INFO: task hung in SyS_io_destroy

syzbot

Sep 9, 2019, 9:25:12 AM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 62872f95 Merge 4.4.174 into android-4.4
git tree: android-4.4
console output: https://syzkaller.appspot.com/x/log.txt?x=11f7fee6600000
kernel config: https://syzkaller.appspot.com/x/.config?x=47bc4dd423780c4a
dashboard link: https://syzkaller.appspot.com/bug?extid=97953a48665489148dcc
compiler: gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+97953a...@syzkaller.appspotmail.com

INFO: task syz-executor.0:10096 blocked for more than 140 seconds.
Not tainted 4.4.174+ #4
audit_printk_skb: 9 callbacks suppressed
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
audit: type=1400 audit(1568031891.643:900): avc: denied { create } for
pid=17088 comm="syz-executor.4"
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tclass=netlink_generic_socket permissive=1
syz-executor.0 D ffff8800a4a9fb90 30160 10096 10095 0x00000000
ffff8800a4a9fb90 ffffffff811ff385 0000000000000296 ffffffff8406cc08
ffff8800a4a9fb40 0000000000000200 ffff8801db61f180 ffff8801db61f1a8
ffff8801db61e898 ffff8800ba084740 ffff8800a5f90000 ffffed0014953001
audit: type=1400 audit(1568031891.873:901): avc: denied { write } for
pid=17088 comm="syz-executor.4"
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tclass=netlink_generic_socket permissive=1

Call Trace:
[<ffffffff82709b79>] schedule+0x99/0x1d0 kernel/sched/core.c:3355
[<ffffffff82715c4b>] schedule_timeout+0x47b/0x7c0 kernel/time/timer.c:1515
[<ffffffff8270b455>] do_wait_for_common kernel/sched/completion.c:75
[inline]
[<ffffffff8270b455>] __wait_for_common kernel/sched/completion.c:93
[inline]
[<ffffffff8270b455>] wait_for_common+0x2b5/0x530
kernel/sched/completion.c:101
[<ffffffff8270b6e8>] wait_for_completion+0x18/0x20
kernel/sched/completion.c:122
[<ffffffff81583bb1>] SYSC_io_destroy fs/aio.c:1396 [inline]
[<ffffffff81583bb1>] SyS_io_destroy+0x2c1/0x350 fs/aio.c:1374
[<ffffffff82718ba1>] entry_SYSCALL_64_fastpath+0x1e/0x9a
audit: type=1400 audit(1568031892.253:902): avc: denied { read } for
pid=17088 comm="syz-executor.4"
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tclass=netlink_generic_socket permissive=1
audit: type=1400 audit(1568031892.353:903): avc: denied { create } for
pid=17088 comm="syz-executor.4"
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tclass=netlink_generic_socket permissive=1
no locks held by syz-executor.0/10096.
Sending NMI to all CPUs:
NMI backtrace for cpu 0
CPU: 0 PID: 2113 Comm: syz-executor.1 Not tainted 4.4.174+ #4
task: ffff8801d54e4740 task.stack: ffff8801c0a88000
RIP: 0010:[<ffffffff812002a2>] [<ffffffff812002a2>] validate_chain
kernel/locking/lockdep.c:2149 [inline]
RIP: 0010:[<ffffffff812002a2>] [<ffffffff812002a2>]
__lock_acquire+0xcf2/0x4f50 kernel/locking/lockdep.c:3213
RSP: 0018:ffff8801c0a8f790 EFLAGS: 00000806
RAX: dffffc0000000000 RBX: 00000001a403a04b RCX: 0000000000000001
RDX: 0000000000000004 RSI: ffff8801d54e5008 RDI: ffff8801d54e5079
RBP: ffff8801c0a8f908 R08: 0000000000000002 R09: ffff8801d54e5078
R10: ffffffff82836880 R11: 0000000000000000 R12: ffff8801d54e4740
R13: ffff8801d54e5058 R14: 0000000000000000 R15: 0000000000000000
FS: 00000000027b3940(0063) GS:ffff8801db600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f7d8ea42000 CR3: 00000001c09e0000 CR4: 00000000001606b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
0000000000000000 0000000000000000 ffff8801c0a8f930 ffffffff811fffff
0000000000000040 0000000000000000 ffff8801c0a8f950 0000000000000046
ffff8801d54e5070 ffff8801d54e5000 ffff8801d54e5078 0000000000000001
audit: type=1400 audit(1568031892.623:904): avc: denied { create } for
pid=17122 comm="syz-executor.3"
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tclass=netlink_netfilter_socket permissive=1
audit: type=1400 audit(1568031892.643:905): avc: denied { write } for
pid=17122 comm="syz-executor.3" path="socket:[56935]" dev="sockfs"
ino=56935 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tclass=netlink_netfilter_socket permissive=1
audit: type=1400 audit(1568031892.643:906): avc: denied { write } for
pid=17122 comm="syz-executor.3"
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tclass=netlink_netfilter_socket permissive=1
Call Trace:
[<ffffffff81205f6e>] lock_acquire+0x15e/0x450 kernel/locking/lockdep.c:3592
[<ffffffff827186b1>] __raw_spin_trylock
include/linux/spinlock_api_smp.h:92 [inline]
[<ffffffff827186b1>] _raw_spin_trylock kernel/locking/spinlock.c:135
[inline]
[<ffffffff827186b1>] _raw_spin_trylock+0x71/0x90
kernel/locking/spinlock.c:133
[<ffffffff8195346b>] avc_reclaim_node security/selinux/avc.c:526 [inline]
[<ffffffff8195346b>] avc_alloc_node security/selinux/avc.c:559 [inline]
[<ffffffff8195346b>] avc_alloc_node+0x12b/0x3c0 security/selinux/avc.c:547
[<ffffffff81954992>] avc_insert security/selinux/avc.c:670 [inline]
[<ffffffff81954992>] avc_compute_av+0x182/0x610 security/selinux/avc.c:976
[<ffffffff819566e5>] avc_has_perm_noaudit security/selinux/avc.c:1112
[inline]
[<ffffffff819566e5>] avc_has_perm+0x355/0x3a0 security/selinux/avc.c:1146
[<ffffffff819633a0>] task_has_perm+0x200/0x330
security/selinux/hooks.c:1525
[<ffffffff819634f4>] selinux_task_wait+0x24/0x30
security/selinux/hooks.c:3763
[<ffffffff8194fcc3>] security_task_wait+0x73/0xb0 security/security.c:993
[<ffffffff810db16b>] wait_consider_task+0x28b/0x35b0 kernel/exit.c:1334
[<ffffffff810de7e0>] do_wait_thread kernel/exit.c:1447 [inline]
[<ffffffff810de7e0>] do_wait+0x350/0xa00 kernel/exit.c:1518
[<ffffffff810df714>] SYSC_wait4 kernel/exit.c:1649 [inline]
[<ffffffff810df714>] SyS_wait4+0x144/0x210 kernel/exit.c:1614
[<ffffffff82718ba1>] entry_SYSCALL_64_fastpath+0x1e/0x9a
Code: 45 20 25 00 80 04 00 3d 00 00 04 00 0f 84 39 04 00 00 48 c7 c2 c0 8b
fb 82 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 0f b6 14 02 <48> c7 c0 c0
8b fb 82 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85
NMI backtrace for cpu 1
CPU: 1 PID: 20 Comm: khungtaskd Not tainted 4.4.174+ #4
task: ffff8801da6c2f80 task.stack: ffff8800001e8000
RIP: 0010:[<ffffffff8109b617>] [<ffffffff8109b617>] _flat_send_IPI_mask
arch/x86/kernel/apic/apic_flat_64.c:62 [inline]
RIP: 0010:[<ffffffff8109b617>] [<ffffffff8109b617>]
flat_send_IPI_mask+0xf7/0x1b0 arch/x86/kernel/apic/apic_flat_64.c:69
RSP: 0018:ffff8800001efc88 EFLAGS: 00000046
RAX: 0000000000000000 RBX: 0000000000000c00 RCX: 0000000000000000
RDX: 0000000000000c00 RSI: 0000000000000000 RDI: ffffffffff5fc300
RBP: ffff8800001efcb8 R08: 0000000000000018 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000246
R13: 0000000003000000 R14: ffffffff82e5f2e0 R15: 0000000000000002
FS: 0000000000000000(0000) GS:ffff8801db700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000001ede978 CR3: 00000000b934b000 CR4: 00000000001606b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
0000000000000001 ffffffff82e5f2e0 ffffffff831a6ac0 fffffbfff0634c34
000000000001b6c0 0000000000000008 ffff8800001efcd8 ffffffff81092bee
0000000000000008 ffffffff82924260 ffff8800001efd30 ffffffff81ab8252
Call Trace:
[<ffffffff81092bee>] nmi_raise_cpu_backtrace+0x5e/0x80
arch/x86/kernel/apic/hw_nmi.c:33
[<ffffffff81ab8252>] nmi_trigger_all_cpu_backtrace.cold+0xa1/0xae
lib/nmi_backtrace.c:85
[<ffffffff81092ca4>] arch_trigger_all_cpu_backtrace+0x14/0x20
arch/x86/kernel/apic/hw_nmi.c:38
[<ffffffff813b4762>] trigger_all_cpu_backtrace include/linux/nmi.h:44
[inline]
[<ffffffff813b4762>] check_hung_task kernel/hung_task.c:125 [inline]
[<ffffffff813b4762>] check_hung_uninterruptible_tasks
kernel/hung_task.c:182 [inline]
[<ffffffff813b4762>] watchdog.cold+0xd3/0xee kernel/hung_task.c:238
[<ffffffff811342c3>] kthread+0x273/0x310 kernel/kthread.c:211
[<ffffffff82718fc5>] ret_from_fork+0x55/0x80 arch/x86/entry/entry_64.S:537
Code: 00 c3 5f ff 80 e6 10 75 e1 41 c1 e5 18 44 89 2c 25 10 c3 5f ff 44 89
fa 09 da 80 cf 04 41 83 ff 02 0f 44 d3 89 14 25 00 c3 5f ff <41> f7 c4 00
02 00 00 75 1e 4c 89 e7 57 9d 0f 1f 44 00 00 e8 f1


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Sep 9, 2019, 9:26:12 AM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 8fe42840 Merge 4.9.141 into android-4.9
git tree: android-4.9
console output: https://syzkaller.appspot.com/x/log.txt?x=139bd5c1600000
kernel config: https://syzkaller.appspot.com/x/.config?x=22a5ba9f73b6da1d
dashboard link: https://syzkaller.appspot.com/bug?extid=e02134477c158428c7ba
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
userspace arch: i386

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+e02134...@syzkaller.appspotmail.com

INFO: task syz-executor.3:16091 blocked for more than 140 seconds.
Not tainted 4.9.141+ #23
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor.3 D29816 16091 16088 0x20020000
ffff8801c533df00 ffff8801ce0f3700 ffff8801ce0f5280 ffff8801d1cac740
ffff8801db621018 ffff8801c8767b80 ffffffff828075c2 ffffffff842cf948
ffffffff83ce1880 ffff8801c533e7d8 00000000000061b2 ffff8801db6218f0
Call Trace:
[<ffffffff82808aef>] schedule+0x7f/0x1b0 kernel/sched/core.c:3553
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=769
sclass=netlink_route_socket pig=24092 comm=syz-executor.5
[<ffffffff828142d5>] schedule_timeout+0x735/0xe20 kernel/time/timer.c:1771
[<ffffffff8280a63f>] do_wait_for_common kernel/sched/completion.c:75
[inline]
[<ffffffff8280a63f>] __wait_for_common kernel/sched/completion.c:93
[inline]
[<ffffffff8280a63f>] wait_for_common+0x3ef/0x5d0
kernel/sched/completion.c:101
futex_wake_op: syz-executor.5 tries to shift op by 1024; fix this program
[<ffffffff8280a838>] wait_for_completion+0x18/0x20
kernel/sched/completion.c:122
[<ffffffff815ff490>] SYSC_io_destroy fs/aio.c:1414 [inline]
[<ffffffff815ff490>] SyS_io_destroy+0x2c0/0x340 fs/aio.c:1392
[<ffffffff81006311>] do_syscall_32_irqs_on arch/x86/entry/common.c:328
[inline]
[<ffffffff81006311>] do_fast_syscall_32+0x2f1/0xa10
arch/x86/entry/common.c:390
[<ffffffff82818de0>] entry_SYSENTER_compat+0x90/0xa2
arch/x86/entry/entry_64_compat.S:137

Showing all locks held in the system:
2 locks held by kworker/0:1/23:
#0: ("events"){.+.+.+}, at: [<ffffffff81130f0c>]
process_one_work+0x73c/0x15f0 kernel/workqueue.c:2085
#1: ((&rew.rew_work)){+.+...}, at: [<ffffffff81130f44>]
process_one_work+0x774/0x15f0 kernel/workqueue.c:2089
2 locks held by khungtaskd/24:
#0: (rcu_read_lock){......}, at: [<ffffffff8131c0cc>]
check_hung_uninterruptible_tasks kernel/hung_task.c:168 [inline]
#0: (rcu_read_lock){......}, at: [<ffffffff8131c0cc>]
watchdog+0x11c/0xa20 kernel/hung_task.c:239
#1: (tasklist_lock){.+.+..}, at: [<ffffffff813fe63f>]
debug_show_all_locks+0x79/0x218 kernel/locking/lockdep.c:4336
2 locks held by getty/2025:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82815952>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
#1: (&ldata->atomic_read_lock){+.+...}, at: [<ffffffff81d37362>]
n_tty_read+0x202/0x16e0 drivers/tty/n_tty.c:2142
4 locks held by kworker/u4:8/16249:
#0: ("%s""netns"){.+.+.+}, at: [<ffffffff81130f0c>]
process_one_work+0x73c/0x15f0 kernel/workqueue.c:2085
#1: (net_cleanup_work){+.+.+.}, at: [<ffffffff81130f44>]
process_one_work+0x774/0x15f0 kernel/workqueue.c:2089
#2: (net_mutex){+.+.+.}, at: [<ffffffff822e681f>] cleanup_net+0x13f/0x8b0
net/core/net_namespace.c:439
#3: (rcu_preempt_state.barrier_mutex){+.+...}, at: [<ffffffff8124b1fd>]
_rcu_barrier+0x5d/0x340 kernel/rcu/tree.c:3637
1 lock held by syz-executor.0/24101:
#0: (rtnl_mutex){+.+.+.}, at: [<ffffffff823412d7>] rtnl_lock+0x17/0x20
net/core/rtnetlink.c:70
1 lock held by syz-executor.0/24105:
#0: (rtnl_mutex){+.+.+.}, at: [<ffffffff823412d7>] rtnl_lock+0x17/0x20
net/core/rtnetlink.c:70
2 locks held by syz-executor.3/24094:
#0: (rtnl_mutex){+.+.+.}, at: [<ffffffff823412d7>] rtnl_lock+0x17/0x20
net/core/rtnetlink.c:70
#1: (rcu_preempt_state.exp_mutex){+.+...}, at: [<ffffffff8124a749>]
exp_funnel_lock kernel/rcu/tree_exp.h:256 [inline]
#1: (rcu_preempt_state.exp_mutex){+.+...}, at: [<ffffffff8124a749>]
_synchronize_rcu_expedited+0x339/0x840 kernel/rcu/tree_exp.h:569
2 locks held by syz-executor.5/24108:
#0: (sb_writers#4){.+.+.+}, at: [<ffffffff815012ee>] sb_start_write
include/linux/fs.h:1573 [inline]
#0: (sb_writers#4){.+.+.+}, at: [<ffffffff815012ee>]
vfs_fallocate+0x2fe/0x620 fs/open.c:328
#1: (&sb->s_type->i_mutex_key#9){++++++}, at: [<ffffffff8178a55b>]
inode_lock include/linux/fs.h:766 [inline]
#1: (&sb->s_type->i_mutex_key#9){++++++}, at: [<ffffffff8178a55b>]
ext4_fallocate+0x1eb/0x1e80 fs/ext4/extents.c:4974

=============================================

NMI backtrace for cpu 1
CPU: 1 PID: 24 Comm: khungtaskd Not tainted 4.9.141+ #23
ffff8801d9907d08 ffffffff81b42e79 0000000000000000 0000000000000001
0000000000000001 0000000000000001 ffffffff810983b0 ffff8801d9907d40
ffffffff81b4df89 0000000000000001 0000000000000000 0000000000000003
Call Trace:
[<ffffffff81b42e79>] __dump_stack lib/dump_stack.c:15 [inline]
[<ffffffff81b42e79>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
[<ffffffff81b4df89>] nmi_cpu_backtrace.cold.0+0x48/0x87
lib/nmi_backtrace.c:99
[<ffffffff81b4df1c>] nmi_trigger_cpumask_backtrace+0x12c/0x151
lib/nmi_backtrace.c:60
[<ffffffff810984b4>] arch_trigger_cpumask_backtrace+0x14/0x20
arch/x86/kernel/apic/hw_nmi.c:37
[<ffffffff8131c65d>] trigger_all_cpu_backtrace include/linux/nmi.h:58
[inline]
[<ffffffff8131c65d>] check_hung_task kernel/hung_task.c:125 [inline]
[<ffffffff8131c65d>] check_hung_uninterruptible_tasks
kernel/hung_task.c:182 [inline]
[<ffffffff8131c65d>] watchdog+0x6ad/0xa20 kernel/hung_task.c:239
[<ffffffff81142c3d>] kthread+0x26d/0x300 kernel/kthread.c:211
[<ffffffff82817a5c>] ret_from_fork+0x5c/0x70 arch/x86/entry/entry_64.S:373
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 PID: 2092 Comm: syz-executor.3 Not tainted 4.9.141+ #23
task: ffff8801ceac17c0 task.stack: ffff8801aba20000
RIP: 0010:[<ffffffff8131ba71>] c [<ffffffff8131ba71>] preempt_count
arch/x86/include/asm/preempt.h:22 [inline]
RIP: 0010:[<ffffffff8131ba71>] c [<ffffffff8131ba71>] check_kcov_mode
kernel/kcov.c:66 [inline]
RIP: 0010:[<ffffffff8131ba71>] c [<ffffffff8131ba71>]
__sanitizer_cov_trace_pc+0x11/0x50 kernel/kcov.c:100
RSP: 0018:ffff8801aba27848 EFLAGS: 00000296
RAX: ffff8801ceac17c0 RBX: ffff8801c8e112d8 RCX: 1ffffffff05cec80
RDX: 0000000000000000 RSI: ffffffff819e980c RDI: ffffffff84235e58
RBP: ffff8801aba27848 R08: ffff8801ceac20b8 R09: d8a1064c1ba25689
R10: ffff8801ceac17c0 R11: 0000000000000001 R12: dffffc0000000000
R13: 00000000000000cf R14: 0000000000000002 R15: 00000000000000cf
FS: 0000000000000000(0000) GS:ffff8801db600000(0063) knlGS:00000000088ca900
CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 00000000f5519db0 CR3: 00000001ab881000 CR4: 00000000001606b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
ffff8801aba27880 c ffffffff819e980c c 1ffff10035744f18 c 0000000000000004 c
ffff8801aba27980 c 0000000000000002 c ffff8801aba27c98 c ffff8801aba279a8 c
ffffffff819edabe c ffffffff819eda5e c ffffffff81ba7d7b c ffff8801ceac203c c
Call Trace:
[<ffffffff819e980c>] avc_search_node security/selinux/avc.c:582 [inline]
[<ffffffff819e980c>] avc_lookup+0xcc/0x190 security/selinux/avc.c:610
[<ffffffff819edabe>] avc_has_perm_noaudit security/selinux/avc.c:1110
[inline]
[<ffffffff819edabe>] avc_has_perm+0xfe/0x3a0 security/selinux/avc.c:1146
[<ffffffff819f7f2c>] task_has_perm+0x1fc/0x330
security/selinux/hooks.c:1615
[<ffffffff819f8083>] selinux_task_wait+0x23/0x30
security/selinux/hooks.c:3954
[<ffffffff819e6e73>] security_task_wait+0x73/0xb0 security/security.c:1032
[<ffffffff810e91f1>] wait_consider_task+0x2a1/0x3620 kernel/exit.c:1377
[<ffffffff810ec993>] do_wait_thread kernel/exit.c:1490 [inline]
[<ffffffff810ec993>] do_wait+0x423/0x950 kernel/exit.c:1561
[<ffffffff810eda0b>] SYSC_wait4 kernel/exit.c:1693 [inline]
[<ffffffff810eda0b>] SyS_wait4+0x12b/0x1f0 kernel/exit.c:1658
[<ffffffff812bf054>] C_SYSC_wait4 kernel/compat.c:543 [inline]
[<ffffffff812bf054>] compat_SyS_wait4+0x254/0x290 kernel/compat.c:536
[<ffffffff810c6305>] sys32_waitpid+0x25/0x30 arch/x86/ia32/sys_ia32.c:172
[<ffffffff81006311>] do_syscall_32_irqs_on arch/x86/entry/common.c:328
[inline]
[<ffffffff81006311>] do_fast_syscall_32+0x2f1/0xa10
arch/x86/entry/common.c:390
[<ffffffff82818de0>] entry_SYSENTER_compat+0x90/0xa2
arch/x86/entry/entry_64_compat.S:137
Code: ce8 c15 c76 c1d c00 ce9 c9e cfe cff cff c4c c89 ce7 ce8
c08 c76 c1d c00 ce9 c23 cfe cff cff c0f c1f c00 c55 c48 c89
ce5 c48 c8b c75 c08 c65 c48 c8b c04 c25 c00 c7e c01 c00
c<65> c8b c15 c18 cc3 ccf c7e c81 ce2 c00 c01 c1f c00 c75
c2b c8b c90 c38 c12 c00 c00 c
futex_wake_op: syz-executor.5 tries to shift op by 1024; fix this program

syzbot

Sep 9, 2019, 4:53:06 PM
to syzkaller-a...@googlegroups.com
syzbot has found a reproducer for the following crash on:

HEAD commit: 62872f95 Merge 4.4.174 into android-4.4
git tree: android-4.4
console output: https://syzkaller.appspot.com/x/log.txt?x=15e92cf6600000
kernel config: https://syzkaller.appspot.com/x/.config?x=47bc4dd423780c4a
dashboard link: https://syzkaller.appspot.com/bug?extid=97953a48665489148dcc
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
userspace arch: i386
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14e87b71600000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+97953a...@syzkaller.appspotmail.com

INFO: task syz-executor.4:4663 blocked for more than 140 seconds.
Not tainted 4.4.174+ #17
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor.4 D ffff8800b37a7b10 30048 4663 4658 0x20020000
ffff8800b37a7b10 ffffffff811ff385 0000000000000292 ffffffff840b1908
ffff8800b37a7ac0 0000000000000200 ffff8801db61f180 ffff8801db61f1a8
ffff8801db61e898 ffff8801cd7c2f80 ffff8801cd7c4740 ffffed00166f4001
Call Trace:
[<ffffffff82709b79>] schedule+0x99/0x1d0 kernel/sched/core.c:3355
[<ffffffff82715c4b>] schedule_timeout+0x47b/0x7c0 kernel/time/timer.c:1515
[<ffffffff8270b455>] do_wait_for_common kernel/sched/completion.c:75
[inline]
[<ffffffff8270b455>] __wait_for_common kernel/sched/completion.c:93
[inline]
[<ffffffff8270b455>] wait_for_common+0x2b5/0x530
kernel/sched/completion.c:101
[<ffffffff8270b6e8>] wait_for_completion+0x18/0x20
kernel/sched/completion.c:122
[<ffffffff81583bb1>] SYSC_io_destroy fs/aio.c:1396 [inline]
[<ffffffff81583bb1>] SyS_io_destroy+0x2c1/0x350 fs/aio.c:1374
[<ffffffff8100603d>] do_syscall_32_irqs_on arch/x86/entry/common.c:330
[inline]
[<ffffffff8100603d>] do_fast_syscall_32+0x32d/0xa90
arch/x86/entry/common.c:397
[<ffffffff8271a350>] sysenter_flags_fixed+0xd/0x1a
no locks held by syz-executor.4/4663.
Sending NMI to all CPUs:
NMI backtrace for cpu 0
CPU: 0 PID: 20 Comm: khungtaskd Not tainted 4.4.174+ #17
task: ffff8801da6f4740 task.stack: ffff8800001d0000
RIP: 0010:[<ffffffff8109b617>] [<ffffffff8109b617>] _flat_send_IPI_mask
arch/x86/kernel/apic/apic_flat_64.c:62 [inline]
RIP: 0010:[<ffffffff8109b617>] [<ffffffff8109b617>]
flat_send_IPI_mask+0xf7/0x1b0 arch/x86/kernel/apic/apic_flat_64.c:69
RSP: 0018:ffff8800001d7c88 EFLAGS: 00000046
RAX: 0000000000000000 RBX: 0000000000000c00 RCX: 0000000000000000
RDX: 0000000000000c00 RSI: 0000000000000000 RDI: ffffffffff5fc300
RBP: ffff8800001d7cb8 R08: 0000000000000018 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000246
R13: 0000000003000000 R14: ffffffff82e5f2e0 R15: 0000000000000002
FS: 0000000000000000(0000) GS:ffff8801db600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000f77c9168 CR3: 00000000b4ab6000 CR4: 00000000001606b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
0000000000000001 ffffffff82e5f2e0 ffffffff831a6ac0 fffffbfff0634c34
000000000001b6c0 0000000000000008 ffff8800001d7cd8 ffffffff81092bee
0000000000000008 ffffffff82924260 ffff8800001d7d30 ffffffff81ab8252
Call Trace:
[<ffffffff81092bee>] nmi_raise_cpu_backtrace+0x5e/0x80
arch/x86/kernel/apic/hw_nmi.c:33
[<ffffffff81ab8252>] nmi_trigger_all_cpu_backtrace.cold+0xa1/0xae
lib/nmi_backtrace.c:85
[<ffffffff81092ca4>] arch_trigger_all_cpu_backtrace+0x14/0x20
arch/x86/kernel/apic/hw_nmi.c:38
[<ffffffff813b4762>] trigger_all_cpu_backtrace include/linux/nmi.h:44
[inline]
[<ffffffff813b4762>] check_hung_task kernel/hung_task.c:125 [inline]
[<ffffffff813b4762>] check_hung_uninterruptible_tasks
kernel/hung_task.c:182 [inline]
[<ffffffff813b4762>] watchdog.cold+0xd3/0xee kernel/hung_task.c:238
[<ffffffff811342c3>] kthread+0x273/0x310 kernel/kthread.c:211
[<ffffffff82718fc5>] ret_from_fork+0x55/0x80 arch/x86/entry/entry_64.S:537
Code: 00 c3 5f ff 80 e6 10 75 e1 41 c1 e5 18 44 89 2c 25 10 c3 5f ff 44 89
fa 09 da 80 cf 04 41 83 ff 02 0f 44 d3 89 14 25 00 c3 5f ff <41> f7 c4 00
02 00 00 75 1e 4c 89 e7 57 9d 0f 1f 44 00 00 e8 f1
NMI backtrace for cpu 1
CPU: 1 PID: 1926 Comm: rsyslogd Not tainted 4.4.174+ #17
task: ffff8801d69a5f00 task.stack: ffff8800b9390000
RIP: 0010:[<ffffffff81309616>] [<ffffffff81309616>]
__sanitizer_cov_trace_pc+0x26/0x50 kernel/kcov.c:100
RSP: 0018:ffff8800b9397810 EFLAGS: 00000046
RAX: ffff8801d69a5f00 RBX: ffff8801d85ffa85 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff81ad2209 RDI: ffffffff82925936
RBP: ffff8800b9397810 R08: 000000000000000a R09: 0000000000000005
R10: ffffed003b0bff50 R11: ffff8801d85ffa83 R12: 0000000000000004
R13: ffff8801d85ffa85 R14: 0000000000000000 R15: 00000000fffffffe
FS: 00007f1280882700(0000) GS:ffff8801db700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000008148008 CR3: 00000001d7d1d000 CR4: 00000000001606b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
ffff8800b9397920 ffffffff81ad2209 ffffffff81012bc3 ffff8800b9397860
ffff8800b9397868 ffffffff81aca3ed 1ffff10017272f0f 00000004003979a8
0a000001003978f8 0000000000000462 ffffffff00000003 fffffffe00000000
Call Trace:
[<ffffffff81ad2209>] number.isra.0+0x409/0x9a0 lib/vsprintf.c:460
[<ffffffff81ad51b5>] vsnprintf+0x245/0x18a0 lib/vsprintf.c:1970
[<ffffffff81ad6b90>] sprintf+0xc0/0x100 lib/vsprintf.c:2106
[<ffffffff8121d76a>] print_time kernel/printk/printk.c:1061 [inline]
[<ffffffff8121d76a>] print_time kernel/printk/printk.c:1049 [inline]
[<ffffffff8121d76a>] print_prefix+0x28a/0x2e0 kernel/printk/printk.c:1084
[<ffffffff8121da00>] msg_print_text+0x240/0x2d0 kernel/printk/printk.c:1126
[<ffffffff8121f218>] syslog_print kernel/printk/printk.c:1176 [inline]
[<ffffffff8121f218>] do_syslog kernel/printk/printk.c:1336 [inline]
[<ffffffff8121f218>] do_syslog+0x7f8/0xaf0 kernel/printk/printk.c:1306
[<ffffffff81608274>] kmsg_read+0x74/0xa0 fs/proc/kmsg.c:39
[<ffffffff815e03bd>] proc_reg_read+0xfd/0x180 fs/proc/inode.c:202
[<ffffffff81496556>] __vfs_read+0x116/0x3c0 fs/read_write.c:434
[<ffffffff81498264>] vfs_read+0x134/0x360 fs/read_write.c:456
[<ffffffff8149aa8c>] SYSC_read fs/read_write.c:571 [inline]
[<ffffffff8149aa8c>] SyS_read+0xdc/0x1c0 fs/read_write.c:564
[<ffffffff82718ba1>] entry_SYSCALL_64_fastpath+0x1e/0x9a
Code: fe ff ff 66 90 55 48 89 e5 48 8b 75 08 65 48 8b 04 25 80 67 01 00 65
8b 15 08 d1 d0 7e 81 e2 00 01 1f 00 75 2b 8b 90 50 12 00 00 <83> fa 02 75
20 48 8b 88 58 12 00 00 8b 80 54 12 00 00 48 8b 11

syzbot

Sep 9, 2019, 4:56:09 PM
to syzkaller-a...@googlegroups.com
syzbot has found a reproducer for the following crash on:

HEAD commit: 62872f95 Merge 4.4.174 into android-4.4
git tree: android-4.4
console output: https://syzkaller.appspot.com/x/log.txt?x=114ff63a600000
kernel config: https://syzkaller.appspot.com/x/.config?x=47bc4dd423780c4a
dashboard link: https://syzkaller.appspot.com/bug?extid=97953a48665489148dcc
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=139e4c85600000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10bb5826600000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+97953a...@syzkaller.appspotmail.com

INFO: task syz-executor432:2242 blocked for more than 140 seconds.
Not tainted 4.4.174+ #4
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor432 D ffff8800b3b27b90 29816 2242 1 0x00000000
ffff8800b3b27b90 ffffffff811ff385 0000000000000296 ffffffff84126848
ffff8800b3b27b40 0000000000000200 ffff8801db71f180 ffff8801db71f1a8
ffff8801db71e898 ffff8801da6897c0 ffff8801d2508000 ffffed0016764001
Call Trace:
[<ffffffff82709b79>] schedule+0x99/0x1d0 kernel/sched/core.c:3355
[<ffffffff82715c4b>] schedule_timeout+0x47b/0x7c0 kernel/time/timer.c:1515
[<ffffffff8270b455>] do_wait_for_common kernel/sched/completion.c:75
[inline]
[<ffffffff8270b455>] __wait_for_common kernel/sched/completion.c:93
[inline]
[<ffffffff8270b455>] wait_for_common+0x2b5/0x530
kernel/sched/completion.c:101
[<ffffffff8270b6e8>] wait_for_completion+0x18/0x20
kernel/sched/completion.c:122
[<ffffffff81583bb1>] SYSC_io_destroy fs/aio.c:1396 [inline]
[<ffffffff81583bb1>] SyS_io_destroy+0x2c1/0x350 fs/aio.c:1374
[<ffffffff82718ba1>] entry_SYSCALL_64_fastpath+0x1e/0x9a
no locks held by syz-executor432/2242.
Sending NMI to all CPUs:
NMI backtrace for cpu 0
CPU: 0 PID: 2250 Comm: syz-executor432 Not tainted 4.4.174+ #4
task: ffff8801d1dac740 task.stack: ffff8801da7c0000
RIP: 0010:[<ffffffff8102e49f>] [<ffffffff8102e49f>]
save_stack_address+0x1f/0x30 arch/x86/kernel/stacktrace.c:38
RSP: 0000:ffff8801da7c7800 EFLAGS: 00000046
RAX: ffffffff8102e480 RBX: ffff8801da7c7dd0 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff81430941 RDI: ffff8801da7c7908
RBP: ffff8801da7c7850 R08: ffff8801da7c7908 R09: 0000000000000000
R10: ffff8801da7c7e28 R11: 0000000000000000 R12: 0000000000000000
R13: ffff8801da7c7908 R14: ffff8801da7c7ff8 R15: ffff8801da7c0000
FS: 000000000199a940(0063) GS:ffff8801db600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000001cc69a000 CR4: 00000000001606b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
ffffffff81013573 ffffffff81430941 ffff8801da7c7e28 ffff8801da7c7e28
ffffffff8280f0b0 ffff8801da7c7908 ffffffff8280f0b0 ffff8801da7c78a8
ffff8801db607fc0 0000000000000000 ffff8801da7c78e0 ffffffff81012bb9
Call Trace:
[<ffffffff81012bb9>] dump_trace+0x179/0x390
arch/x86/kernel/dumpstack_64.c:243
[<ffffffff8102e3c6>] save_stack_trace+0x26/0x50
arch/x86/kernel/stacktrace.c:63
[<ffffffff81483f22>] save_stack mm/kasan/kasan.c:512 [inline]
[<ffffffff81483f22>] set_track mm/kasan/kasan.c:524 [inline]
[<ffffffff81483f22>] kasan_kmalloc.part.0+0x62/0xf0 mm/kasan/kasan.c:616
[<ffffffff81484197>] kasan_kmalloc+0xb7/0xd0 mm/kasan/kasan.c:601
[<ffffffff8148475f>] kasan_slab_alloc+0xf/0x20 mm/kasan/kasan.c:554
[<ffffffff8147fe9c>] slab_post_alloc_hook mm/slub.c:1349 [inline]
[<ffffffff8147fe9c>] slab_alloc_node mm/slub.c:2615 [inline]
[<ffffffff8147fe9c>] slab_alloc mm/slub.c:2623 [inline]
[<ffffffff8147fe9c>] kmem_cache_alloc+0xdc/0x2c0 mm/slub.c:2628
[<ffffffff810f5c10>] __sigqueue_alloc+0x1e0/0x410 kernel/signal.c:380
[<ffffffff810fa012>] __send_signal+0x1b2/0x12a0 kernel/signal.c:1029
[<ffffffff810fb149>] send_signal+0x49/0xc0 kernel/signal.c:1096
[<ffffffff810fd0ea>] specific_send_sig_info kernel/signal.c:1141 [inline]
[<ffffffff810fd0ea>] force_sig_info+0x20a/0x310 kernel/signal.c:1189
[<ffffffff810a9760>] force_sig_info_fault.constprop.0+0xd0/0x110
arch/x86/mm/fault.c:187
[<ffffffff810aa1e5>] __bad_area_nosemaphore+0x225/0x3f0
arch/x86/mm/fault.c:805
[<ffffffff810aa456>] __bad_area arch/x86/mm/fault.c:835 [inline]
[<ffffffff810aa456>] bad_area+0x66/0x80 arch/x86/mm/fault.c:841
[<ffffffff810aad28>] __do_page_fault+0x568/0x7f0 arch/x86/mm/fault.c:1223
[<ffffffff810ab008>] do_page_fault+0x28/0x30 arch/x86/mm/fault.c:1306
[<ffffffff82719e35>] page_fault+0x25/0x30 arch/x86/entry/entry_64.S:1064
Code: 5b 41 5c 5d c3 0f 1f 80 00 00 00 00 85 d2 74 1b 8b 47 10 85 c0 7f 15
8b 07 3b 47 04 73 0d 48 8b 57 08 8d 48 01 89 0f 48 89 34 c2 <c3> 83 e8 01
89 47 10 c3 66 0f 1f 84 00 00 00 00 00 55 49 89 fa
NMI backtrace for cpu 1
CPU: 1 PID: 20 Comm: khungtaskd Not tainted 4.4.174+ #4
task: ffff8801da6f4740 task.stack: ffff8800001d0000
RIP: 0010:[<ffffffff8109b617>] [<ffffffff8109b617>] _flat_send_IPI_mask
arch/x86/kernel/apic/apic_flat_64.c:62 [inline]
RIP: 0010:[<ffffffff8109b617>] [<ffffffff8109b617>]
flat_send_IPI_mask+0xf7/0x1b0 arch/x86/kernel/apic/apic_flat_64.c:69
RSP: 0000:ffff8800001d7c88 EFLAGS: 00000046
RAX: 0000000000000000 RBX: 0000000000000c00 RCX: 0000000000000000
RDX: 0000000000000c00 RSI: 0000000000000000 RDI: ffffffffff5fc300
RBP: ffff8800001d7cb8 R08: 0000000000000018 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000246
R13: 0000000003000000 R14: ffffffff82e5f2e0 R15: 0000000000000002
FS: 0000000000000000(0000) GS:ffff8801db700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000000b0573000 CR4: 00000000001606b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
0000000000000001 ffffffff82e5f2e0 ffffffff831a6ac0 fffffbfff0634c34
000000000001b6c0 0000000000000008 ffff8800001d7cd8 ffffffff81092bee
0000000000000008 ffffffff82924260 ffff8800001d7d30 ffffffff81ab8252

syzbot

Sep 9, 2019, 7:21:06 PM
to syzkaller-a...@googlegroups.com
syzbot has found a reproducer for the following crash on:

HEAD commit: 8fe42840 Merge 4.9.141 into android-4.9
git tree: android-4.9
console output: https://syzkaller.appspot.com/x/log.txt?x=1617d399600000
kernel config: https://syzkaller.appspot.com/x/.config?x=22a5ba9f73b6da1d
dashboard link: https://syzkaller.appspot.com/bug?extid=e02134477c158428c7ba
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
userspace arch: i386
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=168f47e1600000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+e02134...@syzkaller.appspotmail.com

INFO: task syz-executor.1:3434 blocked for more than 140 seconds.
Not tainted 4.9.141+ #23
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor.1 D29816 3434 3432 0x20020000
ffff8801d06fdf00 0000000000000000 ffff8801d2f4f380 ffff8801da6b2f80
ffff8801db721018 ffff8801d13b7b80 ffffffff828075c2 ffffffff8432c608
ffffffff83cc61c0 ffff8801d06fe7d8 00000000000031cb ffff8801db7218f0
Call Trace:
[<ffffffff82808aef>] schedule+0x7f/0x1b0 kernel/sched/core.c:3553
[<ffffffff828142d5>] schedule_timeout+0x735/0xe20 kernel/time/timer.c:1771
[<ffffffff8280a63f>] do_wait_for_common kernel/sched/completion.c:75
[inline]
[<ffffffff8280a63f>] __wait_for_common kernel/sched/completion.c:93
[inline]
[<ffffffff8280a63f>] wait_for_common+0x3ef/0x5d0
kernel/sched/completion.c:101
[<ffffffff8280a838>] wait_for_completion+0x18/0x20
kernel/sched/completion.c:122
[<ffffffff815ff490>] SYSC_io_destroy fs/aio.c:1414 [inline]
[<ffffffff815ff490>] SyS_io_destroy+0x2c0/0x340 fs/aio.c:1392
[<ffffffff81006311>] do_syscall_32_irqs_on arch/x86/entry/common.c:328
[inline]
[<ffffffff81006311>] do_fast_syscall_32+0x2f1/0xa10
arch/x86/entry/common.c:390
[<ffffffff82818de0>] entry_SYSENTER_compat+0x90/0xa2
arch/x86/entry/entry_64_compat.S:137

Showing all locks held in the system:
2 locks held by khungtaskd/24:
#0: (rcu_read_lock){......}, at: [<ffffffff8131c0cc>]
check_hung_uninterruptible_tasks kernel/hung_task.c:168 [inline]
#0: (rcu_read_lock){......}, at: [<ffffffff8131c0cc>]
watchdog+0x11c/0xa20 kernel/hung_task.c:239
#1: (tasklist_lock){.+.+..}, at: [<ffffffff813fe63f>]
debug_show_all_locks+0x79/0x218 kernel/locking/lockdep.c:4336
2 locks held by getty/2020:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82815952>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
#1: (&ldata->atomic_read_lock){+.+...}, at: [<ffffffff81d37362>]
n_tty_read+0x202/0x16e0 drivers/tty/n_tty.c:2142
1 lock held by syz-executor.4/2297:
#0: (tasklist_lock){.+.+..}, at: [<ffffffff810e5158>]
release_task.part.4+0x148/0x14b0 kernel/exit.c:183
CPU: 0 PID: 2298 Comm: syz-executor.5 Not tainted 4.9.141+ #23
task: ffff8801c7815f00 task.stack: ffff8801cae48000
RIP: 0010:[<ffffffff810e9249>] c [<ffffffff810e9249>]
wait_consider_task+0x2f9/0x3620 kernel/exit.c:1401
RSP: 0018:ffff8801cae4fa30 EFLAGS: 00000246
RAX: 0000000000000000 RBX: ffff8801c5c64768 RCX: 0000000000000000
RDX: 1ffff10038b8c8ed RSI: ffffffff810e9220 RDI: 0000000000000246
RBP: ffff8801cae4fb88 R08: ffffed00395c9f1f R09: 0000000000000001
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: ffff8801c5c64740 R14: ffff8801cae4fc9c R15: ffff8801cae4fc98
FS: 0000000000000000(0000) GS:ffff8801db600000(0063) knlGS:000000000a363900
CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 00007fba78a3ef44 CR3: 00000001d4909000 CR4: 00000000001606b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
0000000000000000 c ffff8801c78167d2 c ffff8801cae4fc00 c 0000000000000046 c
ffff8801cae4fb08 c ffff8801c789f338 c ffff8801cae4fa70 c ffffffff81243c87 c
ffff8801cae4fb28 c 0000000000000046 c 0000000000000046 c ffff8801c7815f00 c
Call Trace:
[<ffffffff810ec993>] do_wait_thread kernel/exit.c:1490 [inline]
[<ffffffff810ec993>] do_wait+0x423/0x950 kernel/exit.c:1561
[<ffffffff810eda0b>] SYSC_wait4 kernel/exit.c:1693 [inline]
[<ffffffff810eda0b>] SyS_wait4+0x12b/0x1f0 kernel/exit.c:1658
[<ffffffff812bf054>] C_SYSC_wait4 kernel/compat.c:543 [inline]
[<ffffffff812bf054>] compat_SyS_wait4+0x254/0x290 kernel/compat.c:536
[<ffffffff810c6305>] sys32_waitpid+0x25/0x30 arch/x86/ia32/sys_ia32.c:172
[<ffffffff81006311>] do_syscall_32_irqs_on arch/x86/entry/common.c:328
[inline]
[<ffffffff81006311>] do_fast_syscall_32+0x2f1/0xa10
arch/x86/entry/common.c:390
[<ffffffff82818de0>] entry_SYSENTER_compat+0x90/0xa2
arch/x86/entry/entry_64_compat.S:137
Code: c23 c00 c49 c8d c5d c28 c48 cb8 c00 c00 c00 c00 c00 cfc
cff cdf c48 c89 cda c48 cc1 cea c03 c0f cb6 c04 c02 c84 cc0
c74 c08 c3c c03 c0f c8e c26 c14 c00 c00 c45 c8b c5d c28
c<45> c85 cdb c0f c85 c34 c15 c00 c00 ce8 c09 c28 c23 c00
c41 c83 cfc c20 c0f c84 c09 c
