bisecting fixing commit since 0238df646e6224016a45505d2c111a24669ebe21
building syzkaller on 8b311eafa7f32ebcae67cdf5e16aa1ab3fc77e7f
testing commit 0238df646e6224016a45505d2c111a24669ebe21 with gcc (GCC) 8.1.0
run #0: crashed: WARNING in request_end
run #1: crashed: WARNING in request_end
run #2: crashed: WARNING in request_end
run #3: crashed: KASAN: use-after-free Read in fuse_dev_do_read
run #4: crashed: WARNING in request_end
run #5: crashed: WARNING in request_end
run #6: OK
run #7: OK
run #8: OK
run #9: OK
testing current HEAD ecb095bff5d4b8711a81968625b3b4a235d3e477
testing commit ecb095bff5d4b8711a81968625b3b4a235d3e477 with gcc (GCC) 8.1.0
all runs: OK
# git bisect start ecb095bff5d4b8711a81968625b3b4a235d3e477 0238df646e6224016a45505d2c111a24669ebe21
Bisecting: 36570 revisions left to test after this (roughly 15 steps)
[b5dd0c658c31b469ccff1b637e5124851e7a4a1c] Merge branch 'akpm' (patches from Andrew)
testing commit b5dd0c658c31b469ccff1b637e5124851e7a4a1c with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad b5dd0c658c31b469ccff1b637e5124851e7a4a1c
Bisecting: 18181 revisions left to test after this (roughly 14 steps)
[13e1ad2be3a85f5c0f76e82af9806b3d12a574d0] Merge branch 'x86-pti-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
testing commit 13e1ad2be3a85f5c0f76e82af9806b3d12a574d0 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 13e1ad2be3a85f5c0f76e82af9806b3d12a574d0
Bisecting: 8423 revisions left to test after this (roughly 13 steps)
[53b3b6bbfde6aae8d1ededc86ad4e0e1e00eb5f8] Merge tag 'drm-next-2018-10-24' of git://anongit.freedesktop.org/drm/drm
testing commit 53b3b6bbfde6aae8d1ededc86ad4e0e1e00eb5f8 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in fuse_dev_do_read
run #1: crashed: WARNING in request_end
run #2: crashed: KASAN: use-after-free Read in fuse_dev_do_read
run #3: crashed: WARNING in request_end
run #4: crashed: KASAN: use-after-free Read in fuse_dev_do_read
run #5: crashed: WARNING in request_end
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good 53b3b6bbfde6aae8d1ededc86ad4e0e1e00eb5f8
Bisecting: 4210 revisions left to test after this (roughly 12 steps)
[3381918fec9278d14f776d1dabd68da85fd6822e] Merge tag 'for-linus-20181123' of git://git.kernel.dk/linux-block
testing commit 3381918fec9278d14f776d1dabd68da85fd6822e with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 3381918fec9278d14f776d1dabd68da85fd6822e
Bisecting: 2171 revisions left to test after this (roughly 11 steps)
[53b7a3b7ec00f207c18e71f58ef2bca48635c622] Merge tag 'armsoc-defconfig' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc
testing commit 53b7a3b7ec00f207c18e71f58ef2bca48635c622 with gcc (GCC) 8.1.0
run #0: crashed: WARNING in request_end
run #1: crashed: WARNING in request_end
run #2: crashed: KASAN: use-after-free Read in fuse_dev_do_read
run #3: crashed: WARNING in request_end
run #4: crashed: WARNING in request_end
run #5: crashed: WARNING in request_end
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good 53b7a3b7ec00f207c18e71f58ef2bca48635c622
Bisecting: 1088 revisions left to test after this (roughly 10 steps)
[9931a07d518e86eb58a75e508ed9626f86359303] Merge branch 'work.afs' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
testing commit 9931a07d518e86eb58a75e508ed9626f86359303 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 9931a07d518e86eb58a75e508ed9626f86359303
Bisecting: 560 revisions left to test after this (roughly 9 steps)
[0c86e761b95131943c2b8af2ffb3c0554f9a71f5] Merge tag 'vfio-v4.20-rc1.v2' of git://github.com/awilliam/linux-vfio
testing commit 0c86e761b95131943c2b8af2ffb3c0554f9a71f5 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in fuse_dev_do_read
run #1: crashed: WARNING in request_end
run #2: crashed: WARNING in request_end
run #3: crashed: WARNING in request_end
run #4: crashed: KASAN: use-after-free Read in fuse_dev_do_read
run #5: crashed: WARNING in request_end
run #6: crashed: WARNING in request_end
run #7: crashed: WARNING in request_end
run #8: OK
run #9: crashed: KASAN: use-after-free Read in fuse_dev_do_read
# git bisect good 0c86e761b95131943c2b8af2ffb3c0554f9a71f5
Bisecting: 266 revisions left to test after this (roughly 8 steps)
[9b5cf826ef8b607d452ba7bf683ae5510a745232] Merge tag 'fuse-update-4.20' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse
testing commit 9b5cf826ef8b607d452ba7bf683ae5510a745232 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 9b5cf826ef8b607d452ba7bf683ae5510a745232
Bisecting: 149 revisions left to test after this (roughly 7 steps)
[19ef24654f2ef3f4392a8df431eccf8f42ac4878] Merge branch 'clk-ingenic-jz4725b' into clk-next
testing commit 19ef24654f2ef3f4392a8df431eccf8f42ac4878 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in fuse_dev_do_read
run #1: crashed: KASAN: use-after-free Read in fuse_dev_do_read
run #2: crashed: WARNING in request_end
run #3: crashed: KASAN: use-after-free Read in fuse_dev_do_read
run #4: OK
run #5: crashed: WARNING in request_end
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good 19ef24654f2ef3f4392a8df431eccf8f42ac4878
Bisecting: 81 revisions left to test after this (roughly 6 steps)
[d547d44e5c5dd82b32c2399632b254395a099072] Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/rzhang/linux
testing commit d547d44e5c5dd82b32c2399632b254395a099072 with gcc (GCC) 8.1.0
run #0: crashed: WARNING in request_end
run #1: crashed: WARNING in request_end
run #2: crashed: WARNING in request_end
run #3: crashed: KASAN: use-after-free Read in fuse_dev_do_read
run #4: crashed: WARNING in request_end
run #5: crashed: WARNING in request_end
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good d547d44e5c5dd82b32c2399632b254395a099072
Bisecting: 31 revisions left to test after this (roughly 5 steps)
[31990f0f5366a8f66688edae8688723b22034108] Merge tag 'ceph-for-4.20-rc1' of git://github.com/ceph/ceph-client
testing commit 31990f0f5366a8f66688edae8688723b22034108 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in fuse_dev_do_read
run #1: crashed: WARNING in request_end
run #2: crashed: WARNING in request_end
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good 31990f0f5366a8f66688edae8688723b22034108
Bisecting: 15 revisions left to test after this (roughly 4 steps)
[18172b10b674a7cd5340b2dd70202ce6622400bd] fuse: extract fuse_emit() helper
testing commit 18172b10b674a7cd5340b2dd70202ce6622400bd with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 18172b10b674a7cd5340b2dd70202ce6622400bd
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[2b30a533148af4f3865c0dcd619ad93ab3f4ba52] fuse: add locking to max_background and congestion_threshold changes
testing commit 2b30a533148af4f3865c0dcd619ad93ab3f4ba52 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 2b30a533148af4f3865c0dcd619ad93ab3f4ba52
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[908a572b80f6e9577b45e81b3dfe2e22111286b8] fuse: fix blocked_waitq wakeup
testing commit 908a572b80f6e9577b45e81b3dfe2e22111286b8 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 908a572b80f6e9577b45e81b3dfe2e22111286b8
Bisecting: 1 revision left to test after this (roughly 1 step)
[d2d2d4fb1f54eff0f3faa9762d84f6446a4bc5d0] fuse: Fix use-after-free in fuse_dev_do_write()
testing commit d2d2d4fb1f54eff0f3faa9762d84f6446a4bc5d0 with gcc (GCC) 8.1.0
run #0: crashed: WARNING in request_end
run #1: crashed: WARNING in request_end
run #2: crashed: WARNING in request_end
run #3: crashed: WARNING in request_end
run #4: crashed: WARNING in request_end
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good d2d2d4fb1f54eff0f3faa9762d84f6446a4bc5d0
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[4c316f2f3ff315cb48efb7435621e5bfb81df96d] fuse: set FR_SENT while locked
testing commit 4c316f2f3ff315cb48efb7435621e5bfb81df96d with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 4c316f2f3ff315cb48efb7435621e5bfb81df96d
4c316f2f3ff315cb48efb7435621e5bfb81df96d is the first bad commit
commit 4c316f2f3ff315cb48efb7435621e5bfb81df96d
Author: Miklos Szeredi
Date:   Fri Sep 28 16:43:22 2018 +0200

    fuse: set FR_SENT while locked

    Otherwise fuse_dev_do_write() could come in and finish off the request,
    and the set_bit(FR_SENT, ...) could trigger the WARN_ON(test_bit(FR_SENT,
    ...)) in request_end().

    Signed-off-by: Miklos Szeredi
    Reported-by: syzbot+ef054c4d3f64cd7f7cec@syzkaller.appspotmai
    Fixes: 46c34a348b0a ("fuse: no fc->lock for pqueue parts")
    Cc: # v4.2

:040000 040000 2ac9880d5afeb7f3f4cbe0035f5dab120e2e4bf3 d076966da93c9fa9f0af5b1d8ffda4fb2b0d5cdc M	fs
revisions tested: 18, total time: 5h14m29.510176416s (build: 1h38m58.987278653s, test: 3h29m22.859501794s)
first good commit: 4c316f2f3ff315cb48efb7435621e5bfb81df96d fuse: set FR_SENT while locked
cc: ["linux-fsdevel@vger.kernel.org" "linux-kernel@vger.kernel.org" "miklos@szeredi.hu" "mszeredi@redhat.com"]