bisecting cause commit starting from 673b41e04a035d760bc0aff83fa9ee24fd9c2779
building syzkaller on c8d1cc20df5ca5d9ea437054720fa3cfdfa1f578
testing commit 673b41e04a035d760bc0aff83fa9ee24fd9c2779 with gcc (GCC) 8.1.0
kernel signature: 9a5cfe1b573f31ec0378fbd21462de88daeb8ba3e6e09250c62f8e0bab502a88
all runs: crashed: KASAN: use-after-free Read in __hrtimer_run_queues
testing release v5.6
testing commit 7111951b8d4973bda27ff663f2cf18b663d15b48 with gcc (GCC) 8.1.0
kernel signature: b50684a47573534b53e1adc3ca2799b50ace0d29bfe5169325f85632a9200244
all runs: OK
# git bisect start 673b41e04a035d760bc0aff83fa9ee24fd9c2779 7111951b8d4973bda27ff663f2cf18b663d15b48
Bisecting: 1116 revisions left to test after this (roughly 10 steps)
[59838093be51ee9447f6ad05483d697b6fa0368d] Merge tag 'driver-core-5.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core
testing commit 59838093be51ee9447f6ad05483d697b6fa0368d with gcc (GCC) 8.1.0
kernel signature: cd3b0cdb4a4686c1136a9811f7bb929626dbea24f3dc1f3047538e84697401be
all runs: OK
# git bisect good 59838093be51ee9447f6ad05483d697b6fa0368d
Bisecting: 564 revisions left to test after this (roughly 9 steps)
[a231bed2267cf45b0759da1d3ad62483b8bd0925] Merge tag 'regulator-spi-v5.7' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/misc
testing commit a231bed2267cf45b0759da1d3ad62483b8bd0925 with gcc (GCC) 8.1.0
kernel signature: 21d13aa929a7cb7dd6eecd8c4b7bfe27ca55c0b36a4ae9acf8deb3a1ecefa065
run #0: OK
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: boot failed: can't ssh into the instance
# git bisect good a231bed2267cf45b0759da1d3ad62483b8bd0925
Bisecting: 338 revisions left to test after this (roughly 8 steps)
[7c4fa150714fb319d4e2bb2303ebbd7307b0fb6d] Merge branch 'core-rcu-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
testing commit 7c4fa150714fb319d4e2bb2303ebbd7307b0fb6d with gcc (GCC) 8.1.0
kernel signature: 489084e94e72d2b20cd1f19b12d5594503f9ecf4cce27371dbe694550b18b879
all runs: OK
# git bisect good 7c4fa150714fb319d4e2bb2303ebbd7307b0fb6d
Bisecting: 162 revisions left to test after this (roughly 7 steps)
[4b9fd8a829a1eec7442e38afff21d610604de56a] Merge branch 'locking-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
testing commit 4b9fd8a829a1eec7442e38afff21d610604de56a with gcc (GCC) 8.1.0
kernel signature: bd1d051e57dc7eebeb2990cd7fc4e394bf8fe6a74a32c7f7d19a210cc71d4dfb
all runs: crashed: KASAN: use-after-free Read in __hrtimer_run_queues
# git bisect bad 4b9fd8a829a1eec7442e38afff21d610604de56a
Bisecting: 87 revisions left to test after this (roughly 7 steps)
[badc61982adb6018a48ed8fe32087b9754cae14b] efi/x86: Add RNG seed EFI table to unencrypted mapping check
testing commit badc61982adb6018a48ed8fe32087b9754cae14b with gcc (GCC) 8.1.0
kernel signature: dd0093af0e10d5989edcd6e0e7248108be2e3c40a79dec198aec5ba5cf72e423
all runs: OK
# git bisect good badc61982adb6018a48ed8fe32087b9754cae14b
Bisecting: 43 revisions left to test after this (roughly 6 steps)
[9e860351550b28901a78f122b1e2dc97f78ba369] m68knommu: Remove mm.h include from uaccess_no.h
testing commit 9e860351550b28901a78f122b1e2dc97f78ba369 with gcc (GCC) 8.1.0
kernel signature: c0c023a7a6fd7d8c92703cd8c2e0eb65048da2a138f889218346855daedbad3e
all runs: crashed: KASAN: use-after-free Read in __hrtimer_run_queues
# git bisect bad 9e860351550b28901a78f122b1e2dc97f78ba369
Bisecting: 21 revisions left to test after this (roughly 5 steps)
[f6f48e18040402136874a6a71611e081b4d0788a] lockdep: Teach lockdep about "USED" <- "IN-NMI" inversions
testing commit f6f48e18040402136874a6a71611e081b4d0788a with gcc (GCC) 8.1.0
kernel signature: daa1bc0fe723890aa2be19c68e23cc045741a03b7b02ec081991c4fa4157363a
all runs: OK
# git bisect good f6f48e18040402136874a6a71611e081b4d0788a
Bisecting: 10 revisions left to test after this (roughly 4 steps)
[80fbaf1c3f2926c834f8ca915441dfe27ce5487e] rcuwait: Add @state argument to rcuwait_wait_event()
testing commit 80fbaf1c3f2926c834f8ca915441dfe27ce5487e with gcc (GCC) 8.1.0
kernel signature: 0a9d6e5ad10abcae5daa7495252e04b70dd7f0bc14709650cd0e1fbe10fc9d5a
run #0: OK
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: boot failed: can't ssh into the instance
# git bisect good 80fbaf1c3f2926c834f8ca915441dfe27ce5487e
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[a5c6234e10280b3ec65e2410ce34904a2580e5f8] completion: Use simple wait queues
testing commit a5c6234e10280b3ec65e2410ce34904a2580e5f8 with gcc (GCC) 8.1.0
kernel signature: 3529e2fb62b23ab360c4c6895012b701250355478ddec73d04b683d2b328f4ce
all runs: OK
# git bisect good a5c6234e10280b3ec65e2410ce34904a2580e5f8
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[49915ac35ca7b07c54295a72d905be5064afb89e] lockdep: Annotate irq_work
testing commit 49915ac35ca7b07c54295a72d905be5064afb89e with gcc (GCC) 8.1.0
kernel signature: 63189342fd3bb61a32193e30110eb55c7a1e0ab4daaf3941beabb6cac1c8722f
all runs: crashed: KASAN: use-after-free Read in __hrtimer_run_queues
# git bisect bad 49915ac35ca7b07c54295a72d905be5064afb89e
Bisecting: 0 revisions left to test after this (roughly 1 step)
[40db173965c05a1d803451240ed41707d5bd978d] lockdep: Add hrtimer context tracing bits
testing commit 40db173965c05a1d803451240ed41707d5bd978d with gcc (GCC) 8.1.0
kernel signature: 61d2c7cf8f040e486e1ff1f75184a87d0b155e36db0e1a06067bef1856e2fa04
all runs: crashed: KASAN: use-after-free Read in __hrtimer_run_queues
# git bisect bad 40db173965c05a1d803451240ed41707d5bd978d
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[de8f5e4f2dc1f032b46afda0a78cab5456974f89] lockdep: Introduce wait-type checks
testing commit de8f5e4f2dc1f032b46afda0a78cab5456974f89 with gcc (GCC) 8.1.0
kernel signature: fe72ec0c9356a98c456f223af3c47d8c9817fe4c6817d2551008d51835b2f8ee
run #0: OK
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: boot failed: can't ssh into the instance
# git bisect good de8f5e4f2dc1f032b46afda0a78cab5456974f89
40db173965c05a1d803451240ed41707d5bd978d is the first bad commit
commit 40db173965c05a1d803451240ed41707d5bd978d
Author: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Date:   Sat Mar 21 12:26:02 2020 +0100

    lockdep: Add hrtimer context tracing bits
    
    Set current->irq_config = 1 for hrtimers which are not marked to expire in
    hard interrupt context during hrtimer_init(). These timers will expire in
    softirq context on PREEMPT_RT.
    
    Setting this allows lockdep to differentiate these timers. If a timer is
    marked to expire in hard interrupt context then the timer callback is not
    supposed to acquire a regular spinlock instead of a raw_spinlock in the
    expiry callback.
    
    Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Link: https://lkml.kernel.org/r/20200321113242.534508206@linutronix.de

 include/linux/irqflags.h | 15 +++++++++++++++
 include/linux/sched.h    |  1 +
 kernel/locking/lockdep.c |  2 +-
 kernel/time/hrtimer.c    |  6 +++++-
 4 files changed, 22 insertions(+), 2 deletions(-)
culprit signature: 61d2c7cf8f040e486e1ff1f75184a87d0b155e36db0e1a06067bef1856e2fa04
parent  signature: fe72ec0c9356a98c456f223af3c47d8c9817fe4c6817d2551008d51835b2f8ee
revisions tested: 14, total time: 3h26m16.783580212s (build: 1h31m0.116780561s, test: 1h54m18.81615574s)
first bad commit: 40db173965c05a1d803451240ed41707d5bd978d lockdep: Add hrtimer context tracing bits
cc: ["bigeasy@linutronix.de" "peterz@infradead.org" "tglx@linutronix.de"]
crash: KASAN: use-after-free Read in __hrtimer_run_queues
vxcan0: j1939_tp_rxtimer: 0x0000000095c8d76e: abort rx timeout. Force session deactivation
==================================================================
BUG: KASAN: use-after-free in __run_hrtimer kernel/time/hrtimer.c:1521 [inline]
BUG: KASAN: use-after-free in __hrtimer_run_queues+0xa65/0xb80 kernel/time/hrtimer.c:1583
Read of size 1 at addr ffff888093430573 by task syz-executor.0/7255

CPU: 0 PID: 7255 Comm: syz-executor.0 Not tainted 5.6.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x128/0x182 lib/dump_stack.c:118
 print_address_description.constprop.8.cold.10+0x9/0x317 mm/kasan/report.c:374
 __kasan_report.cold.11+0x1c/0x34 mm/kasan/report.c:506
 kasan_report+0xe/0x20 mm/kasan/common.c:641
 __run_hrtimer kernel/time/hrtimer.c:1521 [inline]
 __hrtimer_run_queues+0xa65/0xb80 kernel/time/hrtimer.c:1583
 hrtimer_run_softirq+0x167/0x250 kernel/time/hrtimer.c:1600
 __do_softirq+0x26e/0xa0c kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:373 [inline]
 irq_exit+0x191/0x1d0 kernel/softirq.c:413
 exiting_irq arch/x86/include/asm/apic.h:546 [inline]
 smp_apic_timer_interrupt+0x1a1/0x5f0 arch/x86/kernel/apic/apic.c:1146
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
 </IRQ>
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:752 [inline]
RIP: 0010:console_unlock+0x8bb/0xbd0 kernel/printk/printk.c:2481
Code: 18 1f b4 88 48 89 f8 48 c1 e8 03 42 80 3c 30 00 0f 85 b7 02 00 00 48 83 3d 79 eb 60 07 00 0f 84 0e 01 00 00 48 8b 7d c8 57 9d <0f> 1f 44 00 00 e9 9c f8 ff ff 49 8d 7f 08 48 89 f8 48 c1 e8 03 42
RSP: 0018:ffffc900019bec30 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff13
RAX: 1ffffffff11683e3 RBX: 0000000000000200 RCX: 0000000000000006
RDX: 0000000000000000 RSI: 0000000000000008 RDI: 0000000000000282
RBP: ffffc900019beca8 R08: 0000000000000001 R09: fffffbfff165e795
R10: fffffbfff165e794 R11: ffffffff8b2f3ca7 R12: 0000000000000000
R13: ffffffff89316710 R14: dffffc0000000000 R15: 0000000000000000
 vprintk_emit+0x19c/0x560 kernel/printk/printk.c:1996
 printk+0x9a/0xc0 kernel/printk/printk.c:2056
 batadv_check_known_mac_addr.cold.22+0x13/0x28 net/batman-adv/hard-interface.c:516
 batadv_hard_if_event+0x207/0x1320 net/batman-adv/hard-interface.c:1062
 notifier_call_chain+0x86/0x150 kernel/notifier.c:83
 call_netdevice_notifiers_extack net/core/dev.c:1960 [inline]
 call_netdevice_notifiers net/core/dev.c:1974 [inline]
 dev_set_mac_address+0x279/0x3d0 net/core/dev.c:8404
 do_setlink+0x5a5/0x2c30 net/core/rtnetlink.c:2551
 __rtnl_newlink+0x9cb/0x1250 net/core/rtnetlink.c:3252
 rtnl_newlink+0x5c/0x80 net/core/rtnetlink.c:3377
 rtnetlink_rcv_msg+0x346/0x8c0 net/core/rtnetlink.c:5436
 netlink_rcv_skb+0x119/0x340 net/netlink/af_netlink.c:2478
 netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline]
 netlink_unicast+0x434/0x630 net/netlink/af_netlink.c:1329
 netlink_sendmsg+0x714/0xc60 net/netlink/af_netlink.c:1918
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg+0xac/0xe0 net/socket.c:672
 __sys_sendto+0x1d9/0x2b0 net/socket.c:1998
 __do_compat_sys_socketcall net/compat.c:771 [inline]
 __se_compat_sys_socketcall net/compat.c:719 [inline]
 __ia32_compat_sys_socketcall+0x401/0x550 net/compat.c:719
 do_syscall_32_irqs_on arch/x86/entry/common.c:337 [inline]
 do_fast_syscall_32+0x231/0xb27 arch/x86/entry/common.c:408
 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139

Allocated by task 8504:
 save_stack+0x19/0x80 mm/kasan/common.c:72
 set_track mm/kasan/common.c:80 [inline]
 __kasan_kmalloc.constprop.17+0xc1/0xd0 mm/kasan/common.c:515
 kmem_cache_alloc_trace+0x156/0x780 mm/slab.c:3551
 kmalloc include/linux/slab.h:555 [inline]
 kzalloc include/linux/slab.h:669 [inline]
 j1939_session_new+0x65/0x3b0 net/can/j1939/transport.c:1418
 j1939_tp_send+0x1a7/0x650 net/can/j1939/transport.c:1877
 j1939_sk_send_loop net/can/j1939/socket.c:1037 [inline]
 j1939_sk_sendmsg+0x97c/0x1150 net/can/j1939/socket.c:1160
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg+0xac/0xe0 net/socket.c:672
 ____sys_sendmsg+0x554/0x760 net/socket.c:2343
 ___sys_sendmsg+0xe4/0x160 net/socket.c:2397
 __sys_sendmsg+0xce/0x170 net/socket.c:2430
 do_syscall_32_irqs_on arch/x86/entry/common.c:337 [inline]
 do_fast_syscall_32+0x231/0xb27 arch/x86/entry/common.c:408
 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139

Freed by task 7255:
 save_stack+0x19/0x80 mm/kasan/common.c:72
 set_track mm/kasan/common.c:80 [inline]
 kasan_set_free_info mm/kasan/common.c:337 [inline]
 __kasan_slab_free+0xf7/0x140 mm/kasan/common.c:476
 __cache_free mm/slab.c:3426 [inline]
 kfree+0x107/0x2b0 mm/slab.c:3757
 j1939_tp_rxtimer+0x249/0x254 net/can/j1939/transport.c:1194
 __run_hrtimer kernel/time/hrtimer.c:1519 [inline]
 __hrtimer_run_queues+0x31e/0xb80 kernel/time/hrtimer.c:1583
 hrtimer_run_softirq+0x167/0x250 kernel/time/hrtimer.c:1600
 __do_softirq+0x26e/0xa0c kernel/softirq.c:292

The buggy address belongs to the object at ffff888093430400
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 371 bytes inside of
 512-byte region [ffff888093430400, ffff888093430600)
The buggy address belongs to the page:
page:ffffea00024d0c00 refcount:1 mapcount:0 mapping:ffff8880aa400a80 index:0x0
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea0002a6e608 ffffea0002a40b48 ffff8880aa400a80
raw: 0000000000000000 ffff888093430000 0000000100000004 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888093430400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888093430480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888093430500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                             ^
 ffff888093430580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888093430600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================