bisecting cause commit starting from 40354149f4d738dc3492d9998e45b3f02950369a building syzkaller on b17b2923e60fea9f22c4a2161742e16f41b84980 testing commit 40354149f4d738dc3492d9998e45b3f02950369a compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 7a9e8c0e4ab2478975c1997ddf89918c0297a8fe23bfdb39012802faed2b3aab all runs: crashed: kernel BUG in commit_creds testing release v5.17 testing commit f443e374ae131c168a065ea1748feac6b2e76613 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 8eecf6eebc931bd8cf55b5a8b2b05120798bba44a8e0232db4f8e0f29c044e8d all runs: OK # git bisect start 40354149f4d738dc3492d9998e45b3f02950369a f443e374ae131c168a065ea1748feac6b2e76613 Bisecting: 9460 revisions left to test after this (roughly 13 steps) [b1f8ccdaae0310332d16f65bf0f622f9d4ae2391] Merge tag 'for-5.18/dm-changes' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm testing commit b1f8ccdaae0310332d16f65bf0f622f9d4ae2391 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: a2a801353d2eaae89a71b1ffef5bbd4ca2594e4a067d31939f3b544e3ea3b299 all runs: OK # git bisect good b1f8ccdaae0310332d16f65bf0f622f9d4ae2391 Bisecting: 4733 revisions left to test after this (roughly 12 steps) [25d96e6996281868b85c91ed4fb12eb98f4e2d70] Merge branch 'v5.19/dt64' into for-next testing commit 25d96e6996281868b85c91ed4fb12eb98f4e2d70 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: ba9798326e5a5502428014fc662315d539cf7a8400ddc3140da0aca99dc7a603 run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: exit status NUM run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect good 25d96e6996281868b85c91ed4fb12eb98f4e2d70 Bisecting: 2368 revisions left to test after this (roughly 11 steps) [484800ae75a5126f11ca3a2834792ff5d14ec837] Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git testing commit 484800ae75a5126f11ca3a2834792ff5d14ec837 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 09ef602661ca636063ac5aa6f4cdc5e2c4c56f51248e2c2c8449f8ab8b48a262 all runs: crashed: kernel BUG in commit_creds # git bisect bad 484800ae75a5126f11ca3a2834792ff5d14ec837 Bisecting: 1159 revisions left to test after this (roughly 10 steps) [7ea1e6199e844b3331cea249570894a38c5ebdfe] Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/geert/renesas-devel.git testing commit 7ea1e6199e844b3331cea249570894a38c5ebdfe compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: d009830bc79202ba915a1046a6be624ba9089eeeeec98ed91a23fc95f6486cfb all runs: crashed: kernel BUG in commit_creds # git bisect bad 7ea1e6199e844b3331cea249570894a38c5ebdfe Bisecting: 583 revisions left to test after this (roughly 9 steps) [ba21cabe948131ae01b9332a17d29d33b5d150ff] Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound.git testing commit ba21cabe948131ae01b9332a17d29d33b5d150ff compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 45832146bdf198813d04ece0233b389f48174ef8f4264833b0a08c7ea142561f run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: exit status NUM run #1: crashed: kernel BUG in commit_creds run #2: crashed: kernel BUG in commit_creds run #3: crashed: kernel BUG in commit_creds run #4: crashed: kernel BUG in commit_creds run #5: crashed: kernel BUG in commit_creds run #6: crashed: kernel BUG in commit_creds run #7: crashed: kernel BUG in commit_creds run #8: crashed: kernel BUG in commit_creds run #9: crashed: kernel BUG in commit_creds # git bisect bad ba21cabe948131ae01b9332a17d29d33b5d150ff Bisecting: 314 revisions left to test after this (roughly 8 steps) [940a445a904088eac715dd985c01847311a42459] perf annotate: Drop objdump stderr to avoid getting stuck waiting for stdout output testing commit 940a445a904088eac715dd985c01847311a42459 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 0a4f14eba7b6f053aa9277e8aec4619438c4e5b00b4d03df7489a00964128346 all runs: crashed: kernel BUG in commit_creds # git bisect bad 940a445a904088eac715dd985c01847311a42459 Bisecting: 121 revisions left to test after this (roughly 7 steps) [1831fed559732b132aef0ea8261ac77e73f7eadf] Merge tag 'drm-fixes-2022-04-08' of git://anongit.freedesktop.org/drm/drm testing commit 1831fed559732b132aef0ea8261ac77e73f7eadf compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 9f327fb3f8ed34d4656f383b1a891cbc12ced233dd30d2722ac9c065da7f4586 all runs: OK # git bisect good 1831fed559732b132aef0ea8261ac77e73f7eadf Bisecting: 56 revisions left to test after this (roughly 6 steps) [911b2b95168c7790ed5ea2703d804086c03088df] Merge branch 'akpm' (patches from Andrew) testing commit 911b2b95168c7790ed5ea2703d804086c03088df compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 6c80661aaf6c53855bcc049a6b35f4b61f2b19f5b7f5734f1a9db1efdb52293d all runs: OK # git bisect good 911b2b95168c7790ed5ea2703d804086c03088df Bisecting: 34 revisions left to test after this (roughly 5 steps) [f335af10482a41ad5d28b4a2b0bee3ea35f771ce] Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma testing commit f335af10482a41ad5d28b4a2b0bee3ea35f771ce compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 26be9622929ed08834c6474bf70f372b162b47d19ddab8c9a633d0b60c07aac3 all runs: OK # git bisect good f335af10482a41ad5d28b4a2b0bee3ea35f771ce Bisecting: 15 revisions left to test after this (roughly 4 steps) [f1b45d8ccb9839b48e5884664470e54520e17f4c] Merge tag 'block-5.18-2022-04-08' of git://git.kernel.dk/linux-block testing commit f1b45d8ccb9839b48e5884664470e54520e17f4c compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 3ea7b0a445eb86382a243d532403f6d765b4f228ba4b5dc88223517bd6428a8c all runs: crashed: kernel BUG in commit_creds # git bisect bad f1b45d8ccb9839b48e5884664470e54520e17f4c Bisecting: 9 revisions left to test after this (roughly 3 steps) [34bb77184123ae401100a4d156584f12fa630e5c] io_uring: nospec index for tags on files update testing commit 34bb77184123ae401100a4d156584f12fa630e5c compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 4ad5710157dcd958662218d752a217ab726c15ce79f793ad613acf72a8857854 run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: exit status NUM run #1: basic kernel testing failed: BUG: program execution failed: executor NUM: exit status NUM run #2: crashed: kernel BUG in commit_creds run #3: crashed: kernel BUG in commit_creds run #4: crashed: kernel BUG in commit_creds run #5: crashed: kernel BUG in commit_creds run #6: crashed: kernel BUG in commit_creds run #7: crashed: kernel BUG in commit_creds run #8: crashed: kernel BUG in commit_creds run #9: crashed: kernel BUG in commit_creds # git bisect bad 34bb77184123ae401100a4d156584f12fa630e5c Bisecting: 4 revisions left to test after this (roughly 2 steps) [5106dd6e74ab6c94daac1c357094f11e6934b36f] io_uring: propagate issue_flags state down to file assignment testing commit 5106dd6e74ab6c94daac1c357094f11e6934b36f compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 6ca920d8eeea3b3cf56001c6493835f1eb4b07437b6b6011bce07ab19045bb96 run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: failed to write control pipe: write |NUM: broken pipe run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect good 5106dd6e74ab6c94daac1c357094f11e6934b36f Bisecting: 2 revisions left to test after this (roughly 1 step) [d5361233e9ab920e135819f73dd8466355f1fddd] io_uring: drop the old style inflight file tracking testing commit d5361233e9ab920e135819f73dd8466355f1fddd compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 1749f23476a53e4ec8da5b139a8db091a5bd75e64a635bd72b8d7f808fbfbd43 all runs: crashed: kernel BUG in commit_creds # git bisect bad d5361233e9ab920e135819f73dd8466355f1fddd Bisecting: 0 revisions left to test after this (roughly 0 steps) [6bf9c47a398911e0ab920e362115153596c80432] io_uring: defer file assignment testing commit 6bf9c47a398911e0ab920e362115153596c80432 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: c80dabdfcc05a46e959037d051734d975afa37c66241722e324d364bcc45a70b all runs: crashed: kernel BUG in commit_creds # git bisect bad 6bf9c47a398911e0ab920e362115153596c80432 6bf9c47a398911e0ab920e362115153596c80432 is the first bad commit commit 6bf9c47a398911e0ab920e362115153596c80432 Author: Jens Axboe Date: Tue Mar 29 10:10:08 2022 -0600 io_uring: defer file assignment If an application uses direct open or accept, it knows in advance what direct descriptor value it will get as it picks it itself. This allows combined requests such as: sqe = io_uring_get_sqe(ring); io_uring_prep_openat_direct(sqe, ..., file_slot); sqe->flags |= IOSQE_IO_LINK | IOSQE_CQE_SKIP_SUCCESS; sqe = io_uring_get_sqe(ring); io_uring_prep_read(sqe,file_slot, buf, buf_size, 0); sqe->flags |= IOSQE_FIXED_FILE; io_uring_submit(ring); where we prepare both a file open and read, and only get a completion event for the read when both have completed successfully. Currently links are fully prepared before the head is issued, but that fails if the dependent link needs a file assigned that isn't valid until the head has completed. Conversely, if the same chain is performed but the fixed file slot is already valid, then we would be unexpectedly returning data from the old file slot rather than the newly opened one. Make sure we're consistent here. Allow deferral of file setup, which makes this documented case work. Cc: stable@vger.kernel.org # v5.15+ Signed-off-by: Jens Axboe fs/io-wq.h | 1 + fs/io_uring.c | 39 +++++++++++++++++++++++++++++---------- 2 files changed, 30 insertions(+), 10 deletions(-) culprit signature: c80dabdfcc05a46e959037d051734d975afa37c66241722e324d364bcc45a70b parent signature: 6ca920d8eeea3b3cf56001c6493835f1eb4b07437b6b6011bce07ab19045bb96 revisions tested: 16, total time: 2h44m13.006866587s (build: 2h1m5.428213488s, test: 41m31.072413142s) first bad commit: 6bf9c47a398911e0ab920e362115153596c80432 io_uring: defer file assignment recipients (to): ["axboe@kernel.dk" "axboe@kernel.dk" "io-uring@vger.kernel.org"] recipients (cc): ["asml.silence@gmail.com" "linux-kernel@vger.kernel.org"] crash: kernel BUG in commit_creds ------------[ cut here ]------------ kernel BUG at kernel/cred.c:456! invalid opcode: 0000 [#1] PREEMPT SMP KASAN CPU: 1 PID: 4058 Comm: syz-executor215 Not tainted 5.18.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:commit_creds+0xcb1/0x11d0 kernel/cred.c:456 Code: ea 03 0f b6 14 02 48 89 f0 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 fc 03 00 00 41 39 5e 2c 0f 85 8c f9 ff ff e9 94 f9 ff ff <0f> 0b 0f 0b 0f 0b 48 89 cf e8 21 bb 66 00 e9 7d f6 ff ff 4c 89 e7 RSP: 0018:ffffc9000462fc70 EFLAGS: 00010206 RAX: dffffc0000000000 RBX: ffff88801d36a518 RCX: ffff88801d369d00 RDX: 1ffff11003a6d4a4 RSI: 0000000000000008 RDI: ffff88801cc8cb00 RBP: ffff88801d369d00 R08: 0000000000000000 R09: ffffc9000462fa37 R10: ffff88801cc8cb78 R11: 0000000000000001 R12: dffffc0000000000 R13: ffff88801d369d00 R14: ffff88801cc8c700 R15: ffff88801cc8cb00 FS: 00005555572483c0(0000) GS:ffff8880b9f00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 000000007e1e7000 CR4: 00000000003506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: install_process_keyring security/keys/process_keys.c:306 [inline] lookup_user_key+0x3cc/0xdc0 security/keys/process_keys.c:653 __do_sys_add_key+0x12a/0x300 security/keys/keyctl.c:126 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f7e612de809 Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffe133dd168 EFLAGS: 00000246 ORIG_RAX: 00000000000000f8 RAX: ffffffffffffffda RBX: 00007ffe133dd188 RCX: 00007f7e612de809 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000200000c0 RBP: 00007ffe133dd180 R08: 00000000ffffffff R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:commit_creds+0xcb1/0x11d0 kernel/cred.c:456 Code: ea 03 0f b6 14 02 48 89 f0 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 fc 03 00 00 41 39 5e 2c 0f 85 8c f9 ff ff e9 94 f9 ff ff <0f> 0b 0f 0b 0f 0b 48 89 cf e8 21 bb 66 00 e9 7d f6 ff ff 4c 89 e7 RSP: 0018:ffffc9000462fc70 EFLAGS: 00010206 RAX: dffffc0000000000 RBX: ffff88801d36a518 RCX: ffff88801d369d00 RDX: 1ffff11003a6d4a4 RSI: 0000000000000008 RDI: ffff88801cc8cb00 RBP: ffff88801d369d00 R08: 0000000000000000 R09: ffffc9000462fa37 R10: ffff88801cc8cb78 R11: 0000000000000001 R12: dffffc0000000000 R13: ffff88801d369d00 R14: ffff88801cc8c700 R15: ffff88801cc8cb00 FS: 00005555572483c0(0000) GS:ffff8880b9e00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055cf1ef53030 CR3: 000000007e1e7000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400