bisecting fixing commit since dda0e2920330128e0dbdeb11c8f25031aa40b11c
building syzkaller on 17a986e54c507287c078a70fa9eea0be9f191f84
testing commit dda0e2920330128e0dbdeb11c8f25031aa40b11c with gcc (GCC) 8.1.0
kernel signature: 1437d2ad649355d91482c5f0292979e56a3710d6be0306f59a84c013e52f86fd
run #0: crashed: KASAN: use-after-free Read in rdma_listen
run #1: crashed: KASAN: use-after-free Read in rdma_listen
run #2: crashed: KASAN: use-after-free Read in rdma_listen
run #3: crashed: KASAN: use-after-free Read in cma_cancel_operation
run #4: crashed: KASAN: use-after-free Read in rdma_listen
run #5: crashed: KASAN: use-after-free Read in rdma_listen
run #6: crashed: KASAN: use-after-free Read in rdma_listen
run #7: crashed: KASAN: use-after-free Read in rdma_listen
run #8: crashed: KASAN: use-after-free Read in rdma_listen
run #9: crashed: KASAN: use-after-free Read in rdma_listen
testing current HEAD 033c4ea49a4ba7a2b13aabf3ec755557924a9cda
testing commit 033c4ea49a4ba7a2b13aabf3ec755557924a9cda with gcc (GCC) 8.1.0
kernel signature: e40b083c9905f7c3fc4f2e1162a3c71868dc872e70b111804aed34c313c0531b
all runs: OK
# git bisect start 033c4ea49a4ba7a2b13aabf3ec755557924a9cda dda0e2920330128e0dbdeb11c8f25031aa40b11c
Bisecting: 280 revisions left to test after this (roughly 8 steps)
[60cb7886942b91f7abfa63497682ca799dccac0b] s390/cpum_sf: Fix wrong page count in error message
testing commit 60cb7886942b91f7abfa63497682ca799dccac0b with gcc (GCC) 8.1.0
kernel signature: 323caaa81726e48c78df8637d70ee307d9b49a9c484528be2a58d65f86d784ca
all runs: OK
# git bisect bad 60cb7886942b91f7abfa63497682ca799dccac0b
Bisecting: 139 revisions left to test after this (roughly 7 steps)
[f9971a898a815c2a6cce2932e91a576b28ed4cce] KVM: VMX: fix crash cleanup when KVM wasn't used
testing commit f9971a898a815c2a6cce2932e91a576b28ed4cce with gcc (GCC) 8.1.0
kernel signature: 97cce49bc4b2624cea89d4664963082f6e651815739a6488ddc384b8491798e8
all runs: OK
# git bisect bad f9971a898a815c2a6cce2932e91a576b28ed4cce
Bisecting: 69 revisions left to test after this (roughly 6 steps)
[fe5b2e54d6c639996d29a2840c9335c9a446361e] null_blk: fix spurious IO errors after failed past-wp access
testing commit fe5b2e54d6c639996d29a2840c9335c9a446361e with gcc (GCC) 8.1.0
kernel signature: 22aae7ab85da4652f70cc85cc490c89c5869b13226988844f1c2270cb5f91a13
all runs: OK
# git bisect bad fe5b2e54d6c639996d29a2840c9335c9a446361e
Bisecting: 34 revisions left to test after this (roughly 5 steps)
[259f9d9a290e89fca1537b736c0d6cb133b42d40] random: always use batched entropy for get_random_u{32,64}
testing commit 259f9d9a290e89fca1537b736c0d6cb133b42d40 with gcc (GCC) 8.1.0
kernel signature: 33d54d3de5d426155e25e128aafce092509e7c5ee18ae314bec2ffb73db2b4ef
all runs: crashed: KASAN: use-after-free Read in rdma_listen
# git bisect good 259f9d9a290e89fca1537b736c0d6cb133b42d40
Bisecting: 17 revisions left to test after this (roughly 4 steps)
[7abfe9914d942dc62c06772c8fcf00d8b866a634] rpmsg: glink: Remove chunk size word align warning
testing commit 7abfe9914d942dc62c06772c8fcf00d8b866a634 with gcc (GCC) 8.1.0
kernel signature: e146cd6d8be047f44710e44daa4afd2b16b054eb832752ebf2f380f4e0dd3162
all runs: OK
# git bisect bad 7abfe9914d942dc62c06772c8fcf00d8b866a634
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[4eeddc6229e7c10a220afae4bb63ddb69200d218] ceph: canonicalize server path in place
testing commit 4eeddc6229e7c10a220afae4bb63ddb69200d218 with gcc (GCC) 8.1.0
kernel signature: d816f3e32a4ce16f9758980a4eba69aa0e0c3cfd6c61617996f616e2e517a62b
all runs: crashed: KASAN: use-after-free Read in rdma_listen
# git bisect good 4eeddc6229e7c10a220afae4bb63ddb69200d218
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[e2db80e0a7a4d9b2dfa14d84f0fa928af404cf87] RDMA/cm: Update num_paths in cma_resolve_iboe_route error flow
testing commit e2db80e0a7a4d9b2dfa14d84f0fa928af404cf87 with gcc (GCC) 8.1.0
kernel signature: cd6bb8d16a3f85dc234df3666d7a70ca21d02df311262485353f5bb6d58cd339
all runs: OK
# git bisect bad e2db80e0a7a4d9b2dfa14d84f0fa928af404cf87
Bisecting: 1 revision left to test after this (roughly 1 step)
[ee433d1cdee016c73707b4636c9dd4424aaaad53] RDMA/cma: Teach lockdep about the order of rtnl and lock
testing commit ee433d1cdee016c73707b4636c9dd4424aaaad53 with gcc (GCC) 8.1.0
kernel signature: 22ee85f4dd6cce4f6bb32faa0a4019f0353fe8c8377d9c03cdba6b6a57d6f7a2
all runs: OK
# git bisect bad ee433d1cdee016c73707b4636c9dd4424aaaad53
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[abc4ea7f1345398261295345fd9b30243e4f4f8e] RDMA/ucma: Put a lock around every call to the rdma_cm layer
testing commit abc4ea7f1345398261295345fd9b30243e4f4f8e with gcc (GCC) 8.1.0
kernel signature: 5fc61f60a654813d522429635549e8a6017c679f83630794b8ccd0a620cbf185
all runs: OK
# git bisect bad abc4ea7f1345398261295345fd9b30243e4f4f8e
abc4ea7f1345398261295345fd9b30243e4f4f8e is the first bad commit
commit abc4ea7f1345398261295345fd9b30243e4f4f8e
Author: Jason Gunthorpe
Date:   Tue Feb 18 15:45:38 2020 -0400

    RDMA/ucma: Put a lock around every call to the rdma_cm layer

    commit 7c11910783a1ea17e88777552ef146cace607b3c upstream.

    The rdma_cm must be used single threaded.

    This appears to be a bug in the design, as it does have lots of locking
    that seems like it should allow concurrency. However, when it is all said
    and done every single place that uses the cma_exch() scheme is broken, and
    all the unlocked reads from the ucma of the cm_id data are wrong too.

    syzkaller has been finding endless bugs related to this.

    Fixing this in any elegant way is some enormous amount of work. Take a
    very big hammer and put a mutex around everything to do with the
    ucma_context at the top of every syscall.

    Fixes: 75216638572f ("RDMA/cma: Export rdma cm interface to userspace")
    Link: https://lore.kernel.org/r/20200218210432.GA31966@ziepe.ca
    Reported-by: syzbot+adb15cf8c2798e4e0db4@syzkaller.appspotmail.com
    Reported-by: syzbot+e5579222b6a3edd96522@syzkaller.appspotmail.com
    Reported-by: syzbot+4b628fcc748474003457@syzkaller.appspotmail.com
    Reported-by: syzbot+29ee8f76017ce6cf03da@syzkaller.appspotmail.com
    Reported-by: syzbot+6956235342b7317ec564@syzkaller.appspotmail.com
    Reported-by: syzbot+b358909d8d01556b790b@syzkaller.appspotmail.com
    Reported-by: syzbot+6b46b135602a3f3ac99e@syzkaller.appspotmail.com
    Reported-by: syzbot+8458d13b13562abf6b77@syzkaller.appspotmail.com
    Reported-by: syzbot+bd034f3fdc0402e942ed@syzkaller.appspotmail.com
    Reported-by: syzbot+c92378b32760a4eef756@syzkaller.appspotmail.com
    Reported-by: syzbot+68b44a1597636e0b342c@syzkaller.appspotmail.com
    Signed-off-by: Jason Gunthorpe
    Signed-off-by: Greg Kroah-Hartman

 drivers/infiniband/core/ucma.c | 49 ++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 47 insertions(+), 2 deletions(-)

culprit signature: 5fc61f60a654813d522429635549e8a6017c679f83630794b8ccd0a620cbf185
parent signature: d816f3e32a4ce16f9758980a4eba69aa0e0c3cfd6c61617996f616e2e517a62b
revisions tested: 11, total time: 3h18m11.72994964s (build: 1h47m32.872787261s, test: 1h28m18.737948637s)
first good commit: abc4ea7f1345398261295345fd9b30243e4f4f8e RDMA/ucma: Put a lock around every call to the rdma_cm layer
cc: ["dledford@redhat.com" "gregkh@linuxfoundation.org" "jgg@mellanox.com" "jgg@ziepe.ca" "linux-kernel@vger.kernel.org" "linux-rdma@vger.kernel.org"]
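The log above is a "fixing commit" bisection: syzbot starts from a commit where the reproducer crashes, confirms that current HEAD no longer crashes, and then walks the range with the usual good/bad labels inverted (a commit that still crashes is marked good, a commit that runs clean is marked bad), so git's "first bad commit" is the first commit on which the crash is gone. The script below is an added example that is not part of the syzbot log or of syzkaller; it models that procedure with `git bisect run` on a throwaway repository it builds itself. The repository, its commit subjects and the CRASHES marker file (standing in for "the reproducer still triggers the KASAN report on this commit") are constructed for illustration; the only real dependency is an installed git.

```sh
#!/bin/sh
# Added example, not part of the syzbot log above: a self-contained model of
# the "fixing commit" bisection shown in the log, driven by `git bisect run`.
# Assumptions: git is installed; the repository, its commits and the CRASHES
# marker file are constructed here purely for illustration.
set -eu

# Build a throwaway history. The file CRASHES stands in for "the reproducer
# still triggers the KASAN report on this commit"; the fixing commit removes it.
make_history() {
    git -c init.defaultBranch=main init -q "$1"
    cd "$1"
    git config user.email "bisect@example.invalid"
    git config user.name "bisect"
    echo crash > CRASHES
    git add CRASHES
    git commit -q -m "base: reproducer crashes here"
    for n in 1 2 3 4 5; do
        echo "$n" > "unrelated$n"
        git add "unrelated$n"
        git commit -q -m "unrelated change $n"
    done
    git rm -q CRASHES
    git commit -q -m "fix: serialize every entry into the buggy layer"
    for n in 6 7 8; do
        echo "$n" > "unrelated$n"
        git add "unrelated$n"
        git commit -q -m "unrelated change $n"
    done
}

# Write the per-commit test that `git bisect run` executes. A fix bisection
# inverts the usual labels: a commit on which the crash STILL reproduces is
# marked good (exit 0), a commit on which it no longer reproduces is marked
# bad (exit 1). The "first bad commit" git reports is therefore the first
# commit on which the crash is gone, i.e. the fix.
write_check_script() {
    cat > "$1" <<'EOF'
#!/bin/sh
# Stand-in for "boot this kernel and run the reproducer 10 times": any run
# that crashes makes the whole commit count as crashing.
i=0
while [ "$i" -lt 10 ]; do
    if [ -f CRASHES ]; then
        exit 0   # crashed -> still buggy -> "good" in a fix bisection
    fi
    i=$((i + 1))
done
exit 1           # all runs OK -> crash gone -> "bad" in a fix bisection
EOF
    chmod +x "$1"
}

# Run the bisection and print the subject of the commit it identifies.
fix_bisect() (
    work=$(mktemp -d)
    make_history "$work/repo"
    write_check_script "$work/check.sh"
    crashing=$(git rev-list --max-parents=0 HEAD)   # commit the crash was reported on
    head=$(git rev-parse HEAD)                      # current HEAD, crash no longer reproduces
    # Mirrors "# git bisect start <HEAD> <crashing commit>" in the log:
    # HEAD is the "bad" end (no crash), the reported commit is the "good" end.
    git bisect start "$head" "$crashing" >/dev/null 2>&1
    git bisect run "$work/check.sh" >/dev/null 2>&1
    git log -1 --format=%s refs/bisect/bad          # the first "bad" commit = the fix
    git bisect reset >/dev/null 2>&1
    cd / && rm -rf "$work"
)

fix_bisect
```

Running the script prints the subject of the constructed fix commit; in the real log the same inversion is why the line "abc4ea7f1345398261295345fd9b30243e4f4f8e is the first bad commit" and the line "first good commit: abc4ea7f1345398261295345fd9b30243e4f4f8e" name the same commit. One caveat when doing this against a real kernel tree: a commit that fails to build must make the test script exit 125 so that `git bisect run` skips it, otherwise the build failure is recorded as "crash gone" and the bisection converges on the wrong commit.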