Re: WARNING in lock_release

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, Nov 17, 2017 at 10:02 PM, Al Viro <viro@xxxxxxxxxxxxxxxxxx> wrote:
> On Thu, Nov 16, 2017 at 02:56:00AM -0800, syzbot wrote:
>> Hello,
>>
>> syzkaller hit the following crash on
>> 5515cf16e270538121e4fa9283fed86c6cfd8c9c
>> git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master
>> compiler: gcc (GCC) 7.1.1 20170620
>> .config is attached
>> Raw console output is attached.
>> C reproducer is attached
>> syzkaller reproducer is attached. See https://goo.gl/kgGztJ
>> for information about syzkaller reproducers
>
> Hmm...   That's alloc_super() buggering off on allocation failure and
> hitting up_write(s->s_umount) in destroy_unused_super(), since it has
> not done
>         init_rwsem(&s->s_umount);
>         lockdep_set_class(&s->s_umount, &type->s_umount_key);
>         down_write_nested(&s->s_umount, SINGLE_DEPTH_NESTING);
> part yet.  The sucker is just all-zeroes here.  The easiest way to fix
> that would probably be to move that bit of initialization in the very
> beginning...
>
> diff --git a/fs/super.c b/fs/super.c
> index 8ca15415351a..2808aeaf5337 100644
> --- a/fs/super.c
> +++ b/fs/super.c
> @@ -190,6 +190,24 @@ static struct super_block *alloc_super(struct file_system_type *type, int flags,
>
>         INIT_LIST_HEAD(&s->s_mounts);
>         s->s_user_ns = get_user_ns(user_ns);
> +       init_rwsem(&s->s_umount);
> +       lockdep_set_class(&s->s_umount, &type->s_umount_key);
> +       /*
> +        * sget() can have s_umount recursion.
> +        *
> +        * When it cannot find a suitable sb, it allocates a new
> +        * one (this one), and tries again to find a suitable old
> +        * one.
> +        *
> +        * In case that succeeds, it will acquire the s_umount
> +        * lock of the old one. Since these are clearly distrinct
> +        * locks, and this object isn't exposed yet, there's no
> +        * risk of deadlocks.
> +        *
> +        * Annotate this by putting this lock in a different
> +        * subclass.
> +        */
> +       down_write_nested(&s->s_umount, SINGLE_DEPTH_NESTING);
>
>         if (security_sb_alloc(s))
>                 goto fail;
> @@ -217,25 +235,6 @@ static struct super_block *alloc_super(struct file_system_type *type, int flags,
>                 goto fail;
>         if (list_lru_init_memcg(&s->s_inode_lru))
>                 goto fail;
> -
> -       init_rwsem(&s->s_umount);
> -       lockdep_set_class(&s->s_umount, &type->s_umount_key);
> -       /*
> -        * sget() can have s_umount recursion.
> -        *
> -        * When it cannot find a suitable sb, it allocates a new
> -        * one (this one), and tries again to find a suitable old
> -        * one.
> -        *
> -        * In case that succeeds, it will acquire the s_umount
> -        * lock of the old one. Since these are clearly distrinct
> -        * locks, and this object isn't exposed yet, there's no
> -        * risk of deadlocks.
> -        *
> -        * Annotate this by putting this lock in a different
> -        * subclass.
> -        */
> -       down_write_nested(&s->s_umount, SINGLE_DEPTH_NESTING);
>         s->s_count = 1;
>         atomic_set(&s->s_active, 1);
>         mutex_init(&s->s_vfs_rename_mutex);


Hi,

We are rolling out patch testing feature for syzbot:
https://github.com/google/syzkaller/blob/master/docs/syzbot.md#communication-with-syzbot
So if you are asking for testing, feel free to use it. If not, let's
still give it a try (it also needs testing):

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
master
diff --git a/fs/super.c b/fs/super.c
index 8ca15415351a..2808aeaf5337 100644
--- a/fs/super.c
+++ b/fs/super.c
@@ -190,6 +190,24 @@ static struct super_block *alloc_super(struct file_system_type *type, int flags,
 
 	INIT_LIST_HEAD(&s->s_mounts);
 	s->s_user_ns = get_user_ns(user_ns);
+	init_rwsem(&s->s_umount);
+	lockdep_set_class(&s->s_umount, &type->s_umount_key);
+	/*
+	 * sget() can have s_umount recursion.
+	 *
+	 * When it cannot find a suitable sb, it allocates a new
+	 * one (this one), and tries again to find a suitable old
+	 * one.
+	 *
+	 * In case that succeeds, it will acquire the s_umount
+	 * lock of the old one. Since these are clearly distrinct
+	 * locks, and this object isn't exposed yet, there's no
+	 * risk of deadlocks.
+	 *
+	 * Annotate this by putting this lock in a different
+	 * subclass.
+	 */
+	down_write_nested(&s->s_umount, SINGLE_DEPTH_NESTING);
 
 	if (security_sb_alloc(s))
 		goto fail;
@@ -217,25 +235,6 @@ static struct super_block *alloc_super(struct file_system_type *type, int flags,
 		goto fail;
 	if (list_lru_init_memcg(&s->s_inode_lru))
 		goto fail;
-
-	init_rwsem(&s->s_umount);
-	lockdep_set_class(&s->s_umount, &type->s_umount_key);
-	/*
-	 * sget() can have s_umount recursion.
-	 *
-	 * When it cannot find a suitable sb, it allocates a new
-	 * one (this one), and tries again to find a suitable old
-	 * one.
-	 *
-	 * In case that succeeds, it will acquire the s_umount
-	 * lock of the old one. Since these are clearly distrinct
-	 * locks, and this object isn't exposed yet, there's no
-	 * risk of deadlocks.
-	 *
-	 * Annotate this by putting this lock in a different
-	 * subclass.
-	 */
-	down_write_nested(&s->s_umount, SINGLE_DEPTH_NESTING);
 	s->s_count = 1;
 	atomic_set(&s->s_active, 1);
 	mutex_init(&s->s_vfs_rename_mutex);


[Index of Archives]     [Linux Ext4 Filesystem]     [Union Filesystem]     [Filesystem Testing]     [Ceph Users]     [Ecryptfs]     [AutoFS]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux Cachefs]     [Reiser Filesystem]     [Linux RAID]     [Samba]     [Device Mapper]     [CEPH Development]
  Powered by Linux