bisecting fixing commit since cee407c5cc427a7d9b21ee964fbda613e368bdff
building syzkaller on 9d751681c8ca1ef150e96f3c1e18bdcaab99c9b9
testing commit cee407c5cc427a7d9b21ee964fbda613e368bdff with gcc (GCC) 10.2.1 20210217
kernel signature: 90619a4b2af22e024bb87c112a19bb0ab12b89eed9e1f1d738859992a64c8656
run #0: crashed: KASAN: use-after-free Read in __cpuhp_state_remove_instance
run #1: crashed: KASAN: use-after-free Read in __cpuhp_state_remove_instance
run #2: crashed: KASAN: use-after-free Read in __cpuhp_state_remove_instance
run #3: crashed: KASAN: use-after-free Read in __cpuhp_state_remove_instance
run #4: crashed: KASAN: use-after-free Read in __cpuhp_state_remove_instance
run #5: crashed: KASAN: use-after-free Read in __cpuhp_state_remove_instance
run #6: OK
run #7: OK
run #8: OK
run #9: OK
run #10: OK
run #11: OK
run #12: OK
run #13: OK
run #14: OK
run #15: OK
run #16: OK
run #17: OK
run #18: OK
run #19: OK
reproducer seems to be flaky
testing current HEAD bf05bf16c76bb44ab5156223e1e58e26dfe30a88
testing commit bf05bf16c76bb44ab5156223e1e58e26dfe30a88 with gcc (GCC) 10.2.1 20210217
kernel signature: 9e7e07e4f0db95be30eba77be3f529d5f7d37517da066787f0d3a0e9a0df146c
all runs: OK
# git bisect start bf05bf16c76bb44ab5156223e1e58e26dfe30a88 cee407c5cc427a7d9b21ee964fbda613e368bdff
Bisecting: 1148 revisions left to test after this (roughly 10 steps)
[e3512fb67093fabdf27af303066627b921ee9bd8] drm/amdgpu: check alignment on CPU page for bo map
testing commit e3512fb67093fabdf27af303066627b921ee9bd8 with gcc (GCC) 10.2.1 20210217
kernel signature: afcc9894d2249aa40ef2606f74135feaf53a3f8dc7369725a31e3e5c3fc5c876
all runs: OK
# git bisect bad e3512fb67093fabdf27af303066627b921ee9bd8
Bisecting: 573 revisions left to test after this (roughly 9 steps)
[9278be92f22979a026a68206e226722138c9443d] Merge tag 'io_uring-5.12-2021-03-12' of git://git.kernel.dk/linux-block
testing commit 9278be92f22979a026a68206e226722138c9443d with gcc (GCC) 10.2.1 20210217
kernel signature: ef580fb608e1e30db5c420dcceca3461e748e1db31734b7b7a0f1fe727797e0e
all runs: OK
# git bisect bad 9278be92f22979a026a68206e226722138c9443d
Bisecting: 351 revisions left to test after this (roughly 8 steps)
[6a30bedfdf3be7bb5bf4effb4b2a28920cd2db1a] Merge git://git.kernel.org:/pub/scm/linux/kernel/git/davem/sparc
testing commit 6a30bedfdf3be7bb5bf4effb4b2a28920cd2db1a with gcc (GCC) 10.2.1 20210217
kernel signature: 813294579ae03e7d45b3351a91ba62e93a38c59724a13972904322e4f4e8443a
all runs: OK
# git bisect bad 6a30bedfdf3be7bb5bf4effb4b2a28920cd2db1a
Bisecting: 107 revisions left to test after this (roughly 7 steps)
[47454caf45f0481988912a4980ef751a1c637b76] Merge tag 'block-5.12-2021-03-05' of git://git.kernel.dk/linux-block
testing commit 47454caf45f0481988912a4980ef751a1c637b76 with gcc (GCC) 10.2.1 20210217
kernel signature: 1a6c32d448b5264dfe6c40bb4e78b34c8b1f58577de6ebaf661c931936094367
all runs: OK
# git bisect bad 47454caf45f0481988912a4980ef751a1c637b76
Bisecting: 54 revisions left to test after this (roughly 6 steps)
[6d47254c063426541e7134fc5632243356ee74b1] Merge tag 'pm-5.12-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm
testing commit 6d47254c063426541e7134fc5632243356ee74b1 with gcc (GCC) 10.2.1 20210217
kernel signature: 57a70ccec98473e5fa3a7ea90b6d5b12896f22a406d0f7aca15da864e284e915
run #0: crashed: KASAN: use-after-free Read in __cpuhp_state_remove_instance
run #1: crashed: KASAN: use-after-free Read in __cpuhp_state_remove_instance
run #2: crashed: KASAN: use-after-free Read in __cpuhp_state_remove_instance
run #3: crashed: KASAN: use-after-free Read in __cpuhp_state_remove_instance
run #4: crashed: KASAN: use-after-free Read in __cpuhp_state_remove_instance
run #5: crashed: KASAN: use-after-free Read in __cpuhp_state_remove_instance
run #6: OK
run #7: OK
run #8: OK
run #9: OK
run #10: OK
run #11: OK
run #12: OK
run #13: OK
run #14: OK
run #15: OK
run #16: OK
run #17: OK
run #18: OK
run #19: OK
# git bisect good 6d47254c063426541e7134fc5632243356ee74b1
Bisecting: 27 revisions left to test after this (roughly 5 steps)
[64c7212391e778949aa3055fb3863439417ddba9] io_uring: choose right tctx->io_wq for try cancel
testing commit 64c7212391e778949aa3055fb3863439417ddba9 with gcc (GCC) 10.2.1 20210217
kernel signature: bc703109444fa035c3f806713af6dba902d50a48a47fef58d5da27c74d4ec487
all runs: OK
# git bisect bad 64c7212391e778949aa3055fb3863439417ddba9
Bisecting: 13 revisions left to test after this (roughly 4 steps)
[8452d4a674b0e59bd53baef0b30b018690dde594] io_uring: destroy io-wq on exec
testing commit 8452d4a674b0e59bd53baef0b30b018690dde594 with gcc (GCC) 10.2.1 20210217
kernel signature: 155095939e05bbf83278a17d1b502d5958540ec4e93e2c43ed14ce04cafefd25
all runs: OK
# git bisect bad 8452d4a674b0e59bd53baef0b30b018690dde594
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[470ec4ed8c91b4db398ad607c700e9ce88365202] io-wq: fix double put of 'wq' in error path
testing commit 470ec4ed8c91b4db398ad607c700e9ce88365202 with gcc (GCC) 10.2.1 20210217
kernel signature: f4c3177f5cb2ae964d45eccd5db75e4b3a29ce3313616e1f24ffd2fc265579b7
all runs: OK
# git bisect bad 470ec4ed8c91b4db398ad607c700e9ce88365202
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[613eeb600e3e636a1d3b3711dddaf2b134d5a32c] io-wq: don't ask for a new worker if we're exiting
testing commit 613eeb600e3e636a1d3b3711dddaf2b134d5a32c with gcc (GCC) 10.2.1 20210217
kernel signature: 1b1633e25e85acad47446ce7c3242f08d1c734a75e5ef41b5c801171fe5a550d
run #0: crashed: KASAN: use-after-free Read in __cpuhp_state_remove_instance
run #1: crashed: KASAN: use-after-free Read in __cpuhp_state_remove_instance
run #2: crashed: KASAN: use-after-free Read in __cpuhp_state_remove_instance
run #3: crashed: KASAN: use-after-free Read in __cpuhp_state_remove_instance
run #4: crashed: KASAN: use-after-free Read in __cpuhp_state_remove_instance
run #5: crashed: KASAN: use-after-free Read in __cpuhp_state_remove_instance
run #6: crashed: KASAN: use-after-free Read in __cpuhp_state_remove_instance
run #7: OK
run #8: OK
run #9: OK
run #10: OK
run #11: OK
run #12: OK
run #13: OK
run #14: OK
run #15: OK
run #16: OK
run #17: OK
run #18: OK
run #19: OK
# git bisect good 613eeb600e3e636a1d3b3711dddaf2b134d5a32c
Bisecting: 0 revisions left to test after this (roughly 1 step)
[d364d9e5db41678b77ed95c41e3ccaad9ab99ba0] io-wq: wait for manager exit on wq destroy
testing commit d364d9e5db41678b77ed95c41e3ccaad9ab99ba0 with gcc (GCC) 10.2.1 20210217
kernel signature: 4cf84cfd7c37015c884679231e3d6529436c7e6b148a82fb788780789668409c
run #0: crashed: KASAN: use-after-free Read in __cpuhp_state_remove_instance
run #1: crashed: KASAN: use-after-free Read in __cpuhp_state_remove_instance
run #2: crashed: KASAN: use-after-free Read in __cpuhp_state_remove_instance
run #3: crashed: KASAN: use-after-free Read in __cpuhp_state_remove_instance
run #4: crashed: KASAN: use-after-free Read in __cpuhp_state_remove_instance
run #5: crashed: KASAN: use-after-free Read in __cpuhp_state_remove_instance
run #6: crashed: KASAN: use-after-free Read in __cpuhp_state_remove_instance
run #7: crashed: KASAN: use-after-free Read in __cpuhp_state_remove_instance
run #8: crashed: KASAN: use-after-free Read in __cpuhp_state_remove_instance
run #9: OK
run #10: OK
run #11: OK
run #12: OK
run #13: OK
run #14: OK
run #15: OK
run #16: OK
run #17: OK
run #18: OK
run #19: OK
# git bisect good d364d9e5db41678b77ed95c41e3ccaad9ab99ba0
470ec4ed8c91b4db398ad607c700e9ce88365202 is the first bad commit
commit 470ec4ed8c91b4db398ad607c700e9ce88365202
Author: Jens Axboe
Date: Fri Feb 26 10:20:34 2021 -0700

    io-wq: fix double put of 'wq' in error path

    We are already freeing the wq struct in both spots, so don't put it and get it freed twice.

    Reported-by: syzbot+7bf785eedca35ca05501@syzkaller.appspotmail.com
    Fixes: 4fb6ac326204 ("io-wq: improve manager/worker handling over exec")
    Signed-off-by: Jens Axboe

 fs/io-wq.c | 2 --
 1 file changed, 2 deletions(-)

culprit signature: f4c3177f5cb2ae964d45eccd5db75e4b3a29ce3313616e1f24ffd2fc265579b7
parent signature: 4cf84cfd7c37015c884679231e3d6529436c7e6b148a82fb788780789668409c
Reproducer flagged being flaky
revisions tested: 12, total time: 3h19m23.900913828s (build: 1h25m40.840571702s, test: 1h52m21.146010048s)
first good commit: 470ec4ed8c91b4db398ad607c700e9ce88365202 io-wq: fix double put of 'wq' in error path
recipients (to): ["axboe@kernel.dk" "axboe@kernel.dk" "io-uring@vger.kernel.org"]
recipients (cc): ["asml.silence@gmail.com" "linux-kernel@vger.kernel.org"]