INFO: task hung in tty_ioctl

syzbot

Apr 11, 2019, 8:01:02 PM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 4e76528b Merge 4.14.81 into android-4.14
git tree: android-4.14
console output: https://syzkaller.appspot.com/x/log.txt?x=1566f2d5400000
kernel config: https://syzkaller.appspot.com/x/.config?x=9e4a95e0186919ba
dashboard link: https://syzkaller.appspot.com/bug?extid=5de495773a78619a91c1
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=154b6fbd400000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16575f7b400000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+5de495...@syzkaller.appspotmail.com

INFO: task syz-executor556:2016 blocked for more than 140 seconds.
Not tainted 4.14.81+ #6
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor556 D29656 2016 1 0x00000000
Call Trace:
schedule+0x7f/0x1b0 kernel/sched/core.c:3490
schedule_timeout+0x710/0xe60 kernel/time/timer.c:1721
down_read_failed drivers/tty/tty_ldsem.c:242 [inline]
__ldsem_down_read_nested+0x2ca/0x5b0 drivers/tty/tty_ldsem.c:332
tty_ldisc_ref_wait+0x20/0x80 drivers/tty/tty_ldisc.c:275
tty_ioctl+0x4cb/0x13e0 drivers/tty/tty_io.c:2654
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:500 [inline]
do_vfs_ioctl+0x1a0/0x1030 fs/ioctl.c:684
SYSC_ioctl fs/ioctl.c:701 [inline]
SyS_ioctl+0x7e/0xb0 fs/ioctl.c:692
do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x440e79
RSP: 002b:00007ffed6d2fc48 EFLAGS: 00000217 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440e79
RDX: 0000000020000000 RSI: 0000000000001261 RDI: 0000000000000002
RBP: 0000000000000000 R08: 00000000004002c8 R09: 00000000004002c8
R10: 00000000ffffffff R11: 0000000000000217 R12: 000000000005cf10
R13: 0000000000401e50 R14: 0000000000000000 R15: 0000000000000000
INFO: task syz-executor556:2041 blocked for more than 140 seconds.
Not tainted 4.14.81+ #6
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor556 D29656 2041 1 0x00000000
Call Trace:
schedule+0x7f/0x1b0 kernel/sched/core.c:3490
schedule_timeout+0x710/0xe60 kernel/time/timer.c:1721
down_read_failed drivers/tty/tty_ldsem.c:242 [inline]
__ldsem_down_read_nested+0x2ca/0x5b0 drivers/tty/tty_ldsem.c:332
tty_ldisc_ref_wait+0x20/0x80 drivers/tty/tty_ldisc.c:275
tty_ioctl+0x4cb/0x13e0 drivers/tty/tty_io.c:2654
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:500 [inline]
do_vfs_ioctl+0x1a0/0x1030 fs/ioctl.c:684
SYSC_ioctl fs/ioctl.c:701 [inline]
SyS_ioctl+0x7e/0xb0 fs/ioctl.c:692
do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x440e79
RSP: 002b:00007ffed6d2fc48 EFLAGS: 00000217 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440e79
RDX: 0000000020000000 RSI: 0000000000001261 RDI: 0000000000000004
RBP: 0000000000000000 R08: 00000000004002c8 R09: 00000000004002c8
R10: 00000000ffffffff R11: 0000000000000217 R12: 000000000005cf1e
R13: 0000000000401e50 R14: 0000000000000000 R15: 0000000000000000
INFO: task syz-executor556:2092 blocked for more than 140 seconds.
Not tainted 4.14.81+ #6
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor556 D28712 2092 1 0x00000004
Call Trace:
schedule+0x7f/0x1b0 kernel/sched/core.c:3490
schedule_timeout+0x710/0xe60 kernel/time/timer.c:1721
down_read_failed drivers/tty/tty_ldsem.c:242 [inline]
__ldsem_down_read_nested+0x2ca/0x5b0 drivers/tty/tty_ldsem.c:332
tty_ldisc_ref_wait+0x20/0x80 drivers/tty/tty_ldisc.c:275
tty_ioctl+0x4cb/0x13e0 drivers/tty/tty_io.c:2654
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:500 [inline]
do_vfs_ioctl+0x1a0/0x1030 fs/ioctl.c:684
SYSC_ioctl fs/ioctl.c:701 [inline]
SyS_ioctl+0x7e/0xb0 fs/ioctl.c:692
do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x440e79
RSP: 002b:00007ffed6d2fc48 EFLAGS: 00000207 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440e79
RDX: 0000000020000000 RSI: 0000000000001261 RDI: 0000000000000005
RBP: 0000000000000000 R08: 00000000004002c8 R09: 00000000004002c8
R10: 00000000004002c8 R11: 0000000000000207 R12: 000000000005cf6e
R13: 0000000000401e50 R14: 0000000000000000 R15: 0000000000000000
INFO: task syz-executor556:2162 blocked for more than 140 seconds.
Not tainted 4.14.81+ #6
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor556 D29656 2162 1 0x00000000
Call Trace:
schedule+0x7f/0x1b0 kernel/sched/core.c:3490
schedule_timeout+0x710/0xe60 kernel/time/timer.c:1721
down_read_failed drivers/tty/tty_ldsem.c:242 [inline]
__ldsem_down_read_nested+0x2ca/0x5b0 drivers/tty/tty_ldsem.c:332
tty_ldisc_ref_wait+0x20/0x80 drivers/tty/tty_ldisc.c:275
tty_ioctl+0x4cb/0x13e0 drivers/tty/tty_io.c:2654
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:500 [inline]
do_vfs_ioctl+0x1a0/0x1030 fs/ioctl.c:684
SYSC_ioctl fs/ioctl.c:701 [inline]
SyS_ioctl+0x7e/0xb0 fs/ioctl.c:692
do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x440e79
RSP: 002b:00007ffed6d2fc48 EFLAGS: 00000217 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440e79
RDX: 0000000020000000 RSI: 0000000000001261 RDI: 0000000000000004
RBP: 0000000000000000 R08: 0000000b004002c8 R09: 0000000b004002c8
R10: 00000000ffffffff R11: 0000000000000217 R12: 000000000005d0cd
R13: 0000000000401e50 R14: 0000000000000000 R15: 0000000000000000
INFO: task syz-executor556:2368 blocked for more than 140 seconds.
Not tainted 4.14.81+ #6
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor556 D29752 2368 1 0x00000000
Call Trace:
schedule+0x7f/0x1b0 kernel/sched/core.c:3490
schedule_timeout+0x710/0xe60 kernel/time/timer.c:1721
down_read_failed drivers/tty/tty_ldsem.c:242 [inline]
__ldsem_down_read_nested+0x2ca/0x5b0 drivers/tty/tty_ldsem.c:332
tty_ldisc_ref_wait+0x20/0x80 drivers/tty/tty_ldisc.c:275
tty_ioctl+0x4cb/0x13e0 drivers/tty/tty_io.c:2654
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:500 [inline]
do_vfs_ioctl+0x1a0/0x1030 fs/ioctl.c:684
SYSC_ioctl fs/ioctl.c:701 [inline]
SyS_ioctl+0x7e/0xb0 fs/ioctl.c:692
do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x440e79
RSP: 002b:00007ffed6d2fc48 EFLAGS: 00000203 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440e79
RDX: 0000000020000000 RSI: 0000000000001261 RDI: 0000000000000002
RBP: 0000000000000000 R08: 00000000004002c8 R09: 00000000004002c8
R10: 00000000004002c8 R11: 0000000000000203 R12: 000000000005e1ac
R13: 0000000000401e50 R14: 0000000000000000 R15: 0000000000000000

Showing all locks held in the system:
1 lock held by khungtaskd/23:
#0: (tasklist_lock){.+.+}, at: [<ffffffffb74023b7>]
debug_show_all_locks+0x74/0x20f kernel/locking/lockdep.c:4541
2 locks held by getty/1762:
#0: (&tty->ldisc_sem){++++}, at: [<ffffffffb7f3cf30>]
tty_ldisc_ref_wait+0x20/0x80 drivers/tty/tty_ldisc.c:275
#1: (&ldata->atomic_read_lock){+.+.}, at: [<ffffffffb7f384af>]
n_tty_read+0x1ff/0x15e0 drivers/tty/n_tty.c:2142
2 locks held by syz-executor556/2013:
#0: (&tty->ldisc_sem){++++}, at: [<ffffffffb7f3cf30>]
tty_ldisc_ref_wait+0x20/0x80 drivers/tty/tty_ldisc.c:275
#1: (&ldata->atomic_read_lock){+.+.}, at: [<ffffffffb7f384af>]
n_tty_read+0x1ff/0x15e0 drivers/tty/n_tty.c:2142
1 lock held by syz-executor556/2016:
#0: (&tty->ldisc_sem){++++}, at: [<ffffffffb7f3cf30>]
tty_ldisc_ref_wait+0x20/0x80 drivers/tty/tty_ldisc.c:275
2 locks held by syz-executor556/2037:
#0: (&tty->ldisc_sem){++++}, at: [<ffffffffb7f3cf30>]
tty_ldisc_ref_wait+0x20/0x80 drivers/tty/tty_ldisc.c:275
#1: (&ldata->atomic_read_lock){+.+.}, at: [<ffffffffb7f384af>]
n_tty_read+0x1ff/0x15e0 drivers/tty/n_tty.c:2142
1 lock held by syz-executor556/2041:
#0: (&tty->ldisc_sem){++++}, at: [<ffffffffb7f3cf30>]
tty_ldisc_ref_wait+0x20/0x80 drivers/tty/tty_ldisc.c:275
1 lock held by syz-executor556/2092:
#0: (&tty->ldisc_sem){++++}, at: [<ffffffffb7f3cf30>]
tty_ldisc_ref_wait+0x20/0x80 drivers/tty/tty_ldisc.c:275
2 locks held by syz-executor556/2098:
#0: (&tty->ldisc_sem){++++}, at: [<ffffffffb7f3cf30>]
tty_ldisc_ref_wait+0x20/0x80 drivers/tty/tty_ldisc.c:275
#1: (&ldata->atomic_read_lock){+.+.}, at: [<ffffffffb7f384af>]
n_tty_read+0x1ff/0x15e0 drivers/tty/n_tty.c:2142
2 locks held by syz-executor556/2153:
#0: (&tty->ldisc_sem){++++}, at: [<ffffffffb7f3cf30>]
tty_ldisc_ref_wait+0x20/0x80 drivers/tty/tty_ldisc.c:275
#1: (&ldata->atomic_read_lock){+.+.}, at: [<ffffffffb7f384af>]
n_tty_read+0x1ff/0x15e0 drivers/tty/n_tty.c:2142
1 lock held by syz-executor556/2162:
#0: (&tty->ldisc_sem){++++}, at: [<ffffffffb7f3cf30>]
tty_ldisc_ref_wait+0x20/0x80 drivers/tty/tty_ldisc.c:275
2 locks held by syz-executor556/2181:
#0: (&tty->ldisc_sem){++++}, at: [<ffffffffb7f3cf30>]
tty_ldisc_ref_wait+0x20/0x80 drivers/tty/tty_ldisc.c:275
#1: (&ldata->atomic_read_lock){+.+.}, at: [<ffffffffb7f384af>]
n_tty_read+0x1ff/0x15e0 drivers/tty/n_tty.c:2142
1 lock held by syz-executor556/2368:
#0: (&tty->ldisc_sem){++++}, at: [<ffffffffb7f3cf30>]
tty_ldisc_ref_wait+0x20/0x80 drivers/tty/tty_ldisc.c:275
2 locks held by syz-executor556/2369:
#0: (&tty->ldisc_sem){++++}, at: [<ffffffffb7f3cf30>]
tty_ldisc_ref_wait+0x20/0x80 drivers/tty/tty_ldisc.c:275
#1: (&ldata->atomic_read_lock){+.+.}, at: [<ffffffffb7f384af>]
n_tty_read+0x1ff/0x15e0 drivers/tty/n_tty.c:2142
1 lock held by syz-executor556/3498:
#0: (&tty->ldisc_sem){++++}, at: [<ffffffffb7f3cf30>]
tty_ldisc_ref_wait+0x20/0x80 drivers/tty/tty_ldisc.c:275
1 lock held by syz-executor556/3503:
#0: (&tty->ldisc_sem){++++}, at: [<ffffffffb7f3cf30>]
tty_ldisc_ref_wait+0x20/0x80 drivers/tty/tty_ldisc.c:275
2 locks held by syz-executor556/3504:
#0: (&tty->ldisc_sem){++++}, at: [<ffffffffb7f3cf30>]
tty_ldisc_ref_wait+0x20/0x80 drivers/tty/tty_ldisc.c:275
#1: (&ldata->atomic_read_lock){+.+.}, at: [<ffffffffb7f384af>]
n_tty_read+0x1ff/0x15e0 drivers/tty/n_tty.c:2142
2 locks held by syz-executor556/3505:
#0: (&tty->legacy_mutex){+.+.}, at: [<ffffffffb7f428ed>]
tty_lock+0x5d/0x70 drivers/tty/tty_mutex.c:19
#1: (&tty->ldisc_sem){++++}, at: [<ffffffffb7f3d949>] __tty_ldisc_lock
drivers/tty/tty_ldisc.c:323 [inline]
#1: (&tty->ldisc_sem){++++}, at: [<ffffffffb7f3d949>]
tty_ldisc_lock+0x19/0x40 drivers/tty/tty_ldisc.c:342
1 lock held by syz-executor556/3508:
#0: (&tty->ldisc_sem){++++}, at: [<ffffffffb7f3cf30>]
tty_ldisc_ref_wait+0x20/0x80 drivers/tty/tty_ldisc.c:275
2 locks held by syz-executor556/3509:
#0: (&tty->legacy_mutex){+.+.}, at: [<ffffffffb7f428ed>]
tty_lock+0x5d/0x70 drivers/tty/tty_mutex.c:19
#1: (&tty->ldisc_sem){++++}, at: [<ffffffffb7f3d949>] __tty_ldisc_lock
drivers/tty/tty_ldisc.c:323 [inline]
#1: (&tty->ldisc_sem){++++}, at: [<ffffffffb7f3d949>]
tty_ldisc_lock+0x19/0x40 drivers/tty/tty_ldisc.c:342
2 locks held by syz-executor556/3510:
#0: (&tty->ldisc_sem){++++}, at: [<ffffffffb7f3cf30>]
tty_ldisc_ref_wait+0x20/0x80 drivers/tty/tty_ldisc.c:275
#1: (&ldata->atomic_read_lock){+.+.}, at: [<ffffffffb7f384af>]
n_tty_read+0x1ff/0x15e0 drivers/tty/n_tty.c:2142
1 lock held by syz-executor556/3513:
#0: (&tty->ldisc_sem){++++}, at: [<ffffffffb7f3cf30>]
tty_ldisc_ref_wait+0x20/0x80 drivers/tty/tty_ldisc.c:275
2 locks held by syz-executor556/3514:
#0: (&tty->ldisc_sem){++++}, at: [<ffffffffb7f3cf30>]
tty_ldisc_ref_wait+0x20/0x80 drivers/tty/tty_ldisc.c:275
#1: (&ldata->atomic_read_lock){+.+.}, at: [<ffffffffb7f384af>]
n_tty_read+0x1ff/0x15e0 drivers/tty/n_tty.c:2142
2 locks held by syz-executor556/3515:
#0: (&tty->legacy_mutex){+.+.}, at: [<ffffffffb7f428ed>]
tty_lock+0x5d/0x70 drivers/tty/tty_mutex.c:19
#1: (&tty->ldisc_sem){++++}, at: [<ffffffffb7f3d949>] __tty_ldisc_lock
drivers/tty/tty_ldisc.c:323 [inline]
#1: (&tty->ldisc_sem){++++}, at: [<ffffffffb7f3d949>]
tty_ldisc_lock+0x19/0x40 drivers/tty/tty_ldisc.c:342
1 lock held by syz-executor556/3518:
#0: (&tty->ldisc_sem){++++}, at: [<ffffffffb7f3cf30>]
tty_ldisc_ref_wait+0x20/0x80 drivers/tty/tty_ldisc.c:275
2 locks held by syz-executor556/3519:
#0: (&tty->ldisc_sem){++++}, at: [<ffffffffb7f3cf30>]
tty_ldisc_ref_wait+0x20/0x80 drivers/tty/tty_ldisc.c:275
#1: (&ldata->atomic_read_lock){+.+.}, at: [<ffffffffb7f384af>]
n_tty_read+0x1ff/0x15e0 drivers/tty/n_tty.c:2142
2 locks held by syz-executor556/3520:
#0: (&tty->legacy_mutex){+.+.}, at: [<ffffffffb7f428ed>]
tty_lock+0x5d/0x70 drivers/tty/tty_mutex.c:19
#1: (&tty->ldisc_sem){++++}, at: [<ffffffffb7f3d949>] __tty_ldisc_lock
drivers/tty/tty_ldisc.c:323 [inline]
#1: (&tty->ldisc_sem){++++}, at: [<ffffffffb7f3d949>]
tty_ldisc_lock+0x19/0x40 drivers/tty/tty_ldisc.c:342

=============================================

NMI backtrace for cpu 1
CPU: 1 PID: 23 Comm: khungtaskd Not tainted 4.14.81+ #6
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0xb9/0x11b lib/dump_stack.c:53
nmi_cpu_backtrace.cold.0+0x47/0x85 lib/nmi_backtrace.c:101
nmi_trigger_cpumask_backtrace+0x121/0x146 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:138 [inline]
check_hung_uninterruptible_tasks kernel/hung_task.c:196 [inline]
watchdog+0x574/0xa70 kernel/hung_task.c:252
kthread+0x348/0x420 kernel/kthread.c:232
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:402
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 PID: 2183 Comm: syz-executor556 Not tainted 4.14.81+ #6
task: ffff8801cb1a9780 task.stack: ffff8801cb0f0000
RIP: 0010:entry_SYSCALL_64_after_hwframe+0x4b/0xb7
RSP: 0018:ffff8801cb0f7f58 EFLAGS: 00000097
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 1ffff100396352f1 RSI: 0000000000000000 RDI: ffff8801cb1a9788
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS: 0000000000d38880(0000) GS:ffff8801dba00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fffa72c5e30 CR3: 00000001cb21e005 CR4: 00000000001606b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
RIP: 0033:0x400f7a
RSP: 002b:00007ffed6d2fad8 EFLAGS: 00000246 ORIG_RAX: 000000000000003d
RAX: fffffffffffffff6 RBX: 00000000ffffffff RCX: 0000000000400f7a
RDX: 0000000040000000 RSI: 00007ffed6d2fc54 RDI: ffffffffffffffff
RBP: 0000000000000003 R08: 00000000004002c8 R09: 00000000004002c8
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffed6d2fc54
R13: 00000000ffffffff R14: 0000000000000000 R15: 0000000000000000
Code: ed 41 54 45 31 e4 41 55 45 31 ed 41 56 45 31 f6 41 57 45 31 ff e8 e7
20 60 fe 48 89 e7 e8 5a 4f 60 fe 0f ba a4 24 90 00 00 00 09 <73> 05 e8 b3
20 60 fe 48 8b 4c 24 58 4c 8b 9c 24 80 00 00 00 49


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches

syzbot

Apr 12, 2019, 8:00:54 PM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 498bf612 ANDROID: zram: set comp_len to PAGE_SIZE when pag..
git tree: android-4.4
console output: https://syzkaller.appspot.com/x/log.txt?x=17786ed5400000
kernel config: https://syzkaller.appspot.com/x/.config?x=91537011cdb01073
dashboard link: https://syzkaller.appspot.com/bug?extid=0abf5d62080d3b54c78c
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15273e2b400000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10312783400000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+0abf5d...@syzkaller.appspotmail.com

INFO: task syz-executor461:2508 blocked for more than 140 seconds.
Not tainted 4.4.163+ #122
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor461 D ffff8801d1e278e0 29712 2508 1 0x00000000
ffff8801d1e278e0 0000000000000000 ffff8801d1d1d048 ffffffff83acc0a0
ffff8801d1d1cf00 ffff8801db71f180 ffff8801db71f1a8 ffff8801db71e898
ffff8801db71e880 ffff8801d2a15f00 ffff8801d1d1c740 0000000000000000
Call Trace:
[<ffffffff8270485a>] schedule+0x7a/0x1b0 kernel/sched/core.c:3355
[<ffffffff8270f6b1>] schedule_timeout+0x481/0x7b0 kernel/time/timer.c:1515
[<ffffffff82711054>] down_read_failed+0x294/0x580
drivers/tty/tty_ldsem.c:241
[<ffffffff827113d4>] __ldsem_down_read_nested drivers/tty/tty_ldsem.c:332
[inline]
[<ffffffff827113d4>] ldsem_down_read+0x94/0xc0 drivers/tty/tty_ldsem.c:367
[<ffffffff81c965fb>] tty_ldisc_ref_wait+0x2b/0xb0
drivers/tty/tty_ldisc.c:263
[<ffffffff81c7fd27>] tty_ioctl+0x3a7/0x2090 drivers/tty/tty_io.c:2988
[<ffffffff814cbbbf>] vfs_ioctl fs/ioctl.c:43 [inline]
[<ffffffff814cbbbf>] file_ioctl fs/ioctl.c:470 [inline]
[<ffffffff814cbbbf>] do_vfs_ioctl+0x63f/0xf40 fs/ioctl.c:605
[<ffffffff814cc54f>] SYSC_ioctl fs/ioctl.c:622 [inline]
[<ffffffff814cc54f>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:613
[<ffffffff827123e1>] entry_SYSCALL_64_fastpath+0x1e/0x9a
1 lock held by syz-executor461/2508:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff81c965fb>]
tty_ldisc_ref_wait+0x2b/0xb0 drivers/tty/tty_ldisc.c:263
Sending NMI to all CPUs:
NMI backtrace for cpu 0
CPU: 0 PID: 20 Comm: khungtaskd Not tainted 4.4.163+ #122
task: ffff8801da6f4740 task.stack: ffff8800001c8000
RIP: 0010:[<ffffffff8109c2d6>] [<ffffffff8109c2d6>] native_apic_mem_write
arch/x86/include/asm/apic.h:93 [inline]
RIP: 0010:[<ffffffff8109c2d6>] [<ffffffff8109c2d6>]
__default_send_IPI_dest_field arch/x86/include/asm/ipi.h:119 [inline]
RIP: 0010:[<ffffffff8109c2d6>] [<ffffffff8109c2d6>] _flat_send_IPI_mask
arch/x86/kernel/apic/apic_flat_64.c:61 [inline]
RIP: 0010:[<ffffffff8109c2d6>] [<ffffffff8109c2d6>]
flat_send_IPI_mask+0xf6/0x1a0 arch/x86/kernel/apic/apic_flat_64.c:69
RSP: 0018:ffff8800001cfcc8 EFLAGS: 00000046
RAX: 0000000000000000 RBX: 0000000000000c00 RCX: 0000000000000000
RDX: 0000000000000c00 RSI: 0000000000000000 RDI: ffffffffff5fc300
RBP: ffff8800001cfcf0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000246
R13: 0000000003000000 R14: ffffffff82e5f3a0 R15: 0000000000000002
FS: 0000000000000000(0000) GS:ffff8801db600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000414ba0 CR3: 00000001d1b46000 CR4: 00000000001606b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
ffffffff82e5f3a0 ffffffff831a4760 0000000000000007 fffffbfff06347cc
0000000000000008 ffff8800001cfd10 ffffffff81093701 ffffffff829220a0
0000000000000003 ffff8800001cfd68 ffffffff81ab041e ffffffff813a7cfd
Call Trace:
[<ffffffff81093701>] nmi_raise_cpu_backtrace+0x61/0x80
arch/x86/kernel/apic/hw_nmi.c:33
[<ffffffff81ab041e>] nmi_trigger_all_cpu_backtrace.cold.0+0x70/0xae
lib/nmi_backtrace.c:85
[<ffffffff810937a4>] arch_trigger_all_cpu_backtrace+0x14/0x20
arch/x86/kernel/apic/hw_nmi.c:38
[<ffffffff813b13e9>] trigger_all_cpu_backtrace include/linux/nmi.h:44
[inline]
[<ffffffff813b13e9>] check_hung_task kernel/hung_task.c:125 [inline]
[<ffffffff813b13e9>] check_hung_uninterruptible_tasks
kernel/hung_task.c:182 [inline]
[<ffffffff813b13e9>] watchdog.cold.0+0xd3/0xee kernel/hung_task.c:238
[<ffffffff811340d8>] kthread+0x268/0x300 kernel/kthread.c:211
[<ffffffff827127c5>] ret_from_fork+0x55/0x80 arch/x86/entry/entry_64.S:510
Code: 00 c3 5f ff 80 e6 10 75 e1 41 c1 e5 18 44 89 2c 25 10 c3 5f ff 44 89
fa 09 da 80 cf 04 41 83 ff 02 0f 44 d3 89 14 25 00 c3 5f ff <41> f7 c4 00
02 00 00 75 1a 4c 89 e7 57 9d 0f 1f 44 00 00 e8 c2
NMI backtrace for cpu 1
CPU: 1 PID: 2201 Comm: syz-executor461 Not tainted 4.4.163+ #122
task: ffff8801d2a15f00 task.stack: ffff8801d2e08000
RIP: 0010:[<ffffffff8120c44f>] [<ffffffff8120c44f>] __read_once_size
include/linux/compiler.h:218 [inline]
RIP: 0010:[<ffffffff8120c44f>] [<ffffffff8120c44f>] atomic_read
arch/x86/include/asm/atomic.h:26 [inline]
RIP: 0010:[<ffffffff8120c44f>] [<ffffffff8120c44f>] queued_spin_is_locked
include/asm-generic/qspinlock.h:48 [inline]
RIP: 0010:[<ffffffff8120c44f>] [<ffffffff8120c44f>] debug_spin_unlock
kernel/locking/spinlock_debug.c:98 [inline]
RIP: 0010:[<ffffffff8120c44f>] [<ffffffff8120c44f>]
do_raw_spin_unlock+0x5f/0x210 kernel/locking/spinlock_debug.c:158
RSP: 0018:ffff8801d2e0fd10 EFLAGS: 00000806
RAX: ffff8801d3327920 RBX: ffff8801d3327920 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8801d3327924
RBP: ffff8801d2e0fd28 R08: ffff8801d2e0fee0 R09: 0000000000000001
R10: 0000000000000000 R11: 0000000000000001 R12: ffff8801d3327920
R13: ffff8801d2e0fee8 R14: ffff8801d3327920 R15: ffff8801d3327958
FS: 0000000000d04880(0063) GS:ffff8801db700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fe2e3130000 CR3: 00000001d32b7000 CR4: 00000000001606b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
0000000000000286 ffff8801d3327920 ffff8801d2e0fee8 ffff8801d2e0fd48
ffffffff82711857 ffff8801d2e0fec8 ffff8801d2e0fee0 ffff8801d2e0fd90
ffffffff811e6a81 ffff8801d2a15ef0 0000000000000286 fffffffffffffff6
Call Trace:
[<ffffffff82711857>] __raw_spin_unlock_irqrestore
include/linux/spinlock_api_smp.h:161 [inline]
[<ffffffff82711857>] _raw_spin_unlock_irqrestore+0x27/0x70
kernel/locking/spinlock.c:191
[<ffffffff811e6a81>] spin_unlock_irqrestore include/linux/spinlock.h:362
[inline]
[<ffffffff811e6a81>] remove_wait_queue+0x111/0x1b0 kernel/sched/wait.c:51
[<ffffffff810ded89>] do_wait+0x429/0xa30 kernel/exit.c:1534
[<ffffffff810dfc0b>] SYSC_wait4 kernel/exit.c:1641 [inline]
[<ffffffff810dfc0b>] SyS_wait4+0x12b/0x1f0 kernel/exit.c:1606
[<ffffffff827123e1>] entry_SYSCALL_64_fastpath+0x1e/0x9a
Code: 0f 85 a2 01 00 00 81 7b 04 ad 4e ad de 0f 85 5a 01 00 00 48 b8 00 00
00 00 00 fc ff df 48 89 da 48 c1 ea 03 0f b6 14 02 48 89 d8 <83> e0 07 83
c0 03 38 d0 7c 08 84 d2 0f 85 5e 01 00 00 8b 03 85

syzbot

Apr 13, 2019, 8:00:32 PM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 109a48ed ANDROID: zram: set comp_len to PAGE_SIZE when pag..
git tree: android-4.9
console output: https://syzkaller.appspot.com/x/log.txt?x=142dd093400000
kernel config: https://syzkaller.appspot.com/x/.config?x=13558268b29d9d4a
dashboard link: https://syzkaller.appspot.com/bug?extid=90fc10fea6bee3d02fdf
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10c28ed5400000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1309e015400000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+90fc10...@syzkaller.appspotmail.com

INFO: task syz-executor688:2175 blocked for more than 140 seconds.
Not tainted 4.9.135+ #117
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor688 D29976 2175 1 0x00000000
ffff8801cb57df00 ffff8801cb4e5d80 ffff8801cb4e5d80 ffff8801cb5797c0
ffff8801db721018 ffff8801cacf7840 ffffffff82806912 0000000000000000
ffffffff83cc4350 0000000000000000 00000000000044ad ffff8801db7218f0
Call Trace:
[<ffffffff82807e3f>] schedule+0x7f/0x1b0 kernel/sched/core.c:3553
[<ffffffff828135e5>] schedule_timeout+0x735/0xe20 kernel/time/timer.c:1771
[<ffffffff81d42f5c>] down_read_failed drivers/tty/tty_ldsem.c:241 [inline]
[<ffffffff81d42f5c>] __ldsem_down_read_nested+0x33c/0x610
drivers/tty/tty_ldsem.c:332
[<ffffffff82814c62>] ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
[<ffffffff81d3c8b5>] tty_ldisc_ref_wait+0x25/0x80
drivers/tty/tty_ldisc.c:275
[<ffffffff81d28286>] tty_ioctl+0x3b6/0x2190 drivers/tty/tty_io.c:3009
[<ffffffff81546ddc>] vfs_ioctl fs/ioctl.c:43 [inline]
[<ffffffff81546ddc>] file_ioctl fs/ioctl.c:493 [inline]
[<ffffffff81546ddc>] do_vfs_ioctl+0x1ac/0x11a0 fs/ioctl.c:677
[<ffffffff81547e5f>] SYSC_ioctl fs/ioctl.c:694 [inline]
[<ffffffff81547e5f>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
[<ffffffff810056ef>] do_syscall_64+0x19f/0x550 arch/x86/entry/common.c:285
[<ffffffff82816b93>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb

Showing all locks held in the system:
2 locks held by khungtaskd/24:
#0: (rcu_read_lock){......}, at: [<ffffffff8131bb4c>]
check_hung_uninterruptible_tasks kernel/hung_task.c:168 [inline]
#0: (rcu_read_lock){......}, at: [<ffffffff8131bb4c>]
watchdog+0x11c/0xa20 kernel/hung_task.c:239
#1: (tasklist_lock){.+.+..}, at: [<ffffffff813fe314>]
debug_show_all_locks+0x79/0x218 kernel/locking/lockdep.c:4336
1 lock held by rsyslogd/1893:
#0: (&f->f_pos_lock){+.+.+.}, at: [<ffffffff8156cc6c>]
__fdget_pos+0xac/0xd0 fs/file.c:781
2 locks held by getty/2021:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
#1: (&ldata->atomic_read_lock){+.+...}, at: [<ffffffff81d36fc2>]
n_tty_read+0x202/0x16e0 drivers/tty/n_tty.c:2142
2 locks held by syz-executor688/2172:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
#1: (&ldata->atomic_read_lock){+.+...}, at: [<ffffffff81d36fc2>]
n_tty_read+0x202/0x16e0 drivers/tty/n_tty.c:2142
1 lock held by syz-executor688/2175:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
2 locks held by syz-executor688/2208:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
#1: (&ldata->atomic_read_lock){+.+...}, at: [<ffffffff81d36fc2>]
n_tty_read+0x202/0x16e0 drivers/tty/n_tty.c:2142
1 lock held by syz-executor688/2211:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
2 locks held by syz-executor688/2233:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
#1: (&ldata->atomic_read_lock){+.+...}, at: [<ffffffff81d36fc2>]
n_tty_read+0x202/0x16e0 drivers/tty/n_tty.c:2142
1 lock held by syz-executor688/2235:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
2 locks held by syz-executor688/2238:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
#1: (&ldata->atomic_read_lock){+.+...}, at: [<ffffffff81d36fc2>]
n_tty_read+0x202/0x16e0 drivers/tty/n_tty.c:2142
2 locks held by syz-executor688/2257:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
#1: (&ldata->atomic_read_lock){+.+...}, at: [<ffffffff81d36fc2>]
n_tty_read+0x202/0x16e0 drivers/tty/n_tty.c:2142
1 lock held by syz-executor688/2259:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
2 locks held by syz-executor688/2287:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
#1: (&ldata->atomic_read_lock){+.+...}, at: [<ffffffff81d36fc2>]
n_tty_read+0x202/0x16e0 drivers/tty/n_tty.c:2142
1 lock held by syz-executor688/2289:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
2 locks held by syz-executor688/2372:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
#1: (&ldata->atomic_read_lock){+.+...}, at: [<ffffffff81d36fc2>]
n_tty_read+0x202/0x16e0 drivers/tty/n_tty.c:2142
1 lock held by syz-executor688/2375:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
2 locks held by syz-executor688/2397:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
#1: (&ldata->atomic_read_lock){+.+...}, at: [<ffffffff81d36fc2>]
n_tty_read+0x202/0x16e0 drivers/tty/n_tty.c:2142
1 lock held by syz-executor688/2399:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
2 locks held by syz-executor688/2427:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
#1: (&ldata->atomic_read_lock){+.+...}, at: [<ffffffff81d36fc2>]
n_tty_read+0x202/0x16e0 drivers/tty/n_tty.c:2142
1 lock held by syz-executor688/2429:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
2 locks held by syz-executor688/2444:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
#1: (&ldata->atomic_read_lock){+.+...}, at: [<ffffffff81d36fc2>]
n_tty_read+0x202/0x16e0 drivers/tty/n_tty.c:2142
1 lock held by syz-executor688/2447:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
2 locks held by syz-executor688/2463:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
#1: (&ldata->atomic_read_lock){+.+...}, at: [<ffffffff81d36fc2>]
n_tty_read+0x202/0x16e0 drivers/tty/n_tty.c:2142
1 lock held by syz-executor688/2465:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
2 locks held by syz-executor688/2480:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
#1: (&ldata->atomic_read_lock){+.+...}, at: [<ffffffff81d36fc2>]
n_tty_read+0x202/0x16e0 drivers/tty/n_tty.c:2142
1 lock held by syz-executor688/2483:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
2 locks held by syz-executor688/2523:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
#1: (&ldata->atomic_read_lock){+.+...}, at: [<ffffffff81d36fc2>]
n_tty_read+0x202/0x16e0 drivers/tty/n_tty.c:2142
1 lock held by syz-executor688/2525:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
2 locks held by syz-executor688/2567:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
#1: (&ldata->atomic_read_lock){+.+...}, at: [<ffffffff81d36fc2>]
n_tty_read+0x202/0x16e0 drivers/tty/n_tty.c:2142
1 lock held by syz-executor688/2569:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
2 locks held by syz-executor688/2591:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
#1: (&ldata->atomic_read_lock){+.+...}, at: [<ffffffff81d36fc2>]
n_tty_read+0x202/0x16e0 drivers/tty/n_tty.c:2142
1 lock held by syz-executor688/2593:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
2 locks held by syz-executor688/2608:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
#1: (&ldata->atomic_read_lock){+.+...}, at: [<ffffffff81d36fc2>]
n_tty_read+0x202/0x16e0 drivers/tty/n_tty.c:2142
1 lock held by syz-executor688/2611:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
2 locks held by syz-executor688/2621:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
#1: (&ldata->atomic_read_lock){+.+...}, at: [<ffffffff81d36fc2>]
n_tty_read+0x202/0x16e0 drivers/tty/n_tty.c:2142
1 lock held by syz-executor688/2623:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
2 locks held by syz-executor688/2651:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
#1: (&ldata->atomic_read_lock){+.+...}, at: [<ffffffff81d36fc2>]
n_tty_read+0x202/0x16e0 drivers/tty/n_tty.c:2142
1 lock held by syz-executor688/2653:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
2 locks held by syz-executor688/2682:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
#1: (&ldata->atomic_read_lock){+.+...}, at: [<ffffffff81d36fc2>]
n_tty_read+0x202/0x16e0 drivers/tty/n_tty.c:2142
1 lock held by syz-executor688/2684:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
2 locks held by syz-executor688/2712:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
#1: (&ldata->atomic_read_lock){+.+...}, at: [<ffffffff81d36fc2>]
n_tty_read+0x202/0x16e0 drivers/tty/n_tty.c:2142
1 lock held by syz-executor688/2714:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
2 locks held by syz-executor688/2736:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
#1: (&ldata->atomic_read_lock){+.+...}, at: [<ffffffff81d36fc2>]
n_tty_read+0x202/0x16e0 drivers/tty/n_tty.c:2142
1 lock held by syz-executor688/2738:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
2 locks held by syz-executor688/2760:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
#1: (&ldata->atomic_read_lock){+.+...}, at: [<ffffffff81d36fc2>]
n_tty_read+0x202/0x16e0 drivers/tty/n_tty.c:2142
1 lock held by syz-executor688/2762:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
2 locks held by syz-executor688/2790:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
#1: (&ldata->atomic_read_lock){+.+...}, at: [<ffffffff81d36fc2>]
n_tty_read+0x202/0x16e0 drivers/tty/n_tty.c:2142
1 lock held by syz-executor688/2792:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
2 locks held by syz-executor688/2814:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
#1: (&ldata->atomic_read_lock){+.+...}, at: [<ffffffff81d36fc2>]
n_tty_read+0x202/0x16e0 drivers/tty/n_tty.c:2142
1 lock held by syz-executor688/2816:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
2 locks held by syz-executor688/2838:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
#1: (&ldata->atomic_read_lock){+.+...}, at: [<ffffffff81d36fc2>]
n_tty_read+0x202/0x16e0 drivers/tty/n_tty.c:2142
1 lock held by syz-executor688/2840:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
2 locks held by syz-executor688/2873:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
#1: (&ldata->atomic_read_lock){+.+...}, at: [<ffffffff81d36fc2>]
n_tty_read+0x202/0x16e0 drivers/tty/n_tty.c:2142
1 lock held by syz-executor688/2876:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
2 locks held by syz-executor688/2897:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
#1: (&ldata->atomic_read_lock){+.+...}, at: [<ffffffff81d36fc2>]
n_tty_read+0x202/0x16e0 drivers/tty/n_tty.c:2142
1 lock held by syz-executor688/2900:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
2 locks held by syz-executor688/2924:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
#1: (&ldata->atomic_read_lock){+.+...}, at: [<ffffffff81d36fc2>]
n_tty_read+0x202/0x16e0 drivers/tty/n_tty.c:2142
1 lock held by syz-executor688/2926:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
2 locks held by syz-executor688/2978:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
#1: (&ldata->atomic_read_lock){+.+...}, at: [<ffffffff81d36fc2>]
n_tty_read+0x202/0x16e0 drivers/tty/n_tty.c:2142
1 lock held by syz-executor688/2980:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
2 locks held by syz-executor688/3002:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
#1: (&ldata->atomic_read_lock){+.+...}, at: [<ffffffff81d36fc2>]
n_tty_read+0x202/0x16e0 drivers/tty/n_tty.c:2142
1 lock held by syz-executor688/3004:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
2 locks held by syz-executor688/3020:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
#1: (&ldata->atomic_read_lock){+.+...}, at: [<ffffffff81d36fc2>]
n_tty_read+0x202/0x16e0 drivers/tty/n_tty.c:2142
1 lock held by syz-executor688/3022:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
2 locks held by syz-executor688/3062:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
#1: (&ldata->atomic_read_lock){+.+...}, at: [<ffffffff81d36fc2>]
n_tty_read+0x202/0x16e0 drivers/tty/n_tty.c:2142
1 lock held by syz-executor688/3064:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
2 locks held by syz-executor688/3098:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
#1: (&ldata->atomic_read_lock){+.+...}, at: [<ffffffff81d36fc2>]
n_tty_read+0x202/0x16e0 drivers/tty/n_tty.c:2142
2 locks held by syz-executor688/3121:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
#1: (&ldata->atomic_read_lock){+.+...}, at: [<ffffffff81d36fc2>]
n_tty_read+0x202/0x16e0 drivers/tty/n_tty.c:2142
1 lock held by syz-executor688/3124:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
2 locks held by syz-executor688/3151:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
#1: (&ldata->atomic_read_lock){+.+...}, at: [<ffffffff81d36fc2>]
n_tty_read+0x202/0x16e0 drivers/tty/n_tty.c:2142
1 lock held by syz-executor688/3154:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
2 locks held by syz-executor688/3176:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
#1: (&ldata->atomic_read_lock){+.+...}, at: [<ffffffff81d36fc2>]
n_tty_read+0x202/0x16e0 drivers/tty/n_tty.c:2142
1 lock held by syz-executor688/3178:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
1 lock held by syz-executor688/3210:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
2 locks held by syz-executor688/3211:
#0: (&tty->legacy_mutex){+.+.+.}, at: [<ffffffff81d4205a>]
tty_lock+0x6a/0xd0 drivers/tty/tty_mutex.c:18
#1: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814ca2>]
ldsem_down_write+0x32/0x37 drivers/tty/tty_ldsem.c:393
2 locks held by syz-executor688/3212:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82814c62>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
#1: (&ldata->atomic_read_lock){+.+...}, at: [<ffffffff81d36fc2>]
n_tty_read+0x202/0x16e0 drivers/tty/n_tty.c:2142

=============================================

NMI backtrace for cpu 0
CPU: 0 PID: 24 Comm: khungtaskd Not tainted 4.9.135+ #117
ffff8801d9907d08 ffffffff81b42b89 0000000000000000 0000000000000000
0000000000000000 0000000000000001 ffffffff81098330 ffff8801d9907d40
ffffffff81b4dc99 0000000000000000 0000000000000000 0000000000000004
Call Trace:
[<ffffffff81b42b89>] __dump_stack lib/dump_stack.c:15 [inline]
[<ffffffff81b42b89>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
[<ffffffff81b4dc99>] nmi_cpu_backtrace.cold.0+0x48/0x87
lib/nmi_backtrace.c:99
[<ffffffff81b4dc2c>] nmi_trigger_cpumask_backtrace+0x12c/0x151
lib/nmi_backtrace.c:60
[<ffffffff81098434>] arch_trigger_cpumask_backtrace+0x14/0x20
arch/x86/kernel/apic/hw_nmi.c:37
[<ffffffff8131c0dd>] trigger_all_cpu_backtrace include/linux/nmi.h:58
[inline]
[<ffffffff8131c0dd>] check_hung_task kernel/hung_task.c:125 [inline]
[<ffffffff8131c0dd>] check_hung_uninterruptible_tasks
kernel/hung_task.c:182 [inline]
[<ffffffff8131c0dd>] watchdog+0x6ad/0xa20 kernel/hung_task.c:239
[<ffffffff811428dd>] kthread+0x26d/0x300 kernel/kthread.c:211
[<ffffffff82816d5c>] ret_from_fork+0x5c/0x70 arch/x86/entry/entry_64.S:373
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1 skipped: idling at pc 0xffffffff828157a6