public inbox for linux-kernel@vger.kernel.org
From: "Dae R. Jeong" <threeearcat@gmail.com>
To: efremov@linux.com, axboe@kernel.dk, linux-block@vger.kernel.org,
	linux-kernel@vger.kernel.org
Cc: yjkwon@kaist.ac.kr
Subject: WARNING in schedule_bh
Date: Mon, 13 Dec 2021 13:22:23 +0900	[thread overview]
Message-ID: <YbbKf6fU7y3GGZum@archdragon> (raw)

Hello,

During fuzzing, I observed a few warnings in the floppy driver, which
seem similar to the one found by Syzkaller
(https://syzkaller.appspot.com/bug?id=7c17d936536dc3864e5df2d79ea11cdd946f81bf).

One of the warning reports is as follows:
------------[ cut here ]------------
WARNING: CPU: 2 PID: 11682 at drivers/block/floppy.c:1000 schedule_bh drivers/block/floppy.c:1000 [inline]
WARNING: CPU: 2 PID: 11682 at drivers/block/floppy.c:1000 process_fd_request drivers/block/floppy.c:2851 [inline]
WARNING: CPU: 2 PID: 11682 at drivers/block/floppy.c:1000 fd_locked_ioctl drivers/block/floppy.c:3506 [inline]
WARNING: CPU: 2 PID: 11682 at drivers/block/floppy.c:1000 fd_ioctl+0x4825/0x4e90 drivers/block/floppy.c:3555
Modules linked in:
...
(skipped)
...
Call Trace:
 <TASK>
 blkdev_ioctl+0x45f/0xb20 block/ioctl.c:609
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]
 __se_sys_ioctl+0x12c/0x1e0 fs/ioctl.c:860
 __x64_sys_ioctl+0x9e/0xe0 fs/ioctl.c:860
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x6f/0x110 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x478b29
...
(skipped)
...
 </TASK>
------------------------------------

A similar warning seems to occur in places where schedule_bh() is
called (e.g., floppy_queue_rq, floppy_interrupt, ...).

I am trying to understand why this happens. The execution scenario
below is my best guess (but different from the above call
trace). Since I don't fully understand the semantics of the floppy
driver, please excuse me if this is wrong.


fd_locked_ioctl(FDRESET)      kworkerd                                  floppy_interrupt
  user_reset_fdc()
    cont = &reset_cont;
    wait_til_done(reset_fdc)
      schedule_bh(reset_fdc)
      wait_event(command_done)
                              reset_fdc()
                                do_floppy = reset_interrupt
                                /* triggering an interrupt
                                   as stated in the comment */
                                                                        handler = do_floppy // reset_interrupt
                                                                        schedule_bh(handler)
                              reset_interrupt()
                                success_and_wakeup // reset_cont.redo
                                  generic_success()
                                    generic_done(1)  // reset_cont.done
                                      cont = &wakeup_cont
                                  do_wakeup()      // wakeup_cont.redo
                                    reschedule_timeout()
                                    cont = NULL
                                    wake_up(command_done) // fd_locked_ioctl() can now resume

                              floppy_shutdown() // invoked by the above reschedule_timeout()
                                process_fd_request() // cont is NULL by reset_interrupt()
                                  schedule_bh(redo_fd_request)
    process_fd_request()
      schedule_bh(redo_fd_request) <- WARNING


So, for me, the concurrent execution of floppy_shutdown() and
fd_locked_ioctl() is suspicious. Could you please check whether the
above scenario is reasonable?


Best regards,
Dae R. Jeong.
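As an added illustration of the invariant behind this warning (written for this thread; it is neither code from the post nor from floppy.c), the user-space model below reduces the floppy driver's single work item to a one-slot queue with a pending flag. The assumption it builds on is the reading that schedule_bh() in floppy.c does WARN_ON(work_pending(&floppy_work)) before storing the handler and queueing floppy_work, i.e. that at most one deferred handler may be outstanding at a time. The names schedule_bh, process_fd_request, run_floppy_work and the step enum are stand-ins chosen for the model, not the kernel's functions; replay() walks one explicit interleaving at a time, so the result is deterministic and no threads are involved.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Toy model of the floppy driver's single deferred-work slot.
 * Assumption: floppy.c's schedule_bh() is WARN_ON(work_pending(&floppy_work))
 * followed by storing the handler and queue_work(). The invariant is
 * "at most one outstanding floppy_work"; two schedule_bh() calls with no
 * worker run in between violate it.
 */

typedef void (*handler_t)(void);

static bool floppy_work_pending;   /* stands in for work_pending(&floppy_work) */
static handler_t floppy_work_fn;   /* handler the worker will run next */
static int warn_count;             /* number of WARN_ON hits observed */
static int redo_calls;             /* how many times redo_fd_request() ran */

static void warn_on(bool cond) { if (cond) warn_count++; }

/* Same shape as the kernel's schedule_bh(): warn if already queued, then queue.
 * Note the handler slot is overwritten, so an earlier pending handler is lost. */
static void schedule_bh(handler_t handler)
{
	warn_on(floppy_work_pending);      /* WARN_ON(work_pending(&floppy_work)) */
	floppy_work_fn = handler;
	floppy_work_pending = true;        /* queue_work(floppy_wq, &floppy_work) */
}

/* The workqueue thread: run the queued handler once, if any. */
static void run_floppy_work(void)
{
	handler_t h;

	if (!floppy_work_pending)
		return;
	floppy_work_pending = false;
	h = floppy_work_fn;
	floppy_work_fn = NULL;
	h();
}

static void redo_fd_request(void) { redo_calls++; }

/* With cont == NULL, process_fd_request() ends in schedule_bh(redo_fd_request). */
static void process_fd_request(void) { schedule_bh(redo_fd_request); }

/* Steps the scheduler may interleave (model-specific names). */
enum step { SHUTDOWN_PFR, IOCTL_PFR, WORKER_RUN };

/* Replay one interleaving from a clean state; return the number of WARN_ON hits. */
static int replay(const enum step *steps, size_t n)
{
	size_t i;

	floppy_work_pending = false;
	floppy_work_fn = NULL;
	warn_count = 0;
	redo_calls = 0;

	for (i = 0; i < n; i++) {
		switch (steps[i]) {
		case SHUTDOWN_PFR: process_fd_request(); break; /* floppy_shutdown() path */
		case IOCTL_PFR:    process_fd_request(); break; /* fd_locked_ioctl() resumes */
		case WORKER_RUN:   run_floppy_work();    break; /* kworker drains the slot */
		}
	}
	return warn_count;
}

/* Interleaving from the post: both callers reach process_fd_request()
 * before the worker runs. Returns 1 (one WARN_ON hit). */
static int race_interleaving(void)
{
	static const enum step s[] = { SHUTDOWN_PFR, IOCTL_PFR, WORKER_RUN };
	return replay(s, sizeof(s) / sizeof(s[0]));
}

/* Same two callers, but the worker drains the slot in between. Returns 0;
 * redo_fd_request() then runs twice, once per caller. */
static int drained_interleaving(void)
{
	static const enum step s[] = { SHUTDOWN_PFR, WORKER_RUN, IOCTL_PFR, WORKER_RUN };
	return replay(s, sizeof(s) / sizeof(s[0]));
}

/* Number of redo_fd_request() runs recorded by the most recent replay(). */
static int redo_calls_after_last_replay(void) { return redo_calls; }

int main(void)
{
	int race = race_interleaving();
	int drained = drained_interleaving();
	int redo = redo_calls_after_last_replay();

	printf("race interleaving: %d warning(s)\n", race);
	printf("drained interleaving: %d warning(s), redo_fd_request ran %d time(s)\n",
	       drained, redo);
	return 0;
}
```

The point the model makes is that the warning fires purely on ordering: the same two process_fd_request() calls produce a WARN_ON hit when they land back to back, and none when the worker runs between them. It also shows a side effect of the back-to-back case that the warning itself hides: the first queued handler is silently replaced rather than run twice, so any caller that relied on its own redo_fd_request() being the one executed would be wrong about that.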

Thread overview: 5+ messages
2021-12-13  4:22 Dae R. Jeong [this message]
2021-12-17  6:44 ` WARNING in schedule_bh Denis Efremov
  -- strict thread matches above, loose matches on Subject: below --
2021-09-13  2:49 Hao Sun
2020-01-15 16:15 syzbot
2018-07-27  1:42 Dae R. Jeong
