WARNING: lock held when returning to user space in rcu_lock_acquire

2019-10-02 Thread syzbot

Hello,

syzbot found the following crash on:

HEAD commit:54ecb8f7 Linux 5.4-rc1
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11c03fcd60
kernel config:  https://syzkaller.appspot.com/x/.config?x=fb0b431ccdf08c1c
dashboard link: https://syzkaller.appspot.com/bug?extid=fef86971c84310f1c8cd
compiler:   clang version 9.0.0 (/home/glider/llvm/clang 80fee25776c2fb61e74c1ecb1a523375c2500b69)

syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=10d52e3360
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1582402b60

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+fef86971c84310f1c...@syzkaller.appspotmail.com


WARNING: lock held when returning to user space!
5.4.0-rc1 #0 Not tainted

syz-executor670/7923 is leaving the kernel with locks still held!
1 lock held by syz-executor670/7923:
 #0: 888d3cc0 (rcu_read_lock){}, at: rcu_lock_acquire+0x4/0x30 include/linux/rcupdate.h:207

[ cut here ]
WARNING: CPU: 0 PID: 7923 at kernel/rcu/tree_plugin.h:293 rcu_note_context_switch+0xdde/0xee0 kernel/rcu/tree_plugin.h:293

Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 7923 Comm: syz-executor670 Not tainted 5.4.0-rc1 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1d8/0x2f8 lib/dump_stack.c:113
 panic+0x25c/0x799 kernel/panic.c:220
 __warn+0x20e/0x210 kernel/panic.c:581
 report_bug+0x1b6/0x2f0 lib/bug.c:195
 fixup_bug arch/x86/kernel/traps.c:179 [inline]
 do_error_trap+0xd7/0x440 arch/x86/kernel/traps.c:272
 do_invalid_op+0x36/0x40 arch/x86/kernel/traps.c:291
 invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1028
RIP: 0010:rcu_note_context_switch+0xdde/0xee0 kernel/rcu/tree_plugin.h:293
Code: c8 73 4b 00 e9 b8 f3 ff ff 89 d9 80 e1 07 80 c1 03 38 c1 0f 8c 22 f3  
ff ff 48 89 df e8 4b 73 4b 00 83 3b 00 0f 8e 1a f3 ff ff <0f> 0b e9 13 f3  
ff ff 89 d9 80 e1 07 80 c1 03 38 c1 0f 8c c9 f2 ff

RSP: :8880921bfd20 EFLAGS: 00010002
RAX: 111012bc6100 RBX: 888095e30978 RCX: 81608604
RDX:  RSI: 0008 RDI: 88be39a0
RBP: 8880921bfe00 R08: dc00 R09: fbfff117c735
R10: fbfff117c735 R11:  R12: dc00
R13: 888095e30600 R14:  R15: 8880aea35740
 __schedule+0xce/0xb80 kernel/sched/core.c:4007
 schedule+0x131/0x1e0 kernel/sched/core.c:4136
 exit_to_usermode_loop arch/x86/entry/common.c:149 [inline]
 prepare_exit_to_usermode+0x2aa/0x580 arch/x86/entry/common.c:194
 retint_user+0x8/0x18
RIP: 0033:0x446fb9
Code: e8 8c 19 03 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7  
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff  
ff 0f 83 4b 0e fc ff c3 66 2e 0f 1f 84 00 00 00 00

RSP: 002b:7fd680470db8 EFLAGS: 0246 ORIG_RAX: ff13
RAX:  RBX: 006ddc28 RCX: 00446fb9
RDX: 00446fb9 RSI:  RDI: 00010008
RBP: 006ddc20 R08:  R09: 
R10:  R11: 0246 R12: 006ddc2c
R13: 7fffb42e414f R14: 7fd6804719c0 R15: 
Kernel Offset: disabled
Rebooting in 86400 seconds..


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches


Re: WARNING: lock held when returning to user space in membarrier_private_expedited

2019-10-01 Thread Peter Zijlstra
On Tue, Oct 01, 2019 at 01:09:07AM -0700, syzbot wrote:
> Hello,
> 
> syzbot found the following crash on:
> 
> HEAD commit:afb37288 Add linux-next specific files for 20191001
> git tree:   linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=1761963560
> kernel config:  https://syzkaller.appspot.com/x/.config?x=659cb5bf73e72c6c
> dashboard link: https://syzkaller.appspot.com/bug?extid=6b6a46cc150b19f54ad6
> compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=176faa1360
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14b825cd60
> 
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+6b6a46cc150b19f54...@syzkaller.appspotmail.com
> 
> ================
> WARNING: lock held when returning to user space!
> 5.4.0-rc1-next-20191001 #0 Not tainted
> 
> syz-executor589/9088 is leaving the kernel with locks still held!
> 1 lock held by syz-executor589/9088:
>  #0: 88faadc0 (rcu_read_lock){}, at:
> membarrier_private_expedited+0x180/0x590 kernel/sched/membarrier.c:150

https://lkml.kernel.org/r/20191001071921.gj4...@hirez.programming.kicks-ass.net


WARNING: lock held when returning to user space in membarrier_private_expedited

2019-10-01 Thread syzbot

Hello,

syzbot found the following crash on:

HEAD commit:afb37288 Add linux-next specific files for 20191001
git tree:   linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1761963560
kernel config:  https://syzkaller.appspot.com/x/.config?x=659cb5bf73e72c6c
dashboard link: https://syzkaller.appspot.com/bug?extid=6b6a46cc150b19f54ad6
compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=176faa1360
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14b825cd60

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+6b6a46cc150b19f54...@syzkaller.appspotmail.com


WARNING: lock held when returning to user space!
5.4.0-rc1-next-20191001 #0 Not tainted

syz-executor589/9088 is leaving the kernel with locks still held!
1 lock held by syz-executor589/9088:
 #0: 88faadc0 (rcu_read_lock){}, at: membarrier_private_expedited+0x180/0x590 kernel/sched/membarrier.c:150

[ cut here ]
WARNING: CPU: 0 PID: 9088 at kernel/rcu/tree_plugin.h:293 rcu_note_context_switch+0x373/0x1910 kernel/rcu/tree_plugin.h:293

Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 9088 Comm: syz-executor589 Not tainted 5.4.0-rc1-next-20191001 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
 panic+0x2dc/0x755 kernel/panic.c:220
 __warn.cold+0x2f/0x3c kernel/panic.c:581
 report_bug+0x289/0x300 lib/bug.c:195
 fixup_bug arch/x86/kernel/traps.c:179 [inline]
 fixup_bug arch/x86/kernel/traps.c:174 [inline]
 do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:272
 do_invalid_op+0x37/0x50 arch/x86/kernel/traps.c:291
 invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1028
RIP: 0010:rcu_note_context_switch+0x373/0x1910 kernel/rcu/tree_plugin.h:293
Code: 8b 13 48 85 d2 75 c3 48 8b 5d c8 65 ff 0d dd 75 a1 7e 0f 85 fa fc ff  
ff e8 4a df 9f ff e9 f0 fc ff ff 85 d2 0f 8e 62 fe ff ff <0f> 0b e9 1f fe  
ff ff 65 8b 1d ff 0a a1 7e 83 fb 3f 0f 87 0d 0e 00

RSP: :888090017d60 EFLAGS: 00010002
RAX: 89c60674 RBX: 8880ae835ac0 RCX: 1110148334c7
RDX: 0001 RSI:  RDI: 8880a419a638
RBP: 888090017dd0 R08: 1138ba90 R09: fbfff138ba91
R10: fbfff138ba90 R11: 89c5d487 R12: 
R13: 8880a419a2c0 R14:  R15: 8880ae834d18
 __schedule+0x25e/0x1e70 kernel/sched/core.c:4007
 schedule+0xd9/0x260 kernel/sched/core.c:4136
 exit_to_usermode_loop+0x195/0x380 arch/x86/entry/common.c:149
 prepare_exit_to_usermode+0x2ff/0x370 arch/x86/entry/common.c:194
 retint_user+0x8/0x18
RIP: 0033:0x446ed9
Code: e8 5c 14 03 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7  
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff  
ff 0f 83 ab 0e fc ff c3 66 2e 0f 1f 84 00 00 00 00

RSP: 002b:7f082bf04db8 EFLAGS: 0246 ORIG_RAX: ff13
RAX:  RBX: 006dcc38 RCX: 00446ed9
RDX: 00403494 RSI:  RDI: 00010008
RBP: 006dcc30 R08: 7f082bf05700 R09: 
R10: 7f082bf05700 R11: 0246 R12: 006dcc3c
R13: 7ffef65e667f R14: 7f082bf059c0 R15: 0001
Kernel Offset: disabled
Rebooting in 86400 seconds..


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches


Re: WARNING: lock held when returning to user space in set_property_atomic

2019-01-04 Thread Tetsuo Handa
On 2019/01/03 18:04, Dmitry Vyukov wrote:
> On Thu, Jan 3, 2019 at 9:55 AM Maarten Lankhorst wrote:
>> Just guessing..
>>
>> Does this help?

Yes it will. And while at it, let's fix another one together.

From 291e42211e3cc6d85c915772717dd08d40fb5fed Mon Sep 17 00:00:00 2001
From: Tetsuo Handa 
Date: Fri, 4 Jan 2019 15:23:47 +0900
Subject: [PATCH] gpu/drm: Fix lock held when returning to user space.

We need to call drm_modeset_acquire_fini() when drm_atomic_state_alloc()
failed or call drm_modeset_acquire_init() after drm_atomic_state_alloc()
succeeded.

Signed-off-by: Tetsuo Handa 
Reported-by: syzbot 
---
 drivers/gpu/drm/drm_atomic_uapi.c | 3 +--
 drivers/gpu/drm/drm_mode_object.c | 4 ++--
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/drivers/gpu/drm/drm_atomic_uapi.c 
b/drivers/gpu/drm/drm_atomic_uapi.c
index c408898..9a1f41a 100644
--- a/drivers/gpu/drm/drm_atomic_uapi.c
+++ b/drivers/gpu/drm/drm_atomic_uapi.c
@@ -1296,12 +1296,11 @@ int drm_mode_atomic_ioctl(struct drm_device *dev,
(arg->flags & DRM_MODE_PAGE_FLIP_EVENT))
return -EINVAL;
 
-   drm_modeset_acquire_init(&ctx, DRM_MODESET_ACQUIRE_INTERRUPTIBLE);
-
state = drm_atomic_state_alloc(dev);
if (!state)
return -ENOMEM;
 
+   drm_modeset_acquire_init(&ctx, DRM_MODESET_ACQUIRE_INTERRUPTIBLE);
state->acquire_ctx = &ctx;
state->allow_modeset = !!(arg->flags & DRM_MODE_ATOMIC_ALLOW_MODESET);
 
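Review bot: moving drm_modeset_acquire_init() below drm_atomic_state_alloc() is safe here because the only early return in between is the -ENOMEM path and nothing on it uses ctx; before this change that return left the ww acquire context initialized with no matching drm_modeset_acquire_fini(), which is the crtc_ww_class_acquire entry lockdep reports as still held. The commit message lists two possible fixes (fini on the error path, or init after the allocation) without saying which one the patch implements; state that it takes the second and why, so the choice is not lost on later readers.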
diff --git a/drivers/gpu/drm/drm_mode_object.c 
b/drivers/gpu/drm/drm_mode_object.c
index cd9bc0c..004191d 100644
--- a/drivers/gpu/drm/drm_mode_object.c
+++ b/drivers/gpu/drm/drm_mode_object.c
@@ -459,11 +459,11 @@ static int set_property_atomic(struct drm_mode_object 
*obj,
struct drm_modeset_acquire_ctx ctx;
int ret;
 
-   drm_modeset_acquire_init(&ctx, 0);
-
state = drm_atomic_state_alloc(dev);
if (!state)
return -ENOMEM;
+
+   drm_modeset_acquire_init(&ctx, 0);
state->acquire_ctx = &ctx;
 retry:
if (prop == state->dev->mode_config.dpms_property) {
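Review bot: this hunk is identical to the diff Maarten Lankhorst posted earlier in the thread, so the patch should carry his authorship or at least a Suggested-by: trailer rather than appear as an independent fix. Logic-wise the relocated drm_modeset_acquire_init(&ctx, 0) still precedes the retry: label, so the backoff loop that re-enters at retry runs with an initialized context exactly as before; only the -ENOMEM return changes, and it now has nothing left to undo.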
-- 
1.8.3.1
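The ordering bug the patch above corrects, as an added user-space model (not DRM code and not part of the patch): a mock lockdep counts crtc_ww_class_acquire entries opened by a stand-in for drm_modeset_acquire_init() and closed by one for drm_modeset_acquire_fini(), and both fixes named in the commit message are shown next to the leaking original. Every function and type here is an assumption of this example.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Mock of lockdep's bookkeeping for the crtc_ww_class_acquire class that
 * drm_modeset_acquire_init() enters and drm_modeset_acquire_fini() leaves;
 * a non-zero count at the syscall boundary is the reported condition. */
static int crtc_ww_class_acquire_held;

struct acquire_ctx { bool initialized; };

static void acquire_init(struct acquire_ctx *ctx)
{
	ctx->initialized = true;
	crtc_ww_class_acquire_held++;
}

static void acquire_fini(struct acquire_ctx *ctx)
{
	ctx->initialized = false;
	crtc_ww_class_acquire_held--;
}

/* Stand-in for drm_atomic_state_alloc(); fail_alloc models the injected -ENOMEM. */
struct atomic_state { struct acquire_ctx *acquire_ctx; };

static struct atomic_state *state_alloc(bool fail_alloc)
{
	if (fail_alloc)
		return NULL;
	return calloc(1, sizeof(struct atomic_state));
}

/* Ordering before the patch: init first, and the -ENOMEM return skips fini. */
static int set_property_before(bool fail_alloc)
{
	struct acquire_ctx ctx;
	struct atomic_state *state;

	acquire_init(&ctx);
	state = state_alloc(fail_alloc);
	if (!state)
		return -ENOMEM;	/* ctx stays initialized: the leak */
	state->acquire_ctx = &ctx;
	free(state);
	acquire_fini(&ctx);
	return 0;
}

/* First option from the commit message: keep the order, add fini on error. */
static int set_property_fini_on_error(bool fail_alloc)
{
	struct acquire_ctx ctx;
	struct atomic_state *state;

	acquire_init(&ctx);
	state = state_alloc(fail_alloc);
	if (!state) {
		acquire_fini(&ctx);
		return -ENOMEM;
	}
	state->acquire_ctx = &ctx;
	free(state);
	acquire_fini(&ctx);
	return 0;
}

/* Second option, the one the patch takes: allocate first, init afterwards. */
static int set_property_after(bool fail_alloc)
{
	struct acquire_ctx ctx;
	struct atomic_state *state;

	state = state_alloc(fail_alloc);
	if (!state)
		return -ENOMEM;	/* nothing to undo yet */
	acquire_init(&ctx);
	state->acquire_ctx = &ctx;
	free(state);
	acquire_fini(&ctx);
	return 0;
}

/* Boundary check: run one "ioctl" and count acquire contexts left outstanding. */
static int locks_held_after(int (*handler)(bool), bool fail_alloc)
{
	crtc_ww_class_acquire_held = 0;
	handler(fail_alloc);
	return crtc_ww_class_acquire_held;
}

int main(void)
{
	printf("alloc fails: before=%d fini-on-error=%d after=%d lock(s) held\n",
	       locks_held_after(set_property_before, true),
	       locks_held_after(set_property_fini_on_error, true),
	       locks_held_after(set_property_after, true));
	return 0;
}
```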


Re: WARNING: lock held when returning to user space in set_property_atomic

2019-01-03 Thread Dmitry Vyukov
On Thu, Jan 3, 2019 at 9:55 AM Maarten Lankhorst wrote:
>
> Op 30-12-2018 om 07:21 schreef syzbot:
> > Hello,
> >
> > syzbot found the following crash on:
> >
> > HEAD commit:903b77c63167 Merge tag 'linux-kselftest-4.21-rc1' of git:/..
> > git tree:   upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=12d0f55340
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=53a2f2aa0b1f7606
> > dashboard link: https://syzkaller.appspot.com/bug?extid=6ea337c427f5083ebdf2
> > compiler:   gcc (GCC) 8.0.1 20180413 (experimental)
> > syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=120d906f40
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1024673b40
> >
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+6ea337c427f5083eb...@syzkaller.appspotmail.com
> >
> > RBP: 7ffe369ca7a0 R08: 0001 R09: 004009ce
> > R10:  R11: 0246 R12: 0005
> > R13: ffff R14: 00000000 R15: 
> >
> > 
> > WARNING: lock held when returning to user space!
> > 4.20.0+ #174 Not tainted
> > 
> > syz-executor556/8153 is leaving the kernel with locks still held!
> > 1 lock held by syz-executor556/8153:
> >  #0: 5100c85c (crtc_ww_class_acquire){+.+.}, at: 
> > set_property_atomic+0xb3/0x330 drivers/gpu/drm/drm_mode_object.c:462
> >
> >
> > ---
> > This bug is generated by a bot. It may contain errors.
> > See https://goo.gl/tpsmEJ for more information about syzbot.
> > syzbot engineers can be reached at syzkal...@googlegroups.com.
> >
> > syzbot will keep track of this bug report. See:
> > https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with syzbot.
> > syzbot can test patches for this bug, for details see:
> > https://goo.gl/tpsmEJ#testing-patches
>
> Just guessing..
>
> Does this help?

Hi Maarten,

Please either test or ask syzbot to test:
https://github.com/google/syzkaller/blob/master/docs/syzbot.md#testing-patches

> -
> diff --git a/drivers/gpu/drm/drm_mode_object.c 
> b/drivers/gpu/drm/drm_mode_object.c
> index cd9bc0ce9be0..004191d01772 100644
> --- a/drivers/gpu/drm/drm_mode_object.c
> +++ b/drivers/gpu/drm/drm_mode_object.c
> @@ -459,11 +459,11 @@ static int set_property_atomic(struct drm_mode_object 
> *obj,
> struct drm_modeset_acquire_ctx ctx;
> int ret;
>
> -   drm_modeset_acquire_init(&ctx, 0);
> -
> state = drm_atomic_state_alloc(dev);
> if (!state)
> return -ENOMEM;
> +
> +   drm_modeset_acquire_init(&ctx, 0);
> state->acquire_ctx = &ctx;
>  retry:
> if (prop == state->dev->mode_config.dpms_property) {
>


Re: WARNING: lock held when returning to user space in set_property_atomic

2019-01-03 Thread Maarten Lankhorst
Op 30-12-2018 om 07:21 schreef syzbot:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:    903b77c63167 Merge tag 'linux-kselftest-4.21-rc1' of git:/..
> git tree:   upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=12d0f55340
> kernel config:  https://syzkaller.appspot.com/x/.config?x=53a2f2aa0b1f7606
> dashboard link: https://syzkaller.appspot.com/bug?extid=6ea337c427f5083ebdf2
> compiler:   gcc (GCC) 8.0.1 20180413 (experimental)
> syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=120d906f40
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1024673b40
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+6ea337c427f5083eb...@syzkaller.appspotmail.com
>
> RBP: 7ffe369ca7a0 R08: 0001 R09: 004009ce
> R10:  R11: 0246 R12: 0005
> R13:  R14:  R15: 00000000
>
> ============
> WARNING: lock held when returning to user space!
> 4.20.0+ #174 Not tainted
> 
> syz-executor556/8153 is leaving the kernel with locks still held!
> 1 lock held by syz-executor556/8153:
>  #0: 5100c85c (crtc_ww_class_acquire){+.+.}, at: 
> set_property_atomic+0xb3/0x330 drivers/gpu/drm/drm_mode_object.c:462
>
>
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkal...@googlegroups.com.
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with syzbot.
> syzbot can test patches for this bug, for details see:
> https://goo.gl/tpsmEJ#testing-patches

Just guessing..

Does this help?
-
diff --git a/drivers/gpu/drm/drm_mode_object.c 
b/drivers/gpu/drm/drm_mode_object.c
index cd9bc0ce9be0..004191d01772 100644
--- a/drivers/gpu/drm/drm_mode_object.c
+++ b/drivers/gpu/drm/drm_mode_object.c
@@ -459,11 +459,11 @@ static int set_property_atomic(struct drm_mode_object 
*obj,
struct drm_modeset_acquire_ctx ctx;
int ret;
 
-   drm_modeset_acquire_init(&ctx, 0);
-
state = drm_atomic_state_alloc(dev);
if (!state)
return -ENOMEM;
+
+   drm_modeset_acquire_init(&ctx, 0);
state->acquire_ctx = &ctx;
 retry:
if (prop == state->dev->mode_config.dpms_property) {
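Review bot: the reordering does address the splat: the -ENOMEM return after drm_atomic_state_alloc() previously ran with the acquire context already initialized and no drm_modeset_acquire_fini(), which is the crtc_ww_class_acquire entry lockdep printed as held at set_property_atomic+0xb3 (drm_mode_object.c:462). Two follow-ups before this goes in: drm_mode_atomic_ioctl() in drm_atomic_uapi.c has the same init-before-fallible-alloc ordering and should be fixed in the same series, and, as Dmitry asks, the change needs a syzbot test run or the C reproducer, since it is offered as a guess rather than a tested fix.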



Re: WARNING: lock held when returning to user space in grab_super

2019-01-02 Thread Tejun Heo
On Thu, Jan 03, 2019 at 01:49:55AM +0900, Tetsuo Handa wrote:
> kernfs_node_dentry() calls lookup_one_len_unlocked() which involves
> memory allocation, and memory allocation fault injection made
> lookup_one_len_unlocked() fail, and thus kernfs_node_dentry() failed.
> What's strange?

So, kernfs_node_dentry() is called on the root kn, which should
trigger "if (!kn->parent) return dentry" in kernfs_node_dentry(), so
it shouldn't reach lookup_one_len_unlocked().  Oh I see.  This is the
namespaced mount path, so kn can be non-root.  Will fix it.

Thanks.

-- 
tejun


Re: WARNING: lock held when returning to user space in grab_super

2019-01-02 Thread Tetsuo Handa
On 2019/01/03 1:16, Tejun Heo wrote:
> Happy new year, Tetsuo.
> 
> On Wed, Jan 02, 2019 at 09:08:56PM +0900, Tetsuo Handa wrote:
>> According to commit 633feee310de6b6c ("cgroup: refactor mount path and
>> clearly distinguish v1 and v2 paths"), cgroup_do_mount() is failing to
>> do full teardown steps for kernfs_mount() (deactivate_locked_super() ?)
>> when kernfs_node_dentry() failed.
> 
> Hmm... that's basically dget()'ing the root dentry of the sb.  I'm not
> sure how that could fail.  Can it?

kernfs_node_dentry() calls lookup_one_len_unlocked() which involves
memory allocation, and memory allocation fault injection made
lookup_one_len_unlocked() fail, and thus kernfs_node_dentry() failed.
What's strange?


Re: WARNING: lock held when returning to user space in grab_super

2019-01-02 Thread Tejun Heo
Happy new year, Tetsuo.

On Wed, Jan 02, 2019 at 09:08:56PM +0900, Tetsuo Handa wrote:
> According to commit 633feee310de6b6c ("cgroup: refactor mount path and
> clearly distinguish v1 and v2 paths"), cgroup_do_mount() is failing to
> do full teardown steps for kernfs_mount() (deactivate_locked_super() ?)
> when kernfs_node_dentry() failed.

Hmm... that's basically dget()'ing the root dentry of the sb.  I'm not
sure how that could fail.  Can it?

Thanks.

-- 
tejun


Re: WARNING: lock held when returning to user space in grab_super

2019-01-02 Thread Tetsuo Handa
Hello, Tejun.

[ 1100.561812] FAULT_INJECTION: forcing a failure.
[ 1100.561812] name failslab, interval 1, probability 0, space 0, times 0
[ 1100.625231] CPU: 1 PID: 29677 Comm: syz-executor0 Not tainted 4.20.0+ #396
[ 1100.632289] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1100.641646] Call Trace:
[ 1100.644355]  dump_stack+0x1d3/0x2c6
[ 1100.662152]  should_fail.cold.4+0xa/0x17
[ 1100.709512]  __should_failslab+0x124/0x180
[ 1100.713784]  should_failslab+0x9/0x14
[ 1100.717604]  kmem_cache_alloc+0x2c4/0x730
[ 1100.721784]  __d_alloc+0xc8/0xb90
[ 1100.755462]  d_alloc+0x96/0x380
[ 1100.775659]  d_alloc_parallel+0x15a/0x1f40
[ 1100.852877]  __lookup_slow+0x1e6/0x540
[ 1100.864887]  lookup_slow+0x57/0x80
[ 1100.868448]  lookup_one_len_unlocked+0xf1/0x100
[ 1100.876873]  kernfs_node_dentry+0x1c7/0x2d0
[ 1100.881215]  cgroup_do_mount+0x1b1/0x330
[ 1100.899627]  cgroup_mount+0xb6d/0xd30
[ 1100.937317]  mount_fs+0xae/0x31d
[ 1100.940710]  vfs_kern_mount.part.35+0xdc/0x4f0
[ 1100.957015]  do_mount+0x581/0x31f0
[ 1100.998447]  ksys_mount+0x12d/0x140
[ 1101.002098]  __x64_sys_mount+0xbe/0x150
[ 1101.006095]  do_syscall_64+0x1b9/0x820

[ 1101.127520] WARNING: lock held when returning to user space!
[ 1101.133310] 4.20.0+ #396 Not tainted
[ 1101.137004] 
[ 1101.142780] syz-executor0/29677 is leaving the kernel with locks still held!
[ 1101.149944] 1 lock held by syz-executor0/29677:
[ 1101.154599]  #0: ec5f6915 (&type->s_umount_key#43){}, at: grab_super+0xcc/0x400

According to commit 633feee310de6b6c ("cgroup: refactor mount path and
clearly distinguish v1 and v2 paths"), cgroup_do_mount() is failing to
do full teardown steps for kernfs_mount() (deactivate_locked_super() ?)
when kernfs_node_dentry() failed.

+   if (!IS_ERR(dentry) && ns != &init_cgroup_ns) {
+   struct dentry *nsdentry;
+   struct cgroup *cgrp;

-   if (is_v2) {
-   if (data) {
-   pr_err("cgroup2: unknown option \"%s\"\n", (char 
*)data);
-   put_cgroup_ns(ns);
-   return ERR_PTR(-EINVAL);
-   }
-   cgrp_dfl_visible = true;
-   root = &cgrp_dfl_root;
-   cgroup_get(&root->cgrp);
-   goto out_mount;
+   mutex_lock(&cgroup_mutex);
+   spin_lock_irq(&css_set_lock);
+
+   cgrp = cset_cgroup_from_root(ns->root_cset, root);
+
+   spin_unlock_irq(&css_set_lock);
+   mutex_unlock(&cgroup_mutex);
+
+   nsdentry = kernfs_node_dentry(cgrp->kn, dentry->d_sb);
+   dput(dentry);
+   dentry = nsdentry;
}

+   if (IS_ERR(dentry) || !new_sb)
+   cgroup_put(&root->cgrp);
+
+   return dentry;
+}
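Review bot: the error path in the `ns != &init_cgroup_ns` branch is incomplete: when kernfs_node_dentry() returns an ERR_PTR, `dput(dentry); dentry = nsdentry;` drops the root dentry and the trailing `if (IS_ERR(dentry) || !new_sb) cgroup_put(&root->cgrp);` releases only the cgroup root reference. The superblock that kernfs_mount() just set up is never torn down on that path, so its s_umount rwsem, taken in grab_super() as the lockdep splat above shows, stays held into user space. The failure is reachable, since lookup_one_len_unlocked() allocates and the failslab trace above shows it failing; the fix needs the full superblock teardown on the new_sb path (Tetsuo suggests deactivate_locked_super()) before the error is returned.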



WARNING: lock held when returning to user space in grab_super

2019-01-02 Thread syzbot

Hello,

syzbot found the following crash on:

HEAD commit:195303136f19 Merge tag 'kconfig-v4.21-2' of git://git.kern..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=118961fd40
kernel config:  https://syzkaller.appspot.com/x/.config?x=5e7dc790609552d7
dashboard link: https://syzkaller.appspot.com/bug?extid=87b93137e0280beaeba1
compiler:   gcc (GCC) 8.0.1 20180413 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+87b93137e0280beae...@syzkaller.appspotmail.com

WARNING: lock held when returning to user space!
4.20.0+ #396 Not tainted

syz-executor0/29677 is leaving the kernel with locks still held!
1 lock held by syz-executor0/29677:
 #0: ec5f6915 (&type->s_umount_key#43){}, at: grab_super+0xcc/0x400 fs/super.c:383

kobject: 'loop5' (edd59d60): kobject_uevent_env
kobject: 'loop5' (edd59d60): fill_kobj_path: path = '/devices/virtual/block/loop5'

==
BUG: KASAN: use-after-free in owner_on_cpu kernel/locking/rwsem-xadd.c:367 [inline]
BUG: KASAN: use-after-free in rwsem_can_spin_on_owner kernel/locking/rwsem-xadd.c:384 [inline]
BUG: KASAN: use-after-free in rwsem_optimistic_spin kernel/locking/rwsem-xadd.c:437 [inline]
BUG: KASAN: use-after-free in __rwsem_down_write_failed_common+0x14ea/0x15e0 kernel/locking/rwsem-xadd.c:518

Read of size 4 at addr 88805631c738 by task syz-executor0/29718

CPU: 0 PID: 29718 Comm: syz-executor0 Not tainted 4.20.0+ #396
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

kobject: 'loop2' (6e1a6a52): kobject_uevent_env
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1d3/0x2c6 lib/dump_stack.c:113
 print_address_description.cold.5+0x9/0x1ff mm/kasan/report.c:187
kobject: 'loop2' (6e1a6a52): fill_kobj_path: path = '/devices/virtual/block/loop2'

 kasan_report.cold.6+0x1b/0x39 mm/kasan/report.c:317
kobject: 'loop1' (42cf1ea5): kobject_uevent_env
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/generic_report.c:134
 owner_on_cpu kernel/locking/rwsem-xadd.c:367 [inline]
 rwsem_can_spin_on_owner kernel/locking/rwsem-xadd.c:384 [inline]
 rwsem_optimistic_spin kernel/locking/rwsem-xadd.c:437 [inline]
 __rwsem_down_write_failed_common+0x14ea/0x15e0 kernel/locking/rwsem-xadd.c:518
kobject: 'loop1' (42cf1ea5): fill_kobj_path: path = '/devices/virtual/block/loop1'

kobject: 'loop2' (6e1a6a52): kobject_uevent_env
kobject: 'loop2' (6e1a6a52): fill_kobj_path: path = '/devices/virtual/block/loop2'

 rwsem_down_write_failed+0xe/0x10 kernel/locking/rwsem-xadd.c:606
 call_rwsem_down_write_failed+0x17/0x30 arch/x86/lib/rwsem.S:117
 __down_write arch/x86/include/asm/rwsem.h:142 [inline]
 down_write+0xa5/0x130 kernel/locking/rwsem.c:72
kobject: 'loop5' (edd59d60): kobject_uevent_env
 grab_super+0xcc/0x400 fs/super.c:383
kobject: 'loop5' (edd59d60): fill_kobj_path: path = '/devices/virtual/block/loop5'

 sget_userns+0x435/0xed0 fs/super.c:511
 kernfs_mount_ns+0x1d7/0xa80 fs/kernfs/mount.c:324
 kernfs_mount include/linux/kernfs.h:554 [inline]
 cgroup_do_mount+0xc4/0x330 kernel/cgroup/cgroup.c:2038
 cgroup_mount+0xb6d/0xd30 kernel/cgroup/cgroup.c:2102
 mount_fs+0xae/0x31d fs/super.c:1261
 vfs_kern_mount.part.35+0xdc/0x4f0 fs/namespace.c:961
 vfs_kern_mount fs/namespace.c:951 [inline]
 do_new_mount fs/namespace.c:2469 [inline]
 do_mount+0x581/0x31f0 fs/namespace.c:2801
 ksys_mount+0x12d/0x140 fs/namespace.c:3017
 __do_sys_mount fs/namespace.c:3031 [inline]
 __se_sys_mount fs/namespace.c:3028 [inline]
 __x64_sys_mount+0xbe/0x150 fs/namespace.c:3028
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x457ec9
Code: 6d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7  
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff  
ff 0f 83 3b b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00

RSP: 002b:7fbd6c16dc78 EFLAGS: 0246 ORIG_RAX: 00a5
RAX: ffda RBX: 7fbd6c16dc90 RCX: 00457ec9
RDX: 2200 RSI: 2080 RDI: 
RBP: 0073bf00 R08:  R09: 
R10:  R11: 0246 R12: 7fbd6c16e6d4
R13: 004c3a19 R14: 004d64a8 R15: 0003

Allocated by task 29676:
 save_stack+0x43/0xd0 mm/kasan/common.c:73
 set_track mm/kasan/common.c:85 [inline]
 kasan_kmalloc+0xcb/0xd0 mm/kasan/common.c:482
 kasan_slab_alloc+0x12/0x20 mm/kasan/common.c:397
 kmem_cache_a

Re: WARNING: lock held when returning to user space! (3)

2019-01-02 Thread Dmitry Vyukov
On Wed, Jan 2, 2019 at 11:59 AM syzbot wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:903b77c63167 Merge tag 'linux-kselftest-4.21-rc1' of git:/..
> git tree:   upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=1424673b40
> kernel config:  https://syzkaller.appspot.com/x/.config?x=53a2f2aa0b1f7606
> dashboard link: https://syzkaller.appspot.com/bug?extid=42e36e1ae3de3f22a7ed
> compiler:   gcc (GCC) 8.0.1 20180413 (experimental)
> syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=1453eabf40
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14a492bf40
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+42e36e1ae3de3f22a...@syzkaller.appspotmail.com

#syz dup: WARNING: lock held when returning to user space in set_property_atomic

> RBP: 006cf018 R08: 0001 R09: 0032
> R10:  R11: 0246 R12: 0005
> R13:  R14:  R15: 00000000
>
> ============
> WARNING: lock held when returning to user space!
> 4.20.0+ #395 Not tainted
> 
> syz-executor520/8085 is leaving the kernel with locks still held!
>
>
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkal...@googlegroups.com.
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with syzbot.
> syzbot can test patches for this bug, for details see:
> https://goo.gl/tpsmEJ#testing-patches
>


WARNING: lock held when returning to user space! (3)

2019-01-02 Thread syzbot

Hello,

syzbot found the following crash on:

HEAD commit:903b77c63167 Merge tag 'linux-kselftest-4.21-rc1' of git:/..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1424673b40
kernel config:  https://syzkaller.appspot.com/x/.config?x=53a2f2aa0b1f7606
dashboard link: https://syzkaller.appspot.com/bug?extid=42e36e1ae3de3f22a7ed
compiler:   gcc (GCC) 8.0.1 20180413 (experimental)
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=1453eabf40
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14a492bf40

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+42e36e1ae3de3f22a...@syzkaller.appspotmail.com

RBP: 006cf018 R08: 0001 R09: 0032
R10:  R11: 0246 R12: 0005
R13:  R14:  R15: 

========
WARNING: lock held when returning to user space!
4.20.0+ #395 Not tainted

syz-executor520/8085 is leaving the kernel with locks still held!


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with syzbot.

syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches


WARNING: lock held when returning to user space in set_property_atomic

2018-12-29 Thread syzbot

Hello,

syzbot found the following crash on:

HEAD commit:903b77c63167 Merge tag 'linux-kselftest-4.21-rc1' of git:/..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12d0f55340
kernel config:  https://syzkaller.appspot.com/x/.config?x=53a2f2aa0b1f7606
dashboard link: https://syzkaller.appspot.com/bug?extid=6ea337c427f5083ebdf2
compiler:   gcc (GCC) 8.0.1 20180413 (experimental)
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=120d906f40
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1024673b40

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+6ea337c427f5083eb...@syzkaller.appspotmail.com

RBP: 7ffe369ca7a0 R08: 0001 R09: 004009ce
R10:  R11: 0246 R12: 0005
R13:  R14:  R15: 

========
WARNING: lock held when returning to user space!
4.20.0+ #174 Not tainted

syz-executor556/8153 is leaving the kernel with locks still held!
1 lock held by syz-executor556/8153:
 #0: 5100c85c (crtc_ww_class_acquire){+.+.}, at:  
set_property_atomic+0xb3/0x330 drivers/gpu/drm/drm_mode_object.c:462



---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with syzbot.

syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches


Re: WARNING: lock held when returning to user space in fuse_lock_inode

2018-07-17 Thread Alistair Strachan
On Tue, Jul 17, 2018 at 5:46 AM Miklos Szeredi wrote:
> On Tue, Jul 17, 2018 at 1:36 PM, Dmitry Vyukov wrote:
> > On Tue, Jul 17, 2018 at 1:14 PM, Miklos Szeredi wrote:
> >> On Thu, Jul 12, 2018 at 5:49 PM, syzbot wrote:
> >>> Hello,
> >>>
> >>> syzbot found the following crash on:
> >>>
> >>> HEAD commit:c25c74b7476e Merge tag 'trace-v4.18-rc3-2' of git://git.ke..
> >>> git tree:   upstream
> >>> console output: https://syzkaller.appspot.com/x/log.txt?x=177bcec240
> >>> kernel config:  https://syzkaller.appspot.com/x/.config?x=25856fac4e580aa7
> >>> dashboard link: https://syzkaller.appspot.com/bug?extid=3f7b29af1baa9d0a55be
> >>> compiler:   gcc (GCC) 8.0.1 20180413 (experimental)
> >>> syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=13aa767840
> >>> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1749267840
> >>>
> >>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> >>> Reported-by: syzbot+3f7b29af1baa9d0a5...@syzkaller.appspotmail.com
> >>>
> >>> random: sshd: uninitialized urandom read (32 bytes read)
> >>> random: sshd: uninitialized urandom read (32 bytes read)
> >>> random: sshd: uninitialized urandom read (32 bytes read)
> >>>
> >>> 
> >>> WARNING: lock held when returning to user space!
> >>> 4.18.0-rc4+ #143 Not tainted
> >>> 
> >>> syz-executor012/4539 is leaving the kernel with locks still held!
> >>> 1 lock held by syz-executor012/4539:
> >>>  #0: (ptrval) (&fi->mutex){+.+.}, at: fuse_lock_inode+0xaf/0xe0
> >>> fs/fuse/inode.c:363
> >>
> >> False positive.
> >>
> >> fi->mutex is definitely not held by the acquiring task when returning
> >> to userspace.  Maybe syzkaller is confused by the fact that there are
> >> several interdependent tasks involved with fuse:  the one calling into
> >> fuse by doing something (looking up ./file0/file0) and the one that
> >> reads the fuse device (returning with the LOOKUP request for "file0").
> >> The second one will return with that lock held, but it's not the one
> >> that acquired it, so there's no bug at all here.
> >
> > Hi Miklos,
> >
> > syzkaller is unrelated here. That's what the kernel self-detects and
> > prints. So either way there is something to fix in the kernel here: either
> > fuse or lockdep.
> >
> > +Alistair did some analysis offline, hope you don't mind if I repost
> > your description:
> > ===
> > Just from reading the code, I think I can see how this happens. Fuse
> > is wrapping its inode mutex with a check for "parallel_dirops", which
> > is set up in process_init_reply(). The FUSE_PARALLEL_DIROPS appears to
> > always be set, in fuse_send_init(), but its initial state is to be
> > disabled. So the mutex gets taken, and it'll never be unlocked, if
> > the initial command is flushed by fuse_readdir()'s use of
> > fuse_lock_inode().
> > ===
>
> Ah, indeed.  Fix attached.

Looks good to me.

Tested-by: Alistair Strachan 

> Thanks,
> Miklos


Re: WARNING: lock held when returning to user space in fuse_lock_inode

2018-07-17 Thread Miklos Szeredi
On Tue, Jul 17, 2018 at 1:36 PM, Dmitry Vyukov  wrote:
> On Tue, Jul 17, 2018 at 1:14 PM, Miklos Szeredi  wrote:
>> On Thu, Jul 12, 2018 at 5:49 PM, syzbot
>>  wrote:
>>> Hello,
>>>
>>> syzbot found the following crash on:
>>>
>>> HEAD commit:c25c74b7476e Merge tag 'trace-v4.18-rc3-2' of git://git.ke..
>>> git tree:   upstream
>>> console output: https://syzkaller.appspot.com/x/log.txt?x=177bcec240
>>> kernel config:  https://syzkaller.appspot.com/x/.config?x=25856fac4e580aa7
>>> dashboard link: https://syzkaller.appspot.com/bug?extid=3f7b29af1baa9d0a55be
>>> compiler:   gcc (GCC) 8.0.1 20180413 (experimental)
>>> syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=13aa767840
>>> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1749267840
>>>
>>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
>>> Reported-by: syzbot+3f7b29af1baa9d0a5...@syzkaller.appspotmail.com
>>>
>>> random: sshd: uninitialized urandom read (32 bytes read)
>>> random: sshd: uninitialized urandom read (32 bytes read)
>>> random: sshd: uninitialized urandom read (32 bytes read)
>>>
>>> 
>>> WARNING: lock held when returning to user space!
>>> 4.18.0-rc4+ #143 Not tainted
>>> 
>>> syz-executor012/4539 is leaving the kernel with locks still held!
>>> 1 lock held by syz-executor012/4539:
>>>  #0: (ptrval) (&fi->mutex){+.+.}, at: fuse_lock_inode+0xaf/0xe0
>>> fs/fuse/inode.c:363
>>
>> False positive.
>>
>> fi->mutex is definitely not held by the acquiring task when returning
>> to userspace.  Maybe syzkaller is confused by the fact that there are
>> several interdependent tasks involved with fuse:  the one calling into
>> fuse by doing something (looking up ./file0/file0) and the one that
>> reads the fuse device (returning with the LOOKUP request for "file0").
>> The second one will return with that lock held, but it's not the one
>> that acquired it, so there's no bug at all here.
>
> Hi Miklos,
>
> syzkaller is unrelated here. That's what the kernel self-detects and
> prints. So either way there is something to fix in the kernel here: either
> fuse or lockdep.
>
> +Alistair did some analysis offline, hope you don't mind if I repost
> your description:
> ===
> Just from reading the code, I think I can see how this happens. Fuse
> is wrapping its inode mutex with a check for "parallel_dirops", which
> is set up in process_init_reply(). The FUSE_PARALLEL_DIROPS appears to
> always be set, in fuse_send_init(), but its initial state is to be
> disabled. So the mutex gets taken, and it'll never be unlocked, if
> the initial command is flushed by fuse_readdir()'s use of
> fuse_lock_inode().
> ===

Ah, indeed.  Fix attached.

Thanks,
Miklos
From: Miklos Szeredi 
Subject: fuse: fix initial parallel dirops

If parallel dirops are enabled in the FUSE_INIT reply, then the first
operation may leave fi->mutex held.

Reported-by: syzbot+3f7b29af1baa9d0a5...@syzkaller.appspotmail.com
Signed-off-by: Miklos Szeredi 
---
 fs/fuse/dir.c|   10 ++
 fs/fuse/fuse_i.h |4 ++--
 fs/fuse/inode.c  |   14 ++
 3 files changed, 18 insertions(+), 10 deletions(-)

--- a/fs/fuse/dir.c
+++ b/fs/fuse/dir.c
@@ -355,11 +355,12 @@ static struct dentry *fuse_lookup(struct
 	struct inode *inode;
 	struct dentry *newent;
 	bool outarg_valid = true;
+	bool locked;
 
-	fuse_lock_inode(dir);
+	locked = fuse_lock_inode(dir);
 	err = fuse_lookup_name(dir->i_sb, get_node_id(dir), &entry->d_name,
 			   &outarg, &inode);
-	fuse_unlock_inode(dir);
+	fuse_unlock_inode(dir, locked);
 	if (err == -ENOENT) {
 		outarg_valid = false;
 		err = 0;
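Review bot: this hunk is only correct if fuse_lock_inode() returns the very decision it used to take fi->mutex, so that `fuse_unlock_inode(dir, locked);` releases exactly when the mutex was taken; the fs/fuse/inode.c hunk that changes fuse_lock_inode() to return bool is not present in this copy of the patch, so check there that the return value comes from the same read of the parallel_dirops flag as the lock itself, not from a second read that could again race with process_init_reply().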
@@ -1340,6 +1341,7 @@ static int fuse_readdir(struct file *fil
 	struct fuse_conn *fc = get_fuse_conn(inode);
 	struct fuse_req *req;
 	u64 attr_version = 0;
+	bool locked;
 
 	if (is_bad_inode(inode))
 		return -EIO;
@@ -1367,9 +1369,9 @@ static int fuse_readdir(struct file *fil
 		fuse_read_fill(req, file, ctx->pos, PAGE_SIZE,
 			   FUSE_READDIR);
 	}
-	fuse_lock_inode(inode);
+	locked = fuse_lock_inode(inode);
 	fuse_request_send(fc, req);
-	fuse_unlock_inode(inode);
+	fuse_unlock_inode(inode, locked);
 	nbytes = req->out.args[0].size;
 	err = req->out.h.error;
 	fuse_put_request(fc, req);
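Review bot: the window between `locked = fuse_lock_inode(inode);` and `fuse_unlock_inode(inode, locked);` spans fuse_request_send(), which on a fresh connection is where the FUSE_INIT reply that flips parallel_dirops gets processed, so capturing the lock decision before the send is the right placement; a one-line comment at the lock site saying why the return value must be kept would stop a later cleanup from collapsing this back into an unconditional lock/unlock pair that re-reads the flag.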
--- a/fs/fuse/fuse_i.h
+++ b/fs/fuse/fuse_i.h
@@ -974,8 +974,8 @@ int fuse_do_setattr(struct dentry *dentr
 
 void fuse_set_initialized(struct fuse_conn *fc);
 
-void fuse_unlock_inode(struct inode *
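Review bot: this fs/fuse/fuse_i.h hunk is cut off after `-void fuse_unlock_inode(struct inode *`, so the new prototypes (fuse_lock_inode() returning bool, fuse_unlock_inode() taking the bool) cannot be checked against the callers changed in fs/fuse/dir.c, and the fs/fuse/inode.c changes listed in the diffstat are missing from this copy altogether; the full patch should be reviewed before the Tested-by is relied on.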

Re: WARNING: lock held when returning to user space in fuse_lock_inode

2018-07-17 Thread Dmitry Vyukov
On Tue, Jul 17, 2018 at 1:14 PM, Miklos Szeredi  wrote:
> On Thu, Jul 12, 2018 at 5:49 PM, syzbot
>  wrote:
>> Hello,
>>
>> syzbot found the following crash on:
>>
>> HEAD commit:c25c74b7476e Merge tag 'trace-v4.18-rc3-2' of git://git.ke..
>> git tree:   upstream
>> console output: https://syzkaller.appspot.com/x/log.txt?x=177bcec240
>> kernel config:  https://syzkaller.appspot.com/x/.config?x=25856fac4e580aa7
>> dashboard link: https://syzkaller.appspot.com/bug?extid=3f7b29af1baa9d0a55be
>> compiler:   gcc (GCC) 8.0.1 20180413 (experimental)
>> syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=13aa767840
>> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1749267840
>>
>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
>> Reported-by: syzbot+3f7b29af1baa9d0a5...@syzkaller.appspotmail.com
>>
>> random: sshd: uninitialized urandom read (32 bytes read)
>> random: sshd: uninitialized urandom read (32 bytes read)
>> random: sshd: uninitialized urandom read (32 bytes read)
>>
>> 
>> WARNING: lock held when returning to user space!
>> 4.18.0-rc4+ #143 Not tainted
>> 
>> syz-executor012/4539 is leaving the kernel with locks still held!
>> 1 lock held by syz-executor012/4539:
>>  #0: (ptrval) (&fi->mutex){+.+.}, at: fuse_lock_inode+0xaf/0xe0
>> fs/fuse/inode.c:363
>
> False positive.
>
> fi->mutex is definitely not held by the acquiring task when returning
> to userspace.  Maybe syzkaller is confused by the fact that there are
> several interdependent tasks involved with fuse:  the one calling into
> fuse by doing something (looking up ./file0/file0) and the one that
> reads the fuse device (returning with the LOOKUP request for "file0").
> The second one will return with that lock held, but it's not the one
> that acquired it, so there's no bug at all here.

Hi Miklos,

syzkaller is unrelated here. That's what the kernel self-detects and
prints. So either way there is something to fix in the kernel here: either
fuse or lockdep.

+Alistair did some analysis offline, hope you don't mind if I repost
your description:
===
Just from reading the code, I think I can see how this happens. Fuse
is wrapping its inode mutex with a check for "parallel_dirops", which
is set up in process_init_reply(). The FUSE_PARALLEL_DIROPS appears to
always be set, in fuse_send_init(), but its initial state is to be
disabled. So the mutex gets taken, and it'll never be unlocked, if
the initial command is flushed by fuse_readdir()'s use of
fuse_lock_inode().
===
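A userspace model of the lock/unlock mismatch described in the analysis above, added here as an example; it is not kernel code and not part of Miklos's patch. The structs `conn` and `inode`, the single-threaded `mutex` counter and `send_request()` are hypothetical stand-ins for fuse_conn, fuse_inode, fi->mutex and fuse_request_send(); the old helpers re-read the flag on unlock, the new ones hand back the decision taken at lock time.

```c
/* Added model of the race described above; not kernel code and not part of
 * the patch. conn, inode and the single-threaded "mutex" are hypothetical
 * stand-ins for fuse_conn, fuse_inode and fi->mutex. */
#include <stdbool.h>

struct mutex { int held; };                 /* count of outstanding locks */
static void mutex_lock(struct mutex *m)   { m->held++; }
static void mutex_unlock(struct mutex *m) { m->held--; }

struct conn  { bool parallel_dirops; };                 /* fuse_conn  */
struct inode { struct conn *fc; struct mutex mutex; };  /* fuse_inode */

/* Before the fix: lock and unlock each read the flag on their own. */
static void lock_inode_old(struct inode *i)
{
	if (!i->fc->parallel_dirops)
		mutex_lock(&i->mutex);
}
static void unlock_inode_old(struct inode *i)
{
	if (!i->fc->parallel_dirops)
		mutex_unlock(&i->mutex);
}

/* After the fix: the decision taken at lock time is handed back on unlock. */
static bool lock_inode_new(struct inode *i)
{
	bool locked = !i->fc->parallel_dirops;

	if (locked)
		mutex_lock(&i->mutex);
	return locked;
}
static void unlock_inode_new(struct inode *i, bool locked)
{
	if (locked)
		mutex_unlock(&i->mutex);
}

/* Stand-in for fuse_request_send(): on a fresh connection the first request
 * is where the FUSE_INIT reply is processed, which turns parallel_dirops on
 * while the caller is still between lock and unlock. */
static void send_request(struct inode *i)
{
	i->fc->parallel_dirops = true;
}

/* readdir sequence with the old helpers; returns true if the lock leaks. */
bool readdir_old_leaks_lock(void)
{
	struct conn fc = { .parallel_dirops = false };
	struct inode dir = { .fc = &fc, .mutex = { 0 } };

	lock_inode_old(&dir);     /* flag clear: mutex taken */
	send_request(&dir);       /* flag flips to true */
	unlock_inode_old(&dir);   /* re-reads flag: unlock skipped */
	return dir.mutex.held != 0;  /* true: returns with the lock held */
}

/* Same sequence with the patched helpers; returns false. */
bool readdir_new_leaks_lock(void)
{
	struct conn fc = { .parallel_dirops = false };
	struct inode dir = { .fc = &fc, .mutex = { 0 } };
	bool locked = lock_inode_new(&dir);

	send_request(&dir);
	unlock_inode_new(&dir, locked);  /* uses the captured decision */
	return dir.mutex.held != 0;
}
```

The leaked count in the old path is what lockdep reports as "leaving the kernel with locks still held"; the new path balances because the unlock no longer depends on the flag's current value.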


Re: WARNING: lock held when returning to user space in fuse_lock_inode

2018-07-17 Thread Miklos Szeredi
On Thu, Jul 12, 2018 at 5:49 PM, syzbot
 wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:c25c74b7476e Merge tag 'trace-v4.18-rc3-2' of git://git.ke..
> git tree:   upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=177bcec240
> kernel config:  https://syzkaller.appspot.com/x/.config?x=25856fac4e580aa7
> dashboard link: https://syzkaller.appspot.com/bug?extid=3f7b29af1baa9d0a55be
> compiler:   gcc (GCC) 8.0.1 20180413 (experimental)
> syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=13aa767840
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1749267840
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+3f7b29af1baa9d0a5...@syzkaller.appspotmail.com
>
> random: sshd: uninitialized urandom read (32 bytes read)
> random: sshd: uninitialized urandom read (32 bytes read)
> random: sshd: uninitialized urandom read (32 bytes read)
>
> ============
> WARNING: lock held when returning to user space!
> 4.18.0-rc4+ #143 Not tainted
> 
> syz-executor012/4539 is leaving the kernel with locks still held!
> 1 lock held by syz-executor012/4539:
>  #0: (ptrval) (&fi->mutex){+.+.}, at: fuse_lock_inode+0xaf/0xe0
> fs/fuse/inode.c:363

False positive.

fi->mutex is definitely not held by the acquiring task when returning
to userspace.  Maybe syzkaller is confused by the fact that there are
several interdependent tasks involved with fuse:  the one calling into
fuse by doing something (looking up ./file0/file0) and the one that
reads the fuse device (returning with the LOOKUP request for "file0").
The second one will return with that lock held, but it's not the one
that acquired it, so there's no bug at all here.

Thanks,
Miklos

>
>
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkal...@googlegroups.com.
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
> syzbot.
> syzbot can test patches for this bug, for details see:
> https://goo.gl/tpsmEJ#testing-patches


WARNING: lock held when returning to user space in fuse_lock_inode

2018-07-12 Thread syzbot

Hello,

syzbot found the following crash on:

HEAD commit:c25c74b7476e Merge tag 'trace-v4.18-rc3-2' of git://git.ke..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=177bcec240
kernel config:  https://syzkaller.appspot.com/x/.config?x=25856fac4e580aa7
dashboard link: https://syzkaller.appspot.com/bug?extid=3f7b29af1baa9d0a55be
compiler:   gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=13aa767840
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1749267840

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+3f7b29af1baa9d0a5...@syzkaller.appspotmail.com

random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)

========
WARNING: lock held when returning to user space!
4.18.0-rc4+ #143 Not tainted

syz-executor012/4539 is leaving the kernel with locks still held!
1 lock held by syz-executor012/4539:
 #0: (ptrval) (&fi->mutex){+.+.}, at: fuse_lock_inode+0xaf/0xe0  
fs/fuse/inode.c:363



---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with  
syzbot.

syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches


Re: WARNING: lock held when returning to user space!

2018-04-14 Thread Tetsuo Handa
The patch was sent to linux.git as commit bdac616db9bbadb9.

#syz fix: loop: fix LOOP_GET_STATUS lock imbalance



Re: WARNING: lock held when returning to user space!

2018-04-06 Thread Jens Axboe
On 4/6/18 8:57 AM, Dmitry Vyukov wrote:
> On Fri, Apr 6, 2018 at 4:27 PM, Jens Axboe  wrote:
>> On 4/6/18 7:02 AM, syzbot wrote:
>>> Hello,
>>>
>>> syzbot hit the following crash on upstream commit
>>> 38c23685b273cfb4ccf31a199feccce3bdcb5d83 (Fri Apr 6 04:29:35 2018 +)
>>> Merge tag 'armsoc-drivers' of
>>> git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc
>>> syzbot dashboard link:
>>> https://syzkaller.appspot.com/bug?extid=31e8daa8b3fc129e75f2
>>>
>>> So far this crash happened 9 times on upstream.
>>> C reproducer: https://syzkaller.appspot.com/x/repro.c?id=6407930337296384
>>> syzkaller reproducer:
>>> https://syzkaller.appspot.com/x/repro.syz?id=4942413340606464
>>> Raw console output:
>>> https://syzkaller.appspot.com/x/log.txt?id=4764483918495744
>>> Kernel config:
>>> https://syzkaller.appspot.com/x/.config?id=-5813481738265533882
>>> compiler: gcc (GCC) 8.0.1 20180301 (experimental)
>>>
>>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
>>> Reported-by: syzbot+31e8daa8b3fc129e7...@syzkaller.appspotmail.com
>>> It will help syzbot understand when the bug is fixed. See footer for
>>> details.
>>> If you forward the report, please keep this part and the footer.
>>>
>>>
>>> 
>>> WARNING: lock held when returning to user space!
>>> 4.16.0+ #3 Not tainted
>>> 
>>> syzkaller433111/4462 is leaving the kernel with locks still held!
>>> 1 lock held by syzkaller433111/4462:
>>>   #0: 03a06fae (&lo->lo_ctl_mutex/1){+.+.}, at: lo_ioctl+0x8d/0x1ec0
>>> drivers/block/loop.c:1363
>>
>> Is this a new regression? Omar did just fiddle with the locking a bit,
>> seems suspicious.
> 
> Looking at:
> https://syzkaller.appspot.com/bug?extid=31e8daa8b3fc129e75f2
> It first happened 4 hours ago and 9 times since then, so probably a
> just introduced regression.

After writing that, I saw the discussion in another
thread ("INFO: task hung in lo_ioctl"), so I think we can definitely say
that it's a recently introduced regression in loop due to the killable
lock changes.

-- 
Jens Axboe



Re: WARNING: lock held when returning to user space!

2018-04-06 Thread Dmitry Vyukov
On Fri, Apr 6, 2018 at 4:27 PM, Jens Axboe  wrote:
> On 4/6/18 7:02 AM, syzbot wrote:
>> Hello,
>>
>> syzbot hit the following crash on upstream commit
>> 38c23685b273cfb4ccf31a199feccce3bdcb5d83 (Fri Apr 6 04:29:35 2018 +)
>> Merge tag 'armsoc-drivers' of
>> git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc
>> syzbot dashboard link:
>> https://syzkaller.appspot.com/bug?extid=31e8daa8b3fc129e75f2
>>
>> So far this crash happened 9 times on upstream.
>> C reproducer: https://syzkaller.appspot.com/x/repro.c?id=6407930337296384
>> syzkaller reproducer:
>> https://syzkaller.appspot.com/x/repro.syz?id=4942413340606464
>> Raw console output:
>> https://syzkaller.appspot.com/x/log.txt?id=4764483918495744
>> Kernel config:
>> https://syzkaller.appspot.com/x/.config?id=-5813481738265533882
>> compiler: gcc (GCC) 8.0.1 20180301 (experimental)
>>
>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
>> Reported-by: syzbot+31e8daa8b3fc129e7...@syzkaller.appspotmail.com
>> It will help syzbot understand when the bug is fixed. See footer for
>> details.
>> If you forward the report, please keep this part and the footer.
>>
>>
>> 
>> WARNING: lock held when returning to user space!
>> 4.16.0+ #3 Not tainted
>> 
>> syzkaller433111/4462 is leaving the kernel with locks still held!
>> 1 lock held by syzkaller433111/4462:
>>   #0: 03a06fae (&lo->lo_ctl_mutex/1){+.+.}, at: lo_ioctl+0x8d/0x1ec0
>> drivers/block/loop.c:1363
>
> Is this a new regression? Omar did just fiddle with the locking a bit,
> seems suspicious.

Looking at:
https://syzkaller.appspot.com/bug?extid=31e8daa8b3fc129e75f2
It first happened 4 hours ago and 9 times since then, so probably a
just introduced regression.


> --
> Jens Axboe
>
> --
> You received this message because you are subscribed to the Google Groups 
> "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to syzkaller-bugs+unsubscr...@googlegroups.com.
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/syzkaller-bugs/0e998b77-14f0-aee0-8d32-bc1dd96fcc4c%40kernel.dk.
> For more options, visit https://groups.google.com/d/optout.


Re: WARNING: lock held when returning to user space!

2018-04-06 Thread Jens Axboe
On 4/6/18 7:02 AM, syzbot wrote:
> Hello,
> 
> syzbot hit the following crash on upstream commit
> 38c23685b273cfb4ccf31a199feccce3bdcb5d83 (Fri Apr 6 04:29:35 2018 +)
> Merge tag 'armsoc-drivers' of  
> git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc
> syzbot dashboard link:  
> https://syzkaller.appspot.com/bug?extid=31e8daa8b3fc129e75f2
> 
> So far this crash happened 9 times on upstream.
> C reproducer: https://syzkaller.appspot.com/x/repro.c?id=6407930337296384
> syzkaller reproducer:  
> https://syzkaller.appspot.com/x/repro.syz?id=4942413340606464
> Raw console output:  
> https://syzkaller.appspot.com/x/log.txt?id=4764483918495744
> Kernel config:  
> https://syzkaller.appspot.com/x/.config?id=-5813481738265533882
> compiler: gcc (GCC) 8.0.1 20180301 (experimental)
> 
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+31e8daa8b3fc129e7...@syzkaller.appspotmail.com
> It will help syzbot understand when the bug is fixed. See footer for  
> details.
> If you forward the report, please keep this part and the footer.
> 
> 
> ====
> WARNING: lock held when returning to user space!
> 4.16.0+ #3 Not tainted
> 
> syzkaller433111/4462 is leaving the kernel with locks still held!
> 1 lock held by syzkaller433111/4462:
>   #0: 03a06fae (&lo->lo_ctl_mutex/1){+.+.}, at: lo_ioctl+0x8d/0x1ec0  
> drivers/block/loop.c:1363

Is this a new regression? Omar did just fiddle with the locking a bit,
seems suspicious.

-- 
Jens Axboe



WARNING: lock held when returning to user space!

2018-04-06 Thread syzbot

Hello,

syzbot hit the following crash on upstream commit
38c23685b273cfb4ccf31a199feccce3bdcb5d83 (Fri Apr 6 04:29:35 2018 +)
Merge tag 'armsoc-drivers' of  
git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc
syzbot dashboard link:  
https://syzkaller.appspot.com/bug?extid=31e8daa8b3fc129e75f2


So far this crash happened 9 times on upstream.
C reproducer: https://syzkaller.appspot.com/x/repro.c?id=6407930337296384
syzkaller reproducer:  
https://syzkaller.appspot.com/x/repro.syz?id=4942413340606464
Raw console output:  
https://syzkaller.appspot.com/x/log.txt?id=4764483918495744
Kernel config:  
https://syzkaller.appspot.com/x/.config?id=-5813481738265533882

compiler: gcc (GCC) 8.0.1 20180301 (experimental)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+31e8daa8b3fc129e7...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for  
details.

If you forward the report, please keep this part and the footer.


========
WARNING: lock held when returning to user space!
4.16.0+ #3 Not tainted

syzkaller433111/4462 is leaving the kernel with locks still held!
1 lock held by syzkaller433111/4462:
 #0: 03a06fae (&lo->lo_ctl_mutex/1){+.+.}, at: lo_ioctl+0x8d/0x1ec0  
drivers/block/loop.c:1363



---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzkal...@googlegroups.com.

syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is  
merged

into any tree, please reply to this email with:
#syz fix: exact-commit-title
If you want to test a patch for this bug, please reply with:
#syz test: git://repo/address.git branch
and provide the patch inline or as an attachment.
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug  
report.

Note: all commands must start from beginning of the line in the email body.