bisecting cause commit starting from 15bc20c6af4ceee97a1f90b43c0e386643c071b4 building syzkaller on 816e0689d7d9d8321f8bf360740f0e516aee15ca testing commit 15bc20c6af4ceee97a1f90b43c0e386643c071b4 with gcc (GCC) 8.1.0 kernel signature: cbc1c0b52d1dc84c89e45cfc8ebacc9802b9b8d1c10fa09e7515deecb3679e89 run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release run #1: crashed: kernel BUG at fs/inode.c:LINE! run #2: crashed: kernel BUG at fs/inode.c:LINE! run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release run #5: crashed: kernel BUG at fs/inode.c:LINE! run #6: crashed: kernel BUG at fs/inode.c:LINE! run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release run #8: crashed: kernel BUG at fs/inode.c:LINE! run #9: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release testing release v5.8 testing commit bcf876870b95592b52519ed4aafcf9d95999bc9c with gcc (GCC) 8.1.0 kernel signature: 70fa342f94aad2d6f813068b00f5cb7fd339bf6091b5549c68a43cc629a701c6 all runs: OK # git bisect start 15bc20c6af4ceee97a1f90b43c0e386643c071b4 bcf876870b95592b52519ed4aafcf9d95999bc9c Bisecting: 5975 revisions left to test after this (roughly 13 steps) [47ec5303d73ea344e84f46660fff693c57641386] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next testing commit 47ec5303d73ea344e84f46660fff693c57641386 with gcc (GCC) 8.1.0 kernel signature: cc2647b19c6888fd3fd11066bfa3d07b366317860a560683746a7225aacc1346 all runs: OK # git bisect good 47ec5303d73ea344e84f46660fff693c57641386 Bisecting: 2845 revisions left to test after this (roughly 12 steps) [fa73e212318a3277ae1f304febbc617c75d4d2db] Merge tag 'media/v5.9-1' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media testing commit fa73e212318a3277ae1f304febbc617c75d4d2db with gcc (GCC) 8.1.0 kernel signature: 61ddea4b8d517aa26a1dada7609546c7e4b8498535bc1d283e2775b379a2430c all runs: OK # git bisect good fa73e212318a3277ae1f304febbc617c75d4d2db Bisecting: 1420 revisions left to test after this (roughly 11 steps) [9ad57f6dfc2345ed5d3a8bf4dabac0a34069c54c] Merge branch 'akpm' (patches from Andrew) testing commit 9ad57f6dfc2345ed5d3a8bf4dabac0a34069c54c with gcc (GCC) 8.1.0 kernel signature: b995c021ad0056983cc6969c053d73442198e4c1df340e3d3cfb77f3f34e6b6e all runs: boot failed: WARNING in mem_cgroup_css_alloc # git bisect skip 9ad57f6dfc2345ed5d3a8bf4dabac0a34069c54c Bisecting: 1420 revisions left to test after this (roughly 11 steps) [2f059db0b8313f8964ac917394e7425d966a6884] ktest.pl: Always show log file location if defined even on success testing commit 2f059db0b8313f8964ac917394e7425d966a6884 with gcc (GCC) 8.1.0 kernel signature: 9c2e71d8937cad704dbb2697c63934898aab5b2b848f6cc3e4b1dc36f8fa52a9 all runs: OK # git bisect good 2f059db0b8313f8964ac917394e7425d966a6884 Bisecting: 1420 revisions left to test after this (roughly 11 steps) [44a7f3e8222a7345b72a83a26d6d599bba815cf9] clk: socfpga: agilex: mpu_l2ram_clk should be mpu_ccu_clk testing commit 44a7f3e8222a7345b72a83a26d6d599bba815cf9 with gcc (GCC) 8.1.0 kernel signature: ef9294b7ec7b2a713e0356d3072334d6afa65685de93acc9e5695e05210cc32e all runs: basic kernel testing failed: BUG: using smp_processor_id() in preemptible code in ext4_mb_new_blocks # git bisect skip 44a7f3e8222a7345b72a83a26d6d599bba815cf9 Bisecting: 1420 revisions left to test after this (roughly 11 steps) [347a7389a7cc9b91f80deb8d7043e9827d08b328] perf intel-pt: Add support for decoding PSB+ only testing commit 347a7389a7cc9b91f80deb8d7043e9827d08b328 with gcc (GCC) 8.1.0 kernel signature: 35b3e0d2b1622c412f21ce4bf18a33caceacaca473062cec6452383c9bb96c1e all runs: OK # git bisect good 347a7389a7cc9b91f80deb8d7043e9827d08b328 Bisecting: 1343 revisions left to test after this (roughly 10 steps) [ea6ec774372740b024a6c27caac0d0af8960ea15] Merge tag 'drm-next-2020-08-12' of git://anongit.freedesktop.org/drm/drm testing commit ea6ec774372740b024a6c27caac0d0af8960ea15 with gcc (GCC) 8.1.0 kernel signature: c3e1aae339a5071e26aaf1e809a0c3304d494c877f7563e3203df9b3445c5e3e all runs: boot failed: WARNING in mem_cgroup_css_alloc # git bisect skip ea6ec774372740b024a6c27caac0d0af8960ea15 Bisecting: 1343 revisions left to test after this (roughly 10 steps) [43b1bb4a9b3e183af12225f56c27164c10d06223] clk: at91: clk-sam9x60-pll: re-factor to support plls with multiple outputs testing commit 43b1bb4a9b3e183af12225f56c27164c10d06223 with gcc (GCC) 8.1.0 kernel signature: a292431ea5c24ce7af3fe566a6574bbd9c4f3bdd78aa0bf01a91174736b706ed all runs: basic kernel testing failed: BUG: using smp_processor_id() in preemptible code in ext4_mb_new_blocks # git bisect skip 43b1bb4a9b3e183af12225f56c27164c10d06223 Bisecting: 1343 revisions left to test after this (roughly 10 steps) [35759383133f64d90eba120a0d3efe8f71241650] mptcp: sendmsg: reset iter on error testing commit 35759383133f64d90eba120a0d3efe8f71241650 with gcc (GCC) 8.1.0 kernel signature: 282a707dce9097a7988a9ad4b0586afcc6734c095bd5a5fbd30618e4b1dc8ff1 all runs: OK # git bisect good 35759383133f64d90eba120a0d3efe8f71241650 Bisecting: 432 revisions left to test after this (roughly 9 steps) [4cf7562190c795f1f95be6ee0d161107d0dc5d49] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net testing commit 4cf7562190c795f1f95be6ee0d161107d0dc5d49 with gcc (GCC) 8.1.0 kernel signature: 0554fdfca18e008f480cfb36b8a22c0952749f00ef53c2a5a9ba0378e09df80d all runs: OK # git bisect good 4cf7562190c795f1f95be6ee0d161107d0dc5d49 Bisecting: 215 revisions left to test after this (roughly 8 steps) [9e574b74b781f14fa7348ba8b980b19a250a9c83] Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi testing commit 9e574b74b781f14fa7348ba8b980b19a250a9c83 with gcc (GCC) 8.1.0 kernel signature: 6c759eeb3c518506750c05fac06b19cd0d0494fcac8e353268ceb4ce845cf91c all runs: OK # git bisect good 9e574b74b781f14fa7348ba8b980b19a250a9c83 Bisecting: 112 revisions left to test after this (roughly 7 steps) [550c2129d93d5eb198835ac83c05ef672e8c491c] Merge tag 'x86-urgent-2020-08-23' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip testing commit 550c2129d93d5eb198835ac83c05ef672e8c491c with gcc (GCC) 8.1.0 kernel signature: 195d293bfb6edd9cb5a5e61f66e70fb808f7bafa910ce2705020e1c392d2ffc4 run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release run #1: crashed: kernel BUG at fs/inode.c:LINE! run #2: crashed: kernel BUG at fs/inode.c:LINE! run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release run #7: crashed: kernel BUG at fs/inode.c:LINE! run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release run #9: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release # git bisect bad 550c2129d93d5eb198835ac83c05ef672e8c491c Bisecting: 51 revisions left to test after this (roughly 6 steps) [4af7b32f84aa4cd60e39b355bc8a1eab6cd8d8a4] Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf testing commit 4af7b32f84aa4cd60e39b355bc8a1eab6cd8d8a4 with gcc (GCC) 8.1.0 kernel signature: 9fc407aae6a2b6cd75f2fe3eb6a556da35806564bbbd64fc1175416bae069531 all runs: OK # git bisect good 4af7b32f84aa4cd60e39b355bc8a1eab6cd8d8a4 Bisecting: 20 revisions left to test after this (roughly 5 steps) [c3d8f220d01220a5b253e422be407d068dc65511] Merge tag 'kbuild-fixes-v5.9' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild testing commit c3d8f220d01220a5b253e422be407d068dc65511 with gcc (GCC) 8.1.0 kernel signature: 333092e98b0dd37694ad4196d39fe5d04f8d2c61ff1f382f5aff7736cff4df51 all runs: OK # git bisect good c3d8f220d01220a5b253e422be407d068dc65511 Bisecting: 11 revisions left to test after this (roughly 3 steps) [e99b2507baccca79394ec646e3d1a0884667ea98] Merge tag 'core-urgent-2020-08-23' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip testing commit e99b2507baccca79394ec646e3d1a0884667ea98 with gcc (GCC) 8.1.0 kernel signature: 79332b27e247dbeba9e2a2864e9e3f9c121da8c7e929395c34b2f6fd65881c61 run #0: crashed: WARNING: ODEBUG bug in exit_to_user_mode_prepare run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release run #2: crashed: kernel BUG at fs/inode.c:LINE! run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release run #7: crashed: kernel BUG at fs/inode.c:LINE! run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release run #9: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release # git bisect bad e99b2507baccca79394ec646e3d1a0884667ea98 Bisecting: 3 revisions left to test after this (roughly 2 steps) [9d045ed1ebe1a6115d3fa9930c5371defb31d95a] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net testing commit 9d045ed1ebe1a6115d3fa9930c5371defb31d95a with gcc (GCC) 8.1.0 kernel signature: f2a8d95eebf313e312e0342b111d1aadbf61f0ea7e79a03d664da9fbe2be8cc4 run #0: crashed: kernel BUG at fs/inode.c:LINE! run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release run #2: crashed: kernel BUG at fs/inode.c:LINE! run #3: crashed: kernel BUG at fs/inode.c:LINE! run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release run #7: crashed: kernel BUG at fs/inode.c:LINE! run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release run #9: crashed: BUG: unable to handle kernel NULL pointer dereference in __fput # git bisect bad 9d045ed1ebe1a6115d3fa9930c5371defb31d95a Bisecting: 2 revisions left to test after this (roughly 1 step) [52c479697c9b73f628140dcdfcd39ea302d05482] do_epoll_ctl(): clean the failure exits up a bit testing commit 52c479697c9b73f628140dcdfcd39ea302d05482 with gcc (GCC) 8.1.0 kernel signature: 109e119def27eb1cc534c13dc9830023938bd23662afad6f29ca4415614cf7f9 run #0: crashed: kernel BUG at fs/inode.c:LINE! run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release run #2: crashed: kernel BUG at fs/inode.c:LINE! run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release run #4: crashed: kernel BUG at fs/inode.c:LINE! run #5: crashed: kernel BUG at fs/inode.c:LINE! run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release run #9: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release # git bisect bad 52c479697c9b73f628140dcdfcd39ea302d05482 Bisecting: 0 revisions left to test after this (roughly 0 steps) [a9ed4a6560b8562b7e2e2bed9527e88001f7b682] epoll: Keep a reference on files added to the check list testing commit a9ed4a6560b8562b7e2e2bed9527e88001f7b682 with gcc (GCC) 8.1.0 kernel signature: d74f218f1d3e6ebc6587d06f4c6b8ab094736c04f79d789ad8f0a35063a371f1 run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release run #1: crashed: kernel BUG at fs/inode.c:LINE! run #2: crashed: kernel BUG at fs/inode.c:LINE! run #3: crashed: kernel BUG at fs/inode.c:LINE! run #4: crashed: WARNING: ODEBUG bug in exit_to_user_mode_prepare run #5: crashed: kernel BUG at fs/inode.c:LINE! run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release run #9: crashed: BUG: unable to handle kernel NULL pointer dereference in __sock_release # git bisect bad a9ed4a6560b8562b7e2e2bed9527e88001f7b682 a9ed4a6560b8562b7e2e2bed9527e88001f7b682 is the first bad commit commit a9ed4a6560b8562b7e2e2bed9527e88001f7b682 Author: Marc Zyngier Date: Wed Aug 19 17:12:17 2020 +0100 epoll: Keep a reference on files added to the check list When adding a new fd to an epoll, and that this new fd is an epoll fd itself, we recursively scan the fds attached to it to detect cycles, and add non-epool files to a "check list" that gets subsequently parsed. However, this check list isn't completely safe when deletions can happen concurrently. To sidestep the issue, make sure that a struct file placed on the check list sees its f_count increased, ensuring that a concurrent deletion won't result in the file disapearing from under our feet. Cc: stable@vger.kernel.org Signed-off-by: Marc Zyngier Signed-off-by: Al Viro fs/eventpoll.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) parent commit 9123e3a74ec7b934a4a099e98af6a61c2f80bbf5 wasn't tested testing commit 9123e3a74ec7b934a4a099e98af6a61c2f80bbf5 with gcc (GCC) 8.1.0 kernel signature: 5f9e6f6678a9cc6935d8cc91dec323a053695e719003b31173e9efa2cbe8ffda culprit signature: d74f218f1d3e6ebc6587d06f4c6b8ab094736c04f79d789ad8f0a35063a371f1 parent signature: 5f9e6f6678a9cc6935d8cc91dec323a053695e719003b31173e9efa2cbe8ffda revisions tested: 20, total time: 4h5m23.75280005s (build: 1h40m7.456185652s, test: 2h23m19.992795514s) first bad commit: a9ed4a6560b8562b7e2e2bed9527e88001f7b682 epoll: Keep a reference on files added to the check list recipients (to): ["linux-kernel@vger.kernel.org" "maz@kernel.org" "viro@zeniv.linux.org.uk"] recipients (cc): ["linux-fsdevel@vger.kernel.org" "viro@zeniv.linux.org.uk"] crash: BUG: unable to handle kernel NULL pointer dereference in __sock_release BUG: kernel NULL pointer dereference, address: 0000000000000010 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 10e844067 P4D 10e844067 PUD 10e810067 PMD 0 Oops: 0000 [#1] PREEMPT SMP CPU: 1 PID: 15344 Comm: syz-executor.2 Not tainted 5.9.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:__sock_release+0x2f/0xa0 net/socket.c:596 Code: 8b 47 20 48 89 fb 48 85 c0 74 42 48 85 f6 4c 8b 60 08 74 5b 48 8d ae e0 00 00 00 48 89 ef e8 88 f7 7f 00 48 8b 43 20 48 89 df 50 10 48 c7 43 18 00 00 00 00 48 89 ef e8 ae 4f 9e fe 48 c7 43 RSP: 0018:ffffc90003e37e88 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff88810f926040 RCX: 0000000000000001 RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff88810f926040 RBP: ffff88810f9261e0 R08: 0000000000000000 R09: 0000000000000001 R10: ffffc90003e37e88 R11: 43a3b80a781bfedb R12: 0000000000000000 R13: ffff88821ba6b560 R14: ffff88810f967270 R15: 0000000000000000 FS: 00007f012b2be700(0000) GS:ffff88812c100000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000010 CR3: 000000010ee3d000 CR4: 00000000001506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: sock_close+0xf/0x20 net/socket.c:1277 __fput+0xaa/0x250 fs/file_table.c:281 task_work_run+0x68/0xb0 kernel/task_work.c:141 tracehook_notify_resume include/linux/tracehook.h:188 [inline] exit_to_user_mode_loop kernel/entry/common.c:139 [inline] exit_to_user_mode_prepare+0x1e2/0x1f0 kernel/entry/common.c:166 syscall_exit_to_user_mode+0x59/0x2b0 kernel/entry/common.c:241 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x45d5b9 Code: 5d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007f012b2bdc78 EFLAGS: 00000246 ORIG_RAX: 00000000000000e9 RAX: 0000000000000000 RBX: 0000000000002ac0 RCX: 000000000045d5b9 RDX: 0000000000000004 RSI: 0000000000000001 RDI: 0000000000000005 RBP: 000000000118cf88 R08: 0000000000000000 R09: 0000000000000000 R10: 00000000200003c0 R11: 0000000000000246 R12: 000000000118cf4c R13: 00007ffff23cd18f R14: 00007f012b2be9c0 R15: 000000000118cf4c Modules linked in: CR2: 0000000000000010 ---[ end trace e8ef522c782667f6 ]--- RIP: 0010:__sock_release+0x2f/0xa0 net/socket.c:596 Code: 8b 47 20 48 89 fb 48 85 c0 74 42 48 85 f6 4c 8b 60 08 74 5b 48 8d ae e0 00 00 00 48 89 ef e8 88 f7 7f 00 48 8b 43 20 48 89 df 50 10 48 c7 43 18 00 00 00 00 48 89 ef e8 ae 4f 9e fe 48 c7 43 RSP: 0018:ffffc90003e37e88 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff88810f926040 RCX: 0000000000000001 RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff88810f926040 RBP: ffff88810f9261e0 R08: 0000000000000000 R09: 0000000000000001 R10: ffffc90003e37e88 R11: 43a3b80a781bfedb R12: 0000000000000000 R13: ffff88821ba6b560 R14: ffff88810f967270 R15: 0000000000000000 FS: 00007f012b2be700(0000) GS:ffff88812c100000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000744138 CR3: 000000010ee3d000 CR4: 00000000001506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400