Re: WARNING: bad unlock balance in __get_user_pages_remote

From: Peter Xu
Date: Tue Apr 07 2020 - 16:48:08 EST

Next message: Peter Zijlstra: "Re: [PATCH 0/4] x86/module: Out-of-tree module decode and sanitize"
Previous message: Linus Torvalds: "Re: [GIT PULL] Please pull proc and exec work for 5.7-rc1"
In reply to: syzbot: "WARNING: bad unlock balance in __get_user_pages_remote"
Next in thread: syzbot: "Re: WARNING: bad unlock balance in __get_user_pages_remote"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Apr 07, 2020 at 01:16:11PM -0700, syzbot wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: 7e634208 Merge tag 'acpi-5.7-rc1-2' of git://git.kernel.or..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=169498ede00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=12205d036cec317f
> dashboard link: https://syzkaller.appspot.com/bug?extid=a8c70b7f3579fc0587dc
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17a41543e00000
>
> The bug was bisected to:
>
> commit 71335f37c5e8ec9225285206f7f875057b9737ad
> Author: Peter Xu <peterx@xxxxxxxxxx>
> Date: Thu Apr 2 04:08:53 2020 +0000
>
> mm/gup: allow to react to fatal signals
>
> bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=17dba9b3e00000
> final crash: https://syzkaller.appspot.com/x/report.txt?x=143ba9b3e00000
> console output: https://syzkaller.appspot.com/x/log.txt?x=103ba9b3e00000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+a8c70b7f3579fc0587dc@xxxxxxxxxxxxxxxxxxxxxxxxx
> Fixes: 71335f37c5e8 ("mm/gup: allow to react to fatal signals")
>
> =====================================
> WARNING: bad unlock balance detected!
> 5.6.0-syzkaller #0 Not tainted
> -------------------------------------
> syz-executor.0/8429 is trying to release lock (&mm->mmap_sem) at:
> [<ffffffff819fbf60>] __get_user_pages_locked mm/gup.c:1366 [inline]
> [<ffffffff819fbf60>] __get_user_pages_remote mm/gup.c:1831 [inline]
> [<ffffffff819fbf60>] __get_user_pages_remote+0x540/0x740 mm/gup.c:1806
> but there are no more locks to release!
>
> other info that might help us debug this:
> no locks held by syz-executor.0/8429.
>
> stack backtrace:
> CPU: 0 PID: 8429 Comm: syz-executor.0 Not tainted 5.6.0-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Call Trace:
> __dump_stack lib/dump_stack.c:77 [inline]
> dump_stack+0x188/0x20d lib/dump_stack.c:118
> __lock_release kernel/locking/lockdep.c:4633 [inline]
> lock_release+0x586/0x800 kernel/locking/lockdep.c:4941
> up_read+0x79/0x750 kernel/locking/rwsem.c:1573
> __get_user_pages_locked mm/gup.c:1366 [inline]
> __get_user_pages_remote mm/gup.c:1831 [inline]
> __get_user_pages_remote+0x540/0x740 mm/gup.c:1806
> pin_user_pages_remote+0x67/0xa0 mm/gup.c:2897
> process_vm_rw_single_vec mm/process_vm_access.c:108 [inline]
> process_vm_rw_core.isra.0+0x423/0x940 mm/process_vm_access.c:218
> process_vm_rw+0x21f/0x240 mm/process_vm_access.c:286
> __do_sys_process_vm_writev mm/process_vm_access.c:308 [inline]
> __se_sys_process_vm_writev mm/process_vm_access.c:303 [inline]
> __x64_sys_process_vm_writev+0xdf/0x1b0 mm/process_vm_access.c:303
> do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
> entry_SYSCALL_64_after_hwframe+0x49/0xb3
> RIP: 0033:0x45c879
> Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
> RSP: 002b:00007fa1008bac78 EFLAGS: 00000246 ORIG_RAX: 0000000000000137
> RAX: ffffffffffffffda RBX: 00007fa1008bb6d4 RCX: 000000000045c879
> RDX: 0000000000000001 RSI: 0000000020c22000 RDI: 0000000000000009
> RBP: 000000000076bf00 R08: 0000000000000001 R09: 0000000000000000
> R10: 0000000020c22fa0 R11: 0000000000000246 R12: 00000000ffffffff
> R13: 000000000000085d R14: 00000000004cb1ee R15: 000000000076bf0c
> ------------[ cut here ]------------
> DEBUG_RWSEMS_WARN_ON(tmp < 0): count = 0xffffffffffffff00, magic = 0xffff888094028338, owner = 0x3, curr 0xffff888093cbc500, list empty
> WARNING: CPU: 0 PID: 8429 at kernel/locking/rwsem.c:1435 __up_read kernel/locking/rwsem.c:1435 [inline]
> WARNING: CPU: 0 PID: 8429 at kernel/locking/rwsem.c:1435 up_read+0x5f9/0x750 kernel/locking/rwsem.c:1574

Indeed the original commit is problematic, sorry for that.

Fix should be attached below. According to syzbot document it should
understand the attached patch inline in the email and apply upon the
tree, then I think what we need is just:

#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

Thanks,

8<-----------------------------------------------------------------------

Next message: Peter Zijlstra: "Re: [PATCH 0/4] x86/module: Out-of-tree module decode and sanitize"
Previous message: Linus Torvalds: "Re: [GIT PULL] Please pull proc and exec work for 5.7-rc1"
In reply to: syzbot: "WARNING: bad unlock balance in __get_user_pages_remote"
Next in thread: syzbot: "Re: WARNING: bad unlock balance in __get_user_pages_remote"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]