bisecting cause commit starting from de6629eb262e0dc52a2367db38e3d2780cff5427 building syzkaller on c3f3344c78d6f69e1494297262c453f8ed10a844 testing commit de6629eb262e0dc52a2367db38e3d2780cff5427 with gcc (GCC) 8.1.0 run #0: OK run #1: OK run #2: crashed: WARNING in ovl_instantiate run #3: crashed: WARNING in ovl_instantiate run #4: crashed: WARNING in ovl_instantiate run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK testing release v4.20 testing commit 8fe28cb58bcb235034b64cbbb7550a8a43fd88be with gcc (GCC) 8.1.0 run #0: crashed: WARNING in ovl_instantiate run #1: crashed: WARNING in ovl_instantiate run #2: crashed: WARNING in ovl_instantiate run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK testing release v4.19 testing commit 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d with gcc (GCC) 8.1.0 run #0: crashed: WARNING in ovl_instantiate run #1: crashed: WARNING in ovl_instantiate run #2: crashed: WARNING in ovl_instantiate run #3: crashed: WARNING in ovl_instantiate run #4: crashed: WARNING in ovl_instantiate run #5: crashed: WARNING in ovl_instantiate run #6: crashed: WARNING in ovl_instantiate run #7: OK run #8: OK run #9: OK testing release v4.18 testing commit 94710cac0ef4ee177a63b5227664b38c95bbf703 with gcc (GCC) 8.1.0 run #0: crashed: WARNING in ovl_instantiate run #1: crashed: WARNING in ovl_instantiate run #2: crashed: WARNING in ovl_instantiate run #3: crashed: WARNING in ovl_instantiate run #4: crashed: WARNING in ovl_instantiate run #5: OK run #6: crashed: WARNING in ovl_instantiate run #7: OK run #8: OK run #9: OK testing release v4.17 testing commit 29dcea88779c856c7dc92040a0c01233263101d4 with gcc (GCC) 8.1.0 all runs: OK # git bisect start v4.18 v4.17 Bisecting: 7032 revisions left to test after this (roughly 13 steps) [3036bc45364f98515a2c446d7fac2c34dcfbeff4] Merge tag 'media/v4.18-2' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media testing commit 3036bc45364f98515a2c446d7fac2c34dcfbeff4 with gcc (GCC) 8.1.0 run #0: crashed: WARNING in ovl_instantiate run #1: crashed: WARNING in ovl_instantiate run #2: crashed: WARNING in ovl_instantiate run #3: crashed: WARNING in ovl_instantiate run #4: crashed: WARNING in ovl_instantiate run #5: OK run #6: OK run #7: OK run #8: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #9: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work # git bisect bad 3036bc45364f98515a2c446d7fac2c34dcfbeff4 Bisecting: 3644 revisions left to test after this (roughly 12 steps) [135c5504a600ff9b06e321694fbcac78a9530cd4] Merge tag 'drm-next-2018-06-06-1' of git://anongit.freedesktop.org/drm/drm testing commit 135c5504a600ff9b06e321694fbcac78a9530cd4 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 135c5504a600ff9b06e321694fbcac78a9530cd4 Bisecting: 1830 revisions left to test after this (roughly 11 steps) [f39c6b29ae1d3727d9c65a4ab99d5150b558be5e] Merge tag 'mlx5e-updates-2018-06-01' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux testing commit f39c6b29ae1d3727d9c65a4ab99d5150b558be5e with gcc (GCC) 8.1.0 run #0: OK run #1: OK run #2: OK run #3: OK run #4: OK run #5: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #6: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #7: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #8: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #9: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work # git bisect good f39c6b29ae1d3727d9c65a4ab99d5150b558be5e Bisecting: 773 revisions left to test after this (roughly 10 steps) [1c8c5a9d38f607c0b6fd12c91cbe1a4418762a21] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next testing commit 1c8c5a9d38f607c0b6fd12c91cbe1a4418762a21 with gcc (GCC) 8.1.0 run #0: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #8: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #9: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work # git bisect good 1c8c5a9d38f607c0b6fd12c91cbe1a4418762a21 Bisecting: 386 revisions left to test after this (roughly 9 steps) [50eea4ab9169f9ca4f24f01612005497f708b667] media: i2c: adv748x: Fix pixel rate values testing commit 50eea4ab9169f9ca4f24f01612005497f708b667 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 50eea4ab9169f9ca4f24f01612005497f708b667 Bisecting: 193 revisions left to test after this (roughly 8 steps) [cb094fa5af7c9623084aa4c3cf529b196f5c3b5c] powerpc/perf: Rearrange memory freeing in imc init testing commit cb094fa5af7c9623084aa4c3cf529b196f5c3b5c with gcc (GCC) 8.1.0 all runs: OK # git bisect good cb094fa5af7c9623084aa4c3cf529b196f5c3b5c Bisecting: 78 revisions left to test after this (roughly 7 steps) [c90fca951e90ba470a3dc6087667edffcf8db21b] Merge tag 'powerpc-4.18-1' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux testing commit c90fca951e90ba470a3dc6087667edffcf8db21b with gcc (GCC) 8.1.0 run #0: crashed: WARNING in ovl_instantiate run #1: crashed: WARNING in ovl_instantiate run #2: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #3: OK run #4: OK run #5: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #6: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #7: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #8: boot failed: can't ssh into the instance run #9: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work # git bisect bad c90fca951e90ba470a3dc6087667edffcf8db21b Bisecting: 57 revisions left to test after this (roughly 6 steps) [eabdb8ca8690eedd461e61ea7780595fbbae8132] powerpc/pkeys: Detach execute_only key on !PROT_EXEC testing commit eabdb8ca8690eedd461e61ea7780595fbbae8132 with gcc (GCC) 8.1.0 all runs: OK # git bisect good eabdb8ca8690eedd461e61ea7780595fbbae8132 Bisecting: 28 revisions left to test after this (roughly 5 steps) [70f2ae1f002b0ed4b4382210df8e4b6e54079012] Merge tag 'ovl-fixes-4.18' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs testing commit 70f2ae1f002b0ed4b4382210df8e4b6e54079012 with gcc (GCC) 8.1.0 run #0: crashed: WARNING in ovl_instantiate run #1: crashed: WARNING in ovl_instantiate run #2: OK run #3: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #4: OK run #5: OK run #6: OK run #7: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #8: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #9: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work # git bisect bad 70f2ae1f002b0ed4b4382210df8e4b6e54079012 Bisecting: 14 revisions left to test after this (roughly 4 steps) [543b8f8662fe6d21f19958b666ab0051af9db21a] fuse: don't keep dead fuse_conn at fuse_fill_super(). testing commit 543b8f8662fe6d21f19958b666ab0051af9db21a with gcc (GCC) 8.1.0 all runs: OK # git bisect good 543b8f8662fe6d21f19958b666ab0051af9db21a Bisecting: 7 revisions left to test after this (roughly 3 steps) [137ec526a20c4e4d21d658a6581b471d39860911] ovl: create helper ovl_create_temp() testing commit 137ec526a20c4e4d21d658a6581b471d39860911 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 137ec526a20c4e4d21d658a6581b471d39860911 Bisecting: 3 revisions left to test after this (roughly 2 steps) [80ea09a002bf4384fda5f087b1b198b3a274f9da] vfs: factor out inode_insert5() testing commit 80ea09a002bf4384fda5f087b1b198b3a274f9da with gcc (GCC) 8.1.0 all runs: OK # git bisect good 80ea09a002bf4384fda5f087b1b198b3a274f9da Bisecting: 1 revision left to test after this (roughly 1 step) [01b39dcc95680b04c7af5de7f39f577e9c4865e3] ovl: use inode_insert5() to hash a newly created inode testing commit 01b39dcc95680b04c7af5de7f39f577e9c4865e3 with gcc (GCC) 8.1.0 run #0: crashed: WARNING in ovl_instantiate run #1: crashed: WARNING in ovl_instantiate run #2: crashed: WARNING in ovl_instantiate run #3: OK run #4: crashed: WARNING in ovl_instantiate run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 01b39dcc95680b04c7af5de7f39f577e9c4865e3 Bisecting: 0 revisions left to test after this (roughly 0 steps) [ac6a52eb65b5327859135269c9374bf2ff731c9f] ovl: Pass argument to ovl_get_inode() in a structure testing commit ac6a52eb65b5327859135269c9374bf2ff731c9f with gcc (GCC) 8.1.0 all runs: OK # git bisect good ac6a52eb65b5327859135269c9374bf2ff731c9f 01b39dcc95680b04c7af5de7f39f577e9c4865e3 is the first bad commit commit 01b39dcc95680b04c7af5de7f39f577e9c4865e3 Author: Amir Goldstein Date: Fri May 11 11:15:15 2018 +0300 ovl: use inode_insert5() to hash a newly created inode Currently, there is a small window where ovl_obtain_alias() can race with ovl_instantiate() and create two different overlay inodes with the same underlying real non-dir non-hardlink inode. The race requires an adversary to guess the file handle of the yet to be created upper inode and decode the guessed file handle after ovl_creat_real(), but before ovl_instantiate(). This race does not affect overlay directory inodes, because those are decoded via ovl_lookup_real() and not with ovl_obtain_alias(). This patch fixes the race, by using inode_insert5() to add a newly created inode to cache. If the newly created inode apears to already exist in cache (hashed by the same real upper inode), we instantiate the dentry with the old inode and drop the new inode, instead of silently not hashing the new inode. Signed-off-by: Amir Goldstein Signed-off-by: Miklos Szeredi :040000 040000 ceb23c389f1809efac2d69c84d5679ab87e08466 ab0f29fac0ac3d42c6f8d70f8d73d51ce6310613 M fs revisions tested: 19, total time: 5h21m14.222505506s (build: 1h54m34.720745532s, test: 3h19m34.218083701s) first bad commit: 01b39dcc95680b04c7af5de7f39f577e9c4865e3 ovl: use inode_insert5() to hash a newly created inode cc: ["amir73il@gmail.com" "linux-kernel@vger.kernel.org" "linux-unionfs@vger.kernel.org" "miklos@szeredi.hu" "mszeredi@redhat.com"] crash: WARNING in ovl_instantiate overlayfs: filesystem on './file0' not supported as upperdir overlayfs: filesystem on './file0' not supported as upperdir overlayfs: filesystem on './file0' not supported as upperdir overlayfs: filesystem on './file0' not supported as upperdir overlayfs: filesystem on './file0' not supported as upperdir WARNING: CPU: 0 PID: 7256 at fs/overlayfs/dir.c:261 ovl_instantiate+0x2e5/0x3f0 fs/overlayfs/dir.c:279 Kernel panic - not syncing: panic_on_warn set ... CPU: 0 PID: 7256 Comm: syz-executor3 Not tainted 4.17.0-rc7+ #1 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x16e/0x22a lib/dump_stack.c:113 panic+0x1c6/0x37d kernel/panic.c:184 __warn.cold.8+0x120/0x16c kernel/panic.c:536 report_bug+0x1a4/0x200 lib/bug.c:186 fixup_bug arch/x86/kernel/traps.c:178 [inline] do_error_trap+0x1df/0x490 arch/x86/kernel/traps.c:296 do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315 invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:992 RIP: 0010:ovl_instantiate+0x2e5/0x3f0 fs/overlayfs/dir.c:261 RSP: 0018:ffff88008702f9c0 EFLAGS: 00010202 RAX: ffffffffffffff8c RBX: 1ffff10010e05f3a RCX: 1ffff10010e05ef2 RDX: dffffc0000000000 RSI: 0000000000000000 RDI: ffff880092ff17e8 RBP: ffff88008702fa78 R08: ffffed00125fe2fe R09: ffffed00125fe2fd R10: ffffed00125fe2fd R11: ffff880092ff17eb R12: ffff88008702fa50 R13: ffff88008702f9f0 R14: ffff880077a55080 R15: ffffffffffffff8c ovl_create_over_whiteout fs/overlayfs/dir.c:513 [inline] ovl_create_or_link+0x964/0x1110 fs/overlayfs/dir.c:577 ovl_create_object+0x284/0x3f0 fs/overlayfs/dir.c:607 ovl_symlink+0x16/0x20 fs/overlayfs/dir.c:642 vfs_symlink+0x2f9/0x520 fs/namei.c:4097 do_symlinkat+0x1b6/0x220 fs/namei.c:4124 __do_sys_symlink fs/namei.c:4143 [inline] __se_sys_symlink fs/namei.c:4141 [inline] __x64_sys_symlink+0x54/0x80 fs/namei.c:4141 do_syscall_64+0x183/0x700 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x458019 RSP: 002b:00007f3ae7ba4c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000058 RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 0000000000458019 RDX: 0000000000000000 RSI: 0000000020000340 RDI: 0000000020000040 RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f3ae7ba56d4 R13: 00000000004c63bf R14: 00000000004db3a8 R15: 00000000ffffffff Kernel Offset: disabled Rebooting in 86400 seconds..