From: syzbot <syzbot+c034966b0b02f94f7f34@syzkaller.appspotmail.com>
To: aarcange@redhat.com, akpm@linux-foundation.org,
	christian@brauner.io, cyphar@cyphar.com,
	elena.reshetova@intel.com, elver@google.com, guro@fb.com,
	keescook@chromium.org, ldv@altlinux.org,
	linux-kernel@vger.kernel.org, luto@amacapital.net,
	mhocko@suse.com, mingo@kernel.org, peterz@infradead.org,
	syzkaller-bugs@googlegroups.com, tglx@linutronix.de,
	viro@zeniv.linux.org.uk, wad@chromium.org
Subject: KCSAN: data-race in __rb_rotate_set_parents / vm_area_dup
Date: Thu, 24 Oct 2019 09:07:08 -0700
Message-ID: <000000000000b49e190595aa39fe@google.com>

Hello,

syzbot found the following crash on:

HEAD commit:    05f22368 x86, kcsan: Enable KCSAN for x86
git tree:       https://github.com/google/ktsan.git kcsan
console output: https://syzkaller.appspot.com/x/log.txt?x=1060c47b600000
kernel config:  https://syzkaller.appspot.com/x/.config?x=87d111955f40591f
dashboard link: https://syzkaller.appspot.com/bug?extid=c034966b0b02f94f7f34
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+c034966b0b02f94f7f34@syzkaller.appspotmail.com

==================================================================
BUG: KCSAN: data-race in __rb_rotate_set_parents / vm_area_dup

read to 0xffff88811eef53e8 of 200 bytes by task 7738 on cpu 0:
  vm_area_dup+0x70/0xf0 kernel/fork.c:359
  __split_vma+0x88/0x350 mm/mmap.c:2678
  __do_munmap+0xb02/0xb60 mm/mmap.c:2803
  do_munmap mm/mmap.c:2856 [inline]
  mmap_region+0x165/0xd50 mm/mmap.c:1749
  do_mmap+0x6d4/0xba0 mm/mmap.c:1577
  do_mmap_pgoff include/linux/mm.h:2353 [inline]
  vm_mmap_pgoff+0x12d/0x190 mm/util.c:496
  ksys_mmap_pgoff+0x2d8/0x420 mm/mmap.c:1629
  __do_sys_mmap arch/x86/kernel/sys_x86_64.c:100 [inline]
  __se_sys_mmap arch/x86/kernel/sys_x86_64.c:91 [inline]
  __x64_sys_mmap+0x91/0xc0 arch/x86/kernel/sys_x86_64.c:91
  do_syscall_64+0xcc/0x370 arch/x86/entry/common.c:290
  entry_SYSCALL_64_after_hwframe+0x44/0xa9

write to 0xffff88811eef5440 of 8 bytes by task 7737 on cpu 1:
  __rb_rotate_set_parents+0x4d/0xf0 lib/rbtree.c:79
  __rb_insert lib/rbtree.c:215 [inline]
  __rb_insert_augmented+0x109/0x370 lib/rbtree.c:459
  rb_insert_augmented include/linux/rbtree_augmented.h:50 [inline]
  rb_insert_augmented_cached include/linux/rbtree_augmented.h:60 [inline]
  vma_interval_tree_insert+0x196/0x230 mm/interval_tree.c:23
  __vma_link_file+0xd9/0x110 mm/mmap.c:634
  __vma_adjust+0x1ac/0x12a0 mm/mmap.c:842
  vma_adjust include/linux/mm.h:2276 [inline]
  __split_vma+0x208/0x350 mm/mmap.c:2707
  split_vma+0x73/0xa0 mm/mmap.c:2736
  mprotect_fixup+0x43f/0x510 mm/mprotect.c:413
  do_mprotect_pkey+0x3eb/0x660 mm/mprotect.c:553
  __do_sys_mprotect mm/mprotect.c:578 [inline]
  __se_sys_mprotect mm/mprotect.c:575 [inline]
  __x64_sys_mprotect+0x51/0x70 mm/mprotect.c:575
  do_syscall_64+0xcc/0x370 arch/x86/entry/common.c:290
  entry_SYSCALL_64_after_hwframe+0x44/0xa9

Reported by Kernel Concurrency Sanitizer on:
CPU: 1 PID: 7737 Comm: blkid Not tainted 5.4.0-rc3+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

Thread overview: 5+ messages
2019-10-24 16:07 syzbot [this message]
2019-10-24 16:24 ` KCSAN: data-race in __rb_rotate_set_parents / vm_area_dup Peter Zijlstra
2019-10-24 18:59   ` Marco Elver
2019-10-25  9:01     ` Peter Zijlstra
2019-10-25 17:35       ` Marco Elver
