bisecting cause commit starting from 83bdc7275e6206f560d247be856bceba3e1ed8f2
building syzkaller on 8df85ed9883abc2a200858f44f22c11c602d218a
testing commit 83bdc7275e6206f560d247be856bceba3e1ed8f2 with gcc (GCC) 8.1.0
kernel signature: 71adec3f5206924b7a77310591043c916ebc8db4f156c2df30b76ed9552e4d95
all runs: crashed: INFO: trying to register non-static key in skb_dequeue
testing release v5.7
testing commit 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162 with gcc (GCC) 8.1.0
kernel signature: a800dd1374c96f1f474cb6210c5a925919bd0c10d45a8f10c2191c3cccd2f43a
all runs: crashed: INFO: trying to register non-static key in skb_dequeue
testing release v5.6
testing commit 7111951b8d4973bda27ff663f2cf18b663d15b48 with gcc (GCC) 8.1.0
kernel signature: 6a6ed0e48b72ea9cea866d98d39d45bbca9e607cd3a5c1a32ad6605750f99652
all runs: crashed: INFO: trying to register non-static key in skb_dequeue
testing release v5.5
testing commit d5226fa6dbae0569ee43ecfc08bdcd6770fc4755 with gcc (GCC) 8.1.0
kernel signature: 9fe715b2e4deeb48b153108b57fb5220131d1986068ce4d2ace29d8c11177a5d
all runs: crashed: INFO: trying to register non-static key in skb_dequeue
testing release v5.4
testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0
kernel signature: ef4056a58fdaeb59e319ccf724bd17c1cf48c3f1aa761609543ce0c6e2b2e79e
all runs: crashed: INFO: trying to register non-static key in skb_dequeue
testing release v5.3
testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.1.0
kernel signature: 3162dc6fa059552a9696d434b07a2bcf2f3074a6a4d77e4dfb9f95741867cf0d
all runs: OK
# git bisect start 219d54332a09e8d8741c1e1982f5eae56099de85 4d856f72c10ecb060868ed10ff1b1453943fc6c8
Bisecting: 7882 revisions left to test after this (roughly 13 steps)
[a9f8b38a071b468276a243ea3ea5a0636e848cf2] Merge tag 'for-linus-5.4-1' of git://github.com/cminyard/linux-ipmi
testing commit a9f8b38a071b468276a243ea3ea5a0636e848cf2 with gcc (GCC) 8.1.0
kernel signature: 3d18764cec8c90155ae6959bf584d1992514831ff2390f6568b18c3568b523be
all runs: crashed: INFO: trying to register non-static key in skb_dequeue
# git bisect bad a9f8b38a071b468276a243ea3ea5a0636e848cf2
Bisecting: 3920 revisions left to test after this (roughly 12 steps)
[fe38bd6862074c0a2b9be7f31f043aaa70b2af5f] Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm
testing commit fe38bd6862074c0a2b9be7f31f043aaa70b2af5f with gcc (GCC) 8.1.0
kernel signature: d691ce9cefc8e2c0df78ab988589e32cf26c1b362672a357274eebef84b16eac
all runs: OK
# git bisect good fe38bd6862074c0a2b9be7f31f043aaa70b2af5f
Bisecting: 1962 revisions left to test after this (roughly 11 steps)
[069841ef8293697e951c34f9a45601b77fb541d7] Merge branch '40GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/jkirsher/next-queue
testing commit 069841ef8293697e951c34f9a45601b77fb541d7 with gcc (GCC) 8.1.0
kernel signature: 2cb50a5f29e6a3f5f66b871ebfa044427de332622050754edc5b8d09b3ec759f
all runs: crashed: INFO: trying to register non-static key in skb_dequeue
# git bisect bad 069841ef8293697e951c34f9a45601b77fb541d7
Bisecting: 978 revisions left to test after this (roughly 10 steps)
[f33bf6b00f20c9d26c42dfdaf8b83c2b0c1e6f71] net: stmmac: dwmac-meson: use devm_platform_ioremap_resource() to simplify code
testing commit f33bf6b00f20c9d26c42dfdaf8b83c2b0c1e6f71 with gcc (GCC) 8.1.0
kernel signature: d59f696eaac3cf2edc1b97232ab847897556b9a84aca01454b46b8a621119233
all runs: crashed: INFO: trying to register non-static key in skb_dequeue
# git bisect bad f33bf6b00f20c9d26c42dfdaf8b83c2b0c1e6f71
Bisecting: 489 revisions left to test after this (roughly 9 steps)
[16e9b481e988b1f7e6df2243bb510e1c9b581272] nfp: no need to check return value of debugfs_create functions
testing commit 16e9b481e988b1f7e6df2243bb510e1c9b581272 with gcc (GCC) 8.1.0
kernel signature: fa2bd6e6bc279006253de6269c4089cbf55c69b211969f9351b388bc1dff8c86
all runs: OK
# git bisect good 16e9b481e988b1f7e6df2243bb510e1c9b581272
Bisecting: 244 revisions left to test after this (roughly 8 steps)
[a4d2113e46c1d2ded1bfed9a19fe17b5ab2d584c] ipvlan: set hw_enc_features like macvlan
testing commit a4d2113e46c1d2ded1bfed9a19fe17b5ab2d584c with gcc (GCC) 8.1.0
kernel signature: 5aaa6c720a5e473d34eb62ea0c42e22136a48e966af707900436a26eb49ee747
all runs: crashed: INFO: trying to register non-static key in skb_dequeue
# git bisect bad a4d2113e46c1d2ded1bfed9a19fe17b5ab2d584c
Bisecting: 122 revisions left to test after this (roughly 7 steps)
[043b8413e8c0c0ffbf8be268eb73716e05a96064] net: devlink: remove redundant rtnl lock assert
testing commit 043b8413e8c0c0ffbf8be268eb73716e05a96064 with gcc (GCC) 8.1.0
kernel signature: 97034dde41ae31de3a763582a78149c17c39ac4ef7fb9dab28463c53ab047a37
all runs: OK
# git bisect good 043b8413e8c0c0ffbf8be268eb73716e05a96064
Bisecting: 68 revisions left to test after this (roughly 6 steps)
[8d73f8f23e6b869b726cb01dd4747f56dc88660a] page_pool: fix logic in __page_pool_get_cached
testing commit 8d73f8f23e6b869b726cb01dd4747f56dc88660a with gcc (GCC) 8.1.0
kernel signature: 918b6edac23d3071868185227607634dad64c65989378baa959304641ecad48a
all runs: crashed: INFO: trying to register non-static key in skb_dequeue
# git bisect bad 8d73f8f23e6b869b726cb01dd4747f56dc88660a
Bisecting: 25 revisions left to test after this (roughly 5 steps)
[c162610c7db2e9611a7b3ec806f9c97fcfec0b0b] Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next
testing commit c162610c7db2e9611a7b3ec806f9c97fcfec0b0b with gcc (GCC) 8.1.0
kernel signature: 4298e41845012acbe23da0a30e47b6038900616fc1b91d5732d181b4d31ad17e
all runs: crashed: INFO: trying to register non-static key in skb_dequeue
# git bisect bad c162610c7db2e9611a7b3ec806f9c97fcfec0b0b
Bisecting: 13 revisions left to test after this (roughly 4 steps)
[2a475c409fe81a76fb26a6b023509d648237bbe6] kbuild: remove all netfilter headers from header-test blacklist.
testing commit 2a475c409fe81a76fb26a6b023509d648237bbe6 with gcc (GCC) 8.1.0
kernel signature: ca7583b8218b61988102d39796548c26fb7c78527dc57158eb91bf9f7c8a66f3
all runs: boot failed: general protection fault in dma_direct_max_mapping_size
# git bisect skip 2a475c409fe81a76fb26a6b023509d648237bbe6
Bisecting: 13 revisions left to test after this (roughly 4 steps)
[65b27995a4ab8fc51b4adc6b4dcdca20f7a595bb] net: phy: let phy_speed_down/up support speeds >1Gbps
testing commit 65b27995a4ab8fc51b4adc6b4dcdca20f7a595bb with gcc (GCC) 8.1.0
kernel signature: ceeb894f78b24dab86eeb0290358876a70d14b6d3c71e7ce23dd3f0fba47e975
run #0: OK
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: crashed: KASAN: use-after-free Read in __queue_work
run #9: OK
# git bisect bad 65b27995a4ab8fc51b4adc6b4dcdca20f7a595bb
Bisecting: 0 revisions left to test after this (roughly 1 step)
[331c56ac73846fa267c04ee6aa9a00bb5fed9440] net: phy: add phy_speed_down_core and phy_resolve_min_speed
testing commit 331c56ac73846fa267c04ee6aa9a00bb5fed9440 with gcc (GCC) 8.1.0
kernel signature: 4e6d62eaa13bd93ce108bff98f8dc84185ebd5c2ec39f9f3d8672920dae8ace9
all runs: OK
# git bisect good 331c56ac73846fa267c04ee6aa9a00bb5fed9440
65b27995a4ab8fc51b4adc6b4dcdca20f7a595bb is the first bad commit
commit 65b27995a4ab8fc51b4adc6b4dcdca20f7a595bb
Author: Heiner Kallweit
Date:   Mon Aug 12 23:52:19 2019 +0200

    net: phy: let phy_speed_down/up support speeds >1Gbps

    So far phy_speed_down/up can be used up to 1Gbps only. Remove this
    restriction by using new helper __phy_speed_down. New member adv_old
    in struct phy_device is used by phy_speed_up to restore the advertised
    modes before calling phy_speed_down. Don't simply advertise what is
    supported because a user may have intentionally removed modes from
    advertisement.

    Signed-off-by: Heiner Kallweit
    Reviewed-by: Andrew Lunn
    Signed-off-by: Jakub Kicinski

 drivers/net/phy/phy.c | 60 ++++++++++++++-------------------------------------
 include/linux/phy.h   |  2 ++
 2 files changed, 18 insertions(+), 44 deletions(-)
culprit signature: ceeb894f78b24dab86eeb0290358876a70d14b6d3c71e7ce23dd3f0fba47e975
parent signature: 4e6d62eaa13bd93ce108bff98f8dc84185ebd5c2ec39f9f3d8672920dae8ace9
revisions tested: 18, total time: 3h48m10.218471051s (build: 1h52m37.011909006s, test: 1h53m34.55601093s)
first bad commit: 65b27995a4ab8fc51b4adc6b4dcdca20f7a595bb net: phy: let phy_speed_down/up support speeds >1Gbps
recipients (to): ["andrew@lunn.ch" "hkallweit1@gmail.com" "jakub.kicinski@netronome.com"]
recipients (cc): []
crash: KASAN: use-after-free Read in __queue_work
Bluetooth: hci5: command 0x0405 tx timeout
==================================================================
BUG: KASAN: use-after-free in __queue_work+0xb52/0xee0 kernel/workqueue.c:1414
Read of size 4 at addr ffff888095483e40 by task kworker/1:62/2600

CPU: 1 PID: 2600 Comm: kworker/1:62 Not tainted 5.3.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events hci_cmd_timeout
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x165/0x21a lib/dump_stack.c:113
 print_address_description.cold.4+0x9/0x327 mm/kasan/report.c:351
 __kasan_report.cold.5+0x1b/0x40 mm/kasan/report.c:482
 kasan_report+0x12/0x17 mm/kasan/common.c:612
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/generic_report.c:131
 __queue_work+0xb52/0xee0 kernel/workqueue.c:1414
 queue_work_on+0x150/0x190 kernel/workqueue.c:1518
 queue_work include/linux/workqueue.h:490 [inline]
 hci_cmd_timeout+0x196/0x200 net/bluetooth/hci_core.c:2626
 process_one_work+0x7d2/0x1560 kernel/workqueue.c:2269
 worker_thread+0x85/0xb60 kernel/workqueue.c:2415
 kthread+0x331/0x3f0 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Allocated by task 6939:
 save_stack mm/kasan/common.c:69 [inline]
 set_track mm/kasan/common.c:77 [inline]
 __kasan_kmalloc.part.0+0x44/0xc0 mm/kasan/common.c:487
 __kasan_kmalloc.constprop.1+0xb1/0xc0 mm/kasan/common.c:468
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:501
 __do_kmalloc mm/slab.c:3655 [inline]
 __kmalloc+0x16b/0x410 mm/slab.c:3664
 kmalloc include/linux/slab.h:557 [inline]
 kzalloc include/linux/slab.h:748 [inline]
 alloc_workqueue+0x10b/0xca0 kernel/workqueue.c:4238
 hci_register_dev+0x177/0x7d0 net/bluetooth/hci_core.c:3288
 __vhci_create_device+0x265/0x530 drivers/bluetooth/hci_vhci.c:124
 vhci_create_device drivers/bluetooth/hci_vhci.c:148 [inline]
 vhci_open_timeout+0x34/0x50 drivers/bluetooth/hci_vhci.c:304
 process_one_work+0x7d2/0x1560 kernel/workqueue.c:2269
 worker_thread+0x85/0xb60 kernel/workqueue.c:2415
 kthread+0x331/0x3f0 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Freed by task 17198:
 save_stack mm/kasan/common.c:69 [inline]
 set_track mm/kasan/common.c:77 [inline]
 __kasan_slab_free+0x11a/0x1e0 mm/kasan/common.c:449
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:457
 __cache_free mm/slab.c:3425 [inline]
 kfree+0x104/0x2d0 mm/slab.c:3756
 rcu_free_wq+0xd6/0x130 kernel/workqueue.c:3490
 __rcu_reclaim kernel/rcu/rcu.h:222 [inline]
 rcu_do_batch kernel/rcu/tree.c:2114 [inline]
 rcu_core+0x66e/0x14d0 kernel/rcu/tree.c:2314
 rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2323
 __do_softirq+0x264/0x9a6 kernel/softirq.c:292

The buggy address belongs to the object at ffff888095483cc0
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 384 bytes inside of
 512-byte region [ffff888095483cc0, ffff888095483ec0)
The buggy address belongs to the page:
page:ffffea00025520c0 refcount:1 mapcount:0 mapping:ffff8880aa400a80 index:0xffff888095483a40
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea000227d808 ffffea00024fa488 ffff8880aa400a80
raw: ffff888095483a40 ffff888095483040 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888095483d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888095483d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888095483e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                           ^
 ffff888095483e80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff888095483f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================