Received: by 2002:a05:7412:419a:b0:f3:1519:9f41 with SMTP id i26csp2734153rdh; Sun, 26 Nov 2023 17:56:36 -0800 (PST) X-Google-Smtp-Source: AGHT+IHtYNDKuH04FrCvQ9pODfJqSQXR/MNmRShcaNnlshXSRFDPYf8eyyjR1JH+qoulRgKCHd0X X-Received: by 2002:a17:90b:1c8b:b0:285:6943:eca2 with SMTP id oo11-20020a17090b1c8b00b002856943eca2mr9019282pjb.29.1701050195735; Sun, 26 Nov 2023 17:56:35 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1701050195; cv=none; d=google.com; s=arc-20160816; b=Uep7kXoR5rUOO7QrASgrQl4jzmf1UZOJfRZ6mlBtjdNxMixWqm0QNH3og26ESASwwT c3mU/XMRib5cCSUpr6n9ECu6Zy/rPjYjWlQ8zrqtlnLus4Onqm+K5Lvizug0se2YgOHt C42LGdZlMoGzPK6wH9o8UZRuKT+0l+Z+EjzocPRv1yHzjtm2PQ2uYe7uUgRDFVkEgCUJ nYW5ejxq1NmwiuFCBANFtgRuIl4H+HyOnlfGbklDARzQW+fsnDz1YbXqBMSFta8dV7Nf rp/J6S/zFNAeFsLAokxJPxuu0PA99f7nTNMSJsMB0KMzjvTCyk6Z7r4Y7XK8LsQ7LouK Pn9Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:mime-version :dkim-signature; bh=HrpW/mblbGR2zQK+f0lTXDIxL2r3yJ0KWZHVyIahz68=; fh=lBK0XfBvEnqqxfxLPZU4X/MPPZZxrdcN9ClokIt6q6w=; b=v8CKcdJo9SKrTlVu9gMbUwtTMUa35D945XVruzfGh2S9++8NjmomatPIZVWcqtGLha L0QZg36aXVrDatj4JmeOhfinnZ9ZkrDk5HApiUKRZ90g6+UGJb3j6OCaNweNiXSltB3Z UVHkEk2eR4YvYdJq2U90RsEMydWA6yXKhnHBrwOpjGrpQJpNBcYx+9pCXvPGDkhXY8sI 7tbIY4U/5PF0v6Q8DBy/9wMYRTWfVuqdNQ1M8yjwc8otds6scc+MbC8RdMgp9wPBrQ2A loPmStdKoLMcW+coldqS92np8Zb7nbFFNys6xJh/JdyEoLRVhztv+wzH63hVmzgyt6CS ntPg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=OqMsPhZZ; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:2 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from agentk.vger.email (agentk.vger.email. [2620:137:e000::3:2]) by mx.google.com with ESMTPS id f24-20020a17090aa79800b002839bc84a0esi9185914pjq.139.2023.11.26.17.56.35 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 26 Nov 2023 17:56:35 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:2 as permitted sender) client-ip=2620:137:e000::3:2; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=OqMsPhZZ; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:2 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by agentk.vger.email (Postfix) with ESMTP id 1C1BF8061563; Sun, 26 Nov 2023 17:56:33 -0800 (PST) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.11 at agentk.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229502AbjK0B4I (ORCPT + 99 others); Sun, 26 Nov 2023 20:56:08 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49048 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229480AbjK0B4H (ORCPT ); Sun, 26 Nov 2023 20:56:07 -0500 Received: from mail-pg1-x52c.google.com (mail-pg1-x52c.google.com [IPv6:2607:f8b0:4864:20::52c]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id AF128B5 for ; Sun, 26 Nov 2023 17:56:13 -0800 (PST) Received: by mail-pg1-x52c.google.com with SMTP id 41be03b00d2f7-5c229dabbb6so2272306a12.0 for ; Sun, 26 Nov 2023 17:56:13 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1701050173; x=1701654973; darn=vger.kernel.org; h=cc:to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=HrpW/mblbGR2zQK+f0lTXDIxL2r3yJ0KWZHVyIahz68=; b=OqMsPhZZk1+if8UIVbmfU3Ixk+CTv+r9+N6NDxeKYwxR8e518NxP5J1o8kT380ScPh YFsyXcEU21DUsVw46w63wWBMf53tlSC6D5iRzdmskPc35RLyiiXg0QWCVMuJ5+9O17uf a0qAjlPHiNTilvdGA9CIywdrIzsGOZDUwWDebON+Rtcu9j7/421OybUFGIsjcNnV8mKC ffwBhskLlcL+JJ/EZMs9N8zJsVz7vV8QYjDReQbknvNZGfZr5vbbDP8BphMUBh/2dhLh LwGkql3BeZftKdBrj6kfRIBzkHB+RZCkVHSFUoMvDKnTcGWgw+a84W7Xg+ZDJpATRdG5 ooTg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1701050173; x=1701654973; h=cc:to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=HrpW/mblbGR2zQK+f0lTXDIxL2r3yJ0KWZHVyIahz68=; b=eF/d/3F/PXt1TK+yu/sUDbdeGyWblL1aitYZixrfjdUgZeoYo9gtiQQO4oBH+SZfbA O71miurS4XvXxsLclIG7BeAHkYenxxASo/fAgOtJ8o6gcq9rGD/ZhrvHNtIG/YOon4Zn vyKjg6mZTfEHttCzdXPRkcADBT00eLCFB0bN+U7MnGOdYNlwH3U5F2+I/4EjPpiKBXcK LxNBc3VQzkMg87vLPrqD97kyzUEy3R3a64kdZwLlUKayzPFEC/X1p7gLiPQtwD9/sfTy XFQDepRUAm4YdXrw94V2TsG07LriKo3ptlsF951l5N1yb86rl6Dpde+EzqJzKaIlAHHa 24Gw== X-Gm-Message-State: AOJu0YwmK5YE67w5K4tRwUX4wPerLbr4KP0yV8lxyjcSlr7U4bo6RE5b N6hKfSfIPmm8WSeJyKLFu8JWV5fuunHa6L/gzVE= X-Received: by 2002:a17:90b:4a45:b0:285:9d40:192e with SMTP id lb5-20020a17090b4a4500b002859d40192emr5611260pjb.6.1701050172992; Sun, 26 Nov 2023 17:56:12 -0800 (PST) MIME-Version: 1.0 From: xingwei lee Date: Mon, 27 Nov 2023 09:56:02 +0800 Message-ID: Subject: Re: [syzbot] [kernel?] possible deadlock in stack_depot_put To: syzbot+186b55175d8360728234@syzkaller.appspotmail.com Cc: frederic@kernel.org, linux-kernel@vger.kernel.org, mingo@kernel.org, syzkaller-bugs@googlegroups.com, tglx@linutronix.de Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-0.6 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE, SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on agentk.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (agentk.vger.email [0.0.0.0]); Sun, 26 Nov 2023 17:56:33 -0800 (PST) Sorry for containing HTML subpart, I'll repeat this mail. Hi, I reproduce this bug with repro.c and repro.txt and confirmed crash. repro.txt r0 = socket$alg(0x26, 0x5, 0x0) bind$alg(r0, &(0x7f0000000440)={0x26, 'skcipher\x00', 0x0, 0x0, 'ecb-cipher_null\x00'}, 0x58) r1 = accept$alg(r0, 0x0, 0x0) r2 = dup(r1) open(&(0x7f0000000140)='./file1\x00', 0x10f0c2, 0x0) r3 = dup(r1) mount$9p_fd(0x0, &(0x7f0000000000)='./file1\x00', &(0x7f0000000040), 0x0, &(0x7f0000000a40)=ANY=[@ANYBLOB='trans=fd,rfdno=', @ANYRESHEX=r3, @ANYBLOB=',wfdno=', @ANYRESHEX=r2]) repro.c #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static bool write_file(const char* file, const char* what, ...) { char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } static void kill_and_wait(int pid, int* status) { kill(-pid, SIGKILL); kill(pid, SIGKILL); for (int i = 0; i < 100; i++) { if (waitpid(-1, status, WNOHANG | __WALL) == pid) return; usleep(1000); } DIR* dir = opendir("/sys/fs/fuse/connections"); if (dir) { for (;;) { struct dirent* ent = readdir(dir); if (!ent) break; if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) continue; char abort[300]; snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name); int fd = open(abort, O_WRONLY); if (fd == -1) { continue; } if (write(fd, abort, 1) < 0) { } close(fd); } closedir(dir); } else { } while (waitpid(-1, status, __WALL) != pid) { } } static void setup_test() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); write_file("/proc/self/oom_score_adj", "1000"); } static void execute_one(void); #define WAIT_FLAGS __WALL static void loop(void) { int iter = 0; for (;; iter++) { int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { setup_test(); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5000) continue; kill_and_wait(pid, &status); break; } } } uint64_t r[4] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; void execute_one(void) { intptr_t res = 0; res = syscall(__NR_socket, /*domain=*/0x26ul, /*type=*/5ul, /*proto=*/0); if (res != -1) r[0] = res; *(uint16_t*)0x20000440 = 0x26; memcpy((void*)0x20000442, "skcipher\000\000\000\000\000\000", 14); *(uint32_t*)0x20000450 = 0; *(uint32_t*)0x20000454 = 0; memcpy((void*)0x20000458, "ecb-cipher_null\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000", 64); syscall(__NR_bind, /*fd=*/r[0], /*addr=*/0x20000440ul, /*addrlen=*/0x58ul); res = syscall(__NR_accept, /*fd=*/r[0], /*peer=*/0ul, /*peerlen=*/0ul); if (res != -1) r[1] = res; res = syscall(__NR_dup, /*oldfd=*/r[1]); if (res != -1) r[2] = res; memcpy((void*)0x20000140, "./file1\000", 8); syscall(__NR_open, /*file=*/0x20000140ul, /*flags=*/0x10f0c2ul, /*mode=*/0ul); res = syscall(__NR_dup, /*oldfd=*/r[1]); if (res != -1) r[3] = res; memcpy((void*)0x20000000, "./file1\000", 8); memcpy((void*)0x20000040, "9p\000", 3); memcpy((void*)0x20000a40, "trans=fd,rfdno=", 15); sprintf((char*)0x20000a4f, "0x%016llx", (long long)r[3]); memcpy((void*)0x20000a61, ",wfdno=", 7); sprintf((char*)0x20000a68, "0x%016llx", (long long)r[2]); syscall(__NR_mount, /*src=*/0ul, /*dst=*/0x20000000ul, /*type=*/0x20000040ul, /*flags=*/0ul, /*opts=*/0x20000a40ul); } int main(void) { syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul, /*prot=*/7ul, /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul); loop(); return 0; }