bisecting fixing commit since 4938296e03bd227e5020d63d418956fe52baf97c
building syzkaller on 4d1b57d4d1aa7f8938163f8debd9293c062482b0
testing commit 4938296e03bd227e5020d63d418956fe52baf97c
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: dd4ec7bcc5f49f6819808647c4bdaf822b4885eede7835fedd65760ad0dbb9f5
run #0: crashed: KASAN: use-after-free Read in ip_check_mc_rcu
run #1: crashed: KASAN: use-after-free Read in ip_check_mc_rcu
run #2: crashed: KASAN: use-after-free Read in ip_check_mc_rcu
run #3: crashed: KASAN: use-after-free Read in ip_check_mc_rcu
run #4: crashed: KASAN: use-after-free Read in ip_check_mc_rcu
run #5: crashed: KASAN: use-after-free Read in ip_check_mc_rcu
run #6: crashed: KASAN: use-after-free Read in ip_check_mc_rcu
run #7: crashed: KASAN: use-after-free Read in ip_check_mc_rcu
run #8: crashed: KASAN: use-after-free Read in ip_check_mc_rcu
run #9: crashed: KASAN: use-after-free Read in ip_check_mc_rcu
run #10: crashed: KASAN: use-after-free Read in ip_check_mc_rcu
run #11: crashed: KASAN: use-after-free Read in ip_check_mc_rcu
run #12: crashed: KASAN: use-after-free Read in ip_check_mc_rcu
run #13: crashed: KASAN: use-after-free Read in ip_check_mc_rcu
run #14: crashed: KASAN: use-after-free Read in ip_check_mc_rcu
run #15: OK
run #16: OK
run #17: OK
run #18: OK
run #19: OK
testing current HEAD 2950c9c5e0df6bd34af45a5168bbee345e95eae2
testing commit 2950c9c5e0df6bd34af45a5168bbee345e95eae2
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 355a1b7e2148eef22807047b3cd29b7ba17d1d9d850b1972c779e13b2a1f3b30
all runs: OK
# git bisect start 2950c9c5e0df6bd34af45a5168bbee345e95eae2 4938296e03bd227e5020d63d418956fe52baf97c
Bisecting: 332 revisions left to test after this (roughly 8 steps)
[c764cf4c8f93485e38048c91d5c935a3f817f6e2] ASoC: intel: atom: Fix breakage for PCM buffer address setup
testing commit c764cf4c8f93485e38048c91d5c935a3f817f6e2
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: da1190e5cfcc38e8b0a5368f08f818fc46b5652569b3b4bb64727ae7aa3403ed
run #0: crashed: KASAN: use-after-free Read in ip_check_mc_rcu
run #1: crashed: KASAN: use-after-free Read in ip_check_mc_rcu
run #2: crashed: KASAN: use-after-free Read in ip_check_mc_rcu
run #3: crashed: KASAN: use-after-free Read in ip_check_mc_rcu
run #4: OK
run #5: crashed: KASAN: use-after-free Read in ip_check_mc_rcu
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good c764cf4c8f93485e38048c91d5c935a3f817f6e2
Bisecting: 166 revisions left to test after this (roughly 7 steps)
[79aba0ac3df1a604e843780b17c37646e175b4f8] bpf: correct slot_type marking logic to allow more stack slot sharing
testing commit 79aba0ac3df1a604e843780b17c37646e175b4f8
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: f4fe12852cc123868093c9fa9ddf967fcf7b27cc8177d535be142d43d515a693
all runs: OK
# git bisect bad 79aba0ac3df1a604e843780b17c37646e175b4f8
Bisecting: 82 revisions left to test after this (roughly 6 steps)
[cf5b3bd01970a902f25f66704713ae2893898119] s390/cio: add dev_busid sysfs entry for each subchannel
testing commit cf5b3bd01970a902f25f66704713ae2893898119
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: fb118f866a4c3c67b3c9816b9753344129e8f0658e39fa42b74527ba1997153b
all runs: OK
# git bisect bad cf5b3bd01970a902f25f66704713ae2893898119
Bisecting: 41 revisions left to test after this (roughly 5 steps)
[42150e1b46a474541f677c759ac61599277c8a9c] gpu: ipu-v3: Fix i.MX IPU-v3 offset calculations for (semi)planar U/V formats
testing commit 42150e1b46a474541f677c759ac61599277c8a9c
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: ad94aca07fb8f21927a0ff199df7b05f904e5612cda37abff621f9cacb56fffb
run #0: crashed: KASAN: use-after-free Read in ip_check_mc_rcu
run #1: crashed: KASAN: use-after-free Read in ip_check_mc_rcu
run #2: crashed: KASAN: use-after-free Read in ip_check_mc_rcu
run #3: crashed: KASAN: use-after-free Read in ip_check_mc_rcu
run #4: crashed: KASAN: use-after-free Read in ip_check_mc_rcu
run #5: crashed: KASAN: use-after-free Read in ip_check_mc_rcu
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good 42150e1b46a474541f677c759ac61599277c8a9c
Bisecting: 20 revisions left to test after this (roughly 4 steps)
[dd8b408964e77e9b23c4fc6e0cca61bc9345a01f] mm/page_alloc: speed up the iteration of max_order
testing commit dd8b408964e77e9b23c4fc6e0cca61bc9345a01f
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 10bdd49f03defb89b0361126563e74c22b21bd6e91120b98c25c92d411d5821f
all runs: OK
# git bisect bad dd8b408964e77e9b23c4fc6e0cca61bc9345a01f
Bisecting: 10 revisions left to test after this (roughly 3 steps)
[4a3217bba039330f5c489245923f989b43bd94d1] media: stkwebcam: fix memory leak in stk_camera_probe
testing commit 4a3217bba039330f5c489245923f989b43bd94d1
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 2141bca4d4d70b0356fe20bbc9f26a18ae73ac2038e35d6c1c2c81c0bce3cd65
run #0: crashed: KASAN: use-after-free Read in ip_check_mc_rcu
run #1: crashed: KASAN: use-after-free Read in ip_check_mc_rcu
run #2: crashed: KASAN: use-after-free Read in ip_check_mc_rcu
run #3: crashed: KASAN: use-after-free Read in ip_check_mc_rcu
run #4: crashed: KASAN: use-after-free Read in ip_check_mc_rcu
run #5: crashed: KASAN: use-after-free Read in ip_check_mc_rcu
run #6: crashed: KASAN: use-after-free Read in ip_check_mc_rcu
run #7: crashed: KASAN: use-after-free Read in ip_check_mc_rcu
run #8: OK
run #9: OK
# git bisect good 4a3217bba039330f5c489245923f989b43bd94d1
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[69178f2d652e64991dc812be24d0776a731f447d] ipv4/icmp: l3mdev: Perform icmp error route lookup on source device routing table (v2)
testing commit 69178f2d652e64991dc812be24d0776a731f447d
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 49c21420070770e2e57ae85f0b54cfd3dd2a7d56504b4c15e1e271d59aaa42fb
all runs: OK
# git bisect bad 69178f2d652e64991dc812be24d0776a731f447d
Bisecting: 2 revisions left to test after this (roughly 1 step)
[8ba71ffe2a3fb29a1f55f0cad7f2988318dc10f9] ARM: imx: fix missing 3rd argument in macro imx_mmdc_perf_init
testing commit 8ba71ffe2a3fb29a1f55f0cad7f2988318dc10f9
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 2141bca4d4d70b0356fe20bbc9f26a18ae73ac2038e35d6c1c2c81c0bce3cd65
run #0: crashed: KASAN: use-after-free Read in ip_check_mc_rcu
run #1: crashed: KASAN: use-after-free Read in ip_check_mc_rcu
run #2: crashed: KASAN: use-after-free Read in ip_check_mc_rcu
run #3: crashed: KASAN: use-after-free Read in ip_check_mc_rcu
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
reproducer seems to be flaky
# git bisect good 8ba71ffe2a3fb29a1f55f0cad7f2988318dc10f9
Bisecting: 0 revisions left to test after this (roughly 1 step)
[f4b606f708379d10ea822bde217bdf338a94d096] USB: serial: mos7720: improve OOM-handling in read_mos_reg()
testing commit f4b606f708379d10ea822bde217bdf338a94d096
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: e4f8f9d541fa47dfb3a1d72bbdf7b6fbed3f9ca9547fffeb9fc5c808a73e7c67
all runs: OK
# git bisect bad f4b606f708379d10ea822bde217bdf338a94d096
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[4768973dffed4d0126854514335ed4fe87bec1ab] igmp: Add ip_mc_list lock in ip_check_mc_rcu
testing commit 4768973dffed4d0126854514335ed4fe87bec1ab
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: e755e9bb710fb4cd9449a6f206ab93063ad67c1c3be8076cde93cfc4a6c6f566
all runs: OK
# git bisect bad 4768973dffed4d0126854514335ed4fe87bec1ab
4768973dffed4d0126854514335ed4fe87bec1ab is the first bad commit
commit 4768973dffed4d0126854514335ed4fe87bec1ab
Author: Liu Jian
Date:   Fri Jul 16 12:06:17 2021 +0800

    igmp: Add ip_mc_list lock in ip_check_mc_rcu

    commit 23d2b94043ca8835bd1e67749020e839f396a1c2 upstream.

    I got below panic when doing fuzz test:

    Kernel panic - not syncing: panic_on_warn set ...
    CPU: 0 PID: 4056 Comm: syz-executor.3 Tainted: G B 5.14.0-rc1-00195-gcff5c4254439-dirty #2
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
    Call Trace:
     dump_stack_lvl+0x7a/0x9b
     panic+0x2cd/0x5af
     end_report.cold+0x5a/0x5a
     kasan_report+0xec/0x110
     ip_check_mc_rcu+0x556/0x5d0
     __mkroute_output+0x895/0x1740
     ip_route_output_key_hash_rcu+0x2d0/0x1050
     ip_route_output_key_hash+0x182/0x2e0
     ip_route_output_flow+0x28/0x130
     udp_sendmsg+0x165d/0x2280
     udpv6_sendmsg+0x121e/0x24f0
     inet6_sendmsg+0xf7/0x140
     sock_sendmsg+0xe9/0x180
     ____sys_sendmsg+0x2b8/0x7a0
     ___sys_sendmsg+0xf0/0x160
     __sys_sendmmsg+0x17e/0x3c0
     __x64_sys_sendmmsg+0x9e/0x100
     do_syscall_64+0x3b/0x90
     entry_SYSCALL_64_after_hwframe+0x44/0xae
    RIP: 0033:0x462eb9
    Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
    RSP: 002b:00007f3df5af1c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
    RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462eb9
    RDX: 0000000000000312 RSI: 0000000020001700 RDI: 0000000000000007
    RBP: 0000000000000004 R08: 0000000000000000 R09: 0000000000000000
    R10: 0000000000000000 R11: 0000000000000246 R12: 00007f3df5af26bc
    R13: 00000000004c372d R14: 0000000000700b10 R15: 00000000ffffffff

    It is one use-after-free in ip_check_mc_rcu.
    In ip_mc_del_src, the ip_sf_list of pmc has been freed under pmc->lock protection.
    But access to ip_sf_list in ip_check_mc_rcu is not protected by the lock.

    Signed-off-by: Liu Jian
    Signed-off-by: David S. Miller
    Signed-off-by: Lee Jones
    Signed-off-by: Greg Kroah-Hartman

 net/ipv4/igmp.c | 2 ++
 1 file changed, 2 insertions(+)

culprit signature: e755e9bb710fb4cd9449a6f206ab93063ad67c1c3be8076cde93cfc4a6c6f566
parent signature: 2141bca4d4d70b0356fe20bbc9f26a18ae73ac2038e35d6c1c2c81c0bce3cd65
Reproducer flagged being flaky
revisions tested: 12, total time: 3h41m9.977135643s (build: 1h54m23.127545098s, test: 1h45m21.109790581s)
first good commit: 4768973dffed4d0126854514335ed4fe87bec1ab igmp: Add ip_mc_list lock in ip_check_mc_rcu
recipients (to): ["davem@davemloft.net" "gregkh@linuxfoundation.org" "lee.jones@linaro.org" "liujian56@huawei.com"]
recipients (cc): []