bisecting cause commit starting from ff539ac73ea559a8c146d99ab14bfcaddd30547a building syzkaller on 0d5abf15b74358009a02efb629f7bc7c84841a1f testing commit ff539ac73ea559a8c146d99ab14bfcaddd30547a compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 3ffa2e213bb90c8dcdb0cb0dec808668767f9a1268b015e70b0fa75b03dfc6fe all runs: crashed: KASAN: use-after-free Read in copy_page_from_iter_atomic testing release v5.18 testing commit 4b0986a3613c92f4ec1bdc7f60ec66fea135991f compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 8b2fbbc58e7328c30d360e13a3ae25329a0211016c731945c051d72ad0c29189 all runs: OK # git bisect start ff539ac73ea559a8c146d99ab14bfcaddd30547a 4b0986a3613c92f4ec1bdc7f60ec66fea135991f Bisecting: 8209 revisions left to test after this (roughly 13 steps) [c011dd537ffe47462051930413fed07dbdc80313] Merge tag 'arm-soc-5.19' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc testing commit c011dd537ffe47462051930413fed07dbdc80313 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 6523541427e185566742f6fcd702dc870f8ceed9ece69f34b5cb2e88e1ed065c run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: failed to write control pipe: write |NUM: broken pipe run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect good c011dd537ffe47462051930413fed07dbdc80313 Bisecting: 4107 revisions left to test after this (roughly 12 steps) [17d8e3d90b6989419806c1926b894d7d7483a25b] Merge tag 'ceph-for-5.19-rc1' of https://github.com/ceph/ceph-client testing commit 17d8e3d90b6989419806c1926b894d7d7483a25b compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: f1f5c30633d3e44f09a9e229421d2cf4c4af1b320c3f03042cf24713fea056d6 all runs: OK # git bisect good 17d8e3d90b6989419806c1926b894d7d7483a25b Bisecting: 2053 revisions left to test after this (roughly 11 steps) [1bd8965d7bbb6fdf92cb67ade3e4357ed5daeac1] Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git testing commit 1bd8965d7bbb6fdf92cb67ade3e4357ed5daeac1 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: c46a93a55e51673f316dadf4322cfbb50d95c6a67b6e70191c4456ee2444bad4 run #0: OK run #1: OK run #2: OK run #3: OK run #4: boot failed: INFO: task hung in add_early_randomness run #5: boot failed: INFO: task hung in add_early_randomness run #6: boot failed: INFO: task hung in add_early_randomness run #7: boot failed: INFO: task hung in add_early_randomness run #8: boot failed: INFO: task hung in add_early_randomness run #9: boot failed: INFO: task hung in add_early_randomness # git bisect good 1bd8965d7bbb6fdf92cb67ade3e4357ed5daeac1 Bisecting: 971 revisions left to test after this (roughly 10 steps) [58bd6da6f44bde76216a6c33eafa5bfed66737be] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git testing commit 58bd6da6f44bde76216a6c33eafa5bfed66737be compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: ea314ffc57e2f5d2e451582a2ecec81710d739181e4988a415e1a075f5fe1ad3 run #0: crashed: KASAN: use-after-free Read in copy_page_from_iter_atomic run #1: crashed: KASAN: use-after-free Read in copy_page_from_iter_atomic run #2: crashed: KASAN: use-after-free Read in copy_page_from_iter_atomic run #3: crashed: KASAN: use-after-free Read in copy_page_from_iter_atomic run #4: crashed: KASAN: use-after-free Read in copy_page_from_iter_atomic run #5: boot failed: INFO: task hung in add_early_randomness run #6: boot failed: INFO: task hung in add_early_randomness run #7: boot failed: INFO: task hung in add_early_randomness run #8: boot failed: INFO: task hung in add_early_randomness run #9: boot failed: INFO: task hung in add_early_randomness # git bisect bad 58bd6da6f44bde76216a6c33eafa5bfed66737be Bisecting: 551 revisions left to test after this (roughly 9 steps) [906a46499d453204f2f5a936193413eb3893e0e1] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/printk/linux.git testing commit 906a46499d453204f2f5a936193413eb3893e0e1 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: c55fb84ec25d47aa9687eeedef921d748ae721d4792808263f72b3ff1dbbc90c run #0: crashed: KASAN: use-after-free Read in copy_page_from_iter_atomic run #1: crashed: KASAN: use-after-free Read in copy_page_from_iter_atomic run #2: crashed: KASAN: use-after-free Read in copy_page_from_iter_atomic run #3: crashed: KASAN: use-after-free Read in copy_page_from_iter_atomic run #4: crashed: KASAN: use-after-free Read in copy_page_from_iter_atomic run #5: crashed: KASAN: use-after-free Read in copy_page_from_iter_atomic run #6: crashed: KASAN: use-after-free Read in copy_page_from_iter_atomic run #7: boot failed: INFO: task hung in add_early_randomness run #8: boot failed: INFO: task hung in add_early_randomness run #9: boot failed: INFO: task hung in add_early_randomness # git bisect bad 906a46499d453204f2f5a936193413eb3893e0e1 Bisecting: 263 revisions left to test after this (roughly 8 steps) [be1417d3f78e7d23587456b20ca51dee5bdf06f6] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/nsaenz/linux-rpi.git testing commit be1417d3f78e7d23587456b20ca51dee5bdf06f6 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 6d3463c01edd2c3788ef1b89ca8e30ac8e0500c180788b714e2c6788f43a7e48 run #0: OK run #1: OK run #2: OK run #3: OK run #4: OK run #5: boot failed: INFO: task hung in add_early_randomness run #6: boot failed: INFO: task hung in add_early_randomness run #7: boot failed: INFO: task hung in add_early_randomness run #8: boot failed: INFO: task hung in add_early_randomness run #9: boot failed: INFO: task hung in add_early_randomness # git bisect good be1417d3f78e7d23587456b20ca51dee5bdf06f6 Bisecting: 156 revisions left to test after this (roughly 7 steps) [fcd9d7b494de1f4acfbdf1f8f912ad23633fa9b3] Merge branch 'fscache-next' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git testing commit fcd9d7b494de1f4acfbdf1f8f912ad23633fa9b3 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: ebeaf3fa92342bb9aa7afe3baff793e33ac6e2130e0f90123884eb82471f1170 run #0: OK run #1: OK run #2: OK run #3: OK run #4: boot failed: INFO: task hung in add_early_randomness run #5: boot failed: INFO: task hung in add_early_randomness run #6: boot failed: INFO: task hung in add_early_randomness run #7: boot failed: INFO: task hung in add_early_randomness run #8: boot failed: INFO: task hung in add_early_randomness run #9: boot failed: INFO: task hung in add_early_randomness # git bisect good fcd9d7b494de1f4acfbdf1f8f912ad23633fa9b3 Bisecting: 78 revisions left to test after this (roughly 6 steps) [c549e3874b4855d0fecd11e9c668e4ba6e3bf49d] btrfs: open code inexact rbtree search in tree_search testing commit c549e3874b4855d0fecd11e9c668e4ba6e3bf49d compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 780e32e690f1b4ef5b0d26ea7e9249ea9817dfaae5a0dd74293262aa89c6eb13 run #0: OK run #1: OK run #2: OK run #3: boot failed: INFO: task hung in add_early_randomness run #4: boot failed: INFO: task hung in add_early_randomness run #5: boot failed: INFO: task hung in add_early_randomness run #6: boot failed: INFO: task hung in add_early_randomness run #7: boot failed: INFO: task hung in add_early_randomness run #8: boot failed: INFO: task hung in add_early_randomness run #9: boot failed: INFO: task hung in add_early_randomness # git bisect skip c549e3874b4855d0fecd11e9c668e4ba6e3bf49d Bisecting: 78 revisions left to test after this (roughly 6 steps) [2352da072a0952d4f336f7f8219256cf79791587] btrfs: use the new read repair code for buffered reads testing commit 2352da072a0952d4f336f7f8219256cf79791587 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 3a94d46a4ddded65b6d5d139b0fced043c904cd627dd0a667adb94560e91691c run #0: OK run #1: OK run #2: OK run #3: OK run #4: boot failed: INFO: task hung in add_early_randomness run #5: boot failed: INFO: task hung in add_early_randomness run #6: boot failed: INFO: task hung in add_early_randomness run #7: boot failed: INFO: task hung in add_early_randomness run #8: boot failed: INFO: task hung in add_early_randomness run #9: boot failed: INFO: task hung in add_early_randomness # git bisect good 2352da072a0952d4f336f7f8219256cf79791587 Bisecting: 38 revisions left to test after this (roughly 5 steps) [df2a7e0733cc8ea3408833c395a26fd4fa73b95b] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/gfs2/linux-gfs2.git testing commit df2a7e0733cc8ea3408833c395a26fd4fa73b95b compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 32ae769669909de8b2d41ed4b6dca0d84630002b3815020d0db48cb6885f0157 run #0: crashed: KASAN: use-after-free Read in copy_page_from_iter_atomic run #1: crashed: KASAN: use-after-free Read in copy_page_from_iter_atomic run #2: crashed: KASAN: use-after-free Read in copy_page_from_iter_atomic run #3: crashed: KASAN: use-after-free Read in copy_page_from_iter_atomic run #4: crashed: KASAN: use-after-free Read in copy_page_from_iter_atomic run #5: crashed: KASAN: use-after-free Read in copy_page_from_iter_atomic run #6: boot failed: INFO: task hung in add_early_randomness run #7: boot failed: INFO: task hung in add_early_randomness run #8: boot failed: INFO: task hung in add_early_randomness run #9: boot failed: INFO: task hung in add_early_randomness # git bisect bad df2a7e0733cc8ea3408833c395a26fd4fa73b95b Bisecting: 20 revisions left to test after this (roughly 4 steps) [1599d5e99eb6d31673b3b015275ff1c83cba2ab2] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux.git testing commit 1599d5e99eb6d31673b3b015275ff1c83cba2ab2 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 496cbf6a9d395d5e0ce32ef79576562e404d114912df48cbec3788f7af657ed7 run #0: crashed: KASAN: use-after-free Read in copy_page_from_iter_atomic run #1: crashed: KASAN: use-after-free Read in copy_page_from_iter_atomic run #2: crashed: KASAN: use-after-free Read in copy_page_from_iter_atomic run #3: crashed: KASAN: use-after-free Read in copy_page_from_iter_atomic run #4: crashed: KASAN: use-after-free Read in copy_page_from_iter_atomic run #5: crashed: KASAN: use-after-free Read in copy_page_from_iter_atomic run #6: boot failed: INFO: task hung in add_early_randomness run #7: boot failed: INFO: task hung in add_early_randomness run #8: boot failed: INFO: task hung in add_early_randomness run #9: boot failed: INFO: task hung in add_early_randomness # git bisect bad 1599d5e99eb6d31673b3b015275ff1c83cba2ab2 Bisecting: 9 revisions left to test after this (roughly 3 steps) [62221b54b299b54442187a9675e9a9532b6e4cbd] btrfs: unify tree search helper returning prev and next nodes testing commit 62221b54b299b54442187a9675e9a9532b6e4cbd compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 5adcfa9d25ca19d93c95a7e177268581af0a02f9bf1135647eb925e9d3f23fe4 run #0: OK run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: boot failed: INFO: task hung in add_early_randomness run #8: boot failed: INFO: task hung in add_early_randomness run #9: boot failed: INFO: task hung in add_early_randomness # git bisect good 62221b54b299b54442187a9675e9a9532b6e4cbd Bisecting: 4 revisions left to test after this (roughly 2 steps) [753e9f329627a383ab9fd78bbb2b9891ee8d85d6] Merge branch 'dev/extent-io-tree-cleanups' into for-next-next-v5.19-20220608 testing commit 753e9f329627a383ab9fd78bbb2b9891ee8d85d6 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: fedb148baaecff462b7374583d19d9b1ff6d5ec32e2a234880cbff75680bf53e run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: failed to write control pipe: write |NUM: broken pipe run #1: crashed: KASAN: use-after-free Read in copy_page_from_iter_atomic run #2: crashed: KASAN: use-after-free Read in copy_page_from_iter_atomic run #3: crashed: KASAN: use-after-free Read in copy_page_from_iter_atomic run #4: crashed: KASAN: use-after-free Read in copy_page_from_iter_atomic run #5: crashed: KASAN: use-after-free Read in copy_page_from_iter_atomic run #6: crashed: KASAN: use-after-free Read in copy_page_from_iter_atomic run #7: boot failed: INFO: task hung in add_early_randomness run #8: boot failed: INFO: task hung in add_early_randomness run #9: boot failed: INFO: task hung in add_early_randomness # git bisect bad 753e9f329627a383ab9fd78bbb2b9891ee8d85d6 Bisecting: 2 revisions left to test after this (roughly 1 step) [4cd4aed63125ccd4efc35162627827491c2a7be7] btrfs: fold repair_io_failure into btrfs_repair_eb_io_failure testing commit 4cd4aed63125ccd4efc35162627827491c2a7be7 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 76077f1e647285f0152faeda2deb2e894dd8d918c1e498b9a868cba7896accc8 run #0: crashed: KASAN: use-after-free Read in copy_page_from_iter_atomic run #1: crashed: KASAN: use-after-free Read in copy_page_from_iter_atomic run #2: crashed: KASAN: use-after-free Read in copy_page_from_iter_atomic run #3: crashed: KASAN: use-after-free Read in copy_page_from_iter_atomic run #4: crashed: KASAN: use-after-free Read in copy_page_from_iter_atomic run #5: boot failed: INFO: task hung in add_early_randomness run #6: boot failed: INFO: task hung in add_early_randomness run #7: boot failed: INFO: task hung in add_early_randomness run #8: boot failed: INFO: task hung in add_early_randomness run #9: boot failed: INFO: task hung in add_early_randomness # git bisect bad 4cd4aed63125ccd4efc35162627827491c2a7be7 Bisecting: 0 revisions left to test after this (roughly 0 steps) [9847626fded0932b1e362f3b63b57b8c5f55af6e] btrfs: remove io_failure_record infrastructure completely testing commit 9847626fded0932b1e362f3b63b57b8c5f55af6e compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 646fc4db596fcfc1bd8cb46fd62041252f5aea71ebcfdd710c709b9bde856063 run #0: OK run #1: OK run #2: OK run #3: OK run #4: boot failed: INFO: task hung in add_early_randomness run #5: boot failed: INFO: task hung in add_early_randomness run #6: boot failed: INFO: task hung in add_early_randomness run #7: boot failed: INFO: task hung in add_early_randomness run #8: boot failed: INFO: task hung in add_early_randomness run #9: boot failed: INFO: task hung in add_early_randomness # git bisect good 9847626fded0932b1e362f3b63b57b8c5f55af6e 4cd4aed63125ccd4efc35162627827491c2a7be7 is the first bad commit commit 4cd4aed63125ccd4efc35162627827491c2a7be7 Author: Christoph Hellwig Date: Fri May 27 10:43:20 2022 +0200 btrfs: fold repair_io_failure into btrfs_repair_eb_io_failure Fold repair_io_failure into the only remaining caller. This is still inefficient with single page I/Os, but I have some ideas on how to improve the metadata repair in the future. Signed-off-by: Christoph Hellwig Signed-off-by: David Sterba fs/btrfs/extent_io.c | 51 +++++++++++++++++---------------------------------- 1 file changed, 17 insertions(+), 34 deletions(-) culprit signature: 76077f1e647285f0152faeda2deb2e894dd8d918c1e498b9a868cba7896accc8 parent signature: 646fc4db596fcfc1bd8cb46fd62041252f5aea71ebcfdd710c709b9bde856063 revisions tested: 17, total time: 4h40m23.203648253s (build: 1h58m30.846595976s, test: 2h40m3.878913631s) first bad commit: 4cd4aed63125ccd4efc35162627827491c2a7be7 btrfs: fold repair_io_failure into btrfs_repair_eb_io_failure recipients (to): ["clm@fb.com" "dsterba@suse.com" "dsterba@suse.com" "hch@lst.de" "josef@toxicpanda.com" "linux-btrfs@vger.kernel.org"] recipients (cc): ["linux-kernel@vger.kernel.org"] crash: KASAN: use-after-free Read in copy_page_from_iter_atomic BTRFS error (device loop0): bad tree block start, want 30490624 have 0 ================================================================== BUG: KASAN: use-after-free in copy_page_from_iter_atomic+0xb95/0x1560 lib/iov_iter.c:969 Read of size 4096 at addr ffff88817db41000 by task kworker/u4:0/8 CPU: 1 PID: 8 Comm: kworker/u4:0 Not tainted 5.19.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: loop0 loop_workfn Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x57/0x7d lib/dump_stack.c:106 print_address_description.constprop.0.cold+0xeb/0x495 mm/kasan/report.c:313 print_report mm/kasan/report.c:429 [inline] kasan_report.cold+0xf4/0x1c6 mm/kasan/report.c:491 check_region_inline mm/kasan/generic.c:183 [inline] kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189 memcpy+0x20/0x60 mm/kasan/shadow.c:65 copy_page_from_iter_atomic+0xb95/0x1560 lib/iov_iter.c:969 generic_perform_write+0x25f/0x480 mm/filemap.c:3777 __generic_file_write_iter+0x20e/0x400 mm/filemap.c:3897 generic_file_write_iter+0xb9/0x1c0 mm/filemap.c:3929 call_write_iter include/linux/fs.h:2058 [inline] do_iter_readv_writev+0x2b4/0x5b0 fs/read_write.c:742 do_iter_write+0x124/0x620 fs/read_write.c:868 lo_write_bvec drivers/block/loop.c:249 [inline] lo_write_simple drivers/block/loop.c:271 [inline] do_req_filebacked drivers/block/loop.c:495 [inline] loop_handle_cmd drivers/block/loop.c:1859 [inline] loop_process_work+0xb4f/0x1b90 drivers/block/loop.c:1894 process_one_work+0x865/0x13d0 kernel/workqueue.c:2289 worker_thread+0x598/0xec0 kernel/workqueue.c:2436 kthread+0x299/0x340 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302 The buggy address belongs to the physical page: page:ffffea0005f6d040 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x17db41 flags: 0x57ff00000000000(node=1|zone=2|lastcpupid=0x7ff) raw: 057ff00000000000 ffffea0005f6d048 ffffea0005f6d048 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner info is not present (never set?) Memory state around the buggy address: ffff88817db40f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88817db40f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff88817db41000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff88817db41080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88817db41100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ==================================================================