bisecting cause commit starting from 1bdd3dbfff7a308643c7f9ef74e4a8ef3923e686 building syzkaller on acbc5b7d05ff9d1ff890aa24f42a334e613445f7 testing commit 1bdd3dbfff7a308643c7f9ef74e4a8ef3923e686 with gcc (GCC) 8.1.0 all runs: crashed: KASAN: use-after-free Read in seccomp_notify_release testing release v5.0 testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783 with gcc (GCC) 8.1.0 all runs: crashed: KASAN: use-after-free Read in seccomp_notify_release testing release v4.20 testing commit 8fe28cb58bcb235034b64cbbb7550a8a43fd88be with gcc (GCC) 8.1.0 all runs: OK # git bisect start v5.0 v4.20 Bisecting: 7011 revisions left to test after this (roughly 13 steps) [af7ddd8a627c62a835524b3f5b471edbbbcce025] Merge tag 'dma-mapping-4.21' of git://git.infradead.org/users/hch/dma-mapping testing commit af7ddd8a627c62a835524b3f5b471edbbbcce025 with gcc (GCC) 8.1.0 all runs: OK # git bisect good af7ddd8a627c62a835524b3f5b471edbbbcce025 Bisecting: 3532 revisions left to test after this (roughly 12 steps) [c9bef4a651769927445900564781a9c99fdf6258] Merge tag 'pinctrl-v4.21-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl testing commit c9bef4a651769927445900564781a9c99fdf6258 with gcc (GCC) 8.1.0 all runs: OK # git bisect good c9bef4a651769927445900564781a9c99fdf6258 Bisecting: 1768 revisions left to test after this (roughly 11 steps) [4d5f6e0201bc568c0758ed3f77a06648ec9fd482] Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi testing commit 4d5f6e0201bc568c0758ed3f77a06648ec9fd482 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 4d5f6e0201bc568c0758ed3f77a06648ec9fd482 Bisecting: 879 revisions left to test after this (roughly 10 steps) [680905431b9de8c7224b15b76b1826a1481cfeaf] Merge tag 'char-misc-5.0-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc testing commit 680905431b9de8c7224b15b76b1826a1481cfeaf with gcc (GCC) 8.1.0 all runs: crashed: KASAN: use-after-free Read in seccomp_notify_release # git bisect bad 680905431b9de8c7224b15b76b1826a1481cfeaf Bisecting: 435 revisions left to test after this (roughly 9 steps) [037222ad3f43a45c3a601dabf893efc9264ff5a0] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net testing commit 037222ad3f43a45c3a601dabf893efc9264ff5a0 with gcc (GCC) 8.1.0 all runs: boot failed: KASAN: use-after-free Read in generic_make_request # git bisect skip 037222ad3f43a45c3a601dabf893efc9264ff5a0 Bisecting: 435 revisions left to test after this (roughly 9 steps) [1fde6f21d90f8ba5da3cb9c54ca991ed72696c43] proc: fix /proc/net/* after setns(2) testing commit 1fde6f21d90f8ba5da3cb9c54ca991ed72696c43 with gcc (GCC) 8.1.0 all runs: crashed: KASAN: use-after-free Read in seccomp_notify_release # git bisect bad 1fde6f21d90f8ba5da3cb9c54ca991ed72696c43 Bisecting: 327 revisions left to test after this (roughly 8 steps) [96f18cb89ffa4bc6dafa447c9493449809fbb318] Merge tag 'staging-5.0-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging testing commit 96f18cb89ffa4bc6dafa447c9493449809fbb318 with gcc (GCC) 8.1.0 all runs: crashed: KASAN: use-after-free Read in seccomp_notify_release # git bisect bad 96f18cb89ffa4bc6dafa447c9493449809fbb318 Bisecting: 167 revisions left to test after this (roughly 7 steps) [74827ee29565f86e2a64495a5e3e58d3371d74ee] ceph: quota: cleanup license mess testing commit 74827ee29565f86e2a64495a5e3e58d3371d74ee with gcc (GCC) 8.1.0 all runs: crashed: KASAN: use-after-free Read in seccomp_notify_release # git bisect bad 74827ee29565f86e2a64495a5e3e58d3371d74ee Bisecting: 83 revisions left to test after this (roughly 6 steps) [3e64cf7a435ed0500e3adaa8aada2272d3ae8abc] net: phy: phy driver features are mandatory testing commit 3e64cf7a435ed0500e3adaa8aada2272d3ae8abc with gcc (GCC) 8.1.0 all runs: crashed: KASAN: use-after-free Read in seccomp_notify_release # git bisect bad 3e64cf7a435ed0500e3adaa8aada2272d3ae8abc Bisecting: 41 revisions left to test after this (roughly 5 steps) [20704bd1633dd5afb29a321d3a615c9c8e9c9d05] erspan: build the header with the right proto according to erspan_ver testing commit 20704bd1633dd5afb29a321d3a615c9c8e9c9d05 with gcc (GCC) 8.1.0 all runs: crashed: KASAN: use-after-free Read in seccomp_notify_release # git bisect bad 20704bd1633dd5afb29a321d3a615c9c8e9c9d05 Bisecting: 19 revisions left to test after this (roughly 4 steps) [0762216c0ad2a2fccd63890648eca491f2c83d9a] tipc: fix uninit-value in tipc_nl_compat_bearer_enable testing commit 0762216c0ad2a2fccd63890648eca491f2c83d9a with gcc (GCC) 8.1.0 run #0: crashed: KASAN: use-after-free Read in seccomp_notify_release run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 0762216c0ad2a2fccd63890648eca491f2c83d9a Bisecting: 9 revisions left to test after this (roughly 3 steps) [5be99560c6a0c24b7a0cc3bb4f26051c92cdff2a] selftests/txtimestamp: Fix an equals vs assign bug testing commit 5be99560c6a0c24b7a0cc3bb4f26051c92cdff2a with gcc (GCC) 8.1.0 all runs: crashed: KASAN: use-after-free Read in seccomp_notify_release # git bisect bad 5be99560c6a0c24b7a0cc3bb4f26051c92cdff2a Bisecting: 4 revisions left to test after this (roughly 3 steps) [10f4e765879e514e1ce7f52ed26603047af196e2] netfilter: nft_flow_offload: fix interaction with vrf slave device testing commit 10f4e765879e514e1ce7f52ed26603047af196e2 with gcc (GCC) 8.1.0 all runs: crashed: KASAN: use-after-free Read in seccomp_notify_release # git bisect bad 10f4e765879e514e1ce7f52ed26603047af196e2 Bisecting: 2 revisions left to test after this (roughly 2 steps) [715849ab31f8e57bbad84cc6c38912aeba6beb21] netfilter: nf_tables: selective rule dump needs table to be specified testing commit 715849ab31f8e57bbad84cc6c38912aeba6beb21 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 715849ab31f8e57bbad84cc6c38912aeba6beb21 Bisecting: 1 revision left to test after this (roughly 1 step) [a799aea0988ea0d1b1f263e996fdad2f6133c680] netfilter: nft_flow_offload: Fix reverse route lookup testing commit a799aea0988ea0d1b1f263e996fdad2f6133c680 with gcc (GCC) 8.1.0 all runs: crashed: KASAN: use-after-free Read in seccomp_notify_release # git bisect bad a799aea0988ea0d1b1f263e996fdad2f6133c680 a799aea0988ea0d1b1f263e996fdad2f6133c680 is the first bad commit commit a799aea0988ea0d1b1f263e996fdad2f6133c680 Author: wenxu Date: Wed Jan 9 10:40:11 2019 +0800 netfilter: nft_flow_offload: Fix reverse route lookup Using the following example: client 1.1.1.7 ---> 2.2.2.7 which dnat to 10.0.0.7 server The first reply packet (ie. syn+ack) uses an incorrect destination address for the reverse route lookup since it uses: daddr = ct->tuplehash[!dir].tuple.dst.u3.ip; which is 2.2.2.7 in the scenario that is described above, while this should be: daddr = ct->tuplehash[dir].tuple.src.u3.ip; that is 10.0.0.7. Signed-off-by: wenxu Signed-off-by: Pablo Neira Ayuso net/netfilter/nft_flow_offload.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) revisions tested: 18, total time: 3h54m48.842474364s (build: 1h44m39.236192478s, test: 2h5m26.485313507s) first bad commit: a799aea0988ea0d1b1f263e996fdad2f6133c680 netfilter: nft_flow_offload: Fix reverse route lookup cc: ["coreteam@netfilter.org" "davem@davemloft.net" "fw@strlen.de" "kadlec@blackhole.kfki.hu" "linux-kernel@vger.kernel.org" "netdev@vger.kernel.org" "netfilter-devel@vger.kernel.org" "pablo@netfilter.org" "wenxu@ucloud.cn"] crash: KASAN: use-after-free Read in seccomp_notify_release IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready 8021q: adding VLAN 0 to HW filter on device batadv0 8021q: adding VLAN 0 to HW filter on device batadv0 8021q: adding VLAN 0 to HW filter on device batadv0 ================================================================== BUG: KASAN: use-after-free in __lock_acquire+0x33ac/0x4760 kernel/locking/lockdep.c:3215 Read of size 8 at addr ffff888076796880 by task syz-executor.5/7938 CPU: 1 PID: 7938 Comm: syz-executor.5 Not tainted 4.20.0+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x113/0x167 lib/dump_stack.c:113 print_address_description.cold.5+0x9/0x1ff mm/kasan/report.c:187 kasan_report.cold.6+0x1b/0x39 mm/kasan/report.c:317 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135 __lock_acquire+0x33ac/0x4760 kernel/locking/lockdep.c:3215 lock_acquire+0x173/0x3d0 kernel/locking/lockdep.c:3841 __mutex_lock_common kernel/locking/mutex.c:925 [inline] __mutex_lock+0xf5/0x1210 kernel/locking/mutex.c:1072 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1087 seccomp_notify_release+0x52/0x240 kernel/seccomp.c:979 __fput+0x24c/0x800 fs/file_table.c:278 ____fput+0x9/0x10 fs/file_table.c:309 task_work_run+0x10e/0x190 kernel/task_work.c:113 tracehook_notify_resume include/linux/tracehook.h:188 [inline] exit_to_usermode_loop+0x1a9/0x200 arch/x86/entry/common.c:166 prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline] syscall_return_slowpath arch/x86/entry/common.c:268 [inline] do_syscall_64+0x40d/0x4e0 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x411381 Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 74 1a 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01 RSP: 002b:00007fff22be2760 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: 0000000000000000 RBX: 0000000000000004 RCX: 0000000000411381 RDX: 0000000000000000 RSI: 00000000007202a8 RDI: 0000000000000003 RBP: 0000000000000001 R08: 00000000007202a0 R09: 0000000000021f8e R10: 00007fff22be2680 R11: 0000000000000293 R12: 0000000000000000 R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000005 Allocated by task 7954: save_stack+0x43/0xd0 mm/kasan/common.c:73 set_track mm/kasan/common.c:85 [inline] kasan_kmalloc+0xcb/0xd0 mm/kasan/common.c:482 kmem_cache_alloc_trace+0x154/0x750 mm/slab.c:3607 kmalloc include/linux/slab.h:545 [inline] kzalloc include/linux/slab.h:740 [inline] seccomp_prepare_filter kernel/seccomp.c:451 [inline] seccomp_prepare_user_filter kernel/seccomp.c:491 [inline] seccomp_set_mode_filter kernel/seccomp.c:1257 [inline] do_seccomp+0x616/0x2330 kernel/seccomp.c:1370 __do_sys_seccomp kernel/seccomp.c:1389 [inline] __se_sys_seccomp kernel/seccomp.c:1386 [inline] __x64_sys_seccomp+0x6e/0xb0 kernel/seccomp.c:1386 do_syscall_64+0xd6/0x4e0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 7954: save_stack+0x43/0xd0 mm/kasan/common.c:73 set_track mm/kasan/common.c:85 [inline] __kasan_slab_free+0x102/0x150 mm/kasan/common.c:444 kasan_slab_free+0xe/0x10 mm/kasan/common.c:452 __cache_free mm/slab.c:3485 [inline] kfree+0xcf/0x230 mm/slab.c:3804 seccomp_filter_free kernel/seccomp.c:565 [inline] seccomp_set_mode_filter kernel/seccomp.c:1311 [inline] do_seccomp+0x92d/0x2330 kernel/seccomp.c:1370 __do_sys_seccomp kernel/seccomp.c:1389 [inline] __se_sys_seccomp kernel/seccomp.c:1386 [inline] __x64_sys_seccomp+0x6e/0xb0 kernel/seccomp.c:1386 do_syscall_64+0xd6/0x4e0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe The buggy address belongs to the object at ffff888076796800 which belongs to the cache kmalloc-192 of size 192 The buggy address is located 128 bytes inside of 192-byte region [ffff888076796800, ffff8880767968c0) The buggy address belongs to the page: page:ffffea0001d9e580 count:1 mapcount:0 mapping:ffff88802d400040 index:0x0 flags: 0x5fffc0000000200(slab) raw: 05fffc0000000200 ffffea0001e8f648 ffff88807e400148 ffff88802d400040 raw: 0000000000000000 ffff888076796000 0000000100000010 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888076796780: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc ffff888076796800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff888076796880: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ^ ffff888076796900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff888076796980: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc ==================================================================