I did a regression search. e039c0b5985999b150594126225e1ee51df7b4c9 is the first bad commit
commit e039c0b5985999b150594126225e1ee51df7b4c9
Author: Kuniyuki Iwashima <kuniyu@xxxxxxxxxxxx>
Date: Fri Apr 29 14:38:01 2022 -0700
list: fix a data-race around ep->rdllist
[ Upstream commit d679ae94fdd5d3ab00c35078f5af5f37e068b03d ]
ep_poll() first calls ep_events_available() with no lock held and checks
if ep->rdllist is empty by list_empty_careful(), which reads
rdllist->prev. Thus all accesses to it need some protection to avoid
store/load-tearing.
Note INIT_LIST_HEAD_RCU() already has the annotation for both prev
and next.
Commit bf3b9f6372c4 ("epoll: Add busy poll support to epoll with socket
fds.") added the first lockless ep_events_available(), and commit
c5a282e9635e ("fs/epoll: reduce the scope of wq lock in epoll_wait()")
made some ep_events_available() calls lockless and added single call under
a lock, finally commit e59d3c64cba6 ("epoll: eliminate unnecessary lock
for zero timeout") made the last ep_events_available() lockless.
BUG: KCSAN: data-race in do_epoll_wait / do_epoll_wait
write to 0xffff88810480c7d8 of 8 bytes by task 1802 on cpu 0:
INIT_LIST_HEAD include/linux/list.h:38 [inline]
list_splice_init include/linux/list.h:492 [inline]
ep_start_scan fs/eventpoll.c:622 [inline]
ep_send_events fs/eventpoll.c:1656 [inline]
ep_poll fs/eventpoll.c:1806 [inline]
do_epoll_wait+0x4eb/0xf40 fs/eventpoll.c:2234
do_epoll_pwait fs/eventpoll.c:2268 [inline]
__do_sys_epoll_pwait fs/eventpoll.c:2281 [inline]
__se_sys_epoll_pwait+0x12b/0x240 fs/eventpoll.c:2275
__x64_sys_epoll_pwait+0x74/0x80 fs/eventpoll.c:2275
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
read to 0xffff88810480c7d8 of 8 bytes by task 1799 on cpu 1:
list_empty_careful include/linux/list.h:329 [inline]
ep_events_available fs/eventpoll.c:381 [inline]
ep_poll fs/eventpoll.c:1797 [inline]
do_epoll_wait+0x279/0xf40 fs/eventpoll.c:2234
do_epoll_pwait fs/eventpoll.c:2268 [inline]
__do_sys_epoll_pwait fs/eventpoll.c:2281 [inline]
__se_sys_epoll_pwait+0x12b/0x240 fs/eventpoll.c:2275
__x64_sys_epoll_pwait+0x74/0x80 fs/eventpoll.c:2275
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
value changed: 0xffff88810480c7d0 -> 0xffff888103c15098
Reported by Kernel Concurrency Sanitizer on:
CPU: 1 PID: 1799 Comm: syz-fuzzer Tainted: G W 5.17.0-rc7-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Link: https://lkml.kernel.org/r/20220322002653.33865-3-kuniyu@xxxxxxxxxxxx
Fixes: e59d3c64cba6 ("epoll: eliminate unnecessary lock for zero timeout")
Fixes: c5a282e9635e ("fs/epoll: reduce the scope of wq lock in epoll_wait()")
Fixes: bf3b9f6372c4 ("epoll: Add busy poll support to epoll with socket fds.")
Signed-off-by: Kuniyuki Iwashima <kuniyu@xxxxxxxxxxxx>
Reported-by: syzbot+bdd6e38a1ed5ee58d8bd@xxxxxxxxxxxxxxxxxxxxxxxxx
Cc: Al Viro <viro@xxxxxxxxxxxxxxxxxx>, Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
Cc: Kuniyuki Iwashima <kuniyu@xxxxxxxxxxxx>
Cc: Kuniyuki Iwashima <kuni1840@xxxxxxxxx>
Cc: "Soheil Hassas Yeganeh" <soheil@xxxxxxxxxx>
Cc: Davidlohr Bueso <dave@xxxxxxxxxxxx>
Cc: "Sridhar Samudrala" <sridhar.samudrala@xxxxxxxxx>
Cc: Alexander Duyck <alexander.h.duyck@xxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
include/linux/list.h | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
Reverting above change fixes v5.18.3 boot.
It seems the most significant byte of the "ldd -10(r3),rp" instruction in mpt_reply has been
set to 0:
4084: bf 80 21 18 cmpb,*<> r0,ret0,4118 <mpt_reply+0x1b8>
4088: 08 04 02 5b copy r4,dp
408c: 00 00 04 00 sync
4090: 0c 61 10 c2 ldd -10(r3),rp
See IIR value in crash output.
On 2022-06-09 2:13 p.m., John David Anglin wrote:
[...]
ata3: SATA link down (SStatus 0 SControl 0)
_______________________________
< Your System ate a SPARC! Gah! >
-------------------------------
\ ^__^
(__)\ )\/\
U ||----w |
|| ||
swapper/0 (pid 0): Illegal instruction (code 8)
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.18.3+ #1
Hardware name: 9000/785/C8000
YZrvWESTHLNXBCVMcbcbcbcbOGFRQPDI
PSW: 00001000000001000001101100001110 Not tainted
r00-03 0000000008041b0e 000000004e8045b0 0000000010bbda78 000000004e804470
r04-07 0000000010bb5000 0000000000001440 0000000054355000 0000000000001400
r08-11 0000000055000000 000000000000000e 000000000000000f 0000000055002800
r12-15 0000000000000000 0000000055002800 0000000040b668c0 0000000040b668c0
r16-19 0000000000000001 0000000000000001 0000000051b799f0 0000000000000000
r20-23 0000000000000001 fffffffffffff5b9 0000000000000000 0000000000200000
r24-27 000000000000000c 000000000800000e 0000000054355144 0000000040b3e0c0
r28-31 0000000000010001 000000004e804620 000000004e8045b0 0000000040edd040
sr00-03 00000000000a5c00 0000000000000000 0000000000000000 00000000000a5c00
sr04-07 0000000000000000 0000000000000000 0000000000000000 0000000000000000
IASQ: 0000000000000000 0000000000000000 IAOQ: 0000000010bbd9e0 0000000010bbd9e4
IIR: 006110c2 ISR: 0000000010240000 IOR: 00000003b76dd048
CPU: 0 CR30: 0000000040edd040 CR31: ffffffffffffffff
ORIG_R28: 0000000000000000
IAOQ[0]: mpt_reply+0x130/0x4f0 [mptbase]
IAOQ[1]: mpt_reply+0x134/0x4f0 [mptbase]
RP(r2): mpt_reply+0x1c8/0x4f0 [mptbase]
Backtrace:
[<0000000010bbde24>] mpt_interrupt+0x84/0xe8 [mptbase]
[<000000004026dd64>] __handle_irq_event_percpu+0xc4/0x250
[<000000004026df28>] handle_irq_event_percpu+0x38/0xd8
[<00000000402776c4>] handle_percpu_irq+0xb4/0xf0
[<000000004026c90c>] generic_handle_irq+0x5c/0x90
[<00000000401a20e4>] call_on_stack+0x18/0x24
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.18.3+ #1
Hardware name: 9000/785/C8000
Backtrace:
[<00000000401a8cd8>] show_stack+0x70/0x90
[<0000000040a8e238>] dump_stack_lvl+0xd8/0x128
[<0000000040a8e2bc>] dump_stack+0x34/0x48
[<00000000401a8efc>] die_if_kernel+0x1e4/0x3f8
[<00000000401a9af4>] handle_interruption+0x59c/0xb58
[<00000000401a107c>] intr_check_sig+0x0/0x3c
Kernel panic - not syncing: Fatal exception in interrupt
v5.18.2 with similar config is okay. The fault seems consistent. IIR contains illegal instruction.
Attached config.
Dave
--
John David Anglin dave.anglin@xxxxxxxx
