bisecting cause commit starting from b51594df17d0ce80b9f9f35394a1f42d7ac94472 building syzkaller on d5a3ae1f760e7cb2cd5a721d9645ae22eae114fe testing commit b51594df17d0ce80b9f9f35394a1f42d7ac94472 with gcc (GCC) 8.1.0 kernel signature: 1e15fe21cf5534fca32efb13094e3b6d5d7e8a39e5d8f915e6a7fcb6a70060fd run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in snd_ctl_release run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in snd_ctl_release run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in snd_ctl_release run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in snd_ctl_release run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in snd_ctl_release run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in snd_ctl_release run #6: crashed: WARNING: ODEBUG bug in exit_to_user_mode_prepare run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in snd_ctl_release run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in snd_ctl_release run #9: crashed: BUG: unable to handle kernel NULL pointer dereference in snd_ctl_release testing release v5.8 testing commit bcf876870b95592b52519ed4aafcf9d95999bc9c with gcc (GCC) 8.1.0 kernel signature: 718b6f7905ada9eb80c45b4a1c04a47d1b4c3bfeb28e466dca751eb7b2b2ee11 all runs: OK # git bisect start b51594df17d0ce80b9f9f35394a1f42d7ac94472 bcf876870b95592b52519ed4aafcf9d95999bc9c Bisecting: 6220 revisions left to test after this (roughly 13 steps) [47ec5303d73ea344e84f46660fff693c57641386] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next testing commit 47ec5303d73ea344e84f46660fff693c57641386 with gcc (GCC) 8.1.0 kernel signature: e5ae058a5a3bdd7b08e34d59dc28b6a9e358e62dce594d54a469aa08dda20405 all runs: OK # git bisect good 47ec5303d73ea344e84f46660fff693c57641386 Bisecting: 3090 revisions left to test after this (roughly 12 steps) [fa73e212318a3277ae1f304febbc617c75d4d2db] Merge tag 'media/v5.9-1' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media testing commit fa73e212318a3277ae1f304febbc617c75d4d2db with gcc (GCC) 8.1.0 kernel signature: 61bcc770983417be4e013d5d989d2bb993342b0cbb469f89775aaf63dd8c9796 all runs: OK # git bisect good fa73e212318a3277ae1f304febbc617c75d4d2db Bisecting: 1542 revisions left to test after this (roughly 11 steps) [4586039427fab2b8c4edd49c73002e13e04315cf] Merge tag 'linux-watchdog-5.9-rc1' of git://www.linux-watchdog.org/linux-watchdog testing commit 4586039427fab2b8c4edd49c73002e13e04315cf with gcc (GCC) 8.1.0 kernel signature: c6d11bbcddb29d751511e177a35733767ef3f3e5f85dbb596a57b96547a85684 all runs: boot failed: WARNING in mem_cgroup_css_alloc # git bisect skip 4586039427fab2b8c4edd49c73002e13e04315cf Bisecting: 1542 revisions left to test after this (roughly 11 steps) [e97644ebcdc83854e6e29e96285b25042445c28c] drm/vmwgfx: fix spelling mistake "Cant" -> "Can't" testing commit e97644ebcdc83854e6e29e96285b25042445c28c with gcc (GCC) 8.1.0 kernel signature: e7ee104a8e28efc0d24ce345182c9eaa8133bab3c5908bf56841f2c168642a1c all runs: OK # git bisect good e97644ebcdc83854e6e29e96285b25042445c28c Bisecting: 1542 revisions left to test after this (roughly 11 steps) [ca7c20b2132d228ec76df3c96f5d0b5ae3d6f218] backlight: backlight: Improve backlight_ops documentation testing commit ca7c20b2132d228ec76df3c96f5d0b5ae3d6f218 with gcc (GCC) 8.1.0 kernel signature: 327532c962530eeb01266dbb11976f6579c98bfdf110ba6280d3b8ad146bafab all runs: basic kernel testing failed: BUG: using smp_processor_id() in preemptible code in ext4_mb_new_blocks # git bisect skip ca7c20b2132d228ec76df3c96f5d0b5ae3d6f218 Bisecting: 1542 revisions left to test after this (roughly 11 steps) [fe124c95df9e2acf202910b0510300e37afe074b] x86/mm: use max memory block size on bare metal testing commit fe124c95df9e2acf202910b0510300e37afe074b with gcc (GCC) 8.1.0 kernel signature: cff62f64209fc341a956fc1a03945e71e675f4cfaaa2c19d1d27633a74795ef6 all runs: boot failed: WARNING in mem_cgroup_css_alloc # git bisect skip fe124c95df9e2acf202910b0510300e37afe074b Bisecting: 1542 revisions left to test after this (roughly 11 steps) [ccbb5239d495923cb24b84a73eb814626c5bfa57] sh: remove -Werror from Makefiles testing commit ccbb5239d495923cb24b84a73eb814626c5bfa57 with gcc (GCC) 8.1.0 kernel signature: 95750e87c25cefbff6b2094da899ca2320938b1ae0b07006ad4d2295e20be0b3 all runs: OK # git bisect good ccbb5239d495923cb24b84a73eb814626c5bfa57 Bisecting: 1522 revisions left to test after this (roughly 11 steps) [fddf9055a60dfcc97bda5ef03c8fa4108ed555c5] lockdep: Use raw_cpu_*() for per-cpu variables testing commit fddf9055a60dfcc97bda5ef03c8fa4108ed555c5 with gcc (GCC) 8.1.0 kernel signature: 17b91598f6f4c91e99a084367dd55a7435e1ef40f233cf2e49493c1a6e5319b1 all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in snd_ctl_release # git bisect bad fddf9055a60dfcc97bda5ef03c8fa4108ed555c5 Bisecting: 1423 revisions left to test after this (roughly 10 steps) [492e4edba6e2fc0620a69266d33f29c4a1f9ac1e] perf ftrace: Make option description initials all capital letters testing commit 492e4edba6e2fc0620a69266d33f29c4a1f9ac1e with gcc (GCC) 8.1.0 kernel signature: 266283de4802d718f31d4982b541ac15cc3a8baac064e72436aa2c72adc5f54d all runs: OK # git bisect good 492e4edba6e2fc0620a69266d33f29c4a1f9ac1e Bisecting: 711 revisions left to test after this (roughly 10 steps) [b1a3e75e466d96383508634f3d2e477ac45f2fc1] lz4: fix kernel decompression speed testing commit b1a3e75e466d96383508634f3d2e477ac45f2fc1 with gcc (GCC) 8.1.0 kernel signature: 50637d309a1c759b0c256ef60ba8cc16b51da0220d40d528bdff163d968c4598 all runs: OK # git bisect good b1a3e75e466d96383508634f3d2e477ac45f2fc1 Bisecting: 337 revisions left to test after this (roughly 9 steps) [4cf7562190c795f1f95be6ee0d161107d0dc5d49] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net testing commit 4cf7562190c795f1f95be6ee0d161107d0dc5d49 with gcc (GCC) 8.1.0 kernel signature: ddf5cb6819558ce405208d600614543f61ddbbd6c54043d3b654033ae00684d7 all runs: OK # git bisect good 4cf7562190c795f1f95be6ee0d161107d0dc5d49 Bisecting: 172 revisions left to test after this (roughly 7 steps) [f22c5579a7d600fa03f8c1d150cf78188f8709b6] Merge tag 'riscv-for-linus-5.9-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux testing commit f22c5579a7d600fa03f8c1d150cf78188f8709b6 with gcc (GCC) 8.1.0 kernel signature: 9806b6303f307028192b2bd2299c066e28b70bd97ff1839c97df5c513d9e7d3f all runs: OK # git bisect good f22c5579a7d600fa03f8c1d150cf78188f8709b6 Bisecting: 86 revisions left to test after this (roughly 7 steps) [f320ac6e131669345c7f4abefbb228b570eb9199] Merge branch 'work.epoll' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs testing commit f320ac6e131669345c7f4abefbb228b570eb9199 with gcc (GCC) 8.1.0 kernel signature: 0987c4c7b8a511c212580b352874279f0fd1cb7a173f92c393a8db7dfd3d2b48 run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in snd_ctl_release run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in snd_ctl_release run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in snd_ctl_release run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in snd_ctl_release run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in snd_ctl_release run #5: crashed: WARNING: ODEBUG bug in exit_to_user_mode_prepare run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in snd_ctl_release run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in snd_ctl_release run #8: crashed: BUG: corrupted list in snd_ctl_release run #9: crashed: BUG: unable to handle kernel NULL pointer dereference in snd_ctl_release # git bisect bad f320ac6e131669345c7f4abefbb228b570eb9199 Bisecting: 33 revisions left to test after this (roughly 6 steps) [9e574b74b781f14fa7348ba8b980b19a250a9c83] Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi testing commit 9e574b74b781f14fa7348ba8b980b19a250a9c83 with gcc (GCC) 8.1.0 kernel signature: 08cde2f93a07cda899901d2a544e4d10855698806c6db86de0a6aea44f1a372c all runs: OK # git bisect good 9e574b74b781f14fa7348ba8b980b19a250a9c83 Bisecting: 18 revisions left to test after this (roughly 4 steps) [d57ce84004a0d13ada89fbceec21539559cb72f2] Merge tag 's390-5.9-3' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux testing commit d57ce84004a0d13ada89fbceec21539559cb72f2 with gcc (GCC) 8.1.0 kernel signature: fabc38917ed55ae82601612ae9f172c6fed77780cd9db8d45e5535f3f27e831e all runs: OK # git bisect good d57ce84004a0d13ada89fbceec21539559cb72f2 Bisecting: 8 revisions left to test after this (roughly 3 steps) [510bc3cb1ddc32f9533e6ed0a68c980544c3ca3f] kconfig: qconf: replace deprecated QString::sprintf() with QTextStream testing commit 510bc3cb1ddc32f9533e6ed0a68c980544c3ca3f with gcc (GCC) 8.1.0 kernel signature: 23dbcb0bbf35add7c8a5f9692a14486ac28bf47a32c50c667ec9fa70c335769d all runs: OK # git bisect good 510bc3cb1ddc32f9533e6ed0a68c980544c3ca3f Bisecting: 4 revisions left to test after this (roughly 2 steps) [8d75785a814241587802655cc33e384230744f0c] ARM64: vdso32: Install vdso32 from vdso_install testing commit 8d75785a814241587802655cc33e384230744f0c with gcc (GCC) 8.1.0 kernel signature: 89f5833543be5a6f50ebc8d2d9141d54165188e10ed9bbff1654200492caf745 all runs: OK # git bisect good 8d75785a814241587802655cc33e384230744f0c Bisecting: 2 revisions left to test after this (roughly 1 step) [52c479697c9b73f628140dcdfcd39ea302d05482] do_epoll_ctl(): clean the failure exits up a bit testing commit 52c479697c9b73f628140dcdfcd39ea302d05482 with gcc (GCC) 8.1.0 kernel signature: f15e699ee952683e8316c9ebb93d4ddb1c094896ec85c69ddededb9d56a4d802 run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in snd_ctl_release run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in snd_ctl_release run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in snd_ctl_release run #3: crashed: WARNING: ODEBUG bug in exit_to_user_mode_prepare run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in snd_ctl_release run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in snd_ctl_release run #6: crashed: WARNING: ODEBUG bug in get_signal run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in snd_ctl_release run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in snd_ctl_release run #9: crashed: BUG: unable to handle kernel NULL pointer dereference in snd_ctl_release # git bisect bad 52c479697c9b73f628140dcdfcd39ea302d05482 Bisecting: 0 revisions left to test after this (roughly 0 steps) [a9ed4a6560b8562b7e2e2bed9527e88001f7b682] epoll: Keep a reference on files added to the check list testing commit a9ed4a6560b8562b7e2e2bed9527e88001f7b682 with gcc (GCC) 8.1.0 kernel signature: 04c11f3c043d86cecf522b7f1a483aa16918bba799b395af468151d1e8ba8e6f run #0: crashed: BUG: corrupted list in snd_ctl_release run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in snd_ctl_release run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in snd_ctl_release run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in snd_ctl_release run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in snd_ctl_release run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in snd_ctl_release run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in snd_ctl_release run #7: crashed: BUG: corrupted list in snd_ctl_release run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in snd_ctl_release run #9: crashed: BUG: unable to handle kernel NULL pointer dereference in snd_ctl_release # git bisect bad a9ed4a6560b8562b7e2e2bed9527e88001f7b682 a9ed4a6560b8562b7e2e2bed9527e88001f7b682 is the first bad commit commit a9ed4a6560b8562b7e2e2bed9527e88001f7b682 Author: Marc Zyngier Date: Wed Aug 19 17:12:17 2020 +0100 epoll: Keep a reference on files added to the check list When adding a new fd to an epoll, and that this new fd is an epoll fd itself, we recursively scan the fds attached to it to detect cycles, and add non-epool files to a "check list" that gets subsequently parsed. However, this check list isn't completely safe when deletions can happen concurrently. To sidestep the issue, make sure that a struct file placed on the check list sees its f_count increased, ensuring that a concurrent deletion won't result in the file disapearing from under our feet. Cc: stable@vger.kernel.org Signed-off-by: Marc Zyngier Signed-off-by: Al Viro fs/eventpoll.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) parent commit 9123e3a74ec7b934a4a099e98af6a61c2f80bbf5 wasn't tested testing commit 9123e3a74ec7b934a4a099e98af6a61c2f80bbf5 with gcc (GCC) 8.1.0 kernel signature: 601b7645cd196b61667ab33f062018a81231e28b56342224aa044188511bd709 culprit signature: 04c11f3c043d86cecf522b7f1a483aa16918bba799b395af468151d1e8ba8e6f parent signature: 601b7645cd196b61667ab33f062018a81231e28b56342224aa044188511bd709 revisions tested: 21, total time: 4h34m51.453956889s (build: 1h45m13.759448138s, test: 2h47m29.984141808s) first bad commit: a9ed4a6560b8562b7e2e2bed9527e88001f7b682 epoll: Keep a reference on files added to the check list recipients (to): ["linux-kernel@vger.kernel.org" "maz@kernel.org" "viro@zeniv.linux.org.uk"] recipients (cc): ["linux-fsdevel@vger.kernel.org" "viro@zeniv.linux.org.uk"] crash: BUG: unable to handle kernel NULL pointer dereference in snd_ctl_release BUG: kernel NULL pointer dereference, address: 0000000000000010 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 10f36d067 P4D 10f36d067 PUD 10ee5c067 PMD 0 Oops: 0000 [#1] PREEMPT SMP CPU: 1 PID: 17060 Comm: syz-executor.2 Not tainted 5.9.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:snd_ctl_release+0x1d/0x120 sound/core/control.c:114 Code: 0f 1f 00 66 2e 0f 1f 84 00 00 00 00 00 41 56 41 55 41 54 49 89 f4 55 53 48 8b 9e b0 01 00 00 48 c7 86 b0 01 00 00 00 00 00 00 <48> 8b 6b 10 4c 8d ad 48 07 00 00 4c 89 ef e8 b0 7c 8a 00 48 89 df RSP: 0018:ffffc9000238be80 EFLAGS: 00010282 RAX: ffffffff827a3bb0 RBX: 0000000000000000 RCX: ffffc9000238be24 RDX: 0000000000000000 RSI: ffff8881218e7e00 RDI: ffff8881255dfba0 RBP: 00000000002a0001 R08: 0000000000000000 R09: 0000000000000001 R10: 0000000000000000 R11: 9a7ba35b2ac72ee4 R12: ffff8881218e7e00 R13: ffff88812a944460 R14: ffff8881288d4618 R15: 0000000000000000 FS: 00007fa1169c5700(0000) GS:ffff88812c100000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000010 CR3: 000000010f279000 CR4: 00000000001506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: __fput+0xaa/0x250 fs/file_table.c:281 task_work_run+0x68/0xb0 kernel/task_work.c:141 tracehook_notify_resume include/linux/tracehook.h:188 [inline] exit_to_user_mode_loop kernel/entry/common.c:139 [inline] exit_to_user_mode_prepare+0x1e2/0x1f0 kernel/entry/common.c:166 syscall_exit_to_user_mode+0x59/0x2b0 kernel/entry/common.c:241 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x45d5b9 Code: 5d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007fa1169c4c78 EFLAGS: 00000246 ORIG_RAX: 00000000000000e9 RAX: 0000000000000000 RBX: 0000000000002ac0 RCX: 000000000045d5b9 RDX: 0000000000000004 RSI: 0000000000000001 RDI: 0000000000000006 RBP: 000000000118cf88 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000020000180 R11: 0000000000000246 R12: 000000000118cf4c R13: 000000000169fb6f R14: 00007fa1169c59c0 R15: 000000000118cf4c Modules linked in: CR2: 0000000000000010 ---[ end trace 33939c14a4d85cad ]--- RIP: 0010:snd_ctl_release+0x1d/0x120 sound/core/control.c:114 Code: 0f 1f 00 66 2e 0f 1f 84 00 00 00 00 00 41 56 41 55 41 54 49 89 f4 55 53 48 8b 9e b0 01 00 00 48 c7 86 b0 01 00 00 00 00 00 00 <48> 8b 6b 10 4c 8d ad 48 07 00 00 4c 89 ef e8 b0 7c 8a 00 48 89 df RSP: 0018:ffffc9000238be80 EFLAGS: 00010282 RAX: ffffffff827a3bb0 RBX: 0000000000000000 RCX: ffffc9000238be24 RDX: 0000000000000000 RSI: ffff8881218e7e00 RDI: ffff8881255dfba0 RBP: 00000000002a0001 R08: 0000000000000000 R09: 0000000000000001 R10: 0000000000000000 R11: 9a7ba35b2ac72ee4 R12: ffff8881218e7e00 R13: ffff88812a944460 R14: ffff8881288d4618 R15: 0000000000000000 FS: 00007fa1169c5700(0000) GS:ffff88812c100000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005639e0268160 CR3: 000000010f279000 CR4: 00000000001506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400