BUG: sleeping function called from invalid context in __generic_file_fsync

syzbot

May 24, 2019, 4:11:06 AM5/24/19
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 62872f95 Merge 4.4.174 into android-4.4
git tree: android-4.4
console output: https://syzkaller.appspot.com/x/log.txt?x=1603bdf8a00000
kernel config: https://syzkaller.appspot.com/x/.config?x=47bc4dd423780c4a
dashboard link: https://syzkaller.appspot.com/bug?extid=6f8bb91ea09642f62c8d
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
userspace arch: i386

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+6f8bb9...@syzkaller.appspotmail.com

hid-generic 0000:0004:FFFFFFFD.0002: hidraw1: <UNKNOWN> HID v0.00 Device
[syz0] on sy
BUG: sleeping function called from invalid context at
kernel/locking/mutex.c:620
in_atomic(): 1, irqs_disabled(): 0, pid: 3197, name: syz-executor.4
1 lock held by syz-executor.4/3197:
#0: (sb_writers#6){.+.+.+}, at: [<ffffffff8149a6b6>] file_start_write
include/linux/fs.h:2543 [inline]
#0: (sb_writers#6){.+.+.+}, at: [<ffffffff8149a6b6>]
do_sendfile+0x8a6/0xba0 fs/read_write.c:1228
Preemption disabled at:[<ffffffff8102e3c6>] save_stack_trace+0x26/0x50
arch/x86/kernel/stacktrace.c:63

CPU: 1 PID: 3197 Comm: syz-executor.4 Not tainted 4.4.174+ #17
0000000000000000 ac77befc5d002042 ffff8801db707870 ffffffff81aad1a1
ffff8800bac897c0 0000000000000101 ffff8800bac897c0 0000000000000101
ffff8800bac897c0 ffff8801db7078a8 ffffffff813a6f33 ffff8800bac897c0
Call Trace:
<IRQ> [<ffffffff81aad1a1>] __dump_stack lib/dump_stack.c:15 [inline]
<IRQ> [<ffffffff81aad1a1>] dump_stack+0xc1/0x120 lib/dump_stack.c:51
[<ffffffff813a6f33>] ___might_sleep.cold+0x1c6/0x1dc
kernel/sched/core.c:7988
[<ffffffff81159d30>] __might_sleep+0x90/0x1a0 kernel/sched/core.c:7948
[<ffffffff8270c15d>] mutex_lock_nested+0x8d/0xb80
kernel/locking/mutex.c:620
[<ffffffff815135af>] __generic_file_fsync+0xcf/0x1c0 fs/libfs.c:944
[<ffffffff81513718>] generic_file_fsync+0x78/0x120 fs/libfs.c:977
[<ffffffff81635822>] ext4_sync_file+0x772/0xf10 fs/ext4/fsync.c:109
[<ffffffff81538fd1>] vfs_fsync_range+0x111/0x260 fs/sync.c:195
[<ffffffff815534d6>] generic_write_sync include/linux/fs.h:2517 [inline]
[<ffffffff815534d6>] dio_complete+0x3e6/0x720 fs/direct-io.c:266
[<ffffffff81553986>] dio_bio_end_aio+0x176/0x3f0 fs/direct-io.c:312
[<ffffffff81a22de7>] bio_endio+0x187/0x1e0 block/bio.c:1786
[<ffffffff81a41d37>] req_bio_endio block/blk-core.c:157 [inline]
[<ffffffff81a41d37>] blk_update_request+0x267/0xa50 block/blk-core.c:2653
[<ffffffff81d76bbc>] scsi_end_request+0x9c/0x5d0
drivers/scsi/scsi_lib.c:695
[<ffffffff81d7f3c5>] scsi_io_completion+0x275/0x1810
drivers/scsi/scsi_lib.c:918
[<ffffffff81d62b84>] scsi_finish_command+0x3a4/0x520
drivers/scsi/scsi.c:607
[<ffffffff81d7d919>] scsi_softirq_done+0x259/0x370
drivers/scsi/scsi_lib.c:1654
[<ffffffff81a5f098>] blk_done_softirq+0x258/0x3a0 block/blk-softirq.c:35
[<ffffffff8271bb16>] __do_softirq+0x226/0xa3f kernel/softirq.c:273
[<ffffffff810e1a8a>] invoke_softirq kernel/softirq.c:350 [inline]
[<ffffffff810e1a8a>] irq_exit+0x10a/0x150 kernel/softirq.c:391
[<ffffffff8271b111>] exiting_irq arch/x86/include/asm/apic.h:652 [inline]
[<ffffffff8271b111>] do_IRQ+0x111/0x1d0 arch/x86/kernel/irq.c:251
[<ffffffff8271971d>] common_interrupt+0x9d/0x9d
arch/x86/entry/entry_64.S:623
<EOI> [<ffffffff8115d36b>] ? preempt_count_add+0x3b/0x1d0
kernel/sched/core.c:3069
[<ffffffff812aef73>] is_module_text_address+0x13/0x50 kernel/module.c:4107
[<ffffffff8112f548>] __kernel_text_address+0x68/0xa0 kernel/extable.c:103
[<ffffffff81013549>] print_context_stack+0x59/0xd0
arch/x86/kernel/dumpstack.c:107
[<ffffffff81012bb9>] dump_trace+0x179/0x390
arch/x86/kernel/dumpstack_64.c:243
[<ffffffff8102e3c6>] save_stack_trace+0x26/0x50
arch/x86/kernel/stacktrace.c:63
[<ffffffff81484820>] save_stack mm/kasan/kasan.c:512 [inline]
[<ffffffff81484820>] set_track mm/kasan/kasan.c:524 [inline]
[<ffffffff81484820>] kasan_slab_free+0xb0/0x190 mm/kasan/kasan.c:589
[<ffffffff81481c44>] slab_free_hook mm/slub.c:1383 [inline]
[<ffffffff81481c44>] slab_free_freelist_hook mm/slub.c:1405 [inline]
[<ffffffff81481c44>] slab_free mm/slub.c:2859 [inline]
[<ffffffff81481c44>] kfree+0xf4/0x310 mm/slub.c:3749
[<ffffffff8153464a>] iter_file_splice_write+0x4da/0xb30 fs/splice.c:1053
[<ffffffff81530c16>] do_splice_from fs/splice.c:1128 [inline]
[<ffffffff81530c16>] direct_splice_actor+0x126/0x1a0 fs/splice.c:1294
[<ffffffff8153252e>] splice_direct_to_actor+0x2ce/0x850 fs/splice.c:1247
[<ffffffff81532c55>] do_splice_direct+0x1a5/0x260 fs/splice.c:1337
[<ffffffff8149a2fd>] do_sendfile+0x4ed/0xba0 fs/read_write.c:1229
[<ffffffff8149c474>] C_SYSC_sendfile fs/read_write.c:1311 [inline]
[<ffffffff8149c474>] compat_SyS_sendfile+0x144/0x160 fs/read_write.c:1294
[<ffffffff8100603d>] do_syscall_32_irqs_on arch/x86/entry/common.c:330
[inline]
[<ffffffff8100603d>] do_fast_syscall_32+0x32d/0xa90
arch/x86/entry/common.c:397
[<ffffffff8271a350>] sysenter_flags_fixed+0xd/0x1a

=================================
[ INFO: inconsistent lock state ]
4.4.174+ #17 Not tainted
---------------------------------
inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
syz-executor.4/3197 [HC0[0]:SC1[1]:HE1:SE0] takes:
(&sb->s_type->i_mutex_key#9){+.?.+.}, at: [<ffffffff815135af>]
__generic_file_fsync+0xcf/0x1c0 fs/libfs.c:944
{SOFTIRQ-ON-W} state was registered at:
[<ffffffff81200423>] mark_irqflags kernel/locking/lockdep.c:2817 [inline]
[<ffffffff81200423>] __lock_acquire+0xe73/0x4f50
kernel/locking/lockdep.c:3169
[<ffffffff81205f6e>] lock_acquire+0x15e/0x450
kernel/locking/lockdep.c:3592
[<ffffffff8270c191>] __mutex_lock_common kernel/locking/mutex.c:521
[inline]
[<ffffffff8270c191>] mutex_lock_nested+0xc1/0xb80
kernel/locking/mutex.c:621
[<ffffffff814ab41f>] bprm_fill_uid fs/exec.c:1357 [inline]
[<ffffffff814ab41f>] prepare_binprm+0x2bf/0x770 fs/exec.c:1391
[<ffffffff814ad996>] do_execveat_common.isra.0+0xd86/0x1e90 fs/exec.c:1620
[<ffffffff814af422>] do_execve fs/exec.c:1683 [inline]
[<ffffffff814af422>] SYSC_execve fs/exec.c:1764 [inline]
[<ffffffff814af422>] SyS_execve+0x42/0x50 fs/exec.c:1759
[<ffffffff82718ef5>] return_from_execve+0x0/0x23
irq event stamp: 11488
hardirqs last enabled at (11488): [<ffffffff827197a6>]
restore_regs_and_iret+0x0/0x1d
hardirqs last disabled at (11487): [<ffffffff8271a598>]
apic_timer_interrupt+0x98/0xb0 arch/x86/entry/entry_64.S:768
softirqs last enabled at (11202): [<ffffffff8271bdca>]
__do_softirq+0x4da/0xa3f kernel/softirq.c:299
softirqs last disabled at (11425): [<ffffffff810e1a8a>] invoke_softirq
kernel/softirq.c:350 [inline]
softirqs last disabled at (11425): [<ffffffff810e1a8a>]
irq_exit+0x10a/0x150 kernel/softirq.c:391

other info that might help us debug this:
Possible unsafe locking scenario:

CPU0
----
lock(&sb->s_type->i_mutex_key#9);
<Interrupt>
lock(&sb->s_type->i_mutex_key#9);

*** DEADLOCK ***

1 lock held by syz-executor.4/3197:
#0: (sb_writers#6){.+.+.+}, at: [<ffffffff8149a6b6>] file_start_write
include/linux/fs.h:2543 [inline]
#0: (sb_writers#6){.+.+.+}, at: [<ffffffff8149a6b6>]
do_sendfile+0x8a6/0xba0 fs/read_write.c:1228

stack backtrace:
CPU: 1 PID: 3197 Comm: syz-executor.4 Not tainted 4.4.174+ #17
0000000000000000 ac77befc5d002042 ffff8801db707610 ffffffff81aad1a1
0000000000000090 ffff8800bac897c0 ffffffff83abf2c0 ffffffff84057a80
ffff8800bac8a0d0 ffff8801db707688 ffffffff813ad456 0000000000000001
Call Trace:
<IRQ> [<ffffffff81aad1a1>] __dump_stack lib/dump_stack.c:15 [inline]
<IRQ> [<ffffffff81aad1a1>] dump_stack+0xc1/0x120 lib/dump_stack.c:51
[<ffffffff813ad456>] print_usage_bug.cold+0x454/0x592
kernel/locking/lockdep.c:2267
[<ffffffff811fe1bd>] valid_state kernel/locking/lockdep.c:2280 [inline]
[<ffffffff811fe1bd>] mark_lock_irq kernel/locking/lockdep.c:2478 [inline]
[<ffffffff811fe1bd>] mark_lock+0x6fd/0x1440 kernel/locking/lockdep.c:2933
[<ffffffff81200a0e>] mark_irqflags kernel/locking/lockdep.c:2799 [inline]
[<ffffffff81200a0e>] __lock_acquire+0x145e/0x4f50
kernel/locking/lockdep.c:3169
[<ffffffff81205f6e>] lock_acquire+0x15e/0x450 kernel/locking/lockdep.c:3592
[<ffffffff8270c191>] __mutex_lock_common kernel/locking/mutex.c:521
[inline]
[<ffffffff8270c191>] mutex_lock_nested+0xc1/0xb80
kernel/locking/mutex.c:621
[<ffffffff815135af>] __generic_file_fsync+0xcf/0x1c0 fs/libfs.c:944
[<ffffffff81513718>] generic_file_fsync+0x78/0x120 fs/libfs.c:977
[<ffffffff81635822>] ext4_sync_file+0x772/0xf10 fs/ext4/fsync.c:109
[<ffffffff81538fd1>] vfs_fsync_range+0x111/0x260 fs/sync.c:195
[<ffffffff815534d6>] generic_write_sync include/linux/fs.h:2517 [inline]
[<ffffffff815534d6>] dio_complete+0x3e6/0x720 fs/direct-io.c:266
[<ffffffff81553986>] dio_bio_end_aio+0x176/0x3f0 fs/direct-io.c:312
[<ffffffff81a22de7>] bio_endio+0x187/0x1e0 block/bio.c:1786
[<ffffffff81a41d37>] req_bio_endio block/blk-core.c:157 [inline]
[<ffffffff81a41d37>] blk_update_request+0x267/0xa50 block/blk-core.c:2653
[<ffffffff81d76bbc>] scsi_end_request+0x9c/0x5d0
drivers/scsi/scsi_lib.c:695
[<ffffffff81d7f3c5>] scsi_io_completion+0x275/0x1810
drivers/scsi/scsi_lib.c:918
[<ffffffff81d62b84>] scsi_finish_command+0x3a4/0x520
drivers/scsi/scsi.c:607
[<ffffffff81d7d919>] scsi_softirq_done+0x259/0x370
drivers/scsi/scsi_lib.c:1654
[<ffffffff81a5f098>] blk_done_softirq+0x258/0x3a0 block/blk-softirq.c:35
[<ffffffff8271bb16>] __do_softirq+0x226/0xa3f kernel/softirq.c:273
[<ffffffff810e1a8a>] invoke_softirq kernel/softirq.c:350 [inline]
[<ffffffff810e1a8a>] irq_exit+0x10a/0x150 kernel/softirq.c:391
[<ffffffff8271b111>] exiting_irq arch/x86/include/asm/apic.h:652 [inline]
[<ffffffff8271b111>] do_IRQ+0x111/0x1d0 arch/x86/kernel/irq.c:251
[<ffffffff8271971d>] common_interrupt+0x9d/0x9d
arch/x86/entry/entry_64.S:623
<EOI> [<ffffffff8115d36b>] ? preempt_count_add+0x3b/0x1d0
kernel/sched/core.c:3069
[<ffffffff812aef73>] is_module_text_address+0x13/0x50 kernel/module.c:4107
[<ffffffff8112f548>] __kernel_text_address+0x68/0xa0 kernel/extable.c:103
[<ffffffff81013549>] print_context_stack+0x59/0xd0
arch/x86/kernel/dumpstack.c:107
[<ffffffff81012bb9>] dump_trace+0x179/0x390
arch/x86/kernel/dumpstack_64.c:243
[<ffffffff8102e3c6>] save_stack_trace+0x26/0x50
arch/x86/kernel/stacktrace.c:63
[<ffffffff81484820>] save_stack mm/kasan/kasan.c:512 [inline]
[<ffffffff81484820>] set_track mm/kasan/kasan.c:524 [inline]
[<ffffffff81484820>] kasan_slab_free+0xb0/0x190 mm/kasan/kasan.c:589
[<ffffffff81481c44>] slab_free_hook mm/slub.c:1383 [inline]
[<ffffffff81481c44>] slab_free_freelist_hook mm/slub.c:1405 [inline]
[<ffffffff81481c44>] slab_free mm/slub.c:2859 [inline]
[<ffffffff81481c44>] kfree+0xf4/0x310 mm/slub.c:3749
[<ffffffff8153464a>] iter_file_splice_write+0x4da/0xb30 fs/splice.c:1053
[<ffffffff81530c16>] do_splice_from fs/splice.c:1128 [inline]
[<ffffffff81530c16>] direct_splice_actor+0x126/0x1a0 fs/splice.c:1294
[<ffffffff8153252e>] splice_direct_to_actor+0x2ce/0x850 fs/splice.c:1247
[<ffffffff81532c55>] do_splice_direct+0x1a5/0x260 fs/splice.c:1337
[<ffffffff8149a2fd>] do_sendfile+0x4ed/0xba0 fs/read_write.c:1229
[<ffffffff8149c474>] C_SYSC_sendfile fs/read_write.c:1311 [inline]
[<ffffffff8149c474>] compat_SyS_sendfile+0x144/0x160 fs/read_write.c:1294
[<ffffffff8100603d>] do_syscall_32_irqs_on arch/x86/entry/common.c:330
[inline]
[<ffffffff8100603d>] do_fast_syscall_32+0x32d/0xa90
arch/x86/entry/common.c:397
[<ffffffff8271a350>] sysenter_flags_fixed+0xd/0x1a
BUG: sleeping function called from invalid context at fs/buffer.c:1395
in_atomic(): 1, irqs_disabled(): 0, pid: 3197, name: syz-executor.4
INFO: lockdep is turned off.
Preemption disabled at:[<ffffffff8102e3c6>] save_stack_trace+0x26/0x50
arch/x86/kernel/stacktrace.c:63

CPU: 1 PID: 3197 Comm: syz-executor.4 Not tainted 4.4.174+ #17
0000000000000000 ac77befc5d002042 ffff8801db7076a8 ffffffff81aad1a1
ffff8800bac897c0 0000000000000101 ffff8800bac897c0 0000000000000101
ffff8800bac897c0 ffff8801db7076e0 ffffffff813a6f33 ffff8800bac897c0
Call Trace:
<IRQ> [<ffffffff81aad1a1>] __dump_stack lib/dump_stack.c:15 [inline]
<IRQ> [<ffffffff81aad1a1>] dump_stack+0xc1/0x120 lib/dump_stack.c:51
[<ffffffff813a6f33>] ___might_sleep.cold+0x1c6/0x1dc
kernel/sched/core.c:7988
[<ffffffff81159d30>] __might_sleep+0x90/0x1a0 kernel/sched/core.c:7948
[<ffffffff815435a1>] __getblk_gfp+0x41/0x80 fs/buffer.c:1395
[<ffffffff81644432>] sb_getblk include/linux/buffer_head.h:313 [inline]
[<ffffffff81644432>] __ext4_get_inode_loc+0x332/0xfb0 fs/ext4/inode.c:4054
[<ffffffff8165261d>] ext4_write_inode+0x21d/0x3d0 fs/ext4/inode.c:4808
[<ffffffff81526d0a>] write_inode fs/fs-writeback.c:1145 [inline]
[<ffffffff81526d0a>] __writeback_single_inode+0x51a/0x1380
fs/fs-writeback.c:1343
[<ffffffff8152a8e6>] writeback_single_inode+0x256/0x450
fs/fs-writeback.c:1397
[<ffffffff8152abd3>] sync_inode fs/fs-writeback.c:2391 [inline]
[<ffffffff8152abd3>] sync_inode_metadata+0xc3/0x100 fs/fs-writeback.c:2411
[<ffffffff8151362e>] __generic_file_fsync+0x14e/0x1c0 fs/libfs.c:951
[<ffffffff81513718>] generic_file_fsync+0x78/0x120 fs/libfs.c:977
[<ffffffff81635822>] ext4_sync_file+0x772/0xf10 fs/ext4/fsync.c:109
[<ffffffff81538fd1>] vfs_fsync_range+0x111/0x260 fs/sync.c:195
[<ffffffff815534d6>] generic_write_sync include/linux/fs.h:2517 [inline]
[<ffffffff815534d6>] dio_complete+0x3e6/0x720 fs/direct-io.c:266
[<ffffffff81553986>] dio_bio_end_aio+0x176/0x3f0 fs/direct-io.c:312
[<ffffffff81a22de7>] bio_endio+0x187/0x1e0 block/bio.c:1786
[<ffffffff81a41d37>] req_bio_endio block/blk-core.c:157 [inline]
[<ffffffff81a41d37>] blk_update_request+0x267/0xa50 block/blk-core.c:2653
[<ffffffff81d76bbc>] scsi_end_request+0x9c/0x5d0
drivers/scsi/scsi_lib.c:695
[<ffffffff81d7f3c5>] scsi_io_completion+0x275/0x1810
drivers/scsi/scsi_lib.c:918
[<ffffffff81d62b84>] scsi_finish_command+0x3a4/0x520
drivers/scsi/scsi.c:607
[<ffffffff81d7d919>] scsi_softirq_done+0x259/0x370
drivers/scsi/scsi_lib.c:1654
[<ffffffff81a5f098>] blk_done_softirq+0x258/0x3a0 block/blk-softirq.c:35
[<ffffffff8271bb16>] __do_softirq+0x226/0xa3f kernel/softirq.c:273
[<ffffffff810e1a8a>] invoke_softirq kernel/softirq.c:350 [inline]
[<ffffffff810e1a8a>] irq_exit+0x10a/0x150 kernel/softirq.c:391
[<ffffffff8271b111>] exiting_irq arch/x86/include/asm/apic.h:652 [inline]
[<ffffffff8271b111>] do_IRQ+0x111/0x1d0 arch/x86/kernel/irq.c:251
[<ffffffff8271971d>] common_interrupt+0x9d/0x9d
arch/x86/entry/entry_64.S:623
<EOI> [<ffffffff8115d36b>] ? preempt_count_add+0x3b/0x1d0
kernel/sched/core.c:3069
[<ffffffff812aef73>] is_module_text_address+0x13/0x50 kernel/module.c:4107
[<ffffffff8112f548>] __kernel_text_address+0x68/0xa0 kernel/extable.c:103
[<ffffffff81013549>] print_context_stack+0x59/0xd0
arch/x86/kernel/dumpstack.c:107
[<ffffffff81012bb9>] dump_trace+0x179/0x390
arch/x86/kernel/dumpstack_64.c:243
[<ffffffff8102e3c6>] save_stack_trace+0x26/0x50
arch/x86/kernel/stacktrace.c:63
[<ffffffff81484820>] save_stack mm/kasan/kasan.c:512 [inline]
[<ffffffff81484820>] set_track mm/kasan/kasan.c:524 [inline]
[<ffffffff81484820>] kasan_slab_free+0xb0/0x190 mm/kasan/kasan.c:589
[<ffffffff81481c44>] slab_free_hook mm/slub.c:1383 [inline]
[<ffffffff81481c44>] slab_free_freelist_hook mm/slub.c:1405 [inline]
[<ffffffff81481c44>] slab_free mm/slub.c:2859 [inline]
[<ffffffff81481c44>] kfree+0xf4/0x310 mm/slub.c:3749
[<ffffffff8153464a>] iter_file_splice_write+0x4da/0xb30 fs/splice.c:1053
[<ffffffff81530c16>] do_splice_from fs/splice.c:1128 [inline]
[<ffffffff81530c16>] direct_splice_actor+0x126/0x1a0 fs/splice.c:1294
[<ffffffff8153252e>] splice_direct_to_actor+0x2ce/0x850 fs/splice.c:1247
[<ffffffff81532c55>] do_splice_direct+0x1a5/0x260 fs/splice.c:1337
[<ffffffff8149a2fd>] do_sendfile+0x4ed/0xba0 fs/read_write.c:1229
[<ffffffff8149c474>] C_SYSC_sendfile fs/read_write.c:1311 [inline]
[<ffffffff8149c474>] compat_SyS_sendfile+0x144/0x160 fs/read_write.c:1294
[<ffffffff8100603d>] do_syscall_32_irqs_on arch/x86/entry/common.c:330
[inline]
[<ffffffff8100603d>] do_fast_syscall_32+0x32d/0xa90
arch/x86/entry/common.c:397
[<ffffffff8271a350>] sysenter_flags_fixed+0xd/0x1a
BUG: scheduling while atomic: syz-executor.4/3197/0x00000102
INFO: lockdep is turned off.
Modules linked in:
Preemption disabled at:[<ffffffff8102e3c6>] save_stack_trace+0x26/0x50
arch/x86/kernel/stacktrace.c:63

CPU: 1 PID: 3197 Comm: syz-executor.4 Not tainted 4.4.174+ #17
0000000000000000 ac77befc5d002042 ffff8801db7073e8 ffffffff81aad1a1
0000000000000000 ffff8800bac897c0 0000000000000102 0000000000000001
000000000001e880 ffff8801db707408 ffffffff813a6fa9 ffff8801db71e880
Call Trace:
<IRQ> [<ffffffff81aad1a1>] __dump_stack lib/dump_stack.c:15 [inline]
<IRQ> [<ffffffff81aad1a1>] dump_stack+0xc1/0x120 lib/dump_stack.c:51
[<ffffffff813a6fa9>] __schedule_bug.cold+0x60/0x71 kernel/sched/core.c:3138
[<ffffffff82708bdb>] schedule_debug kernel/sched/core.c:3153 [inline]
[<ffffffff82708bdb>] __schedule+0x118b/0x1ee0 kernel/sched/core.c:3265
[<ffffffff82709b79>] schedule+0x99/0x1d0 kernel/sched/core.c:3355
[<ffffffff82715c4b>] schedule_timeout+0x47b/0x7c0 kernel/time/timer.c:1515
[<ffffffff8270787a>] io_schedule_timeout+0x1ba/0x390
kernel/sched/core.c:4937
[<ffffffff8270ad93>] io_schedule include/linux/sched.h:447 [inline]
[<ffffffff8270ad93>] bit_wait_io+0x23/0xc0 kernel/sched/wait.c:595
[<ffffffff8270a58d>] __wait_on_bit+0xbd/0x140 kernel/sched/wait.c:395
[<ffffffff8270a6f2>] out_of_line_wait_on_bit+0xe2/0x120
kernel/sched/wait.c:408
[<ffffffff8153f02e>] wait_on_bit_io include/linux/wait.h:1015 [inline]
[<ffffffff8153f02e>] __wait_on_buffer+0x5e/0x80 fs/buffer.c:123
[<ffffffff8154a04e>] wait_on_buffer include/linux/buffer_head.h:342
[inline]
[<ffffffff8154a04e>] __sync_dirty_buffer+0x17e/0x1d0 fs/buffer.c:3143
[<ffffffff8154a0bb>] sync_dirty_buffer+0x1b/0x20 fs/buffer.c:3155
[<ffffffff8165276c>] ext4_write_inode+0x36c/0x3d0 fs/ext4/inode.c:4816
[<ffffffff81526d0a>] write_inode fs/fs-writeback.c:1145 [inline]
[<ffffffff81526d0a>] __writeback_single_inode+0x51a/0x1380
fs/fs-writeback.c:1343
[<ffffffff8152a8e6>] writeback_single_inode+0x256/0x450
fs/fs-writeback.c:1397
[<ffffffff8152abd3>] sync_inode fs/fs-writeback.c:2391 [inline]
[<ffffffff8152abd3>] sync_inode_metadata+0xc3/0x100 fs/fs-writeback.c:2411
[<ffffffff8151362e>] __generic_file_fsync+0x14e/0x1c0 fs/libfs.c:951
[<ffffffff81513718>] generic_file_fsync+0x78/0x120 fs/libfs.c:977
[<ffffffff81635822>] ext4_sync_file+0x772/0xf10 fs/ext4/fsync.c:109
[<ffffffff81538fd1>] vfs_fsync_range+0x111/0x260 fs/sync.c:195
[<ffffffff815534d6>] generic_write_sync include/linux/fs.h:2517 [inline]
[<ffffffff815534d6>] dio_complete+0x3e6/0x720 fs/direct-io.c:266
[<ffffffff81553986>] dio_bio_end_aio+0x176/0x3f0 fs/direct-io.c:312
[<ffffffff81a22de7>] bio_endio+0x187/0x1e0 block/bio.c:1786
[<ffffffff81a41d37>] req_bio_endio block/blk-core.c:157 [inline]
[<ffffffff81a41d37>] blk_update_request+0x267/0xa50 block/blk-core.c:2653
[<ffffffff81d76bbc>] scsi_end_request+0x9c/0x5d0
drivers/scsi/scsi_lib.c:695
[<ffffffff81d7f3c5>] scsi_io_completion+0x275/0x1810
drivers/scsi/scsi_lib.c:918
[<ffffffff81d62b84>] scsi_finish_command+0x3a4/0x520
drivers/scsi/scsi.c:607
[<ffffffff81d7d919>] scsi_softirq_done+0x259/0x370
drivers/scsi/scsi_lib.c:1654
[<ffffffff81a5f098>] blk_done_softirq+0x258/0x3a0 block/blk-softirq.c:35
[<ffffffff8271bb16>] __do_softirq+0x226/0xa3f kernel/softirq.c:273
[<ffffffff810e1a8a>] invoke_softirq kernel/softirq.c:350 [inline]
[<ffffffff810e1a8a>] irq_exit+0x10a/0x150 kernel/softirq.c:391
[<ffffffff8271b111>] exiting_irq arch/x86/include/asm/apic.h:652 [inline]
[<ffffffff8271b111>] do_IRQ+0x111/0x1d0 arch/x86/kernel/irq.c:251
[<ffffffff8271971d>] common_interrupt+0x9d/0x9d
arch/x86/entry/entry_64.S:623
<EOI> [<ffffffff8115d36b>] ? preempt_count_add+0x3b/0x1d0
kernel/sched/core.c:3069
[<ffffffff812aef73>] is_module_text_address+0x13/0x50 kernel/module.c:4107
[<ffffffff8112f548>] __kernel_text_address+0x68/0xa0 kernel/extable.c:103
[<ffffffff81013549>] print_context_stack+0x59/0xd0
arch/x86/kernel/dumpstack.c:107
[<ffffffff81012bb9>] dump_trace+0x179/0x390
arch/x86/kernel/dumpstack_64.c:243
[<ffffffff8102e3c6>] save_stack_trace+0x26/0x50
arch/x86/kernel/stacktrace.c:63
[<ffffffff81484820>] save_stack mm/kasan/kasan.c:512 [inline]
[<ffffffff81484820>] set_track mm/kasan/kasan.c:524 [inline]
[<ffffffff81484820>] kasan_slab_free+0xb0/0x190 mm/kasan/kasan.c:589
[<ffffffff81481c44>] slab_free_hook mm/slub.c:1383 [inline]
[<ffffffff81481c44>] slab_free_freelist_hook mm/slub.c:1405 [inline]
[<ffffffff81481c44>] slab_free mm/slub.c:2859 [inline]
[<ffffffff81481c44>] kfree+0xf4/0x310 mm/slub.c:3749
[<ffffffff8153464a>] iter_file_splice_write+0x4da/0xb30 fs/splice.c:1053
[<ffffffff81530c16>] do_splice_from fs/splice.c:1128 [inline]
[<ffffffff81530c16>] direct_splice_actor+0x126/0x1a0 fs/splice.c:1294
[<ffffffff8153252e>] splice_direct_to_actor+0x2ce/0x850 fs/splice.c:1247
[<ffffffff81532c55>] do_splice_direct+0x1a5/0x260 fs/splice.c:1337
[<ffffffff8149a2fd>] do_sendfile+0x4ed/0xba0 fs/read_write.c:1229
[<ffffffff8149c474>] C_SYSC_sendfile fs/read_write.c:1311 [inline]
[<ffffffff8149c474>] compat_SyS_sendfile+0x144/0x160 fs/read_write.c:1294
[<ffffffff8100603d>] do_syscall_32_irqs_on arch/x86/entry/common.c:330
[inline]
[<ffffffff8100603d>] do_fast_syscall_32+0x32d/0xa90
arch/x86/entry/common.c:397
[<ffffffff8271a350>] sysenter_flags_fixed+0xd/0x1a
softirq: huh, entered softirq 4 BLOCK ffffffff81a5ee40 with preempt_count
00000101, exited with 00000000?


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Oct 25, 2019, 4:43:07 AM10/25/19
to syzkaller-a...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.