bisecting cause commit starting from 8515d05bf6bcdc8873c576ae6a721985389a3bd1 building syzkaller on ee339263ba6b1a08006ea3e8e1862e15181a640d testing commit 8515d05bf6bcdc8873c576ae6a721985389a3bd1 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: bfbf4f9f679e19ddf85e6932c8f62a4f741cee7dbee034cdae5073238d465f03 run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: exit status NUM run #1: crashed: general protection fault in dma_fence_array_first run #2: crashed: general protection fault in dma_fence_array_first run #3: crashed: general protection fault in dma_fence_array_first run #4: crashed: general protection fault in dma_fence_array_first run #5: crashed: general protection fault in dma_fence_array_first run #6: crashed: general protection fault in dma_fence_array_first run #7: crashed: general protection fault in dma_fence_array_first run #8: crashed: general protection fault in dma_fence_array_first run #9: crashed: general protection fault in dma_fence_array_first run #10: crashed: general protection fault in dma_fence_array_first run #11: crashed: general protection fault in dma_fence_array_first run #12: crashed: general protection fault in dma_fence_array_first run #13: crashed: general protection fault in dma_fence_array_first run #14: crashed: general protection fault in dma_fence_array_first run #15: crashed: general protection fault in dma_fence_array_first run #16: crashed: general protection fault in dma_fence_array_first run #17: crashed: general protection fault in dma_fence_array_first run #18: crashed: general protection fault in dma_fence_array_first run #19: crashed: general protection fault in dma_fence_array_first testing release v5.17 testing commit f443e374ae131c168a065ea1748feac6b2e76613 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 21d24be8e5306336f0546eb444d21b1ee62903c3992abaddb6bd7ea7e68dd8b2 all runs: OK # git bisect start 8515d05bf6bcdc8873c576ae6a721985389a3bd1 f443e374ae131c168a065ea1748feac6b2e76613 Bisecting: 7041 revisions left to test after this (roughly 13 steps) [169e77764adc041b1dacba84ea90516a895d43b2] Merge tag 'net-next-5.18' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next testing commit 169e77764adc041b1dacba84ea90516a895d43b2 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 5d0832c2813f2c35ae27823b51a67f2ca3d09978cd1e0e2b21a51886bfbfdef4 run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: exit status NUM run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect good 169e77764adc041b1dacba84ea90516a895d43b2 Bisecting: 3456 revisions left to test after this (roughly 12 steps) [710f5d627a98e86f821aceb840b8f2f1fcc6cf75] Merge tag 'usb-5.18-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb testing commit 710f5d627a98e86f821aceb840b8f2f1fcc6cf75 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: a97d7045da92a8cd3a16d65f5cf709fd2ca134dc99a32682abb9150c4f17bc41 all runs: OK # git bisect good 710f5d627a98e86f821aceb840b8f2f1fcc6cf75 Bisecting: 1716 revisions left to test after this (roughly 11 steps) [d3e20c27fd1e68eaf548b81dbebc204ac6ad431d] Merge branch 'tty-next' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty.git testing commit d3e20c27fd1e68eaf548b81dbebc204ac6ad431d compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 7948e2254e64c642ccdd1512f1b9c6de74c5b8ad07c51b2583a6b5b067ae3157 all runs: crashed: general protection fault in dma_fence_array_first # git bisect bad d3e20c27fd1e68eaf548b81dbebc204ac6ad431d Bisecting: 869 revisions left to test after this (roughly 10 steps) [3bcf9ef9335b1d83128e7faa60a261749ae553b4] Merge branch 'h8300-next' of git://git.sourceforge.jp/gitroot/uclinux-h8/linux.git testing commit 3bcf9ef9335b1d83128e7faa60a261749ae553b4 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: a744be365dd4efcb29f2cd143914a4e7cb69a66d4ab2f88ed95a9ccaa17c64db all runs: OK # git bisect good 3bcf9ef9335b1d83128e7faa60a261749ae553b4 Bisecting: 451 revisions left to test after this (roughly 9 steps) [be6f51b8e2bda6149c2cf83820cb33747f03d0df] Merge branch 'for-linux-next' of git://anongit.freedesktop.org/drm/drm-misc testing commit be6f51b8e2bda6149c2cf83820cb33747f03d0df compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 555f94e9389fd7290b5b7044703fbd4b9f6477c1e638fbc6502f9dd7a24905d2 all runs: crashed: general protection fault in dma_fence_array_first # git bisect bad be6f51b8e2bda6149c2cf83820cb33747f03d0df Bisecting: 163 revisions left to test after this (roughly 8 steps) [4b284f3617902146c02b33df7d56b83a0916a086] Merge branch 'linux-next' of git://git.linux-nfs.org/projects/trondmy/nfs-2.6.git testing commit 4b284f3617902146c02b33df7d56b83a0916a086 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: ffb692a7797e3b11c2e0263d3b5b233a67a9ad9f9153660eb9653b88b459d588 all runs: OK # git bisect good 4b284f3617902146c02b33df7d56b83a0916a086 Bisecting: 89 revisions left to test after this (roughly 6 steps) [9fedf3f20599e6cd127cbf04d6646f63f3b9ab07] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid.git testing commit 9fedf3f20599e6cd127cbf04d6646f63f3b9ab07 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: e8df5d08ba8d5f4ef267fe1f9e17111528c6604035d16dbcd822b82d177bf398 run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: exit status NUM run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect good 9fedf3f20599e6cd127cbf04d6646f63f3b9ab07 Bisecting: 56 revisions left to test after this (roughly 6 steps) [d7c37bca37f841711ee192e341fae44f54e6f6be] Merge branch 'pm-docs' into linux-next testing commit d7c37bca37f841711ee192e341fae44f54e6f6be compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 2692bc2d76a82441d3d83fad3bc47aeb31d4725dc8800a1bfa9e028727d0be22 all runs: OK # git bisect good d7c37bca37f841711ee192e341fae44f54e6f6be Bisecting: 26 revisions left to test after this (roughly 5 steps) [10fab9deb685d0030ad75d2073a431356e4bdf01] Merge branch 'i3c/next' of git://git.kernel.org/pub/scm/linux/kernel/git/i3c/linux.git testing commit 10fab9deb685d0030ad75d2073a431356e4bdf01 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 112ec70212b0496960655501abb288e0241b3a66aa444389abd97bf941359a06 all runs: OK # git bisect good 10fab9deb685d0030ad75d2073a431356e4bdf01 Bisecting: 13 revisions left to test after this (roughly 4 steps) [9eb1950bb6f4bc0880210be05e674ad35aa43d5c] PM / devfreq: rk3399_dmc: Avoid static (reused) profile testing commit 9eb1950bb6f4bc0880210be05e674ad35aa43d5c compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 6af51db671ca80f93e2802fef45d1dc7c8ad4e4bf5ad5debd808229b504943c8 all runs: OK # git bisect good 9eb1950bb6f4bc0880210be05e674ad35aa43d5c Bisecting: 6 revisions left to test after this (roughly 3 steps) [6d02585611eea6c1a8f02fdef1c3b06898a7abf0] Merge branch 'thermal/linux-next' of git://git.kernel.org/pub/scm/linux/kernel/git/thermal/linux.git testing commit 6d02585611eea6c1a8f02fdef1c3b06898a7abf0 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: eda3443d82c21b534265b5bec596be31925d4fda2c18a539e910cebf2abe723d all runs: OK # git bisect good 6d02585611eea6c1a8f02fdef1c3b06898a7abf0 Bisecting: 3 revisions left to test after this (roughly 2 steps) [519f490db07e1a539490612f376487f61e48e39c] dma-buf/sync-file: fix warning about fence containers testing commit 519f490db07e1a539490612f376487f61e48e39c compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 121019adcb798d55a790d7b6b0014b2b42fb028b23c023a6a957af9676de4bdf all runs: crashed: general protection fault in dma_fence_array_first # git bisect bad 519f490db07e1a539490612f376487f61e48e39c Bisecting: 0 revisions left to test after this (roughly 1 step) [64a8f92fd783e750cdb81af75942dcd53bbf61bd] dma-buf: add dma_fence_unwrap v2 testing commit 64a8f92fd783e750cdb81af75942dcd53bbf61bd compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 983c9f7bdf32815fd5500a3ed5bf3cee0aea39d29193f01eed8a0ebc9d3310ef all runs: OK # git bisect good 64a8f92fd783e750cdb81af75942dcd53bbf61bd 519f490db07e1a539490612f376487f61e48e39c is the first bad commit commit 519f490db07e1a539490612f376487f61e48e39c Author: Christian König Date: Fri Mar 11 10:32:26 2022 +0100 dma-buf/sync-file: fix warning about fence containers The dma_fence_chain containers can show up in sync_files as well resulting in warnings that those can't be added to dma_fence_array containers when merging multiple sync_files together. Solve this by using the dma_fence_unwrap iterator to deep dive into the contained fences and then add those flatten out into a dma_fence_array. Signed-off-by: Christian König Reviewed-by: Daniel Vetter Link: https://patchwork.freedesktop.org/patch/msgid/20220311110244.1245-2-christian.koenig@amd.com drivers/dma-buf/sync_file.c | 141 +++++++++++++++++++++++--------------------- 1 file changed, 73 insertions(+), 68 deletions(-) culprit signature: 121019adcb798d55a790d7b6b0014b2b42fb028b23c023a6a957af9676de4bdf parent signature: 983c9f7bdf32815fd5500a3ed5bf3cee0aea39d29193f01eed8a0ebc9d3310ef revisions tested: 15, total time: 3h15m24.891053751s (build: 2h33m54.560900839s, test: 39m42.364172046s) first bad commit: 519f490db07e1a539490612f376487f61e48e39c dma-buf/sync-file: fix warning about fence containers recipients (to): ["christian.koenig@amd.com" "christian.koenig@amd.com" "daniel.vetter@ffwll.ch" "dri-devel@lists.freedesktop.org" "linaro-mm-sig@lists.linaro.org" "linux-media@vger.kernel.org" "sumit.semwal@linaro.org"] recipients (cc): ["gustavo@padovan.org" "linux-kernel@vger.kernel.org"] crash: general protection fault in dma_fence_array_first general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] CPU: 1 PID: 4051 Comm: syz-executor410 Not tainted 5.17.0-rc6-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:dma_fence_array_first+0x67/0x90 drivers/dma-buf/dma-fence-array.c:234 Code: 00 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 75 37 48 8b 9b 88 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 <80> 3c 02 00 75 0f 48 8b 03 5b c3 31 c0 c3 e8 d6 d4 81 fd eb a8 48 RSP: 0018:ffffc9000272fd60 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: 0000000000000010 RCX: ffffffff842958a2 RDX: 0000000000000002 RSI: 0000000000000004 RDI: ffff888011dedf88 RBP: ffff888011dedf00 R08: 0000000000000001 R09: ffff888011dedf3b R10: ffffed10023bdbe7 R11: 0000000000000001 R12: ffff888011dedd90 R13: ffff888011dedf38 R14: ffff888076a2ea00 R15: 0000000000000000 FS: 00005555571ae300(0000) GS:ffff8880b9f00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020001528 CR3: 0000000017620000 CR4: 00000000003506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: __dma_fence_unwrap_array include/linux/dma-fence-unwrap.h:42 [inline] dma_fence_unwrap_first include/linux/dma-fence-unwrap.h:57 [inline] sync_file_ioctl_fence_info drivers/dma-buf/sync_file.c:414 [inline] sync_file_ioctl+0x1ca/0x1c60 drivers/dma-buf/sync_file.c:477 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:874 [inline] __se_sys_ioctl fs/ioctl.c:860 [inline] __x64_sys_ioctl+0x11f/0x190 fs/ioctl.c:860 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0x80 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7fa133515ce9 Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fff70bfe7a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa133515ce9 RDX: 0000000020001840 RSI: 00000000c0383e04 RDI: 0000000000000007 RBP: 00007fa1334d9e90 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007fa1334d9f20 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:dma_fence_array_first+0x67/0x90 drivers/dma-buf/dma-fence-array.c:234 Code: 00 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 75 37 48 8b 9b 88 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 <80> 3c 02 00 75 0f 48 8b 03 5b c3 31 c0 c3 e8 d6 d4 81 fd eb a8 48 RSP: 0018:ffffc9000272fd60 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: 0000000000000010 RCX: ffffffff842958a2 RDX: 0000000000000002 RSI: 0000000000000004 RDI: ffff888011dedf88 RBP: ffff888011dedf00 R08: 0000000000000001 R09: ffff888011dedf3b R10: ffffed10023bdbe7 R11: 0000000000000001 R12: ffff888011dedd90 R13: ffff888011dedf38 R14: ffff888076a2ea00 R15: 0000000000000000 FS: 00005555571ae300(0000) GS:ffff8880b9f00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020001528 CR3: 0000000017620000 CR4: 00000000003506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 ---------------- Code disassembly (best guess), 4 bytes skipped: 0: df 48 89 fisttps -0x77(%rax) 3: fa cli 4: 48 c1 ea 03 shr $0x3,%rdx 8: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) c: 75 37 jne 0x45 e: 48 8b 9b 88 00 00 00 mov 0x88(%rbx),%rbx 15: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax 1c: fc ff df 1f: 48 89 da mov %rbx,%rdx 22: 48 c1 ea 03 shr $0x3,%rdx * 26: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) <-- trapping instruction 2a: 75 0f jne 0x3b 2c: 48 8b 03 mov (%rbx),%rax 2f: 5b pop %rbx 30: c3 retq 31: 31 c0 xor %eax,%eax 33: c3 retq 34: e8 d6 d4 81 fd callq 0xfd81d50f 39: eb a8 jmp 0xffffffe3 3b: 48 rex.W