bisecting fixing commit since e44f65fd666c73944d6f2462cea0559ce5508721
building syzkaller on 510951950dc0ee69cfdaf746061d3dbe31b49fd8
testing commit e44f65fd666c73944d6f2462cea0559ce5508721 with gcc (GCC) 8.1.0
kernel signature: 045ab8fb5a2433c8f66c29cbedaf1741189778b1000fe315513806422c1bc6be
all runs: crashed: KASAN: use-after-free Read in __cfg8NUM_wpan_dev_from_attrs
testing current HEAD c1055b76ad00aed0e8b79417080f212d736246b6
testing commit c1055b76ad00aed0e8b79417080f212d736246b6 with gcc (GCC) 8.1.0
kernel signature: 79b3de78f1d798f2e016a62840751c3d69ed33a1471ede9e858bd0a229e17f6f
all runs: OK
# git bisect start c1055b76ad00aed0e8b79417080f212d736246b6 e44f65fd666c73944d6f2462cea0559ce5508721
Bisecting: 1793 revisions left to test after this (roughly 11 steps)
[b807b368c4f9bbdb8410dcc6241d7903094f0bef] mt76: add U-APSD support on AP side
testing commit b807b368c4f9bbdb8410dcc6241d7903094f0bef with gcc (GCC) 8.1.0
kernel signature: 71fc9b2ee6b0d54975d8255e02a9e71d9180ee54eda1915bad64e6622797b766
all runs: OK
# git bisect bad b807b368c4f9bbdb8410dcc6241d7903094f0bef
Bisecting: 852 revisions left to test after this (roughly 10 steps)
[5a764898afec0bc097003e8c3e727792289f76d6] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
testing commit 5a764898afec0bc097003e8c3e727792289f76d6 with gcc (GCC) 8.1.0
kernel signature: da925cdf0c8d8ba68a2fd45bb7cda2734022d1ae1d7eb4d939c8a2c8fc6459fe
all runs: OK
# git bisect bad 5a764898afec0bc097003e8c3e727792289f76d6
Bisecting: 470 revisions left to test after this (roughly 9 steps)
[7fec3ce50a5d3fc54de9c0e9d43682ea9320b199] Merge tag 'pci-v5.8-fixes-1' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci
testing commit 7fec3ce50a5d3fc54de9c0e9d43682ea9320b199 with gcc (GCC) 8.1.0
kernel signature: 93fd12327954ee4c072e39ff146704a8851ad1518e19353d61191ddee5be5a96
run #0: crashed: BUG: stack guard page was hit in corrupted
run #1: crashed: BUG: stack guard page was hit in corrupted
run #2: crashed: BUG: stack guard page was hit in corrupted
run #3: crashed: BUG: stack guard page was hit in corrupted
run #4: crashed: BUG: stack guard page was hit in corrupted
run #5: crashed: BUG: stack guard page was hit in corrupted
run #6: crashed: BUG: stack guard page was hit in corrupted
run #7: crashed: BUG: stack guard page was hit in corrupted
run #8: crashed: BUG: stack guard page was hit in corrupted
run #9: boot failed: can't ssh into the instance
# git bisect good 7fec3ce50a5d3fc54de9c0e9d43682ea9320b199
Bisecting: 235 revisions left to test after this (roughly 8 steps)
[cb24c61b53c3f47d4ba596fe37076202f7189676] Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm
testing commit cb24c61b53c3f47d4ba596fe37076202f7189676 with gcc (GCC) 8.1.0
kernel signature: 51eb96074c9e0d19ee924856c0364443176a8c9a7af07a7f6e4a402a5a897a65
all runs: crashed: BUG: stack guard page was hit in corrupted
# git bisect good cb24c61b53c3f47d4ba596fe37076202f7189676
Bisecting: 117 revisions left to test after this (roughly 7 steps)
[f0b594dfa47555d8d69e6865c882d65a9054cb81] net/mlx5e: Do not include rwlock.h directly
testing commit f0b594dfa47555d8d69e6865c882d65a9054cb81 with gcc (GCC) 8.1.0
kernel signature: 55b93721cced052421f907d48831a9e4a2230627037c9ed20e9cd630544674c0
all runs: OK
# git bisect bad f0b594dfa47555d8d69e6865c882d65a9054cb81
Bisecting: 53 revisions left to test after this (roughly 6 steps)
[e708e2bd55c921f5bb554fa5837d132a878951cf] Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf
testing commit e708e2bd55c921f5bb554fa5837d132a878951cf with gcc (GCC) 8.1.0
kernel signature: bd0cd7a7861f545c9dec2eb1409c86db8818b421ce479a58fe53d5e898ffb464
all runs: OK
# git bisect bad e708e2bd55c921f5bb554fa5837d132a878951cf
Bisecting: 31 revisions left to test after this (roughly 5 steps)
[0433c93dff147fac488d39956ef1ddf34fd76044] Merge branch 'net-ipa-three-bug-fixes'
testing commit 0433c93dff147fac488d39956ef1ddf34fd76044 with gcc (GCC) 8.1.0
kernel signature: eabacf2e919fd88cc9a665c7883b15d89055a5820bfe9f44ee043186a7322b91
all runs: OK
# git bisect bad 0433c93dff147fac488d39956ef1ddf34fd76044
Bisecting: 14 revisions left to test after this (roughly 4 steps)
[33c568ba49e2b0ff7c3daead5d9427be797a4c43] Merge tag 'mac80211-for-net-2020-06-29' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211
testing commit 33c568ba49e2b0ff7c3daead5d9427be797a4c43 with gcc (GCC) 8.1.0
kernel signature: 696dcada8f609213e934a26c1e63073fe00c03fccfd5bdc405843f449c2abe45
all runs: crashed: KASAN: use-after-free Read in __cfg8NUM_wpan_dev_from_attrs
# git bisect good 33c568ba49e2b0ff7c3daead5d9427be797a4c43
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[ab59d2b6982b69a9728296ee3a1f330a72c0383e] net: vti: implement header_ops->parse_protocol for AF_PACKET
testing commit ab59d2b6982b69a9728296ee3a1f330a72c0383e with gcc (GCC) 8.1.0
kernel signature: 69977b9d1cbc8501a0f869687ef45da98ddb251d0a7fe47e4dd9015f1af745fa
all runs: OK
# git bisect bad ab59d2b6982b69a9728296ee3a1f330a72c0383e
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[e53ac93220e002fdf26b2874af6a74f393cd3872] net: ipip: implement header_ops->parse_protocol for AF_PACKET
testing commit e53ac93220e002fdf26b2874af6a74f393cd3872 with gcc (GCC) 8.1.0
kernel signature: 4b618c312c5ba6e4a79d5e44811d32c77ea09ceb20a4d7a62d795b62e910e0f2
all runs: OK
# git bisect bad e53ac93220e002fdf26b2874af6a74f393cd3872
Bisecting: 0 revisions left to test after this (roughly 1 step)
[2606aff916854b61234bf85001be9777bab2d5f8] net: ip_tunnel: add header_ops for layer 3 devices
testing commit 2606aff916854b61234bf85001be9777bab2d5f8 with gcc (GCC) 8.1.0
kernel signature: ecff00f0c47ad3976983b5528136fe0cd8dbe9c9c5be642677f73899ec87100f
all runs: OK
# git bisect bad 2606aff916854b61234bf85001be9777bab2d5f8
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[bf64ff4c2aac65d680dc639a511c781cf6b6ec08] genetlink: get rid of family->attrbuf
testing commit bf64ff4c2aac65d680dc639a511c781cf6b6ec08 with gcc (GCC) 8.1.0
kernel signature: a4e2ca8c774ffee94c331e66bb0bdff97176cc30bd052eb651bc62a0a1fe6bc7
all runs: OK
# git bisect bad bf64ff4c2aac65d680dc639a511c781cf6b6ec08
bf64ff4c2aac65d680dc639a511c781cf6b6ec08 is the first bad commit
commit bf64ff4c2aac65d680dc639a511c781cf6b6ec08
Author: Cong Wang
Date:   Sat Jun 27 00:12:24 2020 -0700

    genetlink: get rid of family->attrbuf

    genl_family_rcv_msg_attrs_parse() reuses the global family->attrbuf
    when family->parallel_ops is false. However, family->attrbuf is not
    protected by any lock on the genl_family_rcv_msg_doit() code path.

    This leads to several different consequences, one of them is UAF,
    like the following:

    genl_family_rcv_msg_doit():
      genl_start():
        genl_family_rcv_msg_attrs_parse()
          attrbuf = family->attrbuf
          __nlmsg_parse(attrbuf);
                                            genl_family_rcv_msg_attrs_parse()
                                              attrbuf = family->attrbuf
                                              __nlmsg_parse(attrbuf);
        info->attrs = attrs;
        cb->data = info;
      netlink_unicast_kernel():
        consume_skb()
                                            genl_lock_dumpit():
                                              genl_dumpit_info(cb)->attrs

    Note family->attrbuf is an array of pointers to the skb data, once
    the skb is freed, any dereference of family->attrbuf will be a UAF.

    Maybe we could serialize the family->attrbuf with genl_mutex too, but
    that would make the locking more complicated. Instead, we can just get
    rid of family->attrbuf and always allocate attrbuf from heap like the
    family->parallel_ops==true code path. This may add some performance
    overhead but comparing with taking the global genl_mutex, it still
    looks better.

    Fixes: 75cdbdd08900 ("net: ieee802154: have genetlink code to parse the attrs during dumpit")
    Fixes: 057af7071344 ("net: tipc: have genetlink code to parse the attrs during dumpit")
    Reported-and-tested-by: syzbot+3039ddf6d7b13daf3787@syzkaller.appspotmail.com
    Reported-and-tested-by: syzbot+80cad1e3cb4c41cde6ff@syzkaller.appspotmail.com
    Reported-and-tested-by: syzbot+736bcbcb11b60d0c0792@syzkaller.appspotmail.com
    Reported-and-tested-by: syzbot+520f8704db2b68091d44@syzkaller.appspotmail.com
    Reported-and-tested-by: syzbot+c96e4dfb32f8987fdeed@syzkaller.appspotmail.com
    Cc: Jiri Pirko
    Signed-off-by: Cong Wang
    Signed-off-by: David S. Miller

 include/net/genetlink.h |  2 --
 net/netlink/genetlink.c | 48 +++++++++++++-----------------------------------
 2 files changed, 13 insertions(+), 37 deletions(-)

culprit signature: a4e2ca8c774ffee94c331e66bb0bdff97176cc30bd052eb651bc62a0a1fe6bc7
parent signature: 696dcada8f609213e934a26c1e63073fe00c03fccfd5bdc405843f449c2abe45
revisions tested: 14, total time: 3h32m30.769180805s (build: 1h20m24.320950642s, test: 2h10m58.610719387s)
first good commit: bf64ff4c2aac65d680dc639a511c781cf6b6ec08 genetlink: get rid of family->attrbuf
recipients (to): ["davem@davemloft.net" "syzbot+3039ddf6d7b13daf3787@syzkaller.appspotmail.com" "syzbot+520f8704db2b68091d44@syzkaller.appspotmail.com" "syzbot+736bcbcb11b60d0c0792@syzkaller.appspotmail.com" "syzbot+80cad1e3cb4c41cde6ff@syzkaller.appspotmail.com" "syzbot+c96e4dfb32f8987fdeed@syzkaller.appspotmail.com" "xiyou.wangcong@gmail.com"]
recipients (cc): []