bisecting cause commit starting from b47d5a4f6b8d42f8a8fbe891b36215e4fddc53be building syzkaller on d88ef0c5c80d45a060e170c2706371f6b2957f55 testing commit b47d5a4f6b8d42f8a8fbe891b36215e4fddc53be compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: e2e8190eaa94ccbc86333cbf04e87f3c268509ce060c22b741e473af8b6ed33b run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: EOF run #1: crashed: KASAN: use-after-free Read in add_wait_queue run #2: crashed: KASAN: use-after-free Read in tty_release run #3: crashed: BUG: unable to handle kernel paging request in corrupted run #4: crashed: BUG: unable to handle kernel paging request in corrupted run #5: crashed: KASAN: use-after-free Read in add_wait_queue run #6: crashed: KASAN: use-after-free Read in add_wait_queue run #7: crashed: BUG: corrupted list in add_wait_queue run #8: crashed: KASAN: use-after-free Read in tty_release run #9: crashed: BUG: unable to handle kernel paging request in corrupted run #10: crashed: KASAN: use-after-free Read in tty_release run #11: crashed: BUG: unable to handle kernel paging request in corrupted run #12: crashed: KASAN: use-after-free Read in add_wait_queue run #13: crashed: KASAN: use-after-free Read in tty_release run #14: crashed: KASAN: use-after-free Read in add_wait_queue run #15: crashed: KASAN: use-after-free Read in tty_release run #16: crashed: KASAN: use-after-free Read in tty_release run #17: crashed: BUG: unable to handle kernel paging request in corrupted run #18: crashed: KASAN: use-after-free Read in add_wait_queue run #19: crashed: KASAN: use-after-free Read in tty_release testing release v5.17 testing commit f443e374ae131c168a065ea1748feac6b2e76613 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 6a6f3e1f37baf9b70eddac79e3bee413acbada6f28d7eb3f13642370c123e7f9 all runs: OK # git bisect start b47d5a4f6b8d42f8a8fbe891b36215e4fddc53be f443e374ae131c168a065ea1748feac6b2e76613 Bisecting: 748 revisions left to test after this (roughly 10 steps) [5628b8de1228436d47491c662dc521bc138a3d43] Merge tag 'random-5.18-rc1-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/crng/random testing commit 5628b8de1228436d47491c662dc521bc138a3d43 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 56cb96337c7d8f141b38bbb674be55d18f56ea6de50ebe5f65d9b548033336cb all runs: OK # git bisect good 5628b8de1228436d47491c662dc521bc138a3d43 Bisecting: 355 revisions left to test after this (roughly 9 steps) [69d1dea852b54eecd8ad2ec92a7fd371e9aec4bd] Merge tag 'for-5.18/drivers-2022-03-18' of git://git.kernel.dk/linux-block testing commit 69d1dea852b54eecd8ad2ec92a7fd371e9aec4bd compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 807a4f574c5faed3890ea6adf65419f6b9be2165ec8466d9e1f660282ef36238 run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: EOF run #1: basic kernel testing failed: BUG: program execution failed: executor NUM: EOF run #2: crashed: KASAN: use-after-free Read in tty_release run #3: crashed: BUG: corrupted list in add_wait_queue run #4: crashed: KASAN: use-after-free Read in add_wait_queue run #5: crashed: KASAN: use-after-free Read in tty_release run #6: crashed: BUG: unable to handle kernel paging request in corrupted run #7: crashed: KASAN: use-after-free Read in tty_release run #8: crashed: BUG: unable to handle kernel paging request in corrupted run #9: crashed: KASAN: use-after-free Read in tty_release # git bisect bad 69d1dea852b54eecd8ad2ec92a7fd371e9aec4bd Bisecting: 209 revisions left to test after this (roughly 8 steps) [b080cee72ef355669cbc52ff55dc513d37433600] Merge tag 'for-5.18/io_uring-statx-2022-03-18' of git://git.kernel.dk/linux-block testing commit b080cee72ef355669cbc52ff55dc513d37433600 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 79d7cf118e8612e86df50d88f0a3201ae47fd55323ed2120ee2ad49cf9dc99c5 run #0: crashed: KASAN: use-after-free Read in tty_release run #1: crashed: KASAN: use-after-free Read in add_wait_queue run #2: crashed: KASAN: use-after-free Read in tty_release run #3: crashed: BUG: corrupted list in add_wait_queue run #4: crashed: KASAN: use-after-free Read in add_wait_queue run #5: crashed: KASAN: use-after-free Read in tty_release run #6: crashed: KASAN: use-after-free Read in add_wait_queue run #7: crashed: KASAN: use-after-free Read in add_wait_queue run #8: crashed: KASAN: use-after-free Read in add_wait_queue run #9: crashed: BUG: corrupted list in add_wait_queue # git bisect bad b080cee72ef355669cbc52ff55dc513d37433600 Bisecting: 91 revisions left to test after this (roughly 7 steps) [c4f51eab6ce0b7138f375673dbb2789e49b6d028] hwrng: atmel - add runtime pm support testing commit c4f51eab6ce0b7138f375673dbb2789e49b6d028 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: d50bf329a037fd38625a2c160be624820e150b8001c7a603a451117966bffb95 run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: EOF run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect good c4f51eab6ce0b7138f375673dbb2789e49b6d028 Bisecting: 45 revisions left to test after this (roughly 6 steps) [0e03b8fd29363f2df44e2a7a176d486de550757a] crypto: xilinx - Turn SHA into a tristate and allow COMPILE_TEST testing commit 0e03b8fd29363f2df44e2a7a176d486de550757a compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 6f1a6b4e96389d9a305f4b2d0b23c483ad962d7b1e65683f0e72fd89a5802708 all runs: OK # git bisect good 0e03b8fd29363f2df44e2a7a176d486de550757a Bisecting: 22 revisions left to test after this (roughly 5 steps) [2be2eb02e2f5a096c351e5b70c46cfef259dabcd] io_uring: ensure reads re-import for selected buffers testing commit 2be2eb02e2f5a096c351e5b70c46cfef259dabcd compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 4be51f39b29eb89ed63f5d6e0b233254be30d31c6145de892d718e6aa80fe7e3 run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: EOF run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect good 2be2eb02e2f5a096c351e5b70c46cfef259dabcd Bisecting: 11 revisions left to test after this (roughly 4 steps) [3b2b78a8eb7cc38d207c5ee516769bc3f44d19ea] io_uring: extend provided buf return to fails testing commit 3b2b78a8eb7cc38d207c5ee516769bc3f44d19ea compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 3f08f08e4c44bcad051d7136ca191ca908a4d03a4dec6aa06444c2f36d783757 run #0: crashed: KASAN: use-after-free Read in add_wait_queue run #1: crashed: KASAN: use-after-free Read in tty_release run #2: crashed: KASAN: use-after-free Read in io_poll_remove_entries run #3: crashed: KASAN: use-after-free Read in io_poll_remove_entries run #4: crashed: KASAN: use-after-free Read in tty_release run #5: crashed: KASAN: use-after-free Read in tty_release run #6: crashed: KASAN: use-after-free Read in add_wait_queue run #7: crashed: KASAN: use-after-free Read in add_wait_queue run #8: crashed: KASAN: use-after-free Read in add_wait_queue run #9: crashed: KASAN: use-after-free Read in tty_release # git bisect bad 3b2b78a8eb7cc38d207c5ee516769bc3f44d19ea Bisecting: 5 revisions left to test after this (roughly 3 steps) [052ebf1fbb1cab86b145a68d80219c8c57321cbd] io_uring: make tracing format consistent testing commit 052ebf1fbb1cab86b145a68d80219c8c57321cbd compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 8375e0ab2c3667c22841b653f64d4e56ff921485cd0e9044a786be756ab5cd43 all runs: OK # git bisect good 052ebf1fbb1cab86b145a68d80219c8c57321cbd Bisecting: 2 revisions left to test after this (roughly 2 steps) [91eac1c69c202d9dad8bf717ae5b92db70bfe5cf] io_uring: cache poll/double-poll state with a request flag testing commit 91eac1c69c202d9dad8bf717ae5b92db70bfe5cf compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 59313123c824d18af1c2d822486a037c6ecb563d8790dafba20f8598ddf880e9 run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: EOF run #1: crashed: KASAN: use-after-free Read in tty_release run #2: crashed: KASAN: use-after-free Read in add_wait_queue run #3: crashed: KASAN: use-after-free Read in tty_release run #4: crashed: KASAN: use-after-free Read in tty_release run #5: crashed: KASAN: use-after-free Read in tty_release run #6: crashed: BUG: corrupted list in add_wait_queue run #7: crashed: KASAN: use-after-free Read in tty_release run #8: crashed: KASAN: use-after-free Read in tty_release run #9: crashed: KASAN: use-after-free Read in add_wait_queue # git bisect bad 91eac1c69c202d9dad8bf717ae5b92db70bfe5cf Bisecting: 0 revisions left to test after this (roughly 1 step) [81459350d581e958ee9c6e76031f77333881c23c] io_uring: cache req->apoll->events in req->cflags testing commit 81459350d581e958ee9c6e76031f77333881c23c compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: f058d66a9e589b6b9a1806299743ec6d08883a1d5faff494b051c9893ee9309c all runs: OK # git bisect good 81459350d581e958ee9c6e76031f77333881c23c 91eac1c69c202d9dad8bf717ae5b92db70bfe5cf is the first bad commit commit 91eac1c69c202d9dad8bf717ae5b92db70bfe5cf Author: Jens Axboe Date: Wed Mar 16 16:59:10 2022 -0600 io_uring: cache poll/double-poll state with a request flag With commit "io_uring: cache req->apoll->events in req->cflags" applied, we now have just io_poll_remove_entries() dipping into req->apoll when it isn't strictly necessary. Mark poll and double-poll with a flag, so we know if we need to look at apoll->double_poll. This avoids pulling in those cachelines if we don't need them. The common case is that the poll wake handler already removed these entries while hot off the completion path. Signed-off-by: Jens Axboe fs/io_uring.c | 24 +++++++++++++++++++----- 1 file changed, 19 insertions(+), 5 deletions(-) culprit signature: 59313123c824d18af1c2d822486a037c6ecb563d8790dafba20f8598ddf880e9 parent signature: f058d66a9e589b6b9a1806299743ec6d08883a1d5faff494b051c9893ee9309c revisions tested: 12, total time: 2h22m9.967856901s (build: 1h30m49.386855603s, test: 50m18.593610136s) first bad commit: 91eac1c69c202d9dad8bf717ae5b92db70bfe5cf io_uring: cache poll/double-poll state with a request flag recipients (to): ["axboe@kernel.dk" "axboe@kernel.dk" "io-uring@vger.kernel.org"] recipients (cc): ["asml.silence@gmail.com" "linux-kernel@vger.kernel.org"] crash: KASAN: use-after-free Read in add_wait_queue ================================================================== BUG: KASAN: use-after-free in __add_wait_queue include/linux/wait.h:177 [inline] BUG: KASAN: use-after-free in add_wait_queue+0x1c0/0x260 kernel/sched/wait.c:24 Read of size 4 at addr ffff88801ac1ff18 by task syz-executor110/4140 CPU: 0 PID: 4140 Comm: syz-executor110 Not tainted 5.17.0-rc7-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x57/0x7d lib/dump_stack.c:106 print_address_description.constprop.0.cold+0x8d/0x336 mm/kasan/report.c:255 __kasan_report mm/kasan/report.c:442 [inline] kasan_report.cold+0x83/0xdf mm/kasan/report.c:459 __add_wait_queue include/linux/wait.h:177 [inline] add_wait_queue+0x1c0/0x260 kernel/sched/wait.c:24 poll_wait include/linux/poll.h:49 [inline] n_tty_poll+0x5c/0x790 drivers/tty/n_tty.c:2322 tty_poll+0x10e/0x180 drivers/tty/tty_io.c:2212 vfs_poll include/linux/poll.h:88 [inline] __io_arm_poll_handler+0x373/0xb90 fs/io_uring.c:6126 io_arm_poll_handler+0x39e/0x880 fs/io_uring.c:6218 io_queue_sqe_arm_apoll+0x52/0x350 fs/io_uring.c:7459 __io_queue_sqe fs/io_uring.c:7501 [inline] io_queue_sqe fs/io_uring.c:7528 [inline] io_submit_sqe fs/io_uring.c:7736 [inline] io_submit_sqes+0x6360/0x80f0 fs/io_uring.c:7842 __do_sys_io_uring_enter+0x6d3/0x1030 fs/io_uring.c:10873 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f6059d99fc9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffe6874fa88 EFLAGS: 00000246 ORIG_RAX: 00000000000001aa RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007f6059d99fc9 RDX: 0000000000000000 RSI: 0000000000001261 RDI: 0000000000000004 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000fa32 R13: 00007ffe6874faac R14: 00007ffe6874fac0 R15: 00007ffe6874fab0 Allocated by task 4135: kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 kasan_set_track mm/kasan/common.c:45 [inline] set_alloc_info mm/kasan/common.c:436 [inline] ____kasan_kmalloc mm/kasan/common.c:515 [inline] ____kasan_kmalloc mm/kasan/common.c:474 [inline] __kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:524 kmalloc include/linux/slab.h:581 [inline] io_arm_poll_handler+0x30e/0x880 fs/io_uring.c:6209 io_queue_sqe_arm_apoll+0x52/0x350 fs/io_uring.c:7459 __io_queue_sqe fs/io_uring.c:7501 [inline] io_queue_sqe fs/io_uring.c:7528 [inline] io_submit_sqe fs/io_uring.c:7736 [inline] io_submit_sqes+0x6360/0x80f0 fs/io_uring.c:7842 __do_sys_io_uring_enter+0x6d3/0x1030 fs/io_uring.c:10873 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae Freed by task 4135: kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 kasan_set_track+0x21/0x30 mm/kasan/common.c:45 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370 ____kasan_slab_free mm/kasan/common.c:366 [inline] ____kasan_slab_free+0x126/0x160 mm/kasan/common.c:328 kasan_slab_free include/linux/kasan.h:236 [inline] slab_free_hook mm/slub.c:1728 [inline] slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1754 slab_free mm/slub.c:3509 [inline] kfree+0xd0/0x390 mm/slub.c:4562 io_clean_op+0x198/0xbc0 fs/io_uring.c:7097 io_dismantle_req fs/io_uring.c:2245 [inline] __io_req_complete_post+0x77d/0xaf0 fs/io_uring.c:2083 io_req_complete_post+0x53/0x1f0 fs/io_uring.c:2096 handle_tw_list fs/io_uring.c:2455 [inline] tctx_task_work+0x50f/0xf10 fs/io_uring.c:2489 task_work_run+0xc0/0x160 kernel/task_work.c:164 exit_task_work include/linux/task_work.h:32 [inline] do_exit+0x9ab/0x2500 kernel/exit.c:806 do_group_exit+0xb2/0x2a0 kernel/exit.c:935 __do_sys_exit_group kernel/exit.c:946 [inline] __se_sys_exit_group kernel/exit.c:944 [inline] __x64_sys_exit_group+0x35/0x40 kernel/exit.c:944 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae The buggy address belongs to the object at ffff88801ac1ff00 which belongs to the cache kmalloc-96 of size 96 The buggy address is located 24 bytes inside of 96-byte region [ffff88801ac1ff00, ffff88801ac1ff60) The buggy address belongs to the page: page:ffffea00006b07c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1ac1f flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000200 dead000000000100 dead000000000122 ffff88800fc41780 raw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 44, ts 4884089645, free_ts 4883325258 prep_new_page mm/page_alloc.c:2434 [inline] get_page_from_freelist+0xa6f/0x2f10 mm/page_alloc.c:4165 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5389 alloc_slab_page mm/slub.c:1799 [inline] allocate_slab+0x27f/0x3c0 mm/slub.c:1944 new_slab mm/slub.c:2004 [inline] ___slab_alloc+0xbe3/0x12a0 mm/slub.c:3018 __slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3105 slab_alloc_node mm/slub.c:3196 [inline] slab_alloc mm/slub.c:3238 [inline] kmem_cache_alloc_trace+0x2f8/0x3d0 mm/slub.c:3255 kmalloc include/linux/slab.h:581 [inline] kzalloc include/linux/slab.h:714 [inline] blk_mq_alloc_ctxs block/blk-mq.c:3815 [inline] blk_mq_init_allocated_queue+0x178/0x14e0 block/blk-mq.c:4033 blk_mq_init_queue_data block/blk-mq.c:3876 [inline] blk_mq_init_queue+0x98/0x100 block/blk-mq.c:3886 scsi_alloc_sdev+0x827/0xc00 drivers/scsi/scsi_scan.c:330 scsi_probe_and_add_lun+0x1789/0x2e00 drivers/scsi/scsi_scan.c:1167 __scsi_scan_target+0x1ab/0xad0 drivers/scsi/scsi_scan.c:1649 scsi_scan_channel drivers/scsi/scsi_scan.c:1737 [inline] scsi_scan_channel+0xdf/0x160 drivers/scsi/scsi_scan.c:1713 scsi_scan_host_selected+0x1ef/0x2a0 drivers/scsi/scsi_scan.c:1766 do_scan_async+0x3a/0x450 drivers/scsi/scsi_scan.c:1915 async_run_entry_fn+0x8e/0x4f0 kernel/async.c:127 process_one_work+0x879/0x1410 kernel/workqueue.c:2307 page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1352 [inline] free_pcp_prepare+0x374/0x870 mm/page_alloc.c:1404 free_unref_page_prepare mm/page_alloc.c:3325 [inline] free_unref_page+0x19/0x690 mm/page_alloc.c:3404 __vunmap+0x5af/0x9e0 mm/vmalloc.c:2635 free_work+0x4b/0x70 mm/vmalloc.c:97 process_one_work+0x879/0x1410 kernel/workqueue.c:2307 worker_thread+0x5a0/0xf60 kernel/workqueue.c:2454 kthread+0x299/0x340 kernel/kthread.c:377 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 Memory state around the buggy address: ffff88801ac1fe00: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc ffff88801ac1fe80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc >ffff88801ac1ff00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ^ ffff88801ac1ff80: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc ffff88801ac20000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ==================================================================