bisecting cause commit starting from b47d5a4f6b8d42f8a8fbe891b36215e4fddc53be building syzkaller on d88ef0c5c80d45a060e170c2706371f6b2957f55 testing commit b47d5a4f6b8d42f8a8fbe891b36215e4fddc53be compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: b2539916f9e32adc5a257cda15569b78d9f27c4a153b777007b6f9957a4b787e run #0: crashed: BUG: unable to handle kernel paging request in corrupted run #1: crashed: KASAN: use-after-free Read in tty_release run #2: crashed: KASAN: use-after-free Read in add_wait_queue run #3: crashed: KASAN: use-after-free Read in tty_release run #4: crashed: KASAN: use-after-free Read in add_wait_queue run #5: crashed: BUG: unable to handle kernel paging request in corrupted run #6: crashed: KASAN: use-after-free Read in add_wait_queue run #7: crashed: KASAN: use-after-free Read in add_wait_queue run #8: crashed: BUG: corrupted list in add_wait_queue run #9: crashed: KASAN: use-after-free Read in tty_release run #10: crashed: KASAN: use-after-free Read in add_wait_queue run #11: crashed: KASAN: use-after-free Read in add_wait_queue run #12: crashed: BUG: corrupted list in add_wait_queue run #13: crashed: KASAN: use-after-free Read in tty_release run #14: crashed: KASAN: use-after-free Read in add_wait_queue run #15: crashed: KASAN: use-after-free Read in tty_release run #16: crashed: KASAN: use-after-free Read in tty_release run #17: crashed: KASAN: use-after-free Read in add_wait_queue run #18: crashed: KASAN: use-after-free Read in tty_release run #19: crashed: BUG: unable to handle kernel paging request in corrupted testing release v5.17 testing commit f443e374ae131c168a065ea1748feac6b2e76613 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 8d2b7a0a216ca1dcb2783385324bf6197659484bcbca39e5c76a958e3198d3a9 all runs: OK # git bisect start b47d5a4f6b8d42f8a8fbe891b36215e4fddc53be f443e374ae131c168a065ea1748feac6b2e76613 Bisecting: 748 revisions left to test after this (roughly 10 steps) [5628b8de1228436d47491c662dc521bc138a3d43] Merge tag 'random-5.18-rc1-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/crng/random testing commit 5628b8de1228436d47491c662dc521bc138a3d43 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: b637f9e5d05ad8381209dc366cbefb4369b4905713a06cd0de9308991250d510 all runs: OK # git bisect good 5628b8de1228436d47491c662dc521bc138a3d43 Bisecting: 355 revisions left to test after this (roughly 9 steps) [69d1dea852b54eecd8ad2ec92a7fd371e9aec4bd] Merge tag 'for-5.18/drivers-2022-03-18' of git://git.kernel.dk/linux-block testing commit 69d1dea852b54eecd8ad2ec92a7fd371e9aec4bd compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 065f0f0bb6d3f8e0027dc65f01529068b1ced07c952e18cf40eea7c9cca79cf8 run #0: crashed: KASAN: use-after-free Read in tty_release run #1: crashed: KASAN: use-after-free Read in tty_release run #2: crashed: KASAN: use-after-free Read in add_wait_queue run #3: crashed: KASAN: use-after-free Read in add_wait_queue run #4: crashed: KASAN: use-after-free Read in tty_release run #5: crashed: KASAN: use-after-free Read in tty_release run #6: crashed: BUG: unable to handle kernel paging request in corrupted run #7: crashed: KASAN: use-after-free Read in add_wait_queue run #8: crashed: KASAN: use-after-free Read in tty_release run #9: crashed: BUG: unable to handle kernel paging request in corrupted # git bisect bad 69d1dea852b54eecd8ad2ec92a7fd371e9aec4bd Bisecting: 209 revisions left to test after this (roughly 8 steps) [b080cee72ef355669cbc52ff55dc513d37433600] Merge tag 'for-5.18/io_uring-statx-2022-03-18' of git://git.kernel.dk/linux-block testing commit b080cee72ef355669cbc52ff55dc513d37433600 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 952634faca72702aeea9dcd25cd6c18337a4ee77b8aaf59bdf633fb893dec43c run #0: crashed: KASAN: use-after-free Read in add_wait_queue run #1: crashed: KASAN: use-after-free Read in add_wait_queue run #2: crashed: BUG: corrupted list in add_wait_queue run #3: crashed: KASAN: use-after-free Read in add_wait_queue run #4: crashed: KASAN: use-after-free Read in tty_release run #5: crashed: KASAN: use-after-free Read in tty_release run #6: crashed: KASAN: use-after-free Read in add_wait_queue run #7: crashed: KASAN: use-after-free Read in tty_release run #8: crashed: KASAN: use-after-free Read in tty_release run #9: crashed: KASAN: use-after-free Read in add_wait_queue # git bisect bad b080cee72ef355669cbc52ff55dc513d37433600 Bisecting: 91 revisions left to test after this (roughly 7 steps) [c4f51eab6ce0b7138f375673dbb2789e49b6d028] hwrng: atmel - add runtime pm support testing commit c4f51eab6ce0b7138f375673dbb2789e49b6d028 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 066ef4f1cc9cfebf1e86fbc64d38cd0f0740657a2eaf7df415e4142c59ad7848 all runs: OK # git bisect good c4f51eab6ce0b7138f375673dbb2789e49b6d028 Bisecting: 45 revisions left to test after this (roughly 6 steps) [0e03b8fd29363f2df44e2a7a176d486de550757a] crypto: xilinx - Turn SHA into a tristate and allow COMPILE_TEST testing commit 0e03b8fd29363f2df44e2a7a176d486de550757a compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: e2b8239014902a4b82bca7c7a88c65e0eadd77bdac85bfc303cb0efe915a59e0 all runs: OK # git bisect good 0e03b8fd29363f2df44e2a7a176d486de550757a Bisecting: 22 revisions left to test after this (roughly 5 steps) [2be2eb02e2f5a096c351e5b70c46cfef259dabcd] io_uring: ensure reads re-import for selected buffers testing commit 2be2eb02e2f5a096c351e5b70c46cfef259dabcd compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: af27003d606b3152702b56c2eece4ea987986767ab9ad8042c342cf273ba5799 run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: exit status NUM run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect good 2be2eb02e2f5a096c351e5b70c46cfef259dabcd Bisecting: 11 revisions left to test after this (roughly 4 steps) [3b2b78a8eb7cc38d207c5ee516769bc3f44d19ea] io_uring: extend provided buf return to fails testing commit 3b2b78a8eb7cc38d207c5ee516769bc3f44d19ea compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 35ded9e7f64be6cf1110d72e13f947b38f244c0c7003b9ddfb4c5dabe829723b run #0: crashed: KASAN: use-after-free Read in add_wait_queue run #1: crashed: KASAN: use-after-free Read in add_wait_queue run #2: crashed: KASAN: use-after-free Read in add_wait_queue run #3: crashed: KASAN: use-after-free Read in tty_release run #4: crashed: KASAN: use-after-free Read in tty_release run #5: crashed: KASAN: use-after-free Read in tty_release run #6: crashed: KASAN: use-after-free Read in io_poll_remove_entries run #7: crashed: KASAN: use-after-free Read in add_wait_queue run #8: crashed: KASAN: use-after-free Read in add_wait_queue run #9: crashed: KASAN: use-after-free Read in add_wait_queue # git bisect bad 3b2b78a8eb7cc38d207c5ee516769bc3f44d19ea Bisecting: 5 revisions left to test after this (roughly 3 steps) [052ebf1fbb1cab86b145a68d80219c8c57321cbd] io_uring: make tracing format consistent testing commit 052ebf1fbb1cab86b145a68d80219c8c57321cbd compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: b4f7c7567807ed12ca73f00b66e6f31e102b33eb977b3da726523ef346f64a2a all runs: OK # git bisect good 052ebf1fbb1cab86b145a68d80219c8c57321cbd Bisecting: 2 revisions left to test after this (roughly 2 steps) [91eac1c69c202d9dad8bf717ae5b92db70bfe5cf] io_uring: cache poll/double-poll state with a request flag testing commit 91eac1c69c202d9dad8bf717ae5b92db70bfe5cf compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: b8d56e542da8ab6cf2d5318e749abba2938d6bfd1921c3c05893abdca9f9be0f run #0: crashed: KASAN: use-after-free Read in add_wait_queue run #1: crashed: KASAN: use-after-free Read in add_wait_queue run #2: crashed: KASAN: use-after-free Read in tty_release run #3: crashed: KASAN: use-after-free Read in tty_release run #4: crashed: KASAN: use-after-free Read in tty_release run #5: crashed: KASAN: use-after-free Read in add_wait_queue run #6: crashed: KASAN: use-after-free Read in add_wait_queue run #7: crashed: KASAN: use-after-free Read in add_wait_queue run #8: crashed: KASAN: use-after-free Read in tty_release run #9: crashed: KASAN: use-after-free Read in tty_release # git bisect bad 91eac1c69c202d9dad8bf717ae5b92db70bfe5cf Bisecting: 0 revisions left to test after this (roughly 1 step) [81459350d581e958ee9c6e76031f77333881c23c] io_uring: cache req->apoll->events in req->cflags testing commit 81459350d581e958ee9c6e76031f77333881c23c compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: b89fd83f69b0f86ff92af11c5bf8bbef990ca8d2f7aee3f47b390675f550ceaa all runs: OK # git bisect good 81459350d581e958ee9c6e76031f77333881c23c 91eac1c69c202d9dad8bf717ae5b92db70bfe5cf is the first bad commit commit 91eac1c69c202d9dad8bf717ae5b92db70bfe5cf Author: Jens Axboe Date: Wed Mar 16 16:59:10 2022 -0600 io_uring: cache poll/double-poll state with a request flag With commit "io_uring: cache req->apoll->events in req->cflags" applied, we now have just io_poll_remove_entries() dipping into req->apoll when it isn't strictly necessary. Mark poll and double-poll with a flag, so we know if we need to look at apoll->double_poll. This avoids pulling in those cachelines if we don't need them. The common case is that the poll wake handler already removed these entries while hot off the completion path. Signed-off-by: Jens Axboe fs/io_uring.c | 24 +++++++++++++++++++----- 1 file changed, 19 insertions(+), 5 deletions(-) culprit signature: b8d56e542da8ab6cf2d5318e749abba2938d6bfd1921c3c05893abdca9f9be0f parent signature: b89fd83f69b0f86ff92af11c5bf8bbef990ca8d2f7aee3f47b390675f550ceaa revisions tested: 12, total time: 2h4m3.007058673s (build: 1h13m17.299491721s, test: 49m38.40076111s) first bad commit: 91eac1c69c202d9dad8bf717ae5b92db70bfe5cf io_uring: cache poll/double-poll state with a request flag recipients (to): ["axboe@kernel.dk" "axboe@kernel.dk" "io-uring@vger.kernel.org"] recipients (cc): ["asml.silence@gmail.com" "linux-kernel@vger.kernel.org"] crash: KASAN: use-after-free Read in tty_release ================================================================== BUG: KASAN: use-after-free in __wake_up_common+0x637/0x650 kernel/sched/wait.c:101 Read of size 8 at addr ffff88807e940db0 by task syz-executor202/4099 CPU: 0 PID: 4099 Comm: syz-executor202 Not tainted 5.17.0-rc7-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x57/0x7d lib/dump_stack.c:106 print_address_description.constprop.0.cold+0x8d/0x336 mm/kasan/report.c:255 __kasan_report mm/kasan/report.c:442 [inline] kasan_report.cold+0x83/0xdf mm/kasan/report.c:459 __wake_up_common+0x637/0x650 kernel/sched/wait.c:101 __wake_up_common_lock+0xd0/0x130 kernel/sched/wait.c:138 tty_release+0x504/0xf80 drivers/tty/tty_io.c:1781 __fput+0x204/0x8d0 fs/file_table.c:317 task_work_run+0xc0/0x160 kernel/task_work.c:164 exit_task_work include/linux/task_work.h:32 [inline] do_exit+0x9ab/0x2500 kernel/exit.c:806 do_group_exit+0xb2/0x2a0 kernel/exit.c:935 __do_sys_exit_group kernel/exit.c:946 [inline] __se_sys_exit_group kernel/exit.c:944 [inline] __x64_sys_exit_group+0x35/0x40 kernel/exit.c:944 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f6689f25c59 Code: Unable to access opcode bytes at RIP 0x7f6689f25c2f. RSP: 002b:00007ffcf4776288 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 RAX: ffffffffffffffda RBX: 00007f6689f9a330 RCX: 00007f6689f25c59 RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000 RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6689f9a330 R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001 Allocated by task 4098: kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 kasan_set_track mm/kasan/common.c:45 [inline] set_alloc_info mm/kasan/common.c:436 [inline] ____kasan_kmalloc mm/kasan/common.c:515 [inline] ____kasan_kmalloc mm/kasan/common.c:474 [inline] __kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:524 kmalloc include/linux/slab.h:581 [inline] io_arm_poll_handler+0x30e/0x880 fs/io_uring.c:6209 io_queue_sqe_arm_apoll+0x52/0x350 fs/io_uring.c:7459 __io_queue_sqe fs/io_uring.c:7501 [inline] io_queue_sqe fs/io_uring.c:7528 [inline] io_submit_sqe fs/io_uring.c:7736 [inline] io_submit_sqes+0x632e/0x80c0 fs/io_uring.c:7842 __do_sys_io_uring_enter+0x6d3/0x1030 fs/io_uring.c:10873 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae Freed by task 4098: kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 kasan_set_track+0x21/0x30 mm/kasan/common.c:45 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370 ____kasan_slab_free mm/kasan/common.c:366 [inline] ____kasan_slab_free+0x126/0x160 mm/kasan/common.c:328 kasan_slab_free include/linux/kasan.h:236 [inline] slab_free_hook mm/slub.c:1728 [inline] slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1754 slab_free mm/slub.c:3509 [inline] kfree+0xd0/0x390 mm/slub.c:4562 io_clean_op+0x198/0xbc0 fs/io_uring.c:7097 io_dismantle_req fs/io_uring.c:2245 [inline] __io_req_complete_post+0x77d/0xaf0 fs/io_uring.c:2083 io_req_complete_post+0x53/0x1f0 fs/io_uring.c:2096 handle_tw_list fs/io_uring.c:2455 [inline] tctx_task_work+0x50f/0xf10 fs/io_uring.c:2489 task_work_run+0xc0/0x160 kernel/task_work.c:164 exit_task_work include/linux/task_work.h:32 [inline] do_exit+0x9ab/0x2500 kernel/exit.c:806 do_group_exit+0xb2/0x2a0 kernel/exit.c:935 __do_sys_exit_group kernel/exit.c:946 [inline] __se_sys_exit_group kernel/exit.c:944 [inline] __x64_sys_exit_group+0x35/0x40 kernel/exit.c:944 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae The buggy address belongs to the object at ffff88807e940d80 which belongs to the cache kmalloc-96 of size 96 The buggy address is located 48 bytes inside of 96-byte region [ffff88807e940d80, ffff88807e940de0) The buggy address belongs to the page: page:ffffea0001fa5000 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7e940 flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000200 dead000000000100 dead000000000122 ffff88800fc41780 raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY), pid 2950, ts 10696564408, free_ts 10534418381 prep_new_page mm/page_alloc.c:2434 [inline] get_page_from_freelist+0xa6f/0x2f10 mm/page_alloc.c:4165 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5389 alloc_slab_page mm/slub.c:1799 [inline] allocate_slab+0x27f/0x3c0 mm/slub.c:1944 new_slab mm/slub.c:2004 [inline] ___slab_alloc+0xbe3/0x12a0 mm/slub.c:3018 __slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3105 slab_alloc_node mm/slub.c:3196 [inline] slab_alloc mm/slub.c:3238 [inline] __kmalloc+0x372/0x450 mm/slub.c:4420 kmalloc include/linux/slab.h:586 [inline] kzalloc include/linux/slab.h:714 [inline] tomoyo_commit_ok+0x18/0x60 security/tomoyo/memory.c:76 tomoyo_update_domain+0x50c/0x7b0 security/tomoyo/domain.c:139 tomoyo_update_path_number_acl security/tomoyo/file.c:691 [inline] tomoyo_write_file+0x513/0x690 security/tomoyo/file.c:1034 tomoyo_write_domain2+0xe8/0x180 security/tomoyo/common.c:1152 tomoyo_add_entry security/tomoyo/common.c:2042 [inline] tomoyo_supervisor+0x46f/0xef0 security/tomoyo/common.c:2103 tomoyo_audit_path_number_log security/tomoyo/file.c:235 [inline] tomoyo_path_number_perm+0x37d/0x4e0 security/tomoyo/file.c:734 security_file_ioctl+0x44/0x80 security/security.c:1544 __do_sys_ioctl fs/ioctl.c:868 [inline] __se_sys_ioctl fs/ioctl.c:860 [inline] __x64_sys_ioctl+0x99/0x190 fs/ioctl.c:860 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1352 [inline] free_pcp_prepare+0x374/0x870 mm/page_alloc.c:1404 free_unref_page_prepare mm/page_alloc.c:3325 [inline] free_unref_page_list+0x1a9/0xfa0 mm/page_alloc.c:3441 release_pages+0x223/0xee0 mm/swap.c:980 tlb_batch_pages_flush mm/mmu_gather.c:50 [inline] tlb_flush_mmu_free mm/mmu_gather.c:243 [inline] tlb_flush_mmu mm/mmu_gather.c:250 [inline] tlb_finish_mmu+0x127/0x790 mm/mmu_gather.c:341 exit_mmap+0x1d1/0x5b0 mm/mmap.c:3180 __mmput+0xed/0x430 kernel/fork.c:1114 exit_mm kernel/exit.c:507 [inline] do_exit+0x90e/0x2500 kernel/exit.c:793 do_group_exit+0xb2/0x2a0 kernel/exit.c:935 __do_sys_exit_group kernel/exit.c:946 [inline] __se_sys_exit_group kernel/exit.c:944 [inline] __x64_sys_exit_group+0x35/0x40 kernel/exit.c:944 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae Memory state around the buggy address: ffff88807e940c80: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc ffff88807e940d00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc >ffff88807e940d80: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ^ ffff88807e940e00: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc ffff88807e940e80: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ==================================================================