Received: by 2002:a05:7412:d1aa:b0:fc:a2b0:25d7 with SMTP id ba42csp320673rdb; Mon, 29 Jan 2024 03:29:12 -0800 (PST) X-Google-Smtp-Source: AGHT+IEoENV0Hv5D4/RmqsTznlGePMfKwYVugP+fWRSVv6uwvdCwz51q1OZa+I5fD2HslVTQBQtp X-Received: by 2002:a05:6808:1701:b0:3be:baf:42fa with SMTP id bc1-20020a056808170100b003be0baf42famr6578367oib.10.1706527752528; Mon, 29 Jan 2024 03:29:12 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1706527752; cv=pass; d=google.com; s=arc-20160816; b=iMnGKBYZ0mua8yDO/wkg0POlehcY38TQ9mh0bznNrXdSScdwjy3w5qkypY+F4wpBEL BH3LOSHZ2kPp+NjPz2iaswczMtCFDCNbjbYpiVyEYD7Bts7Ww48tEHkqvQah5Hue0Q3m wLrkkI0lAAuZNEECY+VPDe/Sezc/Mk9nekr5v8wJ4H0Itf1BphedbD60ONIbjZvLZaw3 rf37wAIxELaFiM2GFB7KpRuyxjbKT5dxYPrBUlLMEPagn21lKeHyUSh1UVwyx8vilL1O cmezQjhcnhAvHJYp9EvHbJt2Ma7vrz99n8souSO4YvIRc4v72Zpmr3qawQZ6KqdYc70l kdFA== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:user-agent:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:date:message-id; bh=gG3IE1PA0F3PHF5PkRGGZn+6jWSLkF4TKY6qJ75V6I4=; fh=7k5EzdY2sHR/9nOBKuPSDc6YKW97izpDSOzu4b+mEHM=; b=h92DlKYHeJZ37Mbil+E+Omcj8HC65Pklrf5Z3gjBx/TxzG2xqLAy4Vtsglxt9KdDH/ MqSKWTn+cnr1oa+j9QYu7EaBpgp0gLGzp9Ek02t9Rn2ckQJzmYSxOkC7g1/x8yBYrx6j ZXjX2hOOUOuPt22XwQiLgpfr03SgXxQpbYKfyeCQrCjNrqwJAO71vEwp2e7+cQfOYpQx f6UqEFiDoWSyavvvDrANdsrPakm1dA28i3BbM81CiLALW7VlIyVH62wgiKBqgYnCAm5y b/IYfpyrfkl0Xnz53AO7pg9MsJNddUXlf8rm5d13BucrL2g//GcxYMw697CCl6s8+zfH kk4g== ARC-Authentication-Results: i=2; mx.google.com; arc=pass (i=1 spf=pass spfdomain=i-love.sakura.ne.jp); spf=pass (google.com: domain of linux-kernel+bounces-42615-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-42615-linux.lists.archive=gmail.com@vger.kernel.org" Return-Path: Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [139.178.88.99]) by mx.google.com with ESMTPS id a10-20020aa78e8a000000b006ddc6a4a5ddsi5553910pfr.94.2024.01.29.03.29.12 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 29 Jan 2024 03:29:12 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-42615-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) client-ip=139.178.88.99; Authentication-Results: mx.google.com; arc=pass (i=1 spf=pass spfdomain=i-love.sakura.ne.jp); spf=pass (google.com: domain of linux-kernel+bounces-42615-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-42615-linux.lists.archive=gmail.com@vger.kernel.org" Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id 82173285F80 for ; Mon, 29 Jan 2024 11:29:07 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 45AC960242; Mon, 29 Jan 2024 11:28:57 +0000 (UTC) Received: from www262.sakura.ne.jp (www262.sakura.ne.jp [202.181.97.72]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C2A005FEF9 for ; Mon, 29 Jan 2024 11:28:53 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=202.181.97.72 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1706527736; cv=none; b=HwnwCzzP6RCOdkpEnMBSDQkAcdy1mGr0JoebnKOHsN6j3XYTkmfdm8d3QFS1fds/P/LJ1sphj9CkwYccNpSBZ73LRaWy6qnuhiYn42CqrwSf1ohOYds/AgnQ4bVjQDxPVYSZlwO+7gh8Rw2wiFfnEFTTT2JQqcBzXGKkkK/pD1w= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1706527736; c=relaxed/simple; bh=SI/uKxzS8VQ4/JvIfm7PqZ1opzWLrFvAnZI93dLX+Cs=; h=Message-ID:Date:MIME-Version:Subject:To:Cc:References:From: In-Reply-To:Content-Type; b=QHaKbkYwBqBhpQkh9kbFOPkJ+GaO/Y4ok81MJblmQYO/T8FWhefd3tfhcPvDUXhwC+Ah26f7JAZd1NpA5bsgU47pKhVWHbX/PnUdfSB8K1UgaOVm1et65KCrjFWn/jaePEfWU6A+Ur5uCtIIKsXgHtFvvJzHzKFo8/MQZQqI6i8= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=I-love.SAKURA.ne.jp; spf=pass smtp.mailfrom=I-love.SAKURA.ne.jp; arc=none smtp.client-ip=202.181.97.72 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=I-love.SAKURA.ne.jp Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=I-love.SAKURA.ne.jp Received: from fsav314.sakura.ne.jp (fsav314.sakura.ne.jp [153.120.85.145]) by www262.sakura.ne.jp (8.15.2/8.15.2) with ESMTP id 40TBSpoX098267; Mon, 29 Jan 2024 20:28:51 +0900 (JST) (envelope-from penguin-kernel@I-love.SAKURA.ne.jp) Received: from www262.sakura.ne.jp (202.181.97.72) by fsav314.sakura.ne.jp (F-Secure/fsigk_smtp/550/fsav314.sakura.ne.jp); Mon, 29 Jan 2024 20:28:51 +0900 (JST) X-Virus-Status: clean(F-Secure/fsigk_smtp/550/fsav314.sakura.ne.jp) Received: from [192.168.1.6] (M106072142033.v4.enabler.ne.jp [106.72.142.33]) (authenticated bits=0) by www262.sakura.ne.jp (8.15.2/8.15.2) with ESMTPSA id 40TBSpWb098262 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NO); Mon, 29 Jan 2024 20:28:51 +0900 (JST) (envelope-from penguin-kernel@I-love.SAKURA.ne.jp) Message-ID: Date: Mon, 29 Jan 2024 20:28:50 +0900 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [syzbot] [bluetooth?] INFO: task hung in hci_conn_failed Content-Language: en-US To: Hillf Danton Cc: syzbot , eadavis@qq.com, Peter Zijlstra , Boqun Feng , Linus Torvalds , linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com References: <20240129044824.1218-1-hdanton@sina.com> <20240129104753.1328-1-hdanton@sina.com> From: Tetsuo Handa In-Reply-To: <20240129104753.1328-1-hdanton@sina.com> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit On 2024/01/29 19:47, Hillf Danton wrote: > On Mon, 29 Jan 2024 14:53:20 +0900 Tetsuo Handa wrote: >> On 2024/01/29 13:48, Hillf Danton wrote: >>>> 3 locks held by kworker/1:2/779: >>>> #0: ffff8880b993ccd8 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock_nested+0x29/0x130 kernel/sched/core.c:559 >>>> #1: ffffc900038c7d80 ((work_completion)(&aux->work)#2){+.+.}-{0:0}, at: process_one_work+0x7eb/0x15d0 kernel/workqueue.c:2609 >>>> #2: ffff888052984c80 (&aux->poke_mutex){+.+.}-{3:3}, at: __fd_array_map_delete_elem+0x125/0x2f0 kernel/bpf/arraymap.c:884 >>> >>> Could locking people shed any light on the failure of detecting the >>> poke_mutex with rq lock held? >>> >> >> Showing held locks (lockdep_print_held_locks()) is not a snapshot. >> Synchronous printk() can make #0 already released by the moment #2 is taken. >> >> Please consult printk() people for possibility of making printk() from >> lockdep reports (and/or hung task reports) asynchronous. > > If printk did its work well then we have difficulty explaining why RCU > stalled more than two minutes. > The report you are talking about is https://syzkaller.appspot.com/x/report.txt?x=14300d80180000 . It says INFO: task kworker/u5:2:5062 blocked for more than 143 seconds. Not tainted 6.8.0-rc1-syzkaller-g8a696a29c690-dirty #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/u5:2 state:D stack:27840 pid:5062 tgid:5062 ppid:2 flags:0x00004000 Workqueue: hci5 hci_cmd_sync_work Call Trace: context_switch kernel/sched/core.c:5400 [inline] __schedule+0xf12/0x5c00 kernel/sched/core.c:6727 __schedule_loop kernel/sched/core.c:6802 [inline] schedule+0xe9/0x270 kernel/sched/core.c:6817 schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6874 __mutex_lock_common kernel/locking/mutex.c:684 [inline] __mutex_lock+0x5b9/0x9d0 kernel/locking/mutex.c:752 hci_connect_cfm include/net/bluetooth/hci_core.h:1983 [inline] hci_conn_failed+0x158/0x370 net/bluetooth/hci_conn.c:1289 hci_abort_conn_sync+0x7f8/0xb70 net/bluetooth/hci_sync.c:5356 abort_conn_sync+0x187/0x390 net/bluetooth/hci_conn.c:2988 hci_cmd_sync_work+0x1a4/0x410 net/bluetooth/hci_sync.c:306 process_one_work+0x886/0x15d0 kernel/workqueue.c:2633 process_scheduled_works kernel/workqueue.c:2706 [inline] worker_thread+0x8b9/0x1290 kernel/workqueue.c:2787 kthread+0x2c6/0x3a0 kernel/kthread.c:388 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242 and lockdep says kworker/u5:2/5062 was blocked at 5 locks held by kworker/u5:2/5062: #0: ffff88802271a938 ((wq_completion)hci5){+.+.}-{0:0}, at: process_one_work+0x789/0x15d0 kernel/workqueue.c:2608 #1: ffffc900041cfd80 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work+0x7eb/0x15d0 kernel/workqueue.c:2609 #2: ffff888019ff1060 (&hdev->req_lock){+.+.}-{3:3}, at: hci_cmd_sync_work+0x170/0x410 net/bluetooth/hci_sync.c:305 #3: ffff888019ff0078 (&hdev->lock){+.+.}-{3:3}, at: hci_abort_conn_sync+0x150/0xb70 net/bluetooth/hci_sync.c:5337 #4: ffffffff8ef23348 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:1983 [inline] #4: ffffffff8ef23348 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_conn_failed+0x158/0x370 net/bluetooth/hci_conn.c:1289 and ffffffff8ef23348 was held by kworker/u5:0/51. 6 locks held by kworker/u5:0/51: #0: ffff88802a730d38 ((wq_completion)hci2){+.+.}-{0:0}, at: process_one_work+0x789/0x15d0 kernel/workqueue.c:2608 #1: ffffc90000bc7d80 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work+0x7eb/0x15d0 kernel/workqueue.c:2609 #2: ffff888020989060 (&hdev->req_lock){+.+.}-{3:3}, at: hci_cmd_sync_work+0x170/0x410 net/bluetooth/hci_sync.c:305 #3: ffff888020988078 (&hdev->lock){+.+.}-{3:3}, at: hci_abort_conn_sync+0x150/0xb70 net/bluetooth/hci_sync.c:5337 #4: ffffffff8ef23348 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:1983 [inline] #4: ffffffff8ef23348 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_conn_failed+0x158/0x370 net/bluetooth/hci_conn.c:1289 #5: ffffffff8d1b83f8 (rcu_state.exp_mutex){+.+.}-{3:3}, at: exp_funnel_lock kernel/rcu/tree_exp.h:324 [inline] #5: ffffffff8d1b83f8 (rcu_state.exp_mutex){+.+.}-{3:3}, at: synchronize_rcu_expedited+0x3ff/0x800 kernel/rcu/tree_exp.h:995 Since RCU reader side is not permitted to sleep, kworker/u5:0/51 should have released ffffffff8ef23348 shortly. But the thread who was blocking ffffffff8d1b83f8 is not reported (presumably one of threads that are reported as "X lock[s] held by Y" without stack trace), we can't know what the thread blocking ffffffff8d1b83f8 was doing. Showing all backtraces of threads (including TASK_RUNNING state) could explain. So, your question will be "Lockdep developers, can we please make it possible to report all backtraces of threads which are holding at least one lock, tolerating increasing possibility of UAF when trying to report locks held?" Although Linus does not like, maybe we need to tune hung task report using a kernel config option.