bisecting cause commit starting from 8f8972a3127ff46df62ae30057d29606968ec4aa
building syzkaller on 0342f8c7bc656ea8ee3c45e49edeb4ee9cc12cce
testing commit 8f8972a3127ff46df62ae30057d29606968ec4aa with gcc (GCC) 8.1.0
kernel signature: 49c1f1a9d9afce6a2462aa218e6bfd9add3145d1
all runs: crashed: KASAN: use-after-free Read in bitmap_ipmac_ext_cleanup
testing release v5.4
testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0
kernel signature: 38a36ac39e0cedae73fceeb1b1396476f816c846
all runs: crashed: KASAN: use-after-free Read in bitmap_ipmac_ext_cleanup
testing release v5.3
testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.1.0
kernel signature: 13d438afec4ec60c7cd8f3e82f55e5e33523f590
all runs: crashed: KASAN: use-after-free Read in bitmap_ipmac_ext_cleanup
testing release v5.2
testing commit 0ecfebd2b52404ae0c54a878c872bb93363ada36 with gcc (GCC) 8.1.0
kernel signature: 7ee3e5a1ebdc7f53353b4cd985fe211d87577646
all runs: OK
# git bisect start 4d856f72c10ecb060868ed10ff1b1453943fc6c8 0ecfebd2b52404ae0c54a878c872bb93363ada36
Bisecting: 7848 revisions left to test after this (roughly 13 steps)
[43c95d3694cc448fdf50bd53b7ff3a5bb4655883] Merge tag 'pinctrl-v5.3-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl
testing commit 43c95d3694cc448fdf50bd53b7ff3a5bb4655883 with gcc (GCC) 8.1.0
kernel signature: 3024a0b43b944336e38b9a23651d2afc7cd39de9
all runs: crashed: KASAN: use-after-free Read in bitmap_ipmac_ext_cleanup
# git bisect bad 43c95d3694cc448fdf50bd53b7ff3a5bb4655883
Bisecting: 4619 revisions left to test after this (roughly 12 steps)
[8f6ccf6159aed1f04c6d179f61f6fb2691261e84] Merge tag 'clone3-v5.3' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux
testing commit 8f6ccf6159aed1f04c6d179f61f6fb2691261e84 with gcc (GCC) 8.1.0
kernel signature: e0da35dfc6fd3fec57008398838802c222df7462
all runs: OK
# git bisect good 8f6ccf6159aed1f04c6d179f61f6fb2691261e84
Bisecting: 2306 revisions left to test after this (roughly 11 steps)
[753c8d9b7d81206bb5d011b28abe829d364b028e] Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
testing commit 753c8d9b7d81206bb5d011b28abe829d364b028e with gcc (GCC) 8.1.0
kernel signature: 4496b6bf190487c5fda70cea0de1e05e61b1b5f2
run #0: crashed: general protection fault in send_hsr_supervision_frame
run #1: crashed: general protection fault in send_hsr_supervision_frame
run #2: crashed: general protection fault in send_hsr_supervision_frame
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 753c8d9b7d81206bb5d011b28abe829d364b028e
Bisecting: 1156 revisions left to test after this (roughly 10 steps)
[2f9b0d93a9d3ec64558537ab5d7cff820886afa4] net: ethernet: ti: cpsw: Fix suspend/resume break
testing commit 2f9b0d93a9d3ec64558537ab5d7cff820886afa4 with gcc (GCC) 8.1.0
kernel signature: e2fce196771cbdf4eeb2735b08926bb158aa90a4
all runs: OK
# git bisect good 2f9b0d93a9d3ec64558537ab5d7cff820886afa4
Bisecting: 578 revisions left to test after this (roughly 9 steps)
[354d0fab649d47045517cf7cae03d653a4dcb3b8] net: hns3: add default value for tc_size and tc_offset
testing commit 354d0fab649d47045517cf7cae03d653a4dcb3b8 with gcc (GCC) 8.1.0
kernel signature: 2fa5f2aaaae9b3494e61fdf60d56013a3fcb763e
all runs: OK
# git bisect good 354d0fab649d47045517cf7cae03d653a4dcb3b8
Bisecting: 289 revisions left to test after this (roughly 8 steps)
[52c0609258658ff35b85c654c568a50abd602ac6] bnxt_en: rename some xdp functions
testing commit 52c0609258658ff35b85c654c568a50abd602ac6 with gcc (GCC) 8.1.0
kernel signature: 5553404d46fc92496f1b5b0d8a8165e50b2a3498
all runs: OK
# git bisect good 52c0609258658ff35b85c654c568a50abd602ac6
Bisecting: 169 revisions left to test after this (roughly 7 steps)
[e858faf556d4e14c750ba1e8852783c6f9520a0e] tcp: Reset bytes_acked and bytes_received when disconnecting
testing commit e858faf556d4e14c750ba1e8852783c6f9520a0e with gcc (GCC) 8.1.0
kernel signature: 183023616457a33976440623fdc91a160e437287
run #0: crashed: general protection fault in send_hsr_supervision_frame
run #1: crashed: general protection fault in send_hsr_supervision_frame
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad e858faf556d4e14c750ba1e8852783c6f9520a0e
Bisecting: 59 revisions left to test after this (roughly 6 steps)
[3d26eb8ad1e9b906433903ce05f775cf038e747f] net: bridge: don't cache ether dest pointer on input
testing commit 3d26eb8ad1e9b906433903ce05f775cf038e747f with gcc (GCC) 8.1.0
kernel signature: 67f341ed400a6970bbb7a6cac16f47693bdf0adf
all runs: OK
# git bisect good 3d26eb8ad1e9b906433903ce05f775cf038e747f
Bisecting: 30 revisions left to test after this (roughly 5 steps)
[9d1bc24b52fb8c5d859f9a47084bf1179470e04c] bonding: validate ip header before check IPPROTO_IGMP
testing commit 9d1bc24b52fb8c5d859f9a47084bf1179470e04c with gcc (GCC) 8.1.0
kernel signature: b37c7187b8aa9ddba7b72f3c2882e85e86b573d5
run #0: crashed: KASAN: use-after-free Read in batadv_iv_ogm_queue_add
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 9d1bc24b52fb8c5d859f9a47084bf1179470e04c
Bisecting: 14 revisions left to test after this (roughly 4 steps)
[455302d1c9ae9318660aaeb9748a01ff414c9741] xdp: fix hang while unregistering device bound to xdp socket
testing commit 455302d1c9ae9318660aaeb9748a01ff414c9741 with gcc (GCC) 8.1.0
kernel signature: b24d5c087ada59c754f554205a4812afc8e855da
all runs: OK
# git bisect good 455302d1c9ae9318660aaeb9748a01ff414c9741
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[78226f6eaac80bf30256a33a4926c194ceefdf36] net: usb: asix: init MAC address buffers
testing commit 78226f6eaac80bf30256a33a4926c194ceefdf36 with gcc (GCC) 8.1.0
kernel signature: 4e3048dc45c1db4548bed63a2019762775bf86bf
all runs: OK
# git bisect good 78226f6eaac80bf30256a33a4926c194ceefdf36
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[9fae54186c64db6faec85c194812fb2e5e970f77] r8152: move calling r8153b_rx_agg_chg_indicate()
testing commit 9fae54186c64db6faec85c194812fb2e5e970f77 with gcc (GCC) 8.1.0
kernel signature: 216daa676d002cc6b8994997a74610ae1c634e40
run #0: crashed: general protection fault in batadv_iv_ogm_queue_add
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 9fae54186c64db6faec85c194812fb2e5e970f77
Bisecting: 1 revision left to test after this (roughly 1 step)
[ff95bf28c23490584b9d75913a520bb7bb1f2ecb] selftests/net: skip psock_tpacket test if KALLSYMS was not enabled
testing commit ff95bf28c23490584b9d75913a520bb7bb1f2ecb with gcc (GCC) 8.1.0
kernel signature: a0bc23e5ae2e4ee201e5323add5fda7bd6bbcf8d
run #0: crashed: KASAN: use-after-free Write in batadv_iv_ogm_schedule
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad ff95bf28c23490584b9d75913a520bb7bb1f2ecb
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[99f0eae653b2db64917d0b58099eb51e300b311d] rxrpc: Fix oops in tracepoint
testing commit 99f0eae653b2db64917d0b58099eb51e300b311d with gcc (GCC) 8.1.0
kernel signature: b76442404bef517a7fd9b8416ba81c58cc43317b
all runs: OK
# git bisect good 99f0eae653b2db64917d0b58099eb51e300b311d
ff95bf28c23490584b9d75913a520bb7bb1f2ecb is the first bad commit
commit ff95bf28c23490584b9d75913a520bb7bb1f2ecb
Author: Po-Hsu Lin <po-hsu.lin@canonical.com>
Date:   Mon Jul 1 12:40:31 2019 +0800

    selftests/net: skip psock_tpacket test if KALLSYMS was not enabled
    
    The psock_tpacket test will need to access /proc/kallsyms, this would
    require the kernel config CONFIG_KALLSYMS to be enabled first.
    
    Apart from adding CONFIG_KALLSYMS to the net/config file here, check the
    file existence to determine if we can run this test will be helpful to
    avoid a false-positive test result when testing it directly with the
    following commad against a kernel that have CONFIG_KALLSYMS disabled:
        make -C tools/testing/selftests TARGETS=net run_tests
    
    Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>
    Acked-by: Shuah Khan <skhan@linuxfoundation.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 tools/testing/selftests/net/config            |  1 +
 tools/testing/selftests/net/run_afpackettests | 14 +++++++++-----
 2 files changed, 10 insertions(+), 5 deletions(-)
culprit signature: a0bc23e5ae2e4ee201e5323add5fda7bd6bbcf8d
parent  signature: b76442404bef517a7fd9b8416ba81c58cc43317b
revisions tested: 18, total time: 4h51m30.534018939s (build: 1h55m34.434309782s, test: 2h53m56.743229712s)
first bad commit: ff95bf28c23490584b9d75913a520bb7bb1f2ecb selftests/net: skip psock_tpacket test if KALLSYMS was not enabled
cc: ["davem@davemloft.net" "po-hsu.lin@canonical.com" "skhan@linuxfoundation.org"]
crash: KASAN: use-after-free Write in batadv_iv_ogm_schedule
==================================================================
BUG: KASAN: use-after-free in batadv_iv_ogm_schedule+0xd63/0xe90 net/batman-adv/bat_iv_ogm.c:776
Write of size 2 at addr ffff888098c2b816 by task kworker/u4:0/7

CPU: 1 PID: 7 Comm: kworker/u4:0 Not tainted 5.2.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: bat_events batadv_iv_send_outstanding_bat_ogm_packet
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x113/0x167 lib/dump_stack.c:113
 print_address_description.cold.5+0x9/0x1ff mm/kasan/report.c:188
 __kasan_report.cold.6+0x1b/0x39 mm/kasan/report.c:317
 kasan_report+0x12/0x20 mm/kasan/common.c:614
 __asan_report_store2_noabort+0x17/0x20 mm/kasan/generic_report.c:135
 batadv_iv_ogm_schedule+0xd63/0xe90 net/batman-adv/bat_iv_ogm.c:776
 batadv_iv_send_outstanding_bat_ogm_packet+0x4a2/0x790 net/batman-adv/bat_iv_ogm.c:1669
 process_one_work+0x830/0x16a0 kernel/workqueue.c:2269
 worker_thread+0x85/0xb60 kernel/workqueue.c:2415
 kthread+0x324/0x3e0 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Allocated by task 7611:
 save_stack+0x21/0x90 mm/kasan/common.c:71
 set_track mm/kasan/common.c:79 [inline]
 __kasan_kmalloc.constprop.12+0xc7/0xd0 mm/kasan/common.c:489
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:503
 kmem_cache_alloc_trace+0x154/0x740 mm/slab.c:3555
 kmalloc include/linux/slab.h:547 [inline]
 batadv_iv_ogm_iface_enable+0x11c/0x370 net/batman-adv/bat_iv_ogm.c:201
 batadv_hardif_enable_interface+0x20d/0x8f0 net/batman-adv/hard-interface.c:760
 batadv_softif_slave_add+0x7f/0xd0 net/batman-adv/soft-interface.c:896
 do_set_master+0x171/0x200 net/core/rtnetlink.c:2360
 do_setlink+0x95a/0x2db0 net/core/rtnetlink.c:2495
 __rtnl_newlink+0xa57/0x13f0 net/core/rtnetlink.c:3120
 rtnl_newlink+0x61/0x90 net/core/rtnetlink.c:3245
 rtnetlink_rcv_msg+0x34f/0x8f0 net/core/rtnetlink.c:5214
 netlink_rcv_skb+0x13c/0x380 net/netlink/af_netlink.c:2482
 rtnetlink_rcv+0x10/0x20 net/core/rtnetlink.c:5232
 netlink_unicast_kernel net/netlink/af_netlink.c:1307 [inline]
 netlink_unicast+0x43b/0x640 net/netlink/af_netlink.c:1333
 netlink_sendmsg+0x765/0xc40 net/netlink/af_netlink.c:1922
 sock_sendmsg_nosec net/socket.c:646 [inline]
 sock_sendmsg+0xb5/0xf0 net/socket.c:665
 __sys_sendto+0x1f2/0x2e0 net/socket.c:1958
 __do_compat_sys_socketcall net/compat.c:770 [inline]
 __se_compat_sys_socketcall net/compat.c:718 [inline]
 __ia32_compat_sys_socketcall+0x473/0x610 net/compat.c:718
 do_syscall_32_irqs_on arch/x86/entry/common.c:337 [inline]
 do_fast_syscall_32+0x235/0xb05 arch/x86/entry/common.c:408
 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139

Freed by task 2625:
 save_stack+0x21/0x90 mm/kasan/common.c:71
 set_track mm/kasan/common.c:79 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:451
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:459
 __cache_free mm/slab.c:3432 [inline]
 kfree+0xcf/0x220 mm/slab.c:3755
 batadv_iv_ogm_iface_disable+0x34/0x70 net/batman-adv/bat_iv_ogm.c:220
 batadv_hardif_disable_interface.cold.23+0x5a8/0xc32 net/batman-adv/hard-interface.c:874
 batadv_softif_destroy_netlink+0x98/0x110 net/batman-adv/soft-interface.c:1150
 default_device_exit_batch+0x239/0x3d0 net/core/dev.c:9778
 ops_exit_list.isra.5+0xd3/0x120 net/core/net_namespace.c:157
 cleanup_net+0x363/0x850 net/core/net_namespace.c:553
 process_one_work+0x830/0x16a0 kernel/workqueue.c:2269
 worker_thread+0x85/0xb60 kernel/workqueue.c:2415
 kthread+0x324/0x3e0 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

The buggy address belongs to the object at ffff888098c2b800
 which belongs to the cache kmalloc-32 of size 32
The buggy address is located 22 bytes inside of
 32-byte region [ffff888098c2b800, ffff888098c2b820)
The buggy address belongs to the page:
page:ffffea0002630ac0 refcount:1 mapcount:0 mapping:ffff8880aa4001c0 index:0xffff888098c2bfc1
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea00027949c8 ffffea00026daf08 ffff8880aa4001c0
raw: ffff888098c2bfc1 ffff888098c2b000 000000010000003e 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888098c2b700: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
 ffff888098c2b780: 00 04 fc fc fc fc fc fc 00 03 fc fc fc fc fc fc
>ffff888098c2b800: fb fb fb fb fc fc fc fc 00 06 fc fc fc fc fc fc
                         ^
 ffff888098c2b880: 00 00 05 fc fc fc fc fc fb fb fb fb fc fc fc fc
 ffff888098c2b900: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
==================================================================