bisecting cause commit starting from 3eb2ce825ea1ad89d20f7a3b5780df850e4be274 building syzkaller on e033c1f167809d025521a34e0f97bbc207b880f8 testing commit 3eb2ce825ea1ad89d20f7a3b5780df850e4be274 with gcc (GCC) 8.1.0 kernel signature: e5689eb3c8d2a3de65cf2bae1fefe302bf876b84 all runs: crashed: KASAN: use-after-free Read in cma_cancel_operation testing release v4.15 testing commit d8a5b80568a9cb66810e75b182018e9edb68e8ff with gcc (GCC) 8.1.0 kernel signature: 29bea7cccc0fa116719855cb3a14df475041a6a5 all runs: crashed: KASAN: use-after-free Read in cma_cancel_operation testing release v4.14 testing commit bebc6082da0a9f5d47a1ea2edc099bf671058bd4 with gcc (GCC) 8.1.0 kernel signature: 2682d2c65b6595b84f68e8bbb46ca111b844d2e1 all runs: crashed: KASAN: use-after-free Read in cma_cancel_operation testing release v4.13 testing commit 569dbb88e80deb68974ef6fdd6a13edb9d686261 with gcc (GCC) 8.1.0 kernel signature: 922c4f847f693ea1ecb4dbd524488fd97ed4d594 all runs: crashed: KASAN: use-after-free Read in cma_cancel_operation testing release v4.12 testing commit 6f7da290413ba713f0cdd9ff1a2a9bb129ef4f6c with gcc (GCC) 8.1.0 kernel signature: e6a58a46ab9eb4889c60d1e9136855bdcf6c6a3f all runs: crashed: KASAN: use-after-free Read in cma_cancel_operation testing release v4.11 testing commit a351e9b9fc24e982ec2f0e76379a49826036da12 with gcc (GCC) 7.3.0 kernel signature: dd62ff015db882cba7ec942e0e2f0840dc3646b1 run #0: crashed: KASAN: use-after-free Read in cma_cancel_operation run #1: crashed: KASAN: use-after-free Read in cma_cancel_operation run #2: crashed: KASAN: use-after-free Read in cma_cancel_operation run #3: crashed: KASAN: use-after-free Read in cma_cancel_operation run #4: crashed: KASAN: use-after-free Read in rdma_listen run #5: crashed: KASAN: use-after-free Read in cma_cancel_operation run #6: crashed: KASAN: use-after-free Read in cma_cancel_operation run #7: crashed: KASAN: use-after-free Read in cma_cancel_operation run #8: crashed: KASAN: use-after-free Read in cma_cancel_operation run #9: crashed: KASAN: use-after-free Read in cma_cancel_operation testing release v4.10 testing commit c470abd4fde40ea6a0846a2beab642a578c0b8cd with gcc (GCC) 5.5.0 kernel signature: 355c73c0a1bbea7b4b7014aeee9e95c5e56ff94c all runs: crashed: KASAN: use-after-free Read in cma_cancel_operation testing release v4.9 testing commit 69973b830859bc6529a7a0468ba0d80ee5117826 with gcc (GCC) 5.5.0 kernel signature: 57a9f7371c37dcc759dec6af2bf5fbeecf6f1c4b all runs: crashed: KASAN: use-after-free Read in cma_cancel_operation testing release v4.8 testing commit c8d2bc9bc39ebea8437fd974fdbc21847bb897a3 with gcc (GCC) 5.5.0 kernel signature: c03deb8bddce60be6138eff4e7394c6a88ca12c9 run #0: crashed: KASAN: use-after-free Read in cma_cancel_operation run #1: crashed: KASAN: use-after-free Read in cma_cancel_operation run #2: crashed: KASAN: use-after-free Read in rdma_listen run #3: crashed: KASAN: use-after-free Read in cma_cancel_operation run #4: crashed: KASAN: use-after-free Read in cma_cancel_operation run #5: crashed: KASAN: use-after-free Read in cma_cancel_operation run #6: crashed: KASAN: use-after-free Read in cma_cancel_operation run #7: crashed: KASAN: use-after-free Read in cma_cancel_operation run #8: crashed: KASAN: use-after-free Read in cma_cancel_operation run #9: crashed: KASAN: use-after-free Read in cma_cancel_operation testing release v4.7 testing commit 523d939ef98fd712632d93a5a2b588e477a7565e with gcc (GCC) 5.5.0 kernel signature: 36d1e82d3d682ba23d2788bfffc5392cf6862916 all runs: crashed: KASAN: use-after-free Read in cma_cancel_operation testing release v4.6 testing commit 2dcd0af568b0cf583645c8a317dd12e344b1c72a with gcc (GCC) 5.5.0 kernel signature: 6e38cab4abc3776bd27df3d17b071396dd829d69 run #0: crashed: KASAN: use-after-free Read in cma_cancel_operation run #1: crashed: KASAN: use-after-free Read in cma_cancel_operation run #2: crashed: KASAN: use-after-free Read in cma_cancel_operation run #3: crashed: KASAN: use-after-free Read in cma_cancel_operation run #4: crashed: KASAN: use-after-free Read in cma_cancel_operation run #5: crashed: KASAN: use-after-free Read in cma_cancel_operation run #6: crashed: KASAN: use-after-free Read in cma_cancel_operation run #7: crashed: KASAN: use-after-free Read in cma_cancel_operation run #8: crashed: KASAN: use-after-free Read in cma_cancel_operation run #9: crashed: KASAN: out-of-bounds Read in cma_cancel_operation testing release v4.5 testing commit b562e44f507e863c6792946e4e1b1449fbbac85d with gcc (GCC) 5.5.0 kernel signature: e3e16c204c0f916a1f1db60d66e16dacfa41fcb1 run #0: crashed: WARNING in cma_cancel_operation run #1: crashed: WARNING in cma_cancel_operation run #2: crashed: WARNING in rdma_listen run #3: crashed: WARNING in rdma_listen run #4: crashed: WARNING in cma_cancel_operation run #5: crashed: WARNING in cma_cancel_operation run #6: crashed: WARNING in rdma_listen run #7: crashed: WARNING in cma_cancel_operation run #8: crashed: WARNING in cma_cancel_operation run #9: crashed: WARNING in cma_cancel_operation testing release v4.4 testing commit afd2ff9b7e1b367172f18ba7f693dfb62bdcb2dc with gcc (GCC) 5.5.0 kernel signature: ca3e11d2b456adbe2751bd6be53c1075e08d7957 run #0: crashed: WARNING in cma_cancel_operation run #1: crashed: WARNING in rdma_listen run #2: crashed: WARNING in rdma_listen run #3: crashed: WARNING in rdma_listen run #4: crashed: WARNING in cma_cancel_operation run #5: crashed: WARNING in cma_cancel_operation run #6: crashed: WARNING in cma_cancel_operation run #7: crashed: WARNING in rdma_listen run #8: crashed: WARNING in cma_cancel_operation run #9: crashed: WARNING in cma_cancel_operation testing release v4.3 testing commit 6a13feb9c82803e2b815eca72fa7a9f5561d7861 with gcc (GCC) 5.5.0 kernel signature: 7fca3e26a02cbfdc7c9a520a610db72c3b6e5fc2 run #0: crashed: WARNING in cma_cancel_operation run #1: crashed: WARNING in cma_cancel_operation run #2: crashed: WARNING in cma_cancel_operation run #3: crashed: WARNING in cma_cancel_operation run #4: crashed: WARNING in rdma_listen run #5: crashed: WARNING in cma_cancel_operation run #6: crashed: WARNING in cma_cancel_operation run #7: crashed: WARNING in cma_cancel_operation run #8: crashed: WARNING in cma_cancel_operation run #9: crashed: WARNING in cma_cancel_operation testing release v4.2 testing commit 64291f7db5bd8150a74ad2036f1037e6a0428df2 with gcc (GCC) 5.5.0 kernel signature: 7b12f900eeb5df4774bd06597d48def9d7366401 run #0: crashed: WARNING in cma_cancel_operation run #1: crashed: WARNING in rdma_listen run #2: crashed: WARNING in cma_cancel_operation run #3: crashed: WARNING in cma_cancel_operation run #4: crashed: WARNING in cma_cancel_operation run #5: crashed: WARNING in cma_cancel_operation run #6: crashed: WARNING in cma_cancel_operation run #7: crashed: WARNING in cma_cancel_operation run #8: crashed: WARNING in cma_cancel_operation run #9: crashed: no output from test machine testing release v4.1 testing commit b953c0d234bc72e8489d3bf51a276c5c4ec85345 with gcc (GCC) 5.5.0 kernel signature: 98c6097efd289afae9f58bebac68635d88993371 run #0: crashed: WARNING in cma_cancel_operation run #1: crashed: WARNING in cma_cancel_operation run #2: crashed: WARNING in cma_cancel_operation run #3: crashed: WARNING in cma_cancel_operation run #4: crashed: WARNING in rdma_listen run #5: crashed: WARNING in cma_cancel_operation run #6: crashed: WARNING in cma_cancel_operation run #7: crashed: WARNING in rdma_listen run #8: crashed: WARNING in cma_cancel_operation run #9: crashed: WARNING in cma_cancel_operation revisions tested: 16, total time: 1h42m48.514585779s (build: 46m13.07383141s, test: 52m17.176450876s) the crash already happened on the oldest tested release commit msg: Linux 4.1 crash: WARNING in cma_cancel_operation IPVS: Creating netns size=2688 id=6 IPVS: ftp: loaded support on port[0] = 21 IPVS: Creating netns size=2688 id=7 IPVS: ftp: loaded support on port[0] = 21 ------------[ cut here ]------------ WARNING: CPU: 0 PID: 3658 at lib/list_debug.c:62 __list_del_entry+0xdd/0xe0 lib/list_debug.c:60() list_del corruption. next->prev should be ffff8800b8f891c8, but was ffff8800b8f895c8 Kernel panic - not syncing: panic_on_warn set ... CPU: 0 PID: 3658 Comm: syz-executor Not tainted 4.1.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffffffff82668c78 ffff8800b8f1fa08 ffffffff820471b4 0000000000000032 ffffffff8263e396 ffff8800b8f1fa88 ffffffff82045151 0000000000000000 ffffffff00000008 ffff8800b8f1fa98 ffff8800b8f1fa38 0000000000000006 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0x4c/0x65 lib/dump_stack.c:50 [] panic+0xcd/0x211 kernel/panic.c:111 [] warn_slowpath_common+0xbb/0xc0 kernel/panic.c:442 [] warn_slowpath_fmt+0x41/0x50 kernel/panic.c:458 [] __list_del_entry+0xdd/0xe0 lib/list_debug.c:60 [] list_del+0x11/0x40 lib/list_debug.c:77 [] cma_cancel_listens drivers/infiniband/core/cma.c:967 [inline] [] cma_cancel_operation+0xe0/0x230 drivers/infiniband/core/cma.c:995 [] rdma_destroy_id+0x4f/0x260 drivers/infiniband/core/cma.c:1047 [] ucma_free_ctx+0x31/0x1b0 drivers/infiniband/core/ucma.c:456 [] ucma_close+0x7d/0xc0 drivers/infiniband/core/ucma.c:1565 [] __fput+0xea/0x200 fs/file_table.c:208 [] ____fput+0x9/0x10 fs/file_table.c:244 [] task_work_run+0xc4/0xf0 kernel/task_work.c:123 [] exit_task_work include/linux/task_work.h:21 [inline] [] do_exit+0x358/0xc40 kernel/exit.c:746 [] do_group_exit+0x4b/0xc0 kernel/exit.c:874 [] get_signal+0x2a1/0xa10 kernel/signal.c:2358 [] do_signal+0x23/0xaf0 arch/x86/kernel/signal.c:690 [] do_notify_resume+0x58/0x70 arch/x86/kernel/signal.c:735 [] int_signal+0x12/0x17 Kernel Offset: disabled