bisecting fixing commit since 30c2c32d7f703530a6a0c9d2435117a9907d7109
building syzkaller on 2e0e3130f967984ba51ac1387b67040f0d953942
testing commit 30c2c32d7f703530a6a0c9d2435117a9907d7109 with gcc (GCC) 8.1.0
run #0: basic kernel testing failed: timed out
run #1: basic kernel testing failed: timed out
run #2: basic kernel testing failed: timed out
run #3: basic kernel testing failed: timed out
run #4: basic kernel testing failed: timed out
run #5: basic kernel testing failed: timed out
run #6: basic kernel testing failed: timed out
run #7: basic kernel testing failed: timed out
run #8: crashed: KASAN: use-after-free Read in p9_fd_poll
run #9: crashed: general protection fault in p9_conn_cancel
testing current HEAD 1e78030e5e5b2d8b0cad7136caf9cfab986a6bff
testing commit 1e78030e5e5b2d8b0cad7136caf9cfab986a6bff with gcc (GCC) 8.1.0
all runs: OK
# git bisect start 1e78030e5e5b2d8b0cad7136caf9cfab986a6bff 30c2c32d7f703530a6a0c9d2435117a9907d7109
Bisecting: 44138 revisions left to test after this (roughly 16 steps)
[12491ed354d23c0ecbe02459bf4be58b8c772bc8] Merge tag 'devicetree-fixes-for-5.0-3' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux
testing commit 12491ed354d23c0ecbe02459bf4be58b8c772bc8 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 12491ed354d23c0ecbe02459bf4be58b8c772bc8
Bisecting: 22008 revisions left to test after this (roughly 15 steps)
[62606c224d72a98c35d21a849f95cccf95b0a252] Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6
testing commit 62606c224d72a98c35d21a849f95cccf95b0a252 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 62606c224d72a98c35d21a849f95cccf95b0a252
Bisecting: 11032 revisions left to test after this (roughly 14 steps)
[2475c515d4031c494ff452508a8bf8c281ec6e56] Merge tag 'staging-4.19-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging
testing commit 2475c515d4031c494ff452508a8bf8c281ec6e56 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 2475c515d4031c494ff452508a8bf8c281ec6e56
Bisecting: 4730 revisions left to test after this (roughly 13 steps)
[9a76aba02a37718242d7cdc294f0a3901928aa57] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next
testing commit 9a76aba02a37718242d7cdc294f0a3901928aa57 with gcc (GCC) 8.1.0
run #0: crashed: general protection fault in p9_conn_cancel
run #1: crashed: WARNING: bad unlock balance detected!
run #2: crashed: general protection fault in p9_conn_cancel
run #3: crashed: KASAN: use-after-free Read in p9_fd_poll
run #4: crashed: general protection fault in p9_conn_cancel
run #5: crashed: WARNING: bad unlock balance detected!
run #6: crashed: KASAN: use-after-free Read in p9_fd_poll
run #7: crashed: general protection fault in p9_conn_cancel
run #8: crashed: KASAN: use-after-free Read in p9_fd_poll
run #9: crashed: general protection fault in p9_conn_cancel
# git bisect good 9a76aba02a37718242d7cdc294f0a3901928aa57
Bisecting: 2440 revisions left to test after this (roughly 11 steps)
[db06f826ec12bf0701ea7fc0a3c0aa00b84417c8] Merge tag 'clk-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux
testing commit db06f826ec12bf0701ea7fc0a3c0aa00b84417c8 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in p9_conn_cancel
run #1: crashed: BUG: corrupted list in p9_fd_cancel
run #2: crashed: general protection fault in p9_conn_cancel
run #3: crashed: KASAN: use-after-free Read in p9_fd_poll
run #4: crashed: general protection fault in p9_conn_cancel
run #5: crashed: WARNING: bad unlock balance detected!
run #6: crashed: general protection fault in p9_conn_cancel
run #7: crashed: general protection fault in p9_conn_cancel
run #8: crashed: general protection fault in p9_conn_cancel
run #9: crashed: general protection fault in p9_conn_cancel
# git bisect good db06f826ec12bf0701ea7fc0a3c0aa00b84417c8
Bisecting: 1174 revisions left to test after this (roughly 10 steps)
[6ada4e2826794bdf8d88f938a9ced0b80894b037] Merge branch 'akpm' (patches from Andrew)
testing commit 6ada4e2826794bdf8d88f938a9ced0b80894b037 with gcc (GCC) 8.1.0
run #0: crashed: WARNING: bad unlock balance detected!
run #1: crashed: general protection fault in p9_conn_cancel
run #2: crashed: general protection fault in p9_conn_cancel
run #3: crashed: general protection fault in p9_conn_cancel
run #4: crashed: general protection fault in p9_conn_cancel
run #5: crashed: KASAN: use-after-free Read in p9_fd_poll
run #6: crashed: BUG: corrupted list in p9_fd_cancel
run #7: crashed: general protection fault in p9_conn_cancel
run #8: crashed: general protection fault in p9_conn_cancel
run #9: crashed: WARNING: bad unlock balance detected!
# git bisect good 6ada4e2826794bdf8d88f938a9ced0b80894b037
Bisecting: 587 revisions left to test after this (roughly 9 steps)
[803ff424e46260d058daa998cc474639ca017f38] staging: gasket: core: convert to standard logging
testing commit 803ff424e46260d058daa998cc474639ca017f38 with gcc (GCC) 8.1.0
run #0: crashed: general protection fault in p9_conn_cancel
run #1: crashed: general protection fault in p9_conn_cancel
run #2: crashed: general protection fault in p9_conn_cancel
run #3: crashed: KASAN: use-after-free Read in p9_fd_poll
run #4: crashed: general protection fault in p9_conn_cancel
run #5: crashed: KASAN: use-after-free Read in p9_fd_poll
run #6: crashed: general protection fault in p9_conn_cancel
run #7: crashed: BUG: corrupted list in p9_fd_cancel
run #8: crashed: general protection fault in p9_conn_cancel
run #9: crashed: BUG: corrupted list in p9_conn_cancel
# git bisect good 803ff424e46260d058daa998cc474639ca017f38
Bisecting: 293 revisions left to test after this (roughly 8 steps)
[edec14020e3fcfb0a86bfa9f1d512b922697890f] staging: mt7621-pci: remove unused macros
testing commit edec14020e3fcfb0a86bfa9f1d512b922697890f with gcc (GCC) 8.1.0
run #0: crashed: general protection fault in p9_conn_cancel
run #1: crashed: general protection fault in p9_conn_cancel
run #2: crashed: general protection fault in p9_conn_cancel
run #3: crashed: general protection fault in p9_conn_cancel
run #4: crashed: KASAN: use-after-free Read in p9_conn_cancel
run #5: crashed: general protection fault in p9_conn_cancel
run #6: crashed: WARNING: bad unlock balance detected!
run #7: crashed: general protection fault in p9_conn_cancel
run #8: crashed: WARNING: bad unlock balance detected!
run #9: crashed: general protection fault in p9_conn_cancel
# git bisect good edec14020e3fcfb0a86bfa9f1d512b922697890f
Bisecting: 129 revisions left to test after this (roughly 7 steps)
[45dd7af410b71da511085b806c22caf8ecca87e4] Merge tag 'usb-for-v4.19' of git://git.kernel.org/pub/scm/linux/kernel/git/balbi/usb into usb-next
testing commit 45dd7af410b71da511085b806c22caf8ecca87e4 with gcc (GCC) 8.1.0
run #0: crashed: general protection fault in p9_conn_cancel
run #1: crashed: general protection fault in p9_conn_cancel
run #2: crashed: general protection fault in p9_conn_cancel
run #3: crashed: general protection fault in p9_conn_cancel
run #4: crashed: general protection fault in p9_conn_cancel
run #5: crashed: WARNING: bad unlock balance detected!
run #6: crashed: general protection fault in p9_conn_cancel
run #7: crashed: general protection fault in p9_conn_cancel
run #8: crashed: KASAN: use-after-free Read in p9_fd_poll
run #9: crashed: WARNING: bad unlock balance detected!
# git bisect good 45dd7af410b71da511085b806c22caf8ecca87e4
Bisecting: 64 revisions left to test after this (roughly 6 steps)
[628c534ae73581fd21a09a27b7a4222b01a44d64] serial: sh-sci: Improve support for separate TEI and DRI interrupts
testing commit 628c534ae73581fd21a09a27b7a4222b01a44d64 with gcc (GCC) 8.1.0
run #0: crashed: WARNING: bad unlock balance detected!
run #1: crashed: general protection fault in p9_conn_cancel
run #2: crashed: general protection fault in p9_conn_cancel
run #3: crashed: general protection fault in p9_conn_cancel
run #4: crashed: WARNING: bad unlock balance detected!
run #5: crashed: WARNING: bad unlock balance detected!
run #6: crashed: general protection fault in p9_conn_cancel
run #7: crashed: general protection fault in p9_conn_cancel
run #8: crashed: general protection fault in p9_conn_cancel
run #9: crashed: KASAN: use-after-free Read in p9_conn_cancel
# git bisect good 628c534ae73581fd21a09a27b7a4222b01a44d64
Bisecting: 29 revisions left to test after this (roughly 5 steps)
[336722eb9d9732c5a497fb6299bf38cde413592b] Merge tag 'tty-4.19-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty
testing commit 336722eb9d9732c5a497fb6299bf38cde413592b with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 336722eb9d9732c5a497fb6299bf38cde413592b
Bisecting: 17 revisions left to test after this (roughly 4 steps)
[3111784bee81591ea2815011688d28b65df03627] fs/9p/xattr.c: catch the error of p9_client_clunk when setting xattr failed
testing commit 3111784bee81591ea2815011688d28b65df03627 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 3111784bee81591ea2815011688d28b65df03627
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[b5303be2bee3c8b29de3f7f4ea8ae00c4e816760] 9p: Change p9_fid_create calling convention
testing commit b5303be2bee3c8b29de3f7f4ea8ae00c4e816760 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in p9_fd_poll
run #1: crashed: general protection fault in p9_conn_cancel
run #2: crashed: KASAN: use-after-free Read in p9_fd_poll
run #3: crashed: general protection fault in p9_conn_cancel
run #4: crashed: KASAN: use-after-free Read in p9_fd_poll
run #5: crashed: general protection fault in p9_conn_cancel
run #6: crashed: general protection fault in p9_conn_cancel
run #7: crashed: general protection fault in p9_conn_cancel
run #8: crashed: BUG: corrupted list in p9_conn_cancel
run #9: crashed: general protection fault in p9_conn_cancel
# git bisect good b5303be2bee3c8b29de3f7f4ea8ae00c4e816760
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[c7ebbae7cf9c50253a978f25d72d16e012bd46f1] net/9p/trans_virtio.c: fix some spell mistakes in comments
testing commit c7ebbae7cf9c50253a978f25d72d16e012bd46f1 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in p9_fd_poll
run #1: crashed: KASAN: use-after-free Read in p9_fd_poll
run #2: crashed: general protection fault in p9_conn_cancel
run #3: crashed: general protection fault in p9_conn_cancel
run #4: crashed: general protection fault in p9_conn_cancel
run #5: crashed: general protection fault in p9_conn_cancel
run #6: crashed: general protection fault in p9_conn_cancel
run #7: crashed: WARNING: bad unlock balance detected!
run #8: crashed: general protection fault in p9_conn_cancel
run #9: crashed: general protection fault in p9_conn_cancel
# git bisect good c7ebbae7cf9c50253a978f25d72d16e012bd46f1
Bisecting: 2 revisions left to test after this (roughly 1 step)
[430ac66eb4c5b5c4eb846b78ebf65747510b30f1] net/9p/trans_fd.c: fix race-condition by flushing workqueue before the kfree()
testing commit 430ac66eb4c5b5c4eb846b78ebf65747510b30f1 with gcc (GCC) 8.1.0
run #0: crashed: BUG: corrupted list in p9_fd_cancel
run #1: crashed: BUG: corrupted list in p9_conn_cancel
run #2: crashed: BUG: corrupted list in p9_fd_cancel
run #3: crashed: BUG: corrupted list in p9_conn_cancel
run #4: crashed: BUG: corrupted list in p9_fd_cancel
run #5: crashed: BUG: corrupted list in p9_conn_cancel
run #6: crashed: BUG: corrupted list in p9_fd_cancel
run #7: crashed: BUG: corrupted list in p9_fd_cancel
run #8: OK
run #9: OK
# git bisect good 430ac66eb4c5b5c4eb846b78ebf65747510b30f1
Bisecting: 0 revisions left to test after this (roughly 1 step)
[f984579a01d85166ee7380204a96d978a67687a1] 9p: validate PDU length
testing commit f984579a01d85166ee7380204a96d978a67687a1 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad f984579a01d85166ee7380204a96d978a67687a1
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[9f476d7c540cb57556d3cc7e78704e6cd5100f5f] net/9p/trans_fd.c: fix race by holding the lock
testing commit 9f476d7c540cb57556d3cc7e78704e6cd5100f5f with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 9f476d7c540cb57556d3cc7e78704e6cd5100f5f
9f476d7c540cb57556d3cc7e78704e6cd5100f5f is the first bad commit
commit 9f476d7c540cb57556d3cc7e78704e6cd5100f5f
Author: Tomas Bortoli
Date:   Mon Jul 23 20:42:53 2018 +0200

    net/9p/trans_fd.c: fix race by holding the lock

    It may be possible to run p9_fd_cancel() with a deleted req->req_list and incur in a double del. To fix hold the client->lock while changing the status, so the other threads will be synchronized.

    Link: http://lkml.kernel.org/r/20180723184253.6682-1-tomasbortoli@gmail.com
    Signed-off-by: Tomas Bortoli
    Reported-by: syzbot+735d926e9d1317c3310c@syzkaller.appspotmail.com
    To: Eric Van Hensbergen
    To: Ron Minnich
    To: Latchesar Ionkov
    Cc: Yiwen Jiang
    Cc: David S. Miller
    Signed-off-by: Dominique Martinet

:040000 040000 580948df285ae96f8ff9ccd49ec535c78ad96685 fdd278a4a68fc86ddcd75d6fd4e21b3b05201d6e M	net

revisions tested: 19, total time: 5h2m12.074306024s (build: 1h39m23.883967919s, test: 3h16m29.839190416s)
first good commit: 9f476d7c540cb57556d3cc7e78704e6cd5100f5f net/9p/trans_fd.c: fix race by holding the lock
cc: ["davem@davemloft.net" "dominique.martinet@cea.fr" "jiangyiwen@huwei.com" "tomasbortoli@gmail.com"]