bisecting fixing commit since 7cdefde351b6911ec5ef39322980296c091f6c52
building syzkaller on 0eb59c27682ecbe1d467de4c4accbb3f9c807042
testing commit 7cdefde351b6911ec5ef39322980296c091f6c52 with gcc (GCC) 8.1.0
kernel signature: 7303070644396de42986b065048ed75e3b579148a0cc1a0f0f57781abf189b88
run #0: crashed: general protection fault in path_openat
run #1: crashed: general protection fault in path_openat
run #2: crashed: general protection fault in path_openat
run #3: crashed: general protection fault in path_openat
run #4: crashed: general protection fault in path_openat
run #5: crashed: general protection fault in path_openat
run #6: crashed: general protection fault in path_openat
run #7: OK
run #8: OK
run #9: OK
testing current HEAD 7472c4028e2357202949f99ad94c5a5a34f95666
testing commit 7472c4028e2357202949f99ad94c5a5a34f95666 with gcc (GCC) 8.1.0
kernel signature: 51aa0c6c38b5e11bb0ab94e63184ae0d6e2a880dc3c370f79731e8e6a5c0ccc5
all runs: OK
# git bisect start 7472c4028e2357202949f99ad94c5a5a34f95666 7cdefde351b6911ec5ef39322980296c091f6c52
Bisecting: 392 revisions left to test after this (roughly 9 steps)
[bda71c14e115dbdff20136930ac289fed9ef3767] ext4: fix checksum errors with indexed dirs
testing commit bda71c14e115dbdff20136930ac289fed9ef3767 with gcc (GCC) 8.1.0
kernel signature: 9847755b1355418e899d8d9167009129472a1a1a34aa769e8865538730faa5d6
all runs: OK
# git bisect bad bda71c14e115dbdff20136930ac289fed9ef3767
Bisecting: 195 revisions left to test after this (roughly 8 steps)
[2554cdfa1d0369083bca97df2a5b121a276e11ad] crypto: geode-aes - convert to skcipher API and make thread-safe
testing commit 2554cdfa1d0369083bca97df2a5b121a276e11ad with gcc (GCC) 8.1.0
kernel signature: f98481611d66552a7015b946d9ee07daf8e16d5d2e9173c005bc825447de7a3a
all runs: OK
# git bisect bad 2554cdfa1d0369083bca97df2a5b121a276e11ad
Bisecting: 97 revisions left to test after this (roughly 7 steps)
[dc9a80e48e853cacf87a11884beaadd335439e44] wireless: fix enabling channel 12 for custom regulatory domain
testing commit dc9a80e48e853cacf87a11884beaadd335439e44 with gcc (GCC) 8.1.0
kernel signature: 79ed0cdbc25958d410fb9722c5b00296650cd5bdd0d32032be652ead0281dc91
all runs: OK
# git bisect bad dc9a80e48e853cacf87a11884beaadd335439e44
Bisecting: 48 revisions left to test after this (roughly 6 steps)
[71b815b0cc40f06c605ed77b6df9c50ba1f5a7fe] rsi: fix memory leak on failed URB submission
testing commit 71b815b0cc40f06c605ed77b6df9c50ba1f5a7fe with gcc (GCC) 8.1.0
kernel signature: df12a3cf17c7c8d38c562ae87fc58269ef63437881e3f95df7896c3ca045fbed
run #0: crashed: general protection fault in path_openat
run #1: crashed: general protection fault in path_openat
run #2: crashed: general protection fault in path_openat
run #3: crashed: general protection fault in path_openat
run #4: crashed: general protection fault in path_openat
run #5: crashed: general protection fault in path_openat
run #6: crashed: general protection fault in path_openat
run #7: crashed: general protection fault in path_openat
run #8: crashed: general protection fault in path_openat
run #9: OK
# git bisect good 71b815b0cc40f06c605ed77b6df9c50ba1f5a7fe
Bisecting: 24 revisions left to test after this (roughly 5 steps)
[373403c65479168ff6cf9b437447ac1a3eb3beef] media: vp7045: do not read uninitialized values if usb transfer fails
testing commit 373403c65479168ff6cf9b437447ac1a3eb3beef with gcc (GCC) 8.1.0
kernel signature: 4db34a402d2d77cae2d44e40dfa4648f96cc038d9f348db6c92a076c56b36b0e
all runs: OK
# git bisect bad 373403c65479168ff6cf9b437447ac1a3eb3beef
Bisecting: 11 revisions left to test after this (roughly 4 steps)
[47ef5cb878817127bd3d54c3578bbbd3f7c2bf2c] crypto: pcrypt - Fix user-after-free on module unload
testing commit 47ef5cb878817127bd3d54c3578bbbd3f7c2bf2c with gcc (GCC) 8.1.0
kernel signature: af72039877940d78c7ce4229846f6cba5486544cf5f8f61e6557e25a46f6bc5c
all runs: OK
# git bisect bad 47ef5cb878817127bd3d54c3578bbbd3f7c2bf2c
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[e4143b60ae6b2eee83f4eee4db4d5c30890bcbe1] KVM: arm64: Write arch.mdcr_el2 changes since last vcpu_load on VHE
testing commit e4143b60ae6b2eee83f4eee4db4d5c30890bcbe1 with gcc (GCC) 8.1.0
kernel signature: 33a767cf1c0e943a4628b1863e31f6e92c459a011211458b8fb2f072690d763d
run #0: crashed: general protection fault in path_openat
run #1: crashed: general protection fault in path_openat
run #2: crashed: general protection fault in path_openat
run #3: crashed: general protection fault in path_openat
run #4: crashed: general protection fault in path_openat
run #5: OK
run #6: crashed: general protection fault in path_openat
run #7: OK
run #8: OK
run #9: OK
# git bisect good e4143b60ae6b2eee83f4eee4db4d5c30890bcbe1
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[1b006f8cbde9f3dabdfafe2ff7aa9f831ed5b625] x86/resctrl: Fix use-after-free when deleting resource groups
testing commit 1b006f8cbde9f3dabdfafe2ff7aa9f831ed5b625 with gcc (GCC) 8.1.0
kernel signature: 0bc758b2b8df49fe97ad5c9964cf1eefb1b6fb42655bc5fa8fe16708f51aeeae
all runs: OK
# git bisect bad 1b006f8cbde9f3dabdfafe2ff7aa9f831ed5b625
Bisecting: 0 revisions left to test after this (roughly 1 step)
[8d7a5100e29dde6b6557beb31ea9f2bbc9e998ca] vfs: fix do_last() regression
testing commit 8d7a5100e29dde6b6557beb31ea9f2bbc9e998ca with gcc (GCC) 8.1.0
kernel signature: 4f65627d3e444a32e908d885e3e8d6a4e6a2e83c11da5f6e94e5b5c54a19c3ae
all runs: OK
# git bisect bad 8d7a5100e29dde6b6557beb31ea9f2bbc9e998ca
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[32ee7492f104d82b01a44fc4b4ae17d5d2bb237b] Linux 4.19.101
testing commit 32ee7492f104d82b01a44fc4b4ae17d5d2bb237b with gcc (GCC) 8.1.0
kernel signature: 8ac6f92eda4059b02728a5ebc7e9c05db0de9cb5e58e3440f246c6adcfdcaba6
run #0: crashed: general protection fault in path_openat
run #1: crashed: general protection fault in path_openat
run #2: crashed: general protection fault in path_openat
run #3: crashed: general protection fault in path_openat
run #4: crashed: general protection fault in path_openat
run #5: crashed: general protection fault in path_openat
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good 32ee7492f104d82b01a44fc4b4ae17d5d2bb237b
8d7a5100e29dde6b6557beb31ea9f2bbc9e998ca is the first bad commit
commit 8d7a5100e29dde6b6557beb31ea9f2bbc9e998ca
Author: Al Viro
Date: Sat Feb 1 16:26:45 2020 +0000

    vfs: fix do_last() regression

    commit 6404674acd596de41fd3ad5f267b4525494a891a upstream.

    Brown paperbag time: fetching ->i_uid/->i_mode really should've been
    done from nd->inode. I even suggested that, but the reason for that has
    slipped through the cracks and I went for dir->d_inode instead - made
    for more "obvious" patch.

    Analysis:

     - at the entry into do_last() and all the way to step_into(): dir (aka
       nd->path.dentry) is known not to have been freed; so's nd->inode and
       it's equal to dir->d_inode unless we are already doomed to -ECHILD.
       inode of the file to get opened is not known.

     - after step_into(): inode of the file to get opened is known; dir
       might be pointing to freed memory/be negative/etc.

     - at the call of may_create_in_sticky(): guaranteed to be out of RCU
       mode; inode of the file to get opened is known and pinned; dir might
       be garbage.

    The last was the reason for the original patch. Except that at the
    do_last() entry we can be in RCU mode and it is possible that
    nd->path.dentry->d_inode has already changed under us.

    In that case we are going to fail with -ECHILD, but we need to be
    careful; nd->inode is pointing to valid struct inode and it's the same
    as nd->path.dentry->d_inode in "won't fail with -ECHILD" case, so we
    should use that.

    Reported-by: "Rantala, Tommi T. (Nokia - FI/Espoo)"
    Reported-by: syzbot+190005201ced78a74ad6@syzkaller.appspotmail.com
    Wearing-brown-paperbag: Al Viro
    Cc: stable@kernel.org
    Fixes: d0cb50185ae9 ("do_last(): fetch directory ->i_mode and ->i_uid before it's too late")
    Signed-off-by: Al Viro
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

 fs/namei.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
culprit signature: 4f65627d3e444a32e908d885e3e8d6a4e6a2e83c11da5f6e94e5b5c54a19c3ae
parent signature: 8ac6f92eda4059b02728a5ebc7e9c05db0de9cb5e58e3440f246c6adcfdcaba6
revisions tested: 12, total time: 4h2m27.520477573s (build: 1h47m23.189094711s, test: 2h13m33.742270257s)
first good commit: 8d7a5100e29dde6b6557beb31ea9f2bbc9e998ca vfs: fix do_last() regression
cc: ["gregkh@linuxfoundation.org" "torvalds@linux-foundation.org" "viro@zeniv.linux.org.uk"]