bisecting cause commit starting from 56b697c6c13b51887a0c66c8bcbd10cd537476fa
building syzkaller on e41a20c5170a991098742c4f0d04a420c2423bec
testing commit 56b697c6c13b51887a0c66c8bcbd10cd537476fa with gcc (GCC) 8.1.0
run #0: crashed: KASAN: slab-out-of-bounds Read in css_task_iter_advance
run #1: crashed: KASAN: slab-out-of-bounds Read in css_task_iter_advance
run #2: crashed: KASAN: use-after-free Read in css_task_iter_advance
run #3: crashed: KASAN: use-after-free Read in css_task_iter_advance
run #4: crashed: WARNING: refcount bug in css_task_iter_next
run #5: crashed: KASAN: use-after-free Read in css_task_iter_advance
run #6: crashed: KASAN: use-after-free Read in css_task_iter_advance
run #7: crashed: KASAN: slab-out-of-bounds Read in css_task_iter_advance
run #8: crashed: KASAN: slab-out-of-bounds Read in css_task_iter_advance
run #9: crashed: KASAN: slab-out-of-bounds Read in css_task_iter_advance
testing release v5.1
testing commit e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd with gcc (GCC) 8.1.0
all runs: OK
# git bisect start 56b697c6c13b51887a0c66c8bcbd10cd537476fa v5.1
Bisecting: 8920 revisions left to test after this (roughly 13 steps)
[45182e4e1f8ac04708ca7508c51d9103f07d81ab] Merge branch 'i2c/for-5.2' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux
testing commit 45182e4e1f8ac04708ca7508c51d9103f07d81ab with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 45182e4e1f8ac04708ca7508c51d9103f07d81ab
Bisecting: 4456 revisions left to test after this (roughly 12 steps)
[e49c8547fb940982a04c98377bf5468a3b4a3fd4] Merge tag 'usb-5.2-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb
testing commit e49c8547fb940982a04c98377bf5468a3b4a3fd4 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good e49c8547fb940982a04c98377bf5468a3b4a3fd4
Bisecting: 2216 revisions left to test after this (roughly 11 steps)
[7989b2967a909b4ace7507430a17654d1e018d75] Merge remote-tracking branch 'wireless-drivers-next/master'
testing commit 7989b2967a909b4ace7507430a17654d1e018d75 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 7989b2967a909b4ace7507430a17654d1e018d75
Bisecting: 1102 revisions left to test after this (roughly 10 steps)
[b8dd9404be367fb29549942df6863034b49f1bcd] Merge remote-tracking branch 'security/next-testing'
testing commit b8dd9404be367fb29549942df6863034b49f1bcd with gcc (GCC) 8.1.0
all runs: OK
# git bisect good b8dd9404be367fb29549942df6863034b49f1bcd
Bisecting: 549 revisions left to test after this (roughly 9 steps)
[3da73e220ec0d87072f58a0113f7b61eb5b548ee] Merge remote-tracking branch 'mux/for-next'
testing commit 3da73e220ec0d87072f58a0113f7b61eb5b548ee with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 3da73e220ec0d87072f58a0113f7b61eb5b548ee
Bisecting: 267 revisions left to test after this (roughly 8 steps)
[4f7c2aa4a053f9ab0a00162f3863009c29e65a10] Merge remote-tracking branch 'coresight/next'
testing commit 4f7c2aa4a053f9ab0a00162f3863009c29e65a10 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in css_task_iter_advance
run #1: crashed: KASAN: use-after-free Read in css_task_iter_advance
run #2: crashed: KASAN: slab-out-of-bounds Read in css_task_iter_advance
run #3: crashed: KASAN: use-after-free Read in css_task_iter_advance
run #4: crashed: KASAN: use-after-free Read in css_task_iter_advance
run #5: crashed: KASAN: use-after-free Read in css_task_iter_advance
run #6: crashed: KASAN: slab-out-of-bounds Read in css_task_iter_advance
run #7: crashed: WARNING: refcount bug in css_task_iter_next
run #8: crashed: KASAN: use-after-free Read in css_task_iter_advance
run #9: crashed: WARNING: refcount bug in css_task_iter_next
# git bisect bad 4f7c2aa4a053f9ab0a00162f3863009c29e65a10
Bisecting: 141 revisions left to test after this (roughly 7 steps)
[a28c202fc6f0adb9a8168035fe4277d388bbdd17] Merge remote-tracking branch 'rpmsg/for-next'
testing commit a28c202fc6f0adb9a8168035fe4277d388bbdd17 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in css_task_iter_advance
run #1: crashed: KASAN: slab-out-of-bounds Read in css_task_iter_advance
run #2: crashed: KASAN: use-after-free Read in css_task_iter_advance
run #3: crashed: KASAN: use-after-free Read in css_task_iter_advance
run #4: crashed: KASAN: use-after-free Read in css_task_iter_advance
run #5: crashed: KASAN: use-after-free Read in css_task_iter_advance
run #6: crashed: KASAN: use-after-free Read in css_task_iter_advance
run #7: crashed: KASAN: slab-out-of-bounds Read in css_task_iter_advance
run #8: crashed: KASAN: use-after-free Read in css_task_iter_advance
run #9: crashed: KASAN: use-after-free Read in css_task_iter_advance
# git bisect bad a28c202fc6f0adb9a8168035fe4277d388bbdd17
Bisecting: 69 revisions left to test after this (roughly 6 steps)
[313a13da8cefee043f99b5727cb3702ba8661705] scsi: lpfc: Fix hardlockup in scsi_cmd_iocb_cmpl
testing commit 313a13da8cefee043f99b5727cb3702ba8661705 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 313a13da8cefee043f99b5727cb3702ba8661705
Bisecting: 38 revisions left to test after this (roughly 5 steps)
[1c5176c3dd8cd3c9d15435acaac21efd94276812] Merge branch 'misc' into for-next
testing commit 1c5176c3dd8cd3c9d15435acaac21efd94276812 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 1c5176c3dd8cd3c9d15435acaac21efd94276812
Bisecting: 21 revisions left to test after this (roughly 4 steps)
[055f8dd3255d569e95e793276472425d802cbce3] Merge remote-tracking branch 'slave-dma/next'
testing commit 055f8dd3255d569e95e793276472425d802cbce3 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 055f8dd3255d569e95e793276472425d802cbce3
Bisecting: 13 revisions left to test after this (roughly 4 steps)
[08947749448f3bcf707f58a44eaa9bb3c40c42ec] Merge remote-tracking branch 'scsi/for-next'
testing commit 08947749448f3bcf707f58a44eaa9bb3c40c42ec with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in css_task_iter_advance
run #1: crashed: KASAN: use-after-free Read in css_task_iter_advance
run #2: crashed: KASAN: use-after-free Read in css_task_iter_advance
run #3: crashed: KASAN: use-after-free Read in css_task_iter_advance
run #4: crashed: KASAN: slab-out-of-bounds Read in css_task_iter_advance
run #5: crashed: KASAN: slab-out-of-bounds Read in css_task_iter_advance
run #6: crashed: KASAN: slab-out-of-bounds Read in css_task_iter_advance
run #7: crashed: KASAN: use-after-free Read in css_task_iter_advance
run #8: crashed: KASAN: slab-out-of-bounds Read in css_task_iter_advance
run #9: crashed: KASAN: use-after-free Read in css_task_iter_advance
# git bisect bad 08947749448f3bcf707f58a44eaa9bb3c40c42ec
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[b636fd38dc40113f853337a7d2a6885ad23b8811] cgroup: Implement css_task_iter_skip()
testing commit b636fd38dc40113f853337a7d2a6885ad23b8811 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: slab-out-of-bounds Read in css_task_iter_next
run #1: crashed: KASAN: slab-out-of-bounds Read in css_task_iter_next
run #2: crashed: KASAN: use-after-free Read in css_task_iter_next
run #3: crashed: KASAN: slab-out-of-bounds Read in css_task_iter_next
run #4: crashed: KASAN: use-after-free Read in css_task_iter_next
run #5: crashed: KASAN: use-after-free Read in css_task_iter_next
run #6: OK
run #7: OK
run #8: OK
run #9: boot failed: WARNING: workqueue cpumask: online intersect > possible intersect
# git bisect bad b636fd38dc40113f853337a7d2a6885ad23b8811
Bisecting: 1 revision left to test after this (roughly 1 step)
[8cfeb385e9ebda784dccd447fe0f784464ca6ee1] docs cgroups: add another example size for hugetlb
testing commit 8cfeb385e9ebda784dccd447fe0f784464ca6ee1 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 8cfeb385e9ebda784dccd447fe0f784464ca6ee1
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[6b115bf58e6f013ca75e7115aabcbd56c20ff31d] cgroup: Call cgroup_release() before __exit_signal()
testing commit 6b115bf58e6f013ca75e7115aabcbd56c20ff31d with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 6b115bf58e6f013ca75e7115aabcbd56c20ff31d
b636fd38dc40113f853337a7d2a6885ad23b8811 is the first bad commit
commit b636fd38dc40113f853337a7d2a6885ad23b8811
Author: Tejun Heo <tj@kernel.org>
Date:   Fri May 31 10:38:58 2019 -0700

    cgroup: Implement css_task_iter_skip()
    
    When a task is moved out of a cset, task iterators pointing to the
    task are advanced using the normal css_task_iter_advance() call.  This
    is fine but we'll be tracking dying tasks on csets and thus moving
    tasks from cset->tasks to (to be added) cset->dying_tasks.  When we
    remove a task from cset->tasks, if we advance the iterators, they may
    move over to the next cset before we had the chance to add the task
    back on the dying list, which can allow the task to escape iteration.
    
    This patch separates out skipping from advancing.  Skipping only moves
    the affected iterators to the next pointer rather than fully advancing
    it and the following advancing will recognize that the cursor has
    already been moved forward and do the rest of advancing.  This ensures
    that when a task moves from one list to another in its cset, as long
    as it moves in the right direction, it's always visible to iteration.
    
    This doesn't cause any visible behavior changes.
    
    Signed-off-by: Tejun Heo <tj@kernel.org>
    Cc: Oleg Nesterov <oleg@redhat.com>

:040000 040000 88454555988ff2266c608d9e5b6b8aeec67ac540 088c129b8cfa0e4f9079a1be18b0c75fad3e6a07 M	include
:040000 040000 f10a4fbe081c7e92f2cfd80c07af9e57ecc007db 365427069cc7df37ba70ba6335c2564f74a57d12 M	kernel
revisions tested: 16, total time: 4h27m22.129076069s (build: 1h28m51.050482278s, test: 2h53m31.819524524s)
first bad commit: b636fd38dc40113f853337a7d2a6885ad23b8811 cgroup: Implement css_task_iter_skip()
cc: ["cgroups@vger.kernel.org" "hannes@cmpxchg.org" "linux-kernel@vger.kernel.org" "lizefan@huawei.com" "oleg@redhat.com" "tj@kernel.org"]
crash: KASAN: use-after-free Read in css_task_iter_next
==================================================================
BUG: KASAN: use-after-free in atomic_read include/asm-generic/atomic-instrumented.h:26 [inline]
BUG: KASAN: use-after-free in refcount_inc_not_zero_checked+0x72/0x160 lib/refcount.c:123
Read of size 4 at addr ffff88809860a1c8 by task syz-executor.3/21644

CPU: 0 PID: 21644 Comm: syz-executor.3 Not tainted 5.2.0-rc2+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x113/0x167 lib/dump_stack.c:113
 print_address_description.cold.5+0x9/0x1ff mm/kasan/report.c:188
 __kasan_report.cold.6+0x1b/0x39 mm/kasan/report.c:317
 kasan_report+0x12/0x20 mm/kasan/common.c:614
 check_memory_region_inline mm/kasan/generic.c:185 [inline]
 check_memory_region+0x13e/0x1b0 mm/kasan/generic.c:191
 kasan_check_read+0x11/0x20 mm/kasan/common.c:94
 atomic_read include/asm-generic/atomic-instrumented.h:26 [inline]
 refcount_inc_not_zero_checked+0x72/0x160 lib/refcount.c:123
 refcount_inc_checked+0x9/0x30 lib/refcount.c:156
 css_task_iter_next+0xc5/0x140 kernel/cgroup/cgroup.c:4534
 pidlist_array_load+0x148/0x8d0 kernel/cgroup/cgroup-v1.c:373
 cgroup_pidlist_start+0x333/0x530 kernel/cgroup/cgroup-v1.c:442
 cgroup_seqfile_start+0xa7/0x100 kernel/cgroup/cgroup.c:3738
 kernfs_seq_start+0xcc/0x170 fs/kernfs/file.c:118
 seq_read+0x253/0x1000 fs/seq_file.c:224
 kernfs_fop_read+0xcc/0x4f0 fs/kernfs/file.c:252
 do_loop_readv_writev fs/read_write.c:714 [inline]
 do_iter_read+0x366/0x560 fs/read_write.c:935
 vfs_readv+0xc9/0x130 fs/read_write.c:997
 do_preadv+0x158/0x230 fs/read_write.c:1089
 __do_sys_preadv fs/read_write.c:1139 [inline]
 __se_sys_preadv fs/read_write.c:1134 [inline]
 __x64_sys_preadv+0x95/0xf0 fs/read_write.c:1134
 do_syscall_64+0xd0/0x530 arch/x86/entry/common.c:301
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x459279
Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f60b0f29c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000127
RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 0000000000459279
RDX: 0000000000000001 RSI: 0000000020000100 RDI: 0000000000000005
RBP: 000000000075c060 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f60b0f2a6d4
R13: 00000000004c614c R14: 00000000004da9a8 R15: 00000000ffffffff

Allocated by task 21314:
 save_stack+0x21/0x90 mm/kasan/common.c:71
 set_track mm/kasan/common.c:79 [inline]
 __kasan_kmalloc.constprop.8+0xc7/0xd0 mm/kasan/common.c:489
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:503
 kmem_cache_alloc_trace+0x154/0x740 mm/slab.c:3555
 kmalloc include/linux/slab.h:547 [inline]
 kzalloc include/linux/slab.h:742 [inline]
 find_css_set+0x5c5/0x1b00 kernel/cgroup/cgroup.c:1202
 cgroup_migrate_prepare_dst+0xf2/0x6e0 kernel/cgroup/cgroup.c:2648
 cgroup_attach_task+0x2df/0x630 kernel/cgroup/cgroup.c:2758
 cgroup_attach_task_all+0xaf/0x120 kernel/cgroup/cgroup-v1.c:76
 vhost_attach_cgroups_work+0x39/0x90 drivers/vhost/vhost.c:472
 vhost_worker+0x251/0x4a0 drivers/vhost/vhost.c:362
 kthread+0x324/0x3e0 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Freed by task 16:
 save_stack+0x21/0x90 mm/kasan/common.c:71
 set_track mm/kasan/common.c:79 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:451
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:459
 __cache_free mm/slab.c:3432 [inline]
 kfree+0xcf/0x220 mm/slab.c:3755
 __rcu_reclaim kernel/rcu/rcu.h:215 [inline]
 rcu_do_batch kernel/rcu/tree.c:2092 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:2310 [inline]
 rcu_core+0xc8e/0x1430 kernel/rcu/tree.c:2291
 __do_softirq+0x260/0x958 kernel/softirq.c:293

The buggy address belongs to the object at ffff88809860a000
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 456 bytes inside of
 1024-byte region [ffff88809860a000, ffff88809860a400)
The buggy address belongs to the page:
page:ffffea0002618280 refcount:1 mapcount:0 mapping:ffff8880aa400ac0 index:0xffff88809860ad80 compound_mapcount: 0
flags: 0x1fffc0000010200(slab|head)
raw: 01fffc0000010200 ffffea000247d908 ffffea0002352c88 ffff8880aa400ac0
raw: ffff88809860ad80 ffff88809860a000 0000000100000004 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88809860a080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88809860a100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88809860a180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                              ^
 ffff88809860a200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88809860a280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================