bisecting cause commit starting from 7ddd09fc4b745fb1d8942f95389583e08412e0cd building syzkaller on bc5869180f69e2ad6c6b823e129e08a8e523d800 testing commit 7ddd09fc4b745fb1d8942f95389583e08412e0cd with gcc (GCC) 8.1.0 kernel signature: 9523ce896b8f6b37d4c14304ccb56d094a6ff3b4 run #0: crashed: WARNING in percpu_ref_exit run #1: crashed: WARNING in percpu_ref_exit run #2: crashed: WARNING in percpu_ref_exit run #3: crashed: WARNING: ODEBUG bug in io_sqe_files_unregister run #4: crashed: WARNING in percpu_ref_exit run #5: crashed: WARNING in percpu_ref_exit run #6: crashed: WARNING in percpu_ref_exit run #7: crashed: WARNING in percpu_ref_exit run #8: crashed: WARNING in percpu_ref_exit run #9: crashed: WARNING in percpu_ref_exit testing release v5.4 testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0 kernel signature: bd7106f6161746ea3f7e1cd1d38fc866dcaa1d98 all runs: OK # git bisect start 7ddd09fc4b745fb1d8942f95389583e08412e0cd 219d54332a09e8d8741c1e1982f5eae56099de85 Bisecting: 9519 revisions left to test after this (roughly 13 steps) [ddebe839c6013ab42f376bdeaaaf66bd0c0d68d6] Merge tag 'clk-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux testing commit ddebe839c6013ab42f376bdeaaaf66bd0c0d68d6 with gcc (GCC) 8.1.0 kernel signature: aa143c56f9d3a4530d74cbdd1b48913a4aea4ce6 all runs: OK # git bisect good ddebe839c6013ab42f376bdeaaaf66bd0c0d68d6 Bisecting: 4770 revisions left to test after this (roughly 12 steps) [9bd7eaa8e6e729307781b9f19cf514a2977c7832] Merge remote-tracking branch 'kbuild/for-next' testing commit 9bd7eaa8e6e729307781b9f19cf514a2977c7832 with gcc (GCC) 8.1.0 kernel signature: f566b133f56e1ef16a105aa5897684f8799fe647 all runs: OK # git bisect good 9bd7eaa8e6e729307781b9f19cf514a2977c7832 Bisecting: 2154 revisions left to test after this (roughly 11 steps) [58d1cf12662cdc07057a90ae6b9ecf7f1409b0f9] Merge remote-tracking branch 'drm/drm-next' testing commit 58d1cf12662cdc07057a90ae6b9ecf7f1409b0f9 with gcc (GCC) 8.1.0 kernel signature: 33cc3a16d933d675d2898cec8c40b27dffe8c5fe all runs: OK # git bisect good 58d1cf12662cdc07057a90ae6b9ecf7f1409b0f9 Bisecting: 1077 revisions left to test after this (roughly 10 steps) [a6874cba62db51cc00ecea752b6fc6a799498730] Merge remote-tracking branch 'battery/for-next' testing commit a6874cba62db51cc00ecea752b6fc6a799498730 with gcc (GCC) 8.1.0 kernel signature: c1a000b847105928019989aba29181d317bc48a2 run #0: crashed: WARNING in percpu_ref_exit run #1: crashed: WARNING in percpu_ref_exit run #2: crashed: WARNING in percpu_ref_exit run #3: crashed: general protection fault in __io_uring_register run #4: crashed: WARNING: ODEBUG bug in io_sqe_files_unregister run #5: crashed: WARNING in percpu_ref_exit run #6: crashed: WARNING in percpu_ref_exit run #7: crashed: WARNING in percpu_ref_exit run #8: crashed: WARNING in percpu_ref_exit run #9: crashed: WARNING in percpu_ref_exit # git bisect bad a6874cba62db51cc00ecea752b6fc6a799498730 Bisecting: 512 revisions left to test after this (roughly 9 steps) [dadf05112e514305c7bf901f9d15ecf3bc54a465] Merge remote-tracking branch 'drm-intel/for-linux-next' testing commit dadf05112e514305c7bf901f9d15ecf3bc54a465 with gcc (GCC) 8.1.0 kernel signature: 01e429887efb31d60682c17b15f84f266bd653de all runs: OK # git bisect good dadf05112e514305c7bf901f9d15ecf3bc54a465 Bisecting: 276 revisions left to test after this (roughly 8 steps) [76fc7298494407ab00cffbd9466dd739aead864f] Merge remote-tracking branch 'sound/for-next' testing commit 76fc7298494407ab00cffbd9466dd739aead864f with gcc (GCC) 8.1.0 kernel signature: f3ae92b93c68033cb8d43a8059da091fc6c342c1 all runs: OK # git bisect good 76fc7298494407ab00cffbd9466dd739aead864f Bisecting: 138 revisions left to test after this (roughly 7 steps) [0f501c7cde4086d15c396a95c59631b05dbc0351] ASoC: SOF: move arch_ops under ops testing commit 0f501c7cde4086d15c396a95c59631b05dbc0351 with gcc (GCC) 8.1.0 kernel signature: fdff954790dd0138af81f21dd592d53fa350f001 all runs: OK # git bisect good 0f501c7cde4086d15c396a95c59631b05dbc0351 Bisecting: 77 revisions left to test after this (roughly 6 steps) [6b70fabbcbd15005b550c0778d941ef98d34647e] Merge remote-tracking branch 'pcmcia/pcmcia-next' testing commit 6b70fabbcbd15005b550c0778d941ef98d34647e with gcc (GCC) 8.1.0 kernel signature: 3ad929523bc9688b6bb9d8fe5fcb041f4002d828 run #0: crashed: general protection fault in __io_uring_register run #1: crashed: WARNING in percpu_ref_exit run #2: crashed: WARNING in percpu_ref_exit run #3: crashed: WARNING in percpu_ref_exit run #4: crashed: WARNING in percpu_ref_exit run #5: crashed: WARNING in percpu_ref_exit run #6: crashed: WARNING in percpu_ref_exit run #7: crashed: WARNING in percpu_ref_exit run #8: crashed: WARNING in percpu_ref_exit run #9: crashed: WARNING in percpu_ref_exit # git bisect bad 6b70fabbcbd15005b550c0778d941ef98d34647e Bisecting: 30 revisions left to test after this (roughly 5 steps) [7fa07c60d3b014cff1b931ba979c3aec4e9052e6] io_uring: remove two unnecessary function declarations testing commit 7fa07c60d3b014cff1b931ba979c3aec4e9052e6 with gcc (GCC) 8.1.0 kernel signature: cee4c2e12c8aa7729e2ebf5e7368ebfd6858a7ba run #0: crashed: WARNING in percpu_ref_exit run #1: crashed: WARNING in percpu_ref_exit run #2: crashed: WARNING in percpu_ref_exit run #3: crashed: WARNING in percpu_ref_exit run #4: crashed: WARNING: ODEBUG bug in io_sqe_files_unregister run #5: crashed: WARNING in percpu_ref_exit run #6: crashed: WARNING: ODEBUG bug in io_sqe_files_unregister run #7: crashed: WARNING in percpu_ref_exit run #8: crashed: WARNING in percpu_ref_exit run #9: crashed: WARNING in percpu_ref_exit # git bisect bad 7fa07c60d3b014cff1b931ba979c3aec4e9052e6 Bisecting: 14 revisions left to test after this (roughly 4 steps) [2c28d602400c7bef103a5ffc0d10608099f695dc] io_uring: add support for fallocate() testing commit 2c28d602400c7bef103a5ffc0d10608099f695dc with gcc (GCC) 8.1.0 kernel signature: 5e19f6b2e5de447ce832beaf97e750f4842b2151 all runs: OK # git bisect good 2c28d602400c7bef103a5ffc0d10608099f695dc Bisecting: 7 revisions left to test after this (roughly 3 steps) [0325bbcd2dd2d303d6e8f78edeefdab3a39f38ff] io_uring: add support for IORING_OP_CLOSE testing commit 0325bbcd2dd2d303d6e8f78edeefdab3a39f38ff with gcc (GCC) 8.1.0 kernel signature: dedb3a436828b6fa775a8ef27b90156957212f6a all runs: OK # git bisect good 0325bbcd2dd2d303d6e8f78edeefdab3a39f38ff Bisecting: 3 revisions left to test after this (roughly 2 steps) [7420542ba233956799f78caf70d5b3e3d818fe12] io-wq: support concurrent non-blocking work testing commit 7420542ba233956799f78caf70d5b3e3d818fe12 with gcc (GCC) 8.1.0 kernel signature: 9fd17a9ce8afeb4084d205476bbde02fdce6e1fa run #0: crashed: WARNING: ODEBUG bug in io_sqe_files_unregister run #1: crashed: WARNING in percpu_ref_exit run #2: crashed: WARNING in percpu_ref_exit run #3: crashed: WARNING in percpu_ref_exit run #4: crashed: WARNING in percpu_ref_exit run #5: crashed: WARNING in percpu_ref_exit run #6: crashed: WARNING in percpu_ref_exit run #7: crashed: WARNING in percpu_ref_exit run #8: crashed: WARNING: ODEBUG bug in io_sqe_files_unregister run #9: crashed: WARNING in percpu_ref_exit # git bisect bad 7420542ba233956799f78caf70d5b3e3d818fe12 Bisecting: 1 revision left to test after this (roughly 1 step) [03448cdee0278f77adca6018d8754f244b050ee7] fs: make two stat prep helpers available testing commit 03448cdee0278f77adca6018d8754f244b050ee7 with gcc (GCC) 8.1.0 kernel signature: 558f2b77f2f9330f53354fbe6c204cce4f71c583 run #0: crashed: WARNING in percpu_ref_exit run #1: crashed: WARNING in percpu_ref_exit run #2: crashed: WARNING in percpu_ref_exit run #3: crashed: general protection fault in __io_uring_register run #4: crashed: WARNING in percpu_ref_exit run #5: crashed: WARNING in percpu_ref_exit run #6: crashed: WARNING in percpu_ref_exit run #7: crashed: general protection fault in __io_uring_register run #8: crashed: general protection fault in __io_uring_register run #9: crashed: WARNING: ODEBUG bug in io_sqe_files_unregister # git bisect bad 03448cdee0278f77adca6018d8754f244b050ee7 Bisecting: 0 revisions left to test after this (roughly 0 steps) [cbb537634780172137459dead490d668d437ef4d] io_uring: avoid ring quiesce for fixed file set unregister and update testing commit cbb537634780172137459dead490d668d437ef4d with gcc (GCC) 8.1.0 kernel signature: 0aae18d1595740f959dc257f5db625ace8e94e58 run #0: crashed: WARNING in percpu_ref_exit run #1: crashed: WARNING in percpu_ref_exit run #2: crashed: WARNING in percpu_ref_exit run #3: crashed: WARNING in percpu_ref_exit run #4: crashed: WARNING in percpu_ref_exit run #5: crashed: WARNING in percpu_ref_exit run #6: crashed: KASAN: use-after-free Read in percpu_ref_switch_to_atomic_rcu run #7: crashed: WARNING in percpu_ref_exit run #8: crashed: WARNING in percpu_ref_exit run #9: crashed: WARNING: ODEBUG bug in io_sqe_files_unregister # git bisect bad cbb537634780172137459dead490d668d437ef4d cbb537634780172137459dead490d668d437ef4d is the first bad commit commit cbb537634780172137459dead490d668d437ef4d Author: Jens Axboe Date: Mon Dec 9 11:22:50 2019 -0700 io_uring: avoid ring quiesce for fixed file set unregister and update We currently fully quiesce the ring before an unregister or update of the fixed fileset. This is very expensive, and we can be a bit smarter about this. Add a percpu refcount for the file tables as a whole. Grab a percpu ref when we use a registered file, and put it on completion. This is cheap to do. Upon removal of a file from a set, switch the ref count to atomic mode. When we hit zero ref on the completion side, then we know we can drop the previously registered files. When the old files have been dropped, switch the ref back to percpu mode for normal operation. Since there's a period between doing the update and the kernel being done with it, add a IORING_OP_FILES_UPDATE opcode that can perform the same action. The application knows the update has completed when it gets the CQE for it. Between doing the update and receiving this completion, the application must continue to use the unregistered fd if submitting IO on this particular file. This takes the runtime of test/file-register from liburing from 14s to about 0.7s. Signed-off-by: Jens Axboe fs/io_uring.c | 406 ++++++++++++++++++++++++++++++------------ include/uapi/linux/io_uring.h | 1 + 2 files changed, 298 insertions(+), 109 deletions(-) culprit signature: 0aae18d1595740f959dc257f5db625ace8e94e58 parent signature: dedb3a436828b6fa775a8ef27b90156957212f6a revisions tested: 16, total time: 3h35m22.115012242s (build: 1h34m44.22860774s, test: 1h59m4.764345354s) first bad commit: cbb537634780172137459dead490d668d437ef4d io_uring: avoid ring quiesce for fixed file set unregister and update cc: ["axboe@kernel.dk" "linux-block@vger.kernel.org" "linux-fsdevel@vger.kernel.org" "linux-kernel@vger.kernel.org" "viro@zeniv.linux.org.uk"] crash: WARNING: ODEBUG bug in io_sqe_files_unregister ------------[ cut here ]------------ ODEBUG: free active (active state 0) object type: work_struct hint: io_ring_file_ref_switch+0x0/0xc90 include/linux/refcount.h:191 WARNING: CPU: 1 PID: 22173 at lib/debugobjects.c:484 debug_print_object+0x168/0x210 lib/debugobjects.c:481 Kernel panic - not syncing: panic_on_warn set ... CPU: 1 PID: 22173 Comm: syz-executor.5 Not tainted 5.5.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x12d/0x187 lib/dump_stack.c:118 panic+0x22a/0x4e3 kernel/panic.c:221 __warn.cold.10+0x25/0x2a kernel/panic.c:582 report_bug+0x1b0/0x270 lib/bug.c:195 fixup_bug arch/x86/kernel/traps.c:174 [inline] do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:267 do_invalid_op+0x36/0x40 arch/x86/kernel/traps.c:286 invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027 RIP: 0010:debug_print_object+0x168/0x210 lib/debugobjects.c:481 Code: cc 87 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 92 00 00 00 48 8b 14 dd 20 4f cc 87 4c 89 fe 48 c7 c7 80 44 cc 87 e8 10 e6 f0 fd <0f> 0b 83 05 b3 09 60 06 01 48 83 c4 18 5b 41 5c 41 5d 41 5e 41 5f RSP: 0018:ffffc90005287a20 EFLAGS: 00010086 RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000 RDX: 0000000000000001 RSI: 0000000000000007 RDI: ffffffff8a91f560 RBP: ffffc90005287a60 R08: ffffed1015d645c9 R09: ffffed1015d645c9 R10: ffffed1015d645c8 R11: ffff8880aeb22e43 R12: 0000000000000001 R13: ffffffff88d6e7e0 R14: ffffffff8144e950 R15: ffffffff87cc4b80 __debug_check_no_obj_freed lib/debugobjects.c:963 [inline] debug_check_no_obj_freed+0x2db/0x436 lib/debugobjects.c:994 kfree+0xf6/0x2c0 mm/slab.c:3756 io_sqe_files_unregister+0x1b0/0x290 fs/io_uring.c:4412 io_ring_ctx_free fs/io_uring.c:5356 [inline] io_ring_ctx_wait_and_kill+0x395/0x8d0 fs/io_uring.c:5425 io_uring_release+0x3d/0x50 fs/io_uring.c:5433 __fput+0x25a/0x770 fs/file_table.c:280 ____fput+0x9/0x10 fs/file_table.c:313 task_work_run+0x108/0x180 kernel/task_work.c:113 get_signal+0x1696/0x1d40 kernel/signal.c:2528 do_signal+0x87/0x1710 arch/x86/kernel/signal.c:815 exit_to_usermode_loop+0x114/0x2e0 arch/x86/entry/common.c:160 prepare_exit_to_usermode arch/x86/entry/common.c:195 [inline] syscall_return_slowpath arch/x86/entry/common.c:278 [inline] do_syscall_64+0x4ff/0x5f0 arch/x86/entry/common.c:304 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x45a919 Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007f040a10ac78 EFLAGS: 00000246 ORIG_RAX: 00000000000001ab RAX: 0000000000000000 RBX: 0000000000000004 RCX: 000000000045a919 RDX: 0000000020000180 RSI: 0000000000000002 RDI: 0000000000000003 RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000246 R12: 00007f040a10b6d4 R13: 00000000004cf7f0 R14: 00000000004d7080 R15: 00000000ffffffff Kernel Offset: disabled Rebooting in 86400 seconds..