bisecting cause commit starting from 2187f215ebaac73ddbd814696d7c7fa34f0c3de0 building syzkaller on f2fe0772a950d90c97c9f756cd6c07325344ac9a testing commit 2187f215ebaac73ddbd814696d7c7fa34f0c3de0 with gcc (GCC) 8.1.0 kernel signature: 8a677f5060dcdb087690a963074143fff05c8f36 all runs: crashed: kernel BUG at fs/buffer.c:LINE! testing release v5.4 testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0 kernel signature: e08956e4368de3834920760a36b6218a87ae8f0d all runs: crashed: kernel BUG at fs/buffer.c:LINE! testing release v5.3 testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.1.0 kernel signature: c55acba40f39e02b109e7222433b3fa6d4d82241 run #0: crashed: kernel BUG at fs/buffer.c:LINE! run #1: crashed: kernel BUG at fs/buffer.c:LINE! run #2: crashed: kernel BUG at fs/buffer.c:LINE! run #3: crashed: kernel BUG at fs/buffer.c:LINE! run #4: crashed: WARNING in corrupted run #5: crashed: kernel BUG at fs/buffer.c:LINE! run #6: crashed: kernel BUG at fs/buffer.c:LINE! run #7: crashed: kernel BUG at fs/buffer.c:LINE! run #8: crashed: kernel BUG at fs/buffer.c:LINE! run #9: crashed: kernel BUG at fs/buffer.c:LINE! testing release v5.2 testing commit 0ecfebd2b52404ae0c54a878c872bb93363ada36 with gcc (GCC) 8.1.0 kernel signature: 9da3c0de9d2ab7b1775ad9b9cdcc8bc83ec4d7f9 all runs: crashed: kernel BUG at fs/buffer.c:LINE! testing release v5.1 testing commit e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd with gcc (GCC) 8.1.0 kernel signature: b0d6c69eadbd1343b92bfdab4fb82fdf4456071b all runs: crashed: kernel BUG at fs/buffer.c:LINE! testing release v5.0 testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783 with gcc (GCC) 8.1.0 kernel signature: 3cf6fe2941b0d7f78d7469112e59149e782265a5 all runs: crashed: kernel BUG at fs/buffer.c:LINE! testing release v4.20 testing commit 8fe28cb58bcb235034b64cbbb7550a8a43fd88be with gcc (GCC) 8.1.0 kernel signature: 4796ae713dc6f30919debf4dca995ea59680ad24 all runs: OK # git bisect start 1c163f4c7b3f621efff9b28a47abb36f7378d783 8fe28cb58bcb235034b64cbbb7550a8a43fd88be Bisecting: 7011 revisions left to test after this (roughly 13 steps) [af7ddd8a627c62a835524b3f5b471edbbbcce025] Merge tag 'dma-mapping-4.21' of git://git.infradead.org/users/hch/dma-mapping testing commit af7ddd8a627c62a835524b3f5b471edbbbcce025 with gcc (GCC) 8.1.0 kernel signature: 2818b81acb2e16d4557cf5d920b9a25e9b8e5ffd all runs: OK # git bisect good af7ddd8a627c62a835524b3f5b471edbbbcce025 Bisecting: 3532 revisions left to test after this (roughly 12 steps) [c9bef4a651769927445900564781a9c99fdf6258] Merge tag 'pinctrl-v4.21-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl testing commit c9bef4a651769927445900564781a9c99fdf6258 with gcc (GCC) 8.1.0 kernel signature: 786f4c61df94ad42e861c70c21df209bbb02a024 all runs: OK # git bisect good c9bef4a651769927445900564781a9c99fdf6258 Bisecting: 1768 revisions left to test after this (roughly 11 steps) [4d5f6e0201bc568c0758ed3f77a06648ec9fd482] Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi testing commit 4d5f6e0201bc568c0758ed3f77a06648ec9fd482 with gcc (GCC) 8.1.0 kernel signature: 32a63bbd805f496cba36b4e2deb9fd9965a6ddef all runs: crashed: kernel BUG at fs/buffer.c:LINE! # git bisect bad 4d5f6e0201bc568c0758ed3f77a06648ec9fd482 Bisecting: 881 revisions left to test after this (roughly 10 steps) [786ac51a48465da56f333652ec1d8b215bb272fe] kbuild: remove UIMAGE_IN and UIMAGE_OUT testing commit 786ac51a48465da56f333652ec1d8b215bb272fe with gcc (GCC) 8.1.0 kernel signature: 755721757eecb66a305d1642d771a3e21e4e64dc all runs: OK # git bisect good 786ac51a48465da56f333652ec1d8b215bb272fe Bisecting: 439 revisions left to test after this (roughly 9 steps) [c3405d689974555532c12a4f3a5e72dedc660c0b] Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux testing commit c3405d689974555532c12a4f3a5e72dedc660c0b with gcc (GCC) 8.1.0 kernel signature: c008db95ca30d7ff978c9150f8bb543e867c9910 all runs: OK # git bisect good c3405d689974555532c12a4f3a5e72dedc660c0b Bisecting: 171 revisions left to test after this (roughly 8 steps) [e8746440bf68212f19688f1454dad593c74abee1] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net testing commit e8746440bf68212f19688f1454dad593c74abee1 with gcc (GCC) 8.1.0 kernel signature: 47da9fd4464d6baf74156e20d284ec7b9ca863bd all runs: crashed: kernel BUG at fs/buffer.c:LINE! # git bisect bad e8746440bf68212f19688f1454dad593c74abee1 Bisecting: 132 revisions left to test after this (roughly 7 steps) [3a73e73a10a791344587103a1adbe0c5f02fedeb] Merge tag 'backlight-next-4.21' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/backlight testing commit 3a73e73a10a791344587103a1adbe0c5f02fedeb with gcc (GCC) 8.1.0 kernel signature: 0e407dd0df1410b3f946001fabe1ad9f315301dd all runs: crashed: kernel BUG at fs/buffer.c:LINE! # git bisect bad 3a73e73a10a791344587103a1adbe0c5f02fedeb Bisecting: 64 revisions left to test after this (roughly 6 steps) [0f9d140a566532175b4555401ee47ed58b01f9c9] Merge tag '5.0-rc1-smb3-fixes' of git://git.samba.org/sfrench/cifs-2.6 testing commit 0f9d140a566532175b4555401ee47ed58b01f9c9 with gcc (GCC) 8.1.0 kernel signature: 4e752fac313c7f5881927c710aa7be89d4a99736 run #0: crashed: kernel BUG at fs/buffer.c:LINE! run #1: crashed: kernel BUG at fs/buffer.c:LINE! run #2: crashed: WARNING in unaccount_page_cache_page run #3: crashed: kernel BUG at fs/buffer.c:LINE! run #4: crashed: kernel BUG at fs/buffer.c:LINE! run #5: crashed: kernel BUG at fs/buffer.c:LINE! run #6: crashed: kernel BUG at fs/buffer.c:LINE! run #7: crashed: kernel BUG at fs/buffer.c:LINE! run #8: crashed: kernel BUG at fs/buffer.c:LINE! run #9: crashed: kernel BUG at fs/buffer.c:LINE! # git bisect bad 0f9d140a566532175b4555401ee47ed58b01f9c9 Bisecting: 38 revisions left to test after this (roughly 5 steps) [66c56cfa64d9dbb9efa8a06c1aece77e8d57ea19] Merge tag 'remove-dma_zalloc_coherent-5.0' of git://git.infradead.org/users/hch/dma-mapping testing commit 66c56cfa64d9dbb9efa8a06c1aece77e8d57ea19 with gcc (GCC) 8.1.0 kernel signature: 7eba04d4d0aefc61938a37960fc1d26a81f92ea2 all runs: OK # git bisect good 66c56cfa64d9dbb9efa8a06c1aece77e8d57ea19 Bisecting: 19 revisions left to test after this (roughly 4 steps) [49e54187ae0b2f9b5c0760e568a103baf4481610] ata: libahci_platform: comply to PHY framework testing commit 49e54187ae0b2f9b5c0760e568a103baf4481610 with gcc (GCC) 8.1.0 kernel signature: dfe42864628d118705344cc90bdb67e2524a23a5 run #0: crashed: kernel BUG at fs/buffer.c:LINE! run #1: crashed: kernel BUG at fs/buffer.c:LINE! run #2: crashed: kernel BUG at fs/buffer.c:LINE! run #3: crashed: WARNING in corrupted run #4: crashed: kernel BUG at fs/buffer.c:LINE! run #5: crashed: kernel BUG at fs/buffer.c:LINE! run #6: crashed: kernel BUG at fs/buffer.c:LINE! run #7: crashed: kernel BUG at fs/buffer.c:LINE! run #8: crashed: kernel BUG at fs/buffer.c:LINE! run #9: crashed: kernel BUG at fs/buffer.c:LINE! # git bisect bad 49e54187ae0b2f9b5c0760e568a103baf4481610 Bisecting: 9 revisions left to test after this (roughly 3 steps) [e9c2edc098921173920df370c69b5c38fe52df56] nvme-tcp: remove dead code testing commit e9c2edc098921173920df370c69b5c38fe52df56 with gcc (GCC) 8.1.0 kernel signature: 97c13adc679d7861702c3457f351c634bb5bad90 run #0: basic kernel testing failed: failed to copy test binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/syzkaller/jobs/linux/workdir/image/key" "/tmp/syz-executor887554788" "root@10.128.1.47:./syz-executor887554788"]: exit status 1 ssh: connect to host 10.128.1.47 port 22: Connection timed out lost connection run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect good e9c2edc098921173920df370c69b5c38fe52df56 Bisecting: 4 revisions left to test after this (roughly 2 steps) [6299358d198a0635da2dd3c4b3ec37789e811e44] nvme: introduce NVME_QUIRK_IGNORE_DEV_SUBNQN testing commit 6299358d198a0635da2dd3c4b3ec37789e811e44 with gcc (GCC) 8.1.0 kernel signature: 828e21e2f57aac83dbbc040fc26cd5fb608c4e6a all runs: OK # git bisect good 6299358d198a0635da2dd3c4b3ec37789e811e44 Bisecting: 2 revisions left to test after this (roughly 1 step) [5db470e229e22b7eda6e23b5566e532c96fb5bc3] loop: drop caches if offset or block_size are changed testing commit 5db470e229e22b7eda6e23b5566e532c96fb5bc3 with gcc (GCC) 8.1.0 kernel signature: 2d904ffa816782b08a9970b5960b4b814b434048 all runs: crashed: kernel BUG at fs/buffer.c:LINE! # git bisect bad 5db470e229e22b7eda6e23b5566e532c96fb5bc3 Bisecting: 0 revisions left to test after this (roughly 0 steps) [649d4968860ba708636ad643bd52b28027367042] block: fix kerneldoc comment for blk_attempt_plug_merge() testing commit 649d4968860ba708636ad643bd52b28027367042 with gcc (GCC) 8.1.0 kernel signature: 726a6639fcee44cd2a9fe2654edd35a426080c8c all runs: OK # git bisect good 649d4968860ba708636ad643bd52b28027367042 5db470e229e22b7eda6e23b5566e532c96fb5bc3 is the first bad commit commit 5db470e229e22b7eda6e23b5566e532c96fb5bc3 Author: Jaegeuk Kim Date: Wed Jan 9 19:17:14 2019 -0800 loop: drop caches if offset or block_size are changed If we don't drop caches used in old offset or block_size, we can get old data from new offset/block_size, which gives unexpected data to user. For example, Martijn found a loopback bug in the below scenario. 1) LOOP_SET_FD loads first two pages on loop file 2) LOOP_SET_STATUS64 changes the offset on the loop file 3) mount is failed due to the cached pages having wrong superblock Cc: Jens Axboe Cc: linux-block@vger.kernel.org Reported-by: Martijn Coenen Reviewed-by: Bart Van Assche Signed-off-by: Jaegeuk Kim Signed-off-by: Jens Axboe drivers/block/loop.c | 35 +++++++++++++++++++++++++++++++++-- 1 file changed, 33 insertions(+), 2 deletions(-) culprit signature: 2d904ffa816782b08a9970b5960b4b814b434048 parent signature: 726a6639fcee44cd2a9fe2654edd35a426080c8c revisions tested: 21, total time: 4h26m55.52805722s (build: 1h52m35.980712519s, test: 2h32m9.267346981s) first bad commit: 5db470e229e22b7eda6e23b5566e532c96fb5bc3 loop: drop caches if offset or block_size are changed cc: ["axboe@kernel.dk" "bvanassche@acm.org" "jaegeuk@kernel.org"] crash: kernel BUG at fs/buffer.c:LINE! ------------[ cut here ]------------ kernel BUG at fs/buffer.c:3046! invalid opcode: 0000 [#1] PREEMPT SMP KASAN CPU: 1 PID: 11423 Comm: syz-executor.0 Not tainted 4.20.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:submit_bh_wbc+0x515/0x6b0 fs/buffer.c:3046 Code: 93 fc ff 4c 89 ef e8 3a 2b 6f 01 31 c0 48 83 c4 20 5b 41 5c 41 5d 41 5e 41 5f 5d c3 f0 41 80 64 24 01 f7 e9 9a fb ff ff 0f 0b <0f> 0b 0f 0b 0f 0b 0f 0b 0f 0b e8 6c 07 eb ff e9 2c fe ff ff 48 89 RSP: 0018:ffff8880892479b8 EFLAGS: 00010246 RAX: 0000000000000005 RBX: 0000000000000800 RCX: 0000000000000000 RDX: 1ffff110126f3550 RSI: 0000000000000800 RDI: 0000000000000001 RBP: ffff888089247a00 R08: 0000000000000000 R09: ffffed10126f355c R10: ffffed10126f355c R11: ffff88809379aae3 R12: ffff88809379aa80 R13: 0000000000000800 R14: 0000000000000000 R15: 0000000000000000 FS: 00007f9beaa32700(0000) GS:ffff8880aeb00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000758080 CR3: 00000000a62fa000 CR4: 00000000001406e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: submit_bh fs/buffer.c:3093 [inline] __sync_dirty_buffer+0xcd/0x230 fs/buffer.c:3179 sync_dirty_buffer+0xe/0x10 fs/buffer.c:3192 fat_set_state+0x1be/0x280 fs/fat/inode.c:702 fat_fill_super+0x1dc7/0x37e0 fs/fat/inode.c:1873 vfat_fill_super+0x15/0x20 fs/fat/namei_vfat.c:1049 mount_bdev+0x278/0x330 fs/super.c:1158 vfat_mount+0x10/0x20 fs/fat/namei_vfat.c:1056 mount_fs+0x7f/0x2a9 fs/super.c:1261 vfs_kern_mount.part.35+0x58/0x3d0 fs/namespace.c:961 vfs_kern_mount fs/namespace.c:951 [inline] do_new_mount fs/namespace.c:2469 [inline] do_mount+0x36e/0x2410 fs/namespace.c:2801 ksys_mount+0xba/0xe0 fs/namespace.c:3017 __do_sys_mount fs/namespace.c:3031 [inline] __se_sys_mount fs/namespace.c:3028 [inline] __x64_sys_mount+0xb9/0x150 fs/namespace.c:3028 do_syscall_64+0xd0/0x4d0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x45d36a Code: b8 a6 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 4d 8c fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 2a 8c fb ff c3 66 0f 1f 84 00 00 00 00 00 RSP: 002b:00007f9beaa31a68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 RAX: ffffffffffffffda RBX: 0000000000000007 RCX: 000000000045d36a RDX: 00007f9beaa31ae0 RSI: 00000000200002c0 RDI: 00007f9beaa31b00 RBP: 000000000075bf20 R08: 00007f9beaa31b40 R09: 00007f9beaa31ae0 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f9beaa326d4 R13: 00000000004cae75 R14: 00000000004e4378 R15: 00000000ffffffff Modules linked in: ---[ end trace 5e895aa2904e1ac1 ]--- RIP: 0010:submit_bh_wbc+0x515/0x6b0 fs/buffer.c:3046 Code: 93 fc ff 4c 89 ef e8 3a 2b 6f 01 31 c0 48 83 c4 20 5b 41 5c 41 5d 41 5e 41 5f 5d c3 f0 41 80 64 24 01 f7 e9 9a fb ff ff 0f 0b <0f> 0b 0f 0b 0f 0b 0f 0b 0f 0b e8 6c 07 eb ff e9 2c fe ff ff 48 89 RSP: 0018:ffff8880892479b8 EFLAGS: 00010246 RAX: 0000000000000005 RBX: 0000000000000800 RCX: 0000000000000000 RDX: 1ffff110126f3550 RSI: 0000000000000800 RDI: 0000000000000001 RBP: ffff888089247a00 R08: 0000000000000000 R09: ffffed10126f355c R10: ffffed10126f355c R11: ffff88809379aae3 R12: ffff88809379aa80 R13: 0000000000000800 R14: 0000000000000000 R15: 0000000000000000 kobject: 'loop3' (0000000026adfea9): kobject_uevent_env FS: 00007f9beaa32700(0000) GS:ffff8880aeb00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000018e0a78 CR3: 00000000a62fa000 CR4: 00000000001406e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 kobject: 'loop3' (0000000026adfea9): fill_kobj_path: path = '/devices/virtual/block/loop3'