linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: "Paul E. McKenney" <paulmck@kernel.org>
To: Dmitry Vyukov <dvyukov@google.com>
Cc: syzbot <syzbot+0f719294463916a3fc0e@syzkaller.appspotmail.com>,
	Sebastian Andrzej Siewior <bigeasy@linutronix.de>,
	LKML <linux-kernel@vger.kernel.org>,
	Ingo Molnar <mingo@kernel.org>,
	Peter Zijlstra <peterz@infradead.org>,
	syzkaller-bugs <syzkaller-bugs@googlegroups.com>,
	Thomas Gleixner <tglx@linutronix.de>
Subject: Re: KASAN: stack-out-of-bounds Read in csd_lock_record
Date: Thu, 9 Jul 2020 09:45:30 -0700	[thread overview]
Message-ID: <20200709164530.GA9247@paulmck-ThinkPad-P72> (raw)
In-Reply-To: <CACT4Y+Z8yErbDWPxv5tX0hnw7cTa6nJjg5f=MWMYS-2X91TZ9w@mail.gmail.com>

On Thu, Jul 09, 2020 at 12:13:44PM +0200, Dmitry Vyukov wrote:
> On Tue, Jul 7, 2020 at 6:26 PM Paul E. McKenney <paulmck@kernel.org> wrote:
> >
> > On Tue, Jul 07, 2020 at 05:51:48PM +0200, Dmitry Vyukov wrote:
> > > On Sat, Jul 4, 2020 at 8:34 PM Dmitry Vyukov <dvyukov@google.com> wrote:
> > > >
> > > > On Sat, Jul 4, 2020 at 6:45 PM Paul E. McKenney <paulmck@kernel.org> wrote:
> > > > >
> > > > > On Fri, Jul 03, 2020 at 04:31:22PM -0700, syzbot wrote:
> > > > > > Hello,
> > > > > >
> > > > > > syzbot found the following crash on:
> > > > > >
> > > > > > HEAD commit:    9e50b94b Add linux-next specific files for 20200703
> > > > > > git tree:       linux-next
> > > > > > console output: https://syzkaller.appspot.com/x/log.txt?x=1024b405100000
> > > > > > kernel config:  https://syzkaller.appspot.com/x/.config?x=f99cc0faa1476ed6
> > > > > > dashboard link: https://syzkaller.appspot.com/bug?extid=0f719294463916a3fc0e
> > > > > > compiler:       gcc (GCC) 10.1.0-syz 20200507
> > > > > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16dc490f100000
> > > > > >
> > > > > > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > > > > > Reported-by: syzbot+0f719294463916a3fc0e@syzkaller.appspotmail.com
> > > > >
> > > > > Good catch!  A call to csd_lock_record() was on the wrong side of a
> > > > > call to csd_unlock().
> > > >
> > > > Thanks for taking a look.
> > > >
> > > > > But is folded into another commit for bisectability reasons, so
> > > > > "Reported-by" would not make sense.  I have instead added this to the
> > > > > commit log:
> > > > >
> > > > > [ paulmck: Fix for syzbot+0f719294463916a3fc0e@syzkaller.appspotmail.com ]
> > > > > Link: https://lore.kernel.org/lkml/00000000000042f21905a991ecea@google.com
> > > > > Link: https://lore.kernel.org/lkml/0000000000002ef21705a9933cf3@google.com
> > > >
> > > > This should work, as far as I remember sybot looks for the email+hash
> > > > anywhere in the commit.
> > > > FWIW Tested-by can make sense as well.
> > >
> > > Paul, there is also some spike of stalls in smp_call_function,
> > > if you look at the top ones at:
> > > https://syzkaller.appspot.com/upstream#open
> > >
> > > Can these be caused by the same root cause?
> > > I am not sure what trees the bug was/is present... This seems to only
> > > happen on linux-next and nowhere else. But these stalls equally happen
> > > on mainline...
> >
> > I would be surprised, given that the csd_unlock() was before the faulting
> > reference.  But then again, I have been surprised before.
> 
> Yes, it seems unrelated.
> It looks like something broken in the kernel recently and now instead
> of diagnosing a stall on one CPU, it diagnoses it as a stall in
> smp_call_function on another CPU. This produces large number of
> assorted stall reports which are not too actionable...
> 
> 
> > You aren't running scftorture with its longwait parameter set to a
> > non-zero value, are you?  In that case, stalls are expected behavior.
> > This is to support test the CSD lock diagnostics in -rcu.  Which isn't
> > in mainline yet, so maybe I am asking a stupid question.
> 
> Since I don't know what is scftorture/longwait, I guess I am not running it :)
> 
> > If these are repeatable, one thing to try is to build the kernel with
> > CSD_LOCK_WAIT_DEBUG=y.  This requires c6c67d89c059 ("smp: Add source and
> > destination CPUs to __call_single_data") and 216d15e0d870 ("kernel/smp:
> > Provide CSD lock timeout diagnostics") from the -rcu tree's "dev" branch.
> > This will dump out the smp_call_function() function that was to be
> > invoked, on the off-chance that the problem is something like lock
> > contention in that function.
> 
> Here are some with reproducers:
> https://syzkaller.appspot.com/bug?id=8a1e95291152ce5afea43c103a1fd62a257fcf4b
> https://syzkaller.appspot.com/bug?id=5e3ac329b6304aacc6304cfaab1a514bca12ce82
> https://syzkaller.appspot.com/bug?id=a01b4478f89e19cee91531f7c2b7751f0caf8c0c
> https://syzkaller.appspot.com/bug?id=e4caef9fc41d0c019c532a4257faec129699a42e
> 
> But the question is if this CSD_LOCK_WAIT_DEBUG=y is useful in
> general? Should we enable it all the time?

The CSD_LOCK_WAIT_DEBUG functionality is quite new, so it is quite
possible that it is causing rather than detecting problems.  ;-)

But once it is stable, then yes, it might be quite generally useful.

							Thanx, Paul

  reply	other threads:[~2020-07-09 16:45 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-07-03 23:31 KASAN: stack-out-of-bounds Read in csd_lock_record syzbot
2020-07-04  0:48 ` syzbot
2020-07-04 16:45 ` Paul E. McKenney
2020-07-04 18:34   ` Dmitry Vyukov
2020-07-07 15:51     ` Dmitry Vyukov
2020-07-07 16:26       ` Paul E. McKenney
2020-07-09 10:13         ` Dmitry Vyukov
2020-07-09 16:45           ` Paul E. McKenney [this message]
2020-10-09  6:35 ` [tip: core/rcu] kernel/smp: Provide CSD lock timeout diagnostics tip-bot2 for Paul E. McKenney

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200709164530.GA9247@paulmck-ThinkPad-P72 \
    --to=paulmck@kernel.org \
    --cc=bigeasy@linutronix.de \
    --cc=dvyukov@google.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mingo@kernel.org \
    --cc=peterz@infradead.org \
    --cc=syzbot+0f719294463916a3fc0e@syzkaller.appspotmail.com \
    --cc=syzkaller-bugs@googlegroups.com \
    --cc=tglx@linutronix.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).