From: Marc Zyngier <maz@kernel.org>
To: Al Viro <viro@zeniv.linux.org.uk>
Cc: syzbot <syzbot+e24baf53dc389927a7c3@syzkaller.appspotmail.com>,
davem@davemloft.net, kuba@kernel.org,
linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
netdev@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: general protection fault in sock_close
Date: Mon, 31 Aug 2020 21:39:27 +0100
Message-ID: <82748fc422a64d70c706951954a2dcfa@kernel.org>
In-Reply-To: <20200831200328.GX1236603@ZenIV.linux.org.uk>

On 2020-08-31 21:03, Al Viro wrote:
> On Mon, Aug 31, 2020 at 12:48:13PM -0700, syzbot wrote:
>> Hello,
>>
>> syzbot found the following issue on:
>>
>> HEAD commit: 15bc20c6 Merge tag 'tty-5.9-rc3' of
>> git://git.kernel.org/p..
>> git tree: upstream
>> console output:
>> https://syzkaller.appspot.com/x/log.txt?x=16a85669900000
>> kernel config:
>> https://syzkaller.appspot.com/x/.config?x=891ca5711a9f1650
>> dashboard link:
>> https://syzkaller.appspot.com/bug?extid=e24baf53dc389927a7c3
>> compiler: clang version 10.0.0
>> (https://github.com/llvm/llvm-project/
>> c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
>> syz repro:
>> https://syzkaller.appspot.com/x/repro.syz?x=127d3c99900000
>
>> The issue was bisected to:
>>
>> commit a9ed4a6560b8562b7e2e2bed9527e88001f7b682
>> Author: Marc Zyngier <maz@kernel.org>
>> Date: Wed Aug 19 16:12:17 2020 +0000
>>
>> epoll: Keep a reference on files added to the check list
>
> All of those are essentially duplicates.
>
> The minimal fix is below; I'm not happy with it long-term, but I'm still
> digging through the eventpoll locking, and there's a good chance that this
> is the least intrusive variant for -stable. Folks, could you check if the
> following patch fixes those suckers? Again, all reports bisected to that
> commit are essentially the same.
>
> diff --git a/fs/eventpoll.c b/fs/eventpoll.c
> index e0decff22ae2..8107e06d7f6f 100644
> --- a/fs/eventpoll.c
> +++ b/fs/eventpoll.c
> @@ -1995,9 +1995,9 @@ static int ep_loop_check_proc(void *priv, void
> *cookie, int call_nests)
> * during ep_insert().
> */
> if (list_empty(&epi->ffd.file->f_tfile_llink)) {
> - get_file(epi->ffd.file);
> - list_add(&epi->ffd.file->f_tfile_llink,
> - &tfile_check_list);
> + if (get_file_rcu(epi->ffd.file))
> + list_add(&epi->ffd.file->f_tfile_llink,
> + &tfile_check_list);
> }
> }
> }
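
Review bot: the new failure path of get_file_rcu() in ep_loop_check_proc() is undocumented: when it returns false the file is silently left off tfile_check_list, and the comment ending "during ep_insert()." above the test does not say why skipping such a file is safe. Please extend that comment to state the reasoning. Separately, list_empty(&epi->ffd.file->f_tfile_llink) still dereferences the file before any reference is attempted, so the comment (or the commit message) should also name what keeps epi->ffd.file valid at that point, since the conditional reference only protects the later list_add().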

I've managed to reproduce the issue using [1] (throw a few in a VM,
see things explode like clockwork).

With this patch on top of -rc3, the VM keeps ticking away. FWIW:

Tested-by: Marc Zyngier <maz@kernel.org>
Fixes: a9ed4a6560b8 ("epoll: Keep a reference on files added to the check list")

Thanks,

M.

[1] https://syzkaller.appspot.com/x/repro.c?x=140a19a9900000
--
Jazz is not dead. It just smells funny...