ci starts bisection 2024-07-17 17:25:46.971980348 +0000 UTC m=+11614.170717771
bisecting cause commit starting from 51835949dda3783d4639cfa74ce13a3c9829de00
building syzkaller on 215bec2d0092e093aeaa7baeea4b670277102694
ensuring issue is reproducible on original commit 51835949dda3783d4639cfa74ce13a3c9829de00

testing commit 51835949dda3783d4639cfa74ce13a3c9829de00 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e4dc463dbaad0c35eea13bcf1aacd304f7d17c17cfb8fd3f355c242276ed0306
all runs: crashed: WARNING: lock held when returning to user space in ns_ioctl
representative crash: WARNING: lock held when returning to user space in ns_ioctl, types: [LOCKDEP]
check whether we can drop unnecessary instrumentation
disabling configs for [UBSAN BUG KASAN ATOMIC_SLEEP HANG LEAK], they are not needed
testing commit 51835949dda3783d4639cfa74ce13a3c9829de00 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 11d4caefdd12d65cda88ffc0468137abd240fa35593e88e7bc937e3a419d2442
all runs: crashed: WARNING: lock held when returning to user space in ns_ioctl
representative crash: WARNING: lock held when returning to user space in ns_ioctl, types: [LOCKDEP]
the bug reproduces without the instrumentation
disabling configs for [KASAN ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
kconfig minimization: base=3993 full=8044 leaves diff=2007
split chunks (needed=false): <2007>
split chunk #0 of len 2007 into 5 parts
testing without sub-chunk 1/5
disabling configs for [UBSAN BUG KASAN ATOMIC_SLEEP HANG LEAK], they are not needed
testing commit 51835949dda3783d4639cfa74ce13a3c9829de00 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 403be28223211626f47dfe41240cddbe5d172df38384783bf826abae0eff344c
all runs: crashed: WARNING: lock held when returning to user space in ns_ioctl
representative crash: WARNING: lock held when returning to user space in ns_ioctl, types: [LOCKDEP]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [UBSAN BUG KASAN ATOMIC_SLEEP HANG LEAK], they are not needed
testing commit 51835949dda3783d4639cfa74ce13a3c9829de00 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 9d5a3ca858e5f4fe6c8c092ece7b133ea5fe4789316ebb4be4f25d4da91266e1
all runs: crashed: WARNING: lock held when returning to user space in ns_ioctl
representative crash: WARNING: lock held when returning to user space in ns_ioctl, types: [LOCKDEP]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [HANG LEAK UBSAN BUG KASAN ATOMIC_SLEEP], they are not needed
testing commit 51835949dda3783d4639cfa74ce13a3c9829de00 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f400268254b5a639b1f2ee20e00f62020b4ef6ea812687ad21ce1527c1669a72
all runs: crashed: WARNING: lock held when returning to user space in ns_ioctl
representative crash: WARNING: lock held when returning to user space in ns_ioctl, types: [LOCKDEP]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [LEAK UBSAN BUG KASAN ATOMIC_SLEEP HANG], they are not needed
testing commit 51835949dda3783d4639cfa74ce13a3c9829de00 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d0a454fe98c71540f8815500bf4718c13e4d7dd7ee891fcf07f5d5f10844d699
all runs: crashed: WARNING: lock held when returning to user space in ns_ioctl
representative crash: WARNING: lock held when returning to user space in ns_ioctl, types: [LOCKDEP]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG KASAN], they are not needed
testing commit 51835949dda3783d4639cfa74ce13a3c9829de00 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: fb40162e7356922304e78a8223ac43d8127ca51b60639d46ad3b1fe1ca409cdb
all runs: crashed: WARNING: lock held when returning to user space in ns_ioctl
representative crash: WARNING: lock held when returning to user space in ns_ioctl, types: [LOCKDEP]
the chunk can be dropped
disabling configs for [KASAN ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
picked [v6.10 v6.9 v6.8 v6.6 v6.4 v6.2 v6.0 v5.18 v5.15 v5.12 v5.9 v5.6 v5.3 v5.0 v4.19] out of 33 release tags
testing release v6.10
testing commit 0c3836482481200ead7b416ca80c68a29cfdaabd gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 21e19600e759e15bc9c49cb373ff1f49124d45b7fa091e7c41460b2a3f2d015a
all runs: OK
false negative chance: 0.000
# git bisect start 51835949dda3783d4639cfa74ce13a3c9829de00 0c3836482481200ead7b416ca80c68a29cfdaabd
Bisecting: 2238 revisions left to test after this (roughly 11 steps)
[e3950967f6e6b74a3606739ec50ed19f3398c7d8] Merge tag 'soc-dt-6.11' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc
testing commit e3950967f6e6b74a3606739ec50ed19f3398c7d8 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 4027de32b1a4c986e4ae548544ac5d2f6ba54912dd0abc5f51b60717bbf1c6f4
all runs: crashed: WARNING: lock held when returning to user space in ns_ioctl
representative crash: WARNING: lock held when returning to user space in ns_ioctl, types: [LOCKDEP]
# git bisect bad e3950967f6e6b74a3606739ec50ed19f3398c7d8
Bisecting: 1121 revisions left to test after this (roughly 10 steps)
[1d86d352411dab9bf9312c9eb4b2d4020195be45] Merge tag 'x86_build_for_v6.11_rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
testing commit 1d86d352411dab9bf9312c9eb4b2d4020195be45 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 376e10990bd9cca38a3487021a284f5ce248d839e28afddee7ed9740b6f7574a
all runs: crashed: WARNING: lock held when returning to user space in ns_ioctl
representative crash: WARNING: lock held when returning to user space in ns_ioctl, types: [LOCKDEP]
# git bisect bad 1d86d352411dab9bf9312c9eb4b2d4020195be45
Bisecting: 556 revisions left to test after this (roughly 9 steps)
[bbb3556c014dc8ed1645b725ad84477603553743] Merge tag 'keys-next-6.11-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd
testing commit bbb3556c014dc8ed1645b725ad84477603553743 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f3437b84a4202785be5890f8289c1d4ddc20c2011762c031019a5fbc607d38eb
all runs: crashed: WARNING: lock held when returning to user space in ns_ioctl
representative crash: WARNING: lock held when returning to user space in ns_ioctl, types: [LOCKDEP]
# git bisect bad bbb3556c014dc8ed1645b725ad84477603553743
Bisecting: 341 revisions left to test after this (roughly 8 steps)
[3c1743a685b19bc17cf65af4a2eb149fd3b15c50] floppy: add missing MODULE_DESCRIPTION() macro
testing commit 3c1743a685b19bc17cf65af4a2eb149fd3b15c50 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 4a6ae5a9ac82d6e8380903ef3191b11060e7bf5168ff285dcb61fafeff92e3da
all runs: OK
false negative chance: 0.000
# git bisect good 3c1743a685b19bc17cf65af4a2eb149fd3b15c50
Bisecting: 179 revisions left to test after this (roughly 8 steps)
[4f5e249ec0ea8872e1644df23cffffbe28007188] Merge tag 'vfs-6.11.iomap' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs
testing commit 4f5e249ec0ea8872e1644df23cffffbe28007188 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 05bafadb6ad0d1215e935d6d077270382723acc6d066389043f94b95aeb1cef3
all runs: crashed: WARNING: lock held when returning to user space in ns_ioctl
representative crash: WARNING: lock held when returning to user space in ns_ioctl, types: [LOCKDEP]
# git bisect bad 4f5e249ec0ea8872e1644df23cffffbe28007188
Bisecting: 87 revisions left to test after this (roughly 6 steps)
[aff31330e037f75de7820bc7deb494eeaeaadd35] Merge tag 'vfs-6.11.pg_error' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs
testing commit aff31330e037f75de7820bc7deb494eeaeaadd35 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 97d69c48637d38ba3a69d3785c27ad8a8280e3248b93945fa5e2962e3e160aa2
all runs: OK
false negative chance: 0.000
# git bisect good aff31330e037f75de7820bc7deb494eeaeaadd35
Bisecting: 44 revisions left to test after this (roughly 6 steps)
[b8fc1bd73a5a12e48f9fd2e7ccea60cadf718c93] Merge tag 'vfs-6.11.mount.api' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs
testing commit b8fc1bd73a5a12e48f9fd2e7ccea60cadf718c93 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 0866872677de5bc250099f2662595a6296fa14803a4759ec248e384a601b67f9
all runs: OK
false negative chance: 0.000
# git bisect good b8fc1bd73a5a12e48f9fd2e7ccea60cadf718c93
Bisecting: 22 revisions left to test after this (roughly 5 steps)
[4bed843b10004d9101b49ac7270131051c39a92b] fs: reject invalid last mount id early
testing commit 4bed843b10004d9101b49ac7270131051c39a92b gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 85b7a7741a960b47e08f60c6964c5275ee1f6484d7d2c3d288a131417ca36225
all runs: OK
false negative chance: 0.000
# git bisect good 4bed843b10004d9101b49ac7270131051c39a92b
Bisecting: 10 revisions left to test after this (roughly 4 steps)
[1b074abe885f43b2c207b5e748ffa60604dbc020] Merge tag 'vfs-6.11.nsfs' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs
testing commit 1b074abe885f43b2c207b5e748ffa60604dbc020 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: fb33ce7756b912595abab55558584c63d51cb4fcd4a7fab246509c6cfdff393c
all runs: crashed: WARNING: lock held when returning to user space in ns_ioctl
representative crash: WARNING: lock held when returning to user space in ns_ioctl, types: [LOCKDEP]
# git bisect bad 1b074abe885f43b2c207b5e748ffa60604dbc020
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[267574dee6ae0da68f5b454a30ff276d45976cf8] bcachefs: remove now spurious i_state initialization
testing commit 267574dee6ae0da68f5b454a30ff276d45976cf8 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: a4e4aa157f8d8dfd94898641ce66ec907e1151c2c1d0a3c5290419325f48c45a
all runs: OK
false negative chance: 0.000
# git bisect good 267574dee6ae0da68f5b454a30ff276d45976cf8
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[2aae1d67fd1d9070f8f23a6e7d9a7a093cf35fbb] Merge tag 'vfs-6.11.inode' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs
testing commit 2aae1d67fd1d9070f8f23a6e7d9a7a093cf35fbb gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: b88511e7821b2c027c18e22239689bbb6c7038f9424421ea5bcf4bd4e093c95b
all runs: OK
false negative chance: 0.000
# git bisect good 2aae1d67fd1d9070f8f23a6e7d9a7a093cf35fbb
Bisecting: 1 revision left to test after this (roughly 1 step)
[ca567df74a28a9fb368c6b2d93e864113f73f5c2] nsfs: add pid translation ioctls
testing commit ca567df74a28a9fb368c6b2d93e864113f73f5c2 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ea17acaf959db02cc635921317465383dfbd7a36d2a88092836f18ca5a007065
all runs: crashed: WARNING: lock held when returning to user space in ns_ioctl
representative crash: WARNING: lock held when returning to user space in ns_ioctl, types: [LOCKDEP]
# git bisect bad ca567df74a28a9fb368c6b2d93e864113f73f5c2
ca567df74a28a9fb368c6b2d93e864113f73f5c2 is the first bad commit
commit ca567df74a28a9fb368c6b2d93e864113f73f5c2
Author: Christian Brauner
Date: Sun Jun 7 22:47:08 2020 +0200

    nsfs: add pid translation ioctls

    Add ioctl()s to translate pids between pid namespaces.

    LXCFS is a tiny fuse filesystem used to virtualize various aspects of
    procfs. LXCFS is run on the host. The files and directories it creates
    can be bind-mounted by e.g. a container at startup and mounted over the
    various procfs files the container wishes to have virtualized. When e.g.
    a read request for uptime is received, LXCFS will receive the pid of the
    reader. In order to virtualize the corresponding read, LXCFS needs to
    know the pid of the init process of the reader's pid namespace. In order
    to do this, LXCFS first needs to fork() two helper processes. The first
    helper process setns() to the reader's pid namespace. The second helper
    process is needed to create a process that is a proper member of the pid
    namespace. The second helper process then creates a ucred message with
    ucred.pid set to 1 and sends it back to LXCFS. The kernel will translate
    the ucred.pid field to the corresponding pid number in LXCFS's pid
    namespace. This way LXCFS can learn the init pid number of the reader's
    pid namespace and can go on to virtualize. Since these two forks() are
    costly, LXCFS maintains an init pid cache that caches a given pid for a
    fixed amount of time. The cache is pruned during new read requests.
    However, even with the cache the hit of the two forks() is significant
    when a very large number of containers are running.

    With this simple patch we add an ns ioctl that lets a caller retrieve
    the init pid nr of a pid namespace through its pid namespace fd. This
    significantly improves performance with a very simple change.

    Support translation of pids and tgids. Other concepts can be added but
    there are no obvious users for this right now.

    To protect against races pidfds can be used to check whether the process
    is still valid. If needed, this can also be extended to work on pidfds
    directly.

    Link: https://lore.kernel.org/r/20240619-work-ns_ioctl-v1-1-7c0097e6bb6b@kernel.org
    Reviewed-by: Alexander Mikhalitsyn
    Signed-off-by: Christian Brauner

 fs/nsfs.c                 | 53 ++++++++++++++++++++++++++++++++++++++++++++++-
 include/uapi/linux/nsfs.h |  8 +++++++
 2 files changed, 60 insertions(+), 1 deletion(-)

accumulated error probability: 0.00
parent commit 1613e604df0cd359cf2a7fbd9be7a0bcfacfabd0 wasn't tested
testing commit 1613e604df0cd359cf2a7fbd9be7a0bcfacfabd0 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: a7dee464b94092a4a104ae96471fa4477af27ffb3ec917aa51af84917450d92e
culprit signature: ea17acaf959db02cc635921317465383dfbd7a36d2a88092836f18ca5a007065
parent signature: a7dee464b94092a4a104ae96471fa4477af27ffb3ec917aa51af84917450d92e
revisions tested: 20, total time: 6h28m35.144299824s (build: 4h8m22.460859686s, test: 2h6m19.904809628s)
first bad commit: ca567df74a28a9fb368c6b2d93e864113f73f5c2 nsfs: add pid translation ioctls
recipients (to): ["aleksandr.mikhalitsyn@canonical.com" "brauner@kernel.org" "linux-kernel@vger.kernel.org"]
recipients (cc): ["brauner@kernel.org" "jack@suse.cz" "linux-fsdevel@vger.kernel.org" "viro@zeniv.linux.org.uk"]
crash: WARNING: lock held when returning to user space in ns_ioctl
================================================
WARNING: lock held when returning to user space!
6.10.0-rc1-syzkaller #0 Not tainted
------------------------------------------------
syz.0.15/2801 is leaving the kernel with locks still held!
1 lock held by syz.0.15/2801:
 #0: ffffffff82775290 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:329 [inline]
 #0: ffffffff82775290 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:781 [inline]
 #0: ffffffff82775290 (rcu_read_lock){....}-{1:2}, at: ns_ioctl+0x77/0x3b0 fs/nsfs.c:163