bisecting cause commit starting from da690031a5d6d50a361e3f19f3eeabd086a6f20d building syzkaller on 4a77ae0bdc5cd75ebe88ce7c896aae6bbf457a29 testing commit da690031a5d6d50a361e3f19f3eeabd086a6f20d with gcc (GCC) 8.1.0 kernel signature: 45be175f635461b91386358bccfd59aa1aacdc8bbc6c1718ada6eb172cf74d5c run #0: crashed: WARNING in udf_truncate_extents run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK testing release v5.8 testing commit bcf876870b95592b52519ed4aafcf9d95999bc9c with gcc (GCC) 8.1.0 kernel signature: c8e76bd576d17a3da7d4c04675d695d50c50a29d2841a6f17b484f81b639c306 run #0: crashed: WARNING in udf_truncate_extents run #1: crashed: WARNING in udf_truncate_extents run #2: crashed: WARNING in udf_truncate_extents run #3: crashed: WARNING in udf_truncate_extents run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK testing release v5.7 testing commit 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162 with gcc (GCC) 8.1.0 kernel signature: 6c79a1274846e1dd35e051f11e5da60649d2f713717c461e4116c55f65b7924c run #0: crashed: WARNING in udf_truncate_extents run #1: crashed: WARNING in udf_truncate_extents run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK testing release v5.6 testing commit 7111951b8d4973bda27ff663f2cf18b663d15b48 with gcc (GCC) 8.1.0 kernel signature: 31cb6ec86e01e8d2d4c6c243fb9d4b5e3a51b51fb0a78db6365b00d2381e9dc2 all runs: OK # git bisect start 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162 7111951b8d4973bda27ff663f2cf18b663d15b48 Bisecting: 7542 revisions left to test after this (roughly 13 steps) [50a5de895dbe5df947b3a695777db5b2c313e065] Merge tag 'for-linus-hmm' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma testing commit 50a5de895dbe5df947b3a695777db5b2c313e065 with gcc (GCC) 8.1.0 kernel signature: 09b4d4099c10633f04783fe24ed72511f52324bce9fecf6760c5a6662eb1a538 run #0: crashed: WARNING in udf_truncate_extents run #1: crashed: WARNING in udf_truncate_extents run #2: crashed: WARNING in udf_truncate_extents run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 50a5de895dbe5df947b3a695777db5b2c313e065 Bisecting: 4204 revisions left to test after this (roughly 12 steps) [56a451b780676bc1cdac011735fe2869fa2e9abf] Merge tag 'ntb-5.7' of git://github.com/jonmason/ntb testing commit 56a451b780676bc1cdac011735fe2869fa2e9abf with gcc (GCC) 8.1.0 kernel signature: 8be92e28ac675455399cf9c18e8a48d6d31d8fb1967a99909258da4b4a080b2b run #0: crashed: WARNING in udf_truncate_extents run #1: crashed: WARNING in udf_truncate_extents run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 56a451b780676bc1cdac011735fe2869fa2e9abf Bisecting: 1643 revisions left to test after this (roughly 11 steps) [49835c15a55225e9b3ff9cc9317135b334ea2d49] Merge tag 'pm-5.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm testing commit 49835c15a55225e9b3ff9cc9317135b334ea2d49 with gcc (GCC) 8.1.0 kernel signature: 747fa8b9f7d934dd1d51693be253fff123720c47d86b06debcad4fdfac7ed439 run #0: crashed: WARNING in udf_truncate_extents run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 49835c15a55225e9b3ff9cc9317135b334ea2d49 Bisecting: 934 revisions left to test after this (roughly 10 steps) [063d1942247668eb0bb800aef5afbbef337344be] Merge tag 'media/v5.7-1' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media testing commit 063d1942247668eb0bb800aef5afbbef337344be with gcc (GCC) 8.1.0 kernel signature: 8468f3595c25d14f4a081363e32f3de6f7478cdddb68edd375370d82e9bcf3d7 run #0: crashed: WARNING in udf_truncate_extents run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 063d1942247668eb0bb800aef5afbbef337344be Bisecting: 302 revisions left to test after this (roughly 9 steps) [481ed297d900af0ce395f6ca8975903b76a5a59e] Merge tag 'docs-5.7' of git://git.lwn.net/linux testing commit 481ed297d900af0ce395f6ca8975903b76a5a59e with gcc (GCC) 8.1.0 kernel signature: 91e1b6928bbeae9a9071d9eb1c2bdc883ee8c7f37c3a35a7906bc58049b13055 run #0: crashed: WARNING in udf_truncate_extents run #1: crashed: WARNING in udf_truncate_extents run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 481ed297d900af0ce395f6ca8975903b76a5a59e Bisecting: 181 revisions left to test after this (roughly 8 steps) [1592614838cb52f4313ceff64894e2ca78591498] Merge tag 'for-5.7/drivers-2020-03-29' of git://git.kernel.dk/linux-block testing commit 1592614838cb52f4313ceff64894e2ca78591498 with gcc (GCC) 8.1.0 kernel signature: a75dc21b4ed2e6a713393179ccd37e060fa375c3926fedc2edaeacc2f32eba18 run #0: crashed: WARNING in udf_truncate_extents run #1: crashed: WARNING in udf_truncate_extents run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 1592614838cb52f4313ceff64894e2ca78591498 Bisecting: 121 revisions left to test after this (roughly 7 steps) [766c3297d7e1584394d4af0cc8368e838124b023] null_blk: add trace in null_blk_zoned.c testing commit 766c3297d7e1584394d4af0cc8368e838124b023 with gcc (GCC) 8.1.0 kernel signature: 06448407a938a9be55bb35782e8cdbaf5eaa5705a88a9d26675505162af07f4e run #0: crashed: WARNING in udf_truncate_extents run #1: crashed: WARNING in udf_truncate_extents run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 766c3297d7e1584394d4af0cc8368e838124b023 Bisecting: 45 revisions left to test after this (roughly 6 steps) [5ae3a2c03d1f5b33f53ce2ba2e57773fc8b35128] bcache: remove dupplicated declaration from btree.h testing commit 5ae3a2c03d1f5b33f53ce2ba2e57773fc8b35128 with gcc (GCC) 8.1.0 kernel signature: e13bb347f0c8242312ce0a7ed75cdaa67bfb0abdc83eec0b0b61071792a0c4ac run #0: crashed: WARNING in udf_truncate_extents run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 5ae3a2c03d1f5b33f53ce2ba2e57773fc8b35128 Bisecting: 22 revisions left to test after this (roughly 5 steps) [121e297955e312bee9edb151c9f68a550c28284b] floppy: cleanup: expand macro UDRWE testing commit 121e297955e312bee9edb151c9f68a550c28284b with gcc (GCC) 8.1.0 kernel signature: 9a2b1ca64f3df5878de4f1bb249498c5388cba167083144141b725b5f9d77979 run #0: crashed: WARNING in udf_truncate_extents run #1: crashed: WARNING in udf_truncate_extents run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 121e297955e312bee9edb151c9f68a550c28284b Bisecting: 10 revisions left to test after this (roughly 4 steps) [034851049082d084a6e616900293e14590b4e0e1] block: aoe: Use scnprintf() for avoiding potential buffer overflow testing commit 034851049082d084a6e616900293e14590b4e0e1 with gcc (GCC) 8.1.0 kernel signature: e989710c23937c25b9efb6e951ef5822187e3a6adb00758690d99394e4b69bf6 run #0: crashed: WARNING in udf_truncate_extents run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: boot failed: can't ssh into the instance # git bisect bad 034851049082d084a6e616900293e14590b4e0e1 Bisecting: 5 revisions left to test after this (roughly 3 steps) [78b10be23d42e66fc42e52b9ae620f0a6ef5b8c7] null_blk: Fix changing the number of hardware queues testing commit 78b10be23d42e66fc42e52b9ae620f0a6ef5b8c7 with gcc (GCC) 8.1.0 kernel signature: 3ccf10e3ced5da3d5aedcbba922800eedd12f97a14fadebd845091deafbf08c8 all runs: OK # git bisect good 78b10be23d42e66fc42e52b9ae620f0a6ef5b8c7 Bisecting: 2 revisions left to test after this (roughly 2 steps) [596444e7570587867924c3ab025183b1a8726897] null_blk: Add support for init_hctx() fault injection testing commit 596444e7570587867924c3ab025183b1a8726897 with gcc (GCC) 8.1.0 kernel signature: 37c50c4ba72d23d8253103cd3e2aaa4a2aa6ab06b563a539f3dbb5cb3dc44e19 run #0: crashed: WARNING in udf_truncate_extents run #1: crashed: WARNING in udf_truncate_extents run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 596444e7570587867924c3ab025183b1a8726897 Bisecting: 0 revisions left to test after this (roughly 1 step) [9b03b713082a31a5b90e0a893c72aa620e255c26] null_blk: Handle null_add_dev() failures properly testing commit 9b03b713082a31a5b90e0a893c72aa620e255c26 with gcc (GCC) 8.1.0 kernel signature: 9f03152d4db6a4b8547a7bbbcb83a76b28700ebcc8b91af83a58728ec75e1f18 run #0: basic kernel testing failed: failed to copy test binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/syzkaller/jobs/linux/workdir/image/key" "/syzkaller/jobs/linux/workdir/repro.prog" "root@10.128.15.196:./repro.prog"]: exit status 1 Warning: Permanently added '10.128.15.196' (ECDSA) to the list of known hosts. /syzkaller/jobs/linux/workdir/repro.prog: Broken pipe run #1: crashed: WARNING in udf_truncate_extents run #2: crashed: WARNING in udf_truncate_extents run #3: crashed: WARNING in udf_truncate_extents run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 9b03b713082a31a5b90e0a893c72aa620e255c26 Bisecting: 0 revisions left to test after this (roughly 0 steps) [2004bfdef945fe55196db6b9cdf321fbc75bb0de] null_blk: Fix the null_add_dev() error path testing commit 2004bfdef945fe55196db6b9cdf321fbc75bb0de with gcc (GCC) 8.1.0 kernel signature: 0ca81b5262a59692df9beaa9b011b1a0f6f80e199652dfebc7c1180f19e26de6 run #0: crashed: WARNING in udf_truncate_extents run #1: crashed: WARNING in udf_truncate_extents run #2: crashed: WARNING in udf_truncate_extents run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 2004bfdef945fe55196db6b9cdf321fbc75bb0de 2004bfdef945fe55196db6b9cdf321fbc75bb0de is the first bad commit commit 2004bfdef945fe55196db6b9cdf321fbc75bb0de Author: Bart Van Assche Date: Mon Mar 9 21:26:21 2020 -0700 null_blk: Fix the null_add_dev() error path If null_add_dev() fails, clear dev->nullb. This patch fixes the following KASAN complaint: BUG: KASAN: use-after-free in nullb_device_submit_queues_store+0xcf/0x160 [null_blk] Read of size 8 at addr ffff88803280fc30 by task check/8409 Call Trace: dump_stack+0xa5/0xe6 print_address_description.constprop.0+0x26/0x260 __kasan_report.cold+0x7b/0x99 kasan_report+0x16/0x20 __asan_load8+0x58/0x90 nullb_device_submit_queues_store+0xcf/0x160 [null_blk] configfs_write_file+0x1c4/0x250 [configfs] __vfs_write+0x4c/0x90 vfs_write+0x145/0x2c0 ksys_write+0xd7/0x180 __x64_sys_write+0x47/0x50 do_syscall_64+0x6f/0x2f0 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x7ff370926317 Code: 64 89 02 48 c7 c0 ff ff ff ff eb bb 0f 1f 80 00 00 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24 RSP: 002b:00007fff2dd2da48 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007ff370926317 RDX: 0000000000000002 RSI: 0000559437ef23f0 RDI: 0000000000000001 RBP: 0000559437ef23f0 R08: 000000000000000a R09: 0000000000000001 R10: 0000559436703471 R11: 0000000000000246 R12: 0000000000000002 R13: 00007ff370a006a0 R14: 00007ff370a014a0 R15: 00007ff370a008a0 Allocated by task 8409: save_stack+0x23/0x90 __kasan_kmalloc.constprop.0+0xcf/0xe0 kasan_kmalloc+0xd/0x10 kmem_cache_alloc_node_trace+0x129/0x4c0 null_add_dev+0x24a/0xe90 [null_blk] nullb_device_power_store+0x1b6/0x270 [null_blk] configfs_write_file+0x1c4/0x250 [configfs] __vfs_write+0x4c/0x90 vfs_write+0x145/0x2c0 ksys_write+0xd7/0x180 __x64_sys_write+0x47/0x50 do_syscall_64+0x6f/0x2f0 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 8409: save_stack+0x23/0x90 __kasan_slab_free+0x112/0x160 kasan_slab_free+0x12/0x20 kfree+0xdf/0x250 null_add_dev+0xaf3/0xe90 [null_blk] nullb_device_power_store+0x1b6/0x270 [null_blk] configfs_write_file+0x1c4/0x250 [configfs] __vfs_write+0x4c/0x90 vfs_write+0x145/0x2c0 ksys_write+0xd7/0x180 __x64_sys_write+0x47/0x50 do_syscall_64+0x6f/0x2f0 entry_SYSCALL_64_after_hwframe+0x49/0xbe Fixes: 2984c8684f96 ("nullb: factor disk parameters") Signed-off-by: Bart Van Assche Reviewed-by: Chaitanya Kulkarni Cc: Johannes Thumshirn Cc: Hannes Reinecke Cc: Ming Lei Cc: Christoph Hellwig Signed-off-by: Jens Axboe drivers/block/null_blk_main.c | 1 + 1 file changed, 1 insertion(+) culprit signature: 0ca81b5262a59692df9beaa9b011b1a0f6f80e199652dfebc7c1180f19e26de6 parent signature: 3ccf10e3ced5da3d5aedcbba922800eedd12f97a14fadebd845091deafbf08c8 revisions tested: 18, total time: 5h6m44.246710611s (build: 2h6m10.9125238s, test: 2h58m37.605235756s) first bad commit: 2004bfdef945fe55196db6b9cdf321fbc75bb0de null_blk: Fix the null_add_dev() error path recipients (to): ["axboe@kernel.dk" "bvanassche@acm.org" "chaitanya.kulkarni@wdc.com"] recipients (cc): [] crash: WARNING in udf_truncate_extents ------------[ cut here ]------------ WARNING: CPU: 1 PID: 17494 at fs/udf/truncate.c:226 mark_inode_dirty include/linux/fs.h:2183 [inline] WARNING: CPU: 1 PID: 17494 at fs/udf/truncate.c:226 udf_truncate_extents+0x69a/0x7fd fs/udf/truncate.c:283 Kernel panic - not syncing: panic_on_warn set ... CPU: 1 PID: 17494 Comm: syz-executor.5 Not tainted 5.6.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x140/0x1a6 lib/dump_stack.c:118 panic+0x2e1/0x5aa kernel/panic.c:221 __warn.cold.10+0x25/0x2f kernel/panic.c:582 report_bug+0x1ad/0x270 lib/bug.c:195 fixup_bug arch/x86/kernel/traps.c:174 [inline] do_error_trap+0x12d/0x230 arch/x86/kernel/traps.c:267 do_invalid_op+0x31/0x40 arch/x86/kernel/traps.c:286 invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027 RIP: 0010:udf_truncate_extents+0x69a/0x7fd fs/udf/truncate.c:226 Code: 03 38 d0 7c 09 84 d2 74 05 e8 32 15 2a ff 8b 44 24 10 be 07 00 00 00 48 89 df 89 83 e4 fe ff ff e8 3b e7 3d ff e9 1f fe ff ff <0f> 0b e9 83 fe ff ff 0f 0b 48 c7 c7 60 81 d2 89 e8 4c 1f 1f 01 48 RSP: 0018:ffffc900015a7748 EFLAGS: 00010206 RAX: 00000000ffffffff RBX: ffff888073921180 RCX: 00000000001b8000 RDX: 0000000000000400 RSI: dffffc0000000000 RDI: 0000000000000400 RBP: ffffc900015a78c0 R08: 00000000ffffffff R09: ffff8880a646e800 R10: 0000000000000400 R11: ffff88807392114b R12: ffffc900015a7840 R13: ffff888095f6c000 R14: ffff888073921080 R15: ffffc900015a77c0 udf_write_failed+0xb1/0xf0 fs/udf/inode.c:176 udf_write_begin+0x48/0x50 fs/udf/inode.c:212 generic_perform_write+0x253/0x410 mm/filemap.c:3287 __generic_file_write_iter+0x1ff/0x520 mm/filemap.c:3416 udf_file_write_iter+0x235/0x450 fs/udf/file.c:169 call_write_iter include/linux/fs.h:1901 [inline] do_iter_readv_writev+0x4e5/0x7c0 fs/read_write.c:693 do_iter_write+0x123/0x530 fs/read_write.c:998 vfs_writev+0x16d/0x2d0 fs/read_write.c:1071 do_pwritev+0x14c/0x1f0 fs/read_write.c:1168 do_syscall_64+0xc6/0x670 arch/x86/entry/common.c:294 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x45de59 Code: 0d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007eff02964c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000128 RAX: ffffffffffffffda RBX: 0000000000026400 RCX: 000000000045de59 RDX: 0000000000000001 RSI: 00000000200014c0 RDI: 0000000000000003 RBP: 000000000118bf70 R08: 0000000000000020 R09: 0000000000000000 R10: 0000000000000002 R11: 0000000000000246 R12: 000000000118bf2c R13: 00007ffd647330df R14: 00007eff029659c0 R15: 000000000118bf2c Kernel Offset: disabled Rebooting in 86400 seconds..