bisecting cause commit starting from a3fa7a101dcff93791d1b1bdb3affcad1410c8c1 building syzkaller on e2776ee417c18d6e0056b058f3b6055f65206ee9 testing commit a3fa7a101dcff93791d1b1bdb3affcad1410c8c1 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 069b28546439168f36b94c01c26da4f9df5a399c1c145201423edd27cbc05470 run #0: crashed: general protection fault in io_uring_register run #1: crashed: general protection fault in io_uring_register run #2: crashed: general protection fault in io_uring_register run #3: crashed: general protection fault in io_uring_register run #4: crashed: general protection fault in io_uring_register run #5: crashed: general protection fault in io_uring_register run #6: crashed: general protection fault in io_uring_register run #7: crashed: general protection fault in io_uring_register run #8: crashed: general protection fault in io_uring_register run #9: crashed: general protection fault in io_uring_register run #10: crashed: general protection fault in io_uring_register run #11: crashed: general protection fault in io_uring_register run #12: crashed: general protection fault in io_uring_register run #13: crashed: general protection fault in io_uring_register run #14: crashed: general protection fault in io_uring_register run #15: OK run #16: OK run #17: crashed: general protection fault in io_uring_register run #18: OK run #19: boot failed: KFENCE: use-after-free in kvm_fastop_exception testing release v5.14 testing commit 7d2a07b769330c34b4deabeed939325c77a7ec2f compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: c7a96685f36d300f914d643ce230ea254f68b922997290f143876a9044cd0b7f all runs: OK # git bisect start a3fa7a101dcff93791d1b1bdb3affcad1410c8c1 7d2a07b769330c34b4deabeed939325c77a7ec2f Bisecting: 5330 revisions left to test after this (roughly 12 steps) [0d290223a6c77107b1c3988959e49279a8dafaba] Merge tag 'sound-5.15-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound testing commit 0d290223a6c77107b1c3988959e49279a8dafaba compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: f4243446c6be4122cedba8356676b2daeb98ac82b6dc6ae803a8d37389f348f1 all runs: OK # git bisect good 0d290223a6c77107b1c3988959e49279a8dafaba Bisecting: 2671 revisions left to test after this (roughly 11 steps) [eceae1e7acaefc0a71e4dd4b8cd49270172b4731] Merge tag 'configfs-5.15' of git://git.infradead.org/users/hch/configfs testing commit eceae1e7acaefc0a71e4dd4b8cd49270172b4731 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 003bcd0ca18bc8fc289c7397f27a2f9208d3eb5b3e31db98d81844784318244b all runs: OK # git bisect good eceae1e7acaefc0a71e4dd4b8cd49270172b4731 Bisecting: 1322 revisions left to test after this (roughly 10 steps) [7cca308cfdc0725363ac5943dca9dcd49cc1d2d5] Merge tag 'powerpc-5.15-1' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux testing commit 7cca308cfdc0725363ac5943dca9dcd49cc1d2d5 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 5f1ff8dff9225b053853578be7a2d1a0a7f88bdb11a7d4dea2bcef7c4e856675 run #0: basic kernel testing failed: KFENCE: use-after-free in kvm_fastop_exception run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect good 7cca308cfdc0725363ac5943dca9dcd49cc1d2d5 Bisecting: 730 revisions left to test after this (roughly 9 steps) [a2b28235335fee2586b4bd16448fb59ed6c80eef] Merge branch 'dmi-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jdelvare/staging testing commit a2b28235335fee2586b4bd16448fb59ed6c80eef compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 1f6831038d664c65bfff04dfdee9854d15c3389c837392d29a462cd8ffb49bae run #0: crashed: general protection fault in io_uring_register run #1: crashed: general protection fault in io_uring_register run #2: crashed: general protection fault in io_uring_register run #3: crashed: general protection fault in io_uring_register run #4: crashed: general protection fault in io_uring_register run #5: crashed: general protection fault in io_uring_register run #6: crashed: general protection fault in io_uring_register run #7: crashed: general protection fault in io_uring_register run #8: OK run #9: OK # git bisect bad a2b28235335fee2586b4bd16448fb59ed6c80eef Bisecting: 307 revisions left to test after this (roughly 8 steps) [e07af2626643293fa16df655979e7963250abc63] Merge tag 'arc-5.15-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/vgupta/arc testing commit e07af2626643293fa16df655979e7963250abc63 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 7192da3f1cbde2077905a4db33555b16a8e5fdfb153358db74d0ec486e79eab4 all runs: OK # git bisect good e07af2626643293fa16df655979e7963250abc63 Bisecting: 138 revisions left to test after this (roughly 7 steps) [27151f177827d478508e756c7657273261aaf8a9] Merge tag 'perf-tools-for-v5.15-2021-09-04' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux testing commit 27151f177827d478508e756c7657273261aaf8a9 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: ca01cd56bf2186e7f7c364e65d64e687b78e390812ad58948e14274f5961c8f2 run #0: OK run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: boot failed: KFENCE: use-after-free in kvm_fastop_exception # git bisect good 27151f177827d478508e756c7657273261aaf8a9 Bisecting: 87 revisions left to test after this (roughly 6 steps) [75b96f0ec5faf730128c32187e3e28441c27a094] Merge tag 'fuse-update-5.15' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse testing commit 75b96f0ec5faf730128c32187e3e28441c27a094 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: b3f7905abf8bb4aaa533318d4ac91d1bde8fcc67d6c1f47c51fc20927c4737f2 all runs: crashed: general protection fault in io_uring_register # git bisect bad 75b96f0ec5faf730128c32187e3e28441c27a094 Bisecting: 27 revisions left to test after this (roughly 5 steps) [03085b3d5a45a60061423ac4857f339c7cb260ff] Merge tag 'misc-5.15-2021-09-05' of git://git.kernel.dk/linux-block testing commit 03085b3d5a45a60061423ac4857f339c7cb260ff compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: ea6867b25cbbef52aff24d28a307851c317b9a7e75b95330af79b36860da48a2 all runs: crashed: general protection fault in io_uring_register # git bisect bad 03085b3d5a45a60061423ac4857f339c7cb260ff Bisecting: 11 revisions left to test after this (roughly 4 steps) [3146cba99aa284b1d4a10fbd923df953f1d18035] io-wq: make worker creation resilient against signals testing commit 3146cba99aa284b1d4a10fbd923df953f1d18035 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 7706cb943b20385ada2dd9e9bcae8116706b692a531293fde0a165414c09e5d7 all runs: OK # git bisect good 3146cba99aa284b1d4a10fbd923df953f1d18035 Bisecting: 6 revisions left to test after this (roughly 3 steps) [2fc2a7a62eb58650e71b4550cf6fa6cc0a75b2d2] io_uring: io_uring_complete() trace should take an integer testing commit 2fc2a7a62eb58650e71b4550cf6fa6cc0a75b2d2 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 0a636100b2338f1ab3813eca525513cec08d6932c07cbab85a6d3d1752d11661 run #0: crashed: general protection fault in io_uring_register run #1: crashed: general protection fault in io_uring_register run #2: crashed: general protection fault in io_uring_register run #3: crashed: general protection fault in io_uring_register run #4: crashed: general protection fault in io_uring_register run #5: crashed: general protection fault in io_uring_register run #6: crashed: general protection fault in io_uring_register run #7: crashed: general protection fault in io_uring_register run #8: crashed: general protection fault in io_uring_register run #9: OK # git bisect bad 2fc2a7a62eb58650e71b4550cf6fa6cc0a75b2d2 Bisecting: 2 revisions left to test after this (roughly 1 step) [636378535afb837f165beb7de3907896480cf3b2] io_uring: don't disable kiocb_done() CQE batching testing commit 636378535afb837f165beb7de3907896480cf3b2 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: b841d9dc1c12b3a2c840dff649685b302d183bcec03d33d984a67245b4821b0a run #0: crashed: general protection fault in io_uring_register run #1: crashed: general protection fault in io_uring_register run #2: crashed: general protection fault in io_uring_register run #3: crashed: general protection fault in io_uring_register run #4: crashed: general protection fault in io_uring_register run #5: crashed: general protection fault in io_uring_register run #6: crashed: general protection fault in io_uring_register run #7: crashed: general protection fault in io_uring_register run #8: crashed: general protection fault in io_uring_register run #9: OK # git bisect bad 636378535afb837f165beb7de3907896480cf3b2 Bisecting: 0 revisions left to test after this (roughly 0 steps) [fa84693b3c896460831fe0750554121121a23da8] io_uring: ensure IORING_REGISTER_IOWQ_MAX_WORKERS works with SQPOLL testing commit fa84693b3c896460831fe0750554121121a23da8 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 1ac977ebbc4243c551311a48f48fa9edfe39de9a4bba6c87b1ab66515f1899b6 run #0: crashed: general protection fault in io_uring_register run #1: crashed: general protection fault in io_uring_register run #2: crashed: general protection fault in io_uring_register run #3: crashed: general protection fault in io_uring_register run #4: crashed: general protection fault in io_uring_register run #5: crashed: general protection fault in io_uring_register run #6: crashed: general protection fault in io_uring_register run #7: crashed: general protection fault in io_uring_register run #8: crashed: general protection fault in io_uring_register run #9: OK # git bisect bad fa84693b3c896460831fe0750554121121a23da8 fa84693b3c896460831fe0750554121121a23da8 is the first bad commit commit fa84693b3c896460831fe0750554121121a23da8 Author: Jens Axboe Date: Wed Sep 1 14:15:59 2021 -0600 io_uring: ensure IORING_REGISTER_IOWQ_MAX_WORKERS works with SQPOLL SQPOLL has a different thread doing submissions, we need to check for that and use the right task context when updating the worker values. Just hold the sqd->lock across the operation, this ensures that the thread cannot go away while we poke at ->io_uring. Link: https://github.com/axboe/liburing/issues/420 Fixes: 2e480058ddc2 ("io-wq: provide a way to limit max number of workers") Reported-by: Johannes Lundberg Tested-by: Johannes Lundberg Signed-off-by: Jens Axboe fs/io_uring.c | 28 ++++++++++++++++++++++++---- 1 file changed, 24 insertions(+), 4 deletions(-) culprit signature: 1ac977ebbc4243c551311a48f48fa9edfe39de9a4bba6c87b1ab66515f1899b6 parent signature: 7706cb943b20385ada2dd9e9bcae8116706b692a531293fde0a165414c09e5d7 revisions tested: 14, total time: 3h34m58.069124664s (build: 1h31m5.463136765s, test: 2h2m13.404001075s) first bad commit: fa84693b3c896460831fe0750554121121a23da8 io_uring: ensure IORING_REGISTER_IOWQ_MAX_WORKERS works with SQPOLL recipients (to): ["axboe@kernel.dk" "axboe@kernel.dk" "io-uring@vger.kernel.org" "johalun0@gmail.com"] recipients (cc): ["asml.silence@gmail.com" "linux-kernel@vger.kernel.org"] crash: general protection fault in io_uring_register general protection fault, probably for non-canonical address 0xdffffc0000000102: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000810-0x0000000000000817] CPU: 1 PID: 28049 Comm: syz-executor.5 Not tainted 5.14.0-rc7-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:io_register_iowq_max_workers fs/io_uring.c:10341 [inline] RIP: 0010:__io_uring_register fs/io_uring.c:10546 [inline] RIP: 0010:__do_sys_io_uring_register+0xb73/0x2380 fs/io_uring.c:10581 Code: 03 80 3c 02 00 0f 85 8e 16 00 00 48 8b 9b a8 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 8d bb 10 08 00 00 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 5b 16 00 00 48 8b 9b 10 08 00 00 48 85 db 0f 84 RSP: 0018:ffffc90008c4fdf0 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000102 RSI: 0000000000000004 RDI: 0000000000000810 RBP: ffff88801c1b6780 R08: 0000000000000000 R09: ffff888045151c13 R10: ffffed1008a2a382 R11: 0000000000000001 R12: ffff88802c70c000 R13: ffff888045151c08 R14: 1ffff92001189fc9 R15: ffff88802c70c040 FS: 00007f5382a2f700(0000) GS:ffff8880b9f00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000044 CR3: 0000000013f90000 CR4: 00000000001506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x4665f9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f5382a2f188 EFLAGS: 00000246 ORIG_RAX: 00000000000001ab RAX: ffffffffffffffda RBX: 000000000056c038 RCX: 00000000004665f9 RDX: 0000000020004000 RSI: 0000000000000013 RDI: 0000000000000003 RBP: 00000000004bfcc4 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000002 R11: 0000000000000246 R12: 000000000056c038 R13: 00007ffff62140af R14: 00007f5382a2f300 R15: 0000000000022000 Modules linked in: ---[ end trace c0f0b844abd92675 ]--- RIP: 0010:io_register_iowq_max_workers fs/io_uring.c:10341 [inline] RIP: 0010:__io_uring_register fs/io_uring.c:10546 [inline] RIP: 0010:__do_sys_io_uring_register+0xb73/0x2380 fs/io_uring.c:10581 Code: 03 80 3c 02 00 0f 85 8e 16 00 00 48 8b 9b a8 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 8d bb 10 08 00 00 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 5b 16 00 00 48 8b 9b 10 08 00 00 48 85 db 0f 84 RSP: 0018:ffffc90008c4fdf0 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000102 RSI: 0000000000000004 RDI: 0000000000000810 RBP: ffff88801c1b6780 R08: 0000000000000000 R09: ffff888045151c13 R10: ffffed1008a2a382 R11: 0000000000000001 R12: ffff88802c70c000 R13: ffff888045151c08 R14: 1ffff92001189fc9 R15: ffff88802c70c040 FS: 00007f5382a2f700(0000) GS:ffff8880b9f00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fffcb5e8720 CR3: 0000000013f90000 CR4: 00000000001506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 ---------------- Code disassembly (best guess): 0: 03 80 3c 02 00 0f add 0xf00023c(%rax),%eax 6: 85 8e 16 00 00 48 test %ecx,0x48000016(%rsi) c: 8b 9b a8 00 00 00 mov 0xa8(%rbx),%ebx 12: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax 19: fc ff df 1c: 48 8d bb 10 08 00 00 lea 0x810(%rbx),%rdi 23: 48 89 fa mov %rdi,%rdx 26: 48 c1 ea 03 shr $0x3,%rdx * 2a: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) <-- trapping instruction 2e: 0f 85 5b 16 00 00 jne 0x168f 34: 48 8b 9b 10 08 00 00 mov 0x810(%rbx),%rbx 3b: 48 85 db test %rbx,%rbx 3e: 0f .byte 0xf 3f: 84 .byte 0x84