bisecting cause commit starting from 249155c20f9b0754bc1b932a33344cfb4e0c2101
building syzkaller on 7509bf360eba1461ac6059e4cacfbc29c9d2d4c7
testing commit 249155c20f9b0754bc1b932a33344cfb4e0c2101 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Write in xfrm_hash_rebuild
testing release v5.1
testing commit e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Write in xfrm_hash_rebuild
testing release v5.0
testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Write in xfrm_hash_rebuild
testing release v4.20
testing commit 8fe28cb58bcb235034b64cbbb7550a8a43fd88be with gcc (GCC) 8.1.0
all runs: OK
# git bisect start v5.0 v4.20
Bisecting: 7011 revisions left to test after this (roughly 13 steps)
[af7ddd8a627c62a835524b3f5b471edbbbcce025] Merge tag 'dma-mapping-4.21' of git://git.infradead.org/users/hch/dma-mapping
testing commit af7ddd8a627c62a835524b3f5b471edbbbcce025 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good af7ddd8a627c62a835524b3f5b471edbbbcce025
Bisecting: 3532 revisions left to test after this (roughly 12 steps)
[c9bef4a651769927445900564781a9c99fdf6258] Merge tag 'pinctrl-v4.21-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl
testing commit c9bef4a651769927445900564781a9c99fdf6258 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good c9bef4a651769927445900564781a9c99fdf6258
Bisecting: 1768 revisions left to test after this (roughly 11 steps)
[4d5f6e0201bc568c0758ed3f77a06648ec9fd482] Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi
testing commit 4d5f6e0201bc568c0758ed3f77a06648ec9fd482 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 4d5f6e0201bc568c0758ed3f77a06648ec9fd482
Bisecting: 879 revisions left to test after this (roughly 10 steps)
[680905431b9de8c7224b15b76b1826a1481cfeaf] Merge tag 'char-misc-5.0-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc
testing commit 680905431b9de8c7224b15b76b1826a1481cfeaf with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Write in xfrm_hash_rebuild
# git bisect bad 680905431b9de8c7224b15b76b1826a1481cfeaf
Bisecting: 435 revisions left to test after this (roughly 9 steps)
[037222ad3f43a45c3a601dabf893efc9264ff5a0] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
testing commit 037222ad3f43a45c3a601dabf893efc9264ff5a0 with gcc (GCC) 8.1.0
all runs: boot failed: WARNING: workqueue cpumask: online intersect > possible intersect
# git bisect skip 037222ad3f43a45c3a601dabf893efc9264ff5a0
Bisecting: 435 revisions left to test after this (roughly 9 steps)
[1fde6f21d90f8ba5da3cb9c54ca991ed72696c43] proc: fix /proc/net/* after setns(2)
testing commit 1fde6f21d90f8ba5da3cb9c54ca991ed72696c43 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Write in xfrm_hash_rebuild
# git bisect bad 1fde6f21d90f8ba5da3cb9c54ca991ed72696c43
Bisecting: 327 revisions left to test after this (roughly 8 steps)
[96f18cb89ffa4bc6dafa447c9493449809fbb318] Merge tag 'staging-5.0-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging
testing commit 96f18cb89ffa4bc6dafa447c9493449809fbb318 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 96f18cb89ffa4bc6dafa447c9493449809fbb318
Bisecting: 163 revisions left to test after this (roughly 7 steps)
[63346650c1a94a92be61a57416ac88c0a47c4327] netrom: switch to sock timer API
testing commit 63346650c1a94a92be61a57416ac88c0a47c4327 with gcc (GCC) 8.1.0
all runs: boot failed: WARNING: workqueue cpumask: online intersect > possible intersect
# git bisect skip 63346650c1a94a92be61a57416ac88c0a47c4327
Bisecting: 163 revisions left to test after this (roughly 7 steps)
[94a980c39c8e3f8abaff5d3b5bbcd4ccf1c02c4f] kvm: selftests: Fix region overlap check in kvm_util
testing commit 94a980c39c8e3f8abaff5d3b5bbcd4ccf1c02c4f with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 94a980c39c8e3f8abaff5d3b5bbcd4ccf1c02c4f
Bisecting: 156 revisions left to test after this (roughly 7 steps)
[9881051828375a872964f91bf985b8a35e4fbaef] Merge branch 'locking-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
testing commit 9881051828375a872964f91bf985b8a35e4fbaef with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 9881051828375a872964f91bf985b8a35e4fbaef
Bisecting: 74 revisions left to test after this (roughly 6 steps)
[877ef51d53abfdadabc64809d045d9c27c1cf757] Merge tag 'gpio-v5.0-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio
testing commit 877ef51d53abfdadabc64809d045d9c27c1cf757 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Write in xfrm_hash_rebuild
# git bisect bad 877ef51d53abfdadabc64809d045d9c27c1cf757
Bisecting: 40 revisions left to test after this (roughly 5 steps)
[327852ec64205bb651be391a069784872098a3b2] qed: Fix VF probe failure while FLR
testing commit 327852ec64205bb651be391a069784872098a3b2 with gcc (GCC) 8.1.0
all runs: boot failed: WARNING: workqueue cpumask: online intersect > possible intersect
# git bisect skip 327852ec64205bb651be391a069784872098a3b2
Bisecting: 40 revisions left to test after this (roughly 5 steps)
[9e71a15d8b5bbce25c637f7f8833cd3f45b65646] qed: Fix bug in tx promiscuous mode settings
testing commit 9e71a15d8b5bbce25c637f7f8833cd3f45b65646 with gcc (GCC) 8.1.0
all runs: boot failed: WARNING: workqueue cpumask: online intersect > possible intersect
# git bisect skip 9e71a15d8b5bbce25c637f7f8833cd3f45b65646
Bisecting: 40 revisions left to test after this (roughly 5 steps)
[625210cfa6c0c26ea422f655bf68288176f174e6] x86/Kconfig: Select PCI_LOCKLESS_CONFIG if PCI is enabled
testing commit 625210cfa6c0c26ea422f655bf68288176f174e6 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 625210cfa6c0c26ea422f655bf68288176f174e6
Bisecting: 36 revisions left to test after this (roughly 5 steps)
[ff44a8373c882221c1ff30b87c42fba4f6938119] Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf
testing commit ff44a8373c882221c1ff30b87c42fba4f6938119 with gcc (GCC) 8.1.0
all runs: boot failed: WARNING: workqueue cpumask: online intersect > possible intersect
# git bisect skip ff44a8373c882221c1ff30b87c42fba4f6938119
Bisecting: 36 revisions left to test after this (roughly 5 steps)
[2486e67374aa8b7854c2de32869642c2873b3d53] gpio: pcf857x: Fix interrupts on multiple instances
testing commit 2486e67374aa8b7854c2de32869642c2873b3d53 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 2486e67374aa8b7854c2de32869642c2873b3d53
Bisecting: 35 revisions left to test after this (roughly 5 steps)
[3da15ad3e9c856ab26516bd423f6a87c48acbc3f] Merge tag 'mlx5-fixes-2019-01-25' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux
testing commit 3da15ad3e9c856ab26516bd423f6a87c48acbc3f with gcc (GCC) 8.1.0
all runs: boot failed: WARNING: workqueue cpumask: online intersect > possible intersect
# git bisect skip 3da15ad3e9c856ab26516bd423f6a87c48acbc3f
Bisecting: 35 revisions left to test after this (roughly 5 steps)
[0977b2383de69dc48e9fa61c5c77878ed08d87fe] selftests: xfrm: add block rules with adjacent/overlapping subnets
testing commit 0977b2383de69dc48e9fa61c5c77878ed08d87fe with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 0977b2383de69dc48e9fa61c5c77878ed08d87fe
Bisecting: 35 revisions left to test after this (roughly 5 steps)
[ed29ca8b9592562559c64d027fb5eb126e463e2c] net: hns: Restart autoneg need return failed when autoneg off
testing commit ed29ca8b9592562559c64d027fb5eb126e463e2c with gcc (GCC) 8.1.0
all runs: boot failed: WARNING: workqueue cpumask: online intersect > possible intersect
# git bisect skip ed29ca8b9592562559c64d027fb5eb126e463e2c
Bisecting: 35 revisions left to test after this (roughly 5 steps)
[d999c0ec2498e54b9328db6b2c1037710025add1] x86/hpet: Remove unused FSEC_PER_NSEC define
testing commit d999c0ec2498e54b9328db6b2c1037710025add1 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good d999c0ec2498e54b9328db6b2c1037710025add1
Bisecting: 33 revisions left to test after this (roughly 5 steps)
[f785ffb61605734b518afa766d1b5445e9f38c8d] gpio: sprd: Fix incorrect irq type setting for the async EIC
testing commit f785ffb61605734b518afa766d1b5445e9f38c8d with gcc (GCC) 8.1.0
all runs: OK
# git bisect good f785ffb61605734b518afa766d1b5445e9f38c8d
Bisecting: 30 revisions left to test after this (roughly 5 steps)
[32eb67b93c9e3cd62cb423e30b090cdd4aa8d275] net: tls: Save iv in tls_rec for async crypto requests
testing commit 32eb67b93c9e3cd62cb423e30b090cdd4aa8d275 with gcc (GCC) 8.1.0
all runs: boot failed: WARNING: workqueue cpumask: online intersect > possible intersect
# git bisect skip 32eb67b93c9e3cd62cb423e30b090cdd4aa8d275
Bisecting: 30 revisions left to test after this (roughly 5 steps)
[1548bc4e0512700cf757192c106b3a20ab639223] xfrm: policy: delete inexact policies from inexact list on hash rebuild
testing commit 1548bc4e0512700cf757192c106b3a20ab639223 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Write in xfrm_hash_rebuild
# git bisect bad 1548bc4e0512700cf757192c106b3a20ab639223
Bisecting: 1 revision left to test after this (roughly 1 step)
[355b00d1e14051c13aea48c1c5430c486fed2d7a] xfrm: policy: use hlist rcu variants on inexact insert, part 2
testing commit 355b00d1e14051c13aea48c1c5430c486fed2d7a with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 355b00d1e14051c13aea48c1c5430c486fed2d7a
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[7a474c36586f4277f930ab7e6865c97e44dfc3bc] xfrm: policy: increment xfrm_hash_generation on hash rebuild
testing commit 7a474c36586f4277f930ab7e6865c97e44dfc3bc with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 7a474c36586f4277f930ab7e6865c97e44dfc3bc
1548bc4e0512700cf757192c106b3a20ab639223 is the first bad commit
commit 1548bc4e0512700cf757192c106b3a20ab639223
Author: Florian Westphal <fw@strlen.de>
Date:   Fri Jan 4 14:17:02 2019 +0100

    xfrm: policy: delete inexact policies from inexact list on hash rebuild
    
    An xfrm hash rebuild has to reset the inexact policy list before the
    policies get re-inserted: A change of hash thresholds will result in
    policies to get moved from inexact tree to the policy hash table.
    
    If the thresholds are increased again later, they get moved from hash
    table to inexact tree.
    
    We must unlink all policies from the inexact tree before re-insertion.
    
    Otherwise 'migrate' may find policies that are in main hash table a
    second time, when it searches the inexact lists.
    
    Furthermore, re-insertion without deletion can cause elements ->next to
    point back to itself, causing soft lockups or double-frees.
    
    Reported-by: syzbot+9d971dd21eb26567036b@syzkaller.appspotmail.com
    Fixes: 9cf545ebd591da ("xfrm: policy: store inexact policies in a tree ordered by destination address")
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

:040000 040000 86338a9bdce9e616b6246055bee4c5b278c71175 145518911e5be709c4521ce92b5b7f25489f24ca M	net
revisions tested: 29, total time: 7h49m58.478492693s (build: 2h43m36.147754204s, test: 4h58m12.135869126s)
first bad commit: 1548bc4e0512700cf757192c106b3a20ab639223 xfrm: policy: delete inexact policies from inexact list on hash rebuild
cc: ["davem@davemloft.net" "fw@strlen.de" "herbert@gondor.apana.org.au" "linux-kernel@vger.kernel.org" "netdev@vger.kernel.org" "steffen.klassert@secunet.com"]
crash: KASAN: use-after-free Write in xfrm_hash_rebuild
IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth1_to_hsr: link is not ready
==================================================================
hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
BUG: KASAN: use-after-free in __write_once_size include/linux/compiler.h:218 [inline]
BUG: KASAN: use-after-free in __hlist_del include/linux/list.h:702 [inline]
BUG: KASAN: use-after-free in hlist_del_rcu include/linux/rculist.h:455 [inline]
BUG: KASAN: use-after-free in xfrm_hash_rebuild+0x103b/0x1230 net/xfrm/xfrm_policy.c:1312
Write of size 8 at addr ffff88809972d300 by task kworker/0:3/7442
IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready

CPU: 0 PID: 7442 Comm: kworker/0:3 Not tainted 4.20.0+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events xfrm_hash_rebuild
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x113/0x167 lib/dump_stack.c:113
IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
 print_address_description.cold.5+0x9/0x1ff mm/kasan/report.c:187
IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
8021q: adding VLAN 0 to HW filter on device batadv0
 kasan_report.cold.6+0x1b/0x39 mm/kasan/report.c:317
 __asan_report_store8_noabort+0x17/0x20 mm/kasan/generic_report.c:140
 __write_once_size include/linux/compiler.h:218 [inline]
 __hlist_del include/linux/list.h:702 [inline]
 hlist_del_rcu include/linux/rculist.h:455 [inline]
 xfrm_hash_rebuild+0x103b/0x1230 net/xfrm/xfrm_policy.c:1312
 process_one_work+0x830/0x1670 kernel/workqueue.c:2153
 worker_thread+0x85/0xb60 kernel/workqueue.c:2296
 kthread+0x324/0x3e0 kernel/kthread.c:246
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Allocated by task 7423:
 save_stack+0x43/0xd0 mm/kasan/common.c:73
 set_track mm/kasan/common.c:85 [inline]
 kasan_kmalloc+0xcb/0xd0 mm/kasan/common.c:482
 __do_kmalloc mm/slab.c:3709 [inline]
 __kmalloc+0x15d/0x760 mm/slab.c:3718
 kmalloc include/linux/slab.h:550 [inline]
 kzalloc include/linux/slab.h:740 [inline]
 xfrm_hash_alloc+0x7f/0x90 net/xfrm/xfrm_hash.c:21
 xfrm_policy_init net/xfrm/xfrm_policy.c:3821 [inline]
 xfrm_net_init+0x1ec/0xa30 net/xfrm/xfrm_policy.c:3905
 ops_init+0x95/0x370 net/core/net_namespace.c:129
 setup_net+0x24b/0x5d0 net/core/net_namespace.c:314
 copy_net_ns+0x193/0x2a0 net/core/net_namespace.c:437
 create_new_namespaces+0x487/0x760 kernel/nsproxy.c:107
 unshare_nsproxy_namespaces+0x87/0x1a0 kernel/nsproxy.c:206
 ksys_unshare+0x31b/0x710 kernel/fork.c:2545
 __do_sys_unshare kernel/fork.c:2613 [inline]
 __se_sys_unshare kernel/fork.c:2611 [inline]
 __x64_sys_unshare+0x2c/0x40 kernel/fork.c:2611
 do_syscall_64+0xd0/0x4d0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 22:
 save_stack+0x43/0xd0 mm/kasan/common.c:73
 set_track mm/kasan/common.c:85 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:444
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:452
 __cache_free mm/slab.c:3485 [inline]
 kfree+0xcf/0x220 mm/slab.c:3804
 xfrm_hash_free+0x84/0xa0 net/xfrm/xfrm_hash.c:35
 xfrm_bydst_resize net/xfrm/xfrm_policy.c:597 [inline]
 xfrm_hash_resize+0x51a/0x1ab0 net/xfrm/xfrm_policy.c:675
 process_one_work+0x830/0x1670 kernel/workqueue.c:2153
 worker_thread+0x85/0xb60 kernel/workqueue.c:2296
 kthread+0x324/0x3e0 kernel/kthread.c:246
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

The buggy address belongs to the object at ffff88809972d300
 which belongs to the cache kmalloc-64 of size 64
The buggy address is located 0 bytes inside of
 64-byte region [ffff88809972d300, ffff88809972d340)
The buggy address belongs to the page:
page:ffffea000265cb40 count:1 mapcount:0 mapping:ffff88812c366340 index:0x0
flags: 0x1fffc0000000200(slab)
raw: 01fffc0000000200 ffffea000265fcc8 ffffea00021fb5c8 ffff88812c366340
raw: 0000000000000000 ffff88809972d000 0000000100000020 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88809972d200: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
 ffff88809972d280: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
>ffff88809972d300: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
                   ^
 ffff88809972d380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff88809972d400: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
==================================================================