bisecting cause commit starting from b61581ae229d8eb9f21f8753be3f4011f7692384 building syzkaller on 5ff41e943946a9e71b55566a02c8b1371fc9b8de testing commit b61581ae229d8eb9f21f8753be3f4011f7692384 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: f2cd999e3bf7a20eba95ab1328922f05785560f01237b52cc9203cfa968b5c23 all runs: crashed: general protection fault in io_kill_timeouts testing release v5.17 testing commit f443e374ae131c168a065ea1748feac6b2e76613 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: a9aa552854e3b7d1749e1e16222e1ce115c1e05d9f702fa1a54f2a790d50fcc9 all runs: OK # git bisect start b61581ae229d8eb9f21f8753be3f4011f7692384 f443e374ae131c168a065ea1748feac6b2e76613 Bisecting: 6114 revisions left to test after this (roughly 13 steps) [be44089ac25c3804689385e9cdcb065f923ba9af] Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git testing commit be44089ac25c3804689385e9cdcb065f923ba9af compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 186fe3784a60f22f5a25bed741f060ba593898920658fe6e259909e075f9c644 run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: exit status NUM run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect good be44089ac25c3804689385e9cdcb065f923ba9af Bisecting: 3059 revisions left to test after this (roughly 12 steps) [9a3420eaf3b0dacbaf0df13b625ada536a25e6b7] Merge branch 'driver-core-next' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core.git testing commit 9a3420eaf3b0dacbaf0df13b625ada536a25e6b7 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: e3b00b2a3e2b23024a8547090c32d8f962544c2ce0e147b5686e56f390aa37bc run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: failed to write control pipe: write |NUM: broken pipe run #1: crashed: general protection fault in io_kill_timeouts run #2: crashed: general protection fault in io_kill_timeouts run #3: crashed: general protection fault in io_kill_timeouts run #4: crashed: general protection fault in io_kill_timeouts run #5: crashed: general protection fault in io_kill_timeouts run #6: crashed: general protection fault in io_kill_timeouts run #7: crashed: general protection fault in io_kill_timeouts run #8: crashed: general protection fault in io_kill_timeouts run #9: crashed: general protection fault in io_kill_timeouts # git bisect bad 9a3420eaf3b0dacbaf0df13b625ada536a25e6b7 Bisecting: 1527 revisions left to test after this (roughly 11 steps) [85ac2021fe3ace59cc0afd6edf005abad35625b0] drm/amdgpu: only check for _PR3 on dGPUs testing commit 85ac2021fe3ace59cc0afd6edf005abad35625b0 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 883274d53a40b2064d009032631db25a4dff089b0d1c443fb9376f3d77a81694 all runs: OK # git bisect good 85ac2021fe3ace59cc0afd6edf005abad35625b0 Bisecting: 805 revisions left to test after this (roughly 10 steps) [aa7619d1374c47a29cad7d68b06372ca727be62c] Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu.git testing commit aa7619d1374c47a29cad7d68b06372ca727be62c compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 5be2c2d9d8598d7563d151b4308e048ea1de24d746e9bde1c034371a20e3662e all runs: crashed: general protection fault in io_kill_timeouts # git bisect bad aa7619d1374c47a29cad7d68b06372ca727be62c Bisecting: 373 revisions left to test after this (roughly 9 steps) [2c353fc5dd2ecd27b13e8d569ea68fb55fdc480a] Merge branch 'for-next' of git://git.kernel.dk/linux-block.git testing commit 2c353fc5dd2ecd27b13e8d569ea68fb55fdc480a compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 1675d67c7fe1b7bae59df7808643a33cf85fd30a26c41654732a1edc7172a8a4 all runs: crashed: general protection fault in io_kill_timeouts # git bisect bad 2c353fc5dd2ecd27b13e8d569ea68fb55fdc480a Bisecting: 173 revisions left to test after this (roughly 8 steps) [b6fb1b64941dd8f32fa97398cd0c39b45f1a1b67] Merge branch 'drm/tegra/for-next' of git://anongit.freedesktop.org/tegra/linux.git testing commit b6fb1b64941dd8f32fa97398cd0c39b45f1a1b67 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: d61e3122032ac9bbb90dde9329c900aed56a753c125d25f2336fafdaa0fbc015 failed: failed to create VM pool: failed to create GCE image: create image operation failed: &{Code:PERMISSIONS_ERROR Location: Message:Required 'read' permission for 'disks/ci-upstream-linux-next-kasan-gce-root-bisect-job-bisect-job-image.tar.gz' ForceSendFields:[] NullFields:[]}. # git bisect skip b6fb1b64941dd8f32fa97398cd0c39b45f1a1b67 Bisecting: 173 revisions left to test after this (roughly 8 steps) [78482af095abd9f4f29f1aa3fe575d25c6ae3028] video: fbdev: fbcvt.c: fix printing in fb_cvt_print_name() testing commit 78482af095abd9f4f29f1aa3fe575d25c6ae3028 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: c76ae09173bb7e27cea60a42a28ce05e67a02dbac1603bc9ad0c2134ac23e38c all runs: OK # git bisect good 78482af095abd9f4f29f1aa3fe575d25c6ae3028 Bisecting: 161 revisions left to test after this (roughly 7 steps) [b9b561be6660774e8573be9a3688dc6888c68dfa] Merge branch 'for-linux-next' of git://anongit.freedesktop.org/drm/drm-misc testing commit b9b561be6660774e8573be9a3688dc6888c68dfa compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: d81b4d733bd3d0701782d3bd02bb02ff37884ce48d556746127a7198d29942b2 all runs: OK # git bisect good b9b561be6660774e8573be9a3688dc6888c68dfa Bisecting: 73 revisions left to test after this (roughly 6 steps) [1c35d993a7fb9c4ff66f7de86bb3a5ad1347f1fb] Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input.git testing commit 1c35d993a7fb9c4ff66f7de86bb3a5ad1347f1fb compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 188090396ebd262e7fda3d6468290b7a33906f71ad5c34e4ce8b21b0d4dfcc0a all runs: OK # git bisect good 1c35d993a7fb9c4ff66f7de86bb3a5ad1347f1fb Bisecting: 36 revisions left to test after this (roughly 5 steps) [59f59bea7fb9244164baaceba1bf3e62d5f3fa65] Merge branch 'for-5.18/drivers' into for-next testing commit 59f59bea7fb9244164baaceba1bf3e62d5f3fa65 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: da7e68b0122fe0a69b9d4d97e6215a603222dd7b22d40415d7f8df0a7ed8db6c all runs: OK # git bisect good 59f59bea7fb9244164baaceba1bf3e62d5f3fa65 Bisecting: 17 revisions left to test after this (roughly 4 steps) [fa082e1e538aa2c8d3abb0746c4cf392611dc951] Merge branch 'for-5.18/io_uring' into for-next testing commit fa082e1e538aa2c8d3abb0746c4cf392611dc951 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: b9405a57b4da332ec93e6926fd6208be1b033efdeb27d3b415cfbf58831a7afe all runs: OK # git bisect good fa082e1e538aa2c8d3abb0746c4cf392611dc951 Bisecting: 8 revisions left to test after this (roughly 3 steps) [613be7b193c8f9727207809da9e580014ed35e5b] Merge branch 'for-5.18/io_uring' into for-next testing commit 613be7b193c8f9727207809da9e580014ed35e5b compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: ced87330df2939261072a63fcbc5dea829520731ef66e5863e02979ec91b871f all runs: crashed: general protection fault in io_kill_timeouts # git bisect bad 613be7b193c8f9727207809da9e580014ed35e5b Bisecting: 4 revisions left to test after this (roughly 2 steps) [0eab1c46d7db864c6cb4405a4d9e6e75d541c97c] io_uring: optimise io_free_batch_list testing commit 0eab1c46d7db864c6cb4405a4d9e6e75d541c97c compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 2e2ea4b0e3239bc646734078ae067414b58b67b8dc675e54a63ef83ee47177b8 all runs: crashed: general protection fault in io_kill_timeouts # git bisect bad 0eab1c46d7db864c6cb4405a4d9e6e75d541c97c Bisecting: 1 revision left to test after this (roughly 1 step) [c9be622494c012d56c71e00cb90be841820c3e34] io_uring: remove extra ifs around io_commit_cqring testing commit c9be622494c012d56c71e00cb90be841820c3e34 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: bc3971680ecc50f252ca9b2102dd2cb1561b100ff2b132fb14a48ed056ecd847 all runs: crashed: general protection fault in io_kill_timeouts # git bisect bad c9be622494c012d56c71e00cb90be841820c3e34 Bisecting: 0 revisions left to test after this (roughly 0 steps) [15071bf78bd3ee0253a3b57c2e092980dbd91a87] io_uring: small optimisation of tctx_task_work testing commit 15071bf78bd3ee0253a3b57c2e092980dbd91a87 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 5a73d448fbfc201783190160ab4ce68b44bc5974623012b508c255aba5662bfd all runs: OK # git bisect good 15071bf78bd3ee0253a3b57c2e092980dbd91a87 c9be622494c012d56c71e00cb90be841820c3e34 is the first bad commit commit c9be622494c012d56c71e00cb90be841820c3e34 Author: Pavel Begunkov Date: Mon Mar 21 22:02:20 2022 +0000 io_uring: remove extra ifs around io_commit_cqring Now io_commit_cqring() is simple and it tolerates well being called without a new CQE filled, so kill a bunch of not needed anymore guards. Signed-off-by: Pavel Begunkov Link: https://lore.kernel.org/r/36aed692dff402bba00a444a63a9cd2e97a340ea.1647897811.git.asml.silence@gmail.com Signed-off-by: Jens Axboe fs/io_uring.c | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) culprit signature: bc3971680ecc50f252ca9b2102dd2cb1561b100ff2b132fb14a48ed056ecd847 parent signature: 5a73d448fbfc201783190160ab4ce68b44bc5974623012b508c255aba5662bfd revisions tested: 17, total time: 2h52m41.940766808s (build: 1h45m8.761168242s, test: 1h5m49.212144184s) first bad commit: c9be622494c012d56c71e00cb90be841820c3e34 io_uring: remove extra ifs around io_commit_cqring recipients (to): ["asml.silence@gmail.com" "axboe@kernel.dk" "axboe@kernel.dk" "io-uring@vger.kernel.org"] recipients (cc): ["asml.silence@gmail.com" "linux-kernel@vger.kernel.org"] crash: general protection fault in io_kill_timeouts RBP: 00007ffdb92e7820 R08: 0000000000000001 R09: 0000000000000001 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000003 R13: 431bde82d7b634db R14: 0000000000000000 R15: 0000000000000000 general protection fault, probably for non-canonical address 0xdffffc0000000018: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x00000000000000c0-0x00000000000000c7] CPU: 1 PID: 4062 Comm: syz-executor173 Not tainted 5.17.0-rc7-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:io_commit_cqring fs/io_uring.c:1804 [inline] RIP: 0010:io_kill_timeouts+0x1f3/0x23f fs/io_uring.c:10257 Code: c0 74 09 3c 03 7f 05 e8 ed 0c 6b f9 48 8d bb c0 00 00 00 b8 ff ff 37 00 44 8b a5 40 03 00 00 48 89 fa 48 c1 e0 2a 48 c1 ea 03 <8a> 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 09 84 d2 74 05 e8 26 RSP: 0018:ffffc90001b4fd00 EFLAGS: 00010206 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000018 RSI: ffffffff88eb94a0 RDI: 00000000000000c0 RBP: ffff888073fde000 R08: 0000000000000001 R09: ffffffff8f0b9a7f R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000 R13: 0000000000000000 R14: dffffc0000000000 R15: ffffc90001b4fd80 FS: 0000555555b45300(0000) GS:ffff8880b9f00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffdb93f1080 CR3: 000000001d748000 CR4: 00000000003506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: io_ring_ctx_wait_and_kill+0x14f/0x2b4 fs/io_uring.c:10277 io_uring_create fs/io_uring.c:11345 [inline] io_uring_setup.cold+0xf54/0x21b9 fs/io_uring.c:11372 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0x80 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f2b5b268049 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffdb92e7808 EFLAGS: 00000246 ORIG_RAX: 00000000000001a9 RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f2b5b268049 RDX: 0000000000000820 RSI: 00000000200000c0 RDI: 00000000000078af RBP: 00007ffdb92e7820 R08: 0000000000000001 R09: 0000000000000001 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000003 R13: 431bde82d7b634db R14: 0000000000000000 R15: 0000000000000000 Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:io_commit_cqring fs/io_uring.c:1804 [inline] RIP: 0010:io_kill_timeouts+0x1f3/0x23f fs/io_uring.c:10257 Code: c0 74 09 3c 03 7f 05 e8 ed 0c 6b f9 48 8d bb c0 00 00 00 b8 ff ff 37 00 44 8b a5 40 03 00 00 48 89 fa 48 c1 e0 2a 48 c1 ea 03 <8a> 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 09 84 d2 74 05 e8 26 RSP: 0018:ffffc90001b4fd00 EFLAGS: 00010206 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000018 RSI: ffffffff88eb94a0 RDI: 00000000000000c0 RBP: ffff888073fde000 R08: 0000000000000001 R09: ffffffff8f0b9a7f R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000 R13: 0000000000000000 R14: dffffc0000000000 R15: ffffc90001b4fd80 FS: 0000555555b45300(0000) GS:ffff8880b9f00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffdb93f1080 CR3: 000000001d748000 CR4: 00000000003506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 ---------------- Code disassembly (best guess): 0: c0 74 09 3c 03 shlb $0x3,0x3c(%rcx,%rcx,1) 5: 7f 05 jg 0xc 7: e8 ed 0c 6b f9 callq 0xf96b0cf9 c: 48 8d bb c0 00 00 00 lea 0xc0(%rbx),%rdi 13: b8 ff ff 37 00 mov $0x37ffff,%eax 18: 44 8b a5 40 03 00 00 mov 0x340(%rbp),%r12d 1f: 48 89 fa mov %rdi,%rdx 22: 48 c1 e0 2a shl $0x2a,%rax 26: 48 c1 ea 03 shr $0x3,%rdx * 2a: 8a 14 02 mov (%rdx,%rax,1),%dl <-- trapping instruction 2d: 48 89 f8 mov %rdi,%rax 30: 83 e0 07 and $0x7,%eax 33: 83 c0 03 add $0x3,%eax 36: 38 d0 cmp %dl,%al 38: 7c 09 jl 0x43 3a: 84 d2 test %dl,%dl 3c: 74 05 je 0x43 3e: e8 .byte 0xe8 3f: 26 es