kasan/common.c:332 [inline] __kasan_slab_free+0x102/0x150 mm/kasan/common.c:471 kasan_slab_free+0xe/0x10 mm/kasan/common.c:480 __cache_free mm/slab.c:3425 [inline] kfree+0x108/0x2c0 mm/slab.c:3756 kvfree+0x2c/0x30 mm/util.c:593 netdev_freemem net/core/dev.c:9684 [inline] free_netdev+0x342/0x400 net/core/dev.c:9839 slcan_open+0x790/0xa50 drivers/net/can/slcan.c:620 tty_ldisc_open.isra.3+0x78/0xc0 drivers/tty/tty_ldisc.c:469 tty_set_ldisc+0x238/0x5b0 drivers/tty/tty_ldisc.c:596 tiocsetd drivers/tty/tty_io.c:2334 [inline] tty_ioctl+0x332/0x12f0 drivers/tty/tty_io.c:2594 vfs_ioctl fs/ioctl.c:46 [inline] file_ioctl fs/ioctl.c:509 [inline] do_vfs_ioctl+0x196/0x1150 fs/ioctl.c:696 ksys_ioctl+0x62/0x90 fs/ioctl.c:713 __do_sys_ioctl fs/ioctl.c:720 [inline] __se_sys_ioctl fs/ioctl.c:718 [inline] __x64_sys_ioctl+0x6e/0xb0 fs/ioctl.c:718 do_syscall_64+0xca/0x5d0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe The buggy address belongs to the object at ffff88807ef50000 which belongs to the cache kmalloc-32k of size 32768 The buggy address is located 2888 bytes inside of 32768-byte region [ffff88807ef50000, ffff88807ef58000) The buggy address belongs to the page: page:ffffea0001fbd400 refcount:1 mapcount:0 mapping:ffff8880aa402540 index:0x0 compound_mapcount: 0 raw: 00fffe0000010200 ffffea0001fbd808 ffff8880aa401d48 ffff8880aa402540 raw: 0000000000000000 ffff88807ef50000 0000000100000001 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88807ef50a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88807ef50a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff88807ef50b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88807ef50b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88807ef50c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================