[syzbot] [kernel?] possible deadlock in try_to_wake_up (3)

26 views
Skip to first unread message

syzbot

unread,
Oct 8, 2023, 7:58:54ā€ÆAM10/8/23
to linux-...@vger.kernel.org, lu...@kernel.org, pet...@infradead.org, syzkall...@googlegroups.com, tg...@linutronix.de
Hello,

syzbot found the following issue on:

HEAD commit: 7d730f1bf6f3 Add linux-next specific files for 20231005
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=15f02fa1680000
kernel config: https://syzkaller.appspot.com/x/.config?x=f532286be4fff4b5
dashboard link: https://syzkaller.appspot.com/bug?extid=6b8ea5bb987ec6fe0fd1
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/1d7f28a4398f/disk-7d730f1b.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/d454d124268e/vmlinux-7d730f1b.xz
kernel image: https://storage.googleapis.com/syzbot-assets/dbca966175cb/bzImage-7d730f1b.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+6b8ea5...@syzkaller.appspotmail.com

batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3f) already exists on: batadv_slave_1
======================================================
WARNING: possible circular locking dependency detected
6.6.0-rc4-next-20231005-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.5/5091 is trying to acquire lock:
ffff88801d41e338 (&p->pi_lock){-.-.}-{2:2}, at: class_raw_spinlock_irqsave_constructor include/linux/spinlock.h:518 [inline]
ffff88801d41e338 (&p->pi_lock){-.-.}-{2:2}, at: try_to_wake_up+0xb0/0x15d0 kernel/sched/core.c:4213

but task is already holding lock:
ffffffff8cb98e18 ((console_sem).lock){-...}-{2:2}, at: up+0x16/0xb0 kernel/locking/semaphore.c:187

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #2 ((console_sem).lock){-...}-{2:2}:
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x3a/0x50 kernel/locking/spinlock.c:162
down_trylock+0x12/0x70 kernel/locking/semaphore.c:139
__down_trylock_console_sem+0x40/0x140 kernel/printk/printk.c:323
console_trylock+0x73/0x130 kernel/printk/printk.c:2652
console_trylock_spinning kernel/printk/printk.c:1924 [inline]
vprintk_emit+0x162/0x5f0 kernel/printk/printk.c:2303
vprintk+0x7b/0x90 kernel/printk/printk_safe.c:45
_printk+0xc8/0x100 kernel/printk/printk.c:2329
pick_eevdf kernel/sched/fair.c:963 [inline]
pick_next_entity kernel/sched/fair.c:5247 [inline]
pick_next_task_fair+0x1c5/0x1280 kernel/sched/fair.c:8205
__pick_next_task kernel/sched/core.c:5986 [inline]
pick_next_task kernel/sched/core.c:6061 [inline]
__schedule+0x493/0x5a00 kernel/sched/core.c:6640
preempt_schedule_irq+0x52/0x90 kernel/sched/core.c:6998
irqentry_exit+0x35/0x80 kernel/entry/common.c:432
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:645
kernel_text_address+0x0/0xf0 kernel/extable.c:71
__kernel_text_address+0xd/0x30 kernel/extable.c:79
unwind_get_return_address+0x78/0xe0 arch/x86/kernel/unwind_orc.c:369
arch_stack_walk+0xbe/0x170 arch/x86/kernel/stacktrace.c:26
stack_trace_save+0x96/0xd0 kernel/stacktrace.c:122
save_stack+0x160/0x1f0 mm/page_owner.c:128
__reset_page_owner+0x5a/0x190 mm/page_owner.c:149
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1134 [inline]
free_unref_page_prepare+0x476/0xa40 mm/page_alloc.c:2383
free_unref_page+0x33/0x3b0 mm/page_alloc.c:2518
qlink_free mm/kasan/quarantine.c:166 [inline]
qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:185
kasan_quarantine_reduce+0x18e/0x1d0 mm/kasan/quarantine.c:292
__kasan_slab_alloc+0x65/0x90 mm/kasan/common.c:305
kasan_slab_alloc include/linux/kasan.h:188 [inline]
slab_post_alloc_hook mm/slab.h:758 [inline]
slab_alloc_node mm/slub.c:3478 [inline]
slab_alloc mm/slub.c:3486 [inline]
__kmem_cache_alloc_lru mm/slub.c:3493 [inline]
kmem_cache_alloc+0x15d/0x380 mm/slub.c:3502
kmem_cache_zalloc include/linux/slab.h:711 [inline]
alloc_empty_file+0x73/0x1d0 fs/file_table.c:223
path_openat+0xdd/0x2ce0 fs/namei.c:3763
do_filp_open+0x1de/0x430 fs/namei.c:3807
do_sys_openat2+0x176/0x1e0 fs/open.c:1422
do_sys_open fs/open.c:1437 [inline]
__do_sys_openat fs/open.c:1453 [inline]
__se_sys_openat fs/open.c:1448 [inline]
__x64_sys_openat+0x175/0x210 fs/open.c:1448
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x63/0xcd

-> #1 (&rq->__lock){-.-.}-{2:2}:
_raw_spin_lock_nested+0x31/0x40 kernel/locking/spinlock.c:378
raw_spin_rq_lock_nested+0x29/0x130 kernel/sched/core.c:558
raw_spin_rq_lock kernel/sched/sched.h:1357 [inline]
rq_lock kernel/sched/sched.h:1671 [inline]
task_fork_fair+0x70/0x240 kernel/sched/fair.c:12399
sched_cgroup_fork+0x3cf/0x510 kernel/sched/core.c:4799
copy_process+0x4580/0x74b0 kernel/fork.c:2609
kernel_clone+0xfd/0x920 kernel/fork.c:2907
user_mode_thread+0xb4/0xf0 kernel/fork.c:2985
rest_init+0x27/0x2b0 init/main.c:691
arch_call_rest_init+0x13/0x30 init/main.c:823
start_kernel+0x39f/0x480 init/main.c:1068
x86_64_start_reservations+0x18/0x30 arch/x86/kernel/head64.c:556
x86_64_start_kernel+0xb2/0xc0 arch/x86/kernel/head64.c:537
secondary_startup_64_no_verify+0x166/0x16b

-> #0 (&p->pi_lock){-.-.}-{2:2}:
check_prev_add kernel/locking/lockdep.c:3134 [inline]
check_prevs_add kernel/locking/lockdep.c:3253 [inline]
validate_chain kernel/locking/lockdep.c:3868 [inline]
__lock_acquire+0x2e3d/0x5de0 kernel/locking/lockdep.c:5136
lock_acquire kernel/locking/lockdep.c:5753 [inline]
lock_acquire+0x1ae/0x510 kernel/locking/lockdep.c:5718
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x3a/0x50 kernel/locking/spinlock.c:162
class_raw_spinlock_irqsave_constructor include/linux/spinlock.h:518 [inline]
try_to_wake_up+0xb0/0x15d0 kernel/sched/core.c:4213
up+0x79/0xb0 kernel/locking/semaphore.c:191
__up_console_sem kernel/printk/printk.c:340 [inline]
__console_unlock kernel/printk/printk.c:2699 [inline]
console_unlock+0x1cf/0x260 kernel/printk/printk.c:3031
vprintk_emit+0x17f/0x5f0 kernel/printk/printk.c:2304
vprintk+0x7b/0x90 kernel/printk/printk_safe.c:45
_printk+0xc8/0x100 kernel/printk/printk.c:2329
batadv_check_known_mac_addr+0x21f/0x440 net/batman-adv/hard-interface.c:526
batadv_hard_if_event+0x1048/0x1660 net/batman-adv/hard-interface.c:998
notifier_call_chain+0xb6/0x3b0 kernel/notifier.c:93
call_netdevice_notifiers_info+0xb9/0x130 net/core/dev.c:1970
call_netdevice_notifiers_extack net/core/dev.c:2008 [inline]
call_netdevice_notifiers net/core/dev.c:2022 [inline]
dev_set_mac_address+0x36f/0x4a0 net/core/dev.c:8860
dev_set_mac_address_user+0x30/0x50 net/core/dev.c:8874
do_setlink+0x6e9/0x3fa0 net/core/rtnetlink.c:2864
__rtnl_newlink+0xc1d/0x1940 net/core/rtnetlink.c:3707
rtnl_newlink+0x67/0xa0 net/core/rtnetlink.c:3754
rtnetlink_rcv_msg+0x3c4/0xdf0 net/core/rtnetlink.c:6480
netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2545
netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]
netlink_unicast+0x536/0x810 net/netlink/af_netlink.c:1368
netlink_sendmsg+0x93c/0xe40 net/netlink/af_netlink.c:1910
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0xd5/0x180 net/socket.c:745
__sys_sendto+0x255/0x340 net/socket.c:2194
__do_sys_sendto net/socket.c:2206 [inline]
__se_sys_sendto net/socket.c:2202 [inline]
__x64_sys_sendto+0xe0/0x1b0 net/socket.c:2202
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x63/0xcd

other info that might help us debug this:

Chain exists of:
&p->pi_lock --> &rq->__lock --> (console_sem).lock

Possible unsafe locking scenario:

CPU0 CPU1
---- ----
lock((console_sem).lock);
lock(&rq->__lock);
lock((console_sem).lock);
lock(&p->pi_lock);

*** DEADLOCK ***

4 locks held by syz-executor.5/5091:
#0: ffffffff8e60db28 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline]
#0: ffffffff8e60db28 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x36f/0xdf0 net/core/rtnetlink.c:6477
#1: ffffffff8e6001b0 (dev_addr_sem){++++}-{3:3}, at: dev_set_mac_address_user+0x22/0x50 net/core/dev.c:8873
#2: ffffffff8cbab220 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:303 [inline]
#2: ffffffff8cbab220 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:749 [inline]
#2: ffffffff8cbab220 (rcu_read_lock){....}-{1:2}, at: batadv_check_known_mac_addr+0x38/0x440 net/batman-adv/hard-interface.c:513
#3: ffffffff8cb98e18 ((console_sem).lock){-...}-{2:2}, at: up+0x16/0xb0 kernel/locking/semaphore.c:187

stack backtrace:
CPU: 0 PID: 5091 Comm: syz-executor.5 Not tainted 6.6.0-rc4-next-20231005-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
check_noncircular+0x311/0x3f0 kernel/locking/lockdep.c:2187
check_prev_add kernel/locking/lockdep.c:3134 [inline]
check_prevs_add kernel/locking/lockdep.c:3253 [inline]
validate_chain kernel/locking/lockdep.c:3868 [inline]
__lock_acquire+0x2e3d/0x5de0 kernel/locking/lockdep.c:5136
lock_acquire kernel/locking/lockdep.c:5753 [inline]
lock_acquire+0x1ae/0x510 kernel/locking/lockdep.c:5718
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x3a/0x50 kernel/locking/spinlock.c:162
class_raw_spinlock_irqsave_constructor include/linux/spinlock.h:518 [inline]
try_to_wake_up+0xb0/0x15d0 kernel/sched/core.c:4213
up+0x79/0xb0 kernel/locking/semaphore.c:191
__up_console_sem kernel/printk/printk.c:340 [inline]
__console_unlock kernel/printk/printk.c:2699 [inline]
console_unlock+0x1cf/0x260 kernel/printk/printk.c:3031
vprintk_emit+0x17f/0x5f0 kernel/printk/printk.c:2304
vprintk+0x7b/0x90 kernel/printk/printk_safe.c:45
_printk+0xc8/0x100 kernel/printk/printk.c:2329
batadv_check_known_mac_addr+0x21f/0x440 net/batman-adv/hard-interface.c:526
batadv_hard_if_event+0x1048/0x1660 net/batman-adv/hard-interface.c:998
notifier_call_chain+0xb6/0x3b0 kernel/notifier.c:93
call_netdevice_notifiers_info+0xb9/0x130 net/core/dev.c:1970
call_netdevice_notifiers_extack net/core/dev.c:2008 [inline]
call_netdevice_notifiers net/core/dev.c:2022 [inline]
dev_set_mac_address+0x36f/0x4a0 net/core/dev.c:8860
dev_set_mac_address_user+0x30/0x50 net/core/dev.c:8874
do_setlink+0x6e9/0x3fa0 net/core/rtnetlink.c:2864
__rtnl_newlink+0xc1d/0x1940 net/core/rtnetlink.c:3707
rtnl_newlink+0x67/0xa0 net/core/rtnetlink.c:3754
rtnetlink_rcv_msg+0x3c4/0xdf0 net/core/rtnetlink.c:6480
netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2545
netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]
netlink_unicast+0x536/0x810 net/netlink/af_netlink.c:1368
netlink_sendmsg+0x93c/0xe40 net/netlink/af_netlink.c:1910
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0xd5/0x180 net/socket.c:745
__sys_sendto+0x255/0x340 net/socket.c:2194
__do_sys_sendto net/socket.c:2206 [inline]
__se_sys_sendto net/socket.c:2202 [inline]
__x64_sys_sendto+0xe0/0x1b0 net/socket.c:2202
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f75f027e7dc
Code: 1a 51 02 00 44 8b 4c 24 2c 4c 8b 44 24 20 89 c5 44 8b 54 24 28 48 8b 54 24 18 b8 2c 00 00 00 48 8b 74 24 10 8b 7c 24 08 0f 05 <48> 3d 00 f0 ff ff 77 34 89 ef 48 89 44 24 08 e8 60 51 02 00 48 8b
RSP: 002b:00007ffece75e400 EFLAGS: 00000293 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007f75f0ec4620 RCX: 00007f75f027e7dc
RDX: 000000000000002c RSI: 00007f75f0ec4670 RDI: 0000000000000003
RBP: 0000000000000000 R08: 00007ffece75e454 R09: 000000000000000c
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000001
R13: 0000000000000000 R14: 00007f75f0ec4670 R15: 0000000000000000
</TASK>
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3f) already exists on: batadv_slave_1
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3f) already exists on: batadv_slave_1
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: batadv0: Interface activated: batadv_slave_1
netdevsim netdevsim5 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim5 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim5 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim5 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
ieee80211 phy11: Selected rate control algorithm 'minstrel_ht'
ieee80211 phy14: Selected rate control algorithm 'minstrel_ht'


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Pengfei Xu

unread,
Nov 7, 2023, 9:09:14ā€ÆPM11/7/23
to syzbot, pet...@infradead.org, linux-...@vger.kernel.org, lu...@kernel.org, pet...@infradead.org, syzkall...@googlegroups.com, tg...@linutronix.de, pengf...@intel.com, hen...@intel.com, l...@intel.com
Dear Peter and syzbot,

On 2023-10-08 at 04:58:53 -0700, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 7d730f1bf6f3 Add linux-next specific files for 20231005
> git tree: linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=15f02fa1680000
> kernel config: https://syzkaller.appspot.com/x/.config?x=f532286be4fff4b5
> dashboard link: https://syzkaller.appspot.com/bug?extid=6b8ea5bb987ec6fe0fd1
> compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
>
> Unfortunately, I don't have any reproducer for this issue yet.
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/1d7f28a4398f/disk-7d730f1b.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/d454d124268e/vmlinux-7d730f1b.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/dbca966175cb/bzImage-7d730f1b.xz

I found the similar issue and internal syzkaller & bisect tool generated the
reproduced code and bisect info: "possible deadlock in try_to_wake_up in v6.6"

All syzkaller and bisect info: https://github.com/xupengfe/syzkaller_logs/tree/main/231108_011342_try_to_wake_up
Syzkaller reproduced code: https://github.com/xupengfe/syzkaller_logs/blob/main/231108_011342_try_to_wake_up/repro.c
Syzkaller reproduced syscall steps: https://github.com/xupengfe/syzkaller_logs/blob/main/231108_011342_try_to_wake_up/repro.prog
Syzkaller repro.stats analysis: https://github.com/xupengfe/syzkaller_logs/blob/main/231108_011342_try_to_wake_up/repro.report
Kconfig(then make olddefconfig): https://github.com/xupengfe/syzkaller_logs/blob/main/231108_011342_try_to_wake_up/kconfig_origin
Bisect info: https://github.com/xupengfe/syzkaller_logs/blob/main/231108_011342_try_to_wake_up/bisect_info.log
Issue dmesg: https://github.com/xupengfe/syzkaller_logs/blob/main/231108_011342_try_to_wake_up/ffc253263a1375a65fa6c9f62a893e9767fbebfa_dmesg.log
Reproduced bzImage: https://github.com/xupengfe/syzkaller_logs/blob/main/231108_011342_try_to_wake_up/bzImage_ffc253263a1375a65fa6c9f62a893e9767fbebfa.tar.gz

Bisected and found first bad commit is:
"
f3c0eba28704 perf: Add a few assertions
"

Unfortunately, made reverted commit on top of v6.6 kernel failed, could not
double confirm for this problem.

I hope it's helpful.

Related dmesg info:
"
[ 21.631830]
[ 21.631835] ======================================================
[ 21.631838] WARNING: possible circular locking dependency detected
[ 21.631842] 6.6.0-ffc253263a13+ #1 Not tainted
[ 21.631848] ------------------------------------------------------
[ 21.631850] repro/727 is trying to acquire lock:
[ 21.631856] ffff888010f15760 (&p->pi_lock){-.-.}-{2:2}, at: try_to_wake_up+0xc0/0x1af0
[ 21.631884]
[ 21.631884] but task is already holding lock:
[ 21.631887] ffffffff86c4c0f8 ((console_sem).lock){-...}-{2:2}, at: up+0x21/0xc0
[ 21.631922]
[ 21.631922] which lock already depends on the new lock.
[ 21.631922]
[ 21.631925]
[ 21.631925] the existing dependency chain (in reverse order) is:
[ 21.631928]
[ 21.631928] -> #3 ((console_sem).lock){-...}-{2:2}:
[ 21.631940] _raw_spin_lock_irqsave+0x52/0x80
[ 21.631953] down_trylock+0x1c/0x80
[ 21.631967] __down_trylock_console_sem+0x4f/0xe0
[ 21.631981] console_trylock+0x7f/0x150
[ 21.631995] vprintk_emit+0x278/0x6b0
[ 21.632011] vprintk_default+0x2f/0x40
[ 21.632026] vprintk+0xd0/0x170
[ 21.632034] _printk+0xc4/0x100
[ 21.632046] ex_handler_msr+0x456/0x560
[ 21.632056] fixup_exception+0x8f7/0xce0
[ 21.632066] gp_try_fixup_and_notify.constprop.0+0x30/0x1b0
[ 21.632082] exc_general_protection+0x139/0x340
[ 21.632098] asm_exc_general_protection+0x2b/0x30
[ 21.632113] native_write_msr+0x22/0x60
[ 21.632125] __intel_pmu_enable_all.constprop.0+0x144/0x390
[ 21.632139] intel_pmu_enable_all+0x1e/0x30
[ 21.632152] x86_pmu_enable+0x574/0xe50
[ 21.632164] perf_ctx_enable+0x11e/0x1c0
[ 21.632179] ctx_resched+0x137/0x160
[ 21.632190] __perf_install_in_context+0x244/0x970
[ 21.632203] remote_function+0x136/0x1b0
[ 21.632214] generic_exec_single+0x202/0x560
[ 21.632227] smp_call_function_single+0x196/0x470
[ 21.632239] perf_install_in_context+0x4f4/0x5a0
[ 21.632254] perf_event_create_kernel_counter+0x4e3/0x680
[ 21.632268] hardlockup_detector_event_create+0xd1/0x1d0
[ 21.632282] watchdog_hardlockup_probe+0x34/0xa0
[ 21.632297] lockup_detector_init+0x72/0x100
[ 21.632309] kernel_init_freeable+0x93e/0x1120
[ 21.632320] kernel_init+0x28/0x2e0
[ 21.632329] ret_from_fork+0x56/0x90
[ 21.632343] ret_from_fork_asm+0x1b/0x30
[ 21.632360]
[ 21.632360] -> #2 (&cpuctx_lock){-...}-{2:2}:
[ 21.632372] _raw_spin_lock+0x38/0x50
[ 21.632382] perf_cgroup_switch+0x1af/0x350
[ 21.632394] __perf_event_task_sched_out+0x12d/0x1710
[ 21.632407] __schedule+0x15a7/0x3010
[ 21.632419] schedule+0x141/0x230
[ 21.632430] schedule_preempt_disabled+0x1c/0x30
[ 21.632443] __mutex_lock+0xd8a/0x1a40
[ 21.632456] mutex_lock_nested+0x1f/0x30
[ 21.632470] tty_open+0x5a4/0x1500
[ 21.632481] chrdev_open+0x2b1/0x790
[ 21.632492] do_dentry_open+0x67c/0x1580
[ 21.632503] vfs_open+0xba/0xf0
[ 21.632516] path_openat+0x1d25/0x2920
[ 21.632532] do_filp_open+0x1ce/0x420
[ 21.632541] do_sys_openat2+0x185/0x1f0
[ 21.632555] __x64_sys_openat+0x17a/0x240
[ 21.632570] do_syscall_64+0x3c/0x90
[ 21.632581] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[ 21.632595]
[ 21.632595] -> #1 (&rq->__lock){-.-.}-{2:2}:
[ 21.632608] _raw_spin_lock_nested+0x3e/0x60
[ 21.632619] raw_spin_rq_lock_nested+0x2c/0x40
[ 21.632629] task_fork_fair+0x69/0x1e0
[ 21.632645] sched_cgroup_fork+0x437/0x6c0
[ 21.632658] copy_process+0x44e0/0x7130
[ 21.632670] kernel_clone+0xfd/0x890
[ 21.632681] user_mode_thread+0xc5/0x100
[ 21.632693] rest_init+0x32/0x2c0
[ 21.632701] arch_call_rest_init+0x1c/0x50
[ 21.632711] start_kernel+0x3dd/0x510
[ 21.632721] x86_64_start_reservations+0x1c/0x30
[ 21.632736] x86_64_start_kernel+0xa0/0xb0
[ 21.632751] secondary_startup_64_no_verify+0x17d/0x18b
[ 21.632771]
[ 21.632771] -> #0 (&p->pi_lock){-.-.}-{2:2}:
[ 21.632783] __lock_acquire+0x2fe2/0x5c70
[ 21.632796] lock_acquire+0x1c9/0x530
[ 21.632808] _raw_spin_lock_irqsave+0x52/0x80
[ 21.632819] try_to_wake_up+0xc0/0x1af0
[ 21.632829] wake_up_process+0x19/0x20
[ 21.632839] __up.isra.0+0xec/0x130
[ 21.632853] up+0x90/0xc0
[ 21.632866] console_unlock+0x2cb/0x310
[ 21.632880] con_install+0x176/0x640
[ 21.632894] tty_init_dev.part.0+0xa8/0x6b0
[ 21.632904] tty_open+0xc86/0x1500
[ 21.632914] chrdev_open+0x2b1/0x790
[ 21.632924] do_dentry_open+0x67c/0x1580
[ 21.632936] vfs_open+0xba/0xf0
[ 21.632949] path_openat+0x1d25/0x2920
[ 21.632964] do_filp_open+0x1ce/0x420
[ 21.632973] do_sys_openat2+0x185/0x1f0
[ 21.632988] __x64_sys_openat+0x17a/0x240
[ 21.633003] do_syscall_64+0x3c/0x90
[ 21.633013] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[ 21.633028]
[ 21.633028] other info that might help us debug this:
[ 21.633028]
[ 21.633031] Chain exists of:
[ 21.633031] &p->pi_lock --> &cpuctx_lock --> (console_sem).lock
[ 21.633031]
[ 21.633046] Possible unsafe locking scenario:
[ 21.633046]
[ 21.633048] CPU0 CPU1
[ 21.633050] ---- ----
[ 21.633053] lock((console_sem).lock);
[ 21.633058] lock(&cpuctx_lock);
[ 21.633064] lock((console_sem).lock);
[ 21.633071] lock(&p->pi_lock);
[ 21.633076]
[ 21.633076] *** DEADLOCK ***
[ 21.633076]
[ 21.633078] 3 locks held by repro/727:
[ 21.633084] #0: ffffffff87225f28 (tty_mutex){+.+.}-{3:3}, at: tty_open+0x5a4/0x1500
[ 21.633110] #1: ffff88800eed91c0 (&tty->legacy_mutex){+.+.}-{3:3}, at: tty_lock+0x88/0xc0
[ 21.633136] #2: ffffffff86c4c0f8 ((console_sem).lock){-...}-{2:2}, at: up+0x21/0xc0
[ 21.633166]
[ 21.633166] stack backtrace:
[ 21.633168] CPU: 1 PID: 727 Comm: repro Not tainted 6.6.0-ffc253263a13+ #1
[ 21.633180] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
[ 21.633187] Call Trace:
[ 21.633190] <TASK>
[ 21.633194] dump_stack_lvl+0xaa/0x110
[ 21.633209] dump_stack+0x19/0x20
[ 21.633222] print_circular_bug+0x47e/0x750
[ 21.633239] check_noncircular+0x2f7/0x3e0
[ 21.633254] ? __pfx_check_noncircular+0x10/0x10
[ 21.633273] ? __pfx_lockdep_lock+0x10/0x10
[ 21.633284] ? __sanitizer_cov_trace_const_cmp8+0x1c/0x30
[ 21.633304] __lock_acquire+0x2fe2/0x5c70
[ 21.633325] ? __pfx___lock_acquire+0x10/0x10
[ 21.633343] ? __kasan_check_read+0x15/0x20
[ 21.633358] lock_acquire+0x1c9/0x530
[ 21.633373] ? try_to_wake_up+0xc0/0x1af0
[ 21.633388] ? __pfx_lock_acquire+0x10/0x10
[ 21.633405] ? __pfx___lock_acquire+0x10/0x10
[ 21.633422] ? __pfx_lock_release+0x10/0x10
[ 21.633442] _raw_spin_lock_irqsave+0x52/0x80
[ 21.633456] ? try_to_wake_up+0xc0/0x1af0
[ 21.633470] try_to_wake_up+0xc0/0x1af0
[ 21.633485] ? __pfx_try_to_wake_up+0x10/0x10
[ 21.633499] ? __pfx_do_raw_spin_lock+0x10/0x10
[ 21.633518] ? __pfx_lock_release+0x10/0x10
[ 21.633536] wake_up_process+0x19/0x20
[ 21.633549] __up.isra.0+0xec/0x130
[ 21.633567] up+0x90/0xc0
[ 21.633585] console_unlock+0x2cb/0x310
[ 21.633603] ? __pfx_console_unlock+0x10/0x10
[ 21.633622] ? tty_init_termios+0x1f8/0x570
[ 21.633642] ? __sanitizer_cov_trace_const_cmp4+0x1a/0x20
[ 21.633659] ? tty_standard_install+0x82/0x190
[ 21.633680] con_install+0x176/0x640
[ 21.633698] ? __pfx_con_install+0x10/0x10
[ 21.633716] ? mutex_lock_nested+0x1f/0x30
[ 21.633733] ? __pfx_con_install+0x10/0x10
[ 21.633751] tty_init_dev.part.0+0xa8/0x6b0
[ 21.633766] tty_open+0xc86/0x1500
[ 21.633781] ? __pfx_tty_open+0x10/0x10
[ 21.633796] ? do_raw_spin_unlock+0x15d/0x210
[ 21.633814] ? __pfx_tty_open+0x10/0x10
[ 21.633825] chrdev_open+0x2b1/0x790
[ 21.633838] ? __pfx_chrdev_open+0x10/0x10
[ 21.633849] ? fsnotify_perm.part.0+0x27d/0x660
[ 21.633867] do_dentry_open+0x67c/0x1580
[ 21.633882] ? __pfx_chrdev_open+0x10/0x10
[ 21.633899] vfs_open+0xba/0xf0
[ 21.633915] path_openat+0x1d25/0x2920
[ 21.633941] ? __pfx_path_openat+0x10/0x10
[ 21.633959] ? __this_cpu_preempt_check+0x21/0x30
[ 21.633976] ? lock_is_held_type+0xf0/0x150
[ 21.633994] do_filp_open+0x1ce/0x420
[ 21.634006] ? __pfx_do_filp_open+0x10/0x10
[ 21.634018] ? lock_release+0x417/0x7e0
[ 21.634040] ? do_raw_spin_unlock+0x15d/0x210
[ 21.634067] do_sys_openat2+0x185/0x1f0
[ 21.634083] ? __pfx_do_sys_openat2+0x10/0x10
[ 21.634101] ? trace_hardirqs_on+0x26/0x120
[ 21.634121] ? seqcount_lockdep_reader_access.constprop.0+0xc0/0xd0
[ 21.634140] __x64_sys_openat+0x17a/0x240
[ 21.634158] ? __pfx___x64_sys_openat+0x10/0x10
[ 21.634178] ? syscall_trace_enter.constprop.0+0x160/0x1e0
[ 21.634197] do_syscall_64+0x3c/0x90
[ 21.634210] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[ 21.634226] RIP: 0033:0x7f7333d3e84b
[ 21.634235] Code: 25 00 00 41 00 3d 00 00 41 00 74 4b 64 8b 04 25 18 00 00 00 85 c0 75 67 44 89 e2 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 91 00 00 00 48 8b 54 24 28 64 48 2b 14 25
[ 21.634246] RSP: 002b:00007ffff86ffd70 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
[ 21.634257] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7333d3e84b
[ 21.634265] RDX: 0000000000000002 RSI: 00007ffff86ffe10 RDI: 00000000ffffff9c
[ 21.634272] RBP: 00007ffff86ffe10 R08: 0000000000000000 R09: 00007ffff86ffb86
[ 21.634279] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002
[ 21.634285] R13: 0000000000401e37 R14: 0000000000403e08 R15: 00007f7333eb0000
[ 21.634302] </TASK>
"

---

If you don't need the following environment to reproduce the problem or if you
already have one reproduced environment, please ignore the following
information.

How to reproduce:
git clone https://gitlab.com/xupengfe/repro_vm_env.git
cd repro_vm_env
tar -xvf repro_vm_env.tar.gz
cd repro_vm_env; ./start3.sh // it needs qemu-system-x86_64 and I used v7.1.0
// start3.sh will load bzImage_2241ab53cbb5cdb08a6b2d4688feb13971058f65 v6.2-rc5 kernel
// You could change the bzImage_xxx as you want
// Maybe you need to remove line "-drive if=pflash,format=raw,readonly=on,file=./OVMF_CODE.fd \" for different qemu version
You could use below command to log in, there is no password for root.
ssh -p 10023 root@localhost

After login vm(virtual machine) successfully, you could transfer reproduced
binary to the vm by below way, and reproduce the problem in vm:
gcc -pthread -o repro repro.c
scp -P 10023 repro root@localhost:/root/

Get the bzImage for target kernel:
Please use target kconfig and copy it to kernel_src/.config
make olddefconfig
make -jx bzImage //x should equal or less than cpu num your pc has

Fill the bzImage file into above start3.sh to load the target kernel in vm.


Tips:
If you already have qemu-system-x86_64, please ignore below info.
If you want to install qemu v7.1.0 version:
git clone https://github.com/qemu/qemu.git
cd qemu
git checkout -f v7.1.0
mkdir build
cd build
yum install -y ninja-build.x86_64
yum -y install libslirp-devel.x86_64
../configure --target-list=x86_64-softmmu --enable-kvm --enable-vnc --enable-gtk --enable-sdl --enable-usb-redir --enable-slirp
make
make install

Best Regards,
Thanks!

syzbot

unread,
Nov 26, 2023, 9:05:17ā€ÆPM11/26/23
to syzkall...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.
Reply all
Reply to author
Forward
0 new messages