From: Hillf Danton <hdanton@sina.com>
To: Qian Cai <cai@lca.pw>
Cc: LKML <linux-kernel@vger.kernel.org>,
Linux-MM <linux-mm@kvack.org>, Jens Axboe <axboe@kernel.dk>
Subject: Re: [PATCH 0/2] mm: Two small fixes for recent syzbot reports
Date: Tue, 14 Apr 2020 12:07:17 +0800 [thread overview]
Message-ID: <20200414040717.22040-1-hdanton@sina.com> (raw)
In-Reply-To: <20200410092951.6db32bfe@canb.auug.org.au>
On Mon, 13 Apr 2020 18:06:21 -0400 Qian Cai wrote:
>
> BTW, I=E2=80=99ll be adding fuzzers to my daily linux-next routines =
> where it triggers this
> io_uring/scheduler bug almost immediately, so hopefully would buy syzbot =
> some
> time to resume on linux-next.
>
> [67493.516737][T211750] BUG: unable to handle page fault for address: =
> ffffffffffffffe8
> [67493.557315][T211750] #PF: supervisor read access in kernel mode
> [67493.586726][T211750] #PF: error_code(0x0000) - not-present page
> [67493.614434][T211750] PGD f96e17067 P4D f96e17067 PUD f96e19067 PMD 0=20=
>
> [67493.644846][T211750] Oops: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
> [67493.674127][T211750] CPU: 55 PID: 211750 Comm: trinity-c127 Tainted: =
> G B L 5.7.0-rc1-next-20200413 #4
> [67493.722516][T211750] Hardware name: HP ProLiant DL380 Gen9/ProLiant =
> DL380 Gen9, BIOS P89 04/12/2017
> [67493.764925][T211750] RIP: 0010:__wake_up_common+0x98/0x290
> __wake_up_common at kernel/sched/wait.c:87
> [67493.790675][T211750] Code: 40 4d 8d 78 e8 49 8d 7f 18 49 39 fd 0f 84 =
> 80 00 00 00 e8 6b bd 2b 00 49 8b 5f 18 45 31 e4 48 83 eb 18 4c 89 ff e8 =
> 08 bc 2b 00 <45> 8b 37 41 f6 c6 04 75 71 49 8d 7f 10 e8 46 bd 2b 00 49 =
> 8b 47 10
> [67493.881650][T211750] RSP: 0018:ffffc9000adbfaf0 EFLAGS: 00010046
> [67493.909854][T211750] RAX: 0000000000000000 RBX: ffffffffffffffe8 RCX: =
> ffffffffaa9636b8
> [67493.947131][T211750] RDX: 0000000000000003 RSI: dffffc0000000000 RDI: =
> ffffffffffffffe8
> [67493.983829][T211750] RBP: ffffc9000adbfb40 R08: fffffbfff582c5fd R09: =
> fffffbfff582c5fd
> [67494.020861][T211750] R10: ffffffffac162fe3 R11: fffffbfff582c5fc R12: =
> 0000000000000000
> [67494.059249][T211750] R13: ffff888ef82b0960 R14: ffffc9000adbfb80 R15: =
> ffffffffffffffe8
> [67494.099699][T211750] FS: 00007fdcba4c4740(0000) =
> GS:ffff889033780000(0000) knlGS:0000000000000000
> [67494.141858][T211750] CS: 0010 DS: 0000 ES: 0000 CR0: =
> 0000000080050033
> [67494.172660][T211750] CR2: ffffffffffffffe8 CR3: 0000000f776a0004 CR4: =
> 00000000001606e0
> [67494.209760][T211750] Call Trace:
> [67494.224720][T211750] __wake_up_common_lock+0xea/0x150
> (inlined by) __wake_up_common_lock at kernel/sched/wait.c:124
> [67494.248753][T211750] ? __wake_up_common+0x290/0x290
> [67494.272014][T211750] ? lockdep_hardirqs_on+0x16/0x2c0
> [67494.296139][T211750] __wake_up+0x13/0x20
> [67494.314946][T211750] io_cqring_ev_posted+0x75/0xe0
> (inlined by) io_cqring_ev_posted at fs/io_uring.c:1160
> [67494.337726][T211750] io_ring_ctx_wait_and_kill+0x1c0/0x2f0
> io_ring_ctx_wait_and_kill at fs/io_uring.c:7305
> [67494.363840][T211750] io_uring_create+0xa8d/0x13b0
> [67494.386526][T211750] ? io_req_defer_prep+0x990/0x990
> [67494.410119][T211750] ? __kasan_check_write+0x14/0x20
> [67494.433646][T211750] io_uring_setup+0xb8/0x130
> [67494.454870][T211750] ? io_uring_create+0x13b0/0x13b0
> [67494.478342][T211750] ? check_flags.part.28+0x220/0x220
> [67494.502947][T211750] ? lockdep_hardirqs_on+0x16/0x2c0
> [67494.526965][T211750] __x64_sys_io_uring_setup+0x31/0x40
> [67494.551820][T211750] do_syscall_64+0xcc/0xaf0
> [67494.574829][T211750] ? syscall_return_slowpath+0x580/0x580
> [67494.604591][T211750] ? lockdep_hardirqs_off+0x1f/0x140
> [67494.628901][T211750] ? entry_SYSCALL_64_after_hwframe+0x3e/0xb3
> [67494.657616][T211750] ? trace_hardirqs_off_caller+0x3a/0x150
> [67494.683999][T211750] ? trace_hardirqs_off_thunk+0x1a/0x1c
> [67494.709982][T211750] entry_SYSCALL_64_after_hwframe+0x49/0xb3
See if it makes your fuzzers happy.
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -934,6 +934,7 @@ static struct io_ring_ctx *io_ring_ctx_a
idr_init(&ctx->personality_idr);
mutex_init(&ctx->uring_lock);
init_waitqueue_head(&ctx->wait);
+ init_waitqueue_head(&ctx->sqo_wait);
spin_lock_init(&ctx->completion_lock);
INIT_LIST_HEAD(&ctx->poll_list);
INIT_LIST_HEAD(&ctx->defer_list);
@@ -6824,7 +6825,6 @@ static int io_sq_offload_start(struct io
{
int ret;
- init_waitqueue_head(&ctx->sqo_wait);
mmgrab(current->mm);
ctx->sqo_mm = current->mm;
next prev parent reply other threads:[~2020-04-14 4:07 UTC|newest]
Thread overview: 71+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-04-08 1:40 [PATCH 0/2] mm: Two small fixes for recent syzbot reports Peter Xu
2020-04-08 1:40 ` [PATCH 1/2] mm/mempolicy: Allow lookup_node() to handle fatal signal Peter Xu
2020-04-08 10:21 ` Michal Hocko
2020-04-08 14:20 ` Peter Xu
2020-04-08 14:30 ` Michal Hocko
2020-04-08 15:24 ` Peter Xu
2020-04-08 15:26 ` Michal Hocko
2020-04-09 7:02 ` Michal Hocko
2020-04-09 12:52 ` Peter Xu
2020-04-09 13:00 ` Peter Xu
2020-04-09 13:53 ` Michal Hocko
2020-04-09 16:42 ` Linus Torvalds
2020-04-09 16:42 ` Linus Torvalds
2020-04-14 11:04 ` Michal Hocko
2020-04-14 13:49 ` Peter Xu
2020-04-14 14:18 ` Michal Hocko
2020-04-20 12:47 ` Michal Hocko
2020-04-20 17:31 ` Linus Torvalds
2020-04-20 17:31 ` Linus Torvalds
2020-04-21 7:09 ` Michal Hocko
2020-04-08 1:40 ` [PATCH 2/2] mm/gup: Mark lock taken only after a successful retake Peter Xu
2020-04-09 0:47 ` [PATCH 0/2] mm: Two small fixes for recent syzbot reports Andrew Morton
2020-04-09 11:49 ` Matthew Wilcox
2020-04-09 13:00 ` Dmitry Vyukov
2020-04-09 13:00 ` Dmitry Vyukov
2020-04-09 18:16 ` Andrew Morton
2020-04-09 18:53 ` Linus Torvalds
2020-04-09 18:53 ` Linus Torvalds
2020-04-09 19:12 ` Andrew Morton
2020-04-09 19:46 ` Linus Torvalds
2020-04-09 19:46 ` Linus Torvalds
2020-04-09 19:56 ` Matthew Wilcox
2020-04-09 19:58 ` Linus Torvalds
2020-04-09 19:58 ` Linus Torvalds
2020-04-09 20:27 ` Eric Biggers
2020-04-09 20:34 ` Linus Torvalds
2020-04-09 20:34 ` Linus Torvalds
2020-04-09 23:34 ` Stephen Rothwell
2020-04-10 1:11 ` Theodore Y. Ts'o
2020-04-09 12:55 ` Dmitry Vyukov
2020-04-09 12:55 ` Dmitry Vyukov
2020-04-09 16:32 ` Linus Torvalds
2020-04-09 16:32 ` Linus Torvalds
2020-04-09 16:58 ` Qian Cai
2020-04-09 17:05 ` Linus Torvalds
2020-04-09 17:05 ` Linus Torvalds
2020-04-09 17:58 ` Qian Cai
2020-04-09 18:06 ` Linus Torvalds
2020-04-09 18:06 ` Linus Torvalds
2020-04-09 21:14 ` Qian Cai
2020-04-10 13:12 ` Tetsuo Handa
2020-04-10 14:26 ` Qian Cai
2020-04-10 17:26 ` Andrew Morton
2020-04-10 19:46 ` Qian Cai
2020-04-09 23:29 ` Stephen Rothwell
2020-04-13 22:06 ` Qian Cai
2020-04-13 23:05 ` Jens Axboe
2020-04-14 11:12 ` Dmitry Vyukov
2020-04-14 11:12 ` Dmitry Vyukov
2020-04-14 11:59 ` Qian Cai
2020-04-14 12:05 ` Dmitry Vyukov
2020-04-14 12:05 ` Dmitry Vyukov
2020-04-14 19:28 ` Dan Rue
2020-04-15 11:09 ` Dmitry Vyukov
2020-04-15 11:09 ` Dmitry Vyukov
2020-04-15 16:23 ` Dan Rue
2020-04-16 0:34 ` Stephen Rothwell
2020-05-11 15:29 ` Dmitry Vyukov
2020-05-11 15:29 ` Dmitry Vyukov
2020-04-14 4:07 ` Hillf Danton [this message]
2020-04-14 4:31 ` Jens Axboe
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200414040717.22040-1-hdanton@sina.com \
--to=hdanton@sina.com \
--cc=axboe@kernel.dk \
--cc=cai@lca.pw \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.