bisecting fixing commit since c3038e718a19fc596f7b1baba0f83d5146dc7784 building syzkaller on 04ca72cd45348daab9d896bbec8ea4c2d13455ac testing commit c3038e718a19fc596f7b1baba0f83d5146dc7784 with gcc (GCC) 8.1.0 kernel signature: 3ace1a184d2848c829787a830d1c31d845da5f6be4606138fb0ee2ecfc855049 run #0: crashed: WARNING in bpf_prog_kallsyms_find run #1: crashed: WARNING in bpf_prog_kallsyms_find run #2: crashed: BUG: unable to handle kernel paging request in bpf_prog_kallsyms_find run #3: crashed: BUG: unable to handle kernel paging request in bpf_prog_kallsyms_find run #4: crashed: KASAN: use-after-free Read in bpf_prog_kallsyms_find run #5: crashed: BUG: unable to handle kernel paging request in bpf_prog_kallsyms_find run #6: crashed: BUG: unable to handle kernel paging request in bpf_prog_kallsyms_find run #7: crashed: KASAN: use-after-free Read in bpf_prog_kallsyms_find run #8: crashed: BUG: unable to handle kernel paging request in bpf_prog_kallsyms_find run #9: crashed: KASAN: use-after-free Read in bpf_prog_kallsyms_find testing current HEAD 205a42ce2861f2d0dea8eb5090d05262e1cfa049 testing commit 205a42ce2861f2d0dea8eb5090d05262e1cfa049 with gcc (GCC) 8.1.0 kernel signature: d4920f526100ee8cddd0428aa584b16b17abb551d653ffe1d5b1927c2bb345d7 run #0: crashed: BUG: unable to handle kernel paging request in bpf_prog_kallsyms_find run #1: crashed: BUG: unable to handle kernel paging request in bpf_prog_kallsyms_find run #2: crashed: BUG: unable to handle kernel paging request in bpf_prog_kallsyms_find run #3: crashed: KASAN: use-after-free Read in bpf_prog_kallsyms_find run #4: crashed: BUG: unable to handle kernel paging request in bpf_prog_kallsyms_find run #5: crashed: BUG: unable to handle kernel paging request in bpf_prog_kallsyms_find run #6: crashed: BUG: unable to handle kernel paging request in bpf_prog_kallsyms_find run #7: crashed: KASAN: use-after-free Read in bpf_prog_kallsyms_find run #8: crashed: BUG: unable to handle kernel paging request in bpf_prog_kallsyms_find run #9: crashed: KASAN: use-after-free Read in bpf_prog_kallsyms_find revisions tested: 2, total time: 27m52.669146438s (build: 18m25.276044828s, test: 8m3.300316542s) the crash still happens on HEAD commit msg: Linux 4.19.135 crash: KASAN: use-after-free Read in bpf_prog_kallsyms_find ================================================================== BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:193 [inline] BUG: KASAN: use-after-free in __lt_find include/linux/rbtree_latch.h:118 [inline] BUG: KASAN: use-after-free in latch_tree_find include/linux/rbtree_latch.h:208 [inline] BUG: KASAN: use-after-free in bpf_prog_kallsyms_find+0x297/0x2e0 kernel/bpf/core.c:511 Read of size 8 at addr ffff88809b3ac040 by task syz-executor.0/23024 CPU: 1 PID: 23024 Comm: syz-executor.0 Not tainted 4.19.135-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x123/0x177 lib/dump_stack.c:118 print_address_description.cold.8+0x9/0x1ff mm/kasan/report.c:256 kasan_report_error mm/kasan/report.c:354 [inline] kasan_report.cold.9+0x242/0x309 mm/kasan/report.c:412 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433 __read_once_size include/linux/compiler.h:193 [inline] __lt_find include/linux/rbtree_latch.h:118 [inline] latch_tree_find include/linux/rbtree_latch.h:208 [inline] bpf_prog_kallsyms_find+0x297/0x2e0 kernel/bpf/core.c:511 is_bpf_text_address+0x48/0xe0 kernel/bpf/core.c:546 kernel_text_address+0x79/0xf0 kernel/extable.c:152 __kernel_text_address+0xd/0x40 kernel/extable.c:107 unwind_get_return_address+0x61/0xa0 arch/x86/kernel/unwind_frame.c:18 __save_stack_trace+0x9c/0x100 arch/x86/kernel/stacktrace.c:45 save_stack_trace+0x1a/0x20 arch/x86/kernel/stacktrace.c:60 save_stack+0x43/0xd0 mm/kasan/kasan.c:448 set_track mm/kasan/kasan.c:460 [inline] kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:553 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:490 slab_post_alloc_hook mm/slab.h:445 [inline] slab_alloc mm/slab.c:3397 [inline] kmem_cache_alloc+0x11b/0x730 mm/slab.c:3557 anon_vma_chain_alloc mm/rmap.c:129 [inline] anon_vma_clone+0xc3/0x3f0 mm/rmap.c:269 __split_vma+0x137/0x4a0 mm/mmap.c:2637 split_vma+0x75/0xd0 mm/mmap.c:2680 mprotect_fixup+0x695/0x8b0 mm/mprotect.c:451 do_mprotect_pkey+0x403/0x7f0 mm/mprotect.c:589 __do_sys_mprotect mm/mprotect.c:614 [inline] __se_sys_mprotect mm/mprotect.c:611 [inline] __x64_sys_mprotect+0x73/0xb0 mm/mprotect.c:611 do_syscall_64+0xd0/0x4e0 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x45a0b7 Code: 00 00 00 b8 0b 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 1d b5 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 b8 0a 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007ffeb1638778 EFLAGS: 00000246 ORIG_RAX: 000000000000000a RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 000000000045a0b7 RDX: 0000000000000000 RSI: 0000000000001000 RDI: 00007f24393c6000 RBP: 00007ffeb1638860 R08: 0000000000717800 R09: 0000000000717800 R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffeb1638950 R13: 00007f24393e6700 R14: 00007f24393e69c0 R15: 000000000075bf2c Allocated by task 23021: save_stack+0x43/0xd0 mm/kasan/kasan.c:448 set_track mm/kasan/kasan.c:460 [inline] kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:553 kmem_cache_alloc_trace+0x152/0x740 mm/slab.c:3625 kmalloc include/linux/slab.h:515 [inline] kzalloc include/linux/slab.h:709 [inline] bpf_prog_alloc+0x1e7/0x270 kernel/bpf/core.c:90 jit_subprogs kernel/bpf/verifier.c:5849 [inline] fixup_call_args kernel/bpf/verifier.c:5968 [inline] bpf_check+0x3011/0x58a1 kernel/bpf/verifier.c:6375 bpf_prog_load+0xa82/0x1030 kernel/bpf/syscall.c:1445 __do_sys_bpf kernel/bpf/syscall.c:2418 [inline] __se_sys_bpf kernel/bpf/syscall.c:2379 [inline] __x64_sys_bpf+0x254/0x3a0 kernel/bpf/syscall.c:2379 do_syscall_64+0xd0/0x4e0 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 24: save_stack+0x43/0xd0 mm/kasan/kasan.c:448 set_track mm/kasan/kasan.c:460 [inline] __kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528 __cache_free mm/slab.c:3503 [inline] kfree+0xcf/0x220 mm/slab.c:3822 bpf_jit_free+0x6f/0x2a0 bpf_prog_free_deferred+0x15d/0x3a0 kernel/bpf/core.c:1809 process_one_work+0x830/0x1670 kernel/workqueue.c:2155 worker_thread+0x85/0xb60 kernel/workqueue.c:2298 kthread+0x324/0x3e0 kernel/kthread.c:246 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415 The buggy address belongs to the object at ffff88809b3ac000 which belongs to the cache kmalloc-256 of size 256 The buggy address is located 64 bytes inside of 256-byte region [ffff88809b3ac000, ffff88809b3ac100) The buggy address belongs to the page: page:ffffea00026ceb00 count:1 mapcount:0 mapping:ffff88812c31e7c0 index:0x0 flags: 0x1fffc0000000100(slab) raw: 01fffc0000000100 ffffea00026ee708 ffffea000269df88 ffff88812c31e7c0 raw: 0000000000000000 ffff88809b3ac000 000000010000000c 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88809b3abf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88809b3abf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff88809b3ac000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88809b3ac080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88809b3ac100: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00 ==================================================================