bisecting fixing commit since addba38e7c3bc19036a05c83bcce7878dc644d87
building syzkaller on 3fd2ea69e05557e7e0fef9b68263b4150670671c
testing commit addba38e7c3bc19036a05c83bcce7878dc644d87
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 1c8e99176b6b695e4314792309f3fb23648cc3f8126009deb672d357d27f43cb
run #0: crashed: KASAN: use-after-free Write in skcipher_null_crypt
run #1: crashed: KASAN: slab-out-of-bounds Write in skcipher_null_crypt
run #2: crashed: KASAN: slab-out-of-bounds Write in skcipher_null_crypt
run #3: crashed: KASAN: slab-out-of-bounds Write in skcipher_null_crypt
run #4: crashed: KASAN: slab-out-of-bounds Write in skcipher_null_crypt
run #5: crashed: KASAN: stack-out-of-bounds Write in skcipher_null_crypt
run #6: crashed: KASAN: slab-out-of-bounds Write in skcipher_null_crypt
run #7: crashed: KASAN: slab-out-of-bounds Write in skcipher_null_crypt
run #8: crashed: KASAN: slab-out-of-bounds Write in skcipher_null_crypt
run #9: crashed: KASAN: slab-out-of-bounds Write in skcipher_null_crypt
run #10: crashed: KASAN: slab-out-of-bounds Write in skcipher_null_crypt
run #11: crashed: KASAN: slab-out-of-bounds Write in skcipher_null_crypt
run #12: crashed: KASAN: slab-out-of-bounds Write in skcipher_null_crypt
run #13: crashed: KASAN: slab-out-of-bounds Write in skcipher_null_crypt
run #14: crashed: KASAN: slab-out-of-bounds Write in skcipher_null_crypt
run #15: crashed: KASAN: slab-out-of-bounds Write in skcipher_null_crypt
run #16: crashed: KASAN: slab-out-of-bounds Write in skcipher_null_crypt
run #17: crashed: KASAN: slab-out-of-bounds Write in skcipher_null_crypt
run #18: crashed: KASAN: slab-out-of-bounds Write in skcipher_null_crypt
run #19: crashed: KASAN: slab-out-of-bounds Write in skcipher_null_crypt
testing current HEAD b172b44fcb1771e083aad806fa96f3f60e2ddfac
testing commit b172b44fcb1771e083aad806fa96f3f60e2ddfac
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: f58bb95fd119b5d4cd86e097850e587254b249863fe485d38ff114406675abe3
run #0: crashed: KASAN: slab-out-of-bounds Write in skcipher_null_crypt
run #1: crashed: KASAN: slab-out-of-bounds Write in skcipher_null_crypt
run #2: crashed: KASAN: slab-out-of-bounds Write in skcipher_null_crypt
run #3: crashed: KASAN: slab-out-of-bounds Write in skcipher_null_crypt
run #4: crashed: KASAN: use-after-free Write in skcipher_null_crypt
run #5: crashed: KASAN: slab-out-of-bounds Write in skcipher_null_crypt
run #6: crashed: KASAN: slab-out-of-bounds Write in skcipher_null_crypt
run #7: crashed: KASAN: slab-out-of-bounds Write in skcipher_null_crypt
run #8: crashed: KASAN: slab-out-of-bounds Write in skcipher_null_crypt
run #9: crashed: KASAN: slab-out-of-bounds Write in skcipher_null_crypt
revisions tested: 2, total time: 24m20.176925838s (build: 17m6.834602846s, test: 6m39.019858715s)
the crash still happens on HEAD
commit msg: Linux 4.19.206
crash: KASAN: slab-out-of-bounds Write in skcipher_null_crypt

IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:377 [inline]
BUG: KASAN: slab-out-of-bounds in skcipher_null_crypt+0x97/0xf0 crypto/crypto_null.c:89
Write of size 4096 at addr ffff88809fd08000 by task syz-executor.0/9903

CPU: 1 PID: 9903 Comm: syz-executor.0 Not tainted 4.19.206-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x17c/0x226 lib/dump_stack.c:118
 print_address_description.cold.6+0x9/0x211 mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report mm/kasan/report.c:412 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:396
 check_memory_region_inline mm/kasan/kasan.c:260 [inline]
 check_memory_region+0x13c/0x1b0 mm/kasan/kasan.c:267
 memcpy+0x37/0x50 mm/kasan/kasan.c:303
 memcpy include/linux/string.h:377 [inline]
 skcipher_null_crypt+0x97/0xf0 crypto/crypto_null.c:89
wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
 skcipher_crypt_blkcipher crypto/skcipher.c:639 [inline]
 skcipher_encrypt_blkcipher+0x1bc/0x280 crypto/skcipher.c:648
wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
 crypto_skcipher_encrypt include/crypto/skcipher.h:445 [inline]
 crypto_authenc_encrypt+0x6db/0xb90 crypto/authenc.c:237
 crypto_aead_encrypt include/crypto/aead.h:337 [inline]
 esp6_output_tail+0x7b7/0x19d0 net/ipv6/esp6.c:406
 esp6_output+0x458/0xde0 net/ipv6/esp6.c:476
 xfrm_output_one net/xfrm/xfrm_output.c:115 [inline]
 xfrm_output_resume+0x5fe/0x2060 net/xfrm/xfrm_output.c:150
 xfrm_output2 net/xfrm/xfrm_output.c:177 [inline]
 xfrm_output+0x203/0x860 net/xfrm/xfrm_output.c:262
 xfrm6_output_finish+0x57/0x70 net/ipv6/xfrm6_output.c:135
IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
 __xfrm6_output+0x13a/0xe00 net/ipv6/xfrm6_output.c:184
 NF_HOOK_COND include/linux/netfilter.h:278 [inline]
 xfrm6_output+0xe7/0x400 net/ipv6/xfrm6_output.c:189
 dst_output include/net/dst.h:455 [inline]
 ip6_local_out+0x74/0x110 net/ipv6/output_core.c:160
 ip6_send_skb+0x92/0x2a0 net/ipv6/ip6_output.c:1741
IPv6: ADDRCONF(NETDEV_UP): wlan1: link is not ready
 ip6_push_pending_frames+0x94/0xb0 net/ipv6/ip6_output.c:1761
wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
 rawv6_push_pending_frames net/ipv6/raw.c:618 [inline]
 rawv6_sendmsg+0x23cb/0x32f0 net/ipv6/raw.c:959
wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
 inet_sendmsg+0x108/0x440 net/ipv4/af_inet.c:798
 sock_sendmsg_nosec net/socket.c:651 [inline]
 sock_sendmsg+0xac/0xf0 net/socket.c:661
 ___sys_sendmsg+0x647/0x950 net/socket.c:2227
IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
 __sys_sendmsg+0xd9/0x180 net/socket.c:2265
wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
 __do_sys_sendmsg net/socket.c:2274 [inline]
 __se_sys_sendmsg net/socket.c:2272 [inline]
 __x64_sys_sendmsg+0x73/0xb0 net/socket.c:2272
 do_syscall_64+0xd0/0x4e0 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4665e9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
RSP: 002b:00007f474196b188 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 00000000004665e9
RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000004
RBP: 00000000004bfcc4 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf80
R13: 00007ffda4d2420f R14: 00007f474196b300 R15: 0000000000022000

Allocated by task 1:
 save_stack mm/kasan/kasan.c:448 [inline]
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc.part.1+0x62/0xf0 mm/kasan/kasan.c:553
 kasan_kmalloc+0xaf/0xc0 mm/kasan/kasan.c:538
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:490
 kmem_cache_alloc+0x12e/0x390 mm/slab.c:3559
ieee80211 phy13: Selected rate control algorithm 'minstrel_ht'
 kmem_cache_zalloc include/linux/slab.h:699 [inline]
 __alloc_file+0x2b/0x2f0 fs/file_table.c:100
IPv6: ADDRCONF(NETDEV_UP): wlan1: link is not ready
 alloc_empty_file+0x45/0x110 fs/file_table.c:150
 path_openat+0x107/0x2900 fs/namei.c:3526
 do_filp_open+0x177/0x250 fs/namei.c:3567
 do_sys_open+0x1dc/0x350 fs/open.c:1085
 __do_sys_open fs/open.c:1103 [inline]
 __se_sys_open fs/open.c:1098 [inline]
 __x64_sys_open+0x79/0xb0 fs/open.c:1098
wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
 do_syscall_64+0xd0/0x4e0 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 1:
 save_stack mm/kasan/kasan.c:448 [inline]
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x13c/0x220 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
 __cache_free mm/slab.c:3503 [inline]
 kmem_cache_free+0x83/0x290 mm/slab.c:3765
 file_free_rcu+0x5d/0x90 fs/file_table.c:49
 __rcu_reclaim kernel/rcu/rcu.h:236 [inline]
 rcu_do_batch kernel/rcu/tree.c:2584 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:2897 [inline]
 __rcu_process_callbacks kernel/rcu/tree.c:2864 [inline]
 rcu_process_callbacks+0x93a/0x19b0 kernel/rcu/tree.c:2881
 __do_softirq+0x25f/0x919 kernel/softirq.c:292

The buggy address belongs to the object at ffff88809fd080c0
 which belongs to the cache filp of size 456
The buggy address is located 192 bytes to the left of
 456-byte region [ffff88809fd080c0, ffff88809fd08288)
The buggy address belongs to the page:
IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
page:ffffea00027f4200 count:1 mapcount:0 mapping:ffff88813be7fcc0 index:0x0
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffffea0002a674c8 ffffea00027f4808 ffff88813be7fcc0
raw: 0000000000000000 ffff88809fd080c0 0000000100000006 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88809fd07f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88809fd07f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ieee80211 phy14: Selected rate control algorithm 'minstrel_ht'
>ffff88809fd08000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                   ^
 ffff88809fd08080: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
 ffff88809fd08100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================