bisecting cause commit starting from 999569d59a0aa2509ae4a67ecc266c1134e37e7b
building syzkaller on e2776ee417c18d6e0056b058f3b6055f65206ee9
testing commit 999569d59a0aa2509ae4a67ecc266c1134e37e7b
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: 45831d6110a19a35dc7b89c43ad0d31a69a7560b3f4b7e8d4083264dc090f5a3
run #0: crashed: KASAN: null-ptr-deref Write in dst_release
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
run #10: OK
run #11: OK
run #12: OK
run #13: OK
run #14: OK
run #15: OK
run #16: OK
run #17: OK
run #18: boot failed: KFENCE: use-after-free in kvm_fastop_exception
run #19: boot failed: KFENCE: use-after-free in kvm_fastop_exception
reproducer seems to be flaky
testing release v5.14
testing commit 7d2a07b769330c34b4deabeed939325c77a7ec2f
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: c7a96685f36d300f914d643ce230ea254f68b922997290f143876a9044cd0b7f
all runs: OK
# git bisect start 999569d59a0aa2509ae4a67ecc266c1134e37e7b 7d2a07b769330c34b4deabeed939325c77a7ec2f
Bisecting: 6680 revisions left to test after this (roughly 13 steps)
[1b4f3dfb4792f03b139edf10124fcbeb44e608e6] Merge tag 'usb-serial-5.15-rc1' of https://git.kernel.org/pub/scm/linux/kernel/git/johan/usb-serial into usb-next
testing commit 1b4f3dfb4792f03b139edf10124fcbeb44e608e6
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: 6b6949e077e3c34ee590786c52614c6a994f2dca04a168ce617e1a247e8d66a7
all runs: OK
# git bisect good 1b4f3dfb4792f03b139edf10124fcbeb44e608e6
Bisecting: 3355 revisions left to test after this (roughly 12 steps)
[7a8526a5cd51cf5f070310c6c37dd7293334ac49] libata: Add ATA_HORKAGE_NO_NCQ_ON_ATI for Samsung 860 and 870 SSD.
testing commit 7a8526a5cd51cf5f070310c6c37dd7293334ac49
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: 58ebf49dc8975aabe50e561bbf783a483248ac0ae403184346921109f235943a
run #0: OK
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
run #10: OK
run #11: OK
run #12: OK
run #13: OK
run #14: OK
run #15: OK
run #16: OK
run #17: OK
run #18: OK
run #19: boot failed: possible deadlock in blktrans_open
# git bisect good 7a8526a5cd51cf5f070310c6c37dd7293334ac49
Bisecting: 1675 revisions left to test after this (roughly 11 steps)
[b62021f84889feef41a328af26da02717ed5a46d] Merge remote-tracking branch 'imx-mxs/for-next'
testing commit b62021f84889feef41a328af26da02717ed5a46d
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: 7d633aa84bf10a6082870ddc53ea4f220c5672b61e36656a93333c13c9fd86c9
all runs: OK
# git bisect good b62021f84889feef41a328af26da02717ed5a46d
Bisecting: 837 revisions left to test after this (roughly 10 steps)
[d418135874d88b412bf39c087bfbb1002f27fde3] Merge remote-tracking branch 'tip/auto-latest'
testing commit d418135874d88b412bf39c087bfbb1002f27fde3
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: 50caa48c4d3af92bf8f1b700375dd8afdd620bd78daed0eb720ec1c6cd6d24b4
run #0: basic kernel testing failed: KFENCE: use-after-free in kvm_fastop_exception
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
run #10: OK
run #11: OK
run #12: OK
run #13: OK
run #14: OK
run #15: OK
run #16: OK
run #17: OK
run #18: OK
run #19: OK
# git bisect good d418135874d88b412bf39c087bfbb1002f27fde3
Bisecting: 417 revisions left to test after this (roughly 9 steps)
[66b73d346dd17e150428bdec82ad4ffdc2d9c130] Merge remote-tracking branch 'rtc/rtc-next'
testing commit 66b73d346dd17e150428bdec82ad4ffdc2d9c130
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: 2c580d7a7dcbd5a2372dd8c9e21bc1e36d54b4d8ae781c3bce9958877120b016
all runs: OK
# git bisect good 66b73d346dd17e150428bdec82ad4ffdc2d9c130
Bisecting: 218 revisions left to test after this (roughly 8 steps)
[1f057be10f020efbbdbc82a728d2045bdc4fa277] Merge remote-tracking branch 'folio/for-next'
testing commit 1f057be10f020efbbdbc82a728d2045bdc4fa277
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: 6ad1c8652c8e84c7e2b62d5b5ebad822e14063163f91aa3b29f1f25588ae4ab2
all runs: OK
# git bisect good 1f057be10f020efbbdbc82a728d2045bdc4fa277
Bisecting: 109 revisions left to test after this (roughly 7 steps)
[6032f6341170e8be4ae444f8b6de68899a47f162] mm/damon/dbgfs: export kdamond pid to the user space
testing commit 6032f6341170e8be4ae444f8b6de68899a47f162
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: a73a66b2969dd1899ad434745cefcd921de889bdd647711f4b5fd72dd6b39098
all runs: OK
# git bisect good 6032f6341170e8be4ae444f8b6de68899a47f162
Bisecting: 54 revisions left to test after this (roughly 6 steps)
[5d2458ce0f5d41410103eb987dbcb1e50a03f203] checkpatch: support wide strings
testing commit 5d2458ce0f5d41410103eb987dbcb1e50a03f203
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: 30e16288d2c3499b76b225f1dd483d03f6d76dc1b64ed3b50e7a23a3463a83cf
all runs: OK
# git bisect good 5d2458ce0f5d41410103eb987dbcb1e50a03f203
Bisecting: 27 revisions left to test after this (roughly 5 steps)
[ec14ea3dfa1415b11ded126b8aa3d95f4b15d01f] ipc: replace costly bailout check in sysvipc_find_ipc()
testing commit ec14ea3dfa1415b11ded126b8aa3d95f4b15d01f
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: 42d20d7e0aefe443c6b2439cee0d1ac6cd72a8e7daab1818123c3e0bd666c42c
all runs: OK
# git bisect good ec14ea3dfa1415b11ded126b8aa3d95f4b15d01f
Bisecting: 13 revisions left to test after this (roughly 4 steps)
[bbcf876eedebd583c5e23bacd5f6d99c2402f31e] slab: add __alloc_size attributes for better bounds checking
testing commit bbcf876eedebd583c5e23bacd5f6d99c2402f31e
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: 656d962aee01619a2e5be11e4633c4fabe6303eec2a8c33cd0404226d2701001
run #0: OK
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
run #10: OK
run #11: OK
run #12: OK
run #13: OK
run #14: OK
run #15: OK
run #16: OK
run #17: OK
run #18: OK
run #19: boot failed: KFENCE: use-after-free in kvm_fastop_exception
# git bisect good bbcf876eedebd583c5e23bacd5f6d99c2402f31e
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[b8516ad19fe8f49704d7224c3a0d71b04e12af33] mm: simplify compat_sys_move_pages
testing commit b8516ad19fe8f49704d7224c3a0d71b04e12af33
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: aeb121405e5419c76234ea84dc94dc1b862b4dba1e120b6c9dd9edb92d8f5974
all runs: OK
# git bisect good b8516ad19fe8f49704d7224c3a0d71b04e12af33
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[63616fa803b4ea54892c012ba27372cb2968d184] compat: remove some compat entry points
testing commit 63616fa803b4ea54892c012ba27372cb2968d184
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: 86bb1f8181587ba35d21c78fa148d6804b45333d1df2afc9fc100e66497a8ec5
run #0: OK
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
run #10: OK
run #11: OK
run #12: OK
run #13: OK
run #14: OK
run #15: OK
run #16: OK
run #17: OK
run #18: boot failed: KFENCE: use-after-free in kvm_fastop_exception
run #19: boot failed: KFENCE: use-after-free in kvm_fastop_exception
# git bisect good 63616fa803b4ea54892c012ba27372cb2968d184
Bisecting: 1 revision left to test after this (roughly 1 step)
[2619b99c7b36f86ee1d1bb57aade7f03aaf5773d] Merge branch 'akpm/master'
testing commit 2619b99c7b36f86ee1d1bb57aade7f03aaf5773d
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: bba9dfb3b510189e8b58a3bb8f1e6c05f96ba254da845c621955f57bc7ff7494
all runs: OK
# git bisect good 2619b99c7b36f86ee1d1bb57aade7f03aaf5773d
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[c4690d5ad7f0d511e2c8d0922efc380b928eaf86] kbuild: Only default to -Werror if COMPILE_TEST
testing commit c4690d5ad7f0d511e2c8d0922efc380b928eaf86
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: bba9dfb3b510189e8b58a3bb8f1e6c05f96ba254da845c621955f57bc7ff7494
run #0: crashed: KFENCE: use-after-free in kvm_fastop_exception
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
run #10: OK
run #11: OK
run #12: OK
run #13: OK
run #14: OK
run #15: OK
run #16: OK
run #17: OK
run #18: OK
run #19: OK
# git bisect bad c4690d5ad7f0d511e2c8d0922efc380b928eaf86
c4690d5ad7f0d511e2c8d0922efc380b928eaf86 is the first bad commit
commit c4690d5ad7f0d511e2c8d0922efc380b928eaf86
Author: Marco Elver
Date:   Tue Sep 7 23:12:08 2021 +0200

    kbuild: Only default to -Werror if COMPILE_TEST

    The cross-product of the kernel's supported toolchains, architectures,
    and configuration options is large. So large, that it's generally
    accepted to be infeasible to enumerate and build+test them all (many
    compile-testers rely on randomly generated configs).

    Without the possibility to enumerate all possible combinations of
    toolchains, architectures, and configuration options, it is inevitable
    that compiler warnings in this space exist. With -Werror, this means
    that an innumerable set of kernels are now broken, yet had been
    perfectly usable before (confused compilers, code with warnings unused,
    or luck).

    Distributors will necessarily pick a point in the toolchain X arch X
    config space, and if unlucky, will have a broken build. Granted, those
    will likely disable CONFIG_WERROR and move on. The kernel's default
    configuration is unlikely to be suitable for all users, but it's
    inappropriate to force many users to set CONFIG_WERROR=n.

    This also holds for CI systems which are focused on runtime testing,
    where the odd warning in some subsystem will disrupt testing of the
    rest of the kernel. Many of those runtime-focused CI systems run tests
    or fuzz the kernel using runtime debugging tools. Runtime testing of
    different subsystems can proceed in parallel, and potentially uncover
    serious bugs; halting runtime testing of the entire kernel because of
    the odd warning (now error) in a subsystem or driver is simply
    inappropriate. Therefore, runtime-focused CI systems will likely choose
    CONFIG_WERROR=n as well.

    The appropriate usecase for -Werror is therefore compile-test focused
    builds (often done by developers or CI systems). Reflect this in the
    Kconfig option by making the default value of WERROR match
    COMPILE_TEST.

    Signed-off-by: Marco Elver
    Acked-by: Guenter Roeck
    Acked-by: Randy Dunlap
    Reviewed-by: Mark Brown
    Reviewed-by: Nathan Chancellor
    Signed-off-by: Linus Torvalds

 init/Kconfig | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

culprit signature: bba9dfb3b510189e8b58a3bb8f1e6c05f96ba254da845c621955f57bc7ff7494
parent signature: bba9dfb3b510189e8b58a3bb8f1e6c05f96ba254da845c621955f57bc7ff7494
Reproducer flagged being flaky
revisions tested: 16, total time: 4h24m5.873705237s (build: 1h46m51.097757662s, test: 2h35m19.072004944s)
first bad commit: c4690d5ad7f0d511e2c8d0922efc380b928eaf86 kbuild: Only default to -Werror if COMPILE_TEST
recipients (to): ["elver@google.com" "linux@roeck-us.net" "nathan@kernel.org" "rdunlap@infradead.org" "torvalds@linux-foundation.org"]
recipients (cc): []
crash: KFENCE: use-after-free in kvm_fastop_exception
==================================================================
BUG: KFENCE: use-after-free read in kvm_fastop_exception+0xf58/0x1045

Use-after-free read at 0xffff88823bc2a020 (in kfence-#20):
 kvm_fastop_exception+0xf58/0x1045
 d_lookup+0x72/0xd0 fs/dcache.c:2370
 lookup_dcache+0x14/0xd0 fs/namei.c:1520
 __lookup_hash+0x1b/0x140 fs/namei.c:1543
 kern_path_locked+0x146/0x300 fs/namei.c:2567
 handle_remove+0x9a/0x4fa drivers/base/devtmpfs.c:312
 handle drivers/base/devtmpfs.c:382 [inline]
 devtmpfs_work_loop drivers/base/devtmpfs.c:395 [inline]
 devtmpfsd+0x176/0x24e drivers/base/devtmpfs.c:437
 kthread+0x38b/0x460 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

kfence-#20: 0xffff88823bc2a000-0xffff88823bc2afff, size=4096, cache=names_cache

allocated by task 22 on cpu 0 at 69.151391s:
 getname_kernel+0x48/0x330 fs/namei.c:226
 kern_path_locked+0x6f/0x300 fs/namei.c:2558
 handle_remove+0x9a/0x4fa drivers/base/devtmpfs.c:312
 handle drivers/base/devtmpfs.c:382 [inline]
 devtmpfs_work_loop drivers/base/devtmpfs.c:395 [inline]
 devtmpfsd+0x176/0x24e drivers/base/devtmpfs.c:437
 kthread+0x38b/0x460 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

freed by task 22 on cpu 0 at 69.151414s:
 putname include/linux/err.h:41 [inline]
 filename_parentat fs/namei.c:2547 [inline]
 kern_path_locked+0xa7/0x300 fs/namei.c:2558
 handle_remove+0x9a/0x4fa drivers/base/devtmpfs.c:312
 handle drivers/base/devtmpfs.c:382 [inline]
 devtmpfs_work_loop drivers/base/devtmpfs.c:395 [inline]
 devtmpfsd+0x176/0x24e drivers/base/devtmpfs.c:437
 kthread+0x38b/0x460 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

CPU: 0 PID: 22 Comm: kdevtmpfs Not tainted 5.14.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:kvm_fastop_exception+0xf58/0x1045
Code: 49 d3 eb e9 c9 b2 15 f9 48 8d 0b 48 83 e1 f8 48 8b 31 8d 0b 83 e1 07 c1 e1 03 48 d3 ee e9 c5 bc 15 f9 48 8d 4d 00 48 83 e1 f8 <4c> 8b 11 8d 4d 00 83 e1 07 c1 e1 03 49 d3 ea e9 27 c5 15 f9 b8 f2
RSP: 0018:ffffc90000dcfb10 EFLAGS: 00010282
RAX: 0000003336706174 RBX: ffff88806fe884d8 RCX: ffff88823bc2a020
RDX: ffffed100dfd109c RSI: 0000000000000001 RDI: ffff88806fe884d8
RBP: ffff88823bc2a020 R08: 0000000000000000 R09: ffff88806fe884d8
R10: ffffed100dfd109b R11: 0000000000000001 R12: dffffc0000000000
R13: 0000000000000005 R14: 0000000000000005 R15: ffff88806fe884a8
FS:  0000000000000000(0000) GS:ffff8880b9e00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88823bc2a020 CR3: 000000006f075000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 d_lookup+0x72/0xd0 fs/dcache.c:2370
 lookup_dcache+0x14/0xd0 fs/namei.c:1520
 __lookup_hash+0x1b/0x140 fs/namei.c:1543
 kern_path_locked+0x146/0x300 fs/namei.c:2567
 handle_remove+0x9a/0x4fa drivers/base/devtmpfs.c:312
 handle drivers/base/devtmpfs.c:382 [inline]
 devtmpfs_work_loop drivers/base/devtmpfs.c:395 [inline]
 devtmpfsd+0x176/0x24e drivers/base/devtmpfs.c:437
 kthread+0x38b/0x460 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
==================================================================
----------------
Code disassembly (best guess):
   0:   49 d3 eb                shr    %cl,%r11
   3:   e9 c9 b2 15 f9          jmpq   0xf915b2d1
   8:   48 8d 0b                lea    (%rbx),%rcx
   b:   48 83 e1 f8             and    $0xfffffffffffffff8,%rcx
   f:   48 8b 31                mov    (%rcx),%rsi
  12:   8d 0b                   lea    (%rbx),%ecx
  14:   83 e1 07                and    $0x7,%ecx
  17:   c1 e1 03                shl    $0x3,%ecx
  1a:   48 d3 ee                shr    %cl,%rsi
  1d:   e9 c5 bc 15 f9          jmpq   0xf915bce7
  22:   48 8d 4d 00             lea    0x0(%rbp),%rcx
  26:   48 83 e1 f8             and    $0xfffffffffffffff8,%rcx
* 2a:   4c 8b 11                mov    (%rcx),%r10 <-- trapping instruction
  2d:   8d 4d 00                lea    0x0(%rbp),%ecx
  30:   83 e1 07                and    $0x7,%ecx
  33:   c1 e1 03                shl    $0x3,%ecx
  36:   49 d3 ea                shr    %cl,%r10
  39:   e9 27 c5 15 f9          jmpq   0xf915c565
  3e:   b8                      .byte 0xb8
  3f:   f2                      repnz