On 4/20/22 11:00, syzbot wrote:
Hello, syzbot found the following issue on: HEAD commit: 634de1db0e9b Add linux-next specific files for 20220419 git tree: linux-next console output: https://syzkaller.appspot.com/x/log.txt?x=10c92db8f00000 kernel config: https://syzkaller.appspot.com/x/.config?x=bbd6f9b0a89865b0 dashboard link: https://syzkaller.appspot.com/bug?extid=57e67273f92d7f5f1931 compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10a02f68f00000 C reproducer: https://syzkaller.appspot.com/x/repro.c?x=138e3008f00000 The issue was bisected to: commit 78bfbdd1a4977df1dded20f9783a6ec174e67ef8 Author: Pavel Begunkov <asml.silence@xxxxxxxxx> Date: Fri Apr 15 21:08:23 2022 +0000 io_uring: kill io_put_req_deferred()
#syz test: https://github.com/isilence/linux.git syz_timeout_deadlock
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=13039c0cf00000 final oops: https://syzkaller.appspot.com/x/report.txt?x=10839c0cf00000 console output: https://syzkaller.appspot.com/x/log.txt?x=17039c0cf00000 IMPORTANT: if you fix the issue, please add the following tag to the commit: Reported-by: syzbot+57e67273f92d7f5f1931@xxxxxxxxxxxxxxxxxxxxxxxxx Fixes: 78bfbdd1a497 ("io_uring: kill io_put_req_deferred()") ============================================ WARNING: possible recursive locking detected 5.18.0-rc3-next-20220419-syzkaller #0 Not tainted -------------------------------------------- syz-executor162/3588 is trying to acquire lock: ffff888011a453d8 (&ctx->timeout_lock){....}-{2:2}, at: spin_lock_irq include/linux/spinlock.h:379 [inline] ffff888011a453d8 (&ctx->timeout_lock){....}-{2:2}, at: io_disarm_next+0x545/0xaa0 fs/io_uring.c:2452 but task is already holding lock: ffff888011a453d8 (&ctx->timeout_lock){....}-{2:2}, at: spin_lock_irq include/linux/spinlock.h:379 [inline] ffff888011a453d8 (&ctx->timeout_lock){....}-{2:2}, at: io_kill_timeouts+0x4c/0x227 fs/io_uring.c:10432 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(&ctx->timeout_lock); lock(&ctx->timeout_lock); *** DEADLOCK *** May be due to missing lock nesting notation 2 locks held by syz-executor162/3588: #0: ffff888011a45398 (&ctx->completion_lock){+.+.}-{2:2}, at: spin_lock include/linux/spinlock.h:354 [inline] #0: ffff888011a45398 (&ctx->completion_lock){+.+.}-{2:2}, at: io_kill_timeouts+0x38/0x227 fs/io_uring.c:10431 #1: ffff888011a453d8 (&ctx->timeout_lock){....}-{2:2}, at: spin_lock_irq include/linux/spinlock.h:379 [inline] #1: ffff888011a453d8 (&ctx->timeout_lock){....}-{2:2}, at: io_kill_timeouts+0x4c/0x227 fs/io_uring.c:10432 stack backtrace: CPU: 1 PID: 3588 Comm: syz-executor162 Not tainted 5.18.0-rc3-next-20220419-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_deadlock_bug kernel/locking/lockdep.c:2988 [inline] check_deadlock kernel/locking/lockdep.c:3031 [inline] validate_chain kernel/locking/lockdep.c:3816 [inline] __lock_acquire.cold+0x1f5/0x3b4 kernel/locking/lockdep.c:5053 lock_acquire kernel/locking/lockdep.c:5665 [inline] lock_acquire+0x1ab/0x570 kernel/locking/lockdep.c:5630 __raw_spin_lock_irq include/linux/spinlock_api_smp.h:119 [inline] _raw_spin_lock_irq+0x32/0x50 kernel/locking/spinlock.c:170 spin_lock_irq include/linux/spinlock.h:379 [inline] io_disarm_next+0x545/0xaa0 fs/io_uring.c:2452 __io_req_complete_post+0x794/0xd90 fs/io_uring.c:2200 io_kill_timeout fs/io_uring.c:1815 [inline] io_kill_timeout+0x210/0x21d fs/io_uring.c:1803 io_kill_timeouts+0xe2/0x227 fs/io_uring.c:10435 io_ring_ctx_wait_and_kill+0x1eb/0x360 fs/io_uring.c:10462 io_uring_release+0x42/0x46 fs/io_uring.c:10483 __fput+0x277/0x9d0 fs/file_table.c:317 task_work_run+0xdd/0x1a0 kernel/task_work.c:164 exit_task_work include/linux/task_work.h:37 [inline] do_exit+0xaff/0x2a00 kernel/exit.c:796 do_group_exit+0xd2/0x2f0 kernel/exit.c:926 __do_sys_exit_group kernel/exit.c:937 [inline] __se_sys_exit_group kernel/exit.c:935 [inline] __x64_sys_exit_group+0x3a/0x50 kernel/exit.c:935 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f786cb8ccb9 Code: Unable to access opcode bytes at RIP 0x7f786cb8cc8f. RSP: 002b:00007ffcf6b5b088 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 RAX: ffffffffffffffda RBX: 00007f786cc01350 RCX: 00007f786cb8ccb9 RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000 RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f786cc01350 R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001 </TASK> --- This report is generated by a bot. It may contain errors. See https://goo.gl/tpsmEJ for more information about syzbot. syzbot engineers can be reached at syzkaller@xxxxxxxxxxxxxxxx. syzbot will keep track of this issue. See: https://goo.gl/tpsmEJ#status for how to communicate with syzbot. For information about bisection process see: https://goo.gl/tpsmEJ#bisection syzbot can test patches for this issue, for details see: https://goo.gl/tpsmEJ#testing-patches
-- Pavel Begunkov
