Something is leaking RCU holds from interrupt context

From: Matthew Wilcox
Date: Sun Apr 04 2021 - 06:28:49 EST

Next message: Leon Romanovsky: "Re: [PATCH] RDMA/addr: potential uninitialized variable in ib_nl_process_good_ip_rsep()"
Previous message: Greg Kroah-Hartman: "Re: [PATCH] debugfs: Fix use-after-free in debugfs_create_devm_seqfile()"
In reply to: syzbot: "[syzbot] WARNING: suspicious RCU usage in getname_flags"
Next in thread: Paul E. McKenney: "Re: Something is leaking RCU holds from interrupt context"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sat, Apr 03, 2021 at 09:15:17PM -0700, syzbot wrote:
> HEAD commit: 2bb25b3a Merge tag 'mips-fixes_5.12_3' of git://git.kernel..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=1284cc31d00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=78ef1d159159890
> dashboard link: https://syzkaller.appspot.com/bug?extid=dde0cc33951735441301
>
> Unfortunately, I don't have any reproducer for this issue yet.
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+dde0cc33951735441301@xxxxxxxxxxxxxxxxxxxxxxxxx
>
> WARNING: suspicious RCU usage
> 5.12.0-rc5-syzkaller #0 Not tainted
> -----------------------------
> kernel/sched/core.c:8294 Illegal context switch in RCU-bh read-side critical section!
>
> other info that might help us debug this:
>
>
> rcu_scheduler_active = 2, debug_locks = 0
> no locks held by systemd-udevd/4825.

I think we have something that's taking the RCU read lock in
(soft?) interrupt context and not releasing it properly in all
situations. This thread doesn't have any locks recorded, but
lock_is_held(&rcu_bh_lock_map) is true.

Is there some debugging code that could find this? eg should
lockdep_softirq_end() check that rcu_bh_lock_map is not held?
(if it's taken in process context, then BHs can't run, so if it's
held at softirq exit, then there's definitely a problem).

> stack backtrace:
> CPU: 0 PID: 4825 Comm: systemd-udevd Not tainted 5.12.0-rc5-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Call Trace:
> __dump_stack lib/dump_stack.c:79 [inline]
> dump_stack+0x141/0x1d7 lib/dump_stack.c:120
> ___might_sleep+0x229/0x2c0 kernel/sched/core.c:8294
> __might_fault+0x6e/0x180 mm/memory.c:5018
> strncpy_from_user+0x2f/0x3e0 lib/strncpy_from_user.c:117
> getname_flags.part.0+0x95/0x4f0 fs/namei.c:149
> getname_flags fs/namei.c:2733 [inline]
> user_path_at_empty+0xa1/0x100 fs/namei.c:2733
> user_path_at include/linux/namei.h:60 [inline]
> do_faccessat+0x127/0x850 fs/open.c:425
> do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46

Nothing in this path calls rcu_read_lock_bh(). It's almost exclusively
used by the networking code.

Next message: Leon Romanovsky: "Re: [PATCH] RDMA/addr: potential uninitialized variable in ib_nl_process_good_ip_rsep()"
Previous message: Greg Kroah-Hartman: "Re: [PATCH] debugfs: Fix use-after-free in debugfs_create_devm_seqfile()"
In reply to: syzbot: "[syzbot] WARNING: suspicious RCU usage in getname_flags"
Next in thread: Paul E. McKenney: "Re: Something is leaking RCU holds from interrupt context"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]