bisecting fixing commit since 3906fe9bb7f1a2c8667ae54e967dc8690824f4ea
building syzkaller on d50eb50a564f0774e935b4f77390e3f591b4206d
testing commit 3906fe9bb7f1a2c8667ae54e967dc8690824f4ea
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 3c126e95d98a144722e0903d2d8562b5c86c5eb974584dc32f703f2e11be3fea
run #0: crashed: KASAN: use-after-free Read in dump_schedule
run #1: crashed: KASAN: use-after-free Read in dump_schedule
run #2: crashed: KASAN: use-after-free Read in dump_schedule
run #3: crashed: KASAN: use-after-free Read in dump_schedule
run #4: crashed: KASAN: use-after-free Read in dump_schedule
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
run #10: OK
run #11: OK
run #12: OK
run #13: OK
run #14: OK
run #15: crashed: KASAN: use-after-free Read in dump_schedule
run #16: OK
run #17: OK
run #18: OK
run #19: OK
reproducer seems to be flaky
testing current HEAD 0840a7914caa14315a3191178a9f72c742477860
testing commit 0840a7914caa14315a3191178a9f72c742477860
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: b9ba460ba3b641bde699ada26ae751bb4e343e2250b364c63af2f2674ee04987
run #0: crashed: KASAN: use-after-free Read in dump_schedule
run #1: crashed: KASAN: use-after-free Read in dump_schedule
run #2: crashed: KASAN: use-after-free Read in dump_schedule
run #3: crashed: KASAN: use-after-free Read in dump_schedule
run #4: crashed: KASAN: use-after-free Read in dump_schedule
run #5: crashed: KASAN: use-after-free Read in dump_schedule
run #6: OK
run #7: OK
run #8: OK
run #9: OK
run #10: OK
run #11: OK
run #12: OK
run #13: OK
run #14: OK
run #15: OK
run #16: OK
run #17: OK
run #18: OK
run #19: OK
Reproducer flagged being flaky
revisions tested: 2, total time: 37m15.49561409s (build: 13m11.052778896s, test: 23m10.220517566s)
the crash still happens on HEAD
commit msg: Merge tag 'char-misc-5.19-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc
crash: KASAN: use-after-free Read in dump_schedule
==================================================================
BUG: KASAN: use-after-free in dump_schedule+0x6cd/0x730 net/sched/sch_taprio.c:1849
Read of size 8 at addr ffff88801d5326c0 by task syz-executor514/32472

CPU: 0 PID: 32472 Comm: syz-executor514 Not tainted 5.19.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x57/0x7d lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0xeb/0x495 mm/kasan/report.c:313
 print_report mm/kasan/report.c:429 [inline]
 kasan_report.cold+0xf4/0x1c6 mm/kasan/report.c:491
 dump_schedule+0x6cd/0x730 net/sched/sch_taprio.c:1849
 taprio_dump+0x43a/0xba0 net/sched/sch_taprio.c:1918
 tc_fill_qdisc+0x57c/0xf90 net/sched/sch_api.c:924
 qdisc_notify.isra.0+0x22e/0x2a0 net/sched/sch_api.c:990
 tc_modify_qdisc+0xc4d/0x1680 net/sched/sch_api.c:1633
 rtnetlink_rcv_msg+0x32d/0x9a0 net/core/rtnetlink.c:6089
 netlink_rcv_skb+0x118/0x370 net/netlink/af_netlink.c:2501
 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
 netlink_unicast+0x433/0x710 net/netlink/af_netlink.c:1345
 netlink_sendmsg+0x782/0xc30 net/netlink/af_netlink.c:1921
 sock_sendmsg_nosec net/socket.c:714 [inline]
 sock_sendmsg+0xab/0xe0 net/socket.c:734
 sock_no_sendpage+0xf3/0x130 net/core/sock.c:3161
 kernel_sendpage.part.0+0x151/0x550 net/socket.c:3571
 kernel_sendpage net/socket.c:3568 [inline]
 sock_sendpage+0xbd/0x190 net/socket.c:1054
 pipe_to_sendpage+0x245/0x410 fs/splice.c:364
 splice_from_pipe_feed fs/splice.c:418 [inline]
 __splice_from_pipe+0x362/0x810 fs/splice.c:562
 splice_from_pipe fs/splice.c:597 [inline]
 generic_splice_sendpage+0xba/0x120 fs/splice.c:746
 do_splice_from fs/splice.c:767 [inline]
 do_splice+0x9c8/0x1b00 fs/splice.c:1079
 __do_splice+0xf4/0x1b0 fs/splice.c:1144
 __do_sys_splice fs/splice.c:1350 [inline]
 __se_sys_splice fs/splice.c:1332 [inline]
 __x64_sys_splice+0x14a/0x200 fs/splice.c:1332
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0x80 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7f491845bc99
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 31 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f49185ffc88 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f491845bc99
RDX: 0000000000000004 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000010976 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f49185ffcc8
R13: 00007f49185ffce0 R14: 00007f49185ffd20 R15: 000000000000209a
 </TASK>

Allocated by task 32468:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:436 [inline]
 ____kasan_kmalloc mm/kasan/common.c:515 [inline]
 ____kasan_kmalloc mm/kasan/common.c:474 [inline]
 __kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:524
 kmalloc include/linux/slab.h:600 [inline]
 kzalloc include/linux/slab.h:733 [inline]
 taprio_change+0x51b/0x3a80 net/sched/sch_taprio.c:1485
 qdisc_change net/sched/sch_api.c:1329 [inline]
 tc_modify_qdisc+0xafd/0x1680 net/sched/sch_api.c:1631
 rtnetlink_rcv_msg+0x32d/0x9a0 net/core/rtnetlink.c:6089
 netlink_rcv_skb+0x118/0x370 net/netlink/af_netlink.c:2501
 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
 netlink_unicast+0x433/0x710 net/netlink/af_netlink.c:1345
 netlink_sendmsg+0x782/0xc30 net/netlink/af_netlink.c:1921
 sock_sendmsg_nosec net/socket.c:714 [inline]
 sock_sendmsg+0xab/0xe0 net/socket.c:734
 sock_no_sendpage+0xf3/0x130 net/core/sock.c:3161
 kernel_sendpage.part.0+0x151/0x550 net/socket.c:3571
 kernel_sendpage net/socket.c:3568 [inline]
 sock_sendpage+0xbd/0x190 net/socket.c:1054
 pipe_to_sendpage+0x245/0x410 fs/splice.c:364
 splice_from_pipe_feed fs/splice.c:418 [inline]
 __splice_from_pipe+0x362/0x810 fs/splice.c:562
 splice_from_pipe fs/splice.c:597 [inline]
 generic_splice_sendpage+0xba/0x120 fs/splice.c:746
 do_splice_from fs/splice.c:767 [inline]
 do_splice+0x9c8/0x1b00 fs/splice.c:1079
 __do_splice+0xf4/0x1b0 fs/splice.c:1144
 __do_sys_splice fs/splice.c:1350 [inline]
 __se_sys_splice fs/splice.c:1332 [inline]
 __x64_sys_splice+0x14a/0x200 fs/splice.c:1332
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0x80 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0

Freed by task 21:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track+0x21/0x30 mm/kasan/common.c:45
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
 ____kasan_slab_free mm/kasan/common.c:366 [inline]
 ____kasan_slab_free+0x166/0x1a0 mm/kasan/common.c:328
 kasan_slab_free include/linux/kasan.h:200 [inline]
 slab_free_hook mm/slub.c:1754 [inline]
 slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1780
 slab_free mm/slub.c:3536 [inline]
 kfree+0xd6/0x4d0 mm/slub.c:4584
 rcu_do_batch kernel/rcu/tree.c:2578 [inline]
 rcu_core+0x7b1/0x1880 kernel/rcu/tree.c:2838
 __do_softirq+0x29b/0x9c2 kernel/softirq.c:571

Last potentially related work creation:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 __kasan_record_aux_stack+0xbe/0xd0 mm/kasan/generic.c:348
 call_rcu+0x99/0x790 kernel/rcu/tree.c:3126
 taprio_change+0x259a/0x3a80 net/sched/sch_taprio.c:1605
 qdisc_change net/sched/sch_api.c:1329 [inline]
 tc_modify_qdisc+0xafd/0x1680 net/sched/sch_api.c:1631
 rtnetlink_rcv_msg+0x32d/0x9a0 net/core/rtnetlink.c:6089
 netlink_rcv_skb+0x118/0x370 net/netlink/af_netlink.c:2501
 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
 netlink_unicast+0x433/0x710 net/netlink/af_netlink.c:1345
 netlink_sendmsg+0x782/0xc30 net/netlink/af_netlink.c:1921
 sock_sendmsg_nosec net/socket.c:714 [inline]
 sock_sendmsg+0xab/0xe0 net/socket.c:734
 sock_no_sendpage+0xf3/0x130 net/core/sock.c:3161
 kernel_sendpage.part.0+0x151/0x550 net/socket.c:3571
 kernel_sendpage net/socket.c:3568 [inline]
 sock_sendpage+0xbd/0x190 net/socket.c:1054
 pipe_to_sendpage+0x245/0x410 fs/splice.c:364
 splice_from_pipe_feed fs/splice.c:418 [inline]
 __splice_from_pipe+0x362/0x810 fs/splice.c:562
 splice_from_pipe fs/splice.c:597 [inline]
 generic_splice_sendpage+0xba/0x120 fs/splice.c:746
 do_splice_from fs/splice.c:767 [inline]
 do_splice+0x9c8/0x1b00 fs/splice.c:1079
 __do_splice+0xf4/0x1b0 fs/splice.c:1144
 __do_sys_splice fs/splice.c:1350 [inline]
 __se_sys_splice fs/splice.c:1332 [inline]
 __x64_sys_splice+0x14a/0x200 fs/splice.c:1332
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0x80 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0

Second to last potentially related work creation:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 __kasan_record_aux_stack+0xbe/0xd0 mm/kasan/generic.c:348
 kvfree_call_rcu+0x74/0x990 kernel/rcu/tree.c:3647
 cfg80211_update_known_bss+0x785/0xa90 net/wireless/scan.c:1668
 cfg80211_bss_update+0xd9/0x1e50 net/wireless/scan.c:1715
 cfg80211_inform_single_bss_frame_data+0x629/0xce0 net/wireless/scan.c:2473
 cfg80211_inform_bss_frame_data+0x94/0xaa0 net/wireless/scan.c:2506
 ieee80211_bss_info_update+0x267/0x880 net/mac80211/scan.c:190
 ieee80211_rx_bss_info net/mac80211/ibss.c:1119 [inline]
 ieee80211_rx_mgmt_probe_beacon net/mac80211/ibss.c:1610 [inline]
 ieee80211_ibss_rx_queued_mgmt+0x1306/0x3230 net/mac80211/ibss.c:1639
 ieee80211_iface_process_skb net/mac80211/iface.c:1527 [inline]
 ieee80211_iface_work+0x746/0x990 net/mac80211/iface.c:1581
 process_one_work+0x865/0x13d0 kernel/workqueue.c:2289
 worker_thread+0x598/0xec0 kernel/workqueue.c:2436
 kthread+0x299/0x340 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302

The buggy address belongs to the object at ffff88801d532680
 which belongs to the cache kmalloc-96 of size 96
The buggy address is located 64 bytes inside of
 96-byte region [ffff88801d532680, ffff88801d5326e0)

The buggy address belongs to the physical page:
page:ffffea0000754c80 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1d532
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffffea0001d161c0 dead000000000002 ffff888010041780
raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY), pid 3019, tgid 3019 (udevd), ts 13603922757, free_ts 13603775559
 prep_new_page mm/page_alloc.c:2456 [inline]
 get_page_from_freelist+0x19d3/0x3b30 mm/page_alloc.c:4198
 __alloc_pages+0x1c7/0x510 mm/page_alloc.c:5426
 alloc_slab_page mm/slub.c:1824 [inline]
 allocate_slab+0x26c/0x3c0 mm/slub.c:1969
 new_slab mm/slub.c:2029 [inline]
 ___slab_alloc+0x9bc/0xe10 mm/slub.c:3031
 __slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3118
 slab_alloc_node mm/slub.c:3209 [inline]
 slab_alloc mm/slub.c:3251 [inline]
 __kmalloc+0x318/0x350 mm/slub.c:4442
 kmalloc include/linux/slab.h:605 [inline]
 kzalloc include/linux/slab.h:733 [inline]
 tomoyo_encode2.part.0+0x92/0x310 security/tomoyo/realpath.c:45
 tomoyo_realpath_from_path+0x140/0x6a0 security/tomoyo/realpath.c:288
 tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
 tomoyo_path_perm+0x1fb/0x350 security/tomoyo/file.c:822
 security_inode_getattr+0xab/0x100 security/security.c:1344
 vfs_getattr fs/stat.c:157 [inline]
 vfs_statx+0xf4/0x2e0 fs/stat.c:232
 vfs_fstatat+0x4f/0x70 fs/stat.c:255
 __do_sys_newfstatat+0x72/0xd0 fs/stat.c:425
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0x80 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1371 [inline]
 free_pcp_prepare+0x549/0xd20 mm/page_alloc.c:1421
 free_unref_page_prepare mm/page_alloc.c:3343 [inline]
 free_unref_page+0x19/0x6a0 mm/page_alloc.c:3438
 qlink_free mm/kasan/quarantine.c:168 [inline]
 qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:187
 kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:294
 __kasan_slab_alloc+0xa2/0xc0 mm/kasan/common.c:446
 kasan_slab_alloc include/linux/kasan.h:224 [inline]
 slab_post_alloc_hook mm/slab.h:750 [inline]
 slab_alloc_node mm/slub.c:3243 [inline]
 slab_alloc mm/slub.c:3251 [inline]
 __kmem_cache_alloc_lru mm/slub.c:3258 [inline]
 kmem_cache_alloc+0x204/0x3b0 mm/slub.c:3268
 getname_flags.part.0+0x4a/0x440 fs/namei.c:139
 vfs_fstatat+0x35/0x70 fs/stat.c:254
 __do_sys_newfstatat+0x72/0xd0 fs/stat.c:425
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0x80 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0

Memory state around the buggy address:
 ffff88801d532580: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
 ffff88801d532600: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
>ffff88801d532680: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
                                           ^
 ffff88801d532700: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
 ffff88801d532780: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
==================================================================