bisecting fixing commit since c25c74b7476e27180e9b76840e963e542023f118
building syzkaller on 2e0e3130f967984ba51ac1387b67040f0d953942
testing commit c25c74b7476e27180e9b76840e963e542023f118 with gcc (GCC) 8.1.0
run #0: crashed: WARNING: ODEBUG bug in p9_fd_close
run #1: crashed: WARNING: ODEBUG bug in p9_fd_close
run #2: crashed: KASAN: use-after-free Read in __queue_work
run #3: crashed: KASAN: use-after-free Read in p9_conn_cancel
run #4: crashed: KASAN: use-after-free Read in __queue_work
run #5: crashed: KASAN: use-after-free Read in __queue_work
run #6: crashed: WARNING: ODEBUG bug in p9_fd_close
run #7: crashed: BUG: corrupted list in p9_conn_cancel
run #8: crashed: KASAN: use-after-free Read in __queue_work
run #9: crashed: KASAN: use-after-free Read in __queue_work
testing current HEAD 33920f1ec5bf47c5c0a1d2113989bdd9dfb3fae9
testing commit 33920f1ec5bf47c5c0a1d2113989bdd9dfb3fae9 with gcc (GCC) 8.1.0
all runs: OK
# git bisect start 33920f1ec5bf47c5c0a1d2113989bdd9dfb3fae9 c25c74b7476e27180e9b76840e963e542023f118
Bisecting: 44382 revisions left to test after this (roughly 16 steps)
[29cf2ee3b55547ed29a38d1080eaf32e9b4f991f] Merge tag 'qcom-arm64-for-5.1' of git://git.kernel.org/pub/scm/linux/kernel/git/agross/linux into arm/dt
testing commit 29cf2ee3b55547ed29a38d1080eaf32e9b4f991f with gcc (GCC) 8.1.0
run #0: basic kernel testing failed: failed to copy test binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/syzkaller/jobs/linux/workdir/image/key" "/tmp/syz-executor330256101" "root@10.128.10.63:./syz-executor330256101"]: exit status 1
ssh: connect to host 10.128.10.63 port 22: Connection timed out
lost connection
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 29cf2ee3b55547ed29a38d1080eaf32e9b4f991f
Bisecting: 22288 revisions left to test after this (roughly 15 steps)
[83c4087ce468601501ecde4d0ec5b2abd5f57c31] Merge branch 'for-4.20' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup
testing commit 83c4087ce468601501ecde4d0ec5b2abd5f57c31 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 83c4087ce468601501ecde4d0ec5b2abd5f57c31
Bisecting: 11052 revisions left to test after this (roughly 14 steps)
[2475c515d4031c494ff452508a8bf8c281ec6e56] Merge tag 'staging-4.19-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging
testing commit 2475c515d4031c494ff452508a8bf8c281ec6e56 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 2475c515d4031c494ff452508a8bf8c281ec6e56
Bisecting: 4730 revisions left to test after this (roughly 13 steps)
[9a76aba02a37718242d7cdc294f0a3901928aa57] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next
testing commit 9a76aba02a37718242d7cdc294f0a3901928aa57 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in __queue_work
run #1: crashed: KASAN: use-after-free Read in __queue_work
run #2: crashed: KASAN: use-after-free Read in __queue_work
run #3: crashed: KASAN: use-after-free Read in __queue_work
run #4: crashed: KASAN: use-after-free Read in __queue_work
run #5: crashed: WARNING: ODEBUG bug in p9_fd_close
run #6: crashed: KASAN: use-after-free Read in __queue_work
run #7: crashed: KASAN: use-after-free Read in __queue_work
run #8: crashed: WARNING: ODEBUG bug in p9_fd_close
run #9: crashed: general protection fault in p9_conn_cancel
# git bisect good 9a76aba02a37718242d7cdc294f0a3901928aa57
Bisecting: 2440 revisions left to test after this (roughly 11 steps)
[db06f826ec12bf0701ea7fc0a3c0aa00b84417c8] Merge tag 'clk-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux
testing commit db06f826ec12bf0701ea7fc0a3c0aa00b84417c8 with gcc (GCC) 8.1.0
run #0: crashed: general protection fault in p9_fd_cancel
run #1: crashed: KASAN: use-after-free Read in __queue_work
run #2: crashed: KASAN: use-after-free Read in __queue_work
run #3: crashed: BUG: corrupted list in p9_fd_cancel
run #4: crashed: WARNING: ODEBUG bug in p9_fd_close
run #5: crashed: BUG: corrupted list in p9_fd_cancel
run #6: crashed: KASAN: use-after-free Read in __queue_work
run #7: crashed: WARNING: ODEBUG bug in p9_fd_close
run #8: crashed: KASAN: use-after-free Read in __queue_work
run #9: crashed: BUG: corrupted list in p9_conn_cancel
# git bisect good db06f826ec12bf0701ea7fc0a3c0aa00b84417c8
Bisecting: 1174 revisions left to test after this (roughly 10 steps)
[6ada4e2826794bdf8d88f938a9ced0b80894b037] Merge branch 'akpm' (patches from Andrew)
testing commit 6ada4e2826794bdf8d88f938a9ced0b80894b037 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in __queue_work
run #1: crashed: WARNING: ODEBUG bug in p9_fd_close
run #2: crashed: KASAN: use-after-free Read in __queue_work
run #3: crashed: KASAN: use-after-free Read in __queue_work
run #4: crashed: KASAN: use-after-free Read in __queue_work
run #5: crashed: WARNING: ODEBUG bug in p9_fd_close
run #6: crashed: KASAN: use-after-free Read in __queue_work
run #7: crashed: KASAN: use-after-free Read in __queue_work
run #8: crashed: BUG: corrupted list in p9_fd_cancel
run #9: crashed: WARNING: ODEBUG bug in p9_fd_close
# git bisect good 6ada4e2826794bdf8d88f938a9ced0b80894b037
Bisecting: 587 revisions left to test after this (roughly 9 steps)
[803ff424e46260d058daa998cc474639ca017f38] staging: gasket: core: convert to standard logging
testing commit 803ff424e46260d058daa998cc474639ca017f38 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in __queue_work
run #1: crashed: KASAN: use-after-free Read in __queue_work
run #2: crashed: KASAN: use-after-free Read in __queue_work
run #3: crashed: KASAN: use-after-free Read in __queue_work
run #4: crashed: KASAN: use-after-free Read in __queue_work
run #5: crashed: KASAN: use-after-free Read in __queue_work
run #6: crashed: KASAN: use-after-free Read in __queue_work
run #7: crashed: WARNING: ODEBUG bug in p9_fd_close
run #8: crashed: WARNING: ODEBUG bug in p9_fd_close
run #9: crashed: KASAN: use-after-free Read in __queue_work
# git bisect good 803ff424e46260d058daa998cc474639ca017f38
Bisecting: 293 revisions left to test after this (roughly 8 steps)
[edec14020e3fcfb0a86bfa9f1d512b922697890f] staging: mt7621-pci: remove unused macros
testing commit edec14020e3fcfb0a86bfa9f1d512b922697890f with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in __queue_work
# git bisect good edec14020e3fcfb0a86bfa9f1d512b922697890f
Bisecting: 129 revisions left to test after this (roughly 7 steps)
[45dd7af410b71da511085b806c22caf8ecca87e4] Merge tag 'usb-for-v4.19' of git://git.kernel.org/pub/scm/linux/kernel/git/balbi/usb into usb-next
testing commit 45dd7af410b71da511085b806c22caf8ecca87e4 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in __queue_work
run #1: crashed: KASAN: use-after-free Read in __queue_work
run #2: crashed: KASAN: use-after-free Read in __queue_work
run #3: crashed: KASAN: use-after-free Read in __queue_work
run #4: crashed: KASAN: use-after-free Read in __queue_work
run #5: crashed: KASAN: use-after-free Read in __queue_work
run #6: crashed: KASAN: use-after-free Read in __queue_work
run #7: crashed: BUG: corrupted list in p9_fd_cancel
run #8: crashed: KASAN: use-after-free Read in __queue_work
run #9: crashed: KASAN: use-after-free Read in __queue_work
# git bisect good 45dd7af410b71da511085b806c22caf8ecca87e4
Bisecting: 64 revisions left to test after this (roughly 6 steps)
[628c534ae73581fd21a09a27b7a4222b01a44d64] serial: sh-sci: Improve support for separate TEI and DRI interrupts
testing commit 628c534ae73581fd21a09a27b7a4222b01a44d64 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in __queue_work
run #1: crashed: WARNING: ODEBUG bug in p9_fd_close
run #2: crashed: KASAN: use-after-free Read in __queue_work
run #3: crashed: KASAN: use-after-free Read in __queue_work
run #4: crashed: KASAN: use-after-free Read in __queue_work
run #5: crashed: WARNING: ODEBUG bug in p9_fd_close
run #6: crashed: KASAN: use-after-free Read in __queue_work
run #7: crashed: WARNING: ODEBUG bug in p9_fd_close
run #8: crashed: BUG: corrupted list in p9_conn_cancel
run #9: crashed: KASAN: use-after-free Read in __queue_work
# git bisect good 628c534ae73581fd21a09a27b7a4222b01a44d64
Bisecting: 29 revisions left to test after this (roughly 5 steps)
[336722eb9d9732c5a497fb6299bf38cde413592b] Merge tag 'tty-4.19-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty
testing commit 336722eb9d9732c5a497fb6299bf38cde413592b with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 336722eb9d9732c5a497fb6299bf38cde413592b
Bisecting: 17 revisions left to test after this (roughly 4 steps)
[3111784bee81591ea2815011688d28b65df03627] fs/9p/xattr.c: catch the error of p9_client_clunk when setting xattr failed
testing commit 3111784bee81591ea2815011688d28b65df03627 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 3111784bee81591ea2815011688d28b65df03627
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[b5303be2bee3c8b29de3f7f4ea8ae00c4e816760] 9p: Change p9_fid_create calling convention
testing commit b5303be2bee3c8b29de3f7f4ea8ae00c4e816760 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in __queue_work
run #1: crashed: KASAN: use-after-free Read in __queue_work
run #2: crashed: KASAN: use-after-free Read in __queue_work
run #3: crashed: WARNING: ODEBUG bug in p9_fd_close
run #4: crashed: KASAN: use-after-free Read in __queue_work
run #5: crashed: KASAN: use-after-free Read in __queue_work
run #6: crashed: KASAN: use-after-free Read in __queue_work
run #7: crashed: BUG: corrupted list in p9_conn_cancel
run #8: crashed: KASAN: use-after-free Read in __queue_work
run #9: crashed: KASAN: use-after-free Read in __queue_work
# git bisect good b5303be2bee3c8b29de3f7f4ea8ae00c4e816760
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[c7ebbae7cf9c50253a978f25d72d16e012bd46f1] net/9p/trans_virtio.c: fix some spell mistakes in comments
testing commit c7ebbae7cf9c50253a978f25d72d16e012bd46f1 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in __queue_work
run #1: crashed: KASAN: use-after-free Read in __queue_work
run #2: crashed: KASAN: use-after-free Read in __queue_work
run #3: crashed: KASAN: use-after-free Read in __queue_work
run #4: crashed: WARNING: ODEBUG bug in p9_fd_close
run #5: crashed: KASAN: use-after-free Read in __queue_work
run #6: crashed: KASAN: use-after-free Read in __queue_work
run #7: crashed: BUG: corrupted list in p9_fd_cancel
run #8: crashed: KASAN: use-after-free Read in __queue_work
run #9: crashed: WARNING: ODEBUG bug in p9_fd_close
# git bisect good c7ebbae7cf9c50253a978f25d72d16e012bd46f1
Bisecting: 2 revisions left to test after this (roughly 1 step)
[430ac66eb4c5b5c4eb846b78ebf65747510b30f1] net/9p/trans_fd.c: fix race-condition by flushing workqueue before the kfree()
testing commit 430ac66eb4c5b5c4eb846b78ebf65747510b30f1 with gcc (GCC) 8.1.0
run #0: crashed: BUG: corrupted list in p9_conn_cancel
run #1: crashed: BUG: corrupted list in p9_fd_cancel
run #2: crashed: BUG: corrupted list in p9_conn_cancel
run #3: crashed: BUG: corrupted list in p9_conn_cancel
run #4: crashed: BUG: corrupted list in p9_conn_cancel
run #5: crashed: BUG: corrupted list in p9_conn_cancel
run #6: crashed: BUG: corrupted list in p9_fd_cancel
run #7: crashed: BUG: corrupted list in p9_conn_cancel
run #8: crashed: BUG: corrupted list in p9_fd_cancel
run #9: crashed: BUG: corrupted list in p9_fd_cancel
# git bisect good 430ac66eb4c5b5c4eb846b78ebf65747510b30f1
Bisecting: 0 revisions left to test after this (roughly 1 step)
[f984579a01d85166ee7380204a96d978a67687a1] 9p: validate PDU length
testing commit f984579a01d85166ee7380204a96d978a67687a1 with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad f984579a01d85166ee7380204a96d978a67687a1
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[9f476d7c540cb57556d3cc7e78704e6cd5100f5f] net/9p/trans_fd.c: fix race by holding the lock
testing commit 9f476d7c540cb57556d3cc7e78704e6cd5100f5f with gcc (GCC) 8.1.0
all runs: OK
# git bisect bad 9f476d7c540cb57556d3cc7e78704e6cd5100f5f
9f476d7c540cb57556d3cc7e78704e6cd5100f5f is the first bad commit
commit 9f476d7c540cb57556d3cc7e78704e6cd5100f5f
Author: Tomas Bortoli
Date:   Mon Jul 23 20:42:53 2018 +0200

    net/9p/trans_fd.c: fix race by holding the lock

    It may be possible to run p9_fd_cancel() with a deleted req->req_list and
    incur in a double del.
    To fix hold the client->lock while changing the status, so the other
    threads will be synchronized.

    Link: http://lkml.kernel.org/r/20180723184253.6682-1-tomasbortoli@gmail.com
    Signed-off-by: Tomas Bortoli
    Reported-by: syzbot+735d926e9d1317c3310c@syzkaller.appspotmail.com
    To: Eric Van Hensbergen
    To: Ron Minnich
    To: Latchesar Ionkov
    Cc: Yiwen Jiang
    Cc: David S. Miller
    Signed-off-by: Dominique Martinet

:040000 040000 580948df285ae96f8ff9ccd49ec535c78ad96685 fdd278a4a68fc86ddcd75d6fd4e21b3b05201d6e M	net

revisions tested: 19, total time: 4h14m37.828326506s (build: 1h38m26.975429427s, test: 2h29m47.612031692s)
first good commit: 9f476d7c540cb57556d3cc7e78704e6cd5100f5f net/9p/trans_fd.c: fix race by holding the lock
cc: ["davem@davemloft.net" "dominique.martinet@cea.fr" "jiangyiwen@huwei.com" "tomasbortoli@gmail.com"]