ci starts bisection 2023-05-04 00:24:16.932118545 +0000 UTC m=+42992.336632725
bisecting fixing commit since 7e25f40eab52c57ff6772d27d2aef3640a3237d7
building syzkaller on c59079a693ad1d89c782f7db14b9f1c5629e2abc
ensuring issue is reproducible on original commit 7e25f40eab52c57ff6772d27d2aef3640a3237d7
testing commit 7e25f40eab52c57ff6772d27d2aef3640a3237d7 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: e30a3c54e78a375da4d91f7161b106ee946d24dc33dc4253e3695f1289c3c95c
run #0: crashed: WARNING: ODEBUG bug in ieee80211_ibss_setup_sdata
run #1: crashed: WARNING: ODEBUG bug in ieee80211_ibss_setup_sdata
run #2: crashed: WARNING: ODEBUG bug in ieee80211_ibss_setup_sdata
run #3: crashed: WARNING: ODEBUG bug in ieee80211_ibss_setup_sdata
run #4: crashed: WARNING: ODEBUG bug in ieee80211_ibss_setup_sdata
run #5: crashed: WARNING: ODEBUG bug in ieee80211_ibss_setup_sdata
run #6: crashed: WARNING: ODEBUG bug in ieee80211_ibss_setup_sdata
run #7: crashed: WARNING: ODEBUG bug in ieee80211_ibss_setup_sdata
run #8: crashed: WARNING: ODEBUG bug in ieee80211_ibss_setup_sdata
run #9: crashed: WARNING: ODEBUG bug in ieee80211_ibss_setup_sdata
run #10: crashed: WARNING: ODEBUG bug in ieee80211_ibss_setup_sdata
run #11: crashed: WARNING: ODEBUG bug in ieee80211_ibss_setup_sdata
run #12: crashed: WARNING: ODEBUG bug in ieee80211_ibss_setup_sdata
run #13: crashed: WARNING: ODEBUG bug in ieee80211_ibss_setup_sdata
run #14: crashed: WARNING: ODEBUG bug in ieee80211_ibss_setup_sdata
run #15: crashed: WARNING: ODEBUG bug in ieee80211_ibss_setup_sdata
run #16: crashed: INFO: task hung in addrconf_dad_work
run #17: crashed: INFO: task hung in crda_timeout_work
run #18: crashed: INFO: task hung in addrconf_dad_work
run #19: crashed: INFO: task hung in linkwatch_event
testing current HEAD fa31fc82fb775445c176e576304c4098222f47f2
testing commit fa31fc82fb775445c176e576304c4098222f47f2 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 5f1ee1e25b834cc6d6bc4f1721300261d731488fbb93de40f1bb8a9596d4d073
run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: failed to write control pipe: write |NUM: broken pipe
run #1: crashed: WARNING: ODEBUG bug in ieee80211_ibss_setup_sdata
run #2: crashed: WARNING: ODEBUG bug in ieee80211_ibss_setup_sdata
run #3: crashed: WARNING: ODEBUG bug in ieee80211_ibss_setup_sdata
run #4: crashed: WARNING: ODEBUG bug in ieee80211_ibss_setup_sdata
run #5: crashed: WARNING: ODEBUG bug in ieee80211_ibss_setup_sdata
run #6: crashed: WARNING: ODEBUG bug in ieee80211_ibss_setup_sdata
run #7: crashed: WARNING: ODEBUG bug in ieee80211_ibss_setup_sdata
run #8: crashed: WARNING: ODEBUG bug in ieee80211_ibss_setup_sdata
run #9: crashed: KASAN: use-after-free Write in detach_if_pending
revisions tested: 2, total time: 30m26.454459419s (build: 14m31.549742219s, test: 14m52.917072058s)
the crash still happens on HEAD
commit msg: Merge tag 'pm-6.4-rc1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm
crash: KASAN: use-after-free Write in detach_if_pending
bridge_slave_0: left promiscuous mode
bridge0: port 1(bridge_slave_0) entered disabled state
veth1_macvtap: left promiscuous mode
veth0_macvtap: left promiscuous mode
veth1_vlan: left promiscuous mode
veth0_vlan: left promiscuous mode
==================================================================
BUG: KASAN: use-after-free in __hlist_del include/linux/list.h:899 [inline]
BUG: KASAN: use-after-free in detach_timer kernel/time/timer.c:880 [inline]
BUG: KASAN: use-after-free in detach_if_pending+0x2d4/0x310 kernel/time/timer.c:899
Write of size 8 at addr ffff888076b29980 by task kworker/u4:3/45

CPU: 1 PID: 45 Comm: kworker/u4:3 Not tainted 6.3.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
Workqueue: netns cleanup_net
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x64/0xb0 lib/dump_stack.c:106
 print_address_description.constprop.0+0x2c/0x3c0 mm/kasan/report.c:351
 print_report mm/kasan/report.c:462 [inline]
 kasan_report+0x11c/0x130 mm/kasan/report.c:572
 __hlist_del include/linux/list.h:899 [inline]
 detach_timer kernel/time/timer.c:880 [inline]
 detach_if_pending+0x2d4/0x310 kernel/time/timer.c:899
 __timer_delete+0xaa/0x160 kernel/time/timer.c:1336
 del_timer include/linux/timer.h:213 [inline]
 addrconf_del_rs_timer net/ipv6/addrconf.c:308 [inline]
 addrconf_ifdown.isra.0+0x44d/0x13f0 net/ipv6/addrconf.c:3814
 addrconf_notify+0xc6/0x1330 net/ipv6/addrconf.c:3678
 notifier_call_chain+0x94/0x2a0 kernel/notifier.c:93
 call_netdevice_notifiers_extack net/core/dev.c:1973 [inline]
 call_netdevice_notifiers net/core/dev.c:1987 [inline]
 dev_close_many+0x296/0x570 net/core/dev.c:1528
 unregister_netdevice_many_notify+0x381/0x1600 net/core/dev.c:10855
 unregister_netdevice_many net/core/dev.c:10938 [inline]
 default_device_exit_batch+0x3b5/0x520 net/core/dev.c:11391
 cleanup_net+0x427/0x980 net/core/net_namespace.c:614
 process_one_work+0x86e/0x1410 kernel/workqueue.c:2405
 worker_thread+0x5af/0xf00 kernel/workqueue.c:2552
 kthread+0x2ea/0x3c0 kernel/kthread.c:379
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
 </TASK>

The buggy address belongs to the physical page:
page:ffffea0001daca40 refcount:0 mapcount:0 mapping:0000000000000000 index:0x4 pfn:0x76b29
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000000 0000000000000000 ffffffff00000201 0000000000000000
raw: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888076b29880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888076b29900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888076b29980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff888076b29a00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888076b29a80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================