bisecting cause commit starting from 7fca4dee610dffbe119714231cac0d59496bc193 building syzkaller on 424dd8e7b52828cad44ce653a5d4ac30670f5e2c testing commit 7fca4dee610dffbe119714231cac0d59496bc193 with gcc (GCC) 8.1.0 kernel signature: 93a502c4a485da56401237978aabe171a3cfc8b087004ae489bb7718fae76621 all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in io_poll_double_wake testing release v5.8 testing commit bcf876870b95592b52519ed4aafcf9d95999bc9c with gcc (GCC) 8.1.0 kernel signature: dc2f20c94a206ab0d8094324dec7d4712dab8cd48a5b15fb6b5714aa9d8f6576 all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in io_poll_double_wake testing release v5.7 testing commit 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162 with gcc (GCC) 8.1.0 kernel signature: cef20ebd0728380fdb5b30ecfb577071898486e74f572a6bb9425ab8793529a2 all runs: OK # git bisect start bcf876870b95592b52519ed4aafcf9d95999bc9c 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162 Bisecting: 8752 revisions left to test after this (roughly 13 steps) [694b5a5d313f3997764b67d52bab66ec7e59e714] Merge tag 'arm-soc-5.8' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc testing commit 694b5a5d313f3997764b67d52bab66ec7e59e714 with gcc (GCC) 8.1.0 kernel signature: 9954cde38497816f400b72046deabfb5304f9528446585d061e0ab237e05541a all runs: crashed: WARNING: refcount bug in io_poll_remove_double # git bisect bad 694b5a5d313f3997764b67d52bab66ec7e59e714 Bisecting: 4417 revisions left to test after this (roughly 12 steps) [2e63f6ce7ed2c4ff83ba30ad9ccad422289a6c63] Merge branch 'uaccess.comedi' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs testing commit 2e63f6ce7ed2c4ff83ba30ad9ccad422289a6c63 with gcc (GCC) 8.1.0 kernel signature: 45c061bafd1499044184c271c70d6c1fe0b575a2aef1d983e61899ad2f86929c all runs: crashed: WARNING: refcount bug in io_poll_remove_double # git bisect bad 2e63f6ce7ed2c4ff83ba30ad9ccad422289a6c63 Bisecting: 2658 revisions left to test after this (roughly 11 steps) [cfa3b8068b09f25037146bfd5eed041b78878bee] Merge tag 'for-linus-hmm' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma testing commit cfa3b8068b09f25037146bfd5eed041b78878bee with gcc (GCC) 8.1.0 kernel signature: a90eeec10eba9806c6d0796081514b17102c7c64acec89129e9ddb3a28eb439a all runs: OK # git bisect good cfa3b8068b09f25037146bfd5eed041b78878bee Bisecting: 1328 revisions left to test after this (roughly 10 steps) [c41219fda6e04255c44d37fd2c0d898c1c46abf1] Merge tag 'drm-intel-next-fixes-2020-05-20' of git://anongit.freedesktop.org/drm/drm-intel into drm-next testing commit c41219fda6e04255c44d37fd2c0d898c1c46abf1 with gcc (GCC) 8.1.0 kernel signature: 778253b16186d3a299e91d370196eaaee3d09435a056b36c67258368ce745586 all runs: OK # git bisect good c41219fda6e04255c44d37fd2c0d898c1c46abf1 Bisecting: 602 revisions left to test after this (roughly 9 steps) [f3cdc8ae116e27d84e1f33c7a2995960cebb73ac] Merge tag 'for-5.8-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux testing commit f3cdc8ae116e27d84e1f33c7a2995960cebb73ac with gcc (GCC) 8.1.0 kernel signature: f1588014d500110b7d840c72e7e57c1bc7902d4b52a741bad333b341cf789e0c all runs: crashed: WARNING: refcount bug in io_poll_remove_double # git bisect bad f3cdc8ae116e27d84e1f33c7a2995960cebb73ac Bisecting: 327 revisions left to test after this (roughly 9 steps) [bce159d734091fe31340976081577333f52a85e4] Merge tag 'for-5.8/drivers-2020-06-01' of git://git.kernel.dk/linux-block testing commit bce159d734091fe31340976081577333f52a85e4 with gcc (GCC) 8.1.0 kernel signature: fdf8c2ee6d240e4b03df6d1bca132b689305b3fe1d08dd09ca933c4b9fa08397 all runs: OK # git bisect good bce159d734091fe31340976081577333f52a85e4 Bisecting: 140 revisions left to test after this (roughly 7 steps) [16d91548d1057691979de4686693f0ff92f46000] Merge tag 'xfs-5.8-merge-8' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux testing commit 16d91548d1057691979de4686693f0ff92f46000 with gcc (GCC) 8.1.0 kernel signature: 602c07a98d27e7277542d3f8de68e26f28c1f4266eebb0faca283db8f53df594 all runs: crashed: WARNING: refcount bug in io_poll_remove_double # git bisect bad 16d91548d1057691979de4686693f0ff92f46000 Bisecting: 93 revisions left to test after this (roughly 7 steps) [0f45a1b20cd8f9cfc985a1f91a1e7a86e5e14dd6] xfs: improve local fork verification testing commit 0f45a1b20cd8f9cfc985a1f91a1e7a86e5e14dd6 with gcc (GCC) 8.1.0 kernel signature: e8a3e46268ae44e0b4b27ed4af35cb13b5bbd3441807245d4ad77e32c9384b5c all runs: OK # git bisect good 0f45a1b20cd8f9cfc985a1f91a1e7a86e5e14dd6 Bisecting: 52 revisions left to test after this (roughly 6 steps) [9d99b1647fa56805c1cfef2d81ee7b9855359b62] Merge tag 'audit-pr-20200601' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit testing commit 9d99b1647fa56805c1cfef2d81ee7b9855359b62 with gcc (GCC) 8.1.0 kernel signature: 7651d7e32b3743d8a6cb179581529d8895151826aaa9a6dfc072309f7395e222 all runs: crashed: WARNING: refcount bug in io_poll_remove_double # git bisect bad 9d99b1647fa56805c1cfef2d81ee7b9855359b62 Bisecting: 20 revisions left to test after this (roughly 4 steps) [56080b02ed6e71fbc0add2d05a32ed7361dd736a] io_uring: don't re-read sqe->off in timeout_prep() testing commit 56080b02ed6e71fbc0add2d05a32ed7361dd736a with gcc (GCC) 8.1.0 kernel signature: 1daaa5d383fff204a99b0374fe6522aadbc883f6cfd1e75b16c6e0efdced7108 all runs: crashed: WARNING: refcount bug in io_poll_remove_double # git bisect bad 56080b02ed6e71fbc0add2d05a32ed7361dd736a Bisecting: 9 revisions left to test after this (roughly 3 steps) [3bfa5bcb26f0b52d7ae8416aa0618fff21aceaaf] io_uring: cleanup io_poll_remove_one() logic testing commit 3bfa5bcb26f0b52d7ae8416aa0618fff21aceaaf with gcc (GCC) 8.1.0 kernel signature: eda30bf65210d005a6597b853aa1a3def75098e391bd52a4f508b9a47569c091 all runs: crashed: WARNING: refcount bug in io_poll_remove_double # git bisect bad 3bfa5bcb26f0b52d7ae8416aa0618fff21aceaaf Bisecting: 4 revisions left to test after this (roughly 2 steps) [4a38aed2a0a729ccecd84dca5b76d827b9e1294d] io_uring: batch reap of dead file registrations testing commit 4a38aed2a0a729ccecd84dca5b76d827b9e1294d with gcc (GCC) 8.1.0 kernel signature: 9e4d17b1da9250bb610eca2025d9e0e57c3fd6a0190bd8e5542b0435500c4f7a all runs: OK # git bisect good 4a38aed2a0a729ccecd84dca5b76d827b9e1294d Bisecting: 2 revisions left to test after this (roughly 1 step) [0d9b5b3af134cddfdc1dd31d41946a0ad389bbf2] io_uring: add 'cq_flags' field for the CQ ring testing commit 0d9b5b3af134cddfdc1dd31d41946a0ad389bbf2 with gcc (GCC) 8.1.0 kernel signature: f41b074c217b3b15976d8e153a08bd7263c9158e5d9fcd29220dcdb5b3bf0b5c all runs: crashed: WARNING: refcount bug in io_poll_remove_double # git bisect bad 0d9b5b3af134cddfdc1dd31d41946a0ad389bbf2 Bisecting: 0 revisions left to test after this (roughly 0 steps) [18bceab101adde8f38de76016bc77f3f25cf22f4] io_uring: allow POLL_ADD with double poll_wait() users testing commit 18bceab101adde8f38de76016bc77f3f25cf22f4 with gcc (GCC) 8.1.0 kernel signature: 57bbffbfdc227dd8f7d9c9e802253db9b1e6baf1e61563c3fc649515c7ae696d all runs: crashed: WARNING: refcount bug in io_poll_remove_double # git bisect bad 18bceab101adde8f38de76016bc77f3f25cf22f4 18bceab101adde8f38de76016bc77f3f25cf22f4 is the first bad commit commit 18bceab101adde8f38de76016bc77f3f25cf22f4 Author: Jens Axboe Date: Fri May 15 11:56:54 2020 -0600 io_uring: allow POLL_ADD with double poll_wait() users Some file descriptors use separate waitqueues for their f_ops->poll() handler, most commonly one for read and one for write. The io_uring poll implementation doesn't work with that, as the 2nd poll_wait() call will cause the io_uring poll request to -EINVAL. This affects (at least) tty devices and /dev/random as well. This is a big problem for event loops where some file descriptors work, and others don't. With this fix, io_uring handles multiple waitqueues. Signed-off-by: Jens Axboe fs/io_uring.c | 218 +++++++++++++++++++++++++++++++++++++++------------------- 1 file changed, 146 insertions(+), 72 deletions(-) culprit signature: 57bbffbfdc227dd8f7d9c9e802253db9b1e6baf1e61563c3fc649515c7ae696d parent signature: 9e4d17b1da9250bb610eca2025d9e0e57c3fd6a0190bd8e5542b0435500c4f7a revisions tested: 17, total time: 3h17m13.363256718s (build: 1h38m53.095271225s, test: 1h36m41.412775979s) first bad commit: 18bceab101adde8f38de76016bc77f3f25cf22f4 io_uring: allow POLL_ADD with double poll_wait() users recipients (to): ["axboe@kernel.dk" "axboe@kernel.dk" "io-uring@vger.kernel.org"] recipients (cc): ["linux-fsdevel@vger.kernel.org" "linux-kernel@vger.kernel.org" "viro@zeniv.linux.org.uk"] crash: WARNING: refcount bug in io_poll_remove_double ------------[ cut here ]------------ refcount_t: decrement hit 0; leaking memory. WARNING: CPU: 1 PID: 8498 at lib/refcount.c:31 refcount_warn_saturate+0x7d/0x140 lib/refcount.c:31 Kernel panic - not syncing: panic_on_warn set ... CPU: 1 PID: 8498 Comm: syz-executor.0 Not tainted 5.7.0-rc4-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x128/0x182 lib/dump_stack.c:118 panic+0x22a/0x4e3 kernel/panic.c:221 __warn.cold.10+0x25/0x26 kernel/panic.c:582 report_bug+0x1ad/0x270 lib/bug.c:195 fixup_bug arch/x86/kernel/traps.c:175 [inline] do_error_trap+0x123/0x210 arch/x86/kernel/traps.c:267 do_invalid_op+0x31/0x40 arch/x86/kernel/traps.c:286 invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027 RIP: 0010:refcount_warn_saturate+0x7d/0x140 lib/refcount.c:31 Code: 12 6a 6e 06 00 0f 84 ba 00 00 00 5b 5d c3 80 3d 01 6a 6e 06 00 75 f4 48 c7 c7 60 84 ce 87 c6 05 f1 69 6e 06 01 e8 df 6a f2 fd <0f> 0b eb dd 80 3d e5 69 6e 06 00 75 d4 48 c7 c7 00 83 ce 87 c6 05 RSP: 0018:ffffc90009be7d38 EFLAGS: 00010086 RAX: 0000000000000000 RBX: ffff8880a15cad2c RCX: 0000000000000000 RDX: 0000000000000003 RSI: 0000000000000007 RDI: ffffffff8b8ef160 RBP: 0000000000000004 R08: ffffed1015d245f1 R09: ffffed1015d245f1 R10: ffff8880ae922f83 R11: ffffed1015d245f0 R12: ffff888092c74518 R13: ffff8880a15cad2c R14: ffff8880a7ac4e88 R15: ffff8880a7ac4eb8 refcount_dec include/linux/refcount.h:310 [inline] io_poll_remove_double+0x26b/0x330 fs/io_uring.c:4165 io_poll_remove_one+0x3f2/0x800 fs/io_uring.c:4473 io_poll_remove_all fs/io_uring.c:4515 [inline] io_ring_ctx_wait_and_kill+0x294/0x5d0 fs/io_uring.c:7415 io_uring_release+0x39/0x50 fs/io_uring.c:7434 __fput+0x2a4/0x7a0 fs/file_table.c:280 task_work_run+0xc2/0x160 kernel/task_work.c:123 tracehook_notify_resume include/linux/tracehook.h:188 [inline] exit_to_usermode_loop+0x23d/0x2d0 arch/x86/entry/common.c:165 prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline] syscall_return_slowpath arch/x86/entry/common.c:279 [inline] do_syscall_64+0x52a/0x620 arch/x86/entry/common.c:305 entry_SYSCALL_64_after_hwframe+0x49/0xb3 RIP: 0033:0x45d28a Code: 89 f5 41 54 49 89 fc 55 53 74 35 49 63 e8 48 63 da 4d 89 f9 49 89 e8 4d 63 d6 48 89 da 4c 89 ee 4c 89 e7 b8 09 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 4e 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 00 RSP: 002b:00007f163c2e3bc8 EFLAGS: 00000206 ORIG_RAX: 0000000000000009 RAX: 0000000020ffb000 RBX: 0000000000000003 RCX: 000000000045d28a RDX: 0000000000000003 RSI: 0000000000200000 RDI: 0000000020ffb000 RBP: 0000000000000003 R08: 0000000000000003 R09: 0000000010000000 R10: 0000000000008011 R11: 0000000000000206 R12: 0000000020ffb000 R13: 0000000000200000 R14: 0000000000008011 R15: 0000000010000000 ======================================================