bisecting fixing commit since d72e90f33aa4709ebecc5005562f52335e106a60
building syzkaller on f69c5fcd766adfb7894e1b0cd35f42c633f16419
testing commit d72e90f33aa4709ebecc5005562f52335e106a60 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in p9_fd_poll
testing current HEAD cf6c8aef16cc0cd15e91a930befd8e312d5703f5
testing commit cf6c8aef16cc0cd15e91a930befd8e312d5703f5 with gcc (GCC) 8.1.0
all runs: OK
# git bisect start cf6c8aef16cc0cd15e91a930befd8e312d5703f5 d72e90f33aa4709ebecc5005562f52335e106a60
Bisecting: 43982 revisions left to test after this (roughly 16 steps)
[9fc55413270fffe1b5ebdea03489d763c62c0305] net: hns3: fix improper error handling in the hclge_init_ae_dev()
testing commit 9fc55413270fffe1b5ebdea03489d763c62c0305 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 9fc55413270fffe1b5ebdea03489d763c62c0305
Bisecting: 22103 revisions left to test after this (roughly 15 steps)
[64ae16dfeefec670276607fa789ce096c7ebd7c4] KEYS: asym_tpm: Add support for the sign operation [ver #2]
testing commit 64ae16dfeefec670276607fa789ce096c7ebd7c4 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 64ae16dfeefec670276607fa789ce096c7ebd7c4
Bisecting: 10918 revisions left to test after this (roughly 14 steps)
[13bf2cf9e2d1e0e56088ec6342c2726704100647] Merge tag 'dmaengine-4.19-rc1' of git://git.infradead.org/users/vkoul/slave-dma
testing commit 13bf2cf9e2d1e0e56088ec6342c2726704100647 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 13bf2cf9e2d1e0e56088ec6342c2726704100647
Bisecting: 5137 revisions left to test after this (roughly 13 steps)
[9a76aba02a37718242d7cdc294f0a3901928aa57] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next
testing commit 9a76aba02a37718242d7cdc294f0a3901928aa57 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in p9_fd_poll
run #1: crashed: KASAN: use-after-free Read in p9_fd_poll
run #2: crashed: KASAN: use-after-free Read in p9_fd_poll
run #3: crashed: KASAN: use-after-free Read in snd_pcm_oss_set_trigger
run #4: crashed: KASAN: use-after-free Read in p9_fd_poll
run #5: crashed: KASAN: use-after-free Read in p9_fd_poll
run #6: crashed: KASAN: use-after-free Read in p9_fd_poll
run #7: crashed: KASAN: use-after-free Read in snd_pcm_oss_set_trigger
run #8: crashed: KASAN: use-after-free Read in snd_pcm_oss_set_trigger
run #9: crashed: KASAN: use-after-free Read in p9_fd_poll
# git bisect good 9a76aba02a37718242d7cdc294f0a3901928aa57
Bisecting: 2581 revisions left to test after this (roughly 11 steps)
[f91e654474d413201ae578820fb63f8a811f6c4e] Merge branch 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
testing commit f91e654474d413201ae578820fb63f8a811f6c4e with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in snd_pcm_oss_set_trigger
run #1: crashed: KASAN: use-after-free Read in snd_pcm_oss_set_trigger
run #2: crashed: KASAN: use-after-free Read in p9_fd_poll
run #3: crashed: KASAN: use-after-free Read in p9_fd_poll
run #4: crashed: KASAN: use-after-free Read in p9_fd_poll
run #5: crashed: KASAN: use-after-free Read in p9_fd_poll
run #6: crashed: KASAN: use-after-free Read in p9_fd_poll
run #7: crashed: KASAN: use-after-free Read in p9_fd_poll
run #8: crashed: KASAN: use-after-free Read in p9_fd_poll
run #9: crashed: KASAN: use-after-free Read in p9_fd_poll
# git bisect good f91e654474d413201ae578820fb63f8a811f6c4e
Bisecting: 1317 revisions left to test after this (roughly 10 steps)
[336722eb9d9732c5a497fb6299bf38cde413592b] Merge tag 'tty-4.19-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty
testing commit 336722eb9d9732c5a497fb6299bf38cde413592b with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 336722eb9d9732c5a497fb6299bf38cde413592b
Bisecting: 694 revisions left to test after this (roughly 9 steps)
[022ff62c3d8c3758d15ccc6b58615fd8f257ba85] Merge tag 'drm-next-2018-08-17-1' of git://anongit.freedesktop.org/drm/drm
testing commit 022ff62c3d8c3758d15ccc6b58615fd8f257ba85 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in p9_fd_poll
# git bisect good 022ff62c3d8c3758d15ccc6b58615fd8f257ba85
Bisecting: 375 revisions left to test after this (roughly 9 steps)
[9bd553929f68921be0f2014dd06561e0c8249a0d] Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma
testing commit 9bd553929f68921be0f2014dd06561e0c8249a0d with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in p9_fd_poll
# git bisect good 9bd553929f68921be0f2014dd06561e0c8249a0d
Bisecting: 209 revisions left to test after this (roughly 8 steps)
[29c692c96b3a39cd1911fb79cd2505af8d070f07] USB: serial: pl2303: add a new device id for ATEN
testing commit 29c692c96b3a39cd1911fb79cd2505af8d070f07 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in p9_fd_poll
# git bisect good 29c692c96b3a39cd1911fb79cd2505af8d070f07
Bisecting: 104 revisions left to test after this (roughly 7 steps)
[87a5ffc163966b2eb675c9c863c0caccab3183f6] mm/list_lru.c: use list_lru_walk_one() in list_lru_walk_node()
testing commit 87a5ffc163966b2eb675c9c863c0caccab3183f6 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in p9_fd_poll
# git bisect good 87a5ffc163966b2eb675c9c863c0caccab3183f6
Bisecting: 52 revisions left to test after this (roughly 6 steps)
[36ecc1481dc8d8c52d43ba18c6b642c1d2fde789] pty: fix O_CLOEXEC for TIOCGPTPEER
testing commit 36ecc1481dc8d8c52d43ba18c6b642c1d2fde789 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in p9_fd_poll
# git bisect good 36ecc1481dc8d8c52d43ba18c6b642c1d2fde789
Bisecting: 23 revisions left to test after this (roughly 5 steps)
[1f7a4c73a739a63b3f108d8eda6f947fdc70dd65] Merge tag '9p-for-4.19-2' of git://github.com/martinetd/linux
testing commit 1f7a4c73a739a63b3f108d8eda6f947fdc70dd65 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 1f7a4c73a739a63b3f108d8eda6f947fdc70dd65
Bisecting: 14 revisions left to test after this (roughly 4 steps)
[430ac66eb4c5b5c4eb846b78ebf65747510b30f1] net/9p/trans_fd.c: fix race-condition by flushing workqueue before the kfree()
testing commit 430ac66eb4c5b5c4eb846b78ebf65747510b30f1 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 430ac66eb4c5b5c4eb846b78ebf65747510b30f1
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[2d58f63f72f28ba297a9ae344a5b5f0cf75bcd94] 9p: Fix comment on smp_wmb
testing commit 2d58f63f72f28ba297a9ae344a5b5f0cf75bcd94 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in p9_fd_poll
run #1: crashed: KASAN: use-after-free Read in p9_fd_poll
run #2: crashed: KASAN: use-after-free Read in p9_fd_poll
run #3: crashed: KASAN: use-after-free Read in p9_fd_poll
run #4: crashed: KASAN: use-after-free Read in p9_fd_poll
run #5: crashed: KASAN: null-ptr-deref Write in snd_pcm_format_set_silence
run #6: crashed: KASAN: use-after-free Read in p9_fd_poll
run #7: crashed: KASAN: use-after-free Read in p9_fd_poll
run #8: crashed: KASAN: use-after-free Read in p9_fd_poll
run #9: crashed: KASAN: use-after-free Read in p9_fd_poll
# git bisect good 2d58f63f72f28ba297a9ae344a5b5f0cf75bcd94
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[2557d0c57c0c11af915d0d4d97402527958c0c01] 9p: Embed wait_queue_head into p9_req_t
testing commit 2557d0c57c0c11af915d0d4d97402527958c0c01 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in p9_fd_poll
run #1: crashed: BUG: unable to handle kernel paging request in snd_pcm_format_set_silence
run #2: crashed: KASAN: use-after-free Read in p9_fd_poll
run #3: crashed: KASAN: use-after-free Read in p9_fd_poll
run #4: crashed: KASAN: use-after-free Read in p9_fd_poll
run #5: crashed: KASAN: use-after-free Read in p9_fd_poll
run #6: crashed: KASAN: use-after-free Read in p9_fd_poll
run #7: crashed: KASAN: use-after-free Read in p9_fd_poll
run #8: crashed: BUG: unable to handle kernel paging request in snd_pcm_format_set_silence
run #9: crashed: KASAN: use-after-free Read in p9_fd_poll
# git bisect good 2557d0c57c0c11af915d0d4d97402527958c0c01
Bisecting: 1 revision left to test after this (roughly 1 step)
[c7ebbae7cf9c50253a978f25d72d16e012bd46f1] net/9p/trans_virtio.c: fix some spell mistakes in comments
testing commit c7ebbae7cf9c50253a978f25d72d16e012bd46f1 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in p9_fd_poll
run #1: crashed: KASAN: use-after-free Read in p9_fd_poll
run #2: crashed: KASAN: use-after-free Read in p9_fd_poll
run #3: crashed: KASAN: use-after-free Read in p9_fd_poll
run #4: crashed: KASAN: use-after-free Read in p9_fd_poll
run #5: crashed: KASAN: use-after-free Read in p9_fd_poll
run #6: crashed: KASAN: use-after-free Read in p9_fd_poll
run #7: crashed: BUG: unable to handle kernel paging request in snd_pcm_format_set_silence
run #8: crashed: KASAN: use-after-free Read in p9_fd_poll
run #9: crashed: KASAN: use-after-free Read in p9_fd_poll
# git bisect good c7ebbae7cf9c50253a978f25d72d16e012bd46f1
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[31934da810365f603dec5a67e690e00cf900fc73] net/9p/virtio: Fix hard lockup in req_done
testing commit 31934da810365f603dec5a67e690e00cf900fc73 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in p9_fd_poll
# git bisect good 31934da810365f603dec5a67e690e00cf900fc73
430ac66eb4c5b5c4eb846b78ebf65747510b30f1 is the first bad commit
commit 430ac66eb4c5b5c4eb846b78ebf65747510b30f1
Author: Tomas Bortoli
Date:   Fri Jul 20 11:27:30 2018 +0200

    net/9p/trans_fd.c: fix race-condition by flushing workqueue before the kfree()

    The patch adds the flush in p9_mux_poll_stop() as it is the function used by
    p9_conn_destroy(), in turn called by p9_fd_close() to stop the async
    polling associated with the data regarding the connection.

    Link: http://lkml.kernel.org/r/20180720092730.27104-1-tomasbortoli@gmail.com
    Signed-off-by: Tomas Bortoli
    Reported-by: syzbot+39749ed7d9ef6dfb23f6@syzkaller.appspotmail.com
    To: Eric Van Hensbergen
    To: Ron Minnich
    To: Latchesar Ionkov
    Cc: Yiwen Jiang
    Cc: stable@vger.kernel.org
    Signed-off-by: Dominique Martinet

:040000 040000 2b90a26742f41f590296c62a5919e5585e6c55de 580948df285ae96f8ff9ccd49ec535c78ad96685 M	net

revisions tested: 19, total time: 3h54m43.274935488s (build: 1h41m20.156800758s, test: 2h6m7.196292637s)
first good commit: 430ac66eb4c5b5c4eb846b78ebf65747510b30f1 net/9p/trans_fd.c: fix race-condition by flushing workqueue before the kfree()
cc: ["asmadeus@codewreck.org" "davem@davemloft.net" "dominique.martinet@cea.fr" "ericvh@gmail.com" "jiangyiwen@huwei.com" "linux-kernel@vger.kernel.org" "lucho@ionkov.net" "netdev@vger.kernel.org" "tomasbortoli@gmail.com" "v9fs-developer@lists.sourceforge.net"]
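The log above is a fix bisection, so syzbot drives git bisect with inverted labels: a commit on which the reproducer still crashes is marked "good" (the fix is not in yet) and a commit that runs clean is marked "bad" (the fix is in), which is why git prints "is the first bad commit" for the revision syzbot then reports as "first good commit". The log also shows why a run script must look at the crash title rather than at "did the VM die": several runs hit unrelated crashes in snd_pcm_oss_set_trigger and snd_pcm_format_set_silence instead of the p9_fd_poll use-after-free. The following is an added example, not syzbot's or the kernel's code, of the verdict logic a `git bisect run` script needs for such a fix bisection: it maps a set of run results to git's exit-code convention (0 = old/good, 1 = new/bad, 125 = skip) and only counts crashes whose title contains the expected function. The `./repro` wrapper and `bisect.sh` file name in the usage comment are hypothetical; the run results fed to it in the comments are constructed from the log above.

```shell
#!/bin/sh
# Added example (not syzbot's code): the verdict logic a `git bisect run`
# script needs when bisecting a *fixing* commit, mirroring the inverted
# good/bad labels in the syzbot log.  Exit codes git bisect run understands:
#   0        "good"/old -> here: the crash still reproduces (fix not yet in)
#   1..124   "bad"/new  -> here: no matching crash in any run (fix is in)
#   125      "skip"     -> commit cannot be tested (build failure, no runs)
#
# bisect_verdict MODE PATTERN
#   MODE    is "fix" (look for the fixing commit, as the log does) or
#           "cause" (look for the commit that introduced the crash).
#   PATTERN is a substring the crash title must contain, e.g. p9_fd_poll,
#           so a run that died in an unrelated subsystem (the snd_pcm_*
#           crashes in the log) is not counted as a reproduction.
#   Reads one run result per line on stdin: "ok", "buildfail" or
#   "crashed:<title>".  The return value is the exit code to hand to git.
bisect_verdict() {
    mode=$1; pattern=$2
    runs=0; target=0; other=0
    while IFS= read -r r; do
        runs=$((runs + 1))
        case "$r" in
            ok)        ;;
            buildfail) return 125 ;;       # untestable commit: ask git to skip
            crashed:*)
                title=${r#crashed:}
                case "$title" in
                    *"$pattern"*) target=$((target + 1)) ;;   # the bug we bisect
                    *)            other=$((other + 1)) ;;    # unrelated crash
                esac ;;
            *) echo "bisect_verdict: unknown result '$r'" >&2; return 125 ;;
        esac
    done
    [ "$runs" -gt 0 ] || return 125        # no data at all: skip
    if [ "$target" -gt 0 ]; then reproduces=1; else reproduces=0; fi
    case "$mode:$reproduces" in
        fix:1)   return 0 ;;   # still crashes -> "good" (before the fix)
        fix:0)   return 1 ;;   # clean         -> "bad"  (fix is in)
        cause:1) return 1 ;;   # crashes       -> "bad"  (bug is in)
        cause:0) return 0 ;;   # clean         -> "good" (before the bug)
        *) echo "bisect_verdict: unknown mode '$mode'" >&2; return 125 ;;
    esac
}

# collect_runs N CMD...
#   Stand-in for syzbot's repeated VM runs (an assumption of this example):
#   runs CMD N times and prints one result line per run.  CMD must exit 0
#   when the kernel survived, and exit non-zero after printing the crash
#   title on stdout when it did not (a hypothetical ./repro wrapper could
#   do that by grepping the serial console for the KASAN report title).
collect_runs() {
    n=$1; shift
    i=0
    while [ "$i" -lt "$n" ]; do
        if out=$("$@"); then
            echo ok
        else
            echo "crashed:$out"
        fi
        i=$((i + 1))
    done
}

# bisect_step MODE PATTERN N CMD...
#   One bisection step: N runs, then a verdict.  Usage as a run script, with
#   git's own readable terms instead of the inverted good/bad (hypothetical
#   ./repro and bisect.sh):
#     git bisect start --term-old=crashes --term-new=fixed <fixed-rev> <crashing-rev>
#     git bisect run sh -c '. ./bisect.sh; bisect_step fix p9_fd_poll 10 ./repro'
bisect_step() {
    mode=$1; pattern=$2; n=$3; shift 3
    collect_runs "$n" "$@" | bisect_verdict "$mode" "$pattern"
}
```

With ten runs per revision, as in the log, one matching crash is enough to call a revision "still crashing"; that matches how syzbot labelled the revisions above, where every tested commit before the fix had at least one p9_fd_poll hit among the unrelated snd_pcm crashes. A clean run set on a commit whose build failed must return 125 rather than 1, otherwise a broken build in the middle of the range is mistaken for the fix.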