bisecting cause commit starting from ddf21bd8ab984ccaa924f090fc7f515bb6d51414
building syzkaller on 70b76c1d627711cc3ef109af16d6cb7429a61fe3
testing commit ddf21bd8ab984ccaa924f090fc7f515bb6d51414
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 653349d7f6c7859cbf6ebaa01ec40e3057e0687eddb3d1be9744c9bec5f03614
all runs: crashed: general protection fault in cgroup_sk_free
testing release v5.14
testing commit 7d2a07b769330c34b4deabeed939325c77a7ec2f
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 6c09caf48a2f437d45656e74ace828435bf518ecfc6c6c0e45c0e56ff24755f5
all runs: OK
# git bisect start ddf21bd8ab984ccaa924f090fc7f515bb6d51414 7d2a07b769330c34b4deabeed939325c77a7ec2f
Bisecting: 5997 revisions left to test after this (roughly 13 steps)
[1b4f3dfb4792f03b139edf10124fcbeb44e608e6] Merge tag 'usb-serial-5.15-rc1' of https://git.kernel.org/pub/scm/linux/kernel/git/johan/usb-serial into usb-next

testing commit 1b4f3dfb4792f03b139edf10124fcbeb44e608e6
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: cf629a870e89c7b9dba339caad0ad27f8c5ef0cc1c475fe0004787fe8e67db05
run #0: crashed: KASAN: use-after-free Read in __d_alloc
run #1: crashed: KFENCE: use-after-free in kvm_fastop_exception
run #2: crashed: KFENCE: use-after-free in kvm_fastop_exception
run #3: crashed: KASAN: use-after-free Read in __d_alloc
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: crashed: WARNING: ODEBUG bug in netdev_run_todo
run #9: OK
# git bisect bad 1b4f3dfb4792f03b139edf10124fcbeb44e608e6
Bisecting: 3531 revisions left to test after this (roughly 11 steps)
[29ce8f9701072fc221d9c38ad952de1a9578f95c] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net

testing commit 29ce8f9701072fc221d9c38ad952de1a9578f95c
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: ebf08d6d1535aeb45de229605d4adf5d9ed4056f0cd258a8cd977a9772105c6a
all runs: OK
# git bisect good 29ce8f9701072fc221d9c38ad952de1a9578f95c
Bisecting: 1760 revisions left to test after this (roughly 11 steps)
[e7c1bbcf0c315c56cd970642214aa1df3d8cf61d] Merge tag 'hwmon-for-v5.15' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging

testing commit e7c1bbcf0c315c56cd970642214aa1df3d8cf61d
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 0fb459dfde3c037ab4e92d828ac4d1ce1eed8e402ce1c29056f7856c871d70d1
run #0: crashed: KASAN: use-after-free Read in __d_alloc
run #1: OK
run #2: crashed: KASAN: use-after-free Read in __d_alloc
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
reproducer seems to be flaky
# git bisect bad e7c1bbcf0c315c56cd970642214aa1df3d8cf61d
Bisecting: 838 revisions left to test after this (roughly 10 steps)
[679369114e55f422dc593d0628cfde1d04ae59b3] Merge tag 'for-5.15/block-2021-08-30' of git://git.kernel.dk/linux-block

testing commit 679369114e55f422dc593d0628cfde1d04ae59b3
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 4fcb638f01bab1eefe32a12645b0cad1a5d0dec76fbd7b3b48bf1969cd1906cc
all runs: OK
# git bisect good 679369114e55f422dc593d0628cfde1d04ae59b3
Bisecting: 416 revisions left to test after this (roughly 9 steps)
[9c849ce86e0fa93a218614eac562ace44053d7ce] Merge tag '5.15-rc-smb3-fixes-part1' of git://git.samba.org/sfrench/cifs-2.6

testing commit 9c849ce86e0fa93a218614eac562ace44053d7ce
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 456917c6461e1f90d946fffdb01615460a4dfe13be67c0eab70d073d9a68709a
run #0: crashed: KFENCE: use-after-free in kvm_fastop_exception
run #1: crashed: KASAN: use-after-free Read in __d_alloc
run #2: crashed: KASAN: use-after-free Read in __d_alloc
run #3: crashed: KASAN: use-after-free Read in __d_alloc
run #4: crashed: KASAN: use-after-free Read in __d_alloc
run #5: crashed: KFENCE: use-after-free in kvm_fastop_exception
run #6: crashed: KASAN: use-after-free Read in __d_alloc
run #7: crashed: KASAN: use-after-free Read in __d_alloc
run #8: crashed: KASAN: use-after-free Read in __d_alloc
run #9: crashed: KASAN: use-after-free Read in __d_alloc
run #10: crashed: KFENCE: use-after-free in kvm_fastop_exception
run #11: crashed: KASAN: use-after-free Read in __d_alloc
run #12: crashed: KASAN: use-after-free Read in __d_alloc
run #13: OK
run #14: OK
run #15: OK
run #16: OK
run #17: OK
run #18: OK
run #19: OK
# git bisect bad 9c849ce86e0fa93a218614eac562ace44053d7ce
Bisecting: 210 revisions left to test after this (roughly 8 steps)
[777cad1604d68ed4379ec899d1f7d2f6a29f01f0] ksmbd: remove select FS_POSIX_ACL in Kconfig

testing commit 777cad1604d68ed4379ec899d1f7d2f6a29f01f0
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 8eb4603ed21a24939926c9c77a1c7ac7c0cadecdbb0d5b0f4afa24350409dce2
all runs: OK
# git bisect good 777cad1604d68ed4379ec899d1f7d2f6a29f01f0
Bisecting: 123 revisions left to test after this (roughly 7 steps)
[87df7fb922d18e96992aa5e824aa34b2065fef59] io-wq: fix wakeup race when adding new work

testing commit 87df7fb922d18e96992aa5e824aa34b2065fef59
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: d2fb213877d5ab6d5be28cd1fe1cddf7dcdb31522f00c1db5a221465da4f2ba8
all runs: OK
# git bisect good 87df7fb922d18e96992aa5e824aa34b2065fef59
Bisecting: 63 revisions left to test after this (roughly 6 steps)
[c547d89a9a445f6bb757b93247de43d312e722da] Merge tag 'for-5.15/io_uring-2021-08-30' of git://git.kernel.dk/linux-block

testing commit c547d89a9a445f6bb757b93247de43d312e722da
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: da1ffa0e21889a31226338a95045a2cf1d53d36a185a475aa9736978bb5fd364
all runs: OK
# git bisect good c547d89a9a445f6bb757b93247de43d312e722da
Bisecting: 33 revisions left to test after this (roughly 5 steps)
[7d5d8d7156892f82cf40b63228ce788248cc57a3] ksmbd: fix __write_overflow warning in ndr_read_string

testing commit 7d5d8d7156892f82cf40b63228ce788248cc57a3
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 8eb4603ed21a24939926c9c77a1c7ac7c0cadecdbb0d5b0f4afa24350409dce2
all runs: OK
# git bisect good 7d5d8d7156892f82cf40b63228ce788248cc57a3
Bisecting: 12 revisions left to test after this (roughly 4 steps)
[b91db6a0b52e019b6bdabea3f1dbe36d85c7e52c] Merge tag 'for-5.15/io_uring-vfs-2021-08-30' of git://git.kernel.dk/linux-block

testing commit b91db6a0b52e019b6bdabea3f1dbe36d85c7e52c
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: eafa337aaa8a8a4b53446dad1da8a75c4e885b1f9c9eb85ff5f14818c84f9f2c
run #0: crashed: KASAN: use-after-free Read in __d_alloc
run #1: crashed: KFENCE: use-after-free in kvm_fastop_exception
run #2: crashed: KASAN: use-after-free Read in __d_alloc
run #3: crashed: KASAN: use-after-free Read in __d_alloc
run #4: crashed: KASAN: use-after-free Read in __d_alloc
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
run #10: OK
run #11: OK
run #12: OK
run #13: OK
run #14: OK
run #15: OK
run #16: OK
run #17: OK
run #18: OK
run #19: OK
# git bisect bad b91db6a0b52e019b6bdabea3f1dbe36d85c7e52c
Bisecting: 10 revisions left to test after this (roughly 3 steps)
[7a8721f84fcb3b2946a92380b6fc311e017ff02c] io_uring: add support for IORING_OP_SYMLINKAT

testing commit 7a8721f84fcb3b2946a92380b6fc311e017ff02c
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 492ce90e9cef886a98e351c2bbaad2d7caa8d94453a6d2cefe6d2f5e3d3a921f
run #0: crashed: KFENCE: use-after-free in kvm_fastop_exception
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
run #10: OK
run #11: OK
run #12: OK
run #13: OK
run #14: OK
run #15: OK
run #16: OK
run #17: OK
run #18: OK
run #19: OK
# git bisect bad 7a8721f84fcb3b2946a92380b6fc311e017ff02c
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[da2d0cede330192879e8e16ddb3158aa76ba5ec2] namei: make do_symlinkat() take struct filename

testing commit da2d0cede330192879e8e16ddb3158aa76ba5ec2
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: eafb677bdb9130ea30cbbb01952963732ba903af495879857b41bd458f634d65
run #0: OK
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
run #10: OK
run #11: OK
run #12: OK
run #13: OK
run #14: OK
run #15: OK
run #16: OK
run #17: OK
run #18: OK
run #19: boot failed: KFENCE: use-after-free in kvm_fastop_exception
# git bisect good da2d0cede330192879e8e16ddb3158aa76ba5ec2
Bisecting: 2 revisions left to test after this (roughly 1 step)
[020250f31c4c75ac7687a673e29c00786582a5f4] namei: make do_linkat() take struct filename

testing commit 020250f31c4c75ac7687a673e29c00786582a5f4
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: de6af474ce2a315306510c5aa10fed21f65ae52990a633f2ea4bb2ed9a1f70aa
run #0: crashed: KASAN: use-after-free Read in __d_alloc
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
run #10: OK
run #11: OK
run #12: OK
run #13: OK
run #14: OK
run #15: OK
run #16: OK
run #17: OK
run #18: OK
run #19: OK
# git bisect bad 020250f31c4c75ac7687a673e29c00786582a5f4
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[8228e2c313194f13f1d1806ed5734a26c38d49ac] namei: add getname_uflags()

testing commit 8228e2c313194f13f1d1806ed5734a26c38d49ac
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: e4c8ee98d43ccba6f3e5cb6645119379ccc60ea2bccc5998efe0d84c54d77b14
all runs: OK
# git bisect good 8228e2c313194f13f1d1806ed5734a26c38d49ac
020250f31c4c75ac7687a673e29c00786582a5f4 is the first bad commit
commit 020250f31c4c75ac7687a673e29c00786582a5f4
Author: Dmitry Kadashev <dkadashev@gmail.com>
Date:   Thu Jul 8 13:34:43 2021 +0700

    namei: make do_linkat() take struct filename
    
    Pass in the struct filename pointers instead of the user string, for
    uniformity with do_renameat2, do_unlinkat, do_mknodat, etc.
    
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Christian Brauner <christian.brauner@ubuntu.com>
    Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
    Link: https://lore.kernel.org/io-uring/20210330071700.kpjoyp5zlni7uejm@wittgenstein/
    Signed-off-by: Dmitry Kadashev <dkadashev@gmail.com>
    Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
    Link: https://lore.kernel.org/r/20210708063447.3556403-8-dkadashev@gmail.com
    Signed-off-by: Jens Axboe <axboe@kernel.dk>

 fs/namei.c | 45 +++++++++++++++++++++++++++++----------------
 1 file changed, 29 insertions(+), 16 deletions(-)

culprit signature: de6af474ce2a315306510c5aa10fed21f65ae52990a633f2ea4bb2ed9a1f70aa
parent  signature: e4c8ee98d43ccba6f3e5cb6645119379ccc60ea2bccc5998efe0d84c54d77b14
Reproducer flagged being flaky
revisions tested: 16, total time: 4h11m15.700599915s (build: 1h43m28.406045987s, test: 2h25m44.81059473s)
first bad commit: 020250f31c4c75ac7687a673e29c00786582a5f4 namei: make do_linkat() take struct filename
recipients (to): ["axboe@kernel.dk" "christian.brauner@ubuntu.com" "dkadashev@gmail.com" "torvalds@linux-foundation.org"]
recipients (cc): []
crash: KASAN: use-after-free Read in __d_alloc
==================================================================
BUG: KASAN: use-after-free in __d_alloc+0x16a/0x8f0 fs/dcache.c:1775
Read of size 5 at addr ffff88802f126620 by task kdevtmpfs/22

CPU: 1 PID: 22 Comm: kdevtmpfs Not tainted 5.14.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x57/0x7d lib/dump_stack.c:105
 print_address_description.constprop.0.cold+0x6c/0x309 mm/kasan/report.c:233
 __kasan_report mm/kasan/report.c:419 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:436
 check_region_inline mm/kasan/generic.c:183 [inline]
 kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
 memcpy+0x20/0x60 mm/kasan/shadow.c:65
 __d_alloc+0x16a/0x8f0 fs/dcache.c:1775
 d_alloc+0x3f/0x200 fs/dcache.c:1823
 __lookup_hash+0x97/0x140 fs/namei.c:1554
 kern_path_locked+0x146/0x300 fs/namei.c:2567
 handle_remove+0x9a/0x4fa drivers/base/devtmpfs.c:312
 handle drivers/base/devtmpfs.c:382 [inline]
 devtmpfs_work_loop drivers/base/devtmpfs.c:395 [inline]
 devtmpfsd+0x176/0x24e drivers/base/devtmpfs.c:437
 kthread+0x38b/0x460 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Allocated by task 22:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 __kasan_slab_alloc+0x83/0xb0 mm/kasan/common.c:467
 kasan_slab_alloc include/linux/kasan.h:254 [inline]
 slab_post_alloc_hook mm/slab.h:519 [inline]
 slab_alloc_node mm/slub.c:2959 [inline]
 slab_alloc mm/slub.c:2967 [inline]
 kmem_cache_alloc+0x285/0x4a0 mm/slub.c:2972
 getname_kernel+0x48/0x330 fs/namei.c:226
 kern_path_locked+0x6f/0x300 fs/namei.c:2558
 handle_remove+0x9a/0x4fa drivers/base/devtmpfs.c:312
 handle drivers/base/devtmpfs.c:382 [inline]
 devtmpfs_work_loop drivers/base/devtmpfs.c:395 [inline]
 devtmpfsd+0x176/0x24e drivers/base/devtmpfs.c:437
 kthread+0x38b/0x460 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Freed by task 22:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track+0x1c/0x30 mm/kasan/common.c:46
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:360
 ____kasan_slab_free mm/kasan/common.c:366 [inline]
 ____kasan_slab_free mm/kasan/common.c:328 [inline]
 __kasan_slab_free+0xff/0x130 mm/kasan/common.c:374
 kasan_slab_free include/linux/kasan.h:230 [inline]
 slab_free_hook mm/slub.c:1628 [inline]
 slab_free_freelist_hook+0xe3/0x250 mm/slub.c:1653
 slab_free mm/slub.c:3213 [inline]
 kmem_cache_free+0x8a/0x5b0 mm/slub.c:3229
 putname include/linux/err.h:41 [inline]
 filename_parentat fs/namei.c:2547 [inline]
 kern_path_locked+0xa7/0x300 fs/namei.c:2558
 handle_remove+0x9a/0x4fa drivers/base/devtmpfs.c:312
 handle drivers/base/devtmpfs.c:382 [inline]
 devtmpfs_work_loop drivers/base/devtmpfs.c:395 [inline]
 devtmpfsd+0x176/0x24e drivers/base/devtmpfs.c:437
 kthread+0x38b/0x460 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

The buggy address belongs to the object at ffff88802f126600
 which belongs to the cache names_cache of size 4096
The buggy address is located 32 bytes inside of
 4096-byte region [ffff88802f126600, ffff88802f127600)
The buggy address belongs to the page:
page:ffffea0000bc4800 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2f120
head:ffffea0000bc4800 order:3 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 dead000000000100 dead000000000122 ffff88800f9c4500
raw: 0000000000000000 0000000080070007 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4866, ts 187367782852, free_ts 187350157780
 prep_new_page mm/page_alloc.c:2436 [inline]
 get_page_from_freelist+0xa6f/0x2f50 mm/page_alloc.c:4168
 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5390
 alloc_slab_page mm/slub.c:1691 [inline]
 allocate_slab+0x32e/0x4b0 mm/slub.c:1831
 new_slab mm/slub.c:1894 [inline]
 new_slab_objects mm/slub.c:2640 [inline]
 ___slab_alloc+0x4ba/0x820 mm/slub.c:2803
 __slab_alloc.constprop.0+0xa7/0xf0 mm/slub.c:2843
 slab_alloc_node mm/slub.c:2925 [inline]
 slab_alloc mm/slub.c:2967 [inline]
 kmem_cache_alloc+0x3e1/0x4a0 mm/slub.c:2972
 getname_flags.part.0+0x4a/0x440 fs/namei.c:138
 user_path_at_empty+0x1e/0x60 fs/namei.c:2770
 user_path_at include/linux/namei.h:57 [inline]
 do_faccessat+0xc0/0x660 fs/open.c:425
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1346 [inline]
 free_pcp_prepare+0x2c5/0x780 mm/page_alloc.c:1397
 free_unref_page_prepare mm/page_alloc.c:3332 [inline]
 free_unref_page+0x19/0x690 mm/page_alloc.c:3411
 unfreeze_partials+0x17c/0x1d0 mm/slub.c:2421
 put_cpu_partial+0x13d/0x230 mm/slub.c:2457
 qlink_free mm/kasan/quarantine.c:146 [inline]
 qlist_free_all+0x5a/0xc0 mm/kasan/quarantine.c:165
 kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:272
 __kasan_slab_alloc+0x95/0xb0 mm/kasan/common.c:444
 kasan_slab_alloc include/linux/kasan.h:254 [inline]
 slab_post_alloc_hook mm/slab.h:519 [inline]
 slab_alloc_node mm/slub.c:2959 [inline]
 slab_alloc mm/slub.c:2967 [inline]
 kmem_cache_alloc+0x285/0x4a0 mm/slub.c:2972
 getname_flags.part.0+0x4a/0x440 fs/namei.c:138
 user_path_at_empty+0x1e/0x60 fs/namei.c:2770
 user_path_at include/linux/namei.h:57 [inline]
 vfs_statx+0xd6/0x2e0 fs/stat.c:203
 vfs_fstatat fs/stat.c:225 [inline]
 vfs_lstat include/linux/fs.h:3387 [inline]
 __do_sys_newlstat+0x85/0xe0 fs/stat.c:380
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Memory state around the buggy address:
 ffff88802f126500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88802f126580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88802f126600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                               ^
 ffff88802f126680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88802f126700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================