bisecting cause commit starting from e60b5f79bd7529e76b13cf1e85823abbd0e33634
building syzkaller on 7a06e79212dacfad95dfd1ded7e8b43f2bbf64a1
testing commit e60b5f79bd7529e76b13cf1e85823abbd0e33634 with gcc (GCC) 8.1.0
run #0: crashed: WARNING: ODEBUG bug in __do_softirq
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
testing release v4.20
testing commit 8fe28cb58bcb235034b64cbbb7550a8a43fd88be with gcc (GCC) 8.1.0
all runs: OK
# git bisect start e60b5f79bd7529e76b13cf1e85823abbd0e33634 v4.20
Bisecting: 6894 revisions left to test after this (roughly 13 steps)
[fe2b0cdabcd9e6aeca66a104bc03576946e5fee2] Merge tag 'for-4.21/libata-20181221' of git://git.kernel.dk/linux-block
testing commit fe2b0cdabcd9e6aeca66a104bc03576946e5fee2 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good fe2b0cdabcd9e6aeca66a104bc03576946e5fee2
Bisecting: 3491 revisions left to test after this (roughly 12 steps)
[115502a6f31d84d8172a71283aaea266302a8ad5] Merge tag 'linux-watchdog-4.21-rc1' of git://www.linux-watchdog.org/linux-watchdog
testing commit 115502a6f31d84d8172a71283aaea266302a8ad5 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 115502a6f31d84d8172a71283aaea266302a8ad5
Bisecting: 1745 revisions left to test after this (roughly 11 steps)
[47bfa6d9dc8c060bf56554a465c9031e286d2f80] Merge tag 'selinux-pr-20190115' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux
testing commit 47bfa6d9dc8c060bf56554a465c9031e286d2f80 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 47bfa6d9dc8c060bf56554a465c9031e286d2f80
Bisecting: 872 revisions left to test after this (roughly 10 steps)
[c50e964b76903b03a1516a04463c2faf945ec140] net: fec_mpc52xx: replace dev_kfree_skb_irq by dev_consume_skb_irq for drop profiles
testing commit c50e964b76903b03a1516a04463c2faf945ec140 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good c50e964b76903b03a1516a04463c2faf945ec140
Bisecting: 435 revisions left to test after this (roughly 9 steps)
[212146f0800e151bd61b98fb6fe4b8b6778a649a] Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
testing commit 212146f0800e151bd61b98fb6fe4b8b6778a649a with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 212146f0800e151bd61b98fb6fe4b8b6778a649a
Bisecting: 218 revisions left to test after this (roughly 8 steps)
[1f43f400a2cbb02f3d34de8fe30075c070254816] net: netcp: Fix ethss driver probe issue
testing commit 1f43f400a2cbb02f3d34de8fe30075c070254816 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 1f43f400a2cbb02f3d34de8fe30075c070254816
Bisecting: 110 revisions left to test after this (roughly 7 steps)
[1f5a018c5b15c2e3e519ae8ca9bfb03a00384448] Merge branch 'fixes-v5.1-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
testing commit 1f5a018c5b15c2e3e519ae8ca9bfb03a00384448 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 1f5a018c5b15c2e3e519ae8ca9bfb03a00384448
Bisecting: 55 revisions left to test after this (roughly 6 steps)
[a3504f7a38233030def726fcfe692e786ab162df] Merge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux
testing commit a3504f7a38233030def726fcfe692e786ab162df with gcc (GCC) 8.1.0
all runs: OK
# git bisect good a3504f7a38233030def726fcfe692e786ab162df
Bisecting: 32 revisions left to test after this (roughly 5 steps)
[8456e98e18f35f4d4376e8ff3110a3342f81ce9b] Merge branch 'parisc-5.0-1' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux
testing commit 8456e98e18f35f4d4376e8ff3110a3342f81ce9b with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 8456e98e18f35f4d4376e8ff3110a3342f81ce9b
Bisecting: 13 revisions left to test after this (roughly 4 steps)
[9053d2db8b04a468ce1ab92693b940b046ea392c] Merge tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc
testing commit 9053d2db8b04a468ce1ab92693b940b046ea392c with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 9053d2db8b04a468ce1ab92693b940b046ea392c
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[cb268d806972c76c34e5d74343fb6064cd722c7c] Merge branch 'fixes-v5.0-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
testing commit cb268d806972c76c34e5d74343fb6064cd722c7c with gcc (GCC) 8.1.0
run #0: crashed: WARNING: ODEBUG bug in __do_softirq
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad cb268d806972c76c34e5d74343fb6064cd722c7c
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[5b317cbf2bcb85a1e96ce87717cb991ecab1dd4d] Merge branch 'pm-cpufreq-fixes'
testing commit 5b317cbf2bcb85a1e96ce87717cb991ecab1dd4d with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in rpc_make_runnable
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 5b317cbf2bcb85a1e96ce87717cb991ecab1dd4d
Bisecting: 1 revision left to test after this (roughly 1 step)
[8cbd468bdeb5ed3acac2d7a9f7494d5b77e46297] cpufreq: scmi: Fix use-after-free in scmi_cpufreq_exit()
testing commit 8cbd468bdeb5ed3acac2d7a9f7494d5b77e46297 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 8cbd468bdeb5ed3acac2d7a9f7494d5b77e46297
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[74fb44863084275b952f21ec6a024af0e2e75cb8] PM-runtime: Fix deadlock when canceling hrtimer
testing commit 74fb44863084275b952f21ec6a024af0e2e75cb8 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 74fb44863084275b952f21ec6a024af0e2e75cb8
5b317cbf2bcb85a1e96ce87717cb991ecab1dd4d is the first bad commit
revisions tested: 16, total time: 5h11m57.682025398s (build: 2h10m40.364829692s, test: 2h52m6.437398485s)
first bad commit: 5b317cbf2bcb85a1e96ce87717cb991ecab1dd4d Merge branch 'pm-cpufreq-fixes'
cc: ["rafael.j.wysocki@intel.com"]
crash: KASAN: use-after-free Read in rpc_make_runnable
FS-Cache: O-key=[10] '0200020000807f000008'
FS-Cache: N-cookie c=0000000075957f87 [p=00000000fa538f39 fl=2 nc=0 na=1]
FS-Cache: N-cookie d=00000000bf5ef13b n=00000000b2fea5c6
FS-Cache: N-key=[10] '0200020000807f000008'
==================================================================
BUG: KASAN: use-after-free in rpc_make_runnable+0x153/0x190 net/sunrpc/sched.c:349
Read of size 2 at addr ffff888094f446a4 by task kworker/u5:0/18928

CPU: 1 PID: 18928 Comm: kworker/u5:0 Not tainted 5.0.0-rc7+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: xprtiod xs_udp_setup_socket
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x113/0x167 lib/dump_stack.c:113
 print_address_description.cold.5+0x9/0x1ff mm/kasan/report.c:187
 kasan_report.cold.6+0x1b/0x39 mm/kasan/report.c:317
 __asan_report_load2_noabort+0x14/0x20 mm/kasan/generic_report.c:133
 rpc_make_runnable+0x153/0x190 net/sunrpc/sched.c:349
 __rpc_do_wake_up_task_on_wq net/sunrpc/sched.c:444 [inline]
 rpc_wake_up_task_on_wq_queue_action_locked+0x5e5/0xcd0 net/sunrpc/sched.c:461
 rpc_wake_up_task_on_wq_queue_locked net/sunrpc/sched.c:473 [inline]
 rpc_wake_up_task_queue_locked net/sunrpc/sched.c:481 [inline]
 rpc_wake_up+0x94/0xe0 net/sunrpc/sched.c:657
 xprt_wake_pending_tasks+0x14/0x20 net/sunrpc/xprt.c:507
 xs_udp_setup_socket+0x9f/0x6a0 net/sunrpc/xprtsock.c:2103
 process_one_work+0x835/0x16b0 kernel/workqueue.c:2173
 worker_thread+0x85/0xb60 kernel/workqueue.c:2319
kobject: 'loop4' (00000000281a755c): fill_kobj_path: path = '/devices/virtual/block/loop4'
 kthread+0x327/0x3f0 kernel/kthread.c:246
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352

Allocated by task 19424:
 save_stack+0x43/0xd0 mm/kasan/common.c:73
 set_track mm/kasan/common.c:85 [inline]
 __kasan_kmalloc.constprop.9+0xcb/0xd0 mm/kasan/common.c:496
 kasan_kmalloc mm/kasan/common.c:504 [inline]
 kasan_slab_alloc+0x12/0x20 mm/kasan/common.c:411
 kmem_cache_alloc+0x130/0x730 mm/slab.c:3543
 mempool_alloc_slab+0x3a/0x50 mm/mempool.c:505
 mempool_alloc+0x11b/0x320 mm/mempool.c:385
 rpc_alloc_task net/sunrpc/sched.c:1014 [inline]
 rpc_new_task+0x4fa/0x660 net/sunrpc/sched.c:1026
 rpc_run_task+0x19/0x670 net/sunrpc/clnt.c:1057
 rpc_call_sync+0xa3/0x140 net/sunrpc/clnt.c:1095
 rpc_ping net/sunrpc/clnt.c:2529 [inline]
 rpc_create_xprt+0x25b/0x3d0 net/sunrpc/clnt.c:480
 rpc_create+0x2ba/0x4f0 net/sunrpc/clnt.c:588
 nfs_create_rpc_client+0x32d/0x550 fs/nfs/client.c:517
 nfs_init_client+0x53/0xd0 fs/nfs/client.c:629
 nfs_get_client+0x783/0x1160 fs/nfs/client.c:419
 nfs_init_server+0x1fd/0xcf0 fs/nfs/client.c:665
 nfs_create_server+0x72/0x4f0 fs/nfs/client.c:949
 nfs_try_mount+0x15c/0x790 fs/nfs/super.c:1873
 nfs_fs_mount+0x13bc/0x21f0 fs/nfs/super.c:2691
 mount_fs+0xd3/0x341 fs/super.c:1258
 vfs_kern_mount.part.35+0x58/0x3d0 fs/namespace.c:959
 vfs_kern_mount fs/namespace.c:949 [inline]
 do_new_mount fs/namespace.c:2513 [inline]
 do_mount+0x3ba/0x2890 fs/namespace.c:2847
 ksys_mount+0xba/0xe0 fs/namespace.c:3063
 __do_sys_mount fs/namespace.c:3077 [inline]
 __se_sys_mount fs/namespace.c:3074 [inline]
 __x64_sys_mount+0xb9/0x150 fs/namespace.c:3074
 do_syscall_64+0xd6/0x4e0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 19424:
 save_stack+0x43/0xd0 mm/kasan/common.c:73
 set_track mm/kasan/common.c:85 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:458
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:466
 __cache_free mm/slab.c:3487 [inline]
 kmem_cache_free+0x83/0x290 mm/slab.c:3749
 mempool_free_slab+0x12/0x20 mm/mempool.c:512
 mempool_free+0xcb/0x310 mm/mempool.c:494
 rpc_free_task+0x10b/0x140 net/sunrpc/sched.c:1064
 rpc_final_put_task+0xe9/0x120 net/sunrpc/sched.c:1090
 rpc_do_put_task+0x34/0x40 net/sunrpc/sched.c:1097
 rpc_put_task+0xb/0x10 net/sunrpc/sched.c:1103
 rpc_call_sync+0x119/0x140 net/sunrpc/clnt.c:1099
 rpc_ping net/sunrpc/clnt.c:2529 [inline]
 rpc_create_xprt+0x25b/0x3d0 net/sunrpc/clnt.c:480
 rpc_create+0x2ba/0x4f0 net/sunrpc/clnt.c:588
 nfs_create_rpc_client+0x32d/0x550 fs/nfs/client.c:517
 nfs_init_client+0x53/0xd0 fs/nfs/client.c:629
 nfs_get_client+0x783/0x1160 fs/nfs/client.c:419
 nfs_init_server+0x1fd/0xcf0 fs/nfs/client.c:665
 nfs_create_server+0x72/0x4f0 fs/nfs/client.c:949
 nfs_try_mount+0x15c/0x790 fs/nfs/super.c:1873
 nfs_fs_mount+0x13bc/0x21f0 fs/nfs/super.c:2691
 mount_fs+0xd3/0x341 fs/super.c:1258
 vfs_kern_mount.part.35+0x58/0x3d0 fs/namespace.c:959
 vfs_kern_mount fs/namespace.c:949 [inline]
 do_new_mount fs/namespace.c:2513 [inline]
 do_mount+0x3ba/0x2890 fs/namespace.c:2847
 ksys_mount+0xba/0xe0 fs/namespace.c:3063
 __do_sys_mount fs/namespace.c:3077 [inline]
 __se_sys_mount fs/namespace.c:3074 [inline]
 __x64_sys_mount+0xb9/0x150 fs/namespace.c:3074
 do_syscall_64+0xd6/0x4e0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff888094f445c0
 which belongs to the cache rpc_tasks of size 240
The buggy address is located 228 bytes inside of
 240-byte region [ffff888094f445c0, ffff888094f446b0)
The buggy address belongs to the page:
page:ffffea000253d100 count:1 mapcount:0 mapping:ffff888219c28c40 index:0xffff888094f44e80
flags: 0x1fffc0000000200(slab)
raw: 01fffc0000000200 ffffea00025d62c8 ffffea000254b008 ffff888219c28c40
raw: ffff888094f44e80 ffff888094f440c0 000000010000000a 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888094f44580: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
 ffff888094f44600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888094f44680: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
                               ^
 ffff888094f44700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888094f44780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
==================================================================