lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Sun, 24 Dec 2023 18:31:04 -0800
From: syzbot <syzbot+a3981d3c93cde53224be@...kaller.appspotmail.com>
To: linux-kernel@...r.kernel.org, lizhi.xu@...driver.com, 
	syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [reiserfs?] possible deadlock in __run_timers

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
inconsistent lock state in unlink_file_vma

================================
WARNING: inconsistent lock state
6.7.0-rc5-syzkaller-00042-g88035e5694a8-dirty #0 Not tainted
--------------------------------
inconsistent {IN-HARDIRQ-W} -> {HARDIRQ-ON-W} usage.
syz-executor.0/5423 [HC0[0]:SC0[0]:HE1:SE1] takes:
ffff888071f79078
 (timekeeper_lock
){?.-.}-{2:2}
, at: i_mmap_lock_write include/linux/fs.h:512 [inline]
, at: unlink_file_vma+0x81/0x120 mm/mmap.c:128
{IN-HARDIRQ-W} state was registered at:
  lock_acquire kernel/locking/lockdep.c:5754 [inline]
  lock_acquire+0x1ae/0x520 kernel/locking/lockdep.c:5719
  __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
  _raw_spin_lock_irqsave+0x3a/0x50 kernel/locking/spinlock.c:162
  timekeeping_advance+0x82/0xf10 kernel/time/timekeeping.c:2159
  update_wall_time+0x11/0x40 kernel/time/timekeeping.c:2231
  tick_periodic+0x18b/0x230 kernel/time/tick-common.c:97
  tick_handle_periodic+0x45/0x120 kernel/time/tick-common.c:112
  timer_interrupt+0x48/0x70 arch/x86/kernel/time.c:57
  __handle_irq_event_percpu+0x22a/0x750 kernel/irq/handle.c:158
  handle_irq_event_percpu kernel/irq/handle.c:193 [inline]
  handle_irq_event+0xab/0x1e0 kernel/irq/handle.c:210
  handle_edge_irq+0x261/0xcf0 kernel/irq/chip.c:831
  generic_handle_irq_desc include/linux/irqdesc.h:161 [inline]
  handle_irq arch/x86/kernel/irq.c:238 [inline]
  __common_interrupt+0xdb/0x240 arch/x86/kernel/irq.c:257
  common_interrupt+0xab/0xd0 arch/x86/kernel/irq.c:247
  asm_common_interrupt+0x26/0x40 arch/x86/include/asm/idtentry.h:640
  console_flush_all+0xa0e/0xd60 kernel/printk/printk.c:2973
  console_unlock+0x10c/0x260 kernel/printk/printk.c:3036
  vprintk_emit+0x17f/0x5f0 kernel/printk/printk.c:2303
  vprintk+0x7b/0x90 kernel/printk/printk_safe.c:45
  _printk+0xc8/0x100 kernel/printk/printk.c:2328
  setup_umip arch/x86/kernel/cpu/common.c:379 [inline]
  identify_cpu+0xcfe/0x2390 arch/x86/kernel/cpu/common.c:1878
  identify_boot_cpu arch/x86/kernel/cpu/common.c:1980 [inline]
  arch_cpu_finalize_init+0x11/0x160 arch/x86/kernel/cpu/common.c:2343
  start_kernel+0x32c/0x480 init/main.c:1039
  x86_64_start_reservations+0x18/0x30 arch/x86/kernel/head64.c:555
  x86_64_start_kernel+0xb2/0xc0 arch/x86/kernel/head64.c:536
  secondary_startup_64_no_verify+0x166/0x16b
irq event stamp: 165397
hardirqs last  enabled at (165397): [<ffffffff81de4612>] kasan_quarantine_put+0x102/0x230 mm/kasan/quarantine.c:242
hardirqs last disabled at (165396): [<ffffffff81de45ba>] kasan_quarantine_put+0xaa/0x230 mm/kasan/quarantine.c:215
softirqs last  enabled at (165306): [<ffffffff8130d599>] local_bh_enable include/linux/bottom_half.h:33 [inline]
softirqs last  enabled at (165306): [<ffffffff8130d599>] fpregs_unlock arch/x86/include/asm/fpu/api.h:80 [inline]
softirqs last  enabled at (165306): [<ffffffff8130d599>] fpu__clear_user_states+0xf9/0x1e0 arch/x86/kernel/fpu/core.c:771
softirqs last disabled at (165304): [<ffffffff8130d4d9>] local_bh_disable include/linux/bottom_half.h:20 [inline]
softirqs last disabled at (165304): [<ffffffff8130d4d9>] fpregs_lock arch/x86/include/asm/fpu/api.h:72 [inline]
softirqs last disabled at (165304): [<ffffffff8130d4d9>] fpu__clear_user_states+0x39/0x1e0 arch/x86/kernel/fpu/core.c:745

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(
timekeeper_lock);
  <Interrupt>
    lock(timekeeper_lock
);

 *** DEADLOCK ***

1 lock held by syz-executor.0/5423:
 #0: ffff888016694420
 (&mm->mmap_lock
){++++}-{3:3}
, at: mmap_write_lock include/linux/mmap_lock.h:108 [inline]
, at: exit_mmap+0x1ef/0xa70 mm/mmap.c:3316

stack backtrace:
CPU: 0 PID: 5423 Comm: syz-executor.0 Not tainted 6.7.0-rc5-syzkaller-00042-g88035e5694a8-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
 print_usage_bug kernel/locking/lockdep.c:3971 [inline]
 valid_state kernel/locking/lockdep.c:4013 [inline]
 mark_lock_irq kernel/locking/lockdep.c:4216 [inline]
 mark_lock+0x91a/0xc50 kernel/locking/lockdep.c:4678
 mark_usage kernel/locking/lockdep.c:4587 [inline]
 __lock_acquire+0x931/0x3b20 kernel/locking/lockdep.c:5091
 lock_acquire kernel/locking/lockdep.c:5754 [inline]
 lock_acquire+0x1ae/0x520 kernel/locking/lockdep.c:5719
 down_write+0x3a/0x50 kernel/locking/rwsem.c:1579
 i_mmap_lock_write include/linux/fs.h:512 [inline]
 unlink_file_vma+0x81/0x120 mm/mmap.c:128
 free_pgtables+0x311/0x800 mm/memory.c:401
 exit_mmap+0x383/0xa70 mm/mmap.c:3319
 __mmput+0x12a/0x4d0 kernel/fork.c:1349
 mmput+0x62/0x70 kernel/fork.c:1371
 exit_mm kernel/exit.c:567 [inline]
 do_exit+0x9ad/0x2ae0 kernel/exit.c:858
 do_group_exit+0xd4/0x2a0 kernel/exit.c:1021
 __do_sys_exit_group kernel/exit.c:1032 [inline]
 __se_sys_exit_group kernel/exit.c:1030 [inline]
 __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1030
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f8e26c7cba9
Code: Unable to access opcode bytes at 0x7f8e26c7cb7f.
RSP: 002b:00007ffc0e242a78 EFLAGS: 00000246
 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 000000000000000b RCX: 00007f8e26c7cba9
RDX: 00007f8e26ca7fb5 RSI: 0000000000000000 RDI: 000000000000000b
RBP: 00007ffc0e24314c R08: 0000000000000001 R09: 000000000000000b
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000032
R13: 0000000000014683 R14: 0000000000014581 R15: 0000000000000000
 </TASK>


Tested on:

commit:         88035e56 Merge tag 'hid-for-linus-2023121201' of git:/..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=157106d9e80000
kernel config:  https://syzkaller.appspot.com/x/.config?x=be2bd0a72b52d4da
dashboard link: https://syzkaller.appspot.com/bug?extid=a3981d3c93cde53224be
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=138e1e16e80000

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ