public inbox for linux-kernel@vger.kernel.org
* [syzbot] [iommu?] WARNING in iommufd_device_unbind
@ 2024-11-22  8:17 syzbot
  2024-11-22 16:25 ` Suraj Sonawane
                   ` (4 more replies)
  0 siblings, 5 replies; 11+ messages in thread
From: syzbot @ 2024-11-22  8:17 UTC (permalink / raw)
  To: iommu, jgg, joro, kevin.tian, linux-kernel, robin.murphy,
	syzkaller-bugs, will

Hello,

syzbot found the following issue on:

HEAD commit:    c6d64479d609 Merge tag 'pull-statx' of git://git.kernel.or..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=129a0ae8580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=b3b3b2f3eaae51f9
dashboard link: https://syzkaller.appspot.com/bug?extid=c92878e123785b1fa2db
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=17da1bf7980000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/9d212f6bb1af/disk-c6d64479.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/21a14342211b/vmlinux-c6d64479.xz
kernel image: https://storage.googleapis.com/syzbot-assets/f96c41f3e4a6/bzImage-c6d64479.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c92878e123785b1fa2db@syzkaller.appspotmail.com

iommufd: Time out waiting for iommufd object to become free
------------[ cut here ]------------
WARNING: CPU: 1 PID: 6050 at drivers/iommu/iommufd/iommufd_private.h:208 iommufd_object_destroy_user drivers/iommu/iommufd/iommufd_private.h:208 [inline]
WARNING: CPU: 1 PID: 6050 at drivers/iommu/iommufd/iommufd_private.h:208 iommufd_device_unbind+0x81/0xa0 drivers/iommu/iommufd/device.c:280
Modules linked in:
CPU: 1 UID: 0 PID: 6050 Comm: syz.3.18 Not tainted 6.12.0-syzkaller-00239-gc6d64479d609 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024
RIP: 0010:iommufd_object_destroy_user drivers/iommu/iommufd/iommufd_private.h:208 [inline]
RIP: 0010:iommufd_device_unbind+0x81/0xa0 drivers/iommu/iommufd/device.c:280
Code: 00 e8 83 76 01 00 89 c3 31 ff 89 c6 e8 b8 85 43 fc 85 db 75 0f e8 6f 81 43 fc 5b 41 5e 41 5f c3 cc cc cc cc e8 60 81 43 fc 90 <0f> 0b 90 eb eb 89 f9 80 e1 07 80 c1 03 38 c1 7c b8 e8 d9 44 aa fc
RSP: 0018:ffffc90003017c38 EFLAGS: 00010293
RAX: ffffffff85516f50 RBX: 00000000fffffff0 RCX: ffff88802c693c00
RDX: 0000000000000000 RSI: 00000000fffffff0 RDI: 0000000000000000
RBP: ffffc90003017d70 R08: ffffffff85516f38 R09: 1ffff11005b9b140
R10: dffffc0000000000 R11: ffffed1005b9b141 R12: ffff888034149718
R13: ffff888034149700 R14: ffff888028d2c400 R15: dffffc0000000000
FS:  00007f2573c136c0(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000c001633e80 CR3: 0000000032fda000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 iommufd_selftest_destroy+0x95/0xe0 drivers/iommu/iommufd/selftest.c:1439
 iommufd_object_remove+0x3b6/0x530 drivers/iommu/iommufd/main.c:211
 iommufd_fops_ioctl+0x4d6/0x5a0 drivers/iommu/iommufd/main.c:424
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:906 [inline]
 __se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f2572d7e759
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f2573c13038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f2572f36058 RCX: 00007f2572d7e759
RDX: 0000000020000400 RSI: 0000000000003b80 RDI: 0000000000000003
RBP: 00007f2572df175e R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000001 R14: 00007f2572f36058 R15: 00007ffefd725ea8
 </TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

* Re: [syzbot] [iommu?] WARNING in iommufd_device_unbind
  2024-11-22  8:17 [syzbot] [iommu?] WARNING in iommufd_device_unbind syzbot
@ 2024-11-22 16:25 ` Suraj Sonawane
  2024-11-22 17:05   ` syzbot
  2024-11-23  7:18 ` Suraj Sonawane
                   ` (3 subsequent siblings)
  4 siblings, 1 reply; 11+ messages in thread
From: Suraj Sonawane @ 2024-11-22 16:25 UTC (permalink / raw)
  To: syzbot
  Cc: iommu, jgg, joro, kevin.tian, linux-kernel, robin.murphy,
	syzkaller-bugs, will


[-- Attachment #1.1: Type: text/plain, Size: 5455 bytes --]

#syz test

[-- Attachment #2: 0001-fix-WARNING-in-iommufd_device_unbind.patch --]
[-- Type: text/x-patch, Size: 1876 bytes --]

From 62b873bc70ab8f259b229ccab1ace3f6ba435ce5 Mon Sep 17 00:00:00 2001
From: Suraj Sonawane <surajsonawane0215@gmail.com>
Date: Fri, 22 Nov 2024 21:50:07 +0530
Subject: [PATCH] fix WARNING in iommufd_device_unbind

syz test

Signed-off-by: Suraj Sonawane <surajsonawane0215@gmail.com>
---
 drivers/iommu/iommufd/main.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/drivers/iommu/iommufd/main.c b/drivers/iommu/iommufd/main.c
index 0a96cc8f2..d2683ad82 100644
--- a/drivers/iommu/iommufd/main.c
+++ b/drivers/iommu/iommufd/main.c
@@ -122,6 +122,7 @@ int iommufd_object_remove(struct iommufd_ctx *ictx,
 {
 	struct iommufd_object *obj;
 	XA_STATE(xas, &ictx->objects, id);
+	DEFINE_MUTEX(remove_mutex); // Mutex for thread safety
 	bool zerod_shortterm = false;
 	int ret;
 
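
Review bot: `DEFINE_MUTEX(remove_mutex)` sits among the local declarations of `iommufd_object_remove()`, so every call gets its own mutex on the stack and no two callers ever contend on the same lock; it serializes nothing. Lockdep also expects a statically initialised lock to live in static storage, which a stack object does not. If removal needs a lock, add it to `struct iommufd_ctx`, initialise it with `mutex_init()` where the context is set up, and replace the `//` comment with a `/* */` comment that names what the lock protects.
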
@@ -139,11 +140,14 @@ int iommufd_object_remove(struct iommufd_ctx *ictx,
 			 * defer cleaning this object until close.
 			 */
 			refcount_dec(&to_destroy->users);
+			mutex_unlock(&remove_mutex);
 			return ret;
 		}
 		zerod_shortterm = true;
 	}
 
+	mutex_lock(&remove_mutex);
+
 	xa_lock(&ictx->objects);
 	obj = xas_load(&xas);
 	if (to_destroy) {
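
Review bot: the `mutex_unlock(&remove_mutex)` added before `return ret;` in the wait-failure branch runs before the `mutex_lock(&remove_mutex)` added further down, so that path unlocks a mutex that was never taken. Drop the unlock from the early return, or take the lock ahead of the `to_destroy` block if that wait is meant to be covered.
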
@@ -176,6 +180,9 @@ int iommufd_object_remove(struct iommufd_ctx *ictx,
 	 * Since users is zero any positive users_shortterm must be racing
 	 * iommufd_put_object(), or we have a bug.
 	 */
+
+	mutex_unlock(&remove_mutex);
+
 	if (!zerod_shortterm) {
 		ret = iommufd_object_dec_wait_shortterm(ictx, obj);
 		if (WARN_ON(ret))
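
Review bot: the `mutex_unlock(&remove_mutex)` ahead of `if (!zerod_shortterm)` releases the lock before `iommufd_object_dec_wait_shortterm()` is called, so the new lock does not cover the wait on `shortterm_users` at all. It also lands between the comment about racing `iommufd_put_object()` and the code that comment describes; if the unlock stays, move it above the comment block.
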
@@ -187,11 +194,13 @@ int iommufd_object_remove(struct iommufd_ctx *ictx,
 	return 0;
 
 err_xa:
+	xa_unlock(&ictx->objects);
+	mutex_unlock(&remove_mutex);
+
 	if (zerod_shortterm) {
 		/* Restore the xarray owned reference */
 		refcount_set(&obj->shortterm_users, 1);
 	}
-	xa_unlock(&ictx->objects);
 
 	/* The returned object reference count is zero */
 	return ret;
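
Review bot: at `err_xa:` the `xa_unlock(&ictx->objects)` has moved above `refcount_set(&obj->shortterm_users, 1)`, so the xarray-owned reference is now restored after the xarray lock is dropped instead of under it. Keep the restore inside the locked region and release in reverse order of acquisition: restore, then `xa_unlock()`, then `mutex_unlock()`. Every `goto err_xa` must also be reached with `remove_mutex` held for this unlock to be balanced, which the hunk does not show.
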
-- 
2.34.1


* Re: [syzbot] [iommu?] WARNING in iommufd_device_unbind
  2024-11-22 16:25 ` Suraj Sonawane
@ 2024-11-22 17:05   ` syzbot
  0 siblings, 0 replies; 11+ messages in thread
From: syzbot @ 2024-11-22 17:05 UTC (permalink / raw)
  To: iommu, jgg, joro, kevin.tian, linux-kernel, robin.murphy,
	surajsonawane0215, syzkaller-bugs, will

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: trying to register non-static key in iommufd_object_remove

INFO: trying to register non-static key.
The code is fine but needs lockdep annotation, or maybe
you didn't initialize this object before use?
turning off the locking correctness validator.
CPU: 1 UID: 0 PID: 6664 Comm: syz.3.18 Not tainted 6.12.0-syzkaller-07749-g28eb75e178d3-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 assign_lock_key+0x241/0x280 kernel/locking/lockdep.c:981
 register_lock_class+0x1cf/0x980 kernel/locking/lockdep.c:1295
 __lock_acquire+0xf3/0x2100 kernel/locking/lockdep.c:5101
 lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849
 __mutex_lock_common kernel/locking/mutex.c:585 [inline]
 __mutex_lock+0x1ac/0xee0 kernel/locking/mutex.c:735
 iommufd_object_remove+0x3b7/0x770 drivers/iommu/iommufd/main.c:149
 iommufd_fops_ioctl+0x4d6/0x5a0 drivers/iommu/iommufd/main.c:418
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:906 [inline]
 __se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fd7df57e759
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fd7e0445038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fd7df736058 RCX: 00007fd7df57e759
RDX: 0000000020000400 RSI: 0000000000003b80 RDI: 0000000000000003
RBP: 00007fd7df5f175e R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000001 R14: 00007fd7df736058 R15: 00007ffc4693c708
 </TASK>


Tested on:

commit:         28eb75e1 Merge tag 'drm-next-2024-11-21' of https://gi..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12817ec0580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=402159daa216c89d
dashboard link: https://syzkaller.appspot.com/bug?extid=c92878e123785b1fa2db
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=16933930580000


* Re: [syzbot] [iommu?] WARNING in iommufd_device_unbind
  2024-11-22  8:17 [syzbot] [iommu?] WARNING in iommufd_device_unbind syzbot
  2024-11-22 16:25 ` Suraj Sonawane
@ 2024-11-23  7:18 ` Suraj Sonawane
  2024-11-23  7:53   ` syzbot
  2024-11-23 11:08 ` Suraj Sonawane
                   ` (2 subsequent siblings)
  4 siblings, 1 reply; 11+ messages in thread
From: Suraj Sonawane @ 2024-11-23  7:18 UTC (permalink / raw)
  To: syzbot
  Cc: iommu, jgg, joro, kevin.tian, linux-kernel, robin.murphy,
	syzkaller-bugs, will


[-- Attachment #1.1: Type: text/plain, Size: 5455 bytes --]

#syz test

[-- Attachment #2: 0001-fix2-WARNING-in-iommufd_device_unbind.patch --]
[-- Type: text/x-patch, Size: 905 bytes --]

From a525eed14d42a9ebf16439d81e861fc0bfcbf8a7 Mon Sep 17 00:00:00 2001
From: Suraj Sonawane <surajsonawane0215@gmail.com>
Date: Sat, 23 Nov 2024 12:44:56 +0530
Subject: [PATCH] fix2 WARNING in iommufd_device_unbind

syz test

Signed-off-by: Suraj Sonawane <surajsonawane0215@gmail.com>
---
 drivers/iommu/iommufd/main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/iommu/iommufd/main.c b/drivers/iommu/iommufd/main.c
index d2683ad82..954c021e9 100644
--- a/drivers/iommu/iommufd/main.c
+++ b/drivers/iommu/iommufd/main.c
@@ -104,7 +104,7 @@ static int iommufd_object_dec_wait_shortterm(struct iommufd_ctx *ictx,
 	if (wait_event_timeout(ictx->destroy_wait,
 				refcount_read(&to_destroy->shortterm_users) ==
 					0,
-				msecs_to_jiffies(10000)))
+				msecs_to_jiffies(30000)))
 		return 0;
 
 	pr_crit("Time out waiting for iommufd object to become free\n");
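
Review bot: raising `msecs_to_jiffies(10000)` to `msecs_to_jiffies(30000)` only makes the waiter more patient; it does not say why `shortterm_users` fails to reach zero within 10 seconds, and the commit message ("syz test") gives no reason for the new value. A fix should identify which holder keeps the short-term reference for that long. If the timeout itself is meant to change, give it a named constant with a comment justifying the number instead of a bare literal.
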
-- 
2.34.1


* Re: [syzbot] [iommu?] WARNING in iommufd_device_unbind
  2024-11-23  7:18 ` Suraj Sonawane
@ 2024-11-23  7:53   ` syzbot
  0 siblings, 0 replies; 11+ messages in thread
From: syzbot @ 2024-11-23  7:53 UTC (permalink / raw)
  To: iommu, jgg, joro, kevin.tian, linux-kernel, robin.murphy,
	surajsonawane0215, syzkaller-bugs, will

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+c92878e123785b1fa2db@syzkaller.appspotmail.com
Tested-by: syzbot+c92878e123785b1fa2db@syzkaller.appspotmail.com

Tested on:

commit:         228a1157 Merge tag '6.13-rc-part1-SMB3-client-fixes' o..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16f5bb78580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=402159daa216c89d
dashboard link: https://syzkaller.appspot.com/bug?extid=c92878e123785b1fa2db
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1350975f980000

Note: testing is done by a robot and is best-effort only.

* Re: [syzbot] [iommu?] WARNING in iommufd_device_unbind
  2024-11-22  8:17 [syzbot] [iommu?] WARNING in iommufd_device_unbind syzbot
  2024-11-22 16:25 ` Suraj Sonawane
  2024-11-23  7:18 ` Suraj Sonawane
@ 2024-11-23 11:08 ` Suraj Sonawane
  2024-11-23 11:32   ` syzbot
  2024-11-23 13:24 ` Suraj Sonawane
  2024-11-23 17:06 ` Suraj Sonawane
  4 siblings, 1 reply; 11+ messages in thread
From: Suraj Sonawane @ 2024-11-23 11:08 UTC (permalink / raw)
  To: syzbot
  Cc: iommu, jgg, joro, kevin.tian, linux-kernel, robin.murphy,
	syzkaller-bugs, will


[-- Attachment #1.1: Type: text/plain, Size: 5455 bytes --]

#syz test

[-- Attachment #2: 0001-fix2-WARNING-in-iommufd_device_unbind.patch --]
[-- Type: text/x-patch, Size: 905 bytes --]

From a525eed14d42a9ebf16439d81e861fc0bfcbf8a7 Mon Sep 17 00:00:00 2001
From: Suraj Sonawane <surajsonawane0215@gmail.com>
Date: Sat, 23 Nov 2024 12:44:56 +0530
Subject: [PATCH] fix2 WARNING in iommufd_device_unbind

syz test

Signed-off-by: Suraj Sonawane <surajsonawane0215@gmail.com>
---
 drivers/iommu/iommufd/main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/iommu/iommufd/main.c b/drivers/iommu/iommufd/main.c
index d2683ad82..954c021e9 100644
--- a/drivers/iommu/iommufd/main.c
+++ b/drivers/iommu/iommufd/main.c
@@ -104,7 +104,7 @@ static int iommufd_object_dec_wait_shortterm(struct iommufd_ctx *ictx,
 	if (wait_event_timeout(ictx->destroy_wait,
 				refcount_read(&to_destroy->shortterm_users) ==
 					0,
-				msecs_to_jiffies(10000)))
+				msecs_to_jiffies(15000)))
 		return 0;
 
 	pr_crit("Time out waiting for iommufd object to become free\n");
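
Review bot: this attachment carries the same commit id (`a525eed14d42a9ebf16439d81e861fc0bfcbf8a7`), subject and `index d2683ad82..954c021e9` line as the earlier "fix2" patch, yet its `+` line reads `msecs_to_jiffies(15000)` where that one read 30000, so the diff was edited by hand and its header no longer describes its content. Regenerate it from a real commit. The pre-image blob `d2683ad82` is also the post-image of the mutex patch (`index 0a96cc8f2..d2683ad82`), so the change is based on that patch rather than on the upstream file.
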
-- 
2.34.1


* Re: [syzbot] [iommu?] WARNING in iommufd_device_unbind
  2024-11-23 11:08 ` Suraj Sonawane
@ 2024-11-23 11:32   ` syzbot
  0 siblings, 0 replies; 11+ messages in thread
From: syzbot @ 2024-11-23 11:32 UTC (permalink / raw)
  To: iommu, jgg, joro, kevin.tian, linux-kernel, robin.murphy,
	surajsonawane0215, syzkaller-bugs, will

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+c92878e123785b1fa2db@syzkaller.appspotmail.com
Tested-by: syzbot+c92878e123785b1fa2db@syzkaller.appspotmail.com

Tested on:

commit:         228a1157 Merge tag '6.13-rc-part1-SMB3-client-fixes' o..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=102a81c0580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=402159daa216c89d
dashboard link: https://syzkaller.appspot.com/bug?extid=c92878e123785b1fa2db
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1686975f980000

Note: testing is done by a robot and is best-effort only.


* Re: [syzbot] [iommu?] WARNING in iommufd_device_unbind
  2024-11-22  8:17 [syzbot] [iommu?] WARNING in iommufd_device_unbind syzbot
                   ` (2 preceding siblings ...)
  2024-11-23 11:08 ` Suraj Sonawane
@ 2024-11-23 13:24 ` Suraj Sonawane
  2024-11-23 16:06   ` syzbot
  2024-11-23 17:06 ` Suraj Sonawane
  4 siblings, 1 reply; 11+ messages in thread
From: Suraj Sonawane @ 2024-11-23 13:24 UTC (permalink / raw)
  To: syzbot
  Cc: iommu, jgg, joro, kevin.tian, linux-kernel, robin.murphy,
	syzkaller-bugs, will


[-- Attachment #1.1: Type: text/plain, Size: 5455 bytes --]

#syz test

On Fri, Nov 22, 2024 at 1:47 PM syzbot <
syzbot+c92878e123785b1fa2db@syzkaller.appspotmail.com> wrote:

> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit:    c6d64479d609 Merge tag 'pull-statx' of
> git://git.kernel.or..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=129a0ae8580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=b3b3b2f3eaae51f9
> dashboard link:
> https://syzkaller.appspot.com/bug?extid=c92878e123785b1fa2db
> compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for
> Debian) 2.40
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=17da1bf7980000
>
> Downloadable assets:
> disk image:
> https://storage.googleapis.com/syzbot-assets/9d212f6bb1af/disk-c6d64479.raw.xz
> vmlinux:
> https://storage.googleapis.com/syzbot-assets/21a14342211b/vmlinux-c6d64479.xz
> kernel image:
> https://storage.googleapis.com/syzbot-assets/f96c41f3e4a6/bzImage-c6d64479.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the
> commit:
> Reported-by: syzbot+c92878e123785b1fa2db@syzkaller.appspotmail.com
>
> iommufd: Time out waiting for iommufd object to become free
> ------------[ cut here ]------------
> WARNING: CPU: 1 PID: 6050 at drivers/iommu/iommufd/iommufd_private.h:208
> iommufd_object_destroy_user drivers/iommu/iommufd/iommufd_private.h:208
> [inline]
> WARNING: CPU: 1 PID: 6050 at drivers/iommu/iommufd/iommufd_private.h:208
> iommufd_device_unbind+0x81/0xa0 drivers/iommu/iommufd/device.c:280
> Modules linked in:
> CPU: 1 UID: 0 PID: 6050 Comm: syz.3.18 Not tainted
> 6.12.0-syzkaller-00239-gc6d64479d609 #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 10/30/2024
> RIP: 0010:iommufd_object_destroy_user
> drivers/iommu/iommufd/iommufd_private.h:208 [inline]
> RIP: 0010:iommufd_device_unbind+0x81/0xa0
> drivers/iommu/iommufd/device.c:280
> Code: 00 e8 83 76 01 00 89 c3 31 ff 89 c6 e8 b8 85 43 fc 85 db 75 0f e8 6f
> 81 43 fc 5b 41 5e 41 5f c3 cc cc cc cc e8 60 81 43 fc 90 <0f> 0b 90 eb eb
> 89 f9 80 e1 07 80 c1 03 38 c1 7c b8 e8 d9 44 aa fc
> RSP: 0018:ffffc90003017c38 EFLAGS: 00010293
> RAX: ffffffff85516f50 RBX: 00000000fffffff0 RCX: ffff88802c693c00
> RDX: 0000000000000000 RSI: 00000000fffffff0 RDI: 0000000000000000
> RBP: ffffc90003017d70 R08: ffffffff85516f38 R09: 1ffff11005b9b140
> R10: dffffc0000000000 R11: ffffed1005b9b141 R12: ffff888034149718
> R13: ffff888034149700 R14: ffff888028d2c400 R15: dffffc0000000000
> FS:  00007f2573c136c0(0000) GS:ffff8880b8700000(0000)
> knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 000000c001633e80 CR3: 0000000032fda000 CR4: 00000000003526f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
>  <TASK>
>  iommufd_selftest_destroy+0x95/0xe0 drivers/iommu/iommufd/selftest.c:1439
>  iommufd_object_remove+0x3b6/0x530 drivers/iommu/iommufd/main.c:211
>  iommufd_fops_ioctl+0x4d6/0x5a0 drivers/iommu/iommufd/main.c:424
>  vfs_ioctl fs/ioctl.c:51 [inline]
>  __do_sys_ioctl fs/ioctl.c:906 [inline]
>  __se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892
>  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
>  entry_SYSCALL_64_after_hwframe+0x77/0x7f
> RIP: 0033:0x7f2572d7e759
> Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7
> 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
> ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007f2573c13038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
> RAX: ffffffffffffffda RBX: 00007f2572f36058 RCX: 00007f2572d7e759
> RDX: 0000000020000400 RSI: 0000000000003b80 RDI: 0000000000000003
> RBP: 00007f2572df175e R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
> R13: 0000000000000001 R14: 00007f2572f36058 R15: 00007ffefd725ea8
>  </TASK>
>
>
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
>
> If the report is already addressed, let syzbot know by replying with:
> #syz fix: exact-commit-title
>
> If you want syzbot to run the reproducer, reply with:
> #syz test: git://repo/address.git branch-or-commit-hash
> If you attach or paste a git patch, syzbot will apply it before testing.
>
> If you want to overwrite report's subsystems, reply with:
> #syz set subsystems: new-subsystem
> (See the list of subsystem names on the web dashboard)
>
> If the report is a duplicate of another one, reply with:
> #syz dup: exact-subject-of-another-report
>
> If you want to undo deduplication, reply with:
> #syz undup
>

[-- Attachment #2: 0001-fix2-WARNING-in-iommufd_device_unbind.patch --]
[-- Type: text/x-patch, Size: 905 bytes --]

From a525eed14d42a9ebf16439d81e861fc0bfcbf8a7 Mon Sep 17 00:00:00 2001
From: Suraj Sonawane <surajsonawane0215@gmail.com>
Date: Sat, 23 Nov 2024 12:44:56 +0530
Subject: [PATCH] fix2 WARNING in iommufd_device_unbind

syz test

Signed-off-by: Suraj Sonawane <surajsonawane0215@gmail.com>
---
 drivers/iommu/iommufd/main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/iommu/iommufd/main.c b/drivers/iommu/iommufd/main.c
index d2683ad82..954c021e9 100644
--- a/drivers/iommu/iommufd/main.c
+++ b/drivers/iommu/iommufd/main.c
@@ -104,7 +104,7 @@ static int iommufd_object_dec_wait_shortterm(struct iommufd_ctx *ictx,
 	if (wait_event_timeout(ictx->destroy_wait,
 				refcount_read(&to_destroy->shortterm_users) ==
 					0,
-				msecs_to_jiffies(10000)))
+				msecs_to_jiffies(12000)))
 		return 0;
 
 	pr_crit("Time out waiting for iommufd object to become free\n");
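Review bot: The timeout in `msecs_to_jiffies(12000)` is a bare literal, and it is the second value tried on this same line (the previous attachment in this thread used 15000). A bound chosen by trial against one reproducer is hard to maintain; if the value has to change, give it a named constant with a comment stating what worst-case hold time of `shortterm_users` it is sized for, so the next reader can tell whether the number is a guess or a requirement.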
-- 
2.34.1



* Re: [syzbot] [iommu?] WARNING in iommufd_device_unbind
  2024-11-23 13:24 ` Suraj Sonawane
@ 2024-11-23 16:06   ` syzbot
  0 siblings, 0 replies; 11+ messages in thread
From: syzbot @ 2024-11-23 16:06 UTC (permalink / raw)
  To: iommu, jgg, joro, kevin.tian, linux-kernel, robin.murphy,
	surajsonawane0215, syzkaller-bugs, will

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+c92878e123785b1fa2db@syzkaller.appspotmail.com
Tested-by: syzbot+c92878e123785b1fa2db@syzkaller.appspotmail.com

Tested on:

commit:         228a1157 Merge tag '6.13-rc-part1-SMB3-client-fixes' o..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17ab7b78580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=402159daa216c89d
dashboard link: https://syzkaller.appspot.com/bug?extid=c92878e123785b1fa2db
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=121981c0580000

Note: testing is done by a robot and is best-effort only.


* Re: [syzbot] [iommu?] WARNING in iommufd_device_unbind
  2024-11-22  8:17 [syzbot] [iommu?] WARNING in iommufd_device_unbind syzbot
                   ` (3 preceding siblings ...)
  2024-11-23 13:24 ` Suraj Sonawane
@ 2024-11-23 17:06 ` Suraj Sonawane
  2024-11-23 17:40   ` syzbot
  4 siblings, 1 reply; 11+ messages in thread
From: Suraj Sonawane @ 2024-11-23 17:06 UTC (permalink / raw)
  To: syzbot
  Cc: iommu, jgg, joro, kevin.tian, linux-kernel, robin.murphy,
	syzkaller-bugs, will


[-- Attachment #1.1: Type: text/plain, Size: 5455 bytes --]

#syz test

On Fri, Nov 22, 2024 at 1:47 PM syzbot <
syzbot+c92878e123785b1fa2db@syzkaller.appspotmail.com> wrote:

> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit:    c6d64479d609 Merge tag 'pull-statx' of
> git://git.kernel.or..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=129a0ae8580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=b3b3b2f3eaae51f9
> dashboard link:
> https://syzkaller.appspot.com/bug?extid=c92878e123785b1fa2db
> compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for
> Debian) 2.40
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=17da1bf7980000
>
> Downloadable assets:
> disk image:
> https://storage.googleapis.com/syzbot-assets/9d212f6bb1af/disk-c6d64479.raw.xz
> vmlinux:
> https://storage.googleapis.com/syzbot-assets/21a14342211b/vmlinux-c6d64479.xz
> kernel image:
> https://storage.googleapis.com/syzbot-assets/f96c41f3e4a6/bzImage-c6d64479.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the
> commit:
> Reported-by: syzbot+c92878e123785b1fa2db@syzkaller.appspotmail.com
>
> iommufd: Time out waiting for iommufd object to become free
> ------------[ cut here ]------------
> WARNING: CPU: 1 PID: 6050 at drivers/iommu/iommufd/iommufd_private.h:208
> iommufd_object_destroy_user drivers/iommu/iommufd/iommufd_private.h:208
> [inline]
> WARNING: CPU: 1 PID: 6050 at drivers/iommu/iommufd/iommufd_private.h:208
> iommufd_device_unbind+0x81/0xa0 drivers/iommu/iommufd/device.c:280
> Modules linked in:
> CPU: 1 UID: 0 PID: 6050 Comm: syz.3.18 Not tainted
> 6.12.0-syzkaller-00239-gc6d64479d609 #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 10/30/2024
> RIP: 0010:iommufd_object_destroy_user
> drivers/iommu/iommufd/iommufd_private.h:208 [inline]
> RIP: 0010:iommufd_device_unbind+0x81/0xa0
> drivers/iommu/iommufd/device.c:280
> Code: 00 e8 83 76 01 00 89 c3 31 ff 89 c6 e8 b8 85 43 fc 85 db 75 0f e8 6f
> 81 43 fc 5b 41 5e 41 5f c3 cc cc cc cc e8 60 81 43 fc 90 <0f> 0b 90 eb eb
> 89 f9 80 e1 07 80 c1 03 38 c1 7c b8 e8 d9 44 aa fc
> RSP: 0018:ffffc90003017c38 EFLAGS: 00010293
> RAX: ffffffff85516f50 RBX: 00000000fffffff0 RCX: ffff88802c693c00
> RDX: 0000000000000000 RSI: 00000000fffffff0 RDI: 0000000000000000
> RBP: ffffc90003017d70 R08: ffffffff85516f38 R09: 1ffff11005b9b140
> R10: dffffc0000000000 R11: ffffed1005b9b141 R12: ffff888034149718
> R13: ffff888034149700 R14: ffff888028d2c400 R15: dffffc0000000000
> FS:  00007f2573c136c0(0000) GS:ffff8880b8700000(0000)
> knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 000000c001633e80 CR3: 0000000032fda000 CR4: 00000000003526f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
>  <TASK>
>  iommufd_selftest_destroy+0x95/0xe0 drivers/iommu/iommufd/selftest.c:1439
>  iommufd_object_remove+0x3b6/0x530 drivers/iommu/iommufd/main.c:211
>  iommufd_fops_ioctl+0x4d6/0x5a0 drivers/iommu/iommufd/main.c:424
>  vfs_ioctl fs/ioctl.c:51 [inline]
>  __do_sys_ioctl fs/ioctl.c:906 [inline]
>  __se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892
>  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
>  entry_SYSCALL_64_after_hwframe+0x77/0x7f
> RIP: 0033:0x7f2572d7e759
> Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7
> 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
> ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007f2573c13038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
> RAX: ffffffffffffffda RBX: 00007f2572f36058 RCX: 00007f2572d7e759
> RDX: 0000000020000400 RSI: 0000000000003b80 RDI: 0000000000000003
> RBP: 00007f2572df175e R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
> R13: 0000000000000001 R14: 00007f2572f36058 R15: 00007ffefd725ea8
>  </TASK>
>
>
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
>
> If the report is already addressed, let syzbot know by replying with:
> #syz fix: exact-commit-title
>
> If you want syzbot to run the reproducer, reply with:
> #syz test: git://repo/address.git branch-or-commit-hash
> If you attach or paste a git patch, syzbot will apply it before testing.
>
> If you want to overwrite report's subsystems, reply with:
> #syz set subsystems: new-subsystem
> (See the list of subsystem names on the web dashboard)
>
> If the report is a duplicate of another one, reply with:
> #syz dup: exact-subject-of-another-report
>
> If you want to undo deduplication, reply with:
> #syz undup
>

[-- Attachment #2: 0001-fix2-WARNING-in-iommufd_device_unbind.patch --]
[-- Type: text/x-patch, Size: 905 bytes --]

From a525eed14d42a9ebf16439d81e861fc0bfcbf8a7 Mon Sep 17 00:00:00 2001
From: Suraj Sonawane <surajsonawane0215@gmail.com>
Date: Sat, 23 Nov 2024 12:44:56 +0530
Subject: [PATCH] fix2 WARNING in iommufd_device_unbind

syz test

Signed-off-by: Suraj Sonawane <surajsonawane0215@gmail.com>
---
 drivers/iommu/iommufd/main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/iommu/iommufd/main.c b/drivers/iommu/iommufd/main.c
index d2683ad82..954c021e9 100644
--- a/drivers/iommu/iommufd/main.c
+++ b/drivers/iommu/iommufd/main.c
@@ -104,7 +104,7 @@ static int iommufd_object_dec_wait_shortterm(struct iommufd_ctx *ictx,
 	if (wait_event_timeout(ictx->destroy_wait,
 				refcount_read(&to_destroy->shortterm_users) ==
 					0,
-				msecs_to_jiffies(10000)))
+				msecs_to_jiffies(11000)))
 		return 0;
 
 	pr_crit("Time out waiting for iommufd object to become free\n");
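Review bot: Moving the bound from 10000 to 11000 in `msecs_to_jiffies()` makes the result depend on test-machine timing rather than on correctness, and syzbot's reply to this patch reports the reproducer still triggering the WARNING. Taken with the passing runs at larger values earlier in the thread, that points at a holder releasing its short-term reference late rather than at a wrong constant. Before changing the number again, it would help to report which object is still referenced when the wait expires, for example by extending the `pr_crit` message with the object's type and id, so the late holder can be identified.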
-- 
2.34.1



* Re: [syzbot] [iommu?] WARNING in iommufd_device_unbind
  2024-11-23 17:06 ` Suraj Sonawane
@ 2024-11-23 17:40   ` syzbot
  0 siblings, 0 replies; 11+ messages in thread
From: syzbot @ 2024-11-23 17:40 UTC (permalink / raw)
  To: iommu, jgg, joro, kevin.tian, linux-kernel, robin.murphy,
	surajsonawane0215, syzkaller-bugs, will

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in iommufd_device_unbind

iommufd: Time out waiting for iommufd object to become free
------------[ cut here ]------------
WARNING: CPU: 1 PID: 7718 at drivers/iommu/iommufd/iommufd_private.h:190 iommufd_object_destroy_user drivers/iommu/iommufd/iommufd_private.h:190 [inline]
WARNING: CPU: 1 PID: 7718 at drivers/iommu/iommufd/iommufd_private.h:190 iommufd_device_unbind+0x81/0xa0 drivers/iommu/iommufd/device.c:280
Modules linked in:
CPU: 1 UID: 0 PID: 7718 Comm: syz.2.28 Not tainted 6.12.0-syzkaller-08446-g228a1157fb9f-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:iommufd_object_destroy_user drivers/iommu/iommufd/iommufd_private.h:190 [inline]
RIP: 0010:iommufd_device_unbind+0x81/0xa0 drivers/iommu/iommufd/device.c:280
Code: 00 e8 13 a6 01 00 89 c3 31 ff 89 c6 e8 78 61 4c fc 85 db 75 0f e8 2f 5d 4c fc 5b 41 5e 41 5f c3 cc cc cc cc e8 20 5d 4c fc 90 <0f> 0b 90 eb eb 89 f9 80 e1 07 80 c1 03 38 c1 7c b8 e8 a9 f1 b3 fc
RSP: 0000:ffffc9000558fc38 EFLAGS: 00010293
RAX: ffffffff8548efc0 RBX: 00000000fffffff0 RCX: ffff88802b943c00
RDX: 0000000000000000 RSI: 00000000fffffff0 RDI: 0000000000000000
RBP: ffffc9000558fd70 R08: ffffffff8548efa8 R09: 1ffff11004af9f00
R10: dffffc0000000000 R11: ffffed1004af9f01 R12: ffff88803200d698
R13: ffff88803200d680 R14: ffff88807d293c00 R15: dffffc0000000000
FS:  00007f8c8c5a06c0(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020b04000 CR3: 000000006c9d0000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 iommufd_selftest_destroy+0x95/0xe0 drivers/iommu/iommufd/selftest.c:1621
 iommufd_object_remove+0x3b6/0x530 drivers/iommu/iommufd/main.c:185
 iommufd_fops_ioctl+0x4d6/0x5a0 drivers/iommu/iommufd/main.c:409
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:906 [inline]
 __se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f8c8b77e759
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f8c8c5a0038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f8c8b936058 RCX: 00007f8c8b77e759
RDX: 0000000020000400 RSI: 0000000000003b80 RDI: 0000000000000003
RBP: 00007f8c8b7f175e R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000001 R14: 00007f8c8b936058 R15: 00007fffb80aeab8
 </TASK>


Tested on:

commit:         228a1157 Merge tag '6.13-rc-part1-SMB3-client-fixes' o..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=178f975f980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=402159daa216c89d
dashboard link: https://syzkaller.appspot.com/bug?extid=c92878e123785b1fa2db
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1585a9c0580000

