bisecting cause commit starting from c7d102232649226a69dddd58a4942cf13cff4f7c building syzkaller on 6c236867ce33c0c16b102e02a08226d7eb9b2046 testing commit c7d102232649226a69dddd58a4942cf13cff4f7c compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 276555861727ec2b19221f3227647a818b2fa8b1bfc819ad7e355bc67924c80e all runs: crashed: WARNING in j1939_session_deactivate testing release v5.13 testing commit 62fb9874f5da54fdb243003b386128037319b219 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: eaab50170f966c8b3eb39852b91e95d9bc7e454d96827a490e5a435720d1ffbe run #0: crashed: KASAN: invalid-free in j1939_xtp_rx_cts run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: crashed: KASAN: invalid-free in j1939_xtp_rx_cts reproducer seems to be flaky testing release v5.12 testing commit 9f4ad9e425a1d3b6a34617b8ea226d56a119a717 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: a2c67d0aa4cd9031fb2dccc0e9429d13c38be324308c26aa1ef6b084265ddb79 run #0: crashed: unregister_netdevice: waiting for DEV to become free run #1: crashed: unregister_netdevice: waiting for DEV to become free run #2: crashed: unregister_netdevice: waiting for DEV to become free run #3: crashed: unregister_netdevice: waiting for DEV to become free run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK testing release v5.11 testing commit f40ddce88593482919761f74910f42f4b84c004b compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 760afc9eb3d03287b34ea942b7a411382f5645571be3e022de43df2d69784b74 run #0: crashed: unregister_netdevice: waiting for DEV to become free run #1: crashed: unregister_netdevice: waiting for DEV to become free run #2: crashed: unregister_netdevice: waiting for DEV to become free run #3: crashed: unregister_netdevice: waiting for DEV to become free run #4: crashed: unregister_netdevice: waiting for DEV to become free run #5: crashed: unregister_netdevice: waiting for DEV to become free run #6: crashed: unregister_netdevice: waiting for DEV to become free run #7: OK run #8: OK run #9: OK run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK testing release v5.10 testing commit 2c85ebc57b3e1817b6ce1a6b703928e113a90442 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: ed87a01106570e960457a093defc61da2463f8df499a22d92a19e05b34bca040 run #0: crashed: unregister_netdevice: waiting for DEV to become free run #1: crashed: unregister_netdevice: waiting for DEV to become free run #2: crashed: unregister_netdevice: waiting for DEV to become free run #3: crashed: unregister_netdevice: waiting for DEV to become free run #4: crashed: unregister_netdevice: waiting for DEV to become free run #5: crashed: unregister_netdevice: waiting for DEV to become free run #6: crashed: unregister_netdevice: waiting for DEV to become free run #7: crashed: unregister_netdevice: waiting for DEV to become free run #8: OK run #9: OK run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK testing release v5.9 testing commit bbf5c979011a099af5dc76498918ed7df445635b compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: a6ff38e82dd9e7b72f8594f21d4456e9f130fed2d0baffe8f9a1ac831a8846b8 run #0: crashed: unregister_netdevice: waiting for DEV to become free run #1: crashed: unregister_netdevice: waiting for DEV to become free run #2: crashed: unregister_netdevice: waiting for DEV to become free run #3: crashed: unregister_netdevice: waiting for DEV to become free run #4: crashed: unregister_netdevice: waiting for DEV to become free run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK testing release v5.8 testing commit bcf876870b95592b52519ed4aafcf9d95999bc9c compiler: gcc (GCC) 8.4.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 148af9454d2419d8c534f359dc0ada77e2a0b73e26499bd1d569517b33bb77e1 run #0: crashed: KASAN: slab-out-of-bounds Read in j1939_tp_txtimer run #1: crashed: KASAN: slab-out-of-bounds Read in j1939_tp_txtimer run #2: crashed: KASAN: use-after-free Read in j1939_tp_txtimer run #3: crashed: KASAN: slab-out-of-bounds Read in j1939_tp_txtimer run #4: crashed: KASAN: use-after-free Read in j1939_tp_txtimer run #5: crashed: KASAN: slab-out-of-bounds Read in j1939_tp_txtimer run #6: crashed: KASAN: slab-out-of-bounds Read in j1939_tp_txtimer run #7: crashed: KASAN: slab-out-of-bounds Read in j1939_tp_txtimer run #8: crashed: KASAN: slab-out-of-bounds Read in j1939_tp_txtimer run #9: crashed: KASAN: slab-out-of-bounds Read in j1939_tp_txtimer run #10: crashed: KASAN: slab-out-of-bounds Read in j1939_tp_txtimer run #11: crashed: KASAN: slab-out-of-bounds Read in j1939_tp_txtimer run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK testing release v5.7 testing commit 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162 compiler: gcc version 8.4.1 20210217 (GCC), GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: c39813ac1b4cf9ee17cd9581d29834c9312d7a9e2d37c5149682cd29e326d445 run #0: crashed: KASAN: slab-out-of-bounds Read in j1939_tp_txtimer run #1: crashed: KASAN: slab-out-of-bounds Read in j1939_tp_txtimer run #2: crashed: WARNING in j1939_xtp_rx_rts run #3: crashed: KASAN: use-after-free Read in j1939_tp_txtimer run #4: crashed: KASAN: use-after-free Read in j1939_tp_txtimer run #5: crashed: KASAN: slab-out-of-bounds Read in j1939_tp_txtimer run #6: crashed: KASAN: slab-out-of-bounds Read in j1939_tp_txtimer run #7: crashed: KASAN: slab-out-of-bounds Read in j1939_tp_txtimer run #8: crashed: KASAN: slab-out-of-bounds Read in j1939_tp_txtimer run #9: crashed: KASAN: slab-out-of-bounds Read in j1939_tp_txtimer run #10: crashed: unregister_netdevice: waiting for DEV to become free run #11: crashed: KASAN: slab-out-of-bounds Read in j1939_tp_txtimer run #12: crashed: KASAN: use-after-free Read in j1939_tp_txtimer run #13: OK run #14: crashed: KASAN: slab-out-of-bounds Read in j1939_tp_txtimer run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK testing release v5.6 testing commit 7111951b8d4973bda27ff663f2cf18b663d15b48 compiler: gcc version 8.4.1 20210217 (GCC) kernel signature: 65e9f41c1707ffe281e68adea77024db743fc3aec52e15a3092851b775aa1091 run #0: crashed: KASAN: slab-out-of-bounds Read in j1939_tp_txtimer run #1: crashed: KASAN: slab-out-of-bounds Read in j1939_tp_txtimer run #2: crashed: KASAN: slab-out-of-bounds Read in j1939_tp_txtimer run #3: crashed: KASAN: slab-out-of-bounds Read in j1939_tp_txtimer run #4: crashed: KASAN: slab-out-of-bounds Read in j1939_tp_txtimer run #5: crashed: KASAN: slab-out-of-bounds Read in j1939_tp_txtimer run #6: crashed: KASAN: use-after-free Read in j1939_tp_txtimer run #7: crashed: KASAN: slab-out-of-bounds Read in j1939_tp_txtimer run #8: crashed: KASAN: use-after-free Read in j1939_tp_txtimer run #9: crashed: KASAN: slab-out-of-bounds Read in j1939_tp_txtimer run #10: crashed: KASAN: use-after-free Read in j1939_tp_txtimer run #11: crashed: KASAN: slab-out-of-bounds Read in j1939_tp_txtimer run #12: crashed: KASAN: slab-out-of-bounds Read in j1939_tp_txtimer run #13: crashed: KASAN: slab-out-of-bounds Read in j1939_tp_txtimer run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK testing release v5.5 testing commit d5226fa6dbae0569ee43ecfc08bdcd6770fc4755 compiler: gcc version 8.4.1 20210217 (GCC) kernel signature: df229a265ef77d7ea04c00e82025c3f1c0476396510a270bc6ec4e905f5dd17e run #0: crashed: KASAN: use-after-free Read in j1939_tp_txtimer run #1: crashed: KASAN: use-after-free Read in j1939_tp_txtimer run #2: crashed: KASAN: slab-out-of-bounds Read in j1939_tp_txtimer run #3: crashed: KASAN: slab-out-of-bounds Read in j1939_tp_txtimer run #4: crashed: KASAN: slab-out-of-bounds Read in j1939_tp_txtimer run #5: crashed: KASAN: slab-out-of-bounds Read in j1939_tp_txtimer run #6: crashed: KASAN: slab-out-of-bounds Read in j1939_tp_txtimer run #7: crashed: KASAN: slab-out-of-bounds Read in j1939_tp_txtimer run #8: crashed: KASAN: use-after-free Read in j1939_tp_txtimer run #9: crashed: KASAN: slab-out-of-bounds Read in j1939_tp_txtimer run #10: crashed: KASAN: slab-out-of-bounds Read in j1939_tp_txtimer run #11: crashed: unregister_netdevice: waiting for DEV to become free run #12: crashed: unregister_netdevice: waiting for DEV to become free run #13: crashed: KASAN: slab-out-of-bounds Read in j1939_tp_txtimer run #14: crashed: KASAN: slab-out-of-bounds Read in j1939_tp_txtimer run #15: crashed: KASAN: slab-out-of-bounds Read in j1939_tp_txtimer run #16: OK run #17: OK run #18: OK run #19: OK testing release v5.4 testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 compiler: gcc version 8.4.1 20210217 (GCC) kernel signature: 4db262e20e001154554aacba8ee069cf005e1d0d472bd35a6ff08601ed7ef2f2 run #0: crashed: KASAN: slab-out-of-bounds Read in j1939_tp_txtimer run #1: crashed: KASAN: use-after-free Read in j1939_tp_txtimer run #2: crashed: KASAN: use-after-free Read in j1939_tp_txtimer run #3: crashed: KASAN: slab-out-of-bounds Read in j1939_tp_txtimer run #4: crashed: KASAN: slab-out-of-bounds Read in j1939_tp_txtimer run #5: crashed: KASAN: slab-out-of-bounds Read in j1939_tp_txtimer run #6: crashed: KASAN: use-after-free Read in j1939_tp_txtimer run #7: crashed: KASAN: slab-out-of-bounds Read in j1939_tp_txtimer run #8: crashed: KASAN: slab-out-of-bounds Read in j1939_tp_txtimer run #9: crashed: KASAN: slab-out-of-bounds Read in j1939_tp_txtimer run #10: crashed: unregister_netdevice: waiting for DEV to become free run #11: crashed: unregister_netdevice: waiting for DEV to become free run #12: crashed: WARNING in j1939_xtp_rx_rts run #13: crashed: KASAN: slab-out-of-bounds Read in j1939_tp_txtimer run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK testing release v5.3 testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 compiler: gcc version 8.4.1 20210217 (GCC) kernel signature: 8a03cb69477372e7c3f6c0fee23e5ea1b68880d5ca37439f59113cf3c4eda96e all runs: OK # git bisect start 219d54332a09e8d8741c1e1982f5eae56099de85 4d856f72c10ecb060868ed10ff1b1453943fc6c8 Bisecting: 7882 revisions left to test after this (roughly 13 steps) [a9f8b38a071b468276a243ea3ea5a0636e848cf2] Merge tag 'for-linus-5.4-1' of git://github.com/cminyard/linux-ipmi testing commit a9f8b38a071b468276a243ea3ea5a0636e848cf2 compiler: gcc version 8.4.1 20210217 (GCC) kernel signature: ceeaa8b0cfd529302ba500b7667f68e052337f4d182c21133fad9a5ec409b8b0 run #0: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #1: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #2: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #3: crashed: KASAN: use-after-free Read in j1939_session_get_by_addr run #4: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #5: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #6: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #7: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #8: crashed: KASAN: use-after-free Write in j1939_sock_pending_del run #9: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #10: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #11: crashed: KASAN: use-after-free Read in j1939_session_get_by_addr run #12: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #13: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #14: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #15: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #16: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #17: crashed: KASAN: use-after-free Write in j1939_sock_pending_del run #18: crashed: KASAN: use-after-free Write in j1939_sock_pending_del run #19: crashed: KASAN: use-after-free Read in j1939_session_deactivate # git bisect bad a9f8b38a071b468276a243ea3ea5a0636e848cf2 Bisecting: 3920 revisions left to test after this (roughly 12 steps) [fe38bd6862074c0a2b9be7f31f043aaa70b2af5f] Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm testing commit fe38bd6862074c0a2b9be7f31f043aaa70b2af5f compiler: gcc version 8.4.1 20210217 (GCC) kernel signature: 3d0d4a9da4bc7c928f19ca21482e2c6d6e64a677674bf2710088819cd7d655b2 all runs: OK # git bisect good fe38bd6862074c0a2b9be7f31f043aaa70b2af5f Bisecting: 1962 revisions left to test after this (roughly 11 steps) [069841ef8293697e951c34f9a45601b77fb541d7] Merge branch '40GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/jkirsher/next-queue testing commit 069841ef8293697e951c34f9a45601b77fb541d7 compiler: gcc version 8.4.1 20210217 (GCC) kernel signature: e1ad679bd3d60852318c2347b12cb72c53a3758b904e5a22707caefc8e2c8acc run #0: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #1: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #2: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #3: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #4: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #5: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #6: crashed: KASAN: use-after-free Read in j1939_session_get_by_addr run #7: crashed: KASAN: use-after-free Write in j1939_sock_pending_del run #8: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #9: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #10: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #11: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #12: crashed: KASAN: use-after-free Write in j1939_sock_pending_del run #13: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #14: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #15: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #16: crashed: KASAN: use-after-free Write in j1939_sock_pending_del run #17: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #18: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #19: crashed: KASAN: use-after-free Read in j1939_session_deactivate # git bisect bad 069841ef8293697e951c34f9a45601b77fb541d7 Bisecting: 978 revisions left to test after this (roughly 10 steps) [f33bf6b00f20c9d26c42dfdaf8b83c2b0c1e6f71] net: stmmac: dwmac-meson: use devm_platform_ioremap_resource() to simplify code testing commit f33bf6b00f20c9d26c42dfdaf8b83c2b0c1e6f71 compiler: gcc version 8.4.1 20210217 (GCC) kernel signature: 05e1fe7c870764985c5267bfb1874062ca3ab2146f0edb5489938d5feaf5d514 all runs: OK # git bisect good f33bf6b00f20c9d26c42dfdaf8b83c2b0c1e6f71 Bisecting: 487 revisions left to test after this (roughly 9 steps) [67e974c3ae21c8ced474eae3ce9261a6f827e95c] Merge tag 'iwlwifi-next-for-kalle-2019-09-06' of git://git.kernel.org/pub/scm/linux/kernel/git/iwlwifi/iwlwifi-next testing commit 67e974c3ae21c8ced474eae3ce9261a6f827e95c compiler: gcc version 8.4.1 20210217 (GCC) kernel signature: 9de731d3e858bc52a951986ccd150b36aafc891c9d7a239677c30cfffff37c36 all runs: OK # git bisect good 67e974c3ae21c8ced474eae3ce9261a6f827e95c Bisecting: 212 revisions left to test after this (roughly 8 steps) [1e46c09ec10049a9e366153b32e41cc557383fdb] Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next testing commit 1e46c09ec10049a9e366153b32e41cc557383fdb compiler: gcc version 8.4.1 20210217 (GCC) kernel signature: d4d829efb9a793abc51e1f1881dcdbf3a3cd12182f9f3f298b0eb6d15d3499b9 run #0: crashed: KASAN: slab-out-of-bounds Read in j1939_tp_txtimer run #1: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #2: crashed: KASAN: use-after-free Write in j1939_sock_pending_del run #3: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #4: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #5: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #6: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #7: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #8: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #9: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #10: crashed: KASAN: use-after-free Read in j1939_session_get_by_addr run #11: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #12: crashed: KASAN: use-after-free Write in j1939_sock_pending_del run #13: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #14: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #15: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #16: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #17: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #18: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #19: crashed: KASAN: use-after-free Read in j1939_session_deactivate # git bisect bad 1e46c09ec10049a9e366153b32e41cc557383fdb Bisecting: 137 revisions left to test after this (roughly 7 steps) [7d993c5f86aa308b00c2fd420fe5208da18125e2] gianfar: remove forward declarations testing commit 7d993c5f86aa308b00c2fd420fe5208da18125e2 compiler: gcc version 8.4.1 20210217 (GCC) kernel signature: dedf6154b3c1c0dd1a42c4129be075bdd21b336ff80d7ec59f9ff458244769df run #0: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #1: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #2: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #3: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #4: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #5: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #6: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #7: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #8: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #9: crashed: KASAN: use-after-free Write in j1939_sock_pending_del run #10: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #11: crashed: KASAN: use-after-free Write in j1939_sock_pending_del run #12: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #13: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #14: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #15: crashed: KASAN: use-after-free Write in j1939_sock_pending_del run #16: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #17: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #18: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #19: crashed: INFO: rcu detected stall in j1939_tp_rxtimer # git bisect bad 7d993c5f86aa308b00c2fd420fe5208da18125e2 Bisecting: 68 revisions left to test after this (roughly 6 steps) [aa3198819bea60f65f22cd771baf2ff038f59df1] ionic: Add RSS support testing commit aa3198819bea60f65f22cd771baf2ff038f59df1 compiler: gcc version 8.4.1 20210217 (GCC) kernel signature: 653ea795f7a703035cf7fc444ba6f438b5c217d4ea2ffd30ba38633e8d92c216 all runs: OK # git bisect good aa3198819bea60f65f22cd771baf2ff038f59df1 Bisecting: 36 revisions left to test after this (roughly 5 steps) [8330f73fe9742f201f467639f8356cf58756fb9f] rocker: add missing init_net check in FIB notifier testing commit 8330f73fe9742f201f467639f8356cf58756fb9f compiler: gcc version 8.4.1 20210217 (GCC) kernel signature: 5520d9ff20fbb7e0a801bdc2211eb3c550679878dc7278c8699c2c5bc7c9d5c6 all runs: OK # git bisect good 8330f73fe9742f201f467639f8356cf58756fb9f Bisecting: 18 revisions left to test after this (roughly 4 steps) [9868b5d44f3df9dd75247acd23dddff0a42f79be] can: introduce CAN_REQUIRED_SIZE macro testing commit 9868b5d44f3df9dd75247acd23dddff0a42f79be compiler: gcc version 8.4.1 20210217 (GCC) kernel signature: 339a50aa53be3b9aa9c8b4c45a16bc7d263b89ba2033f4d4eeac66b38fb39070 all runs: OK # git bisect good 9868b5d44f3df9dd75247acd23dddff0a42f79be Bisecting: 9 revisions left to test after this (roughly 3 steps) [4647e021193d638d3c87d1f1b9a5f7f7a48f36a3] net: stmmac: selftests: Add selftest for L3/L4 Filters testing commit 4647e021193d638d3c87d1f1b9a5f7f7a48f36a3 compiler: gcc version 8.4.1 20210217 (GCC) kernel signature: dedf6154b3c1c0dd1a42c4129be075bdd21b336ff80d7ec59f9ff458244769df run #0: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #1: crashed: KASAN: use-after-free Write in j1939_sock_pending_del run #2: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #3: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #4: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #5: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #6: crashed: KASAN: use-after-free Write in j1939_sock_pending_del run #7: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #8: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #9: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #10: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #11: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #12: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #13: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #14: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #15: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #16: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #17: crashed: KASAN: use-after-free Read in j1939_session_get_by_addr run #18: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #19: crashed: KASAN: use-after-free Write in j1939_sock_pending_del # git bisect bad 4647e021193d638d3c87d1f1b9a5f7f7a48f36a3 Bisecting: 4 revisions left to test after this (roughly 2 steps) [44c40910b66f786d33ffd2682ef38750eebb567c] Merge tag 'linux-can-next-for-5.4-20190904' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can-next testing commit 44c40910b66f786d33ffd2682ef38750eebb567c compiler: gcc version 8.4.1 20210217 (GCC) kernel signature: dedf6154b3c1c0dd1a42c4129be075bdd21b336ff80d7ec59f9ff458244769df run #0: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #1: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #2: crashed: KASAN: use-after-free Write in j1939_sock_pending_del run #3: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #4: crashed: KASAN: slab-out-of-bounds Read in j1939_tp_txtimer run #5: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #6: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #7: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #8: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #9: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #10: crashed: KASAN: use-after-free Write in j1939_sock_pending_del run #11: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #12: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #13: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #14: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #15: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #16: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #17: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #18: crashed: KASAN: use-after-free Write in j1939_sock_pending_del run #19: crashed: INFO: rcu detected stall in j1939_tp_rxtimer # git bisect bad 44c40910b66f786d33ffd2682ef38750eebb567c Bisecting: 1 revision left to test after this (roughly 1 step) [f5223e9eee651e005c0f6d6d078909087601b7e9] can: extend sockaddr_can to include j1939 members testing commit f5223e9eee651e005c0f6d6d078909087601b7e9 compiler: gcc version 8.4.1 20210217 (GCC) kernel signature: ddf3659430f1264ef2868b20cca8efe5fcdab0be3fadd70d3daf51f42e792cef all runs: OK # git bisect good f5223e9eee651e005c0f6d6d078909087601b7e9 Bisecting: 0 revisions left to test after this (roughly 0 steps) [9d71dd0c70099914fcd063135da3c580865e924c] can: add support of SAE J1939 protocol testing commit 9d71dd0c70099914fcd063135da3c580865e924c compiler: gcc version 8.4.1 20210217 (GCC) kernel signature: dc55f6cc73006dfeb880801cd1eb7848504c50c98a0308f1c38abe56c5fbd169 run #0: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #1: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #2: crashed: KASAN: use-after-free Write in j1939_sock_pending_del run #3: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #4: crashed: KASAN: use-after-free Write in j1939_sock_pending_del run #5: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #6: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #7: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #8: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #9: crashed: KASAN: use-after-free Write in j1939_sock_pending_del run #10: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #11: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #12: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #13: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #14: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #15: crashed: KASAN: use-after-free Write in j1939_sock_pending_del run #16: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #17: crashed: KASAN: use-after-free Write in j1939_sock_pending_del run #18: crashed: KASAN: use-after-free Read in j1939_session_deactivate run #19: crashed: KASAN: use-after-free Read in j1939_session_deactivate # git bisect bad 9d71dd0c70099914fcd063135da3c580865e924c 9d71dd0c70099914fcd063135da3c580865e924c is the first bad commit commit 9d71dd0c70099914fcd063135da3c580865e924c Author: The j1939 authors Date: Mon Oct 8 11:48:36 2018 +0200 can: add support of SAE J1939 protocol SAE J1939 is the vehicle bus recommended practice used for communication and diagnostics among vehicle components. Originating in the car and heavy-duty truck industry in the United States, it is now widely used in other parts of the world. J1939, ISO 11783 and NMEA 2000 all share the same high level protocol. SAE J1939 can be considered the replacement for the older SAE J1708 and SAE J1587 specifications. Acked-by: Oliver Hartkopp Signed-off-by: Bastian Stender Signed-off-by: Elenita Hinds Signed-off-by: kbuild test robot Signed-off-by: Kurt Van Dijck Signed-off-by: Maxime Jayat Signed-off-by: Robin van der Gracht Signed-off-by: Oleksij Rempel Signed-off-by: Marc Kleine-Budde Documentation/networking/index.rst | 1 + Documentation/networking/j1939.rst | 422 ++++++++ MAINTAINERS | 10 + include/linux/can/can-ml.h | 3 + include/uapi/linux/can/j1939.h | 99 ++ net/can/Kconfig | 2 + net/can/Makefile | 2 + net/can/j1939/Kconfig | 15 + net/can/j1939/Makefile | 10 + net/can/j1939/address-claim.c | 230 ++++ net/can/j1939/bus.c | 333 ++++++ net/can/j1939/j1939-priv.h | 338 ++++++ net/can/j1939/main.c | 403 +++++++ net/can/j1939/socket.c | 1160 +++++++++++++++++++++ net/can/j1939/transport.c | 2027 ++++++++++++++++++++++++++++++++++++ 15 files changed, 5055 insertions(+) create mode 100644 Documentation/networking/j1939.rst create mode 100644 include/uapi/linux/can/j1939.h create mode 100644 net/can/j1939/Kconfig create mode 100644 net/can/j1939/Makefile create mode 100644 net/can/j1939/address-claim.c create mode 100644 net/can/j1939/bus.c create mode 100644 net/can/j1939/j1939-priv.h create mode 100644 net/can/j1939/main.c create mode 100644 net/can/j1939/socket.c create mode 100644 net/can/j1939/transport.c culprit signature: dc55f6cc73006dfeb880801cd1eb7848504c50c98a0308f1c38abe56c5fbd169 parent signature: ddf3659430f1264ef2868b20cca8efe5fcdab0be3fadd70d3daf51f42e792cef Reproducer flagged being flaky revisions tested: 26, total time: 6h49m30.046109451s (build: 2h41m9.56828346s, test: 4h4m58.617392547s) first bad commit: 9d71dd0c70099914fcd063135da3c580865e924c can: add support of SAE J1939 protocol recipients (to): ["bst@pengutronix.de" "dev.kurt@vandijck-laurijssen.be" "ecathinds@gmail.com" "linux-can@vger.kernel.org" "lkp@intel.com" "maxime.jayat@mobile-devices.fr" "mkl@pengutronix.de" "o.rempel@pengutronix.de" "robin@protonic.nl" "socketcan@hartkopp.net"] recipients (cc): [] crash: KASAN: use-after-free Read in j1939_session_deactivate vcan0: j1939_tp_rxtimer: 0x00000000e0fd8baa: abort rx timeout. Force session deactivation vcan0: j1939_tp_rxtimer: 0x0000000030164fd7: abort rx timeout. Force session deactivation ================================================================== BUG: KASAN: use-after-free in j1939_session_deactivate+0x78/0x80 net/can/j1939/transport.c:1033 Read of size 8 at addr ffff88809d102500 by task ksoftirqd/1/16 CPU: 1 PID: 16 Comm: ksoftirqd/1 Not tainted 5.3.0-rc7-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x86/0xca lib/dump_stack.c:113 print_address_description.cold.4+0x9/0x35a mm/kasan/report.c:351 __kasan_report.cold.5+0x1b/0x3e mm/kasan/report.c:482 kasan_report+0x12/0x17 mm/kasan/common.c:618 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132 j1939_session_deactivate+0x78/0x80 net/can/j1939/transport.c:1033 j1939_session_deactivate_activate_next+0xd/0x20 net/can/j1939/transport.c:1041 j1939_tp_rxtimer+0xb6/0x226 net/can/j1939/transport.c:1150 __run_hrtimer kernel/time/hrtimer.c:1389 [inline] __hrtimer_run_queues+0x332/0xb50 kernel/time/hrtimer.c:1451 hrtimer_run_softirq+0x16c/0x250 kernel/time/hrtimer.c:1465 __do_softirq+0x222/0x90d kernel/softirq.c:292 run_ksoftirqd kernel/softirq.c:603 [inline] run_ksoftirqd+0x30/0x50 kernel/softirq.c:595 smpboot_thread_fn+0x55f/0x8c0 kernel/smpboot.c:165 kthread+0x331/0x3f0 kernel/kthread.c:255 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 Allocated by task 10861: save_stack mm/kasan/common.c:69 [inline] set_track mm/kasan/common.c:77 [inline] __kasan_kmalloc.part.0+0x44/0xc0 mm/kasan/common.c:493 __kasan_kmalloc.constprop.1+0xb1/0xc0 mm/kasan/common.c:474 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:507 kmem_cache_alloc_trace+0x135/0x340 mm/slub.c:2797 kmalloc include/linux/slab.h:552 [inline] kzalloc include/linux/slab.h:748 [inline] j1939_session_new+0x6a/0x490 net/can/j1939/transport.c:1384 j1939_tp_send+0x1a8/0x5d0 net/can/j1939/transport.c:1846 j1939_sk_send_loop net/can/j1939/socket.c:995 [inline] j1939_sk_sendmsg+0x9e7/0x1260 net/can/j1939/socket.c:1100 sock_sendmsg_nosec net/socket.c:637 [inline] sock_sendmsg+0xac/0xf0 net/socket.c:657 kernel_sendmsg+0x26/0x30 net/socket.c:677 sock_no_sendpage+0xfd/0x140 net/core/sock.c:2730 kernel_sendpage+0x60/0xd0 net/socket.c:3682 sock_sendpage+0x6d/0xd0 net/socket.c:935 pipe_to_sendpage+0x212/0x430 fs/splice.c:449 splice_from_pipe_feed fs/splice.c:500 [inline] __splice_from_pipe+0x297/0x6c0 fs/splice.c:624 splice_from_pipe+0xbb/0x120 fs/splice.c:659 generic_splice_sendpage+0x10/0x20 fs/splice.c:829 do_splice_from fs/splice.c:848 [inline] direct_splice_actor+0x104/0x1c0 fs/splice.c:1020 splice_direct_to_actor+0x303/0x870 fs/splice.c:975 do_splice_direct+0x14c/0x270 fs/splice.c:1063 do_sendfile+0x4b1/0xed0 fs/read_write.c:1464 __do_sys_sendfile64 fs/read_write.c:1525 [inline] __se_sys_sendfile64+0x100/0x120 fs/read_write.c:1511 __x64_sys_sendfile64+0x92/0xf0 fs/read_write.c:1511 do_syscall_64+0xa3/0x4a0 arch/x86/entry/common.c:296 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 16: save_stack mm/kasan/common.c:69 [inline] set_track mm/kasan/common.c:77 [inline] __kasan_slab_free+0x145/0x210 mm/kasan/common.c:455 kasan_slab_free+0xe/0x10 mm/kasan/common.c:463 slab_free_hook mm/slub.c:1423 [inline] slab_free_freelist_hook mm/slub.c:1474 [inline] slab_free mm/slub.c:3016 [inline] kfree+0xf7/0x380 mm/slub.c:3957 j1939_session_destroy net/can/j1939/transport.c:272 [inline] __j1939_session_release net/can/j1939/transport.c:280 [inline] kref_put include/linux/kref.h:65 [inline] j1939_session_put+0xf3/0x1b0 net/can/j1939/transport.c:285 j1939_session_deactivate_locked net/can/j1939/transport.c:1021 [inline] j1939_session_deactivate_locked+0x1e4/0x290 net/can/j1939/transport.c:1009 j1939_session_deactivate+0x38/0x80 net/can/j1939/transport.c:1032 j1939_session_deactivate_activate_next+0xd/0x20 net/can/j1939/transport.c:1041 j1939_tp_rxtimer+0xb6/0x226 net/can/j1939/transport.c:1150 __run_hrtimer kernel/time/hrtimer.c:1389 [inline] __hrtimer_run_queues+0x332/0xb50 kernel/time/hrtimer.c:1451 hrtimer_run_softirq+0x16c/0x250 kernel/time/hrtimer.c:1465 __do_softirq+0x222/0x90d kernel/softirq.c:292 The buggy address belongs to the object at ffff88809d102500 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 0 bytes inside of 512-byte region [ffff88809d102500, ffff88809d102700) The buggy address belongs to the page: page:ffffea0002744080 refcount:1 mapcount:0 mapping:ffff8880b5c02500 index:0x0 compound_mapcount: 0 flags: 0xfff00000010200(slab|head) raw: 00fff00000010200 0000000000000000 0000000900000001 ffff8880b5c02500 raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page allocated via order 1, migratetype Unmovable, gfp_mask 0xd2a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC) set_page_owner include/linux/page_owner.h:31 [inline] post_alloc_hook mm/page_alloc.c:2147 [inline] prep_new_page+0x183/0x220 mm/page_alloc.c:2153 get_page_from_freelist.part.23+0x1378/0x43d0 mm/page_alloc.c:3680 get_page_from_freelist mm/page_alloc.c:4711 [inline] __alloc_pages_nodemask+0x324/0x26a0 mm/page_alloc.c:4714 alloc_pages_current+0xd6/0x1b0 mm/mempolicy.c:2153 alloc_pages include/linux/gfp.h:509 [inline] alloc_slab_page mm/slub.c:1515 [inline] allocate_slab mm/slub.c:1660 [inline] new_slab+0x7da/0x16a0 mm/slub.c:1727 new_slab_objects mm/slub.c:2476 [inline] ___slab_alloc+0x57b/0x8d0 mm/slub.c:2627 __slab_alloc.isra.23+0x4f/0x80 mm/slub.c:2667 slab_alloc_node mm/slub.c:2730 [inline] __kmalloc_node_track_caller+0x22c/0x450 mm/slub.c:4365 __kmalloc_reserve.isra.10+0x2c/0xc0 net/core/skbuff.c:141 __alloc_skb+0xd7/0x570 net/core/skbuff.c:209 alloc_skb include/linux/skbuff.h:1043 [inline] j1939_tp_tx_dat_new+0x3a/0x420 net/can/j1939/transport.c:564 j1939_tp_tx_dat net/can/j1939/transport.c:602 [inline] j1939_session_tx_dat net/can/j1939/transport.c:787 [inline] j1939_xtp_txnext_transmiter net/can/j1939/transport.c:843 [inline] j1939_tp_txtimer+0x757/0x1660 net/can/j1939/transport.c:1076 __run_hrtimer kernel/time/hrtimer.c:1389 [inline] __hrtimer_run_queues+0x332/0xb50 kernel/time/hrtimer.c:1451 hrtimer_run_softirq+0x16c/0x250 kernel/time/hrtimer.c:1465 __do_softirq+0x222/0x90d kernel/softirq.c:292 run_ksoftirqd kernel/softirq.c:603 [inline] run_ksoftirqd+0x30/0x50 kernel/softirq.c:595 Memory state around the buggy address: ffff88809d102400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88809d102480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff88809d102500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88809d102580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88809d102600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================