bisecting cause commit starting from 15bc20c6af4ceee97a1f90b43c0e386643c071b4
building syzkaller on 816e0689d7d9d8321f8bf360740f0e516aee15ca
testing commit 15bc20c6af4ceee97a1f90b43c0e386643c071b4 with gcc (GCC) 8.1.0
kernel signature: 3ccc99c3dd89a6080c431e6a827fe6103c333bc1e3d28a979c3c8a3e5dd37f72
run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release
run #1: crashed: kernel BUG at fs/inode.c:LINE!
run #2: crashed: kernel BUG at fs/inode.c:LINE!
run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release
run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release
run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in __fput
run #6: crashed: kernel BUG at fs/inode.c:LINE!
run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release
run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release
run #9: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release
testing release v5.8
testing commit bcf876870b95592b52519ed4aafcf9d95999bc9c with gcc (GCC) 8.1.0
kernel signature: 405f66fb95198108dd6a9deccc53b5428150e31e7208bd048732cc14a8e3421b
all runs: OK
# git bisect start 15bc20c6af4ceee97a1f90b43c0e386643c071b4 bcf876870b95592b52519ed4aafcf9d95999bc9c
Bisecting: 5975 revisions left to test after this (roughly 13 steps)
[47ec5303d73ea344e84f46660fff693c57641386] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next
testing commit 47ec5303d73ea344e84f46660fff693c57641386 with gcc (GCC) 8.1.0
kernel signature: 7be10583d24ebd6c1791e5d6fb2f1f9336f0bcbab8fb6ffeadd51925a489b7d9
all runs: OK
# git bisect good 47ec5303d73ea344e84f46660fff693c57641386
Bisecting: 2845 revisions left to test after this (roughly 12 steps)
[fa73e212318a3277ae1f304febbc617c75d4d2db] Merge tag 'media/v5.9-1' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media
testing commit fa73e212318a3277ae1f304febbc617c75d4d2db with gcc (GCC) 8.1.0
kernel signature: ce715e48433c2c1c2890df348c3fa12699f1e794e3600019f76bb04c659e7d0b
all runs: OK
# git bisect good fa73e212318a3277ae1f304febbc617c75d4d2db
Bisecting: 1420 revisions left to test after this (roughly 11 steps)
[9ad57f6dfc2345ed5d3a8bf4dabac0a34069c54c] Merge branch 'akpm' (patches from Andrew)
testing commit 9ad57f6dfc2345ed5d3a8bf4dabac0a34069c54c with gcc (GCC) 8.1.0
kernel signature: 28300bc0b094d8b3b7509273921a300eb30541c6e839cf2b1ebec18ed3dca170
all runs: boot failed: WARNING in mem_cgroup_css_alloc
# git bisect skip 9ad57f6dfc2345ed5d3a8bf4dabac0a34069c54c
Bisecting: 1420 revisions left to test after this (roughly 11 steps)
[2f059db0b8313f8964ac917394e7425d966a6884] ktest.pl: Always show log file location if defined even on success
testing commit 2f059db0b8313f8964ac917394e7425d966a6884 with gcc (GCC) 8.1.0
kernel signature: dade89be4ff4839b04e72f72c512a6829783372e4c947333f8983347a9e9ea32
run #0: OK
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: boot failed: can't ssh into the instance
# git bisect good 2f059db0b8313f8964ac917394e7425d966a6884
Bisecting: 1420 revisions left to test after this (roughly 11 steps)
[44a7f3e8222a7345b72a83a26d6d599bba815cf9] clk: socfpga: agilex: mpu_l2ram_clk should be mpu_ccu_clk
testing commit 44a7f3e8222a7345b72a83a26d6d599bba815cf9 with gcc (GCC) 8.1.0
kernel signature: 95e7b316b8d4a1ea5d4a9a158c6a33ee20a2cdbc9e628ceeffd8dfbe0ef2f5e2
all runs: basic kernel testing failed: BUG: using smp_processor_id() in preemptible code in ext4_mb_new_blocks
# git bisect skip 44a7f3e8222a7345b72a83a26d6d599bba815cf9
Bisecting: 1420 revisions left to test after this (roughly 11 steps)
[347a7389a7cc9b91f80deb8d7043e9827d08b328] perf intel-pt: Add support for decoding PSB+ only
testing commit 347a7389a7cc9b91f80deb8d7043e9827d08b328 with gcc (GCC) 8.1.0
kernel signature: 3abab8edc11b86d719d05fe12f4c002c45b91832333029886452d468856e88a3
all runs: OK
# git bisect good 347a7389a7cc9b91f80deb8d7043e9827d08b328
Bisecting: 1343 revisions left to test after this (roughly 10 steps)
[ea6ec774372740b024a6c27caac0d0af8960ea15] Merge tag 'drm-next-2020-08-12' of git://anongit.freedesktop.org/drm/drm
testing commit ea6ec774372740b024a6c27caac0d0af8960ea15 with gcc (GCC) 8.1.0
kernel signature: bf9edc0ada76f57364ab8d2a93307339a11741c5d8f03811979c016c5b1e8e23
all runs: boot failed: WARNING in mem_cgroup_css_alloc
# git bisect skip ea6ec774372740b024a6c27caac0d0af8960ea15
Bisecting: 1343 revisions left to test after this (roughly 10 steps)
[43b1bb4a9b3e183af12225f56c27164c10d06223] clk: at91: clk-sam9x60-pll: re-factor to support plls with multiple outputs
testing commit 43b1bb4a9b3e183af12225f56c27164c10d06223 with gcc (GCC) 8.1.0
kernel signature: df566234c146840535b4db1b52dc389c232e53e19a2fa992b23d28d9077bf743
all runs: basic kernel testing failed: BUG: using smp_processor_id() in preemptible code in ext4_mb_new_blocks
# git bisect skip 43b1bb4a9b3e183af12225f56c27164c10d06223
Bisecting: 1343 revisions left to test after this (roughly 10 steps)
[35759383133f64d90eba120a0d3efe8f71241650] mptcp: sendmsg: reset iter on error
testing commit 35759383133f64d90eba120a0d3efe8f71241650 with gcc (GCC) 8.1.0
kernel signature: 27dc137dcf55f38e182a8a4d016e1827d781f41bb23b9988ad0c10d3daff9f52
all runs: OK
# git bisect good 35759383133f64d90eba120a0d3efe8f71241650
Bisecting: 432 revisions left to test after this (roughly 9 steps)
[4cf7562190c795f1f95be6ee0d161107d0dc5d49] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
testing commit 4cf7562190c795f1f95be6ee0d161107d0dc5d49 with gcc (GCC) 8.1.0
kernel signature: 0d018af6bbdd87ffba70faf3e007e27cb33fc848f668b79990cf99eb4f1def27
all runs: OK
# git bisect good 4cf7562190c795f1f95be6ee0d161107d0dc5d49
Bisecting: 215 revisions left to test after this (roughly 8 steps)
[9e574b74b781f14fa7348ba8b980b19a250a9c83] Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi
testing commit 9e574b74b781f14fa7348ba8b980b19a250a9c83 with gcc (GCC) 8.1.0
kernel signature: a8b63ac5a12579945cfb9e252d6d86cd72253d31e371febccb4fc82cd2802dc2
all runs: OK
# git bisect good 9e574b74b781f14fa7348ba8b980b19a250a9c83
Bisecting: 112 revisions left to test after this (roughly 7 steps)
[550c2129d93d5eb198835ac83c05ef672e8c491c] Merge tag 'x86-urgent-2020-08-23' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
testing commit 550c2129d93d5eb198835ac83c05ef672e8c491c with gcc (GCC) 8.1.0
kernel signature: 4d4f44754ad680a167b9a46b8f3c52092cc7b5a9f14b3247996c3dabcc7f48b1
run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release
run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release
run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release
run #3: crashed: kernel BUG at fs/inode.c:LINE!
run #4: crashed: kernel BUG at fs/inode.c:LINE!
run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release
run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release
run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release
run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release
run #9: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release
# git bisect bad 550c2129d93d5eb198835ac83c05ef672e8c491c
Bisecting: 51 revisions left to test after this (roughly 6 steps)
[4af7b32f84aa4cd60e39b355bc8a1eab6cd8d8a4] Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf
testing commit 4af7b32f84aa4cd60e39b355bc8a1eab6cd8d8a4 with gcc (GCC) 8.1.0
kernel signature: 138b05383fd335b3314de3c190cd28fe8cf1f39d13bb412c7d8e5e43e2ad47ef
all runs: OK
# git bisect good 4af7b32f84aa4cd60e39b355bc8a1eab6cd8d8a4
Bisecting: 20 revisions left to test after this (roughly 5 steps)
[c3d8f220d01220a5b253e422be407d068dc65511] Merge tag 'kbuild-fixes-v5.9' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild
testing commit c3d8f220d01220a5b253e422be407d068dc65511 with gcc (GCC) 8.1.0
kernel signature: 35c654a948df4bd235b53bc4d1ff5d9d257efd296ef78c6eaf3696d59fb1284f
all runs: OK
# git bisect good c3d8f220d01220a5b253e422be407d068dc65511
Bisecting: 11 revisions left to test after this (roughly 3 steps)
[e99b2507baccca79394ec646e3d1a0884667ea98] Merge tag 'core-urgent-2020-08-23' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
testing commit e99b2507baccca79394ec646e3d1a0884667ea98 with gcc (GCC) 8.1.0
kernel signature: 1e423d57826096c481fe704ec143a38c1777749e516754963f2f1b5a0fb60467
run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release
run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release
run #2: crashed: kernel BUG at fs/inode.c:LINE!
run #3: crashed: WARNING: ODEBUG bug in exit_to_user_mode_prepare
run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release
run #5: crashed: kernel BUG at fs/inode.c:LINE!
run #6: crashed: WARNING: ODEBUG bug in get_signal
run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release
run #8: crashed: kernel BUG at fs/inode.c:LINE!
run #9: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release
# git bisect bad e99b2507baccca79394ec646e3d1a0884667ea98
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[9d045ed1ebe1a6115d3fa9930c5371defb31d95a] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
testing commit 9d045ed1ebe1a6115d3fa9930c5371defb31d95a with gcc (GCC) 8.1.0
kernel signature: 99e99dea4f23c754f59c48d46a16777b30858c93c0a45cb569b27f8357e69049
run #0: crashed: kernel BUG at fs/inode.c:LINE!
run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release
run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release
run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release
run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release
run #5: crashed: kernel BUG at fs/inode.c:LINE!
run #6: crashed: kernel BUG at fs/inode.c:LINE!
run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release
run #8: crashed: kernel BUG at fs/inode.c:LINE!
run #9: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release
# git bisect bad 9d045ed1ebe1a6115d3fa9930c5371defb31d95a
Bisecting: 2 revisions left to test after this (roughly 1 step)
[52c479697c9b73f628140dcdfcd39ea302d05482] do_epoll_ctl(): clean the failure exits up a bit
testing commit 52c479697c9b73f628140dcdfcd39ea302d05482 with gcc (GCC) 8.1.0
kernel signature: f21666d63cc8e988d86fa71c883c0538a735db3ae5df0fcf9dc0af2a2ce0a8d7
run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release
run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release
run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release
run #3: crashed: WARNING: ODEBUG bug in exit_to_user_mode_prepare
run #4: crashed: WARNING: ODEBUG bug in exit_to_user_mode_prepare
run #5: crashed: kernel BUG at fs/inode.c:LINE!
run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release
run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release
run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release
run #9: crashed: kernel BUG at fs/inode.c:LINE!
# git bisect bad 52c479697c9b73f628140dcdfcd39ea302d05482
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[a9ed4a6560b8562b7e2e2bed9527e88001f7b682] epoll: Keep a reference on files added to the check list
testing commit a9ed4a6560b8562b7e2e2bed9527e88001f7b682 with gcc (GCC) 8.1.0
kernel signature: 523d003cb33b3af83fa147911352c28688c684e76c2191ddc11a83f5fff478a6
run #0: crashed: kernel BUG at fs/inode.c:LINE!
run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release
run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release
run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release
run #4: crashed: kernel BUG at fs/inode.c:LINE!
run #5: crashed: kernel BUG at fs/inode.c:LINE!
run #6: crashed: kernel BUG at fs/inode.c:LINE!
run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release
run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release
run #9: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release
# git bisect bad a9ed4a6560b8562b7e2e2bed9527e88001f7b682
a9ed4a6560b8562b7e2e2bed9527e88001f7b682 is the first bad commit
commit a9ed4a6560b8562b7e2e2bed9527e88001f7b682
Author: Marc Zyngier
Date:   Wed Aug 19 17:12:17 2020 +0100

    epoll: Keep a reference on files added to the check list

    When adding a new fd to an epoll, and this new fd is an epoll fd
    itself, we recursively scan the fds attached to it to detect cycles,
    and add non-epoll files to a "check list" that gets subsequently
    parsed.

    However, this check list isn't completely safe when deletions can
    happen concurrently.

    To sidestep the issue, make sure that a struct file placed on the
    check list sees its f_count increased, ensuring that a concurrent
    deletion won't result in the file disappearing from under our feet.
    Cc: stable@vger.kernel.org
    Signed-off-by: Marc Zyngier
    Signed-off-by: Al Viro

 fs/eventpoll.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

parent commit 9123e3a74ec7b934a4a099e98af6a61c2f80bbf5 wasn't tested
testing commit 9123e3a74ec7b934a4a099e98af6a61c2f80bbf5 with gcc (GCC) 8.1.0
kernel signature: 86a803e2471633b521d254c9e4238822f0934299c20dda70ebad22ae712c1574
culprit signature: 523d003cb33b3af83fa147911352c28688c684e76c2191ddc11a83f5fff478a6
parent signature: 86a803e2471633b521d254c9e4238822f0934299c20dda70ebad22ae712c1574
revisions tested: 20, total time: 4h13m3.830459228s (build: 1h45m52.448248987s, test: 2h25m11.346258297s)
first bad commit: a9ed4a6560b8562b7e2e2bed9527e88001f7b682 epoll: Keep a reference on files added to the check list
recipients (to): ["linux-kernel@vger.kernel.org" "maz@kernel.org" "viro@zeniv.linux.org.uk"]
recipients (cc): ["linux-fsdevel@vger.kernel.org" "viro@zeniv.linux.org.uk"]
crash: BUG: unable to handle kernel NULL pointer dereference in __sock_release
BUG: kernel NULL pointer dereference, address: 0000000000000010
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 10e5a9067 P4D 10e5a9067 PUD 10ef18067 PMD 0
Oops: 0000 [#1] PREEMPT SMP
CPU: 1 PID: 9347 Comm: syz-executor.3 Not tainted 5.9.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__sock_release+0x2f/0xa0 net/socket.c:596
Code: 8b 47 20 48 89 fb 48 85 c0 74 42 48 85 f6 4c 8b 60 08 74 5b 48 8d ae e0 00 00 00 48 89 ef e8 88 f7 7f 00 48 8b 43 20 48 89 df 50 10 48 c7 43 18 00 00 00 00 48 89 ef e8 ae 4f 9e fe 48 c7 43
RSP: 0018:ffffc90002933e88 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff888111181980 RCX: 0000000000000001
RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff888111181980
RBP: ffff888111181b20 R08: 0000000000000000 R09: 0000000000000001
R10: ffffc90002933e88 R11: bdf2b9bae115a1bb R12: 0000000000000000
R13: ffff88812b0d8e60 R14: ffff88810e8afd68 R15: 0000000000000000
FS:  00007ff412ee8700(0000) GS:ffff88812c100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000010 CR3: 000000010e528000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 sock_close+0xf/0x20 net/socket.c:1277
 __fput+0xaa/0x250 fs/file_table.c:281
 task_work_run+0x68/0xb0 kernel/task_work.c:141
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:139 [inline]
 exit_to_user_mode_prepare+0x1e2/0x1f0 kernel/entry/common.c:166
 syscall_exit_to_user_mode+0x59/0x2b0 kernel/entry/common.c:241
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45d5b9
Code: 5d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ff412ee7c78 EFLAGS: 00000246 ORIG_RAX: 00000000000000e9
RAX: 0000000000000000 RBX: 0000000000002ac0 RCX: 000000000045d5b9
RDX: 0000000000000004 RSI: 0000000000000001 RDI: 0000000000000005
RBP: 000000000118cf88 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000200003c0 R11: 0000000000000246 R12: 000000000118cf4c
R13: 00007ffc8d967e3f R14: 00007ff412ee89c0 R15: 000000000118cf4c
Modules linked in:
CR2: 0000000000000010
---[ end trace 24d1e4f06d227066 ]---
RIP: 0010:__sock_release+0x2f/0xa0 net/socket.c:596
Code: 8b 47 20 48 89 fb 48 85 c0 74 42 48 85 f6 4c 8b 60 08 74 5b 48 8d ae e0 00 00 00 48 89 ef e8 88 f7 7f 00 48 8b 43 20 48 89 df 50 10 48 c7 43 18 00 00 00 00 48 89 ef e8 ae 4f 9e fe 48 c7 43
RSP: 0018:ffffc90002933e88 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff888111181980 RCX: 0000000000000001
RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff888111181980
RBP: ffff888111181b20 R08: 0000000000000000 R09: 0000000000000001
R10: ffffc90002933e88 R11: bdf2b9bae115a1bb R12: 0000000000000000
R13: ffff88812b0d8e60 R14: ffff88810e8afd68 R15: 0000000000000000
FS:  00007ff412ee8700(0000) GS:ffff88812c100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffebcff77e0 CR3: 000000010e528000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400