bisecting cause commit starting from 442b8cea2477fa95c22f28ca982addb5bc6b0845
building syzkaller on 4b6d14f266bcae8f1856f987c2194f36eadef83b
testing commit 442b8cea2477fa95c22f28ca982addb5bc6b0845 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in trailing_symlink
run #1: crashed: KASAN: use-after-free Read in link_path_walk
run #2: crashed: KASAN: use-after-free Read in link_path_walk
run #3: crashed: KASAN: use-after-free Read in link_path_walk
run #4: crashed: KASAN: use-after-free Read in link_path_walk
run #5: crashed: KASAN: use-after-free Read in trailing_symlink
run #6: crashed: KASAN: use-after-free Read in trailing_symlink
run #7: crashed: KASAN: use-after-free Read in trailing_symlink
run #8: OK
run #9: OK
testing release v4.19
testing commit 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in link_path_walk
run #1: crashed: KASAN: use-after-free Read in link_path_walk
run #2: crashed: KASAN: use-after-free Read in trailing_symlink
run #3: crashed: KASAN: use-after-free Read in trailing_symlink
run #4: crashed: KASAN: use-after-free Read in trailing_symlink
run #5: crashed: KASAN: use-after-free Read in link_path_walk
run #6: crashed: KASAN: use-after-free Read in link_path_walk
run #7: crashed: KASAN: use-after-free Read in link_path_walk
run #8: crashed: KASAN: use-after-free Read in trailing_symlink
run #9: crashed: KASAN: use-after-free Read in trailing_symlink
testing release v4.18
testing commit 94710cac0ef4ee177a63b5227664b38c95bbf703 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in link_path_walk
run #1: crashed: KASAN: use-after-free Read in trailing_symlink
run #2: crashed: KASAN: use-after-free Read in link_path_walk
run #3: crashed: KASAN: use-after-free Read in link_path_walk
run #4: crashed: KASAN: use-after-free Read in trailing_symlink
run #5: crashed: KASAN: use-after-free Read in trailing_symlink
run #6: crashed: KASAN: use-after-free Read in link_path_walk
run #7: crashed: KASAN: use-after-free Read in trailing_symlink
run #8: crashed: KASAN: use-after-free Read in trailing_symlink
run #9: crashed: KASAN: use-after-free Read in link_path_walk
testing release v4.17
testing commit 29dcea88779c856c7dc92040a0c01233263101d4 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in link_path_walk
run #1: crashed: KASAN: use-after-free Read in link_path_walk
run #2: crashed: KASAN: use-after-free Read in link_path_walk
run #3: crashed: KASAN: use-after-free Read in trailing_symlink
run #4: crashed: KASAN: use-after-free Read in link_path_walk
run #5: crashed: KASAN: use-after-free Read in trailing_symlink
run #6: crashed: KASAN: use-after-free Read in link_path_walk
run #7: crashed: KASAN: use-after-free Read in link_path_walk
run #8: crashed: KASAN: use-after-free Read in trailing_symlink
run #9: crashed: KASAN: use-after-free Read in link_path_walk
testing release v4.16
testing commit 0adb32858b0bddf4ada5f364a84ed60b196dbcda with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in link_path_walk
run #1: crashed: KASAN: use-after-free Read in trailing_symlink
run #2: crashed: KASAN: use-after-free Read in trailing_symlink
run #3: crashed: KASAN: use-after-free Read in link_path_walk
run #4: crashed: KASAN: use-after-free Read in link_path_walk
run #5: crashed: KASAN: use-after-free Read in link_path_walk
run #6: crashed: KASAN: use-after-free Read in link_path_walk
run #7: crashed: KASAN: use-after-free Read in trailing_symlink
run #8: crashed: KASAN: use-after-free Read in trailing_symlink
run #9: OK
testing release v4.15
testing commit d8a5b80568a9cb66810e75b182018e9edb68e8ff with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in trailing_symlink
run #1: crashed: KASAN: use-after-free Read in trailing_symlink
run #2: crashed: KASAN: use-after-free Read in trailing_symlink
run #3: crashed: KASAN: use-after-free Read in link_path_walk
run #4: crashed: KASAN: use-after-free Read in link_path_walk
run #5: crashed: KASAN: use-after-free Read in link_path_walk
run #6: crashed: KASAN: use-after-free Read in link_path_walk
run #7: crashed: KASAN: use-after-free Read in link_path_walk
run #8: crashed: KASAN: use-after-free Read in link_path_walk
run #9: OK
testing release v4.14
testing commit bebc6082da0a9f5d47a1ea2edc099bf671058bd4 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in link_path_walk
run #1: crashed: KASAN: use-after-free Read in link_path_walk
run #2: crashed: KASAN: use-after-free Read in link_path_walk
run #3: crashed: KASAN: use-after-free Read in link_path_walk
run #4: crashed: KASAN: use-after-free Read in link_path_walk
run #5: crashed: KASAN: use-after-free Read in link_path_walk
run #6: crashed: KASAN: use-after-free Read in link_path_walk
run #7: crashed: KASAN: use-after-free Read in link_path_walk
run #8: crashed: KASAN: use-after-free Read in link_path_walk
run #9: OK
testing release v4.13
testing commit 569dbb88e80deb68974ef6fdd6a13edb9d686261 with gcc (GCC) 8.1.0
all runs: OK
# git bisect start v4.14 v4.13
Bisecting: 7300 revisions left to test after this (roughly 13 steps)
[15d8ffc96464f6571ecf22043c45fad659f11bdd] Merge tag 'mmc-v4.14' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc
testing commit 15d8ffc96464f6571ecf22043c45fad659f11bdd with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in link_path_walk
run #1: crashed: KASAN: use-after-free Read in link_path_walk
run #2: crashed: KASAN: use-after-free Read in link_path_walk
run #3: crashed: KASAN: use-after-free Read in trailing_symlink
run #4: crashed: KASAN: use-after-free Read in trailing_symlink
run #5: crashed: KASAN: use-after-free Read in link_path_walk
run #6: crashed: KASAN: use-after-free Read in link_path_walk
run #7: crashed: KASAN: use-after-free Read in link_path_walk
run #8: crashed: KASAN: use-after-free Read in trailing_symlink
run #9: OK
# git bisect bad 15d8ffc96464f6571ecf22043c45fad659f11bdd
Bisecting: 3676 revisions left to test after this (roughly 12 steps)
[bafb0762cb6a906eb4105cccfb3bcd90be7f40d2] Merge tag 'char-misc-4.14-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc
testing commit bafb0762cb6a906eb4105cccfb3bcd90be7f40d2 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in trailing_symlink
run #1: crashed: KASAN: use-after-free Read in link_path_walk
run #2: crashed: KASAN: use-after-free Read in link_path_walk
run #3: OK
run #4: crashed: KASAN: use-after-free Read in link_path_walk
run #5: crashed: KASAN: use-after-free Read in trailing_symlink
run #6: crashed: KASAN: use-after-free Read in trailing_symlink
run #7: crashed: KASAN: use-after-free Read in link_path_walk
run #8: crashed: KASAN: use-after-free Read in trailing_symlink
run #9: crashed: KASAN: use-after-free Read in link_path_walk
# git bisect bad bafb0762cb6a906eb4105cccfb3bcd90be7f40d2
Bisecting: 1794 revisions left to test after this (roughly 11 steps)
[9657752cb5039c7498d4b27c4a75530f93b87d9b] Merge branch 'perf-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
testing commit 9657752cb5039c7498d4b27c4a75530f93b87d9b with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in trailing_symlink
run #1: crashed: KASAN: use-after-free Read in link_path_walk
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 9657752cb5039c7498d4b27c4a75530f93b87d9b
Bisecting: 870 revisions left to test after this (roughly 10 steps)
[735f463af70e9601881ec879961ec42aef051733] Merge tag 'drm-intel-next-2017-08-18' of git://anongit.freedesktop.org/git/drm-intel into drm-next
testing commit 735f463af70e9601881ec879961ec42aef051733 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 735f463af70e9601881ec879961ec42aef051733
Bisecting: 430 revisions left to test after this (roughly 9 steps)
[aa9d4648c2fbb455df7750ade1b73dd9ad9b3690] Merge tag 'for-linus-ioctl' of git://git.kernel.org/pub/scm/linux/kernel/git/dledford/rdma
testing commit aa9d4648c2fbb455df7750ade1b73dd9ad9b3690 with gcc (GCC) 8.1.0
run #0: OK
run #1: crashed: KASAN: use-after-free Read in link_path_walk
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad aa9d4648c2fbb455df7750ade1b73dd9ad9b3690
Bisecting: 219 revisions left to test after this (roughly 8 steps)
[9161860463e38e1046a5fd57130be150cc0cac5d] IB/hfi1: Add flag for platform config scratch register read
testing commit 9161860463e38e1046a5fd57130be150cc0cac5d with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in link_path_walk
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 9161860463e38e1046a5fd57130be150cc0cac5d
Bisecting: 109 revisions left to test after this (roughly 7 steps)
[3ffea7d8cd9e3f8f96514ac499f2510ad2f31d11] IB/{rdmavt, hfi1, qib}: Fix panic with post receive and SGE compression
testing commit 3ffea7d8cd9e3f8f96514ac499f2510ad2f31d11 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 3ffea7d8cd9e3f8f96514ac499f2510ad2f31d11
Bisecting: 53 revisions left to test after this (roughly 6 steps)
[d0d62c34fb746eaf68df5b3d6f4877c7d1e6320c] Merge branch 'rdma-netlink' into k.o/merge-test
testing commit d0d62c34fb746eaf68df5b3d6f4877c7d1e6320c with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in link_path_walk
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad d0d62c34fb746eaf68df5b3d6f4877c7d1e6320c
Bisecting: 27 revisions left to test after this (roughly 5 steps)
[ac50525374315b9b609747f83b07f8dccb06b722] RDMA/netlink: Expose device and port capability masks
testing commit ac50525374315b9b609747f83b07f8dccb06b722 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good ac50525374315b9b609747f83b07f8dccb06b722
Bisecting: 17 revisions left to test after this (roughly 4 steps)
[ac3a949fb2fff36bebdc4fab90567ed349ea7245] IB/CM: Set appropriate slid and dlid when handling CM request
testing commit ac3a949fb2fff36bebdc4fab90567ed349ea7245 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good ac3a949fb2fff36bebdc4fab90567ed349ea7245
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[db14dff1743e4cd3d840950ad8d735b8957aaf6a] Merge tag 'rdma-next-2017-08-10' of git://git.kernel.org/pub/scm/linux/kernel/git/leon/linux-rdma into rdma-netlink
testing commit db14dff1743e4cd3d840950ad8d735b8957aaf6a with gcc (GCC) 8.1.0
all runs: OK
# git bisect good db14dff1743e4cd3d840950ad8d735b8957aaf6a
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[c66cd353bbe6869a059869a7a1518ec619afdc9d] RDMA/core: expose affinity mappings per completion vector
testing commit c66cd353bbe6869a059869a7a1518ec619afdc9d with gcc (GCC) 8.1.0
run #0: OK
run #1: crashed: KASAN: use-after-free Read in link_path_walk
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad c66cd353bbe6869a059869a7a1518ec619afdc9d
Bisecting: 1 revision left to test after this (roughly 1 step)
[a85e5474f4c783b252bf6b80571cdb2abb7d69d9] mlx5e: don't assume anything on the irq affinity mappings of the device
testing commit a85e5474f4c783b252bf6b80571cdb2abb7d69d9 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good a85e5474f4c783b252bf6b80571cdb2abb7d69d9
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[a435393acafbf0ecff4deb3e3cb554b34f0d0664] mlx5: move affinity hints assignments to generic code
testing commit a435393acafbf0ecff4deb3e3cb554b34f0d0664 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in link_path_walk
run #1: crashed: KASAN: use-after-free Read in link_path_walk
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad a435393acafbf0ecff4deb3e3cb554b34f0d0664
a435393acafbf0ecff4deb3e3cb554b34f0d0664 is the first bad commit
commit a435393acafbf0ecff4deb3e3cb554b34f0d0664
Author: Sagi Grimberg <sagi@grimberg.me>
Date:   Thu Jul 13 11:09:40 2017 +0300

    mlx5: move affinity hints assignments to generic code
    
    generic api takes care of spreading affinity similar to
    what mlx5 open coded (and even handles better asymmetric
    configurations). Ask the generic API to spread affinity
    for us, and feed him pre_vectors that do not participate
    in affinity settings (which is an improvement to what we
    had before).
    
    The affinity assignments should match what mlx5 tried to
    do earlier but now we do not set affinity to async, cmd
    and pages dedicated vectors.
    
    Also, remove mlx5e_get_cpu and introduce mlx5e_get_node
    (used for allocation purposes) and mlx5_get_vector_affinity
    (for indirection table construction) as they provide the needed
    information. Luckily, we have generic helpers to get cpumask
    and node given a irq vector. mlx5_get_vector_affinity will
    be used by mlx5_ib in a subsequent patch.
    
    Reviewed-by: Christoph Hellwig <hch@lst.de>
    Acked-by: Leon Romanovsky <leonro@mellanox.com>
    Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
    Signed-off-by: Doug Ledford <dledford@redhat.com>

:040000 040000 bdeadc60a3afeb24a2a57c284c1eabc68f4dc192 12dba34d1ad00d9278a3bf5d50a7336a9e897bab M	drivers
:040000 040000 e3d74423684d8ebcaed9ca71ee9e6ea8ef398e8a 0d63e04209a54bb157f2a749a839b5f59d497232 M	include
revisions tested: 22, total time: 5h49m3.277131299s (build: 1h57m28.393920766s, test: 3h45m14.777642794s)
first bad commit: a435393acafbf0ecff4deb3e3cb554b34f0d0664 mlx5: move affinity hints assignments to generic code
cc: ["dledford@redhat.com" "hch@lst.de" "leonro@mellanox.com" "sagi@grimberg.me"]
crash: KASAN: use-after-free Read in link_path_walk
==================================================================
BUG: KASAN: use-after-free in link_path_walk+0x1198/0x18e0 fs/namei.c:2063
Read of size 1 at addr ffff8801d1793282 by task syz-executor3/31766

CPU: 0 PID: 31766 Comm: syz-executor3 Not tainted 4.13.0-rc2+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:16 [inline]
 dump_stack+0x145/0x1e1 lib/dump_stack.c:52
 print_address_description.cold.7+0x9/0x1c9 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report.cold.8+0x121/0x2da mm/kasan/report.c:408
 __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:426
 link_path_walk+0x1198/0x18e0 fs/namei.c:2063
 path_lookupat.isra.39+0x1a1/0xc00 fs/namei.c:2301
 filename_lookup+0x22e/0x480 fs/namei.c:2336
 user_path_at_empty+0x31/0x40 fs/namei.c:2590
 user_path include/linux/namei.h:61 [inline]
 do_mount+0x119/0x2c20 fs/namespace.c:2721
 SYSC_mount fs/namespace.c:2992 [inline]
 SyS_mount+0xb8/0xd0 fs/namespace.c:2969
 entry_SYSCALL_64_fastpath+0x23/0xc2
RIP: 0033:0x4576b9
RSP: 002b:00007fb8e2ed1c78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00000000004576b9
RDX: 0000000020000040 RSI: 0000000020000000 RDI: 0000000000000000
RBP: 0000000000000082 R08: 0000000020000340 R09: 0000000000000000
R10: 0000000000200000 R11: 0000000000000246 R12: 000000000072bf0c
R13: 00007ffc5d5c192f R14: 00007fb8e2ed29c0 R15: 0000000000000000

Allocated by task 31776:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:551
 __do_kmalloc mm/slab.c:3725 [inline]
 __kmalloc_track_caller+0x143/0x7a0 mm/slab.c:3740
 kstrdup+0x2c/0x60 mm/util.c:56
 bpf_symlink+0x1e/0x100 kernel/bpf/inode.c:200
 vfs_symlink+0x2f4/0x520 fs/namei.c:4107
 SYSC_symlinkat fs/namei.c:4134 [inline]
 SyS_symlinkat fs/namei.c:4114 [inline]
 SYSC_symlink fs/namei.c:4147 [inline]
 SyS_symlink+0x1a9/0x210 fs/namei.c:4145
 entry_SYSCALL_64_fastpath+0x23/0xc2

Freed by task 31781:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3503 [inline]
 kfree+0xcc/0x270 mm/slab.c:3820
 bpf_evict_inode+0xe8/0x120 kernel/bpf/inode.c:375
 evict+0x452/0x9d0 fs/inode.c:553
 iput_final fs/inode.c:1514 [inline]
 iput+0x52c/0xad0 fs/inode.c:1541
 do_unlinkat+0x5f8/0x910 fs/namei.c:4049
 SYSC_unlink fs/namei.c:4090 [inline]
 SyS_unlink+0x11/0x20 fs/namei.c:4088
 entry_SYSCALL_64_fastpath+0x23/0xc2

The buggy address belongs to the object at ffff8801d1793280
 which belongs to the cache kmalloc-32 of size 32
The buggy address is located 2 bytes inside of
 32-byte region [ffff8801d1793280, ffff8801d17932a0)
The buggy address belongs to the page:
page:ffffea000745e4c0 count:1 mapcount:0 mapping:ffff8801d1793000 index:0xffff8801d1793fc1
flags: 0x2fffc0000000100(slab)
raw: 02fffc0000000100 ffff8801d1793000 ffff8801d1793fc1 0000000100000020
raw: ffffea00074161a0 ffffea000740b9a0 ffff8801da8001c0 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801d1793180: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
 ffff8801d1793200: fb fb fb fb fc fc fc fc 00 fc fc fc fc fc fc fc
>ffff8801d1793280: fb fb fb fb fc fc fc fc 00 fc fc fc fc fc fc fc
                   ^
 ffff8801d1793300: 05 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc
 ffff8801d1793380: 00 01 fc fc fc fc fc fc fb fb fb fb fc fc fc fc
==================================================================