[syzbot] [sound?] possible deadlock in snd_pcm_period_elapsed (4)


syzbot

Mar 15, 2024, 6:00:32 AM
to linux-...@vger.kernel.org, linux...@vger.kernel.org, pe...@perex.cz, syzkall...@googlegroups.com, ti...@suse.com
Hello,

syzbot found the following issue on:

HEAD commit: fe46a7dd189e Merge tag 'sound-6.9-rc1' of git://git.kernel..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=14edc2be180000
kernel config: https://syzkaller.appspot.com/x/.config?x=4d90a36f0cab495a
dashboard link: https://syzkaller.appspot.com/bug?extid=28c1a5a5b041a754b947
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14835185180000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1132fbfa180000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/72ab73815344/disk-fe46a7dd.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/2d6d6b0d7071/vmlinux-fe46a7dd.xz
kernel image: https://storage.googleapis.com/syzbot-assets/48e275e5478b/bzImage-fe46a7dd.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+28c1a5...@syzkaller.appspotmail.com

========================================================
WARNING: possible irq lock inversion dependency detected
6.8.0-syzkaller-08951-gfe46a7dd189e #0 Not tainted
--------------------------------------------------------
swapper/1/0 just changed the state of lock:
ffff8880298e6110 (&group->lock#2){..-.}-{2:2}, at: class_pcm_stream_lock_irqsave_constructor include/sound/pcm.h:669 [inline]
ffff8880298e6110 (&group->lock#2){..-.}-{2:2}, at: snd_pcm_period_elapsed+0x21/0x50 sound/core/pcm_lib.c:1904
but this lock took another, SOFTIRQ-unsafe lock in the past:
(&timer->lock){+.+.}-{2:2}


and interrupts could create inverse lock ordering between them.


other info that might help us debug this:
Possible interrupt unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&timer->lock);
                               local_irq_disable();
                               lock(&group->lock#2);
                               lock(&timer->lock);
  <Interrupt>
    lock(&group->lock#2);

*** DEADLOCK ***

no locks held by swapper/1/0.

the shortest dependencies between 2nd lock and 1st lock:
-> (&timer->lock){+.+.}-{2:2} {
HARDIRQ-ON-W at:
lock_acquire+0x1e4/0x530 kernel/locking/lockdep.c:5754
__raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
_raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:351 [inline]
class_spinlock_constructor include/linux/spinlock.h:561 [inline]
snd_timer_close_locked+0x53/0x8d0 sound/core/timer.c:412
snd_timer_close+0xae/0x130 sound/core/timer.c:464
snd_seq_timer_close+0xa9/0xe0 sound/core/seq/seq_timer.c:302
queue_delete sound/core/seq/seq_queue.c:126 [inline]
snd_seq_queue_delete+0x8f/0xf0 sound/core/seq/seq_queue.c:188
delete_seq_queue sound/core/seq/oss/seq_oss_init.c:371 [inline]
snd_seq_oss_release+0x1d3/0x310 sound/core/seq/oss/seq_oss_init.c:416
odev_release+0x56/0x80 sound/core/seq/oss/seq_oss.c:144
__fput+0x429/0x8a0 fs/file_table.c:422
task_work_run+0x24f/0x310 kernel/task_work.c:180
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0xa1b/0x27e0 kernel/exit.c:878
do_group_exit+0x207/0x2c0 kernel/exit.c:1027
__do_sys_exit_group kernel/exit.c:1038 [inline]
__se_sys_exit_group kernel/exit.c:1036 [inline]
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1036
do_syscall_64+0xfb/0x240
entry_SYSCALL_64_after_hwframe+0x6d/0x75
SOFTIRQ-ON-W at:
lock_acquire+0x1e4/0x530 kernel/locking/lockdep.c:5754
__raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
_raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:351 [inline]
class_spinlock_constructor include/linux/spinlock.h:561 [inline]
snd_timer_close_locked+0x53/0x8d0 sound/core/timer.c:412
snd_timer_close+0xae/0x130 sound/core/timer.c:464
snd_seq_timer_close+0xa9/0xe0 sound/core/seq/seq_timer.c:302
queue_delete sound/core/seq/seq_queue.c:126 [inline]
snd_seq_queue_delete+0x8f/0xf0 sound/core/seq/seq_queue.c:188
delete_seq_queue sound/core/seq/oss/seq_oss_init.c:371 [inline]
snd_seq_oss_release+0x1d3/0x310 sound/core/seq/oss/seq_oss_init.c:416
odev_release+0x56/0x80 sound/core/seq/oss/seq_oss.c:144
__fput+0x429/0x8a0 fs/file_table.c:422
task_work_run+0x24f/0x310 kernel/task_work.c:180
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0xa1b/0x27e0 kernel/exit.c:878
do_group_exit+0x207/0x2c0 kernel/exit.c:1027
__do_sys_exit_group kernel/exit.c:1038 [inline]
__se_sys_exit_group kernel/exit.c:1036 [inline]
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1036
do_syscall_64+0xfb/0x240
entry_SYSCALL_64_after_hwframe+0x6d/0x75
INITIAL USE at:
lock_acquire+0x1e4/0x530 kernel/locking/lockdep.c:5754
__raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
_raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:351 [inline]
class_spinlock_constructor include/linux/spinlock.h:561 [inline]
snd_timer_close_locked+0x53/0x8d0 sound/core/timer.c:412
snd_timer_close+0xae/0x130 sound/core/timer.c:464
snd_seq_timer_close+0xa9/0xe0 sound/core/seq/seq_timer.c:302
queue_delete sound/core/seq/seq_queue.c:126 [inline]
snd_seq_queue_delete+0x8f/0xf0 sound/core/seq/seq_queue.c:188
delete_seq_queue sound/core/seq/oss/seq_oss_init.c:371 [inline]
snd_seq_oss_release+0x1d3/0x310 sound/core/seq/oss/seq_oss_init.c:416
odev_release+0x56/0x80 sound/core/seq/oss/seq_oss.c:144
__fput+0x429/0x8a0 fs/file_table.c:422
task_work_run+0x24f/0x310 kernel/task_work.c:180
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0xa1b/0x27e0 kernel/exit.c:878
do_group_exit+0x207/0x2c0 kernel/exit.c:1027
__do_sys_exit_group kernel/exit.c:1038 [inline]
__se_sys_exit_group kernel/exit.c:1036 [inline]
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1036
do_syscall_64+0xfb/0x240
entry_SYSCALL_64_after_hwframe+0x6d/0x75
}
... key at: [<ffffffff9485efe0>] snd_timer_new.__key+0x0/0x20
... acquired at:
lock_acquire+0x1e4/0x530 kernel/locking/lockdep.c:5754
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162
class_spinlock_irqsave_constructor include/linux/spinlock.h:574 [inline]
snd_timer_notify+0x103/0x3d0 sound/core/timer.c:1040
snd_pcm_action sound/core/pcm_native.c:1370 [inline]
snd_pcm_start+0x3fa/0x4c0 sound/core/pcm_native.c:1478
__snd_pcm_lib_xfer+0x18bf/0x1e30 sound/core/pcm_lib.c:2371
snd_pcm_oss_write3+0x1c4/0x350 sound/core/oss/pcm_oss.c:1242
snd_pcm_plug_write_transfer+0x2ff/0x530 sound/core/oss/pcm_plugin.c:630
snd_pcm_oss_write2 sound/core/oss/pcm_oss.c:1374 [inline]
snd_pcm_oss_sync1+0x2fe/0x7b0 sound/core/oss/pcm_oss.c:1616
snd_pcm_oss_sync+0x7cd/0xc30 sound/core/oss/pcm_oss.c:1681
snd_pcm_oss_release+0x11e/0x280 sound/core/oss/pcm_oss.c:2575
__fput+0x429/0x8a0 fs/file_table.c:422
task_work_run+0x24f/0x310 kernel/task_work.c:180
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0xa1b/0x27e0 kernel/exit.c:878
do_group_exit+0x207/0x2c0 kernel/exit.c:1027
__do_sys_exit_group kernel/exit.c:1038 [inline]
__se_sys_exit_group kernel/exit.c:1036 [inline]
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1036
do_syscall_64+0xfb/0x240
entry_SYSCALL_64_after_hwframe+0x6d/0x75

-> (&group->lock#2){..-.}-{2:2} {
IN-SOFTIRQ-W at:
lock_acquire+0x1e4/0x530 kernel/locking/lockdep.c:5754
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162
class_pcm_stream_lock_irqsave_constructor include/sound/pcm.h:669 [inline]
snd_pcm_period_elapsed+0x21/0x50 sound/core/pcm_lib.c:1904
dummy_hrtimer_callback+0x7f/0x180 sound/drivers/dummy.c:385
__run_hrtimer kernel/time/hrtimer.c:1692 [inline]
__hrtimer_run_queues+0x595/0xd00 kernel/time/hrtimer.c:1756
hrtimer_run_softirq+0x19a/0x2c0 kernel/time/hrtimer.c:1773
__do_softirq+0x2bc/0x943 kernel/softirq.c:554
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu+0xf2/0x1c0 kernel/softirq.c:633
irq_exit_rcu+0x9/0x30 kernel/softirq.c:645
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
native_safe_halt arch/x86/include/asm/irqflags.h:48 [inline]
arch_safe_halt arch/x86/include/asm/irqflags.h:86 [inline]
acpi_safe_halt+0x21/0x30 drivers/acpi/processor_idle.c:112
acpi_idle_enter+0xe4/0x140 drivers/acpi/processor_idle.c:707
cpuidle_enter_state+0x118/0x490 drivers/cpuidle/cpuidle.c:267
cpuidle_enter+0x5d/0xa0 drivers/cpuidle/cpuidle.c:388
call_cpuidle kernel/sched/idle.c:155 [inline]
cpuidle_idle_call kernel/sched/idle.c:236 [inline]
do_idle+0x375/0x5d0 kernel/sched/idle.c:332
cpu_startup_entry+0x42/0x60 kernel/sched/idle.c:430
__pfx_ap_starting+0x0/0x10 arch/x86/kernel/smpboot.c:313
common_startup_64+0x13e/0x147
INITIAL USE at:
lock_acquire+0x1e4/0x530 kernel/locking/lockdep.c:5754
__raw_spin_lock_irq include/linux/spinlock_api_smp.h:119 [inline]
_raw_spin_lock_irq+0xd3/0x120 kernel/locking/spinlock.c:170
spin_lock_irq include/linux/spinlock.h:376 [inline]
snd_pcm_group_lock_irq sound/core/pcm_native.c:97 [inline]
snd_pcm_stream_lock_irq sound/core/pcm_native.c:136 [inline]
class_pcm_stream_lock_irq_constructor include/sound/pcm.h:666 [inline]
snd_pcm_hw_params+0x201/0x1ea0 sound/core/pcm_native.c:740
snd_pcm_oss_change_params_locked+0x20d5/0x3e00 sound/core/oss/pcm_oss.c:965
snd_pcm_oss_make_ready_locked sound/core/oss/pcm_oss.c:1187 [inline]
snd_pcm_oss_write1 sound/core/oss/pcm_oss.c:1405 [inline]
snd_pcm_oss_write+0x2d5/0x11f0 sound/core/oss/pcm_oss.c:2796
vfs_write+0x2a4/0xcb0 fs/read_write.c:588
ksys_write+0x1a0/0x2c0 fs/read_write.c:643
do_syscall_64+0xfb/0x240
entry_SYSCALL_64_after_hwframe+0x6d/0x75
}
... key at: [<ffffffff9485f200>] snd_pcm_group_init.__key+0x0/0x20
... acquired at:
mark_lock+0x223/0x350 kernel/locking/lockdep.c:4678
__lock_acquire+0xbcd/0x1fd0 kernel/locking/lockdep.c:5091
lock_acquire+0x1e4/0x530 kernel/locking/lockdep.c:5754
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162
class_pcm_stream_lock_irqsave_constructor include/sound/pcm.h:669 [inline]
snd_pcm_period_elapsed+0x21/0x50 sound/core/pcm_lib.c:1904
dummy_hrtimer_callback+0x7f/0x180 sound/drivers/dummy.c:385
__run_hrtimer kernel/time/hrtimer.c:1692 [inline]
__hrtimer_run_queues+0x595/0xd00 kernel/time/hrtimer.c:1756
hrtimer_run_softirq+0x19a/0x2c0 kernel/time/hrtimer.c:1773
__do_softirq+0x2bc/0x943 kernel/softirq.c:554
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu+0xf2/0x1c0 kernel/softirq.c:633
irq_exit_rcu+0x9/0x30 kernel/softirq.c:645
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
native_safe_halt arch/x86/include/asm/irqflags.h:48 [inline]
arch_safe_halt arch/x86/include/asm/irqflags.h:86 [inline]
acpi_safe_halt+0x21/0x30 drivers/acpi/processor_idle.c:112
acpi_idle_enter+0xe4/0x140 drivers/acpi/processor_idle.c:707
cpuidle_enter_state+0x118/0x490 drivers/cpuidle/cpuidle.c:267
cpuidle_enter+0x5d/0xa0 drivers/cpuidle/cpuidle.c:388
call_cpuidle kernel/sched/idle.c:155 [inline]
cpuidle_idle_call kernel/sched/idle.c:236 [inline]
do_idle+0x375/0x5d0 kernel/sched/idle.c:332
cpu_startup_entry+0x42/0x60 kernel/sched/idle.c:430
__pfx_ap_starting+0x0/0x10 arch/x86/kernel/smpboot.c:313
common_startup_64+0x13e/0x147


stack backtrace:
CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
mark_lock_irq+0x80c/0xc20 kernel/locking/lockdep.c:4243
mark_lock+0x223/0x350 kernel/locking/lockdep.c:4678
__lock_acquire+0xbcd/0x1fd0 kernel/locking/lockdep.c:5091
lock_acquire+0x1e4/0x530 kernel/locking/lockdep.c:5754
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162
class_pcm_stream_lock_irqsave_constructor include/sound/pcm.h:669 [inline]
snd_pcm_period_elapsed+0x21/0x50 sound/core/pcm_lib.c:1904
dummy_hrtimer_callback+0x7f/0x180 sound/drivers/dummy.c:385
__run_hrtimer kernel/time/hrtimer.c:1692 [inline]
__hrtimer_run_queues+0x595/0xd00 kernel/time/hrtimer.c:1756
hrtimer_run_softirq+0x19a/0x2c0 kernel/time/hrtimer.c:1773
__do_softirq+0x2bc/0x943 kernel/softirq.c:554
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu+0xf2/0x1c0 kernel/softirq.c:633
irq_exit_rcu+0x9/0x30 kernel/softirq.c:645
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:native_irq_disable arch/x86/include/asm/irqflags.h:37 [inline]
RIP: 0010:arch_local_irq_disable arch/x86/include/asm/irqflags.h:72 [inline]
RIP: 0010:acpi_safe_halt+0x21/0x30 drivers/acpi/processor_idle.c:113
Code: 90 90 90 90 90 90 90 90 90 65 48 8b 04 25 40 d0 03 00 48 f7 00 08 00 00 00 75 10 66 90 0f 00 2d 95 ec 9b 00 f3 0f 1e fa fb f4 <fa> c3 cc cc cc cc 66 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90
RSP: 0018:ffffc90000197d08 EFLAGS: 00000246
RAX: ffff8880172b5a00 RBX: ffff88801bae3064 RCX: 0000000000011741
RDX: 0000000000000001 RSI: ffff88801bae3000 RDI: ffff88801bae3064
RBP: 000000000003a0f8 R08: ffff8880b9537d0b R09: 1ffff110172a6fa1
R10: dffffc0000000000 R11: ffffffff8b6bc600 R12: ffff88801c310000
R13: 0000000000000000 R14: 0000000000000001 R15: ffffffff8e8948a0
acpi_idle_enter+0xe4/0x140 drivers/acpi/processor_idle.c:707
cpuidle_enter_state+0x118/0x490 drivers/cpuidle/cpuidle.c:267
cpuidle_enter+0x5d/0xa0 drivers/cpuidle/cpuidle.c:388
call_cpuidle kernel/sched/idle.c:155 [inline]
cpuidle_idle_call kernel/sched/idle.c:236 [inline]
do_idle+0x375/0x5d0 kernel/sched/idle.c:332
----------------
Code disassembly (best guess):
0: 90 nop
1: 90 nop
2: 90 nop
3: 90 nop
4: 90 nop
5: 90 nop
6: 90 nop
7: 90 nop
8: 90 nop
9: 65 48 8b 04 25 40 d0 mov %gs:0x3d040,%rax
10: 03 00
12: 48 f7 00 08 00 00 00 testq $0x8,(%rax)
19: 75 10 jne 0x2b
1b: 66 90 xchg %ax,%ax
1d: 0f 00 2d 95 ec 9b 00 verw 0x9bec95(%rip) # 0x9becb9
24: f3 0f 1e fa endbr64
28: fb sti
29: f4 hlt
* 2a: fa cli <-- trapping instruction
2b: c3 ret
2c: cc int3
2d: cc int3
2e: cc int3
2f: cc int3
30: 66 0f 1f 84 00 00 00 nopw 0x0(%rax,%rax,1)
37: 00 00
39: 90 nop
3a: 90 nop
3b: 90 nop
3c: 90 nop
3d: 90 nop
3e: 90 nop
3f: 90 nop


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Takashi Iwai

Mar 15, 2024, 6:14:34 AM
to syzbot, linux-...@vger.kernel.org, linux...@vger.kernel.org, pe...@perex.cz, syzkall...@googlegroups.com, ti...@suse.com
On Fri, 15 Mar 2024 11:00:31 +0100,
syzbot wrote:
(snip)
> the shortest dependencies between 2nd lock and 1st lock:
> -> (&timer->lock){+.+.}-{2:2} {
> HARDIRQ-ON-W at:
> lock_acquire+0x1e4/0x530 kernel/locking/lockdep.c:5754
> __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
> _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
> spin_lock include/linux/spinlock.h:351 [inline]
> class_spinlock_constructor include/linux/spinlock.h:561 [inline]
> snd_timer_close_locked+0x53/0x8d0 sound/core/timer.c:412

Ouch, I incorrectly converted from spin_lock_irq() to
guard(spinlock). It should have been guard(spinlock_irq), of course.

Will submit the fix patch.


thanks,

Takashi
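To make the rule lockdep is enforcing here concrete, the following is a userspace model of the irq-inversion check, added as an example; it is not kernel code and not part of the report or this thread. It tracks the two usage bits and the one dependency that the report above shows (SOFTIRQ-ON-W on &timer->lock from snd_timer_close_locked(), &group->lock#2 taking &timer->lock under it in snd_pcm_start(), and &group->lock#2 taken from the hrtimer softirq in snd_pcm_period_elapsed()) and replays the sequence once with the guard(spinlock) conversion and once with interrupts disabled as guard(spinlock_irq) would do. The checker is a deliberate simplification of kernel/locking/lockdep.c (softirq state only, no hardirq bits, no lock-chain hashing); the names replay_report, lockdep_acquire and find_inversion are this example's own.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_LOCKS 4
enum { TIMER_LOCK, GROUP_LOCK, NLOCKS };   /* the two lock classes in the report */

struct lock_class {
    const char *name;
    bool softirq_on;       /* SOFTIRQ-ON-W: taken with softirqs enabled */
    bool in_softirq;       /* IN-SOFTIRQ-W: taken from softirq context */
    bool dep[MAX_LOCKS];   /* dep[j]: this lock was held while lock j was taken */
};

struct lockdep {
    struct lock_class cls[MAX_LOCKS];
    int nclasses;
    int held[MAX_LOCKS];   /* locks currently held, in acquisition order */
    int nheld;
    bool in_softirq;       /* current context is a softirq handler */
    bool irqs_enabled;     /* current context has interrupts enabled */
};

static char last_report[160];   /* text of the most recent inversion found */
const char *lockdep_last_report(void) { return last_report; }

/* Can lock `from` (transitively) take lock `to`? from == to counts. */
static bool reaches(const struct lockdep *ld, int from, int to, bool *seen)
{
    if (from == to) return true;
    if (seen[from]) return false;
    seen[from] = true;
    for (int j = 0; j < ld->nclasses; j++)
        if (ld->cls[from].dep[j] && reaches(ld, j, to, seen))
            return true;
    return false;
}

/* The rule behind the report: a lock taken in softirq context must never reach
 * a lock that was taken with softirqs enabled; a softirq arriving while the
 * latter is held on the same CPU would spin on the former forever. */
static bool find_inversion(const struct lockdep *ld)
{
    for (int a = 0; a < ld->nclasses; a++) {
        if (!ld->cls[a].in_softirq) continue;
        for (int b = 0; b < ld->nclasses; b++) {
            bool seen[MAX_LOCKS] = {0};
            if (ld->cls[b].softirq_on && reaches(ld, a, b, seen)) {
                snprintf(last_report, sizeof last_report,
                         "possible irq lock inversion: %s is taken in softirq "
                         "but took SOFTIRQ-unsafe %s in the past",
                         ld->cls[a].name, ld->cls[b].name);
                return true;
            }
        }
    }
    return false;
}

/* Record an acquisition in the current context; false means inversion found. */
static bool lockdep_acquire(struct lockdep *ld, int i)
{
    for (int k = 0; k < ld->nheld; k++)
        ld->cls[ld->held[k]].dep[i] = true;   /* held lock -> i dependency */
    if (ld->in_softirq)
        ld->cls[i].in_softirq = true;
    else if (ld->irqs_enabled)
        ld->cls[i].softirq_on = true;
    ld->held[ld->nheld++] = i;
    return !find_inversion(ld);
}

/* Replay the three usages in the report. `fixed` models snd_timer_close_locked()
 * with interrupts disabled around timer->lock, as guard(spinlock_irq) does.
 * Returns 1 if the model reports an inversion, 0 if the sequence is clean. */
int replay_report(bool fixed)
{
    struct lockdep ld = {0};
    bool ok = true;
    ld.cls[TIMER_LOCK].name = "&timer->lock";
    ld.cls[GROUP_LOCK].name = "&group->lock#2";
    ld.nclasses = NLOCKS;
    last_report[0] = '\0';
    /* 1. snd_timer_close_locked(): guard(spinlock) leaves irqs enabled. */
    ld.in_softirq = false; ld.irqs_enabled = !fixed;
    ok &= lockdep_acquire(&ld, TIMER_LOCK);
    ld.nheld = 0;                                   /* release */
    /* 2. snd_pcm_start() -> snd_timer_notify(): timer->lock under group->lock. */
    ld.irqs_enabled = false;
    ok &= lockdep_acquire(&ld, GROUP_LOCK);
    ok &= lockdep_acquire(&ld, TIMER_LOCK);
    ld.nheld = 0;
    /* 3. dummy_hrtimer_callback() -> snd_pcm_period_elapsed() in the hrtimer softirq. */
    ld.in_softirq = true;
    ok &= lockdep_acquire(&ld, GROUP_LOCK);
    return ok ? 0 : 1;
}

int main(void)
{
    printf("buggy: %s\n", replay_report(false) ? lockdep_last_report() : "clean");
    printf("fixed: %s\n", replay_report(true) ? lockdep_last_report() : "clean");
    return 0;
}
```

Compiled with any C99 compiler, the buggy replay reports the same pair lockdep did (&group->lock#2 in softirq, depending on SOFTIRQ-unsafe &timer->lock), and the fixed replay is clean for exactly the reason the maintainer gives: once step 1 runs with interrupts off, &timer->lock never acquires the SOFTIRQ-ON-W bit, so the dependency recorded in step 2 is harmless.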

syzbot

Mar 15, 2024, 9:07:06 AM
to linux-...@vger.kernel.org, linux...@vger.kernel.org, pe...@perex.cz, syzkall...@googlegroups.com, ti...@suse.com, ti...@suse.de
syzbot has bisected this issue to:

commit beb45974dd49068b24788bbfc2abe20d50503761
Author: Takashi Iwai <ti...@suse.de>
Date: Tue Feb 27 08:52:45 2024 +0000

ALSA: timer: Use guard() for locking

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=148a87b9180000
start commit: fe46a7dd189e Merge tag 'sound-6.9-rc1' of git://git.kernel..
git tree: upstream
final oops: https://syzkaller.appspot.com/x/report.txt?x=168a87b9180000
console output: https://syzkaller.appspot.com/x/log.txt?x=128a87b9180000
Reported-by: syzbot+28c1a5...@syzkaller.appspotmail.com
Fixes: beb45974dd49 ("ALSA: timer: Use guard() for locking")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection

Hillf Danton

Mar 15, 2024, 9:13:36 AM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

--- x/sound/core/timer.c
+++ y/sound/core/timer.c
@@ -409,8 +409,9 @@ static void snd_timer_close_locked(struc
struct snd_timer *timer = timeri->timer;

if (timer) {
- guard(spinlock)(&timer->lock);
+ spin_lock_irq(&timer->lock);
timeri->flags |= SNDRV_TIMER_IFLG_DEAD;
+ spin_unlock_irq(&timer->lock);
}

if (!list_empty(&timeri->open_list)) {
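Review bot: the open-coded spin_lock_irq()/spin_unlock_irq() pair around the single `timeri->flags |= SNDRV_TIMER_IFLG_DEAD;` statement is correct, but it departs from the guard() style that commit beb45974dd49 introduced in this file and that the rest of snd_timer_close_locked() presumably still uses; `guard(spinlock_irq)(&timer->lock);` yields the same irq-disabled critical section in one line and is the form the maintainer said he would submit. Either variant removes the SOFTIRQ-ON-W usage of &timer->lock that lockdep flagged, so the choice is about consistency, not correctness.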
--

syzbot

Mar 15, 2024, 9:44:06 AM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

ew interface driver port100
[ 7.632420][ T1] usbcore: registered new interface driver nfcmrvl
[ 7.642406][ T1] Loading iSCSI transport class v2.0-870.
[ 7.663982][ T1] virtio_scsi virtio0: 1/0/0 default/read/poll queues
[ 7.675394][ T1] ------------[ cut here ]------------
[ 7.677077][ T1] refcount_t: decrement hit 0; leaking memory.
[ 7.678472][ T1] WARNING: CPU: 0 PID: 1 at lib/refcount.c:31 refcount_warn_saturate+0xfa/0x1d0
[ 7.680768][ T1] Modules linked in:
[ 7.681721][ T1] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.8.0-syzkaller-09791-ge5eb28f6d1af-dirty #0
[ 7.683377][ T1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
[ 7.685668][ T1] RIP: 0010:refcount_warn_saturate+0xfa/0x1d0
[ 7.686689][ T1] Code: b2 00 00 00 e8 27 5a f7 fc 5b 5d c3 cc cc cc cc e8 1b 5a f7 fc c6 05 f6 81 d3 0a 01 90 48 c7 c7 e0 a7 fd 8b e8 47 2e ba fc 90 <0f> 0b 90 90 eb d9 e8 fb 59 f7 fc c6 05 d3 81 d3 0a 01 90 48 c7 c7
[ 7.690923][ T1] RSP: 0000:ffffc90000066e18 EFLAGS: 00010246
[ 7.692584][ T1] RAX: 2fe2bb6c454da900 RBX: ffff888140b1401c RCX: ffff8880166c8000
[ 7.693870][ T1] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 7.695339][ T1] RBP: 0000000000000004 R08: ffffffff8157cf32 R09: fffffbfff1bf9650
[ 7.697370][ T1] R10: dffffc0000000000 R11: fffffbfff1bf9650 R12: ffffea000502edc0
[ 7.699567][ T1] R13: ffffea000502edc8 R14: 1ffffd4000a05db9 R15: 0000000000000000
[ 7.702324][ T1] FS: 0000000000000000(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
[ 7.705012][ T1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 7.706430][ T1] CR2: ffff88823ffff000 CR3: 000000000df32000 CR4: 00000000003506f0
[ 7.708231][ T1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 7.710105][ T1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 7.711722][ T1] Call Trace:
[ 7.712321][ T1] <TASK>
[ 7.713548][ T1] ? __warn+0x163/0x4b0
[ 7.714368][ T1] ? refcount_warn_saturate+0xfa/0x1d0
[ 7.715547][ T1] ? report_bug+0x2b3/0x500
[ 7.716268][ T1] ? refcount_warn_saturate+0xfa/0x1d0
[ 7.717965][ T1] ? handle_bug+0x3e/0x70
[ 7.718786][ T1] ? exc_invalid_op+0x1a/0x50
[ 7.719977][ T1] ? asm_exc_invalid_op+0x1a/0x20
[ 7.721309][ T1] ? __warn_printk+0x292/0x360
[ 7.722222][ T1] ? refcount_warn_saturate+0xfa/0x1d0
[ 7.723743][ T1] ? refcount_warn_saturate+0xf9/0x1d0
[ 7.724864][ T1] __free_pages_ok+0xc36/0xd60
[ 7.726271][ T1] make_alloc_exact+0xa3/0xf0
[ 7.727744][ T1] vring_alloc_queue_split+0x20a/0x600
[ 7.729202][ T1] ? __pfx_vring_alloc_queue_split+0x10/0x10
[ 7.730313][ T1] ? vp_find_vqs+0x4c/0x4e0
[ 7.731456][ T1] ? virtscsi_probe+0x3ea/0xf60
[ 7.732637][ T1] ? virtio_dev_probe+0x991/0xaf0
[ 7.733609][ T1] ? really_probe+0x29e/0xc50
[ 7.734939][ T1] ? driver_probe_device+0x50/0x430
[ 7.735709][ T1] vring_create_virtqueue_split+0xc6/0x310
[ 7.736519][ T1] ? ret_from_fork+0x4b/0x80
[ 7.737155][ T1] ? __pfx_vring_create_virtqueue_split+0x10/0x10
[ 7.738060][ T1] vring_create_virtqueue+0xca/0x110
[ 7.738936][ T1] ? __pfx_vp_notify+0x10/0x10
[ 7.739795][ T1] ? __pfx_virtscsi_ctrl_done+0x10/0x10
[ 7.741152][ T1] setup_vq+0xe9/0x2d0
[ 7.741988][ T1] ? __pfx_vp_notify+0x10/0x10
[ 7.742766][ T1] ? __pfx_virtscsi_ctrl_done+0x10/0x10
[ 7.743548][ T1] ? __pfx_virtscsi_ctrl_done+0x10/0x10
[ 7.744432][ T1] ? __pfx_virtscsi_ctrl_done+0x10/0x10
[ 7.745311][ T1] vp_setup_vq+0xbf/0x330
[ 7.745985][ T1] ? __pfx_vp_config_changed+0x10/0x10
[ 7.746878][ T1] ? ioread16+0x2f/0x90
[ 7.748076][ T1] ? __pfx_virtscsi_ctrl_done+0x10/0x10
[ 7.748975][ T1] vp_find_vqs_msix+0x8b2/0xc80
[ 7.749689][ T1] vp_find_vqs+0x4c/0x4e0
[ 7.750445][ T1] virtscsi_init+0x8db/0xd00
[ 7.751140][ T1] ? __pfx_virtscsi_init+0x10/0x10
[ 7.751843][ T1] ? __pfx_default_calc_sets+0x10/0x10
[ 7.752717][ T1] ? scsi_host_alloc+0xa57/0xea0
[ 7.753587][ T1] ? vp_get+0xfd/0x140
[ 7.754323][ T1] virtscsi_probe+0x3ea/0xf60
[ 7.755144][ T1] ? __pfx_virtscsi_probe+0x10/0x10
[ 7.756003][ T1] ? virtqueue_dma_mapping_error+0xd/0x80
[ 7.756997][ T1] ? __pfx_vp_set_status+0x10/0x10
[ 7.757746][ T1] ? vp_set_status+0x1a/0x40
[ 7.758484][ T1] ? virtio_no_restricted_mem_acc+0x9/0x10
[ 7.759510][ T1] ? virtio_features_ok+0x10c/0x270
[ 7.760586][ T1] virtio_dev_probe+0x991/0xaf0
[ 7.761286][ T1] ? __pfx_virtio_dev_probe+0x10/0x10
[ 7.762062][ T1] really_probe+0x29e/0xc50
[ 7.763086][ T1] __driver_probe_device+0x1a2/0x3e0
[ 7.763898][ T1] driver_probe_device+0x50/0x430
[ 7.764713][ T1] __driver_attach+0x45f/0x710
[ 7.765387][ T1] ? __pfx___driver_attach+0x10/0x10
[ 7.766680][ T1] bus_for_each_dev+0x239/0x2b0
[ 7.767448][ T1] ? __pfx___driver_attach+0x10/0x10
[ 7.768169][ T1] ? __pfx_bus_for_each_dev+0x10/0x10
[ 7.768922][ T1] ? do_raw_spin_unlock+0x13c/0x8b0
[ 7.770033][ T1] bus_add_driver+0x347/0x620
[ 7.771031][ T1] driver_register+0x23a/0x320
[ 7.772123][ T1] ? __pfx_virtio_scsi_init+0x10/0x10
[ 7.772858][ T1] virtio_scsi_init+0x65/0xe0
[ 7.773584][ T1] ? __pfx_virtio_scsi_init+0x10/0x10
[ 7.774375][ T1] do_one_initcall+0x238/0x830
[ 7.775257][ T1] ? __pfx_virtio_scsi_init+0x10/0x10
[ 7.776297][ T1] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 7.778115][ T1] ? __pfx_do_one_initcall+0x10/0x10
[ 7.779063][ T1] ? __pfx_parse_args+0x10/0x10
[ 7.779788][ T1] ? do_initcalls+0x1c/0x80
[ 7.780568][ T1] ? rcu_is_watching+0x15/0xb0
[ 7.781462][ T1] do_initcall_level+0x157/0x210
[ 7.782315][ T1] do_initcalls+0x3f/0x80
[ 7.782984][ T1] kernel_init_freeable+0x435/0x5d0
[ 7.783746][ T1] ? __pfx_kernel_init_freeable+0x10/0x10
[ 7.784523][ T1] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 7.785422][ T1] ? __pfx_kernel_init+0x10/0x10
[ 7.786126][ T1] ? __pfx_kernel_init+0x10/0x10
[ 7.786833][ T1] ? __pfx_kernel_init+0x10/0x10
[ 7.787600][ T1] kernel_init+0x1d/0x2b0
[ 7.788259][ T1] ret_from_fork+0x4b/0x80
[ 7.788928][ T1] ? __pfx_kernel_init+0x10/0x10
[ 7.789603][ T1] ret_from_fork_asm+0x1a/0x30
[ 7.790432][ T1] </TASK>
[ 7.790999][ T1] Kernel panic - not syncing: kernel: panic_on_warn set ...
[ 7.792157][ T1] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.8.0-syzkaller-09791-ge5eb28f6d1af-dirty #0
[ 7.793638][ T1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
[ 7.795183][ T1] Call Trace:
[ 7.795731][ T1] <TASK>
[ 7.796384][ T1] dump_stack_lvl+0x241/0x360
[ 7.797257][ T1] ? __pfx_dump_stack_lvl+0x10/0x10
[ 7.798175][ T1] ? __pfx__printk+0x10/0x10
[ 7.798929][ T1] ? _printk+0xd5/0x120
[ 7.799824][ T1] ? vscnprintf+0x5d/0x90
[ 7.800407][ T1] panic+0x349/0x860
[ 7.800407][ T1] ? __warn+0x172/0x4b0
[ 7.800407][ T1] ? __pfx_panic+0x10/0x10
[ 7.800407][ T1] ? show_trace_log_lvl+0x4e6/0x520
[ 7.800407][ T1] ? ret_from_fork_asm+0x1a/0x30
[ 7.800407][ T1] __warn+0x31e/0x4b0
[ 7.800407][ T1] ? refcount_warn_saturate+0xfa/0x1d0
[ 7.800407][ T1] report_bug+0x2b3/0x500
[ 7.800407][ T1] ? refcount_warn_saturate+0xfa/0x1d0
[ 7.800407][ T1] handle_bug+0x3e/0x70
[ 7.800407][ T1] exc_invalid_op+0x1a/0x50
[ 7.800407][ T1] asm_exc_invalid_op+0x1a/0x20
[ 7.809948][ T1] RIP: 0010:refcount_warn_saturate+0xfa/0x1d0
[ 7.809948][ T1] Code: b2 00 00 00 e8 27 5a f7 fc 5b 5d c3 cc cc cc cc e8 1b 5a f7 fc c6 05 f6 81 d3 0a 01 90 48 c7 c7 e0 a7 fd 8b e8 47 2e ba fc 90 <0f> 0b 90 90 eb d9 e8 fb 59 f7 fc c6 05 d3 81 d3 0a 01 90 48 c7 c7
[ 7.809948][ T1] RSP: 0000:ffffc90000066e18 EFLAGS: 00010246
[ 7.809948][ T1] RAX: 2fe2bb6c454da900 RBX: ffff888140b1401c RCX: ffff8880166c8000
[ 7.809948][ T1] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 7.820130][ T1] RBP: 0000000000000004 R08: ffffffff8157cf32 R09: fffffbfff1bf9650
[ 7.820130][ T1] R10: dffffc0000000000 R11: fffffbfff1bf9650 R12: ffffea000502edc0
[ 7.820130][ T1] R13: ffffea000502edc8 R14: 1ffffd4000a05db9 R15: 0000000000000000
[ 7.820130][ T1] ? __warn_printk+0x292/0x360
[ 7.820130][ T1] ? refcount_warn_saturate+0xf9/0x1d0
[ 7.820130][ T1] __free_pages_ok+0xc36/0xd60
[ 7.829996][ T1] make_alloc_exact+0xa3/0xf0
[ 7.829996][ T1] vring_alloc_queue_split+0x20a/0x600
[ 7.829996][ T1] ? __pfx_vring_alloc_queue_split+0x10/0x10
[ 7.829996][ T1] ? vp_find_vqs+0x4c/0x4e0
[ 7.829996][ T1] ? virtscsi_probe+0x3ea/0xf60
[ 7.829996][ T1] ? virtio_dev_probe+0x991/0xaf0
[ 7.829996][ T1] ? really_probe+0x29e/0xc50
[ 7.829996][ T1] ? driver_probe_device+0x50/0x430
[ 7.840103][ T1] vring_create_virtqueue_split+0xc6/0x310
[ 7.840103][ T1] ? ret_from_fork+0x4b/0x80
[ 7.840103][ T1] ? __pfx_vring_create_virtqueue_split+0x10/0x10
[ 7.840103][ T1] vring_create_virtqueue+0xca/0x110
[ 7.840103][ T1] ? __pfx_vp_notify+0x10/0x10
[ 7.840103][ T1] ? __pfx_virtscsi_ctrl_done+0x10/0x10
[ 7.840103][ T1] setup_vq+0xe9/0x2d0
[ 7.849997][ T1] ? __pfx_vp_notify+0x10/0x10
[ 7.849997][ T1] ? __pfx_virtscsi_ctrl_done+0x10/0x10
[ 7.849997][ T1] ? __pfx_virtscsi_ctrl_done+0x10/0x10
[ 7.849997][ T1] ? __pfx_virtscsi_ctrl_done+0x10/0x10
[ 7.849997][ T1] vp_setup_vq+0xbf/0x330
[ 7.849997][ T1] ? __pfx_vp_config_changed+0x10/0x10
[ 7.849997][ T1] ? ioread16+0x2f/0x90
[ 7.849997][ T1] ? __pfx_virtscsi_ctrl_done+0x10/0x10
[ 7.860078][ T1] vp_find_vqs_msix+0x8b2/0xc80
[ 7.860078][ T1] vp_find_vqs+0x4c/0x4e0
[ 7.860078][ T1] virtscsi_init+0x8db/0xd00
[ 7.860078][ T1] ? __pfx_virtscsi_init+0x10/0x10
[ 7.860078][ T1] ? __pfx_default_calc_sets+0x10/0x10
[ 7.860078][ T1] ? scsi_host_alloc+0xa57/0xea0
[ 7.860078][ T1] ? vp_get+0xfd/0x140
[ 7.860078][ T1] virtscsi_probe+0x3ea/0xf60
[ 7.869950][ T1] ? __pfx_virtscsi_probe+0x10/0x10
[ 7.869950][ T1] ? virtqueue_dma_mapping_error+0xd/0x80
[ 7.869950][ T1] ? __pfx_vp_set_status+0x10/0x10
[ 7.869950][ T1] ? vp_set_status+0x1a/0x40
[ 7.869950][ T1] ? virtio_no_restricted_mem_acc+0x9/0x10
[ 7.880123][ T1] ? virtio_features_ok+0x10c/0x270
[ 7.880123][ T1] virtio_dev_probe+0x991/0xaf0
[ 7.880123][ T1] ? __pfx_virtio_dev_probe+0x10/0x10
[ 7.880123][ T1] really_probe+0x29e/0xc50
[ 7.880123][ T1] __driver_probe_device+0x1a2/0x3e0
[ 7.880123][ T1] driver_probe_device+0x50/0x430
[ 7.880123][ T1] __driver_attach+0x45f/0x710
[ 7.889960][ T1] ? __pfx___driver_attach+0x10/0x10
[ 7.889960][ T1] bus_for_each_dev+0x239/0x2b0
[ 7.889960][ T1] ? __pfx___driver_attach+0x10/0x10
[ 7.889960][ T1] ? __pfx_bus_for_each_dev+0x10/0x10
[ 7.889960][ T1] ? do_raw_spin_unlock+0x13c/0x8b0
[ 7.889960][ T1] bus_add_driver+0x347/0x620
[ 7.889960][ T1] driver_register+0x23a/0x320
[ 7.889960][ T1] ? __pfx_virtio_scsi_init+0x10/0x10
[ 7.900147][ T1] virtio_scsi_init+0x65/0xe0
[ 7.900147][ T1] ? __pfx_virtio_scsi_init+0x10/0x10
[ 7.900147][ T1] do_one_initcall+0x238/0x830
[ 7.900147][ T1] ? __pfx_virtio_scsi_init+0x10/0x10
[ 7.900147][ T1] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 7.900147][ T1] ? __pfx_do_one_initcall+0x10/0x10
[ 7.900147][ T1] ? __pfx_parse_args+0x10/0x10
[ 7.900147][ T1] ? do_initcalls+0x1c/0x80
[ 7.900147][ T1] ? rcu_is_watching+0x15/0xb0
[ 7.900147][ T1] do_initcall_level+0x157/0x210
[ 7.900147][ T1] do_initcalls+0x3f/0x80
[ 7.900147][ T1] kernel_init_freeable+0x435/0x5d0
[ 7.900147][ T1] ? __pfx_kernel_init_freeable+0x10/0x10
[ 7.909999][ T1] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 7.909999][ T1] ? __pfx_kernel_init+0x10/0x10
[ 7.909999][ T1] ? __pfx_kernel_init+0x10/0x10
[ 7.909999][ T1] ? __pfx_kernel_init+0x10/0x10
[ 7.909999][ T1] kernel_init+0x1d/0x2b0
[ 7.909999][ T1] ret_from_fork+0x4b/0x80
[ 7.909999][ T1] ? __pfx_kernel_init+0x10/0x10
[ 7.909999][ T1] ret_from_fork_asm+0x1a/0x30
[ 7.909999][ T1] </TASK>
[ 7.909999][ T1] Kernel Offset: disabled
[ 7.909999][ T1] Rebooting in 86400 seconds..


syzkaller build log:
go env (err=<nil>)
GO111MODULE='auto'
GOARCH='amd64'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/syzkaller/jobs-2/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs-2/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.21.4'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/syzkaller/jobs-2/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build1592746458=/tmp/go-build -gno-record-gcc-switches'

git status (err=<nil>)
HEAD detached at d615901c7
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=d615901c739a765329b688494cee2f8e1b5037cb -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240314-145638'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=d615901c739a765329b688494cee2f8e1b5037cb -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240314-145638'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=d615901c739a765329b688494cee2f8e1b5037cb -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240314-145638'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"d615901c739a765329b688494cee2f8e1b5037cb\"


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=118ff7b9180000


Tested on:

commit: e5eb28f6 Merge tag 'mm-nonmm-stable-2024-03-14-09-36' ..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
kernel config: https://syzkaller.appspot.com/x/.config?x=839e3be5d86ffd1d
dashboard link: https://syzkaller.appspot.com/bug?extid=28c1a5a5b041a754b947
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1388324e180000

Hillf Danton

Mar 15, 2024, 7:34:47 PM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
--- x/mm/page_alloc.c
+++ y/mm/page_alloc.c
@@ -4816,8 +4816,9 @@ static void *make_alloc_exact(unsigned l
{
if (addr) {
unsigned long nr = DIV_ROUND_UP(size, PAGE_SIZE);
+ unsigned long pgs = (1UL << order);
struct page *page = virt_to_page((void *)addr);
- struct page *last = page + nr;
+ struct page *last = page + max(nr, pgs);

split_page_owner(page, order, 0);
split_page_memcg(page, order, 0);
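Review bot: with `nr = DIV_ROUND_UP(size, PAGE_SIZE)` and `pgs = 1UL << order`, the new `last = page + max(nr, pgs)` differs from the old `page + nr` only when the requested page count is smaller than the full block, and in that case it widens the range that the code after this hunk treats as allocated to the entire 2^order block. The lines that consume `last` are outside the hunk, so the patch should carry enough context to show what that widening does to the pages between `nr` and `pgs`, and a commit message stating why those trailing pages need the same treatment as the requested ones; as posted, the diff has no description at all. The parentheses in `(1UL << order)` are also unnecessary.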
--

syzbot

Mar 15, 2024, 7:53:04 PM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

scheduler registered.
[ 20.046212][ T1] IPVS: [twos] scheduler registered.
[ 20.052487][ T1] IPVS: [sip] pe registered.
[ 20.058236][ T1] ipip: IPv4 and MPLS over IPv4 tunneling driver
[ 20.068626][ T1] gre: GRE over IPv4 demultiplexor driver
[ 20.074591][ T1] ip_gre: GRE over IPv4 tunneling driver
[ 20.088795][ T1] IPv4 over IPsec tunneling driver
[ 20.098760][ T1] Initializing XFRM netlink socket
[ 20.104824][ T1] IPsec XFRM device driver
[ 20.109872][ T1] NET: Registered PF_INET6 protocol family
[ 20.126622][ T1] Segment Routing with IPv6
[ 20.131497][ T1] RPL Segment Routing with IPv6
[ 20.137569][ T1] In-situ OAM (IOAM) with IPv6
[ 20.143198][ T1] mip6: Mobile IPv6
[ 20.150447][ T1] sit: IPv6, IPv4 and MPLS over IPv4 tunneling driver
[ 20.163905][ T1] ip6_gre: GRE over IPv6 tunneling driver
[ 20.173318][ T1] NET: Registered PF_PACKET protocol family
[ 20.180115][ T1] NET: Registered PF_KEY protocol family
[ 20.185979][ T1] Bridge firewalling registered
[ 20.191499][ T1] NET: Registered PF_X25 protocol family
[ 20.197301][ T1] X25: Linux Version 0.2
[ 20.239984][ T1] NET: Registered PF_NETROM protocol family
[ 20.286824][ T1] NET: Registered PF_ROSE protocol family
[ 20.292725][ T1] NET: Registered PF_AX25 protocol family
[ 20.298720][ T1] can: controller area network core
[ 20.304462][ T1] NET: Registered PF_CAN protocol family
[ 20.310192][ T1] can: raw protocol
[ 20.314261][ T1] can: broadcast manager protocol
[ 20.319507][ T1] can: netlink gateway - max_hops=1
[ 20.325224][ T1] can: SAE J1939
[ 20.328777][ T1] can: isotp protocol (max_pdu_size 8300)
[ 20.335062][ T1] Bluetooth: RFCOMM TTY layer initialized
[ 20.341008][ T1] Bluetooth: RFCOMM socket layer initialized
[ 20.347605][ T1] Bluetooth: RFCOMM ver 1.11
[ 20.352523][ T1] Bluetooth: BNEP (Ethernet Emulation) ver 1.3
[ 20.359022][ T1] Bluetooth: BNEP filters: protocol multicast
[ 20.365382][ T1] Bluetooth: BNEP socket layer initialized
[ 20.371175][ T1] Bluetooth: CMTP (CAPI Emulation) ver 1.0
[ 20.377149][ T1] Bluetooth: CMTP socket layer initialized
[ 20.383020][ T1] Bluetooth: HIDP (Human Interface Emulation) ver 1.2
[ 20.390320][ T1] Bluetooth: HIDP socket layer initialized
[ 20.398622][ T1] NET: Registered PF_RXRPC protocol family
[ 20.405217][ T1] Key type rxrpc registered
[ 20.409717][ T1] Key type rxrpc_s registered
[ 20.415444][ T1] NET: Registered PF_KCM protocol family
[ 20.422288][ T1] lec:lane_module_init: lec.c: initialized
[ 20.428813][ T1] mpoa:atm_mpoa_init: mpc.c: initialized
[ 20.434819][ T1] l2tp_core: L2TP core driver, V2.0
[ 20.440043][ T1] l2tp_ppp: PPPoL2TP kernel driver, V2.0
[ 20.445986][ T1] l2tp_ip: L2TP IP encapsulation support (L2TPv3)
[ 20.453014][ T1] l2tp_netlink: L2TP netlink interface
[ 20.459661][ T1] l2tp_eth: L2TP ethernet pseudowire support (L2TPv3)
[ 20.467052][ T1] l2tp_ip6: L2TP IP encapsulation support for IPv6 (L2TPv3)
[ 20.474967][ T1] NET: Registered PF_PHONET protocol family
[ 20.481779][ T1] 8021q: 802.1Q VLAN Support v1.8
[ 20.498499][ T1] DCCP: Activated CCID 2 (TCP-like)
[ 20.504156][ T1] DCCP: Activated CCID 3 (TCP-Friendly Rate Control)
[ 20.511295][ T1] DCCP is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list
[ 20.522532][ T1] sctp: Hash tables configured (bind 32/56)
[ 20.530588][ T1] NET: Registered PF_RDS protocol family
[ 20.537571][ T1] Registered RDS/infiniband transport
[ 20.544168][ T1] Registered RDS/tcp transport
[ 20.549028][ T1] tipc: Activated (version 2.0.0)
[ 20.554726][ T1] NET: Registered PF_TIPC protocol family
[ 20.561546][ T1] tipc: Started in single node mode
[ 20.567475][ T1] NET: Registered PF_SMC protocol family
[ 20.573541][ T1] 9pnet: Installing 9P2000 support
[ 20.579112][ T1] NET: Registered PF_CAIF protocol family
[ 20.588434][ T1] NET: Registered PF_IEEE802154 protocol family
[ 20.595147][ T1] Key type dns_resolver registered
[ 20.600428][ T1] Key type ceph registered
[ 20.605307][ T1] libceph: loaded (mon/osd proto 15/24)
[ 20.612071][ T1] batman_adv: B.A.T.M.A.N. advanced 2024.1 (compatibility version 15) loaded
[ 20.621780][ T1] openvswitch: Open vSwitch switching datapath
[ 20.630000][ T1] NET: Registered PF_VSOCK protocol family
[ 20.636459][ T1] mpls_gso: MPLS GSO support
[ 20.656569][ T1] IPI shorthand broadcast: enabled
[ 20.661987][ T1] AVX2 version of gcm_enc/dec engaged.
[ 20.667932][ T1] AES CTR mode by8 optimization enabled
[ 21.651138][ T1] sched_clock: Marking stable (21600020702, 43682234)->(21641677555, 2025381)
[ 21.665130][ T1] Timer migration: 1 hierarchy levels; 8 children per group; 0 crossnode level
[ 21.676589][ T1] registered taskstats version 1
[ 21.691534][ T1] Loading compiled-in X.509 certificates
[ 21.701390][ T1] Loaded X.509 cert 'Build time autogenerated kernel key: caf27e718a03c2875c0f3e9da2fdca81dac83f88'
[ 21.935630][ T1] zswap: loaded using pool lzo/zsmalloc
[ 21.942820][ T1] debug_vm_pgtable: [debug_vm_pgtable ]: Validating architecture page table helpers
[ 22.363865][ T1] ------------[ cut here ]------------
[ 22.369435][ T1] refcount_t: decrement hit 0; leaking memory.
[ 22.375980][ T1] WARNING: CPU: 1 PID: 1 at lib/refcount.c:31 refcount_warn_saturate+0xfa/0x1d0
[ 22.385786][ T1] Modules linked in:
[ 22.389701][ T1] CPU: 1 PID: 1 Comm: swapper/0 Tainted: G B 6.8.0-syzkaller-11063-g277100b3d5fe-dirty #0
[ 22.401469][ T1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
[ 22.411821][ T1] RIP: 0010:refcount_warn_saturate+0xfa/0x1d0
[ 22.418047][ T1] Code: b2 00 00 00 e8 a7 9b f5 fc 5b 5d c3 cc cc cc cc e8 9b 9b f5 fc c6 05 78 1e d2 0a 01 90 48 c7 c7 60 da fd 8b e8 17 61 b8 fc 90 <0f> 0b 90 90 eb d9 e8 7b 9b f5 fc c6 05 55 1e d2 0a 01 90 48 c7 c7
[ 22.438852][ T1] RSP: 0000:ffffc90000067668 EFLAGS: 00010246
[ 22.445745][ T1] RAX: 033873f32e959400 RBX: ffff8880324819fc RCX: ffff888014fc8000
[ 22.453986][ T1] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 22.462526][ T1] RBP: 0000000000000004 R08: ffffffff8157df32 R09: fffffbfff1bf9660
[ 22.471060][ T1] R10: dffffc0000000000 R11: fffffbfff1bf9660 R12: ffffea0001004000
[ 22.479700][ T1] R13: 0000000000000000 R14: 0000000000000000 R15: ffffea0001004008
[ 22.487826][ T1] FS: 0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
[ 22.497607][ T1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 22.504295][ T1] CR2: 0000000000000000 CR3: 000000000df32000 CR4: 00000000003506f0
[ 22.512391][ T1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 22.520813][ T1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 22.528932][ T1] Call Trace:
[ 22.532611][ T1] <TASK>
[ 22.535936][ T1] ? __warn+0x163/0x4b0
[ 22.540206][ T1] ? refcount_warn_saturate+0xfa/0x1d0
[ 22.546004][ T1] ? report_bug+0x2b3/0x500
[ 22.550821][ T1] ? refcount_warn_saturate+0xfa/0x1d0
[ 22.556437][ T1] ? handle_bug+0x3e/0x70
[ 22.560824][ T1] ? exc_invalid_op+0x1a/0x50
[ 22.566609][ T1] ? asm_exc_invalid_op+0x1a/0x20
[ 22.572222][ T1] ? __warn_printk+0x292/0x360
[ 22.577412][ T1] ? refcount_warn_saturate+0xfa/0x1d0
[ 22.582973][ T1] ? refcount_warn_saturate+0xf9/0x1d0
[ 22.588927][ T1] free_unref_page_prepare+0x95d/0xa80
[ 22.594950][ T1] free_unref_page+0x37/0x3f0
[ 22.599804][ T1] free_contig_range+0x9e/0x160
[ 22.605030][ T1] destroy_args+0x8a/0x890
[ 22.609936][ T1] debug_vm_pgtable+0x4be/0x550
[ 22.615039][ T1] ? __pfx_debug_vm_pgtable+0x10/0x10
[ 22.620764][ T1] ? __pfx_add_device_randomness+0x10/0x10
[ 22.627385][ T1] ? __pfx_debug_vm_pgtable+0x10/0x10
[ 22.633103][ T1] do_one_initcall+0x238/0x830
[ 22.638015][ T1] ? __pfx_debug_vm_pgtable+0x10/0x10
[ 22.643644][ T1] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 22.650443][ T1] ? __pfx_do_one_initcall+0x10/0x10
[ 22.656040][ T1] ? __pfx_parse_args+0x10/0x10
[ 22.660908][ T1] ? do_initcalls+0x1c/0x80
[ 22.665859][ T1] ? rcu_is_watching+0x15/0xb0
[ 22.670696][ T1] do_initcall_level+0x157/0x210
[ 22.675732][ T1] do_initcalls+0x3f/0x80
[ 22.680130][ T1] kernel_init_freeable+0x435/0x5d0
[ 22.685954][ T1] ? __pfx_kernel_init_freeable+0x10/0x10
[ 22.691972][ T1] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 22.699054][ T1] ? __pfx_kernel_init+0x10/0x10
[ 22.704428][ T1] ? rcu_is_watching+0x15/0xb0
[ 22.709362][ T1] ? __pfx_kernel_init+0x10/0x10
[ 22.714513][ T1] kernel_init+0x1d/0x2b0
[ 22.719075][ T1] ret_from_fork+0x4b/0x80
[ 22.723973][ T1] ? __pfx_kernel_init+0x10/0x10
[ 22.729016][ T1] ret_from_fork_asm+0x1a/0x30
[ 22.734205][ T1] </TASK>
[ 22.737838][ T1] Kernel panic - not syncing: kernel: panic_on_warn set ...
[ 22.745594][ T1] CPU: 1 PID: 1 Comm: swapper/0 Tainted: G B 6.8.0-syzkaller-11063-g277100b3d5fe-dirty #0
[ 22.758472][ T1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
[ 22.768882][ T1] Call Trace:
[ 22.772150][ T1] <TASK>
[ 22.775081][ T1] dump_stack_lvl+0x241/0x360
[ 22.779750][ T1] ? __pfx_dump_stack_lvl+0x10/0x10
[ 22.785102][ T1] ? __pfx__printk+0x10/0x10
[ 22.789812][ T1] ? vscnprintf+0x5d/0x90
[ 22.794277][ T1] panic+0x349/0x860
[ 22.798282][ T1] ? __warn+0x172/0x4b0
[ 22.802468][ T1] ? __pfx_panic+0x10/0x10
[ 22.807313][ T1] ? ret_from_fork_asm+0x1a/0x30
[ 22.812449][ T1] __warn+0x31e/0x4b0
[ 22.816898][ T1] ? refcount_warn_saturate+0xfa/0x1d0
[ 22.823360][ T1] report_bug+0x2b3/0x500
[ 22.827814][ T1] ? refcount_warn_saturate+0xfa/0x1d0
[ 22.833548][ T1] handle_bug+0x3e/0x70
[ 22.837969][ T1] exc_invalid_op+0x1a/0x50
[ 22.842546][ T1] asm_exc_invalid_op+0x1a/0x20
[ 22.847390][ T1] RIP: 0010:refcount_warn_saturate+0xfa/0x1d0
[ 22.853763][ T1] Code: b2 00 00 00 e8 a7 9b f5 fc 5b 5d c3 cc cc cc cc e8 9b 9b f5 fc c6 05 78 1e d2 0a 01 90 48 c7 c7 60 da fd 8b e8 17 61 b8 fc 90 <0f> 0b 90 90 eb d9 e8 7b 9b f5 fc c6 05 55 1e d2 0a 01 90 48 c7 c7
[ 22.874384][ T1] RSP: 0000:ffffc90000067668 EFLAGS: 00010246
[ 22.880535][ T1] RAX: 033873f32e959400 RBX: ffff8880324819fc RCX: ffff888014fc8000
[ 22.888976][ T1] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 22.898233][ T1] RBP: 0000000000000004 R08: ffffffff8157df32 R09: fffffbfff1bf9660
[ 22.906475][ T1] R10: dffffc0000000000 R11: fffffbfff1bf9660 R12: ffffea0001004000
[ 22.914518][ T1] R13: 0000000000000000 R14: 0000000000000000 R15: ffffea0001004008
[ 22.923156][ T1] ? __warn_printk+0x292/0x360
[ 22.927943][ T1] ? refcount_warn_saturate+0xf9/0x1d0
[ 22.933793][ T1] free_unref_page_prepare+0x95d/0xa80
[ 22.939366][ T1] free_unref_page+0x37/0x3f0
[ 22.944052][ T1] free_contig_range+0x9e/0x160
[ 22.949130][ T1] destroy_args+0x8a/0x890
[ 22.953659][ T1] debug_vm_pgtable+0x4be/0x550
[ 22.958647][ T1] ? __pfx_debug_vm_pgtable+0x10/0x10
[ 22.964417][ T1] ? __pfx_add_device_randomness+0x10/0x10
[ 22.970326][ T1] ? __pfx_debug_vm_pgtable+0x10/0x10
[ 22.975903][ T1] do_one_initcall+0x238/0x830
[ 22.981102][ T1] ? __pfx_debug_vm_pgtable+0x10/0x10
[ 22.987110][ T1] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 22.994429][ T1] ? __pfx_do_one_initcall+0x10/0x10
[ 22.999923][ T1] ? __pfx_parse_args+0x10/0x10
[ 23.005032][ T1] ? do_initcalls+0x1c/0x80
[ 23.010320][ T1] ? rcu_is_watching+0x15/0xb0
[ 23.015546][ T1] do_initcall_level+0x157/0x210
[ 23.020786][ T1] do_initcalls+0x3f/0x80
[ 23.025244][ T1] kernel_init_freeable+0x435/0x5d0
[ 23.030660][ T1] ? __pfx_kernel_init_freeable+0x10/0x10
[ 23.036955][ T1] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 23.044099][ T1] ? __pfx_kernel_init+0x10/0x10
[ 23.049265][ T1] ? rcu_is_watching+0x15/0xb0
[ 23.054394][ T1] ? __pfx_kernel_init+0x10/0x10
[ 23.059490][ T1] kernel_init+0x1d/0x2b0
[ 23.063815][ T1] ret_from_fork+0x4b/0x80
[ 23.068382][ T1] ? __pfx_kernel_init+0x10/0x10
[ 23.073539][ T1] ret_from_fork_asm+0x1a/0x30
[ 23.078377][ T1] </TASK>
[ 23.082209][ T1] Kernel Offset: disabled
[ 23.086616][ T1] Rebooting in 86400 seconds..
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build3765643222=/tmp/go-build -gno-record-gcc-switches'

git status (err=<nil>)
HEAD detached at d615901c7
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=d615901c739a765329b688494cee2f8e1b5037cb -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240314-145638'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=d615901c739a765329b688494cee2f8e1b5037cb -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240314-145638'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=d615901c739a765329b688494cee2f8e1b5037cb -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240314-145638'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"d615901c739a765329b688494cee2f8e1b5037cb\"


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=176687b9180000


Tested on:

commit: 277100b3 Merge tag 'block-6.9-20240315' of git://git.k..
kernel config: https://syzkaller.appspot.com/x/.config?x=fe0919aedd4b3fc3
dashboard link: https://syzkaller.appspot.com/bug?extid=28c1a5a5b041a754b947
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=13e5efb6180000

Hillf Danton

Mar 15, 2024, 9:23:23 PM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

--- x/sound/core/timer.c
+++ y/sound/core/timer.c
@@ -409,8 +409,9 @@ static void snd_timer_close_locked(struc
struct snd_timer *timer = timeri->timer;

if (timer) {
- guard(spinlock)(&timer->lock);
+ spin_lock_irq(&timer->lock);
timeri->flags |= SNDRV_TIMER_IFLG_DEAD;
+ spin_unlock_irq(&timer->lock);
}

if (!list_empty(&timeri->open_list)) {
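Review bot: `spin_lock_irq()`/`spin_unlock_irq()` unconditionally re-enable interrupts on unlock, and the `_locked` suffix on `snd_timer_close_locked` says it is entered with a caller's lock already held, so unless every path into it is known to run with interrupts enabled, the `spin_lock_irqsave()`/`spin_unlock_irqrestore()` pair is the safer replacement for `guard(spinlock)`; `guard(spinlock_irqsave)(&timer->lock)` would keep the scoped-guard style of the surrounding code while giving the same protection. The lockdep report at the top of the thread names `&timer->lock` as the SOFTIRQ-unsafe lock, so the commit message should state that this is the acquisition site being made irq-safe and whether the other `timer->lock` users have been checked, since converting one site does not help if another still takes the lock with interrupts enabled.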
--- x/drivers/virtio/virtio_ring.c
+++ y/drivers/virtio/virtio_ring.c
@@ -316,7 +316,13 @@ static void *vring_alloc_queue(struct vi
return dma_alloc_coherent(dma_dev, size,
dma_handle, flag);
} else {
- void *queue = alloc_pages_exact(PAGE_ALIGN(size), flag);
+ void *queue;
+ unsigned long sz = PAGE_ALIGN(size);
+ unsigned int order = 0;
+
+ while ((PAGE_SIZE << order) < sz)
+ order++;
+ queue = (void *) __get_free_pages(flag, order);

if (queue) {
phys_addr_t phys_addr = virt_to_phys(queue);
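Review bot: the `while ((PAGE_SIZE << order) < sz) order++;` loop reimplements `get_order()`, so `order = get_order(sz)` (with `sz` already `PAGE_ALIGN(size)`) is shorter and harder to get wrong. Note also what the change does to memory footprint: `alloc_pages_exact()` returns only the pages needed to cover `size`, whereas `__get_free_pages(flag, order)` hands out the whole 2^order block, so for a queue size that is not a power of two this allocates up to nearly twice as much. If the goal is to avoid `make_alloc_exact()` (the subject of the earlier page_alloc.c diff in this thread), the commit message should say so; as posted, the virtio_ring change carries no description linking it to the sound lockdep report.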
@@ -334,7 +340,7 @@ static void *vring_alloc_queue(struct vi
* unrepresentable address.
*/
if (WARN_ON_ONCE(*dma_handle != phys_addr)) {
- free_pages_exact(queue, PAGE_ALIGN(size));
+ free_pages((unsigned long) queue, order);
return NULL;
}
}
@@ -348,8 +354,14 @@ static void vring_free_queue(struct virt
{
if (vring_use_dma_api(vdev))
dma_free_coherent(dma_dev, size, queue, dma_handle);
- else
- free_pages_exact(queue, PAGE_ALIGN(size));
+ else {
+ unsigned long sz = PAGE_ALIGN(size);
+ unsigned int order = 0;
+
+ while ((PAGE_SIZE << order) < sz)
+ order++;
+ free_pages((unsigned long) queue, order);
+ }
}

/*
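Review bot: the order computation is now duplicated verbatim between `vring_alloc_queue()` and `vring_free_queue()`; if the two copies ever drift apart (one side rounding differently, for example), the free would release the wrong number of pages, so factor it into a single helper or use `get_order(PAGE_ALIGN(size))` in both places. Style point: the kernel coding style asks for braces on both branches when one branch needs them, so the `if (vring_use_dma_api(vdev))` branch should gain braces now that the `else` has them.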
--

syzbot

Mar 15, 2024, 10:37:04 PM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

cheduler registered.
[ 12.516188][ T1] IPVS: [sip] pe registered.
[ 12.520995][ T1] ipip: IPv4 and MPLS over IPv4 tunneling driver
[ 12.530995][ T2596] kworker/u8:6 (2596) used greatest stack depth: 24584 bytes left
[ 12.531547][ T1] gre: GRE over IPv4 demultiplexor driver
[ 12.546566][ T1] ip_gre: GRE over IPv4 tunneling driver
[ 12.562031][ T1] IPv4 over IPsec tunneling driver
[ 12.571861][ T1] Initializing XFRM netlink socket
[ 12.577184][ T1] IPsec XFRM device driver
[ 12.582228][ T1] NET: Registered PF_INET6 protocol family
[ 12.601211][ T1] Segment Routing with IPv6
[ 12.605725][ T1] RPL Segment Routing with IPv6
[ 12.611988][ T1] In-situ OAM (IOAM) with IPv6
[ 12.617157][ T1] mip6: Mobile IPv6
[ 12.625315][ T1] sit: IPv6, IPv4 and MPLS over IPv4 tunneling driver
[ 12.640254][ T1] ip6_gre: GRE over IPv6 tunneling driver
[ 12.650891][ T1] NET: Registered PF_PACKET protocol family
[ 12.657015][ T1] NET: Registered PF_KEY protocol family
[ 12.663860][ T1] Bridge firewalling registered
[ 12.669841][ T1] NET: Registered PF_X25 protocol family
[ 12.675613][ T1] X25: Linux Version 0.2
[ 12.728707][ T1] NET: Registered PF_NETROM protocol family
[ 12.781365][ T1] NET: Registered PF_ROSE protocol family
[ 12.787626][ T1] NET: Registered PF_AX25 protocol family
[ 12.793791][ T1] can: controller area network core
[ 12.799680][ T1] NET: Registered PF_CAN protocol family
[ 12.805409][ T1] can: raw protocol
[ 12.809343][ T1] can: broadcast manager protocol
[ 12.814559][ T1] can: netlink gateway - max_hops=1
[ 12.820138][ T1] can: SAE J1939
[ 12.823728][ T1] can: isotp protocol (max_pdu_size 8300)
[ 12.829882][ T1] Bluetooth: RFCOMM TTY layer initialized
[ 12.835710][ T1] Bluetooth: RFCOMM socket layer initialized
[ 12.842556][ T1] Bluetooth: RFCOMM ver 1.11
[ 12.847753][ T1] Bluetooth: BNEP (Ethernet Emulation) ver 1.3
[ 12.854618][ T1] Bluetooth: BNEP filters: protocol multicast
[ 12.861574][ T1] Bluetooth: BNEP socket layer initialized
[ 12.867468][ T1] Bluetooth: CMTP (CAPI Emulation) ver 1.0
[ 12.873580][ T1] Bluetooth: CMTP socket layer initialized
[ 12.879495][ T1] Bluetooth: HIDP (Human Interface Emulation) ver 1.2
[ 12.886302][ T1] Bluetooth: HIDP socket layer initialized
[ 12.895398][ T1] NET: Registered PF_RXRPC protocol family
[ 12.901429][ T1] Key type rxrpc registered
[ 12.906026][ T1] Key type rxrpc_s registered
[ 12.911826][ T1] NET: Registered PF_KCM protocol family
[ 12.918328][ T1] lec:lane_module_init: lec.c: initialized
[ 12.924409][ T1] mpoa:atm_mpoa_init: mpc.c: initialized
[ 12.930280][ T1] l2tp_core: L2TP core driver, V2.0
[ 12.935598][ T1] l2tp_ppp: PPPoL2TP kernel driver, V2.0
[ 12.941358][ T1] l2tp_ip: L2TP IP encapsulation support (L2TPv3)
[ 12.947949][ T1] l2tp_netlink: L2TP netlink interface
[ 12.953654][ T1] l2tp_eth: L2TP ethernet pseudowire support (L2TPv3)
[ 12.960697][ T1] l2tp_ip6: L2TP IP encapsulation support for IPv6 (L2TPv3)
[ 12.968360][ T1] NET: Registered PF_PHONET protocol family
[ 12.974813][ T1] 8021q: 802.1Q VLAN Support v1.8
[ 12.994336][ T1] DCCP: Activated CCID 2 (TCP-like)
[ 12.999843][ T1] DCCP: Activated CCID 3 (TCP-Friendly Rate Control)
[ 13.007186][ T1] DCCP is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list
[ 13.018788][ T1] sctp: Hash tables configured (bind 32/56)
[ 13.026856][ T1] NET: Registered PF_RDS protocol family
[ 13.033336][ T1] Registered RDS/infiniband transport
[ 13.040666][ T1] Registered RDS/tcp transport
[ 13.045434][ T1] tipc: Activated (version 2.0.0)
[ 13.051314][ T1] NET: Registered PF_TIPC protocol family
[ 13.058003][ T1] tipc: Started in single node mode
[ 13.064169][ T1] NET: Registered PF_SMC protocol family
[ 13.070187][ T1] 9pnet: Installing 9P2000 support
[ 13.076496][ T1] NET: Registered PF_CAIF protocol family
[ 13.086967][ T1] NET: Registered PF_IEEE802154 protocol family
[ 13.093617][ T1] Key type dns_resolver registered
[ 13.098818][ T1] Key type ceph registered
[ 13.104600][ T1] libceph: loaded (mon/osd proto 15/24)
[ 13.112473][ T1] batman_adv: B.A.T.M.A.N. advanced 2024.1 (compatibility version 15) loaded
[ 13.121607][ T1] openvswitch: Open vSwitch switching datapath
[ 13.131618][ T1] NET: Registered PF_VSOCK protocol family
[ 13.137773][ T1] mpls_gso: MPLS GSO support
[ 13.156405][ T1] IPI shorthand broadcast: enabled
[ 13.161743][ T1] AVX2 version of gcm_enc/dec engaged.
[ 13.167509][ T1] AES CTR mode by8 optimization enabled
[ 14.590865][ T1] sched_clock: Marking stable (14560030479, 29021812)->(14596728069, -7675778)
[ 14.601567][ T1] Timer migration: 1 hierarchy levels; 8 children per group; 0 crossnode level
[ 14.613912][ T1] registered taskstats version 1
[ 14.632381][ T1] Loading compiled-in X.509 certificates
[ 14.642765][ T1] Loaded X.509 cert 'Build time autogenerated kernel key: 08ce2e0f9d36a5c5a02b0d1885081503e195390d'
[ 14.937998][ T1] zswap: loaded using pool lzo/zsmalloc
[ 14.945577][ T1] debug_vm_pgtable: [debug_vm_pgtable ]: Validating architecture page table helpers
[ 15.348632][ T1] ------------[ cut here ]------------
[ 15.354159][ T1] refcount_t: decrement hit 0; leaking memory.
[ 15.360853][ T1] WARNING: CPU: 1 PID: 1 at lib/refcount.c:31 refcount_warn_saturate+0xfa/0x1d0
[ 15.370031][ T1] Modules linked in:
[ 15.374015][ T1] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 6.8.0-syzkaller-11136-g66a27abac311-dirty #0
[ 15.383944][ T1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
[ 15.394635][ T1] RIP: 0010:refcount_warn_saturate+0xfa/0x1d0
[ 15.401092][ T1] Code: b2 00 00 00 e8 e7 9b f5 fc 5b 5d c3 cc cc cc cc e8 db 9b f5 fc c6 05 b8 1e d2 0a 01 90 48 c7 c7 60 da fd 8b e8 57 61 b8 fc 90 <0f> 0b 90 90 eb d9 e8 bb 9b f5 fc c6 05 95 1e d2 0a 01 90 48 c7 c7
[ 15.421121][ T1] RSP: 0000:ffffc90000067668 EFLAGS: 00010246
[ 15.427191][ T1] RAX: e1235bce1b62cf00 RBX: ffff88803032668c RCX: ffff8880166c8000
[ 15.435218][ T1] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 15.443447][ T1] RBP: 0000000000000004 R08: ffffffff8157df32 R09: fffffbfff1bf9660
[ 15.451777][ T1] R10: dffffc0000000000 R11: fffffbfff1bf9660 R12: ffffea0001004000
[ 15.459840][ T1] R13: 0000000000000000 R14: 0000000000000000 R15: ffffea0001004008
[ 15.468317][ T1] FS: 0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
[ 15.477318][ T1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 15.483974][ T1] CR2: 0000000000000000 CR3: 000000000df32000 CR4: 00000000003506f0
[ 15.492092][ T1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 15.500314][ T1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 15.508269][ T1] Call Trace:
[ 15.513679][ T1] <TASK>
[ 15.516698][ T1] ? __warn+0x163/0x4b0
[ 15.520937][ T1] ? refcount_warn_saturate+0xfa/0x1d0
[ 15.526671][ T1] ? report_bug+0x2b3/0x500
[ 15.531428][ T1] ? refcount_warn_saturate+0xfa/0x1d0
[ 15.536983][ T1] ? handle_bug+0x3e/0x70
[ 15.541430][ T1] ? exc_invalid_op+0x1a/0x50
[ 15.546283][ T1] ? asm_exc_invalid_op+0x1a/0x20
[ 15.551725][ T1] ? __warn_printk+0x292/0x360
[ 15.557114][ T1] ? refcount_warn_saturate+0xfa/0x1d0
[ 15.562830][ T1] ? refcount_warn_saturate+0xf9/0x1d0
[ 15.568524][ T1] free_unref_page_prepare+0x95d/0xa80
[ 15.574314][ T1] free_unref_page+0x37/0x3f0
[ 15.579022][ T1] free_contig_range+0x9e/0x160
[ 15.584149][ T1] destroy_args+0x8a/0x890
[ 15.588646][ T1] debug_vm_pgtable+0x4be/0x550
[ 15.593527][ T1] ? __pfx_debug_vm_pgtable+0x10/0x10
[ 15.598924][ T1] ? __pfx_add_device_randomness+0x10/0x10
[ 15.604940][ T1] ? __pfx_debug_vm_pgtable+0x10/0x10
[ 15.610502][ T1] do_one_initcall+0x238/0x830
[ 15.615350][ T1] ? __pfx_debug_vm_pgtable+0x10/0x10
[ 15.620738][ T1] ? __pfx_do_one_initcall+0x10/0x10
[ 15.626106][ T1] ? lockdep_hardirqs_on_prepare+0x43d/0x780
[ 15.632176][ T1] ? __pfx_parse_args+0x10/0x10
[ 15.637014][ T1] ? lockdep_hardirqs_on+0x99/0x150
[ 15.642851][ T1] ? rcu_is_watching+0x15/0xb0
[ 15.647694][ T1] do_initcall_level+0x157/0x210
[ 15.652718][ T1] do_initcalls+0x3f/0x80
[ 15.657067][ T1] kernel_init_freeable+0x435/0x5d0
[ 15.662296][ T1] ? __pfx_kernel_init_freeable+0x10/0x10
[ 15.668107][ T1] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 15.674547][ T1] ? __pfx_kernel_init+0x10/0x10
[ 15.679619][ T1] ? __pfx_kernel_init+0x10/0x10
[ 15.684552][ T1] ? __pfx_kernel_init+0x10/0x10
[ 15.689518][ T1] kernel_init+0x1d/0x2b0
[ 15.693855][ T1] ret_from_fork+0x4b/0x80
[ 15.698260][ T1] ? __pfx_kernel_init+0x10/0x10
[ 15.703215][ T1] ret_from_fork_asm+0x1a/0x30
[ 15.708008][ T1] </TASK>
[ 15.711089][ T1] Kernel panic - not syncing: kernel: panic_on_warn set ...
[ 15.718361][ T1] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 6.8.0-syzkaller-11136-g66a27abac311-dirty #0
[ 15.728316][ T1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
[ 15.738366][ T1] Call Trace:
[ 15.741728][ T1] <TASK>
[ 15.744741][ T1] dump_stack_lvl+0x241/0x360
[ 15.749412][ T1] ? __pfx_dump_stack_lvl+0x10/0x10
[ 15.754650][ T1] ? __pfx__printk+0x10/0x10
[ 15.759325][ T1] ? vscnprintf+0x5d/0x90
[ 15.763651][ T1] panic+0x349/0x860
[ 15.767594][ T1] ? __warn+0x172/0x4b0
[ 15.771736][ T1] ? __pfx_panic+0x10/0x10
[ 15.776157][ T1] ? ret_from_fork_asm+0x1a/0x30
[ 15.781165][ T1] __warn+0x31e/0x4b0
[ 15.785225][ T1] ? refcount_warn_saturate+0xfa/0x1d0
[ 15.790902][ T1] report_bug+0x2b3/0x500
[ 15.795231][ T1] ? refcount_warn_saturate+0xfa/0x1d0
[ 15.800875][ T1] handle_bug+0x3e/0x70
[ 15.805104][ T1] exc_invalid_op+0x1a/0x50
[ 15.809682][ T1] asm_exc_invalid_op+0x1a/0x20
[ 15.814549][ T1] RIP: 0010:refcount_warn_saturate+0xfa/0x1d0
[ 15.820611][ T1] Code: b2 00 00 00 e8 e7 9b f5 fc 5b 5d c3 cc cc cc cc e8 db 9b f5 fc c6 05 b8 1e d2 0a 01 90 48 c7 c7 60 da fd 8b e8 57 61 b8 fc 90 <0f> 0b 90 90 eb d9 e8 bb 9b f5 fc c6 05 95 1e d2 0a 01 90 48 c7 c7
[ 15.840487][ T1] RSP: 0000:ffffc90000067668 EFLAGS: 00010246
[ 15.846584][ T1] RAX: e1235bce1b62cf00 RBX: ffff88803032668c RCX: ffff8880166c8000
[ 15.854803][ T1] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 15.862798][ T1] RBP: 0000000000000004 R08: ffffffff8157df32 R09: fffffbfff1bf9660
[ 15.870787][ T1] R10: dffffc0000000000 R11: fffffbfff1bf9660 R12: ffffea0001004000
[ 15.878941][ T1] R13: 0000000000000000 R14: 0000000000000000 R15: ffffea0001004008
[ 15.887231][ T1] ? __warn_printk+0x292/0x360
[ 15.892088][ T1] ? refcount_warn_saturate+0xf9/0x1d0
[ 15.897560][ T1] free_unref_page_prepare+0x95d/0xa80
[ 15.903006][ T1] free_unref_page+0x37/0x3f0
[ 15.907714][ T1] free_contig_range+0x9e/0x160
[ 15.912573][ T1] destroy_args+0x8a/0x890
[ 15.916981][ T1] debug_vm_pgtable+0x4be/0x550
[ 15.921815][ T1] ? __pfx_debug_vm_pgtable+0x10/0x10
[ 15.927183][ T1] ? __pfx_add_device_randomness+0x10/0x10
[ 15.932971][ T1] ? __pfx_debug_vm_pgtable+0x10/0x10
[ 15.938411][ T1] do_one_initcall+0x238/0x830
[ 15.943437][ T1] ? __pfx_debug_vm_pgtable+0x10/0x10
[ 15.948978][ T1] ? __pfx_do_one_initcall+0x10/0x10
[ 15.954251][ T1] ? lockdep_hardirqs_on_prepare+0x43d/0x780
[ 15.960417][ T1] ? __pfx_parse_args+0x10/0x10
[ 15.965563][ T1] ? lockdep_hardirqs_on+0x99/0x150
[ 15.970756][ T1] ? rcu_is_watching+0x15/0xb0
[ 15.975499][ T1] do_initcall_level+0x157/0x210
[ 15.980614][ T1] do_initcalls+0x3f/0x80
[ 15.984954][ T1] kernel_init_freeable+0x435/0x5d0
[ 15.990162][ T1] ? __pfx_kernel_init_freeable+0x10/0x10
[ 15.996700][ T1] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 16.003016][ T1] ? __pfx_kernel_init+0x10/0x10
[ 16.008110][ T1] ? __pfx_kernel_init+0x10/0x10
[ 16.013192][ T1] ? __pfx_kernel_init+0x10/0x10
[ 16.018149][ T1] kernel_init+0x1d/0x2b0
[ 16.022473][ T1] ret_from_fork+0x4b/0x80
[ 16.026961][ T1] ? __pfx_kernel_init+0x10/0x10
[ 16.031885][ T1] ret_from_fork_asm+0x1a/0x30
[ 16.036835][ T1] </TASK>
[ 16.040270][ T1] Kernel Offset: disabled
[ 16.044588][ T1] Rebooting in 86400 seconds..


syzkaller build log:


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=10f21d66180000


Tested on:

commit: 66a27aba Merge tag 'powerpc-6.9-1' of git://git.kernel..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
kernel config: https://syzkaller.appspot.com/x/.config?x=fe0919aedd4b3fc3
dashboard link: https://syzkaller.appspot.com/bug?extid=28c1a5a5b041a754b947
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=11968711180000

Hillf Danton

Mar 16, 2024, 1:40:43 AM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
--- x/mm/debug_vm_pgtable.c
+++ y/mm/debug_vm_pgtable.c
@@ -77,6 +77,7 @@ struct pgtable_debug_args {
pgprot_t page_prot_none;

bool is_contiguous_page;
+ unsigned int ctg_order;
unsigned long pud_pfn;
unsigned long pmd_pfn;
unsigned long pte_pfn;
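Review bot: the new `ctg_order` field in `struct pgtable_debug_args` carries no comment saying it is only meaningful while `is_contiguous_page` is set, and nothing in this patch initialises or resets it, so unless the whole struct is zeroed before use a stale value could defeat the order checks added in destroy_args. Suggest a one-line comment next to `unsigned int ctg_order;` (for example `/* order passed to alloc_contig_pages(); valid only if is_contiguous_page */`) and resetting it when the contiguous range is freed.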
@@ -1033,7 +1034,8 @@ static void __init destroy_args(struct p
has_transparent_pud_hugepage() &&
args->pud_pfn != ULONG_MAX) {
if (args->is_contiguous_page) {
- free_contig_range(args->pud_pfn,
+ if (args->ctg_order == HPAGE_PUD_SHIFT - PAGE_SHIFT)
+ free_contig_range(args->pud_pfn,
(1 << (HPAGE_PUD_SHIFT - PAGE_SHIFT)));
} else {
page = pfn_to_page(args->pud_pfn);
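Review bot: the new `if (args->ctg_order == HPAGE_PUD_SHIFT - PAGE_SHIFT)` guard silently skips `free_contig_range()` when the recorded order does not match, so a mismatch would leak the whole contiguous range with no diagnostic instead of being caught. If the intent is to free with the order that was actually allocated, `free_contig_range(args->pud_pfn, 1 << args->ctg_order)` does that directly; if a mismatch is a bug, a `WARN_ON_ONCE()` on the condition would surface it. Note also that syzbot's follow-up test in this thread still reports `refcount_t: decrement hit 0` from `free_unref_page_prepare` via `free_contig_range` called from `destroy_args`, so the free is still reached and still warns; an order mismatch does not appear to be what is being hit.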
@@ -1049,7 +1051,8 @@ static void __init destroy_args(struct p
has_transparent_hugepage() &&
args->pmd_pfn != ULONG_MAX) {
if (args->is_contiguous_page) {
- free_contig_range(args->pmd_pfn, (1 << HPAGE_PMD_ORDER));
+ if (args->ctg_order == HPAGE_PMD_ORDER)
+ free_contig_range(args->pmd_pfn, (1 << HPAGE_PMD_ORDER));
} else {
page = pfn_to_page(args->pmd_pfn);
__free_pages(page, HPAGE_PMD_ORDER);
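Review bot: same silent-skip concern as in the PUD branch: when `args->ctg_order != HPAGE_PMD_ORDER` the PMD-sized contiguous range is never freed and nothing reports it. Using the recorded order in the call (`free_contig_range(args->pmd_pfn, 1 << args->ctg_order)`) would make both branches free exactly what was allocated and remove the need for the two order comparisons.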
@@ -1104,6 +1107,7 @@ debug_vm_pgtable_alloc_huge_page(struct
first_online_node, NULL);
if (page) {
args->is_contiguous_page = true;
+ args->ctg_order = order;
return page;
}
}
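Review bot: `args->ctg_order = order;` is set only on the `alloc_contig_pages()` success path, which is correct, but the field stays unset on the regular `alloc_pages()` path and keeps its old value across a later call, so its meaning depends entirely on `is_contiguous_page` being checked first. A comment at the assignment stating that, or an explicit `args->ctg_order = 0;` at the start of the function, would make the coupling clear.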
--

syzbot

Mar 16, 2024, 2:04:04 AM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

[ 15.408732][ T1] debug_vm_pgtable: [debug_vm_pgtable ]: Validating architecture page table helpers
[ 15.900621][ T1] ------------[ cut here ]------------
[ 15.906364][ T1] refcount_t: decrement hit 0; leaking memory.
[ 15.912957][ T1] WARNING: CPU: 0 PID: 1 at lib/refcount.c:31 refcount_warn_saturate+0xfa/0x1d0
[ 15.922163][ T1] Modules linked in:
[ 15.926098][ T1] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.8.0-syzkaller-11136-g66a27abac311-dirty #0
[ 15.935922][ T1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
[ 15.946042][ T1] RIP: 0010:refcount_warn_saturate+0xfa/0x1d0
[ 15.952210][ T1] Code: b2 00 00 00 e8 e7 9b f5 fc 5b 5d c3 cc cc cc cc e8 db 9b f5 fc c6 05 b8 1e d2 0a 01 90 48 c7 c7 60 da fd 8b e8 57 61 b8 fc 90 <0f> 0b 90 90 eb d9 e8 bb 9b f5 fc c6 05 95 1e d2 0a 01 90 48 c7 c7
[ 15.971955][ T1] RSP: 0000:ffffc90000067660 EFLAGS: 00010246
[ 15.978221][ T1] RAX: 0fe32bb113e5bf00 RBX: ffff88802fb6472c RCX: ffff8880166c8000
[ 15.986337][ T1] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 15.994305][ T1] RBP: 0000000000000004 R08: ffffffff8157df32 R09: fffffbfff1bf9660
[ 16.002477][ T1] R10: dffffc0000000000 R11: fffffbfff1bf9660 R12: ffffea0001004000
[ 16.010484][ T1] R13: 0000000000000000 R14: 0000000000000000 R15: ffffea0001004008
[ 16.018469][ T1] FS: 0000000000000000(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
[ 16.027499][ T1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 16.034061][ T1] CR2: ffff88823ffff000 CR3: 000000000df32000 CR4: 00000000003506f0
[ 16.042391][ T1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 16.050505][ T1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 16.058778][ T1] Call Trace:
[ 16.062157][ T1] <TASK>
[ 16.065073][ T1] ? __warn+0x163/0x4b0
[ 16.069266][ T1] ? refcount_warn_saturate+0xfa/0x1d0
[ 16.074748][ T1] ? report_bug+0x2b3/0x500
[ 16.079564][ T1] ? refcount_warn_saturate+0xfa/0x1d0
[ 16.085135][ T1] ? handle_bug+0x3e/0x70
[ 16.089485][ T1] ? exc_invalid_op+0x1a/0x50
[ 16.094158][ T1] ? asm_exc_invalid_op+0x1a/0x20
[ 16.099373][ T1] ? __warn_printk+0x292/0x360
[ 16.104139][ T1] ? refcount_warn_saturate+0xfa/0x1d0
[ 16.109624][ T1] free_unref_page_prepare+0x95d/0xa80
[ 16.115106][ T1] free_unref_page+0x37/0x3f0
[ 16.119816][ T1] free_contig_range+0x9e/0x160
[ 16.124767][ T1] destroy_args+0xbf/0x930
[ 16.129207][ T1] debug_vm_pgtable+0x4be/0x550
[ 16.134142][ T1] ? __pfx_debug_vm_pgtable+0x10/0x10
[ 16.139640][ T1] ? __pfx_add_device_randomness+0x10/0x10
[ 16.145480][ T1] ? __pfx_debug_vm_pgtable+0x10/0x10
[ 16.151256][ T1] do_one_initcall+0x238/0x830
[ 16.156291][ T1] ? __pfx_debug_vm_pgtable+0x10/0x10
[ 16.161763][ T1] ? __pfx_do_one_initcall+0x10/0x10
[ 16.167120][ T1] ? lockdep_hardirqs_on_prepare+0x43d/0x780
[ 16.173394][ T1] ? __pfx_parse_args+0x10/0x10
[ 16.178404][ T1] ? lockdep_hardirqs_on+0x99/0x150
[ 16.183698][ T1] ? rcu_is_watching+0x15/0xb0
[ 16.188485][ T1] do_initcall_level+0x157/0x210
[ 16.193436][ T1] do_initcalls+0x3f/0x80
[ 16.197830][ T1] kernel_init_freeable+0x435/0x5d0
[ 16.203149][ T1] ? __pfx_kernel_init_freeable+0x10/0x10
[ 16.209002][ T1] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 16.215336][ T1] ? __pfx_kernel_init+0x10/0x10
[ 16.220450][ T1] ? __pfx_kernel_init+0x10/0x10
[ 16.225404][ T1] ? __pfx_kernel_init+0x10/0x10
[ 16.230363][ T1] kernel_init+0x1d/0x2b0
[ 16.234710][ T1] ret_from_fork+0x4b/0x80
[ 16.239252][ T1] ? __pfx_kernel_init+0x10/0x10
[ 16.244360][ T1] ret_from_fork_asm+0x1a/0x30
[ 16.249246][ T1] </TASK>
[ 16.252545][ T1] Kernel panic - not syncing: kernel: panic_on_warn set ...
[ 16.259895][ T1] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.8.0-syzkaller-11136-g66a27abac311-dirty #0
[ 16.269779][ T1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
[ 16.279812][ T1] Call Trace:
[ 16.283087][ T1] <TASK>
[ 16.286006][ T1] dump_stack_lvl+0x241/0x360
[ 16.290695][ T1] ? __pfx_dump_stack_lvl+0x10/0x10
[ 16.295873][ T1] ? __pfx__printk+0x10/0x10
[ 16.300449][ T1] ? vscnprintf+0x5d/0x90
[ 16.304763][ T1] panic+0x349/0x860
[ 16.308647][ T1] ? __warn+0x172/0x4b0
[ 16.312869][ T1] ? __pfx_panic+0x10/0x10
[ 16.317443][ T1] ? ret_from_fork_asm+0x1a/0x30
[ 16.322385][ T1] __warn+0x31e/0x4b0
[ 16.326346][ T1] ? refcount_warn_saturate+0xfa/0x1d0
[ 16.331877][ T1] report_bug+0x2b3/0x500
[ 16.336186][ T1] ? refcount_warn_saturate+0xfa/0x1d0
[ 16.341810][ T1] handle_bug+0x3e/0x70
[ 16.345964][ T1] exc_invalid_op+0x1a/0x50
[ 16.350577][ T1] asm_exc_invalid_op+0x1a/0x20
[ 16.355427][ T1] RIP: 0010:refcount_warn_saturate+0xfa/0x1d0
[ 16.361582][ T1] Code: b2 00 00 00 e8 e7 9b f5 fc 5b 5d c3 cc cc cc cc e8 db 9b f5 fc c6 05 b8 1e d2 0a 01 90 48 c7 c7 60 da fd 8b e8 57 61 b8 fc 90 <0f> 0b 90 90 eb d9 e8 bb 9b f5 fc c6 05 95 1e d2 0a 01 90 48 c7 c7
[ 16.381608][ T1] RSP: 0000:ffffc90000067660 EFLAGS: 00010246
[ 16.387763][ T1] RAX: 0fe32bb113e5bf00 RBX: ffff88802fb6472c RCX: ffff8880166c8000
[ 16.395735][ T1] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 16.403711][ T1] RBP: 0000000000000004 R08: ffffffff8157df32 R09: fffffbfff1bf9660
[ 16.411751][ T1] R10: dffffc0000000000 R11: fffffbfff1bf9660 R12: ffffea0001004000
[ 16.419724][ T1] R13: 0000000000000000 R14: 0000000000000000 R15: ffffea0001004008
[ 16.427717][ T1] ? __warn_printk+0x292/0x360
[ 16.432558][ T1] free_unref_page_prepare+0x95d/0xa80
[ 16.438001][ T1] free_unref_page+0x37/0x3f0
[ 16.442973][ T1] free_contig_range+0x9e/0x160
[ 16.448493][ T1] destroy_args+0xbf/0x930
[ 16.453099][ T1] debug_vm_pgtable+0x4be/0x550
[ 16.457978][ T1] ? __pfx_debug_vm_pgtable+0x10/0x10
[ 16.463467][ T1] ? __pfx_add_device_randomness+0x10/0x10
[ 16.469469][ T1] ? __pfx_debug_vm_pgtable+0x10/0x10
[ 16.474941][ T1] do_one_initcall+0x238/0x830
[ 16.479709][ T1] ? __pfx_debug_vm_pgtable+0x10/0x10
[ 16.485072][ T1] ? __pfx_do_one_initcall+0x10/0x10
[ 16.490365][ T1] ? lockdep_hardirqs_on_prepare+0x43d/0x780
[ 16.496385][ T1] ? __pfx_parse_args+0x10/0x10
[ 16.501233][ T1] ? lockdep_hardirqs_on+0x99/0x150
[ 16.506558][ T1] ? rcu_is_watching+0x15/0xb0
[ 16.511494][ T1] do_initcall_level+0x157/0x210
[ 16.516440][ T1] do_initcalls+0x3f/0x80
[ 16.520760][ T1] kernel_init_freeable+0x435/0x5d0
[ 16.526036][ T1] ? __pfx_kernel_init_freeable+0x10/0x10
[ 16.531754][ T1] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 16.538096][ T1] ? __pfx_kernel_init+0x10/0x10
[ 16.543023][ T1] ? __pfx_kernel_init+0x10/0x10
[ 16.547967][ T1] ? __pfx_kernel_init+0x10/0x10
[ 16.552913][ T1] kernel_init+0x1d/0x2b0
[ 16.557267][ T1] ret_from_fork+0x4b/0x80
[ 16.562141][ T1] ? __pfx_kernel_init+0x10/0x10
[ 16.567085][ T1] ret_from_fork_asm+0x1a/0x30
[ 16.572035][ T1] </TASK>
[ 16.575576][ T1] Kernel Offset: disabled
[ 16.579900][ T1] Rebooting in 86400 seconds..


syzkaller build log:


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=14921546180000


Tested on:

commit: 66a27aba Merge tag 'powerpc-6.9-1' of git://git.kernel..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
kernel config: https://syzkaller.appspot.com/x/.config?x=fe0919aedd4b3fc3
dashboard link: https://syzkaller.appspot.com/bug?extid=28c1a5a5b041a754b947
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=15c05ac9180000

Hillf Danton

Mar 16, 2024, 4:14:04 AM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com

syzbot

Mar 16, 2024, 4:32:04 AM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+28c1a5...@syzkaller.appspotmail.com

Tested on:

commit: fe46a7dd Merge tag 'sound-6.9-rc1' of git://git.kernel..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=15c227b6180000
kernel config: https://syzkaller.appspot.com/x/.config?x=4d90a36f0cab495a
dashboard link: https://syzkaller.appspot.com/bug?extid=28c1a5a5b041a754b947
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=11aa1d66180000

Note: testing is done by a robot and is best-effort only.