From patchwork Mon Mar 20 21:17:50 2023
X-Patchwork-Submitter: Eric Dumazet
X-Patchwork-Id: 72466
From: Eric Dumazet
Date: Mon, 20 Mar 2023 14:17:50 -0700
Subject: syzbot + epoll
To: Paolo Abeni, LKML, Xiumei Mu, Jacob Keller, Soheil Hassas Yeganeh, Andrew Morton
X-Mailing-List: linux-kernel@vger.kernel.org

This is about this recent syzbot report (with a C repro)

https://lore.kernel.org/lkml/000000000000c6dc0305f75b4d74@google.com/T/#u

I think this is caused by:

commit fc02a95bb6d8bf58c6efd7e362814558eea2ef28
Author: Paolo Abeni
Date:   Tue Mar 7 19:46:37 2023 +0100

    epoll: use refcount to reduce ep_mutex contention

Problem is that __ep_remove() might return early, without removing epi
from the rbtree (ep->rbr).

This happens when epi->dying has been set to true here:

https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/tree/fs/eventpoll.c?id=6f72958a49f68553f2b6ff713e8c8e51a34c1e1e#n954

So we loop while holding ep->mtx, meaning that the other thread is
blocked here:

https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/tree/fs/eventpoll.c?id=6f72958a49f68553f2b6ff713e8c8e51a34c1e1e#n962

So this deadlocks.

Maybe fix this with:

@@ -810,7 +810,8 @@ static void ep_clear_and_put(struct eventpoll *ep) * Since we still own a reference to the eventpoll struct, the loop can't * dispose it. */ - while ((rbp = rb_first_cached(&ep->rbr)) != NULL) { + for (rbp = rb_first_cached(&ep->rbr); rbp; rbp = next) { + next = rb_next(rbp); epi = rb_entry(rbp, struct epitem, rbn); ep_remove_safe(ep, epi); cond_resched(); diff --git a/fs/eventpoll.c b/fs/eventpoll.c index 25a59640748a0fd22a84a5aecb90815fbbca9cef..1db56c6175aab5af7bc637a452b68ed8bc11fd7f 100644 --- a/fs/eventpoll.c +++ b/fs/eventpoll.c @@ -784,7 +784,7 @@ static void ep_remove_safe(struct eventpoll *ep, struct epitem *epi) static void ep_clear_and_put(struct eventpoll *ep) { - struct rb_node *rbp; + struct rb_node *rbp, *next; struct epitem *epi; bool dispose;
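
Review bot: in the @@ -810 hunk, the new for loop in ep_clear_and_put() makes a single pass and can leave behind any epitem that ep_remove_safe() did not remove, but the comment above the loop only covers the eventpoll reference. Please extend that comment to say that entries with epi->dying set are skipped on purpose and which path removes them from ep->rbr afterwards. It is also worth stating there that reading next before ep_remove_safe() and using it after cond_resched() relies on ep->mtx being held for the whole walk.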
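
Review bot: the diff --git header and the @@ -784 hunk that declares 'struct rb_node *rbp, *next;' come after the @@ -810 hunk that already uses next, so the patch as pasted has its hunks out of order and is unlikely to apply as is. For a formal submission, put the file header first and the hunks in ascending order, and add a Signed-off-by and a Fixes: tag naming fc02a95bb6d8 ("epoll: use refcount to reduce ep_mutex contention"), the commit the message identifies as the cause.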
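
The loop behaviour described in the message above, as an added example: a constructed user-space model, not code from the kernel or from the message's author. The names model_remove, drain_restart, drain_once and build are hypothetical, and a linked list stands in for the rbtree.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed user-space model, not kernel code: a linked list stands in
 * for ep->rbr and `dying` for epi->dying. Nothing clears `dying`, matching
 * the message: the thread that set it is blocked on ep->mtx. */
struct item { struct item *next; bool dying; };

/* Hypothetical stand-in for the early return: a dying item stays linked. */
static bool model_remove(struct item **first, struct item *it) {
    if (it->dying) return false;
    for (struct item **pp = first; *pp; pp = &(*pp)->next)
        if (*pp == it) { *pp = it->next; return true; }
    return false;
}

/* Restart-from-first shape; -1 means `budget` passes did not empty the set. */
static int drain_restart(struct item **first, int budget) {
    int n = 0;
    while (*first != NULL) {
        if (n++ >= budget)
            return -1;
        model_remove(first, *first);
    }
    return n;
}

/* Single-pass shape: the successor is read before the removal attempt. */
static int drain_once(struct item **first) {
    int n = 0;
    for (struct item *it = *first, *next; it; it = next, n++) {
        next = it->next;
        model_remove(first, it);
    }
    return n;
}

/* Builds a 3-item list in v; item dying_idx (none if negative) is dying. */
static struct item *build(struct item v[3], int dying_idx) {
    for (int i = 0; i < 3; i++)
        v[i] = (struct item){ i < 2 ? &v[i + 1] : NULL, i == dying_idx };
    return &v[0];
}

int main(void) {
    struct item a[3], b[3], *fa = build(a, 1), *fb = build(b, 1);
    int restart = drain_restart(&fa, 1000), once = drain_once(&fb);
    printf("restart=%d once=%d left_dying=%d\n", restart, once, fb == &b[1]);
    return 0;
}
```

In the model the single-pass loop terminates with the dying item still linked, which is why the remaining entry has to be removed by whoever set the flag.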