bisecting cause commit starting from ed2393ca091048fa9711f4e8ab17ce52856e6412 building syzkaller on fd37b39ea8db38458059092f5f94b582392e8922 testing commit ed2393ca091048fa9711f4e8ab17ce52856e6412 with gcc (GCC) 8.1.0 all runs: crashed: WARNING in kfree testing release v5.2 testing commit 0ecfebd2b52404ae0c54a878c872bb93363ada36 with gcc (GCC) 8.1.0 all runs: OK # git bisect start ed2393ca091048fa9711f4e8ab17ce52856e6412 v5.2 Bisecting: 12307 revisions left to test after this (roughly 14 steps) [9a2f97bb8ddddbf655ce1fcdf688dcec19deb59f] Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf testing commit 9a2f97bb8ddddbf655ce1fcdf688dcec19deb59f with gcc (GCC) 8.1.0 all runs: OK # git bisect good 9a2f97bb8ddddbf655ce1fcdf688dcec19deb59f Bisecting: 6560 revisions left to test after this (roughly 13 steps) [fdb65fd6132d8ba299356ba52c9bbb49f9ba6e8c] Merge remote-tracking branch 'rdma/for-next' testing commit fdb65fd6132d8ba299356ba52c9bbb49f9ba6e8c with gcc (GCC) 8.1.0 all runs: crashed: WARNING in kfree # git bisect bad fdb65fd6132d8ba299356ba52c9bbb49f9ba6e8c Bisecting: 2871 revisions left to test after this (roughly 12 steps) [94a76d9b525c2dd81af2a98e26fe01f99b20727d] Merge tag 'for-linus-5.3-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rw/ubifs testing commit 94a76d9b525c2dd81af2a98e26fe01f99b20727d with gcc (GCC) 8.1.0 all runs: OK # git bisect good 94a76d9b525c2dd81af2a98e26fe01f99b20727d Bisecting: 1408 revisions left to test after this (roughly 11 steps) [1d40fc503e2ded06b3c5afa62cf0e6172ceceede] Merge remote-tracking branch 'xtensa/xtensa-for-next' testing commit 1d40fc503e2ded06b3c5afa62cf0e6172ceceede with gcc (GCC) 8.1.0 all runs: OK # git bisect good 1d40fc503e2ded06b3c5afa62cf0e6172ceceede Bisecting: 675 revisions left to test after this (roughly 10 steps) [77fdc06bd725d91aa0a9166dd7aa40e186b3272e] Merge remote-tracking branch 'hid/for-next' testing commit 77fdc06bd725d91aa0a9166dd7aa40e186b3272e with gcc (GCC) 8.1.0 all runs: crashed: WARNING in kfree # git bisect bad 77fdc06bd725d91aa0a9166dd7aa40e186b3272e Bisecting: 369 revisions left to test after this (roughly 9 steps) [1303f71826974277ab87c47e3a8fd296fc6f5122] Merge remote-tracking branch 'nfs-anna/linux-next' testing commit 1303f71826974277ab87c47e3a8fd296fc6f5122 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 1303f71826974277ab87c47e3a8fd296fc6f5122 Bisecting: 184 revisions left to test after this (roughly 8 steps) [f5a9f36f8be74bec5b23805bc6806663a037fc55] Merge branch 'for-5.3/upstream-fixes' into for-next testing commit f5a9f36f8be74bec5b23805bc6806663a037fc55 with gcc (GCC) 8.1.0 all runs: OK # git bisect good f5a9f36f8be74bec5b23805bc6806663a037fc55 Bisecting: 98 revisions left to test after this (roughly 7 steps) [c29b6a379c505786c6c69110187402755119f1d8] Merge remote-tracking branch 'printk/for-next' testing commit c29b6a379c505786c6c69110187402755119f1d8 with gcc (GCC) 8.1.0 all runs: crashed: WARNING in kfree # git bisect bad c29b6a379c505786c6c69110187402755119f1d8 Bisecting: 44 revisions left to test after this (roughly 6 steps) [a6b74db0e130ca7d706af8f7105287ab29731493] Merge remote-tracking branch 'file-locks/locks-next' testing commit a6b74db0e130ca7d706af8f7105287ab29731493 with gcc (GCC) 8.1.0 all runs: OK # git bisect good a6b74db0e130ca7d706af8f7105287ab29731493 Bisecting: 22 revisions left to test after this (roughly 5 steps) [8448dbedbfac207a39564dd63d43e24139668204] vfs: Convert squashfs to use the new mount API testing commit 8448dbedbfac207a39564dd63d43e24139668204 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 8448dbedbfac207a39564dd63d43e24139668204 Bisecting: 11 revisions left to test after this (roughly 4 steps) [0dac63fad4fdea16a473b4fd30b2991560799a1c] devtmpfs options can't be a string literal ;-/ testing commit 0dac63fad4fdea16a473b4fd30b2991560799a1c with gcc (GCC) 8.1.0 all runs: crashed: BUG: sleeping function called from invalid context in __do_page_fault # git bisect bad 0dac63fad4fdea16a473b4fd30b2991560799a1c Bisecting: 5 revisions left to test after this (roughly 3 steps) [7708e1567633e9e5ed997f87a8e9111d67898d7d] vfs: Convert pstore to use the new mount API testing commit 7708e1567633e9e5ed997f87a8e9111d67898d7d with gcc (GCC) 8.1.0 all runs: crashed: BUG: sleeping function called from invalid context in __do_page_fault # git bisect bad 7708e1567633e9e5ed997f87a8e9111d67898d7d Bisecting: 2 revisions left to test after this (roughly 1 step) [1c1a86b87eb1bb61153877232fdf9df8953568b5] vfs: Add a single-or-reconfig keying to vfs_get_super() testing commit 1c1a86b87eb1bb61153877232fdf9df8953568b5 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 1c1a86b87eb1bb61153877232fdf9df8953568b5 Bisecting: 0 revisions left to test after this (roughly 1 step) [67782f8ae1483d6a69730eb940d34ecb4055a6d5] vfs: Convert tracefs to use the new mount API testing commit 67782f8ae1483d6a69730eb940d34ecb4055a6d5 with gcc (GCC) 8.1.0 all runs: crashed: BUG: sleeping function called from invalid context in __do_page_fault # git bisect bad 67782f8ae1483d6a69730eb940d34ecb4055a6d5 Bisecting: 0 revisions left to test after this (roughly 0 steps) [3deadeebafcec6a0a7c9397bd32ea5ac6d5191c1] vfs: Convert debugfs to use the new mount API testing commit 3deadeebafcec6a0a7c9397bd32ea5ac6d5191c1 with gcc (GCC) 8.1.0 all runs: crashed: BUG: sleeping function called from invalid context in __do_page_fault # git bisect bad 3deadeebafcec6a0a7c9397bd32ea5ac6d5191c1 3deadeebafcec6a0a7c9397bd32ea5ac6d5191c1 is the first bad commit commit 3deadeebafcec6a0a7c9397bd32ea5ac6d5191c1 Author: David Howells Date: Mon Jan 21 14:04:22 2019 +0000 vfs: Convert debugfs to use the new mount API Convert the debugfs filesystem to the new internal mount API as the old one will be obsoleted and removed. This allows greater flexibility in communication of mount parameters between userspace, the VFS and the filesystem. See Documentation/filesystems/mount_api.txt for more information. Signed-off-by: David Howells cc: Greg Kroah-Hartman cc: "Rafael J. Wysocki" Signed-off-by: Al Viro :040000 040000 b9ebe586041bd462ebadd428e934808a38c11e4a 3273b7c024ba4fd45e36c770a9e1d1c066f9e5e6 M fs revisions tested: 17, total time: 3h56m47.609701935s (build: 1h39m36.965312537s, test: 2h10m55.219612874s) first bad commit: 3deadeebafcec6a0a7c9397bd32ea5ac6d5191c1 vfs: Convert debugfs to use the new mount API cc: ["dhowells@redhat.com" "gregkh@linuxfoundation.org" "linux-kernel@vger.kernel.org" "rafael@kernel.org" "viro@zeniv.linux.org.uk"] crash: BUG: sleeping function called from invalid context in __do_page_fault BUG: sleeping function called from invalid context at arch/x86/mm/fault.c:1415 in_atomic(): 0, irqs_disabled(): 1, pid: 7287, name: syz-executor.4 2 locks held by syz-executor.4/7287: #0: 000000008c9536e5 (&type->s_umount_key#34){+.+.}, at: deactivate_super+0x12e/0x150 fs/super.c:361 #1: 00000000a272ed4e (&mm->mmap_sem#2){++++}, at: do_user_addr_fault arch/x86/mm/fault.c:1398 [inline] #1: 00000000a272ed4e (&mm->mmap_sem#2){++++}, at: __do_page_fault+0x21d/0xa20 arch/x86/mm/fault.c:1523 irq event stamp: 9350 hardirqs last enabled at (9349): [] __call_rcu.constprop.67+0x292/0x700 kernel/rcu/tree.c:2441 hardirqs last disabled at (9350): [] kfree+0x73/0x220 mm/slab.c:3749 softirqs last enabled at (766): [] memcpy include/linux/string.h:359 [inline] softirqs last enabled at (766): [] fpu__copy+0x142/0x5f0 arch/x86/kernel/fpu/core.c:216 softirqs last disabled at (764): [] fpu__copy+0x99/0x5f0 arch/x86/kernel/fpu/core.c:204 CPU: 0 PID: 7287 Comm: syz-executor.4 Not tainted 5.2.0-rc1+ #1 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x113/0x167 lib/dump_stack.c:113 ___might_sleep.cold.88+0x1bb/0x1f4 kernel/sched/core.c:6137 __might_sleep+0x95/0x190 kernel/sched/core.c:6090 do_user_addr_fault arch/x86/mm/fault.c:1415 [inline] __do_page_fault+0x238/0xa20 arch/x86/mm/fault.c:1523 do_page_fault+0x64/0x3a7 arch/x86/mm/fault.c:1554 page_fault+0x1e/0x30 arch/x86/entry/entry_64.S:1156 RIP: 0010:kfree+0xa8/0x220 mm/slab.c:3752 Code: 48 c1 e8 0c 48 89 c2 48 b8 00 00 00 00 00 ea ff ff 48 c1 e2 06 48 01 c2 48 8b 42 08 48 8d 48 ff a8 01 48 0f 45 d1 4c 8b 6a 18 <49> 63 75 74 e8 df ec b7 ff 49 63 75 74 48 89 df e8 03 c0 67 01 4c RSP: 0018:ffff8880a52efa88 EFLAGS: 00010046 RAX: ffffea000005a2c8 RBX: ffffffff8168b550 RCX: ffffea000005a2c7 RDX: ffffea000005a2c0 RSI: 0000000000000000 RDI: ffffffff8168b550 RBP: ffff8880a52efaa8 R08: ffffed1015d46be0 R09: ffffed1015d46bdf R10: ffffed1015d46bdf R11: ffff8880aea35efb R12: 0000000000000282 R13: 0000000000000000 R14: ffff8880aa0eb7e0 R15: ffff88821b841b10 debugfs_release_dentry+0x3b/0x50 fs/debugfs/inode.c:164 __dentry_kill+0x32f/0x550 fs/dcache.c:583 shrink_dentry_list+0x1cc/0x510 fs/dcache.c:1091 shrink_dcache_parent+0x109/0x120 fs/dcache.c:1498 do_one_tree+0xd/0x40 fs/dcache.c:1534 shrink_dcache_for_umount+0x56/0x120 fs/dcache.c:1551 generic_shutdown_super+0x61/0x330 fs/super.c:443 kill_anon_super+0x38/0x60 fs/super.c:1105 kill_litter_super+0x39/0x50 fs/super.c:1114 deactivate_locked_super+0x77/0xd0 fs/super.c:331 deactivate_super+0x136/0x150 fs/super.c:362 put_fs_context+0xa3/0x4b0 fs/fs_context.c:503 fscontext_release+0x42/0x60 fs/fsopen.c:77 __fput+0x25a/0x770 fs/file_table.c:279 ____fput+0x9/0x10 fs/file_table.c:312 task_work_run+0x108/0x180 kernel/task_work.c:113 tracehook_notify_resume include/linux/tracehook.h:188 [inline] exit_to_usermode_loop+0x1a9/0x200 arch/x86/entry/common.c:168 prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline] syscall_return_slowpath arch/x86/entry/common.c:279 [inline] do_syscall_64+0x447/0x530 arch/x86/entry/common.c:304 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x413561 Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01 RSP: 002b:00007ffe83cef6d0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: 0000000000000000 RBX: 0000000000000004 RCX: 0000000000413561 RDX: 0000001b2fe20000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 0000000000000001 R08: ffffffffffffffff R09: ffffffffffffffff R10: 00007ffe83cef7b0 R11: 0000000000000293 R12: 000000000075bf20 R13: 000000000000de21 R14: 00000000007601f0 R15: ffffffffffffffff BUG: kernel NULL pointer dereference, address: 0000000000000074 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 9221b067 P4D 9221b067 PUD a50b0067 PMD 0 Oops: 0000 [#1] PREEMPT SMP KASAN CPU: 0 PID: 7287 Comm: syz-executor.4 Tainted: G W 5.2.0-rc1+ #1 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:kfree+0xa8/0x220 mm/slab.c:3752 Code: 48 c1 e8 0c 48 89 c2 48 b8 00 00 00 00 00 ea ff ff 48 c1 e2 06 48 01 c2 48 8b 42 08 48 8d 48 ff a8 01 48 0f 45 d1 4c 8b 6a 18 <49> 63 75 74 e8 df ec b7 ff 49 63 75 74 48 89 df e8 03 c0 67 01 4c RSP: 0018:ffff8880a52efa88 EFLAGS: 00010046 RAX: ffffea000005a2c8 RBX: ffffffff8168b550 RCX: ffffea000005a2c7 RDX: ffffea000005a2c0 RSI: 0000000000000000 RDI: ffffffff8168b550 RBP: ffff8880a52efaa8 R08: ffffed1015d46be0 R09: ffffed1015d46bdf R10: ffffed1015d46bdf R11: ffff8880aea35efb R12: 0000000000000282 R13: 0000000000000000 R14: ffff8880aa0eb7e0 R15: ffff88821b841b10 FS: 00005555561f8940(0000) GS:ffff8880aea00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000074 CR3: 0000000093444000 CR4: 00000000001406f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: debugfs_release_dentry+0x3b/0x50 fs/debugfs/inode.c:164 __dentry_kill+0x32f/0x550 fs/dcache.c:583 shrink_dentry_list+0x1cc/0x510 fs/dcache.c:1091 shrink_dcache_parent+0x109/0x120 fs/dcache.c:1498 do_one_tree+0xd/0x40 fs/dcache.c:1534 shrink_dcache_for_umount+0x56/0x120 fs/dcache.c:1551 generic_shutdown_super+0x61/0x330 fs/super.c:443 kill_anon_super+0x38/0x60 fs/super.c:1105 kill_litter_super+0x39/0x50 fs/super.c:1114 deactivate_locked_super+0x77/0xd0 fs/super.c:331 deactivate_super+0x136/0x150 fs/super.c:362 put_fs_context+0xa3/0x4b0 fs/fs_context.c:503 fscontext_release+0x42/0x60 fs/fsopen.c:77 __fput+0x25a/0x770 fs/file_table.c:279 ____fput+0x9/0x10 fs/file_table.c:312 task_work_run+0x108/0x180 kernel/task_work.c:113 tracehook_notify_resume include/linux/tracehook.h:188 [inline] exit_to_usermode_loop+0x1a9/0x200 arch/x86/entry/common.c:168 prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline] syscall_return_slowpath arch/x86/entry/common.c:279 [inline] do_syscall_64+0x447/0x530 arch/x86/entry/common.c:304 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x413561 Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01 RSP: 002b:00007ffe83cef6d0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: 0000000000000000 RBX: 0000000000000004 RCX: 0000000000413561 RDX: 0000001b2fe20000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 0000000000000001 R08: ffffffffffffffff R09: ffffffffffffffff R10: 00007ffe83cef7b0 R11: 0000000000000293 R12: 000000000075bf20 R13: 000000000000de21 R14: 00000000007601f0 R15: ffffffffffffffff Modules linked in: CR2: 0000000000000074 ---[ end trace 6e96a8329b2ade0c ]--- RIP: 0010:kfree+0xa8/0x220 mm/slab.c:3752 Code: 48 c1 e8 0c 48 89 c2 48 b8 00 00 00 00 00 ea ff ff 48 c1 e2 06 48 01 c2 48 8b 42 08 48 8d 48 ff a8 01 48 0f 45 d1 4c 8b 6a 18 <49> 63 75 74 e8 df ec b7 ff 49 63 75 74 48 89 df e8 03 c0 67 01 4c RSP: 0018:ffff8880a52efa88 EFLAGS: 00010046 RAX: ffffea000005a2c8 RBX: ffffffff8168b550 RCX: ffffea000005a2c7 RDX: ffffea000005a2c0 RSI: 0000000000000000 RDI: ffffffff8168b550 RBP: ffff8880a52efaa8 R08: ffffed1015d46be0 R09: ffffed1015d46bdf R10: ffffed1015d46bdf R11: ffff8880aea35efb R12: 0000000000000282 R13: 0000000000000000 R14: ffff8880aa0eb7e0 R15: ffff88821b841b10 FS: 00005555561f8940(0000) GS:ffff8880aea00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000074 CR3: 0000000093444000 CR4: 00000000001406f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400