bisecting fixing commit since 7cdefde351b6911ec5ef39322980296c091f6c52
building syzkaller on 0eb59c27682ecbe1d467de4c4accbb3f9c807042
testing commit 7cdefde351b6911ec5ef39322980296c091f6c52 with gcc (GCC) 8.1.0
kernel signature: 3be08d3e32ee77fbb1c7de897acaa45f2d31290fdbe084aad39d09607e78959e
all runs: crashed: KASAN: use-after-free Read in rdma_listen
testing current HEAD 765675379b6253b6901563e649a2f87d28ada3ff
testing commit 765675379b6253b6901563e649a2f87d28ada3ff with gcc (GCC) 8.1.0
kernel signature: 5e6bee3e9f6cb7dce53f8c3e142e967f5572b508160602c74d7244df6a268393
all runs: OK
# git bisect start 765675379b6253b6901563e649a2f87d28ada3ff 7cdefde351b6911ec5ef39322980296c091f6c52
Bisecting: 815 revisions left to test after this (roughly 10 steps)
[7c1a140b000d3768d759b5c0df7144c73b398065] net: thunderx: workaround BGX TX Underflow issue
testing commit 7c1a140b000d3768d759b5c0df7144c73b398065 with gcc (GCC) 8.1.0
kernel signature: 2a6a3dcf62606692e44ac5fa056cc6b45f55b3ee5dffa62dc43d0c396427affc
all runs: crashed: KASAN: use-after-free Read in rdma_listen
# git bisect good 7c1a140b000d3768d759b5c0df7144c73b398065
Bisecting: 407 revisions left to test after this (roughly 9 steps)
[b12448912c5e3c38f5baa58fb1f8912a1926a542] mlxsw: spectrum_flower: Do not stop at FLOW_ACTION_VLAN_MANGLE
testing commit b12448912c5e3c38f5baa58fb1f8912a1926a542 with gcc (GCC) 8.1.0
kernel signature: 380f711b81a33e61dc73f861e167210fc6f2abbe35c2f8b9822f7cf29ec12149
all runs: crashed: KASAN: use-after-free Read in rdma_listen
# git bisect good b12448912c5e3c38f5baa58fb1f8912a1926a542
Bisecting: 203 revisions left to test after this (roughly 8 steps)
[570fbaeac923d25b31a09dca534a604f9552d77a] x86/resctrl: Fix invalid attempt at removing the default resource group
testing commit 570fbaeac923d25b31a09dca534a604f9552d77a with gcc (GCC) 8.1.0
kernel signature: 49ed7e46d0fb2b7c173969171b41099d47bb19216d56297740d3927f4cb765c4
all runs: OK
# git bisect bad 570fbaeac923d25b31a09dca534a604f9552d77a
Bisecting: 101 revisions left to test after this (roughly 7 steps)
[de2ac8a719fd077456a0e8cdc1aabd6704a38a6a] KVM: s390: vsie: Fix delivery of addressing exceptions
testing commit de2ac8a719fd077456a0e8cdc1aabd6704a38a6a with gcc (GCC) 8.1.0
kernel signature: 86343aeaa7b41bfd86de802c83b9ec57bbcbb804d1ae267e72f262f3a8d4e672
all runs: OK
# git bisect bad de2ac8a719fd077456a0e8cdc1aabd6704a38a6a
Bisecting: 50 revisions left to test after this (roughly 6 steps)
[cf535659b37d079b7e631e1a148dafe1624fb7cb] block: Fix use-after-free issue accessing struct io_cq
testing commit cf535659b37d079b7e631e1a148dafe1624fb7cb with gcc (GCC) 8.1.0
kernel signature: 04596bac9e4605cc0c8d3cac1af39dee801e561eecc1d2c9a6a884aba2519440
all runs: OK
# git bisect bad cf535659b37d079b7e631e1a148dafe1624fb7cb
Bisecting: 25 revisions left to test after this (roughly 5 steps)
[565fcc44698e1824fe00d4ffd06943f2d1241ec2] net: vxge: fix wrong __VA_ARGS__ usage
testing commit 565fcc44698e1824fe00d4ffd06943f2d1241ec2 with gcc (GCC) 8.1.0
kernel signature: 4040eb89c1ce9ac265aa357e61ee15d9947557abfcabec241ebaf2fea9df8788
all runs: OK
# git bisect bad 565fcc44698e1824fe00d4ffd06943f2d1241ec2
Bisecting: 12 revisions left to test after this (roughly 4 steps)
[78a4ad28608a530b5bd85da60307d61133e68040] Bluetooth: RFCOMM: fix ODEBUG bug in rfcomm_dev_ioctl
testing commit 78a4ad28608a530b5bd85da60307d61133e68040 with gcc (GCC) 8.1.0
kernel signature: 0a5ec27b06119bd7f67442dd4445f869fef86fad2a6bee5265f66d1c373cabc3
all runs: OK
# git bisect bad 78a4ad28608a530b5bd85da60307d61133e68040
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[8e2335d85414583d7827fec5b6275d17d1cfded6] IB/hfi1: Call kobject_put() when kobject_init_and_add() fails
testing commit 8e2335d85414583d7827fec5b6275d17d1cfded6 with gcc (GCC) 8.1.0
kernel signature: d2787dcd7580cc7dc0c58583dc2b5c12a93ea34be64e2063702a171942cdbe15
all runs: crashed: KASAN: use-after-free Read in rdma_listen
# git bisect good 8e2335d85414583d7827fec5b6275d17d1cfded6
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[4eeddc6229e7c10a220afae4bb63ddb69200d218] ceph: canonicalize server path in place
testing commit 4eeddc6229e7c10a220afae4bb63ddb69200d218 with gcc (GCC) 8.1.0
kernel signature: 45999fea71b42edded4598bc9fdeb0cc17768518a4d4b7cc38191b1e2511cf91
all runs: crashed: KASAN: use-after-free Read in rdma_listen
# git bisect good 4eeddc6229e7c10a220afae4bb63ddb69200d218
Bisecting: 0 revisions left to test after this (roughly 1 step)
[ee433d1cdee016c73707b4636c9dd4424aaaad53] RDMA/cma: Teach lockdep about the order of rtnl and lock
testing commit ee433d1cdee016c73707b4636c9dd4424aaaad53 with gcc (GCC) 8.1.0
kernel signature: 06801b7e6886f6dffa925eaa2c7a61e9cdf44e3e362971b5e4870e93df044ef6
all runs: OK
# git bisect bad ee433d1cdee016c73707b4636c9dd4424aaaad53
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[abc4ea7f1345398261295345fd9b30243e4f4f8e] RDMA/ucma: Put a lock around every call to the rdma_cm layer
testing commit abc4ea7f1345398261295345fd9b30243e4f4f8e with gcc (GCC) 8.1.0
kernel signature: 20a6a4aaf1c963b8736ffdc9d9f898a977c595681c43f295ead440b96adee473
all runs: OK
# git bisect bad abc4ea7f1345398261295345fd9b30243e4f4f8e
abc4ea7f1345398261295345fd9b30243e4f4f8e is the first bad commit
commit abc4ea7f1345398261295345fd9b30243e4f4f8e
Author: Jason Gunthorpe
Date:   Tue Feb 18 15:45:38 2020 -0400

    RDMA/ucma: Put a lock around every call to the rdma_cm layer

    commit 7c11910783a1ea17e88777552ef146cace607b3c upstream.

    The rdma_cm must be used single threaded. This appears to be a bug in
    the design, as it does have lots of locking that seems like it should
    allow concurrency. However, when it is all said and done every single
    place that uses the cma_exch() scheme is broken, and all the unlocked
    reads from the ucma of the cm_id data are wrong too.

    syzkaller has been finding endless bugs related to this.

    Fixing this in any elegant way is some enormous amount of work. Take a
    very big hammer and put a mutex around everything to do with the
    ucma_context at the top of every syscall.

    Fixes: 75216638572f ("RDMA/cma: Export rdma cm interface to userspace")
    Link: https://lore.kernel.org/r/20200218210432.GA31966@ziepe.ca
    Reported-by: syzbot+adb15cf8c2798e4e0db4@syzkaller.appspotmail.com
    Reported-by: syzbot+e5579222b6a3edd96522@syzkaller.appspotmail.com
    Reported-by: syzbot+4b628fcc748474003457@syzkaller.appspotmail.com
    Reported-by: syzbot+29ee8f76017ce6cf03da@syzkaller.appspotmail.com
    Reported-by: syzbot+6956235342b7317ec564@syzkaller.appspotmail.com
    Reported-by: syzbot+b358909d8d01556b790b@syzkaller.appspotmail.com
    Reported-by: syzbot+6b46b135602a3f3ac99e@syzkaller.appspotmail.com
    Reported-by: syzbot+8458d13b13562abf6b77@syzkaller.appspotmail.com
    Reported-by: syzbot+bd034f3fdc0402e942ed@syzkaller.appspotmail.com
    Reported-by: syzbot+c92378b32760a4eef756@syzkaller.appspotmail.com
    Reported-by: syzbot+68b44a1597636e0b342c@syzkaller.appspotmail.com
    Signed-off-by: Jason Gunthorpe
    Signed-off-by: Greg Kroah-Hartman

 drivers/infiniband/core/ucma.c | 49 ++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 47 insertions(+), 2 deletions(-)

culprit signature: 20a6a4aaf1c963b8736ffdc9d9f898a977c595681c43f295ead440b96adee473
parent signature: 45999fea71b42edded4598bc9fdeb0cc17768518a4d4b7cc38191b1e2511cf91
revisions tested: 13, total time: 3h53m11.10989221s (build: 2h0m7.816542522s, test: 1h51m0.63987337s)
first good commit: abc4ea7f1345398261295345fd9b30243e4f4f8e RDMA/ucma: Put a lock around every call to the rdma_cm layer
cc: ["dledford@redhat.com" "gregkh@linuxfoundation.org" "jgg@mellanox.com" "jgg@ziepe.ca" "linux-kernel@vger.kernel.org" "linux-rdma@vger.kernel.org"]