bisecting fixing commit since b47d5a4f6b8d42f8a8fbe891b36215e4fddc53be
building syzkaller on d88ef0c5c80d45a060e170c2706371f6b2957f55
testing commit b47d5a4f6b8d42f8a8fbe891b36215e4fddc53be
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 52146c00d2dde159a2d8662b55dc0ad177ea2c5f64870652fffea6a4a32910db
run #0: crashed: BUG: unable to handle kernel paging request in corrupted
run #1: crashed: KASAN: use-after-free Read in tty_release
run #2: crashed: BUG: unable to handle kernel paging request in corrupted
run #3: crashed: BUG: unable to handle kernel paging request in corrupted
run #4: crashed: BUG: unable to handle kernel paging request in corrupted
run #5: crashed: BUG: unable to handle kernel paging request in corrupted
run #6: crashed: KASAN: use-after-free Read in tty_release
run #7: crashed: BUG: unable to handle kernel paging request in corrupted
run #8: crashed: BUG: unable to handle kernel paging request in corrupted
run #9: crashed: BUG: unable to handle kernel paging request in corrupted
run #10: crashed: KASAN: use-after-free Read in tty_release
run #11: crashed: KASAN: use-after-free Read in tty_release
run #12: crashed: KASAN: use-after-free Read in tty_release
run #13: crashed: BUG: unable to handle kernel paging request in corrupted
run #14: crashed: KASAN: use-after-free Read in tty_release
run #15: crashed: BUG: unable to handle kernel paging request in corrupted
run #16: crashed: KASAN: use-after-free Read in tty_release
run #17: crashed: BUG: unable to handle kernel paging request in corrupted
run #18: crashed: SYZFAIL: wrong response packet
run #19: crashed: BUG: unable to handle kernel paging request in corrupted
testing current HEAD 8f4dd16603ce834d1c5c4da67803ea82dd282511
testing commit 8f4dd16603ce834d1c5c4da67803ea82dd282511
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 6cc5dbe1c1d33a4bf5ae99b47b53ed1e6782216a9e0b17d8747e0c1fc6059e96
all runs: OK
# git bisect start 8f4dd16603ce834d1c5c4da67803ea82dd282511 b47d5a4f6b8d42f8a8fbe891b36215e4fddc53be
Bisecting: 7510 revisions left to test after this (roughly 13 steps)
[25fd2d41b505d0640bdfe67aa77c549de2d3c18a] selftests: kselftest framework: provide "finished" helper
testing commit 25fd2d41b505d0640bdfe67aa77c549de2d3c18a
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: dc461908dd4335f4b17574018eeb91ff3620c02fb00c8449487c9342d8b4875e
run #0: crashed: BUG: unable to handle kernel paging request in corrupted
run #1: crashed: BUG: unable to handle kernel paging request in corrupted
run #2: crashed: BUG: unable to handle kernel paging request in corrupted
run #3: crashed: BUG: unable to handle kernel paging request in corrupted
run #4: crashed: KASAN: use-after-free Read in tty_release
run #5: crashed: BUG: unable to handle kernel paging request in corrupted
run #6: crashed: BUG: unable to handle kernel paging request in corrupted
run #7: crashed: BUG: unable to handle kernel paging request in corrupted
run #8: crashed: KASAN: use-after-free Read in tty_release
run #9: crashed: BUG: unable to handle kernel paging request in corrupted
# git bisect good 25fd2d41b505d0640bdfe67aa77c549de2d3c18a
Bisecting: 3793 revisions left to test after this (roughly 12 steps)
[a9fe7fa7d874a536e0540469f314772c054a0323] parisc: Fix patch code locking and flushing
testing commit a9fe7fa7d874a536e0540469f314772c054a0323
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 7e1b6f90438c0d4215420cc92d92a990f49f38d4ce72f07da32b8bf2a2981267
run #0: crashed: BUG: unable to handle kernel paging request in corrupted
run #1: crashed: BUG: unable to handle kernel paging request in corrupted
run #2: crashed: BUG: unable to handle kernel paging request in corrupted
run #3: crashed: BUG: unable to handle kernel paging request in corrupted
run #4: crashed: KASAN: use-after-free Read in tty_release
run #5: crashed: BUG: unable to handle kernel paging request in corrupted
run #6: crashed: BUG: unable to handle kernel paging request in corrupted
run #7: crashed: BUG: unable to handle kernel paging request in corrupted
run #8: crashed: BUG: unable to handle kernel paging request in corrupted
run #9: crashed: BUG: unable to handle kernel paging request in corrupted
# git bisect good a9fe7fa7d874a536e0540469f314772c054a0323
Bisecting: 1891 revisions left to test after this (roughly 11 steps)
[3312db01db06ace51bb4934e9de64da62fac3f38] Merge tag 'rpmsg-v5.18' of git://git.kernel.org/pub/scm/linux/kernel/git/remoteproc/linux
testing commit 3312db01db06ace51bb4934e9de64da62fac3f38
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 35458466676e7c5ef1fc2fbc136d83cc0ef88f0459c116661fd860990071823a
run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: EOF
run #1: crashed: KASAN: use-after-free Read in io_poll_remove_entries
run #2: crashed: KASAN: use-after-free Read in tty_release
run #3: crashed: BUG: unable to handle kernel paging request in corrupted
run #4: crashed: KASAN: use-after-free Read in tty_release
run #5: crashed: KASAN: use-after-free Read in tty_release
run #6: crashed: KASAN: use-after-free Read in io_poll_remove_entries
run #7: crashed: KASAN: use-after-free Read in tty_release
run #8: crashed: BUG: unable to handle kernel paging request in corrupted
run #9: crashed: BUG: unable to handle kernel paging request in corrupted
# git bisect good 3312db01db06ace51bb4934e9de64da62fac3f38
Bisecting: 942 revisions left to test after this (roughly 10 steps)
[dad32cfeed7c5a375335b04398bf064a9c61cc20] Merge tag 'wireless-2022-04-13' of git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless
testing commit dad32cfeed7c5a375335b04398bf064a9c61cc20
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 9278ffdbd3d054e564605a951a4ec4caf3c2fa0caca6e2d679449f9d46fac371
all runs: OK
# git bisect bad dad32cfeed7c5a375335b04398bf064a9c61cc20
Bisecting: 468 revisions left to test after this (roughly 9 steps)
[b012b3235cb9d05e4ccaff8327bfbed6faf014aa] Merge branch 'akpm' (patches from Andrew)
testing commit b012b3235cb9d05e4ccaff8327bfbed6faf014aa
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 5447e58153e5a852396e4d75833705ba2b7652e692b4e6448a4b280425f3f6d4
run #0: crashed: BUG: unable to handle kernel paging request in corrupted
run #1: crashed: KASAN: use-after-free Read in tty_release
run #2: crashed: BUG: unable to handle kernel paging request in corrupted
run #3: crashed: BUG: unable to handle kernel paging request in corrupted
run #4: crashed: BUG: unable to handle kernel paging request in corrupted
run #5: crashed: KASAN: use-after-free Read in tty_release
run #6: crashed: KASAN: use-after-free Read in tty_release
run #7: crashed: BUG: unable to handle kernel paging request in corrupted
run #8: crashed: KASAN: use-after-free Read in tty_release
run #9: crashed: BUG: unable to handle kernel paging request in corrupted
# git bisect good b012b3235cb9d05e4ccaff8327bfbed6faf014aa
Bisecting: 221 revisions left to test after this (roughly 8 steps)
[38904911e86495d4690f8d805720b90e65426c71] Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm
testing commit 38904911e86495d4690f8d805720b90e65426c71
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: a8c781ef63500d4f3af469a8d691ad6f2159d19e28a7ae3d31ed091e7198f5e7
all runs: OK
# git bisect bad 38904911e86495d4690f8d805720b90e65426c71
Bisecting: 131 revisions left to test after this (roughly 7 steps)
[fe35fdb30511f845608571f7c09062ebb94d96c2] Merge tag 'for-5.18/dm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm
testing commit fe35fdb30511f845608571f7c09062ebb94d96c2
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: bdc6718ef848c21866da78e4d18892be675c8f67ac021c419f3b42586064c24c
run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: EOF
run #1: basic kernel testing failed: BUG: program execution failed: executor NUM: EOF
run #2: crashed: BUG: unable to handle kernel paging request in corrupted
run #3: crashed: KASAN: use-after-free Read in tty_release
run #4: crashed: KASAN: use-after-free Read in tty_release
run #5: crashed: BUG: unable to handle kernel paging request in corrupted
run #6: crashed: BUG: unable to handle kernel paging request in corrupted
run #7: crashed: KASAN: use-after-free Read in tty_release
run #8: crashed: BUG: unable to handle kernel paging request in corrupted
run #9: crashed: BUG: unable to handle kernel paging request in corrupted
# git bisect good fe35fdb30511f845608571f7c09062ebb94d96c2
Bisecting: 66 revisions left to test after this (roughly 6 steps)
[a4251ab9896cefd75926b11c45aa477f8464cdec] Merge tag 'vfs-5.18-merge-1' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux
testing commit a4251ab9896cefd75926b11c45aa477f8464cdec
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: a8f92c592f225bfd2acd460283cd5d0f9fe22a868b9410b2cc0e2ae2ef5a57bf
all runs: OK
# git bisect bad a4251ab9896cefd75926b11c45aa477f8464cdec
Bisecting: 37 revisions left to test after this (roughly 5 steps)
[d589ae0d44607a0af65b83113e4cfba1a8af7eb3] Merge tag 'for-5.18/block-2022-04-01' of git://git.kernel.dk/linux-block
testing commit d589ae0d44607a0af65b83113e4cfba1a8af7eb3
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: ab5831de55c3b43319c271b96ca9140b3df27b9b3458191e2139a83c81a9dfdd
run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: EOF
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad d589ae0d44607a0af65b83113e4cfba1a8af7eb3
Bisecting: 13 revisions left to test after this (roughly 4 steps)
[52dd86406dfa322c8d42b3a4328858abdc6f1d85] io_uring: enable EPOLLEXCLUSIVE for accept poll
testing commit 52dd86406dfa322c8d42b3a4328858abdc6f1d85
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 85e6afa721d468175b1cdf68af59bbf6fce41d87217b9aeb5e0e21412fdb3909
all runs: OK
# git bisect bad 52dd86406dfa322c8d42b3a4328858abdc6f1d85
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[d89a4fac0fbc6fe5fc24d1c9a889440dcf410368] io_uring: fix assuming triggered poll waitqueue is the single poll
testing commit d89a4fac0fbc6fe5fc24d1c9a889440dcf410368
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 75aac6ac873b05b569f18e22984c30e6d868cdece79ff8b999d6f8e16b75e39d
all runs: OK
# git bisect bad d89a4fac0fbc6fe5fc24d1c9a889440dcf410368
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[649bb75d19c93f5459f450191953dff4825fda3e] io_uring: fix memory ordering when SQPOLL thread goes to sleep
testing commit 649bb75d19c93f5459f450191953dff4825fda3e
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 230b20209356ba09011a9bbf187b30e4651a4c22a83ad749564f6214fb855c20
run #0: crashed: KASAN: use-after-free Read in tty_release
run #1: crashed: KASAN: use-after-free Read in tty_release
run #2: crashed: KASAN: use-after-free Read in tty_release
run #3: crashed: BUG: unable to handle kernel paging request in corrupted
run #4: crashed: BUG: unable to handle kernel paging request in corrupted
run #5: crashed: KASAN: use-after-free Read in tty_release
run #6: crashed: BUG: unable to handle kernel paging request in corrupted
run #7: crashed: BUG: corrupted list in add_wait_queue
run #8: crashed: KASAN: use-after-free Read in tty_release
run #9: crashed: KASAN: use-after-free Read in tty_release
# git bisect good 649bb75d19c93f5459f450191953dff4825fda3e
Bisecting: 0 revisions left to test after this (roughly 1 step)
[e2c0cb7c0cc72939b61a7efee376206725796625] io_uring: bump poll refs to full 31-bits
testing commit e2c0cb7c0cc72939b61a7efee376206725796625
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: a74c1fef5e3241b2687b5757fe3e92979ab1605e21496023543d928d287d98a1
run #0: crashed: BUG: unable to handle kernel paging request in corrupted
run #1: crashed: BUG: unable to handle kernel paging request in corrupted
run #2: crashed: BUG: unable to handle kernel paging request in corrupted
run #3: crashed: BUG: unable to handle kernel paging request in corrupted
run #4: crashed: KASAN: use-after-free Read in tty_release
run #5: crashed: BUG: unable to handle kernel paging request in corrupted
run #6: crashed: BUG: unable to handle kernel paging request in corrupted
run #7: crashed: KASAN: use-after-free Read in tty_release
run #8: crashed: KASAN: use-after-free Read in tty_release
run #9: crashed: BUG: unable to handle kernel paging request in corrupted
# git bisect good e2c0cb7c0cc72939b61a7efee376206725796625
d89a4fac0fbc6fe5fc24d1c9a889440dcf410368 is the first bad commit
commit d89a4fac0fbc6fe5fc24d1c9a889440dcf410368
Author: Jens Axboe
Date:   Tue Mar 22 13:11:28 2022 -0600

    io_uring: fix assuming triggered poll waitqueue is the single poll

    syzbot reports a recent regression:

    BUG: KASAN: use-after-free in __wake_up_common+0x637/0x650 kernel/sched/wait.c:101
    Read of size 8 at addr ffff888011e8a130 by task syz-executor413/3618

    CPU: 0 PID: 3618 Comm: syz-executor413 Tainted: G W 5.17.0-syzkaller-01402-g8565d64430f8 #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    Call Trace:
     __dump_stack lib/dump_stack.c:88 [inline]
     dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
     print_address_description.constprop.0.cold+0x8d/0x303 mm/kasan/report.c:255
     __kasan_report mm/kasan/report.c:442 [inline]
     kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
     __wake_up_common+0x637/0x650 kernel/sched/wait.c:101
     __wake_up_common_lock+0xd0/0x130 kernel/sched/wait.c:138
     tty_release+0x657/0x1200 drivers/tty/tty_io.c:1781
     __fput+0x286/0x9f0 fs/file_table.c:317
     task_work_run+0xdd/0x1a0 kernel/task_work.c:164
     exit_task_work include/linux/task_work.h:32 [inline]
     do_exit+0xaff/0x29d0 kernel/exit.c:806
     do_group_exit+0xd2/0x2f0 kernel/exit.c:936
     __do_sys_exit_group kernel/exit.c:947 [inline]
     __se_sys_exit_group kernel/exit.c:945 [inline]
     __x64_sys_exit_group+0x3a/0x50 kernel/exit.c:945
     do_syscall_x64 arch/x86/entry/common.c:50 [inline]
     do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
     entry_SYSCALL_64_after_hwframe+0x44/0xae
    RIP: 0033:0x7f439a1fac69

    which is due to leaving the request on the waitqueue mistakenly. The
    reproducer is using a tty device, which means we end up arming the same
    poll queue twice (it uses the same poll waitqueue for both), but in
    io_poll_wake() we always just clear REQ_F_SINGLE_POLL regardless of which
    entry triggered. This leaves one waitqueue potentially armed after we're
    done, which then blows up in tty when the waitqueue is attempted removed.

    We have no room to store this information, so simply encode it in the
    wait_queue_entry->private where we store the io_kiocb request pointer.

    Fixes: 91eac1c69c20 ("io_uring: cache poll/double-poll state with a request flag")
    Reported-by: syzbot+09ad4050dd3a120bfccd@syzkaller.appspotmail.com
    Signed-off-by: Jens Axboe

 fs/io_uring.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

culprit signature: 75aac6ac873b05b569f18e22984c30e6d868cdece79ff8b999d6f8e16b75e39d
parent signature: a74c1fef5e3241b2687b5757fe3e92979ab1605e21496023543d928d287d98a1
revisions tested: 15, total time: 3h13m29.184169929s (build: 1h30m17.391618624s, test: 1h41m43.230772426s)
first good commit: d89a4fac0fbc6fe5fc24d1c9a889440dcf410368 io_uring: fix assuming triggered poll waitqueue is the single poll
recipients (to): ["axboe@kernel.dk" "axboe@kernel.dk" "io-uring@vger.kernel.org"]
recipients (cc): ["asml.silence@gmail.com" "linux-kernel@vger.kernel.org"]
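The mechanism the culprit commit message describes, as a userspace C model added to this page (it is not io_uring code and not part of the syzbot log): a request arms two wait queue entries on the same wait queue, the wake callback dequeues whichever entry fired and has to record which one is now disarmed, and completion-side cleanup removes only the entries the request flags still claim. Everything below is this model's assumption, not the kernel's: the intrusive list, the `request` struct, the flag values behind the page's `REQ_F_SINGLE_POLL`/`REQ_F_DOUBLE_POLL` names, the `WQE_F_DOUBLE` low-bit tag in `private` (the commit message only says the entry type is encoded there), a "first wake takes ownership" rule standing in for the real ownership logic, and insertion at the list head so the second-armed entry fires first. With no tag, `poll_wake` can only assume the single entry fired and clears the wrong flag, so cleanup skips the entry that is still linked; that entry still points at the request after it is freed, which is the dangling pointer the later `tty_release` wakeup dereferences.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model-only stand-in for the kernel's intrusive list_head. */
struct list_head { struct list_head *next, *prev; };
static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_add(struct list_head *n, struct list_head *h)
{
    n->next = h->next; n->prev = h; h->next->prev = n; h->next = n;
}
static void list_del_init(struct list_head *n)
{
    n->prev->next = n->next; n->next->prev = n->prev; list_init(n);
}
#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

struct wait_queue_head  { struct list_head head; };
struct wait_queue_entry { struct list_head entry; void *private; };

/* Flag names follow the commit message; the values are this model's. */
#define REQ_F_SINGLE_POLL 0x1u
#define REQ_F_DOUBLE_POLL 0x2u
/* Assumed tag: low bit of the aligned request pointer stored in private. */
#define WQE_F_DOUBLE 0x1ul

struct request {
    unsigned flags;
    bool owned;                     /* model of "first wake takes ownership" */
    struct wait_queue_entry single; /* the request's primary poll entry */
    struct wait_queue_entry dbl;    /* the "double poll" entry */
};
_Static_assert(_Alignof(struct request) > 1, "low pointer bit must be free");

static struct request *wqe_to_req(struct wait_queue_entry *w)
{
    return (struct request *)((uintptr_t)w->private & ~WQE_F_DOUBLE);
}
static bool wqe_is_double(struct wait_queue_entry *w)
{
    return ((uintptr_t)w->private & WQE_F_DOUBLE) != 0;
}

/* Arm both entries on the SAME queue, as the tty case does. With
 * tag_double=false the wake callback cannot tell the two entries apart. */
static void arm(struct request *req, struct wait_queue_head *wq, bool tag_double)
{
    uintptr_t p = (uintptr_t)req;
    req->flags = 0; req->owned = false;
    req->single.private = (void *)p;
    list_add(&req->single.entry, &wq->head);
    req->flags |= REQ_F_SINGLE_POLL;
    req->dbl.private = (void *)(p | (tag_double ? WQE_F_DOUBLE : 0));
    list_add(&req->dbl.entry, &wq->head);   /* head insertion: fires first */
    req->flags |= REQ_F_DOUBLE_POLL;
}

/* Wake callback: the entry that takes ownership dequeues itself and clears
 * the flag for the entry it believes it is. Untagged, that is always
 * "single", which is wrong when the double entry is the one that fired. */
static void poll_wake(struct wait_queue_entry *w)
{
    struct request *req = wqe_to_req(w);
    if (req->owned) return;
    req->owned = true;
    list_del_init(&w->entry);
    if (wqe_is_double(w)) req->flags &= ~REQ_F_DOUBLE_POLL;
    else                  req->flags &= ~REQ_F_SINGLE_POLL;
}

static void wake_up(struct wait_queue_head *wq)
{
    struct list_head *pos = wq->head.next, *n;
    for (; pos != &wq->head; pos = n) {
        n = pos->next;   /* saved: poll_wake may unlink pos */
        poll_wake(container_of(pos, struct wait_queue_entry, entry));
    }
}

/* Completion-side cleanup: only entries the flags still claim are removed. */
static void remove_entries(struct request *req)
{
    if (req->flags & REQ_F_SINGLE_POLL) list_del_init(&req->single.entry);
    if (req->flags & REQ_F_DOUBLE_POLL) list_del_init(&req->dbl.entry);
    req->flags = 0;
}

/* Entries still linked on the queue after the request "completed". Each one
 * keeps a pointer to memory the kernel would free next: the UAF in the log. */
int stale_entries_after_completion(bool tag_double)
{
    struct wait_queue_head wq; struct request req;
    int left = 0;
    list_init(&wq.head);
    arm(&req, &wq, tag_double);
    wake_up(&wq);
    remove_entries(&req);
    for (struct list_head *p = wq.head.next; p != &wq.head; p = p->next) left++;
    return left;
}

int main(void)
{
    printf("untagged private: %d entry left armed after completion\n",
           stale_entries_after_completion(false));
    printf("tagged private:   %d entries left armed after completion\n",
           stale_entries_after_completion(true));
    return 0;
}
```

The point of the model is the accounting, not the list code: once two entries share one wait queue, a per-request flag cleared by "whichever entry fired" is ambiguous, and the one bit of per-entry state that resolves it has to live somewhere the wake callback can see, which is why the commit stores it alongside the request pointer in `private`.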