Received: by 2002:a25:c205:0:0:0:0:0 with SMTP id s5csp1019929ybf; Thu, 27 Feb 2020 03:41:50 -0800 (PST) X-Google-Smtp-Source: APXvYqyG6XzsUx4BFnIJ+QJzsWB6Sd8EKYTCG/RO7Xnw59JHCPY4yOV7tPSvFydWmTCVwe0ZU2tk X-Received: by 2002:a05:6808:487:: with SMTP id z7mr2972575oid.59.1582803710127; Thu, 27 Feb 2020 03:41:50 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1582803710; cv=none; d=google.com; s=arc-20160816; b=mr2dhBpW1IIwYD65uPjrypYz5HVwov8PeWolsFtRzRTELjwsthFg8CS3wjLBQ+OV/t ouPiLjxluAplSBToeO+QzPLxTIwtrzF5hsE5zmXYWI/WkT+ceJukSODA4PPpiq7xcEhD /LkXYZHg0CHXTcM5ZG/6M+apcUqWixWws+PYIvJd81owssAbTL929d5DxnlzaO8dqDeE p4JPYDjQGjT6Kf9FWH+Mb+8P3e+AsJbaXC/IUCPDyrAmooMcKjePtIlEiTXXwPw9+8yI 2MShVU/gNaS1PogEPq5RW3MPDbdQsUcOx1wdX8Vx8DE2J+0Eds28aT1gCZryeg9inLm5 FkRA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:autocrypt:from:references:cc:to:subject; bh=beEq6MZN/x5EMuGVI+R6VnGypgc13D/nnIpr/j6bKUA=; b=vrrmyuCmdvzCPfTofkHYlIjBVGvsFKMrsSMpk10HvgrDZO8x98KxVcpIOyjN/NGGtk Jz2LLA1siyl1wF0iuTm3kF86O1kHLLfhCxgn4QLJCsSgmoQT45il0Rqwb0hxrUqaEoJZ /1+3nnKNhcHqYnlpoFcB3Nj2wjLXUqiu58XDfReY+iUfS5/GIOC4pMNad40MRj1PkDoj EaesFO0+1bLTq1VPwMHsPxh34j4+xd99WBn97P6M3iAk8i/PrvVsIKitsm2bbTPDWJ6A FohZR7eJVJyVQSoGHYfqLok0ulLbr9/0QjFVNW/VBtsNT3Zlv5KcQ+9oMI1VPEYzelMD byYA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id l10si1314764oth.243.2020.02.27.03.41.37; Thu, 27 Feb 2020 03:41:50 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728904AbgB0LkQ (ORCPT + 99 others); Thu, 27 Feb 2020 06:40:16 -0500 Received: from mail-wm1-f66.google.com ([209.85.128.66]:54651 "EHLO mail-wm1-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728874AbgB0LkQ (ORCPT ); Thu, 27 Feb 2020 06:40:16 -0500 Received: by mail-wm1-f66.google.com with SMTP id z12so3134348wmi.4 for ; Thu, 27 Feb 2020 03:40:14 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:autocrypt :message-id:date:user-agent:mime-version:in-reply-to :content-language:content-transfer-encoding; bh=beEq6MZN/x5EMuGVI+R6VnGypgc13D/nnIpr/j6bKUA=; b=Eqj3a0D76RWAUZGh5K3DcNTI0F0/NGjvrr1CMBhd1txCaC2vjcMxhHnF65qis80tYH pS7koIvHz4KKSoSpG7S8STZJ0P3l/BgLOd1t177UiVyNHfMObBKJRao4v/yPG7j9m4J8 yEV18CcfNBxGhJ0c4q1Tg2iA4TdlhTjhjuHTzXaCoCYMD0YcmMyGbC/UNcpZh+X+H7oe JrrvpAsAlqja6DQc6vzSWsKXg2eKfSMOcVYdwdYmuXCAq7Jj60MkgDJYKChZF7t2D+G5 sldVJC7NmUNt9AQ/Q+4wm4jXc/c+W0NdTjFUERFCN52Gto3wKrfrMDounvRi5IwaJJ0Z oWAg== X-Gm-Message-State: APjAAAXC4fNkHrcJ5iGSf6SPkmfgIH+SMxIf+u6KKUjnonZGVFOfoOBn WTSMWqo0GlvSaTXruqA9HF0= X-Received: by 2002:a7b:cb86:: with SMTP id m6mr5010570wmi.51.1582803613256; Thu, 27 Feb 2020 03:40:13 -0800 (PST) Received: from ?IPv6:2a0b:e7c0:0:107::49? ([2a0b:e7c0:0:107::49]) by smtp.gmail.com with ESMTPSA id i4sm7476534wmd.23.2020.02.27.03.40.11 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 27 Feb 2020 03:40:12 -0800 (PST) Subject: Re: possible deadlock in tty_unthrottle To: Hillf Danton , syzbot Cc: gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com References: <20200227113622.4716-1-hdanton@sina.com> From: Jiri Slaby Autocrypt: addr=jslaby@suse.com; prefer-encrypt=mutual; keydata= mQINBE6S54YBEACzzjLwDUbU5elY4GTg/NdotjA0jyyJtYI86wdKraekbNE0bC4zV+ryvH4j rrcDwGs6tFVrAHvdHeIdI07s1iIx5R/ndcHwt4fvI8CL5PzPmn5J+h0WERR5rFprRh6axhOk rSD5CwQl19fm4AJCS6A9GJtOoiLpWn2/IbogPc71jQVrupZYYx51rAaHZ0D2KYK/uhfc6neJ i0WqPlbtIlIrpvWxckucNu6ZwXjFY0f3qIRg3Vqh5QxPkojGsq9tXVFVLEkSVz6FoqCHrUTx wr+aw6qqQVgvT/McQtsI0S66uIkQjzPUrgAEtWUv76rM4ekqL9stHyvTGw0Fjsualwb0Gwdx ReTZzMgheAyoy/umIOKrSEpWouVoBt5FFSZUyjuDdlPPYyPav+hpI6ggmCTld3u2hyiHji2H cDpcLM2LMhlHBipu80s9anNeZhCANDhbC5E+NZmuwgzHBcan8WC7xsPXPaiZSIm7TKaVoOcL 9tE5aN3jQmIlrT7ZUX52Ff/hSdx/JKDP3YMNtt4B0cH6ejIjtqTd+Ge8sSttsnNM0CQUkXps w98jwz+Lxw/bKMr3NSnnFpUZaxwji3BC9vYyxKMAwNelBCHEgS/OAa3EJoTfuYOK6wT6nadm YqYjwYbZE5V/SwzMbpWu7Jwlvuwyfo5mh7w5iMfnZE+vHFwp/wARAQABtBxKaXJpIFNsYWJ5 IDxqc2xhYnlAc3VzZS5jb20+iQI4BBMBAgAiBQJOkujrAhsDBgsJCAcDAgYVCAIJCgsEFgID AQIeAQIXgAAKCRC9JbEEBrRwSc1VD/9CxnyCYkBrzTfbi/F3/tTstr3cYOuQlpmufoEjCIXx PNnBVzP7XWPaHIUpp5tcweG6HNmHgnaJScMHHyG83nNAoCEPihyZC2ANQjgyOcnzDOnW2Gzf 8v34FDQqj8CgHulD5noYBrzYRAss6K42yUxUGHOFI1Ky1602OCBRtyJrMihio0gNuC1lE4YZ juGZEU6MYO1jKn8QwGNpNKz/oBs7YboU7bxNTgKrxX61cSJuknhB+7rHOQJSXdY02Tt31R8G diot+1lO/SoB47Y0Bex7WGTXe13gZvSyJkhZa5llWI/2d/s1aq5pgrpMDpTisIpmxFx2OEkb jM95kLOs/J8bzostEoEJGDL4u8XxoLnOEjWyT82eKkAe4j7IGQlA9QQR2hCMsBdvZ/EoqTcd SqZSOto9eLQkjZLz0BmeYIL8SPkgnVAJ/FEK44NrHUGzjzdkE7a0jNvHt8ztw6S+gACVpysi QYo2OH8hZGaajtJ8mrgN2Lxg7CpQ0F6t/N1aa/+A2FwdRw5sHBqA4PH8s0Apqu66Q94YFzzu 8OWkSPLgTjtyZcez79EQt02u8xH8dikk7API/PYOY+462qqbahpRGaYdvloaw7tOQJ224pWJ 4xePwtGyj4raAeczOcBQbKKW6hSH9iz7E5XUdpJqO3iZ9psILk5XoyO53wwhsLgGcrkCDQRO kueGARAAz5wNYsv5a9z1wuEDY5dn+Aya7s1tgqN+2HVTI64F3l6Yg753hF8UzTZcVMi3gzHC ECvKGwpBBwDiJA2V2RvJ6+Jis8paMtONFdPlwPaWlbOv4nHuZfsidXkk7PVCr4/6clZggGNQ qEjTe7Hz2nnwJiKXbhmnKfYXlxftT6KdjyUkgHAs8Gdz1nQCf8NWdQ4P7TAhxhWdkAoOIhc4 OQapODd+FnBtuL4oCG0c8UzZ8bDZVNR/rYgfNX54FKdqbM84FzVewlgpGjcUc14u5Lx/jBR7 ttZv07ro88Ur9GR6o1fpqSQUF/1V+tnWtMQoDIna6p/UQjWiVicQ2Tj7TQgFr4Fq8ZDxRb10 Zbeds+t+45XlRS9uexJDCPrulJ2sFCqKWvk3/kf3PtUINDR2G4k228NKVN/aJQUGqCTeyaWf fU9RiJU+sw/RXiNrSL2q079MHTWtN9PJdNG2rPneo7l0axiKWIk7lpSaHyzBWmi2Arj/nuHf Maxpc708aCecB2p4pUhNoVMtjUhKD4+1vgqiWKI6OsEyZBRIlW2RRcysIwJ648MYejvf1dzv mVweUa4zfIQH/+G0qPKmtst4t/XLjE/JN54XnOD/TO1Fk0pmJyASbHJQ0EcecEodDHPWP6bM fQeNlm1eMa7YosnXwbTurR+nPZk+TYPndbDf1U0j8n0AEQEAAYkCHwQYAQIACQUCTpLnhgIb DAAKCRC9JbEEBrRwSTe1EACA74MWlvIhrhGWd+lxbXsB+elmL1VHn7Ovj3qfaMf/WV3BE79L 5A1IDyp0AGoxv1YjgE1qgA2ByDQBLjb0yrS1ppYqQCOSQYBPuYPVDk+IuvTpj/4rN2v3R5RW d6ozZNRBBsr4qHsnCYZWtEY2pCsOT6BE28qcbAU15ORMq0nQ/yNh3s/WBlv0XCP1gvGOGf+x UiE2YQEsGgjs8v719sguok8eADBbfmumerh/8RhPKRuTWxrXdNq/pu0n7hA6Btx7NYjBnnD8 lV8Qlb0lencEUBXNFDmdWussMAlnxjmKhZyb30m1IgjFfG30UloZzUGCyLkr/53JMovAswmC IHNtXHwb58Ikn1i2U049aFso+WtDz4BjnYBqCL1Y2F7pd8l2HmDqm2I4gubffSaRHiBbqcSB lXIjJOrd6Q66u5+1Yv32qk/nOL542syYtFDH2J5wM2AWvfjZH1tMOVvVMu5Fv7+0n3x/9shY ivRypCapDfcWBGGsbX5eaXpRfInaMTGaU7wmWO44Z5diHpmQgTLOrN9/MEtdkK6OVhAMVenI w1UnZnA+ZfaZYShi5oFTQk3vAz7/NaA5/bNHCES4PcDZw7Y/GiIh/JQR8H1JKZ99or9LjFeg HrC8YQ1nzkeDfsLtYM11oC3peHa5AiXLmCuSC9ammQ3LhkfET6N42xTu2A== Message-ID: <2dd19dd1-abd7-9a6d-356b-4806841c2671@suse.com> Date: Thu, 27 Feb 2020 12:40:10 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.4.2 MIME-Version: 1.0 In-Reply-To: <20200227113622.4716-1-hdanton@sina.com> Content-Type: text/plain; charset=iso-8859-2 Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 27. 02. 20, 12:36, Hillf Danton wrote: > > On Thu, 27 Feb 2020 00:39:12 -0800 >> syzbot found the following crash on: >> >> HEAD commit: f8788d86 Linux 5.6-rc3 >> git tree: upstream >> console output: https://syzkaller.appspot.com/x/log.txt?x=1102d22de00000 >> kernel config: https://syzkaller.appspot.com/x/.config?x=5d2e033af114153f >> dashboard link: https://syzkaller.appspot.com/bug?extid=26183d9746e62da329b8 >> compiler: clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81) >> >> Unfortunately, I don't have any reproducer for this crash yet. >> >> IMPORTANT: if you fix the bug, please add the following tag to the commit: >> Reported-by: syzbot+26183d9746e62da329b8@syzkaller.appspotmail.com >> >> ====================================================== >> WARNING: possible circular locking dependency detected >> 5.6.0-rc3-syzkaller #0 Not tainted >> ------------------------------------------------------ >> syz-executor.4/20336 is trying to acquire lock: >> ffff8880a2e952a0 (&tty->termios_rwsem){++++}, at: tty_unthrottle+0x22/0x100 drivers/tty/tty_ioctl.c:136 >> >> but task is already holding lock: >> ffffffff89462e70 (sel_lock){+.+.}, at: paste_selection+0x118/0x470 drivers/tty/vt/selection.c:374 >> >> which lock already depends on the new lock. >> >> >> the existing dependency chain (in reverse order) is: >> >> -> #2 (sel_lock){+.+.}: >> lock_acquire+0x154/0x250 kernel/locking/lockdep.c:4484 >> __mutex_lock_common+0x16e/0x2f30 kernel/locking/mutex.c:956 >> __mutex_lock kernel/locking/mutex.c:1103 [inline] >> mutex_lock_nested+0x1b/0x30 kernel/locking/mutex.c:1118 >> set_selection_kernel+0x3b8/0x18a0 drivers/tty/vt/selection.c:217 >> set_selection_user+0x63/0x80 drivers/tty/vt/selection.c:181 >> tioclinux+0x103/0x530 drivers/tty/vt/vt.c:3050 >> vt_ioctl+0x3f1/0x3a30 drivers/tty/vt/vt_ioctl.c:364 >> tty_ioctl+0xee6/0x15c0 drivers/tty/tty_io.c:2660 >> vfs_ioctl fs/ioctl.c:47 [inline] >> ksys_ioctl fs/ioctl.c:763 [inline] >> __do_sys_ioctl fs/ioctl.c:772 [inline] >> __se_sys_ioctl+0x113/0x190 fs/ioctl.c:770 >> __x64_sys_ioctl+0x7b/0x90 fs/ioctl.c:770 >> do_syscall_64+0xf7/0x1c0 arch/x86/entry/common.c:294 >> entry_SYSCALL_64_after_hwframe+0x49/0xbe >> >> -> #1 (console_lock){+.+.}: >> lock_acquire+0x154/0x250 kernel/locking/lockdep.c:4484 >> console_lock+0x46/0x70 kernel/printk/printk.c:2289 >> con_flush_chars+0x50/0x650 drivers/tty/vt/vt.c:3223 >> n_tty_write+0xeae/0x1200 drivers/tty/n_tty.c:2350 >> do_tty_write drivers/tty/tty_io.c:962 [inline] >> tty_write+0x5a1/0x950 drivers/tty/tty_io.c:1046 >> __vfs_write+0xb8/0x740 fs/read_write.c:494 >> vfs_write+0x270/0x580 fs/read_write.c:558 >> ksys_write+0x117/0x220 fs/read_write.c:611 >> __do_sys_write fs/read_write.c:623 [inline] >> __se_sys_write fs/read_write.c:620 [inline] >> __x64_sys_write+0x7b/0x90 fs/read_write.c:620 >> do_syscall_64+0xf7/0x1c0 arch/x86/entry/common.c:294 >> entry_SYSCALL_64_after_hwframe+0x49/0xbe >> >> -> #0 (&tty->termios_rwsem){++++}: >> check_prev_add kernel/locking/lockdep.c:2475 [inline] >> check_prevs_add kernel/locking/lockdep.c:2580 [inline] >> validate_chain+0x1507/0x7be0 kernel/locking/lockdep.c:2970 >> __lock_acquire+0xc5a/0x1bc0 kernel/locking/lockdep.c:3954 >> lock_acquire+0x154/0x250 kernel/locking/lockdep.c:4484 >> down_write+0x57/0x140 kernel/locking/rwsem.c:1534 >> tty_unthrottle+0x22/0x100 drivers/tty/tty_ioctl.c:136 >> mkiss_receive_buf+0x12aa/0x1340 drivers/net/hamradio/mkiss.c:902 >> tty_ldisc_receive_buf+0x12f/0x170 drivers/tty/tty_buffer.c:465 >> paste_selection+0x346/0x470 drivers/tty/vt/selection.c:389 >> tioclinux+0x121/0x530 drivers/tty/vt/vt.c:3055 >> vt_ioctl+0x3f1/0x3a30 drivers/tty/vt/vt_ioctl.c:364 >> tty_ioctl+0xee6/0x15c0 drivers/tty/tty_io.c:2660 >> vfs_ioctl fs/ioctl.c:47 [inline] >> ksys_ioctl fs/ioctl.c:763 [inline] >> __do_sys_ioctl fs/ioctl.c:772 [inline] >> __se_sys_ioctl+0x113/0x190 fs/ioctl.c:770 >> __x64_sys_ioctl+0x7b/0x90 fs/ioctl.c:770 >> do_syscall_64+0xf7/0x1c0 arch/x86/entry/common.c:294 >> entry_SYSCALL_64_after_hwframe+0x49/0xbe >> >> other info that might help us debug this: >> >> Chain exists of: >> &tty->termios_rwsem --> console_lock --> sel_lock >> >> Possible unsafe locking scenario: >> >> CPU0 CPU1 >> ---- ---- >> lock(sel_lock); >> lock(console_lock); >> lock(sel_lock); >> lock(&tty->termios_rwsem); >> >> *** DEADLOCK *** >> >> 3 locks held by syz-executor.4/20336: >> #0: ffff8880a2e95090 (&tty->ldisc_sem){++++}, at: tty_ldisc_ref_wait+0x25/0x70 drivers/tty/tty_ldisc.c:267 >> #1: ffff888097ac10a8 (&buf->lock){+.+.}, at: tty_buffer_lock_exclusive+0x33/0x40 drivers/tty/tty_buffer.c:61 >> #2: ffffffff89462e70 (sel_lock){+.+.}, at: paste_selection+0x118/0x470 drivers/tty/vt/selection.c:374 >> > The sel_lock was introduced in > 07e6124a1a46 ("vt: selection, close sel_buffer race") > > and with it in position can we cut one lock for setting selection? Ouch -- I will look into it. (But not until tomorrow.) Thanks. > --- a/drivers/tty/vt/vt.c > +++ b/drivers/tty/vt/vt.c > @@ -3015,8 +3015,6 @@ static struct console vt_console_driver > * > * There are some functions which can sleep for arbitrary periods > * (paste_selection) but we don't need the lock there anyway. > - * > - * set_selection_user has locking, and definitely needs it > */ > > int tioclinux(struct tty_struct *tty, unsigned long arg) > @@ -3035,10 +3033,8 @@ int tioclinux(struct tty_struct *tty, un > switch (type) > { > case TIOCL_SETSEL: > - console_lock(); > ret = set_selection_user((struct tiocl_selection > __user *)(p+1), tty); > - console_unlock(); > break; > case TIOCL_PASTESEL: > ret = paste_selection(tty); > -- js suse labs