bisecting cause commit starting from fe75a21824e78405b8d812421974524092250c63 building syzkaller on 52e3731913ab2677be27c29ed8142b04e8f28521 testing commit fe75a21824e78405b8d812421974524092250c63 with gcc (GCC) 8.1.0 kernel signature: 888c076d55c6c46f118aed083e5a565bc01bed69898741c2acad2e1fe52bf104 run #0: crashed: BUG: corrupted list in kobject_add_internal run #1: crashed: BUG: corrupted list in kobject_add_internal run #2: crashed: BUG: corrupted list in kobject_add_internal run #3: crashed: BUG: corrupted list in kobject_add_internal run #4: crashed: BUG: corrupted list in kobject_add_internal run #5: crashed: BUG: corrupted list in kobj_kset_leave run #6: crashed: BUG: corrupted list in kmem_cache_destroy run #7: crashed: BUG: corrupted list in kobject_add_internal run #8: crashed: BUG: corrupted list in kmem_cache_destroy run #9: crashed: BUG: corrupted list in kobject_add_internal testing release v5.10 testing commit 2c85ebc57b3e1817b6ce1a6b703928e113a90442 with gcc (GCC) 8.1.0 kernel signature: e508189465d39ffd8a9dcf9ccae50cef7d9bf7cb4686aa21cb801f2c95ce4704 all runs: crashed: BUG: corrupted list in kobject_add_internal testing release v5.9 testing commit bbf5c979011a099af5dc76498918ed7df445635b with gcc (GCC) 8.1.0 kernel signature: b0669908e972d5961842171da3a8b0dc1740fd1cd57a3632345365e6d92d2536 all runs: crashed: BUG: corrupted list in kobject_add_internal testing release v5.8 testing commit bcf876870b95592b52519ed4aafcf9d95999bc9c with gcc (GCC) 8.1.0 kernel signature: ce3310a5b3e1c3295d73e0faafb06452de190f31f47c7d2c554179e95531b680 run #0: crashed: BUG: corrupted list in kobject_add_internal run #1: crashed: BUG: corrupted list in kobject_add_internal run #2: crashed: BUG: corrupted list in kobject_add_internal run #3: crashed: BUG: corrupted list in kobject_add_internal run #4: crashed: BUG: corrupted list in kobject_add_internal run #5: crashed: BUG: corrupted list in kobject_add_internal run #6: crashed: BUG: corrupted list in kobject_add_internal run #7: crashed: BUG: corrupted list in kobject_add_internal run #8: crashed: BUG: corrupted list in kobject_add_internal run #9: crashed: INFO: rcu detected stall in corrupted testing release v5.7 testing commit 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162 with gcc (GCC) 8.1.0 kernel signature: 7cd99adf0fef5b2dcb30a48a4dca138dc666a4d8d6b386418460f81c452b4dbc all runs: OK # git bisect start bcf876870b95592b52519ed4aafcf9d95999bc9c 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162 Bisecting: 8752 revisions left to test after this (roughly 13 steps) [694b5a5d313f3997764b67d52bab66ec7e59e714] Merge tag 'arm-soc-5.8' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc testing commit 694b5a5d313f3997764b67d52bab66ec7e59e714 with gcc (GCC) 8.1.0 kernel signature: c5bcb2a3ec06b7602aa083306b0f1fea3d5add22a586bf0c0a739493bf4b249a all runs: crashed: KASAN: invalid-free in create_cache # git bisect bad 694b5a5d313f3997764b67d52bab66ec7e59e714 Bisecting: 4417 revisions left to test after this (roughly 12 steps) [2e63f6ce7ed2c4ff83ba30ad9ccad422289a6c63] Merge branch 'uaccess.comedi' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs testing commit 2e63f6ce7ed2c4ff83ba30ad9ccad422289a6c63 with gcc (GCC) 8.1.0 kernel signature: a0346766786ea6a4bd69edf1324d3eeabae91c7dac014d9730b088cee905c9ad all runs: OK # git bisect good 2e63f6ce7ed2c4ff83ba30ad9ccad422289a6c63 Bisecting: 2208 revisions left to test after this (roughly 11 steps) [5df42c8267418bfb8da54cc4772b397ea4c88aea] ice: fix MAC write command testing commit 5df42c8267418bfb8da54cc4772b397ea4c88aea with gcc (GCC) 8.1.0 kernel signature: 43e8da30e64b3d75f5f93eaa97b3f6c927eb6a9b44d8f445ac68efaeffa031a5 all runs: OK # git bisect good 5df42c8267418bfb8da54cc4772b397ea4c88aea Bisecting: 1032 revisions left to test after this (roughly 10 steps) [a98f670e41a99f53acb1fb33cee9c6abbb2e6f23] Merge tag 'media/v5.8-1' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media testing commit a98f670e41a99f53acb1fb33cee9c6abbb2e6f23 with gcc (GCC) 8.1.0 kernel signature: eb0886a24baaf6ba24137f18a1f5876e9acfc291ff3fa82c79f9608bdf6daa46 all runs: crashed: KASAN: invalid-free in create_cache # git bisect bad a98f670e41a99f53acb1fb33cee9c6abbb2e6f23 Bisecting: 636 revisions left to test after this (roughly 9 steps) [c444eb564fb16645c172d550359cb3d75fe8a040] mm: thp: make the THP mapcount atomic against __split_huge_pmd_locked() testing commit c444eb564fb16645c172d550359cb3d75fe8a040 with gcc (GCC) 8.1.0 kernel signature: 08b5d6f4d00d330a42a763ec6da6612a54762846acbd462ed229c98ee44c7402 all runs: OK # git bisect good c444eb564fb16645c172d550359cb3d75fe8a040 Bisecting: 318 revisions left to test after this (roughly 8 steps) [3b5af3171e2d5a73ae6f04965ed653d039904eb6] media: cec: silence shift wrapping warning in __cec_s_log_addrs() testing commit 3b5af3171e2d5a73ae6f04965ed653d039904eb6 with gcc (GCC) 8.1.0 kernel signature: 2df62fecff92193fe72b483d95e05e8ee502c076cc8a2f275afa8bc3243c19eb all runs: boot failed: kernel panic: VFS: Unable to mount root fs on unknown-block(8,1) # git bisect skip 3b5af3171e2d5a73ae6f04965ed653d039904eb6 Bisecting: 318 revisions left to test after this (roughly 8 steps) [abb242f57196dbaa108271575353a0453f6834ef] mm: memcontrol: fix stat-corrupting race in charge moving testing commit abb242f57196dbaa108271575353a0453f6834ef with gcc (GCC) 8.1.0 kernel signature: 6ca403342c371fe07dfbc4519b33836feef96401f078566b0950b1ffa64b451d all runs: crashed: KASAN: invalid-free in create_cache # git bisect bad abb242f57196dbaa108271575353a0453f6834ef Bisecting: 41 revisions left to test after this (roughly 5 steps) [3334a45eb9e2bb040c880ef65e1d72357a0a008b] mm/page_alloc: use ac->high_zoneidx for classzone_idx testing commit 3334a45eb9e2bb040c880ef65e1d72357a0a008b with gcc (GCC) 8.1.0 kernel signature: fa45783f5c409c833ce6ea561d3b8f71dbadaf4616566588d237aeb235c03cca all runs: crashed: KASAN: invalid-free in create_cache # git bisect bad 3334a45eb9e2bb040c880ef65e1d72357a0a008b Bisecting: 20 revisions left to test after this (roughly 4 steps) [625bf73ed27f337ccc7d750087423df679a7f733] parisc: simplify detection of memory zone boundaries testing commit 625bf73ed27f337ccc7d750087423df679a7f733 with gcc (GCC) 8.1.0 kernel signature: 2386a9be78178c8011354fd99f84c917cdf4aa993e6881af5aa2bb0f6373f123 all runs: crashed: KASAN: invalid-free in create_cache # git bisect bad 625bf73ed27f337ccc7d750087423df679a7f733 Bisecting: 10 revisions left to test after this (roughly 3 steps) [574c1ae66c12410a08aeef8474936baa50e0371d] mm: clarify __GFP_MEMALLOC usage testing commit 574c1ae66c12410a08aeef8474936baa50e0371d with gcc (GCC) 8.1.0 kernel signature: 78f6a8832a835cdf5ffbaa30e0bd9c61a5ab8caf36f623a8c4dbb82aa9aaf320 all runs: crashed: KASAN: invalid-free in create_cache # git bisect bad 574c1ae66c12410a08aeef8474936baa50e0371d Bisecting: 4 revisions left to test after this (roughly 2 steps) [104acc327648b347d1716374586803e82fa1dc95] mm/gup: introduce pin_user_pages_fast_only() testing commit 104acc327648b347d1716374586803e82fa1dc95 with gcc (GCC) 8.1.0 kernel signature: ae8e02180cb08d84204e7df37e5ce75dc360554843510f6c2748135d40057a79 all runs: crashed: KASAN: invalid-free in create_cache # git bisect bad 104acc327648b347d1716374586803e82fa1dc95 Bisecting: 1 revision left to test after this (roughly 1 step) [9e1f0580d37e0d3fcfc2274128a5cc476feba5d0] mm/gup: move __get_user_pages_fast() down a few lines in gup.c testing commit 9e1f0580d37e0d3fcfc2274128a5cc476feba5d0 with gcc (GCC) 8.1.0 kernel signature: d64a1bbdf14104d14031bc42101978217c0d4d2500b17cab77d7152ee49bb6fd all runs: crashed: KASAN: invalid-free in create_cache # git bisect bad 9e1f0580d37e0d3fcfc2274128a5cc476feba5d0 Bisecting: 0 revisions left to test after this (roughly 1 step) [dd8657b6c1cb5e65b13445b4a038736e81cf80ea] mm/memcg: optimize memory.numa_stat like memory.stat testing commit dd8657b6c1cb5e65b13445b4a038736e81cf80ea with gcc (GCC) 8.1.0 kernel signature: 0da72a5803cd90033c3224032b403c934faf26bf0530aaba32d8d2aaee47737f all runs: crashed: KASAN: invalid-free in create_cache # git bisect bad dd8657b6c1cb5e65b13445b4a038736e81cf80ea Bisecting: 0 revisions left to test after this (roughly 0 steps) [dde3c6b72a16c2db826f54b2d49bdea26c3534a2] mm/slub: fix a memory leak in sysfs_slab_add() testing commit dde3c6b72a16c2db826f54b2d49bdea26c3534a2 with gcc (GCC) 8.1.0 kernel signature: 79aaafe8fb076e1896c627a64e605cd7386d0308c5d68046a78992dd62101948 all runs: crashed: KASAN: invalid-free in create_cache # git bisect bad dde3c6b72a16c2db826f54b2d49bdea26c3534a2 dde3c6b72a16c2db826f54b2d49bdea26c3534a2 is the first bad commit commit dde3c6b72a16c2db826f54b2d49bdea26c3534a2 Author: Wang Hai Date: Wed Jun 3 15:56:21 2020 -0700 mm/slub: fix a memory leak in sysfs_slab_add() syzkaller reports for memory leak when kobject_init_and_add() returns an error in the function sysfs_slab_add() [1] When this happened, the function kobject_put() is not called for the corresponding kobject, which potentially leads to memory leak. This patch fixes the issue by calling kobject_put() even if kobject_init_and_add() fails. [1] BUG: memory leak unreferenced object 0xffff8880a6d4be88 (size 8): comm "syz-executor.3", pid 946, jiffies 4295772514 (age 18.396s) hex dump (first 8 bytes): 70 69 64 5f 33 00 ff ff pid_3... backtrace: kstrdup+0x35/0x70 mm/util.c:60 kstrdup_const+0x3d/0x50 mm/util.c:82 kvasprintf_const+0x112/0x170 lib/kasprintf.c:48 kobject_set_name_vargs+0x55/0x130 lib/kobject.c:289 kobject_add_varg lib/kobject.c:384 [inline] kobject_init_and_add+0xd8/0x170 lib/kobject.c:473 sysfs_slab_add+0x1d8/0x290 mm/slub.c:5811 __kmem_cache_create+0x50a/0x570 mm/slub.c:4384 create_cache+0x113/0x1e0 mm/slab_common.c:407 kmem_cache_create_usercopy+0x1a1/0x260 mm/slab_common.c:505 kmem_cache_create+0xd/0x10 mm/slab_common.c:564 create_pid_cachep kernel/pid_namespace.c:54 [inline] create_pid_namespace kernel/pid_namespace.c:96 [inline] copy_pid_ns+0x77c/0x8f0 kernel/pid_namespace.c:148 create_new_namespaces+0x26b/0xa30 kernel/nsproxy.c:95 unshare_nsproxy_namespaces+0xa7/0x1e0 kernel/nsproxy.c:229 ksys_unshare+0x3d2/0x770 kernel/fork.c:2969 __do_sys_unshare kernel/fork.c:3037 [inline] __se_sys_unshare kernel/fork.c:3035 [inline] __x64_sys_unshare+0x2d/0x40 kernel/fork.c:3035 do_syscall_64+0xa1/0x530 arch/x86/entry/common.c:295 Fixes: 80da026a8e5d ("mm/slub: fix slab double-free in case of duplicate sysfs filename") Reported-by: Hulk Robot Signed-off-by: Wang Hai Signed-off-by: Andrew Morton Cc: Christoph Lameter Cc: Pekka Enberg Cc: David Rientjes Cc: Joonsoo Kim Link: http://lkml.kernel.org/r/20200602115033.1054-1-wanghai38@huawei.com Signed-off-by: Linus Torvalds mm/slub.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) parent commit d6f9469a03d832dcd17041ed67774ffb5f3e73b3 wasn't tested testing commit d6f9469a03d832dcd17041ed67774ffb5f3e73b3 with gcc (GCC) 8.1.0 kernel signature: 4b5c90368e95c461540343e7b8a099a84b7abb512c08cd5a63b3d2cd2495622b culprit signature: 79aaafe8fb076e1896c627a64e605cd7386d0308c5d68046a78992dd62101948 parent signature: 4b5c90368e95c461540343e7b8a099a84b7abb512c08cd5a63b3d2cd2495622b revisions tested: 19, total time: 3h37m54.215973094s (build: 1h50m10.24038018s, test: 1h45m42.354058827s) first bad commit: dde3c6b72a16c2db826f54b2d49bdea26c3534a2 mm/slub: fix a memory leak in sysfs_slab_add() recipients (to): ["akpm@linux-foundation.org" "torvalds@linux-foundation.org" "wanghai38@huawei.com"] recipients (cc): [] crash: KASAN: invalid-free in create_cache R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000020 R13: 00007ffe9f4c013f R14: 00007fceaab459c0 R15: 000000000119bf8c kobject_add_internal failed for 9p-fcall-cache (error: -12 parent: slab) ================================================================== BUG: KASAN: double-free or invalid-free in slab_free mm/slub.c:3072 [inline] BUG: KASAN: double-free or invalid-free in kmem_cache_free+0x8b/0x390 mm/slub.c:3088 CPU: 0 PID: 10425 Comm: syz-executor.2 Not tainted 5.7.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x96/0xe0 lib/dump_stack.c:118 print_address_description.constprop.7.cold.9+0x9/0x455 mm/kasan/report.c:383 kasan_report_invalid_free+0x50/0x80 mm/kasan/report.c:477 __kasan_slab_free+0x158/0x170 mm/kasan/common.c:434 slab_free_hook mm/slub.c:1474 [inline] slab_free_freelist_hook+0x53/0x140 mm/slub.c:1507 slab_free mm/slub.c:3072 [inline] kmem_cache_free+0x8b/0x390 mm/slub.c:3088 create_cache+0x100/0x1f0 mm/slab_common.c:421 kmem_cache_create_usercopy+0x1a0/0x260 mm/slab_common.c:505 p9_client_create+0xaaa/0x10f0 net/9p/client.c:1061 v9fs_session_init+0x1f0/0x13f0 fs/9p/v9fs.c:406 v9fs_mount+0x6f/0x7f0 fs/9p/vfs_super.c:124 legacy_get_tree+0xfe/0x200 fs/fs_context.c:592 vfs_get_tree+0x7e/0x330 fs/super.c:1547 do_new_mount fs/namespace.c:2869 [inline] do_mount+0x1039/0x1750 fs/namespace.c:3194 __do_sys_mount fs/namespace.c:3404 [inline] __se_sys_mount fs/namespace.c:3381 [inline] __x64_sys_mount+0x15d/0x1b0 fs/namespace.c:3381 do_syscall_64+0x8e/0x4f0 arch/x86/entry/common.c:295 entry_SYSCALL_64_after_hwframe+0x49/0xb3 RIP: 0033:0x45e219 Code: 0d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007fceaab44c68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 RAX: ffffffffffffffda RBX: 0000000000000007 RCX: 000000000045e219 RDX: 0000000020000280 RSI: 00000000200002c0 RDI: 0000000000000000 RBP: 00007fceaab44ca0 R08: 0000000020000480 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000020 R13: 00007ffe9f4c013f R14: 00007fceaab459c0 R15: 000000000119bf8c Allocated by task 10425: save_stack+0x19/0x40 mm/kasan/common.c:48 set_track mm/kasan/common.c:56 [inline] __kasan_kmalloc.constprop.15+0xc1/0xd0 mm/kasan/common.c:494 slab_post_alloc_hook mm/slab.h:586 [inline] slab_alloc_node mm/slub.c:2824 [inline] slab_alloc mm/slub.c:2832 [inline] kmem_cache_alloc+0xaa/0x2a0 mm/slub.c:2837 kmem_cache_zalloc include/linux/slab.h:659 [inline] create_cache+0x3d/0x1f0 mm/slab_common.c:392 kmem_cache_create_usercopy+0x1a0/0x260 mm/slab_common.c:505 p9_client_create+0xaaa/0x10f0 net/9p/client.c:1061 v9fs_session_init+0x1f0/0x13f0 fs/9p/v9fs.c:406 v9fs_mount+0x6f/0x7f0 fs/9p/vfs_super.c:124 legacy_get_tree+0xfe/0x200 fs/fs_context.c:592 vfs_get_tree+0x7e/0x330 fs/super.c:1547 do_new_mount fs/namespace.c:2869 [inline] do_mount+0x1039/0x1750 fs/namespace.c:3194 __do_sys_mount fs/namespace.c:3404 [inline] __se_sys_mount fs/namespace.c:3381 [inline] __x64_sys_mount+0x15d/0x1b0 fs/namespace.c:3381 do_syscall_64+0x8e/0x4f0 arch/x86/entry/common.c:295 entry_SYSCALL_64_after_hwframe+0x49/0xb3 Freed by task 10425: save_stack+0x19/0x40 mm/kasan/common.c:48 set_track mm/kasan/common.c:56 [inline] kasan_set_free_info mm/kasan/common.c:316 [inline] __kasan_slab_free+0x124/0x170 mm/kasan/common.c:455 slab_free_hook mm/slub.c:1474 [inline] slab_free_freelist_hook+0x53/0x140 mm/slub.c:1507 slab_free mm/slub.c:3072 [inline] kmem_cache_free+0x8b/0x390 mm/slub.c:3088 kobject_cleanup lib/kobject.c:693 [inline] kobject_release lib/kobject.c:722 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0x191/0x430 lib/kobject.c:739 sysfs_slab_add+0x200/0x2b0 mm/slub.c:5839 __kmem_cache_create+0x4b5/0x620 mm/slub.c:4421 create_cache+0xdc/0x1f0 mm/slab_common.c:407 kmem_cache_create_usercopy+0x1a0/0x260 mm/slab_common.c:505 p9_client_create+0xaaa/0x10f0 net/9p/client.c:1061 v9fs_session_init+0x1f0/0x13f0 fs/9p/v9fs.c:406 v9fs_mount+0x6f/0x7f0 fs/9p/vfs_super.c:124 legacy_get_tree+0xfe/0x200 fs/fs_context.c:592 vfs_get_tree+0x7e/0x330 fs/super.c:1547 do_new_mount fs/namespace.c:2869 [inline] do_mount+0x1039/0x1750 fs/namespace.c:3194 __do_sys_mount fs/namespace.c:3404 [inline] __se_sys_mount fs/namespace.c:3381 [inline] __x64_sys_mount+0x15d/0x1b0 fs/namespace.c:3381 do_syscall_64+0x8e/0x4f0 arch/x86/entry/common.c:295 entry_SYSCALL_64_after_hwframe+0x49/0xb3 The buggy address belongs to the object at ffff8880b4eb4a00 which belongs to the cache kmem_cache of size 488 The buggy address is located 0 bytes inside of 488-byte region [ffff8880b4eb4a00, ffff8880b4eb4be8) The buggy address belongs to the page: page:ffffea0002d3ad00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 head:ffffea0002d3ad00 order:1 compound_mapcount:0 flags: 0xfff00000010200(slab|head) raw: 00fff00000010200 dead000000000100 dead000000000122 ffff8880b5802000 raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880b4eb4900: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc ffff8880b4eb4980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8880b4eb4a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8880b4eb4a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880b4eb4b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================