bisecting cause commit starting from 4b93c544e90e2b28326182d31ee008eb80e02074 building syzkaller on 6ca601483d056968f63fd4735fc54073f4fe3c75 testing commit 4b93c544e90e2b28326182d31ee008eb80e02074 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: bd3c5739fc576408f59c0db282769de575944de125119bc3e0959d67e804219c run #0: crashed: WARNING in io_wq_submit_work run #1: crashed: WARNING in io_wq_submit_work run #2: crashed: WARNING in io_wq_submit_work run #3: crashed: WARNING in io_wq_submit_work run #4: crashed: WARNING in io_wq_submit_work run #5: crashed: WARNING in io_wq_submit_work run #6: crashed: WARNING in io_wq_submit_work run #7: crashed: WARNING in io_wq_submit_work run #8: crashed: WARNING in io_wq_submit_work run #9: crashed: WARNING in io_wq_submit_work run #10: crashed: WARNING in io_wq_submit_work run #11: crashed: WARNING in io_wq_submit_work run #12: crashed: WARNING in io_wq_submit_work run #13: crashed: INFO: task hung in io_wq_put_and_exit run #14: crashed: INFO: task hung in io_wq_put_and_exit run #15: crashed: INFO: task hung in io_wq_put_and_exit run #16: crashed: INFO: task hung in io_wq_put_and_exit run #17: crashed: WARNING in io_wq_submit_work run #18: crashed: KASAN: use-after-free Read in __d_alloc run #19: crashed: KASAN: use-after-free Read in __d_alloc testing release v5.14 testing commit 7d2a07b769330c34b4deabeed939325c77a7ec2f compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 1bc25c310b773f41f60536ec01fad7eee81fbd08982b6b34e2bd4f1aafdef1ea all runs: OK # git bisect start 4b93c544e90e2b28326182d31ee008eb80e02074 7d2a07b769330c34b4deabeed939325c77a7ec2f Bisecting: 4950 revisions left to test after this (roughly 12 steps) [ea7b4244b3656ca33b19a950f092b5bbc718b40c] x86/setup: Explicitly include acpi.h testing commit ea7b4244b3656ca33b19a950f092b5bbc718b40c compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: b49a06514e8dee28c6643b746ab3321b6372b4894f3709a70efc11651ff087bb run #0: basic kernel testing failed: kernel panic: panic_on_warn set run #1: crashed: KASAN: use-after-free Read in __d_alloc run #2: crashed: KASAN: use-after-free Read in __d_alloc run #3: crashed: KASAN: use-after-free Read in __d_alloc run #4: crashed: KASAN: use-after-free Read in __d_alloc run #5: crashed: KASAN: use-after-free Read in __d_alloc run #6: crashed: KASAN: use-after-free Read in __d_alloc run #7: crashed: KASAN: use-after-free Read in __d_alloc run #8: OK run #9: OK # git bisect bad ea7b4244b3656ca33b19a950f092b5bbc718b40c Bisecting: 2863 revisions left to test after this (roughly 11 steps) [29ce8f9701072fc221d9c38ad952de1a9578f95c] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net testing commit 29ce8f9701072fc221d9c38ad952de1a9578f95c compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 172078f958feb6aa04a9f83d5550faa7365c16ba63c78cf09a117d54e2c3a089 all runs: OK # git bisect good 29ce8f9701072fc221d9c38ad952de1a9578f95c Bisecting: 1394 revisions left to test after this (roughly 11 steps) [87045e6546078dae215d1bd3b2bc82b3ada3ca77] Merge tag 'for-5.15-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux testing commit 87045e6546078dae215d1bd3b2bc82b3ada3ca77 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 4629621b6796b968691a2151a0225b3bc96397032c74d9a714402e0cd10c6c4b run #0: crashed: KASAN: use-after-free Read in __d_alloc run #1: crashed: KASAN: use-after-free Read in __d_alloc run #2: crashed: KASAN: use-after-free Read in __d_alloc run #3: crashed: KASAN: use-after-free Read in __d_alloc run #4: crashed: KASAN: use-after-free Read in __d_alloc run #5: crashed: KASAN: use-after-free Read in __d_alloc run #6: crashed: KASAN: use-after-free Read in __d_alloc run #7: crashed: KASAN: use-after-free Read in __d_alloc run #8: OK run #9: OK # git bisect bad 87045e6546078dae215d1bd3b2bc82b3ada3ca77 Bisecting: 716 revisions left to test after this (roughly 10 steps) [7d6e3fa87e732ec1e7761bf325c0907685c8571b] Merge tag 'irq-core-2021-08-30' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip testing commit 7d6e3fa87e732ec1e7761bf325c0907685c8571b compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: db74071d3390e89267625e22bfbf249b96f9a961af20f3232f7afa6757d58dcd all runs: OK # git bisect good 7d6e3fa87e732ec1e7761bf325c0907685c8571b Bisecting: 368 revisions left to test after this (roughly 9 steps) [b91db6a0b52e019b6bdabea3f1dbe36d85c7e52c] Merge tag 'for-5.15/io_uring-vfs-2021-08-30' of git://git.kernel.dk/linux-block testing commit b91db6a0b52e019b6bdabea3f1dbe36d85c7e52c compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: cde66dbed7b91d23c8cf379583ccdf1f82f511ce041a77dbcf96abb3a222422b all runs: crashed: KASAN: use-after-free Read in __d_alloc # git bisect bad b91db6a0b52e019b6bdabea3f1dbe36d85c7e52c Bisecting: 167 revisions left to test after this (roughly 8 steps) [679369114e55f422dc593d0628cfde1d04ae59b3] Merge tag 'for-5.15/block-2021-08-30' of git://git.kernel.dk/linux-block testing commit 679369114e55f422dc593d0628cfde1d04ae59b3 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 418c7558259895bb14733b366ab570b3b4893047ef08c85f041079e6df90ad42 all runs: OK # git bisect good 679369114e55f422dc593d0628cfde1d04ae59b3 Bisecting: 83 revisions left to test after this (roughly 6 steps) [f1042b6ccb887f07301f6b096b3d0cfcf9189323] io_uring: allow updating linked timeouts testing commit f1042b6ccb887f07301f6b096b3d0cfcf9189323 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 4fcb01aed88cbdeed41c00ae42dbeaf19ebf4ad2c4f9bf5f16dd5d44564223a9 all runs: OK # git bisect good f1042b6ccb887f07301f6b096b3d0cfcf9189323 Bisecting: 41 revisions left to test after this (roughly 5 steps) [6607cd319b6b91bff94e90f798a61c031650b514] raid1: ensure write behind bio has less than BIO_MAX_VECS sectors testing commit 6607cd319b6b91bff94e90f798a61c031650b514 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 6002265eeab04f7231a80bdf39854484f28c0438609f007ada1e872caaba6588 all runs: OK # git bisect good 6607cd319b6b91bff94e90f798a61c031650b514 Bisecting: 20 revisions left to test after this (roughly 4 steps) [c547d89a9a445f6bb757b93247de43d312e722da] Merge tag 'for-5.15/io_uring-2021-08-30' of git://git.kernel.dk/linux-block testing commit c547d89a9a445f6bb757b93247de43d312e722da compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: f2d4d007710e94687ec056a4fba7cf1b22b55fbc36dc91eceff38e5b609708c9 all runs: OK # git bisect good c547d89a9a445f6bb757b93247de43d312e722da Bisecting: 10 revisions left to test after this (roughly 3 steps) [7a8721f84fcb3b2946a92380b6fc311e017ff02c] io_uring: add support for IORING_OP_SYMLINKAT testing commit 7a8721f84fcb3b2946a92380b6fc311e017ff02c compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: df69d4a8cd0838e249e39069725e8132ad0635a83c4a1e6c37273a7088998481 run #0: basic kernel testing failed: failed to copy test binary to VM: timedout ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/bin/linux_amd64/syz-fuzzer" "root@10.128.1.121:./syz-fuzzer"] Warning: Permanently added '10.128.1.121' (ECDSA) to the list of known hosts. run #1: basic kernel testing failed: failed to copy test binary to VM: timedout ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/bin/linux_amd64/syz-fuzzer" "root@10.128.1.123:./syz-fuzzer"] Warning: Permanently added '10.128.1.123' (ECDSA) to the list of known hosts. run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect good 7a8721f84fcb3b2946a92380b6fc311e017ff02c Bisecting: 5 revisions left to test after this (roughly 3 steps) [394918ebb889f99d89db6843bcc93279b2b745f9] io_uring: enable use of bio alloc cache testing commit 394918ebb889f99d89db6843bcc93279b2b745f9 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 1e54351464db9683d0276861bf90dc1287e709fa0fb9f0f86d99fab4333a883f all runs: OK # git bisect good 394918ebb889f99d89db6843bcc93279b2b745f9 Bisecting: 2 revisions left to test after this (roughly 2 steps) [3d5b3fbedad65088ec079a4c4d1a2f47e11ae1e7] bio: improve kerneldoc documentation for bio_alloc_kiocb() testing commit 3d5b3fbedad65088ec079a4c4d1a2f47e11ae1e7 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 128c481fef801b6b7b70aa4d501751e3a599dbef05048f4bf19706b191ec48a7 all runs: OK # git bisect good 3d5b3fbedad65088ec079a4c4d1a2f47e11ae1e7 Bisecting: 1 revision left to test after this (roughly 1 step) [cf30da90bc3a26911d369f199411f38b701394de] io_uring: add support for IORING_OP_LINKAT testing commit cf30da90bc3a26911d369f199411f38b701394de compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: ad9146fa1b5fd6159969b7a30ffcf63c7a41757a4e201688c18b66b5357f5a6c all runs: OK # git bisect good cf30da90bc3a26911d369f199411f38b701394de Bisecting: 0 revisions left to test after this (roughly 0 steps) [3b629f8d6dc04d3af94429c18fe17239d6fbe2c3] Merge tag 'io_uring-bio-cache.5-2021-08-30' of git://git.kernel.dk/linux-block testing commit 3b629f8d6dc04d3af94429c18fe17239d6fbe2c3 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 34ec197807273390f46e7889a2fabe6468c7b4eb3729fd4954fb3a9bf6374919 all runs: OK # git bisect good 3b629f8d6dc04d3af94429c18fe17239d6fbe2c3 b91db6a0b52e019b6bdabea3f1dbe36d85c7e52c is the first bad commit commit b91db6a0b52e019b6bdabea3f1dbe36d85c7e52c Merge: 3b629f8d6dc0 cf30da90bc3a Author: Linus Torvalds Date: Mon Aug 30 19:39:59 2021 -0700 Merge tag 'for-5.15/io_uring-vfs-2021-08-30' of git://git.kernel.dk/linux-block Pull io_uring mkdirat/symlinkat/linkat support from Jens Axboe: "This adds io_uring support for mkdirat, symlinkat, and linkat" * tag 'for-5.15/io_uring-vfs-2021-08-30' of git://git.kernel.dk/linux-block: io_uring: add support for IORING_OP_LINKAT io_uring: add support for IORING_OP_SYMLINKAT io_uring: add support for IORING_OP_MKDIRAT namei: update do_*() helpers to return ints namei: make do_linkat() take struct filename namei: add getname_uflags() namei: make do_symlinkat() take struct filename namei: make do_mknodat() take struct filename namei: make do_mkdirat() take struct filename namei: change filename_parentat() calling conventions namei: ignore ERR/NULL names in putname() fs/exec.c | 8 +- fs/internal.h | 8 +- fs/io_uring.c | 198 ++++++++++++++++++++++++++++++++++ fs/namei.c | 239 ++++++++++++++++++++++++------------------ include/linux/fs.h | 1 + include/uapi/linux/io_uring.h | 4 + 6 files changed, 348 insertions(+), 110 deletions(-) revisions tested: 16, total time: 4h59m34.004355189s (build: 1h56m36.88406952s, test: 3h1m5.381968148s) first bad commit: b91db6a0b52e019b6bdabea3f1dbe36d85c7e52c Merge tag 'for-5.15/io_uring-vfs-2021-08-30' of git://git.kernel.dk/linux-block recipients (to): ["torvalds@linux-foundation.org"] recipients (cc): [] crash: KASAN: use-after-free Read in __d_alloc ================================================================== BUG: KASAN: use-after-free in memcpy include/linux/fortify-string.h:191 [inline] BUG: KASAN: use-after-free in __d_alloc+0x161/0x950 fs/dcache.c:1775 Read of size 5 at addr ffff888011f44420 by task kdevtmpfs/22 CPU: 0 PID: 22 Comm: kdevtmpfs Not tainted 5.14.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x57/0x7d lib/dump_stack.c:105 print_address_description.constprop.0.cold+0x6c/0x309 mm/kasan/report.c:233 __kasan_report mm/kasan/report.c:419 [inline] kasan_report.cold+0x83/0xdf mm/kasan/report.c:436 check_region_inline mm/kasan/generic.c:183 [inline] kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189 memcpy+0x20/0x60 mm/kasan/shadow.c:65 memcpy include/linux/fortify-string.h:191 [inline] __d_alloc+0x161/0x950 fs/dcache.c:1775 d_alloc+0x3f/0x200 fs/dcache.c:1823 __lookup_hash+0x97/0x140 fs/namei.c:1554 kern_path_locked+0x146/0x300 fs/namei.c:2567 handle_remove+0x9a/0x4fa drivers/base/devtmpfs.c:312 handle drivers/base/devtmpfs.c:382 [inline] devtmpfs_work_loop drivers/base/devtmpfs.c:395 [inline] devtmpfsd+0x176/0x24e drivers/base/devtmpfs.c:437 kthread+0x38b/0x460 kernel/kthread.c:319 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 Allocated by task 22: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 kasan_set_track mm/kasan/common.c:46 [inline] set_alloc_info mm/kasan/common.c:434 [inline] __kasan_slab_alloc+0x83/0xb0 mm/kasan/common.c:467 kasan_slab_alloc include/linux/kasan.h:254 [inline] slab_post_alloc_hook mm/slab.h:519 [inline] slab_alloc_node mm/slub.c:2959 [inline] slab_alloc mm/slub.c:2967 [inline] kmem_cache_alloc+0x285/0x4a0 mm/slub.c:2972 getname_kernel+0x48/0x330 fs/namei.c:226 kern_path_locked+0x6f/0x300 fs/namei.c:2558 handle_remove+0x9a/0x4fa drivers/base/devtmpfs.c:312 handle drivers/base/devtmpfs.c:382 [inline] devtmpfs_work_loop drivers/base/devtmpfs.c:395 [inline] devtmpfsd+0x176/0x24e drivers/base/devtmpfs.c:437 kthread+0x38b/0x460 kernel/kthread.c:319 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 Freed by task 22: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 kasan_set_track+0x1c/0x30 mm/kasan/common.c:46 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:360 ____kasan_slab_free mm/kasan/common.c:366 [inline] ____kasan_slab_free mm/kasan/common.c:328 [inline] __kasan_slab_free+0xff/0x130 mm/kasan/common.c:374 kasan_slab_free include/linux/kasan.h:230 [inline] slab_free_hook mm/slub.c:1628 [inline] slab_free_freelist_hook+0xe3/0x250 mm/slub.c:1653 slab_free mm/slub.c:3213 [inline] kmem_cache_free+0x8a/0x5b0 mm/slub.c:3229 putname include/linux/err.h:41 [inline] filename_parentat fs/namei.c:2547 [inline] kern_path_locked+0xa7/0x300 fs/namei.c:2558 handle_remove+0x9a/0x4fa drivers/base/devtmpfs.c:312 handle drivers/base/devtmpfs.c:382 [inline] devtmpfs_work_loop drivers/base/devtmpfs.c:395 [inline] devtmpfsd+0x176/0x24e drivers/base/devtmpfs.c:437 kthread+0x38b/0x460 kernel/kthread.c:319 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 The buggy address belongs to the object at ffff888011f44400 which belongs to the cache names_cache of size 4096 The buggy address is located 32 bytes inside of 4096-byte region [ffff888011f44400, ffff888011f45400) The buggy address belongs to the page: page:ffffea000047d000 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11f40 head:ffffea000047d000 order:3 compound_mapcount:0 compound_pincount:0 flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000010200 0000000000000000 0000000100000001 ffff88800fdc43c0 raw: 0000000000000000 0000000080070007 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 6375, ts 24250878650, free_ts 23733110061 prep_new_page mm/page_alloc.c:2436 [inline] get_page_from_freelist+0xa6f/0x2f50 mm/page_alloc.c:4168 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5390 alloc_slab_page mm/slub.c:1691 [inline] allocate_slab+0x32e/0x4b0 mm/slub.c:1831 new_slab mm/slub.c:1894 [inline] new_slab_objects mm/slub.c:2640 [inline] ___slab_alloc+0x4ba/0x820 mm/slub.c:2803 __slab_alloc.constprop.0+0xa7/0xf0 mm/slub.c:2843 slab_alloc_node mm/slub.c:2925 [inline] slab_alloc mm/slub.c:2967 [inline] kmem_cache_alloc+0x3e1/0x4a0 mm/slub.c:2972 getname_flags.part.0+0x4a/0x440 fs/namei.c:138 do_sys_openat2+0xd2/0x400 fs/open.c:1194 do_sys_open fs/open.c:1216 [inline] __do_sys_open fs/open.c:1224 [inline] __se_sys_open fs/open.c:1220 [inline] __x64_sys_open+0xfd/0x1a0 fs/open.c:1220 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1346 [inline] free_pcp_prepare+0x2c5/0x780 mm/page_alloc.c:1397 free_unref_page_prepare mm/page_alloc.c:3332 [inline] free_unref_page+0x19/0x690 mm/page_alloc.c:3411 unfreeze_partials+0x17c/0x1d0 mm/slub.c:2421 put_cpu_partial+0x13d/0x230 mm/slub.c:2457 qlink_free mm/kasan/quarantine.c:146 [inline] qlist_free_all+0x5a/0xc0 mm/kasan/quarantine.c:165 kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:272 __kasan_slab_alloc+0x95/0xb0 mm/kasan/common.c:444 kasan_slab_alloc include/linux/kasan.h:254 [inline] slab_post_alloc_hook mm/slab.h:519 [inline] slab_alloc_node mm/slub.c:2959 [inline] slab_alloc mm/slub.c:2967 [inline] kmem_cache_alloc+0x285/0x4a0 mm/slub.c:2972 ptlock_alloc+0x19/0x60 mm/memory.c:5458 ptlock_init include/linux/mm.h:2223 [inline] pgtable_pte_page_ctor include/linux/mm.h:2250 [inline] __pte_alloc_one include/asm-generic/pgalloc.h:66 [inline] pte_alloc_one+0x4c/0x190 arch/x86/mm/pgtable.c:33 __pte_alloc+0x15/0x240 mm/memory.c:439 copy_pte_range mm/memory.c:1021 [inline] copy_pmd_range mm/memory.c:1156 [inline] copy_pud_range mm/memory.c:1193 [inline] copy_p4d_range mm/memory.c:1217 [inline] copy_page_range+0x1009/0x32b0 mm/memory.c:1290 dup_mmap kernel/fork.c:599 [inline] dup_mm+0x7cc/0x1090 kernel/fork.c:1381 copy_mm kernel/fork.c:1433 [inline] copy_process+0x5c89/0x69f0 kernel/fork.c:2121 kernel_clone+0xb8/0x7f0 kernel/fork.c:2511 __do_sys_clone+0xaf/0xf0 kernel/fork.c:2628 Memory state around the buggy address: ffff888011f44300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888011f44380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888011f44400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888011f44480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888011f44500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================