linux-mm.kvack.org archive mirror
From: Waiman Long <longman@redhat.com>
To: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>,
	peterz@infradead.org, "mingo@redhat.com" <mingo@redhat.com>
Cc: Yang Shi <yang.shi@linux.alibaba.com>,
	syzbot <syzbot+53383ae265fb161ef488@syzkaller.appspotmail.com>,
	akpm@linux-foundation.org, kirill.shutemov@linux.intel.com,
	linux-kernel@vger.kernel.org, linux-mm@kvack.org,
	linux@dominikbrodowski.net, mhocko@suse.com, rientjes@google.com,
	syzkaller-bugs@googlegroups.com, vbabka@suse.cz,
	boqun.feng@gmail.com
Subject: Re: WARNING: locking bug in lock_downgrade
Date: Wed, 9 Jan 2019 17:46:03 -0500
Message-ID: <864e2d6b-f471-cc04-311f-473da43b409a@redhat.com>
In-Reply-To: <d61e0a3e-a71e-9e42-7a56-d6fcfc0f6b63@I-love.SAKURA.ne.jp>

On 01/09/2019 09:18 AM, Tetsuo Handa wrote:
> On 2018/12/14 4:46, Waiman Long wrote:
>> On 12/12/2018 08:14 PM, Yang Shi wrote:
>>> By looking into lockdep code, I'm not sure if lockdep may get confused
>>> by such a sequence or not?
>>>
>>>
>>> Any hint is appreciated.
>>>
>>>
>>> Regards,
>>>
>>> Yang 
>> The warning was printed because hlock->read was set when doing the
>> downgrade_write(). So either downgrade_write() was called a second
>> time or a read lock was held originally. It is hard to tell what is the
>> root cause without a reproducer.
>>
>> Cheers,
>> Longman
>>
> Comparing with output from
>
>         struct rw_semaphore *sem = &current->mm->mmap_sem;
>
>         down_write(sem);
>         pr_warn("mmap_sem: count=%ld current=%px, owner=%px\n", atomic_long_read(&sem->count), current, READ_ONCE(sem->owner));
>         /* mmap_sem: count=-4294967295 current=ffff88813095ca80, owner=ffff88813095ca80 */
>         downgrade_write(sem);
>         pr_warn("mmap_sem: count=%ld current=%px, owner=%px\n", atomic_long_read(&sem->count), current, READ_ONCE(sem->owner));
>         /* mmap_sem: count=1 current=ffff88813095ca80, owner=ffff88813095ca83 */
>         up_read(sem);
>         pr_warn("mmap_sem: count=%ld current=%px, owner=%px\n", atomic_long_read(&sem->count), current, READ_ONCE(sem->owner));
>         /* mmap_sem: count=0 current=ffff88813095ca80, owner=0000000000000003 */

The behavior is correct. The current code will leave the reader task
structure pointer in owner even if it is a read lock. You have to look
at bit 0 to know if the owner is a reader or writer.

> what we got with debug printk() patch
>
>   https://syzkaller.appspot.com/text?tag=CrashLog&x=169dbb9b400000
>
>   [ 2580.337550][ T3645] mmap_sem: hlock->read=1 count=-4294967295 current=ffff888050e04140, owner=ffff888050e04140
>   [ 2580.353526][ T3645] ------------[ cut here ]------------
>   [ 2580.367859][ T3645] downgrading a read lock
>   [ 2580.367935][ T3645] WARNING: CPU: 1 PID: 3645 at kernel/locking/lockdep.c:3572 lock_downgrade+0x35d/0xbe0
>   [ 2580.382206][ T3645] Kernel panic - not syncing: panic_on_warn set ...
>
>   https://syzkaller.appspot.com/text?tag=CrashLog&x=1542da4f400000
>
>   [  386.342585][T16698] mmap_sem: hlock->read=1 count=-4294967295 current=ffff8880512ae180, owner=ffff8880512ae180
>   [  386.348586][T16698] ------------[ cut here ]------------
>   [  386.357203][T16698] downgrading a read lock
>   [  386.357294][T16698] WARNING: CPU: 1 PID: 16698 at kernel/locking/lockdep.c:3572 lock_downgrade+0x35d/0xbe0
>   [  386.372148][T16698] Kernel panic - not syncing: panic_on_warn set ...
>
> indicates that lockdep is saying that "current->mm->mmap_sem is held for read"
> while "struct rw_semaphore" is saying that "current->mm->mmap_sem is held for write".
> Something made lockdep confused. Possibly a lockdep bug.
>
It could be a bug in lockdep regarding downgrade. Someone else has
reported a similar problem before.

-Longman
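
The owner/count encoding discussed in this message, as an added example that is not part of the original e-mail or of the kernel source: a user-space C program that decodes the three values printed by the debug pr_warn() and flags the case where lockdep's hlock->read disagrees with the semaphore itself. The flag bits (bit 0 = reader, bit 1 seen set alongside it), the 64-bit write-bias constant and all function names are assumptions inferred from the values quoted in the thread.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed owner-field flag bits, inferred from the ...ca83 / ...0003 values above. */
#define RWSEM_READER_OWNED      (1ULL << 0)
#define RWSEM_ANONYMOUSLY_OWNED (1ULL << 1)
#define RWSEM_OWNER_FLAGS       (RWSEM_READER_OWNED | RWSEM_ANONYMOUSLY_OWNED)
/* Assumed 64-bit count for "one active writer, no waiters" (count=-4294967295). */
#define RWSEM_ACTIVE_WRITE_BIAS (-4294967295LL)

enum rwsem_state { RWSEM_FREE, RWSEM_WRITE_HELD_BY_CURRENT, RWSEM_READ_HELD, RWSEM_OTHER };

/* Classify the semaphore from the count/current/owner triple in one log line. */
enum rwsem_state classify(long long count, uint64_t current, uint64_t owner)
{
    if (count == 0)
        return RWSEM_FREE;                  /* owner may still hold a stale pointer */
    if ((owner & RWSEM_READER_OWNED) && count > 0)
        return RWSEM_READ_HELD;             /* bit 0 set: pointer is only a hint */
    if (count == RWSEM_ACTIVE_WRITE_BIAS && (owner & ~RWSEM_OWNER_FLAGS) == current
        && !(owner & RWSEM_READER_OWNED))
        return RWSEM_WRITE_HELD_BY_CURRENT; /* bit 0 clear and owner == current */
    return RWSEM_OTHER;                     /* waiters, other writer, etc. */
}

/* Returns 1 when lockdep's hlock->read contradicts the semaphore's own state. */
int lockdep_disagrees(int hlock_read, long long count, uint64_t current, uint64_t owner)
{
    enum rwsem_state s = classify(count, current, owner);
    if (s == RWSEM_WRITE_HELD_BY_CURRENT)
        return hlock_read != 0;
    if (s == RWSEM_READ_HELD)
        return hlock_read == 0;
    return 0;                               /* not enough information to judge */
}

int main(void)
{
    /* Values copied from the first crash log quoted in the thread. */
    int bad = lockdep_disagrees(1, -4294967295LL,
                                0xffff888050e04140ULL, 0xffff888050e04140ULL);
    printf("lockdep/rwsem mismatch: %s\n", bad ? "yes" : "no");
    return 0;
}
```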

Thread overview: 6+ messages
2018-11-26 20:38 WARNING: locking bug in lock_downgrade syzbot
2018-12-13  1:14 ` Yang Shi
2018-12-13 19:46   ` Waiman Long
2019-01-09 14:18     ` Tetsuo Handa
2019-01-09 22:46       ` Waiman Long [this message]
2019-01-10  2:45         ` Tetsuo Handa
