Re: [syzbot] possible deadlock in io_poll_double_wake (3)
On Thu, Apr 15, 2021 at 9:23 AM Hillf Danton wrote: > > On Tue, 13 Apr 2021 14:07:16 > > Hello, > > > > syzbot found the following issue on: > > > > HEAD commit:17e7124a Merge tag '5.12-rc6-smb3' of git://git.samba.org/.. > > git tree: upstream > > console output: https://syzkaller.appspot.com/x/log.txt?x=102c3891d0 > > kernel config: https://syzkaller.appspot.com/x/.config?x=9320464bf47598bd > > dashboard link: https://syzkaller.appspot.com/bug?extid=e654d4e15e6b3b9deb53 > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15fe3096d0 > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=147b9431d0 > > > > IMPORTANT: if you fix the issue, please add the following tag to the commit: > > Reported-by: syzbot+e654d4e15e6b3b9de...@syzkaller.appspotmail.com > > > > > > WARNING: possible recursive locking detected > > 5.12.0-rc6-syzkaller #0 Not tainted > > > > swapper/0/0 is trying to acquire lock: > > 88802108c130 (>sleep){..-.}-{2:2}, at: spin_lock > > include/linux/spinlock.h:354 [inline] > > 88802108c130 (>sleep){..-.}-{2:2}, at: > > io_poll_double_wake+0x25f/0x6a0 fs/io_uring.c:4988 > > > > but task is already holding lock: > > 888014fd8130 (>sleep){..-.}-{2:2}, at: > > __wake_up_common_lock+0xb4/0x130 kernel/sched/wait.c:137 > > > > other info that might help us debug this: > > Possible unsafe locking scenario: > > > >CPU0 > > > > lock(>sleep); > > lock(>sleep); > > > > *** DEADLOCK *** > > Wasnt it fixed by 1c3b3e6527e57, given the same call trace at the first > glance? 1c3b3e6527e57 is present in the tested tree on 17e7124a. So syzbot just gave the answer to your question. > > May be due to missing lock nesting notation > > > > 2 locks held by swapper/0/0: > > #0: 888020d18108 (>lock){..-.}-{2:2}, at: > > _snd_pcm_stream_lock_irqsave+0x9f/0xd0 sound/core/pcm_native.c:170 > > #1: 888014fd8130 (>sleep){..-.}-{2:2}, at: > > __wake_up_common_lock+0xb4/0x130 kernel/sched/wait.c:137 > > > > stack backtrace: > > CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.12.0-rc6-syzkaller #0 > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS > > Google 01/01/2011 > > Call Trace: > > > > __dump_stack lib/dump_stack.c:79 [inline] > > dump_stack+0x141/0x1d7 lib/dump_stack.c:120 > > print_deadlock_bug kernel/locking/lockdep.c:2829 [inline] > > check_deadlock kernel/locking/lockdep.c:2872 [inline] > > validate_chain kernel/locking/lockdep.c:3661 [inline] > > __lock_acquire.cold+0x14c/0x3b4 kernel/locking/lockdep.c:4900 > > lock_acquire kernel/locking/lockdep.c:5510 [inline] > > lock_acquire+0x1ab/0x740 kernel/locking/lockdep.c:5475 > > __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] > > _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:151 > > spin_lock include/linux/spinlock.h:354 [inline] > > io_poll_double_wake+0x25f/0x6a0 fs/io_uring.c:4988 > > __wake_up_common+0x147/0x650 kernel/sched/wait.c:108 > > __wake_up_common_lock+0xd0/0x130 kernel/sched/wait.c:138 > > snd_pcm_update_state+0x46a/0x540 sound/core/pcm_lib.c:203 > > snd_pcm_update_hw_ptr0+0xa75/0x1a50 sound/core/pcm_lib.c:464 > > snd_pcm_period_elapsed+0x160/0x250 sound/core/pcm_lib.c:1805 > > dummy_hrtimer_callback+0x94/0x1b0 sound/drivers/dummy.c:377 > > __run_hrtimer kernel/time/hrtimer.c:1537 [inline] > > __hrtimer_run_queues+0x609/0xe40 kernel/time/hrtimer.c:1601 > > hrtimer_run_softirq+0x17b/0x360 kernel/time/hrtimer.c:1618 > > __do_softirq+0x29b/0x9f6 kernel/softirq.c:345 > > invoke_softirq kernel/softirq.c:221 [inline] > > __irq_exit_rcu kernel/softirq.c:422 [inline] > > irq_exit_rcu+0x134/0x200 kernel/softirq.c:434 > > sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1100 > > > > asm_sysvec_apic_timer_interrupt+0x12/0x20 > > arch/x86/include/asm/idtentry.h:632 > > RIP: 0010:native_save_fl arch/x86/include/asm/irqflags.h:29 [inline] > > RIP: 0010:arch_local_save_flags arch/x86/include/asm/irqflags.h:70 [inline] > > RIP: 0010:arch_irqs_disabled arch/x86/include/asm/irqflags.h:137 [inline] > > RIP: 0010:acpi_safe_halt drivers/acpi/processor_idle.c:112 [inline] > > RIP: 0010:acpi_idle_do_entry+0x1c9/0x250 drivers/acpi/processor_idle.c:517 > > Code: cd cb 6e f8 84 db 75 ac e8 14 c5 6e f8 e8 1f b4 74 f8 e9 0c 00 00 00 > > e8 05 c5 6e f8 0f 00 2d 0e 18 c8 00 e8 f9 c4 6e f8 fb f4 <9c> 5b 81 e3 00 > > 02 00 00 fa 31 ff 48 89 de e8 04 cd 6e f8 48 85 db > > RSP: 0018:8bc07d60 EFLAGS: 0293 > > RAX: RBX: RCX: > > RDX: 8bcbc400 RSI: 89052c17 RDI: > > RBP: 888015078064 R08: 0001 R09: 0001 > > R10: 8179e058 R11: R12: 0001 > > R13: 888015078000 R14: 888015078064 R15: 888143a48004 > > acpi_idle_enter+0x361/0x500
[syzbot] possible deadlock in io_poll_double_wake (3)
Hello, syzbot found the following issue on: HEAD commit:17e7124a Merge tag '5.12-rc6-smb3' of git://git.samba.org/.. git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=102c3891d0 kernel config: https://syzkaller.appspot.com/x/.config?x=9320464bf47598bd dashboard link: https://syzkaller.appspot.com/bug?extid=e654d4e15e6b3b9deb53 syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15fe3096d0 C reproducer: https://syzkaller.appspot.com/x/repro.c?x=147b9431d0 IMPORTANT: if you fix the issue, please add the following tag to the commit: Reported-by: syzbot+e654d4e15e6b3b9de...@syzkaller.appspotmail.com WARNING: possible recursive locking detected 5.12.0-rc6-syzkaller #0 Not tainted swapper/0/0 is trying to acquire lock: 88802108c130 (>sleep){..-.}-{2:2}, at: spin_lock include/linux/spinlock.h:354 [inline] 88802108c130 (>sleep){..-.}-{2:2}, at: io_poll_double_wake+0x25f/0x6a0 fs/io_uring.c:4988 but task is already holding lock: 888014fd8130 (>sleep){..-.}-{2:2}, at: __wake_up_common_lock+0xb4/0x130 kernel/sched/wait.c:137 other info that might help us debug this: Possible unsafe locking scenario: CPU0 lock(>sleep); lock(>sleep); *** DEADLOCK *** May be due to missing lock nesting notation 2 locks held by swapper/0/0: #0: 888020d18108 (>lock){..-.}-{2:2}, at: _snd_pcm_stream_lock_irqsave+0x9f/0xd0 sound/core/pcm_native.c:170 #1: 888014fd8130 (>sleep){..-.}-{2:2}, at: __wake_up_common_lock+0xb4/0x130 kernel/sched/wait.c:137 stack backtrace: CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.12.0-rc6-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x141/0x1d7 lib/dump_stack.c:120 print_deadlock_bug kernel/locking/lockdep.c:2829 [inline] check_deadlock kernel/locking/lockdep.c:2872 [inline] validate_chain kernel/locking/lockdep.c:3661 [inline] __lock_acquire.cold+0x14c/0x3b4 kernel/locking/lockdep.c:4900 lock_acquire kernel/locking/lockdep.c:5510 [inline] lock_acquire+0x1ab/0x740 kernel/locking/lockdep.c:5475 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:151 spin_lock include/linux/spinlock.h:354 [inline] io_poll_double_wake+0x25f/0x6a0 fs/io_uring.c:4988 __wake_up_common+0x147/0x650 kernel/sched/wait.c:108 __wake_up_common_lock+0xd0/0x130 kernel/sched/wait.c:138 snd_pcm_update_state+0x46a/0x540 sound/core/pcm_lib.c:203 snd_pcm_update_hw_ptr0+0xa75/0x1a50 sound/core/pcm_lib.c:464 snd_pcm_period_elapsed+0x160/0x250 sound/core/pcm_lib.c:1805 dummy_hrtimer_callback+0x94/0x1b0 sound/drivers/dummy.c:377 __run_hrtimer kernel/time/hrtimer.c:1537 [inline] __hrtimer_run_queues+0x609/0xe40 kernel/time/hrtimer.c:1601 hrtimer_run_softirq+0x17b/0x360 kernel/time/hrtimer.c:1618 __do_softirq+0x29b/0x9f6 kernel/softirq.c:345 invoke_softirq kernel/softirq.c:221 [inline] __irq_exit_rcu kernel/softirq.c:422 [inline] irq_exit_rcu+0x134/0x200 kernel/softirq.c:434 sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1100 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:632 RIP: 0010:native_save_fl arch/x86/include/asm/irqflags.h:29 [inline] RIP: 0010:arch_local_save_flags arch/x86/include/asm/irqflags.h:70 [inline] RIP: 0010:arch_irqs_disabled arch/x86/include/asm/irqflags.h:137 [inline] RIP: 0010:acpi_safe_halt drivers/acpi/processor_idle.c:112 [inline] RIP: 0010:acpi_idle_do_entry+0x1c9/0x250 drivers/acpi/processor_idle.c:517 Code: cd cb 6e f8 84 db 75 ac e8 14 c5 6e f8 e8 1f b4 74 f8 e9 0c 00 00 00 e8 05 c5 6e f8 0f 00 2d 0e 18 c8 00 e8 f9 c4 6e f8 fb f4 <9c> 5b 81 e3 00 02 00 00 fa 31 ff 48 89 de e8 04 cd 6e f8 48 85 db RSP: 0018:8bc07d60 EFLAGS: 0293 RAX: RBX: RCX: RDX: 8bcbc400 RSI: 89052c17 RDI: RBP: 888015078064 R08: 0001 R09: 0001 R10: 8179e058 R11: R12: 0001 R13: 888015078000 R14: 888015078064 R15: 888143a48004 acpi_idle_enter+0x361/0x500 drivers/acpi/processor_idle.c:654 cpuidle_enter_state+0x1b1/0xc80 drivers/cpuidle/cpuidle.c:237 cpuidle_enter+0x4a/0xa0 drivers/cpuidle/cpuidle.c:351 call_cpuidle kernel/sched/idle.c:158 [inline] cpuidle_idle_call kernel/sched/idle.c:239 [inline] do_idle+0x3e1/0x590 kernel/sched/idle.c:300 --- This report is generated by a bot. It may contain errors. See https://goo.gl/tpsmEJ for more information about syzbot. syzbot engineers can be reached at syzkal...@googlegroups.com. syzbot will keep track of this issue. See: https://goo.gl/tpsmEJ#status for how to communicate with syzbot. syzbot can test patches for this issue, for details see:
Re: possible deadlock in io_poll_double_wake (2)
On 3/2/21 11:52 PM, Hillf Danton wrote: > Tue, 02 Mar 2021 10:59:05 -0800 >> Hello, >> >> syzbot has tested the proposed patch but the reproducer is still triggering >> an issue: >> possible deadlock in io_poll_double_wake >> >> >> WARNING: possible recursive locking detected >> 5.12.0-rc1-syzkaller #0 Not tainted >> >> syz-executor.4/10454 is trying to acquire lock: >> 8880343cc130 (>sleep){..-.}-{2:2}, at: spin_lock >> include/linux/spinlock.h:354 [inline] >> 8880343cc130 (>sleep){..-.}-{2:2}, at: >> io_poll_double_wake+0x25f/0x6a0 fs/io_uring.c:4925 >> >> but task is already holding lock: >> 888034e3b130 (>sleep){..-.}-{2:2}, at: >> __wake_up_common_lock+0xb4/0x130 kernel/sched/wait.c:137 >> >> other info that might help us debug this: >> Possible unsafe locking scenario: >> >>CPU0 >> >> lock(>sleep); >> lock(>sleep); >> >> *** DEADLOCK *** >> >> May be due to missing lock nesting notation >> >> 4 locks held by syz-executor.4/10454: >> #0: 888018cc8128 (>uring_lock){+.+.}-{3:3}, at: >> __do_sys_io_uring_enter+0x1146/0x2200 fs/io_uring.c:9113 >> #1: 888021692440 (>oss.params_lock){+.+.}-{3:3}, at: >> snd_pcm_oss_change_params sound/core/oss/pcm_oss.c:1087 [inline] >> #1: 888021692440 (>oss.params_lock){+.+.}-{3:3}, at: >> snd_pcm_oss_make_ready+0xc7/0x1b0 sound/core/oss/pcm_oss.c:1149 >> #2: 888020273908 (>lock){..-.}-{2:2}, at: >> _snd_pcm_stream_lock_irqsave+0x9f/0xd0 sound/core/pcm_native.c:170 >> #3: 888034e3b130 (>sleep){..-.}-{2:2}, at: >> __wake_up_common_lock+0xb4/0x130 kernel/sched/wait.c:137 >> >> stack backtrace: >> CPU: 0 PID: 10454 Comm: syz-executor.4 Not tainted 5.12.0-rc1-syzkaller #0 >> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS >> Google 01/01/2011 >> Call Trace: >> >> __dump_stack lib/dump_stack.c:79 [inline] >> dump_stack+0xfa/0x151 lib/dump_stack.c:120 >> print_deadlock_bug kernel/locking/lockdep.c:2829 [inline] >> check_deadlock kernel/locking/lockdep.c:2872 [inline] >> validate_chain kernel/locking/lockdep.c:3661 [inline] >> __lock_acquire.cold+0x14c/0x3b4 kernel/locking/lockdep.c:4900 >> lock_acquire kernel/locking/lockdep.c:5510 [inline] >> lock_acquire+0x1ab/0x730 kernel/locking/lockdep.c:5475 >> __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] >> _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:151 >> spin_lock include/linux/spinlock.h:354 [inline] >> io_poll_double_wake+0x25f/0x6a0 fs/io_uring.c:4925 >> __wake_up_common+0x147/0x650 kernel/sched/wait.c:108 >> __wake_up_common_lock+0xd0/0x130 kernel/sched/wait.c:138 >> snd_pcm_update_state+0x46a/0x540 sound/core/pcm_lib.c:203 >> snd_pcm_update_hw_ptr0+0xa75/0x1a50 sound/core/pcm_lib.c:464 >> snd_pcm_period_elapsed+0x160/0x250 sound/core/pcm_lib.c:1805 >> dummy_hrtimer_callback+0x94/0x1b0 sound/drivers/dummy.c:378 >> __run_hrtimer kernel/time/hrtimer.c:1519 [inline] >> __hrtimer_run_queues+0x609/0xe40 kernel/time/hrtimer.c:1583 >> hrtimer_run_softirq+0x17b/0x360 kernel/time/hrtimer.c:1600 >> __do_softirq+0x29b/0x9f6 kernel/softirq.c:345 >> invoke_softirq kernel/softirq.c:221 [inline] >> __irq_exit_rcu kernel/softirq.c:422 [inline] >> irq_exit_rcu+0x134/0x200 kernel/softirq.c:434 >> sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1100 >> >> asm_sysvec_apic_timer_interrupt+0x12/0x20 >> arch/x86/include/asm/idtentry.h:632 >> RIP: 0010:unwind_next_frame+0xde0/0x2000 arch/x86/kernel/unwind_orc.c:611 >> Code: 48 b8 00 00 00 00 00 fc ff df 4c 89 fa 48 c1 ea 03 0f b6 04 02 84 c0 >> 74 08 3c 03 0f 8e 83 0f 00 00 41 3b 2f 0f 84 c1 05 00 00 01 00 00 00 e8 >> 16 95 1b 00 b8 01 00 00 00 65 8b 15 ca a8 cf 7e >> RSP: 0018:c9000b447168 EFLAGS: 0287 >> RAX: c9000b448001 RBX: 192001688e35 RCX: 192001688e01 >> RDX: c9000b447ae8 RSI: c9000b447ab0 RDI: c9000b447250 >> RBP: c9000b447ae0 R08: 8dac0810 R09: 0001 >> R10: 00084087 R11: 0001 R12: c9000b44 >> R13: c9000b447275 R14: c9000b447290 R15: c9000b447240 >> arch_stack_walk+0x7d/0xe0 arch/x86/kernel/stacktrace.c:25 >> stack_trace_save+0x8c/0xc0 kernel/stacktrace.c:121 >> kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 >> kasan_set_track+0x1c/0x30 mm/kasan/common.c:
回复: possible deadlock in io_poll_double_wake (2)
发件人: Zhang, Qiang 发送时间: 2021年3月3日 20:15 收件人: Jens Axboe; syzbot; asml.sile...@gmail.com; io-ur...@vger.kernel.org; linux-fsde...@vger.kernel.org; linux-kernel@vger.kernel.org; syzkaller-b...@googlegroups.com; v...@zeniv.linux.org.uk 主题: 回复: possible deadlock in io_poll_double_wake (2) 发件人: Jens Axboe 发送时间: 2021年3月3日 1:20 收件人: syzbot; asml.sile...@gmail.com; io-ur...@vger.kernel.org; linux-fsde...@vger.kernel.org; linux-kernel@vger.kernel.org; syzkaller-b...@googlegroups.com; v...@zeniv.linux.org.uk 主题: Re: possible deadlock in io_poll_double_wake (2) [Please note: This e-mail is from an EXTERNAL e-mail address] On 2/28/21 9:18 PM, syzbot wrote: > Hello, > > syzbot has tested the proposed patch but the reproducer is still triggering > an issue: > possible deadlock in io_poll_double_wake > > ==== > WARNING: possible recursive locking detected > 5.11.0-syzkaller #0 Not tainted > > syz-executor.0/10241 is trying to acquire lock: > 888012e09130 (>sleep){..-.}-{2:2}, at: spin_lock > include/linux/spinlock.h:354 [inline] > 888012e09130 (>sleep){..-.}-{2:2}, at: > io_poll_double_wake+0x25f/0x6a0 fs/io_uring.c:4921 > > but task is already holding lock: > 888013b00130 (>sleep){..-.}-{2:2}, at: > __wake_up_common_lock+0xb4/0x130 kernel/sched/wait.c:137 > > other info that might help us debug this: > Possible unsafe locking scenario: > >CPU0 > > lock(>sleep); > lock(>sleep); > > *** DEADLOCK *** > > May be due to missing lock nesting notation > >Since the fix is in yet this keeps failing (and I didn't get it), >I looked >closer at this report. While the names of the locks are the >same, they are >really two different locks. So let's try this... >Hello Jens Axboe Sorry for I make noise, please ignore this information. >Sorry, I provided the wrong information before. >I'm not very familiar with io_uring, before we start >vfs_poll again, should >we set 'poll->head = NULL' ? > >diff --git a/fs/io_uring.c b/fs/io_uring.c >index 42b675939582..cae605c14510 100644 >--- a/fs/io_uring.c >+++ b/fs/io_uring.c >@@ -4824,7 +4824,7 @@ static bool io_poll_rewait(struct >io_kiocb *req, struct >io_poll_iocb *poll) > >if (!req->result && !READ_ONCE(poll->canceled)) { >struct poll_table_struct pt = { ._key = poll->events >}; >- >+ poll->head = NULL; >req->result = vfs_poll(req->file, ) & >poll->events; >} >Thanks >Qiang > >#syz test: git://git.kernel.dk/linux-block syzbot-test > >-- >Jens Axboe
回复: possible deadlock in io_poll_double_wake (2)
发件人: Jens Axboe 发送时间: 2021年3月3日 1:20 收件人: syzbot; asml.sile...@gmail.com; io-ur...@vger.kernel.org; linux-fsde...@vger.kernel.org; linux-kernel@vger.kernel.org; syzkaller-b...@googlegroups.com; v...@zeniv.linux.org.uk 主题: Re: possible deadlock in io_poll_double_wake (2) [Please note: This e-mail is from an EXTERNAL e-mail address] On 2/28/21 9:18 PM, syzbot wrote: > Hello, > > syzbot has tested the proposed patch but the reproducer is still triggering > an issue: > possible deadlock in io_poll_double_wake > > ==== > WARNING: possible recursive locking detected > 5.11.0-syzkaller #0 Not tainted > > syz-executor.0/10241 is trying to acquire lock: > 888012e09130 (>sleep){..-.}-{2:2}, at: spin_lock > include/linux/spinlock.h:354 [inline] > 888012e09130 (>sleep){..-.}-{2:2}, at: > io_poll_double_wake+0x25f/0x6a0 fs/io_uring.c:4921 > > but task is already holding lock: > 888013b00130 (>sleep){..-.}-{2:2}, at: > __wake_up_common_lock+0xb4/0x130 kernel/sched/wait.c:137 > > other info that might help us debug this: > Possible unsafe locking scenario: > >CPU0 > > lock(>sleep); > lock(>sleep); > > *** DEADLOCK *** > > May be due to missing lock nesting notation > >Since the fix is in yet this keeps failing (and I didn't get it), >I looked >closer at this report. While the names of the locks are the >same, they are >really two different locks. So let's try this... Hello Jens Axboe Sorry, I provided the wrong information before. I'm not very familiar with io_uring, before we start vfs_poll again, should we set 'poll->head = NULL' ? diff --git a/fs/io_uring.c b/fs/io_uring.c index 42b675939582..cae605c14510 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -4824,7 +4824,7 @@ static bool io_poll_rewait(struct io_kiocb *req, struct io_poll_iocb *poll) if (!req->result && !READ_ONCE(poll->canceled)) { struct poll_table_struct pt = { ._key = poll->events }; - + poll->head = NULL; req->result = vfs_poll(req->file, ) & poll->events; } Thanks Qiang > >#syz test: git://git.kernel.dk/linux-block syzbot-test > >-- >Jens Axboe
Re: possible deadlock in io_poll_double_wake (2)
Hello, syzbot has tested the proposed patch but the reproducer is still triggering an issue: possible deadlock in io_poll_double_wake poll and dpoll head different WARNING: possible recursive locking detected 5.12.0-rc1-syzkaller #0 Not tainted kworker/1:3/8637 is trying to acquire lock: 888040471130 (>sleep){..-.}-{2:2}, at: spin_lock include/linux/spinlock.h:354 [inline] 888040471130 (>sleep){..-.}-{2:2}, at: io_poll_double_wake.cold+0x115/0x4e0 fs/io_uring.c:4931 but task is already holding lock: 888040473130 (>sleep){..-.}-{2:2}, at: __wake_up_common_lock+0xb4/0x130 kernel/sched/wait.c:137 other info that might help us debug this: Possible unsafe locking scenario: CPU0 lock(>sleep); lock(>sleep); *** DEADLOCK *** May be due to missing lock nesting notation 5 locks held by kworker/1:3/8637: #0: 888020d60938 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline] #0: 888020d60938 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: atomic64_set include/asm-generic/atomic-instrumented.h:856 [inline] #0: 888020d60938 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: atomic_long_set include/asm-generic/atomic-long.h:41 [inline] #0: 888020d60938 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:616 [inline] #0: 888020d60938 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline] #0: 888020d60938 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_one_work+0x871/0x1600 kernel/workqueue.c:2246 #1: c900027bfda8 ((work_completion)(&(>dad_work)->work)){+.+.}-{0:0}, at: process_one_work+0x8a5/0x1600 kernel/workqueue.c:2250 #2: 8ce7d028 (rtnl_mutex){+.+.}-{3:3}, at: addrconf_dad_work+0xa3/0x12b0 net/ipv6/addrconf.c:4031 #3: 8880209d8908 (>lock){..-.}-{2:2}, at: _snd_pcm_stream_lock_irqsave+0x9f/0xd0 sound/core/pcm_native.c:170 #4: 888040473130 (>sleep){..-.}-{2:2}, at: __wake_up_common_lock+0xb4/0x130 kernel/sched/wait.c:137 stack backtrace: CPU: 1 PID: 8637 Comm: kworker/1:3 Not tainted 5.12.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: ipv6_addrconf addrconf_dad_work Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0xfa/0x151 lib/dump_stack.c:120 print_deadlock_bug kernel/locking/lockdep.c:2829 [inline] check_deadlock kernel/locking/lockdep.c:2872 [inline] validate_chain kernel/locking/lockdep.c:3661 [inline] __lock_acquire.cold+0x14c/0x3b4 kernel/locking/lockdep.c:4900 lock_acquire kernel/locking/lockdep.c:5510 [inline] lock_acquire+0x1ab/0x730 kernel/locking/lockdep.c:5475 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:151 spin_lock include/linux/spinlock.h:354 [inline] io_poll_double_wake.cold+0x115/0x4e0 fs/io_uring.c:4931 __wake_up_common+0x147/0x650 kernel/sched/wait.c:108 __wake_up_common_lock+0xd0/0x130 kernel/sched/wait.c:138 snd_pcm_update_state+0x46a/0x540 sound/core/pcm_lib.c:203 snd_pcm_update_hw_ptr0+0xa75/0x1a50 sound/core/pcm_lib.c:464 snd_pcm_period_elapsed+0x160/0x250 sound/core/pcm_lib.c:1805 dummy_hrtimer_callback+0x94/0x1b0 sound/drivers/dummy.c:378 __run_hrtimer kernel/time/hrtimer.c:1519 [inline] __hrtimer_run_queues+0x609/0xe40 kernel/time/hrtimer.c:1583 hrtimer_run_softirq+0x17b/0x360 kernel/time/hrtimer.c:1600 __do_softirq+0x29b/0x9f6 kernel/softirq.c:345 do_softirq.part.0+0xc8/0x110 kernel/softirq.c:248 do_softirq kernel/softirq.c:240 [inline] __local_bh_enable_ip+0x102/0x120 kernel/softirq.c:198 mld_send_initial_cr.part.0+0xf4/0x150 net/ipv6/mcast.c:2094 mld_send_initial_cr net/ipv6/mcast.c:1191 [inline] ipv6_mc_dad_complete+0x1bb/0x6b0 net/ipv6/mcast.c:2103 addrconf_dad_completed+0x94d/0xc70 net/ipv6/addrconf.c:4175 addrconf_dad_work+0x79f/0x12b0 net/ipv6/addrconf.c:4105 process_one_work+0x98d/0x1600 kernel/workqueue.c:2275 worker_thread+0x64c/0x1120 kernel/workqueue.c:2421 kthread+0x3b1/0x4a0 kernel/kthread.c:292 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294 poll and dpoll head different poll and dpoll head different poll and dpoll head different poll and dpoll head different poll and dpoll head different poll and dpoll head different poll and dpoll head different poll and dpoll head different poll and dpoll head different poll and dpoll head different poll and dpoll head different poll and dpoll head different poll and dpoll head different poll and dpoll head different poll and dpoll head different poll and dpoll head different poll and dpoll head different poll and dpoll head different poll and dpoll head different poll and dpoll head different poll and dpoll head different poll and dpoll head different pol
Re: possible deadlock in io_poll_double_wake (2)
On 3/2/21 11:59 AM, syzbot wrote: > Hello, > > syzbot has tested the proposed patch but the reproducer is still triggering > an issue: > possible deadlock in io_poll_double_wake > > ==== > WARNING: possible recursive locking detected > 5.12.0-rc1-syzkaller #0 Not tainted > > syz-executor.4/10454 is trying to acquire lock: > 8880343cc130 (>sleep){..-.}-{2:2}, at: spin_lock > include/linux/spinlock.h:354 [inline] > 8880343cc130 (>sleep){..-.}-{2:2}, at: > io_poll_double_wake+0x25f/0x6a0 fs/io_uring.c:4925 > > but task is already holding lock: > 888034e3b130 (>sleep){..-.}-{2:2}, at: > __wake_up_common_lock+0xb4/0x130 kernel/sched/wait.c:137 > > other info that might help us debug this: > Possible unsafe locking scenario: > >CPU0 > > lock(>sleep); > lock(>sleep); This still makes no sense to me - naming is the same, but address of waitqueue_head is not (which is what matters). Unless I'm missing something obvious here. Anyway, added some debug printks, so let's try again. #syz test: git://git.kernel.dk/linux-block syzbot-test -- Jens Axboe
Re: possible deadlock in io_poll_double_wake (2)
Hello, syzbot has tested the proposed patch but the reproducer is still triggering an issue: possible deadlock in io_poll_double_wake WARNING: possible recursive locking detected 5.12.0-rc1-syzkaller #0 Not tainted syz-executor.4/10454 is trying to acquire lock: 8880343cc130 (>sleep){..-.}-{2:2}, at: spin_lock include/linux/spinlock.h:354 [inline] 8880343cc130 (>sleep){..-.}-{2:2}, at: io_poll_double_wake+0x25f/0x6a0 fs/io_uring.c:4925 but task is already holding lock: 888034e3b130 (>sleep){..-.}-{2:2}, at: __wake_up_common_lock+0xb4/0x130 kernel/sched/wait.c:137 other info that might help us debug this: Possible unsafe locking scenario: CPU0 lock(>sleep); lock(>sleep); *** DEADLOCK *** May be due to missing lock nesting notation 4 locks held by syz-executor.4/10454: #0: 888018cc8128 (>uring_lock){+.+.}-{3:3}, at: __do_sys_io_uring_enter+0x1146/0x2200 fs/io_uring.c:9113 #1: 888021692440 (>oss.params_lock){+.+.}-{3:3}, at: snd_pcm_oss_change_params sound/core/oss/pcm_oss.c:1087 [inline] #1: 888021692440 (>oss.params_lock){+.+.}-{3:3}, at: snd_pcm_oss_make_ready+0xc7/0x1b0 sound/core/oss/pcm_oss.c:1149 #2: 888020273908 (>lock){..-.}-{2:2}, at: _snd_pcm_stream_lock_irqsave+0x9f/0xd0 sound/core/pcm_native.c:170 #3: 888034e3b130 (>sleep){..-.}-{2:2}, at: __wake_up_common_lock+0xb4/0x130 kernel/sched/wait.c:137 stack backtrace: CPU: 0 PID: 10454 Comm: syz-executor.4 Not tainted 5.12.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0xfa/0x151 lib/dump_stack.c:120 print_deadlock_bug kernel/locking/lockdep.c:2829 [inline] check_deadlock kernel/locking/lockdep.c:2872 [inline] validate_chain kernel/locking/lockdep.c:3661 [inline] __lock_acquire.cold+0x14c/0x3b4 kernel/locking/lockdep.c:4900 lock_acquire kernel/locking/lockdep.c:5510 [inline] lock_acquire+0x1ab/0x730 kernel/locking/lockdep.c:5475 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:151 spin_lock include/linux/spinlock.h:354 [inline] io_poll_double_wake+0x25f/0x6a0 fs/io_uring.c:4925 __wake_up_common+0x147/0x650 kernel/sched/wait.c:108 __wake_up_common_lock+0xd0/0x130 kernel/sched/wait.c:138 snd_pcm_update_state+0x46a/0x540 sound/core/pcm_lib.c:203 snd_pcm_update_hw_ptr0+0xa75/0x1a50 sound/core/pcm_lib.c:464 snd_pcm_period_elapsed+0x160/0x250 sound/core/pcm_lib.c:1805 dummy_hrtimer_callback+0x94/0x1b0 sound/drivers/dummy.c:378 __run_hrtimer kernel/time/hrtimer.c:1519 [inline] __hrtimer_run_queues+0x609/0xe40 kernel/time/hrtimer.c:1583 hrtimer_run_softirq+0x17b/0x360 kernel/time/hrtimer.c:1600 __do_softirq+0x29b/0x9f6 kernel/softirq.c:345 invoke_softirq kernel/softirq.c:221 [inline] __irq_exit_rcu kernel/softirq.c:422 [inline] irq_exit_rcu+0x134/0x200 kernel/softirq.c:434 sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1100 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:632 RIP: 0010:unwind_next_frame+0xde0/0x2000 arch/x86/kernel/unwind_orc.c:611 Code: 48 b8 00 00 00 00 00 fc ff df 4c 89 fa 48 c1 ea 03 0f b6 04 02 84 c0 74 08 3c 03 0f 8e 83 0f 00 00 41 3b 2f 0f 84 c1 05 00 00 01 00 00 00 e8 16 95 1b 00 b8 01 00 00 00 65 8b 15 ca a8 cf 7e RSP: 0018:c9000b447168 EFLAGS: 0287 RAX: c9000b448001 RBX: 192001688e35 RCX: 192001688e01 RDX: c9000b447ae8 RSI: c9000b447ab0 RDI: c9000b447250 RBP: c9000b447ae0 R08: 8dac0810 R09: 0001 R10: 00084087 R11: 0001 R12: c9000b44 R13: c9000b447275 R14: c9000b447290 R15: c9000b447240 arch_stack_walk+0x7d/0xe0 arch/x86/kernel/stacktrace.c:25 stack_trace_save+0x8c/0xc0 kernel/stacktrace.c:121 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 kasan_set_track+0x1c/0x30 mm/kasan/common.c:46 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:357 kasan_slab_free mm/kasan/common.c:360 [inline] kasan_slab_free mm/kasan/common.c:325 [inline] __kasan_slab_free+0xf5/0x130 mm/kasan/common.c:367 kasan_slab_free include/linux/kasan.h:199 [inline] slab_free_hook mm/slub.c:1562 [inline] slab_free_freelist_hook+0x72/0x1b0 mm/slub.c:1600 slab_free mm/slub.c:3161 [inline] kfree+0xe5/0x7b0 mm/slub.c:4213 snd_pcm_hw_param_near.constprop.0+0x7b0/0x8f0 sound/core/oss/pcm_oss.c:438 snd_pcm_oss_change_params_locked+0x18c6/0x39a0 sound/core/oss/pcm_oss.c:936 snd_pcm_oss_change_params sound/core/oss/pcm_oss.c:1090 [inline] snd_pcm_oss_make_ready+0xe7/0x1b0 sound/core/oss/pcm_oss.c:1149 snd_pcm_oss_set_trigger.isra.0+0x30f/0x6e0 sound/core/oss/pcm_oss.c:2057 snd_pcm_oss_poll+0x661/0xb10 sound/core/oss/pcm_oss.c:2841 vfs_poll include/linux/poll.h:90 [inline] __io_arm_poll_han
Re: possible deadlock in io_poll_double_wake (2)
On 2/28/21 9:18 PM, syzbot wrote: > Hello, > > syzbot has tested the proposed patch but the reproducer is still triggering > an issue: > possible deadlock in io_poll_double_wake > > ==== > WARNING: possible recursive locking detected > 5.11.0-syzkaller #0 Not tainted > > syz-executor.0/10241 is trying to acquire lock: > 888012e09130 (>sleep){..-.}-{2:2}, at: spin_lock > include/linux/spinlock.h:354 [inline] > 888012e09130 (>sleep){..-.}-{2:2}, at: > io_poll_double_wake+0x25f/0x6a0 fs/io_uring.c:4921 > > but task is already holding lock: > 888013b00130 (>sleep){..-.}-{2:2}, at: > __wake_up_common_lock+0xb4/0x130 kernel/sched/wait.c:137 > > other info that might help us debug this: > Possible unsafe locking scenario: > >CPU0 > > lock(>sleep); > lock(>sleep); > > *** DEADLOCK *** > > May be due to missing lock nesting notation Since the fix is in yet this keeps failing (and I didn't get it), I looked closer at this report. While the names of the locks are the same, they are really two different locks. So let's try this... #syz test: git://git.kernel.dk/linux-block syzbot-test -- Jens Axboe
Re: possible deadlock in io_poll_double_wake (2)
Hello, syzbot has tested the proposed patch but the reproducer is still triggering an issue: possible deadlock in io_poll_double_wake WARNING: possible recursive locking detected 5.11.0-syzkaller #0 Not tainted syz-executor.3/8853 is trying to acquire lock: 88802cfbd130 (>sleep){..-.}-{2:2}, at: spin_lock include/linux/spinlock.h:354 [inline] 88802cfbd130 (>sleep){..-.}-{2:2}, at: io_poll_double_wake+0x25f/0x6a0 fs/io_uring.c:4921 but task is already holding lock: 888018ac2130 (>sleep){..-.}-{2:2}, at: __wake_up_common_lock+0xb4/0x130 kernel/sched/wait.c:137 other info that might help us debug this: Possible unsafe locking scenario: CPU0 lock(>sleep); lock(>sleep); *** DEADLOCK *** May be due to missing lock nesting notation 5 locks held by syz-executor.3/8853: #0: 8b63e390 (dup_mmap_sem){.+.+}-{0:0}, at: dup_mmap kernel/fork.c:479 [inline] #0: 8b63e390 (dup_mmap_sem){.+.+}-{0:0}, at: dup_mm+0x108/0x1380 kernel/fork.c:1360 #1: 8880249cb958 (>mmap_lock#2){}-{3:3}, at: mmap_write_lock_killable include/linux/mmap_lock.h:87 [inline] #1: 8880249cb958 (>mmap_lock#2){}-{3:3}, at: dup_mmap kernel/fork.c:480 [inline] #1: 8880249cb958 (>mmap_lock#2){}-{3:3}, at: dup_mm+0x12e/0x1380 kernel/fork.c:1360 #2: 88802b225558 (>mmap_lock/1){+.+.}-{3:3}, at: mmap_write_lock_nested include/linux/mmap_lock.h:78 [inline] #2: 88802b225558 (>mmap_lock/1){+.+.}-{3:3}, at: dup_mmap kernel/fork.c:489 [inline] #2: 88802b225558 (>mmap_lock/1){+.+.}-{3:3}, at: dup_mm+0x18a/0x1380 kernel/fork.c:1360 #3: 888020f6c908 (>lock){..-.}-{2:2}, at: _snd_pcm_stream_lock_irqsave+0x9f/0xd0 sound/core/pcm_native.c:170 #4: 888018ac2130 (>sleep){..-.}-{2:2}, at: __wake_up_common_lock+0xb4/0x130 kernel/sched/wait.c:137 stack backtrace: CPU: 1 PID: 8853 Comm: syz-executor.3 Not tainted 5.11.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0xfa/0x151 lib/dump_stack.c:120 print_deadlock_bug kernel/locking/lockdep.c:2829 [inline] check_deadlock kernel/locking/lockdep.c:2872 [inline] validate_chain kernel/locking/lockdep.c:3661 [inline] __lock_acquire.cold+0x14c/0x3b4 kernel/locking/lockdep.c:4900 lock_acquire kernel/locking/lockdep.c:5510 [inline] lock_acquire+0x1ab/0x730 kernel/locking/lockdep.c:5475 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:151 spin_lock include/linux/spinlock.h:354 [inline] io_poll_double_wake+0x25f/0x6a0 fs/io_uring.c:4921 __wake_up_common+0x147/0x650 kernel/sched/wait.c:108 __wake_up_common_lock+0xd0/0x130 kernel/sched/wait.c:138 snd_pcm_update_state+0x46a/0x540 sound/core/pcm_lib.c:203 snd_pcm_update_hw_ptr0+0xa75/0x1a50 sound/core/pcm_lib.c:464 snd_pcm_period_elapsed+0x160/0x250 sound/core/pcm_lib.c:1805 dummy_hrtimer_callback+0x94/0x1b0 sound/drivers/dummy.c:378 __run_hrtimer kernel/time/hrtimer.c:1519 [inline] __hrtimer_run_queues+0x609/0xe40 kernel/time/hrtimer.c:1583 hrtimer_run_softirq+0x17b/0x360 kernel/time/hrtimer.c:1600 __do_softirq+0x29b/0x9f6 kernel/softirq.c:343 asm_call_irq_on_stack+0xf/0x20 __run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline] run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline] do_softirq_own_stack+0xaa/0xd0 arch/x86/kernel/irq_64.c:77 invoke_softirq kernel/softirq.c:226 [inline] __irq_exit_rcu kernel/softirq.c:420 [inline] irq_exit_rcu+0x134/0x200 kernel/softirq.c:432 sysvec_apic_timer_interrupt+0x4d/0x100 arch/x86/kernel/apic/apic.c:1100 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:635 RIP: 0010:__sanitizer_cov_trace_const_cmp8+0x0/0x70 kernel/kcov.c:290 Code: fe 72 22 44 89 c6 48 83 c2 01 48 89 4c 38 f0 48 c7 44 38 e0 05 00 00 00 48 89 74 38 e8 4e 89 54 c8 20 48 89 10 c3 0f 1f 40 00 <49> 89 f8 bf 03 00 00 00 4c 8b 14 24 48 89 f1 65 48 8b 34 25 00 f0 RSP: 0018:c90001a6f808 EFLAGS: 0246 RAX: RBX: c90001a6fa00 RCX: 0001 RDX: RSI: RDI: RBP: 0004 R08: R09: 888022c75ea3 R10: ed100458ebd4 R11: R12: 88802b225800 R13: dc00 R14: R15: copy_pte_range mm/memory.c:1018 [inline] copy_pmd_range mm/memory.c:1070 [inline] copy_pud_range mm/memory.c:1107 [inline] copy_p4d_range mm/memory.c:1131 [inline] copy_page_range+0x127f/0x3fb0 mm/memory.c:1204 dup_mmap kernel/fork.c:594 [inline] dup_mm+0x9ed/0x1380 kernel/fork.c:1360 copy_mm kernel/fork.c:1416 [inline] copy_process+0x2a4c/0x6fd0 kernel/fork.c:2097 kernel_clone+0xe7/0xab0 kernel/fork.c:2462 __do_sys_clone+0xc8/0x110 ker
Re: possible deadlock in io_poll_double_wake (2)
#syz test: git://git.kernel.dk/linux-block syzbot-test -- Jens Axboe
Re: possible deadlock in io_poll_double_wake (2)
Hello, syzbot has tested the proposed patch but the reproducer is still triggering an issue: possible deadlock in io_poll_double_wake WARNING: possible recursive locking detected 5.11.0-syzkaller #0 Not tainted syz-executor.0/10241 is trying to acquire lock: 888012e09130 (>sleep){..-.}-{2:2}, at: spin_lock include/linux/spinlock.h:354 [inline] 888012e09130 (>sleep){..-.}-{2:2}, at: io_poll_double_wake+0x25f/0x6a0 fs/io_uring.c:4921 but task is already holding lock: 888013b00130 (>sleep){..-.}-{2:2}, at: __wake_up_common_lock+0xb4/0x130 kernel/sched/wait.c:137 other info that might help us debug this: Possible unsafe locking scenario: CPU0 lock(>sleep); lock(>sleep); *** DEADLOCK *** May be due to missing lock nesting notation 4 locks held by syz-executor.0/10241: #0: 88801b1ce128 (>uring_lock){+.+.}-{3:3}, at: __do_sys_io_uring_enter+0x1155/0x22b0 fs/io_uring.c:9139 #1: 8b574460 (rcu_read_lock){}-{1:2}, at: file_ctx security/apparmor/include/file.h:33 [inline] #1: 8b574460 (rcu_read_lock){}-{1:2}, at: aa_file_perm+0x119/0x1100 security/apparmor/file.c:607 #2: 888020842108 (>lock){..-.}-{2:2}, at: _snd_pcm_stream_lock_irqsave+0x9f/0xd0 sound/core/pcm_native.c:170 #3: 888013b00130 (>sleep){..-.}-{2:2}, at: __wake_up_common_lock+0xb4/0x130 kernel/sched/wait.c:137 stack backtrace: CPU: 1 PID: 10241 Comm: syz-executor.0 Not tainted 5.11.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0xfa/0x151 lib/dump_stack.c:120 print_deadlock_bug kernel/locking/lockdep.c:2829 [inline] check_deadlock kernel/locking/lockdep.c:2872 [inline] validate_chain kernel/locking/lockdep.c:3661 [inline] __lock_acquire.cold+0x14c/0x3b4 kernel/locking/lockdep.c:4900 lock_acquire kernel/locking/lockdep.c:5510 [inline] lock_acquire+0x1ab/0x730 kernel/locking/lockdep.c:5475 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:151 spin_lock include/linux/spinlock.h:354 [inline] io_poll_double_wake+0x25f/0x6a0 fs/io_uring.c:4921 __wake_up_common+0x147/0x650 kernel/sched/wait.c:108 __wake_up_common_lock+0xd0/0x130 kernel/sched/wait.c:138 snd_pcm_update_state+0x46a/0x540 sound/core/pcm_lib.c:203 snd_pcm_update_hw_ptr0+0xa75/0x1a50 sound/core/pcm_lib.c:464 snd_pcm_period_elapsed+0x160/0x250 sound/core/pcm_lib.c:1805 dummy_hrtimer_callback+0x94/0x1b0 sound/drivers/dummy.c:378 __run_hrtimer kernel/time/hrtimer.c:1519 [inline] __hrtimer_run_queues+0x609/0xe40 kernel/time/hrtimer.c:1583 hrtimer_run_softirq+0x17b/0x360 kernel/time/hrtimer.c:1600 __do_softirq+0x29b/0x9f6 kernel/softirq.c:343 asm_call_irq_on_stack+0xf/0x20 __run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline] run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline] do_softirq_own_stack+0xaa/0xd0 arch/x86/kernel/irq_64.c:77 invoke_softirq kernel/softirq.c:226 [inline] __irq_exit_rcu kernel/softirq.c:420 [inline] irq_exit_rcu+0x134/0x200 kernel/softirq.c:432 sysvec_apic_timer_interrupt+0x4d/0x100 arch/x86/kernel/apic/apic.c:1100 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:635 RIP: 0010:lock_acquire+0x1e4/0x730 kernel/locking/lockdep.c:5478 Code: 07 b8 ff ff ff ff 65 0f c1 05 e8 b3 a8 7e 83 f8 01 0f 85 d9 03 00 00 48 83 7c 24 08 00 74 01 fb 48 b8 00 00 00 00 00 fc ff df <48> 01 c3 48 c7 03 00 00 00 00 48 c7 43 08 00 00 00 00 48 8b 84 24 RSP: 0018:c9000b0e7468 EFLAGS: 0206 RAX: dc00 RBX: 19200161ce8f RCX: 013c4b5b RDX: 1110030b54a9 RSI: RDI: RBP: R08: R09: 8f0a77a7 R10: fbfff1e14ef4 R11: R12: 0002 R13: 8b574460 R14: R15: rcu_lock_acquire include/linux/rcupdate.h:267 [inline] rcu_read_lock include/linux/rcupdate.h:656 [inline] aa_file_perm+0x14d/0x1100 security/apparmor/file.c:609 common_file_perm security/apparmor/lsm.c:466 [inline] apparmor_file_permission+0x163/0x4e0 security/apparmor/lsm.c:480 security_file_permission+0x56/0x560 security/security.c:1456 rw_verify_area+0x115/0x350 fs/read_write.c:400 io_read+0x267/0xaf0 fs/io_uring.c:3235 io_issue_sqe+0x2e1/0x59d0 fs/io_uring.c:5937 __io_queue_sqe+0x18c/0xc40 fs/io_uring.c:6204 io_queue_sqe+0x60d/0xf60 fs/io_uring.c:6257 io_submit_sqe fs/io_uring.c:6421 [inline] io_submit_sqes+0x519a/0x6320 fs/io_uring.c:6535 __do_sys_io_uring_enter+0x1161/0x22b0 fs/io_uring.c:9140 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x465ef9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89
Re: 回复: possible deadlock in io_poll_double_wake (2)
On 2/28/21 7:08 PM, Zhang, Qiang wrote: > > > > 发件人: Jens Axboe > 发送时间: 2021年3月1日 7:08 > 收件人: syzbot; asml.sile...@gmail.com; io-ur...@vger.kernel.org; > linux-fsde...@vger.kernel.org; linux-kernel@vger.kernel.org; > syzkaller-b...@googlegroups.com; v...@zeniv.linux.org.uk > 主题: Re: possible deadlock in io_poll_double_wake (2) > > [Please note: This e-mail is from an EXTERNAL e-mail address] > > On 2/27/21 5:42 PM, syzbot wrote: >> syzbot has found a reproducer for the following issue on: >> >> HEAD commit:5695e516 Merge tag 'io_uring-worker.v3-2021-02-25' of git:.. >> git tree: upstream >> console output: https://syzkaller.appspot.com/x/log.txt?x=114e3866d0 >> kernel config: https://syzkaller.appspot.com/x/.config?x=8c76dad0946df1f3 >> dashboard link: https://syzkaller.appspot.com/bug?extid=28abd693db9e92c160d8 >> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=122ed9b6d0 >> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14d5a292d0 >> >> IMPORTANT: if you fix the issue, please add the following tag to the commit: >> Reported-by: syzbot+28abd693db9e92c16...@syzkaller.appspotmail.com >> >> >> WARNING: possible recursive locking detected >> 5.11.0-syzkaller #0 Not tainted >> >> swapper/1/0 is trying to acquire lock: >> 88801b2b1130 (>sleep){..-.}-{2:2}, at: spin_lock >> include/linux/spinlock.h:354 [inline] >> 88801b2b1130 (>sleep){..-.}-{2:2}, at: >> io_poll_double_wake+0x25f/0x6a0 fs/io_uring.c:4960 >> >> but task is already holding lock: >> 88801b2b3130 (>sleep){..-.}-{2:2}, at: >> __wake_up_common_lock+0xb4/0x130 kernel/sched/wait.c:137 >> >> other info that might help us debug this: >> Possible unsafe locking scenario: >> >>CPU0 >> >> lock(>sleep); >> lock(>sleep); >> >> *** DEADLOCK *** >> >> May be due to missing lock nesting notation >> >> 2 locks held by swapper/1/0: >> #0: 888147474908 (>lock){..-.}-{2:2}, at: >> _snd_pcm_stream_lock_irqsave+0x9f/0xd0 sound/core/pcm_native.c:170 >> #1: 88801b2b3130 (>sleep){..-.}-{2:2}, at: >> __wake_up_common_lock+0xb4/0x130 kernel/sched/wait.c:137 >> >> stack backtrace: >> CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.11.0-syzkaller #0 >> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS >> Google 01/01/2011 >> Call Trace: >> >> __dump_stack lib/dump_stack.c:79 [inline] >> dump_stack+0xfa/0x151 lib/dump_stack.c:120 >> print_deadlock_bug kernel/locking/lockdep.c:2829 [inline] >> check_deadlock kernel/locking/lockdep.c:2872 [inline] >> validate_chain kernel/locking/lockdep.c:3661 [inline] >> __lock_acquire.cold+0x14c/0x3b4 kernel/locking/lockdep.c:4900 >> lock_acquire kernel/locking/lockdep.c:5510 [inline] >> lock_acquire+0x1ab/0x730 kernel/locking/lockdep.c:5475 >> __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] >> _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:151 >> spin_lock include/linux/spinlock.h:354 [inline] >> io_poll_double_wake+0x25f/0x6a0 fs/io_uring.c:4960 >> __wake_up_common+0x147/0x650 kernel/sched/wait.c:108 >> __wake_up_common_lock+0xd0/0x130 kernel/sched/wait.c:138 >> snd_pcm_update_state+0x46a/0x540 sound/core/pcm_lib.c:203 >> snd_pcm_update_hw_ptr0+0xa75/0x1a50 sound/core/pcm_lib.c:464 >> snd_pcm_period_elapsed+0x160/0x250 sound/core/pcm_lib.c:1805 >> dummy_hrtimer_callback+0x94/0x1b0 sound/drivers/dummy.c:378 >> __run_hrtimer kernel/time/hrtimer.c:1519 [inline] >> __hrtimer_run_queues+0x609/0xe40 kernel/time/hrtimer.c:1583 >> hrtimer_run_softirq+0x17b/0x360 kernel/time/hrtimer.c:1600 >> __do_softirq+0x29b/0x9f6 kernel/softirq.c:345 >> invoke_softirq kernel/softirq.c:221 [inline] >> __irq_exit_rcu kernel/softirq.c:422 [inline] >> irq_exit_rcu+0x134/0x200 kernel/softirq.c:434 >> sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1100 >> >> asm_sysvec_apic_timer_interrupt+0x12/0x20 >> arch/x86/include/asm/idtentry.h:632 >> RIP: 0010:native_save_fl arch/x86/include/asm/irqflags.h:29 [inline] >> RIP: 0010:arch_local_save_flags arch/x86/include/asm/irqflags.h:70 [inline] >> RIP: 0010:arch_irqs_disabled arch/x86/include/asm/irqflags.h:137 [inline] >> RIP: 0010:acpi_safe_halt drivers/acpi/processor_idle.c:111 [inline] >> RIP: 0010:acpi_idle_do_entry+0x1c9/0x250 driv
回复: possible deadlock in io_poll_double_wake (2)
发件人: Jens Axboe 发送时间: 2021年3月1日 7:08 收件人: syzbot; asml.sile...@gmail.com; io-ur...@vger.kernel.org; linux-fsde...@vger.kernel.org; linux-kernel@vger.kernel.org; syzkaller-b...@googlegroups.com; v...@zeniv.linux.org.uk 主题: Re: possible deadlock in io_poll_double_wake (2) [Please note: This e-mail is from an EXTERNAL e-mail address] On 2/27/21 5:42 PM, syzbot wrote: > syzbot has found a reproducer for the following issue on: > > HEAD commit:5695e516 Merge tag 'io_uring-worker.v3-2021-02-25' of git:.. > git tree: upstream > console output: https://syzkaller.appspot.com/x/log.txt?x=114e3866d0 > kernel config: https://syzkaller.appspot.com/x/.config?x=8c76dad0946df1f3 > dashboard link: https://syzkaller.appspot.com/bug?extid=28abd693db9e92c160d8 > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=122ed9b6d0 > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14d5a292d0 > > IMPORTANT: if you fix the issue, please add the following tag to the commit: > Reported-by: syzbot+28abd693db9e92c16...@syzkaller.appspotmail.com > > > WARNING: possible recursive locking detected > 5.11.0-syzkaller #0 Not tainted > > swapper/1/0 is trying to acquire lock: > 88801b2b1130 (>sleep){..-.}-{2:2}, at: spin_lock > include/linux/spinlock.h:354 [inline] > 88801b2b1130 (>sleep){..-.}-{2:2}, at: > io_poll_double_wake+0x25f/0x6a0 fs/io_uring.c:4960 > > but task is already holding lock: > 88801b2b3130 (>sleep){..-.}-{2:2}, at: > __wake_up_common_lock+0xb4/0x130 kernel/sched/wait.c:137 > > other info that might help us debug this: > Possible unsafe locking scenario: > >CPU0 > > lock(>sleep); > lock(>sleep); > > *** DEADLOCK *** > > May be due to missing lock nesting notation > > 2 locks held by swapper/1/0: > #0: 888147474908 (>lock){..-.}-{2:2}, at: > _snd_pcm_stream_lock_irqsave+0x9f/0xd0 sound/core/pcm_native.c:170 > #1: 88801b2b3130 (>sleep){..-.}-{2:2}, at: > __wake_up_common_lock+0xb4/0x130 kernel/sched/wait.c:137 > > stack backtrace: > CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.11.0-syzkaller #0 > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS > Google 01/01/2011 > Call Trace: > > __dump_stack lib/dump_stack.c:79 [inline] > dump_stack+0xfa/0x151 lib/dump_stack.c:120 > print_deadlock_bug kernel/locking/lockdep.c:2829 [inline] > check_deadlock kernel/locking/lockdep.c:2872 [inline] > validate_chain kernel/locking/lockdep.c:3661 [inline] > __lock_acquire.cold+0x14c/0x3b4 kernel/locking/lockdep.c:4900 > lock_acquire kernel/locking/lockdep.c:5510 [inline] > lock_acquire+0x1ab/0x730 kernel/locking/lockdep.c:5475 > __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] > _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:151 > spin_lock include/linux/spinlock.h:354 [inline] > io_poll_double_wake+0x25f/0x6a0 fs/io_uring.c:4960 > __wake_up_common+0x147/0x650 kernel/sched/wait.c:108 > __wake_up_common_lock+0xd0/0x130 kernel/sched/wait.c:138 > snd_pcm_update_state+0x46a/0x540 sound/core/pcm_lib.c:203 > snd_pcm_update_hw_ptr0+0xa75/0x1a50 sound/core/pcm_lib.c:464 > snd_pcm_period_elapsed+0x160/0x250 sound/core/pcm_lib.c:1805 > dummy_hrtimer_callback+0x94/0x1b0 sound/drivers/dummy.c:378 > __run_hrtimer kernel/time/hrtimer.c:1519 [inline] > __hrtimer_run_queues+0x609/0xe40 kernel/time/hrtimer.c:1583 > hrtimer_run_softirq+0x17b/0x360 kernel/time/hrtimer.c:1600 > __do_softirq+0x29b/0x9f6 kernel/softirq.c:345 > invoke_softirq kernel/softirq.c:221 [inline] > __irq_exit_rcu kernel/softirq.c:422 [inline] > irq_exit_rcu+0x134/0x200 kernel/softirq.c:434 > sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1100 > > asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:632 > RIP: 0010:native_save_fl arch/x86/include/asm/irqflags.h:29 [inline] > RIP: 0010:arch_local_save_flags arch/x86/include/asm/irqflags.h:70 [inline] > RIP: 0010:arch_irqs_disabled arch/x86/include/asm/irqflags.h:137 [inline] > RIP: 0010:acpi_safe_halt drivers/acpi/processor_idle.c:111 [inline] > RIP: 0010:acpi_idle_do_entry+0x1c9/0x250 drivers/acpi/processor_idle.c:516 > Code: dd 38 6e f8 84 db 75 ac e8 54 32 6e f8 e8 0f 1c 74 f8 e9 0c 00 00 00 e8 > 45 32 6e f8 0f 00 2d 4e 4a c5 00 e8 39 32 6e f8 fb f4 <9c> 5b 81 e3 00 02 00 > 00 fa 31 ff 48 89 de e8 14 3a 6e f8 48 85 db > RSP: 0018:c9d47d18 EFLAGS: 0293 > RAX: RBX: RCX: > RDX: 8880115c3780 RSI: 89052537 RDI: > RBP:
Re: possible deadlock in io_poll_double_wake (2)
On 2/27/21 5:42 PM, syzbot wrote: > syzbot has found a reproducer for the following issue on: > > HEAD commit:5695e516 Merge tag 'io_uring-worker.v3-2021-02-25' of git:.. > git tree: upstream > console output: https://syzkaller.appspot.com/x/log.txt?x=114e3866d0 > kernel config: https://syzkaller.appspot.com/x/.config?x=8c76dad0946df1f3 > dashboard link: https://syzkaller.appspot.com/bug?extid=28abd693db9e92c160d8 > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=122ed9b6d0 > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14d5a292d0 > > IMPORTANT: if you fix the issue, please add the following tag to the commit: > Reported-by: syzbot+28abd693db9e92c16...@syzkaller.appspotmail.com > > > WARNING: possible recursive locking detected > 5.11.0-syzkaller #0 Not tainted > > swapper/1/0 is trying to acquire lock: > 88801b2b1130 (>sleep){..-.}-{2:2}, at: spin_lock > include/linux/spinlock.h:354 [inline] > 88801b2b1130 (>sleep){..-.}-{2:2}, at: > io_poll_double_wake+0x25f/0x6a0 fs/io_uring.c:4960 > > but task is already holding lock: > 88801b2b3130 (>sleep){..-.}-{2:2}, at: > __wake_up_common_lock+0xb4/0x130 kernel/sched/wait.c:137 > > other info that might help us debug this: > Possible unsafe locking scenario: > >CPU0 > > lock(>sleep); > lock(>sleep); > > *** DEADLOCK *** > > May be due to missing lock nesting notation > > 2 locks held by swapper/1/0: > #0: 888147474908 (>lock){..-.}-{2:2}, at: > _snd_pcm_stream_lock_irqsave+0x9f/0xd0 sound/core/pcm_native.c:170 > #1: 88801b2b3130 (>sleep){..-.}-{2:2}, at: > __wake_up_common_lock+0xb4/0x130 kernel/sched/wait.c:137 > > stack backtrace: > CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.11.0-syzkaller #0 > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS > Google 01/01/2011 > Call Trace: > > __dump_stack lib/dump_stack.c:79 [inline] > dump_stack+0xfa/0x151 lib/dump_stack.c:120 > print_deadlock_bug kernel/locking/lockdep.c:2829 [inline] > check_deadlock kernel/locking/lockdep.c:2872 [inline] > validate_chain kernel/locking/lockdep.c:3661 [inline] > __lock_acquire.cold+0x14c/0x3b4 kernel/locking/lockdep.c:4900 > lock_acquire kernel/locking/lockdep.c:5510 [inline] > lock_acquire+0x1ab/0x730 kernel/locking/lockdep.c:5475 > __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] > _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:151 > spin_lock include/linux/spinlock.h:354 [inline] > io_poll_double_wake+0x25f/0x6a0 fs/io_uring.c:4960 > __wake_up_common+0x147/0x650 kernel/sched/wait.c:108 > __wake_up_common_lock+0xd0/0x130 kernel/sched/wait.c:138 > snd_pcm_update_state+0x46a/0x540 sound/core/pcm_lib.c:203 > snd_pcm_update_hw_ptr0+0xa75/0x1a50 sound/core/pcm_lib.c:464 > snd_pcm_period_elapsed+0x160/0x250 sound/core/pcm_lib.c:1805 > dummy_hrtimer_callback+0x94/0x1b0 sound/drivers/dummy.c:378 > __run_hrtimer kernel/time/hrtimer.c:1519 [inline] > __hrtimer_run_queues+0x609/0xe40 kernel/time/hrtimer.c:1583 > hrtimer_run_softirq+0x17b/0x360 kernel/time/hrtimer.c:1600 > __do_softirq+0x29b/0x9f6 kernel/softirq.c:345 > invoke_softirq kernel/softirq.c:221 [inline] > __irq_exit_rcu kernel/softirq.c:422 [inline] > irq_exit_rcu+0x134/0x200 kernel/softirq.c:434 > sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1100 > > asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:632 > RIP: 0010:native_save_fl arch/x86/include/asm/irqflags.h:29 [inline] > RIP: 0010:arch_local_save_flags arch/x86/include/asm/irqflags.h:70 [inline] > RIP: 0010:arch_irqs_disabled arch/x86/include/asm/irqflags.h:137 [inline] > RIP: 0010:acpi_safe_halt drivers/acpi/processor_idle.c:111 [inline] > RIP: 0010:acpi_idle_do_entry+0x1c9/0x250 drivers/acpi/processor_idle.c:516 > Code: dd 38 6e f8 84 db 75 ac e8 54 32 6e f8 e8 0f 1c 74 f8 e9 0c 00 00 00 e8 > 45 32 6e f8 0f 00 2d 4e 4a c5 00 e8 39 32 6e f8 fb f4 <9c> 5b 81 e3 00 02 00 > 00 fa 31 ff 48 89 de e8 14 3a 6e f8 48 85 db > RSP: 0018:c9d47d18 EFLAGS: 0293 > RAX: RBX: RCX: > RDX: 8880115c3780 RSI: 89052537 RDI: > RBP: 888141127064 R08: 0001 R09: 0001 > R10: 81794168 R11: R12: 0001 > R13: 888141127000 R14: 888141127064 R15: 888143331804 > acpi_idle_enter+0x361/0x500 drivers/acpi/processor_idle.c:647 > cpuidle_enter_state+0x1b1/0xc80 drivers/cpuidle/cpuidle.c:237 > cpuidle_enter+0x4a/0xa0 drivers/cpuidle/cpuidle.c:351 > call_cpuidle kernel/sched/idle.c:158 [inline] > cpuidle_idle_call kernel/sched/idle.c:239 [inline] > do_idle+0x3e1/0x590 kernel/sched/idle.c:300 > cpu_startup_entry+0x14/0x20 kernel/sched/idle.c:397 > start_secondary+0x274/0x350 arch/x86/kernel/smpboot.c:272 >
Re: possible deadlock in io_poll_double_wake (2)
syzbot has found a reproducer for the following issue on: HEAD commit:5695e516 Merge tag 'io_uring-worker.v3-2021-02-25' of git:.. git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=114e3866d0 kernel config: https://syzkaller.appspot.com/x/.config?x=8c76dad0946df1f3 dashboard link: https://syzkaller.appspot.com/bug?extid=28abd693db9e92c160d8 syz repro: https://syzkaller.appspot.com/x/repro.syz?x=122ed9b6d0 C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14d5a292d0 IMPORTANT: if you fix the issue, please add the following tag to the commit: Reported-by: syzbot+28abd693db9e92c16...@syzkaller.appspotmail.com WARNING: possible recursive locking detected 5.11.0-syzkaller #0 Not tainted swapper/1/0 is trying to acquire lock: 88801b2b1130 (>sleep){..-.}-{2:2}, at: spin_lock include/linux/spinlock.h:354 [inline] 88801b2b1130 (>sleep){..-.}-{2:2}, at: io_poll_double_wake+0x25f/0x6a0 fs/io_uring.c:4960 but task is already holding lock: 88801b2b3130 (>sleep){..-.}-{2:2}, at: __wake_up_common_lock+0xb4/0x130 kernel/sched/wait.c:137 other info that might help us debug this: Possible unsafe locking scenario: CPU0 lock(>sleep); lock(>sleep); *** DEADLOCK *** May be due to missing lock nesting notation 2 locks held by swapper/1/0: #0: 888147474908 (>lock){..-.}-{2:2}, at: _snd_pcm_stream_lock_irqsave+0x9f/0xd0 sound/core/pcm_native.c:170 #1: 88801b2b3130 (>sleep){..-.}-{2:2}, at: __wake_up_common_lock+0xb4/0x130 kernel/sched/wait.c:137 stack backtrace: CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.11.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0xfa/0x151 lib/dump_stack.c:120 print_deadlock_bug kernel/locking/lockdep.c:2829 [inline] check_deadlock kernel/locking/lockdep.c:2872 [inline] validate_chain kernel/locking/lockdep.c:3661 [inline] __lock_acquire.cold+0x14c/0x3b4 kernel/locking/lockdep.c:4900 lock_acquire kernel/locking/lockdep.c:5510 [inline] lock_acquire+0x1ab/0x730 kernel/locking/lockdep.c:5475 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:151 spin_lock include/linux/spinlock.h:354 [inline] io_poll_double_wake+0x25f/0x6a0 fs/io_uring.c:4960 __wake_up_common+0x147/0x650 kernel/sched/wait.c:108 __wake_up_common_lock+0xd0/0x130 kernel/sched/wait.c:138 snd_pcm_update_state+0x46a/0x540 sound/core/pcm_lib.c:203 snd_pcm_update_hw_ptr0+0xa75/0x1a50 sound/core/pcm_lib.c:464 snd_pcm_period_elapsed+0x160/0x250 sound/core/pcm_lib.c:1805 dummy_hrtimer_callback+0x94/0x1b0 sound/drivers/dummy.c:378 __run_hrtimer kernel/time/hrtimer.c:1519 [inline] __hrtimer_run_queues+0x609/0xe40 kernel/time/hrtimer.c:1583 hrtimer_run_softirq+0x17b/0x360 kernel/time/hrtimer.c:1600 __do_softirq+0x29b/0x9f6 kernel/softirq.c:345 invoke_softirq kernel/softirq.c:221 [inline] __irq_exit_rcu kernel/softirq.c:422 [inline] irq_exit_rcu+0x134/0x200 kernel/softirq.c:434 sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1100 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:632 RIP: 0010:native_save_fl arch/x86/include/asm/irqflags.h:29 [inline] RIP: 0010:arch_local_save_flags arch/x86/include/asm/irqflags.h:70 [inline] RIP: 0010:arch_irqs_disabled arch/x86/include/asm/irqflags.h:137 [inline] RIP: 0010:acpi_safe_halt drivers/acpi/processor_idle.c:111 [inline] RIP: 0010:acpi_idle_do_entry+0x1c9/0x250 drivers/acpi/processor_idle.c:516 Code: dd 38 6e f8 84 db 75 ac e8 54 32 6e f8 e8 0f 1c 74 f8 e9 0c 00 00 00 e8 45 32 6e f8 0f 00 2d 4e 4a c5 00 e8 39 32 6e f8 fb f4 <9c> 5b 81 e3 00 02 00 00 fa 31 ff 48 89 de e8 14 3a 6e f8 48 85 db RSP: 0018:c9d47d18 EFLAGS: 0293 RAX: RBX: RCX: RDX: 8880115c3780 RSI: 89052537 RDI: RBP: 888141127064 R08: 0001 R09: 0001 R10: 81794168 R11: R12: 0001 R13: 888141127000 R14: 888141127064 R15: 888143331804 acpi_idle_enter+0x361/0x500 drivers/acpi/processor_idle.c:647 cpuidle_enter_state+0x1b1/0xc80 drivers/cpuidle/cpuidle.c:237 cpuidle_enter+0x4a/0xa0 drivers/cpuidle/cpuidle.c:351 call_cpuidle kernel/sched/idle.c:158 [inline] cpuidle_idle_call kernel/sched/idle.c:239 [inline] do_idle+0x3e1/0x590 kernel/sched/idle.c:300 cpu_startup_entry+0x14/0x20 kernel/sched/idle.c:397 start_secondary+0x274/0x350 arch/x86/kernel/smpboot.c:272 secondary_startup_64_no_verify+0xb0/0xbb
possible deadlock in io_poll_double_wake (2)
Hello, syzbot found the following issue on: HEAD commit:d1d2220c Add linux-next specific files for 20200924 git tree: linux-next console output: https://syzkaller.appspot.com/x/log.txt?x=14cd5cd390 kernel config: https://syzkaller.appspot.com/x/.config?x=254e028a642027c dashboard link: https://syzkaller.appspot.com/bug?extid=28abd693db9e92c160d8 compiler: gcc (GCC) 10.1.0-syz 20200507 syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13ba388190 IMPORTANT: if you fix the issue, please add the following tag to the commit: Reported-by: syzbot+28abd693db9e92c16...@syzkaller.appspotmail.com WARNING: possible recursive locking detected 5.9.0-rc6-next-20200924-syzkaller #0 Not tainted kworker/0:1/12 is trying to acquire lock: 88808d998130 (>sleep){..-.}-{2:2}, at: spin_lock include/linux/spinlock.h:354 [inline] 88808d998130 (>sleep){..-.}-{2:2}, at: io_poll_double_wake+0x156/0x510 fs/io_uring.c:4855 but task is already holding lock: 888093f4c130 (>sleep){..-.}-{2:2}, at: __wake_up_common_lock+0xb4/0x130 kernel/sched/wait.c:122 other info that might help us debug this: Possible unsafe locking scenario: CPU0 lock(>sleep); lock(>sleep); *** DEADLOCK *** May be due to missing lock nesting notation 6 locks held by kworker/0:1/12: #0: 8880aa063d38 ((wq_completion)events){+.+.}-{0:0}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline] #0: 8880aa063d38 ((wq_completion)events){+.+.}-{0:0}, at: atomic64_set include/asm-generic/atomic-instrumented.h:856 [inline] #0: 8880aa063d38 ((wq_completion)events){+.+.}-{0:0}, at: atomic_long_set include/asm-generic/atomic-long.h:41 [inline] #0: 8880aa063d38 ((wq_completion)events){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:616 [inline] #0: 8880aa063d38 ((wq_completion)events){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline] #0: 8880aa063d38 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x821/0x15a0 kernel/workqueue.c:2240 #1: c9d2fda8 ((linkwatch_work).work){+.+.}-{0:0}, at: process_one_work+0x854/0x15a0 kernel/workqueue.c:2244 #2: 8b6c5648 (rtnl_mutex){+.+.}-{3:3}, at: linkwatch_event+0xb/0x60 net/core/link_watch.c:250 #3: 8a553d40 (rcu_read_lock){}-{1:2}, at: ib_device_get_by_netdev+0x0/0x4f0 drivers/infiniband/core/device.c:2550 #4: 888214d31908 (>lock){..-.}-{2:2}, at: _snd_pcm_stream_lock_irqsave+0x9f/0xd0 sound/core/pcm_native.c:170 #5: 888093f4c130 (>sleep){..-.}-{2:2}, at: __wake_up_common_lock+0xb4/0x130 kernel/sched/wait.c:122 stack backtrace: CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.9.0-rc6-next-20200924-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: events linkwatch_event Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x198/0x1fb lib/dump_stack.c:118 print_deadlock_bug kernel/locking/lockdep.c:2714 [inline] check_deadlock kernel/locking/lockdep.c:2755 [inline] validate_chain kernel/locking/lockdep.c:3546 [inline] __lock_acquire.cold+0x12e/0x3ad kernel/locking/lockdep.c:4796 lock_acquire+0x1f2/0xaa0 kernel/locking/lockdep.c:5398 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:151 spin_lock include/linux/spinlock.h:354 [inline] io_poll_double_wake+0x156/0x510 fs/io_uring.c:4855 __wake_up_common+0x147/0x650 kernel/sched/wait.c:93 __wake_up_common_lock+0xd0/0x130 kernel/sched/wait.c:123 snd_pcm_update_state+0x46a/0x540 sound/core/pcm_lib.c:203 snd_pcm_update_hw_ptr0+0xa71/0x1a50 sound/core/pcm_lib.c:464 snd_pcm_period_elapsed+0x160/0x250 sound/core/pcm_lib.c:1805 dummy_hrtimer_callback+0x94/0x1b0 sound/drivers/dummy.c:378 __run_hrtimer kernel/time/hrtimer.c:1524 [inline] __hrtimer_run_queues+0x693/0xea0 kernel/time/hrtimer.c:1588 hrtimer_run_softirq+0x17b/0x360 kernel/time/hrtimer.c:1605 __do_softirq+0x203/0xab6 kernel/softirq.c:298 asm_call_on_stack+0xf/0x20 arch/x86/entry/entry_64.S:786 __run_on_irqstack arch/x86/include/asm/irq_stack.h:22 [inline] run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:48 [inline] do_softirq_own_stack+0x9d/0xd0 arch/x86/kernel/irq_64.c:77 invoke_softirq kernel/softirq.c:393 [inline] __irq_exit_rcu kernel/softirq.c:423 [inline] irq_exit_rcu+0x235/0x280 kernel/softirq.c:435 sysvec_apic_timer_interrupt+0x51/0xf0 arch/x86/kernel/apic/apic.c:1091 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:631 RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:653 [inline] RIP: 0010:lock_acquire+0x27b/0xaa0 kernel/locking/lockdep.c:5401 Code: 00 00 00 00 00 fc ff df 48 c1 e8 03 80 3c 10 00 0f 85 d2 06 00 00 48 83 3d 89 bc e1 08 00 0f 84 2d 05 00 00 48 8b 3c 24 57 9d <0f> 1f 44 00 00 48 b8 00 00 00 00 00 fc
Re: possible deadlock in io_poll_double_wake
#syz dup general protection fault in io_poll_double_wake -- Jens Axboe
Re: possible deadlock in io_poll_double_wake
#syz dupe general protection fault in io_poll_double_wake -- Jens Axboe
Re: possible deadlock in io_poll_double_wake
syzbot has found a reproducer for the following issue on: HEAD commit:c9c9735c Merge tag 'scsi-misc' of git://git.kernel.org/pub.. git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=165d3b6a90 kernel config: https://syzkaller.appspot.com/x/.config?x=adea84f38e7bc8d dashboard link: https://syzkaller.appspot.com/bug?extid=0d56cfeec64f045baffc compiler: clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81) syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1018494a90 C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15c8e1e290 IMPORTANT: if you fix the issue, please add the following tag to the commit: Reported-by: syzbot+0d56cfeec64f045ba...@syzkaller.appspotmail.com WARNING: possible recursive locking detected 5.8.0-syzkaller #0 Not tainted syz-executor639/6830 is trying to acquire lock: 8880a6bc5530 (>write_wait){-.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:354 [inline] 8880a6bc5530 (>write_wait){-.-.}-{2:2}, at: io_poll_double_wake+0x108/0x360 fs/io_uring.c:4599 but task is already holding lock: 8880a6bc5530 (>write_wait){-.-.}-{2:2}, at: __wake_up_common_lock kernel/sched/wait.c:122 [inline] 8880a6bc5530 (>write_wait){-.-.}-{2:2}, at: __wake_up+0xb8/0x150 kernel/sched/wait.c:142 other info that might help us debug this: Possible unsafe locking scenario: CPU0 lock(>write_wait); lock(>write_wait); *** DEADLOCK *** May be due to missing lock nesting notation 4 locks held by syz-executor639/6830: #0: 8880a6bc5098 (>ldisc_sem){}-{0:0}, at: tty_ldisc_ref_wait+0x21/0x70 drivers/tty/tty_ldisc.c:267 #1: 8880a6bc52e8 (>termios_rwsem){}-{3:3}, at: tty_set_termios+0xc5/0x1510 drivers/tty/tty_ioctl.c:328 #2: 8880a6bc5098 (>ldisc_sem){}-{0:0}, at: tty_ldisc_ref+0x18/0x80 drivers/tty/tty_ldisc.c:288 #3: 8880a6bc5530 (>write_wait){-.-.}-{2:2}, at: __wake_up_common_lock kernel/sched/wait.c:122 [inline] #3: 8880a6bc5530 (>write_wait){-.-.}-{2:2}, at: __wake_up+0xb8/0x150 kernel/sched/wait.c:142 stack backtrace: CPU: 0 PID: 6830 Comm: syz-executor639 Not tainted 5.8.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1f0/0x31e lib/dump_stack.c:118 print_deadlock_bug kernel/locking/lockdep.c:2391 [inline] check_deadlock kernel/locking/lockdep.c:2432 [inline] validate_chain+0x69a4/0x88a0 kernel/locking/lockdep.c:3202 __lock_acquire+0x1161/0x2ab0 kernel/locking/lockdep.c:4426 lock_acquire+0x160/0x730 kernel/locking/lockdep.c:5005 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:151 spin_lock include/linux/spinlock.h:354 [inline] io_poll_double_wake+0x108/0x360 fs/io_uring.c:4599 __wake_up_common+0x30a/0x4e0 kernel/sched/wait.c:93 __wake_up_common_lock kernel/sched/wait.c:123 [inline] __wake_up+0xd4/0x150 kernel/sched/wait.c:142 n_tty_set_termios+0xa60/0x1080 drivers/tty/n_tty.c:1874 tty_set_termios+0xcac/0x1510 drivers/tty/tty_ioctl.c:341 set_termios+0x4a1/0x580 drivers/tty/tty_ioctl.c:414 tty_mode_ioctl+0x7b2/0xa80 drivers/tty/tty_ioctl.c:770 tty_ioctl+0xf81/0x15c0 drivers/tty/tty_io.c:2665 vfs_ioctl fs/ioctl.c:48 [inline] __do_sys_ioctl fs/ioctl.c:753 [inline] __se_sys_ioctl+0xfb/0x170 fs/ioctl.c:739 do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x4405b9 Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:7ffdae6bfd28 EFLAGS: 0246 ORIG_RAX: 0010 RAX: ffda RBX: 0004 RCX: 004405b9 RDX: 2000 RSI: 5404 RDI: 0003 RBP: 006ca018 R08: R09: R10: R11: 0246 R12: 00401e20 R13: 00401eb0 R14: R15:
Re: Re: possible deadlock in io_poll_double_wake
> #syz dupe general protection fault in io_poll_double_wake unknown command "dupe" > > -- > Jens Axboe >
Re: Re: possible deadlock in io_poll_double_wake
> #syz dupe general protection fault in io_poll_double_wake unknown command "dupe" > > -- > Jens Axboe > > -- > You received this message because you are subscribed to the Google Groups > "syzkaller-bugs" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to syzkaller-bugs+unsubscr...@googlegroups.com. > To view this discussion on the web visit > https://groups.google.com/d/msgid/syzkaller-bugs/e3494c53-f84e-5152-42b0-f8ddd3ad4ccb%40kernel.dk.
possible deadlock in io_poll_double_wake
Hello, syzbot found the following issue on: HEAD commit:c9c9735c Merge tag 'scsi-misc' of git://git.kernel.org/pub.. git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=127399f690 kernel config: https://syzkaller.appspot.com/x/.config?x=adea84f38e7bc8d dashboard link: https://syzkaller.appspot.com/bug?extid=0d56cfeec64f045baffc compiler: clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81) Unfortunately, I don't have any reproducer for this issue yet. IMPORTANT: if you fix the issue, please add the following tag to the commit: Reported-by: syzbot+0d56cfeec64f045ba...@syzkaller.appspotmail.com WARNING: possible recursive locking detected 5.8.0-syzkaller #0 Not tainted syz-executor.1/9155 is trying to acquire lock: 8880a1fcc530 (>write_wait){-.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:354 [inline] 8880a1fcc530 (>write_wait){-.-.}-{2:2}, at: io_poll_double_wake+0x108/0x360 fs/io_uring.c:4599 but task is already holding lock: 8880a1fcc530 (>write_wait){-.-.}-{2:2}, at: __wake_up_common_lock kernel/sched/wait.c:122 [inline] 8880a1fcc530 (>write_wait){-.-.}-{2:2}, at: __wake_up+0xb8/0x150 kernel/sched/wait.c:142 other info that might help us debug this: Possible unsafe locking scenario: CPU0 lock(>write_wait); lock(>write_wait); *** DEADLOCK *** May be due to missing lock nesting notation 4 locks held by syz-executor.1/9155: #0: 8880a1fcc098 (>ldisc_sem){}-{0:0}, at: tty_ldisc_ref_wait+0x21/0x70 drivers/tty/tty_ldisc.c:267 #1: 8880a1fcc2e8 (>termios_rwsem){}-{3:3}, at: tty_set_termios+0xc5/0x1510 drivers/tty/tty_ioctl.c:328 #2: 8880a1fcc098 (>ldisc_sem){}-{0:0}, at: tty_ldisc_ref+0x18/0x80 drivers/tty/tty_ldisc.c:288 #3: 8880a1fcc530 (>write_wait){-.-.}-{2:2}, at: __wake_up_common_lock kernel/sched/wait.c:122 [inline] #3: 8880a1fcc530 (>write_wait){-.-.}-{2:2}, at: __wake_up+0xb8/0x150 kernel/sched/wait.c:142 stack backtrace: CPU: 0 PID: 9155 Comm: syz-executor.1 Not tainted 5.8.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1f0/0x31e lib/dump_stack.c:118 print_deadlock_bug kernel/locking/lockdep.c:2391 [inline] check_deadlock kernel/locking/lockdep.c:2432 [inline] validate_chain+0x69a4/0x88a0 kernel/locking/lockdep.c:3202 __lock_acquire+0x1161/0x2ab0 kernel/locking/lockdep.c:4426 lock_acquire+0x160/0x730 kernel/locking/lockdep.c:5005 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:151 spin_lock include/linux/spinlock.h:354 [inline] io_poll_double_wake+0x108/0x360 fs/io_uring.c:4599 __wake_up_common+0x30a/0x4e0 kernel/sched/wait.c:93 __wake_up_common_lock kernel/sched/wait.c:123 [inline] __wake_up+0xd4/0x150 kernel/sched/wait.c:142 n_tty_set_termios+0xa60/0x1080 drivers/tty/n_tty.c:1874 tty_set_termios+0xcac/0x1510 drivers/tty/tty_ioctl.c:341 set_termios+0x4a1/0x580 drivers/tty/tty_ioctl.c:414 tty_mode_ioctl+0x7b2/0xa80 drivers/tty/tty_ioctl.c:770 tty_ioctl+0xf81/0x15c0 drivers/tty/tty_io.c:2665 vfs_ioctl fs/ioctl.c:48 [inline] __do_sys_ioctl fs/ioctl.c:753 [inline] __se_sys_ioctl+0xfb/0x170 fs/ioctl.c:739 do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x45d239 Code: 5d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:7f063db5fc78 EFLAGS: 0246 ORIG_RAX: 0010 RAX: ffda RBX: 00017cc0 RCX: 0045d239 RDX: 2000 RSI: 5404 RDI: 0003 RBP: 0118cf80 R08: R09: R10: R11: 0246 R12: 0118cf4c R13: 7ffc7ff6341f R14: 7f063db609c0 R15: 0118cf4c --- This report is generated by a bot. It may contain errors. See https://goo.gl/tpsmEJ for more information about syzbot. syzbot engineers can be reached at syzkal...@googlegroups.com. syzbot will keep track of this issue. See: https://goo.gl/tpsmEJ#status for how to communicate with syzbot.