syzbot


inconsistent lock state in sp_get

Status: fixed on 2020/02/14 01:19
Reported-by: syzbot+@syzkaller.appspotmail.com
Fix commit: 5c9934b6767b 6pack,mkiss: fix possible deadlock
First crash: 927d, last: 927d

Cause bisection: the cause commit could be any of (bisect log):
  9211bfbff80a netfilter: add missing IS_ENABLED(CONFIG_BRIDGE_NETFILTER) checks to header-file.
  47e640af2e49 netfilter: add missing IS_ENABLED(CONFIG_NF_TABLES) check to header-file.
  a1b2f04ea527 netfilter: add missing includes to a number of header-files.
  0abc8bf4f284 netfilter: add missing IS_ENABLED(CONFIG_NF_CONNTRACK) checks to some header-files.
  bd96b4c75675 netfilter: inline four headers files into another one.
  43dd16efc7f2 netfilter: nf_tables: store data in offload context registers
  78458e3e08cd netfilter: add missing IS_ENABLED(CONFIG_NETFILTER) checks to some header-files.
  20a9379d9a03 netfilter: remove "#ifdef __KERNEL__" guards from some headers.
  bd8699e9e292 netfilter: nft_bitwise: add offload support
  2a475c409fe8 kbuild: remove all netfilter headers from header-test blacklist.
  7e59b3fea2a2 netfilter: remove unnecessary spaces
  1b90af292e71 ipvs: Improve robustness to the ipvs sysctl
  5785cf15fd74 netfilter: nf_tables: add missing prototypes.
  0a30ba509fde netfilter: nf_nat_proto: make tables static
  e84fb4b3666d netfilter: conntrack: use shared sysctl constants
  105333435b4f netfilter: connlabels: prefer static lock initialiser
  8c0bb7873815 netfilter: synproxy: rename mss synproxy_options field
  c162610c7db2 Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next
similar bugs (2):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.14 inconsistent lock state in sp_get C done 2 927d 927d 1/1 fixed on 2020/01/12 10:29
linux-4.19 inconsistent lock state in sp_get C done 1 927d 927d 1/1 fixed on 2020/01/12 10:29

Sample crash report:
================================
WARNING: inconsistent lock state
5.5.0-rc1-syzkaller #0 Not tainted
--------------------------------
inconsistent {HARDIRQ-ON-W} -> {IN-HARDIRQ-R} usage.
udevd/8960 [HC1[1]:SC0[0]:HE0:SE1] takes:
ffffffff8a128718 (disc_data_lock){+-..}, at: sp_get.isra.0+0x1d/0xf0 drivers/net/ppp/ppp_synctty.c:138
{HARDIRQ-ON-W} state was registered at:
  lock_acquire+0x190/0x410 kernel/locking/lockdep.c:4485
  __raw_write_lock_bh include/linux/rwlock_api_smp.h:203 [inline]
  _raw_write_lock_bh+0x33/0x50 kernel/locking/spinlock.c:319
  sixpack_close+0x1d/0x250 drivers/net/hamradio/6pack.c:657
  tty_ldisc_close.isra.0+0x119/0x1a0 drivers/tty/tty_ldisc.c:489
  tty_set_ldisc+0x230/0x6b0 drivers/tty/tty_ldisc.c:585
  tiocsetd drivers/tty/tty_io.c:2337 [inline]
  tty_ioctl+0xe8d/0x14f0 drivers/tty/tty_io.c:2597
  vfs_ioctl fs/ioctl.c:47 [inline]
  file_ioctl fs/ioctl.c:545 [inline]
  do_vfs_ioctl+0x977/0x14e0 fs/ioctl.c:732
  ksys_ioctl+0xab/0xd0 fs/ioctl.c:749
  __do_sys_ioctl fs/ioctl.c:756 [inline]
  __se_sys_ioctl fs/ioctl.c:754 [inline]
  __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:754
  do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
  entry_SYSCALL_64_after_hwframe+0x49/0xbe
irq event stamp: 10726
hardirqs last  enabled at (10725): [<ffffffff81a9262a>] seqcount_lockdep_reader_access include/linux/seqlock.h:83 [inline]
hardirqs last  enabled at (10725): [<ffffffff81a9262a>] read_seqcount_begin include/linux/seqlock.h:164 [inline]
hardirqs last  enabled at (10725): [<ffffffff81a9262a>] read_seqbegin include/linux/seqlock.h:433 [inline]
hardirqs last  enabled at (10725): [<ffffffff81a9262a>] zone_span_seqbegin include/linux/memory_hotplug.h:75 [inline]
hardirqs last  enabled at (10725): [<ffffffff81a9262a>] page_outside_zone_boundaries mm/page_alloc.c:569 [inline]
hardirqs last  enabled at (10725): [<ffffffff81a9262a>] bad_range+0xea/0x420 mm/page_alloc.c:598
hardirqs last disabled at (10726): [<ffffffff8100675f>] trace_hardirqs_off_thunk+0x1a/0x1c arch/x86/entry/thunk_64.S:42
softirqs last  enabled at (10602): [<ffffffff812aa7ce>] memcpy include/linux/string.h:380 [inline]
softirqs last  enabled at (10602): [<ffffffff812aa7ce>] fpu__copy+0x17e/0x8c0 arch/x86/kernel/fpu/core.c:195
softirqs last disabled at (10600): [<ffffffff812aa6f7>] fpu__copy+0xa7/0x8c0 arch/x86/kernel/fpu/core.c:183

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(disc_data_lock);
  <Interrupt>
    lock(disc_data_lock);

 *** DEADLOCK ***

7 locks held by udevd/8960:
 #0: ffffffff89a14e90 (dup_mmap_sem.rw_sem){.+.+}, at: dup_mmap kernel/fork.c:490 [inline]
 #0: ffffffff89a14e90 (dup_mmap_sem.rw_sem){.+.+}, at: dup_mm+0x104/0x1430 kernel/fork.c:1360
 #1: ffff888095e6cd18 (&mm->mmap_sem#2){++++}, at: dup_mmap kernel/fork.c:491 [inline]
 #1: ffff888095e6cd18 (&mm->mmap_sem#2){++++}, at: dup_mm+0x120/0x1430 kernel/fork.c:1360
 #2: ffff88808dd1d4d8 (&mm->mmap_sem/1){+.+.}, at: dup_mmap kernel/fork.c:500 [inline]
 #2: ffff88808dd1d4d8 (&mm->mmap_sem/1){+.+.}, at: dup_mm+0x165/0x1430 kernel/fork.c:1360
 #3: ffffffff89a41e40 (fs_reclaim){+.+.}, at: fs_reclaim_acquire.part.0+0x0/0x30 include/linux/uaccess.h:173
 #4: ffff8880a73edf30 (&(&i->lock)->rlock){-.-.}, at: spin_lock include/linux/spinlock.h:338 [inline]
 #4: ffff8880a73edf30 (&(&i->lock)->rlock){-.-.}, at: serial8250_interrupt+0x2d/0x1a0 drivers/tty/serial/8250/8250_core.c:116
 #5: ffffffff8c104048 (&port_lock_key){-.-.}, at: serial8250_handle_irq.part.0+0x24/0x330 drivers/tty/serial/8250/8250_port.c:1823
 #6: ffff88809510c090 (&tty->ldisc_sem){++++}, at: tty_ldisc_ref+0x22/0x90 drivers/tty/tty_ldisc.c:288

stack backtrace:
CPU: 1 PID: 8960 Comm: udevd Not tainted 5.5.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x197/0x210 lib/dump_stack.c:118
 print_usage_bug.cold+0x327/0x378 kernel/locking/lockdep.c:3101
 valid_state kernel/locking/lockdep.c:3112 [inline]
 mark_lock_irq kernel/locking/lockdep.c:3309 [inline]
 mark_lock+0xbb4/0x1220 kernel/locking/lockdep.c:3666
 mark_usage kernel/locking/lockdep.c:3554 [inline]
 __lock_acquire+0x1e55/0x4a00 kernel/locking/lockdep.c:3909
 lock_acquire+0x190/0x410 kernel/locking/lockdep.c:4485
 __raw_read_lock include/linux/rwlock_api_smp.h:149 [inline]
 _raw_read_lock+0x32/0x50 kernel/locking/spinlock.c:223
 sp_get.isra.0+0x1d/0xf0 drivers/net/ppp/ppp_synctty.c:138
 sixpack_write_wakeup+0x25/0x340 drivers/net/hamradio/6pack.c:402
 tty_wakeup+0xe9/0x120 drivers/tty/tty_io.c:536
 tty_port_default_wakeup+0x2b/0x40 drivers/tty/tty_port.c:50
 tty_port_tty_wakeup+0x57/0x70 drivers/tty/tty_port.c:387
 uart_write_wakeup+0x46/0x70 drivers/tty/serial/serial_core.c:104
 serial8250_tx_chars+0x495/0xaf0 drivers/tty/serial/8250/8250_port.c:1761
 serial8250_handle_irq.part.0+0x2a2/0x330 drivers/tty/serial/8250/8250_port.c:1834
 serial8250_handle_irq drivers/tty/serial/8250/8250_port.c:1820 [inline]
 serial8250_default_handle_irq+0xc0/0x150 drivers/tty/serial/8250/8250_port.c:1850
 serial8250_interrupt+0xf1/0x1a0 drivers/tty/serial/8250/8250_core.c:126
 __handle_irq_event_percpu+0x15d/0x970 kernel/irq/handle.c:149
 handle_irq_event_percpu+0x74/0x160 kernel/irq/handle.c:189
 handle_irq_event+0xa7/0x134 kernel/irq/handle.c:206
 handle_edge_irq+0x25e/0x8d0 kernel/irq/chip.c:830
 generic_handle_irq_desc include/linux/irqdesc.h:156 [inline]
 do_IRQ+0xde/0x280 arch/x86/kernel/irq.c:250
 common_interrupt+0xf/0xf arch/x86/entry/entry_64.S:607
 </IRQ>
RIP: 0010:lock_release+0x33/0x960 kernel/locking/lockdep.c:4493
Code: df 55 48 89 e5 41 57 41 56 4c 8d 75 d8 41 55 49 89 f5 41 54 49 89 fc 53 48 8d 9d 58 ff ff ff 48 c1 eb 03 48 81 ec a8 00 00 00 <48> c7 85 58 ff ff ff b3 8a b5 41 48 c7 85 60 ff ff ff 48 dc 3e 89
RSP: 0018:ffffc90001cb7690 EFLAGS: 00000286 ORIG_RAX: ffffffffffffffd7
RAX: 0000000000000001 RBX: 1ffff92000396ed7 RCX: ffffffff815ac222
RDX: dffffc0000000000 RSI: ffffffff81a9148f RDI: ffffffff89a41e40
RBP: ffffc90001cb7760 R08: 0000000000002c5e R09: fffffbfff1659da7
R10: ffff8880a88e6910 R11: ffff8880a88e6000 R12: ffffffff89a41e40
R13: ffffffff81a9148f R14: ffffc90001cb7738 R15: 0000000000000cc0
 __fs_reclaim_release mm/page_alloc.c:4089 [inline]
 fs_reclaim_release mm/page_alloc.c:4102 [inline]
 fs_reclaim_release+0x22/0x30 mm/page_alloc.c:4099
 slab_pre_alloc_hook mm/slab.h:563 [inline]
 slab_alloc mm/slab.c:3306 [inline]
 kmem_cache_alloc+0x30/0x710 mm/slab.c:3484
 ptlock_alloc mm/memory.c:4739 [inline]
 ptlock_init include/linux/mm.h:1915 [inline]
 pgtable_pmd_page_ctor include/linux/mm.h:2001 [inline]
 pmd_alloc_one arch/x86/include/asm/pgalloc.h:99 [inline]
 __pmd_alloc+0xc9/0x460 mm/memory.c:4193
 pmd_alloc include/linux/mm.h:1865 [inline]
 copy_pmd_range mm/memory.c:872 [inline]
 copy_pud_range mm/memory.c:926 [inline]
 copy_p4d_range mm/memory.c:948 [inline]
 copy_page_range+0x184e/0x20b0 mm/memory.c:1010
 dup_mmap kernel/fork.c:604 [inline]
 dup_mm+0xa67/0x1430 kernel/fork.c:1360
 copy_mm kernel/fork.c:1416 [inline]
 copy_process+0x2ad6/0x7230 kernel/fork.c:2072
 _do_fork+0x146/0x1090 kernel/fork.c:2421
 __do_sys_clone kernel/fork.c:2576 [inline]
 __se_sys_clone kernel/fork.c:2557 [inline]
 __x64_sys_clone+0x19a/0x260 kernel/fork.c:2557
 do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7fe919c1cf46
Code: f7 d8 64 89 04 25 d4 02 00 00 64 4c 8b 14 25 10 00 00 00 31 d2 49 81 c2 d0 02 00 00 31 f6 bf 11 00 20 01 b8 38 00 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 31 01 00 00 85 c0 41 89 c4 0f 85 3b 01 00
RSP: 002b:00007fffdc9036d0 EFLAGS: 00000246 ORIG_RAX: 0000000000000038
RAX: ffffffffffffffda RBX: 00007fffdc9036d0 RCX: 00007fe919c1cf46
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000001200011
RBP: 00007fffdc903730 R08: 0000000000002300 R09: 0000000000002300
R10: 00007fe91a539a70 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fffdc9036f0 R14: 0000000000000000 R15: 0000000000d16540

Crashes (2):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-kasan-gce-root 2019/12/12 13:22 upstream 687dec9b9459 d973f528 .config log report syz C
ci-upstream-kasan-gce-selinux-root 2019/12/12 12:52 upstream 687dec9b9459 d973f528 .config log report syz C