bisecting cause commit starting from 8fe28cb58bcb235034b64cbbb7550a8a43fd88be building syzkaller on 8a41a0ad8ed91a6c7a65663b1bacaf6d79cde558 testing commit 8fe28cb58bcb235034b64cbbb7550a8a43fd88be with gcc (GCC) 8.1.0 run #0: crashed: BUG: unable to handle kernel paging request in slhc_free run #1: crashed: BUG: unable to handle kernel paging request in slhc_free run #2: crashed: BUG: unable to handle kernel paging request in slhc_free run #3: crashed: BUG: unable to handle kernel paging request in corrupted run #4: crashed: BUG: unable to handle kernel paging request in slhc_free run #5: crashed: BUG: unable to handle kernel paging request in slhc_free run #6: crashed: BUG: unable to handle kernel paging request in slhc_free run #7: crashed: BUG: unable to handle kernel paging request in slhc_free run #8: crashed: BUG: unable to handle kernel paging request in slhc_free run #9: crashed: BUG: unable to handle kernel paging request in slhc_free testing release v4.19 testing commit 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d with gcc (GCC) 8.1.0 all runs: crashed: BUG: unable to handle kernel paging request in slhc_free testing release v4.18 testing commit 94710cac0ef4ee177a63b5227664b38c95bbf703 with gcc (GCC) 8.1.0 all runs: crashed: BUG: unable to handle kernel paging request in slhc_free testing release v4.17 testing commit 29dcea88779c856c7dc92040a0c01233263101d4 with gcc (GCC) 8.1.0 all runs: crashed: BUG: unable to handle kernel paging request in slhc_free testing release v4.16 testing commit 0adb32858b0bddf4ada5f364a84ed60b196dbcda with gcc (GCC) 8.1.0 all runs: crashed: BUG: unable to handle kernel paging request in slhc_free testing release v4.15 testing commit d8a5b80568a9cb66810e75b182018e9edb68e8ff with gcc (GCC) 8.1.0 all runs: crashed: BUG: unable to handle kernel paging request in slhc_free testing release v4.14 testing commit bebc6082da0a9f5d47a1ea2edc099bf671058bd4 with gcc (GCC) 8.1.0 all runs: crashed: BUG: unable to handle kernel paging request in slhc_free testing release v4.13 testing commit 569dbb88e80deb68974ef6fdd6a13edb9d686261 with gcc (GCC) 8.1.0 all runs: crashed: BUG: unable to handle kernel paging request in slhc_free testing release v4.12 testing commit 6f7da290413ba713f0cdd9ff1a2a9bb129ef4f6c with gcc (GCC) 8.1.0 all runs: OK # git bisect start 569dbb88e80deb68974ef6fdd6a13edb9d686261 6f7da290413ba713f0cdd9ff1a2a9bb129ef4f6c Bisecting: 7028 revisions left to test after this (roughly 13 steps) [ac7b75966c9c86426b55fe1c50ae148aa4571075] Merge tag 'pinctrl-v4.13-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl testing commit ac7b75966c9c86426b55fe1c50ae148aa4571075 with gcc (GCC) 8.1.0 all runs: OK # git bisect good ac7b75966c9c86426b55fe1c50ae148aa4571075 Bisecting: 3520 revisions left to test after this (roughly 12 steps) [9c284c41c0886f09e75c323a16278b6d353b0b4a] mmc: tmio-mmc: fix bad pointer math testing commit 9c284c41c0886f09e75c323a16278b6d353b0b4a with gcc (GCC) 8.1.0 all runs: OK # git bisect good 9c284c41c0886f09e75c323a16278b6d353b0b4a Bisecting: 1754 revisions left to test after this (roughly 11 steps) [505d5c11192960a3f0639d1d9e05dffeddd4e874] Merge tag 'nfs-for-4.13-2' of git://git.linux-nfs.org/projects/anna/linux-nfs testing commit 505d5c11192960a3f0639d1d9e05dffeddd4e874 with gcc (GCC) 8.1.0 all runs: crashed: BUG: unable to handle kernel paging request in slhc_free # git bisect bad 505d5c11192960a3f0639d1d9e05dffeddd4e874 Bisecting: 909 revisions left to test after this (roughly 10 steps) [62403005975c678ba7594a36670ae3bf0273d7c4] Merge tag 'nfsd-4.13' of git://linux-nfs.org/~bfields/linux testing commit 62403005975c678ba7594a36670ae3bf0273d7c4 with gcc (GCC) 8.1.0 all runs: crashed: BUG: unable to handle kernel paging request in slhc_free # git bisect bad 62403005975c678ba7594a36670ae3bf0273d7c4 Bisecting: 430 revisions left to test after this (roughly 9 steps) [38f7d2da4e39d454f2cb3e7c1ae35afde3d61123] Merge tag 'pwm/for-4.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/thierry.reding/linux-pwm testing commit 38f7d2da4e39d454f2cb3e7c1ae35afde3d61123 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 38f7d2da4e39d454f2cb3e7c1ae35afde3d61123 Bisecting: 212 revisions left to test after this (roughly 8 steps) [6735a1971a00a29a96aa3ea5dc08912bfee95c51] Merge tag 'platform-drivers-x86-v4.13-2' of git://git.infradead.org/linux-platform-drivers-x86 testing commit 6735a1971a00a29a96aa3ea5dc08912bfee95c51 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 6735a1971a00a29a96aa3ea5dc08912bfee95c51 Bisecting: 100 revisions left to test after this (roughly 7 steps) [bc0f51d35994bc14ae9bebadc9523399711fedf8] Merge tag 'trace-v4.13-2' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace testing commit bc0f51d35994bc14ae9bebadc9523399711fedf8 with gcc (GCC) 8.1.0 all runs: crashed: BUG: unable to handle kernel paging request in slhc_free # git bisect bad bc0f51d35994bc14ae9bebadc9523399711fedf8 Bisecting: 55 revisions left to test after this (roughly 6 steps) [a10a842ff81a7e3810817b3b04e4c432b6191e21] kernel/watchdog: provide watchdog_nmi_reconfigure() for arch watchdogs testing commit a10a842ff81a7e3810817b3b04e4c432b6191e21 with gcc (GCC) 8.1.0 all runs: crashed: BUG: unable to handle kernel paging request in slhc_free # git bisect bad a10a842ff81a7e3810817b3b04e4c432b6191e21 Bisecting: 27 revisions left to test after this (roughly 5 steps) [77493f04b74cdff3a61fb3fb14b1f5a71d88fd5f] procfs: fdinfo: extend information about epoll target files testing commit 77493f04b74cdff3a61fb3fb14b1f5a71d88fd5f with gcc (GCC) 8.1.0 all runs: OK # git bisect good 77493f04b74cdff3a61fb3fb14b1f5a71d88fd5f Bisecting: 13 revisions left to test after this (roughly 4 steps) [52f908904e7e05b6300162faa48152df073be645] ipc/msg: avoid ipc_rcu_alloc() testing commit 52f908904e7e05b6300162faa48152df073be645 with gcc (GCC) 8.1.0 all runs: crashed: BUG: unable to handle kernel paging request in slhc_free # git bisect bad 52f908904e7e05b6300162faa48152df073be645 Bisecting: 6 revisions left to test after this (roughly 3 steps) [f8dbe8d290637ac3f68600e30d092393fe9b40a5] ipc: drop non-RCU allocation testing commit f8dbe8d290637ac3f68600e30d092393fe9b40a5 with gcc (GCC) 8.1.0 all runs: crashed: BUG: unable to handle kernel paging request in slhc_free # git bisect bad f8dbe8d290637ac3f68600e30d092393fe9b40a5 Bisecting: 3 revisions left to test after this (roughly 2 steps) [e41d58185f1444368873d4d7422f7664a68be61d] fault-inject: support systematic fault injection testing commit e41d58185f1444368873d4d7422f7664a68be61d with gcc (GCC) 8.1.0 all runs: crashed: BUG: unable to handle kernel paging request in slhc_free # git bisect bad e41d58185f1444368873d4d7422f7664a68be61d Bisecting: 0 revisions left to test after this (roughly 1 step) [92ef6da3d06ff551a86de41ae37df9cc4b58d7a0] kcmp: fs/epoll: wrap kcmp code with CONFIG_CHECKPOINT_RESTORE testing commit 92ef6da3d06ff551a86de41ae37df9cc4b58d7a0 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 92ef6da3d06ff551a86de41ae37df9cc4b58d7a0 e41d58185f1444368873d4d7422f7664a68be61d is the first bad commit commit e41d58185f1444368873d4d7422f7664a68be61d Author: Dmitry Vyukov Date: Wed Jul 12 14:34:35 2017 -0700 fault-inject: support systematic fault injection Add /proc/self/task//fail-nth file that allows failing 0-th, 1-st, 2-nd and so on calls systematically. Excerpt from the added documentation: "Write to this file of integer N makes N-th call in the current task fail (N is 0-based). Read from this file returns a single char 'Y' or 'N' that says if the fault setup with a previous write to this file was injected or not, and disables the fault if it wasn't yet injected. Note that this file enables all types of faults (slab, futex, etc). This setting takes precedence over all other generic settings like probability, interval, times, etc. But per-capability settings (e.g. fail_futex/ignore-private) take precedence over it. This feature is intended for systematic testing of faults in a single system call. See an example below" Why add a new setting: 1. Existing settings are global rather than per-task. So parallel testing is not possible. 2. attr->interval is close but it depends on attr->count which is non reset to 0, so interval does not work as expected. 3. Trying to model this with existing settings requires manipulations of all of probability, interval, times, space, task-filter and unexposed count and per-task make-it-fail files. 4. Existing settings are per-failure-type, and the set of failure types is potentially expanding. 5. make-it-fail can't be changed by unprivileged user and aggressive stress testing better be done from an unprivileged user. Similarly, this would require opening the debugfs files to the unprivileged user, as he would need to reopen at least times file (not possible to pre-open before dropping privs). The proposed interface solves all of the above (see the example). We want to integrate this into syzkaller fuzzer. A prototype has found 10 bugs in kernel in first day of usage: https://groups.google.com/forum/#!searchin/syzkaller/%22FAULT_INJECTION%22%7Csort:relevance I've made the current interface work with all types of our sandboxes. For setuid the secret sauce was prctl(PR_SET_DUMPABLE, 1, 0, 0, 0) to make /proc entries non-root owned. So I am fine with the current version of the code. [akpm@linux-foundation.org: fix build] Link: http://lkml.kernel.org/r/20170328130128.101773-1-dvyukov@google.com Signed-off-by: Dmitry Vyukov Cc: Akinobu Mita Cc: Michal Hocko Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds :040000 040000 5ff23b4f717faa09a3a303c852d1f879e5c93424 dee40d91ff399cf23471067637b29ba5e1d89733 M Documentation :040000 040000 27977119aa5c7d9e92fc80003c42eb2b4f32cd8a 17fc845fd59fd4d9cd4b38fc91096cf8dfa8cbe3 M fs :040000 040000 ed948d2418da0ee21a502e292d26d30545d58083 67b2b84dc7ad4f73ffe68c2027ef782fb3f91120 M include :040000 040000 5a5aae0ff0d0ab5471e6a7da1dade99054f3438d 5649fd62cab2718586583d958d93c058385fdd52 M kernel :040000 040000 1394cb104a7599e44373b833e369563c29cb2560 d6b4eb0e7b6f9335a6e35b9dbe3f136c0c8dc3b7 M lib revisions tested: 22, total time: 4h6m10.272610308s (build: 1h52m40.411769943s, test: 2h7m3.698750389s) first bad commit: e41d58185f1444368873d4d7422f7664a68be61d fault-inject: support systematic fault injection cc: ["akinobu.mita@gmail.com" "akpm@linux-foundation.org" "dvyukov@google.com" "mhocko@kernel.org" "torvalds@linux-foundation.org"] crash: BUG: unable to handle kernel paging request in slhc_free RAX: ffffffffffffffda RBX: 00007f65e1c2ac90 RCX: 00000000004578a9 RDX: 0000000020000080 RSI: 0000000000005423 RDI: 0000000000000003 RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f65e1c2b6d4 R13: 00000000004c59b1 R14: 00000000004da4f8 R15: 00000000ffffffff BUG: unable to handle kernel paging request at fffffbfffffffffe IP: slhc_free+0x1e/0x80 drivers/net/slip/slhc.c:159 PGD 21fff4067 P4D 21fff4067 PUD 21fff3067 PMD 21fff2067 PTE 0 Oops: 0000 [#1] PREEMPT SMP KASAN Modules linked in: CPU: 0 PID: 8316 Comm: syz-executor4 Not tainted 4.12.0+ #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 task: ffff8801b8926280 task.stack: ffff8801bc830000 RIP: 0010:slhc_free+0x1e/0x80 drivers/net/slip/slhc.c:159 RSP: 0018:ffff8801bc8379d0 EFLAGS: 00010a03 RAX: dffffc0000000000 RBX: fffffffffffffff4 RCX: 1ffff10037124d6a RDX: 1ffffffffffffffe RSI: ffff8801b8926b30 RDI: fffffffffffffff4 RBP: ffff8801bc8379d8 R08: ffff8801b8926b50 R09: 0000000000000006 R10: 0000000000000000 R11: ffff8801b8926280 R12: fffffffffffffff4 R13: ffff8801b89515c0 R14: ffff8801b89515c8 R15: ffff8801b8950b00 FS: 00007f65e1c2b700(0000) GS:ffff8801dac00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: fffffbfffffffffe CR3: 00000001c0b82000 CR4: 00000000001406f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: sl_alloc_bufs drivers/net/slip/slip.c:197 [inline] slip_open+0xd22/0x1097 drivers/net/slip/slip.c:826 tty_ldisc_open.isra.1+0x60/0xa0 drivers/tty/tty_ldisc.c:466 tty_set_ldisc+0x25a/0x750 drivers/tty/tty_ldisc.c:594 tiocsetd drivers/tty/tty_io.c:2220 [inline] tty_ioctl+0xd92/0x1320 drivers/tty/tty_io.c:2464 vfs_ioctl fs/ioctl.c:45 [inline] file_ioctl fs/ioctl.c:499 [inline] do_vfs_ioctl+0x183/0x15a0 fs/ioctl.c:683 SYSC_ioctl fs/ioctl.c:700 [inline] SyS_ioctl+0x74/0x80 fs/ioctl.c:691 entry_SYSCALL_64_fastpath+0x23/0xc2 RIP: 0033:0x4578a9 RSP: 002b:00007f65e1c2ac78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f65e1c2ac90 RCX: 00000000004578a9 RDX: 0000000020000080 RSI: 0000000000005423 RDI: 0000000000000003 RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f65e1c2b6d4 R13: 00000000004c59b1 R14: 00000000004da4f8 R15: 00000000ffffffff Code: 55 fd eb ed 66 0f 1f 84 00 00 00 00 00 48 85 ff 74 60 48 b8 00 00 00 00 00 fc ff df 48 89 fa 55 48 c1 ea 03 48 89 e5 53 48 89 fb <80> 3c 02 00 75 42 48 8b 3b 48 85 ff 74 05 e8 6f fa 54 fd 48 8d RIP: slhc_free+0x1e/0x80 drivers/net/slip/slhc.c:159 RSP: ffff8801bc8379d0 CR2: fffffbfffffffffe ---[ end trace 305830fe9e66b546 ]---