ci starts bisection 2022-08-25 13:10:23.646115323 +0000 UTC m=+86022.795009624
bisecting fixing commit since 4b0986a3613c92f4ec1bdc7f60ec66fea135991f
building syzkaller on 4c7657cb23023fd64d0585c979e6fec4ef441f04
testing commit 4b0986a3613c92f4ec1bdc7f60ec66fea135991f
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: a612a36b92916ffb721db076afd5563b93f09789bab4befe0eb25742333d100c
run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: failed to write control pipe: write |NUM: broken pipe
run #1: crashed: KASAN: use-after-free Write in udf_close_lvid
run #2: crashed: KASAN: slab-out-of-bounds Write in udf_open_lvid
run #3: crashed: KASAN: slab-out-of-bounds Write in udf_open_lvid
run #4: crashed: KASAN: slab-out-of-bounds Write in udf_close_lvid
run #5: crashed: KASAN: slab-out-of-bounds Write in udf_open_lvid
run #6: crashed: KASAN: use-after-free Write in udf_open_lvid
run #7: crashed: KASAN: slab-out-of-bounds Write in udf_close_lvid
run #8: crashed: KASAN: slab-out-of-bounds Write in udf_open_lvid
run #9: crashed: KASAN: use-after-free Write in udf_open_lvid
run #10: crashed: KASAN: slab-out-of-bounds Write in udf_close_lvid
run #11: crashed: KASAN: use-after-free Write in udf_close_lvid
run #12: crashed: KASAN: slab-out-of-bounds Write in udf_close_lvid
run #13: crashed: KASAN: use-after-free Write in udf_close_lvid
run #14: crashed: KASAN: use-after-free Write in udf_open_lvid
run #15: crashed: KASAN: use-after-free Write in udf_open_lvid
run #16: crashed: KASAN: use-after-free Write in udf_open_lvid
run #17: crashed: KASAN: use-after-free Write in udf_close_lvid
run #18: crashed: KASAN: slab-out-of-bounds Write in udf_close_lvid
run #19: OK
testing current HEAD c40e8341e3b3bb27e3a65b06b5b454626234c4f0
testing commit c40e8341e3b3bb27e3a65b06b5b454626234c4f0
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 508471dc81410cfe774d0d9d3d48f7bda7085b8c38ab744865292451308de8bb
run #0: crashed: KASAN: slab-out-of-bounds Write in udf_open_lvid
run #1: crashed: KASAN: use-after-free Write in udf_open_lvid
run #2: crashed: KASAN: slab-out-of-bounds Write in udf_close_lvid
run #3: crashed: KASAN: slab-out-of-bounds Write in udf_close_lvid
run #4: crashed: KASAN: use-after-free Write in udf_close_lvid
run #5: crashed: general protection fault in batadv_tt_purge
run #6: crashed: KASAN: slab-out-of-bounds Write in udf_close_lvid
run #7: crashed: KASAN: use-after-free Write in udf_open_lvid
run #8: crashed: KASAN: use-after-free Write in udf_open_lvid
run #9: OK
revisions tested: 2, total time: 39m8.788509403s (build: 15m50.012669543s, test: 22m24.581257508s)
the crash still happens on HEAD
commit msg: Merge tag 'cgroup-for-6.0-rc2-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup
crash: KASAN: use-after-free Write in udf_open_lvid
==================================================================
BUG: KASAN: use-after-free in udf_open_lvid.isra.0+0x221/0x270 fs/udf/super.c:2042
Write of size 1 at addr ffff88801f069f80 by task syz-executor405/13407

CPU: 0 PID: 13407 Comm: syz-executor405 Not tainted 6.0.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x57/0x7d lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:317 [inline]
 print_report.cold+0x2ba/0x719 mm/kasan/report.c:433
 kasan_report+0xb1/0x1e0 mm/kasan/report.c:495
 udf_open_lvid.isra.0+0x221/0x270 fs/udf/super.c:2042
 udf_fill_super+0x112a/0x16c0 fs/udf/super.c:2278
 mount_bdev+0x2cb/0x3b0 fs/super.c:1400
 legacy_get_tree+0xfa/0x1f0 fs/fs_context.c:610
 vfs_get_tree+0x7f/0x2c0 fs/super.c:1530
 do_new_mount fs/namespace.c:3040 [inline]
 path_mount+0x43a/0x1a10 fs/namespace.c:3370
 do_mount fs/namespace.c:3383 [inline]
 __do_sys_mount fs/namespace.c:3591 [inline]
 __se_sys_mount fs/namespace.c:3568 [inline]
 __x64_sys_mount+0x1f5/0x260 fs/namespace.c:3568
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f5dbcdde07a
Code: 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 a8 00 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f5dbcd89168 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007f5dbcd891c0 RCX: 00007f5dbcdde07a
RDX: 0000000020000000 RSI: 0000000020000700 RDI: 00007f5dbcd89180
RBP: 000000000000000e R08: 00007f5dbcd891c0 R09: 00007f5dbcd896b8
R10: 0000000000000810 R11: 0000000000000286 R12: 00007f5dbcd89180
R13: 0000000020000350 R14: 0000000000000003 R15: 0000000000000004

The buggy address belongs to the physical page:
page:ffffea00007c1a40 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1f069
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 0000000000000000 ffffffff007c0301 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 3606, tgid 3606 (syz-executor.0), ts 38518566478, free_ts 441977580990
 prep_new_page mm/page_alloc.c:2532 [inline]
 get_page_from_freelist+0x109b/0x2ce0 mm/page_alloc.c:4283
 __alloc_pages+0x1c7/0x510 mm/page_alloc.c:5515
 alloc_slab_page mm/slub.c:1824 [inline]
 allocate_slab+0x27e/0x3d0 mm/slub.c:1969
 new_slab mm/slub.c:2029 [inline]
 ___slab_alloc+0x7f1/0xe00 mm/slub.c:3031
 __slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3118
 slab_alloc_node mm/slub.c:3209 [inline]
 slab_alloc mm/slub.c:3251 [inline]
 __kmalloc_track_caller+0x30f/0x330 mm/slub.c:4924
 kmemdup+0x18/0x40 mm/util.c:129
 neigh_sysctl_register+0x92/0x5f0 net/core/neighbour.c:3787
 devinet_sysctl_register+0x8a/0x1e0 net/ipv4/devinet.c:2623
 inetdev_init+0x221/0x480 net/ipv4/devinet.c:279
 inetdev_event+0x92d/0x1500 net/ipv4/devinet.c:1534
 notifier_call_chain+0x94/0x170 kernel/notifier.c:87
 call_netdevice_notifiers_extack net/core/dev.c:1983 [inline]
 call_netdevice_notifiers net/core/dev.c:1997 [inline]
 register_netdevice+0xd85/0x1320 net/core/dev.c:10103
 rtnl_newlink_create net/core/rtnetlink.c:3365 [inline]
 __rtnl_newlink+0x1108/0x14c0 net/core/rtnetlink.c:3580
 rtnl_newlink+0x5a/0x90 net/core/rtnetlink.c:3593
 rtnetlink_rcv_msg+0x32d/0x9a0 net/core/rtnetlink.c:6090
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1449 [inline]
 free_pcp_prepare+0x5e4/0xd20 mm/page_alloc.c:1499
 free_unref_page_prepare mm/page_alloc.c:3380 [inline]
 free_unref_page+0x19/0x4d0 mm/page_alloc.c:3476
 qlink_free mm/kasan/quarantine.c:168 [inline]
 qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:187
 kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:294
 __kasan_slab_alloc+0xa2/0xc0 mm/kasan/common.c:447
 kasan_slab_alloc include/linux/kasan.h:224 [inline]
 slab_post_alloc_hook mm/slab.h:727 [inline]
 slab_alloc_node mm/slub.c:3243 [inline]
 slab_alloc mm/slub.c:3251 [inline]
 __kmem_cache_alloc_lru mm/slub.c:3258 [inline]
 kmem_cache_alloc+0x267/0x3b0 mm/slub.c:3268
 getname_flags.part.0+0x4a/0x440 fs/namei.c:139
 do_sys_openat2+0xd2/0x3f0 fs/open.c:1305
 do_sys_open fs/open.c:1327 [inline]
 __do_sys_openat fs/open.c:1343 [inline]
 __se_sys_openat fs/open.c:1338 [inline]
 __x64_sys_openat+0x11b/0x1d0 fs/open.c:1338
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Memory state around the buggy address:
 ffff88801f069e80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88801f069f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88801f069f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff88801f06a000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88801f06a080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================