bisecting cause commit starting from 04fe99a8d936d46a310ca61b8b63dc270962bf01 building syzkaller on 0230ba3e7ee638765ace8e2c3b436e703017b46c testing commit 04fe99a8d936d46a310ca61b8b63dc270962bf01 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 4946ec11a50fb09ab6aee6c775693a1a2169abdb50baf07866d1756033451b6c all runs: crashed: KASAN: use-after-free Write in io_submit_one testing release v5.15 testing commit 8bb7eca972ad531c9b149c0a51ab43a417385813 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 40b6138c9eecbffa8b1478870eef79b1f8987b54c913f036e51773f6b6530f63 all runs: OK # git bisect start 04fe99a8d936d46a310ca61b8b63dc270962bf01 8bb7eca972ad531c9b149c0a51ab43a417385813 Bisecting: 9834 revisions left to test after this (roughly 13 steps) [5c904c66ed4e86c31ac7c033b64274cebed04e0e] Merge tag 'char-misc-5.16-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc testing commit 5c904c66ed4e86c31ac7c033b64274cebed04e0e compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 65dde99f04d2b459eb12b3b4e6996b690cd3705412a34258beb47cf61bd1d75b all runs: crashed: KASAN: use-after-free Write in io_submit_one # git bisect bad 5c904c66ed4e86c31ac7c033b64274cebed04e0e Bisecting: 4926 revisions left to test after this (roughly 12 steps) [78805cbe5d72ad27a56962a8072edbcb45ca1180] Merge tag 'gfs2-v5.15-rc5-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/gfs2/linux-gfs2 testing commit 78805cbe5d72ad27a56962a8072edbcb45ca1180 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 51c717a90158c443a5372dde3c42f7c188060053918f32783dfbe9bf42bccd48 all runs: crashed: KASAN: use-after-free Write in io_submit_one # git bisect bad 78805cbe5d72ad27a56962a8072edbcb45ca1180 Bisecting: 2605 revisions left to test after this (roughly 11 steps) [84882cf72cd774cf16fd338bdbf00f69ac9f9194] Revert "net: avoid double accounting for pure zerocopy skbs" testing commit 84882cf72cd774cf16fd338bdbf00f69ac9f9194 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: e139bd2eeab214f0ba085eb751664fe939dcbe7ba5ca0a1e6c8501fa48fb8143 all runs: OK # git bisect good 84882cf72cd774cf16fd338bdbf00f69ac9f9194 Bisecting: 1300 revisions left to test after this (roughly 10 steps) [f594e28d805aca2c6e158cc647f133cab58a8bb4] Merge tag 'hardening-v5.16-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux testing commit f594e28d805aca2c6e158cc647f133cab58a8bb4 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 480ed243e18617f8ca6c7085d8c15583819eaa4f348318ac0cebb144a326fe58 all runs: crashed: KASAN: use-after-free Write in io_submit_one # git bisect bad f594e28d805aca2c6e158cc647f133cab58a8bb4 Bisecting: 720 revisions left to test after this (roughly 9 steps) [2cf3f8133bda2a0945cc4c70e681ecb25b52b913] btrfs: fix lzo_decompress_bio() kmap leakage testing commit 2cf3f8133bda2a0945cc4c70e681ecb25b52b913 compiler: gcc (GCC) 10.2.1 20210217 ./include/linux/page-flags.h:806:29: error: macro "PAGEFLAG_FALSE" requires 2 arguments, but only 1 given ./include/linux/page-flags.h:807:32: error: macro "TESTSCFLAG_FALSE" requires 2 arguments, but only 1 given ./include/linux/page-flags.h:806:1: error: unknown type name 'PAGEFLAG_FALSE' ./include/linux/page-flags.h:807:18: error: expected ';' before 'static' # git bisect skip 2cf3f8133bda2a0945cc4c70e681ecb25b52b913 Bisecting: 720 revisions left to test after this (roughly 9 steps) [785d584c30ffc1224027536fe55bdc15ee509f14] nvme: add new discovery log page entry definitions testing commit 785d584c30ffc1224027536fe55bdc15ee509f14 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 4d755ba84cea49eed97a4d93baa40ab97a189857a51784bfd235a91073390b47 run #0: boot failed: general protection fault in blk_mq_free_request run #1: boot failed: general protection fault in blk_mq_free_request run #2: boot failed: general protection fault in blk_mq_free_request run #3: boot failed: general protection fault in corrupted run #4: boot failed: general protection fault in blk_mq_free_request run #5: boot failed: general protection fault in blk_mq_free_request run #6: boot failed: general protection fault in blk_mq_free_request run #7: boot failed: general protection fault in blk_mq_free_request run #8: boot failed: general protection fault in blk_mq_free_request run #9: boot failed: general protection fault in blk_mq_free_request # git bisect skip 785d584c30ffc1224027536fe55bdc15ee509f14 Bisecting: 720 revisions left to test after this (roughly 9 steps) [f70299f0d58e0e21f7f5f5ab27e601e8d3f0373e] blk-mq: factor out a blk_qc_to_hctx helper testing commit f70299f0d58e0e21f7f5f5ab27e601e8d3f0373e compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 6dbab44e1d815b0c70d85b56dbe88f3ba79c3e322a6cb045d01386622ab441f5 all runs: OK # git bisect good f70299f0d58e0e21f7f5f5ab27e601e8d3f0373e Bisecting: 579 revisions left to test after this (roughly 9 steps) [037c50bfbeb33b4c74e120eef5b8b99d8f025418] Merge tag 'for-5.16-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux testing commit 037c50bfbeb33b4c74e120eef5b8b99d8f025418 compiler: gcc (GCC) 10.2.1 20210217 ./include/linux/page-flags.h:806:29: error: macro "PAGEFLAG_FALSE" requires 2 arguments, but only 1 given ./include/linux/page-flags.h:807:32: error: macro "TESTSCFLAG_FALSE" requires 2 arguments, but only 1 given ./include/linux/page-flags.h:806:1: error: unknown type name 'PAGEFLAG_FALSE' ./include/linux/page-flags.h:807:18: error: expected ';' before 'static' # git bisect skip 037c50bfbeb33b4c74e120eef5b8b99d8f025418 Bisecting: 579 revisions left to test after this (roughly 9 steps) [e0f4c59dc4d39b3e9fa61ceb4cf2384787bcd09d] Merge tag 'x86_cpu_for_v5.16_rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip testing commit e0f4c59dc4d39b3e9fa61ceb4cf2384787bcd09d compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 0a8fa89eb4f201efc4e93366fe86fc716e55e684a5647e1bbc2b305cf06c998b all runs: crashed: KASAN: use-after-free Write in io_submit_one # git bisect bad e0f4c59dc4d39b3e9fa61ceb4cf2384787bcd09d Bisecting: 551 revisions left to test after this (roughly 9 steps) [0a2b3e363566c4cc8792d37c5e73b9d9295e075c] bcache: reserve never used bits from bkey.high testing commit 0a2b3e363566c4cc8792d37c5e73b9d9295e075c compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: be5206ebf0b05a0b2ee53ce3831e9cf57af6af042d5f9c8fa360086b39036306 run #0: boot failed: failed to delete instance: googleapi: Error 503: The service is currently unavailable., backendError run #1: boot failed: general protection fault in blk_mq_free_request run #2: boot failed: general protection fault in blk_mq_free_request run #3: boot failed: general protection fault in blk_mq_free_request run #4: boot failed: general protection fault in blk_mq_free_request run #5: boot failed: general protection fault in blk_mq_free_request run #6: boot failed: general protection fault in blk_mq_free_request run #7: boot failed: general protection fault in blk_mq_free_request run #8: boot failed: general protection fault in corrupted run #9: boot failed: general protection fault in blk_mq_free_request # git bisect skip 0a2b3e363566c4cc8792d37c5e73b9d9295e075c Bisecting: 551 revisions left to test after this (roughly 9 steps) [1a6f74429c42a3854980359a758e222005712aee] x86/retpoline: Create a retpoline thunk array testing commit 1a6f74429c42a3854980359a758e222005712aee compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 52ad144b553c3956de5475f92d1ec86b920b856af282b9b355fc11867a609e38 all runs: OK # git bisect good 1a6f74429c42a3854980359a758e222005712aee Bisecting: 516 revisions left to test after this (roughly 9 steps) [c234a65392062504acf04afe0ae404cca61a8e1a] nvme: add support for batched completion of polled IO testing commit c234a65392062504acf04afe0ae404cca61a8e1a compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: fbedac2c4d54f8443f061cbb2b2af5d1a861cfc249083eb7850faf7f829cf78a all runs: boot failed: general protection fault in blk_mq_free_request # git bisect skip c234a65392062504acf04afe0ae404cca61a8e1a Bisecting: 516 revisions left to test after this (roughly 9 steps) [868c250bb4639531ff33b2d879fbef39c1d9ed39] x86/fpu: Include vmalloc.h for vzalloc() testing commit 868c250bb4639531ff33b2d879fbef39c1d9ed39 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 9274058d622dcf0f46ff71c84ac99306a3be897e00a6c55ac10081858665d58b all runs: OK # git bisect good 868c250bb4639531ff33b2d879fbef39c1d9ed39 Bisecting: 460 revisions left to test after this (roughly 9 steps) [3f01727f750eae3e61b738b57355b2538ab179f4] Merge tag 'for-5.16/bdev-size-2021-10-29' of git://git.kernel.dk/linux-block testing commit 3f01727f750eae3e61b738b57355b2538ab179f4 compiler: gcc (GCC) 10.2.1 20210217 ./include/linux/page-flags.h:806:29: error: macro "PAGEFLAG_FALSE" requires 2 arguments, but only 1 given ./include/linux/page-flags.h:807:32: error: macro "TESTSCFLAG_FALSE" requires 2 arguments, but only 1 given ./include/linux/page-flags.h:806:1: error: unknown type name 'PAGEFLAG_FALSE' ./include/linux/page-flags.h:807:18: error: expected ';' before 'static' # git bisect skip 3f01727f750eae3e61b738b57355b2538ab179f4 Bisecting: 460 revisions left to test after this (roughly 9 steps) [88459b50b42a4bd58e528006663afabd0b8652f2] io_uring: simplify io_file_supports_nowait() testing commit 88459b50b42a4bd58e528006663afabd0b8652f2 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 4e0a1f978fa8c6bce97ff8561ace08ee26429cea5af4db202919cac3725e4d81 all runs: OK # git bisect good 88459b50b42a4bd58e528006663afabd0b8652f2 Bisecting: 406 revisions left to test after this (roughly 9 steps) [cb77cb5abe1f4fae4a33b735606aae22f9eaa1c7] blk-crypto: rename blk_keyslot_manager to blk_crypto_profile testing commit cb77cb5abe1f4fae4a33b735606aae22f9eaa1c7 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 561077a1fb109e40567a043ee8039f5defc19ef94f17138640a94d846f5ced6b all runs: OK # git bisect good cb77cb5abe1f4fae4a33b735606aae22f9eaa1c7 Bisecting: 406 revisions left to test after this (roughly 9 steps) [e739f98b4b11337a4e3865364b8922a9e5ad32b6] genirq: Move prio assignment into the newly created thread testing commit e739f98b4b11337a4e3865364b8922a9e5ad32b6 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 67c4f44aa518b58f7103cb297a8c457784103a4ffc75fe931764e596f4123ceb all runs: OK # git bisect good e739f98b4b11337a4e3865364b8922a9e5ad32b6 Bisecting: 404 revisions left to test after this (roughly 9 steps) [e1654f413fe08ffbc3292d8d2b8958b2cc5cb5e8] nbd: add error handling support for add_disk() testing commit e1654f413fe08ffbc3292d8d2b8958b2cc5cb5e8 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 09ae3de565dc48f8a00c77a913320e504f003771b2bcb5e88518764b1e812b0c all runs: boot failed: general protection fault in blk_mq_free_request # git bisect skip e1654f413fe08ffbc3292d8d2b8958b2cc5cb5e8 Bisecting: 404 revisions left to test after this (roughly 9 steps) [8663b210f8c169a49aaeed3af92471a147545477] nbd: fix uaf in nbd_handle_reply() testing commit 8663b210f8c169a49aaeed3af92471a147545477 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 7e64996edd989744eb06351333d03317fe635943f46c111e70c281ca093b4e68 all runs: boot failed: general protection fault in blk_mq_free_request # git bisect skip 8663b210f8c169a49aaeed3af92471a147545477 Bisecting: 404 revisions left to test after this (roughly 9 steps) [cbe1de162d8297e941f01ac7dd399a11251352bc] x86/mce: Get rid of machine_check_vector testing commit cbe1de162d8297e941f01ac7dd399a11251352bc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 2985ffd309c3f45b6aabcd1c9d6dda32c31c97392d6e582b9079778fca1c3c79 all runs: OK # git bisect good cbe1de162d8297e941f01ac7dd399a11251352bc Bisecting: 400 revisions left to test after this (roughly 9 steps) [4d96f9109109be93618050a50cabb8df7c931ba7] x86/sev: Replace occurrences of sev_active() with cc_platform_has() testing commit 4d96f9109109be93618050a50cabb8df7c931ba7 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: c811342d32dc78616723e0b37e4015f49c6e9ee09d0a03a8eb8c4500957044db all runs: OK # git bisect good 4d96f9109109be93618050a50cabb8df7c931ba7 Bisecting: 394 revisions left to test after this (roughly 9 steps) [b9a6b8f92f6feebf40609e4f5f22a3c0404afb60] io_uring: kill unused param from io_file_supports_nowait testing commit b9a6b8f92f6feebf40609e4f5f22a3c0404afb60 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 4a8d3be8639189b26b93b8a3dbfd58e0479d1a64ee94c27ec37b457261d6a846 all runs: OK # git bisect good b9a6b8f92f6feebf40609e4f5f22a3c0404afb60 Bisecting: 394 revisions left to test after this (roughly 9 steps) [dafc340dbd10a21c133f3b152cee6214fcfbf84a] btrfs: zoned: introduce physical_map to btrfs_block_group testing commit dafc340dbd10a21c133f3b152cee6214fcfbf84a compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 811f66700a58b6b0180bcf7c1fbfe251a95d74e7da8b4c0a5b2485217005af81 all runs: OK # git bisect good dafc340dbd10a21c133f3b152cee6214fcfbf84a Bisecting: 364 revisions left to test after this (roughly 9 steps) [121703c1c817b3c77f61002466d0bfca7e39f25d] mm/writeback: Add folio_write_one testing commit 121703c1c817b3c77f61002466d0bfca7e39f25d compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: c3c77a50177e3729f61698a3925049331ce2933f9ca3c8091f9d36fd197c4603 all runs: OK # git bisect good 121703c1c817b3c77f61002466d0bfca7e39f25d Bisecting: 253 revisions left to test after this (roughly 8 steps) [470b52564cceef62e982283cafbada41ff47903b] EDAC/al_mc: Make use of the helper function devm_add_action_or_reset() testing commit 470b52564cceef62e982283cafbada41ff47903b compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 41234b49c93c941cb918ea440b3e5132f6ce8cb1483a3eaa0aaf712c56ea7c0f all runs: OK # git bisect good 470b52564cceef62e982283cafbada41ff47903b Bisecting: 251 revisions left to test after this (roughly 8 steps) [bab4ff1edccd5853c956ac72e5152b073a237b50] irq: mips: stop (ab)using handle_domain_irq() testing commit bab4ff1edccd5853c956ac72e5152b073a237b50 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: f8fc3ed4a9c5bc7ed1f63fe5337f60a1228241fd517510d515d5144076092d98 all runs: OK # git bisect good bab4ff1edccd5853c956ac72e5152b073a237b50 Bisecting: 359 revisions left to test after this (roughly 8 steps) [b4c6f86ec2f648b5e6d4b04564fbc6d5351160a8] irq_work: Handle some irq_work in a per-CPU thread on PREEMPT_RT testing commit b4c6f86ec2f648b5e6d4b04564fbc6d5351160a8 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 6994380bfa764bf6dc6fd2d0a1adbc1262b38857ce5dec45bcf44f1a13b7bab7 all runs: OK # git bisect good b4c6f86ec2f648b5e6d4b04564fbc6d5351160a8 Bisecting: 300 revisions left to test after this (roughly 8 steps) [737f1cd8a8e80fe3243662f04d4d66829facc71a] Merge tag 'for-5.16/cdrom-2021-10-29' of git://git.kernel.dk/linux-block testing commit 737f1cd8a8e80fe3243662f04d4d66829facc71a compiler: gcc (GCC) 10.2.1 20210217 ./include/linux/page-flags.h:806:29: error: macro "PAGEFLAG_FALSE" requires 2 arguments, but only 1 given ./include/linux/page-flags.h:807:32: error: macro "TESTSCFLAG_FALSE" requires 2 arguments, but only 1 given ./include/linux/page-flags.h:806:1: error: unknown type name 'PAGEFLAG_FALSE' ./include/linux/page-flags.h:807:18: error: expected ';' before 'static' # git bisect skip 737f1cd8a8e80fe3243662f04d4d66829facc71a Bisecting: 300 revisions left to test after this (roughly 8 steps) [2adada886b26e998b5a624e72f0834ebfdc54cc7] btrfs: check for relocation inodes on zoned btrfs in should_nocow testing commit 2adada886b26e998b5a624e72f0834ebfdc54cc7 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 37099bba4827286fe743abc9f4f7cf3d857731a102d812456c811f035b6e9e4b all runs: OK # git bisect good 2adada886b26e998b5a624e72f0834ebfdc54cc7 Bisecting: 272 revisions left to test after this (roughly 8 steps) [117d5b6d00ee02f73d7065fe906e2ef1af74bb68] nvmet: use struct_size over open coded arithmetic testing commit 117d5b6d00ee02f73d7065fe906e2ef1af74bb68 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: ae8b7577fe9aed7aab7b1e7cb7bfa8f910ca98e5260944018fa693bc1de7bd10 run #0: boot failed: general protection fault in blk_mq_free_request run #1: boot failed: general protection fault in blk_mq_free_request run #2: boot failed: general protection fault in blk_mq_free_request run #3: boot failed: general protection fault in blk_mq_free_request run #4: boot failed: general protection fault in blk_mq_free_request run #5: boot failed: general protection fault in blk_mq_free_request run #6: boot failed: general protection fault in corrupted run #7: boot failed: general protection fault in blk_mq_free_request run #8: boot failed: general protection fault in blk_mq_free_request run #9: boot failed: general protection fault in blk_mq_free_request # git bisect skip 117d5b6d00ee02f73d7065fe906e2ef1af74bb68 Bisecting: 272 revisions left to test after this (roughly 8 steps) [56f8da642bd827ef50a952e7bc3728c5830452be] block: add rq_flags to struct blk_mq_alloc_data testing commit 56f8da642bd827ef50a952e7bc3728c5830452be compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 4b5d6ebe7574fe42ba122ca28062b03298d999033106ce05fc5c3e1a6ce33288 all runs: crashed: KASAN: use-after-free Write in io_submit_one # git bisect bad 56f8da642bd827ef50a952e7bc3728c5830452be Bisecting: 7 revisions left to test after this (roughly 3 steps) [0c9d338c8443b06da8e8d3bfce824c5ea6d3488f] blk-cgroup: synchronize blkg creation against policy deactivation testing commit 0c9d338c8443b06da8e8d3bfce824c5ea6d3488f compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 96f46d66e3f69296f02f52b40f2793ffcd93c7634e84449e529d433f9eec9289 all runs: crashed: KASAN: use-after-free Write in io_submit_one # git bisect bad 0c9d338c8443b06da8e8d3bfce824c5ea6d3488f Bisecting: 2 revisions left to test after this (roughly 2 steps) [599593a82fc57f5e9453c8ef7420df3206934a0c] sched: make task_struct->plug always defined testing commit 599593a82fc57f5e9453c8ef7420df3206934a0c compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: eafdb519088dca4ccf8a92fdab104a038c2f3e0c72ad0034652be717d8b49ee5 all runs: OK # git bisect good 599593a82fc57f5e9453c8ef7420df3206934a0c Bisecting: 1 revision left to test after this (roughly 1 step) [54a88eb838d37af930c9f19e1930a4fba6789cb5] block: add single bio async direct IO helper testing commit 54a88eb838d37af930c9f19e1930a4fba6789cb5 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 95c39db3b49953523b98b744edf3613decb66aa4a9ed4d02d22b4ce7ac7e67f5 all runs: crashed: KASAN: use-after-free Write in io_submit_one # git bisect bad 54a88eb838d37af930c9f19e1930a4fba6789cb5 54a88eb838d37af930c9f19e1930a4fba6789cb5 is the first bad commit commit 54a88eb838d37af930c9f19e1930a4fba6789cb5 Author: Pavel Begunkov Date: Sat Oct 23 17:21:32 2021 +0100 block: add single bio async direct IO helper As with __blkdev_direct_IO_simple(), we can implement direct IO more efficiently if there is only one bio. Add __blkdev_direct_IO_async() and blkdev_bio_end_io_async(). This patch brings me from 4.45-4.5 MIOPS with nullblk to 4.7+. Signed-off-by: Pavel Begunkov Link: https://lore.kernel.org/r/f0ae4109b7a6934adede490f84d188d53b97051b.1635006010.git.asml.silence@gmail.com Signed-off-by: Jens Axboe block/fops.c | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 84 insertions(+), 3 deletions(-) culprit signature: 95c39db3b49953523b98b744edf3613decb66aa4a9ed4d02d22b4ce7ac7e67f5 parent signature: eafdb519088dca4ccf8a92fdab104a038c2f3e0c72ad0034652be717d8b49ee5 revisions tested: 32, total time: 7h42m19.077928554s (build: 3h27m41.105455579s, test: 4h11m51.429890769s) first bad commit: 54a88eb838d37af930c9f19e1930a4fba6789cb5 block: add single bio async direct IO helper recipients (to): ["asml.silence@gmail.com" "axboe@kernel.dk" "axboe@kernel.dk" "linux-block@vger.kernel.org"] recipients (cc): ["linux-kernel@vger.kernel.org"] crash: KASAN: use-after-free Write in io_submit_one ================================================================== BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:101 [inline] BUG: KASAN: use-after-free in atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:167 [inline] BUG: KASAN: use-after-free in __refcount_sub_and_test include/linux/refcount.h:272 [inline] BUG: KASAN: use-after-free in __refcount_dec_and_test include/linux/refcount.h:315 [inline] BUG: KASAN: use-after-free in refcount_dec_and_test include/linux/refcount.h:333 [inline] BUG: KASAN: use-after-free in iocb_put fs/aio.c:1162 [inline] BUG: KASAN: use-after-free in io_submit_one+0x54f/0x17d0 fs/aio.c:1883 Write of size 4 at addr ffff88807aa8c0c8 by task syz-executor.0/8650 CPU: 1 PID: 8650 Comm: syz-executor.0 Not tainted 5.15.0-rc6-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x57/0x7d lib/dump_stack.c:106 print_address_description.constprop.0.cold+0x6c/0x309 mm/kasan/report.c:256 __kasan_report mm/kasan/report.c:442 [inline] kasan_report.cold+0x83/0xdf mm/kasan/report.c:459 check_region_inline mm/kasan/generic.c:183 [inline] kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189 instrument_atomic_read_write include/linux/instrumented.h:101 [inline] atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:167 [inline] __refcount_sub_and_test include/linux/refcount.h:272 [inline] __refcount_dec_and_test include/linux/refcount.h:315 [inline] refcount_dec_and_test include/linux/refcount.h:333 [inline] iocb_put fs/aio.c:1162 [inline] io_submit_one+0x54f/0x17d0 fs/aio.c:1883 __do_sys_io_submit fs/aio.c:1939 [inline] __se_sys_io_submit fs/aio.c:1909 [inline] __x64_sys_io_submit+0x148/0x290 fs/aio.c:1909 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f437c98caf9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f437c102188 EFLAGS: 00000246 ORIG_RAX: 00000000000000d1 RAX: ffffffffffffffda RBX: 00007f437ca9ff60 RCX: 00007f437c98caf9 RDX: 0000000020000800 RSI: 0000000000000002 RDI: 00007f437ca83000 RBP: 00007f437c9e6ff7 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffd9ec405af R14: 00007f437c102300 R15: 0000000000022000 Allocated by task 8650: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 kasan_set_track mm/kasan/common.c:46 [inline] set_alloc_info mm/kasan/common.c:434 [inline] __kasan_slab_alloc+0x83/0xb0 mm/kasan/common.c:467 kasan_slab_alloc include/linux/kasan.h:254 [inline] slab_post_alloc_hook mm/slab.h:519 [inline] slab_alloc_node mm/slub.c:3206 [inline] slab_alloc mm/slub.c:3214 [inline] kmem_cache_alloc+0x209/0x390 mm/slub.c:3219 aio_get_req fs/aio.c:1029 [inline] io_submit_one+0xbf/0x17d0 fs/aio.c:1876 __do_sys_io_submit fs/aio.c:1939 [inline] __se_sys_io_submit fs/aio.c:1909 [inline] __x64_sys_io_submit+0x148/0x290 fs/aio.c:1909 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae Freed by task 8650: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 kasan_set_track+0x1c/0x30 mm/kasan/common.c:46 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:360 ____kasan_slab_free mm/kasan/common.c:366 [inline] ____kasan_slab_free mm/kasan/common.c:328 [inline] __kasan_slab_free+0xff/0x130 mm/kasan/common.c:374 kasan_slab_free include/linux/kasan.h:230 [inline] slab_free_hook mm/slub.c:1700 [inline] slab_free_freelist_hook+0x81/0x190 mm/slub.c:1725 slab_free mm/slub.c:3483 [inline] kmem_cache_free+0x8a/0x5b0 mm/slub.c:3499 aio_rw_done fs/aio.c:1511 [inline] aio_read+0x284/0x3c0 fs/aio.c:1538 __io_submit_one fs/aio.c:1831 [inline] io_submit_one+0xb84/0x17d0 fs/aio.c:1880 __do_sys_io_submit fs/aio.c:1939 [inline] __se_sys_io_submit fs/aio.c:1909 [inline] __x64_sys_io_submit+0x148/0x290 fs/aio.c:1909 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae The buggy address belongs to the object at ffff88807aa8c000 which belongs to the cache aio_kiocb of size 216 The buggy address is located 200 bytes inside of 216-byte region [ffff88807aa8c000, ffff88807aa8c0d8) The buggy address belongs to the page: page:ffffea0001eaa300 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7aa8c flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000200 0000000000000000 dead000000000122 ffff8881411af500 raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 8650, ts 59997502456, free_ts 45298393216 prep_new_page mm/page_alloc.c:2424 [inline] get_page_from_freelist+0xa6f/0x2f50 mm/page_alloc.c:4153 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5375 alloc_slab_page mm/slub.c:1763 [inline] allocate_slab mm/slub.c:1900 [inline] new_slab+0x319/0x490 mm/slub.c:1963 ___slab_alloc+0x923/0xfe0 mm/slub.c:2994 __slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3081 slab_alloc_node mm/slub.c:3172 [inline] slab_alloc mm/slub.c:3214 [inline] kmem_cache_alloc+0x365/0x390 mm/slub.c:3219 aio_get_req fs/aio.c:1029 [inline] io_submit_one+0xbf/0x17d0 fs/aio.c:1876 __do_sys_io_submit fs/aio.c:1939 [inline] __se_sys_io_submit fs/aio.c:1909 [inline] __x64_sys_io_submit+0x148/0x290 fs/aio.c:1909 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1338 [inline] free_pcp_prepare+0x2c5/0x780 mm/page_alloc.c:1389 free_unref_page_prepare mm/page_alloc.c:3315 [inline] free_unref_page+0x19/0x690 mm/page_alloc.c:3394 kasan_depopulate_vmalloc_pte+0x5c/0x70 mm/kasan/shadow.c:375 apply_to_pte_range mm/memory.c:2532 [inline] apply_to_pmd_range mm/memory.c:2576 [inline] apply_to_pud_range mm/memory.c:2612 [inline] apply_to_p4d_range mm/memory.c:2648 [inline] __apply_to_page_range+0x4f8/0xbb0 mm/memory.c:2682 kasan_release_vmalloc+0xa7/0xc0 mm/kasan/shadow.c:485 __purge_vmap_area_lazy+0x701/0x2330 mm/vmalloc.c:1704 _vm_unmap_aliases.part.0+0x30a/0x3e0 mm/vmalloc.c:2107 change_page_attr_set_clr+0x19b/0x3b0 arch/x86/mm/pat/set_memory.c:1740 change_page_attr_clear arch/x86/mm/pat/set_memory.c:1797 [inline] set_memory_ro+0x6e/0xa0 arch/x86/mm/pat/set_memory.c:1943 bpf_jit_binary_lock_ro include/linux/filter.h:890 [inline] bpf_int_jit_compile+0xcac/0x1000 arch/x86/net/bpf_jit_comp.c:2368 bpf_prog_select_runtime+0x372/0x710 kernel/bpf/core.c:1914 bpf_migrate_filter+0x266/0x2f0 net/core/filter.c:1295 bpf_prepare_filter net/core/filter.c:1343 [inline] bpf_prog_create_from_user+0x3b8/0x5c0 net/core/filter.c:1437 seccomp_prepare_filter kernel/seccomp.c:666 [inline] seccomp_prepare_user_filter kernel/seccomp.c:703 [inline] seccomp_set_mode_filter kernel/seccomp.c:1824 [inline] do_seccomp+0x2b1/0x2270 kernel/seccomp.c:1944 __do_sys_prctl+0x659/0xc50 kernel/sys.c:2346 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 Memory state around the buggy address: ffff88807aa8bf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88807aa8c000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff88807aa8c080: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc ^ ffff88807aa8c100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88807aa8c180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ==================================================================