bisecting cause commit starting from dda18a5c0b75461d1ed228f80b59c67434b8d601
building syzkaller on 67fa1f59b87fed7268b465f7e9540a590a250c65
testing commit dda18a5c0b75461d1ed228f80b59c67434b8d601 with gcc (GCC) 8.1.0
kernel signature: f5b244ed5aaadb415ee8e2e6b035585d02bd23763190e7053a9209114dc0a296
all runs: crashed: KASAN: slab-out-of-bounds Read in br_mrp_parse
testing release v5.6
testing commit 7111951b8d4973bda27ff663f2cf18b663d15b48 with gcc (GCC) 8.1.0
kernel signature: 4777c7e059f9daa09f2416de3d7beb5c1c118172d9db22bf4781d1eb159439af
all runs: OK
# git bisect start dda18a5c0b75461d1ed228f80b59c67434b8d601 7111951b8d4973bda27ff663f2cf18b663d15b48
Bisecting: 7910 revisions left to test after this (roughly 13 steps)
[6cad420cc695867b4ca710bac21fde21a4102e4b] Merge branch 'akpm' (patches from Andrew)
testing commit 6cad420cc695867b4ca710bac21fde21a4102e4b with gcc (GCC) 8.1.0
kernel signature: 317b834d7d2a65f35e0d82ad56742ff908e82cf3d5460934617072a2adc00fec
all runs: OK
# git bisect good 6cad420cc695867b4ca710bac21fde21a4102e4b
Bisecting: 3951 revisions left to test after this (roughly 12 steps)
[78b877113f6ed39c96f2e78b8e1fbb13c225377a] Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf
testing commit 78b877113f6ed39c96f2e78b8e1fbb13c225377a with gcc (GCC) 8.1.0
kernel signature: d3dc4bcb1825cb5faf609886c7532fea9a51dbd117193d13d52a855a5d5df989
all runs: OK
# git bisect good 78b877113f6ed39c96f2e78b8e1fbb13c225377a
Bisecting: 1975 revisions left to test after this (roughly 11 steps)
[72d3fef16158b9c1852855a3846757ec165c16e1] net/mlx5: IPsec, Fix coverity issue
testing commit 72d3fef16158b9c1852855a3846757ec165c16e1 with gcc (GCC) 8.1.0
kernel signature: a34b9576d6dbdd6bcb99b69d583311661cb4c088c047aba502f9cf47e9a9a955
all runs: crashed: KASAN: slab-out-of-bounds Read in br_mrp_parse
# git bisect bad 72d3fef16158b9c1852855a3846757ec165c16e1
Bisecting: 987 revisions left to test after this (roughly 10 steps)
[b9663b7ca6ff780555108394c9c1b409f63b99a7] net: stmmac: Enable SERDES power up/down sequence
testing commit b9663b7ca6ff780555108394c9c1b409f63b99a7 with gcc (GCC) 8.1.0
kernel signature: ce66074e2ba83170e7300d7106094c3933f7771d241a051b6a86ef9c24034979
all runs: OK
# git bisect good b9663b7ca6ff780555108394c9c1b409f63b99a7
Bisecting: 516 revisions left to test after this (roughly 9 steps)
[5ef58e29078261ef5195c7fee74768546b863182] Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi
testing commit 5ef58e29078261ef5195c7fee74768546b863182 with gcc (GCC) 8.1.0
kernel signature: 4ace3e6f0ad16ca1574d96d413b990d698edc06a5d61e5050c42b4f047db87dc
all runs: OK
# git bisect good 5ef58e29078261ef5195c7fee74768546b863182
Bisecting: 285 revisions left to test after this (roughly 8 steps)
[6033cebdfff9b10192eb254e8cc60fedd595ea7f] ptp: idt82p33: remove unnecessary comparison
testing commit 6033cebdfff9b10192eb254e8cc60fedd595ea7f with gcc (GCC) 8.1.0
kernel signature: 3c998537d48a94eefd0c9722ab87e085f5d53257a831d79290d990320d877c90
all runs: OK
# git bisect good 6033cebdfff9b10192eb254e8cc60fedd595ea7f
Bisecting: 142 revisions left to test after this (roughly 7 steps)
[47fa15eae487f3f454d004894671ebea53e77bde] mlxsw: spectrum_matchall: Move ingress indication into mall_entry
testing commit 47fa15eae487f3f454d004894671ebea53e77bde with gcc (GCC) 8.1.0
kernel signature: 36a98ca7bc49df92c570ccdc45f523561c1748ba49de46f71dffb236c4648284
all runs: crashed: KASAN: slab-out-of-bounds Read in br_mrp_parse
# git bisect bad 47fa15eae487f3f454d004894671ebea53e77bde
Bisecting: 69 revisions left to test after this (roughly 6 steps)
[167ff131cb3dffccab8bb4d65a8d72e7c5ffc398] Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf
testing commit 167ff131cb3dffccab8bb4d65a8d72e7c5ffc398 with gcc (GCC) 8.1.0
kernel signature: 2765cbd054426eda04c760de49ba9f89281c4d99a17c2d031f32abe99d256d68
all runs: OK
# git bisect good 167ff131cb3dffccab8bb4d65a8d72e7c5ffc398
Bisecting: 34 revisions left to test after this (roughly 5 steps)
[163749ad8436b3206709172406d68869c40bc176] qlcnic: remove unused inline function qlcnic_hw_write_wx_2M
testing commit 163749ad8436b3206709172406d68869c40bc176 with gcc (GCC) 8.1.0
kernel signature: 43fb3ae5ef556067328d56dd51f9f91768581ac13a414ea23ead369f43dc80d1
all runs: OK
# git bisect good 163749ad8436b3206709172406d68869c40bc176
Bisecting: 17 revisions left to test after this (roughly 4 steps)
[2f1a11ae11d222b3a3b41d09a85cb2bf8f83db49] bridge: mrp: Add MRP interface.
testing commit 2f1a11ae11d222b3a3b41d09a85cb2bf8f83db49 with gcc (GCC) 8.1.0
kernel signature: 68e714b1cf22534d5a33b1632dc1e77f5169cb533d920ae52af5b0828294bb2f
all runs: OK
# git bisect good 2f1a11ae11d222b3a3b41d09a85cb2bf8f83db49
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[10478283f210e64ac682083083437dd5f89b7c4a] r8169: improve configuring RxConfig register
testing commit 10478283f210e64ac682083083437dd5f89b7c4a with gcc (GCC) 8.1.0
kernel signature: 0195a24a3f4d2434df9fe97f8caa7359d4eec7aaa2cbe72644785d92989d8bb8
all runs: crashed: KASAN: slab-out-of-bounds Read in br_mrp_parse
# git bisect bad 10478283f210e64ac682083083437dd5f89b7c4a
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[4d02b8f075153508562803e590f76c4dfe5f4b66] bridge: mrp: Implement netlink interface to configure MRP
testing commit 4d02b8f075153508562803e590f76c4dfe5f4b66 with gcc (GCC) 8.1.0
kernel signature: 232887286089fd9e16875396f6f11e288cc0683e1c708ca6e9f28f2e2d3b6cdf
all runs: OK
# git bisect good 4d02b8f075153508562803e590f76c4dfe5f4b66
Bisecting: 2 revisions left to test after this (roughly 1 step)
[419dba8a49d7cc355e5b495d20dea8217369ed63] net: bridge: Add checks for enabling the STP.
testing commit 419dba8a49d7cc355e5b495d20dea8217369ed63 with gcc (GCC) 8.1.0
kernel signature: 83a36df9e3f28f6bd719afa33d57fd518834bfe234125e5e36e6bb9b571289bb
all runs: crashed: KASAN: slab-out-of-bounds Read in br_mrp_parse
# git bisect bad 419dba8a49d7cc355e5b495d20dea8217369ed63
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[6536993371fab3de4e8379649b60e94d03e6ff37] bridge: mrp: Integrate MRP into the bridge
testing commit 6536993371fab3de4e8379649b60e94d03e6ff37 with gcc (GCC) 8.1.0
kernel signature: 595adb64da2c2414dd7ce98b9d2f627b9cb3fd8de77856b0d4278e86a32513b0
run #0: crashed: KASAN: slab-out-of-bounds Read in br_mrp_parse
run #1: crashed: KASAN: slab-out-of-bounds Read in br_mrp_parse
run #2: crashed: KASAN: slab-out-of-bounds Read in br_mrp_parse
run #3: crashed: KASAN: slab-out-of-bounds Read in br_mrp_parse
run #4: crashed: KASAN: slab-out-of-bounds Read in br_mrp_parse
run #5: crashed: KASAN: slab-out-of-bounds Read in br_mrp_parse
run #6: crashed: KASAN: slab-out-of-bounds Read in br_mrp_parse
run #7: crashed: KASAN: slab-out-of-bounds Read in br_mrp_parse
run #8: crashed: KASAN: slab-out-of-bounds Read in br_mrp_parse
run #9: boot failed: BUG: Invalid wait context ]
# git bisect bad 6536993371fab3de4e8379649b60e94d03e6ff37
6536993371fab3de4e8379649b60e94d03e6ff37 is the first bad commit
commit 6536993371fab3de4e8379649b60e94d03e6ff37
Author: Horatiu Vultur <horatiu.vultur@microchip.com>
Date:   Sun Apr 26 15:22:07 2020 +0200

    bridge: mrp: Integrate MRP into the bridge
    
    To integrate MRP into the bridge, the bridge needs to do the following:
    - detect if the MRP frame was received on MRP ring port in that case it would be
      processed otherwise just forward it as usual.
    - enable parsing of MRP
    - before whenever the bridge was set up, it would set all the ports in
      forwarding state. Add an extra check to not set ports in forwarding state if
      the port is an MRP ring port. The reason of this change is that if the MRP
      instance initially sets the port in blocked state by setting the bridge up it
      would overwrite this setting.
    
    Reviewed-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
    Signed-off-by: Horatiu Vultur <horatiu.vultur@microchip.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/bridge/br_device.c  |  3 +++
 net/bridge/br_if.c      |  2 ++
 net/bridge/br_input.c   |  3 +++
 net/bridge/br_netlink.c |  5 +++++
 net/bridge/br_private.h | 31 +++++++++++++++++++++++++++++++
 5 files changed, 44 insertions(+)
culprit signature: 595adb64da2c2414dd7ce98b9d2f627b9cb3fd8de77856b0d4278e86a32513b0
parent  signature: 232887286089fd9e16875396f6f11e288cc0683e1c708ca6e9f28f2e2d3b6cdf
revisions tested: 16, total time: 3h45m4.663372054s (build: 1h36m12.110926125s, test: 2h7m36.429035084s)
first bad commit: 6536993371fab3de4e8379649b60e94d03e6ff37 bridge: mrp: Integrate MRP into the bridge
cc: ["davem@davemloft.net" "horatiu.vultur@microchip.com" "nikolay@cumulusnetworks.com"]
crash: KASAN: slab-out-of-bounds Read in br_mrp_parse
==================================================================
BUG: KASAN: slab-out-of-bounds in br_mrp_parse+0x277/0x3a0 net/bridge/br_mrp_netlink.c:30
Read of size 4 at addr ffff888092996f5c by task syz-executor.0/8584

CPU: 0 PID: 8584 Comm: syz-executor.0 Not tainted 5.7.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x128/0x182 lib/dump_stack.c:118
 print_address_description.constprop.8.cold.10+0x9/0x317 mm/kasan/report.c:382
 __kasan_report.cold.11+0x35/0x4d mm/kasan/report.c:511
 kasan_report+0x32/0x50 mm/kasan/common.c:625
 br_mrp_parse+0x277/0x3a0 net/bridge/br_mrp_netlink.c:30
 br_afspec+0x316/0x3d0 net/bridge/br_netlink.c:676
 br_setlink+0x33c/0x4c0 net/bridge/br_netlink.c:933
 rtnl_bridge_setlink+0x214/0x6e0 net/core/rtnetlink.c:4803
 rtnetlink_rcv_msg+0x346/0x8c0 net/core/rtnetlink.c:5461
 netlink_rcv_skb+0x119/0x340 net/netlink/af_netlink.c:2469
 netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline]
 netlink_unicast+0x434/0x630 net/netlink/af_netlink.c:1329
 netlink_sendmsg+0x714/0xc60 net/netlink/af_netlink.c:1918
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg+0xac/0xe0 net/socket.c:672
 ____sys_sendmsg+0x554/0x760 net/socket.c:2362
 ___sys_sendmsg+0xe4/0x160 net/socket.c:2416
 __sys_sendmsg+0xce/0x170 net/socket.c:2449
 do_syscall_64+0xc6/0x620 arch/x86/entry/common.c:295
 entry_SYSCALL_64_after_hwframe+0x49/0xb3
RIP: 0033:0x45ca29
Code: 0d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f3602a0ac78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000500d80 RCX: 000000000045ca29
RDX: 0000000000000000 RSI: 0000000020000240 RDI: 0000000000000003
RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000009fd R14: 00000000004ccd59 R15: 00007f3602a0b6d4

Allocated by task 7340:
 save_stack+0x19/0x40 mm/kasan/common.c:49
 set_track mm/kasan/common.c:57 [inline]
 __kasan_kmalloc.constprop.17+0xc1/0xd0 mm/kasan/common.c:495
 kvmalloc include/linux/mm.h:757 [inline]
 kvzalloc include/linux/mm.h:765 [inline]
 alloc_netdev_mqs+0x5a/0xd00 net/core/dev.c:9821
 rtnl_create_link+0x1e5/0xb60 net/core/rtnetlink.c:3068
 __rtnl_newlink+0xb22/0x1250 net/core/rtnetlink.c:3330
 rtnl_newlink+0x5c/0x80 net/core/rtnetlink.c:3398
 rtnetlink_rcv_msg+0x346/0x8c0 net/core/rtnetlink.c:5461
 netlink_rcv_skb+0x119/0x340 net/netlink/af_netlink.c:2469
 netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline]
 netlink_unicast+0x434/0x630 net/netlink/af_netlink.c:1329
 netlink_sendmsg+0x714/0xc60 net/netlink/af_netlink.c:1918
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg+0xac/0xe0 net/socket.c:672
 __sys_sendto+0x1d9/0x2b0 net/socket.c:2000
 __do_sys_sendto net/socket.c:2012 [inline]
 __se_sys_sendto net/socket.c:2008 [inline]
 __x64_sys_sendto+0xd8/0x1b0 net/socket.c:2008
 do_syscall_64+0xc6/0x620 arch/x86/entry/common.c:295
 entry_SYSCALL_64_after_hwframe+0x49/0xb3

Freed by task 1:
 save_stack+0x19/0x40 mm/kasan/common.c:49
 set_track mm/kasan/common.c:57 [inline]
 kasan_set_free_info mm/kasan/common.c:317 [inline]
 __kasan_slab_free+0xf7/0x140 mm/kasan/common.c:456
 __cache_free mm/slab.c:3426 [inline]
 kfree+0x107/0x2b0 mm/slab.c:3757
 tomoyo_realpath_from_path+0x145/0x670 security/tomoyo/realpath.c:289
 tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
 tomoyo_path_perm+0x1fa/0x370 security/tomoyo/file.c:822
 security_inode_getattr+0xab/0x100 security/security.c:1273
 vfs_getattr+0x17/0x40 fs/stat.c:117
 vfs_statx+0xcb/0x130 fs/stat.c:201
 vfs_lstat include/linux/fs.h:3284 [inline]
 __do_sys_newlstat+0x77/0xd0 fs/stat.c:364
 do_syscall_64+0xc6/0x620 arch/x86/entry/common.c:295
 entry_SYSCALL_64_after_hwframe+0x49/0xb3

The buggy address belongs to the object at ffff888092996000
 which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 3932 bytes inside of
 4096-byte region [ffff888092996000, ffff888092997000)
The buggy address belongs to the page:
page:ffffea00024a6580 refcount:1 mapcount:0 mapping:00000000e0c12e3c index:0x0 head:ffffea00024a6580 order:1 compound_mapcount:0
flags: 0xfffe0000010200(slab|head)
raw: 00fffe0000010200 ffffea00027dba08 ffffea00024a2688 ffff8880aa402000
raw: 0000000000000000 ffff888092996000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888092996e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888092996e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888092996f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                                    ^
 ffff888092996f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888092997000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================