bisecting cause commit starting from 12ad143e1b803e541e48b8ba40f550250259ecdd building syzkaller on 12365b99ce83b8a58433eaedbe412dff563ef8fb testing commit 12ad143e1b803e541e48b8ba40f550250259ecdd with gcc (GCC) 8.1.0 all runs: crashed: WARNING in lockdep_unregister_key testing release v5.0 testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783 with gcc (GCC) 8.1.0 all runs: OK # git bisect start 12ad143e1b803e541e48b8ba40f550250259ecdd v5.0 Bisecting: 5337 revisions left to test after this (roughly 12 steps) [542d0e583b7b366527175b2b5fc0aad262fa33b0] Merge tag 'devprop-5.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm testing commit 542d0e583b7b366527175b2b5fc0aad262fa33b0 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 542d0e583b7b366527175b2b5fc0aad262fa33b0 Bisecting: 2108 revisions left to test after this (roughly 11 steps) [851ca779d110f694b5d078bc4af06d3ad37169e8] Merge tag 'drm-next-2019-03-06' of git://anongit.freedesktop.org/drm/drm testing commit 851ca779d110f694b5d078bc4af06d3ad37169e8 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 851ca779d110f694b5d078bc4af06d3ad37169e8 Bisecting: 950 revisions left to test after this (roughly 10 steps) [96a6de1a541c86e9e67b9c310c14db4099bd1cbc] Merge tag 'media/v5.1-1' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media testing commit 96a6de1a541c86e9e67b9c310c14db4099bd1cbc with gcc (GCC) 8.1.0 all runs: OK # git bisect good 96a6de1a541c86e9e67b9c310c14db4099bd1cbc Bisecting: 549 revisions left to test after this (roughly 9 steps) [a50243b1ddcdd766d0d17fbfeeb1a22e62fdc461] Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma testing commit a50243b1ddcdd766d0d17fbfeeb1a22e62fdc461 with gcc (GCC) 8.1.0 all runs: OK # git bisect good a50243b1ddcdd766d0d17fbfeeb1a22e62fdc461 Bisecting: 277 revisions left to test after this (roughly 8 steps) [d6075262969321bcb5d795de25595fc2a141ac02] Merge tag 'nios2-v5.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/lftan/nios2 testing commit d6075262969321bcb5d795de25595fc2a141ac02 with gcc (GCC) 8.1.0 all runs: OK # git bisect good d6075262969321bcb5d795de25595fc2a141ac02 Bisecting: 122 revisions left to test after this (roughly 7 steps) [bb97be23db2a296c5f8b8b4c40feb0435b068c5e] Merge tag 'iommu-updates-v5.1' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu testing commit bb97be23db2a296c5f8b8b4c40feb0435b068c5e with gcc (GCC) 8.1.0 all runs: OK # git bisect good bb97be23db2a296c5f8b8b4c40feb0435b068c5e Bisecting: 58 revisions left to test after this (roughly 6 steps) [dbbdf54c7206bf3f201f9ddaa5f4dd87835271cc] Merge tag 'platform-drivers-x86-v5.1-1' of git://git.infradead.org/linux-platform-drivers-x86 testing commit dbbdf54c7206bf3f201f9ddaa5f4dd87835271cc with gcc (GCC) 8.1.0 all runs: OK # git bisect good dbbdf54c7206bf3f201f9ddaa5f4dd87835271cc Bisecting: 29 revisions left to test after this (roughly 5 steps) [e34c940245437f36d2c492edd1f8237eff391064] perf c2c: Fix c2c report for empty numa node testing commit e34c940245437f36d2c492edd1f8237eff391064 with gcc (GCC) 8.1.0 all runs: OK # git bisect good e34c940245437f36d2c492edd1f8237eff391064 Bisecting: 18 revisions left to test after this (roughly 4 steps) [b6e3cb4e8679dd971eed33f6a08d62c66a4230c9] Merge branch 'x86-boot-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip testing commit b6e3cb4e8679dd971eed33f6a08d62c66a4230c9 with gcc (GCC) 8.1.0 all runs: crashed: WARNING in lockdep_unregister_key # git bisect bad b6e3cb4e8679dd971eed33f6a08d62c66a4230c9 Bisecting: 6 revisions left to test after this (roughly 3 steps) [69a106c00e8554a7e6b3f4bb2967332670f89337] workqueue, lockdep: Fix a memory leak in wq->lock_name testing commit 69a106c00e8554a7e6b3f4bb2967332670f89337 with gcc (GCC) 8.1.0 all runs: crashed: WARNING in lockdep_unregister_key # git bisect bad 69a106c00e8554a7e6b3f4bb2967332670f89337 Bisecting: 1 revision left to test after this (roughly 1 step) [0126574fca2ce0f0d5beb9dade6efb823ff7407b] locking/lockdep: Only call init_rcu_head() after RCU has been initialized testing commit 0126574fca2ce0f0d5beb9dade6efb823ff7407b with gcc (GCC) 8.1.0 all runs: OK # git bisect good 0126574fca2ce0f0d5beb9dade6efb823ff7407b Bisecting: 0 revisions left to test after this (roughly 0 steps) [009bb421b6ceb7916ce627023d0eb7ced04c8910] workqueue, lockdep: Fix an alloc_workqueue() error path testing commit 009bb421b6ceb7916ce627023d0eb7ced04c8910 with gcc (GCC) 8.1.0 all runs: crashed: WARNING in lockdep_unregister_key # git bisect bad 009bb421b6ceb7916ce627023d0eb7ced04c8910 009bb421b6ceb7916ce627023d0eb7ced04c8910 is the first bad commit commit 009bb421b6ceb7916ce627023d0eb7ced04c8910 Author: Bart Van Assche Date: Sun Mar 3 14:00:46 2019 -0800 workqueue, lockdep: Fix an alloc_workqueue() error path This patch fixes a use-after-free and a memory leak in an alloc_workqueue() error path. Repoted by syzkaller and KASAN: BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:197 [inline] BUG: KASAN: use-after-free in lockdep_register_key+0x3b9/0x490 kernel/locking/lockdep.c:1023 Read of size 8 at addr ffff888090fc2698 by task syz-executor134/7858 CPU: 1 PID: 7858 Comm: syz-executor134 Not tainted 5.0.0-rc8-next-20190301 #1 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x172/0x1f0 lib/dump_stack.c:113 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187 kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132 __read_once_size include/linux/compiler.h:197 [inline] lockdep_register_key+0x3b9/0x490 kernel/locking/lockdep.c:1023 wq_init_lockdep kernel/workqueue.c:3444 [inline] alloc_workqueue+0x427/0xe70 kernel/workqueue.c:4263 ucma_open+0x76/0x290 drivers/infiniband/core/ucma.c:1732 misc_open+0x398/0x4c0 drivers/char/misc.c:141 chrdev_open+0x247/0x6b0 fs/char_dev.c:417 do_dentry_open+0x488/0x1160 fs/open.c:771 vfs_open+0xa0/0xd0 fs/open.c:880 do_last fs/namei.c:3416 [inline] path_openat+0x10e9/0x46e0 fs/namei.c:3533 do_filp_open+0x1a1/0x280 fs/namei.c:3563 do_sys_open+0x3fe/0x5d0 fs/open.c:1063 __do_sys_openat fs/open.c:1090 [inline] __se_sys_openat fs/open.c:1084 [inline] __x64_sys_openat+0x9d/0x100 fs/open.c:1084 do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe Allocated by task 7789: save_stack+0x45/0xd0 mm/kasan/common.c:75 set_track mm/kasan/common.c:87 [inline] __kasan_kmalloc mm/kasan/common.c:497 [inline] __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:470 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:511 __do_kmalloc mm/slab.c:3726 [inline] __kmalloc+0x15c/0x740 mm/slab.c:3735 kmalloc include/linux/slab.h:553 [inline] kzalloc include/linux/slab.h:743 [inline] alloc_workqueue+0x13c/0xe70 kernel/workqueue.c:4236 ucma_open+0x76/0x290 drivers/infiniband/core/ucma.c:1732 misc_open+0x398/0x4c0 drivers/char/misc.c:141 chrdev_open+0x247/0x6b0 fs/char_dev.c:417 do_dentry_open+0x488/0x1160 fs/open.c:771 vfs_open+0xa0/0xd0 fs/open.c:880 do_last fs/namei.c:3416 [inline] path_openat+0x10e9/0x46e0 fs/namei.c:3533 do_filp_open+0x1a1/0x280 fs/namei.c:3563 do_sys_open+0x3fe/0x5d0 fs/open.c:1063 __do_sys_openat fs/open.c:1090 [inline] __se_sys_openat fs/open.c:1084 [inline] __x64_sys_openat+0x9d/0x100 fs/open.c:1084 do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 7789: save_stack+0x45/0xd0 mm/kasan/common.c:75 set_track mm/kasan/common.c:87 [inline] __kasan_slab_free+0x102/0x150 mm/kasan/common.c:459 kasan_slab_free+0xe/0x10 mm/kasan/common.c:467 __cache_free mm/slab.c:3498 [inline] kfree+0xcf/0x230 mm/slab.c:3821 alloc_workqueue+0xc3e/0xe70 kernel/workqueue.c:4295 ucma_open+0x76/0x290 drivers/infiniband/core/ucma.c:1732 misc_open+0x398/0x4c0 drivers/char/misc.c:141 chrdev_open+0x247/0x6b0 fs/char_dev.c:417 do_dentry_open+0x488/0x1160 fs/open.c:771 vfs_open+0xa0/0xd0 fs/open.c:880 do_last fs/namei.c:3416 [inline] path_openat+0x10e9/0x46e0 fs/namei.c:3533 do_filp_open+0x1a1/0x280 fs/namei.c:3563 do_sys_open+0x3fe/0x5d0 fs/open.c:1063 __do_sys_openat fs/open.c:1090 [inline] __se_sys_openat fs/open.c:1084 [inline] __x64_sys_openat+0x9d/0x100 fs/open.c:1084 do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe The buggy address belongs to the object at ffff888090fc2580 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 280 bytes inside of 512-byte region [ffff888090fc2580, ffff888090fc2780) Reported-by: syzbot+17335689e239ce135d8b@syzkaller.appspotmail.com Signed-off-by: Bart Van Assche Signed-off-by: Peter Zijlstra (Intel) Cc: Andrew Morton Cc: Andy Lutomirski Cc: Borislav Petkov Cc: Dave Hansen Cc: H. Peter Anvin Cc: Linus Torvalds Cc: Paul E. McKenney Cc: Peter Zijlstra Cc: Rik van Riel Cc: Thomas Gleixner Cc: Will Deacon Fixes: 669de8bda87b ("kernel/workqueue: Use dynamic lockdep keys for workqueues") Link: https://lkml.kernel.org/r/20190303220046.29448-1-bvanassche@acm.org Signed-off-by: Ingo Molnar :040000 040000 64eda3efa650669656c9e08b0a000476d5904abf 9ffd39b592182f7d167f2dae4f27dad8f143cf2e M kernel revisions tested: 14, total time: 3h0m47.826452366s (build: 1h17m17.121878155s, test: 1h40m54.550457511s) first bad commit: 009bb421b6ceb7916ce627023d0eb7ced04c8910 workqueue, lockdep: Fix an alloc_workqueue() error path cc: ["akpm@linux-foundation.org" "bp@alien8.de" "bvanassche@acm.org" "dave.hansen@linux.intel.com" "hpa@zytor.com" "luto@kernel.org" "mingo@kernel.org" "paulmck@linux.vnet.ibm.com" "peterz@infradead.org" "riel@surriel.com" "tglx@linutronix.de" "torvalds@linux-foundation.org" "will.deacon@arm.com"] crash: WARNING in lockdep_unregister_key RDX: 0000000000000001 RSI: 00000000400455c8 RDI: 0000000000000003 RBP: 00007f41a609dca0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000004 R13: 00000000006e6130 R14: 00000000004a7999 R15: 00007f41a609e6d4 CPU: 0 PID: 6973 Comm: syz-executor.0 Not tainted 5.0.0+ #1 WARNING: CPU: 1 PID: 6970 at kernel/locking/lockdep.c:4925 lockdep_unregister_key+0x21c/0x4e0 kernel/locking/lockdep.c:4925 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014 Kernel panic - not syncing: panic_on_warn set ... Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x16e/0x1f6 lib/dump_stack.c:113 fail_dump lib/fault-inject.c:51 [inline] should_fail.cold.4+0xa/0x17 lib/fault-inject.c:149 __should_failslab+0x124/0x180 mm/failslab.c:32 should_failslab+0x9/0x14 mm/slab_common.c:1604 slab_pre_alloc_hook mm/slab.h:423 [inline] slab_alloc mm/slab.c:3374 [inline] kmem_cache_alloc_trace+0x2db/0x750 mm/slab.c:3613 kmalloc include/linux/slab.h:545 [inline] kzalloc include/linux/slab.h:740 [inline] alloc_workqueue_attrs+0x7c/0x110 kernel/workqueue.c:3255 alloc_workqueue+0x1a8/0xea0 kernel/workqueue.c:4144 hci_register_dev+0x1b3/0x860 net/bluetooth/hci_core.c:3288 hci_uart_register_dev drivers/bluetooth/hci_ldisc.c:676 [inline] hci_uart_set_proto drivers/bluetooth/hci_ldisc.c:700 [inline] hci_uart_tty_ioctl+0x770/0xb00 drivers/bluetooth/hci_ldisc.c:754 tty_ioctl+0x12d8/0x16c0 drivers/tty/tty_io.c:2662 vfs_ioctl fs/ioctl.c:46 [inline] file_ioctl fs/ioctl.c:509 [inline] do_vfs_ioctl+0x1e1/0x1370 fs/ioctl.c:696 ksys_ioctl+0xa9/0xd0 fs/ioctl.c:713 __do_sys_ioctl fs/ioctl.c:720 [inline] __se_sys_ioctl fs/ioctl.c:718 [inline] __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718 do_syscall_64+0x103/0x600 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x457799 Code: 8d b5 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b b5 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007f8b51dcfc88 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 000000000071bf00 RCX: 0000000000457799 RDX: 0000000000000001 RSI: 00000000400455c8 RDI: 0000000000000003 RBP: 00007f8b51dcfca0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000004 R13: 00000000006e6130 R14: 00000000004a7999 R15: 00007f8b51dd06d4 CPU: 1 PID: 6970 Comm: syz-executor.4 Not tainted 5.0.0+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x16e/0x1f6 lib/dump_stack.c:113 panic+0x2ad/0x632 kernel/panic.c:214 __warn.cold.8+0x20/0x54 kernel/panic.c:571 report_bug+0x254/0x2d0 lib/bug.c:186 fixup_bug arch/x86/kernel/traps.c:179 [inline] do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:272 do_invalid_op+0x36/0x40 arch/x86/kernel/traps.c:291 invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:973 RIP: 0010:lockdep_unregister_key+0x21c/0x4e0 kernel/locking/lockdep.c:4925 Code: b8 00 00 00 00 00 fc ff df 48 89 d1 48 c1 e9 03 80 3c 01 00 0f 85 4d 02 00 00 48 b8 00 02 00 00 00 00 ad de 48 89 43 08 eb 02 <0f> 0b ba 01 00 00 00 4c 89 e6 4c 89 ff e8 62 da ff ff 4c 89 ff e8 RSP: 0018:ffff8880226df8b0 EFLAGS: 00010046 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 1ffffffff1461b07 RSI: 0000000000000004 RDI: ffffffff8a30d838 RBP: ffff8880226df8e8 R08: ffffed10044dbf0b R09: ffffed10044dbf0a R10: ffffed10044dbf0a R11: 0000000000000003 R12: ffff888074144418 R13: ffff888074144448 R14: 0000000000000282 R15: ffffffff8a08a748 wq_unregister_lockdep kernel/workqueue.c:3356 [inline] alloc_workqueue+0x1e2/0xea0 kernel/workqueue.c:4197 hci_register_dev+0x1b3/0x860 net/bluetooth/hci_core.c:3288 hci_uart_register_dev drivers/bluetooth/hci_ldisc.c:676 [inline] hci_uart_set_proto drivers/bluetooth/hci_ldisc.c:700 [inline] hci_uart_tty_ioctl+0x770/0xb00 drivers/bluetooth/hci_ldisc.c:754 tty_ioctl+0x12d8/0x16c0 drivers/tty/tty_io.c:2662 vfs_ioctl fs/ioctl.c:46 [inline] file_ioctl fs/ioctl.c:509 [inline] do_vfs_ioctl+0x1e1/0x1370 fs/ioctl.c:696 ksys_ioctl+0xa9/0xd0 fs/ioctl.c:713 __do_sys_ioctl fs/ioctl.c:720 [inline] __se_sys_ioctl fs/ioctl.c:718 [inline] __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718 do_syscall_64+0x103/0x600 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x457799 Code: 8d b5 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b b5 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007f41a609dc88 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 000000000071bf00 RCX: 0000000000457799 RDX: 0000000000000001 RSI: 00000000400455c8 RDI: 0000000000000003 RBP: 00007f41a609dca0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000004 R13: 00000000006e6130 R14: 00000000004a7999 R15: 00007f41a609e6d4 Shutting down cpus with NMI Kernel Offset: disabled Rebooting in 86400 seconds..