Date: Tue, 7 Apr 2020 16:47:54 -0400
From: Peter Xu
To: syzbot
Cc: akpm@linux-foundation.org, bgeffon@google.com, linux-kernel@vger.kernel.org, linux-mm@kvack.org, syzkaller-bugs@googlegroups.com, torvalds@linux-foundation.org
Subject: Re: WARNING: bad unlock balance in __get_user_pages_remote
Message-ID: <20200407204754.GA66033@xz-x1>
In-Reply-To: <00000000000005c65d05a2b90e70@google.com>
References: <00000000000005c65d05a2b90e70@google.com>

On Tue, Apr 07, 2020 at 01:16:11PM -0700, syzbot wrote:
> Hello,
> 
> syzbot found the following crash on:
> 
> HEAD commit:    7e634208 Merge tag 'acpi-5.7-rc1-2' of git://git.kernel.or..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=169498ede00000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=12205d036cec317f
> dashboard link: https://syzkaller.appspot.com/bug?extid=a8c70b7f3579fc0587dc
> compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=17a41543e00000
> 
> The bug was bisected to:
> 
> commit 71335f37c5e8ec9225285206f7f875057b9737ad
> Author: Peter Xu
> Date:   Thu Apr 2 04:08:53 2020 +0000
> 
>     mm/gup: allow to react to fatal signals
> 
> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=17dba9b3e00000
> final crash:    https://syzkaller.appspot.com/x/report.txt?x=143ba9b3e00000
> console output: https://syzkaller.appspot.com/x/log.txt?x=103ba9b3e00000
> 
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+a8c70b7f3579fc0587dc@syzkaller.appspotmail.com
> Fixes: 71335f37c5e8 ("mm/gup: allow to react to fatal signals")
> 
> =====================================
> WARNING: bad unlock balance detected!
> 5.6.0-syzkaller #0 Not tainted
> -------------------------------------
> syz-executor.0/8429 is trying to release lock (&mm->mmap_sem) at:
> [] __get_user_pages_locked mm/gup.c:1366 [inline]
> [] __get_user_pages_remote mm/gup.c:1831 [inline]
> [] __get_user_pages_remote+0x540/0x740 mm/gup.c:1806
> but there are no more locks to release!
> 
> other info that might help us debug this:
> no locks held by syz-executor.0/8429.
> 
> stack backtrace:
> CPU: 0 PID: 8429 Comm: syz-executor.0 Not tainted 5.6.0-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Call Trace:
>  __dump_stack lib/dump_stack.c:77 [inline]
>  dump_stack+0x188/0x20d lib/dump_stack.c:118
>  __lock_release kernel/locking/lockdep.c:4633 [inline]
>  lock_release+0x586/0x800 kernel/locking/lockdep.c:4941
>  up_read+0x79/0x750 kernel/locking/rwsem.c:1573
>  __get_user_pages_locked mm/gup.c:1366 [inline]
>  __get_user_pages_remote mm/gup.c:1831 [inline]
>  __get_user_pages_remote+0x540/0x740 mm/gup.c:1806
>  pin_user_pages_remote+0x67/0xa0 mm/gup.c:2897
>  process_vm_rw_single_vec mm/process_vm_access.c:108 [inline]
>  process_vm_rw_core.isra.0+0x423/0x940 mm/process_vm_access.c:218
>  process_vm_rw+0x21f/0x240 mm/process_vm_access.c:286
>  __do_sys_process_vm_writev mm/process_vm_access.c:308 [inline]
>  __se_sys_process_vm_writev mm/process_vm_access.c:303 [inline]
>  __x64_sys_process_vm_writev+0xdf/0x1b0 mm/process_vm_access.c:303
>  do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
>  entry_SYSCALL_64_after_hwframe+0x49/0xb3
> RIP: 0033:0x45c879
> Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
> RSP: 002b:00007fa1008bac78 EFLAGS: 00000246 ORIG_RAX: 0000000000000137
> RAX: ffffffffffffffda RBX: 00007fa1008bb6d4 RCX: 000000000045c879
> RDX: 0000000000000001 RSI: 0000000020c22000 RDI: 0000000000000009
> RBP: 000000000076bf00 R08: 0000000000000001 R09: 0000000000000000
> R10: 0000000020c22fa0 R11: 0000000000000246 R12: 00000000ffffffff
> R13: 000000000000085d R14: 00000000004cb1ee R15: 000000000076bf0c
> ------------[ cut here ]------------
> DEBUG_RWSEMS_WARN_ON(tmp < 0): count = 0xffffffffffffff00, magic = 0xffff888094028338, owner = 0x3, curr 0xffff888093cbc500, list empty
> WARNING: CPU: 0 PID: 8429 at kernel/locking/rwsem.c:1435 __up_read kernel/locking/rwsem.c:1435 [inline]
> WARNING: CPU: 0 PID: 8429 at kernel/locking/rwsem.c:1435 up_read+0x5f9/0x750 kernel/locking/rwsem.c:1574

Indeed the original commit is problematic, sorry for that. The fix should be attached below.

According to the syzbot documentation, it should understand the patch attached inline in the email and apply it on the tree, then I think what we need is just:

#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

Thanks,

8<-----------------------------------------------------------------------

From 1be80593076b9630265e118696e74fa17276124f Mon Sep 17 00:00:00 2001
From: Peter Xu
Date: Tue, 7 Apr 2020 16:34:50 -0400
Subject: [PATCH] mm/gup: Mark lock taken only after a successful retake

It's definitely incorrect to mark the lock as taken even if
down_read_killable() failed. It was overlooked when we switched from
down_read() to down_read_killable() because down_read() won't fail
while down_read_killable() could.

Reported-by: syzbot+a8c70b7f3579fc0587dc@syzkaller.appspotmail.com
Fixes: 71335f37c5e8 ("mm/gup: allow to react to fatal signals")
Signed-off-by: Peter Xu
---
 mm/gup.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mm/gup.c b/mm/gup.c
index da3e03185144..1f9a9b3a5869 100644
--- a/mm/gup.c
+++ b/mm/gup.c
@@ -1328,7 +1328,6 @@ static __always_inline long __get_user_pages_locked(s= truct task_struct *tsk, =09=09if (fatal_signal_pending(current)) =09=09=09break; =20 -=09=09*locked =3D 1; =09=09ret =3D down_read_killable(&mm->mmap_sem); =09=09if (ret) { =09=09=09BUG_ON(ret > 0); @@ -1337,6 +1336,7 @@ static __always_inline long __get_user_pages_locked(s= truct task_struct *tsk, =09=09=09break; =09=09} =20 +=09=09*locked =3D 1; =09=09ret =3D __get_user_pages(tsk, mm, start, 1, flags | FOLL_TRIED, =09=09=09=09 pages, NULL, locked); =09=09if (!*locked) { --=20 2.24.1 --=20 Peter Xu
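Review bot: after this removal the error path (`if (ret) { ... break; }`) leaves `*locked` at whatever value it had on entry, so the fix is only complete if `*locked` is already 0 each time the retry loop reaches `down_read_killable()`; that is cleared where the lock was dropped, outside this hunk, and is worth confirming in the full function. With the assignment where it was, a fatal signal made `down_read_killable()` fail, `break` left `*locked` set although `mmap_sem` was never retaken, and the caller's `up_read()` then released a lock it did not own, which is exactly the lockdep "bad unlock balance" and DEBUG_RWSEMS warnings quoted above.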
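Review bot: `*locked = 1;` now sits immediately after the `if (ret) { ... }` error check and right before `__get_user_pages(...)`, which keeps the set/call/`if (!*locked)` sequence consistent: the flag is set only once `mmap_sem` is really held, and the callee can still clear it if it drops the lock. Suggest a one-line comment above the assignment saying it must stay after the `down_read_killable()` error check, since the earlier placement looked natural enough to pass review once and a future refactor could hoist it back.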
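The ordering mistake the commit message describes, reduced to a user-space model so the two orderings can be compared side by side. This is an added example, not code from the kernel, from the patch or from this thread: `toy_rwsem`, `toy_down_read_killable`, `toy_up_read`, `retake_lock` and `caller_cleanup` are invented stand-ins for `mmap_sem`, `down_read_killable()`, `up_read()`, the retake step of the gup retry loop and the caller that trusts `*locked`; the value -4 plays the part of -EINTR. The debug counter in `toy_up_read` models what DEBUG_RWSEMS and lockdep reported above: a release with no matching acquire.

```c
#include <stdio.h>
#include <stdbool.h>

/* Hypothetical toy rwsem: only the reader count and a debug counter for
 * unbalanced releases matter for this illustration. */
struct toy_rwsem {
    int readers;          /* readers currently holding the lock */
    int unbalanced_ups;   /* up_read() calls with nothing to release */
};

/* Stand-in for down_read_killable(): fails with -4 (-EINTR) and does NOT
 * take the lock when a fatal signal is pending. */
static int toy_down_read_killable(struct toy_rwsem *sem, bool fatal_signal)
{
    if (fatal_signal)
        return -4;
    sem->readers++;
    return 0;
}

/* Stand-in for up_read() under DEBUG_RWSEMS: a release with no matching
 * acquire is counted rather than silently driving the count negative. */
static void toy_up_read(struct toy_rwsem *sem)
{
    if (sem->readers <= 0) {
        sem->unbalanced_ups++;
        return;
    }
    sem->readers--;
}

/* The retake step of the gup retry loop, in the ordering before the patch
 * (buggy == true) and after it (buggy == false). `locked` plays the role
 * of the int *locked shared with the caller. Returns 0 or the lock error. */
static int retake_lock(struct toy_rwsem *sem, int *locked,
                       bool fatal_signal, bool buggy)
{
    int ret;

    if (buggy)
        *locked = 1;              /* claimed before the lock call can fail */
    ret = toy_down_read_killable(sem, fatal_signal);
    if (ret)
        return ret;               /* the loop breaks here on a fatal signal */
    if (!buggy)
        *locked = 1;              /* only once the lock is really held */
    return 0;
}

/* Caller cleanup: it trusts *locked to decide whether to up_read(). */
static void caller_cleanup(struct toy_rwsem *sem, int *locked)
{
    if (*locked) {
        toy_up_read(sem);
        *locked = 0;
    }
}

/* Scenario: lock already dropped (*locked == 0), retake attempted with a
 * fatal signal pending, then caller cleanup. Returns how many unbalanced
 * up_read() calls the debug check saw: 1 for the buggy ordering, 0 fixed. */
int unbalanced_after_fatal_signal(bool buggy)
{
    struct toy_rwsem sem = { 0, 0 };
    int locked = 0;

    retake_lock(&sem, &locked, true, buggy);
    caller_cleanup(&sem, &locked);
    return sem.unbalanced_ups;
}

/* Same scenario without a signal: both orderings take and release the lock
 * cleanly. Returns the reader count after cleanup (expected 0). */
int readers_after_clean_retake(bool buggy)
{
    struct toy_rwsem sem = { 0, 0 };
    int locked = 0;

    retake_lock(&sem, &locked, false, buggy);
    caller_cleanup(&sem, &locked);
    return sem.readers;
}

int main(void)
{
    printf("fatal signal, buggy ordering: %d unbalanced up_read\n",
           unbalanced_after_fatal_signal(true));
    printf("fatal signal, fixed ordering: %d unbalanced up_read\n",
           unbalanced_after_fatal_signal(false));
    return 0;
}
```

The point the model makes is that `*locked` is a promise to the caller, and a promise made before a fallible acquire is a promise that may be false; the only safe place to set it is after the acquire has been confirmed, which is where the second hunk of the patch puts it.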