INFO: task hung in pipe_release


syzbot

Apr 14, 2019, 5:30:20 AM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 7bebf33f Merge 4.9.131 into android-4.9
git tree: android-4.9
console output: https://syzkaller.appspot.com/x/log.txt?x=1657d5b9400000
kernel config: https://syzkaller.appspot.com/x/.config?x=79019780e5795c29
dashboard link: https://syzkaller.appspot.com/bug?extid=03c6d2a475b35bd19756
compiler: gcc (GCC) 8.0.1 20180413 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+03c6d2...@syzkaller.appspotmail.com

INFO: task syz-executor2:32011 blocked for more than 140 seconds.
Not tainted 4.9.131+ #50
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor2 D29896 32011 32010 0x00000000
ffff8801cb08df00 0000000000000000 ffff8801c579dd80 ffff8801cb08af80
ffff8801db621018 ffff88018d457c88 ffffffff827f3542 0000000000000000
ffff8801cb08e7b0 ffffed0039611cf5 00ff8801cb08df00 ffff8801db6218f0
Call Trace:
[<ffffffff827f4a6f>] schedule+0x7f/0x1b0 kernel/sched/core.c:3553
[<ffffffff827f53f3>] schedule_preempt_disabled+0x13/0x20
kernel/sched/core.c:3586
[<ffffffff827f746d>] __mutex_lock_common kernel/locking/mutex.c:582
[inline]
[<ffffffff827f746d>] mutex_lock_nested+0x38d/0x900
kernel/locking/mutex.c:621
[<ffffffff815269e0>] __pipe_lock fs/pipe.c:87 [inline]
[<ffffffff815269e0>] pipe_release+0x50/0x250 fs/pipe.c:568
[<ffffffff815103c3>] __fput+0x263/0x700 fs/file_table.c:208
[<ffffffff815108e5>] ____fput+0x15/0x20 fs/file_table.c:244
[<ffffffff8113da0c>] task_work_run+0x10c/0x180 kernel/task_work.c:116
[<ffffffff81003e49>] tracehook_notify_resume include/linux/tracehook.h:191
[inline]
[<ffffffff81003e49>] exit_to_usermode_loop+0x129/0x150
arch/x86/entry/common.c:162
[<ffffffff81005932>] prepare_exit_to_usermode arch/x86/entry/common.c:194
[inline]
[<ffffffff81005932>] syscall_return_slowpath arch/x86/entry/common.c:263
[inline]
[<ffffffff81005932>] do_syscall_64+0x3e2/0x550 arch/x86/entry/common.c:290
[<ffffffff828037d3>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb

Showing all locks held in the system:
2 locks held by khungtaskd/24:
#0: (rcu_read_lock){......}, at: [<ffffffff8131bbcc>]
check_hung_uninterruptible_tasks kernel/hung_task.c:168 [inline]
#0: (rcu_read_lock){......}, at: [<ffffffff8131bbcc>]
watchdog+0x11c/0xa20 kernel/hung_task.c:239
#1: (tasklist_lock){.+.?..}, at: [<ffffffff813fe394>]
debug_show_all_locks+0x79/0x218 kernel/locking/lockdep.c:4336
2 locks held by getty/2025:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82801892>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
#1: (&ldata->atomic_read_lock){+.+...}, at: [<ffffffff81d2b2b2>]
n_tty_read+0x202/0x16e0 drivers/tty/n_tty.c:2142
1 lock held by syz-executor2/32010:
#0: (&pipe->mutex/1){+.+.+.}, at: [<ffffffff81523d4e>] pipe_lock_nested
fs/pipe.c:66 [inline]
#0: (&pipe->mutex/1){+.+.+.}, at: [<ffffffff81523d4e>]
pipe_lock+0x5e/0x70 fs/pipe.c:74
1 lock held by syz-executor2/32011:
#0: (&pipe->mutex/1){+.+.+.}, at: [<ffffffff815269e0>] __pipe_lock
fs/pipe.c:87 [inline]
#0: (&pipe->mutex/1){+.+.+.}, at: [<ffffffff815269e0>]
pipe_release+0x50/0x250 fs/pipe.c:568

=============================================

NMI backtrace for cpu 1
CPU: 1 PID: 24 Comm: khungtaskd Not tainted 4.9.131+ #50
ffff8801d9907d08 ffffffff81b37029 0000000000000000 0000000000000001
0000000000000001 0000000000000001 ffffffff81098450 ffff8801d9907d40
ffffffff81b42139 0000000000000001 0000000000000000 0000000000000003
Call Trace:
[<ffffffff81b37029>] __dump_stack lib/dump_stack.c:15 [inline]
[<ffffffff81b37029>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
[<ffffffff81b42139>] nmi_cpu_backtrace.cold.0+0x48/0x87
lib/nmi_backtrace.c:99
[<ffffffff81b420cc>] nmi_trigger_cpumask_backtrace+0x12c/0x151
lib/nmi_backtrace.c:60
[<ffffffff81098554>] arch_trigger_cpumask_backtrace+0x14/0x20
arch/x86/kernel/apic/hw_nmi.c:37
[<ffffffff8131c15d>] trigger_all_cpu_backtrace include/linux/nmi.h:58
[inline]
[<ffffffff8131c15d>] check_hung_task kernel/hung_task.c:125 [inline]
[<ffffffff8131c15d>] check_hung_uninterruptible_tasks
kernel/hung_task.c:182 [inline]
[<ffffffff8131c15d>] watchdog+0x6ad/0xa20 kernel/hung_task.c:239
[<ffffffff811429fd>] kthread+0x26d/0x300 kernel/kthread.c:211
[<ffffffff8280399c>] ret_from_fork+0x5c/0x70 arch/x86/entry/entry_64.S:373
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.9.131+ #50
task: ffffffff83029180 task.stack: ffffffff83000000
RIP: 0010:[<ffffffff8120cceb>] c [<ffffffff8120cceb>] __lock_release
kernel/locking/lockdep.c:3550 [inline]
RIP: 0010:[<ffffffff8120cceb>] c [<ffffffff8120cceb>]
lock_release+0x39b/0xc20 kernel/locking/lockdep.c:3775
RSP: 0018:ffff8801db607e88 EFLAGS: 00000046
RAX: 0000000000000003 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff83029a30 RDI: 0000000000000000
RBP: ffff8801db607f30 R08: ffffffff83029a50 R09: 0000000000000001
R10: 0000000000000000 R11: 0000000000000001 R12: dffffc0000000000
R13: ffffffff83029a30 R14: ffffffff83029a08 R15: ffffffff83029a52
FS: 0000000000000000(0000) GS:ffff8801db600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000c2f978 CR3: 00000001a912f000 CR4: 00000000001606b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
Stack:
093622b1e709bef8 c 0000000000000046 c ffffffff83029180 c 0000000000000000 c
0000000000000000 c 0000000000000002 c ffff8801db607f30 c 0000000000000046 c
0000000000000000 c ffffffff83029a28 c ffffffff83029a30 c 0000000000000046 c
Call Trace:
[<ffffffff8127c53f>] seqcount_lockdep_reader_access
include/linux/seqlock.h:81 [inline]
[<ffffffff8127c53f>] read_seqcount_begin include/linux/seqlock.h:163
[inline]
[<ffffffff8127c53f>] ktime_get+0x12f/0x1e0 kernel/time/timekeeping.c:757
[<ffffffff81296b0c>] tick_nohz_irq_enter kernel/time/tick-sched.c:1144
[inline]
[<ffffffff81296b0c>] tick_irq_enter+0xcc/0x220
kernel/time/tick-sched.c:1165
[<ffffffff810efb13>] irq_enter+0xb3/0xd0 kernel/softirq.c:349
[<ffffffff828065fa>] smp_reschedule_interrupt+0xa/0x90
arch/x86/kernel/smp.c:267
[<ffffffff828054ed>] reschedule_interrupt+0x9d/0xb0
arch/x86/entry/entry_64.S:671
<EOI> d [<ffffffff828023d6>] ? native_safe_halt+0x6/0x10
arch/x86/include/asm/irqflags.h:56
[<ffffffff82801935>] arch_safe_halt arch/x86/include/asm/paravirt.h:104
[inline]
[<ffffffff82801935>] default_idle+0x55/0x360 arch/x86/kernel/process.c:437
[<ffffffff81068910>] arch_cpu_idle+0x10/0x20 arch/x86/kernel/process.c:428
[<ffffffff82802835>] default_idle_call+0x45/0x60 kernel/sched/idle.c:97
[<ffffffff811f0865>] cpuidle_idle_call kernel/sched/idle.c:155 [inline]
[<ffffffff811f0865>] cpu_idle_loop kernel/sched/idle.c:248 [inline]
[<ffffffff811f0865>] cpu_startup_entry+0x2b5/0x380 kernel/sched/idle.c:303
[<ffffffff827f0e2c>] rest_init+0x183/0x189 init/main.c:409
[<ffffffff8341991b>] start_kernel+0x5fb/0x62f init/main.c:664
[<ffffffff8341829a>] x86_64_start_reservations+0x29/0x2b
arch/x86/kernel/head64.c:196
[<ffffffff834183d6>] x86_64_start_kernel+0x13a/0x15d
arch/x86/kernel/head64.c:177
Code: c03 c0f cb6 c04 c02 c84 cc0 c74 c0f c3c c03 c7f c0b c89
c4d cc0 ce8 cfb c63 c2e c00 c8b c4d cc0 c66 c41 c83 c6d c22
c10 c66 c41 cf7 c45 c22 cf0 cff c0f c85 c71 c01 c00 c00
c<48> cb8 c00 c00 c00 c00 c00 cfc cff cdf c48 c8b c55 ca0
c48 cc1 cea c03 c0f cb6 c04 c


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Jul 14, 2019, 4:38:04 PM
to syzkaller-a...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.