bisecting cause commit starting from b94ae8ad9fe79da61231999f347f79645b909bda building syzkaller on a76bf83ffac5c0bed0a686f8ebc98c74bfb34a0c testing commit b94ae8ad9fe79da61231999f347f79645b909bda with gcc (GCC) 8.1.0 kernel signature: 916d663e05be4edf1711eef24b5cf580c38fdbb7 all runs: crashed: kernel BUG at fs/pipe.c:LINE! testing release v5.4 testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0 kernel signature: 4fd37eef1dc79e33c0433f85bdf28079e0c88531 all runs: OK # git bisect start b94ae8ad9fe79da61231999f347f79645b909bda 219d54332a09e8d8741c1e1982f5eae56099de85 Bisecting: 4915 revisions left to test after this (roughly 12 steps) [361b0d286afea0d867537536977a695b5557d133] Merge tag 'devprop-5.5-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm testing commit 361b0d286afea0d867537536977a695b5557d133 with gcc (GCC) 8.1.0 kernel signature: b7d39bbbf36e2ee94bc0033951017df73169b635 all runs: OK # git bisect good 361b0d286afea0d867537536977a695b5557d133 Bisecting: 2468 revisions left to test after this (roughly 11 steps) [8c39f71ee2019e77ee14f88b1321b2348db51820] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net testing commit 8c39f71ee2019e77ee14f88b1321b2348db51820 with gcc (GCC) 8.1.0 kernel signature: 64d8c4ab2f01df9d49d5651ad39076374f22bc03 all runs: OK # git bisect good 8c39f71ee2019e77ee14f88b1321b2348db51820 Bisecting: 1215 revisions left to test after this (roughly 10 steps) [60845e34f0c5c19a9e86af477b429993952f585b] Merge tag 'drm-next-5.5-2019-10-25' of git://people.freedesktop.org/~agd5f/linux into drm-next testing commit 60845e34f0c5c19a9e86af477b429993952f585b with gcc (GCC) 8.1.0 kernel signature: 48f68b64263095b4e8bfe13a1aa15d33c6084bc4 all runs: OK # git bisect good 60845e34f0c5c19a9e86af477b429993952f585b Bisecting: 607 revisions left to test after this (roughly 9 steps) [17eee668b3cad423a47c090fe2275733c55db910] Merge tag 'drm-misc-next-fixes-2019-11-20' of git://anongit.freedesktop.org/drm/drm-misc into drm-next testing commit 17eee668b3cad423a47c090fe2275733c55db910 with gcc (GCC) 8.1.0 kernel signature: 58d830d6981d858c2d026866854e8bb2cd6ae926 all runs: OK # git bisect good 17eee668b3cad423a47c090fe2275733c55db910 Bisecting: 292 revisions left to test after this (roughly 8 steps) [21b26d2679584c6a60e861aa3e5ca09a6bab0633] Merge tag '5.5-rc-smb3-fixes' of git://git.samba.org/sfrench/cifs-2.6 testing commit 21b26d2679584c6a60e861aa3e5ca09a6bab0633 with gcc (GCC) 8.1.0 kernel signature: 5e65d3e19bfe23c9d02bc98d8e6fdb040a1c5963 all runs: OK # git bisect good 21b26d2679584c6a60e861aa3e5ca09a6bab0633 Bisecting: 146 revisions left to test after this (roughly 7 steps) [c9029ef9c95765e7b63c4d9aa780674447db1ec0] powerpc: Avoid clang warnings around setjmp and longjmp testing commit c9029ef9c95765e7b63c4d9aa780674447db1ec0 with gcc (GCC) 8.1.0 kernel signature: 3472af90fdb65e914607a70d8e8bc640cb820165 all runs: OK # git bisect good c9029ef9c95765e7b63c4d9aa780674447db1ec0 Bisecting: 85 revisions left to test after this (roughly 6 steps) [2309d0768237476c3144aa296264ad9e19598461] Merge tag 'nds32-for-linus-5.5-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/greentime/linux testing commit 2309d0768237476c3144aa296264ad9e19598461 with gcc (GCC) 8.1.0 kernel signature: 5f7b745d67fefc4c109649fa9ca87a4ae2197c4c all runs: crashed: kernel BUG at fs/pipe.c:LINE! # git bisect bad 2309d0768237476c3144aa296264ad9e19598461 Bisecting: 31 revisions left to test after this (roughly 5 steps) [545886fead7abfdbeb46d3ac62256e1db72739a3] ext2: code cleanup for descriptor_loc() testing commit 545886fead7abfdbeb46d3ac62256e1db72739a3 with gcc (GCC) 8.1.0 kernel signature: 24a5537247613b7cc9f0bb6923e0694fb53b072a all runs: OK # git bisect good 545886fead7abfdbeb46d3ac62256e1db72739a3 Bisecting: 17 revisions left to test after this (roughly 4 steps) [32ef9553635ab1236c33951a8bd9b5af1c3b1646] Merge tag 'fsnotify_for_v5.5-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs testing commit 32ef9553635ab1236c33951a8bd9b5af1c3b1646 with gcc (GCC) 8.1.0 kernel signature: 04ef07e0caf1f82239991b412192b7957346e7f4 all runs: OK # git bisect good 32ef9553635ab1236c33951a8bd9b5af1c3b1646 Bisecting: 8 revisions left to test after this (roughly 3 steps) [7e25a73f1a52b58fc8206557e40d990cd791ad25] pipe: Remove redundant wakeup from pipe_write() testing commit 7e25a73f1a52b58fc8206557e40d990cd791ad25 with gcc (GCC) 8.1.0 kernel signature: eb702237f70e943b9fa2b47f94b976d4168d7516 all runs: crashed: kernel BUG at fs/pipe.c:LINE! # git bisect bad 7e25a73f1a52b58fc8206557e40d990cd791ad25 Bisecting: 4 revisions left to test after this (roughly 2 steps) [8cefc107ca54c8b06438b7dc9cc08bc0a11d5b98] pipe: Use head and tail pointers for the ring, not cursor and length testing commit 8cefc107ca54c8b06438b7dc9cc08bc0a11d5b98 with gcc (GCC) 8.1.0 kernel signature: bf789a0d56a548b8605b9e4e70a6b884d0fdc06a run #0: crashed: kernel BUG at fs/pipe.c:LINE! run #1: crashed: kernel BUG at fs/pipe.c:LINE! run #2: crashed: kernel BUG at fs/pipe.c:LINE! run #3: crashed: kernel BUG at fs/pipe.c:LINE! run #4: crashed: kernel BUG at fs/pipe.c:LINE! run #5: crashed: kernel BUG at fs/pipe.c:LINE! run #6: crashed: kernel BUG at fs/pipe.c:LINE! run #7: crashed: kernel BUG at fs/pipe.c:LINE! run #8: crashed: kernel BUG at fs/pipe.c:LINE! run #9: OK # git bisect bad 8cefc107ca54c8b06438b7dc9cc08bc0a11d5b98 Bisecting: 1 revision left to test after this (roughly 1 step) [ce4dd4429b3c7e4506870796f3b8b06d707d2928] Remove the nr_exclusive argument from __wake_up_sync_key() testing commit ce4dd4429b3c7e4506870796f3b8b06d707d2928 with gcc (GCC) 8.1.0 kernel signature: c60c019afa58901bc6cd5627af1aa670da450129 all runs: OK # git bisect good ce4dd4429b3c7e4506870796f3b8b06d707d2928 Bisecting: 0 revisions left to test after this (roughly 0 steps) [f94df9890e98f2090c6a8d70c795134863b70201] Add wake_up_interruptible_sync_poll_locked() testing commit f94df9890e98f2090c6a8d70c795134863b70201 with gcc (GCC) 8.1.0 kernel signature: 7931c547522035d5803d52dd54409bd4522473e7 all runs: OK # git bisect good f94df9890e98f2090c6a8d70c795134863b70201 8cefc107ca54c8b06438b7dc9cc08bc0a11d5b98 is the first bad commit commit 8cefc107ca54c8b06438b7dc9cc08bc0a11d5b98 Author: David Howells Date: Fri Nov 15 13:30:32 2019 +0000 pipe: Use head and tail pointers for the ring, not cursor and length Convert pipes to use head and tail pointers for the buffer ring rather than pointer and length as the latter requires two atomic ops to update (or a combined op) whereas the former only requires one. (1) The head pointer is the point at which production occurs and points to the slot in which the next buffer will be placed. This is equivalent to pipe->curbuf + pipe->nrbufs. The head pointer belongs to the write-side. (2) The tail pointer is the point at which consumption occurs. It points to the next slot to be consumed. This is equivalent to pipe->curbuf. The tail pointer belongs to the read-side. (3) head and tail are allowed to run to UINT_MAX and wrap naturally. They are only masked off when the array is being accessed, e.g.: pipe->bufs[head & mask] This means that it is not necessary to have a dead slot in the ring as head == tail isn't ambiguous. (4) The ring is empty if "head == tail". A helper, pipe_empty(), is provided for this. (5) The occupancy of the ring is "head - tail". A helper, pipe_occupancy(), is provided for this. (6) The number of free slots in the ring is "pipe->ring_size - occupancy". A helper, pipe_space_for_user() is provided to indicate how many slots userspace may use. (7) The ring is full if "head - tail >= pipe->ring_size". A helper, pipe_full(), is provided for this. Signed-off-by: David Howells drivers/char/virtio_console.c | 16 ++- fs/fuse/dev.c | 31 +++-- fs/pipe.c | 170 ++++++++++++++------------ fs/splice.c | 190 +++++++++++++++++------------ include/linux/pipe_fs_i.h | 60 +++++++++- include/linux/uio.h | 4 +- lib/iov_iter.c | 269 ++++++++++++++++++++++++------------------ 7 files changed, 448 insertions(+), 292 deletions(-) kernel signature: bf789a0d56a548b8605b9e4e70a6b884d0fdc06a previous signature: 7931c547522035d5803d52dd54409bd4522473e7 revisions tested: 15, total time: 4h28m36.024558964s (build: 1h40m29.31576543s, test: 2h42m56.143703681s) first bad commit: 8cefc107ca54c8b06438b7dc9cc08bc0a11d5b98 pipe: Use head and tail pointers for the ring, not cursor and length cc: ["amit@kernel.org" "arnd@arndb.de" "dhowells@redhat.com" "gregkh@linuxfoundation.org" "jannh@google.com" "linux-fsdevel@vger.kernel.org" "linux-kernel@vger.kernel.org" "miklos@szeredi.hu" "rostedt@goodmis.org" "viro@zeniv.linux.org.uk" "virtualization@lists.linux-foundation.org" "willy@infradead.org"] crash: kernel BUG at fs/pipe.c:LINE! ------------[ cut here ]------------ kernel BUG at fs/pipe.c:562! invalid opcode: 0000 [#1] PREEMPT SMP KASAN CPU: 1 PID: 22227 Comm: syz-executor.2 Not tainted 5.4.0-rc2-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:pipe_poll+0x275/0x350 fs/pipe.c:562 Code: c2 03 38 ca 7c 08 84 c9 0f 85 ab 00 00 00 8b 93 d4 00 00 00 85 d2 75 03 83 c8 08 48 83 c4 10 5b 41 5c 41 5d 41 5e 41 5f 5d c3 <0f> 0b 48 89 75 d0 e8 20 76 f5 ff 48 8b 75 d0 e9 1e fe ff ff 48 89 RSP: 0018:ffff88808a127748 EFLAGS: 00010217 RAX: 0000000000000000 RBX: ffff8880a3bce280 RCX: 0000000000000010 RDX: 00000000ffffffff RSI: ffff88808a127900 RDI: ffff8880a3bce350 RBP: ffff88808a127780 R08: ffff888097e6ba00 R09: ffffffff81a67bf0 R10: fffffbfff13146a8 R11: ffffffff898a3547 R12: ffff888097e6ba00 R13: 0000000000000280 R14: ffff8880a3bce300 R15: 0000000000000281 FS: 00007fd4a9b9c700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020200000 CR3: 00000000907dc000 CR4: 00000000001406e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: vfs_poll include/linux/poll.h:90 [inline] do_select+0x8d9/0x11a0 fs/select.c:534 core_sys_select+0x40e/0x680 fs/select.c:677 do_pselect fs/select.c:759 [inline] __do_sys_pselect6 fs/select.c:784 [inline] __se_sys_pselect6 fs/select.c:769 [inline] __x64_sys_pselect6+0x2f1/0x430 fs/select.c:769 do_syscall_64+0xca/0x5d0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x45a679 Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007fd4a9b9bc78 EFLAGS: 00000246 ORIG_RAX: 000000000000010e RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 000000000045a679 RDX: 0000000000000000 RSI: 00000000200000c0 RDI: 0000000000000040 RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000020000140 R11: 0000000000000246 R12: 00007fd4a9b9c6d4 R13: 00000000004c811d R14: 00000000004de930 R15: 00000000ffffffff Modules linked in: ---[ end trace 91cca8a5cbf57005 ]--- RIP: 0010:pipe_poll+0x275/0x350 fs/pipe.c:562 Code: c2 03 38 ca 7c 08 84 c9 0f 85 ab 00 00 00 8b 93 d4 00 00 00 85 d2 75 03 83 c8 08 48 83 c4 10 5b 41 5c 41 5d 41 5e 41 5f 5d c3 <0f> 0b 48 89 75 d0 e8 20 76 f5 ff 48 8b 75 d0 e9 1e fe ff ff 48 89 RSP: 0018:ffff88808a127748 EFLAGS: 00010217 RAX: 0000000000000000 RBX: ffff8880a3bce280 RCX: 0000000000000010 RDX: 00000000ffffffff RSI: ffff88808a127900 RDI: ffff8880a3bce350 RBP: ffff88808a127780 R08: ffff888097e6ba00 R09: ffffffff81a67bf0 R10: fffffbfff13146a8 R11: ffffffff898a3547 R12: ffff888097e6ba00 R13: 0000000000000280 R14: ffff8880a3bce300 R15: 0000000000000281 FS: 00007fd4a9b9c700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020200000 CR3: 00000000907dc000 CR4: 00000000001406e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400