INFO: task hung in do_truncate2


syzbot

Apr 11, 2019, 8:00:59 PM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: b7e40c3d Merge 4.14.75 into android-4.14
git tree: android-4.14
console output: https://syzkaller.appspot.com/x/log.txt?x=127baad6400000
kernel config: https://syzkaller.appspot.com/x/.config?x=83372ecdbe063bdb
dashboard link: https://syzkaller.appspot.com/bug?extid=7c08a8b5468740bcc8f1
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=147bbbc9400000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17885691400000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+7c08a8...@syzkaller.appspotmail.com

random: sshd: uninitialized urandom read (32 bytes read)
audit: type=1400 audit(1539238308.440:7): avc: denied { map } for
pid=1891 comm="syz-executor550" path="/root/syz-executor550573404"
dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
INFO: task syz-executor550:1913 blocked for more than 140 seconds.
Not tainted 4.14.75+ #18
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor550 D29408 1913 1891 0x00000004
Call Trace:
schedule+0x7f/0x1b0 kernel/sched/core.c:3490
__rwsem_down_write_failed_common kernel/locking/rwsem-xadd.c:565 [inline]
rwsem_down_write_failed+0x390/0x730 kernel/locking/rwsem-xadd.c:594
call_rwsem_down_write_failed+0x13/0x20 arch/x86/lib/rwsem.S:105
__down_write arch/x86/include/asm/rwsem.h:126 [inline]
down_write+0x4f/0x90 kernel/locking/rwsem.c:56
inode_lock include/linux/fs.h:713 [inline]
do_truncate2+0xfd/0x1c0 fs/open.c:61
handle_truncate fs/namei.c:2998 [inline]
do_last fs/namei.c:3417 [inline]
path_openat+0xaea/0x23a0 fs/namei.c:3550
do_filp_open+0x197/0x270 fs/namei.c:3584
do_sys_open+0x2ef/0x580 fs/open.c:1071
do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x446619
RSP: 002b:00007fe9f71eada8 EFLAGS: 00000297 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00000000006dbc58 RCX: 0000000000446619
RDX: 000000000000275a RSI: 0000000020000080 RDI: 00000000ffffff9c
RBP: 00000000006dbc50 R08: 00007fe9f71eb700 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000297 R12: 00000000006dbc5c
R13: 0030656c69662f2e R14: 00007fe9f71eb9c0 R15: 00000000006dbd4c
INFO: task syz-executor550:1914 blocked for more than 140 seconds.
Not tainted 4.14.75+ #18
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor550 D29560 1914 1891 0x00000004
Call Trace:
schedule+0x7f/0x1b0 kernel/sched/core.c:3490
__rwsem_down_write_failed_common kernel/locking/rwsem-xadd.c:565 [inline]
rwsem_down_write_failed+0x390/0x730 kernel/locking/rwsem-xadd.c:594
call_rwsem_down_write_failed+0x13/0x20 arch/x86/lib/rwsem.S:105
__down_write arch/x86/include/asm/rwsem.h:126 [inline]
down_write+0x4f/0x90 kernel/locking/rwsem.c:56
inode_lock include/linux/fs.h:713 [inline]
do_truncate2+0xfd/0x1c0 fs/open.c:61
handle_truncate fs/namei.c:2998 [inline]
do_last fs/namei.c:3417 [inline]
path_openat+0xaea/0x23a0 fs/namei.c:3550
do_filp_open+0x197/0x270 fs/namei.c:3584
do_sys_open+0x2ef/0x580 fs/open.c:1071
do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x446619
RSP: 002b:00007fe9f71c9da8 EFLAGS: 00000293 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00000000006dbc68 RCX: 0000000000446619
RDX: 000000000000275a RSI: 0000000020000080 RDI: 00000000ffffff9c
RBP: 00000000006dbc60 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 00000000006dbc6c
R13: 0030656c69662f2e R14: 00007fe9f71ca9c0 R15: 00000000006dbd4c
INFO: task syz-executor550:1915 blocked for more than 140 seconds.
Not tainted 4.14.75+ #18
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor550 D28984 1915 1891 0x00000004
Call Trace:
schedule+0x7f/0x1b0 kernel/sched/core.c:3490
__rwsem_down_write_failed_common kernel/locking/rwsem-xadd.c:565 [inline]
rwsem_down_write_failed+0x390/0x730 kernel/locking/rwsem-xadd.c:594
call_rwsem_down_write_failed+0x13/0x20 arch/x86/lib/rwsem.S:105
__down_write arch/x86/include/asm/rwsem.h:126 [inline]
down_write+0x4f/0x90 kernel/locking/rwsem.c:56
inode_lock include/linux/fs.h:713 [inline]
do_truncate2+0xfd/0x1c0 fs/open.c:61
handle_truncate fs/namei.c:2998 [inline]
do_last fs/namei.c:3417 [inline]
path_openat+0xaea/0x23a0 fs/namei.c:3550
do_filp_open+0x197/0x270 fs/namei.c:3584
do_sys_open+0x2ef/0x580 fs/open.c:1071
do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x446619
RSP: 002b:00007fe9f71a8da8 EFLAGS: 00000293 ORIG_RAX: 0000000000000055
RAX: ffffffffffffffda RBX: 00000000006dbc78 RCX: 0000000000446619
RDX: 00000000004028e4 RSI: 0000000000000000 RDI: 0000000020000140
RBP: 00000000006dbc70 R08: 00007fe9f71a9700 R09: 0000000000000000
R10: 00007fe9f71a9700 R11: 0000000000000293 R12: 00000000006dbc7c
R13: 0030656c69662f2e R14: 00007fe9f71a99c0 R15: 00000000006dbd4c
INFO: task syz-executor550:1916 blocked for more than 140 seconds.
Not tainted 4.14.75+ #18
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor550 D27824 1916 1891 0x00000004
Call Trace:
schedule+0x7f/0x1b0 kernel/sched/core.c:3490
__rwsem_down_write_failed_common kernel/locking/rwsem-xadd.c:565 [inline]
rwsem_down_write_failed+0x390/0x730 kernel/locking/rwsem-xadd.c:594
call_rwsem_down_write_failed+0x13/0x20 arch/x86/lib/rwsem.S:105
__down_write arch/x86/include/asm/rwsem.h:126 [inline]
down_write+0x4f/0x90 kernel/locking/rwsem.c:56
inode_lock include/linux/fs.h:713 [inline]
do_truncate2+0xfd/0x1c0 fs/open.c:61
handle_truncate fs/namei.c:2998 [inline]
do_last fs/namei.c:3417 [inline]
path_openat+0xaea/0x23a0 fs/namei.c:3550
do_filp_open+0x197/0x270 fs/namei.c:3584
do_sys_open+0x2ef/0x580 fs/open.c:1071
do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x446619
RSP: 002b:00007fe9f7187da8 EFLAGS: 00000297 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00000000006dbc88 RCX: 0000000000446619
RDX: 000000000000275a RSI: 0000000020000080 RDI: 00000000ffffff9c
RBP: 00000000006dbc80 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000297 R12: 00000000006dbc8c
R13: 0030656c69662f2e R14: 00007fe9f71889c0 R15: 00000000006dbd4c
INFO: task syz-executor550:1917 blocked for more than 140 seconds.
Not tainted 4.14.75+ #18
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor550 D29928 1917 1891 0x00000004
Call Trace:
schedule+0x7f/0x1b0 kernel/sched/core.c:3490
__rwsem_down_write_failed_common kernel/locking/rwsem-xadd.c:565 [inline]
rwsem_down_write_failed+0x390/0x730 kernel/locking/rwsem-xadd.c:594
call_rwsem_down_write_failed+0x13/0x20 arch/x86/lib/rwsem.S:105
__down_write arch/x86/include/asm/rwsem.h:126 [inline]
down_write+0x4f/0x90 kernel/locking/rwsem.c:56
inode_lock include/linux/fs.h:713 [inline]
ext4_fallocate+0x359/0x1c80 fs/ext4/extents.c:4965
vfs_fallocate+0x346/0x700 fs/open.c:328
SYSC_fallocate fs/open.c:351 [inline]
SyS_fallocate+0x4b/0x80 fs/open.c:345
do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x446619
RSP: 002b:00007fe9f7166da8 EFLAGS: 00000297 ORIG_RAX: 000000000000011d
RAX: ffffffffffffffda RBX: 00000000006dbc98 RCX: 0000000000446619
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00000000006dbc90 R08: 00007fe9f7167700 R09: 0000000000000000
R10: 0000000000010001 R11: 0000000000000297 R12: 00000000006dbc9c
R13: 0030656c69662f2e R14: 00007fe9f71679c0 R15: 00000000006dbd4c
INFO: task syz-executor550:1918 blocked for more than 140 seconds.
Not tainted 4.14.75+ #18
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor550 D29456 1918 1891 0x00000004
Call Trace:
schedule+0x7f/0x1b0 kernel/sched/core.c:3490
__rwsem_down_write_failed_common kernel/locking/rwsem-xadd.c:565 [inline]
rwsem_down_write_failed+0x390/0x730 kernel/locking/rwsem-xadd.c:594
call_rwsem_down_write_failed+0x13/0x20 arch/x86/lib/rwsem.S:105
__down_write arch/x86/include/asm/rwsem.h:126 [inline]
down_write_nested+0x51/0x90 kernel/locking/rwsem.c:174
inode_lock_nested include/linux/fs.h:748 [inline]
lock_two_nondirectories+0xb2/0xf0 fs/inode.c:984
swap_inode_boot_loader fs/ext4/ioctl.c:120 [inline]
ext4_ioctl+0x1843/0x35e0 fs/ext4/ioctl.c:863
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:500 [inline]
do_vfs_ioctl+0x1a0/0x1030 fs/ioctl.c:684
SYSC_ioctl fs/ioctl.c:701 [inline]
SyS_ioctl+0x7e/0xb0 fs/ioctl.c:692
do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x446619
RSP: 002b:00007fe9f7145da8 EFLAGS: 00000297 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000006dbca8 RCX: 0000000000446619
RDX: 00000000004028e4 RSI: 0000000000006611 RDI: 0000000000000004
RBP: 00000000006dbca0 R08: 00007fe9f7146700 R09: 0000000000000000
R10: 00007fe9f7146700 R11: 0000000000000297 R12: 00000000006dbcac
R13: 0030656c69662f2e R14: 00007fe9f71469c0 R15: 00000000006dbd4c
INFO: task syz-executor550:1919 blocked for more than 140 seconds.
Not tainted 4.14.75+ #18
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor550 D28824 1919 1891 0x00000004
Call Trace:
schedule+0x7f/0x1b0 kernel/sched/core.c:3490
__rwsem_down_write_failed_common kernel/locking/rwsem-xadd.c:565 [inline]
rwsem_down_write_failed+0x390/0x730 kernel/locking/rwsem-xadd.c:594
call_rwsem_down_write_failed+0x13/0x20 arch/x86/lib/rwsem.S:105
__down_write arch/x86/include/asm/rwsem.h:126 [inline]
down_write+0x4f/0x90 kernel/locking/rwsem.c:56
inode_lock include/linux/fs.h:713 [inline]
lock_two_nondirectories+0xca/0xf0 fs/inode.c:982
ext4_move_extents+0x4cf/0x2a10 fs/ext4/move_extent.c:609
ext4_ioctl+0x275c/0x35e0 fs/ext4/ioctl.c:765
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:500 [inline]
do_vfs_ioctl+0x1a0/0x1030 fs/ioctl.c:684
SYSC_ioctl fs/ioctl.c:701 [inline]
SyS_ioctl+0x7e/0xb0 fs/ioctl.c:692
do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x446619
RSP: 002b:00007fe9f7124da8 EFLAGS: 00000293 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000006dbcb8 RCX: 0000000000446619
RDX: 0000000020000040 RSI: 00000000c028660f RDI: 0000000000000003
RBP: 00000000006dbcb0 R08: 00007fe9f7125700 R09: 0000000000000000
R10: 00007fe9f7125700 R11: 0000000000000293 R12: 00000000006dbcbc
R13: 0030656c69662f2e R14: 00007fe9f71259c0 R15: 00000000006dbd4c

Showing all locks held in the system:
1 lock held by khungtaskd/23:
#0: (tasklist_lock){.+.+}, at: [<ffffffff98602247>]
debug_show_all_locks+0x74/0x20f kernel/locking/lockdep.c:4541
3 locks held by rs:main Q:Reg/1632:
#0: (&f->f_pos_lock){+.+.}, at: [<ffffffff989bd5e2>]
__fdget_pos+0xa2/0xc0 fs/file.c:768
#1: (sb_writers#4){.+.+}, at: [<ffffffff9895bed7>] file_start_write
include/linux/fs.h:2722 [inline]
#1: (sb_writers#4){.+.+}, at: [<ffffffff9895bed7>] vfs_write+0x3d7/0x4d0
fs/read_write.c:545
#2: (&sb->s_type->i_mutex_key#9){+.+.}, at: [<ffffffff98b15539>]
inode_trylock include/linux/fs.h:733 [inline]
#2: (&sb->s_type->i_mutex_key#9){+.+.}, at: [<ffffffff98b15539>]
ext4_file_write_iter+0x1b9/0xe20 fs/ext4/file.c:230
2 locks held by getty/1762:
#0: (&tty->ldisc_sem){++++}, at: [<ffffffff9912f070>]
tty_ldisc_ref_wait+0x20/0x80 drivers/tty/tty_ldisc.c:275
#1: (&ldata->atomic_read_lock){+.+.}, at: [<ffffffff9912a5ef>]
n_tty_read+0x1ff/0x15e0 drivers/tty/n_tty.c:2142
2 locks held by syz-executor550/1913:
#0: (sb_writers#4){.+.+}, at: [<ffffffff989c586a>] sb_start_write
include/linux/fs.h:1543 [inline]
#0: (sb_writers#4){.+.+}, at: [<ffffffff989c586a>]
mnt_want_write+0x3a/0xa0 fs/namespace.c:387
#1: (&sb->s_type->i_mutex_key#9){+.+.}, at: [<ffffffff98950ccd>]
inode_lock include/linux/fs.h:713 [inline]
#1: (&sb->s_type->i_mutex_key#9){+.+.}, at: [<ffffffff98950ccd>]
do_truncate2+0xfd/0x1c0 fs/open.c:61
2 locks held by syz-executor550/1914:
#0: (sb_writers#4){.+.+}, at: [<ffffffff989c586a>] sb_start_write
include/linux/fs.h:1543 [inline]
#0: (sb_writers#4){.+.+}, at: [<ffffffff989c586a>]
mnt_want_write+0x3a/0xa0 fs/namespace.c:387
#1: (&sb->s_type->i_mutex_key#9){+.+.}, at: [<ffffffff98950ccd>]
inode_lock include/linux/fs.h:713 [inline]
#1: (&sb->s_type->i_mutex_key#9){+.+.}, at: [<ffffffff98950ccd>]
do_truncate2+0xfd/0x1c0 fs/open.c:61
2 locks held by syz-executor550/1915:
#0: (sb_writers#4){.+.+}, at: [<ffffffff989c586a>] sb_start_write
include/linux/fs.h:1543 [inline]
#0: (sb_writers#4){.+.+}, at: [<ffffffff989c586a>]
mnt_want_write+0x3a/0xa0 fs/namespace.c:387
#1: (&sb->s_type->i_mutex_key#9){+.+.}, at: [<ffffffff98950ccd>]
inode_lock include/linux/fs.h:713 [inline]
#1: (&sb->s_type->i_mutex_key#9){+.+.}, at: [<ffffffff98950ccd>]
do_truncate2+0xfd/0x1c0 fs/open.c:61
2 locks held by syz-executor550/1916:
#0: (sb_writers#4){.+.+}, at: [<ffffffff989c586a>] sb_start_write
include/linux/fs.h:1543 [inline]
#0: (sb_writers#4){.+.+}, at: [<ffffffff989c586a>]
mnt_want_write+0x3a/0xa0 fs/namespace.c:387
#1: (&sb->s_type->i_mutex_key#9){+.+.}, at: [<ffffffff98950ccd>]
inode_lock include/linux/fs.h:713 [inline]
#1: (&sb->s_type->i_mutex_key#9){+.+.}, at: [<ffffffff98950ccd>]
do_truncate2+0xfd/0x1c0 fs/open.c:61
2 locks held by syz-executor550/1917:
#0: (sb_writers#4){.+.+}, at: [<ffffffff9894ed9d>] file_start_write
include/linux/fs.h:2722 [inline]
#0: (sb_writers#4){.+.+}, at: [<ffffffff9894ed9d>]
vfs_fallocate+0x4dd/0x700 fs/open.c:327
#1: (&sb->s_type->i_mutex_key#9){+.+.}, at: [<ffffffff98b0b9f9>]
inode_lock include/linux/fs.h:713 [inline]
#1: (&sb->s_type->i_mutex_key#9){+.+.}, at: [<ffffffff98b0b9f9>]
ext4_fallocate+0x359/0x1c80 fs/ext4/extents.c:4965
3 locks held by syz-executor550/1918:
#0: (sb_writers#4){.+.+}, at: [<ffffffff989c5a6a>] sb_start_write
include/linux/fs.h:1543 [inline]
#0: (sb_writers#4){.+.+}, at: [<ffffffff989c5a6a>]
mnt_want_write_file+0xfa/0x300 fs/namespace.c:498
#1: (&sb->s_type->i_mutex_key#9){+.+.}, at: [<ffffffff989b1a3a>]
inode_lock include/linux/fs.h:713 [inline]
#1: (&sb->s_type->i_mutex_key#9){+.+.}, at: [<ffffffff989b1a3a>]
lock_two_nondirectories+0xca/0xf0 fs/inode.c:982
#2: (&sb->s_type->i_mutex_key#9/4){+.+.}, at: [<ffffffff989b1a22>]
inode_lock_nested include/linux/fs.h:748 [inline]
#2: (&sb->s_type->i_mutex_key#9/4){+.+.}, at: [<ffffffff989b1a22>]
lock_two_nondirectories+0xb2/0xf0 fs/inode.c:984
2 locks held by syz-executor550/1919:
#0: (sb_writers#4){.+.+}, at: [<ffffffff989c5a6a>] sb_start_write
include/linux/fs.h:1543 [inline]
#0: (sb_writers#4){.+.+}, at: [<ffffffff989c5a6a>]
mnt_want_write_file+0xfa/0x300 fs/namespace.c:498
#1: (&sb->s_type->i_mutex_key#9){+.+.}, at: [<ffffffff989b1a3a>]
inode_lock include/linux/fs.h:713 [inline]
#1: (&sb->s_type->i_mutex_key#9){+.+.}, at: [<ffffffff989b1a3a>]
lock_two_nondirectories+0xca/0xf0 fs/inode.c:982
2 locks held by init/1921:
#0: (sb_writers#4){.+.+}, at: [<ffffffff9895bed7>] file_start_write
include/linux/fs.h:2722 [inline]
#0: (sb_writers#4){.+.+}, at: [<ffffffff9895bed7>] vfs_write+0x3d7/0x4d0
fs/read_write.c:545
#1: (&sb->s_type->i_mutex_key#9){+.+.}, at: [<ffffffff98b15539>]
inode_trylock include/linux/fs.h:733 [inline]
#1: (&sb->s_type->i_mutex_key#9){+.+.}, at: [<ffffffff98b15539>]
ext4_file_write_iter+0x1b9/0xe20 fs/ext4/file.c:230

=============================================

NMI backtrace for cpu 1
CPU: 1 PID: 23 Comm: khungtaskd Not tainted 4.14.75+ #18
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0xb9/0x11b lib/dump_stack.c:53
nmi_cpu_backtrace.cold.0+0x47/0x85 lib/nmi_backtrace.c:101
nmi_trigger_cpumask_backtrace+0x121/0x146 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:138 [inline]
check_hung_uninterruptible_tasks kernel/hung_task.c:196 [inline]
watchdog+0x574/0xa70 kernel/hung_task.c:252
kthread+0x348/0x420 kernel/kthread.c:232
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:402
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 PID: 1912 Comm: syz-executor550 Not tainted 4.14.75+ #18
task: ffff8801cac59780 task.stack: ffff8801cac88000
RIP: 0010:__sanitizer_cov_trace_pc+0x28/0x60 kernel/kcov.c:68
RSP: 0018:ffff8801cac8f6e0 EFLAGS: 00000297
RAX: ffff8801cac59780 RBX: ffff8801cf761c80 RCX: 1ffff10039eec392
RDX: 0000000000000000 RSI: 00000000e2abfb99 RDI: ffff8801cf761c90
RBP: 00000000e2abfb99 R08: 00000000dc90bca5 R09: 0000000000000000
R10: ffff8801cac5a0a0 R11: 0000000000000001 R12: ffff8801cac8f8f8
R13: ffff8801c444a250 R14: ffff8801c444a060 R15: 0000000000008011
FS: 00007fe9f720c700(0000) GS:ffff8801dba00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fde259f0f80 CR3: 00000001cb71a005 CR4: 00000000001606b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
ext_depth fs/ext4/ext4_extents.h:189 [inline]
mext_check_coverage.constprop.2+0x156/0x3c0 fs/ext4/move_extent.c:109
move_extent_per_page fs/ext4/move_extent.c:333 [inline]
ext4_move_extents+0x17dc/0x2a10 fs/ext4/move_extent.c:681
ext4_ioctl+0x275c/0x35e0 fs/ext4/ioctl.c:765
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:500 [inline]
do_vfs_ioctl+0x1a0/0x1030 fs/ioctl.c:684
SYSC_ioctl fs/ioctl.c:701 [inline]
SyS_ioctl+0x7e/0xb0 fs/ioctl.c:692
do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x446619
RSP: 002b:00007fe9f720bda8 EFLAGS: 00000293 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000006dbc48 RCX: 0000000000446619
RDX: 0000000020000040 RSI: 00000000c028660f RDI: 0000000000000003
RBP: 00000000006dbc40 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 00000000006dbc4c
R13: 0030656c69662f2e R14: 00007fe9f720c9c0 R15: 00000000006dbd4c
Code: 90 90 90 65 48 8b 04 25 c0 de 01 00 48 85 c0 74 1a 65 8b 15 eb 20 91
67 81 e2 00 01 1f 00 75 0b 8b 90 a8 11 00 00 83 fa 01 74 01 <c3> 48 c7 c2
00 00 00 81 48 81 ea 00 00 40 98 48 03 14 24 48 8b


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
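The hung-task dumps above carry the information needed to triage the report without symbols: ORIG_RAX names the system call each blocked task was in, RSI carries the ioctl request number for the ioctl callers, RDX the open flags for the openat callers, and the frame directly above inode_lock/lock_two_nondirectories is the code path on which each task is waiting for the inode rwsem. The following script is an added example, not part of the syzbot report or the syzkaller project; it decodes those fields from the report's own lines. The syscall numbers are the standard x86_64 table (restricted to the values that appear here), the ioctl field layout is the asm-generic _IOC encoding, O_TRUNC is the x86_64 value, and the input is an excerpt of the first report above trimmed to the lines the parser reads.

```python
import re

# Subset of the x86_64 syscall table covering the ORIG_RAX values in this report.
SYSCALLS = {2: "open", 16: "ioctl", 85: "creat", 257: "openat", 285: "fallocate"}

# ioctl request layout (include/uapi/asm-generic/ioctl.h):
# bits 0-7 nr, 8-15 type, 16-29 argument size, 30-31 direction.
IOC_DIR = {0: "NONE", 1: "WRITE", 2: "READ", 3: "READ|WRITE"}
O_TRUNC = 0o1000  # x86_64 open(2) flag; it is what sends openat through do_truncate2

# VFS helpers that take the inode rwsem; the frame just above the last of them
# is the code path on which a hung task is waiting for the lock.
LOCK_WRAPPERS = {"inode_lock", "inode_lock_nested", "lock_two_nondirectories"}

BLOCKED_RE = re.compile(r"INFO: task (\S+):(\d+) blocked")
RUNNING_RE = re.compile(r"^CPU: \d+ PID: (\d+) Comm: (\S+)")  # NMI backtrace header
REG_RE = re.compile(r"\b(ORIG_RAX|RDI|RSI|RDX): ([0-9a-f]{16})")


def decode_ioctl(cmd):
    """Split an ioctl request number into its _IOC(dir, type, nr, size) fields."""
    return {"dir": IOC_DIR[(cmd >> 30) & 0x3], "size": (cmd >> 16) & 0x3fff,
            "type": chr((cmd >> 8) & 0xff), "nr": cmd & 0xff}


def frame_name(line):
    """'schedule+0x7f/0x1b0 kernel/sched/core.c:3490' -> 'schedule'; None otherwise."""
    if line.startswith("RIP: "):            # a kernel-mode RIP names the top frame
        line = line.split(":", 2)[-1].strip()
    tok = line.split()[0] if line else ""
    if "+0x" in tok or line.endswith("[inline]"):
        return tok.split("+")[0]
    return None


def lock_site(frames):
    idx = [i for i, f in enumerate(frames) if f in LOCK_WRAPPERS]
    return frames[idx[-1] + 1] if idx and idx[-1] + 1 < len(frames) else None


def parse_hung_task_report(log):
    """Return one dict per blocked task and per NMI-backtraced running task."""
    tasks, cur = [], None
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("Showing all locks held"):
            cur = None                      # lock-dump lines are not stack frames
            continue
        m = BLOCKED_RE.search(line) or RUNNING_RE.match(line)
        if m:
            blocked = m.re is BLOCKED_RE
            comm, pid = m.group(1, 2) if blocked else m.group(2, 1)
            cur = {"pid": int(pid), "comm": comm, "frames": [], "regs": {},
                   "state": "blocked" if blocked else "running"}
            tasks.append(cur)
            continue
        if cur is None:
            continue
        for name, val in REG_RE.findall(line):
            cur["regs"][name] = int(val, 16)
        name = frame_name(line)
        if name:
            cur["frames"].append(name)
    for t in tasks:
        nr = t["regs"].get("ORIG_RAX")
        t["syscall"] = SYSCALLS.get(nr, f"nr={nr}")
        t["lock_site"] = lock_site(t["frames"])
        if t["syscall"] == "ioctl":         # ioctl(fd=RDI, cmd=RSI, arg=RDX)
            t["ioctl"] = decode_ioctl(t["regs"]["RSI"])
        if t["syscall"] == "openat":        # openat(dirfd=RDI, path=RSI, flags=RDX)
            t["o_trunc"] = bool(t["regs"]["RDX"] & O_TRUNC)
    return tasks


# Constructed input: an excerpt of the report above, trimmed to the lines the parser uses.
SAMPLE = """\
INFO: task syz-executor550:1913 blocked for more than 140 seconds.
schedule+0x7f/0x1b0 kernel/sched/core.c:3490
inode_lock include/linux/fs.h:713 [inline]
do_truncate2+0xfd/0x1c0 fs/open.c:61
RSP: 002b:00007fe9f71eada8 EFLAGS: 00000297 ORIG_RAX: 0000000000000101
RDX: 000000000000275a RSI: 0000000020000080 RDI: 00000000ffffff9c
INFO: task syz-executor550:1917 blocked for more than 140 seconds.
inode_lock include/linux/fs.h:713 [inline]
ext4_fallocate+0x359/0x1c80 fs/ext4/extents.c:4965
RSP: 002b:00007fe9f7166da8 EFLAGS: 00000297 ORIG_RAX: 000000000000011d
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
INFO: task syz-executor550:1918 blocked for more than 140 seconds.
inode_lock_nested include/linux/fs.h:748 [inline]
lock_two_nondirectories+0xb2/0xf0 fs/inode.c:984
swap_inode_boot_loader fs/ext4/ioctl.c:120 [inline]
RSP: 002b:00007fe9f7145da8 EFLAGS: 00000297 ORIG_RAX: 0000000000000010
RDX: 00000000004028e4 RSI: 0000000000006611 RDI: 0000000000000004
INFO: task syz-executor550:1919 blocked for more than 140 seconds.
inode_lock include/linux/fs.h:713 [inline]
lock_two_nondirectories+0xca/0xf0 fs/inode.c:982
ext4_move_extents+0x4cf/0x2a10 fs/ext4/move_extent.c:609
RSP: 002b:00007fe9f7124da8 EFLAGS: 00000293 ORIG_RAX: 0000000000000010
RDX: 0000000020000040 RSI: 00000000c028660f RDI: 0000000000000003
Showing all locks held in the system:
#0: (sb_writers#4){.+.+}, at: [<ffffffff989c586a>] mnt_want_write+0x3a/0xa0
CPU: 0 PID: 1912 Comm: syz-executor550 Not tainted 4.14.75+ #18
RIP: 0010:__sanitizer_cov_trace_pc+0x28/0x60 kernel/kcov.c:68
mext_check_coverage.constprop.2+0x156/0x3c0 fs/ext4/move_extent.c:109
ext4_move_extents+0x17dc/0x2a10 fs/ext4/move_extent.c:681
RIP: 0033:0x446619
RSP: 002b:00007fe9f720bda8 EFLAGS: 00000293 ORIG_RAX: 0000000000000010
RDX: 0000000020000040 RSI: 00000000c028660f RDI: 0000000000000003
"""

if __name__ == "__main__":
    for t in parse_hung_task_report(SAMPLE):
        extra = t.get("ioctl") or ("O_TRUNC" if t.get("o_trunc") else "")
        print(f'{t["pid"]} {t["state"]:7} {t["syscall"]:9} lock site: {t["lock_site"]} {extra}')
```

Run on the excerpt, the openat callers (1913 and its siblings) carry O_TRUNC, which is why they reach do_truncate2 via handle_truncate; 1917 is in fallocate; 1918 is in an ioctl of type 'f', nr 17, which its trace shows as swap_inode_boot_loader; and 1919 is in type 'f', nr 15, size 40, the same request the trace shows as ext4_move_extents. The one task that is on a CPU rather than blocked, 1912, is running the same ioctl inside mext_check_coverage under ext4_move_extents, so that is the first place to look for why the inode lock the other tasks are waiting on is not being released.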

syzbot

Apr 14, 2019, 5:30:22 AM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: d7e64f80 ANDROID: x86_64_cuttlefish_defconfig: Enable F2FS
git tree: android-4.9
console output: https://syzkaller.appspot.com/x/log.txt?x=110700af800000
kernel config: https://syzkaller.appspot.com/x/.config?x=f99aced9dd6a7628
dashboard link: https://syzkaller.appspot.com/bug?extid=119112116796c4b3c214
compiler: gcc (GCC) 8.0.1 20180413 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+119112...@syzkaller.appspotmail.com

b_state=0x00000029, b_size=512
device loop0 blocksize: 4096
__find_get_block_slow() failed. block=2, b_blocknr=16
b_state=0x00000029, b_size=512
device loop0 blocksize: 4096
INFO: task syz-executor0:10099 blocked for more than 120 seconds.
Not tainted 4.9.105-gd7e64f8 #40
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor0 D29160 10099 3885 0x00000004
ffff880185466000 ffff88018ac03480 ffff8801d81d6a00 ffff880190e44800
0000000000000000 ffff8801854668c0 0000000600000007 ffff8801db2224e8
__find_get_block_slow() failed. block=2, b_blocknr=16
Call Trace:
b_state=0x00000029, b_size=512
[<ffffffff839ea21f>] schedule+0x7f/0x1b0 kernel/sched/core.c:3557
device loop0 blocksize: 4096
[<ffffffff839f5858>] __rwsem_down_write_failed_common
kernel/locking/rwsem-xadd.c:526 [inline]
[<ffffffff839f5858>] rwsem_down_write_failed+0x598/0x990
kernel/locking/rwsem-xadd.c:555
[<ffffffff81ee8487>] call_rwsem_down_write_failed+0x17/0x30
arch/x86/lib/rwsem.S:105
__find_get_block_slow() failed. block=2, b_blocknr=16
[<ffffffff839f362c>] __down_write arch/x86/include/asm/rwsem.h:125 [inline]
[<ffffffff839f362c>] down_write+0x5c/0xa0 kernel/locking/rwsem.c:54
b_state=0x00000029, b_size=512
[<ffffffff8156aaa8>] inode_lock include/linux/fs.h:766 [inline]
[<ffffffff8156aaa8>] do_truncate2+0x128/0x1f0 fs/open.c:61
device loop0 blocksize: 4096
[<ffffffff815a66ae>] handle_truncate fs/namei.c:2990 [inline]
[<ffffffff815a66ae>] do_last fs/namei.c:3419 [inline]
[<ffffffff815a66ae>] path_openat+0x251e/0x3590 fs/namei.c:3534
[<ffffffff815ab9e7>] do_filp_open+0x197/0x270 fs/namei.c:3568
__find_get_block_slow() failed. block=2, b_blocknr=16
b_state=0x00000029, b_size=512
[<ffffffff8156e1bd>] do_sys_open+0x30d/0x5c0 fs/open.c:1072
device loop0 blocksize: 4096
[<ffffffff8156e517>] SYSC_open fs/open.c:1090 [inline]
[<ffffffff8156e517>] SyS_open fs/open.c:1085 [inline]
[<ffffffff8156e517>] SYSC_creat fs/open.c:1110 [inline]
[<ffffffff8156e517>] SyS_creat+0x27/0x30 fs/open.c:1108
[<ffffffff81006316>] do_syscall_64+0x1a6/0x490 arch/x86/entry/common.c:282
[<ffffffff839f9b13>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
__find_get_block_slow() failed. block=2, b_blocknr=16

Showing all locks held in the system:
2 locks held by khungtaskd/519:
b_state=0x00000029, b_size=512
b_state=0x00000029, b_size=512
device loop0 blocksize: 4096
#0: (rcu_read_lock){......}, at: [<ffffffff81366b9c>]
check_hung_uninterruptible_tasks kernel/hung_task.c:168 [inline]
#0: (rcu_read_lock){......}, at: [<ffffffff81366b9c>] watchdog+0x11c/0xa20
kernel/hung_task.c:239
1 lock held by rsyslogd/3677:
__find_get_block_slow() failed. block=2, b_blocknr=16
#0: (&f->f_pos_lock){+.+.+.}, at: [<ffffffff815d83fc>]
__fdget_pos+0xac/0xd0 fs/file.c:781
2 locks held by getty/3772:
b_state=0x00000029, b_size=512
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff839f7cc2>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
device loop0 blocksize: 4096
#1: (&ldata->atomic_read_lock){+.+...}, at: [<ffffffff82120062>]
n_tty_read+0x202/0x16e0 drivers/tty/n_tty.c:2133
2 locks held by syz-executor0/10099:
#0: (sb_writers#11){.+.+.+}, at: [<ffffffff815e0c9f>] sb_start_write
include/linux/fs.h:1573 [inline]
#0: (sb_writers#11){.+.+.+}, at: [<ffffffff815e0c9f>]
mnt_want_write+0x3f/0xb0 fs/namespace.c:391
#1: (&sb->s_type->i_mutex_key#14){++++++}, at: [<ffffffff8156aaa8>]
inode_lock include/linux/fs.h:766 [inline]
#1: (&sb->s_type->i_mutex_key#14){++++++}, at: [<ffffffff8156aaa8>]
do_truncate2+0x128/0x1f0 fs/open.c:61
__find_get_block_slow() failed. block=2, b_blocknr=16
2 locks held by syz-executor0/10101:
b_state=0x00000029, b_size=512
#0: (sb_writers#11){.+.+.+}, at: [<ffffffff815e0c9f>] sb_start_write
include/linux/fs.h:1573 [inline]
#0: (sb_writers#11){.+.+.+}, at: [<ffffffff815e0c9f>]
mnt_want_write+0x3f/0xb0 fs/namespace.c:391
2 locks held by syz-executor0/10104:
device loop0 blocksize: 4096
#0: (sb_writers#11){.+.+.+}, at: [<ffffffff81568a1b>] sb_start_write
include/linux/fs.h:1573 [inline]
#0: (sb_writers#11){.+.+.+}, at: [<ffffffff81568a1b>]
vfs_fallocate+0x2fb/0x600 fs/open.c:328
2 locks held by syz-executor0/10107:
#0: (sb_writers#11){.+.+.+}, at: [<ffffffff815e0c9f>] sb_start_write
include/linux/fs.h:1573 [inline]
#0: (sb_writers#11){.+.+.+}, at: [<ffffffff815e0c9f>]
mnt_want_write+0x3f/0xb0 fs/namespace.c:391
#1: (&sb->s_type->i_mutex_key#14){++++++}, at: [<ffffffff8156aaa8>]
inode_lock include/linux/fs.h:766 [inline]
#1: (&sb->s_type->i_mutex_key#14){++++++}, at: [<ffffffff8156aaa8>]
do_truncate2+0x128/0x1f0 fs/open.c:61
1 lock held by init/10113:
#0: (tty_mutex){+.+.+.}, at: [<ffffffff8211a10c>] tty_open_by_driver
drivers/tty/tty_io.c:2047 [inline]
#0: (tty_mutex){+.+.+.}, at: [<ffffffff8211a10c>] tty_open+0x46c/0xe20
drivers/tty/tty_io.c:2125
__find_get_block_slow() failed. block=2, b_blocknr=16
1 lock held by init/10114:
#0: (tty_mutex){+.+.+.}, at: [<ffffffff8211a10c>] tty_open_by_driver
drivers/tty/tty_io.c:2047 [inline]
#0: (tty_mutex){+.+.+.}, at: [<ffffffff8211a10c>] tty_open+0x46c/0xe20
drivers/tty/tty_io.c:2125
b_state=0x00000029, b_size=512
1 lock held by init/10115:
#0: (tty_mutex){+.+.+.}, at: [<ffffffff8211a10c>] tty_open_by_driver
drivers/tty/tty_io.c:2047 [inline]
#0: (tty_mutex){+.+.+.}, at: [<ffffffff8211a10c>] tty_open+0x46c/0xe20
drivers/tty/tty_io.c:2125
device loop0 blocksize: 4096
1 lock held by init/10116:
#0: (tty_mutex){+.+.+.}, at: [<ffffffff8211a10c>] tty_open_by_driver
drivers/tty/tty_io.c:2047 [inline]
#0: (tty_mutex){+.+.+.}, at: [<ffffffff8211a10c>] tty_open+0x46c/0xe20
drivers/tty/tty_io.c:2125
1 lock held by init/10117:
#0: (tty_mutex){+.+.+.}, at: [<ffffffff8211a10c>] tty_open_by_driver
drivers/tty/tty_io.c:2047 [inline]
#0: (tty_mutex){+.+.+.}, at: [<ffffffff8211a10c>] tty_open+0x46c/0xe20
drivers/tty/tty_io.c:2125

=============================================

NMI backtrace for cpu 0
CPU: 0 PID: 519 Comm: khungtaskd Not tainted 4.9.105-gd7e64f8 #40
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
ffff8801d85d7d08 ffffffff81eb41a9 0000000000000000 0000000000000000
0000000000000000 0000000000000001 ffffffff810b96a0 ffff8801d85d7d40
ffffffff81ebf4a7 0000000000000000 0000000000000000 0000000000000003
__find_get_block_slow() failed. block=2, b_blocknr=16
Call Trace:
[<ffffffff81eb41a9>] __dump_stack lib/dump_stack.c:15 [inline]
[<ffffffff81eb41a9>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
b_state=0x00000029, b_size=512
device loop0 blocksize: 4096
[<ffffffff81ebf4a7>] nmi_cpu_backtrace.cold.2+0x48/0x87
lib/nmi_backtrace.c:99
__find_get_block_slow() failed. block=2, b_blocknr=16
[<ffffffff81ebf43a>] nmi_trigger_cpumask_backtrace+0x12a/0x14f
lib/nmi_backtrace.c:60
[<ffffffff810b97a4>] arch_trigger_cpumask_backtrace+0x14/0x20
arch/x86/kernel/apic/hw_nmi.c:37
b_state=0x00000029, b_size=512
[<ffffffff81367134>] trigger_all_cpu_backtrace include/linux/nmi.h:58
[inline]
[<ffffffff81367134>] check_hung_task kernel/hung_task.c:125 [inline]
[<ffffffff81367134>] check_hung_uninterruptible_tasks
kernel/hung_task.c:182 [inline]
[<ffffffff81367134>] watchdog+0x6b4/0xa20 kernel/hung_task.c:239
device loop0 blocksize: 4096
[<ffffffff8119d04d>] kthread+0x26d/0x300 kernel/kthread.c:211
[<ffffffff839f9cdc>] ret_from_fork+0x5c/0x70 arch/x86/entry/entry_64.S:373
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 10037 Comm: syz-executor0 Not tainted 4.9.105-gd7e64f8 #40
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
task: ffff8801d787c800 task.stack: ffff8801d6c60000
RIP: 0010:[<ffffffff810c2bfc>] [<ffffffff810c2bfc>]
native_apic_mem_write+0xc/0x10 arch/x86/include/asm/apic.h:98
RSP: 0018:ffff8801db307dc8 EFLAGS: 00000046
RAX: ffffffff810c2bf0 RBX: ffffffff84432860 RCX: 0000000000000020
RDX: 1ffffffff0886529 RSI: 00000000000000d2 RDI: 0000000000000380
RBP: ffff8801db307dc8 R08: ffff88021fffd058 R09: 0000000000000004
R10: ffffed0043fffa09 R11: 0000000000000001 R12: 00000000000000d2
R13: 1ffff1003b660fc0 R14: 0000000000000003 R15: ffff8801db307e60
FS: 00007f34666bb700(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f96ccd5c4c0 CR3: 00000001c1fed000 CR4: 00000000001606f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
ffff8801db307de8 ffffffff810b13c0 0000000000000003 ffff8801db3180c0
ffff8801db307e88 ffffffff812c72d4 00000000db307eb0 0000000041b58ab3
ffffffff843bdbe2 ffffffff812c7020 ffff8801db31c960 00000038bc8b6bd4
Call Trace:
<IRQ> [<ffffffff810b13c0>] apic_write arch/x86/include/asm/apic.h:398
[inline]
<IRQ> [<ffffffff810b13c0>] lapic_next_event+0x60/0x90
arch/x86/kernel/apic/apic.c:468
[<ffffffff812c72d4>] clockevents_program_event+0x2b4/0x3e0
kernel/time/clockevents.c:339
[<ffffffff812cbff4>] tick_program_event+0x104/0x190
kernel/time/tick-oneshot.c:47
[<ffffffff812a60f1>] hrtimer_interrupt+0x1e1/0x430
kernel/time/hrtimer.c:1366
[<ffffffff810b1e54>] local_apic_timer_interrupt+0x74/0xa0
arch/x86/kernel/apic/apic.c:935
[<ffffffff839ff2dc>] smp_apic_timer_interrupt+0x7c/0xa0
arch/x86/kernel/apic/apic.c:959
[<ffffffff839fb470>] apic_timer_interrupt+0xa0/0xb0
arch/x86/entry/entry_64.S:648
<EOI> [<ffffffff816246ea>] ? arch_local_irq_enable
arch/x86/include/asm/paravirt.h:778 [inline]
<EOI> [<ffffffff816246ea>] ? lookup_bh_lru fs/buffer.c:1344 [inline]
<EOI> [<ffffffff816246ea>] ? __find_get_block+0x18a/0x4c0
fs/buffer.c:1356
[<ffffffff816255a9>] __getblk_slow fs/buffer.c:1101 [inline]
[<ffffffff816255a9>] __getblk_gfp+0x189/0x710 fs/buffer.c:1386
[<ffffffff81628f4d>] __bread_gfp+0x2d/0x270 fs/buffer.c:1420
[<ffffffff818c4a70>] sb_bread include/linux/buffer_head.h:300 [inline]
[<ffffffff818c4a70>] fat_ent_bread+0x160/0x2f0 fs/fat/fatent.c:106
[<ffffffff818c676b>] fat_ent_read_block fs/fat/fatent.c:441 [inline]
[<ffffffff818c676b>] fat_alloc_clusters+0x51b/0xe10 fs/fat/fatent.c:489
[<ffffffff818d393f>] fat_add_cluster+0x6f/0xe0 fs/fat/inode.c:100
[<ffffffff818c80cc>] fat_fallocate+0x23c/0x2d0 fs/fat/file.c:262
[<ffffffff81568a79>] vfs_fallocate+0x359/0x600 fs/open.c:329
[<ffffffff8156b983>] SYSC_fallocate fs/open.c:352 [inline]
[<ffffffff8156b983>] SyS_fallocate+0x53/0x90 fs/open.c:346
[<ffffffff81006316>] do_syscall_64+0x1a6/0x490 arch/x86/entry/common.c:282
[<ffffffff839f9b13>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
Code: 00 0f 1f 40 00 66 2e 0f 1f 84 00 00 00 00 00 55 be 01 00 00 00 48 89
e5 e8 e2 2b 1b 00 5d c3 55 89 ff 48 89 e5 89 b7 00 c0 5f ff <5d> c3 66 90
48 b8 00 00 00 00 00 fc ff df 55 48 89 e5 53 89 fb
__find_get_block_slow() failed. block=2, b_blocknr=16
b_state=0x00000029, b_size=512
device loop0 blocksize: 4096
__find_get_block_slow() failed. block=2, b_blocknr=16
b_state=0x00000029, b_size=512
device loop0 blocksize: 4096

syzbot

Aug 31, 2019, 7:12:05 AM
to syzkaller-a...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.