bisecting fixing commit since 1a05924366694d17a36e6b086d5bba1a8d74b977
building syzkaller on f62e1e85cf54ccfa990868a402eca32bf4513b21
testing commit 1a05924366694d17a36e6b086d5bba1a8d74b977 with gcc (GCC) 8.1.0
kernel signature: a7255802ea7f23a2611bfe16455f4f6c35c342ed
run #0: crashed: possible deadlock in io_submit_one
run #1: crashed: possible deadlock in io_submit_one
run #2: crashed: possible deadlock in io_submit_one
run #3: crashed: possible deadlock in io_submit_one
run #4: crashed: possible deadlock in io_submit_one
run #5: crashed: possible deadlock in io_submit_one
run #6: crashed: possible deadlock in io_submit_one
run #7: crashed: possible deadlock in free_ioctx_users
run #8: crashed: possible deadlock in io_submit_one
run #9: crashed: possible deadlock in io_submit_one
testing current HEAD 312017a460d5ea31d646e7148e400e13db799ddc
testing commit 312017a460d5ea31d646e7148e400e13db799ddc with gcc (GCC) 8.1.0
kernel signature: 7572b8c05f4ddcbf9b34430a3ff5c7831daa6fc4
all runs: OK
# git bisect start 312017a460d5ea31d646e7148e400e13db799ddc 1a05924366694d17a36e6b086d5bba1a8d74b977
Bisecting: 2085 revisions left to test after this (roughly 11 steps)
[31604075ceb49366fbd2f50aa8dd7135a773b61b] USB: usb-skeleton: fix NULL-deref on disconnect
testing commit 31604075ceb49366fbd2f50aa8dd7135a773b61b with gcc (GCC) 8.1.0
kernel signature: a47c0ef8c2094ed6b3bc60932f80974912bc9418
all runs: OK
# git bisect bad 31604075ceb49366fbd2f50aa8dd7135a773b61b
Bisecting: 1042 revisions left to test after this (roughly 10 steps)
[f6f9c4491ec52e13c6621b04b0c05301611b1711] HID: quirks: Set the INCREMENT_USAGE_ON_DUPLICATE quirk on Saitek X52
testing commit f6f9c4491ec52e13c6621b04b0c05301611b1711 with gcc (GCC) 8.1.0
kernel signature: 0fe7520431038459e34202b7fe900b39109f750a
all runs: OK
# git bisect bad f6f9c4491ec52e13c6621b04b0c05301611b1711
Bisecting: 521 revisions left to test after this (roughly 9 steps)
[6323c238bb4374d1477348cfbd5854f2bebe9a21] tcp: be more careful in tcp_fragment()
testing commit 6323c238bb4374d1477348cfbd5854f2bebe9a21 with gcc (GCC) 8.1.0
kernel signature: 80472cd4eded681d9991ea8d9717bb79fc8fd11d
all runs: OK
# git bisect bad 6323c238bb4374d1477348cfbd5854f2bebe9a21
Bisecting: 260 revisions left to test after this (roughly 8 steps)
[ea904c9f6a33698c4e6223d6be4a4e99fd60eeb2] media: mc-device.c: don't memset __user pointer contents
testing commit ea904c9f6a33698c4e6223d6be4a4e99fd60eeb2 with gcc (GCC) 8.1.0
kernel signature: a1265408395c804b43fbc4484c38865cb68369f6
all runs: OK
# git bisect bad ea904c9f6a33698c4e6223d6be4a4e99fd60eeb2
Bisecting: 129 revisions left to test after this (roughly 7 steps)
[4c2ce7addda888c17db7625a07e79b24fdce6211] bpf, devmap: Add missing RCU read lock on flush
testing commit 4c2ce7addda888c17db7625a07e79b24fdce6211 with gcc (GCC) 8.1.0
kernel signature: 5731eec6ce39050536d961c55c481e6f13127195
all runs: OK
# git bisect bad 4c2ce7addda888c17db7625a07e79b24fdce6211
Bisecting: 64 revisions left to test after this (roughly 6 steps)
[3ddc2a10070675fc93cf36d0496ba5bf78ef667a] net/smc: move unhash before release of clcsock
testing commit 3ddc2a10070675fc93cf36d0496ba5bf78ef667a with gcc (GCC) 8.1.0
kernel signature: 12a367afe3410090246bdd3ec2bfe0edb8397ec8
all runs: OK
# git bisect bad 3ddc2a10070675fc93cf36d0496ba5bf78ef667a
Bisecting: 32 revisions left to test after this (roughly 5 steps)
[7cf431edfb718cc555ac4af29e731df4e4120efa] platform/mellanox: mlxreg-hotplug: Add devm_free_irq call to remove flow
testing commit 7cf431edfb718cc555ac4af29e731df4e4120efa with gcc (GCC) 8.1.0
kernel signature: 2f84640018dd2ee1d4d471fb276886a78e1c70c1
all runs: crashed: possible deadlock in io_submit_one
# git bisect good 7cf431edfb718cc555ac4af29e731df4e4120efa
Bisecting: 16 revisions left to test after this (roughly 4 steps)
[899377c50e603c3be243c0349b447159c3ed556d] ALSA: hda/realtek: Add quirks for several Clevo notebook barebones
testing commit 899377c50e603c3be243c0349b447159c3ed556d with gcc (GCC) 8.1.0
kernel signature: 33bf121969cfe987a4e463180dac430412f8814e
run #0: crashed: possible deadlock in io_submit_one
run #1: crashed: possible deadlock in free_ioctx_users
run #2: crashed: possible deadlock in io_submit_one
run #3: crashed: possible deadlock in io_submit_one
run #4: crashed: possible deadlock in io_submit_one
run #5: crashed: possible deadlock in io_submit_one
run #6: crashed: possible deadlock in io_submit_one
run #7: crashed: possible deadlock in io_submit_one
run #8: crashed: possible deadlock in free_ioctx_users
run #9: crashed: possible deadlock in io_submit_one
# git bisect good 899377c50e603c3be243c0349b447159c3ed556d
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[ec5d99e18d306bed13935b0f0634bd00caa26a42] drm/amdgpu/gfx9: use reset default for PA_SC_FIFO_SIZE
testing commit ec5d99e18d306bed13935b0f0634bd00caa26a42 with gcc (GCC) 8.1.0
kernel signature: ac33298b9f89ce11e36974537189f4d14fb44b63
all runs: OK
# git bisect bad ec5d99e18d306bed13935b0f0634bd00caa26a42
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[c8790d7f76be43997e11e3e88857cf841b42b35f] tracing/snapshot: Resize spare buffer if size changed
testing commit c8790d7f76be43997e11e3e88857cf841b42b35f with gcc (GCC) 8.1.0
kernel signature: 595f7778d46bbcb3f67b89339123842d0471c9d3
all runs: OK
# git bisect bad c8790d7f76be43997e11e3e88857cf841b42b35f
Bisecting: 1 revision left to test after this (roughly 1 step)
[ea38007107d656e40173da3fed59287ac2a7e11b] lib/mpi: Fix karactx leak in mpi_powm
testing commit ea38007107d656e40173da3fed59287ac2a7e11b with gcc (GCC) 8.1.0
kernel signature: 5ec4d645989bbb91db01a72ebf3caea7b2bd21ea
run #0: crashed: possible deadlock in io_submit_one
run #1: crashed: possible deadlock in io_submit_one
run #2: crashed: possible deadlock in io_submit_one
run #3: crashed: possible deadlock in free_ioctx_users
run #4: crashed: possible deadlock in io_submit_one
run #5: crashed: possible deadlock in io_submit_one
run #6: crashed: possible deadlock in io_submit_one
run #7: crashed: possible deadlock in io_submit_one
run #8: crashed: possible deadlock in io_submit_one
run #9: crashed: possible deadlock in io_submit_one
# git bisect good ea38007107d656e40173da3fed59287ac2a7e11b
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[052b318100856aa86f4e0c03cfe43a1bb6bfb487] fs/userfaultfd.c: disable irqs for fault_pending and event locks
testing commit 052b318100856aa86f4e0c03cfe43a1bb6bfb487 with gcc (GCC) 8.1.0
kernel signature: 1118e8755097f8885d436ad7b1b00295a2cff335
all runs: OK
# git bisect bad 052b318100856aa86f4e0c03cfe43a1bb6bfb487
052b318100856aa86f4e0c03cfe43a1bb6bfb487 is the first bad commit
commit 052b318100856aa86f4e0c03cfe43a1bb6bfb487
Author: Eric Biggers
Date: Thu Jul 4 15:14:39 2019 -0700

    fs/userfaultfd.c: disable irqs for fault_pending and event locks

    commit cbcfa130a911c613a1d9d921af2eea171c414172 upstream.

    When IOCB_CMD_POLL is used on a userfaultfd, aio_poll() disables IRQs
    and takes kioctx::ctx_lock, then userfaultfd_ctx::fd_wqh.lock.

    This may have to wait for userfaultfd_ctx::fd_wqh.lock to be released by
    userfaultfd_ctx_read(), which in turn can be waiting for
    userfaultfd_ctx::fault_pending_wqh.lock or
    userfaultfd_ctx::event_wqh.lock.

    But elsewhere the fault_pending_wqh and event_wqh locks are taken with
    IRQs enabled. Since the IRQ handler may take kioctx::ctx_lock, lockdep
    reports that a deadlock is possible.

    Fix it by always disabling IRQs when taking the fault_pending_wqh and
    event_wqh locks.

    Commit ae62c16e105a ("userfaultfd: disable irqs when taking the
    waitqueue lock") didn't fix this because it only accounted for the
    fd_wqh lock, not the other locks nested inside it.

    Link: http://lkml.kernel.org/r/20190627075004.21259-1-ebiggers@kernel.org
    Fixes: bfe4037e722e ("aio: implement IOCB_CMD_POLL")
    Signed-off-by: Eric Biggers
    Reported-by: syzbot+fab6de82892b6b9c6191@syzkaller.appspotmail.com
    Reported-by: syzbot+53c0b767f7ca0dc0c451@syzkaller.appspotmail.com
    Reported-by: syzbot+a3accb352f9c22041cfa@syzkaller.appspotmail.com
    Reviewed-by: Andrew Morton
    Cc: Christoph Hellwig
    Cc: Andrea Arcangeli
    Cc: [4.19+]
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

 fs/userfaultfd.c | 42 ++++++++++++++++++++++++++----------------
 1 file changed, 26 insertions(+), 16 deletions(-)
culprit signature: 1118e8755097f8885d436ad7b1b00295a2cff335
parent signature: 5ec4d645989bbb91db01a72ebf3caea7b2bd21ea
revisions tested: 14, total time: 3h49m21.518723405s (build: 1h55m16.161002731s, test: 1h52m23.190804085s)
first good commit: 052b318100856aa86f4e0c03cfe43a1bb6bfb487 fs/userfaultfd.c: disable irqs for fault_pending and event locks
cc: ["akpm@linux-foundation.org" "ebiggers@google.com" "gregkh@linuxfoundation.org" "torvalds@linux-foundation.org"]