WARNING: lock held when returning to user space in rcu_lock_acquire
Hello,

syzbot found the following crash on:

HEAD commit:    54ecb8f7 Linux 5.4-rc1
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11c03fcd60
kernel config:  https://syzkaller.appspot.com/x/.config?x=fb0b431ccdf08c1c
dashboard link: https://syzkaller.appspot.com/bug?extid=fef86971c84310f1c8cd
compiler:       clang version 9.0.0 (/home/glider/llvm/clang 80fee25776c2fb61e74c1ecb1a523375c2500b69)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=10d52e3360
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1582402b60

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+fef86971c84310f1c...@syzkaller.appspotmail.com

WARNING: lock held when returning to user space!
5.4.0-rc1 #0 Not tainted

syz-executor670/7923 is leaving the kernel with locks still held!
1 lock held by syz-executor670/7923:
 #0: 888d3cc0 (rcu_read_lock){}, at: rcu_lock_acquire+0x4/0x30 include/linux/rcupdate.h:207
[ cut here ]
WARNING: CPU: 0 PID: 7923 at kernel/rcu/tree_plugin.h:293 rcu_note_context_switch+0xdde/0xee0 kernel/rcu/tree_plugin.h:293
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 7923 Comm: syz-executor670 Not tainted 5.4.0-rc1 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1d8/0x2f8 lib/dump_stack.c:113
 panic+0x25c/0x799 kernel/panic.c:220
 __warn+0x20e/0x210 kernel/panic.c:581
 report_bug+0x1b6/0x2f0 lib/bug.c:195
 fixup_bug arch/x86/kernel/traps.c:179 [inline]
 do_error_trap+0xd7/0x440 arch/x86/kernel/traps.c:272
 do_invalid_op+0x36/0x40 arch/x86/kernel/traps.c:291
 invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1028
RIP: 0010:rcu_note_context_switch+0xdde/0xee0 kernel/rcu/tree_plugin.h:293
Code: c8 73 4b 00 e9 b8 f3 ff ff 89 d9 80 e1 07 80 c1 03 38 c1 0f 8c 22 f3 ff ff 48 89 df e8 4b 73 4b 00 83 3b 00 0f 8e 1a f3 ff ff <0f> 0b e9 13 f3 ff ff 89 d9 80 e1 07 80 c1 03 38 c1 0f 8c c9 f2 ff
RSP: :8880921bfd20 EFLAGS: 00010002
RAX: 111012bc6100 RBX: 888095e30978 RCX: 81608604
RDX: RSI: 0008 RDI: 88be39a0
RBP: 8880921bfe00 R08: dc00 R09: fbfff117c735
R10: fbfff117c735 R11: R12: dc00
R13: 888095e30600 R14: R15: 8880aea35740
 __schedule+0xce/0xb80 kernel/sched/core.c:4007
 schedule+0x131/0x1e0 kernel/sched/core.c:4136
 exit_to_usermode_loop arch/x86/entry/common.c:149 [inline]
 prepare_exit_to_usermode+0x2aa/0x580 arch/x86/entry/common.c:194
 retint_user+0x8/0x18
RIP: 0033:0x446fb9
Code: e8 8c 19 03 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 4b 0e fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:7fd680470db8 EFLAGS: 0246 ORIG_RAX: ff13
RAX: RBX: 006ddc28 RCX: 00446fb9
RDX: 00446fb9 RSI: RDI: 00010008
RBP: 006ddc20 R08: R09:
R10: R11: 0246 R12: 006ddc2c
R13: 7fffb42e414f R14: 7fd6804719c0 R15:
Kernel Offset: disabled
Rebooting in 86400 seconds..


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
Re: WARNING: lock held when returning to user space in membarrier_private_expedited
On Tue, Oct 01, 2019 at 01:09:07AM -0700, syzbot wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:    afb37288 Add linux-next specific files for 20191001
> git tree:       linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=1761963560
> kernel config:  https://syzkaller.appspot.com/x/.config?x=659cb5bf73e72c6c
> dashboard link: https://syzkaller.appspot.com/bug?extid=6b6a46cc150b19f54ad6
> compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=176faa1360
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14b825cd60
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+6b6a46cc150b19f54...@syzkaller.appspotmail.com
>
> ================
> WARNING: lock held when returning to user space!
> 5.4.0-rc1-next-20191001 #0 Not tainted
>
> syz-executor589/9088 is leaving the kernel with locks still held!
> 1 lock held by syz-executor589/9088:
> #0: 88faadc0 (rcu_read_lock){}, at:
> membarrier_private_expedited+0x180/0x590 kernel/sched/membarrier.c:150

https://lkml.kernel.org/r/20191001071921.gj4...@hirez.programming.kicks-ass.net
WARNING: lock held when returning to user space in membarrier_private_expedited
Hello,

syzbot found the following crash on:

HEAD commit:    afb37288 Add linux-next specific files for 20191001
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1761963560
kernel config:  https://syzkaller.appspot.com/x/.config?x=659cb5bf73e72c6c
dashboard link: https://syzkaller.appspot.com/bug?extid=6b6a46cc150b19f54ad6
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=176faa1360
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14b825cd60

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+6b6a46cc150b19f54...@syzkaller.appspotmail.com

WARNING: lock held when returning to user space!
5.4.0-rc1-next-20191001 #0 Not tainted

syz-executor589/9088 is leaving the kernel with locks still held!
1 lock held by syz-executor589/9088:
 #0: 88faadc0 (rcu_read_lock){}, at: membarrier_private_expedited+0x180/0x590 kernel/sched/membarrier.c:150
[ cut here ]
WARNING: CPU: 0 PID: 9088 at kernel/rcu/tree_plugin.h:293 rcu_note_context_switch+0x373/0x1910 kernel/rcu/tree_plugin.h:293
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 9088 Comm: syz-executor589 Not tainted 5.4.0-rc1-next-20191001 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
 panic+0x2dc/0x755 kernel/panic.c:220
 __warn.cold+0x2f/0x3c kernel/panic.c:581
 report_bug+0x289/0x300 lib/bug.c:195
 fixup_bug arch/x86/kernel/traps.c:179 [inline]
 fixup_bug arch/x86/kernel/traps.c:174 [inline]
 do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:272
 do_invalid_op+0x37/0x50 arch/x86/kernel/traps.c:291
 invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1028
RIP: 0010:rcu_note_context_switch+0x373/0x1910 kernel/rcu/tree_plugin.h:293
Code: 8b 13 48 85 d2 75 c3 48 8b 5d c8 65 ff 0d dd 75 a1 7e 0f 85 fa fc ff ff e8 4a df 9f ff e9 f0 fc ff ff 85 d2 0f 8e 62 fe ff ff <0f> 0b e9 1f fe ff ff 65 8b 1d ff 0a a1 7e 83 fb 3f 0f 87 0d 0e 00
RSP: :888090017d60 EFLAGS: 00010002
RAX: 89c60674 RBX: 8880ae835ac0 RCX: 1110148334c7
RDX: 0001 RSI: RDI: 8880a419a638
RBP: 888090017dd0 R08: 1138ba90 R09: fbfff138ba91
R10: fbfff138ba90 R11: 89c5d487 R12:
R13: 8880a419a2c0 R14: R15: 8880ae834d18
 __schedule+0x25e/0x1e70 kernel/sched/core.c:4007
 schedule+0xd9/0x260 kernel/sched/core.c:4136
 exit_to_usermode_loop+0x195/0x380 arch/x86/entry/common.c:149
 prepare_exit_to_usermode+0x2ff/0x370 arch/x86/entry/common.c:194
 retint_user+0x8/0x18
RIP: 0033:0x446ed9
Code: e8 5c 14 03 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 ab 0e fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:7f082bf04db8 EFLAGS: 0246 ORIG_RAX: ff13
RAX: RBX: 006dcc38 RCX: 00446ed9
RDX: 00403494 RSI: RDI: 00010008
RBP: 006dcc30 R08: 7f082bf05700 R09:
R10: 7f082bf05700 R11: 0246 R12: 006dcc3c
R13: 7ffef65e667f R14: 7f082bf059c0 R15: 0001
Kernel Offset: disabled
Rebooting in 86400 seconds..


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
Re: WARNING: lock held when returning to user space in set_property_atomic
On 2019/01/03 18:04, Dmitry Vyukov wrote: > On Thu, Jan 3, 2019 at 9:55 AM Maarten Lankhorst > wrote: >> Just guessing.. >> >> Does this help? Yes it will. And while at it, let's fix another one together. >From 291e42211e3cc6d85c915772717dd08d40fb5fed Mon Sep 17 00:00:00 2001 From: Tetsuo Handa Date: Fri, 4 Jan 2019 15:23:47 +0900 Subject: [PATCH] gpu/drm: Fix lock held when returning to user space. We need to call drm_modeset_acquire_fini() when drm_atomic_state_alloc() failed or call drm_modeset_acquire_init() after drm_atomic_state_alloc() succeeded. Signed-off-by: Tetsuo Handa Reported-by: syzbot --- drivers/gpu/drm/drm_atomic_uapi.c | 3 +-- drivers/gpu/drm/drm_mode_object.c | 4 ++-- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/drivers/gpu/drm/drm_atomic_uapi.c b/drivers/gpu/drm/drm_atomic_uapi.c index c408898..9a1f41a 100644 --- a/drivers/gpu/drm/drm_atomic_uapi.c +++ b/drivers/gpu/drm/drm_atomic_uapi.c @@ -1296,12 +1296,11 @@ int drm_mode_atomic_ioctl(struct drm_device *dev, (arg->flags & DRM_MODE_PAGE_FLIP_EVENT)) return -EINVAL; - drm_modeset_acquire_init(&ctx, DRM_MODESET_ACQUIRE_INTERRUPTIBLE); - state = drm_atomic_state_alloc(dev); if (!state) return -ENOMEM; + drm_modeset_acquire_init(&ctx, DRM_MODESET_ACQUIRE_INTERRUPTIBLE); state->acquire_ctx = &ctx; state->allow_modeset = !!(arg->flags & DRM_MODE_ATOMIC_ALLOW_MODESET); diff --git a/drivers/gpu/drm/drm_mode_object.c b/drivers/gpu/drm/drm_mode_object.c index cd9bc0c..004191d 100644 --- a/drivers/gpu/drm/drm_mode_object.c +++ b/drivers/gpu/drm/drm_mode_object.c @@ -459,11 +459,11 @@ static int set_property_atomic(struct drm_mode_object *obj, struct drm_modeset_acquire_ctx ctx; int ret; - drm_modeset_acquire_init(&ctx, 0); - state = drm_atomic_state_alloc(dev); if (!state) return -ENOMEM; + + drm_modeset_acquire_init(&ctx, 0); state->acquire_ctx = &ctx; retry: if (prop == state->dev->mode_config.dpms_property) { -- 1.8.3.1
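Review bot: the Reported-by tag in the commit message is incomplete: it reads "Reported-by: syzbot" with no address, while the report asks for "Reported-by: syzbot+6ea337c427f5083eb...@syzkaller.appspotmail.com" (and Reported-by conventionally precedes Signed-off-by). The message also offers two alternatives ("call drm_modeset_acquire_fini() when drm_atomic_state_alloc() failed or call drm_modeset_acquire_init() after drm_atomic_state_alloc() succeeded") without saying which one the patch takes; both hunks take the second. That is sufficient in both functions: nothing between the old and new call sites uses ctx, state->acquire_ctx is assigned only after the moved call, and the "return -ENOMEM" now runs before drm_modeset_acquire_init(), so the failure path no longer leaves an initialized crtc_ww_class_acquire context behind when the ioctl returns to user space. Please state the chosen approach in the commit message.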
Re: WARNING: lock held when returning to user space in set_property_atomic
On Thu, Jan 3, 2019 at 9:55 AM Maarten Lankhorst wrote:
>
> On 30-12-2018 at 07:21, syzbot wrote:
> > Hello,
> >
> > syzbot found the following crash on:
> >
> > HEAD commit:    903b77c63167 Merge tag 'linux-kselftest-4.21-rc1' of git:/..
> > git tree:       upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=12d0f55340
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=53a2f2aa0b1f7606
> > dashboard link: https://syzkaller.appspot.com/bug?extid=6ea337c427f5083ebdf2
> > compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=120d906f40
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1024673b40
> >
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+6ea337c427f5083eb...@syzkaller.appspotmail.com
> >
> > RBP: 7ffe369ca7a0 R08: 0001 R09: 004009ce
> > R10: R11: 0246 R12: 0005
> > R13: ffff R14: 00000000 R15:
> >
> >
> > WARNING: lock held when returning to user space!
> > 4.20.0+ #174 Not tainted
> >
> > syz-executor556/8153 is leaving the kernel with locks still held!
> > 1 lock held by syz-executor556/8153:
> > #0: 5100c85c (crtc_ww_class_acquire){+.+.}, at:
> > set_property_atomic+0xb3/0x330 drivers/gpu/drm/drm_mode_object.c:462
> >
> >
> > ---
> > This bug is generated by a bot. It may contain errors.
> > See https://goo.gl/tpsmEJ for more information about syzbot.
> > syzbot engineers can be reached at syzkal...@googlegroups.com.
> >
> > syzbot will keep track of this bug report. See:
> > https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
> > syzbot.
> > syzbot can test patches for this bug, for details see:
> > https://goo.gl/tpsmEJ#testing-patches
>
> Just guessing..
>
> Does this help?

Hi Maarten,

Please either test or ask syzbot to test:
https://github.com/google/syzkaller/blob/master/docs/syzbot.md#testing-patches

> -
> diff --git a/drivers/gpu/drm/drm_mode_object.c > b/drivers/gpu/drm/drm_mode_object.c > index cd9bc0ce9be0..004191d01772 100644 > --- a/drivers/gpu/drm/drm_mode_object.c > +++ b/drivers/gpu/drm/drm_mode_object.c > @@ -459,11 +459,11 @@ static int set_property_atomic(struct drm_mode_object > *obj, > struct drm_modeset_acquire_ctx ctx; > int ret; > > - drm_modeset_acquire_init(&ctx, 0); > - > state = drm_atomic_state_alloc(dev); > if (!state) > return -ENOMEM; > + > + drm_modeset_acquire_init(&ctx, 0); > state->acquire_ctx = &ctx; > retry: > if (prop == state->dev->mode_config.dpms_property) { > > -- > You received this message because you are subscribed to the Google Groups > "syzkaller-bugs" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to syzkaller-bugs+unsubscr...@googlegroups.com. > To view this discussion on the web visit > https://groups.google.com/d/msgid/syzkaller-bugs/fea9b565-06e4-fbb5-7e92-efd133a7028c%40linux.intel.com. > For more options, visit https://groups.google.com/d/optout.
Re: WARNING: lock held when returning to user space in set_property_atomic
On 30-12-2018 at 07:21, syzbot wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:    903b77c63167 Merge tag 'linux-kselftest-4.21-rc1' of git:/..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=12d0f55340
> kernel config:  https://syzkaller.appspot.com/x/.config?x=53a2f2aa0b1f7606
> dashboard link: https://syzkaller.appspot.com/bug?extid=6ea337c427f5083ebdf2
> compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=120d906f40
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1024673b40
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+6ea337c427f5083eb...@syzkaller.appspotmail.com
>
> RBP: 7ffe369ca7a0 R08: 0001 R09: 004009ce
> R10: R11: 0246 R12: 0005
> R13: R14: R15: 00000000
>
> ============
> WARNING: lock held when returning to user space!
> 4.20.0+ #174 Not tainted
>
> syz-executor556/8153 is leaving the kernel with locks still held!
> 1 lock held by syz-executor556/8153:
> #0: 5100c85c (crtc_ww_class_acquire){+.+.}, at:
> set_property_atomic+0xb3/0x330 drivers/gpu/drm/drm_mode_object.c:462
>
>
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkal...@googlegroups.com.
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with syzbot.
> syzbot can test patches for this bug, for details see:
> https://goo.gl/tpsmEJ#testing-patches

Just guessing..

Does this help?

-
diff --git a/drivers/gpu/drm/drm_mode_object.c b/drivers/gpu/drm/drm_mode_object.c
index cd9bc0ce9be0..004191d01772 100644
--- a/drivers/gpu/drm/drm_mode_object.c
+++ b/drivers/gpu/drm/drm_mode_object.c
@@ -459,11 +459,11 @@ static int set_property_atomic(struct drm_mode_object *obj, struct drm_modeset_acquire_ctx ctx; int ret; - drm_modeset_acquire_init(&ctx, 0); - state = drm_atomic_state_alloc(dev); if (!state) return -ENOMEM; + + drm_modeset_acquire_init(&ctx, 0); state->acquire_ctx = &ctx; retry: if (prop == state->dev->mode_config.dpms_property) {
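Review bot: the reorder is enough for set_property_atomic(): drm_atomic_state_alloc() does not take ctx, state->acquire_ctx is assigned only after the moved call, and "return -ENOMEM" now runs before drm_modeset_acquire_init(), so that path no longer leaves an initialized crtc_ww_class_acquire context behind (which is what the lockdep report above flags at drm_mode_object.c:462) and needs no drm_modeset_acquire_fini(). What is missing from the posting is a commit message, a Signed-off-by, and the Reported-by tag with the address from the report. Note also that drm_mode_atomic_ioctl() in drm_atomic_uapi.c has the same init-before-alloc ordering; the two-file patch posted later in this thread fixes both together.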
Re: WARNING: lock held when returning to user space in grab_super
On Thu, Jan 03, 2019 at 01:49:55AM +0900, Tetsuo Handa wrote:
> kernfs_node_dentry() calls lookup_one_len_unlocked() which involves
> memory allocation, and memory allocation fault injection made
> lookup_one_len_unlocked() fail, and thus kernfs_node_dentry() failed.
> What's strange?

So, kernfs_node_dentry() is called on the root kn, which should trigger
"if (!kn->parent) return dentry" in kernfs_node_dentry(), so it
shouldn't reach lookup_one_len_unlocked().

Oh I see. This is the namespaced mount path, so kn can be non-root.
Will fix it.

Thanks.

--
tejun
Re: WARNING: lock held when returning to user space in grab_super
On 2019/01/03 1:16, Tejun Heo wrote:
> Happy new year, Tetsuo.
>
> On Wed, Jan 02, 2019 at 09:08:56PM +0900, Tetsuo Handa wrote:
>> According to commit 633feee310de6b6c ("cgroup: refactor mount path and
>> clearly distinguish v1 and v2 paths"), cgroup_do_mount() is failing to
>> do full teardown steps for kernfs_mount() (deactivate_locked_super() ?)
>> when kernfs_node_dentry() failed.
>
> Hmm... that's basically dget()'ing the root dentry of the sb. I'm not
> sure how that could fail. Can it?

kernfs_node_dentry() calls lookup_one_len_unlocked() which involves
memory allocation, and memory allocation fault injection made
lookup_one_len_unlocked() fail, and thus kernfs_node_dentry() failed.
What's strange?
Re: WARNING: lock held when returning to user space in grab_super
Happy new year, Tetsuo.

On Wed, Jan 02, 2019 at 09:08:56PM +0900, Tetsuo Handa wrote:
> According to commit 633feee310de6b6c ("cgroup: refactor mount path and
> clearly distinguish v1 and v2 paths"), cgroup_do_mount() is failing to
> do full teardown steps for kernfs_mount() (deactivate_locked_super() ?)
> when kernfs_node_dentry() failed.

Hmm... that's basically dget()'ing the root dentry of the sb. I'm not
sure how that could fail. Can it?

Thanks.

--
tejun
Re: WARNING: lock held when returning to user space in grab_super
Hello, Tejun.

[ 1100.561812] FAULT_INJECTION: forcing a failure.
[ 1100.561812] name failslab, interval 1, probability 0, space 0, times 0
[ 1100.625231] CPU: 1 PID: 29677 Comm: syz-executor0 Not tainted 4.20.0+ #396
[ 1100.632289] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1100.641646] Call Trace:
[ 1100.644355]  dump_stack+0x1d3/0x2c6
[ 1100.662152]  should_fail.cold.4+0xa/0x17
[ 1100.709512]  __should_failslab+0x124/0x180
[ 1100.713784]  should_failslab+0x9/0x14
[ 1100.717604]  kmem_cache_alloc+0x2c4/0x730
[ 1100.721784]  __d_alloc+0xc8/0xb90
[ 1100.755462]  d_alloc+0x96/0x380
[ 1100.775659]  d_alloc_parallel+0x15a/0x1f40
[ 1100.852877]  __lookup_slow+0x1e6/0x540
[ 1100.864887]  lookup_slow+0x57/0x80
[ 1100.868448]  lookup_one_len_unlocked+0xf1/0x100
[ 1100.876873]  kernfs_node_dentry+0x1c7/0x2d0
[ 1100.881215]  cgroup_do_mount+0x1b1/0x330
[ 1100.899627]  cgroup_mount+0xb6d/0xd30
[ 1100.937317]  mount_fs+0xae/0x31d
[ 1100.940710]  vfs_kern_mount.part.35+0xdc/0x4f0
[ 1100.957015]  do_mount+0x581/0x31f0
[ 1100.998447]  ksys_mount+0x12d/0x140
[ 1101.002098]  __x64_sys_mount+0xbe/0x150
[ 1101.006095]  do_syscall_64+0x1b9/0x820
[ 1101.127520] WARNING: lock held when returning to user space!
[ 1101.133310] 4.20.0+ #396 Not tainted
[ 1101.137004]
[ 1101.142780] syz-executor0/29677 is leaving the kernel with locks still held!
[ 1101.149944] 1 lock held by syz-executor0/29677:
[ 1101.154599]  #0: ec5f6915 (&type->s_umount_key#43){}, at: grab_super+0xcc/0x400

According to commit 633feee310de6b6c ("cgroup: refactor mount path and
clearly distinguish v1 and v2 paths"), cgroup_do_mount() is failing to
do full teardown steps for kernfs_mount() (deactivate_locked_super() ?)
when kernfs_node_dentry() failed.
+ if (!IS_ERR(dentry) && ns != &init_cgroup_ns) { + struct dentry *nsdentry; + struct cgroup *cgrp; - if (is_v2) { - if (data) { - pr_err("cgroup2: unknown option \"%s\"\n", (char *)data); - put_cgroup_ns(ns); - return ERR_PTR(-EINVAL); - } - cgrp_dfl_visible = true; - root = &cgrp_dfl_root; - cgroup_get(&root->cgrp); - goto out_mount; + mutex_lock(&cgroup_mutex); + spin_lock_irq(&css_set_lock); + + cgrp = cset_cgroup_from_root(ns->root_cset, root); + + spin_unlock_irq(&css_set_lock); + mutex_unlock(&cgroup_mutex); + + nsdentry = kernfs_node_dentry(cgrp->kn, dentry->d_sb); + dput(dentry); + dentry = nsdentry; } + if (IS_ERR(dentry) || !new_sb) + cgroup_put(&root->cgrp); + + return dentry; +}
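Review bot: the error path in this excerpt does not tear down the superblock. When kernfs_node_dentry() fails, "dput(dentry); dentry = nsdentry;" drops the root dentry and the following "if (IS_ERR(dentry) || !new_sb) cgroup_put(&root->cgrp);" only releases the cgroup reference; nothing deactivates the superblock that kernfs_mount() just set up, so the s_umount rwsem that the lockdep splat above shows acquired at grab_super+0xcc/0x400 is still held when mount(2) returns the error. As the message suggests, the kernfs_node_dentry() failure needs the full kernfs_mount() teardown (deactivate_locked_super() or equivalent) before returning nsdentry's error, and the fault-injection trace shows the failure is reachable in the namespaced (non-root kn) mount path.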
WARNING: lock held when returning to user space in grab_super
Hello,

syzbot found the following crash on:

HEAD commit:    195303136f19 Merge tag 'kconfig-v4.21-2' of git://git.kern..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=118961fd40
kernel config:  https://syzkaller.appspot.com/x/.config?x=5e7dc790609552d7
dashboard link: https://syzkaller.appspot.com/bug?extid=87b93137e0280beaeba1
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+87b93137e0280beae...@syzkaller.appspotmail.com

WARNING: lock held when returning to user space!
4.20.0+ #396 Not tainted

syz-executor0/29677 is leaving the kernel with locks still held!
1 lock held by syz-executor0/29677:
 #0: ec5f6915 (&type->s_umount_key#43){}, at: grab_super+0xcc/0x400 fs/super.c:383
kobject: 'loop5' (edd59d60): kobject_uevent_env
kobject: 'loop5' (edd59d60): fill_kobj_path: path = '/devices/virtual/block/loop5'
==
BUG: KASAN: use-after-free in owner_on_cpu kernel/locking/rwsem-xadd.c:367 [inline]
BUG: KASAN: use-after-free in rwsem_can_spin_on_owner kernel/locking/rwsem-xadd.c:384 [inline]
BUG: KASAN: use-after-free in rwsem_optimistic_spin kernel/locking/rwsem-xadd.c:437 [inline]
BUG: KASAN: use-after-free in __rwsem_down_write_failed_common+0x14ea/0x15e0 kernel/locking/rwsem-xadd.c:518
Read of size 4 at addr 88805631c738 by task syz-executor0/29718

CPU: 0 PID: 29718 Comm: syz-executor0 Not tainted 4.20.0+ #396
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
kobject: 'loop2' (6e1a6a52): kobject_uevent_env
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1d3/0x2c6 lib/dump_stack.c:113
 print_address_description.cold.5+0x9/0x1ff mm/kasan/report.c:187
kobject: 'loop2' (6e1a6a52): fill_kobj_path: path = '/devices/virtual/block/loop2'
 kasan_report.cold.6+0x1b/0x39 mm/kasan/report.c:317
kobject: 'loop1' (42cf1ea5): kobject_uevent_env
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/generic_report.c:134
 owner_on_cpu kernel/locking/rwsem-xadd.c:367 [inline]
 rwsem_can_spin_on_owner kernel/locking/rwsem-xadd.c:384 [inline]
 rwsem_optimistic_spin kernel/locking/rwsem-xadd.c:437 [inline]
 __rwsem_down_write_failed_common+0x14ea/0x15e0 kernel/locking/rwsem-xadd.c:518
kobject: 'loop1' (42cf1ea5): fill_kobj_path: path = '/devices/virtual/block/loop1'
kobject: 'loop2' (6e1a6a52): kobject_uevent_env
kobject: 'loop2' (6e1a6a52): fill_kobj_path: path = '/devices/virtual/block/loop2'
 rwsem_down_write_failed+0xe/0x10 kernel/locking/rwsem-xadd.c:606
 call_rwsem_down_write_failed+0x17/0x30 arch/x86/lib/rwsem.S:117
 __down_write arch/x86/include/asm/rwsem.h:142 [inline]
 down_write+0xa5/0x130 kernel/locking/rwsem.c:72
kobject: 'loop5' (edd59d60): kobject_uevent_env
 grab_super+0xcc/0x400 fs/super.c:383
kobject: 'loop5' (edd59d60): fill_kobj_path: path = '/devices/virtual/block/loop5'
 sget_userns+0x435/0xed0 fs/super.c:511
 kernfs_mount_ns+0x1d7/0xa80 fs/kernfs/mount.c:324
 kernfs_mount include/linux/kernfs.h:554 [inline]
 cgroup_do_mount+0xc4/0x330 kernel/cgroup/cgroup.c:2038
 cgroup_mount+0xb6d/0xd30 kernel/cgroup/cgroup.c:2102
 mount_fs+0xae/0x31d fs/super.c:1261
 vfs_kern_mount.part.35+0xdc/0x4f0 fs/namespace.c:961
 vfs_kern_mount fs/namespace.c:951 [inline]
 do_new_mount fs/namespace.c:2469 [inline]
 do_mount+0x581/0x31f0 fs/namespace.c:2801
 ksys_mount+0x12d/0x140 fs/namespace.c:3017
 __do_sys_mount fs/namespace.c:3031 [inline]
 __se_sys_mount fs/namespace.c:3028 [inline]
 __x64_sys_mount+0xbe/0x150 fs/namespace.c:3028
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x457ec9
Code: 6d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:7fbd6c16dc78 EFLAGS: 0246 ORIG_RAX: 00a5
RAX: ffda RBX: 7fbd6c16dc90 RCX: 00457ec9
RDX: 2200 RSI: 2080 RDI:
RBP: 0073bf00 R08: R09:
R10: R11: 0246 R12: 7fbd6c16e6d4
R13: 004c3a19 R14: 004d64a8 R15: 0003

Allocated by task 29676:
 save_stack+0x43/0xd0 mm/kasan/common.c:73
 set_track mm/kasan/common.c:85 [inline]
 kasan_kmalloc+0xcb/0xd0 mm/kasan/common.c:482
 kasan_slab_alloc+0x12/0x20 mm/kasan/common.c:397
 kmem_cache_a
Re: WARNING: lock held when returning to user space! (3)
On Wed, Jan 2, 2019 at 11:59 AM syzbot wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:    903b77c63167 Merge tag 'linux-kselftest-4.21-rc1' of git:/..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=1424673b40
> kernel config:  https://syzkaller.appspot.com/x/.config?x=53a2f2aa0b1f7606
> dashboard link: https://syzkaller.appspot.com/bug?extid=42e36e1ae3de3f22a7ed
> compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1453eabf40
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14a492bf40
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+42e36e1ae3de3f22a...@syzkaller.appspotmail.com

#syz dup: WARNING: lock held when returning to user space in set_property_atomic

> RBP: 006cf018 R08: 0001 R09: 0032
> R10: R11: 0246 R12: 0005
> R13: R14: R15: 00000000
>
> ============
> WARNING: lock held when returning to user space!
> 4.20.0+ #395 Not tainted
>
> syz-executor520/8085 is leaving the kernel with locks still held!
>
>
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkal...@googlegroups.com.
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
> syzbot.
> syzbot can test patches for this bug, for details see:
> https://goo.gl/tpsmEJ#testing-patches
WARNING: lock held when returning to user space! (3)
Hello,

syzbot found the following crash on:

HEAD commit:    903b77c63167 Merge tag 'linux-kselftest-4.21-rc1' of git:/..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1424673b40
kernel config:  https://syzkaller.appspot.com/x/.config?x=53a2f2aa0b1f7606
dashboard link: https://syzkaller.appspot.com/bug?extid=42e36e1ae3de3f22a7ed
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1453eabf40
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14a492bf40

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+42e36e1ae3de3f22a...@syzkaller.appspotmail.com

RBP: 006cf018 R08: 0001 R09: 0032
R10: R11: 0246 R12: 0005
R13: R14: R15:

========
WARNING: lock held when returning to user space!
4.20.0+ #395 Not tainted

syz-executor520/8085 is leaving the kernel with locks still held!


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
WARNING: lock held when returning to user space in set_property_atomic
Hello,

syzbot found the following crash on:

HEAD commit:    903b77c63167 Merge tag 'linux-kselftest-4.21-rc1' of git:/..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12d0f55340
kernel config:  https://syzkaller.appspot.com/x/.config?x=53a2f2aa0b1f7606
dashboard link: https://syzkaller.appspot.com/bug?extid=6ea337c427f5083ebdf2
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=120d906f40
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1024673b40

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+6ea337c427f5083eb...@syzkaller.appspotmail.com

RBP: 7ffe369ca7a0 R08: 0001 R09: 004009ce
R10: R11: 0246 R12: 0005
R13: R14: R15:

========
WARNING: lock held when returning to user space!
4.20.0+ #174 Not tainted

syz-executor556/8153 is leaving the kernel with locks still held!
1 lock held by syz-executor556/8153:
 #0: 5100c85c (crtc_ww_class_acquire){+.+.}, at: set_property_atomic+0xb3/0x330 drivers/gpu/drm/drm_mode_object.c:462


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
Re: WARNING: lock held when returning to user space in fuse_lock_inode
On Tue, Jul 17, 2018 at 5:46 AM Miklos Szeredi wrote:
> On Tue, Jul 17, 2018 at 1:36 PM, Dmitry Vyukov wrote:
> > On Tue, Jul 17, 2018 at 1:14 PM, Miklos Szeredi wrote:
> >> On Thu, Jul 12, 2018 at 5:49 PM, syzbot
> >> wrote:
> >>> Hello,
> >>>
> >>> syzbot found the following crash on:
> >>>
> >>> HEAD commit:    c25c74b7476e Merge tag 'trace-v4.18-rc3-2' of
> >>> git://git.ke..
> >>> git tree:       upstream
> >>> console output: https://syzkaller.appspot.com/x/log.txt?x=177bcec240
> >>> kernel config:  https://syzkaller.appspot.com/x/.config?x=25856fac4e580aa7
> >>> dashboard link:
> >>> https://syzkaller.appspot.com/bug?extid=3f7b29af1baa9d0a55be
> >>> compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
> >>> syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=13aa767840
> >>> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1749267840
> >>>
> >>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> >>> Reported-by: syzbot+3f7b29af1baa9d0a5...@syzkaller.appspotmail.com
> >>>
> >>> random: sshd: uninitialized urandom read (32 bytes read)
> >>> random: sshd: uninitialized urandom read (32 bytes read)
> >>> random: sshd: uninitialized urandom read (32 bytes read)
> >>>
> >>>
> >>> WARNING: lock held when returning to user space!
> >>> 4.18.0-rc4+ #143 Not tainted
> >>>
> >>> syz-executor012/4539 is leaving the kernel with locks still held!
> >>> 1 lock held by syz-executor012/4539:
> >>> #0: (ptrval) (&fi->mutex){+.+.}, at: fuse_lock_inode+0xaf/0xe0
> >>> fs/fuse/inode.c:363
> >>
> >> False positive.
> >>
> >> fi->mutex is definitely not held by the acquiring task when returning
> >> to userspace. Maybe syzkaller is confused by the fact that there are
> >> several interdependent tasks involved with fuse: the one calling into
> >> fuse by doing something (looking up ./file0/file0) and the one that
> >> reads the fuse device (returning with the LOOKUP request for "file0").
> >> The second one will return with that lock held, but it's not the one
> >> that acquired it, so there's no bug at all here.
> >
> > Hi Miklos,
> >
> > syzkaller is unrelated here. That's what kernel self-detects and
> > prints. So either way there is something to fix in kernel here: either
> > fuse or lockdep.
> >
> > +Alistair did some analysis offline, hope you don't mind if I repost
> > your description:
> > ===
> > Just from reading the code, I think I can see how this happens. Fuse
> > is wrapping its inode mutex with a check for "parallel_dirops", which
> > is set up in process_init_reply(). The FUSE_PARALLEL_DIROPS appears to
> > always be set, in fuse_send_init(), but its initial state is to be
> > disabled. So if the mutex gets taken, and it'll never be unlocked if
> > the initial command is flushed by fuse_readdir()'s use of
> > fuse_lock_inode().
> > ===
>
> Ah, indeed. Fix attached.

Looks good to me.

Tested-by: Alistair Strachan

> Thanks,
> Miklos
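The analysis quoted above describes a lock whose acquire and release are each guarded by a runtime flag (parallel_dirops) that can change while the lock is held, so the release side skips the unlock and the task returns to user space with the mutex still held. The following is an added illustration, not fs/fuse code and not the fix Miklos attached (that patch is not part of this thread as shown). It models the pattern with a constructed counting "mutex" and hypothetical toy_conn/toy_inode structures; the flag name mirrors the one in the analysis, and the "fixed" pairing shows the general remedy of having the lock function report what it did rather than re-evaluating the flag on unlock.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for a kernel mutex: it only counts holders, which
 * is all that is needed to observe whether an unlock was skipped. */
struct toy_mutex {
    int held;
};

static void toy_lock(struct toy_mutex *m)
{
    m->held++;
}

static void toy_unlock(struct toy_mutex *m)
{
    if (m->held > 0)
        m->held--;
}

/* Hypothetical connection and inode (not the fuse structures): the flag
 * name mirrors the "parallel_dirops" check discussed in the thread. */
struct toy_conn {
    bool parallel_dirops;
};

struct toy_inode {
    struct toy_conn *fc;
    struct toy_mutex mutex;
};

/* Buggy pairing: lock and unlock each re-read the flag, so they disagree
 * if the flag changes in between. */
static void lock_inode_buggy(struct toy_inode *ino)
{
    if (!ino->fc->parallel_dirops)
        toy_lock(&ino->mutex);
}

static void unlock_inode_buggy(struct toy_inode *ino)
{
    if (!ino->fc->parallel_dirops)
        toy_unlock(&ino->mutex);
}

/* Fixed pairing: lock reports whether it locked and unlock trusts that
 * report instead of re-evaluating the flag. */
static bool lock_inode_fixed(struct toy_inode *ino)
{
    bool locked = !ino->fc->parallel_dirops;

    if (locked)
        toy_lock(&ino->mutex);
    return locked;
}

static void unlock_inode_fixed(struct toy_inode *ino, bool locked)
{
    if (locked)
        toy_unlock(&ino->mutex);
}

/* Run one lock/unlock pair around an optional flag flip, modelling the
 * INIT reply enabling parallel dirops while a request is in flight.
 * Returns the holders left on the mutex: 0 is correct, 1 is a leaked lock. */
int holders_left_buggy(bool flip_flag_while_locked)
{
    struct toy_conn fc = { .parallel_dirops = false };
    struct toy_inode ino = { .fc = &fc, .mutex = { .held = 0 } };

    lock_inode_buggy(&ino);
    if (flip_flag_while_locked)
        fc.parallel_dirops = true;   /* flag changes under the lock */
    unlock_inode_buggy(&ino);        /* sees the new flag, skips unlock */
    return ino.mutex.held;
}

int holders_left_fixed(bool flip_flag_while_locked)
{
    struct toy_conn fc = { .parallel_dirops = false };
    struct toy_inode ino = { .fc = &fc, .mutex = { .held = 0 } };
    bool locked = lock_inode_fixed(&ino);

    if (flip_flag_while_locked)
        fc.parallel_dirops = true;
    unlock_inode_fixed(&ino, locked); /* releases exactly what was taken */
    return ino.mutex.held;
}

int main(void)
{
    printf("buggy, no flip: %d holders left\n", holders_left_buggy(false));
    printf("buggy, flip:    %d holders left\n", holders_left_buggy(true));
    printf("fixed, flip:    %d holders left\n", holders_left_fixed(true));
    return 0;
}
```

The point the counter makes visible is that the buggy pairing is only correct while the flag is stable across the critical section; any state that can be updated by another task (here, the reply to the initial request) must not be consulted twice. Carrying the decision in a local, as the fixed pairing does, is what lockdep's "lock held when returning to user space" check would otherwise be the first thing to notice.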
Re: WARNING: lock held when returning to user space in fuse_lock_inode
On Tue, Jul 17, 2018 at 1:36 PM, Dmitry Vyukov wrote:
> On Tue, Jul 17, 2018 at 1:14 PM, Miklos Szeredi wrote:
>> On Thu, Jul 12, 2018 at 5:49 PM, syzbot wrote:
>>> Hello,
>>>
>>> syzbot found the following crash on:
>>>
>>> HEAD commit:    c25c74b7476e Merge tag 'trace-v4.18-rc3-2' of git://git.ke..
>>> git tree:       upstream
>>> console output: https://syzkaller.appspot.com/x/log.txt?x=177bcec240
>>> kernel config:  https://syzkaller.appspot.com/x/.config?x=25856fac4e580aa7
>>> dashboard link: https://syzkaller.appspot.com/bug?extid=3f7b29af1baa9d0a55be
>>> compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
>>> syzkaller repro: https://syzkaller.appspot.com/x/repro.syz?x=13aa767840
>>> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1749267840
>>>
>>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
>>> Reported-by: syzbot+3f7b29af1baa9d0a5...@syzkaller.appspotmail.com
>>>
>>> random: sshd: uninitialized urandom read (32 bytes read)
>>> random: sshd: uninitialized urandom read (32 bytes read)
>>> random: sshd: uninitialized urandom read (32 bytes read)
>>>
>>> WARNING: lock held when returning to user space!
>>> 4.18.0-rc4+ #143 Not tainted
>>>
>>> syz-executor012/4539 is leaving the kernel with locks still held!
>>> 1 lock held by syz-executor012/4539:
>>>  #0: (ptrval) (&fi->mutex){+.+.}, at: fuse_lock_inode+0xaf/0xe0 fs/fuse/inode.c:363
>>
>> False positive.
>>
>> fi->mutex is definitely not held by the acquiring task when returning
>> to userspace. Maybe syzkaller is confused by the fact that there are
>> several interdependent tasks involved with fuse: the one calling into
>> fuse by doing something (looking up ./file0/file0) and the one that
>> reads the fuse device (returning with the LOOKUP request for "file0").
>> The second one will return with that lock held, but it's not the one
>> that acquired it, so there's no bug at all here.
>
> Hi Miklos,
>
> syzkaller is unrelated here. That's what the kernel self-detects and
> prints. So either way there is something to fix in the kernel here: either
> fuse or lockdep.
>
> +Alistair did some analysis offline, hope you don't mind if I repost
> your description:
> ===
> Just from reading the code, I think I can see how this happens. Fuse
> is wrapping its inode mutex with a check for "parallel_dirops", which
> is set up in process_init_reply(). The FUSE_PARALLEL_DIROPS appears to
> always be set, in fuse_send_init(), but its initial state is to be
> disabled. So if the mutex gets taken, and it'll never be unlocked if
> the initial command is flushed by fuse_readdir()'s use of
> fuse_lock_inode().
> ===

Ah, indeed. Fix attached.

Thanks,
Miklos

From: Miklos Szeredi
Subject: fuse: fix initial parallel dirops

If parallel dirops are enabled in FUSE_INIT reply, then first operation
may leave fi->mutex held.

Reported-by: syzbot+3f7b29af1baa9d0a5...@syzkaller.appspotmail.com
Signed-off-by: Miklos Szeredi
---
 fs/fuse/dir.c    | 10 ++
 fs/fuse/fuse_i.h |  4 ++--
 fs/fuse/inode.c  | 14 ++
 3 files changed, 18 insertions(+), 10 deletions(-)

--- a/fs/fuse/dir.c +++ b/fs/fuse/dir.c @@ -355,11 +355,12 @@ static struct dentry *fuse_lookup(struct struct inode *inode; struct dentry *newent; bool outarg_valid = true; + bool locked; - fuse_lock_inode(dir); + locked = fuse_lock_inode(dir); err = fuse_lookup_name(dir->i_sb, get_node_id(dir), &entry->d_name, &outarg, &inode); - fuse_unlock_inode(dir); + fuse_unlock_inode(dir, locked); if (err == -ENOENT) { outarg_valid = false; err = 0; @@ -1340,6 +1341,7 @@ static int fuse_readdir(struct file *fil struct fuse_conn *fc = get_fuse_conn(inode); struct fuse_req *req; u64 attr_version = 0; + bool locked; if (is_bad_inode(inode)) return -EIO;
@@ -1367,9 +1369,9 @@ static int fuse_readdir(struct file *fil fuse_read_fill(req, file, ctx->pos, PAGE_SIZE, FUSE_READDIR); } - fuse_lock_inode(inode); + locked = fuse_lock_inode(inode); fuse_request_send(fc, req); - fuse_unlock_inode(inode); + fuse_unlock_inode(inode, locked); nbytes = req->out.args[0].size; err = req->out.h.error; fuse_put_request(fc, req); --- a/fs/fuse/fuse_i.h +++ b/fs/fuse/fuse_i.h @@ -974,8 +974,8 @@ int fuse_do_setattr(struct dentry *dentr void fuse_set_initialized(struct fuse_conn *fc); -void fuse_unlock_inode(struct inode *
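Review bot: in the fuse_lookup hunk (@@ -355) the saved `bool locked` is what makes `fuse_unlock_inode(dir, locked)` independent of whether `parallel_dirops` flipped while fuse_lookup_name() waited on the daemon, so the fix rests on the new `fuse_lock_inode()` returning whether the mutex was actually taken rather than a fresh read of the flag; that inode.c side (14 lines in the diffstat) is not shown with these hunks, so please double-check it. A one-line comment above `bool locked;` saying it records the lock-time decision would save the next reader the same trip.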
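Review bot: the two fuse_readdir hunks (@@ -1340 and @@ -1367) cover the path named in the report (fuse_readdir() calling fuse_lock_inode()): fuse_request_send() blocks until userspace answers, and the FUSE_INIT reply that enables parallel_dirops can be processed while that first request is outstanding, so the old `fuse_unlock_inode(inode)` could re-read the flag as enabled and skip the unlock. Passing `locked` through closes that window. Small style point: `locked` is declared in the @@ -1340 hunk well before its first use in @@ -1367; that is fine under kernel declaration style, but consider initialising it to false at the declaration so a future early-exit path cannot hand an uninitialised value to fuse_unlock_inode().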
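Review bot: the fuse_i.h hunk (@@ -974) changes the fuse_unlock_inode() prototype, which is the safer way to carry the lock decision: any caller not converted in the same patch fails to compile instead of silently leaking the mutex. The diffstat lists only dir.c, fuse_i.h and inode.c, consistent with the two dir.c call sites converted above being the only users.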
Re: WARNING: lock held when returning to user space in fuse_lock_inode
On Tue, Jul 17, 2018 at 1:14 PM, Miklos Szeredi wrote:
> On Thu, Jul 12, 2018 at 5:49 PM, syzbot wrote:
>> Hello,
>>
>> syzbot found the following crash on:
>>
>> HEAD commit:    c25c74b7476e Merge tag 'trace-v4.18-rc3-2' of git://git.ke..
>> git tree:       upstream
>> console output: https://syzkaller.appspot.com/x/log.txt?x=177bcec240
>> kernel config:  https://syzkaller.appspot.com/x/.config?x=25856fac4e580aa7
>> dashboard link: https://syzkaller.appspot.com/bug?extid=3f7b29af1baa9d0a55be
>> compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
>> syzkaller repro: https://syzkaller.appspot.com/x/repro.syz?x=13aa767840
>> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1749267840
>>
>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
>> Reported-by: syzbot+3f7b29af1baa9d0a5...@syzkaller.appspotmail.com
>>
>> random: sshd: uninitialized urandom read (32 bytes read)
>> random: sshd: uninitialized urandom read (32 bytes read)
>> random: sshd: uninitialized urandom read (32 bytes read)
>>
>> WARNING: lock held when returning to user space!
>> 4.18.0-rc4+ #143 Not tainted
>>
>> syz-executor012/4539 is leaving the kernel with locks still held!
>> 1 lock held by syz-executor012/4539:
>>  #0: (ptrval) (&fi->mutex){+.+.}, at: fuse_lock_inode+0xaf/0xe0 fs/fuse/inode.c:363
>
> False positive.
>
> fi->mutex is definitely not held by the acquiring task when returning
> to userspace. Maybe syzkaller is confused by the fact that there are
> several interdependent tasks involved with fuse: the one calling into
> fuse by doing something (looking up ./file0/file0) and the one that
> reads the fuse device (returning with the LOOKUP request for "file0").
> The second one will return with that lock held, but it's not the one
> that acquired it, so there's no bug at all here.

Hi Miklos,

syzkaller is unrelated here. That's what the kernel self-detects and
prints. So either way there is something to fix in the kernel here: either
fuse or lockdep.

+Alistair did some analysis offline, hope you don't mind if I repost
your description:
===
Just from reading the code, I think I can see how this happens. Fuse
is wrapping its inode mutex with a check for "parallel_dirops", which
is set up in process_init_reply(). The FUSE_PARALLEL_DIROPS appears to
always be set, in fuse_send_init(), but its initial state is to be
disabled. So if the mutex gets taken, and it'll never be unlocked if
the initial command is flushed by fuse_readdir()'s use of
fuse_lock_inode().
===
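The lock/unlock mismatch described in the analysis above, as an added userspace C model that is not kernel code and not part of this thread. It runs the same interleaving through both shapes: the original pair, where lock and unlock each re-read `parallel_dirops`, and the fixed shape, where the lock-time decision is returned and handed back to the unlock (the shape the dir.c hunks elsewhere in the thread adopt). The FUSE_INIT reply is modelled as a flag flip while the request is outstanding; the struct and function names (`conn_model`, `inode_model`, `*_holds_after_op`, and so on) are the example's own, and the "mutex" is a hold counter so a leaked lock shows up as a non-zero count after the operation returns, which is the condition lockdep reports as "lock held when returning to user space".

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Constructed model (not kernel code): the connection flag and the
 * per-inode mutex are plain fields, and "locking" counts how many times
 * the mutex is held. 0 after an operation is correct; 1 is a leaked lock.
 */
struct conn_model  { bool parallel_dirops; };
struct inode_model { struct conn_model *fc; int mutex_held; };

static void mutex_lock_model(struct inode_model *fi)   { fi->mutex_held++; }
static void mutex_unlock_model(struct inode_model *fi) { fi->mutex_held--; }

/* Original shape: lock and unlock each re-read fc->parallel_dirops. */
static void buggy_lock_inode(struct inode_model *fi)
{
	if (!fi->fc->parallel_dirops)
		mutex_lock_model(fi);
}

static void buggy_unlock_inode(struct inode_model *fi)
{
	/* The flag may have changed since lock time; if it is now set the
	 * unlock is skipped and the mutex stays held. */
	if (!fi->fc->parallel_dirops)
		mutex_unlock_model(fi);
}

/* Fixed shape (assumed here, following the dir.c call sites in the thread):
 * return whether the mutex was taken and pass that back to the unlock. */
static bool fixed_lock_inode(struct inode_model *fi)
{
	bool locked = false;

	if (!fi->fc->parallel_dirops) {
		mutex_lock_model(fi);
		locked = true;
	}
	return locked;
}

static void fixed_unlock_inode(struct inode_model *fi, bool locked)
{
	if (locked)
		mutex_unlock_model(fi);
}

/*
 * Stand-in for the blocking request send. While the first request is
 * outstanding, the daemon's FUSE_INIT reply can be processed, and
 * process_init_reply() turns parallel_dirops on.
 */
static void send_request_model(struct inode_model *fi, bool init_reply_arrives)
{
	if (init_reply_arrives)
		fi->fc->parallel_dirops = true;
}

/* One readdir-style operation with the original code; returns how many
 * times fi->mutex is still held afterwards (0 is correct). */
int buggy_holds_after_op(bool init_reply_during_op)
{
	struct conn_model fc = { .parallel_dirops = false };	/* initial state */
	struct inode_model dir = { .fc = &fc, .mutex_held = 0 };

	buggy_lock_inode(&dir);
	send_request_model(&dir, init_reply_during_op);
	buggy_unlock_inode(&dir);
	return dir.mutex_held;
}

/* Same operation with the fixed pattern. */
int fixed_holds_after_op(bool init_reply_during_op)
{
	struct conn_model fc = { .parallel_dirops = false };
	struct inode_model dir = { .fc = &fc, .mutex_held = 0 };
	bool locked;

	locked = fixed_lock_inode(&dir);
	send_request_model(&dir, init_reply_during_op);
	fixed_unlock_inode(&dir, locked);
	return dir.mutex_held;
}

int main(void)
{
	printf("buggy, no init reply during op: %d lock(s) left held\n",
	       buggy_holds_after_op(false));
	printf("buggy, init reply during op:    %d lock(s) left held\n",
	       buggy_holds_after_op(true));
	printf("fixed, init reply during op:    %d lock(s) left held\n",
	       fixed_holds_after_op(true));
	return 0;
}
```

Only the case where the INIT reply lands between lock and unlock differs between the two shapes; in every other interleaving both leave the count at zero, which is why the original code looked correct on a warmed-up connection.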
Re: WARNING: lock held when returning to user space in fuse_lock_inode
On Thu, Jul 12, 2018 at 5:49 PM, syzbot wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:    c25c74b7476e Merge tag 'trace-v4.18-rc3-2' of git://git.ke..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=177bcec240
> kernel config:  https://syzkaller.appspot.com/x/.config?x=25856fac4e580aa7
> dashboard link: https://syzkaller.appspot.com/bug?extid=3f7b29af1baa9d0a55be
> compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
> syzkaller repro: https://syzkaller.appspot.com/x/repro.syz?x=13aa767840
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1749267840
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+3f7b29af1baa9d0a5...@syzkaller.appspotmail.com
>
> random: sshd: uninitialized urandom read (32 bytes read)
> random: sshd: uninitialized urandom read (32 bytes read)
> random: sshd: uninitialized urandom read (32 bytes read)
>
> ============
> WARNING: lock held when returning to user space!
> 4.18.0-rc4+ #143 Not tainted
>
> syz-executor012/4539 is leaving the kernel with locks still held!
> 1 lock held by syz-executor012/4539:
>  #0: (ptrval) (&fi->mutex){+.+.}, at: fuse_lock_inode+0xaf/0xe0 fs/fuse/inode.c:363

False positive.

fi->mutex is definitely not held by the acquiring task when returning
to userspace. Maybe syzkaller is confused by the fact that there are
several interdependent tasks involved with fuse: the one calling into
fuse by doing something (looking up ./file0/file0) and the one that
reads the fuse device (returning with the LOOKUP request for "file0").
The second one will return with that lock held, but it's not the one
that acquired it, so there's no bug at all here.

Thanks,
Miklos

>
>
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkal...@googlegroups.com.
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
> syzbot.
> syzbot can test patches for this bug, for details see:
> https://goo.gl/tpsmEJ#testing-patches
WARNING: lock held when returning to user space in fuse_lock_inode
Hello,

syzbot found the following crash on:

HEAD commit:    c25c74b7476e Merge tag 'trace-v4.18-rc3-2' of git://git.ke..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=177bcec240
kernel config:  https://syzkaller.appspot.com/x/.config?x=25856fac4e580aa7
dashboard link: https://syzkaller.appspot.com/bug?extid=3f7b29af1baa9d0a55be
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro: https://syzkaller.appspot.com/x/repro.syz?x=13aa767840
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1749267840

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+3f7b29af1baa9d0a5...@syzkaller.appspotmail.com

random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)

========
WARNING: lock held when returning to user space!
4.18.0-rc4+ #143 Not tainted

syz-executor012/4539 is leaving the kernel with locks still held!
1 lock held by syz-executor012/4539:
 #0: (ptrval) (&fi->mutex){+.+.}, at: fuse_lock_inode+0xaf/0xe0 fs/fuse/inode.c:363

---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
Re: WARNING: lock held when returning to user space!
The patch was sent to linux.git as commit bdac616db9bbadb9.

#syz fix: loop: fix LOOP_GET_STATUS lock imbalance
Re: WARNING: lock held when returning to user space!
On 4/6/18 8:57 AM, Dmitry Vyukov wrote:
> On Fri, Apr 6, 2018 at 4:27 PM, Jens Axboe wrote:
>> On 4/6/18 7:02 AM, syzbot wrote:
>>> Hello,
>>>
>>> syzbot hit the following crash on upstream commit
>>> 38c23685b273cfb4ccf31a199feccce3bdcb5d83 (Fri Apr 6 04:29:35 2018 +0000)
>>> Merge tag 'armsoc-drivers' of
>>> git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc
>>> syzbot dashboard link:
>>> https://syzkaller.appspot.com/bug?extid=31e8daa8b3fc129e75f2
>>>
>>> So far this crash happened 9 times on upstream.
>>> C reproducer: https://syzkaller.appspot.com/x/repro.c?id=6407930337296384
>>> syzkaller reproducer:
>>> https://syzkaller.appspot.com/x/repro.syz?id=4942413340606464
>>> Raw console output:
>>> https://syzkaller.appspot.com/x/log.txt?id=4764483918495744
>>> Kernel config:
>>> https://syzkaller.appspot.com/x/.config?id=-5813481738265533882
>>> compiler: gcc (GCC) 8.0.1 20180301 (experimental)
>>>
>>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
>>> Reported-by: syzbot+31e8daa8b3fc129e7...@syzkaller.appspotmail.com
>>> It will help syzbot understand when the bug is fixed. See footer for
>>> details.
>>> If you forward the report, please keep this part and the footer.
>>>
>>>
>>> WARNING: lock held when returning to user space!
>>> 4.16.0+ #3 Not tainted
>>>
>>> syzkaller433111/4462 is leaving the kernel with locks still held!
>>> 1 lock held by syzkaller433111/4462:
>>>  #0: 03a06fae (&lo->lo_ctl_mutex/1){+.+.}, at: lo_ioctl+0x8d/0x1ec0
>>> drivers/block/loop.c:1363
>>
>> Is this a new regression? Omar did just fiddle with the locking a bit,
>> seems suspicious.
>
> Looking at:
> https://syzkaller.appspot.com/bug?extid=31e8daa8b3fc129e75f2
> It first happened 4 hours ago and 9 times since then, so probably a
> just introduced regression.

After writing that, I saw the discussion in another thread ("INFO: task
hung in lo_ioctl"), so I think we can definitely say that it's a recently
introduced regression in loop due to the killable lock changes.

--
Jens Axboe
Re: WARNING: lock held when returning to user space!
On Fri, Apr 6, 2018 at 4:27 PM, Jens Axboe wrote:
> On 4/6/18 7:02 AM, syzbot wrote:
>> Hello,
>>
>> syzbot hit the following crash on upstream commit
>> 38c23685b273cfb4ccf31a199feccce3bdcb5d83 (Fri Apr 6 04:29:35 2018 +0000)
>> Merge tag 'armsoc-drivers' of
>> git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc
>> syzbot dashboard link:
>> https://syzkaller.appspot.com/bug?extid=31e8daa8b3fc129e75f2
>>
>> So far this crash happened 9 times on upstream.
>> C reproducer: https://syzkaller.appspot.com/x/repro.c?id=6407930337296384
>> syzkaller reproducer:
>> https://syzkaller.appspot.com/x/repro.syz?id=4942413340606464
>> Raw console output:
>> https://syzkaller.appspot.com/x/log.txt?id=4764483918495744
>> Kernel config:
>> https://syzkaller.appspot.com/x/.config?id=-5813481738265533882
>> compiler: gcc (GCC) 8.0.1 20180301 (experimental)
>>
>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
>> Reported-by: syzbot+31e8daa8b3fc129e7...@syzkaller.appspotmail.com
>> It will help syzbot understand when the bug is fixed. See footer for
>> details.
>> If you forward the report, please keep this part and the footer.
>>
>>
>> WARNING: lock held when returning to user space!
>> 4.16.0+ #3 Not tainted
>>
>> syzkaller433111/4462 is leaving the kernel with locks still held!
>> 1 lock held by syzkaller433111/4462:
>>  #0: 03a06fae (&lo->lo_ctl_mutex/1){+.+.}, at: lo_ioctl+0x8d/0x1ec0
>> drivers/block/loop.c:1363
>
> Is this a new regression? Omar did just fiddle with the locking a bit,
> seems suspicious.

Looking at:
https://syzkaller.appspot.com/bug?extid=31e8daa8b3fc129e75f2
It first happened 4 hours ago and 9 times since then, so probably a
just introduced regression.

> --
> Jens Axboe
Re: WARNING: lock held when returning to user space!
On 4/6/18 7:02 AM, syzbot wrote:
> Hello,
>
> syzbot hit the following crash on upstream commit
> 38c23685b273cfb4ccf31a199feccce3bdcb5d83 (Fri Apr 6 04:29:35 2018 +0000)
> Merge tag 'armsoc-drivers' of
> git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc
> syzbot dashboard link:
> https://syzkaller.appspot.com/bug?extid=31e8daa8b3fc129e75f2
>
> So far this crash happened 9 times on upstream.
> C reproducer: https://syzkaller.appspot.com/x/repro.c?id=6407930337296384
> syzkaller reproducer:
> https://syzkaller.appspot.com/x/repro.syz?id=4942413340606464
> Raw console output:
> https://syzkaller.appspot.com/x/log.txt?id=4764483918495744
> Kernel config:
> https://syzkaller.appspot.com/x/.config?id=-5813481738265533882
> compiler: gcc (GCC) 8.0.1 20180301 (experimental)
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+31e8daa8b3fc129e7...@syzkaller.appspotmail.com
> It will help syzbot understand when the bug is fixed. See footer for
> details.
> If you forward the report, please keep this part and the footer.
>
>
> ====
> WARNING: lock held when returning to user space!
> 4.16.0+ #3 Not tainted
>
> syzkaller433111/4462 is leaving the kernel with locks still held!
> 1 lock held by syzkaller433111/4462:
>  #0: 03a06fae (&lo->lo_ctl_mutex/1){+.+.}, at: lo_ioctl+0x8d/0x1ec0
> drivers/block/loop.c:1363

Is this a new regression? Omar did just fiddle with the locking a bit,
seems suspicious.

--
Jens Axboe
WARNING: lock held when returning to user space!
Hello,

syzbot hit the following crash on upstream commit
38c23685b273cfb4ccf31a199feccce3bdcb5d83 (Fri Apr 6 04:29:35 2018 +0000)
Merge tag 'armsoc-drivers' of
git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=31e8daa8b3fc129e75f2

So far this crash happened 9 times on upstream.
C reproducer: https://syzkaller.appspot.com/x/repro.c?id=6407930337296384
syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=4942413340606464
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=4764483918495744
Kernel config: https://syzkaller.appspot.com/x/.config?id=-5813481738265533882
compiler: gcc (GCC) 8.0.1 20180301 (experimental)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+31e8daa8b3fc129e7...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.
If you forward the report, please keep this part and the footer.

========
WARNING: lock held when returning to user space!
4.16.0+ #3 Not tainted

syzkaller433111/4462 is leaving the kernel with locks still held!
1 lock held by syzkaller433111/4462:
 #0: 03a06fae (&lo->lo_ctl_mutex/1){+.+.}, at: lo_ioctl+0x8d/0x1ec0 drivers/block/loop.c:1363

---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzkal...@googlegroups.com.

syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is merged
into any tree, please reply to this email with:
#syz fix: exact-commit-title
If you want to test a patch for this bug, please reply with:
#syz test: git://repo/address.git branch
and provide the patch inline or as an attachment.
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug report.
Note: all commands must start from beginning of the line in the email body.