bisecting cause commit starting from 3b0720ba00a7413997ad331838d22c81f252556a building syzkaller on b599f2fcc734e2183016a340d4f6fc2891d8e41f testing commit 3b0720ba00a7413997ad331838d22c81f252556a compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 030255eb01317a21010553242a2443c28ee3fdb2b640dad774e45d307dea89a7 all runs: crashed: WARNING: ODEBUG bug in qdisc_create testing release v5.13 testing commit 62fb9874f5da54fdb243003b386128037319b219 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 909f5b513362d755e99068620c19525cb2afd91ca8725228219fd46574a48866 run #0: crashed: WARNING: ODEBUG bug in qdisc_create run #1: crashed: WARNING: ODEBUG bug in qdisc_create run #2: crashed: WARNING: ODEBUG bug in qdisc_create run #3: crashed: WARNING: ODEBUG bug in qdisc_create run #4: crashed: WARNING: ODEBUG bug in qdisc_create run #5: crashed: WARNING: ODEBUG bug in qdisc_create run #6: crashed: WARNING: ODEBUG bug in qdisc_create run #7: crashed: WARNING: ODEBUG bug in qdisc_create run #8: crashed: WARNING: ODEBUG bug in qdisc_create run #9: crashed: KASAN: use-after-free Read in advance_sched testing release v5.12 testing commit 9f4ad9e425a1d3b6a34617b8ea226d56a119a717 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: bb4e26dd8f4a005b0fd76547575ef29621d4d502b5251ddaf0a5696974104629 run #0: crashed: WARNING: ODEBUG bug in qdisc_create run #1: crashed: WARNING: ODEBUG bug in corrupted run #2: crashed: WARNING: ODEBUG bug in qdisc_create run #3: crashed: WARNING: ODEBUG bug in qdisc_create run #4: crashed: WARNING: ODEBUG bug in corrupted run #5: crashed: WARNING: ODEBUG bug in qdisc_create run #6: crashed: WARNING: ODEBUG bug in qdisc_create run #7: crashed: WARNING: ODEBUG bug in qdisc_create run #8: crashed: WARNING: ODEBUG bug in qdisc_create run #9: crashed: WARNING: ODEBUG bug in qdisc_create testing release v5.11 testing commit f40ddce88593482919761f74910f42f4b84c004b compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 3222e6ed80513dd888ba5df1ed0bb0fed90b38311471a07f8ebfef14f678fd42 run #0: crashed: WARNING: ODEBUG bug in qdisc_create run #1: crashed: WARNING: ODEBUG bug in qdisc_create run #2: crashed: WARNING: ODEBUG bug in corrupted run #3: crashed: WARNING: ODEBUG bug in qdisc_create run #4: crashed: WARNING: ODEBUG bug in qdisc_create run #5: crashed: WARNING: ODEBUG bug in qdisc_create run #6: crashed: WARNING: ODEBUG bug in qdisc_create run #7: crashed: WARNING: ODEBUG bug in qdisc_create run #8: crashed: WARNING: ODEBUG bug in qdisc_create run #9: crashed: WARNING: ODEBUG bug in qdisc_create testing release v5.10 testing commit 2c85ebc57b3e1817b6ce1a6b703928e113a90442 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 35c88fb67e0626f0232c5254d6e9f188ff33bdc5ecf75a2e20b39b0354577e82 all runs: OK # git bisect start f40ddce88593482919761f74910f42f4b84c004b 2c85ebc57b3e1817b6ce1a6b703928e113a90442 Bisecting: 7761 revisions left to test after this (roughly 13 steps) [538fcf57aaee6ad78a05f52b69a99baa22b33418] Merge branches 'acpi-scan', 'acpi-pnp' and 'acpi-sleep' testing commit 538fcf57aaee6ad78a05f52b69a99baa22b33418 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 1ef6b345e5c596086feb8b12cc4c95c17a8b186b8865c838c98c3e922de4d325 all runs: OK # git bisect good 538fcf57aaee6ad78a05f52b69a99baa22b33418 Bisecting: 3868 revisions left to test after this (roughly 12 steps) [d64c6f96ba86bd8b97ed8d6762a8c8cc1770d214] Merge tag 'net-5.11-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net testing commit d64c6f96ba86bd8b97ed8d6762a8c8cc1770d214 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 3455be25f61fd64cb9dbb3d6ef3bd6988ec12585b238347e362ffb7c45f0720e all runs: crashed: WARNING: ODEBUG bug in qdisc_create # git bisect bad d64c6f96ba86bd8b97ed8d6762a8c8cc1770d214 Bisecting: 1915 revisions left to test after this (roughly 11 steps) [f68e4041ef63f03091e44b4eebf1ab5c5d427e6f] Merge tag 'pinctrl-v5.11-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl testing commit f68e4041ef63f03091e44b4eebf1ab5c5d427e6f compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 48c76e528dd45d3cdc3f3c8690b0d59b4fcc12e96564db0ad07a012de66333c8 all runs: OK # git bisect good f68e4041ef63f03091e44b4eebf1ab5c5d427e6f Bisecting: 1037 revisions left to test after this (roughly 10 steps) [9805529ec544ea7a82d891d5239a8ebd3dbb2a3e] Merge tag 'arm-soc-dt-5.11' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc testing commit 9805529ec544ea7a82d891d5239a8ebd3dbb2a3e compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 24bdfaa456199bd11340c24f2d861624a89ab030d3fa46c3cfa622bc696a0d55 all runs: OK # git bisect good 9805529ec544ea7a82d891d5239a8ebd3dbb2a3e Bisecting: 485 revisions left to test after this (roughly 9 steps) [74f602dc96dd854c7b2034947798c1e2a6b84066] Merge tag 'nfs-for-5.11-1' of git://git.linux-nfs.org/projects/trondmy/linux-nfs testing commit 74f602dc96dd854c7b2034947798c1e2a6b84066 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 5c2a65dff353c206478e4a101ac737a70e54ba621c0851bb4e8438b6d564e44d all runs: OK # git bisect good 74f602dc96dd854c7b2034947798c1e2a6b84066 Bisecting: 242 revisions left to test after this (roughly 8 steps) [a6a50d8495d098b6459166c3707ab251d3dc9e06] powerpc/32s: Remove CONFIG_PPC_BOOK3S_6xx testing commit a6a50d8495d098b6459166c3707ab251d3dc9e06 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 48c58718c1815f4e1d3e509f8b5a536cb7dcfc18b75f040580286ee213027965 all runs: OK # git bisect good a6a50d8495d098b6459166c3707ab251d3dc9e06 Bisecting: 108 revisions left to test after this (roughly 7 steps) [09c0796adf0c793462fda1d7c8c43324551405c7] Merge tag 'trace-v5.11' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace testing commit 09c0796adf0c793462fda1d7c8c43324551405c7 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 1c158518ee204debb7e822ce481f192862ea41d5115f072eba27ccf93fa2404d all runs: OK # git bisect good 09c0796adf0c793462fda1d7c8c43324551405c7 Bisecting: 54 revisions left to test after this (roughly 6 steps) [2198d4934ee8b81341a84c9ec8bb25b4b0d02522] powerpc/mm: Fix hugetlb_free_pmd_range() and hugetlb_free_pud_range() testing commit 2198d4934ee8b81341a84c9ec8bb25b4b0d02522 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 48c58718c1815f4e1d3e509f8b5a536cb7dcfc18b75f040580286ee213027965 all runs: OK # git bisect good 2198d4934ee8b81341a84c9ec8bb25b4b0d02522 Bisecting: 27 revisions left to test after this (roughly 5 steps) [0c14846032f2c0a3b63234e1fc2759f4155b6067] mptcp: fix security context on server socket testing commit 0c14846032f2c0a3b63234e1fc2759f4155b6067 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 5e0e9270eb34a5ca3aa3f6e96ee9915b93a1bc93c036003d82cbf7618fa7e0e4 all runs: OK # git bisect good 0c14846032f2c0a3b63234e1fc2759f4155b6067 Bisecting: 9 revisions left to test after this (roughly 4 steps) [0c6c887835b59c10602add88057c9c06f265effe] Merge tag 'for-linus' of git://github.com/openrisc/linux testing commit 0c6c887835b59c10602add88057c9c06f265effe compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 5e8b7518f91e8122d188a764200834abb9cbfc7ef447bfd0e556cbe3f3245c2c all runs: OK # git bisect good 0c6c887835b59c10602add88057c9c06f265effe Bisecting: 4 revisions left to test after this (roughly 2 steps) [0d52848632a357948028eab67ff9b7cc0c12a0fb] qlcnic: Fix error code in probe testing commit 0d52848632a357948028eab67ff9b7cc0c12a0fb compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: a645f92528fe0e355a023fb812afaff2daa55f9575bd00e363d42d5741dc2cca all runs: OK # git bisect good 0d52848632a357948028eab67ff9b7cc0c12a0fb Bisecting: 2 revisions left to test after this (roughly 1 step) [d8a4ea350f1fff71c9988ea3da3c913ec30bbfbe] octeontx2-af: Fix undetected unmap PF error check testing commit d8a4ea350f1fff71c9988ea3da3c913ec30bbfbe compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: a645f92528fe0e355a023fb812afaff2daa55f9575bd00e363d42d5741dc2cca all runs: OK # git bisect good d8a4ea350f1fff71c9988ea3da3c913ec30bbfbe Bisecting: 0 revisions left to test after this (roughly 1 step) [44d4775ca51805b376a8db5b34f650434a08e556] net/sched: sch_taprio: reset child qdiscs before freeing them testing commit 44d4775ca51805b376a8db5b34f650434a08e556 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 7592ce8a55a24635faee795ced8da1320c8d8a6976ec739126dfdfa89d6e1664 run #0: crashed: WARNING: ODEBUG bug in qdisc_create run #1: crashed: WARNING: ODEBUG bug in corrupted run #2: crashed: WARNING: ODEBUG bug in qdisc_create run #3: crashed: WARNING: ODEBUG bug in qdisc_create run #4: crashed: WARNING: ODEBUG bug in qdisc_create run #5: crashed: WARNING: ODEBUG bug in qdisc_create run #6: crashed: WARNING: ODEBUG bug in qdisc_create run #7: crashed: WARNING: ODEBUG bug in qdisc_create run #8: crashed: WARNING: ODEBUG bug in qdisc_create run #9: crashed: WARNING: ODEBUG bug in qdisc_create # git bisect bad 44d4775ca51805b376a8db5b34f650434a08e556 Bisecting: 0 revisions left to test after this (roughly 0 steps) [5b33afee93a1e7665a5ffae027fc66f9376f4ea7] nfp: move indirect block cleanup to flower app stop callback testing commit 5b33afee93a1e7665a5ffae027fc66f9376f4ea7 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: a645f92528fe0e355a023fb812afaff2daa55f9575bd00e363d42d5741dc2cca all runs: OK # git bisect good 5b33afee93a1e7665a5ffae027fc66f9376f4ea7 44d4775ca51805b376a8db5b34f650434a08e556 is the first bad commit commit 44d4775ca51805b376a8db5b34f650434a08e556 Author: Davide Caratti Date: Wed Dec 16 19:33:29 2020 +0100 net/sched: sch_taprio: reset child qdiscs before freeing them syzkaller shows that packets can still be dequeued while taprio_destroy() is running. Let sch_taprio use the reset() function to cancel the advance timer and drop all skbs from the child qdiscs. Fixes: 5a781ccbd19e ("tc: Add support for configuring the taprio scheduler") Link: https://syzkaller.appspot.com/bug?id=f362872379bf8f0017fb667c1ab158f2d1e764ae Reported-by: syzbot+8971da381fb5a31f542d@syzkaller.appspotmail.com Signed-off-by: Davide Caratti Acked-by: Vinicius Costa Gomes Link: https://lore.kernel.org/r/63b6d79b0e830ebb0283e020db4df3cdfdfb2b94.1608142843.git.dcaratti@redhat.com Signed-off-by: Jakub Kicinski net/sched/sch_taprio.c | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) culprit signature: 7592ce8a55a24635faee795ced8da1320c8d8a6976ec739126dfdfa89d6e1664 parent signature: a645f92528fe0e355a023fb812afaff2daa55f9575bd00e363d42d5741dc2cca revisions tested: 19, total time: 4h28m37.902093583s (build: 2h7m49.019974891s, test: 2h18m11.782200477s) first bad commit: 44d4775ca51805b376a8db5b34f650434a08e556 net/sched: sch_taprio: reset child qdiscs before freeing them recipients (to): ["dcaratti@redhat.com" "kuba@kernel.org" "vinicius.gomes@intel.com"] recipients (cc): [] crash: WARNING: ODEBUG bug in qdisc_create ------------[ cut here ]------------ ODEBUG: free active (active state 0) object type: hrtimer hint: advance_sched+0x0/0x9b0 net/sched/sch_taprio.c:593 WARNING: CPU: 0 PID: 10138 at lib/debugobjects.c:505 debug_print_object+0x194/0x2b0 lib/debugobjects.c:505 Modules linked in: CPU: 0 PID: 10138 Comm: syz-executor.0 Not tainted 5.10.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:debug_print_object+0x194/0x2b0 lib/debugobjects.c:505 Code: ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 e3 00 00 00 48 8b 14 dd c0 3a 84 8b 4c 89 ee 48 c7 c7 00 25 1f 89 e8 59 85 a9 04 <0f> 0b 83 05 5f 6f 96 09 01 48 83 c4 18 5b 5d 41 5c 41 5d 41 5e c3 RSP: 0018:ffffc9000a7b73a8 EFLAGS: 00010286 RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000 RDX: 0000000000000001 RSI: ffffffff8a5a9720 RDI: fffff520014f6e67 RBP: 0000000000000001 R08: 0000000000000001 R09: ffff8880b9c4c827 R10: ffffed1017389904 R11: 203a47554245444f R12: ffffffff88cd02a0 R13: ffffffff891f2a80 R14: ffffffff815cba90 R15: dffffc0000000000 FS: 00007f7d6fd03700(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f9801214000 CR3: 00000000276b7000 CR4: 00000000001506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: __debug_check_no_obj_freed lib/debugobjects.c:987 [inline] debug_check_no_obj_freed+0x309/0x430 lib/debugobjects.c:1018 slab_free_hook mm/slub.c:1536 [inline] slab_free_freelist_hook+0x107/0x150 mm/slub.c:1577 slab_free mm/slub.c:3140 [inline] kfree+0xdb/0x400 mm/slub.c:4122 qdisc_create+0xadb/0xf70 net/sched/sch_api.c:1298 tc_modify_qdisc+0x3cb/0x1670 net/sched/sch_api.c:1662 rtnetlink_rcv_msg+0x33e/0x870 net/core/rtnetlink.c:5564 netlink_rcv_skb+0x118/0x370 net/netlink/af_netlink.c:2494 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline] netlink_unicast+0x42e/0x700 net/netlink/af_netlink.c:1330 netlink_sendmsg+0x75f/0xc10 net/netlink/af_netlink.c:1919 sock_sendmsg_nosec net/socket.c:652 [inline] sock_sendmsg+0xab/0xf0 net/socket.c:672 ____sys_sendmsg+0x5cb/0x7b0 net/socket.c:2336