bisecting fixing commit since 1e4b044d22517cae7047c99038abb444423243ca
building syzkaller on f25e57704183544b0d540ef0035acfa6fb9071d7
testing commit 1e4b044d22517cae7047c99038abb444423243ca with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in __queue_work
run #1: crashed: KASAN: use-after-free Read in __queue_work
run #2: crashed: KASAN: use-after-free Read in __queue_work
run #3: crashed: WARNING: ODEBUG bug in p9_fd_close
run #4: crashed: KASAN: use-after-free Read in __queue_work
run #5: crashed: KASAN: use-after-free Read in __queue_work
run #6: crashed: KASAN: use-after-free Read in __queue_work
run #7: crashed: KASAN: use-after-free Read in __queue_work
run #8: crashed: WARNING: ODEBUG bug in p9_fd_close
run #9: crashed: KASAN: use-after-free Read in __queue_work
testing current HEAD d8778f13b73f1cde08be0ece18571dee495b92f1
testing commit d8778f13b73f1cde08be0ece18571dee495b92f1 with gcc (GCC) 8.1.0
all runs: OK
# git bisect start d8778f13b73f1cde08be0ece18571dee495b92f1 1e4b044d22517cae7047c99038abb444423243ca
Bisecting: 44261 revisions left to test after this (roughly 16 steps)
[889865cf54bddd8a4e258a11225bcbb646f90863] Merge branch 'tcp-change-pingpong-to-3-in-delayed-ack-logic'
testing commit 889865cf54bddd8a4e258a11225bcbb646f90863 with gcc (GCC) 8.1.0
all runs: boot failed: KASAN: use-after-free Read in generic_make_request
# git bisect skip 889865cf54bddd8a4e258a11225bcbb646f90863
Bisecting: 44262 revisions left to test after this (roughly 16 steps)
[4a41f453bedfd5e9cd040bad509d9da49feb3e2c] tcp: change pingpong threshold to 3
testing commit 4a41f453bedfd5e9cd040bad509d9da49feb3e2c with gcc (GCC) 8.1.0
run #0: boot failed: can't ssh into the instance
run #1: boot failed: KASAN: use-after-free Read in generic_make_request
run #2: boot failed: KASAN: use-after-free Read in generic_make_request
run #3: boot failed: KASAN: use-after-free Read in generic_make_request
run #4: boot failed: KASAN: use-after-free Read in generic_make_request
run #5: boot failed: KASAN: use-after-free Read in generic_make_request
run #6: boot failed: KASAN: use-after-free Read in generic_make_request
run #7: boot failed: KASAN: use-after-free Read in generic_make_request
run #8: boot failed: KASAN: use-after-free Read in generic_make_request
run #9: boot failed: KASAN: use-after-free Read in generic_make_request
# git bisect skip 4a41f453bedfd5e9cd040bad509d9da49feb3e2c
Bisecting: 44262 revisions left to test after this (roughly 16 steps)
[4fed072609b8aae27eac7169033f762867a5ab4c] perf srccode: Move struct definition from map.h to srccode.h
testing commit 4fed072609b8aae27eac7169033f762867a5ab4c with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 4fed072609b8aae27eac7169033f762867a5ab4c
Bisecting: 22118 revisions left to test after this (roughly 15 steps)
[62606c224d72a98c35d21a849f95cccf95b0a252] Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6
testing commit 62606c224d72a98c35d21a849f95cccf95b0a252 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 62606c224d72a98c35d21a849f95cccf95b0a252
Bisecting: 11032 revisions left to test after this (roughly 14 steps)
[2475c515d4031c494ff452508a8bf8c281ec6e56] Merge tag 'staging-4.19-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging
testing commit 2475c515d4031c494ff452508a8bf8c281ec6e56 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 2475c515d4031c494ff452508a8bf8c281ec6e56
Bisecting: 4730 revisions left to test after this (roughly 13 steps)
[9a76aba02a37718242d7cdc294f0a3901928aa57] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next
testing commit 9a76aba02a37718242d7cdc294f0a3901928aa57 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in __queue_work
# git bisect good 9a76aba02a37718242d7cdc294f0a3901928aa57
Bisecting: 2440 revisions left to test after this (roughly 11 steps)
[db06f826ec12bf0701ea7fc0a3c0aa00b84417c8] Merge tag 'clk-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux
testing commit db06f826ec12bf0701ea7fc0a3c0aa00b84417c8 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in __queue_work
run #1: crashed: KASAN: use-after-free Read in __queue_work
run #2: crashed: WARNING: ODEBUG bug in p9_fd_close
run #3: crashed: KASAN: use-after-free Read in __queue_work
run #4: crashed: KASAN: use-after-free Read in __queue_work
run #5: crashed: KASAN: use-after-free Read in __queue_work
run #6: crashed: KASAN: use-after-free Read in __queue_work
run #7: crashed: KASAN: use-after-free Read in __queue_work
run #8: crashed: KASAN: use-after-free Read in __queue_work
run #9: crashed: KASAN: use-after-free Read in __queue_work
# git bisect good db06f826ec12bf0701ea7fc0a3c0aa00b84417c8
Bisecting: 1174 revisions left to test after this (roughly 10 steps)
[6ada4e2826794bdf8d88f938a9ced0b80894b037] Merge branch 'akpm' (patches from Andrew)
testing commit 6ada4e2826794bdf8d88f938a9ced0b80894b037 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in __queue_work
run #1: crashed: KASAN: use-after-free Read in __queue_work
run #2: crashed: KASAN: use-after-free Read in __queue_work
run #3: crashed: KASAN: use-after-free Read in __queue_work
run #4: crashed: KASAN: use-after-free Read in __queue_work
run #5: crashed: KASAN: use-after-free Read in __queue_work
run #6: crashed: WARNING: ODEBUG bug in p9_fd_close
run #7: crashed: KASAN: use-after-free Read in __queue_work
run #8: crashed: KASAN: use-after-free Read in __queue_work
run #9: crashed: KASAN: use-after-free Read in __queue_work
# git bisect good 6ada4e2826794bdf8d88f938a9ced0b80894b037
Bisecting: 587 revisions left to test after this (roughly 9 steps)
[803ff424e46260d058daa998cc474639ca017f38] staging: gasket: core: convert to standard logging
testing commit 803ff424e46260d058daa998cc474639ca017f38 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in __queue_work
# git bisect good 803ff424e46260d058daa998cc474639ca017f38
Bisecting: 293 revisions left to test after this (roughly 8 steps)
[edec14020e3fcfb0a86bfa9f1d512b922697890f] staging: mt7621-pci: remove unused macros
testing commit edec14020e3fcfb0a86bfa9f1d512b922697890f with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in __queue_work
run #1: crashed: KASAN: use-after-free Read in __queue_work
run #2: crashed: KASAN: use-after-free Read in __queue_work
run #3: crashed: KASAN: use-after-free Read in __queue_work
run #4: crashed: KASAN: use-after-free Read in __queue_work
run #5: crashed: KASAN: use-after-free Read in __queue_work
run #6: crashed: KASAN: use-after-free Read in __queue_work
run #7: crashed: KASAN: use-after-free Read in __queue_work
run #8: crashed: WARNING: ODEBUG bug in p9_fd_close
run #9: crashed: WARNING: ODEBUG bug in p9_fd_close
# git bisect good edec14020e3fcfb0a86bfa9f1d512b922697890f
Bisecting: 129 revisions left to test after this (roughly 7 steps)
[45dd7af410b71da511085b806c22caf8ecca87e4] Merge tag 'usb-for-v4.19' of git://git.kernel.org/pub/scm/linux/kernel/git/balbi/usb into usb-next
testing commit 45dd7af410b71da511085b806c22caf8ecca87e4 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in __queue_work
run #1: crashed: KASAN: use-after-free Read in __queue_work
run #2: crashed: KASAN: use-after-free Read in __queue_work
run #3: crashed: KASAN: use-after-free Read in __queue_work
run #4: crashed: WARNING: ODEBUG bug in p9_fd_close
run #5: crashed: KASAN: use-after-free Read in __queue_work
run #6: crashed: KASAN: use-after-free Read in __queue_work
run #7: crashed: WARNING: ODEBUG bug in p9_fd_close
run #8: crashed: KASAN: use-after-free Read in __queue_work
run #9: crashed: KASAN: use-after-free Read in __queue_work
# git bisect good 45dd7af410b71da511085b806c22caf8ecca87e4
Bisecting: 64 revisions left to test after this (roughly 6 steps)
[628c534ae73581fd21a09a27b7a4222b01a44d64] serial: sh-sci: Improve support for separate TEI and DRI interrupts
testing commit 628c534ae73581fd21a09a27b7a4222b01a44d64 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in __queue_work
run #1: crashed: KASAN: use-after-free Read in __queue_work
run #2: crashed: KASAN: use-after-free Read in __queue_work
run #3: crashed: KASAN: use-after-free Read in __queue_work
run #4: crashed: KASAN: use-after-free Read in __queue_work
run #5: crashed: KASAN: use-after-free Read in __queue_work
run #6: crashed: KASAN: use-after-free Read in __queue_work
run #7: crashed: WARNING: ODEBUG bug in p9_fd_close
run #8: crashed: WARNING: ODEBUG bug in p9_fd_close
run #9: crashed: KASAN: use-after-free Read in __queue_work
# git bisect good 628c534ae73581fd21a09a27b7a4222b01a44d64
Bisecting: 29 revisions left to test after this (roughly 5 steps)
[336722eb9d9732c5a497fb6299bf38cde413592b] Merge tag 'tty-4.19-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty
testing commit 336722eb9d9732c5a497fb6299bf38cde413592b with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 336722eb9d9732c5a497fb6299bf38cde413592b
Bisecting: 16 revisions left to test after this (roughly 4 steps)
[10aa14527f458e9867cf3d2cc6b8cb0f6704448b] 9p: fix multiple NULL-pointer-dereferences
testing commit 10aa14527f458e9867cf3d2cc6b8cb0f6704448b with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 10aa14527f458e9867cf3d2cc6b8cb0f6704448b
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[f28cdf0430fc92acaa718e15598bdad6cb236a4d] 9p: Replace the fidlist with an IDR
testing commit f28cdf0430fc92acaa718e15598bdad6cb236a4d with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in __queue_work
run #1: crashed: WARNING: ODEBUG bug in p9_fd_close
run #2: crashed: KASAN: use-after-free Read in __queue_work
run #3: crashed: WARNING: ODEBUG bug in p9_fd_close
run #4: crashed: KASAN: use-after-free Read in __queue_work
run #5: crashed: KASAN: use-after-free Read in __queue_work
run #6: crashed: KASAN: use-after-free Read in __queue_work
run #7: crashed: WARNING: ODEBUG bug in p9_fd_close
run #8: crashed: KASAN: use-after-free Read in __queue_work
run #9: crashed: KASAN: use-after-free Read in __queue_work
# git bisect good f28cdf0430fc92acaa718e15598bdad6cb236a4d
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[31934da810365f603dec5a67e690e00cf900fc73] net/9p/virtio: Fix hard lockup in req_done
testing commit 31934da810365f603dec5a67e690e00cf900fc73 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in __queue_work
run #1: crashed: KASAN: use-after-free Read in __queue_work
run #2: crashed: KASAN: use-after-free Read in __queue_work
run #3: crashed: KASAN: use-after-free Read in __queue_work
run #4: crashed: WARNING: ODEBUG bug in p9_fd_close
run #5: crashed: KASAN: use-after-free Read in __queue_work
run #6: crashed: KASAN: use-after-free Read in __queue_work
run #7: crashed: KASAN: use-after-free Read in __queue_work
run #8: crashed: KASAN: use-after-free Read in __queue_work
run #9: crashed: KASAN: use-after-free Read in __queue_work
# git bisect good 31934da810365f603dec5a67e690e00cf900fc73
Bisecting: 2 revisions left to test after this (roughly 1 step)
[9f476d7c540cb57556d3cc7e78704e6cd5100f5f] net/9p/trans_fd.c: fix race by holding the lock
testing commit 9f476d7c540cb57556d3cc7e78704e6cd5100f5f with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 9f476d7c540cb57556d3cc7e78704e6cd5100f5f
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[430ac66eb4c5b5c4eb846b78ebf65747510b30f1] net/9p/trans_fd.c: fix race-condition by flushing workqueue before the kfree()
testing commit 430ac66eb4c5b5c4eb846b78ebf65747510b30f1 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 430ac66eb4c5b5c4eb846b78ebf65747510b30f1
430ac66eb4c5b5c4eb846b78ebf65747510b30f1 is the first bad commit
commit 430ac66eb4c5b5c4eb846b78ebf65747510b30f1
Author: Tomas Bortoli
Date: Fri Jul 20 11:27:30 2018 +0200

    net/9p/trans_fd.c: fix race-condition by flushing workqueue before the kfree()

    The patch adds the flush in p9_mux_poll_stop() as it the function used by p9_conn_destroy(), in turn called by p9_fd_close() to stop the async polling associated with the data regarding the connection.

    Link: http://lkml.kernel.org/r/20180720092730.27104-1-tomasbortoli@gmail.com
    Signed-off-by: Tomas Bortoli
    Reported-by: syzbot+39749ed7d9ef6dfb23f6@syzkaller.appspotmail.com
    To: Eric Van Hensbergen
    To: Ron Minnich
    To: Latchesar Ionkov
    Cc: Yiwen Jiang
    Cc: stable@vger.kernel.org
    Signed-off-by: Dominique Martinet

:040000 040000 2b90a26742f41f590296c62a5919e5585e6c55de 580948df285ae96f8ff9ccd49ec535c78ad96685 M net
revisions tested: 20, total time: 4h46m0.64735883s (build: 1h45m3.260870219s, test: 2h50m44.852090335s)
first good commit: 430ac66eb4c5b5c4eb846b78ebf65747510b30f1 net/9p/trans_fd.c: fix race-condition by flushing workqueue before the kfree()
cc: ["asmadeus@codewreck.org" "davem@davemloft.net" "dominique.martinet@cea.fr" "ericvh@gmail.com" "jiangyiwen@huwei.com" "linux-kernel@vger.kernel.org" "lucho@ionkov.net" "netdev@vger.kernel.org" "tomasbortoli@gmail.com" "v9fs-developer@lists.sourceforge.net"]