Date: Wed, 13 Jun 2018 11:05:43 -0600
From: Jason Gunthorpe
To: syzbot
Cc: dasaratharaman.chandramouli@intel.com, dledford@redhat.com, leon@kernel.org, linux-kernel@vger.kernel.org, linux-rdma@vger.kernel.org, parav@mellanox.com, roland@purestorage.com, sean.hefty@intel.com, syzkaller-bugs@googlegroups.com
Subject: Re: WARNING: bad unlock balance in ucma_event_handler
Message-ID: <20180613170543.GB30019@ziepe.ca>
References: <000000000000af6530056e863794@google.com>
In-Reply-To: <000000000000af6530056e863794@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Jun 13, 2018 at 06:47:02AM -0700, syzbot wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: 73fcb1a370c7 Merge branch 'akpm' (patches from Andrew)
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=16d70827800000
> kernel config: https://syzkaller.appspot.com/x/.config?x=f3b4e30da84ec1ed
> dashboard link: https://syzkaller.appspot.com/bug?extid=e5579222b6a3edd96522
> compiler: gcc (GCC) 8.0.1 20180413 (experimental)
> syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=176daf97800000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15e7bd57800000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+e5579222b6a3edd96522@syzkaller.appspotmail.com
>
>
> =====================================
> WARNING: bad unlock balance detected!
> 4.17.0-rc5+ #58 Not tainted
> kworker/u4:0/6 is trying to release lock (&file->mut) at:
> [] ucma_event_handler+0x780/0xff0
> drivers/infiniband/core/ucma.c:390
> but there are no more locks to release!
>
> other info that might help us debug this:
> 4 locks held by kworker/u4:0/6:
> #0: (ptrval) ((wq_completion)"ib_addr"){+.+.}, at:
> __write_once_size include/linux/compiler.h:215 [inline]
> #0: (ptrval) ((wq_completion)"ib_addr"){+.+.}, at:
> arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]
> #0: (ptrval) ((wq_completion)"ib_addr"){+.+.}, at: atomic64_set
> include/asm-generic/atomic-instrumented.h:40 [inline]
> #0: (ptrval) ((wq_completion)"ib_addr"){+.+.}, at: atomic_long_set
> include/asm-generic/atomic-long.h:57 [inline]
> #0: (ptrval) ((wq_completion)"ib_addr"){+.+.}, at: set_work_data
> kernel/workqueue.c:617 [inline]
> #0: (ptrval) ((wq_completion)"ib_addr"){+.+.}, at:
> set_work_pool_and_clear_pending kernel/workqueue.c:644 [inline]
> #0: (ptrval) ((wq_completion)"ib_addr"){+.+.}, at:
> process_one_work+0xaef/0x1b50 kernel/workqueue.c:2116
> #1: (ptrval) ((work_completion)(&(&req->work)->work)){+.+.}, at:
> process_one_work+0xb46/0x1b50 kernel/workqueue.c:2120
> #2: (ptrval) (&id_priv->handler_mutex){+.+.}, at:
> addr_handler+0xa6/0x3d0 drivers/infiniband/core/cma.c:2796
> #3: (ptrval) (&file->mut){+.+.}, at: ucma_event_handler+0x10e/0xff0
> drivers/infiniband/core/ucma.c:350

I think this is probably a use-after-free race, e.g. when we do
ctx->file->mut we have raced with ucma_free_ctx()..

Which probably means something along the way to free_ctx() did not
call rdma_addr_cancel?

Jason