bisecting cause commit starting from d19cc4bfbff1ae72c3505a00fb8ce0d3fa519e6c building syzkaller on 6a81331a1d4c744da9204d02ec88d558f7eea9c9 testing commit d19cc4bfbff1ae72c3505a00fb8ce0d3fa519e6c with gcc (GCC) 10.2.1 20210217 kernel signature: 1b534883ce897ef3baf29c9360c54ea65dc476113b19ba88af45dd3cc21e9a34 run #0: crashed: WARNING in mntput_no_expire run #1: crashed: WARNING in mntput_no_expire run #2: crashed: BUG: corrupted list in __dentry_kill run #3: crashed: WARNING in mntput_no_expire run #4: crashed: WARNING in mntput_no_expire run #5: crashed: WARNING in mntput_no_expire run #6: crashed: WARNING in mntput_no_expire run #7: crashed: WARNING in mntput_no_expire run #8: crashed: WARNING in mntput_no_expire run #9: crashed: WARNING in mntput_no_expire run #10: crashed: WARNING in mntput_no_expire run #11: crashed: WARNING in mntput_no_expire run #12: crashed: WARNING in mntput_no_expire run #13: crashed: WARNING in mntput_no_expire run #14: crashed: WARNING in mntput_no_expire run #15: crashed: WARNING in mntput_no_expire run #16: crashed: WARNING in mntput_no_expire run #17: crashed: WARNING in mntput_no_expire run #18: crashed: WARNING in mntput_no_expire run #19: crashed: WARNING in mntput_no_expire testing release v5.11 testing commit f40ddce88593482919761f74910f42f4b84c004b with gcc (GCC) 10.2.1 20210217 kernel signature: e99cd9f143ce9d9fcac692e506c1f42fd7bad007e669bcc2d658384620d3ab58 all runs: OK # git bisect start d19cc4bfbff1ae72c3505a00fb8ce0d3fa519e6c f40ddce88593482919761f74910f42f4b84c004b Bisecting: 5983 revisions left to test after this (roughly 13 steps) [d99676af540c2dc829999928fb81c58c80a1dce4] Merge tag 'drm-next-2021-02-19' of git://anongit.freedesktop.org/drm/drm testing commit d99676af540c2dc829999928fb81c58c80a1dce4 with gcc (GCC) 10.2.1 20210217 kernel signature: 5ad479128f117a1d38bc7ee59edcdb592a5fda3fb52cbc77b71fa4437ceb8a6d run #0: crashed: WARNING in mntput_no_expire run #1: crashed: WARNING in mntput_no_expire run #2: crashed: WARNING in mntput_no_expire run #3: crashed: WARNING in mntput_no_expire run #4: crashed: WARNING in mntput_no_expire run #5: crashed: WARNING in mntput_no_expire run #6: crashed: BUG: corrupted list in __dentry_kill run #7: crashed: WARNING in mntput_no_expire run #8: crashed: WARNING in mntput_no_expire run #9: crashed: WARNING in mntput_no_expire # git bisect bad d99676af540c2dc829999928fb81c58c80a1dce4 Bisecting: 3717 revisions left to test after this (roughly 12 steps) [f9d58de23152f2c16f326d7e014cfa2933b00304] Merge tag 'affs-for-5.12-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux testing commit f9d58de23152f2c16f326d7e014cfa2933b00304 with gcc (GCC) 10.2.1 20210217 kernel signature: 0e15079a3ab74417003eea81f14abff1aea815e5e366ab0cff272ccab2f025d2 run #0: boot failed: failed to delete instance: googleapi: Error 503: The service is currently unavailable., backendError run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect good f9d58de23152f2c16f326d7e014cfa2933b00304 Bisecting: 1854 revisions left to test after this (roughly 11 steps) [de1617578849acab8e16c9ffdce39b91fb50639d] Merge tag 'media/v5.12-1' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media testing commit de1617578849acab8e16c9ffdce39b91fb50639d with gcc (GCC) 10.2.1 20210217 kernel signature: 7e28e05eb4da68a9f518c2e311ced71a9dc6276ac4662a3b4b036b603ea6bbcd run #0: crashed: WARNING in mntput_no_expire run #1: crashed: WARNING in mntput_no_expire run #2: crashed: WARNING in mntput_no_expire run #3: crashed: WARNING in mntput_no_expire run #4: crashed: WARNING in mntput_no_expire run #5: crashed: BUG: corrupted list in __dentry_kill run #6: crashed: WARNING in mntput_no_expire run #7: crashed: BUG: corrupted list in __dentry_kill run #8: crashed: WARNING in mntput_no_expire run #9: boot failed: WARNING in kvm_wait # git bisect bad de1617578849acab8e16c9ffdce39b91fb50639d Bisecting: 929 revisions left to test after this (roughly 10 steps) [4a037ad5d115b2cc79a5071a7854475f365476fa] Merge tag 'for-linus-5.12-rc1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip testing commit 4a037ad5d115b2cc79a5071a7854475f365476fa with gcc (GCC) 10.2.1 20210217 kernel signature: 004ba018d015baabd4e7208e2297f7528a5d4a346a8f96386c9b2e5d310cecf1 run #0: crashed: WARNING in mntput_no_expire run #1: crashed: WARNING in mntput_no_expire run #2: crashed: WARNING in mntput_no_expire run #3: crashed: WARNING in mntput_no_expire run #4: crashed: WARNING in mntput_no_expire run #5: crashed: WARNING in mntput_no_expire run #6: boot failed: WARNING in kvm_wait run #7: boot failed: WARNING in kvm_wait run #8: boot failed: WARNING in kvm_wait run #9: boot failed: WARNING in kvm_wait # git bisect bad 4a037ad5d115b2cc79a5071a7854475f365476fa Bisecting: 451 revisions left to test after this (roughly 9 steps) [582cd91f69de8e44857cb610ebca661dac8656b7] Merge tag 'for-5.12/block-2021-02-17' of git://git.kernel.dk/linux-block testing commit 582cd91f69de8e44857cb610ebca661dac8656b7 with gcc (GCC) 10.2.1 20210217 kernel signature: 98a7c4f543254251b4d086d0bfa838a217fd1758106acf0ea8f5cb17b266d9ab run #0: crashed: KASAN: use-after-free Read in chroot_fs_refs run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK reproducer seems to be flaky # git bisect bad 582cd91f69de8e44857cb610ebca661dac8656b7 Bisecting: 233 revisions left to test after this (roughly 8 steps) [99f1a5872b706094ece117368170a92c66b2e242] Merge tag 'nfsd-5.12' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux testing commit 99f1a5872b706094ece117368170a92c66b2e242 with gcc (GCC) 10.2.1 20210217 kernel signature: bae2727ed3c40f0b295398e3050d35b49dbdbc99019e3aecacc34257a9ac0f69 all runs: OK # git bisect good 99f1a5872b706094ece117368170a92c66b2e242 Bisecting: 107 revisions left to test after this (roughly 7 steps) [24880bef417f6e9069158c750969d18793427a10] Merge tag 'oprofile-removal-5.12' of git://git.kernel.org/pub/scm/linux/kernel/git/vireshk/linux testing commit 24880bef417f6e9069158c750969d18793427a10 with gcc (GCC) 10.2.1 20210217 kernel signature: c5cbfc7f415f44ca281234dcb49b94f92a63314a7a0a82d84c535deb8c727f80 all runs: OK # git bisect good 24880bef417f6e9069158c750969d18793427a10 Bisecting: 53 revisions left to test after this (roughly 6 steps) [482e302a61f1fc62b0e13be20bc7a11a91b5832d] blk: wbt: remove unused parameter from wbt_should_throttle testing commit 482e302a61f1fc62b0e13be20bc7a11a91b5832d with gcc (GCC) 10.2.1 20210217 kernel signature: f67cd83de3bcae26f2c63129a7da48e0e8e56707254555de1f4256f5be1e638b all runs: OK # git bisect good 482e302a61f1fc62b0e13be20bc7a11a91b5832d Bisecting: 26 revisions left to test after this (roughly 5 steps) [f7bf5e24e0b40fdb2321d9cf2b41043425fb4f9d] block: drop removed argument from kernel-doc of blk_execute_rq() testing commit f7bf5e24e0b40fdb2321d9cf2b41043425fb4f9d with gcc (GCC) 10.2.1 20210217 kernel signature: 2d1d0bf3eb3316ff099acb3ef495a184d1c09321385d04551d5b7bf245d30cb2 all runs: OK # git bisect good f7bf5e24e0b40fdb2321d9cf2b41043425fb4f9d Bisecting: 13 revisions left to test after this (roughly 4 steps) [72b043654ba8b8ce2e0cf3da49247b2db3acb2c1] md/raid10: remove dead code in reshape_request testing commit 72b043654ba8b8ce2e0cf3da49247b2db3acb2c1 with gcc (GCC) 10.2.1 20210217 kernel signature: 80c6ea5916545192cb341723a565ee1051fd3e14ee187462cf6947567d5e0e44 all runs: boot failed: general protection fault in mempool_alloc_slab # git bisect skip 72b043654ba8b8ce2e0cf3da49247b2db3acb2c1 Bisecting: 13 revisions left to test after this (roughly 4 steps) [5752dc78a18118ae143962e10e5c28344d8ab731] nullb: use blk_queue_set_zoned() to setup zoned devices testing commit 5752dc78a18118ae143962e10e5c28344d8ab731 with gcc (GCC) 10.2.1 20210217 kernel signature: 8f623763eaacce454d0b3bb5c1c3c3c2c953ebac3141e0f5ae3694037c002d41 run #0: crashed: KASAN: use-after-free Read in chroot_fs_refs run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK # git bisect bad 5752dc78a18118ae143962e10e5c28344d8ab731 Bisecting: 7 revisions left to test after this (roughly 3 steps) [0f2e6ab851ae146c468bc5151c302c6e2473f70a] block: turn the nr_iovecs argument to bio_alloc* into an unsigned short testing commit 0f2e6ab851ae146c468bc5151c302c6e2473f70a with gcc (GCC) 10.2.1 20210217 kernel signature: 681073781bf879dc53b002e5ff84abf77fcfed41d553ee0b722811fb62c11fc5 all runs: boot failed: general protection fault in mempool_alloc_slab # git bisect skip 0f2e6ab851ae146c468bc5151c302c6e2473f70a Bisecting: 7 revisions left to test after this (roughly 3 steps) [7a800a20ae6329e803c5c646b20811a6ae9ca136] block: use bi_max_vecs to find the bvec pool testing commit 7a800a20ae6329e803c5c646b20811a6ae9ca136 with gcc (GCC) 10.2.1 20210217 kernel signature: af58eb3bad625c7407ebcebe3f137d749c2dfe6d6eb62903b4598539060e571c all runs: OK # git bisect good 7a800a20ae6329e803c5c646b20811a6ae9ca136 Bisecting: 0 revisions left to test after this (roughly 1 step) [73d90386b559d6f4c3c5db5e6bb1b68aae8fd3e7] nvme: cleanup zone information initialization testing commit 73d90386b559d6f4c3c5db5e6bb1b68aae8fd3e7 with gcc (GCC) 10.2.1 20210217 kernel signature: c742c53f9da6cd21d636c3c840bd0bce0e01c9ed861d30e73a1906a12799bc86 run #0: crashed: KASAN: use-after-free Read in chroot_fs_refs run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK # git bisect bad 73d90386b559d6f4c3c5db5e6bb1b68aae8fd3e7 Bisecting: 0 revisions left to test after this (roughly 0 steps) [f1836426cea77fad342aa74bec8bf489a5d64b27] block: document zone_append_max_bytes attribute testing commit f1836426cea77fad342aa74bec8bf489a5d64b27 with gcc (GCC) 10.2.1 20210217 kernel signature: af58eb3bad625c7407ebcebe3f137d749c2dfe6d6eb62903b4598539060e571c all runs: OK # git bisect good f1836426cea77fad342aa74bec8bf489a5d64b27 73d90386b559d6f4c3c5db5e6bb1b68aae8fd3e7 is the first bad commit commit 73d90386b559d6f4c3c5db5e6bb1b68aae8fd3e7 Author: Damien Le Moal Date: Thu Jan 28 13:47:27 2021 +0900 nvme: cleanup zone information initialization For a zoned namespace, in nvme_update_ns_info(), call nvme_update_zone_info() after executing nvme_update_disk_info() so that the namespace queue logical and physical block size limits are set. This allows setting the namespace queue max_zone_append_sectors limit in nvme_update_zone_info() instead of nvme_revalidate_zones(), simplifying this function. Also use blk_queue_set_zoned() to set the namespace zoned model. Signed-off-by: Damien Le Moal Reviewed-by: Christoph Hellwig Reviewed-by: Chaitanya Kulkarni Reviewed-by: Johannes Thumshirn Signed-off-by: Jens Axboe drivers/nvme/host/core.c | 11 ++++++----- drivers/nvme/host/zns.c | 11 +++-------- 2 files changed, 9 insertions(+), 13 deletions(-) culprit signature: c742c53f9da6cd21d636c3c840bd0bce0e01c9ed861d30e73a1906a12799bc86 parent signature: af58eb3bad625c7407ebcebe3f137d749c2dfe6d6eb62903b4598539060e571c Reproducer flagged being flaky revisions tested: 17, total time: 4h36m44.666701376s (build: 2h1m52.685457107s, test: 2h33m10.300446009s) first bad commit: 73d90386b559d6f4c3c5db5e6bb1b68aae8fd3e7 nvme: cleanup zone information initialization recipients (to): ["axboe@kernel.dk" "chaitanya.kulkarni@wdc.com" "damien.lemoal@wdc.com" "hch@lst.de" "johannes.thumshirn@edc.com"] recipients (cc): [] crash: KASAN: use-after-free Read in chroot_fs_refs ================================================================== BUG: KASAN: use-after-free in __lock_acquire+0x3f13/0x57d0 kernel/locking/lockdep.c:4702 Read of size 8 at addr ffff888011a84320 by task syz-executor.5/8808 CPU: 0 PID: 8808 Comm: syz-executor.5 Not tainted 5.11.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x9a/0xcc lib/dump_stack.c:120 print_address_description.constprop.0.cold+0x5b/0x2f8 mm/kasan/report.c:230 __kasan_report mm/kasan/report.c:396 [inline] kasan_report.cold+0x79/0xd5 mm/kasan/report.c:413 __lock_acquire+0x3f13/0x57d0 kernel/locking/lockdep.c:4702 lock_acquire kernel/locking/lockdep.c:5442 [inline] lock_acquire+0x1a8/0x720 kernel/locking/lockdep.c:5407 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:151 spin_lock include/linux/spinlock.h:354 [inline] chroot_fs_refs+0x104/0x5c0 fs/fs_struct.c:70 __do_sys_pivot_root+0xd6f/0x1990 fs/namespace.c:3774 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x466459 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 RSP: 002b:0000000000a9ffa8 EFLAGS: 00000246 ORIG_RAX: 000000000000009b RAX: ffffffffffffffda RBX: 0000000001d5a3bc RCX: 0000000000466459 RDX: 0000000000465567 RSI: 00000000004bfcfb RDI: 00000000004bfbb1 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000001 R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffd11bb7288 R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000400538 Allocated by task 8793: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 kasan_set_track mm/kasan/common.c:46 [inline] set_alloc_info mm/kasan/common.c:401 [inline] ____kasan_kmalloc.constprop.0+0x82/0xa0 mm/kasan/common.c:429 kasan_slab_alloc include/linux/kasan.h:209 [inline] slab_post_alloc_hook mm/slab.h:512 [inline] slab_alloc_node mm/slub.c:2892 [inline] slab_alloc mm/slub.c:2900 [inline] kmem_cache_alloc+0x1c6/0x440 mm/slub.c:2905 copy_fs_struct+0x3e/0x320 fs/fs_struct.c:114 copy_fs kernel/fork.c:1443 [inline] copy_process+0x4645/0x6770 kernel/fork.c:2088 kernel_clone+0xb8/0x7f0 kernel/fork.c:2462 __do_sys_clone+0xaf/0xf0 kernel/fork.c:2579 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Freed by task 10126: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 kasan_set_track+0x1c/0x30 mm/kasan/common.c:46 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:356 ____kasan_slab_free+0xe1/0x110 mm/kasan/common.c:362 kasan_slab_free include/linux/kasan.h:192 [inline] slab_free_hook mm/slub.c:1547 [inline] slab_free_freelist_hook+0x5d/0x150 mm/slub.c:1580 slab_free mm/slub.c:3143 [inline] kmem_cache_free+0x82/0x350 mm/slub.c:3159 do_exit+0xa63/0x2570 kernel/exit.c:821 do_group_exit+0xe7/0x290 kernel/exit.c:922 get_signal+0x36c/0x1c30 kernel/signal.c:2773 arch_do_signal_or_restart+0x2a8/0x1eb0 arch/x86/kernel/signal.c:811 handle_signal_work kernel/entry/common.c:147 [inline] exit_to_user_mode_loop kernel/entry/common.c:171 [inline] exit_to_user_mode_prepare+0x148/0x250 kernel/entry/common.c:201 __syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline] syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:302 entry_SYSCALL_64_after_hwframe+0x44/0xa9 The buggy address belongs to the object at ffff888011a84300 which belongs to the cache fs_cache of size 168 The buggy address is located 32 bytes inside of 168-byte region [ffff888011a84300, ffff888011a843a8) The buggy address belongs to the page: page:000000002611c054 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11a84 flags: 0xfff00000000200(slab) raw: 00fff00000000200 ffffea0000424a40 0000000600000006 ffff88800f5bb500 raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888011a84200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888011a84280: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc >ffff888011a84300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888011a84380: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc ffff888011a84400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================