bisecting cause commit starting from 1127b219ce9481c84edad9711626d856127d5e51 building syzkaller on d5a3ae1f760e7cb2cd5a721d9645ae22eae114fe testing commit 1127b219ce9481c84edad9711626d856127d5e51 with gcc (GCC) 8.1.0 kernel signature: 1607774a0002317711e7b7863e910057724408231d52f3cb9af60a9152e5e5af run #0: crashed: BUG: corrupted list in mousedev_detach_client run #1: crashed: BUG: corrupted list in mousedev_detach_client run #2: crashed: BUG: corrupted list in mousedev_detach_client run #3: crashed: BUG: corrupted list in mousedev_detach_client run #4: crashed: BUG: corrupted list in mousedev_detach_client run #5: crashed: BUG: corrupted list in mousedev_detach_client run #6: crashed: WARNING: ODEBUG bug in get_signal run #7: crashed: WARNING: ODEBUG bug in exit_to_user_mode_prepare run #8: crashed: BUG: corrupted list in mousedev_detach_client run #9: crashed: BUG: corrupted list in mousedev_detach_client testing release v5.8 testing commit bcf876870b95592b52519ed4aafcf9d95999bc9c with gcc (GCC) 8.1.0 kernel signature: 5ee7a9bcb8f872f42dd43dc9c281c016b5f7c5c6d5c358d8f834dea0a282c63a run #0: OK run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: boot failed: can't ssh into the instance # git bisect start 1127b219ce9481c84edad9711626d856127d5e51 bcf876870b95592b52519ed4aafcf9d95999bc9c Bisecting: 6098 revisions left to test after this (roughly 13 steps) [47ec5303d73ea344e84f46660fff693c57641386] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next testing commit 47ec5303d73ea344e84f46660fff693c57641386 with gcc (GCC) 8.1.0 kernel signature: 73350a526e9fa0467eec32d2d57571b579b15f67a6d069eaad407c846cf129bc all runs: OK # git bisect good 47ec5303d73ea344e84f46660fff693c57641386 Bisecting: 2968 revisions left to test after this (roughly 12 steps) [fa73e212318a3277ae1f304febbc617c75d4d2db] Merge tag 'media/v5.9-1' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media testing commit fa73e212318a3277ae1f304febbc617c75d4d2db with gcc (GCC) 8.1.0 kernel signature: cbfa9ac0f9d98d3ea25e94da23bdcc600fab638c837a63076e57cb09fb5994e8 all runs: OK # git bisect good fa73e212318a3277ae1f304febbc617c75d4d2db Bisecting: 1466 revisions left to test after this (roughly 11 steps) [ea6ec774372740b024a6c27caac0d0af8960ea15] Merge tag 'drm-next-2020-08-12' of git://anongit.freedesktop.org/drm/drm testing commit ea6ec774372740b024a6c27caac0d0af8960ea15 with gcc (GCC) 8.1.0 kernel signature: abd3cf4339700b055297ceb826f7bdd40ffff5726ffc2fa7db434447bb0e41f6 all runs: boot failed: WARNING in mem_cgroup_css_alloc # git bisect skip ea6ec774372740b024a6c27caac0d0af8960ea15 Bisecting: 1466 revisions left to test after this (roughly 11 steps) [25fd529c34d063d1bef23742f2e8f8341c639dc3] sparse: group the defines by functionality testing commit 25fd529c34d063d1bef23742f2e8f8341c639dc3 with gcc (GCC) 8.1.0 kernel signature: 3766ddfee9d045686351d9eea8dc295e419726c645ac109735b210f915df579a all runs: boot failed: WARNING in mem_cgroup_css_alloc # git bisect skip 25fd529c34d063d1bef23742f2e8f8341c639dc3 Bisecting: 1466 revisions left to test after this (roughly 11 steps) [a5b90f2db8e0ef6504695cbd36a65fd8296338ee] virtio_config: rewrite using _Generic testing commit a5b90f2db8e0ef6504695cbd36a65fd8296338ee with gcc (GCC) 8.1.0 kernel signature: f86e610c494869c8698534aecf768ef6b3fd67b8ce1adf87ab32551f4724dd78 all runs: OK # git bisect good a5b90f2db8e0ef6504695cbd36a65fd8296338ee Bisecting: 1466 revisions left to test after this (roughly 11 steps) [d49f7d7376d0c0daf8680984a37bd07581ac7d38] arm64: Move handling of erratum 1418040 into C code testing commit d49f7d7376d0c0daf8680984a37bd07581ac7d38 with gcc (GCC) 8.1.0 kernel signature: d53df0b948be8b7627138a50fcd85338232e62724d88ff5c746c8ee8da6bb340 all runs: OK # git bisect good d49f7d7376d0c0daf8680984a37bd07581ac7d38 Bisecting: 318 revisions left to test after this (roughly 8 steps) [dd105d64a0c6976153adea40c034ba26f7cf34ed] Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux testing commit dd105d64a0c6976153adea40c034ba26f7cf34ed with gcc (GCC) 8.1.0 kernel signature: ac8ecaddc694b7dbcc1a4afd3eb1e110f0ea697b7855ec2b781acf9957956e71 all runs: OK # git bisect good dd105d64a0c6976153adea40c034ba26f7cf34ed Bisecting: 161 revisions left to test after this (roughly 7 steps) [2ac69819ba9e3d8d550bb5d2d2df74848e556812] Merge tag 'nfsd-5.9-1' of git://git.linux-nfs.org/projects/cel/cel-2.6 testing commit 2ac69819ba9e3d8d550bb5d2d2df74848e556812 with gcc (GCC) 8.1.0 kernel signature: 5b5756157c7c1707b3b3afe1d7c326e98a1b52301848776b4b8ae00c8a283603 all runs: crashed: BUG: corrupted list in mousedev_detach_client # git bisect bad 2ac69819ba9e3d8d550bb5d2d2df74848e556812 Bisecting: 77 revisions left to test after this (roughly 6 steps) [10c091b62e7fc3133d652b7212904348398b302e] Merge tag 'efi-urgent-2020-08-23' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip testing commit 10c091b62e7fc3133d652b7212904348398b302e with gcc (GCC) 8.1.0 kernel signature: 7c6e7fff247316309f5e6c1f8ceb5efc044d647beaf7eec081c2686de061f81a all runs: crashed: BUG: corrupted list in mousedev_detach_client # git bisect bad 10c091b62e7fc3133d652b7212904348398b302e Bisecting: 39 revisions left to test after this (roughly 5 steps) [774d977abfd024e6f73484544b9abe5a5cd62de7] net: dsa: b53: check for timeout testing commit 774d977abfd024e6f73484544b9abe5a5cd62de7 with gcc (GCC) 8.1.0 kernel signature: 3751e9e1c89dd0a3fce38e4a615ac41d71078f338788afbc503450cfcb0daa4c all runs: OK # git bisect good 774d977abfd024e6f73484544b9abe5a5cd62de7 Bisecting: 25 revisions left to test after this (roughly 4 steps) [f320ac6e131669345c7f4abefbb228b570eb9199] Merge branch 'work.epoll' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs testing commit f320ac6e131669345c7f4abefbb228b570eb9199 with gcc (GCC) 8.1.0 kernel signature: 37e0e8f7929f31c23e672bf63f5d75121d511e5a7e7c8c3622565b4a45bbd474 run #0: crashed: WARNING: ODEBUG bug in get_signal run #1: crashed: BUG: corrupted list in mousedev_detach_client run #2: crashed: BUG: corrupted list in mousedev_detach_client run #3: crashed: BUG: corrupted list in mousedev_detach_client run #4: crashed: BUG: corrupted list in mousedev_detach_client run #5: crashed: BUG: corrupted list in mousedev_detach_client run #6: crashed: BUG: corrupted list in mousedev_detach_client run #7: crashed: BUG: corrupted list in mousedev_detach_client run #8: crashed: BUG: corrupted list in mousedev_detach_client run #9: crashed: BUG: corrupted list in mousedev_detach_client # git bisect bad f320ac6e131669345c7f4abefbb228b570eb9199 Bisecting: 6 revisions left to test after this (roughly 3 steps) [66c262be8f50c043bf6d2f43fa8070e5d3ba7bc0] kconfig: qconf: remove unused colNr testing commit 66c262be8f50c043bf6d2f43fa8070e5d3ba7bc0 with gcc (GCC) 8.1.0 kernel signature: 9a3567ad0c6a7599e0635680a42d44e7215e4468238608b069e81f67b6580701 all runs: OK # git bisect good 66c262be8f50c043bf6d2f43fa8070e5d3ba7bc0 Bisecting: 3 revisions left to test after this (roughly 2 steps) [510bc3cb1ddc32f9533e6ed0a68c980544c3ca3f] kconfig: qconf: replace deprecated QString::sprintf() with QTextStream testing commit 510bc3cb1ddc32f9533e6ed0a68c980544c3ca3f with gcc (GCC) 8.1.0 kernel signature: bda49417ed402c199a29361f305a67489997f14a560f89ac2b012aaaa51be0bc all runs: OK # git bisect good 510bc3cb1ddc32f9533e6ed0a68c980544c3ca3f Bisecting: 1 revision left to test after this (roughly 1 step) [52c479697c9b73f628140dcdfcd39ea302d05482] do_epoll_ctl(): clean the failure exits up a bit testing commit 52c479697c9b73f628140dcdfcd39ea302d05482 with gcc (GCC) 8.1.0 kernel signature: 78f9398e329bbc87aeb50d19308f5100423ac520ea7035e72e423f317d426163 all runs: crashed: BUG: corrupted list in mousedev_detach_client # git bisect bad 52c479697c9b73f628140dcdfcd39ea302d05482 Bisecting: 0 revisions left to test after this (roughly 0 steps) [a9ed4a6560b8562b7e2e2bed9527e88001f7b682] epoll: Keep a reference on files added to the check list testing commit a9ed4a6560b8562b7e2e2bed9527e88001f7b682 with gcc (GCC) 8.1.0 kernel signature: fb2d503bf55449647279a5bc003adc3feeff9d3615963ee499c65d2850aa0502 run #0: crashed: BUG: corrupted list in mousedev_detach_client run #1: crashed: BUG: corrupted list in mousedev_detach_client run #2: crashed: BUG: corrupted list in mousedev_detach_client run #3: crashed: WARNING: ODEBUG bug in get_signal run #4: crashed: BUG: corrupted list in mousedev_detach_client run #5: crashed: BUG: corrupted list in mousedev_detach_client run #6: crashed: BUG: corrupted list in mousedev_detach_client run #7: crashed: BUG: corrupted list in mousedev_detach_client run #8: crashed: BUG: corrupted list in mousedev_detach_client run #9: crashed: BUG: corrupted list in mousedev_detach_client # git bisect bad a9ed4a6560b8562b7e2e2bed9527e88001f7b682 a9ed4a6560b8562b7e2e2bed9527e88001f7b682 is the first bad commit commit a9ed4a6560b8562b7e2e2bed9527e88001f7b682 Author: Marc Zyngier Date: Wed Aug 19 17:12:17 2020 +0100 epoll: Keep a reference on files added to the check list When adding a new fd to an epoll, and that this new fd is an epoll fd itself, we recursively scan the fds attached to it to detect cycles, and add non-epool files to a "check list" that gets subsequently parsed. However, this check list isn't completely safe when deletions can happen concurrently. To sidestep the issue, make sure that a struct file placed on the check list sees its f_count increased, ensuring that a concurrent deletion won't result in the file disapearing from under our feet. Cc: stable@vger.kernel.org Signed-off-by: Marc Zyngier Signed-off-by: Al Viro fs/eventpoll.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) parent commit 9123e3a74ec7b934a4a099e98af6a61c2f80bbf5 wasn't tested testing commit 9123e3a74ec7b934a4a099e98af6a61c2f80bbf5 with gcc (GCC) 8.1.0 kernel signature: e20d02ebc2e0996f8ab4788c6a3d33663a94b7f8b27bed30d29be8ed773efb20 culprit signature: fb2d503bf55449647279a5bc003adc3feeff9d3615963ee499c65d2850aa0502 parent signature: e20d02ebc2e0996f8ab4788c6a3d33663a94b7f8b27bed30d29be8ed773efb20 revisions tested: 17, total time: 3h34m3.470407489s (build: 1h25m10.619474749s, test: 2h7m10.151845782s) first bad commit: a9ed4a6560b8562b7e2e2bed9527e88001f7b682 epoll: Keep a reference on files added to the check list recipients (to): ["linux-kernel@vger.kernel.org" "maz@kernel.org" "viro@zeniv.linux.org.uk"] recipients (cc): ["linux-fsdevel@vger.kernel.org" "viro@zeniv.linux.org.uk"] crash: BUG: corrupted list in mousedev_detach_client list_del corruption, ffff88810f0de010->prev is LIST_POISON2 (dead000000000122) ------------[ cut here ]------------ kernel BUG at lib/list_debug.c:50! invalid opcode: 0000 [#1] PREEMPT SMP CPU: 1 PID: 14654 Comm: syz-executor.1 Not tainted 5.9.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:__list_del_entry_valid.cold.1+0x45/0x4c lib/list_debug.c:48 Code: e8 95 85 56 ff 0f 0b 48 89 f2 48 89 fe 48 c7 c7 90 54 f1 83 e8 81 85 56 ff 0f 0b 48 89 fe 48 c7 c7 58 54 f1 83 e8 70 85 56 ff <0f> 0b cc cc cc cc cc 41 56 41 55 41 54 55 53 48 81 ec 88 00 00 00 RSP: 0018:ffffc900059d3e50 EFLAGS: 00010246 RAX: 000000000000004e RBX: ffff888124c838b0 RCX: 0000000000000002 RDX: 0000000000000000 RSI: ffffffff8401b939 RDI: 00000000ffffffff RBP: ffff88810f0de000 R08: 0000000000000001 R09: 0000000000000001 R10: 0000000000000000 R11: 0244c45446ca2ec8 R12: ffff888125415640 R13: ffff88812a8495a0 R14: ffff8881288d6af8 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff88812c100000(0063) knlGS:00000000f77e7b40 CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033 CR2: 00000000080f3938 CR3: 000000010f2a6000 CR4: 00000000001506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: __list_del_entry include/linux/list.h:132 [inline] list_del_rcu include/linux/rculist.h:158 [inline] mousedev_detach_client+0x1d/0x50 drivers/input/mousedev.c:515 mousedev_release+0x18/0x30 drivers/input/mousedev.c:525 __fput+0xaa/0x250 fs/file_table.c:281 task_work_run+0x68/0xb0 kernel/task_work.c:141 tracehook_notify_resume include/linux/tracehook.h:188 [inline] exit_to_user_mode_loop kernel/entry/common.c:139 [inline] exit_to_user_mode_prepare+0x1e2/0x1f0 kernel/entry/common.c:166 syscall_exit_to_user_mode+0x59/0x2b0 kernel/entry/common.c:241 __do_fast_syscall_32+0x63/0x80 arch/x86/entry/common.c:127 do_fast_syscall_32+0x2f/0x70 arch/x86/entry/common.c:149 entry_SYSENTER_compat_after_hwframe+0x4d/0x5c RIP: 0023:0xf7fed549 Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90 RSP: 002b:00000000f77e70cc EFLAGS: 00000296 ORIG_RAX: 00000000000000ff RAX: 0000000000000000 RBX: 0000000000000005 RCX: 0000000000000001 RDX: 0000000000000004 RSI: 0000000020000040 RDI: 0000000000000000 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 Modules linked in: ---[ end trace 3f90aa3e945a80c8 ]--- RIP: 0010:__list_del_entry_valid.cold.1+0x45/0x4c lib/list_debug.c:48 Code: e8 95 85 56 ff 0f 0b 48 89 f2 48 89 fe 48 c7 c7 90 54 f1 83 e8 81 85 56 ff 0f 0b 48 89 fe 48 c7 c7 58 54 f1 83 e8 70 85 56 ff <0f> 0b cc cc cc cc cc 41 56 41 55 41 54 55 53 48 81 ec 88 00 00 00 RSP: 0018:ffffc900059d3e50 EFLAGS: 00010246 RAX: 000000000000004e RBX: ffff888124c838b0 RCX: 0000000000000002 RDX: 0000000000000000 RSI: ffffffff8401b939 RDI: 00000000ffffffff RBP: ffff88810f0de000 R08: 0000000000000001 R09: 0000000000000001 R10: 0000000000000000 R11: 0244c45446ca2ec8 R12: ffff888125415640 R13: ffff88812a8495a0 R14: ffff8881288d6af8 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff88812c100000(0063) knlGS:00000000f77e7b40 CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033 CR2: 00000000080f3938 CR3: 000000010f2a6000 CR4: 00000000001506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400