Message-ID: <54a4b5b1-c527-813b-128d-e0ccc51db4a4@kernel.dk>
Date: Tue, 30 Aug 2022 07:58:13 -0600
Subject: Re: possible deadlock in io_poll_double_wake
To: Jiacheng Xu <578001344xu@gmail.com>, linux-kernel@vger.kernel.org, asml.silence@gmail.com, Qiang.Zhang@windriver.com
Cc: io-uring@vger.kernel.org
From: Jens Axboe
X-Mailing-List: linux-kernel@vger.kernel.org

On 8/30/22 7:33 AM, Jiacheng Xu wrote:
> Hello,
>
> When using modified Syzkaller to fuzz the Linux kernel-5.19, the
> following crash was triggered. Though the issue seems to get fixed on
> syzbot(https://syzkaller.appspot.com/bug?id=12e4415bf5272f433acefa690478208f3be3be2d),
> it could still be triggered with the following repro.
> We would appreciate a CVE ID if this is a security issue.

It's not, and in any case, the kernel has nothing to do with CVEs.

> HEAD commit: 568035b01cfb Linux-5.15.58
> git tree: upstream
>
> console output:
> https://drive.google.com/file/d/1e4DHaUKhY9DLZJK_pNScWHydUv-MaD9_/view?usp=sharing
> https://drive.google.com/file/d/1NmOGWcfPnY2kSrS0nOwvG1AZ923jFQ3p/view?usp=sharing
> kernel config: https://drive.google.com/file/d/1wgIUDwP5ho29AM-K7HhysSTfWFpfXYkG/view?usp=sharing
> syz repro: https://drive.google.com/file/d/1e5xY8AOMimLbpAlOOupmGYC_tUA3sa8k/view?usp=sharing
> C reproducer: https://drive.google.com/file/d/1esAe__18Lt7and43QdXFfI6GJCsF85_z/view?usp=sharing
>
> Description:
> spin_lock_irqsave() in __wake_up_common_lock() is called before waking
> up a task. However, spin_lock_irqsave() has to be called once in
> io_poll_double_wake().
> such call stack is:
>
> snd_pcm_post_stop()
> __wake_up_common_lock()
> spin_lock_irqsave()
> io_poll_double_wake()
> spin_lock_irqsave()

Please prove that this is actually trying to lock the same waitq.

-- 
Jens Axboe