bisecting cause commit starting from b182a66792feb706c62e50c31db8546ca4ff168e building syzkaller on 012fbc3229ebef871a201ea431b16610e6e0d345 testing commit b182a66792feb706c62e50c31db8546ca4ff168e with gcc (GCC) 8.1.0 kernel signature: 03903f5122ec8f1ed2cd28b4f49a90feebb18470ec3e537c80269280f4437180 all runs: crashed: BUG: sleeping function called from invalid context in lock_sock_nested testing release v5.5 testing commit d5226fa6dbae0569ee43ecfc08bdcd6770fc4755 with gcc (GCC) 8.1.0 kernel signature: 6dec00a6572fb023d0fde780cadb7cc776cab4843dc8b18e0a392ad86e54e508 all runs: crashed: BUG: sleeping function called from invalid context in lock_sock_nested testing release v5.4 testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0 kernel signature: c9136fbd34a8ca73cd54de2fe0a3ba6560f7e2fd506eb34d2cb3e3662155219a run #0: crashed: KASAN: use-after-free Read in sk_psock_unlink run #1: crashed: KASAN: use-after-free Read in sk_psock_unlink run #2: crashed: KASAN: use-after-free Read in sk_psock_unlink run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK testing release v5.3 testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.1.0 kernel signature: 44fbd893bcec3222e222974a1d27e4d6015f0198c09846576f1b2926dea1b587 all runs: OK # git bisect start 219d54332a09e8d8741c1e1982f5eae56099de85 4d856f72c10ecb060868ed10ff1b1453943fc6c8 Bisecting: 7882 revisions left to test after this (roughly 13 steps) [a9f8b38a071b468276a243ea3ea5a0636e848cf2] Merge tag 'for-linus-5.4-1' of git://github.com/cminyard/linux-ipmi testing commit a9f8b38a071b468276a243ea3ea5a0636e848cf2 with gcc (GCC) 8.1.0 kernel signature: 0dd80b3e13c411859da3158f001e6def5fddfbfda28ca595c789f458c30cc039 run #0: crashed: KASAN: use-after-free Read in sk_psock_unlink run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad a9f8b38a071b468276a243ea3ea5a0636e848cf2 Bisecting: 3920 revisions left to test after this (roughly 12 steps) [fe38bd6862074c0a2b9be7f31f043aaa70b2af5f] Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm testing commit fe38bd6862074c0a2b9be7f31f043aaa70b2af5f with gcc (GCC) 8.1.0 kernel signature: e7e409ea8241729e6117b98fb438b27ae175e9e247787483780a31fc1f9b8282 run #0: crashed: KASAN: use-after-free Read in sk_psock_unlink run #1: crashed: KASAN: use-after-free Read in sk_psock_unlink run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad fe38bd6862074c0a2b9be7f31f043aaa70b2af5f Bisecting: 1970 revisions left to test after this (roughly 11 steps) [fc6fd1392a8f3d5f3d722ad9c92314477c1a2a35] Merge branch 'x86-build-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip testing commit fc6fd1392a8f3d5f3d722ad9c92314477c1a2a35 with gcc (GCC) 8.1.0 kernel signature: 536ca745138567141b7b66f3ed4eaa285f7529af19b1bed16df0a7c0de649f2a run #0: crashed: KASAN: use-after-free Read in sk_psock_unlink run #1: crashed: KASAN: use-after-free Read in sk_psock_unlink run #2: crashed: KASAN: use-after-free Read in sk_psock_unlink run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad fc6fd1392a8f3d5f3d722ad9c92314477c1a2a35 Bisecting: 1024 revisions left to test after this (roughly 10 steps) [d47ebd684229f0048be5def6027bfcfbfe2db0d6] Merge tag 'armsoc-defconfig' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc testing commit d47ebd684229f0048be5def6027bfcfbfe2db0d6 with gcc (GCC) 8.1.0 kernel signature: 29a6f9ffdc6b9f8e28e2454a8d7e0fef0d8012a0adf82c5caeed81e1be20342d run #0: crashed: KASAN: use-after-free Read in sk_psock_unlink run #1: crashed: KASAN: use-after-free Read in sk_psock_unlink run #2: OK run #3: OK run #4: crashed: KASAN: use-after-free Read in sk_psock_unlink run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad d47ebd684229f0048be5def6027bfcfbfe2db0d6 Bisecting: 459 revisions left to test after this (roughly 9 steps) [52a5525214d0d612160154d902956eca0558b7c0] Merge tag 'iommu-updates-v5.4' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu testing commit 52a5525214d0d612160154d902956eca0558b7c0 with gcc (GCC) 8.1.0 kernel signature: 8d460826dcb44b0bbe1705c6146d1b65565059188a47cce76914bd2dc5ec2ee0 run #0: OK run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: crashed: KASAN: use-after-free Read in sk_psock_unlink # git bisect bad 52a5525214d0d612160154d902956eca0558b7c0 Bisecting: 211 revisions left to test after this (roughly 8 steps) [aa62325dc38de2be8b1c27eb180ad3751b3f58ec] Merge tag 'spi-v5.4' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi testing commit aa62325dc38de2be8b1c27eb180ad3751b3f58ec with gcc (GCC) 8.1.0 kernel signature: 38ea5e905aebbc1432ff14cf851d22b47d8b25119e9b6768091d31f0517cc629 run #0: crashed: KASAN: use-after-free Read in sk_psock_unlink run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: crashed: KASAN: use-after-free Read in sk_psock_unlink run #8: OK run #9: OK # git bisect bad aa62325dc38de2be8b1c27eb180ad3751b3f58ec Bisecting: 105 revisions left to test after this (roughly 7 steps) [c4d11ccb2b5cec6cdef7aeeb0017473d23031d96] Merge tag 'regulator-v5.4' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator testing commit c4d11ccb2b5cec6cdef7aeeb0017473d23031d96 with gcc (GCC) 8.1.0 kernel signature: 96b5de3ba43ab647ee47a13875a47b9f55911b4bf3c19dc45ebecc34682c70c9 run #0: crashed: KASAN: use-after-free Read in sk_psock_unlink run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad c4d11ccb2b5cec6cdef7aeeb0017473d23031d96 Bisecting: 60 revisions left to test after this (roughly 6 steps) [6729fb666a3b5a9a5ffa1bb6589127f7e4d35c38] Merge tag 'hwmon-for-v5.4' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging testing commit 6729fb666a3b5a9a5ffa1bb6589127f7e4d35c38 with gcc (GCC) 8.1.0 kernel signature: 0bfe81d9f104879626edfbf879026d6c0e334fec491414878ac04d3cdc2cfaea run #0: crashed: KASAN: use-after-free Read in sk_psock_unlink run #1: crashed: KASAN: use-after-free Read in sk_psock_unlink run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 6729fb666a3b5a9a5ffa1bb6589127f7e4d35c38 Bisecting: 42 revisions left to test after this (roughly 6 steps) [35cd180485425dcab3f587fd67f21552505939ac] hwmon: (lm75) Aproximate sample times to data-sheet values testing commit 35cd180485425dcab3f587fd67f21552505939ac with gcc (GCC) 8.1.0 kernel signature: 12909226e2058be395d3aa90d3d753e7c43720e3704c0b582902ca63ad072327 run #0: crashed: KASAN: use-after-free Read in sk_psock_unlink run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 35cd180485425dcab3f587fd67f21552505939ac Bisecting: 21 revisions left to test after this (roughly 5 steps) [dcb12653875e7cd969a6a18346bc1ed24ffb893b] hwmon: (lm75) Create structure to save all the configuration parameters. testing commit dcb12653875e7cd969a6a18346bc1ed24ffb893b with gcc (GCC) 8.1.0 kernel signature: 1c37b87920aea314b99328f786d355ef3584b1634d54b3316bd46db2924f9af0 run #0: crashed: KASAN: use-after-free Read in sk_psock_unlink run #1: crashed: KASAN: use-after-free Read in sk_psock_unlink run #2: crashed: KASAN: use-after-free Read in sk_psock_unlink run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad dcb12653875e7cd969a6a18346bc1ed24ffb893b Bisecting: 10 revisions left to test after this (roughly 3 steps) [af4e1c5eca95bed1192d8dc45c8ed63aea2209e8] x86/amd_nb: Add PCI device IDs for family 17h, model 70h testing commit af4e1c5eca95bed1192d8dc45c8ed63aea2209e8 with gcc (GCC) 8.1.0 kernel signature: 89c27d1162647f8dd78e82583b0dbfd7726568da9512841da7aded522329a88b run #0: crashed: KASAN: use-after-free Read in sk_psock_unlink run #1: crashed: KASAN: use-after-free Read in sk_psock_unlink run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad af4e1c5eca95bed1192d8dc45c8ed63aea2209e8 Bisecting: 4 revisions left to test after this (roughly 2 steps) [5ac6badc5aa057ceb1d50c93326a81db6e89ad2f] device-tree: bindinds: add NXP PCT2075 as compatible device to LM75 testing commit 5ac6badc5aa057ceb1d50c93326a81db6e89ad2f with gcc (GCC) 8.1.0 kernel signature: 44664e6a4d77b6bb58fdb7095205446264123805bbc4a3f89e25d4d012248aea run #0: crashed: KASAN: use-after-free Read in sk_psock_unlink run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 5ac6badc5aa057ceb1d50c93326a81db6e89ad2f Bisecting: 2 revisions left to test after this (roughly 1 step) [7d82fcc9d9e81241778aaa22fda7be753e237d86] hwmon: (lm75) Fix write operations for negative temperatures testing commit 7d82fcc9d9e81241778aaa22fda7be753e237d86 with gcc (GCC) 8.1.0 kernel signature: 01f102ccb9ef1c6cfa0c924c6c20ec01ba7efd48e0414139aa65116be2ec161d all runs: OK # git bisect good 7d82fcc9d9e81241778aaa22fda7be753e237d86 Bisecting: 0 revisions left to test after this (roughly 1 step) [2c9d5b5e32a2516ae9b1120c7688ea25ffee7805] hwmon: Remove ads1015 driver testing commit 2c9d5b5e32a2516ae9b1120c7688ea25ffee7805 with gcc (GCC) 8.1.0 kernel signature: 9ff7c19df02dac6b6b8641e5ea10390016768d894b851728982a7470fdb7344a all runs: OK # git bisect good 2c9d5b5e32a2516ae9b1120c7688ea25ffee7805 5ac6badc5aa057ceb1d50c93326a81db6e89ad2f is the first bad commit commit 5ac6badc5aa057ceb1d50c93326a81db6e89ad2f Author: Daniel Mack Date: Thu Jul 11 14:45:03 2019 +0200 device-tree: bindinds: add NXP PCT2075 as compatible device to LM75 The PCT2075 is compatible to other chips that are already handled by the LM75 driver. Signed-off-by: Daniel Mack Link: https://lore.kernel.org/r/20190711124504.7580-1-daniel@zonque.org Signed-off-by: Guenter Roeck Documentation/devicetree/bindings/hwmon/lm75.txt | 1 + 1 file changed, 1 insertion(+) culprit signature: 44664e6a4d77b6bb58fdb7095205446264123805bbc4a3f89e25d4d012248aea parent signature: 9ff7c19df02dac6b6b8641e5ea10390016768d894b851728982a7470fdb7344a revisions tested: 18, total time: 4h52m33.849466806s (build: 2h3m39.237377666s, test: 2h47m7.04397885s) first bad commit: 5ac6badc5aa057ceb1d50c93326a81db6e89ad2f device-tree: bindinds: add NXP PCT2075 as compatible device to LM75 cc: ["daniel@zonque.org" "devicetree@vger.kernel.org" "jdelvare@suse.com" "linux-hwmon@vger.kernel.org" "linux-kernel@vger.kernel.org" "linux@roeck-us.net" "mark.rutland@arm.com" "robh+dt@kernel.org"] crash: KASAN: use-after-free Read in sk_psock_unlink ================================================================== BUG: KASAN: use-after-free in sk_psock_unlink+0x321/0x410 net/core/sock_map.c:997 Read of size 4 at addr ffff8880891fdd58 by task syz-executor.3/1038 CPU: 0 PID: 1038 Comm: syz-executor.3 Not tainted 5.3.0-rc6-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x113/0x167 lib/dump_stack.c:113 print_address_description.cold.8+0x9/0x318 mm/kasan/report.c:351 __kasan_report.cold.9+0x1b/0x3f mm/kasan/report.c:482 kasan_report+0x12/0x17 mm/kasan/common.c:618 __asan_report_load4_noabort+0x14/0x20 mm/kasan/generic_report.c:131 sk_psock_unlink+0x321/0x410 net/core/sock_map.c:997 tcp_bpf_remove+0x1c/0x40 net/ipv4/tcp_bpf.c:539 tcp_bpf_close+0xd2/0x280 net/ipv4/tcp_bpf.c:579 inet_release+0xc1/0x1c0 net/ipv4/af_inet.c:427 inet6_release+0x46/0x60 net/ipv6/af_inet6.c:470 __sock_release+0xc2/0x270 net/socket.c:590 sock_close+0x13/0x20 net/socket.c:1268 __fput+0x25a/0x770 fs/file_table.c:280 ____fput+0x9/0x10 fs/file_table.c:313 task_work_run+0x108/0x180 kernel/task_work.c:113 tracehook_notify_resume include/linux/tracehook.h:188 [inline] exit_to_usermode_loop+0x24e/0x2e0 arch/x86/entry/common.c:163 prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline] syscall_return_slowpath arch/x86/entry/common.c:274 [inline] do_syscall_64+0x462/0x540 arch/x86/entry/common.c:299 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x415fe1 Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01 RSP: 002b:00007ffcc59c4700 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: 0000000000000000 RBX: 0000000000000006 RCX: 0000000000415fe1 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000005 RBP: 0000000000000001 R08: 00ffffffffffffff R09: 00ffffffffffffff R10: 00007ffcc59c47e0 R11: 0000000000000293 R12: 000000000076bf20 R13: 0000000000771120 R14: 00000000000671b6 R15: 000000000076bf2c Allocated by task 1040: save_stack+0x21/0x90 mm/kasan/common.c:69 set_track mm/kasan/common.c:77 [inline] __kasan_kmalloc.constprop.13+0xc7/0xd0 mm/kasan/common.c:493 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:507 kmem_cache_alloc_trace+0x15b/0x780 mm/slab.c:3550 kmalloc include/linux/slab.h:552 [inline] kzalloc include/linux/slab.h:748 [inline] sock_hash_alloc+0x170/0x4e0 net/core/sock_map.c:806 find_and_alloc_map kernel/bpf/syscall.c:121 [inline] map_create kernel/bpf/syscall.c:569 [inline] __do_sys_bpf+0x337/0x33c0 kernel/bpf/syscall.c:2831 __se_sys_bpf kernel/bpf/syscall.c:2808 [inline] __x64_sys_bpf+0x6e/0xb0 kernel/bpf/syscall.c:2808 do_syscall_64+0xd0/0x540 arch/x86/entry/common.c:296 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 8289: save_stack+0x21/0x90 mm/kasan/common.c:69 set_track mm/kasan/common.c:77 [inline] __kasan_slab_free+0x102/0x150 mm/kasan/common.c:455 kasan_slab_free+0xe/0x10 mm/kasan/common.c:463 __cache_free mm/slab.c:3425 [inline] kfree+0x108/0x2c0 mm/slab.c:3756 sock_hash_free+0x2f1/0x4e0 net/core/sock_map.c:869 bpf_map_free_deferred+0xaf/0x100 kernel/bpf/syscall.c:307 process_one_work+0x856/0x1630 kernel/workqueue.c:2269 worker_thread+0x85/0xb60 kernel/workqueue.c:2415 kthread+0x331/0x3f0 kernel/kthread.c:255 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 The buggy address belongs to the object at ffff8880891fdd40 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 24 bytes inside of 512-byte region [ffff8880891fdd40, ffff8880891fdf40) The buggy address belongs to the page: page:ffffea0002247f40 refcount:1 mapcount:0 mapping:ffff8880aa400a80 index:0xffff8880891fd840 flags: 0xfffe0000000200(slab) raw: 00fffe0000000200 ffffea00024d5248 ffffea0002924a08 ffff8880aa400a80 raw: ffff8880891fd840 ffff8880891fd0c0 0000000100000005 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880891fdc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880891fdc80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc >ffff8880891fdd00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb ^ ffff8880891fdd80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880891fde00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================