bisecting cause commit starting from 5e60366d56c630e32befce7ef05c569e04391ca3 building syzkaller on 04201c0669446145fd9c347c5538da0ca13ff29b testing commit 5e60366d56c630e32befce7ef05c569e04391ca3 with gcc (GCC) 8.1.0 kernel signature: 01825cbba90804af60ff77ae0ded5055a816f397fe535df94df4bfbd1e90d5f6 all runs: crashed: UBSAN: shift-out-of-bounds in tcindex_set_parms testing release v5.10 testing commit 2c85ebc57b3e1817b6ce1a6b703928e113a90442 with gcc (GCC) 8.1.0 kernel signature: f5760b2c445d15f5ece92b856df5a49be8c93d3d22f6cda3cb5ed85afe8f4ee1 all runs: crashed: UBSAN: shift-out-of-bounds in tcindex_set_parms testing release v5.9 testing commit bbf5c979011a099af5dc76498918ed7df445635b with gcc (GCC) 8.1.0 kernel signature: 48a44b356059ba46606be11d05f4af2fd4977ae6064a111f191a24ab366037c1 all runs: crashed: UBSAN: shift-out-of-bounds in tcindex_set_parms testing release v5.8 testing commit bcf876870b95592b52519ed4aafcf9d95999bc9c with gcc (GCC) 8.1.0 kernel signature: 22aa95b7e7e6aea83bcbde6ee96bb510036c390ecb1edc1d673d8134021fdfef all runs: crashed: UBSAN: shift-out-of-bounds in tcindex_set_parms testing release v5.7 testing commit 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162 with gcc (GCC) 8.1.0 kernel signature: f5d9faac2087b090050e744a65f37f315c08f987da9cd1b89f915d62396835a7 all runs: crashed: UBSAN: shift-out-of-bounds in tcindex_set_parms testing release v5.6 testing commit 7111951b8d4973bda27ff663f2cf18b663d15b48 with gcc (GCC) 8.1.0 kernel signature: c44a15efe9f4dddfd3265e3ee72039e8fedc8e1a971752bf1b7899bdd24b69bf all runs: crashed: UBSAN: undefined-behaviour in tcindex_set_parms testing release v5.5 testing commit d5226fa6dbae0569ee43ecfc08bdcd6770fc4755 with gcc (GCC) 8.1.0 kernel signature: 0965e741efe2c9a43f96ed4ce7756181094148b594e50125c1ef55585450eb5a all runs: crashed: UBSAN: undefined-behaviour in tcindex_set_parms testing release v5.4 testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0 kernel signature: dc0e86cd1e84b0f0c4d2d664ac1a48c712bc8a201fcae8c2993a60e9b2ae998d all runs: crashed: UBSAN: undefined-behaviour in tcindex_set_parms testing release v5.3 testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.1.0 kernel signature: b037b1dd21cfbbefec3369d9afc20b2628ba8eb7e83fdf09374888aacb7ba29f all runs: crashed: UBSAN: undefined-behaviour in tcindex_set_parms testing release v5.2 testing commit 0ecfebd2b52404ae0c54a878c872bb93363ada36 with gcc (GCC) 8.1.0 kernel signature: 93349bcc046589cc66751b3d8ad6ba9fb4ca2c06a1b85b534c498825df415deb all runs: crashed: WARNING: ODEBUG bug in tcindex_destroy_work testing release v5.1 testing commit e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd with gcc (GCC) 8.1.0 kernel signature: baae87b14f521b4d0298531dee49e0a8e580ad4914eded127bc80495085be314 all runs: crashed: WARNING: ODEBUG bug in tcindex_destroy_work testing release v5.0 testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783 with gcc (GCC) 8.1.0 kernel signature: 56e224fa321819c58e1b7f8aa075ac994eb8feafc73959952675898bf266d174 run #0: crashed: WARNING: ODEBUG bug in tcindex_destroy_work run #1: crashed: WARNING: ODEBUG bug in tcindex_destroy_work run #2: crashed: WARNING: ODEBUG bug in tcindex_destroy_work run #3: crashed: WARNING: ODEBUG bug in tcindex_destroy_work run #4: crashed: WARNING: ODEBUG bug in tcindex_destroy_work run #5: crashed: WARNING: ODEBUG bug in tcindex_destroy_work run #6: crashed: WARNING: ODEBUG bug in tcindex_destroy_work run #7: crashed: WARNING: ODEBUG bug in tcindex_destroy_work run #8: crashed: WARNING: ODEBUG bug in corrupted run #9: crashed: WARNING: ODEBUG bug in tcindex_destroy_work testing release v4.20 testing commit 8fe28cb58bcb235034b64cbbb7550a8a43fd88be with gcc (GCC) 8.1.0 kernel signature: b624f570e4f2edf16e3544dda3969c255dd57fcd9507649a63167761620a02ce run #0: crashed: KASAN: use-after-free Read in __tcf_block_put run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK reproducer seems to be flaky testing release v4.19 testing commit 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d with gcc (GCC) 8.1.0 kernel signature: 6416684352d55ee2a72edae0552c9c1054c0e615f9f11348ba5a34c353e9c532 all runs: OK # git bisect start 8fe28cb58bcb235034b64cbbb7550a8a43fd88be 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d Bisecting: 7499 revisions left to test after this (roughly 13 steps) [ec9c166434595382be3babf266febf876327774d] Merge tag 'mips_fixes_4.20_1' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux testing commit ec9c166434595382be3babf266febf876327774d with gcc (GCC) 8.1.0 kernel signature: 3aadae28a2fac156c42c43b47439fce1cf4d6404a49cf1171a266def5833b8b6 all runs: OK # git bisect good ec9c166434595382be3babf266febf876327774d Bisecting: 3610 revisions left to test after this (roughly 12 steps) [93335e5911dbffccd3b74c4d214268c0fd2bc1b0] Merge tag 'armsoc-dt' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc testing commit 93335e5911dbffccd3b74c4d214268c0fd2bc1b0 with gcc (GCC) 8.1.0 kernel signature: 4130b0de5b2c81def839a3db261bd26e0dd1c03b9e9882b513b8a49c9dd6ba09 all runs: OK # git bisect good 93335e5911dbffccd3b74c4d214268c0fd2bc1b0 Bisecting: 1804 revisions left to test after this (roughly 11 steps) [e12e00e388dee1d2a86e9b90f79a69f9acd2c9b0] Merge tag 'kbuild-fixes-v4.20' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild testing commit e12e00e388dee1d2a86e9b90f79a69f9acd2c9b0 with gcc (GCC) 8.1.0 kernel signature: 89b20b4f9d4b484717bdf65f3a1a3fa528eb97a0af841bd8e05b18931b824db6 run #0: crashed: KASAN: use-after-free Read in __tcf_block_put run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad e12e00e388dee1d2a86e9b90f79a69f9acd2c9b0 Bisecting: 897 revisions left to test after this (roughly 10 steps) [23a12ddee1ce28065b71f14ccc695b5a0c8a64ff] Merge branch 'core/urgent' into x86/urgent, to pick up objtool fix testing commit 23a12ddee1ce28065b71f14ccc695b5a0c8a64ff with gcc (GCC) 8.1.0 kernel signature: c9a8506817d544ea984956b99671c084c35fa66c2743c45e5fdb1b44c297127e all runs: OK # git bisect good 23a12ddee1ce28065b71f14ccc695b5a0c8a64ff Bisecting: 447 revisions left to test after this (roughly 9 steps) [9a12efc5e01ac1dbad089f22e5d0e6f817970c3c] Merge tag 'kbuild-v4.20-2' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild testing commit 9a12efc5e01ac1dbad089f22e5d0e6f817970c3c with gcc (GCC) 8.1.0 kernel signature: 79906e170c961d76173aaca3de7fed34a90f5a168df03ebd18f84f724b919303 all runs: OK # git bisect good 9a12efc5e01ac1dbad089f22e5d0e6f817970c3c Bisecting: 222 revisions left to test after this (roughly 8 steps) [e09d51adfbb110ee1d4af3571b8cb67b0f938756] Merge tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc testing commit e09d51adfbb110ee1d4af3571b8cb67b0f938756 with gcc (GCC) 8.1.0 kernel signature: cf677f4b59f3f2651fca57500d37b50984f89f8d44597ac490144fa77b0063d8 all runs: OK # git bisect good e09d51adfbb110ee1d4af3571b8cb67b0f938756 Bisecting: 131 revisions left to test after this (roughly 7 steps) [1de4f2ef216dade3b5bd5f5247c4c750a953f51c] Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace testing commit 1de4f2ef216dade3b5bd5f5247c4c750a953f51c with gcc (GCC) 8.1.0 kernel signature: 09abe04f548dc6b854610535b0d1c9a03f80242cf45456ab66da0bb3a09e247c run #0: crashed: KASAN: use-after-free Read in __tcf_block_put run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 1de4f2ef216dade3b5bd5f5247c4c750a953f51c Bisecting: 45 revisions left to test after this (roughly 6 steps) [d757a3b01e72368176c5ee580ea17f8c2d185cd7] Merge tag 'ceph-for-4.20-rc2' of https://github.com/ceph/ceph-client testing commit d757a3b01e72368176c5ee580ea17f8c2d185cd7 with gcc (GCC) 8.1.0 kernel signature: a67c38be7cdbe8e8c28b91c4bd287d072950010ca499938106317e98fb174b29 all runs: OK # git bisect good d757a3b01e72368176c5ee580ea17f8c2d185cd7 Bisecting: 21 revisions left to test after this (roughly 5 steps) [d5335b3dfc614fbb4ce2b352177f38521ec3ecdd] Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux testing commit d5335b3dfc614fbb4ce2b352177f38521ec3ecdd with gcc (GCC) 8.1.0 kernel signature: f024f137b4268bbed4d6b66019495f69124abc160036adc6f0cf9468c64f1f9f run #0: basic kernel testing failed: general protection fault in batadv_iv_ogm_queue_add run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect good d5335b3dfc614fbb4ce2b352177f38521ec3ecdd Bisecting: 9 revisions left to test after this (roughly 4 steps) [ab6e1f378f546b0caa616ac0fcc730725cc2d222] Merge tag 'for-linus-4.20a-rc2-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip testing commit ab6e1f378f546b0caa616ac0fcc730725cc2d222 with gcc (GCC) 8.1.0 kernel signature: f024f137b4268bbed4d6b66019495f69124abc160036adc6f0cf9468c64f1f9f all runs: OK # git bisect good ab6e1f378f546b0caa616ac0fcc730725cc2d222 Bisecting: 4 revisions left to test after this (roughly 2 steps) [a1aa42f1d8c00a0767afee28d17caafd2a4dd8ff] Merge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux testing commit a1aa42f1d8c00a0767afee28d17caafd2a4dd8ff with gcc (GCC) 8.1.0 kernel signature: bc1c78e2d3306922776ac711cb9fc38ea98e572ab1536cdfaf1ea922198c7166 all runs: OK # git bisect good a1aa42f1d8c00a0767afee28d17caafd2a4dd8ff Bisecting: 2 revisions left to test after this (roughly 1 step) [25d202ed820ee347edec0bf3bf553544556bf64b] mount: Retest MNT_LOCKED in do_umount testing commit 25d202ed820ee347edec0bf3bf553544556bf64b with gcc (GCC) 8.1.0 kernel signature: 58fbd0cd98389ec34f3eb3cad07a925bb0dcd90c6c3cbd4e65a307038af85cab all runs: OK # git bisect good 25d202ed820ee347edec0bf3bf553544556bf64b Bisecting: 0 revisions left to test after this (roughly 1 step) [9c8e0a1b683525464a2abe9fb4b54404a50ed2b4] mount: Prevent MNT_DETACH from disconnecting locked mounts testing commit 9c8e0a1b683525464a2abe9fb4b54404a50ed2b4 with gcc (GCC) 8.1.0 kernel signature: ef7ac262613e5a8f2a5728805c79c8f5e3765f3eab93d633af8e8c802242d46a all runs: OK # git bisect good 9c8e0a1b683525464a2abe9fb4b54404a50ed2b4 1de4f2ef216dade3b5bd5f5247c4c750a953f51c is the first bad commit commit 1de4f2ef216dade3b5bd5f5247c4c750a953f51c Merge: a1aa42f1d8c0 9c8e0a1b6835 Author: Linus Torvalds Date: Sat Nov 10 13:27:58 2018 -0600 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace Pull namespace fixes from Eric Biederman: "I believe all of these are simple obviously correct bug fixes. These fall into two groups: - Fixing the implementation of MNT_LOCKED which prevents lesser privileged users from seeing unders mounts created by more privileged users. - Fixing the extended uid and group mapping in user namespaces. As well as ensuring the code looks correct I have spot tested these changes as well and in my testing the fixes are working" * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace: mount: Prevent MNT_DETACH from disconnecting locked mounts mount: Don't allow copying MNT_UNBINDABLE|MNT_LOCKED mounts mount: Retest MNT_LOCKED in do_umount userns: also map extents in the reverse map to kernel IDs fs/namespace.c | 22 +++++++++++++++++----- kernel/user_namespace.c | 12 ++++++++---- 2 files changed, 25 insertions(+), 9 deletions(-) Reproducer flagged being flaky revisions tested: 27, total time: 5h40m51.75378522s (build: 2h19m25.881346092s, test: 3h18m18.502856291s) first bad commit: 1de4f2ef216dade3b5bd5f5247c4c750a953f51c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace recipients (to): ["torvalds@linux-foundation.org"] recipients (cc): [] crash: KASAN: use-after-free Read in __tcf_block_put Bluetooth: hci0: command 0x0406 tx timeout Bluetooth: hci4: command 0x0406 tx timeout Bluetooth: hci1: command 0x0406 tx timeout ================================================================== BUG: KASAN: use-after-free in tcf_block_put_all_chains net/sched/cls_api.c:574 [inline] BUG: KASAN: use-after-free in __tcf_block_put+0x4e9/0x5b0 net/sched/cls_api.c:603 Read of size 8 at addr ffff8800ac0fbe40 by task syz-executor.3/17278 CPU: 1 PID: 17278 Comm: syz-executor.3 Not tainted 4.20.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x86/0xca lib/dump_stack.c:113 print_address_description.cold.5+0x9/0x244 mm/kasan/report.c:256 kasan_report_error mm/kasan/report.c:354 [inline] kasan_report.cold.6+0x242/0x304 mm/kasan/report.c:412 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433 tcf_block_put_all_chains net/sched/cls_api.c:574 [inline] __tcf_block_put+0x4e9/0x5b0 net/sched/cls_api.c:603 tcf_block_put_ext.part.19+0x57/0x70 net/sched/cls_api.c:880 tcf_block_put_ext net/sched/cls_api.c:875 [inline] tcf_block_put+0xa8/0xf0 net/sched/cls_api.c:890 cake_destroy+0x3e/0x80 net/sched/sch_cake.c:2606 qdisc_destroy+0xe4/0x5a0 net/sched/sch_generic.c:977 qdisc_put+0x46/0x50 net/sched/sch_generic.c:1001 notify_and_destroy+0x34/0x40 net/sched/sch_api.c:941 qdisc_graft+0x86c/0xdf0 net/sched/sch_api.c:999 tc_modify_qdisc+0x9bf/0x1940 net/sched/sch_api.c:1592 rtnetlink_rcv_msg+0x34f/0x950 net/core/rtnetlink.c:4947 netlink_rcv_skb+0x142/0x390 net/netlink/af_netlink.c:2477 rtnetlink_rcv+0x10/0x20 net/core/rtnetlink.c:4965 netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline] netlink_unicast+0x443/0x660 net/netlink/af_netlink.c:1336 netlink_sendmsg+0x666/0xc50 net/netlink/af_netlink.c:1917 sock_sendmsg_nosec net/socket.c:621 [inline] sock_sendmsg+0xac/0xf0 net/socket.c:631 ___sys_sendmsg+0x647/0x950 net/socket.c:2116 __sys_sendmsg+0xd9/0x180 net/socket.c:2154 __do_sys_sendmsg net/socket.c:2163 [inline] __se_sys_sendmsg net/socket.c:2161 [inline] __x64_sys_sendmsg+0x73/0xb0 net/socket.c:2161 do_syscall_64+0x96/0x3d0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x45e149 Code: 0d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007fb30f12fc68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045e149 RDX: 0000000000000000 RSI: 0000000020000380 RDI: 0000000000000004 RBP: 000000000119c068 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000119c034 R13: 00007fff5bd3838f R14: 00007fb30f1309c0 R15: 000000000119c034 Allocated by task 17267: save_stack mm/kasan/kasan.c:448 [inline] set_track mm/kasan/kasan.c:460 [inline] kasan_kmalloc.part.1+0x62/0xf0 mm/kasan/kasan.c:553 kasan_kmalloc+0xaf/0xc0 mm/kasan/kasan.c:538 kmem_cache_alloc_trace+0x13a/0x2f0 mm/slub.c:2771 kmalloc include/linux/slab.h:546 [inline] kzalloc include/linux/slab.h:741 [inline] tcf_block_create net/sched/cls_api.c:515 [inline] tcf_block_get_ext+0x7f4/0x11d0 net/sched/cls_api.c:810 tcf_block_get+0x88/0xd0 net/sched/cls_api.c:865 cake_init+0x28c/0xc80 net/sched/sch_cake.c:2639 qdisc_create+0x3fb/0xf20 net/sched/sch_api.c:1166 tc_modify_qdisc+0x3f2/0x1940 net/sched/sch_api.c:1581 rtnetlink_rcv_msg+0x34f/0x950 net/core/rtnetlink.c:4947 netlink_rcv_skb+0x142/0x390 net/netlink/af_netlink.c:2477 rtnetlink_rcv+0x10/0x20 net/core/rtnetlink.c:4965 netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline] netlink_unicast+0x443/0x660 net/netlink/af_netlink.c:1336 netlink_sendmsg+0x666/0xc50 net/netlink/af_netlink.c:1917 sock_sendmsg_nosec net/socket.c:621 [inline] sock_sendmsg+0xac/0xf0 net/socket.c:631 ___sys_sendmsg+0x647/0x950 net/socket.c:2116 __sys_sendmsg+0xd9/0x180 net/socket.c:2154 __do_sys_sendmsg net/socket.c:2163 [inline] __se_sys_sendmsg net/socket.c:2161 [inline] __x64_sys_sendmsg+0x73/0xb0 net/socket.c:2161 do_syscall_64+0x96/0x3d0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 16: save_stack mm/kasan/kasan.c:448 [inline] set_track mm/kasan/kasan.c:460 [inline] __kasan_slab_free+0x167/0x240 mm/kasan/kasan.c:521 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528 slab_free_hook mm/slub.c:1409 [inline] slab_free_freelist_hook mm/slub.c:1436 [inline] slab_free mm/slub.c:2991 [inline] kfree+0xf2/0x310 mm/slub.c:3942 __rcu_reclaim kernel/rcu/rcu.h:233 [inline] rcu_do_batch kernel/rcu/tree.c:2437 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:2716 [inline] rcu_process_callbacks+0x9f1/0x10e0 kernel/rcu/tree.c:2697 __do_softirq+0x21d/0x8d2 kernel/softirq.c:292 The buggy address belongs to the object at ffff8800ac0fbe40 which belongs to the cache kmalloc-128 of size 128 The buggy address is located 0 bytes inside of 128-byte region [ffff8800ac0fbe40, ffff8800ac0fbec0) The buggy address belongs to the page: page:ffffea0002b03ec0 count:1 mapcount:0 mapping:ffff88013ff35200 index:0xffff8800ac0fbd80 flags: 0xfff00000000200(slab) raw: 00fff00000000200 ffffea0002d02dc0 0000000400000002 ffff88013ff35200 raw: ffff8800ac0fbd80 0000000080150014 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8800ac0fbd00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff8800ac0fbd80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8800ac0fbe00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb ^ ffff8800ac0fbe80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff8800ac0fbf00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================