ci starts bisection 2024-07-15 05:38:34.691821779 +0000 UTC m=+103.115494502
bisecting cause commit starting from 3fe121b622825ff8cc995a1e6b026181c48188db
building syzkaller on eaeb5c15ad704753a93bc8f8c7fc422d2a189581
ensuring issue is reproducible on original commit 3fe121b622825ff8cc995a1e6b026181c48188db
testing commit 3fe121b622825ff8cc995a1e6b026181c48188db gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: dd48ac3cbd68d8d562681c08ada958a44b94a04fbcc6a4ea18d716b9ec22f36f
run #0: crashed: WARNING in rcu_note_context_switch
run #1: crashed: WARNING in rcu_note_context_switch
run #2: crashed: WARNING in rcu_note_context_switch
run #3: crashed: WARNING in rcu_note_context_switch
run #4: crashed: WARNING in rcu_note_context_switch
run #5: crashed: WARNING in rcu_note_context_switch
run #6: crashed: WARNING in rcu_note_context_switch
run #7: crashed: WARNING in rcu_note_context_switch
run #8: crashed: WARNING in rcu_note_context_switch
run #9: crashed: WARNING in rcu_note_context_switch
run #10: crashed: WARNING in rcu_note_context_switch
run #11: crashed: WARNING in rcu_note_context_switch
run #12: crashed: WARNING in rcu_note_context_switch
run #13: crashed: WARNING in rcu_note_context_switch
run #14: crashed: WARNING in rcu_note_context_switch
run #15: crashed: WARNING in rcu_note_context_switch
run #16: crashed: BUG: sleeping function called from invalid context in get_signal
run #17: crashed: WARNING in rcu_note_context_switch
run #18: crashed: WARNING in rcu_note_context_switch
run #19: crashed: WARNING in rcu_note_context_switch
representative crash: WARNING in rcu_note_context_switch, types: [WARNING]
check whether we can drop unnecessary instrumentation
disabling configs for [KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit 3fe121b622825ff8cc995a1e6b026181c48188db gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 6b5e26a3cb57e885dcf3e8e557c8d2c6d808fd04a5c72076a48152ebcc2f24ab
all runs: basic kernel testing failed: WARNING in alloc_workqueue
unable to determine the verdict: 0 good runs (wanted 5), for bad wanted 5 in total, got 0
kconfig minimization: base=4001 full=8092 leaves diff=2012
split chunks (needed=false): <2012>
split chunk #0 of len 2012 into 5 parts
testing without sub-chunk 1/5
testing commit 3fe121b622825ff8cc995a1e6b026181c48188db gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f6da6076939c42152dffb1c6b85d34d9eac77836d4695c895551b196d72aa971
all runs: crashed: WARNING in rcu_note_context_switch
representative crash: WARNING in rcu_note_context_switch, types: [WARNING]
the chunk can be dropped
testing without sub-chunk 2/5
testing commit 3fe121b622825ff8cc995a1e6b026181c48188db gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 62d580b88c60443a81f57af3f1137e59dd10d58e5cddfa9b67d22752be4227ec
run #0: crashed: BUG: sleeping function called from invalid context in get_signal
run #1: crashed: WARNING in rcu_note_context_switch
run #2: crashed: WARNING in rcu_note_context_switch
run #3: crashed: WARNING in rcu_note_context_switch
run #4: crashed: WARNING in rcu_note_context_switch
run #5: crashed: WARNING in rcu_note_context_switch
run #6: crashed: WARNING in rcu_note_context_switch
run #7: crashed: WARNING in rcu_note_context_switch
run #8: crashed: WARNING in rcu_note_context_switch
run #9: crashed: WARNING in rcu_note_context_switch
representative crash: WARNING in rcu_note_context_switch, types: [WARNING]
the chunk can be dropped
testing without sub-chunk 3/5
testing commit 3fe121b622825ff8cc995a1e6b026181c48188db gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 40848575fee11e9ec2b0128870edff536a2a0bd308574172409109ab8d0134bd
all runs: crashed: WARNING in rcu_note_context_switch
representative crash: WARNING in rcu_note_context_switch, types: [WARNING]
the chunk can be dropped
testing without sub-chunk 4/5
testing commit 3fe121b622825ff8cc995a1e6b026181c48188db gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e3f0726cac8668f0387ae4a387477e7b9ffbf7986f63b7554ffd6ac3b87f4586
all runs: crashed: WARNING in rcu_note_context_switch
representative crash: WARNING in rcu_note_context_switch, types: [WARNING]
the chunk can be dropped
testing without sub-chunk 5/5
testing commit 3fe121b622825ff8cc995a1e6b026181c48188db gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 771174ad0a1317e02d493bbbd07e866402daff22b422662a88d5d29526a9f36d
all runs: crashed: WARNING in rcu_note_context_switch
representative crash: WARNING in rcu_note_context_switch, types: [WARNING]
the chunk can be dropped
picked [v6.9 v6.8 v6.7 v6.5 v6.3 v6.1 v5.19 v5.17 v5.14 v5.11 v5.8 v5.5 v5.2 v4.20 v4.19] out of 32 release tags
testing release v6.9
testing commit a38297e3fb012ddfa7ce0321a7e5a8daeb1872b6 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 0462321ac41277d31dce4a0ed009aa286f973b89b0ea6f986441ffee23713849
all runs: OK
false negative chance: 0.000
# git bisect start 3fe121b622825ff8cc995a1e6b026181c48188db a38297e3fb012ddfa7ce0321a7e5a8daeb1872b6
Bisecting: 13585 revisions left to test after this (roughly 14 steps)
[d6c941570680d4d11e5c7480c3bcbeff8d3860f9] Merge tag 'drm-fixes-2024-06-22' of https://gitlab.freedesktop.org/drm/kernel
testing commit d6c941570680d4d11e5c7480c3bcbeff8d3860f9 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 03e604245d8669f28b9ca5053efc44f49dfa0c2a55c88f12d9a0ad14b68fea76
all runs: OK
false negative chance: 0.000
# git bisect good d6c941570680d4d11e5c7480c3bcbeff8d3860f9
Bisecting: 6643 revisions left to test after this (roughly 13 steps)
[7a2a233b7cda0a8d617f0fc634e552559c202b98] Merge branch 'main' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git
testing commit 7a2a233b7cda0a8d617f0fc634e552559c202b98 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 322dad345212ab4839287c20bc0ca62a3212e8685f45afd00c8c65138062c14a
all runs: crashed: WARNING in rcu_note_context_switch
representative crash: WARNING in rcu_note_context_switch, types: [WARNING]
# git bisect bad 7a2a233b7cda0a8d617f0fc634e552559c202b98
Bisecting: 3485 revisions left to test after this (roughly 12 steps)
[607502816e557cb59aaec7c76a01b86f990d98b5] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux.git
testing commit 607502816e557cb59aaec7c76a01b86f990d98b5 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 98d536944537ae3642c71381ceb8ee6cea99ce7b7be19b214df4ad3557d3b810
all runs: OK
false negative chance: 0.000
# git bisect good 607502816e557cb59aaec7c76a01b86f990d98b5
Bisecting: 1735 revisions left to test after this (roughly 11 steps)
[57cc00bd3bc9219a9af85b952d3b899cbe28dac7] Merge branch 'master' of git://linuxtv.org/mchehab/media-next.git
testing commit 57cc00bd3bc9219a9af85b952d3b899cbe28dac7 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 54b65814128ba15585a79d9be824c5708d8202e41523b57f635de29d3c7621e4
all runs: crashed: WARNING in rcu_note_context_switch
representative crash: WARNING in rcu_note_context_switch, types: [WARNING]
# git bisect bad 57cc00bd3bc9219a9af85b952d3b899cbe28dac7
Bisecting: 830 revisions left to test after this (roughly 10 steps)
[4a2ff6a0e86e5c3a7dfabc53e25421877ccc2f4c] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/printk/linux.git
testing commit 4a2ff6a0e86e5c3a7dfabc53e25421877ccc2f4c gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 4cd7ca6696cf8ec6f83ec5e86d42f23ee322c634425fea601e8c1d15fae5b0a5
all runs: crashed: WARNING in rcu_note_context_switch
representative crash: WARNING in rcu_note_context_switch, types: [WARNING]
# git bisect bad 4a2ff6a0e86e5c3a7dfabc53e25421877ccc2f4c
Bisecting: 429 revisions left to test after this (roughly 9 steps)
[c901d2bf882ab34946a191b9a838193d0fedfd08] Merge branch 'linux-next' of git://git.linux-nfs.org/projects/anna/linux-nfs.git
testing commit c901d2bf882ab34946a191b9a838193d0fedfd08 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 9652911adf50a82f0451b949a8e3706d3df1302ca9ef1e97b21de601545836be
all runs: OK
false negative chance: 0.000
# git bisect good c901d2bf882ab34946a191b9a838193d0fedfd08
Bisecting: 280 revisions left to test after this (roughly 8 steps)
[0325b8038edaf3793f547bb69b059b200f2eea5a] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/zonefs.git
testing commit 0325b8038edaf3793f547bb69b059b200f2eea5a gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f316a49990d749a6dae72f23c3f50a2fc30ab028649aef19e1874a2aa0c38e76
all runs: OK
false negative chance: 0.000
# git bisect good 0325b8038edaf3793f547bb69b059b200f2eea5a
Bisecting: 139 revisions left to test after this (roughly 7 steps)
[5f30e082ab8b3431a51fbca289dbf116cfdec1dd] Merge branch 'vfs.iomap' into vfs.all Signed-off-by: Christian Brauner
testing commit 5f30e082ab8b3431a51fbca289dbf116cfdec1dd gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ac1255c6863b5180a53cc6848b5d11c76b3ece2d6fbffc19d4ff9f5007564911
all runs: crashed: WARNING: lock held when returning to user space in ns_ioctl
representative crash: WARNING: lock held when returning to user space in ns_ioctl, types: [LOCKDEP]
# git bisect bad 5f30e082ab8b3431a51fbca289dbf116cfdec1dd
Bisecting: 77 revisions left to test after this (roughly 6 steps)
[18ac3e3e1049b38714867eae890fcd6b4601e1c0] Merge branch 'vfs.pg_error' into vfs.all
testing commit 18ac3e3e1049b38714867eae890fcd6b4601e1c0 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 2c02207111202368afe8065e842a800ca6c265613d3fd70553cb45561f1c8deb
all runs: OK
false negative chance: 0.000
# git bisect good 18ac3e3e1049b38714867eae890fcd6b4601e1c0
Bisecting: 39 revisions left to test after this (roughly 5 steps)
[46a70ee7702cdca88733ae2684f5589b0be8b866] Merge branch 'vfs.inode.rcu' into vfs.all
testing commit 46a70ee7702cdca88733ae2684f5589b0be8b866 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 9d83c4ea106cf3a61c9f0dea48a73e1b579f4c792953a1e700352a0518a6ada8
all runs: OK
false negative chance: 0.000
# git bisect good 46a70ee7702cdca88733ae2684f5589b0be8b866
Bisecting: 19 revisions left to test after this (roughly 4 steps)
[f012e5018283c5719c405fa1ff908f55e75b4178] fs: find root mount of the namespace
testing commit f012e5018283c5719c405fa1ff908f55e75b4178 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: a84c7ba2be69e61bf0dd1ff0c1356a5a8b16a370c8cf69e1f638129fe0a184a5
all runs: OK
false negative chance: 0.000
# git bisect good f012e5018283c5719c405fa1ff908f55e75b4178
Bisecting: 10 revisions left to test after this (roughly 3 steps)
[70f14de978c3d40884451152d7c1803ac1dc286d] Merge branch 'vfs.nsfs' into vfs.all
testing commit 70f14de978c3d40884451152d7c1803ac1dc286d gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: fe721e9fc3bbeeb2570b91c22d7887c969641746a49acff0068cf8eed4f921ee
all runs: crashed: WARNING: lock held when returning to user space in ns_ioctl
representative crash: WARNING: lock held when returning to user space in ns_ioctl, types: [LOCKDEP]
# git bisect bad 70f14de978c3d40884451152d7c1803ac1dc286d
Bisecting: 5 revisions left to test after this (roughly 2 steps)
[94fe19a4c094001010e83f42f227a397c9cf25fa] Merge branch 'vfs.netfs' into vfs.all Signed-off-by: Christian Brauner
testing commit 94fe19a4c094001010e83f42f227a397c9cf25fa gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 05f3abb8f2e3f4f831d1bbba1fe63b3c68cb47c6497184462d9c7b7835166717
all runs: OK
false negative chance: 0.000
# git bisect good 94fe19a4c094001010e83f42f227a397c9cf25fa
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[ac6f95117426bdbe4bf7453d6de1a25eacbbb110] Merge branch 'vfs.procfs' into vfs.all Signed-off-by: Christian Brauner
testing commit ac6f95117426bdbe4bf7453d6de1a25eacbbb110 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 5777ede9f36a1e827c1662436fd5cab51348a28385889ae68bf14a0963be72da
all runs: OK
false negative chance: 0.000
# git bisect good ac6f95117426bdbe4bf7453d6de1a25eacbbb110
Bisecting: 1 revision left to test after this (roughly 1 step)
[ca567df74a28a9fb368c6b2d93e864113f73f5c2] nsfs: add pid translation ioctls
testing commit ca567df74a28a9fb368c6b2d93e864113f73f5c2 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 7a06de310db4a18722a9771dd501714033621d21239a31590bbaaf72b4d6d4aa
all runs: crashed: WARNING: lock held when returning to user space in ns_ioctl
representative crash: WARNING: lock held when returning to user space in ns_ioctl, types: [LOCKDEP]
# git bisect bad ca567df74a28a9fb368c6b2d93e864113f73f5c2
ca567df74a28a9fb368c6b2d93e864113f73f5c2 is the first bad commit
commit ca567df74a28a9fb368c6b2d93e864113f73f5c2
Author: Christian Brauner
Date: Sun Jun 7 22:47:08 2020 +0200

nsfs: add pid translation ioctls

Add ioctl()s to translate pids between pid namespaces.

LXCFS is a tiny fuse filesystem used to virtualize various aspects of procfs. LXCFS is run on the host. The files and directories it creates can be bind-mounted by e.g.
a container at startup and mounted over the various procfs files the container wishes to have virtualized. When e.g. a read request for uptime is received, LXCFS will receive the pid of the reader. In order to virtualize the corresponding read, LXCFS needs to know the pid of the init process of the reader's pid namespace. In order to do this, LXCFS first needs to fork() two helper processes. The first helper process setns() to the reader's pid namespace. The second helper process is needed to create a process that is a proper member of the pid namespace. The second helper process then creates a ucred message with ucred.pid set to 1 and sends it back to LXCFS. The kernel will translate the ucred.pid field to the corresponding pid number in LXCFS's pid namespace. This way LXCFS can learn the init pid number of the reader's pid namespace and can go on to virtualize. Since these two forks() are costly LXCFS maintains an init pid cache that caches a given pid for a fixed amount of time. The cache is pruned during new read requests. However, even with the cache the hit of the two forks() is significant when a very large number of containers are running. With this simple patch we add an ns ioctl that lets a caller retrieve the init pid nr of a pid namespace through its pid namespace fd. This significantly improves performance with a very simple change.

Support translation of pids and tgids. Other concepts can be added but there are no obvious users for this right now.

To protect against races pidfds can be used to check whether the process is still valid. If needed, this can also be extended to work on pidfds directly.

Link: https://lore.kernel.org/r/20240619-work-ns_ioctl-v1-1-7c0097e6bb6b@kernel.org
Reviewed-by: Alexander Mikhalitsyn
Signed-off-by: Christian Brauner

fs/nsfs.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++-
include/uapi/linux/nsfs.h | 8 +++++++
2 files changed, 60 insertions(+), 1 deletion(-)
accumulated error probability: 0.00
parent commit 1613e604df0cd359cf2a7fbd9be7a0bcfacfabd0 wasn't tested
testing commit 1613e604df0cd359cf2a7fbd9be7a0bcfacfabd0 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 4038b46f62e42a642ac2a4d32dcf6b0ff31a84671adc9aea8f94dbe81256a807
culprit signature: 7a06de310db4a18722a9771dd501714033621d21239a31590bbaaf72b4d6d4aa
parent signature: 4038b46f62e42a642ac2a4d32dcf6b0ff31a84671adc9aea8f94dbe81256a807
revisions tested: 23, total time: 6h46m36.723257998s (build: 2h54m7.050038073s, test: 2h19m54.599084277s)
first bad commit: ca567df74a28a9fb368c6b2d93e864113f73f5c2 nsfs: add pid translation ioctls
recipients (to): ["aleksandr.mikhalitsyn@canonical.com" "brauner@kernel.org" "linux-kernel@vger.kernel.org"]
recipients (cc): ["brauner@kernel.org" "jack@suse.cz" "linux-fsdevel@vger.kernel.org" "viro@zeniv.linux.org.uk"]
crash: WARNING: lock held when returning to user space in ns_ioctl
================================================
WARNING: lock held when returning to user space!
6.10.0-rc1-syzkaller #0 Not tainted
------------------------------------------------
syz.0.15/2819 is leaving the kernel with locks still held!
1 lock held by syz.0.15/2819:
 #0: ffffffff84665200 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:329 [inline]
 #0: ffffffff84665200 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:781 [inline]
 #0: ffffffff84665200 (rcu_read_lock){....}-{1:2}, at: ns_ioctl+0x127/0x630 fs/nsfs.c:163
------------[ cut here ]------------
Voluntary context switch within RCU read-side critical section!
WARNING: CPU: 0 PID: 2819 at kernel/rcu/tree_plugin.h:320 rcu_note_context_switch+0xc35/0xed0 kernel/rcu/tree_plugin.h:320
Modules linked in:
CPU: 0 PID: 2819 Comm: syz.0.15 Not tainted 6.10.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
RIP: 0010:rcu_note_context_switch+0xc35/0xed0 kernel/rcu/tree_plugin.h:320
Code: 00 00 48 8d 65 d8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc c6 05 e0 bc 8a 03 01 90 48 c7 c7 c0 a1 a7 83 e8 8c 54 e2 ff 90 <0f> 0b 90 90 e9 01 f5 ff ff 90 0f 0b 90 45 84 e4 0f 84 c7 f4 ff ff
RSP: 0000:ffffc900029efc00 EFLAGS: 00010046
RAX: 8c1f981257135d00 RBX: ffff88811bfe3d7c RCX: 0000000000000003
RDX: 0000000000000001 RSI: 0000000000000004 RDI: 0000000000000001
RBP: ffffc900029efd50 R08: ffff8881f7028a93 R09: 1ffff1103ee05152
R10: dffffc0000000000 R11: ffffed103ee05153 R12: 0000000000000000
R13: ffffc900029efe50 R14: dffffc0000000000 R15: ffff88811bfe3980
FS: 00007f47277fd6c0(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2f85ffff CR3: 000000011cf2c000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 __schedule+0x306/0x24d0 kernel/sched/core.c:6634
 __schedule_loop kernel/sched/core.c:6822 [inline]
 schedule+0x14b/0x320 kernel/sched/core.c:6837
 exit_to_user_mode_loop kernel/entry/common.c:102 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
 irqentry_exit_to_user_mode+0xd3/0x220 kernel/entry/common.c:231
 asm_sysvec_reschedule_ipi+0x1a/0x20 arch/x86/include/asm/idtentry.h:707
RIP: 0033:0x7f4727d73bd9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f47277fd048 EFLAGS: 00000246
RAX: fffffffffffffffd RBX: 00007f4727f01f60 RCX: 00007f4727d73bd9
RDX: 0000000000000000 RSI: 000000008004b706 RDI: 0000000000000003
RBP: 00007f4727de2e60 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000006 R14: 00007f4727f01f60 R15: 00007ffe9d90a538