Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1755926AbdCWOE7 (ORCPT <rfc822;w@1wt.eu>);
        Thu, 23 Mar 2017 10:04:59 -0400
Received: from mail-vk0-f49.google.com ([209.85.213.49]:33738 "EHLO
        mail-vk0-f49.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751823AbdCWOE5 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 23 Mar 2017 10:04:57 -0400
MIME-Version: 1.0
From: Dmitry Vyukov <dvyukov@google.com>
Date: Thu, 23 Mar 2017 15:04:35 +0100
Message-ID: <CACT4Y+ZpoM+ZmzGx-F9iY7W+Q24a915r38MzgODdjTN9LBP9Zg@mail.gmail.com>
Subject: lib, fs, cgroup: WARNING in percpu_ref_kill_and_confirm
To: Tejun Heo <tj@kernel.org>, roman.penyaev@profitbricks.com,
        LKML <linux-kernel@vger.kernel.org>, Zefan Li <lizefan@huawei.com>,
        "Eric W. Biederman" <ebiederm@xmission.com>, jweiner@fb.com,
        Andrew Morton <akpm@linux-foundation.org>
Cc: syzkaller <syzkaller@googlegroups.com>
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1984
Lines: 39

Hello,

The following program triggers WARNING in percpu_ref_kill_and_confirm:
https://gist.githubusercontent.com/dvyukov/bcfcef3d6b24b9fd841b88ee20c14d4b/raw/a54aeeb09ad1e0659b0ed87ef5efc4480ab2536f/gistfile1.txt

------------[ cut here ]------------
WARNING: CPU: 3 PID: 19987 at lib/percpu-refcount.c:317
percpu_ref_kill_and_confirm+0x303/0x3c0 lib/percpu-refcount.c:316
percpu_ref_kill_and_confirm called more than once on css_release!
CPU: 3 PID: 19987 Comm: a.out Not tainted 4.11.0-rc3+ #365
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:16 [inline]
 dump_stack+0x1b8/0x28d lib/dump_stack.c:52
 panic+0x20c/0x423 kernel/panic.c:180
 __warn+0x1c4/0x1e0 kernel/panic.c:541
 warn_slowpath_fmt+0xc1/0x100 kernel/panic.c:564
 percpu_ref_kill_and_confirm+0x303/0x3c0 lib/percpu-refcount.c:316
 percpu_ref_kill include/linux/percpu-refcount.h:119 [inline]
 cgroup_kill_sb+0x31d/0x480 kernel/cgroup/cgroup.c:1834
 deactivate_locked_super+0x99/0xe0 fs/super.c:309
 deactivate_super+0x151/0x160 fs/super.c:340
 cleanup_mnt+0xb2/0x160 fs/namespace.c:1115
 __cleanup_mnt+0x16/0x20 fs/namespace.c:1122
 task_work_run+0x1a4/0x270 kernel/task_work.c:116
 tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 exit_to_usermode_loop+0x24d/0x2d0 arch/x86/entry/common.c:161
 prepare_exit_to_usermode arch/x86/entry/common.c:191 [inline]
 syscall_return_slowpath+0x3bd/0x460 arch/x86/entry/common.c:260
 entry_SYSCALL_64_fastpath+0xc0/0xc2
RIP: 0033:0x443129
RSP: 002b:00007ffe06080018 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffec RBX: 00000000004002b0 RCX: 0000000000443129
RDX: 000000002019cff9 RSI: 000000002000c000 RDI: 00000000204ff000
RBP: 00007ffe06080060 R08: 00000000201db000 R09: 0000000000000000
R10: 000000000000c084 R11: 0000000000000202 R12: 0000000000000000
R13: 00000000004025b0 R14: 0000000000402640 R15: 0000000000000000

On commit 093b995e3b55a0ae0670226ddfcb05bfbf0099ae