bisecting cause commit starting from 09d4f10a5e78d76a53e3e584f1e6a701b6d24108 building syzkaller on 0342f8c7bc656ea8ee3c45e49edeb4ee9cc12cce testing commit 09d4f10a5e78d76a53e3e584f1e6a701b6d24108 with gcc (GCC) 8.1.0 kernel signature: 6af77c2ef1f96c2f0dd119a3917326c2c247a9be all runs: crashed: KASAN: slab-out-of-bounds Read in bitmap_ip_ext_cleanup testing release v5.4 testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0 kernel signature: f202a6b416de7ff60a119665f22d0cfafcae4b9a all runs: crashed: KASAN: use-after-free Read in bitmap_ip_ext_cleanup testing release v5.3 testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.1.0 kernel signature: a9d1c74f910fa1b37dee84f593c3cff57661969d all runs: crashed: KASAN: use-after-free Read in bitmap_ip_ext_cleanup testing release v5.2 testing commit 0ecfebd2b52404ae0c54a878c872bb93363ada36 with gcc (GCC) 8.1.0 kernel signature: 9f8a84338874a5442c7240e585429d8f051c6183 all runs: OK # git bisect start 4d856f72c10ecb060868ed10ff1b1453943fc6c8 0ecfebd2b52404ae0c54a878c872bb93363ada36 Bisecting: 7848 revisions left to test after this (roughly 13 steps) [43c95d3694cc448fdf50bd53b7ff3a5bb4655883] Merge tag 'pinctrl-v5.3-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl testing commit 43c95d3694cc448fdf50bd53b7ff3a5bb4655883 with gcc (GCC) 8.1.0 kernel signature: 7d0c0a084116616248771db4498d03b8430e6d14 all runs: crashed: KASAN: use-after-free Read in bitmap_ip_ext_cleanup # git bisect bad 43c95d3694cc448fdf50bd53b7ff3a5bb4655883 Bisecting: 4619 revisions left to test after this (roughly 12 steps) [8f6ccf6159aed1f04c6d179f61f6fb2691261e84] Merge tag 'clone3-v5.3' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux testing commit 8f6ccf6159aed1f04c6d179f61f6fb2691261e84 with gcc (GCC) 8.1.0 kernel signature: 8cad70e81d78935c044a350fdd139e489d57cba3 run #0: crashed: general protection fault in batadv_iv_ogm_queue_add run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 8f6ccf6159aed1f04c6d179f61f6fb2691261e84 Bisecting: 1595 revisions left to test after this (roughly 11 steps) [ed63b9c873601ca113da5c7b1745e3946493e9f3] Merge tag 'media/v5.3-1' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media testing commit ed63b9c873601ca113da5c7b1745e3946493e9f3 with gcc (GCC) 8.1.0 kernel signature: 22ba3c45c801583cae650d3e7845839dfa1309d9 all runs: OK # git bisect good ed63b9c873601ca113da5c7b1745e3946493e9f3 Bisecting: 798 revisions left to test after this (roughly 10 steps) [4b4704520d97b74e045154fc3b844b73ae4e7ebd] Merge tag 'acpi-5.3-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm testing commit 4b4704520d97b74e045154fc3b844b73ae4e7ebd with gcc (GCC) 8.1.0 kernel signature: 473231c6a1c6fa657f731ab53efc9db0933208a1 all runs: OK # git bisect good 4b4704520d97b74e045154fc3b844b73ae4e7ebd Bisecting: 345 revisions left to test after this (roughly 9 steps) [608745f12462e2d8d94d5cc5dc94bf0960a881e3] Merge branch 'perf-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip testing commit 608745f12462e2d8d94d5cc5dc94bf0960a881e3 with gcc (GCC) 8.1.0 kernel signature: 54b97c5b04a347daee310934f247812ce4f1f677 all runs: OK # git bisect good 608745f12462e2d8d94d5cc5dc94bf0960a881e3 Bisecting: 175 revisions left to test after this (roughly 8 steps) [988052f47adc5c3b0b004180b59bb3761d91b752] Merge tag 'locks-v5.3-1' of git://git.kernel.org/pub/scm/linux/kernel/git/jlayton/linux testing commit 988052f47adc5c3b0b004180b59bb3761d91b752 with gcc (GCC) 8.1.0 kernel signature: bd2f9c8b071ac410892782f32ef6d89f563e18e3 all runs: OK # git bisect good 988052f47adc5c3b0b004180b59bb3761d91b752 Bisecting: 83 revisions left to test after this (roughly 7 steps) [2e756758e5cb4ea29cba5865d00fad476ce94a93] Merge tag 'ext4_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4 testing commit 2e756758e5cb4ea29cba5865d00fad476ce94a93 with gcc (GCC) 8.1.0 kernel signature: cf1a672332ccf36b6b0caf228c641b6fd477eab0 all runs: OK # git bisect good 2e756758e5cb4ea29cba5865d00fad476ce94a93 Bisecting: 49 revisions left to test after this (roughly 5 steps) [b78fa45d4edb92fd7b882b2ec25b936cad412670] nfsd: Make __get_nfsdfs_client() static testing commit b78fa45d4edb92fd7b882b2ec25b936cad412670 with gcc (GCC) 8.1.0 kernel signature: cc48411c63a4b217e588802fbc4b726e7af87a0b all runs: OK # git bisect good b78fa45d4edb92fd7b882b2ec25b936cad412670 Bisecting: 29 revisions left to test after this (roughly 5 steps) [d2b6b4c832f7e3067709e8d4970b7b82b44419ac] Merge tag 'nfsd-5.3' of git://linux-nfs.org/~bfields/linux testing commit d2b6b4c832f7e3067709e8d4970b7b82b44419ac with gcc (GCC) 8.1.0 kernel signature: 36d4c210dd0181585baef543eed4536b82d86b2c all runs: OK # git bisect good d2b6b4c832f7e3067709e8d4970b7b82b44419ac Bisecting: 14 revisions left to test after this (roughly 4 steps) [a445d988b4790e06bb94e927e740017675d7e700] binfmt_flat: move the MAX_SHARED_LIBS definition to binfmt_flat.c testing commit a445d988b4790e06bb94e927e740017675d7e700 with gcc (GCC) 8.1.0 kernel signature: ae1a7bf3792008c933f2f442ea5cbb3fa4153fdd all runs: OK # git bisect good a445d988b4790e06bb94e927e740017675d7e700 Bisecting: 9 revisions left to test after this (roughly 3 steps) [172bb24a4f480c180bee646f6616f714ac4bcab2] tests: add pidfd_open() tests testing commit 172bb24a4f480c180bee646f6616f714ac4bcab2 with gcc (GCC) 8.1.0 kernel signature: a87b6f5da2293b75c5ca9e0cb0ad6b36bff353ad all runs: OK # git bisect good 172bb24a4f480c180bee646f6616f714ac4bcab2 Bisecting: 4 revisions left to test after this (roughly 2 steps) [29cd581b59496c26334c910a8b848baa81a6becd] Merge tag 'm68k-for-v5.3-tag2' of git://git.kernel.org/pub/scm/linux/kernel/git/geert/linux-m68k testing commit 29cd581b59496c26334c910a8b848baa81a6becd with gcc (GCC) 8.1.0 kernel signature: f6e545c4c1a42c4e29649a44b559678b2426ecd8 all runs: OK # git bisect good 29cd581b59496c26334c910a8b848baa81a6becd Bisecting: 2 revisions left to test after this (roughly 1 step) [8f3220a806545442f6f26195bc491520f5276e7c] arch: wire-up clone3() syscall testing commit 8f3220a806545442f6f26195bc491520f5276e7c with gcc (GCC) 8.1.0 kernel signature: 8c95a4927e353ceb043fae76fac3ab99e7342c51 all runs: OK # git bisect good 8f3220a806545442f6f26195bc491520f5276e7c Bisecting: 1 revision left to test after this (roughly 1 step) [d68dbb0c9ac8b1ff52eb09aa58ce6358400fa939] arch: handle arches who do not yet define clone3 testing commit d68dbb0c9ac8b1ff52eb09aa58ce6358400fa939 with gcc (GCC) 8.1.0 kernel signature: 9ccc149bb217708ff4aa9a9f5c24762bdcf68ebd run #0: crashed: general protection fault in batadv_iv_ogm_queue_add run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad d68dbb0c9ac8b1ff52eb09aa58ce6358400fa939 d68dbb0c9ac8b1ff52eb09aa58ce6358400fa939 is the first bad commit commit d68dbb0c9ac8b1ff52eb09aa58ce6358400fa939 Author: Christian Brauner Date: Fri Jun 21 01:26:35 2019 +0200 arch: handle arches who do not yet define clone3 This cleanly handles arches who do not yet define clone3. clone3() was initially placed under __ARCH_WANT_SYS_CLONE under the assumption that this would cleanly handle all architectures. It does not. Architectures such as nios2 or h8300 simply take the asm-generic syscall definitions and generate their syscall table from it. Since they don't define __ARCH_WANT_SYS_CLONE the build would fail complaining about sys_clone3 missing. The reason this doesn't happen for legacy clone is that nios2 and h8300 provide assembly stubs for sys_clone. This seems to be done for architectural reasons. The build failures for nios2 and h8300 were caught int -next luckily. The solution is to define __ARCH_WANT_SYS_CLONE3 that architectures can add. Additionally, we need a cond_syscall(clone3) for architectures such as nios2 or h8300 that generate their syscall table in the way I explained above. Fixes: 8f3220a80654 ("arch: wire-up clone3() syscall") Signed-off-by: Christian Brauner Cc: Arnd Bergmann Cc: Kees Cook Cc: David Howells Cc: Andrew Morton Cc: Oleg Nesterov Cc: Adrian Reber Cc: Linus Torvalds Cc: Al Viro Cc: Florian Weimer Cc: linux-api@vger.kernel.org Cc: linux-arch@vger.kernel.org Cc: x86@kernel.org arch/arm/include/asm/unistd.h | 1 + arch/arm64/include/asm/unistd.h | 1 + arch/x86/include/asm/unistd.h | 1 + arch/xtensa/include/asm/unistd.h | 1 + kernel/fork.c | 2 ++ kernel/sys_ni.c | 2 ++ 6 files changed, 8 insertions(+) culprit signature: 9ccc149bb217708ff4aa9a9f5c24762bdcf68ebd parent signature: 8c95a4927e353ceb043fae76fac3ab99e7342c51 revisions tested: 18, total time: 4h53m6.688135269s (build: 1h56m20.790681706s, test: 2h53m44.079058182s) first bad commit: d68dbb0c9ac8b1ff52eb09aa58ce6358400fa939 arch: handle arches who do not yet define clone3 cc: ["akpm@linux-foundation.org" "allison@lohutok.net" "arnd@arndb.de" "axboe@kernel.dk" "bp@alien8.de" "catalin.marinas@arm.com" "chris@zankel.net" "christian@brauner.io" "elena.reshetova@intel.com" "geert@linux-m68k.org" "hare@suse.com" "heiko.carstens@de.ibm.com" "hpa@zytor.com" "info@metux.net" "jcmvbkbc@gmail.com" "linux-api@vger.kernel.org" "linux-arm-kernel@lists.infradead.org" "linux-kernel@vger.kernel.org" "linux-xtensa@linux-xtensa.org" "linux@armlinux.org.uk" "mingo@redhat.com" "peterz@infradead.org" "tglx@linutronix.de" "viro@zeniv.linux.org.uk" "will@kernel.org" "x86@kernel.org"] crash: general protection fault in batadv_iv_ogm_queue_add kasan: CONFIG_KASAN_INLINE enabled kasan: GPF could be caused by NULL-ptr deref or user memory access general protection fault: 0000 [#1] PREEMPT SMP KASAN CPU: 0 PID: 2586 Comm: kworker/u4:4 Not tainted 5.2.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: bat_events batadv_iv_send_outstanding_bat_ogm_packet RIP: 0010:batadv_iv_ogm_queue_add+0x9b/0xe50 net/batman-adv/bat_iv_ogm.c:599 Code: 44 89 8d 64 ff ff ff c7 02 f1 f1 f1 f1 c7 42 04 04 f2 f2 f2 48 89 fa 65 48 8b 0c 25 28 00 00 00 48 89 4d d0 31 c9 48 c1 ea 03 <0f> b6 04 02 48 89 fa 83 e2 07 38 d0 7f 08 84 c0 0f 85 a2 0b 00 00 RSP: 0018:ffff8880a0c3fab8 EFLAGS: 00010246 RAX: dffffc0000000000 RBX: ffff88808bc0dd80 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: ffff8880a0c3fbd0 R08: ffff888085dec340 R09: 0000000000000001 R10: ffffed1014187f8f R11: 0000000000000003 R12: 0000000000000007 R13: ffff888085dec368 R14: ffff888085dec340 R15: 000000000000003c FS: 0000000000000000(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005555555ebb50 CR3: 000000009801a000 CR4: 00000000001406f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: batadv_iv_ogm_schedule+0xb60/0xe90 net/batman-adv/bat_iv_ogm.c:807 batadv_iv_send_outstanding_bat_ogm_packet+0x4a2/0x790 net/batman-adv/bat_iv_ogm.c:1669 process_one_work+0x830/0x16a0 kernel/workqueue.c:2268 worker_thread+0x85/0xb60 kernel/workqueue.c:2414 kthread+0x324/0x3e0 kernel/kthread.c:254 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 Modules linked in: ---[ end trace 3f8c7cce68172a66 ]--- RIP: 0010:batadv_iv_ogm_queue_add+0x9b/0xe50 net/batman-adv/bat_iv_ogm.c:599 Code: 44 89 8d 64 ff ff ff c7 02 f1 f1 f1 f1 c7 42 04 04 f2 f2 f2 48 89 fa 65 48 8b 0c 25 28 00 00 00 48 89 4d d0 31 c9 48 c1 ea 03 <0f> b6 04 02 48 89 fa 83 e2 07 38 d0 7f 08 84 c0 0f 85 a2 0b 00 00 RSP: 0018:ffff8880a0c3fab8 EFLAGS: 00010246 RAX: dffffc0000000000 RBX: ffff88808bc0dd80 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: ffff8880a0c3fbd0 R08: ffff888085dec340 R09: 0000000000000001 R10: ffffed1014187f8f R11: 0000000000000003 R12: 0000000000000007 R13: ffff888085dec368 R14: ffff888085dec340 R15: 000000000000003c FS: 0000000000000000(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000004bf968 CR3: 0000000097c57000 CR4: 00000000001406e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400