bisecting cause commit starting from 4e8f108c3af2d6922a64df9f3d3d488c74f6009d building syzkaller on 048f2d494ee4a016e2386c28bf8cccdd87896cbd testing commit 4e8f108c3af2d6922a64df9f3d3d488c74f6009d with gcc (GCC) 8.1.0 all runs: crashed: general protection fault in io_commit_cqring testing release v5.3 testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.1.0 all runs: OK # git bisect start 4e8f108c3af2d6922a64df9f3d3d488c74f6009d 4d856f72c10ecb060868ed10ff1b1453943fc6c8 Bisecting: 13301 revisions left to test after this (roughly 14 steps) [03c3cf006432bc0c61e9c1560205d4e953550de6] Merge branch 'ib-fwnode-gpiod-get-index' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio into regulator-5.5 testing commit 03c3cf006432bc0c61e9c1560205d4e953550de6 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 03c3cf006432bc0c61e9c1560205d4e953550de6 Bisecting: 6038 revisions left to test after this (roughly 13 steps) [5d453d13a5e0ae900103c6b2c0b2b94eb6d08213] Merge remote-tracking branch 'net-next/master' testing commit 5d453d13a5e0ae900103c6b2c0b2b94eb6d08213 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 5d453d13a5e0ae900103c6b2c0b2b94eb6d08213 Bisecting: 3007 revisions left to test after this (roughly 12 steps) [d9d40c71eaac53995b853bc1c43e7423b4f41c10] Merge remote-tracking branch 'mmc/next' testing commit d9d40c71eaac53995b853bc1c43e7423b4f41c10 with gcc (GCC) 8.1.0 all runs: crashed: general protection fault in io_commit_cqring # git bisect bad d9d40c71eaac53995b853bc1c43e7423b4f41c10 Bisecting: 1535 revisions left to test after this (roughly 11 steps) [904ce198dd7bcf6eaa1735e9c0b06959351d4126] Merge tag 'drm/tegra/for-5.5-rc1' of git://anongit.freedesktop.org/tegra/linux into drm-next testing commit 904ce198dd7bcf6eaa1735e9c0b06959351d4126 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 904ce198dd7bcf6eaa1735e9c0b06959351d4126 Bisecting: 764 revisions left to test after this (roughly 10 steps) [d84ca32ab1417ef75a442c7978069c45df875f20] Merge remote-tracking branch 'amdgpu/drm-next' testing commit d84ca32ab1417ef75a442c7978069c45df875f20 with gcc (GCC) 8.1.0 all runs: OK # git bisect good d84ca32ab1417ef75a442c7978069c45df875f20 Bisecting: 382 revisions left to test after this (roughly 9 steps) [e610748ad4388f02a2cd8b3ad051a662c03dbfbc] ASoC: cros_ec_codec: Convert to the common vmalloc memalloc testing commit e610748ad4388f02a2cd8b3ad051a662c03dbfbc with gcc (GCC) 8.1.0 all runs: OK # git bisect good e610748ad4388f02a2cd8b3ad051a662c03dbfbc Bisecting: 207 revisions left to test after this (roughly 8 steps) [2fa08013921fab818593e813c8b03437c6f58161] Merge remote-tracking branch 'input/next' testing commit 2fa08013921fab818593e813c8b03437c6f58161 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 2fa08013921fab818593e813c8b03437c6f58161 Bisecting: 110 revisions left to test after this (roughly 7 steps) [b9f80fe2d6f6613261477621e9d925b8fab1fc1a] Merge branch 'for-5.5/libata' into for-next testing commit b9f80fe2d6f6613261477621e9d925b8fab1fc1a with gcc (GCC) 8.1.0 all runs: OK # git bisect good b9f80fe2d6f6613261477621e9d925b8fab1fc1a Bisecting: 55 revisions left to test after this (roughly 6 steps) [64ebb693c62fac190691c8b1406b058334eb760c] Merge remote-tracking branch 'block/for-next' testing commit 64ebb693c62fac190691c8b1406b058334eb760c with gcc (GCC) 8.1.0 all runs: crashed: general protection fault in io_commit_cqring # git bisect bad 64ebb693c62fac190691c8b1406b058334eb760c Bisecting: 27 revisions left to test after this (roughly 5 steps) [89723d0bd6c77540c01ce7db2cd6f8c3be2fd958] io_uring: enable optimized link handling for IORING_OP_POLL_ADD testing commit 89723d0bd6c77540c01ce7db2cd6f8c3be2fd958 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 89723d0bd6c77540c01ce7db2cd6f8c3be2fd958 Bisecting: 13 revisions left to test after this (roughly 4 steps) [c5def4ab849494d3c97f6c9fc84b2ddb868fe78c] io-wq: add support for bounded vs unbunded work testing commit c5def4ab849494d3c97f6c9fc84b2ddb868fe78c with gcc (GCC) 8.1.0 all runs: crashed: INFO: trying to register non-static key in io_cqring_ev_posted # git bisect bad c5def4ab849494d3c97f6c9fc84b2ddb868fe78c Bisecting: 6 revisions left to test after this (roughly 3 steps) [267bc90442aa47002e2991f7d9dd141e168b466b] io_uring: use inlined struct sqe_submit testing commit 267bc90442aa47002e2991f7d9dd141e168b466b with gcc (GCC) 8.1.0 all runs: OK # git bisect good 267bc90442aa47002e2991f7d9dd141e168b466b Bisecting: 3 revisions left to test after this (roughly 2 steps) [84f97dc2333c626979bb547fce343a1003544dcc] io_uring: make io_cqring_events() take 'ctx' as argument testing commit 84f97dc2333c626979bb547fce343a1003544dcc with gcc (GCC) 8.1.0 all runs: OK # git bisect good 84f97dc2333c626979bb547fce343a1003544dcc Bisecting: 1 revision left to test after this (roughly 1 step) [1d7bb1d50fb4dc141c7431cc21fdd24ffcc83c76] io_uring: add support for backlogged CQ ring testing commit 1d7bb1d50fb4dc141c7431cc21fdd24ffcc83c76 with gcc (GCC) 8.1.0 all runs: crashed: INFO: trying to register non-static key in io_cqring_ev_posted # git bisect bad 1d7bb1d50fb4dc141c7431cc21fdd24ffcc83c76 Bisecting: 0 revisions left to test after this (roughly 0 steps) [78e19bbef38362cebff38aa1ca12e2c82bb72eb8] io_uring: pass in io_kiocb to fill/add CQ handlers testing commit 78e19bbef38362cebff38aa1ca12e2c82bb72eb8 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 78e19bbef38362cebff38aa1ca12e2c82bb72eb8 1d7bb1d50fb4dc141c7431cc21fdd24ffcc83c76 is the first bad commit commit 1d7bb1d50fb4dc141c7431cc21fdd24ffcc83c76 Author: Jens Axboe Date: Wed Nov 6 11:31:17 2019 -0700 io_uring: add support for backlogged CQ ring Currently we drop completion events, if the CQ ring is full. That's fine for requests with bounded completion times, but it may make it harder or impossible to use io_uring with networked IO where request completion times are generally unbounded. Or with POLL, for example, which is also unbounded. After this patch, we never overflow the ring, we simply store requests in a backlog for later flushing. This flushing is done automatically by the kernel. To prevent the backlog from growing indefinitely, if the backlog is non-empty, we apply back pressure on IO submissions. Any attempt to submit new IO with a non-empty backlog will get an -EBUSY return from the kernel. This is a signal to the application that it has backlogged CQ events, and that it must reap those before being allowed to submit more IO. Note that if we do return -EBUSY, we will have filled whatever backlogged events into the CQ ring first, if there's room. This means the application can safely reap events WITHOUT entering the kernel and waiting for them, they are already available in the CQ ring. Signed-off-by: Jens Axboe :040000 040000 50f554dc9306b3933158816358387330f69abb6d 688f376fdd0aca27421f0305b8e1e2aaada7b6e4 M fs :040000 040000 20667184731fb719821118423436c18e8dc85989 a4d049c8bb935dbb6892e832159fe539343e2ae1 M include revisions tested: 17, total time: 4h26m47.407230821s (build: 1h42m5.982826743s, test: 2h38m35.656544937s) first bad commit: 1d7bb1d50fb4dc141c7431cc21fdd24ffcc83c76 io_uring: add support for backlogged CQ ring cc: ["axboe@kernel.dk" "linux-block@vger.kernel.org" "linux-fsdevel@vger.kernel.org" "linux-kernel@vger.kernel.org" "viro@zeniv.linux.org.uk"] crash: INFO: trying to register non-static key in io_cqring_ev_posted Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007fae597f0c78 EFLAGS: 00000246 ORIG_RAX: 00000000000001a9 RAX: ffffffffffffffda RBX: 00007fae597f0c90 RCX: 000000000045a219 RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000d0d RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007fae597f16d4 R13: 00000000004c1915 R14: 00000000004d55d8 R15: 0000000000000003 INFO: trying to register non-static key. the code is fine but needs lockdep annotation. turning off the locking correctness validator. CPU: 0 PID: 7663 Comm: syz-executor.4 Not tainted 5.4.0-rc5+ #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x113/0x167 lib/dump_stack.c:113 assign_lock_key kernel/locking/lockdep.c:881 [inline] register_lock_class+0x2028/0x22d0 kernel/locking/lockdep.c:1190 __lock_acquire+0xff/0x4ef0 kernel/locking/lockdep.c:3837 lock_acquire+0x194/0x410 kernel/locking/lockdep.c:4487 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0x99/0xd0 kernel/locking/spinlock.c:159 __wake_up_common_lock+0xc1/0x140 kernel/sched/wait.c:122 __wake_up+0xe/0x10 kernel/sched/wait.c:142 io_cqring_ev_posted+0x92/0xf0 fs/io_uring.c:599 io_cqring_overflow_flush+0x60a/0xa10 fs/io_uring.c:646 io_ring_ctx_wait_and_kill+0x1ea/0x620 fs/io_uring.c:4140 io_uring_create fs/io_uring.c:4477 [inline] io_uring_setup+0x1475/0x19a0 fs/io_uring.c:4503 __do_sys_io_uring_setup fs/io_uring.c:4516 [inline] __se_sys_io_uring_setup fs/io_uring.c:4513 [inline] __x64_sys_io_uring_setup+0x4f/0x70 fs/io_uring.c:4513 do_syscall_64+0xca/0x5d0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x45a219 Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007fae597f0c78 EFLAGS: 00000246 ORIG_RAX: 00000000000001a9 RAX: ffffffffffffffda RBX: 00007fae597f0c90 RCX: 000000000045a219 RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000d0d RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007fae597f16d4 R13: 00000000004c1915 R14: 00000000004d55d8 R15: 0000000000000003 kasan: CONFIG_KASAN_INLINE enabled kasan: GPF could be caused by NULL-ptr deref or user memory access general protection fault: 0000 [#1] PREEMPT SMP KASAN CPU: 0 PID: 7663 Comm: syz-executor.4 Not tainted 5.4.0-rc5+ #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:__wake_up_common+0xdd/0x5f0 kernel/sched/wait.c:86 Code: fc 04 00 00 4c 8b 43 38 49 83 e8 18 49 8d 78 18 49 39 fc 0f 84 5c 02 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 f9 48 c1 e9 03 <80> 3c 01 00 0f 85 ef 04 00 00 49 8b 40 18 89 55 b8 31 db 49 be 00 RSP: 0018:ffff88809446fb40 EFLAGS: 00010046 RAX: dffffc0000000000 RBX: ffff8880a70ef118 RCX: 0000000000000000 RDX: 0000000000000001 RSI: 0000000000000003 RDI: 0000000000000000 RBP: ffff88809446fb98 R08: ffffffffffffffe8 R09: ffff88809446fbd8 R10: ffffed101288df61 R11: 0000000000000003 R12: ffff8880a70ef150 R13: 0000000000000286 R14: ffff88809446fc38 R15: 0000000000000000 FS: 00007fae597f1700(0000) GS:ffff8880aea00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffc60288ff8 CR3: 00000000a1b8c000 CR4: 00000000001406f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: __wake_up_common_lock+0xe5/0x140 kernel/sched/wait.c:123 __wake_up+0xe/0x10 kernel/sched/wait.c:142 io_cqring_ev_posted+0x92/0xf0 fs/io_uring.c:599 io_cqring_overflow_flush+0x60a/0xa10 fs/io_uring.c:646 io_ring_ctx_wait_and_kill+0x1ea/0x620 fs/io_uring.c:4140 io_uring_create fs/io_uring.c:4477 [inline] io_uring_setup+0x1475/0x19a0 fs/io_uring.c:4503 __do_sys_io_uring_setup fs/io_uring.c:4516 [inline] __se_sys_io_uring_setup fs/io_uring.c:4513 [inline] __x64_sys_io_uring_setup+0x4f/0x70 fs/io_uring.c:4513 do_syscall_64+0xca/0x5d0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x45a219 Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007fae597f0c78 EFLAGS: 00000246 ORIG_RAX: 00000000000001a9 RAX: ffffffffffffffda RBX: 00007fae597f0c90 RCX: 000000000045a219 RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000d0d RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007fae597f16d4 R13: 00000000004c1915 R14: 00000000004d55d8 R15: 0000000000000003 Modules linked in: ---[ end trace 350185e9b24feba4 ]--- RIP: 0010:__wake_up_common+0xdd/0x5f0 kernel/sched/wait.c:86 Code: fc 04 00 00 4c 8b 43 38 49 83 e8 18 49 8d 78 18 49 39 fc 0f 84 5c 02 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 f9 48 c1 e9 03 <80> 3c 01 00 0f 85 ef 04 00 00 49 8b 40 18 89 55 b8 31 db 49 be 00 RSP: 0018:ffff88809446fb40 EFLAGS: 00010046 RAX: dffffc0000000000 RBX: ffff8880a70ef118 RCX: 0000000000000000 RDX: 0000000000000001 RSI: 0000000000000003 RDI: 0000000000000000 RBP: ffff88809446fb98 R08: ffffffffffffffe8 R09: ffff88809446fbd8 R10: ffffed101288df61 R11: 0000000000000003 R12: ffff8880a70ef150 R13: 0000000000000286 R14: ffff88809446fc38 R15: 0000000000000000 FS: 00007fae597f1700(0000) GS:ffff8880aea00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffc60288ff8 CR3: 00000000a1b8c000 CR4: 00000000001406f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400