bisecting cause commit starting from 1b649e0bcae71c118c1333e02249a7510ba7f70a building syzkaller on 6d25c5a09d4115832b286e56380045283679ce52 testing commit 1b649e0bcae71c118c1333e02249a7510ba7f70a with gcc (GCC) 8.1.0 kernel signature: 1a8cb165cda0df4398a12f992908911e0651141e1d527aae2fb810d0f2efe78c run #0: crashed: KASAN: null-ptr-deref Write in blk_mq_map_swqueue run #1: crashed: KASAN: null-ptr-deref Write in blk_mq_map_swqueue run #2: crashed: KASAN: null-ptr-deref Write in blk_mq_map_swqueue run #3: crashed: KASAN: null-ptr-deref Write in blk_mq_map_swqueue run #4: crashed: KASAN: null-ptr-deref Write in blk_mq_map_swqueue run #5: crashed: KASAN: null-ptr-deref Write in blk_mq_map_swqueue run #6: crashed: KASAN: null-ptr-deref Write in blk_mq_map_swqueue run #7: crashed: KASAN: null-ptr-deref Write in blk_mq_map_swqueue run #8: crashed: KASAN: null-ptr-deref Write in blk_mq_map_swqueue run #9: boot failed: can't ssh into the instance testing release v5.5 testing commit d5226fa6dbae0569ee43ecfc08bdcd6770fc4755 with gcc (GCC) 8.1.0 kernel signature: dcfb0ebaab05b2bde661b729b69efdbf51bd530880da464f2b2e5d82a1dd00aa all runs: crashed: KASAN: null-ptr-deref Write in blk_mq_map_swqueue testing release v5.4 testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0 kernel signature: 5b3f3b40152723e961ec2f1335e221c50ce5174647b8088e40930061adbce750 all runs: OK # git bisect start d5226fa6dbae0569ee43ecfc08bdcd6770fc4755 219d54332a09e8d8741c1e1982f5eae56099de85 Bisecting: 8639 revisions left to test after this (roughly 13 steps) [8c39f71ee2019e77ee14f88b1321b2348db51820] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net testing commit 8c39f71ee2019e77ee14f88b1321b2348db51820 with gcc (GCC) 8.1.0 kernel signature: 09c2bd12a1f7a91a278b44c6ef7f19a84602810311c6a8931ff8907ab8df195e all runs: crashed: KASAN: null-ptr-deref Write in blk_mq_map_swqueue # git bisect bad 8c39f71ee2019e77ee14f88b1321b2348db51820 Bisecting: 3435 revisions left to test after this (roughly 12 steps) [3b397c7ccafe0624018cb09fc96729f8f6165573] Merge tag 'regmap-v5.5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regmap testing commit 3b397c7ccafe0624018cb09fc96729f8f6165573 with gcc (GCC) 8.1.0 kernel signature: a013a72a482c972bb714033a9eb665a73575fc962c0548373439e7b7f88b3e6b all runs: crashed: KASAN: null-ptr-deref Write in blk_mq_map_swqueue # git bisect bad 3b397c7ccafe0624018cb09fc96729f8f6165573 Bisecting: 1709 revisions left to test after this (roughly 11 steps) [924ea58dadea23cc28b60d02b9c0896b7b168a6f] Merge tag 'mt76-for-kvalo-2019-11-20' of https://github.com/nbd168/wireless testing commit 924ea58dadea23cc28b60d02b9c0896b7b168a6f with gcc (GCC) 8.1.0 kernel signature: a234a18312de1a8d70dad939bd9c72c4571f9d9696cb2548dd7579308f917e31 all runs: OK # git bisect good 924ea58dadea23cc28b60d02b9c0896b7b168a6f Bisecting: 901 revisions left to test after this (roughly 10 steps) [3f3c8be973af10875cfa1e7b85a535b6ba76b44f] Merge tag 'for-linus-5.5a-rc1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip testing commit 3f3c8be973af10875cfa1e7b85a535b6ba76b44f with gcc (GCC) 8.1.0 kernel signature: 7851dab08c85799a9532aaa97dc9c26dde125e070434308a5df39b3dea97906f all runs: crashed: KASAN: null-ptr-deref Write in blk_mq_map_swqueue # git bisect bad 3f3c8be973af10875cfa1e7b85a535b6ba76b44f Bisecting: 469 revisions left to test after this (roughly 9 steps) [1b88176b9c72fb4edd5920969aef94c5cd358337] Merge tag 'mtd/for-5.5' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux testing commit 1b88176b9c72fb4edd5920969aef94c5cd358337 with gcc (GCC) 8.1.0 kernel signature: b767e129d9c5c223beebc3ec1e67e7204c855e58d095d8ec3f66788186a14310 all runs: crashed: KASAN: null-ptr-deref Write in blk_mq_map_swqueue # git bisect bad 1b88176b9c72fb4edd5920969aef94c5cd358337 Bisecting: 191 revisions left to test after this (roughly 7 steps) [ff6814b078e33a4d26fee9ea80779c81a6744cd8] Merge tag 'for-5.5/block-20191121' of git://git.kernel.dk/linux-block testing commit ff6814b078e33a4d26fee9ea80779c81a6744cd8 with gcc (GCC) 8.1.0 kernel signature: 7f59c211f384c9cc10b54722fffd6367d7691ae53f6de6383c05396c8e01ba1f all runs: crashed: KASAN: null-ptr-deref Write in blk_mq_map_swqueue # git bisect bad ff6814b078e33a4d26fee9ea80779c81a6744cd8 Bisecting: 81 revisions left to test after this (roughly 6 steps) [eac406c61cd0ec8fe7970ca46ddf23e40a86b579] io_uring: make POLL_ADD/POLL_REMOVE scale better testing commit eac406c61cd0ec8fe7970ca46ddf23e40a86b579 with gcc (GCC) 8.1.0 kernel signature: 4db99796ae01f62110fd74dbfe357125f6987bdc787786b8ac373c1b8b37fb88 run #0: crashed: general protection fault in batadv_iv_ogm_queue_add run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad eac406c61cd0ec8fe7970ca46ddf23e40a86b579 Bisecting: 31 revisions left to test after this (roughly 5 steps) [196be95cd5572078be9deb81cbea145fab246029] io_uring: allocate io_kiocb upfront testing commit 196be95cd5572078be9deb81cbea145fab246029 with gcc (GCC) 8.1.0 kernel signature: c4b124d391361cc28149f1ce3cc16cef992c6c0af0a64636ce558f4c1f42b1a9 all runs: OK # git bisect good 196be95cd5572078be9deb81cbea145fab246029 Bisecting: 15 revisions left to test after this (roughly 4 steps) [8e3cca12706231daf8daf90dbde59f1665135e48] io_uring: convert accept4() -ERESTARTSYS into -EINTR testing commit 8e3cca12706231daf8daf90dbde59f1665135e48 with gcc (GCC) 8.1.0 kernel signature: bd13daf4093abdf897a6d9917f11640f6aacb78d8cf434fccd2246572d4466fc all runs: OK # git bisect good 8e3cca12706231daf8daf90dbde59f1665135e48 Bisecting: 7 revisions left to test after this (roughly 3 steps) [15dff286d0e0087d4dcd7049911f179e4e4cfd94] io_uring: check for validity of ->rings in teardown testing commit 15dff286d0e0087d4dcd7049911f179e4e4cfd94 with gcc (GCC) 8.1.0 kernel signature: 0078e5748ec2d2ff6df2c20736b764bd35a888a0e94caae6cfe2beaa4504adc0 run #0: crashed: general protection fault in batadv_iv_ogm_queue_add run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 15dff286d0e0087d4dcd7049911f179e4e4cfd94 Bisecting: 3 revisions left to test after this (roughly 2 steps) [768134d4f48109b90f4248feecbeeb7d684e410c] io_uring: don't do flush cancel under inflight_lock testing commit 768134d4f48109b90f4248feecbeeb7d684e410c with gcc (GCC) 8.1.0 kernel signature: b315703b7cfce830ded05a97733c65ff9527ba41713dc28f245c74f49252ce35 run #0: crashed: general protection fault in batadv_iv_ogm_queue_add run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect bad 768134d4f48109b90f4248feecbeeb7d684e410c Bisecting: 1 revision left to test after this (roughly 1 step) [47f467686ec02fc07fd5c6bb34b6f6736e2884b0] io_uring: make ASYNC_CANCEL work with poll and timeout testing commit 47f467686ec02fc07fd5c6bb34b6f6736e2884b0 with gcc (GCC) 8.1.0 kernel signature: f14c0d523eac1ee6a7f38e0b4b3db8b82468ebb68a5465fe30958cb5c5f4c08f all runs: OK # git bisect good 47f467686ec02fc07fd5c6bb34b6f6736e2884b0 Bisecting: 0 revisions left to test after this (roughly 0 steps) [c1edbf5f081be9fbbea68c1d564b773e59c1acf3] io_uring: flag SQPOLL busy condition to userspace testing commit c1edbf5f081be9fbbea68c1d564b773e59c1acf3 with gcc (GCC) 8.1.0 kernel signature: ca8b0ef39234ddf7ceea3ac02a50813b20fb2b93ec2a6b2b14ce78ebe8b29ef6 all runs: OK # git bisect good c1edbf5f081be9fbbea68c1d564b773e59c1acf3 768134d4f48109b90f4248feecbeeb7d684e410c is the first bad commit commit 768134d4f48109b90f4248feecbeeb7d684e410c Author: Jens Axboe Date: Sun Nov 10 20:30:53 2019 -0700 io_uring: don't do flush cancel under inflight_lock We can't safely cancel under the inflight lock. If the work hasn't been started yet, then io_wq_cancel_work() simply marks the work as cancelled and invokes the work handler. But if the work completion needs to grab the inflight lock because it's grabbing user files, then we'll deadlock trying to finish the work as we already hold that lock. Instead grab a reference to the request, if it isn't already zero. If it's zero, then we know it's going through completion anyway, and we can safely ignore it. If it's not zero, then we can drop the lock and attempt to cancel from there. This also fixes a missing finish_wait() at the end of io_uring_cancel_files(). Signed-off-by: Jens Axboe fs/io_uring.c | 35 ++++++++++++++++++----------------- 1 file changed, 18 insertions(+), 17 deletions(-) culprit signature: b315703b7cfce830ded05a97733c65ff9527ba41713dc28f245c74f49252ce35 parent signature: ca8b0ef39234ddf7ceea3ac02a50813b20fb2b93ec2a6b2b14ce78ebe8b29ef6 revisions tested: 16, total time: 4h0m16.990358222s (build: 1h39m7.50297662s, test: 2h20m5.657116877s) first bad commit: 768134d4f48109b90f4248feecbeeb7d684e410c io_uring: don't do flush cancel under inflight_lock cc: ["axboe@kernel.dk" "linux-block@vger.kernel.org" "linux-fsdevel@vger.kernel.org" "linux-kernel@vger.kernel.org" "viro@zeniv.linux.org.uk"] crash: general protection fault in batadv_iv_ogm_queue_add kasan: CONFIG_KASAN_INLINE enabled kasan: GPF could be caused by NULL-ptr deref or user memory access general protection fault: 0000 [#1] PREEMPT SMP KASAN CPU: 0 PID: 2648 Comm: kworker/u4:4 Not tainted 5.4.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: bat_events batadv_iv_send_outstanding_bat_ogm_packet RIP: 0010:batadv_iv_ogm_queue_add+0x9b/0xe50 net/batman-adv/bat_iv_ogm.c:605 Code: 44 89 8d 64 ff ff ff c7 02 f1 f1 f1 f1 c7 42 04 04 f2 f2 f2 48 89 fa 65 48 8b 0c 25 28 00 00 00 48 89 4d d0 31 c9 48 c1 ea 03 <0f> b6 04 02 48 89 fa 83 e2 07 38 d0 7f 08 84 c0 0f 85 a2 0b 00 00 RSP: 0018:ffff8880a14f7aa8 EFLAGS: 00010246 RAX: dffffc0000000000 RBX: ffff88808fa88b40 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: ffff8880a14f7bc0 R08: ffff8880a8a09000 R09: 0000000000000001 R10: ffffed101429ef8d R11: 0000000000000003 R12: 0000000000000007 R13: ffff8880a8a09028 R14: ffff8880a8a09000 R15: 000000000000003c FS: 0000000000000000(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000049f5d0 CR3: 00000000a89d0000 CR4: 00000000001406f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: batadv_iv_ogm_schedule+0xb60/0xe90 net/batman-adv/bat_iv_ogm.c:813 batadv_iv_send_outstanding_bat_ogm_packet+0x539/0x7c6 net/batman-adv/bat_iv_ogm.c:1675 process_one_work+0x856/0x1630 kernel/workqueue.c:2269 worker_thread+0x85/0xb60 kernel/workqueue.c:2415 kthread+0x331/0x3f0 kernel/kthread.c:255 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 Modules linked in: ---[ end trace d2a84bc08a0985db ]--- RIP: 0010:batadv_iv_ogm_queue_add+0x9b/0xe50 net/batman-adv/bat_iv_ogm.c:605 Code: 44 89 8d 64 ff ff ff c7 02 f1 f1 f1 f1 c7 42 04 04 f2 f2 f2 48 89 fa 65 48 8b 0c 25 28 00 00 00 48 89 4d d0 31 c9 48 c1 ea 03 <0f> b6 04 02 48 89 fa 83 e2 07 38 d0 7f 08 84 c0 0f 85 a2 0b 00 00 RSP: 0018:ffff8880a14f7aa8 EFLAGS: 00010246 RAX: dffffc0000000000 RBX: ffff88808fa88b40 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: ffff8880a14f7bc0 R08: ffff8880a8a09000 R09: 0000000000000001 R10: ffffed101429ef8d R11: 0000000000000003 R12: 0000000000000007 R13: ffff8880a8a09028 R14: ffff8880a8a09000 R15: 000000000000003c FS: 0000000000000000(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000049f5d0 CR3: 00000000a89d0000 CR4: 00000000001406f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400