bisecting cause commit starting from a2d635decbfa9c1e4ae15cb05b68b2559f7f827c building syzkaller on 6fc130d3610b8b90ea16c27dd10eb758ae7267a3 testing commit a2d635decbfa9c1e4ae15cb05b68b2559f7f827c with gcc (GCC) 8.1.0 all runs: crashed: WARNING: locking bug in copy_process testing release v5.1 testing commit e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd with gcc (GCC) 8.1.0 all runs: OK # git bisect start a2d635decbfa9c1e4ae15cb05b68b2559f7f827c v5.1 Bisecting: 4612 revisions left to test after this (roughly 12 steps) [82efe439599439a5e1e225ce5740e6cfb777a7dd] Merge tag 'devicetree-for-5.2' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux testing commit 82efe439599439a5e1e225ce5740e6cfb777a7dd with gcc (GCC) 8.1.0 all runs: crashed: WARNING: locking bug in copy_process # git bisect bad 82efe439599439a5e1e225ce5740e6cfb777a7dd Bisecting: 1813 revisions left to test after this (roughly 11 steps) [78438ce18f26dbcaa8993bb45d20ffb0cec3bc3e] Merge branch 'stable-fodder' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs testing commit 78438ce18f26dbcaa8993bb45d20ffb0cec3bc3e with gcc (GCC) 8.1.0 all runs: OK # git bisect good 78438ce18f26dbcaa8993bb45d20ffb0cec3bc3e Bisecting: 688 revisions left to test after this (roughly 10 steps) [e0dccbdf5ac7ccb9da5612100dedba302f3ebcfe] Merge tag 'staging-5.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging testing commit e0dccbdf5ac7ccb9da5612100dedba302f3ebcfe with gcc (GCC) 8.1.0 all runs: crashed: WARNING: locking bug in copy_process # git bisect bad e0dccbdf5ac7ccb9da5612100dedba302f3ebcfe Bisecting: 564 revisions left to test after this (roughly 9 steps) [817de6b85914a3dda72b971c074d4d342965fba0] Merge 5.1-rc6 into staging-next testing commit 817de6b85914a3dda72b971c074d4d342965fba0 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 817de6b85914a3dda72b971c074d4d342965fba0 Bisecting: 280 revisions left to test after this (roughly 8 steps) [41bc10cabe96bbd0ff3e2813d15f9070bff57a03] Merge tag 'stream_open-5.2' of https://lab.nexedi.com/kirr/linux testing commit 41bc10cabe96bbd0ff3e2813d15f9070bff57a03 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 41bc10cabe96bbd0ff3e2813d15f9070bff57a03 Bisecting: 155 revisions left to test after this (roughly 7 steps) [01e5d1830cf54ac45768ef9ceb3e79cea2e1198c] Merge tag 'mmc-v5.2' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc testing commit 01e5d1830cf54ac45768ef9ceb3e79cea2e1198c with gcc (GCC) 8.1.0 all runs: crashed: WARNING: locking bug in copy_process # git bisect bad 01e5d1830cf54ac45768ef9ceb3e79cea2e1198c Bisecting: 62 revisions left to test after this (roughly 6 steps) [f19337d55fac5db6d703905077c5e251c87c37d3] Revert "mmc: alcor: enable DMA transfer of large buffers" testing commit f19337d55fac5db6d703905077c5e251c87c37d3 with gcc (GCC) 8.1.0 all runs: OK # git bisect good f19337d55fac5db6d703905077c5e251c87c37d3 Bisecting: 35 revisions left to test after this (roughly 5 steps) [ccaa75187a5f1d8131b424160eb90a8a94be287f] memstick: mark expected switch fall-throughs testing commit ccaa75187a5f1d8131b424160eb90a8a94be287f with gcc (GCC) 8.1.0 all runs: OK # git bisect good ccaa75187a5f1d8131b424160eb90a8a94be287f Bisecting: 17 revisions left to test after this (roughly 4 steps) [43d8dabb4074cf7f3b1404bfbaeba5aa6f3e5cfc] mmc: core: Fix tag set memory leak testing commit 43d8dabb4074cf7f3b1404bfbaeba5aa6f3e5cfc with gcc (GCC) 8.1.0 all runs: OK # git bisect good 43d8dabb4074cf7f3b1404bfbaeba5aa6f3e5cfc Bisecting: 8 revisions left to test after this (roughly 3 steps) [2d60d96b6f00de90ec2bc60eb4cdcc46e1e1f161] Merge tag 'meminit-v5.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux testing commit 2d60d96b6f00de90ec2bc60eb4cdcc46e1e1f161 with gcc (GCC) 8.1.0 all runs: crashed: WARNING: locking bug in copy_process # git bisect bad 2d60d96b6f00de90ec2bc60eb4cdcc46e1e1f161 Bisecting: 4 revisions left to test after this (roughly 2 steps) [43c6afee48d4d866d5eb984d3a5dbbc7d9b4e7bf] samples: show race-free pidfd metadata access testing commit 43c6afee48d4d866d5eb984d3a5dbbc7d9b4e7bf with gcc (GCC) 8.1.0 all runs: crashed: WARNING: locking bug in copy_process # git bisect bad 43c6afee48d4d866d5eb984d3a5dbbc7d9b4e7bf Bisecting: 1 revision left to test after this (roughly 1 step) [b3e5838252665ee4cfa76b82bdf1198dca81e5be] clone: add CLONE_PIDFD testing commit b3e5838252665ee4cfa76b82bdf1198dca81e5be with gcc (GCC) 8.1.0 run #0: boot failed: failed to get create image operation operation-1557438897629-5887b8040a84d-fb99e2fd-d3f29f4a: Get https://www.googleapis.com/compute/beta/projects/syzkaller/zones/us-central1-c/operations/operation-1557438897629-5887b8040a84d-fb99e2fd-d3f29f4a?alt=json: read tcp 10.128.0.26:38948->64.233.191.95:443: read: connection reset by peer run #1: boot failed: failed to create instance: Post https://www.googleapis.com/compute/beta/projects/syzkaller/zones/us-central1-c/instances?alt=json: read tcp 10.128.0.26:38948->64.233.191.95:443: read: connection reset by peer run #2: boot failed: failed to create instance: Post https://www.googleapis.com/compute/beta/projects/syzkaller/zones/us-central1-c/instances?alt=json: read tcp 10.128.0.26:38948->64.233.191.95:443: read: connection reset by peer run #3: crashed: WARNING: locking bug in copy_process run #4: crashed: WARNING: locking bug in copy_process # git bisect bad b3e5838252665ee4cfa76b82bdf1198dca81e5be Bisecting: 0 revisions left to test after this (roughly 0 steps) [5dd50aaeb1853ee0953b60fa6d1143d95429ae7b] Make anon_inodes unconditional testing commit 5dd50aaeb1853ee0953b60fa6d1143d95429ae7b with gcc (GCC) 8.1.0 run #0: basic kernel testing failed: failed to copy test binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/syzkaller/jobs/linux/workdir/image/key" "/tmp/syz-executor414228932" "root@10.128.1.13:./syz-executor414228932"]: exit status 1 ssh: connect to host 10.128.1.13 port 22: Connection timed out lost connection run #1: OK run #2: OK run #3: OK run #4: OK # git bisect good 5dd50aaeb1853ee0953b60fa6d1143d95429ae7b b3e5838252665ee4cfa76b82bdf1198dca81e5be is the first bad commit commit b3e5838252665ee4cfa76b82bdf1198dca81e5be Author: Christian Brauner Date: Wed Mar 27 13:04:15 2019 +0100 clone: add CLONE_PIDFD This patchset makes it possible to retrieve pid file descriptors at process creation time by introducing the new flag CLONE_PIDFD to the clone() system call. Linus originally suggested to implement this as a new flag to clone() instead of making it a separate system call. As spotted by Linus, there is exactly one bit for clone() left. CLONE_PIDFD creates file descriptors based on the anonymous inode implementation in the kernel that will also be used to implement the new mount api. They serve as a simple opaque handle on pids. Logically, this makes it possible to interpret a pidfd differently, narrowing or widening the scope of various operations (e.g. signal sending). Thus, a pidfd cannot just refer to a tgid, but also a tid, or in theory - given appropriate flag arguments in relevant syscalls - a process group or session. A pidfd does not represent a privilege. This does not imply it cannot ever be that way but for now this is not the case. A pidfd comes with additional information in fdinfo if the kernel supports procfs. The fdinfo file contains the pid of the process in the callers pid namespace in the same format as the procfs status file, i.e. "Pid:\t%d". As suggested by Oleg, with CLONE_PIDFD the pidfd is returned in the parent_tidptr argument of clone. This has the advantage that we can give back the associated pid and the pidfd at the same time. To remove worries about missing metadata access this patchset comes with a sample program that illustrates how a combination of CLONE_PIDFD, and pidfd_send_signal() can be used to gain race-free access to process metadata through /proc/. The sample program can easily be translated into a helper that would be suitable for inclusion in libc so that users don't have to worry about writing it themselves. Suggested-by: Linus Torvalds Signed-off-by: Christian Brauner Co-developed-by: Jann Horn Signed-off-by: Jann Horn Reviewed-by: Oleg Nesterov Cc: Arnd Bergmann Cc: "Eric W. Biederman" Cc: Kees Cook Cc: Thomas Gleixner Cc: David Howells Cc: "Michael Kerrisk (man-pages)" Cc: Andy Lutomirsky Cc: Andrew Morton Cc: Aleksa Sarai Cc: Linus Torvalds Cc: Al Viro :040000 040000 5e62bb54dbe5297af69fc648d6222c3581f81dee 6b7bd4cfae66ee0eadc13978add6f81a75daee8b M include :040000 040000 af1812eea720fc98bd1370ad99c5a9ce3412efb8 fd97d2decd0b9e6bd692335676c5fb362a3e6970 M kernel revisions tested: 15, total time: 4h15m51.08835339s (build: 2h6m11.719495533s, test: 2h2m43.917687378s) first bad commit: b3e5838252665ee4cfa76b82bdf1198dca81e5be clone: add CLONE_PIDFD cc: ["akpm@linux-foundation.org" "arnd@arndb.de" "christian@brauner.io" "cyphar@cyphar.com" "dhowells@redhat.com" "ebiederm@xmission.com" "jannh@google.com" "keescook@chromium.org" "luto@kernel.org" "mtk.manpages@gmail.com" "oleg@redhat.com" "tglx@linutronix.de" "torvalds@linux-foundation.org" "viro@zeniv.linux.org.uk"] crash: WARNING: locking bug in copy_process R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 ------------[ cut here ]------------ DEBUG_LOCKS_WARN_ON(depth <= 0) WARNING: CPU: 0 PID: 7214 at kernel/locking/lockdep.c:3961 __lock_release kernel/locking/lockdep.c:3961 [inline] WARNING: CPU: 0 PID: 7214 at kernel/locking/lockdep.c:3961 lock_release+0x613/0x8b0 kernel/locking/lockdep.c:4230 Kernel panic - not syncing: panic_on_warn set ... CPU: 0 PID: 7214 Comm: syz-executor.0 Not tainted 5.1.0-rc4+ #1 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x113/0x167 lib/dump_stack.c:113 panic+0x212/0x41d kernel/panic.c:214 __warn.cold.8+0x1b/0x36 kernel/panic.c:571 report_bug+0x1a4/0x200 lib/bug.c:186 fixup_bug arch/x86/kernel/traps.c:179 [inline] do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:272 do_invalid_op+0x36/0x40 arch/x86/kernel/traps.c:291 invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:973 RIP: 0010:__lock_release kernel/locking/lockdep.c:3961 [inline] RIP: 0010:lock_release+0x613/0x8b0 kernel/locking/lockdep.c:4230 Code: 03 38 d0 7c 08 84 d2 0f 85 a3 02 00 00 8b 35 c8 ce 83 07 85 f6 75 15 48 c7 c6 20 af ea 86 48 c7 c7 80 7e ea 86 e8 40 f6 ec ff <0f> 0b 48 8b 95 70 ff ff ff 4c 89 ee 4c 89 f7 e8 69 56 ff ff e9 df RSP: 0018:ffff888090407a98 EFLAGS: 00010086 RAX: 0000000000000000 RBX: 1ffff11012080f57 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000000 RBP: ffff888090407b40 R08: fffffbfff10328a1 R09: fffffbfff10328a0 R10: fffffbfff10328a0 R11: ffffffff88194503 R12: ffffffff89cc6a20 R13: ffffffff89ccbab8 R14: ffff8880915fc100 R15: ffff8880915fc978 percpu_up_read.constprop.43+0xa6/0xd0 include/linux/percpu-rwsem.h:92 cgroup_threadgroup_change_end include/linux/cgroup-defs.h:712 [inline] copy_process.part.39+0x4b3d/0x70f0 kernel/fork.c:2214 copy_process kernel/fork.c:1764 [inline] _do_fork+0x160/0xb90 kernel/fork.c:2325 __do_compat_sys_x86_clone arch/x86/ia32/sys_ia32.c:240 [inline] __se_compat_sys_x86_clone arch/x86/ia32/sys_ia32.c:236 [inline] __ia32_compat_sys_x86_clone+0xb7/0x140 arch/x86/ia32/sys_ia32.c:236 do_syscall_32_irqs_on arch/x86/entry/common.c:326 [inline] do_fast_syscall_32+0x23b/0xa60 arch/x86/entry/common.c:397 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139 RIP: 0023:0xf7ff0849 Code: 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 14 24 c3 8b 3c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90 RSP: 002b:00000000f7fec0cc EFLAGS: 00000296 ORIG_RAX: 0000000000000078 RAX: ffffffffffffffda RBX: 0000000000003ffc RCX: 0000000000000000 RDX: 00000000200005c0 RSI: 0000000000000000 RDI: 0000000000000000 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 Kernel Offset: disabled Rebooting in 86400 seconds..