From: Hillf Danton
To: Thomas Gleixner
Cc: syzbot, dhowells@redhat.com, jarkko@kernel.org, jmorris@namei.org, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, linux-security-module@vger.kernel.org, paul@paul-moore.com, serge@hallyn.com, syzkaller-bugs@googlegroups.com, Tetsuo Handa, Linus Torvalds, Peter Zijlstra
Subject: Re: [syzbot] [keyrings?] [lsm?] WARNING in __mod_timer
Date: Tue, 28 Feb 2023 09:59:15 +0800
Message-Id: <20230228015915.2198-1-hdanton@sina.com>
In-Reply-To: <87ttz6n91c.ffs@tglx>
References: <000000000000af8f7c05f5a673bb@google.com>

On Mon, 27 Feb 2023 21:33:03 +0100 Thomas Gleixner
> On Sun, Feb 26 2023 at 19:55, syzbot wrote:
> > ODEBUG: assert_init not available (active state 0) object: ffffffff8d4fcbc0 object type: timer_list hint: key_gc_timer_func+0x0/0x80 security/keys/gc.c:117
>
> > WARNING: CPU: 1 PID: 10646 at lib/debugobjects.c:512 debug_object_assert_init+0x1f2/0x240 lib/debugobjects.c:899
> >  debug_assert_init kernel/time/timer.c:837 [inline]
> >  __mod_timer+0x10d/0xf40 kernel/time/timer.c:1020
> >  key_reject_and_link+0x3f5/0x6e0 security/keys/key.c:610
> >  key_negate_and_link include/linux/key-type.h:187 [inline]
> >  complete_request_key security/keys/request_key.c:64 [inline]
> >  call_sbin_request_key+0xa7b/0xcd0 security/keys/request_key.c:213
> >  construct_key security/keys/request_key.c:244 [inline]
> >  construct_key_and_link security/keys/request_key.c:503 [inline]
> >  request_key_and_link+0x11e3/0x18e0 security/keys/request_key.c:637
> >  __do_sys_request_key security/keys/keyctl.c:222 [inline]
> >  __se_sys_request_key+0x271/0x3b0 security/keys/keyctl.c:167
>
> This is odd. The timer object is statically allocated via
> DEFINE_TIMER(). That macro sets
>
>       timer.entry.next = TIMER_ENTRY_STATIC
>
> which is used to detect statically allocated timer objects via
> timer_is_static_object() and that checks for:
>
>       timer.entry.pprev == NULL && timer.entry.next == TIMER_ENTRY_STATIC

List operations like hlist_add_head() and __hlist_del() make
timer_is_static_object() return a false positive result.

>
> The only function which touches key_gc_timer is
>
>   key_reject_and_link()
>     mod_timer()
>       __mod_timer()
>         debug_assert_init()

Commit d02e382cef06 ("timers: Silently ignore timers with a NULL function")
added this assert.

>           debug_timer_assert_init()
>             debug_object_assert_init()
>               if (!lookup_object()) {
>                   if (!check_for_static_object()) <- Invokes timer_is_static_object()
>                       WARN()

	cpu 0						cpu 2
	---						---
	mod_timer()					mod_timer()
	__mod_timer()					__mod_timer()
	...						...
	debug_object_assert_init()
	raw_spin_lock_irqsave(&db->lock, flags);
	if (!lookup_object()) {
	raw_spin_unlock_irqrestore(&db->lock, flags);
							raw_spin_lock_irqsave(&db->lock, flags);
							if (!lookup_object()) {
							raw_spin_unlock_irqrestore(&db->lock, flags);
	if (check_for_static_object())
		fine;
							if (!check_for_static_object())
								WARN;

Depending on TIMER_ENTRY_STATIC makes check_for_static_object() fragile as
a static timer is always static regardless of whether it is enqueued. The
fragility is another explanation.

>
> If this is the first invocation of mod_timer(&key_gc_timer,...) then
> key_gc_timer is corrupted.
>
> If this is not the first invocation of mod_timer(&key_gc_timer,...) then
> the debugobjects hash is corrupted.
>
> Either way neither the timer code nor debugobjects have been changed
> since the 6.2 release and certainly are innocent here.
>
> That smells like a nasty memory corruption issue and the two other
> syzbot reports which arrived in my filtered inbox:
>
>   https://lore.kernel.org/all/000000000000d7894b05f5924787@google.com
>   https://lore.kernel.org/all/000000000000840dae05f5a7fb53@google.com
>
> point to memory corruption as well.
>
> The first one has a C reproducer. Can that be used for bisection?
>
> Thanks,
>
>         tglx
>
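
A userspace model of the static-object test discussed in this thread, added here as an illustration and not taken from the kernel or from either author. The pointer constants, the `detach()` helper and `static_check_trace()` are stand-ins assumed for the model; it shows that the test holds only in the untouched DEFINE_TIMER() state and fails once list operations have rewritten `entry`.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Userspace model: names mirror the mail, values and layout are stand-ins. */
struct hlist_node { struct hlist_node *next, **pprev; };
struct hlist_head { struct hlist_node *first; };
#define TIMER_ENTRY_STATIC ((struct hlist_node *)0x300)	/* assumed value */
#define LIST_POISON2       ((struct hlist_node *)0x122)	/* assumed value */

/* The static-object test quoted in the mail. */
static bool timer_is_static_object(const struct hlist_node *e)
{
	return e->pprev == NULL && e->next == TIMER_ENTRY_STATIC;
}

static void hlist_add_head(struct hlist_node *n, struct hlist_head *h)
{
	n->next = h->first;
	if (h->first)
		h->first->pprev = &n->next;
	h->first = n;
	n->pprev = &h->first;
}

/* Dequeue as modelled here (assumption): unlink, clear pprev, poison next. */
static void detach(struct hlist_node *n)
{
	*n->pprev = n->next;
	if (n->next)
		n->next->pprev = n->pprev;
	n->pprev = NULL;
	n->next = LIST_POISON2;
}

/* Bit 0: fresh DEFINE_TIMER() state, bit 1: enqueued, bit 2: dequeued. */
int static_check_trace(void)
{
	struct hlist_node e = { .next = TIMER_ENTRY_STATIC, .pprev = NULL };
	struct hlist_head bucket = { .first = NULL };
	int seen = timer_is_static_object(&e) << 0;

	hlist_add_head(&e, &bucket);
	seen |= timer_is_static_object(&e) << 1;
	detach(&e);
	seen |= timer_is_static_object(&e) << 2;
	return seen;
}

int main(void)
{
	printf("static-check bitmap: %d\n", static_check_trace());
	return 0;
}
```

Only bit 0 is set in the result: a caller that reaches the static test after the entry has been enqueued or dequeued no longer sees the object as static.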