Received: by 2002:a05:6a10:6744:0:0:0:0 with SMTP id w4csp1331120pxu; Thu, 8 Oct 2020 08:56:41 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzkELmLd3IZQByEuLMdcZwz8lZm/7KF1pu2pC7PRxgVy6Y8LA9yTOxRr2ZMzOZQv5co66gX X-Received: by 2002:a17:906:eb55:: with SMTP id mc21mr9422054ejb.49.1602172601166; Thu, 08 Oct 2020 08:56:41 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1602172601; cv=none; d=google.com; s=arc-20160816; b=nasmxY3mDCBKZUQT34Nyf0FvGRQjagVu9EWqwHUqSsD6Vf+5GMXvlZM5Bu6nC+N8jD e9kJOShTMkvF70ttVO/uKXPcwQG+CZSH++qNWDBDiiUXuU2R3lYquYvPTXxEDHnTBuIC ATOnnBjf7dwbKEguwoD2rgY1+Zq5MoNazL+QEp9ShI1uwJ8LJw8TBZAvSRtBcnvm9Wzs fEytNyYExa5fRfAqEmeUuZNhGFchkx/pRpja57etAtmUC4tnAorAZQJbIXqzC5FCLR3F 1PufmYEgi2HE1etd6suIWjG+I/pzrJ3rgzA84bfuwF8KVestWhxC9VCI+otCvooTlIf6 hX5A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=KTnCY2TC0EEDY87TJ5e0IxZJrc3I29yWn7wm8w//0YU=; b=SKtoYuprKlq7K0tC8MHmHzwP1H1mKb21mbt9wbyskiugLRtRb6LsM02zDDQmX/uGwd aXNmYbFUY0FmcrJD0lydr9AJ69zwAQBFayJAelFrvOlmvpNbcoa/tPz4ZL0loNqxJ34m BLwEOJ01qVMOhl0Ykf0JT6yDN4j0UcP6OayYJRKVQcwupnkZ3U6hmhHlMETkOIDYjGMF ENxeqng4ISAt9KvXZ0zJHvcRIpFZFpBRVao6s1M1jpAfNk2dEE+6XfZfu4b49b9CFdJg GMrvW0v3TzKXNde6XeDFsFW1AKSlkucw2I1Lh4L6rjYyOVhCgJvq/IuB2uCejVOl9pfS /1qQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@infradead.org header.s=casper.20170209 header.b=cn4jHTWH; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id d12si3899312eds.287.2020.10.08.08.56.17; Thu, 08 Oct 2020 08:56:41 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@infradead.org header.s=casper.20170209 header.b=cn4jHTWH; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731035AbgJHP2s (ORCPT + 99 others); Thu, 8 Oct 2020 11:28:48 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37578 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730550AbgJHP2r (ORCPT ); Thu, 8 Oct 2020 11:28:47 -0400 Received: from casper.infradead.org (casper.infradead.org [IPv6:2001:8b0:10b:1236::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id AAF17C061755; Thu, 8 Oct 2020 08:28:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=casper.20170209; h=In-Reply-To:Content-Type:MIME-Version: References:Message-ID:Subject:Cc:To:From:Date:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description; bh=KTnCY2TC0EEDY87TJ5e0IxZJrc3I29yWn7wm8w//0YU=; b=cn4jHTWHF0dMQGfH+Wlmn7RoRc wKxkeGZGZX5O0bvFm1r83vQWN7GJbqR6S0K+eJQ/13r99OV/DCtx/Jmtf9z5x7hj3S0iB4FYDMs9Z XwhZ5tdZXLHej+oIqdV7VuTXMrN1KFIvsHz3UoY3jOWbznZZdqNpPF8v5kwJhg8BhE/xcvgyz51Sq 8ZA2QvO64ZgK1Jfj+SHPqy+8jyOPGCNZGunwf2SYrFRVSIN3bQcn2a7UWPyuUNWEA3OJA3x3YcZNA QOngRmq70pf/bcKP77QCMQx8faIAMZ3T+rxnnc6kHKnFnB1xUntDLLwWpON61lWVaPozN76OAVhYi Hz93dyqQ==; Received: from willy by casper.infradead.org with local (Exim 4.92.3 #3 (Red Hat Linux)) id 1kQXqW-00007S-Lh; Thu, 08 Oct 2020 15:28:44 +0000 Date: Thu, 8 Oct 2020 16:28:44 +0100 From: Matthew Wilcox To: Jens Axboe Cc: syzbot , io-uring@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com, viro@zeniv.linux.org.uk Subject: Re: inconsistent lock state in xa_destroy Message-ID: <20201008152844.GI20115@casper.infradead.org> References: <00000000000045ac4605b12a1720@google.com> <20201008150518.GG20115@casper.infradead.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Oct 08, 2020 at 09:06:56AM -0600, Jens Axboe wrote: > On 10/8/20 9:05 AM, Matthew Wilcox wrote: > > On Thu, Oct 08, 2020 at 09:01:57AM -0600, Jens Axboe wrote: > >> On 10/8/20 9:00 AM, syzbot wrote: > >>> Hello, > >>> > >>> syzbot found the following issue on: > >>> > >>> HEAD commit: e4fb79c7 Add linux-next specific files for 20201008 > >>> git tree: linux-next > >>> console output: https://syzkaller.appspot.com/x/log.txt?x=12555227900000 > >>> kernel config: https://syzkaller.appspot.com/x/.config?x=568d41fe4341ed0f > >>> dashboard link: https://syzkaller.appspot.com/bug?extid=cdcbdc0bd42e559b52b9 > >>> compiler: gcc (GCC) 10.1.0-syz 20200507 > >>> > >>> Unfortunately, I don't have any reproducer for this issue yet. > >>> > >>> IMPORTANT: if you fix the issue, please add the following tag to the commit: > >>> Reported-by: syzbot+cdcbdc0bd42e559b52b9@syzkaller.appspotmail.com > >> > >> Already pushed out a fix for this, it's really an xarray issue where it just > >> assumes that destroy can irq grab the lock. > > > > ... nice of you to report the issue to the XArray maintainer. > > This is from not even 12h ago, 10h of which I was offline. It wasn't on > the top of my list of priority items to tackle this morning, but it > is/was on the list. How's this? diff --git a/lib/xarray.c b/lib/xarray.c index 1e4ed5bce5dc..d84cb98d5485 100644 --- a/lib/xarray.c +++ b/lib/xarray.c @@ -1999,21 +1999,32 @@ EXPORT_SYMBOL_GPL(xa_delete_node); /* For the benefit of the test suite */ * xa_destroy() - Free all internal data structures. * @xa: XArray. * - * After calling this function, the XArray is empty and has freed all memory - * allocated for its internal data structures. You are responsible for - * freeing the objects referenced by the XArray. - * - * Context: Any context. Takes and releases the xa_lock, interrupt-safe. + * After calling this function, the XArray is empty and has freed all + * memory allocated for its internal data structures. You are responsible + * for freeing the objects referenced by the XArray. + * + * You do not need to call xa_destroy() if you know the XArray is + * already empty. The IDR used to require this, so you may see some + * old code calling idr_destroy() or xa_destroy() on arrays which we + * know to be empty, but new code should not do this. + * + * Context: If the XArray is protected by an IRQ-safe lock, this function + * must not be called from interrupt context or with interrupts disabled. + * Otherwise it may be called from any context. It will take and release + * the xa_lock with the appropriate disabling & enabling of softirqs + * or interrupts. */ void xa_destroy(struct xarray *xa) { XA_STATE(xas, xa, 0); - unsigned long flags; + unsigned int lock_type = xa_lock_type(xa); void *entry; xas.xa_node = NULL; - xas_lock_irqsave(&xas, flags); + xas_lock_type(&xas, lock_type); entry = xa_head_locked(xa); + if (!entry) + goto out; RCU_INIT_POINTER(xa->xa_head, NULL); xas_init_marks(&xas); if (xa_zero_busy(xa)) @@ -2021,7 +2032,8 @@ void xa_destroy(struct xarray *xa) /* lockdep checks we're still holding the lock in xas_free_nodes() */ if (xa_is_node(entry)) xas_free_nodes(&xas, xa_to_node(entry)); - xas_unlock_irqrestore(&xas, flags); +out: + xas_unlock_type(&xas, lock_type); } EXPORT_SYMBOL(xa_destroy);