ci starts bisection 2022-10-09 15:27:54.139194437 +0000 UTC m=+107619.160606253 bisecting cause commit starting from a6afa4199d3d038fbfdff5511f7523b0e30cb774 building syzkaller on aea5da898f473385f3b66c94f8aa49ca9a1c9744 ensuring issue is reproducible on original commit a6afa4199d3d038fbfdff5511f7523b0e30cb774 testing commit a6afa4199d3d038fbfdff5511f7523b0e30cb774 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: ff6e56de3117f52baf0ae6f42e57cda974484eef80ce10eae29828986828bc25 run #0: crashed: KASAN: use-after-free Read in io_uring_show_fdinfo run #1: crashed: KASAN: use-after-free Read in io_uring_show_fdinfo run #2: crashed: KASAN: use-after-free Read in io_uring_show_fdinfo run #3: crashed: KASAN: use-after-free Read in io_uring_show_fdinfo run #4: crashed: KASAN: slab-out-of-bounds Read in io_uring_show_fdinfo run #5: crashed: KASAN: use-after-free Read in io_uring_show_fdinfo run #6: crashed: KASAN: use-after-free Read in io_uring_show_fdinfo run #7: crashed: KASAN: use-after-free Read in io_uring_show_fdinfo run #8: crashed: KASAN: slab-out-of-bounds Read in io_uring_show_fdinfo run #9: crashed: KASAN: use-after-free Read in io_uring_show_fdinfo run #10: crashed: KASAN: use-after-free Read in io_uring_show_fdinfo run #11: crashed: KASAN: use-after-free Read in io_uring_show_fdinfo run #12: crashed: KASAN: use-after-free Read in io_uring_show_fdinfo run #13: crashed: KASAN: use-after-free Read in io_uring_show_fdinfo run #14: crashed: KASAN: use-after-free Read in io_uring_show_fdinfo run #15: crashed: KASAN: use-after-free Read in io_uring_show_fdinfo run #16: crashed: KASAN: use-after-free Read in io_uring_show_fdinfo run #17: crashed: KASAN: use-after-free Read in io_uring_show_fdinfo run #18: crashed: KASAN: use-after-free Read in io_uring_show_fdinfo run #19: crashed: KASAN: use-after-free Read in io_uring_show_fdinfo testing release v6.0 testing commit 4fe89d07dcc2804c8b562f6c7896a45643d34b2f gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 9d62a8a0946c3e65994145752c6df766465194087e0f2cf18b3fdb4c7e83f8f6 all runs: OK # git bisect start a6afa4199d3d038fbfdff5511f7523b0e30cb774 4fe89d07dcc2804c8b562f6c7896a45643d34b2f Bisecting: 4399 revisions left to test after this (roughly 12 steps) [7e6739b9336e61fe23ca4e2c8d1fda8f19f979bf] Merge tag 'drm-next-2022-10-05' of git://anongit.freedesktop.org/drm/drm testing commit 7e6739b9336e61fe23ca4e2c8d1fda8f19f979bf gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 2d918274fc30d6c27bb0bb1ff9db16c344229759d2a66da4a30b040441498066 all runs: OK # git bisect good 7e6739b9336e61fe23ca4e2c8d1fda8f19f979bf Bisecting: 2232 revisions left to test after this (roughly 11 steps) [4078aa68509746d0c1a70c50ab22a761ad7c2e0d] Merge tag 'ata-6.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/libata testing commit 4078aa68509746d0c1a70c50ab22a761ad7c2e0d gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: af853418d043fa84bb2c8c56101443c72ea8ab269ab8b04d4255fe1cf318a386 all runs: crashed: KASAN: use-after-free Read in io_uring_show_fdinfo # git bisect bad 4078aa68509746d0c1a70c50ab22a761ad7c2e0d Bisecting: 800 revisions left to test after this (roughly 10 steps) [7171a8da00035e7913c3013ca5fb5beb5b8b22f0] Merge tag 'arm-dt-6.1' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc testing commit 7171a8da00035e7913c3013ca5fb5beb5b8b22f0 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 2ed8890362986f9be10870567a9036d06d86c8fc3082adea1a34a9d62f967432 all runs: OK # git bisect good 7171a8da00035e7913c3013ca5fb5beb5b8b22f0 Bisecting: 389 revisions left to test after this (roughly 9 steps) [76e45035348c247a70ed50eb29a9906657e4444f] Merge tag 'for-6.1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux testing commit 76e45035348c247a70ed50eb29a9906657e4444f gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: cdfb1d114f87f9bbab83e91e1c0b46ae50647d15bb308a778af3331176a035f7 all runs: OK # git bisect good 76e45035348c247a70ed50eb29a9906657e4444f Bisecting: 222 revisions left to test after this (roughly 8 steps) [736feaa3a08124020afe6e51f50bae8598c99f55] Merge branch 'for-6.1/block' into for-6.1/passthrough testing commit 736feaa3a08124020afe6e51f50bae8598c99f55 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: bdd6055e93caaa04a0ca1107eb087d9ec3f22d85f909f29a249e73cf4e8d3268 all runs: OK # git bisect good 736feaa3a08124020afe6e51f50bae8598c99f55 Bisecting: 126 revisions left to test after this (roughly 7 steps) [188943a15638ceb91f960e072ed7609b2d7f2a55] Merge tag 'fs-for_v6.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs testing commit 188943a15638ceb91f960e072ed7609b2d7f2a55 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 96b7333cccfcbdfdbc72da5b2ec9775e13410e1ab76970e8f1aa5520a817333e all runs: OK # git bisect good 188943a15638ceb91f960e072ed7609b2d7f2a55 Bisecting: 63 revisions left to test after this (roughly 6 steps) [851eb780decb7180bcf09fad0035cba9aae669df] nvme: enable batched completions of passthrough IO testing commit 851eb780decb7180bcf09fad0035cba9aae669df gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 569b0524123c442789b6bb99b3df1f80b6a6331cc6fb69f2ad17c5c1463fb741 run #0: failed: failed to run binary in VM: broken console: Permission denied (publickey) run #1: crashed: KASAN: use-after-free Read in io_uring_show_fdinfo run #2: crashed: KASAN: use-after-free Read in io_uring_show_fdinfo run #3: crashed: KASAN: use-after-free Read in io_uring_show_fdinfo run #4: crashed: KASAN: use-after-free Read in io_uring_show_fdinfo run #5: crashed: KASAN: use-after-free Read in io_uring_show_fdinfo run #6: crashed: KASAN: use-after-free Read in io_uring_show_fdinfo run #7: crashed: KASAN: use-after-free Read in io_uring_show_fdinfo run #8: crashed: KASAN: use-after-free Read in io_uring_show_fdinfo run #9: crashed: KASAN: slab-out-of-bounds Read in io_uring_show_fdinfo # git bisect bad 851eb780decb7180bcf09fad0035cba9aae669df Bisecting: 31 revisions left to test after this (roughly 5 steps) [c0dc995eb2295e1be6b95b60c90c59f87b009bdb] io_uring: remove unused return from io_disarm_next testing commit c0dc995eb2295e1be6b95b60c90c59f87b009bdb gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 4e5a8be3f3903609b61043e621015613d329aa2fccd1817444d204e45c0ad01f all runs: OK # git bisect good c0dc995eb2295e1be6b95b60c90c59f87b009bdb Bisecting: 15 revisions left to test after this (roughly 4 steps) [4c17a496a7a0730fdfc9e249b83cc58249111532] io_uring/net: fix cleanup double free free_iov init testing commit 4c17a496a7a0730fdfc9e249b83cc58249111532 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 46ae95834c31ddec0134262eeef1f4a2a4e9301637ab2c3da3f15097d92238a9 all runs: crashed: KASAN: use-after-free Read in io_uring_show_fdinfo # git bisect bad 4c17a496a7a0730fdfc9e249b83cc58249111532 Bisecting: 7 revisions left to test after this (roughly 3 steps) [516e82f0e043a1a0e8d00800ed0ffe2137cf0e7e] io_uring/net: support non-zerocopy sendto testing commit 516e82f0e043a1a0e8d00800ed0ffe2137cf0e7e gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 0362292d72b514428506d75b4b470076ecc066d36eb5c340c985bbf09e8f9aa8 run #0: crashed: KASAN: use-after-free Read in io_uring_show_fdinfo run #1: crashed: KASAN: use-after-free Read in io_uring_show_fdinfo run #2: crashed: KASAN: use-after-free Read in io_uring_show_fdinfo run #3: crashed: KASAN: use-after-free Read in io_uring_show_fdinfo run #4: crashed: KASAN: use-after-free Read in io_uring_show_fdinfo run #5: crashed: KASAN: use-after-free Read in io_uring_show_fdinfo run #6: crashed: KASAN: use-after-free Read in io_uring_show_fdinfo run #7: crashed: KASAN: use-after-free Read in io_uring_show_fdinfo run #8: crashed: KASAN: use-after-free Read in io_uring_show_fdinfo run #9: crashed: KASAN: slab-out-of-bounds Read in io_uring_show_fdinfo # git bisect bad 516e82f0e043a1a0e8d00800ed0ffe2137cf0e7e Bisecting: 3 revisions left to test after this (roughly 2 steps) [47b4c68660752facfa6247b1fc9ca9d722b8b601] io_uring/rw: don't lose partial IO result on fail testing commit 47b4c68660752facfa6247b1fc9ca9d722b8b601 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 98d0f38da027ee5650113fa0eb6c0acce1b9b75d4f87213375dafedf3f9225e1 all runs: crashed: KASAN: use-after-free Read in io_uring_show_fdinfo # git bisect bad 47b4c68660752facfa6247b1fc9ca9d722b8b601 Bisecting: 1 revision left to test after this (roughly 1 step) [3b8fdd1dc35e395d19efbc8391a809a5b954ecf4] io_uring/fdinfo: fix sqe dumping for IORING_SETUP_SQE128 testing commit 3b8fdd1dc35e395d19efbc8391a809a5b954ecf4 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: cff60715716d41df52c3eca6805a0d307aa10320c3691f959d171209451be4ea run #0: crashed: KASAN: use-after-free Read in io_uring_show_fdinfo run #1: crashed: KASAN: use-after-free Read in io_uring_show_fdinfo run #2: crashed: KASAN: use-after-free Read in io_uring_show_fdinfo run #3: crashed: KASAN: use-after-free Read in io_uring_show_fdinfo run #4: crashed: KASAN: use-after-free Read in io_uring_show_fdinfo run #5: crashed: KASAN: use-after-free Read in io_uring_show_fdinfo run #6: crashed: KASAN: use-after-free Read in io_uring_show_fdinfo run #7: crashed: KASAN: slab-out-of-bounds Read in io_uring_show_fdinfo run #8: crashed: KASAN: use-after-free Read in io_uring_show_fdinfo run #9: crashed: KASAN: use-after-free Read in io_uring_show_fdinfo # git bisect bad 3b8fdd1dc35e395d19efbc8391a809a5b954ecf4 Bisecting: 0 revisions left to test after this (roughly 0 steps) [4f731705cc1f1591e15e1c3133de8ae3843c68ff] io_uring/fdinfo: get rid of unnecessary is_cqe32 variable testing commit 4f731705cc1f1591e15e1c3133de8ae3843c68ff gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 4a369d039ac73ed2298c54231bac778fc28227293d2496456e5abe3ec3fe239b all runs: OK # git bisect good 4f731705cc1f1591e15e1c3133de8ae3843c68ff 3b8fdd1dc35e395d19efbc8391a809a5b954ecf4 is the first bad commit commit 3b8fdd1dc35e395d19efbc8391a809a5b954ecf4 Author: Jens Axboe Date: Sun Sep 11 06:40:37 2022 -0600 io_uring/fdinfo: fix sqe dumping for IORING_SETUP_SQE128 If we have doubly sized SQEs, then we need to shift the sq index by 1 to account for using two entries for a single request. The CQE dumping gets this right, but the SQE one does not. Improve the SQE dumping in general, the information dumped is pretty sparse and doesn't even cover the whole basic part of the SQE. Include information on the extended part of the SQE, if doubly sized SQEs are in use. A typical dump now looks like the following: [...] SQEs: 32 32: opcode:URING_CMD, fd:0, flags:1, off:3225964160, addr:0x0, rw_flags:0x0, buf_index:0 user_data:2721, e0:0x0, e1:0xffffb8041000, e2:0x100000000000, e3:0x5500, e4:0x7, e5:0x0, e6:0x0, e7:0x0 33: opcode:URING_CMD, fd:0, flags:1, off:3225964160, addr:0x0, rw_flags:0x0, buf_index:0 user_data:2722, e0:0x0, e1:0xffffb8043000, e2:0x100000000000, e3:0x5508, e4:0x7, e5:0x0, e6:0x0, e7:0x0 34: opcode:URING_CMD, fd:0, flags:1, off:3225964160, addr:0x0, rw_flags:0x0, buf_index:0 user_data:2723, e0:0x0, e1:0xffffb8045000, e2:0x100000000000, e3:0x5510, e4:0x7, e5:0x0, e6:0x0, e7:0x0 [...] Fixes: ebdeb7c01d02 ("io_uring: add support for 128-byte SQEs") Signed-off-by: Jens Axboe io_uring/fdinfo.c | 32 ++++++++++++++++++++++++++------ 1 file changed, 26 insertions(+), 6 deletions(-) culprit signature: cff60715716d41df52c3eca6805a0d307aa10320c3691f959d171209451be4ea parent signature: 4a369d039ac73ed2298c54231bac778fc28227293d2496456e5abe3ec3fe239b revisions tested: 15, total time: 3h18m43.405701892s (build: 1h45m8.403458112s, test: 1h30m55.659091724s) first bad commit: 3b8fdd1dc35e395d19efbc8391a809a5b954ecf4 io_uring/fdinfo: fix sqe dumping for IORING_SETUP_SQE128 recipients (to): ["axboe@kernel.dk" "axboe@kernel.dk" "io-uring@vger.kernel.org"] recipients (cc): ["asml.silence@gmail.com" "linux-kernel@vger.kernel.org"] crash: KASAN: use-after-free Read in io_uring_show_fdinfo ================================================================== BUG: KASAN: use-after-free in __io_uring_show_fdinfo io_uring/fdinfo.c:98 [inline] BUG: KASAN: use-after-free in io_uring_show_fdinfo+0x559/0x15df io_uring/fdinfo.c:206 Read of size 8 at addr ffff88806f7fff20 by task syz-executor.0/4172 CPU: 1 PID: 4172 Comm: syz-executor.0 Not tainted 6.0.0-rc6-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x57/0x7d lib/dump_stack.c:106 print_address_description mm/kasan/report.c:317 [inline] print_report.cold+0x2ba/0x719 mm/kasan/report.c:433 kasan_report+0xb1/0x1e0 mm/kasan/report.c:495 __io_uring_show_fdinfo io_uring/fdinfo.c:98 [inline] io_uring_show_fdinfo+0x559/0x15df io_uring/fdinfo.c:206 seq_show+0x4aa/0x6d0 fs/proc/fd.c:68 seq_read_iter+0x3fa/0x1090 fs/seq_file.c:230 seq_read+0x161/0x200 fs/seq_file.c:162 vfs_read+0x1b8/0x7c0 fs/read_write.c:468 ksys_pread64 fs/read_write.c:659 [inline] __do_sys_pread64 fs/read_write.c:669 [inline] __se_sys_pread64 fs/read_write.c:666 [inline] __x64_sys_pread64+0x192/0x1e0 fs/read_write.c:666 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7f87d628a5a9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f87d7359168 EFLAGS: 00000246 ORIG_RAX: 0000000000000011 RAX: ffffffffffffffda RBX: 00007f87d63abf80 RCX: 00007f87d628a5a9 RDX: 0000000000000011 RSI: 0000000020002140 RDI: 0000000000000005 RBP: 00007f87d62e5580 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007fffce164f1f R14: 00007f87d7359300 R15: 0000000000022000 The buggy address belongs to the physical page: page:ffffea0001bdffc0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x6f7ff flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000 raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 9, migratetype Movable, gfp_mask 0x3d24ca(GFP_TRANSHUGE|__GFP_NORETRY|__GFP_THISNODE), pid 3600, tgid 3592 (syz-fuzzer), ts 34787143565, free_ts 36525392267 prep_new_page mm/page_alloc.c:2532 [inline] get_page_from_freelist+0x109b/0x2ce0 mm/page_alloc.c:4283 __alloc_pages+0x1c7/0x510 mm/page_alloc.c:5515 __folio_alloc+0x12/0x40 mm/page_alloc.c:5546 __folio_alloc_node include/linux/gfp.h:252 [inline] vma_alloc_folio+0x44c/0x5b0 mm/mempolicy.c:2212 do_huge_pmd_anonymous_page+0x1d9/0x1680 mm/huge_memory.c:834 create_huge_pmd mm/memory.c:4776 [inline] __handle_mm_fault+0x1a22/0x2b70 mm/memory.c:5023 handle_mm_fault+0x166/0x5e0 mm/memory.c:5151 do_user_addr_fault+0x2da/0xcf0 arch/x86/mm/fault.c:1397 handle_page_fault arch/x86/mm/fault.c:1488 [inline] exc_page_fault+0x5a/0xc0 arch/x86/mm/fault.c:1544 asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:570 page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1449 [inline] free_pcp_prepare+0x5e4/0xd20 mm/page_alloc.c:1499 free_unref_page_prepare mm/page_alloc.c:3380 [inline] free_unref_page+0x19/0x4d0 mm/page_alloc.c:3476 __folio_put_large mm/swap.c:118 [inline] release_pages+0x291/0x1080 mm/swap.c:978 tlb_batch_pages_flush+0x85/0x160 mm/mmu_gather.c:58 tlb_flush_mmu_free mm/mmu_gather.c:255 [inline] tlb_flush_mmu mm/mmu_gather.c:262 [inline] tlb_finish_mmu+0x110/0x6c0 mm/mmu_gather.c:353 exit_mmap+0x19d/0x3f0 mm/mmap.c:3118 __mmput+0xed/0x430 kernel/fork.c:1187 exit_mm kernel/exit.c:510 [inline] do_exit+0x8c8/0x2440 kernel/exit.c:782 do_group_exit+0xb2/0x2a0 kernel/exit.c:925 __do_sys_exit_group kernel/exit.c:936 [inline] __se_sys_exit_group kernel/exit.c:934 [inline] __x64_sys_exit_group+0x35/0x40 kernel/exit.c:934 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Memory state around the buggy address: ffff88806f7ffe00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88806f7ffe80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff88806f7fff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff88806f7fff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88806f800000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ==================================================================