WARNING: suspicious RCU usage in shmem_add_seals

syzbot

Oct 30, 2019, 6:43:09 AM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 2bb70f40 Merge 4.14.151 into android-4.14
git tree: android-4.14
console output: https://syzkaller.appspot.com/x/log.txt?x=12e39774e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=15a2768a52194c6c
dashboard link: https://syzkaller.appspot.com/bug?extid=fbb9e2ae57043cb180e4
compiler: gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+fbb9e2...@syzkaller.appspotmail.com

=============================
WARNING: suspicious RCU usage
4.14.151+ #0 Not tainted
-----------------------------
./include/linux/radix-tree.h:238 suspicious rcu_dereference_check() usage!

other info that might help us debug this:


rcu_scheduler_active = 2, debug_locks = 1
2 locks held by syz-executor.3/20031:
#0: (&sb->s_type->i_mutex_key#10){+.+.}, at: [<00000000cc983a17>]
inode_lock include/linux/fs.h:724 [inline]
#0: (&sb->s_type->i_mutex_key#10){+.+.}, at: [<00000000cc983a17>]
shmem_add_seals+0x12b/0xf80 mm/shmem.c:2831
#1: (&(&mapping->tree_lock)->rlock){-.-.}, at: [<00000000d960f5b3>]
spin_lock_irq include/linux/spinlock.h:342 [inline]
#1: (&(&mapping->tree_lock)->rlock){-.-.}, at: [<00000000d960f5b3>]
shmem_tag_pins mm/shmem.c:2685 [inline]
#1: (&(&mapping->tree_lock)->rlock){-.-.}, at: [<00000000d960f5b3>]
shmem_wait_for_pins mm/shmem.c:2726 [inline]
#1: (&(&mapping->tree_lock)->rlock){-.-.}, at: [<00000000d960f5b3>]
shmem_add_seals+0x2e1/0xf80 mm/shmem.c:2843

stack backtrace:
CPU: 0 PID: 20031 Comm: syz-executor.3 Not tainted 4.14.151+ #0
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0xca/0x134 lib/dump_stack.c:53
radix_tree_deref_slot include/linux/radix-tree.h:238 [inline]
shmem_tag_pins mm/shmem.c:2687 [inline]
shmem_wait_for_pins mm/shmem.c:2726 [inline]
shmem_add_seals+0x9d2/0xf80 mm/shmem.c:2843
shmem_fcntl+0xea/0x120 mm/shmem.c:2878
do_fcntl+0x5c8/0xd20 fs/fcntl.c:421
SYSC_fcntl fs/fcntl.c:463 [inline]
SyS_fcntl+0xc6/0x100 fs/fcntl.c:448
do_syscall_64+0x19b/0x520 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x459f49
RSP: 002b:00007fb24689ac78 EFLAGS: 00000246 ORIG_RAX: 0000000000000048
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000459f49
RDX: 0000000000000009 RSI: 0000000000000409 RDI: 0000000000000004
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fb24689b6d4
R13: 00000000004c0904 R14: 00000000004d31f0 R15: 00000000ffffffff
tc_ctl_action: received NO action attribs
tc_ctl_action: received NO action attribs
tc_ctl_action: received NO action attribs
tc_ctl_action: received NO action attribs
tc_ctl_action: received NO action attribs
tc_ctl_action: received NO action attribs
tc_ctl_action: received NO action attribs
tc_ctl_action: received NO action attribs
tc_ctl_action: received NO action attribs
tc_ctl_action: received NO action attribs
tc_ctl_action: received NO action attribs
tc_ctl_action: received NO action attribs
tc_ctl_action: received NO action attribs
tc_ctl_action: received NO action attribs
tc_ctl_action: received NO action attribs
tc_ctl_action: received NO action attribs
tc_ctl_action: received NO action attribs
tc_ctl_action: received NO action attribs
tc_ctl_action: received NO action attribs
tc_ctl_action: received NO action attribs
selinux_nlmsg_perm: 20 callbacks suppressed
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=8224
sclass=netlink_route_socket pig=20288 comm=syz-executor.3
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=14392
sclass=netlink_route_socket pig=20288 comm=syz-executor.3
tc_ctl_action: received NO action attribs
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=8224
sclass=netlink_route_socket pig=20288 comm=syz-executor.3
tc_ctl_action: received NO action attribs
tc_ctl_action: received NO action attribs
print_req_error: I/O error, dev loop4, sector 0
print_req_error: I/O error, dev loop4, sector 1096
print_req_error: I/O error, dev loop4, sector 0
Buffer I/O error on dev loop4, logical block 0, async page read
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=21549
sclass=netlink_tcpdiag_socket pig=20376 comm=syz-executor.2
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=21549
sclass=netlink_tcpdiag_socket pig=20369 comm=syz-executor.2
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=21549
sclass=netlink_tcpdiag_socket pig=20379 comm=syz-executor.2
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=21549
sclass=netlink_tcpdiag_socket pig=20394 comm=syz-executor.3
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=21549
sclass=netlink_tcpdiag_socket pig=20395 comm=syz-executor.0
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=21549
sclass=netlink_tcpdiag_socket pig=20396 comm=syz-executor.2
print_req_error: I/O error, dev loop4, sector 0
print_req_error: I/O error, dev loop4, sector 0
Buffer I/O error on dev loop4, logical block 0, async page read
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=21549
sclass=netlink_tcpdiag_socket pig=20437 comm=syz-executor.3
print_req_error: I/O error, dev loop4, sector 520


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Oct 30, 2019, 7:44:10 AM
to syzkaller-a...@googlegroups.com
syzbot has found a reproducer for the following crash on:

HEAD commit: 2bb70f40 Merge 4.14.151 into android-4.14
git tree: android-4.14
console output: https://syzkaller.appspot.com/x/log.txt?x=1719ba24e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=15a2768a52194c6c
dashboard link: https://syzkaller.appspot.com/bug?extid=fbb9e2ae57043cb180e4
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=115f4898e00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16e72b70e00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+fbb9e2...@syzkaller.appspotmail.com

random: sshd: uninitialized urandom read (32 bytes read)
urandom_read: 1 callbacks suppressed
random: sshd: uninitialized urandom read (32 bytes read)
audit: type=1400 audit(1572435631.725:7): avc: denied { map } for
pid=1785 comm="syz-executor603" path="/root/syz-executor603474564"
dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
=============================
WARNING: suspicious RCU usage
4.14.151+ #0 Not tainted
-----------------------------
./include/linux/radix-tree.h:238 suspicious rcu_dereference_check() usage!

other info that might help us debug this:


rcu_scheduler_active = 2, debug_locks = 1
2 locks held by syz-executor603/1785:
#0: (&sb->s_type->i_mutex_key#10){+.+.}, at: [< (ptrval)>]
inode_lock include/linux/fs.h:724 [inline]
#0: (&sb->s_type->i_mutex_key#10){+.+.}, at: [< (ptrval)>]
shmem_add_seals+0x12b/0xf80 mm/shmem.c:2831
#1: (&(&mapping->tree_lock)->rlock){-.-.}, at: [< (ptrval)>]
spin_lock_irq include/linux/spinlock.h:342 [inline]
#1: (&(&mapping->tree_lock)->rlock){-.-.}, at: [< (ptrval)>]
shmem_tag_pins mm/shmem.c:2685 [inline]
#1: (&(&mapping->tree_lock)->rlock){-.-.}, at: [< (ptrval)>]
shmem_wait_for_pins mm/shmem.c:2726 [inline]
#1: (&(&mapping->tree_lock)->rlock){-.-.}, at: [< (ptrval)>]
shmem_add_seals+0x2e1/0xf80 mm/shmem.c:2843

stack backtrace:
CPU: 1 PID: 1785 Comm: syz-executor603 Not tainted 4.14.151+ #0
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0xca/0x134 lib/dump_stack.c:53
radix_tree_deref_slot include/linux/radix-tree.h:238 [inline]
shmem_tag_pins mm/shmem.c:2687 [inline]
shmem_wait_for_pins mm/shmem.c:2726 [inline]
shmem_add_seals+0x9d2/0xf80 mm/shmem.c:2843
shmem_fcntl+0xea/0x120 mm/shmem.c:2878
do_fcntl+0x5c8/0xd20 fs/fcntl.c:421
SYSC_fcntl fs/fcntl.c:463 [inline]
SyS_fcntl+0xc6/0x100 fs/fcntl.c:448
do_syscall_64+0x19b/0x520 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x440189
RSP: 002b:00007ffdde77c7f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000048
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440189
RDX: 0000000000000008 RSI: 0000000000000409 RDI: 0000000000000003
RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a10
