[BUG] io_uring

[BUG] io_uring

[Pavel Begunkov]

[-- Attachment #1.1: Type: text/plain, Size: 4831 bytes --]

I'm hitting a bug with yesterday's for-next (e.g. 126c20adbd98f2eff00c837afc).
I'll debug it in several days, if nobody would do it by then.

kernel: yesterday's for-next (e.g. 126c20adbd98f2eff00c837afc)
How to reproduce: run ./file-update in a loop (for me 10th run hit the problem)


[  303.287859] Running test ./file-update
[  303.600280] BUG: kernel NULL pointer dereference, address: 00000000000000e4
[  303.600290] #PF: supervisor write access in kernel mode
[  303.600292] #PF: error_code(0x0002) - not-present page
[  303.600294] PGD 0 P4D 0
[  303.600301] Oops: 0002 [#1] PREEMPT SMP PTI
[  303.600307] CPU: 4 PID: 252 Comm: kworker/4:2 Not tainted
5.5.0-rc6-00618-gd22ad6beb885-dirty #162
[  303.600309] Hardware name: Dell Inc. Inspiron 15 7000 Gaming/065C71, BIOS
01.00.03 01/10/2017
[  303.600326] Workqueue: events io_ring_file_ref_switch
[  303.600336] RIP: 0010:_raw_spin_lock_irqsave+0x31/0x60
[  303.600339] Code: 89 e5 41 54 53 48 89 fb 9c 58 0f 1f 44 00 00 49 89 c4 fa 66
0f 1f 44 00 00 bf 01 00 00 00 e8 66 9a 77 ff 31 c0 ba 01 00 00 00 <f0> 0f b1 13
75 08 5b 4c 89 e0 41 5c 5d c3 89 c6 48 89 df e8 07 3c
[  303.600341] RSP: 0018:ffff9fc30049fda0 EFLAGS: 00010046
[  303.600344] RAX: 0000000000000000 RBX: 00000000000000e4 RCX: 0000000000000000
[  303.600346] RDX: 0000000000000001 RSI: ffff96976d818eb0 RDI: ffffffffa896d24d
[  303.600347] RBP: ffff9fc30049fdb0 R08: 000073746e657665 R09: 8080808080808080
[  303.600349] R10: 0000000000000018 R11: fefefefefefefeff R12: 0000000000000282
[  303.600351] R13: 00000000000000e4 R14: ffff96976652ea00 R15: 00000000000000d0
[  303.600354] FS:  0000000000000000(0000) GS:ffff96976f500000(0000)
knlGS:0000000000000000
[  303.600355] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  303.600357] CR2: 00000000000000e4 CR3: 00000001cf00a003 CR4: 00000000003606e0
[  303.600360] Call Trace:
[  303.600376]  skb_dequeue+0x1d/0x70
[  303.600380]  io_ring_file_ref_switch+0x85/0x280
[  303.600391]  process_one_work+0x1e6/0x3c0
[  303.600395]  worker_thread+0x4a/0x3d0
[  303.600401]  kthread+0x105/0x140
[  303.600404]  ? process_one_work+0x3c0/0x3c0
[  303.600407]  ? kthread_park+0x90/0x90
[  303.600411]  ret_from_fork+0x35/0x40
[  303.600416] Modules linked in: ccm snd_hda_codec_realtek
snd_hda_codec_generic i915 iwlmvm mac80211 x86_pkg_temp_thermal intel_powerclamp
coretemp kvm_intel kvm snd_hda_codec_hdmi i2c_algo_bit irqbypass drm_kms_helper
libarc4 crct10dif_pclmul iwlwifi joydev crc32_pclmul mousedev
ghash_clmulni_intel snd_hda_intel hid_multitouch snd_intel_dspcfg uvcvideo
dell_laptop iTCO_wdt snd_hda_codec ledtrig_audio aesni_intel drm crypto_simd
dell_wmi videobuf2_vmalloc hid_generic intel_rapl_msr iTCO_vendor_support
dell_smbios videobuf2_memops cryptd dcdbas wmi_bmof cfg80211 glue_helper
videobuf2_v4l2 snd_hda_core dell_wmi_descriptor mxm_wmi intel_cstate
dell_smm_hwmon tpm_crb videobuf2_common snd_hwdep r8169 nls_iso8859_1
intel_uncore tpm_tis videodev nls_cp437 intel_gtt psmouse snd_pcm
intel_rapl_perf agpgart tpm_tis_core input_leds realtek i2c_i801 mei_me
snd_timer libphy mei mc syscopyarea rfkill tpm snd intel_lpss_pci sysfillrect
intel_hid intel_lpss processor_thermal_device intel_pch_thermal idma64
[  303.600496]  intel_rapl_common i2c_hid sysimgblt int3403_thermal hid
sparse_keymap soundcore int3402_thermal intel_soc_dts_iosf fb_sys_fops
int3400_thermal evdev battery rng_core mac_hid int340x_thermal_zone
acpi_thermal_rel ac wmi crypto_user ip_tables x_tables ext4 crc16 mbcache jbd2
sd_mod ahci libahci libata scsi_mod xhci_pci serio_raw xhci_hcd atkbd libps2
crc32c_intel i8042 serio
[  303.600538] CR2: 00000000000000e4
[  303.600544] ---[ end trace b92f8382e98caae3 ]---
[  303.600550] RIP: 0010:_raw_spin_lock_irqsave+0x31/0x60
[  303.600553] Code: 89 e5 41 54 53 48 89 fb 9c 58 0f 1f 44 00 00 49 89 c4 fa 66
0f 1f 44 00 00 bf 01 00 00 00 e8 66 9a 77 ff 31 c0 ba 01 00 00 00 <f0> 0f b1 13
75 08 5b 4c 89 e0 41 5c 5d c3 89 c6 48 89 df e8 07 3c
[  303.600555] RSP: 0018:ffff9fc30049fda0 EFLAGS: 00010046
[  303.600557] RAX: 0000000000000000 RBX: 00000000000000e4 RCX: 0000000000000000
[  303.600559] RDX: 0000000000000001 RSI: ffff96976d818eb0 RDI: ffffffffa896d24d
[  303.600560] RBP: ffff9fc30049fdb0 R08: 000073746e657665 R09: 8080808080808080
[  303.600562] R10: 0000000000000018 R11: fefefefefefefeff R12: 0000000000000282
[  303.600564] R13: 00000000000000e4 R14: ffff96976652ea00 R15: 00000000000000d0
[  303.600567] FS:  0000000000000000(0000) GS:ffff96976f500000(0000)
knlGS:0000000000000000
[  303.600568] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  303.600570] CR2: 00000000000000e4 CR3: 00000001cf00a003 CR4: 00000000003606e0
[  303.600578] note: kworker/4:2[252] exited with preempt_count 1


-- 
Pavel Begunkov


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [BUG] io_uring

[Jens Axboe]

On 1/17/20 3:05 PM, Pavel Begunkov wrote:
> I'm hitting a bug with yesterday's for-next (e.g. 126c20adbd98f2eff00c837afc).
> I'll debug it in several days, if nobody would do it by then.
> 
> kernel: yesterday's for-next (e.g. 126c20adbd98f2eff00c837afc)
> How to reproduce: run ./file-update in a loop (for me 10th run hit the problem)

Let me know if it still happens in the current tree, I fixed the wait on this.
But it might be something new, we'll see.

-- 
Jens Axboe