bisecting cause commit starting from e382d91f5f806abd770edeebe41851733aef1f93 building syzkaller on 3361bde5773da39c293045c578c844ddc89291e6 testing commit e382d91f5f806abd770edeebe41851733aef1f93 with gcc (GCC) 8.1.0 run #0: crashed: kernel BUG at net/core/net-sysfs.c:LINE! run #1: crashed: kernel BUG at net/core/net-sysfs.c:LINE! run #2: crashed: kernel BUG at net/core/net-sysfs.c:LINE! run #3: crashed: kernel BUG at net/core/net-sysfs.c:LINE! run #4: crashed: kernel BUG at net/core/net-sysfs.c:LINE! run #5: crashed: kernel BUG at net/core/net-sysfs.c:LINE! run #6: crashed: kernel BUG at net/core/net-sysfs.c:LINE! run #7: crashed: kernel BUG at net/core/net-sysfs.c:LINE! run #8: OK run #9: crashed: kernel BUG at net/core/net-sysfs.c:LINE! testing release v5.0 testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783 with gcc (GCC) 8.1.0 all runs: OK # git bisect start e382d91f5f806abd770edeebe41851733aef1f93 v5.0 Bisecting: 7919 revisions left to test after this (roughly 13 steps) [b5dd0c658c31b469ccff1b637e5124851e7a4a1c] Merge branch 'akpm' (patches from Andrew) testing commit b5dd0c658c31b469ccff1b637e5124851e7a4a1c with gcc (GCC) 8.1.0 all runs: OK # git bisect good b5dd0c658c31b469ccff1b637e5124851e7a4a1c Bisecting: 3964 revisions left to test after this (roughly 12 steps) [a5adcfcad55d5f034b33f79f1a873229d1e77b24] Merge tag 'ext4_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4 testing commit a5adcfcad55d5f034b33f79f1a873229d1e77b24 with gcc (GCC) 8.1.0 all runs: OK # git bisect good a5adcfcad55d5f034b33f79f1a873229d1e77b24 Bisecting: 1962 revisions left to test after this (roughly 11 steps) [dbedfa8edf03aa8bf123e19a26a76ffc8813862d] Merge remote-tracking branch 'hid/for-next' testing commit dbedfa8edf03aa8bf123e19a26a76ffc8813862d with gcc (GCC) 8.1.0 all runs: crashed: kernel BUG at net/core/net-sysfs.c:LINE! # git bisect bad dbedfa8edf03aa8bf123e19a26a76ffc8813862d Bisecting: 1000 revisions left to test after this (roughly 10 steps) [bab3fbb2b56f6ceb839dfb693aabf45d10f3cbc3] ARM: dts: sun6i: Fix Display Engine DTC warnings testing commit bab3fbb2b56f6ceb839dfb693aabf45d10f3cbc3 with gcc (GCC) 8.1.0 all runs: OK # git bisect good bab3fbb2b56f6ceb839dfb693aabf45d10f3cbc3 Bisecting: 476 revisions left to test after this (roughly 9 steps) [be0869bbea5968356065dc1db2c78d53da75b5cb] Merge remote-tracking branch 'imx-mxs/for-next' testing commit be0869bbea5968356065dc1db2c78d53da75b5cb with gcc (GCC) 8.1.0 all runs: crashed: kernel BUG at net/core/net-sysfs.c:LINE! # git bisect bad be0869bbea5968356065dc1db2c78d53da75b5cb Bisecting: 270 revisions left to test after this (roughly 8 steps) [5acf14ee77bbbe203186005b48dea94bbb02dfa3] Merge remote-tracking branch 'sound-current/for-linus' testing commit 5acf14ee77bbbe203186005b48dea94bbb02dfa3 with gcc (GCC) 8.1.0 all runs: crashed: kernel BUG at net/core/net-sysfs.c:LINE! # git bisect bad 5acf14ee77bbbe203186005b48dea94bbb02dfa3 Bisecting: 122 revisions left to test after this (roughly 7 steps) [e0831ef7160eb1d6f7a4b6867ea9d36e4f72b58a] Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf testing commit e0831ef7160eb1d6f7a4b6867ea9d36e4f72b58a with gcc (GCC) 8.1.0 all runs: OK # git bisect good e0831ef7160eb1d6f7a4b6867ea9d36e4f72b58a Bisecting: 49 revisions left to test after this (roughly 6 steps) [f165d026fec93399f3bea89fa36a441a2cdfb982] Merge remote-tracking branch 'kspp-gustavo/for-next/kspp' testing commit f165d026fec93399f3bea89fa36a441a2cdfb982 with gcc (GCC) 8.1.0 all runs: OK # git bisect good f165d026fec93399f3bea89fa36a441a2cdfb982 Bisecting: 27 revisions left to test after this (roughly 5 steps) [6b70fc94afd165342876e53fc4b2f7d085009945] net-sysfs: Fix memory leak in netdev_register_kobject testing commit 6b70fc94afd165342876e53fc4b2f7d085009945 with gcc (GCC) 8.1.0 all runs: crashed: kernel BUG at net/core/net-sysfs.c:LINE! # git bisect bad 6b70fc94afd165342876e53fc4b2f7d085009945 Bisecting: 10 revisions left to test after this (roughly 4 steps) [6ac86ca3524b4549d31c45d11487b0626c334f10] net/sched: act_pedit: validate the control action inside init() testing commit 6ac86ca3524b4549d31c45d11487b0626c334f10 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 6ac86ca3524b4549d31c45d11487b0626c334f10 Bisecting: 5 revisions left to test after this (roughly 3 steps) [7c3d825d12c5e6056ea73c0a202cbdef9d9ab9e6] net/sched: act_skbmod: validate the control action inside init() testing commit 7c3d825d12c5e6056ea73c0a202cbdef9d9ab9e6 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 7c3d825d12c5e6056ea73c0a202cbdef9d9ab9e6 Bisecting: 2 revisions left to test after this (roughly 2 steps) [fe384e2fa36ca084a456fd30558cccc75b4b3fbd] net/sched: don't dereference a->goto_chain to read the chain index testing commit fe384e2fa36ca084a456fd30558cccc75b4b3fbd with gcc (GCC) 8.1.0 all runs: OK # git bisect good fe384e2fa36ca084a456fd30558cccc75b4b3fbd Bisecting: 0 revisions left to test after this (roughly 1 step) [1ea186e3aeead3d99f82fbda820d758d59947b41] Merge branch 'net-sched-validate-the-control-action-with-all-the-other-parameters' testing commit 1ea186e3aeead3d99f82fbda820d758d59947b41 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 1ea186e3aeead3d99f82fbda820d758d59947b41 6b70fc94afd165342876e53fc4b2f7d085009945 is the first bad commit commit 6b70fc94afd165342876e53fc4b2f7d085009945 Author: Wang Hai Date: Wed Mar 20 14:25:05 2019 -0400 net-sysfs: Fix memory leak in netdev_register_kobject When registering struct net_device, it will call register_netdevice -> netdev_register_kobject -> device_initialize(dev); dev_set_name(dev, "%s", ndev->name) device_add(dev) register_queue_kobjects(ndev) In netdev_register_kobject(), if device_add(dev) or register_queue_kobjects(ndev) failed. Register_netdevice() will return error, causing netdev_freemem(ndev) to be called to free net_device, however put_device(&dev->dev)->..-> kobject_cleanup() won't be called, resulting in a memory leak. syzkaller report this: BUG: memory leak unreferenced object 0xffff8881f4fad168 (size 8): comm "syz-executor.0", pid 3575, jiffies 4294778002 (age 20.134s) hex dump (first 8 bytes): 77 70 61 6e 30 00 ff ff wpan0... backtrace: [<000000006d2d91d7>] kstrdup_const+0x3d/0x50 mm/util.c:73 [<00000000ba9ff953>] kvasprintf_const+0x112/0x170 lib/kasprintf.c:48 [<000000005555ec09>] kobject_set_name_vargs+0x55/0x130 lib/kobject.c:281 [<0000000098d28ec3>] dev_set_name+0xbb/0xf0 drivers/base/core.c:1915 [<00000000b7553017>] netdev_register_kobject+0xc0/0x410 net/core/net-sysfs.c:1727 [<00000000c826a797>] register_netdevice+0xa51/0xeb0 net/core/dev.c:8711 [<00000000857bfcfd>] cfg802154_update_iface_num.isra.2+0x13/0x90 [ieee802154] [<000000003126e453>] ieee802154_llsec_fill_key_id+0x1d5/0x570 [ieee802154] [<00000000e4b3df51>] 0xffffffffc1500e0e [<00000000b4319776>] platform_drv_probe+0xc6/0x180 drivers/base/platform.c:614 [<0000000037669347>] really_probe+0x491/0x7c0 drivers/base/dd.c:509 [<000000008fed8862>] driver_probe_device+0xdc/0x240 drivers/base/dd.c:671 [<00000000baf52041>] device_driver_attach+0xf2/0x130 drivers/base/dd.c:945 [<00000000c7cc8dec>] __driver_attach+0x10e/0x210 drivers/base/dd.c:1022 [<0000000057a757c2>] bus_for_each_dev+0x154/0x1e0 drivers/base/bus.c:304 [<000000005f5ae04b>] bus_add_driver+0x427/0x5e0 drivers/base/bus.c:645 Reported-by: Hulk Robot Fixes: 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array") Signed-off-by: Wang Hai Reviewed-by: Andy Shevchenko Reviewed-by: Stephen Hemminger Signed-off-by: David S. Miller net/core/net-sysfs.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) revisions tested: 15, total time: 3h14m56.359360944s (build: 1h16m23.578831791s, test: 1h55m8.948159906s) first bad commit: 6b70fc94afd165342876e53fc4b2f7d085009945 net-sysfs: Fix memory leak in netdev_register_kobject cc: ["andriy.shevchenko@linux.intel.com" "davem@davemloft.net" "stephen@networkplumber.org" "wanghai26@huawei.com"] crash: kernel BUG at net/core/net-sysfs.c:LINE! RAX: ffffffffffffffda RBX: 000000000071bf00 RCX: 0000000000457879 RDX: 0000000020000080 RSI: 00000000000089f1 RDI: 0000000000000006 RBP: 00007fe93e0abca0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000007 R13: 00000000006e6fd8 R14: 00000000004b1840 R15: 00007fe93e0ac6d4 ------------[ cut here ]------------ kernel BUG at net/core/net-sysfs.c:1631! invalid opcode: 0000 [#1] PREEMPT SMP KASAN CPU: 0 PID: 6835 Comm: syz-executor.3 Not tainted 5.0.0+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014 RIP: 0010:netdev_release+0x71/0x90 net/core/net-sysfs.c:1631 Code: 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 75 22 48 8b bb 80 fa ff ff e8 3c ee 6d fc 4c 89 e7 e8 b4 77 f6 ff 5b 41 5c 5d c3 <0f> 0b e8 a8 27 6e fc eb ba e8 01 28 6e fc eb d7 0f 1f 44 00 00 66 RSP: 0018:ffff888071bd7738 EFLAGS: 00010297 RAX: 0000000000000000 RBX: ffff88802b7ef220 RCX: 0000000000000000 RDX: 1ffff110056fde3d RSI: ffff888071bd76b8 RDI: ffff88802b7ef1e8 RBP: ffff888071bd7748 R08: 0000000000000006 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: ffff88802b7eec80 R13: 0000000000000000 R14: ffffffff87daaf80 R15: ffff88802b7eec80 FS: 00007fe93e0ac700(0000) GS:ffff88802d800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f2af903d000 CR3: 000000007b3a6000 CR4: 00000000007406f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: device_release+0x74/0x1d0 drivers/base/core.c:1064 kobject_cleanup lib/kobject.c:662 [inline] kobject_release lib/kobject.c:691 [inline] kref_put include/linux/kref.h:67 [inline] kobject_put.cold.9+0x22e/0x281 lib/kobject.c:708 put_device+0x12/0x20 drivers/base/core.c:2205 netdev_register_kobject+0x179/0x360 net/core/net-sysfs.c:1763 register_netdevice+0x6e8/0x1100 net/core/dev.c:8711 ip6_tnl_create2+0x144/0x270 net/ipv6/ip6_tunnel.c:269 ip6_tnl_create net/ipv6/ip6_tunnel.c:320 [inline] ip6_tnl_locate+0x524/0x780 net/ipv6/ip6_tunnel.c:368 ip6_tnl_ioctl+0x3ee/0x890 net/ipv6/ip6_tunnel.c:1634 dev_ifsioc+0x294/0x720 net/core/dev_ioctl.c:322 dev_ioctl+0x57e/0xad0 net/core/dev_ioctl.c:513 sock_ioctl+0x3be/0x510 net/socket.c:1102 vfs_ioctl fs/ioctl.c:46 [inline] file_ioctl fs/ioctl.c:509 [inline] do_vfs_ioctl+0x199/0x10d0 fs/ioctl.c:696 ksys_ioctl+0x62/0x90 fs/ioctl.c:713 __do_sys_ioctl fs/ioctl.c:720 [inline] __se_sys_ioctl fs/ioctl.c:718 [inline] __x64_sys_ioctl+0x6e/0xb0 fs/ioctl.c:718 do_syscall_64+0xd6/0x4e0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x457879 Code: 8d b5 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b b5 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007fe93e0abc88 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 000000000071bf00 RCX: 0000000000457879 RDX: 0000000020000080 RSI: 00000000000089f1 RDI: 0000000000000006 RBP: 00007fe93e0abca0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000007 R13: 00000000006e6fd8 R14: 00000000004b1840 R15: 00007fe93e0ac6d4 Modules linked in: ---[ end trace 1e6882502cec0892 ]--- RIP: 0010:netdev_release+0x71/0x90 net/core/net-sysfs.c:1631 Code: 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 75 22 48 8b bb 80 fa ff ff e8 3c ee 6d fc 4c 89 e7 e8 b4 77 f6 ff 5b 41 5c 5d c3 <0f> 0b e8 a8 27 6e fc eb ba e8 01 28 6e fc eb d7 0f 1f 44 00 00 66 RSP: 0018:ffff888071bd7738 EFLAGS: 00010297 RAX: 0000000000000000 RBX: ffff88802b7ef220 RCX: 0000000000000000 RDX: 1ffff110056fde3d RSI: ffff888071bd76b8 RDI: ffff88802b7ef1e8 RBP: ffff888071bd7748 R08: 0000000000000006 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: ffff88802b7eec80 R13: 0000000000000000 R14: ffffffff87daaf80 R15: ffff88802b7eec80 FS: 00007fe93e0ac700(0000) GS:ffff88802d800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fc384bb7190 CR3: 000000007b3a6000 CR4: 00000000007406f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554