bisecting fixing commit since 7aa823a959e1f50c0dab9e01c1940235eccc04cc
building syzkaller on 442206d76b974cca2d83ec763d4cf5ee829eb7d6
testing commit 7aa823a959e1f50c0dab9e01c1940235eccc04cc with gcc (GCC) 8.1.0
kernel signature: a4bc24de875c227ea1ffa65451f3619db3f10b9c
all runs: crashed: possible deadlock in free_ioctx_users
testing current HEAD 14260788bbb9c94b0e36abc17294266b69dd46e4
testing commit 14260788bbb9c94b0e36abc17294266b69dd46e4 with gcc (GCC) 8.1.0
kernel signature: c3d148747667d6aa25e458aa25d19f3514ede544
all runs: OK
# git bisect start 14260788bbb9c94b0e36abc17294266b69dd46e4 7aa823a959e1f50c0dab9e01c1940235eccc04cc
Bisecting: 1804 revisions left to test after this (roughly 11 steps)
[4b30a06982088e07eea04284137566bc7925de7b] firmware: ti_sci: Always request response from firmware
testing commit 4b30a06982088e07eea04284137566bc7925de7b with gcc (GCC) 8.1.0
kernel signature: b207c41c59f6e8e2bfc53728bed650f4800e3e23
all runs: OK
# git bisect bad 4b30a06982088e07eea04284137566bc7925de7b
Bisecting: 901 revisions left to test after this (roughly 10 steps)
[e7f206f42fb64adc8a4b9b0ea24d4e2c666c9cb9] drm/msm: Depopulate platform on probe failure
testing commit e7f206f42fb64adc8a4b9b0ea24d4e2c666c9cb9 with gcc (GCC) 8.1.0
kernel signature: f03e64637c968f0a51c5f5514df92802a4f57357
all runs: OK
# git bisect bad e7f206f42fb64adc8a4b9b0ea24d4e2c666c9cb9
Bisecting: 450 revisions left to test after this (roughly 9 steps)
[740b2ac495187f33e7ad7c216382ef171150d358] ip6_tunnel: allow not to count pkts on tstats by passing dev as NULL
testing commit 740b2ac495187f33e7ad7c216382ef171150d358 with gcc (GCC) 8.1.0
kernel signature: 49462311cf9a859a56685f9d58f012a80e0161cc
all runs: OK
# git bisect bad 740b2ac495187f33e7ad7c216382ef171150d358
Bisecting: 225 revisions left to test after this (roughly 8 steps)
[64e370233a0781aa0954ed4079e90d0bdb748b0e] staging: erofs: add requirements field in superblock
testing commit 64e370233a0781aa0954ed4079e90d0bdb748b0e with gcc (GCC) 8.1.0
kernel signature: 892595d0c2c1b8984880b8089653bae0796b99f1
all runs: crashed: possible deadlock in free_ioctx_users
# git bisect good 64e370233a0781aa0954ed4079e90d0bdb748b0e
Bisecting: 112 revisions left to test after this (roughly 7 steps)
[8be5629b9622eaa98a75f1763aa348f8eb37f504] scsi: hpsa: correct ioaccel2 chaining
testing commit 8be5629b9622eaa98a75f1763aa348f8eb37f504 with gcc (GCC) 8.1.0
kernel signature: 9018813e5f6d4927714671a623278ad8060e7783
all runs: crashed: possible deadlock in free_ioctx_users
# git bisect good 8be5629b9622eaa98a75f1763aa348f8eb37f504
Bisecting: 56 revisions left to test after this (roughly 6 steps)
[f6472f50fbfc1130b16df90b081db0c45e23a20c] KVM: x86: degrade WARN to pr_warn_ratelimited
testing commit f6472f50fbfc1130b16df90b081db0c45e23a20c with gcc (GCC) 8.1.0
kernel signature: c4f81ba2ebdae8cc4383ad9b102e856a82b4231d
all runs: OK
# git bisect bad f6472f50fbfc1130b16df90b081db0c45e23a20c
Bisecting: 27 revisions left to test after this (roughly 5 steps)
[b6d56f4f6a491d80169c666b64953d8395b47b4b] arm64: kaslr: keep modules inside module region when KASAN is enabled
testing commit b6d56f4f6a491d80169c666b64953d8395b47b4b with gcc (GCC) 8.1.0
kernel signature: c50e3c4ed3bb8bfe79a22190b242665071a9b8ee
all runs: OK
# git bisect bad b6d56f4f6a491d80169c666b64953d8395b47b4b
Bisecting: 13 revisions left to test after this (roughly 4 steps)
[600d3712ae122be3ceab0d7ac8246caa3d87dcea] drm/i915/dmc: protect against reading random memory
testing commit 600d3712ae122be3ceab0d7ac8246caa3d87dcea with gcc (GCC) 8.1.0
kernel signature: 3ed26ed6aff69a294c4af623bc4b5087ae6500ca
all runs: crashed: possible deadlock in free_ioctx_users
# git bisect good 600d3712ae122be3ceab0d7ac8246caa3d87dcea
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[d9b6936b134eb95c75274906ad0c1bd78712471d] ALSA: usb-audio: fix sign unintended sign extension on left shifts
testing commit d9b6936b134eb95c75274906ad0c1bd78712471d with gcc (GCC) 8.1.0
kernel signature: 76dd8cfc7d288cd3160af35df7c234cfb48302ed
all runs: crashed: possible deadlock in free_ioctx_users
# git bisect good d9b6936b134eb95c75274906ad0c1bd78712471d
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[ea38007107d656e40173da3fed59287ac2a7e11b] lib/mpi: Fix karactx leak in mpi_powm
testing commit ea38007107d656e40173da3fed59287ac2a7e11b with gcc (GCC) 8.1.0
kernel signature: 19d8b6926f96b18965408ec13b2730938487f229
all runs: crashed: possible deadlock in free_ioctx_users
# git bisect good ea38007107d656e40173da3fed59287ac2a7e11b
Bisecting: 1 revision left to test after this (roughly 1 step)
[c8790d7f76be43997e11e3e88857cf841b42b35f] tracing/snapshot: Resize spare buffer if size changed
testing commit c8790d7f76be43997e11e3e88857cf841b42b35f with gcc (GCC) 8.1.0
kernel signature: 3bf967ad7c83cb5767385166b0729abfd5994bcf
all runs: OK
# git bisect bad c8790d7f76be43997e11e3e88857cf841b42b35f
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[052b318100856aa86f4e0c03cfe43a1bb6bfb487] fs/userfaultfd.c: disable irqs for fault_pending and event locks
testing commit 052b318100856aa86f4e0c03cfe43a1bb6bfb487 with gcc (GCC) 8.1.0
kernel signature: 8d052fec579369baae714a2a943f340189ffa288
all runs: OK
# git bisect bad 052b318100856aa86f4e0c03cfe43a1bb6bfb487
052b318100856aa86f4e0c03cfe43a1bb6bfb487 is the first bad commit
commit 052b318100856aa86f4e0c03cfe43a1bb6bfb487
Author: Eric Biggers
Date: Thu Jul 4 15:14:39 2019 -0700

    fs/userfaultfd.c: disable irqs for fault_pending and event locks

    commit cbcfa130a911c613a1d9d921af2eea171c414172 upstream.

    When IOCB_CMD_POLL is used on a userfaultfd, aio_poll() disables IRQs and takes kioctx::ctx_lock, then userfaultfd_ctx::fd_wqh.lock.

    This may have to wait for userfaultfd_ctx::fd_wqh.lock to be released by userfaultfd_ctx_read(), which in turn can be waiting for userfaultfd_ctx::fault_pending_wqh.lock or userfaultfd_ctx::event_wqh.lock.

    But elsewhere the fault_pending_wqh and event_wqh locks are taken with IRQs enabled. Since the IRQ handler may take kioctx::ctx_lock, lockdep reports that a deadlock is possible.

    Fix it by always disabling IRQs when taking the fault_pending_wqh and event_wqh locks.

    Commit ae62c16e105a ("userfaultfd: disable irqs when taking the waitqueue lock") didn't fix this because it only accounted for the fd_wqh lock, not the other locks nested inside it.

    Link: http://lkml.kernel.org/r/20190627075004.21259-1-ebiggers@kernel.org
    Fixes: bfe4037e722e ("aio: implement IOCB_CMD_POLL")
    Signed-off-by: Eric Biggers
    Reported-by: syzbot+fab6de82892b6b9c6191@syzkaller.appspotmail.com
    Reported-by: syzbot+53c0b767f7ca0dc0c451@syzkaller.appspotmail.com
    Reported-by: syzbot+a3accb352f9c22041cfa@syzkaller.appspotmail.com
    Reviewed-by: Andrew Morton
    Cc: Christoph Hellwig
    Cc: Andrea Arcangeli
    Cc: [4.19+]
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

 fs/userfaultfd.c | 42 ++++++++++++++++++++++++++----------------
 1 file changed, 26 insertions(+), 16 deletions(-)
kernel signature: 8d052fec579369baae714a2a943f340189ffa288
previous signature: 19d8b6926f96b18965408ec13b2730938487f229
revisions tested: 14, total time: 3h37m45.241992285s (build: 1h54m3.094566234s, test: 1h39m2.46499947s)
first good commit: 052b318100856aa86f4e0c03cfe43a1bb6bfb487 fs/userfaultfd.c: disable irqs for fault_pending and event locks
cc: ["aarcange@redhat.com" "akpm@linux-foundation.org" "ebiggers@google.com" "gregkh@linuxfoundation.org" "hch@lst.de" "torvalds@linux-foundation.org"]