Re: kernel BUG at fs/inode.c:LINE! (2)

[Al Viro]

On Fri, Aug 28, 2020 at 06:54:13PM +0100, Al Viro wrote:
> On Fri, Aug 28, 2020 at 04:38:25PM +0100, Al Viro wrote:
> > On Fri, Aug 28, 2020 at 06:18:17AM -0700, syzbot wrote:
> > > Hello,
> > > 
> > > syzbot found the following issue on:
> > > 
> > > HEAD commit:d012a719 Linux 5.9-rc2
> > > git tree:   upstream
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=15aa650e90
> > > kernel config:  https://syzkaller.appspot.com/x/.config?x=891ca5711a9f1650
> > > dashboard link: 
> > > https://syzkaller.appspot.com/bug?extid=c92c93d1f1cdb9db
> > > compiler:   clang version 10.0.0 
> > > (https://github.com/llvm/llvm-project/ 
> > > c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
> > > syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=12ecb93990
> > > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=140a19a990
> > 
> > Trying to reproduce...
> 
> OK, I think I see what's going on.  ep_loop_check_proc() runs into an already
> doomed file that has already committed to getting killed (->f_count is already
> at 0), but still hadn't gotten through its epitems removal (e.g. has its
> eventpoll_release_file() sitting there trying to get epmutex).
> 
> Blindly bumping refcount here is worse than useless.  Try this, to verify that
> this is what's going on; it's _not_ a proper fix, but it should at least tell
> if we have something else going on.

... and what I think is the right way to fix the original race is (on top of
mainline) this:

[PATCH] Use list_empty_careful() in eventpoll_release()

... to avoid races with list_del_init() in clear_tfile_check_list().
Get rid of pinning files on check list in eventpoll.c - it's not needed
there.

Signed-off-by: Al Viro 
---
diff --git a/fs/eventpoll.c b/fs/eventpoll.c
index e0decff22ae2..39eae45bff18 100644
--- a/fs/eventpoll.c
+++ b/fs/eventpoll.c
@@ -1995,7 +1995,6 @@ static int ep_loop_check_proc(void *priv, void *cookie, 
int call_nests)
 * during ep_insert().
 */
if (list_empty(>ffd.file->f_tfile_llink)) {
-   get_file(epi->ffd.file);
list_add(>ffd.file->f_tfile_llink,
 _check_list);
}
@@ -2042,7 +2041,6 @@ static void clear_tfile_check_list(void)
file = list_first_entry(_check_list, struct file,
f_tfile_llink);
list_del_init(>f_tfile_llink);
-   fput(file);
}
INIT_LIST_HEAD(_check_list);
 }
@@ -2206,7 +2204,6 @@ int do_epoll_ctl(int epfd, int op, int fd, struct 
epoll_event *epds,
if (ep_loop_check(ep, tf.file) != 0)
goto error_tgt_fput;
} else {
-   get_file(tf.file);
list_add(>f_tfile_llink,
_check_list);
}
diff --git a/include/linux/eventpoll.h b/include/linux/eventpoll.h
index 8f000fada5a4..e2bdefd90cf8 100644
--- a/include/linux/eventpoll.h
+++ b/include/linux/eventpoll.h
@@ -46,11 +46,9 @@ static inline void eventpoll_release(struct file *file)
 * Fast check to avoid the get/release of the semaphore. Since
 * we're doing this outside the semaphore lock, it might return
 * false negatives, but we don't care. It'll help in 99.99% of cases
-* to avoid the semaphore lock. False positives simply cannot happen
-* because the file in on the way to be removed and nobody ( but
-* eventpoll ) has still a reference to this file.
+* to avoid the semaphore lock.
 */
-   if (likely(list_empty(>f_ep_links)))
+   if (likely(list_empty_careful(>f_ep_links)))
return;
 
/*

Re: kernel BUG at fs/inode.c:LINE! (2)

[Al Viro]

On Fri, Aug 28, 2020 at 04:38:25PM +0100, Al Viro wrote:
> On Fri, Aug 28, 2020 at 06:18:17AM -0700, syzbot wrote:
> > Hello,
> > 
> > syzbot found the following issue on:
> > 
> > HEAD commit:d012a719 Linux 5.9-rc2
> > git tree:   upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=15aa650e90
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=891ca5711a9f1650
> > dashboard link: https://syzkaller.appspot.com/bug?extid=c92c93d1f1cdb9db
> > compiler:   clang version 10.0.0 (https://github.com/llvm/llvm-project/ 
> > c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
> > syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=12ecb93990
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=140a19a990
> 
> Trying to reproduce...

OK, I think I see what's going on.  ep_loop_check_proc() runs into an already
doomed file that has already committed to getting killed (->f_count is already
at 0), but still hadn't gotten through its epitems removal (e.g. has its
eventpoll_release_file() sitting there trying to get epmutex).

Blindly bumping refcount here is worse than useless.  Try this, to verify that
this is what's going on; it's _not_ a proper fix, but it should at least tell
if we have something else going on.

diff --git a/fs/eventpoll.c b/fs/eventpoll.c
index e0decff22ae2..4590223b2de9 100644
--- a/fs/eventpoll.c
+++ b/fs/eventpoll.c
@@ -1995,7 +1995,7 @@ static int ep_loop_check_proc(void *priv, void *cookie, 
int call_nests)
 * during ep_insert().
 */
if (list_empty(>ffd.file->f_tfile_llink)) {
-   get_file(epi->ffd.file);
+   if (get_file_rcu(epi->ffd.file))
list_add(>ffd.file->f_tfile_llink,
 _check_list);
}

Re: kernel BUG at fs/inode.c:LINE! (2)

[Al Viro]

On Fri, Aug 28, 2020 at 06:18:17AM -0700, syzbot wrote:
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:d012a719 Linux 5.9-rc2
> git tree:   upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=15aa650e90
> kernel config:  https://syzkaller.appspot.com/x/.config?x=891ca5711a9f1650
> dashboard link: https://syzkaller.appspot.com/bug?extid=c92c93d1f1cdb9db
> compiler:   clang version 10.0.0 (https://github.com/llvm/llvm-project/ 
> c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
> syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=12ecb93990
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=140a19a990

Trying to reproduce...

kernel BUG at fs/inode.c:LINE! (2)

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:d012a719 Linux 5.9-rc2
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15aa650e90
kernel config:  https://syzkaller.appspot.com/x/.config?x=891ca5711a9f1650
dashboard link: https://syzkaller.appspot.com/bug?extid=c92c93d1f1cdb9db
compiler:   clang version 10.0.0 (https://github.com/llvm/llvm-project/ 
c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=12ecb93990
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=140a19a990

The issue was bisected to:

commit a9ed4a6560b8562b7e2e2bed9527e88001f7b682
Author: Marc Zyngier 
Date:   Wed Aug 19 16:12:17 2020 +

epoll: Keep a reference on files added to the check list

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=16a5051990
final oops: https://syzkaller.appspot.com/x/report.txt?x=15a5051990
console output: https://syzkaller.appspot.com/x/log.txt?x=11a5051990

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c92c93d1f1cdb...@syzkaller.appspotmail.com
Fixes: a9ed4a6560b8 ("epoll: Keep a reference on files added to the check list")

[ cut here ]
kernel BUG at fs/inode.c:1668!
invalid opcode:  [#1] PREEMPT SMP KASAN
CPU: 0 PID: 29571 Comm: syz-executor709 Not tainted 5.9.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011
RIP: 0010:iput+0x6d8/0x6e0 fs/inode.c:1668
Code: ef ff e9 1a fc ff ff 44 89 e9 80 e1 07 80 c1 03 38 c1 0f 8c c8 fe ff ff 
4c 89 ef e8 a2 51 ef ff e9 bb fe ff ff e8 68 77 af ff <0f> 0b 66 0f 1f 44 00 00 
55 41 57 41 56 53 48 89 f5 48 89 fb 49 bf
RSP: 0018:c9000e25fda8 EFLAGS: 00010293
RAX: 81c580b8 RBX: 888085112600 RCX: 8880a6eea200
RDX:  RSI: 0040 RDI: 
RBP: 0040 R08: 81c57a40 R09: ed10116fe44d
R10: ed10116fe44d R11:  R12: 111010a224ac
R13: dc00 R14: 888085112600 R15: 888085112560
FS:  01665880() GS:8880ae80() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 2000 CR3: 8f752000 CR4: 001506f0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 __sock_release net/socket.c:608 [inline]
 sock_close+0x1c3/0x260 net/socket.c:1277
 __fput+0x34f/0x7b0 fs/file_table.c:281
 task_work_run+0x137/0x1c0 kernel/task_work.c:141
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:140 [inline]
 exit_to_user_mode_prepare+0xfa/0x1b0 kernel/entry/common.c:167
 syscall_exit_to_user_mode+0x5e/0x1a0 kernel/entry/common.c:242
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x4058e1
Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 19 00 00 c3 48 83 
ec 08 e8 6a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 
b3 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:7ffc7ca575a0 EFLAGS: 0293 ORIG_RAX: 0003
RAX:  RBX: 0006 RCX: 004058e1
RDX:  RSI:  RDI: 0005
RBP: 0007 R08: 000120080522 R09: 000120080522
R10: 000120080522 R11: 0293 R12: 006dbc5c
R13: 0001 R14: 006dbc50 R15: 0064
Modules linked in:
---[ end trace 35240c511479d576 ]---
RIP: 0010:iput+0x6d8/0x6e0 fs/inode.c:1668
Code: ef ff e9 1a fc ff ff 44 89 e9 80 e1 07 80 c1 03 38 c1 0f 8c c8 fe ff ff 
4c 89 ef e8 a2 51 ef ff e9 bb fe ff ff e8 68 77 af ff <0f> 0b 66 0f 1f 44 00 00 
55 41 57 41 56 53 48 89 f5 48 89 fb 49 bf
RSP: 0018:c9000e25fda8 EFLAGS: 00010293
RAX: 81c580b8 RBX: 888085112600 RCX: 8880a6eea200
RDX:  RSI: 0040 RDI: 
RBP: 0040 R08: 81c57a40 R09: ed10116fe44d
R10: ed10116fe44d R11:  R12: 111010a224ac
R13: dc00 R14: 888085112600 R15: 888085112560
FS:  01665880() GS:8880ae90() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 2000 CR3: 8f752000 CR4: 001506e0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot can test patches for this issue, for 

Re: kernel BUG at fs/inode.c:LINE!

[Eric Biggers]

Hi Dmitry,

On Fri, Apr 12, 2019 at 01:04:27PM +0200, 'Dmitry Vyukov' via syzkaller-bugs 
wrote:
> On Thu, Apr 11, 2019 at 4:23 AM Al Viro  wrote:
> >
> > On Thu, Apr 11, 2019 at 08:50:17AM +0800, Ian Kent wrote:
> > > On Wed, 2019-04-10 at 14:41 +0200, Dmitry Vyukov wrote:
> > > > On Wed, Apr 10, 2019 at 2:12 PM Al Viro  wrote:
> > > > >
> > > > > On Wed, Apr 10, 2019 at 08:07:15PM +0800, Ian Kent wrote:
> > > > >
> > > > > > > I'm unable to find a branch matching the line numbers.
> > > > > > >
> > > > > > > Given that, on the face of it, the scenario is impossible I'm
> > > > > > > seeking clarification on what linux-next to look at for the
> > > > > > > sake of accuracy.
> > > > > > >
> > > > > > > So I'm wondering if this testing done using the master branch
> > > > > > > or one of the daily branches one would use to check for conflicts
> > > > > > > before posting?
> > > > > >
> > > > > > Sorry those are tags not branches.
> > > > >
> > > > > FWIW, that's next-20181214; it is what master had been in mid-December
> > > > > and master is rebased every day.  Can it be reproduced with the 
> > > > > current
> > > > > tree?
> > > >
> > > > From the info on the dashboard we know that it happened only once on
> > > > d14b746c (the second one is result of reproducing the first one). So
> > > > it was either fixed or just hard to trigger.
> > >
> > > Looking at the source of tag next-20181214 in linux-next-history I see
> > > this is mistake I made due to incorrect error handling which I fixed
> > > soon after (there was in fact a double iput()).
> >
> > Right - "autofs: fix possible inode leak in autofs_fill_super()" had been
> > broken (and completely pointless), leading to double iput() in that failure
> > case.  And yes, double iput() can trigger that BUG_ON(), and with non-zero
> > odds do so with that stack trace.
> >
> > As far as I'm concerned, case closed - bug had been in a misguided "fix"
> > for inexistent leak (coming from misreading the calling conventions for
> > d_make_root()), introduced in -next at next-20181130 and kicked out of
> > there in next-20181219.  Dropped by Ian's request in
> > Message-ID: <66d497c00cffb3e4109ca0d5287c8277954d7132.ca...@themaw.net>
> > which has fixed that crap.  Moreover, that posting had been in reply to
> > that very syzcaller report, AFAICS.
> >
> > I don't know how to tell the bot to STFU and close the report in this
> > situation; up to you, folks.
> 
> 
> Please see the following for this:
> 
> > syzbot will keep track of this bug report. See:
> > https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with  
> > syzbot.
> 
> There are just 3 operations: mark as fixed by a commit, mark as
> invalid, mark as duplicate.
> I won't be always around. Tracking statuses of bug reports is in the
> interests of kernel quality.
> 

As I suggested before, syzbot should automatically invalidate old bug reports,
especially on linux-next, that are unlikely to still be real problems.

And, syzbot should send remainders about bugs that are still occurring.

Instead, currently developers have to waste time debugging bugs caused by
patches that were in linux-next for a few days/weeks and then dropped months
ago, and have to argue with you every time about how to tell syzbot to close the
bug when it never made it into git history.  And meanwhile, no one is looking
into the bugs that are being hit on mainline every hour or even every 10 minutes
for the past year.

That's not a great strategy to actually get bugs fixed.

- Eric

Re: kernel BUG at fs/inode.c:LINE!

[Al Viro]

On Fri, Apr 12, 2019 at 12:59:30PM +0200, Dmitry Vyukov wrote:

> Please don't ignore the bug status tracking part. Or we will only have
> options of not testing kernel or dropping most of the bug reports on
> the floor. Both are equally harmful for kernel quality.
> 
> Let's mark it as fixed by the next commit in series (which already
> made it into mainline):
> 
> #syz fix: autofs: simplify parse_options() function call
> 
> But I won't be around always.

You might want to add something like "commit discarded"...

Re: kernel BUG at fs/inode.c:LINE!

[Dmitry Vyukov]

On Thu, Apr 11, 2019 at 4:23 AM Al Viro  wrote:
>
> On Thu, Apr 11, 2019 at 08:50:17AM +0800, Ian Kent wrote:
> > On Wed, 2019-04-10 at 14:41 +0200, Dmitry Vyukov wrote:
> > > On Wed, Apr 10, 2019 at 2:12 PM Al Viro  wrote:
> > > >
> > > > On Wed, Apr 10, 2019 at 08:07:15PM +0800, Ian Kent wrote:
> > > >
> > > > > > I'm unable to find a branch matching the line numbers.
> > > > > >
> > > > > > Given that, on the face of it, the scenario is impossible I'm
> > > > > > seeking clarification on what linux-next to look at for the
> > > > > > sake of accuracy.
> > > > > >
> > > > > > So I'm wondering if this testing done using the master branch
> > > > > > or one of the daily branches one would use to check for conflicts
> > > > > > before posting?
> > > > >
> > > > > Sorry those are tags not branches.
> > > >
> > > > FWIW, that's next-20181214; it is what master had been in mid-December
> > > > and master is rebased every day.  Can it be reproduced with the current
> > > > tree?
> > >
> > > From the info on the dashboard we know that it happened only once on
> > > d14b746c (the second one is result of reproducing the first one). So
> > > it was either fixed or just hard to trigger.
> >
> > Looking at the source of tag next-20181214 in linux-next-history I see
> > this is mistake I made due to incorrect error handling which I fixed
> > soon after (there was in fact a double iput()).
>
> Right - "autofs: fix possible inode leak in autofs_fill_super()" had been
> broken (and completely pointless), leading to double iput() in that failure
> case.  And yes, double iput() can trigger that BUG_ON(), and with non-zero
> odds do so with that stack trace.
>
> As far as I'm concerned, case closed - bug had been in a misguided "fix"
> for inexistent leak (coming from misreading the calling conventions for
> d_make_root()), introduced in -next at next-20181130 and kicked out of
> there in next-20181219.  Dropped by Ian's request in
> Message-ID: <66d497c00cffb3e4109ca0d5287c8277954d7132.ca...@themaw.net>
> which has fixed that crap.  Moreover, that posting had been in reply to
> that very syzcaller report, AFAICS.
>
> I don't know how to tell the bot to STFU and close the report in this
> situation; up to you, folks.


Please see the following for this:

> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with  syzbot.

There are just 3 operations: mark as fixed by a commit, mark as
invalid, mark as duplicate.
I won't be always around. Tracking statuses of bug reports is in the
interests of kernel quality.



> As an aside, the cause of that bug is that d_make_root() calling conventions
> are insufficiently documented.  All we have is
>
> ||[mandatory]
> ||d_alloc_root() is gone, along with a lot of bugs caused by code
> ||misusing it.  Replacement: d_make_root(inode).  The difference is,
> ||d_make_root() drops the reference to inode if dentry allocation fails.
>
> in Documentation/filesystems/porting, and that's not good enough.  Anyone
> willing to take a shot at that?  FWIW, the calling conventions are:
>
> d_make_root(inode) normally allocates and returns a new dentry.
> On failure NULL is returned.  A reference to inode is consumed in all
> cases (on success it is transferred to new dentry, on failure it is
> dropped), so failure handling does not need anything done to inode.
> d_make_root(NULL) quietly returns NULL, which further simplifies the
> error handling in typical caller.  Usually it's something like
> inode = foofs_new_inode();
> s->s_root = d_make_inode(inode);
> if (!s->s_root)
> bugger off, no need to undo inode allocation
> success
> We do not need to check if foofs_new_inode() has returned NULL and we
> do not need any special cleanups in case of failure - not for the
> undoing the inode allocation.
>
> If anyone cares to convert that into coherent (and printable) documentation,
> patches are welcome...

Re: kernel BUG at fs/inode.c:LINE!

[Dmitry Vyukov]

On Thu, Apr 11, 2019 at 2:50 AM Ian Kent  wrote:
>
> On Wed, 2019-04-10 at 14:41 +0200, Dmitry Vyukov wrote:
> > On Wed, Apr 10, 2019 at 2:12 PM Al Viro  wrote:
> > >
> > > On Wed, Apr 10, 2019 at 08:07:15PM +0800, Ian Kent wrote:
> > >
> > > > > I'm unable to find a branch matching the line numbers.
> > > > >
> > > > > Given that, on the face of it, the scenario is impossible I'm
> > > > > seeking clarification on what linux-next to look at for the
> > > > > sake of accuracy.
> > > > >
> > > > > So I'm wondering if this testing done using the master branch
> > > > > or one of the daily branches one would use to check for conflicts
> > > > > before posting?
> > > >
> > > > Sorry those are tags not branches.
> > >
> > > FWIW, that's next-20181214; it is what master had been in mid-December
> > > and master is rebased every day.  Can it be reproduced with the current
> > > tree?
> >
> > From the info on the dashboard we know that it happened only once on
> > d14b746c (the second one is result of reproducing the first one). So
> > it was either fixed or just hard to trigger.
>
> Looking at the source of tag next-20181214 in linux-next-history I see
> this is mistake I made due to incorrect error handling which I fixed
> soon after (there was in fact a double iput()).
>
> I'm pretty sure this never made it to a released kernel so unless
> there's a report of this in a stable released kernel I'm going to
> move on.


Please don't ignore the bug status tracking part. Or we will only have
options of not testing kernel or dropping most of the bug reports on
the floor. Both are equally harmful for kernel quality.

Let's mark it as fixed by the next commit in series (which already
made it into mainline):

#syz fix: autofs: simplify parse_options() function call

But I won't be around always.

Re: kernel BUG at fs/inode.c:LINE!

[Al Viro]

On Thu, Apr 11, 2019 at 08:50:17AM +0800, Ian Kent wrote:
> On Wed, 2019-04-10 at 14:41 +0200, Dmitry Vyukov wrote:
> > On Wed, Apr 10, 2019 at 2:12 PM Al Viro  wrote:
> > > 
> > > On Wed, Apr 10, 2019 at 08:07:15PM +0800, Ian Kent wrote:
> > > 
> > > > > I'm unable to find a branch matching the line numbers.
> > > > > 
> > > > > Given that, on the face of it, the scenario is impossible I'm
> > > > > seeking clarification on what linux-next to look at for the
> > > > > sake of accuracy.
> > > > > 
> > > > > So I'm wondering if this testing done using the master branch
> > > > > or one of the daily branches one would use to check for conflicts
> > > > > before posting?
> > > > 
> > > > Sorry those are tags not branches.
> > > 
> > > FWIW, that's next-20181214; it is what master had been in mid-December
> > > and master is rebased every day.  Can it be reproduced with the current
> > > tree?
> > 
> > From the info on the dashboard we know that it happened only once on
> > d14b746c (the second one is result of reproducing the first one). So
> > it was either fixed or just hard to trigger.
> 
> Looking at the source of tag next-20181214 in linux-next-history I see
> this is mistake I made due to incorrect error handling which I fixed
> soon after (there was in fact a double iput()).

Right - "autofs: fix possible inode leak in autofs_fill_super()" had been
broken (and completely pointless), leading to double iput() in that failure
case.  And yes, double iput() can trigger that BUG_ON(), and with non-zero
odds do so with that stack trace.

As far as I'm concerned, case closed - bug had been in a misguided "fix"
for inexistent leak (coming from misreading the calling conventions for
d_make_root()), introduced in -next at next-20181130 and kicked out of
there in next-20181219.  Dropped by Ian's request in 
Message-ID: <66d497c00cffb3e4109ca0d5287c8277954d7132.ca...@themaw.net>
which has fixed that crap.  Moreover, that posting had been in reply to
that very syzcaller report, AFAICS.

I don't know how to tell the bot to STFU and close the report in this
situation; up to you, folks.

As an aside, the cause of that bug is that d_make_root() calling conventions
are insufficiently documented.  All we have is

||[mandatory]
||d_alloc_root() is gone, along with a lot of bugs caused by code
||misusing it.  Replacement: d_make_root(inode).  The difference is,
||d_make_root() drops the reference to inode if dentry allocation fails.

in Documentation/filesystems/porting, and that's not good enough.  Anyone
willing to take a shot at that?  FWIW, the calling conventions are:

d_make_root(inode) normally allocates and returns a new dentry.
On failure NULL is returned.  A reference to inode is consumed in all
cases (on success it is transferred to new dentry, on failure it is
dropped), so failure handling does not need anything done to inode.
d_make_root(NULL) quietly returns NULL, which further simplifies the
error handling in typical caller.  Usually it's something like
inode = foofs_new_inode();
s->s_root = d_make_inode(inode);
if (!s->s_root)
bugger off, no need to undo inode allocation
success
We do not need to check if foofs_new_inode() has returned NULL and we
do not need any special cleanups in case of failure - not for the
undoing the inode allocation.

If anyone cares to convert that into coherent (and printable) documentation,
patches are welcome...

Re: kernel BUG at fs/inode.c:LINE!

[Ian Kent]

On Wed, 2019-04-10 at 14:41 +0200, Dmitry Vyukov wrote:
> On Wed, Apr 10, 2019 at 2:12 PM Al Viro  wrote:
> > 
> > On Wed, Apr 10, 2019 at 08:07:15PM +0800, Ian Kent wrote:
> > 
> > > > I'm unable to find a branch matching the line numbers.
> > > > 
> > > > Given that, on the face of it, the scenario is impossible I'm
> > > > seeking clarification on what linux-next to look at for the
> > > > sake of accuracy.
> > > > 
> > > > So I'm wondering if this testing done using the master branch
> > > > or one of the daily branches one would use to check for conflicts
> > > > before posting?
> > > 
> > > Sorry those are tags not branches.
> > 
> > FWIW, that's next-20181214; it is what master had been in mid-December
> > and master is rebased every day.  Can it be reproduced with the current
> > tree?
> 
> From the info on the dashboard we know that it happened only once on
> d14b746c (the second one is result of reproducing the first one). So
> it was either fixed or just hard to trigger.

Looking at the source of tag next-20181214 in linux-next-history I see
this is mistake I made due to incorrect error handling which I fixed
soon after (there was in fact a double iput()).

I'm pretty sure this never made it to a released kernel so unless
there's a report of this in a stable released kernel I'm going to
move on.

Thanks
Ian

Re: kernel BUG at fs/inode.c:LINE!

[Dmitry Vyukov]

On Wed, Apr 10, 2019 at 2:12 PM Al Viro  wrote:
>
> On Wed, Apr 10, 2019 at 08:07:15PM +0800, Ian Kent wrote:
>
> > > I'm unable to find a branch matching the line numbers.
> > >
> > > Given that, on the face of it, the scenario is impossible I'm
> > > seeking clarification on what linux-next to look at for the
> > > sake of accuracy.
> > >
> > > So I'm wondering if this testing done using the master branch
> > > or one of the daily branches one would use to check for conflicts
> > > before posting?
> >
> > Sorry those are tags not branches.
>
> FWIW, that's next-20181214; it is what master had been in mid-December
> and master is rebased every day.  Can it be reproduced with the current
> tree?

>From the info on the dashboard we know that it happened only once on
d14b746c (the second one is result of reproducing the first one). So
it was either fixed or just hard to trigger.

Re: kernel BUG at fs/inode.c:LINE!

[Dmitry Vyukov]

On Wed, Apr 10, 2019 at 2:07 PM Ian Kent  wrote:
>
> On Wed, 2019-04-10 at 19:57 +0800, Ian Kent wrote:
> > On Wed, 2019-04-10 at 13:40 +0200, Dmitry Vyukov wrote:
> > > On Wed, Apr 10, 2019 at 12:35 PM Ian Kent  wrote:
> > > >
> > > > On Wed, 2019-04-10 at 10:27 +0200, Dmitry Vyukov wrote:
> > > > > On Wed, Apr 10, 2019 at 2:26 AM Al Viro  
> > > > > wrote:
> > > > > >
> > > > > > On Tue, Apr 09, 2019 at 07:36:00AM -0700, syzbot wrote:
> > > > > > > Bisection is inconclusive: the first bad commit could be any of:
> > > > > >
> > > > > > [snip the useless pile]
> > > > > >
> > > > > > > bisection log:
> > > > > > > https://syzkaller.appspot.com/x/bisect.txt?x=15e1fc2b20
> > > > > > > start commit:   [unknown
> > > > > > > git tree:   linux-next
> > > > > > > dashboard link:
> > > > > > > https://syzkaller.appspot.com/bug?extid=5399ed0832693e29f392
> > > > > > > syz repro:
> > > > > > > https://syzkaller.appspot.com/x/repro.syz?x=101032b340
> > > > > > > C reproducer:
> > > > > > > https://syzkaller.appspot.com/x/repro.c?x=1653406340
> > > > > > >
> > > > > > > For information about bisection process see:
> > > > > > > https://goo.gl/tpsmEJ#bisection
> > > > > >
> > > > > > If I'm not misreading the "crash report" there, it has injected an
> > > > > > allocation
> > > > > > failure in dentry allocation in d_make_root() from 
> > > > > > autofs_fill_super()
> > > > > > (
> > > > > > root_inode = autofs_get_inode(s, S_IFDIR | 0755);
> > > > > > root = d_make_root(root_inode);
> > > > > > ) which has triggered iput() on the inode passed to d_make_root() 
> > > > > > (as
> > > > > > it
> > > > > > ought
> > > > > > to).  At which point it stepped into some BUG_ON() in fs/inode.c, 
> > > > > > but
> > > > > > I've
> > > > > > no idea which one it is - line numbers do not match anything in 
> > > > > > linux-
> > > > > > next
> > > > > > or in mainline.  Reported line 1566 is
> > > > > > if (inode->i_nlink && (inode->i_state & 
> > > > > > I_DIRTY_TIME))
> > > > > > {
> > > > > > in all of them; as the matter of fact, the diff in fs/inode.c 
> > > > > > between
> > > > > > -next and mainline is empty.
> > > > > >
> > > > > > There is a BUG_ON() several lines prior, and in 4.20 it used to be
> > > > > > line
> > > > > > 1566,
> > > > > > so _probably_ that's what it is.  With that assumption, it's
> > > > > > BUG_ON(inode->i_state & I_CLEAR);
> > > > > > IOW, we'd got I_CLEAR in the inode passed to d_make_root()
> > > > > > there.  Which
> > > > > > should not happen - the inode must have come from new_inode(), which
> > > > > > gets it from new_inode_pseudo(), which zeroes ->i_state.  And 
> > > > > > I_CLEAR
> > > > > > is set only in clear_inode().  For autofs inodes that can come only
> > > > > > from autofs_evict_inode(), called as ->evict() from evict_inode().
> > > > > > Which should never ever be called for inode with positive 
> > > > > > ->i_count...
> > > > > >
> > > > > > It might be memory corruption; it might be a dangling inode pointer
> > > > > > somewhere, it might be something else.
> > > > > >
> > > > > > To get any further we really need a confirmation of the identity of
> > > > > > triggered BUG_ON().
> > > > > >
> > > > > > As an aside, your "sample crash reports" would've been much more
> > > > > > useful
> > > > > > if
> > > > > > they went with commit SHA1 in question, especially when they contain
> > > > > > line
> > > > > > numbers.
> > > > >
> > > > > Hi Al,
> > > > >
> > > > > This is the commit for matching lines:
> > > > >
> > > > > > HEAD commit:d14b746c6c1c Add linux-next specific files for
> > > > > > 20181214
> > > >
> > > > Are you sure?
> > > > what does 20181214 mean?
> > >
> > > Yes, I just copy-pasted from the report. "d14b746c6c1c" is the commit
> > > hash. "Add linux-next specific files for 20181214" is the commit
> > > subject.
> > >
> > >
> > > > Looking at current next code (and several branches) it doesn't
> > > > appear the problem is possible?
> > > >
> > > > > > git tree:   linux-next
> > > >
> > > > But which branch is it really, master (which doesn't match the
> > > > line numbers btw)?
> > >
> > > This is d14b746c6c1c commit hash. I don't know if there is a branch
> > > with HEAD pointing to this commit or not, but it seems unimportant.
> > > Tree+commit is the identity of code state.
> > >
> > >
> > > > > fs/inode.c:1566 points to:
> > > > >
> > > > > void iput(struct inode *inode)
> > > > > {
> > > > > ...
> > > > > BUG_ON(inode->i_state & I_CLEAR);
> > > > >
> > > > >
> > > > > The dashboard page provides kernel git repository and commit for each
> > > > > crash.
> > > >
> > > > Those links don't seem to make sense to me ...
> > > >
> > > > Help me out here!
> > >
> > > There is git repo name provided and commit hash. It's meant to be
> > > self-explanatory. What exactly is unclear?
> >
> > I'm unable to find a branch matching the line numbers.
> >
> > Given that, on the face of it, the 

Re: kernel BUG at fs/inode.c:LINE!

[Al Viro]

On Wed, Apr 10, 2019 at 08:07:15PM +0800, Ian Kent wrote:

> > I'm unable to find a branch matching the line numbers.
> > 
> > Given that, on the face of it, the scenario is impossible I'm
> > seeking clarification on what linux-next to look at for the
> > sake of accuracy.
> > 
> > So I'm wondering if this testing done using the master branch
> > or one of the daily branches one would use to check for conflicts
> > before posting?
> 
> Sorry those are tags not branches.

FWIW, that's next-20181214; it is what master had been in mid-December
and master is rebased every day.  Can it be reproduced with the current
tree?

Re: kernel BUG at fs/inode.c:LINE!

[Ian Kent]

On Wed, 2019-04-10 at 19:57 +0800, Ian Kent wrote:
> On Wed, 2019-04-10 at 13:40 +0200, Dmitry Vyukov wrote:
> > On Wed, Apr 10, 2019 at 12:35 PM Ian Kent  wrote:
> > > 
> > > On Wed, 2019-04-10 at 10:27 +0200, Dmitry Vyukov wrote:
> > > > On Wed, Apr 10, 2019 at 2:26 AM Al Viro  wrote:
> > > > > 
> > > > > On Tue, Apr 09, 2019 at 07:36:00AM -0700, syzbot wrote:
> > > > > > Bisection is inconclusive: the first bad commit could be any of:
> > > > > 
> > > > > [snip the useless pile]
> > > > > 
> > > > > > bisection log:
> > > > > > https://syzkaller.appspot.com/x/bisect.txt?x=15e1fc2b20
> > > > > > start commit:   [unknown
> > > > > > git tree:   linux-next
> > > > > > dashboard link:
> > > > > > https://syzkaller.appspot.com/bug?extid=5399ed0832693e29f392
> > > > > > syz repro:  
> > > > > > https://syzkaller.appspot.com/x/repro.syz?x=101032b340
> > > > > > C reproducer:   
> > > > > > https://syzkaller.appspot.com/x/repro.c?x=1653406340
> > > > > > 
> > > > > > For information about bisection process see:
> > > > > > https://goo.gl/tpsmEJ#bisection
> > > > > 
> > > > > If I'm not misreading the "crash report" there, it has injected an
> > > > > allocation
> > > > > failure in dentry allocation in d_make_root() from autofs_fill_super()
> > > > > (
> > > > > root_inode = autofs_get_inode(s, S_IFDIR | 0755);
> > > > > root = d_make_root(root_inode);
> > > > > ) which has triggered iput() on the inode passed to d_make_root() (as
> > > > > it
> > > > > ought
> > > > > to).  At which point it stepped into some BUG_ON() in fs/inode.c, but
> > > > > I've
> > > > > no idea which one it is - line numbers do not match anything in linux-
> > > > > next
> > > > > or in mainline.  Reported line 1566 is
> > > > > if (inode->i_nlink && (inode->i_state & I_DIRTY_TIME))
> > > > > {
> > > > > in all of them; as the matter of fact, the diff in fs/inode.c between
> > > > > -next and mainline is empty.
> > > > > 
> > > > > There is a BUG_ON() several lines prior, and in 4.20 it used to be
> > > > > line
> > > > > 1566,
> > > > > so _probably_ that's what it is.  With that assumption, it's
> > > > > BUG_ON(inode->i_state & I_CLEAR);
> > > > > IOW, we'd got I_CLEAR in the inode passed to d_make_root()
> > > > > there.  Which
> > > > > should not happen - the inode must have come from new_inode(), which
> > > > > gets it from new_inode_pseudo(), which zeroes ->i_state.  And I_CLEAR
> > > > > is set only in clear_inode().  For autofs inodes that can come only
> > > > > from autofs_evict_inode(), called as ->evict() from evict_inode().
> > > > > Which should never ever be called for inode with positive ->i_count...
> > > > > 
> > > > > It might be memory corruption; it might be a dangling inode pointer
> > > > > somewhere, it might be something else.
> > > > > 
> > > > > To get any further we really need a confirmation of the identity of
> > > > > triggered BUG_ON().
> > > > > 
> > > > > As an aside, your "sample crash reports" would've been much more
> > > > > useful
> > > > > if
> > > > > they went with commit SHA1 in question, especially when they contain
> > > > > line
> > > > > numbers.
> > > > 
> > > > Hi Al,
> > > > 
> > > > This is the commit for matching lines:
> > > > 
> > > > > HEAD commit:d14b746c6c1c Add linux-next specific files for
> > > > > 20181214
> > > 
> > > Are you sure?
> > > what does 20181214 mean?
> > 
> > Yes, I just copy-pasted from the report. "d14b746c6c1c" is the commit
> > hash. "Add linux-next specific files for 20181214" is the commit
> > subject.
> > 
> > 
> > > Looking at current next code (and several branches) it doesn't
> > > appear the problem is possible?
> > > 
> > > > > git tree:   linux-next
> > > 
> > > But which branch is it really, master (which doesn't match the
> > > line numbers btw)?
> > 
> > This is d14b746c6c1c commit hash. I don't know if there is a branch
> > with HEAD pointing to this commit or not, but it seems unimportant.
> > Tree+commit is the identity of code state.
> > 
> > 
> > > > fs/inode.c:1566 points to:
> > > > 
> > > > void iput(struct inode *inode)
> > > > {
> > > > ...
> > > > BUG_ON(inode->i_state & I_CLEAR);
> > > > 
> > > > 
> > > > The dashboard page provides kernel git repository and commit for each
> > > > crash.
> > > 
> > > Those links don't seem to make sense to me ...
> > > 
> > > Help me out here!
> > 
> > There is git repo name provided and commit hash. It's meant to be
> > self-explanatory. What exactly is unclear?
> 
> I'm unable to find a branch matching the line numbers.
> 
> Given that, on the face of it, the scenario is impossible I'm
> seeking clarification on what linux-next to look at for the
> sake of accuracy.
> 
> So I'm wondering if this testing done using the master branch
> or one of the daily branches one would use to check for conflicts
> before posting?

Sorry those are tags not branches.

On a newly updated linux-next I get:
[raven@pluto linux-next.git]$ 

Re: kernel BUG at fs/inode.c:LINE!

[Dmitry Vyukov]

On Wed, Apr 10, 2019 at 2:02 PM Dmitry Vyukov  wrote:
>
> On Wed, Apr 10, 2019 at 1:57 PM Ian Kent  wrote:
> > > > > > On Tue, Apr 09, 2019 at 07:36:00AM -0700, syzbot wrote:
> > > > > > > Bisection is inconclusive: the first bad commit could be any of:
> > > > > >
> > > > > > [snip the useless pile]
> > > > > >
> > > > > > > bisection log:
> > > > > > > https://syzkaller.appspot.com/x/bisect.txt?x=15e1fc2b20
> > > > > > > start commit:   [unknown
> > > > > > > git tree:   linux-next
> > > > > > > dashboard link:
> > > > > > > https://syzkaller.appspot.com/bug?extid=5399ed0832693e29f392
> > > > > > > syz repro:
> > > > > > > https://syzkaller.appspot.com/x/repro.syz?x=101032b340
> > > > > > > C reproducer:
> > > > > > > https://syzkaller.appspot.com/x/repro.c?x=1653406340
> > > > > > >
> > > > > > > For information about bisection process see:
> > > > > > > https://goo.gl/tpsmEJ#bisection
> > > > > >
> > > > > > If I'm not misreading the "crash report" there, it has injected an
> > > > > > allocation
> > > > > > failure in dentry allocation in d_make_root() from 
> > > > > > autofs_fill_super() (
> > > > > > root_inode = autofs_get_inode(s, S_IFDIR | 0755);
> > > > > > root = d_make_root(root_inode);
> > > > > > ) which has triggered iput() on the inode passed to d_make_root() 
> > > > > > (as it
> > > > > > ought
> > > > > > to).  At which point it stepped into some BUG_ON() in fs/inode.c, 
> > > > > > but
> > > > > > I've
> > > > > > no idea which one it is - line numbers do not match anything in 
> > > > > > linux-
> > > > > > next
> > > > > > or in mainline.  Reported line 1566 is
> > > > > > if (inode->i_nlink && (inode->i_state & 
> > > > > > I_DIRTY_TIME)) {
> > > > > > in all of them; as the matter of fact, the diff in fs/inode.c 
> > > > > > between
> > > > > > -next and mainline is empty.
> > > > > >
> > > > > > There is a BUG_ON() several lines prior, and in 4.20 it used to be 
> > > > > > line
> > > > > > 1566,
> > > > > > so _probably_ that's what it is.  With that assumption, it's
> > > > > > BUG_ON(inode->i_state & I_CLEAR);
> > > > > > IOW, we'd got I_CLEAR in the inode passed to d_make_root() there.  
> > > > > > Which
> > > > > > should not happen - the inode must have come from new_inode(), which
> > > > > > gets it from new_inode_pseudo(), which zeroes ->i_state.  And 
> > > > > > I_CLEAR
> > > > > > is set only in clear_inode().  For autofs inodes that can come only
> > > > > > from autofs_evict_inode(), called as ->evict() from evict_inode().
> > > > > > Which should never ever be called for inode with positive 
> > > > > > ->i_count...
> > > > > >
> > > > > > It might be memory corruption; it might be a dangling inode pointer
> > > > > > somewhere, it might be something else.
> > > > > >
> > > > > > To get any further we really need a confirmation of the identity of
> > > > > > triggered BUG_ON().
> > > > > >
> > > > > > As an aside, your "sample crash reports" would've been much more 
> > > > > > useful
> > > > > > if
> > > > > > they went with commit SHA1 in question, especially when they contain
> > > > > > line
> > > > > > numbers.
> > > > >
> > > > > Hi Al,
> > > > >
> > > > > This is the commit for matching lines:
> > > > >
> > > > > > HEAD commit:d14b746c6c1c Add linux-next specific files for 
> > > > > > 20181214
> > > >
> > > > Are you sure?
> > > > what does 20181214 mean?
> > >
> > > Yes, I just copy-pasted from the report. "d14b746c6c1c" is the commit
> > > hash. "Add linux-next specific files for 20181214" is the commit
> > > subject.
> > >
> > >
> > > > Looking at current next code (and several branches) it doesn't
> > > > appear the problem is possible?
> > > >
> > > > > > git tree:   linux-next
> > > >
> > > > But which branch is it really, master (which doesn't match the
> > > > line numbers btw)?
> > >
> > > This is d14b746c6c1c commit hash. I don't know if there is a branch
> > > with HEAD pointing to this commit or not, but it seems unimportant.
> > > Tree+commit is the identity of code state.
> > >
> > >
> > > > > fs/inode.c:1566 points to:
> > > > >
> > > > > void iput(struct inode *inode)
> > > > > {
> > > > > ...
> > > > > BUG_ON(inode->i_state & I_CLEAR);
> > > > >
> > > > >
> > > > > The dashboard page provides kernel git repository and commit for each
> > > > > crash.
> > > >
> > > > Those links don't seem to make sense to me ...
> > > >
> > > > Help me out here!
> > >
> > > There is git repo name provided and commit hash. It's meant to be
> > > self-explanatory. What exactly is unclear?
> >
> > I'm unable to find a branch matching the line numbers.
> >
> > Given that, on the face of it, the scenario is impossible I'm
> > seeking clarification on what linux-next to look at for the
> > sake of accuracy.
> >
> > So I'm wondering if this testing done using the master branch
> > or one of the daily branches one would use to check for conflicts
> > before posting?
> >
> > Or perhaps the 

Re: kernel BUG at fs/inode.c:LINE!

[Dmitry Vyukov]

On Wed, Apr 10, 2019 at 1:57 PM Ian Kent  wrote:
> > > > > On Tue, Apr 09, 2019 at 07:36:00AM -0700, syzbot wrote:
> > > > > > Bisection is inconclusive: the first bad commit could be any of:
> > > > >
> > > > > [snip the useless pile]
> > > > >
> > > > > > bisection log:
> > > > > > https://syzkaller.appspot.com/x/bisect.txt?x=15e1fc2b20
> > > > > > start commit:   [unknown
> > > > > > git tree:   linux-next
> > > > > > dashboard link:
> > > > > > https://syzkaller.appspot.com/bug?extid=5399ed0832693e29f392
> > > > > > syz repro:
> > > > > > https://syzkaller.appspot.com/x/repro.syz?x=101032b340
> > > > > > C reproducer:
> > > > > > https://syzkaller.appspot.com/x/repro.c?x=1653406340
> > > > > >
> > > > > > For information about bisection process see:
> > > > > > https://goo.gl/tpsmEJ#bisection
> > > > >
> > > > > If I'm not misreading the "crash report" there, it has injected an
> > > > > allocation
> > > > > failure in dentry allocation in d_make_root() from 
> > > > > autofs_fill_super() (
> > > > > root_inode = autofs_get_inode(s, S_IFDIR | 0755);
> > > > > root = d_make_root(root_inode);
> > > > > ) which has triggered iput() on the inode passed to d_make_root() (as 
> > > > > it
> > > > > ought
> > > > > to).  At which point it stepped into some BUG_ON() in fs/inode.c, but
> > > > > I've
> > > > > no idea which one it is - line numbers do not match anything in linux-
> > > > > next
> > > > > or in mainline.  Reported line 1566 is
> > > > > if (inode->i_nlink && (inode->i_state & 
> > > > > I_DIRTY_TIME)) {
> > > > > in all of them; as the matter of fact, the diff in fs/inode.c between
> > > > > -next and mainline is empty.
> > > > >
> > > > > There is a BUG_ON() several lines prior, and in 4.20 it used to be 
> > > > > line
> > > > > 1566,
> > > > > so _probably_ that's what it is.  With that assumption, it's
> > > > > BUG_ON(inode->i_state & I_CLEAR);
> > > > > IOW, we'd got I_CLEAR in the inode passed to d_make_root() there.  
> > > > > Which
> > > > > should not happen - the inode must have come from new_inode(), which
> > > > > gets it from new_inode_pseudo(), which zeroes ->i_state.  And I_CLEAR
> > > > > is set only in clear_inode().  For autofs inodes that can come only
> > > > > from autofs_evict_inode(), called as ->evict() from evict_inode().
> > > > > Which should never ever be called for inode with positive ->i_count...
> > > > >
> > > > > It might be memory corruption; it might be a dangling inode pointer
> > > > > somewhere, it might be something else.
> > > > >
> > > > > To get any further we really need a confirmation of the identity of
> > > > > triggered BUG_ON().
> > > > >
> > > > > As an aside, your "sample crash reports" would've been much more 
> > > > > useful
> > > > > if
> > > > > they went with commit SHA1 in question, especially when they contain
> > > > > line
> > > > > numbers.
> > > >
> > > > Hi Al,
> > > >
> > > > This is the commit for matching lines:
> > > >
> > > > > HEAD commit:d14b746c6c1c Add linux-next specific files for 
> > > > > 20181214
> > >
> > > Are you sure?
> > > what does 20181214 mean?
> >
> > Yes, I just copy-pasted from the report. "d14b746c6c1c" is the commit
> > hash. "Add linux-next specific files for 20181214" is the commit
> > subject.
> >
> >
> > > Looking at current next code (and several branches) it doesn't
> > > appear the problem is possible?
> > >
> > > > > git tree:   linux-next
> > >
> > > But which branch is it really, master (which doesn't match the
> > > line numbers btw)?
> >
> > This is d14b746c6c1c commit hash. I don't know if there is a branch
> > with HEAD pointing to this commit or not, but it seems unimportant.
> > Tree+commit is the identity of code state.
> >
> >
> > > > fs/inode.c:1566 points to:
> > > >
> > > > void iput(struct inode *inode)
> > > > {
> > > > ...
> > > > BUG_ON(inode->i_state & I_CLEAR);
> > > >
> > > >
> > > > The dashboard page provides kernel git repository and commit for each
> > > > crash.
> > >
> > > Those links don't seem to make sense to me ...
> > >
> > > Help me out here!
> >
> > There is git repo name provided and commit hash. It's meant to be
> > self-explanatory. What exactly is unclear?
>
> I'm unable to find a branch matching the line numbers.
>
> Given that, on the face of it, the scenario is impossible I'm
> seeking clarification on what linux-next to look at for the
> sake of accuracy.
>
> So I'm wondering if this testing done using the master branch
> or one of the daily branches one would use to check for conflicts
> before posting?
>
> Or perhaps the master branch has been updated and the testing was
> done on something different.


Ah, I see. syzbot continuously tests the master branch of linux-next.
So d14b746c6c1c was once the HEAD of the master branch.
I somehow have d14b746c6c1c locally, but if you don't have it you may
need to fetch 
git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next-history.git

Re: kernel BUG at fs/inode.c:LINE!

[Ian Kent]

On Wed, 2019-04-10 at 13:40 +0200, Dmitry Vyukov wrote:
> On Wed, Apr 10, 2019 at 12:35 PM Ian Kent  wrote:
> > 
> > On Wed, 2019-04-10 at 10:27 +0200, Dmitry Vyukov wrote:
> > > On Wed, Apr 10, 2019 at 2:26 AM Al Viro  wrote:
> > > > 
> > > > On Tue, Apr 09, 2019 at 07:36:00AM -0700, syzbot wrote:
> > > > > Bisection is inconclusive: the first bad commit could be any of:
> > > > 
> > > > [snip the useless pile]
> > > > 
> > > > > bisection log:
> > > > > https://syzkaller.appspot.com/x/bisect.txt?x=15e1fc2b20
> > > > > start commit:   [unknown
> > > > > git tree:   linux-next
> > > > > dashboard link:
> > > > > https://syzkaller.appspot.com/bug?extid=5399ed0832693e29f392
> > > > > syz repro:  
> > > > > https://syzkaller.appspot.com/x/repro.syz?x=101032b340
> > > > > C reproducer:   
> > > > > https://syzkaller.appspot.com/x/repro.c?x=1653406340
> > > > > 
> > > > > For information about bisection process see:
> > > > > https://goo.gl/tpsmEJ#bisection
> > > > 
> > > > If I'm not misreading the "crash report" there, it has injected an
> > > > allocation
> > > > failure in dentry allocation in d_make_root() from autofs_fill_super() (
> > > > root_inode = autofs_get_inode(s, S_IFDIR | 0755);
> > > > root = d_make_root(root_inode);
> > > > ) which has triggered iput() on the inode passed to d_make_root() (as it
> > > > ought
> > > > to).  At which point it stepped into some BUG_ON() in fs/inode.c, but
> > > > I've
> > > > no idea which one it is - line numbers do not match anything in linux-
> > > > next
> > > > or in mainline.  Reported line 1566 is
> > > > if (inode->i_nlink && (inode->i_state & I_DIRTY_TIME)) {
> > > > in all of them; as the matter of fact, the diff in fs/inode.c between
> > > > -next and mainline is empty.
> > > > 
> > > > There is a BUG_ON() several lines prior, and in 4.20 it used to be line
> > > > 1566,
> > > > so _probably_ that's what it is.  With that assumption, it's
> > > > BUG_ON(inode->i_state & I_CLEAR);
> > > > IOW, we'd got I_CLEAR in the inode passed to d_make_root() there.  Which
> > > > should not happen - the inode must have come from new_inode(), which
> > > > gets it from new_inode_pseudo(), which zeroes ->i_state.  And I_CLEAR
> > > > is set only in clear_inode().  For autofs inodes that can come only
> > > > from autofs_evict_inode(), called as ->evict() from evict_inode().
> > > > Which should never ever be called for inode with positive ->i_count...
> > > > 
> > > > It might be memory corruption; it might be a dangling inode pointer
> > > > somewhere, it might be something else.
> > > > 
> > > > To get any further we really need a confirmation of the identity of
> > > > triggered BUG_ON().
> > > > 
> > > > As an aside, your "sample crash reports" would've been much more useful
> > > > if
> > > > they went with commit SHA1 in question, especially when they contain
> > > > line
> > > > numbers.
> > > 
> > > Hi Al,
> > > 
> > > This is the commit for matching lines:
> > > 
> > > > HEAD commit:d14b746c6c1c Add linux-next specific files for 20181214
> > 
> > Are you sure?
> > what does 20181214 mean?
> 
> Yes, I just copy-pasted from the report. "d14b746c6c1c" is the commit
> hash. "Add linux-next specific files for 20181214" is the commit
> subject.
> 
> 
> > Looking at current next code (and several branches) it doesn't
> > appear the problem is possible?
> > 
> > > > git tree:   linux-next
> > 
> > But which branch is it really, master (which doesn't match the
> > line numbers btw)?
> 
> This is d14b746c6c1c commit hash. I don't know if there is a branch
> with HEAD pointing to this commit or not, but it seems unimportant.
> Tree+commit is the identity of code state.
> 
> 
> > > fs/inode.c:1566 points to:
> > > 
> > > void iput(struct inode *inode)
> > > {
> > > ...
> > > BUG_ON(inode->i_state & I_CLEAR);
> > > 
> > > 
> > > The dashboard page provides kernel git repository and commit for each
> > > crash.
> > 
> > Those links don't seem to make sense to me ...
> > 
> > Help me out here!
> 
> There is git repo name provided and commit hash. It's meant to be
> self-explanatory. What exactly is unclear?

I'm unable to find a branch matching the line numbers.

Given that, on the face of it, the scenario is impossible I'm
seeking clarification on what linux-next to look at for the
sake of accuracy.

So I'm wondering if this testing done using the master branch
or one of the daily branches one would use to check for conflicts
before posting?

Or perhaps the master branch has been updated and the testing was
done on something different.

Ian

Re: kernel BUG at fs/inode.c:LINE!

[Dmitry Vyukov]

On Wed, Apr 10, 2019 at 12:35 PM Ian Kent  wrote:
>
> On Wed, 2019-04-10 at 10:27 +0200, Dmitry Vyukov wrote:
> > On Wed, Apr 10, 2019 at 2:26 AM Al Viro  wrote:
> > >
> > > On Tue, Apr 09, 2019 at 07:36:00AM -0700, syzbot wrote:
> > > > Bisection is inconclusive: the first bad commit could be any of:
> > >
> > > [snip the useless pile]
> > >
> > > > bisection log:
> > > > https://syzkaller.appspot.com/x/bisect.txt?x=15e1fc2b20
> > > > start commit:   [unknown
> > > > git tree:   linux-next
> > > > dashboard link:
> > > > https://syzkaller.appspot.com/bug?extid=5399ed0832693e29f392
> > > > syz repro:  
> > > > https://syzkaller.appspot.com/x/repro.syz?x=101032b340
> > > > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1653406340
> > > >
> > > > For information about bisection process see:
> > > > https://goo.gl/tpsmEJ#bisection
> > >
> > > If I'm not misreading the "crash report" there, it has injected an
> > > allocation
> > > failure in dentry allocation in d_make_root() from autofs_fill_super() (
> > > root_inode = autofs_get_inode(s, S_IFDIR | 0755);
> > > root = d_make_root(root_inode);
> > > ) which has triggered iput() on the inode passed to d_make_root() (as it
> > > ought
> > > to).  At which point it stepped into some BUG_ON() in fs/inode.c, but I've
> > > no idea which one it is - line numbers do not match anything in linux-next
> > > or in mainline.  Reported line 1566 is
> > > if (inode->i_nlink && (inode->i_state & I_DIRTY_TIME)) {
> > > in all of them; as the matter of fact, the diff in fs/inode.c between
> > > -next and mainline is empty.
> > >
> > > There is a BUG_ON() several lines prior, and in 4.20 it used to be line
> > > 1566,
> > > so _probably_ that's what it is.  With that assumption, it's
> > > BUG_ON(inode->i_state & I_CLEAR);
> > > IOW, we'd got I_CLEAR in the inode passed to d_make_root() there.  Which
> > > should not happen - the inode must have come from new_inode(), which
> > > gets it from new_inode_pseudo(), which zeroes ->i_state.  And I_CLEAR
> > > is set only in clear_inode().  For autofs inodes that can come only
> > > from autofs_evict_inode(), called as ->evict() from evict_inode().
> > > Which should never ever be called for inode with positive ->i_count...
> > >
> > > It might be memory corruption; it might be a dangling inode pointer
> > > somewhere, it might be something else.
> > >
> > > To get any further we really need a confirmation of the identity of
> > > triggered BUG_ON().
> > >
> > > As an aside, your "sample crash reports" would've been much more useful if
> > > they went with commit SHA1 in question, especially when they contain line
> > > numbers.
> >
> > Hi Al,
> >
> > This is the commit for matching lines:
> >
> > > HEAD commit:d14b746c6c1c Add linux-next specific files for 20181214
>
> Are you sure?
> what does 20181214 mean?

Yes, I just copy-pasted from the report. "d14b746c6c1c" is the commit
hash. "Add linux-next specific files for 20181214" is the commit
subject.


> Looking at current next code (and several branches) it doesn't
> appear the problem is possible?
>
> > > git tree:   linux-next
>
> But which branch is it really, master (which doesn't match the
> line numbers btw)?

This is d14b746c6c1c commit hash. I don't know if there is a branch
with HEAD pointing to this commit or not, but it seems unimportant.
Tree+commit is the identity of code state.


> > fs/inode.c:1566 points to:
> >
> > void iput(struct inode *inode)
> > {
> > ...
> > BUG_ON(inode->i_state & I_CLEAR);
> >
> >
> > The dashboard page provides kernel git repository and commit for each crash.
>
> Those links don't seem to make sense to me ...
>
> Help me out here!

There is git repo name provided and commit hash. It's meant to be
self-explanatory. What exactly is unclear?

Re: kernel BUG at fs/inode.c:LINE!

[Ian Kent]

On Wed, 2019-04-10 at 10:27 +0200, Dmitry Vyukov wrote:
> On Wed, Apr 10, 2019 at 2:26 AM Al Viro  wrote:
> > 
> > On Tue, Apr 09, 2019 at 07:36:00AM -0700, syzbot wrote:
> > > Bisection is inconclusive: the first bad commit could be any of:
> > 
> > [snip the useless pile]
> > 
> > > bisection log:  
> > > https://syzkaller.appspot.com/x/bisect.txt?x=15e1fc2b20
> > > start commit:   [unknown
> > > git tree:   linux-next
> > > dashboard link: 
> > > https://syzkaller.appspot.com/bug?extid=5399ed0832693e29f392
> > > syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=101032b340
> > > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1653406340
> > > 
> > > For information about bisection process see: 
> > > https://goo.gl/tpsmEJ#bisection
> > 
> > If I'm not misreading the "crash report" there, it has injected an
> > allocation
> > failure in dentry allocation in d_make_root() from autofs_fill_super() (
> > root_inode = autofs_get_inode(s, S_IFDIR | 0755);
> > root = d_make_root(root_inode);
> > ) which has triggered iput() on the inode passed to d_make_root() (as it
> > ought
> > to).  At which point it stepped into some BUG_ON() in fs/inode.c, but I've
> > no idea which one it is - line numbers do not match anything in linux-next
> > or in mainline.  Reported line 1566 is
> > if (inode->i_nlink && (inode->i_state & I_DIRTY_TIME)) {
> > in all of them; as the matter of fact, the diff in fs/inode.c between
> > -next and mainline is empty.
> > 
> > There is a BUG_ON() several lines prior, and in 4.20 it used to be line
> > 1566,
> > so _probably_ that's what it is.  With that assumption, it's
> > BUG_ON(inode->i_state & I_CLEAR);
> > IOW, we'd got I_CLEAR in the inode passed to d_make_root() there.  Which
> > should not happen - the inode must have come from new_inode(), which
> > gets it from new_inode_pseudo(), which zeroes ->i_state.  And I_CLEAR
> > is set only in clear_inode().  For autofs inodes that can come only
> > from autofs_evict_inode(), called as ->evict() from evict_inode().
> > Which should never ever be called for inode with positive ->i_count...
> > 
> > It might be memory corruption; it might be a dangling inode pointer
> > somewhere, it might be something else.
> > 
> > To get any further we really need a confirmation of the identity of
> > triggered BUG_ON().
> > 
> > As an aside, your "sample crash reports" would've been much more useful if
> > they went with commit SHA1 in question, especially when they contain line
> > numbers.
> 
> Hi Al,
> 
> This is the commit for matching lines:
> 
> > HEAD commit:d14b746c6c1c Add linux-next specific files for 20181214

Are you sure?
what does 20181214 mean?

Looking at current next code (and several branches) it doesn't
appear the problem is possible?

> > git tree:   linux-next

But which branch is it really, master (which doesn't match the
line numbers btw)?

> 
> fs/inode.c:1566 points to:
> 
> void iput(struct inode *inode)
> {
> ...
> BUG_ON(inode->i_state & I_CLEAR);
> 
> 
> The dashboard page provides kernel git repository and commit for each crash.

Those links don't seem to make sense to me ...

Help me out here!
Ian

Re: kernel BUG at fs/inode.c:LINE!

[Dmitry Vyukov]

On Wed, Apr 10, 2019 at 2:26 AM Al Viro  wrote:
>
> On Tue, Apr 09, 2019 at 07:36:00AM -0700, syzbot wrote:
> > Bisection is inconclusive: the first bad commit could be any of:
>
> [snip the useless pile]
>
> > bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=15e1fc2b20
> > start commit:   [unknown
> > git tree:   linux-next
> > dashboard link: https://syzkaller.appspot.com/bug?extid=5399ed0832693e29f392
> > syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=101032b340
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1653406340
> >
> > For information about bisection process see: https://goo.gl/tpsmEJ#bisection
>
> If I'm not misreading the "crash report" there, it has injected an allocation
> failure in dentry allocation in d_make_root() from autofs_fill_super() (
> root_inode = autofs_get_inode(s, S_IFDIR | 0755);
> root = d_make_root(root_inode);
> ) which has triggered iput() on the inode passed to d_make_root() (as it ought
> to).  At which point it stepped into some BUG_ON() in fs/inode.c, but I've
> no idea which one it is - line numbers do not match anything in linux-next
> or in mainline.  Reported line 1566 is
> if (inode->i_nlink && (inode->i_state & I_DIRTY_TIME)) {
> in all of them; as the matter of fact, the diff in fs/inode.c between
> -next and mainline is empty.
>
> There is a BUG_ON() several lines prior, and in 4.20 it used to be line 1566,
> so _probably_ that's what it is.  With that assumption, it's
> BUG_ON(inode->i_state & I_CLEAR);
> IOW, we'd got I_CLEAR in the inode passed to d_make_root() there.  Which
> should not happen - the inode must have come from new_inode(), which
> gets it from new_inode_pseudo(), which zeroes ->i_state.  And I_CLEAR
> is set only in clear_inode().  For autofs inodes that can come only
> from autofs_evict_inode(), called as ->evict() from evict_inode().
> Which should never ever be called for inode with positive ->i_count...
>
> It might be memory corruption; it might be a dangling inode pointer
> somewhere, it might be something else.
>
> To get any further we really need a confirmation of the identity of
> triggered BUG_ON().
>
> As an aside, your "sample crash reports" would've been much more useful if
> they went with commit SHA1 in question, especially when they contain line
> numbers.

Hi Al,

This is the commit for matching lines:

> HEAD commit:d14b746c6c1c Add linux-next specific files for 20181214
> git tree:   linux-next

fs/inode.c:1566 points to:

void iput(struct inode *inode)
{
...
BUG_ON(inode->i_state & I_CLEAR);


The dashboard page provides kernel git repository and commit for each crash.

Re: kernel BUG at fs/inode.c:LINE!

[Al Viro]

On Tue, Apr 09, 2019 at 07:36:00AM -0700, syzbot wrote:
> Bisection is inconclusive: the first bad commit could be any of:

[snip the useless pile]

> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=15e1fc2b20
> start commit:   [unknown
> git tree:   linux-next
> dashboard link: https://syzkaller.appspot.com/bug?extid=5399ed0832693e29f392
> syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=101032b340
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1653406340
> 
> For information about bisection process see: https://goo.gl/tpsmEJ#bisection

If I'm not misreading the "crash report" there, it has injected an allocation
failure in dentry allocation in d_make_root() from autofs_fill_super() (
root_inode = autofs_get_inode(s, S_IFDIR | 0755);
root = d_make_root(root_inode);
) which has triggered iput() on the inode passed to d_make_root() (as it ought
to).  At which point it stepped into some BUG_ON() in fs/inode.c, but I've
no idea which one it is - line numbers do not match anything in linux-next
or in mainline.  Reported line 1566 is
if (inode->i_nlink && (inode->i_state & I_DIRTY_TIME)) {   
in all of them; as the matter of fact, the diff in fs/inode.c between
-next and mainline is empty.

There is a BUG_ON() several lines prior, and in 4.20 it used to be line 1566,
so _probably_ that's what it is.  With that assumption, it's
BUG_ON(inode->i_state & I_CLEAR);
IOW, we'd got I_CLEAR in the inode passed to d_make_root() there.  Which
should not happen - the inode must have come from new_inode(), which
gets it from new_inode_pseudo(), which zeroes ->i_state.  And I_CLEAR
is set only in clear_inode().  For autofs inodes that can come only
from autofs_evict_inode(), called as ->evict() from evict_inode().
Which should never ever be called for inode with positive ->i_count...

It might be memory corruption; it might be a dangling inode pointer
somewhere, it might be something else.

To get any further we really need a confirmation of the identity of
triggered BUG_ON().

As an aside, your "sample crash reports" would've been much more useful if
they went with commit SHA1 in question, especially when they contain line
numbers.

Re: kernel BUG at fs/inode.c:LINE!

[syzbot]

Bisection is inconclusive: the first bad commit could be any of:

cd4f2a66 lib/genalloc.c: fix allocation of aligned buffer from non-aligned  
chunk

df3f18d3 fls: change parameter to unsigned int
9067c8d5 lib/find_bit_benchmark.c: align test_find_next_and_bit with others
c2824829 include/linux/printk.h: drop silly "static inline asmlinkage" from  
dump_stack()

26e88a47 checkpatch: warn on const char foo[] = "bar"; declarations
e98eceb8 drivers/dma-buf/udmabuf.c: convert to use vm_fault_t
5b6bf71d build_bug.h: remove most of dummy BUILD_BUG_ON stubs for Sparse
f34c9474 fs/epoll: remove max_nests argument from ep_call_nested()
56f6c16e build_bug.h: remove negative-array fallback for BUILD_BUG_ON()
cd2f11e6 fs/epoll: simplify ep_send_events_proc() ready-list loop
74a37b90 Documentation/process/coding-style.rst: don't use "extern" with  
function prototypes

ab1909a8 fs/epoll: drop ovflist branch prediction
499aeb57 proc/sysctl: fix return error for proc_doulongvec_minmax()
b7fa8017 fs/epoll: robustify ep->mtx held checks
d877fd09 fs/proc/base.c: slightly faster /proc/*/limits
f2c37862 fs/epoll: reduce the scope of wq lock in epoll_wait()
860705c8 fs-epoll-reduce-the-scope-of-wq-lock-in-epoll_wait-fix
c62975fb fs/proc/inode.c: delete unnecessary variable in proc_alloc_inode()
9460069d fs/proc/util.c: include fs/proc/internal.h for name_to_int()
ea5f967a fs/epoll: avoid barrier after an epoll_wait(2) timeout
b61909d2 fs-epoll-avoid-barrier-after-an-epoll_wait2-timeout-fix
c768eca0 fs/proc/base.c: use ns_capable instead of capable for timerslack_ns
81553cde fs/epoll: rename check_events label to send_events
b6af7800 fs/buffer.c: add debug print for __getblk_gfp() stall problem
11193e16 mm/page_owner: align with pageblock_nr pages
349afd96 fs/epoll: deal with wait_queue only once
393af37c fs-epoll-deal-with-wait_queue-only-once-fix
c20187bf mm/page_owner: align with pageblock_nr_pages
20fbef31 mm: don't expose page to fast gup before it's ready
ad4f37b8 init/main.c: make "initcall_level_names[]" const char *
0bcbe611 autofs: improve ioctl sbi checks
69ab6b14 mm: fix race between swapoff and mincore
b783d261 autofs-improve-ioctl-sbi-checks-fix
de44564f mm, swap: fix race between swapoff and some swap operations
010a80ff mm, swap: fix race between swapoff and some swap operations
9c82e3b8 autofs: fix possible inode leak in autofs_fill_super()
855b7de1 mm/page_alloc.c: remove software prefetching in __free_pages_core()
cd4d5fa9 autofs: simplify parse_options() function call
e8fed666 memory_hotplug-free-pages-as-higher-order-fix-fix
f7aa1250 autofs: change catatonic setting to a bit flag
578f6458 autofs: add strictexpire mount option
71e7f022 memory_hotplug-free-pages-as-higher-order-fix
8286148b mm/page_alloc.c: memory hotplug: free pages as higher order
e5d8e894 hfsplus: return file attributes on statx
728804fa include/uapi/linux/msdos_fs.h: use MSDOS_NAME for volume label size
e93a0c0d include/linux/memory_hotplug.h: remove duplicate declaration of  
offline_pages()

3d991a59 ptrace: take into account saved_sigmask in PTRACE_{GET,SET}SIGMASK
a7b16608 mm/mmu_notifier: contextual information for event triggering  
invalidation v2
302092c9  
mm-mmu_notifier-use-structure-for-invalidate_range_start-end-calls-v2-checkpatch-fixes

cdd7a0aa fork: fix some -Wmissing-prototypes warnings
137d92bd mm/mmu_notifier: use structure for invalidate_range_start/end  
calls v2

b89cf731 exec: load_script: don't blindly truncate shebang string
42905641  
mm-mmu_notifier-use-structure-for-invalidate_range_start-end-callback-fix-fix

ad2539c7 exec: increase BINPRM_BUF_SIZE to 256
0db734c6 mm/mmu_notifier: use structure for invalidate_range_start/end  
callback

c09b6daf exec: separate MM_ANONPAGES and RLIMIT_STACK accounting
37ba86cc hwpoison, memory_hotplug: allow hwpoisoned pages to be offlined
dc98b124 exec-separate-mm_anonpages-and-rlimit_stack-accounting-fix
28286054  
exec-separate-mm_anonpages-and-rlimit_stack-accounting-checkpatch-fixes

b08acb20 mm-kmemleak-little-optimization-while-scanning-fix
27faeb70 bfs: extra sanity checking and static inode bitmap
79d0fd91 mm, kmemleak: little optimization while scanning
232619fc lib/ioremap: ensure break-before-make is used for huge p4d mappings
7a489f5d panic: add options to print system info when panic happens
784bedb5 kernel/sysctl: add panic_print into sysctl
e5dfd59e lib/ioremap: ensure phys_addr actually corresponds to a physical  
address

5f8d4992 kernel/kcov.c: mark write_comp_data() as notrace
7bdcb055 x86/pgtable: drop pXd_none() checks from pXd_free_pYd_table()
0aa19fc1 arm64: mmu: drop pXd_present() checks from pXd_free_pYd_table()
7ab8b68a scripts/gdb: fix lx-version string output
b2581b70 initramfs: cleanup incomplete rootfs
ee095458 ioremap: rework pXd_free_pYd_page() API
ce10bcf4 mm/page_alloc.c: calculate first_deferred_pfn directly
efae8091 ipc: allow boot time extension of IPCMNI from 32k to 8M
ab7db927  

Re: kernel BUG at fs/inode.c:LINE!

[Ian Kent]

On Tue, 2018-12-18 at 13:09 -0800, Andrew Morton wrote:
> On Tue, 18 Dec 2018 19:34:57 +0800 Ian Kent  wrote:
> 
> > > See 
> > > 
https://www.ozlabs.org/~akpm/mmotm/broken-out/autofs-fix-possible-inode-leak-in-autofs_fill_super.patch
> > > 
> > > I think this will fix it, I'll forward it to Andrew if you agree:
> > 
> > Actually, looking at it again the above patch is plain not needed,
> > dropping it and updating the patch which follows it in the series
> > is what needs to be done.
> > 
> > Andrew, what should I do to make this easiest for you to handle,
> > a respost with v2 in the subject of the patch affected by dropping
> > the above patch?
> 
> I dropped the patch and fixed up the fallout.

Thanks Andrew, much appreciated.

> 
> The patch wasn't true anyway.  "There is no check at all for a failure
> to allocate the root inode in autofs_fill_super(), handle it." In fact,
> d_make_root(NULL) will just return NULL and autofs_fill_super() handles
> that appropriately.

The not so funny thing is that I'm sure I looked at this some time
in the distant past and saw how d_make_root() behaved.

The lesson for me is don't try and fix other things seen while working
on something else, return later and do it properly.

> 
> However let's note that when autofs_get_inode() or d_make_root() fail,
> autofs_fill_super() will return -EINVAL.  Should have been -ENOMEM, I
> guess?
> 

That's right, but I don't think that's urgent so I'll send a patch for
it after the coming merge window.

The strictexpire option addition is urgent for me so I don't want to
upset any chance of that being merged sooner rather than later.

Ian

Re: kernel BUG at fs/inode.c:LINE!

[Andrew Morton]

On Tue, 18 Dec 2018 19:34:57 +0800 Ian Kent  wrote:

> > See 
> > https://www.ozlabs.org/~akpm/mmotm/broken-out/autofs-fix-possible-inode-leak-in-autofs_fill_super.patch
> > 
> > I think this will fix it, I'll forward it to Andrew if you agree:
> 
> Actually, looking at it again the above patch is plain not needed,
> dropping it and updating the patch which follows it in the series
> is what needs to be done.
> 
> Andrew, what should I do to make this easiest for you to handle,
> a respost with v2 in the subject of the patch affected by dropping
> the above patch?

I dropped the patch and fixed up the fallout.

The patch wasn't true anyway.  "There is no check at all for a failure
to allocate the root inode in autofs_fill_super(), handle it." In fact,
d_make_root(NULL) will just return NULL and autofs_fill_super() handles
that appropriately.

However let's note that when autofs_get_inode() or d_make_root() fail,
autofs_fill_super() will return -EINVAL.  Should have been -ENOMEM, I
guess?

Re: kernel BUG at fs/inode.c:LINE!

[Ian Kent]

On Tue, 2018-12-18 at 14:19 +0100, Dmitry Vyukov wrote:
> On Tue, Dec 18, 2018 at 1:42 PM Ian Kent  wrote:
> > 
> > On Tue, 2018-12-18 at 13:27 +0100, Dmitry Vyukov wrote:
> > > On Tue, Dec 18, 2018 at 12:35 PM Ian Kent  wrote:
> > > > 
> > > > On Tue, 2018-12-18 at 18:42 +0800, Ian Kent wrote:
> > > > > On Mon, 2018-12-17 at 07:21 +, Al Viro wrote:
> > > > > > On Sun, Dec 16, 2018 at 10:11:04PM -0800, syzbot wrote:
> > > > > > > Hello,
> > > > > > > 
> > > > > > > syzbot found the following crash on:
> > > > > > > 
> > > > > > > HEAD commit:d14b746c6c1c Add linux-next specific files for
> > > > > > > 20181214
> > > > > > > git tree:   linux-next
> > > > > > > console output:
> > > > > > > https://syzkaller.appspot.com/x/log.txt?x=1370634740
> > > > > > > kernel config:
> > > > > > > https://syzkaller.appspot.com/x/.config?x=1da6d2d18f803140
> > > > > > > dashboard link:
> > > > > > > https://syzkaller.appspot.com/bug?extid=5399ed0832693e29f392
> > > > > > > compiler:   gcc (GCC) 8.0.1 20180413 (experimental)
> > > > > > > syz repro:
> > > > > > > https://syzkaller.appspot.com/x/repro.syz?x=101032b340
> > > > > > > C reproducer:
> > > > > > > https://syzkaller.appspot.com/x/repro.c?x=1653406340
> > > > > > > 
> > > > > > > IMPORTANT: if you fix the bug, please add the following tag to the
> > > > > > > commit:
> > > > > > > Reported-by: syzbot+5399ed0832693e29f...@syzkaller.appspotmail.com
> > > > > > > 
> > > > > > >  slab_pre_alloc_hook mm/slab.h:423 [inline]
> > > > > > >  slab_alloc mm/slab.c:3365 [inline]
> > > > > > >  kmem_cache_alloc+0x2c4/0x730 mm/slab.c:3539
> > > > > > >  __d_alloc+0xc8/0xb90 fs/dcache.c:1599
> > > > > > > [ cut here ]
> > > > > > > kernel BUG at fs/inode.c:1566!
> > > > > > >  d_alloc_anon fs/dcache.c:1698 [inline]
> > > > > > >  d_make_root+0x43/0xc0 fs/dcache.c:1885
> > > > > > >  autofs_fill_super+0x6f1/0x1c30 fs/autofs/inode.c:273
> > > > > > 
> > > > > > Huh?  BUG is in iput(), AFAICS, so the stack trace is rather
> > > > > > misreported.
> > > > > > iput() can be called by d_make_root(), provided that dentry
> > > > > > allocation
> > > > > > fails.  So the most straightforward interpretation would be that we
> > > > > > had an allocation failure (injected?), followed by iput() of the
> > > > > > inode
> > > > > > passed to d_make_root().  Which happened to find I_CLEAR in
> > > > > > ->i_state
> > > > > > of that inode somehow, which should be impossible short of seriously
> > > > > > buggered inode refcounting somewhere - the inode has just been
> > > > > > returned
> > > > > > by new_inode(), which clears i_state, and it would have to have
> > > > > > passed
> > > > > > clear_inode() (i.e. has been through inode eviction) since then...
> > > > > 
> > > > > Sorry Al, that's my bad.
> > > > > 
> > > > > See
> > > > > 
> > 
> > 
https://www.ozlabs.org/~akpm/mmotm/broken-out/autofs-fix-possible-inode-leak-in-autofs_fill_super.patch
> > > > > 
> > > > > I think this will fix it, I'll forward it to Andrew if you agree:
> > > > 
> > > > Actually, looking at it again the above patch is plain not needed,
> > > > dropping it and updating the patch which follows it in the series
> > > > is what needs to be done.
> > > > 
> > > > Andrew, what should I do to make this easiest for you to handle,
> > > > a respost with v2 in the subject of the patch affected by dropping
> > > > the above patch?
> > > > 
> > > > Or I could repost the series with above patch dropped and the affected
> > > > patch corrected?
> > > 
> > > Hi Ian,
> > > 
> > > If you going to amend any commits, please add:
> > > Tested-by: syzbot+5399ed0832693e29f...@syzkaller.appspotmail.com
> > > otherwise:
> > > Reported-by: syzbot+5399ed0832693e29f...@syzkaller.appspotmail.com
> > 
> > I was thinking about how to handle loosing that information.
> > 
> > I don't think this amounts amending commits since Andrews mmotm is
> > based on patch series so dropping a patch and updating patches before
> > being merged won't capture this.
> > 
> > Adding the "Tested-by" attribution to the updated patch prior to syzbot
> > actually performing the test might be ok since it will get tested along
> > the way. Although the problem patch itself won't exist any more so ... ?
> 
> I am a bit lost.
> There should be some patch that will fix this (new or amended). Either
> that patch needs to include Reporter/Tested-by tag, or we will need to
> tell syzbot about the fix manually with the "#syz fix:" command.

One of the patches that I forwarded to Andrew was plain wrong, it isn't
actually needed so it needs to be dropped altogether (this one caused
the breakage). Doing so then requires a minor (unrelated) change to the
next of my patches in the series I sent.

Andrew forwards certain patches in his patch queue to to the linux-next
tree. I'm not sure if that is done via a cumulative pull request or via
actual patches.

Whether dropping a patch from Andrews mmotm tree when 

Re: kernel BUG at fs/inode.c:LINE!

[Al Viro]

On Tue, Dec 18, 2018 at 06:42:35PM +0800, Ian Kent wrote:

> Sorry Al, that's my bad.
> 
> See 
> https://www.ozlabs.org/~akpm/mmotm/broken-out/autofs-fix-possible-inode-leak-in-autofs_fill_super.patch
> 
> I think this will fix it, I'll forward it to Andrew if you agree:

Just drop it and be done with that.  d_make_root(NULL) returns NULL,
no need to check that in the caller.  There is no leak in the mainline;
the calling conventions for d_make_root() are chosen that way
just for that reason - to minimize the amount of cleanups needed.

Re: kernel BUG at fs/inode.c:LINE!

[Dmitry Vyukov]

On Tue, Dec 18, 2018 at 1:42 PM Ian Kent  wrote:
>
> On Tue, 2018-12-18 at 13:27 +0100, Dmitry Vyukov wrote:
> > On Tue, Dec 18, 2018 at 12:35 PM Ian Kent  wrote:
> > >
> > > On Tue, 2018-12-18 at 18:42 +0800, Ian Kent wrote:
> > > > On Mon, 2018-12-17 at 07:21 +, Al Viro wrote:
> > > > > On Sun, Dec 16, 2018 at 10:11:04PM -0800, syzbot wrote:
> > > > > > Hello,
> > > > > >
> > > > > > syzbot found the following crash on:
> > > > > >
> > > > > > HEAD commit:d14b746c6c1c Add linux-next specific files for
> > > > > > 20181214
> > > > > > git tree:   linux-next
> > > > > > console output:
> > > > > > https://syzkaller.appspot.com/x/log.txt?x=1370634740
> > > > > > kernel config:
> > > > > > https://syzkaller.appspot.com/x/.config?x=1da6d2d18f803140
> > > > > > dashboard link:
> > > > > > https://syzkaller.appspot.com/bug?extid=5399ed0832693e29f392
> > > > > > compiler:   gcc (GCC) 8.0.1 20180413 (experimental)
> > > > > > syz repro:
> > > > > > https://syzkaller.appspot.com/x/repro.syz?x=101032b340
> > > > > > C reproducer:
> > > > > > https://syzkaller.appspot.com/x/repro.c?x=1653406340
> > > > > >
> > > > > > IMPORTANT: if you fix the bug, please add the following tag to the
> > > > > > commit:
> > > > > > Reported-by: syzbot+5399ed0832693e29f...@syzkaller.appspotmail.com
> > > > > >
> > > > > >  slab_pre_alloc_hook mm/slab.h:423 [inline]
> > > > > >  slab_alloc mm/slab.c:3365 [inline]
> > > > > >  kmem_cache_alloc+0x2c4/0x730 mm/slab.c:3539
> > > > > >  __d_alloc+0xc8/0xb90 fs/dcache.c:1599
> > > > > > [ cut here ]
> > > > > > kernel BUG at fs/inode.c:1566!
> > > > > >  d_alloc_anon fs/dcache.c:1698 [inline]
> > > > > >  d_make_root+0x43/0xc0 fs/dcache.c:1885
> > > > > >  autofs_fill_super+0x6f1/0x1c30 fs/autofs/inode.c:273
> > > > >
> > > > > Huh?  BUG is in iput(), AFAICS, so the stack trace is rather
> > > > > misreported.
> > > > > iput() can be called by d_make_root(), provided that dentry allocation
> > > > > fails.  So the most straightforward interpretation would be that we
> > > > > had an allocation failure (injected?), followed by iput() of the inode
> > > > > passed to d_make_root().  Which happened to find I_CLEAR in ->i_state
> > > > > of that inode somehow, which should be impossible short of seriously
> > > > > buggered inode refcounting somewhere - the inode has just been 
> > > > > returned
> > > > > by new_inode(), which clears i_state, and it would have to have passed
> > > > > clear_inode() (i.e. has been through inode eviction) since then...
> > > >
> > > > Sorry Al, that's my bad.
> > > >
> > > > See
> > > >
> https://www.ozlabs.org/~akpm/mmotm/broken-out/autofs-fix-possible-inode-leak-in-autofs_fill_super.patch
> > > >
> > > > I think this will fix it, I'll forward it to Andrew if you agree:
> > >
> > > Actually, looking at it again the above patch is plain not needed,
> > > dropping it and updating the patch which follows it in the series
> > > is what needs to be done.
> > >
> > > Andrew, what should I do to make this easiest for you to handle,
> > > a respost with v2 in the subject of the patch affected by dropping
> > > the above patch?
> > >
> > > Or I could repost the series with above patch dropped and the affected
> > > patch corrected?
> >
> > Hi Ian,
> >
> > If you going to amend any commits, please add:
> > Tested-by: syzbot+5399ed0832693e29f...@syzkaller.appspotmail.com
> > otherwise:
> > Reported-by: syzbot+5399ed0832693e29f...@syzkaller.appspotmail.com
>
> I was thinking about how to handle loosing that information.
>
> I don't think this amounts amending commits since Andrews mmotm is
> based on patch series so dropping a patch and updating patches before
> being merged won't capture this.
>
> Adding the "Tested-by" attribution to the updated patch prior to syzbot
> actually performing the test might be ok since it will get tested along
> the way. Although the problem patch itself won't exist any more so ... ?

I am a bit lost.
There should be some patch that will fix this (new or amended). Either
that patch needs to include Reporter/Tested-by tag, or we will need to
tell syzbot about the fix manually with the "#syz fix:" command.

> OTOH, if I repost the series I think I can send them to syzbot for testing
> before forwarding to Andrew (I've done something like that before but can't
> remember how now) and add the attribution to the series.
>
> But this all depends on what is best for Andrew and what Al would like to
> see done.

Re: kernel BUG at fs/inode.c:LINE!

[Ian Kent]

On Tue, 2018-12-18 at 13:27 +0100, Dmitry Vyukov wrote:
> On Tue, Dec 18, 2018 at 12:35 PM Ian Kent  wrote:
> > 
> > On Tue, 2018-12-18 at 18:42 +0800, Ian Kent wrote:
> > > On Mon, 2018-12-17 at 07:21 +, Al Viro wrote:
> > > > On Sun, Dec 16, 2018 at 10:11:04PM -0800, syzbot wrote:
> > > > > Hello,
> > > > > 
> > > > > syzbot found the following crash on:
> > > > > 
> > > > > HEAD commit:d14b746c6c1c Add linux-next specific files for
> > > > > 20181214
> > > > > git tree:   linux-next
> > > > > console output: 
> > > > > https://syzkaller.appspot.com/x/log.txt?x=1370634740
> > > > > kernel config:  
> > > > > https://syzkaller.appspot.com/x/.config?x=1da6d2d18f803140
> > > > > dashboard link:
> > > > > https://syzkaller.appspot.com/bug?extid=5399ed0832693e29f392
> > > > > compiler:   gcc (GCC) 8.0.1 20180413 (experimental)
> > > > > syz repro:  
> > > > > https://syzkaller.appspot.com/x/repro.syz?x=101032b340
> > > > > C reproducer:   
> > > > > https://syzkaller.appspot.com/x/repro.c?x=1653406340
> > > > > 
> > > > > IMPORTANT: if you fix the bug, please add the following tag to the
> > > > > commit:
> > > > > Reported-by: syzbot+5399ed0832693e29f...@syzkaller.appspotmail.com
> > > > > 
> > > > >  slab_pre_alloc_hook mm/slab.h:423 [inline]
> > > > >  slab_alloc mm/slab.c:3365 [inline]
> > > > >  kmem_cache_alloc+0x2c4/0x730 mm/slab.c:3539
> > > > >  __d_alloc+0xc8/0xb90 fs/dcache.c:1599
> > > > > [ cut here ]
> > > > > kernel BUG at fs/inode.c:1566!
> > > > >  d_alloc_anon fs/dcache.c:1698 [inline]
> > > > >  d_make_root+0x43/0xc0 fs/dcache.c:1885
> > > > >  autofs_fill_super+0x6f1/0x1c30 fs/autofs/inode.c:273
> > > > 
> > > > Huh?  BUG is in iput(), AFAICS, so the stack trace is rather
> > > > misreported.
> > > > iput() can be called by d_make_root(), provided that dentry allocation
> > > > fails.  So the most straightforward interpretation would be that we
> > > > had an allocation failure (injected?), followed by iput() of the inode
> > > > passed to d_make_root().  Which happened to find I_CLEAR in ->i_state
> > > > of that inode somehow, which should be impossible short of seriously
> > > > buggered inode refcounting somewhere - the inode has just been returned
> > > > by new_inode(), which clears i_state, and it would have to have passed
> > > > clear_inode() (i.e. has been through inode eviction) since then...
> > > 
> > > Sorry Al, that's my bad.
> > > 
> > > See
> > > 
https://www.ozlabs.org/~akpm/mmotm/broken-out/autofs-fix-possible-inode-leak-in-autofs_fill_super.patch
> > > 
> > > I think this will fix it, I'll forward it to Andrew if you agree:
> > 
> > Actually, looking at it again the above patch is plain not needed,
> > dropping it and updating the patch which follows it in the series
> > is what needs to be done.
> > 
> > Andrew, what should I do to make this easiest for you to handle,
> > a respost with v2 in the subject of the patch affected by dropping
> > the above patch?
> > 
> > Or I could repost the series with above patch dropped and the affected
> > patch corrected?
> 
> Hi Ian,
> 
> If you going to amend any commits, please add:
> Tested-by: syzbot+5399ed0832693e29f...@syzkaller.appspotmail.com
> otherwise:
> Reported-by: syzbot+5399ed0832693e29f...@syzkaller.appspotmail.com

I was thinking about how to handle loosing that information.

I don't think this amounts amending commits since Andrews mmotm is
based on patch series so dropping a patch and updating patches before
being merged won't capture this.

Adding the "Tested-by" attribution to the updated patch prior to syzbot
actually performing the test might be ok since it will get tested along
the way. Although the problem patch itself won't exist any more so ... ?

OTOH, if I repost the series I think I can send them to syzbot for testing
before forwarding to Andrew (I've done something like that before but can't
remember how now) and add the attribution to the series.

But this all depends on what is best for Andrew and what Al would like to
see done.

> 
> Thanks
> 
> > > autofs - fix handling of d_make_root() return in autofs_fill_super()
> > > 
> > > From: Ian Kent 
> > > 
> > > A previous change to handle a possible inode leak in autofs_fill_super()
> > > added an iput() on d_make_root() failure but d_make_root() already puts
> > > the passed in inode on failure.
> > > 
> > > Reported-by: syzbot+5399ed0832693e29f...@syzkaller.appspotmail.com
> > > Signed-off-by: Ian Kent 
> > > ---
> > >  fs/autofs/inode.c |4 +---
> > >  1 file changed, 1 insertion(+), 3 deletions(-)
> > > 
> > > diff --git a/fs/autofs/inode.c b/fs/autofs/inode.c
> > > index 501833cc49a8..953f76b95172 100644
> > > --- a/fs/autofs/inode.c
> > > +++ b/fs/autofs/inode.c
> > > @@ -271,7 +271,7 @@ int autofs_fill_super(struct super_block *s, void
> > > *data,
> > > int silent)
> > >   }
> > >   root = d_make_root(root_inode);
> > >   if (!root)
> > > - goto 

Re: kernel BUG at fs/inode.c:LINE!

[Dmitry Vyukov]

On Tue, Dec 18, 2018 at 12:35 PM Ian Kent  wrote:
>
> On Tue, 2018-12-18 at 18:42 +0800, Ian Kent wrote:
> > On Mon, 2018-12-17 at 07:21 +, Al Viro wrote:
> > > On Sun, Dec 16, 2018 at 10:11:04PM -0800, syzbot wrote:
> > > > Hello,
> > > >
> > > > syzbot found the following crash on:
> > > >
> > > > HEAD commit:d14b746c6c1c Add linux-next specific files for 20181214
> > > > git tree:   linux-next
> > > > console output: https://syzkaller.appspot.com/x/log.txt?x=1370634740
> > > > kernel config:  
> > > > https://syzkaller.appspot.com/x/.config?x=1da6d2d18f803140
> > > > dashboard link:
> > > > https://syzkaller.appspot.com/bug?extid=5399ed0832693e29f392
> > > > compiler:   gcc (GCC) 8.0.1 20180413 (experimental)
> > > > syz repro:  
> > > > https://syzkaller.appspot.com/x/repro.syz?x=101032b340
> > > > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1653406340
> > > >
> > > > IMPORTANT: if you fix the bug, please add the following tag to the 
> > > > commit:
> > > > Reported-by: syzbot+5399ed0832693e29f...@syzkaller.appspotmail.com
> > > >
> > > >  slab_pre_alloc_hook mm/slab.h:423 [inline]
> > > >  slab_alloc mm/slab.c:3365 [inline]
> > > >  kmem_cache_alloc+0x2c4/0x730 mm/slab.c:3539
> > > >  __d_alloc+0xc8/0xb90 fs/dcache.c:1599
> > > > [ cut here ]
> > > > kernel BUG at fs/inode.c:1566!
> > > >  d_alloc_anon fs/dcache.c:1698 [inline]
> > > >  d_make_root+0x43/0xc0 fs/dcache.c:1885
> > > >  autofs_fill_super+0x6f1/0x1c30 fs/autofs/inode.c:273
> > >
> > > Huh?  BUG is in iput(), AFAICS, so the stack trace is rather misreported.
> > > iput() can be called by d_make_root(), provided that dentry allocation
> > > fails.  So the most straightforward interpretation would be that we
> > > had an allocation failure (injected?), followed by iput() of the inode
> > > passed to d_make_root().  Which happened to find I_CLEAR in ->i_state
> > > of that inode somehow, which should be impossible short of seriously
> > > buggered inode refcounting somewhere - the inode has just been returned
> > > by new_inode(), which clears i_state, and it would have to have passed
> > > clear_inode() (i.e. has been through inode eviction) since then...
> >
> > Sorry Al, that's my bad.
> >
> > See
> > https://www.ozlabs.org/~akpm/mmotm/broken-out/autofs-fix-possible-inode-leak-in-autofs_fill_super.patch
> >
> > I think this will fix it, I'll forward it to Andrew if you agree:
>
> Actually, looking at it again the above patch is plain not needed,
> dropping it and updating the patch which follows it in the series
> is what needs to be done.
>
> Andrew, what should I do to make this easiest for you to handle,
> a respost with v2 in the subject of the patch affected by dropping
> the above patch?
>
> Or I could repost the series with above patch dropped and the affected
> patch corrected?

Hi Ian,

If you going to amend any commits, please add:
Tested-by: syzbot+5399ed0832693e29f...@syzkaller.appspotmail.com
otherwise:
Reported-by: syzbot+5399ed0832693e29f...@syzkaller.appspotmail.com

Thanks

> > autofs - fix handling of d_make_root() return in autofs_fill_super()
> >
> > From: Ian Kent 
> >
> > A previous change to handle a possible inode leak in autofs_fill_super()
> > added an iput() on d_make_root() failure but d_make_root() already puts
> > the passed in inode on failure.
> >
> > Reported-by: syzbot+5399ed0832693e29f...@syzkaller.appspotmail.com
> > Signed-off-by: Ian Kent 
> > ---
> >  fs/autofs/inode.c |4 +---
> >  1 file changed, 1 insertion(+), 3 deletions(-)
> >
> > diff --git a/fs/autofs/inode.c b/fs/autofs/inode.c
> > index 501833cc49a8..953f76b95172 100644
> > --- a/fs/autofs/inode.c
> > +++ b/fs/autofs/inode.c
> > @@ -271,7 +271,7 @@ int autofs_fill_super(struct super_block *s, void *data,
> > int silent)
> >   }
> >   root = d_make_root(root_inode);
> >   if (!root)
> > - goto fail_iput;
> > + goto fail_ino;
> >   pipe = NULL;
> >
> >   root->d_fsdata = ino;
> > @@ -347,8 +347,6 @@ int autofs_fill_super(struct super_block *s, void *data,
> > int silent)
> >  fail_dput:
> >   dput(root);
> >   goto fail_free;
> > -fail_iput:
> > - iput(root_inode);
> >  fail_ino:
> >   autofs_free_ino(ino);
> >  fail_free:
> >
>

Re: kernel BUG at fs/inode.c:LINE!

[Ian Kent]

On Tue, 2018-12-18 at 13:01 +0200, Amir Goldstein wrote:
> On Tue, Dec 18, 2018 at 12:43 PM Ian Kent  wrote:
> > 
> > On Mon, 2018-12-17 at 07:21 +, Al Viro wrote:
> > > On Sun, Dec 16, 2018 at 10:11:04PM -0800, syzbot wrote:
> > > > Hello,
> > > > 
> > > > syzbot found the following crash on:
> > > > 
> > > > HEAD commit:d14b746c6c1c Add linux-next specific files for 20181214
> > > > git tree:   linux-next
> > > > console output: https://syzkaller.appspot.com/x/log.txt?x=1370634740
> > > > kernel config:  
> > > > https://syzkaller.appspot.com/x/.config?x=1da6d2d18f803140
> > > > dashboard link: 
> > > > https://syzkaller.appspot.com/bug?extid=5399ed0832693e29f392
> > > > compiler:   gcc (GCC) 8.0.1 20180413 (experimental)
> > > > syz repro:  
> > > > https://syzkaller.appspot.com/x/repro.syz?x=101032b340
> > > > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1653406340
> > > > 
> > > > IMPORTANT: if you fix the bug, please add the following tag to the
> > > > commit:
> > > > Reported-by: syzbot+5399ed0832693e29f...@syzkaller.appspotmail.com
> > > > 
> > > >  slab_pre_alloc_hook mm/slab.h:423 [inline]
> > > >  slab_alloc mm/slab.c:3365 [inline]
> > > >  kmem_cache_alloc+0x2c4/0x730 mm/slab.c:3539
> > > >  __d_alloc+0xc8/0xb90 fs/dcache.c:1599
> > > > [ cut here ]
> > > > kernel BUG at fs/inode.c:1566!
> > > >  d_alloc_anon fs/dcache.c:1698 [inline]
> > > >  d_make_root+0x43/0xc0 fs/dcache.c:1885
> > > >  autofs_fill_super+0x6f1/0x1c30 fs/autofs/inode.c:273
> > > 
> > > Huh?  BUG is in iput(), AFAICS, so the stack trace is rather misreported.
> > > iput() can be called by d_make_root(), provided that dentry allocation
> > > fails.  So the most straightforward interpretation would be that we
> > > had an allocation failure (injected?), followed by iput() of the inode
> > > passed to d_make_root().  Which happened to find I_CLEAR in ->i_state
> > > of that inode somehow, which should be impossible short of seriously
> > > buggered inode refcounting somewhere - the inode has just been returned
> > > by new_inode(), which clears i_state, and it would have to have passed
> > > clear_inode() (i.e. has been through inode eviction) since then...
> > 
> > Sorry Al, that's my bad.
> > 
> > See 
> > https://www.ozlabs.org/~akpm/mmotm/broken-out/autofs-fix-possible-inode-leak-in-autofs_fill_super.patch
> > 
> > I think this will fix it, I'll forward it to Andrew if you agree:
> > 
> > autofs - fix handling of d_make_root() return in autofs_fill_super()
> 
> You realize you can just revert that patch.
> d_make_root() can take NULL inode as argument.
> At the very least, please mention the offending commit with Fixes tag.

Thanks Amir, I did get that after looking again once the panic
of my stupid mistake passed, ;)

> 
> Thanks,
> Amir.
> 
> > 
> > From: Ian Kent 
> > 
> > A previous change to handle a possible inode leak in autofs_fill_super()
> > added an iput() on d_make_root() failure but d_make_root() already puts
> > the passed in inode on failure.
> > 
> > Reported-by: syzbot+5399ed0832693e29f...@syzkaller.appspotmail.com
> > Signed-off-by: Ian Kent 
> > ---
> >  fs/autofs/inode.c |4 +---
> >  1 file changed, 1 insertion(+), 3 deletions(-)
> > 
> > diff --git a/fs/autofs/inode.c b/fs/autofs/inode.c
> > index 501833cc49a8..953f76b95172 100644
> > --- a/fs/autofs/inode.c
> > +++ b/fs/autofs/inode.c
> > @@ -271,7 +271,7 @@ int autofs_fill_super(struct super_block *s, void *data,
> > int silent)
> > }
> > root = d_make_root(root_inode);
> > if (!root)
> > -   goto fail_iput;
> > +   goto fail_ino;
> > pipe = NULL;
> > 
> > root->d_fsdata = ino;
> > @@ -347,8 +347,6 @@ int autofs_fill_super(struct super_block *s, void *data,
> > int silent)
> >  fail_dput:
> > dput(root);
> > goto fail_free;
> > -fail_iput:
> > -   iput(root_inode);
> >  fail_ino:
> > autofs_free_ino(ino);
> >  fail_free:
> > 

Re: kernel BUG at fs/inode.c:LINE!

[Ian Kent]

On Tue, 2018-12-18 at 18:42 +0800, Ian Kent wrote:
> On Mon, 2018-12-17 at 07:21 +, Al Viro wrote:
> > On Sun, Dec 16, 2018 at 10:11:04PM -0800, syzbot wrote:
> > > Hello,
> > > 
> > > syzbot found the following crash on:
> > > 
> > > HEAD commit:d14b746c6c1c Add linux-next specific files for 20181214
> > > git tree:   linux-next
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=1370634740
> > > kernel config:  https://syzkaller.appspot.com/x/.config?x=1da6d2d18f803140
> > > dashboard link: 
> > > https://syzkaller.appspot.com/bug?extid=5399ed0832693e29f392
> > > compiler:   gcc (GCC) 8.0.1 20180413 (experimental)
> > > syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=101032b340
> > > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1653406340
> > > 
> > > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > > Reported-by: syzbot+5399ed0832693e29f...@syzkaller.appspotmail.com
> > > 
> > >  slab_pre_alloc_hook mm/slab.h:423 [inline]
> > >  slab_alloc mm/slab.c:3365 [inline]
> > >  kmem_cache_alloc+0x2c4/0x730 mm/slab.c:3539
> > >  __d_alloc+0xc8/0xb90 fs/dcache.c:1599
> > > [ cut here ]
> > > kernel BUG at fs/inode.c:1566!
> > >  d_alloc_anon fs/dcache.c:1698 [inline]
> > >  d_make_root+0x43/0xc0 fs/dcache.c:1885
> > >  autofs_fill_super+0x6f1/0x1c30 fs/autofs/inode.c:273
> > 
> > Huh?  BUG is in iput(), AFAICS, so the stack trace is rather misreported.
> > iput() can be called by d_make_root(), provided that dentry allocation
> > fails.  So the most straightforward interpretation would be that we
> > had an allocation failure (injected?), followed by iput() of the inode
> > passed to d_make_root().  Which happened to find I_CLEAR in ->i_state
> > of that inode somehow, which should be impossible short of seriously
> > buggered inode refcounting somewhere - the inode has just been returned
> > by new_inode(), which clears i_state, and it would have to have passed
> > clear_inode() (i.e. has been through inode eviction) since then...
> 
> Sorry Al, that's my bad.
> 
> See 
> https://www.ozlabs.org/~akpm/mmotm/broken-out/autofs-fix-possible-inode-leak-in-autofs_fill_super.patch
> 
> I think this will fix it, I'll forward it to Andrew if you agree:

Actually, looking at it again the above patch is plain not needed,
dropping it and updating the patch which follows it in the series
is what needs to be done.

Andrew, what should I do to make this easiest for you to handle,
a respost with v2 in the subject of the patch affected by dropping
the above patch?

Or I could repost the series with above patch dropped and the affected
patch corrected?

> 
> autofs - fix handling of d_make_root() return in autofs_fill_super()
> 
> From: Ian Kent 
> 
> A previous change to handle a possible inode leak in autofs_fill_super()
> added an iput() on d_make_root() failure but d_make_root() already puts
> the passed in inode on failure.
> 
> Reported-by: syzbot+5399ed0832693e29f...@syzkaller.appspotmail.com
> Signed-off-by: Ian Kent 
> ---
>  fs/autofs/inode.c |4 +---
>  1 file changed, 1 insertion(+), 3 deletions(-)
> 
> diff --git a/fs/autofs/inode.c b/fs/autofs/inode.c
> index 501833cc49a8..953f76b95172 100644
> --- a/fs/autofs/inode.c
> +++ b/fs/autofs/inode.c
> @@ -271,7 +271,7 @@ int autofs_fill_super(struct super_block *s, void *data,
> int silent)
>   }
>   root = d_make_root(root_inode);
>   if (!root)
> - goto fail_iput;
> + goto fail_ino;
>   pipe = NULL;
>  
>   root->d_fsdata = ino;
> @@ -347,8 +347,6 @@ int autofs_fill_super(struct super_block *s, void *data,
> int silent)
>  fail_dput:
>   dput(root);
>   goto fail_free;
> -fail_iput:
> - iput(root_inode);
>  fail_ino:
>   autofs_free_ino(ino);
>  fail_free:
> 

Re: kernel BUG at fs/inode.c:LINE!

[Amir Goldstein]

On Tue, Dec 18, 2018 at 12:43 PM Ian Kent  wrote:
>
> On Mon, 2018-12-17 at 07:21 +, Al Viro wrote:
> > On Sun, Dec 16, 2018 at 10:11:04PM -0800, syzbot wrote:
> > > Hello,
> > >
> > > syzbot found the following crash on:
> > >
> > > HEAD commit:d14b746c6c1c Add linux-next specific files for 20181214
> > > git tree:   linux-next
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=1370634740
> > > kernel config:  https://syzkaller.appspot.com/x/.config?x=1da6d2d18f803140
> > > dashboard link: 
> > > https://syzkaller.appspot.com/bug?extid=5399ed0832693e29f392
> > > compiler:   gcc (GCC) 8.0.1 20180413 (experimental)
> > > syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=101032b340
> > > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1653406340
> > >
> > > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > > Reported-by: syzbot+5399ed0832693e29f...@syzkaller.appspotmail.com
> > >
> > >  slab_pre_alloc_hook mm/slab.h:423 [inline]
> > >  slab_alloc mm/slab.c:3365 [inline]
> > >  kmem_cache_alloc+0x2c4/0x730 mm/slab.c:3539
> > >  __d_alloc+0xc8/0xb90 fs/dcache.c:1599
> > > [ cut here ]
> > > kernel BUG at fs/inode.c:1566!
> > >  d_alloc_anon fs/dcache.c:1698 [inline]
> > >  d_make_root+0x43/0xc0 fs/dcache.c:1885
> > >  autofs_fill_super+0x6f1/0x1c30 fs/autofs/inode.c:273
> >
> > Huh?  BUG is in iput(), AFAICS, so the stack trace is rather misreported.
> > iput() can be called by d_make_root(), provided that dentry allocation
> > fails.  So the most straightforward interpretation would be that we
> > had an allocation failure (injected?), followed by iput() of the inode
> > passed to d_make_root().  Which happened to find I_CLEAR in ->i_state
> > of that inode somehow, which should be impossible short of seriously
> > buggered inode refcounting somewhere - the inode has just been returned
> > by new_inode(), which clears i_state, and it would have to have passed
> > clear_inode() (i.e. has been through inode eviction) since then...
>
> Sorry Al, that's my bad.
>
> See 
> https://www.ozlabs.org/~akpm/mmotm/broken-out/autofs-fix-possible-inode-leak-in-autofs_fill_super.patch
>
> I think this will fix it, I'll forward it to Andrew if you agree:
>
> autofs - fix handling of d_make_root() return in autofs_fill_super()

You realize you can just revert that patch.
d_make_root() can take NULL inode as argument.
At the very least, please mention the offending commit with Fixes tag.

Thanks,
Amir.

>
> From: Ian Kent 
>
> A previous change to handle a possible inode leak in autofs_fill_super()
> added an iput() on d_make_root() failure but d_make_root() already puts
> the passed in inode on failure.
>
> Reported-by: syzbot+5399ed0832693e29f...@syzkaller.appspotmail.com
> Signed-off-by: Ian Kent 
> ---
>  fs/autofs/inode.c |4 +---
>  1 file changed, 1 insertion(+), 3 deletions(-)
>
> diff --git a/fs/autofs/inode.c b/fs/autofs/inode.c
> index 501833cc49a8..953f76b95172 100644
> --- a/fs/autofs/inode.c
> +++ b/fs/autofs/inode.c
> @@ -271,7 +271,7 @@ int autofs_fill_super(struct super_block *s, void *data, 
> int silent)
> }
> root = d_make_root(root_inode);
> if (!root)
> -   goto fail_iput;
> +   goto fail_ino;
> pipe = NULL;
>
> root->d_fsdata = ino;
> @@ -347,8 +347,6 @@ int autofs_fill_super(struct super_block *s, void *data, 
> int silent)
>  fail_dput:
> dput(root);
> goto fail_free;
> -fail_iput:
> -   iput(root_inode);
>  fail_ino:
> autofs_free_ino(ino);
>  fail_free:
>

Re: kernel BUG at fs/inode.c:LINE!

[Ian Kent]

On Mon, 2018-12-17 at 07:21 +, Al Viro wrote:
> On Sun, Dec 16, 2018 at 10:11:04PM -0800, syzbot wrote:
> > Hello,
> > 
> > syzbot found the following crash on:
> > 
> > HEAD commit:d14b746c6c1c Add linux-next specific files for 20181214
> > git tree:   linux-next
> > console output: https://syzkaller.appspot.com/x/log.txt?x=1370634740
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=1da6d2d18f803140
> > dashboard link: https://syzkaller.appspot.com/bug?extid=5399ed0832693e29f392
> > compiler:   gcc (GCC) 8.0.1 20180413 (experimental)
> > syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=101032b340
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1653406340
> > 
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+5399ed0832693e29f...@syzkaller.appspotmail.com
> > 
> >  slab_pre_alloc_hook mm/slab.h:423 [inline]
> >  slab_alloc mm/slab.c:3365 [inline]
> >  kmem_cache_alloc+0x2c4/0x730 mm/slab.c:3539
> >  __d_alloc+0xc8/0xb90 fs/dcache.c:1599
> > [ cut here ]
> > kernel BUG at fs/inode.c:1566!
> >  d_alloc_anon fs/dcache.c:1698 [inline]
> >  d_make_root+0x43/0xc0 fs/dcache.c:1885
> >  autofs_fill_super+0x6f1/0x1c30 fs/autofs/inode.c:273
> 
> Huh?  BUG is in iput(), AFAICS, so the stack trace is rather misreported.
> iput() can be called by d_make_root(), provided that dentry allocation
> fails.  So the most straightforward interpretation would be that we
> had an allocation failure (injected?), followed by iput() of the inode
> passed to d_make_root().  Which happened to find I_CLEAR in ->i_state
> of that inode somehow, which should be impossible short of seriously
> buggered inode refcounting somewhere - the inode has just been returned
> by new_inode(), which clears i_state, and it would have to have passed
> clear_inode() (i.e. has been through inode eviction) since then...

Sorry Al, that's my bad.

See 
https://www.ozlabs.org/~akpm/mmotm/broken-out/autofs-fix-possible-inode-leak-in-autofs_fill_super.patch

I think this will fix it, I'll forward it to Andrew if you agree:

autofs - fix handling of d_make_root() return in autofs_fill_super()

From: Ian Kent 

A previous change to handle a possible inode leak in autofs_fill_super()
added an iput() on d_make_root() failure but d_make_root() already puts
the passed in inode on failure.

Reported-by: syzbot+5399ed0832693e29f...@syzkaller.appspotmail.com
Signed-off-by: Ian Kent 
---
 fs/autofs/inode.c |4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/fs/autofs/inode.c b/fs/autofs/inode.c
index 501833cc49a8..953f76b95172 100644
--- a/fs/autofs/inode.c
+++ b/fs/autofs/inode.c
@@ -271,7 +271,7 @@ int autofs_fill_super(struct super_block *s, void *data, 
int silent)
}
root = d_make_root(root_inode);
if (!root)
-   goto fail_iput;
+   goto fail_ino;
pipe = NULL;
 
root->d_fsdata = ino;
@@ -347,8 +347,6 @@ int autofs_fill_super(struct super_block *s, void *data, 
int silent)
 fail_dput:
dput(root);
goto fail_free;
-fail_iput:
-   iput(root_inode);
 fail_ino:
autofs_free_ino(ino);
 fail_free:

Re: kernel BUG at fs/inode.c:LINE!

[Tetsuo Handa]

On 2018/12/17 19:08, Dmitry Vyukov wrote:
> On Mon, Dec 17, 2018 at 8:21 AM Al Viro  wrote:
>>>  slab_pre_alloc_hook mm/slab.h:423 [inline]
>>>  slab_alloc mm/slab.c:3365 [inline]
>>>  kmem_cache_alloc+0x2c4/0x730 mm/slab.c:3539
>>>  __d_alloc+0xc8/0xb90 fs/dcache.c:1599
>>> [ cut here ]
>>> kernel BUG at fs/inode.c:1566!
>>>  d_alloc_anon fs/dcache.c:1698 [inline]
>>>  d_make_root+0x43/0xc0 fs/dcache.c:1885
>>>  autofs_fill_super+0x6f1/0x1c30 fs/autofs/inode.c:273
>>
>> Huh?  BUG is in iput(), AFAICS, so the stack trace is rather misreported.
> 
> Yes, it's a known problem that kernel is generally incapable of
> producing parsable crash reports. I think Tetsuo is working on a
> solution, but it takes very large amount of discussions and months of
> time.

The solution, CONFIG_PRINTK_FROM option (which will be renamed to 
CONFIG_PRINTK_CALLER
option tomorrow), just arrived at linux-next-20181218. We can try it...

But currently syzbot cannot boot using linux-next-20181218 due to
"Kernel panic - not syncing: Can't create rootfs" presumably due to changes 
merged by
"Merge branches 'work.mount', 'work.misc', 'misc.misc' and 'work.iov_iter' into 
for-next".
I think that we need to examine this "Can't create rootfs" problem, for
the merge window is approaching...

Re: kernel BUG at fs/inode.c:LINE!

[Dmitry Vyukov]

On Mon, Dec 17, 2018 at 8:21 AM Al Viro  wrote:
>
> On Sun, Dec 16, 2018 at 10:11:04PM -0800, syzbot wrote:
> > Hello,
> >
> > syzbot found the following crash on:
> >
> > HEAD commit:d14b746c6c1c Add linux-next specific files for 20181214
> > git tree:   linux-next
> > console output: https://syzkaller.appspot.com/x/log.txt?x=1370634740
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=1da6d2d18f803140
> > dashboard link: https://syzkaller.appspot.com/bug?extid=5399ed0832693e29f392
> > compiler:   gcc (GCC) 8.0.1 20180413 (experimental)
> > syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=101032b340
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1653406340
> >
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+5399ed0832693e29f...@syzkaller.appspotmail.com
> >
> >  slab_pre_alloc_hook mm/slab.h:423 [inline]
> >  slab_alloc mm/slab.c:3365 [inline]
> >  kmem_cache_alloc+0x2c4/0x730 mm/slab.c:3539
> >  __d_alloc+0xc8/0xb90 fs/dcache.c:1599
> > [ cut here ]
> > kernel BUG at fs/inode.c:1566!
> >  d_alloc_anon fs/dcache.c:1698 [inline]
> >  d_make_root+0x43/0xc0 fs/dcache.c:1885
> >  autofs_fill_super+0x6f1/0x1c30 fs/autofs/inode.c:273
>
> Huh?  BUG is in iput(), AFAICS, so the stack trace is rather misreported.

Yes, it's a known problem that kernel is generally incapable of
producing parsable crash reports. I think Tetsuo is working on a
solution, but it takes very large amount of discussions and months of
time.

> iput() can be called by d_make_root(), provided that dentry allocation
> fails.  So the most straightforward interpretation would be that we
> had an allocation failure (injected?), followed by iput() of the inode
> passed to d_make_root().  Which happened to find I_CLEAR in ->i_state
> of that inode somehow, which should be impossible short of seriously
> buggered inode refcounting somewhere - the inode has just been returned
> by new_inode(), which clears i_state, and it would have to have passed
> clear_inode() (i.e. has been through inode eviction) since then...

Yes, there are injected failures in the log.
And the repro says:

#{..."fault":true,"fault_call":1,"fault_nth":36 ...}
mkdir(&(0x7f000140)='./file0\x00', 0x0)
mount(0x0, &(0x7f000100)='./file0\x00',
&(0x7f000180)='autofs\x00', 0x0, 0x0)

Since the repro is single-threaded, I would expect that the bug is
directly on the error handling path of the failure allocation.

Re: kernel BUG at fs/inode.c:LINE!

[Al Viro]

On Sun, Dec 16, 2018 at 10:11:04PM -0800, syzbot wrote:
> Hello,
> 
> syzbot found the following crash on:
> 
> HEAD commit:d14b746c6c1c Add linux-next specific files for 20181214
> git tree:   linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=1370634740
> kernel config:  https://syzkaller.appspot.com/x/.config?x=1da6d2d18f803140
> dashboard link: https://syzkaller.appspot.com/bug?extid=5399ed0832693e29f392
> compiler:   gcc (GCC) 8.0.1 20180413 (experimental)
> syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=101032b340
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1653406340
> 
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+5399ed0832693e29f...@syzkaller.appspotmail.com
> 
>  slab_pre_alloc_hook mm/slab.h:423 [inline]
>  slab_alloc mm/slab.c:3365 [inline]
>  kmem_cache_alloc+0x2c4/0x730 mm/slab.c:3539
>  __d_alloc+0xc8/0xb90 fs/dcache.c:1599
> [ cut here ]
> kernel BUG at fs/inode.c:1566!
>  d_alloc_anon fs/dcache.c:1698 [inline]
>  d_make_root+0x43/0xc0 fs/dcache.c:1885
>  autofs_fill_super+0x6f1/0x1c30 fs/autofs/inode.c:273

Huh?  BUG is in iput(), AFAICS, so the stack trace is rather misreported.
iput() can be called by d_make_root(), provided that dentry allocation
fails.  So the most straightforward interpretation would be that we
had an allocation failure (injected?), followed by iput() of the inode
passed to d_make_root().  Which happened to find I_CLEAR in ->i_state
of that inode somehow, which should be impossible short of seriously
buggered inode refcounting somewhere - the inode has just been returned
by new_inode(), which clears i_state, and it would have to have passed
clear_inode() (i.e. has been through inode eviction) since then...

kernel BUG at fs/inode.c:LINE!

[syzbot]

Hello,

syzbot found the following crash on:

HEAD commit:d14b746c6c1c Add linux-next specific files for 20181214
git tree:   linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1370634740
kernel config:  https://syzkaller.appspot.com/x/.config?x=1da6d2d18f803140
dashboard link: https://syzkaller.appspot.com/bug?extid=5399ed0832693e29f392
compiler:   gcc (GCC) 8.0.1 20180413 (experimental)
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=101032b340
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1653406340

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+5399ed0832693e29f...@syzkaller.appspotmail.com

 slab_pre_alloc_hook mm/slab.h:423 [inline]
 slab_alloc mm/slab.c:3365 [inline]
 kmem_cache_alloc+0x2c4/0x730 mm/slab.c:3539
 __d_alloc+0xc8/0xb90 fs/dcache.c:1599
[ cut here ]
kernel BUG at fs/inode.c:1566!
 d_alloc_anon fs/dcache.c:1698 [inline]
 d_make_root+0x43/0xc0 fs/dcache.c:1885
 autofs_fill_super+0x6f1/0x1c30 fs/autofs/inode.c:273
invalid opcode:  [#1] PREEMPT SMP KASAN
CPU: 1 PID: 6100 Comm: syz-executor637 Not tainted  
4.20.0-rc6-next-20181214+ #171
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011

RIP: 0010:iput+0x915/0xa90 fs/inode.c:1566
Code: e4 0f 84 a8 fe ff ff e8 e9 fe a6 ff 48 89 df e8 61 f4 ff ff 48 8b bd  
f0 fe ff ff e8 35 41 08 06 e9 69 fd ff ff e8 cb fe a6 ff <0f> 0b e8 c4 fe  
a6 ff 0f 0b e9 d5 fb ff ff e8 b8 fe a6 ff 0f 0b e9

RSP: 0018:8881c0ff76b8 EFLAGS: 00010293
RAX: 8881c0fdc100 RBX: 8881b25f44a0 RCX: 81d8fc14
RDX:  RSI: 81d90455 RDI: 0007
RBP: 8881c0ff77f0 R08: 8881c0fdc100 R09: 0006
R10:  R11: 8881c0fdc100 R12: 0040
R13: 8881c0ff7910 R14: ffea R15: 8881d0c4d200
 mount_nodev+0x73/0x120 fs/super.c:1402
FS:  01e1a880() GS:8881dad0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
 autofs_mount+0x34/0x40 fs/autofs/init.c:16
CR2: 006cd0a0 CR3: 0001b2c56000 CR4: 001406e0
DR0:  DR1:  DR2: 
 legacy_get_tree+0x12f/0x260 fs/fs_context.c:714
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 vfs_get_tree+0x1cb/0x5c0 fs/super.c:1795
 do_new_mount fs/namespace.c:2716 [inline]
 do_mount+0x82a/0x1ff0 fs/namespace.c:3042
 autofs_fill_super+0x15fb/0x1c30 fs/autofs/inode.c:352
 ksys_mount+0x12d/0x140 fs/namespace.c:3258
 __do_sys_mount fs/namespace.c:3272 [inline]
 __se_sys_mount fs/namespace.c:3269 [inline]
 __x64_sys_mount+0xbe/0x150 fs/namespace.c:3269
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 mount_nodev+0x73/0x120 fs/super.c:1402
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
 autofs_mount+0x34/0x40 fs/autofs/init.c:16
RIP: 0033:0x441be9
Code: e8 dc e6 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7  
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff  
ff 0f 83 3b 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00

 legacy_get_tree+0x12f/0x260 fs/fs_context.c:714
RSP: 002b:76330f88 EFLAGS: 0246 ORIG_RAX: 00a5
RAX: ffda RBX:  RCX: 00441be9
 vfs_get_tree+0x1cb/0x5c0 fs/super.c:1795
RDX: 2180 RSI: 2100 RDI: 
RBP: 76330fe0 R08:  R09: 0100
R10:  R11: 0246 R12: 
 do_new_mount fs/namespace.c:2716 [inline]
 do_mount+0x82a/0x1ff0 fs/namespace.c:3042
R13: 0003 R14:  R15: 
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 0 PID: 6107 Comm: syz-executor637 Not tainted  
4.20.0-rc6-next-20181214+ #171
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011

Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x244/0x39d lib/dump_stack.c:113
 ksys_mount+0x12d/0x140 fs/namespace.c:3258
 __do_sys_mount fs/namespace.c:3272 [inline]
 __se_sys_mount fs/namespace.c:3269 [inline]
 __x64_sys_mount+0xbe/0x150 fs/namespace.c:3269
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail.cold.4+0xa/0x17 lib/fault-inject.c:149
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
 __should_failslab+0x124/0x180 mm/failslab.c:32
RIP: 0033:0x441be9
 should_failslab+0x9/0x14 mm/slab_common.c:1576
Code: e8 dc e6 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7  
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff  
ff 0f 83 3b 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00

 slab_pre_alloc_hook mm/slab.h:423 [inline]
 slab_alloc mm/slab.c:3365 [inline]
 kmem_cache_alloc+0x2c4/0x730 mm/slab.c:3539
RSP: 002b:76330f88 EFLAGS: 0246 ORIG_RAX: