bisecting cause commit starting from b91db6a0b52e019b6bdabea3f1dbe36d85c7e52c building syzkaller on 7eb7e15259fddd67759f90feb2b016da878f76c7 testing commit b91db6a0b52e019b6bdabea3f1dbe36d85c7e52c compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: b007515cd24d3b375f1ed3eff0b6d9ad499e6d3e3669714bef42c21613bfcc62 all runs: crashed: general protection fault in __io_file_supports_nowait testing release v5.14 testing commit 7d2a07b769330c34b4deabeed939325c77a7ec2f compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 79cfbe6ba65cdc68e532bb45904c0b0e2d42f2351312b4c5e311a14033e423a2 all runs: OK # git bisect start b91db6a0b52e019b6bdabea3f1dbe36d85c7e52c 7d2a07b769330c34b4deabeed939325c77a7ec2f Bisecting: 552 revisions left to test after this (roughly 9 steps) [5d3c0db4598c5de511824649df2aa976259cf10a] Merge tag 'sched-core-2021-08-30' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip testing commit 5d3c0db4598c5de511824649df2aa976259cf10a compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 6b7111bc1cc367e7431ff3a840bf96b49e018e05e5a4a01105974b39c5871df8 all runs: OK # git bisect good 5d3c0db4598c5de511824649df2aa976259cf10a Bisecting: 297 revisions left to test after this (roughly 8 steps) [8596e589b787732c8346f0482919e83cc9362db1] Merge tag 'timers-core-2021-08-30' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip testing commit 8596e589b787732c8346f0482919e83cc9362db1 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 0d06905dbee0a33f980ba06d6b4b1b1f98697fb4d458d00bc124072427673294 all runs: OK # git bisect good 8596e589b787732c8346f0482919e83cc9362db1 Bisecting: 167 revisions left to test after this (roughly 7 steps) [679369114e55f422dc593d0628cfde1d04ae59b3] Merge tag 'for-5.15/block-2021-08-30' of git://git.kernel.dk/linux-block testing commit 679369114e55f422dc593d0628cfde1d04ae59b3 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: bf62929e15598ba8e821d7aa3ac50d02ae3e185de2889a98c4156f7b50c898c9 all runs: OK # git bisect good 679369114e55f422dc593d0628cfde1d04ae59b3 Bisecting: 83 revisions left to test after this (roughly 6 steps) [f1042b6ccb887f07301f6b096b3d0cfcf9189323] io_uring: allow updating linked timeouts testing commit f1042b6ccb887f07301f6b096b3d0cfcf9189323 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: cc884ca3945a892c57353297a272a2f2c14acf390195447f57a57de8c514d4a2 all runs: crashed: general protection fault in __io_file_supports_nowait # git bisect bad f1042b6ccb887f07301f6b096b3d0cfcf9189323 Bisecting: 41 revisions left to test after this (roughly 5 steps) [f552a27afe67f05c47bb0c33b92af2a23b684c31] io_uring: remove files pointer in cancellation functions testing commit f552a27afe67f05c47bb0c33b92af2a23b684c31 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 52c4c7dc975aa833f987749b9f37770054f5a205113e67bd8ace571849a54b58 all runs: OK # git bisect good f552a27afe67f05c47bb0c33b92af2a23b684c31 Bisecting: 20 revisions left to test after this (roughly 4 steps) [3a1b8a4e843f96b636431450d8d79061605cf74b] io_uring: limit fixed table size by RLIMIT_NOFILE testing commit 3a1b8a4e843f96b636431450d8d79061605cf74b compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 35996750e9b712dade04e69eabb4a98b5f2dd7aed0c1f3cdbc0120a7ef9e0ff9 all runs: OK # git bisect good 3a1b8a4e843f96b636431450d8d79061605cf74b Bisecting: 10 revisions left to test after this (roughly 3 steps) [a7083ad5e30767ede4ff49d7471ea9c078702db2] io_uring: hand code io_accept() fd installing testing commit a7083ad5e30767ede4ff49d7471ea9c078702db2 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 53f9f01a5802152350b150c5f451dff347e18e575b1b5f2d272c7ebb5187d353 all runs: OK # git bisect good a7083ad5e30767ede4ff49d7471ea9c078702db2 Bisecting: 5 revisions left to test after this (roughly 3 steps) [9a10867ae54e02a0f204d2eebea5a446fb7a86f9] io_uring: add task-refs-get helper testing commit 9a10867ae54e02a0f204d2eebea5a446fb7a86f9 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 73c467b124ce69a6086893abe715a6028903f85651c0edf79fc3e94960d0a87b all runs: crashed: general protection fault in __io_file_supports_nowait # git bisect bad 9a10867ae54e02a0f204d2eebea5a446fb7a86f9 Bisecting: 2 revisions left to test after this (roughly 1 step) [0c6e1d7fd5e7560fdc4bb3418c2c0f0d7a95bf76] io_uring: don't free request to slab testing commit 0c6e1d7fd5e7560fdc4bb3418c2c0f0d7a95bf76 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 545806150e6ce1d6f3a8e79063a4c26b04f82b86b62792bfe66f88baef73cf29 all runs: OK # git bisect good 0c6e1d7fd5e7560fdc4bb3418c2c0f0d7a95bf76 Bisecting: 0 revisions left to test after this (roughly 1 step) [a8295b982c46d4a7c259a4cdd58a2681929068a9] io_uring: fix failed linkchain code logic testing commit a8295b982c46d4a7c259a4cdd58a2681929068a9 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 08334962f27c3856cb7d5fe08f903931dbd165302dd30064cd2657c1568ddc26 all runs: crashed: general protection fault in __io_file_supports_nowait # git bisect bad a8295b982c46d4a7c259a4cdd58a2681929068a9 Bisecting: 0 revisions left to test after this (roughly 0 steps) [14afdd6ee3a0db7bcae887d1951ed21c4d1539cd] io_uring: remove redundant req_set_fail() testing commit 14afdd6ee3a0db7bcae887d1951ed21c4d1539cd compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 4e31edcadd5055e50fba5f87e85c76315235f572dda32a587a4a7d44378ea1d4 all runs: OK # git bisect good 14afdd6ee3a0db7bcae887d1951ed21c4d1539cd a8295b982c46d4a7c259a4cdd58a2681929068a9 is the first bad commit commit a8295b982c46d4a7c259a4cdd58a2681929068a9 Author: Hao Xu Date: Fri Aug 27 17:46:09 2021 +0800 io_uring: fix failed linkchain code logic Given a linkchain like this: req0(link_flag)-->req1(link_flag)-->...-->reqn(no link_flag) There is a problem: - if some intermediate linked req like req1 's submittion fails, reqs after it won't be cancelled. - sqpoll disabled: maybe it's ok since users can get the error info of req1 and stop submitting the following sqes. - sqpoll enabled: definitely a problem, the following sqes will be submitted in the next round. The solution is to refactor the code logic to: - if a linked req's submittion fails, just mark it and the head(if it exists) as REQ_F_FAIL. Leverage req->result to indicate whether it is failed or cancelled. - submit or fail the whole chain when we come to the end of it. Signed-off-by: Hao Xu Reviewed-by: Pavel Begunkov Link: https://lore.kernel.org/r/20210827094609.36052-3-haoxu@linux.alibaba.com Signed-off-by: Jens Axboe fs/io_uring.c | 61 +++++++++++++++++++++++++++++++++++++++++++++-------------- 1 file changed, 47 insertions(+), 14 deletions(-) culprit signature: 08334962f27c3856cb7d5fe08f903931dbd165302dd30064cd2657c1568ddc26 parent signature: 4e31edcadd5055e50fba5f87e85c76315235f572dda32a587a4a7d44378ea1d4 revisions tested: 13, total time: 2h59m27.232509199s (build: 1h25m29.521403808s, test: 1h32m50.830624005s) first bad commit: a8295b982c46d4a7c259a4cdd58a2681929068a9 io_uring: fix failed linkchain code logic recipients (to): ["asml.silence@gmail.com" "axboe@kernel.dk" "haoxu@linux.alibaba.com"] recipients (cc): [] crash: general protection fault in __io_file_supports_nowait general protection fault, probably for non-canonical address 0xdffffc0000000004: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000020-0x0000000000000027] CPU: 0 PID: 10164 Comm: syz-executor.4 Not tainted 5.14.0-rc7-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:file_inode include/linux/fs.h:1304 [inline] RIP: 0010:__io_file_supports_nowait+0x20/0x460 fs/io_uring.c:2733 Code: ba e1 ff eb ae 0f 1f 44 00 00 48 b8 00 00 00 00 00 fc ff df 41 54 55 53 48 89 fb 48 83 c7 20 48 89 fa 48 83 ec 08 48 c1 ea 03 <80> 3c 02 00 0f 85 83 03 00 00 48 b8 00 00 00 00 00 fc ff df 48 8b RSP: 0018:ffffc9000413f950 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 1ffff92000827f41 RDX: 0000000000000004 RSI: 0000000000000000 RDI: 0000000000000020 RBP: ffff888034908780 R08: 0000000000000000 R09: ffff8880349087b8 R10: ffff8880349087ca R11: 0000000000000000 R12: ffffc9000413fa28 R13: 0000000000000001 R14: 0000000000000000 R15: ffffc9000413fa78 FS: 00007f12b8548700(0000) GS:ffff8880b9e00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000005680c0 CR3: 000000001e427000 CR4: 00000000001506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: io_file_supports_nowait fs/io_uring.c:2771 [inline] io_file_supports_nowait fs/io_uring.c:2764 [inline] io_read+0x3ae/0x1090 fs/io_uring.c:3388 io_issue_sqe+0x1c8/0x5cc0 fs/io_uring.c:6291 __io_queue_sqe+0x85/0x960 fs/io_uring.c:6586 tctx_task_work+0x171/0x4b0 fs/io_uring.c:2090 task_work_run+0xc0/0x160 kernel/task_work.c:164 tracehook_notify_signal include/linux/tracehook.h:212 [inline] handle_signal_work kernel/entry/common.c:146 [inline] exit_to_user_mode_loop kernel/entry/common.c:172 [inline] exit_to_user_mode_prepare+0x256/0x290 kernel/entry/common.c:209 __syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline] syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:302 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x4665f9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f12b8548188 EFLAGS: 00000246 ORIG_RAX: 00000000000001aa RAX: 0000000000000200 RBX: 000000000056bf80 RCX: 00000000004665f9 RDX: 0000000000000000 RSI: 00000000000045f5 RDI: 0000000000000003 RBP: 00000000004bfcc4 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf80 R13: 00007fff78e614af R14: 00007f12b8548300 R15: 0000000000022000 Modules linked in: ---[ end trace 2c80a1c2b8f438cd ]--- RIP: 0010:file_inode include/linux/fs.h:1304 [inline] RIP: 0010:__io_file_supports_nowait+0x20/0x460 fs/io_uring.c:2733 Code: ba e1 ff eb ae 0f 1f 44 00 00 48 b8 00 00 00 00 00 fc ff df 41 54 55 53 48 89 fb 48 83 c7 20 48 89 fa 48 83 ec 08 48 c1 ea 03 <80> 3c 02 00 0f 85 83 03 00 00 48 b8 00 00 00 00 00 fc ff df 48 8b RSP: 0018:ffffc9000413f950 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 1ffff92000827f41 RDX: 0000000000000004 RSI: 0000000000000000 RDI: 0000000000000020 RBP: ffff888034908780 R08: 0000000000000000 R09: ffff8880349087b8 R10: ffff8880349087ca R11: 0000000000000000 R12: ffffc9000413fa28 R13: 0000000000000001 R14: 0000000000000000 R15: ffffc9000413fa78 FS: 00007f12b8548700(0000) GS:ffff8880b9e00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005589f00ad9a0 CR3: 000000001e427000 CR4: 00000000001506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 ---------------- Code disassembly (best guess): 0: ba e1 ff eb ae mov $0xaeebffe1,%edx 5: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1) a: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax 11: fc ff df 14: 41 54 push %r12 16: 55 push %rbp 17: 53 push %rbx 18: 48 89 fb mov %rdi,%rbx 1b: 48 83 c7 20 add $0x20,%rdi 1f: 48 89 fa mov %rdi,%rdx 22: 48 83 ec 08 sub $0x8,%rsp 26: 48 c1 ea 03 shr $0x3,%rdx * 2a: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) <-- trapping instruction 2e: 0f 85 83 03 00 00 jne 0x3b7 34: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax 3b: fc ff df 3e: 48 rex.W 3f: 8b .byte 0x8b