bisecting cause commit starting from bb7ba8069de933d69cb45dd0a5806b61033796a3 building syzkaller on 984250d5080e0bf455725ff96551e35c3ae59457 testing commit bb7ba8069de933d69cb45dd0a5806b61033796a3 with gcc (GCC) 8.1.0 all runs: crashed: WARNING in loop_add testing release v5.2 testing commit 0ecfebd2b52404ae0c54a878c872bb93363ada36 with gcc (GCC) 8.1.0 all runs: crashed: WARNING in loop_add testing release v5.1 testing commit e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd with gcc (GCC) 8.1.0 all runs: crashed: WARNING in loop_add testing release v5.0 testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783 with gcc (GCC) 8.1.0 all runs: crashed: WARNING in loop_add testing release v4.20 testing commit 8fe28cb58bcb235034b64cbbb7550a8a43fd88be with gcc (GCC) 8.1.0 all runs: crashed: WARNING in loop_add testing release v4.19 testing commit 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d with gcc (GCC) 8.1.0 all runs: crashed: WARNING in loop_add testing release v4.18 testing commit 94710cac0ef4ee177a63b5227664b38c95bbf703 with gcc (GCC) 8.1.0 all runs: crashed: WARNING in loop_add testing release v4.17 testing commit 29dcea88779c856c7dc92040a0c01233263101d4 with gcc (GCC) 8.1.0 all runs: crashed: WARNING in loop_add testing release v4.16 testing commit 0adb32858b0bddf4ada5f364a84ed60b196dbcda with gcc (GCC) 8.1.0 all runs: crashed: WARNING in loop_add testing release v4.15 testing commit d8a5b80568a9cb66810e75b182018e9edb68e8ff with gcc (GCC) 8.1.0 all runs: crashed: WARNING in loop_add testing release v4.14 testing commit bebc6082da0a9f5d47a1ea2edc099bf671058bd4 with gcc (GCC) 8.1.0 all runs: crashed: general protection fault in sysfs_do_create_link_sd testing release v4.13 testing commit 569dbb88e80deb68974ef6fdd6a13edb9d686261 with gcc (GCC) 8.1.0 all runs: crashed: general protection fault in sysfs_do_create_link_sd testing release v4.12 testing commit 6f7da290413ba713f0cdd9ff1a2a9bb129ef4f6c with gcc (GCC) 8.1.0 all runs: OK # git bisect start v4.13 v4.12 Bisecting: 7028 revisions left to test after this (roughly 13 steps) [ac7b75966c9c86426b55fe1c50ae148aa4571075] Merge tag 'pinctrl-v4.13-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl testing commit ac7b75966c9c86426b55fe1c50ae148aa4571075 with gcc (GCC) 8.1.0 all runs: OK # git bisect good ac7b75966c9c86426b55fe1c50ae148aa4571075 Bisecting: 3520 revisions left to test after this (roughly 12 steps) [9c284c41c0886f09e75c323a16278b6d353b0b4a] mmc: tmio-mmc: fix bad pointer math testing commit 9c284c41c0886f09e75c323a16278b6d353b0b4a with gcc (GCC) 8.1.0 all runs: OK # git bisect good 9c284c41c0886f09e75c323a16278b6d353b0b4a Bisecting: 1754 revisions left to test after this (roughly 11 steps) [505d5c11192960a3f0639d1d9e05dffeddd4e874] Merge tag 'nfs-for-4.13-2' of git://git.linux-nfs.org/projects/anna/linux-nfs testing commit 505d5c11192960a3f0639d1d9e05dffeddd4e874 with gcc (GCC) 8.1.0 all runs: crashed: general protection fault in sysfs_do_create_link_sd # git bisect bad 505d5c11192960a3f0639d1d9e05dffeddd4e874 Bisecting: 909 revisions left to test after this (roughly 10 steps) [62403005975c678ba7594a36670ae3bf0273d7c4] Merge tag 'nfsd-4.13' of git://linux-nfs.org/~bfields/linux testing commit 62403005975c678ba7594a36670ae3bf0273d7c4 with gcc (GCC) 8.1.0 run #0: crashed: general protection fault in sysfs_do_create_link_sd run #1: crashed: general protection fault in sysfs_do_create_link_sd run #2: crashed: general protection fault in sysfs_do_create_link_sd run #3: crashed: general protection fault in sysfs_do_create_link_sd run #4: crashed: general protection fault in sysfs_do_create_link_sd run #5: crashed: general protection fault in sysfs_do_create_link_sd run #6: crashed: general protection fault in sysfs_do_create_link_sd run #7: crashed: general protection fault in sysfs_do_create_link_sd run #8: crashed: general protection fault in sysfs_do_create_link_sd run #9: crashed: WARNING: kobject bug in device_create_groups_vargs # git bisect bad 62403005975c678ba7594a36670ae3bf0273d7c4 Bisecting: 430 revisions left to test after this (roughly 9 steps) [38f7d2da4e39d454f2cb3e7c1ae35afde3d61123] Merge tag 'pwm/for-4.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/thierry.reding/linux-pwm testing commit 38f7d2da4e39d454f2cb3e7c1ae35afde3d61123 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 38f7d2da4e39d454f2cb3e7c1ae35afde3d61123 Bisecting: 212 revisions left to test after this (roughly 8 steps) [6735a1971a00a29a96aa3ea5dc08912bfee95c51] Merge tag 'platform-drivers-x86-v4.13-2' of git://git.infradead.org/linux-platform-drivers-x86 testing commit 6735a1971a00a29a96aa3ea5dc08912bfee95c51 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 6735a1971a00a29a96aa3ea5dc08912bfee95c51 Bisecting: 100 revisions left to test after this (roughly 7 steps) [bc0f51d35994bc14ae9bebadc9523399711fedf8] Merge tag 'trace-v4.13-2' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace testing commit bc0f51d35994bc14ae9bebadc9523399711fedf8 with gcc (GCC) 8.1.0 all runs: crashed: general protection fault in sysfs_do_create_link_sd # git bisect bad bc0f51d35994bc14ae9bebadc9523399711fedf8 Bisecting: 55 revisions left to test after this (roughly 6 steps) [a10a842ff81a7e3810817b3b04e4c432b6191e21] kernel/watchdog: provide watchdog_nmi_reconfigure() for arch watchdogs testing commit a10a842ff81a7e3810817b3b04e4c432b6191e21 with gcc (GCC) 8.1.0 all runs: crashed: general protection fault in sysfs_do_create_link_sd # git bisect bad a10a842ff81a7e3810817b3b04e4c432b6191e21 Bisecting: 27 revisions left to test after this (roughly 5 steps) [77493f04b74cdff3a61fb3fb14b1f5a71d88fd5f] procfs: fdinfo: extend information about epoll target files testing commit 77493f04b74cdff3a61fb3fb14b1f5a71d88fd5f with gcc (GCC) 8.1.0 all runs: OK # git bisect good 77493f04b74cdff3a61fb3fb14b1f5a71d88fd5f Bisecting: 13 revisions left to test after this (roughly 4 steps) [52f908904e7e05b6300162faa48152df073be645] ipc/msg: avoid ipc_rcu_alloc() testing commit 52f908904e7e05b6300162faa48152df073be645 with gcc (GCC) 8.1.0 all runs: crashed: general protection fault in sysfs_do_create_link_sd # git bisect bad 52f908904e7e05b6300162faa48152df073be645 Bisecting: 6 revisions left to test after this (roughly 3 steps) [f8dbe8d290637ac3f68600e30d092393fe9b40a5] ipc: drop non-RCU allocation testing commit f8dbe8d290637ac3f68600e30d092393fe9b40a5 with gcc (GCC) 8.1.0 run #0: crashed: general protection fault in sysfs_do_create_link_sd run #1: crashed: general protection fault in sysfs_do_create_link_sd run #2: crashed: general protection fault in sysfs_do_create_link_sd run #3: crashed: general protection fault in sysfs_do_create_link_sd run #4: crashed: general protection fault in sysfs_do_create_link_sd run #5: crashed: general protection fault in sysfs_do_create_link_sd run #6: crashed: general protection fault in sysfs_do_create_link_sd run #7: crashed: WARNING: kobject bug in device_create_groups_vargs run #8: crashed: general protection fault in sysfs_do_create_link_sd run #9: crashed: general protection fault in sysfs_do_create_link_sd # git bisect bad f8dbe8d290637ac3f68600e30d092393fe9b40a5 Bisecting: 3 revisions left to test after this (roughly 2 steps) [e41d58185f1444368873d4d7422f7664a68be61d] fault-inject: support systematic fault injection testing commit e41d58185f1444368873d4d7422f7664a68be61d with gcc (GCC) 8.1.0 all runs: crashed: general protection fault in sysfs_do_create_link_sd # git bisect bad e41d58185f1444368873d4d7422f7664a68be61d Bisecting: 0 revisions left to test after this (roughly 1 step) [92ef6da3d06ff551a86de41ae37df9cc4b58d7a0] kcmp: fs/epoll: wrap kcmp code with CONFIG_CHECKPOINT_RESTORE testing commit 92ef6da3d06ff551a86de41ae37df9cc4b58d7a0 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 92ef6da3d06ff551a86de41ae37df9cc4b58d7a0 e41d58185f1444368873d4d7422f7664a68be61d is the first bad commit commit e41d58185f1444368873d4d7422f7664a68be61d Author: Dmitry Vyukov Date: Wed Jul 12 14:34:35 2017 -0700 fault-inject: support systematic fault injection Add /proc/self/task//fail-nth file that allows failing 0-th, 1-st, 2-nd and so on calls systematically. Excerpt from the added documentation: "Write to this file of integer N makes N-th call in the current task fail (N is 0-based). Read from this file returns a single char 'Y' or 'N' that says if the fault setup with a previous write to this file was injected or not, and disables the fault if it wasn't yet injected. Note that this file enables all types of faults (slab, futex, etc). This setting takes precedence over all other generic settings like probability, interval, times, etc. But per-capability settings (e.g. fail_futex/ignore-private) take precedence over it. This feature is intended for systematic testing of faults in a single system call. See an example below" Why add a new setting: 1. Existing settings are global rather than per-task. So parallel testing is not possible. 2. attr->interval is close but it depends on attr->count which is non reset to 0, so interval does not work as expected. 3. Trying to model this with existing settings requires manipulations of all of probability, interval, times, space, task-filter and unexposed count and per-task make-it-fail files. 4. Existing settings are per-failure-type, and the set of failure types is potentially expanding. 5. make-it-fail can't be changed by unprivileged user and aggressive stress testing better be done from an unprivileged user. Similarly, this would require opening the debugfs files to the unprivileged user, as he would need to reopen at least times file (not possible to pre-open before dropping privs). The proposed interface solves all of the above (see the example). We want to integrate this into syzkaller fuzzer. A prototype has found 10 bugs in kernel in first day of usage: https://groups.google.com/forum/#!searchin/syzkaller/%22FAULT_INJECTION%22%7Csort:relevance I've made the current interface work with all types of our sandboxes. For setuid the secret sauce was prctl(PR_SET_DUMPABLE, 1, 0, 0, 0) to make /proc entries non-root owned. So I am fine with the current version of the code. [akpm@linux-foundation.org: fix build] Link: http://lkml.kernel.org/r/20170328130128.101773-1-dvyukov@google.com Signed-off-by: Dmitry Vyukov Cc: Akinobu Mita Cc: Michal Hocko Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds :040000 040000 5ff23b4f717faa09a3a303c852d1f879e5c93424 dee40d91ff399cf23471067637b29ba5e1d89733 M Documentation :040000 040000 27977119aa5c7d9e92fc80003c42eb2b4f32cd8a 17fc845fd59fd4d9cd4b38fc91096cf8dfa8cbe3 M fs :040000 040000 ed948d2418da0ee21a502e292d26d30545d58083 67b2b84dc7ad4f73ffe68c2027ef782fb3f91120 M include :040000 040000 5a5aae0ff0d0ab5471e6a7da1dade99054f3438d 5649fd62cab2718586583d958d93c058385fdd52 M kernel :040000 040000 1394cb104a7599e44373b833e369563c29cb2560 d6b4eb0e7b6f9335a6e35b9dbe3f136c0c8dc3b7 M lib revisions tested: 26, total time: 4h51m32.963326591s (build: 2h16m25.886263691s, test: 2h27m30.596377172s) first bad commit: e41d58185f1444368873d4d7422f7664a68be61d fault-inject: support systematic fault injection cc: ["akinobu.mita@gmail.com" "akpm@linux-foundation.org" "dvyukov@google.com" "mhocko@kernel.org" "torvalds@linux-foundation.org"] crash: general protection fault in sysfs_do_create_link_sd kobject: 'iosched' (ffff8801190df250): kobject_add_internal: parent: 'queue', set: '' kobject: 'iosched' (ffff8801190df250): kobject_uevent_env kobject: 'iosched' (ffff8801190df250): kobject_uevent_env: filter function caused the event to drop! kasan: CONFIG_KASAN_INLINE enabled kasan: GPF could be caused by NULL-ptr deref or user memory access general protection fault: 0000 [#1] PREEMPT SMP KASAN Modules linked in: CPU: 0 PID: 6710 Comm: syz-executor.3 Not tainted 4.12.0+ #1 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 task: ffff88011c750000 task.stack: ffff880117c78000 RIP: 0010:sysfs_do_create_link_sd.isra.2+0x48/0xf0 fs/sysfs/symlink.c:35 RSP: 0018:ffff880117c7f9b0 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: ffffffff875a07a0 RCX: 0000000000000000 RDX: 0000000000000008 RSI: ffff88011c750888 RDI: ffffffff88411c04 RBP: ffff880117c7f9d8 R08: ffff88011c7508a8 R09: 000000000000000c R10: ffff88011c750888 R11: ffff88011c750000 R12: ffff88011b0c0aa0 R13: 0000000000000040 R14: 0000000000000001 R15: ffff8801190daf60 FS: 00007f1fd4470700(0000) GS:ffff88012c000000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffcbf986c18 CR3: 000000010859d000 CR4: 00000000001406f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: sysfs_do_create_link fs/sysfs/symlink.c:80 [inline] sysfs_create_link+0x43/0xb0 fs/sysfs/symlink.c:92 device_add_disk+0xafd/0xf50 block/genhd.c:631 add_disk include/linux/genhd.h:404 [inline] loop_add+0x612/0x8c0 drivers/block/loop.c:1845 loop_control_ioctl+0x278/0x430 drivers/block/loop.c:1942 vfs_ioctl fs/ioctl.c:45 [inline] file_ioctl fs/ioctl.c:499 [inline] do_vfs_ioctl+0x183/0x15a0 fs/ioctl.c:683 SYSC_ioctl fs/ioctl.c:700 [inline] SyS_ioctl+0x74/0x80 fs/ioctl.c:691 entry_SYSCALL_64_fastpath+0x23/0xc2 RIP: 0033:0x459829 RSP: 002b:00007f1fd446fc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f1fd446fc90 RCX: 0000000000459829 RDX: 0000000000000000 RSI: 0000000000004c80 RDI: 0000000000000003 RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f1fd44706d4 R13: 00000000004c871d R14: 00000000004df438 R15: 00000000ffffffff Code: 41 55 49 89 f5 41 54 49 89 fc 48 c7 c7 00 1c 41 88 53 48 89 d3 e8 e9 55 36 05 4c 89 ea 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 86 00 00 00 4d 8b 6d 00 4d 85 ed 74 52 4c 89 RIP: sysfs_do_create_link_sd.isra.2+0x48/0xf0 fs/sysfs/symlink.c:35 RSP: ffff880117c7f9b0 ---[ end trace f1d897357896ea32 ]---