syzbot


WARNING in percpu_ref_kill_and_confirm (2)

Status: fixed on 2021/03/10 01:48
Subsystems: fs
Reported-by: syzbot+c9937dfb2303a5f18640@syzkaller.appspotmail.com
Fix commit: 9faadcc8abe4 io_uring: fix double io_uring free
First crash: 1282d, last: 1270d
Cause bisection: introduced by (bisect log):
commit 4d004099a668c41522242aa146a38cc4eb59cb1e
Author: Peter Zijlstra <peterz@infradead.org>
Date: Fri Oct 2 09:04:21 2020 +0000

  lockdep: Fix lockdep recursion

Crash: BUG: using __this_cpu_read() in preemptible code in trace_hardirqs_on (log)
Repro: C syz .config
  
Duplicate bugs (2)
Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status
KASAN: use-after-free Read in io_ring_ctx_wait_and_kill fs | | | | 19 | 1270d | 1275d | 0/27 | closed as dup on 2020/12/23 23:17
WARNING in __percpu_ref_exit fs | | | | 15 | 1197d | 1292d | 0/27 | closed as dup on 2020/12/23 23:15
Discussions (4)
Title | Replies (including bot) | Last reply
[PATCH 5.10 000/717] 5.10.4-rc1 review | 747 (747) | 2021/01/05 16:41
[PATCH 0/2] fixes for syzbot reports | 3 (3) | 2020/12/21 18:34
Re: WARNING in percpu_ref_kill_and_confirm (2) | 1 (1) | 2020/12/18 16:34
WARNING in percpu_ref_kill_and_confirm (2) | 2 (3) | 2020/12/16 22:33
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream WARNING in percpu_ref_kill_and_confirm C done 443 1875d 1882d 12/27 fixed on 2019/05/27 12:48

Sample crash report:
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441309
RDX: 0000000000000002 RSI: 00000000200000c0 RDI: 0000000000003ad1
RBP: 000000000000f2ae R08: 0000000000000002 R09: 00000000004002c8
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004021d0
R13: 0000000000402260 R14: 0000000000000000 R15: 0000000000000000
------------[ cut here ]------------
percpu_ref_kill_and_confirm called more than once on io_ring_ctx_ref_free!
WARNING: CPU: 0 PID: 8476 at lib/percpu-refcount.c:382 percpu_ref_kill_and_confirm+0x126/0x180 lib/percpu-refcount.c:382
Modules linked in:
CPU: 0 PID: 8476 Comm: syz-executor389 Not tainted 5.10.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:percpu_ref_kill_and_confirm+0x126/0x180 lib/percpu-refcount.c:382
Code: 5d 08 48 8d 7b 08 48 89 fa 48 c1 ea 03 80 3c 02 00 75 5d 48 8b 53 08 48 c7 c6 00 4b 9d 89 48 c7 c7 60 4a 9d 89 e8 c6 97 f6 04 <0f> 0b 48 b8 00 00 00 00 00 fc ff df 48 89 ea 48 c1 ea 03 80 3c 02
RSP: 0018:ffffc9000b94fe10 EFLAGS: 00010086
RAX: 0000000000000000 RBX: ffff888011da4580 RCX: 0000000000000000
RDX: ffff88801fe84ec0 RSI: ffffffff8158c835 RDI: fffff52001729fb4
RBP: ffff88801539f000 R08: 0000000000000001 R09: ffff8880b9e2011b
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000293
R13: 0000000000000000 R14: 0000000000000000 R15: ffff88802de28758
FS:  00000000014ab880(0000) GS:ffff8880b9e00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f2a7046b000 CR3: 0000000023368000 CR4: 0000000000350ef0
Call Trace:
 percpu_ref_kill include/linux/percpu-refcount.h:149 [inline]
 io_ring_ctx_wait_and_kill+0x2b/0x450 fs/io_uring.c:8382
 io_uring_release+0x3e/0x50 fs/io_uring.c:8420
 __fput+0x285/0x920 fs/file_table.c:281
 task_work_run+0xdd/0x190 kernel/task_work.c:151
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:164 [inline]
 exit_to_user_mode_prepare+0x17e/0x1a0 kernel/entry/common.c:191
 syscall_exit_to_user_mode+0x38/0x260 kernel/entry/common.c:266
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x441309
Code: e8 5c ae 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 0a fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffed6545d38 EFLAGS: 00000246 ORIG_RAX: 00000000000001a9
RAX: fffffffffffffff4 RBX: 0000000000000000 RCX: 0000000000441309
RDX: 0000000000000002 RSI: 00000000200000c0 RDI: 0000000000003ad1
RBP: 000000000000f2ae R08: 0000000000000002 R09: 00000000004002c8
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004021d0
R13: 0000000000402260 R14: 0000000000000000 R15: 0000000000000000

Crashes (71):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2020/12/13 01:50 upstream 7b1b868e1d91 bca53db9 .config console log report syz C ci-upstream-kasan-gce-root
2020/12/22 08:53 upstream 8653b778e454 04201c06 .config console log report syz ci-upstream-kasan-gce-selinux-root
2020/12/21 18:42 upstream e37b12e4bb21 04201c06 .config console log report syz ci-upstream-kasan-gce
2020/12/21 06:20 upstream 6a447b0e3151 04201c06 .config console log report syz ci-upstream-kasan-gce-selinux-root
2020/12/20 15:32 upstream 467f8165a2b0 04201c06 .config console log report syz ci-upstream-kasan-gce
2020/12/20 06:02 upstream 467f8165a2b0 04201c06 .config console log report syz ci-upstream-kasan-gce
2020/12/19 06:38 upstream a409ed156a90 04201c06 .config console log report syz ci-upstream-kasan-gce-selinux-root
2020/12/19 02:42 upstream a409ed156a90 04201c06 .config console log report syz ci-upstream-kasan-gce-selinux-root
2020/12/22 17:22 linux-next 6c3eb1b174c0 04201c06 .config console log report syz ci-upstream-linux-next-kasan-gce-root
2020/12/21 11:54 linux-next 4c6ed015c2a5 04201c06 .config console log report syz ci-upstream-linux-next-kasan-gce-root
2020/12/19 23:15 linux-next 0d52778b8710 04201c06 .config console log report syz ci-upstream-linux-next-kasan-gce-root
2020/12/24 21:39 upstream 58cf05f597b0 c2c1d1dd .config console log report info ci-upstream-kasan-gce
2020/12/24 09:42 upstream 58cf05f597b0 c2c1d1dd .config console log report info ci-upstream-kasan-gce
2020/12/23 22:23 upstream 614cb5894306 c2c1d1dd .config console log report info ci-upstream-kasan-gce-selinux-root
2020/12/23 08:39 upstream 614cb5894306 04201c06 .config console log report info ci-upstream-kasan-gce-selinux-root
2020/12/22 15:19 upstream 8653b778e454 04201c06 .config console log report info ci-upstream-kasan-gce
2020/12/22 06:53 upstream 8653b778e454 04201c06 .config console log report info ci-upstream-kasan-gce
2020/12/22 02:08 upstream 8653b778e454 04201c06 .config console log report info ci-upstream-kasan-gce-selinux-root
2020/12/22 00:03 upstream e37b12e4bb21 04201c06 .config console log report info ci-upstream-kasan-gce-selinux-root
2020/12/21 11:15 upstream 6a447b0e3151 04201c06 .config console log report info ci-upstream-kasan-gce
2020/12/21 08:06 upstream 6a447b0e3151 04201c06 .config console log report info ci-upstream-kasan-gce-selinux-root
2020/12/20 19:57 upstream 467f8165a2b0 04201c06 .config console log report info ci-upstream-kasan-gce
2020/12/19 06:18 upstream a409ed156a90 04201c06 .config console log report info ci-upstream-kasan-gce
2020/12/18 03:52 upstream d64c6f96ba86 04201c06 .config console log report info ci-upstream-kasan-gce
2020/12/17 09:57 upstream accefff5b547 04201c06 .config console log report info ci-upstream-kasan-gce-selinux-root
2020/12/17 01:21 upstream 5e60366d56c6 04201c06 .config console log report info ci-upstream-kasan-gce
2020/12/16 11:20 upstream d635a69dd498 f213e07e .config console log report info ci-upstream-kasan-gce
2020/12/16 07:26 upstream d635a69dd498 f213e07e .config console log report info ci-upstream-kasan-gce-selinux-root
2020/12/16 06:34 upstream d635a69dd498 f213e07e .config console log report info ci-upstream-kasan-gce-selinux-root
2020/12/16 06:16 upstream d635a69dd498 f213e07e .config console log report info ci-upstream-kasan-gce-root
2020/12/16 05:42 upstream d635a69dd498 f213e07e .config console log report info ci-upstream-kasan-gce-smack-root
2020/12/16 02:11 upstream 148842c98a24 97183ed7 .config console log report info ci-upstream-kasan-gce-root
2020/12/15 22:59 upstream 148842c98a24 97183ed7 .config console log report info ci-upstream-kasan-gce-selinux-root
2020/12/15 22:07 upstream 148842c98a24 97183ed7 .config console log report info ci-upstream-kasan-gce-smack-root
2020/12/15 19:13 upstream 148842c98a24 97183ed7 .config console log report info ci-upstream-kasan-gce-root
2020/12/15 15:33 upstream 148842c98a24 97183ed7 .config console log report info ci-upstream-kasan-gce
2020/12/15 14:46 upstream 148842c98a24 97183ed7 .config console log report info ci-upstream-kasan-gce
2020/12/15 12:03 upstream 148842c98a24 97183ed7 .config console log report info ci-upstream-kasan-gce-root
2020/12/15 10:59 upstream 148842c98a24 97183ed7 .config console log report info ci-upstream-kasan-gce-root
2020/12/15 04:52 upstream 2c85ebc57b3e 97183ed7 .config console log report info ci-upstream-kasan-gce-smack-root
2020/12/15 04:22 upstream 2c85ebc57b3e 97183ed7 .config console log report info ci-upstream-kasan-gce-root
2020/12/15 02:39 upstream 2c85ebc57b3e 97183ed7 .config console log report info ci-upstream-kasan-gce
2020/12/15 02:31 upstream 2c85ebc57b3e 97183ed7 .config console log report info ci-upstream-kasan-gce
2020/12/15 02:30 upstream 2c85ebc57b3e 97183ed7 .config console log report info ci-upstream-kasan-gce
2020/12/14 23:53 upstream 2c85ebc57b3e 97183ed7 .config console log report info ci-upstream-kasan-gce-smack-root
2020/12/14 23:44 upstream 2c85ebc57b3e 97183ed7 .config console log report info ci-upstream-kasan-gce-root
2020/12/14 22:54 upstream 2c85ebc57b3e 97183ed7 .config console log report info ci-upstream-kasan-gce-selinux-root
2020/12/14 21:53 upstream 2c85ebc57b3e 97183ed7 .config console log report info ci-upstream-kasan-gce
2020/12/14 19:26 upstream 2c85ebc57b3e 97183ed7 .config console log report info ci-upstream-kasan-gce
2020/12/14 16:01 upstream 2c85ebc57b3e 97183ed7 .config console log report info ci-upstream-kasan-gce
2020/12/14 08:41 upstream 6bff9bb8a292 b22a7ec3 .config console log report info ci-upstream-kasan-gce
2020/12/14 06:05 upstream 6bff9bb8a292 b22a7ec3 .config console log report info ci-upstream-kasan-gce
2020/12/14 04:29 upstream 6bff9bb8a292 b22a7ec3 .config console log report info ci-upstream-kasan-gce-smack-root
2020/12/14 03:46 upstream 6bff9bb8a292 b22a7ec3 .config console log report info ci-upstream-kasan-gce-smack-root
2020/12/13 16:20 upstream 6bff9bb8a292 bca53db9 .config console log report info ci-upstream-kasan-gce
2020/12/13 10:56 upstream 7b1b868e1d91 bca53db9 .config console log report info ci-upstream-kasan-gce-selinux-root
2020/12/13 07:40 upstream 7b1b868e1d91 bca53db9 .config console log report info ci-upstream-kasan-gce-root
2020/12/13 06:37 upstream 7b1b868e1d91 bca53db9 .config console log report info ci-upstream-kasan-gce-root
2020/12/13 05:46 upstream 7b1b868e1d91 bca53db9 .config console log report info ci-upstream-kasan-gce-smack-root
2020/12/13 02:17 upstream 7b1b868e1d91 bca53db9 .config console log report info ci-upstream-kasan-gce
2020/12/13 01:36 upstream 7b1b868e1d91 bca53db9 .config console log report info ci-upstream-kasan-gce-root
2020/12/13 00:49 upstream 7b1b868e1d91 bca53db9 .config console log report info ci-upstream-kasan-gce-selinux-root
2020/12/12 22:20 upstream 7b1b868e1d91 bca53db9 .config console log report info ci-upstream-kasan-gce-selinux-root
2020/12/12 21:06 upstream 7b1b868e1d91 bca53db9 .config console log report info ci-upstream-kasan-gce
2020/12/21 16:34 upstream e37b12e4bb21 04201c06 .config console log report info ci-upstream-kasan-gce-386
2020/12/17 22:04 upstream accefff5b547 04201c06 .config console log report info ci-upstream-kasan-gce-386
2020/12/15 16:45 upstream 148842c98a24 97183ed7 .config console log report info ci-upstream-kasan-gce-386
2020/12/15 07:06 upstream 148842c98a24 97183ed7 .config console log report info ci-upstream-kasan-gce-386
2020/12/13 14:27 upstream 7b1b868e1d91 bca53db9 .config console log report info ci-upstream-kasan-gce-386
2020/12/20 12:18 linux-next 0d52778b8710 04201c06 .config console log report info ci-upstream-linux-next-kasan-gce-root
2020/12/20 05:55 linux-next 0d52778b8710 04201c06 .config console log report info ci-upstream-linux-next-kasan-gce-root
* Struck through repros no longer work on HEAD.