Hello,
syzbot found the following crash on:
HEAD commit: 62872f95 Merge 4.4.174 into android-4.4
git tree: android-4.4
console output: https://syzkaller.appspot.com/x/log.txt?x=11717788a00000
kernel config: https://syzkaller.appspot.com/x/.config?x=47bc4dd423780c4a
dashboard link: https://syzkaller.appspot.com/bug?extid=50cd10c782465e1e58f6
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+50cd10...@syzkaller.appspotmail.com
INFO: task kworker/u4:5:2214 blocked for more than 140 seconds.
Not tainted 4.4.174+ #4
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
kworker/u4:5 D ffff8800bafe7968 26000 2214 2 0x80000000
Workqueue: netns cleanup_net
ffff8800bafe7968 ffff8800ba562f80 d14d1c62f37f2f7a ffff8800ba562f80
0000000000000002 ffff8800ba563800 ffff8801db71f180 ffff8801db71f1a8
ffff8801db71e898 ffff880093b397c0 ffff8800ba562f80 ffffed00175fc001
Call Trace:
[<ffffffff82709b79>] schedule+0x99/0x1d0 kernel/sched/core.c:3355
[<ffffffff8270a333>] schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:3388
[<ffffffff8270c492>] __mutex_lock_common kernel/locking/mutex.c:582 [inline]
[<ffffffff8270c492>] mutex_lock_nested+0x3c2/0xb80 kernel/locking/mutex.c:621
[<ffffffff8221a971>] cleanup_net+0x131/0x860 net/core/net_namespace.c:418
[<ffffffff81122c25>] process_one_work+0x825/0x1720 kernel/workqueue.c:2064
[<ffffffff81124004>] worker_thread+0x4e4/0xf50 kernel/workqueue.c:2196
[<ffffffff811342c3>] kthread+0x273/0x310 kernel/kthread.c:211
[<ffffffff82718fc5>] ret_from_fork+0x55/0x80 arch/x86/entry/entry_64.S:537
3 locks held by kworker/u4:5/2214:
#0: ("%s""netns"){.+.+.+}, at: [<ffffffff81122b0a>] process_one_work+0x70a/0x1720 kernel/workqueue.c:2057
#1: (net_cleanup_work){+.+.+.}, at: [<ffffffff81122b42>] process_one_work+0x742/0x1720 kernel/workqueue.c:2061
#2: (net_mutex){+.+.+.}, at: [<ffffffff8221a971>] cleanup_net+0x131/0x860 net/core/net_namespace.c:418
Sending NMI to all CPUs:
NMI backtrace for cpu 0
CPU: 0 PID: 20 Comm: khungtaskd Not tainted 4.4.174+ #4
task: ffff8801da6c4740 task.stack: ffff8801d9ef0000
RIP: 0010:[<ffffffff8109b617>] [<ffffffff8109b617>] _flat_send_IPI_mask arch/x86/kernel/apic/apic_flat_64.c:62 [inline]
RIP: 0010:[<ffffffff8109b617>] [<ffffffff8109b617>] flat_send_IPI_mask+0xf7/0x1b0 arch/x86/kernel/apic/apic_flat_64.c:69
RSP: 0018:ffff8801d9ef7c88 EFLAGS: 00000046
RAX: 0000000000000000 RBX: 0000000000000c00 RCX: 0000000000000000
RDX: 0000000000000c00 RSI: 0000000000000000 RDI: ffffffffff5fc300
RBP: ffff8801d9ef7cb8 R08: 0000000000000018 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000246
R13: 0000000003000000 R14: ffffffff82e5f2e0 R15: 0000000000000002
FS: 0000000000000000(0000) GS:ffff8801db600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000003 CR3: 000000008ff6b000 CR4: 00000000001606b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
0000000000000001 ffffffff82e5f2e0 ffffffff831a6ac0 fffffbfff0634c34
000000000001b6c0 0000000000000008 ffff8801d9ef7cd8 ffffffff81092bee
0000000000000008 ffffffff82924260 ffff8801d9ef7d30 ffffffff81ab8252
Call Trace:
[<ffffffff81092bee>] nmi_raise_cpu_backtrace+0x5e/0x80 arch/x86/kernel/apic/hw_nmi.c:33
[<ffffffff81ab8252>] nmi_trigger_all_cpu_backtrace.cold+0xa1/0xae lib/nmi_backtrace.c:85
[<ffffffff81092ca4>] arch_trigger_all_cpu_backtrace+0x14/0x20 arch/x86/kernel/apic/hw_nmi.c:38
[<ffffffff813b4762>] trigger_all_cpu_backtrace include/linux/nmi.h:44 [inline]
[<ffffffff813b4762>] check_hung_task kernel/hung_task.c:125 [inline]
[<ffffffff813b4762>] check_hung_uninterruptible_tasks kernel/hung_task.c:182 [inline]
[<ffffffff813b4762>] watchdog.cold+0xd3/0xee kernel/hung_task.c:238
[<ffffffff811342c3>] kthread+0x273/0x310 kernel/kthread.c:211
[<ffffffff82718fc5>] ret_from_fork+0x55/0x80 arch/x86/entry/entry_64.S:537
Code: 00 c3 5f ff 80 e6 10 75 e1 41 c1 e5 18 44 89 2c 25 10 c3 5f ff 44 89 fa 09 da 80 cf 04 41 83 ff 02 0f 44 d3 89 14 25 00 c3 5f ff <41> f7 c4 00 02 00 00 75 1e 4c 89 e7 57 9d 0f 1f 44 00 00 e8 f1
NMI backtrace for cpu 1
CPU: 1 PID: 7849 Comm: syz-executor.2 Not tainted 4.4.174+ #4
task: ffff8801acb74740 task.stack: ffff880191b50000
RIP: 0010:[<ffffffff812aef93>] [<ffffffff812aef93>] is_module_text_address+0x33/0x50 kernel/module.c:4109
RSP: 0000:ffff880191b57188 EFLAGS: 00000293
RAX: 0000000080000001 RBX: ffff8801a6d62240 RCX: 0000000000000000
RDX: 0000000000000004 RSI: ffff8801a6d62240 RDI: 0000000000000001
RBP: ffff880191b57190 R08: ffff880191b572b8 R09: 0000000000000000
R10: ffff880191b57918 R11: 0000000000000000 R12: ffff8801a6d62200
R13: ffff880191b572b8 R14: ffff880191b57ff8 R15: ffff880191b50000
FS: 00007f6ac5304700(0000) GS:ffff8801db700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000003 CR3: 000000019c8a5000 CR4: 00000000001606b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
0000000000000000 ffff880191b571a8 ffffffff8112f548 ffff880191b57888
ffff880191b57200 ffffffff81013549 ffff8801a6d62240 ffff880191b57918
ffff880191b57918 ffffffff8280f0b0 ffff880191b572b8 ffffffff8280f0b0
Call Trace:
[<ffffffff8112f548>] __kernel_text_address+0x68/0xa0 kernel/extable.c:103
[<ffffffff81013549>] print_context_stack+0x59/0xd0 arch/x86/kernel/dumpstack.c:107
[<ffffffff81012bb9>] dump_trace+0x179/0x390 arch/x86/kernel/dumpstack_64.c:243
[<ffffffff8102e3c6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63
[<ffffffff81483f22>] save_stack mm/kasan/kasan.c:512 [inline]
[<ffffffff81483f22>] set_track mm/kasan/kasan.c:524 [inline]
[<ffffffff81483f22>] kasan_kmalloc.part.0+0x62/0xf0 mm/kasan/kasan.c:616
[<ffffffff81484197>] kasan_kmalloc+0xb7/0xd0 mm/kasan/kasan.c:601
[<ffffffff8148475f>] kasan_slab_alloc+0xf/0x20 mm/kasan/kasan.c:554
[<ffffffff81483505>] slab_post_alloc_hook mm/slub.c:1349 [inline]
[<ffffffff81483505>] slab_alloc_node mm/slub.c:2615 [inline]
[<ffffffff81483505>] slab_alloc mm/slub.c:2623 [inline]
[<ffffffff81483505>] __kmalloc_track_caller+0xf5/0x2e0 mm/slub.c:4153
[<ffffffff821f79a3>] __kmalloc_reserve.isra.0+0x33/0xc0 net/core/skbuff.c:137
[<ffffffff821f7b50>] __alloc_skb+0x120/0x5d0 net/core/skbuff.c:230
[<ffffffff81ab5f52>] alloc_skb include/linux/skbuff.h:820 [inline]
[<ffffffff81ab5f52>] kobject_uevent_env+0x582/0xba0 lib/kobject_uevent.c:300
[<ffffffff81ab6590>] kobject_uevent+0x20/0x30 lib/kobject_uevent.c:374
[<ffffffff8229431c>] netdev_queue_add_kobject net/core/net-sysfs.c:1296 [inline]
[<ffffffff8229431c>] netdev_queue_update_kobjects+0x1bc/0x290 net/core/net-sysfs.c:1314
[<ffffffff8229473b>] netdev_register_kobject+0x23
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See: https://goo.gl/tpsmEJ#status for how to communicate with syzbot.