bisecting cause commit starting from 63623fd44972d1ed2bfb6e0fb631dfcf547fd1e7
building syzkaller on c88c7b75a4e022b758f4b0f1bf3db8ebb2fb25e6
testing commit 63623fd44972d1ed2bfb6e0fb631dfcf547fd1e7 with gcc (GCC) 8.1.0
kernel signature: 357bc364d6a79fb308cf1a35ddf6c08214cd947fc96d27e68f863b5cc12a72b0
run #0: crashed: KASAN: use-after-free Read in skb_release_data
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: boot failed: can't ssh into the instance
testing release v5.5
testing commit d5226fa6dbae0569ee43ecfc08bdcd6770fc4755 with gcc (GCC) 8.1.0
kernel signature: 962a83bb274bb15830c5c8be719f966da0c6a7b8f50ac4960b4be24ca9a56cf7
run #0: crashed: KASAN: use-after-free Read in skb_release_data
run #1: crashed: KASAN: use-after-free Read in h5_rx_3wire_hdr
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
testing release v5.4
testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0
kernel signature: 4e1f4ce486b8cab9467f751f05d77d8abd76e1dcdccc7a1413352239b72109dd
all runs: OK
# git bisect start d5226fa6dbae0569ee43ecfc08bdcd6770fc4755 219d54332a09e8d8741c1e1982f5eae56099de85
Bisecting: 8639 revisions left to test after this (roughly 13 steps)
[8c39f71ee2019e77ee14f88b1321b2348db51820] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
testing commit 8c39f71ee2019e77ee14f88b1321b2348db51820 with gcc (GCC) 8.1.0
kernel signature: 8ddb0bd60bc8f8bac8ae865d4c4d944409c6fa8d57a994b761075112841f1ac2
run #0: crashed: KASAN: use-after-free Read in h5_rx_3wire_hdr
run #1: crashed: KASAN: use-after-free Read in h5_rx_3wire_hdr
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 8c39f71ee2019e77ee14f88b1321b2348db51820
Bisecting: 3435 revisions left to test after this (roughly 12 steps)
[3b397c7ccafe0624018cb09fc96729f8f6165573] Merge tag 'regmap-v5.5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regmap
testing commit 3b397c7ccafe0624018cb09fc96729f8f6165573 with gcc (GCC) 8.1.0
kernel signature: 586ddf94aae5aaad32712d7cb09c7f50f73239c55015ca8b00f297bc8bbfa9d5
run #0: crashed: KASAN: use-after-free Read in h5_rx_3wire_hdr
run #1: crashed: general protection fault in skb_put
run #2: crashed: KASAN: use-after-free Read in h5_rx_3wire_hdr
run #3: crashed: general protection fault in skb_put
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 3b397c7ccafe0624018cb09fc96729f8f6165573
Bisecting: 1709 revisions left to test after this (roughly 11 steps)
[924ea58dadea23cc28b60d02b9c0896b7b168a6f] Merge tag 'mt76-for-kvalo-2019-11-20' of https://github.com/nbd168/wireless
testing commit 924ea58dadea23cc28b60d02b9c0896b7b168a6f with gcc (GCC) 8.1.0
kernel signature: f23662de05e34d934f7d47f2e807f299040d581c47a4cd6577a0bc7e7657339e
run #0: crashed: KASAN: use-after-free Read in skb_release_data
run #1: crashed: KASAN: use-after-free Read in h5_rx_3wire_hdr
run #2: crashed: KASAN: use-after-free Read in skb_release_data
run #3: crashed: general protection fault in skb_put
run #4: crashed: KASAN: use-after-free Read in h5_rx_3wire_hdr
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 924ea58dadea23cc28b60d02b9c0896b7b168a6f
Bisecting: 855 revisions left to test after this (roughly 10 steps)
[3b7ad08b5153b0eda2f4d57ac53d815c30acd172] vsock: Simplify '__vsock_release()'
testing commit 3b7ad08b5153b0eda2f4d57ac53d815c30acd172 with gcc (GCC) 8.1.0
kernel signature: b970c6b07cf8d5be0713d69ed08edc1f65cd99aa834f73722df39085e8282b46
run #0: crashed: general protection fault in skb_put
run #1: crashed: KASAN: use-after-free Read in h5_reset_rx
run #2: crashed: general protection fault in skb_put
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 3b7ad08b5153b0eda2f4d57ac53d815c30acd172
Bisecting: 427 revisions left to test after this (roughly 9 steps)
[a3e09ded6a6d4b4cbdeb8c1ec4c7cf60798b3ce0] i40e: Extract detection of HW flags into a function
testing commit a3e09ded6a6d4b4cbdeb8c1ec4c7cf60798b3ce0 with gcc (GCC) 8.1.0
kernel signature: 59eeade40d31c9f62bc0a5dbcc3182edc2cc039157959f9a0dfce74e922d402c
run #0: crashed: KASAN: use-after-free Read in h5_rx_3wire_hdr
run #1: crashed: KASAN: use-after-free Read in h5_reset_rx
run #2: crashed: KASAN: use-after-free Read in h5_rx_3wire_hdr
run #3: crashed: KASAN: use-after-free Read in h5_reset_rx
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad a3e09ded6a6d4b4cbdeb8c1ec4c7cf60798b3ce0
Bisecting: 218 revisions left to test after this (roughly 8 steps)
[cb0ce18aaf4c08f1c5c60d8a09fcba34f63f6f51] genetlink: do not parse attributes for families with zero maxattr
testing commit cb0ce18aaf4c08f1c5c60d8a09fcba34f63f6f51 with gcc (GCC) 8.1.0
kernel signature: 19d1b6d531bef5e6266072dbff2a8d4ab22488eaa84f511b7e1a1bbfd78401ff
run #0: crashed: general protection fault in skb_put
run #1: crashed: KASAN: use-after-free Read in skb_release_data
run #2: crashed: KASAN: use-after-free Read in skb_release_data
run #3: crashed: KASAN: use-after-free Read in skb_release_data
run #4: crashed: KASAN: use-after-free Read in skb_release_data
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad cb0ce18aaf4c08f1c5c60d8a09fcba34f63f6f51
Bisecting: 103 revisions left to test after this (roughly 7 steps)
[4495af31947bcc8886fe43737500f12729f7bdd9] net: nfc: have genetlink code to parse the attrs during dumpit
testing commit 4495af31947bcc8886fe43737500f12729f7bdd9 with gcc (GCC) 8.1.0
kernel signature: 1f87a0ff26441a2979f3074352bab302a9e4773bab545fa82769cb390aedc1cb
run #0: crashed: general protection fault in skb_put
run #1: crashed: general protection fault in skb_put
run #2: crashed: KASAN: use-after-free Read in skb_release_data
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 4495af31947bcc8886fe43737500f12729f7bdd9
Bisecting: 51 revisions left to test after this (roughly 6 steps)
[9077f052abd5391a866dd99e27212213648becef] net: propagate errors correctly in register_netdevice()
testing commit 9077f052abd5391a866dd99e27212213648becef with gcc (GCC) 8.1.0
kernel signature: a0477af3599dc9dff7f3b7399b0de9953af34563b2b7f8c7da39e9df415b2873
run #0: crashed: general protection fault in skb_put
run #1: crashed: general protection fault in skb_put
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 9077f052abd5391a866dd99e27212213648becef
Bisecting: 25 revisions left to test after this (roughly 5 steps)
[e982ae6aa4e1505d7567a54ef3f259a9647dfd35] ionic: add lif_quiesce to wait for queue activity to stop
testing commit e982ae6aa4e1505d7567a54ef3f259a9647dfd35 with gcc (GCC) 8.1.0
kernel signature: a0bf019955e62771d3b960b84e97a35cf5170065abf3c7b81d378a867ca67137
run #0: crashed: KASAN: use-after-free Read in h5_rx_3wire_hdr
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad e982ae6aa4e1505d7567a54ef3f259a9647dfd35
Bisecting: 12 revisions left to test after this (roughly 4 steps)
[9fb137aef34e4eedaa23307d309b0ebe8358fea1] net: usb: ax88179_178a: allow optionally getting mac address from device tree
testing commit 9fb137aef34e4eedaa23307d309b0ebe8358fea1 with gcc (GCC) 8.1.0
kernel signature: 2d8fb9f17452e64d8ef4063991373ed2e07197080b36940171a7ed2c5b480733
run #0: crashed: general protection fault in skb_put
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 9fb137aef34e4eedaa23307d309b0ebe8358fea1
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[36fbf1e52bd3ff8a5cb604955eedfc9350c2e6cc] net: rtnetlink: add linkprop commands to add and delete alternative ifnames
testing commit 36fbf1e52bd3ff8a5cb604955eedfc9350c2e6cc with gcc (GCC) 8.1.0
kernel signature: c66ccd05c24f874a8f87bd6e0c51e534596c2b875759ba271712a3e0c43201e6
run #0: crashed: KASAN: use-after-free Read in h5_rx_3wire_hdr
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 36fbf1e52bd3ff8a5cb604955eedfc9350c2e6cc
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[be2644aac3e1db02d09f45d56206bbdafca582a2] tcp: add ipv6_addr_v4mapped_loopback() helper
testing commit be2644aac3e1db02d09f45d56206bbdafca582a2 with gcc (GCC) 8.1.0
kernel signature: 60c3288fb9879a722f7ddc898d32c356ee50fa40e05fa5c602ad9b1b02652f52
run #0: crashed: general protection fault in skb_put
run #1: crashed: KASAN: use-after-free Read in h5_rx_3wire_hdr
run #2: crashed: KASAN: use-after-free Read in h5_rx_3wire_hdr
run #3: crashed: general protection fault in skb_put
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad be2644aac3e1db02d09f45d56206bbdafca582a2
Bisecting: 0 revisions left to test after this (roughly 1 step)
[5be5515a8ea198de6eb204a0ff25faf98b8ff719] net: core: dev: replace state xoff flag comparison by netif_xmit_stopped method
testing commit 5be5515a8ea198de6eb204a0ff25faf98b8ff719 with gcc (GCC) 8.1.0
kernel signature: b8992fb32c177645a7ffae596039361c3a76807020a0f1d3f453d9830701bda7
run #0: crashed: KASAN: use-after-free Read in h5_rx_3wire_hdr
run #1: crashed: general protection fault in skb_put
run #2: crashed: general protection fault in skb_put
run #3: crashed: KASAN: use-after-free Read in h5_rx_3wire_hdr
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 5be5515a8ea198de6eb204a0ff25faf98b8ff719
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[5f71c84038d39def573744a145c573758f52a949] r8152: Factor out OOB link list waits
testing commit 5f71c84038d39def573744a145c573758f52a949 with gcc (GCC) 8.1.0
kernel signature: 149f166f61e3cc5a53acee48920580538daf9d4bbe0e95b24c7cb3eda8fc4d25
run #0: crashed: general protection fault in skb_put
run #1: crashed: KASAN: use-after-free Read in h5_rx_3wire_hdr
run #2: crashed: KASAN: use-after-free Read in h5_reset_rx
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 5f71c84038d39def573744a145c573758f52a949
5f71c84038d39def573744a145c573758f52a949 is the first bad commit
commit 5f71c84038d39def573744a145c573758f52a949
Author: Prashant Malani
Date:   Tue Oct 1 01:35:57 2019 -0700

    r8152: Factor out OOB link list waits

    The same for-loop check for the LINK_LIST_READY bit of an OOB_CTRL
    register is used in several places. Factor these out into a single
    function to reduce the lines of code.

    Change-Id: I20e8f327045a72acc0a83e2d145ae2993ab62915
    Signed-off-by: Prashant Malani
    Reviewed-by: Grant Grundler
    Acked-by: Hayes Wang
    Signed-off-by: David S. Miller

 drivers/net/usb/r8152.c | 73 ++++++++++++++-----------------------------------
 1 file changed, 21 insertions(+), 52 deletions(-)

parent commit 02dc96ef6c25f990452c114c59d75c368a1f4c8f wasn't tested
testing commit 02dc96ef6c25f990452c114c59d75c368a1f4c8f with gcc (GCC) 8.1.0
kernel signature: 68122d59d2b2a2004de30bd38037ed2e92c669d83f2ee98b23abf42c5883c26b
culprit signature: 149f166f61e3cc5a53acee48920580538daf9d4bbe0e95b24c7cb3eda8fc4d25
parent signature: 68122d59d2b2a2004de30bd38037ed2e92c669d83f2ee98b23abf42c5883c26b
revisions tested: 17, total time: 4h59m47.530364261s (build: 2h1m1.643554292s, test: 2h57m35.286158604s)
first bad commit: 5f71c84038d39def573744a145c573758f52a949 r8152: Factor out OOB link list waits
cc: ["davem@davemloft.net" "grundler@chromium.org" "hayeswang@realtek.com" "pmalani@chromium.org"]
crash: KASAN: use-after-free Read in h5_reset_rx
Bluetooth: Invalid header checksum
==================================================================
BUG: KASAN: use-after-free in atomic_read include/asm-generic/atomic-instrumented.h:26 [inline]
BUG: KASAN: use-after-free in refcount_read include/linux/refcount.h:43 [inline]
BUG: KASAN: use-after-free in skb_unref include/linux/skbuff.h:1010 [inline]
BUG: KASAN: use-after-free in kfree_skb+0x2d/0x2b0 net/core/skbuff.c:693
Read of size 4 at addr ffff888090c57c14 by task syz-executor.5/31357

CPU: 1 PID: 31357 Comm: syz-executor.5 Not tainted 5.3.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x113/0x167 lib/dump_stack.c:113
 print_address_description.constprop.8.cold.10+0x9/0x31d mm/kasan/report.c:374
 __kasan_report.cold.11+0x1b/0x3a mm/kasan/report.c:506
 kasan_report+0x12/0x20 mm/kasan/common.c:634
 check_memory_region_inline mm/kasan/generic.c:185 [inline]
 check_memory_region+0x153/0x1d0 mm/kasan/generic.c:192
 __kasan_check_read+0x11/0x20 mm/kasan/common.c:92
 atomic_read include/asm-generic/atomic-instrumented.h:26 [inline]
 refcount_read include/linux/refcount.h:43 [inline]
 skb_unref include/linux/skbuff.h:1010 [inline]
 kfree_skb+0x2d/0x2b0 net/core/skbuff.c:693
 h5_reset_rx+0x3d/0x100 drivers/bluetooth/hci_h5.c:530
 h5_rx_3wire_hdr+0x287/0x350 drivers/bluetooth/hci_h5.c:440
 h5_recv+0x28b/0x460 drivers/bluetooth/hci_h5.c:563
 hci_uart_tty_receive+0x1fc/0x560 drivers/bluetooth/hci_ldisc.c:613
 tiocsti drivers/tty/tty_io.c:2197 [inline]
 tty_ioctl+0x652/0x12f0 drivers/tty/tty_io.c:2573
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:509 [inline]
 do_vfs_ioctl+0x196/0x1150 fs/ioctl.c:696
 ksys_ioctl+0x62/0x90 fs/ioctl.c:713
 __do_sys_ioctl fs/ioctl.c:720 [inline]
 __se_sys_ioctl fs/ioctl.c:718 [inline]
 __x64_sys_ioctl+0x6e/0xb0 fs/ioctl.c:718
 do_syscall_64+0xca/0x5d0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45c479
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007eff29f35c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007eff29f366d4 RCX: 000000000045c479
RDX: 00000000200000c0 RSI: 0000000000005412 RDI: 0000000000000003
RBP: 000000000076bfc0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 0000000000000583 R14: 00000000004c7d91 R15: 000000000076bfcc

Allocated by task 128:
 save_stack+0x21/0x90 mm/kasan/common.c:69
 set_track mm/kasan/common.c:77 [inline]
 __kasan_kmalloc.constprop.13+0xc7/0xd0 mm/kasan/common.c:510
 kasan_slab_alloc+0x12/0x20 mm/kasan/common.c:518
 slab_post_alloc_hook mm/slab.h:584 [inline]
 slab_alloc_node mm/slab.c:3262 [inline]
 kmem_cache_alloc_node+0x138/0x760 mm/slab.c:3574
 __alloc_skb+0xa7/0x570 net/core/skbuff.c:197
 alloc_skb include/linux/skbuff.h:1049 [inline]
 bt_skb_alloc include/net/bluetooth/bluetooth.h:339 [inline]
 h5_rx_pkt_start+0xba/0x270 drivers/bluetooth/hci_h5.c:474
 h5_recv+0x28b/0x460 drivers/bluetooth/hci_h5.c:563
 hci_uart_tty_receive+0x1fc/0x560 drivers/bluetooth/hci_ldisc.c:613
 tty_ldisc_receive_buf+0xff/0x1b0 drivers/tty/tty_buffer.c:465
 tty_port_default_receive_buf+0x5f/0x90 drivers/tty/tty_port.c:38
 receive_buf drivers/tty/tty_buffer.c:481 [inline]
 flush_to_ldisc+0x1aa/0x3a0 drivers/tty/tty_buffer.c:533
 process_one_work+0x856/0x1630 kernel/workqueue.c:2269
 worker_thread+0x85/0xb60 kernel/workqueue.c:2415
 kthread+0x331/0x3f0 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Freed by task 128:
 save_stack+0x21/0x90 mm/kasan/common.c:69
 set_track mm/kasan/common.c:77 [inline]
 kasan_set_free_info mm/kasan/common.c:332 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:471
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:480
 __cache_free mm/slab.c:3425 [inline]
 kmem_cache_free+0x83/0x320 mm/slab.c:3693
 kfree_skbmem+0x88/0xf0 net/core/skbuff.c:623
 __kfree_skb net/core/skbuff.c:680 [inline]
 kfree_skb+0xbb/0x2b0 net/core/skbuff.c:697
 h5_reset_rx+0x3d/0x100 drivers/bluetooth/hci_h5.c:530
 h5_rx_3wire_hdr+0x287/0x350 drivers/bluetooth/hci_h5.c:440
 h5_recv+0x28b/0x460 drivers/bluetooth/hci_h5.c:563
 hci_uart_tty_receive+0x1fc/0x560 drivers/bluetooth/hci_ldisc.c:613
 tty_ldisc_receive_buf+0xff/0x1b0 drivers/tty/tty_buffer.c:465
 tty_port_default_receive_buf+0x5f/0x90 drivers/tty/tty_port.c:38
 receive_buf drivers/tty/tty_buffer.c:481 [inline]
 flush_to_ldisc+0x1aa/0x3a0 drivers/tty/tty_buffer.c:533
 process_one_work+0x856/0x1630 kernel/workqueue.c:2269
 worker_thread+0x85/0xb60 kernel/workqueue.c:2415
 kthread+0x331/0x3f0 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

The buggy address belongs to the object at ffff888090c57b40
 which belongs to the cache skbuff_head_cache of size 224
The buggy address is located 212 bytes inside of
 224-byte region [ffff888090c57b40, ffff888090c57c20)
The buggy address belongs to the page:
page:ffffea00024315c0 refcount:1 mapcount:0 mapping:ffff8880a99ff8c0 index:0xffff888090c57500
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea00028d0b08 ffffea0001dbd2c8 ffff8880a99ff8c0
raw: ffff888090c57500 ffff888090c57000 000000010000000b 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888090c57b00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
 ffff888090c57b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888090c57c00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
                         ^
 ffff888090c57c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888090c57d00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
==================================================================
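Two things in the log above deserve a reader's attention before the "first bad commit" line is taken at face value. The culprit it names touches only drivers/net/usb/r8152.c, while every crash at every step is in drivers/bluetooth/hci_h5.c, and at each step the crash reproduced in only one to five of ten runs; a bisection over a flaky reproducer converges on whatever commit happens to miss the race, so the result is noise rather than a cause. The KASAN report itself is the useful part: the skb was allocated by task 128 in h5_rx_pkt_start and freed by the same task in h5_reset_rx, both off the flush_to_ldisc workqueue, and then handed to kfree_skb a second time by task 31357, which reached the same h5_recv state machine through the TIOCSTI ioctl. Two entrants, one shared h5->rx_skb, and a reset path that reads the pointer before clearing it.

The C model below is an added illustration and is not code from hci_h5.c, from the kernel tty layer, or from the syzbot report. It reproduces that shape deterministically: a minimal H5-style receive state machine (delimiter, four-byte header, payload) with the H5 header checksum rule (the four header bytes sum to 0xff modulo 256), a single shared in-progress packet, and a reset path split into "read the pointer" and "free it and clear the field" so that two contexts can be stepped through it in a chosen order. The packet bookkeeping, the context stepping, the "1"/"2" schedule strings, the frame bytes and the lock knob are all constructed for the model; the lock only shows what serialising the two callers would change and is not the upstream fix, which this page does not show. SLIP escaping and the payload CRC are left out.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Tracked allocation standing in for an sk_buff. A freed object stays mapped so
 * a second free is reported as a count, the way KASAN reported the real one. */
struct pkt { bool freed; size_t len; };
static struct pkt *pkt_alloc(void) { return calloc(1, sizeof(struct pkt)); }
static bool pkt_free(struct pkt *p) { if (p->freed) return false; p->freed = true; return true; }

/* H5 three-wire header: byte 1 low nibble is the packet type, the 12-bit payload
 * length spans byte 1's high nibble and byte 2, and the four bytes sum to 0xff. */
#define H5_HDR_LEN(h) ((((h)[1] >> 4) & 0x0f) | ((h)[2] << 4))
static bool h5_hdr_checksum_ok(const uint8_t h[4])
{
	return ((h[0] + h[1] + h[2] + h[3]) & 0xff) == 0xff;
}

enum rx_state { RX_DELIM, RX_HDR, RX_PAYLOAD };
struct h5 {
	enum rx_state state;
	uint8_t hdr[4];
	size_t rx_pending;    /* bytes still expected in the current state */
	struct pkt *rx_skb;   /* the single shared in-progress packet */
	bool serialise;       /* model knob: rx state may only be touched under the lock */
	int lock_owner;       /* 0 = free, otherwise the id of the context holding it */
	int double_frees;     /* counted instead of crashing */
	int bad_checksums;
};

/* One context's progress through the reset path (pc 0: not entered, 1: pointer
 * read, 2: done). Splitting reset into two steps exposes the window in which a
 * second entrant reads the same pointer before the first clears it. */
struct ctx { int id; int pc; struct pkt *seen; };

static bool h5_reset_rx_step(struct h5 *h5, struct ctx *c)
{
	if (c->pc == 0) {
		if (h5->serialise) {
			if (h5->lock_owner && h5->lock_owner != c->id)
				return false;                 /* blocked until the owner releases */
			h5->lock_owner = c->id;
		}
		c->seen = h5->rx_skb;
		c->pc = 1;
	} else if (c->pc == 1) {
		if (c->seen && !pkt_free(c->seen))
			h5->double_frees++;
		h5->rx_skb = NULL;
		h5->state = RX_DELIM;
		h5->rx_pending = 0;
		if (h5->serialise) h5->lock_owner = 0;
		c->pc = 2;
	}
	return true;
}

static void h5_rx_complete(struct h5 *h5)   /* hand the packet off and clear the slot */
{
	free(h5->rx_skb); h5->rx_skb = NULL; h5->state = RX_DELIM;
}

/* Single-context byte feed, used only before any second context is started. */
static void h5_rx_byte(struct h5 *h5, uint8_t b)
{
	struct ctx self = { .id = 9 };
	switch (h5->state) {
	case RX_DELIM:
		if (b == 0xc0) { h5->state = RX_HDR; h5->rx_pending = 4; }
		break;
	case RX_HDR:
		h5->hdr[4 - h5->rx_pending] = b;
		if (--h5->rx_pending) break;
		if (!h5_hdr_checksum_ok(h5->hdr)) {     /* the "Invalid header checksum" path */
			h5->bad_checksums++;
			while (self.pc != 2) h5_reset_rx_step(h5, &self);
			break;
		}
		h5->rx_skb = pkt_alloc();
		h5->rx_pending = H5_HDR_LEN(h5->hdr);
		h5->state = RX_PAYLOAD;
		if (h5->rx_pending == 0) h5_rx_complete(h5);
		break;
	case RX_PAYLOAD:
		h5->rx_skb->len++;
		if (--h5->rx_pending == 0) h5_rx_complete(h5);
		break;
	}
}

/* Feed a constructed frame into a fresh machine: 1 if a packet is now in
 * progress (header accepted), 0 if the machine reset to the delimiter state. */
static int feed_frame(const uint8_t *frame, size_t n)
{
	struct h5 h5 = { .state = RX_DELIM };
	for (size_t i = 0; i < n; i++) h5_rx_byte(&h5, frame[i]);
	int in_progress = h5.rx_skb != NULL;
	free(h5.rx_skb);
	return in_progress;
}

/* The race: one packet in flight, then a "workqueue" context (1) and an "ioctl"
 * context (2) each take the reset path, stepped in the order sched gives
 * ("1212": both read rx_skb before either clears it). Returns double frees. */
static int run_scenario(const char *sched, bool serialise)
{
	struct h5 h5 = { .state = RX_DELIM, .serialise = serialise };
	/* Constructed frame: delimiter, then a valid header (type 2, 8 payload bytes);
	 * 0x00 + 0x82 + 0x00 + 0x7d == 0xff. */
	const uint8_t frame[] = { 0xc0, 0x00, 0x82, 0x00, 0x7d };
	for (size_t i = 0; i < sizeof frame; i++) h5_rx_byte(&h5, frame[i]);
	struct pkt *inflight = h5.rx_skb;
	if (!inflight) return -1;

	struct ctx c[3] = { { 0 }, { .id = 1 }, { .id = 2 } };
	for (; *sched; sched++)
		h5_reset_rx_step(&h5, &c[*sched == '2' ? 2 : 1]);
	for (int i = 0; i < 3; i++) {                 /* let a blocked context finish */
		h5_reset_rx_step(&h5, &c[1]);
		h5_reset_rx_step(&h5, &c[2]);
	}
	free(inflight);
	return h5.double_frees;
}

int main(void)
{
	printf("unserialised, interleaved 1212: %d double free(s)\n", run_scenario("1212", false));
	printf("unserialised, sequential  1122: %d double free(s)\n", run_scenario("1122", false));
	printf("serialised,   interleaved 1212: %d double free(s)\n", run_scenario("1212", true));
	return 0;
}
```

The point of the schedule strings is that the reset path is correct on its own: "1122" (each context runs reset to completion before the other enters) frees the packet once, because the second entrant reads a NULL rx_skb. Only the "1212" interleaving, where the second caller reads the pointer between the first caller's read and its clear, frees it twice, which is exactly what the allocated-by and freed-by stacks in the report describe. Checking for NULL inside the reset path cannot close that window; something has to keep the two entrants out of the state machine at the same time, and the serialised run shows the effect of that.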