bisecting cause commit starting from 7ae77150d94d3b535c7b85e6b3647113095e79bf building syzkaller on 7751efd04aebb07bc82b5c0e8eeaca07be1ae112 testing commit 7ae77150d94d3b535c7b85e6b3647113095e79bf with gcc (GCC) 8.1.0 kernel signature: dafb5a437ae5e883272ffc4720cc9439e629b19efb78a71b143572eaf484cddc all runs: crashed: KASAN: use-after-free Write in fsnotify_detach_connector_from_object testing release v5.7 testing commit 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162 with gcc (GCC) 8.1.0 kernel signature: 58b1c43073f048a5c583eeb239386bfed8cf06f13ed2fcc6d429f734020d3fff all runs: crashed: KASAN: use-after-free Write in fsnotify_detach_connector_from_object testing release v5.6 testing commit 7111951b8d4973bda27ff663f2cf18b663d15b48 with gcc (GCC) 8.1.0 kernel signature: 9e1eb0e8629574d5511fa5b4895d52e911a0a6bbce9e54b13190eee482e95dc0 all runs: OK # git bisect start 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162 7111951b8d4973bda27ff663f2cf18b663d15b48 Bisecting: 7542 revisions left to test after this (roughly 13 steps) [50a5de895dbe5df947b3a695777db5b2c313e065] Merge tag 'for-linus-hmm' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma testing commit 50a5de895dbe5df947b3a695777db5b2c313e065 with gcc (GCC) 8.1.0 kernel signature: 9e72dc2999275eef919a50a0fc00e8701a952b420851a9d8cff7536f447da35e all runs: OK # git bisect good 50a5de895dbe5df947b3a695777db5b2c313e065 Bisecting: 3742 revisions left to test after this (roughly 12 steps) [d38c07afc356ddebaa3ed8ecb3f553340e05c969] Merge tag 'powerpc-5.7-1' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux testing commit d38c07afc356ddebaa3ed8ecb3f553340e05c969 with gcc (GCC) 8.1.0 kernel signature: 0375ad3b1706e36f2918535e3c179dadb5d8bf8a3c8cc958e582bbbc3e523929 all runs: crashed: KASAN: use-after-free Write in fsnotify_detach_connector_from_object # git bisect bad d38c07afc356ddebaa3ed8ecb3f553340e05c969 Bisecting: 1850 revisions left to test after this (roughly 11 steps) [bef7b2a7be28638770972ab2709adf11d601c11a] Merge tag 'devicetree-for-5.7' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux testing commit bef7b2a7be28638770972ab2709adf11d601c11a with gcc (GCC) 8.1.0 kernel signature: ce8c4ee85ecf488750f30efe9218cd9229284616334e10d6d340036ef2834375 run #0: crashed: KASAN: use-after-free Write in fsnotify_detach_connector_from_object run #1: crashed: KASAN: use-after-free Write in fsnotify_detach_connector_from_object run #2: crashed: KASAN: use-after-free Write in fsnotify_detach_connector_from_object run #3: crashed: KASAN: use-after-free Write in fsnotify_detach_connector_from_object run #4: crashed: KASAN: use-after-free Write in fsnotify_detach_connector_from_object run #5: crashed: KASAN: use-after-free Write in fsnotify_detach_connector_from_object run #6: crashed: KASAN: use-after-free Read in iput run #7: crashed: KASAN: use-after-free Write in fsnotify_detach_connector_from_object run #8: crashed: KASAN: use-after-free Write in fsnotify_detach_connector_from_object run #9: crashed: KASAN: use-after-free Write in fsnotify_detach_connector_from_object # git bisect bad bef7b2a7be28638770972ab2709adf11d601c11a Bisecting: 1022 revisions left to test after this (roughly 10 steps) [bc3b3f4bfbded031a11c4284106adddbfacd05bb] Merge tag 'pinctrl-v5.7-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl testing commit bc3b3f4bfbded031a11c4284106adddbfacd05bb with gcc (GCC) 8.1.0 kernel signature: ef4a24a42c1fc0c1ab79dc0db22f045232169d245fb2b8fc0365027244a3c080 all runs: crashed: KASAN: use-after-free Write in fsnotify_detach_connector_from_object # git bisect bad bc3b3f4bfbded031a11c4284106adddbfacd05bb Bisecting: 406 revisions left to test after this (roughly 9 steps) [6cad420cc695867b4ca710bac21fde21a4102e4b] Merge branch 'akpm' (patches from Andrew) testing commit 6cad420cc695867b4ca710bac21fde21a4102e4b with gcc (GCC) 8.1.0 kernel signature: b3a3da72e8f07bfbcf41cf1ef9e4eca12762a386c267093302b426eca9615318 all runs: crashed: KASAN: use-after-free Write in fsnotify_detach_connector_from_object # git bisect bad 6cad420cc695867b4ca710bac21fde21a4102e4b Bisecting: 264 revisions left to test after this (roughly 8 steps) [7db83c070bd29e73c8bb42d4b48c976be76f1dbe] Merge tag 'vfs-5.7-merge-1' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux testing commit 7db83c070bd29e73c8bb42d4b48c976be76f1dbe with gcc (GCC) 8.1.0 kernel signature: 78656481d97f281c5dc03643912a099dfe7058e892a060400212553e563412c8 all runs: crashed: KASAN: use-after-free Write in fsnotify_detach_connector_from_object # git bisect bad 7db83c070bd29e73c8bb42d4b48c976be76f1dbe Bisecting: 126 revisions left to test after this (roughly 7 steps) [fd72926c332eaa28845b1f655b24006158ec5207] RDMA/hns: Adjust the qp status value sequence of the hardware testing commit fd72926c332eaa28845b1f655b24006158ec5207 with gcc (GCC) 8.1.0 kernel signature: 2ca336ff6856b14de4fe649cd1386df3761ef7ae89a4cc436496100e54f6c297 all runs: OK # git bisect good fd72926c332eaa28845b1f655b24006158ec5207 Bisecting: 63 revisions left to test after this (roughly 6 steps) [c5971b8c6354a95c9ee7eb722928af5000bac247] take post-lookup part of do_last() out of loop testing commit c5971b8c6354a95c9ee7eb722928af5000bac247 with gcc (GCC) 8.1.0 kernel signature: 1da22092ad1727d84ac91173f930e529fccd0576ee1c25695a7f42004e20f892 all runs: OK # git bisect good c5971b8c6354a95c9ee7eb722928af5000bac247 Bisecting: 35 revisions left to test after this (roughly 5 steps) [d1e7fd6462ca9fc76650fbe6ca800e35b24267da] signal: Extend exec_id to 64bits testing commit d1e7fd6462ca9fc76650fbe6ca800e35b24267da with gcc (GCC) 8.1.0 kernel signature: 7f46584ac008908d2fa16ab88129715eebcca08e36133dccddfb33c657d44307 all runs: crashed: KASAN: use-after-free Write in fsnotify_detach_connector_from_object # git bisect bad d1e7fd6462ca9fc76650fbe6ca800e35b24267da Bisecting: 13 revisions left to test after this (roughly 4 steps) [021691559245498dfa15454c9fc4351f367d0b7f] exec: Factor unshare_sighand out of de_thread and call it separately testing commit 021691559245498dfa15454c9fc4351f367d0b7f with gcc (GCC) 8.1.0 kernel signature: 09286c3132c87b5f3cf4d1abde2a7ad3320dff1d4bced05059198a57beb7e3e0 run #0: crashed: KASAN: use-after-free Write in fsnotify_detach_connector_from_object run #1: crashed: KASAN: use-after-free Write in fsnotify_detach_connector_from_object run #2: crashed: KASAN: use-after-free Write in fsnotify_detach_connector_from_object run #3: crashed: KASAN: use-after-free Write in fsnotify_detach_connector_from_object run #4: crashed: KASAN: use-after-free Write in fsnotify_detach_connector_from_object run #5: crashed: KASAN: use-after-free Write in fsnotify_detach_connector_from_object run #6: crashed: KASAN: use-after-free Write in fsnotify_detach_connector_from_object run #7: crashed: KASAN: use-after-free Write in fsnotify_detach_connector_from_object run #8: crashed: KASAN: use-after-free Write in fsnotify_detach_connector_from_object run #9: boot failed: can't ssh into the instance # git bisect bad 021691559245498dfa15454c9fc4351f367d0b7f Bisecting: 6 revisions left to test after this (roughly 3 steps) [a13ae6971599dd01a5fa8da9ee1bd5bb3efa01b3] proc: Dentry flushing without proc_mnt testing commit a13ae6971599dd01a5fa8da9ee1bd5bb3efa01b3 with gcc (GCC) 8.1.0 kernel signature: cf45a4b66ac88377e8dbe81ec4bcd3c0f303d13a79c7cca77d7a0cb8562d0b05 all runs: OK # git bisect good a13ae6971599dd01a5fa8da9ee1bd5bb3efa01b3 Bisecting: 3 revisions left to test after this (roughly 2 steps) [69879c01a0c3f70e0887cfb4d9ff439814361e46] proc: Remove the now unnecessary internal mount of proc testing commit 69879c01a0c3f70e0887cfb4d9ff439814361e46 with gcc (GCC) 8.1.0 kernel signature: 42631ef6244829a9684129da9d86691e1165e42a9073d4e92c771d5fb7d6b3b8 all runs: crashed: KASAN: use-after-free Write in fsnotify_detach_connector_from_object # git bisect bad 69879c01a0c3f70e0887cfb4d9ff439814361e46 Bisecting: 0 revisions left to test after this (roughly 1 step) [76313c70c52f930af4afd21684509ca52297ea71] uml: Create a private mount of proc for mconsole testing commit 76313c70c52f930af4afd21684509ca52297ea71 with gcc (GCC) 8.1.0 kernel signature: d5a06e6fc805d2a51835c4064e56af67c586095323d00fb5b37d65ae5a06fd43 run #0: OK run #1: OK run #2: OK run #3: OK run #4: crashed: general protection fault in batadv_iv_ogm_schedule_buff run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 76313c70c52f930af4afd21684509ca52297ea71 Bisecting: 0 revisions left to test after this (roughly 0 steps) [af1abab986b85fdeb3e98c037988cfa4bf9d4018] uml: Don't consult current to find the proc_mnt in mconsole_proc testing commit af1abab986b85fdeb3e98c037988cfa4bf9d4018 with gcc (GCC) 8.1.0 kernel signature: 5dcc6294c0c1686fac9875794216e0ebd67f69343cfef3c62efd1b495cfed9a9 run #0: basic kernel testing failed: failed to copy test binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/syzkaller/jobs/linux/workdir/image/key" "/tmp/syz-executor350418670" "root@10.128.15.201:./syz-executor350418670"]: exit status 1 ssh: connect to host 10.128.15.201 port 22: Connection timed out lost connection run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect good af1abab986b85fdeb3e98c037988cfa4bf9d4018 76313c70c52f930af4afd21684509ca52297ea71 is the first bad commit commit 76313c70c52f930af4afd21684509ca52297ea71 Author: Eric W. Biederman Date: Wed Feb 19 10:37:15 2020 -0600 uml: Create a private mount of proc for mconsole The mconsole code only ever accesses proc for the initial pid namespace. Instead of depending upon the proc_mnt which is for proc_flush_task have uml create it's own mount of proc instead. This allows proc_flush_task to evolve and remove the need for having a proc_mnt to do it's job. Cc: Jeff Dike Cc: Richard Weinberger Cc: Anton Ivanov Signed-off-by: Eric W. Biederman arch/um/drivers/mconsole_kern.c | 28 +++++++++++++++++++++++++++- 1 file changed, 27 insertions(+), 1 deletion(-) culprit signature: d5a06e6fc805d2a51835c4064e56af67c586095323d00fb5b37d65ae5a06fd43 parent signature: 5dcc6294c0c1686fac9875794216e0ebd67f69343cfef3c62efd1b495cfed9a9 revisions tested: 17, total time: 3h49m38.236199196s (build: 1h45m37.563549345s, test: 2h2m45.921491052s) first bad commit: 76313c70c52f930af4afd21684509ca52297ea71 uml: Create a private mount of proc for mconsole cc: ["adobriyan@gmail.com" "akpm@linux-foundation.org" "alex.dewar@gmx.co.uk" "anton.ivanov@cambridgegreys.com" "ebiederm@xmission.com" "jdike@addtoit.com" "linux-kernel@vger.kernel.org" "linux-um@lists.infradead.org" "richard@nod.at" "sfr@canb.auug.org.au"] crash: general protection fault in batadv_iv_ogm_schedule_buff general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] CPU: 0 PID: 18420 Comm: kworker/u4:3 Not tainted 5.6.0-rc2-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: bat_events batadv_iv_send_outstanding_bat_ogm_packet RIP: 0010:batadv_iv_ogm_schedule_buff+0x2d2/0xef0 net/batman-adv/bat_iv_ogm.c:814 Code: 03 80 3c 11 00 0f 85 66 0b 00 00 48 8b 8b 88 00 00 00 48 ba 00 00 00 00 00 fc ff df 48 8d 79 16 49 89 ce 48 89 f9 48 c1 e9 03 <0f> b6 0c 11 48 89 fa 83 e2 07 83 c2 01 38 ca 7c 08 84 c9 0f 85 90 RSP: 0018:ffffc900035f7c00 EFLAGS: 00010203 RAX: 0000000000000000 RBX: ffff888086da9000 RCX: 0000000000000002 RDX: dffffc0000000000 RSI: ffff888086da9088 RDI: 0000000000000016 RBP: ffffc900035f7cf0 R08: fffffbfff1333f79 R09: fffffbfff1333f79 R10: fffffbfff1333f78 R11: ffffffff8999fbc7 R12: ffff8880a28bac00 R13: ffff888086da9000 R14: 0000000000000000 R15: ffff88808777c000 FS: 0000000000000000(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000004ccab0 CR3: 00000000a8068000 CR4: 00000000001406f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: batadv_iv_ogm_schedule net/batman-adv/bat_iv_ogm.c:865 [inline] batadv_iv_send_outstanding_bat_ogm_packet+0x582/0x810 net/batman-adv/bat_iv_ogm.c:1718 process_one_work+0x903/0x15c0 kernel/workqueue.c:2264 worker_thread+0x82/0xb50 kernel/workqueue.c:2410 kthread+0x31d/0x3e0 kernel/kthread.c:255 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 Modules linked in: ---[ end trace f598012a8265a09d ]--- RIP: 0010:batadv_iv_ogm_schedule_buff+0x2d2/0xef0 net/batman-adv/bat_iv_ogm.c:814 Code: 03 80 3c 11 00 0f 85 66 0b 00 00 48 8b 8b 88 00 00 00 48 ba 00 00 00 00 00 fc ff df 48 8d 79 16 49 89 ce 48 89 f9 48 c1 e9 03 <0f> b6 0c 11 48 89 fa 83 e2 07 83 c2 01 38 ca 7c 08 84 c9 0f 85 90 RSP: 0018:ffffc900035f7c00 EFLAGS: 00010203 RAX: 0000000000000000 RBX: ffff888086da9000 RCX: 0000000000000002 RDX: dffffc0000000000 RSI: ffff888086da9088 RDI: 0000000000000016 RBP: ffffc900035f7cf0 R08: fffffbfff1333f79 R09: fffffbfff1333f79 R10: fffffbfff1333f78 R11: ffffffff8999fbc7 R12: ffff8880a28bac00 R13: ffff888086da9000 R14: 0000000000000000 R15: ffff88808777c000 FS: 0000000000000000(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000004ccab0 CR3: 0000000008a6d000 CR4: 00000000001406f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400