INFO: task hung in pipe_write
23 views
Skip to first unread message
syzbot
Apr 14, 2019, 4:51:30 AM4/14/19
to syzkaller-a...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: 8fe42840 Merge 4.9.141 into android-4.9
git tree: android-4.9
console output: https://syzkaller.appspot.com/x/log.txt?x=12981387400000
kernel config: https://syzkaller.appspot.com/x/.config?x=22a5ba9f73b6da1d
dashboard link: https://syzkaller.appspot.com/bug?extid=369b764936acd107d869
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1521f188c00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=153e2173400000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+369b76...@syzkaller.appspotmail.com
Free swap = 0kB
Total swap = 0kB
1965979 pages RAM
0 pages HighMem/MovableOnly
313617 pages reserved
INFO: task syz-executor864:5578 blocked for more than 140 seconds.
Not tainted 4.9.141+ #1
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor864 D29672 5578 2226 0x00000004
ffff8801c53a5f00 ffff8801c68f4200 ffff8801c68f4200 ffff8801d8c78000
ffff8801db621018 ffff8801d849fa08 ffffffff828075c2 0000000000000000
ffff8801c53a67b0 ffffed0038a74cf5 00ff8801c53a5f00 ffff8801db6218f0
Call Trace:
[<ffffffff82808aef>] schedule+0x7f/0x1b0 kernel/sched/core.c:3553
[<ffffffff828094a3>] schedule_preempt_disabled+0x13/0x20
kernel/sched/core.c:3586
[<ffffffff8280b51d>] __mutex_lock_common kernel/locking/mutex.c:582
[inline]
[<ffffffff8280b51d>] mutex_lock_nested+0x38d/0x900
kernel/locking/mutex.c:621
[<ffffffff81524a93>] pipe_lock_nested fs/pipe.c:66 [inline]
[<ffffffff81524a93>] pipe_lock fs/pipe.c:74 [inline]
[<ffffffff81524a93>] pipe_wait+0x1a3/0x1d0 fs/pipe.c:122
[<ffffffff815250e7>] pipe_write+0x4e7/0xd50 fs/pipe.c:475
[<ffffffff81508347>] new_sync_write fs/read_write.c:496 [inline]
[<ffffffff81508347>] __vfs_write+0x3d7/0x580 fs/read_write.c:509
[<ffffffff8150ab97>] vfs_write+0x187/0x520 fs/read_write.c:557
[<ffffffff8150e9c9>] SYSC_write fs/read_write.c:604 [inline]
[<ffffffff8150e9c9>] SyS_write+0xd9/0x1c0 fs/read_write.c:596
[<ffffffff810056ef>] do_syscall_64+0x19f/0x550 arch/x86/entry/common.c:285
[<ffffffff82817893>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
Showing all locks held in the system:
2 locks held by khungtaskd/24:
#0: (rcu_read_lock){......}, at: [<ffffffff8131c0cc>]
check_hung_uninterruptible_tasks kernel/hung_task.c:168 [inline]
#0: (rcu_read_lock){......}, at: [<ffffffff8131c0cc>]
watchdog+0x11c/0xa20 kernel/hung_task.c:239
#1: (tasklist_lock){.+.+..}, at: [<ffffffff813fe63f>]
debug_show_all_locks+0x79/0x218 kernel/locking/lockdep.c:4336
1 lock held by rsyslogd/1902:
#0: (&f->f_pos_lock){+.+.+.}, at: [<ffffffff8156cc7c>]
__fdget_pos+0xac/0xd0 fs/file.c:781
2 locks held by getty/2029:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82815952>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
#1: (&ldata->atomic_read_lock){+.+...}, at: [<ffffffff81d37362>]
n_tty_read+0x202/0x16e0 drivers/tty/n_tty.c:2142
1 lock held by syz-executor864/5578:
#0: (&pipe->mutex/1){+.+.+.}, at: [<ffffffff81524a93>] pipe_lock_nested
fs/pipe.c:66 [inline]
#0: (&pipe->mutex/1){+.+.+.}, at: [<ffffffff81524a93>] pipe_lock
fs/pipe.c:74 [inline]
#0: (&pipe->mutex/1){+.+.+.}, at: [<ffffffff81524a93>]
pipe_wait+0x1a3/0x1d0 fs/pipe.c:122
1 lock held by init/18475:
#0: (tty_mutex){+.+.+.}, at: [<ffffffff81d2bb96>] tty_open_by_driver
drivers/tty/tty_io.c:2052 [inline]
#0: (tty_mutex){+.+.+.}, at: [<ffffffff81d2bb96>] tty_open+0x476/0xdf0
drivers/tty/tty_io.c:2130
1 lock held by init/18476:
#0: (tty_mutex){+.+.+.}, at: [<ffffffff81d2bb96>] tty_open_by_driver
drivers/tty/tty_io.c:2052 [inline]
#0: (tty_mutex){+.+.+.}, at: [<ffffffff81d2bb96>] tty_open+0x476/0xdf0
drivers/tty/tty_io.c:2130
1 lock held by init/18477:
#0: (tty_mutex){+.+.+.}, at: [<ffffffff81d2bb96>] tty_open_by_driver
drivers/tty/tty_io.c:2052 [inline]
#0: (tty_mutex){+.+.+.}, at: [<ffffffff81d2bb96>] tty_open+0x476/0xdf0
drivers/tty/tty_io.c:2130
1 lock held by init/18478:
#0: (tty_mutex){+.+.+.}, at: [<ffffffff81d2bb96>] tty_open_by_driver
drivers/tty/tty_io.c:2052 [inline]
#0: (tty_mutex){+.+.+.}, at: [<ffffffff81d2bb96>] tty_open+0x476/0xdf0
drivers/tty/tty_io.c:2130
1 lock held by init/18479:
#0: (tty_mutex){+.+.+.}, at: [<ffffffff81d2bb96>] tty_open_by_driver
drivers/tty/tty_io.c:2052 [inline]
#0: (tty_mutex){+.+.+.}, at: [<ffffffff81d2bb96>] tty_open+0x476/0xdf0
drivers/tty/tty_io.c:2130
1 lock held by init/18480:
#0: (tty_mutex){+.+.+.}, at: [<ffffffff81d2bb96>] tty_open_by_driver
drivers/tty/tty_io.c:2052 [inline]
#0: (tty_mutex){+.+.+.}, at: [<ffffffff81d2bb96>] tty_open+0x476/0xdf0
drivers/tty/tty_io.c:2130
=============================================
NMI backtrace for cpu 1
CPU: 1 PID: 24 Comm: khungtaskd Not tainted 4.9.141+ #1
ffff8801d9907d08 ffffffff81b42e79 0000000000000000 0000000000000001
0000000000000001 0000000000000001 ffffffff810983b0 ffff8801d9907d40
ffffffff81b4df89 0000000000000001 0000000000000000 0000000000000002
Call Trace:
[<ffffffff81b42e79>] __dump_stack lib/dump_stack.c:15 [inline]
[<ffffffff81b42e79>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
[<ffffffff81b4df89>] nmi_cpu_backtrace.cold.0+0x48/0x87
lib/nmi_backtrace.c:99
[<ffffffff81b4df1c>] nmi_trigger_cpumask_backtrace+0x12c/0x151
lib/nmi_backtrace.c:60
[<ffffffff810984b4>] arch_trigger_cpumask_backtrace+0x14/0x20
arch/x86/kernel/apic/hw_nmi.c:37
[<ffffffff8131c65d>] trigger_all_cpu_backtrace include/linux/nmi.h:58
[inline]
[<ffffffff8131c65d>] check_hung_task kernel/hung_task.c:125 [inline]
[<ffffffff8131c65d>] check_hung_uninterruptible_tasks
kernel/hung_task.c:182 [inline]
[<ffffffff8131c65d>] watchdog+0x6ad/0xa20 kernel/hung_task.c:239
[<ffffffff81142c3d>] kthread+0x26d/0x300 kernel/kthread.c:211
[<ffffffff82817a5c>] ret_from_fork+0x5c/0x70 arch/x86/entry/entry_64.S:373
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 PID: 20116 Comm: syz-executor864 Not tainted 4.9.141+ #1
task: ffff880100018000 task.stack: ffff880100008000
RIP: 0010:[<ffffffff82816ef2>] c [<ffffffff82816ef2>] __raw_spin_unlock
include/linux/spinlock_api_smp.h:154 [inline]
RIP: 0010:[<ffffffff82816ef2>] c [<ffffffff82816ef2>]
_raw_spin_unlock+0x22/0x50 kernel/locking/spinlock.c:183
RSP: 0018:ffff88010000f588 EFLAGS: 00000246
RAX: 0000000000000000 RBX: ffff880171c666c0 RCX: 0000000000000002
RDX: 1ffff1002e38ccd9 RSI: 0000000000000002 RDI: ffff880171c666c0
RBP: ffff88010000f590 R08: ffff880100018920 R09: 0000000000000001
R10: 0000000000000000 R11: 0000000000000001 R12: dffffc0000000000
R13: ffff8801cbbc1700 R14: ffff880171c65f00 R15: 0000000000001000
FS: 00007f1bcabed700(0000) GS:ffff8801db600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f585e702060 CR3: 000000018e858000 CR4: 00000000001606b0
Stack:
ffff880171c65f00 c ffff88010000f640 c ffffffff821f01d6 c ffffffff821efede c
ffff88010000f5e8 c ffffffff81ba7d7b c 0000000000000246 c ffff880100018000 c
ffffffff830cc2e0 c ffff88010000f718 c fffffbfff0601200 c 000000000000f608 c
Call Trace:
[<ffffffff821f01d6>] spin_unlock include/linux/spinlock.h:347 [inline]
[<ffffffff821f01d6>] task_unlock include/linux/sched.h:3262 [inline]
[<ffffffff821f01d6>] lowmem_scan+0x546/0xaf0
drivers/staging/android/lowmemorykiller.c:146
[<ffffffff81449cc6>] do_shrink_slab mm/vmscan.c:398 [inline]
[<ffffffff81449cc6>] shrink_slab.part.8+0x3c6/0xa00 mm/vmscan.c:501
[<ffffffff814557fd>] shrink_slab mm/vmscan.c:465 [inline]
[<ffffffff814557fd>] shrink_node+0x1ed/0x740 mm/vmscan.c:2602
[<ffffffff814560c7>] shrink_zones mm/vmscan.c:2749 [inline]
[<ffffffff814560c7>] do_try_to_free_pages mm/vmscan.c:2791 [inline]
[<ffffffff814560c7>] try_to_free_pages+0x377/0xb80 mm/vmscan.c:3002
[<ffffffff81428a01>] __perform_reclaim mm/page_alloc.c:3324 [inline]
[<ffffffff81428a01>] __alloc_pages_direct_reclaim mm/page_alloc.c:3345
[inline]
[<ffffffff81428a01>] __alloc_pages_slowpath mm/page_alloc.c:3697 [inline]
[<ffffffff81428a01>] __alloc_pages_nodemask+0x981/0x1bd0
mm/page_alloc.c:3862
[<ffffffff810d3100>] __alloc_pages include/linux/gfp.h:433 [inline]
[<ffffffff810d3100>] __alloc_pages_node include/linux/gfp.h:446 [inline]
[<ffffffff810d3100>] alloc_pages_node include/linux/gfp.h:460 [inline]
[<ffffffff810d3100>] alloc_thread_stack_node kernel/fork.c:212 [inline]
[<ffffffff810d3100>] dup_task_struct kernel/fork.c:492 [inline]
[<ffffffff810d3100>] copy_process.part.8+0x280/0x6a10 kernel/fork.c:1534
[<ffffffff810d9d12>] copy_process kernel/fork.c:1505 [inline]
[<ffffffff810d9d12>] _do_fork+0x1b2/0xd30 kernel/fork.c:1972
[<ffffffff810da967>] SYSC_clone kernel/fork.c:2084 [inline]
[<ffffffff810da967>] SyS_clone+0x37/0x50 kernel/fork.c:2078
[<ffffffff810056ef>] do_syscall_64+0x19f/0x550 arch/x86/entry/common.c:285
[<ffffffff82817893>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
Code: c5d c5d cc3 c66 c0f c1f c44 c00 c00 c55 cbe c01 c00 c00
c00 c48 c89 ce5 c53 c48 c89 cfb c48 c83 cc7 c18 c48 c8b c55
c08 ce8 c96 c5c c9f cfe c48 c89 cdf ce8 c4e ce5 c9f cfe
c<bf> c01 c00 c00 c00 ce8 cd4 c04 c95 cfe c65 c8b c05 c8d
c0e c80 c7d c85 cc0 c74 c03 c
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following crash on:
HEAD commit: 8fe42840 Merge 4.9.141 into android-4.9
git tree: android-4.9
console output: https://syzkaller.appspot.com/x/log.txt?x=12981387400000
kernel config: https://syzkaller.appspot.com/x/.config?x=22a5ba9f73b6da1d
dashboard link: https://syzkaller.appspot.com/bug?extid=369b764936acd107d869
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1521f188c00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=153e2173400000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+369b76...@syzkaller.appspotmail.com
Free swap = 0kB
Total swap = 0kB
1965979 pages RAM
0 pages HighMem/MovableOnly
313617 pages reserved
INFO: task syz-executor864:5578 blocked for more than 140 seconds.
Not tainted 4.9.141+ #1
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor864 D29672 5578 2226 0x00000004
ffff8801c53a5f00 ffff8801c68f4200 ffff8801c68f4200 ffff8801d8c78000
ffff8801db621018 ffff8801d849fa08 ffffffff828075c2 0000000000000000
ffff8801c53a67b0 ffffed0038a74cf5 00ff8801c53a5f00 ffff8801db6218f0
Call Trace:
[<ffffffff82808aef>] schedule+0x7f/0x1b0 kernel/sched/core.c:3553
[<ffffffff828094a3>] schedule_preempt_disabled+0x13/0x20
kernel/sched/core.c:3586
[<ffffffff8280b51d>] __mutex_lock_common kernel/locking/mutex.c:582
[inline]
[<ffffffff8280b51d>] mutex_lock_nested+0x38d/0x900
kernel/locking/mutex.c:621
[<ffffffff81524a93>] pipe_lock_nested fs/pipe.c:66 [inline]
[<ffffffff81524a93>] pipe_lock fs/pipe.c:74 [inline]
[<ffffffff81524a93>] pipe_wait+0x1a3/0x1d0 fs/pipe.c:122
[<ffffffff815250e7>] pipe_write+0x4e7/0xd50 fs/pipe.c:475
[<ffffffff81508347>] new_sync_write fs/read_write.c:496 [inline]
[<ffffffff81508347>] __vfs_write+0x3d7/0x580 fs/read_write.c:509
[<ffffffff8150ab97>] vfs_write+0x187/0x520 fs/read_write.c:557
[<ffffffff8150e9c9>] SYSC_write fs/read_write.c:604 [inline]
[<ffffffff8150e9c9>] SyS_write+0xd9/0x1c0 fs/read_write.c:596
[<ffffffff810056ef>] do_syscall_64+0x19f/0x550 arch/x86/entry/common.c:285
[<ffffffff82817893>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
Showing all locks held in the system:
2 locks held by khungtaskd/24:
#0: (rcu_read_lock){......}, at: [<ffffffff8131c0cc>]
check_hung_uninterruptible_tasks kernel/hung_task.c:168 [inline]
#0: (rcu_read_lock){......}, at: [<ffffffff8131c0cc>]
watchdog+0x11c/0xa20 kernel/hung_task.c:239
#1: (tasklist_lock){.+.+..}, at: [<ffffffff813fe63f>]
debug_show_all_locks+0x79/0x218 kernel/locking/lockdep.c:4336
1 lock held by rsyslogd/1902:
#0: (&f->f_pos_lock){+.+.+.}, at: [<ffffffff8156cc7c>]
__fdget_pos+0xac/0xd0 fs/file.c:781
2 locks held by getty/2029:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82815952>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
#1: (&ldata->atomic_read_lock){+.+...}, at: [<ffffffff81d37362>]
n_tty_read+0x202/0x16e0 drivers/tty/n_tty.c:2142
1 lock held by syz-executor864/5578:
#0: (&pipe->mutex/1){+.+.+.}, at: [<ffffffff81524a93>] pipe_lock_nested
fs/pipe.c:66 [inline]
#0: (&pipe->mutex/1){+.+.+.}, at: [<ffffffff81524a93>] pipe_lock
fs/pipe.c:74 [inline]
#0: (&pipe->mutex/1){+.+.+.}, at: [<ffffffff81524a93>]
pipe_wait+0x1a3/0x1d0 fs/pipe.c:122
1 lock held by init/18475:
#0: (tty_mutex){+.+.+.}, at: [<ffffffff81d2bb96>] tty_open_by_driver
drivers/tty/tty_io.c:2052 [inline]
#0: (tty_mutex){+.+.+.}, at: [<ffffffff81d2bb96>] tty_open+0x476/0xdf0
drivers/tty/tty_io.c:2130
1 lock held by init/18476:
#0: (tty_mutex){+.+.+.}, at: [<ffffffff81d2bb96>] tty_open_by_driver
drivers/tty/tty_io.c:2052 [inline]
#0: (tty_mutex){+.+.+.}, at: [<ffffffff81d2bb96>] tty_open+0x476/0xdf0
drivers/tty/tty_io.c:2130
1 lock held by init/18477:
#0: (tty_mutex){+.+.+.}, at: [<ffffffff81d2bb96>] tty_open_by_driver
drivers/tty/tty_io.c:2052 [inline]
#0: (tty_mutex){+.+.+.}, at: [<ffffffff81d2bb96>] tty_open+0x476/0xdf0
drivers/tty/tty_io.c:2130
1 lock held by init/18478:
#0: (tty_mutex){+.+.+.}, at: [<ffffffff81d2bb96>] tty_open_by_driver
drivers/tty/tty_io.c:2052 [inline]
#0: (tty_mutex){+.+.+.}, at: [<ffffffff81d2bb96>] tty_open+0x476/0xdf0
drivers/tty/tty_io.c:2130
1 lock held by init/18479:
#0: (tty_mutex){+.+.+.}, at: [<ffffffff81d2bb96>] tty_open_by_driver
drivers/tty/tty_io.c:2052 [inline]
#0: (tty_mutex){+.+.+.}, at: [<ffffffff81d2bb96>] tty_open+0x476/0xdf0
drivers/tty/tty_io.c:2130
1 lock held by init/18480:
#0: (tty_mutex){+.+.+.}, at: [<ffffffff81d2bb96>] tty_open_by_driver
drivers/tty/tty_io.c:2052 [inline]
#0: (tty_mutex){+.+.+.}, at: [<ffffffff81d2bb96>] tty_open+0x476/0xdf0
drivers/tty/tty_io.c:2130
=============================================
NMI backtrace for cpu 1
CPU: 1 PID: 24 Comm: khungtaskd Not tainted 4.9.141+ #1
ffff8801d9907d08 ffffffff81b42e79 0000000000000000 0000000000000001
0000000000000001 0000000000000001 ffffffff810983b0 ffff8801d9907d40
ffffffff81b4df89 0000000000000001 0000000000000000 0000000000000002
Call Trace:
[<ffffffff81b42e79>] __dump_stack lib/dump_stack.c:15 [inline]
[<ffffffff81b42e79>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
[<ffffffff81b4df89>] nmi_cpu_backtrace.cold.0+0x48/0x87
lib/nmi_backtrace.c:99
[<ffffffff81b4df1c>] nmi_trigger_cpumask_backtrace+0x12c/0x151
lib/nmi_backtrace.c:60
[<ffffffff810984b4>] arch_trigger_cpumask_backtrace+0x14/0x20
arch/x86/kernel/apic/hw_nmi.c:37
[<ffffffff8131c65d>] trigger_all_cpu_backtrace include/linux/nmi.h:58
[inline]
[<ffffffff8131c65d>] check_hung_task kernel/hung_task.c:125 [inline]
[<ffffffff8131c65d>] check_hung_uninterruptible_tasks
kernel/hung_task.c:182 [inline]
[<ffffffff8131c65d>] watchdog+0x6ad/0xa20 kernel/hung_task.c:239
[<ffffffff81142c3d>] kthread+0x26d/0x300 kernel/kthread.c:211
[<ffffffff82817a5c>] ret_from_fork+0x5c/0x70 arch/x86/entry/entry_64.S:373
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 PID: 20116 Comm: syz-executor864 Not tainted 4.9.141+ #1
task: ffff880100018000 task.stack: ffff880100008000
RIP: 0010:[<ffffffff82816ef2>] c [<ffffffff82816ef2>] __raw_spin_unlock
include/linux/spinlock_api_smp.h:154 [inline]
RIP: 0010:[<ffffffff82816ef2>] c [<ffffffff82816ef2>]
_raw_spin_unlock+0x22/0x50 kernel/locking/spinlock.c:183
RSP: 0018:ffff88010000f588 EFLAGS: 00000246
RAX: 0000000000000000 RBX: ffff880171c666c0 RCX: 0000000000000002
RDX: 1ffff1002e38ccd9 RSI: 0000000000000002 RDI: ffff880171c666c0
RBP: ffff88010000f590 R08: ffff880100018920 R09: 0000000000000001
R10: 0000000000000000 R11: 0000000000000001 R12: dffffc0000000000
R13: ffff8801cbbc1700 R14: ffff880171c65f00 R15: 0000000000001000
FS: 00007f1bcabed700(0000) GS:ffff8801db600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f585e702060 CR3: 000000018e858000 CR4: 00000000001606b0
Stack:
ffff880171c65f00 c ffff88010000f640 c ffffffff821f01d6 c ffffffff821efede c
ffff88010000f5e8 c ffffffff81ba7d7b c 0000000000000246 c ffff880100018000 c
ffffffff830cc2e0 c ffff88010000f718 c fffffbfff0601200 c 000000000000f608 c
Call Trace:
[<ffffffff821f01d6>] spin_unlock include/linux/spinlock.h:347 [inline]
[<ffffffff821f01d6>] task_unlock include/linux/sched.h:3262 [inline]
[<ffffffff821f01d6>] lowmem_scan+0x546/0xaf0
drivers/staging/android/lowmemorykiller.c:146
[<ffffffff81449cc6>] do_shrink_slab mm/vmscan.c:398 [inline]
[<ffffffff81449cc6>] shrink_slab.part.8+0x3c6/0xa00 mm/vmscan.c:501
[<ffffffff814557fd>] shrink_slab mm/vmscan.c:465 [inline]
[<ffffffff814557fd>] shrink_node+0x1ed/0x740 mm/vmscan.c:2602
[<ffffffff814560c7>] shrink_zones mm/vmscan.c:2749 [inline]
[<ffffffff814560c7>] do_try_to_free_pages mm/vmscan.c:2791 [inline]
[<ffffffff814560c7>] try_to_free_pages+0x377/0xb80 mm/vmscan.c:3002
[<ffffffff81428a01>] __perform_reclaim mm/page_alloc.c:3324 [inline]
[<ffffffff81428a01>] __alloc_pages_direct_reclaim mm/page_alloc.c:3345
[inline]
[<ffffffff81428a01>] __alloc_pages_slowpath mm/page_alloc.c:3697 [inline]
[<ffffffff81428a01>] __alloc_pages_nodemask+0x981/0x1bd0
mm/page_alloc.c:3862
[<ffffffff810d3100>] __alloc_pages include/linux/gfp.h:433 [inline]
[<ffffffff810d3100>] __alloc_pages_node include/linux/gfp.h:446 [inline]
[<ffffffff810d3100>] alloc_pages_node include/linux/gfp.h:460 [inline]
[<ffffffff810d3100>] alloc_thread_stack_node kernel/fork.c:212 [inline]
[<ffffffff810d3100>] dup_task_struct kernel/fork.c:492 [inline]
[<ffffffff810d3100>] copy_process.part.8+0x280/0x6a10 kernel/fork.c:1534
[<ffffffff810d9d12>] copy_process kernel/fork.c:1505 [inline]
[<ffffffff810d9d12>] _do_fork+0x1b2/0xd30 kernel/fork.c:1972
[<ffffffff810da967>] SYSC_clone kernel/fork.c:2084 [inline]
[<ffffffff810da967>] SyS_clone+0x37/0x50 kernel/fork.c:2078
[<ffffffff810056ef>] do_syscall_64+0x19f/0x550 arch/x86/entry/common.c:285
[<ffffffff82817893>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
Code: c5d c5d cc3 c66 c0f c1f c44 c00 c00 c55 cbe c01 c00 c00
c00 c48 c89 ce5 c53 c48 c89 cfb c48 c83 cc7 c18 c48 c8b c55
c08 ce8 c96 c5c c9f cfe c48 c89 cdf ce8 c4e ce5 c9f cfe
c<bf> c01 c00 c00 c00 ce8 cd4 c04 c95 cfe c65 c8b c05 c8d
c0e c80 c7d c85 cc0 c74 c03 c
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot
Apr 14, 2019, 5:28:27 AM4/14/19
to syzkaller-a...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: d40633ce UPSTREAM: binder: fix race that allows malicious ..
syzbot found the following crash on:
git tree: android-4.4
console output: https://syzkaller.appspot.com/x/log.txt?x=171787eb400000
kernel config: https://syzkaller.appspot.com/x/.config?x=58c98105e7c637a9
dashboard link: https://syzkaller.appspot.com/bug?extid=954589dd8456719dedfa
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Free memory is 2932kB above reserved
lowmemorykiller: Killing 'syz-executor5' (26713) (tgid 26713), adj 1000,
to free 38260kB on behalf of 'syz-fuzzer' (2071) because
cache 276kB is below limit 6144kB for oom_score_adj 0
Free memory is 2932kB above reserved
INFO: task syz-executor5:26709 blocked for more than 140 seconds.
Not tainted 4.4.166+ #5
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor5 D ffff8800910cfa38 29032 26709 2121 0x00100004
ffff8800910cfa38 0000000000000000 ffff8800a6cb3848 ffffed0014d96708
ffff8800a6cb2f00 ffff8801db71f180 ffff8801db71f1a8 ffff8801db71e898
ffff8801db71e880 ffff8801ab22df00 ffff8800a6cb2f80 0000000000000000
Call Trace:
[<ffffffff82706dba>] schedule+0x7a/0x1b0 kernel/sched/core.c:3355
[<ffffffff82707553>] schedule_preempt_disabled+0x13/0x20
kernel/sched/core.c:3388
[<ffffffff827097ce>] __mutex_lock_common kernel/locking/mutex.c:582
[inline]
[<ffffffff827097ce>] mutex_lock_nested+0x3be/0xb60
kernel/locking/mutex.c:621
[<ffffffff814ab203>] pipe_lock_nested fs/pipe.c:65 [inline]
[<ffffffff814ab203>] pipe_lock fs/pipe.c:73 [inline]
[<ffffffff814ab203>] pipe_wait+0x1a3/0x1d0 fs/pipe.c:121
[<ffffffff814ab8a5>] pipe_write+0x505/0xd80 fs/pipe.c:463
[<ffffffff814918c4>] new_sync_write fs/read_write.c:478 [inline]
[<ffffffff814918c4>] __vfs_write+0x304/0x3e0 fs/read_write.c:491
[<ffffffff8149338e>] vfs_write+0x17e/0x4e0 fs/read_write.c:538
[<ffffffff814959c9>] SYSC_write fs/read_write.c:585 [inline]
[<ffffffff814959c9>] SyS_write+0xd9/0x1c0 fs/read_write.c:577
[<ffffffff82715ce1>] entry_SYSCALL_64_fastpath+0x1e/0x9a
lowmemorykiller: Killing 'syz-executor5' (26713) (tgid 26713), adj 1000,
to free 38260kB on behalf of 'syz-executor1' (26702) because
cache 276kB is below limit 6144kB for oom_score_adj 0
Free memory is 2932kB above reserved
lowmemorykiller: Killing 'syz-executor5' (26713) (tgid 26713), adj 1000,
to free 38260kB on behalf of 'syz-fuzzer' (2076) because
cache 276kB is below limit 6144kB for oom_score_adj 0
Free memory is 2932kB above reserved
1 lock held by syz-executor5/26709:
#0: (&pipe->mutex/1){+.+.+.}, at: [<ffffffff814ab203>] pipe_lock_nested
fs/pipe.c:65 [inline]
#0: (&pipe->mutex/1){+.+.+.}, at: [<ffffffff814ab203>] pipe_lock
fs/pipe.c:73 [inline]
#0: (&pipe->mutex/1){+.+.+.}, at: [<ffffffff814ab203>]
pipe_wait+0x1a3/0x1d0 fs/pipe.c:121
Sending NMI to all CPUs:
NMI backtrace for cpu 0
CPU: 0 PID: 20 Comm: khungtaskd Not tainted 4.4.166+ #5
task: ffff8801da7c2f80 task.stack: ffff8800001d0000
RIP: 0010:[<ffffffff8109c386>] [<ffffffff8109c386>] native_apic_mem_write
arch/x86/include/asm/apic.h:93 [inline]
RIP: 0010:[<ffffffff8109c386>] [<ffffffff8109c386>]
__default_send_IPI_dest_field arch/x86/include/asm/ipi.h:119 [inline]
RIP: 0010:[<ffffffff8109c386>] [<ffffffff8109c386>] _flat_send_IPI_mask
arch/x86/kernel/apic/apic_flat_64.c:61 [inline]
RIP: 0010:[<ffffffff8109c386>] [<ffffffff8109c386>]
flat_send_IPI_mask+0xf6/0x1a0 arch/x86/kernel/apic/apic_flat_64.c:69
RSP: 0018:ffff8800001d7cc8 EFLAGS: 00000046
RAX: 0000000000000000 RBX: 0000000000000c00 RCX: 0000000000000000
RDX: 0000000000000c00 RSI: 0000000000000000 RDI: ffffffffff5fc300
RBP: ffff8800001d7cf0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000246
R13: 0000000003000000 R14: ffffffff82e5f3a0 R15: 0000000000000002
FS: 0000000000000000(0000) GS:ffff8801db600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000040427c CR3: 00000000a6bfd000 CR4: 00000000001606b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
Stack:
ffffffff82e5f3a0 ffffffff831a6400 0000000000000007 fffffbfff0634b5c
0000000000000008 ffff8800001d7d10 ffffffff810937b1 ffffffff82921f60
0000000000000003 ffff8800001d7d68 ffffffff81ab115e ffffffff813a8a20
Call Trace:
[<ffffffff810937b1>] nmi_raise_cpu_backtrace+0x61/0x80
arch/x86/kernel/apic/hw_nmi.c:33
[<ffffffff81ab115e>] nmi_trigger_all_cpu_backtrace.cold.0+0x70/0xae
lib/nmi_backtrace.c:85
[<ffffffff81093854>] arch_trigger_all_cpu_backtrace+0x14/0x20
arch/x86/kernel/apic/hw_nmi.c:38
[<ffffffff813b1c90>] trigger_all_cpu_backtrace include/linux/nmi.h:44
[inline]
[<ffffffff813b1c90>] check_hung_task kernel/hung_task.c:125 [inline]
[<ffffffff813b1c90>] check_hung_uninterruptible_tasks
kernel/hung_task.c:182 [inline]
[<ffffffff813b1c90>] watchdog.cold.0+0xd3/0xee kernel/hung_task.c:238
[<ffffffff81134788>] kthread+0x268/0x300 kernel/kthread.c:211
[<ffffffff82716105>] ret_from_fork+0x55/0x80 arch/x86/entry/entry_64.S:537
Code: 00 c3 5f ff 80 e6 10 75 e1 41 c1 e5 18 44 89 2c 25 10 c3 5f ff 44 89
fa 09 da 80 cf 04 41 83 ff 02 0f 44 d3 89 14 25 00 c3 5f ff <41> f7 c4 00
02 00 00 75 1a 4c 89 e7 57 9d 0f 1f 44 00 00 e8 d2
NMI backtrace for cpu 1
CPU: 1 PID: 2076 Comm: syz-fuzzer Not tainted 4.4.166+ #5
task: ffff8800b8295f00 task.stack: ffff8801d4aa8000
RIP: 0010:[<ffffffff811fc68b>] [<ffffffff811fc68b>]
__lock_acquire+0x4b/0x5530 kernel/locking/lockdep.c:3072
RSP: 0018:ffff8801d4aaf160 EFLAGS: 00000086
RAX: 0000000000000000 RBX: ffff8800b8295f00 RCX: 0000000000000002
RDX: dffffc0000000000 RSI: 0000000000000000 RDI: ffffffff82ea7360
RBP: ffff8801d4aaf300 R08: 0000000000000000 R09: 0000000000000000
R10: ffffffff82835d40 R11: ffffffff831a49b8 R12: ffffffff82ea7360
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS: 000000c4201651e8(0000) GS:ffff8801db700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f199ef62d50 CR3: 00000000b71f9000 CR4: 00000000001606b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
ffff8800b8296880 ffff8800b82967c0 ffff8800b8296888 0000000000000000
ffff880000000000 ffff8800b82967b8 ffff8800b82967c8 1ffff1003a955e36
ffffffff83a81e80 ffff880000000001 0000000041b58ab3 ffffffff82c4bd98
Call Trace:
[<ffffffff812037de>] lock_acquire+0x15e/0x450 kernel/locking/lockdep.c:3592
[<ffffffff813bfc46>] rcu_lock_acquire include/linux/rcupdate.h:477 [inline]
[<ffffffff813bfc46>] rcu_read_lock include/linux/rcupdate.h:861 [inline]
[<ffffffff813bfc46>] find_lock_task_mm+0x46/0x270 mm/oom_kill.c:106
[<ffffffff821190af>] lowmem_scan+0x34f/0xb80
drivers/staging/android/lowmemorykiller.c:132
[<ffffffff813eba79>] do_shrink_slab mm/vmscan.c:357 [inline]
[<ffffffff813eba79>] shrink_slab.part.8+0x3e9/0xaf0 mm/vmscan.c:455
[<ffffffff813f40bd>] shrink_slab mm/vmscan.c:425 [inline]
[<ffffffff813f40bd>] shrink_zone+0x4bd/0x600 mm/vmscan.c:2448
[<ffffffff813f4763>] shrink_zones mm/vmscan.c:2603 [inline]
[<ffffffff813f4763>] do_try_to_free_pages mm/vmscan.c:2653 [inline]
[<ffffffff813f4763>] try_to_free_pages+0x563/0xf20 mm/vmscan.c:2861
[<ffffffff813cdf72>] __perform_reclaim mm/page_alloc.c:2915 [inline]
[<ffffffff813cdf72>] __alloc_pages_direct_reclaim mm/page_alloc.c:2936
[inline]
[<ffffffff813cdf72>] __alloc_pages_slowpath mm/page_alloc.c:3201 [inline]
[<ffffffff813cdf72>] __alloc_pages_nodemask+0x862/0x1430
mm/page_alloc.c:3313
[<ffffffff813d950b>] __alloc_pages include/linux/gfp.h:415 [inline]
[<ffffffff813d950b>] __alloc_pages_node include/linux/gfp.h:428 [inline]
[<ffffffff813d950b>] alloc_pages_node include/linux/gfp.h:442 [inline]
[<ffffffff813d950b>] __page_cache_alloc include/linux/pagemap.h:226
[inline]
[<ffffffff813d950b>] page_cache_alloc_readahead
include/linux/pagemap.h:242 [inline]
[<ffffffff813d950b>] __do_page_cache_readahead+0x22b/0x860
mm/readahead.c:184
[<ffffffff813bcaa9>] ra_submit mm/internal.h:55 [inline]
[<ffffffff813bcaa9>] do_sync_mmap_readahead mm/filemap.c:1917 [inline]
[<ffffffff813bcaa9>] filemap_fault+0x729/0xbe0 mm/filemap.c:1994
[<ffffffff8165f3a1>] ext4_filemap_fault+0x71/0xa0 fs/ext4/inode.c:5558
[<ffffffff8142a5d7>] __do_fault+0x1d7/0x360 mm/memory.c:2822
[<ffffffff81437379>] do_read_fault mm/memory.c:3012 [inline]
[<ffffffff81437379>] do_fault mm/memory.c:3177 [inline]
[<ffffffff81437379>] handle_pte_fault mm/memory.c:3346 [inline]
[<ffffffff81437379>] __handle_mm_fault mm/memory.c:3474 [inline]
[<ffffffff81437379>] handle_mm_fault+0x1cd9/0x2f30 mm/memory.c:3503
[<ffffffff810ab7a1>] __do_page_fault+0x291/0x7e0 arch/x86/mm/fault.c:1243
[<ffffffff810abd47>] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1306
[<ffffffff82716f75>] page_fault+0x25/0x30 arch/x86/entry/entry_64.S:1064
Code: 00 48 8b 45 10 89 54 24 68 48 ba 00 00 00 00 00 fc ff df 48 c7 84 24
90 00 00 00 b3 8a b5 41 48 c7 84 24 98 00 00 00 98 bd c4 82 <48> 89 84 24
80 00 00 00 48 8d 84 24 90 00 00 00 48 c1 e8 03 89
lowmemorykiller: Killing 'syz-executor5' (26713) (tgid 26713), adj 1000,
to free 38260kB on behalf of 'syz-fuzzer' (2076) because
cache 276kB is below limit 6144kB for oom_score_adj 0
Free memory is 2932kB above reserved
lowmemorykiller: Killing 'syz-executor5' (26713) (tgid 26713), adj 1000,
to free 38260kB on behalf of 'syz-executor1' (26702) because
cache 276kB is below limit 6144kB for oom_score_adj 0
Free memory is 2932kB above reserved
lowmemorykiller: Killing 'syz-executor5' (26713) (tgid 26713), adj 1000,
to free 38260kB on behalf of 'syz-fuzzer' (2076) because
cache 504kB is below limit 6144kB for oom_score_adj 0
Free memory is 2964kB above reserved
lowmemorykiller: Killing 'syz-executor5' (26713) (tgid 26713), adj 1000,
to free 38260kB on behalf of 'syz-executor1' (26682) because
cache 504kB is below limit 6144kB for oom_score_adj 0
Free memory is 2964kB above reserved
lowmemorykiller: Killing 'syz-executor5' (26713) (tgid 26713), adj 1000,
to free 38260kB on behalf of 'syz-fuzzer' (2071) because
cache 556kB is below limit 6144kB for oom_score_adj 0
Free memory is 2892kB above reserved
lowmemorykiller: Killing 'syz-executor5' (26713) (tgid 26713), adj 1000,
to free 38260kB on behalf of 'syz-executor1' (26702) because
cache 556kB is below limit 6144kB for oom_score_adj 0
Free memory is 2892kB above reserved
syzbot
Jun 5, 2019, 2:19:03 AM6/5/19
to syzkaller-a...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.
Crashes did not happen for a while, no reproducer and no activity.
Reply all
Reply to author
Forward
0 new messages