bisecting cause commit starting from 556e2f6020bf90f63c5dd65e9a2254be6db3185b
building syzkaller on 7509bf360eba1461ac6059e4cacfbc29c9d2d4c7
testing commit 556e2f6020bf90f63c5dd65e9a2254be6db3185b with gcc (GCC) 8.1.0
all runs: crashed: general protection fault in get_task_pid
testing release v5.1
testing commit e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd with gcc (GCC) 8.1.0
all runs: OK
# git bisect start 556e2f6020bf90f63c5dd65e9a2254be6db3185b v5.1
Bisecting: 6784 revisions left to test after this (roughly 13 steps)
[a2d635decbfa9c1e4ae15cb05b68b2559f7f827c] Merge tag 'drm-next-2019-05-09' of git://anongit.freedesktop.org/drm/drm
testing commit a2d635decbfa9c1e4ae15cb05b68b2559f7f827c with gcc (GCC) 8.1.0
all runs: OK
# git bisect good a2d635decbfa9c1e4ae15cb05b68b2559f7f827c
Bisecting: 3604 revisions left to test after this (roughly 12 steps)
[22c58fd70ca48a29505922b1563826593b08cc00] Merge tag 'armsoc-soc' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc
testing commit 22c58fd70ca48a29505922b1563826593b08cc00 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 22c58fd70ca48a29505922b1563826593b08cc00
Bisecting: 1794 revisions left to test after this (roughly 11 steps)
[86c2f5d653058798703549e1be39a819fcac0d5d] Merge tag 'spdx-5.2-rc2-2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core
testing commit 86c2f5d653058798703549e1be39a819fcac0d5d with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 86c2f5d653058798703549e1be39a819fcac0d5d
Bisecting: 832 revisions left to test after this (roughly 10 steps)
[9331b6740f86163908de69f4008e434fe0c27691] Merge tag 'spdx-5.2-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core
testing commit 9331b6740f86163908de69f4008e434fe0c27691 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 9331b6740f86163908de69f4008e434fe0c27691
Bisecting: 394 revisions left to test after this (roughly 9 steps)
[da0f382029868806e88c046eb2560fdee7a9457c] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
testing commit da0f382029868806e88c046eb2560fdee7a9457c with gcc (GCC) 8.1.0
all runs: OK
# git bisect good da0f382029868806e88c046eb2560fdee7a9457c
Bisecting: 201 revisions left to test after this (roughly 8 steps)
[cf24242189b935826a88feedb64761cbf483e42c] Merge tag 'usb-5.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb
testing commit cf24242189b935826a88feedb64761cbf483e42c with gcc (GCC) 8.1.0
all runs: OK
# git bisect good cf24242189b935826a88feedb64761cbf483e42c
Bisecting: 100 revisions left to test after this (roughly 7 steps)
[4f07b80c973348a99b5d2a32476a2e7877e94a05] tipc: check msg->req data len in tipc_nl_compat_bearer_disable
testing commit 4f07b80c973348a99b5d2a32476a2e7877e94a05 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 4f07b80c973348a99b5d2a32476a2e7877e94a05
Bisecting: 49 revisions left to test after this (roughly 6 steps)
[c84afab02c311b08b5cb8ea758cc177f81c95d11] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
testing commit c84afab02c311b08b5cb8ea758cc177f81c95d11 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good c84afab02c311b08b5cb8ea758cc177f81c95d11
Bisecting: 25 revisions left to test after this (roughly 5 steps)
[fe2da896fd9469317ff693fb08a86d9c435e101a] Merge tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc
testing commit fe2da896fd9469317ff693fb08a86d9c435e101a with gcc (GCC) 8.1.0
all runs: OK
# git bisect good fe2da896fd9469317ff693fb08a86d9c435e101a
Bisecting: 13 revisions left to test after this (roughly 4 steps)
[7a702b4e82d8730d6964bfd98b3b024c126e9846] Merge tag 'for-linus-20190627' of gitolite.kernel.org:pub/scm/linux/kernel/git/brauner/linux
testing commit 7a702b4e82d8730d6964bfd98b3b024c126e9846 with gcc (GCC) 8.1.0
all runs: crashed: general protection fault in get_task_pid
# git bisect bad 7a702b4e82d8730d6964bfd98b3b024c126e9846
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[b12bbdc5dd883f6575f57e529af26cd2c521b320] HID: intel-ish-hid: fix wrong driver_data usage
testing commit b12bbdc5dd883f6575f57e529af26cd2c521b320 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good b12bbdc5dd883f6575f57e529af26cd2c521b320
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[6fd2fe494b17bf2dec37b610d23a43a72b16923a] copy_process(): don't use ksys_close() on cleanups
testing commit 6fd2fe494b17bf2dec37b610d23a43a72b16923a with gcc (GCC) 8.1.0
all runs: crashed: general protection fault in get_task_pid
# git bisect bad 6fd2fe494b17bf2dec37b610d23a43a72b16923a
Bisecting: 0 revisions left to test after this (roughly 1 step)
[bee19cd8f241ab3cd1bf79e03884e5371f9ef514] samples: make pidfd-metadata fail gracefully on older kernels
testing commit bee19cd8f241ab3cd1bf79e03884e5371f9ef514 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good bee19cd8f241ab3cd1bf79e03884e5371f9ef514
6fd2fe494b17bf2dec37b610d23a43a72b16923a is the first bad commit
commit 6fd2fe494b17bf2dec37b610d23a43a72b16923a
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Wed Jun 26 22:22:09 2019 -0400

    copy_process(): don't use ksys_close() on cleanups
    
    anon_inode_getfd() should be used *ONLY* in situations when we are
    guaranteed to be past the last failure point (including copying the
    descriptor number to userland, at that).  And ksys_close() should
    not be used for cleanups at all.
    
    anon_inode_getfile() is there for all nontrivial cases like that.
    Just use that...
    
    Fixes: b3e583825266 ("clone: add CLONE_PIDFD")
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Reviewed-by: Jann Horn <jannh@google.com>
    Signed-off-by: Christian Brauner <christian@brauner.io>

:040000 040000 f4b8d05447fb47320500651bccbb419862d11c88 4ffc74012b4d89d4a405a89428a74919869e74e6 M	kernel
revisions tested: 15, total time: 4h13m18.253730728s (build: 1h26m25.534182938s, test: 2h42m17.991540994s)
first bad commit: 6fd2fe494b17bf2dec37b610d23a43a72b16923a copy_process(): don't use ksys_close() on cleanups
cc: ["akpm@linux-foundation.org" "arunks@codeaurora.org" "christian@brauner.io" "ebiederm@xmission.com" "elena.reshetova@intel.com" "guro@fb.com" "jannh@google.com" "linux-kernel@vger.kernel.org" "mhocko@suse.com" "mingo@kernel.org" "peterz@infradead.org" "riel@surriel.com" "viro@zeniv.linux.org.uk" "yuehaibing@huawei.com"]
crash: general protection fault in get_task_pid
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 8174 Comm: syz-executor.0 Not tainted 5.2.0-rc6+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:task_pid_ptr kernel/pid.c:273 [inline]
RIP: 0010:get_task_pid+0x69/0x1f0 kernel/pid.c:372
Code: ad 07 00 0f 84 f3 00 00 00 85 db 0f 85 95 00 00 00 49 8d bc 24 38 05 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 5b 01 00 00 49 8b 9c 24 38 05 00 00 e8 60 4d 11
RSP: 0018:ffff88807843fdc0 EFLAGS: 00010203
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff8156c074
RDX: 00000000000000a7 RSI: 0000000000000004 RDI: 000000000000053c
RBP: ffff88807843fdd0 R08: ffffed1015d46c70 R09: ffffed1015d46c6f
R10: ffffed1015d46c6f R11: ffff8880aea3637b R12: 0000000000000004
R13: 0000000000000004 R14: 0000000000041ffc R15: ffffffffffffffea
FS:  00007f7a7325c700(0000) GS:ffff8880aea00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000070e158 CR3: 0000000095e91000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 _do_fork+0x1b2/0xb70 kernel/fork.c:2360
 __do_sys_clone kernel/fork.c:2454 [inline]
 __se_sys_clone kernel/fork.c:2448 [inline]
 __x64_sys_clone+0xba/0x140 kernel/fork.c:2448
 do_syscall_64+0xd0/0x530 arch/x86/entry/common.c:301
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x459519
Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f7a7325bc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000038
RAX: ffffffffffffffda RBX: 00007f7a7325bc90 RCX: 0000000000459519
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000041ffc
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f7a7325c6d4
R13: 00000000004bf97d R14: 00000000004d1358 R15: 0000000000000003
Modules linked in:
---[ end trace 73a49951ce5262fa ]---
RIP: 0010:task_pid_ptr kernel/pid.c:273 [inline]
RIP: 0010:get_task_pid+0x69/0x1f0 kernel/pid.c:372
Code: ad 07 00 0f 84 f3 00 00 00 85 db 0f 85 95 00 00 00 49 8d bc 24 38 05 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 5b 01 00 00 49 8b 9c 24 38 05 00 00 e8 60 4d 11
RSP: 0018:ffff88807843fdc0 EFLAGS: 00010203
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff8156c074
RDX: 00000000000000a7 RSI: 0000000000000004 RDI: 000000000000053c
RBP: ffff88807843fdd0 R08: ffffed1015d46c70 R09: ffffed1015d46c6f
R10: ffffed1015d46c6f R11: ffff8880aea3637b R12: 0000000000000004
R13: 0000000000000004 R14: 0000000000041ffc R15: ffffffffffffffea
FS:  00007f7a7325c700(0000) GS:ffff8880aea00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000960004 CR3: 0000000095e91000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400