bisecting cause commit starting from 8565d64430f8278bea38dab0a3ab60b4e11c71e4 building syzkaller on e2d91b1d0dd8c8b4760986ec8114469246022bb8 testing commit 8565d64430f8278bea38dab0a3ab60b4e11c71e4 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: a0be0b5dc341eb5197f50bacfec58ea9ed391efce13e4b1823e12ba868ec77cd run #0: crashed: BUG: unable to handle kernel paging request in corrupted run #1: crashed: KASAN: use-after-free Read in tty_release run #2: crashed: BUG: corrupted list in add_wait_queue run #3: crashed: KASAN: use-after-free Read in add_wait_queue run #4: crashed: KASAN: use-after-free Read in tty_release run #5: crashed: KASAN: use-after-free Read in tty_release run #6: crashed: KASAN: use-after-free Read in tty_release run #7: crashed: KASAN: use-after-free Read in tty_release run #8: crashed: KASAN: use-after-free Read in add_wait_queue run #9: crashed: KASAN: use-after-free Read in add_wait_queue run #10: crashed: KASAN: use-after-free Read in add_wait_queue run #11: crashed: BUG: unable to handle kernel paging request in corrupted run #12: crashed: KASAN: use-after-free Read in tty_release run #13: crashed: KASAN: use-after-free Read in tty_release run #14: crashed: KASAN: use-after-free Read in tty_release run #15: crashed: KASAN: use-after-free Read in add_wait_queue run #16: crashed: KASAN: use-after-free Read in tty_release run #17: crashed: KASAN: use-after-free Read in add_wait_queue run #18: crashed: BUG: corrupted list in add_wait_queue run #19: crashed: KASAN: use-after-free Read in tty_release testing release v5.17 testing commit f443e374ae131c168a065ea1748feac6b2e76613 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 96590acb2a66c06d08ea76165f1ebf6dad36cfefd0cc853ab26ae838d2691188 all runs: OK # git bisect start 8565d64430f8278bea38dab0a3ab60b4e11c71e4 f443e374ae131c168a065ea1748feac6b2e76613 Bisecting: 708 revisions left to test after this (roughly 10 steps) [5628b8de1228436d47491c662dc521bc138a3d43] Merge tag 'random-5.18-rc1-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/crng/random testing commit 5628b8de1228436d47491c662dc521bc138a3d43 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 5c92fc17d24e2d669eaa227576e57c4543d6e675724f466c2afb37c6d9dcacb4 all runs: OK # git bisect good 5628b8de1228436d47491c662dc521bc138a3d43 Bisecting: 315 revisions left to test after this (roughly 9 steps) [69d1dea852b54eecd8ad2ec92a7fd371e9aec4bd] Merge tag 'for-5.18/drivers-2022-03-18' of git://git.kernel.dk/linux-block testing commit 69d1dea852b54eecd8ad2ec92a7fd371e9aec4bd compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 9289e5a9a756d192d1b5a86988bd42a0ecf888ed15c35a22619cca2526f873c5 run #0: crashed: KASAN: use-after-free Read in add_wait_queue run #1: crashed: KASAN: use-after-free Read in tty_release run #2: crashed: BUG: corrupted list in add_wait_queue run #3: crashed: BUG: unable to handle kernel paging request in corrupted run #4: crashed: BUG: unable to handle kernel paging request in corrupted run #5: crashed: KASAN: use-after-free Read in tty_release run #6: crashed: KASAN: use-after-free Read in add_wait_queue run #7: crashed: KASAN: use-after-free Read in tty_release run #8: crashed: BUG: unable to handle kernel paging request in corrupted run #9: boot failed: WARNING in blk_release_queue # git bisect bad 69d1dea852b54eecd8ad2ec92a7fd371e9aec4bd Bisecting: 209 revisions left to test after this (roughly 8 steps) [b080cee72ef355669cbc52ff55dc513d37433600] Merge tag 'for-5.18/io_uring-statx-2022-03-18' of git://git.kernel.dk/linux-block testing commit b080cee72ef355669cbc52ff55dc513d37433600 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: e244ccf8e6553e68ecffc43d222c042a5ee2828be4d24ec845416a72dabc1432 run #0: crashed: KASAN: use-after-free Read in tty_release run #1: crashed: KASAN: use-after-free Read in add_wait_queue run #2: crashed: KASAN: use-after-free Read in add_wait_queue run #3: crashed: KASAN: use-after-free Read in tty_release run #4: crashed: KASAN: use-after-free Read in add_wait_queue run #5: crashed: BUG: unable to handle kernel paging request in corrupted run #6: crashed: KASAN: use-after-free Read in tty_release run #7: crashed: KASAN: use-after-free Read in add_wait_queue run #8: crashed: KASAN: use-after-free Read in tty_release run #9: crashed: KASAN: use-after-free Read in add_wait_queue # git bisect bad b080cee72ef355669cbc52ff55dc513d37433600 Bisecting: 91 revisions left to test after this (roughly 7 steps) [c4f51eab6ce0b7138f375673dbb2789e49b6d028] hwrng: atmel - add runtime pm support testing commit c4f51eab6ce0b7138f375673dbb2789e49b6d028 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 84de335413ba59d1c7617f886ce0dd01e94c9b11f20e96a6978cdef0beb2dbac all runs: OK # git bisect good c4f51eab6ce0b7138f375673dbb2789e49b6d028 Bisecting: 45 revisions left to test after this (roughly 6 steps) [0e03b8fd29363f2df44e2a7a176d486de550757a] crypto: xilinx - Turn SHA into a tristate and allow COMPILE_TEST testing commit 0e03b8fd29363f2df44e2a7a176d486de550757a compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: bd90c7c6364b209de2fa16b67561f67660bc73ae5d711dafb75a846616c06418 all runs: OK # git bisect good 0e03b8fd29363f2df44e2a7a176d486de550757a Bisecting: 22 revisions left to test after this (roughly 5 steps) [2be2eb02e2f5a096c351e5b70c46cfef259dabcd] io_uring: ensure reads re-import for selected buffers testing commit 2be2eb02e2f5a096c351e5b70c46cfef259dabcd compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 221d1c52b600b37c6ab95d8ad6ebd0b5c0b370d806be7752778f38ee3ef4a919 all runs: OK # git bisect good 2be2eb02e2f5a096c351e5b70c46cfef259dabcd Bisecting: 11 revisions left to test after this (roughly 4 steps) [3b2b78a8eb7cc38d207c5ee516769bc3f44d19ea] io_uring: extend provided buf return to fails testing commit 3b2b78a8eb7cc38d207c5ee516769bc3f44d19ea compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: c8d4ec6bead409ec061058b53dc8456557f03f762f3bd99e10669b13900e913f run #0: crashed: KASAN: use-after-free Read in tty_release run #1: crashed: KASAN: use-after-free Read in add_wait_queue run #2: crashed: KASAN: use-after-free Read in add_wait_queue run #3: crashed: KASAN: use-after-free Read in add_wait_queue run #4: crashed: KASAN: use-after-free Read in add_wait_queue run #5: crashed: KASAN: use-after-free Read in tty_release run #6: crashed: KASAN: use-after-free Read in tty_release run #7: crashed: KASAN: use-after-free Read in tty_release run #8: crashed: KASAN: use-after-free Read in tty_release run #9: crashed: KASAN: use-after-free Read in tty_release # git bisect bad 3b2b78a8eb7cc38d207c5ee516769bc3f44d19ea Bisecting: 5 revisions left to test after this (roughly 3 steps) [052ebf1fbb1cab86b145a68d80219c8c57321cbd] io_uring: make tracing format consistent testing commit 052ebf1fbb1cab86b145a68d80219c8c57321cbd compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 2b6b958383af6089b62d0aa0840aab4c69cc561a0891837e5389e796e011dca5 all runs: OK # git bisect good 052ebf1fbb1cab86b145a68d80219c8c57321cbd Bisecting: 2 revisions left to test after this (roughly 2 steps) [91eac1c69c202d9dad8bf717ae5b92db70bfe5cf] io_uring: cache poll/double-poll state with a request flag testing commit 91eac1c69c202d9dad8bf717ae5b92db70bfe5cf compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: b0392732235965dbe625b66e2c49f7d4afac60442135d85bdc16996ab382451c run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: failed to write control pipe: write |NUM: broken pipe run #1: crashed: KASAN: use-after-free Read in add_wait_queue run #2: crashed: KASAN: use-after-free Read in io_poll_remove_entries run #3: crashed: KASAN: use-after-free Read in add_wait_queue run #4: crashed: BUG: unable to handle kernel paging request in corrupted run #5: crashed: KASAN: use-after-free Read in tty_release run #6: crashed: KASAN: use-after-free Read in io_poll_remove_entries run #7: crashed: KASAN: use-after-free Read in tty_release run #8: crashed: KASAN: use-after-free Read in tty_release run #9: crashed: KASAN: use-after-free Read in tty_release # git bisect bad 91eac1c69c202d9dad8bf717ae5b92db70bfe5cf Bisecting: 0 revisions left to test after this (roughly 1 step) [81459350d581e958ee9c6e76031f77333881c23c] io_uring: cache req->apoll->events in req->cflags testing commit 81459350d581e958ee9c6e76031f77333881c23c compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: fc61d08cd8939cc3dee8e67125a96c19fb43f90006f1f87e0a8e2d4de1d3a82d run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: exit status NUM run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect good 81459350d581e958ee9c6e76031f77333881c23c 91eac1c69c202d9dad8bf717ae5b92db70bfe5cf is the first bad commit commit 91eac1c69c202d9dad8bf717ae5b92db70bfe5cf Author: Jens Axboe Date: Wed Mar 16 16:59:10 2022 -0600 io_uring: cache poll/double-poll state with a request flag With commit "io_uring: cache req->apoll->events in req->cflags" applied, we now have just io_poll_remove_entries() dipping into req->apoll when it isn't strictly necessary. Mark poll and double-poll with a flag, so we know if we need to look at apoll->double_poll. This avoids pulling in those cachelines if we don't need them. The common case is that the poll wake handler already removed these entries while hot off the completion path. Signed-off-by: Jens Axboe fs/io_uring.c | 24 +++++++++++++++++++----- 1 file changed, 19 insertions(+), 5 deletions(-) culprit signature: b0392732235965dbe625b66e2c49f7d4afac60442135d85bdc16996ab382451c parent signature: fc61d08cd8939cc3dee8e67125a96c19fb43f90006f1f87e0a8e2d4de1d3a82d revisions tested: 12, total time: 2h29m43.74281334s (build: 1h29m41.554313031s, test: 58m56.547478079s) first bad commit: 91eac1c69c202d9dad8bf717ae5b92db70bfe5cf io_uring: cache poll/double-poll state with a request flag recipients (to): ["axboe@kernel.dk" "axboe@kernel.dk" "io-uring@vger.kernel.org"] recipients (cc): ["asml.silence@gmail.com" "linux-kernel@vger.kernel.org"] crash: KASAN: use-after-free Read in tty_release ================================================================== BUG: KASAN: use-after-free in __wake_up_common+0x637/0x650 kernel/sched/wait.c:101 Read of size 8 at addr ffff88801e99a930 by task syz-executor325/4127 CPU: 0 PID: 4127 Comm: syz-executor325 Not tainted 5.17.0-rc7-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x57/0x7d lib/dump_stack.c:106 print_address_description.constprop.0.cold+0x8d/0x303 mm/kasan/report.c:255 __kasan_report mm/kasan/report.c:442 [inline] kasan_report.cold+0x83/0xdf mm/kasan/report.c:459 __wake_up_common+0x637/0x650 kernel/sched/wait.c:101 __wake_up_common_lock+0xd0/0x130 kernel/sched/wait.c:138 tty_release+0x504/0xf80 drivers/tty/tty_io.c:1781 __fput+0x204/0x8d0 fs/file_table.c:317 task_work_run+0xc0/0x160 kernel/task_work.c:164 exit_task_work include/linux/task_work.h:32 [inline] do_exit+0x9ab/0x2500 kernel/exit.c:806 do_group_exit+0xb2/0x2a0 kernel/exit.c:935 __do_sys_exit_group kernel/exit.c:946 [inline] __se_sys_exit_group kernel/exit.c:944 [inline] __x64_sys_exit_group+0x35/0x40 kernel/exit.c:944 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f055552cc59 Code: Unable to access opcode bytes at RIP 0x7f055552cc2f. RSP: 002b:00007ffd929d23c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 RAX: ffffffffffffffda RBX: 00007f05555a1330 RCX: 00007f055552cc59 RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000 RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000030000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f05555a1330 R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001 Allocated by task 4112: kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 kasan_set_track mm/kasan/common.c:45 [inline] set_alloc_info mm/kasan/common.c:436 [inline] ____kasan_kmalloc mm/kasan/common.c:515 [inline] ____kasan_kmalloc mm/kasan/common.c:474 [inline] __kasan_kmalloc+0xa6/0xd0 mm/kasan/common.c:524 kasan_kmalloc include/linux/kasan.h:270 [inline] kmem_cache_alloc_trace+0x1ea/0x4a0 mm/slab.c:3567 kmalloc include/linux/slab.h:581 [inline] io_arm_poll_handler+0x30e/0x880 fs/io_uring.c:6209 io_queue_sqe_arm_apoll+0x52/0x350 fs/io_uring.c:7459 __io_queue_sqe fs/io_uring.c:7501 [inline] io_queue_sqe fs/io_uring.c:7528 [inline] io_submit_sqe fs/io_uring.c:7736 [inline] io_submit_sqes+0x6360/0x80f0 fs/io_uring.c:7842 __do_sys_io_uring_enter+0x6d3/0x1030 fs/io_uring.c:10873 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae Freed by task 4112: kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 kasan_set_track+0x21/0x30 mm/kasan/common.c:45 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370 ____kasan_slab_free mm/kasan/common.c:366 [inline] ____kasan_slab_free+0xff/0x140 mm/kasan/common.c:328 kasan_slab_free include/linux/kasan.h:236 [inline] __cache_free mm/slab.c:3437 [inline] kfree+0xf8/0x2b0 mm/slab.c:3794 io_clean_op+0x198/0xbc0 fs/io_uring.c:7097 io_dismantle_req fs/io_uring.c:2245 [inline] __io_req_complete_post+0x77d/0xaf0 fs/io_uring.c:2083 io_req_complete_post+0x53/0x1f0 fs/io_uring.c:2096 handle_tw_list fs/io_uring.c:2455 [inline] tctx_task_work+0x50f/0xf10 fs/io_uring.c:2489 task_work_run+0xc0/0x160 kernel/task_work.c:164 exit_task_work include/linux/task_work.h:32 [inline] do_exit+0x9ab/0x2500 kernel/exit.c:806 do_group_exit+0xb2/0x2a0 kernel/exit.c:935 __do_sys_exit_group kernel/exit.c:946 [inline] __se_sys_exit_group kernel/exit.c:944 [inline] __x64_sys_exit_group+0x35/0x40 kernel/exit.c:944 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae The buggy address belongs to the object at ffff88801e99a900 which belongs to the cache kmalloc-96 of size 96 The buggy address is located 48 bytes inside of 96-byte region [ffff88801e99a900, ffff88801e99a960) The buggy address belongs to the page: page:ffffea00007a6680 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88801e99a280 pfn:0x1e99a flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000200 ffffea0000671788 ffffea0001e73288 ffff88800fc40300 raw: ffff88801e99a280 ffff88801e99a000 0000000100000013 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x242040(__GFP_IO|__GFP_NOWARN|__GFP_COMP|__GFP_THISNODE), pid 2966, ts 21056071229, free_ts 21047006864 prep_new_page mm/page_alloc.c:2434 [inline] get_page_from_freelist+0xa6f/0x2f10 mm/page_alloc.c:4165 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5389 __alloc_pages_node include/linux/gfp.h:572 [inline] kmem_getpages mm/slab.c:1378 [inline] cache_grow_begin+0x75/0x390 mm/slab.c:2584 cache_alloc_refill+0x27f/0x380 mm/slab.c:2957 ____cache_alloc mm/slab.c:3040 [inline] ____cache_alloc mm/slab.c:3023 [inline] __do_cache_alloc mm/slab.c:3267 [inline] slab_alloc mm/slab.c:3308 [inline] __do_kmalloc mm/slab.c:3692 [inline] __kmalloc+0x3b3/0x4d0 mm/slab.c:3703 kmalloc include/linux/slab.h:586 [inline] kzalloc include/linux/slab.h:714 [inline] tomoyo_encode2.part.0+0x92/0x310 security/tomoyo/realpath.c:45 tomoyo_realpath_from_path+0x140/0x6a0 security/tomoyo/realpath.c:288 tomoyo_get_realpath security/tomoyo/file.c:151 [inline] tomoyo_check_open_permission+0x21c/0x2c0 security/tomoyo/file.c:771 security_file_open+0x34/0x80 security/security.c:1638 do_dentry_open+0x30c/0x1050 fs/open.c:811 do_open fs/namei.c:3476 [inline] path_openat+0x9ea/0x2390 fs/namei.c:3609 do_filp_open+0x199/0x3d0 fs/namei.c:3636 do_sys_openat2+0x11e/0x400 fs/open.c:1214 do_sys_open fs/open.c:1230 [inline] __do_sys_openat fs/open.c:1246 [inline] __se_sys_openat fs/open.c:1241 [inline] __x64_sys_openat+0x11b/0x1d0 fs/open.c:1241 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1352 [inline] free_pcp_prepare+0x374/0x870 mm/page_alloc.c:1404 free_unref_page_prepare mm/page_alloc.c:3325 [inline] free_unref_page+0x19/0x690 mm/page_alloc.c:3404 slab_destroy mm/slab.c:1630 [inline] slabs_destroy+0x89/0xc0 mm/slab.c:1650 cache_flusharray mm/slab.c:3410 [inline] ___cache_free+0x303/0x600 mm/slab.c:3472 qlink_free mm/kasan/quarantine.c:157 [inline] qlist_free_all+0x50/0x1a0 mm/kasan/quarantine.c:176 kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:283 __kasan_slab_alloc+0x97/0xb0 mm/kasan/common.c:446 kasan_slab_alloc include/linux/kasan.h:260 [inline] slab_post_alloc_hook mm/slab.h:732 [inline] slab_alloc mm/slab.c:3315 [inline] kmem_cache_alloc+0x265/0x560 mm/slab.c:3499 getname_flags.part.0+0x4a/0x440 fs/namei.c:138 user_path_at_empty+0x1e/0x50 fs/namei.c:2850 user_path_at include/linux/namei.h:57 [inline] vfs_statx+0xd6/0x2e0 fs/stat.c:221 vfs_fstatat fs/stat.c:243 [inline] __do_sys_newfstatat+0x7d/0xd0 fs/stat.c:412 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae Memory state around the buggy address: ffff88801e99a800: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ffff88801e99a880: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc >ffff88801e99a900: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ^ ffff88801e99a980: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc ffff88801e99aa00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ==================================================================