bisecting cause commit starting from fdcbcd1348f4ef713668bae1b0fa9774e1811205 building syzkaller on 9d49f3a7c56a414597a16f28dd8b6b2be6352ad8 testing commit fdcbcd1348f4ef713668bae1b0fa9774e1811205 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 0252be48aec40734118d61a0fb37baeb1674f6bcbc904411fafcae90c944be6a all runs: crashed: KASAN: null-ptr-deref Write in io_file_get_normal testing release v5.17 testing commit f443e374ae131c168a065ea1748feac6b2e76613 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: fa708b88af7061ed5936fbed1e9b0c903e963e968d1a481e799ec59cc366a2c9 all runs: OK # git bisect start fdcbcd1348f4ef713668bae1b0fa9774e1811205 f443e374ae131c168a065ea1748feac6b2e76613 Bisecting: 7396 revisions left to test after this (roughly 13 steps) [169e77764adc041b1dacba84ea90516a895d43b2] Merge tag 'net-next-5.18' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next testing commit 169e77764adc041b1dacba84ea90516a895d43b2 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: ab1e6ece12a7c116e15382f1cef2ad5af6dbc67b534ed04ae8ecc607a6ad57f2 all runs: OK # git bisect good 169e77764adc041b1dacba84ea90516a895d43b2 Bisecting: 3697 revisions left to test after this (roughly 12 steps) [1523cc875a6ba127f63a5a8e4e63dd6d199050d9] Merge branch 'for-5.18/alloc-cleanups' into for-next testing commit 1523cc875a6ba127f63a5a8e4e63dd6d199050d9 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: edeb9d994c425c8ed221483699b8386370286c467239f78233d3b5a4d3b3c099 all runs: crashed: KASAN: null-ptr-deref Write in io_file_get_normal # git bisect bad 1523cc875a6ba127f63a5a8e4e63dd6d199050d9 Bisecting: 1856 revisions left to test after this (roughly 11 steps) [b1f8ccdaae0310332d16f65bf0f622f9d4ae2391] Merge tag 'for-5.18/dm-changes' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm testing commit b1f8ccdaae0310332d16f65bf0f622f9d4ae2391 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 57fe77aadae31355235dd3427dc8e7e6c12a3c4854d44e9f70ce1dc7e9761058 all runs: OK # git bisect good b1f8ccdaae0310332d16f65bf0f622f9d4ae2391 Bisecting: 930 revisions left to test after this (roughly 10 steps) [5e206459f670b579da9b7861a0f3ce3b989a68b6] Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid testing commit 5e206459f670b579da9b7861a0f3ce3b989a68b6 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 5fccbf4bd1e3183af24a59488859740795247b08e50bef90c8c5be624284eadd all runs: OK # git bisect good 5e206459f670b579da9b7861a0f3ce3b989a68b6 Bisecting: 496 revisions left to test after this (roughly 9 steps) [bddac7c1e02ba47f0570e494c9289acea3062cc1] Revert "swiotlb: rework "fix info leak with DMA_FROM_DEVICE"" testing commit bddac7c1e02ba47f0570e494c9289acea3062cc1 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: c66f15e01f3920d4f2c688f56d6965640a6c608e69fc7cd3f55ef17bbdb17612 run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: failed to write control pipe: write |NUM: broken pipe run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect good bddac7c1e02ba47f0570e494c9289acea3062cc1 Bisecting: 292 revisions left to test after this (roughly 8 steps) [5627ecb8374a00163d90bc92c33f829ac27895b2] Merge branch 'i2c/for-mergewindow' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux testing commit 5627ecb8374a00163d90bc92c33f829ac27895b2 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: a30608008029e700543457df51ebdd946ef988f74906c1c489aa510d53fe51b7 all runs: OK # git bisect good 5627ecb8374a00163d90bc92c33f829ac27895b2 Bisecting: 146 revisions left to test after this (roughly 7 steps) [b6c44bee2a1c2d05023c9faab609290614159005] usb: gadget: s3c-hsudc: remove usage of list iterator past the loop body testing commit b6c44bee2a1c2d05023c9faab609290614159005 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 49e370be91cb5ce1ebe0382b061981bc8764cfe041f613a0036ef7d66b4a5e1e all runs: OK # git bisect good b6c44bee2a1c2d05023c9faab609290614159005 Bisecting: 89 revisions left to test after this (roughly 6 steps) [3986f65d4f408ce9d0a361e3226a3246a5fb701c] kvm/emulate: Fix SETcc emulation for ENDBR testing commit 3986f65d4f408ce9d0a361e3226a3246a5fb701c compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 6c83e6c16d3c576b5686f4f4184760935f709c88779fc76075214fa47f8201ac all runs: OK # git bisect good 3986f65d4f408ce9d0a361e3226a3246a5fb701c Bisecting: 51 revisions left to test after this (roughly 6 steps) [88b3be5c6391a5b4be1dcdc4bb8dca8438105438] Merge tag 'for-linus' of https://github.com/openrisc/linux testing commit 88b3be5c6391a5b4be1dcdc4bb8dca8438105438 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 5f1ff807e6e2355fcc6c11b4e19408e4db457778cd4a3de1a87fd45418ada203 all runs: OK # git bisect good 88b3be5c6391a5b4be1dcdc4bb8dca8438105438 Bisecting: 24 revisions left to test after this (roughly 5 steps) [3b255fe79c9eaa84a48e35e8cd6406788ba90d9c] Merge branch 'for-5.18/drivers' into for-next testing commit 3b255fe79c9eaa84a48e35e8cd6406788ba90d9c compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 8b1a1a29377f87421defe3f7a8ea6339e5e310304c76cdd2eab95a5739745432 all runs: OK # git bisect good 3b255fe79c9eaa84a48e35e8cd6406788ba90d9c Bisecting: 14 revisions left to test after this (roughly 4 steps) [c02b67509585dcd8c5561759dc78165230519d9c] Merge branch 'for-5.18/drivers' into for-next testing commit c02b67509585dcd8c5561759dc78165230519d9c compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: aee23d12978377c5b7814f0c256b9f57188658d1843500a8f32f6c90bd47eac6 all runs: OK # git bisect good c02b67509585dcd8c5561759dc78165230519d9c Bisecting: 7 revisions left to test after this (roughly 3 steps) [7f07e5f0e0d1e59e7a3e09ca7f8dff7b99a45ce0] Merge branch 'for-5.18/io_uring' into for-next testing commit 7f07e5f0e0d1e59e7a3e09ca7f8dff7b99a45ce0 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 4f5dc90eaa6b8488a5fbc9721fdf92aa5d1260fb627c0cec12bbc48be6294a40 all runs: crashed: KASAN: null-ptr-deref Write in io_file_get_normal # git bisect bad 7f07e5f0e0d1e59e7a3e09ca7f8dff7b99a45ce0 Bisecting: 3 revisions left to test after this (roughly 2 steps) [c686f7a5cbe2eff3c9b41f225fb7cf9e163cde5c] io_uring: defer splice/tee file validity check until command issue testing commit c686f7a5cbe2eff3c9b41f225fb7cf9e163cde5c compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 99745cdc0ef22fd92032b76504553ee780e38a1273fe979d17031f45a4cc8320 all runs: crashed: KASAN: null-ptr-deref Write in io_file_get_normal # git bisect bad c686f7a5cbe2eff3c9b41f225fb7cf9e163cde5c Bisecting: 0 revisions left to test after this (roughly 1 step) [3f1d52abf098c85b177b8c6f5b310e8347d1bc42] io_uring: defer msg-ring file validity check until command issue testing commit 3f1d52abf098c85b177b8c6f5b310e8347d1bc42 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 44a072b8c82bb125c2202252a5638fc92cf4b12c14668e2567c3651c1857670c run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: exit status NUM run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect good 3f1d52abf098c85b177b8c6f5b310e8347d1bc42 c686f7a5cbe2eff3c9b41f225fb7cf9e163cde5c is the first bad commit commit c686f7a5cbe2eff3c9b41f225fb7cf9e163cde5c Author: Jens Axboe Date: Tue Mar 29 10:59:20 2022 -0600 io_uring: defer splice/tee file validity check until command issue In preparation for not using the file at prep time, defer checking if this file refers to a valid io_uring instance until issue time. This also means we can get rid of the cleanup flag for splice and tee. Cc: stable@vger.kernel.org # v5.15+ Signed-off-by: Jens Axboe fs/io_uring.c | 49 +++++++++++++++++++++---------------------------- 1 file changed, 21 insertions(+), 28 deletions(-) culprit signature: 99745cdc0ef22fd92032b76504553ee780e38a1273fe979d17031f45a4cc8320 parent signature: 44a072b8c82bb125c2202252a5638fc92cf4b12c14668e2567c3651c1857670c revisions tested: 16, total time: 2h52m26.960144959s (build: 1h38m29.99725798s, test: 1h12m22.766655762s) first bad commit: c686f7a5cbe2eff3c9b41f225fb7cf9e163cde5c io_uring: defer splice/tee file validity check until command issue recipients (to): ["axboe@kernel.dk" "axboe@kernel.dk" "io-uring@vger.kernel.org"] recipients (cc): ["asml.silence@gmail.com" "linux-kernel@vger.kernel.org"] crash: KASAN: null-ptr-deref Write in io_file_get_normal ================================================================== BUG: KASAN: null-ptr-deref in instrument_atomic_read_write include/linux/instrumented.h:101 [inline] BUG: KASAN: null-ptr-deref in atomic_inc include/linux/atomic/atomic-instrumented.h:190 [inline] BUG: KASAN: null-ptr-deref in io_req_track_inflight fs/io_uring.c:1644 [inline] BUG: KASAN: null-ptr-deref in io_file_get_normal+0x23e/0x280 fs/io_uring.c:7470 Write of size 4 at addr 0000000000000118 by task iou-wrk-4054/4055 CPU: 1 PID: 4055 Comm: iou-wrk-4054 Not tainted 5.17.0-rc7-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x57/0x7d lib/dump_stack.c:106 __kasan_report mm/kasan/report.c:446 [inline] kasan_report.cold+0x66/0xdf mm/kasan/report.c:459 check_region_inline mm/kasan/generic.c:183 [inline] kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189 instrument_atomic_read_write include/linux/instrumented.h:101 [inline] atomic_inc include/linux/atomic/atomic-instrumented.h:190 [inline] io_req_track_inflight fs/io_uring.c:1644 [inline] io_file_get_normal+0x23e/0x280 fs/io_uring.c:7470 io_file_get fs/io_uring.c:7480 [inline] io_tee fs/io_uring.c:4391 [inline] io_issue_sqe+0x40f5/0x7ae0 fs/io_uring.c:7311 io_wq_submit_work+0x159/0x4a0 fs/io_uring.c:7396 io_worker_handle_work+0x6c6/0x19c0 fs/io-wq.c:595 io_wqe_worker+0x50c/0xb70 fs/io-wq.c:642 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 ================================================================== Kernel panic - not syncing: panic_on_warn set ... CPU: 0 PID: 4055 Comm: iou-wrk-4054 Tainted: G B 5.17.0-rc7-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x57/0x7d lib/dump_stack.c:106 panic+0x214/0x49f kernel/panic.c:233 end_report.cold+0x63/0x6f mm/kasan/report.c:128 __kasan_report mm/kasan/report.c:449 [inline] kasan_report.cold+0x71/0xdf mm/kasan/report.c:459 check_region_inline mm/kasan/generic.c:183 [inline] kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189 instrument_atomic_read_write include/linux/instrumented.h:101 [inline] atomic_inc include/linux/atomic/atomic-instrumented.h:190 [inline] io_req_track_inflight fs/io_uring.c:1644 [inline] io_file_get_normal+0x23e/0x280 fs/io_uring.c:7470 io_file_get fs/io_uring.c:7480 [inline] io_tee fs/io_uring.c:4391 [inline] io_issue_sqe+0x40f5/0x7ae0 fs/io_uring.c:7311 io_wq_submit_work+0x159/0x4a0 fs/io_uring.c:7396 io_worker_handle_work+0x6c6/0x19c0 fs/io-wq.c:595 io_wqe_worker+0x50c/0xb70 fs/io-wq.c:642 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 Kernel Offset: disabled Rebooting in 86400 seconds..