ci2 starts bisection 2025-09-29 00:51:56.147166882 +0000 UTC m=+195229.507725129
bisecting fixing commit since c79648372d02944bf4a54d87e3901db05d0ac82e
building syzkaller on bf27483f963359281b2d9b6d6efd36289f82e282
ensuring issue is reproducible on original commit c79648372d02944bf4a54d87e3901db05d0ac82e
testing commit c79648372d02944bf4a54d87e3901db05d0ac82e gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: a4c0cb1e48e0bccd4d629b538fb5b781351d2c424c51213f7b0f31e7c6d02fed
all runs: crashed: KASAN: use-after-free Read in remove_wait_queue
representative crash: KASAN: use-after-free Read in remove_wait_queue, types: [KASAN-USE-AFTER-FREE-READ]
check whether we can drop unnecessary instrumentation
disabling configs for [hang memleak ubsan bug_or_warning locking atomic_sleep], they are not needed
testing commit c79648372d02944bf4a54d87e3901db05d0ac82e gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: da75b59493035f27556ec7544b8070b9722dd65220daab9b9dff50410e7faa20
all runs: crashed: KASAN: use-after-free Read in remove_wait_queue
representative crash: KASAN: use-after-free Read in remove_wait_queue, types: [KASAN-USE-AFTER-FREE-READ]
the bug reproduces without the instrumentation
disabling configs for [bug_or_warning locking atomic_sleep hang memleak ubsan], they are not needed
kconfig minimization: base=3707 full=7423 leaves diff=2099
split chunks (needed=false): <2099>
split chunk #0 of len 2099 into 5 parts
testing without sub-chunk 1/5
disabling configs for [hang memleak ubsan bug_or_warning locking atomic_sleep], they are not needed
testing commit c79648372d02944bf4a54d87e3901db05d0ac82e gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 62874bcb5a6606ef7395976f0e967f7860502ab0911fcaa68796555d7c613901
all runs: OK
false negative chance: 0.000
testing without sub-chunk 2/5
disabling configs for [atomic_sleep hang memleak ubsan bug_or_warning locking], they are not needed
testing commit c79648372d02944bf4a54d87e3901db05d0ac82e gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 638d38ed31d53b0b455b0fd097cf610d78aacfca1c54528af91d0986870381d2
all runs: crashed: KASAN: use-after-free Read in remove_wait_queue
representative crash: KASAN: use-after-free Read in remove_wait_queue, types: [KASAN-USE-AFTER-FREE-READ]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [hang memleak ubsan bug_or_warning locking atomic_sleep], they are not needed
testing commit c79648372d02944bf4a54d87e3901db05d0ac82e gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 05e15448dddd801e5fa0110cccf1bc143bc38be8c65e0b9effc1bc29633a93bd
all runs: crashed: KASAN: use-after-free Read in remove_wait_queue
representative crash: KASAN: use-after-free Read in remove_wait_queue, types: [KASAN-USE-AFTER-FREE-READ]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [hang memleak ubsan bug_or_warning locking atomic_sleep], they are not needed
testing commit c79648372d02944bf4a54d87e3901db05d0ac82e gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 8eab473ec32af321c956a79b90723e74f2e7263a6d2a2580205df4625eb9ce72
all runs: crashed: KASAN: use-after-free Read in remove_wait_queue
representative crash: KASAN: use-after-free Read in remove_wait_queue, types: [KASAN-USE-AFTER-FREE-READ]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [bug_or_warning locking atomic_sleep hang memleak ubsan], they are not needed
testing commit c79648372d02944bf4a54d87e3901db05d0ac82e gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f67f9f533c989e8576703635fbbdb095d80e57064dfac7f0c41ab68452b9313d
all runs: crashed: KASAN: use-after-free Read in remove_wait_queue
representative crash: KASAN: use-after-free Read in remove_wait_queue, types: [KASAN-USE-AFTER-FREE-READ]
the chunk can be dropped
minimized to 420 configs; suspects: [6LOWPAN 6LOWPAN_GHC_EXT_HDR_DEST 6LOWPAN_GHC_EXT_HDR_FRAG 6LOWPAN_GHC_EXT_HDR_HOP 6LOWPAN_GHC_EXT_HDR_ROUTE 6LOWPAN_GHC_ICMPV6 6LOWPAN_GHC_UDP 6LOWPAN_NHC 6LOWPAN_NHC_DEST 6LOWPAN_NHC_FRAGMENT 6LOWPAN_NHC_HOP 6LOWPAN_NHC_IPV6 6LOWPAN_NHC_MOBILITY 6LOWPAN_NHC_ROUTING 6LOWPAN_NHC_UDP 6PACK 842_COMPRESS 842_DECOMPRESS 9P_FSCACHE 9P_FS_POSIX_ACL 9P_FS_SECURITY ACORN_PARTITION ACORN_PARTITION_ADFS ACORN_PARTITION_CUMANA ACORN_PARTITION_EESOX ACORN_PARTITION_ICS ACORN_PARTITION_POWERTEC ACORN_PARTITION_RISCIX ACPI_NFIT ACPI_PLATFORM_PROFILE ADFS_FS AFFS_FS AFS_FS AFS_FSCACHE AF_KCM AF_RXRPC AF_RXRPC_IPV6 AIX_PARTITION AMD_SFH_HID AMIGA_PARTITION ANDROID ANDROID_BINDERFS ANDROID_BINDER_IPC APPLE_MFI_FASTCHARGE AR5523 ARCH_ENABLE_THP_MIGRATION ASHMEM ASM_MODVERSIONS ASN1_ENCODER ASYNC_CORE ASYNC_MEMCPY ASYNC_PQ ASYNC_RAID6_RECOV ASYNC_TX_DMA ASYNC_XOR ATARI_PARTITION ATA_GENERIC ATA_OVER_ETH ATH10K ATH10K_CE ATH10K_PCI ATH10K_USB ATH11K ATH6KL ATH6KL_USB ATH9K ATH9K_AHB ATH9K_BTCOEX_SUPPORT ATH9K_CHANNEL_CONTEXT ATH9K_COMMON ATH9K_COMMON_DEBUG ATH9K_COMMON_SPECTRAL ATH9K_DEBUGFS ATH9K_DYNACK ATH9K_HTC ATH9K_HTC_DEBUGFS ATH9K_HW ATH9K_PCI ATH9K_PCOEM ATH9K_RFKILL ATH_COMMON ATM ATM_BR2684 ATM_CLIP ATM_DRIVERS ATM_LANE ATM_MPOA ATM_TCP AX25 AX25_DAMA_SLAVE AX88796B_PHY BAREUDP BATMAN_ADV BATMAN_ADV_BATMAN_V BATMAN_ADV_BLA BATMAN_ADV_DAT BATMAN_ADV_MCAST BATMAN_ADV_NC BCACHE BCMA BCMA_HOST_PCI_POSSIBLE BEFS_FS BFQ_CGROUP_DEBUG BFQ_GROUP_IOSCHED BFS_FS BIG_KEYS BLK_CGROUP BLK_CGROUP_IOCOST BLK_CGROUP_IOLATENCY BLK_CGROUP_RWSTAT BLK_DEBUG_FS_ZONED BLK_DEV_BSGLIB BLK_DEV_CRYPTOLOOP BLK_DEV_INTEGRITY BLK_DEV_INTEGRITY_T10 BLK_DEV_NBD BLK_DEV_NULL_BLK BLK_DEV_NULL_BLK_FAULT_INJECTION BLK_DEV_NVME BLK_DEV_PMEM BLK_DEV_RAM BLK_DEV_RNBD BLK_DEV_RNBD_CLIENT BLK_DEV_THROTTLING BLK_INLINE_ENCRYPTION BLK_INLINE_ENCRYPTION_FALLBACK BLK_MQ_RDMA
BLK_RQ_ALLOC_TIME BLK_WBT BLK_WBT_MQ BLOCK_LEGACY_AUTOLOAD BONDING BPF_EVENTS BPF_JIT BPF_JIT_ALWAYS_ON BPF_JIT_DEFAULT_ON BPF_LSM BPF_PRELOAD BPF_PRELOAD_UMD BPF_SYSCALL BPQETHER BRIDGE BRIDGE_CFM BRIDGE_EBT_802_3 BRIDGE_EBT_AMONG BRIDGE_EBT_ARP BRIDGE_EBT_ARPREPLY BRIDGE_EBT_BROUTE BRIDGE_EBT_DNAT BRIDGE_EBT_IP BRIDGE_EBT_IP6 BRIDGE_EBT_LIMIT BRIDGE_EBT_LOG BRIDGE_EBT_MARK BRIDGE_EBT_MARK_T BRIDGE_EBT_NFLOG BRIDGE_EBT_PKTTYPE BRIDGE_EBT_REDIRECT BRIDGE_EBT_SNAT BRIDGE_EBT_STP BRIDGE_EBT_T_FILTER BRIDGE_EBT_T_NAT BRIDGE_EBT_VLAN BRIDGE_IGMP_SNOOPING BRIDGE_MRP BRIDGE_NF_EBTABLES BRIDGE_VLAN_FILTERING BSD_DISKLABEL BSD_PROCESS_ACCT_V3 BT BTRFS_ASSERT BTRFS_FS BTRFS_FS_POSIX_ACL BTRFS_FS_REF_VERIFY BTT BT_6LOWPAN BT_ATH3K BT_BCM BT_BNEP BT_BNEP_MC_FILTER BT_BNEP_PROTO_FILTER BT_BREDR BT_CMTP BT_HCIBCM203X BT_HCIBFUSB BT_HCIBPA10X BT_HCIBTUSB BT_HCIBTUSB_AUTOSUSPEND BT_HCIBTUSB_BCM BT_HCIBTUSB_MTK BT_HCIBTUSB_RTL BT_HCIUART BT_HCIUART_3WIRE BT_HCIUART_AG6XX BT_HCIUART_BCSP BT_HCIUART_H4 BT_HCIUART_LL BT_HCIUART_MRVL BT_HCIUART_QCA BT_HCIUART_SERDEV BT_HCIVHCI BT_HIDP BT_HS BT_INTEL BT_LE BT_LEDS BT_MSFTEXT BT_QCA BT_RFCOMM BT_RFCOMM_TTY BT_RTL CACHEFILES CAIF CAIF_DEBUG CAIF_DRIVERS CAIF_NETDEV CAIF_TTY CAIF_USB CAIF_VIRTIO CAN CAN_8DEV_USB CAN_BCM CAN_CALC_BITTIMING CAN_DEV CAN_EMS_USB CAN_ESD_USB2 CAN_ETAS_ES58X CAN_GS_USB CAN_GW CAN_IFI_CANFD CAN_ISOTP CAN_J1939 CAN_KVASER_USB CAN_MCBA_USB CAN_PEAK_USB CAN_RAW CAN_SLCAN CAN_UCAN CAN_VCAN CAN_VXCAN CAPI_TRACE CARL9170 CARL9170_HWRNG CARL9170_LEDS CARL9170_WPC CEC_CORE CEPH_FS CEPH_FSCACHE CEPH_FS_POSIX_ACL CEPH_LIB CEPH_LIB_USE_DNS_RESOLVER CFG80211 CFG80211_CRDA_SUPPORT CFG80211_DEBUGFS CFG80211_DEFAULT_PS CFG80211_REQUIRE_SIGNED_REGDB CFG80211_USE_KERNEL_REGDB_KEYS CFG80211_WEXT CFS_BANDWIDTH CGROUP_DEVICE CGROUP_HUGETLB CGROUP_NET_CLASSID CGROUP_NET_PRIO CGROUP_PERF CGROUP_RDMA CGROUP_WRITEBACK CHARGER_ISP1704 CHR_DEV_ST CIFS CIFS_ALLOW_INSECURE_LEGACY CIFS_DEBUG CIFS_DFS_UPCALL CIFS_FSCACHE CIFS_POSIX 
CIFS_SMB_DIRECT CIFS_SWN_UPCALL CIFS_UPCALL CIFS_XATTR CLS_U32_MARK CLS_U32_PERF CMA CMA_SIZE_SEL_MBYTES CMDLINE_PARTITION COMEDI COMEDI_8254 COMEDI_8255 COMEDI_8255_PCI COMEDI_8255_SA COMEDI_ADL_PCI9118 COMEDI_ADQ12B COMEDI_AIO_AIO12_8 COMEDI_AIO_IIRO_16 COMEDI_AMPLC_DIO200 COMEDI_AMPLC_DIO200_ISA COMEDI_AMPLC_PC236 COMEDI_AMPLC_PC236_ISA COMEDI_AMPLC_PC263_ISA COMEDI_BOND COMEDI_C6XDIGIO COMEDI_DAC02 COMEDI_DAS08 COMEDI_DAS08_ISA COMEDI_DAS16M1 COMEDI_DAS1800 COMEDI_DAS6402 COMEDI_DAS800 COMEDI_DMM32AT COMEDI_DT2801 COMEDI_DT2811 COMEDI_DT2814 COMEDI_DT2815 COMEDI_DT2817 COMEDI_DT282X COMEDI_DT9812 COMEDI_FL512 COMEDI_ISADMA COMEDI_ISA_DRIVERS COMEDI_KCOMEDILIB COMEDI_MISC_DRIVERS COMEDI_MPC624 COMEDI_MULTIQ3 COMEDI_NI_ATMIO16D COMEDI_NI_AT_A2150 COMEDI_NI_AT_AO COMEDI_NI_DAQ_700_CS COMEDI_NI_LABPC COMEDI_NI_LABPC_CS COMEDI_NI_LABPC_ISA COMEDI_NI_LABPC_ISADMA COMEDI_NI_LABPC_PCI COMEDI_NI_USB6501 COMEDI_PARPORT COMEDI_PCI_DRIVERS COMEDI_PCL711 COMEDI_PCL724 COMEDI_PCL726 COMEDI_PCL730 COMEDI_PCL812 COMEDI_PCL816 COMEDI_PCL818 COMEDI_PCM3724 COMEDI_PCMAD COMEDI_PCMCIA_DRIVERS COMEDI_PCMDA12 COMEDI_PCMMIO COMEDI_PCMUIO COMEDI_RTI800 COMEDI_RTI802 COMEDI_S526 COMEDI_TEST COMEDI_USBDUX COMEDI_USBDUXFAST COMEDI_USBDUXSIGMA COMEDI_USB_DRIVERS COMEDI_VMK80XX COMPAT_NETLINK_MESSAGES COUNTER CRAMFS CRAMFS_BLOCKDEV CRAMFS_MTD CRC4 CRC64 CRC7 CRC8 CRC_ITU_T CRC_T10DIF CRYPTO_ADIANTUM CRYPTO_AEGIS128 CRYPTO_AEGIS128_AESNI_SSE2 CRYPTO_AES_NI_INTEL CRYPTO_AES_TI CRYPTO_ANSI_CPRNG CRYPTO_ANUBIS CRYPTO_ARC4 CRYPTO_ARCH_HAVE_LIB_BLAKE2S CRYPTO_ARCH_HAVE_LIB_CHACHA CRYPTO_ARCH_HAVE_LIB_CURVE25519 CRYPTO_ARCH_HAVE_LIB_POLY1305 CRYPTO_BLAKE2B CRYPTO_BLAKE2S_X86 CRYPTO_BLOWFISH CRYPTO_BLOWFISH_COMMON CRYPTO_BLOWFISH_X86_64 CRYPTO_CAMELLIA CRYPTO_CAMELLIA_AESNI_AVX2_X86_64 CRYPTO_CAMELLIA_AESNI_AVX_X86_64 CRYPTO_CAMELLIA_X86_64 CRYPTO_CAST5 CRYPTO_CAST5_AVX_X86_64 CRYPTO_CAST6 CRYPTO_CAST6_AVX_X86_64 CRYPTO_CAST_COMMON CRYPTO_CHACHA20 CRYPTO_CHACHA20POLY1305 CRYPTO_CHACHA20_X86_64 
CRYPTO_CRC32 CRYPTO_CRC32C_INTEL CRYPTO_CRC32_PCLMUL CRYPTO_CRCT10DIF CRYPTO_CRCT10DIF_PCLMUL CRYPTO_CRYPTD CRYPTO_CTS CRYPTO_CURVE25519 CRYPTO_CURVE25519_X86 CRYPTO_DEFLATE CRYPTO_DES CRYPTO_DES3_EDE_X86_64 CRYPTO_DEV_CCP CRYPTO_DEV_CCP_DD CRYPTO_DEV_PADLOCK CRYPTO_DEV_PADLOCK_AES CRYPTO_DEV_PADLOCK_SHA CRYPTO_DEV_QAT CRYPTO_DEV_QAT_C3XXX CRYPTO_DEV_QAT_C3XXXVF CRYPTO_DEV_QAT_C62X CRYPTO_DEV_QAT_C62XVF CRYPTO_DEV_QAT_DH895xCC CRYPTO_DEV_QAT_DH895xCCVF CRYPTO_DEV_VIRTIO CRYPTO_DH CRYPTO_DRBG_CTR CRYPTO_DRBG_HASH CRYPTO_ECB CRYPTO_ECC CRYPTO_ECDH CRYPTO_ECRDSA CRYPTO_ENGINE CRYPTO_ESSIV CRYPTO_FCRYPT CRYPTO_GHASH_CLMUL_NI_INTEL CRYPTO_KEYWRAP CRYPTO_KHAZAD CRYPTO_KPP CRYPTO_LIB_ARC4 CRYPTO_LIB_CHACHA CRYPTO_LIB_CHACHA20POLY1305 CRYPTO_LIB_CHACHA_GENERIC CRYPTO_LIB_CURVE25519 CRYPTO_LIB_CURVE25519_GENERIC CRYPTO_LIB_DES CRYPTO_LIB_POLY1305 CRYPTO_LIB_POLY1305_GENERIC CRYPTO_LIB_SM4 CRYPTO_LRW CRYPTO_MICHAEL_MIC CRYPTO_NHPOLY1305 CRYPTO_NHPOLY1305_AVX2 CRYPTO_NHPOLY1305_SSE2 CRYPTO_PCBC CRYPTO_PCRYPT CRYPTO_POLY1305 CRYPTO_POLY1305_X86_64 CRYPTO_RMD160 CRYPTO_SEED CRYPTO_SERPENT CRYPTO_SERPENT_AVX2_X86_64 CRYPTO_SERPENT_AVX_X86_64 CRYPTO_SERPENT_SSE2_X86_64 CRYPTO_SHA1_SSSE3 CRYPTO_SHA256_SSSE3 CRYPTO_SHA3 CRYPTO_SHA512_SSSE3 CRYPTO_SIMD CRYPTO_SM2 CRYPTO_SM3 CRYPTO_SM4 CRYPTO_STREEBOG CRYPTO_TEA CRYPTO_TWOFISH CRYPTO_TWOFISH_AVX_X86_64 CRYPTO_TWOFISH_COMMON CRYPTO_TWOFISH_X86_64 CRYPTO_TWOFISH_X86_64_3WAY CRYPTO_USER CRYPTO_USER_API CRYPTO_USER_API_AEAD CRYPTO_USER_API_ENABLE_OBSOLETE CRYPTO_USER_API_HASH CRYPTO_USER_API_RNG CRYPTO_USER_API_SKCIPHER CRYPTO_VMAC CRYPTO_WP512 CRYPTO_XCBC CRYPTO_XTS CRYPTO_XXHASH CUSE CYPRESS_FIRMWARE DAMON DAMON_DBGFS DAMON_VADDR DCA DCB DEBUG_PREEMPT DMA_CMA FSCACHE FUSE_FS HAMRADIO INFINIBAND INFINIBAND_ADDR_TRANS INFINIBAND_RTRS_CLIENT IOSCHED_BFQ ISDN ISDN_CAPI LIBNVDIMM MAC80211 MAC80211_LEDS MEDIA_SUPPORT MTD NET_CLS_U32 PARTITION_ADVANCED PCCARD PCMCIA PREEMPTION RFKILL SERIAL_DEV_BUS STAGING TLS TLS_DEVICE USB_GADGET USB_PHY 
VLAN_8021Q WANT_COMPAT_NETLINK_MESSAGES WEXT_CORE WIRELESS WIRELESS_EXT WLAN WLAN_VENDOR_ATH]
disabling configs for [ubsan bug_or_warning locking atomic_sleep hang memleak], they are not needed
testing current HEAD 43bb85222e53926decace01ce6584ca88e09a0a9
testing commit 43bb85222e53926decace01ce6584ca88e09a0a9 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 1cd51ae0a63fa079538df8f199cf2a7743d10439fbaaa0feccf0851fae9c74d9
all runs: OK
false negative chance: 0.000
# git bisect start 43bb85222e53926decace01ce6584ca88e09a0a9 c79648372d02944bf4a54d87e3901db05d0ac82e
Bisecting: 376 revisions left to test after this (roughly 9 steps)
[56c4837283ebe72b409688286ab39ad262fc76b8] wifi: rtlwifi: fix possible skb memory leak in _rtl_pci_init_one_rxdesc()
determine whether the revision contains the guilty commit
revision c79648372d02944bf4a54d87e3901db05d0ac82e crashed and is reachable
testing commit 56c4837283ebe72b409688286ab39ad262fc76b8 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 8ff1c29d9049ee9752191105ced78ddec42b807c9fcda8c7535f8487876f1fd6
all runs: crashed: KASAN: use-after-free Read in remove_wait_queue
representative crash: KASAN: use-after-free Read in remove_wait_queue, types: [KASAN-USE-AFTER-FREE-READ]
# git bisect good 56c4837283ebe72b409688286ab39ad262fc76b8
Bisecting: 188 revisions left to test after this (roughly 8 steps)
[c3e0a66fd9991491011cdc18bf6d8935c051e0a5] memstick: Fix deadlock by moving removing flag earlier
determine whether the revision contains the guilty commit
revision c79648372d02944bf4a54d87e3901db05d0ac82e crashed and is reachable
testing commit c3e0a66fd9991491011cdc18bf6d8935c051e0a5 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 90bb4e9dba28d5e938c87571c1cfec691d8170cd427106a7e86cd6de6deff2d9
all runs: OK
false negative chance: 0.000
# git bisect bad c3e0a66fd9991491011cdc18bf6d8935c051e0a5
Bisecting: 93 revisions left to test after this (roughly 7 steps)
[5396de17bceae8e7628e439c1027638559b8c788] ext4: don't try to clear the orphan_present feature block device is r/o
determine whether the revision contains the guilty commit
revision c79648372d02944bf4a54d87e3901db05d0ac82e crashed and is reachable
testing commit 5396de17bceae8e7628e439c1027638559b8c788 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ab5ff5e788b0e8f62b91f15d93031f57130021d50d912fdfa2e31efe122b580d
all runs: OK
false negative chance: 0.000
# git bisect bad 5396de17bceae8e7628e439c1027638559b8c788
Bisecting: 46 revisions left to test after this (roughly 6 steps)
[19b9461829789d6f88adc466c03c17df1323e02f] ipmi: Use dev_warn_ratelimited() for incorrect message warnings
determine whether the revision contains the guilty commit
revision c79648372d02944bf4a54d87e3901db05d0ac82e crashed and is reachable
testing commit 19b9461829789d6f88adc466c03c17df1323e02f gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 96421ecf187c0978d824af4b7af85a664ebf5e7b9d4ed08f62866c94481c603b
all runs: crashed: KASAN: use-after-free Read in remove_wait_queue
representative crash: KASAN: use-after-free Read in remove_wait_queue, types: [KASAN-USE-AFTER-FREE-READ]
# git bisect good 19b9461829789d6f88adc466c03c17df1323e02f
Bisecting: 23 revisions left to test after this (roughly 5 steps)
[fa6e0cc6a7201ca6b1d7f88e9e392259f8302904] cdc-acm: fix race between initial clearing halt and open
determine whether the revision contains the guilty commit
revision 56c4837283ebe72b409688286ab39ad262fc76b8 crashed and is reachable
testing commit fa6e0cc6a7201ca6b1d7f88e9e392259f8302904 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d2582fc49e956daae657864f83760b3c4f19a5e4f88a28c166fb96567aee3cfa
all runs: OK
false negative chance: 0.000
# git bisect bad fa6e0cc6a7201ca6b1d7f88e9e392259f8302904
Bisecting: 11 revisions left to test after this (roughly 4 steps)
[481701300b7b58c4b5a1cd78a9e3ab5fbfe57e85] rtc: ds1307: remove clear of oscillator stop flag (OSF) in probe
determine whether the revision contains the guilty commit
revision 19b9461829789d6f88adc466c03c17df1323e02f crashed and is reachable
testing commit 481701300b7b58c4b5a1cd78a9e3ab5fbfe57e85 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 93b555376ed21eb29f42c598ac8e2fdd5d7aa3c05f416d793dd65fb41ddb396f
all runs: crashed: KASAN: use-after-free Read in remove_wait_queue
representative crash: KASAN: use-after-free Read in remove_wait_queue, types: [KASAN-USE-AFTER-FREE-READ]
# git bisect good 481701300b7b58c4b5a1cd78a9e3ab5fbfe57e85
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[91789de2ed201b336991394429e8447bc5b3d8f0] ext4: fix largest free orders lists corruption on mb_optimize_scan switch
determine whether the revision contains the guilty commit
revision 56c4837283ebe72b409688286ab39ad262fc76b8 crashed and is reachable
testing commit 91789de2ed201b336991394429e8447bc5b3d8f0 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 18def0388d792ad30f6639231037c60dd10eea633606b2ccac472c6bbf141fa1
all runs: crashed: KASAN: use-after-free Read in remove_wait_queue
representative crash: KASAN: use-after-free Read in remove_wait_queue, types: [KASAN-USE-AFTER-FREE-READ]
# git bisect good 91789de2ed201b336991394429e8447bc5b3d8f0
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[56b9177f17abad62315ee5fde530f80e0c62200e] usb: typec: ucsi: Update power_supply on power role change
determine whether the revision contains the guilty commit
revision 481701300b7b58c4b5a1cd78a9e3ab5fbfe57e85 crashed and is reachable
testing commit 56b9177f17abad62315ee5fde530f80e0c62200e gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 8d565fa954c8b93639dc99a06dd44921bdd66c7e4bd1d505a2c827c4ef644d53
all runs: crashed: KASAN: use-after-free Read in remove_wait_queue
representative crash: KASAN: use-after-free Read in remove_wait_queue, types: [KASAN-USE-AFTER-FREE-READ]
# git bisect good 56b9177f17abad62315ee5fde530f80e0c62200e
Bisecting: 0 revisions left to test after this (roughly 1 step)
[6eb63a710da36a1d88b7fc5096408093569302be] thunderbolt: Fix copy+paste error in match_service_id()
determine whether the revision contains the guilty commit
revision 481701300b7b58c4b5a1cd78a9e3ab5fbfe57e85 crashed and is reachable
testing commit 6eb63a710da36a1d88b7fc5096408093569302be gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d2582fc49e956daae657864f83760b3c4f19a5e4f88a28c166fb96567aee3cfa
all runs: OK
false negative chance: 0.000
# git bisect bad 6eb63a710da36a1d88b7fc5096408093569302be
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[d85fac8729c9acfd72368faff1d576ec585e5c8f] comedi: fix race between polling and detaching
determine whether the revision contains the guilty commit
revision c79648372d02944bf4a54d87e3901db05d0ac82e crashed and is reachable
testing commit d85fac8729c9acfd72368faff1d576ec585e5c8f gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d2582fc49e956daae657864f83760b3c4f19a5e4f88a28c166fb96567aee3cfa
all runs: OK
false negative chance: 0.000
# git bisect bad d85fac8729c9acfd72368faff1d576ec585e5c8f
d85fac8729c9acfd72368faff1d576ec585e5c8f is the first bad commit
commit d85fac8729c9acfd72368faff1d576ec585e5c8f
Author: Ian Abbott
Date:   Tue Jul 22 16:53:16 2025 +0100

    comedi: fix race between polling and detaching

    commit 35b6fc51c666fc96355be5cd633ed0fe4ccf68b2 upstream.

    syzbot reports a use-after-free in comedi in the below link, which is
    due to comedi gladly removing the allocated async area even though poll
    requests are still active on the wait_queue_head inside of it. This can
    cause a use-after-free when the poll entries are later triggered or
    removed, as the memory for the wait_queue_head has been freed.

    We need to check there are no tasks queued on any of the subdevices'
    wait queues before allowing the device to be detached by the
    `COMEDI_DEVCONFIG` ioctl.

    Tasks will read-lock `dev->attach_lock` before adding themselves to the
    subdevice wait queue, so fix the problem in the `COMEDI_DEVCONFIG` ioctl
    handler by write-locking `dev->attach_lock` before checking that all of
    the subdevices are safe to be deleted. This includes testing for any
    sleepers on the subdevices' wait queues. It remains locked until the
    device has been detached. This requires the `comedi_device_detach()`
    function to be refactored slightly, moving the bulk of it into new
    function `comedi_device_detach_locked()`.

    Note that the refactor of `comedi_device_detach()` results in
    `comedi_device_cancel_all()` now being called while `dev->attach_lock`
    is write-locked, which wasn't the case previously, but that does not
    matter.

    Thanks to Jens Axboe for diagnosing the problem and co-developing this
    patch.

    Cc: stable
    Fixes: 2f3fdcd7ce93 ("staging: comedi: add rw_semaphore to protect against device detachment")
    Link: https://lore.kernel.org/all/687bd5fe.a70a0220.693ce.0091.GAE@google.com/
    Reported-by: syzbot+01523a0ae5600aef5895@syzkaller.appspotmail.com
    Closes: https://syzkaller.appspot.com/bug?extid=01523a0ae5600aef5895
    Co-developed-by: Jens Axboe
    Signed-off-by: Jens Axboe
    Signed-off-by: Ian Abbott
    Tested-by: Jens Axboe
    Link: https://lore.kernel.org/r/20250722155316.27432-1-abbotti@mev.co.uk
    Signed-off-by: Greg Kroah-Hartman

 drivers/comedi/comedi_fops.c     | 31 ++++++++++++++++++++++++-------
 drivers/comedi/comedi_internal.h |  1 +
 drivers/comedi/drivers.c         | 13 ++++++++++---
 3 files changed, 35 insertions(+), 10 deletions(-)

accumulated error probability: 0.00
culprit signature: d2582fc49e956daae657864f83760b3c4f19a5e4f88a28c166fb96567aee3cfa
parent signature: 8d565fa954c8b93639dc99a06dd44921bdd66c7e4bd1d505a2c827c4ef644d53
revisions tested: 18, total time: 3h31m2.332704681s (build: 1h9m33.355655828s, test: 2h16m16.752015494s)
first good commit: d85fac8729c9acfd72368faff1d576ec585e5c8f comedi: fix race between polling and detaching
recipients (to): ["abbotti@mev.co.uk" "axboe@kernel.dk" "gregkh@linuxfoundation.org"]
recipients (cc): []