bisecting fixing commit since 7c60610d476766e128cc4284bb6349732cbd6606
building syzkaller on 2489ab887a86e8b1b253aef742e365a606db3a4f
testing commit 7c60610d476766e128cc4284bb6349732cbd6606
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 914c598cdb8b1df1f43bc055801be0076bc222e2ade96164c382fa11f3901653
run #0: crashed: KASAN: use-after-free Read in skb_dequeue
run #1: crashed: KASAN: use-after-free Read in h4_recv_buf
run #2: crashed: KASAN: use-after-free Read in h4_recv_buf
run #3: crashed: KASAN: use-after-free Read in h4_recv_buf
run #4: crashed: KASAN: use-after-free Read in h4_recv_buf
run #5: crashed: KASAN: use-after-free Write in hci_recv_frame
run #6: crashed: KASAN: use-after-free Read in h4_recv_buf
run #7: crashed: KASAN: use-after-free Read in skb_dequeue
run #8: crashed: KASAN: use-after-free Read in h4_recv_buf
run #9: crashed: KASAN: use-after-free Read in skb_dequeue
run #10: crashed: KASAN: use-after-free Read in h4_recv_buf
run #11: crashed: KASAN: use-after-free Write in hci_recv_frame
run #12: crashed: KASAN: use-after-free Read in h4_recv_buf
run #13: crashed: KASAN: use-after-free Read in skb_dequeue
run #14: crashed: KASAN: use-after-free Read in h4_recv_buf
run #15: crashed: KASAN: use-after-free Read in h4_recv_buf
run #16: crashed: KASAN: use-after-free Read in h4_recv_buf
run #17: crashed: KASAN: use-after-free Read in h4_recv_buf
run #18: crashed: KASAN: use-after-free Read in h4_recv_buf
run #19: crashed: KASAN: use-after-free Read in h4_recv_buf
testing current HEAD 3ca706c189db861b2ca2019a0901b94050ca49d8
testing commit 3ca706c189db861b2ca2019a0901b94050ca49d8
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 7f426b5a4af4703d2440feaad860712c8efc4afc757abd4cc2748ebee9ba1dfe
all runs: OK
# git bisect start 3ca706c189db861b2ca2019a0901b94050ca49d8 7c60610d476766e128cc4284bb6349732cbd6606
Bisecting: 5809 revisions left to test after this (roughly 13 steps)
[2037e5d6fbbcee276a10737a0ed40694dcd2d071] Merge tag 'usb-serial-5.15-rc1-2' of https://git.kernel.org/pub/scm/linux/kernel/git/johan/usb-serial into usb-next
testing commit 2037e5d6fbbcee276a10737a0ed40694dcd2d071
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: d938ddd06413a90f07491a82562f2cac4181b1a10a3d7bc20e094dc6a4934908
run #0: crashed: KASAN: use-after-free Read in __d_alloc
run #1: crashed: KASAN: use-after-free Read in __d_alloc
run #2: crashed: KASAN: use-after-free Read in __d_alloc
run #3: crashed: KASAN: use-after-free Read in __d_alloc
run #4: crashed: KASAN: use-after-free Read in __d_alloc
run #5: crashed: KASAN: use-after-free Read in __d_alloc
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good 2037e5d6fbbcee276a10737a0ed40694dcd2d071
Bisecting: 2917 revisions left to test after this (roughly 12 steps)
[c793011242d182e5f12800c12dbaf37af80be735] Merge tag 'pinctrl-v5.15-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl
testing commit c793011242d182e5f12800c12dbaf37af80be735
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: ae1946acafcfe6628a22186bb0eaf442910c6bbe782b4020d850c11b1b5527a5
run #0: crashed: KASAN: use-after-free Read in __d_alloc
run #1: crashed: KASAN: use-after-free Read in __d_alloc
run #2: crashed: KASAN: use-after-free Read in __d_alloc
run #3: crashed: KASAN: use-after-free Read in __d_alloc
run #4: crashed: KASAN: use-after-free Read in __d_alloc
run #5: crashed: KASAN: use-after-free Read in __d_alloc
run #6: crashed: KASAN: use-after-free Read in __d_alloc
run #7: crashed: KASAN: use-after-free Read in __d_alloc
run #8: crashed: KASAN: use-after-free Read in __d_alloc
run #9: OK
# git bisect good c793011242d182e5f12800c12dbaf37af80be735
Bisecting: 1466 revisions left to test after this (roughly 11 steps)
[5e6a5845dd651b00754a62edec2f0a439182024d] Merge tag 'gpio-updates-for-v5.15' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux
testing commit 5e6a5845dd651b00754a62edec2f0a439182024d
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: be8e9a4c94d93484d4e57fae48317aa2330bf0ddd02fa9c3b6d2060bb8ca554a
run #0: crashed: KASAN: use-after-free Read in __d_alloc
run #1: crashed: KASAN: use-after-free Read in __d_alloc
run #2: crashed: KASAN: use-after-free Read in __d_alloc
run #3: crashed: KASAN: use-after-free Read in __d_alloc
run #4: crashed: KASAN: use-after-free Read in __d_alloc
run #5: crashed: KASAN: use-after-free Read in __d_alloc
run #6: crashed: KASAN: use-after-free Read in __d_alloc
run #7: crashed: KASAN: use-after-free Read in __d_alloc
run #8: crashed: KASAN: use-after-free Read in __d_alloc
run #9: OK
# git bisect good 5e6a5845dd651b00754a62edec2f0a439182024d
Bisecting: 738 revisions left to test after this (roughly 10 steps)
[9c566611ac5cc7b45af943632f7a9b1b6a642991] Merge tag 'acpi-5.15-rc1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm
testing commit 9c566611ac5cc7b45af943632f7a9b1b6a642991
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 3f9af698c82680becc68c64e9f74707d7877e7f2fade67d070741ce975fc8a84
run #0: crashed: KASAN: use-after-free Read in __d_alloc
run #1: crashed: KASAN: use-after-free Read in __d_alloc
run #2: crashed: KASAN: use-after-free Read in __d_alloc
run #3: crashed: KASAN: use-after-free Read in __d_alloc
run #4: OK
run #5: crashed: KASAN: use-after-free Read in __d_alloc
run #6: crashed: KASAN: use-after-free Read in __d_alloc
run #7: OK
run #8: OK
run #9: crashed: KASAN: use-after-free Read in __d_alloc
# git bisect good 9c566611ac5cc7b45af943632f7a9b1b6a642991
Bisecting: 394 revisions left to test after this (roughly 9 steps)
[a668acb8f01fc0d1e3877cddecbe319ef2ef651c] Merge tag 'drm-next-2021-09-10' of git://anongit.freedesktop.org/drm/drm
testing commit a668acb8f01fc0d1e3877cddecbe319ef2ef651c
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: b3a2a44d2283f84c6a493661cc0ce3519b38ace2cd6521708a89f38d99a9d828
run #0: crashed: KASAN: use-after-free Read in __d_alloc
run #1: crashed: KASAN: use-after-free Read in __d_alloc
run #2: crashed: KASAN: use-after-free Read in __d_alloc
run #3: crashed: KASAN: use-after-free Read in __d_alloc
run #4: crashed: KASAN: use-after-free Read in __d_alloc
run #5: crashed: KASAN: use-after-free Read in __d_alloc
run #6: crashed: KASAN: use-after-free Read in __d_alloc
run #7: OK
run #8: crashed: KASAN: use-after-free Read in __d_alloc
run #9: crashed: KASAN: use-after-free Read in __d_alloc
# git bisect good a668acb8f01fc0d1e3877cddecbe319ef2ef651c
Bisecting: 196 revisions left to test after this (roughly 8 steps)
[6701e7e7d8ee4f80d0c450aeab101e4a2a2678fa] Merge tag 'pwm/for-5.15-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/thierry.reding/linux-pwm
testing commit 6701e7e7d8ee4f80d0c450aeab101e4a2a2678fa
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 1586d2d08443b5465b748f5a4f1f5aad26213a03981158cb45b2d7de763171c6
all runs: crashed: KASAN: use-after-free Read in __d_alloc
# git bisect good 6701e7e7d8ee4f80d0c450aeab101e4a2a2678fa
Bisecting: 90 revisions left to test after this (roughly 7 steps)
[78e709522d2c012cb0daad2e668506637bffb7c2] Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost
testing commit 78e709522d2c012cb0daad2e668506637bffb7c2
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 746b8f786dcef1cc99dc1b5adde05b2ad6c49c1c271143d08ab2e72f63143f79
run #0: crashed: KASAN: use-after-free Read in __d_alloc
run #1: crashed: KASAN: use-after-free Read in __d_alloc
run #2: crashed: KASAN: use-after-free Read in __d_alloc
run #3: OK
run #4: OK
run #5: crashed: KASAN: use-after-free Read in __d_alloc
run #6: crashed: KASAN: use-after-free Read in __d_alloc
run #7: crashed: KASAN: use-after-free Read in __d_alloc
run #8: OK
run #9: OK
# git bisect good 78e709522d2c012cb0daad2e668506637bffb7c2
Bisecting: 45 revisions left to test after this (roughly 6 steps)
[c3e46874dfb9a2ef08085bb147dc371e72738673] Merge tag 'compiler-attributes-for-linus-v5.15-rc1-v2' of git://github.com/ojeda/linux
testing commit c3e46874dfb9a2ef08085bb147dc371e72738673
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: a35bfa6b3f3ff9a8718304a919d1b6e9fa8433f3f1325bbc0093fda6f5aad77e
all runs: OK
# git bisect bad c3e46874dfb9a2ef08085bb147dc371e72738673
Bisecting: 23 revisions left to test after this (roughly 5 steps)
[165d05d88c27697fe444a6eae4f3882834ef8826] Merge tag 'locking_urgent_for_v5.15_rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
testing commit 165d05d88c27697fe444a6eae4f3882834ef8826
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 2ec778274e2cc07358da08f81ae371d4780582a17e758477a04ec5f0e394be32
all runs: OK
# git bisect bad 165d05d88c27697fe444a6eae4f3882834ef8826
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[fdfc346302a7b63e3d5b9168be74bb12b1975999] Merge branch 'misc.namei' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
testing commit fdfc346302a7b63e3d5b9168be74bb12b1975999
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 19b77146faa503012d5de7d97fb34da7f1a55732fe874787f4e01c16b70e892e
all runs: OK
# git bisect bad fdfc346302a7b63e3d5b9168be74bb12b1975999
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[ea47ab111669b187808b3080602788dec26cb9bc] putname(): IS_ERR_OR_NULL() is wrong here
testing commit ea47ab111669b187808b3080602788dec26cb9bc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: d07e7d721e7a5589e2e0739a3d5c80d42fd8706dc6a9853b695d1c5fc1d0c1a4
all runs: OK
# git bisect bad ea47ab111669b187808b3080602788dec26cb9bc
Bisecting: 2 revisions left to test after this (roughly 1 step)
[c5f563f9e9e66c0ad0b23abe25165c124579b70e] rename __filename_parentat() to filename_parentat()
testing commit c5f563f9e9e66c0ad0b23abe25165c124579b70e
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: fd49278afd171ccda24a47e68dd90c579defad33744b49fcc62327dc0b3d3225
all runs: OK
# git bisect bad c5f563f9e9e66c0ad0b23abe25165c124579b70e
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[0766ec82e5fb26fc5dc6d592bc61865608bdc651] namei: Fix use after free in kern_path_locked
testing commit 0766ec82e5fb26fc5dc6d592bc61865608bdc651
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 0fbd0c348f78a140f34350ce5a542750c02004fdf265f175ff163319c26a54cc
all runs: OK
# git bisect bad 0766ec82e5fb26fc5dc6d592bc61865608bdc651
0766ec82e5fb26fc5dc6d592bc61865608bdc651 is the first bad commit
commit 0766ec82e5fb26fc5dc6d592bc61865608bdc651
Author: Stephen Brennan
Date:   Wed Sep 1 10:51:41 2021 -0700

    namei: Fix use after free in kern_path_locked

    In 0ee50b47532a ("namei: change filename_parentat() calling conventions"),
    filename_parentat() was made to always call putname() on the filename
    before returning, and kern_path_locked() was migrated to this calling
    convention. However, kern_path_locked() uses the "last" parameter to
    lookup and potentially create a new dentry. The last parameter contains
    the last component of the path and points within the filename, which was
    recently freed at the end of filename_parentat(). Thus, when
    kern_path_locked() calls __lookup_hash(), it is using the filename after
    it has already been freed.

    In other words, these calling conventions had been wrong for the only
    remaining caller of filename_parentat(). Everything else is using
    __filename_parentat(), which does not drop the reference; so should
    kern_path_locked().

    Switch kern_path_locked() to use of __filename_parentat() and move
    getting/dropping struct filename into wrapper. Remove filename_parentat(),
    now that we have no remaining callers.

    Fixes: 0ee50b47532a ("namei: change filename_parentat() calling conventions")
    Link: https://lore.kernel.org/linux-fsdevel/YS9D4AlEsaCxLFV0@infradead.org/
    Link: https://lore.kernel.org/linux-fsdevel/YS+csMTV2tTXKg3s@zeniv-ca.linux.org.uk/
    Cc: Christoph Hellwig
    Cc: Al Viro
    Reported-by: syzbot+fb0d60a179096e8c2731@syzkaller.appspotmail.com
    Signed-off-by: Stephen Brennan
    Co-authored-by: Dmitry Kadashev
    Signed-off-by: Al Viro

 fs/namei.c | 29 ++++++++++++++---------------
 1 file changed, 14 insertions(+), 15 deletions(-)

parent commit 4b93c544e90e2b28326182d31ee008eb80e02074 wasn't tested
testing commit 4b93c544e90e2b28326182d31ee008eb80e02074
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 3762c211781004bbb518c024b89fa1bce14fd3a9b1936975143fe425caa68b57
culprit signature: 0fbd0c348f78a140f34350ce5a542750c02004fdf265f175ff163319c26a54cc
parent signature: 3762c211781004bbb518c024b89fa1bce14fd3a9b1936975143fe425caa68b57
revisions tested: 15, total time: 4h29m28.732117163s (build: 1h43m14.620221647s, test: 2h44m42.531010502s)
first good commit: 0766ec82e5fb26fc5dc6d592bc61865608bdc651 namei: Fix use after free in kern_path_locked
recipients (to): ["linux-kernel@vger.kernel.org" "stephen.s.brennan@oracle.com" "viro@zeniv.linux.org.uk"]
recipients (cc): ["linux-fsdevel@vger.kernel.org" "viro@zeniv.linux.org.uk"]