KCSAN: data-race in pipe_double_lock / put_pipe_info

[syzbot]

Hello,

syzbot found the following crash on:

HEAD commit: 7c3cd68e Merge remote-tracking branch 'linux-rcu/kcsan' in..
git tree: https://github.com/google/ktsan.git kcsan
console output: https://syzkaller.appspot.com/x/log.txt?x=146e9b77e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=312e39c74fd784a1
dashboard link: https://syzkaller.appspot.com/bug?extid=53bb66b484eeda1875be
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
CC: [linux-...@vger.kernel.org linux-...@vger.kernel.org vi...@zeniv.linux.org.uk el...@google.com]

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+53bb66...@syzkaller.appspotmail.com

==================================================================
BUG: KCSAN: data-race in pipe_double_lock / put_pipe_info

write to 0xffff8881207f2728 of 4 bytes by task 8740 on cpu 0:
put_pipe_info+0x47/0xb0 fs/pipe.c:704
pipe_release+0x150/0x1a0 fs/pipe.c:734
__fput+0x1e9/0x500 fs/file_table.c:280
____fput+0x1b/0x30 fs/file_table.c:313
task_work_run+0xba/0x120 kernel/task_work.c:123
tracehook_notify_resume include/linux/tracehook.h:188 [inline]
exit_to_usermode_loop+0x2ae/0x2c0 arch/x86/entry/common.c:165
prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
syscall_return_slowpath arch/x86/entry/common.c:279 [inline]
do_syscall_64+0x38b/0x3b0 arch/x86/entry/common.c:305
entry_SYSCALL_64_after_hwframe+0x44/0xa9

read to 0xffff8881207f2728 of 4 bytes by task 8751 on cpu 1:
pipe_lock_nested fs/pipe.c:64 [inline]
pipe_double_lock+0xad/0x120 fs/pipe.c:101
splice_pipe_to_pipe fs/splice.c:1562 [inline]
do_splice+0x216/0xc30 fs/splice.c:1141
__do_sys_splice fs/splice.c:1447 [inline]
__se_sys_splice fs/splice.c:1427 [inline]
__x64_sys_splice+0x1fd/0x210 fs/splice.c:1427
do_syscall_64+0xc7/0x3b0 arch/x86/entry/common.c:295
entry_SYSCALL_64_after_hwframe+0x44/0xa9

Reported by Kernel Concurrency Sanitizer on:
CPU: 1 PID: 8751 Comm: syz-executor.0 Not tainted 5.7.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

[Dmitry Vyukov]

"if (!--pipe->files)" in put_pipe_info() can temporarily expose
pipe->files == 0 even if it does not drop to zero in presence of
aggressive profile-guided optimization (store 0 early for the expected
case). This will make pipe_lock_nested() falsely not take the lock.
Which will lead to kaboom.

> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzk...@googlegroups.com.
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
>

> --
> You received this message because you are subscribed to the Google Groups "syzkaller-upstream-moderation" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-upstream-m...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-upstream-moderation/000000000000732ae605a37b804f%40google.com.

[syzbot]

Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.