bisecting cause commit starting from ac5b84a1ffe93c9fb882c0f2bdfac1c33077b920
building syzkaller on c34fde03ec2b778c7cb3f4463dac2e6b9c7934c9
testing commit ac5b84a1ffe93c9fb882c0f2bdfac1c33077b920 with gcc (GCC) 8.1.0
all runs: crashed: general protection fault in d_alloc_pseudo
testing release v5.0
testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783 with gcc (GCC) 8.1.0
all runs: OK
# git bisect start ac5b84a1ffe93c9fb882c0f2bdfac1c33077b920 v5.0
Bisecting: 9462 revisions left to test after this (roughly 13 steps)
[2901752c14b8e1b7dd898d2e5245c93e531aa624] Merge tag 'pci-v5.1-changes' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci
testing commit 2901752c14b8e1b7dd898d2e5245c93e531aa624 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 2901752c14b8e1b7dd898d2e5245c93e531aa624
Bisecting: 4771 revisions left to test after this (roughly 12 steps)
[7650b1dafbfe45070a713219de1e5a2c00ad4182] Merge remote-tracking branch 'pci/next'
testing commit 7650b1dafbfe45070a713219de1e5a2c00ad4182 with gcc (GCC) 8.1.0
all runs: crashed: general protection fault in d_alloc_pseudo
# git bisect bad 7650b1dafbfe45070a713219de1e5a2c00ad4182
Bisecting: 2329 revisions left to test after this (roughly 11 steps)
[636deed6c0bc137a7c4f4a97ae1fcf0ad75323da] Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm
testing commit 636deed6c0bc137a7c4f4a97ae1fcf0ad75323da with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 636deed6c0bc137a7c4f4a97ae1fcf0ad75323da
Bisecting: 1145 revisions left to test after this (roughly 10 steps)
[0548740e53e6fe674f850d36db51eccb0557d938] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
testing commit 0548740e53e6fe674f850d36db51eccb0557d938 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 0548740e53e6fe674f850d36db51eccb0557d938
Bisecting: 551 revisions left to test after this (roughly 9 steps)
[13596f215f9b17f91538bf7cb570efdddb3e0fff] Merge remote-tracking branch 'renesas/next'
testing commit 13596f215f9b17f91538bf7cb570efdddb3e0fff with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 13596f215f9b17f91538bf7cb570efdddb3e0fff
Bisecting: 281 revisions left to test after this (roughly 8 steps)
[7fd845506878a29b22aa62766af5b21b641bb8ad] Merge remote-tracking branch 's390/features'
testing commit 7fd845506878a29b22aa62766af5b21b641bb8ad with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 7fd845506878a29b22aa62766af5b21b641bb8ad
Bisecting: 146 revisions left to test after this (roughly 7 steps)
[d0d85ba55d62b334ac9f5d6d2e511e4855e87b23] Merge branch 'for-next-stale-20190328' into for-next-20190328
testing commit d0d85ba55d62b334ac9f5d6d2e511e4855e87b23 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good d0d85ba55d62b334ac9f5d6d2e511e4855e87b23
Bisecting: 78 revisions left to test after this (roughly 6 steps)
[a9e12ea0100637d5f1eaf53621d155fee6000e93] Merge remote-tracking branch 'btrfs-kdave/for-next'
testing commit a9e12ea0100637d5f1eaf53621d155fee6000e93 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good a9e12ea0100637d5f1eaf53621d155fee6000e93
Bisecting: 36 revisions left to test after this (roughly 5 steps)
[5efad99b0b366fd4ec3e523307c2b60451766f1c] Merge remote-tracking branch 'f2fs/dev'
testing commit 5efad99b0b366fd4ec3e523307c2b60451766f1c with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 5efad99b0b366fd4ec3e523307c2b60451766f1c
Bisecting: 17 revisions left to test after this (roughly 4 steps)
[0eb7d8757140044829adb36848fdc5e93f7fa2fa] Merge remote-tracking branch 'printk/for-next'
testing commit 0eb7d8757140044829adb36848fdc5e93f7fa2fa with gcc (GCC) 8.1.0
all runs: crashed: general protection fault in d_alloc_pseudo
# git bisect bad 0eb7d8757140044829adb36848fdc5e93f7fa2fa
Bisecting: 10 revisions left to test after this (roughly 3 steps)
[03bd14009425542fa3604eeb86afe625f126c9ba] Merge branch 'work.dcache' into for-next
testing commit 03bd14009425542fa3604eeb86afe625f126c9ba with gcc (GCC) 8.1.0
all runs: crashed: general protection fault in d_alloc_pseudo
# git bisect bad 03bd14009425542fa3604eeb86afe625f126c9ba
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[41e83cfd5c51733abc8b0eaa7e218b4b56de4ec8] sysv: bury the broken "quietly truncate the long filenames" logics
testing commit 41e83cfd5c51733abc8b0eaa7e218b4b56de4ec8 with gcc (GCC) 8.1.0
all runs: crashed: general protection fault in d_alloc_pseudo
# git bisect bad 41e83cfd5c51733abc8b0eaa7e218b4b56de4ec8
Bisecting: 1 revision left to test after this (roughly 1 step)
[c869381f66c51a3981cb34882bf05d814799817f] unexport d_alloc_pseudo()
testing commit c869381f66c51a3981cb34882bf05d814799817f with gcc (GCC) 8.1.0
all runs: crashed: general protection fault in d_alloc_pseudo
# git bisect bad c869381f66c51a3981cb34882bf05d814799817f
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[56deac897903018e2672de8b784749f948e44be1] dcache: sort the freeing-without-RCU-delay mess for good.
testing commit 56deac897903018e2672de8b784749f948e44be1 with gcc (GCC) 8.1.0
all runs: crashed: general protection fault in d_alloc_pseudo
# git bisect bad 56deac897903018e2672de8b784749f948e44be1
56deac897903018e2672de8b784749f948e44be1 is the first bad commit
commit 56deac897903018e2672de8b784749f948e44be1
Author: Al Viro
Date:   Fri Mar 15 22:23:19 2019 -0400

    dcache: sort the freeing-without-RCU-delay mess for good.

    For lockless accesses to dentries we don't have pinned we rely (among
    other things) upon having an RCU delay between dropping the last
    reference and actually freeing the memory.

    On the other hand, for things like pipes and sockets we neither do that
    kind of lockless access, nor want to deal with the overhead of an RCU
    delay every time a socket gets closed.

    So delay was made optional - setting DCACHE_RCUACCESS in ->d_flags made
    sure it would happen. We tried to avoid setting it unless we knew we
    need it. Unfortunately, that had led to recurring class of bugs, in
    which we missed the need to set it.

    We only really need it for dentries that are created by
    d_alloc_pseudo(), so let's not bother with trying to be smart - just
    make having an RCU delay the default. The ones that do *not* get it set
    the replacement flag (DCACHE_NORCU) and we'd better use that sparingly.
    d_alloc_pseudo() is the only such user right now.

    FWIW, the race that finally prompted that switch had been between
    __lock_parent() of immediate subdirectory of what's currently the root
    of a disconnected tree (e.g. from open-by-handle in progress) racing
    with d_splice_alias() elsewhere picking another alias for the same
    inode, either on outright corrupted fs image, or (in case of
    open-by-handle on NFS) that subdirectory having been just moved on
    server. It's not easy to hit, so the sky is not falling, but that's not
    the first race on similar missed cases and the logics for setting
    DCACHE_RCUACCESS has gotten ridiculously convoluted.

    Cc: stable@vger.kernel.org
    Signed-off-by: Al Viro

:040000 040000 b068ff00dc1c2f999044d063852685201b9c144f 699fcbf9b252d9c770bed7b9b5f050e3789914d1 M	Documentation
:040000 040000 c1e9737160dda086132f75ee7167587c57125219 60d25467660818f013001fa338087a8f9236cfd9 M	fs
:040000 040000 9db86b4709fce8f65f25ec9f242ac5017843c25e a7cc5ed0c5c8eb1eb8bf1e58afc69a5358e19f7b M	include

revisions tested: 16, total time: 3h54m13.018768867s (build: 1h33m12.30068689s, test: 2h14m43.260519669s)
first bad commit: 56deac897903018e2672de8b784749f948e44be1 dcache: sort the freeing-without-RCU-delay mess for good.
cc: ["adilger@dilger.ca" "amir73il@gmail.com" "corbet@lwn.net" "darrick.wong@oracle.com" "david@fromorbit.com" "linux-doc@vger.kernel.org" "linux-fsdevel@vger.kernel.org" "linux-kernel@vger.kernel.org" "longman@redhat.com" "mszeredi@redhat.com" "viro@zeniv.linux.org.uk"]
crash: general protection fault in d_alloc_pseudo

RSP: 002b:00007fe634a7bc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000029
RAX: ffffffffffffffda RBX: 00007fe634a7bc90 RCX: 00000000004582b9
RDX: 0000000000000073 RSI: 0000000000000002 RDI: 0000000000000002
RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe634a7c6d4
R13: 00000000004c679a R14: 00000000004dbeb8 R15: 0000000000000003
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 7147 Comm: syz-executor.1 Not tainted 5.1.0-rc1+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:d_alloc_pseudo+0x1e/0x50 fs/dcache.c:1749
Code: 5d c3 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 e5 48 83 ec 08 e8 23 f3 ff ff 48 ba 00 00 00 00 00 fc ff df 48 89 c1 48 c1 e9 03 <0f> b6 14 11 84 d2 74 05 80 fa 03 7e 08 81 08 00 00 00 40 c9 c3 48
RSP: 0018:ffff8880853dfd10 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 1ffff11010a7bfaa RCX: 0000000000000000
RDX: dffffc0000000000 RSI: 00000000ffffffff RDI: 0000000000000282
RBP: ffff8880853dfd18 R08: ffffed1015d45bc8 R09: ffffed1015d45bc7
R10: ffffed1015d45bc7 R11: ffff8880aea2de3b R12: ffff8880853dfdf0
R13: dffffc0000000000 R14: ffff88821b69e620 R15: ffff88821b69e628
FS:  00007fe634a7c700(0000) GS:ffff8880aea00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000073c061 CR3: 0000000093528000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 alloc_file_pseudo+0xe5/0x260 fs/file_table.c:224
 sock_alloc_file+0x39/0x160 net/socket.c:394
 sock_map_fd net/socket.c:417 [inline]
 __sys_socket+0x102/0x1d0 net/socket.c:1372
 __do_sys_socket net/socket.c:1377 [inline]
 __se_sys_socket net/socket.c:1375 [inline]
 __x64_sys_socket+0x6e/0xb0 net/socket.c:1375
 do_syscall_64+0xd6/0x4e0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4582b9
Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fe634a7bc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000029
RAX: ffffffffffffffda RBX: 00007fe634a7bc90 RCX: 00000000004582b9
RDX: 0000000000000073 RSI: 0000000000000002 RDI: 0000000000000002
RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe634a7c6d4
R13: 00000000004c679a R14: 00000000004dbeb8 R15: 0000000000000003
Modules linked in:
---[ end trace 5ac1b9622246c1c6 ]---
RIP: 0010:d_alloc_pseudo+0x1e/0x50 fs/dcache.c:1749
Code: 5d c3 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 e5 48 83 ec 08 e8 23 f3 ff ff 48 ba 00 00 00 00 00 fc ff df 48 89 c1 48 c1 e9 03 <0f> b6 14 11 84 d2 74 05 80 fa 03 7e 08 81 08 00 00 00 40 c9 c3 48
RSP: 0018:ffff8880853dfd10 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 1ffff11010a7bfaa RCX: 0000000000000000
RDX: dffffc0000000000 RSI: 00000000ffffffff RDI: 0000000000000282
RBP: ffff8880853dfd18 R08: ffffed1015d45bc8 R09: ffffed1015d45bc7
R10: ffffed1015d45bc7 R11: ffff8880aea2de3b R12: ffff8880853dfdf0
R13: dffffc0000000000 R14: ffff88821b69e620 R15: ffff88821b69e628
FS:  00007fe634a7c700(0000) GS:ffff8880aea00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fd8bbb73000 CR3: 0000000093528000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
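The "kasan: GPF could be caused by NULL-ptr deref or user memory access" hint above can be checked by hand from the register dump. The bytes at the `<0f> b6 14 11` marker in the `Code:` line decode to `movzbl (%rcx,%rdx,1),%edx`, the shadow-byte load that inline KASAN emits before a memory access; the two preceding instructions (`48 89 c1 48 c1 e9 03`, `mov %rax,%rcx; shr $3,%rcx`) show that the pointer being checked is whatever the `call` just before them returned in RAX, and RDX holds the shadow offset constant. With RAX = RCX = 0 the shadow address is the offset itself, which is not a canonical x86-64 address, so the load raises #GP rather than a page fault. The following Python script is an added example, not part of the syzbot report or the kernel tree (the kernel's own `scripts/decodecode` handles the disassembly side). It assumes the x86-64 KASAN shadow mapping `shadow = (addr >> 3) + KASAN_SHADOW_OFFSET` with the offset taken from RDX, and only understands this one addressing form of the shadow load; the register lines it parses are copied from the oops above.

```python
"""Decode a KASAN-inline general protection fault from an x86-64 oops.

Added example, not part of the syzbot report or of the kernel tree. It takes
the register dump printed in the report, recovers the address whose KASAN
shadow byte the faulting instruction tried to load, and classifies it
(NULL / user-space / kernel), which is the reasoning behind the report's
"kasan: GPF could be caused by NULL-ptr deref or user memory access" line.
"""
import re

MASK64 = (1 << 64) - 1

# Assumption: x86-64 KASAN with 4-level paging maps each 8 bytes of address
# space to one shadow byte at (addr >> 3) + KASAN_SHADOW_OFFSET. The offset
# value is the constant seen in RDX in the dump, which the inline
# instrumentation loads immediately before the shadow load.
KASAN_SHADOW_SCALE_SHIFT = 3
KASAN_SHADOW_OFFSET = 0xDFFFFC0000000000

# The bytes at the "<...>" marker in the Code: line: movzbl (%rcx,%rdx,1),%edx.
# The decoder only knows this one addressing form; anything else is rejected
# rather than guessed.
SHADOW_LOAD_RCX_RDX = bytes.fromhex("0fb61411")

# Sample input: the relevant lines copied from the oops in the report.
OOPS_LINES = """\
RIP: 0010:d_alloc_pseudo+0x1e/0x50 fs/dcache.c:1749
Code: 5d c3 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 e5 48 83 ec 08 e8 23 f3 ff ff 48 ba 00 00 00 00 00 fc ff df 48 89 c1 48 c1 e9 03 <0f> b6 14 11 84 d2 74 05 80 fa 03 7e 08 81 08 00 00 00 40 c9 c3 48
RSP: 0018:ffff8880853dfd10 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 1ffff11010a7bfaa RCX: 0000000000000000
RDX: dffffc0000000000 RSI: 00000000ffffffff RDI: 0000000000000282
"""

# Matches "RAX: <16 hex>" style fields; "RSP: 0018:..." and "RIP: 0010:..."
# carry a segment prefix and are deliberately not matched.
REG_RE = re.compile(r"\b(R[A-Z0-9]{2}): ([0-9a-f]{16})\b")


def parse_registers(text):
    """Return {name: value} for the 64-bit general-purpose registers."""
    return {name: int(val, 16) for name, val in REG_RE.findall(text)}


def parse_code_bytes(text):
    """Return (code bytes, index of the <marked> faulting byte)."""
    line = re.search(r"^Code: (.*)$", text, re.M).group(1)
    code, fault = [], None
    for i, tok in enumerate(line.split()):
        if tok.startswith("<"):
            fault = i
            tok = tok.strip("<>")
        code.append(int(tok, 16))
    return bytes(code), fault


def is_canonical(addr):
    """48-bit canonical form: bits 63..47 all equal. A memory access through
    any other address raises #GP, not #PF, which is why this crash is a GPF."""
    top = addr >> 47
    return top == 0 or top == 0x1FFFF


def shadow_of(addr):
    return ((addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET) & MASK64


def addr_of_shadow(shadow):
    return (((shadow - KASAN_SHADOW_OFFSET) & MASK64) << KASAN_SHADOW_SCALE_SHIFT) & MASK64


def classify_address(addr):
    if addr == 0:
        return "NULL pointer dereference"
    if addr < (1 << 47):
        return "user-space address"
    if is_canonical(addr):
        return "kernel address"
    return "non-canonical address"


def decode_oops(text):
    regs = parse_registers(text)
    code, fault = parse_code_bytes(text)
    insn = code[fault:fault + len(SHADOW_LOAD_RCX_RDX)]
    if insn != SHADOW_LOAD_RCX_RDX:
        raise ValueError("faulting instruction is not movzbl (%rcx,%rdx,1),%edx: " + insn.hex())
    # Effective address of the faulting load is base RCX + index RDX.
    shadow = (regs["RCX"] + regs["RDX"]) & MASK64
    checked = addr_of_shadow(shadow)
    return {
        "shadow_address": shadow,
        "shadow_canonical": is_canonical(shadow),
        "checked_address": checked,
        "kind": classify_address(checked),
        # mov %rax,%rcx / shr $3,%rcx precede the load, so the pointer under
        # test is RAX, the return value of the call just before them.
        "checked_is_rax": shadow_of(regs["RAX"]) == shadow,
    }


if __name__ == "__main__":
    for key, val in decode_oops(OOPS_LINES).items():
        print(f"{key}: {val:#x}" if isinstance(val, int) and not isinstance(val, bool) else f"{key}: {val}")
```

Run on the dump above, `checked_address` comes out as 0 and `checked_is_rax` as true: the call that precedes the shadow check returned NULL and the instrumented access that follows (`orl $0x40000000,(%rax)`, the `d_flags` update) was about to dereference it. The same arithmetic shows why a user pointer such as the RSP value `00007fe634a7bc78` would also trap as a GPF: its shadow address is non-canonical too, which is exactly why the kernel prints the hint with both possibilities rather than committing to one.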