syzbot


KCSAN: data-race in __remove_hrtimer / __tcp_ack_snd_check

Status: fixed on 2019/12/13 00:31
Subsystems: kernel
[Documentation on labels]
Fix commit: 56144737e673 hrtimer: Annotate lockless access to timer->state
First crash: 1686d, last: 1662d

Sample crash report:
==================================================================
BUG: KCSAN: data-race in __remove_hrtimer / __tcp_ack_snd_check

write to 0xffff8880abfbdd88 of 1 bytes by interrupt on cpu 0:
 __remove_hrtimer+0x52/0x130 kernel/time/hrtimer.c:991
 __run_hrtimer kernel/time/hrtimer.c:1496 [inline]
 __hrtimer_run_queues+0x23c/0x5f0 kernel/time/hrtimer.c:1576
 hrtimer_run_softirq+0x10e/0x150 kernel/time/hrtimer.c:1593
 __do_softirq+0x115/0x33f kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:373 [inline]
 irq_exit+0xbb/0xe0 kernel/softirq.c:413
 exiting_irq arch/x86/include/asm/apic.h:536 [inline]
 smp_apic_timer_interrupt+0xe6/0x280 arch/x86/kernel/apic/apic.c:1137
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:830
 preempt_count arch/x86/include/asm/preempt.h:26 [inline]
 get_ctx kernel/kcsan/core.c:175 [inline]
 is_atomic kernel/kcsan/core.c:180 [inline]
 should_watch kernel/kcsan/core.c:211 [inline]
 check_access kernel/kcsan/core.c:465 [inline]
 __tsan_read8+0x71/0x100 kernel/kcsan/core.c:596
 arch_local_irq_disable arch/x86/include/asm/paravirt.h:761 [inline]
 arch_local_irq_save arch/x86/include/asm/paravirt.h:774 [inline]
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline]
 _raw_spin_lock_irqsave+0x43/0xb0 kernel/locking/spinlock.c:159
 __wake_up_common_lock+0x5b/0xb0 kernel/sched/wait.c:122
 __wake_up_sync_key+0x19/0x20 kernel/sched/wait.c:196
 pipe_write+0x420/0x970 fs/pipe.c:492
 call_write_iter include/linux/fs.h:1895 [inline]
 new_sync_write+0x388/0x4a0 fs/read_write.c:483
 __vfs_write+0xb1/0xc0 fs/read_write.c:496
 vfs_write fs/read_write.c:558 [inline]
 vfs_write+0x18a/0x390 fs/read_write.c:542
 ksys_write+0xd5/0x1b0 fs/read_write.c:611
 __do_sys_write fs/read_write.c:623 [inline]
 __se_sys_write fs/read_write.c:620 [inline]
 __x64_sys_write+0x4c/0x60 fs/read_write.c:620
 do_syscall_64+0xcc/0x370 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

read to 0xffff8880abfbdd88 of 1 bytes by task 21129 on cpu 1:
 __tcp_ack_snd_check+0x415/0x4f0 net/ipv4/tcp_input.c:5267
 tcp_ack_snd_check net/ipv4/tcp_input.c:5289 [inline]
 tcp_rcv_established+0x750/0xf50 net/ipv4/tcp_input.c:5710
 tcp_v4_do_rcv+0x3b5/0x520 net/ipv4/tcp_ipv4.c:1564
 sk_backlog_rcv include/net/sock.h:950 [inline]
 __release_sock+0x135/0x1e0 net/core/sock.c:2439
 release_sock+0x61/0x160 net/core/sock.c:2955
 sk_wait_data+0x10b/0x250 net/core/sock.c:2481
 tcp_recvmsg+0x5ac/0x1b40 net/ipv4/tcp.c:2098
 inet_recvmsg+0xbb/0x250 net/ipv4/af_inet.c:838
 sock_recvmsg_nosec net/socket.c:871 [inline]
 sock_recvmsg net/socket.c:889 [inline]
 sock_recvmsg+0x92/0xb0 net/socket.c:885
 ___sys_recvmsg+0x1a0/0x3e0 net/socket.c:2480
 do_recvmmsg+0x19a/0x5c0 net/socket.c:2601
 __sys_recvmmsg+0x1ef/0x200 net/socket.c:2680
 __do_sys_recvmmsg net/socket.c:2703 [inline]
 __se_sys_recvmmsg net/socket.c:2696 [inline]
 __x64_sys_recvmmsg+0x89/0xb0 net/socket.c:2696
 do_syscall_64+0xcc/0x370 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Reported by Kernel Concurrency Sanitizer on:
CPU: 1 PID: 21129 Comm: syz-executor.2 Not tainted 5.4.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
==================================================================

Crashes (4):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2019/11/27 23:19 https://github.com/google/ktsan.git kcsan ef798c30ba4e 0d63f89c .config console log report ci2-upstream-kcsan-gce
2019/11/13 23:12 https://github.com/google/ktsan.git kcsan 7f2955e0d056 048f2d49 .config console log report ci2-upstream-kcsan-gce
2019/11/04 21:43 https://github.com/google/ktsan.git kcsan 94c006602e13 18e12644 .config console log report ci2-upstream-kcsan-gce
2019/11/03 11:52 https://github.com/google/ktsan.git kcsan 05f2236801fe c9610487 .config console log report ci2-upstream-kcsan-gce
* Struck through repros no longer work on HEAD.