ci2 starts bisection 2023-09-17 14:01:32.342157549 +0000 UTC m=+366224.371331732
bisecting cause commit starting from d3212c2dbababf849d940f5f7001f4fde222b888
building syzkaller on 0b6a67ac4b0dc26f43030c5edd01c9175f13b784
ensuring issue is reproducible on original commit d3212c2dbababf849d940f5f7001f4fde222b888
testing commit d3212c2dbababf849d940f5f7001f4fde222b888 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 188fe7e0339d701d88c44ed87c9fe47727552b5c142e4b001724d2dfae8ea504
all runs: crashed: general protection fault in do_renameat2
representative crash: general protection fault in do_renameat2, types: [UNKNOWN]
check whether we can drop unnecessary instrumentation
disabling configs for [LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP HANG], they are not needed
testing commit d3212c2dbababf849d940f5f7001f4fde222b888 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 27039fb813ab361bbe838863536553ec6f8dcb53177aea3322b54b737ed9ac06
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in do_renameat2
representative crash: BUG: unable to handle kernel NULL pointer dereference in do_renameat2, types: [UNKNOWN]
the bug reproduces without the instrumentation
disabling configs for [HANG LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP], they are not needed
kconfig minimization: base=5179 full=6487 leaves diff=250
split chunks (needed=false): <250>
split chunk #0 of len 250 into 5 parts
testing without sub-chunk 1/5
disabling configs for [KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing commit d3212c2dbababf849d940f5f7001f4fde222b888 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 5b6e80a36b211f45001855b458f9928d16a701133d31f8089fb19fc90188753c
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in do_renameat2
representative crash: BUG: unable to handle kernel NULL pointer dereference in do_renameat2, types: [UNKNOWN]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing commit d3212c2dbababf849d940f5f7001f4fde222b888 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: bae73831726791c6831b55c69adc2ef3ae3fb78fbf475d1dffa7c46447bd3e1e
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in do_renameat2
representative crash: BUG: unable to handle kernel NULL pointer dereference in do_renameat2, types: [UNKNOWN]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [HANG LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit d3212c2dbababf849d940f5f7001f4fde222b888 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: da0a11249fd673b3ab31a45daa6ad83393e2d44a6d9e5d59a1822b856f072d90
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in do_renameat2
representative crash: BUG: unable to handle kernel NULL pointer dereference in do_renameat2, types: [UNKNOWN]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing commit d3212c2dbababf849d940f5f7001f4fde222b888 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 3c08671c80f767715cb3288941a0b7fddb474e46dce643304fbb39a6c6bac755
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in do_renameat2
representative crash: BUG: unable to handle kernel NULL pointer dereference in do_renameat2, types: [UNKNOWN]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP HANG], they are not needed
testing commit d3212c2dbababf849d940f5f7001f4fde222b888 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
failed building d3212c2dbababf849d940f5f7001f4fde222b888:
net/socket.c:1225: undefined reference to `wext_handle_ioctl'
net/socket.c:3420: undefined reference to `compat_wext_handle_ioctl'
net/core/net-procfs.c:329: undefined reference to `wext_proc_init'
net/core/net-procfs.c:345: undefined reference to `wext_proc_exit'
minimized to 50 configs; suspects: [HID_ZEROPLUS USB_NET_CDC_MBIM USB_NET_CDC_SUBSET USB_NET_CDC_SUBSET_ENABLE USB_NET_DM9601 USB_NET_GL620A USB_NET_MCS7830 USB_NET_NET1080 USB_NET_PLUSB USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD USB_OHCI_HCD_PCI USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_PRINTER USB_SERIAL_GENERIC USB_SERIAL_PL2303 USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_TRANCEVIBRATOR USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_WDM WLAN WLAN_VENDOR_ATH WLAN_VENDOR_ATMEL WLAN_VENDOR_BROADCOM WLAN_VENDOR_INTERSIL WLAN_VENDOR_MARVELL WLAN_VENDOR_MEDIATEK WLAN_VENDOR_MICROCHIP WLAN_VENDOR_PURELIFI WLAN_VENDOR_RALINK WLAN_VENDOR_REALTEK WLAN_VENDOR_RSI WLAN_VENDOR_SILABS WLAN_VENDOR_ZYDAS X86_X32_ABI ZEROPLUS_FF]
disabling configs for [LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP HANG], they are not needed
picked [v6.1.25 v6.1.24 v6.1.13 v6.1 v6.0 v5.19 v5.17 v5.15 v5.13 v5.11 v5.9 v5.6 v5.3 v5.0 v4.19] out of 49 release tags
testing release v6.1.25
testing commit f17b0ab65d17988d5e6d6fe22f708ef3721080bf gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d47fd4791bec80c47843792f599302897e4ff741b76b7ee5cac55786a24d8754
all runs: OK
false negative chance: 0.000
# git bisect start d3212c2dbababf849d940f5f7001f4fde222b888 f17b0ab65d17988d5e6d6fe22f708ef3721080bf
Bisecting: 3160 revisions left to test after this (roughly 12 steps)
[5edbbb399d066288accf1588999ad7e5edd89364] ANDROID: kbuild: add Kconfig support for external modules
testing commit 5edbbb399d066288accf1588999ad7e5edd89364 gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 3cdda6a618e367a55ff9cc18885f92aa47921d9f2af3043a80881f4e00d9efe7
all runs: OK
false negative chance: 0.000
# git bisect good 5edbbb399d066288accf1588999ad7e5edd89364
Bisecting: 1580 revisions left to test after this (roughly 11 steps)
[359585d6903cf8ebadbd85650d0bbf099077a539] FROMGIT: scsi: core: Support failing requests while recovering
testing commit 359585d6903cf8ebadbd85650d0bbf099077a539 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 37cc3b5eebbd6e45f6de9bcf2543a9c034c66e33aaaa566dadb1d706ec3bfc52
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in do_renameat2
representative crash: BUG: unable to handle kernel NULL pointer dereference in do_renameat2, types: [UNKNOWN]
# git bisect bad 359585d6903cf8ebadbd85650d0bbf099077a539
Bisecting: 789 revisions left to test after this (roughly 10 steps)
[61869b3bb6f664db608f8529bea5221f4fb606b5] Merge 9832fb87834e ("mm/demotion: expose memory tier details via sysfs") into android-mainline
testing commit 61869b3bb6f664db608f8529bea5221f4fb606b5 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 30dbf3e5fa2208f976f9265df02ddf49ef67802e9e7435f690d1d073daf076c1
all runs: OK
false negative chance: 0.000
# git bisect good 61869b3bb6f664db608f8529bea5221f4fb606b5
Bisecting: 397 revisions left to test after this (roughly 9 steps)
[9933cd0873aa445bb081d227c39146b2237b152f] Revert "ANDROID: GKI: remove CONFIG_CMDLINE_EXTEND from arm64 gki_defconfig"
testing commit 9933cd0873aa445bb081d227c39146b2237b152f gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: bafbdcaa2fc10621f0304b07be55a4298b494dcd21e6127c3ff035398d03f99e
all runs: OK
false negative chance: 0.000
# git bisect good 9933cd0873aa445bb081d227c39146b2237b152f
Bisecting: 198 revisions left to test after this (roughly 8 steps)
[5749a9d6ba095a40e6053e0c9eedbfadc4a915ee] ANDROID: gki_defconfig: sample large page_alloc allocations with HW_TAGS KASAN
testing commit 5749a9d6ba095a40e6053e0c9eedbfadc4a915ee gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ca44ad46dc5ad4fa78bc4d28c2d81ef00caafd683ede671355ba59d6e6f07cbc
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in do_renameat2
representative crash: BUG: unable to handle kernel NULL pointer dereference in do_renameat2, types: [UNKNOWN]
# git bisect bad 5749a9d6ba095a40e6053e0c9eedbfadc4a915ee
Bisecting: 92 revisions left to test after this (roughly 7 steps)
[34d1cfdc4a71992542a18ed95f509803c8e1d8c7] Merge remote-tracking branch 'aosp/upstream-f2fs-stable-linux-6.1.y' into android14-6.1
testing commit 34d1cfdc4a71992542a18ed95f509803c8e1d8c7 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e81b9a87cae99117aa75a87762334a05e9bd7c2c7c917d860229371a27eb807a
all runs: OK
false negative chance: 0.000
# git bisect good 34d1cfdc4a71992542a18ed95f509803c8e1d8c7
Bisecting: 46 revisions left to test after this (roughly 6 steps)
[a2a9e34d164e90fc08d35fd097a164b9101d72ef] FROMLIST: kasan: allow sampling page_alloc allocations for HW_TAGS
testing commit a2a9e34d164e90fc08d35fd097a164b9101d72ef gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 057b66636a54e0d433ac9eb2154407682477277d7c37720d22c5e1a024ea3eb8
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in do_renameat2
representative crash: BUG: unable to handle kernel NULL pointer dereference in do_renameat2, types: [UNKNOWN]
# git bisect bad a2a9e34d164e90fc08d35fd097a164b9101d72ef
Bisecting: 22 revisions left to test after this (roughly 5 steps)
[1c0ab9432e0a96d7f4430d388e376608db6d30b5] ANDROID: crypto: lib/aes - add vendor hooks for AES library routines
testing commit 1c0ab9432e0a96d7f4430d388e376608db6d30b5 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 9963b1472ab0163ede9e50332cbe9a958feb6775e39adbd4fdc28657ba807075
all runs: OK
false negative chance: 0.000
# git bisect good 1c0ab9432e0a96d7f4430d388e376608db6d30b5
Bisecting: 11 revisions left to test after this (roughly 4 steps)
[b17ff311f3cc2c812901ca85260e533474f14271] ANDROID: KVM: arm64: Ignore modules with empty .hyp.text section
testing commit b17ff311f3cc2c812901ca85260e533474f14271 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: cd4eaafc74d5a6fa1b6fefb244cf906e5c48cd1c71372c523b790ed5278989ad
all runs: OK
false negative chance: 0.000
# git bisect good b17ff311f3cc2c812901ca85260e533474f14271
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[f6d21159ccbd638ac6e9de50fb5085ce54fb3735] ANDROID: fuse-bpf: Make sure to declare functions
testing commit f6d21159ccbd638ac6e9de50fb5085ce54fb3735 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 8970f777a9682ddf4a96fcca151422883e124559a0e0228860791469d9fe05e1
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in do_renameat2
representative crash: BUG: unable to handle kernel NULL pointer dereference in do_renameat2, types: [UNKNOWN]
# git bisect bad f6d21159ccbd638ac6e9de50fb5085ce54fb3735
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[53b3a7721b7aec74d8fa2ee55c2480044cc7c1b8] Merge 6.1.1 into android14-6.1
testing commit 53b3a7721b7aec74d8fa2ee55c2480044cc7c1b8 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 92a9ffc318f2700cf31dd434691d61fae014e4f60996b54ff5d35b950fa45b92
all runs: OK
false negative chance: 0.000
# git bisect good 53b3a7721b7aec74d8fa2ee55c2480044cc7c1b8
Bisecting: 0 revisions left to test after this (roughly 1 step)
[57f3ff9648991998d008ecf32f2f9e78a08bfb8b] ANDROID: fuse-bpf v1.1
testing commit 57f3ff9648991998d008ecf32f2f9e78a08bfb8b gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d5ed4f22c35674ba6051ae345c0e5586070a9d9e0b9b17abee0802614915a205
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in do_renameat2
representative crash: BUG: unable to handle kernel NULL pointer dereference in do_renameat2, types: [UNKNOWN]
# git bisect bad 57f3ff9648991998d008ecf32f2f9e78a08bfb8b
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[fb5ea70e2e33932b5b35fedd7a30cf5d9170126c] ANDROID: KVM: arm64: Add helper for pKVM modules addr conversion
testing commit fb5ea70e2e33932b5b35fedd7a30cf5d9170126c gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 0cef2383425acf8a40a09890b190ec4bb2875cbb446a87cd6ab434ae2797b554
all runs: OK
false negative chance: 0.000
# git bisect good fb5ea70e2e33932b5b35fedd7a30cf5d9170126c
57f3ff9648991998d008ecf32f2f9e78a08bfb8b is the first bad commit
commit 57f3ff9648991998d008ecf32f2f9e78a08bfb8b
Author: Daniel Rosenberg
Date:   Thu Dec 2 13:50:02 2021 -0800

    ANDROID: fuse-bpf v1.1

    This is a squash of these changes cherry-picked from common-android13-5.10

    ANDROID: fuse-bpf: Make compile and pass test
    ANDROID: fuse-bpf: set error_in to ENOENT in negative lookup
    ANDROID: fuse-bpf: Add ability to run ranges of tests to fuse_test
    ANDROID: fuse-bpf: Add test for lookup postfilter
    ANDROID: fuse-bpf: readddir postfilter fixes
    ANDROID: fix kernelci error in fs/fuse/dir.c
    ANDROID: fuse-bpf: Fix RCU/reference issue
    ANDROID: fuse-bpf: Always call revalidate for backing
    ANDROID: fuse-bpf: Adjust backing handle funcs
    ANDROID: fuse-bpf: Fix revalidate error path and backing handling
    ANDROID: fuse-bpf: Fix use of get_fuse_inode
    ANDROID: fuse: Don't use readdirplus w/ nodeid 0
    ANDROID: fuse-bpf: Introduce readdirplus test case for fuse bpf
    ANDROID: fuse-bpf: Make sure force_again flag is false by default
    ANDROID: fuse-bpf: Make inodes with backing_fd reachable for regular FUSE fuse_iget
    Revert "ANDROID: fuse-bpf: use target instead of parent inode to execute backing revalidate"
    ANDROID: fuse-bpf: use target instead of parent inode to execute backing revalidate
    ANDROID: fuse-bpf: Fix misuse of args.out_args
    ANDROID: fuse-bpf: Fix non-fusebpf build
    ANDROID: fuse-bpf: Use fuse_bpf_args in uapi
    ANDROID: fuse-bpf: Fix read_iter
    ANDROID: fuse-bpf: Use cache and refcount
    ANDROID: fuse-bpf: Rename iocb_fuse to iocb_orig
    ANDROID: fuse-bpf: Fix fixattr in rename
    ANDROID: fuse-bpf: Fix readdir
    ANDROID: fuse-bpf: Fix lseek return value for offset 0
    ANDROID: fuse-bpf: fix read_iter and write_iter
    ANDROID: fuse-bpf: fix special devices
    ANDROID: fuse-bpf: support FUSE_LSEEK
    ANDROID: fuse-bpf: Add support for FUSE_COPY_FILE_RANGE
    ANDROID: fuse-bpf: Report errors to finalize
    ANDROID: fuse-bpf: Avoid reusing uint64_t for file
    ANDROID: fuse-bpf: Fix CONFIG_FUSE_BPF typo in FUSE_FSYNCDIR
    ANDROID: fuse-bpf: Move fd operations to be synchronous
    ANDROID: fuse-bpf: Invalidate if lower is unhashed
    ANDROID: fuse-bpf: Move bpf earlier in fuse_permission
    ANDROID: fuse-bpf: Update attributes on file write
    ANDROID: fuse: allow mounting with no userspace daemon
    ANDROID: fuse-bpf: Support FUSE_STATFS
    ANDROID: fuse-bpf: Fix filldir
    ANDROID: fuse-bpf: fix fuse_create_open_finalize
    ANDROID: fuse: add bpf support for removexattr
    ANDROID: fuse-bpf: Fix truncate
    ANDROID: fuse-bpf: Support inotify
    ANDROID: fuse-bpf: Make compile with CONFIG_FUSE but no CONFIG_FUSE_BPF
    ANDROID: fuse-bpf: Fix perms on readdir
    ANDROID: fuse: Fix umasking in backing
    ANDROID: fs/fuse: Backing move returns EXDEV if TO not backed
    ANDROID: bpf-fuse: Fix Setattr
    ANDROID: fuse-bpf: Check if mkdir dentry setup
    ANDROID: fuse-bpf: Close backing fds in fuse_dentry_revalidate
    ANDROID: fuse-bpf: Close backing-fd on both paths
    ANDROID: fuse-bpf: Partial fix for mmap'd files
    ANDROID: fuse-bpf: Restore a missing const
    ANDROID: Add fuse-bpf self tests
    ANDROID: Add FUSE_BPF to gki_defconfig
    ANDROID: fuse-bpf v1
    ANDROID: fuse: Move functions in preparation for fuse-bpf

    Bug: 202785178
    Bug: 265206112
    Test: test_fuse passes on linux. On cuttlefish, atest android.scopedstorage.cts.host.ScopedStorageHostTest passes with fuse-bpf enabled and disabled
    Change-Id: Idb099c281f9b39ff2c46fa3ebc63e508758416ee
    Signed-off-by: Paul Lawrence
    Signed-off-by: Daniel Rosenberg

 arch/arm64/configs/gki_defconfig                   |    1 +
 arch/x86/configs/gki_defconfig                     |    1 +
 fs/fuse/Kconfig                                    |    8 +
 fs/fuse/Makefile                                   |    1 +
 fs/fuse/backing.c                                  | 2468 ++++++++++++++++++++
 fs/fuse/control.c                                  |    2 +-
 fs/fuse/dev.c                                      |   19 +
 fs/fuse/dir.c                                      |  532 +++--
 fs/fuse/file.c                                     |  130 ++
 fs/fuse/fuse_i.h                                   |  720 +++++-
 fs/fuse/inode.c                                    |  322 ++-
 fs/fuse/passthrough.c                              |    2 +-
 fs/fuse/readdir.c                                  |   22 +
 fs/fuse/xattr.c                                    |   40 +
 include/linux/bpf_types.h                          |    3 +
 include/uapi/linux/android_fuse.h                  |   95 +
 include/uapi/linux/bpf.h                           |   10 +
 kernel/bpf/Makefile                                |    3 +
 kernel/bpf/bpf_fuse.c                              |  128 +
 kernel/bpf/btf.c                                   |    1 +
 .../testing/selftests/filesystems/fuse/.gitignore  |    2 +
 tools/testing/selftests/filesystems/fuse/Makefile  |   34 +
 tools/testing/selftests/filesystems/fuse/OWNERS    |    2 +
 .../selftests/filesystems/fuse/bpf_loader.c        |  791 +++++++
 tools/testing/selftests/filesystems/fuse/fd.txt    |   21 +
 tools/testing/selftests/filesystems/fuse/fd_bpf.c  |  252 ++
 .../selftests/filesystems/fuse/fuse_daemon.c       |  294 +++
 .../testing/selftests/filesystems/fuse/fuse_test.c | 2142 +++++++++++++++++
 .../testing/selftests/filesystems/fuse/test_bpf.c  |  507 ++++
 .../selftests/filesystems/fuse/test_framework.h    |  179 ++
 .../testing/selftests/filesystems/fuse/test_fuse.h |  337 +++
 .../selftests/filesystems/fuse/test_fuse_bpf.h     |   65 +
 32 files changed, 8929 insertions(+), 205 deletions(-)
 create mode 100644 fs/fuse/backing.c
 create mode 100644 include/uapi/linux/android_fuse.h
 create mode 100644 kernel/bpf/bpf_fuse.c
 create mode 100644 tools/testing/selftests/filesystems/fuse/.gitignore
 create mode 100644 tools/testing/selftests/filesystems/fuse/Makefile
 create mode 100644 tools/testing/selftests/filesystems/fuse/OWNERS
 create mode 100644 tools/testing/selftests/filesystems/fuse/bpf_loader.c
 create mode 100644 tools/testing/selftests/filesystems/fuse/fd.txt
 create mode 100644 tools/testing/selftests/filesystems/fuse/fd_bpf.c
 create mode 100644 tools/testing/selftests/filesystems/fuse/fuse_daemon.c
 create mode 100644 tools/testing/selftests/filesystems/fuse/fuse_test.c
 create mode 100644 tools/testing/selftests/filesystems/fuse/test_bpf.c
 create mode 100644 tools/testing/selftests/filesystems/fuse/test_framework.h
 create mode 100644 tools/testing/selftests/filesystems/fuse/test_fuse.h
 create mode 100644 tools/testing/selftests/filesystems/fuse/test_fuse_bpf.h

accumulated error probability: 0.00
culprit signature: d5ed4f22c35674ba6051ae345c0e5586070a9d9e0b9b17abee0802614915a205
parent signature: 0cef2383425acf8a40a09890b190ec4bb2875cbb446a87cd6ab434ae2797b554
revisions tested: 20, total time: 4h21m0.003430476s (build: 1h31m20.724542726s, test: 2h34m46.099248154s)
first bad commit: 57f3ff9648991998d008ecf32f2f9e78a08bfb8b ANDROID: fuse-bpf v1.1
recipients (to): ["drosen@google.com" "paullawrence@google.com"]
recipients (cc): []
crash: BUG: unable to handle kernel NULL pointer dereference in do_renameat2
BUG: kernel NULL pointer dereference, address: 0000000000000012
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 10c6cd067 P4D 10c6cd067 PUD 10c435067 PMD 0
Oops: 0000 [#1] PREEMPT SMP
CPU: 1 PID: 349 Comm: syz-executor.0 Not tainted 6.1.1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
RIP: 0010:d_is_miss include/linux/dcache.h:391 [inline]
RIP: 0010:d_is_negative include/linux/dcache.h:437 [inline]
RIP: 0010:do_renameat2+0x2f0/0x600 fs/namei.c:4879
Code: ee e8 d4 b9 ff ff 48 89 c3 48 8d bd 60 ff ff ff 4c 89 ee 44 89 e2 e8 9f e1 ff ff 49 89 c7 48 3d 00 f0 ff ff 0f 87 7b 01 00 00 <41> f6 47 02 70 48 8b b5 30 ff ff ff 0f 84 09 01 00 00 48 89 9d 00
RSP: 0018:ffffc9000073fde8 EFLAGS: 00010203
RAX: 0000000000000010 RBX: 0000000000000000 RCX: 0000000000000004
RDX: 0000000400000000 RSI: 0000000000000000 RDI: ffff88810aa73540
RBP: ffffc9000073ff00 R08: 00000000ffffff9c R09: 000000008080007f
R10: ffff88810a76f1e0 R11: ffff888100041400 R12: 0000000000000000
R13: ffff888100525f00 R14: 0000000020000101 R15: 0000000000000010
FS:  00007f8390f0d6c0(0000) GS:ffff888237d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000012 CR3: 000000010c789000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 __do_sys_rename fs/namei.c:4976 [inline]
 __se_sys_rename fs/namei.c:4974 [inline]
 __x64_sys_rename+0x3f/0x50 fs/namei.c:4974
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f839027cae9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f8390f0d0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000052
RAX: ffffffffffffffda RBX: 00007f839039bf80 RCX: 00007f839027cae9
RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000020000100
RBP: 00007f83902c847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f839039bf80 R15: 00007fffc0a4ebf8
Modules linked in:
CR2: 0000000000000012
---[ end trace 0000000000000000 ]---
RIP: 0010:d_is_miss include/linux/dcache.h:391 [inline]
RIP: 0010:d_is_negative include/linux/dcache.h:437 [inline]
RIP: 0010:do_renameat2+0x2f0/0x600 fs/namei.c:4879
Code: ee e8 d4 b9 ff ff 48 89 c3 48 8d bd 60 ff ff ff 4c 89 ee 44 89 e2 e8 9f e1 ff ff 49 89 c7 48 3d 00 f0 ff ff 0f 87 7b 01 00 00 <41> f6 47 02 70 48 8b b5 30 ff ff ff 0f 84 09 01 00 00 48 89 9d 00
RSP: 0018:ffffc9000073fde8 EFLAGS: 00010203
RAX: 0000000000000010 RBX: 0000000000000000 RCX: 0000000000000004
RDX: 0000000400000000 RSI: 0000000000000000 RDI: ffff88810aa73540
RBP: ffffc9000073ff00 R08: 00000000ffffff9c R09: 000000008080007f
R10: ffff88810a76f1e0 R11: ffff888100041400 R12: 0000000000000000
R13: ffff888100525f00 R14: 0000000020000101 R15: 0000000000000010
FS:  00007f8390f0d6c0(0000) GS:ffff888237d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000012 CR3: 000000010c789000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	ee                   	out    %al,(%dx)
   1:	e8 d4 b9 ff ff       	call   0xffffb9da
   6:	48 89 c3             	mov    %rax,%rbx
   9:	48 8d bd 60 ff ff ff 	lea    -0xa0(%rbp),%rdi
  10:	4c 89 ee             	mov    %r13,%rsi
  13:	44 89 e2             	mov    %r12d,%edx
  16:	e8 9f e1 ff ff       	call   0xffffe1ba
  1b:	49 89 c7             	mov    %rax,%r15
  1e:	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax
  24:	0f 87 7b 01 00 00    	ja     0x1a5
* 2a:	41 f6 47 02 70       	testb  $0x70,0x2(%r15) <-- trapping instruction
  2f:	48 8b b5 30 ff ff ff 	mov    -0xd0(%rbp),%rsi
  36:	0f 84 09 01 00 00    	je     0x145
  3c:	48                   	rex.W
  3d:	89                   	.byte 0x89
  3e:	9d                   	popf
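The register dump and the disassembly together say more than the "NULL pointer dereference" heading does. The call at offset 0x16 returned 0x10 in RAX, which is copied to R15; the `cmp $0xfffffffffffff000,%rax` / `ja` pair is the IS_ERR() guard, which 0x10 passes; and `testb $0x70,0x2(%r15)` is d_is_miss() reading byte 2 of d_flags, where the DCACHE_ENTRY_TYPE bits (0x00700000) sit, so the load hits 0x10 + 2 = 0x12, the CR2 in the report. The following stand-alone C model replays that arithmetic on the reported values. It is an added example, not code from syzbot's output, from the kernel, or from the fuse-bpf patch; struct dentry is reduced to its first member (d_flags, as upstream lays it out), the DCACHE_* and MAX_ERRNO constants are upstream's values, and the register values are the ones printed above.

```c
/* Added example: decode the trapping instruction from the crash report.
 * Stand-alone model, not kernel code. Constants from upstream
 * include/linux/dcache.h and include/linux/err.h; layout reduced to the
 * single field the faulting instruction touches. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DCACHE_ENTRY_TYPE 0x00700000u   /* bits 20..22 of d_flags */
#define DCACHE_MISS_TYPE  0x00000000u   /* negative dentry: no inode */
#define MAX_ERRNO         4095

/* Reduced struct dentry: d_flags is the first member, as upstream. */
struct dentry_model {
    uint32_t d_flags;
};

/* IS_ERR_VALUE(): what `cmp $0xfffffffffffff000,%rax; ja` implements. */
static bool is_err_value(uintptr_t x)
{
    return x >= (uintptr_t)-MAX_ERRNO;
}

/* Source-level d_is_miss(), the inline the RIP lines attribute the fault to. */
static bool model_d_is_miss(const struct dentry_model *d)
{
    return (d->d_flags & DCACHE_ENTRY_TYPE) == DCACHE_MISS_TYPE;
}

/* Byte-level form the compiler emitted: testb $0x70,0x2(%r15).
 * On little-endian x86, bits 20..22 of d_flags are bits 4..6 of byte 2. */
static bool model_d_is_miss_as_compiled(const struct dentry_model *d)
{
    const uint8_t *b = (const uint8_t *)&d->d_flags;
    return (b[2] & 0x70) == 0;
}

/* Evaluate both forms for a d_flags value: 0 = miss, 1 = not a miss,
 * -1 = the two forms disagree (they never should). */
static int miss_for_flags(uint32_t flags)
{
    struct dentry_model d = { .d_flags = flags };
    bool src = model_d_is_miss(&d);
    bool asm_form = model_d_is_miss_as_compiled(&d);
    if (src != asm_form)
        return -1;
    return src ? 0 : 1;
}

/* Address the faulting load touches for a given dentry pointer value:
 * the d_flags offset plus the displacement 2 from the instruction. */
static uintptr_t fault_address_for(uintptr_t dentry_ptr)
{
    return dentry_ptr + offsetof(struct dentry_model, d_flags) + 2;
}

/* Replay guard and load on the reported register values.
 *   1: IS_ERR() would have caught the value, no fault at this instruction
 *   2: value passes IS_ERR() but the load would not hit the reported CR2
 *   0: value passes IS_ERR() and the load hits exactly CR2 */
static int decode_crash(uintptr_t r15, uintptr_t cr2)
{
    if (is_err_value(r15))
        return 1;
    if (fault_address_for(r15) != cr2)
        return 2;
    return 0;
}

int main(void)
{
    /* Register values taken from the crash report above. */
    const uintptr_t r15 = 0x10, cr2 = 0x12;
    printf("IS_ERR(0x%lx): %s\n", (unsigned long)r15,
           is_err_value(r15) ? "yes" : "no");
    printf("d_flags byte 2 read from 0x%lx\n",
           (unsigned long)fault_address_for(r15));
    printf("decode_crash: %d\n", decode_crash(r15, cr2));
    return 0;
}
```

decode_crash(0x10, 0x12) returns 0: the value was small and non-error, so the IS_ERR() guard let it through and the d_flags read faulted on 0x12. The "NULL pointer dereference" heading is the x86 fault handler's label for any kernel-mode fault below PAGE_SIZE; the pointer itself was 0x10, which is why the check that does exist in do_renameat2 did not catch it.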