lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CACT4Y+bG+DyGuj__tTaVqzr3D7jxEaxL=vbtcsfhnAS2iSWvTQ@mail.gmail.com>
Date:   Thu, 27 Feb 2020 16:18:04 +0100
From:   Dmitry Vyukov <dvyukov@...gle.com>
To:     Gao Xiang <gaoxiang25@...wei.com>
Cc:     syzbot <syzbot+36baa6c2180e959e19b1@...kaller.appspotmail.com>,
        linux-fsdevel <linux-fsdevel@...r.kernel.org>,
        LKML <linux-kernel@...r.kernel.org>,
        syzkaller-bugs <syzkaller-bugs@...glegroups.com>,
        Al Viro <viro@...iv.linux.org.uk>,
        Bart Van Assche <bvanassche@....org>,
        Peter Zijlstra <peterz@...radead.org>,
        Ingo Molnar <mingo@...nel.org>, Jan Kara <jack@...e.cz>,
        Miao Xie <miaoxie@...wei.com>
Subject: Re: WARNING: bad unlock balance in rcu_core

On Wed, Oct 16, 2019 at 11:58 AM Gao Xiang <gaoxiang25@...wei.com> wrote:
>
> Hi,
>
> On Wed, Oct 16, 2019 at 02:27:07AM -0700, syzbot wrote:
> > syzbot has found a reproducer for the following crash on:
> >
> > HEAD commit:    0e9d28bc Add linux-next specific files for 20191015
> > git tree:       linux-next
> > console output: https://syzkaller.appspot.com/x/log.txt?x=11745608e00000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=3d84ca04228b0bf4
> > dashboard link: https://syzkaller.appspot.com/bug?extid=36baa6c2180e959e19b1
> > compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=159d297f600000
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16289b30e00000
> >
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+36baa6c2180e959e19b1@...kaller.appspotmail.com
> >
> > =====================================
> > WARNING: bad unlock balance detected!
> > 5.4.0-rc3-next-20191015 #0 Not tainted
> > -------------------------------------
> > syz-executor276/8897 is trying to release lock (rcu_callback) at:
> > [<ffffffff8160e7a4>] __write_once_size include/linux/compiler.h:226 [inline]
> > [<ffffffff8160e7a4>] __rcu_reclaim kernel/rcu/rcu.h:221 [inline]
> > [<ffffffff8160e7a4>] rcu_do_batch kernel/rcu/tree.c:2157 [inline]
> > [<ffffffff8160e7a4>] rcu_core+0x574/0x1560 kernel/rcu/tree.c:2377
> > but there are no more locks to release!
> >
> > other info that might help us debug this:
> > 1 lock held by syz-executor276/8897:
> >  #0: ffff88809a3cc0d8 (&type->s_umount_key#40/1){+.+.}, at:
> > alloc_super+0x158/0x910 fs/super.c:229
> >
> > stack backtrace:
> > CPU: 0 PID: 8897 Comm: syz-executor276 Not tainted 5.4.0-rc3-next-20191015
> > #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> > Google 01/01/2011
> > Call Trace:
> >  <IRQ>
> >  __dump_stack lib/dump_stack.c:77 [inline]
> >  dump_stack+0x172/0x1f0 lib/dump_stack.c:113
> >  print_unlock_imbalance_bug kernel/locking/lockdep.c:4008 [inline]
> >  print_unlock_imbalance_bug.cold+0x114/0x123 kernel/locking/lockdep.c:3984
> >  __lock_release kernel/locking/lockdep.c:4244 [inline]
> >  lock_release+0x5f2/0x960 kernel/locking/lockdep.c:4505
> >  rcu_lock_release include/linux/rcupdate.h:213 [inline]
> >  __rcu_reclaim kernel/rcu/rcu.h:223 [inline]
>
> I have little knowledge about this kind of stuff, but after seeing
> the dashboard https://syzkaller.appspot.com/bug?extid=36baa6c2180e959e19b1
>
> I guess this is highly related with ntfs, and in ntfs_fill_super, it
> has lockdep_off() in ntfs_fill_super...
>
> In detail, commit 90c1cba2b3b3 ("locking/lockdep: Zap lock classes even
> with lock debugging disabled") [1], and free_zapped_rcu....
>
> static void free_zapped_rcu(struct rcu_head *ch)
> {
>         struct pending_free *pf;
>         unsigned long flags;
>
>         if (WARN_ON_ONCE(ch != &delayed_free.rcu_head))
>                 return;
>
>         raw_local_irq_save(flags);
>         arch_spin_lock(&lockdep_lock);
>         current->lockdep_recursion = 1;   <--- here
>
>         /* closed head */
>         pf = delayed_free.pf + (delayed_free.index ^ 1);
>         __free_zapped_classes(pf);
>         delayed_free.scheduled = false;
>
>         /*
>          * If there's anything on the open list, close and start a new callback.
>          */
>         call_rcu_zapped(delayed_free.pf + delayed_free.index);
>
>         current->lockdep_recursion = 0;
>         arch_spin_unlock(&lockdep_lock);
>         raw_local_irq_restore(flags);
> }
>
> Completely guess and untest since I am not familar with that,
> but in case of that, Cc related people...
> If I'm wrong, ignore my comments and unintentional noise....
>
> [1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=90c1cba2b3b3851c151229f61801919b2904d437
>
> Thanks,
> Gao Xiang


Still happens a lot for the past 10 months:
https://syzkaller.appspot.com/bug?id=0d5bdaf028e4283ad7404609d17e5077f48ff26d


> >  rcu_do_batch kernel/rcu/tree.c:2157 [inline]
> >  rcu_core+0x594/0x1560 kernel/rcu/tree.c:2377
> >  rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2386
> >  __do_softirq+0x262/0x98c kernel/softirq.c:292
> >  invoke_softirq kernel/softirq.c:373 [inline]
> >  irq_exit+0x19b/0x1e0 kernel/softirq.c:413
> >  exiting_irq arch/x86/include/asm/apic.h:536 [inline]
> >  smp_apic_timer_interrupt+0x1a3/0x610 arch/x86/kernel/apic/apic.c:1137
> >  apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:830
> >  </IRQ>
> > RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:756
> > [inline]
> > RIP: 0010:console_unlock+0xbb8/0xf00 kernel/printk/printk.c:2481
> > Code: f3 88 48 c1 e8 03 42 80 3c 30 00 0f 85 e4 02 00 00 48 83 3d 99 9c 96
> > 07 00 0f 84 91 01 00 00 e8 be c4 16 00 48 8b 7d 98 57 9d <0f> 1f 44 00 00 e9
> > 6d ff ff ff e8 a9 c4 16 00 48 8b 7d 08 c7 05 eb
> > RSP: 0018:ffff88809fd7f8f0 EFLAGS: 00000293 ORIG_RAX: ffffffffffffff13
> > RAX: ffff8880a8bee540 RBX: 0000000000000200 RCX: 1ffffffff138eea6
> > RDX: 0000000000000000 RSI: ffffffff815c8592 RDI: 0000000000000293
> > RBP: ffff88809fd7f978 R08: ffff8880a8bee540 R09: fffffbfff11f4119
> > R10: fffffbfff11f4118 R11: 0000000000000001 R12: 0000000000000000
> > R13: ffffffff843f8ca0 R14: dffffc0000000000 R15: ffffffff895e1130
> >  vprintk_emit+0x2a0/0x700 kernel/printk/printk.c:1996
> >  vprintk_default+0x28/0x30 kernel/printk/printk.c:2023
> >  vprintk_func+0x7e/0x189 kernel/printk/printk_safe.c:386
> >  printk+0xba/0xed kernel/printk/printk.c:2056
> >  __ntfs_error.cold+0x91/0xc7 fs/ntfs/debug.c:89
> >  read_ntfs_boot_sector fs/ntfs/super.c:682 [inline]
> >  ntfs_fill_super+0x1ad3/0x3160 fs/ntfs/super.c:2784
> >  mount_bdev+0x304/0x3c0 fs/super.c:1415
> >  ntfs_mount+0x35/0x40 fs/ntfs/super.c:3051
> >  legacy_get_tree+0x108/0x220 fs/fs_context.c:647
> >  vfs_get_tree+0x8e/0x300 fs/super.c:1545
> >  do_new_mount fs/namespace.c:2823 [inline]
> >  do_mount+0x142e/0x1cf0 fs/namespace.c:3143
> >  ksys_mount+0xdb/0x150 fs/namespace.c:3352
> >  __do_sys_mount fs/namespace.c:3366 [inline]
> >  __se_sys_mount fs/namespace.c:3363 [inline]
> >  __x64_sys_mount+0xbe/0x150 fs/namespace.c:3363
> >  do_syscall_64+0xfa/0x760 arch/x86/entry/common.c:290
> >  entry_SYSCALL_64_after_hwframe+0x49/0xbe
> > RIP: 0033:0x4411a9
> > Code: e8 fc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7
> > 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff
> > 0f 83 9b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
> > RSP: 002b:00007ffffff57cf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
> > RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004411a9
> > RDX: 0000000020000140 RSI: 0000000020000280 RDI: 00000000200004c0
> > RBP: 00000000000114e0 R08: 0000000000000000 R09: 00000000004002c8
> > R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401fd0
> > R13: 0000000000402060 R14: 0000000000000000 R15: 0000000000000000
> >
>
> --
> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@...glegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/20191016100134.GA20076%40architecture4.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ