ci starts bisection 2024-10-29 00:54:25.464895162 +0000 UTC m=+31539.416141748
bisecting fixing commit since a430d95c5efa2b545d26a094eb5f624e36732af0
building syzkaller on c673ca06b23cea94091ab496ef62c3513e434585
ensuring issue is reproducible on original commit a430d95c5efa2b545d26a094eb5f624e36732af0
testing commit a430d95c5efa2b545d26a094eb5f624e36732af0 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 8e5229980c3799530c9a6528961a51f2a572d0e93b750bf83d95d4517799ddc8
all runs: crashed: KASAN: slab-use-after-free Read in iov_iter_advance
representative crash: KASAN: slab-use-after-free Read in iov_iter_advance, types: [KASAN]
check whether we can drop unnecessary instrumentation
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit a430d95c5efa2b545d26a094eb5f624e36732af0 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 5ffeb9af16a0462a13ef6862f7797899651e6c1022ddeb4826120a52a767280c
all runs: crashed: KASAN: slab-use-after-free Read in iov_iter_advance
representative crash: KASAN: slab-use-after-free Read in iov_iter_advance, types: [KASAN]
the bug reproduces without the instrumentation
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
kconfig minimization: base=4047 full=8155 leaves diff=2104
split chunks (needed=false): <2104>
split chunk #0 of len 2104 into 5 parts
testing without sub-chunk 1/5
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit a430d95c5efa2b545d26a094eb5f624e36732af0 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f30c710bbb7bc0d51a23c6228b971ca4ed401c66d020b24cb04e520f7b59463d
all runs: crashed: KASAN: slab-use-after-free Read in iov_iter_advance
representative crash: KASAN: slab-use-after-free Read in iov_iter_advance, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing commit a430d95c5efa2b545d26a094eb5f624e36732af0 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 529658a9de25d361abdad70b83b3d03376a4fdf5d2b8bfb1024f0b77def1c8c3
all runs: crashed: KASAN: slab-use-after-free Read in iov_iter_advance
representative crash: KASAN: slab-use-after-free Read in iov_iter_advance, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit a430d95c5efa2b545d26a094eb5f624e36732af0 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 7839ba1f08c2f1f8fb767506813a58fbdde83483347dca8f2b25e7618af061e0
all runs: crashed: KASAN: slab-use-after-free Read in iov_iter_advance
representative crash: KASAN: slab-use-after-free Read in iov_iter_advance, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG], they are not needed
testing commit a430d95c5efa2b545d26a094eb5f624e36732af0 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 2064c4546abb8b111b727f581e465f63fd5d788f4d57a3bd64688498d6941c8d
all runs: crashed: KASAN: slab-use-after-free Read in iov_iter_advance
representative crash: KASAN: slab-use-after-free Read in iov_iter_advance, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing commit a430d95c5efa2b545d26a094eb5f624e36732af0 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: fbf35ffecf937e2b38c3a238af3d660de3f464c1cc817a37b353e9299fa8ece4
all runs: crashed: KASAN: slab-use-after-free Read in iov_iter_advance
representative crash: KASAN: slab-use-after-free Read in iov_iter_advance, types: [KASAN]
the chunk can be dropped
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing current HEAD e42b1a9a2557aa94fee47f078633677198386a52
testing commit e42b1a9a2557aa94fee47f078633677198386a52 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: db1ce794f7ef2a953ca2ba349afc544eb48e6724e1e7624f0d4bf24a005ccaa6
all runs: OK
false negative chance: 0.000
# git bisect start e42b1a9a2557aa94fee47f078633677198386a52 a430d95c5efa2b545d26a094eb5f624e36732af0
Bisecting: 5584 revisions left to test after this (roughly 13 steps)
[2d8721364ce83956d0a184a64052928589ef15df] s390/vfio-ap: Driver feature advertisement
determine whether the revision contains the guilty commit
revision a430d95c5efa2b545d26a094eb5f624e36732af0 crashed and is reachable
testing commit 2d8721364ce83956d0a184a64052928589ef15df gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 82fdd65d3eb3ad226683220e22a03cc52b4b501ddda0028485a5745bf7442687
all runs: crashed: KASAN: slab-use-after-free Read in iov_iter_advance
representative crash: KASAN: slab-use-after-free Read in iov_iter_advance, types: [KASAN]
# git bisect good 2d8721364ce83956d0a184a64052928589ef15df
Bisecting: 2770 revisions left to test after this (roughly 12 steps)
[4965ddb166992557a25848049f1a70e56050eb7a] Merge tag 'usb-6.12-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb
determine whether the revision contains the guilty commit
revision a430d95c5efa2b545d26a094eb5f624e36732af0 crashed and is reachable
testing commit 4965ddb166992557a25848049f1a70e56050eb7a gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: fe0d9fc5b231f85579593917a38dea9efbf516034ebdf6ae77cc921b60f913af
all runs: crashed: KASAN: slab-use-after-free Read in iov_iter_advance
representative crash: KASAN: slab-use-after-free Read in iov_iter_advance, types: [KASAN]
# git bisect good 4965ddb166992557a25848049f1a70e56050eb7a
Bisecting: 1384 revisions left to test after this (roughly 11 steps)
[43454e83916dc515e3d11fd07d50c40e6e555873] Merge tag 'io_uring-6.12-20241004' of git://git.kernel.dk/linux
determine whether the revision contains the guilty commit
revision a430d95c5efa2b545d26a094eb5f624e36732af0 crashed and is reachable
testing commit 43454e83916dc515e3d11fd07d50c40e6e555873 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: b6197af5994259f15844e709396857024ad96d272db6d5387071b527ed821ad0
all runs: OK
false negative chance: 0.000
# git bisect bad 43454e83916dc515e3d11fd07d50c40e6e555873
Bisecting: 700 revisions left to test after this (roughly 10 steps)
[f801850bc263d7fa0a4e6d9a36cddf4966c79c14] netfs: Fix the netfs_folio tracepoint to handle NULL mapping
determine whether the revision contains the guilty commit
revision 4965ddb166992557a25848049f1a70e56050eb7a crashed and is reachable
testing commit f801850bc263d7fa0a4e6d9a36cddf4966c79c14 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 308e8f1d286cd96a8bb49395be3ab0ecc5580a3a9e8e7f2664c90775b3178065
all runs: crashed: KASAN: slab-use-after-free Read in iov_iter_advance
representative crash: KASAN: slab-use-after-free Read in iov_iter_advance, types: [KASAN]
# git bisect good f801850bc263d7fa0a4e6d9a36cddf4966c79c14
Bisecting: 411 revisions left to test after this (roughly 9 steps)
[e08d227840bb9366c6321ae1e480b37ba5eec29b] Merge tag 's390-6.12-2' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux
determine whether the revision contains the guilty commit
revision 2d8721364ce83956d0a184a64052928589ef15df crashed and is reachable
testing commit e08d227840bb9366c6321ae1e480b37ba5eec29b gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ab37253fd7e06636b98f796bdce922b8982dd36bb4ca8572eba0a30b22fd3af0
all runs: OK
false negative chance: 0.000
# git bisect bad e08d227840bb9366c6321ae1e480b37ba5eec29b
Bisecting: 147 revisions left to test after this (roughly 7 steps)
[ba33a49fcd42a94d405221cd0677388db1b69ed2] Merge tag 'tomoyo-pr-20240927' of git://git.code.sf.net/p/tomoyo/tomoyo
determine whether the revision contains the guilty commit
revision 4965ddb166992557a25848049f1a70e56050eb7a crashed and is reachable
testing commit ba33a49fcd42a94d405221cd0677388db1b69ed2 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 6e23f29f023e0e2a9a35094d414252da653cfc47127ce198024cb33f879180dc
all runs: crashed: KASAN: slab-use-after-free Read in iov_iter_advance
representative crash: KASAN: slab-use-after-free Read in iov_iter_advance, types: [KASAN]
# git bisect good ba33a49fcd42a94d405221cd0677388db1b69ed2
Bisecting: 80 revisions left to test after this (roughly 6 steps)
[d7d2688bf4ea58734d73e18edcbf4684b1496d30] drm/amd/pm: update workload mask after the setting
determine whether the revision contains the guilty commit
checking the merge base da3ea35007d0af457a0afc87e84fddaebc4e0b63
no existing result, test the revision
testing commit da3ea35007d0af457a0afc87e84fddaebc4e0b63 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 67d83550d8216e0fab8ee6aea6cdb91e9f3faecc3ce5f13692b8eb68ea70b510
all runs: OK
false negative chance: 0.000
the bug was not introduced yet; pretend that kernel crashed
# git bisect good d7d2688bf4ea58734d73e18edcbf4684b1496d30
Bisecting: 38 revisions left to test after this (roughly 5 steps)
[9717d5343849beb4ccf96df7bbf347660fd8898d] Merge tag 'v6.12-rc-ksmbd-server-fixes' of git://git.samba.org/ksmbd
determine whether the revision contains the guilty commit
revision ba33a49fcd42a94d405221cd0677388db1b69ed2 crashed and is reachable
testing commit 9717d5343849beb4ccf96df7bbf347660fd8898d gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 3c11b5acedf5b00b46d5c74811534d761f6442f85adc0efd9e1395a39630adb4
all runs: OK
false negative chance: 0.000
# git bisect bad 9717d5343849beb4ccf96df7bbf347660fd8898d
Bisecting: 26 revisions left to test after this (roughly 4 steps)
[381d2f95c8aa575d5d42bf1fe0ea9a70c4bec0cf] um: fix time-travel syscall scheduling hack
determine whether the revision contains the guilty commit
checking the merge base 431c1646e1f86b949fa3685efc50b660a364c2b6
no existing result, test the revision
testing commit 431c1646e1f86b949fa3685efc50b660a364c2b6 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 63927cc711a2e57efcbb18faaec83123ddaabe8ca9ed51cc0534c5ca57235059
all runs: OK
false negative chance: 0.000
the bug was not introduced yet; pretend that kernel crashed
# git bisect good 381d2f95c8aa575d5d42bf1fe0ea9a70c4bec0cf
Bisecting: 12 revisions left to test after this (roughly 4 steps)
[ad46e8f95e931e113cb98253daf6d443ac244cde] Merge tag 'pm-6.12-rc1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm
determine whether the revision contains the guilty commit
revision ba33a49fcd42a94d405221cd0677388db1b69ed2 crashed and is reachable
testing commit ad46e8f95e931e113cb98253daf6d443ac244cde gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 8f104de25ce27992b52b3072ba265fa5dc6a475154af4e3b242a92250f1f45be
all runs: crashed: KASAN: slab-use-after-free Read in iov_iter_advance
representative crash: KASAN: slab-use-after-free Read in iov_iter_advance, types: [KASAN]
# git bisect good ad46e8f95e931e113cb98253daf6d443ac244cde
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[220d83b52c7d16ec3c168b82f4e6ce59c645f7ab] smb: client: make SHA-512 TFM ephemeral
determine whether the revision contains the guilty commit
revision a430d95c5efa2b545d26a094eb5f624e36732af0 crashed and is reachable
testing commit 220d83b52c7d16ec3c168b82f4e6ce59c645f7ab gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 052d07896ead591247ecc4843cf9a3df8581eeb0b89f5422f9a1a307ba1eefe3
run #0: boot failed: can't ssh into the instance
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
false negative chance: 0.000
# git bisect bad 220d83b52c7d16ec3c168b82f4e6ce59c645f7ab
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[f7025d861694362348efc14eaad6a17840c4e9a4] smb: client: allocate crypto only for primary server
determine whether the revision contains the guilty commit
revision a430d95c5efa2b545d26a094eb5f624e36732af0 crashed and is reachable
testing commit f7025d861694362348efc14eaad6a17840c4e9a4 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: bb0144ea08959799d8487f970f783f82014f6ea69d5097bad37a4766cbd71828
run #0: boot failed: can't ssh into the instance
run #1: boot failed: can't ssh into the instance
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
false negative chance: 0.000
# git bisect bad f7025d861694362348efc14eaad6a17840c4e9a4
Bisecting: 0 revisions left to test after this (roughly 1 step)
[b0abcd65ec545701b8793e12bc27dc98042b151a] smb: client: fix UAF in async decryption
determine whether the revision contains the guilty commit
revision a430d95c5efa2b545d26a094eb5f624e36732af0 crashed and is reachable
testing commit b0abcd65ec545701b8793e12bc27dc98042b151a gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 1653b0e26b452456ead0eb07436f8d09d69ad0e0998256640fb5ad12945f746f
all runs: OK
false negative chance: 0.000
# git bisect bad b0abcd65ec545701b8793e12bc27dc98042b151a
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[df9b455633aee0bad3e5c3dc9fc1c860b13c96d2] netfs: Fix write oops in generic/346 (9p) and generic/074 (cifs)
determine whether the revision contains the guilty commit
revision a430d95c5efa2b545d26a094eb5f624e36732af0 crashed and is reachable
testing commit df9b455633aee0bad3e5c3dc9fc1c860b13c96d2 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 42dc026a5f82cc06a252ddffc2f45d2357c28065edfa310f0fd9835c26fb161d
all runs: OK
false negative chance: 0.000
# git bisect bad df9b455633aee0bad3e5c3dc9fc1c860b13c96d2
df9b455633aee0bad3e5c3dc9fc1c860b13c96d2 is the first bad commit
commit df9b455633aee0bad3e5c3dc9fc1c860b13c96d2
Author: David Howells
Date:   Thu Sep 26 14:58:30 2024 +0100

    netfs: Fix write oops in generic/346 (9p) and generic/074 (cifs)

    In netfslib, a buffered writeback operation has a 'write queue' of folios
    that are being written, held in a linear sequence of folio_queue structs.
    The 'issuer' adds new folio_queues on the leading edge of the queue and
    populates each one progressively; the 'collector' pops them off the
    trailing edge and discards them and the folios they point to as they are
    consumed.

    The queue is required to always retain at least one folio_queue structure.
    This allows the queue to be accessed without locking and with just a bit
    of barriering.

    When a new subrequest is prepared, its ->io_iter iterator is pointed at
    the current end of the write queue and then the iterator is extended as
    more data is added to the queue until the subrequest is committed.

    Now, the problem is that the folio_queue at the leading edge of the write
    queue when a subrequest is prepared might have been entirely consumed -
    but not yet removed from the queue as it is the only remaining one and is
    preventing the queue from collapsing.

    So, what happens is that subreq->io_iter is pointed at the spent
    folio_queue, then a new folio_queue is added, and, at that point, the
    collector is entirely at liberty to immediately delete the spent
    folio_queue.

    This leaves the subreq->io_iter pointing at a freed object. If the system
    is lucky, iterate_folioq() sees ->io_iter, sees the as-yet uncorrupted
    freed object and advances to the next folio_queue in the queue.

    In the case seen, however, the freed object gets recycled and put back
    onto the queue at the tail and filled to the end. This confuses
    iterate_folioq() and it tries to step ->next, which may be NULL -
    resulting in an oops.

    Fix this by the following means:

     (1) When preparing a write subrequest, make sure there's a folio_queue
         struct with space in it at the leading edge of the queue. A function
         to make space is split out of the function to append a folio so that
         it can be called for this purpose.

     (2) If the request struct iterator is pointing to a completely spent
         folio_queue when we make space, then advance the iterator to the newly
         allocated folio_queue. The subrequest's iterator will then be set from
         this.

    The oops could be triggered using the generic/346 xfstest with a filesystem
    on 9P over TCP with cache=loose. The oops looked something like:

    BUG: kernel NULL pointer dereference, address: 0000000000000008
    #PF: supervisor read access in kernel mode
    #PF: error_code(0x0000) - not-present page
    ...
    RIP: 0010:_copy_from_iter+0x2db/0x530
    ...
    Call Trace:
    ...
     p9pdu_vwritef+0x3d8/0x5d0
     p9_client_prepare_req+0xa8/0x140
     p9_client_rpc+0x81/0x280
     p9_client_write+0xcf/0x1c0
     v9fs_issue_write+0x87/0xc0
     netfs_advance_write+0xa0/0xb0
     netfs_write_folio.isra.0+0x42d/0x500
     netfs_writepages+0x15a/0x1f0
     do_writepages+0xd1/0x220
     filemap_fdatawrite_wbc+0x5c/0x80
     v9fs_mmap_vm_close+0x7d/0xb0
     remove_vma+0x35/0x70
     vms_complete_munmap_vmas+0x11a/0x170
     do_vmi_align_munmap+0x17d/0x1c0
     do_vmi_munmap+0x13e/0x150
     __vm_munmap+0x92/0xd0
     __x64_sys_munmap+0x17/0x20
     do_syscall_64+0x80/0xe0
     entry_SYSCALL_64_after_hwframe+0x71/0x79

    This also fixed a similar-looking issue with cifs and generic/074.

    Fixes: cd0277ed0c18 ("netfs: Use new folio_queue data type and iterator instead of xarray iter")
    Reported-by: kernel test robot
    Closes: https://lore.kernel.org/oe-lkp/202409180928.f20b5a08-oliver.sang@intel.com
    Closes: https://lore.kernel.org/oe-lkp/202409131438.3f225fbf-oliver.sang@intel.com
    Signed-off-by: David Howells
    Tested-by: kernel test robot
    cc: Eric Van Hensbergen
    cc: Latchesar Ionkov
    cc: Dominique Martinet
    cc: Christian Schoenebeck
    cc: Paulo Alcantara
    cc: Jeff Layton
    cc: v9fs@lists.linux.dev
    cc: linux-cifs@vger.kernel.org
    cc: netfs@lists.linux.dev
    cc: linux-fsdevel@vger.kernel.org
    Signed-off-by: Steve French

 fs/netfs/internal.h    |  1 +
 fs/netfs/misc.c        | 74 ++++++++++++++++++++++++++++++++++++--------------
 fs/netfs/write_issue.c | 12 +++++++-
 3 files changed, 65 insertions(+), 22 deletions(-)

accumulated error probability: 0.00
parent commit ac34bb40f748593e585f4c414a59cf4404249a15 wasn't tested
testing commit ac34bb40f748593e585f4c414a59cf4404249a15 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ffb3c7bba04e4304ad520ab99f41fb5549db264c02e2d1731a925caf5e9584a6
culprit signature: 42dc026a5f82cc06a252ddffc2f45d2357c28065edfa310f0fd9835c26fb161d
parent signature: ffb3c7bba04e4304ad520ab99f41fb5549db264c02e2d1731a925caf5e9584a6
revisions tested: 22, total time: 7h20m24.450381184s (build: 3h55m33.90419165s, test: 2h44m23.041691046s)
first good commit: df9b455633aee0bad3e5c3dc9fc1c860b13c96d2 netfs: Fix write oops in generic/346 (9p) and generic/074 (cifs)
recipients (to): ["dhowells@redhat.com" "oliver.sang@intel.com" "stfrench@microsoft.com"]
recipients (cc): []