INFO: task hung in do_exit
20 views
Skip to first unread message
syzbot
Apr 12, 2019, 8:01:17 PM4/12/19
to syzkaller-a...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: 666c420f FROMLIST: ANDROID: binder: Add BINDER_GET_NODE_IN..
git tree: android-4.14
console output: https://syzkaller.appspot.com/x/log.txt?x=11cfb766400000
kernel config: https://syzkaller.appspot.com/x/.config?x=89d929f317ea847c
dashboard link: https://syzkaller.appspot.com/bug?extid=0b5b0db3e86b8fad4ed7
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17610d11400000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+0b5b0d...@syzkaller.appspotmail.com
INFO: task syz-executor3:8706 blocked for more than 140 seconds.
Not tainted 4.14.71+ #8
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor3 D28424 8706 1856 0x80000000
Call Trace:
schedule+0x7f/0x1b0 kernel/sched/core.c:3490
__rwsem_down_read_failed_common kernel/locking/rwsem-xadd.c:269 [inline]
rwsem_down_read_failed+0x21a/0x3d0 kernel/locking/rwsem-xadd.c:286
call_rwsem_down_read_failed+0x14/0x30 arch/x86/lib/rwsem.S:94
__down_read arch/x86/include/asm/rwsem.h:66 [inline]
down_read+0x45/0xa0 kernel/locking/rwsem.c:26
exit_mm kernel/exit.c:510 [inline]
do_exit+0x512/0x2800 kernel/exit.c:852
do_group_exit+0x100/0x2e0 kernel/exit.c:968
SYSC_exit_group kernel/exit.c:979 [inline]
SyS_exit_group+0x19/0x20 kernel/exit.c:977
do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x457679
RSP: 002b:00007ffdfaf7c938 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 000000000000001e RCX: 0000000000457679
RDX: 0000000000411151 RSI: fffffffffffffff7 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffffffffffffffff R09: 0000000000068ea5
R10: 00000000000001e0 R11: 0000000000000246 R12: 000000000000000a
R13: 0000000000068ea5 R14: 00000000000000a5 R15: badc0ffeebadface
INFO: task syz-executor3:8708 blocked for more than 140 seconds.
Not tainted 4.14.71+ #8
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor3 D28320 8708 1856 0x80000000
Call Trace:
schedule+0x7f/0x1b0 kernel/sched/core.c:3490
__rwsem_down_read_failed_common kernel/locking/rwsem-xadd.c:269 [inline]
rwsem_down_read_failed+0x21a/0x3d0 kernel/locking/rwsem-xadd.c:286
call_rwsem_down_read_failed+0x14/0x30 arch/x86/lib/rwsem.S:94
__down_read arch/x86/include/asm/rwsem.h:66 [inline]
down_read+0x45/0xa0 kernel/locking/rwsem.c:26
exit_mm kernel/exit.c:510 [inline]
do_exit+0x512/0x2800 kernel/exit.c:852
do_group_exit+0x100/0x2e0 kernel/exit.c:968
get_signal+0x4e5/0x1470 kernel/signal.c:2348
do_signal+0x8f/0x1660 arch/x86/kernel/signal.c:809
exit_to_usermode_loop+0x116/0x150 arch/x86/entry/common.c:159
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:267 [inline]
do_syscall_64+0x35d/0x4b0 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x457679
RSP: 002b:00007f25a3d1fcf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 000000000072bf08 RCX: 0000000000457679
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 000000000072bf08
RBP: 000000000072bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000072bf0c
R13: 00007ffdfaf7c72f R14: 00007f25a3d209c0 R15: 0000000000000000
INFO: task syz-executor3:8713 blocked for more than 140 seconds.
Not tainted 4.14.71+ #8
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor3 D28024 8713 1856 0x80000000
Call Trace:
schedule+0x7f/0x1b0 kernel/sched/core.c:3490
__rwsem_down_read_failed_common kernel/locking/rwsem-xadd.c:269 [inline]
rwsem_down_read_failed+0x21a/0x3d0 kernel/locking/rwsem-xadd.c:286
call_rwsem_down_read_failed+0x14/0x30 arch/x86/lib/rwsem.S:94
__down_read arch/x86/include/asm/rwsem.h:66 [inline]
down_read+0x45/0xa0 kernel/locking/rwsem.c:26
exit_mm kernel/exit.c:510 [inline]
do_exit+0x512/0x2800 kernel/exit.c:852
do_group_exit+0x100/0x2e0 kernel/exit.c:968
get_signal+0x4e5/0x1470 kernel/signal.c:2348
do_signal+0x8f/0x1660 arch/x86/kernel/signal.c:809
exit_to_usermode_loop+0x116/0x150 arch/x86/entry/common.c:159
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:267 [inline]
do_syscall_64+0x35d/0x4b0 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x457679
RSP: 002b:00007f25a3cddcf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 000000000072c048 RCX: 0000000000457679
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 000000000072c048
RBP: 000000000072c040 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000072c04c
R13: 00007ffdfaf7c72f R14: 00007f25a3cde9c0 R15: 0000000000000002
INFO: task syz-executor3:8714 blocked for more than 140 seconds.
Not tainted 4.14.71+ #8
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor3 D29160 8714 1856 0x80000000
Call Trace:
schedule+0x7f/0x1b0 kernel/sched/core.c:3490
__rwsem_down_read_failed_common kernel/locking/rwsem-xadd.c:269 [inline]
rwsem_down_read_failed+0x21a/0x3d0 kernel/locking/rwsem-xadd.c:286
call_rwsem_down_read_failed+0x14/0x30 arch/x86/lib/rwsem.S:94
__down_read arch/x86/include/asm/rwsem.h:66 [inline]
down_read+0x45/0xa0 kernel/locking/rwsem.c:26
exit_mm kernel/exit.c:510 [inline]
do_exit+0x512/0x2800 kernel/exit.c:852
do_group_exit+0x100/0x2e0 kernel/exit.c:968
get_signal+0x4e5/0x1470 kernel/signal.c:2348
do_signal+0x8f/0x1660 arch/x86/kernel/signal.c:809
exit_to_usermode_loop+0x116/0x150 arch/x86/entry/common.c:159
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:267 [inline]
do_syscall_64+0x35d/0x4b0 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x457679
RSP: 002b:00007f25a3cbccf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 000000000072c0e8 RCX: 0000000000457679
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 000000000072c0e8
RBP: 000000000072c0e0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000072c0ec
R13: 00007ffdfaf7c72f R14: 00007f25a3cbd9c0 R15: 0000000000000003
Showing all locks held in the system:
1 lock held by khungtaskd/23:
#0: (tasklist_lock){.+.+}, at: [<ffffffff95601e67>]
debug_show_all_locks+0x74/0x20f kernel/locking/lockdep.c:4541
2 locks held by getty/1767:
#0: (&tty->ldisc_sem){++++}, at: [<ffffffff961245e0>]
tty_ldisc_ref_wait+0x20/0x80 drivers/tty/tty_ldisc.c:275
#1: (&ldata->atomic_read_lock){+.+.}, at: [<ffffffff9611fb5f>]
n_tty_read+0x1ff/0x15e0 drivers/tty/n_tty.c:2142
1 lock held by syz-executor3/8706:
#0: (&mm->mmap_sem){++++}, at: [<ffffffff954e5612>] exit_mm
kernel/exit.c:510 [inline]
#0: (&mm->mmap_sem){++++}, at: [<ffffffff954e5612>] do_exit+0x512/0x2800
kernel/exit.c:852
1 lock held by syz-executor3/8708:
#0: (&mm->mmap_sem){++++}, at: [<ffffffff954e5612>] exit_mm
kernel/exit.c:510 [inline]
#0: (&mm->mmap_sem){++++}, at: [<ffffffff954e5612>] do_exit+0x512/0x2800
kernel/exit.c:852
1 lock held by syz-executor3/8713:
#0: (&mm->mmap_sem){++++}, at: [<ffffffff954e5612>] exit_mm
kernel/exit.c:510 [inline]
#0: (&mm->mmap_sem){++++}, at: [<ffffffff954e5612>] do_exit+0x512/0x2800
kernel/exit.c:852
1 lock held by syz-executor3/8714:
#0: (&mm->mmap_sem){++++}, at: [<ffffffff954e5612>] exit_mm
kernel/exit.c:510 [inline]
#0: (&mm->mmap_sem){++++}, at: [<ffffffff954e5612>] do_exit+0x512/0x2800
kernel/exit.c:852
=============================================
NMI backtrace for cpu 1
CPU: 1 PID: 23 Comm: khungtaskd Not tainted 4.14.71+ #8
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0xb9/0x11b lib/dump_stack.c:53
nmi_cpu_backtrace.cold.0+0x47/0x85 lib/nmi_backtrace.c:101
nmi_trigger_cpumask_backtrace+0x121/0x146 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:138 [inline]
check_hung_uninterruptible_tasks kernel/hung_task.c:196 [inline]
watchdog+0x574/0xa70 kernel/hung_task.c:252
kthread+0x348/0x420 kernel/kthread.c:232
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:402
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 PID: 8712 Comm: syz-executor3 Not tainted 4.14.71+ #8
task: ffff8801c30dc680 task.stack: ffff8801c2680000
RIP: 0010:lock_acquire+0x0/0x380 kernel/locking/lockdep.c:3797
RSP: 0018:ffff8801c2687a90 EFLAGS: 00000246
RAX: ffff8801c291cfc0 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8801c291cfc0
RBP: ffff8801c2687c20 R08: 0000000000000001 R09: 0000000000000000
R10: ffff8801c2687c40 R11: 0000000000000000 R12: dffffc0000000000
R13: 0000000000000000 R14: ffff8801c291cf60 R15: ffffffff957ffea4
FS: 00007f25a3cff700(0000) GS:ffff8801d7600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffd6577cee8 CR3: 00000001c42a6005 CR4: 00000000001606b0
Call Trace:
__mutex_lock_common kernel/locking/mutex.c:756 [inline]
__mutex_lock+0xf5/0x1480 kernel/locking/mutex.c:893
perf_mmap+0x514/0x1370 kernel/events/core.c:5402
call_mmap include/linux/fs.h:1787 [inline]
mmap_region+0x836/0xfb0 mm/mmap.c:1731
do_mmap+0x551/0xb80 mm/mmap.c:1509
do_mmap_pgoff include/linux/mm.h:2167 [inline]
vm_mmap_pgoff+0x180/0x1d0 mm/util.c:333
SYSC_mmap_pgoff mm/mmap.c:1559 [inline]
SyS_mmap_pgoff+0xf8/0x1a0 mm/mmap.c:1517
do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x457679
RSP: 002b:00007f25a3cfec78 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
RAX: ffffffffffffffda RBX: 00007f25a3cff6d4 RCX: 0000000000457679
RDX: 0000000000000000 RSI: 0000000000002000 RDI: 0000000020941000
RBP: 000000000072bfa0 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000004011 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000004d3ab0 R14: 00000000004c2915 R15: 0000000000000001
Code: b5 32 00 e9 78 fc ff ff 4c 89 e7 e8 0b b5 32 00 e9 99 fd ff ff e8 f1
b4 32 00 e9 49 fe ff ff e8 e7 b4 32 00 e9 b2 fe ff ff 66 90 <48> b8 00 00
00 00 00 fc ff df 41 57 4d 89 ca 45 89 c7 41 56 41
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following crash on:
HEAD commit: 666c420f FROMLIST: ANDROID: binder: Add BINDER_GET_NODE_IN..
git tree: android-4.14
console output: https://syzkaller.appspot.com/x/log.txt?x=11cfb766400000
kernel config: https://syzkaller.appspot.com/x/.config?x=89d929f317ea847c
dashboard link: https://syzkaller.appspot.com/bug?extid=0b5b0db3e86b8fad4ed7
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17610d11400000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+0b5b0d...@syzkaller.appspotmail.com
INFO: task syz-executor3:8706 blocked for more than 140 seconds.
Not tainted 4.14.71+ #8
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor3 D28424 8706 1856 0x80000000
Call Trace:
schedule+0x7f/0x1b0 kernel/sched/core.c:3490
__rwsem_down_read_failed_common kernel/locking/rwsem-xadd.c:269 [inline]
rwsem_down_read_failed+0x21a/0x3d0 kernel/locking/rwsem-xadd.c:286
call_rwsem_down_read_failed+0x14/0x30 arch/x86/lib/rwsem.S:94
__down_read arch/x86/include/asm/rwsem.h:66 [inline]
down_read+0x45/0xa0 kernel/locking/rwsem.c:26
exit_mm kernel/exit.c:510 [inline]
do_exit+0x512/0x2800 kernel/exit.c:852
do_group_exit+0x100/0x2e0 kernel/exit.c:968
SYSC_exit_group kernel/exit.c:979 [inline]
SyS_exit_group+0x19/0x20 kernel/exit.c:977
do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x457679
RSP: 002b:00007ffdfaf7c938 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 000000000000001e RCX: 0000000000457679
RDX: 0000000000411151 RSI: fffffffffffffff7 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffffffffffffffff R09: 0000000000068ea5
R10: 00000000000001e0 R11: 0000000000000246 R12: 000000000000000a
R13: 0000000000068ea5 R14: 00000000000000a5 R15: badc0ffeebadface
INFO: task syz-executor3:8708 blocked for more than 140 seconds.
Not tainted 4.14.71+ #8
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor3 D28320 8708 1856 0x80000000
Call Trace:
schedule+0x7f/0x1b0 kernel/sched/core.c:3490
__rwsem_down_read_failed_common kernel/locking/rwsem-xadd.c:269 [inline]
rwsem_down_read_failed+0x21a/0x3d0 kernel/locking/rwsem-xadd.c:286
call_rwsem_down_read_failed+0x14/0x30 arch/x86/lib/rwsem.S:94
__down_read arch/x86/include/asm/rwsem.h:66 [inline]
down_read+0x45/0xa0 kernel/locking/rwsem.c:26
exit_mm kernel/exit.c:510 [inline]
do_exit+0x512/0x2800 kernel/exit.c:852
do_group_exit+0x100/0x2e0 kernel/exit.c:968
get_signal+0x4e5/0x1470 kernel/signal.c:2348
do_signal+0x8f/0x1660 arch/x86/kernel/signal.c:809
exit_to_usermode_loop+0x116/0x150 arch/x86/entry/common.c:159
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:267 [inline]
do_syscall_64+0x35d/0x4b0 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x457679
RSP: 002b:00007f25a3d1fcf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 000000000072bf08 RCX: 0000000000457679
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 000000000072bf08
RBP: 000000000072bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000072bf0c
R13: 00007ffdfaf7c72f R14: 00007f25a3d209c0 R15: 0000000000000000
INFO: task syz-executor3:8713 blocked for more than 140 seconds.
Not tainted 4.14.71+ #8
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor3 D28024 8713 1856 0x80000000
Call Trace:
schedule+0x7f/0x1b0 kernel/sched/core.c:3490
__rwsem_down_read_failed_common kernel/locking/rwsem-xadd.c:269 [inline]
rwsem_down_read_failed+0x21a/0x3d0 kernel/locking/rwsem-xadd.c:286
call_rwsem_down_read_failed+0x14/0x30 arch/x86/lib/rwsem.S:94
__down_read arch/x86/include/asm/rwsem.h:66 [inline]
down_read+0x45/0xa0 kernel/locking/rwsem.c:26
exit_mm kernel/exit.c:510 [inline]
do_exit+0x512/0x2800 kernel/exit.c:852
do_group_exit+0x100/0x2e0 kernel/exit.c:968
get_signal+0x4e5/0x1470 kernel/signal.c:2348
do_signal+0x8f/0x1660 arch/x86/kernel/signal.c:809
exit_to_usermode_loop+0x116/0x150 arch/x86/entry/common.c:159
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:267 [inline]
do_syscall_64+0x35d/0x4b0 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x457679
RSP: 002b:00007f25a3cddcf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 000000000072c048 RCX: 0000000000457679
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 000000000072c048
RBP: 000000000072c040 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000072c04c
R13: 00007ffdfaf7c72f R14: 00007f25a3cde9c0 R15: 0000000000000002
INFO: task syz-executor3:8714 blocked for more than 140 seconds.
Not tainted 4.14.71+ #8
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor3 D29160 8714 1856 0x80000000
Call Trace:
schedule+0x7f/0x1b0 kernel/sched/core.c:3490
__rwsem_down_read_failed_common kernel/locking/rwsem-xadd.c:269 [inline]
rwsem_down_read_failed+0x21a/0x3d0 kernel/locking/rwsem-xadd.c:286
call_rwsem_down_read_failed+0x14/0x30 arch/x86/lib/rwsem.S:94
__down_read arch/x86/include/asm/rwsem.h:66 [inline]
down_read+0x45/0xa0 kernel/locking/rwsem.c:26
exit_mm kernel/exit.c:510 [inline]
do_exit+0x512/0x2800 kernel/exit.c:852
do_group_exit+0x100/0x2e0 kernel/exit.c:968
get_signal+0x4e5/0x1470 kernel/signal.c:2348
do_signal+0x8f/0x1660 arch/x86/kernel/signal.c:809
exit_to_usermode_loop+0x116/0x150 arch/x86/entry/common.c:159
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:267 [inline]
do_syscall_64+0x35d/0x4b0 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x457679
RSP: 002b:00007f25a3cbccf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 000000000072c0e8 RCX: 0000000000457679
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 000000000072c0e8
RBP: 000000000072c0e0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000072c0ec
R13: 00007ffdfaf7c72f R14: 00007f25a3cbd9c0 R15: 0000000000000003
Showing all locks held in the system:
1 lock held by khungtaskd/23:
#0: (tasklist_lock){.+.+}, at: [<ffffffff95601e67>]
debug_show_all_locks+0x74/0x20f kernel/locking/lockdep.c:4541
2 locks held by getty/1767:
#0: (&tty->ldisc_sem){++++}, at: [<ffffffff961245e0>]
tty_ldisc_ref_wait+0x20/0x80 drivers/tty/tty_ldisc.c:275
#1: (&ldata->atomic_read_lock){+.+.}, at: [<ffffffff9611fb5f>]
n_tty_read+0x1ff/0x15e0 drivers/tty/n_tty.c:2142
1 lock held by syz-executor3/8706:
#0: (&mm->mmap_sem){++++}, at: [<ffffffff954e5612>] exit_mm
kernel/exit.c:510 [inline]
#0: (&mm->mmap_sem){++++}, at: [<ffffffff954e5612>] do_exit+0x512/0x2800
kernel/exit.c:852
1 lock held by syz-executor3/8708:
#0: (&mm->mmap_sem){++++}, at: [<ffffffff954e5612>] exit_mm
kernel/exit.c:510 [inline]
#0: (&mm->mmap_sem){++++}, at: [<ffffffff954e5612>] do_exit+0x512/0x2800
kernel/exit.c:852
1 lock held by syz-executor3/8713:
#0: (&mm->mmap_sem){++++}, at: [<ffffffff954e5612>] exit_mm
kernel/exit.c:510 [inline]
#0: (&mm->mmap_sem){++++}, at: [<ffffffff954e5612>] do_exit+0x512/0x2800
kernel/exit.c:852
1 lock held by syz-executor3/8714:
#0: (&mm->mmap_sem){++++}, at: [<ffffffff954e5612>] exit_mm
kernel/exit.c:510 [inline]
#0: (&mm->mmap_sem){++++}, at: [<ffffffff954e5612>] do_exit+0x512/0x2800
kernel/exit.c:852
=============================================
NMI backtrace for cpu 1
CPU: 1 PID: 23 Comm: khungtaskd Not tainted 4.14.71+ #8
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0xb9/0x11b lib/dump_stack.c:53
nmi_cpu_backtrace.cold.0+0x47/0x85 lib/nmi_backtrace.c:101
nmi_trigger_cpumask_backtrace+0x121/0x146 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:138 [inline]
check_hung_uninterruptible_tasks kernel/hung_task.c:196 [inline]
watchdog+0x574/0xa70 kernel/hung_task.c:252
kthread+0x348/0x420 kernel/kthread.c:232
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:402
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 PID: 8712 Comm: syz-executor3 Not tainted 4.14.71+ #8
task: ffff8801c30dc680 task.stack: ffff8801c2680000
RIP: 0010:lock_acquire+0x0/0x380 kernel/locking/lockdep.c:3797
RSP: 0018:ffff8801c2687a90 EFLAGS: 00000246
RAX: ffff8801c291cfc0 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8801c291cfc0
RBP: ffff8801c2687c20 R08: 0000000000000001 R09: 0000000000000000
R10: ffff8801c2687c40 R11: 0000000000000000 R12: dffffc0000000000
R13: 0000000000000000 R14: ffff8801c291cf60 R15: ffffffff957ffea4
FS: 00007f25a3cff700(0000) GS:ffff8801d7600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffd6577cee8 CR3: 00000001c42a6005 CR4: 00000000001606b0
Call Trace:
__mutex_lock_common kernel/locking/mutex.c:756 [inline]
__mutex_lock+0xf5/0x1480 kernel/locking/mutex.c:893
perf_mmap+0x514/0x1370 kernel/events/core.c:5402
call_mmap include/linux/fs.h:1787 [inline]
mmap_region+0x836/0xfb0 mm/mmap.c:1731
do_mmap+0x551/0xb80 mm/mmap.c:1509
do_mmap_pgoff include/linux/mm.h:2167 [inline]
vm_mmap_pgoff+0x180/0x1d0 mm/util.c:333
SYSC_mmap_pgoff mm/mmap.c:1559 [inline]
SyS_mmap_pgoff+0xf8/0x1a0 mm/mmap.c:1517
do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x457679
RSP: 002b:00007f25a3cfec78 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
RAX: ffffffffffffffda RBX: 00007f25a3cff6d4 RCX: 0000000000457679
RDX: 0000000000000000 RSI: 0000000000002000 RDI: 0000000020941000
RBP: 000000000072bfa0 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000004011 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000004d3ab0 R14: 00000000004c2915 R15: 0000000000000001
Code: b5 32 00 e9 78 fc ff ff 4c 89 e7 e8 0b b5 32 00 e9 99 fd ff ff e8 f1
b4 32 00 e9 49 fe ff ff e8 e7 b4 32 00 e9 b2 fe ff ff 66 90 <48> b8 00 00
00 00 00 fc ff df 41 57 4d 89 ca 45 89 c7 41 56 41
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot
Apr 14, 2019, 5:28:16 AM4/14/19
to syzkaller-a...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: 38f2b4a8 Merge 4.9.132 into android-4.9
syzbot found the following crash on:
git tree: android-4.9
console output: https://syzkaller.appspot.com/x/log.txt?x=1571d96e400000
kernel config: https://syzkaller.appspot.com/x/.config?x=912079d9e892f390
dashboard link: https://syzkaller.appspot.com/bug?extid=f321b2782ec644debe61
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11432b4e400000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
INFO: task syz-executor0:5550 blocked for more than 140 seconds.
Not tainted 4.9.132+ #51
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor0 D28568 5550 2266 0x80000000
ffff8801ca552f80 ffff8801d4bba680 ffff8801d4bba680 ffff8801ca554740
ffff8801db621018 ffff8801c9bf7b10 ffffffff827f36e2 ffff8801c9bf7ae8
ffffffff81206c17 0000000000000000 00ff8801ca553828 ffff8801db6218f0
Call Trace:
[<ffffffff827f4c0f>] schedule+0x7f/0x1b0 kernel/sched/core.c:3553
[<ffffffff827ff96c>] rwsem_down_read_failed+0x26c/0x400
kernel/locking/rwsem-xadd.c:260
[<ffffffff81b69708>] call_rwsem_down_read_failed+0x18/0x30
arch/x86/lib/rwsem.S:94
[<ffffffff827fd742>] __down_read arch/x86/include/asm/rwsem.h:65 [inline]
[<ffffffff827fd742>] down_read+0x52/0xb0 kernel/locking/rwsem.c:24
[<ffffffff810e6841>] exit_mm kernel/exit.c:480 [inline]
[<ffffffff810e6841>] do_exit+0x3c1/0x29d0 kernel/exit.c:820
[<ffffffff810ed2e1>] do_group_exit+0x111/0x300 kernel/exit.c:937
[<ffffffff810ed4ed>] SYSC_exit_group kernel/exit.c:948 [inline]
[<ffffffff810ed4ed>] SyS_exit_group+0x1d/0x20 kernel/exit.c:946
[<ffffffff810056ef>] do_syscall_64+0x19f/0x550 arch/x86/entry/common.c:285
[<ffffffff82803953>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
Showing all locks held in the system:
#0: (rcu_read_lock){......}, at: [<ffffffff8131bc8c>]
check_hung_uninterruptible_tasks kernel/hung_task.c:168 [inline]
#0: (rcu_read_lock){......}, at: [<ffffffff8131bc8c>]
watchdog+0x11c/0xa20 kernel/hung_task.c:239
#1: (tasklist_lock){.+.+..}, at: [<ffffffff813fe454>]
debug_show_all_locks+0x79/0x218 kernel/locking/lockdep.c:4336
2 locks held by getty/2034:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82801a32>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
#1: (&ldata->atomic_read_lock){+.+...}, at: [<ffffffff81d2b442>]
n_tty_read+0x202/0x16e0 drivers/tty/n_tty.c:2142
1 lock held by syz-executor0/5550:
#0: (&mm->mmap_sem){++++++}, at: [<ffffffff810e6841>] exit_mm
kernel/exit.c:480 [inline]
#0: (&mm->mmap_sem){++++++}, at: [<ffffffff810e6841>]
do_exit+0x3c1/0x29d0 kernel/exit.c:820
1 lock held by syz-executor0/5551:
#0: (&mm->mmap_sem){++++++}, at: [<ffffffff810e6841>] exit_mm
kernel/exit.c:480 [inline]
#0: (&mm->mmap_sem){++++++}, at: [<ffffffff810e6841>]
do_exit+0x3c1/0x29d0 kernel/exit.c:820
1 lock held by syz-executor0/5563:
#0: (&mm->mmap_sem){++++++}, at: [<ffffffff810e6841>] exit_mm
kernel/exit.c:480 [inline]
#0: (&mm->mmap_sem){++++++}, at: [<ffffffff810e6841>]
do_exit+0x3c1/0x29d0 kernel/exit.c:820
=============================================
NMI backtrace for cpu 0
CPU: 0 PID: 24 Comm: khungtaskd Not tainted 4.9.132+ #51
ffff8801d9907d08 ffffffff81b371b9 0000000000000000 0000000000000000
0000000000000000 0000000000000001 ffffffff810984f0 ffff8801d9907d40
ffffffff81b422c9 0000000000000000 0000000000000000 0000000000000003
Call Trace:
[<ffffffff81b371b9>] __dump_stack lib/dump_stack.c:15 [inline]
[<ffffffff81b371b9>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
[<ffffffff81b422c9>] nmi_cpu_backtrace.cold.0+0x48/0x87
lib/nmi_backtrace.c:99
[<ffffffff81b4225c>] nmi_trigger_cpumask_backtrace+0x12c/0x151
lib/nmi_backtrace.c:60
[<ffffffff810985f4>] arch_trigger_cpumask_backtrace+0x14/0x20
arch/x86/kernel/apic/hw_nmi.c:37
[<ffffffff8131c21d>] trigger_all_cpu_backtrace include/linux/nmi.h:58
[inline]
[<ffffffff8131c21d>] check_hung_task kernel/hung_task.c:125 [inline]
[<ffffffff8131c21d>] check_hung_uninterruptible_tasks
kernel/hung_task.c:182 [inline]
[<ffffffff8131c21d>] watchdog+0x6ad/0xa20 kernel/hung_task.c:239
[<ffffffff81142a9d>] kthread+0x26d/0x300 kernel/kthread.c:211
[<ffffffff82803b1c>] ret_from_fork+0x5c/0x70 arch/x86/entry/entry_64.S:373
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 5562 Comm: syz-executor0 Not tainted 4.9.132+ #51
task: ffff8801c9572f80 task.stack: ffff8801c9bd0000
RIP: 0010:[<ffffffff81205970>] c [<ffffffff81205970>]
mark_lock+0xb0/0x1290 kernel/locking/lockdep.c:3039
RSP: 0018:ffff8801c9bd7a60 EFLAGS: 00000046
RAX: dffffc0000000000 RBX: ffff8801c9573858 RCX: 1ffff100392ae70f
RDX: 1ffffffff0798f9e RSI: ffff8801c9573858 RDI: ffffffff83cc7cf0
RBP: ffff8801c9bd7aa8 R08: ffff8801c9573878 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff83cc7cc0
R13: 0000000000000040 R14: 0000000000000006 R15: ffff8801c9572f80
FS: 00007f20951aa700(0000) GS:ffff8801db700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000c9c308 CR3: 00000001c9b59000 CR4: 00000000001606b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
0000000000000246 c ffff8801c9572f80 c ffffffff830cc2e0 c d4e84e40c231a289 c
0000000000000001 c ffff8801c9573830 c ffffed00392ae705 c ffff8801c9572f80 c
dffffc0000000000 c ffff8801c9bd7af8 c ffffffff81206c17 c 0000000000000246 c
Call Trace:
[<ffffffff81206c17>] mark_held_locks+0xc7/0x130
kernel/locking/lockdep.c:2660
[<ffffffff8120700b>] __trace_hardirqs_on_caller
kernel/locking/lockdep.c:2689 [inline]
[<ffffffff8120700b>] trace_hardirqs_on_caller+0x38b/0x590
kernel/locking/lockdep.c:2736
[<ffffffff8120721d>] trace_hardirqs_on+0xd/0x10
kernel/locking/lockdep.c:2743
[<ffffffff827f7937>] __mutex_lock_common kernel/locking/mutex.c:603
[inline]
[<ffffffff827f7937>] mutex_lock_nested+0x6b7/0x900
kernel/locking/mutex.c:621
[<ffffffff813d9897>] perf_mmap+0x4f7/0x1430 kernel/events/core.c:5265
[<ffffffff814b42bc>] mmap_region+0x80c/0xf90 mm/mmap.c:1726
[<ffffffff814b4f7d>] do_mmap+0x53d/0xbb0 mm/mmap.c:1505
[<ffffffff81469f88>] do_mmap_pgoff include/linux/mm.h:2032 [inline]
[<ffffffff81469f88>] vm_mmap_pgoff+0x168/0x1b0 mm/util.c:329
[<ffffffff814af62e>] SYSC_mmap_pgoff mm/mmap.c:1555 [inline]
[<ffffffff814af62e>] SyS_mmap_pgoff+0xfe/0x1b0 mm/mmap.c:1513
[<ffffffff8105d356>] SYSC_mmap arch/x86/kernel/sys_x86_64.c:96 [inline]
[<ffffffff8105d356>] SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:87
[<ffffffff810056ef>] do_syscall_64+0x19f/0x550 arch/x86/entry/common.c:285
[<ffffffff82803953>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
Code: cb0 c01 c00 c00 c49 c81 cc4 cc0 c79 cc6 c83 c49 c8d c7c
c24 c30 c48 cb8 c00 c00 c00 c00 c00 cfc cff cdf c48 c89 cfa
c48 cc1 cea c03 c80 c3c c02 c00 c0f c85 cbb c0d c00 c00
c<4d> c85 c6c c24 c30 c74 c5f c41 cbd c01 c00 c00 c00 c48
c83 cc4 c20 c44 c89 ce8 c5b c
Reply all
Reply to author
Forward
0 new messages