bisecting fixing commit since fb683b5e3f53a73e761952735736180939a313df
building syzkaller on d973f52833e0e3cec5406aa9cdf606a463d85c46
testing commit fb683b5e3f53a73e761952735736180939a313df with gcc (GCC) 8.1.0
kernel signature: f8af5d2e57299926721b54fe47a5db7b09fb6c01
all runs: crashed: inconsistent lock state in sp_get
testing current HEAD cb1f9a169a0e197f93816ace48a6520e8640809d
testing commit cb1f9a169a0e197f93816ace48a6520e8640809d with gcc (GCC) 8.1.0
kernel signature: 6c4f374053671ab2066d336cc627832827993269
all runs: OK
# git bisect start cb1f9a169a0e197f93816ace48a6520e8640809d fb683b5e3f53a73e761952735736180939a313df
Bisecting: 453 revisions left to test after this (roughly 9 steps)
[009484c9411838b3be72ccd67690120f43530150] dma-buf: Fix memory leak in sync_file_merge()
testing commit 009484c9411838b3be72ccd67690120f43530150 with gcc (GCC) 8.1.0
kernel signature: 4738118ff23c37766e01ba0bfbbddc26aabc51a7
all runs: crashed: inconsistent lock state in sp_get
# git bisect good 009484c9411838b3be72ccd67690120f43530150
Bisecting: 226 revisions left to test after this (roughly 8 steps)
[c7ecf3e3a71c216327980f26b1e895ce9b07ad31] Linux 4.19.92
testing commit c7ecf3e3a71c216327980f26b1e895ce9b07ad31 with gcc (GCC) 8.1.0
kernel signature: a7d979d61ebcf1eae2821b2e9cd5e1e225a99764
all runs: crashed: inconsistent lock state in sp_get
# git bisect good c7ecf3e3a71c216327980f26b1e895ce9b07ad31
Bisecting: 113 revisions left to test after this (roughly 7 steps)
[3d40d7117e353b84627c1e8c5ed9ae0b1237ef5c] Linux 4.19.93
testing commit 3d40d7117e353b84627c1e8c5ed9ae0b1237ef5c with gcc (GCC) 8.1.0
kernel signature: b9e4b8f289eee9ca4e1393632127fb760ef5433f
all runs: OK
# git bisect bad 3d40d7117e353b84627c1e8c5ed9ae0b1237ef5c
Bisecting: 56 revisions left to test after this (roughly 6 steps)
[b0aede21b4f55ea7fe4411509c6d69604bfdb8d2] scsi: target: iscsi: Wait for all commands to finish before freeing a session
testing commit b0aede21b4f55ea7fe4411509c6d69604bfdb8d2 with gcc (GCC) 8.1.0
kernel signature: d6dd45dfffd847aa9dfaa7250862be339392005a
all runs: crashed: inconsistent lock state in sp_get
# git bisect good b0aede21b4f55ea7fe4411509c6d69604bfdb8d2
Bisecting: 28 revisions left to test after this (roughly 5 steps)
[9079830e74b2583ef6e723abb15ff5a1b6e8caa4] net: add a READ_ONCE() in skb_peek_tail()
testing commit 9079830e74b2583ef6e723abb15ff5a1b6e8caa4 with gcc (GCC) 8.1.0
kernel signature: 0617c2f03dbd57b021883a03292f845f7865d81e
all runs: OK
# git bisect bad 9079830e74b2583ef6e723abb15ff5a1b6e8caa4
Bisecting: 13 revisions left to test after this (roughly 4 steps)
[9df1ac5dd935ced295e291443c13415200b0afee] userfaultfd: require CAP_SYS_PTRACE for UFFD_FEATURE_EVENT_FORK
testing commit 9df1ac5dd935ced295e291443c13415200b0afee with gcc (GCC) 8.1.0
kernel signature: f0018bc23b6b37bd8fdcabd8a0f245e244eed2b3
all runs: crashed: inconsistent lock state in sp_get
# git bisect good 9df1ac5dd935ced295e291443c13415200b0afee
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[332ed88d96d8ac5d4510d8205affd1bb10e2cf6a] perf strbuf: Remove redundant va_end() in strbuf_addv()
testing commit 332ed88d96d8ac5d4510d8205affd1bb10e2cf6a with gcc (GCC) 8.1.0
kernel signature: 74e275e695f7682634427b9c2906a265e89a7205
all runs: crashed: inconsistent lock state in sp_get
# git bisect good 332ed88d96d8ac5d4510d8205affd1bb10e2cf6a
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[751e2557dec2138de64ef9d63078305b051ca04a] netfilter: ebtables: compat: reject all padding in matches/watchers
testing commit 751e2557dec2138de64ef9d63078305b051ca04a with gcc (GCC) 8.1.0
kernel signature: 9192d95d294e47ef46e5c6f7f46af8724c03d622
all runs: crashed: inconsistent lock state in sp_get
# git bisect good 751e2557dec2138de64ef9d63078305b051ca04a
Bisecting: 1 revision left to test after this (roughly 1 step)
[2ad86afcd92a9cfdd986369d0c2209260869c0f3] netfilter: bridge: make sure to pull arp header in br_nf_forward_arp()
testing commit 2ad86afcd92a9cfdd986369d0c2209260869c0f3 with gcc (GCC) 8.1.0
kernel signature: 325df7b1234bb061c61916135d5f5b893b522128
all runs: OK
# git bisect bad 2ad86afcd92a9cfdd986369d0c2209260869c0f3
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[9b8e63d0a6e8d39bcbff3d99c8c52dab7771a68f] 6pack,mkiss: fix possible deadlock
testing commit 9b8e63d0a6e8d39bcbff3d99c8c52dab7771a68f with gcc (GCC) 8.1.0
kernel signature: 250b45338d51b6879dc5308fd71aa1d81a3c88ff
all runs: OK
# git bisect bad 9b8e63d0a6e8d39bcbff3d99c8c52dab7771a68f
9b8e63d0a6e8d39bcbff3d99c8c52dab7771a68f is the first bad commit
commit 9b8e63d0a6e8d39bcbff3d99c8c52dab7771a68f
Author: Eric Dumazet
Date: Thu Dec 12 10:32:13 2019 -0800

    6pack,mkiss: fix possible deadlock

    commit 5c9934b6767b16ba60be22ec3cbd4379ad64170d upstream.

    We got another syzbot report [1] that tells us we must use
    write_lock_irq()/write_unlock_irq() to avoid possible deadlock.

    [1]

    WARNING: inconsistent lock state
    5.5.0-rc1-syzkaller #0 Not tainted
    --------------------------------
    inconsistent {HARDIRQ-ON-W} -> {IN-HARDIRQ-R} usage.
    syz-executor826/9605 [HC1[1]:SC0[0]:HE0:SE1] takes:
    ffffffff8a128718 (disc_data_lock){+-..}, at: sp_get.isra.0+0x1d/0xf0 drivers/net/ppp/ppp_synctty.c:138
    {HARDIRQ-ON-W} state was registered at:
      lock_acquire+0x190/0x410 kernel/locking/lockdep.c:4485
      __raw_write_lock_bh include/linux/rwlock_api_smp.h:203 [inline]
      _raw_write_lock_bh+0x33/0x50 kernel/locking/spinlock.c:319
      sixpack_close+0x1d/0x250 drivers/net/hamradio/6pack.c:657
      tty_ldisc_close.isra.0+0x119/0x1a0 drivers/tty/tty_ldisc.c:489
      tty_set_ldisc+0x230/0x6b0 drivers/tty/tty_ldisc.c:585
      tiocsetd drivers/tty/tty_io.c:2337 [inline]
      tty_ioctl+0xe8d/0x14f0 drivers/tty/tty_io.c:2597
      vfs_ioctl fs/ioctl.c:47 [inline]
      file_ioctl fs/ioctl.c:545 [inline]
      do_vfs_ioctl+0x977/0x14e0 fs/ioctl.c:732
      ksys_ioctl+0xab/0xd0 fs/ioctl.c:749
      __do_sys_ioctl fs/ioctl.c:756 [inline]
      __se_sys_ioctl fs/ioctl.c:754 [inline]
      __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:754
      do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
      entry_SYSCALL_64_after_hwframe+0x49/0xbe
    irq event stamp: 3946
    hardirqs last enabled at (3945): [] __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:168 [inline]
    hardirqs last enabled at (3945): [] _raw_spin_unlock_irq+0x23/0x80 kernel/locking/spinlock.c:199
    hardirqs last disabled at (3946): [] trace_hardirqs_off_thunk+0x1a/0x1c arch/x86/entry/thunk_64.S:42
    softirqs last enabled at (2658): [] spin_unlock_bh include/linux/spinlock.h:383 [inline]
    softirqs last enabled at (2658): [] clusterip_netdev_event+0x46f/0x670 net/ipv4/netfilter/ipt_CLUSTERIP.c:222
    softirqs last disabled at (2656): [] spin_lock_bh include/linux/spinlock.h:343 [inline]
    softirqs last disabled at (2656): [] clusterip_netdev_event+0x1bb/0x670 net/ipv4/netfilter/ipt_CLUSTERIP.c:196

    other info that might help us debug this:
     Possible unsafe locking scenario:

           CPU0
           ----
      lock(disc_data_lock);
        lock(disc_data_lock);

     *** DEADLOCK ***

    5 locks held by syz-executor826/9605:
     #0: ffff8880a905e198 (&tty->legacy_mutex){+.+.}, at: tty_lock+0xc7/0x130 drivers/tty/tty_mutex.c:19
     #1: ffffffff899a56c0 (rcu_read_lock){....}, at: mutex_spin_on_owner+0x0/0x330 kernel/locking/mutex.c:413
     #2: ffff8880a496a2b0 (&(&i->lock)->rlock){-.-.}, at: spin_lock include/linux/spinlock.h:338 [inline]
     #2: ffff8880a496a2b0 (&(&i->lock)->rlock){-.-.}, at: serial8250_interrupt+0x2d/0x1a0 drivers/tty/serial/8250/8250_core.c:116
     #3: ffffffff8c104048 (&port_lock_key){-.-.}, at: serial8250_handle_irq.part.0+0x24/0x330 drivers/tty/serial/8250/8250_port.c:1823
     #4: ffff8880a905e090 (&tty->ldisc_sem){++++}, at: tty_ldisc_ref+0x22/0x90 drivers/tty/tty_ldisc.c:288

    stack backtrace:
    CPU: 1 PID: 9605 Comm: syz-executor826 Not tainted 5.5.0-rc1-syzkaller #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    Call Trace:
     __dump_stack lib/dump_stack.c:77 [inline]
     dump_stack+0x197/0x210 lib/dump_stack.c:118
     print_usage_bug.cold+0x327/0x378 kernel/locking/lockdep.c:3101
     valid_state kernel/locking/lockdep.c:3112 [inline]
     mark_lock_irq kernel/locking/lockdep.c:3309 [inline]
     mark_lock+0xbb4/0x1220 kernel/locking/lockdep.c:3666
     mark_usage kernel/locking/lockdep.c:3554 [inline]
     __lock_acquire+0x1e55/0x4a00 kernel/locking/lockdep.c:3909
     lock_acquire+0x190/0x410 kernel/locking/lockdep.c:4485
     __raw_read_lock include/linux/rwlock_api_smp.h:149 [inline]
     _raw_read_lock+0x32/0x50 kernel/locking/spinlock.c:223
     sp_get.isra.0+0x1d/0xf0 drivers/net/ppp/ppp_synctty.c:138
     sixpack_write_wakeup+0x25/0x340 drivers/net/hamradio/6pack.c:402
     tty_wakeup+0xe9/0x120 drivers/tty/tty_io.c:536
     tty_port_default_wakeup+0x2b/0x40 drivers/tty/tty_port.c:50
     tty_port_tty_wakeup+0x57/0x70 drivers/tty/tty_port.c:387
     uart_write_wakeup+0x46/0x70 drivers/tty/serial/serial_core.c:104
     serial8250_tx_chars+0x495/0xaf0 drivers/tty/serial/8250/8250_port.c:1761
     serial8250_handle_irq.part.0+0x2a2/0x330 drivers/tty/serial/8250/8250_port.c:1834
     serial8250_handle_irq drivers/tty/serial/8250/8250_port.c:1820 [inline]
     serial8250_default_handle_irq+0xc0/0x150 drivers/tty/serial/8250/8250_port.c:1850
     serial8250_interrupt+0xf1/0x1a0 drivers/tty/serial/8250/8250_core.c:126
     __handle_irq_event_percpu+0x15d/0x970 kernel/irq/handle.c:149
     handle_irq_event_percpu+0x74/0x160 kernel/irq/handle.c:189
     handle_irq_event+0xa7/0x134 kernel/irq/handle.c:206
     handle_edge_irq+0x25e/0x8d0 kernel/irq/chip.c:830
     generic_handle_irq_desc include/linux/irqdesc.h:156 [inline]
     do_IRQ+0xde/0x280 arch/x86/kernel/irq.c:250
     common_interrupt+0xf/0xf arch/x86/entry/entry_64.S:607
    RIP: 0010:cpu_relax arch/x86/include/asm/processor.h:685 [inline]
    RIP: 0010:mutex_spin_on_owner+0x247/0x330 kernel/locking/mutex.c:579
    Code: c3 be 08 00 00 00 4c 89 e7 e8 e5 06 59 00 4c 89 e0 48 c1 e8 03 42 80 3c 38 00 0f 85 e1 00 00 00 49 8b 04 24 a8 01 75 96 f3 90 2f fe ff ff 0f 0b e8 0d 19 09 00 84 c0 0f 85 ff fd ff ff 48 c7
    RSP: 0018:ffffc90001eafa20 EFLAGS: 00000246 ORIG_RAX: ffffffffffffffd7
    RAX: 0000000000000000 RBX: ffff88809fd9e0c0 RCX: 1ffffffff13266dd
    RDX: 0000000000000000 RSI: 0000000000000008 RDI: 0000000000000000
    RBP: ffffc90001eafa60 R08: 1ffff11013d22898 R09: ffffed1013d22899
    R10: ffffed1013d22898 R11: ffff88809e9144c7 R12: ffff8880a905e138
    R13: ffff88809e9144c0 R14: 0000000000000000 R15: dffffc0000000000
     mutex_optimistic_spin kernel/locking/mutex.c:673 [inline]
     __mutex_lock_common kernel/locking/mutex.c:962 [inline]
     __mutex_lock+0x32b/0x13c0 kernel/locking/mutex.c:1106
     mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1121
     tty_lock+0xc7/0x130 drivers/tty/tty_mutex.c:19
     tty_release+0xb5/0xe90 drivers/tty/tty_io.c:1665
     __fput+0x2ff/0x890 fs/file_table.c:280
     ____fput+0x16/0x20 fs/file_table.c:313
     task_work_run+0x145/0x1c0 kernel/task_work.c:113
     exit_task_work include/linux/task_work.h:22 [inline]
     do_exit+0x8e7/0x2ef0 kernel/exit.c:797
     do_group_exit+0x135/0x360 kernel/exit.c:895
     __do_sys_exit_group kernel/exit.c:906 [inline]
     __se_sys_exit_group kernel/exit.c:904 [inline]
     __x64_sys_exit_group+0x44/0x50 kernel/exit.c:904
     do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
     entry_SYSCALL_64_after_hwframe+0x49/0xbe
    RIP: 0033:0x43fef8
    Code: Bad RIP value.
    RSP: 002b:00007ffdb07d2338 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
    RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043fef8
    RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
    RBP: 00000000004bf730 R08: 00000000000000e7 R09: ffffffffffffffd0
    R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001
    R13: 00000000006d1180 R14: 0000000000000000 R15: 0000000000000000

    Fixes: 6e4e2f811bad ("6pack,mkiss: fix lock inconsistency")
    Signed-off-by: Eric Dumazet
    Reported-by: syzbot
    Cc: Arnd Bergmann
    Signed-off-by: Jakub Kicinski
    Signed-off-by: Greg Kroah-Hartman

 drivers/net/hamradio/6pack.c | 4 ++--
 drivers/net/hamradio/mkiss.c | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
culprit signature: 250b45338d51b6879dc5308fd71aa1d81a3c88ff
parent signature: 9192d95d294e47ef46e5c6f7f46af8724c03d622
revisions tested: 12, total time: 3h3m26.918292715s (build: 1h44m27.055193947s, test: 1h18m3.984137607s)
first good commit: 9b8e63d0a6e8d39bcbff3d99c8c52dab7771a68f 6pack,mkiss: fix possible deadlock
cc: ["edumazet@google.com" "gregkh@linuxfoundation.org" "jakub.kicinski@netronome.com"]