
[syzbot] [xfs?] possible deadlock in xfs_buf_find_insert


syzbot

Jan 28, 2025, 5:29:24 AM
to c...@kernel.org, chanda...@oracle.com, djw...@kernel.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: aa22f4da2a46 Merge tag 'rproc-v6.14' of git://git.kernel.o..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=100175df980000
kernel config: https://syzkaller.appspot.com/x/.config?x=bdecca7d9ba0b0e8
dashboard link: https://syzkaller.appspot.com/bug?extid=acb56162aef712929d3f
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/204a46b0b3d6/disk-aa22f4da.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/d62db5dd211d/vmlinux-aa22f4da.xz
kernel image: https://storage.googleapis.com/syzbot-assets/d9ef2864f84f/bzImage-aa22f4da.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+acb561...@syzkaller.appspotmail.com

======================================================
WARNING: possible circular locking dependency detected
6.13.0-syzkaller-07632-gaa22f4da2a46 #0 Not tainted
------------------------------------------------------
syz.4.192/7178 is trying to acquire lock:
ffff888058756e20 (&bp->b_lock){+.+.}-{3:3}, at: spin_lock include/linux/spinlock.h:351 [inline]
ffff888058756e20 (&bp->b_lock){+.+.}-{3:3}, at: xfs_buf_try_hold fs/xfs/xfs_buf.c:578 [inline]
ffff888058756e20 (&bp->b_lock){+.+.}-{3:3}, at: xfs_buf_find_insert+0x1123/0x1610 fs/xfs/xfs_buf.c:663

but task is already holding lock:
ffff88802268b180 (&bch->bc_lock){+.+.}-{3:3}, at: spin_lock include/linux/spinlock.h:351 [inline]
ffff88802268b180 (&bch->bc_lock){+.+.}-{3:3}, at: xfs_buf_find_insert+0x3da/0x1610 fs/xfs/xfs_buf.c:655

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #1 (&bch->bc_lock){+.+.}-{3:3}:
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5851
__raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
_raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:351 [inline]
xfs_buf_rele_cached fs/xfs/xfs_buf.c:1093 [inline]
xfs_buf_rele+0x2bf/0x1660 fs/xfs/xfs_buf.c:1147
process_one_work kernel/workqueue.c:3236 [inline]
process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3317
worker_thread+0x870/0xd30 kernel/workqueue.c:3398
kthread+0x7a9/0x920 kernel/kthread.c:464
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

-> #0 (&bp->b_lock){+.+.}-{3:3}:
check_prev_add kernel/locking/lockdep.c:3163 [inline]
check_prevs_add kernel/locking/lockdep.c:3282 [inline]
validate_chain+0x18ef/0x5920 kernel/locking/lockdep.c:3906
__lock_acquire+0x1397/0x2100 kernel/locking/lockdep.c:5228
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5851
__raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
_raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:351 [inline]
xfs_buf_try_hold fs/xfs/xfs_buf.c:578 [inline]
xfs_buf_find_insert+0x1123/0x1610 fs/xfs/xfs_buf.c:663
xfs_buf_get_map+0x149a/0x1ac0 fs/xfs/xfs_buf.c:754
xfs_buf_read_map+0x110/0xa50 fs/xfs/xfs_buf.c:862
xfs_trans_read_buf_map+0x260/0xab0 fs/xfs/xfs_trans_buf.c:304
xfs_trans_read_buf fs/xfs/xfs_trans.h:212 [inline]
xfs_read_agf+0x2dc/0x630 fs/xfs/libxfs/xfs_alloc.c:3378
xfs_alloc_read_agf+0x196/0xbe0 fs/xfs/libxfs/xfs_alloc.c:3413
xfs_trim_gather_extents+0x1b2/0x11a0 fs/xfs/xfs_discard.c:203
xfs_trim_perag_extents fs/xfs/xfs_discard.c:374 [inline]
xfs_trim_datadev_extents+0x4c7/0xbb0 fs/xfs/xfs_discard.c:429
xfs_ioc_trim+0x758/0xa90 fs/xfs/xfs_discard.c:887
xfs_file_ioctl+0x84c/0x1c60 fs/xfs/xfs_ioctl.c:1199
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:906 [inline]
__se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

other info that might help us debug this:

Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&bch->bc_lock);
                               lock(&bp->b_lock);
                               lock(&bch->bc_lock);
  lock(&bp->b_lock);

*** DEADLOCK ***

1 lock held by syz.4.192/7178:
#0: ffff88802268b180 (&bch->bc_lock){+.+.}-{3:3}, at: spin_lock include/linux/spinlock.h:351 [inline]
#0: ffff88802268b180 (&bch->bc_lock){+.+.}-{3:3}, at: xfs_buf_find_insert+0x3da/0x1610 fs/xfs/xfs_buf.c:655

stack backtrace:
CPU: 1 UID: 0 PID: 7178 Comm: syz.4.192 Not tainted 6.13.0-syzkaller-07632-gaa22f4da2a46 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_circular_bug+0x13a/0x1b0 kernel/locking/lockdep.c:2076
check_noncircular+0x36a/0x4a0 kernel/locking/lockdep.c:2208
check_prev_add kernel/locking/lockdep.c:3163 [inline]
check_prevs_add kernel/locking/lockdep.c:3282 [inline]
validate_chain+0x18ef/0x5920 kernel/locking/lockdep.c:3906
__lock_acquire+0x1397/0x2100 kernel/locking/lockdep.c:5228
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5851
__raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
_raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:351 [inline]
xfs_buf_try_hold fs/xfs/xfs_buf.c:578 [inline]
xfs_buf_find_insert+0x1123/0x1610 fs/xfs/xfs_buf.c:663
xfs_buf_get_map+0x149a/0x1ac0 fs/xfs/xfs_buf.c:754
xfs_buf_read_map+0x110/0xa50 fs/xfs/xfs_buf.c:862
xfs_trans_read_buf_map+0x260/0xab0 fs/xfs/xfs_trans_buf.c:304
xfs_trans_read_buf fs/xfs/xfs_trans.h:212 [inline]
xfs_read_agf+0x2dc/0x630 fs/xfs/libxfs/xfs_alloc.c:3378
xfs_alloc_read_agf+0x196/0xbe0 fs/xfs/libxfs/xfs_alloc.c:3413
xfs_trim_gather_extents+0x1b2/0x11a0 fs/xfs/xfs_discard.c:203
xfs_trim_perag_extents fs/xfs/xfs_discard.c:374 [inline]
xfs_trim_datadev_extents+0x4c7/0xbb0 fs/xfs/xfs_discard.c:429
xfs_ioc_trim+0x758/0xa90 fs/xfs/xfs_discard.c:887
xfs_file_ioctl+0x84c/0x1c60 fs/xfs/xfs_ioctl.c:1199
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:906 [inline]
__se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f2097f8cd29
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f2098d20038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f20981a6080 RCX: 00007f2097f8cd29
RDX: 00000000200001c0 RSI: 00000000c0185879 RDI: 0000000000000005
RBP: 00007f209800e2a0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000001 R14: 00007f20981a6080 R15: 00007ffefbba5028
</TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Carlos Maiolino

Jan 28, 2025, 5:37:06 AM
to syzbot, chanda...@oracle.com, djw...@kernel.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, syzkall...@googlegroups.com, h...@lst.de
On Tue, Jan 28, 2025 at 02:29:22AM -0800, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: aa22f4da2a46 Merge tag 'rproc-v6.14' of git://git.kernel.o..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=100175df980000
> kernel config: https://syzkaller.appspot.com/x/.config?x=bdecca7d9ba0b0e8
> dashboard link: https://syzkaller.appspot.com/bug?extid=acb56162aef712929d3f
> compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
>
> Unfortunately, I don't have any reproducer for this issue yet.


#syz test: git://git.kernel.org/pub/scm/fs/xfs/xfs-linux.git next-rc

syzbot

Jan 28, 2025, 5:37:07 AM
to c...@kernel.org, c...@kernel.org, chanda...@oracle.com, djw...@kernel.org, h...@lst.de, linux-...@vger.kernel.org, linu...@vger.kernel.org, syzkall...@googlegroups.com
> On Tue, Jan 28, 2025 at 02:29:22AM -0800, syzbot wrote:
>> Hello,
>>
>> syzbot found the following issue on:
>>
>> HEAD commit: aa22f4da2a46 Merge tag 'rproc-v6.14' of git://git.kernel.o..
>> git tree: upstream
>> console output: https://syzkaller.appspot.com/x/log.txt?x=100175df980000
>> kernel config: https://syzkaller.appspot.com/x/.config?x=bdecca7d9ba0b0e8
>> dashboard link: https://syzkaller.appspot.com/bug?extid=acb56162aef712929d3f
>> compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
>>
>> Unfortunately, I don't have any reproducer for this issue yet.
>
>
> #syz test: git://git.kernel.org/pub/scm/fs/xfs/xfs-linux.git next-rc

This crash does not have a reproducer. I cannot test it.

syzbot

Feb 1, 2025, 7:53:26 PM
to c...@kernel.org, chanda...@oracle.com, djw...@kernel.org, h...@lst.de, linux-...@vger.kernel.org, linu...@vger.kernel.org, syzkall...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: 69b8923f5003 Merge tag 'for-linus-6.14-ofs4' of git://git...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1361fddf980000
kernel config: https://syzkaller.appspot.com/x/.config?x=57ab43c279fa614d
dashboard link: https://syzkaller.appspot.com/bug?extid=acb56162aef712929d3f
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=174cd5f8580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=162e2d18580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/ea84ac864e92/disk-69b8923f.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/6a465997b4e0/vmlinux-69b8923f.xz
kernel image: https://storage.googleapis.com/syzbot-assets/d72b67b2bd15/bzImage-69b8923f.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/2d5b00530bed/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+acb561...@syzkaller.appspotmail.com

======================================================
WARNING: possible circular locking dependency detected
6.13.0-syzkaller-09793-g69b8923f5003 #0 Not tainted
------------------------------------------------------
syz-executor278/5867 is trying to acquire lock:
ffff8880787b0da0 (&bp->b_lock){+.+.}-{3:3}, at: spin_lock include/linux/spinlock.h:351 [inline]
ffff8880787b0da0 (&bp->b_lock){+.+.}-{3:3}, at: xfs_buf_try_hold fs/xfs/xfs_buf.c:578 [inline]
ffff8880787b0da0 (&bp->b_lock){+.+.}-{3:3}, at: xfs_buf_find_insert+0x1123/0x1610 fs/xfs/xfs_buf.c:663

but task is already holding lock:
ffff888026f07980 (&bch->bc_lock){+.+.}-{3:3}, at: spin_lock include/linux/spinlock.h:351 [inline]
ffff888026f07980 (&bch->bc_lock){+.+.}-{3:3}, at: xfs_buf_find_insert+0x3da/0x1610 fs/xfs/xfs_buf.c:655
xfs_imap_to_bp+0x18d/0x380 fs/xfs/libxfs/xfs_inode_buf.c:139
xfs_iget_cache_miss fs/xfs/xfs_icache.c:664 [inline]
xfs_iget+0xbe9/0x2ec0 fs/xfs/xfs_icache.c:806
xfs_lookup+0x356/0x690 fs/xfs/xfs_inode.c:553
xfs_vn_lookup+0x192/0x290 fs/xfs/xfs_iops.c:326
__lookup_slow+0x296/0x400 fs/namei.c:1793
lookup_slow+0x53/0x70 fs/namei.c:1810
walk_component+0x2e1/0x410 fs/namei.c:2114
lookup_last fs/namei.c:2612 [inline]
path_lookupat+0x16f/0x450 fs/namei.c:2636
filename_lookup+0x2a3/0x670 fs/namei.c:2665
do_linkat+0x13f/0x6f0 fs/namei.c:4845
__do_sys_link fs/namei.c:4899 [inline]
__se_sys_link fs/namei.c:4897 [inline]
__x64_sys_link+0x82/0x90 fs/namei.c:4897
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

other info that might help us debug this:

Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&bch->bc_lock);
                               lock(&bp->b_lock);
                               lock(&bch->bc_lock);
  lock(&bp->b_lock);

*** DEADLOCK ***

2 locks held by syz-executor278/5867:
#0: ffff8880787e67f0 (&inode->i_sb->s_type->i_mutex_dir_key){.+.+}-{4:4}, at: inode_lock_shared include/linux/fs.h:875 [inline]
#0: ffff8880787e67f0 (&inode->i_sb->s_type->i_mutex_dir_key){.+.+}-{4:4}, at: lookup_slow+0x45/0x70 fs/namei.c:1809
#1: ffff888026f07980 (&bch->bc_lock){+.+.}-{3:3}, at: spin_lock include/linux/spinlock.h:351 [inline]
#1: ffff888026f07980 (&bch->bc_lock){+.+.}-{3:3}, at: xfs_buf_find_insert+0x3da/0x1610 fs/xfs/xfs_buf.c:655

stack backtrace:
CPU: 0 UID: 0 PID: 5867 Comm: syz-executor278 Not tainted 6.13.0-syzkaller-09793-g69b8923f5003 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_circular_bug+0x13a/0x1b0 kernel/locking/lockdep.c:2076
check_noncircular+0x36a/0x4a0 kernel/locking/lockdep.c:2208
check_prev_add kernel/locking/lockdep.c:3163 [inline]
check_prevs_add kernel/locking/lockdep.c:3282 [inline]
validate_chain+0x18ef/0x5920 kernel/locking/lockdep.c:3906
__lock_acquire+0x1397/0x2100 kernel/locking/lockdep.c:5228
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5851
__raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
_raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:351 [inline]
xfs_buf_try_hold fs/xfs/xfs_buf.c:578 [inline]
xfs_buf_find_insert+0x1123/0x1610 fs/xfs/xfs_buf.c:663
xfs_buf_get_map+0x149a/0x1ac0 fs/xfs/xfs_buf.c:754
xfs_buf_read_map+0x110/0xa50 fs/xfs/xfs_buf.c:862
xfs_trans_read_buf_map+0x260/0xab0 fs/xfs/xfs_trans_buf.c:304
xfs_trans_read_buf fs/xfs/xfs_trans.h:212 [inline]
xfs_imap_to_bp+0x18d/0x380 fs/xfs/libxfs/xfs_inode_buf.c:139
xfs_iget_cache_miss fs/xfs/xfs_icache.c:664 [inline]
xfs_iget+0xbe9/0x2ec0 fs/xfs/xfs_icache.c:806
xfs_lookup+0x356/0x690 fs/xfs/xfs_inode.c:553
xfs_vn_lookup+0x192/0x290 fs/xfs/xfs_iops.c:326
__lookup_slow+0x296/0x400 fs/namei.c:1793
lookup_slow+0x53/0x70 fs/namei.c:1810
walk_component+0x2e1/0x410 fs/namei.c:2114
lookup_last fs/namei.c:2612 [inline]
path_lookupat+0x16f/0x450 fs/namei.c:2636
filename_lookup+0x2a3/0x670 fs/namei.c:2665
do_linkat+0x13f/0x6f0 fs/namei.c:4845
__do_sys_link fs/namei.c:4899 [inline]
__se_sys_link fs/namei.c:4897 [inline]
__x64_sys_link+0x82/0x90 fs/namei.c:4897
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f681317ba59
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f6813111218 EFLAGS: 00000246 ORIG_RAX: 0000000000000056
RAX: ffffffffffffffda RBX: 00007f681320d6b8 RCX: 00007f681317ba59
RDX: 00007f68131550c6 RSI: 0000000000000000 RDI: 0000000020000040
RBP: 00007f681320d6b0 R08: 00007ffc23404e87 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0031656c69662f2e
R13: 0030656c69662f2e R14: 0031656c69662f30 R15: 2f30656c69662f2e
</TASK>


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

syzbot

Feb 2, 2025, 10:08:04 AM
to c...@kernel.org, chanda...@oracle.com, djw...@kernel.org, h...@lst.de, linux-...@vger.kernel.org, linu...@vger.kernel.org, syzkall...@googlegroups.com
syzbot has bisected this issue to:

commit ee10f6fcdb961e810d7b16be1285319c15c78ef6
Author: Christoph Hellwig <h...@lst.de>
Date: Thu Jan 16 06:01:42 2025 +0000

xfs: fix buffer lookup vs release race

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1193ad18580000
start commit: 69b8923f5003 Merge tag 'for-linus-6.14-ofs4' of git://git...
git tree: upstream
final oops: https://syzkaller.appspot.com/x/report.txt?x=1393ad18580000
console output: https://syzkaller.appspot.com/x/log.txt?x=1593ad18580000
Reported-by: syzbot+acb561...@syzkaller.appspotmail.com
Fixes: ee10f6fcdb96 ("xfs: fix buffer lookup vs release race")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection

Christoph Hellwig

Feb 3, 2025, 2:30:46 AM
to syzbot, c...@kernel.org, chanda...@oracle.com, djw...@kernel.org, h...@lst.de, linux-...@vger.kernel.org, linu...@vger.kernel.org, syzkall...@googlegroups.com

syzbot

Feb 3, 2025, 2:55:04 AM
to c...@kernel.org, chanda...@oracle.com, djw...@kernel.org, h...@lst.de, linux-...@vger.kernel.org, linu...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

T0] rcu: Preemptible hierarchical RCU implementation.
[ 2.010612][ T0] rcu: RCU lockdep checking is enabled.
[ 2.011402][ T0] rcu: RCU restricting CPUs from NR_CPUS=8 to nr_cpu_ids=2.
[ 2.012353][ T0] rcu: RCU callback double-/use-after-free debug is enabled.
[ 2.013319][ T0] rcu: RCU debug extended QS entry/exit.
[ 2.014072][ T0] All grace periods are expedited (rcu_expedited).
[ 2.014984][ T0] Trampoline variant of Tasks RCU enabled.
[ 2.015740][ T0] Tracing variant of Tasks RCU enabled.
[ 2.016576][ T0] rcu: RCU calculated value of scheduler-enlistment delay is 10 jiffies.
[ 2.017799][ T0] rcu: Adjusting geometry for rcu_fanout_leaf=16, nr_cpu_ids=2
[ 2.019085][ T0] Running RCU synchronous self tests
[ 2.020120][ T0] RCU Tasks: Setting shift to 1 and lim to 1 rcu_task_cb_adjust=1 rcu_task_cpu_ids=2.
[ 2.021528][ T0] RCU Tasks Trace: Setting shift to 1 and lim to 1 rcu_task_cb_adjust=1 rcu_task_cpu_ids=2.
[ 2.128414][ T0] NR_IRQS: 4352, nr_irqs: 440, preallocated irqs: 16
[ 2.130465][ T0] rcu: srcu_init: Setting srcu_struct sizes based on contention.
[ 2.131983][ T0] kfence: initialized - using 2097152 bytes for 255 objects at 0xffff88823be00000-0xffff88823c000000
[ 2.134701][ T0] Console: colour VGA+ 80x25
[ 2.135499][ T0] printk: legacy console [ttyS0] enabled
[ 2.135499][ T0] printk: legacy console [ttyS0] enabled
[ 2.137023][ T0] printk: legacy bootconsole [earlyser0] disabled
[ 2.137023][ T0] printk: legacy bootconsole [earlyser0] disabled
[ 2.138913][ T0] Lock dependency validator: Copyright (c) 2006 Red Hat, Inc., Ingo Molnar
[ 2.140082][ T0] ... MAX_LOCKDEP_SUBCLASSES: 8
[ 2.140751][ T0] ... MAX_LOCK_DEPTH: 48
[ 2.141484][ T0] ... MAX_LOCKDEP_KEYS: 8192
[ 2.142184][ T0] ... CLASSHASH_SIZE: 4096
[ 2.142884][ T0] ... MAX_LOCKDEP_ENTRIES: 1048576
[ 2.143679][ T0] ... MAX_LOCKDEP_CHAINS: 1048576
[ 2.144453][ T0] ... CHAINHASH_SIZE: 524288
[ 2.145319][ T0] memory used by lock dependency info: 106625 kB
[ 2.146255][ T0] memory used for stack traces: 8320 kB
[ 2.147150][ T0] per task-struct memory footprint: 1920 bytes
[ 2.148349][ T0] mempolicy: Enabling automatic NUMA balancing. Configure with numa_balancing= or the kernel.numa_balancing sysctl
[ 2.150130][ T0] ACPI: Core revision 20240827
[ 2.151799][ T0] APIC: Switch to symmetric I/O mode setup
[ 2.153224][ T0] x2apic enabled
[ 2.157556][ T0] APIC: Switched APIC routing to: physical x2apic
[ 2.164292][ T0] ..TIMER: vector=0x30 apic1=0 pin1=0 apic2=-1 pin2=-1
[ 2.165656][ T0] clocksource: tsc-early: mask: 0xffffffffffffffff max_cycles: 0x1fb6cdb0489, max_idle_ns: 440795236064 ns
[ 2.168007][ T0] Calibrating delay loop (skipped) preset value.. 4400.32 BogoMIPS (lpj=22001640)
[ 2.170708][ T0] Last level iTLB entries: 4KB 64, 2MB 8, 4MB 8
[ 2.178063][ T0] Last level dTLB entries: 4KB 64, 2MB 0, 4MB 0, 1GB 4
[ 2.179278][ T0] Spectre V1 : Mitigation: usercopy/swapgs barriers and __user pointer sanitization
[ 2.180882][ T0] Spectre V2 : Spectre BHI mitigation: SW BHB clearing on syscall and VM exit
[ 2.182464][ T0] Spectre V2 : Mitigation: IBRS
[ 2.183352][ T0] Spectre V2 : Spectre v2 / SpectreRSB mitigation: Filling RSB on context switch
[ 2.185620][ T0] Spectre V2 : Spectre v2 / SpectreRSB : Filling RSB on VMEXIT
[ 2.187126][ T0] RETBleed: Mitigation: IBRS
[ 2.188042][ T0] Spectre V2 : mitigation: Enabling conditional Indirect Branch Prediction Barrier
[ 2.189783][ T0] Spectre V2 : User space: Mitigation: STIBP via prctl
[ 2.191308][ T0] Speculative Store Bypass: Mitigation: Speculative Store Bypass disabled via prctl
[ 2.192767][ T0] MDS: Mitigation: Clear CPU buffers
[ 2.193900][ T0] TAA: Mitigation: Clear CPU buffers
[ 2.195007][ T0] MMIO Stale Data: Vulnerable: Clear CPU buffers attempted, no microcode
[ 2.196747][ T0] x86/fpu: Supporting XSAVE feature 0x001: 'x87 floating point registers'
[ 2.198001][ T0] x86/fpu: Supporting XSAVE feature 0x002: 'SSE registers'
[ 2.199054][ T0] x86/fpu: Supporting XSAVE feature 0x004: 'AVX registers'
[ 2.200127][ T0] x86/fpu: xstate_offset[2]: 576, xstate_sizes[2]: 256
[ 2.201210][ T0] x86/fpu: Enabled xstate features 0x7, context size is 832 bytes, using 'standard' format.
[ 2.442880][ T0] Freeing SMP alternatives memory: 128K
[ 2.444580][ T0] pid_max: default: 32768 minimum: 301
[ 2.446296][ T0] LSM: initializing lsm=lockdown,capability,landlock,yama,safesetid,tomoyo,smack,bpf,ima,evm
[ 2.448422][ T0] landlock: Up and running.
[ 2.449554][ T0] Yama: becoming mindful.
[ 2.451102][ T0] TOMOYO Linux initialized
[ 2.452555][ T0] Smack: Initializing.
[ 2.453285][ T0] Smack: Netfilter enabled.
[ 2.454251][ T0] Smack: IPv6 Netfilter enabled.
[ 2.457026][ T0] LSM support for eBPF active
[ 2.463614][ T0] Dentry cache hash table entries: 1048576 (order: 11, 8388608 bytes, vmalloc hugepage)
[ 2.468234][ T0] Inode-cache hash table entries: 524288 (order: 10, 4194304 bytes, vmalloc hugepage)
[ 2.470255][ T0] Mount-cache hash table entries: 16384 (order: 5, 131072 bytes, vmalloc)
[ 2.472020][ T0] Mountpoint-cache hash table entries: 16384 (order: 5, 131072 bytes, vmalloc)
[ 2.477781][ T0] Running RCU synchronous self tests
[ 2.478011][ T0] Running RCU synchronous self tests
[ 2.601188][ T1] smpboot: CPU0: Intel(R) Xeon(R) CPU @ 2.20GHz (family: 0x6, model: 0x4f, stepping: 0x0)
[ 2.607820][ T1] Running RCU Tasks wait API self tests
[ 2.708457][ T1] Running RCU Tasks Trace wait API self tests
[ 2.709846][ T1] Performance Events: unsupported p6 CPU model 79 no PMU driver, software events only.
[ 2.712156][ T1] signal: max sigframe size: 1776
[ 2.714315][ T1] rcu: Hierarchical SRCU implementation.
[ 2.715360][ T1] rcu: Max phase no-delay instances is 1000.
[ 2.717463][ T1] Timer migration: 1 hierarchy levels; 8 children per group; 0 crossnode level
[ 2.723005][ T1] NMI watchdog: Perf NMI watchdog permanently disabled
[ 2.725256][ T1] smp: Bringing up secondary CPUs ...
[ 2.729771][ T1] smpboot: x86: Booting SMP configuration:
[ 2.730820][ T1] .... node #0, CPUs: #1
[ 2.731034][ T15] Callback from call_rcu_tasks_trace() invoked.
[ 2.733623][ T22] ------------[ cut here ]------------
[ 2.733623][ T22] workqueue: work disable count underflowed
[ 2.733623][ T22] WARNING: CPU: 1 PID: 22 at kernel/workqueue.c:4317 enable_work+0x34d/0x360
[ 2.733623][ T22] Modules linked in:
[ 2.733623][ T22] CPU: 1 UID: 0 PID: 22 Comm: cpuhp/1 Not tainted 6.13.0-rc6-syzkaller-00134-ga9ab28b3d21a #0
[ 2.735303][ T22] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
[ 2.737287][ T22] RIP: 0010:enable_work+0x34d/0x360
[ 2.737989][ T22] Code: d8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc e8 18 82 37 00 c6 05 4c c2 9a 0e 01 90 48 c7 c7 a0 d0 09 8c e8 44 25 f8 ff 90 <0f> 0b 90 90 e9 56 ff ff ff e8 e5 76 59 0a 0f 1f 44 00 00 90 90 90
[ 2.737989][ T22] RSP: 0000:ffffc900001c7bc0 EFLAGS: 00010046
[ 2.737989][ T22] RAX: 6282fd934c3ae400 RBX: 0000000000000000 RCX: ffff88801d2cbc00
[ 2.737989][ T22] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 2.737989][ T22] RBP: ffffc900001c7c88 R08: ffffffff815ffac2 R09: 1ffffffff1cfa0f4
[ 2.737989][ T22] R10: dffffc0000000000 R11: fffffbfff1cfa0f5 R12: 1ffff92000038f7c
[ 2.737989][ T22] R13: 1ffff92000038f84 R14: 001fffffffc00001 R15: ffff8880b8738770
[ 2.737989][ T22] FS: 0000000000000000(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
[ 2.737989][ T22] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 2.737989][ T22] CR2: 0000000000000000 CR3: 000000000e736000 CR4: 00000000003506f0
[ 2.737989][ T22] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 2.737989][ T22] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 2.737989][ T22] Call Trace:
[ 2.737989][ T22] <TASK>
[ 2.737989][ T22] ? __warn+0x165/0x4d0
[ 2.737989][ T22] ? enable_work+0x34d/0x360
[ 2.737989][ T22] ? report_bug+0x2b3/0x500
[ 2.737989][ T22] ? enable_work+0x34d/0x360
[ 2.737989][ T22] ? handle_bug+0x60/0x90
[ 2.737989][ T22] ? exc_invalid_op+0x1a/0x50
[ 2.737989][ T22] ? asm_exc_invalid_op+0x1a/0x20
[ 2.737989][ T22] ? __warn_printk+0x292/0x360
[ 2.737989][ T22] ? enable_work+0x34d/0x360
[ 2.737989][ T22] ? __pfx_enable_work+0x10/0x10
[ 2.737989][ T22] ? __pfx_vmstat_cpu_online+0x10/0x10
[ 2.737989][ T22] ? rcu_is_watching+0x15/0xb0
[ 2.737989][ T22] vmstat_cpu_online+0xbb/0xe0
[ 2.737989][ T22] ? __pfx_vmstat_cpu_online+0x10/0x10
[ 2.737989][ T22] cpuhp_invoke_callback+0x48d/0x830
[ 2.737989][ T22] ? __pfx_vmstat_cpu_online+0x10/0x10
[ 2.737989][ T22] cpuhp_thread_fun+0x41c/0x810
[ 2.737989][ T22] ? cpuhp_thread_fun+0x130/0x810
[ 2.737989][ T22] ? __pfx_cpuhp_thread_fun+0x10/0x10
[ 2.737989][ T22] ? _raw_spin_unlock_irqrestore+0xdd/0x140
[ 2.737989][ T22] ? __pfx_cpuhp_thread_fun+0x10/0x10
[ 2.737989][ T22] smpboot_thread_fn+0x544/0xa30
[ 2.737989][ T22] ? smpboot_thread_fn+0x4e/0xa30
[ 2.737989][ T22] ? __pfx_smpboot_thread_fn+0x10/0x10
[ 2.737989][ T22] kthread+0x2f0/0x390
[ 2.737989][ T22] ? __pfx_smpboot_thread_fn+0x10/0x10
[ 2.737989][ T22] ? __pfx_kthread+0x10/0x10
[ 2.737989][ T22] ret_from_fork+0x4b/0x80
[ 2.737989][ T22] ? __pfx_kthread+0x10/0x10
[ 2.737989][ T22] ret_from_fork_asm+0x1a/0x30
[ 2.737989][ T22] </TASK>
[ 2.737989][ T22] Kernel panic - not syncing: kernel: panic_on_warn set ...
[ 2.737989][ T22] CPU: 1 UID: 0 PID: 22 Comm: cpuhp/1 Not tainted 6.13.0-rc6-syzkaller-00134-ga9ab28b3d21a #0
[ 2.737989][ T22] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
[ 2.737989][ T22] Call Trace:
[ 2.737989][ T22] <TASK>
[ 2.737989][ T22] dump_stack_lvl+0x241/0x360
[ 2.737989][ T22] ? __pfx_dump_stack_lvl+0x10/0x10
[ 2.737989][ T22] ? __pfx__printk+0x10/0x10
[ 2.737989][ T22] ? _printk+0xd5/0x120
[ 2.737989][ T22] ? __init_begin+0x41000/0x41000
[ 2.737989][ T22] ? vscnprintf+0x5d/0x90
[ 2.737989][ T22] panic+0x349/0x880
[ 2.737989][ T22] ? __warn+0x174/0x4d0
[ 2.737989][ T22] ? __pfx_panic+0x10/0x10
[ 2.737989][ T22] ? ret_from_fork_asm+0x1a/0x30
[ 2.737989][ T22] __warn+0x344/0x4d0
[ 2.737989][ T22] ? enable_work+0x34d/0x360
[ 2.737989][ T22] report_bug+0x2b3/0x500
[ 2.737989][ T22] ? enable_work+0x34d/0x360
[ 2.737989][ T22] handle_bug+0x60/0x90
[ 2.737989][ T22] exc_invalid_op+0x1a/0x50
[ 2.737989][ T22] asm_exc_invalid_op+0x1a/0x20
[ 2.737989][ T22] RIP: 0010:enable_work+0x34d/0x360
[ 2.737989][ T22] Code: d8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc e8 18 82 37 00 c6 05 4c c2 9a 0e 01 90 48 c7 c7 a0 d0 09 8c e8 44 25 f8 ff 90 <0f> 0b 90 90 e9 56 ff ff ff e8 e5 76 59 0a 0f 1f 44 00 00 90 90 90
[ 2.737989][ T22] RSP: 0000:ffffc900001c7bc0 EFLAGS: 00010046
[ 2.737989][ T22] RAX: 6282fd934c3ae400 RBX: 0000000000000000 RCX: ffff88801d2cbc00
[ 2.737989][ T22] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 2.737989][ T22] RBP: ffffc900001c7c88 R08: ffffffff815ffac2 R09: 1ffffffff1cfa0f4
[ 2.737989][ T22] R10: dffffc0000000000 R11: fffffbfff1cfa0f5 R12: 1ffff92000038f7c
[ 2.737989][ T22] R13: 1ffff92000038f84 R14: 001fffffffc00001 R15: ffff8880b8738770
[ 2.737989][ T22] ? __warn_printk+0x292/0x360
[ 2.737989][ T22] ? __pfx_enable_work+0x10/0x10
[ 2.737989][ T22] ? __pfx_vmstat_cpu_online+0x10/0x10
[ 2.737989][ T22] ? rcu_is_watching+0x15/0xb0
[ 2.737989][ T22] vmstat_cpu_online+0xbb/0xe0
[ 2.737989][ T22] ? __pfx_vmstat_cpu_online+0x10/0x10
[ 2.737989][ T22] cpuhp_invoke_callback+0x48d/0x830
[ 2.737989][ T22] ? __pfx_vmstat_cpu_online+0x10/0x10
[ 2.737989][ T22] cpuhp_thread_fun+0x41c/0x810
[ 2.737989][ T22] ? cpuhp_thread_fun+0x130/0x810
[ 2.737989][ T22] ? __pfx_cpuhp_thread_fun+0x10/0x10
[ 2.737989][ T22] ? _raw_spin_unlock_irqrestore+0xdd/0x140
[ 2.737989][ T22] ? __pfx_cpuhp_thread_fun+0x10/0x10
[ 2.737989][ T22] smpboot_thread_fn+0x544/0xa30
[ 2.737989][ T22] ? smpboot_thread_fn+0x4e/0xa30
[ 2.737989][ T22] ? __pfx_smpboot_thread_fn+0x10/0x10
[ 2.737989][ T22] kthread+0x2f0/0x390
[ 2.737989][ T22] ? __pfx_smpboot_thread_fn+0x10/0x10
[ 2.737989][ T22] ? __pfx_kthread+0x10/0x10
[ 2.737989][ T22] ret_from_fork+0x4b/0x80
[ 2.737989][ T22] ? __pfx_kthread+0x10/0x10
[ 2.737989][ T22] ret_from_fork_asm+0x1a/0x30
[ 2.737989][ T22] </TASK>
[ 2.737989][ T22] Rebooting in 86400 seconds..


syzkaller build log:
go env (err=<nil>)
GO111MODULE='auto'
GOARCH='amd64'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/syzkaller/jobs-2/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs-2/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.22.7'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/syzkaller/jobs-2/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build348862417=/tmp/go-build -gno-record-gcc-switches'

git status (err=<nil>)
HEAD detached at 568559e4e6
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=568559e4e604140cecd9fc4835eaa0298a1cadcc -X 'github.com/google/syzkaller/prog.gitRevisionDate=20250201-125757'" -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"568559e4e604140cecd9fc4835eaa0298a1cadcc\"
/usr/bin/ld: /tmp/ccNM92bn.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x104): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=13491764580000


Tested on:

commit: a9ab28b3 xfs: remove xfs_buf_cache.bc_lock
git tree: https://git.kernel.org/pub/scm/fs/xfs/xfs-linux.git/ for-next
kernel config: https://syzkaller.appspot.com/x/.config?x=c8502218c2b0a864
dashboard link: https://syzkaller.appspot.com/bug?extid=acb56162aef712929d3f
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

Note: no patches were applied.

Christoph Hellwig

Feb 3, 2025, 3:07:26 AM
to syzbot, c...@kernel.org, chanda...@oracle.com, djw...@kernel.org, h...@lst.de, linux-...@vger.kernel.org, linu...@vger.kernel.org, syzkall...@googlegroups.com
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

From a9ab28b3d21aec6d0f56fe722953e20ce470237b Mon Sep 17 00:00:00 2001
From: Christoph Hellwig <h...@lst.de>
Date: Tue, 28 Jan 2025 06:22:58 +0100
Subject: xfs: remove xfs_buf_cache.bc_lock

xfs_buf_cache.bc_lock serializes adding buffers to and removing them from
the hashtable. But as the rhashtable code already uses fine grained
internal locking for inserts and removals the extra protection isn't
actually required.

It also happens to fix a lock order inversion vs b_lock added by the
recent lookup race fix.

Fixes: ee10f6fcdb96 ("xfs: fix buffer lookup vs release race")
Reported-by: Lai, Yi <yi1...@linux.intel.com>
Signed-off-by: Christoph Hellwig <h...@lst.de>
Reviewed-by: Carlos Maiolino <cmai...@redhat.com>
Reviewed-by: Dave Chinner <dchi...@redhat.com>
Signed-off-by: Carlos Maiolino <c...@kernel.org>
---
fs/xfs/xfs_buf.c | 31 +++++++++++++++++--------------
fs/xfs/xfs_buf.h | 1 -
2 files changed, 17 insertions(+), 15 deletions(-)

diff --git a/fs/xfs/xfs_buf.c b/fs/xfs/xfs_buf.c
index f1252ed8bd0a..ef207784876c 100644
--- a/fs/xfs/xfs_buf.c
+++ b/fs/xfs/xfs_buf.c
@@ -41,8 +41,7 @@ struct kmem_cache *xfs_buf_cache;
*
* xfs_buf_rele:
* b_lock
- * pag_buf_lock
- * lru_lock
+ * lru_lock
*
* xfs_buftarg_drain_rele
* lru_lock
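Review bot: the name being removed from the xfs_buf_rele lock-order list is "pag_buf_lock", not the bc_lock field this patch deletes, so the comment was already stale before this change; dropping the line is right, but the rest of this header block should be grepped for the same old name so the documented order (b_lock, then lru_lock) matches what xfs_buf_rele_cached does after the patch.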
@@ -220,14 +219,21 @@ _xfs_buf_alloc(
*/
flags &= ~(XBF_UNMAPPED | XBF_TRYLOCK | XBF_ASYNC | XBF_READ_AHEAD);

- spin_lock_init(&bp->b_lock);
+ /*
+ * A new buffer is held and locked by the owner. This ensures that the
+ * buffer is owned by the caller and racing RCU lookups right after
+ * inserting into the hash table are safe (and will have to wait for
+ * the unlock to do anything non-trivial).
+ */
bp->b_hold = 1;
+ sema_init(&bp->b_sema, 0); /* held, no waiters */
+
+ spin_lock_init(&bp->b_lock);
atomic_set(&bp->b_lru_ref, 1);
init_completion(&bp->b_iowait);
INIT_LIST_HEAD(&bp->b_lru);
INIT_LIST_HEAD(&bp->b_list);
INIT_LIST_HEAD(&bp->b_li_list);
- sema_init(&bp->b_sema, 0); /* held, no waiters */
bp->b_target = target;
bp->b_mount = target->bt_mount;
bp->b_flags = flags;
@@ -497,7 +503,6 @@ int
xfs_buf_cache_init(
struct xfs_buf_cache *bch)
{
- spin_lock_init(&bch->bc_lock);
return rhashtable_init(&bch->bc_hash, &xfs_buf_hash_params);
}

@@ -647,17 +652,20 @@ xfs_buf_find_insert(
if (error)
goto out_free_buf;

- spin_lock(&bch->bc_lock);
+ /* The new buffer keeps the perag reference until it is freed. */
+ new_bp->b_pag = pag;
+
+ rcu_read_lock();
bp = rhashtable_lookup_get_insert_fast(&bch->bc_hash,
&new_bp->b_rhash_head, xfs_buf_hash_params);
if (IS_ERR(bp)) {
+ rcu_read_unlock();
error = PTR_ERR(bp);
- spin_unlock(&bch->bc_lock);
goto out_free_buf;
}
if (bp && xfs_buf_try_hold(bp)) {
/* found an existing buffer */
- spin_unlock(&bch->bc_lock);
+ rcu_read_unlock();
error = xfs_buf_find_lock(bp, flags);
if (error)
xfs_buf_rele(bp);
@@ -665,10 +673,8 @@ xfs_buf_find_insert(
*bpp = bp;
goto out_free_buf;
}
+ rcu_read_unlock();

- /* The new buffer keeps the perag reference until it is freed. */
- new_bp->b_pag = pag;
- spin_unlock(&bch->bc_lock);
*bpp = new_bp;
return 0;

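Review bot: with bc_lock gone, the "if (bp && xfs_buf_try_hold(bp))" test can now fail for a non-NULL bp, and the code then falls through to "*bpp = new_bp; return 0;" even though rhashtable_lookup_get_insert_fast() returned the existing entry and did not insert new_bp, so the caller is handed a buffer that is not in the cache. Under the old code that branch was effectively unreachable because xfs_buf_rele_cached only decremented b_hold to zero under bc_lock, which this path also held; now the release side can reach b_hold == 0 while the lookup side is between the rhashtable call and try_hold. Suggest retrying the lookup/insert (or waiting for the stale entry to be removed) when try_hold fails rather than returning an uninserted new_bp. Separately, "new_bp->b_pag = pag" is now set before the insert, so the IS_ERR and found-existing paths reach out_free_buf with b_pag populated; confirm that the free path there does not also put b_pag, otherwise the perag reference is dropped twice on those paths.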
@@ -1085,7 +1091,6 @@ xfs_buf_rele_cached(
}

/* we are asked to drop the last reference */
- spin_lock(&bch->bc_lock);
__xfs_buf_ioacct_dec(bp);
if (!(bp->b_flags & XBF_STALE) && atomic_read(&bp->b_lru_ref)) {
/*
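Review bot: after this hunk __xfs_buf_ioacct_dec() and the last-reference b_hold decrement run with only b_lock held (taken by the caller above this hunk), and b_lock is now the sole serialisation between a release and the b_hold check in xfs_buf_try_hold() on the lookup side. A one-line comment at "we are asked to drop the last reference" stating that invariant would document what the patch relies on, since the removed bc_lock was the obvious hint that this section races with xfs_buf_find_insert.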
@@ -1097,7 +1102,6 @@ xfs_buf_rele_cached(
bp->b_state &= ~XFS_BSTATE_DISPOSE;
else
bp->b_hold--;
- spin_unlock(&bch->bc_lock);
} else {
bp->b_hold--;
/*
@@ -1115,7 +1119,6 @@ xfs_buf_rele_cached(
ASSERT(!(bp->b_flags & _XBF_DELWRI_Q));
rhashtable_remove_fast(&bch->bc_hash, &bp->b_rhash_head,
xfs_buf_hash_params);
- spin_unlock(&bch->bc_lock);
if (pag)
xfs_perag_put(pag);
freebuf = true;
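Review bot: rhashtable_remove_fast() now runs under b_lock only and its return value is still ignored; since a concurrent xfs_buf_find_insert can observe this buffer between the b_hold decrement above and this removal, an ASSERT on the return value (it reports -ENOENT if the entry was never inserted or already removed) would make a double-remove or a never-inserted buffer visible in debug builds instead of silently succeeding.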
diff --git a/fs/xfs/xfs_buf.h b/fs/xfs/xfs_buf.h
index 7e73663c5d4a..3b4ed42e11c0 100644
--- a/fs/xfs/xfs_buf.h
+++ b/fs/xfs/xfs_buf.h
@@ -80,7 +80,6 @@ typedef unsigned int xfs_buf_flags_t;
#define XFS_BSTATE_IN_FLIGHT (1 << 1) /* I/O in flight */

struct xfs_buf_cache {
- spinlock_t bc_lock;
struct rhashtable bc_hash;
};

--
2.45.2
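
The lock-order inversion the commit message refers to, modelled in user space as an added example that is not part of this thread or of the XFS code: a small lockdep-style dependency graph records which lock class a task held when it took another, and reports when a new acquisition would close a cycle, which is the "possible circular locking dependency" check that produced the original report. The lock class names (bc_lock, b_lock, lru_lock) come from the report and the patch; the acquisition sequences are a deliberate simplification of xfs_buf_find_insert and xfs_buf_rele_cached, assumed here for illustration rather than the kernel's real control flow.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_CLASSES 8
#define MAX_HELD    8

/*
 * Minimal lock-order tracker in the spirit of lockdep: when a task takes
 * lock B while holding lock A, record the edge A -> B.  The acquisition is
 * an inversion if B already reaches A, because the new edge closes a cycle.
 * Classes are identified by name; this is a model, not the kernel code.
 */
struct lock_graph {
	const char *name[MAX_CLASSES];
	bool edge[MAX_CLASSES][MAX_CLASSES];
	int nclasses;
};

struct task {
	int held[MAX_HELD];
	int nheld;
};

static int lock_class(struct lock_graph *g, const char *name)
{
	for (int i = 0; i < g->nclasses; i++)
		if (strcmp(g->name[i], name) == 0)
			return i;
	g->name[g->nclasses] = name;
	return g->nclasses++;
}

/* Depth-first search: does class 'from' reach class 'to' via recorded edges? */
static bool reaches(const struct lock_graph *g, int from, int to, bool *seen)
{
	if (from == to)
		return true;
	if (seen[from])
		return false;
	seen[from] = true;
	for (int i = 0; i < g->nclasses; i++)
		if (g->edge[from][i] && reaches(g, i, to, seen))
			return true;
	return false;
}

/* Record that 't' takes 'name'; returns false if that closes a cycle. */
static bool acquire(struct lock_graph *g, struct task *t, const char *name)
{
	int c = lock_class(g, name);
	bool ok = true;

	for (int i = 0; i < t->nheld; i++) {
		bool seen[MAX_CLASSES] = { false };
		int h = t->held[i];

		if (reaches(g, c, h, seen)) {
			fprintf(stderr, "possible circular locking dependency: "
				"taking %s while holding %s, but %s -> ... -> %s exists\n",
				g->name[c], g->name[h], g->name[c], g->name[h]);
			ok = false;
		}
		g->edge[h][c] = true;
	}
	if (t->nheld < MAX_HELD)
		t->held[t->nheld++] = c;
	return ok;
}

static void release(struct lock_graph *g, struct task *t, const char *name)
{
	int c = lock_class(g, name);

	for (int i = 0; i < t->nheld; i++) {
		if (t->held[i] != c)
			continue;
		memmove(&t->held[i], &t->held[i + 1],
			(size_t)(t->nheld - i - 1) * sizeof(t->held[0]));
		t->nheld--;
		return;
	}
}

/*
 * Before the patch (simplified): xfs_buf_find_insert takes bc_lock and then,
 * inside xfs_buf_try_hold, b_lock; xfs_buf_rele_cached takes b_lock and then
 * bc_lock on the last reference.  Returns true iff no inversion was found.
 */
bool lock_order_before_patch(void)
{
	struct lock_graph g = { 0 };
	struct task insert = { 0 }, rele = { 0 };
	bool ok = true;

	ok &= acquire(&g, &insert, "bc_lock");
	ok &= acquire(&g, &insert, "b_lock");	/* records bc_lock -> b_lock */
	release(&g, &insert, "b_lock");
	release(&g, &insert, "bc_lock");

	ok &= acquire(&g, &rele, "b_lock");
	ok &= acquire(&g, &rele, "bc_lock");	/* b_lock -> bc_lock: cycle */
	release(&g, &rele, "bc_lock");
	release(&g, &rele, "b_lock");
	return ok;
}

/* After the patch: no bc_lock; release goes b_lock -> lru_lock per the header comment. */
bool lock_order_after_patch(void)
{
	struct lock_graph g = { 0 };
	struct task insert = { 0 }, rele = { 0 };
	bool ok = true;

	ok &= acquire(&g, &insert, "b_lock");
	release(&g, &insert, "b_lock");
	ok &= acquire(&g, &rele, "b_lock");
	ok &= acquire(&g, &rele, "lru_lock");
	release(&g, &rele, "lru_lock");
	release(&g, &rele, "b_lock");
	return ok;
}

int main(void)
{
	printf("before patch: %s\n", lock_order_before_patch() ? "ok" : "inversion");
	printf("after patch:  %s\n", lock_order_after_patch() ? "ok" : "inversion");
	return 0;
}
```

The point of the model is that lockdep does not need the two paths to actually collide: it is enough that one task once recorded bc_lock -> b_lock and another later tries b_lock -> bc_lock, which is why the syzbot report fires without a reproducer. Removing the bc_lock class from the insert and release paths removes the edge, and the second scenario stays acyclic.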

syzbot

Feb 3, 2025, 3:36:05 AM
to c...@kernel.org, chanda...@oracle.com, djw...@kernel.org, h...@lst.de, linux-...@vger.kernel.org, linu...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+acb561...@syzkaller.appspotmail.com
Tested-by: syzbot+acb561...@syzkaller.appspotmail.com

Tested on:

commit: 2014c95a Linux 6.14-rc1
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=10fa43df980000
kernel config: https://syzkaller.appspot.com/x/.config?x=793f583a4388e6da
dashboard link: https://syzkaller.appspot.com/bug?extid=acb56162aef712929d3f
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=12b3b5f8580000

Note: testing is done by a robot and is best-effort only.

syzbot

Mar 14, 2025, 12:19:05 PM
to c...@kernel.org, chanda...@oracle.com, cmai...@redhat.com, dchi...@redhat.com, djw...@kernel.org, h...@lst.de, linux-...@vger.kernel.org, linu...@vger.kernel.org, syzkall...@googlegroups.com
syzbot suspects this issue was fixed by commit:

commit a9ab28b3d21aec6d0f56fe722953e20ce470237b
Author: Christoph Hellwig <h...@lst.de>
Date: Tue Jan 28 05:22:58 2025 +0000

xfs: remove xfs_buf_cache.bc_lock

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=17fb5c78580000
start commit: 69b8923f5003 Merge tag 'for-linus-6.14-ofs4' of git://git...
git tree: upstream
If the result looks correct, please mark the issue as fixed by replying with:

#syz fix: xfs: remove xfs_buf_cache.bc_lock

syzbot

Apr 22, 2025, 6:29:18 AM
to syzkall...@googlegroups.com
Auto-closing this bug as obsolete.
No recent activity, existing reproducers are no longer triggering the issue.