bisecting cause commit starting from 4442749a203151a319a5bb8d0b983b84253a6931
building syzkaller on abf9ba4fc75d9b29af15625d44dcfc1360fad3b7
testing commit 4442749a203151a319a5bb8d0b983b84253a6931 with gcc (GCC) 8.1.0
kernel signature: 5c50de86277993dcbb290a344023ce91e65efd08aaf70226b62a76b37c76b322
run #0: crashed: INFO: task can't die in io_finish_async
run #1: crashed: INFO: task can't die in io_finish_async
run #2: crashed: INFO: task can't die in io_finish_async
run #3: crashed: INFO: task can't die in io_finish_async
run #4: crashed: INFO: task can't die in io_finish_async
run #5: crashed: INFO: task can't die in io_finish_async
run #6: crashed: INFO: task can't die in io_finish_async
run #7: crashed: INFO: task can't die in io_finish_async
run #8: OK
run #9: OK
testing release v5.8
testing commit bcf876870b95592b52519ed4aafcf9d95999bc9c with gcc (GCC) 8.1.0
kernel signature: 350ea0e893140beaaf443da9100a7259a841c722334a8e0df89d4d5a0af06885
all runs: OK
# git bisect start 4442749a203151a319a5bb8d0b983b84253a6931 bcf876870b95592b52519ed4aafcf9d95999bc9c
Bisecting: 9560 revisions left to test after this (roughly 13 steps)
[d6efb3ac3e6c19ab722b28bdb9252bae0b9676b6] Merge tag 'tty-5.9-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty
testing commit d6efb3ac3e6c19ab722b28bdb9252bae0b9676b6 with gcc (GCC) 8.1.0
kernel signature: 336726cfb5b045dfca1ae8c91d3f47b01fad87fc6128e1468ba2748b607d237f
all runs: OK
# git bisect good d6efb3ac3e6c19ab722b28bdb9252bae0b9676b6
Bisecting: 4787 revisions left to test after this (roughly 12 steps)
[0063a82de937433ccfffe123e12b4503b9155c96] Merge tag 'sched-urgent-2020-08-30' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
testing commit 0063a82de937433ccfffe123e12b4503b9155c96 with gcc (GCC) 8.1.0
kernel signature: 3bb20e715495c5002ee3c752ce5b31f9057b618725b38b3749426ad621814491
all runs: OK
# git bisect good 0063a82de937433ccfffe123e12b4503b9155c96
Bisecting: 2342 revisions left to test after this (roughly 11 steps)
[501c4123d9ecf8e38425fa2dae591d87f18a33f9] Merge remote-tracking branch 'wireless-drivers-next/master' into master
testing commit 501c4123d9ecf8e38425fa2dae591d87f18a33f9 with gcc (GCC) 8.1.0
kernel signature: a754655b116eba688292bb4d69be8964d43c08434bc2c50869f8d3ed0c8008b9
all runs: OK
# git bisect good 501c4123d9ecf8e38425fa2dae591d87f18a33f9
Bisecting: 1187 revisions left to test after this (roughly 10 steps)
[571a89375d9c25d2a8a2475fdcbb07012397ebea] Merge remote-tracking branch 'battery/for-next' into master
testing commit 571a89375d9c25d2a8a2475fdcbb07012397ebea with gcc (GCC) 8.1.0
kernel signature: 512a42d88be8450b348638af27df3e95675f3103bd6cdcb7b563473bc0e7c668
all runs: crashed: INFO: task hung in io_finish_async
# git bisect bad 571a89375d9c25d2a8a2475fdcbb07012397ebea
Bisecting: 425 revisions left to test after this (roughly 9 steps)
[9f157e0b004231d2dcd32b0be9f4ac0c82aa3bd9] Merge remote-tracking branch 'amdgpu/drm-next' into master
testing commit 9f157e0b004231d2dcd32b0be9f4ac0c82aa3bd9 with gcc (GCC) 8.1.0
kernel signature: 23b52b9b5fd8f626fafee56bcd4bfeeccf28f329c949fda750019434d8243cf6
all runs: OK
# git bisect good 9f157e0b004231d2dcd32b0be9f4ac0c82aa3bd9
Bisecting: 247 revisions left to test after this (roughly 8 steps)
[c931ccf0ad38398554a565a665e063d03bfb27a1] Merge remote-tracking branch 'asoc/for-5.10' into asoc-next
testing commit c931ccf0ad38398554a565a665e063d03bfb27a1 with gcc (GCC) 8.1.0
kernel signature: b51747d0bdd77e183257e8f1bafcb9fb3da3211ac86ffe4568617a038a237178
all runs: OK
# git bisect good c931ccf0ad38398554a565a665e063d03bfb27a1
Bisecting: 155 revisions left to test after this (roughly 7 steps)
[8b02ee3c462859fc17c22f0407bea6c03cab768c] Merge remote-tracking branch 'input/next' into master
testing commit 8b02ee3c462859fc17c22f0407bea6c03cab768c with gcc (GCC) 8.1.0
kernel signature: 45f4fccdeafa9e013f83d7450339b77f8537bbd2a3c3d9bdd4aababb81423d86
all runs: OK
# git bisect good 8b02ee3c462859fc17c22f0407bea6c03cab768c
Bisecting: 76 revisions left to test after this (roughly 6 steps)
[4b60276576dccbbbfa90e25407f2d958dcde1793] Merge branch 'for-5.10/io_uring' into for-next
testing commit 4b60276576dccbbbfa90e25407f2d958dcde1793 with gcc (GCC) 8.1.0
kernel signature: 5dd59fafaa92dba5f19aef836802b9ff0b8654661462210ef889a9116efd50e0
run #0: crashed: INFO: task hung in io_finish_async
run #1: crashed: INFO: task hung in io_finish_async
run #2: crashed: INFO: task hung in io_finish_async
run #3: crashed: INFO: task hung in io_finish_async
run #4: crashed: INFO: task hung in io_finish_async
run #5: crashed: INFO: task hung in io_finish_async
run #6: crashed: INFO: task hung in io_finish_async
run #7: crashed: INFO: task hung in io_finish_async
run #8: OK
run #9: crashed: INFO: task hung in io_finish_async
# git bisect bad 4b60276576dccbbbfa90e25407f2d958dcde1793
Bisecting: 39 revisions left to test after this (roughly 5 steps)
[7cf34d97ab45203b975396393ded9d3867dfa8bf] block: remove the discard_alignment field from struct hd_struct
testing commit 7cf34d97ab45203b975396393ded9d3867dfa8bf with gcc (GCC) 8.1.0
kernel signature: 27712bec245288808675c296880ac8eb1d6a44c2105494de22065a866c13c959
all runs: OK
# git bisect good 7cf34d97ab45203b975396393ded9d3867dfa8bf
Bisecting: 19 revisions left to test after this (roughly 4 steps)
[93f7d2db80e4aea2731619d7b907a029e0d14259] blk-iocost: restructure surplus donation logic
testing commit 93f7d2db80e4aea2731619d7b907a029e0d14259 with gcc (GCC) 8.1.0
kernel signature: cd001285dcf6634ab1f5572b6a59f8f1b8f167e880a74367b88e1625ca441f9a
all runs: OK
# git bisect good 93f7d2db80e4aea2731619d7b907a029e0d14259
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[a7863b3423fd5d1ab82161654ba83973764b570b] blk-iocost: update iocost_monitor.py
testing commit a7863b3423fd5d1ab82161654ba83973764b570b with gcc (GCC) 8.1.0
kernel signature: 0262be3a3adf721b5afc8c47b0bfc61f74b9c450c06e0f171e2607a9ba94ac58
all runs: OK
# git bisect good a7863b3423fd5d1ab82161654ba83973764b570b
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[59f1a56b370813ef315189eedc88ae45fd7a1f5e] io_wq: Make io_wqe::lock a raw_spinlock_t
testing commit 59f1a56b370813ef315189eedc88ae45fd7a1f5e with gcc (GCC) 8.1.0
kernel signature: 2614c798aee49e2a162853f3b3492216e15b0b09745b6d5c529a5cde8ac58e91
run #0: crashed: INFO: task hung in io_finish_async
run #1: crashed: INFO: task hung in io_finish_async
run #2: crashed: INFO: task hung in io_finish_async
run #3: crashed: INFO: task hung in io_finish_async
run #4: crashed: INFO: task hung in io_finish_async
run #5: crashed: INFO: task hung in io_finish_async
run #6: crashed: INFO: task hung in io_finish_async
run #7: crashed: INFO: task hung in io_finish_async
run #8: crashed: INFO: task hung in io_finish_async
run #9: OK
# git bisect bad 59f1a56b370813ef315189eedc88ae45fd7a1f5e
Bisecting: 2 revisions left to test after this (roughly 1 step)
[793658bdb550800904bfa954d418abb72b0e7b24] io_uring: use an enumeration for io_uring_register(2) opcodes
testing commit 793658bdb550800904bfa954d418abb72b0e7b24 with gcc (GCC) 8.1.0
kernel signature: be05a225ddd582c0b2ab86bac150fff6fcb2772ec90b49caa125df542f809c05
all runs: OK
# git bisect good 793658bdb550800904bfa954d418abb72b0e7b24
Bisecting: 0 revisions left to test after this (roughly 1 step)
[dfe127799f8e663c7e3e48b5275ca538b278177b] io_uring: allow disabling rings during the creation
testing commit dfe127799f8e663c7e3e48b5275ca538b278177b with gcc (GCC) 8.1.0
kernel signature: 27b6b096d8c4fc9a048b5d6736cf4f5f560268193684dfbd5bcf7c3cc1367d6e
all runs: crashed: INFO: task hung in io_finish_async
# git bisect bad dfe127799f8e663c7e3e48b5275ca538b278177b
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[1748079a2c19eb69b3af33bfadc1100c5b1ddc14] io_uring: add IOURING_REGISTER_RESTRICTIONS opcode
testing commit 1748079a2c19eb69b3af33bfadc1100c5b1ddc14 with gcc (GCC) 8.1.0
kernel signature: f10767859e3d9b1283071a3aec94ce5051ad78ac82b0b90e65d060637ceec2a8
all runs: OK
# git bisect good 1748079a2c19eb69b3af33bfadc1100c5b1ddc14
dfe127799f8e663c7e3e48b5275ca538b278177b is the first bad commit
commit dfe127799f8e663c7e3e48b5275ca538b278177b
Author: Stefano Garzarella
Date:   Thu Aug 27 16:58:31 2020 +0200

    io_uring: allow disabling rings during the creation

    This patch adds a new IORING_SETUP_R_DISABLED flag to start the rings
    disabled, allowing the user to register restrictions, buffers, files,
    before starting to process SQEs.

    When IORING_SETUP_R_DISABLED is set, SQEs are not processed and the
    SQPOLL kthread is not started.

    The restrictions registration is allowed only when the rings are
    disabled, to prevent concurrency issues while processing SQEs.

    The rings can be enabled using IORING_REGISTER_ENABLE_RINGS opcode
    with io_uring_register(2).

    Suggested-by: Jens Axboe
    Signed-off-by: Stefano Garzarella
    Reviewed-by: Kees Cook
    Signed-off-by: Jens Axboe

 fs/io_uring.c                 | 52 +++++++++++++++++++++++++++++++++++++------
 include/uapi/linux/io_uring.h |  2 ++
 2 files changed, 47 insertions(+), 7 deletions(-)

culprit signature: 27b6b096d8c4fc9a048b5d6736cf4f5f560268193684dfbd5bcf7c3cc1367d6e
parent signature: f10767859e3d9b1283071a3aec94ce5051ad78ac82b0b90e65d060637ceec2a8
revisions tested: 17, total time: 4h5m28.930336384s (build: 1h22m21.048927865s, test: 2h41m9.891853s)
first bad commit: dfe127799f8e663c7e3e48b5275ca538b278177b io_uring: allow disabling rings during the creation
recipients (to): ["axboe@kernel.dk" "keescook@chromium.org" "sgarzare@redhat.com"]
recipients (cc): []
crash: INFO: task hung in io_finish_async
INFO: task syz-executor.2:7035 blocked for more than 143 seconds.
      Not tainted 5.9.0-rc3-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.2  state:D stack:14520 pid: 7035 ppid:  6964 flags:0x00004004
Call Trace:
 context_switch kernel/sched/core.c:3778 [inline]
 __schedule+0x404/0x8a0 kernel/sched/core.c:4527
 schedule+0x37/0xe0 kernel/sched/core.c:4602
 schedule_timeout+0x224/0x2d0 kernel/time/timer.c:1855
 do_wait_for_common kernel/sched/completion.c:85 [inline]
 __wait_for_common kernel/sched/completion.c:106 [inline]
 wait_for_common kernel/sched/completion.c:117 [inline]
 wait_for_completion+0xa7/0x110 kernel/sched/completion.c:138
 io_sq_thread_stop fs/io_uring.c:6900 [inline]
 io_finish_async+0x1a/0x60 fs/io_uring.c:6914
 io_sq_offload_create fs/io_uring.c:7589 [inline]
 io_uring_create fs/io_uring.c:8665 [inline]
 io_uring_setup+0xa6f/0xca0 fs/io_uring.c:8738
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45d5b9
Code: Bad RIP value.
RSP: 002b:00007f58299f8bf8 EFLAGS: 00000206 ORIG_RAX: 00000000000001a9
RAX: ffffffffffffffda RBX: 0000000020000240 RCX: 000000000045d5b9
RDX: 00000000206d5000 RSI: 0000000020000240 RDI: 0000000000007e71
RBP: 000000000118cf98 R08: 0000000020000100 R09: 0000000020000100
R10: 0000000000000000 R11: 0000000000000206 R12: 00000000206d5000
R13: 00000000206d4000 R14: 0000000020000100 R15: 0000000000000000
INFO: task io_uring-sq:7063 blocked for more than 143 seconds.
      Not tainted 5.9.0-rc3-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:io_uring-sq     state:D stack:15360 pid: 7063 ppid:     2 flags:0x00004000
Call Trace:
 context_switch kernel/sched/core.c:3778 [inline]
 __schedule+0x404/0x8a0 kernel/sched/core.c:4527
 schedule+0x37/0xe0 kernel/sched/core.c:4602
 schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:4661
 kthread+0xe4/0x170 kernel/kthread.c:285
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

Showing all locks held in the system:
1 lock held by khungtaskd/1170:
 #0: ffffffff842f5dc0 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x15/0x17a kernel/locking/lockdep.c:5830
1 lock held by in:imklog/6372:
 #0: ffff88811f14daf0 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0x45/0x50 fs/file.c:930
3 locks held by kworker/u4:6/8312:
 #0: ffff88812c02dbd8 (&rq->lock){-.-.}-{2:2}, at: newidle_balance+0x430/0x630 kernel/sched/fair.c:10555
 #1: ffffffff842f5dc0 (rcu_read_lock){....}-{1:2}, at: __update_idle_core+0x0/0x200 kernel/sched/fair.c:5211
 #2: ffff88812c01d5d8 (&base->lock){-.-.}-{2:2}, at: lock_timer_base+0x62/0x80 kernel/time/timer.c:947

=============================================

NMI backtrace for cpu 1
CPU: 1 PID: 1170 Comm: khungtaskd Not tainted 5.9.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xa3/0xcc lib/dump_stack.c:118
 nmi_cpu_backtrace.cold.8+0x3e/0x58 lib/nmi_backtrace.c:101
 nmi_trigger_cpumask_backtrace+0xd5/0xec lib/nmi_backtrace.c:62
 trigger_all_cpu_backtrace include/linux/nmi.h:146 [inline]
 check_hung_uninterruptible_tasks kernel/hung_task.c:209 [inline]
 watchdog+0x58e/0x680 kernel/hung_task.c:295
 kthread+0x148/0x170 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 PID: 8312 Comm: kworker/u4:6 Not tainted 5.9.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: bat_events batadv_nc_worker
RIP: 0010:lockdep_recursion_finish kernel/locking/lockdep.c:398 [inline]
RIP: 0010:lock_is_held_type+0xc4/0x120 kernel/locking/lockdep.c:5046
Code: fd ff ff 85 c0 74 d8 41 83 fe ff b9 01 00 00 00 74 0f 0f b6 43 22 31 c9 83 e0 03 44 39 f0 0f 94 c1 65 48 8b 14 25 c0 7e 01 00 <8b> 82 e4 08 00 00 83 e8 01 66 85 c0 89 82 e4 08 00 00 75 37 48 83
RSP: 0018:ffffc900025cfd00 EFLAGS: 00000046
RAX: 0000000000000000 RBX: ffff88810f968d90 RCX: 0000000000000000
RDX: ffff88810f968480 RSI: ffffffff842f5d40 RDI: ffff88810f968d90
RBP: ffff88810f968480 R08: 0000000000000000 R09: 0000000000000000
R10: ffff88810f968480 R11: 30a6c5f261525aea R12: ffffffff842f5d40
R13: ffff88810f968d68 R14: 00000000ffffffff R15: 0000000000000002
FS:  0000000000000000(0000) GS:ffff88812c000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f37a0a09000 CR3: 00000001241cb000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 lock_is_held include/linux/lockdep.h:267 [inline]
 rcu_read_lock_sched_held+0x4d/0x80 kernel/rcu/update.c:136
 trace_lock_acquire include/trace/events/lock.h:13 [inline]
 lock_acquire+0x362/0x3e0 kernel/locking/lockdep.c:4980
 rcu_lock_acquire include/linux/rcupdate.h:241 [inline]
 rcu_read_lock include/linux/rcupdate.h:634 [inline]
 batadv_nc_process_nc_paths.part.18+0x62/0x180 net/batman-adv/network-coding.c:686
 batadv_nc_process_nc_paths net/batman-adv/network-coding.c:678 [inline]
 batadv_nc_worker+0x22c/0x240 net/batman-adv/network-coding.c:727
 process_one_work+0x26a/0x5f0 kernel/workqueue.c:2269
 worker_thread+0x38/0x380 kernel/workqueue.c:2415
 kthread+0x148/0x170 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294