From: Marco Elver
Date: Thu, 17 Oct 2019 20:32:57 +0200
Subject: Re: KCSAN: data-race in task_dump_owner / task_dump_owner
To: Alexey Dobriyan
Cc: syzbot, Andrew Morton, casey@schaufler-ca.com, christian@brauner.io,
    Kees Cook, kent.overstreet@gmail.com, khlebnikov@yandex-team.ru,
    linux-fsdevel@vger.kernel.org, LKML, mhocko@suse.com, Shakeel Butt,
    syzkaller-bugs@googlegroups.com, Thomas Gleixner
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, 17 Oct 2019 at 20:17, Alexey Dobriyan wrote:
>
> On Thu, Oct 17, 2019 at 02:56:47PM +0200, Marco Elver wrote:
> > Hi,
> >
> > On Thu, 17 Oct 2019 at 14:36, syzbot
> > wrote:
> > >
> > > Hello,
> > >
> > > syzbot found the following crash on:
> > >
> > > HEAD commit: d724f94f x86, kcsan: Enable KCSAN for x86
> > > git tree: https://github.com/google/ktsan.git kcsan
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=17884db3600000
> > > kernel config: https://syzkaller.appspot.com/x/.config?x=c0906aa620713d80
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=e392f8008a294fdf8891
> > > compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> > >
> > > Unfortunately, I don't have any reproducer for this crash yet.
> > >
> > > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > > Reported-by: syzbot+e392f8008a294fdf8891@syzkaller.appspotmail.com
> > >
> > > ==================================================================
> > > BUG: KCSAN: data-race in task_dump_owner / task_dump_owner
> > >
> > > write to 0xffff8881255bb7fc of 4 bytes by task 7804 on cpu 0:
> > >  task_dump_owner+0xd8/0x260 fs/proc/base.c:1742
> > >  pid_update_inode+0x3c/0x70 fs/proc/base.c:1818
> > >  pid_revalidate+0x91/0xd0 fs/proc/base.c:1841
> > >  d_revalidate fs/namei.c:765 [inline]
> > >  d_revalidate fs/namei.c:762 [inline]
> > >  lookup_fast+0x7cb/0x7e0 fs/namei.c:1613
> > >  walk_component+0x6d/0xe80 fs/namei.c:1804
> > >  link_path_walk.part.0+0x5d3/0xa90 fs/namei.c:2139
> > >  link_path_walk fs/namei.c:2070 [inline]
> > >  path_openat+0x14f/0x3530 fs/namei.c:3532
> > >  do_filp_open+0x11e/0x1b0 fs/namei.c:3563
> > >  do_sys_open+0x3b3/0x4f0 fs/open.c:1089
> > >  __do_sys_open fs/open.c:1107 [inline]
> > >  __se_sys_open fs/open.c:1102 [inline]
> > >  __x64_sys_open+0x55/0x70 fs/open.c:1102
> > >  do_syscall_64+0xcf/0x2f0 arch/x86/entry/common.c:296
> > >  entry_SYSCALL_64_after_hwframe+0x44/0xa9
> > >
> > > write to 0xffff8881255bb7fc of 4 bytes by task 7813 on cpu 1:
> > >  task_dump_owner+0xd8/0x260 fs/proc/base.c:1742
> > >  pid_update_inode+0x3c/0x70 fs/proc/base.c:1818
> > >  pid_revalidate+0x91/0xd0 fs/proc/base.c:1841
> > >  d_revalidate fs/namei.c:765 [inline]
> > >  d_revalidate fs/namei.c:762 [inline]
> > >  lookup_fast+0x7cb/0x7e0 fs/namei.c:1613
> > >  walk_component+0x6d/0xe80 fs/namei.c:1804
> > >  lookup_last fs/namei.c:2271 [inline]
> > >  path_lookupat.isra.0+0x13a/0x5a0 fs/namei.c:2316
> > >  filename_lookup+0x145/0x2d0 fs/namei.c:2346
> > >  user_path_at_empty+0x4c/0x70 fs/namei.c:2606
> > >  user_path_at include/linux/namei.h:60 [inline]
> > >  vfs_statx+0xd9/0x190 fs/stat.c:187
> > >  vfs_stat include/linux/fs.h:3188 [inline]
> > >  __do_sys_newstat+0x51/0xb0 fs/stat.c:341
> > >  __se_sys_newstat fs/stat.c:337 [inline]
> > >  __x64_sys_newstat+0x3a/0x50 fs/stat.c:337
> > >  do_syscall_64+0xcf/0x2f0 arch/x86/entry/common.c:296
> > >  entry_SYSCALL_64_after_hwframe+0x44/0xa9
> > >
> > > Reported by Kernel Concurrency Sanitizer on:
> > > CPU: 1 PID: 7813 Comm: ps Not tainted 5.3.0+ #0
> > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> > > Google 01/01/2011
> > > ==================================================================
> >
> > My understanding is, that for every access to /proc/,
> > d_revalidate is called, and /proc-fs implementation simply says that
> > pid_revalidate always revalidates by rewriting uid/gid because "owning
> > task may have performed a setuid(), etc." presumably so every access
> > to a /proc/ entry always has the right uid/gid (in effect
> > updating /proc/ lazily via d_revalidate).
> >
> > Is it possible that one of the tasks above could be preempted after
> > doing its writes to *ruid/*rgid, another thread writing some other
> > values (after setuid / seteuid), and then the preempted thread seeing
> > the other values? Assertion here should never fail:
> > === TASK 1 ===
> > | seteuid(1000);
> > | seteuid(0);
> > | stat("/proc/", &fstat);
> > | assert(fstat.st_uid == 0);
> > === TASK 2 ===
> > | stat("/proc/", ...);
>
> Is it the same as
> pid_revalidate() snapshots (uid,gid) correctly
> but writeback is done in any order?

Yes, I think so. Snapshot is done in RCU reader critical section, but
the writes can race with another thread. Is there logic that ensures
this doesn't lead to the observable outcome above?
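
Added example, not part of the original message and not kernel code: a small C model that enumerates every interleaving of the two tasks from the quoted sketch, treating each revalidation as a snapshot step followed by a separate writeback step, and counts the schedules in which TASK 1's assertion would fail. The variable names and the `atomic` mode (snapshot and writeback as one indivisible step) are assumptions of the model; whether the kernel already rules the bad schedule out is the question the message leaves open.

```c
#include <stdio.h>

/* Constructed model, not kernel code: cred_euid stands in for the task's
 * credentials, inode_uid for the owner cached on its /proc inode. */
enum { T1_STEPS = 5, T2_STEPS = 2, SLOTS = T1_STEPS + T2_STEPS };

/* Run one schedule: TASK 2 snapshots in slot b1 and writes back in slot b2;
 * TASK 1's five steps fill the remaining slots in program order.
 * Returns the st_uid TASK 1 observes. */
static unsigned run_schedule(int b1, int b2)
{
    unsigned cred_euid = 0, inode_uid = 0, snap1 = 0, snap2 = 0, seen = 0;
    int t1 = 0;

    for (int slot = 0; slot < SLOTS; slot++) {
        if (slot == b1) { snap2 = cred_euid; continue; }  /* TASK 2: snapshot  */
        if (slot == b2) { inode_uid = snap2; continue; }  /* TASK 2: writeback */
        switch (t1++) {
        case 0: cred_euid = 1000;  break;  /* seteuid(1000)             */
        case 1: cred_euid = 0;     break;  /* seteuid(0)                */
        case 2: snap1 = cred_euid; break;  /* stat: snapshot owner      */
        case 3: inode_uid = snap1; break;  /* stat: write back to inode */
        case 4: seen = inode_uid;  break;  /* stat: st_uid reported     */
        }
    }
    return seen;
}

/* Count schedules where TASK 1's assert(st_uid == 0) would fail.
 * atomic != 0 keeps each task's snapshot+writeback indivisible
 * (a hypothetical serialization, not a fix taken from the thread). */
int count_stale_schedules(int atomic)
{
    int bad = 0;
    for (int b1 = 0; b1 < SLOTS; b1++)
        for (int b2 = b1 + 1; b2 < SLOTS; b2++) {
            if (atomic && (b2 != b1 + 1 || b1 == 3))
                continue;  /* skip schedules that split either pair */
            if (run_schedule(b1, b2) != 0)
                bad++;
        }
    return bad;
}

int main(void)
{
    printf("unordered writeback: %d stale schedule(s) of 21\n", count_stale_schedules(0));
    printf("atomic snapshot+writeback: %d\n", count_stale_schedules(1));
    return 0;
}
```

The single failing schedule in the model is the one the message describes: TASK 2 snapshots between the two seteuid() calls and writes back after TASK 1's own writeback.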