ci2 starts bisection 2024-10-20 21:45:36.883139182 +0000 UTC m=+178155.306512926
bisecting fixing commit since b95c01af211304429c11b8c8bdf791ab11f7f395
building syzkaller on e104824c06ba54122c1d17b5b26dd21c57e427b6
ensuring issue is reproducible on original commit b95c01af211304429c11b8c8bdf791ab11f7f395

testing commit b95c01af211304429c11b8c8bdf791ab11f7f395 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ed0a5f568a23b9f0bb0042c5c98632580c67e614d2c7b06b19bd9eb1539dd014
all runs: crashed: KASAN: use-after-free Read in try_to_wake_up
representative crash: KASAN: use-after-free Read in try_to_wake_up, types: [KASAN]
check whether we can drop unnecessary instrumentation
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit b95c01af211304429c11b8c8bdf791ab11f7f395 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: af1cbbf153a38c6b06f8ee6521a578642c7e1ad10851f05e1ad6ba7ef978c424
all runs: crashed: KASAN: use-after-free Read in try_to_wake_up
representative crash: KASAN: use-after-free Read in try_to_wake_up, types: [KASAN]
the bug reproduces without the instrumentation
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
kconfig minimization: base=3706 full=7262 leaves diff=1978
split chunks (needed=false): <1978>
split chunk #0 of len 1978 into 5 parts
testing without sub-chunk 1/5
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed
testing commit b95c01af211304429c11b8c8bdf791ab11f7f395 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e5005329cb86743c7c71dd58952e44412d5ae6aebd9d15ba072a730425c5b6f4
all runs: crashed: KASAN: use-after-free Read in try_to_wake_up
representative crash: KASAN: use-after-free Read in try_to_wake_up, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit b95c01af211304429c11b8c8bdf791ab11f7f395 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 5ad7ecf8b1c316fbe7e1e6189ada04f6eb3f32d35933d90e7a3c1bfb2af78b0c
all runs: crashed: KASAN: use-after-free Read in try_to_wake_up
representative crash: KASAN: use-after-free Read in try_to_wake_up, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed
testing commit b95c01af211304429c11b8c8bdf791ab11f7f395 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d2045c973816c0d06f541687e548a20daca291f31c84be195ca77c6de636dbe5
all runs: OK
false negative chance: 0.000
testing without sub-chunk 4/5
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed
testing commit b95c01af211304429c11b8c8bdf791ab11f7f395 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 86c3b286d74445eb82d04fe1aaf1a4f933510e7d1978effbb087cc417faaf9a9
all runs: crashed: KASAN: use-after-free Read in try_to_wake_up
representative crash: KASAN: use-after-free Read in try_to_wake_up, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit b95c01af211304429c11b8c8bdf791ab11f7f395 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 096bfb6171150e78ba25e871bd0d94bb0681742041d2089fd5678edd418b138d
all runs: crashed: KASAN: use-after-free Read in try_to_wake_up
representative crash: KASAN: use-after-free Read in try_to_wake_up, types: [KASAN]
the chunk can be dropped
minimized to 396 configs
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed

testing current HEAD 584a40a22cb9bf5a03135869f11c3106b6200453
testing commit 584a40a22cb9bf5a03135869f11c3106b6200453 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: bc232f1daec803bd854d986bfc0b7cc65bd846d34915b9eeab8daa4994325c78
all runs: OK
false negative chance: 0.000

# git bisect start 584a40a22cb9bf5a03135869f11c3106b6200453 b95c01af211304429c11b8c8bdf791ab11f7f395
Bisecting: 2010 revisions left to test after this (roughly 11 steps)
[2e0d73a2abb0f7b8b7a9ddea69b13efeaf16b98a] drm/lima: add mask irq callback to gp and pp
determine whether the revision contains the guilty commit
revision b95c01af211304429c11b8c8bdf791ab11f7f395 crashed and is reachable
testing commit 2e0d73a2abb0f7b8b7a9ddea69b13efeaf16b98a gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 27999045ae02c449c1b216bdf0089f45dfe922bffbc24414f60da4d527dc3543
all runs: OK
false negative chance: 0.000

# git bisect bad 2e0d73a2abb0f7b8b7a9ddea69b13efeaf16b98a
Bisecting: 1004 revisions left to test after this (roughly 10 steps)
[ff45899e732e57088985e3a497b1d9100571c0f5] net: dsa: fix panic when DSA master device unbinds on shutdown
determine whether the revision contains the guilty commit
revision b95c01af211304429c11b8c8bdf791ab11f7f395 crashed and is reachable
testing commit ff45899e732e57088985e3a497b1d9100571c0f5 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 96e16a0efa2a964429cc7ef33007184233fec5444598953fd19cbe4f8e4a894f
all runs: crashed: KASAN: use-after-free Read in try_to_wake_up
representative crash: KASAN: use-after-free Read in try_to_wake_up, types: [KASAN]

# git bisect good ff45899e732e57088985e3a497b1d9100571c0f5
Bisecting: 502 revisions left to test after this (roughly 9 steps)
[97f0f81eca30b40b1704ed7b6ec3f46fa33ec0c0] sched/fair: Add EAS checks before updating root_domain::overutilized
determine whether the revision contains the guilty commit
revision b95c01af211304429c11b8c8bdf791ab11f7f395 crashed and is reachable
testing commit 97f0f81eca30b40b1704ed7b6ec3f46fa33ec0c0 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e675631d4bc45e3934c0c9e38edc3fbf971d356ad9e40fe3bc55c4cd96cf21ef
all runs: OK
false negative chance: 0.000

# git bisect bad 97f0f81eca30b40b1704ed7b6ec3f46fa33ec0c0
Bisecting: 250 revisions left to test after this (roughly 8 steps)
[b65fb50e04a95eec34a9d1bc138454a98a5578d8] HID: i2c-hid: remove I2C_HID_READ_PENDING flag to prevent lock-up
determine whether the revision contains the guilty commit
revision b95c01af211304429c11b8c8bdf791ab11f7f395 crashed and is reachable
testing commit b65fb50e04a95eec34a9d1bc138454a98a5578d8 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 8e33e30fdfcdbcf10caa7a0873ada1f940110018c64b84cb8b5a353e4f1cdda1
all runs: crashed: KASAN: use-after-free Read in try_to_wake_up
representative crash: KASAN: use-after-free Read in try_to_wake_up, types: [KASAN]

# git bisect good b65fb50e04a95eec34a9d1bc138454a98a5578d8
Bisecting: 125 revisions left to test after this (roughly 7 steps)
[dd69c1c99a545e6670acc10b979967ba8e70529a] net: hns3: create new cmdq hardware description structure hclge_comm_hw
determine whether the revision contains the guilty commit
revision ff45899e732e57088985e3a497b1d9100571c0f5 crashed and is reachable
testing commit dd69c1c99a545e6670acc10b979967ba8e70529a gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 174773b64452ac98bddcd00bc1e753fa77c543c9e9c8ac4441577b71c7a5a505
run #0: crashed: KASAN: use-after-free Read in try_to_wake_up
run #1: crashed: KASAN: use-after-free Read in try_to_wake_up
run #2: crashed: KASAN: use-after-free Read in try_to_wake_up
run #3: crashed: KASAN: use-after-free Read in try_to_wake_up
run #4: crashed: KASAN: slab-out-of-bounds Read in try_to_wake_up
run #5: crashed: KASAN: use-after-free Read in try_to_wake_up
run #6: crashed: KASAN: use-after-free Read in try_to_wake_up
run #7: crashed: KASAN: slab-out-of-bounds Read in try_to_wake_up
run #8: crashed: KASAN: use-after-free Read in try_to_wake_up
run #9: crashed: KASAN: use-after-free Read in try_to_wake_up
representative crash: KASAN: use-after-free Read in try_to_wake_up, types: [KASAN]

# git bisect good dd69c1c99a545e6670acc10b979967ba8e70529a
Bisecting: 62 revisions left to test after this (roughly 6 steps)
[c9f2b6d88e650bdb0f285a0622eef796d3e04be6] KVM: x86: Clear "has_error_code", not "error_code", for RM exception injection
determine whether the revision contains the guilty commit
revision b95c01af211304429c11b8c8bdf791ab11f7f395 crashed and is reachable
testing commit c9f2b6d88e650bdb0f285a0622eef796d3e04be6 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e4f5daac53702dc6d410af3728981bfd0e6f82223abf720d988114db81630981
all runs: crashed: KASAN: use-after-free Read in try_to_wake_up
representative crash: KASAN: use-after-free Read in try_to_wake_up, types: [KASAN]

# git bisect good c9f2b6d88e650bdb0f285a0622eef796d3e04be6
Bisecting: 31 revisions left to test after this (roughly 5 steps)
[3218fd551406ffd0d1ec78e38e999cbb5594591c] drm/amd/display: Set color_mgmt_changed to true on unsuspend
determine whether the revision contains the guilty commit
revision ff45899e732e57088985e3a497b1d9100571c0f5 crashed and is reachable
testing commit 3218fd551406ffd0d1ec78e38e999cbb5594591c gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 8b5411b0806ac9c2691e43fe1fc46d6315c9d479caaaaba609001ac3a8b9afab
all runs: OK
false negative chance: 0.000

# git bisect bad 3218fd551406ffd0d1ec78e38e999cbb5594591c
Bisecting: 15 revisions left to test after this (roughly 4 steps)
[528a620c1397a6fa329e9d62ee0d49898e31b4f6] Revert "r8169: don't try to disable interrupts if NAPI is, scheduled already"
determine whether the revision contains the guilty commit
revision b65fb50e04a95eec34a9d1bc138454a98a5578d8 crashed and is reachable
testing commit 528a620c1397a6fa329e9d62ee0d49898e31b4f6 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 12bad0b88f5cce7bf4bf48f96fc76de640a6c9c67fa152429e5ceac6f8a494ff
all runs: crashed: KASAN: use-after-free Read in try_to_wake_up
representative crash: KASAN: use-after-free Read in try_to_wake_up, types: [KASAN]

# git bisect good 528a620c1397a6fa329e9d62ee0d49898e31b4f6
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[7ab0c256964ef5b52b0d9d1d65fb0febec48f62c] fs/ntfs3: Taking DOS names into account during link counting
determine whether the revision contains the guilty commit
revision ff45899e732e57088985e3a497b1d9100571c0f5 crashed and is reachable
testing commit 7ab0c256964ef5b52b0d9d1d65fb0febec48f62c gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 5a3ab927d0987df7c038d725e7ad913267b2c83365232b8d7d5662905412481b
all runs: OK
false negative chance: 0.000

# git bisect bad 7ab0c256964ef5b52b0d9d1d65fb0febec48f62c
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[e6062c494b9362b04c042924d3dc5468979c92ce] net: smc91x: Fix m68k kernel compilation for ColdFire CPU
determine whether the revision contains the guilty commit
revision ff45899e732e57088985e3a497b1d9100571c0f5 crashed and is reachable
testing commit e6062c494b9362b04c042924d3dc5468979c92ce gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 7deb4c8e2a4bb84cb833e3b53f4d099deefcfe9b7a1a84c38f925397d5745990
all runs: crashed: KASAN: use-after-free Read in try_to_wake_up
representative crash: KASAN: use-after-free Read in try_to_wake_up, types: [KASAN]

# git bisect good e6062c494b9362b04c042924d3dc5468979c92ce
Bisecting: 1 revision left to test after this (roughly 1 step)
[06afce714d87c7cd1dcfccbcd800c5c5d2cf1cfd] nilfs2: fix potential hang in nilfs_detach_log_writer()
determine whether the revision contains the guilty commit
revision 528a620c1397a6fa329e9d62ee0d49898e31b4f6 crashed and is reachable
testing commit 06afce714d87c7cd1dcfccbcd800c5c5d2cf1cfd gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 5a3ab927d0987df7c038d725e7ad913267b2c83365232b8d7d5662905412481b
all runs: OK
false negative chance: 0.000

# git bisect bad 06afce714d87c7cd1dcfccbcd800c5c5d2cf1cfd
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[257d6c90dc38eb063b81ab077166f91864e93107] nilfs2: fix unexpected freezing of nilfs_segctor_sync()
determine whether the revision contains the guilty commit
revision dd69c1c99a545e6670acc10b979967ba8e70529a crashed and is reachable
testing commit 257d6c90dc38eb063b81ab077166f91864e93107 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 02d82cd99869c7f8e1f24aa5151a33255cb3cb371cadae40e9784ecf528ac101
all runs: crashed: KASAN: use-after-free Read in try_to_wake_up
representative crash: KASAN: use-after-free Read in try_to_wake_up, types: [KASAN]

# git bisect good 257d6c90dc38eb063b81ab077166f91864e93107
06afce714d87c7cd1dcfccbcd800c5c5d2cf1cfd is the first bad commit
commit 06afce714d87c7cd1dcfccbcd800c5c5d2cf1cfd
Author: Ryusuke Konishi
Date: Mon May 20 22:26:21 2024 +0900

nilfs2: fix potential hang in nilfs_detach_log_writer()

commit eb85dace897c5986bc2f36b3c783c6abb8a4292e upstream.

Syzbot has reported a potential hang in nilfs_detach_log_writer() called during nilfs2 unmount.

Analysis revealed that this is because nilfs_segctor_sync(), which synchronizes with the log writer thread, can be called after nilfs_segctor_destroy() terminates that thread, as shown in the call trace below:

 nilfs_detach_log_writer
  nilfs_segctor_destroy
   nilfs_segctor_kill_thread --> Shut down log writer thread
   flush_work
    nilfs_iput_work_func
     nilfs_dispose_list
      iput
       nilfs_evict_inode
        nilfs_transaction_commit
         nilfs_construct_segment (if inode needs sync)
          nilfs_segctor_sync --> Attempt to synchronize with log writer thread
                      *** DEADLOCK ***

Fix this issue by changing nilfs_segctor_sync() so that the log writer thread returns normally without synchronizing after it terminates, and by forcing tasks that are already waiting to complete once after the thread terminates.

The skipped inode metadata flushout will then be processed together in the subsequent cleanup work in nilfs_segctor_destroy().

Link: https://lkml.kernel.org/r/20240520132621.4054-4-konishi.ryusuke@gmail.com
Signed-off-by: Ryusuke Konishi
Reported-by: syzbot+e3973c409251e136fdd0@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=e3973c409251e136fdd0
Tested-by: Ryusuke Konishi
Cc:
Cc: "Bai, Shuangpeng"
Signed-off-by: Andrew Morton
Signed-off-by: Greg Kroah-Hartman

fs/nilfs2/segment.c | 21 ++++++++++++++++++---
1 file changed, 18 insertions(+), 3 deletions(-)

accumulated error probability: 0.00
culprit signature: 5a3ab927d0987df7c038d725e7ad913267b2c83365232b8d7d5662905412481b
parent signature: 02d82cd99869c7f8e1f24aa5151a33255cb3cb371cadae40e9784ecf528ac101
revisions tested: 20, total time: 5h21m42.387839696s (build: 2h38m1.809733461s, test: 2h35m39.530959672s)
first good commit: 06afce714d87c7cd1dcfccbcd800c5c5d2cf1cfd nilfs2: fix potential hang in nilfs_detach_log_writer()
recipients (to): ["akpm@linux-foundation.org" "gregkh@linuxfoundation.org" "konishi.ryusuke@gmail.com"]
recipients (cc): []