bisecting cause commit starting from f8788d86ab28f61f7b46eb6be375f8a726783636
building syzkaller on 59b57593586656c1d5be820aeed0e751087e6ac6
testing commit f8788d86ab28f61f7b46eb6be375f8a726783636 with gcc (GCC) 8.1.0
kernel signature: f085f893762e53f869915e0299e191e53892748424b2d75d57996c496abe8ae9
all runs: crashed: general protection fault in ipvlan_hard_header
testing release v5.5
testing commit d5226fa6dbae0569ee43ecfc08bdcd6770fc4755 with gcc (GCC) 8.1.0
kernel signature: c167ff5b033f8d24eb39576c1fca1d923c7c7a571368f1ac5448f1b4a33f2281
all runs: crashed: general protection fault in macvlan_hard_header
testing release v5.4
testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0
kernel signature: 9fb23c72dc260432df48fed70d8d518fefde80a3a7782247750286fe462abbae
all runs: crashed: general protection fault in macvlan_hard_header
testing release v5.3
testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.1.0
kernel signature: f71f46b07a51c27f557018d7949a6d009d202ea4f45c494d1889d73a369c4975
all runs: crashed: general protection fault in macvlan_hard_header
testing release v5.2
testing commit 0ecfebd2b52404ae0c54a878c872bb93363ada36 with gcc (GCC) 8.1.0
kernel signature: 9e469b0ff9f1bac5076e24283f533196cee30d7a90d0fe41ac1529db31a5583e
all runs: OK
# git bisect start 4d856f72c10ecb060868ed10ff1b1453943fc6c8 0ecfebd2b52404ae0c54a878c872bb93363ada36
Bisecting: 7848 revisions left to test after this (roughly 13 steps)
[43c95d3694cc448fdf50bd53b7ff3a5bb4655883] Merge tag 'pinctrl-v5.3-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl
testing commit 43c95d3694cc448fdf50bd53b7ff3a5bb4655883 with gcc (GCC) 8.1.0
kernel signature: 58d39d75ec50150ca36d4586170b2c9856cd66ee7fbeed7cda4d029e0aebfe69
run #0: crashed: general protection fault in send_hsr_supervision_frame
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 43c95d3694cc448fdf50bd53b7ff3a5bb4655883
Bisecting: 4619 revisions left to test after this (roughly 12 steps)
[8f6ccf6159aed1f04c6d179f61f6fb2691261e84] Merge tag 'clone3-v5.3' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux
testing commit 8f6ccf6159aed1f04c6d179f61f6fb2691261e84 with gcc (GCC) 8.1.0
kernel signature: 68d4bfd3d7e7c5763328272223cadb1cf931315f5235db4ddeb2db5a418c998a
all runs: OK
# git bisect good 8f6ccf6159aed1f04c6d179f61f6fb2691261e84
Bisecting: 2306 revisions left to test after this (roughly 11 steps)
[753c8d9b7d81206bb5d011b28abe829d364b028e] Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
testing commit 753c8d9b7d81206bb5d011b28abe829d364b028e with gcc (GCC) 8.1.0
kernel signature: 1b7f50279f3827ac787f2dc95043427f256cc4dbc95ceb3ed90800b012564c26
run #0: crashed: general protection fault in batadv_iv_ogm_queue_add
run #1: crashed: general protection fault in send_hsr_supervision_frame
run #2: crashed: general protection fault in send_hsr_supervision_frame
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 753c8d9b7d81206bb5d011b28abe829d364b028e
Bisecting: 1156 revisions left to test after this (roughly 10 steps)
[2f9b0d93a9d3ec64558537ab5d7cff820886afa4] net: ethernet: ti: cpsw: Fix suspend/resume break
testing commit 2f9b0d93a9d3ec64558537ab5d7cff820886afa4 with gcc (GCC) 8.1.0
kernel signature: 34c5693a8048797ffad94f6d161529b19f2be18eaac6ff584de8ef6bdc8d9cfc
all runs: OK
# git bisect good 2f9b0d93a9d3ec64558537ab5d7cff820886afa4
Bisecting: 578 revisions left to test after this (roughly 9 steps)
[354d0fab649d47045517cf7cae03d653a4dcb3b8] net: hns3: add default value for tc_size and tc_offset
testing commit 354d0fab649d47045517cf7cae03d653a4dcb3b8 with gcc (GCC) 8.1.0
kernel signature: dc74153765299d028ee3ccc51aa5426d1eff6efeb3d1a31c169763f994fb3795
all runs: OK
# git bisect good 354d0fab649d47045517cf7cae03d653a4dcb3b8
Bisecting: 289 revisions left to test after this (roughly 8 steps)
[52c0609258658ff35b85c654c568a50abd602ac6] bnxt_en: rename some xdp functions
testing commit 52c0609258658ff35b85c654c568a50abd602ac6 with gcc (GCC) 8.1.0
kernel signature: ef1a28eca98bf72bafee97243ab8f79009a0967ca15f9e5a7fb36690eb418b35
run #0: crashed: WARNING: ODEBUG bug in netdev_freemem
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 52c0609258658ff35b85c654c568a50abd602ac6
Bisecting: 163 revisions left to test after this (roughly 7 steps)
[1375da478712369d1af8586768cf476e4f42f0ce] Merge tag 'iwlwifi-next-for-kalle-2019-06-29' of git://git.kernel.org/pub/scm/linux/kernel/git/iwlwifi/iwlwifi-next
testing commit 1375da478712369d1af8586768cf476e4f42f0ce with gcc (GCC) 8.1.0
kernel signature: bd87b569d8cb0b4996d47ebad5870502e16ddc7c9062737f818cb9b8b23d47f7
run #0: crashed: general protection fault in batadv_iv_ogm_queue_add
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 1375da478712369d1af8586768cf476e4f42f0ce
Bisecting: 62 revisions left to test after this (roughly 6 steps)
[e991c4c2998353212adb1c2b7c3052d61fa6c307] mt76: mt7615: update peer's bssid when state transition occurs
testing commit e991c4c2998353212adb1c2b7c3052d61fa6c307 with gcc (GCC) 8.1.0
kernel signature: 1d79606e51d6edebd794b34b4057fb5a99e18cb8b48882cdbf3db6944a0057b0
all runs: OK
# git bisect good e991c4c2998353212adb1c2b7c3052d61fa6c307
Bisecting: 31 revisions left to test after this (roughly 5 steps)
[bd9c519785926c72ff66e1b7218a622ace1da0eb] iwlwifi: remove some unnecessary NULL checks
testing commit bd9c519785926c72ff66e1b7218a622ace1da0eb with gcc (GCC) 8.1.0
kernel signature: 0c2984b4443f412832c12a034697d33edb986616bda3048736e6f25e06a4774d
all runs: OK
# git bisect good bd9c519785926c72ff66e1b7218a622ace1da0eb
Bisecting: 15 revisions left to test after this (roughly 4 steps)
[6c7f70877872afa7574bdc147ea1c46c03ef9d71] iwlwifi: dbg: debug recording stop and restart command remove
testing commit 6c7f70877872afa7574bdc147ea1c46c03ef9d71 with gcc (GCC) 8.1.0
kernel signature: 2395d3cc1a15d6b21261dbe086b06bcfbc99589cf2614a22191dfd41e513f0c1
all runs: OK
# git bisect good 6c7f70877872afa7574bdc147ea1c46c03ef9d71
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[9829a0bd664da613c6b44b210d8f0ab8dba2400b] Merge tag 'mt76-for-kvalo-2019-06-27' of https://github.com/nbd168/wireless
testing commit 9829a0bd664da613c6b44b210d8f0ab8dba2400b with gcc (GCC) 8.1.0
kernel signature: 149243353ba817fbcbc681766b489391ea481d1b9cffd0998ddb2c814d6239cf
run #0: crashed: KASAN: use-after-free Read in batadv_iv_ogm_queue_add
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 9829a0bd664da613c6b44b210d8f0ab8dba2400b
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[81ca02a17404755f4baed82be1fce4604a25848e] mt76: mt76u: get rid of {out,in}_max_packet
testing commit 81ca02a17404755f4baed82be1fce4604a25848e with gcc (GCC) 8.1.0
kernel signature: b727dd65d7efdbd38db8b68a53674af2d66d9266b2927257d8a38e8f9e419576
all runs: OK
# git bisect good 81ca02a17404755f4baed82be1fce4604a25848e
Bisecting: 1 revision left to test after this (roughly 1 step)
[d923cf6bc38a7b174e6b813d1bf72c926539858c] mt76: mt7615: fix sparse warnings: warning: cast from restricted __le16
testing commit d923cf6bc38a7b174e6b813d1bf72c926539858c with gcc (GCC) 8.1.0
kernel signature: f7ff3f84d187dbcd3cf1808c3bff65f2b937bb206c3d64a7cf9c1c2bb397b286
all runs: OK
# git bisect good d923cf6bc38a7b174e6b813d1bf72c926539858c
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[676fabd1d2f089f9fb8bece3476c2ab5584b4a1a] mt76: mt7603: fix sparse warnings: warning: incorrect type in assignment (different base types)
testing commit 676fabd1d2f089f9fb8bece3476c2ab5584b4a1a with gcc (GCC) 8.1.0
kernel signature: b3ed3ecb833bdfd92c617a4833c2465a0c683aca1d5727c0ad669d399497c323
all runs: OK
# git bisect good 676fabd1d2f089f9fb8bece3476c2ab5584b4a1a
9829a0bd664da613c6b44b210d8f0ab8dba2400b is the first bad commit
commit 9829a0bd664da613c6b44b210d8f0ab8dba2400b
Merge: b741422218ef 676fabd1d2f0
Author: Kalle Valo
Date:   Sun Jun 30 12:29:30 2019 +0300

    Merge tag 'mt76-for-kvalo-2019-06-27' of https://github.com/nbd168/wireless

    mt76 patches for 5.3

    * use NAPI polling for tx cleanup on mt7603/mt7615
    * various fixes for mt7615
    * unify some code between mt7603 and mt7615
    * fix locking issues on mt76x02
    * add support for toggling edcca on mt7603
    * fix reading target tx power with ext PA on mt7603/mt7615
    * fix initalizing channel maximum power
    * fix rate control / tx status reporting issues on mt76x02/mt7603
    * add support for eeprom calibration data from mtd on mt7615
    * support configuring tx power on mt7615
    * fix external PA support on mt76x0
    * per-chain signal reporting on mt7615
    * rx/tx buffer fixes for USB devices

 drivers/net/wireless/mediatek/mt76/dma.c           |    1 +
 drivers/net/wireless/mediatek/mt76/mac80211.c      |   62 +-
 drivers/net/wireless/mediatek/mt76/mt76.h          |   23 +-
 drivers/net/wireless/mediatek/mt76/mt7603/core.c   |    2 +-
 .../net/wireless/mediatek/mt76/mt7603/debugfs.c    |   30 +
 drivers/net/wireless/mediatek/mt76/mt7603/dma.c    |   29 +-
 drivers/net/wireless/mediatek/mt76/mt7603/eeprom.h |    2 +
 drivers/net/wireless/mediatek/mt76/mt7603/init.c   |   26 +-
 drivers/net/wireless/mediatek/mt76/mt7603/mac.c    |  191 +--
 drivers/net/wireless/mediatek/mt76/mt7603/main.c   |    8 +-
 drivers/net/wireless/mediatek/mt76/mt7603/mcu.c    |    2 +-
 drivers/net/wireless/mediatek/mt76/mt7603/mt7603.h |   15 +-
 drivers/net/wireless/mediatek/mt76/mt7603/regs.h   |    6 +
 drivers/net/wireless/mediatek/mt76/mt7615/dma.c    |   23 +-
 drivers/net/wireless/mediatek/mt76/mt7615/eeprom.c |   97 +-
 drivers/net/wireless/mediatek/mt76/mt7615/eeprom.h |   61 +
 drivers/net/wireless/mediatek/mt76/mt7615/init.c   |   77 +-
 drivers/net/wireless/mediatek/mt76/mt7615/mac.c    |   85 +-
 drivers/net/wireless/mediatek/mt76/mt7615/mac.h    |    5 +
 drivers/net/wireless/mediatek/mt76/mt7615/main.c   |   52 +-
 drivers/net/wireless/mediatek/mt76/mt7615/mcu.c    | 1265 ++++++++++----------
 drivers/net/wireless/mediatek/mt76/mt7615/mcu.h    |   56 +-
 drivers/net/wireless/mediatek/mt76/mt7615/mt7615.h |   16 +-
 drivers/net/wireless/mediatek/mt76/mt7615/pci.c    |    7 +-
 drivers/net/wireless/mediatek/mt76/mt76x0/init.c   |    5 +-
 drivers/net/wireless/mediatek/mt76/mt76x0/main.c   |    2 +-
 drivers/net/wireless/mediatek/mt76/mt76x0/phy.c    |   13 +-
 drivers/net/wireless/mediatek/mt76/mt76x0/usb.c    |    2 +-
 drivers/net/wireless/mediatek/mt76/mt76x02.h       |    1 -
 .../net/wireless/mediatek/mt76/mt76x02_beacon.c    |    4 +-
 .../net/wireless/mediatek/mt76/mt76x02_debugfs.c   |   10 +-
 drivers/net/wireless/mediatek/mt76/mt76x02_dfs.c   |   18 +-
 drivers/net/wireless/mediatek/mt76/mt76x02_dfs.h   |    2 -
 .../net/wireless/mediatek/mt76/mt76x02_eeprom.h    |    1 +
 drivers/net/wireless/mediatek/mt76/mt76x02_mac.c   |  106 +-
 drivers/net/wireless/mediatek/mt76/mt76x02_mac.h   |    2 +-
 drivers/net/wireless/mediatek/mt76/mt76x02_mmio.c  |   18 +-
 drivers/net/wireless/mediatek/mt76/mt76x02_regs.h  |    3 +
 drivers/net/wireless/mediatek/mt76/mt76x02_txrx.c  |    9 +-
 .../net/wireless/mediatek/mt76/mt76x02_usb_core.c  |   11 +-
 drivers/net/wireless/mediatek/mt76/mt76x2/init.c   |    9 +-
 .../net/wireless/mediatek/mt76/mt76x2/pci_main.c   |   16 +-
 .../net/wireless/mediatek/mt76/mt76x2/pci_phy.c    |    8 +-
 .../net/wireless/mediatek/mt76/mt76x2/usb_init.c   |    2 +-
 .../net/wireless/mediatek/mt76/mt76x2/usb_main.c   |   23 +-
 .../net/wireless/mediatek/mt76/mt76x2/usb_phy.c    |    7 +-
 drivers/net/wireless/mediatek/mt76/usb.c           |   20 +-
 47 files changed, 1422 insertions(+), 1011 deletions(-)

revisions tested: 19, total time: 5h0m51.893753873s (build: 1h55m51.433577066s, test: 3h3m19.426196492s)
first bad commit: 9829a0bd664da613c6b44b210d8f0ab8dba2400b Merge tag 'mt76-for-kvalo-2019-06-27' of https://github.com/nbd168/wireless
cc: ["kvalo@codeaurora.org"]
crash: KASAN: use-after-free Read in batadv_iv_ogm_queue_add
==================================================================
BUG: KASAN: use-after-free in memcpy include/linux/string.h:359 [inline]
BUG: KASAN: use-after-free in batadv_iv_ogm_aggregate_new net/batman-adv/bat_iv_ogm.c:538 [inline]
BUG: KASAN: use-after-free in batadv_iv_ogm_queue_add+0x32f/0xe50 net/batman-adv/bat_iv_ogm.c:634
Read of size 60 at addr ffff88809eef0180 by task kworker/u4:1/21

CPU: 1 PID: 21 Comm: kworker/u4:1 Not tainted 5.2.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: bat_events batadv_iv_send_outstanding_bat_ogm_packet
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x113/0x167 lib/dump_stack.c:113
 print_address_description.cold.5+0x9/0x1ff mm/kasan/report.c:188
 __kasan_report.cold.6+0x1b/0x39 mm/kasan/report.c:317
 kasan_report+0x12/0x20 mm/kasan/common.c:614
 check_memory_region_inline mm/kasan/generic.c:185 [inline]
 check_memory_region+0x13e/0x1b0 mm/kasan/generic.c:191
 memcpy+0x23/0x50 mm/kasan/common.c:124
 memcpy include/linux/string.h:359 [inline]
 batadv_iv_ogm_aggregate_new net/batman-adv/bat_iv_ogm.c:538 [inline]
 batadv_iv_ogm_queue_add+0x32f/0xe50 net/batman-adv/bat_iv_ogm.c:634
 batadv_iv_ogm_schedule+0xb60/0xe90 net/batman-adv/bat_iv_ogm.c:807
 batadv_iv_send_outstanding_bat_ogm_packet+0x4a2/0x790 net/batman-adv/bat_iv_ogm.c:1669
 process_one_work+0x830/0x16a0 kernel/workqueue.c:2269
 worker_thread+0x85/0xb60 kernel/workqueue.c:2415
 kthread+0x324/0x3e0 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Allocated by task 21:
 save_stack+0x21/0x90 mm/kasan/common.c:71
 set_track mm/kasan/common.c:79 [inline]
 __kasan_kmalloc.constprop.12+0xc7/0xd0 mm/kasan/common.c:489
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:503
 __do_kmalloc mm/slab.c:3660 [inline]
 __kmalloc+0x15d/0x760 mm/slab.c:3669
 kmalloc include/linux/slab.h:552 [inline]
 batadv_tvlv_realloc_packet_buff net/batman-adv/tvlv.c:277 [inline]
 batadv_tvlv_container_ogm_append+0x16f/0x4b0 net/batman-adv/tvlv.c:318
 batadv_iv_ogm_schedule+0xc53/0xe90 net/batman-adv/bat_iv_ogm.c:770
 batadv_iv_send_outstanding_bat_ogm_packet+0x4a2/0x790 net/batman-adv/bat_iv_ogm.c:1669
 process_one_work+0x830/0x16a0 kernel/workqueue.c:2269
 worker_thread+0x85/0xb60 kernel/workqueue.c:2415
 kthread+0x324/0x3e0 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Freed by task 7984:
 save_stack+0x21/0x90 mm/kasan/common.c:71
 set_track mm/kasan/common.c:79 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:451
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:459
 __cache_free mm/slab.c:3432 [inline]
 kfree+0xcf/0x220 mm/slab.c:3755
 batadv_iv_ogm_iface_disable+0x34/0x70 net/batman-adv/bat_iv_ogm.c:220
 batadv_hardif_disable_interface.cold.23+0x5a8/0xc32 net/batman-adv/hard-interface.c:871
 batadv_softif_slave_del+0x4e/0x90 net/batman-adv/soft-interface.c:922
 do_set_master+0xbb/0x200 net/core/rtnetlink.c:2355
 do_setlink+0x95a/0x2db0 net/core/rtnetlink.c:2504
 rtnl_group_changelink net/core/rtnetlink.c:2978 [inline]
 __rtnl_newlink+0x889/0x13f0 net/core/rtnetlink.c:3134
 rtnl_newlink+0x61/0x90 net/core/rtnetlink.c:3254
 rtnetlink_rcv_msg+0x34f/0x8f0 net/core/rtnetlink.c:5223
 netlink_rcv_skb+0x13c/0x380 net/netlink/af_netlink.c:2477
 rtnetlink_rcv+0x10/0x20 net/core/rtnetlink.c:5241
 netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
 netlink_unicast+0x43b/0x640 net/netlink/af_netlink.c:1328
 netlink_sendmsg+0x765/0xc40 net/netlink/af_netlink.c:1917
 sock_sendmsg_nosec net/socket.c:646 [inline]
 sock_sendmsg+0xb5/0xf0 net/socket.c:665
 ___sys_sendmsg+0x647/0x950 net/socket.c:2286
 __sys_sendmsg+0xd9/0x180 net/socket.c:2324
 __do_sys_sendmsg net/socket.c:2333 [inline]
 __se_sys_sendmsg net/socket.c:2331 [inline]
 __x64_sys_sendmsg+0x73/0xb0 net/socket.c:2331
 do_syscall_64+0xd0/0x530 arch/x86/entry/common.c:301
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff88809eef0180
 which belongs to the cache kmalloc-64 of size 64
The buggy address is located 0 bytes inside of
 64-byte region [ffff88809eef0180, ffff88809eef01c0)
The buggy address belongs to the page:
page:ffffea00027bbc00 refcount:1 mapcount:0 mapping:ffff8880aa400340 index:0x0
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea0002277188 ffffea00026a2008 ffff8880aa400340
raw: 0000000000000000 ffff88809eef0000 0000000100000020 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88809eef0080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88809eef0100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88809eef0180: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
                   ^
 ffff88809eef0200: 00 00 00 00 00 04 fc fc fc fc fc fc fc fc fc fc
 ffff88809eef0280: 00 00 00 00 01 fc fc fc fc fc fc fc fc fc fc fc
==================================================================