ci2 starts bisection 2024-02-12 12:08:29.272123357 +0000 UTC m=+241184.351846328
bisecting fixing commit since 453f5db0619e2ad64076aab16ff5a00e0f7c53a2
building syzkaller on fb427a0782000106c62de76d251e5a02de5406a9
ensuring issue is reproducible on original commit 453f5db0619e2ad64076aab16ff5a00e0f7c53a2
testing commit 453f5db0619e2ad64076aab16ff5a00e0f7c53a2 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ced10a9c24c0fa12884c3ee1f52a5d61c772afbe738830fc8f1e09f984980526
all runs: crashed: BUG: unable to handle kernel paging request in tracefs_apply_options
representative crash: BUG: unable to handle kernel paging request in tracefs_apply_options, types: [UNKNOWN]
check whether we can drop unnecessary instrumentation
disabling configs for [UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
testing commit 453f5db0619e2ad64076aab16ff5a00e0f7c53a2 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: b632467e00b62c45698afb369eb83b744c53409318db449b62a906ed2b995403
all runs: crashed: BUG: unable to handle kernel paging request in tracefs_apply_options
representative crash: BUG: unable to handle kernel paging request in tracefs_apply_options, types: [UNKNOWN]
the bug reproduces without the instrumentation
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG KASAN], they are not needed
kconfig minimization: base=3932 full=7652 leaves diff=2009
split chunks (needed=false): <2009>
split chunk #0 of len 2009 into 5 parts
testing without sub-chunk 1/5
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG KASAN], they are not needed
testing commit 453f5db0619e2ad64076aab16ff5a00e0f7c53a2 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 3298027ed8db55b3389985aa6ec3ed040ffd4f83302382abe139f336e121b9f7
all runs: crashed: BUG: unable to handle kernel paging request in tracefs_apply_options
representative crash: BUG: unable to handle kernel paging request in tracefs_apply_options, types: [UNKNOWN]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing commit 453f5db0619e2ad64076aab16ff5a00e0f7c53a2 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d8deefae1759ed62c6d42e3ad4cf9d65303eea92b78763795f1bf9fff4e54bf5
all runs: crashed: BUG: unable to handle kernel paging request in tracefs_apply_options
representative crash: BUG: unable to handle kernel paging request in tracefs_apply_options, types: [UNKNOWN]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
testing commit 453f5db0619e2ad64076aab16ff5a00e0f7c53a2 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 3298ecb090aacc3427a6c6a55ab2de343c417ffb1e4ac1451351b25915ddf176
all runs: crashed: BUG: unable to handle kernel paging request in tracefs_apply_options
representative crash: BUG: unable to handle kernel paging request in tracefs_apply_options, types: [UNKNOWN]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG KASAN], they are not needed
testing commit 453f5db0619e2ad64076aab16ff5a00e0f7c53a2 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: bb80e91836175feee45233464f894f59a5fe85d02ae67a9d658f2ab585154fe1
all runs: crashed: BUG: unable to handle kernel paging request in tracefs_apply_options
representative crash: BUG: unable to handle kernel paging request in tracefs_apply_options, types: [UNKNOWN]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP HANG], they are not needed
testing commit 453f5db0619e2ad64076aab16ff5a00e0f7c53a2 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 5a3dc284615424d723e0b219af6bb25f6cdb4d8e4b1e9d1513b8a5ebf1cfedd9
all runs: crashed: BUG: unable to handle kernel paging request in tracefs_apply_options
representative crash: BUG: unable to handle kernel paging request in tracefs_apply_options, types: [UNKNOWN]
the chunk can be dropped
disabling configs for [HANG LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP], they are not needed
testing current HEAD 841c35169323cd833294798e58b9bf63fa4fa1de
testing commit 841c35169323cd833294798e58b9bf63fa4fa1de gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: cbefbb447a45b9fe753fccf63ddacc850a5488199149ddca39ad252ef9c5110b
all runs: OK
false negative chance: 0.000
# git bisect start 841c35169323cd833294798e58b9bf63fa4fa1de 453f5db0619e2ad64076aab16ff5a00e0f7c53a2
Bisecting: 8010 revisions left to test after this (roughly 13 steps)
[ba5afb9a84df2e6b26a1b6389b98849cd16ea757] fs: rework listmount() implementation
determine whether the revision contains the guilty commit
revision 453f5db0619e2ad64076aab16ff5a00e0f7c53a2 crashed and is reachable
testing commit ba5afb9a84df2e6b26a1b6389b98849cd16ea757 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 764cb9a84d88587657aeaf0607965c3617daf488d4a126f03f024c4d13f3bde2
all runs: OK
false negative chance: 0.000
# git bisect bad ba5afb9a84df2e6b26a1b6389b98849cd16ea757
Bisecting: 3542 revisions left to test after this (roughly 12 steps)
[de927f6c0b07d9e698416c5b287c521b07694cac] Merge tag 's390-6.8-1' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux
determine whether the revision contains the guilty commit
revision 453f5db0619e2ad64076aab16ff5a00e0f7c53a2 crashed and is reachable
testing commit de927f6c0b07d9e698416c5b287c521b07694cac gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: cd661571753e7a4b9f8f30471c8acb5654763fc2aac0d71bfd1c4442fd318c66
all runs: OK
false negative chance: 0.000
# git bisect bad de927f6c0b07d9e698416c5b287c521b07694cac
Bisecting: 1488 revisions left to test after this (roughly 11 steps)
[da96801729b43eb6229425a23b7bdf6045685251] Merge tag 'regulator-v6.8' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator
determine whether the revision contains the guilty commit
revision 453f5db0619e2ad64076aab16ff5a00e0f7c53a2 crashed and is reachable
testing commit da96801729b43eb6229425a23b7bdf6045685251 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: a1b8da4bdc8b4c7b6e29a33717c5bf2ce6be9580e5e34573969462c8d5bc1416
all runs: OK
false negative chance: 0.000
# git bisect bad da96801729b43eb6229425a23b7bdf6045685251
Bisecting: 691 revisions left to test after this (roughly 10 steps)
[bfe8eb3b85c571f7e94e1039f59b462505b8e0fc] Merge tag 'sched-core-2024-01-08' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
determine whether the revision contains the guilty commit
revision 453f5db0619e2ad64076aab16ff5a00e0f7c53a2 crashed and is reachable
testing commit bfe8eb3b85c571f7e94e1039f59b462505b8e0fc gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 3c14cfb06a15377a3f3bd4dfc40552b8ae5c65871ca7b345d2088c4ab668cb4e
all runs: OK
false negative chance: 0.000
# git bisect bad bfe8eb3b85c571f7e94e1039f59b462505b8e0fc
Bisecting: 363 revisions left to test after this (roughly 9 steps)
[e900042f04848b5be9238d866df0952cfc548cf9] Merge tag 'x86_sev_for_v6.8' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
determine whether the revision contains the guilty commit
revision 453f5db0619e2ad64076aab16ff5a00e0f7c53a2 crashed and is reachable
testing commit e900042f04848b5be9238d866df0952cfc548cf9 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ef516a6bbd927c53ba50d1f484f4686612b158f8dc49bb588a4a5a1279305e18
all runs: OK
false negative chance: 0.000
# git bisect bad e900042f04848b5be9238d866df0952cfc548cf9
Bisecting: 178 revisions left to test after this (roughly 8 steps)
[52b1853b080a082ec3749c3a9577f6c71b1d4a90] Merge tag 'i2c-for-6.7-final' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux
determine whether the revision contains the guilty commit
revision 453f5db0619e2ad64076aab16ff5a00e0f7c53a2 crashed and is reachable
testing commit 52b1853b080a082ec3749c3a9577f6c71b1d4a90 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 7db0f14bc00b1066ac3250a1e2b45106a2aaa116c3d549ad7b4c66f4d5d7f4f0
all runs: OK
false negative chance: 0.000
# git bisect bad 52b1853b080a082ec3749c3a9577f6c71b1d4a90
Bisecting: 118 revisions left to test after this (roughly 7 steps)
[4c8530dc7d7da4abe97d65e8e038ce9852491369] net/tcp: Only produce AO/MD5 logs if there are any keys
determine whether the revision contains the guilty commit
checking the merge base 7c5e046bdcb2513f9decb3765d8bf92d604279cf
no existing result, test the revision
testing commit 7c5e046bdcb2513f9decb3765d8bf92d604279cf gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 1802517d16dffe54beb76ebec4bc460c532968486be3965f3cf8b77de64ecc5d
all runs: OK
false negative chance: 0.000
the bug was not introduced yet; pretend that kernel crashed
# git bisect good 4c8530dc7d7da4abe97d65e8e038ce9852491369
Bisecting: 59 revisions left to test after this (roughly 6 steps)
[5d4acb62853abac1da2deebcb1c1c5b79219bf3b] x86/csum: Remove unnecessary odd handling
determine whether the revision contains the guilty commit
revision 453f5db0619e2ad64076aab16ff5a00e0f7c53a2 crashed and is reachable
testing commit 5d4acb62853abac1da2deebcb1c1c5b79219bf3b gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 950d5f2b2c7985602622d0cb851970318118546eb1e7aef2dfcf672a0d437fb9
all runs: OK
false negative chance: 0.000
# git bisect bad 5d4acb62853abac1da2deebcb1c1c5b79219bf3b
Bisecting: 31 revisions left to test after this (roughly 5 steps)
[ac865f00af293d081356bec56eea90815094a60e] Merge tag 'pci-v6.7-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/pci/pci
determine whether the revision contains the guilty commit
revision 453f5db0619e2ad64076aab16ff5a00e0f7c53a2 crashed and is reachable
testing commit ac865f00af293d081356bec56eea90815094a60e gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: fd289caf6cbcd7983b04b2c198e38282b84a7f4d504ed563d2c4c536f05151a0
all runs: OK
false negative chance: 0.000
# git bisect bad ac865f00af293d081356bec56eea90815094a60e
Bisecting: 13 revisions left to test after this (roughly 4 steps)
[0d72ab35a925d66b044cb62b709e53141c3f0143] bcachefs: make RO snapshots actually RO
determine whether the revision contains the guilty commit
revision 453f5db0619e2ad64076aab16ff5a00e0f7c53a2 crashed and is reachable
testing commit 0d72ab35a925d66b044cb62b709e53141c3f0143 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 8b46efa35b9f984628d70ae73d951b3ffc5072eb4a3069d1d9faae6056b3780c
all runs: crashed: BUG: unable to handle kernel paging request in tracefs_apply_options
representative crash: BUG: unable to handle kernel paging request in tracefs_apply_options, types: [UNKNOWN]
# git bisect good 0d72ab35a925d66b044cb62b709e53141c3f0143
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[360f0342b2e9374298e2222c846f3fe9d0295f0d] Merge tag 'trace-v6.7-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace
determine whether the revision contains the guilty commit
revision 0d72ab35a925d66b044cb62b709e53141c3f0143 crashed and is reachable
testing commit 360f0342b2e9374298e2222c846f3fe9d0295f0d gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 29388d21c1e507dfa51a26fc58316b804fec98e47ce49978f69c819cb52fdd1f
all runs: OK
false negative chance: 0.000
# git bisect bad 360f0342b2e9374298e2222c846f3fe9d0295f0d
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[610a9b8f49fbcf1100716370d3b5f6f884a2835a] Linux 6.7-rc8
determine whether the revision contains the guilty commit
revision 453f5db0619e2ad64076aab16ff5a00e0f7c53a2 crashed and is reachable
testing commit 610a9b8f49fbcf1100716370d3b5f6f884a2835a gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: cd300ea31f0a164a5260a103156b73dbc5c70b5659ae43eda615b961e5bbeb94
all runs: crashed: BUG: unable to handle kernel paging request in tracefs_apply_options
representative crash: BUG: unable to handle kernel paging request in tracefs_apply_options, types: [UNKNOWN]
# git bisect good 610a9b8f49fbcf1100716370d3b5f6f884a2835a
Bisecting: 1 revision left to test after this (roughly 1 step)
[fd56cd5f6d76e93356d9520cf9dabffe1e3d1aa0] eventfs: Fix bitwise fields for "is_events"
determine whether the revision contains the guilty commit
checking the merge base d05cb470663a2a1879277e544f69e660208f08f2
no existing result, test the revision
testing commit d05cb470663a2a1879277e544f69e660208f08f2 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 67c041ad37f47dbe131203a9f3529a7ad830a8d1378b2a5116bc88a96136bfd1
all runs: crashed: BUG: unable to handle kernel paging request in tracefs_apply_options
representative crash: BUG: unable to handle kernel paging request in tracefs_apply_options, types: [UNKNOWN]
testing commit fd56cd5f6d76e93356d9520cf9dabffe1e3d1aa0 gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 63cf68845d72d33d24691ecf937aa6dcac43a65692fe1c52510ed7d0a2d6527a
all runs: OK
false negative chance: 0.000
# git bisect bad fd56cd5f6d76e93356d9520cf9dabffe1e3d1aa0
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[ad579864637af46447208254719943179b69d41a] tracefs: Check for dentry->d_inode exists in set_gid()
determine whether the revision contains the guilty commit
revision d05cb470663a2a1879277e544f69e660208f08f2 crashed and is reachable
testing commit ad579864637af46447208254719943179b69d41a gcc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: c7b2615ce5b5cfd3d1bca92412473395186d67a2cead40cb4a873ff73d174b64
all runs: OK
false negative chance: 0.000
# git bisect bad ad579864637af46447208254719943179b69d41a
ad579864637af46447208254719943179b69d41a is the first bad commit
commit ad579864637af46447208254719943179b69d41a
Author: Steven Rostedt (Google)
Date:   Tue Jan 2 15:12:49 2024 -0500

    tracefs: Check for dentry->d_inode exists in set_gid()

    If a getdents() is called on the tracefs directory but does not get all
    the files, it can leave a "cursor" dentry in the d_subdirs list of tracefs
    dentry. This cursor dentry does not have a d_inode for it. Before
    referencing tracefs_inode from the dentry, the d_inode must first be
    checked if it has content. If not, then it's not a tracefs_inode and can
    be ignored.

    The following caused a crash:

     #define _GNU_SOURCE
     #include <fcntl.h>
     #include <sys/mount.h>
     #include <sys/stat.h>
     #include <sys/syscall.h>
     #include <unistd.h>

     #define getdents64(fd, dirp, count) syscall(SYS_getdents64, fd, dirp, count)

     #define BUF_SIZE 256
     #define TDIR "/tmp/file0"

     int main(void)
     {
            char buf[BUF_SIZE];
            int fd;
            int n;
            int ret;

            mkdir(TDIR, 0777);
            mount(NULL, TDIR, "tracefs", 0, NULL);
            fd = openat(AT_FDCWD, TDIR, O_RDONLY);
            /* Buffer too small for all entries: leaves a cursor dentry. */
            n = getdents64(fd, buf, BUF_SIZE);
            /* Remount with gid= iterates over all dentries. */
            ret = mount(NULL, TDIR, NULL, MS_NOSUID|MS_REMOUNT|MS_RELATIME|MS_LAZYTIME, "gid=1000");
            return 0;
     }

    That's because the 256 BUF_SIZE was not big enough to read all the
    dentries of the tracefs file system and it left a "cursor" dentry in the
    subdirs of the tracefs root inode. Then on remounting with "gid=1000",
    it would cause an iteration of all dentries which hit:

            ti = get_tracefs(dentry->d_inode);
            if (ti && (ti->flags & TRACEFS_EVENT_INODE))
                    eventfs_update_gid(dentry, gid);

    Which crashed because of the dereference of the cursor dentry which had a NULL
    d_inode.

    In the subdir loop of the dentry lookup of set_gid(), if a child has a
    NULL d_inode, simply skip it.

    Link: https://lore.kernel.org/all/20240102135637.3a21fb10@gandalf.local.home/
    Link: https://lore.kernel.org/linux-trace-kernel/20240102151249.05da244d@gandalf.local.home

    Cc: stable@vger.kernel.org
    Cc: Masami Hiramatsu
    Cc: Mark Rutland
    Cc: Mathieu Desnoyers
    Fixes: 7e8358edf503e ("eventfs: Fix file and directory uid and gid ownership")
    Reported-by: "Ubisectech Sirius"
    Signed-off-by: Steven Rostedt (Google)

 fs/tracefs/inode.c | 4 ++++
 1 file changed, 4 insertions(+)
accumulated error probability: 0.00
culprit signature: c7b2615ce5b5cfd3d1bca92412473395186d67a2cead40cb4a873ff73d174b64
parent signature: 67c041ad37f47dbe131203a9f3529a7ad830a8d1378b2a5116bc88a96136bfd1
revisions tested: 23, total time: 5h0m59.361831724s (build: 1h44m17.275854625s, test: 3h5m55.989945901s)
first good commit: ad579864637af46447208254719943179b69d41a tracefs: Check for dentry->d_inode exists in set_gid()
recipients (to): ["rostedt@goodmis.org"]
recipients (cc): []