Received: by 2002:a25:31c3:0:0:0:0:0 with SMTP id x186csp951670ybx;
        Wed, 30 Oct 2019 07:42:49 -0700 (PDT)
X-Google-Smtp-Source: APXvYqxuqy7JFwKvzmeFhTGpcTvm1j1kvXLlj44LaUKtwC5N2CnDDd8tkQj93wTxtTV+j9ME3Ug/
X-Received: by 2002:a17:906:6d4f:: with SMTP id a15mr9163779ejt.33.1572446569612;
        Wed, 30 Oct 2019 07:42:49 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1572446569; cv=none;
        d=google.com; s=arc-20160816;
        b=wLECGTHlJC+NR1Szj+zbOduVHX3sPjPvPlmpR1rzNShEk8ARp1TXu9Zs+NRYUA3oad
         WBBX/tuD2Nhn17UCWd1Avs/xX9Xl9SJ9jJymPZWUdWHCFSgVTqG6CXkOwndbtP7/ZOrv
         Osyf4hoJPmX/uclwBxonwNo7C3h7CfXoLY9xERemMvKaVOWhFocSYvJowtEznU7I4GYs
         xpu2PQqhjjsXDJkRm5y5vF7B5TwUGSTF725Vp6DqikjHy3jcSeRsu7tbeZgL3DM1LVNI
         J4bTZVP52mhen6EAEUIHxknnsPsDT1N2jpZFs4Lwjmpw5IuJtI/QU/KppyM71qn/Kakx
         dg1w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding
         :content-language:in-reply-to:mime-version:user-agent:date
         :message-id:from:references:to:subject:dkim-signature;
        bh=8M4Q/hulOLKq5QBH7SseZicRn46BDfUKYYJB1woZ9F8=;
        b=pRSJ08wMakf8PByTFvfzaRCi1RWkIOip9hqNmRU8MIm6/wW8D5+7ntQGZ/yd6G5JiC
         ng+kq/3/nEgqnVje8RTx7KILTYV08d/F/IeIUpjDeNZ5yY19e0kriZ3B+DcKvChQA5bu
         AjOBR3yp6bJJrpGT5unZkxynDFqmhiXo1CyqAalal+goUnPmFg8mZJl3O8RzbIqiOCaj
         GvfZ6WQPJwp9po9+f8v191dgT79rGNV9WdU1hYf648wnEkAGyOymN6GHuhgHG5egrDfS
         xNuQwu1hpeSKyYnuEp53VabPL44TsKd4rY9vfJ/xPvBmD4o5EMfPEGiTRC+t6oDZRsna
         P2Ng==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel-dk.20150623.gappssmtp.com header.s=20150623 header.b=O0gGjKRr;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id w27si1562772eda.296.2019.10.30.07.42.25;
        Wed, 30 Oct 2019 07:42:49 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel-dk.20150623.gappssmtp.com header.s=20150623 header.b=O0gGjKRr;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726359AbfJ3Olu (ORCPT <rfc822;sbrunau@gmail.com> + 99 others);
        Wed, 30 Oct 2019 10:41:50 -0400
Received: from mail-il1-f196.google.com ([209.85.166.196]:44212 "EHLO
        mail-il1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726246AbfJ3Olu (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 30 Oct 2019 10:41:50 -0400
Received: by mail-il1-f196.google.com with SMTP id h5so2308562ilh.11
        for <linux-kernel@vger.kernel.org>; Wed, 30 Oct 2019 07:41:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=kernel-dk.20150623.gappssmtp.com; s=20150623;
        h=subject:to:references:from:message-id:date:user-agent:mime-version
         :in-reply-to:content-language:content-transfer-encoding;
        bh=8M4Q/hulOLKq5QBH7SseZicRn46BDfUKYYJB1woZ9F8=;
        b=O0gGjKRrxHys6Q2aujV+4MT2j/ZjsSYkDi9GKfTadrp+3OsaEj9MpPZeaVUYjh3jga
         Lt/pb1YjDeKkLIc9X0ysapeDeMirJQ5DAoWssEDfb1y9SMHca7Cpner/0PwQkojLHkpx
         N4TSDBzSztYw8kJfiT9Daj01/md5WfML34mttZWozPOAn5dmoM5foBsQXL+jEaHnmEzW
         RhhGAMAO5fVn+TzVSsErUinwOJRVAltcO+jIVr/z2lFeIAA+i5gdvsrvJVYsoFn6iVDd
         5t2q0XNohZr2NnrrDWO1Q8lxvwtpuTZKxxUQL9BKAIZqMKdtPXdqb1BwFUAK4RSsm2wv
         ZkIA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:subject:to:references:from:message-id:date
         :user-agent:mime-version:in-reply-to:content-language
         :content-transfer-encoding;
        bh=8M4Q/hulOLKq5QBH7SseZicRn46BDfUKYYJB1woZ9F8=;
        b=LbL7iXYSb4EqAdz8xm1gObWy0HhNukhBc1vxtsglf0Gent6ThyZM6BE1pvZ3MAxUNI
         qpPiKXEeytFIyUJsEwfivcHhGP8YUdcPDk2vKzfEC5uwlq6CTruL93vRZ7/5AI+xfWIZ
         iSGeWtHjOo+RkbNIWjIfHIAkkG7xe0bEJHA57TReCF5gjtscmYHhpMqxScI7Evo9hQ1z
         h0u/npuJbPonKA7I4ILvo7vvo2K1bdsvE3laM/vMIOY5F+s//3SgYH6LYsLk7t4Ta7Xh
         yE8TlZeprDOp81uOLnPj61rXmehMXm4I9wmwIcya3sICl0yhbSyxs47c+4gWTFOX6B+m
         bVNQ==
X-Gm-Message-State: APjAAAXrdoi6wse8Tbr6XWF2w7Yb0jMo61SW5dXuNyGVLhtbosAHJtX1
        Vgpf2+73fUPvLIZnPdErtGgy0Q==
X-Received: by 2002:a92:580c:: with SMTP id m12mr389533ilb.225.1572446509207;
        Wed, 30 Oct 2019 07:41:49 -0700 (PDT)
Received: from [192.168.1.159] ([65.144.74.34])
        by smtp.gmail.com with ESMTPSA id i79sm55737ild.6.2019.10.30.07.41.47
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Wed, 30 Oct 2019 07:41:48 -0700 (PDT)
Subject: Re: BUG: unable to handle kernel paging request in io_wq_cancel_all
To:     syzbot <syzbot+221cc24572a2fed23b6b@syzkaller.appspotmail.com>,
        akpm@linux-foundation.org, dan.j.williams@intel.com,
        dhowells@redhat.com, gregkh@linuxfoundation.org,
        hannes@cmpxchg.org, joel@joelfernandes.org,
        linux-block@vger.kernel.org, linux-fsdevel@vger.kernel.org,
        linux-kernel@vger.kernel.org, mchehab+samsung@kernel.org,
        mingo@redhat.com, patrick.bellasi@arm.com, rgb@redhat.com,
        rostedt@goodmis.org, syzkaller-bugs@googlegroups.com,
        viro@zeniv.linux.org.uk, yamada.masahiro@socionext.com
References: <00000000000069801e05961be5fb@google.com>
From:   Jens Axboe <axboe@kernel.dk>
Message-ID: <0e2bc2bf-2a7a-73c5-03e2-9d08f89f0ffa@kernel.dk>
Date:   Wed, 30 Oct 2019 08:41:46 -0600
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
 Thunderbird/60.9.0
MIME-Version: 1.0
In-Reply-To: <00000000000069801e05961be5fb@google.com>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 10/30/19 1:44 AM, syzbot wrote:
> syzbot has bisected this bug to:
> 
> commit ef0524d3654628ead811f328af0a4a2953a8310f
> Author: Jens Axboe <axboe@kernel.dk>
> Date:   Thu Oct 24 13:25:42 2019 +0000
> 
>       io_uring: replace workqueue usage with io-wq
> 
> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=16acf5d0e00000
> start commit:   c57cf383 Add linux-next specific files for 20191029
> git tree:       linux-next
> final crash:    https://syzkaller.appspot.com/x/report.txt?x=15acf5d0e00000
> console output: https://syzkaller.appspot.com/x/log.txt?x=11acf5d0e00000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=cb86688f30db053d
> dashboard link: https://syzkaller.appspot.com/bug?extid=221cc24572a2fed23b6b
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=168671d4e00000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=140f4898e00000
> 
> Reported-by: syzbot+221cc24572a2fed23b6b@syzkaller.appspotmail.com
> Fixes: ef0524d36546 ("io_uring: replace workqueue usage with io-wq")

Good catch, it's a case of NULL vs ERR_PTR() confusion. I'll fold in
the below fix.


diff --git a/fs/io_uring.c b/fs/io_uring.c
index af1937d66aee..76d653085987 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -3534,8 +3534,9 @@ static int io_sq_offload_start(struct io_ring_ctx *ctx,
 	/* Do QD, or 4 * CPUS, whatever is smallest */
 	concurrency = min(ctx->sq_entries, 4 * num_online_cpus());
 	ctx->io_wq = io_wq_create(concurrency, ctx->sqo_mm);
-	if (!ctx->io_wq) {
-		ret = -ENOMEM;
+	if (IS_ERR(ctx->io_wq)) {
+		ret = PTR_ERR(ctx->io_wq);
+		ctx->io_wq = NULL;
 		goto err;
 	}
 

-- 
Jens Axboe