Hello,
syzbot found the following crash on:
HEAD commit: 8fe42840 Merge 4.9.141 into android-4.9
git tree: android-4.9
console output: https://syzkaller.appspot.com/x/log.txt?x=139bd5c1600000
kernel config: https://syzkaller.appspot.com/x/.config?x=22a5ba9f73b6da1d
dashboard link: https://syzkaller.appspot.com/bug?extid=e02134477c158428c7ba
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
userspace arch: i386
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+e02134...@syzkaller.appspotmail.com
INFO: task syz-executor.3:16091 blocked for more than 140 seconds.
Not tainted 4.9.141+ #23
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor.3 D29816 16091 16088 0x20020000
ffff8801c533df00 ffff8801ce0f3700 ffff8801ce0f5280 ffff8801d1cac740
ffff8801db621018 ffff8801c8767b80 ffffffff828075c2 ffffffff842cf948
ffffffff83ce1880 ffff8801c533e7d8 00000000000061b2 ffff8801db6218f0
Call Trace:
[<ffffffff82808aef>] schedule+0x7f/0x1b0 kernel/sched/core.c:3553
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=769
sclass=netlink_route_socket pig=24092 comm=syz-executor.5
[<ffffffff828142d5>] schedule_timeout+0x735/0xe20 kernel/time/timer.c:1771
[<ffffffff8280a63f>] do_wait_for_common kernel/sched/completion.c:75
[inline]
[<ffffffff8280a63f>] __wait_for_common kernel/sched/completion.c:93
[inline]
[<ffffffff8280a63f>] wait_for_common+0x3ef/0x5d0
kernel/sched/completion.c:101
futex_wake_op: syz-executor.5 tries to shift op by 1024; fix this program
[<ffffffff8280a838>] wait_for_completion+0x18/0x20
kernel/sched/completion.c:122
[<ffffffff815ff490>] SYSC_io_destroy fs/aio.c:1414 [inline]
[<ffffffff815ff490>] SyS_io_destroy+0x2c0/0x340 fs/aio.c:1392
[<ffffffff81006311>] do_syscall_32_irqs_on arch/x86/entry/common.c:328
[inline]
[<ffffffff81006311>] do_fast_syscall_32+0x2f1/0xa10
arch/x86/entry/common.c:390
[<ffffffff82818de0>] entry_SYSENTER_compat+0x90/0xa2
arch/x86/entry/entry_64_compat.S:137
Showing all locks held in the system:
2 locks held by kworker/0:1/23:
#0: ("events"){.+.+.+}, at: [<ffffffff81130f0c>]
process_one_work+0x73c/0x15f0 kernel/workqueue.c:2085
#1: ((&rew.rew_work)){+.+...}, at: [<ffffffff81130f44>]
process_one_work+0x774/0x15f0 kernel/workqueue.c:2089
2 locks held by khungtaskd/24:
#0: (rcu_read_lock){......}, at: [<ffffffff8131c0cc>]
check_hung_uninterruptible_tasks kernel/hung_task.c:168 [inline]
#0: (rcu_read_lock){......}, at: [<ffffffff8131c0cc>]
watchdog+0x11c/0xa20 kernel/hung_task.c:239
#1: (tasklist_lock){.+.+..}, at: [<ffffffff813fe63f>]
debug_show_all_locks+0x79/0x218 kernel/locking/lockdep.c:4336
2 locks held by getty/2025:
#0: (&tty->ldisc_sem){++++++}, at: [<ffffffff82815952>]
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
#1: (&ldata->atomic_read_lock){+.+...}, at: [<ffffffff81d37362>]
n_tty_read+0x202/0x16e0 drivers/tty/n_tty.c:2142
4 locks held by kworker/u4:8/16249:
#0: ("%s""netns"){.+.+.+}, at: [<ffffffff81130f0c>]
process_one_work+0x73c/0x15f0 kernel/workqueue.c:2085
#1: (net_cleanup_work){+.+.+.}, at: [<ffffffff81130f44>]
process_one_work+0x774/0x15f0 kernel/workqueue.c:2089
#2: (net_mutex){+.+.+.}, at: [<ffffffff822e681f>] cleanup_net+0x13f/0x8b0
net/core/net_namespace.c:439
#3: (rcu_preempt_state.barrier_mutex){+.+...}, at: [<ffffffff8124b1fd>]
_rcu_barrier+0x5d/0x340 kernel/rcu/tree.c:3637
1 lock held by syz-executor.0/24101:
#0: (rtnl_mutex){+.+.+.}, at: [<ffffffff823412d7>] rtnl_lock+0x17/0x20
net/core/rtnetlink.c:70
1 lock held by syz-executor.0/24105:
#0: (rtnl_mutex){+.+.+.}, at: [<ffffffff823412d7>] rtnl_lock+0x17/0x20
net/core/rtnetlink.c:70
2 locks held by syz-executor.3/24094:
#0: (rtnl_mutex){+.+.+.}, at: [<ffffffff823412d7>] rtnl_lock+0x17/0x20
net/core/rtnetlink.c:70
#1: (rcu_preempt_state.exp_mutex){+.+...}, at: [<ffffffff8124a749>]
exp_funnel_lock kernel/rcu/tree_exp.h:256 [inline]
#1: (rcu_preempt_state.exp_mutex){+.+...}, at: [<ffffffff8124a749>]
_synchronize_rcu_expedited+0x339/0x840 kernel/rcu/tree_exp.h:569
2 locks held by syz-executor.5/24108:
#0: (sb_writers#4){.+.+.+}, at: [<ffffffff815012ee>] sb_start_write
include/linux/fs.h:1573 [inline]
#0: (sb_writers#4){.+.+.+}, at: [<ffffffff815012ee>]
vfs_fallocate+0x2fe/0x620 fs/open.c:328
#1: (&sb->s_type->i_mutex_key#9){++++++}, at: [<ffffffff8178a55b>]
inode_lock include/linux/fs.h:766 [inline]
#1: (&sb->s_type->i_mutex_key#9){++++++}, at: [<ffffffff8178a55b>]
ext4_fallocate+0x1eb/0x1e80 fs/ext4/extents.c:4974
=============================================
NMI backtrace for cpu 1
CPU: 1 PID: 24 Comm: khungtaskd Not tainted 4.9.141+ #23
ffff8801d9907d08 ffffffff81b42e79 0000000000000000 0000000000000001
0000000000000001 0000000000000001 ffffffff810983b0 ffff8801d9907d40
ffffffff81b4df89 0000000000000001 0000000000000000 0000000000000003
Call Trace:
[<ffffffff81b42e79>] __dump_stack lib/dump_stack.c:15 [inline]
[<ffffffff81b42e79>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
[<ffffffff81b4df89>] nmi_cpu_backtrace.cold.0+0x48/0x87
lib/nmi_backtrace.c:99
[<ffffffff81b4df1c>] nmi_trigger_cpumask_backtrace+0x12c/0x151
lib/nmi_backtrace.c:60
[<ffffffff810984b4>] arch_trigger_cpumask_backtrace+0x14/0x20
arch/x86/kernel/apic/hw_nmi.c:37
[<ffffffff8131c65d>] trigger_all_cpu_backtrace include/linux/nmi.h:58
[inline]
[<ffffffff8131c65d>] check_hung_task kernel/hung_task.c:125 [inline]
[<ffffffff8131c65d>] check_hung_uninterruptible_tasks
kernel/hung_task.c:182 [inline]
[<ffffffff8131c65d>] watchdog+0x6ad/0xa20 kernel/hung_task.c:239
[<ffffffff81142c3d>] kthread+0x26d/0x300 kernel/kthread.c:211
[<ffffffff82817a5c>] ret_from_fork+0x5c/0x70 arch/x86/entry/entry_64.S:373
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 PID: 2092 Comm: syz-executor.3 Not tainted 4.9.141+ #23
task: ffff8801ceac17c0 task.stack: ffff8801aba20000
RIP: 0010:[<ffffffff8131ba71>]  [<ffffffff8131ba71>] preempt_count arch/x86/include/asm/preempt.h:22 [inline]
RIP: 0010:[<ffffffff8131ba71>]  [<ffffffff8131ba71>] check_kcov_mode kernel/kcov.c:66 [inline]
RIP: 0010:[<ffffffff8131ba71>]  [<ffffffff8131ba71>] __sanitizer_cov_trace_pc+0x11/0x50 kernel/kcov.c:100
RSP: 0018:ffff8801aba27848 EFLAGS: 00000296
RAX: ffff8801ceac17c0 RBX: ffff8801c8e112d8 RCX: 1ffffffff05cec80
RDX: 0000000000000000 RSI: ffffffff819e980c RDI: ffffffff84235e58
RBP: ffff8801aba27848 R08: ffff8801ceac20b8 R09: d8a1064c1ba25689
R10: ffff8801ceac17c0 R11: 0000000000000001 R12: dffffc0000000000
R13: 00000000000000cf R14: 0000000000000002 R15: 00000000000000cf
FS: 0000000000000000(0000) GS:ffff8801db600000(0063) knlGS:00000000088ca900
CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 00000000f5519db0 CR3: 00000001ab881000 CR4: 00000000001606b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
ffff8801aba27880 ffffffff819e980c 1ffff10035744f18 0000000000000004
ffff8801aba27980 0000000000000002 ffff8801aba27c98 ffff8801aba279a8
ffffffff819edabe ffffffff819eda5e ffffffff81ba7d7b ffff8801ceac203c
Call Trace:
[<ffffffff819e980c>] avc_search_node security/selinux/avc.c:582 [inline]
[<ffffffff819e980c>] avc_lookup+0xcc/0x190 security/selinux/avc.c:610
[<ffffffff819edabe>] avc_has_perm_noaudit security/selinux/avc.c:1110
[inline]
[<ffffffff819edabe>] avc_has_perm+0xfe/0x3a0 security/selinux/avc.c:1146
[<ffffffff819f7f2c>] task_has_perm+0x1fc/0x330
security/selinux/hooks.c:1615
[<ffffffff819f8083>] selinux_task_wait+0x23/0x30
security/selinux/hooks.c:3954
[<ffffffff819e6e73>] security_task_wait+0x73/0xb0 security/security.c:1032
[<ffffffff810e91f1>] wait_consider_task+0x2a1/0x3620 kernel/exit.c:1377
[<ffffffff810ec993>] do_wait_thread kernel/exit.c:1490 [inline]
[<ffffffff810ec993>] do_wait+0x423/0x950 kernel/exit.c:1561
[<ffffffff810eda0b>] SYSC_wait4 kernel/exit.c:1693 [inline]
[<ffffffff810eda0b>] SyS_wait4+0x12b/0x1f0 kernel/exit.c:1658
[<ffffffff812bf054>] C_SYSC_wait4 kernel/compat.c:543 [inline]
[<ffffffff812bf054>] compat_SyS_wait4+0x254/0x290 kernel/compat.c:536
[<ffffffff810c6305>] sys32_waitpid+0x25/0x30 arch/x86/ia32/sys_ia32.c:172
[<ffffffff81006311>] do_syscall_32_irqs_on arch/x86/entry/common.c:328
[inline]
[<ffffffff81006311>] do_fast_syscall_32+0x2f1/0xa10
arch/x86/entry/common.c:390
[<ffffffff82818de0>] entry_SYSENTER_compat+0x90/0xa2
arch/x86/entry/entry_64_compat.S:137
Code: e8 15 76 1d 00 e9 9e fe ff ff 4c 89 e7 e8 08 76 1d 00 e9 23 fe ff ff 0f 1f 00 55 48 89 e5 48 8b 75 08 65 48 8b 04 25 00 7e 01 00 <65> 8b 15 18 c3 cf 7e 81 e2 00 01 1f 00 75 2b 8b 90 38 12 00 00
futex_wake_op: syz-executor.5 tries to shift op by 1024; fix this program