bisecting fixing commit since dd86e7fa07a3ec33c92c957ea7b642c4702516a0
building syzkaller on 23a562dfb3a9986a066a1341c2cfc9e87a8fa164
testing commit dd86e7fa07a3ec33c92c957ea7b642c4702516a0 with gcc (GCC) 10.2.1 20210217
kernel signature: 0143b01785f8efb18319c099463cd08e9fd1946ba65a1fffaf0aa26b8333b18f
all runs: crashed: KASAN: use-after-free Read in idr_for_each
testing current HEAD 7f75285ca572eaabc028cf78c6ab5473d0d160be
testing commit 7f75285ca572eaabc028cf78c6ab5473d0d160be with gcc (GCC) 10.2.1 20210217
kernel signature: 09bd5fba15d63123e3884f621c884b482b18357a8271788d95646ea25b9458d5
all runs: OK
# git bisect start 7f75285ca572eaabc028cf78c6ab5473d0d160be dd86e7fa07a3ec33c92c957ea7b642c4702516a0
Bisecting: 6586 revisions left to test after this (roughly 13 steps)
[d99676af540c2dc829999928fb81c58c80a1dce4] Merge tag 'drm-next-2021-02-19' of git://anongit.freedesktop.org/drm/drm
testing commit d99676af540c2dc829999928fb81c58c80a1dce4 with gcc (GCC) 10.2.1 20210217
kernel signature: c35a33b8f64a4e4f7e9837150d4cf7ef6685db1a5d6e45b375248075718939a3
all runs: crashed: KASAN: use-after-free Read in idr_for_each
# git bisect good d99676af540c2dc829999928fb81c58c80a1dce4
Bisecting: 3294 revisions left to test after this (roughly 12 steps)
[e40242b9820817a7afe520228c6a6a535e40d222] Merge tag 'rpmsg-v5.12' of git://git.kernel.org/pub/scm/linux/kernel/git/andersson/remoteproc
testing commit e40242b9820817a7afe520228c6a6a535e40d222 with gcc (GCC) 10.2.1 20210217
kernel signature: df4f843ba96afa8a9c0e46b4690e4fe291c49e93fe0fde6d320d2a50182c260b
run #0: crashed: KASAN: use-after-free Read in idr_for_each
run #1: crashed: KASAN: use-after-free Read in idr_for_each
run #2: crashed: KASAN: use-after-free Read in idr_for_each
run #3: crashed: KASAN: use-after-free Read in idr_for_each
run #4: crashed: KASAN: use-after-free Read in idr_for_each
run #5: crashed: KASAN: use-after-free Read in idr_for_each
run #6: crashed: KASAN: use-after-free Read in idr_for_each
run #7: crashed: KASAN: use-after-free Read in idr_for_each
run #8: crashed: KASAN: use-after-free Read in idr_for_each
run #9: OK
# git bisect good e40242b9820817a7afe520228c6a6a535e40d222
Bisecting: 1646 revisions left to test after this (roughly 11 steps)
[b77b5fdd052e7ee61b35164abb10e8433d3160e8] Merge tag 'gfs2-v5.12-rc2-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/gfs2/linux-gfs2
testing commit b77b5fdd052e7ee61b35164abb10e8433d3160e8 with gcc (GCC) 10.2.1 20210217
kernel signature: a1c5b4274625385e6b0b0ed1a91daa26dc948bbbef023b196312d4ddb1eda7e0
run #0: crashed: KASAN: use-after-free Read in idr_for_each
run #1: crashed: KASAN: use-after-free Read in idr_for_each
run #2: crashed: KASAN: use-after-free Read in idr_for_each
run #3: crashed: KASAN: use-after-free Read in idr_for_each
run #4: crashed: KASAN: use-after-free Read in idr_for_each
run #5: crashed: KASAN: use-after-free Read in idr_for_each
run #6: crashed: KASAN: use-after-free Read in idr_for_each
run #7: crashed: KASAN: use-after-free Read in idr_for_each
run #8: OK
run #9: OK
# git bisect good b77b5fdd052e7ee61b35164abb10e8433d3160e8
Bisecting: 823 revisions left to test after this (roughly 10 steps)
[e138138003eb3b3d06cc91cf2e8c5dec77e2a31e] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
testing commit e138138003eb3b3d06cc91cf2e8c5dec77e2a31e with gcc (GCC) 10.2.1 20210217
kernel signature: 81ae944bd454af62d0fab6868e7a3ee085705eca2a4813d8f844ad02c68c9119
all runs: OK
# git bisect bad e138138003eb3b3d06cc91cf2e8c5dec77e2a31e
Bisecting: 402 revisions left to test after this (roughly 9 steps)
[769e155c5395100fc468aa87703c486f276c16cd] Merge tag 'sound-5.12-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound
testing commit 769e155c5395100fc468aa87703c486f276c16cd with gcc (GCC) 10.2.1 20210217
kernel signature: 3c6fc4079fdaa24d78d4945292390976ba517460bfc25f668da5a872b2896f26
all runs: OK
# git bisect bad 769e155c5395100fc468aa87703c486f276c16cd
Bisecting: 215 revisions left to test after this (roughly 8 steps)
[88fe49249c99de14e543c632a46248d85411ab9e] Merge tag 'char-misc-5.12-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc
testing commit 88fe49249c99de14e543c632a46248d85411ab9e with gcc (GCC) 10.2.1 20210217
kernel signature: 962f8be6890c390fbc34b495cc86e25731e84e1ac019f609d39211caf2ef8453
all runs: OK
# git bisect bad 88fe49249c99de14e543c632a46248d85411ab9e
Bisecting: 106 revisions left to test after this (roughly 7 steps)
[ce307084c96d0ec92c04fcc38b107241b168df11] Merge tag 'block-5.12-2021-03-12-v2' of git://git.kernel.dk/linux-block
testing commit ce307084c96d0ec92c04fcc38b107241b168df11 with gcc (GCC) 10.2.1 20210217
kernel signature: 957ce5174f3e0c2bd53461fcfb8979b870706ccfb86c33a03a267b18bda36a1d
all runs: OK
# git bisect bad ce307084c96d0ec92c04fcc38b107241b168df11
Bisecting: 56 revisions left to test after this (roughly 6 steps)
[261410082d01f2f2d4fcd19abee6b8e84f399c51] Merge tag 'devprop-5.12-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm
testing commit 261410082d01f2f2d4fcd19abee6b8e84f399c51 with gcc (GCC) 10.2.1 20210217
kernel signature: 8ef2d3a60b7a4349d513591bce41c7b8f1e7f7dfa5d93aab95abcd42662084e8
run #0: crashed: KASAN: use-after-free Read in idr_for_each
run #1: crashed: KASAN: use-after-free Read in idr_for_each
run #2: crashed: KASAN: use-after-free Read in idr_for_each
run #3: crashed: KASAN: use-after-free Read in idr_for_each
run #4: crashed: KASAN: use-after-free Read in idr_for_each
run #5: crashed: KASAN: use-after-free Read in idr_for_each
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good 261410082d01f2f2d4fcd19abee6b8e84f399c51
Bisecting: 28 revisions left to test after this (roughly 5 steps)
[5c2469e0a22e035d52f3ba768151cc75e3d4a1cd] io_uring: force creation of separate context for ATTACH_WQ and non-threads
testing commit 5c2469e0a22e035d52f3ba768151cc75e3d4a1cd with gcc (GCC) 10.2.1 20210217
kernel signature: ce94e0c2ba6fb710b8a6ee0f63eda1529ef0245cea7b3a8fe125a581756d4b1a
all runs: OK
# git bisect bad 5c2469e0a22e035d52f3ba768151cc75e3d4a1cd
Bisecting: 13 revisions left to test after this (roughly 4 steps)
[f458dd8441e56d122ddf1d8e2af0b6ee62f52af9] io_uring: fix unrelated ctx reqs cancellation
testing commit f458dd8441e56d122ddf1d8e2af0b6ee62f52af9 with gcc (GCC) 10.2.1 20210217
kernel signature: de96626e9905f1d5b71e8699c683c0e90fce8e3281de3fbb6e9469bd0b635d14
run #0: crashed: KASAN: use-after-free Read in idr_for_each
run #1: crashed: KASAN: use-after-free Read in idr_for_each
run #2: crashed: KASAN: use-after-free Read in idr_for_each
run #3: crashed: KASAN: use-after-free Read in idr_for_each
run #4: crashed: KASAN: use-after-free Read in idr_for_each
run #5: crashed: KASAN: use-after-free Read in idr_for_each
run #6: crashed: KASAN: use-after-free Read in idr_for_each
run #7: crashed: KASAN: use-after-free Read in idr_for_each
run #8: crashed: KASAN: use-after-free Read in idr_for_each
run #9: OK
# git bisect good f458dd8441e56d122ddf1d8e2af0b6ee62f52af9
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[70e35125093b05b0e607ba1f5358ddf76946756c] io-wq: fix ref leak for req in case of exit cancelations
testing commit 70e35125093b05b0e607ba1f5358ddf76946756c with gcc (GCC) 10.2.1 20210217
kernel signature: e64e44547c08b5acc7223be1a419531dae2466a1cea65510a60d698fee5a97ca
all runs: OK
# git bisect bad 70e35125093b05b0e607ba1f5358ddf76946756c
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[cc20e3fec682700b673fcd286e6bef8e9da947e2] io-wq: remove unused 'user' member of io_wq
testing commit cc20e3fec682700b673fcd286e6bef8e9da947e2 with gcc (GCC) 10.2.1 20210217
kernel signature: 6e4df9820538c8b817845621f666af870907edccc65683b36f2ce8bb4c2b6f31
all runs: OK
# git bisect bad cc20e3fec682700b673fcd286e6bef8e9da947e2
Bisecting: 0 revisions left to test after this (roughly 1 step)
[61cf93700fe6359552848ed5e3becba6cd760efa] io_uring: Convert personality_idr to XArray
testing commit 61cf93700fe6359552848ed5e3becba6cd760efa with gcc (GCC) 10.2.1 20210217
kernel signature: cba1c674d85759890e2ad70fea273b4950692752495ac97fc74bf6aced4de5f9
all runs: OK
# git bisect bad 61cf93700fe6359552848ed5e3becba6cd760efa
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[0298ef969a110ca03654f0cea9b50e3f3b331acc] io_uring: clean R_DISABLED startup mess
testing commit 0298ef969a110ca03654f0cea9b50e3f3b331acc with gcc (GCC) 10.2.1 20210217
kernel signature: ccd5ae650f38d00a0dd802d6ca07006967e287914505a788f076ee2d8eeb5044
run #0: crashed: KASAN: use-after-free Read in idr_for_each
run #1: crashed: KASAN: use-after-free Read in idr_for_each
run #2: crashed: KASAN: use-after-free Read in idr_for_each
run #3: crashed: KASAN: use-after-free Read in idr_for_each
run #4: crashed: KASAN: use-after-free Read in idr_for_each
run #5: crashed: KASAN: use-after-free Read in idr_for_each
run #6: crashed: KASAN: use-after-free Read in idr_for_each
run #7: crashed: KASAN: use-after-free Read in idr_for_each
run #8: OK
run #9: crashed: KASAN: use-after-free Read in idr_for_each
# git bisect good 0298ef969a110ca03654f0cea9b50e3f3b331acc
61cf93700fe6359552848ed5e3becba6cd760efa is the first bad commit
commit 61cf93700fe6359552848ed5e3becba6cd760efa
Author: Matthew Wilcox (Oracle)
Date:   Mon Mar 8 14:16:16 2021 +0000

    io_uring: Convert personality_idr to XArray

    You can't call idr_remove() from within a idr_for_each() callback,
    but you can call xa_erase() from an xa_for_each() loop, so switch the
    entire personality_idr from the IDR to the XArray. This manifests as
    a use-after-free as idr_for_each() attempts to walk the rest of the
    node after removing the last entry from it.

    Fixes: 071698e13ac6 ("io_uring: allow registering credentials")
    Cc: stable@vger.kernel.org # 5.6+
    Reported-by: yangerkun
    Signed-off-by: Matthew Wilcox (Oracle)
    [Pavel: rebased (creds load was moved into io_init_req())]
    Signed-off-by: Pavel Begunkov
    Link: https://lore.kernel.org/r/7ccff36e1375f2b0ebf73d957f037b43becc0dde.1615212806.git.asml.silence@gmail.com
    Signed-off-by: Jens Axboe

 fs/io_uring.c | 47 ++++++++++++++++++++++++-----------------------
 1 file changed, 24 insertions(+), 23 deletions(-)

culprit signature: cba1c674d85759890e2ad70fea273b4950692752495ac97fc74bf6aced4de5f9
parent signature: ccd5ae650f38d00a0dd802d6ca07006967e287914505a788f076ee2d8eeb5044
revisions tested: 16, total time: 4h55m4.208767193s (build: 1h52m58.27244362s, test: 2h59m52.551156893s)
first good commit: 61cf93700fe6359552848ed5e3becba6cd760efa io_uring: Convert personality_idr to XArray
recipients (to): ["asml.silence@gmail.com" "axboe@kernel.dk" "willy@infradead.org"]
recipients (cc): []