syzbot


KCSAN: data-race in __fput / __tty_hangup (4)

Status: upstream: reported on 2023/04/21 08:18
Subsystems: serial
[Documentation on labels]
Reported-by: syzbot+b7c3ba8cdc2f6cf83c21@syzkaller.appspotmail.com
Fix commit: tty: tty_io: remove hung_up_tty_fops
Patched on: [ci-upstream-linux-next-kasan-gce-root], missing on: [ci-qemu-upstream ci-qemu-upstream-386 ci-qemu2-arm32 ci-qemu2-arm64 ci-qemu2-arm64-compat ci-qemu2-arm64-mte ci-qemu2-riscv64 ci-upstream-bpf-kasan-gce ci-upstream-bpf-next-kasan-gce ci-upstream-gce-arm64 ci-upstream-gce-leak ci-upstream-kasan-badwrites-root ci-upstream-kasan-gce ci-upstream-kasan-gce-386 ci-upstream-kasan-gce-root ci-upstream-kasan-gce-selinux-root ci-upstream-kasan-gce-smack-root ci-upstream-kmsan-gce-386-root ci-upstream-kmsan-gce-root ci-upstream-net-kasan-gce ci-upstream-net-this-kasan-gce ci2-upstream-fs ci2-upstream-kcsan-gce ci2-upstream-net-next-test-gce ci2-upstream-usb]
First crash: 333d, last: 202d
Discussions (2)
Title Replies (including bot) Last reply
[PATCH] tty: tty_io: remove hung_up_tty_fops 12 (12) 2023/05/30 12:51
[syzbot] [kernel?] KCSAN: data-race in __fput / __tty_hangup (4) 14 (15) 2023/04/25 22:09
Similar bugs (3)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KCSAN: data-race in __fput / __tty_hangup (3) serial 2 586d 604d 0/26 auto-closed as invalid on 2022/08/23 04:41
upstream KCSAN: data-race in __fput / __tty_hangup (2) serial 1 641d 641d 0/26 auto-closed as invalid on 2022/06/29 01:31
upstream KCSAN: data-race in __fput / __tty_hangup serial 1 1308d 1308d 0/26 auto-closed as invalid on 2020/08/31 10:07

Sample crash report:
==================================================================
BUG: KCSAN: data-race in __fput / __tty_hangup

write to 0xffff888103a29fb0 of 8 bytes by task 4834 on cpu 0:
 __tty_hangup+0x1e8/0x520 drivers/tty/tty_io.c:623
 tty_vhangup+0x17/0x20 drivers/tty/tty_io.c:702
 pty_close+0x262/0x280 drivers/tty/pty.c:79
 tty_release+0x204/0x930 drivers/tty/tty_io.c:1762
 __fput+0x303/0x600 fs/file_table.c:384
 ____fput+0x15/0x20 fs/file_table.c:412
 task_work_run+0x135/0x1a0 kernel/task_work.c:179
 get_signal+0xe6a/0xff0 kernel/signal.c:2657
 arch_do_signal_or_restart+0x89/0x2a0 arch/x86/kernel/signal.c:308
 exit_to_user_mode_loop+0x6f/0xe0 kernel/entry/common.c:168
 exit_to_user_mode_prepare+0x6c/0xb0 kernel/entry/common.c:204
 __syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline]
 syscall_exit_to_user_mode+0x26/0x140 kernel/entry/common.c:297
 do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

read to 0xffff888103a29fb0 of 8 bytes by task 4835 on cpu 1:
 __fput+0x2d7/0x600 fs/file_table.c:383
 ____fput+0x15/0x20 fs/file_table.c:412
 task_work_run+0x135/0x1a0 kernel/task_work.c:179
 get_signal+0xe6a/0xff0 kernel/signal.c:2657
 arch_do_signal_or_restart+0x89/0x2a0 arch/x86/kernel/signal.c:308
 exit_to_user_mode_loop+0x6f/0xe0 kernel/entry/common.c:168
 exit_to_user_mode_prepare+0x6c/0xb0 kernel/entry/common.c:204
 __syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline]
 syscall_exit_to_user_mode+0x26/0x140 kernel/entry/common.c:297
 do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

value changed: 0xffffffff84e92bb0 -> 0xffffffff84e92a40

Reported by Kernel Concurrency Sanitizer on:
CPU: 1 PID: 4835 Comm: syz-executor.2 Not tainted 6.5.0-rc4-syzkaller-00251-gf0ab9f34e59e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2023
==================================================================

Crashes (2):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2023/08/07 04:39 upstream f0ab9f34e59e 4ffcc9ef .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-kcsan-gce KCSAN: data-race in __fput / __tty_hangup
2023/03/29 08:37 upstream fcd476ea6a88 fc067f05 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-kcsan-gce KCSAN: data-race in __fput / __tty_hangup
* Struck through repros no longer work on HEAD.