syzbot


KCSAN: data-race in blk_stat_add / run_timer_softirq

Status: auto-closed as invalid on 2020/03/19 14:36
Subsystems: block
First crash: 1540d, last: 1540d

Sample crash report:
==================================================================
BUG: KCSAN: data-race in blk_stat_add / run_timer_softirq

read to 0xffff8881293d2a18 of 8 bytes by interrupt on cpu 1:
 blk_stat_is_active block/blk-stat.h:131 [inline]
 blk_stat_add+0x103/0x2c0 block/blk-stat.c:66
 __blk_mq_end_request+0x22d/0x270 block/blk-mq.c:527
 scsi_end_request+0x1dd/0x360 drivers/scsi/scsi_lib.c:610
 scsi_io_completion+0x11d/0xc80 drivers/scsi/scsi_lib.c:960
 scsi_finish_command+0x283/0x380 drivers/scsi/scsi.c:228
 scsi_softirq_done+0x259/0x280 drivers/scsi/scsi_lib.c:1476
 blk_done_softirq+0x1eb/0x250 block/blk-softirq.c:37
 __do_softirq+0x115/0x33f kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:373 [inline]
 irq_exit+0xbb/0xe0 kernel/softirq.c:413
 exiting_irq arch/x86/include/asm/apic.h:536 [inline]
 do_IRQ+0x81/0x130 arch/x86/kernel/irq.c:263
 ret_from_intr+0x0/0x21
 arch_local_irq_restore arch/x86/include/asm/paravirt.h:752 [inline]
 kcsan_setup_watchpoint+0x1d4/0x460 kernel/kcsan/core.c:429
 check_access kernel/kcsan/core.c:459 [inline]
 __tsan_read8+0xc6/0x100 kernel/kcsan/core.c:589
 task_css include/linux/cgroup.h:491 [inline]
 mem_cgroup_from_task mm/memcontrol.c:909 [inline]
 memcg_kmem_get_cache+0xc8/0x320 mm/memcontrol.c:2765
 slab_pre_alloc_hook mm/slab.h:572 [inline]
 slab_alloc mm/slab.c:3306 [inline]
 kmem_cache_alloc+0x117/0x5d0 mm/slab.c:3484
 vm_area_dup+0x49/0xf0 kernel/fork.c:359
 dup_mmap kernel/fork.c:544 [inline]
 dup_mm+0x330/0xba0 kernel/fork.c:1360
 copy_mm kernel/fork.c:1416 [inline]
 copy_process+0x3138/0x3c40 kernel/fork.c:2072
 _do_fork+0xfe/0x7a0 kernel/fork.c:2421
 __do_sys_clone kernel/fork.c:2576 [inline]
 __se_sys_clone kernel/fork.c:2557 [inline]
 __x64_sys_clone+0x130/0x170 kernel/fork.c:2557
 do_syscall_64+0xcc/0x3a0 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

write to 0xffff8881293d2a18 of 8 bytes by interrupt on cpu 0:
 detach_timer kernel/time/timer.c:817 [inline]
 expire_timers kernel/time/timer.c:1438 [inline]
 __run_timers kernel/time/timer.c:1773 [inline]
 __run_timers kernel/time/timer.c:1740 [inline]
 run_timer_softirq+0x411/0xcd0 kernel/time/timer.c:1786
 __do_softirq+0x115/0x33f kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:373 [inline]
 irq_exit+0xbb/0xe0 kernel/softirq.c:413
 exiting_irq arch/x86/include/asm/apic.h:536 [inline]
 smp_apic_timer_interrupt+0xe6/0x280 arch/x86/kernel/apic/apic.c:1137
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
 __rcu_read_unlock+0x1/0x3d0 kernel/rcu/tree_plugin.h:373
 unlock_page_memcg+0x23/0x30 mm/memcontrol.c:2028
 page_remove_file_rmap mm/rmap.c:1273 [inline]
 page_remove_rmap+0x371/0x7a0 mm/rmap.c:1330
 zap_pte_range mm/memory.c:1080 [inline]
 zap_pmd_range mm/memory.c:1184 [inline]
 zap_pud_range mm/memory.c:1213 [inline]
 zap_p4d_range mm/memory.c:1234 [inline]
 unmap_page_range+0xb31/0x1940 mm/memory.c:1255
 unmap_single_vma+0x144/0x200 mm/memory.c:1300
 unmap_vmas+0xda/0x1a0 mm/memory.c:1332
 exit_mmap+0x13e/0x300 mm/mmap.c:3140
 __mmput kernel/fork.c:1082 [inline]
 mmput+0xea/0x280 kernel/fork.c:1103
 exit_mm kernel/exit.c:485 [inline]
 do_exit+0x4ac/0x18c0 kernel/exit.c:784
 do_group_exit+0xb4/0x1c0 kernel/exit.c:895
 __do_sys_exit_group kernel/exit.c:906 [inline]
 __se_sys_exit_group kernel/exit.c:904 [inline]
 __x64_sys_exit_group+0x2e/0x30 kernel/exit.c:904
 do_syscall_64+0xcc/0x3a0 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Reported by Kernel Concurrency Sanitizer on:
CPU: 0 PID: 8163 Comm: syz-executor.3 Not tainted 5.5.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
==================================================================

Crashes (1):
Time: 2020/01/09 14:30
Kernel: https://github.com/google/ktsan.git (branch kcsan)
Commit: 245a43005292
Syzkaller: 4de4e9f0
Manager: ci2-upstream-kcsan-gce
Syz repro / C repro / VM info / Assets: none