bisecting fixing commit since 050cdc6c9501abcd64720b8cc3e7941efee9547d
building syzkaller on 7ef1de9ea4b02a8799b3a7f4b1d7b06a586b3f37
testing commit 050cdc6c9501abcd64720b8cc3e7941efee9547d with gcc (GCC) 8.1.0
all runs: crashed: BUG: corrupted list in p9_write_work
testing current HEAD 0eb0ce0a78e1f57082bca6cbdea6fd04feedb876
testing commit 0eb0ce0a78e1f57082bca6cbdea6fd04feedb876 with gcc (GCC) 8.1.0
all runs: OK
# git bisect start 0eb0ce0a78e1f57082bca6cbdea6fd04feedb876 050cdc6c9501abcd64720b8cc3e7941efee9547d
Bisecting: 37162 revisions left to test after this (roughly 15 steps)
[67e79a6dc2664a3ef85113440e60f7aaca3c7815] Merge tag 'tty-5.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty
testing commit 67e79a6dc2664a3ef85113440e60f7aaca3c7815 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 67e79a6dc2664a3ef85113440e60f7aaca3c7815
Bisecting: 18556 revisions left to test after this (roughly 14 steps)
[2be09de7d6a06f58e768de1255a687c9aaa66606] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
testing commit 2be09de7d6a06f58e768de1255a687c9aaa66606 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 2be09de7d6a06f58e768de1255a687c9aaa66606
Bisecting: 9313 revisions left to test after this (roughly 13 steps)
[c7a2c49ea6c9eebbe44ff2c08b663b2905ee2c13] Merge tag 'nfs-for-4.20-1' of git://git.linux-nfs.org/projects/trondmy/linux-nfs
testing commit c7a2c49ea6c9eebbe44ff2c08b663b2905ee2c13 with gcc (GCC) 8.1.0
all runs: crashed: BUG: corrupted list in p9_write_work
# git bisect good c7a2c49ea6c9eebbe44ff2c08b663b2905ee2c13
Bisecting: 4630 revisions left to test after this (roughly 12 steps)
[b3491d8430dd25f0a4e00c33d60da22a9bd9d052] Merge tag 'media/v4.20-2' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media
testing commit b3491d8430dd25f0a4e00c33d60da22a9bd9d052 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad b3491d8430dd25f0a4e00c33d60da22a9bd9d052
Bisecting: 2453 revisions left to test after this (roughly 11 steps)
[fe675d4d3c6b96710d481346821839b4a817c672] Merge tag 'mailbox-v4.20' of git://git.linaro.org/landing-teams/working/fujitsu/integration
testing commit fe675d4d3c6b96710d481346821839b4a817c672 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad fe675d4d3c6b96710d481346821839b4a817c672
Bisecting: 1114 revisions left to test after this (roughly 10 steps)
[993d52e2f71560d539b3f194be2970eb9d8ce9c1] drm/omap: Use ERR_CAST directly instead of ERR_PTR(PTR_ERR())
testing commit 993d52e2f71560d539b3f194be2970eb9d8ce9c1 with gcc (GCC) 8.1.0
run #0: crashed: BUG: corrupted list in p9_write_work
run #1: crashed: BUG: corrupted list in p9_write_work
run #2: crashed: BUG: corrupted list in p9_write_work
run #3: crashed: BUG: corrupted list in p9_write_work
run #4: crashed: BUG: corrupted list in p9_write_work
run #5: crashed: BUG: corrupted list in p9_write_work
run #6: crashed: BUG: corrupted list in p9_write_work
run #7: crashed: BUG: corrupted list in p9_write_work
run #8: crashed: BUG: corrupted list in p9_write_work
run #9: crashed: no output from test machine
# git bisect good 993d52e2f71560d539b3f194be2970eb9d8ce9c1
Bisecting: 561 revisions left to test after this (roughly 9 steps)
[69d5b97c597307773fe6c59775a5d5a88bb7e6b3] HID: we do not randomly make new drivers 'default y'
testing commit 69d5b97c597307773fe6c59775a5d5a88bb7e6b3 with gcc (GCC) 8.1.0
all runs: crashed: BUG: corrupted list in p9_write_work
# git bisect good 69d5b97c597307773fe6c59775a5d5a88bb7e6b3
Bisecting: 280 revisions left to test after this (roughly 8 steps)
[e26f70a6539cc9d4b1d2589d1c50b2a2c8b22bea] drm/amd/powerplay: update PPtable with DC BTC and Tvr SocLimit fields
testing commit e26f70a6539cc9d4b1d2589d1c50b2a2c8b22bea with gcc (GCC) 8.1.0
run #0: crashed: BUG: corrupted list in p9_write_work
run #1: crashed: BUG: corrupted list in p9_write_work
run #2: crashed: BUG: corrupted list in p9_write_work
run #3: crashed: BUG: corrupted list in p9_write_work
run #4: crashed: BUG: corrupted list in p9_write_work
run #5: crashed: BUG: corrupted list in p9_write_work
run #6: crashed: BUG: corrupted list in p9_write_work
run #7: crashed: BUG: corrupted list in p9_write_work
run #8: crashed: BUG: corrupted list in p9_write_work
run #9: crashed: BUG: corrupted list in corrupted
# git bisect good e26f70a6539cc9d4b1d2589d1c50b2a2c8b22bea
Bisecting: 148 revisions left to test after this (roughly 7 steps)
[f8cab69be0a8a756a7409f6d2bd1e6e96ce46482] Merge tag 'linux-kselftest-4.20-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest
testing commit f8cab69be0a8a756a7409f6d2bd1e6e96ce46482 with gcc (GCC) 8.1.0
all runs: crashed: BUG: corrupted list in p9_write_work
# git bisect good f8cab69be0a8a756a7409f6d2bd1e6e96ce46482
Bisecting: 79 revisions left to test after this (roughly 6 steps)
[9f51ae62c84a23ade0ba86457d30a30c9db0c50f] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
testing commit 9f51ae62c84a23ade0ba86457d30a30c9db0c50f with gcc (GCC) 8.1.0
run #0: crashed: BUG: corrupted list in p9_write_work
run #1: crashed: BUG: corrupted list in p9_write_work
run #2: crashed: BUG: corrupted list in p9_write_work
run #3: crashed: BUG: corrupted list in p9_write_work
run #4: crashed: BUG: corrupted list in corrupted
run #5: crashed: BUG: corrupted list in p9_write_work
run #6: crashed: BUG: corrupted list in p9_write_work
run #7: crashed: BUG: corrupted list in p9_write_work
run #8: crashed: no output from test machine
run #9: crashed: no output from test machine
# git bisect good 9f51ae62c84a23ade0ba86457d30a30c9db0c50f
Bisecting: 49 revisions left to test after this (roughly 5 steps)
[673c790e72822ee433931ea701e4fceef75a0eac] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/gerg/m68knommu
testing commit 673c790e72822ee433931ea701e4fceef75a0eac with gcc (GCC) 8.1.0
all runs: crashed: BUG: corrupted list in p9_write_work
# git bisect good 673c790e72822ee433931ea701e4fceef75a0eac
Bisecting: 27 revisions left to test after this (roughly 5 steps)
[7da4221b530f0427cc09bdaa5c5c1bd86d30583d] Merge tag '9p-for-4.20' of git://github.com/martinetd/linux
testing commit 7da4221b530f0427cc09bdaa5c5c1bd86d30583d with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 7da4221b530f0427cc09bdaa5c5c1bd86d30583d
Bisecting: 10 revisions left to test after this (roughly 4 steps)
[426d5a0f9733ecc2c4d7b252672fa8b1970d1c91] 9p: fix spelling mistake in fall-through annotation
testing commit 426d5a0f9733ecc2c4d7b252672fa8b1970d1c91 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 426d5a0f9733ecc2c4d7b252672fa8b1970d1c91
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[6348b903d79119a8157aace08ab99521f5dba139] 9p: Remove p9_idpool
testing commit 6348b903d79119a8157aace08ab99521f5dba139 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in _copy_from_iter
# git bisect good 6348b903d79119a8157aace08ab99521f5dba139
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[43cbcbee9938b17f77cf34f1bc12d302f456810f] 9p: rename p9_free_req() function
testing commit 43cbcbee9938b17f77cf34f1bc12d302f456810f with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in _copy_from_iter
# git bisect good 43cbcbee9938b17f77cf34f1bc12d302f456810f
Bisecting: 0 revisions left to test after this (roughly 1 step)
[8b894adb2b7e1d1e64b8954569c761eaf3d51ab5] 9p/rdma: do not disconnect on down_interruptible EAGAIN
testing commit 8b894adb2b7e1d1e64b8954569c761eaf3d51ab5 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 8b894adb2b7e1d1e64b8954569c761eaf3d51ab5
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[728356dedeff8ef999cb436c71333ef4ac51a81c] 9p: Add refcount to p9_req_t
testing commit 728356dedeff8ef999cb436c71333ef4ac51a81c with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 728356dedeff8ef999cb436c71333ef4ac51a81c
728356dedeff8ef999cb436c71333ef4ac51a81c is the first bad commit
commit 728356dedeff8ef999cb436c71333ef4ac51a81c
Author: Tomas Bortoli
Date:   Tue Aug 14 19:43:42 2018 +0200

    9p: Add refcount to p9_req_t

    To avoid use-after-free(s), use a refcount to keep track of the
    usable references to any instantiated struct p9_req_t.

    This commit adds p9_req_put(), p9_req_get() and p9_req_try_get() as
    wrappers to kref_put(), kref_get() and kref_get_unless_zero().
    These are used by the client and the transports to keep track of
    valid requests' references.

    p9_free_req() is added back and used as callback by kref_put().

    Add SLAB_TYPESAFE_BY_RCU as it ensures that the memory freed by
    kmem_cache_free() will not be reused for another type until the rcu
    synchronisation period is over, so an address gotten under rcu read
    lock is safe to inc_ref() without corrupting random memory while
    the lock is held.

    Link: http://lkml.kernel.org/r/1535626341-20693-1-git-send-email-asmadeus@codewreck.org
    Co-developed-by: Dominique Martinet
    Signed-off-by: Tomas Bortoli
    Reported-by: syzbot+467050c1ce275af2a5b8@syzkaller.appspotmail.com
    Signed-off-by: Dominique Martinet

:040000 040000 65e4744682b6e32ed2e65a6fa022297012f26094 0da85becce2c5c90cb2138fef979ff5f028f9f5f M	include
:040000 040000 5346c8f8aaaa8d667a0aab27d0589fb61be32c27 8cae99d10699f46718c3fcaf94ff64525939cdfb M	net

revisions tested: 19, total time: 4h11m33.352447779s (build: 1h24m53.537038601s, test: 2h40m2.107757235s)
first good commit: 728356dedeff8ef999cb436c71333ef4ac51a81c 9p: Add refcount to p9_req_t
cc: ["asmadeus@codewreck.org" "davem@davemloft.net" "dominique.martinet@cea.fr" "ericvh@gmail.com" "linux-kernel@vger.kernel.org" "lucho@ionkov.net" "netdev@vger.kernel.org" "tomasbortoli@gmail.com" "v9fs-developer@lists.sourceforge.net"]