INFO: task hung in ext4_fallocate
33 views
Skip to first unread message
syzbot
Oct 1, 2018, 2:14:05 PM10/1/18
to adilger...@dilger.ca, linux...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, ty...@mit.edu
Hello,
syzbot found the following crash on:
HEAD commit: 291d0e5d81e1 Merge tag 'for-linus-20180929' of git://git.k..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10332181400000
kernel config: https://syzkaller.appspot.com/x/.config?x=a8212f992609a887
dashboard link: https://syzkaller.appspot.com/bug?extid=c61979f6f2cba5cb3c06
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1611fbfa400000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1489f831400000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+c61979...@syzkaller.appspotmail.com
audit: type=1400 audit(1538313446.938:37): avc: denied { map } for
pid=5541 comm="syz-executor212" path="/root/syz-executor212822736"
dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
INFO: task syz-executor212:5548 blocked for more than 140 seconds.
Not tainted 4.19.0-rc5+ #40
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor212 D19712 5548 5545 0x00000004
Call Trace:
context_switch kernel/sched/core.c:2825 [inline]
__schedule+0x86c/0x1ed0 kernel/sched/core.c:3473
schedule+0xfe/0x460 kernel/sched/core.c:3517
__rwsem_down_write_failed_common+0xbb9/0x1670
kernel/locking/rwsem-xadd.c:566
rwsem_down_write_failed+0xe/0x10 kernel/locking/rwsem-xadd.c:595
call_rwsem_down_write_failed+0x17/0x30 arch/x86/lib/rwsem.S:117
__down_write arch/x86/include/asm/rwsem.h:142 [inline]
down_write+0xa5/0x130 kernel/locking/rwsem.c:72
inode_lock include/linux/fs.h:738 [inline]
ext4_fallocate+0x921/0x2300 fs/ext4/extents.c:4957
vfs_fallocate+0x4b4/0x940 fs/open.c:308
ksys_fallocate+0x56/0x90 fs/open.c:331
__do_sys_fallocate fs/open.c:339 [inline]
__se_sys_fallocate fs/open.c:337 [inline]
__x64_sys_fallocate+0x97/0xf0 fs/open.c:337
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x440ef9
Code: 67 00 00 00 00 00 00 00 00 49 6e 76 61 6c 69 64 20 22 24 4d 61 69 6e
4d 73 67 51 75 65 75 65 44 65 71 75 65 75 65 54 69 6d 65 <45> 6e 64 22 2c
20 65 72 72 6f 72 20 25 64 2e 20 49 67 6e 6f 72 65
RSP: 002b:00007ffd82484778 EFLAGS: 00000217 ORIG_RAX: 000000000000011d
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440ef9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 0000000000000000 R08: 00000000004002c8 R09: 00000000004002c8
R10: 0000000000010001 R11: 0000000000000217 R12: 0000000000401d90
R13: 0000000000401e20 R14: 0000000000000000 R15: 0000000000000000
INFO: task syz-executor212:5550 blocked for more than 140 seconds.
Not tainted 4.19.0-rc5+ #40
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor212 D23736 5550 5543 0x00000004
Call Trace:
context_switch kernel/sched/core.c:2825 [inline]
__schedule+0x86c/0x1ed0 kernel/sched/core.c:3473
schedule+0xfe/0x460 kernel/sched/core.c:3517
__rwsem_down_write_failed_common+0xbb9/0x1670
kernel/locking/rwsem-xadd.c:566
rwsem_down_write_failed+0xe/0x10 kernel/locking/rwsem-xadd.c:595
call_rwsem_down_write_failed+0x17/0x30 arch/x86/lib/rwsem.S:117
__down_write arch/x86/include/asm/rwsem.h:142 [inline]
down_write+0xa5/0x130 kernel/locking/rwsem.c:72
inode_lock include/linux/fs.h:738 [inline]
process_measurement+0x190f/0x1bf0 security/integrity/ima/ima_main.c:205
ima_file_check+0xe5/0x130 security/integrity/ima/ima_main.c:391
do_last fs/namei.c:3422 [inline]
path_openat+0x134d/0x5160 fs/namei.c:3534
do_filp_open+0x255/0x380 fs/namei.c:3564
do_sys_open+0x568/0x700 fs/open.c:1063
__do_sys_openat fs/open.c:1090 [inline]
__se_sys_openat fs/open.c:1084 [inline]
__x64_sys_openat+0x9d/0x100 fs/open.c:1084
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x440ef9
Code: 67 00 00 00 00 00 00 00 00 49 6e 76 61 6c 69 64 20 22 24 4d 61 69 6e
4d 73 67 51 75 65 75 65 44 65 71 75 65 75 65 54 69 6d 65 <45> 6e 64 22 2c
20 65 72 72 6f 72 20 25 64 2e 20 49 67 6e 6f 72 65
RSP: 002b:00007ffd82484778 EFLAGS: 00000207 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440ef9
RDX: 000000000000275a RSI: 0000000020000080 RDI: 00000000ffffff9c
RBP: 0000000000000000 R08: 00000000008c3880 R09: 00000000004002c8
R10: 0000000000000000 R11: 0000000000000207 R12: 0000000000401d90
R13: 0000000000401e20 R14: 0000000000000000 R15: 0000000000000000
INFO: task syz-executor212:5551 blocked for more than 140 seconds.
Not tainted 4.19.0-rc5+ #40
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor212 D23736 5551 5546 0x00000004
Call Trace:
context_switch kernel/sched/core.c:2825 [inline]
__schedule+0x86c/0x1ed0 kernel/sched/core.c:3473
schedule+0xfe/0x460 kernel/sched/core.c:3517
__rwsem_down_write_failed_common+0xbb9/0x1670
kernel/locking/rwsem-xadd.c:566
rwsem_down_write_failed+0xe/0x10 kernel/locking/rwsem-xadd.c:595
call_rwsem_down_write_failed+0x17/0x30 arch/x86/lib/rwsem.S:117
__down_write arch/x86/include/asm/rwsem.h:142 [inline]
down_write+0xa5/0x130 kernel/locking/rwsem.c:72
inode_lock include/linux/fs.h:738 [inline]
process_measurement+0x190f/0x1bf0 security/integrity/ima/ima_main.c:205
ima_file_check+0xe5/0x130 security/integrity/ima/ima_main.c:391
do_last fs/namei.c:3422 [inline]
path_openat+0x134d/0x5160 fs/namei.c:3534
do_filp_open+0x255/0x380 fs/namei.c:3564
do_sys_open+0x568/0x700 fs/open.c:1063
__do_sys_openat fs/open.c:1090 [inline]
__se_sys_openat fs/open.c:1084 [inline]
__x64_sys_openat+0x9d/0x100 fs/open.c:1084
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x440ef9
Code: 67 00 00 00 00 00 00 00 00 49 6e 76 61 6c 69 64 20 22 24 4d 61 69 6e
4d 73 67 51 75 65 75 65 44 65 71 75 65 75 65 54 69 6d 65 <45> 6e 64 22 2c
20 65 72 72 6f 72 20 25 64 2e 20 49 67 6e 6f 72 65
RSP: 002b:00007ffd82484778 EFLAGS: 00000207 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440ef9
RDX: 000000000000275a RSI: 0000000020000080 RDI: 00000000ffffff9c
RBP: 0000000000000000 R08: 00000000008c3880 R09: 00000000004002c8
R10: 0000000000000000 R11: 0000000000000207 R12: 0000000000401d90
R13: 0000000000401e20 R14: 0000000000000000 R15: 0000000000000000
INFO: task syz-executor212:5552 blocked for more than 140 seconds.
Not tainted 4.19.0-rc5+ #40
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor212 D23888 5552 5544 0x00000004
Call Trace:
context_switch kernel/sched/core.c:2825 [inline]
__schedule+0x86c/0x1ed0 kernel/sched/core.c:3473
schedule+0xfe/0x460 kernel/sched/core.c:3517
__rwsem_down_write_failed_common+0xbb9/0x1670
kernel/locking/rwsem-xadd.c:566
rwsem_down_write_failed+0xe/0x10 kernel/locking/rwsem-xadd.c:595
call_rwsem_down_write_failed+0x17/0x30 arch/x86/lib/rwsem.S:117
__down_write arch/x86/include/asm/rwsem.h:142 [inline]
down_write+0xa5/0x130 kernel/locking/rwsem.c:72
inode_lock include/linux/fs.h:738 [inline]
process_measurement+0x190f/0x1bf0 security/integrity/ima/ima_main.c:205
ima_file_check+0xe5/0x130 security/integrity/ima/ima_main.c:391
do_last fs/namei.c:3422 [inline]
path_openat+0x134d/0x5160 fs/namei.c:3534
do_filp_open+0x255/0x380 fs/namei.c:3564
do_sys_open+0x568/0x700 fs/open.c:1063
__do_sys_openat fs/open.c:1090 [inline]
__se_sys_openat fs/open.c:1084 [inline]
__x64_sys_openat+0x9d/0x100 fs/open.c:1084
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x440ef9
Code: 67 00 00 00 00 00 00 00 00 49 6e 76 61 6c 69 64 20 22 24 4d 61 69 6e
4d 73 67 51 75 65 75 65 44 65 71 75 65 75 65 54 69 6d 65 <45> 6e 64 22 2c
20 65 72 72 6f 72 20 25 64 2e 20 49 67 6e 6f 72 65
RSP: 002b:00007ffd82484778 EFLAGS: 00000207 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440ef9
RDX: 000000000000275a RSI: 0000000020000080 RDI: 00000000ffffff9c
RBP: 0000000000000000 R08: 00000000008c3880 R09: 00000000004002c8
R10: 0000000000000000 R11: 0000000000000207 R12: 0000000000401d90
R13: 0000000000401e20 R14: 0000000000000000 R15: 0000000000000000
INFO: task syz-executor212:5553 blocked for more than 140 seconds.
Not tainted 4.19.0-rc5+ #40
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor212 D23736 5553 5542 0x00000004
Call Trace:
context_switch kernel/sched/core.c:2825 [inline]
__schedule+0x86c/0x1ed0 kernel/sched/core.c:3473
schedule+0xfe/0x460 kernel/sched/core.c:3517
__rwsem_down_write_failed_common+0xbb9/0x1670
kernel/locking/rwsem-xadd.c:566
rwsem_down_write_failed+0xe/0x10 kernel/locking/rwsem-xadd.c:595
call_rwsem_down_write_failed+0x17/0x30 arch/x86/lib/rwsem.S:117
__down_write arch/x86/include/asm/rwsem.h:142 [inline]
down_write+0xa5/0x130 kernel/locking/rwsem.c:72
inode_lock include/linux/fs.h:738 [inline]
process_measurement+0x190f/0x1bf0 security/integrity/ima/ima_main.c:205
ima_file_check+0xe5/0x130 security/integrity/ima/ima_main.c:391
do_last fs/namei.c:3422 [inline]
path_openat+0x134d/0x5160 fs/namei.c:3534
do_filp_open+0x255/0x380 fs/namei.c:3564
do_sys_open+0x568/0x700 fs/open.c:1063
__do_sys_openat fs/open.c:1090 [inline]
__se_sys_openat fs/open.c:1084 [inline]
__x64_sys_openat+0x9d/0x100 fs/open.c:1084
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x440ef9
Code: 67 00 00 00 00 00 00 00 00 49 6e 76 61 6c 69 64 20 22 24 4d 61 69 6e
4d 73 67 51 75 65 75 65 44 65 71 75 65 75 65 54 69 6d 65 <45> 6e 64 22 2c
20 65 72 72 6f 72 20 25 64 2e 20 49 67 6e 6f 72 65
RSP: 002b:00007ffd82484778 EFLAGS: 00000207 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440ef9
RDX: 000000000000275a RSI: 0000000020000080 RDI: 00000000ffffff9c
RBP: 0000000000000000 R08: 00000000008c3880 R09: 00000000004002c8
R10: 0000000000000000 R11: 0000000000000207 R12: 0000000000401d90
R13: 0000000000401e20 R14: 0000000000000000 R15: 0000000000000000
Showing all locks held in the system:
1 lock held by khungtaskd/983:
#0: 000000005e364832 (rcu_read_lock){....}, at:
debug_show_all_locks+0xd0/0x424 kernel/locking/lockdep.c:4435
1 lock held by rsyslogd/5383:
#0: 000000003ee63875 (&f->f_pos_lock){+.+.}, at: __fdget_pos+0x1bb/0x200
fs/file.c:766
2 locks held by getty/5505:
#0: 0000000016366007 (&tty->ldisc_sem){++++}, at:
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:353
#1: 000000001962389b (&ldata->atomic_read_lock){+.+.}, at:
n_tty_read+0x335/0x1ce0 drivers/tty/n_tty.c:2140
2 locks held by getty/5506:
#0: 00000000459f06bd (&tty->ldisc_sem){++++}, at:
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:353
#1: 000000009ba0e33f (&ldata->atomic_read_lock){+.+.}, at:
n_tty_read+0x335/0x1ce0 drivers/tty/n_tty.c:2140
2 locks held by getty/5507:
#0: 00000000ed059e98 (&tty->ldisc_sem){++++}, at:
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:353
#1: 000000006a8dd22c (&ldata->atomic_read_lock){+.+.}, at:
n_tty_read+0x335/0x1ce0 drivers/tty/n_tty.c:2140
2 locks held by getty/5508:
#0: 00000000de392f74 (&tty->ldisc_sem){++++}, at:
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:353
#1: 000000002f41f35e (&ldata->atomic_read_lock){+.+.}, at:
n_tty_read+0x335/0x1ce0 drivers/tty/n_tty.c:2140
2 locks held by getty/5509:
#0: 000000004b0015bd (&tty->ldisc_sem){++++}, at:
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:353
#1: 00000000fbcabc1c (&ldata->atomic_read_lock){+.+.}, at:
n_tty_read+0x335/0x1ce0 drivers/tty/n_tty.c:2140
2 locks held by getty/5510:
#0: 000000000749babf (&tty->ldisc_sem){++++}, at:
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:353
#1: 0000000039eaad48 (&ldata->atomic_read_lock){+.+.}, at:
n_tty_read+0x335/0x1ce0 drivers/tty/n_tty.c:2140
2 locks held by getty/5511:
#0: 000000009592ef13 (&tty->ldisc_sem){++++}, at:
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:353
#1: 0000000080736cf9 (&ldata->atomic_read_lock){+.+.}, at:
n_tty_read+0x335/0x1ce0 drivers/tty/n_tty.c:2140
2 locks held by syz-executor212/5548:
#0: 00000000dd953693 (sb_writers#4){.+.+}, at: file_start_write
include/linux/fs.h:2759 [inline]
#0: 00000000dd953693 (sb_writers#4){.+.+}, at: vfs_fallocate+0x72a/0x940
fs/open.c:307
#1: 000000000a255960 (&sb->s_type->i_mutex_key#9){+.+.}, at: inode_lock
include/linux/fs.h:738 [inline]
#1: 000000000a255960 (&sb->s_type->i_mutex_key#9){+.+.}, at:
ext4_fallocate+0x921/0x2300 fs/ext4/extents.c:4957
6 locks held by syz-executor212/5549:
2 locks held by syz-executor212/5550:
#0: 00000000dd953693 (sb_writers#4){.+.+}, at: sb_start_write
include/linux/fs.h:1566 [inline]
#0: 00000000dd953693 (sb_writers#4){.+.+}, at: mnt_want_write+0x3f/0xc0
fs/namespace.c:360
#1: 000000000a255960 (&sb->s_type->i_mutex_key#9){+.+.}, at: inode_lock
include/linux/fs.h:738 [inline]
#1: 000000000a255960 (&sb->s_type->i_mutex_key#9){+.+.}, at:
process_measurement+0x190f/0x1bf0 security/integrity/ima/ima_main.c:205
2 locks held by syz-executor212/5551:
#0: 00000000dd953693 (sb_writers#4){.+.+}, at: sb_start_write
include/linux/fs.h:1566 [inline]
#0: 00000000dd953693 (sb_writers#4){.+.+}, at: mnt_want_write+0x3f/0xc0
fs/namespace.c:360
#1: 000000000a255960 (&sb->s_type->i_mutex_key#9){+.+.}, at: inode_lock
include/linux/fs.h:738 [inline]
#1: 000000000a255960 (&sb->s_type->i_mutex_key#9){+.+.}, at:
process_measurement+0x190f/0x1bf0 security/integrity/ima/ima_main.c:205
2 locks held by syz-executor212/5552:
#0: 00000000dd953693 (sb_writers#4){.+.+}, at: sb_start_write
include/linux/fs.h:1566 [inline]
#0: 00000000dd953693 (sb_writers#4){.+.+}, at: mnt_want_write+0x3f/0xc0
fs/namespace.c:360
#1: 000000000a255960 (&sb->s_type->i_mutex_key#9){+.+.}, at: inode_lock
include/linux/fs.h:738 [inline]
#1: 000000000a255960 (&sb->s_type->i_mutex_key#9){+.+.}, at:
process_measurement+0x190f/0x1bf0 security/integrity/ima/ima_main.c:205
2 locks held by syz-executor212/5553:
#0: 00000000dd953693 (sb_writers#4){.+.+}, at: sb_start_write
include/linux/fs.h:1566 [inline]
#0: 00000000dd953693 (sb_writers#4){.+.+}, at: mnt_want_write+0x3f/0xc0
fs/namespace.c:360
#1: 000000000a255960 (&sb->s_type->i_mutex_key#9){+.+.}, at: inode_lock
include/linux/fs.h:738 [inline]
#1: 000000000a255960 (&sb->s_type->i_mutex_key#9){+.+.}, at:
process_measurement+0x190f/0x1bf0 security/integrity/ima/ima_main.c:205
=============================================
NMI backtrace for cpu 0
CPU: 0 PID: 983 Comm: khungtaskd Not tainted 4.19.0-rc5+ #40
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1c4/0x2b4 lib/dump_stack.c:113
nmi_cpu_backtrace.cold.3+0x63/0xa2 lib/nmi_backtrace.c:101
nmi_trigger_cpumask_backtrace+0x1b3/0x1ed lib/nmi_backtrace.c:62
arch_trigger_cpumask_backtrace+0x14/0x20 arch/x86/kernel/apic/hw_nmi.c:38
trigger_all_cpu_backtrace include/linux/nmi.h:144 [inline]
check_hung_uninterruptible_tasks kernel/hung_task.c:204 [inline]
watchdog+0xb3e/0x1050 kernel/hung_task.c:265
kthread+0x35a/0x420 kernel/kthread.c:246
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:413
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 5549 Comm: syz-executor212 Not tainted 4.19.0-rc5+ #40
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:mext_check_coverage.constprop.13+0x20d/0x510
fs/ext4/move_extent.c:101
Code: 86 16 fe ff ff 4c 8d 24 40 48 b8 00 00 00 00 00 fc ff df 49 c1 e4 04
49 01 dc 49 8d 7c 24 10 48 89 fa 48 c1 ea 03 80 3c 02 00 <0f> 85 36 02 00
00 48 b8 00 00 00 00 00 fc ff df 4d 8b 64 24 10 49
RSP: 0018:ffff8801b4af71c0 EFLAGS: 00000246
RAX: dffffc0000000000 RBX: ffff8801bac71600 RCX: ffffffff821e4a52
RDX: 1ffff1003758e2c2 RSI: ffffffff821e493b RDI: ffff8801bac71610
RBP: ffff8801b4af7270 R08: ffff8801c3056180 R09: 1ffffffff1273955
R10: ffffed003b5e4732 R11: ffff8801daf23993 R12: ffff8801bac71600
R13: 00000000cbb0eca5 R14: ffff8801b0f34530 R15: ffff8801b4af73e0
FS: 00000000008c3880(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffff600400 CR3: 00000001c59e4000 CR4: 00000000001406e0
Call Trace:
move_extent_per_page fs/ext4/move_extent.c:323 [inline]
ext4_move_extents+0x2784/0x3c20 fs/ext4/move_extent.c:669
ext4_ioctl+0x3154/0x4210 fs/ext4/ioctl.c:799
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:501 [inline]
do_vfs_ioctl+0x1de/0x1720 fs/ioctl.c:685
ksys_ioctl+0xa9/0xd0 fs/ioctl.c:702
__do_sys_ioctl fs/ioctl.c:709 [inline]
__se_sys_ioctl fs/ioctl.c:707 [inline]
__x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:707
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x440ef9
Code: e8 ac e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 0b 0a fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffd82484778 EFLAGS: 00000217 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440ef9
RDX: 0000000020000040 RSI: 00000000c028660f RDI: 0000000000000003
RBP: 0000000000000000 R08: 00000000004002c8 R09: 00000000004002c8
R10: 00000000004002c8 R11: 0000000000000217 R12: 0000000000401d90
R13: 0000000000401e20 R14: 0000000000000000 R15: 0000000000000000
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following crash on:
HEAD commit: 291d0e5d81e1 Merge tag 'for-linus-20180929' of git://git.k..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10332181400000
kernel config: https://syzkaller.appspot.com/x/.config?x=a8212f992609a887
dashboard link: https://syzkaller.appspot.com/bug?extid=c61979f6f2cba5cb3c06
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1611fbfa400000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1489f831400000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+c61979...@syzkaller.appspotmail.com
audit: type=1400 audit(1538313446.938:37): avc: denied { map } for
pid=5541 comm="syz-executor212" path="/root/syz-executor212822736"
dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
INFO: task syz-executor212:5548 blocked for more than 140 seconds.
Not tainted 4.19.0-rc5+ #40
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor212 D19712 5548 5545 0x00000004
Call Trace:
context_switch kernel/sched/core.c:2825 [inline]
__schedule+0x86c/0x1ed0 kernel/sched/core.c:3473
schedule+0xfe/0x460 kernel/sched/core.c:3517
__rwsem_down_write_failed_common+0xbb9/0x1670
kernel/locking/rwsem-xadd.c:566
rwsem_down_write_failed+0xe/0x10 kernel/locking/rwsem-xadd.c:595
call_rwsem_down_write_failed+0x17/0x30 arch/x86/lib/rwsem.S:117
__down_write arch/x86/include/asm/rwsem.h:142 [inline]
down_write+0xa5/0x130 kernel/locking/rwsem.c:72
inode_lock include/linux/fs.h:738 [inline]
ext4_fallocate+0x921/0x2300 fs/ext4/extents.c:4957
vfs_fallocate+0x4b4/0x940 fs/open.c:308
ksys_fallocate+0x56/0x90 fs/open.c:331
__do_sys_fallocate fs/open.c:339 [inline]
__se_sys_fallocate fs/open.c:337 [inline]
__x64_sys_fallocate+0x97/0xf0 fs/open.c:337
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x440ef9
Code: 67 00 00 00 00 00 00 00 00 49 6e 76 61 6c 69 64 20 22 24 4d 61 69 6e
4d 73 67 51 75 65 75 65 44 65 71 75 65 75 65 54 69 6d 65 <45> 6e 64 22 2c
20 65 72 72 6f 72 20 25 64 2e 20 49 67 6e 6f 72 65
RSP: 002b:00007ffd82484778 EFLAGS: 00000217 ORIG_RAX: 000000000000011d
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440ef9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 0000000000000000 R08: 00000000004002c8 R09: 00000000004002c8
R10: 0000000000010001 R11: 0000000000000217 R12: 0000000000401d90
R13: 0000000000401e20 R14: 0000000000000000 R15: 0000000000000000
INFO: task syz-executor212:5550 blocked for more than 140 seconds.
Not tainted 4.19.0-rc5+ #40
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor212 D23736 5550 5543 0x00000004
Call Trace:
context_switch kernel/sched/core.c:2825 [inline]
__schedule+0x86c/0x1ed0 kernel/sched/core.c:3473
schedule+0xfe/0x460 kernel/sched/core.c:3517
__rwsem_down_write_failed_common+0xbb9/0x1670
kernel/locking/rwsem-xadd.c:566
rwsem_down_write_failed+0xe/0x10 kernel/locking/rwsem-xadd.c:595
call_rwsem_down_write_failed+0x17/0x30 arch/x86/lib/rwsem.S:117
__down_write arch/x86/include/asm/rwsem.h:142 [inline]
down_write+0xa5/0x130 kernel/locking/rwsem.c:72
inode_lock include/linux/fs.h:738 [inline]
process_measurement+0x190f/0x1bf0 security/integrity/ima/ima_main.c:205
ima_file_check+0xe5/0x130 security/integrity/ima/ima_main.c:391
do_last fs/namei.c:3422 [inline]
path_openat+0x134d/0x5160 fs/namei.c:3534
do_filp_open+0x255/0x380 fs/namei.c:3564
do_sys_open+0x568/0x700 fs/open.c:1063
__do_sys_openat fs/open.c:1090 [inline]
__se_sys_openat fs/open.c:1084 [inline]
__x64_sys_openat+0x9d/0x100 fs/open.c:1084
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x440ef9
Code: 67 00 00 00 00 00 00 00 00 49 6e 76 61 6c 69 64 20 22 24 4d 61 69 6e
4d 73 67 51 75 65 75 65 44 65 71 75 65 75 65 54 69 6d 65 <45> 6e 64 22 2c
20 65 72 72 6f 72 20 25 64 2e 20 49 67 6e 6f 72 65
RSP: 002b:00007ffd82484778 EFLAGS: 00000207 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440ef9
RDX: 000000000000275a RSI: 0000000020000080 RDI: 00000000ffffff9c
RBP: 0000000000000000 R08: 00000000008c3880 R09: 00000000004002c8
R10: 0000000000000000 R11: 0000000000000207 R12: 0000000000401d90
R13: 0000000000401e20 R14: 0000000000000000 R15: 0000000000000000
INFO: task syz-executor212:5551 blocked for more than 140 seconds.
Not tainted 4.19.0-rc5+ #40
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor212 D23736 5551 5546 0x00000004
Call Trace:
context_switch kernel/sched/core.c:2825 [inline]
__schedule+0x86c/0x1ed0 kernel/sched/core.c:3473
schedule+0xfe/0x460 kernel/sched/core.c:3517
__rwsem_down_write_failed_common+0xbb9/0x1670
kernel/locking/rwsem-xadd.c:566
rwsem_down_write_failed+0xe/0x10 kernel/locking/rwsem-xadd.c:595
call_rwsem_down_write_failed+0x17/0x30 arch/x86/lib/rwsem.S:117
__down_write arch/x86/include/asm/rwsem.h:142 [inline]
down_write+0xa5/0x130 kernel/locking/rwsem.c:72
inode_lock include/linux/fs.h:738 [inline]
process_measurement+0x190f/0x1bf0 security/integrity/ima/ima_main.c:205
ima_file_check+0xe5/0x130 security/integrity/ima/ima_main.c:391
do_last fs/namei.c:3422 [inline]
path_openat+0x134d/0x5160 fs/namei.c:3534
do_filp_open+0x255/0x380 fs/namei.c:3564
do_sys_open+0x568/0x700 fs/open.c:1063
__do_sys_openat fs/open.c:1090 [inline]
__se_sys_openat fs/open.c:1084 [inline]
__x64_sys_openat+0x9d/0x100 fs/open.c:1084
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x440ef9
Code: 67 00 00 00 00 00 00 00 00 49 6e 76 61 6c 69 64 20 22 24 4d 61 69 6e
4d 73 67 51 75 65 75 65 44 65 71 75 65 75 65 54 69 6d 65 <45> 6e 64 22 2c
20 65 72 72 6f 72 20 25 64 2e 20 49 67 6e 6f 72 65
RSP: 002b:00007ffd82484778 EFLAGS: 00000207 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440ef9
RDX: 000000000000275a RSI: 0000000020000080 RDI: 00000000ffffff9c
RBP: 0000000000000000 R08: 00000000008c3880 R09: 00000000004002c8
R10: 0000000000000000 R11: 0000000000000207 R12: 0000000000401d90
R13: 0000000000401e20 R14: 0000000000000000 R15: 0000000000000000
INFO: task syz-executor212:5552 blocked for more than 140 seconds.
Not tainted 4.19.0-rc5+ #40
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor212 D23888 5552 5544 0x00000004
Call Trace:
context_switch kernel/sched/core.c:2825 [inline]
__schedule+0x86c/0x1ed0 kernel/sched/core.c:3473
schedule+0xfe/0x460 kernel/sched/core.c:3517
__rwsem_down_write_failed_common+0xbb9/0x1670
kernel/locking/rwsem-xadd.c:566
rwsem_down_write_failed+0xe/0x10 kernel/locking/rwsem-xadd.c:595
call_rwsem_down_write_failed+0x17/0x30 arch/x86/lib/rwsem.S:117
__down_write arch/x86/include/asm/rwsem.h:142 [inline]
down_write+0xa5/0x130 kernel/locking/rwsem.c:72
inode_lock include/linux/fs.h:738 [inline]
process_measurement+0x190f/0x1bf0 security/integrity/ima/ima_main.c:205
ima_file_check+0xe5/0x130 security/integrity/ima/ima_main.c:391
do_last fs/namei.c:3422 [inline]
path_openat+0x134d/0x5160 fs/namei.c:3534
do_filp_open+0x255/0x380 fs/namei.c:3564
do_sys_open+0x568/0x700 fs/open.c:1063
__do_sys_openat fs/open.c:1090 [inline]
__se_sys_openat fs/open.c:1084 [inline]
__x64_sys_openat+0x9d/0x100 fs/open.c:1084
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x440ef9
Code: 67 00 00 00 00 00 00 00 00 49 6e 76 61 6c 69 64 20 22 24 4d 61 69 6e
4d 73 67 51 75 65 75 65 44 65 71 75 65 75 65 54 69 6d 65 <45> 6e 64 22 2c
20 65 72 72 6f 72 20 25 64 2e 20 49 67 6e 6f 72 65
RSP: 002b:00007ffd82484778 EFLAGS: 00000207 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440ef9
RDX: 000000000000275a RSI: 0000000020000080 RDI: 00000000ffffff9c
RBP: 0000000000000000 R08: 00000000008c3880 R09: 00000000004002c8
R10: 0000000000000000 R11: 0000000000000207 R12: 0000000000401d90
R13: 0000000000401e20 R14: 0000000000000000 R15: 0000000000000000
INFO: task syz-executor212:5553 blocked for more than 140 seconds.
Not tainted 4.19.0-rc5+ #40
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor212 D23736 5553 5542 0x00000004
Call Trace:
context_switch kernel/sched/core.c:2825 [inline]
__schedule+0x86c/0x1ed0 kernel/sched/core.c:3473
schedule+0xfe/0x460 kernel/sched/core.c:3517
__rwsem_down_write_failed_common+0xbb9/0x1670
kernel/locking/rwsem-xadd.c:566
rwsem_down_write_failed+0xe/0x10 kernel/locking/rwsem-xadd.c:595
call_rwsem_down_write_failed+0x17/0x30 arch/x86/lib/rwsem.S:117
__down_write arch/x86/include/asm/rwsem.h:142 [inline]
down_write+0xa5/0x130 kernel/locking/rwsem.c:72
inode_lock include/linux/fs.h:738 [inline]
process_measurement+0x190f/0x1bf0 security/integrity/ima/ima_main.c:205
ima_file_check+0xe5/0x130 security/integrity/ima/ima_main.c:391
do_last fs/namei.c:3422 [inline]
path_openat+0x134d/0x5160 fs/namei.c:3534
do_filp_open+0x255/0x380 fs/namei.c:3564
do_sys_open+0x568/0x700 fs/open.c:1063
__do_sys_openat fs/open.c:1090 [inline]
__se_sys_openat fs/open.c:1084 [inline]
__x64_sys_openat+0x9d/0x100 fs/open.c:1084
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x440ef9
Code: 67 00 00 00 00 00 00 00 00 49 6e 76 61 6c 69 64 20 22 24 4d 61 69 6e
4d 73 67 51 75 65 75 65 44 65 71 75 65 75 65 54 69 6d 65 <45> 6e 64 22 2c
20 65 72 72 6f 72 20 25 64 2e 20 49 67 6e 6f 72 65
RSP: 002b:00007ffd82484778 EFLAGS: 00000207 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440ef9
RDX: 000000000000275a RSI: 0000000020000080 RDI: 00000000ffffff9c
RBP: 0000000000000000 R08: 00000000008c3880 R09: 00000000004002c8
R10: 0000000000000000 R11: 0000000000000207 R12: 0000000000401d90
R13: 0000000000401e20 R14: 0000000000000000 R15: 0000000000000000
Showing all locks held in the system:
1 lock held by khungtaskd/983:
#0: 000000005e364832 (rcu_read_lock){....}, at:
debug_show_all_locks+0xd0/0x424 kernel/locking/lockdep.c:4435
1 lock held by rsyslogd/5383:
#0: 000000003ee63875 (&f->f_pos_lock){+.+.}, at: __fdget_pos+0x1bb/0x200
fs/file.c:766
2 locks held by getty/5505:
#0: 0000000016366007 (&tty->ldisc_sem){++++}, at:
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:353
#1: 000000001962389b (&ldata->atomic_read_lock){+.+.}, at:
n_tty_read+0x335/0x1ce0 drivers/tty/n_tty.c:2140
2 locks held by getty/5506:
#0: 00000000459f06bd (&tty->ldisc_sem){++++}, at:
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:353
#1: 000000009ba0e33f (&ldata->atomic_read_lock){+.+.}, at:
n_tty_read+0x335/0x1ce0 drivers/tty/n_tty.c:2140
2 locks held by getty/5507:
#0: 00000000ed059e98 (&tty->ldisc_sem){++++}, at:
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:353
#1: 000000006a8dd22c (&ldata->atomic_read_lock){+.+.}, at:
n_tty_read+0x335/0x1ce0 drivers/tty/n_tty.c:2140
2 locks held by getty/5508:
#0: 00000000de392f74 (&tty->ldisc_sem){++++}, at:
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:353
#1: 000000002f41f35e (&ldata->atomic_read_lock){+.+.}, at:
n_tty_read+0x335/0x1ce0 drivers/tty/n_tty.c:2140
2 locks held by getty/5509:
#0: 000000004b0015bd (&tty->ldisc_sem){++++}, at:
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:353
#1: 00000000fbcabc1c (&ldata->atomic_read_lock){+.+.}, at:
n_tty_read+0x335/0x1ce0 drivers/tty/n_tty.c:2140
2 locks held by getty/5510:
#0: 000000000749babf (&tty->ldisc_sem){++++}, at:
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:353
#1: 0000000039eaad48 (&ldata->atomic_read_lock){+.+.}, at:
n_tty_read+0x335/0x1ce0 drivers/tty/n_tty.c:2140
2 locks held by getty/5511:
#0: 000000009592ef13 (&tty->ldisc_sem){++++}, at:
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:353
#1: 0000000080736cf9 (&ldata->atomic_read_lock){+.+.}, at:
n_tty_read+0x335/0x1ce0 drivers/tty/n_tty.c:2140
2 locks held by syz-executor212/5548:
#0: 00000000dd953693 (sb_writers#4){.+.+}, at: file_start_write
include/linux/fs.h:2759 [inline]
#0: 00000000dd953693 (sb_writers#4){.+.+}, at: vfs_fallocate+0x72a/0x940
fs/open.c:307
#1: 000000000a255960 (&sb->s_type->i_mutex_key#9){+.+.}, at: inode_lock
include/linux/fs.h:738 [inline]
#1: 000000000a255960 (&sb->s_type->i_mutex_key#9){+.+.}, at:
ext4_fallocate+0x921/0x2300 fs/ext4/extents.c:4957
6 locks held by syz-executor212/5549:
2 locks held by syz-executor212/5550:
#0: 00000000dd953693 (sb_writers#4){.+.+}, at: sb_start_write
include/linux/fs.h:1566 [inline]
#0: 00000000dd953693 (sb_writers#4){.+.+}, at: mnt_want_write+0x3f/0xc0
fs/namespace.c:360
#1: 000000000a255960 (&sb->s_type->i_mutex_key#9){+.+.}, at: inode_lock
include/linux/fs.h:738 [inline]
#1: 000000000a255960 (&sb->s_type->i_mutex_key#9){+.+.}, at:
process_measurement+0x190f/0x1bf0 security/integrity/ima/ima_main.c:205
2 locks held by syz-executor212/5551:
#0: 00000000dd953693 (sb_writers#4){.+.+}, at: sb_start_write
include/linux/fs.h:1566 [inline]
#0: 00000000dd953693 (sb_writers#4){.+.+}, at: mnt_want_write+0x3f/0xc0
fs/namespace.c:360
#1: 000000000a255960 (&sb->s_type->i_mutex_key#9){+.+.}, at: inode_lock
include/linux/fs.h:738 [inline]
#1: 000000000a255960 (&sb->s_type->i_mutex_key#9){+.+.}, at:
process_measurement+0x190f/0x1bf0 security/integrity/ima/ima_main.c:205
2 locks held by syz-executor212/5552:
#0: 00000000dd953693 (sb_writers#4){.+.+}, at: sb_start_write
include/linux/fs.h:1566 [inline]
#0: 00000000dd953693 (sb_writers#4){.+.+}, at: mnt_want_write+0x3f/0xc0
fs/namespace.c:360
#1: 000000000a255960 (&sb->s_type->i_mutex_key#9){+.+.}, at: inode_lock
include/linux/fs.h:738 [inline]
#1: 000000000a255960 (&sb->s_type->i_mutex_key#9){+.+.}, at:
process_measurement+0x190f/0x1bf0 security/integrity/ima/ima_main.c:205
2 locks held by syz-executor212/5553:
#0: 00000000dd953693 (sb_writers#4){.+.+}, at: sb_start_write
include/linux/fs.h:1566 [inline]
#0: 00000000dd953693 (sb_writers#4){.+.+}, at: mnt_want_write+0x3f/0xc0
fs/namespace.c:360
#1: 000000000a255960 (&sb->s_type->i_mutex_key#9){+.+.}, at: inode_lock
include/linux/fs.h:738 [inline]
#1: 000000000a255960 (&sb->s_type->i_mutex_key#9){+.+.}, at:
process_measurement+0x190f/0x1bf0 security/integrity/ima/ima_main.c:205
=============================================
NMI backtrace for cpu 0
CPU: 0 PID: 983 Comm: khungtaskd Not tainted 4.19.0-rc5+ #40
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1c4/0x2b4 lib/dump_stack.c:113
nmi_cpu_backtrace.cold.3+0x63/0xa2 lib/nmi_backtrace.c:101
nmi_trigger_cpumask_backtrace+0x1b3/0x1ed lib/nmi_backtrace.c:62
arch_trigger_cpumask_backtrace+0x14/0x20 arch/x86/kernel/apic/hw_nmi.c:38
trigger_all_cpu_backtrace include/linux/nmi.h:144 [inline]
check_hung_uninterruptible_tasks kernel/hung_task.c:204 [inline]
watchdog+0xb3e/0x1050 kernel/hung_task.c:265
kthread+0x35a/0x420 kernel/kthread.c:246
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:413
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 5549 Comm: syz-executor212 Not tainted 4.19.0-rc5+ #40
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:mext_check_coverage.constprop.13+0x20d/0x510
fs/ext4/move_extent.c:101
Code: 86 16 fe ff ff 4c 8d 24 40 48 b8 00 00 00 00 00 fc ff df 49 c1 e4 04
49 01 dc 49 8d 7c 24 10 48 89 fa 48 c1 ea 03 80 3c 02 00 <0f> 85 36 02 00
00 48 b8 00 00 00 00 00 fc ff df 4d 8b 64 24 10 49
RSP: 0018:ffff8801b4af71c0 EFLAGS: 00000246
RAX: dffffc0000000000 RBX: ffff8801bac71600 RCX: ffffffff821e4a52
RDX: 1ffff1003758e2c2 RSI: ffffffff821e493b RDI: ffff8801bac71610
RBP: ffff8801b4af7270 R08: ffff8801c3056180 R09: 1ffffffff1273955
R10: ffffed003b5e4732 R11: ffff8801daf23993 R12: ffff8801bac71600
R13: 00000000cbb0eca5 R14: ffff8801b0f34530 R15: ffff8801b4af73e0
FS: 00000000008c3880(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffff600400 CR3: 00000001c59e4000 CR4: 00000000001406e0
Call Trace:
move_extent_per_page fs/ext4/move_extent.c:323 [inline]
ext4_move_extents+0x2784/0x3c20 fs/ext4/move_extent.c:669
ext4_ioctl+0x3154/0x4210 fs/ext4/ioctl.c:799
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:501 [inline]
do_vfs_ioctl+0x1de/0x1720 fs/ioctl.c:685
ksys_ioctl+0xa9/0xd0 fs/ioctl.c:702
__do_sys_ioctl fs/ioctl.c:709 [inline]
__se_sys_ioctl fs/ioctl.c:707 [inline]
__x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:707
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x440ef9
Code: e8 ac e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 0b 0a fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffd82484778 EFLAGS: 00000217 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440ef9
RDX: 0000000020000040 RSI: 00000000c028660f RDI: 0000000000000003
RBP: 0000000000000000 R08: 00000000004002c8 R09: 00000000004002c8
R10: 00000000004002c8 R11: 0000000000000217 R12: 0000000000401d90
R13: 0000000000401e20 R14: 0000000000000000 R15: 0000000000000000
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
Theodore Y. Ts'o
Oct 2, 2018, 1:35:59 AM10/2/18
to syzbot, adilger...@dilger.ca, linux...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
This is fixed with the following patch.
- Ted
From c4a928ee604e31354c969b461aa9a6171825096a Mon Sep 17 00:00:00 2001
From: Theodore Ts'o <ty...@mit.edu>
Date: Tue, 2 Oct 2018 01:34:44 -0400
Subject: [PATCH] ext4: fix argument checking in EXT4_IOC_MOVE_EXT
If the starting block number of either the source or destination file
exceeds the EOF, EXT4_IOC_MOVE_EXT should return EINVAL.
Also fixed the helper function mext_check_coverage() so that if the
logical block is beyond EOF, make it return immediately, instead of
looping until the block number wraps all the away around. This takes
long enough that if there are multiple threads trying to do pound on
an the same inode doing non-sensical things, it can end up triggering
the kernel's soft lockup detector.
Reported-by: syzbot+c61979...@syzkaller.appspotmail.com
Signed-off-by: Theodore Ts'o <ty...@mit.edu>
---
fs/ext4/move_extent.c | 16 +++++++++++-----
1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/fs/ext4/move_extent.c b/fs/ext4/move_extent.c
index a409ff70d67b..4901e389f847 100644
--- a/fs/ext4/move_extent.c
+++ b/fs/ext4/move_extent.c
@@ -92,16 +92,18 @@ mext_check_coverage(struct inode *inode, ext4_lblk_t from, ext4_lblk_t count,
{
struct ext4_ext_path *path = NULL;
struct ext4_extent *ext;
- int ret = 0;
+ int len, ret = 0;
ext4_lblk_t last = from + count;
while (from < last) {
*err = get_ext_path(inode, from, &path);
if (*err)
goto out;
ext = path[ext_depth(inode)].p_ext;
- if (unwritten != ext4_ext_is_unwritten(ext))
+ len = ext4_ext_get_actual_len(ext);
+ if ((ext->ee_block < from) ||
+ (unwritten != ext4_ext_is_unwritten(ext)))
goto out;
- from += ext4_ext_get_actual_len(ext);
+ from = ext->ee_block + len;
ext4_ext_drop_refs(path);
}
ret = 1;
@@ -516,9 +518,13 @@ mext_check_arguments(struct inode *orig_inode,
orig_inode->i_ino, donor_inode->i_ino);
return -EINVAL;
}
- if (orig_eof < orig_start + *len - 1)
+ if (orig_eof <= orig_start)
+ *len = 0;
+ else if (orig_eof < orig_start + *len - 1)
*len = orig_eof - orig_start;
- if (donor_eof < donor_start + *len - 1)
+ if (donor_eof <= donor_start)
+ *len = 0;
+ else if (donor_eof < donor_start + *len - 1)
*len = donor_eof - donor_start;
if (!*len) {
ext4_debug("ext4 move extent: len should not be 0 "
--
2.18.0.rc0
- Ted
From c4a928ee604e31354c969b461aa9a6171825096a Mon Sep 17 00:00:00 2001
From: Theodore Ts'o <ty...@mit.edu>
Date: Tue, 2 Oct 2018 01:34:44 -0400
Subject: [PATCH] ext4: fix argument checking in EXT4_IOC_MOVE_EXT
If the starting block number of either the source or destination file
exceeds the EOF, EXT4_IOC_MOVE_EXT should return EINVAL.
Also fixed the helper function mext_check_coverage() so that if the
logical block is beyond EOF, make it return immediately, instead of
looping until the block number wraps all the away around. This takes
long enough that if there are multiple threads trying to do pound on
an the same inode doing non-sensical things, it can end up triggering
the kernel's soft lockup detector.
Reported-by: syzbot+c61979...@syzkaller.appspotmail.com
Signed-off-by: Theodore Ts'o <ty...@mit.edu>
---
fs/ext4/move_extent.c | 16 +++++++++++-----
1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/fs/ext4/move_extent.c b/fs/ext4/move_extent.c
index a409ff70d67b..4901e389f847 100644
--- a/fs/ext4/move_extent.c
+++ b/fs/ext4/move_extent.c
@@ -92,16 +92,18 @@ mext_check_coverage(struct inode *inode, ext4_lblk_t from, ext4_lblk_t count,
{
struct ext4_ext_path *path = NULL;
struct ext4_extent *ext;
- int ret = 0;
+ int len, ret = 0;
ext4_lblk_t last = from + count;
while (from < last) {
*err = get_ext_path(inode, from, &path);
if (*err)
goto out;
ext = path[ext_depth(inode)].p_ext;
- if (unwritten != ext4_ext_is_unwritten(ext))
+ len = ext4_ext_get_actual_len(ext);
+ if ((ext->ee_block < from) ||
+ (unwritten != ext4_ext_is_unwritten(ext)))
goto out;
- from += ext4_ext_get_actual_len(ext);
+ from = ext->ee_block + len;
ext4_ext_drop_refs(path);
}
ret = 1;
@@ -516,9 +518,13 @@ mext_check_arguments(struct inode *orig_inode,
orig_inode->i_ino, donor_inode->i_ino);
return -EINVAL;
}
- if (orig_eof < orig_start + *len - 1)
+ if (orig_eof <= orig_start)
+ *len = 0;
+ else if (orig_eof < orig_start + *len - 1)
*len = orig_eof - orig_start;
- if (donor_eof < donor_start + *len - 1)
+ if (donor_eof <= donor_start)
+ *len = 0;
+ else if (donor_eof < donor_start + *len - 1)
*len = donor_eof - donor_start;
if (!*len) {
ext4_debug("ext4 move extent: len should not be 0 "
--
2.18.0.rc0
Reply all
Reply to author
Forward
0 new messages