bisecting cause commit starting from f5d582777bcb1c7ff19a5a2343f66ea01de401c6 building syzkaller on 7795ae03c0d2358a40130693e40e0fcab5232ed2 testing commit f5d582777bcb1c7ff19a5a2343f66ea01de401c6 with gcc (GCC) 8.1.0 run #0: basic kernel testing failed: timed out run #1: basic kernel testing failed: timed out run #2: basic kernel testing failed: timed out run #3: crashed: kernel panic: corrupted stack end in wb_workfn run #4: crashed: kernel panic: corrupted stack end in wb_workfn run #5: crashed: kernel panic: corrupted stack end in wb_workfn run #6: crashed: kernel panic: corrupted stack end in wb_workfn run #7: crashed: general protection fault in freeary run #8: OK run #9: crashed: kernel panic: corrupted stack end in wb_workfn testing release v4.19 testing commit 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d with gcc (GCC) 8.1.0 run #0: basic kernel testing failed: timed out run #1: basic kernel testing failed: timed out run #2: basic kernel testing failed: timed out run #3: basic kernel testing failed: timed out run #4: basic kernel testing failed: timed out run #5: OK run #6: crashed: kernel panic: corrupted stack end in wb_workfn run #7: OK run #8: OK run #9: OK testing release v4.18 testing commit 94710cac0ef4ee177a63b5227664b38c95bbf703 with gcc (GCC) 8.1.0 run #0: basic kernel testing failed: timed out run #1: basic kernel testing failed: timed out run #2: basic kernel testing failed: timed out run #3: basic kernel testing failed: timed out run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect start v4.19 v4.18 Bisecting: 7596 revisions left to test after this (roughly 13 steps) [db06f826ec12bf0701ea7fc0a3c0aa00b84417c8] Merge tag 'clk-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux testing commit db06f826ec12bf0701ea7fc0a3c0aa00b84417c8 with gcc (GCC) 8.1.0 run #0: basic kernel testing failed: timed out run #1: basic kernel testing failed: timed out run #2: basic kernel testing failed: timed out run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect good db06f826ec12bf0701ea7fc0a3c0aa00b84417c8 Bisecting: 3768 revisions left to test after this (roughly 12 steps) [cd9b44f90763c3367e8dd0601849ffb028e8ba52] Merge branch 'akpm' (patches from Andrew) testing commit cd9b44f90763c3367e8dd0601849ffb028e8ba52 with gcc (GCC) 8.1.0 run #0: basic kernel testing failed: timed out run #1: basic kernel testing failed: timed out run #2: basic kernel testing failed: timed out run #3: basic kernel testing failed: timed out run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect good cd9b44f90763c3367e8dd0601849ffb028e8ba52 Bisecting: 1886 revisions left to test after this (roughly 11 steps) [4290d5b9ca018be10c7582524f7500df731bfab0] Merge tag 'for-linus-4.19b-rc2-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip testing commit 4290d5b9ca018be10c7582524f7500df731bfab0 with gcc (GCC) 8.1.0 run #0: basic kernel testing failed: timed out run #1: basic kernel testing failed: timed out run #2: basic kernel testing failed: timed out run #3: basic kernel testing failed: timed out run #4: basic kernel testing failed: timed out run #5: basic kernel testing failed: timed out run #6: OK run #7: OK run #8: OK run #9: OK # git bisect good 4290d5b9ca018be10c7582524f7500df731bfab0 Bisecting: 942 revisions left to test after this (roughly 10 steps) [576156bb01a62c1f64b32b416593862bb34bddaa] Merge branch 'for-upstream/malidp-fixes' of git://linux-arm.org/linux-ld into drm-fixes testing commit 576156bb01a62c1f64b32b416593862bb34bddaa with gcc (GCC) 8.1.0 run #0: basic kernel testing failed: timed out run #1: basic kernel testing failed: timed out run #2: basic kernel testing failed: timed out run #3: basic kernel testing failed: timed out run #4: basic kernel testing failed: timed out run #5: OK run #6: crashed: kernel panic: corrupted stack end in wb_workfn run #7: crashed: kernel panic: corrupted stack end in wb_workfn run #8: OK run #9: OK # git bisect bad 576156bb01a62c1f64b32b416593862bb34bddaa Bisecting: 482 revisions left to test after this (roughly 9 steps) [67b076095dd7a13ff24e9b5f830fcb1291ae0678] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net testing commit 67b076095dd7a13ff24e9b5f830fcb1291ae0678 with gcc (GCC) 8.1.0 run #0: basic kernel testing failed: timed out run #1: basic kernel testing failed: timed out run #2: crashed: kernel panic: corrupted stack end in wb_workfn run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 67b076095dd7a13ff24e9b5f830fcb1291ae0678 Bisecting: 230 revisions left to test after this (roughly 8 steps) [4851bfd64d42d9fb6d2d30a41c8523614b412a7a] Merge branch 'nfp-flower-fixes' testing commit 4851bfd64d42d9fb6d2d30a41c8523614b412a7a with gcc (GCC) 8.1.0 run #0: basic kernel testing failed: timed out run #1: basic kernel testing failed: timed out run #2: basic kernel testing failed: timed out run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect good 4851bfd64d42d9fb6d2d30a41c8523614b412a7a Bisecting: 116 revisions left to test after this (roughly 7 steps) [a12ed06ba2d3fa60e08e7449fe0c1715de401395] Merge tag 'ceph-for-4.19-rc3' of https://github.com/ceph/ceph-client testing commit a12ed06ba2d3fa60e08e7449fe0c1715de401395 with gcc (GCC) 8.1.0 run #0: OK run #1: OK run #2: crashed: kernel panic: corrupted stack end in wb_workfn run #3: crashed: kernel panic: corrupted stack end in wb_workfn run #4: OK run #5: crashed: kernel panic: corrupted stack end in wb_workfn run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad a12ed06ba2d3fa60e08e7449fe0c1715de401395 Bisecting: 57 revisions left to test after this (roughly 6 steps) [b36fdc6853a38a6f8749897a33435635019e0647] Merge tag 'gpio-v4.19-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio testing commit b36fdc6853a38a6f8749897a33435635019e0647 with gcc (GCC) 8.1.0 all runs: OK # git bisect good b36fdc6853a38a6f8749897a33435635019e0647 Bisecting: 29 revisions left to test after this (roughly 5 steps) [2601dd392dd1cabd11935448c0afe3293feb27a3] Merge tag 'mips_fixes_4.19_1' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux testing commit 2601dd392dd1cabd11935448c0afe3293feb27a3 with gcc (GCC) 8.1.0 run #0: OK run #1: OK run #2: OK run #3: OK run #4: crashed: kernel panic: corrupted stack end in wb_workfn run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 2601dd392dd1cabd11935448c0afe3293feb27a3 Bisecting: 14 revisions left to test after this (roughly 4 steps) [db44bf4b4768a0664d3c9d9000ecb747de31ded8] Merge tag 'apparmor-pr-2018-09-06' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor testing commit db44bf4b4768a0664d3c9d9000ecb747de31ded8 with gcc (GCC) 8.1.0 run #0: OK run #1: OK run #2: crashed: kernel panic: corrupted stack end in wb_workfn run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad db44bf4b4768a0664d3c9d9000ecb747de31ded8 Bisecting: 6 revisions left to test after this (roughly 3 steps) [b9b8a41adeff5666b402996020b698504c927353] btrfs: use after free in btrfs_quota_enable testing commit b9b8a41adeff5666b402996020b698504c927353 with gcc (GCC) 8.1.0 run #0: crashed: kernel panic: corrupted stack end in wb_workfn run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad b9b8a41adeff5666b402996020b698504c927353 Bisecting: 2 revisions left to test after this (roughly 2 steps) [de02b9f6bb65a6a1848f346f7a3617b7a9b930c0] Btrfs: fix data corruption when deduplicating between different files testing commit de02b9f6bb65a6a1848f346f7a3617b7a9b930c0 with gcc (GCC) 8.1.0 all runs: OK # git bisect good de02b9f6bb65a6a1848f346f7a3617b7a9b930c0 Bisecting: 0 revisions left to test after this (roughly 1 step) [801660b040d132f67fac6a95910ad307c5929b49] btrfs: btrfs_shrink_device should call commit transaction at the end testing commit 801660b040d132f67fac6a95910ad307c5929b49 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 801660b040d132f67fac6a95910ad307c5929b49 b9b8a41adeff5666b402996020b698504c927353 is the first bad commit commit b9b8a41adeff5666b402996020b698504c927353 Author: Dan Carpenter Date: Mon Aug 20 11:25:33 2018 +0300 btrfs: use after free in btrfs_quota_enable The issue here is that btrfs_commit_transaction() frees "trans" on both the error and the success path. So the problem would be if btrfs_commit_transaction() succeeds, and then qgroup_rescan_init() fails. That means that "ret" is non-zero and "trans" is non-NULL and it leads to a use after free inside the btrfs_end_transaction() macro. Fixes: 340f1aa27f36 ("btrfs: qgroups: Move transaction management inside btrfs_quota_enable/disable") Signed-off-by: Dan Carpenter Reviewed-by: Nikolay Borisov Reviewed-by: David Sterba Signed-off-by: David Sterba :040000 040000 2e6a95ae173b52e1a2d1838e1d8090e70fd2f32d 576efc9d3bdfbd6dcc30b4a59f9cc1c3f50db8aa M fs revisions tested: 16, total time: 4h35m33.50506061s (build: 1h35m28.215910221s, test: 2h54m41.286313577s) first bad commit: b9b8a41adeff5666b402996020b698504c927353 btrfs: use after free in btrfs_quota_enable cc: ["clm@fb.com" "dan.carpenter@oracle.com" "dsterba@suse.com" "jbacik@fb.com" "linux-btrfs@vger.kernel.org" "linux-kernel@vger.kernel.org" "nborisov@suse.com"] crash: kernel panic: corrupted stack end in wb_workfn IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready 8021q: adding VLAN 0 to HW filter on device team0 IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready Kernel panic - not syncing: corrupted stack end detected inside scheduler CPU: 0 PID: 2268 Comm: kworker/u4:4 Not tainted 4.18.0-rc8+ #1 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: writeback wb_workfn (flush-8:0) Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x16e/0x22a lib/dump_stack.c:113 panic+0x1c6/0x37d kernel/panic.c:184 schedule_debug kernel/sched/core.c:3314 [inline] __schedule+0x1f28/0x1f30 kernel/sched/core.c:3423 preempt_schedule_irq+0x87/0x110 kernel/sched/core.c:3728 retint_kernel+0x1b/0x2d RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:783 [inline] RIP: 0010:lock_is_held_type+0x18b/0x210 kernel/locking/lockdep.c:3964 Code: ff df 41 c7 84 24 74 08 00 00 00 00 00 00 48 89 fa 48 c1 ea 03 80 3c 02 00 75 63 48 83 3d b4 54 99 07 00 74 30 48 89 df 57 9d <0f> 1f 44 00 00 48 83 c4 08 44 89 e8 5b 41 5c 41 5d 5d c3 48 83 c4 RSP: 0018:ffff8801cf754748 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff13 RAX: dffffc0000000000 RBX: 0000000000000286 RCX: 1ffff10039eea8df RDX: 1ffffffff11e3095 RSI: 0000000000000000 RDI: 0000000000000286 RBP: ffff8801cf754768 R08: ffffed003b58472b R09: ffffed003b58472a R10: ffffed003b58472a R11: ffff8801dac23953 R12: ffff8801cf02e500 R13: 0000000000000000 R14: ffffffffffffffff R15: ffff8801cf7547e8 lock_is_held include/linux/lockdep.h:344 [inline] list_lru_from_memcg_idx mm/list_lru.c:60 [inline] __list_lru_count_one mm/list_lru.c:173 [inline] list_lru_count_one+0x24d/0x380 mm/list_lru.c:183 list_lru_shrink_count include/linux/list_lru.h:118 [inline] super_cache_count+0x18a/0x2a0 fs/super.c:145 do_shrink_slab mm/vmscan.c:374 [inline] shrink_slab.part.44+0x2fe/0xd70 mm/vmscan.c:531 shrink_slab mm/vmscan.c:506 [inline] shrink_node+0xc0d/0x14b0 mm/vmscan.c:2603 shrink_zones mm/vmscan.c:2810 [inline] do_try_to_free_pages+0x35e/0x1270 mm/vmscan.c:2872 try_to_free_pages+0x3f7/0xa20 mm/vmscan.c:3079 __perform_reclaim mm/page_alloc.c:3769 [inline] __alloc_pages_direct_reclaim mm/page_alloc.c:3790 [inline] __alloc_pages_slowpath+0x99a/0x2e50 mm/page_alloc.c:4190 __alloc_pages_nodemask+0xaae/0xe10 mm/page_alloc.c:4389 __alloc_pages include/linux/gfp.h:456 [inline] __alloc_pages_node include/linux/gfp.h:469 [inline] kmem_getpages mm/slab.c:1409 [inline] cache_grow_begin+0x91/0x8c0 mm/slab.c:2677 fallback_alloc+0x203/0x2e0 mm/slab.c:3219 ____cache_alloc_node+0x1c7/0x1e0 mm/slab.c:3287 __do_cache_alloc mm/slab.c:3356 [inline] slab_alloc mm/slab.c:3384 [inline] kmem_cache_alloc+0x1f8/0x780 mm/slab.c:3552 mempool_alloc_slab+0x3a/0x50 mm/mempool.c:504 mempool_alloc+0x148/0x490 mm/mempool.c:384 bvec_alloc+0xe3/0x250 block/bio.c:216 bio_alloc_bioset+0x32c/0x600 block/bio.c:507 bio_alloc include/linux/bio.h:438 [inline] io_submit_init_bio fs/ext4/page-io.c:374 [inline] io_submit_add_bh fs/ext4/page-io.c:399 [inline] ext4_bio_write_page+0xd05/0x1763 fs/ext4/page-io.c:506 mpage_submit_page+0x116/0x210 fs/ext4/inode.c:2207 mpage_process_page_bufs+0x39a/0x620 fs/ext4/inode.c:2318 mpage_prepare_extent_to_map+0xa37/0x15f0 fs/ext4/inode.c:2680 ext4_writepages+0x1107/0x38e0 fs/ext4/inode.c:2807 do_writepages+0x74/0x130 mm/page-writeback.c:2341 __writeback_single_inode+0x1b0/0x1290 fs/fs-writeback.c:1323 writeback_sb_inodes+0x639/0x1420 fs/fs-writeback.c:1587 __writeback_inodes_wb+0x190/0x2e0 fs/fs-writeback.c:1656 wb_writeback+0x82a/0xd50 fs/fs-writeback.c:1765 wb_check_start_all fs/fs-writeback.c:1889 [inline] wb_do_writeback fs/fs-writeback.c:1915 [inline] wb_workfn+0xc5b/0x14c0 fs/fs-writeback.c:1949 process_one_work+0xadf/0x1ac0 kernel/workqueue.c:2153 worker_thread+0x176/0x12a0 kernel/workqueue.c:2296 kthread+0x319/0x3e0 kernel/kthread.c:246 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412 Kernel Offset: disabled Rebooting in 86400 seconds..