bisecting cause commit starting from 83bdc7275e6206f560d247be856bceba3e1ed8f2
building syzkaller on 8df85ed9883abc2a200858f44f22c11c602d218a
testing commit 83bdc7275e6206f560d247be856bceba3e1ed8f2 with gcc (GCC) 8.1.0
kernel signature: d2eb7ad465fe065a2d07c4575eb535df6f461daaacabd2ab51c64fca5a64a88c
run #0: crashed: unexpected kernel reboot
run #1: crashed: unexpected kernel reboot
run #2: crashed: unexpected kernel reboot
run #3: crashed: INFO: trying to register non-static key in psi_group_change
run #4: crashed: INFO: trying to register non-static key in psi_group_change
run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in update_curr
run #6: crashed: unexpected kernel reboot
run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in add_grec
run #8: crashed: BUG: unable to handle kernel paging request in qrtr_endpoint_post
run #9: boot failed: can't ssh into the instance
testing release v5.7
testing commit 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162 with gcc (GCC) 8.1.0
kernel signature: 720156a0d78a58f1dd578c7cc6da737760e109533dca3ef1c08ac4a5e0a4454a
all runs: OK
# git bisect start 83bdc7275e6206f560d247be856bceba3e1ed8f2 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162
Bisecting: 8674 revisions left to test after this (roughly 13 steps)
[886d7de631da71e30909980fdbf318f7caade262] Merge branch 'akpm' (patches from Andrew)
testing commit 886d7de631da71e30909980fdbf318f7caade262 with gcc (GCC) 8.1.0
kernel signature: 042db4c52b9f53420b9bf8932d6e9484dfd5a381e659a7782def60623e53ab63
run #0: crashed: KASAN: slab-out-of-bounds Read in qrtr_endpoint_post
run #1: crashed: KASAN: slab-out-of-bounds Read in qrtr_endpoint_post
run #2: crashed: KASAN: slab-out-of-bounds Read in qrtr_endpoint_post
run #3: crashed: KASAN: slab-out-of-bounds Read in qrtr_endpoint_post
run #4: crashed: KASAN: slab-out-of-bounds Read in qrtr_endpoint_post
run #5: crashed: BUG: unable to handle kernel paging request in qrtr_endpoint_post
run #6: crashed: KASAN: slab-out-of-bounds Read in qrtr_endpoint_post
run #7: crashed: KASAN: slab-out-of-bounds Read in qrtr_endpoint_post
run #8: crashed: KASAN: slab-out-of-bounds Read in qrtr_endpoint_post
run #9: crashed: KASAN: slab-out-of-bounds Read in qrtr_endpoint_post
# git bisect bad 886d7de631da71e30909980fdbf318f7caade262
Bisecting: 4325 revisions left to test after this (roughly 12 steps)
[039aeb9deb9291f3b19c375a8bc6fa7f768996cc] Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm
testing commit 039aeb9deb9291f3b19c375a8bc6fa7f768996cc with gcc (GCC) 8.1.0
kernel signature: f06ce1e7d812534081cf702a9fe422e8b8af95196f76a0bc4d96ab5cd109f16e
all runs: OK
# git bisect good 039aeb9deb9291f3b19c375a8bc6fa7f768996cc
Bisecting: 2162 revisions left to test after this (roughly 11 steps)
[9785b92b4443f2862495c9aa0ee8caed6f43523d] mlxsw: spectrum: Add packet traps for BFD packets
testing commit 9785b92b4443f2862495c9aa0ee8caed6f43523d with gcc (GCC) 8.1.0
kernel signature: e35b6f23a986439aeb1719fb5a98eb29984ab4a5766854d921b908a4c01d8a1a
all runs: crashed: KASAN: slab-out-of-bounds Read in qrtr_endpoint_post
# git bisect bad 9785b92b4443f2862495c9aa0ee8caed6f43523d
Bisecting: 1049 revisions left to test after this (roughly 10 steps)
[5d9e4722c74e8868d5fe2f8749de80928eb4a1d1] Merge tag 'wireless-drivers-next-2020-05-07' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers-next
testing commit 5d9e4722c74e8868d5fe2f8749de80928eb4a1d1 with gcc (GCC) 8.1.0
kernel signature: f5a6318684ec94045820281592aa982cf8693f6e68312c8de6514226b3b093cd
all runs: crashed: KASAN: slab-out-of-bounds Read in qrtr_endpoint_post
# git bisect bad 5d9e4722c74e8868d5fe2f8749de80928eb4a1d1
Bisecting: 556 revisions left to test after this (roughly 9 steps)
[da4063bdfcfa70ec57a6c25f772ac6378b1584ad] netlink: allow NLA_MSECS to have range validation
testing commit da4063bdfcfa70ec57a6c25f772ac6378b1584ad with gcc (GCC) 8.1.0
kernel signature: 832284dae29af517566df78d0bf4280259feae3b2a699576c8ceabfe7bdb6487
all runs: OK
# git bisect good da4063bdfcfa70ec57a6c25f772ac6378b1584ad
Bisecting: 278 revisions left to test after this (roughly 8 steps)
[58618ef85546726cf27c38ddc1b022c703b7a6ad] net: nxp: Fix use correct return type for ndo_start_xmit()
testing commit 58618ef85546726cf27c38ddc1b022c703b7a6ad with gcc (GCC) 8.1.0
kernel signature: 4a1b1a5eba8eda999b6fc6992f9644ba6f03e1843ddb34aefe69b06c2bd90399
all runs: OK
# git bisect good 58618ef85546726cf27c38ddc1b022c703b7a6ad
Bisecting: 150 revisions left to test after this (roughly 7 steps)
[cbb1404f65414130fb89e52a97b9d853d303dc5c] rtlwifi: rtl8188ee: remove Comparison to bool in rf.c
testing commit cbb1404f65414130fb89e52a97b9d853d303dc5c with gcc (GCC) 8.1.0
kernel signature: a005b0ebd813bacf13e058fe26353887934026fd683f4e83715aa1bd1e5b22ee
all runs: OK
# git bisect good cbb1404f65414130fb89e52a97b9d853d303dc5c
Bisecting: 75 revisions left to test after this (roughly 6 steps)
[f30dcb7dcb1aa925dfc83923c580a53c975b754b] net: ipa: kill ipa_endpoint_stop()
testing commit f30dcb7dcb1aa925dfc83923c580a53c975b754b with gcc (GCC) 8.1.0
kernel signature: 38d699da716c791d68926a7de76cdae41e2558884520a021b2f5c7ea026ba52b
run #0: OK
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: boot failed: can't ssh into the instance
# git bisect good f30dcb7dcb1aa925dfc83923c580a53c975b754b
Bisecting: 37 revisions left to test after this (roughly 5 steps)
[d431f8939c1419854dfe89dd345387f5397c6edd] ath10k: remove the max_sched_scan_reqs value
testing commit d431f8939c1419854dfe89dd345387f5397c6edd with gcc (GCC) 8.1.0
kernel signature: 0fd740bbe46e5aa2bc0634085688ffc24c763c17e74fabd2c27591699a7f40ae
all runs: OK
# git bisect good d431f8939c1419854dfe89dd345387f5397c6edd
Bisecting: 18 revisions left to test after this (roughly 4 steps)
[7f960633a458136d168f2049508d39cba8be55bd] net: encx24j600: make encx24j600_hw_init() return void
testing commit 7f960633a458136d168f2049508d39cba8be55bd with gcc (GCC) 8.1.0
kernel signature: 0fc0154b9e15453a24bad3ddb8df84efec0681fefcd49757cb7e829501e79073
all runs: OK
# git bisect good 7f960633a458136d168f2049508d39cba8be55bd
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[d7d43782d541edb8596d2f4fc7f41b0734948ec5] ath11k: fix kernel panic by freeing the msdu received with invalid length
testing commit d7d43782d541edb8596d2f4fc7f41b0734948ec5 with gcc (GCC) 8.1.0
kernel signature: 24ee1ce0dc4b0e1a7da79815d4847e4e35efc223bff35f3c7c39f5c59f5da318
all runs: OK
# git bisect good d7d43782d541edb8596d2f4fc7f41b0734948ec5
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[3031a86ebd3f9c818486dd7433f121c27ef23188] Merge branch 'Add-QRTR-MHI-client-driver'
testing commit 3031a86ebd3f9c818486dd7433f121c27ef23188 with gcc (GCC) 8.1.0
kernel signature: d2fb8118b8fb0fe0501d40b06afc9bf0e82207f6f6fd73be5a0c2ea8c8747476
all runs: crashed: KASAN: slab-out-of-bounds Read in qrtr_endpoint_post
# git bisect bad 3031a86ebd3f9c818486dd7433f121c27ef23188
Bisecting: 2 revisions left to test after this (roughly 1 step)
[0932969e0b1b6ba54028b35b80148302e8fe7db8] via-rhine: Add platform dependencies
testing commit 0932969e0b1b6ba54028b35b80148302e8fe7db8 with gcc (GCC) 8.1.0
kernel signature: 0b4cec74434c36b61af33caeff0b4724143768fcb462a8219ddf9ff4e8587277
all runs: OK
# git bisect good 0932969e0b1b6ba54028b35b80148302e8fe7db8
Bisecting: 0 revisions left to test after this (roughly 1 step)
[e42671084361302141a09284fde9bbc14fdd16bf] net: qrtr: Do not depend on ARCH_QCOM
testing commit e42671084361302141a09284fde9bbc14fdd16bf with gcc (GCC) 8.1.0
kernel signature: 6ed3915606709bcfd603215e25b07a7ba5aa2d631d6b1bc52b1328ff5c886f9f
all runs: crashed: KASAN: slab-out-of-bounds Read in qrtr_endpoint_post
# git bisect bad e42671084361302141a09284fde9bbc14fdd16bf
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[6e728f321393b1fce9e1c2c3e55f9f7c15991321] net: qrtr: Add MHI transport layer
testing commit 6e728f321393b1fce9e1c2c3e55f9f7c15991321 with gcc (GCC) 8.1.0
kernel signature: 31beb03d06ca0f97605da7427050a9d7a833e8a7eeaa48a88dd768b2e59f65f4
all runs: OK
# git bisect good 6e728f321393b1fce9e1c2c3e55f9f7c15991321
e42671084361302141a09284fde9bbc14fdd16bf is the first bad commit
commit e42671084361302141a09284fde9bbc14fdd16bf
Author: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Date:   Thu May 7 18:23:06 2020 +0530

    net: qrtr: Do not depend on ARCH_QCOM
    
    IPC Router protocol is also used by external modems for exchanging the QMI
    messages. Hence, it doesn't always depend on Qualcomm platforms. One such
    instance is the QCA6390 WLAN device connected to x86 machine.
    
    Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
    Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/qrtr/Kconfig | 1 -
 1 file changed, 1 deletion(-)
culprit signature: 6ed3915606709bcfd603215e25b07a7ba5aa2d631d6b1bc52b1328ff5c886f9f
parent  signature: 31beb03d06ca0f97605da7427050a9d7a833e8a7eeaa48a88dd768b2e59f65f4
revisions tested: 17, total time: 3h58m6.815128351s (build: 1h37m59.521638906s, test: 2h18m24.23993803s)
first bad commit: e42671084361302141a09284fde9bbc14fdd16bf net: qrtr: Do not depend on ARCH_QCOM
recipients (to): ["bjorn.andersson@linaro.org" "davem@davemloft.net" "manivannan.sadhasivam@linaro.org"]
recipients (cc): []
crash: KASAN: slab-out-of-bounds Read in qrtr_endpoint_post
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:381 [inline]
BUG: KASAN: slab-out-of-bounds in skb_put_data include/linux/skbuff.h:2286 [inline]
BUG: KASAN: slab-out-of-bounds in qrtr_endpoint_post+0x545/0x1020 net/qrtr/qrtr.c:486
Read of size 4294967294 at addr ffff8880a7f46a10 by task syz-executor.2/8460

CPU: 1 PID: 8460 Comm: syz-executor.2 Not tainted 5.7.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x128/0x182 lib/dump_stack.c:118
 print_address_description.constprop.8.cold.10+0x9/0x317 mm/kasan/report.c:382
 __kasan_report.cold.11+0x35/0x4d mm/kasan/report.c:511
 kasan_report+0x32/0x50 mm/kasan/common.c:625
 check_memory_region_inline mm/kasan/generic.c:187 [inline]
 check_memory_region+0x1c1/0x1e0 mm/kasan/generic.c:193
 memcpy+0x1f/0x60 mm/kasan/common.c:106
 memcpy include/linux/string.h:381 [inline]
 skb_put_data include/linux/skbuff.h:2286 [inline]
 qrtr_endpoint_post+0x545/0x1020 net/qrtr/qrtr.c:486
 qrtr_tun_write_iter+0xc2/0x120 net/qrtr/tun.c:92
 call_write_iter include/linux/fs.h:1907 [inline]
 new_sync_write+0x417/0x6c0 fs/read_write.c:484
 vfs_write+0x18b/0x490 fs/read_write.c:559
 ksys_write+0xec/0x1c0 fs/read_write.c:612
 do_syscall_64+0xc6/0x620 arch/x86/entry/common.c:295
 entry_SYSCALL_64_after_hwframe+0x49/0xb3
RIP: 0033:0x45cc79
Code: 2d b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb b5 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f1e56cf5c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00000000000382c0 RCX: 000000000045cc79
RDX: 0000000000000010 RSI: 0000000020000040 RDI: 0000000000000003
RBP: 000000000078bf40 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000078bf0c
R13: 00007fff8304eccf R14: 00007f1e56cf69c0 R15: 000000000078bf0c

Allocated by task 8460:
 save_stack+0x19/0x40 mm/kasan/common.c:49
 set_track mm/kasan/common.c:57 [inline]
 __kasan_kmalloc.constprop.17+0xc1/0xd0 mm/kasan/common.c:495
 __do_kmalloc mm/slab.c:3656 [inline]
 __kmalloc+0x164/0x7b0 mm/slab.c:3665
 kmalloc include/linux/slab.h:560 [inline]
 kzalloc include/linux/slab.h:669 [inline]
 qrtr_tun_write_iter+0x84/0x120 net/qrtr/tun.c:83
 call_write_iter include/linux/fs.h:1907 [inline]
 new_sync_write+0x417/0x6c0 fs/read_write.c:484
 vfs_write+0x18b/0x490 fs/read_write.c:559
 ksys_write+0xec/0x1c0 fs/read_write.c:612
 do_syscall_64+0xc6/0x620 arch/x86/entry/common.c:295
 entry_SYSCALL_64_after_hwframe+0x49/0xb3

Freed by task 4115:
 save_stack+0x19/0x40 mm/kasan/common.c:49
 set_track mm/kasan/common.c:57 [inline]
 kasan_set_free_info mm/kasan/common.c:317 [inline]
 __kasan_slab_free+0xf7/0x140 mm/kasan/common.c:456
 __cache_free mm/slab.c:3426 [inline]
 kfree+0x107/0x2b0 mm/slab.c:3757
 tomoyo_check_open_permission+0x15f/0x300 security/tomoyo/file.c:786
 security_file_open+0x3f/0x320 security/security.c:1548
 do_dentry_open+0x2d7/0x1050 fs/open.c:784
 do_open fs/namei.c:3229 [inline]
 path_openat+0xd15/0x21c0 fs/namei.c:3346
 do_filp_open+0x171/0x240 fs/namei.c:3373
 do_sys_openat2+0x2dc/0x500 fs/open.c:1148
 do_sys_open+0x85/0xd0 fs/open.c:1164
 do_syscall_64+0xc6/0x620 arch/x86/entry/common.c:295
 entry_SYSCALL_64_after_hwframe+0x49/0xb3

The buggy address belongs to the object at ffff8880a7f46a00
 which belongs to the cache kmalloc-32 of size 32
The buggy address is located 16 bytes inside of
 32-byte region [ffff8880a7f46a00, ffff8880a7f46a20)
The buggy address belongs to the page:
page:ffffea00029fd180 refcount:1 mapcount:0 mapping:00000000d99ace5e index:0xffff8880a7f46fc1
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea0002682648 ffffea00029a75c8 ffff8880aa4001c0
raw: ffff8880a7f46fc1 ffff8880a7f46000 000000010000003f 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880a7f46900: 00 03 fc fc fc fc fc fc 00 01 fc fc fc fc fc fc
 ffff8880a7f46980: fb fb fb fb fc fc fc fc 00 00 01 fc fc fc fc fc
>ffff8880a7f46a00: 00 00 fc fc fc fc fc fc fb fb fb fb fc fc fc fc
                         ^
 ffff8880a7f46a80: 00 00 01 fc fc fc fc fc 06 fc fc fc fc fc fc fc
 ffff8880a7f46b00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
==================================================================