bisecting fixing commit since c63ee2939dc1c6eee6c544af1b4ab441490bfe6e
building syzkaller on 8098ea0f3397d5db00e4852b1b29d0958f2189c6
testing commit c63ee2939dc1c6eee6c544af1b4ab441490bfe6e with gcc (GCC) 8.1.0
kernel signature: f19fb3aa331d5ff63ae4c4fe457a8c1ac5c03fd6
all runs: crashed: KASAN: use-after-free Read in slip_open
testing current HEAD c7ecf3e3a71c216327980f26b1e895ce9b07ad31
testing commit c7ecf3e3a71c216327980f26b1e895ce9b07ad31 with gcc (GCC) 8.1.0
kernel signature: e01f29d889f26733d6c163c003158bc3a6cdd956
all runs: OK
# git bisect start c7ecf3e3a71c216327980f26b1e895ce9b07ad31 c63ee2939dc1c6eee6c544af1b4ab441490bfe6e
Bisecting: 760 revisions left to test after this (roughly 10 steps)
[b32dc79a5ac557d124fbc124b2d6d61bbc97bcf1] mmc: core: align max segment size with logical block size
testing commit b32dc79a5ac557d124fbc124b2d6d61bbc97bcf1 with gcc (GCC) 8.1.0
kernel signature: 273c08f6276b26f65ed5c8cacdd5b55270deea94
all runs: crashed: KASAN: use-after-free Read in slip_open
# git bisect good b32dc79a5ac557d124fbc124b2d6d61bbc97bcf1
Bisecting: 380 revisions left to test after this (roughly 9 steps)
[0aa2570917f4fe5d6c37f54140cabd1bd682a638] rtlwifi: rtl8192de: Fix missing callback that tests for hw release of buffer
testing commit 0aa2570917f4fe5d6c37f54140cabd1bd682a638 with gcc (GCC) 8.1.0
kernel signature: 6bbced37d874058be5adcf5cd6fbd03977eff580
all runs: OK
# git bisect bad 0aa2570917f4fe5d6c37f54140cabd1bd682a638
Bisecting: 189 revisions left to test after this (roughly 8 steps)
[a4d121d90e28daf1619781ee1eb098705a474ec9] sparc: Correct ctx->saw_frame_pointer logic.
testing commit a4d121d90e28daf1619781ee1eb098705a474ec9 with gcc (GCC) 8.1.0
kernel signature: 22174409b2890f713fda3fd5c3244c86c49e5352
all runs: OK
# git bisect bad a4d121d90e28daf1619781ee1eb098705a474ec9
Bisecting: 94 revisions left to test after this (roughly 7 steps)
[af17e1fc7cb773c7f22f7343323cf102ea52a50b] exportfs_decode_fh(): negative pinned may become positive without the parent locked
testing commit af17e1fc7cb773c7f22f7343323cf102ea52a50b with gcc (GCC) 8.1.0
kernel signature: 25556ba14df645518803d826a1d76db83354cf5f
all runs: OK
# git bisect bad af17e1fc7cb773c7f22f7343323cf102ea52a50b
Bisecting: 47 revisions left to test after this (roughly 6 steps)
[93c259c582afb5890f3d6d054160ba0aa5f78a2a] selftests: bpf: test_sockmap: handle file creation failures gracefully
testing commit 93c259c582afb5890f3d6d054160ba0aa5f78a2a with gcc (GCC) 8.1.0
kernel signature: 33a6d5781e2a69ec28892ddf58311399093b4108
all runs: OK
# git bisect bad 93c259c582afb5890f3d6d054160ba0aa5f78a2a
Bisecting: 23 revisions left to test after this (roughly 5 steps)
[44efbdc479d0e0a45b4257d709dab7bf0f4b8033] mm, gup: add missing refcount overflow checks on s390
testing commit 44efbdc479d0e0a45b4257d709dab7bf0f4b8033 with gcc (GCC) 8.1.0
kernel signature: 020b5323bcb8e622b55e82877738e1486218a0da
all runs: crashed: KASAN: use-after-free Read in slip_open
# git bisect good 44efbdc479d0e0a45b4257d709dab7bf0f4b8033
Bisecting: 11 revisions left to test after this (roughly 4 steps)
[8f93f779f1220d1a912873c179fa2c6f8075eb33] media: v4l2-ctrl: fix flags for DO_WHITE_BALANCE
testing commit 8f93f779f1220d1a912873c179fa2c6f8075eb33 with gcc (GCC) 8.1.0
kernel signature: c814cb4ad7f04f94a6024c1ed2d4a1c38d692b2a
all runs: crashed: KASAN: use-after-free Read in slip_open
# git bisect good 8f93f779f1220d1a912873c179fa2c6f8075eb33
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[4f8bd02b6f6715cc06e5725a9a9ce7835bcfd958] net: psample: fix skb_over_panic
testing commit 4f8bd02b6f6715cc06e5725a9a9ce7835bcfd958 with gcc (GCC) 8.1.0
kernel signature: 4dd5f8b7b5d7355d942c748d9fdd2b8a8acef80b
all runs: crashed: KASAN: use-after-free Read in slip_open
# git bisect good 4f8bd02b6f6715cc06e5725a9a9ce7835bcfd958
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[0c6e6ceae72c9bdb8834352190c6cafcd0b3c21d] slip: Fix use-after-free Read in slip_open
testing commit 0c6e6ceae72c9bdb8834352190c6cafcd0b3c21d with gcc (GCC) 8.1.0
kernel signature: 3fb99c021bfe050e29dddeaaf4ec6bc71c72397d
all runs: OK
# git bisect bad 0c6e6ceae72c9bdb8834352190c6cafcd0b3c21d
Bisecting: 0 revisions left to test after this (roughly 1 step)
[681e08498e5e7e051ba1fedf815509f56ef31c4f] sctp: Fix memory leak in sctp_sf_do_5_2_4_dupcook
testing commit 681e08498e5e7e051ba1fedf815509f56ef31c4f with gcc (GCC) 8.1.0
kernel signature: 8002a097b1e8c714c77983c72df298397a05947e
all runs: crashed: KASAN: use-after-free Read in slip_open
# git bisect good 681e08498e5e7e051ba1fedf815509f56ef31c4f
0c6e6ceae72c9bdb8834352190c6cafcd0b3c21d is the first bad commit
commit 0c6e6ceae72c9bdb8834352190c6cafcd0b3c21d
Author: Jouni Hogander
Date:   Mon Nov 25 14:23:43 2019 +0200

    slip: Fix use-after-free Read in slip_open

    [ Upstream commit e58c1912418980f57ba2060017583067f5f71e52 ]

    Slip_open doesn't clean up a device whose registration failed from the
    slip_devs device list. On the next open after a failure this list is
    iterated and the freed device is accessed. Fix this by calling
    sl_free_netdev in the error path.

    Here is the trace from the Syzbot:

    __dump_stack lib/dump_stack.c:77 [inline]
    dump_stack+0x197/0x210 lib/dump_stack.c:118
    print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
    __kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
    kasan_report+0x12/0x20 mm/kasan/common.c:634
    __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
    sl_sync drivers/net/slip/slip.c:725 [inline]
    slip_open+0xecd/0x11b7 drivers/net/slip/slip.c:801
    tty_ldisc_open.isra.0+0xa3/0x110 drivers/tty/tty_ldisc.c:469
    tty_set_ldisc+0x30e/0x6b0 drivers/tty/tty_ldisc.c:596
    tiocsetd drivers/tty/tty_io.c:2334 [inline]
    tty_ioctl+0xe8d/0x14f0 drivers/tty/tty_io.c:2594
    vfs_ioctl fs/ioctl.c:46 [inline]
    file_ioctl fs/ioctl.c:509 [inline]
    do_vfs_ioctl+0xdb6/0x13e0 fs/ioctl.c:696
    ksys_ioctl+0xab/0xd0 fs/ioctl.c:713
    __do_sys_ioctl fs/ioctl.c:720 [inline]
    __se_sys_ioctl fs/ioctl.c:718 [inline]
    __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
    do_syscall_64+0xfa/0x760 arch/x86/entry/common.c:290
    entry_SYSCALL_64_after_hwframe+0x49/0xbe

    Fixes: 3b5a39979daf ("slip: Fix memory leak in slip_open error path")
    Reported-by: syzbot+4d5170758f3762109542@syzkaller.appspotmail.com
    Cc: David Miller
    Cc: Oliver Hartkopp
    Cc: Lukas Bulwahn
    Signed-off-by: Jouni Hogander
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

 drivers/net/slip/slip.c | 1 +
 1 file changed, 1 insertion(+)

culprit signature: 3fb99c021bfe050e29dddeaaf4ec6bc71c72397d
parent signature: 8002a097b1e8c714c77983c72df298397a05947e
revisions tested: 12, total time: 3h12m16.055096538s (build: 1h44m6.03064857s, test: 1h26m22.299025585s)
first good commit: 0c6e6ceae72c9bdb8834352190c6cafcd0b3c21d slip: Fix use-after-free Read in slip_open
cc: ["davem@davemloft.net" "gregkh@linuxfoundation.org" "jouni.hogander@unikie.com"]