bisecting fixing commit since fa54d366a6e4fe3e16322abdb8b5115f8be0da8b
building syzkaller on b599f2fcc734e2183016a340d4f6fc2891d8e41f
testing commit fa54d366a6e4fe3e16322abdb8b5115f8be0da8b
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: a1fec9ff1da92056ed6ac63f10d48caa30f383fa91e1081d22dc3faf1932f5d7
all runs: crashed: KASAN: use-after-free Read in em28xx_close_extension
testing current HEAD 4de593fb965fc2bd11a0b767e0c65ff43540a6e4
testing commit 4de593fb965fc2bd11a0b767e0c65ff43540a6e4
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: e3fc5fe89527f654048be42eca84e600468f0d4572902c49154abd1111e797e0
all runs: OK
# git bisect start 4de593fb965fc2bd11a0b767e0c65ff43540a6e4 fa54d366a6e4fe3e16322abdb8b5115f8be0da8b
Bisecting: 6657 revisions left to test after this (roughly 13 steps)
[1b4f3dfb4792f03b139edf10124fcbeb44e608e6] Merge tag 'usb-serial-5.15-rc1' of https://git.kernel.org/pub/scm/linux/kernel/git/johan/usb-serial into usb-next
testing commit 1b4f3dfb4792f03b139edf10124fcbeb44e608e6
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: b5dde2e426319fada7ca2ef123018c7fd847809f1a40169cd9a556369a4798bb
all runs: crashed: KFENCE: use-after-free in kvm_fastop_exception
# git bisect good 1b4f3dfb4792f03b139edf10124fcbeb44e608e6
Bisecting: 3331 revisions left to test after this (roughly 12 steps)
[5ac749a57e0ebb334b1b2c3d28d4d5b1ef85f8ed] libata: pass over maintainership to Damien Le Moal
testing commit 5ac749a57e0ebb334b1b2c3d28d4d5b1ef85f8ed
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: b7a7fa450a17cf416485ed969c200b2b452b738390c08e13415a0ece6981117f
run #0: basic kernel testing failed: failed to copy test binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/bin/linux_amd64/syz-fuzzer" "root@10.128.10.20:./syz-fuzzer"]: exit status 1
Connection timed out during banner exchange
Connection to 10.128.10.20 port 22 timed out
lost connection
run #1: crashed: KFENCE: use-after-free in kvm_fastop_exception
run #2: crashed: KFENCE: use-after-free in kvm_fastop_exception
run #3: crashed: KFENCE: use-after-free in kvm_fastop_exception
run #4: crashed: KFENCE: use-after-free in kvm_fastop_exception
run #5: crashed: KFENCE: use-after-free in kvm_fastop_exception
run #6: crashed: KFENCE: use-after-free in kvm_fastop_exception
run #7: crashed: KFENCE: use-after-free in kvm_fastop_exception
run #8: crashed: KFENCE: use-after-free in kvm_fastop_exception
run #9: crashed: KFENCE: use-after-free in kvm_fastop_exception
# git bisect good 5ac749a57e0ebb334b1b2c3d28d4d5b1ef85f8ed
Bisecting: 1643 revisions left to test after this (roughly 11 steps)
[2d338201d5311bcd79d42f66df4cecbcbc5f4f2c] Merge branch 'akpm' (patches from Andrew)
testing commit 2d338201d5311bcd79d42f66df4cecbcbc5f4f2c
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 90cc71fd5a718a1cc08114a7df563ffb4a390a178d2efbeb2e1dba7ec19db5c2
run #0: basic kernel testing failed: KFENCE: use-after-free in kvm_fastop_exception
run #1: crashed: KFENCE: use-after-free in kvm_fastop_exception
run #2: crashed: KFENCE: use-after-free in kvm_fastop_exception
run #3: crashed: KFENCE: use-after-free in kvm_fastop_exception
run #4: crashed: KFENCE: use-after-free in kvm_fastop_exception
run #5: crashed: KFENCE: use-after-free in kvm_fastop_exception
run #6: crashed: KFENCE: use-after-free in kvm_fastop_exception
run #7: crashed: KFENCE: use-after-free in kvm_fastop_exception
run #8: crashed: KFENCE: use-after-free in kvm_fastop_exception
run #9: crashed: KFENCE: use-after-free in kvm_fastop_exception
# git bisect good 2d338201d5311bcd79d42f66df4cecbcbc5f4f2c
Bisecting: 821 revisions left to test after this (roughly 10 steps)
[109f7ea9aedce437b4b7737ab60bfea65d9dbdd3] Merge tag 'amd-drm-fixes-5.15-2021-09-16' of https://gitlab.freedesktop.org/agd5f/linux into drm-fixes
testing commit 109f7ea9aedce437b4b7737ab60bfea65d9dbdd3
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 9040bad28fe9c648c2e18f8d328560c70811d9e20f50fbc1f8557dd33d63a4b5
all runs: OK
# git bisect bad 109f7ea9aedce437b4b7737ab60bfea65d9dbdd3
Bisecting: 421 revisions left to test after this (roughly 9 steps)
[a668acb8f01fc0d1e3877cddecbe319ef2ef651c] Merge tag 'drm-next-2021-09-10' of git://anongit.freedesktop.org/drm/drm
testing commit a668acb8f01fc0d1e3877cddecbe319ef2ef651c
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 8d3e2229cf4332baf4a5ef8f562a6f292eb3707e400f24c237ba86d2ca12e4ed
run #0: crashed: KFENCE: use-after-free in kvm_fastop_exception
run #1: crashed: KFENCE: use-after-free in kvm_fastop_exception
run #2: crashed: KFENCE: use-after-free in kvm_fastop_exception
run #3: crashed: KFENCE: use-after-free in kvm_fastop_exception
run #4: crashed: KFENCE: use-after-free in kvm_fastop_exception
run #5: crashed: KFENCE: use-after-free in kvm_fastop_exception
run #6: crashed: KFENCE: use-after-free in kvm_fastop_exception
run #7: crashed: KFENCE: use-after-free in kvm_fastop_exception
run #8: crashed: KFENCE: use-after-free in kvm_fastop_exception
run #9: OK
# git bisect good a668acb8f01fc0d1e3877cddecbe319ef2ef651c
Bisecting: 207 revisions left to test after this (roughly 8 steps)
[107ccc45bb25c7fdc7a744496caa4d8a52af4812] Merge tag 'rtc-5.15' of git://git.kernel.org/pub/scm/linux/kernel/git/abelloni/linux
testing commit 107ccc45bb25c7fdc7a744496caa4d8a52af4812
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 2f9efc74c985a40dcc0352f42b5eebe031dd3111cc454f1aa8feb76311ce005d
all runs: crashed: KFENCE: use-after-free in kvm_fastop_exception
# git bisect good 107ccc45bb25c7fdc7a744496caa4d8a52af4812
Bisecting: 105 revisions left to test after this (roughly 7 steps)
[7bf3142625c193db2dfbd7df2176b7cd910d9e4f] Merge tag 'timers_urgent_for_v5.15_rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
testing commit 7bf3142625c193db2dfbd7df2176b7cd910d9e4f
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 39c40b64a039bed76233ef937df17a077ff0af40592547f38265834e367d9920
all runs: OK
# git bisect bad 7bf3142625c193db2dfbd7df2176b7cd910d9e4f
Bisecting: 52 revisions left to test after this (roughly 6 steps)
[b79bd0d5102b4a3ea908018fda6b84a4c8fd6235] Merge tag 'riscv-for-linus-5.15-mw1' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux
testing commit b79bd0d5102b4a3ea908018fda6b84a4c8fd6235
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: ef2e6abe3a1267f7e0cef1c359b23a196805ca70ebd88c34774c0cbe1a23a978
all runs: crashed: KFENCE: use-after-free in kvm_fastop_exception
# git bisect good b79bd0d5102b4a3ea908018fda6b84a4c8fd6235
Bisecting: 26 revisions left to test after this (roughly 5 steps)
[6105d1fe6f4c24ce8c13e2e6568b16b76e04983d] virtio-blk: remove unneeded "likely" statements
testing commit 6105d1fe6f4c24ce8c13e2e6568b16b76e04983d
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 75f77fe79e778b63696c7f3b9a36900fe30d5cd0da78cc0ebfb6b931c929f8cd
all runs: crashed: KASAN: use-after-free Read in em28xx_close_extension
# git bisect good 6105d1fe6f4c24ce8c13e2e6568b16b76e04983d
Bisecting: 13 revisions left to test after this (roughly 4 steps)
[7bc7f61897b66bef78bb5952e3d1e9f3aaf9ccca] Documentation: Add documentation for VDUSE
testing commit 7bc7f61897b66bef78bb5952e3d1e9f3aaf9ccca
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 18fafea79c772f554f585e0de52abc2d7e20f0d4ad45f2eade50d95b0e1709cb
all runs: crashed: KASAN: use-after-free Read in em28xx_close_extension
# git bisect good 7bc7f61897b66bef78bb5952e3d1e9f3aaf9ccca
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[8d4a0b5d0813c990637fa9f3c9bea5dab1fedb8f] Merge tag '5.15-rc-cifs-part2' of git://git.samba.org/sfrench/cifs-2.6
testing commit 8d4a0b5d0813c990637fa9f3c9bea5dab1fedb8f
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 172c6f0e90d4b78c5a537249305c51f9a7ac9de3354f19134c91b4c330d8e5b6
all runs: crashed: KFENCE: use-after-free in kvm_fastop_exception
# git bisect good 8d4a0b5d0813c990637fa9f3c9bea5dab1fedb8f
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[b4a4f213a39d5e55baf38c96042acaeaf927ec74] namei: Standardize callers of filename_create()
testing commit b4a4f213a39d5e55baf38c96042acaeaf927ec74
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: bfb623172a3d9016ca22829860013273c9f9dd2560ff0ac15b08dae3cc0f1640
all runs: OK
# git bisect bad b4a4f213a39d5e55baf38c96042acaeaf927ec74
Bisecting: 1 revision left to test after this (roughly 1 step)
[c5f563f9e9e66c0ad0b23abe25165c124579b70e] rename __filename_parentat() to filename_parentat()
testing commit c5f563f9e9e66c0ad0b23abe25165c124579b70e
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 0bf9f531c6c6f6ad2e9b9532d5489064ce2027f3c0fcb77c3eec330aab222369
all runs: OK
# git bisect bad c5f563f9e9e66c0ad0b23abe25165c124579b70e
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[0766ec82e5fb26fc5dc6d592bc61865608bdc651] namei: Fix use after free in kern_path_locked
testing commit 0766ec82e5fb26fc5dc6d592bc61865608bdc651
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 40f3e6961b38bc04cc5f664287f945c05a9a30e72f0977fbd6143b826d59af9a
all runs: OK
# git bisect bad 0766ec82e5fb26fc5dc6d592bc61865608bdc651
0766ec82e5fb26fc5dc6d592bc61865608bdc651 is the first bad commit
commit 0766ec82e5fb26fc5dc6d592bc61865608bdc651
Author: Stephen Brennan
Date:   Wed Sep 1 10:51:41 2021 -0700

    namei: Fix use after free in kern_path_locked

    In 0ee50b47532a ("namei: change filename_parentat() calling conventions"),
    filename_parentat() was made to always call putname() on the filename
    before returning, and kern_path_locked() was migrated to this calling
    convention. However, kern_path_locked() uses the "last" parameter to
    lookup and potentially create a new dentry. The last parameter contains
    the last component of the path and points within the filename, which was
    recently freed at the end of filename_parentat(). Thus, when
    kern_path_locked() calls __lookup_hash(), it is using the filename after
    it has already been freed.

    In other words, these calling conventions had been wrong for the only
    remaining caller of filename_parentat(). Everything else is using
    __filename_parentat(), which does not drop the reference; so should
    kern_path_locked().

    Switch kern_path_locked() to use of __filename_parentat() and move
    getting/dropping struct filename into wrapper. Remove filename_parentat(),
    now that we have no remaining callers.

    Fixes: 0ee50b47532a ("namei: change filename_parentat() calling conventions")
    Link: https://lore.kernel.org/linux-fsdevel/YS9D4AlEsaCxLFV0@infradead.org/
    Link: https://lore.kernel.org/linux-fsdevel/YS+csMTV2tTXKg3s@zeniv-ca.linux.org.uk/
    Cc: Christoph Hellwig
    Cc: Al Viro
    Reported-by: syzbot+fb0d60a179096e8c2731@syzkaller.appspotmail.com
    Signed-off-by: Stephen Brennan
    Co-authored-by: Dmitry Kadashev
    Signed-off-by: Al Viro

 fs/namei.c | 29 ++++++++++++++---------------
 1 file changed, 14 insertions(+), 15 deletions(-)
parent commit 4b93c544e90e2b28326182d31ee008eb80e02074 wasn't tested
testing commit 4b93c544e90e2b28326182d31ee008eb80e02074
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 5eb393f7637402321f00a4f8c322dd60ecaea58d49b9821c0adb33085eae72c9
culprit signature: 40f3e6961b38bc04cc5f664287f945c05a9a30e72f0977fbd6143b826d59af9a
parent signature: 5eb393f7637402321f00a4f8c322dd60ecaea58d49b9821c0adb33085eae72c9
revisions tested: 16, total time: 4h5m40.000783018s (build: 1h56m53.652795546s, test: 2h7m4.500973508s)
first good commit: 0766ec82e5fb26fc5dc6d592bc61865608bdc651 namei: Fix use after free in kern_path_locked
recipients (to): ["linux-kernel@vger.kernel.org" "stephen.s.brennan@oracle.com" "viro@zeniv.linux.org.uk"]
recipients (cc): ["linux-fsdevel@vger.kernel.org" "viro@zeniv.linux.org.uk"]