bisecting fixing commit since 9fa690a2a016e1b55356835f047b952e67d3d73a
building syzkaller on 93e5e33559b98e47f3743e6d907ca8444fbba5d4
testing commit 9fa690a2a016e1b55356835f047b952e67d3d73a with gcc (GCC) 8.1.0
kernel signature: 97df90a705f80424812f9bec64ea290cd4b824200f4c3faac182e66f41401401
all runs: crashed: general protection fault in path_openat
testing current HEAD 78d697fc93f98054e36a3ab76dca1a88802ba7be
testing commit 78d697fc93f98054e36a3ab76dca1a88802ba7be with gcc (GCC) 8.1.0
kernel signature: 29f5c3784eb73ed0854a44c51a730718826029dd1ba3f5da971e14fff2a35cce
all runs: OK
# git bisect start 78d697fc93f98054e36a3ab76dca1a88802ba7be 9fa690a2a016e1b55356835f047b952e67d3d73a
Bisecting: 248 revisions left to test after this (roughly 8 steps)
[d73066c047a0cf2e4286023320512d059ac2b405] KVM: arm/arm64: vgic-its: Fix restoration of unmapped collections
testing commit d73066c047a0cf2e4286023320512d059ac2b405 with gcc (GCC) 8.1.0
kernel signature: 0598f84752f3ed39d4836602832fe0af0e975771b6f17c687a0f0e3b3e05a3a3
all runs: OK
# git bisect bad d73066c047a0cf2e4286023320512d059ac2b405
Bisecting: 123 revisions left to test after this (roughly 7 steps)
[5823cb6e4cb50e332e0947291ab79ea1b869ed69] powerpc/xmon: don't access ASDR in VMs
testing commit 5823cb6e4cb50e332e0947291ab79ea1b869ed69 with gcc (GCC) 8.1.0
kernel signature: ac0681a344d63f69346157379116d61fdfea5d82e020869bd7500563efcad21e
all runs: OK
# git bisect bad 5823cb6e4cb50e332e0947291ab79ea1b869ed69
Bisecting: 61 revisions left to test after this (roughly 6 steps)
[f5929c9f3a52a6137b8c5ed2007a4cd725ab7aaf] qmi_wwan: Add support for Quectel RM500Q
testing commit f5929c9f3a52a6137b8c5ed2007a4cd725ab7aaf with gcc (GCC) 8.1.0
kernel signature: e301de79aba82393de04549e27d833ca53e707b256fadddb65a244ae921ad054
all runs: OK
# git bisect bad f5929c9f3a52a6137b8c5ed2007a4cd725ab7aaf
Bisecting: 30 revisions left to test after this (roughly 5 steps)
[c662ea4fab81c530590c2be3e86e26313d047e3b] rsi: fix use-after-free on probe errors
testing commit c662ea4fab81c530590c2be3e86e26313d047e3b with gcc (GCC) 8.1.0
kernel signature: e960538dd8996092baf43ebc5170c43295c2c5790a25520cdedcbc12a137a1cd
all runs: crashed: general protection fault in path_openat
# git bisect good c662ea4fab81c530590c2be3e86e26313d047e3b
Bisecting: 15 revisions left to test after this (roughly 4 steps)
[b7fae41e420f3db83466b9dcd26e06ae706b85ab] media: af9005: uninitialized variable printked
testing commit b7fae41e420f3db83466b9dcd26e06ae706b85ab with gcc (GCC) 8.1.0
kernel signature: 3e0b0b0462f03d737b51921d3b1db35f04d64f0807467c4717d999ff6cbee9ea
all runs: OK
# git bisect bad b7fae41e420f3db83466b9dcd26e06ae706b85ab
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[806dbe2dfa4855c97ec1da876fbd2fdfb61426f5] perf c2c: Fix return type for histogram sorting comparision functions
testing commit 806dbe2dfa4855c97ec1da876fbd2fdfb61426f5 with gcc (GCC) 8.1.0
kernel signature: eaef6b8159a98e6fcce805e93f2054c37d0a046e65e41ead97a4ed9489eac3fd
all runs: OK
# git bisect bad 806dbe2dfa4855c97ec1da876fbd2fdfb61426f5
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[d20edc0bca5577bab38acb5b190619c922ddebf8] x86/resctrl: Fix use-after-free when deleting resource groups
testing commit d20edc0bca5577bab38acb5b190619c922ddebf8 with gcc (GCC) 8.1.0
kernel signature: a5185eb8cfc2c2576616b2d3045f36b684a5c81161ad1183e6e7d4cb9805e132
all runs: OK
# git bisect bad d20edc0bca5577bab38acb5b190619c922ddebf8
Bisecting: 0 revisions left to test after this (roughly 1 step)
[40642747dd9feab4912157882166c05722cec7b0] vfs: fix do_last() regression
testing commit 40642747dd9feab4912157882166c05722cec7b0 with gcc (GCC) 8.1.0
kernel signature: 31a6463439fce37031b91ff8f6cd810c61060c18c4b20bc6473734f4a4fb9a83
all runs: OK
# git bisect bad 40642747dd9feab4912157882166c05722cec7b0
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[713ff7e4d605c4dd1efd838e3f0092cd93733f0c] crypto: af_alg - Use bh_lock_sock in sk_destruct
testing commit 713ff7e4d605c4dd1efd838e3f0092cd93733f0c with gcc (GCC) 8.1.0
kernel signature: 2244c153223c61b76d291050f8945a62d6cba839b9cbc6fbd6a5721c0273f0a0
all runs: crashed: general protection fault in path_openat
# git bisect good 713ff7e4d605c4dd1efd838e3f0092cd93733f0c
40642747dd9feab4912157882166c05722cec7b0 is the first bad commit
commit 40642747dd9feab4912157882166c05722cec7b0
Author: Al Viro
Date:   Sat Feb 1 16:26:45 2020 +0000

    vfs: fix do_last() regression

    commit 6404674acd596de41fd3ad5f267b4525494a891a upstream.

    Brown paperbag time: fetching ->i_uid/->i_mode really should've been
    done from nd->inode. I even suggested that, but the reason for that has
    slipped through the cracks and I went for dir->d_inode instead - made
    for more "obvious" patch.

    Analysis:

    - at the entry into do_last() and all the way to step_into(): dir (aka
      nd->path.dentry) is known not to have been freed; so's nd->inode and
      it's equal to dir->d_inode unless we are already doomed to -ECHILD.
      inode of the file to get opened is not known.

    - after step_into(): inode of the file to get opened is known; dir might
      be pointing to freed memory/be negative/etc.

    - at the call of may_create_in_sticky(): guaranteed to be out of RCU
      mode; inode of the file to get opened is known and pinned; dir might
      be garbage.

    The last was the reason for the original patch. Except that at the
    do_last() entry we can be in RCU mode and it is possible that
    nd->path.dentry->d_inode has already changed under us.

    In that case we are going to fail with -ECHILD, but we need to be
    careful; nd->inode is pointing to valid struct inode and it's the same
    as nd->path.dentry->d_inode in "won't fail with -ECHILD" case, so we
    should use that.

    Reported-by: "Rantala, Tommi T. (Nokia - FI/Espoo)"
    Reported-by: syzbot+190005201ced78a74ad6@syzkaller.appspotmail.com
    Wearing-brown-paperbag: Al Viro
    Cc: stable@kernel.org
    Fixes: d0cb50185ae9 ("do_last(): fetch directory ->i_mode and ->i_uid before it's too late")
    Signed-off-by: Al Viro
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

 fs/namei.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

culprit signature: 31a6463439fce37031b91ff8f6cd810c61060c18c4b20bc6473734f4a4fb9a83
parent signature: 2244c153223c61b76d291050f8945a62d6cba839b9cbc6fbd6a5721c0273f0a0
revisions tested: 11, total time: 3h30m35.715588349s (build: 1h33m42.028647944s, test: 1h55m39.480182595s)
first good commit: 40642747dd9feab4912157882166c05722cec7b0 vfs: fix do_last() regression
cc: ["gregkh@linuxfoundation.org" "torvalds@linux-foundation.org" "viro@zeniv.linux.org.uk"]