bisecting cause commit starting from 5591cf003452dc3cb5047dc774151ff36c8d9cf7
building syzkaller on dc438b91deb00a8ad5634a9c55903e0b1a537c61
testing commit 5591cf003452dc3cb5047dc774151ff36c8d9cf7 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: invalid-free in io_sqe_files_unregister
testing release v5.3
testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.1.0
all runs: OK
# git bisect start 5591cf003452dc3cb5047dc774151ff36c8d9cf7 4d856f72c10ecb060868ed10ff1b1453943fc6c8
Bisecting: 12638 revisions left to test after this (roughly 14 steps)
[a7b7b772bb4abaa4b2d9df67b50bf7208203da82] Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
testing commit a7b7b772bb4abaa4b2d9df67b50bf7208203da82 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good a7b7b772bb4abaa4b2d9df67b50bf7208203da82
Bisecting: 6664 revisions left to test after this (roughly 13 steps)
[c45b14490031917d5188da0d760a08102c01c39c] Merge remote-tracking branch 'rdma/for-next'
testing commit c45b14490031917d5188da0d760a08102c01c39c with gcc (GCC) 8.1.0
all runs: OK
# git bisect good c45b14490031917d5188da0d760a08102c01c39c
Bisecting: 3322 revisions left to test after this (roughly 12 steps)
[405d477ba85a59d1bfa9af27510569834bb78b30] Merge remote-tracking branch 'drm-msm/msm-next'
testing commit 405d477ba85a59d1bfa9af27510569834bb78b30 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 405d477ba85a59d1bfa9af27510569834bb78b30
Bisecting: 1626 revisions left to test after this (roughly 11 steps)
[100d6a5f1c666d5782a5cf13c45dfe59a83aa748] Merge remote-tracking branch 'usb/usb-next'
testing commit 100d6a5f1c666d5782a5cf13c45dfe59a83aa748 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: invalid-free in io_sqe_files_unregister
# git bisect bad 100d6a5f1c666d5782a5cf13c45dfe59a83aa748
Bisecting: 860 revisions left to test after this (roughly 10 steps)
[21f0ec902ffdd5efea1829896895673f01d5e3df] Merge remote-tracking branch 'watchdog/master'
testing commit 21f0ec902ffdd5efea1829896895673f01d5e3df with gcc (GCC) 8.1.0
all runs: crashed: KASAN: invalid-free in io_sqe_files_unregister
# git bisect bad 21f0ec902ffdd5efea1829896895673f01d5e3df
Bisecting: 394 revisions left to test after this (roughly 9 steps)
[54bab1d5579ff5b9aeff4353b212736aa8e0fb78] Merge remote-tracking branch 'input/next'
testing commit 54bab1d5579ff5b9aeff4353b212736aa8e0fb78 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 54bab1d5579ff5b9aeff4353b212736aa8e0fb78
Bisecting: 212 revisions left to test after this (roughly 8 steps)
[3d8b301873f1be6cff65a87bad83d966f7a37bfb] Merge remote-tracking branch 'device-mapper/for-next'
testing commit 3d8b301873f1be6cff65a87bad83d966f7a37bfb with gcc (GCC) 8.1.0
all runs: crashed: KASAN: invalid-free in io_sqe_files_unregister
# git bisect bad 3d8b301873f1be6cff65a87bad83d966f7a37bfb
Bisecting: 96 revisions left to test after this (roughly 7 steps)
[22e99acf3061d4eb18342ce65f6befb3921dc1b7] Merge branch 'for-5.5/block' into for-next
testing commit 22e99acf3061d4eb18342ce65f6befb3921dc1b7 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: invalid-free in io_sqe_files_unregister
# git bisect bad 22e99acf3061d4eb18342ce65f6befb3921dc1b7
Bisecting: 33 revisions left to test after this (roughly 5 steps)
[e6cea1802911083e616a45643e2836adf2538182] Merge branch 'for-5.5/io_uring' into for-next
testing commit e6cea1802911083e616a45643e2836adf2538182 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: invalid-free in io_sqe_files_unregister
# git bisect bad e6cea1802911083e616a45643e2836adf2538182
Bisecting: 21 revisions left to test after this (roughly 5 steps)
[3b8a8fd547c2e4c121cd1234f7fda4ea86e2d4ee] Merge branch 'for-5.5/drivers' into for-next
testing commit 3b8a8fd547c2e4c121cd1234f7fda4ea86e2d4ee with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 3b8a8fd547c2e4c121cd1234f7fda4ea86e2d4ee
Bisecting: 10 revisions left to test after this (roughly 4 steps)
[771b53d033e8663abdf59704806aa856b236dcdb] io-wq: small threadpool implementation for io_uring
testing commit 771b53d033e8663abdf59704806aa856b236dcdb with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 771b53d033e8663abdf59704806aa856b236dcdb
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[b7620121dc04e44ce654297050f9eaf39d414a34] io_uring: protect fixed file indexing with array_index_nospec()
testing commit b7620121dc04e44ce654297050f9eaf39d414a34 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good b7620121dc04e44ce654297050f9eaf39d414a34
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[4c81446283360690465f7bd99d5aefadabd76432] Merge branch 'for-5.5/libata' into for-next
testing commit 4c81446283360690465f7bd99d5aefadabd76432 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 4c81446283360690465f7bd99d5aefadabd76432
Bisecting: 0 revisions left to test after this (roughly 1 step)
[842f96124c5617b060cc0f071dcfb6ab24bdd042] io_uring: fix race with canceling timeouts
testing commit 842f96124c5617b060cc0f071dcfb6ab24bdd042 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: invalid-free in io_sqe_files_unregister
# git bisect bad 842f96124c5617b060cc0f071dcfb6ab24bdd042
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[65e19f54d29cd8559ce60cfd0d751bef7afbdc5c] io_uring: support for larger fixed file sets
testing commit 65e19f54d29cd8559ce60cfd0d751bef7afbdc5c with gcc (GCC) 8.1.0
all runs: crashed: KASAN: invalid-free in io_sqe_files_unregister
# git bisect bad 65e19f54d29cd8559ce60cfd0d751bef7afbdc5c
65e19f54d29cd8559ce60cfd0d751bef7afbdc5c is the first bad commit
commit 65e19f54d29cd8559ce60cfd0d751bef7afbdc5c
Author: Jens Axboe <axboe@kernel.dk>
Date:   Sat Oct 26 07:20:21 2019 -0600

    io_uring: support for larger fixed file sets
    
    There's been a few requests for supporting more fixed files than 1024.
    This isn't really tricky to do, we just need to split up the file table
    into multiple tables and index appropriately. As we do so, reduce the
    max single file table to 512. This enables us to do single page allocs
    always for the tables, which is an improvement over the situation prior.
    
    This patch adds support for up to 64K files, which should be enough for
    everyone.
    
    Signed-off-by: Jens Axboe <axboe@kernel.dk>

:040000 040000 0614a891f0dcf20d4de637f28b174c44f77cffe8 31d916869f1c24c0f50e032aea2a7e0d33b8b17d M	fs
revisions tested: 17, total time: 3h50m19.197781869s (build: 1h45m57.578235907s, test: 1h58m37.462412348s)
first bad commit: 65e19f54d29cd8559ce60cfd0d751bef7afbdc5c io_uring: support for larger fixed file sets
cc: ["axboe@kernel.dk" "linux-block@vger.kernel.org" "linux-fsdevel@vger.kernel.org" "linux-kernel@vger.kernel.org" "viro@zeniv.linux.org.uk"]
crash: KASAN: invalid-free in io_sqe_files_unregister
==================================================================
BUG: KASAN: double-free or invalid-free in io_sqe_files_unregister+0x1a0/0x2a0 fs/io_uring.c:3013

CPU: 1 PID: 7653 Comm: syz-executor.0 Not tainted 5.4.0-rc5+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x113/0x167 lib/dump_stack.c:113
 print_address_description.constprop.8.cold.10+0x9/0x31d mm/kasan/report.c:374
 kasan_report_invalid_free+0x64/0xa0 mm/kasan/report.c:468
 __kasan_slab_free+0x13a/0x150 mm/kasan/common.c:450
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:480
 __cache_free mm/slab.c:3425 [inline]
 kfree+0x108/0x2c0 mm/slab.c:3756
 io_sqe_files_unregister+0x1a0/0x2a0 fs/io_uring.c:3013
 io_ring_ctx_free fs/io_uring.c:3825 [inline]
 io_ring_ctx_wait_and_kill+0x2ac/0x610 fs/io_uring.c:3887
 io_uring_release+0x3d/0x50 fs/io_uring.c:3895
 __fput+0x25a/0x770 fs/file_table.c:280
 ____fput+0x9/0x10 fs/file_table.c:313
 task_work_run+0x108/0x180 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_usermode_loop+0x24e/0x2e0 arch/x86/entry/common.c:163
 prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:274 [inline]
 do_syscall_64+0x4e8/0x5d0 arch/x86/entry/common.c:300
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x413db1
Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007ffd2c8cb990 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000004 RCX: 0000000000413db1
RDX: 0000001b2dd20000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 0000000000000001 R08: ffffffffffffffff R09: ffffffffffffffff
R10: 00007ffd2c8cba70 R11: 0000000000000293 R12: 000000000075c9a0
R13: 000000000075c9a0 R14: 00000000007605e0 R15: 000000000075bf2c

Allocated by task 7655:
 save_stack+0x21/0x90 mm/kasan/common.c:69
 set_track mm/kasan/common.c:77 [inline]
 __kasan_kmalloc.constprop.9+0xc7/0xd0 mm/kasan/common.c:510
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:524
 __do_kmalloc mm/slab.c:3655 [inline]
 __kmalloc+0x164/0x790 mm/slab.c:3664
 kmalloc_array include/linux/slab.h:618 [inline]
 kcalloc include/linux/slab.h:629 [inline]
 io_sqe_files_register fs/io_uring.c:3201 [inline]
 __io_uring_register+0xb1c/0x2f30 fs/io_uring.c:4297
 __do_sys_io_uring_register fs/io_uring.c:4349 [inline]
 __se_sys_io_uring_register fs/io_uring.c:4331 [inline]
 __x64_sys_io_uring_register+0x162/0x460 fs/io_uring.c:4331
 do_syscall_64+0xca/0x5d0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 7655:
 save_stack+0x21/0x90 mm/kasan/common.c:69
 set_track mm/kasan/common.c:77 [inline]
 kasan_set_free_info mm/kasan/common.c:332 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:471
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:480
 __cache_free mm/slab.c:3425 [inline]
 kfree+0x108/0x2c0 mm/slab.c:3756
 io_sqe_files_register fs/io_uring.c:3207 [inline]
 __io_uring_register+0xc9b/0x2f30 fs/io_uring.c:4297
 __do_sys_io_uring_register fs/io_uring.c:4349 [inline]
 __se_sys_io_uring_register fs/io_uring.c:4331 [inline]
 __x64_sys_io_uring_register+0x162/0x460 fs/io_uring.c:4331
 do_syscall_64+0xca/0x5d0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff888097814080
 which belongs to the cache kmalloc-32 of size 32
The buggy address is located 0 bytes inside of
 32-byte region [ffff888097814080, ffff8880978140a0)
The buggy address belongs to the page:
page:ffffea00025e0500 refcount:1 mapcount:0 mapping:ffff8880aa4001c0 index:0xffff888097814fc1
flags: 0x1fffc0000000200(slab)
raw: 01fffc0000000200 ffffea0002825bc8 ffffea00025dd308 ffff8880aa4001c0
raw: ffff888097814fc1 ffff888097814000 000000010000003f 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888097813f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888097814000: 00 00 00 fc fc fc fc fc fb fb fb fb fc fc fc fc
>ffff888097814080: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
                   ^
 ffff888097814100: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
 ffff888097814180: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
==================================================================