bisecting cause commit starting from 15bc20c6af4ceee97a1f90b43c0e386643c071b4
building syzkaller on 816e0689d7d9d8321f8bf360740f0e516aee15ca
testing commit 15bc20c6af4ceee97a1f90b43c0e386643c071b4 with gcc (GCC) 8.1.0
kernel signature: 82b17326f5ce667990a08af4ee82c8505225befcdd6b8c044a307507cc58d983
run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release
run #1: crashed: kernel BUG at fs/inode.c:LINE!
run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release
run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release
run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release
run #5: crashed: kernel BUG at fs/inode.c:LINE!
run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release
run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release
run #8: crashed: WARNING: ODEBUG bug in exit_to_user_mode_prepare
run #9: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release
testing release v5.8
testing commit bcf876870b95592b52519ed4aafcf9d95999bc9c with gcc (GCC) 8.1.0
kernel signature: 6f5da9f5932b7f318f260156183c107d87eaf9af61ea8e4a1f21beb54b825334
all runs: OK
# git bisect start 15bc20c6af4ceee97a1f90b43c0e386643c071b4 bcf876870b95592b52519ed4aafcf9d95999bc9c
Bisecting: 5975 revisions left to test after this (roughly 13 steps)
[47ec5303d73ea344e84f46660fff693c57641386] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next
testing commit 47ec5303d73ea344e84f46660fff693c57641386 with gcc (GCC) 8.1.0
kernel signature: 49f5432ac35f69f05b88104b798ae08ea4bcc6a6bda5fb8990b6ea8c583f1f82
all runs: OK
# git bisect good 47ec5303d73ea344e84f46660fff693c57641386
Bisecting: 2845 revisions left to test after this (roughly 12 steps)
[fa73e212318a3277ae1f304febbc617c75d4d2db] Merge tag 'media/v5.9-1' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media
testing commit fa73e212318a3277ae1f304febbc617c75d4d2db with gcc (GCC) 8.1.0
kernel signature: 35ea018486dd41e45a964c336605b1aa12a4a33edd5e72e2e366720c7b3a6062
all runs: OK
# git bisect good fa73e212318a3277ae1f304febbc617c75d4d2db
Bisecting: 1420 revisions left to test after this (roughly 11 steps)
[9ad57f6dfc2345ed5d3a8bf4dabac0a34069c54c] Merge branch 'akpm' (patches from Andrew)
testing commit 9ad57f6dfc2345ed5d3a8bf4dabac0a34069c54c with gcc (GCC) 8.1.0
kernel signature: ec0079ad2a2cd37823e1869905c9a0d3489765e871186d9f6ddd5204ad27d903
all runs: boot failed: WARNING in mem_cgroup_css_alloc
# git bisect skip 9ad57f6dfc2345ed5d3a8bf4dabac0a34069c54c
Bisecting: 1420 revisions left to test after this (roughly 11 steps)
[2f059db0b8313f8964ac917394e7425d966a6884] ktest.pl: Always show log file location if defined even on success
testing commit 2f059db0b8313f8964ac917394e7425d966a6884 with gcc (GCC) 8.1.0
kernel signature: 38e7994f9a56cf2872a94e5c7a96acc24a64a0f2fc617f6719f0a4d8d117ec23
all runs: OK
# git bisect good 2f059db0b8313f8964ac917394e7425d966a6884
Bisecting: 1420 revisions left to test after this (roughly 11 steps)
[44a7f3e8222a7345b72a83a26d6d599bba815cf9] clk: socfpga: agilex: mpu_l2ram_clk should be mpu_ccu_clk
testing commit 44a7f3e8222a7345b72a83a26d6d599bba815cf9 with gcc (GCC) 8.1.0
kernel signature: acde943d51a0d68c94ffeb2d115a72bc6bace5af78abddfca98b6f69c3d3d316
run #0: basic kernel testing failed: BUG: using smp_processor_id() in preemptible code in ext4_mb_new_blocks
run #1: basic kernel testing failed: BUG: using smp_processor_id() in preemptible code in ext4_mb_new_blocks
run #2: basic kernel testing failed: BUG: using smp_processor_id() in preemptible code in ext4_mb_new_blocks
run #3: basic kernel testing failed: BUG: using smp_processor_id() in preemptible code in ext4_mb_new_blocks
run #4: basic kernel testing failed: BUG: using smp_processor_id() in preemptible code in ext4_mb_new_blocks
run #5: basic kernel testing failed: BUG: using smp_processor_id() in preemptible code in ext4_mb_new_blocks
run #6: basic kernel testing failed: BUG: using smp_processor_id() in preemptible code in ext4_mb_new_blocks
run #7: basic kernel testing failed: BUG: using smp_processor_id() in preemptible code in ext4_mb_new_blocks
run #8: basic kernel testing failed: BUG: using smp_processor_id() in preemptible code in ext4_mb_new_blocks
run #9: boot failed: BUG: using smp_processor_id() in preemptible code in ext4_mb_new_blocks
# git bisect skip 44a7f3e8222a7345b72a83a26d6d599bba815cf9
Bisecting: 1420 revisions left to test after this (roughly 11 steps)
[347a7389a7cc9b91f80deb8d7043e9827d08b328] perf intel-pt: Add support for decoding PSB+ only
testing commit 347a7389a7cc9b91f80deb8d7043e9827d08b328 with gcc (GCC) 8.1.0
kernel signature: f044ff7b6f309bb69915dc1c12d2c0e24715117785811705441dde98cf6ecce4
all runs: OK
# git bisect good 347a7389a7cc9b91f80deb8d7043e9827d08b328
Bisecting: 1343 revisions left to test after this (roughly 10 steps)
[ea6ec774372740b024a6c27caac0d0af8960ea15] Merge tag 'drm-next-2020-08-12' of git://anongit.freedesktop.org/drm/drm
testing commit ea6ec774372740b024a6c27caac0d0af8960ea15 with gcc (GCC) 8.1.0
kernel signature: cd6065b44f5538ad2a015b15f5098ee99b3dc7a54bf11ed050d145212507a356
all runs: boot failed: WARNING in mem_cgroup_css_alloc
# git bisect skip ea6ec774372740b024a6c27caac0d0af8960ea15
Bisecting: 1343 revisions left to test after this (roughly 10 steps)
[43b1bb4a9b3e183af12225f56c27164c10d06223] clk: at91: clk-sam9x60-pll: re-factor to support plls with multiple outputs
testing commit 43b1bb4a9b3e183af12225f56c27164c10d06223 with gcc (GCC) 8.1.0
kernel signature: 68911925b7c917a69ebc8f59516c30eec2077bffb8f776d87be7c6d147f65e8e
all runs: basic kernel testing failed: BUG: using smp_processor_id() in preemptible code in ext4_mb_new_blocks
# git bisect skip 43b1bb4a9b3e183af12225f56c27164c10d06223
Bisecting: 1343 revisions left to test after this (roughly 10 steps)
[35759383133f64d90eba120a0d3efe8f71241650] mptcp: sendmsg: reset iter on error
testing commit 35759383133f64d90eba120a0d3efe8f71241650 with gcc (GCC) 8.1.0
kernel signature: af13e89efdcf85237ef5f302c71a6f62978237f921e4a52b9d24e5b6eec1814b
all runs: OK
# git bisect good 35759383133f64d90eba120a0d3efe8f71241650
Bisecting: 432 revisions left to test after this (roughly 9 steps)
[4cf7562190c795f1f95be6ee0d161107d0dc5d49] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
testing commit 4cf7562190c795f1f95be6ee0d161107d0dc5d49 with gcc (GCC) 8.1.0
kernel signature: 5401512a8b2d6b6028c2a9b2e794a54a61baf6025ec49b14a73ed38b33300cc2
all runs: OK
# git bisect good 4cf7562190c795f1f95be6ee0d161107d0dc5d49
Bisecting: 215 revisions left to test after this (roughly 8 steps)
[9e574b74b781f14fa7348ba8b980b19a250a9c83] Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi
testing commit 9e574b74b781f14fa7348ba8b980b19a250a9c83 with gcc (GCC) 8.1.0
kernel signature: b60c96a17573a74a532c1438c9b04fdf54187a57d74382a0401c54e3edc05168
all runs: OK
# git bisect good 9e574b74b781f14fa7348ba8b980b19a250a9c83
Bisecting: 112 revisions left to test after this (roughly 7 steps)
[550c2129d93d5eb198835ac83c05ef672e8c491c] Merge tag 'x86-urgent-2020-08-23' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
testing commit 550c2129d93d5eb198835ac83c05ef672e8c491c with gcc (GCC) 8.1.0
kernel signature: 9b11ab511916b8b0ca85b52eb01461f78c9b82704d6775f3c6b3ddb7b1cb9a34
run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release
run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release
run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release
run #3: crashed: kernel BUG at fs/inode.c:LINE!
run #4: crashed: kernel BUG at fs/inode.c:LINE!
run #5: crashed: kernel BUG at fs/inode.c:LINE!
run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release
run #7: crashed: kernel BUG at fs/inode.c:LINE!
run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release
run #9: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release
# git bisect bad 550c2129d93d5eb198835ac83c05ef672e8c491c
Bisecting: 51 revisions left to test after this (roughly 6 steps)
[4af7b32f84aa4cd60e39b355bc8a1eab6cd8d8a4] Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf
testing commit 4af7b32f84aa4cd60e39b355bc8a1eab6cd8d8a4 with gcc (GCC) 8.1.0
kernel signature: e15faf45556627ef7d7fabef5f3c25df22db208317d43c856a4a55000fcaf851
all runs: OK
# git bisect good 4af7b32f84aa4cd60e39b355bc8a1eab6cd8d8a4
Bisecting: 20 revisions left to test after this (roughly 5 steps)
[c3d8f220d01220a5b253e422be407d068dc65511] Merge tag 'kbuild-fixes-v5.9' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild
testing commit c3d8f220d01220a5b253e422be407d068dc65511 with gcc (GCC) 8.1.0
kernel signature: 5ecb18ce76663af6d1a12364a82bb9281dac96865335f794909d60aa74f1ae0c
all runs: OK
# git bisect good c3d8f220d01220a5b253e422be407d068dc65511
Bisecting: 11 revisions left to test after this (roughly 3 steps)
[e99b2507baccca79394ec646e3d1a0884667ea98] Merge tag 'core-urgent-2020-08-23' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
testing commit e99b2507baccca79394ec646e3d1a0884667ea98 with gcc (GCC) 8.1.0
kernel signature: e041f5c3ded89695849a60a3b3fd59c0c9fbdd18c0417c0addb4a2b8c2ace090
run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release
run #1: crashed: kernel BUG at fs/inode.c:LINE!
run #2: crashed: kernel BUG at fs/inode.c:LINE!
run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release
run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release
run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release
run #6: crashed: kernel BUG at fs/inode.c:LINE!
run #7: crashed: kernel BUG at fs/inode.c:LINE!
run #8: crashed: kernel BUG at fs/inode.c:LINE!
run #9: crashed: WARNING: ODEBUG bug in exit_to_user_mode_prepare
# git bisect bad e99b2507baccca79394ec646e3d1a0884667ea98
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[9d045ed1ebe1a6115d3fa9930c5371defb31d95a] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
testing commit 9d045ed1ebe1a6115d3fa9930c5371defb31d95a with gcc (GCC) 8.1.0
kernel signature: 3ee05ca19cc76212944f20f1a942aa6e8261c2519b17cbb81a6264acafc8b9e5
run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release
run #1: crashed: kernel BUG at fs/inode.c:LINE!
run #2: crashed: WARNING: ODEBUG bug in exit_to_user_mode_prepare
run #3: crashed: kernel BUG at fs/inode.c:LINE!
run #4: crashed: kernel BUG at fs/inode.c:LINE!
run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release
run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release
run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release
run #8: crashed: kernel BUG at fs/inode.c:LINE!
run #9: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release
# git bisect bad 9d045ed1ebe1a6115d3fa9930c5371defb31d95a
Bisecting: 2 revisions left to test after this (roughly 1 step)
[52c479697c9b73f628140dcdfcd39ea302d05482] do_epoll_ctl(): clean the failure exits up a bit
testing commit 52c479697c9b73f628140dcdfcd39ea302d05482 with gcc (GCC) 8.1.0
kernel signature: b8741c00c2ebe1a54db6e9c8b027c62d963ed0b352a97caed0dc52ab3d876cb1
run #0: crashed: kernel BUG at fs/inode.c:LINE!
run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release
run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release
run #3: crashed: kernel BUG at fs/inode.c:LINE!
run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release
run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release
run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release
run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release
run #8: crashed: kernel BUG at fs/inode.c:LINE!
run #9: crashed: WARNING: ODEBUG bug in exit_to_user_mode_prepare
# git bisect bad 52c479697c9b73f628140dcdfcd39ea302d05482
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[a9ed4a6560b8562b7e2e2bed9527e88001f7b682] epoll: Keep a reference on files added to the check list
testing commit a9ed4a6560b8562b7e2e2bed9527e88001f7b682 with gcc (GCC) 8.1.0
kernel signature: 4876ffa5831e84671cf2e7666fb1d632d1205887f43008b79b9cb70f22991837
run #0: crashed: kernel BUG at fs/inode.c:LINE!
run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release
run #2: crashed: kernel BUG at fs/inode.c:LINE!
run #3: crashed: kernel BUG at fs/inode.c:LINE!
run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release
run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release
run #6: crashed: WARNING: ODEBUG bug in exit_to_user_mode_prepare
run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release
run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release
run #9: crashed: kernel BUG at fs/inode.c:LINE!
# git bisect bad a9ed4a6560b8562b7e2e2bed9527e88001f7b682
a9ed4a6560b8562b7e2e2bed9527e88001f7b682 is the first bad commit
commit a9ed4a6560b8562b7e2e2bed9527e88001f7b682
Author: Marc Zyngier
Date:   Wed Aug 19 17:12:17 2020 +0100

    epoll: Keep a reference on files added to the check list

    When adding a new fd to an epoll, and that this new fd is an
    epoll fd itself, we recursively scan the fds attached to it
    to detect cycles, and add non-epoll files to a "check list"
    that gets subsequently parsed.

    However, this check list isn't completely safe when deletions
    can happen concurrently.

    To sidestep the issue, make sure that a struct file placed on
    the check list sees its f_count increased, ensuring that a
    concurrent deletion won't result in the file disappearing from
    under our feet.

    Cc: stable@vger.kernel.org
    Signed-off-by: Marc Zyngier
    Signed-off-by: Al Viro

 fs/eventpoll.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

parent commit 9123e3a74ec7b934a4a099e98af6a61c2f80bbf5 wasn't tested
testing commit 9123e3a74ec7b934a4a099e98af6a61c2f80bbf5 with gcc (GCC) 8.1.0
kernel signature: b9f11e3a81bf438873750726f594321e79fa063a1b9ccf1b89d830e1d75f79bf
culprit signature: 4876ffa5831e84671cf2e7666fb1d632d1205887f43008b79b9cb70f22991837
parent signature: b9f11e3a81bf438873750726f594321e79fa063a1b9ccf1b89d830e1d75f79bf
revisions tested: 20, total time: 4h18m38.950539318s (build: 1h44m29.784957422s, test: 2h32m10.402475961s)
first bad commit: a9ed4a6560b8562b7e2e2bed9527e88001f7b682 epoll: Keep a reference on files added to the check list
recipients (to): ["linux-kernel@vger.kernel.org" "maz@kernel.org" "viro@zeniv.linux.org.uk"]
recipients (cc): ["linux-fsdevel@vger.kernel.org" "viro@zeniv.linux.org.uk"]
crash: kernel BUG at fs/inode.c:LINE!
------------[ cut here ]------------
kernel BUG at fs/inode.c:1668!
invalid opcode: 0000 [#1] PREEMPT SMP
CPU: 1 PID: 25469 Comm: syz-executor.0 Not tainted 5.9.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:iput+0x26f/0x2b0 fs/inode.c:1668
Code: e0 ef e9 24 ff ff ff 85 d2 0f 84 1c ff ff ff 48 83 bb 90 01 00 00 00 0f 84 0e ff ff ff a9 00 00 01 00 0f 85 03 ff ff ff eb 9b <0f> 0b c3 a9 b7 08 00 00 75 1c 8b 83 08 02 00 00 85 c0 75 12 48 8b
RSP: 0018:ffffc90002303e78 EFLAGS: 00010202
RAX: 0000000000000000 RBX: ffff88811db0fe00 RCX: 0000000000000001
RDX: 0000000000000000 RSI: ffff88811b350100 RDI: ffff88811b350100
RBP: 00000000002e0003 R08: 0000000000000001 R09: 0000000000000001
R10: ffffffffffed39f8 R11: 0000000000005400 R12: ffff88811b350100
R13: ffff88821ba6d560 R14: ffff88810dd36618 R15: 0000000000000000
FS:  00000000032f6940(0000) GS:ffff88812c100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000010db0a000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 sock_close+0xf/0x20 net/socket.c:1277
 __fput+0xaa/0x250 fs/file_table.c:281
 task_work_run+0x68/0xb0 kernel/task_work.c:141
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:139 [inline]
 exit_to_user_mode_prepare+0x1e2/0x1f0 kernel/entry/common.c:166
 syscall_exit_to_user_mode+0x59/0x2b0 kernel/entry/common.c:241
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x416f01
Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007ffdeaaa7050 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000004 RCX: 0000000000416f01
RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000001190358 R09: 0000000000000000
R10: 00007ffdeaaa7130 R11: 0000000000000293 R12: 0000000001190360
R13: 0000000000000000 R14: ffffffffffffffff R15: 000000000118cf4c
Modules linked in:
---[ end trace 6ae586297b8a7f6d ]---
RIP: 0010:iput+0x26f/0x2b0 fs/inode.c:1668
Code: e0 ef e9 24 ff ff ff 85 d2 0f 84 1c ff ff ff 48 83 bb 90 01 00 00 00 0f 84 0e ff ff ff a9 00 00 01 00 0f 85 03 ff ff ff eb 9b <0f> 0b c3 a9 b7 08 00 00 75 1c 8b 83 08 02 00 00 85 c0 75 12 48 8b
RSP: 0018:ffffc90002303e78 EFLAGS: 00010202
RAX: 0000000000000000 RBX: ffff88811db0fe00 RCX: 0000000000000001
RDX: 0000000000000000 RSI: ffff88811b350100 RDI: ffff88811b350100
RBP: 00000000002e0003 R08: 0000000000000001 R09: 0000000000000001
R10: ffffffffffed39f8 R11: 0000000000005400 R12: ffff88811b350100
R13: ffff88821ba6d560 R14: ffff88810dd36618 R15: 0000000000000000
FS:  00000000032f6940(0000) GS:ffff88812c000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000557e06dab4a8 CR3: 000000010db0a000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400