bisecting cause commit starting from ca04b3cca11acbaf904f707f2d9ca9654d7cc226 building syzkaller on f25e57704183544b0d540ef0035acfa6fb9071d7 testing commit ca04b3cca11acbaf904f707f2d9ca9654d7cc226 with gcc (GCC) 8.1.0 all runs: crashed: KASAN: use-after-free Read in __queue_work testing release v4.17 testing commit 29dcea88779c856c7dc92040a0c01233263101d4 with gcc (GCC) 8.1.0 run #0: crashed: KASAN: use-after-free Read in __queue_work run #1: crashed: KASAN: use-after-free Read in __queue_work run #2: crashed: KASAN: use-after-free Read in __queue_work run #3: crashed: KASAN: use-after-free Read in __queue_work run #4: crashed: KASAN: use-after-free Read in p9_read_work run #5: crashed: KASAN: use-after-free Read in __queue_work run #6: crashed: WARNING: ODEBUG bug in p9_fd_close run #7: crashed: KASAN: use-after-free Read in __queue_work run #8: crashed: KASAN: use-after-free Read in __queue_work run #9: crashed: KASAN: use-after-free Read in __queue_work testing release v4.16 testing commit 0adb32858b0bddf4ada5f364a84ed60b196dbcda with gcc (GCC) 8.1.0 run #0: crashed: KASAN: use-after-free Read in __queue_work run #1: crashed: KASAN: use-after-free Read in __queue_work run #2: crashed: WARNING: ODEBUG bug in p9_fd_close run #3: crashed: KASAN: use-after-free Read in p9_read_work run #4: crashed: KASAN: use-after-free Read in __queue_work run #5: crashed: KASAN: use-after-free Read in __queue_work run #6: crashed: WARNING: ODEBUG bug in p9_fd_close run #7: crashed: WARNING: ODEBUG bug in p9_fd_close run #8: crashed: KASAN: use-after-free Read in __queue_work run #9: crashed: KASAN: use-after-free Read in __queue_work testing release v4.15 testing commit d8a5b80568a9cb66810e75b182018e9edb68e8ff with gcc (GCC) 8.1.0 all runs: OK # git bisect start 0adb32858b0bddf4ada5f364a84ed60b196dbcda d8a5b80568a9cb66810e75b182018e9edb68e8ff Bisecting: 7566 revisions left to test after this (roughly 13 steps) [c14376de3a1befa70d9811ca2872d47367b48767] printk: Wake klogd when passing console_lock owner testing commit c14376de3a1befa70d9811ca2872d47367b48767 with gcc (GCC) 8.1.0 run #0: crashed: KASAN: use-after-free Read in __queue_work run #1: crashed: KASAN: use-after-free Read in __queue_work run #2: crashed: KASAN: use-after-free Read in __queue_work run #3: crashed: WARNING: ODEBUG bug in p9_fd_close run #4: crashed: KASAN: use-after-free Read in __queue_work run #5: crashed: KASAN: use-after-free Read in __queue_work run #6: crashed: KASAN: use-after-free Read in __queue_work run #7: crashed: KASAN: use-after-free Read in __queue_work run #8: crashed: KASAN: use-after-free Read in __queue_work run #9: crashed: WARNING: ODEBUG bug in p9_fd_close # git bisect bad c14376de3a1befa70d9811ca2872d47367b48767 Bisecting: 3620 revisions left to test after this (roughly 12 steps) [a103950e0dd2058df5e8a8d4a915707bdcf205f0] Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 testing commit a103950e0dd2058df5e8a8d4a915707bdcf205f0 with gcc (GCC) 8.1.0 run #0: crashed: WARNING: ODEBUG bug in p9_fd_close run #1: crashed: KASAN: use-after-free Read in __queue_work run #2: crashed: KASAN: use-after-free Read in __queue_work run #3: crashed: KASAN: use-after-free Read in __queue_work run #4: crashed: KASAN: use-after-free Read in __queue_work run #5: crashed: KASAN: use-after-free Read in __queue_work run #6: crashed: KASAN: use-after-free Read in __queue_work run #7: crashed: WARNING: ODEBUG bug in __queue_work run #8: crashed: KASAN: use-after-free Read in __queue_work run #9: crashed: KASAN: use-after-free Read in __queue_work # git bisect bad a103950e0dd2058df5e8a8d4a915707bdcf205f0 Bisecting: 1793 revisions left to test after this (roughly 11 steps) [d8b91dde38f4c43bd0bbbf17a90f735b16aaff2c] Merge branch 'perf-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip testing commit d8b91dde38f4c43bd0bbbf17a90f735b16aaff2c with gcc (GCC) 8.1.0 all runs: OK # git bisect good d8b91dde38f4c43bd0bbbf17a90f735b16aaff2c Bisecting: 813 revisions left to test after this (roughly 10 steps) [28bc6fb9596fe1e577d09fc17ee6e1bb051c6ba3] Merge tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi testing commit 28bc6fb9596fe1e577d09fc17ee6e1bb051c6ba3 with gcc (GCC) 8.1.0 run #0: crashed: KASAN: use-after-free Read in __queue_work run #1: crashed: KASAN: use-after-free Read in __queue_work run #2: crashed: KASAN: use-after-free Read in __queue_work run #3: crashed: KASAN: use-after-free Read in __queue_work run #4: crashed: KASAN: use-after-free Read in __queue_work run #5: crashed: KASAN: use-after-free Read in work_debug_hint run #6: crashed: KASAN: use-after-free Read in __queue_work run #7: crashed: WARNING: ODEBUG bug in __queue_work run #8: crashed: WARNING: ODEBUG bug in p9_fd_close run #9: crashed: KASAN: use-after-free Read in __queue_work # git bisect bad 28bc6fb9596fe1e577d09fc17ee6e1bb051c6ba3 Bisecting: 489 revisions left to test after this (roughly 9 steps) [19e7b5f99474107e8d0b4b3e4652fa19ddb87efc] Merge branch 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs testing commit 19e7b5f99474107e8d0b4b3e4652fa19ddb87efc with gcc (GCC) 8.1.0 run #0: crashed: KASAN: use-after-free Read in __queue_work run #1: crashed: KASAN: use-after-free Read in __queue_work run #2: crashed: KASAN: use-after-free Read in __queue_work run #3: crashed: KASAN: use-after-free Read in __queue_work run #4: crashed: KASAN: use-after-free Read in __queue_work run #5: crashed: KASAN: use-after-free Read in __queue_work run #6: crashed: WARNING: ODEBUG bug in __queue_work run #7: crashed: WARNING: ODEBUG bug in p9_fd_close run #8: crashed: WARNING: ODEBUG bug in __queue_work run #9: crashed: WARNING: ODEBUG bug in __queue_work # git bisect bad 19e7b5f99474107e8d0b4b3e4652fa19ddb87efc Bisecting: 227 revisions left to test after this (roughly 8 steps) [168fe32a072a4b8dc81a3aebf0e5e588d38e2955] Merge branch 'misc.poll' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs testing commit 168fe32a072a4b8dc81a3aebf0e5e588d38e2955 with gcc (GCC) 8.1.0 run #0: crashed: KASAN: use-after-free Read in __queue_work run #1: crashed: KASAN: use-after-free Read in __queue_work run #2: crashed: KASAN: use-after-free Read in __queue_work run #3: crashed: WARNING: ODEBUG bug in p9_fd_close run #4: crashed: KASAN: use-after-free Read in __queue_work run #5: crashed: WARNING: ODEBUG bug in p9_fd_close run #6: crashed: KASAN: use-after-free Read in __queue_work run #7: crashed: KASAN: use-after-free Read in __queue_work run #8: crashed: KASAN: use-after-free Read in __queue_work run #9: crashed: WARNING: ODEBUG bug in p9_fd_close # git bisect bad 168fe32a072a4b8dc81a3aebf0e5e588d38e2955 Bisecting: 117 revisions left to test after this (roughly 7 steps) [0aebc6a440b942df6221a7765f077f02217e0114] Merge tag 'arm64-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux testing commit 0aebc6a440b942df6221a7765f077f02217e0114 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 0aebc6a440b942df6221a7765f077f02217e0114 Bisecting: 64 revisions left to test after this (roughly 6 steps) [f8cc87b6c1e333ce7adc9fb2cb698d93b16eabe3] Merge branch 'for-4.16' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq testing commit f8cc87b6c1e333ce7adc9fb2cb698d93b16eabe3 with gcc (GCC) 8.1.0 all runs: OK # git bisect good f8cc87b6c1e333ce7adc9fb2cb698d93b16eabe3 Bisecting: 32 revisions left to test after this (roughly 5 steps) [7594bf37ae9ffc434da425120c576909eb33b0bc] 9p: untangle ->poll() mess testing commit 7594bf37ae9ffc434da425120c576909eb33b0bc with gcc (GCC) 8.1.0 run #0: crashed: KASAN: use-after-free Read in __queue_work run #1: crashed: KASAN: use-after-free Read in __queue_work run #2: crashed: KASAN: use-after-free Read in __queue_work run #3: crashed: KASAN: use-after-free Read in __queue_work run #4: crashed: KASAN: use-after-free Read in __queue_work run #5: crashed: KASAN: use-after-free Read in __queue_work run #6: crashed: KASAN: use-after-free Read in __queue_work run #7: crashed: WARNING: ODEBUG bug in p9_fd_close run #8: crashed: WARNING: ODEBUG bug in p9_fd_close run #9: crashed: KASAN: use-after-free Read in __queue_work # git bisect bad 7594bf37ae9ffc434da425120c576909eb33b0bc Bisecting: 15 revisions left to test after this (roughly 4 steps) [8153a5ead0898ba5a932282e571dfccd61940bba] ppc: annotate ->poll() instances testing commit 8153a5ead0898ba5a932282e571dfccd61940bba with gcc (GCC) 8.1.0 all runs: OK # git bisect good 8153a5ead0898ba5a932282e571dfccd61940bba Bisecting: 7 revisions left to test after this (roughly 3 steps) [e6c5a7d997db73aaab2fb8337710f109e5d931b1] apparmor: annotate ->poll() instances testing commit e6c5a7d997db73aaab2fb8337710f109e5d931b1 with gcc (GCC) 8.1.0 all runs: OK # git bisect good e6c5a7d997db73aaab2fb8337710f109e5d931b1 Bisecting: 3 revisions left to test after this (roughly 2 steps) [c23e0cb81e4021b9712b1093d54713991fd9b7c2] media: annotate ->poll() instances testing commit c23e0cb81e4021b9712b1093d54713991fd9b7c2 with gcc (GCC) 8.1.0 all runs: OK # git bisect good c23e0cb81e4021b9712b1093d54713991fd9b7c2 Bisecting: 1 revision left to test after this (roughly 1 step) [ecf927000ce3265e9871c79d43c10ceed8bd61c9] ring_buffer_poll_wait() return value used as return value of ->poll() testing commit ecf927000ce3265e9871c79d43c10ceed8bd61c9 with gcc (GCC) 8.1.0 all runs: OK # git bisect good ecf927000ce3265e9871c79d43c10ceed8bd61c9 Bisecting: 0 revisions left to test after this (roughly 0 steps) [5dc533c66b131726a1a747eb3c92b20a9ede9219] ->si_band gets POLL... bitmap stored into a user-visible long field testing commit 5dc533c66b131726a1a747eb3c92b20a9ede9219 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 5dc533c66b131726a1a747eb3c92b20a9ede9219 7594bf37ae9ffc434da425120c576909eb33b0bc is the first bad commit commit 7594bf37ae9ffc434da425120c576909eb33b0bc Author: Al Viro Date: Sun Jul 16 22:53:08 2017 -0400 9p: untangle ->poll() mess First of all, NULL ->poll() means "always POLLIN, always POLLOUT", not an error. Furthermore, mixing -EREMOTEIO with POLL... masks and expecting it to do anything good is insane - both are arch-dependent, to start with. Pass a pointer to store the error value separately and make it return POLLERR in such case. And ->poll() calling conventions do *not* include "return -Esomething". Never had. Signed-off-by: Al Viro :040000 040000 1f38c5faf8cf9f5938d82f8e33d3a4ff1954b31a a98bd73b791a9505430a9704e0e199b660a5d7e8 M net revisions tested: 18, total time: 3h54m2.434323982s (build: 1h25m46.727320526s, test: 2h23m31.314950664s) first bad commit: 7594bf37ae9ffc434da425120c576909eb33b0bc 9p: untangle ->poll() mess cc: ["davem@davemloft.net" "ericvh@gmail.com" "linux-kernel@vger.kernel.org" "lucho@ionkov.net" "netdev@vger.kernel.org" "rminnich@sandia.gov" "v9fs-developer@lists.sourceforge.net" "viro@zeniv.linux.org.uk"] crash: KASAN: use-after-free Read in __queue_work ================================================================== BUG: KASAN: use-after-free in constant_test_bit arch/x86/include/asm/bitops.h:325 [inline] BUG: KASAN: use-after-free in work_is_static_object+0x31/0x40 kernel/workqueue.c:443 Read of size 8 at addr ffff8801c96dd8e0 by task kworker/0:0/3 CPU: 0 PID: 3 Comm: kworker/0:0 Not tainted 4.15.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: events p9_poll_workfn Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x145/0x1e7 lib/dump_stack.c:53 print_address_description+0x6c/0x20b mm/kasan/report.c:252 kasan_report_error mm/kasan/report.c:351 [inline] kasan_report.cold.7+0x11a/0x2d3 mm/kasan/report.c:409 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430 constant_test_bit arch/x86/include/asm/bitops.h:325 [inline] work_is_static_object+0x31/0x40 kernel/workqueue.c:443 debug_object_activate+0x2bd/0x5c0 lib/debugobjects.c:470 debug_work_activate kernel/workqueue.c:492 [inline] __queue_work+0x18b/0x11d0 kernel/workqueue.c:1381 queue_work_on+0x146/0x180 kernel/workqueue.c:1487 queue_work include/linux/workqueue.h:488 [inline] schedule_work include/linux/workqueue.h:546 [inline] p9_poll_mux net/9p/trans_fd.c:638 [inline] p9_poll_workfn+0x493/0x740 net/9p/trans_fd.c:1118 process_one_work+0x9c9/0x1a40 kernel/workqueue.c:2112 worker_thread+0x215/0x1a30 kernel/workqueue.c:2246 kthread+0x355/0x410 kernel/kthread.c:238 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:441 Allocated by task 10435: save_stack+0x43/0xd0 mm/kasan/kasan.c:447 set_track mm/kasan/kasan.c:459 [inline] kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:551 kmem_cache_alloc_trace+0x152/0x780 mm/slab.c:3613 kmalloc include/linux/slab.h:499 [inline] kzalloc include/linux/slab.h:688 [inline] p9_fd_open net/9p/trans_fd.c:806 [inline] p9_fd_create+0x165/0x380 net/9p/trans_fd.c:1047 p9_client_create+0x78e/0x1343 net/9p/client.c:1060 v9fs_session_init+0x1ee/0x1820 fs/9p/v9fs.c:401 v9fs_mount+0x73/0x7a0 fs/9p/vfs_super.c:135 mount_fs+0x7f/0x2a9 fs/super.c:1219 vfs_kern_mount.part.34+0xbf/0x5c0 fs/namespace.c:1037 vfs_kern_mount fs/namespace.c:1027 [inline] do_new_mount fs/namespace.c:2512 [inline] do_mount+0x38b/0x2f30 fs/namespace.c:2841 SYSC_mount fs/namespace.c:3057 [inline] SyS_mount+0xb8/0xd0 fs/namespace.c:3034 entry_SYSCALL_64_fastpath+0x23/0x9a Freed by task 10435: save_stack+0x43/0xd0 mm/kasan/kasan.c:447 set_track mm/kasan/kasan.c:459 [inline] kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524 __cache_free mm/slab.c:3491 [inline] kfree+0xd6/0x250 mm/slab.c:3806 p9_fd_close+0x3ac/0x5b0 net/9p/trans_fd.c:904 p9_client_create+0x8e2/0x1343 net/9p/client.c:1074 v9fs_session_init+0x1ee/0x1820 fs/9p/v9fs.c:401 v9fs_mount+0x73/0x7a0 fs/9p/vfs_super.c:135 mount_fs+0x7f/0x2a9 fs/super.c:1219 vfs_kern_mount.part.34+0xbf/0x5c0 fs/namespace.c:1037 vfs_kern_mount fs/namespace.c:1027 [inline] do_new_mount fs/namespace.c:2512 [inline] do_mount+0x38b/0x2f30 fs/namespace.c:2841 SYSC_mount fs/namespace.c:3057 [inline] SyS_mount+0xb8/0xd0 fs/namespace.c:3034 entry_SYSCALL_64_fastpath+0x23/0x9a The buggy address belongs to the object at ffff8801c96dd7c0 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 288 bytes inside of 512-byte region [ffff8801c96dd7c0, ffff8801c96dd9c0) The buggy address belongs to the page: page:ffffea000725b740 count:1 mapcount:0 mapping:ffff8801c96dd040 index:0x0 flags: 0x2fffc0000000100(slab) raw: 02fffc0000000100 ffff8801c96dd040 0000000000000000 0000000100000006 raw: ffffea000705ffe0 ffffea000731d960 ffff8801da800940 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8801c96dd780: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb ffff8801c96dd800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8801c96dd880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801c96dd900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801c96dd980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ==================================================================