ci starts bisection 2025-11-02 10:06:40.493542221 +0000 UTC m=+219080.028891847 bisecting fixing commit since ad1b832bf1cf2df9304f8eb72943111625c7e5a7 building syzkaller on 40a34ec944732a2502ee67d92cc8c023355dfad4 ensuring issue is reproducible on original commit ad1b832bf1cf2df9304f8eb72943111625c7e5a7 testing commit ad1b832bf1cf2df9304f8eb72943111625c7e5a7 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 650b55bb5fe492333ce88828a12d78c2ce946974ffa1cd2ac2b6088fb11a3d8b all runs: crashed: INFO: task hung in pipe_write representative crash: INFO: task hung in pipe_write, types: [HANG] check whether we can drop unnecessary instrumentation disabling configs for [atomic_sleep memleak ubsan bug_or_warning kasan locking], they are not needed testing commit ad1b832bf1cf2df9304f8eb72943111625c7e5a7 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 7707e5a5da2c6d88b319e7b3bbb9d29da08b243a15c74013a99813864dfe1ea8 all runs: crashed: INFO: task hung in pipe_write representative crash: INFO: task hung in pipe_write, types: [HANG] the bug reproduces without the instrumentation disabling configs for [kasan locking atomic_sleep memleak ubsan bug_or_warning], they are not needed kconfig minimization: base=4109 full=8256 leaves diff=2158 split chunks (needed=false): <2158> split chunk #0 of len 2158 into 5 parts testing without sub-chunk 1/5 disabling configs for [kasan locking atomic_sleep memleak ubsan bug_or_warning], they are not needed testing commit ad1b832bf1cf2df9304f8eb72943111625c7e5a7 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: fefc8a76b3a87bdc9da9287aec159e8a43d77a6b4d5eb832011993b762c2581c all runs: crashed: INFO: task hung in pipe_write representative crash: INFO: task hung in pipe_write, types: [HANG] the chunk can be dropped testing without sub-chunk 2/5 disabling configs for [memleak ubsan bug_or_warning kasan locking atomic_sleep], they are not needed testing commit ad1b832bf1cf2df9304f8eb72943111625c7e5a7 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 16d794a5020c02c7eff1fc2fc5a000e1a1a0f16a96ad4590d1de59da0d2870e6 all runs: crashed: INFO: task hung in pipe_write representative crash: INFO: task hung in pipe_write, types: [HANG] the chunk can be dropped testing without sub-chunk 3/5 disabling configs for [locking atomic_sleep memleak ubsan bug_or_warning kasan], they are not needed testing commit ad1b832bf1cf2df9304f8eb72943111625c7e5a7 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 29f898e6487b0dcd3b419587b48e5d2e5f500a7d5a3d524e07b71934501f0d48 all runs: crashed: INFO: task hung in pipe_write representative crash: INFO: task hung in pipe_write, types: [HANG] the chunk can be dropped testing without sub-chunk 4/5 disabling configs for [memleak ubsan bug_or_warning kasan locking atomic_sleep], they are not needed testing commit ad1b832bf1cf2df9304f8eb72943111625c7e5a7 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 02f127f026146efe0bedbc029d6557060ca8172e4005e1356ac982efcd901fde all runs: crashed: INFO: task hung in pipe_write representative crash: INFO: task hung in pipe_write, types: [HANG] the chunk can be dropped testing without sub-chunk 5/5 disabling configs for [locking atomic_sleep memleak ubsan bug_or_warning kasan], they are not needed testing commit ad1b832bf1cf2df9304f8eb72943111625c7e5a7 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: b9d53b312c4dc56b6691fbfcdc3c625217871f6eeaf410ee686c4340b8473b25 all runs: crashed: INFO: task hung in pipe_write representative crash: INFO: task hung in pipe_write, types: [HANG] the chunk can be dropped disabling configs for [memleak ubsan bug_or_warning kasan locking atomic_sleep], they are not needed testing current HEAD 691d401c7e0e5ea34ac6f8151bc0696db1b2500a testing commit 691d401c7e0e5ea34ac6f8151bc0696db1b2500a gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 7739f6ab91c7cafba91da10d529488a9f3ab3801936a67487ab8aca1fff7d6f7 all runs: OK false negative chance: 0.000 # git bisect start 691d401c7e0e5ea34ac6f8151bc0696db1b2500a ad1b832bf1cf2df9304f8eb72943111625c7e5a7 Bisecting: 30851 revisions left to test after this (roughly 15 steps) [378ec25aec5a8444879f8696d580c94950a1f1df] Merge tag 'tty-6.16-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty determine whether the revision contains the guilty commit revision ad1b832bf1cf2df9304f8eb72943111625c7e5a7 crashed and is reachable testing commit 378ec25aec5a8444879f8696d580c94950a1f1df gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 737196a1c866b6e2682082ca1a9925b34976e13500ec629edbf58f43deb7f600 all runs: crashed: INFO: task hung in anon_pipe_write representative crash: INFO: task hung in anon_pipe_write, types: [HANG] # git bisect good 378ec25aec5a8444879f8696d580c94950a1f1df Bisecting: 15433 revisions left to test after this (roughly 14 steps) [edeee68c42747c9d9b237f06fbc4cd1a2348fefb] Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi determine whether the revision contains the guilty commit revision 378ec25aec5a8444879f8696d580c94950a1f1df crashed and is reachable testing commit edeee68c42747c9d9b237f06fbc4cd1a2348fefb gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 5b99b483f02c5c55261df0cf8d63151505e54bd26dc820278ce03a8f0aa57318 all runs: crashed: INFO: task hung in anon_pipe_write representative crash: INFO: task hung in anon_pipe_write, types: [HANG] # git bisect good edeee68c42747c9d9b237f06fbc4cd1a2348fefb Bisecting: 7457 revisions left to test after this (roughly 13 steps) [58809f614e0e3f4e12b489bddf680bfeb31c0a20] Merge tag 'drm-next-2025-10-01' of https://gitlab.freedesktop.org/drm/kernel determine whether the revision contains the guilty commit revision 378ec25aec5a8444879f8696d580c94950a1f1df crashed and is reachable testing commit 58809f614e0e3f4e12b489bddf680bfeb31c0a20 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: b046271c09c60df89f98b64103e80aed03df1848fdd671b9a6644f8a42ae7810 all runs: crashed: INFO: task hung in anon_pipe_write representative crash: INFO: task hung in anon_pipe_write, types: [HANG] # git bisect good 58809f614e0e3f4e12b489bddf680bfeb31c0a20 Bisecting: 3688 revisions left to test after this (roughly 12 steps) [f3826aa9962b4572d01083c84ac0f8345f121168] Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm determine whether the revision contains the guilty commit revision ad1b832bf1cf2df9304f8eb72943111625c7e5a7 crashed and is reachable testing commit f3826aa9962b4572d01083c84ac0f8345f121168 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 5b5ad34e6805f9a748fd5b42becd9645761f7dfe24407d46ba5ff5223265f62a all runs: crashed: INFO: task hung in anon_pipe_write representative crash: INFO: task hung in anon_pipe_write, types: [HANG] # git bisect good f3826aa9962b4572d01083c84ac0f8345f121168 Bisecting: 1685 revisions left to test after this (roughly 11 steps) [522ba450b56fff29f868b1552bdc2965f55de7ed] Merge tag 'clk-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux determine whether the revision contains the guilty commit revision 58809f614e0e3f4e12b489bddf680bfeb31c0a20 crashed and is reachable testing commit 522ba450b56fff29f868b1552bdc2965f55de7ed gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 73028546ee31927b41eaf3151e2bccd31f860ce8755ec0b6a36823750c2dce9c all runs: crashed: INFO: task hung in anon_pipe_write representative crash: INFO: task hung in anon_pipe_write, types: [HANG] # git bisect good 522ba450b56fff29f868b1552bdc2965f55de7ed Bisecting: 842 revisions left to test after this (roughly 10 steps) [bb65e0c141f879cdf54db11ae446ee3605fb54d5] net/mlx5: Add PPHCR to PCAM supported registers mask determine whether the revision contains the guilty commit revision 378ec25aec5a8444879f8696d580c94950a1f1df crashed and is reachable testing commit bb65e0c141f879cdf54db11ae446ee3605fb54d5 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: a054ccda468c39410cd6d9456eb1469d279949f5898ba4a0c9538596f7b9f349 all runs: OK false negative chance: 0.000 # git bisect bad bb65e0c141f879cdf54db11ae446ee3605fb54d5 Bisecting: 421 revisions left to test after this (roughly 9 steps) [b014a4e066c555185b7c367efacdc33f16695495] tls: wait for async encrypt in case of error during latter iterations of sendmsg determine whether the revision contains the guilty commit revision 58809f614e0e3f4e12b489bddf680bfeb31c0a20 crashed and is reachable testing commit b014a4e066c555185b7c367efacdc33f16695495 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 484bc1d93fe06c70d8240aecec19525fc22cc11cb16316b1a2caaa4fe842cb55 all runs: crashed: INFO: task hung in anon_pipe_write representative crash: INFO: task hung in anon_pipe_write, types: [HANG] # git bisect good b014a4e066c555185b7c367efacdc33f16695495 Bisecting: 211 revisions left to test after this (roughly 8 steps) [971370a88c3b1be1144c11468b4c84e3ed17af6d] Merge tag 'mm-hotfixes-stable-2025-10-10-15-00' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm determine whether the revision contains the guilty commit revision ad1b832bf1cf2df9304f8eb72943111625c7e5a7 crashed and is reachable testing commit 971370a88c3b1be1144c11468b4c84e3ed17af6d gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 55e8da82a1a79868195f4e0d344dc5ccc08d431af80f78be873be3378efea4ba all runs: OK false negative chance: 0.000 # git bisect bad 971370a88c3b1be1144c11468b4c84e3ed17af6d Bisecting: 102 revisions left to test after this (roughly 7 steps) [1b1391b9c4bfadcaeb89a87edf6c3520dd349e35] Merge tag 'block-6.18-20251009' of git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux determine whether the revision contains the guilty commit revision f3826aa9962b4572d01083c84ac0f8345f121168 crashed and is reachable testing commit 1b1391b9c4bfadcaeb89a87edf6c3520dd349e35 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 6f0d9981d3c743f38f1e27d43aaa539e04d1bf9d8e7d3778deb1f172567c4b5c all runs: OK false negative chance: 0.000 # git bisect bad 1b1391b9c4bfadcaeb89a87edf6c3520dd349e35 Bisecting: 56 revisions left to test after this (roughly 6 steps) [9976831f401eeb302d699b2d37624153d7cd2892] Merge tag 'gpio-fixes-for-v6.18-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux determine whether the revision contains the guilty commit revision ad1b832bf1cf2df9304f8eb72943111625c7e5a7 crashed and is reachable testing commit 9976831f401eeb302d699b2d37624153d7cd2892 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: cbffa17dea1eb061b1d05664165cd856d44af56dafa6ded23864f1caa40b1257 all runs: OK false negative chance: 0.000 # git bisect bad 9976831f401eeb302d699b2d37624153d7cd2892 Bisecting: 23 revisions left to test after this (roughly 5 steps) [0ae452440cb9fee9079dc925f40cd824c1a9de2a] Merge tag 'v6.18-p3' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 determine whether the revision contains the guilty commit revision ad1b832bf1cf2df9304f8eb72943111625c7e5a7 crashed and is reachable testing commit 0ae452440cb9fee9079dc925f40cd824c1a9de2a gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: d6be01def62bf0bb5c2c5bfdf92d491d0b321fda3d66e4303726ab7d2ed74d2a all runs: OK false negative chance: 0.000 # git bisect bad 0ae452440cb9fee9079dc925f40cd824c1a9de2a Bisecting: 15 revisions left to test after this (roughly 4 steps) [80b7065ec19485943fa00d60f27b447c3f17069c] Merge tag '9p-for-6.18-rc1' of https://github.com/martinetd/linux determine whether the revision contains the guilty commit revision ad1b832bf1cf2df9304f8eb72943111625c7e5a7 crashed and is reachable testing commit 80b7065ec19485943fa00d60f27b447c3f17069c gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: a7347498593c0c911c2b00f40e8f91a2bff4c26d357e11013dd5f5e3010ee2a0 all runs: OK false negative chance: 0.000 # git bisect bad 80b7065ec19485943fa00d60f27b447c3f17069c Bisecting: 4 revisions left to test after this (roughly 2 steps) [674b56aa57f9379854cb6798c3bbcef7e7b51ab7] net/9p: fix double req put in p9_fd_cancelled determine whether the revision contains the guilty commit revision ad1b832bf1cf2df9304f8eb72943111625c7e5a7 crashed and is reachable testing commit 674b56aa57f9379854cb6798c3bbcef7e7b51ab7 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: aee6d26ffd91546bed0940d5d6b8f406c5739c13f6faf72518af669ffb215f2b all runs: crashed: INFO: task hung in anon_pipe_write representative crash: INFO: task hung in anon_pipe_write, types: [HANG] # git bisect good 674b56aa57f9379854cb6798c3bbcef7e7b51ab7 Bisecting: 2 revisions left to test after this (roughly 1 step) [623fa18f6c94e589b29c4e6277943364f1bb71d6] 9p: clean up comment typos determine whether the revision contains the guilty commit revision 674b56aa57f9379854cb6798c3bbcef7e7b51ab7 crashed and is reachable testing commit 623fa18f6c94e589b29c4e6277943364f1bb71d6 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 516e374954c0462da53dca4296a35fda4f48fa0d8837dabf2432a7398026e8dc all runs: OK false negative chance: 0.000 # git bisect bad 623fa18f6c94e589b29c4e6277943364f1bb71d6 Bisecting: 0 revisions left to test after this (roughly 0 steps) [e8fe3f07a357c39d429e02ca34f740692d88967a] 9p/trans_fd: p9_fd_request: kick rx thread if EPOLLIN determine whether the revision contains the guilty commit revision ad1b832bf1cf2df9304f8eb72943111625c7e5a7 crashed and is reachable testing commit e8fe3f07a357c39d429e02ca34f740692d88967a gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 98116b4f6dec7c3f664c3f1f1e16c13e037e55901832ea51a94d0b688b08a6fb all runs: OK false negative chance: 0.000 # git bisect bad e8fe3f07a357c39d429e02ca34f740692d88967a e8fe3f07a357c39d429e02ca34f740692d88967a is the first bad commit commit e8fe3f07a357c39d429e02ca34f740692d88967a Author: Oleg Nesterov Date: Tue Aug 19 18:10:13 2025 +0200 9p/trans_fd: p9_fd_request: kick rx thread if EPOLLIN p9_read_work() doesn't set Rworksched and doesn't do schedule_work(m->rq) if list_empty(&m->req_list). However, if the pipe is full, we need to read more data and this used to work prior to commit aaec5a95d59615 ("pipe_read: don't wake up the writer if the pipe is still full"). p9_read_work() does p9_fd_read() -> ... -> anon_pipe_read() which (before the commit above) triggered the unnecessary wakeup. This wakeup calls p9_pollwake() which kicks p9_poll_workfn() -> p9_poll_mux(), p9_poll_mux() will notice EPOLLIN and schedule_work(&m->rq). This no longer happens after the optimization above, change p9_fd_request() to use p9_poll_mux() instead of only checking for EPOLLOUT. Reported-by: syzbot+d1b5dace43896bc386c3@syzkaller.appspotmail.com Tested-by: syzbot+d1b5dace43896bc386c3@syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/68a2de8f.050a0220.e29e5.0097.GAE@google.com/ Link: https://lore.kernel.org/all/67dedd2f.050a0220.31a16b.003f.GAE@google.com/ Co-developed-by: K Prateek Nayak Signed-off-by: K Prateek Nayak Signed-off-by: Oleg Nesterov Tested-by: K Prateek Nayak Message-ID: <20250819161013.GB11345@redhat.com> Signed-off-by: Dominique Martinet net/9p/trans_fd.c | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) accumulated error probability: 0.00 culprit signature: 98116b4f6dec7c3f664c3f1f1e16c13e037e55901832ea51a94d0b688b08a6fb parent signature: aee6d26ffd91546bed0940d5d6b8f406c5739c13f6faf72518af669ffb215f2b revisions tested: 23, total time: 7h30m30.331234961s (build: 2h49m35.853448212s, test: 4h0m55.783946402s) first good commit: e8fe3f07a357c39d429e02ca34f740692d88967a 9p/trans_fd: p9_fd_request: kick rx thread if EPOLLIN recipients (to): ["asmadeus@codewreck.org" "kprateek.nayak@amd.com" "oleg@redhat.com" "syzbot+d1b5dace43896bc386c3@syzkaller.appspotmail.com"] recipients (cc): []