bisecting cause commit starting from f2e19fd15bd7cba347ce50be71955f5cd28a6019 building syzkaller on 83f5c9b5f8b0305fc61522640ce31465ec14c81f testing commit f2e19fd15bd7cba347ce50be71955f5cd28a6019 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 58d58a075f2f88165983b1459f84771598aaa79fe4392c2681042a7438562c86 all runs: crashed: KASAN: use-after-free Read in sixpack_close testing release v5.15 testing commit 8bb7eca972ad531c9b149c0a51ab43a417385813 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: fda635a039ec7a6b34b70166e431bc918c49571dab4b08bbf4dfbb4a20b5b507 all runs: OK # git bisect start f2e19fd15bd7cba347ce50be71955f5cd28a6019 8bb7eca972ad531c9b149c0a51ab43a417385813 Bisecting: 7050 revisions left to test after this (roughly 13 steps) [dcd68326d29b62f3039e4f4d23d3e38f24d37360] Merge tag 'devicetree-for-5.16' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux testing commit dcd68326d29b62f3039e4f4d23d3e38f24d37360 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 3e2761a79b9d8fa0010ca8a5e0ee15c4680f04ecd0b1f9c385ce67b48d33cce1 all runs: OK # git bisect good dcd68326d29b62f3039e4f4d23d3e38f24d37360 Bisecting: 3500 revisions left to test after this (roughly 12 steps) [5c0b0c676ac2d84f69568715af91e45b610fe17a] Merge tag 'powerpc-5.16-1' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux testing commit 5c0b0c676ac2d84f69568715af91e45b610fe17a compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 90927cb778ba591be77a523dbd67af8dee66f3adf55ca3d6dace3f0a075d6a0f all runs: OK # git bisect good 5c0b0c676ac2d84f69568715af91e45b610fe17a Bisecting: 1753 revisions left to test after this (roughly 11 steps) [d4efc0de00fc10a805ce991ceb6a94ed837a6e71] Merge tag 'tag-chrome-platform-for-v5.16' of git://git.kernel.org/pub/scm/linux/kernel/git/chrome-platform/linux testing commit d4efc0de00fc10a805ce991ceb6a94ed837a6e71 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 162f138a23b7173f61480f157dd0cd93cfbd5e1a352a951f7fc18b4ba41bb87c all runs: OK # git bisect good d4efc0de00fc10a805ce991ceb6a94ed837a6e71 Bisecting: 878 revisions left to test after this (roughly 10 steps) [71b79d5016f4afb650daa79041a9c98809564aac] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/gfs2/linux-gfs2.git testing commit 71b79d5016f4afb650daa79041a9c98809564aac compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: b67e450f8a09d431bb49a0e252ba87396e9519d0825defadcc9b17b7481fd0c1 all runs: crashed: KASAN: use-after-free Read in sixpack_close # git bisect bad 71b79d5016f4afb650daa79041a9c98809564aac Bisecting: 438 revisions left to test after this (roughly 9 steps) [c6f8d12138a6a7abc903b356f8dde762edbb12f5] Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound.git testing commit c6f8d12138a6a7abc903b356f8dde762edbb12f5 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: f2bdc0240d60da590f3a1ce75494f4bb8fc6b8f0729df29dfda43a4bcc0971fa all runs: crashed: KASAN: use-after-free Read in sixpack_close # git bisect bad c6f8d12138a6a7abc903b356f8dde762edbb12f5 Bisecting: 213 revisions left to test after this (roughly 8 steps) [2ec20f489591962db8ff1718aa6055c08d88d0cc] Merge tag 'nfs-for-5.16-1' of git://git.linux-nfs.org/projects/trondmy/linux-nfs testing commit 2ec20f489591962db8ff1718aa6055c08d88d0cc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 3df7d2a3d7980aeaaad541bcfbb82ba178bd9add12c36688f11f325e1ba331ab all runs: OK # git bisect good 2ec20f489591962db8ff1718aa6055c08d88d0cc Bisecting: 106 revisions left to test after this (roughly 7 steps) [dc2fc9f03c5c410d8f01c2206b3d529f80b13733] net: dsa: mv88e6xxx: Don't support >1G speeds on 6191X on ports other than 10 testing commit dc2fc9f03c5c410d8f01c2206b3d529f80b13733 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 1be7f1c706bbb37abfbc94ac711475cb70fd84db0d78cb710282fdb7c15ac10a all runs: crashed: KASAN: use-after-free Read in sixpack_close # git bisect bad dc2fc9f03c5c410d8f01c2206b3d529f80b13733 Bisecting: 53 revisions left to test after this (roughly 6 steps) [6789a4c05127d3f9257db6767fd7ede614e0241f] net: ax88796c: hide ax88796c_dt_ids if !CONFIG_OF testing commit 6789a4c05127d3f9257db6767fd7ede614e0241f compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 0dfc157e12d91e7349c63f0763508eb2b06a151760c09b0ab3c4967e1cf956d2 all runs: OK # git bisect good 6789a4c05127d3f9257db6767fd7ede614e0241f Bisecting: 26 revisions left to test after this (roughly 5 steps) [3f1c7aa28498e52a5e6aa2f1b89bf35c63352cfd] can: peak_usb: always ask for BERR reporting for PCAN-USB devices testing commit 3f1c7aa28498e52a5e6aa2f1b89bf35c63352cfd compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: fb76360b069a8b4f5eb17e08e2eee285617913110711f53fa71d2e0feec7c83b all runs: OK # git bisect good 3f1c7aa28498e52a5e6aa2f1b89bf35c63352cfd Bisecting: 13 revisions left to test after this (roughly 4 steps) [54f0bad6686cdc50a3f4c5f7c4252c5018511459] net: sungem_phy: fix code indentation testing commit 54f0bad6686cdc50a3f4c5f7c4252c5018511459 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: e383f0766bd8ce0052185f4863eb1b827a4690d9fbdd8be0ca411bac0ead3ada all runs: OK # git bisect good 54f0bad6686cdc50a3f4c5f7c4252c5018511459 Bisecting: 6 revisions left to test after this (roughly 3 steps) [e0dc3b93bd7bcff8c3813d1df43e0908499c7cf0] bpf: sockmap, strparser, and tls are reusing qdisc_skb_cb and colliding testing commit e0dc3b93bd7bcff8c3813d1df43e0908499c7cf0 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 358e48bafa1d1112ac2f6806be8a6abbb31541a90dac366649fc3001541134eb all runs: OK # git bisect good e0dc3b93bd7bcff8c3813d1df43e0908499c7cf0 Bisecting: 3 revisions left to test after this (roughly 2 steps) [1c360cc1cc883fbdf0a258b4df376571fbeac5ee] gve: Fix off by one in gve_tx_timeout() testing commit 1c360cc1cc883fbdf0a258b4df376571fbeac5ee compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 4c99403387faacf62d4f12001fee2d220172924c8c5e258f86ff3b68a40e0e70 all runs: crashed: KASAN: use-after-free Read in sixpack_close # git bisect bad 1c360cc1cc883fbdf0a258b4df376571fbeac5ee Bisecting: 0 revisions left to test after this (roughly 1 step) [0b9111922b1f399aba6ed1e1b8f2079c3da1aed8] hamradio: defer 6pack kfree after unregister_netdev testing commit 0b9111922b1f399aba6ed1e1b8f2079c3da1aed8 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 6d7698447bb3b7d46f973d09f813e5f7dedc2b5110d006be5df7fbc6d51907e3 all runs: crashed: KASAN: use-after-free Read in sixpack_close # git bisect bad 0b9111922b1f399aba6ed1e1b8f2079c3da1aed8 Bisecting: 0 revisions left to test after this (roughly 0 steps) [3e0588c291d6ce225f2b891753ca41d45ba42469] hamradio: defer ax25 kfree after unregister_netdev testing commit 3e0588c291d6ce225f2b891753ca41d45ba42469 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 9b6c4b5c36465540b3d7fedf08dd4c7ecdec30059be0c4d6451db9ebe5af43ae all runs: OK # git bisect good 3e0588c291d6ce225f2b891753ca41d45ba42469 0b9111922b1f399aba6ed1e1b8f2079c3da1aed8 is the first bad commit commit 0b9111922b1f399aba6ed1e1b8f2079c3da1aed8 Author: Lin Ma Date: Mon Nov 8 18:37:59 2021 +0800 hamradio: defer 6pack kfree after unregister_netdev There is a possible race condition (use-after-free) like below (USE) | (FREE) dev_queue_xmit | __dev_queue_xmit | __dev_xmit_skb | sch_direct_xmit | ... xmit_one | netdev_start_xmit | tty_ldisc_kill __netdev_start_xmit | 6pack_close sp_xmit | kfree sp_encaps | | According to the patch "defer ax25 kfree after unregister_netdev", this patch reorder the kfree after the unregister_netdev to avoid the possible UAF as the unregister_netdev() is well synchronized and won't return if there is a running routine. Signed-off-by: Lin Ma Signed-off-by: David S. Miller drivers/net/hamradio/6pack.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) culprit signature: 6d7698447bb3b7d46f973d09f813e5f7dedc2b5110d006be5df7fbc6d51907e3 parent signature: 9b6c4b5c36465540b3d7fedf08dd4c7ecdec30059be0c4d6451db9ebe5af43ae revisions tested: 16, total time: 3h32m49.612232293s (build: 1h42m2.540525521s, test: 1h49m16.299952185s) first bad commit: 0b9111922b1f399aba6ed1e1b8f2079c3da1aed8 hamradio: defer 6pack kfree after unregister_netdev recipients (to): ["ajk@comnets.uni-bremen.de" "davem@davemloft.net" "davem@davemloft.net" "kuba@kernel.org" "linma@zju.edu.cn" "linux-hams@vger.kernel.org" "netdev@vger.kernel.org"] recipients (cc): ["linux-kernel@vger.kernel.org"] crash: KASAN: use-after-free Read in sixpack_close ================================================================== BUG: KASAN: use-after-free in sixpack_close+0x1e8/0x220 drivers/net/hamradio/6pack.c:678 Read of size 8 at addr ffff888076cd6c90 by task syz-executor.4/9043 CPU: 0 PID: 9043 Comm: syz-executor.4 Not tainted 5.15.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x57/0x7d lib/dump_stack.c:106 print_address_description.constprop.0.cold+0x6c/0x309 mm/kasan/report.c:256 __kasan_report mm/kasan/report.c:442 [inline] kasan_report.cold+0x83/0xdf mm/kasan/report.c:459 sixpack_close+0x1e8/0x220 drivers/net/hamradio/6pack.c:678 tty_ldisc_kill+0x73/0x110 drivers/tty/tty_ldisc.c:629 tty_ldisc_release+0xd7/0x1b0 drivers/tty/tty_ldisc.c:803 tty_release_struct+0x10/0xd0 drivers/tty/tty_io.c:1706 tty_release+0xa06/0xf80 drivers/tty/tty_io.c:1878 __fput+0x204/0x8d0 fs/file_table.c:280 task_work_run+0xc0/0x160 kernel/task_work.c:164 tracehook_notify_resume include/linux/tracehook.h:189 [inline] exit_to_user_mode_loop kernel/entry/common.c:175 [inline] exit_to_user_mode_prepare+0x27e/0x290 kernel/entry/common.c:207 __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline] syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:300 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f34ea9cf72b Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44 RSP: 002b:00007fff3d935a60 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00007f34ea9cf72b RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000003 RBP: 0000000000000001 R08: 0000000000000000 R09: 0000001b31220038 R10: 0000000000000000 R11: 0000000000000293 R12: 00007f34eab30b60 R13: 00007f34eab30b60 R14: 00007f34eab2ff60 R15: 000000000000edb4 Allocated by task 9044: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 kasan_set_track mm/kasan/common.c:46 [inline] set_alloc_info mm/kasan/common.c:434 [inline] ____kasan_kmalloc mm/kasan/common.c:513 [inline] ____kasan_kmalloc mm/kasan/common.c:472 [inline] __kasan_kmalloc+0xa4/0xd0 mm/kasan/common.c:522 kvmalloc include/linux/mm.h:800 [inline] kvzalloc include/linux/mm.h:808 [inline] alloc_netdev_mqs+0x5a/0xda0 net/core/dev.c:10825 sixpack_open+0xde/0xa00 drivers/net/hamradio/6pack.c:558 tty_ldisc_open+0x73/0xc0 drivers/tty/tty_ldisc.c:449 tty_set_ldisc+0x277/0x5a0 drivers/tty/tty_ldisc.c:579 tiocsetd drivers/tty/tty_io.c:2455 [inline] tty_ioctl+0x9ed/0x12d0 drivers/tty/tty_io.c:2741 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:874 [inline] __se_sys_ioctl fs/ioctl.c:860 [inline] __x64_sys_ioctl+0x11f/0x190 fs/ioctl.c:860 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae Freed by task 9043: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 kasan_set_track+0x1c/0x30 mm/kasan/common.c:46 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:360 ____kasan_slab_free mm/kasan/common.c:366 [inline] ____kasan_slab_free mm/kasan/common.c:328 [inline] __kasan_slab_free+0xff/0x130 mm/kasan/common.c:374 kasan_slab_free include/linux/kasan.h:235 [inline] slab_free_hook mm/slub.c:1700 [inline] slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1726 slab_free mm/slub.c:3492 [inline] kfree+0xf3/0x550 mm/slub.c:4552 device_release+0x93/0x200 drivers/base/core.c:2232 kobject_cleanup lib/kobject.c:705 [inline] kobject_release lib/kobject.c:736 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0x139/0x410 lib/kobject.c:753 netdev_run_todo+0x63b/0x910 net/core/dev.c:10635 sixpack_close+0x140/0x220 drivers/net/hamradio/6pack.c:675 tty_ldisc_kill+0x73/0x110 drivers/tty/tty_ldisc.c:629 tty_ldisc_release+0xd7/0x1b0 drivers/tty/tty_ldisc.c:803 tty_release_struct+0x10/0xd0 drivers/tty/tty_io.c:1706 tty_release+0xa06/0xf80 drivers/tty/tty_io.c:1878 __fput+0x204/0x8d0 fs/file_table.c:280 task_work_run+0xc0/0x160 kernel/task_work.c:164 tracehook_notify_resume include/linux/tracehook.h:189 [inline] exit_to_user_mode_loop kernel/entry/common.c:175 [inline] exit_to_user_mode_prepare+0x27e/0x290 kernel/entry/common.c:207 __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline] syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:300 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x44/0xae The buggy address belongs to the object at ffff888076cd6000 which belongs to the cache kmalloc-cg-4k of size 4096 The buggy address is located 3216 bytes inside of 4096-byte region [ffff888076cd6000, ffff888076cd7000) The buggy address belongs to the page: page:ffffea0001db3400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x76cd0 head:ffffea0001db3400 order:3 compound_mapcount:0 compound_pincount:0 flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000010200 dead000000000100 dead000000000122 ffff88800fc4c280 raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 2919, ts 12355498099, free_ts 9615424194 prep_new_page mm/page_alloc.c:2426 [inline] get_page_from_freelist+0xa6f/0x2f50 mm/page_alloc.c:4155 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5381 alloc_slab_page mm/slub.c:1770 [inline] allocate_slab mm/slub.c:1907 [inline] new_slab+0x319/0x490 mm/slub.c:1970 ___slab_alloc+0x923/0xfe0 mm/slub.c:3001 __slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3088 slab_alloc_node mm/slub.c:3179 [inline] __kmalloc_node+0x2d0/0x370 mm/slub.c:4444 kvmalloc include/linux/mm.h:800 [inline] seq_buf_alloc fs/seq_file.c:38 [inline] seq_read_iter+0x673/0xfe0 fs/seq_file.c:210 call_read_iter include/linux/fs.h:2155 [inline] new_sync_read+0x35d/0x5f0 fs/read_write.c:400 vfs_read+0x265/0x4c0 fs/read_write.c:481 ksys_read+0xf4/0x1d0 fs/read_write.c:619 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1340 [inline] free_pcp_prepare+0x326/0x810 mm/page_alloc.c:1391 free_unref_page_prepare mm/page_alloc.c:3317 [inline] free_unref_page+0x19/0x690 mm/page_alloc.c:3396 free_contig_range+0xa8/0xf0 mm/page_alloc.c:9272 destroy_args+0x7e/0x503 mm/debug_vm_pgtable.c:1016 debug_vm_pgtable+0x1eb8/0x1f3c mm/debug_vm_pgtable.c:1329 do_one_initcall+0xbe/0x440 init/main.c:1295 do_initcall_level init/main.c:1368 [inline] do_initcalls init/main.c:1384 [inline] do_basic_setup init/main.c:1403 [inline] kernel_init_freeable+0x5ab/0x605 init/main.c:1606 kernel_init+0x14/0x120 init/main.c:1497 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 Memory state around the buggy address: ffff888076cd6b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888076cd6c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff888076cd6c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888076cd6d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888076cd6d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================