ci starts bisection 2025-10-29 23:53:52.469502048 +0000 UTC m=+201475.260643324
bisecting cause commit starting from f9ba12abc5282bf992f9a9ae87ad814fd03a0270
building syzkaller on fd2207e7cf691493b5b81c50a8a625b4b71dd544
ensuring issue is reproducible on original commit f9ba12abc5282bf992f9a9ae87ad814fd03a0270
testing commit f9ba12abc5282bf992f9a9ae87ad814fd03a0270 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 85a7b64f081ebc972466832b58d57aafcb3495c4932a76791bf89c98af6789f0
all runs: crashed: KASAN: global-out-of-bounds Read in io_uring_show_fdinfo
representative crash: KASAN: global-out-of-bounds Read in io_uring_show_fdinfo, types: [KASAN-READ]
check whether we can drop unnecessary instrumentation
disabling configs for [locking atomic_sleep hang memleak ubsan bug_or_warning], they are not needed
testing commit f9ba12abc5282bf992f9a9ae87ad814fd03a0270 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 3f7c5944144e3cca4c0c69c65fea0c2613aa87398c48a90e25258676fe592ce1
all runs: crashed: KASAN: global-out-of-bounds Read in io_uring_show_fdinfo
representative crash: KASAN: global-out-of-bounds Read in io_uring_show_fdinfo, types: [KASAN-READ]
the bug reproduces without the instrumentation
disabling configs for [hang memleak ubsan bug_or_warning locking atomic_sleep], they are not needed
kconfig minimization: base=4116 full=8545 leaves diff=2160
split chunks (needed=false): <2160>
split chunk #0 of len 2160 into 5 parts
testing without sub-chunk 1/5
disabling configs for [memleak ubsan bug_or_warning locking atomic_sleep hang], they are not needed
testing commit f9ba12abc5282bf992f9a9ae87ad814fd03a0270 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: c996d1717888d57f63b5456db1832cc328aa0ff0a22819659b469855d71053bc
all runs: crashed: KASAN: global-out-of-bounds Read in io_uring_show_fdinfo
representative crash: KASAN: global-out-of-bounds Read in io_uring_show_fdinfo, types: [KASAN-READ]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [hang memleak ubsan bug_or_warning locking atomic_sleep], they are not needed
testing commit f9ba12abc5282bf992f9a9ae87ad814fd03a0270 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 312a32ebdb50edba16555149cc095d8a3c90b1a345ff56c0b5adaffc060ad85e
all runs: crashed: KASAN: global-out-of-bounds Read in io_uring_show_fdinfo
representative crash: KASAN: global-out-of-bounds Read in io_uring_show_fdinfo, types: [KASAN-READ]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [locking atomic_sleep hang memleak ubsan bug_or_warning], they are not needed
testing commit f9ba12abc5282bf992f9a9ae87ad814fd03a0270 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 61f8ad7cdfc4f3197bde3f08e0f14f201589f8de23ca3242000e7318bdb9e084
all runs: crashed: KASAN: global-out-of-bounds Read in io_uring_show_fdinfo
representative crash: KASAN: global-out-of-bounds Read in io_uring_show_fdinfo, types: [KASAN-READ]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [memleak ubsan bug_or_warning locking atomic_sleep hang], they are not needed
testing commit f9ba12abc5282bf992f9a9ae87ad814fd03a0270 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 2ec7c6b1b58587ec8fd5031b355e27eabe81084773382d6d564e84b4bb4f8305
all runs: crashed: KASAN: global-out-of-bounds Read in io_uring_show_fdinfo
representative crash: KASAN: global-out-of-bounds Read in io_uring_show_fdinfo, types: [KASAN-READ]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [bug_or_warning locking atomic_sleep hang memleak ubsan], they are not needed
testing commit f9ba12abc5282bf992f9a9ae87ad814fd03a0270 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: f2e9965214d9d0eb05130e57d257dc0cc14cab16e425051698d5d61aa138009d
all runs: crashed: KASAN: global-out-of-bounds Read in io_uring_show_fdinfo
representative crash: KASAN: global-out-of-bounds Read in io_uring_show_fdinfo, types: [KASAN-READ]
the chunk can be dropped
disabling configs for [hang memleak ubsan bug_or_warning locking atomic_sleep], they are not needed
picked [v6.17 v6.16 v6.15 v6.13 v6.11 v6.9 v6.7 v6.5 v6.2 v5.19 v5.16 v5.13 v5.10 v5.7 v5.4 v5.1 v4.19] out of 40 release tags
testing release v6.17
testing commit e5f0a698b34ed76002dc5cff3804a61c80233a7a gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: a6cb6fc42a8a26736a551613f446d6489aab86095d8c0fac690b46af5bf6d79a
all runs: OK
false negative chance: 0.000
# git bisect start f9ba12abc5282bf992f9a9ae87ad814fd03a0270 e5f0a698b34ed76002dc5cff3804a61c80233a7a
Bisecting: 9167 revisions left to test after this (roughly 13 steps)
[e64aeecbbb0962601bd2ac502a2f9c0d9be97502] Merge tag 'pull-mount' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
testing commit e64aeecbbb0962601bd2ac502a2f9c0d9be97502 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 5184939ff23b9aad8849957c1d9f818a40da500e97ba1dddd72c83558de6ef21
all runs: OK
false negative chance: 0.000
# git bisect good e64aeecbbb0962601bd2ac502a2f9c0d9be97502
Bisecting: 4586 revisions left to test after this (roughly 12 steps)
[c9f460284248e70b6cfa96612376afcb4b809989] Merge branch '9p-next' of https://github.com/martinetd/linux
testing commit c9f460284248e70b6cfa96612376afcb4b809989 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: a2ec41e8f09e254c0eae87238c66dd1e4daf098c32efc66e5745b60273391921
all runs: OK
false negative chance: 0.000
# git bisect good c9f460284248e70b6cfa96612376afcb4b809989
Bisecting: 2436 revisions left to test after this (roughly 11 steps)
[196c1d2131e9e2326e4a6a79eaa1ea54bdc90056] Merge branch 'libcrypto-next' of https://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/linux.git
testing commit 196c1d2131e9e2326e4a6a79eaa1ea54bdc90056 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: c62f5ed4de182510b1678164ecf0115441ae523e264c0022923bb133222e2ae8
all runs: OK
false negative chance: 0.000
# git bisect good 196c1d2131e9e2326e4a6a79eaa1ea54bdc90056
Bisecting: 1177 revisions left to test after this (roughly 10 steps)
[47af99b9fa06d7207d03f53099c58ab145819c20] Merge branch 'for-next' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git
testing commit 47af99b9fa06d7207d03f53099c58ab145819c20 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 74947397f767ea6780d40681b467c5da53c57f466d215a3a925b78d764c5cf51
all runs: OK
false negative chance: 0.000
# git bisect good 47af99b9fa06d7207d03f53099c58ab145819c20
Bisecting: 599 revisions left to test after this (roughly 9 steps)
[53ac14eeef9a69b4e881a5cd8d56ecf054a25dc3] Merge branch 'for-next' of https://git.kernel.org/pub/scm/linux/kernel/git/tj/wq.git
testing commit 53ac14eeef9a69b4e881a5cd8d56ecf054a25dc3 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 0a7ead7f83b97bd239c3051f93f127fbfc5b5687975aa1056e3089c01f21944d
all runs: crashed: KASAN: global-out-of-bounds Read in io_uring_show_fdinfo
representative crash: KASAN: global-out-of-bounds Read in io_uring_show_fdinfo, types: [KASAN-READ]
# git bisect bad 53ac14eeef9a69b4e881a5cd8d56ecf054a25dc3
Bisecting: 329 revisions left to test after this (roughly 8 steps)
[9ac3f65ed6bd03cc83d86c50e51caa1d223e9e76] Merge branch 'for-next' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi.git
testing commit 9ac3f65ed6bd03cc83d86c50e51caa1d223e9e76 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 4c0bc43d49de49264a9b6eb44c5598a0c49d9658a32e033f9a1ede521c630cb4
all runs: crashed: KASAN: global-out-of-bounds Read in io_uring_show_fdinfo
representative crash: KASAN: global-out-of-bounds Read in io_uring_show_fdinfo, types: [KASAN-READ]
# git bisect bad 9ac3f65ed6bd03cc83d86c50e51caa1d223e9e76
Bisecting: 128 revisions left to test after this (roughly 7 steps)
[ddce8ff84e0d4c69dcdc3ae593f2bccfb89b0dbf] Merge branch 'for-next' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator.git
testing commit ddce8ff84e0d4c69dcdc3ae593f2bccfb89b0dbf gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 053895d96e658b08f02fb25bf24ffb5af5cf0fd0205fbd0d434ad42f51606f28
all runs: crashed: KASAN: global-out-of-bounds Read in io_uring_show_fdinfo
representative crash: KASAN: global-out-of-bounds Read in io_uring_show_fdinfo, types: [KASAN-READ]
# git bisect bad ddce8ff84e0d4c69dcdc3ae593f2bccfb89b0dbf
Bisecting: 56 revisions left to test after this (roughly 6 steps)
[b094b0e6cc71272d2cec2295dd2fa39d0919e417] Merge branch 'for-next' of https://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm.git
testing commit b094b0e6cc71272d2cec2295dd2fa39d0919e417 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: dbe89c01c1d8ca779428340196f4244d802d3728cdd2326d28ac4057ebd7df49
all runs: crashed: KASAN: global-out-of-bounds Read in io_uring_show_fdinfo
representative crash: KASAN: global-out-of-bounds Read in io_uring_show_fdinfo, types: [KASAN-READ]
# git bisect bad b094b0e6cc71272d2cec2295dd2fa39d0919e417
Bisecting: 22 revisions left to test after this (roughly 5 steps)
[0479e8e55e84a8b606aeadafd640856c75a9d252] Merge branch 'for-6.19/block' into for-next
testing commit 0479e8e55e84a8b606aeadafd640856c75a9d252 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 9fdaf6872cb74380732da9daceb1f24a2fcbb57cfb874b07d62022a48601848e
all runs: crashed: KASAN: global-out-of-bounds Read in io_uring_show_fdinfo
representative crash: KASAN: global-out-of-bounds Read in io_uring_show_fdinfo, types: [KASAN-READ]
# git bisect bad 0479e8e55e84a8b606aeadafd640856c75a9d252
Bisecting: 19 revisions left to test after this (roughly 4 steps)
[3f6722816a73e2017599d965683dbe71833afd7a] blktrace: trace zone write plugging operations
testing commit 3f6722816a73e2017599d965683dbe71833afd7a gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 337c7dc62bfb2259cf8c1de3a342f4da89f5df7a19362f096c9a74a7cf4cb960
all runs: OK
false negative chance: 0.000
# git bisect good 3f6722816a73e2017599d965683dbe71833afd7a
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[5b6d8a032e807c48a843fb81d9e3d74391f731ea] io_uring: only publish fully handled mem region
testing commit 5b6d8a032e807c48a843fb81d9e3d74391f731ea gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: c0ec5ade6fea3e3a44a26d2947908720503ce60276ae6581bc3d4fa57da8deb9
all runs: OK
false negative chance: 0.000
# git bisect good 5b6d8a032e807c48a843fb81d9e3d74391f731ea
Bisecting: 5 revisions left to test after this (roughly 2 steps)
[101e596e7404d07a85b38358a392009503aad797] io_uring/fdinfo: cap SQ iteration at max SQ entries
testing commit 101e596e7404d07a85b38358a392009503aad797 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: eef3a2dcef450f08a49055545dfbb4eb12819b2c106bcf5be5bf317fe7c892fe
all runs: crashed: KASAN: global-out-of-bounds Read in io_uring_show_fdinfo
representative crash: KASAN: global-out-of-bounds Read in io_uring_show_fdinfo, types: [KASAN-READ]
# git bisect bad 101e596e7404d07a85b38358a392009503aad797
Bisecting: 1 revision left to test after this (roughly 1 step)
[dde92a5026d81df1a146e9c243d09b27d1bf04bf] io_uring: check for user passing 0 nr_submit
testing commit dde92a5026d81df1a146e9c243d09b27d1bf04bf gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 25bc0e2d14a8672f8e84f837f3ffeb530338c27889896c216fefcc27de513c13
all runs: OK
false negative chance: 0.000
# git bisect good dde92a5026d81df1a146e9c243d09b27d1bf04bf
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[0ecf0e6748120842700efc5dbf22a18580f7efcf] io_uring/fdinfo: show SQEs for no array setup
testing commit 0ecf0e6748120842700efc5dbf22a18580f7efcf gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: d46b3dfdfdc5f006202e8e97614ad2979413260806d5278377880f5964ec3899
all runs: OK
false negative chance: 0.000
# git bisect good 0ecf0e6748120842700efc5dbf22a18580f7efcf
101e596e7404d07a85b38358a392009503aad797 is the first bad commit
commit 101e596e7404d07a85b38358a392009503aad797
Author: Jens Axboe
Date:   Mon Oct 27 19:09:28 2025 -0600

    io_uring/fdinfo: cap SQ iteration at max SQ entries

    A previous commit changed the logic around how SQ entries are iterated,
    and as a result, had a few bugs. One is that it fully trusts the SQ head
    and tail, which are user exposed. Another is that it fails to increment
    the SQ head if the SQ index is out of range. Fix both of those up,
    reverting to the previous logic of how to iterate SQ entries.

    Link: https://lore.kernel.org/io-uring/68ffdf18.050a0220.3344a1.039e.GAE@google.com/
    Fixes: 1cba30bf9fdd ("io_uring: add support for IORING_SETUP_SQE_MIXED")
    Reported-by: syzbot+10a9b495f54a17b607a6@syzkaller.appspotmail.com
    Tested-by: syzbot+10a9b495f54a17b607a6@syzkaller.appspotmail.com
    Reviewed-by: Keith Busch
    Signed-off-by: Jens Axboe

 io_uring/fdinfo.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

accumulated error probability: 0.00
culprit signature: eef3a2dcef450f08a49055545dfbb4eb12819b2c106bcf5be5bf317fe7c892fe
parent signature: d46b3dfdfdc5f006202e8e97614ad2979413260806d5278377880f5964ec3899
revisions tested: 22, total time: 5h39m42.833567852s (build: 2h39m4.540966235s, test: 2h28m27.680960654s)
first bad commit: 101e596e7404d07a85b38358a392009503aad797 io_uring/fdinfo: cap SQ iteration at max SQ entries
recipients (to): ["axboe@kernel.dk" "kbusch@kernel.org" "syzbot+10a9b495f54a17b607a6@syzkaller.appspotmail.com"]
recipients (cc): []
crash: KASAN: global-out-of-bounds Read in io_uring_show_fdinfo
==================================================================
BUG: KASAN: global-out-of-bounds in __io_uring_show_fdinfo io_uring/fdinfo.c:112 [inline]
BUG: KASAN: global-out-of-bounds in io_uring_show_fdinfo+0x97a/0x1770 io_uring/fdinfo.c:257
Read of size 2 at addr ffffffff83998c30 by task syz.3.17/2879

CPU: 1 UID: 0 PID: 2879 Comm: syz.3.17 Not tainted syzkaller #0 PREEMPT(none)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Call Trace:
 dump_stack_lvl+0xf4/0x170 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xca/0x240 mm/kasan/report.c:482
 kasan_report+0x118/0x150 mm/kasan/report.c:595
 __io_uring_show_fdinfo io_uring/fdinfo.c:112 [inline]
 io_uring_show_fdinfo+0x97a/0x1770 io_uring/fdinfo.c:257
 seq_show+0x42c/0x4e0 fs/proc/fd.c:68
 traverse+0x1db/0x4b0 fs/seq_file.c:111
 seq_read_iter+0xa62/0xb60 fs/seq_file.c:195
 seq_read+0x274/0x380 fs/seq_file.c:162
 do_loop_readv_writev fs/read_write.c:847 [inline]
 vfs_readv+0x56c/0x8a0 fs/read_write.c:1020
 do_preadv fs/read_write.c:1132 [inline]
 __do_sys_preadv fs/read_write.c:1179 [inline]
 __se_sys_preadv fs/read_write.c:1174 [inline]
 __x64_sys_preadv+0x14b/0x230 fs/read_write.c:1174
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x8f/0x250 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f966ee4efc9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f966ecbf038 EFLAGS: 00000246 ORIG_RAX: 0000000000000127
RAX: ffffffffffffffda RBX: 00007f966f0a5fa0 RCX: 00007f966ee4efc9
RDX: 0000000000000001 RSI: 00002000000005c0 RDI: 0000000000000004
RBP: 00007f966eed1f91 R08: 00000000ffffffff R09: 0000000000000000
R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f966f0a6038 R14: 00007f966f0a5fa0 R15: 00007ffc6e96fe58

The buggy address belongs to the variable:
 .str.15+0x10/0x20

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x3998
flags: 0x100000000002000(reserved|node=0|zone=1)
raw: 0100000000002000 ffffea00000e6608 ffffea00000e6608 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)

Memory state around the buggy address:
 ffffffff83998b00: 00 01 f9 f9 00 04 f9 f9 00 00 f9 f9 00 f9 f9 f9
 ffffffff83998b80: 00 f9 f9 f9 00 f9 f9 f9 00 07 f9 f9 07 f9 f9 f9
>ffffffff83998c00: 00 05 f9 f9 00 05 f9 f9 00 f9 f9 f9 00 02 f9 f9
                                     ^
 ffffffff83998c80: 07 f9 f9 f9 06 f9 f9 f9 00 05 f9 f9 06 f9 f9 f9
 ffffffff83998d00: 05 f9 f9 f9 06 f9 f9 f9 00 f9 f9 f9 00 f9 f9 f9
==================================================================