bisecting fixing commit since 46cf053efec6a3a5f343fead837777efe8252a46
building syzkaller on be5c2c81971442d623dd1b265dabf4644ceeb35b
testing commit 46cf053efec6a3a5f343fead837777efe8252a46 with gcc (GCC) 8.1.0
kernel signature: 8bc4da3a23edfee83e530c7277f42910d4abcbceff0e99be5e30e579b2d86e88
run #0: crashed: KASAN: slab-out-of-bounds Read in j1939_tp_txtimer
run #1: crashed: KASAN: slab-out-of-bounds Read in j1939_tp_txtimer
run #2: crashed: KASAN: use-after-free Read in j1939_tp_txtimer
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
testing current HEAD 9786cab674574239b04df638f825ee0e7d76a48c
testing commit 9786cab674574239b04df638f825ee0e7d76a48c with gcc (GCC) 8.1.0
kernel signature: 362b7cd65fff727d7117432bfe9286af7fb2dd8674eca730537800002524fc6b
run #0: crashed: KASAN: use-after-free Read in j1939_tp_txtimer
run #1: crashed: KASAN: slab-out-of-bounds Read in j1939_tp_txtimer
run #2: crashed: KASAN: slab-out-of-bounds Read in j1939_tp_txtimer
run #3: crashed: KASAN: use-after-free Read in j1939_tp_txtimer
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
revisions tested: 2, total time: 34m59.902082493s (build: 12m1.983877206s, test: 22m13.911426774s)
the crash still happens on HEAD
commit msg: Merge tag 'selinux-pr-20200416' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux
crash: KASAN: use-after-free Read in j1939_tp_txtimer
==================================================================
BUG: KASAN: use-after-free in memcpy include/linux/string.h:381 [inline]
BUG: KASAN: use-after-free in j1939_session_tx_dat net/can/j1939/transport.c:790 [inline]
BUG: KASAN: use-after-free in j1939_xtp_txnext_transmiter net/can/j1939/transport.c:847 [inline]
BUG: KASAN: use-after-free in j1939_tp_txtimer+0x747/0x1690 net/can/j1939/transport.c:1095
Read of size 7 at addr ffff88808e4df917 by task ksoftirqd/0/9

CPU: 0 PID: 9 Comm: ksoftirqd/0 Not tainted 5.7.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x12d/0x187 lib/dump_stack.c:118
 print_address_description.constprop.8.cold.10+0x9/0x31d mm/kasan/report.c:382
 __kasan_report.cold.11+0x37/0x4e mm/kasan/report.c:511
 kasan_report+0x38/0x50 mm/kasan/common.c:625
 check_memory_region_inline mm/kasan/generic.c:187 [inline]
 check_memory_region+0x1cc/0x1f0 mm/kasan/generic.c:193
 memcpy+0x23/0x60 mm/kasan/common.c:106
 memcpy include/linux/string.h:381 [inline]
 j1939_session_tx_dat net/can/j1939/transport.c:790 [inline]
 j1939_xtp_txnext_transmiter net/can/j1939/transport.c:847 [inline]
 j1939_tp_txtimer+0x747/0x1690 net/can/j1939/transport.c:1095
 __run_hrtimer kernel/time/hrtimer.c:1520 [inline]
 __hrtimer_run_queues+0x224/0xc00 kernel/time/hrtimer.c:1584
 hrtimer_run_softirq+0x16c/0x250 kernel/time/hrtimer.c:1601
 __do_softirq+0x262/0xa02 kernel/softirq.c:292
 run_ksoftirqd+0x94/0x100 kernel/softirq.c:604
 smpboot_thread_fn+0x55f/0x8b0 kernel/smpboot.c:165
 kthread+0x354/0x420 kernel/kthread.c:268
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

The buggy address belongs to the page:
page:ffffea00023937c0 refcount:0 mapcount:0 mapping:0000000033f3b049 index:0x0
flags: 0xfffe0000000000()
raw: 00fffe0000000000 ffffea0001de3288 ffffea00024d0748 0000000000000000
raw: 0000000000000000 ffff88808e4df000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88808e4df800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88808e4df880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88808e4df900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                         ^
 ffff88808e4df980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88808e4dfa00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================