ci2 starts bisection 2023-01-24 00:47:36.418479862 +0000 UTC m=+39547.399063260
bisecting fixing commit since b229b6ca5abbd63ff40c1396095b1b36b18139c3
building syzkaller on 2a71366bacf3bf9a3a1a149e631fb15a7d0f2077
ensuring issue is reproducible on original commit b229b6ca5abbd63ff40c1396095b1b36b18139c3
testing commit b229b6ca5abbd63ff40c1396095b1b36b18139c3 gcc
compiler: Debian clang version 13.0.1-6~deb11u1, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: a4e7807b5447a48a504f9da28f84d04194b56762830e8e893c5647acbfd6d13c
run #0: crashed: KASAN: use-after-free Read in __mark_inode_dirty
run #1: crashed: KASAN: use-after-free Read in __mark_inode_dirty
run #2: crashed: KASAN: use-after-free Read in move_expired_inodes
run #3: crashed: KASAN: use-after-free Read in __mark_inode_dirty
run #4: crashed: KASAN: use-after-free Read in __mark_inode_dirty
run #5: crashed: KASAN: use-after-free Read in __mark_inode_dirty
run #6: crashed: KASAN: use-after-free Read in move_expired_inodes
run #7: crashed: KASAN: use-after-free Read in __mark_inode_dirty
run #8: crashed: KASAN: use-after-free Read in __mark_inode_dirty
run #9: crashed: KASAN: use-after-free Read in move_expired_inodes
run #10: crashed: KASAN: use-after-free Read in move_expired_inodes
run #11: crashed: KASAN: use-after-free Read in __mark_inode_dirty
run #12: crashed: KASAN: use-after-free Read in __mark_inode_dirty
run #13: crashed: KASAN: use-after-free Read in move_expired_inodes
run #14: crashed: KASAN: use-after-free Read in move_expired_inodes
run #15: crashed: KASAN: use-after-free Read in move_expired_inodes
run #16: crashed: KASAN: use-after-free Read in move_expired_inodes
run #17: crashed: KASAN: use-after-free Read in move_expired_inodes
run #18: crashed: KASAN: use-after-free Read in move_expired_inodes
run #19: crashed: KASAN: use-after-free Read in move_expired_inodes
testing current HEAD 7bf70dbb18820b37406fdfa2aaf14c2f5c71a11a
testing commit 7bf70dbb18820b37406fdfa2aaf14c2f5c71a11a gcc
compiler: Debian clang version 13.0.1-6~deb11u1, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: ab9e3921fadbbb15ce248ba77acf24168b2e0d8fb42f545c6785a25587028bdd
run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: exit status NUM
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect start 7bf70dbb18820b37406fdfa2aaf14c2f5c71a11a b229b6ca5abbd63ff40c1396095b1b36b18139c3
Bisecting: 9082 revisions left to test after this (roughly 13 steps)
[86a0b4255e84563739d137ad374af6c7215bb3ff] Merge tag 'input-for-v6.2-rc0' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input
testing commit 86a0b4255e84563739d137ad374af6c7215bb3ff gcc
compiler: Debian clang version 13.0.1-6~deb11u1, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 63ef1a21e027c3195cc65bba6c21d9e1d5e06cfce708c46954f7eecfcdae641c
run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: failed to write control pipe: write |NUM: broken pipe
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 86a0b4255e84563739d137ad374af6c7215bb3ff
Bisecting: 4539 revisions left to test after this (roughly 12 steps)
[40deb5e41ac783d49371940581db2ae108a754d1] Merge tag 'x86_fpu_for_6.2' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
testing commit 40deb5e41ac783d49371940581db2ae108a754d1 gcc
compiler: Debian clang version 13.0.1-6~deb11u1, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: bb09b8395fc22b90fd2926feac2a6f46d8aa927e290fcc64be33e21c82d0d828
all runs: OK
# git bisect bad 40deb5e41ac783d49371940581db2ae108a754d1
Bisecting: 2289 revisions left to test after this (roughly 11 steps)
[830b3c68c1fb1e9176028d02ef86f3cf76aa2476] Linux 6.1
testing commit 830b3c68c1fb1e9176028d02ef86f3cf76aa2476 gcc
compiler: Debian clang version 13.0.1-6~deb11u1, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: e9617ee87b167570f156b544ccccf8c575bb110e4da821c9de3667970916d896
all runs: OK
# git bisect bad 830b3c68c1fb1e9176028d02ef86f3cf76aa2476
Bisecting: 1119 revisions left to test after this (roughly 10 steps)
[af7a056891899fd3942afec79fb219f58271e319] Merge tag 'mips-fixes_6.1_1' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux
testing commit af7a056891899fd3942afec79fb219f58271e319 gcc
compiler: Debian clang version 13.0.1-6~deb11u1, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: baa73026caa9e441d05f9e2417d11f7fa1b5bc8fd7cabd88803b3fc4a7e17d03
run #0: crashed: KASAN: use-after-free Read in __mark_inode_dirty
run #1: crashed: KASAN: use-after-free Read in __mark_inode_dirty
run #2: crashed: KASAN: use-after-free Read in __mark_inode_dirty
run #3: crashed: KASAN: use-after-free Read in __mark_inode_dirty
run #4: crashed: KASAN: use-after-free Read in __mark_inode_dirty
run #5: crashed: KASAN: use-after-free Read in __mark_inode_dirty
run #6: crashed: KASAN: use-after-free Read in __mark_inode_dirty
run #7: crashed: KASAN: use-after-free Read in __mark_inode_dirty
run #8: crashed: KASAN: use-after-free Read in move_expired_inodes
run #9: crashed: KASAN: use-after-free Read in __mark_inode_dirty
# git bisect good af7a056891899fd3942afec79fb219f58271e319
Bisecting: 543 revisions left to test after this (roughly 9 steps)
[6fe0e074e76985c7be3eaa7a8fd51401a8999cae] Merge tag 'drm-fixes-2022-11-25' of git://anongit.freedesktop.org/drm/drm
testing commit 6fe0e074e76985c7be3eaa7a8fd51401a8999cae gcc
compiler: Debian clang version 13.0.1-6~deb11u1, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: f06eaa5093913b14202d0414207899d6d512c973726a584e4314b9ca5612ea26
all runs: OK
# git bisect bad 6fe0e074e76985c7be3eaa7a8fd51401a8999cae
Bisecting: 288 revisions left to test after this (roughly 8 steps)
[f4408c3dfcbcc7669caa48786973e88635f3d5e8] Merge tag 'block-6.1-2022-11-18' of git://git.kernel.dk/linux
testing commit f4408c3dfcbcc7669caa48786973e88635f3d5e8 gcc
compiler: Debian clang version 13.0.1-6~deb11u1, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 4096a3d9573ad2b7c4c1151b8f160776c47471441c31f1bb3f291025e84a9b5c
run #0: crashed: KASAN: use-after-free Read in __mark_inode_dirty
run #1: crashed: KASAN: use-after-free Read in __mark_inode_dirty
run #2: crashed: KASAN: use-after-free Read in __mark_inode_dirty
run #3: crashed: KASAN: use-after-free Read in move_expired_inodes
run #4: crashed: KASAN: use-after-free Read in __mark_inode_dirty
run #5: crashed: KASAN: use-after-free Read in __mark_inode_dirty
run #6: crashed: KASAN: use-after-free Read in __mark_inode_dirty
run #7: crashed: KASAN: use-after-free Read in __mark_inode_dirty
run #8: crashed: KASAN: use-after-free Read in __mark_inode_dirty
run #9: crashed: KASAN: use-after-free Read in move_expired_inodes
# git bisect good f4408c3dfcbcc7669caa48786973e88635f3d5e8
Bisecting: 142 revisions left to test after this (roughly 7 steps)
[cd89db60e22824b82f9458753fa6cb770cca8bde] Merge tag 'soc-fixes-6.1-4' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc
testing commit cd89db60e22824b82f9458753fa6cb770cca8bde gcc
compiler: Debian clang version 13.0.1-6~deb11u1, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: a1818f8d575e34c4d9a2d3499486044902f86eff70ed430aa3171dd0b80cde22
all runs: OK
# git bisect bad cd89db60e22824b82f9458753fa6cb770cca8bde
Bisecting: 76 revisions left to test after this (roughly 6 steps)
[5239ddeb4872390856bb79655dba85350936681e] Merge tag 'trace-v6.1-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace
testing commit 5239ddeb4872390856bb79655dba85350936681e gcc
compiler: Debian clang version 13.0.1-6~deb11u1, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 7eb2ce5a4285d983f47688a5c483caf9299a78a30db9e3ffe78e080f69d29009
all runs: crashed: KASAN: use-after-free Read in __mark_inode_dirty
# git bisect good 5239ddeb4872390856bb79655dba85350936681e
Bisecting: 37 revisions left to test after this (roughly 5 steps)
[b11266ac91f2d0afc154cdcfc7d7d58fd393fc4a] Merge tag 'for-linus' of git://git.armlinux.org.uk/~rmk/linux-arm
testing commit b11266ac91f2d0afc154cdcfc7d7d58fd393fc4a gcc
compiler: Debian clang version 13.0.1-6~deb11u1, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 788cf5e8b6366b45d9c923fd0fd264ef4e7d0fa663c3f7d337f9162f533297c7
all runs: OK
# git bisect bad b11266ac91f2d0afc154cdcfc7d7d58fd393fc4a
Bisecting: 17 revisions left to test after this (roughly 4 steps)
[4312098baf37ee17a8350725e6e0d0e8590252d4] Merge tag 'spi-fix-v6.1-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi
testing commit 4312098baf37ee17a8350725e6e0d0e8590252d4 gcc
compiler: Debian clang version 13.0.1-6~deb11u1, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 5b2f75059d4498c5f4ca8be0c6fa0b8af8a40a1b3ce354367b85480ed9992234
run #0: crashed: KASAN: use-after-free Read in __mark_inode_dirty
run #1: crashed: KASAN: use-after-free Read in __mark_inode_dirty
run #2: crashed: KASAN: use-after-free Read in move_expired_inodes
run #3: crashed: KASAN: use-after-free Read in __mark_inode_dirty
run #4: crashed: KASAN: use-after-free Read in __mark_inode_dirty
run #5: crashed: KASAN: use-after-free Read in __mark_inode_dirty
run #6: crashed: KASAN: use-after-free Read in __mark_inode_dirty
run #7: crashed: KASAN: use-after-free Read in __mark_inode_dirty
run #8: crashed: KASAN: use-after-free Read in __mark_inode_dirty
run #9: crashed: KASAN: use-after-free Read in __mark_inode_dirty
# git bisect good 4312098baf37ee17a8350725e6e0d0e8590252d4
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[fa0e381290b134da53e65fb421b65825f23221b4] docs/zh_CN/LoongArch: Fix wrong description of FPRs Note
testing commit fa0e381290b134da53e65fb421b65825f23221b4 gcc
compiler: Debian clang version 13.0.1-6~deb11u1, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 578e1d04d8dcda5e1d2aa7a9107bb81bb61836d93e02fbc30498d014da509d42
run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: failed to write control pipe: write |NUM: broken pipe
run #1: crashed: KASAN: use-after-free Read in __mark_inode_dirty
run #2: crashed: KASAN: use-after-free Read in __mark_inode_dirty
run #3: crashed: KASAN: use-after-free Read in __mark_inode_dirty
run #4: crashed: KASAN: use-after-free Read in move_expired_inodes
run #5: crashed: KASAN: use-after-free Read in __mark_inode_dirty
run #6: crashed: KASAN: use-after-free Read in __mark_inode_dirty
run #7: crashed: KASAN: use-after-free Read in __mark_inode_dirty
run #8: crashed: KASAN: use-after-free Read in __mark_inode_dirty
run #9: crashed: KASAN: use-after-free Read in __mark_inode_dirty
# git bisect good fa0e381290b134da53e65fb421b65825f23221b4
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[6fd2152fd1ff9a5ea488674a97af396e4047eaed] Merge tag 'ext4_for_linus_stable2' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4
testing commit 6fd2152fd1ff9a5ea488674a97af396e4047eaed gcc
compiler: Debian clang version 13.0.1-6~deb11u1, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 4b2f1b79641e02fdf4247a314ed4d317f06067a3bad828a03bf99e4b63250165
all runs: OK
# git bisect bad 6fd2152fd1ff9a5ea488674a97af396e4047eaed
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[c3eb11fbb826879be773c137f281569efce67aa8] Merge tag 'pci-v6.1-fixes-3' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci
testing commit c3eb11fbb826879be773c137f281569efce67aa8 gcc
compiler: Debian clang version 13.0.1-6~deb11u1, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 578493f920d93b0a2ab0f2df4edd49a6e5e1295fc66ae539f6dfd5a9ea449aaf
all runs: crashed: KASAN: use-after-free Read in __mark_inode_dirty
# git bisect good c3eb11fbb826879be773c137f281569efce67aa8
Bisecting: 0 revisions left to test after this (roughly 1 step)
[4e3c51f4e805291b057d12f5dda5aeb50a538dc4] fs: do not update freeing inode i_io_list
testing commit 4e3c51f4e805291b057d12f5dda5aeb50a538dc4 gcc
compiler: Debian clang version 13.0.1-6~deb11u1, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: a8913e7d25d6669a99177aa8e2c8a9d564aabbce18e5d3be7660247561ff16ba
all runs: OK
# git bisect bad 4e3c51f4e805291b057d12f5dda5aeb50a538dc4
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[f6b1a1cf1c3ee430d3f5e47847047ce789a690aa] ext4: fix use-after-free in ext4_ext_shift_extents
testing commit f6b1a1cf1c3ee430d3f5e47847047ce789a690aa gcc
compiler: Debian clang version 13.0.1-6~deb11u1, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 48e0f3ade266a6db8c899fac6f1f4447e670785421cc2d9ebc2c271c0ed33f23
run #0: crashed: KASAN: use-after-free Read in move_expired_inodes
run #1: crashed: KASAN: use-after-free Read in __mark_inode_dirty
run #2: crashed: KASAN: use-after-free Read in move_expired_inodes
run #3: crashed: KASAN: use-after-free Read in move_expired_inodes
run #4: crashed: KASAN: use-after-free Read in move_expired_inodes
run #5: crashed: KASAN: use-after-free Read in __mark_inode_dirty
run #6: crashed: KASAN: use-after-free Read in __mark_inode_dirty
run #7: crashed: KASAN: use-after-free Read in __mark_inode_dirty
run #8: crashed: KASAN: use-after-free Read in __mark_inode_dirty
run #9: crashed: KASAN: use-after-free Read in __mark_inode_dirty
# git bisect good f6b1a1cf1c3ee430d3f5e47847047ce789a690aa
4e3c51f4e805291b057d12f5dda5aeb50a538dc4 is the first bad commit
commit 4e3c51f4e805291b057d12f5dda5aeb50a538dc4
Author: Svyatoslav Feldsherov
Date: Tue Nov 15 20:20:01 2022 +0000

    fs: do not update freeing inode i_io_list

    After commit cbfecb927f42 ("fs: record I_DIRTY_TIME even if inode
    already has I_DIRTY_INODE") writeback_single_inode can push inode with
    I_DIRTY_TIME set to b_dirty_time list. In case of freeing inode with
    I_DIRTY_TIME set this can happen after deletion of inode from i_io_list
    at evict. Stack trace is following.

    evict
    fat_evict_inode
    fat_truncate_blocks
    fat_flush_inodes
    writeback_inode
    sync_inode_metadata(inode, sync=0)
    writeback_single_inode(inode, wbc) <- wbc->sync_mode == WB_SYNC_NONE

    This will lead to use after free in flusher thread.

    Similar issue can be triggered if writeback_single_inode in the
    stack trace update inode->i_io_list. Add explicit check to avoid it.

    Fixes: cbfecb927f42 ("fs: record I_DIRTY_TIME even if inode already has I_DIRTY_INODE")
    Reported-by: syzbot+6ba92bd00d5093f7e371@syzkaller.appspotmail.com
    Reviewed-by: Jan Kara
    Signed-off-by: Svyatoslav Feldsherov
    Link: https://lore.kernel.org/r/20221115202001.324188-1-feldsherov@google.com
    Signed-off-by: Theodore Ts'o

 fs/fs-writeback.c | 30 +++++++++++++++++++-----------
 1 file changed, 19 insertions(+), 11 deletions(-)
culprit signature: a8913e7d25d6669a99177aa8e2c8a9d564aabbce18e5d3be7660247561ff16ba
parent signature: 48e0f3ade266a6db8c899fac6f1f4447e670785421cc2d9ebc2c271c0ed33f23
revisions tested: 17, total time: 8h8m24.747348214s (build: 5h41m57.710836162s, test: 2h9m36.887327867s)
first good commit: 4e3c51f4e805291b057d12f5dda5aeb50a538dc4 fs: do not update freeing inode i_io_list
recipients (to): ["feldsherov@google.com" "jack@suse.cz" "tytso@mit.edu"]
recipients (cc): []