bisecting cause commit starting from 88b06399c9c766c283e070b022b5ceafa4f63f19 building syzkaller on da958a4d24db4dfddd875298efb23733d05272d5 testing commit 88b06399c9c766c283e070b022b5ceafa4f63f19 with gcc (GCC) 10.2.1 20210217 kernel signature: dc2d0e09867a5698534b2c637a1d2319b0d53caf835e49a89bea215126002008 all runs: crashed: BUG: unable to handle kernel paging request in corrupted testing release v5.12 testing commit 9f4ad9e425a1d3b6a34617b8ea226d56a119a717 with gcc (GCC) 10.2.1 20210217 kernel signature: 1109f9be8385a1b187df831786445ddf0445ad7ec30cbcbf6eddc2eec6f9ddc3 all runs: OK # git bisect start 88b06399c9c766c283e070b022b5ceafa4f63f19 9f4ad9e425a1d3b6a34617b8ea226d56a119a717 Bisecting: 7571 revisions left to test after this (roughly 13 steps) [c969f2451b5343a01635d35542f48bc14b44f6b3] Merge tag 'backlight-next-5.13' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/backlight testing commit c969f2451b5343a01635d35542f48bc14b44f6b3 with gcc (GCC) 10.2.1 20210217 kernel signature: ebb636c2ce66e4167ed9928c1e7b684cd16372c5554b402f9cc80aaa33f91aef all runs: crashed: BUG: unable to handle kernel paging request in corrupted # git bisect bad c969f2451b5343a01635d35542f48bc14b44f6b3 Bisecting: 3731 revisions left to test after this (roughly 12 steps) [55ba0fe059a577fa08f23223991b24564962620f] Merge tag 'for-5.13-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux testing commit 55ba0fe059a577fa08f23223991b24564962620f with gcc (GCC) 10.2.1 20210217 kernel signature: 2f2eb023e5da11d7de3db83443529ab4bd47349d11ecbbc508fae3b328fd0ab9 all runs: OK # git bisect good 55ba0fe059a577fa08f23223991b24564962620f Bisecting: 2319 revisions left to test after this (roughly 11 steps) [a1a1ca70deb3ec600eeabb21de7f3f48aaae5695] Merge tag 'drm-misc-next-fixes-2021-04-22' of git://anongit.freedesktop.org/drm/drm-misc into drm-next testing commit a1a1ca70deb3ec600eeabb21de7f3f48aaae5695 with gcc (GCC) 10.2.1 20210217 kernel signature: 4ae96a7fed8da65a1169e30336d8be6c0d15dd69bac02108f44807b89b788807 all runs: OK # git bisect good a1a1ca70deb3ec600eeabb21de7f3f48aaae5695 Bisecting: 1034 revisions left to test after this (roughly 10 steps) [3aa139aa9fdc138a84243dc49dc18d9b40e1c6e4] Merge tag 'media/v5.13-1' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media testing commit 3aa139aa9fdc138a84243dc49dc18d9b40e1c6e4 with gcc (GCC) 10.2.1 20210217 kernel signature: 0c443da1307580ed6b460aed1d5f593e34036af8987abf9fc54cbff91832327f all runs: OK # git bisect good 3aa139aa9fdc138a84243dc49dc18d9b40e1c6e4 Bisecting: 513 revisions left to test after this (roughly 9 steps) [c05a182bf45681c5529a58c71ce5647535b3ae7a] Merge tag 'for-5.13/libata-2021-04-27' of git://git.kernel.dk/linux-block testing commit c05a182bf45681c5529a58c71ce5647535b3ae7a with gcc (GCC) 10.2.1 20210217 kernel signature: 2a1d5cae9d7632a0fde44f88044350b0d47dabbf5cf2024c6fb986588c1798ce all runs: OK # git bisect good c05a182bf45681c5529a58c71ce5647535b3ae7a Bisecting: 254 revisions left to test after this (roughly 8 steps) [5a69e9bce9984806029926f405b4517878e703e2] Merge tag 'for-v5.13' of git://git.kernel.org/pub/scm/linux/kernel/git/sre/linux-power-supply testing commit 5a69e9bce9984806029926f405b4517878e703e2 with gcc (GCC) 10.2.1 20210217 kernel signature: e6f0d3830784a73994a22ea1283fd89414924e3743365bfc5f76021a5b6c15d4 all runs: crashed: BUG: unable to handle kernel paging request in corrupted # git bisect bad 5a69e9bce9984806029926f405b4517878e703e2 Bisecting: 129 revisions left to test after this (roughly 7 steps) [734551df6f9bedfbefcd113ede665945e9de0b99] io_uring: fix shared sqpoll cancellation hangs testing commit 734551df6f9bedfbefcd113ede665945e9de0b99 with gcc (GCC) 10.2.1 20210217 kernel signature: ac0c9a9d17b025d6163ca884e8a424908a224d99e5d77abdd93fa46509ec464e all runs: crashed: BUG: unable to handle kernel paging request in corrupted # git bisect bad 734551df6f9bedfbefcd113ede665945e9de0b99 Bisecting: 64 revisions left to test after this (roughly 6 steps) [40ae0ff70fb1379cb00041ef4061681e5e84e7f9] io_uring: move rsrc_put callback into io_rsrc_data testing commit 40ae0ff70fb1379cb00041ef4061681e5e84e7f9 with gcc (GCC) 10.2.1 20210217 kernel signature: e4d44413f6d672da1691f8f936f317e1f7539dc5be8fb5a6bcc2f09747779436 all runs: OK # git bisect good 40ae0ff70fb1379cb00041ef4061681e5e84e7f9 Bisecting: 32 revisions left to test after this (roughly 5 steps) [4af3417a347d06c8632346a6a9035c28b1dd94b4] io_uring: refactor compat_msghdr import testing commit 4af3417a347d06c8632346a6a9035c28b1dd94b4 with gcc (GCC) 10.2.1 20210217 kernel signature: a29d1cf219feb4655018dca11ce06453448c22774a924a1176e8657032aeb758 all runs: OK # git bisect good 4af3417a347d06c8632346a6a9035c28b1dd94b4 Bisecting: 16 revisions left to test after this (roughly 4 steps) [fd9c7bc542dae7cca3b02c77f7863823d54ddee0] io_uring: refactor hrtimer_try_to_cancel uses testing commit fd9c7bc542dae7cca3b02c77f7863823d54ddee0 with gcc (GCC) 10.2.1 20210217 kernel signature: c98939b04560eeb488ce774d44cbf8c3a53a9d1b137959cd712174a0851bcc0d all runs: OK # git bisect good fd9c7bc542dae7cca3b02c77f7863823d54ddee0 Bisecting: 8 revisions left to test after this (roughly 3 steps) [c5de00366e3e675f9e321983d9bd357c1fbea0e9] io_uring: move poll update into remove not add testing commit c5de00366e3e675f9e321983d9bd357c1fbea0e9 with gcc (GCC) 10.2.1 20210217 kernel signature: 323860e82ad3e89ff27c2cc6e0f60aee44383084c46858d44d424bae828a88f6 all runs: OK # git bisect good c5de00366e3e675f9e321983d9bd357c1fbea0e9 Bisecting: 4 revisions left to test after this (roughly 2 steps) [a7be7c23cfdd2cb57609fd2d607923a9cb2a305d] io_uring: fix merge error for async resubmit testing commit a7be7c23cfdd2cb57609fd2d607923a9cb2a305d with gcc (GCC) 10.2.1 20210217 kernel signature: 3bd6723998356f9c97f9bdadac96fa2dabd4efcd374f40d420cf8ea2d3958854 all runs: crashed: BUG: unable to handle kernel paging request in corrupted # git bisect bad a7be7c23cfdd2cb57609fd2d607923a9cb2a305d Bisecting: 1 revision left to test after this (roughly 1 step) [4e3d9ff905cd3e6fc80a1f54b89c3aca67bc72be] io_uring: put flag checking for needing req cleanup in one spot testing commit 4e3d9ff905cd3e6fc80a1f54b89c3aca67bc72be with gcc (GCC) 10.2.1 20210217 kernel signature: 41286df6ec2ff79c03dc8a90ccb7d7d539d92f1d96b55e1b687f1db0b8915fca all runs: crashed: BUG: unable to handle kernel paging request in corrupted # git bisect bad 4e3d9ff905cd3e6fc80a1f54b89c3aca67bc72be Bisecting: 0 revisions left to test after this (roughly 0 steps) [ea6a693d862d4f0edd748a1fa3fc6faf2c39afb2] io_uring: disable multishot poll for double poll add cases testing commit ea6a693d862d4f0edd748a1fa3fc6faf2c39afb2 with gcc (GCC) 10.2.1 20210217 kernel signature: 1331a8fc2014967597e6ed53eb0aa548083f740f3b4440fdb678b5a25011f076 all runs: crashed: BUG: unable to handle kernel paging request in corrupted # git bisect bad ea6a693d862d4f0edd748a1fa3fc6faf2c39afb2 ea6a693d862d4f0edd748a1fa3fc6faf2c39afb2 is the first bad commit commit ea6a693d862d4f0edd748a1fa3fc6faf2c39afb2 Author: Jens Axboe Date: Thu Apr 15 09:47:13 2021 -0600 io_uring: disable multishot poll for double poll add cases The re-add handling isn't correct for the multi wait case, so let's just disable it for now explicitly until we can get that sorted out. This just turns it into a one-shot request. Since we pass back whether or not a poll request terminates in multishot mode on completion, this should not break properly behaving applications that check for IORING_CQE_F_MORE on completion. Signed-off-by: Jens Axboe fs/io_uring.c | 6 ++++++ 1 file changed, 6 insertions(+) culprit signature: 1331a8fc2014967597e6ed53eb0aa548083f740f3b4440fdb678b5a25011f076 parent signature: 323860e82ad3e89ff27c2cc6e0f60aee44383084c46858d44d424bae828a88f6 revisions tested: 16, total time: 3h41m10.00532877s (build: 1h54m38.459086755s, test: 1h44m43.223329549s) first bad commit: ea6a693d862d4f0edd748a1fa3fc6faf2c39afb2 io_uring: disable multishot poll for double poll add cases recipients (to): ["axboe@kernel.dk" "axboe@kernel.dk" "io-uring@vger.kernel.org"] recipients (cc): ["asml.silence@gmail.com" "linux-kernel@vger.kernel.org"] crash: BUG: unable to handle kernel paging request in corrupted BUG: unable to handle page fault for address: ffffffffc1c28a40 #PF: supervisor instruction fetch in kernel mode #PF: error_code(0x0010) - not-present page PGD a68f067 P4D a68f067 PUD a691067 PMD 0 Oops: 0010 [#1] PREEMPT SMP KASAN CPU: 1 PID: 10148 Comm: iou-wrk-10147 Not tainted 5.12.0-rc7-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:0xffffffffc1c28a40 Code: Unable to access opcode bytes at RIP 0xffffffffc1c28a16. RSP: 0018:ffffc9000ac6f958 EFLAGS: 00010246 RAX: ffffffffc1c28a40 RBX: ffff888041673800 RCX: ffff888021a97380 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88802631e8c0 RBP: ffff88802631e8c0 R08: 0000000000000000 R09: 1ffff11004352e93 R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000000 R13: ffffffffc1c28a40 R14: ffff88802631e918 R15: ffff88802631e900 FS: 00007f89329a4700(0000) GS:ffff8880ba100000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffffc1c28a16 CR3: 0000000041646000 CR4: 00000000001506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: Modules linked in: CR2: ffffffffc1c28a40 ---[ end trace 156ae6410378d715 ]--- RIP: 0010:0xffffffffc1c28a40 Code: Unable to access opcode bytes at RIP 0xffffffffc1c28a16. RSP: 0018:ffffc9000ac6f958 EFLAGS: 00010246 RAX: ffffffffc1c28a40 RBX: ffff888041673800 RCX: ffff888021a97380 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88802631e8c0 RBP: ffff88802631e8c0 R08: 0000000000000000 R09: 1ffff11004352e93 R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000000 R13: ffffffffc1c28a40 R14: ffff88802631e918 R15: ffff88802631e900 FS: 00007f89329a4700(0000) GS:ffff8880ba100000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffffc1c28a16 CR3: 0000000041646000 CR4: 00000000001506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400