bisecting fixing commit since ef244c3088856cf048c77231653b4c92a7b2213c
building syzkaller on 5ea87a6638e52a94361b26b8576a1605585815fb
testing commit ef244c3088856cf048c77231653b4c92a7b2213c with gcc (GCC) 8.1.0
kernel signature: 0c84918d8593addf6da6ef3715186e0182c19dfe
all runs: crashed: KASAN: use-after-free Read in rxrpc_send_keepalive
testing current HEAD 7d120bf21c05cbe30a679f0feeca884eeaceb069
testing commit 7d120bf21c05cbe30a679f0feeca884eeaceb069 with gcc (GCC) 8.1.0
kernel signature: 9f3b28dc9ff9b4482920cb9155e3c6c12534b775
all runs: OK
# git bisect start 7d120bf21c05cbe30a679f0feeca884eeaceb069 ef244c3088856cf048c77231653b4c92a7b2213c
Bisecting: 1037 revisions left to test after this (roughly 10 steps)
[ff36ace6c107a3abe90f08e1712650a207eb7327] tools: PCI: Fix broken pcitest compilation
testing commit ff36ace6c107a3abe90f08e1712650a207eb7327 with gcc (GCC) 8.1.0
kernel signature: e94b81181195806044f10e81feaa2dabe80eedf8
all runs: OK
# git bisect bad ff36ace6c107a3abe90f08e1712650a207eb7327
Bisecting: 518 revisions left to test after this (roughly 9 steps)
[23ad83c399b0ac62b6e8cd10352119f3b4116c0b] f2fs: avoid wrong decrypted data from disk
testing commit 23ad83c399b0ac62b6e8cd10352119f3b4116c0b with gcc (GCC) 8.1.0
kernel signature: 3dd6652aa51673bc720d23e652fe9e8258a0058b
all runs: OK
# git bisect bad 23ad83c399b0ac62b6e8cd10352119f3b4116c0b
Bisecting: 259 revisions left to test after this (roughly 8 steps)
[9a06efc745c37e62888142671e23624f136c3117] soundwire: depend on ACPI
testing commit 9a06efc745c37e62888142671e23624f136c3117 with gcc (GCC) 8.1.0
kernel signature: 2b3e36c378bdc2c42d2fa52782c8fb1540af946d
all runs: OK
# git bisect bad 9a06efc745c37e62888142671e23624f136c3117
Bisecting: 129 revisions left to test after this (roughly 7 steps)
[64efcbc7a5a3c7a14e42ccf7b8a7e7667d672a33] rtlwifi: Fix potential overflow on P2P code
testing commit 64efcbc7a5a3c7a14e42ccf7b8a7e7667d672a33 with gcc (GCC) 8.1.0
kernel signature: 7ec315219569f1ddcbcd50eaadb5c5350e10ee21
all runs: crashed: KASAN: use-after-free Read in rxrpc_send_keepalive
# git bisect good 64efcbc7a5a3c7a14e42ccf7b8a7e7667d672a33
Bisecting: 64 revisions left to test after this (roughly 6 steps)
[5536fc891221464bc2900d1d108eb87da14614ff] net: dsa: bcm_sf2: Fix IMP setup for port different than 8
testing commit 5536fc891221464bc2900d1d108eb87da14614ff with gcc (GCC) 8.1.0
kernel signature: 344f897a17ece19b95900a23fab0a4c36347e003
all runs: OK
# git bisect bad 5536fc891221464bc2900d1d108eb87da14614ff
Bisecting: 32 revisions left to test after this (roughly 5 steps)
[513474f59001d8d84b33b159d2b17ecc398ad356] ASoC: wm_adsp: Don't generate kcontrols without READ flags
testing commit 513474f59001d8d84b33b159d2b17ecc398ad356 with gcc (GCC) 8.1.0
kernel signature: d76c2acf8066799c3ff38a832ca8a684a024157b
all runs: OK
# git bisect bad 513474f59001d8d84b33b159d2b17ecc398ad356
Bisecting: 15 revisions left to test after this (roughly 4 steps)
[83131743069386182be6b2c5c44071df519144aa] ALSA: timer: Fix mutex deadlock at releasing card
testing commit 83131743069386182be6b2c5c44071df519144aa with gcc (GCC) 8.1.0
kernel signature: b5e5d728277134fad70235fffe711569f5cb8f3f
all runs: OK
# git bisect bad 83131743069386182be6b2c5c44071df519144aa
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[570ab0dd35f95a2260d509c4108debd224fdfdf5] rxrpc: Fix call ref leak
testing commit 570ab0dd35f95a2260d509c4108debd224fdfdf5 with gcc (GCC) 8.1.0
kernel signature: 27103f57871081b3e6c1e4b30175e89362248feb
all runs: OK
# git bisect bad 570ab0dd35f95a2260d509c4108debd224fdfdf5
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[74001646d47c900e2f817f684d92e4ce0f96e9eb] NFS: Fix an RCU lock leak in nfs4_refresh_delegation_stateid()
testing commit 74001646d47c900e2f817f684d92e4ce0f96e9eb with gcc (GCC) 8.1.0
kernel signature: 092c9481154fbf99f5ecac0e88b182bcb59c5f1d
all runs: crashed: KASAN: use-after-free Read in rxrpc_send_keepalive
# git bisect good 74001646d47c900e2f817f684d92e4ce0f96e9eb
Bisecting: 1 revision left to test after this (roughly 1 step)
[3f3f7409f028283c118bee4446e86bff70ee271c] llc: fix sk_buff leak in llc_sap_state_process()
testing commit 3f3f7409f028283c118bee4446e86bff70ee271c with gcc (GCC) 8.1.0
kernel signature: 1bc78a36f481f156375b447b13ba93e1e29fd15c
all runs: crashed: KASAN: use-after-free Read in rxrpc_send_keepalive
# git bisect good 3f3f7409f028283c118bee4446e86bff70ee271c
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[d634bd01b3a02c855a281e8635ae0a6ef71cc7da] llc: fix sk_buff leak in llc_conn_service()
testing commit d634bd01b3a02c855a281e8635ae0a6ef71cc7da with gcc (GCC) 8.1.0
kernel signature: 44583e3b871eab05ca62e795db65564e1c85ad38
all runs: crashed: KASAN: use-after-free Read in rxrpc_send_keepalive
# git bisect good d634bd01b3a02c855a281e8635ae0a6ef71cc7da
570ab0dd35f95a2260d509c4108debd224fdfdf5 is the first bad commit
commit 570ab0dd35f95a2260d509c4108debd224fdfdf5
Author: David Howells
Date:   Mon Oct 7 10:58:28 2019 +0100

    rxrpc: Fix call ref leak

    commit c48fc11b69e95007109206311b0187a3090591f3 upstream.

    When sendmsg() finds a call to continue on with, if the call is in an
    inappropriate state, it doesn't release the ref it just got on that call
    before returning an error.

    This causes the following symptom to show up with kasan:

        BUG: KASAN: use-after-free in rxrpc_send_keepalive+0x8a2/0x940
        net/rxrpc/output.c:635
        Read of size 8 at addr ffff888064219698 by task kworker/0:3/11077

    where line 635 is:

        whdr.epoch = htonl(peer->local->rxnet->epoch);

    The local endpoint (which cannot be pinned by the call) has been released,
    but not the peer (which is pinned by the call).

    Fix this by releasing the call in the error path.

    Fixes: 37411cad633f ("rxrpc: Fix potential NULL-pointer exception")
    Reported-by: syzbot+d850c266e3df14da1d31@syzkaller.appspotmail.com
    Signed-off-by: David Howells
    Signed-off-by: Greg Kroah-Hartman

 net/rxrpc/sendmsg.c | 1 +
 1 file changed, 1 insertion(+)

culprit signature: 27103f57871081b3e6c1e4b30175e89362248feb
parent signature: 44583e3b871eab05ca62e795db65564e1c85ad38
revisions tested: 13, total time: 3h32m5.249550574s (build: 1h48m13.09236716s, test: 1h42m33.216317443s)
first good commit: 570ab0dd35f95a2260d509c4108debd224fdfdf5 rxrpc: Fix call ref leak
cc: ["davem@davemloft.net" "dhowells@redhat.com" "gregkh@linuxfoundation.org" "linux-afs@lists.infradead.org" "linux-kernel@vger.kernel.org" "netdev@vger.kernel.org"]
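The commit message above explains why a leaked reference on the call turns into a use-after-free in the keepalive worker rather than into a plain memory leak: the call pins the peer but not the local endpoint, so when the socket goes away the local is released while the leaked call keeps the peer (and its keepalive work) alive. The following C model, added here by the editor and not taken from rxrpc or from the patch, walks that sequence with and without the one-line fix. The struct layout, the refcounting rules (peer holds a plain pointer to local and does not pin it), the state names and the socket-close order are modelling assumptions chosen to match the description; nothing is really freed, a freed flag stands in for the KASAN quarantine that caught the bad read.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/*
 * Model of the object graph described in the commit message.  Names and
 * refcounting rules are modelling assumptions, not rxrpc's real code.
 * Nothing is actually freed: the 'freed' flag stands in for the quarantine
 * KASAN uses to detect a read of released memory.
 */
struct rx_local { int refs; bool freed; int epoch; };
struct rx_peer  { int refs; bool freed; struct rx_local *local; };  /* plain pointer: does not pin local (assumption) */
struct rx_call  { int refs; bool freed; struct rx_peer *peer; int state; };

enum call_state { CALL_CLIENT_SEND_REQUEST = 1, CALL_COMPLETE = 2 };  /* hypothetical states */

enum keepalive_result { KEEPALIVE_NO_PEER = 0, KEEPALIVE_SENT = 1, KEEPALIVE_UAF = 2 };

static void local_put(struct rx_local *l) { if (--l->refs == 0) l->freed = true; }
static void peer_put(struct rx_peer *p)   { if (--p->refs == 0) p->freed = true; }
static void call_put(struct rx_call *c)
{
	if (--c->refs == 0) {
		c->freed = true;
		peer_put(c->peer);   /* the call pins the peer, so the last call ref releases it */
	}
}

/*
 * The real keepalive worker reads peer->local->rxnet->epoch at
 * net/rxrpc/output.c:635; the model only checks whether local is still alive.
 */
static enum keepalive_result send_keepalive(struct rx_peer *peer)
{
	if (peer->freed)
		return KEEPALIVE_NO_PEER;        /* peer gone: no work item left to run */
	if (peer->local->freed)
		return KEEPALIVE_UAF;            /* the read KASAN reported */
	printf("keepalive epoch %d\n", peer->local->epoch);
	return KEEPALIVE_SENT;
}

/*
 * Model of sendmsg() continuing an existing call.  The lookup takes a ref;
 * 'fixed' selects whether the bad-state error path drops it again, which is
 * what the one-line change in 570ab0dd35f9 does.
 */
static int sendmsg_continue(struct rx_call *call, bool fixed)
{
	call->refs++;
	if (call->state != CALL_CLIENT_SEND_REQUEST) {
		if (fixed)
			call_put(call);          /* the fix: release the call on the error path */
		return -EBUSY;
	}
	/* ... queue the data ... */
	call_put(call);
	return 0;
}

/*
 * One user-visible sequence: sendmsg() on a call in 'state', close the socket
 * (dropping its refs on the call and the local endpoint), then let the peer's
 * keepalive work item run.  Returns what the keepalive worker saw.
 */
enum keepalive_result run_scenario(bool fixed, enum call_state state)
{
	struct rx_local local = { .refs = 1, .epoch = 42 };
	struct rx_peer  peer  = { .refs = 1, .local = &local };
	struct rx_call  call  = { .refs = 1, .peer = &peer, .state = state };

	(void)sendmsg_continue(&call, fixed);   /* -EBUSY when the call is already complete */
	call_put(&call);                        /* socket close drops its ref on the call */
	local_put(&local);                      /* ... and on the local endpoint */
	return send_keepalive(&peer);           /* the peer's keepalive timer fires later */
}

int main(void)
{
	printf("leaky, complete call: %d (2 = use-after-free)\n", run_scenario(false, CALL_COMPLETE));
	printf("fixed, complete call: %d (0 = peer released)\n", run_scenario(true, CALL_COMPLETE));
	printf("leaky, sending call:  %d (0 = peer released)\n", run_scenario(false, CALL_CLIENT_SEND_REQUEST));
	return 0;
}
```

The third scenario shows that the leak only exists on the error path: a call in the expected state has its ref dropped at the end of sendmsg_continue(), so the socket close frees the call, the peer and the local together and no keepalive runs. The same structure is a useful checklist when reviewing any lookup-then-check function in kernel code: every early return after a successful get must be paired with a put, and the object that the leaked reference keeps alive may hold unpinned pointers to objects that do get freed.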