[syzbot] [kernel?] inconsistent lock state in sock_hash_delete_elem


syzbot

Mar 31, 2024, 3:40:24 PM
to fred...@kernel.org, linux-...@vger.kernel.org, mi...@kernel.org, syzkall...@googlegroups.com, tg...@linutronix.de
Hello,

syzbot found the following issue on:

HEAD commit: fe46a7dd189e Merge tag 'sound-6.9-rc1' of git://git.kernel..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=16f5005e180000
kernel config: https://syzkaller.appspot.com/x/.config?x=aef2a55903e5791c
dashboard link: https://syzkaller.appspot.com/bug?extid=1dab15008502531a13d2
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14437c21180000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15217b9e180000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/089e25869df5/disk-fe46a7dd.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/423b1787914f/vmlinux-fe46a7dd.xz
kernel image: https://storage.googleapis.com/syzbot-assets/4c043e30c07d/bzImage-fe46a7dd.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+1dab15...@syzkaller.appspotmail.com

================================
WARNING: inconsistent lock state
6.8.0-syzkaller-08951-gfe46a7dd189e #0 Not tainted
--------------------------------
inconsistent {IN-HARDIRQ-W} -> {HARDIRQ-ON-W} usage.
syz-executor164/5064 [HC0[0]:SC0[0]:HE0:SE1] takes:
ffff8880b943e698 (&rq->__lock){?.-.}-{2:2}, at: raw_spin_rq_lock_nested+0x29/0x130 kernel/sched/core.c:559
{IN-HARDIRQ-W} state was registered at:
lock_acquire kernel/locking/lockdep.c:5754 [inline]
lock_acquire+0x1b1/0x540 kernel/locking/lockdep.c:5719
_raw_spin_lock_nested+0x31/0x40 kernel/locking/spinlock.c:378
raw_spin_rq_lock_nested+0x29/0x130 kernel/sched/core.c:559
raw_spin_rq_lock kernel/sched/sched.h:1385 [inline]
rq_lock kernel/sched/sched.h:1699 [inline]
scheduler_tick+0xa2/0x650 kernel/sched/core.c:5679
update_process_times+0x199/0x220 kernel/time/timer.c:2481
tick_periodic+0x7e/0x230 kernel/time/tick-common.c:100
tick_handle_periodic+0x45/0x120 kernel/time/tick-common.c:112
timer_interrupt+0x4e/0x80 arch/x86/kernel/time.c:57
__handle_irq_event_percpu+0x22c/0x750 kernel/irq/handle.c:158
handle_irq_event_percpu kernel/irq/handle.c:193 [inline]
handle_irq_event+0xab/0x1e0 kernel/irq/handle.c:210
handle_edge_irq+0x263/0xd10 kernel/irq/chip.c:831
generic_handle_irq_desc include/linux/irqdesc.h:161 [inline]
handle_irq arch/x86/kernel/irq.c:238 [inline]
__common_interrupt+0xe1/0x250 arch/x86/kernel/irq.c:257
common_interrupt+0xab/0xd0 arch/x86/kernel/irq.c:247
asm_common_interrupt+0x26/0x40 arch/x86/include/asm/idtentry.h:693
console_flush_all+0xa19/0xd70 kernel/printk/printk.c:2979
console_unlock+0xae/0x290 kernel/printk/printk.c:3042
vprintk_emit kernel/printk/printk.c:2342 [inline]
vprintk_emit+0x11a/0x5a0 kernel/printk/printk.c:2297
vprintk+0x7f/0xa0 kernel/printk/printk_safe.c:45
_printk+0xc8/0x100 kernel/printk/printk.c:2367
cpu_detect_tlb arch/x86/kernel/cpu/common.c:860 [inline]
identify_boot_cpu arch/x86/kernel/cpu/common.c:1934 [inline]
arch_cpu_finalize_init+0x7b/0x170 arch/x86/kernel/cpu/common.c:2310
start_kernel+0x32b/0x490 init/main.c:1043
x86_64_start_reservations+0x18/0x30 arch/x86/kernel/head64.c:509
x86_64_start_kernel+0xb2/0xc0 arch/x86/kernel/head64.c:490
common_startup_64+0x13e/0x148
irq event stamp: 4834
hardirqs last enabled at (4831): [<ffffffff8ad60263>] __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:159 [inline]
hardirqs last enabled at (4831): [<ffffffff8ad60263>] _raw_spin_unlock_irq+0x23/0x50 kernel/locking/spinlock.c:202
hardirqs last disabled at (4832): [<ffffffff8ad48b14>] __schedule+0x2644/0x5c70 kernel/sched/core.c:6634
softirqs last enabled at (4834): [<ffffffff88cb2754>] spin_unlock_bh include/linux/spinlock.h:396 [inline]
softirqs last enabled at (4834): [<ffffffff88cb2754>] sock_hash_delete_elem+0x1f4/0x260 net/core/sock_map.c:947
softirqs last disabled at (4833): [<ffffffff88cb262b>] spin_lock_bh include/linux/spinlock.h:356 [inline]
softirqs last disabled at (4833): [<ffffffff88cb262b>] sock_hash_delete_elem+0xcb/0x260 net/core/sock_map.c:939

other info that might help us debug this:
Possible unsafe locking scenario:

       CPU0
       ----
  lock(&rq->__lock);
  <Interrupt>
    lock(&rq->__lock);

*** DEADLOCK ***

2 locks held by syz-executor164/5064:
#0: ffff8880b943e698 (&rq->__lock){?.-.}-{2:2}, at: raw_spin_rq_lock_nested+0x29/0x130 kernel/sched/core.c:559
#1: ffffffff8d7b08e0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:298 [inline]
#1: ffffffff8d7b08e0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:750 [inline]
#1: ffffffff8d7b08e0 (rcu_read_lock){....}-{1:2}, at: __bpf_trace_run kernel/trace/bpf_trace.c:2380 [inline]
#1: ffffffff8d7b08e0 (rcu_read_lock){....}-{1:2}, at: bpf_trace_run4+0x107/0x460 kernel/trace/bpf_trace.c:2422

stack backtrace:
CPU: 0 PID: 5064 Comm: syz-executor164 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
print_usage_bug kernel/locking/lockdep.c:3971 [inline]
valid_state kernel/locking/lockdep.c:4013 [inline]
mark_lock_irq kernel/locking/lockdep.c:4216 [inline]
mark_lock+0x923/0xc60 kernel/locking/lockdep.c:4678
mark_held_locks+0x9f/0xe0 kernel/locking/lockdep.c:4274
__trace_hardirqs_on_caller kernel/locking/lockdep.c:4292 [inline]
lockdep_hardirqs_on_prepare+0x137/0x420 kernel/locking/lockdep.c:4359
trace_hardirqs_on+0x36/0x40 kernel/trace/trace_preemptirq.c:61
__local_bh_enable_ip+0xa4/0x120 kernel/softirq.c:387
spin_unlock_bh include/linux/spinlock.h:396 [inline]
sock_hash_delete_elem+0x1f4/0x260 net/core/sock_map.c:947
___bpf_prog_run+0x3e51/0xae80 kernel/bpf/core.c:1997
__bpf_prog_run32+0xc1/0x100 kernel/bpf/core.c:2236
bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline]
__bpf_prog_run include/linux/filter.h:657 [inline]
bpf_prog_run include/linux/filter.h:664 [inline]
__bpf_trace_run kernel/trace/bpf_trace.c:2381 [inline]
bpf_trace_run4+0x176/0x460 kernel/trace/bpf_trace.c:2422
__bpf_trace_sched_switch+0x13e/0x190 include/trace/events/sched.h:222
trace_sched_switch include/trace/events/sched.h:222 [inline]
__schedule+0x2266/0x5c70 kernel/sched/core.c:6733
__schedule_loop kernel/sched/core.c:6813 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6828
ptrace_stop.part.0+0x440/0x940 kernel/signal.c:2358
ptrace_stop kernel/signal.c:2260 [inline]
ptrace_do_notify+0x222/0x2d0 kernel/signal.c:2395
ptrace_notify+0xc5/0x130 kernel/signal.c:2407
ptrace_report_syscall include/linux/ptrace.h:415 [inline]
ptrace_report_syscall_entry include/linux/ptrace.h:452 [inline]
syscall_trace_enter+0xb5/0x210 kernel/entry/common.c:45
syscall_enter_from_user_mode_work include/linux/entry-common.h:168 [inline]
syscall_enter_from_user_mode include/linux/entry-common.h:198 [inline]
do_syscall_64+0x1f6/0x260 arch/x86/entry/common.c:79
entry_SYSCALL_64_after_hwframe+0x6d/0x75
RIP: 0033:0x7f122969f6b3
Code: 00 00 00 00 0f 1f 00 83 ff 03 74 7b 83 ff 02 b8 fa ff ff ff 49 89 ca 0f 44 f8 80 3d ce e9 03 00 00 74 14 b8 e6 00 00 00 0f 05 <f7> d8 c3 66 2e 0f 1f 84 00 00 00 00 00 48 83 ec 28 48 89 54 24 10
RSP: 002b:00007ffd4d89e018 EFLAGS: 00000202
ORIG_RAX: 00000000000000e6
RAX: ffffffffffffffda RBX: 00000000000013c9 RCX: 00007f122969f6b3
RDX: 00007ffd4d89e030 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000012939 R08: 000000000000004c R09: 0000000000000001
R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffd4d89e06c
R13: 431bde82d7b634db R14: 0000000000000001 R15: 0000000000000001
</TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Lizhi Xu

Apr 1, 2024, 2:46:12 AM
to syzbot+1dab15...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git fe46a7dd189e

diff --git a/kernel/sched/core.c b/kernel/sched/core.c
index d44efa0d0611..07a3c1d2c2d8 100644
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -5676,7 +5676,7 @@ void scheduler_tick(void)

sched_clock_tick();

- rq_lock(rq, &rf);
+ rq_lock_irqsave(rq, &rf);

update_rq_clock(rq);
thermal_pressure = arch_scale_thermal_pressure(cpu_of(rq));
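Review bot: switching to rq_lock_irqsave() here changes nothing on the path lockdep complains about, so this cannot fix the report. scheduler_tick() is entered from timer_interrupt() (see the IN-HARDIRQ-W registration trace in the report), where hardirqs are already disabled, so `rq_lock_irqsave(rq, &rf)` saves and restores a disabled state and behaves exactly like the existing `rq_lock(rq, &rf)`. The HARDIRQ-ON-W half of the splat comes from __schedule() holding rq->__lock while the sched_switch tracepoint runs a BPF program that calls sock_hash_delete_elem(), whose spin_unlock_bh() at net/core/sock_map.c:947 re-enables interrupts through __local_bh_enable_ip() (kernel/softirq.c:387). The thing to look at is that spin_lock_bh()/spin_unlock_bh() pair (sock_map.c:939 and :947) being reached with interrupts disabled, not the tick's locking.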
@@ -5688,7 +5688,7 @@ void scheduler_tick(void)
sched_core_tick(rq);
task_tick_mm_cid(rq, curr);

- rq_unlock(rq, &rf);
+ rq_unlock_irqrestore(rq, &rf);

if (sched_feat(LATENCY_WARN) && resched_latency)
resched_latency_warn(cpu, resched_latency);
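Review bot: the unlock side is paired correctly with the irqsave above, but since rq->__lock is still held across the sched_switch tracepoint in __schedule(), the retest outcome is predictable: __local_bh_enable_ip() still asserts that interrupts are enabled (the WARNING at kernel/softirq.c:362 in syzbot's test result) when sock_hash_delete_elem() calls spin_unlock_bh(). Both hunks should be dropped rather than reworked.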

syzbot

Apr 1, 2024, 3:07:04 AM
to linux-...@vger.kernel.org, lizh...@windriver.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
possible deadlock in console_flush_all

------------[ cut here ]------------
======================================================
WARNING: possible circular locking dependency detected
6.8.0-syzkaller-08951-gfe46a7dd189e-dirty #0 Not tainted
------------------------------------------------------
syz-executor.0/5485 is trying to acquire lock:
ffffffff8d6bdea0 (console_owner){....}-{0:0}, at: console_lock_spinning_enable kernel/printk/printk.c:1873 [inline]
ffffffff8d6bdea0 (console_owner){....}-{0:0}, at: console_emit_next_record kernel/printk/printk.c:2901 [inline]
ffffffff8d6bdea0 (console_owner){....}-{0:0}, at: console_flush_all+0x4ff/0xd70 kernel/printk/printk.c:2973

but task is already holding lock:
ffff8880b953e698 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock_nested+0x29/0x130 kernel/sched/core.c:559

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #4 (&rq->__lock){-.-.}-{2:2}:
_raw_spin_lock_nested+0x31/0x40 kernel/locking/spinlock.c:378
raw_spin_rq_lock_nested+0x29/0x130 kernel/sched/core.c:559
raw_spin_rq_lock kernel/sched/sched.h:1385 [inline]
rq_lock kernel/sched/sched.h:1699 [inline]
task_fork_fair+0x70/0x240 kernel/sched/fair.c:12629
sched_cgroup_fork+0x3cf/0x510 kernel/sched/core.c:4845
copy_process+0x4106/0x9160 kernel/fork.c:2498
kernel_clone+0xfd/0x940 kernel/fork.c:2796
user_mode_thread+0xb4/0xf0 kernel/fork.c:2874
rest_init+0x27/0x2b0 init/main.c:695
arch_call_rest_init+0x13/0x40 init/main.c:831
start_kernel+0x3a3/0x490 init/main.c:1077
x86_64_start_reservations+0x18/0x30 arch/x86/kernel/head64.c:509
x86_64_start_kernel+0xb2/0xc0 arch/x86/kernel/head64.c:490
common_startup_64+0x13e/0x148

-> #3 (&p->pi_lock){-.-.}-{2:2}:
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x3a/0x60 kernel/locking/spinlock.c:162
class_raw_spinlock_irqsave_constructor include/linux/spinlock.h:553 [inline]
try_to_wake_up+0x9a/0x13e0 kernel/sched/core.c:4262
__wake_up_common+0x131/0x1e0 kernel/sched/wait.c:89
__wake_up_common_lock kernel/sched/wait.c:106 [inline]
__wake_up+0x31/0x60 kernel/sched/wait.c:127
tty_port_default_wakeup+0x2a/0x40 drivers/tty/tty_port.c:69
serial8250_tx_chars+0x55a/0x8b0 drivers/tty/serial/8250/8250_port.c:1835
serial8250_handle_irq+0x5d3/0x780 drivers/tty/serial/8250/8250_port.c:1942
serial8250_default_handle_irq+0x9a/0x210 drivers/tty/serial/8250/8250_port.c:1962
serial8250_interrupt+0x103/0x210 drivers/tty/serial/8250/8250_core.c:127
__handle_irq_event_percpu+0x229/0x750 kernel/irq/handle.c:158
handle_irq_event_percpu kernel/irq/handle.c:193 [inline]
handle_irq_event+0xab/0x1e0 kernel/irq/handle.c:210
handle_edge_irq+0x263/0xd10 kernel/irq/chip.c:831
generic_handle_irq_desc include/linux/irqdesc.h:161 [inline]
handle_irq arch/x86/kernel/irq.c:238 [inline]
__common_interrupt+0xde/0x250 arch/x86/kernel/irq.c:257
common_interrupt+0xab/0xd0 arch/x86/kernel/irq.c:247
asm_common_interrupt+0x26/0x40 arch/x86/include/asm/idtentry.h:693
__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline]
_raw_spin_unlock_irqrestore+0x31/0x80 kernel/locking/spinlock.c:194
spin_unlock_irqrestore include/linux/spinlock.h:406 [inline]
uart_port_unlock_irqrestore include/linux/serial_core.h:667 [inline]
serial_port_runtime_resume+0x2b7/0x340 drivers/tty/serial/serial_port.c:41
__rpm_callback+0xc5/0x4c0 drivers/base/power/runtime.c:394
rpm_callback+0x1da/0x220 drivers/base/power/runtime.c:448
rpm_resume+0xcf9/0x12f0 drivers/base/power/runtime.c:914
pm_runtime_work+0x10c/0x150 drivers/base/power/runtime.c:979
process_one_work+0x9a9/0x1a60 kernel/workqueue.c:3254
process_scheduled_works kernel/workqueue.c:3335 [inline]
worker_thread+0x6c8/0xf70 kernel/workqueue.c:3416
kthread+0x2c1/0x3a0 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243

-> #2 (&tty->write_wait){-.-.}-{2:2}:
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x3a/0x60 kernel/locking/spinlock.c:162
__wake_up_common_lock kernel/sched/wait.c:105 [inline]
__wake_up+0x1c/0x60 kernel/sched/wait.c:127
tty_port_default_wakeup+0x2a/0x40 drivers/tty/tty_port.c:69
serial8250_tx_chars+0x55a/0x8b0 drivers/tty/serial/8250/8250_port.c:1835
serial8250_handle_irq+0x5d3/0x780 drivers/tty/serial/8250/8250_port.c:1942
serial8250_default_handle_irq+0x9a/0x210 drivers/tty/serial/8250/8250_port.c:1962
serial8250_interrupt+0x103/0x210 drivers/tty/serial/8250/8250_core.c:127
__handle_irq_event_percpu+0x229/0x750 kernel/irq/handle.c:158
handle_irq_event_percpu kernel/irq/handle.c:193 [inline]
handle_irq_event+0xab/0x1e0 kernel/irq/handle.c:210
handle_edge_irq+0x263/0xd10 kernel/irq/chip.c:831
generic_handle_irq_desc include/linux/irqdesc.h:161 [inline]
handle_irq arch/x86/kernel/irq.c:238 [inline]
__common_interrupt+0xde/0x250 arch/x86/kernel/irq.c:257
common_interrupt+0xab/0xd0 arch/x86/kernel/irq.c:247
asm_common_interrupt+0x26/0x40 arch/x86/include/asm/idtentry.h:693
__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline]
_raw_spin_unlock_irqrestore+0x31/0x80 kernel/locking/spinlock.c:194
spin_unlock_irqrestore include/linux/spinlock.h:406 [inline]
uart_port_unlock_irqrestore include/linux/serial_core.h:667 [inline]
serial_port_runtime_resume+0x2b7/0x340 drivers/tty/serial/serial_port.c:41
__rpm_callback+0xc5/0x4c0 drivers/base/power/runtime.c:394
rpm_callback+0x1da/0x220 drivers/base/power/runtime.c:448
rpm_resume+0xcf9/0x12f0 drivers/base/power/runtime.c:914
pm_runtime_work+0x10c/0x150 drivers/base/power/runtime.c:979
process_one_work+0x9a9/0x1a60 kernel/workqueue.c:3254
process_scheduled_works kernel/workqueue.c:3335 [inline]
worker_thread+0x6c8/0xf70 kernel/workqueue.c:3416
kthread+0x2c1/0x3a0 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243

-> #1 (&port_lock_key){-.-.}-{2:2}:
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x3a/0x60 kernel/locking/spinlock.c:162
uart_port_lock_irqsave include/linux/serial_core.h:616 [inline]
serial8250_console_write+0xaa6/0x1090 drivers/tty/serial/8250/8250_port.c:3403
console_emit_next_record kernel/printk/printk.c:2907 [inline]
console_flush_all+0x53f/0xd70 kernel/printk/printk.c:2973
console_unlock+0xae/0x290 kernel/printk/printk.c:3042
vprintk_emit kernel/printk/printk.c:2342 [inline]
vprintk_emit+0x11a/0x5a0 kernel/printk/printk.c:2297
vprintk+0x7f/0xa0 kernel/printk/printk_safe.c:45
_printk+0xc8/0x100 kernel/printk/printk.c:2367
register_console+0xa7b/0x1060 kernel/printk/printk.c:3548
univ8250_console_init+0x35/0x50 drivers/tty/serial/8250/8250_core.c:717
console_init+0xcc/0x5e0 kernel/printk/printk.c:3694
start_kernel+0x259/0x490 init/main.c:1012
x86_64_start_reservations+0x18/0x30 arch/x86/kernel/head64.c:509
x86_64_start_kernel+0xb2/0xc0 arch/x86/kernel/head64.c:490
common_startup_64+0x13e/0x148

-> #0 (console_owner){....}-{0:0}:
check_prev_add kernel/locking/lockdep.c:3134 [inline]
check_prevs_add kernel/locking/lockdep.c:3253 [inline]
validate_chain kernel/locking/lockdep.c:3869 [inline]
__lock_acquire+0x2478/0x3b30 kernel/locking/lockdep.c:5137
lock_acquire kernel/locking/lockdep.c:5754 [inline]
lock_acquire+0x1b1/0x540 kernel/locking/lockdep.c:5719
console_lock_spinning_enable kernel/printk/printk.c:1873 [inline]
console_emit_next_record kernel/printk/printk.c:2901 [inline]
console_flush_all+0x514/0xd70 kernel/printk/printk.c:2973
console_unlock+0xae/0x290 kernel/printk/printk.c:3042
vprintk_emit kernel/printk/printk.c:2342 [inline]
vprintk_emit+0x11a/0x5a0 kernel/printk/printk.c:2297
vprintk+0x7f/0xa0 kernel/printk/printk_safe.c:45
_printk+0xc8/0x100 kernel/printk/printk.c:2367
__report_bug lib/bug.c:195 [inline]
report_bug+0x4ac/0x580 lib/bug.c:219
handle_bug+0x3d/0x70 arch/x86/kernel/traps.c:239
exc_invalid_op+0x17/0x50 arch/x86/kernel/traps.c:260
asm_exc_invalid_op+0x1a/0x20 arch/x86/include/asm/idtentry.h:621
__local_bh_enable_ip+0xc3/0x120 kernel/softirq.c:362
spin_unlock_bh include/linux/spinlock.h:396 [inline]
sock_hash_delete_elem+0x1f4/0x260 net/core/sock_map.c:947
___bpf_prog_run+0x3e51/0xae80 kernel/bpf/core.c:1997
__bpf_prog_run32+0xc1/0x100 kernel/bpf/core.c:2236
bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline]
__bpf_prog_run include/linux/filter.h:657 [inline]
bpf_prog_run include/linux/filter.h:664 [inline]
__bpf_trace_run kernel/trace/bpf_trace.c:2381 [inline]
bpf_trace_run4+0x176/0x460 kernel/trace/bpf_trace.c:2422
__bpf_trace_sched_switch+0x13e/0x190 include/trace/events/sched.h:222
trace_sched_switch include/trace/events/sched.h:222 [inline]
__schedule+0x2266/0x5c70 kernel/sched/core.c:6733
preempt_schedule_common+0x44/0xc0 kernel/sched/core.c:6915
preempt_schedule_thunk+0x1a/0x30 arch/x86/entry/thunk_64.S:12
class_preempt_destructor include/linux/preempt.h:480 [inline]
class_preempt_destructor include/linux/preempt.h:480 [inline]
try_to_wake_up+0xc08/0x13e0 kernel/sched/core.c:4233
wake_up_process kernel/sched/core.c:4510 [inline]
wake_up_q+0x91/0x140 kernel/sched/core.c:1029
futex_wake+0x43e/0x4e0 kernel/futex/waitwake.c:199
do_futex+0x1e5/0x350 kernel/futex/syscalls.c:107
__do_sys_futex kernel/futex/syscalls.c:179 [inline]
__se_sys_futex kernel/futex/syscalls.c:160 [inline]
__x64_sys_futex+0x1e1/0x4c0 kernel/futex/syscalls.c:160
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd2/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x6d/0x75

other info that might help us debug this:

Chain exists of:
console_owner --> &p->pi_lock --> &rq->__lock

Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&rq->__lock);
                               lock(&p->pi_lock);
                               lock(&rq->__lock);
  lock(console_owner);

*** DEADLOCK ***

4 locks held by syz-executor.0/5485:
#0: ffff8880b953e698 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock_nested+0x29/0x130 kernel/sched/core.c:559
#1: ffffffff8d7b08e0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:298 [inline]
#1: ffffffff8d7b08e0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:750 [inline]
#1: ffffffff8d7b08e0 (rcu_read_lock){....}-{1:2}, at: __bpf_trace_run kernel/trace/bpf_trace.c:2380 [inline]
#1: ffffffff8d7b08e0 (rcu_read_lock){....}-{1:2}, at: bpf_trace_run4+0x107/0x460 kernel/trace/bpf_trace.c:2422
#2: ffffffff8d79e2e0 (console_lock){+.+.}-{0:0}, at: vprintk+0x7f/0xa0 kernel/printk/printk_safe.c:45
#3: ffffffff8d79e350 (console_srcu){....}-{0:0}, at: rcu_try_lock_acquire include/linux/rcupdate.h:303 [inline]
#3: ffffffff8d79e350 (console_srcu){....}-{0:0}, at: srcu_read_lock_nmisafe include/linux/srcu.h:232 [inline]
#3: ffffffff8d79e350 (console_srcu){....}-{0:0}, at: console_srcu_read_lock kernel/printk/printk.c:286 [inline]
#3: ffffffff8d79e350 (console_srcu){....}-{0:0}, at: console_flush_all+0x12d/0xd70 kernel/printk/printk.c:2965

stack backtrace:
CPU: 1 PID: 5485 Comm: syz-executor.0 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
check_noncircular+0x31a/0x400 kernel/locking/lockdep.c:2187
check_prev_add kernel/locking/lockdep.c:3134 [inline]
check_prevs_add kernel/locking/lockdep.c:3253 [inline]
validate_chain kernel/locking/lockdep.c:3869 [inline]
__lock_acquire+0x2478/0x3b30 kernel/locking/lockdep.c:5137
lock_acquire kernel/locking/lockdep.c:5754 [inline]
lock_acquire+0x1b1/0x540 kernel/locking/lockdep.c:5719
console_lock_spinning_enable kernel/printk/printk.c:1873 [inline]
console_emit_next_record kernel/printk/printk.c:2901 [inline]
console_flush_all+0x514/0xd70 kernel/printk/printk.c:2973
console_unlock+0xae/0x290 kernel/printk/printk.c:3042
vprintk_emit kernel/printk/printk.c:2342 [inline]
vprintk_emit+0x11a/0x5a0 kernel/printk/printk.c:2297
vprintk+0x7f/0xa0 kernel/printk/printk_safe.c:45
_printk+0xc8/0x100 kernel/printk/printk.c:2367
__report_bug lib/bug.c:195 [inline]
report_bug+0x4ac/0x580 lib/bug.c:219
handle_bug+0x3d/0x70 arch/x86/kernel/traps.c:239
exc_invalid_op+0x17/0x50 arch/x86/kernel/traps.c:260
asm_exc_invalid_op+0x1a/0x20 arch/x86/include/asm/idtentry.h:621
RIP: 0010:__local_bh_enable_ip+0xc3/0x120 kernel/softirq.c:362
Code: 00 e8 81 6c 0b 00 e8 9c 69 42 00 fb 65 8b 05 cc 34 b2 7e 85 c0 74 52 5b 5d c3 cc cc cc cc 65 8b 05 4e e9 b0 7e 85 c0 75 9e 90 <0f> 0b 90 eb 98 e8 c3 67 42 00 eb 99 48 89 ef e8 49 e0 19 00 eb a2
RSP: 0018:ffffc900037a7600 EFLAGS: 00010046
RAX: 0000000000000000 RBX: 0000000000000201 RCX: 1ffffffff1f3d467
RDX: 0000000000000000 RSI: 0000000000000201 RDI: ffffffff88cb2794
RBP: ffffffff88cb2794 R08: 0000000000000000 R09: ffffed100dab841c
R10: ffff88806d5c20e3 R11: ffffffff934716a8 R12: fffffffffffffffe
R13: ffff88806d5c20e0 R14: ffff88806d5c20d8 R15: 0000000023700e53
spin_unlock_bh include/linux/spinlock.h:396 [inline]
sock_hash_delete_elem+0x1f4/0x260 net/core/sock_map.c:947
___bpf_prog_run+0x3e51/0xae80 kernel/bpf/core.c:1997
__bpf_prog_run32+0xc1/0x100 kernel/bpf/core.c:2236
bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline]
__bpf_prog_run include/linux/filter.h:657 [inline]
bpf_prog_run include/linux/filter.h:664 [inline]
__bpf_trace_run kernel/trace/bpf_trace.c:2381 [inline]
bpf_trace_run4+0x176/0x460 kernel/trace/bpf_trace.c:2422
__bpf_trace_sched_switch+0x13e/0x190 include/trace/events/sched.h:222
trace_sched_switch include/trace/events/sched.h:222 [inline]
__schedule+0x2266/0x5c70 kernel/sched/core.c:6733
preempt_schedule_common+0x44/0xc0 kernel/sched/core.c:6915
preempt_schedule_thunk+0x1a/0x30 arch/x86/entry/thunk_64.S:12
class_preempt_destructor include/linux/preempt.h:480 [inline]
class_preempt_destructor include/linux/preempt.h:480 [inline]
try_to_wake_up+0xc08/0x13e0 kernel/sched/core.c:4233
wake_up_process kernel/sched/core.c:4510 [inline]
wake_up_q+0x91/0x140 kernel/sched/core.c:1029
futex_wake+0x43e/0x4e0 kernel/futex/waitwake.c:199
do_futex+0x1e5/0x350 kernel/futex/syscalls.c:107
__do_sys_futex kernel/futex/syscalls.c:179 [inline]
__se_sys_futex kernel/futex/syscalls.c:160 [inline]
__x64_sys_futex+0x1e1/0x4c0 kernel/futex/syscalls.c:160
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd2/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x6d/0x75
RIP: 0033:0x7f1002a7dda9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f100382d178 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: ffffffffffffffda RBX: 00007f1002babf88 RCX: 00007f1002a7dda9
RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00007f1002babf8c
RBP: 00007f1002babf80 R08: 0000000000000001 R09: 00007f100382d6c0
R10: 0000000000000005 R11: 0000000000000246 R12: 00007f1002babf8c
R13: 000000000000000b R14: 00007fff6da22fd0 R15: 00007fff6da230b8
</TASK>
WARNING: CPU: 1 PID: 5485 at kernel/softirq.c:362 __local_bh_enable_ip+0xc3/0x120 kernel/softirq.c:362
Modules linked in:
CPU: 1 PID: 5485 Comm: syz-executor.0 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
RIP: 0010:__local_bh_enable_ip+0xc3/0x120 kernel/softirq.c:362
Code: 00 e8 81 6c 0b 00 e8 9c 69 42 00 fb 65 8b 05 cc 34 b2 7e 85 c0 74 52 5b 5d c3 cc cc cc cc 65 8b 05 4e e9 b0 7e 85 c0 75 9e 90 <0f> 0b 90 eb 98 e8 c3 67 42 00 eb 99 48 89 ef e8 49 e0 19 00 eb a2
RSP: 0018:ffffc900037a7600 EFLAGS: 00010046
RAX: 0000000000000000 RBX: 0000000000000201 RCX: 1ffffffff1f3d467
RDX: 0000000000000000 RSI: 0000000000000201 RDI: ffffffff88cb2794
RBP: ffffffff88cb2794 R08: 0000000000000000 R09: ffffed100dab841c
R10: ffff88806d5c20e3 R11: ffffffff934716a8 R12: fffffffffffffffe
R13: ffff88806d5c20e0 R14: ffff88806d5c20d8 R15: 0000000023700e53
FS: 00007f100382d6c0(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f1002ba80c0 CR3: 000000007c110000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
spin_unlock_bh include/linux/spinlock.h:396 [inline]
sock_hash_delete_elem+0x1f4/0x260 net/core/sock_map.c:947
___bpf_prog_run+0x3e51/0xae80 kernel/bpf/core.c:1997
__bpf_prog_run32+0xc1/0x100 kernel/bpf/core.c:2236
bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline]
__bpf_prog_run include/linux/filter.h:657 [inline]
bpf_prog_run include/linux/filter.h:664 [inline]
__bpf_trace_run kernel/trace/bpf_trace.c:2381 [inline]
bpf_trace_run4+0x176/0x460 kernel/trace/bpf_trace.c:2422
__bpf_trace_sched_switch+0x13e/0x190 include/trace/events/sched.h:222
trace_sched_switch include/trace/events/sched.h:222 [inline]
__schedule+0x2266/0x5c70 kernel/sched/core.c:6733
preempt_schedule_common+0x44/0xc0 kernel/sched/core.c:6915
preempt_schedule_thunk+0x1a/0x30 arch/x86/entry/thunk_64.S:12
class_preempt_destructor include/linux/preempt.h:480 [inline]
class_preempt_destructor include/linux/preempt.h:480 [inline]
try_to_wake_up+0xc08/0x13e0 kernel/sched/core.c:4233
wake_up_process kernel/sched/core.c:4510 [inline]
wake_up_q+0x91/0x140 kernel/sched/core.c:1029
futex_wake+0x43e/0x4e0 kernel/futex/waitwake.c:199
do_futex+0x1e5/0x350 kernel/futex/syscalls.c:107
__do_sys_futex kernel/futex/syscalls.c:179 [inline]
__se_sys_futex kernel/futex/syscalls.c:160 [inline]
__x64_sys_futex+0x1e1/0x4c0 kernel/futex/syscalls.c:160
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd2/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x6d/0x75
RIP: 0033:0x7f1002a7dda9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f100382d178 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: ffffffffffffffda RBX: 00007f1002babf88 RCX: 00007f1002a7dda9
RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00007f1002babf8c
RBP: 00007f1002babf80 R08: 0000000000000001 R09: 00007f100382d6c0
R10: 0000000000000005 R11: 0000000000000246 R12: 00007f1002babf8c
R13: 000000000000000b R14: 00007fff6da22fd0 R15: 00007fff6da230b8
</TASK>


Tested on:

commit: fe46a7dd Merge tag 'sound-6.9-rc1' of git://git.kernel..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=10d4365e180000
kernel config: https://syzkaller.appspot.com/x/.config?x=aef2a55903e5791c
dashboard link: https://syzkaller.appspot.com/bug?extid=1dab15008502531a13d2
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=11b605e5180000

Lizhi Xu

Apr 1, 2024, 3:47:34 AM
to syzbot+1dab15...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
diff --git a/kernel/sched/sched.h b/kernel/sched/sched.h
index d2242679239e..a7aa4f31c0e2 100644
--- a/kernel/sched/sched.h
+++ b/kernel/sched/sched.h
@@ -1696,6 +1696,7 @@ static inline void
rq_lock(struct rq *rq, struct rq_flags *rf)
__acquires(rq->lock)
{
+ local_irq_save(rf->flags);
raw_spin_rq_lock(rq);
rq_pin_lock(rq, rf);
}
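Review bot: adding local_irq_save() to rq_lock() turns the plain variant into a second copy of the existing rq_lock_irqsave() and overwrites rf->flags for every caller, including ones that manage interrupt state themselves around the rq_lock()/rq_unlock() pair. It also does not reach the bug: __schedule() disables interrupts before taking the lock (hardirqs last disabled at __schedule+0x2644, kernel/sched/core.c:6634 in the original report), so the save here records a disabled state, and the BPF helper's spin_unlock_bh() at net/core/sock_map.c:947 still turns interrupts back on underneath the held rq->__lock. Keep rq_lock() as the non-saving variant; callers that need the saving form already have rq_lock_irqsave().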
@@ -1722,6 +1723,7 @@ rq_unlock(struct rq *rq, struct rq_flags *rf)
{
rq_unpin_lock(rq, rf);
raw_spin_rq_unlock(rq);
+ local_irq_restore(rf->flags);
}

DEFINE_LOCK_GUARD_1(rq_lock, struct rq,
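Review bot: the local_irq_restore() added to rq_unlock() restores a second time for any caller that takes the lock with rq_lock_irqsave(), releases it with rq_unlock() and then restores rf.flags on its own, so interrupts are already enabled when the caller's restore runs. That is exactly what the boot log syzbot posted for this patch shows: "raw_local_irq_restore() called with IRQs enabled" from warn_bogus_irq_restore(), reached from load_balance() in the softirq path, and the kernel does not get past boot. Revert this hunk together with the rq_lock() change; the lockdep report is caused by the BPF helper enabling interrupts while rq->__lock is held, not by rq_unlock() failing to restore them.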

syzbot

Apr 1, 2024, 4:21:04 AM
to linux-...@vger.kernel.org, lizh...@windriver.com, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

_data.html for more details.
[ 4.718465][ T1] smp: Brought up 2 nodes, 2 CPUs
[ 4.719648][ T1] smpboot: Total of 2 processors activated (8800.85 BogoMIPS)
[ 4.729601][ T1] devtmpfs: initialized
[ 4.729601][ T1] x86/mm: Memory block size: 128MB
[ 4.809009][ T1] Running RCU synchronous self tests
[ 4.809009][ T1] Running RCU synchronous self tests
[ 4.809643][ T1] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[ 4.812622][ T1] futex hash table entries: 512 (order: 4, 65536 bytes, vmalloc)
[ 4.818874][ T1] PM: RTC time: 08:12:37, date: 2024-04-01
[ 4.824146][ T1] NET: Registered PF_NETLINK/PF_ROUTE protocol family
[ 4.832868][ T1] audit: initializing netlink subsys (disabled)
[ 4.835572][ T28] audit: type=2000 audit(1711959157.647:1): state=initialized audit_enabled=0 res=1
[ 4.840900][ T1] thermal_sys: Registered thermal governor 'step_wise'
[ 4.840915][ T1] thermal_sys: Registered thermal governor 'user_space'
[ 4.842716][ T1] cpuidle: using governor menu
[ 4.846928][ T1] NET: Registered PF_QIPCRTR protocol family
[ 4.856743][ T1] dca service started, version 1.12.1
[ 4.857984][ T1] PCI: Using configuration type 1 for base access
[ 4.869693][ T1] HugeTLB: registered 1.00 GiB page size, pre-allocated 0 pages
[ 4.871942][ T1] HugeTLB: 16380 KiB vmemmap can be freed for a 1.00 GiB page
[ 4.873969][ T1] HugeTLB: registered 2.00 MiB page size, pre-allocated 0 pages
[ 4.874972][ T1] HugeTLB: 28 KiB vmemmap can be freed for a 2.00 MiB page
[ 4.894997][ C0] ------------[ cut here ]------------
[ 4.896611][ C0] raw_local_irq_restore() called with IRQs enabled
[ 4.894981][ T1] cryptd: max_cpu_qlen set to 1000
[ 4.897981][ C0] WARNING: CPU: 0 PID: 3 at kernel/locking/irqflag-debug.c:10 warn_bogus_irq_restore+0x29/0x30
[ 4.901484][ C0] Modules linked in:
[ 4.902651][ C0] CPU: 0 PID: 3 Comm: pool_workqueue_ Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e-dirty #0
[ 4.904951][ C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
[ 4.907171][ C0] RIP: 0010:warn_bogus_irq_restore+0x29/0x30
[ 4.908552][ C0] Code: 90 f3 0f 1e fa 90 80 3d f2 cf b5 04 00 74 06 90 c3 cc cc cc cc c6 05 e3 cf b5 04 01 90 48 c7 c7 c0 b1 0c 8b e8 78 6b 7d f6 90 <0f> 0b 90 90 eb df 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
[ 4.914048][ C0] RSP: 0000:ffffc90000007c10 EFLAGS: 00010286
[ 4.914953][ C0] RAX: 0000000000000000 RBX: ffff8880b943e680 RCX: ffffffff814fafe9
[ 4.917134][ C0] RDX: ffff888016ac3c00 RSI: ffffffff814faff6 RDI: 0000000000000001
[ 4.919117][ C0] RBP: ffffc90000007de8 R08: 0000000000000001 R09: 0000000000000000
[ 4.921608][ C0] R10: 0000000000000000 R11: 0000000000000004 R12: 0000000000000200
[ 4.922975][ C0] R13: ffff8880b953e680 R14: 000000000000d3be R15: dffffc0000000000
[ 4.924954][ C0] FS: 0000000000000000(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
[ 4.926550][ C0] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 4.927759][ C0] CR2: ffff88823ffff000 CR3: 000000000d57a000 CR4: 00000000003506f0
[ 4.929068][ C0] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 4.931048][ C0] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 4.932732][ C0] Call Trace:
[ 4.933476][ C0] <IRQ>
[ 4.934953][ C0] ? show_regs+0x8c/0xa0
[ 4.935841][ C0] ? __warn+0xe5/0x390
[ 4.936556][ C0] ? __wake_up_klogd.part.0+0x99/0xf0
[ 4.938066][ C0] ? warn_bogus_irq_restore+0x29/0x30
[ 4.939009][ C0] ? report_bug+0x3c0/0x580
[ 4.939893][ C0] ? handle_bug+0x3d/0x70
[ 4.940924][ C0] ? exc_invalid_op+0x17/0x50
[ 4.941738][ C0] ? asm_exc_invalid_op+0x1a/0x20
[ 4.943099][ C0] ? __warn_printk+0x199/0x350
[ 4.944021][ C0] ? __warn_printk+0x1a6/0x350
[ 4.944956][ C0] ? warn_bogus_irq_restore+0x29/0x30
[ 4.946600][ C0] load_balance+0x1d4a/0x34e0
[ 4.947576][ C0] ? __pfx_load_balance+0x10/0x10
[ 4.948614][ C0] ? __pfx_lock_release+0x10/0x10
[ 4.949809][ C0] rebalance_domains+0x709/0xee0
[ 4.950679][ C0] ? __pfx_rebalance_domains+0x10/0x10
[ 4.952112][ C0] __do_softirq+0x218/0x8de
[ 4.953760][ C0] ? __pfx___do_softirq+0x10/0x10
[ 4.954966][ C0] irq_exit_rcu+0xb9/0x120
[ 4.956487][ C0] sysvec_apic_timer_interrupt+0x95/0xb0
[ 4.958125][ C0] </IRQ>
[ 4.958880][ C0] <TASK>
[ 4.959719][ C0] asm_sysvec_apic_timer_interrupt+0x1a/0x20
[ 4.961420][ C0] RIP: 0010:write_comp_data+0x7d/0x90
[ 4.963185][ C0] Code: 00 00 4a 8d 34 dd 28 00 00 00 48 39 f2 72 1b 48 83 c7 01 48 89 38 4c 89 44 30 e0 4c 89 4c 30 e8 4c 89 54 30 f0 4a 89 4c d8 20 <c3> cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 90 90 90
[ 4.964967][ C0] RSP: 0000:ffffc90000087998 EFLAGS: 00000293
[ 4.966867][ C0] RAX: 0000000000000000 RBX: ffffffff8fb0dd18 RCX: ffffffff813c8bf4
[ 4.969772][ C0] RDX: ffff888016ac3c00 RSI: ffffffff8174e8e9 RDI: 0000000000000006
[ 4.974953][ C0] RBP: ffffffff8fb0dd28 R08: 0000000000000006 R09: ffffffff8174e8e9
[ 4.976309][ C0] R10: ffffffff8174e864 R11: 0000000000000000 R12: ffffffff8174e8e9
[ 4.977965][ C0] R13: ffffffff8174e864 R14: dffffc0000000000 R15: ffffffff8fb0dd20
[ 4.979513][ C0] ? __call_rcu_common.constprop.0+0x14/0x790
[ 4.980977][ C0] ? __call_rcu_common.constprop.0+0x99/0x790
[ 4.982115][ C0] ? __call_rcu_common.constprop.0+0x14/0x790
[ 4.983204][ C0] ? __call_rcu_common.constprop.0+0x99/0x790
[ 4.984952][ C0] ? __orc_find+0xc4/0x130
[ 4.985757][ C0] ? __call_rcu_common.constprop.0+0x99/0x790
[ 4.986789][ C0] ? unwind_next_frame+0x51/0x23a0
[ 4.987591][ C0] __orc_find+0xc4/0x130
[ 4.988356][ C0] ? __call_rcu_common.constprop.0+0x99/0x790
[ 4.989388][ C0] unwind_next_frame+0x335/0x23a0
[ 4.990403][ C0] ? __call_rcu_common.constprop.0+0x9a/0x790
[ 4.991376][ C0] ? __pfx_stack_trace_consume_entry+0x10/0x10
[ 4.992296][ C0] arch_stack_walk+0x100/0x170
[ 4.993240][ C0] ? __call_rcu_common.constprop.0+0x9a/0x790
[ 4.994953][ C0] stack_trace_save+0x95/0xd0
[ 4.996002][ C0] ? __pfx_stack_trace_save+0x10/0x10
[ 4.996969][ C0] kasan_save_stack+0x33/0x60
[ 4.997858][ C0] ? kasan_save_stack+0x33/0x60
[ 4.998950][ C0] ? __kasan_record_aux_stack+0xba/0xd0
[ 5.000065][ C0] ? __call_rcu_common.constprop.0+0x9a/0x790
[ 5.001080][ C0] __kasan_record_aux_stack+0xba/0xd0
[ 5.002245][ C0] ? __pfx_rcu_free_pwq+0x10/0x10
[ 5.003148][ C0] __call_rcu_common.constprop.0+0x9a/0x790
[ 5.004431][ C0] pwq_release_workfn+0x4ca/0x9d0
[ 5.004955][ C0] ? _raw_spin_unlock_irq+0x23/0x50
[ 5.006685][ C0] kthread_worker_fn+0x305/0xab0
[ 5.007704][ C0] ? __pfx_pwq_release_workfn+0x10/0x10
[ 5.008662][ C0] ? __pfx_kthread_worker_fn+0x10/0x10
[ 5.010047][ C0] kthread+0x2c1/0x3a0
[ 5.011217][ C0] ? _raw_spin_unlock_irq+0x23/0x50
[ 5.012287][ C0] ? __pfx_kthread+0x10/0x10
[ 5.013140][ C0] ret_from_fork+0x45/0x80
[ 5.014089][ C0] ? __pfx_kthread+0x10/0x10
[ 5.014951][ C0] ret_from_fork_asm+0x1a/0x30
[ 5.015989][ C0] </TASK>
[ 5.017349][ C0] Kernel panic - not syncing: kernel: panic_on_warn set ...
[ 5.018846][ C0] CPU: 0 PID: 3 Comm: pool_workqueue_ Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e-dirty #0
[ 5.020847][ C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
[ 5.022520][ C0] Call Trace:
[ 5.023086][ C0] <IRQ>
[ 5.023564][ C0] dump_stack_lvl+0x3d/0x1f0
[ 5.024316][ C0] panic+0x6f5/0x7a0
[ 5.024939][ C0] ? __pfx_panic+0x10/0x10
[ 5.024939][ C0] ? show_trace_log_lvl+0x363/0x500
[ 5.024939][ C0] ? check_panic_on_warn+0x1f/0xb0
[ 5.024939][ C0] ? warn_bogus_irq_restore+0x29/0x30
[ 5.024939][ C0] check_panic_on_warn+0xab/0xb0
[ 5.024939][ C0] __warn+0xf1/0x390
[ 5.024939][ C0] ? __wake_up_klogd.part.0+0x99/0xf0
[ 5.024939][ C0] ? warn_bogus_irq_restore+0x29/0x30
[ 5.024939][ C0] report_bug+0x3c0/0x580
[ 5.024939][ C0] handle_bug+0x3d/0x70
[ 5.024939][ C0] exc_invalid_op+0x17/0x50
[ 5.024939][ C0] asm_exc_invalid_op+0x1a/0x20
[ 5.024939][ C0] RIP: 0010:warn_bogus_irq_restore+0x29/0x30
[ 5.024939][ C0] Code: 90 f3 0f 1e fa 90 80 3d f2 cf b5 04 00 74 06 90 c3 cc cc cc cc c6 05 e3 cf b5 04 01 90 48 c7 c7 c0 b1 0c 8b e8 78 6b 7d f6 90 <0f> 0b 90 90 eb df 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
[ 5.024939][ C0] RSP: 0000:ffffc90000007c10 EFLAGS: 00010286
[ 5.024939][ C0] RAX: 0000000000000000 RBX: ffff8880b943e680 RCX: ffffffff814fafe9
[ 5.024939][ C0] RDX: ffff888016ac3c00 RSI: ffffffff814faff6 RDI: 0000000000000001
[ 5.024939][ C0] RBP: ffffc90000007de8 R08: 0000000000000001 R09: 0000000000000000
[ 5.024939][ C0] R10: 0000000000000000 R11: 0000000000000004 R12: 0000000000000200
[ 5.024939][ C0] R13: ffff8880b953e680 R14: 000000000000d3be R15: dffffc0000000000
[ 5.024939][ C0] ? __warn_printk+0x199/0x350
[ 5.024939][ C0] ? __warn_printk+0x1a6/0x350
[ 5.024939][ C0] load_balance+0x1d4a/0x34e0
[ 5.024939][ C0] ? __pfx_load_balance+0x10/0x10
[ 5.024939][ C0] ? __pfx_lock_release+0x10/0x10
[ 5.024939][ C0] rebalance_domains+0x709/0xee0
[ 5.024939][ C0] ? __pfx_rebalance_domains+0x10/0x10
[ 5.024939][ C0] __do_softirq+0x218/0x8de
[ 5.024939][ C0] ? __pfx___do_softirq+0x10/0x10
[ 5.024939][ C0] irq_exit_rcu+0xb9/0x120
[ 5.024939][ C0] sysvec_apic_timer_interrupt+0x95/0xb0
[ 5.024939][ C0] </IRQ>
[ 5.024939][ C0] <TASK>
[ 5.024939][ C0] asm_sysvec_apic_timer_interrupt+0x1a/0x20
[ 5.024939][ C0] RIP: 0010:write_comp_data+0x7d/0x90
[ 5.024939][ C0] Code: 00 00 4a 8d 34 dd 28 00 00 00 48 39 f2 72 1b 48 83 c7 01 48 89 38 4c 89 44 30 e0 4c 89 4c 30 e8 4c 89 54 30 f0 4a 89 4c d8 20 <c3> cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 90 90 90
[ 5.024939][ C0] RSP: 0000:ffffc90000087998 EFLAGS: 00000293
[ 5.024939][ C0] RAX: 0000000000000000 RBX: ffffffff8fb0dd18 RCX: ffffffff813c8bf4
[ 5.024939][ C0] RDX: ffff888016ac3c00 RSI: ffffffff8174e8e9 RDI: 0000000000000006
[ 5.024939][ C0] RBP: ffffffff8fb0dd28 R08: 0000000000000006 R09: ffffffff8174e8e9
[ 5.024939][ C0] R10: ffffffff8174e864 R11: 0000000000000000 R12: ffffffff8174e8e9
[ 5.024939][ C0] R13: ffffffff8174e864 R14: dffffc0000000000 R15: ffffffff8fb0dd20
[ 5.024939][ C0] ? __call_rcu_common.constprop.0+0x14/0x790
[ 5.024939][ C0] ? __call_rcu_common.constprop.0+0x99/0x790
[ 5.024939][ C0] ? __call_rcu_common.constprop.0+0x14/0x790
[ 5.024939][ C0] ? __call_rcu_common.constprop.0+0x99/0x790
[ 5.024939][ C0] ? __orc_find+0xc4/0x130
[ 5.024939][ C0] ? __call_rcu_common.constprop.0+0x99/0x790
[ 5.024939][ C0] ? unwind_next_frame+0x51/0x23a0
[ 5.024939][ C0] __orc_find+0xc4/0x130
[ 5.024939][ C0] ? __call_rcu_common.constprop.0+0x99/0x790
[ 5.024939][ C0] unwind_next_frame+0x335/0x23a0
[ 5.024939][ C0] ? __call_rcu_common.constprop.0+0x9a/0x790
[ 5.024939][ C0] ? __pfx_stack_trace_consume_entry+0x10/0x10
[ 5.024939][ C0] arch_stack_walk+0x100/0x170
[ 5.024939][ C0] ? __call_rcu_common.constprop.0+0x9a/0x790
[ 5.024939][ C0] stack_trace_save+0x95/0xd0
[ 5.024939][ C0] ? __pfx_stack_trace_save+0x10/0x10
[ 5.024939][ C0] kasan_save_stack+0x33/0x60
[ 5.024939][ C0] ? kasan_save_stack+0x33/0x60
[ 5.024939][ C0] ? __kasan_record_aux_stack+0xba/0xd0
[ 5.024939][ C0] ? __call_rcu_common.constprop.0+0x9a/0x790
[ 5.024939][ C0] __kasan_record_aux_stack+0xba/0xd0
[ 5.024939][ C0] ? __pfx_rcu_free_pwq+0x10/0x10
[ 5.024939][ C0] __call_rcu_common.constprop.0+0x9a/0x790
[ 5.024939][ C0] pwq_release_workfn+0x4ca/0x9d0
[ 5.024939][ C0] ? _raw_spin_unlock_irq+0x23/0x50
[ 5.024939][ C0] kthread_worker_fn+0x305/0xab0
[ 5.024939][ C0] ? __pfx_pwq_release_workfn+0x10/0x10
[ 5.024939][ C0] ? __pfx_kthread_worker_fn+0x10/0x10
[ 5.024939][ C0] kthread+0x2c1/0x3a0
[ 5.024939][ C0] ? _raw_spin_unlock_irq+0x23/0x50
[ 5.024939][ C0] ? __pfx_kthread+0x10/0x10
[ 5.024939][ C0] ret_from_fork+0x45/0x80
[ 5.024939][ C0] ? __pfx_kthread+0x10/0x10
[ 5.024939][ C0] ret_from_fork_asm+0x1a/0x30
[ 5.024939][ C0] </TASK>
[ 5.024939][ C0] Rebooting in 86400 seconds..


syzkaller build log:
go env (err=<nil>)
GO111MODULE='auto'
GOARCH='amd64'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/syzkaller/jobs-2/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs-2/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.21.4'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/syzkaller/jobs-2/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build860573737=/tmp/go-build -gno-record-gcc-switches'

git status (err=<nil>)
HEAD detached at 454571b6a
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=454571b6a16598f5a6e015b9fb1a04932bce7ab9 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240326-163935'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=454571b6a16598f5a6e015b9fb1a04932bce7ab9 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240326-163935'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=454571b6a16598f5a6e015b9fb1a04932bce7ab9 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240326-163935'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"454571b6a16598f5a6e015b9fb1a04932bce7ab9\"


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=1602fe29180000


Tested on:

commit: fe46a7dd Merge tag 'sound-6.9-rc1' of git://git.kernel..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=aef2a55903e5791c
dashboard link: https://syzkaller.appspot.com/bug?extid=1dab15008502531a13d2
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=16de130d180000

Lizhi Xu

Apr 1, 2024, 4:36:20 AM
to syzbot+1dab15...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
diff --git a/net/core/sock_map.c b/net/core/sock_map.c
index 27d733c0f65e..ae8f81b26e16 100644
--- a/net/core/sock_map.c
+++ b/net/core/sock_map.c
@@ -932,11 +932,12 @@ static long sock_hash_delete_elem(struct bpf_map *map, void *key)
struct bpf_shtab_bucket *bucket;
struct bpf_shtab_elem *elem;
int ret = -ENOENT;
+ unsigned long flags;

hash = sock_hash_bucket_hash(key, key_size);
bucket = sock_hash_select_bucket(htab, hash);

- spin_lock_bh(&bucket->lock);
+ spin_lock_irqsave(&bucket->lock, flags);
elem = sock_hash_lookup_elem_raw(&bucket->head, hash, key, key_size);
if (elem) {
hlist_del_rcu(&elem->node);
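Review bot: this posting carries no changelog and no Signed-off-by, so the reader is left to infer from the syzbot subject why bucket->lock must become hardirq-safe; the description should state which caller of sock_hash_delete_elem can run with hardirqs already disabled or from hardirq context, since that is the only justification for trading spin_lock_bh for spin_lock_irqsave here. Note also that lockdep tracks a lock class, not a call site: once this acquisition is recorded with interrupts disabled, any remaining spin_lock_bh(&bucket->lock) user of the same class will be reported as the next {IN-HARDIRQ-W} -> {HARDIRQ-ON-W} inconsistency, so every acquisition of bucket->lock needs to move in the same patch, or the description needs to say why the others cannot be reached that way. Minor style point for the same hunk: `unsigned long flags;` is appended after `int ret = -ENOENT;`, which breaks the longest-declaration-first ordering the networking tree expects; move it above `int ret`.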
@@ -944,7 +945,7 @@ static long sock_hash_delete_elem(struct bpf_map *map, void *key)
sock_hash_free_elem(htab, elem);
ret = 0;
}
- spin_unlock_bh(&bucket->lock);
+ spin_unlock_irqrestore(&bucket->lock, flags);
return ret;
}

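Review bot: with the unlock at the end of this hunk now spin_unlock_irqrestore, everything between the lock and this point (hlist_del_rcu, sock_hash_free_elem and whatever sits between them) runs with local interrupts disabled rather than only with softirqs off, so that section must stay short and must not call anything that can sleep or re-enable interrupts; the description should confirm that sock_hash_free_elem and the unref path it follows are safe under irqs-off. Given that, the pairing itself is correct: `flags` saved in the first hunk is restored here and there is no early return between the two.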
@@ -1136,6 +1137,7 @@ static void sock_hash_free(struct bpf_map *map)
struct bpf_shtab_elem *elem;
struct hlist_node *node;
int i;
+ unsigned long flags;

/* After the sync no updates or deletes will be in-flight so it
* is safe to walk map and remove entries without risking a race
@@ -1151,11 +1153,11 @@ static void sock_hash_free(struct bpf_map *map)
* exists, psock exists and holds a ref to socket. That
* lets us to grab a socket ref too.
*/
- spin_lock_bh(&bucket->lock);
+ spin_lock_irqsave(&bucket->lock, flags);
hlist_for_each_entry(elem, &bucket->head, node)
sock_hold(elem->sk);
hlist_move_list(&bucket->head, &unlink_list);
- spin_unlock_bh(&bucket->lock);
+ spin_unlock_irqrestore(&bucket->lock, flags);

/* Process removed entries out of atomic context to
* block for socket lock before deleting the psock's
--
2.43.0

syzbot

Apr 1, 2024, 5:11:06 AM
to linux-...@vger.kernel.org, lizh...@windriver.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+1dab15...@syzkaller.appspotmail.com

Tested on:

commit: fe46a7dd Merge tag 'sound-6.9-rc1' of git://git.kernel..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=11bcf70d180000
kernel config: https://syzkaller.appspot.com/x/.config?x=aef2a55903e5791c
dashboard link: https://syzkaller.appspot.com/bug?extid=1dab15008502531a13d2
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=129b452d180000

Note: testing is done by a robot and is best-effort only.