bisecting cause commit starting from c57cf3833c66cd86c9bdee7112fc992377143f74 building syzkaller on 5ea87a6638e52a94361b26b8576a1605585815fb testing commit c57cf3833c66cd86c9bdee7112fc992377143f74 with gcc (GCC) 8.1.0 run #0: crashed: BUG: unable to handle kernel paging request in io_wq_cancel_all run #1: crashed: BUG: unable to handle kernel paging request in io_wq_cancel_all run #2: crashed: BUG: unable to handle kernel paging request in io_wq_cancel_all run #3: crashed: BUG: unable to handle kernel paging request in io_wq_cancel_all run #4: crashed: BUG: unable to handle kernel paging request in io_wq_cancel_all run #5: crashed: BUG: unable to handle kernel paging request in io_wq_cancel_all run #6: crashed: INFO: task hung in mpage_prepare_extent_to_map run #7: crashed: INFO: task hung in mpage_prepare_extent_to_map run #8: crashed: INFO: task hung in mpage_prepare_extent_to_map run #9: crashed: INFO: task hung in mpage_prepare_extent_to_map testing release v5.3 testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.1.0 all runs: OK # git bisect start c57cf3833c66cd86c9bdee7112fc992377143f74 v5.3 Bisecting: 11049 revisions left to test after this (roughly 14 steps) [10fd71780f7d155f4e35fecfad0ebd4a725a244b] Merge tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi testing commit 10fd71780f7d155f4e35fecfad0ebd4a725a244b with gcc (GCC) 8.1.0 all runs: OK # git bisect good 10fd71780f7d155f4e35fecfad0ebd4a725a244b Bisecting: 5472 revisions left to test after this (roughly 13 steps) [40432ce5462a53edd618032c5950bd9b2fb81f7b] Merge remote-tracking branch 'hid/for-next' testing commit 40432ce5462a53edd618032c5950bd9b2fb81f7b with gcc (GCC) 8.1.0 all runs: OK # git bisect good 40432ce5462a53edd618032c5950bd9b2fb81f7b Bisecting: 2672 revisions left to test after this (roughly 12 steps) [783871e087f33f62953bab7b1e2ea812ec398a75] Merge remote-tracking branch 'amdgpu/drm-next' testing commit 783871e087f33f62953bab7b1e2ea812ec398a75 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 783871e087f33f62953bab7b1e2ea812ec398a75 Bisecting: 1338 revisions left to test after this (roughly 10 steps) [ac58aa8de2dc8e26caaec24e94755308c9b5a9ab] Merge remote-tracking branch 'kvm-arm/next' testing commit ac58aa8de2dc8e26caaec24e94755308c9b5a9ab with gcc (GCC) 8.1.0 all runs: crashed: BUG: unable to handle kernel paging request in io_wq_cancel_all # git bisect bad ac58aa8de2dc8e26caaec24e94755308c9b5a9ab Bisecting: 666 revisions left to test after this (roughly 9 steps) [60f9aea76b135612f3844f7a4c75dc8b11248762] Merge remote-tracking branch 'backlight/for-backlight-next' testing commit 60f9aea76b135612f3844f7a4c75dc8b11248762 with gcc (GCC) 8.1.0 all runs: crashed: BUG: unable to handle kernel paging request in io_wq_cancel_all # git bisect bad 60f9aea76b135612f3844f7a4c75dc8b11248762 Bisecting: 360 revisions left to test after this (roughly 8 steps) [879a2b87fc14eda25bee596e6b6c82726d05a09b] Merge remote-tracking branch 'sound/for-next' testing commit 879a2b87fc14eda25bee596e6b6c82726d05a09b with gcc (GCC) 8.1.0 all runs: OK # git bisect good 879a2b87fc14eda25bee596e6b6c82726d05a09b Bisecting: 180 revisions left to test after this (roughly 8 steps) [07932563686a6c51b26266c8572901c46fd1cd55] ASoC: tegra: add a TDM configuration callback testing commit 07932563686a6c51b26266c8572901c46fd1cd55 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 07932563686a6c51b26266c8572901c46fd1cd55 Bisecting: 116 revisions left to test after this (roughly 7 steps) [44f11ae1b7f7080f966264f9f5b2976262a9778c] Merge remote-tracking branch 'input/next' testing commit 44f11ae1b7f7080f966264f9f5b2976262a9778c with gcc (GCC) 8.1.0 all runs: OK # git bisect good 44f11ae1b7f7080f966264f9f5b2976262a9778c Bisecting: 63 revisions left to test after this (roughly 6 steps) [7bb67bd5dd623c9ead3493a0f60159819904993e] Merge remote-tracking branch 'block/for-next' testing commit 7bb67bd5dd623c9ead3493a0f60159819904993e with gcc (GCC) 8.1.0 all runs: crashed: BUG: unable to handle kernel paging request in io_wq_cancel_all # git bisect bad 7bb67bd5dd623c9ead3493a0f60159819904993e Bisecting: 23 revisions left to test after this (roughly 5 steps) [acbc4293091756c0f729438fdc6a12e07ab793f7] Merge branch 'for-5.5/drivers' into for-next testing commit acbc4293091756c0f729438fdc6a12e07ab793f7 with gcc (GCC) 8.1.0 all runs: OK # git bisect good acbc4293091756c0f729438fdc6a12e07ab793f7 Bisecting: 11 revisions left to test after this (roughly 4 steps) [ef0524d3654628ead811f328af0a4a2953a8310f] io_uring: replace workqueue usage with io-wq testing commit ef0524d3654628ead811f328af0a4a2953a8310f with gcc (GCC) 8.1.0 all runs: crashed: BUG: unable to handle kernel paging request in io_wq_cancel_all # git bisect bad ef0524d3654628ead811f328af0a4a2953a8310f Bisecting: 5 revisions left to test after this (roughly 3 steps) [a9d8b0b0613cc4b2221e5c345a9959b0134863d1] io_uring: add support for absolute timeouts testing commit a9d8b0b0613cc4b2221e5c345a9959b0134863d1 with gcc (GCC) 8.1.0 all runs: OK # git bisect good a9d8b0b0613cc4b2221e5c345a9959b0134863d1 Bisecting: 2 revisions left to test after this (roughly 2 steps) [04e24bf1d5c43c52035b74e8cb5ec78756867a05] io_uring: remove index from sqe_submit testing commit 04e24bf1d5c43c52035b74e8cb5ec78756867a05 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 04e24bf1d5c43c52035b74e8cb5ec78756867a05 Bisecting: 0 revisions left to test after this (roughly 1 step) [d780bb5b77d3f545f1161f08eee450e1f516e990] io-wq: small threadpool implementation for io_uring testing commit d780bb5b77d3f545f1161f08eee450e1f516e990 with gcc (GCC) 8.1.0 all runs: OK # git bisect good d780bb5b77d3f545f1161f08eee450e1f516e990 ef0524d3654628ead811f328af0a4a2953a8310f is the first bad commit commit ef0524d3654628ead811f328af0a4a2953a8310f Author: Jens Axboe Date: Thu Oct 24 07:25:42 2019 -0600 io_uring: replace workqueue usage with io-wq Drop various work-arounds we have for workqueues: - We no longer need the async_list for tracking sequential IO. - We don't have to maintain our own mm tracking/setting. - We don't need a separate workqueue for buffered writes. This didn't even work that well to begin with, as it was suboptimal for multiple buffered writers on multiple files. - We can properly cancel pending interruptible work. This fixes deadlocks with particularly socket IO, where we cannot cancel them when the io_uring is closed. Hence the ring will wait forever for these requests to complete, which may never happen. This is different from disk IO where we know requests will complete in a finite amount of time. - Due to being able to cancel work interruptible work that is already running, we can implement file table support for work. We need that for supporting system calls that add to a process file table. - It gets us one step closer to adding async support for any system call. Signed-off-by: Jens Axboe :040000 040000 e06573eb171d045461d80bef80e39aab14ecfb60 0952d637526961314fae099a93cd3fa00c3fef73 M fs :040000 040000 157ea496cd6121360830b53a6ccc905ca19e1f34 85b4c49736bfc58a78a7516a110eb319d46900d7 M include :040000 040000 ceda7e59c359fb11616071c1af447af9c94b7a85 85a16f73da800a0b58036ca1f8094ed06f3c62ea M init revisions tested: 16, total time: 4h5m40.404848943s (build: 1h39m2.181526858s, test: 2h21m20.934202664s) first bad commit: ef0524d3654628ead811f328af0a4a2953a8310f io_uring: replace workqueue usage with io-wq cc: ["akpm@linux-foundation.org" "axboe@kernel.dk" "dan.j.williams@intel.com" "dhowells@redhat.com" "gregkh@linuxfoundation.org" "hannes@cmpxchg.org" "joel@joelfernandes.org" "linux-block@vger.kernel.org" "linux-fsdevel@vger.kernel.org" "linux-kernel@vger.kernel.org" "mchehab+samsung@kernel.org" "mingo@redhat.com" "patrick.bellasi@arm.com" "rgb@redhat.com" "rostedt@goodmis.org" "viro@zeniv.linux.org.uk" "yamada.masahiro@socionext.com"] crash: BUG: unable to handle kernel paging request in io_wq_cancel_all BUG: unable to handle page fault for address: fffffc0000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP KASAN CPU: 1 PID: 7652 Comm: syz-executor.1 Not tainted 5.4.0-rc4+ #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:bytes_is_nonzero mm/kasan/generic.c:92 [inline] RIP: 0010:memory_is_nonzero mm/kasan/generic.c:109 [inline] RIP: 0010:memory_is_poisoned_n mm/kasan/generic.c:135 [inline] RIP: 0010:memory_is_poisoned mm/kasan/generic.c:166 [inline] RIP: 0010:check_memory_region_inline mm/kasan/generic.c:182 [inline] RIP: 0010:check_memory_region+0x128/0x1d0 mm/kasan/generic.c:192 Code: 75 49 4c 89 e3 48 29 c3 e9 60 ff ff ff 48 85 db 74 2a 41 80 39 00 75 30 48 b8 01 00 00 00 00 fc ff df 49 01 d9 49 01 c0 eb 0d <41> 80 38 00 49 8d 40 01 75 8e 49 89 c0 4d 39 c8 75 ee 5b b8 01 00 RSP: 0018:ffff88809030fd40 EFLAGS: 00010216 RAX: dffffc0000000001 RBX: e000000000000002 RCX: ffffffff81b9ee92 RDX: 0000000000000001 RSI: 0000000000000008 RDI: fffffffffffffffc RBP: ffff88809030fd58 R08: fffffc0000000000 R09: dffffc0000000001 R10: dffffc0000000000 R11: 0000000000000003 R12: dffffc0000000001 R13: ffff8880a4bb9080 R14: ffff8880a4bb9380 R15: fffffffffffffff4 FS: 0000000001cd3940(0000) GS:ffff8880aeb00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: fffffc0000000000 CR3: 000000008d933000 CR4: 00000000001406e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: __kasan_check_write+0x14/0x20 mm/kasan/common.c:98 set_bit include/asm-generic/bitops-instrumented.h:28 [inline] io_wq_cancel_all+0x22/0x210 fs/io-wq.c:595 io_ring_ctx_wait_and_kill+0x1aa/0x610 fs/io_uring.c:3697 io_uring_release+0x3d/0x50 fs/io_uring.c:3709 __fput+0x25a/0x770 fs/file_table.c:280 ____fput+0x9/0x10 fs/file_table.c:313 task_work_run+0x108/0x180 kernel/task_work.c:113 tracehook_notify_resume include/linux/tracehook.h:188 [inline] exit_to_usermode_loop+0x24e/0x2e0 arch/x86/entry/common.c:163 prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline] syscall_return_slowpath arch/x86/entry/common.c:274 [inline] do_syscall_64+0x4e8/0x5d0 arch/x86/entry/common.c:300 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x413ae1 Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01 RSP: 002b:00007fffe31c0bb0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: 0000000000000000 RBX: 0000000000000005 RCX: 0000000000413ae1 RDX: fffffffffffffff7 RSI: 0000000000000000 RDI: 0000000000000004 RBP: 0000000000000001 R08: ffffffffffffffff R09: ffffffffffffffff R10: 00007fffe31c0c90 R11: 0000000000000293 R12: 000000000075c9a0 R13: 000000000075c9a0 R14: 00000000007604b0 R15: 000000000075bf2c Modules linked in: CR2: fffffc0000000000 ---[ end trace 458a880078c2e369 ]--- RIP: 0010:bytes_is_nonzero mm/kasan/generic.c:92 [inline] RIP: 0010:memory_is_nonzero mm/kasan/generic.c:109 [inline] RIP: 0010:memory_is_poisoned_n mm/kasan/generic.c:135 [inline] RIP: 0010:memory_is_poisoned mm/kasan/generic.c:166 [inline] RIP: 0010:check_memory_region_inline mm/kasan/generic.c:182 [inline] RIP: 0010:check_memory_region+0x128/0x1d0 mm/kasan/generic.c:192 Code: 75 49 4c 89 e3 48 29 c3 e9 60 ff ff ff 48 85 db 74 2a 41 80 39 00 75 30 48 b8 01 00 00 00 00 fc ff df 49 01 d9 49 01 c0 eb 0d <41> 80 38 00 49 8d 40 01 75 8e 49 89 c0 4d 39 c8 75 ee 5b b8 01 00 RSP: 0018:ffff88809030fd40 EFLAGS: 00010216 RAX: dffffc0000000001 RBX: e000000000000002 RCX: ffffffff81b9ee92 RDX: 0000000000000001 RSI: 0000000000000008 RDI: fffffffffffffffc RBP: ffff88809030fd58 R08: fffffc0000000000 R09: dffffc0000000001 R10: dffffc0000000000 R11: 0000000000000003 R12: dffffc0000000001 R13: ffff8880a4bb9080 R14: ffff8880a4bb9380 R15: fffffffffffffff4 FS: 0000000001cd3940(0000) GS:ffff8880aeb00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: fffffc0000000000 CR3: 000000008d933000 CR4: 00000000001406e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400