bisecting cause commit starting from d2a22790db7075dbd0738d24d1c5ee4611421c4c
building syzkaller on 36b0b05078430cbedb73c32bed7f78056ce77536
testing commit d2a22790db7075dbd0738d24d1c5ee4611421c4c with gcc (GCC) 8.1.0
kernel signature: 75032931d59015926f7e975fc950fb90539955d7b74cc5f5f2d847a3fabd1dfa
run #0: crashed: KASAN: use-after-free Read in dput
run #1: crashed: KASAN: use-after-free Read in dput
run #2: crashed: KASAN: use-after-free Read in dput
run #3: crashed: KASAN: use-after-free Read in dput
run #4: crashed: KASAN: use-after-free Read in dput
run #5: crashed: KASAN: use-after-free Read in dput
run #6: OK
run #7: OK
run #8: OK
run #9: OK
testing release v5.6
testing commit 7111951b8d4973bda27ff663f2cf18b663d15b48 with gcc (GCC) 8.1.0
kernel signature: 1075e534d6d29a2d01b5a53e5cb35f49b692b8412533bb3e73952ecae7c8a5e1
all runs: OK
# git bisect start d2a22790db7075dbd0738d24d1c5ee4611421c4c 7111951b8d4973bda27ff663f2cf18b663d15b48
Bisecting: 6694 revisions left to test after this (roughly 13 steps)
[f365ab31efacb70bed1e821f7435626e0b2528a6] Merge tag 'drm-next-2020-04-01' of git://anongit.freedesktop.org/drm/drm
testing commit f365ab31efacb70bed1e821f7435626e0b2528a6 with gcc (GCC) 8.1.0
kernel signature: c9182fbabe1b54fb62ed269b74b1325b16cc433c19e3705187778f73eedc8fc7
all runs: OK
# git bisect good f365ab31efacb70bed1e821f7435626e0b2528a6
Bisecting: 3344 revisions left to test after this (roughly 12 steps)
[828907ef25e0133f50c346ef5a3c79a707a9b100] Merge tag 'gpio-v5.7-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio
testing commit 828907ef25e0133f50c346ef5a3c79a707a9b100 with gcc (GCC) 8.1.0
kernel signature: ce44d1ea3488bd5d094075a1da7bcc7b30266e4101d74fafea39e3f880717f5e
run #0: crashed: KASAN: use-after-free Read in dput
run #1: crashed: KASAN: use-after-free Read in dput
run #2: crashed: KASAN: use-after-free Read in dput
run #3: crashed: KASAN: use-after-free Read in dput
run #4: crashed: KASAN: use-after-free Read in dput
run #5: crashed: KASAN: use-after-free Read in dput
run #6: crashed: KASAN: use-after-free Read in dput
run #7: crashed: KASAN: use-after-free Read in dput
run #8: crashed: KASAN: use-after-free Read in dput
run #9: OK
# git bisect bad 828907ef25e0133f50c346ef5a3c79a707a9b100
Bisecting: 1639 revisions left to test after this (roughly 11 steps)
[e109f506074152b7241bcbd3949a099e776cb802] Merge tag 'mtd/for-5.7' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux
testing commit e109f506074152b7241bcbd3949a099e776cb802 with gcc (GCC) 8.1.0
kernel signature: 21e00514635512ea66642df15fa36b591548ccfa322ff7951c6e9ba5aad9c416
run #0: crashed: KASAN: use-after-free Read in dput
run #1: crashed: KASAN: use-after-free Read in dput
run #2: crashed: KASAN: use-after-free Read in dput
run #3: crashed: KASAN: use-after-free Read in dput
run #4: crashed: KASAN: use-after-free Read in dput
run #5: crashed: KASAN: use-after-free Read in dput
run #6: crashed: KASAN: use-after-free Read in dput
run #7: crashed: KASAN: use-after-free Read in dput
run #8: OK
run #9: OK
# git bisect bad e109f506074152b7241bcbd3949a099e776cb802
Bisecting: 801 revisions left to test after this (roughly 10 steps)
[8c1b724ddb218f221612d4c649bc9c7819d8d7a6] Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm
testing commit 8c1b724ddb218f221612d4c649bc9c7819d8d7a6 with gcc (GCC) 8.1.0
kernel signature: 806bc87428181ef7aaba4159d75d3b90ded451d4e4b896e1075e3237c5943bd6
run #0: crashed: KASAN: use-after-free Read in dput
run #1: crashed: KASAN: use-after-free Read in dput
run #2: crashed: KASAN: use-after-free Read in dput
run #3: crashed: KASAN: use-after-free Read in dput
run #4: crashed: BUG: corrupted list in __dentry_kill
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 8c1b724ddb218f221612d4c649bc9c7819d8d7a6
Bisecting: 450 revisions left to test after this (roughly 9 steps)
[7be97138e7276c71cc9ad1752dcb502d28f4400d] Merge tag 'xfs-5.7-merge-8' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux
testing commit 7be97138e7276c71cc9ad1752dcb502d28f4400d with gcc (GCC) 8.1.0
kernel signature: b34d6b2820288194ff2d8984d10cf243b8369d14910824eaf5fe9760a093c589
run #0: crashed: KASAN: use-after-free Read in dput
run #1: crashed: KASAN: use-after-free Read in dput
run #2: crashed: KASAN: use-after-free Read in dput
run #3: crashed: KASAN: use-after-free Read in dput
run #4: crashed: KASAN: use-after-free Read in dput
run #5: crashed: KASAN: use-after-free Read in dput
run #6: crashed: KASAN: use-after-free Read in dput
run #7: crashed: KASAN: use-after-free Read in dput
run #8: OK
run #9: OK
# git bisect bad 7be97138e7276c71cc9ad1752dcb502d28f4400d
Bisecting: 212 revisions left to test after this (roughly 8 steps)
[919dce24701f7b34681a6a1d3ef95c9f6c4fb1cc] Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma
testing commit 919dce24701f7b34681a6a1d3ef95c9f6c4fb1cc with gcc (GCC) 8.1.0
kernel signature: 62a0a6b214dbcf7787352b8a1667dc9bdd3e7f73e7d1476265744016cf1eb144
all runs: OK
# git bisect good 919dce24701f7b34681a6a1d3ef95c9f6c4fb1cc
Bisecting: 106 revisions left to test after this (roughly 7 steps)
[d59f44d3e723c4f7143d910dfa333f2bdb587bbc] xfs: directory bestfree check should release buffers
testing commit d59f44d3e723c4f7143d910dfa333f2bdb587bbc with gcc (GCC) 8.1.0
kernel signature: 0bb56592253f5e99017aa4a1fd268db1a969157821f81385fb6e3c8fa6237b0a
all runs: OK
# git bisect good d59f44d3e723c4f7143d910dfa333f2bdb587bbc
Bisecting: 53 revisions left to test after this (roughly 6 steps)
[7ef482fa65513b18eed05a5c5f00413aad137810] helper for mount rootwards traversal
testing commit 7ef482fa65513b18eed05a5c5f00413aad137810 with gcc (GCC) 8.1.0
kernel signature: bdf84ae40b4ce9458896bde647e71b9b907013dfa3026cc045686525528d75d6
run #0: OK
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: boot failed: can't ssh into the instance
# git bisect good 7ef482fa65513b18eed05a5c5f00413aad137810
Bisecting: 26 revisions left to test after this (roughly 5 steps)
[4b871ce26ab2c758ea90b8dd659e4267aae9e943] Merged 'Infrastructure to allow fixing exec deadlocks' from Bernd Edlinger
testing commit 4b871ce26ab2c758ea90b8dd659e4267aae9e943 with gcc (GCC) 8.1.0
kernel signature: 8b8640e8ab45495bb0e9e7e3f75931f568e5aa1efe03a12f1dc5860a92402a7b
run #0: crashed: KASAN: use-after-free Read in dput
run #1: crashed: KASAN: use-after-free Read in dput
run #2: crashed: KASAN: use-after-free Read in dput
run #3: crashed: KASAN: use-after-free Read in dput
run #4: crashed: KASAN: use-after-free Read in dput
run #5: crashed: KASAN: use-after-free Read in dput
run #6: crashed: KASAN: use-after-free Read in dput
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 4b871ce26ab2c758ea90b8dd659e4267aae9e943
Bisecting: 13 revisions left to test after this (roughly 4 steps)
[2ca7be7d55ad84fb0f7c2a23fb700a28fd76b19a] exec: Only compute current once in flush_old_exec
testing commit 2ca7be7d55ad84fb0f7c2a23fb700a28fd76b19a with gcc (GCC) 8.1.0
kernel signature: ae354a1779005748a065cfe25a577f235f90f09d3007da3a56c8fec2501c5e07
run #0: crashed: KASAN: use-after-free Read in dput
run #1: crashed: KASAN: use-after-free Read in dput
run #2: crashed: KASAN: use-after-free Read in dput
run #3: crashed: BUG: corrupted list in __dentry_kill
run #4: crashed: KASAN: use-after-free Read in dput
run #5: crashed: KASAN: use-after-free Read in dput
run #6: crashed: KASAN: use-after-free Read in dput
run #7: crashed: KASAN: use-after-free Read in dput
run #8: OK
run #9: OK
# git bisect bad 2ca7be7d55ad84fb0f7c2a23fb700a28fd76b19a
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[7bc3e6e55acf065500a24621f3b313e7e5998acf] proc: Use a list of inodes to flush from proc
testing commit 7bc3e6e55acf065500a24621f3b313e7e5998acf with gcc (GCC) 8.1.0
kernel signature: c6b86fdbb527b75db37f7fc7724fb72b16cbbd1db53521c46c5a57c4ab23a3fa
all runs: OK
# git bisect good 7bc3e6e55acf065500a24621f3b313e7e5998acf
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[76313c70c52f930af4afd21684509ca52297ea71] uml: Create a private mount of proc for mconsole
testing commit 76313c70c52f930af4afd21684509ca52297ea71 with gcc (GCC) 8.1.0
kernel signature: 27b8d343d6cff72f6db4fe98e381aa5445c645cd90a544d3d074395d621993b1
all runs: OK
# git bisect good 76313c70c52f930af4afd21684509ca52297ea71
Bisecting: 1 revision left to test after this (roughly 1 step)
[af9fe6d607c9f456fb6c1cb87e1dc66a43846efd] pid: Improve the comment about waiting in zap_pid_ns_processes
testing commit af9fe6d607c9f456fb6c1cb87e1dc66a43846efd with gcc (GCC) 8.1.0
kernel signature: 84db211a3efe649416c16c1bca6ab0f5394e8a1eeb1ed78d2fc407f32649caaa
run #0: crashed: KASAN: use-after-free Read in dput
run #1: crashed: KASAN: use-after-free Read in dput
run #2: crashed: KASAN: use-after-free Read in dput
run #3: crashed: KASAN: use-after-free Read in dput
run #4: crashed: KASAN: use-after-free Read in dput
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad af9fe6d607c9f456fb6c1cb87e1dc66a43846efd
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[69879c01a0c3f70e0887cfb4d9ff439814361e46] proc: Remove the now unnecessary internal mount of proc
testing commit 69879c01a0c3f70e0887cfb4d9ff439814361e46 with gcc (GCC) 8.1.0
kernel signature: 36b6f0a97ca9a02d44d732dd71bd1e4f91eb04e3d80070a438e12d1a03c1ace6
run #0: crashed: KASAN: use-after-free Read in dput
run #1: crashed: KASAN: use-after-free Read in dput
run #2: crashed: KASAN: use-after-free Read in dput
run #3: crashed: KASAN: use-after-free Read in dput
run #4: crashed: KASAN: use-after-free Read in dput
run #5: crashed: KASAN: use-after-free Read in dput
run #6: crashed: KASAN: use-after-free Read in dput
run #7: crashed: KASAN: use-after-free Read in dput
run #8: crashed: KASAN: use-after-free Read in dput
run #9: OK
# git bisect bad 69879c01a0c3f70e0887cfb4d9ff439814361e46
69879c01a0c3f70e0887cfb4d9ff439814361e46 is the first bad commit
commit 69879c01a0c3f70e0887cfb4d9ff439814361e46
Author: Eric W. Biederman <ebiederm@xmission.com>
Date:   Thu Feb 20 08:08:20 2020 -0600

    proc: Remove the now unnecessary internal mount of proc
    
    There remains no more code in the kernel using pids_ns->proc_mnt,
    therefore remove it from the kernel.
    
    The big benefit of this change is that one of the most error prone and
    tricky parts of the pid namespace implementation, maintaining kernel
    mounts of proc is removed.
    
    In addition removing the unnecessary complexity of the kernel mount
    fixes a regression that caused the proc mount options to be ignored.
    Now that the initial mount of proc comes from userspace, those mount
    options are again honored.  This fixes Android's usage of the proc
    hidepid option.
    
    Reported-by: Alistair Strachan <astrachan@google.com>
    Fixes: e94591d0d90c ("proc: Convert proc_mount to use mount_ns.")
    Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>

 fs/proc/root.c                | 36 ------------------------------------
 include/linux/pid_namespace.h |  2 --
 include/linux/proc_ns.h       |  5 -----
 kernel/pid.c                  |  8 --------
 kernel/pid_namespace.c        |  7 -------
 5 files changed, 58 deletions(-)
culprit signature: 36b6f0a97ca9a02d44d732dd71bd1e4f91eb04e3d80070a438e12d1a03c1ace6
parent  signature: 27b8d343d6cff72f6db4fe98e381aa5445c645cd90a544d3d074395d621993b1
revisions tested: 16, total time: 4h22m15.746602877s (build: 1h41m12.671633376s, test: 2h39m55.278452019s)
first bad commit: 69879c01a0c3f70e0887cfb4d9ff439814361e46 proc: Remove the now unnecessary internal mount of proc
cc: ["0x7f454c46@gmail.com" "adobriyan@gmail.com" "areber@redhat.com" "arnd@arndb.de" "avagin@gmail.com" "christian.brauner@ubuntu.com" "cyphar@cyphar.com" "ebiederm@xmission.com" "linux-fsdevel@vger.kernel.org" "linux-kernel@vger.kernel.org" "mcroce@redhat.com" "oleg@redhat.com" "sargun@sargun.me" "tglx@linutronix.de" "viro@zeniv.linux.org.uk"]
crash: KASAN: use-after-free Read in dput
proc_fill_super: can't allocate /proc/self
==================================================================
BUG: KASAN: use-after-free in fast_dput fs/dcache.c:727 [inline]
BUG: KASAN: use-after-free in dput.part.30+0x367/0xa60 fs/dcache.c:846
Read of size 4 at addr ffff888089661000 by task syz-executor.1/8911

CPU: 0 PID: 8911 Comm: syz-executor.1 Not tainted 5.6.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x128/0x182 lib/dump_stack.c:118
 print_address_description.constprop.8.cold.10+0x9/0x317 mm/kasan/report.c:374
 __kasan_report.cold.11+0x1c/0x34 mm/kasan/report.c:506
 kasan_report+0xe/0x20 mm/kasan/common.c:641
 fast_dput fs/dcache.c:727 [inline]
 dput.part.30+0x367/0xa60 fs/dcache.c:846
 proc_kill_sb+0x59/0xb0 fs/proc/root.c:195
 deactivate_locked_super+0x6f/0xc0 fs/super.c:335
 vfs_get_super+0x1f8/0x290 fs/super.c:1212
 vfs_get_tree+0x7e/0x2c0 fs/super.c:1547
 do_new_mount fs/namespace.c:2822 [inline]
 do_mount+0x10c3/0x1710 fs/namespace.c:3107
 __do_sys_mount fs/namespace.c:3316 [inline]
 __se_sys_mount fs/namespace.c:3293 [inline]
 __x64_sys_mount+0x15d/0x1b0 fs/namespace.c:3293
 do_syscall_64+0xc6/0x5e0 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45c889
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f651cdebc78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007f651cdec6d4 RCX: 000000000045c889
RDX: 0000000020000140 RSI: 0000000020000040 RDI: 0000000000000000
RBP: 000000000076bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000003
R13: 0000000000000749 R14: 00000000004ca15a R15: 0000000000000013

Allocated by task 8896:
 save_stack+0x19/0x80 mm/kasan/common.c:72
 set_track mm/kasan/common.c:80 [inline]
 __kasan_kmalloc.constprop.17+0xc1/0xd0 mm/kasan/common.c:515
 slab_post_alloc_hook mm/slab.h:584 [inline]
 slab_alloc mm/slab.c:3320 [inline]
 kmem_cache_alloc+0x11b/0x740 mm/slab.c:3484
 __d_alloc+0x25/0x870 fs/dcache.c:1690
 d_alloc+0x3f/0x200 fs/dcache.c:1769
 d_alloc_name+0x70/0xa0 fs/dcache.c:1831
 proc_setup_self+0xde/0x370 fs/proc/self.c:44
 proc_fill_super+0x35c/0x590 fs/proc/root.c:133
 vfs_get_super+0xe8/0x290 fs/super.c:1191
 vfs_get_tree+0x7e/0x2c0 fs/super.c:1547
 do_new_mount fs/namespace.c:2822 [inline]
 do_mount+0x10c3/0x1710 fs/namespace.c:3107
 __do_sys_mount fs/namespace.c:3316 [inline]
 __se_sys_mount fs/namespace.c:3293 [inline]
 __x64_sys_mount+0x15d/0x1b0 fs/namespace.c:3293
 do_syscall_64+0xc6/0x5e0 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 16:
 save_stack+0x19/0x80 mm/kasan/common.c:72
 set_track mm/kasan/common.c:80 [inline]
 kasan_set_free_info mm/kasan/common.c:337 [inline]
 __kasan_slab_free+0xf7/0x140 mm/kasan/common.c:476
 __cache_free mm/slab.c:3426 [inline]
 kmem_cache_free+0x7f/0x320 mm/slab.c:3694
 rcu_do_batch kernel/rcu/tree.c:2186 [inline]
 rcu_core+0x584/0x1290 kernel/rcu/tree.c:2410
 __do_softirq+0x26e/0x9b2 kernel/softirq.c:292

The buggy address belongs to the object at ffff888089661000
 which belongs to the cache dentry of size 288
The buggy address is located 0 bytes inside of
 288-byte region [ffff888089661000, ffff888089661120)
The buggy address belongs to the page:
page:ffffea0002259840 refcount:1 mapcount:0 mapping:ffff8880aa5f8a80 index:0xffff888089661b00
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea00021612c8 ffffea0002293388 ffff8880aa5f8a80
raw: ffff888089661b00 ffff888089661000 0000000100000008 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888089660f00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
 ffff888089660f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888089661000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff888089661080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888089661100: fb fb fb fb fc fc fc fc fc fc fc fc 00 00 00 00
==================================================================