bisecting cause commit starting from 0238df646e6224016a45505d2c111a24669ebe21 building syzkaller on 8b311eafa7f32ebcae67cdf5e16aa1ab3fc77e7f testing commit 0238df646e6224016a45505d2c111a24669ebe21 with gcc (GCC) 8.1.0 run #0: crashed: KASAN: use-after-free Read in fuse_dev_do_read run #1: crashed: WARNING in request_end run #2: crashed: KASAN: use-after-free Read in fuse_dev_do_read run #3: OK run #4: OK testing release v4.18 testing commit 94710cac0ef4ee177a63b5227664b38c95bbf703 with gcc (GCC) 8.1.0 run #0: crashed: WARNING in request_end run #1: crashed: WARNING in request_end run #2: crashed: KASAN: use-after-free Read in fuse_dev_do_read run #3: crashed: WARNING in request_end run #4: OK testing release v4.17 testing commit 29dcea88779c856c7dc92040a0c01233263101d4 with gcc (GCC) 8.1.0 all runs: OK # git bisect start v4.18 v4.17 Bisecting: 7032 revisions left to test after this (roughly 13 steps) [3036bc45364f98515a2c446d7fac2c34dcfbeff4] Merge tag 'media/v4.18-2' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media testing commit 3036bc45364f98515a2c446d7fac2c34dcfbeff4 with gcc (GCC) 8.1.0 run #0: crashed: WARNING in request_end run #1: basic kernel testing failed: failed to copy test binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/syzkaller/jobs/linux/workdir/image/key" "/tmp/syz-executor281452211" "root@10.128.15.214:./syz-executor281452211"]: exit status 1 ssh: connect to host 10.128.15.214 port 22: Connection timed out lost connection run #2: crashed: WARNING in request_end run #3: crashed: WARNING in request_end run #4: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work # git bisect bad 3036bc45364f98515a2c446d7fac2c34dcfbeff4 Bisecting: 3644 revisions left to test after this (roughly 12 steps) [135c5504a600ff9b06e321694fbcac78a9530cd4] Merge tag 'drm-next-2018-06-06-1' of git://anongit.freedesktop.org/drm/drm testing commit 135c5504a600ff9b06e321694fbcac78a9530cd4 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 135c5504a600ff9b06e321694fbcac78a9530cd4 Bisecting: 1830 revisions left to test after this (roughly 11 steps) [f39c6b29ae1d3727d9c65a4ab99d5150b558be5e] Merge tag 'mlx5e-updates-2018-06-01' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux testing commit f39c6b29ae1d3727d9c65a4ab99d5150b558be5e with gcc (GCC) 8.1.0 run #0: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #1: OK run #2: OK run #3: OK run #4: OK # git bisect good f39c6b29ae1d3727d9c65a4ab99d5150b558be5e Bisecting: 773 revisions left to test after this (roughly 10 steps) [1c8c5a9d38f607c0b6fd12c91cbe1a4418762a21] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next testing commit 1c8c5a9d38f607c0b6fd12c91cbe1a4418762a21 with gcc (GCC) 8.1.0 run #0: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #1: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #2: OK run #3: OK run #4: OK # git bisect skip 1c8c5a9d38f607c0b6fd12c91cbe1a4418762a21 Bisecting: 773 revisions left to test after this (roughly 10 steps) [0872f4f4f13c116844fc7308cd21431c6d187665] media: ov13858: Remove owner assignment from i2c_driver testing commit 0872f4f4f13c116844fc7308cd21431c6d187665 with gcc (GCC) 8.1.0 all runs: basic kernel testing failed: lost connection to test machine # git bisect skip 0872f4f4f13c116844fc7308cd21431c6d187665 Bisecting: 773 revisions left to test after this (roughly 10 steps) [9de071536c87cb814e210bd762fcf7f645d514a9] kconfig: begin PARAM state only when seeing a command keyword testing commit 9de071536c87cb814e210bd762fcf7f645d514a9 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 9de071536c87cb814e210bd762fcf7f645d514a9 Bisecting: 773 revisions left to test after this (roughly 10 steps) [a74d51ba0e17ec9b6c4cc32cbf06eac32747fda2] ASoC: add mt6351 codec driver testing commit a74d51ba0e17ec9b6c4cc32cbf06eac32747fda2 with gcc (GCC) 8.1.0 all runs: basic kernel testing failed: lost connection to test machine # git bisect skip a74d51ba0e17ec9b6c4cc32cbf06eac32747fda2 Bisecting: 773 revisions left to test after this (roughly 10 steps) [fce34e49e4a75b3bc6cada6ae5147e410b443399] media: vsp1: Move video suspend resume handling to video object testing commit fce34e49e4a75b3bc6cada6ae5147e410b443399 with gcc (GCC) 8.1.0 all runs: OK # git bisect good fce34e49e4a75b3bc6cada6ae5147e410b443399 Bisecting: 738 revisions left to test after this (roughly 10 steps) [285767604576148fc1be7fcd112e4a90eb0d6ad2] Merge tag 'overflow-v4.18-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux testing commit 285767604576148fc1be7fcd112e4a90eb0d6ad2 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 285767604576148fc1be7fcd112e4a90eb0d6ad2 Bisecting: 369 revisions left to test after this (roughly 9 steps) [96a3c9a4896d752f2ad06c3b7f6b303cd5b93df0] Merge branch 'hns3-next' testing commit 96a3c9a4896d752f2ad06c3b7f6b303cd5b93df0 with gcc (GCC) 8.1.0 run #0: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #1: OK run #2: OK run #3: OK run #4: OK # git bisect good 96a3c9a4896d752f2ad06c3b7f6b303cd5b93df0 Bisecting: 184 revisions left to test after this (roughly 8 steps) [2dc20f454dcf82c52ed41362ce0b3140ce8ad4be] powerpc: rtas: clean up time handling testing commit 2dc20f454dcf82c52ed41362ce0b3140ce8ad4be with gcc (GCC) 8.1.0 all runs: OK # git bisect good 2dc20f454dcf82c52ed41362ce0b3140ce8ad4be Bisecting: 113 revisions left to test after this (roughly 7 steps) [ff5bc793e47b537bf3e904fada585e102c54dd8b] powerpc/64s/radix: Fix missing ptesync in flush_cache_vmap testing commit ff5bc793e47b537bf3e904fada585e102c54dd8b with gcc (GCC) 8.1.0 all runs: OK # git bisect good ff5bc793e47b537bf3e904fada585e102c54dd8b Bisecting: 56 revisions left to test after this (roughly 6 steps) [8d7ab3a0d72d3c98bcd12ff553c5ead0b5e32c31] media: media/radio/Kconfig: add back RADIO_ISA testing commit 8d7ab3a0d72d3c98bcd12ff553c5ead0b5e32c31 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 8d7ab3a0d72d3c98bcd12ff553c5ead0b5e32c31 Bisecting: 24 revisions left to test after this (roughly 5 steps) [70f2ae1f002b0ed4b4382210df8e4b6e54079012] Merge tag 'ovl-fixes-4.18' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs testing commit 70f2ae1f002b0ed4b4382210df8e4b6e54079012 with gcc (GCC) 8.1.0 run #0: boot failed: can't ssh into the instance run #1: crashed: WARNING in request_end run #2: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #3: crashed: WARNING in request_end run #4: OK # git bisect bad 70f2ae1f002b0ed4b4382210df8e4b6e54079012 Bisecting: 17 revisions left to test after this (roughly 4 steps) [543b8f8662fe6d21f19958b666ab0051af9db21a] fuse: don't keep dead fuse_conn at fuse_fill_super(). testing commit 543b8f8662fe6d21f19958b666ab0051af9db21a with gcc (GCC) 8.1.0 run #0: crashed: WARNING in request_end run #1: crashed: WARNING in request_end run #2: crashed: WARNING in request_end run #3: crashed: KASAN: use-after-free Read in fuse_dev_do_read run #4: OK # git bisect bad 543b8f8662fe6d21f19958b666ab0051af9db21a Bisecting: 6 revisions left to test after this (roughly 3 steps) [ff1b89f389a8e64d0a583ce0b0308696f4ab5860] fuse: honor AT_STATX_DONT_SYNC testing commit ff1b89f389a8e64d0a583ce0b0308696f4ab5860 with gcc (GCC) 8.1.0 all runs: OK # git bisect good ff1b89f389a8e64d0a583ce0b0308696f4ab5860 Bisecting: 2 revisions left to test after this (roughly 2 steps) [4ad769f3c346ec3d458e255548dec26ca5284cf6] fuse: Allow fully unprivileged mounts testing commit 4ad769f3c346ec3d458e255548dec26ca5284cf6 with gcc (GCC) 8.1.0 run #0: crashed: WARNING in request_end run #1: crashed: WARNING in request_end run #2: crashed: KASAN: use-after-free Read in fuse_dev_do_read run #3: OK run #4: OK # git bisect bad 4ad769f3c346ec3d458e255548dec26ca5284cf6 Bisecting: 1 revision left to test after this (roughly 1 step) [5ba24197b94d4070d8c2a17fa4944a55cc39ef03] fuse: add writeback documentation testing commit 5ba24197b94d4070d8c2a17fa4944a55cc39ef03 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 5ba24197b94d4070d8c2a17fa4944a55cc39ef03 Bisecting: 0 revisions left to test after this (roughly 0 steps) [e45b2546e23c2d10f8585063a15c745a7603fac9] fuse: Ensure posix acls are translated outside of init_user_ns testing commit e45b2546e23c2d10f8585063a15c745a7603fac9 with gcc (GCC) 8.1.0 all runs: OK # git bisect good e45b2546e23c2d10f8585063a15c745a7603fac9 4ad769f3c346ec3d458e255548dec26ca5284cf6 is the first bad commit commit 4ad769f3c346ec3d458e255548dec26ca5284cf6 Author: Eric W. Biederman Date: Tue May 29 09:04:46 2018 -0500 fuse: Allow fully unprivileged mounts Now that the fuse and the vfs work is complete. Allow the fuse filesystem to be mounted by the root user in a user namespace. Signed-off-by: "Eric W. Biederman" Signed-off-by: Miklos Szeredi :040000 040000 5b62e82440aecafb4e96175c97526e75746c29ef 1493ce0f6e48777c7fa01aaada55ed407462040a M fs revisions tested: 22, total time: 6h11m43.423185809s (build: 2h2m20.514689258s, test: 4h2m29.513529843s) first bad commit: 4ad769f3c346ec3d458e255548dec26ca5284cf6 fuse: Allow fully unprivileged mounts cc: ["ebiederm@xmission.com" "linux-fsdevel@vger.kernel.org" "linux-kernel@vger.kernel.org" "miklos@szeredi.hu" "mszeredi@redhat.com"] crash: KASAN: use-after-free Read in fuse_dev_do_read ================================================================== BUG: KASAN: use-after-free in constant_test_bit arch/x86/include/asm/bitops.h:328 [inline] BUG: KASAN: use-after-free in fuse_dev_do_read.isra.24+0x166f/0x1be0 fs/fuse/dev.c:1305 Read of size 8 at addr ffff8801cec98430 by task syz-executor0/9001 CPU: 1 PID: 9001 Comm: syz-executor0 Not tainted 4.16.0-rc6+ #1 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x153/0x201 lib/dump_stack.c:53 print_address_description.cold.7+0x9/0x1c9 mm/kasan/report.c:256 kasan_report_error mm/kasan/report.c:354 [inline] kasan_report.cold.8+0x242/0x2fe mm/kasan/report.c:412 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433 constant_test_bit arch/x86/include/asm/bitops.h:328 [inline] fuse_dev_do_read.isra.24+0x166f/0x1be0 fs/fuse/dev.c:1305 fuse_dev_read+0x185/0x240 fs/fuse/dev.c:1347 call_read_iter include/linux/fs.h:1776 [inline] new_sync_read fs/read_write.c:401 [inline] __vfs_read+0x54a/0xd20 fs/read_write.c:413 vfs_read+0xf5/0x300 fs/read_write.c:447 SYSC_read fs/read_write.c:573 [inline] SyS_read+0xf5/0x250 fs/read_write.c:566 do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline] do_fast_syscall_32+0x3d5/0x1016 arch/x86/entry/common.c:392 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139 RIP: 0023:0xf7f8fcb9 RSP: 002b:00000000f7f8b0cc EFLAGS: 00000296 ORIG_RAX: 0000000000000003 RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020001000 RDX: 00000000ffffff20 RSI: 0000000000000000 RDI: 0000000000000000 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 Allocated by task 9010: save_stack+0x43/0xd0 mm/kasan/kasan.c:447 set_track mm/kasan/kasan.c:459 [inline] kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:552 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:489 kmem_cache_alloc+0x12e/0x790 mm/slab.c:3541 __fuse_request_alloc+0x23/0xc0 fs/fuse/dev.c:58 fuse_request_alloc fs/fuse/dev.c:86 [inline] __fuse_get_req+0x186/0x8d0 fs/fuse/dev.c:151 fuse_get_req fs/fuse/dev.c:181 [inline] fuse_simple_request+0x20/0x610 fs/fuse/dev.c:536 fuse_do_setattr+0x820/0x1f60 fs/fuse/dir.c:1680 fuse_setattr+0x1a6/0x470 fs/fuse/dir.c:1780 notify_change+0x779/0xda0 fs/attr.c:313 utimes_common.isra.1+0x3f8/0x7f0 fs/utimes.c:91 do_utimes+0x199/0x250 fs/utimes.c:156 C_SYSC_futimesat fs/utimes.c:272 [inline] compat_SyS_futimesat fs/utimes.c:256 [inline] C_SYSC_utimes fs/utimes.c:277 [inline] compat_SyS_utimes+0x1f8/0x2e0 fs/utimes.c:275 do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline] do_fast_syscall_32+0x3d5/0x1016 arch/x86/entry/common.c:392 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139 Freed by task 9010: save_stack+0x43/0xd0 mm/kasan/kasan.c:447 set_track mm/kasan/kasan.c:459 [inline] __kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:520 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:527 __cache_free mm/slab.c:3485 [inline] kmem_cache_free+0x83/0x2d0 mm/slab.c:3743 fuse_request_free+0x77/0x90 fs/fuse/dev.c:101 fuse_put_request+0x22a/0x2d0 fs/fuse/dev.c:291 fuse_simple_request+0x38a/0x610 fs/fuse/dev.c:558 fuse_do_setattr+0x820/0x1f60 fs/fuse/dir.c:1680 fuse_setattr+0x1a6/0x470 fs/fuse/dir.c:1780 notify_change+0x779/0xda0 fs/attr.c:313 utimes_common.isra.1+0x3f8/0x7f0 fs/utimes.c:91 do_utimes+0x199/0x250 fs/utimes.c:156 C_SYSC_futimesat fs/utimes.c:272 [inline] compat_SyS_futimesat fs/utimes.c:256 [inline] C_SYSC_utimes fs/utimes.c:277 [inline] compat_SyS_utimes+0x1f8/0x2e0 fs/utimes.c:275 do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline] do_fast_syscall_32+0x3d5/0x1016 arch/x86/entry/common.c:392 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139 The buggy address belongs to the object at ffff8801cec98400 which belongs to the cache fuse_request of size 448 The buggy address is located 48 bytes inside of 448-byte region [ffff8801cec98400, ffff8801cec985c0) The buggy address belongs to the page: page:ffffea00073b2600 count:1 mapcount:0 mapping:ffff8801cec98000 index:0x0 flags: 0x2fffc0000000100(slab) raw: 02fffc0000000100 ffff8801cec98000 0000000000000000 0000000100000008 raw: ffffea0007656660 ffffea00076359e0 ffff8801d4de8680 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8801cec98300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801cec98380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc >ffff8801cec98400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801cec98480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801cec98500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================