bisecting cause commit starting from fedb8da96355f5f64353625bf96dc69423ad1826
building syzkaller on 2eeda842c89d39fee894ae34dca9829e3d77cf43
testing commit fedb8da96355f5f64353625bf96dc69423ad1826 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in p9_poll_workfn
testing release v4.17
testing commit 29dcea88779c856c7dc92040a0c01233263101d4 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in p9_poll_workfn
testing release v4.16
testing commit 0adb32858b0bddf4ada5f364a84ed60b196dbcda with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in p9_poll_workfn
testing release v4.15
testing commit d8a5b80568a9cb66810e75b182018e9edb68e8ff with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in p9_conn_cancel
run #1: crashed: KASAN: use-after-free Read in p9_conn_cancel
run #2: crashed: KASAN: use-after-free Read in p9_conn_cancel
run #3: crashed: KASAN: use-after-free Read in p9_conn_cancel
run #4: crashed: KASAN: use-after-free Read in p9_conn_cancel
run #5: crashed: KASAN: use-after-free Read in p9_poll_workfn
run #6: crashed: KASAN: use-after-free Read in p9_poll_workfn
run #7: crashed: KASAN: use-after-free Read in p9_conn_cancel
run #8: crashed: KASAN: use-after-free Read in p9_conn_cancel
run #9: crashed: KASAN: use-after-free Read in __queue_work
testing release v4.14
testing commit bebc6082da0a9f5d47a1ea2edc099bf671058bd4 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in p9_conn_cancel
testing release v4.13
testing commit 569dbb88e80deb68974ef6fdd6a13edb9d686261 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in p9_conn_cancel
run #1: crashed: KASAN: use-after-free Read in p9_poll_workfn
run #2: crashed: KASAN: use-after-free Read in p9_conn_cancel
run #3: crashed: KASAN: use-after-free Read in p9_poll_workfn
run #4: crashed: KASAN: use-after-free Read in p9_conn_cancel
run #5: crashed: KASAN: use-after-free Read in p9_conn_cancel
run #6: crashed: KASAN: use-after-free Read in p9_conn_cancel
run #7: crashed: KASAN: use-after-free Read in p9_conn_cancel
run #8: crashed: KASAN: use-after-free Read in p9_conn_cancel
run #9: OK
testing release v4.12
testing commit 6f7da290413ba713f0cdd9ff1a2a9bb129ef4f6c with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in p9_conn_cancel
run #1: crashed: KASAN: use-after-free Read in p9_conn_cancel
run #2: crashed: KASAN: use-after-free Read in p9_conn_cancel
run #3: crashed: KASAN: use-after-free Read in p9_conn_cancel
run #4: crashed: KASAN: use-after-free Read in p9_conn_cancel
run #5: crashed: KASAN: use-after-free Read in p9_conn_cancel
run #6: crashed: KASAN: use-after-free Read in p9_conn_cancel
run #7: crashed: KASAN: use-after-free Read in p9_conn_cancel
run #8: OK
run #9: OK
testing release v4.11
testing commit a351e9b9fc24e982ec2f0e76379a49826036da12 with gcc (GCC) 7.3.0
run #0: crashed: KASAN: use-after-free Read in p9_conn_cancel
run #1: crashed: KASAN: use-after-free Read in p9_conn_cancel
run #2: crashed: KASAN: use-after-free Read in p9_conn_cancel
run #3: crashed: KASAN: use-after-free Read in p9_poll_workfn
run #4: crashed: KASAN: use-after-free Read in p9_conn_cancel
run #5: crashed: KASAN: use-after-free Read in p9_conn_cancel
run #6: crashed: KASAN: use-after-free Read in p9_conn_cancel
run #7: crashed: KASAN: use-after-free Read in p9_fd_poll
run #8: crashed: KASAN: use-after-free Read in p9_conn_cancel
run #9: OK
testing release v4.10
testing commit c470abd4fde40ea6a0846a2beab642a578c0b8cd with gcc (GCC) 5.5.0
run #0: crashed: KASAN: use-after-free Read in p9_conn_cancel
run #1: crashed: KASAN: use-after-free Read in p9_conn_cancel
run #2: crashed: KASAN: use-after-free Read in p9_conn_cancel
run #3: crashed: KASAN: use-after-free Read in p9_conn_cancel
run #4: crashed: KASAN: use-after-free Read in p9_poll_workfn
run #5: crashed: KASAN: use-after-free Read in p9_poll_workfn
run #6: crashed: KASAN: use-after-free Read in p9_conn_cancel
run #7: crashed: KASAN: use-after-free Read in p9_conn_cancel
run #8: crashed: KASAN: use-after-free Read in p9_conn_cancel
run #9: crashed: KASAN: use-after-free Read in p9_conn_cancel
testing release v4.9
testing commit 69973b830859bc6529a7a0468ba0d80ee5117826 with gcc (GCC) 5.5.0
run #0: crashed: KASAN: use-after-free Read in p9_conn_cancel
run #1: crashed: KASAN: use-after-free Read in p9_conn_cancel
run #2: crashed: KASAN: use-after-free Read in p9_conn_cancel
run #3: crashed: KASAN: use-after-free Read in p9_conn_cancel
run #4: crashed: KASAN: use-after-free Read in p9_poll_workfn
run #5: crashed: KASAN: use-after-free Read in p9_conn_cancel
run #6: crashed: KASAN: use-after-free Read in p9_conn_cancel
run #7: crashed: KASAN: use-after-free Read in p9_poll_workfn
run #8: crashed: KASAN: use-after-free Read in p9_conn_cancel
run #9: crashed: KASAN: use-after-free Read in p9_conn_cancel
testing release v4.8
testing commit c8d2bc9bc39ebea8437fd974fdbc21847bb897a3 with gcc (GCC) 5.5.0
run #0: crashed: KASAN: use-after-free Read in p9_conn_cancel
run #1: crashed: KASAN: use-after-free Read in p9_conn_cancel
run #2: crashed: KASAN: use-after-free Read in p9_conn_cancel
run #3: crashed: KASAN: use-after-free Read in p9_conn_cancel
run #4: crashed: KASAN: use-after-free Read in p9_conn_cancel
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
testing release v4.7
testing commit 523d939ef98fd712632d93a5a2b588e477a7565e with gcc (GCC) 5.5.0
run #0: crashed: KASAN: use-after-free Read in p9_conn_cancel
run #1: crashed: KASAN: use-after-free Read in p9_conn_cancel
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
testing release v4.6
testing commit 2dcd0af568b0cf583645c8a317dd12e344b1c72a with gcc (GCC) 5.5.0
run #0: crashed: KASAN: out-of-bounds Read in p9_conn_cancel
run #1: crashed: KASAN: out-of-bounds Read in p9_conn_cancel
run #2: crashed: KASAN: out-of-bounds Read in p9_conn_cancel
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
testing release v4.5
testing commit b562e44f507e863c6792946e4e1b1449fbbac85d with gcc (GCC) 5.5.0
run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in p9_conn_cancel
run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in p9_conn_cancel
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
testing release v4.4
testing commit afd2ff9b7e1b367172f18ba7f693dfb62bdcb2dc with gcc (GCC) 5.5.0
run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in p9_conn_cancel
run #1: crashed: WARNING in work_fixup_activate
run #2: crashed: BUG: bad unlock balance detected! ]
run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in p9_conn_cancel
run #4: OK
run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in p9_conn_cancel
run #6: OK
run #7: OK
run #8: OK
run #9: OK
testing release v4.3
testing commit 6a13feb9c82803e2b815eca72fa7a9f5561d7861 with gcc (GCC) 5.5.0
run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in p9_conn_cancel
run #1: crashed: WARNING in work_fixup_activate
run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in p9_conn_cancel
run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in p9_conn_cancel
run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in p9_conn_cancel
run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in p9_conn_cancel
run #6: OK
run #7: OK
run #8: OK
run #9: OK
testing release v4.2
testing commit 64291f7db5bd8150a74ad2036f1037e6a0428df2 with gcc (GCC) 5.5.0
run #0: crashed: no output from test machine
run #1: crashed: WARNING in work_fixup_activate
run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in p9_conn_cancel
run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in p9_conn_cancel
run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in p9_conn_cancel
run #5: OK
run #6: OK
run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in p9_conn_cancel
run #8: OK
run #9: OK
testing release v4.1
testing commit b953c0d234bc72e8489d3bf51a276c5c4ec85345 with gcc (GCC) 5.5.0
run #0: crashed: no output from test machine
run #1: crashed: no output from test machine
run #2: crashed: no output from test machine
run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in p9_conn_cancel
run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in p9_conn_cancel
run #5: crashed: WARNING in work_fixup_activate
run #6: OK
run #7: OK
run #8: OK
run #9: crashed: BUG: unable to handle kernel NULL pointer dereference in p9_conn_cancel
revisions tested: 18, total time: 3h55m9.457113069s (build: 57m31.891276722s, test: 2h52m32.421029788s)
the crash already happened on the oldest tested release
commit msg: Linux 4.1
crash: BUG: unable to handle kernel NULL pointer dereference in p9_conn_cancel
BUG: unable to handle kernel NULL pointer dereference at 0000000000000018
IP: [] __lock_acquire+0x2b0/0x1c70 kernel/locking/lockdep.c:3093
PGD 205efd067 PUD 209cfc067 PMD 0
Oops: 0000 [#1] SMP
Modules linked in:
CPU: 1 PID: 20989 Comm: kworker/1:0 Not tainted 4.1.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events p9_poll_workfn
task: ffff8800b9c58210 ti: ffff8802148e4000 task.ti: ffff8802148e4000
RIP: 0010:[] [] __lock_acquire+0x2b0/0x1c70 kernel/locking/lockdep.c:3093
RSP: 0018:ffff8802148e7b68 EFLAGS: 00010002
RAX: 0000000000000086 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000001
RBP: ffff8802148e7c28 R08: 0000000000000001 R09: 0000000000000001
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000001
R13: 0000000000000000 R14: 0000000000000018 R15: ffff8800b9c58210
FS: 0000000000000000(0000) GS:ffff88021fd00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000018 CR3: 00000001fb391000 CR4: 00000000001407e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
 0000000000000007 ffff8800b9c58210 0000000000000006 ffff8800b9c58a30
 ffff8802148e7bc8 ffffffff00000001 0000000000000000 ffff880000000000
 ffffffff822d1379 ffff88020f9ffc00 ffffffff82d94e60 0000000000000080
Call Trace:
 [] lock_acquire+0xe0/0x2f0 kernel/locking/lockdep.c:3623
 [] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:112 [inline]
 [] _raw_spin_lock_irqsave+0x5f/0x90 kernel/locking/spinlock.c:159
 [] p9_conn_cancel+0x2c/0x170 net/9p/trans_fd.c:205
 [] p9_poll_mux net/9p/trans_fd.c:626 [inline]
 [] p9_poll_workfn+0x11e/0x160 net/9p/trans_fd.c:1093
 [] process_one_work+0x20e/0x850 kernel/workqueue.c:2025
 [] worker_thread+0x4b/0x470 kernel/workqueue.c:2157
 [] kthread+0xea/0x100 drivers/block/aoe/aoecmd.c:1312
 [] ret_from_fork+0x42/0x70 arch/x86/kernel/entry_64.S:639
Code: 31 c0 e8 0b 0e 10 01 e8 5c 40 10 01 0f 1f 80 00 00 00 00 31 db 48 81 c4 98 00 00 00 89 d8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 66 90 <49> 81 3e 00 03 fc 82 b8 00 00 00 00 44 0f 44 e0 41 83 fd 01 0f
RIP [] __lock_acquire+0x2b0/0x1c70 kernel/locking/lockdep.c:3232
 RSP
CR2: 0000000000000018
---[ end trace a1d00b9ba5dc74d8 ]---