bisecting cause commit starting from b2924447b98afa42f13f16b1a4786f0872a2fc37 building syzkaller on bfb4a51e30c8c04658a2675333b9b89a9d327c4a testing commit b2924447b98afa42f13f16b1a4786f0872a2fc37 with gcc (GCC) 8.1.0 run #0: crashed: KASAN: slab-out-of-bounds Read in unregister_shrinker run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK testing release v5.1 testing commit e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd with gcc (GCC) 8.1.0 all runs: OK # git bisect start b2924447b98afa42f13f16b1a4786f0872a2fc37 v5.1 Bisecting: 9096 revisions left to test after this (roughly 13 steps) [8e4ff713ce313dcabbb60e6ede1ffc193e67631f] Merge tag 'rtc-5.2' of git://git.kernel.org/pub/scm/linux/kernel/git/abelloni/linux testing commit 8e4ff713ce313dcabbb60e6ede1ffc193e67631f with gcc (GCC) 8.1.0 all runs: OK # git bisect good 8e4ff713ce313dcabbb60e6ede1ffc193e67631f Bisecting: 4548 revisions left to test after this (roughly 12 steps) [119a7fdfeecefa5a4062256ac2dcd3b69eaa8414] Merge 5.2-rc3 into usb-next testing commit 119a7fdfeecefa5a4062256ac2dcd3b69eaa8414 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 119a7fdfeecefa5a4062256ac2dcd3b69eaa8414 Bisecting: 2296 revisions left to test after this (roughly 11 steps) [303b6ea0cbdb2b2a7a4b5c672ac9ad441df9de34] Merge remote-tracking branch 'nand/nand/next' testing commit 303b6ea0cbdb2b2a7a4b5c672ac9ad441df9de34 with gcc (GCC) 8.1.0 run #0: crashed: KASAN: slab-out-of-bounds Read in unregister_shrinker run #1: crashed: KASAN: slab-out-of-bounds Read in unregister_shrinker run #2: OK run #3: OK run #4: OK run #5: OK run #6: crashed: KASAN: use-after-free Read in register_shrinker_prepared run #7: OK run #8: OK run #9: OK # git bisect bad 303b6ea0cbdb2b2a7a4b5c672ac9ad441df9de34 Bisecting: 1159 revisions left to test after this (roughly 10 steps) [83ef50f9f13dea5eff9389eec5288f36edb7cc12] Merge remote-tracking branch 'pstore/for-next/pstore' testing commit 83ef50f9f13dea5eff9389eec5288f36edb7cc12 with gcc (GCC) 8.1.0 run #0: crashed: KASAN: use-after-free Read in register_shrinker_prepared run #1: crashed: KASAN: use-after-free Read in unregister_shrinker run #2: crashed: KASAN: use-after-free Read in register_shrinker_prepared run #3: crashed: KASAN: use-after-free Read in unregister_shrinker run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 83ef50f9f13dea5eff9389eec5288f36edb7cc12 Bisecting: 546 revisions left to test after this (roughly 9 steps) [c3b1b31d020da31682a482beb2385d4714d02138] Merge remote-tracking branch 'bcm2835/for-next' testing commit c3b1b31d020da31682a482beb2385d4714d02138 with gcc (GCC) 8.1.0 all runs: OK # git bisect good c3b1b31d020da31682a482beb2385d4714d02138 Bisecting: 273 revisions left to test after this (roughly 8 steps) [82cf7972b14b2ccef42916bf0a0553fa0d831b7a] Merge remote-tracking branch 'm68k/for-next' testing commit 82cf7972b14b2ccef42916bf0a0553fa0d831b7a with gcc (GCC) 8.1.0 all runs: OK # git bisect good 82cf7972b14b2ccef42916bf0a0553fa0d831b7a Bisecting: 142 revisions left to test after this (roughly 7 steps) [87a93bdbaa06f50349e0bc45ddd04b460ca24ae5] Merge remote-tracking branch 'xtensa/xtensa-for-next' testing commit 87a93bdbaa06f50349e0bc45ddd04b460ca24ae5 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 87a93bdbaa06f50349e0bc45ddd04b460ca24ae5 Bisecting: 68 revisions left to test after this (roughly 6 steps) [3c0da55c440ccb1521aac0400232bb56bab81e12] Merge remote-tracking branch 'nfs-anna/linux-next' testing commit 3c0da55c440ccb1521aac0400232bb56bab81e12 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 3c0da55c440ccb1521aac0400232bb56bab81e12 Bisecting: 33 revisions left to test after this (roughly 5 steps) [fb91ba1dc35a20430c3537380ef33082f1c56417] Merge remote-tracking branch 'printk/for-next' testing commit fb91ba1dc35a20430c3537380ef33082f1c56417 with gcc (GCC) 8.1.0 run #0: crashed: BUG: corrupted list in unregister_shrinker run #1: crashed: KASAN: slab-out-of-bounds Read in unregister_shrinker run #2: OK run #3: OK run #4: OK run #5: crashed: KASAN: slab-out-of-bounds Read in unregister_shrinker run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad fb91ba1dc35a20430c3537380ef33082f1c56417 Bisecting: 19 revisions left to test after this (roughly 4 steps) [35995fd9d93655f36ee0a296a79b0a095f1028d3] Merge remote-tracking branch 'overlayfs/overlayfs-next' testing commit 35995fd9d93655f36ee0a296a79b0a095f1028d3 with gcc (GCC) 8.1.0 run #0: crashed: KASAN: use-after-free Read in register_shrinker_prepared run #1: crashed: KASAN: slab-out-of-bounds Read in unregister_shrinker run #2: crashed: KASAN: slab-out-of-bounds Read in unregister_shrinker run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 35995fd9d93655f36ee0a296a79b0a095f1028d3 Bisecting: 7 revisions left to test after this (roughly 3 steps) [90f1e4919e9114ae4f43d8bcab5662424d1bef8e] lockd: Show pid of lockd for remote locks testing commit 90f1e4919e9114ae4f43d8bcab5662424d1bef8e with gcc (GCC) 8.1.0 run #0: crashed: KASAN: slab-out-of-bounds Read in unregister_shrinker run #1: crashed: KASAN: use-after-free Read in unregister_shrinker run #2: crashed: KASAN: use-after-free Read in register_shrinker_prepared run #3: crashed: KASAN: use-after-free Read in register_shrinker_prepared run #4: crashed: KASAN: use-after-free Read in unregister_shrinker run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 90f1e4919e9114ae4f43d8bcab5662424d1bef8e Bisecting: 3 revisions left to test after this (roughly 2 steps) [181ae8abae17b8434ecb70ed91364d9a91b2a1c9] nfsd: note inadequate stats locking testing commit 181ae8abae17b8434ecb70ed91364d9a91b2a1c9 with gcc (GCC) 8.1.0 run #0: crashed: KASAN: slab-out-of-bounds Read in unregister_shrinker run #1: crashed: KASAN: use-after-free Read in register_shrinker_prepared run #2: crashed: KASAN: use-after-free Read in unregister_shrinker run #3: crashed: KASAN: use-after-free Read in unregister_shrinker run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 181ae8abae17b8434ecb70ed91364d9a91b2a1c9 Bisecting: 0 revisions left to test after this (roughly 1 step) [db17b61765c2c63b9552d316551550557ff0fcfd] nfsd4: drc containerization testing commit db17b61765c2c63b9552d316551550557ff0fcfd with gcc (GCC) 8.1.0 run #0: crashed: KASAN: use-after-free Read in register_shrinker_prepared run #1: crashed: KASAN: slab-out-of-bounds Read in unregister_shrinker run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad db17b61765c2c63b9552d316551550557ff0fcfd Bisecting: 0 revisions left to test after this (roughly 0 steps) [4f0b1394aaada2d5ef7dcda02fc4b4b8daa2104c] nfsd: don't call nfsd_reply_cache_shutdown twice testing commit 4f0b1394aaada2d5ef7dcda02fc4b4b8daa2104c with gcc (GCC) 8.1.0 all runs: OK # git bisect good 4f0b1394aaada2d5ef7dcda02fc4b4b8daa2104c db17b61765c2c63b9552d316551550557ff0fcfd is the first bad commit commit db17b61765c2c63b9552d316551550557ff0fcfd Author: J. Bruce Fields Date: Fri May 17 09:03:38 2019 -0400 nfsd4: drc containerization The nfsd duplicate reply cache should not be shared between network namespaces. The most straightforward way to fix this is just to move every global in the code to per-net-namespace memory, so that's what we do. Still todo: sort out which members of nfsd_stats should be global and which per-net-namespace. Signed-off-by: J. Bruce Fields :040000 040000 cf1ac68779c089f4313acb433beb38f6e38f001b d64fa0cd1e34d9c460d32bbd8361049330bbf174 M fs revisions tested: 16, total time: 4h41m14.708229734s (build: 1h29m51.849832497s, test: 3h6m33.2222654s) first bad commit: db17b61765c2c63b9552d316551550557ff0fcfd nfsd4: drc containerization cc: ["bfields@fieldses.org" "bfields@redhat.com" "jlayton@kernel.org" "linux-kernel@vger.kernel.org" "linux-nfs@vger.kernel.org"] crash: KASAN: slab-out-of-bounds Read in unregister_shrinker ================================================================== BUG: KASAN: slab-out-of-bounds in __list_del_entry_valid+0xf1/0xf3 lib/list_debug.c:51 Read of size 8 at addr ffff888076713568 by task kworker/u4:3/29 CPU: 0 PID: 29 Comm: kworker/u4:3 Not tainted 5.2.0-rc2+ #1 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: netns cleanup_net Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x113/0x167 lib/dump_stack.c:113 print_address_description.cold.5+0x9/0x1ff mm/kasan/report.c:188 __kasan_report.cold.6+0x1b/0x39 mm/kasan/report.c:317 kasan_report+0x12/0x20 mm/kasan/common.c:614 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132 __list_del_entry_valid+0xf1/0xf3 lib/list_debug.c:51 __list_del_entry include/linux/list.h:117 [inline] list_del include/linux/list.h:125 [inline] unregister_shrinker+0x92/0x2a0 mm/vmscan.c:443 nfsd_reply_cache_shutdown+0x20/0x300 fs/nfsd/nfscache.c:194 nfsd_exit_net+0xee/0x330 fs/nfsd/nfsctl.c:1272 ops_exit_list.isra.5+0x8b/0x120 net/core/net_namespace.c:154 cleanup_net+0x363/0x850 net/core/net_namespace.c:553 process_one_work+0x830/0x16a0 kernel/workqueue.c:2269 worker_thread+0x85/0xb60 kernel/workqueue.c:2415 kthread+0x324/0x3e0 kernel/kthread.c:255 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 Allocated by task 10418: save_stack+0x21/0x90 mm/kasan/common.c:71 set_track mm/kasan/common.c:79 [inline] __kasan_kmalloc.constprop.8+0xc7/0xd0 mm/kasan/common.c:489 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:503 __do_kmalloc mm/slab.c:3660 [inline] __kmalloc+0x15d/0x760 mm/slab.c:3669 kmalloc include/linux/slab.h:552 [inline] kzalloc include/linux/slab.h:742 [inline] __register_sysctl_table+0xaa/0xdf0 fs/proc/proc_sysctl.c:1323 register_net_sysctl+0x10/0x20 net/sysctl_net.c:121 neigh_sysctl_register+0x2f9/0x7e0 net/core/neighbour.c:3692 addrconf_sysctl_register+0x94/0x190 net/ipv6/addrconf.c:6876 ipv6_add_dev+0x822/0xec0 net/ipv6/addrconf.c:447 addrconf_notify+0x4de/0x1f50 net/ipv6/addrconf.c:3492 notifier_call_chain+0x8a/0x160 kernel/notifier.c:95 __raw_notifier_call_chain kernel/notifier.c:396 [inline] raw_notifier_call_chain+0x11/0x20 kernel/notifier.c:403 call_netdevice_notifiers_info+0x28/0x60 net/core/dev.c:1753 call_netdevice_notifiers_extack net/core/dev.c:1765 [inline] call_netdevice_notifiers net/core/dev.c:1779 [inline] register_netdevice+0x8c5/0x1100 net/core/dev.c:8772 __ip_tunnel_create+0x2fb/0x4a0 net/ipv4/ip_tunnel.c:282 ip_tunnel_init_net+0x29e/0x7f0 net/ipv4/ip_tunnel.c:1073 ipgre_tap_init_net+0x1d/0x20 net/ipv4/ip_gre.c:1577 ops_init+0x95/0x370 net/core/net_namespace.c:130 setup_net+0x2c1/0x660 net/core/net_namespace.c:316 copy_net_ns+0x199/0x2a0 net/core/net_namespace.c:439 create_new_namespaces+0x487/0x760 kernel/nsproxy.c:107 unshare_nsproxy_namespaces+0x87/0x1a0 kernel/nsproxy.c:206 ksys_unshare+0x31b/0x710 kernel/fork.c:2692 __do_sys_unshare kernel/fork.c:2760 [inline] __se_sys_unshare kernel/fork.c:2758 [inline] __x64_sys_unshare+0x2c/0x40 kernel/fork.c:2758 do_syscall_64+0xd0/0x530 arch/x86/entry/common.c:301 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 9748: save_stack+0x21/0x90 mm/kasan/common.c:71 set_track mm/kasan/common.c:79 [inline] __kasan_slab_free+0x102/0x150 mm/kasan/common.c:451 kasan_slab_free+0xe/0x10 mm/kasan/common.c:459 __cache_free mm/slab.c:3432 [inline] kfree+0xcf/0x220 mm/slab.c:3755 ops_init+0xa3/0x370 net/core/net_namespace.c:135 setup_net+0x2c1/0x660 net/core/net_namespace.c:316 copy_net_ns+0x199/0x2a0 net/core/net_namespace.c:439 create_new_namespaces+0x487/0x760 kernel/nsproxy.c:107 unshare_nsproxy_namespaces+0x87/0x1a0 kernel/nsproxy.c:206 ksys_unshare+0x31b/0x710 kernel/fork.c:2692 __do_sys_unshare kernel/fork.c:2760 [inline] __se_sys_unshare kernel/fork.c:2758 [inline] __x64_sys_unshare+0x2c/0x40 kernel/fork.c:2758 do_syscall_64+0xd0/0x530 arch/x86/entry/common.c:301 entry_SYSCALL_64_after_hwframe+0x49/0xbe The buggy address belongs to the object at ffff888076713200 which belongs to the cache kmalloc-1k of size 1024 The buggy address is located 872 bytes inside of 1024-byte region [ffff888076713200, ffff888076713600) The buggy address belongs to the page: page:ffffea0001d9c480 refcount:1 mapcount:0 mapping:ffff8880aa400ac0 index:0x0 compound_mapcount: 0 flags: 0x1fffc0000010200(slab|head) raw: 01fffc0000010200 ffffea00028f1a88 ffffea0001e13008 ffff8880aa400ac0 raw: 0000000000000000 ffff888076712000 0000000100000007 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888076713400: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc ffff888076713480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888076713500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff888076713580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888076713600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ==================================================================