bisecting cause commit starting from 282ffdf30a3edfb1ab6873cc7f4dc71e9c7afa31
building syzkaller on 4fb74474cf0af2126be3a8989d770c3947ae9478
testing commit 282ffdf30a3edfb1ab6873cc7f4dc71e9c7afa31 with gcc (GCC) 8.1.0
kernel signature: 460b4d10a482e44e0d896846671f2d453ca47508
all runs: crashed: WARNING: refcount bug in put_watch
testing release v5.4
testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0
kernel signature: 234ae3280834e4c2dfd96aa3934bc5154a3ea777
all runs: OK
# git bisect start 282ffdf30a3edfb1ab6873cc7f4dc71e9c7afa31 219d54332a09e8d8741c1e1982f5eae56099de85
Bisecting: 7879 revisions left to test after this (roughly 13 steps)
[8c39f71ee2019e77ee14f88b1321b2348db51820] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
testing commit 8c39f71ee2019e77ee14f88b1321b2348db51820 with gcc (GCC) 8.1.0
kernel signature: 3ef7903a9e9e5178d18315838e3eb6a2d81cd7b5
all runs: OK
# git bisect good 8c39f71ee2019e77ee14f88b1321b2348db51820
Bisecting: 3845 revisions left to test after this (roughly 12 steps)
[ef2cc88e2a205b8a11a19e78db63a70d3728cdf5] Merge tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi
testing commit ef2cc88e2a205b8a11a19e78db63a70d3728cdf5 with gcc (GCC) 8.1.0
kernel signature: cb79476463fc6a31710418057b4adb72160a910f
all runs: OK
# git bisect good ef2cc88e2a205b8a11a19e78db63a70d3728cdf5
Bisecting: 1781 revisions left to test after this (roughly 11 steps)
[31f4543422035fde2e32c3f7fcf03c370c1f44bf] Merge remote-tracking branch 'arm-soc/for-next'
testing commit 31f4543422035fde2e32c3f7fcf03c370c1f44bf with gcc (GCC) 8.1.0
kernel signature: 40e5898560e5f625091ca7b27695071781fe7d27
all runs: OK
# git bisect good 31f4543422035fde2e32c3f7fcf03c370c1f44bf
Bisecting: 904 revisions left to test after this (roughly 10 steps)
[98f55caa694044d247c37955a5a0f714372d8c82] Merge remote-tracking branch 'gfs2/for-next'
testing commit 98f55caa694044d247c37955a5a0f714372d8c82 with gcc (GCC) 8.1.0
kernel signature: 8b07cb447c98e453123b33c1f17ffdb7a997552e
all runs: OK
# git bisect good 98f55caa694044d247c37955a5a0f714372d8c82
Bisecting: 452 revisions left to test after this (roughly 9 steps)
[68932f958bbe92f2861181f5f86bb98856e81bc9] Merge remote-tracking branch 'block/for-next'
testing commit 68932f958bbe92f2861181f5f86bb98856e81bc9 with gcc (GCC) 8.1.0
kernel signature: e521f5cc9311ba4421a6cd7ebeb00ce78f2e0c80
all runs: OK
# git bisect good 68932f958bbe92f2861181f5f86bb98856e81bc9
Bisecting: 238 revisions left to test after this (roughly 8 steps)
[109b260469cc2f8b25477ffc02ee05e75ff057a0] Merge remote-tracking branch 'y2038/y2038'
testing commit 109b260469cc2f8b25477ffc02ee05e75ff057a0 with gcc (GCC) 8.1.0
kernel signature: 5b7901b95062762bbdd32a1858fd0387cef4fc68
all runs: crashed: WARNING: refcount bug in put_watch
# git bisect bad 109b260469cc2f8b25477ffc02ee05e75ff057a0
Bisecting: 90 revisions left to test after this (roughly 7 steps)
[0e358b88efc770ab1c3a153f5c8bf03180e0cc7b] Merge remote-tracking branch 'tip/auto-latest'
testing commit 0e358b88efc770ab1c3a153f5c8bf03180e0cc7b with gcc (GCC) 8.1.0
kernel signature: a1522f63e486bd951e23076ca634dd049a4fe827
all runs: crashed: WARNING: refcount bug in put_watch
# git bisect bad 0e358b88efc770ab1c3a153f5c8bf03180e0cc7b
Bisecting: 54 revisions left to test after this (roughly 6 steps)
[3670f60e5517b01ecdd6feb389de86317203e32a] manual merge of WIP.x86/cleanups
testing commit 3670f60e5517b01ecdd6feb389de86317203e32a with gcc (GCC) 8.1.0
kernel signature: 684de4424ad74810813f7c913b56fe95a2ce7a7f
all runs: OK
# git bisect good 3670f60e5517b01ecdd6feb389de86317203e32a
Bisecting: 33 revisions left to test after this (roughly 5 steps)
[1ba055f688793b847cdedf95a13e802458145b50] Merge remote-tracking branch 'smack/for-next'
testing commit 1ba055f688793b847cdedf95a13e802458145b50 with gcc (GCC) 8.1.0
kernel signature: bd06d058c9ec2ce0cf58e0628d2d4bb841f3bf6c
all runs: crashed: WARNING: refcount bug in put_watch
# git bisect bad 1ba055f688793b847cdedf95a13e802458145b50
Bisecting: 10 revisions left to test after this (roughly 3 steps)
[e1eddc1bde17e6c643e103949ac63e553b80ee84] selinux: Implement the watch_key security hook
testing commit e1eddc1bde17e6c643e103949ac63e553b80ee84 with gcc (GCC) 8.1.0
kernel signature: 7261b6afcd8a6366bd127c63e00470a72e4f2677
all runs: OK
# git bisect good e1eddc1bde17e6c643e103949ac63e553b80ee84
Bisecting: 4 revisions left to test after this (roughly 3 steps)
[02c62bfcbd1c78a788e163291ca054b3ec9740b3] Merge remote-tracking branch 'keys/keys-next'
testing commit 02c62bfcbd1c78a788e163291ca054b3ec9740b3 with gcc (GCC) 8.1.0
kernel signature: 75e5669315115854f700a8d4656531cfedfbf101
all runs: crashed: WARNING: refcount bug in put_watch
# git bisect bad 02c62bfcbd1c78a788e163291ca054b3ec9740b3
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[643bbc0fce60583112530da9435eeae9c58d6b96] Merge remote-tracking branch 'device-mapper/for-next'
testing commit 643bbc0fce60583112530da9435eeae9c58d6b96 with gcc (GCC) 8.1.0
kernel signature: 71120b635cebc3b87a56ef25a145424b2a575436
all runs: OK
# git bisect good 643bbc0fce60583112530da9435eeae9c58d6b96
Bisecting: 0 revisions left to test after this (roughly 1 step)
[48274e1e5d24407bb2acb768c093add00bf92823] Merge branch 'notifications-core' into keys-next
testing commit 48274e1e5d24407bb2acb768c093add00bf92823 with gcc (GCC) 8.1.0
kernel signature: 4b7c045cb1506740201eff20d3ed1bc0894ed58a
all runs: OK
# git bisect good 48274e1e5d24407bb2acb768c093add00bf92823
02c62bfcbd1c78a788e163291ca054b3ec9740b3 is the first bad commit
commit 02c62bfcbd1c78a788e163291ca054b3ec9740b3
Merge: 643bbc0fce60 48274e1e5d24
Author: Stephen Rothwell
Date:   Thu Dec 5 10:32:03 2019 +1100

    Merge remote-tracking branch 'keys/keys-next'

    # Conflicts:
    #   include/linux/security.h
    #   samples/Kconfig
    #   samples/Makefile

 Documentation/security/keys/core.rst              |  58 ++
 Documentation/userspace-api/ioctl/ioctl-number.rst |   1 +
 Documentation/watch_queue.rst                      | 460 +++++++++++
 arch/alpha/kernel/syscalls/syscall.tbl             |   1 +
 arch/arm/tools/syscall.tbl                         |   1 +
 arch/arm64/include/asm/unistd.h                    |   2 +-
 arch/arm64/include/asm/unistd32.h                  |   2 +
 arch/ia64/kernel/syscalls/syscall.tbl              |   1 +
 arch/m68k/kernel/syscalls/syscall.tbl              |   1 +
 arch/microblaze/kernel/syscalls/syscall.tbl        |   1 +
 arch/mips/kernel/syscalls/syscall_n32.tbl          |   1 +
 arch/mips/kernel/syscalls/syscall_n64.tbl          |   1 +
 arch/mips/kernel/syscalls/syscall_o32.tbl          |   1 +
 arch/parisc/kernel/syscalls/syscall.tbl            |   1 +
 arch/powerpc/kernel/syscalls/syscall.tbl           |   1 +
 arch/s390/kernel/syscalls/syscall.tbl              |   1 +
 arch/sh/kernel/syscalls/syscall.tbl                |   1 +
 arch/sparc/kernel/syscalls/syscall.tbl             |   1 +
 arch/x86/entry/syscalls/syscall_32.tbl             |   1 +
 arch/x86/entry/syscalls/syscall_64.tbl             |   1 +
 arch/xtensa/kernel/syscalls/syscall.tbl            |   1 +
 block/Kconfig                                      |   9 +
 block/blk-core.c                                   |  29 +
 drivers/base/Kconfig                               |   9 +
 drivers/base/Makefile                              |   1 +
 drivers/base/watch.c                               |  90 +++
 drivers/misc/Kconfig                               |  13 +
 drivers/misc/Makefile                              |   1 +
 drivers/misc/watch_queue.c                         | 898 +++++++++++++++++++++
 drivers/usb/core/Kconfig                           |   9 +
 drivers/usb/core/devio.c                           |  49 ++
 drivers/usb/core/hub.c                             |   4 +
 include/linux/blkdev.h                             |  15 +
 include/linux/device.h                             |   7 +
 include/linux/key.h                                |   3 +
 include/linux/lsm_audit.h                          |   1 +
 include/linux/lsm_hooks.h                          |  38 +
 include/linux/sched/user.h                         |   3 +-
 include/linux/security.h                           |  31 +
 include/linux/syscalls.h                           |   1 +
 include/linux/usb.h                                |  18 +
 include/linux/watch_queue.h                        |  94 +++
 include/uapi/asm-generic/unistd.h                  |   4 +-
 include/uapi/linux/keyctl.h                        |   2 +
 include/uapi/linux/watch_queue.h                   | 181 +++++
 kernel/sys_ni.c                                    |   1 +
 samples/Kconfig                                    |   8 +-
 samples/Makefile                                   |   1 +
 samples/watch_queue/Makefile                       |   7 +
 samples/watch_queue/watch_test.c                   | 231 ++++++
 security/keys/Kconfig                              |   9 +
 security/keys/compat.c                             |   3 +
 security/keys/gc.c                                 |   5 +
 security/keys/internal.h                           |  30 +-
 security/keys/key.c                                |  38 +-
 security/keys/keyctl.c                             |  99 ++-
 security/keys/keyring.c                            |  20 +-
 security/keys/request_key.c                        |   4 +-
 security/security.c                                |  23 +
 security/selinux/hooks.c                           |  14 +
 security/smack/smack_lsm.c                         |  83 +-
 61 files changed, 2593 insertions(+), 32 deletions(-)
 create mode 100644 Documentation/watch_queue.rst
 create mode 100644 drivers/base/watch.c
 create mode 100644 drivers/misc/watch_queue.c
 create mode 100644 include/linux/watch_queue.h
 create mode 100644 include/uapi/linux/watch_queue.h
 create mode 100644 samples/watch_queue/Makefile
 create mode 100644 samples/watch_queue/watch_test.c

revisions tested: 15, total time: 3h35m26.815454485s (build: 1h35m36.970886267s, test: 1h57m41.48417005s)
first bad commit: 02c62bfcbd1c78a788e163291ca054b3ec9740b3 Merge remote-tracking branch 'keys/keys-next'
cc: ["akpm@linux-foundation.org" "christian@brauner.io" "corbet@lwn.net" "dan.j.williams@intel.com" "dhowells@redhat.com" "gregkh@linuxfoundation.org" "heikki.krogerus@linux.intel.com" "jannh@google.com" "joe@perches.com" "linux-doc@vger.kernel.org" "linux-kernel@vger.kernel.org" "logang@deltatee.com" "mchehab+samsung@kernel.org" "oleg@redhat.com" "rafael.j.wysocki@intel.com" "saravanak@google.com" "sfr@canb.auug.org.au" "suzuki.poulose@arm.com" "tglx@linutronix.de" "viro@zeniv.linux.org.uk" "yamada.masahiro@socionext.com"]
crash: WARNING: refcount bug in put_watch
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 0 PID: 7627 at lib/refcount.c:28 refcount_warn_saturate+0x135/0x140 lib/refcount.c:28
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 7627 Comm: syz-executor.0 Not tainted 5.4.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x12d/0x187 lib/dump_stack.c:118
 panic+0x22a/0x4e3 kernel/panic.c:221
 __warn.cold.10+0x25/0x2a kernel/panic.c:582
 report_bug+0x1b0/0x270 lib/bug.c:195
 fixup_bug arch/x86/kernel/traps.c:174 [inline]
 do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:267
 do_invalid_op+0x36/0x40 arch/x86/kernel/traps.c:286
 invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027
RIP: 0010:refcount_warn_saturate+0x135/0x140 lib/refcount.c:28
Code: bb f4 fd 0f 0b e9 51 ff ff ff 48 89 df e8 83 23 54 fe e9 1f ff ff ff 48 c7 c7 c0 e5 cb 87 c6 05 34 2a 5f 06 01 e8 f3 ba f4 fd <0f> 0b e9 2a ff ff ff 0f 1f 40 00 55 be 04 00 00 00 48 89 e5 41 57
RSP: 0018:ffffc90002917d58 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffff8880801a9f58 RCX: 0000000000000000
RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffffff8a91c4e0
RBP: ffffc90002917d68 R08: ffffed1015d46621 R09: ffffed1015d46621
R10: ffffed1015d46620 R11: ffff8880aea33107 R12: 0000000000000003
R13: ffff8880801a9f00 R14: ffff8880801a9f28 R15: ffff8880801a9f18
 refcount_sub_and_test include/linux/refcount.h:261 [inline]
 refcount_dec_and_test include/linux/refcount.h:281 [inline]
 kref_put include/linux/kref.h:64 [inline]
 put_watch+0x54/0x60 drivers/misc/watch_queue.c:633
 watch_queue_clear drivers/misc/watch_queue.c:826 [inline]
 watch_queue_release+0x275/0xab0 drivers/misc/watch_queue.c:842
 __fput+0x25a/0x770 fs/file_table.c:280
 ____fput+0x9/0x10 fs/file_table.c:313
 task_work_run+0x108/0x180 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_usermode_loop+0x24e/0x2e0 arch/x86/entry/common.c:164
 prepare_exit_to_usermode arch/x86/entry/common.c:195 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:278 [inline]
 do_syscall_64+0x4ff/0x5f0 arch/x86/entry/common.c:304
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x414211
Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007ffe3a333830 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000004 RCX: 0000000000414211
RDX: 0000001b2f320000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 0000000000000001 R08: ffffffffffffffff R09: ffffffffffffffff
R10: 00007ffe3a333910 R11: 0000000000000293 R12: 000000000075bf20
R13: 000000000000e41e R14: 0000000000760130 R15: 000000000075bf2c
Kernel Offset: disabled
Rebooting in 86400 seconds..