bisecting cause commit starting from 1438cde7c87cb5d59c4caa292f3d32e4ee06b763
building syzkaller on db842eb61c746adfefd27d79e6da5467501e1456
testing commit 1438cde7c87cb5d59c4caa292f3d32e4ee06b763 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in class_equal
run #1: crashed: KASAN: slab-out-of-bounds Read in class_equal
run #2: crashed: KASAN: use-after-free Read in class_equal
run #3: crashed: kernel panic: corrupted stack end in corrupted
run #4: crashed: KASAN: slab-out-of-bounds Read in tick_sched_handle
run #5: crashed: KASAN: slab-out-of-bounds Read in class_equal
run #6: crashed: KASAN: slab-out-of-bounds Read in class_equal
run #7: crashed: KASAN: slab-out-of-bounds Read in class_equal
run #8: crashed: KASAN: use-after-free Read in class_equal
run #9: crashed: kernel panic: corrupted stack end in corrupted
testing release v5.2
testing commit 0ecfebd2b52404ae0c54a878c872bb93363ada36 with gcc (GCC) 8.1.0
run #0: crashed: kernel panic: corrupted stack end in corrupted
run #1: crashed: KASAN: use-after-free Read in class_equal
run #2: crashed: KASAN: slab-out-of-bounds Read in class_equal
run #3: crashed: KASAN: use-after-free Read in class_equal
run #4: crashed: kernel panic: corrupted stack end in corrupted
run #5: crashed: KASAN: slab-out-of-bounds Read in class_equal
run #6: crashed: KASAN: use-after-free Read in class_equal
run #7: crashed: KASAN: slab-out-of-bounds Read in class_equal
run #8: crashed: KASAN: use-after-free Read in class_equal
run #9: crashed: KASAN: use-after-free Read in class_equal
testing release v5.1
testing commit e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd with gcc (GCC) 8.1.0
all runs: crashed: WARNING: ODEBUG bug in del_timer
testing release v5.0
testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783 with gcc (GCC) 8.1.0
all runs: crashed: WARNING in strp_done
testing release v4.20
testing commit 8fe28cb58bcb235034b64cbbb7550a8a43fd88be with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in class_equal
run #1: crashed: KASAN: slab-out-of-bounds Read in class_equal
run #2: crashed: KASAN: use-after-free Read in class_equal
run #3: crashed: KASAN: slab-out-of-bounds Read in class_equal
run #4: crashed: KASAN: use-after-free Read in class_equal
run #5: crashed: KASAN: slab-out-of-bounds Read in class_equal
run #6: crashed: KASAN: use-after-free Read in class_equal
run #7: crashed: KASAN: use-after-free Read in class_equal
run #8: crashed: KASAN: use-after-free Read in class_equal
run #9: crashed: KASAN: slab-out-of-bounds Read in class_equal
testing release v4.19
testing commit 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in psock_map_pop
run #1: crashed: KASAN: use-after-free Read in psock_map_pop
run #2: crashed: KASAN: use-after-free Read in psock_map_pop
run #3: crashed: KASAN: use-after-free Read in psock_map_pop
run #4: crashed: KASAN: use-after-free Read in psock_map_pop
run #5: crashed: KASAN: use-after-free Read in psock_map_pop
run #6: crashed: KASAN: use-after-free Read in psock_map_pop
run #7: OK
run #8: crashed: KASAN: use-after-free Read in bpf_tcp_remove
run #9: OK
testing release v4.18
testing commit 94710cac0ef4ee177a63b5227664b38c95bbf703 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in psock_map_pop
run #1: crashed: KASAN: use-after-free Write in bpf_tcp_close
run #2: crashed: KASAN: use-after-free Write in bpf_tcp_close
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
testing release v4.17
testing commit 29dcea88779c856c7dc92040a0c01233263101d4 with gcc (GCC) 8.1.0
all runs: OK
# git bisect start v4.18 v4.17
Bisecting: 7032 revisions left to test after this (roughly 13 steps)
[3036bc45364f98515a2c446d7fac2c34dcfbeff4] Merge tag 'media/v4.18-2' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media
testing commit 3036bc45364f98515a2c446d7fac2c34dcfbeff4 with gcc (GCC) 8.1.0
run #0: OK
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work
run #8: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work
run #9: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work
# git bisect good 3036bc45364f98515a2c446d7fac2c34dcfbeff4
Bisecting: 3348 revisions left to test after this (roughly 12 steps)
[721afaa2aeb860067decdddadc84ed16f42f2048] Merge tag 'armsoc-dt' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc
testing commit 721afaa2aeb860067decdddadc84ed16f42f2048 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 721afaa2aeb860067decdddadc84ed16f42f2048
Bisecting: 1674 revisions left to test after this (roughly 11 steps)
[7b72717a20bba8bdd01b14c0460be7d15061cd6b] iw_cxgb4: correctly enforce the max reg_mr depth
testing commit 7b72717a20bba8bdd01b14c0460be7d15061cd6b with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 7b72717a20bba8bdd01b14c0460be7d15061cd6b
Bisecting: 837 revisions left to test after this (roughly 10 steps)
[47f7dc4b845a9fe60c53b84b8c88cf14efd0de7f] Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm
testing commit 47f7dc4b845a9fe60c53b84b8c88cf14efd0de7f with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 47f7dc4b845a9fe60c53b84b8c88cf14efd0de7f
Bisecting: 414 revisions left to test after this (roughly 9 steps)
[0723090656a03940c5ea536342f109e34b8d1257] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
testing commit 0723090656a03940c5ea536342f109e34b8d1257 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Write in bpf_tcp_close
run #1: crashed: KASAN: use-after-free Read in psock_map_pop
run #2: crashed: KASAN: use-after-free Write in bpf_tcp_close
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 0723090656a03940c5ea536342f109e34b8d1257
Bisecting: 210 revisions left to test after this (roughly 8 steps)
[b4394c34356180adb783a5cba2aee469e76a52ff] Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6
testing commit b4394c34356180adb783a5cba2aee469e76a52ff with gcc (GCC) 8.1.0
all runs: OK
# git bisect good b4394c34356180adb783a5cba2aee469e76a52ff
Bisecting: 108 revisions left to test after this (roughly 7 steps)
[ef81e63e17ab34cea26f24b951188d16143efc92] Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
testing commit ef81e63e17ab34cea26f24b951188d16143efc92 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Write in bpf_tcp_close
run #1: crashed: KASAN: use-after-free Write in bpf_tcp_close
run #2: crashed: KASAN: use-after-free Write in bpf_tcp_close
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad ef81e63e17ab34cea26f24b951188d16143efc92
Bisecting: 47 revisions left to test after this (roughly 6 steps)
[2a0ea7df1ffb6bb46a8cf9b4d6f0bfca1e93a761] Merge tag 'arc-4.18-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/vgupta/arc
testing commit 2a0ea7df1ffb6bb46a8cf9b4d6f0bfca1e93a761 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Write in bpf_tcp_close
run #1: crashed: KASAN: use-after-free Write in bpf_tcp_close
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 2a0ea7df1ffb6bb46a8cf9b4d6f0bfca1e93a761
Bisecting: 22 revisions left to test after this (roughly 5 steps)
[28c20cc73b9cc4288c86c2a3fc62af4087de4b19] Merge tag 'drm-fixes-2018-07-20' of git://anongit.freedesktop.org/drm/drm
testing commit 28c20cc73b9cc4288c86c2a3fc62af4087de4b19 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Write in bpf_tcp_close
run #1: crashed: KASAN: use-after-free Write in bpf_tcp_close
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 28c20cc73b9cc4288c86c2a3fc62af4087de4b19
Bisecting: 14 revisions left to test after this (roughly 4 steps)
[fb7d1bcf1602b46f37ada72178516c01a250e434] Merge tag 'pci-v4.18-fixes-3' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci
testing commit fb7d1bcf1602b46f37ada72178516c01a250e434 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good fb7d1bcf1602b46f37ada72178516c01a250e434
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[eb493fbc150f4a28151ae1ee84f24395989f3600] drm/nouveau: Set DRIVER_ATOMIC cap earlier to fix debugfs
testing commit eb493fbc150f4a28151ae1ee84f24395989f3600 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good eb493fbc150f4a28151ae1ee84f24395989f3600
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[2d95ceb45459357288058c646022019d257ae04b] drm/amd/amdgpu: creating two I2S instances for stoney/cz (v2)
testing commit 2d95ceb45459357288058c646022019d257ae04b with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Write in bpf_tcp_close
run #1: crashed: KASAN: use-after-free Write in bpf_tcp_close
run #2: crashed: KASAN: use-after-free Write in bpf_tcp_close
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 2d95ceb45459357288058c646022019d257ae04b
Bisecting: 1 revision left to test after this (roughly 1 step)
[263318eea710a6dd9770f9b4f570889b5dfd0d39] drm/amd/display: Fix DP HBR2 Eye Diagram Pattern on Carrizo
testing commit 263318eea710a6dd9770f9b4f570889b5dfd0d39 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Write in bpf_tcp_close
run #1: crashed: KASAN: use-after-free Write in bpf_tcp_close
run #2: crashed: KASAN: use-after-free Write in bpf_tcp_close
run #3: OK
run #4: crashed: KASAN: use-after-free Write in bpf_tcp_close
run #5: crashed: KASAN: use-after-free Write in bpf_tcp_close
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 263318eea710a6dd9770f9b4f570889b5dfd0d39
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[96a5d8d4915f3e241ebb48d5decdd110ab9c7dcf] drm/amdgpu: Make sure IB tests flushed after IP resume
testing commit 96a5d8d4915f3e241ebb48d5decdd110ab9c7dcf with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Write in bpf_tcp_close
run #1: crashed: KASAN: use-after-free Write in bpf_tcp_close
run #2: crashed: KASAN: use-after-free Read in psock_map_pop
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 96a5d8d4915f3e241ebb48d5decdd110ab9c7dcf
96a5d8d4915f3e241ebb48d5decdd110ab9c7dcf is the first bad commit
commit 96a5d8d4915f3e241ebb48d5decdd110ab9c7dcf
Author: Leo Liu
Date:   Fri Jul 13 11:26:28 2018 -0400

    drm/amdgpu: Make sure IB tests flushed after IP resume

    Fixes: 2c773de2 (drm/amdgpu: defer test IBs on the rings at boot (V3))

    Signed-off-by: Leo Liu
    Reviewed-by: Christian König
    Signed-off-by: Alex Deucher

:040000 040000 7c39637b415512566c7e34e2976de8cb82cf95c1 02fd47b3365eeba424eb325730b93d70762f1626 M	drivers

revisions tested: 22, total time: 5h26m11.691762599s (build: 1h58m26.319429539s, test: 3h20m49.429173767s)
first bad commit: 96a5d8d4915f3e241ebb48d5decdd110ab9c7dcf drm/amdgpu: Make sure IB tests flushed after IP resume
cc: ["airlied@linux.ie" "alexander.deucher@amd.com" "amd-gfx@lists.freedesktop.org" "christian.koenig@amd.com" "david1.zhou@amd.com" "dri-devel@lists.freedesktop.org" "leo.liu@amd.com" "linux-kernel@vger.kernel.org"]
crash: KASAN: use-after-free Read in psock_map_pop
==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x3455/0x4950 kernel/locking/lockdep.c:3314
Read of size 8 at addr ffff88009e9b6b88 by task syz-executor.2/21505

CPU: 0 PID: 21505 Comm: syz-executor.2 Not tainted 4.18.0-rc4+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x109/0x15a lib/dump_stack.c:113
 print_address_description.cold.8+0x9/0x1ff mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.9+0x242/0x2fe mm/kasan/report.c:412
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 __lock_acquire+0x3455/0x4950 kernel/locking/lockdep.c:3314
 lock_acquire+0x173/0x400 kernel/locking/lockdep.c:3924
 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
 _raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:168
 spin_lock_bh include/linux/spinlock.h:315 [inline]
 psock_map_pop.isra.27+0x1f/0x1b0 kernel/bpf/sockmap.c:297
 bpf_tcp_close+0x489/0xb90 kernel/bpf/sockmap.c:371
 inet_release+0xd9/0x1c0 net/ipv4/af_inet.c:427
 inet6_release+0x46/0x60 net/ipv6/af_inet6.c:459
 __sock_release+0xc2/0x230 net/socket.c:599
 sock_close+0x10/0x20 net/socket.c:1150
 __fput+0x232/0x780 fs/file_table.c:209
 ____fput+0x9/0x10 fs/file_table.c:243
 task_work_run+0x111/0x180 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:192 [inline]
 exit_to_usermode_loop+0x1a4/0x200 arch/x86/entry/common.c:166
 prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:268 [inline]
 do_syscall_64+0x407/0x4d0 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x413501
Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007fff8cef3b60 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000006 RCX: 0000000000413501
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000005
RBP: 0000000000000001 R08: ffffffffffffffff R09: ffffffffffffffff
R10: 00007fff8cef3c40 R11: 0000000000000293 R12: 000000000075bf20
R13: 000000000006412b R14: 0000000000761178 R15: ffffffffffffffff

Allocated by task 21507:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:553
 kmem_cache_alloc_node_trace+0x14c/0x770 mm/slab.c:3663
 kmalloc_node include/linux/slab.h:551 [inline]
 kzalloc_node include/linux/slab.h:718 [inline]
 smap_init_psock kernel/bpf/sockmap.c:1594 [inline]
 __sock_map_ctx_update_elem.isra.21+0x53d/0xd10 kernel/bpf/sockmap.c:1885
 sock_map_ctx_update_elem.isra.22+0x137/0x310 kernel/bpf/sockmap.c:1972
 sock_map_update_elem+0x14a/0x2b0 kernel/bpf/sockmap.c:2072
 map_update_elem+0x480/0xa30 kernel/bpf/syscall.c:765
 __do_sys_bpf kernel/bpf/syscall.c:2296 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:2267 [inline]
 __x64_sys_bpf+0x208/0x380 kernel/bpf/syscall.c:2267
 do_syscall_64+0xd0/0x4d0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
kobject: 'loop4' (00000000a50b6666): fill_kobj_path: path = '/devices/virtual/block/loop4'

Freed by task 7389:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3498 [inline]
 kfree+0xcf/0x270 mm/slab.c:3813
 smap_gc_work+0x76b/0xa80 kernel/bpf/sockmap.c:1587
 process_one_work+0x830/0x1650 kernel/workqueue.c:2153
 worker_thread+0x85/0xb60 kernel/workqueue.c:2296
 kthread+0x316/0x3d0 kernel/kthread.c:246
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:412

The buggy address belongs to the object at ffff88009e9b6940
 which belongs to the cache kmalloc-1024 of size 1024
The buggy address is located 584 bytes inside of
 1024-byte region [ffff88009e9b6940, ffff88009e9b6d40)
The buggy address belongs to the page:
page:ffffea00027a6d80 count:1 mapcount:0 mapping:ffff8800aa800ac0 index:0xffff88009e9b7b40 compound_mapcount: 0
flags: 0x1fffc0000008100(slab|head)
raw: 01fffc0000008100 ffffea0002872a88 ffffea00029fd188 ffff8800aa800ac0
raw: ffff88009e9b7b40 ffff88009e9b6040 0000000100000004 0000000000000000
page dumped because: kasan: bad access detected
kobject: 'loop1' (00000000d154c21a): kobject_uevent_env
kobject: 'loop1' (00000000d154c21a): fill_kobj_path: path = '/devices/virtual/block/loop1'

Memory state around the buggy address:
 ffff88009e9b6a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88009e9b6b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88009e9b6b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                     ^
 ffff88009e9b6c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88009e9b6c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
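The bisection above judges each commit from a batch of ten reproducer runs, and at every commit it marks bad the crash shows up in only two to five of those ten runs; the search then ends on a drm/amdgpu commit although every frame of the KASAN report is in kernel/bpf/sockmap.c. The script below is an added example, not syzkaller's own code: it writes that batch rule as a `git bisect run` predicate and computes how often a batch of N runs would come back all-OK on a commit that really has the bug. The single-run wrapper it drives (`./run-repro-once`, printing `OK`, `crashed: <title>` or `boot failed: <title>`) is an assumption of the example; the sample batch is copied from the log's runs for 263318eea710.

```shell
#!/bin/sh
# Added example, not part of syzkaller: the per-commit verdict rule used in the
# log above, written as a git-bisect predicate, plus the arithmetic behind the
# false-"good" risk of a reproducer that only crashes on some fraction of runs.

# Map a batch of per-run results (one per line, in the log's own wording:
# "OK", "crashed: <title>", "boot failed: <title>") to git-bisect exit codes.
# Prints the verdict and returns it: 0 = good, 1 = bad, 125 = skip.
# Rule as seen in the log: any "crashed" line makes the commit bad; no crash
# and at least one "OK" run makes it good; a batch with nothing but boot
# failures cannot be judged and is skipped.
verdict_from_results() {
    results="$1"
    crashed=$(printf '%s\n' "$results" | awk '/^crashed:/ {n++} END {print n+0}')
    ok=$(printf '%s\n' "$results" | awk '/^OK$/ {n++} END {print n+0}')
    if [ "$crashed" -gt 0 ]; then
        echo bad; return 1
    elif [ "$ok" -gt 0 ]; then
        echo good; return 0
    else
        echo skip; return 125
    fi
}

# git-bisect predicate: run a single-attempt test command N times and apply
# the rule above. The command (e.g. ./run-repro-once) is assumed to build the
# checked-out tree, boot it, run the reproducer once and print one result line.
bisect_predicate() {
    runs="$1"; shift
    batch=""
    i=0
    while [ "$i" -lt "$runs" ]; do
        line=$("$@") || true
        batch="${batch}${line}
"
        i=$((i + 1))
    done
    verdict_from_results "$batch"
}

# Probability that all N runs pass although the bug is present, given a
# per-run crash probability p. The log's "bad" commits crashed on 2-5 of 10
# runs, so p is roughly 0.2-0.5 for this reproducer. Printed to 4 decimals.
false_good_probability() {
    awk -v p="$1" -v n="$2" 'BEGIN { printf "%.4f\n", (1 - p) ^ n }'
}

# Batch copied from the log's run #0..#9 for commit 263318eea710.
SAMPLE_BATCH='crashed: KASAN: use-after-free Write in bpf_tcp_close
crashed: KASAN: use-after-free Write in bpf_tcp_close
crashed: KASAN: use-after-free Write in bpf_tcp_close
OK
crashed: KASAN: use-after-free Write in bpf_tcp_close
crashed: KASAN: use-after-free Write in bpf_tcp_close
OK
OK
OK
OK'

rc=0
verdict_from_results "$SAMPLE_BATCH" || rc=$?
echo "git bisect exit code for the sample batch: $rc"
echo "P(10 runs all OK | p=0.3) = $(false_good_probability 0.3 10)"
echo "P(30 runs all OK | p=0.3) = $(false_good_probability 0.3 30)"
```

Usage: `git bisect start v4.18 v4.17 && git bisect run sh -c '. ./bisect-batch.sh; bisect_predicate 10 ./run-repro-once'`, with the wrapper name being the assumption noted above. Because "bad" needs only one crash but "good" needs every run to pass, the errors are one-sided: a commit wrongly marked good sends the search into the wrong half, and nothing later in the bisection can detect it. With p=0.3 a 10-run batch returns a false "good" about 2.8% of the time per step; over the 13 steps the log shows that risk accumulates, which is why a final "first bad commit" in an unrelated subsystem should be read as a hint to re-run with larger batches rather than as the cause.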