bisecting cause commit starting from 5e60366d56c630e32befce7ef05c569e04391ca3 building syzkaller on 04201c0669446145fd9c347c5538da0ca13ff29b testing commit 5e60366d56c630e32befce7ef05c569e04391ca3 with gcc (GCC) 8.1.0 kernel signature: 01825cbba90804af60ff77ae0ded5055a816f397fe535df94df4bfbd1e90d5f6 all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in filp_close testing release v5.10 testing commit 2c85ebc57b3e1817b6ce1a6b703928e113a90442 with gcc (GCC) 8.1.0 kernel signature: f5760b2c445d15f5ece92b856df5a49be8c93d3d22f6cda3cb5ed85afe8f4ee1 all runs: OK # git bisect start 5e60366d56c630e32befce7ef05c569e04391ca3 2c85ebc57b3e1817b6ce1a6b703928e113a90442 Bisecting: 5079 revisions left to test after this (roughly 12 steps) [15b447361794271f4d03c04d82276a841fe06328] mm/lru: revise the comments of lru_lock testing commit 15b447361794271f4d03c04d82276a841fe06328 with gcc (GCC) 8.1.0 kernel signature: a3116d07de48abcba96d0a5aeacdd8a3f0b0826ac5f69adce1dacb14a8d36760 all runs: OK # git bisect good 15b447361794271f4d03c04d82276a841fe06328 Bisecting: 2484 revisions left to test after this (roughly 11 steps) [c367caf1a38b6f0a1aababafd88b00fefa625f9e] Merge tag 'sound-5.11-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound testing commit c367caf1a38b6f0a1aababafd88b00fefa625f9e with gcc (GCC) 8.1.0 kernel signature: 805eae9903bed9f2a4a22194291fba773f1e1cb567d1a206029fc4f55bc04a2e all runs: OK # git bisect good c367caf1a38b6f0a1aababafd88b00fefa625f9e Bisecting: 1263 revisions left to test after this (roughly 10 steps) [9d0d886799e49e0f6d51e70c823416919544fdb7] Merge branch 'i2c/for-5.11' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux testing commit 9d0d886799e49e0f6d51e70c823416919544fdb7 with gcc (GCC) 8.1.0 kernel signature: 7851a94468992c8c079fb285477a8f76e6aaf321c3868f6e8db2aa5afb51e2d3 all runs: OK # git bisect good 9d0d886799e49e0f6d51e70c823416919544fdb7 Bisecting: 631 revisions left to test after this (roughly 9 steps) [d58b0b1a416595a0e5ad6eac559b1d5229397e38] drivers/misc/lkdtm/lkdtm.h: correct wrong filenames in comment testing commit d58b0b1a416595a0e5ad6eac559b1d5229397e38 with gcc (GCC) 8.1.0 kernel signature: f3ef2c95844700e05e6fb4ea8786f38c6d82333c36b81a056aef0d437db3893f all runs: OK # git bisect good d58b0b1a416595a0e5ad6eac559b1d5229397e38 Bisecting: 348 revisions left to test after this (roughly 8 steps) [9867cb1fd510187d8f828540bdb48f78fceb70b3] Merge tag 'jfs-5.11' of git://github.com/kleikamp/linux-shaggy testing commit 9867cb1fd510187d8f828540bdb48f78fceb70b3 with gcc (GCC) 8.1.0 kernel signature: 82a78e7cd448ce98607f15296f48a6e2b74cf127d93f4ec8e3691f98bca505d0 all runs: OK # git bisect good 9867cb1fd510187d8f828540bdb48f78fceb70b3 Bisecting: 175 revisions left to test after this (roughly 8 steps) [37373d9c37a3401c08f22b61de1726b4f584b2e7] Merge branch 'regset.followup' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs testing commit 37373d9c37a3401c08f22b61de1726b4f584b2e7 with gcc (GCC) 8.1.0 kernel signature: 505a903c3c17e0bd15eb4b2fd6ab63853e439d13722a83b77e3f9be4bc938721 all runs: OK # git bisect good 37373d9c37a3401c08f22b61de1726b4f584b2e7 Bisecting: 77 revisions left to test after this (roughly 7 steps) [f986e350833347cb605d9d1ed517325c9a97808d] Merge branch 'akpm' (patches from Andrew) testing commit f986e350833347cb605d9d1ed517325c9a97808d with gcc (GCC) 8.1.0 kernel signature: ac24f06bcecee9eb172b918e440dc6dea825c4429b790d0416a582105745f36a all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in filp_close # git bisect bad f986e350833347cb605d9d1ed517325c9a97808d Bisecting: 48 revisions left to test after this (roughly 6 steps) [f9a90501faac55ddbea93c1f73497857f1997227] reboot: refactor and comment the cpu selection code testing commit f9a90501faac55ddbea93c1f73497857f1997227 with gcc (GCC) 8.1.0 kernel signature: dbee899b10ac6a7e6ac1af266245c9c6a06fd36f9d57c173c56605d05fd7519c all runs: OK # git bisect good f9a90501faac55ddbea93c1f73497857f1997227 Bisecting: 24 revisions left to test after this (roughly 5 steps) [9fe83c43e71cdb8e5b9520bcb98706a2b3c680c8] file: Rename __close_fd_get_file close_fd_get_file testing commit 9fe83c43e71cdb8e5b9520bcb98706a2b3c680c8 with gcc (GCC) 8.1.0 kernel signature: 9acb4c5e5bf7304df9b6fcbe0f52a9841b0fe5676f989da350f8fee4ea49bea6 all runs: OK # git bisect good 9fe83c43e71cdb8e5b9520bcb98706a2b3c680c8 Bisecting: 12 revisions left to test after this (roughly 4 steps) [faf145d6f3f3d6f2c066f65602ba9d0a03106915] Merge branch 'exec-for-v5.11' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace testing commit faf145d6f3f3d6f2c066f65602ba9d0a03106915 with gcc (GCC) 8.1.0 kernel signature: 8bea95ce019280cc39abcbd7fd23a157e269e92f69022c59134cfeec1e049825 all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in filp_close # git bisect bad faf145d6f3f3d6f2c066f65602ba9d0a03106915 Bisecting: 6 revisions left to test after this (roughly 3 steps) [345d4ab5e0a226e0e27219bef9ad150504666b0d] Merge tag 'close-range-openat2-v5.11' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux testing commit 345d4ab5e0a226e0e27219bef9ad150504666b0d with gcc (GCC) 8.1.0 kernel signature: ab6c70b503498d5bf392953c6931fbf29b830167ac7717567990592530f217a5 all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in filp_close # git bisect bad 345d4ab5e0a226e0e27219bef9ad150504666b0d Bisecting: 2 revisions left to test after this (roughly 1 step) [4e62d55d77bbdb33d821f5e16306caab38d42267] selftests: openat2: add RESOLVE_ conflict test testing commit 4e62d55d77bbdb33d821f5e16306caab38d42267 with gcc (GCC) 8.1.0 kernel signature: 702213986cbd1a170644bf59ed22ee614de9081faa2daa40fca12cd762f3a765 all runs: OK # git bisect good 4e62d55d77bbdb33d821f5e16306caab38d42267 Bisecting: 0 revisions left to test after this (roughly 1 step) [23afeaeff3d985b07abf2c76fd12b8c548da8367] selftests: core: add tests for CLOSE_RANGE_CLOEXEC testing commit 23afeaeff3d985b07abf2c76fd12b8c548da8367 with gcc (GCC) 8.1.0 kernel signature: 9a3d8691c0bc15036ff0c596ebb0fa63f4f48db876b9e01cac444c3daa924fc5 all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in filp_close # git bisect bad 23afeaeff3d985b07abf2c76fd12b8c548da8367 Bisecting: 0 revisions left to test after this (roughly 0 steps) [582f1fb6b721facf04848d2ca57f34468da1813e] fs, close_range: add flag CLOSE_RANGE_CLOEXEC testing commit 582f1fb6b721facf04848d2ca57f34468da1813e with gcc (GCC) 8.1.0 kernel signature: 9a3d8691c0bc15036ff0c596ebb0fa63f4f48db876b9e01cac444c3daa924fc5 all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in filp_close # git bisect bad 582f1fb6b721facf04848d2ca57f34468da1813e 582f1fb6b721facf04848d2ca57f34468da1813e is the first bad commit commit 582f1fb6b721facf04848d2ca57f34468da1813e Author: Giuseppe Scrivano Date: Wed Nov 18 11:47:45 2020 +0100 fs, close_range: add flag CLOSE_RANGE_CLOEXEC When the flag CLOSE_RANGE_CLOEXEC is set, close_range doesn't immediately close the files but it sets the close-on-exec bit. It is useful for e.g. container runtimes that usually install a seccomp profile "as late as possible" before execv'ing the container process itself. The container runtime could either do: 1 2 - install_seccomp_profile(); - close_range(MIN_FD, MAX_INT, 0); - close_range(MIN_FD, MAX_INT, 0); - install_seccomp_profile(); - execve(...); - execve(...); Both alternative have some disadvantages. In the first variant the seccomp_profile cannot block the close_range syscall, as well as opendir/read/close/... for the fallback on older kernels. In the second variant, close_range() can be used only on the fds that are not going to be needed by the runtime anymore, and it must be potentially called multiple times to account for the different ranges that must be closed. Using close_range(..., ..., CLOSE_RANGE_CLOEXEC) solves these issues. The runtime is able to use the existing open fds, the seccomp profile can block close_range() and the syscalls used for its fallback. Signed-off-by: Giuseppe Scrivano Link: https://lore.kernel.org/r/20201118104746.873084-2-gscrivan@redhat.com Signed-off-by: Christian Brauner fs/file.c | 44 +++++++++++++++++++++++++++++++--------- include/uapi/linux/close_range.h | 3 +++ 2 files changed, 37 insertions(+), 10 deletions(-) culprit signature: 9a3d8691c0bc15036ff0c596ebb0fa63f4f48db876b9e01cac444c3daa924fc5 parent signature: 702213986cbd1a170644bf59ed22ee614de9081faa2daa40fca12cd762f3a765 revisions tested: 16, total time: 3h19m20.325723792s (build: 1h16m4.066606332s, test: 2h1m38.227061433s) first bad commit: 582f1fb6b721facf04848d2ca57f34468da1813e fs, close_range: add flag CLOSE_RANGE_CLOEXEC recipients (to): ["christian.brauner@ubuntu.com" "gscrivan@redhat.com" "linux-kernel@vger.kernel.org"] recipients (cc): ["christian.brauner@ubuntu.com" "linux-fsdevel@vger.kernel.org" "viro@zeniv.linux.org.uk"] crash: BUG: unable to handle kernel NULL pointer dereference in filp_close BUG: kernel NULL pointer dereference, address: 0000000000000077 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP CPU: 0 PID: 10214 Comm: syz-executor.2 Not tainted 5.10.0-rc6-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:arch_atomic64_read arch/x86/include/asm/atomic64_64.h:22 [inline] RIP: 0010:atomic64_read include/asm-generic/atomic-instrumented.h:838 [inline] RIP: 0010:atomic_long_read include/asm-generic/atomic-long.h:29 [inline] RIP: 0010:filp_close+0x4/0x60 fs/open.c:1274 Code: 66 0f 1f 44 00 00 8b 86 84 00 00 00 25 e3 7f ff ff 0d 00 00 20 00 89 86 84 00 00 00 31 c0 c3 0f 1f 80 00 00 00 00 41 54 55 53 <48> 8b 47 78 48 85 c0 0f 84 bf f9 37 02 48 8b 47 28 45 31 e4 48 89 RSP: 0018:ffffc90002ddbd28 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff88810dcb09c0 RCX: ffff88811e87ba20 RDX: ffff88811ea53800 RSI: ffff88810dcb09c0 RDI: ffffffffffffffff RBP: ffffffffffffffff R08: 0000000000000001 R09: 0000000000000001 R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000001 R13: 0000000000000000 R14: 0000000000000000 R15: ffff88811e87eb80 FS: 0000000000000000(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000077 CR3: 000000000508a000 CR4: 00000000001506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: close_files fs/file.c:402 [inline] put_files_struct+0x67/0xc0 fs/file.c:430 do_exit+0x392/0xd40 kernel/exit.c:804 do_group_exit+0x34/0xb0 kernel/exit.c:906 get_signal+0x180/0xdb0 kernel/signal.c:2758 arch_do_signal+0x2b/0x8d0 arch/x86/kernel/signal.c:811 exit_to_user_mode_loop kernel/entry/common.c:161 [inline] exit_to_user_mode_prepare+0xec/0x1c0 kernel/entry/common.c:191 syscall_exit_to_user_mode+0x38/0x260 kernel/entry/common.c:266 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x45e149 Code: Unable to access opcode bytes at RIP 0x45e11f. RSP: 002b:00007f637e3f9cf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca RAX: 0000000000000001 RBX: 000000000119bf88 RCX: 000000000045e149 RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 000000000119bf8c RBP: 000000000119bf80 R08: 0000000000000018 R09: 0000000000000000 R10: ffffffffffffffff R11: 0000000000000246 R12: 000000000119bf8c R13: 00007fffd7515bbf R14: 00007f637e3fa9c0 R15: 000000000119bf8c Modules linked in: CR2: 0000000000000077 ---[ end trace b7138e616e0159ea ]--- RIP: 0010:arch_atomic64_read arch/x86/include/asm/atomic64_64.h:22 [inline] RIP: 0010:atomic64_read include/asm-generic/atomic-instrumented.h:838 [inline] RIP: 0010:atomic_long_read include/asm-generic/atomic-long.h:29 [inline] RIP: 0010:filp_close+0x4/0x60 fs/open.c:1274 Code: 66 0f 1f 44 00 00 8b 86 84 00 00 00 25 e3 7f ff ff 0d 00 00 20 00 89 86 84 00 00 00 31 c0 c3 0f 1f 80 00 00 00 00 41 54 55 53 <48> 8b 47 78 48 85 c0 0f 84 bf f9 37 02 48 8b 47 28 45 31 e4 48 89 RSP: 0018:ffffc90002ddbd28 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff88810dcb09c0 RCX: ffff88811e87ba20 RDX: ffff88811ea53800 RSI: ffff88810dcb09c0 RDI: ffffffffffffffff RBP: ffffffffffffffff R08: 0000000000000001 R09: 0000000000000001 R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000001 R13: 0000000000000000 R14: 0000000000000000 R15: ffff88811e87eb80 FS: 0000000000000000(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000077 CR3: 000000000508a000 CR4: 00000000001506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400