bisecting cause commit starting from e5071887cd2296a7704dbcd10c1cedf0f11cdbd5 building syzkaller on 68fc921ad90a9ed3604448913e66d02ea8d11de6 testing commit e5071887cd2296a7704dbcd10c1cedf0f11cdbd5 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: db5ea3c6d39341099b72df2dc42b527a0bafe39ca04b59f9915e6d9b0ecf9fe0 run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: failed to write control pipe: write |NUM: broken pipe run #1: crashed: general protection fault in io_poll_check_events run #2: crashed: general protection fault in io_poll_check_events run #3: crashed: general protection fault in io_poll_check_events run #4: crashed: general protection fault in io_poll_check_events run #5: crashed: general protection fault in io_poll_check_events run #6: crashed: general protection fault in io_poll_check_events run #7: crashed: general protection fault in io_poll_check_events run #8: crashed: general protection fault in io_poll_check_events run #9: crashed: general protection fault in io_poll_check_events run #10: crashed: general protection fault in io_poll_check_events run #11: crashed: general protection fault in io_poll_check_events run #12: crashed: general protection fault in io_poll_check_events run #13: crashed: general protection fault in io_poll_check_events run #14: crashed: general protection fault in io_poll_check_events run #15: crashed: general protection fault in io_poll_check_events run #16: crashed: general protection fault in io_poll_check_events run #17: crashed: general protection fault in io_poll_check_events run #18: crashed: general protection fault in io_poll_check_events run #19: crashed: general protection fault in io_poll_check_events testing release v5.17 testing commit f443e374ae131c168a065ea1748feac6b2e76613 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: f48172e34ba9bda97aefcafae6d8d981c879428c85d5ae9ac1225ffb63cd5ca7 all 
runs: OK # git bisect start e5071887cd2296a7704dbcd10c1cedf0f11cdbd5 f443e374ae131c168a065ea1748feac6b2e76613 Bisecting: 7450 revisions left to test after this (roughly 13 steps) [169e77764adc041b1dacba84ea90516a895d43b2] Merge tag 'net-next-5.18' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next testing commit 169e77764adc041b1dacba84ea90516a895d43b2 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: da1e8b02f56d1379d5ebb54e4beb69536c5d9c1a4b3c1e7ac9c36f0d187028d1 run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: failed to write control pipe: write |NUM: broken pipe run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect good 169e77764adc041b1dacba84ea90516a895d43b2 Bisecting: 3747 revisions left to test after this (roughly 12 steps) [20658b141b8fc13b0dff08f04f34deb4492653ac] Merge branch 'for-5.18/io_uring' into for-next testing commit 20658b141b8fc13b0dff08f04f34deb4492653ac compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 5d47325dbd8b4423b58a2101e3a7c9fa49cd1dc1947e2cd96f8bd61805fadbce all runs: crashed: general protection fault in io_poll_check_events # git bisect bad 20658b141b8fc13b0dff08f04f34deb4492653ac Bisecting: 1860 revisions left to test after this (roughly 11 steps) [b1f8ccdaae0310332d16f65bf0f622f9d4ae2391] Merge tag 'for-5.18/dm-changes' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm testing commit b1f8ccdaae0310332d16f65bf0f622f9d4ae2391 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 9f7c575d6c7ad917839cb99559ceeba538f545b50fc2e23ad2b995afd6081c0d all runs: OK # git bisect good b1f8ccdaae0310332d16f65bf0f622f9d4ae2391 Bisecting: 934 revisions left to test after this (roughly 10 steps) [5e206459f670b579da9b7861a0f3ce3b989a68b6] Merge branch 'for-linus' of 
git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid testing commit 5e206459f670b579da9b7861a0f3ce3b989a68b6 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 29917e341610b7fb7343b5859c8ff10aeefcdd9791d662803b94adbc4be30960 all runs: OK # git bisect good 5e206459f670b579da9b7861a0f3ce3b989a68b6 Bisecting: 500 revisions left to test after this (roughly 9 steps) [bddac7c1e02ba47f0570e494c9289acea3062cc1] Revert "swiotlb: rework "fix info leak with DMA_FROM_DEVICE"" testing commit bddac7c1e02ba47f0570e494c9289acea3062cc1 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 132cb29777f26e115a24c55471eda7fbfb3e3ab1b60b942b703dca97953f9985 run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: failed to write control pipe: write |NUM: broken pipe run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect good bddac7c1e02ba47f0570e494c9289acea3062cc1 Bisecting: 296 revisions left to test after this (roughly 8 steps) [5627ecb8374a00163d90bc92c33f829ac27895b2] Merge branch 'i2c/for-mergewindow' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux testing commit 5627ecb8374a00163d90bc92c33f829ac27895b2 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: e94e21041f1ed89813ae28c3de9f4fc3752ffd4b3aefce23a8f173ada020e5a3 all runs: OK # git bisect good 5627ecb8374a00163d90bc92c33f829ac27895b2 Bisecting: 148 revisions left to test after this (roughly 7 steps) [6163d4991172b8fff453d2260185d8af971b415e] usb: gadget: aspeed: remove usage of list iterator past the loop body testing commit 6163d4991172b8fff453d2260185d8af971b415e compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 0398758009c468aee1568d655f4c33487366f3d71530113386c33df6f9c9d152 all runs: OK # git bisect good 6163d4991172b8fff453d2260185d8af971b415e Bisecting: 57 
revisions left to test after this (roughly 6 steps) [7001052160d172f6de06adeffde24dde9935ece8] Merge tag 'x86_core_for_5.18_rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip testing commit 7001052160d172f6de06adeffde24dde9935ece8 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 69cb703346d10015135b87367178d67e6832bcdde8718fcf944ca9c5a4a04244 run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: exit status NUM run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect good 7001052160d172f6de06adeffde24dde9935ece8 Bisecting: 28 revisions left to test after this (roughly 5 steps) [3b255fe79c9eaa84a48e35e8cd6406788ba90d9c] Merge branch 'for-5.18/drivers' into for-next testing commit 3b255fe79c9eaa84a48e35e8cd6406788ba90d9c compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 0be07c8b7950d2ad56693862eafabbffee3afe50948ec4cd197d95761dea9703 all runs: OK # git bisect good 3b255fe79c9eaa84a48e35e8cd6406788ba90d9c Bisecting: 15 revisions left to test after this (roughly 4 steps) [6d35d04a9e18990040e87d2bbf72689252669d54] nbd: fix possible overflow on 'first_minor' in nbd_dev_add() testing commit 6d35d04a9e18990040e87d2bbf72689252669d54 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 3ce00891d89bd6dd83a1c4492296e34df4c4e6c7d731816f1b96d71ad2a096f4 all runs: OK # git bisect good 6d35d04a9e18990040e87d2bbf72689252669d54 Bisecting: 7 revisions left to test after this (roughly 3 steps) [7f07e5f0e0d1e59e7a3e09ca7f8dff7b99a45ce0] Merge branch 'for-5.18/io_uring' into for-next testing commit 7f07e5f0e0d1e59e7a3e09ca7f8dff7b99a45ce0 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: c827b49275fc40e36b115cfd7cdbef2d781369b0a71cc90e61213895acd51d6b all runs: OK # git bisect good 
7f07e5f0e0d1e59e7a3e09ca7f8dff7b99a45ce0 Bisecting: 3 revisions left to test after this (roughly 2 steps) [655f91655ffe5660c21a8d94e790d9705add9d4c] Merge branch 'for-5.18/block' into for-next testing commit 655f91655ffe5660c21a8d94e790d9705add9d4c compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 9e1d0051bd547fb8c7eb5f3dbbc7e093760b42664b8d1609bce4763b0d55fd64 all runs: OK # git bisect good 655f91655ffe5660c21a8d94e790d9705add9d4c Bisecting: 1 revision left to test after this (roughly 1 step) [e27ea4eb2127c6afa9398197ef62d5742e9ab73e] Merge branch 'for-5.18/block' into for-next testing commit e27ea4eb2127c6afa9398197ef62d5742e9ab73e compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 4745bbc8d1f96ccb00ec648df97c598af0d5be44828f013a84de509547d98f47 all runs: OK # git bisect good e27ea4eb2127c6afa9398197ef62d5742e9ab73e Bisecting: 0 revisions left to test after this (roughly 0 steps) [d570aa1c4f191100f502edfc240e8d49687f62ac] io_uring: drop the old style inflight file tracking testing commit d570aa1c4f191100f502edfc240e8d49687f62ac compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: d0d8d040cd99da1d810ae46bdd1a052bad397ef7f2c49733c058e880714ec955 all runs: crashed: general protection fault in io_poll_check_events # git bisect bad d570aa1c4f191100f502edfc240e8d49687f62ac d570aa1c4f191100f502edfc240e8d49687f62ac is the first bad commit commit d570aa1c4f191100f502edfc240e8d49687f62ac Author: Jens Axboe Date: Thu Mar 31 12:38:46 2022 -0600 io_uring: drop the old style inflight file tracking io_uring tracks requests that are referencing an io_uring descriptor to be able to cancel without worrying about loops in the references. Since we now assign the file at execution time, the easier approach is to drop a potentially problematic reference before we punt the request. 
This eliminates the need to special case these types of files beyond just marking them as such, and simplifies cancelation quite a bit. This also fixes a recent issue where an async punted tee operation with the io_uring descriptor as the output file would crash when attempting to get a reference to the file from the io-wq worker. We could have worked around that, but this is the much cleaner fix. Fixes: 734a69489dd7 ("io_uring: defer file assignment") Reported-by: syzbot+c4b9303500a21750b250@syzkaller.appspotmail.com Signed-off-by: Jens Axboe fs/io_uring.c | 79 +++++++++++++++++------------------------------------------ 1 file changed, 22 insertions(+), 57 deletions(-) parent commit 734a69489dd7f892224dcb7e9198e4e12cfe9df5 wasn't tested testing commit 734a69489dd7f892224dcb7e9198e4e12cfe9df5 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: ab44934cf7858dc1ef59d3a73d7a3679badb4a2551e225026ec2a0740c0b7952 culprit signature: d0d8d040cd99da1d810ae46bdd1a052bad397ef7f2c49733c058e880714ec955 parent signature: ab44934cf7858dc1ef59d3a73d7a3679badb4a2551e225026ec2a0740c0b7952 revisions tested: 16, total time: 3h3m15.959552475s (build: 1h47m20.83147059s, test: 1h14m11.391786139s) first bad commit: d570aa1c4f191100f502edfc240e8d49687f62ac io_uring: drop the old style inflight file tracking recipients (to): ["axboe@kernel.dk" "axboe@kernel.dk" "io-uring@vger.kernel.org"] recipients (cc): ["asml.silence@gmail.com" "linux-kernel@vger.kernel.org"] crash: general protection fault in io_poll_check_events general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f] CPU: 0 PID: 4047 Comm: syz-executor875 Not tainted 5.17.0-rc7-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:vfs_poll include/linux/poll.h:86 [inline] RIP: 
0010:io_poll_check_events+0x1d4/0x750 fs/io_uring.c:5945 Code: f0 48 c7 44 24 60 00 00 00 00 48 c1 e8 03 89 54 24 68 80 3c 18 00 0f 85 db 04 00 00 4d 8b 06 49 8d 78 28 48 89 f8 48 c1 e8 03 <80> 3c 18 00 0f 85 a7 04 00 00 49 8b 40 28 48 8d 78 48 48 89 f9 48 RSP: 0018:ffffc900026cfca8 EFLAGS: 00010206 RAX: 0000000000000005 RBX: dffffc0000000000 RCX: ffffffff81ca29d6 RDX: 0000000040002038 RSI: 0000000000000004 RDI: 0000000000000028 RBP: ffff88807e178944 R08: 0000000000000000 R09: ffff88807e178947 R10: ffffed100fc2f128 R11: 0000000000000001 R12: ffff88807e178914 R13: 0000000000000001 R14: ffff88807e1788c0 R15: ffff888072478000 FS: 0000555555b54300(0000) GS:ffff8880b9e00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f324e872140 CR3: 000000006e5f6000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: io_poll_task_func+0x3c/0x480 fs/io_uring.c:5980 handle_tw_list fs/io_uring.c:2463 [inline] tctx_task_work+0x550/0xf50 fs/io_uring.c:2497 task_work_run+0xc0/0x160 kernel/task_work.c:164 tracehook_notify_signal include/linux/tracehook.h:213 [inline] handle_signal_work kernel/entry/common.c:146 [inline] exit_to_user_mode_loop kernel/entry/common.c:172 [inline] exit_to_user_mode_prepare+0x256/0x290 kernel/entry/common.c:207 __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline] syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:300 do_syscall_64+0x42/0x80 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f324e800fe9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fff7a11b9f8 EFLAGS: 00000246 ORIG_RAX: 00000000000001aa RAX: 0000000000000200 RBX: 0000000000000000 RCX: 00007f324e800fe9 RDX: 0000000000000000 
RSI: 000000000000146f RDI: 0000000000000003 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f324e7c4870 R13: 431bde82d7b634db R14: 0000000000000000 R15: 0000000000000000 Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:vfs_poll include/linux/poll.h:86 [inline] RIP: 0010:io_poll_check_events+0x1d4/0x750 fs/io_uring.c:5945 Code: f0 48 c7 44 24 60 00 00 00 00 48 c1 e8 03 89 54 24 68 80 3c 18 00 0f 85 db 04 00 00 4d 8b 06 49 8d 78 28 48 89 f8 48 c1 e8 03 <80> 3c 18 00 0f 85 a7 04 00 00 49 8b 40 28 48 8d 78 48 48 89 f9 48 RSP: 0018:ffffc900026cfca8 EFLAGS: 00010206 RAX: 0000000000000005 RBX: dffffc0000000000 RCX: ffffffff81ca29d6 RDX: 0000000040002038 RSI: 0000000000000004 RDI: 0000000000000028 RBP: ffff88807e178944 R08: 0000000000000000 R09: ffff88807e178947 R10: ffffed100fc2f128 R11: 0000000000000001 R12: ffff88807e178914 R13: 0000000000000001 R14: ffff88807e1788c0 R15: ffff888072478000 FS: 0000555555b54300(0000) GS:ffff8880b9f00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055d5e232f008 CR3: 000000006e5f6000 CR4: 00000000003506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 ---------------- Code disassembly (best guess): 0: f0 48 c7 44 24 60 00 lock movq $0x0,0x60(%rsp) 7: 00 00 00 a: 48 c1 e8 03 shr $0x3,%rax e: 89 54 24 68 mov %edx,0x68(%rsp) 12: 80 3c 18 00 cmpb $0x0,(%rax,%rbx,1) 16: 0f 85 db 04 00 00 jne 0x4f7 1c: 4d 8b 06 mov (%r14),%r8 1f: 49 8d 78 28 lea 0x28(%r8),%rdi 23: 48 89 f8 mov %rdi,%rax 26: 48 c1 e8 03 shr $0x3,%rax * 2a: 80 3c 18 00 cmpb $0x0,(%rax,%rbx,1) <-- trapping instruction 2e: 0f 85 a7 04 00 00 jne 0x4db 34: 49 8b 40 28 mov 0x28(%r8),%rax 38: 48 8d 78 48 lea 0x48(%rax),%rdi 3c: 48 89 f9 mov %rdi,%rcx 3f: 48 rex.W