KCSAN: data-race in __mod_timer / expire

KCSAN: data-race in __mod_timer / expire_timers (2)
Status: auto-closed as invalid on 2021/06/30 10:55
Reported-by: syzbot+@syzkaller.appspotmail.com
First crash: 146d, last: 146d

similar bugs (1):
Kernel	Title	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
upstream	KCSAN: data-race in __mod_timer / expire_timers				343	187d	471d	0/22	auto-closed as invalid on 2021/05/19 22:44

Sample crash report:

==================================================================
BUG: KCSAN: data-race in __mod_timer / expire_timers

write to 0xffff888237d1b688 of 8 bytes by interrupt on cpu 1:
 expire_timers+0x17f/0x250 kernel/time/timer.c:1472
 __run_timers+0x358/0x420 kernel/time/timer.c:1745
 run_timer_softirq+0x19/0x30 kernel/time/timer.c:1758
 __do_softirq+0x12c/0x275 kernel/softirq.c:559
 invoke_softirq kernel/softirq.c:433 [inline]
 __irq_exit_rcu+0xa5/0xb0 kernel/softirq.c:637
 sysvec_apic_timer_interrupt+0x69/0x80 arch/x86/kernel/apic/apic.c:1100
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:647
 _raw_spin_unlock_irqrestore+0x34/0x40 kernel/locking/spinlock.c:192
 spin_unlock_irqrestore include/linux/spinlock.h:409 [inline]
 unlock_page_lruvec_irqrestore include/linux/memcontrol.h:1516 [inline]
 __pagevec_lru_add+0x24b/0x2b0 mm/swap.c:1064
 lru_cache_add mm/swap.c:475 [inline]
 lru_cache_add_inactive_or_unevictable+0x156/0x270 mm/swap.c:506
 wp_page_copy+0x7f8/0x10c0 mm/memory.c:2953
 do_wp_page+0x5a8/0xba0 include/linux/spinlock_api_smp.h:152
 handle_pte_fault mm/memory.c:4385 [inline]
 __handle_mm_fault mm/memory.c:4502 [inline]
 handle_mm_fault+0xb31/0x1a70 mm/memory.c:4600
 do_user_addr_fault+0x60c/0xc00 arch/x86/mm/fault.c:1390
 handle_page_fault arch/x86/mm/fault.c:1475 [inline]
 exc_page_fault+0x94/0x230 arch/x86/mm/fault.c:1531
 asm_exc_page_fault+0x1e/0x30 arch/x86/include/asm/idtentry.h:577

read to 0xffff888237d1b688 of 8 bytes by interrupt on cpu 0:
 __mod_timer+0x44e/0xbe0 kernel/time/timer.c:1035
 add_timer+0x38/0x50 kernel/time/timer.c:1142
 __queue_delayed_work+0xec/0x150 kernel/workqueue.c:1656
 mod_delayed_work_on+0x6a/0xd0 kernel/workqueue.c:1719
 mod_delayed_work include/linux/workqueue.h:537 [inline]
 io_rsrc_node_ref_zero+0x1b6/0x1d0 fs/io_uring.c:7603
 percpu_ref_put_many include/linux/percpu-refcount.h:322 [inline]
 percpu_ref_put include/linux/percpu-refcount.h:338 [inline]
 percpu_ref_call_confirm_rcu lib/percpu-refcount.c:163 [inline]
 percpu_ref_switch_to_atomic_rcu+0x352/0x360 lib/percpu-refcount.c:205
 rcu_do_batch kernel/rcu/tree.c:2558 [inline]
 rcu_core+0xb95/0xd50 kernel/rcu/tree.c:2793
 rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2806
 __do_softirq+0x12c/0x275 kernel/softirq.c:559
 invoke_softirq kernel/softirq.c:433 [inline]
 __irq_exit_rcu+0xa5/0xb0 kernel/softirq.c:637
 sysvec_apic_timer_interrupt+0x69/0x80 arch/x86/kernel/apic/apic.c:1100
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:647
 check_kcov_mode kernel/kcov.c:163 [inline]
 write_comp_data kernel/kcov.c:218 [inline]
 __sanitizer_cov_trace_const_cmp8+0x2b/0x90 kernel/kcov.c:291
 PageHuge+0x4e/0xc0 mm/hugetlb.c:1551
 page_remove_file_rmap mm/rmap.c:1257 [inline]
 page_remove_rmap+0x72/0x230 mm/rmap.c:1351
 zap_pte_range+0x583/0xe20 mm/memory.c:1270
 zap_pmd_range mm/memory.c:1374 [inline]
 zap_pud_range mm/memory.c:1403 [inline]
 zap_p4d_range mm/memory.c:1424 [inline]
 unmap_page_range+0x2dc/0x3d0 mm/memory.c:1445
 unmap_single_vma+0x157/0x210 mm/memory.c:1490
 unmap_vmas+0xc0/0x170 mm/memory.c:1522
 exit_mmap+0x1be/0x400 mm/mmap.c:3208
 __mmput+0x27/0x1c0 kernel/fork.c:1096
 mmput+0x3d/0x50 kernel/fork.c:1117
 exit_mm+0x360/0x450 kernel/exit.c:502
 do_exit+0x3ff/0x1560 kernel/exit.c:813
 do_group_exit+0xce/0x1a0 kernel/exit.c:923
 get_signal+0xfc3/0x1610 kernel/signal.c:2835
 arch_do_signal_or_restart+0x2a/0x220 arch/x86/kernel/signal.c:789
 handle_signal_work kernel/entry/common.c:147 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
 exit_to_user_mode_prepare+0x109/0x190 kernel/entry/common.c:208
 __syscall_exit_to_user_mode_work kernel/entry/common.c:290 [inline]
 syscall_exit_to_user_mode+0x20/0x40 kernel/entry/common.c:301
 do_syscall_64+0x56/0x90 arch/x86/entry/common.c:57
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Reported by Kernel Concurrency Sanitizer on:
CPU: 0 PID: 20971 Comm: syz-executor.0 Not tainted 5.13.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
==================================================================

Crashes (1):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Title
ci2-upstream-kcsan-gce	2021/05/26 10:49	upstream	ad9f25d33860	750ce164	.config	log	report			info	KCSAN: data-race in __mod_timer / expire_timers