ci2 starts bisection 2023-12-04 18:01:45.39215817 +0000 UTC m=+407616.038735471
bisecting cause commit starting from 6465e29536ed740086d2e3b79106f597c977acbd
building syzkaller on f819d6f7cb99737851dcaaa51f11190138fd48d5
ensuring issue is reproducible on original commit 6465e29536ed740086d2e3b79106f597c977acbd
testing commit 6465e29536ed740086d2e3b79106f597c977acbd gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 9893d18581b37c13fdf319d4e80338f7cdf95955e8f5eb7650d7c66f4981e112
all runs: crashed: general protection fault in do_rmdir
representative crash: general protection fault in do_rmdir, types: [UNKNOWN]
check whether we can drop unnecessary instrumentation
disabling configs for [UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
testing commit 6465e29536ed740086d2e3b79106f597c977acbd gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 213fda90c4b31f5293d23f3e1fbb453feaa1e0c86a664557bd8f760501d84262
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in do_rmdir
representative crash: BUG: unable to handle kernel NULL pointer dereference in do_rmdir, types: [UNKNOWN]
the bug reproduces without the instrumentation
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG KASAN LOCKDEP], they are not needed
kconfig minimization: base=5179 full=6490 leaves diff=254
split chunks (needed=false): <254>
split chunk #0 of len 254 into 5 parts
testing without sub-chunk 1/5
disabling configs for [KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing commit 6465e29536ed740086d2e3b79106f597c977acbd gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: c9ef70cfa06ac6d8b08076f2c7e0c9881bd582fe46afeb54150b829c4f4384fb
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in do_rmdir
representative crash: BUG: unable to handle kernel NULL pointer dereference in do_rmdir, types: [UNKNOWN]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [HANG LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 6465e29536ed740086d2e3b79106f597c977acbd gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 65622bbd58567286c6ffaf1a062d2cd0dbc0c92b83660f2401ece9bce6b84f3c
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in do_rmdir
representative crash: BUG: unable to handle kernel NULL pointer dereference in do_rmdir, types: [UNKNOWN]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
testing commit 6465e29536ed740086d2e3b79106f597c977acbd gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 9f287dc19467a61d79957f0e9479ebef66c6f3d1f3c1def7b993b9c996d491ee
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in do_rmdir
representative crash: BUG: unable to handle kernel NULL pointer dereference in do_rmdir, types: [UNKNOWN]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG KASAN], they are not needed
testing commit 6465e29536ed740086d2e3b79106f597c977acbd gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d52cd8eb77dc7a716ab04a9db47148ba8dd0cafd07de4834ce706a8ccf80d73c
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in do_rmdir
representative crash: BUG: unable to handle kernel NULL pointer dereference in do_rmdir, types: [UNKNOWN]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG KASAN LOCKDEP], they are not needed
testing commit 6465e29536ed740086d2e3b79106f597c977acbd gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
failed building 6465e29536ed740086d2e3b79106f597c977acbd:
net/socket.c:1242: undefined reference to `wext_handle_ioctl'
net/socket.c:3437: undefined reference to `compat_wext_handle_ioctl'
net/core/net-procfs.c:329: undefined reference to `wext_proc_init'
net/core/net-procfs.c:345: undefined reference to `wext_proc_exit'
minimized to 50 configs; suspects: [HID_ZEROPLUS USB_NET_GL620A USB_NET_MCS7830 USB_NET_NET1080 USB_NET_PLUSB USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD USB_OHCI_HCD_PCI USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_PRINTER USB_SERIAL_GENERIC USB_SERIAL_PL2303 USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_TRANCEVIBRATOR USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_WDM V4L2_ASYNC V4L2_FWNODE VIDEO_CAMERA_SENSOR WLAN WLAN_VENDOR_ATH WLAN_VENDOR_ATMEL WLAN_VENDOR_BROADCOM WLAN_VENDOR_INTERSIL WLAN_VENDOR_MARVELL WLAN_VENDOR_MEDIATEK WLAN_VENDOR_MICROCHIP WLAN_VENDOR_PURELIFI WLAN_VENDOR_RALINK WLAN_VENDOR_REALTEK WLAN_VENDOR_RSI WLAN_VENDOR_SILABS WLAN_VENDOR_ZYDAS X86_X32_ABI ZEROPLUS_FF]
disabling configs for [UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
picked [v6.1.57 v6.1.56 v6.1.29 v6.1 v6.0 v5.19 v5.17 v5.15 v5.13 v5.11 v5.9 v5.6 v5.3 v5.0 v4.19] out of 81 release tags
testing release v6.1.57
testing commit 082280fe94a09462c727fb6e7b0c982efb36dede gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: df583ee400f8502d75fe5874f9466dfafcd4f02093eddb11300111f5fe5277af
all runs: OK
false negative chance: 0.000
# git bisect start 6465e29536ed740086d2e3b79106f597c977acbd 082280fe94a09462c727fb6e7b0c982efb36dede
Bisecting: 3309 revisions left to test after this (roughly 12 steps)
[952bcb0e68b7ee9a661d66a462f1a4f2be7bbb51] ANDROID: Revert switch mainline driver update revert
testing commit 952bcb0e68b7ee9a661d66a462f1a4f2be7bbb51 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: a9c5c15de087bc4071a662ef1458c5c4199f7d8df532e8c1471b6f1fe7917bac
all runs: OK
false negative chance: 0.000
# git bisect good 952bcb0e68b7ee9a661d66a462f1a4f2be7bbb51
Bisecting: 1653 revisions left to test after this (roughly 11 steps)
[efa2b2fcf5bcf2f1b33e8c2d8af9973c0c49aa4e] Merge "Merge 6.1.19 into android14-6.1" into android14-6.1
testing commit efa2b2fcf5bcf2f1b33e8c2d8af9973c0c49aa4e gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 201b2277afc274de7077761a48e025954f8535a73f015c9391bb1119879d9f5c
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in do_rmdir
representative crash: BUG: unable to handle kernel NULL pointer dereference in do_rmdir, types: [UNKNOWN]
# git bisect bad efa2b2fcf5bcf2f1b33e8c2d8af9973c0c49aa4e
Bisecting: 827 revisions left to test after this (roughly 10 steps)
[0faf32c7273ffe5dd7d71ec73d12db8eddfe18b6] ANDROID: KVM: arm64: Add HVC handling for protected guests at EL2
testing commit 0faf32c7273ffe5dd7d71ec73d12db8eddfe18b6 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 13afd197e54e6ba1230952d3e5619c2c77caa97dabcea3b156b015ca8fd8d746
all runs: OK
false negative chance: 0.000
# git bisect good 0faf32c7273ffe5dd7d71ec73d12db8eddfe18b6
Bisecting: 413 revisions left to test after this (roughly 9 steps)
[df602cf0277ab50aee36e63ab32da75ac4246457] ANDROID: KVM: arm64: Use sanitized values in __check_override in nVHE
testing commit df602cf0277ab50aee36e63ab32da75ac4246457 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 82010651b055927080124c646c5f6c3869fa73fcb563cc5785304f8c6633fa7e
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in do_rmdir
representative crash: BUG: unable to handle kernel NULL pointer dereference in do_rmdir, types: [UNKNOWN]
# git bisect bad df602cf0277ab50aee36e63ab32da75ac4246457
Bisecting: 208 revisions left to test after this (roughly 8 steps)
[9933cd0873aa445bb081d227c39146b2237b152f] Revert "ANDROID: GKI: remove CONFIG_CMDLINE_EXTEND from arm64 gki_defconfig"
testing commit 9933cd0873aa445bb081d227c39146b2237b152f gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 6f56c2376991445e36e9d0905db9515d7b7071ddc6f113337f4c7b0a64d8cb82
all runs: OK
false negative chance: 0.000
# git bisect good 9933cd0873aa445bb081d227c39146b2237b152f
Bisecting: 102 revisions left to test after this (roughly 7 steps)
[34d1cfdc4a71992542a18ed95f509803c8e1d8c7] Merge remote-tracking branch 'aosp/upstream-f2fs-stable-linux-6.1.y' into android14-6.1
testing commit 34d1cfdc4a71992542a18ed95f509803c8e1d8c7 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 509237b6eba2fecdd448ae190f596092e79a10391f88af3495bfdbf998aaf757
all runs: OK
false negative chance: 0.000
# git bisect good 34d1cfdc4a71992542a18ed95f509803c8e1d8c7
Bisecting: 51 revisions left to test after this (roughly 6 steps)
[d46c47acf9b85b401f2373377b9bf6d84ffd2edd] ANDROID: arm64: kvm: Add new module functions used by s2mpu.
testing commit d46c47acf9b85b401f2373377b9bf6d84ffd2edd gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 89a746686db5e476344e10a0f05bd31cdafec8ce5bd06783e5f8f1b9d9685c90
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in do_rmdir
representative crash: BUG: unable to handle kernel NULL pointer dereference in do_rmdir, types: [UNKNOWN]
# git bisect bad d46c47acf9b85b401f2373377b9bf6d84ffd2edd
Bisecting: 25 revisions left to test after this (roughly 5 steps)
[ff4aa3372440a94311c59ada261367caba7bd52c] ANDROID: jump_label: disable jump labels in fips140.ko
testing commit ff4aa3372440a94311c59ada261367caba7bd52c gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: cdbeb1f8aa8ca10802587873c3c55a109b11b6afc544eede0b18c96b219e17cf
all runs: OK
false negative chance: 0.000
# git bisect good ff4aa3372440a94311c59ada261367caba7bd52c
Bisecting: 12 revisions left to test after this (roughly 4 steps)
[fb5ea70e2e33932b5b35fedd7a30cf5d9170126c] ANDROID: KVM: arm64: Add helper for pKVM modules addr conversion
testing commit fb5ea70e2e33932b5b35fedd7a30cf5d9170126c gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f51273a387593ef5d9ea2da9dbd8514f473de4efb387970aefb87feac3437e14
all runs: OK
false negative chance: 0.000
# git bisect good fb5ea70e2e33932b5b35fedd7a30cf5d9170126c
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[f70e13c34987fda9e65ae7c18b31fa2deb8c0b7c] ANDROID: GKI: Enable CONFIG_NF_CONNTRACK_PROCFS
testing commit f70e13c34987fda9e65ae7c18b31fa2deb8c0b7c gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 5c159b2482066d5463393e2a0eed3ce6e4647a261cc25af45dc58137d2bb9d44
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in do_rmdir
representative crash: BUG: unable to handle kernel NULL pointer dereference in do_rmdir, types: [UNKNOWN]
# git bisect bad f70e13c34987fda9e65ae7c18b31fa2deb8c0b7c
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[ae696a5a231d6d9e5ae318b48179c96557412db0] ANDROID: fuse-bpf: Add /sys/fs flags for fuse-bpf version
testing commit ae696a5a231d6d9e5ae318b48179c96557412db0 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 26b226c8ca39f0c28ba88e86ea27018669099d55afd9d75c0ec7da8ff5eafc37
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in do_rmdir
representative crash: BUG: unable to handle kernel NULL pointer dereference in do_rmdir, types: [UNKNOWN]
# git bisect bad ae696a5a231d6d9e5ae318b48179c96557412db0
Bisecting: 0 revisions left to test after this (roughly 1 step)
[f6d21159ccbd638ac6e9de50fb5085ce54fb3735] ANDROID: fuse-bpf: Make sure to declare functions
testing commit f6d21159ccbd638ac6e9de50fb5085ce54fb3735 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ff30e2e1b2c1f0bbdfe6938de8f526c4a89cb330babe630697665d8788609fda
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in do_rmdir
representative crash: BUG: unable to handle kernel NULL pointer dereference in do_rmdir, types: [UNKNOWN]
# git bisect bad f6d21159ccbd638ac6e9de50fb5085ce54fb3735
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[57f3ff9648991998d008ecf32f2f9e78a08bfb8b] ANDROID: fuse-bpf v1.1
testing commit 57f3ff9648991998d008ecf32f2f9e78a08bfb8b gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 02c7848c98b62b288f2eaae407b7a0fd3ce976f7357c5d52ee2801bd33c12ffb
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in do_rmdir
representative crash: BUG: unable to handle kernel NULL pointer dereference in do_rmdir, types: [UNKNOWN]
# git bisect bad 57f3ff9648991998d008ecf32f2f9e78a08bfb8b
57f3ff9648991998d008ecf32f2f9e78a08bfb8b is the first bad commit
commit 57f3ff9648991998d008ecf32f2f9e78a08bfb8b
Author: Daniel Rosenberg
Date:   Thu Dec 2 13:50:02 2021 -0800

    ANDROID: fuse-bpf v1.1

    This is a squash of these changes cherry-picked from common-android13-5.10

    ANDROID: fuse-bpf: Make compile and pass test
    ANDROID: fuse-bpf: set error_in to ENOENT in negative lookup
    ANDROID: fuse-bpf: Add ability to run ranges of tests to fuse_test
    ANDROID: fuse-bpf: Add test for lookup postfilter
    ANDROID: fuse-bpf: readddir postfilter fixes
    ANDROID: fix kernelci error in fs/fuse/dir.c
    ANDROID: fuse-bpf: Fix RCU/reference issue
    ANDROID: fuse-bpf: Always call revalidate for backing
    ANDROID: fuse-bpf: Adjust backing handle funcs
    ANDROID: fuse-bpf: Fix revalidate error path and backing handling
    ANDROID: fuse-bpf: Fix use of get_fuse_inode
    ANDROID: fuse: Don't use readdirplus w/ nodeid 0
    ANDROID: fuse-bpf: Introduce readdirplus test case for fuse bpf
    ANDROID: fuse-bpf: Make sure force_again flag is false by default
    ANDROID: fuse-bpf: Make inodes with backing_fd reachable for regular FUSE fuse_iget
    Revert "ANDROID: fuse-bpf: use target instead of parent inode to execute backing revalidate"
    ANDROID: fuse-bpf: use target instead of parent inode to execute backing revalidate
    ANDROID: fuse-bpf: Fix misuse of args.out_args
    ANDROID: fuse-bpf: Fix non-fusebpf build
    ANDROID: fuse-bpf: Use fuse_bpf_args in uapi
    ANDROID: fuse-bpf: Fix read_iter
    ANDROID: fuse-bpf: Use cache and refcount
    ANDROID: fuse-bpf: Rename iocb_fuse to iocb_orig
    ANDROID: fuse-bpf: Fix fixattr in rename
    ANDROID: fuse-bpf: Fix readdir
    ANDROID: fuse-bpf: Fix lseek return value for offset 0
    ANDROID: fuse-bpf: fix read_iter and write_iter
    ANDROID: fuse-bpf: fix special devices
    ANDROID: fuse-bpf: support FUSE_LSEEK
    ANDROID: fuse-bpf: Add support for FUSE_COPY_FILE_RANGE
    ANDROID: fuse-bpf: Report errors to finalize
    ANDROID: fuse-bpf: Avoid reusing uint64_t for file
    ANDROID: fuse-bpf: Fix CONFIG_FUSE_BPF typo in FUSE_FSYNCDIR
    ANDROID: fuse-bpf: Move fd operations to be synchronous
    ANDROID: fuse-bpf: Invalidate if lower is unhashed
    ANDROID: fuse-bpf: Move bpf earlier in fuse_permission
    ANDROID: fuse-bpf: Update attributes on file write
    ANDROID: fuse: allow mounting with no userspace daemon
    ANDROID: fuse-bpf: Support FUSE_STATFS
    ANDROID: fuse-bpf: Fix filldir
    ANDROID: fuse-bpf: fix fuse_create_open_finalize
    ANDROID: fuse: add bpf support for removexattr
    ANDROID: fuse-bpf: Fix truncate
    ANDROID: fuse-bpf: Support inotify
    ANDROID: fuse-bpf: Make compile with CONFIG_FUSE but no CONFIG_FUSE_BPF
    ANDROID: fuse-bpf: Fix perms on readdir
    ANDROID: fuse: Fix umasking in backing
    ANDROID: fs/fuse: Backing move returns EXDEV if TO not backed
    ANDROID: bpf-fuse: Fix Setattr
    ANDROID: fuse-bpf: Check if mkdir dentry setup
    ANDROID: fuse-bpf: Close backing fds in fuse_dentry_revalidate
    ANDROID: fuse-bpf: Close backing-fd on both paths
    ANDROID: fuse-bpf: Partial fix for mmap'd files
    ANDROID: fuse-bpf: Restore a missing const
    ANDROID: Add fuse-bpf self tests
    ANDROID: Add FUSE_BPF to gki_defconfig
    ANDROID: fuse-bpf v1
    ANDROID: fuse: Move functions in preparation for fuse-bpf

    Bug: 202785178
    Bug: 265206112
    Test: test_fuse passes on linux.
    On cuttlefish, atest android.scopedstorage.cts.host.ScopedStorageHostTest passes with fuse-bpf enabled and disabled
    Change-Id: Idb099c281f9b39ff2c46fa3ebc63e508758416ee
    Signed-off-by: Paul Lawrence
    Signed-off-by: Daniel Rosenberg

 arch/arm64/configs/gki_defconfig                   |    1 +
 arch/x86/configs/gki_defconfig                     |    1 +
 fs/fuse/Kconfig                                    |    8 +
 fs/fuse/Makefile                                   |    1 +
 fs/fuse/backing.c                                  | 2468 ++++++++++++++++++++
 fs/fuse/control.c                                  |    2 +-
 fs/fuse/dev.c                                      |   19 +
 fs/fuse/dir.c                                      |  532 +++--
 fs/fuse/file.c                                     |  130 ++
 fs/fuse/fuse_i.h                                   |  720 +++++-
 fs/fuse/inode.c                                    |  322 ++-
 fs/fuse/passthrough.c                              |    2 +-
 fs/fuse/readdir.c                                  |   22 +
 fs/fuse/xattr.c                                    |   40 +
 include/linux/bpf_types.h                          |    3 +
 include/uapi/linux/android_fuse.h                  |   95 +
 include/uapi/linux/bpf.h                           |   10 +
 kernel/bpf/Makefile                                |    3 +
 kernel/bpf/bpf_fuse.c                              |  128 +
 kernel/bpf/btf.c                                   |    1 +
 .../testing/selftests/filesystems/fuse/.gitignore  |    2 +
 tools/testing/selftests/filesystems/fuse/Makefile  |   34 +
 tools/testing/selftests/filesystems/fuse/OWNERS    |    2 +
 .../selftests/filesystems/fuse/bpf_loader.c        |  791 +++++++
 tools/testing/selftests/filesystems/fuse/fd.txt    |   21 +
 tools/testing/selftests/filesystems/fuse/fd_bpf.c  |  252 ++
 .../selftests/filesystems/fuse/fuse_daemon.c       |  294 +++
 .../testing/selftests/filesystems/fuse/fuse_test.c | 2142 +++++++++++++++++
 .../testing/selftests/filesystems/fuse/test_bpf.c  |  507 ++++
 .../selftests/filesystems/fuse/test_framework.h    |  179 ++
 .../testing/selftests/filesystems/fuse/test_fuse.h |  337 +++
 .../selftests/filesystems/fuse/test_fuse_bpf.h     |   65 +
 32 files changed, 8929 insertions(+), 205 deletions(-)
 create mode 100644 fs/fuse/backing.c
 create mode 100644 include/uapi/linux/android_fuse.h
 create mode 100644 kernel/bpf/bpf_fuse.c
 create mode 100644 tools/testing/selftests/filesystems/fuse/.gitignore
 create mode 100644 tools/testing/selftests/filesystems/fuse/Makefile
 create mode 100644 tools/testing/selftests/filesystems/fuse/OWNERS
 create mode 100644 tools/testing/selftests/filesystems/fuse/bpf_loader.c
 create mode 100644 tools/testing/selftests/filesystems/fuse/fd.txt
 create mode 100644 tools/testing/selftests/filesystems/fuse/fd_bpf.c
 create mode 100644 tools/testing/selftests/filesystems/fuse/fuse_daemon.c
 create mode 100644 tools/testing/selftests/filesystems/fuse/fuse_test.c
 create mode 100644 tools/testing/selftests/filesystems/fuse/test_bpf.c
 create mode 100644 tools/testing/selftests/filesystems/fuse/test_framework.h
 create mode 100644 tools/testing/selftests/filesystems/fuse/test_fuse.h
 create mode 100644 tools/testing/selftests/filesystems/fuse/test_fuse_bpf.h

accumulated error probability: 0.00
culprit signature: 02c7848c98b62b288f2eaae407b7a0fd3ce976f7357c5d52ee2801bd33c12ffb
parent signature: f51273a387593ef5d9ea2da9dbd8514f473de4efb387970aefb87feac3437e14
revisions tested: 20, total time: 2h37m21.796880695s (build: 52m33.705055953s, test: 1h37m21.87042652s)
first bad commit: 57f3ff9648991998d008ecf32f2f9e78a08bfb8b ANDROID: fuse-bpf v1.1
recipients (to): ["drosen@google.com" "paullawrence@google.com"]
recipients (cc): []
crash: BUG: unable to handle kernel NULL pointer dereference in do_rmdir
BUG: kernel NULL pointer dereference, address: 0000000000000038
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 11552f067 P4D 11552f067 PUD 115533067 PMD 0
Oops: 0000 [#1] PREEMPT SMP
CPU: 1 PID: 347 Comm: syz-executor.0 Not tainted 6.1.1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
RIP: 0010:do_rmdir+0xfa/0x1c0 fs/namei.c:4174
Code: 8b 7e 30 b8 a0 00 00 00 48 01 c7 e8 80 2f b5 00 48 8d 7d b0 4c 89 f6 44 89 e2 e8 61 03 00 00 48 89 c3 48 3d 00 f0 ff ff 77 2d <48> 83 7b 30 00 74 15 49 8b 7f 18 49 8b 76 30 48 89 da e8 ef fa ff
RSP: 0018:ffffc90000707eb0 EFLAGS: 00010203
RAX: 0000000000000008 RBX: 0000000000000008 RCX: 0000000000000003
RDX: 0000000300000000 RSI: 0000000000000000 RDI: ffff88810b276a80
RBP: ffffc90000707f10 R08: 00000000ffffff9c R09: 000000008080007f
R10: ffff8881137bac00 R11: ffff888100041400 R12: 0000000000000000
R13: 0000000000000001 R14: ffff88810ba91780 R15: ffff888113726ca0
FS:  00007f48d5ba46c0(0000) GS:ffff888237d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000038 CR3: 0000000115521000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 __do_sys_rmdir fs/namei.c:4201 [inline]
 __se_sys_rmdir fs/namei.c:4199 [inline]
 __x64_sys_rmdir+0x1e/0x30 fs/namei.c:4199
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f48d4e7cae9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f48d5ba40c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000054
RAX: ffffffffffffffda RBX: 00007f48d4f9bf80 RCX: 00007f48d4e7cae9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000080
RBP: 00007f48d4ec847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f48d4f9bf80 R15: 00007ffc81ecc498
Modules linked in:
CR2: 0000000000000038
---[ end trace 0000000000000000 ]---
RIP: 0010:do_rmdir+0xfa/0x1c0 fs/namei.c:4174
Code: 8b 7e 30 b8 a0 00 00 00 48 01 c7 e8 80 2f b5 00 48 8d 7d b0 4c 89 f6 44 89 e2 e8 61 03 00 00 48 89 c3 48 3d 00 f0 ff ff 77 2d <48> 83 7b 30 00 74 15 49 8b 7f 18 49 8b 76 30 48 89 da e8 ef fa ff
RSP: 0018:ffffc90000707eb0 EFLAGS: 00010203
RAX: 0000000000000008 RBX: 0000000000000008 RCX: 0000000000000003
RDX: 0000000300000000 RSI: 0000000000000000 RDI: ffff88810b276a80
RBP: ffffc90000707f10 R08: 00000000ffffff9c R09: 000000008080007f
R10: ffff8881137bac00 R11: ffff888100041400 R12: 0000000000000000
R13: 0000000000000001 R14: ffff88810ba91780 R15: ffff888113726ca0
FS:  00007f48d5ba46c0(0000) GS:ffff888237d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000038 CR3: 0000000115521000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:   8b 7e 30                mov    0x30(%rsi),%edi
   3:   b8 a0 00 00 00          mov    $0xa0,%eax
   8:   48 01 c7                add    %rax,%rdi
   b:   e8 80 2f b5 00          call   0xb52f90
  10:   48 8d 7d b0             lea    -0x50(%rbp),%rdi
  14:   4c 89 f6                mov    %r14,%rsi
  17:   44 89 e2                mov    %r12d,%edx
  1a:   e8 61 03 00 00          call   0x380
  1f:   48 89 c3                mov    %rax,%rbx
  22:   48 3d 00 f0 ff ff       cmp    $0xfffffffffffff000,%rax
  28:   77 2d                   ja     0x57
* 2a:   48 83 7b 30 00          cmpq   $0x0,0x30(%rbx) <-- trapping instruction
  2f:   74 15                   je     0x46
  31:   49 8b 7f 18             mov    0x18(%r15),%rdi
  35:   49 8b 76 30             mov    0x30(%r14),%rsi
  39:   48 89 da                mov    %rbx,%rdx
  3c:   e8                      .byte 0xe8
  3d:   ef                      out    %eax,(%dx)
  3e:   fa                      cli
  3f:   ff                      .byte 0xff
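Reading the register dump: the trapping instruction `cmpq $0x0,0x30(%rbx)` reads 0x30 bytes past RBX, and RBX holds 8, the value the preceding `call 0x380` returned (`mov %rax,%rbx`) after it sailed through the `cmp $0xfffffffffffff000,%rax; ja` error-pointer test. 8 + 0x30 = 0x38, exactly the address in CR2, and the #PF error code 0x0000 says supervisor read of a not-present page. The example below is added here and is not code from the syzbot log, the kernel tree or the fuse-bpf change; it is a userland replica of the kernel's ERR_PTR/IS_ERR encoding from include/linux/err.h with the values of this oops plugged in, showing why a lookup result of 8 passes both IS_ERR() and IS_ERR_OR_NULL() and then faults on its first field access. Reading the 0x30 field as the looked-up dentry's d_inode is an inference from the call sequence in the disassembly, not something the log states, and the 4096-byte threshold in classify() is the example's own assumption.

```c
/* Added worked example; not from syzbot, the kernel tree or the fuse-bpf patch.
 * Userland replica of the kernel's error-pointer encoding, applied to the
 * register values of the do_rmdir oops above. */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Kernel convention (include/linux/err.h): the top 4095 addresses encode -errno. */
#define MAX_ERRNO 4095UL

/* Replicas of ERR_PTR()/PTR_ERR()/IS_ERR()/IS_ERR_OR_NULL(). is_err() is the
 * `cmp $0xfffffffffffff000,%rax; ja` pair in the disassembly: rax > -4096 unsigned. */
static uintptr_t err_ptr(long err)           { return (uintptr_t)err; }
static long      ptr_err(uintptr_t p)        { return (long)p; }
static bool      is_err(uintptr_t p)         { return p >= (uintptr_t)-MAX_ERRNO; }
static bool      is_err_or_null(uintptr_t p) { return p == 0 || is_err(p); }

/* Values copied from the oops on this page. */
#define OOPS_RBX     0x0000000000000008UL  /* lookup return value (mov %rax,%rbx) */
#define OOPS_CR2     0x0000000000000038UL  /* faulting linear address */
#define OOPS_PF_CODE 0x0000UL              /* #PF error code */
#define FIELD_DISP   0x30UL                /* displacement in cmpq $0x0,0x30(%rbx) */

/* Address the trapping instruction touched; must equal CR2 for this reading to hold. */
static uintptr_t fault_addr(uintptr_t base, uintptr_t disp) { return base + disp; }

/* x86 page-fault error code bits: P (bit 0), W/R (bit 1), U/S (bit 2). */
static bool pf_present(unsigned long code) { return code & (1UL << 0); }
static bool pf_write(unsigned long code)   { return code & (1UL << 1); }
static bool pf_user(unsigned long code)    { return code & (1UL << 2); }

/* How do_rmdir's checks route a given lookup result. */
enum lookup_class {
    LOOKUP_ERRPTR,    /* IS_ERR() true: treated as an errno, never dereferenced */
    LOOKUP_NULL,      /* NULL: IS_ERR() false, first field access faults at 0x30 */
    LOOKUP_BOGUS,     /* small non-NULL integer: IS_ERR() and IS_ERR_OR_NULL() both false */
    LOOKUP_PLAUSIBLE, /* looks like a kernel virtual address */
};

static enum lookup_class classify(uintptr_t dentry)
{
    if (is_err(dentry))
        return LOOKUP_ERRPTR;
    if (dentry == 0)
        return LOOKUP_NULL;
    /* Assumption of this example: nothing inside the first page is a valid kernel object. */
    if (dentry < 4096)
        return LOOKUP_BOGUS;
    return LOOKUP_PLAUSIBLE;
}

int main(void)
{
    uintptr_t addr = fault_addr(OOPS_RBX, FIELD_DISP);

    printf("lookup returned %#lx: IS_ERR=%d IS_ERR_OR_NULL=%d\n",
           (unsigned long)OOPS_RBX, is_err(OOPS_RBX), is_err_or_null(OOPS_RBX));
    printf("%#lx + %#lx = %#lx, CR2 = %#lx -> %s\n",
           (unsigned long)OOPS_RBX, (unsigned long)FIELD_DISP, (unsigned long)addr,
           (unsigned long)OOPS_CR2, addr == OOPS_CR2 ? "consistent" : "inconsistent");
    printf("#PF code %#lx: %s %s access, page %s\n", (unsigned long)OOPS_PF_CODE,
           pf_user(OOPS_PF_CODE) ? "user" : "supervisor",
           pf_write(OOPS_PF_CODE) ? "write" : "read",
           pf_present(OOPS_PF_CODE) ? "present" : "not present");
    printf("-ENOENT as ERR_PTR: %#lx, decodes back to %ld\n",
           (unsigned long)err_ptr(-ENOENT), ptr_err(err_ptr(-ENOENT)));
    return classify(OOPS_RBX) == LOOKUP_BOGUS ? 0 : 1;
}
```

The practical point for triage: IS_ERR() and IS_ERR_OR_NULL() only recognise NULL and the 4095 values just below the address-space top, so any other small integer coming back from a lookup path is invisible to the caller's checks and shows up as a NULL-pointer-style oops at a small CR2 (here 0x38) rather than at the call site that produced it.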