bisecting cause commit starting from 8903263671cb22bc33545eb7cbd68c875bb87e95 building syzkaller on bc238812ae6d1f5a7e99ff60b5b3089a73f1cfb3 testing commit 8903263671cb22bc33545eb7cbd68c875bb87e95 with gcc (GCC) 8.1.0 kernel signature: c1cab4f91e643aa76c061afb5a4c00f53d5e690061cab4201d6e7be9eee2776c run #0: crashed: BUG: Bad rss-counter state run #1: crashed: BUG: Bad rss-counter state run #2: crashed: WARNING in __mmdrop run #3: crashed: BUG: Bad rss-counter state run #4: crashed: BUG: Bad rss-counter state run #5: crashed: WARNING in __mmdrop run #6: crashed: BUG: Bad rss-counter state run #7: crashed: WARNING in __mmdrop run #8: crashed: WARNING in __mmdrop run #9: crashed: BUG: Bad rss-counter state testing release v5.7 testing commit 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162 with gcc (GCC) 8.1.0 kernel signature: c9631746ff7225b0f989861909f66c4e0507db10a758a96404375c030b7bde95 all runs: OK # git bisect start 8903263671cb22bc33545eb7cbd68c875bb87e95 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162 Bisecting: 11518 revisions left to test after this (roughly 14 steps) [3b69e8b4571125bec1f77f886174fe6cab6b9d75] Merge tag 'sh-for-5.8' of git://git.libc.org/linux-sh testing commit 3b69e8b4571125bec1f77f886174fe6cab6b9d75 with gcc (GCC) 8.1.0 kernel signature: 62cd702ae8e99e24b1fbd49e4edf0d1ccbe445e1be02614b82d74caa4a362534 run #0: basic kernel testing failed: BUG: using smp_processor_id() in preemptible code in corrupted run #1: basic kernel testing failed: BUG: using smp_processor_id() in preemptible code in ext4_mb_new_blocks run #2: basic kernel testing failed: BUG: using smp_processor_id() in preemptible code in ext4_mb_new_blocks run #3: basic kernel testing failed: BUG: using smp_processor_id() in preemptible code in ext4_mb_new_blocks run #4: basic kernel testing failed: BUG: using smp_processor_id() in preemptible code in ext4_mb_new_blocks run #5: basic kernel testing failed: BUG: using smp_processor_id() in preemptible code in ext4_mb_new_blocks run #6: basic kernel testing failed: BUG: using smp_processor_id() in preemptible code in ext4_mb_new_blocks run #7: basic kernel testing failed: BUG: using smp_processor_id() in preemptible code in ext4_mb_new_blocks run #8: basic kernel testing failed: BUG: using smp_processor_id() in preemptible code in ext4_mb_new_blocks run #9: basic kernel testing failed: BUG: using smp_processor_id() in preemptible code in ext4_mb_new_blocks # git bisect skip 3b69e8b4571125bec1f77f886174fe6cab6b9d75 Bisecting: 11518 revisions left to test after this (roughly 14 steps) [342ed2400b78072cc01c0130ce41240dec60d56d] workqueue: Remove unnecessary kfree() call in rcu_free_wq() testing commit 342ed2400b78072cc01c0130ce41240dec60d56d with gcc (GCC) 8.1.0 kernel signature: 52fcdfc1d6e4f4e4bc2df6652bf981bd7a4e0a2def16173d9161928db0a10c5d all runs: OK # git bisect good 342ed2400b78072cc01c0130ce41240dec60d56d Bisecting: 11518 revisions left to test after this (roughly 14 steps) [234ef0d085b353798583d758f983bc49943c6fcf] btrfs: make insert_reserved_file_extent take btrfs_inode testing commit 234ef0d085b353798583d758f983bc49943c6fcf with gcc (GCC) 8.1.0 kernel signature: 6f8cbc5476c5881ee1e8da55b1a1424dd0c2a43b13b67ed6f8589b999e9d8161 all runs: OK # git bisect good 234ef0d085b353798583d758f983bc49943c6fcf Bisecting: 3572 revisions left to test after this (roughly 12 steps) [8344b918c68afb44575ac387600e29b22f426bbb] Merge remote-tracking branch 'crypto/master' testing commit 8344b918c68afb44575ac387600e29b22f426bbb with gcc (GCC) 8.1.0 kernel signature: c8518989e82f0e78149aff1c67a3103750317883ee3239faaa42f25cbc8e1393 all runs: OK # git bisect good 8344b918c68afb44575ac387600e29b22f426bbb Bisecting: 1777 revisions left to test after this (roughly 11 steps) [3b4036f7fdca4f6139ee41e18dc8ca9b0d26a37c] Merge remote-tracking branch 'regulator/for-next' testing commit 3b4036f7fdca4f6139ee41e18dc8ca9b0d26a37c with gcc (GCC) 8.1.0 kernel signature: cd3fd244b45d04d7ebb04211e699e3b5d25b54d433cd81500f199738e553d5e0 all runs: OK # git bisect good 3b4036f7fdca4f6139ee41e18dc8ca9b0d26a37c Bisecting: 881 revisions left to test after this (roughly 10 steps) [6564efb0a3f904acf5fced3bbebfc822db2ee3c8] Merge remote-tracking branch 'thunderbolt/next' testing commit 6564efb0a3f904acf5fced3bbebfc822db2ee3c8 with gcc (GCC) 8.1.0 kernel signature: 1604bd9bf058fbf8f5ccf6b24aa3752cf50339921b2815460a88f7584257a04a run #0: crashed: WARNING in __mmdrop run #1: crashed: WARNING in corrupted run #2: crashed: WARNING in __mmdrop run #3: crashed: BUG: Bad rss-counter state run #4: crashed: WARNING in __mmdrop run #5: crashed: BUG: Bad rss-counter state run #6: crashed: BUG: Bad rss-counter state run #7: crashed: WARNING in __mmdrop run #8: crashed: WARNING in __mmdrop run #9: crashed: WARNING in __mmdrop # git bisect bad 6564efb0a3f904acf5fced3bbebfc822db2ee3c8 Bisecting: 376 revisions left to test after this (roughly 9 steps) [e6d4e6a67ba0bc0799434d6436b17f9c0640bd55] Merge remote-tracking branch 'rcu/rcu/next' testing commit e6d4e6a67ba0bc0799434d6436b17f9c0640bd55 with gcc (GCC) 8.1.0 kernel signature: afe275e398384d0918f283dc636fb5d674273076a05725fa9ddca837bfc19800 run #0: crashed: BUG: Bad rss-counter state run #1: crashed: BUG: Bad rss-counter state run #2: crashed: BUG: Bad rss-counter state run #3: crashed: BUG: Bad rss-counter state run #4: crashed: WARNING in __mmdrop run #5: crashed: WARNING in __mmdrop run #6: crashed: WARNING in __mmdrop run #7: crashed: BUG: Bad rss-counter state run #8: crashed: WARNING in __mmdrop run #9: crashed: BUG: Bad rss-counter state # git bisect bad e6d4e6a67ba0bc0799434d6436b17f9c0640bd55 Bisecting: 248 revisions left to test after this (roughly 8 steps) [4822d10d0adf0c9ddcd2a15a1885e4b838b2f4de] Merge remote-tracking branch 'tip/auto-latest' testing commit 4822d10d0adf0c9ddcd2a15a1885e4b838b2f4de with gcc (GCC) 8.1.0 kernel signature: eb471e419d784c3b65f1c8f5f376b6bb1a7e376bbb66b6e27cbadfdf6d662aef run #0: crashed: BUG: Bad rss-counter state run #1: crashed: BUG: Bad rss-counter state run #2: crashed: BUG: Bad rss-counter state run #3: crashed: WARNING in __mmdrop run #4: crashed: WARNING in __mmdrop run #5: crashed: BUG: Bad rss-counter state run #6: crashed: BUG: Bad rss-counter state run #7: crashed: WARNING in __mmdrop run #8: crashed: WARNING in __mmdrop run #9: crashed: WARNING in __mmdrop # git bisect bad 4822d10d0adf0c9ddcd2a15a1885e4b838b2f4de Bisecting: 134 revisions left to test after this (roughly 7 steps) [f16cac26d056fb472c6eef0efc0f0767ce3aba0c] Merge branch 'irq/urgent' testing commit f16cac26d056fb472c6eef0efc0f0767ce3aba0c with gcc (GCC) 8.1.0 kernel signature: b03db826fab5bf343902d4abf2fd5c3897eea1396050ee01cd0eb6d304c4e168 all runs: OK # git bisect good f16cac26d056fb472c6eef0efc0f0767ce3aba0c Bisecting: 65 revisions left to test after this (roughly 6 steps) [0aebf937d7e482c60f44f6dcc91885941ff7b6b4] Merge remote-tracking branch 'devicetree/for-next' testing commit 0aebf937d7e482c60f44f6dcc91885941ff7b6b4 with gcc (GCC) 8.1.0 kernel signature: 7b0f9ccdf06721695e3f5d87433877de3e49f0e9804bf93e1725b7788b608c06 run #0: crashed: BUG: Bad rss-counter state run #1: crashed: WARNING in __mmdrop run #2: crashed: WARNING in __mmdrop run #3: crashed: BUG: Bad rss-counter state run #4: crashed: BUG: Bad rss-counter state run #5: crashed: BUG: Bad rss-counter state run #6: crashed: WARNING in __mmdrop run #7: crashed: BUG: Bad rss-counter state run #8: crashed: BUG: Bad rss-counter state run #9: crashed: WARNING in __mmdrop # git bisect bad 0aebf937d7e482c60f44f6dcc91885941ff7b6b4 Bisecting: 38 revisions left to test after this (roughly 5 steps) [e5640f21b63d2a5d3e4e0c4111b2b38e99fe5164] Merge branches 'iommu/fixes', 'arm/renesas', 'arm/qcom', 'ppc/pamu', 'x86/amd' and 'core' into next testing commit e5640f21b63d2a5d3e4e0c4111b2b38e99fe5164 with gcc (GCC) 8.1.0 kernel signature: eb8272047527498c84d63d1be77187bfae098b7edc71ca9bb25a3269eb88bac6 run #0: OK run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: boot failed: can't ssh into the instance # git bisect good e5640f21b63d2a5d3e4e0c4111b2b38e99fe5164 Bisecting: 16 revisions left to test after this (roughly 4 steps) [23dfc658b6c1ae7e760e6ccc701fcf5dd32bce88] Merge remote-tracking branch 'audit/next' testing commit 23dfc658b6c1ae7e760e6ccc701fcf5dd32bce88 with gcc (GCC) 8.1.0 kernel signature: df367f8e950772935027dbb75c81f6613505dde224136c31a190a90b80e0d1fb run #0: crashed: BUG: Bad rss-counter state run #1: crashed: BUG: Bad rss-counter state run #2: crashed: BUG: Bad rss-counter state run #3: crashed: WARNING in __mmdrop run #4: crashed: WARNING in __mmdrop run #5: crashed: BUG: Bad rss-counter state run #6: crashed: BUG: Bad rss-counter state run #7: crashed: WARNING in __mmdrop run #8: crashed: BUG: Bad rss-counter state run #9: crashed: WARNING in __mmdrop # git bisect bad 23dfc658b6c1ae7e760e6ccc701fcf5dd32bce88 Bisecting: 10 revisions left to test after this (roughly 4 steps) [2ca8e9e94b24d3d1b665696cf7a3a299cfa537f8] Merge remote-tracking branch 'safesetid/safesetid-next' testing commit 2ca8e9e94b24d3d1b665696cf7a3a299cfa537f8 with gcc (GCC) 8.1.0 kernel signature: 9fdd8da3977fff800dbbbbad0eef8a19043c8f03ac0226e0f4e7d436d3346d34 run #0: crashed: WARNING in __mmdrop run #1: crashed: WARNING in __mmdrop run #2: crashed: WARNING in __mmdrop run #3: crashed: BUG: Bad rss-counter state run #4: crashed: WARNING in __mmdrop run #5: crashed: BUG: Bad rss-counter state run #6: crashed: WARNING in __mmdrop run #7: crashed: WARNING in __mmdrop run #8: crashed: BUG: Bad rss-counter state run #9: crashed: WARNING in __mmdrop # git bisect bad 2ca8e9e94b24d3d1b665696cf7a3a299cfa537f8 Bisecting: 3 revisions left to test after this (roughly 3 steps) [8ca4a830cefa75ef1f5ec7bc828a0b84b71b714f] Merge branch 'next-general' into next-testing testing commit 8ca4a830cefa75ef1f5ec7bc828a0b84b71b714f with gcc (GCC) 8.1.0 kernel signature: 2f4611e693bee99e6b33c5bb65a278f2f39c02524fb85f09748faac5a1b0399c all runs: crashed: KASAN: use-after-free Read in userfaultfd_release # git bisect bad 8ca4a830cefa75ef1f5ec7bc828a0b84b71b714f Bisecting: 2 revisions left to test after this (roughly 2 steps) [cfcfb65869382c7cb075e50684d7f53553b9e37e] Merge branch 'secure_uffd_v5.9' into next-testing testing commit cfcfb65869382c7cb075e50684d7f53553b9e37e with gcc (GCC) 8.1.0 kernel signature: 233d4db815b165c395ccd50e88263b3203293b6c4bba0ea04e501f715c317271 all runs: crashed: KASAN: use-after-free Read in userfaultfd_release # git bisect bad cfcfb65869382c7cb075e50684d7f53553b9e37e Bisecting: 1 revision left to test after this (roughly 1 step) [2b72259a271aa8a8562afb63419cefe75c6455f3] Teach SELinux about anonymous inodes testing commit 2b72259a271aa8a8562afb63419cefe75c6455f3 with gcc (GCC) 8.1.0 kernel signature: 622b4632b93a42c471ba89d7504c2a4dc89c00c10e8c19f2afd613101857d016 all runs: OK # git bisect good 2b72259a271aa8a8562afb63419cefe75c6455f3 Bisecting: 0 revisions left to test after this (roughly 0 steps) [d08ac70b1e0dc71ac2315007bcc3efb283b2eae4] Wire UFFD up to SELinux testing commit d08ac70b1e0dc71ac2315007bcc3efb283b2eae4 with gcc (GCC) 8.1.0 kernel signature: 4b695219e3c8ef5bbdc411a9122ca737c09619a5f5bc45dfc02606bffca7155b all runs: crashed: KASAN: use-after-free Read in userfaultfd_release # git bisect bad d08ac70b1e0dc71ac2315007bcc3efb283b2eae4 d08ac70b1e0dc71ac2315007bcc3efb283b2eae4 is the first bad commit commit d08ac70b1e0dc71ac2315007bcc3efb283b2eae4 Author: Daniel Colascione Date: Wed Apr 1 14:39:03 2020 -0700 Wire UFFD up to SELinux This change gives userfaultfd file descriptors a real security context, allowing policy to act on them. Signed-off-by: Daniel Colascione Acked-by: Casey Schaufler Acked-by: Stephen Smalley Cc: Al Viro Cc: Andrew Morton Signed-off-by: James Morris fs/userfaultfd.c | 30 ++++++++++++++++++++++++++---- 1 file changed, 26 insertions(+), 4 deletions(-) culprit signature: 4b695219e3c8ef5bbdc411a9122ca737c09619a5f5bc45dfc02606bffca7155b parent signature: 622b4632b93a42c471ba89d7504c2a4dc89c00c10e8c19f2afd613101857d016 revisions tested: 19, total time: 3h34m33.936391726s (build: 1h39m16.241354681s, test: 1h52m58.01963482s) first bad commit: d08ac70b1e0dc71ac2315007bcc3efb283b2eae4 Wire UFFD up to SELinux cc: ["casey@schaufler-ca.com" "dancol@google.com" "jmorris@namei.org" "stephen.smalley.work@gmail.com"] crash: KASAN: use-after-free Read in userfaultfd_release ================================================================== BUG: KASAN: use-after-free in userfaultfd_release+0x56d/0x6e0 fs/userfaultfd.c:879 Read of size 8 at addr ffff8880a6af7f88 by task syz-executor.2/8433 CPU: 1 PID: 8433 Comm: syz-executor.2 Not tainted 5.7.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x128/0x182 lib/dump_stack.c:118 print_address_description.constprop.8.cold.10+0x9/0x41e mm/kasan/report.c:382 __kasan_report.cold.11+0x20/0x38 mm/kasan/report.c:511 kasan_report+0x32/0x50 mm/kasan/common.c:625 userfaultfd_release+0x56d/0x6e0 fs/userfaultfd.c:879 __fput+0x2a4/0x7a0 fs/file_table.c:280 task_work_run+0xc2/0x160 kernel/task_work.c:123 tracehook_notify_resume include/linux/tracehook.h:188 [inline] exit_to_usermode_loop+0x23d/0x2d0 arch/x86/entry/common.c:165 prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline] syscall_return_slowpath arch/x86/entry/common.c:279 [inline] do_syscall_64+0x52a/0x620 arch/x86/entry/common.c:305 entry_SYSCALL_64_after_hwframe+0x49/0xb3 RIP: 0033:0x45cba9 Code: 8d b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007fd64969fc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000143 RAX: ffffffffffffffe8 RBX: 000000000050c520 RCX: 000000000045cba9 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff R13: 0000000000000cab R14: 00000000004cf0b7 R15: 00007fd6496a06d4 Allocated by task 8433: save_stack+0x19/0x40 mm/kasan/common.c:49 set_track mm/kasan/common.c:57 [inline] __kasan_kmalloc.constprop.17+0xc1/0xd0 mm/kasan/common.c:495 slab_post_alloc_hook mm/slab.h:586 [inline] slab_alloc mm/slab.c:3320 [inline] kmem_cache_alloc+0x11b/0x750 mm/slab.c:3484 __do_sys_userfaultfd fs/userfaultfd.c:2026 [inline] __se_sys_userfaultfd fs/userfaultfd.c:2008 [inline] __x64_sys_userfaultfd+0x90/0x430 fs/userfaultfd.c:2008 do_syscall_64+0xc6/0x620 arch/x86/entry/common.c:295 entry_SYSCALL_64_after_hwframe+0x49/0xb3 Freed by task 8433: save_stack+0x19/0x40 mm/kasan/common.c:49 set_track mm/kasan/common.c:57 [inline] kasan_set_free_info mm/kasan/common.c:317 [inline] __kasan_slab_free+0xf7/0x140 mm/kasan/common.c:456 __cache_free mm/slab.c:3426 [inline] kmem_cache_free+0x7f/0x320 mm/slab.c:3694 __do_sys_userfaultfd fs/userfaultfd.c:2061 [inline] __se_sys_userfaultfd fs/userfaultfd.c:2008 [inline] __x64_sys_userfaultfd+0x36e/0x430 fs/userfaultfd.c:2008 do_syscall_64+0xc6/0x620 arch/x86/entry/common.c:295 entry_SYSCALL_64_after_hwframe+0x49/0xb3 The buggy address belongs to the object at ffff8880a6af7e00 which belongs to the cache userfaultfd_ctx_cache of size 408 The buggy address is located 392 bytes inside of 408-byte region [ffff8880a6af7e00, ffff8880a6af7f98) The buggy address belongs to the page: page:ffffea00029abdc0 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880a7c37b00 flags: 0xfffe0000000200(slab) raw: 00fffe0000000200 ffff8880a49d1950 ffff8880a49d1950 ffff88821978d700 raw: ffff8880a7c37b00 ffff8880a6af7000 0000000100000008 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880a6af7e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880a6af7f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8880a6af7f80: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff8880a6af8000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8880a6af8080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ==================================================================