bisecting fixing commit since ca04b3cca11acbaf904f707f2d9ca9654d7cc226
building syzkaller on f25e57704183544b0d540ef0035acfa6fb9071d7
testing commit ca04b3cca11acbaf904f707f2d9ca9654d7cc226 with gcc (GCC) 8.1.0
kernel signature: 5815a6ca46c681e809a4125e241c4c9c061f54c4
run #0: crashed: KASAN: use-after-free Read in __queue_work
run #1: crashed: KASAN: use-after-free Read in __queue_work
run #2: crashed: KASAN: use-after-free Read in __queue_work
run #3: crashed: KASAN: use-after-free Read in __queue_work
run #4: crashed: WARNING: ODEBUG bug in p9_fd_close
run #5: crashed: KASAN: use-after-free Read in __queue_work
run #6: crashed: KASAN: use-after-free Read in __queue_work
run #7: crashed: KASAN: use-after-free Read in __queue_work
run #8: crashed: KASAN: use-after-free Read in __queue_work
run #9: crashed: KASAN: use-after-free Read in __queue_work
testing current HEAD eea2d5da29e396b6cc1fb35e36bcbf5f57731015
testing commit eea2d5da29e396b6cc1fb35e36bcbf5f57731015 with gcc (GCC) 8.1.0
kernel signature: 465d69f926eb662eebf3af28e01cd4b41a7006b2
all runs: OK
# git bisect start eea2d5da29e396b6cc1fb35e36bcbf5f57731015 ca04b3cca11acbaf904f707f2d9ca9654d7cc226
Bisecting: 59566 revisions left to test after this (roughly 16 steps)
[007dc78fea62610bf06829e38f1d8c69b6ea5af6] Merge branch 'locking-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
testing commit 007dc78fea62610bf06829e38f1d8c69b6ea5af6 with gcc (GCC) 8.1.0
kernel signature: cb5a33e0f9633bdf717046d07b706d6a8590f8a8
all runs: OK
# git bisect bad 007dc78fea62610bf06829e38f1d8c69b6ea5af6
Bisecting: 29775 revisions left to test after this (roughly 15 steps)
[d577a3d279c3c60adabdcc4b7a414d37dea7b8b2] net: sched: mq: offload a graft notification
testing commit d577a3d279c3c60adabdcc4b7a414d37dea7b8b2 with gcc (GCC) 8.1.0
kernel signature: 2170617a8d70363e7fbd21113020b0119a38090f
all runs: OK
# git bisect bad d577a3d279c3c60adabdcc4b7a414d37dea7b8b2
Bisecting: 14887 revisions left to test after this (roughly 14 steps)
[f1c03a465192fea123789c85e44dc2610730b6cb] Merge branch 'for-4.19-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/percpu
testing commit f1c03a465192fea123789c85e44dc2610730b6cb with gcc (GCC) 8.1.0
kernel signature: 7d7a254b1365dd53d0adebcd41900884ae102043
all runs: OK
# git bisect bad f1c03a465192fea123789c85e44dc2610730b6cb
Bisecting: 6828 revisions left to test after this (roughly 13 steps)
[54dbe75bbf1e189982516de179147208e90b5e45] Merge tag 'drm-next-2018-08-15' of git://anongit.freedesktop.org/drm/drm
testing commit 54dbe75bbf1e189982516de179147208e90b5e45 with gcc (GCC) 8.1.0
kernel signature: 0c7cc05e16f1bc11a094ea5acc40d6d52a3c14b0
run #0: crashed: KASAN: use-after-free Read in __queue_work
run #1: crashed: KASAN: use-after-free Read in __queue_work
run #2: crashed: KASAN: use-after-free Read in __queue_work
run #3: crashed: WARNING: ODEBUG bug in p9_fd_close
run #4: crashed: KASAN: use-after-free Read in __queue_work
run #5: crashed: WARNING: ODEBUG bug in p9_fd_close
run #6: crashed: KASAN: use-after-free Read in __queue_work
run #7: crashed: KASAN: use-after-free Read in __queue_work
run #8: crashed: KASAN: use-after-free Read in __queue_work
run #9: crashed: KASAN: use-after-free Read in __queue_work
# git bisect good 54dbe75bbf1e189982516de179147208e90b5e45
Bisecting: 3426 revisions left to test after this (roughly 12 steps)
[bbd60bffaf780464298cb7a39852f7f1065f1726] Merge tag 'mmc-v4.19' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc
testing commit bbd60bffaf780464298cb7a39852f7f1065f1726 with gcc (GCC) 8.1.0
kernel signature: c4dfc8c8754440ff7e1cab0e5016143a23e02604
all runs: OK
# git bisect bad bbd60bffaf780464298cb7a39852f7f1065f1726
Bisecting: 1635 revisions left to test after this (roughly 11 steps)
[9bd553929f68921be0f2014dd06561e0c8249a0d] Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma
testing commit 9bd553929f68921be0f2014dd06561e0c8249a0d with gcc (GCC) 8.1.0
kernel signature: c8b8cb4f18cbe35e2b78f8d3123a3572e78317a2
run #0: crashed: KASAN: use-after-free Read in __queue_work
run #1: crashed: KASAN: use-after-free Read in __queue_work
run #2: crashed: KASAN: use-after-free Read in __queue_work
run #3: crashed: WARNING: ODEBUG bug in p9_fd_close
run #4: crashed: KASAN: use-after-free Read in __queue_work
run #5: crashed: WARNING: ODEBUG bug in p9_fd_close
run #6: crashed: KASAN: use-after-free Read in __queue_work
run #7: crashed: KASAN: use-after-free Read in __queue_work
run #8: crashed: KASAN: use-after-free Read in __queue_work
run #9: crashed: KASAN: use-after-free Read in __queue_work
# git bisect good 9bd553929f68921be0f2014dd06561e0c8249a0d
Bisecting: 817 revisions left to test after this (roughly 10 steps)
[ae3b4ed1a23fc197716c4bcf1e32be37f2472d3b] staging: rtl8188eu: use phydm_regdefine11n.h from rtlwifi
testing commit ae3b4ed1a23fc197716c4bcf1e32be37f2472d3b with gcc (GCC) 8.1.0
kernel signature: aedbbfe07e5392ad1bb5ed5bc5eba80b8aed9930
run #0: crashed: KASAN: use-after-free Read in __queue_work
run #1: crashed: KASAN: use-after-free Read in __queue_work
run #2: crashed: KASAN: use-after-free Read in __queue_work
run #3: crashed: KASAN: use-after-free Read in __queue_work
run #4: crashed: KASAN: use-after-free Read in __queue_work
run #5: crashed: KASAN: use-after-free Read in __queue_work
run #6: crashed: WARNING: ODEBUG bug in p9_fd_close
run #7: crashed: WARNING: ODEBUG bug in p9_fd_close
run #8: crashed: KASAN: use-after-free Read in __queue_work
run #9: crashed: KASAN: use-after-free Read in __queue_work
# git bisect good ae3b4ed1a23fc197716c4bcf1e32be37f2472d3b
Bisecting: 441 revisions left to test after this (roughly 9 steps)
[336722eb9d9732c5a497fb6299bf38cde413592b] Merge tag 'tty-4.19-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty
testing commit 336722eb9d9732c5a497fb6299bf38cde413592b with gcc (GCC) 8.1.0
kernel signature: 46c39756a935f0acd79202ee4b77f97ca536e8da
all runs: OK
# git bisect bad 336722eb9d9732c5a497fb6299bf38cde413592b
Bisecting: 209 revisions left to test after this (roughly 8 steps)
[29c692c96b3a39cd1911fb79cd2505af8d070f07] USB: serial: pl2303: add a new device id for ATEN
testing commit 29c692c96b3a39cd1911fb79cd2505af8d070f07 with gcc (GCC) 8.1.0
kernel signature: 4f8999d22433845dc91691994f36e27ff90eb25a
run #0: crashed: KASAN: use-after-free Read in __queue_work
run #1: crashed: KASAN: use-after-free Read in __queue_work
run #2: crashed: KASAN: use-after-free Read in __queue_work
run #3: crashed: KASAN: use-after-free Read in __queue_work
run #4: crashed: KASAN: use-after-free Read in __queue_work
run #5: crashed: KASAN: use-after-free Read in __queue_work
run #6: crashed: WARNING: ODEBUG bug in p9_fd_close
run #7: crashed: KASAN: use-after-free Read in __queue_work
run #8: crashed: KASAN: use-after-free Read in __queue_work
run #9: crashed: KASAN: use-after-free Read in __queue_work
# git bisect good 29c692c96b3a39cd1911fb79cd2505af8d070f07
Bisecting: 104 revisions left to test after this (roughly 7 steps)
[87a5ffc163966b2eb675c9c863c0caccab3183f6] mm/list_lru.c: use list_lru_walk_one() in list_lru_walk_node()
testing commit 87a5ffc163966b2eb675c9c863c0caccab3183f6 with gcc (GCC) 8.1.0
kernel signature: 6f5a835d260564fc9423fc8561a760d7fcccdcca
run #0: crashed: KASAN: use-after-free Read in __queue_work
run #1: crashed: KASAN: use-after-free Read in __queue_work
run #2: crashed: KASAN: use-after-free Read in __queue_work
run #3: crashed: KASAN: use-after-free Read in __queue_work
run #4: crashed: KASAN: use-after-free Read in __queue_work
run #5: crashed: KASAN: use-after-free Read in __queue_work
run #6: crashed: WARNING: ODEBUG bug in p9_fd_close
run #7: crashed: KASAN: use-after-free Read in __queue_work
run #8: crashed: KASAN: use-after-free Read in __queue_work
run #9: crashed: KASAN: use-after-free Read in __queue_work
# git bisect good 87a5ffc163966b2eb675c9c863c0caccab3183f6
Bisecting: 52 revisions left to test after this (roughly 6 steps)
[36ecc1481dc8d8c52d43ba18c6b642c1d2fde789] pty: fix O_CLOEXEC for TIOCGPTPEER
testing commit 36ecc1481dc8d8c52d43ba18c6b642c1d2fde789 with gcc (GCC) 8.1.0
kernel signature: 85fe409185e17d5c8ecefbcd4301c271f6c8a5ed
run #0: crashed: KASAN: use-after-free Read in __queue_work
run #1: crashed: KASAN: use-after-free Read in __queue_work
run #2: crashed: KASAN: use-after-free Read in __queue_work
run #3: crashed: KASAN: use-after-free Read in p9_read_work
run #4: crashed: KASAN: use-after-free Read in __queue_work
run #5: crashed: KASAN: use-after-free Read in __queue_work
run #6: crashed: KASAN: use-after-free Read in __queue_work
run #7: crashed: KASAN: use-after-free Read in __queue_work
run #8: crashed: KASAN: use-after-free Read in __queue_work
run #9: crashed: KASAN: use-after-free Read in __queue_work
# git bisect good 36ecc1481dc8d8c52d43ba18c6b642c1d2fde789
Bisecting: 23 revisions left to test after this (roughly 5 steps)
[1f7a4c73a739a63b3f108d8eda6f947fdc70dd65] Merge tag '9p-for-4.19-2' of git://github.com/martinetd/linux
testing commit 1f7a4c73a739a63b3f108d8eda6f947fdc70dd65 with gcc (GCC) 8.1.0
kernel signature: 58189d0706c09a44c391dd3ad89774605d56c254
all runs: OK
# git bisect bad 1f7a4c73a739a63b3f108d8eda6f947fdc70dd65
Bisecting: 14 revisions left to test after this (roughly 4 steps)
[430ac66eb4c5b5c4eb846b78ebf65747510b30f1] net/9p/trans_fd.c: fix race-condition by flushing workqueue before the kfree()
testing commit 430ac66eb4c5b5c4eb846b78ebf65747510b30f1 with gcc (GCC) 8.1.0
kernel signature: 2fc637ed6284f3f87e953303f986e2631c1ab7bd
all runs: OK
# git bisect bad 430ac66eb4c5b5c4eb846b78ebf65747510b30f1
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[2d58f63f72f28ba297a9ae344a5b5f0cf75bcd94] 9p: Fix comment on smp_wmb
testing commit 2d58f63f72f28ba297a9ae344a5b5f0cf75bcd94 with gcc (GCC) 8.1.0
kernel signature: f116ed5ca047009e71deb3e344f486dba4c11e61
all runs: crashed: KASAN: use-after-free Read in __queue_work
# git bisect good 2d58f63f72f28ba297a9ae344a5b5f0cf75bcd94
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[2557d0c57c0c11af915d0d4d97402527958c0c01] 9p: Embed wait_queue_head into p9_req_t
testing commit 2557d0c57c0c11af915d0d4d97402527958c0c01 with gcc (GCC) 8.1.0
kernel signature: 61318e66fbae2bbe6c9d1eed75d7a7dcf40bf59f
run #0: crashed: KASAN: use-after-free Read in __queue_work
run #1: crashed: KASAN: use-after-free Read in __queue_work
run #2: crashed: KASAN: use-after-free Read in __queue_work
run #3: crashed: KASAN: use-after-free Read in __queue_work
run #4: crashed: KASAN: use-after-free Read in __queue_work
run #5: crashed: KASAN: use-after-free Read in __queue_work
run #6: crashed: KASAN: use-after-free Read in __queue_work
run #7: crashed: WARNING: ODEBUG bug in p9_fd_close
run #8: crashed: KASAN: use-after-free Read in __queue_work
run #9: crashed: WARNING: ODEBUG bug in p9_fd_close
# git bisect good 2557d0c57c0c11af915d0d4d97402527958c0c01
Bisecting: 1 revision left to test after this (roughly 1 step)
[c7ebbae7cf9c50253a978f25d72d16e012bd46f1] net/9p/trans_virtio.c: fix some spell mistakes in comments
testing commit c7ebbae7cf9c50253a978f25d72d16e012bd46f1 with gcc (GCC) 8.1.0
kernel signature: 4a6762b95206e3aee921e7f1e1e42a9bce109c0d
run #0: crashed: KASAN: use-after-free Read in __queue_work
run #1: crashed: KASAN: use-after-free Read in __queue_work
run #2: crashed: WARNING: ODEBUG bug in p9_fd_close
run #3: crashed: KASAN: use-after-free Read in __queue_work
run #4: crashed: WARNING: ODEBUG bug in p9_fd_close
run #5: crashed: KASAN: use-after-free Read in __queue_work
run #6: crashed: WARNING: ODEBUG bug in p9_fd_close
run #7: crashed: KASAN: use-after-free Read in __queue_work
run #8: crashed: KASAN: use-after-free Read in __queue_work
run #9: crashed: KASAN: use-after-free Read in __queue_work
# git bisect good c7ebbae7cf9c50253a978f25d72d16e012bd46f1
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[31934da810365f603dec5a67e690e00cf900fc73] net/9p/virtio: Fix hard lockup in req_done
testing commit 31934da810365f603dec5a67e690e00cf900fc73 with gcc (GCC) 8.1.0
kernel signature: 53939b9734b472b5dfe188644214d059897f6ba7
all runs: crashed: KASAN: use-after-free Read in __queue_work
# git bisect good 31934da810365f603dec5a67e690e00cf900fc73
430ac66eb4c5b5c4eb846b78ebf65747510b30f1 is the first bad commit
commit 430ac66eb4c5b5c4eb846b78ebf65747510b30f1
Author: Tomas Bortoli
Date:   Fri Jul 20 11:27:30 2018 +0200

    net/9p/trans_fd.c: fix race-condition by flushing workqueue before the kfree()

    The patch adds the flush in p9_mux_poll_stop() as it is the function used by
    p9_conn_destroy(), in turn called by p9_fd_close() to stop the async
    polling associated with the data regarding the connection.

    Link: http://lkml.kernel.org/r/20180720092730.27104-1-tomasbortoli@gmail.com
    Signed-off-by: Tomas Bortoli
    Reported-by: syzbot+39749ed7d9ef6dfb23f6@syzkaller.appspotmail.com
    To: Eric Van Hensbergen
    To: Ron Minnich
    To: Latchesar Ionkov
    Cc: Yiwen Jiang
    Cc: stable@vger.kernel.org
    Signed-off-by: Dominique Martinet

 net/9p/trans_fd.c | 2 ++
 1 file changed, 2 insertions(+)

kernel signature: 2fc637ed6284f3f87e953303f986e2631c1ab7bd
previous signature: 53939b9734b472b5dfe188644214d059897f6ba7
revisions tested: 19, total time: 4h1m37.864082749s (build: 1h35m26.829400546s, test: 2h23m29.887628796s)
first good commit: 430ac66eb4c5b5c4eb846b78ebf65747510b30f1 net/9p/trans_fd.c: fix race-condition by flushing workqueue before the kfree()
cc: ["asmadeus@codewreck.org" "davem@davemloft.net" "dominique.martinet@cea.fr" "ericvh@gmail.com" "jiangyiwen@huwei.com" "linux-kernel@vger.kernel.org" "lucho@ionkov.net" "netdev@vger.kernel.org" "tomasbortoli@gmail.com" "v9fs-developer@lists.sourceforge.net"]