BUG: sleeping function called from invalid context in __kmalloc

[syzbot]

Hello,

syzbot found the following crash on:

HEAD commit: 90568ecf Merge tag 'kvm-5.6-2' of git://git.kernel.org/pub..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=107413bee00000
kernel config: https://syzkaller.appspot.com/x/.config?x=69fa012479f9a62
dashboard link: https://syzkaller.appspot.com/bug?extid=98704a51af8e3d9425a9
compiler: clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+98704a...@syzkaller.appspotmail.com

BUG: sleeping function called from invalid context at mm/slab.h:565
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 12445, name: syz-executor.1
1 lock held by syz-executor.1/12445:
#0: ffffffff89310218 (sb_lock){+.+.}, at: spin_lock include/linux/spinlock.h:338 [inline]
#0: ffffffff89310218 (sb_lock){+.+.}, at: sget_fc+0xdc/0x640 fs/super.c:521
Preemption disabled at:
[<ffffffff81be818c>] spin_lock include/linux/spinlock.h:338 [inline]
[<ffffffff81be818c>] sget_fc+0xdc/0x640 fs/super.c:521
CPU: 0 PID: 12445 Comm: syz-executor.1 Not tainted 5.5.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fb/0x318 lib/dump_stack.c:118
___might_sleep+0x449/0x5e0 kernel/sched/core.c:6800
__might_sleep+0x8f/0x100 kernel/sched/core.c:6753
slab_pre_alloc_hook mm/slab.h:565 [inline]
slab_alloc mm/slab.c:3306 [inline]
__do_kmalloc mm/slab.c:3654 [inline]
__kmalloc+0x6f/0x340 mm/slab.c:3665
kmalloc include/linux/slab.h:560 [inline]
path_remove_extra_slash+0xae/0x2a0 fs/ceph/super.c:495
compare_mount_options fs/ceph/super.c:553 [inline]
ceph_compare_super+0x1d4/0x560 fs/ceph/super.c:1052
sget_fc+0x139/0x640 fs/super.c:524
ceph_get_tree+0x467/0x1540 fs/ceph/super.c:1127
vfs_get_tree+0x8b/0x2a0 fs/super.c:1547
do_new_mount fs/namespace.c:2822 [inline]
do_mount+0x18ee/0x25a0 fs/namespace.c:3142
__do_sys_mount fs/namespace.c:3351 [inline]
__se_sys_mount+0xdd/0x110 fs/namespace.c:3328
__x64_sys_mount+0xbf/0xd0 fs/namespace.c:3328
do_syscall_64+0xf7/0x1c0 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45b399
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f77dba0ec78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007f77dba0f6d4 RCX: 000000000045b399
RDX: 0000000020000140 RSI: 00000000200000c0 RDI: 0000000020000040
RBP: 000000000075c070 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 0000000000000745 R14: 00000000004c8c38 R15: 000000000075c07c
ceph: No mds server is up or the cluster is laggy


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

[syzbot]

syzbot has found a reproducer for the following crash on:

HEAD commit: 90568ecf Merge tag 'kvm-5.6-2' of git://git.kernel.org/pub..
git tree: upstream

console output: https://syzkaller.appspot.com/x/log.txt?x=15b26831e00000

kernel config: https://syzkaller.appspot.com/x/.config?x=69fa012479f9a62
dashboard link: https://syzkaller.appspot.com/bug?extid=98704a51af8e3d9425a9
compiler: clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)

syz repro: https://syzkaller.appspot.com/x/repro.syz?x=172182b5e00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1590aab5e00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+98704a...@syzkaller.appspotmail.com

BUG: sleeping function called from invalid context at mm/slab.h:565

in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 8873, name: syz-executor545
1 lock held by syz-executor545/8873:

#0: ffffffff89310218 (sb_lock){+.+.}, at: spin_lock include/linux/spinlock.h:338 [inline]
#0: ffffffff89310218 (sb_lock){+.+.}, at: sget_fc+0xdc/0x640 fs/super.c:521
Preemption disabled at:
[<ffffffff81be818c>] spin_lock include/linux/spinlock.h:338 [inline]
[<ffffffff81be818c>] sget_fc+0xdc/0x640 fs/super.c:521

CPU: 1 PID: 8873 Comm: syz-executor545 Not tainted 5.5.0-syzkaller #0

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fb/0x318 lib/dump_stack.c:118
___might_sleep+0x449/0x5e0 kernel/sched/core.c:6800
__might_sleep+0x8f/0x100 kernel/sched/core.c:6753
slab_pre_alloc_hook mm/slab.h:565 [inline]
slab_alloc mm/slab.c:3306 [inline]
__do_kmalloc mm/slab.c:3654 [inline]
__kmalloc+0x6f/0x340 mm/slab.c:3665
kmalloc include/linux/slab.h:560 [inline]
path_remove_extra_slash+0xae/0x2a0 fs/ceph/super.c:495
compare_mount_options fs/ceph/super.c:553 [inline]
ceph_compare_super+0x1d4/0x560 fs/ceph/super.c:1052
sget_fc+0x139/0x640 fs/super.c:524
ceph_get_tree+0x467/0x1540 fs/ceph/super.c:1127
vfs_get_tree+0x8b/0x2a0 fs/super.c:1547
do_new_mount fs/namespace.c:2822 [inline]
do_mount+0x18ee/0x25a0 fs/namespace.c:3142
__do_sys_mount fs/namespace.c:3351 [inline]
__se_sys_mount+0xdd/0x110 fs/namespace.c:3328
__x64_sys_mount+0xbf/0xd0 fs/namespace.c:3328
do_syscall_64+0xf7/0x1c0 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x49/0xbe

RIP: 0033:0x441289
Code: e8 ac e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffe85f476d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441289

RDX: 0000000020000140 RSI: 00000000200000c0 RDI: 0000000020000040

RBP: 00000000006cb018 R08: 0000000000000000 R09: 00000000004002c8
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000402000
R13: 0000000000402090 R14: 0000000000000000 R15: 0000000000000000

[Al Viro]

On Fri, Feb 07, 2020 at 09:44:10AM -0800, syzbot wrote:
> syzbot has found a reproducer for the following crash on:
>
> HEAD commit: 90568ecf Merge tag 'kvm-5.6-2' of git://git.kernel.org/pub..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=15b26831e00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=69fa012479f9a62
> dashboard link: https://syzkaller.appspot.com/bug?extid=98704a51af8e3d9425a9
> compiler: clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=172182b5e00000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1590aab5e00000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+98704a...@syzkaller.appspotmail.com

commit 4fbc0c711b2464ee1551850b85002faae0b775d5
Author: Xiubo Li <xiu...@redhat.com>
Date: Fri Dec 20 09:34:04 2019 -0500

ceph: remove the extra slashes in the server path

is broken. You really should not do blocking allocations under spinlocks.
What's more, this is pointless - all you do with the results of two such
calls is strcmp_null, for pity sake... You could do the comparison in
one pass, no need for all of that. Or you could do a normalized copy when
you parse options, store that normalized copy in addition to what you are
storing now and compare _that_.

[Jeff Layton]

Thanks Al,

I'll take a closer look and we'll either fix this up or drop it for now.

--
Jeff Layton <jla...@kernel.org>

[syzbot]

syzbot has bisected this bug to:

commit 4fbc0c711b2464ee1551850b85002faae0b775d5
Author: Xiubo Li <xiu...@redhat.com>

Date: Fri Dec 20 14:34:04 2019 +0000

ceph: remove the extra slashes in the server path

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=166a57bee00000
start commit: 90568ecf Merge tag 'kvm-5.6-2' of git://git.kernel.org/pub..
git tree: upstream
final crash: https://syzkaller.appspot.com/x/report.txt?x=156a57bee00000
console output: https://syzkaller.appspot.com/x/log.txt?x=116a57bee00000

kernel config: https://syzkaller.appspot.com/x/.config?x=69fa012479f9a62
dashboard link: https://syzkaller.appspot.com/bug?extid=98704a51af8e3d9425a9

syz repro: https://syzkaller.appspot.com/x/repro.syz?x=172182b5e00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1590aab5e00000

Reported-by: syzbot+98704a...@syzkaller.appspotmail.com
Fixes: 4fbc0c711b24 ("ceph: remove the extra slashes in the server path")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection