bisecting cause commit starting from 7c832d2f9b959e3181370c8b0dacaf9efe13fc05
building syzkaller on 0c5d9412d774262384cbdbe9d672b077364ed776
testing commit 7c832d2f9b959e3181370c8b0dacaf9efe13fc05
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 2c741ddeb7fc67524c922aaa5c48c13160e428aae5fafa5e45db74e614c0a53b
all runs: crashed: general protection fault in hctx_lock
testing release v5.14
testing commit 7d2a07b769330c34b4deabeed939325c77a7ec2f
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: de5d0644639cc5c360c5e4129b2c3253ccb03fa29846cb1eb6936ee1da8e68ac
all runs: OK
# git bisect start 7c832d2f9b959e3181370c8b0dacaf9efe13fc05 7d2a07b769330c34b4deabeed939325c77a7ec2f
Bisecting: 10492 revisions left to test after this (roughly 13 steps)
[14e2bc4e8c40a876c1ab5597320d523c12a97f39] Merge tag 'nfsd-5.15-1' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux
testing commit 14e2bc4e8c40a876c1ab5597320d523c12a97f39
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: b5ac7330f00980c4a84c1dced6473dd4592419cabd72572af26ec7f821dbbbbb
all runs: OK
# git bisect good 14e2bc4e8c40a876c1ab5597320d523c12a97f39
Bisecting: 5703 revisions left to test after this (roughly 12 steps)
[fc25206d8fae5eeb06a24fa3cb3f31848ec2c146] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma.git
testing commit fc25206d8fae5eeb06a24fa3cb3f31848ec2c146
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 26e4ec5ffb2a705ead90642fac71623b9723ec5aac47cfb06556b8762bdc641e
all runs: OK
# git bisect good fc25206d8fae5eeb06a24fa3cb3f31848ec2c146
Bisecting: 2914 revisions left to test after this (roughly 12 steps)
[029e7360a7206f14b0c0cbee2e96fb070846d8a1] Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input.git
testing commit 029e7360a7206f14b0c0cbee2e96fb070846d8a1
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: bc622aba2f14dbf5aa1d9ecfec2610598f4e2ffd3160702b03661ebb3f63dbff
all runs: OK
# git bisect good 029e7360a7206f14b0c0cbee2e96fb070846d8a1
Bisecting: 1517 revisions left to test after this (roughly 11 steps)
[d8a625620ad72c878ac6cfc3a64039bbd76db079] Merge branch 'next' of git://github.com/awilliam/linux-vfio.git
testing commit d8a625620ad72c878ac6cfc3a64039bbd76db079
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 7ae6824bd7b02f70640b16bd4b375271bb5cd934aa10af608ade641bad8e173e
run #0: crashed: general protection fault in hctx_lock
run #1: crashed: general protection fault in hctx_lock
run #2: crashed: general protection fault in hctx_lock
run #3: crashed: general protection fault in hctx_lock
run #4: crashed: general protection fault in hctx_lock
run #5: crashed: general protection fault in hctx_lock
run #6: crashed: general protection fault in hctx_lock
run #7: crashed: general protection fault in hctx_lock
run #8: crashed: general protection fault in hctx_lock
run #9: OK
# git bisect bad d8a625620ad72c878ac6cfc3a64039bbd76db079
Bisecting: 704 revisions left to test after this (roughly 10 steps)
[5c6d304fdad0e311dcea28c335888a676d798150] Merge branch 'edac-for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/ras/ras.git
testing commit 5c6d304fdad0e311dcea28c335888a676d798150
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: db285b9cdf81c013cc51d955d9b4143ebde7e2bda442ec05d2ae77b50db1927e
all runs: crashed: general protection fault in hctx_lock
# git bisect bad 5c6d304fdad0e311dcea28c335888a676d798150
Bisecting: 348 revisions left to test after this (roughly 9 steps)
[7780d7d7f0eb1053b604c59b1f225dffc4217823] Merge branch 'next-testing' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git
testing commit 7780d7d7f0eb1053b604c59b1f225dffc4217823
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: f2e9efe08ccd5bf45da022ad6f4821b1168875de4d0b985452204547d1d858e8
run #0: crashed: general protection fault in hctx_lock
run #1: crashed: general protection fault in hctx_lock
run #2: crashed: general protection fault in hctx_lock
run #3: crashed: general protection fault in hctx_lock
run #4: crashed: general protection fault in hctx_lock
run #5: crashed: general protection fault in hctx_lock
run #6: boot failed: general protection fault in hctx_lock
run #7: boot failed: general protection fault in corrupted
run #8: boot failed: general protection fault in hctx_lock
run #9: boot failed: general protection fault in hctx_lock
# git bisect bad 7780d7d7f0eb1053b604c59b1f225dffc4217823
Bisecting: 170 revisions left to test after this (roughly 8 steps)
[d1336e88a580f636db71e4a47de67f60518b9a5a] Merge branch 'for-5.16/block-io_uring' into for-next
testing commit d1336e88a580f636db71e4a47de67f60518b9a5a
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 32bf38af8401c3f450bc8a4f048b6ed1d147171d00e1956e225ceac433329146
run #0: crashed: general protection fault in hctx_lock
run #1: crashed: general protection fault in hctx_lock
run #2: crashed: general protection fault in hctx_lock
run #3: crashed: general protection fault in hctx_lock
run #4: crashed: general protection fault in hctx_lock
run #5: crashed: general protection fault in hctx_lock
run #6: crashed: general protection fault in hctx_lock
run #7: crashed: general protection fault in hctx_lock
run #8: crashed: general protection fault in hctx_lock
run #9: boot failed: general protection fault in hctx_lock
# git bisect bad d1336e88a580f636db71e4a47de67f60518b9a5a
Bisecting: 80 revisions left to test after this (roughly 7 steps)
[7544789c6c992659489fec1fd3b74902bc81ad48] Merge branch 'for-5.16/drivers' into for-next
testing commit 7544789c6c992659489fec1fd3b74902bc81ad48
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: a504ec60862d25544c6dcd5a8301b96e3a8d40acb849077104e9090d01598bf4
all runs: crashed: general protection fault in hctx_lock
# git bisect bad 7544789c6c992659489fec1fd3b74902bc81ad48
Bisecting: 45 revisions left to test after this (roughly 6 steps)
[efeed764dfc4309412f2971f1543c957e1275ffa] swim: simplify using blk_cleanup_disk() on swim_remove()
testing commit efeed764dfc4309412f2971f1543c957e1275ffa
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 34cd02cbeb7bab8a21b940888843d155d22e4ccabdc1f6dc4aac4c6eaf31d4da
all runs: OK
# git bisect good efeed764dfc4309412f2971f1543c957e1275ffa
Bisecting: 22 revisions left to test after this (roughly 5 steps)
[a3a96cbfaa41ac1048fd8162a211bba2d40b6fc3] block: pre-allocate requests if plug is started and is a batch
testing commit a3a96cbfaa41ac1048fd8162a211bba2d40b6fc3
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 341b8e2090d5aa4beeb66da7f71852048034b7172bc2f715abb71e3844da14c3
run #0: basic kernel testing failed: failed to copy test binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "/tmp/syz-executor057850654" "root@10.128.0.147:./syz-executor057850654"]: exit status 1
Connection timed out during banner exchange
Connection to 10.128.0.147 port 22 timed out
lost connection
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good a3a96cbfaa41ac1048fd8162a211bba2d40b6fc3
Bisecting: 11 revisions left to test after this (roughly 4 steps)
[8ac366117cc1f0944c4365782b95748f15fd52b7] sx8: fix an error code in carm_init_one()
testing commit 8ac366117cc1f0944c4365782b95748f15fd52b7
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 34cd02cbeb7bab8a21b940888843d155d22e4ccabdc1f6dc4aac4c6eaf31d4da
all runs: OK
# git bisect good 8ac366117cc1f0944c4365782b95748f15fd52b7
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[f889bf46e0c9097cc4d891123b69115d9a15c33d] block: merge block_ioctl into blkdev_ioctl
testing commit f889bf46e0c9097cc4d891123b69115d9a15c33d
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: f76a809e19d7cae9a31e6f3daaa59958c96b1e7309f65c53b4ad5816061b93eb
run #0: crashed: general protection fault in hctx_lock
run #1: crashed: general protection fault in hctx_lock
run #2: crashed: general protection fault in hctx_lock
run #3: crashed: general protection fault in hctx_lock
run #4: crashed: general protection fault in hctx_lock
run #5: crashed: general protection fault in hctx_lock
run #6: crashed: general protection fault in hctx_lock
run #7: crashed: general protection fault in hctx_lock
run #8: crashed: general protection fault in hctx_lock
run #9: boot failed: general protection fault in hctx_lock
# git bisect bad f889bf46e0c9097cc4d891123b69115d9a15c33d
Bisecting: 2 revisions left to test after this (roughly 1 step)
[f328476e373a7ce4b4d16c48fe85571044e025f5] blk-mq: cleanup blk_mq_submit_bio
testing commit f328476e373a7ce4b4d16c48fe85571044e025f5
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 0e668de4123f31471281e0c13b84da1b617b7fa4c477f5a2c6d6e67cf5b516cc
run #0: crashed: general protection fault in hctx_lock
run #1: crashed: general protection fault in hctx_lock
run #2: crashed: general protection fault in hctx_lock
run #3: crashed: general protection fault in hctx_lock
run #4: crashed: general protection fault in hctx_lock
run #5: crashed: general protection fault in hctx_lock
run #6: crashed: general protection fault in hctx_lock
run #7: crashed: general protection fault in hctx_lock
run #8: boot failed: general protection fault in hctx_lock
run #9: boot failed: general protection fault in hctx_lock
# git bisect bad f328476e373a7ce4b4d16c48fe85571044e025f5
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[6fe09c1dd622aa3bb6478cd7343a3396c6e3b2be] blk-mq: cleanup and rename __blk_mq_alloc_request
testing commit 6fe09c1dd622aa3bb6478cd7343a3396c6e3b2be
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: eed913e25629e72e606b7ed23a5d33b9d877e0273ca8360d9e9f16feff2340d2
all runs: OK
# git bisect good 6fe09c1dd622aa3bb6478cd7343a3396c6e3b2be
f328476e373a7ce4b4d16c48fe85571044e025f5 is the first bad commit
commit f328476e373a7ce4b4d16c48fe85571044e025f5
Author: Christoph Hellwig
Date:   Tue Oct 12 12:40:45 2021 +0200

    blk-mq: cleanup blk_mq_submit_bio

    Move the blk_mq_alloc_data stack allocation only into the branch that
    actually needs it, and use rq->mq_hctx instead of data.hctx to refer
    to the hctx.

    Signed-off-by: Christoph Hellwig
    Link: https://lore.kernel.org/r/20211012104045.658051-3-hch@lst.de
    Signed-off-by: Jens Axboe

 block/blk-mq.c | 25 ++++++++++++-------------
 1 file changed, 12 insertions(+), 13 deletions(-)

culprit signature: 0e668de4123f31471281e0c13b84da1b617b7fa4c477f5a2c6d6e67cf5b516cc
parent signature: eed913e25629e72e606b7ed23a5d33b9d877e0273ca8360d9e9f16feff2340d2
revisions tested: 16, total time: 4h33m44.048313073s (build: 1h45m3.111238955s, test: 2h46m56.524535454s)
first bad commit: f328476e373a7ce4b4d16c48fe85571044e025f5 blk-mq: cleanup blk_mq_submit_bio
recipients (to): ["axboe@kernel.dk" "axboe@kernel.dk" "hch@lst.de" "linux-block@vger.kernel.org"]
recipients (cc): ["linux-kernel@vger.kernel.org"]
crash: general protection fault in hctx_lock
general protection fault, probably for non-canonical address 0xdffffc0000000027: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000138-0x000000000000013f]
CPU: 1 PID: 9089 Comm: syz-executor.0 Not tainted 5.15.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:hctx_lock+0x22/0x150 block/blk-mq.c:731
Code: 0f 1f 84 00 00 00 00 00 48 b8 00 00 00 00 00 fc ff df 41 54 55 48 89 f5 53 48 89 fb 48 81 c7 38 01 00 00 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 19 01 00 00 f6 83 38 01 00 00 20 75 65 48 b8 00
RSP: 0018:ffffc9000d1af140 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000027 RSI: ffffc9000d1af180 RDI: 0000000000000138
RBP: ffffc9000d1af180 R08: 0000000000000001 R09: 0000000000000001
R10: ffffed10031b04e9 R11: 00000000000001c9 R12: 0000000000000001
R13: dffffc0000000000 R14: ffff88814668eee0 R15: 0000000000000148
FS:  00007f53c0ec3700(0000) GS:ffff8880b9f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffe60ae7720 CR3: 0000000073557000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 blk_mq_run_hw_queue+0x71/0x290 block/blk-mq.c:1646
 blk_mq_submit_bio+0x10a7/0x17f0 block/blk-mq.c:2282
 __submit_bio_noacct_mq block/blk-core.c:1001 [inline]
 submit_bio_noacct block/blk-core.c:1034 [inline]
 submit_bio_noacct+0x91b/0xdb0 block/blk-core.c:1017
 submit_bio+0xcc/0x3a0 block/blk-core.c:1096
 submit_bio_wait+0x100/0x200 block/bio.c:1248
 blkdev_issue_flush+0xc0/0x110 block/blk-flush.c:458
 blkdev_fsync+0x74/0xa0 block/fops.c:421
 generic_write_sync include/linux/fs.h:2955 [inline]
 blkdev_write_iter+0x312/0x4a0 block/fops.c:521
 call_write_iter include/linux/fs.h:2163 [inline]
 do_iter_readv_writev+0x336/0x6d0 fs/read_write.c:729
 do_iter_write+0x12a/0x620 fs/read_write.c:855
 iter_file_splice_write+0x598/0xaf0 fs/splice.c:689
 do_splice_from fs/splice.c:767 [inline]
 direct_splice_actor+0xfb/0x1c0 fs/splice.c:936
 splice_direct_to_actor+0x2dd/0x7c0 fs/splice.c:891
 do_splice_direct+0x154/0x260 fs/splice.c:979
 do_sendfile+0x91e/0x1120 fs/read_write.c:1249
 __do_sys_sendfile64 fs/read_write.c:1314 [inline]
 __se_sys_sendfile64 fs/read_write.c:1300 [inline]
 __x64_sys_sendfile64+0x186/0x1d0 fs/read_write.c:1300
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f53c176ea39
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f53c0ec3188 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: ffffffffffffffda RBX: 00007f53c1872020 RCX: 00007f53c176ea39
RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000004
RBP: 00007f53c17c8c5f R08: 0000000000000000 R09: 0000000000000000
R10: 0000000024002da8 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffca138dfcf R14: 00007f53c0ec3300 R15: 0000000000022000
Modules linked in:
---[ end trace cf369608f92e0471 ]---
RIP: 0010:hctx_lock+0x22/0x150 block/blk-mq.c:731
Code: 0f 1f 84 00 00 00 00 00 48 b8 00 00 00 00 00 fc ff df 41 54 55 48 89 f5 53 48 89 fb 48 81 c7 38 01 00 00 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 19 01 00 00 f6 83 38 01 00 00 20 75 65 48 b8 00
RSP: 0018:ffffc9000d1af140 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000027 RSI: ffffc9000d1af180 RDI: 0000000000000138
RBP: ffffc9000d1af180 R08: 0000000000000001 R09: 0000000000000001
R10: ffffed10031b04e9 R11: 00000000000001c9 R12: 0000000000000001
R13: dffffc0000000000 R14: ffff88814668eee0 R15: 0000000000000148
FS:  00007f53c0ec3700(0000) GS:ffff8880b9e00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005555565b5708 CR3: 0000000073557000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:   0f 1f 84 00 00 00 00    nopl   0x0(%rax,%rax,1)
   7:   00
   8:   48 b8 00 00 00 00 00    movabs $0xdffffc0000000000,%rax
   f:   fc ff df
  12:   41 54                   push   %r12
  14:   55                      push   %rbp
  15:   48 89 f5                mov    %rsi,%rbp
  18:   53                      push   %rbx
  19:   48 89 fb                mov    %rdi,%rbx
  1c:   48 81 c7 38 01 00 00    add    $0x138,%rdi
  23:   48 89 fa                mov    %rdi,%rdx
  26:   48 c1 ea 03             shr    $0x3,%rdx
* 2a:   80 3c 02 00             cmpb   $0x0,(%rdx,%rax,1) <-- trapping instruction
  2e:   0f 85 19 01 00 00       jne    0x14d
  34:   f6 83 38 01 00 00 20    testb  $0x20,0x138(%rbx)
  3b:   75 65                   jne    0xa2
  3d:   48                      rex.W
  3e:   b8                      .byte 0xb8