Hello,
syzbot found the following crash on:
HEAD commit: 666c420f FROMLIST: ANDROID: binder: Add BINDER_GET_NODE_IN..
git tree: android-4.14
console output:
https://syzkaller.appspot.com/x/log.txt?x=11cfb766400000
kernel config:
https://syzkaller.appspot.com/x/.config?x=89d929f317ea847c
dashboard link:
https://syzkaller.appspot.com/bug?extid=0b5b0db3e86b8fad4ed7
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syz repro:
https://syzkaller.appspot.com/x/repro.syz?x=17610d11400000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by:
syzbot+0b5b0d...@syzkaller.appspotmail.com
INFO: task syz-executor3:8706 blocked for more than 140 seconds.
Not tainted 4.14.71+ #8
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor3 D28424 8706 1856 0x80000000
Call Trace:
schedule+0x7f/0x1b0 kernel/sched/core.c:3490
__rwsem_down_read_failed_common kernel/locking/rwsem-xadd.c:269 [inline]
rwsem_down_read_failed+0x21a/0x3d0 kernel/locking/rwsem-xadd.c:286
call_rwsem_down_read_failed+0x14/0x30 arch/x86/lib/rwsem.S:94
__down_read arch/x86/include/asm/rwsem.h:66 [inline]
down_read+0x45/0xa0 kernel/locking/rwsem.c:26
exit_mm kernel/exit.c:510 [inline]
do_exit+0x512/0x2800 kernel/exit.c:852
do_group_exit+0x100/0x2e0 kernel/exit.c:968
SYSC_exit_group kernel/exit.c:979 [inline]
SyS_exit_group+0x19/0x20 kernel/exit.c:977
do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x457679
RSP: 002b:00007ffdfaf7c938 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 000000000000001e RCX: 0000000000457679
RDX: 0000000000411151 RSI: fffffffffffffff7 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffffffffffffffff R09: 0000000000068ea5
R10: 00000000000001e0 R11: 0000000000000246 R12: 000000000000000a
R13: 0000000000068ea5 R14: 00000000000000a5 R15: badc0ffeebadface
INFO: task syz-executor3:8708 blocked for more than 140 seconds.
Not tainted 4.14.71+ #8
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor3 D28320 8708 1856 0x80000000
Call Trace:
schedule+0x7f/0x1b0 kernel/sched/core.c:3490
__rwsem_down_read_failed_common kernel/locking/rwsem-xadd.c:269 [inline]
rwsem_down_read_failed+0x21a/0x3d0 kernel/locking/rwsem-xadd.c:286
call_rwsem_down_read_failed+0x14/0x30 arch/x86/lib/rwsem.S:94
__down_read arch/x86/include/asm/rwsem.h:66 [inline]
down_read+0x45/0xa0 kernel/locking/rwsem.c:26
exit_mm kernel/exit.c:510 [inline]
do_exit+0x512/0x2800 kernel/exit.c:852
do_group_exit+0x100/0x2e0 kernel/exit.c:968
get_signal+0x4e5/0x1470 kernel/signal.c:2348
do_signal+0x8f/0x1660 arch/x86/kernel/signal.c:809
exit_to_usermode_loop+0x116/0x150 arch/x86/entry/common.c:159
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:267 [inline]
do_syscall_64+0x35d/0x4b0 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x457679
RSP: 002b:00007f25a3d1fcf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 000000000072bf08 RCX: 0000000000457679
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 000000000072bf08
RBP: 000000000072bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000072bf0c
R13: 00007ffdfaf7c72f R14: 00007f25a3d209c0 R15: 0000000000000000
INFO: task syz-executor3:8713 blocked for more than 140 seconds.
Not tainted 4.14.71+ #8
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor3 D28024 8713 1856 0x80000000
Call Trace:
schedule+0x7f/0x1b0 kernel/sched/core.c:3490
__rwsem_down_read_failed_common kernel/locking/rwsem-xadd.c:269 [inline]
rwsem_down_read_failed+0x21a/0x3d0 kernel/locking/rwsem-xadd.c:286
call_rwsem_down_read_failed+0x14/0x30 arch/x86/lib/rwsem.S:94
__down_read arch/x86/include/asm/rwsem.h:66 [inline]
down_read+0x45/0xa0 kernel/locking/rwsem.c:26
exit_mm kernel/exit.c:510 [inline]
do_exit+0x512/0x2800 kernel/exit.c:852
do_group_exit+0x100/0x2e0 kernel/exit.c:968
get_signal+0x4e5/0x1470 kernel/signal.c:2348
do_signal+0x8f/0x1660 arch/x86/kernel/signal.c:809
exit_to_usermode_loop+0x116/0x150 arch/x86/entry/common.c:159
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:267 [inline]
do_syscall_64+0x35d/0x4b0 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x457679
RSP: 002b:00007f25a3cddcf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 000000000072c048 RCX: 0000000000457679
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 000000000072c048
RBP: 000000000072c040 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000072c04c
R13: 00007ffdfaf7c72f R14: 00007f25a3cde9c0 R15: 0000000000000002
INFO: task syz-executor3:8714 blocked for more than 140 seconds.
Not tainted 4.14.71+ #8
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor3 D29160 8714 1856 0x80000000
Call Trace:
schedule+0x7f/0x1b0 kernel/sched/core.c:3490
__rwsem_down_read_failed_common kernel/locking/rwsem-xadd.c:269 [inline]
rwsem_down_read_failed+0x21a/0x3d0 kernel/locking/rwsem-xadd.c:286
call_rwsem_down_read_failed+0x14/0x30 arch/x86/lib/rwsem.S:94
__down_read arch/x86/include/asm/rwsem.h:66 [inline]
down_read+0x45/0xa0 kernel/locking/rwsem.c:26
exit_mm kernel/exit.c:510 [inline]
do_exit+0x512/0x2800 kernel/exit.c:852
do_group_exit+0x100/0x2e0 kernel/exit.c:968
get_signal+0x4e5/0x1470 kernel/signal.c:2348
do_signal+0x8f/0x1660 arch/x86/kernel/signal.c:809
exit_to_usermode_loop+0x116/0x150 arch/x86/entry/common.c:159
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:267 [inline]
do_syscall_64+0x35d/0x4b0 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x457679
RSP: 002b:00007f25a3cbccf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 000000000072c0e8 RCX: 0000000000457679
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 000000000072c0e8
RBP: 000000000072c0e0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000072c0ec
R13: 00007ffdfaf7c72f R14: 00007f25a3cbd9c0 R15: 0000000000000003
Showing all locks held in the system:
1 lock held by khungtaskd/23:
#0: (tasklist_lock){.+.+}, at: [<ffffffff95601e67>]
debug_show_all_locks+0x74/0x20f kernel/locking/lockdep.c:4541
2 locks held by getty/1767:
#0: (&tty->ldisc_sem){++++}, at: [<ffffffff961245e0>]
tty_ldisc_ref_wait+0x20/0x80 drivers/tty/tty_ldisc.c:275
#1: (&ldata->atomic_read_lock){+.+.}, at: [<ffffffff9611fb5f>]
n_tty_read+0x1ff/0x15e0 drivers/tty/n_tty.c:2142
1 lock held by syz-executor3/8706:
#0: (&mm->mmap_sem){++++}, at: [<ffffffff954e5612>] exit_mm
kernel/exit.c:510 [inline]
#0: (&mm->mmap_sem){++++}, at: [<ffffffff954e5612>] do_exit+0x512/0x2800
kernel/exit.c:852
1 lock held by syz-executor3/8708:
#0: (&mm->mmap_sem){++++}, at: [<ffffffff954e5612>] exit_mm
kernel/exit.c:510 [inline]
#0: (&mm->mmap_sem){++++}, at: [<ffffffff954e5612>] do_exit+0x512/0x2800
kernel/exit.c:852
1 lock held by syz-executor3/8713:
#0: (&mm->mmap_sem){++++}, at: [<ffffffff954e5612>] exit_mm
kernel/exit.c:510 [inline]
#0: (&mm->mmap_sem){++++}, at: [<ffffffff954e5612>] do_exit+0x512/0x2800
kernel/exit.c:852
1 lock held by syz-executor3/8714:
#0: (&mm->mmap_sem){++++}, at: [<ffffffff954e5612>] exit_mm
kernel/exit.c:510 [inline]
#0: (&mm->mmap_sem){++++}, at: [<ffffffff954e5612>] do_exit+0x512/0x2800
kernel/exit.c:852
=============================================
NMI backtrace for cpu 1
CPU: 1 PID: 23 Comm: khungtaskd Not tainted 4.14.71+ #8
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0xb9/0x11b lib/dump_stack.c:53
nmi_cpu_backtrace.cold.0+0x47/0x85 lib/nmi_backtrace.c:101
nmi_trigger_cpumask_backtrace+0x121/0x146 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:138 [inline]
check_hung_uninterruptible_tasks kernel/hung_task.c:196 [inline]
watchdog+0x574/0xa70 kernel/hung_task.c:252
kthread+0x348/0x420 kernel/kthread.c:232
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:402
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 PID: 8712 Comm: syz-executor3 Not tainted 4.14.71+ #8
task: ffff8801c30dc680 task.stack: ffff8801c2680000
RIP: 0010:lock_acquire+0x0/0x380 kernel/locking/lockdep.c:3797
RSP: 0018:ffff8801c2687a90 EFLAGS: 00000246
RAX: ffff8801c291cfc0 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8801c291cfc0
RBP: ffff8801c2687c20 R08: 0000000000000001 R09: 0000000000000000
R10: ffff8801c2687c40 R11: 0000000000000000 R12: dffffc0000000000
R13: 0000000000000000 R14: ffff8801c291cf60 R15: ffffffff957ffea4
FS: 00007f25a3cff700(0000) GS:ffff8801d7600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffd6577cee8 CR3: 00000001c42a6005 CR4: 00000000001606b0
Call Trace:
__mutex_lock_common kernel/locking/mutex.c:756 [inline]
__mutex_lock+0xf5/0x1480 kernel/locking/mutex.c:893
perf_mmap+0x514/0x1370 kernel/events/core.c:5402
call_mmap include/linux/fs.h:1787 [inline]
mmap_region+0x836/0xfb0 mm/mmap.c:1731
do_mmap+0x551/0xb80 mm/mmap.c:1509
do_mmap_pgoff include/linux/mm.h:2167 [inline]
vm_mmap_pgoff+0x180/0x1d0 mm/util.c:333
SYSC_mmap_pgoff mm/mmap.c:1559 [inline]
SyS_mmap_pgoff+0xf8/0x1a0 mm/mmap.c:1517
do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x457679
RSP: 002b:00007f25a3cfec78 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
RAX: ffffffffffffffda RBX: 00007f25a3cff6d4 RCX: 0000000000457679
RDX: 0000000000000000 RSI: 0000000000002000 RDI: 0000000020941000
RBP: 000000000072bfa0 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000004011 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000004d3ab0 R14: 00000000004c2915 R15: 0000000000000001
Code: b5 32 00 e9 78 fc ff ff 4c 89 e7 e8 0b b5 32 00 e9 99 fd ff ff e8 f1
b4 32 00 e9 49 fe ff ff e8 e7 b4 32 00 e9 b2 fe ff ff 66 90 <48> b8 00 00
00 00 00 fc ff df 41 57 4d 89 ca 45 89 c7 41 56 41
---
This bug is generated by a bot. It may contain errors.
See
https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at
syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches