bisecting cause commit starting from 4ef8451b332662d004df269d4cdeb7d9f31419b5 building syzkaller on cba33199be220cbf61f7c0c8223d88a25a913d6f testing commit 4ef8451b332662d004df269d4cdeb7d9f31419b5 with gcc (GCC) 8.1.0 kernel signature: 02d55375427ef8360271ef0636931afac1d7740ea323df1bf33488b1379ef55c run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_cred run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_cred run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_cred run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_cred run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_cred run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_cred run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_cred run #7: crashed: BUG: unable to handle kernel paging request in io_uring_show_cred run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_cred run #9: crashed: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_cred testing release v5.9 testing commit bbf5c979011a099af5dc76498918ed7df445635b with gcc (GCC) 8.1.0 kernel signature: 934f0a134532bbbd345c7e8b605e59600f755e76ac937b8aa8fb348b839f419b all runs: OK # git bisect start 4ef8451b332662d004df269d4cdeb7d9f31419b5 bbf5c979011a099af5dc76498918ed7df445635b Bisecting: 7648 revisions left to test after this (roughly 13 steps) [ca5387e448e1f88440dc93e143b353592f8a8af6] Merge tag 'configfs-5.10' of git://git.infradead.org/users/hch/configfs testing commit ca5387e448e1f88440dc93e143b353592f8a8af6 with gcc (GCC) 8.1.0 kernel signature: 736060cb764d05cb49cf8a065ce04237714b3b13800cb566f89177e0799f93ee all runs: OK # git bisect good ca5387e448e1f88440dc93e143b353592f8a8af6 Bisecting: 3825 revisions left to test after this (roughly 12 steps) [2a934b38c066ff221b08a9c703314a2a1c885dbd] Merge tag 'i3c/for-5.10' of git://git.kernel.org/pub/scm/linux/kernel/git/i3c/linux testing commit 2a934b38c066ff221b08a9c703314a2a1c885dbd with gcc (GCC) 8.1.0 kernel signature: 35c4b21c28cbd5077c8db4433cd7fa41acbca33ddff6f1add39511b72dcf8cb7 all runs: OK # git bisect good 2a934b38c066ff221b08a9c703314a2a1c885dbd Bisecting: 1937 revisions left to test after this (roughly 11 steps) [0adc313c4f20639f7e235b8d6719d96a2024cf91] Merge tag 'gfs2-for-5.10' of git://git.kernel.org/pub/scm/linux/kernel/git/gfs2/linux-gfs2 testing commit 0adc313c4f20639f7e235b8d6719d96a2024cf91 with gcc (GCC) 8.1.0 kernel signature: 48e9e74e036668dba0ad57c71756626b2fcf0b8fa87e91df7a5fa5d7f6018c7b run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_cred run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_cred run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_cred run #3: crashed: BUG: unable to handle kernel paging request in io_uring_show_cred run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_cred run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_cred run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_cred run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_cred run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_cred run #9: crashed: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_cred # git bisect bad 0adc313c4f20639f7e235b8d6719d96a2024cf91 Bisecting: 957 revisions left to test after this (roughly 10 steps) [68a3633694ab37b368edc30d59235e8348e2d00e] Merge branch 'dmi-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jdelvare/staging testing commit 68a3633694ab37b368edc30d59235e8348e2d00e with gcc (GCC) 8.1.0 kernel signature: 80d487258d0fdbf4f3003fa52997a2f1c07c13237dcde4c725cd0496767e0115 run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_cred run #1: crashed: BUG: unable to handle kernel paging request in io_uring_show_cred run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_cred run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_cred run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_cred run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_cred run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_cred run #7: crashed: BUG: unable to handle kernel paging request in io_uring_show_cred run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_cred run #9: crashed: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_cred # git bisect bad 68a3633694ab37b368edc30d59235e8348e2d00e Bisecting: 448 revisions left to test after this (roughly 9 steps) [41eea65e2aaadc0611fd56a1b177ce25dcc4c1df] Merge tag 'core-rcu-2020-10-12' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip testing commit 41eea65e2aaadc0611fd56a1b177ce25dcc4c1df with gcc (GCC) 8.1.0 kernel signature: d57ef5ee18bb5d7e10e7d7791d481cb46e6c01f4c80f1910ac33727b0db371c2 all runs: OK # git bisect good 41eea65e2aaadc0611fd56a1b177ce25dcc4c1df Bisecting: 199 revisions left to test after this (roughly 8 steps) [38525c6919e2f6b27c1855905f342a0def3cbdcf] Merge tag 'for-v5.10' of git://git.kernel.org/pub/scm/linux/kernel/git/sre/linux-power-supply testing commit 38525c6919e2f6b27c1855905f342a0def3cbdcf with gcc (GCC) 8.1.0 kernel signature: 7bf74169b52180b2f8671dd7c70ae64605d6fabac4484d8f35318d60f15aeea5 all runs: OK # git bisect good 38525c6919e2f6b27c1855905f342a0def3cbdcf Bisecting: 111 revisions left to test after this (roughly 7 steps) [c4d6fe7311762f2e03b3c27ad38df7c40c80cc93] Merge tag 'xarray-5.9' of git://git.infradead.org/users/willy/xarray testing commit c4d6fe7311762f2e03b3c27ad38df7c40c80cc93 with gcc (GCC) 8.1.0 kernel signature: 568345f36739406b523df7045784a3c4eb98911a6d7a94733bbfbf77397c2630 run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_cred run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_cred run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_cred run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_cred run #4: crashed: BUG: unable to handle kernel paging request in io_uring_show_cred run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_cred run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_cred run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_cred run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_cred run #9: crashed: BUG: unable to handle kernel paging request in io_uring_show_cred # git bisect bad c4d6fe7311762f2e03b3c27ad38df7c40c80cc93 Bisecting: 43 revisions left to test after this (roughly 6 steps) [06216ecbd93688f7acb617e186b9556a565a13bd] SUNRPC: Split out xdr_realign_pages() from xdr_align_pages() testing commit 06216ecbd93688f7acb617e186b9556a565a13bd with gcc (GCC) 8.1.0 kernel signature: d0455958d87850326482f106ddef8f681b1bb0730c2c1938041798dbf08945c1 all runs: OK # git bisect good 06216ecbd93688f7acb617e186b9556a565a13bd Bisecting: 21 revisions left to test after this (roughly 5 steps) [4962a85696f9439970bfd84f7ce23b2721f13549] Merge tag 'io_uring-5.10-2020-10-20' of git://git.kernel.dk/linux-block testing commit 4962a85696f9439970bfd84f7ce23b2721f13549 with gcc (GCC) 8.1.0 kernel signature: f3d0baa8aa57d105bd0421e58bf031cc5ef7281212aecf5a733781e330a19d1a all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_cred # git bisect bad 4962a85696f9439970bfd84f7ce23b2721f13549 Bisecting: 10 revisions left to test after this (roughly 4 steps) [dfead8a8e2c494b947480bac90a6f9792f08bc12] io_uring: rely solely on work flags to determine personality. testing commit dfead8a8e2c494b947480bac90a6f9792f08bc12 with gcc (GCC) 8.1.0 kernel signature: 6e5be5e483378cc6f11e954c9473fca185f90c6a47ded6a9d8b180e1fd4fc912 all runs: OK # git bisect good dfead8a8e2c494b947480bac90a6f9792f08bc12 Bisecting: 5 revisions left to test after this (roughly 3 steps) [d8a6df10aac9f2e4d5f30aff3129d552d2984ce7] io_uring: use percpu counters to track inflight requests testing commit d8a6df10aac9f2e4d5f30aff3129d552d2984ce7 with gcc (GCC) 8.1.0 kernel signature: ff6a952c0980f8f31071198827a9df8fc690d20de2b13be6fb2a0c3f1cc33bfb run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_cred run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_cred run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_cred run #3: crashed: BUG: unable to handle kernel paging request in io_uring_show_cred run #4: crashed: BUG: unable to handle kernel paging request in io_uring_show_cred run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_cred run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_cred run #7: crashed: BUG: unable to handle kernel paging request in io_uring_show_cred run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_cred run #9: crashed: BUG: unable to handle kernel paging request in io_uring_show_cred # git bisect bad d8a6df10aac9f2e4d5f30aff3129d552d2984ce7 Bisecting: 2 revisions left to test after this (roughly 1 step) [1e6fa5216a0e59ef02e8b6b40d553238a3b81d49] io_uring: COW io_identity on mismatch testing commit 1e6fa5216a0e59ef02e8b6b40d553238a3b81d49 with gcc (GCC) 8.1.0 kernel signature: 74ff9bd751290a41bb5be5ef0900ef55a85144dd1540fd5e12f9d4ae977bef72 run #0: crashed: BUG: unable to handle kernel paging request in io_uring_show_cred run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_cred run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_cred run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_cred run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_cred run #5: crashed: BUG: unable to handle kernel paging request in io_uring_show_cred run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_cred run #7: crashed: BUG: unable to handle kernel paging request in io_uring_show_cred run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_cred run #9: crashed: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_cred # git bisect bad 1e6fa5216a0e59ef02e8b6b40d553238a3b81d49 Bisecting: 0 revisions left to test after this (roughly 0 steps) [98447d65b4a7a59f8ea37dc6e5d743247d9a7b01] io_uring: move io identity items into separate struct testing commit 98447d65b4a7a59f8ea37dc6e5d743247d9a7b01 with gcc (GCC) 8.1.0 kernel signature: ad9c284bc13e7a9b2df479479dd228f35de4cf75ea1978c05161e53ce612fdbc all runs: OK # git bisect good 98447d65b4a7a59f8ea37dc6e5d743247d9a7b01 1e6fa5216a0e59ef02e8b6b40d553238a3b81d49 is the first bad commit commit 1e6fa5216a0e59ef02e8b6b40d553238a3b81d49 Author: Jens Axboe Date: Thu Oct 15 08:46:24 2020 -0600 io_uring: COW io_identity on mismatch If the io_identity doesn't completely match the task, then create a copy of it and use that. The existing copy remains valid until the last user of it has gone away. This also changes the personality lookup to be indexed by io_identity, instead of creds directly. Signed-off-by: Jens Axboe fs/io_uring.c | 222 ++++++++++++++++++++++++++++++++++++----------- include/linux/io_uring.h | 1 + 2 files changed, 171 insertions(+), 52 deletions(-) culprit signature: 74ff9bd751290a41bb5be5ef0900ef55a85144dd1540fd5e12f9d4ae977bef72 parent signature: ad9c284bc13e7a9b2df479479dd228f35de4cf75ea1978c05161e53ce612fdbc revisions tested: 15, total time: 2h45m45.714543058s (build: 1h5m41.858344642s, test: 1h38m33.187717137s) first bad commit: 1e6fa5216a0e59ef02e8b6b40d553238a3b81d49 io_uring: COW io_identity on mismatch recipients (to): ["axboe@kernel.dk" "axboe@kernel.dk" "io-uring@vger.kernel.org"] recipients (cc): ["linux-fsdevel@vger.kernel.org" "linux-kernel@vger.kernel.org" "viro@zeniv.linux.org.uk"] crash: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_cred BUG: kernel NULL pointer dereference, address: 0000000000000004 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 11e691067 P4D 11e691067 PUD 11e6d3067 PMD 0 Oops: 0000 [#1] PREEMPT SMP CPU: 1 PID: 10230 Comm: syz-executor.5 Not tainted 5.9.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:io_uring_show_cred+0x134/0x1e0 fs/io_uring.c:8935 Code: 73 df ff 48 c7 c6 4e 1c 63 84 48 89 ef 89 c2 e8 52 c7 fb ff 48 c7 c6 f3 15 4c 84 48 89 ef e8 b3 b5 fb ff 4d 8b a6 a0 00 00 00 <41> 8b 44 24 04 85 c0 7e 52 41 8b 74 24 08 4c 89 ef 31 db 49 c7 c7 RSP: 0018:ffffc90002f83c68 EFLAGS: 00010216 RAX: ffff88811e6520ca RBX: 0000000000000000 RCX: 0000000000000000 RDX: 000000000000000a RSI: ffffffff844c15fd RDI: ffff88811e6520d4 RBP: ffff888106dc0488 R08: 0000000000000009 R09: 0000000000ffff0a R10: ffffc90002f83ca0 R11: 0000000000000000 R12: 0000000000000000 R13: ffffffff84aff680 R14: ffff88811e56c2c0 R15: 0000000000000000 FS: 00007f633a743700(0000) GS:ffff88813bd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000004 CR3: 000000011e6d1000 CR4: 00000000001506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: idr_for_each+0x57/0xc0 lib/idr.c:208 __io_uring_show_fdinfo fs/io_uring.c:8987 [inline] io_uring_show_fdinfo+0x24b/0x4e0 fs/io_uring.c:9009 seq_show+0x163/0x260 fs/proc/fd.c:65 seq_read+0x120/0x3e0 fs/seq_file.c:208 do_loop_readv_writev fs/read_write.c:742 [inline] do_iter_read+0x13f/0x1b0 fs/read_write.c:784 vfs_readv+0x68/0xa0 fs/read_write.c:902 do_preadv+0x87/0xd0 fs/read_write.c:994 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x45deb9 Code: 0d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007f633a742c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000127 RAX: ffffffffffffffda RBX: 0000000000025e40 RCX: 000000000045deb9 RDX: 0000000000000001 RSI: 0000000020001400 RDI: 0000000000000004 RBP: 000000000118bf70 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118bf2c R13: 00007ffdac59826f R14: 00007f633a7439c0 R15: 000000000118bf2c Modules linked in: CR2: 0000000000000004 ---[ end trace 329d263723125e6b ]--- RIP: 0010:io_uring_show_cred+0x134/0x1e0 fs/io_uring.c:8935 Code: 73 df ff 48 c7 c6 4e 1c 63 84 48 89 ef 89 c2 e8 52 c7 fb ff 48 c7 c6 f3 15 4c 84 48 89 ef e8 b3 b5 fb ff 4d 8b a6 a0 00 00 00 <41> 8b 44 24 04 85 c0 7e 52 41 8b 74 24 08 4c 89 ef 31 db 49 c7 c7 RSP: 0018:ffffc90002f83c68 EFLAGS: 00010216 RAX: ffff88811e6520ca RBX: 0000000000000000 RCX: 0000000000000000 RDX: 000000000000000a RSI: ffffffff844c15fd RDI: ffff88811e6520d4 RBP: ffff888106dc0488 R08: 0000000000000009 R09: 0000000000ffff0a R10: ffffc90002f83ca0 R11: 0000000000000000 R12: 0000000000000000 R13: ffffffff84aff680 R14: ffff88811e56c2c0 R15: 0000000000000000 FS: 00007f633a743700(0000) GS:ffff88813bd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f84c22d1740 CR3: 000000011e6d1000 CR4: 00000000001506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400