bisecting cause commit starting from 51dba6e335ff9d1f6f50b5cacced8598956e1437
building syzkaller on f111d03be02771a52d5610a70bca229e552c7753
testing commit 51dba6e335ff9d1f6f50b5cacced8598956e1437
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 6a3f3fb7068f3814c1deb59abe6989cebdda191214942113ad119dbfeb985429
all runs: crashed: KASAN: use-after-free Read in blk_mq_sched_tags_teardown
testing release v5.14
testing commit 7d2a07b769330c34b4deabeed939325c77a7ec2f
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: de5d0644639cc5c360c5e4129b2c3253ccb03fa29846cb1eb6936ee1da8e68ac
all runs: OK
# git bisect start 51dba6e335ff9d1f6f50b5cacced8598956e1437 7d2a07b769330c34b4deabeed939325c77a7ec2f
Bisecting: 11234 revisions left to test after this (roughly 14 steps)
[0c7985e1b90c1eabc75b01f971eb89733cc51979] Merge existing fixes from asoc/for-5.15

testing commit 0c7985e1b90c1eabc75b01f971eb89733cc51979
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 8a63e05df24343ca37d4f71a1a60495ed55c690c9c04211fc1528e3723586fd6
all runs: OK
# git bisect good 0c7985e1b90c1eabc75b01f971eb89733cc51979
Bisecting: 5459 revisions left to test after this (roughly 13 steps)
[02c0ea81ad6d30183c9413014631cc1e359f20ff] Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git

testing commit 02c0ea81ad6d30183c9413014631cc1e359f20ff
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: b9463b66b0e46c1e2a9a4fd224ccccb3651dccb63f7d758936d634f01b6c687e
all runs: OK
# git bisect good 02c0ea81ad6d30183c9413014631cc1e359f20ff
Bisecting: 2804 revisions left to test after this (roughly 11 steps)
[b739ee7cdb3337a8ddf8654a75aa96e0a90f87df] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi.git

testing commit b739ee7cdb3337a8ddf8654a75aa96e0a90f87df
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 1de8d314206ecb0abb6b7a15c67ffb2794048c3bbd184b1d299904734f0150f9
all runs: crashed: KASAN: use-after-free Read in blk_mq_sched_tags_teardown
# git bisect bad b739ee7cdb3337a8ddf8654a75aa96e0a90f87df
Bisecting: 1315 revisions left to test after this (roughly 10 steps)
[adbe62179b0d4e926f78689da5d5e068a1e9f8cd] Merge branch 'for-linux-next' of git://anongit.freedesktop.org/drm/drm-misc

testing commit adbe62179b0d4e926f78689da5d5e068a1e9f8cd
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 33236627a2c576871b877900db10442164543d031d37e7416f4025f5b0d19603
all runs: OK
# git bisect good adbe62179b0d4e926f78689da5d5e068a1e9f8cd
Bisecting: 687 revisions left to test after this (roughly 9 steps)
[fd98f22c4d095ab6598824d3f766f94c9f404488] Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input.git

testing commit fd98f22c4d095ab6598824d3f766f94c9f404488
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: bae21a8ff347a693ed02f6e2c86e1adba3df24edbdaf6ba76fe111e46ca48d98
all runs: OK
# git bisect good fd98f22c4d095ab6598824d3f766f94c9f404488
Bisecting: 358 revisions left to test after this (roughly 9 steps)
[de1f8121784ea28fd806185c5777ff541f071eaa] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/libata.git

testing commit de1f8121784ea28fd806185c5777ff541f071eaa
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: b316d66d9edaa7d9251376b114277abb889461b67a581cbeaf22a3890f7ec0b6
all runs: crashed: KASAN: use-after-free Read in blk_mq_sched_tags_teardown
# git bisect bad de1f8121784ea28fd806185c5777ff541f071eaa
Bisecting: 164 revisions left to test after this (roughly 7 steps)
[8663b210f8c169a49aaeed3af92471a147545477] nbd: fix uaf in nbd_handle_reply()

testing commit 8663b210f8c169a49aaeed3af92471a147545477
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 62a79ab242081ba58bd3eb2dd481abd26cf851549eebb11b5762c13f8b8fe451
all runs: boot failed: general protection fault in blk_mq_free_request
# git bisect skip 8663b210f8c169a49aaeed3af92471a147545477
Bisecting: 164 revisions left to test after this (roughly 7 steps)
[6d63416dc57eb27a3d35e7b7526e9915479d7eff] io_uring: optimise plugging

testing commit 6d63416dc57eb27a3d35e7b7526e9915479d7eff
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 8e6a2f293c4ea147f8f31af511dce321dd98bd4a1edd781bc997adb893b35192
all runs: crashed: KASAN: use-after-free Read in blk_mq_sched_tags_teardown
# git bisect bad 6d63416dc57eb27a3d35e7b7526e9915479d7eff
Bisecting: 81 revisions left to test after this (roughly 6 steps)
[fac7c6d529acf2b5428ad08c1b1127e29e570790] block: cache bdev in struct file for raw bdev IO

testing commit fac7c6d529acf2b5428ad08c1b1127e29e570790
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: d016b0c6402f1548c70c8ace40efaf1140c4333b74cced0580b32e94f3492f0c
all runs: crashed: KASAN: use-after-free Read in blk_mq_sched_tags_teardown
# git bisect bad fac7c6d529acf2b5428ad08c1b1127e29e570790
Bisecting: 40 revisions left to test after this (roughly 5 steps)
[47c122e35d7e43b14129ceb9ed3a7e67599978fa] block: pre-allocate requests if plug is started and is a batch

testing commit 47c122e35d7e43b14129ceb9ed3a7e67599978fa
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 600d0810cbcfe420e29276721534e0ce1cdb15833d6686fb733bcf3fd6d99a60
all runs: crashed: KASAN: use-after-free Read in blk_mq_sched_tags_teardown
# git bisect bad 47c122e35d7e43b14129ceb9ed3a7e67599978fa
Bisecting: 20 revisions left to test after this (roughly 4 steps)
[32f64cad97187f4aed50aca3ed1b5a51a00f848b] block/mq-deadline: Add an invariant check

testing commit 32f64cad97187f4aed50aca3ed1b5a51a00f848b
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 19128762c6d9ca033e379cd43ef257e1a59852eefc4a53760791bf6b8c1d8a57
all runs: OK
# git bisect good 32f64cad97187f4aed50aca3ed1b5a51a00f848b
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[4f245d5bf0f7432c881e22a77066160a6cba8e03] blk-mq: Don't clear driver tags own mapping

testing commit 4f245d5bf0f7432c881e22a77066160a6cba8e03
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 7d8c498cf0876a718a6f7d285765d1cc46c0a8b8110e3907ec87302f7c215b6d
all runs: OK
# git bisect good 4f245d5bf0f7432c881e22a77066160a6cba8e03
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[ae0f1a732f4a5db284e2af02c305255734efd19c] blk-mq: Stop using pointers for blk_mq_tags bitmap tags

testing commit ae0f1a732f4a5db284e2af02c305255734efd19c
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 80f2d829d2860d092d2e010f2a567ae433e2a62c32b7b0146088e0191b85d7e0
all runs: crashed: KASAN: use-after-free Read in blk_mq_sched_tags_teardown
# git bisect bad ae0f1a732f4a5db284e2af02c305255734efd19c
Bisecting: 2 revisions left to test after this (roughly 1 step)
[63064be150e4b1ba1e4af594ef5aa81adf21a52d] blk-mq: Add blk_mq_alloc_map_and_rqs()

testing commit 63064be150e4b1ba1e4af594ef5aa81adf21a52d
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: c13b68b76b90b4db4a23506daf85401f7783af4307ebdde4d13a392840b020d8
all runs: OK
# git bisect good 63064be150e4b1ba1e4af594ef5aa81adf21a52d
Bisecting: 1 revision left to test after this (roughly 1 step)
[645db34e50501aac141713fb47a315e5202ff890] blk-mq: Refactor and rename blk_mq_free_map_and_{requests->rqs}()

testing commit 645db34e50501aac141713fb47a315e5202ff890
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: d49ad3cd24b91ce44c233630bb7e779efba8b507c862868bc1752594583a4398
run #0: crashed: WARNING: ODEBUG bug in netdev_run_todo
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
reproducer seems to be flaky
# git bisect bad 645db34e50501aac141713fb47a315e5202ff890
645db34e50501aac141713fb47a315e5202ff890 is the first bad commit
commit 645db34e50501aac141713fb47a315e5202ff890
Author: John Garry <john.garry@huawei.com>
Date:   Tue Oct 5 18:23:36 2021 +0800

    blk-mq: Refactor and rename blk_mq_free_map_and_{requests->rqs}()
    
    Refactor blk_mq_free_map_and_requests() such that it can be used at many
    sites at which the tag map and rqs are freed.
    
    Also rename to blk_mq_free_map_and_rqs(), which is shorter and matches the
    alloc equivalent.
    
    Suggested-by: Ming Lei <ming.lei@redhat.com>
    Signed-off-by: John Garry <john.garry@huawei.com>
    Reviewed-by: Hannes Reinecke <hare@suse.de>
    Link: https://lore.kernel.org/r/1633429419-228500-12-git-send-email-john.garry@huawei.com
    Signed-off-by: Jens Axboe <axboe@kernel.dk>

 block/blk-mq-tag.c |  3 +--
 block/blk-mq.c     | 40 ++++++++++++++++++++++++----------------
 block/blk-mq.h     |  4 +++-
 3 files changed, 28 insertions(+), 19 deletions(-)

culprit signature: d49ad3cd24b91ce44c233630bb7e779efba8b507c862868bc1752594583a4398
parent  signature: c13b68b76b90b4db4a23506daf85401f7783af4307ebdde4d13a392840b020d8
Reproducer flagged being flaky
revisions tested: 17, total time: 4h12m6.684717121s (build: 1h51m59.746389725s, test: 2h18m21.754447787s)
first bad commit: 645db34e50501aac141713fb47a315e5202ff890 blk-mq: Refactor and rename blk_mq_free_map_and_{requests->rqs}()
recipients (to): ["axboe@kernel.dk" "hare@suse.de" "john.garry@huawei.com"]
recipients (cc): []
crash: WARNING: ODEBUG bug in netdev_run_todo
ODEBUG: free active (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x90 kernel/workqueue.c:1623
WARNING: CPU: 1 PID: 254 at lib/debugobjects.c:505 debug_print_object+0x16e/0x250 lib/debugobjects.c:505
Modules linked in:
CPU: 1 PID: 254 Comm: kworker/u4:3 Not tainted 5.15.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: netns cleanup_net
RIP: 0010:debug_print_object+0x16e/0x250 lib/debugobjects.c:505
Code: ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 af 00 00 00 48 8b 14 dd 20 7c 20 89 4c 89 ee 48 c7 c7 20 70 20 89 e8 f9 78 9e 04 <0f> 0b 83 05 75 42 f4 08 01 48 83 c4 18 5b 5d 41 5c 41 5d 41 5e c3
RSP: 0018:ffffc90001edf888 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000
RDX: 0000000000000001 RSI: ffffffff89206c00 RDI: fffff520003dbf03
RBP: 0000000000000001 R08: 0000000000000001 R09: ffff8880b9f2bf87
R10: ffffed10173e57f0 R11: 657461747320654f R12: ffffffff88cd2980
R13: ffffffff89207660 R14: ffffffff815c5c40 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8880b9e00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fd9f261e9a0 CR3: 000000001d169000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 __debug_check_no_obj_freed lib/debugobjects.c:992 [inline]
 debug_check_no_obj_freed+0x301/0x420 lib/debugobjects.c:1023
 slab_free_hook mm/slub.c:1675 [inline]
 slab_free_freelist_hook+0xde/0x190 mm/slub.c:1725
 slab_free mm/slub.c:3483 [inline]
 kfree+0xe4/0x530 mm/slub.c:4543
 device_release+0x93/0x200 drivers/base/core.c:2232
 kobject_cleanup lib/kobject.c:705 [inline]
 kobject_release lib/kobject.c:736 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0x139/0x410 lib/kobject.c:753
 netdev_run_todo+0x63b/0x910 net/core/dev.c:10604
 default_device_exit_batch+0x2aa/0x360 net/core/dev.c:11574
 cleanup_net+0x423/0x980 net/core/net_namespace.c:591
 process_one_work+0x87f/0x1450 kernel/workqueue.c:2297
 worker_thread+0x598/0x1040 kernel/workqueue.c:2444
 kthread+0x38b/0x460 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295