ci2 starts bisection 2023-09-01 11:54:10.387202083 +0000 UTC m=+66761.269573373
bisecting cause commit starting from 99d99825fc075fd24b60cc9cf0fb1e20b9c16b0f
building syzkaller on 696ea0d2f4fdaa17db929e152edba19bf7666d84
ensuring issue is reproducible on original commit 99d99825fc075fd24b60cc9cf0fb1e20b9c16b0f
testing commit 99d99825fc075fd24b60cc9cf0fb1e20b9c16b0f gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 04dc8bab4b2c7114b1b6a8f6958c59b4d16ee991ddbcf9f0d79ee4743497af6b
all runs: crashed: general protection fault in io_uring_show_fdinfo
representative crash: general protection fault in io_uring_show_fdinfo, types: [UNKNOWN]
check whether we can drop unnecessary instrumentation
disabling configs for [BUG KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit 99d99825fc075fd24b60cc9cf0fb1e20b9c16b0f gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e182f7e04d86905b5ae14342f16c6c92e630fbe2e44185e328c17592a25b9b56
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_fdinfo
representative crash: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_fdinfo, types: [UNKNOWN]
the bug reproduces without the instrumentation
disabling configs for [BUG KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
kconfig minimization: base=3876 full=7669 leaves diff=2017
split chunks (needed=false): <2017>
split chunk #0 of len 2017 into 5 parts
testing without sub-chunk 1/5
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG KASAN], they are not needed
testing commit 99d99825fc075fd24b60cc9cf0fb1e20b9c16b0f gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: de1bc9e1e956547e62c2381b1caee8d1e488f4669abe8ee97cf2ff4666f78e32
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_fdinfo
representative crash: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_fdinfo, types: [UNKNOWN]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [HANG LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 99d99825fc075fd24b60cc9cf0fb1e20b9c16b0f gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d2701eacd4cdcc392fa2ffb3ea96394a7e4d16ff19aec144e9ea87f943584c4e
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_fdinfo
representative crash: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_fdinfo, types: [UNKNOWN]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP HANG], they are not needed
testing commit 99d99825fc075fd24b60cc9cf0fb1e20b9c16b0f gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 28d71a28fbd6e74ff2afa20e00c931943f0c66847d0784fa8bddeed19df229ee
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_fdinfo
representative crash: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_fdinfo, types: [UNKNOWN]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [HANG LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 99d99825fc075fd24b60cc9cf0fb1e20b9c16b0f gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 0b9b857c8593990b9f67e26049f9ac86de25ec2d1363484a4577b6d4c23edd3f
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_fdinfo
representative crash: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_fdinfo, types: [UNKNOWN]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [HANG LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 99d99825fc075fd24b60cc9cf0fb1e20b9c16b0f gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 919f06335514b07fd4c648b8f3ac816563ac75887224ef5c85b11dda7dab34c6
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_fdinfo
representative crash: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_fdinfo, types: [UNKNOWN]
the chunk can be dropped
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG KASAN], they are not needed
picked [v6.5 v6.4 v6.3 v6.1 v5.19 v5.17 v5.15 v5.13 v5.10 v5.7 v5.4 v5.1 v4.19] out of %!d(MISSING) release tags
testing release v6.5
testing commit 2dde18cd1d8fac735875f2e4987f11817cc0bc2c gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: df1ba160f86c1465ce7bdeec0f37062ebba5276f273fd977c77731871dfb3e86
all runs: OK
false negative chance: 0.000
# git bisect start 99d99825fc075fd24b60cc9cf0fb1e20b9c16b0f 2dde18cd1d8fac735875f2e4987f11817cc0bc2c
Bisecting: 4651 revisions left to test after this (roughly 12 steps)
[adfd671676c922bada16477eb68b5eb5f065addc] Merge tag 'sysctl-6.6-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/mcgrof/linux
testing commit adfd671676c922bada16477eb68b5eb5f065addc gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 9a6b759aa50f93baad167a34be1445dd6f447300a69b9d7df8f1f8172a1779b7
all runs: OK
false negative chance: 0.000
# git bisect good adfd671676c922bada16477eb68b5eb5f065addc
Bisecting: 2151 revisions left to test after this (roughly 11 steps)
[4fb0dacb78c6a041bbd38ddd998df806af5c2c69] Merge tag 'sound-6.6-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound
testing commit 4fb0dacb78c6a041bbd38ddd998df806af5c2c69 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 5bc7b389a760d9a4a658ebe25d80c5e3cefee330719a83ec6dff99a042d9f9da
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_fdinfo
representative crash: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_fdinfo, types: [UNKNOWN]
# git bisect bad 4fb0dacb78c6a041bbd38ddd998df806af5c2c69
Bisecting: 1274 revisions left to test after this (roughly 10 steps)
[cfd48ad8c4a9137b0fde7f0ecf463d44b01875dc] drm/i915: Fix HPD polling, reenabling the output poll work as needed
testing commit cfd48ad8c4a9137b0fde7f0ecf463d44b01875dc gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: be408d077d543555a2719cf46545c90451e8ad736b02bb2c3049d1e2d4618cff
all runs: OK
false negative chance: 0.000
# git bisect good cfd48ad8c4a9137b0fde7f0ecf463d44b01875dc
Bisecting: 675 revisions left to test after this (roughly 9 steps)
[199cd64140f222c66b68ebe288a3fcd0570e2e41] ASoC: soc-core.c: Do not error if a DAI link component is not found
testing commit 199cd64140f222c66b68ebe288a3fcd0570e2e41 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ba2ef11e225101f5c8f1b1ef2479d2036965bbd415b5d5dba852b326847c5f0e
all runs: OK
false negative chance: 0.000
# git bisect good 199cd64140f222c66b68ebe288a3fcd0570e2e41
Bisecting: 345 revisions left to test after this (roughly 8 steps)
[63580f669d7ff5aa5a1fa2e3994114770a491722] Merge tag 'ovl-update-6.6' of git://git.kernel.org/pub/scm/linux/kernel/git/overlayfs/vfs
testing commit 63580f669d7ff5aa5a1fa2e3994114770a491722 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 3aa09af225aec7625b5213ce0c2a413aff6568bf554670f5ce8862907e58cf1c
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_fdinfo
representative crash: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_fdinfo, types: [UNKNOWN]
# git bisect bad 63580f669d7ff5aa5a1fa2e3994114770a491722
Bisecting: 164 revisions left to test after this (roughly 7 steps)
[3d3dfeb3aec7b612d266d500c82054f1fded4980] Merge tag 'for-6.6/block-2023-08-28' of git://git.kernel.dk/linux
testing commit 3d3dfeb3aec7b612d266d500c82054f1fded4980 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 7f76fd73bdd3a90824b0b14145c65b1e900190a81ea5ebe61de175bb99b24c73
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_fdinfo
representative crash: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_fdinfo, types: [UNKNOWN]
# git bisect bad 3d3dfeb3aec7b612d266d500c82054f1fded4980
Bisecting: 82 revisions left to test after this (roughly 6 steps)
[e24721e441a7c640e4e7b2b63c23c06d9a750880] ublk: fix 'warn: variable dereferenced before check 'req'' from Smatch
testing commit e24721e441a7c640e4e7b2b63c23c06d9a750880 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: c27d9f7711665956dd88de3ff5a2f5be9dae8278fef312ea713239bb8b48060b
all runs: OK
false negative chance: 0.000
# git bisect good e24721e441a7c640e4e7b2b63c23c06d9a750880
Bisecting: 41 revisions left to test after this (roughly 5 steps)
[e5598d6ae62626d261b046a2f19347c38681ff51] io_uring: compact SQ/CQ heads/tails
testing commit e5598d6ae62626d261b046a2f19347c38681ff51 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: c37f2a5c43be1f622da1e0b02a09c96d6a7d83c817aec61087ba1486a5575a56
all runs: OK
false negative chance: 0.000
# git bisect good e5598d6ae62626d261b046a2f19347c38681ff51
Bisecting: 20 revisions left to test after this (roughly 4 steps)
[c069da449a13669ffa754fd971747e7e17e7d691] md/raid1: hold the barrier until handle_read_error() finishes
testing commit c069da449a13669ffa754fd971747e7e17e7d691 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 1bc1aed9126d1a05e3a089321486c2299dc7a9eaab9c3e6e8deafb195007a968
all runs: OK
false negative chance: 0.000
# git bisect good c069da449a13669ffa754fd971747e7e17e7d691
Bisecting: 10 revisions left to test after this (roughly 3 steps)
[9fb10726ecc5145550180aec4fd0adf0a7b1d634] block: sed-opal: Implement IOC_OPAL_DISCOVERY
testing commit 9fb10726ecc5145550180aec4fd0adf0a7b1d634 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: bdcca36a11f01dc1f20b0ae5fb9d4d71d2ba5dd249a00646f9c5c3a0a1e21c53
all runs: OK
false negative chance: 0.000
# git bisect good 9fb10726ecc5145550180aec4fd0adf0a7b1d634
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[0aa7aa5f766933d4f91b22d9658cd688e1f15dab] io_uring: move multishot cqe cache in ctx
testing commit 0aa7aa5f766933d4f91b22d9658cd688e1f15dab gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: b9d4fcf5b6388eb70f0dc2d97a4327b15cbc62f06ff3110f62f85d548071f0a4
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_fdinfo
representative crash: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_fdinfo, types: [UNKNOWN]
# git bisect bad 0aa7aa5f766933d4f91b22d9658cd688e1f15dab
Bisecting: 2 revisions left to test after this (roughly 1 step)
[d7f06fea5d6be78403d42c9637f67bc883870094] io_uring: move non aligned field to the end
testing commit d7f06fea5d6be78403d42c9637f67bc883870094 gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 3e60bb6a35ec011718cc4613b56f026f6ec49223e1ade0d7012b48c5439b149c
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_fdinfo
representative crash: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_fdinfo, types: [UNKNOWN]
# git bisect bad d7f06fea5d6be78403d42c9637f67bc883870094
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[2af89abda7d9c2aeb573677e2c498ddb09f8058a] io_uring: add option to remove SQ indirection
testing commit 2af89abda7d9c2aeb573677e2c498ddb09f8058a gcc compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 089df1c19ba5c179d3b3b25bd44352e5e13234ba2419b392a4b42aef3170b9e4
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_fdinfo
representative crash: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_fdinfo, types: [UNKNOWN]
# git bisect bad 2af89abda7d9c2aeb573677e2c498ddb09f8058a
2af89abda7d9c2aeb573677e2c498ddb09f8058a is the first bad commit
commit 2af89abda7d9c2aeb573677e2c498ddb09f8058a
Author: Pavel Begunkov
Date:   Thu Aug 24 23:53:32 2023 +0100

    io_uring: add option to remove SQ indirection

    Not many are aware, but io_uring submission queue has two levels. The first
    level usually appears as sq_array and stores indexes into the actual SQ.

    To my knowledge, no one has ever seriously used it, nor does liburing expose
    it to users. Add IORING_SETUP_NO_SQARRAY, when set we don't bother creating
    and using the sq_array and SQ heads/tails will be pointing directly into
    the SQ. Improves memory footprint, in terms of both allocations as well as
    cache usage, and also should make io_get_sqe() less branchy in the end.

    Signed-off-by: Pavel Begunkov
    Link: https://lore.kernel.org/r/0ffa3268a5ef61d326201ff43a233315c96312e0.1692916914.git.asml.silence@gmail.com
    Signed-off-by: Jens Axboe

 include/uapi/linux/io_uring.h |  5 +++++
 io_uring/io_uring.c           | 52 ++++++++++++++++++++++++++-----------------
 2 files changed, 37 insertions(+), 20 deletions(-)

accumulated error probability: 0.00
culprit signature: 089df1c19ba5c179d3b3b25bd44352e5e13234ba2419b392a4b42aef3170b9e4
parent signature: c37f2a5c43be1f622da1e0b02a09c96d6a7d83c817aec61087ba1486a5575a56
revisions tested: 21, total time: 3h1m19.036860952s (build: 1h5m7.901971467s, test: 1h46m49.963980934s)
first bad commit: 2af89abda7d9c2aeb573677e2c498ddb09f8058a io_uring: add option to remove SQ indirection
recipients (to): ["asml.silence@gmail.com" "axboe@kernel.dk"]
recipients (cc): []
crash: BUG: unable to handle kernel NULL pointer dereference in io_uring_show_fdinfo

BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 103ba8067 P4D 103ba8067 PUD 103bd4067 PMD 0
Oops: 0000 [#1] PREEMPT SMP
CPU: 1 PID: 1838 Comm: syz-executor.0 Not tainted 6.5.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
RIP: 0010:io_uring_show_fdinfo+0x15c/0x6d0 io_uring/fdinfo.c:96
Code: 83 e0 01 89 44 24 28 45 31 ff 48 89 5c 24 30 48 89 6c 24 18 44 89 64 24 2c 41 8d 04 2f 49 8b 8d d0 00 00 00 8b 54 24 04 21 d0 <44> 8b 2c 81 41 39 d5 0f 87 ad 00 00 00 44 89 ed 8b 4c 24 28 d3 e5
RSP: 0018:ffffc90001977dc0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff888104300000 RCX: 0000000000000000
RDX: 0000000000003fff RSI: ffffffff8210b865 RDI: ffff888101bd3099
RBP: 0000000000000000 R08: ffff0a00ffffff00 R09: 00000000ffff0a00
R10: 0000001000000000 R11: 0000000400000001 R12: 0000000000000001
R13: ffff88810aa70000 R14: ffff88810928c0e8 R15: 0000000000000000
FS:  00007fd8542af6c0(0000) GS:ffff888237d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000103b92000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 seq_show+0x190/0x1d0 fs/proc/fd.c:70
 traverse+0x9d/0x1a0 fs/seq_file.c:111
 seq_lseek+0x5a/0xc0 fs/seq_file.c:323
 vfs_llseek fs/read_write.c:289 [inline]
 ksys_lseek fs/read_write.c:302 [inline]
 __do_sys_lseek fs/read_write.c:313 [inline]
 __se_sys_lseek fs/read_write.c:311 [inline]
 __x64_sys_lseek+0x54/0x90 fs/read_write.c:311
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x41/0x90 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fd85472cae9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fd8542af0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000008
RAX: ffffffffffffffda RBX: 00007fd85484bf80 RCX: 00007fd85472cae9
RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000005
RBP: 00007fd85477847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000006 R14: 00007fd85484bf80 R15: 00007ffc1f53e308
Modules linked in:
CR2: 0000000000000000
---[ end trace 0000000000000000 ]---
RIP: 0010:io_uring_show_fdinfo+0x15c/0x6d0 io_uring/fdinfo.c:96
Code: 83 e0 01 89 44 24 28 45 31 ff 48 89 5c 24 30 48 89 6c 24 18 44 89 64 24 2c 41 8d 04 2f 49 8b 8d d0 00 00 00 8b 54 24 04 21 d0 <44> 8b 2c 81 41 39 d5 0f 87 ad 00 00 00 44 89 ed 8b 4c 24 28 d3 e5
RSP: 0018:ffffc90001977dc0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff888104300000 RCX: 0000000000000000
RDX: 0000000000003fff RSI: ffffffff8210b865 RDI: ffff888101bd3099
RBP: 0000000000000000 R08: ffff0a00ffffff00 R09: 00000000ffff0a00
R10: 0000001000000000 R11: 0000000400000001 R12: 0000000000000001
R13: ffff88810aa70000 R14: ffff88810928c0e8 R15: 0000000000000000
FS:  00007fd8542af6c0(0000) GS:ffff888237d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000103b92000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:   83 e0 01                and    $0x1,%eax
   3:   89 44 24 28             mov    %eax,0x28(%rsp)
   7:   45 31 ff                xor    %r15d,%r15d
   a:   48 89 5c 24 30          mov    %rbx,0x30(%rsp)
   f:   48 89 6c 24 18          mov    %rbp,0x18(%rsp)
  14:   44 89 64 24 2c          mov    %r12d,0x2c(%rsp)
  19:   41 8d 04 2f             lea    (%r15,%rbp,1),%eax
  1d:   49 8b 8d d0 00 00 00    mov    0xd0(%r13),%rcx
  24:   8b 54 24 04             mov    0x4(%rsp),%edx
  28:   21 d0                   and    %edx,%eax
* 2a:   44 8b 2c 81             mov    (%rcx,%rax,4),%r13d              <-- trapping instruction
  2e:   41 39 d5                cmp    %edx,%r13d
  31:   0f 87 ad 00 00 00       ja     0xe4
  37:   44 89 ed                mov    %r13d,%ebp
  3a:   8b 4c 24 28             mov    0x28(%rsp),%ecx
  3e:   d3 e5                   shl    %cl,%ebp
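Reading the fault against the culprit commit: the disassembly loads a pointer field of the ring context (0xd0(%r13), with %r13 the context) into %rcx, which the register dump shows as 0, masks the entry index with the value in %edx (RDX = 0x3fff, the sq_mask of a 16384-entry SQ), and reads a 32-bit index through that pointer, which is the trapping `mov (%rcx,%rax,4),%r13d`. That is the sq_array lookup; the commit message above says that with IORING_SETUP_NO_SQARRAY no sq_array is created, so the fdinfo walk reached by `lseek` on the fd's /proc fdinfo file (seq_lseek -> traverse -> seq_show in the call trace) dereferences NULL. The `cmp %edx,%r13d; ja` after the load is the `sq_idx > sq_mask` bounds check, which comes too late to help. The following is an added example and not kernel code, nor code from the io_uring project or the bisection log: a user-space model of the two submission-queue layouts the commit describes, the consumer path that follows the head directly when there is no sq_array, and an fdinfo-style walker in both the unchecked shape the disassembly shows and the flag-checked shape a reviewer would ask for. The `model_*` and `demo_*` names, the reduction of an SQE to its user_data, and the non-identity slot permutation are assumptions of this example; the IORING_SETUP_NO_SQARRAY value is the one in the 6.6 uAPI header and is kept behind `#ifndef` so a system header takes precedence.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#ifndef IORING_SETUP_NO_SQARRAY
#define IORING_SETUP_NO_SQARRAY (1U << 16) /* value from the 6.6 uAPI header */
#endif

/* Assumed model of the io_ring_ctx fields that matter here (not the real struct). */
struct model_ctx {
	uint32_t flags;     /* IORING_SETUP_* */
	uint32_t sq_mask;   /* sq_entries - 1, sq_entries a power of two */
	uint32_t sq_head;   /* consumer index, advanced by the "kernel" side */
	uint32_t sq_tail;   /* producer index, advanced by the application */
	uint32_t *sq_array; /* first level: ring index -> SQE slot; NULL with NO_SQARRAY */
	uint64_t *sqes;     /* second level: SQE slots, reduced to user_data */
};

static struct model_ctx *model_setup(uint32_t entries, uint32_t flags)
{
	struct model_ctx *ctx;

	if (!entries || (entries & (entries - 1)))
		return NULL;
	ctx = calloc(1, sizeof(*ctx));
	if (!ctx)
		return NULL;
	ctx->flags = flags;
	ctx->sq_mask = entries - 1;
	ctx->sqes = calloc(entries, sizeof(*ctx->sqes));
	/* The commit's change: with the flag set, no sq_array is allocated at all. */
	if (!(flags & IORING_SETUP_NO_SQARRAY))
		ctx->sq_array = calloc(entries, sizeof(*ctx->sq_array));
	return ctx;
}

static void model_free(struct model_ctx *ctx)
{
	if (ctx) {
		free(ctx->sq_array);
		free(ctx->sqes);
		free(ctx);
	}
}

/* Application side: queue one SQE, return the slot it was written to. */
static uint32_t model_submit(struct model_ctx *ctx, uint64_t user_data)
{
	uint32_t ring_idx = ctx->sq_tail & ctx->sq_mask;
	uint32_t slot = ring_idx;

	if (ctx->sq_array) {
		/* Two-level layout: any slot may hold the SQE, sq_array records which.
		 * Assumed non-identity permutation, so the indirection is visible. */
		slot = (ring_idx * 7 + 3) & ctx->sq_mask;
		ctx->sq_array[ring_idx] = slot;
	}
	ctx->sqes[slot] = user_data;
	ctx->sq_tail++;
	return slot;
}

/* Consumer side, the shape the commit message gives for io_get_sqe():
 * without sq_array the head indexes the SQ directly. */
static uint64_t model_get_sqe(struct model_ctx *ctx)
{
	uint32_t ring_idx = ctx->sq_head & ctx->sq_mask;
	uint32_t slot = ctx->sq_array ? ctx->sq_array[ring_idx] : ring_idx;

	ctx->sq_head++;
	return ctx->sqes[slot];
}

/* fdinfo-style walk of the pending entries in the shape the disassembly shows:
 * sq_array is read unconditionally, then the index is bounds-checked. With
 * NO_SQARRAY the first read goes through a NULL pointer, as in the Oops.
 * Only call this on a ring that has an sq_array. */
static int walk_sq_unchecked(const struct model_ctx *ctx, uint64_t *out, size_t max)
{
	size_t n = 0;

	for (uint32_t entry = ctx->sq_head; entry != ctx->sq_tail && n < max; entry++) {
		uint32_t sq_idx = ctx->sq_array[entry & ctx->sq_mask]; /* NULL read with NO_SQARRAY */

		if (sq_idx > ctx->sq_mask)
			continue;
		out[n++] = ctx->sqes[sq_idx];
	}
	return (int)n;
}

/* Same walk with the check the new flag requires: consult sq_array only when
 * the ring was created with one. */
static int walk_sq_checked(const struct model_ctx *ctx, uint64_t *out, size_t max)
{
	size_t n = 0;

	for (uint32_t entry = ctx->sq_head; entry != ctx->sq_tail && n < max; entry++) {
		uint32_t sq_idx = entry & ctx->sq_mask;

		if (!(ctx->flags & IORING_SETUP_NO_SQARRAY))
			sq_idx = ctx->sq_array[sq_idx];
		if (sq_idx > ctx->sq_mask)
			continue;
		out[n++] = ctx->sqes[sq_idx];
	}
	return (int)n;
}

/* Slot used by the first submission on an 8-entry ring: 3 with sq_array
 * (the assumed permutation), 0 with NO_SQARRAY (ring index == slot). */
static uint32_t demo_first_slot(uint32_t flags)
{
	struct model_ctx *ctx = model_setup(8, flags);
	uint32_t slot = model_submit(ctx, 1);

	model_free(ctx);
	return slot;
}

/* Queue `count` entries on an 8-entry ring, then confirm the checked walker and
 * the consumer both see them in submission order and the ring drains. */
static bool demo_roundtrip(uint32_t flags, uint32_t count)
{
	struct model_ctx *ctx = model_setup(8, flags);
	uint64_t seen[8];
	bool ok = ctx && count <= 8;

	for (uint32_t i = 0; ok && i < count; i++)
		model_submit(ctx, 0x1000 + i);
	ok = ok && walk_sq_checked(ctx, seen, 8) == (int)count;
	for (uint32_t i = 0; ok && i < count; i++)
		ok = seen[i] == 0x1000 + i && model_get_sqe(ctx) == 0x1000 + i;
	ok = ok && ctx->sq_head == ctx->sq_tail;
	model_free(ctx);
	return ok;
}

int main(void)
{
	struct model_ctx *ctx = model_setup(8, 0);
	uint64_t out[8];

	printf("indexed ring: first SQE in slot %u, unchecked walk sees %d\n",
	       model_submit(ctx, 7), walk_sq_unchecked(ctx, out, 8));
	model_free(ctx);
	ctx = model_setup(8, IORING_SETUP_NO_SQARRAY);
	/* walk_sq_unchecked(ctx, out, 8) would read sq_array == NULL here. */
	printf("NO_SQARRAY ring: first SQE in slot %u, checked walk sees %d\n",
	       model_submit(ctx, 7), walk_sq_checked(ctx, out, 8));
	model_free(ctx);
	printf("roundtrip ok: indexed %d, direct %d\n",
	       demo_roundtrip(0, 5), demo_roundtrip(IORING_SETUP_NO_SQARRAY, 5));
	return 0;
}
```

The point the model makes for review: every path that was written against the two-level layout (here the fdinfo walker, in the kernel any reader of `sq_array`) has to be keyed on the setup flag once the flag can leave the pointer NULL, and the existing `sq_idx > sq_mask` check after the load does not cover that case.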