On 01/09/2019 06:47 AM, Tetsuo Handa wrote: > Hello, Peter. > > We got two reports. Neither RWSEM_READER_OWNED nor RWSEM_ANONYMOUSLY_OWNED is set, and > (presumably) sem->owner == current is true, but count is -1. What does this mean? > > https://syzkaller.appspot.com/text?tag=CrashLog&x=169dbb9b400000 > > [ 2580.337550][ T3645] mmap_sem: hlock->read=1 count=-4294967295 current=ffff888050e04140, owner=ffff888050e04140 > [ 2580.353526][ T3645] ------------[ cut here ]------------ > [ 2580.367859][ T3645] downgrading a read lock > [ 2580.367935][ T3645] WARNING: CPU: 1 PID: 3645 at kernel/locking/lockdep.c:3572 lock_downgrade+0x35d/0xbe0 > [ 2580.382206][ T3645] Kernel panic - not syncing: panic_on_warn set ... > > https://syzkaller.appspot.com/text?tag=CrashLog&x=1542da4f400000 > > [ 386.342585][T16698] mmap_sem: hlock->read=1 count=-4294967295 current=ffff8880512ae180, owner=ffff8880512ae180 > [ 386.348586][T16698] ------------[ cut here ]------------ > [ 386.357203][T16698] downgrading a read lock > [ 386.357294][T16698] WARNING: CPU: 1 PID: 16698 at kernel/locking/lockdep.c:3572 lock_downgrade+0x35d/0xbe0 > [ 386.372148][T16698] Kernel panic - not syncing: panic_on_warn set ... > > A call to up_read() while the count was previously 0 will cause the count to become -1. I would suggest adding some debug code in up_read() to catch the offending caller. Cheers, Longman
