bisecting cause commit starting from bdcc9f6a568275aed4cc32fd2312432d2ff1b704 building syzkaller on 098b5d530648147c744a7c2eb8b78c1307f9d3ce testing commit bdcc9f6a568275aed4cc32fd2312432d2ff1b704 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 48aa9fa11f09c25fb5e2cc3d4865740e75a46554194fd385db06b63ea44c2bc2 run #0: crashed: WARNING in io_poll_task_func run #1: crashed: WARNING in io_poll_task_func run #2: crashed: WARNING in io_poll_task_func run #3: crashed: WARNING in io_poll_task_func run #4: crashed: WARNING in io_poll_task_func run #5: crashed: WARNING in io_poll_task_func run #6: crashed: WARNING in io_poll_task_func run #7: crashed: WARNING in io_poll_task_func run #8: crashed: WARNING in io_poll_task_func run #9: crashed: INFO: rcu detected stall in tctx_task_work run #10: crashed: INFO: rcu detected stall in tctx_task_work run #11: crashed: INFO: rcu detected stall in tctx_task_work run #12: crashed: INFO: rcu detected stall in tctx_task_work run #13: crashed: INFO: rcu detected stall in tctx_task_work run #14: crashed: INFO: rcu detected stall in tctx_task_work run #15: crashed: INFO: rcu detected stall in tctx_task_work run #16: crashed: INFO: rcu detected stall in tctx_task_work run #17: crashed: INFO: rcu detected stall in tctx_task_work run #18: crashed: INFO: rcu detected stall in tctx_task_work run #19: crashed: INFO: rcu detected stall in tctx_task_work testing release v5.14 testing commit 7d2a07b769330c34b4deabeed939325c77a7ec2f compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 188662a1d46039e68d7e80a1aac184133bb46fdd40eebe4a31907f7a00d06475 all runs: OK # git bisect start bdcc9f6a568275aed4cc32fd2312432d2ff1b704 7d2a07b769330c34b4deabeed939325c77a7ec2f Bisecting: 13044 revisions left to test after this (roughly 14 steps) [412a5feba414127a6c69452dfad454086867011f] Merge 5.15-rc6 into tty-next testing commit 412a5feba414127a6c69452dfad454086867011f 
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 39c44d63e905fce923e37851996f6ee93d8fc08ea46f484c2cb70f7a12333269 all runs: OK # git bisect good 412a5feba414127a6c69452dfad454086867011f Bisecting: 6532 revisions left to test after this (roughly 13 steps) [0306023d64d510a92f6bae2c6759fd854ee5a1c3] Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git testing commit 0306023d64d510a92f6bae2c6759fd854ee5a1c3 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 29aeb77b276f31963723690075b88c022e169d7c82c90fb45d642cce9077aaff all runs: OK # git bisect good 0306023d64d510a92f6bae2c6759fd854ee5a1c3 Bisecting: 3150 revisions left to test after this (roughly 12 steps) [ed3cecd2f5acb59937ddf0609e8cde33555c31dd] Merge branch 'auto-latest' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git testing commit ed3cecd2f5acb59937ddf0609e8cde33555c31dd compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: fc80d02fb691b081866741f012c3fc9365a7db1950cd2243140da5e5c58c4d5d run #0: crashed: WARNING in io_poll_task_func run #1: crashed: WARNING in io_poll_task_func run #2: crashed: WARNING in io_poll_task_func run #3: crashed: KASAN: use-after-free Read in tctx_task_work run #4: crashed: INFO: rcu detected stall in tctx_task_work run #5: crashed: INFO: rcu detected stall in tctx_task_work run #6: crashed: INFO: rcu detected stall in tctx_task_work run #7: crashed: INFO: rcu detected stall in tctx_task_work run #8: crashed: INFO: rcu detected stall in tctx_task_work run #9: crashed: INFO: rcu detected stall in tctx_task_work # git bisect bad ed3cecd2f5acb59937ddf0609e8cde33555c31dd Bisecting: 1813 revisions left to test after this (roughly 11 steps) [79e34df59d6c92616a1444f5eac072f796df6fee] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound.git testing commit 
79e34df59d6c92616a1444f5eac072f796df6fee compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: fbb84da61b41681a9fb8f77f88b8f1631bbaea8d1a1d3196870ff1db5acb86e7 all runs: OK # git bisect good 79e34df59d6c92616a1444f5eac072f796df6fee Bisecting: 822 revisions left to test after this (roughly 10 steps) [14a490279a2ecacfc5a6e6f805c49a2cd9f1ccbc] Merge branch 'for-next' of git://git.kernel.dk/linux-block.git testing commit 14a490279a2ecacfc5a6e6f805c49a2cd9f1ccbc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: a56cf884d63931ab66631ae08f06479d30c232a12fbead1fca21c97665dcd14b all runs: crashed: WARNING in io_poll_task_func # git bisect bad 14a490279a2ecacfc5a6e6f805c49a2cd9f1ccbc Bisecting: 494 revisions left to test after this (roughly 9 steps) [43ceddcd2ee9dde9e4136fdba6131bd34abb8ef4] Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input.git testing commit 43ceddcd2ee9dde9e4136fdba6131bd34abb8ef4 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 97c8abc8ba67dcaeecf66aedee2041ac2a0694a9413ca0ddcf1342e586b8220b all runs: OK # git bisect good 43ceddcd2ee9dde9e4136fdba6131bd34abb8ef4 Bisecting: 240 revisions left to test after this (roughly 8 steps) [23799b0f0689cc4dc8d1b84ad234284777365c93] Merge branch 'for-5.16/io_uring' into for-next testing commit 23799b0f0689cc4dc8d1b84ad234284777365c93 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 1ba0c1abee57a8d9c379c9c8b0013ac0bc3412a44ccc59c7deb9dd6355314af0 all runs: OK # git bisect good 23799b0f0689cc4dc8d1b84ad234284777365c93 Bisecting: 132 revisions left to test after this (roughly 7 steps) [60069ac90ba24cec5a9d161a12f318635b57e4c8] Merge branch 'for-5.16/cdrom' into for-next testing commit 60069ac90ba24cec5a9d161a12f318635b57e4c8 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel 
signature: 4b5f47faf35cb8abb081c7270e91c67fc099a445b97874752b68bd470ea4b7a3 all runs: OK # git bisect good 60069ac90ba24cec5a9d161a12f318635b57e4c8 Bisecting: 62 revisions left to test after this (roughly 6 steps) [b4961780b13c596316ed956eb57535c3b541b652] Merge branch 'for-5.16/inode-sync' into for-next testing commit b4961780b13c596316ed956eb57535c3b541b652 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 4a7b7c881047fec03ba865c978c7b1e04e32030bc10ce9ff526f18a925f0597d all runs: OK # git bisect good b4961780b13c596316ed956eb57535c3b541b652 Bisecting: 32 revisions left to test after this (roughly 5 steps) [801cafd639486ccce436a152c496eb96d0d9c5dd] Merge branch 'for-5.16/block' into for-next testing commit 801cafd639486ccce436a152c496eb96d0d9c5dd compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 73093a4a4b4217050f9e0e426013f9e2fcdf96a3a6a89e0247eaa340b509795f all runs: OK # git bisect good 801cafd639486ccce436a152c496eb96d0d9c5dd Bisecting: 17 revisions left to test after this (roughly 4 steps) [8cfa4097726f12013f85496bd16d068aaca13e9b] Merge branch 'for-5.16/block' into for-next testing commit 8cfa4097726f12013f85496bd16d068aaca13e9b compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 49941ecd39970527f43e73a630441b31164255451fd5260da2e7fee1009f453a all runs: OK # git bisect good 8cfa4097726f12013f85496bd16d068aaca13e9b Bisecting: 6 revisions left to test after this (roughly 3 steps) [5f6f1dc0433b524633f6f069ae4032ffaa0d81e5] Merge branch 'for-5.16/drivers' into for-next testing commit 5f6f1dc0433b524633f6f069ae4032ffaa0d81e5 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: d70a59c104183846aa7deb8367646a2d0c2053afe505c03d50fa59c12ec37075 all runs: OK # git bisect good 5f6f1dc0433b524633f6f069ae4032ffaa0d81e5 Bisecting: 3 revisions left to test after this (roughly 2 steps) 
[57d9cc0f0dfe7453327c4c71ea22074419e2e800] io_uring: don't get completion_lock in io_poll_rewait() testing commit 57d9cc0f0dfe7453327c4c71ea22074419e2e800 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 5fa22bd5d1420560c3e4c8af6fc398c9fed26d497b13751190250544293e6237 all runs: crashed: WARNING in io_poll_task_func # git bisect bad 57d9cc0f0dfe7453327c4c71ea22074419e2e800 Bisecting: 0 revisions left to test after this (roughly 1 step) [34ced75ca1f63fac6148497971212583aa0f7a87] io_uring: reduce frequent add_wait_queue() overhead for multi-shot poll request testing commit 34ced75ca1f63fac6148497971212583aa0f7a87 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: f27b228839246e670dbf88c4cc4bfa6e078d0d83e55c4984053b76ff0af0a636 run #0: crashed: WARNING in io_poll_task_func run #1: crashed: KASAN: use-after-free Read in tctx_task_work run #2: crashed: WARNING in io_poll_task_func run #3: crashed: WARNING in io_poll_task_func run #4: crashed: WARNING in io_poll_task_func run #5: crashed: WARNING in io_poll_task_func run #6: crashed: WARNING in io_poll_task_func run #7: crashed: WARNING in io_poll_task_func run #8: crashed: WARNING in io_poll_task_func run #9: crashed: WARNING in io_poll_task_func # git bisect bad 34ced75ca1f63fac6148497971212583aa0f7a87 Bisecting: 0 revisions left to test after this (roughly 0 steps) [db3191671f970164d0074039d262d3f402a417eb] io_uring: refactor event check out of __io_async_wake() testing commit db3191671f970164d0074039d262d3f402a417eb compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 58285b0be36faa7fe965588885f3392dc4f81e9219843198196b7cc87320b742 all runs: OK # git bisect good db3191671f970164d0074039d262d3f402a417eb 34ced75ca1f63fac6148497971212583aa0f7a87 is the first bad commit commit 34ced75ca1f63fac6148497971212583aa0f7a87 Author: Xiaoguang Wang Date: Mon Oct 25 13:38:48 2021 +0800 io_uring: reduce 
frequent add_wait_queue() overhead for multi-shot poll request

Running echo_server to evaluate io_uring's multi-shot poll performance, perf shows that add_wait_queue() has obvious overhead. Introduce a new state 'active' in io_poll_iocb to indicate whether io_poll_wake() should queue a task_work. This new state is set to true initially, set to false when starting to queue a task work, and set to true again once a poll cqe has been committed. One concern is that this method may lose a wake-up event, but it seems to be OK.

      io_poll_wake                io_poll_task_func
t1                       |
t2                       |    WRITE_ONCE(req->poll.active, true);
t3                       |
t4                       |    io_commit_cqring(ctx);
t5                       |
t6                       |

If a wake-up event happens before or at t4, it's OK: the user app will always see a cqe. If a wake-up event happens after t4 then, IIUC, io_poll_wake() will see the new req->poll.active value by using READ_ONCE().

The echo_server code can be cloned from: https://codeup.openanolis.cn/codeup/storage/io_uring-echo-server.git, branch is xiaoguangwang/io_uring_multishot.

Without this patch, the tps in our test environment is 284116; with this patch, the tps is 287832, about a 1.3% reqs improvement, which is indeed in accord with the saved add_wait_queue() cost.
Signed-off-by: Xiaoguang Wang Link: https://lore.kernel.org/r/20211025053849.3139-3-xiaoguang.wang@linux.alibaba.com Signed-off-by: Jens Axboe fs/io_uring.c | 57 +++++++++++++++++++++++++++++++++------------------------ 1 file changed, 33 insertions(+), 24 deletions(-) culprit signature: f27b228839246e670dbf88c4cc4bfa6e078d0d83e55c4984053b76ff0af0a636 parent signature: 58285b0be36faa7fe965588885f3392dc4f81e9219843198196b7cc87320b742 revisions tested: 17, total time: 4h33m25.324457452s (build: 1h47m46.539645333s, test: 2h43m43.764566346s) first bad commit: 34ced75ca1f63fac6148497971212583aa0f7a87 io_uring: reduce frequent add_wait_queue() overhead for multi-shot poll request recipients (to): ["axboe@kernel.dk" "axboe@kernel.dk" "io-uring@vger.kernel.org" "xiaoguang.wang@linux.alibaba.com"] recipients (cc): ["asml.silence@gmail.com" "linux-kernel@vger.kernel.org"] crash: WARNING in io_poll_task_func ------------[ cut here ]------------ WARNING: CPU: 0 PID: 9196 at fs/io_uring.c:1147 io_put_req_find_next fs/io_uring.c:2361 [inline] WARNING: CPU: 0 PID: 9196 at fs/io_uring.c:1147 io_poll_task_func+0x68f/0x870 fs/io_uring.c:5385 Modules linked in: CPU: 0 PID: 9196 Comm: syz-executor.2 Not tainted 5.15.0-rc6-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:req_ref_put_and_test fs/io_uring.c:1147 [inline] RIP: 0010:req_ref_put_and_test fs/io_uring.c:1142 [inline] RIP: 0010:io_put_req_find_next fs/io_uring.c:2361 [inline] RIP: 0010:io_poll_task_func+0x68f/0x870 fs/io_uring.c:5385 Code: 00 00 00 83 c0 7f 83 f8 7f 76 1f be 04 00 00 00 4c 89 e7 e8 13 00 e0 ff f0 ff 8d 80 00 00 00 0f 85 75 fb ff ff e9 46 ff ff ff <0f> 0b eb dd e8 88 fc df ff e9 97 f9 ff ff e8 4e fc df ff e9 a3 fa RSP: 0018:ffffc9000372fda0 EFLAGS: 00010246 RAX: 000000000000007f RBX: ffff88807178ba14 RCX: ffffffff81c86788 RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff88807178ba80 RBP: ffff88807178ba00 R08: 0000000000000000 R09: 
ffff88807178ba83 R10: ffffed100e2f1750 R11: ffff88805d6c0000 R12: ffff88807178ba80 R13: ffff88801da443c0 R14: ffff88805d660000 R15: 0000000000000003 FS: 00007f40ddbdd700(0000) GS:ffff8880b9f00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffdfe66b720 CR3: 000000005f562000 CR4: 00000000003506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: tctx_task_work+0x151/0x4c0 fs/io_uring.c:2176 task_work_run+0xc0/0x160 kernel/task_work.c:164 tracehook_notify_signal include/linux/tracehook.h:214 [inline] handle_signal_work kernel/entry/common.c:146 [inline] exit_to_user_mode_loop kernel/entry/common.c:172 [inline] exit_to_user_mode_prepare+0x256/0x290 kernel/entry/common.c:207 __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline] syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:300 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f40de467ae9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f40ddbdd188 EFLAGS: 00000246 ORIG_RAX: 00000000000001aa RAX: 000000000000047d RBX: 00007f40de57af60 RCX: 00007f40de467ae9 RDX: 0000000000000000 RSI: 000000000000450e RDI: 0000000000000006 RBP: 00007f40de4c1f25 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffde537b06f R14: 00007f40ddbdd300 R15: 0000000000022000