bisecting fixing commit since 7c60610d476766e128cc4284bb6349732cbd6606
building syzkaller on 2489ab887a86e8b1b253aef742e365a606db3a4f
testing commit 7c60610d476766e128cc4284bb6349732cbd6606
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 914c598cdb8b1df1f43bc055801be0076bc222e2ade96164c382fa11f3901653
run #0: crashed: KASAN: use-after-free Read in h4_recv_buf
run #1: crashed: KASAN: use-after-free Read in skb_dequeue
run #2: crashed: KASAN: use-after-free Read in h4_recv_buf
run #3: crashed: KASAN: use-after-free Read in h4_recv_buf
run #4: crashed: KASAN: use-after-free Read in h4_recv_buf
run #5: crashed: KASAN: use-after-free Read in h4_recv_buf
run #6: crashed: KASAN: use-after-free Read in h4_recv_buf
run #7: crashed: KASAN: use-after-free Read in h4_recv_buf
run #8: crashed: KASAN: use-after-free Read in h4_recv_buf
run #9: crashed: KASAN: use-after-free Read in h4_recv_buf
run #10: crashed: KASAN: use-after-free Read in h4_recv_buf
run #11: crashed: KASAN: use-after-free Read in h4_recv_buf
run #12: crashed: KASAN: use-after-free Read in h4_recv_buf
run #13: crashed: KASAN: use-after-free Read in h4_recv_buf
run #14: crashed: KASAN: use-after-free Read in h4_recv_buf
run #15: crashed: KASAN: use-after-free Read in skb_dequeue
run #16: crashed: KASAN: use-after-free Read in h4_recv_buf
run #17: crashed: KASAN: use-after-free Read in h4_recv_buf
run #18: crashed: KASAN: use-after-free Read in h4_recv_buf
run #19: crashed: KASAN: use-after-free Read in skb_dequeue
testing current HEAD bdb575f872175ed0ecf2638369da1cb7a6e86a14
testing commit bdb575f872175ed0ecf2638369da1cb7a6e86a14
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 26b2aad9777e784a654475c8b39d57e56819a2c1d051c72e60ae7ad3e49a11d0
all runs: OK
# git bisect start bdb575f872175ed0ecf2638369da1cb7a6e86a14 7c60610d476766e128cc4284bb6349732cbd6606
Bisecting: 5952 revisions left to test after this (roughly 13 steps)
[1b4f3dfb4792f03b139edf10124fcbeb44e608e6] Merge tag 'usb-serial-5.15-rc1' of https://git.kernel.org/pub/scm/linux/kernel/git/johan/usb-serial into usb-next
testing commit 1b4f3dfb4792f03b139edf10124fcbeb44e608e6
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: d78329e8c7141349a9de4bb2f3598eb5980f8ba3d49200d1f56cc0c8bd1d92a4
run #0: crashed: KASAN: use-after-free Read in __d_alloc
run #1: crashed: KASAN: use-after-free Read in __d_alloc
run #2: crashed: KASAN: use-after-free Read in __d_alloc
run #3: crashed: KASAN: use-after-free Read in __d_alloc
run #4: crashed: KASAN: use-after-free Read in __d_alloc
run #5: crashed: KASAN: use-after-free Read in __d_alloc
run #6: crashed: KASAN: use-after-free Read in __d_alloc
run #7: crashed: KASAN: use-after-free Read in __d_alloc
run #8: OK
run #9: OK
# git bisect good 1b4f3dfb4792f03b139edf10124fcbeb44e608e6
Bisecting: 3018 revisions left to test after this (roughly 12 steps)
[83ec91697412ae64d25dcca74597ed03029aa00d] Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid
testing commit 83ec91697412ae64d25dcca74597ed03029aa00d
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 0f520a0954b7d981fe4cb942a5f710ee38a979d2d3d1b90473fde87f97db08ff
run #0: basic kernel testing failed: kernel panic: panic_on_warn set
run #1: crashed: KASAN: use-after-free Read in __d_alloc
run #2: crashed: KASAN: use-after-free Read in __d_alloc
run #3: crashed: KASAN: use-after-free Read in __d_alloc
run #4: crashed: KASAN: use-after-free Read in __d_alloc
run #5: crashed: KASAN: use-after-free Read in __d_alloc
run #6: crashed: KASAN: use-after-free Read in __d_alloc
run #7: crashed: KASAN: use-after-free Read in __d_alloc
run #8: boot failed: possible deadlock in blktrans_open
run #9: OK
# git bisect good 83ec91697412ae64d25dcca74597ed03029aa00d
Bisecting: 1561 revisions left to test after this (roughly 11 steps)
[a2b28235335fee2586b4bd16448fb59ed6c80eef] Merge branch 'dmi-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jdelvare/staging
testing commit a2b28235335fee2586b4bd16448fb59ed6c80eef
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 1f788fd228d5e540096ed1ad69abdc8bd6219e91b179c2889656ea14f4b3225f
run #0: basic kernel testing failed: failed to copy test binary to VM: timedout ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/bin/linux_amd64/syz-fuzzer" "root@10.128.15.207:./syz-fuzzer"]
Warning: Permanently added '10.128.15.207' (ECDSA) to the list of known hosts.
run #1: crashed: KASAN: use-after-free Read in __d_alloc
run #2: crashed: KASAN: use-after-free Read in __d_alloc
run #3: crashed: KASAN: use-after-free Read in __d_alloc
run #4: crashed: KASAN: use-after-free Read in __d_alloc
run #5: crashed: KASAN: use-after-free Read in __d_alloc
run #6: crashed: KASAN: use-after-free Read in __d_alloc
run #7: crashed: KASAN: use-after-free Read in __d_alloc
run #8: OK
run #9: OK
# git bisect good a2b28235335fee2586b4bd16448fb59ed6c80eef
Bisecting: 741 revisions left to test after this (roughly 10 steps)
[0aa2516017123a7c35a2c0c35c4dc7727579b8a3] Merge tag 'dmaengine-5.15-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/vkoul/dmaengine
testing commit 0aa2516017123a7c35a2c0c35c4dc7727579b8a3
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: a7963995772d9a3c320d9ee5c3d26fff248f267f8fca1ae6596e3240370a8ffd
run #0: crashed: KASAN: use-after-free Read in __d_alloc
run #1: crashed: KASAN: use-after-free Read in __d_alloc
run #2: crashed: KASAN: use-after-free Read in __d_alloc
run #3: crashed: KASAN: use-after-free Read in __d_alloc
run #4: crashed: KASAN: use-after-free Read in __d_alloc
run #5: crashed: KASAN: use-after-free Read in __d_alloc
run #6: crashed: KASAN: use-after-free Read in __d_alloc
run #7: OK
run #8: OK
run #9: OK
# git bisect good 0aa2516017123a7c35a2c0c35c4dc7727579b8a3
Bisecting: 396 revisions left to test after this (roughly 9 steps)
[dd4703876ea83b5fb5f4f0a1ec58f786143f5064] Merge tag 'thermal-v5.15-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/thermal/linux
testing commit dd4703876ea83b5fb5f4f0a1ec58f786143f5064
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 1586d2d08443b5465b748f5a4f1f5aad26213a03981158cb45b2d7de763171c6
run #0: basic kernel testing failed: timed out
run #1: crashed: KASAN: use-after-free Read in __d_alloc
run #2: crashed: KASAN: use-after-free Read in __d_alloc
run #3: crashed: KASAN: use-after-free Read in __d_alloc
run #4: crashed: KASAN: use-after-free Read in __d_alloc
run #5: crashed: KASAN: use-after-free Read in __d_alloc
run #6: crashed: KASAN: use-after-free Read in __d_alloc
run #7: crashed: KASAN: use-after-free Read in __d_alloc
run #8: crashed: KASAN: use-after-free Read in __d_alloc
run #9: OK
# git bisect good dd4703876ea83b5fb5f4f0a1ec58f786143f5064
Bisecting: 200 revisions left to test after this (roughly 8 steps)
[f306b90c69ce3994bb8046b54374a90a27f66be6] Merge tag 'smp-urgent-2021-09-12' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
testing commit f306b90c69ce3994bb8046b54374a90a27f66be6
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: a35bfa6b3f3ff9a8718304a919d1b6e9fa8433f3f1325bbc0093fda6f5aad77e
all runs: OK
# git bisect bad f306b90c69ce3994bb8046b54374a90a27f66be6
Bisecting: 93 revisions left to test after this (roughly 7 steps)
[c0f7e49fc480a97770e448e0c0493e7ba46a9852] Merge tag 'block-5.15-2021-09-11' of git://git.kernel.dk/linux-block
testing commit c0f7e49fc480a97770e448e0c0493e7ba46a9852
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 55a4d61431a7b4998008a67298c1771db4fb2363e007ff19cf5fe81e5fbbe572
run #0: crashed: KASAN: use-after-free Read in __d_alloc
run #1: crashed: KASAN: use-after-free Read in __d_alloc
run #2: crashed: KASAN: use-after-free Read in __d_alloc
run #3: crashed: KASAN: use-after-free Read in __d_alloc
run #4: crashed: KASAN: use-after-free Read in __d_alloc
run #5: crashed: KASAN: use-after-free Read in __d_alloc
run #6: crashed: KASAN: use-after-free Read in __d_alloc
run #7: crashed: KASAN: use-after-free Read in __d_alloc
run #8: crashed: KASAN: use-after-free Read in __d_alloc
run #9: OK
# git bisect good c0f7e49fc480a97770e448e0c0493e7ba46a9852
Bisecting: 54 revisions left to test after this (roughly 6 steps)
[7bc7f61897b66bef78bb5952e3d1e9f3aaf9ccca] Documentation: Add documentation for VDUSE
testing commit 7bc7f61897b66bef78bb5952e3d1e9f3aaf9ccca
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 6b4a72ebbd30dd304baa88d49b13a561e31fe2ed9d571189c544ca4f2153bfff
run #0: crashed: KASAN: use-after-free Read in h4_recv_buf
run #1: crashed: KASAN: use-after-free Read in h4_recv_buf
run #2: crashed: KASAN: use-after-free Read in h4_recv_buf
run #3: crashed: KASAN: use-after-free Read in h4_recv_buf
run #4: crashed: KASAN: use-after-free Read in h4_recv_buf
run #5: crashed: KASAN: use-after-free Read in h4_recv_buf
run #6: crashed: KASAN: use-after-free Read in h4_recv_buf
run #7: crashed: KASAN: use-after-free Read in h4_recv_buf
run #8: crashed: KASAN: use-after-free Read in h4_recv_buf
run #9: crashed: KASAN: use-after-free Read in skb_dequeue
# git bisect good 7bc7f61897b66bef78bb5952e3d1e9f3aaf9ccca
Bisecting: 29 revisions left to test after this (roughly 5 steps)
[8d4a0b5d0813c990637fa9f3c9bea5dab1fedb8f] Merge tag '5.15-rc-cifs-part2' of git://git.samba.org/sfrench/cifs-2.6
testing commit 8d4a0b5d0813c990637fa9f3c9bea5dab1fedb8f
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 2e84e57a1d2f5698460b22e1f809b8a13bc45ac35367c08c1271d89f9d72e718
run #0: crashed: KASAN: use-after-free Read in __d_alloc
run #1: crashed: KASAN: use-after-free Read in __d_alloc
run #2: crashed: KASAN: use-after-free Read in __d_alloc
run #3: crashed: KASAN: use-after-free Read in __d_alloc
run #4: crashed: KASAN: use-after-free Read in __d_alloc
run #5: crashed: KASAN: use-after-free Read in __d_alloc
run #6: crashed: KASAN: use-after-free Read in __d_alloc
run #7: OK
run #8: OK
run #9: OK
# git bisect good 8d4a0b5d0813c990637fa9f3c9bea5dab1fedb8f
Bisecting: 13 revisions left to test after this (roughly 4 steps)
[165d05d88c27697fe444a6eae4f3882834ef8826] Merge tag 'locking_urgent_for_v5.15_rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
testing commit 165d05d88c27697fe444a6eae4f3882834ef8826
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 2ec778274e2cc07358da08f81ae371d4780582a17e758477a04ec5f0e394be32
all runs: OK
# git bisect bad 165d05d88c27697fe444a6eae4f3882834ef8826
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[7bf3142625c193db2dfbd7df2176b7cd910d9e4f] Merge tag 'timers_urgent_for_v5.15_rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
testing commit 7bf3142625c193db2dfbd7df2176b7cd910d9e4f
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 3891722691b2e2cadaef213a188d394a650751f749d427bbfe9be7506c0e8f30
all runs: OK
# git bisect bad 7bf3142625c193db2dfbd7df2176b7cd910d9e4f
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[b4a4f213a39d5e55baf38c96042acaeaf927ec74] namei: Standardize callers of filename_create()
testing commit b4a4f213a39d5e55baf38c96042acaeaf927ec74
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: fdea017cf62d70d68ba79472d62200ce2c7565747449d19ce0db83dae14e190c
all runs: OK
# git bisect bad b4a4f213a39d5e55baf38c96042acaeaf927ec74
Bisecting: 1 revision left to test after this (roughly 1 step)
[c5f563f9e9e66c0ad0b23abe25165c124579b70e] rename __filename_parentat() to filename_parentat()
testing commit c5f563f9e9e66c0ad0b23abe25165c124579b70e
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: fd49278afd171ccda24a47e68dd90c579defad33744b49fcc62327dc0b3d3225
all runs: OK
# git bisect bad c5f563f9e9e66c0ad0b23abe25165c124579b70e
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[0766ec82e5fb26fc5dc6d592bc61865608bdc651] namei: Fix use after free in kern_path_locked
testing commit 0766ec82e5fb26fc5dc6d592bc61865608bdc651
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 0fbd0c348f78a140f34350ce5a542750c02004fdf265f175ff163319c26a54cc
all runs: OK
# git bisect bad 0766ec82e5fb26fc5dc6d592bc61865608bdc651
0766ec82e5fb26fc5dc6d592bc61865608bdc651 is the first bad commit
commit 0766ec82e5fb26fc5dc6d592bc61865608bdc651
Author: Stephen Brennan
Date:   Wed Sep 1 10:51:41 2021 -0700

    namei: Fix use after free in kern_path_locked

    In 0ee50b47532a ("namei: change filename_parentat() calling conventions"),
    filename_parentat() was made to always call putname() on the filename
    before returning, and kern_path_locked() was migrated to this calling
    convention. However, kern_path_locked() uses the "last" parameter to
    lookup and potentially create a new dentry. The last parameter contains
    the last component of the path and points within the filename, which was
    recently freed at the end of filename_parentat(). Thus, when
    kern_path_locked() calls __lookup_hash(), it is using the filename after
    it has already been freed.

    In other words, these calling conventions had been wrong for the only
    remaining caller of filename_parentat(). Everything else is using
    __filename_parentat(), which does not drop the reference; so should
    kern_path_locked().

    Switch kern_path_locked() to use of __filename_parentat() and move
    getting/dropping struct filename into wrapper. Remove
    filename_parentat(), now that we have no remaining callers.

    Fixes: 0ee50b47532a ("namei: change filename_parentat() calling conventions")
    Link: https://lore.kernel.org/linux-fsdevel/YS9D4AlEsaCxLFV0@infradead.org/
    Link: https://lore.kernel.org/linux-fsdevel/YS+csMTV2tTXKg3s@zeniv-ca.linux.org.uk/
    Cc: Christoph Hellwig
    Cc: Al Viro
    Reported-by: syzbot+fb0d60a179096e8c2731@syzkaller.appspotmail.com
    Signed-off-by: Stephen Brennan
    Co-authored-by: Dmitry Kadashev
    Signed-off-by: Al Viro

 fs/namei.c | 29 ++++++++++++++---------------
 1 file changed, 14 insertions(+), 15 deletions(-)
parent commit 4b93c544e90e2b28326182d31ee008eb80e02074 wasn't tested
testing commit 4b93c544e90e2b28326182d31ee008eb80e02074
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 3762c211781004bbb518c024b89fa1bce14fd3a9b1936975143fe425caa68b57
culprit signature: 0fbd0c348f78a140f34350ce5a542750c02004fdf265f175ff163319c26a54cc
parent signature: 3762c211781004bbb518c024b89fa1bce14fd3a9b1936975143fe425caa68b57
revisions tested: 16, total time: 4h44m19.068807817s (build: 1h52m38.796316253s, test: 2h49m53.613913626s)
first good commit: 0766ec82e5fb26fc5dc6d592bc61865608bdc651 namei: Fix use after free in kern_path_locked
recipients (to): ["linux-kernel@vger.kernel.org" "stephen.s.brennan@oracle.com" "viro@zeniv.linux.org.uk"]
recipients (cc): ["linux-fsdevel@vger.kernel.org" "viro@zeniv.linux.org.uk"]