bisecting cause commit starting from 6da6c0db5316275015e8cc2959f12a17584aeb64 building syzkaller on 06db3cec94c54e1cf720cdd5db72761514569d56 testing commit 6da6c0db5316275015e8cc2959f12a17584aeb64 with gcc (GCC) 8.1.0 kernel signature: 662a62e3e82922d0f36606c575ffe12db3a414c9 run #0: crashed: WARNING in loop_add run #1: crashed: WARNING in loop_add run #2: crashed: WARNING in loop_add run #3: crashed: WARNING in loop_add run #4: crashed: WARNING in loop_add run #5: crashed: KASAN: use-after-free Read in debugfs_remove run #6: crashed: KASAN: use-after-free Read in debugfs_remove run #7: crashed: KASAN: use-after-free Read in debugfs_remove run #8: crashed: KASAN: use-after-free Read in debugfs_remove run #9: crashed: KASAN: use-after-free Read in debugfs_remove testing release v4.16 testing commit 0adb32858b0bddf4ada5f364a84ed60b196dbcda with gcc (GCC) 8.1.0 kernel signature: 15b12b07a8d1aa2be2b51669a25c0c8bd471aad7 run #0: crashed: WARNING in loop_add run #1: crashed: WARNING in loop_add run #2: crashed: WARNING: kobject bug in device_create_groups_vargs run #3: crashed: WARNING in loop_add run #4: crashed: WARNING in loop_add run #5: crashed: WARNING in loop_add run #6: crashed: WARNING in loop_add run #7: crashed: WARNING: kobject bug in device_create_groups_vargs run #8: crashed: WARNING in loop_add run #9: crashed: WARNING in loop_add testing release v4.15 testing commit d8a5b80568a9cb66810e75b182018e9edb68e8ff with gcc (GCC) 8.1.0 kernel signature: af6a0f4e882369208424920643d7420338d4886c run #0: crashed: WARNING in loop_add run #1: crashed: WARNING: kobject bug in device_create_groups_vargs run #2: crashed: WARNING in loop_add run #3: crashed: WARNING in loop_add run #4: crashed: WARNING in loop_add run #5: crashed: WARNING: kobject bug in device_create_groups_vargs run #6: crashed: WARNING in loop_add run #7: crashed: WARNING: kobject bug in device_create_groups_vargs run #8: crashed: WARNING: kobject bug in device_create_groups_vargs run #9: crashed: WARNING in loop_add testing release v4.14 testing commit bebc6082da0a9f5d47a1ea2edc099bf671058bd4 with gcc (GCC) 8.1.0 kernel signature: f537726f779b65128b3f6cb80d6a549780d718e4 run #0: crashed: general protection fault in sysfs_do_create_link_sd run #1: crashed: general protection fault in sysfs_do_create_link_sd run #2: crashed: WARNING: kobject bug in device_create_groups_vargs run #3: crashed: general protection fault in sysfs_do_create_link_sd run #4: crashed: WARNING: kobject bug in device_create_groups_vargs run #5: crashed: WARNING: kobject bug in device_create_groups_vargs run #6: crashed: general protection fault in sysfs_do_create_link_sd run #7: crashed: general protection fault in sysfs_do_create_link_sd run #8: crashed: WARNING: kobject bug in device_create_groups_vargs run #9: crashed: WARNING: kobject bug in device_create_groups_vargs testing release v4.13 testing commit 569dbb88e80deb68974ef6fdd6a13edb9d686261 with gcc (GCC) 8.1.0 kernel signature: 7779fe5da292bc08f34b52bda9e54f32f07b6715 run #0: crashed: WARNING: kobject bug in device_create_groups_vargs run #1: crashed: general protection fault in sysfs_do_create_link_sd run #2: crashed: WARNING: kobject bug in device_create_groups_vargs run #3: crashed: WARNING: kobject bug in device_create_groups_vargs run #4: crashed: general protection fault in sysfs_do_create_link_sd run #5: crashed: WARNING: kobject bug in device_create_groups_vargs run #6: crashed: general protection fault in sysfs_do_create_link_sd run #7: crashed: general protection fault in sysfs_do_create_link_sd run #8: crashed: WARNING: kobject bug in device_create_groups_vargs run #9: crashed: general protection fault in sysfs_do_create_link_sd testing release v4.12 testing commit 6f7da290413ba713f0cdd9ff1a2a9bb129ef4f6c with gcc (GCC) 8.1.0 kernel signature: a8758bb82391e3b20183f580be75a83b40285101 all runs: OK # git bisect start 569dbb88e80deb68974ef6fdd6a13edb9d686261 6f7da290413ba713f0cdd9ff1a2a9bb129ef4f6c Bisecting: 7028 revisions left to test after this (roughly 13 steps) [ac7b75966c9c86426b55fe1c50ae148aa4571075] Merge tag 'pinctrl-v4.13-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl testing commit ac7b75966c9c86426b55fe1c50ae148aa4571075 with gcc (GCC) 8.1.0 kernel signature: 0cd531d215e40b7f31ff7c07d4312ee2c9126e68 all runs: OK # git bisect good ac7b75966c9c86426b55fe1c50ae148aa4571075 Bisecting: 3520 revisions left to test after this (roughly 12 steps) [9c284c41c0886f09e75c323a16278b6d353b0b4a] mmc: tmio-mmc: fix bad pointer math testing commit 9c284c41c0886f09e75c323a16278b6d353b0b4a with gcc (GCC) 8.1.0 kernel signature: ecba80ed4cf39964e1569045be38573347636ea2 all runs: OK # git bisect good 9c284c41c0886f09e75c323a16278b6d353b0b4a Bisecting: 1754 revisions left to test after this (roughly 11 steps) [505d5c11192960a3f0639d1d9e05dffeddd4e874] Merge tag 'nfs-for-4.13-2' of git://git.linux-nfs.org/projects/anna/linux-nfs testing commit 505d5c11192960a3f0639d1d9e05dffeddd4e874 with gcc (GCC) 8.1.0 kernel signature: 6a0f1b1004dffc837f31cdefc8fba81df6372778 run #0: crashed: WARNING: kobject bug in device_create_groups_vargs run #1: crashed: WARNING: kobject bug in device_create_groups_vargs run #2: crashed: general protection fault in sysfs_do_create_link_sd run #3: crashed: WARNING: kobject bug in device_create_groups_vargs run #4: crashed: general protection fault in sysfs_do_create_link_sd run #5: crashed: WARNING: kobject bug in device_create_groups_vargs run #6: crashed: WARNING: kobject bug in device_create_groups_vargs run #7: crashed: general protection fault in sysfs_do_create_link_sd run #8: crashed: WARNING: kobject bug in device_create_groups_vargs run #9: crashed: general protection fault in sysfs_do_create_link_sd # git bisect bad 505d5c11192960a3f0639d1d9e05dffeddd4e874 Bisecting: 909 revisions left to test after this (roughly 10 steps) [62403005975c678ba7594a36670ae3bf0273d7c4] Merge tag 'nfsd-4.13' of git://linux-nfs.org/~bfields/linux testing commit 62403005975c678ba7594a36670ae3bf0273d7c4 with gcc (GCC) 8.1.0 kernel signature: e2f8dcf687d53b73a5dde9288141c6b0423cd46c run #0: crashed: general protection fault in sysfs_do_create_link_sd run #1: crashed: WARNING: kobject bug in device_create_groups_vargs run #2: crashed: general protection fault in sysfs_do_create_link_sd run #3: crashed: WARNING: kobject bug in device_create_groups_vargs run #4: crashed: WARNING in sysfs_warn_dup run #5: crashed: general protection fault in sysfs_do_create_link_sd run #6: crashed: WARNING: kobject bug in device_create_groups_vargs run #7: crashed: general protection fault in sysfs_do_create_link_sd run #8: crashed: general protection fault in sysfs_do_create_link_sd run #9: crashed: general protection fault in sysfs_do_create_link_sd # git bisect bad 62403005975c678ba7594a36670ae3bf0273d7c4 Bisecting: 430 revisions left to test after this (roughly 9 steps) [38f7d2da4e39d454f2cb3e7c1ae35afde3d61123] Merge tag 'pwm/for-4.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/thierry.reding/linux-pwm testing commit 38f7d2da4e39d454f2cb3e7c1ae35afde3d61123 with gcc (GCC) 8.1.0 kernel signature: 333fd1418803358be826295da3057fa913bfd504 all runs: OK # git bisect good 38f7d2da4e39d454f2cb3e7c1ae35afde3d61123 Bisecting: 212 revisions left to test after this (roughly 8 steps) [6735a1971a00a29a96aa3ea5dc08912bfee95c51] Merge tag 'platform-drivers-x86-v4.13-2' of git://git.infradead.org/linux-platform-drivers-x86 testing commit 6735a1971a00a29a96aa3ea5dc08912bfee95c51 with gcc (GCC) 8.1.0 kernel signature: 30457e0393175ad5e67117509dbd147e8af89667 all runs: OK # git bisect good 6735a1971a00a29a96aa3ea5dc08912bfee95c51 Bisecting: 100 revisions left to test after this (roughly 7 steps) [bc0f51d35994bc14ae9bebadc9523399711fedf8] Merge tag 'trace-v4.13-2' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace testing commit bc0f51d35994bc14ae9bebadc9523399711fedf8 with gcc (GCC) 8.1.0 kernel signature: a1f65e521e8ff1c6db17faea1f190b06b595aff4 run #0: crashed: WARNING: kobject bug in device_create_groups_vargs run #1: crashed: WARNING: kobject bug in device_create_groups_vargs run #2: crashed: WARNING: kobject bug in device_create_groups_vargs run #3: crashed: WARNING: kobject bug in device_create_groups_vargs run #4: crashed: general protection fault in sysfs_do_create_link_sd run #5: crashed: general protection fault in sysfs_do_create_link_sd run #6: crashed: WARNING: kobject bug in device_create_groups_vargs run #7: crashed: WARNING in sysfs_warn_dup run #8: crashed: WARNING: kobject bug in device_create_groups_vargs run #9: crashed: WARNING: kobject bug in device_create_groups_vargs # git bisect bad bc0f51d35994bc14ae9bebadc9523399711fedf8 Bisecting: 55 revisions left to test after this (roughly 6 steps) [a10a842ff81a7e3810817b3b04e4c432b6191e21] kernel/watchdog: provide watchdog_nmi_reconfigure() for arch watchdogs testing commit a10a842ff81a7e3810817b3b04e4c432b6191e21 with gcc (GCC) 8.1.0 kernel signature: 6730709a402fc8a07d54ea72ac65c3112a2e2cf4 run #0: crashed: WARNING: kobject bug in device_create_groups_vargs run #1: crashed: WARNING in sysfs_warn_dup run #2: crashed: general protection fault in sysfs_do_create_link_sd run #3: crashed: general protection fault in sysfs_do_create_link_sd run #4: crashed: general protection fault in sysfs_do_create_link_sd run #5: crashed: general protection fault in sysfs_do_create_link_sd run #6: crashed: WARNING: kobject bug in device_create_groups_vargs run #7: crashed: WARNING: kobject bug in device_create_groups_vargs run #8: crashed: general protection fault in sysfs_do_create_link_sd run #9: crashed: general protection fault in sysfs_do_create_link_sd # git bisect bad a10a842ff81a7e3810817b3b04e4c432b6191e21 Bisecting: 27 revisions left to test after this (roughly 5 steps) [77493f04b74cdff3a61fb3fb14b1f5a71d88fd5f] procfs: fdinfo: extend information about epoll target files testing commit 77493f04b74cdff3a61fb3fb14b1f5a71d88fd5f with gcc (GCC) 8.1.0 kernel signature: 6d50eb9f416c06378852206ea42e0d907f1c6330 all runs: OK # git bisect good 77493f04b74cdff3a61fb3fb14b1f5a71d88fd5f Bisecting: 13 revisions left to test after this (roughly 4 steps) [52f908904e7e05b6300162faa48152df073be645] ipc/msg: avoid ipc_rcu_alloc() testing commit 52f908904e7e05b6300162faa48152df073be645 with gcc (GCC) 8.1.0 kernel signature: cdf8202217f872832edd67b1b59d208af1351704 run #0: crashed: general protection fault in sysfs_do_create_link_sd run #1: crashed: general protection fault in sysfs_do_create_link_sd run #2: crashed: WARNING: kobject bug in device_create_groups_vargs run #3: crashed: WARNING: kobject bug in device_create_groups_vargs run #4: crashed: WARNING: kobject bug in device_create_groups_vargs run #5: crashed: WARNING: kobject bug in device_create_groups_vargs run #6: crashed: WARNING in sysfs_warn_dup run #7: crashed: general protection fault in sysfs_do_create_link_sd run #8: crashed: general protection fault in sysfs_do_create_link_sd run #9: crashed: WARNING: kobject bug in device_create_groups_vargs # git bisect bad 52f908904e7e05b6300162faa48152df073be645 Bisecting: 6 revisions left to test after this (roughly 3 steps) [f8dbe8d290637ac3f68600e30d092393fe9b40a5] ipc: drop non-RCU allocation testing commit f8dbe8d290637ac3f68600e30d092393fe9b40a5 with gcc (GCC) 8.1.0 kernel signature: 34d68e8693192c7dd2477ff4e2dade0102712fb9 run #0: crashed: WARNING: kobject bug in device_create_groups_vargs run #1: crashed: WARNING: kobject bug in device_create_groups_vargs run #2: crashed: general protection fault in sysfs_do_create_link_sd run #3: crashed: WARNING: kobject bug in device_create_groups_vargs run #4: crashed: WARNING: kobject bug in device_create_groups_vargs run #5: crashed: WARNING in sysfs_warn_dup run #6: crashed: general protection fault in sysfs_do_create_link_sd run #7: crashed: WARNING: kobject bug in device_create_groups_vargs run #8: crashed: WARNING: kobject bug in device_create_groups_vargs run #9: crashed: general protection fault in sysfs_do_create_link_sd # git bisect bad f8dbe8d290637ac3f68600e30d092393fe9b40a5 Bisecting: 3 revisions left to test after this (roughly 2 steps) [e41d58185f1444368873d4d7422f7664a68be61d] fault-inject: support systematic fault injection testing commit e41d58185f1444368873d4d7422f7664a68be61d with gcc (GCC) 8.1.0 kernel signature: eae40807f617fb10e87fd1424346f32becb1e3e0 run #0: crashed: general protection fault in sysfs_do_create_link_sd run #1: crashed: general protection fault in sysfs_do_create_link_sd run #2: crashed: general protection fault in sysfs_do_create_link_sd run #3: crashed: WARNING in sysfs_warn_dup run #4: crashed: WARNING: kobject bug in device_create_groups_vargs run #5: crashed: WARNING: kobject bug in device_create_groups_vargs run #6: crashed: WARNING in sysfs_warn_dup run #7: crashed: general protection fault in sysfs_do_create_link_sd run #8: crashed: general protection fault in sysfs_do_create_link_sd run #9: crashed: general protection fault in sysfs_do_create_link_sd # git bisect bad e41d58185f1444368873d4d7422f7664a68be61d Bisecting: 0 revisions left to test after this (roughly 1 step) [92ef6da3d06ff551a86de41ae37df9cc4b58d7a0] kcmp: fs/epoll: wrap kcmp code with CONFIG_CHECKPOINT_RESTORE testing commit 92ef6da3d06ff551a86de41ae37df9cc4b58d7a0 with gcc (GCC) 8.1.0 kernel signature: 5bef83f3c8bd466faa17bb0a458f96ea64aa695a all runs: OK # git bisect good 92ef6da3d06ff551a86de41ae37df9cc4b58d7a0 e41d58185f1444368873d4d7422f7664a68be61d is the first bad commit commit e41d58185f1444368873d4d7422f7664a68be61d Author: Dmitry Vyukov Date: Wed Jul 12 14:34:35 2017 -0700 fault-inject: support systematic fault injection Add /proc/self/task//fail-nth file that allows failing 0-th, 1-st, 2-nd and so on calls systematically. Excerpt from the added documentation: "Write to this file of integer N makes N-th call in the current task fail (N is 0-based). Read from this file returns a single char 'Y' or 'N' that says if the fault setup with a previous write to this file was injected or not, and disables the fault if it wasn't yet injected. Note that this file enables all types of faults (slab, futex, etc). This setting takes precedence over all other generic settings like probability, interval, times, etc. But per-capability settings (e.g. fail_futex/ignore-private) take precedence over it. This feature is intended for systematic testing of faults in a single system call. See an example below" Why add a new setting: 1. Existing settings are global rather than per-task. So parallel testing is not possible. 2. attr->interval is close but it depends on attr->count which is non reset to 0, so interval does not work as expected. 3. Trying to model this with existing settings requires manipulations of all of probability, interval, times, space, task-filter and unexposed count and per-task make-it-fail files. 4. Existing settings are per-failure-type, and the set of failure types is potentially expanding. 5. make-it-fail can't be changed by unprivileged user and aggressive stress testing better be done from an unprivileged user. Similarly, this would require opening the debugfs files to the unprivileged user, as he would need to reopen at least times file (not possible to pre-open before dropping privs). The proposed interface solves all of the above (see the example). We want to integrate this into syzkaller fuzzer. A prototype has found 10 bugs in kernel in first day of usage: https://groups.google.com/forum/#!searchin/syzkaller/%22FAULT_INJECTION%22%7Csort:relevance I've made the current interface work with all types of our sandboxes. For setuid the secret sauce was prctl(PR_SET_DUMPABLE, 1, 0, 0, 0) to make /proc entries non-root owned. So I am fine with the current version of the code. [akpm@linux-foundation.org: fix build] Link: http://lkml.kernel.org/r/20170328130128.101773-1-dvyukov@google.com Signed-off-by: Dmitry Vyukov Cc: Akinobu Mita Cc: Michal Hocko Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds :040000 040000 5ff23b4f717faa09a3a303c852d1f879e5c93424 dee40d91ff399cf23471067637b29ba5e1d89733 M Documentation :040000 040000 27977119aa5c7d9e92fc80003c42eb2b4f32cd8a 17fc845fd59fd4d9cd4b38fc91096cf8dfa8cbe3 M fs :040000 040000 ed948d2418da0ee21a502e292d26d30545d58083 67b2b84dc7ad4f73ffe68c2027ef782fb3f91120 M include :040000 040000 5a5aae0ff0d0ab5471e6a7da1dade99054f3438d 5649fd62cab2718586583d958d93c058385fdd52 M kernel :040000 040000 1394cb104a7599e44373b833e369563c29cb2560 d6b4eb0e7b6f9335a6e35b9dbe3f136c0c8dc3b7 M lib kernel signature: eae40807f617fb10e87fd1424346f32becb1e3e0 previous signature: 5bef83f3c8bd466faa17bb0a458f96ea64aa695a revisions tested: 19, total time: 3h22m30.076909077s (build: 1h26m44.006343719s, test: 1h51m2.07576915s) first bad commit: e41d58185f1444368873d4d7422f7664a68be61d fault-inject: support systematic fault injection cc: ["akinobu.mita@gmail.com" "akpm@linux-foundation.org" "dvyukov@google.com" "mhocko@kernel.org" "torvalds@linux-foundation.org"] crash: general protection fault in sysfs_do_create_link_sd RBP: 0000000000000082 R08: 00007f2b6b06db20 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004ba65d R13: 00007f2b6b06dbb8 R14: 00000000004ba65d R15: 0000000000000000 kasan: CONFIG_KASAN_INLINE enabled kasan: GPF could be caused by NULL-ptr deref or user memory access general protection fault: 0000 [#1] SMP KASAN Modules linked in: CPU: 0 PID: 4236 Comm: syz-executor2 Not tainted 4.12.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 task: ffff8801c99fc000 task.stack: ffff8801cb310000 RIP: 0010:sysfs_do_create_link_sd.isra.2+0x48/0xf0 fs/sysfs/symlink.c:35 RSP: 0018:ffff8801cb317628 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: ffffffff8714fac0 RCX: 0000000000000000 RDX: 0000000000000008 RSI: ffff8801c99fc870 RDI: ffffffff88007844 RBP: ffff8801cb317650 R08: 000000000000000c R09: 2d3095780206e719 R10: ffff8801c99fc870 R11: ffff8801c99fc000 R12: ffff8801c9996308 R13: 0000000000000040 R14: 0000000000000001 R15: ffff8801ce88e580 FS: 00007f2b6b06e700(0000) GS:ffff8801dac00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fc8a466ca20 CR3: 00000001ceca4000 CR4: 00000000001406f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: sysfs_do_create_link fs/sysfs/symlink.c:80 [inline] sysfs_create_link+0x43/0xb0 fs/sysfs/symlink.c:92 device_add_disk+0xb19/0xf60 block/genhd.c:631 add_disk include/linux/genhd.h:404 [inline] loop_add+0x5d4/0x7f0 drivers/block/loop.c:1845 loop_probe+0x15a/0x190 drivers/block/loop.c:1917 kobj_lookup+0x20d/0x410 drivers/base/map.c:124 get_gendisk+0x2d/0x1d0 block/genhd.c:728 bd_start_claiming fs/block_dev.c:1107 [inline] blkdev_get+0x100/0x9d0 fs/block_dev.c:1593 blkdev_get_by_path+0x37/0x70 fs/block_dev.c:1678 mount_bdev+0x43/0x330 fs/super.c:1078 fuse_mount_blk+0x10/0x20 fs/fuse/inode.c:1219 mount_fs+0x7f/0x269 fs/super.c:1223 vfs_kern_mount.part.32+0xbf/0x5c0 fs/namespace.c:977 vfs_kern_mount fs/namespace.c:967 [inline] do_new_mount fs/namespace.c:2513 [inline] do_mount+0x372/0x2cc0 fs/namespace.c:2835 SYSC_mount fs/namespace.c:3051 [inline] SyS_mount+0xb8/0xd0 fs/namespace.c:3028 entry_SYSCALL_64_fastpath+0x23/0xc2 RIP: 0033:0x455ac9 RSP: 002b:00007f2b6b06db08 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 0000000000455ac9 RDX: 00000000004ba385 RSI: 0000000020000080 RDI: 00000000200000c0 RBP: 0000000000000082 R08: 00007f2b6b06db20 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004ba65d R13: 00007f2b6b06dbb8 R14: 00000000004ba65d R15: 0000000000000000 Code: 41 55 49 89 f5 41 54 49 89 fc 48 c7 c7 40 78 00 88 53 48 89 d3 e8 a9 62 ff 04 4c 89 ea 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 86 00 00 00 4d 8b 6d 00 4d 85 ed 74 52 4c 89 RIP: sysfs_do_create_link_sd.isra.2+0x48/0xf0 fs/sysfs/symlink.c:35 RSP: ffff8801cb317628 ---[ end trace 6834d1957a4a13e9 ]---