INFO: task hung in locks_remove_posix
31 views
Skip to first unread message
syzbot
May 20, 2020, 4:53:17 PM5/20/20
to andre...@google.com, bfi...@fieldses.org, jla...@kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, syzkall...@googlegroups.com, vi...@zeniv.linux.org.uk
Hello,
syzbot found the following crash on:
HEAD commit: 806d8acc USB: dummy-hcd: use configurable endpoint naming ..
git tree: https://github.com/google/kasan.git usb-fuzzer
console output: https://syzkaller.appspot.com/x/log.txt?x=16c9ece2100000
kernel config: https://syzkaller.appspot.com/x/.config?x=d800e9bad158025f
dashboard link: https://syzkaller.appspot.com/bug?extid=f5bc30abd8916982419c
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+f5bc30...@syzkaller.appspotmail.com
INFO: task syz-executor.2:3145 blocked for more than 143 seconds.
Not tainted 5.7.0-rc5-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor.2 D28552 3145 370 0x80004006
Call Trace:
context_switch kernel/sched/core.c:3367 [inline]
__schedule+0x892/0x1d80 kernel/sched/core.c:4083
locks_remove_posix+0x277/0x4e0 fs/locks.c:2706
__sched_text_start+0x8/0x8
spin_unlock_irqrestore include/linux/spinlock.h:408 [inline]
prepare_to_wait_event+0x129/0x650 kernel/sched/wait.c:305
schedule+0xcd/0x2b0 kernel/sched/core.c:4158
wdm_flush+0x2ea/0x3c0 drivers/usb/class/cdc-wdm.c:590
wdm_poll+0x280/0x280 include/linux/poll.h:50
wait_for_completion+0x280/0x280
finish_wait+0x260/0x260 include/linux/list.h:301
task_work_add+0x97/0x120 kernel/task_work.c:35
wdm_poll+0x280/0x280 include/linux/poll.h:50
filp_close+0xb4/0x170 fs/open.c:1251
close_files fs/file.c:388 [inline]
put_files_struct fs/file.c:416 [inline]
put_files_struct+0x1d8/0x2e0 fs/file.c:413
exit_files+0x7e/0xa0 fs/file.c:445
do_exit+0xb36/0x2c80 kernel/exit.c:791
find_held_lock+0x2d/0x110 kernel/locking/lockdep.c:4458
mm_update_next_owner+0x7a0/0x7a0 kernel/exit.c:375
lock_downgrade+0x720/0x720 kernel/locking/lockdep.c:4599
do_group_exit+0x125/0x340 kernel/exit.c:894
get_signal+0x480/0x2480 kernel/signal.c:2739
schedule_timeout_idle+0x80/0x80 kernel/time/timer.c:1942
do_signal+0x88/0x1ae0 arch/x86/kernel/signal.c:784
free_object+0x5/0x70 lib/debugobjects.c:429
destroy_hrtimer_on_stack kernel/time/hrtimer.c:453 [inline]
hrtimer_nanosleep+0x211/0x3a0 kernel/time/hrtimer.c:1947
nanosleep_copyout+0x100/0x100 kernel/time/hrtimer.c:1861
force_valid_ss arch/x86/kernel/signal.c:73 [inline]
restore_sigcontext+0x620/0x620 arch/x86/kernel/signal.c:134
hrtimer_init_sleeper_on_stack+0x90/0x90 kernel/time/hrtimer.c:1833
put_old_itimerspec32+0x1d0/0x1d0 kernel/time/time.c:908
__do_sys_clock_gettime kernel/time/posix-timers.c:1094 [inline]
__se_sys_clock_gettime kernel/time/posix-timers.c:1082 [inline]
__x64_sys_clock_gettime+0x154/0x240 kernel/time/posix-timers.c:1082
__do_sys_nanosleep kernel/time/hrtimer.c:1962 [inline]
__se_sys_nanosleep kernel/time/hrtimer.c:1953 [inline]
__x64_sys_nanosleep+0x1ed/0x260 kernel/time/hrtimer.c:1953
hrtimer_nanosleep+0x3a0/0x3a0 kernel/time/hrtimer.c:1943
exit_to_usermode_loop+0x1a2/0x200 arch/x86/entry/common.c:161
prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
syscall_return_slowpath arch/x86/entry/common.c:279 [inline]
do_syscall_64+0x4e0/0x5a0 arch/x86/entry/common.c:305
entry_SYSCALL_64_after_hwframe+0x49/0xb3
trace_hardirqs_off_caller+0x2b/0x200 kernel/trace/trace_preemptirq.c:67
Showing all locks held in the system:
1 lock held by khungtaskd/23:
#0: ffffffff87111260 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x53/0x264 kernel/locking/lockdep.c:5754
1 lock held by in:imklog/267:
#0: ffff8881d976d9f0 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0xe9/0x100 fs/file.c:826
=============================================
NMI backtrace for cpu 0
CPU: 0 PID: 23 Comm: khungtaskd Not tainted 5.7.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xef/0x16e lib/dump_stack.c:118
irq_force_complete_move.cold+0x13/0x47 arch/x86/kernel/apic/vector.c:1023
nmi_cpu_backtrace.cold+0x70/0xb1 lib/nmi_backtrace.c:101
lapic_can_unplug_cpu.cold+0x3b/0x3b
nmi_trigger_cpumask_backtrace+0x1db/0x207 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:146 [inline]
check_hung_uninterruptible_tasks kernel/hung_task.c:205 [inline]
watchdog+0xa99/0xfd0 kernel/hung_task.c:289
reset_hung_task_detector+0x30/0x30 kernel/hung_task.c:243
kthread+0x326/0x430 kernel/kthread.c:268
kthread_create_on_node+0xf0/0xf0 kernel/kthread.c:405
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:351
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1 skipped: idling at native_safe_halt arch/x86/include/asm/irqflags.h:60 [inline]
NMI backtrace for cpu 1 skipped: idling at arch_safe_halt arch/x86/include/asm/irqflags.h:103 [inline]
NMI backtrace for cpu 1 skipped: idling at default_idle+0x28/0x300 arch/x86/kernel/process.c:697
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following crash on:
HEAD commit: 806d8acc USB: dummy-hcd: use configurable endpoint naming ..
git tree: https://github.com/google/kasan.git usb-fuzzer
console output: https://syzkaller.appspot.com/x/log.txt?x=16c9ece2100000
kernel config: https://syzkaller.appspot.com/x/.config?x=d800e9bad158025f
dashboard link: https://syzkaller.appspot.com/bug?extid=f5bc30abd8916982419c
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+f5bc30...@syzkaller.appspotmail.com
INFO: task syz-executor.2:3145 blocked for more than 143 seconds.
Not tainted 5.7.0-rc5-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor.2 D28552 3145 370 0x80004006
Call Trace:
context_switch kernel/sched/core.c:3367 [inline]
__schedule+0x892/0x1d80 kernel/sched/core.c:4083
locks_remove_posix+0x277/0x4e0 fs/locks.c:2706
__sched_text_start+0x8/0x8
spin_unlock_irqrestore include/linux/spinlock.h:408 [inline]
prepare_to_wait_event+0x129/0x650 kernel/sched/wait.c:305
schedule+0xcd/0x2b0 kernel/sched/core.c:4158
wdm_flush+0x2ea/0x3c0 drivers/usb/class/cdc-wdm.c:590
wdm_poll+0x280/0x280 include/linux/poll.h:50
wait_for_completion+0x280/0x280
finish_wait+0x260/0x260 include/linux/list.h:301
task_work_add+0x97/0x120 kernel/task_work.c:35
wdm_poll+0x280/0x280 include/linux/poll.h:50
filp_close+0xb4/0x170 fs/open.c:1251
close_files fs/file.c:388 [inline]
put_files_struct fs/file.c:416 [inline]
put_files_struct+0x1d8/0x2e0 fs/file.c:413
exit_files+0x7e/0xa0 fs/file.c:445
do_exit+0xb36/0x2c80 kernel/exit.c:791
find_held_lock+0x2d/0x110 kernel/locking/lockdep.c:4458
mm_update_next_owner+0x7a0/0x7a0 kernel/exit.c:375
lock_downgrade+0x720/0x720 kernel/locking/lockdep.c:4599
do_group_exit+0x125/0x340 kernel/exit.c:894
get_signal+0x480/0x2480 kernel/signal.c:2739
schedule_timeout_idle+0x80/0x80 kernel/time/timer.c:1942
do_signal+0x88/0x1ae0 arch/x86/kernel/signal.c:784
free_object+0x5/0x70 lib/debugobjects.c:429
destroy_hrtimer_on_stack kernel/time/hrtimer.c:453 [inline]
hrtimer_nanosleep+0x211/0x3a0 kernel/time/hrtimer.c:1947
nanosleep_copyout+0x100/0x100 kernel/time/hrtimer.c:1861
force_valid_ss arch/x86/kernel/signal.c:73 [inline]
restore_sigcontext+0x620/0x620 arch/x86/kernel/signal.c:134
hrtimer_init_sleeper_on_stack+0x90/0x90 kernel/time/hrtimer.c:1833
put_old_itimerspec32+0x1d0/0x1d0 kernel/time/time.c:908
__do_sys_clock_gettime kernel/time/posix-timers.c:1094 [inline]
__se_sys_clock_gettime kernel/time/posix-timers.c:1082 [inline]
__x64_sys_clock_gettime+0x154/0x240 kernel/time/posix-timers.c:1082
__do_sys_nanosleep kernel/time/hrtimer.c:1962 [inline]
__se_sys_nanosleep kernel/time/hrtimer.c:1953 [inline]
__x64_sys_nanosleep+0x1ed/0x260 kernel/time/hrtimer.c:1953
hrtimer_nanosleep+0x3a0/0x3a0 kernel/time/hrtimer.c:1943
exit_to_usermode_loop+0x1a2/0x200 arch/x86/entry/common.c:161
prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
syscall_return_slowpath arch/x86/entry/common.c:279 [inline]
do_syscall_64+0x4e0/0x5a0 arch/x86/entry/common.c:305
entry_SYSCALL_64_after_hwframe+0x49/0xb3
trace_hardirqs_off_caller+0x2b/0x200 kernel/trace/trace_preemptirq.c:67
Showing all locks held in the system:
1 lock held by khungtaskd/23:
#0: ffffffff87111260 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x53/0x264 kernel/locking/lockdep.c:5754
1 lock held by in:imklog/267:
#0: ffff8881d976d9f0 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0xe9/0x100 fs/file.c:826
=============================================
NMI backtrace for cpu 0
CPU: 0 PID: 23 Comm: khungtaskd Not tainted 5.7.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xef/0x16e lib/dump_stack.c:118
irq_force_complete_move.cold+0x13/0x47 arch/x86/kernel/apic/vector.c:1023
nmi_cpu_backtrace.cold+0x70/0xb1 lib/nmi_backtrace.c:101
lapic_can_unplug_cpu.cold+0x3b/0x3b
nmi_trigger_cpumask_backtrace+0x1db/0x207 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:146 [inline]
check_hung_uninterruptible_tasks kernel/hung_task.c:205 [inline]
watchdog+0xa99/0xfd0 kernel/hung_task.c:289
reset_hung_task_detector+0x30/0x30 kernel/hung_task.c:243
kthread+0x326/0x430 kernel/kthread.c:268
kthread_create_on_node+0xf0/0xf0 kernel/kthread.c:405
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:351
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1 skipped: idling at native_safe_halt arch/x86/include/asm/irqflags.h:60 [inline]
NMI backtrace for cpu 1 skipped: idling at arch_safe_halt arch/x86/include/asm/irqflags.h:103 [inline]
NMI backtrace for cpu 1 skipped: idling at default_idle+0x28/0x300 arch/x86/kernel/process.c:697
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
Tetsuo Handa
May 21, 2020, 10:09:48 AM5/21/20
to syzbot, syzkall...@googlegroups.com, linux-...@vger.kernel.org
On 2020/05/21 5:53, syzbot wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: 806d8acc USB: dummy-hcd: use configurable endpoint naming ..
> git tree: https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=16c9ece2100000
> kernel config: https://syzkaller.appspot.com/x/.config?x=d800e9bad158025f
> dashboard link: https://syzkaller.appspot.com/bug?extid=f5bc30abd8916982419c
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
>
> Unfortunately, I don't have any reproducer for this crash yet.
This seems to be a mislabeling due to '?' in all lines in a trace.
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: 806d8acc USB: dummy-hcd: use configurable endpoint naming ..
> git tree: https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=16c9ece2100000
> kernel config: https://syzkaller.appspot.com/x/.config?x=d800e9bad158025f
> dashboard link: https://syzkaller.appspot.com/bug?extid=f5bc30abd8916982419c
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
>
> Unfortunately, I don't have any reproducer for this crash yet.
#syz dup: INFO: task hung in wdm_flush
Dmitry Vyukov
May 21, 2020, 10:21:19 AM5/21/20
to Tetsuo Handa, syzbot, syzkaller-bugs, LKML
may be the action item here, otherwise we will get an infinite number
of such reports.
Jeff Layton
May 21, 2020, 10:48:14 AM5/21/20
to Tetsuo Handa, syzbot, syzkall...@googlegroups.com, linux-...@vger.kernel.org
characters in front of every frame. Doesn't that mean that that address
it found on the stack is unreliable?
In principle, unless you're overriding the filp->lock operation (and the
wdm fs doesn't do that, afaict), locks_remove_posix should not block.
I'll also note that there is some of this in the logs before the hung
task warnings:
[ 182.020388][ T12] usb 5-1: too many endpoints for config 0 interface 107 altsetting 116: 116, using maximum allowed: 30
[ 182.031661][ T12] usb 5-1: config 0 interface 107 altsetting 116 has 0 endpoint descriptors, different from the interface descriptor's value: 116
[ 182.045145][ T12] usb 5-1: config 0 interface 107 has no altsetting 0
[ 182.052028][ T12] usb 5-1: New USB device found, idVendor=0926, idProduct=3333, bcdDevice= 0.40
[ 182.060120][ T3525] usb 6-1: USB disconnect, device number 20
[ 182.061148][ C0] xpad 6-1:0.65: xpad_irq_out - usb_submit_urb failed with result -19
[ 182.075465][ T3525] xpad 6-1:0.65: xpad_try_sending_next_out_packet - usb_submit_urb failed with result -19
[ 182.075565][ T12] usb 5-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 182.109020][ T12] usb 5-1: config 0 descriptor??
[ 182.136857][ T163] usb usb2-port1: attempt power cycle
[ 182.410396][ T4447] udc-core: couldn't find an available UDC or it's busy
[ 182.417562][ T4447] misc raw-gadget: fail, usb_gadget_probe_driver returned -16
[ 182.856513][ T163] usb 2-1: new high-speed USB device number 18 using dummy_hcd
[ 183.026601][ T163] usb 2-1: device descriptor read/8, error -61
[ 183.236577][ T163] usb 2-1: device descriptor read/8, error -71
[ 184.068991][ T3525] usb 5-1: USB disconnect, device number 21
[ 206.185571][ T23] INFO: task syz-executor.2:3145 blocked for more than 143 seconds.
[ 206.193630][ T23] Not tainted 5.7.0-rc5-syzkaller #0
[ 206.199512][ T23] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[ 206.208242][ T23] syz-executor.2 D28552 3145 370 0x80004006
...which leads me to believe that this might have more to do with the
USB subsystem than anything in the posix locking code.
In any case, I doubt there's much we can do here without a more reliable
stack trace to work from. That call stack doesn't seem to make much
sense.
--
Jeff Layton <jla...@kernel.org>
Andrey Konovalov
May 21, 2020, 12:27:44 PM5/21/20
to Jeff Layton, Tetsuo Handa, syzbot, syzkaller-bugs, LKML
https://syzkaller.appspot.com/bug?id=e7b761593b23eb50855b9ea31e3be5472b711186
(with more than 30000 crashes now :)
Hillf Danton
May 21, 2020, 10:57:53 PM5/21/20
to syzbot, andre...@google.com, bfi...@fieldses.org, jla...@kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, syzkall...@googlegroups.com, vi...@zeniv.linux.org.uk
Wed, 20 May 2020 13:53:15 -0700
WDM_IN_USE flag to go.
--- a/drivers/usb/class/cdc-wdm.c
+++ b/drivers/usb/class/cdc-wdm.c
@@ -424,6 +424,7 @@ static ssize_t wdm_write
if (rv < 0) {
desc->outbuf = NULL;
clear_bit(WDM_IN_USE, &desc->flags);
+ wake_up(&desc->wait);
dev_err(&desc->intf->dev, "Tx URB error: %d\n", rv);
rv = usb_translate_errors(rv);
goto out_free_mem_pm;
Tetsuo Handa
May 24, 2020, 8:13:46 PM5/24/20
to syzbot, syzkaller-bugs
#syz undup
Tetsuo Handa
May 24, 2020, 8:14:07 PM5/24/20
to syzbot, syzkaller-bugs
#syz fix: x86/unwind/orc: Fix unwind_get_return_address_ptr() for inactive tasks
syzbot
May 24, 2020, 8:14:17 PM5/24/20
to andre...@google.com, bfi...@fieldses.org, dvy...@google.com, hda...@sina.com, jla...@kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, penguin...@i-love.sakura.ne.jp, penguin...@i-love.sakura.ne.jp, syzkall...@googlegroups.com, vi...@zeniv.linux.org.uk
syzbot has found a reproducer for the following crash on:
HEAD commit: 806d8acc USB: dummy-hcd: use configurable endpoint naming ..
git tree: https://github.com/google/kasan.git usb-fuzzer
console output: https://syzkaller.appspot.com/x/log.txt?x=1109c09a100000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+f5bc30...@syzkaller.appspotmail.com
INFO: task syz-executor.1:3125 blocked for more than 143 seconds.
_raw_spin_unlock_irqrestore+0x39/0x40 kernel/locking/spinlock.c:191
lock_is_held include/linux/lockdep.h:406 [inline]
rcu_read_lock_sched_held+0x9c/0xd0 kernel/rcu/update.c:121
rcu_read_lock_bh_held+0xb0/0xb0 kernel/rcu/update.c:333
do_signal+0x88/0x1ae0 arch/x86/kernel/signal.c:784
putname+0xe1/0x120 fs/namei.c:259
do_sys_openat2+0x46c/0x7d0 fs/open.c:1158
put_timespec64+0xcb/0x120 kernel/time/time.c:812
ns_to_kernel_old_timeval+0x100/0x100 kernel/time/time.c:521
do_sys_open+0xc3/0x140 fs/open.c:1164
filp_open+0x70/0x70 fs/open.c:1117
_raw_spin_unlock_irqrestore+0x39/0x40 kernel/locking/spinlock.c:191
_raw_spin_unlock_irqrestore+0x39/0x40 kernel/locking/spinlock.c:191
do_signal+0x88/0x1ae0 arch/x86/kernel/signal.c:784
__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline]
_raw_spin_unlock_irqrestore+0x39/0x40 kernel/locking/spinlock.c:191
__trace_hardirqs_on_caller kernel/locking/lockdep.c:3657 [inline]
lockdep_hardirqs_on+0x3c7/0x5d0 kernel/locking/lockdep.c:3702
raw_ioctl+0x11f/0x2570 drivers/usb/gadget/legacy/raw_gadget.c:1261
ksys_dup3+0x3c0/0x3c0 include/linux/compiler.h:199
raw_open+0x4d0/0x4d0 include/linux/semaphore.h:34
down_read_nested+0x430/0x430 include/linux/compiler.h:199
_raw_spin_unlock_irqrestore+0x39/0x40 kernel/locking/spinlock.c:191
do_signal+0x88/0x1ae0 arch/x86/kernel/signal.c:784
__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline]
_raw_spin_unlock_irqrestore+0x39/0x40 kernel/locking/spinlock.c:191
__trace_hardirqs_on_caller kernel/locking/lockdep.c:3657 [inline]
lockdep_hardirqs_on+0x3c7/0x5d0 kernel/locking/lockdep.c:3702
raw_ioctl+0x11f/0x2570 drivers/usb/gadget/legacy/raw_gadget.c:1261
ksys_dup3+0x3c0/0x3c0 include/linux/compiler.h:199
raw_open+0x4d0/0x4d0 include/linux/semaphore.h:34
down_read_nested+0x430/0x430 include/linux/compiler.h:199
_raw_spin_unlock_irqrestore+0x39/0x40 kernel/locking/spinlock.c:191
do_signal+0x88/0x1ae0 arch/x86/kernel/signal.c:784
__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline]
_raw_spin_unlock_irqrestore+0x39/0x40 kernel/locking/spinlock.c:191
__trace_hardirqs_on_caller kernel/locking/lockdep.c:3657 [inline]
lockdep_hardirqs_on+0x3c7/0x5d0 kernel/locking/lockdep.c:3702
raw_ioctl+0x11f/0x2570 drivers/usb/gadget/legacy/raw_gadget.c:1261
ksys_dup3+0x3c0/0x3c0 include/linux/compiler.h:199
raw_open+0x4d0/0x4d0 include/linux/semaphore.h:34
down_read_nested+0x430/0x430 include/linux/compiler.h:199
#0: ffff8881c8468370 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0xe9/0x100 fs/file.c:826
#1: ffffffff8719fce0 (fs_reclaim){+.+.}-{0:0}, at: fs_reclaim_acquire.part.0+0x0/0x30 include/asm-generic/bitops/instrumented-atomic.h:30
=============================================
NMI backtrace for cpu 1
CPU: 1 PID: 23 Comm: khungtaskd Not tainted 5.7.0-rc5-syzkaller #0
NMI backtrace for cpu 0 skipped: idling at native_safe_halt arch/x86/include/asm/irqflags.h:60 [inline]
NMI backtrace for cpu 0 skipped: idling at arch_safe_halt arch/x86/include/asm/irqflags.h:103 [inline]
NMI backtrace for cpu 0 skipped: idling at default_idle+0x28/0x300 arch/x86/kernel/process.c:697
HEAD commit: 806d8acc USB: dummy-hcd: use configurable endpoint naming ..
git tree: https://github.com/google/kasan.git usb-fuzzer
kernel config: https://syzkaller.appspot.com/x/.config?x=d800e9bad158025f
dashboard link: https://syzkaller.appspot.com/bug?extid=f5bc30abd8916982419c
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=171ea49a100000
dashboard link: https://syzkaller.appspot.com/bug?extid=f5bc30abd8916982419c
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+f5bc30...@syzkaller.appspotmail.com
Not tainted 5.7.0-rc5-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor.1 D26504 3125 389 0x80004006
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
Call Trace:
context_switch kernel/sched/core.c:3367 [inline]
__schedule+0x892/0x1d80 kernel/sched/core.c:4083
locks_remove_posix+0x277/0x4e0 fs/locks.c:2706
__sched_text_start+0x8/0x8
spin_unlock_irqrestore include/linux/spinlock.h:408 [inline]
prepare_to_wait_event+0x129/0x650 kernel/sched/wait.c:305
__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline]
context_switch kernel/sched/core.c:3367 [inline]
__schedule+0x892/0x1d80 kernel/sched/core.c:4083
locks_remove_posix+0x277/0x4e0 fs/locks.c:2706
__sched_text_start+0x8/0x8
spin_unlock_irqrestore include/linux/spinlock.h:408 [inline]
prepare_to_wait_event+0x129/0x650 kernel/sched/wait.c:305
_raw_spin_unlock_irqrestore+0x39/0x40 kernel/locking/spinlock.c:191
schedule+0xcd/0x2b0 kernel/sched/core.c:4158
wdm_flush+0x2ea/0x3c0 drivers/usb/class/cdc-wdm.c:590
wdm_poll+0x280/0x280 include/linux/poll.h:50
wdm_flush+0x2ea/0x3c0 drivers/usb/class/cdc-wdm.c:590
wdm_poll+0x280/0x280 include/linux/poll.h:50
finish_wait+0x260/0x260 include/linux/list.h:301
task_work_add+0x97/0x120 kernel/task_work.c:35
wdm_poll+0x280/0x280 include/linux/poll.h:50
filp_close+0xb4/0x170 fs/open.c:1251
close_files fs/file.c:388 [inline]
put_files_struct fs/file.c:416 [inline]
put_files_struct+0x1d8/0x2e0 fs/file.c:413
exit_files+0x7e/0xa0 fs/file.c:445
do_exit+0xb36/0x2c80 kernel/exit.c:791
find_held_lock+0x2d/0x110 kernel/locking/lockdep.c:4458
mm_update_next_owner+0x7a0/0x7a0 kernel/exit.c:375
lock_downgrade+0x720/0x720 kernel/locking/lockdep.c:4599
do_group_exit+0x125/0x340 kernel/exit.c:894
get_signal+0x480/0x2480 kernel/signal.c:2739
putname+0xe1/0x120 fs/namei.c:259
task_work_add+0x97/0x120 kernel/task_work.c:35
wdm_poll+0x280/0x280 include/linux/poll.h:50
filp_close+0xb4/0x170 fs/open.c:1251
close_files fs/file.c:388 [inline]
put_files_struct fs/file.c:416 [inline]
put_files_struct+0x1d8/0x2e0 fs/file.c:413
exit_files+0x7e/0xa0 fs/file.c:445
do_exit+0xb36/0x2c80 kernel/exit.c:791
find_held_lock+0x2d/0x110 kernel/locking/lockdep.c:4458
mm_update_next_owner+0x7a0/0x7a0 kernel/exit.c:375
lock_downgrade+0x720/0x720 kernel/locking/lockdep.c:4599
do_group_exit+0x125/0x340 kernel/exit.c:894
get_signal+0x480/0x2480 kernel/signal.c:2739
lock_is_held include/linux/lockdep.h:406 [inline]
rcu_read_lock_sched_held+0x9c/0xd0 kernel/rcu/update.c:121
rcu_read_lock_bh_held+0xb0/0xb0 kernel/rcu/update.c:333
do_signal+0x88/0x1ae0 arch/x86/kernel/signal.c:784
putname+0xe1/0x120 fs/namei.c:259
do_sys_openat2+0x46c/0x7d0 fs/open.c:1158
force_valid_ss arch/x86/kernel/signal.c:73 [inline]
restore_sigcontext+0x620/0x620 arch/x86/kernel/signal.c:134
_copy_to_user+0x126/0x160 lib/usercopy.c:31
restore_sigcontext+0x620/0x620 arch/x86/kernel/signal.c:134
put_timespec64+0xcb/0x120 kernel/time/time.c:812
ns_to_kernel_old_timeval+0x100/0x100 kernel/time/time.c:521
do_sys_open+0xc3/0x140 fs/open.c:1164
filp_open+0x70/0x70 fs/open.c:1117
exit_to_usermode_loop+0x1a2/0x200 arch/x86/entry/common.c:161
prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
syscall_return_slowpath arch/x86/entry/common.c:279 [inline]
do_syscall_64+0x4e0/0x5a0 arch/x86/entry/common.c:305
entry_SYSCALL_64_after_hwframe+0x49/0xb3
INFO: task syz-executor.2:3132 blocked for more than 143 seconds.
prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
syscall_return_slowpath arch/x86/entry/common.c:279 [inline]
do_syscall_64+0x4e0/0x5a0 arch/x86/entry/common.c:305
entry_SYSCALL_64_after_hwframe+0x49/0xb3
Not tainted 5.7.0-rc5-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor.2 D28552 3132 380 0x80004006
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
Call Trace:
context_switch kernel/sched/core.c:3367 [inline]
__schedule+0x892/0x1d80 kernel/sched/core.c:4083
locks_remove_posix+0x277/0x4e0 fs/locks.c:2706
__sched_text_start+0x8/0x8
spin_unlock_irqrestore include/linux/spinlock.h:408 [inline]
prepare_to_wait_event+0x129/0x650 kernel/sched/wait.c:305
__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline]
context_switch kernel/sched/core.c:3367 [inline]
__schedule+0x892/0x1d80 kernel/sched/core.c:4083
locks_remove_posix+0x277/0x4e0 fs/locks.c:2706
__sched_text_start+0x8/0x8
spin_unlock_irqrestore include/linux/spinlock.h:408 [inline]
prepare_to_wait_event+0x129/0x650 kernel/sched/wait.c:305
_raw_spin_unlock_irqrestore+0x39/0x40 kernel/locking/spinlock.c:191
schedule+0xcd/0x2b0 kernel/sched/core.c:4158
wdm_flush+0x2ea/0x3c0 drivers/usb/class/cdc-wdm.c:590
wdm_poll+0x280/0x280 include/linux/poll.h:50
wdm_flush+0x2ea/0x3c0 drivers/usb/class/cdc-wdm.c:590
wdm_poll+0x280/0x280 include/linux/poll.h:50
finish_wait+0x260/0x260 include/linux/list.h:301
task_work_add+0x97/0x120 kernel/task_work.c:35
wdm_poll+0x280/0x280 include/linux/poll.h:50
filp_close+0xb4/0x170 fs/open.c:1251
close_files fs/file.c:388 [inline]
put_files_struct fs/file.c:416 [inline]
put_files_struct+0x1d8/0x2e0 fs/file.c:413
exit_files+0x7e/0xa0 fs/file.c:445
do_exit+0xb36/0x2c80 kernel/exit.c:791
find_held_lock+0x2d/0x110 kernel/locking/lockdep.c:4458
mm_update_next_owner+0x7a0/0x7a0 kernel/exit.c:375
lock_downgrade+0x720/0x720 kernel/locking/lockdep.c:4599
do_group_exit+0x125/0x340 kernel/exit.c:894
get_signal+0x480/0x2480 kernel/signal.c:2739
schedule_timeout_idle+0x80/0x80 kernel/time/timer.c:1942
do_signal+0x88/0x1ae0 arch/x86/kernel/signal.c:784
free_object+0x5/0x70 lib/debugobjects.c:429
destroy_hrtimer_on_stack kernel/time/hrtimer.c:453 [inline]
hrtimer_nanosleep+0x211/0x3a0 kernel/time/hrtimer.c:1947
nanosleep_copyout+0x100/0x100 kernel/time/hrtimer.c:1861
force_valid_ss arch/x86/kernel/signal.c:73 [inline]
restore_sigcontext+0x620/0x620 arch/x86/kernel/signal.c:134
hrtimer_init_sleeper_on_stack+0x90/0x90 kernel/time/hrtimer.c:1833
put_old_itimerspec32+0x1d0/0x1d0 kernel/time/time.c:908
task_work_add+0x97/0x120 kernel/task_work.c:35
wdm_poll+0x280/0x280 include/linux/poll.h:50
filp_close+0xb4/0x170 fs/open.c:1251
close_files fs/file.c:388 [inline]
put_files_struct fs/file.c:416 [inline]
put_files_struct+0x1d8/0x2e0 fs/file.c:413
exit_files+0x7e/0xa0 fs/file.c:445
do_exit+0xb36/0x2c80 kernel/exit.c:791
find_held_lock+0x2d/0x110 kernel/locking/lockdep.c:4458
mm_update_next_owner+0x7a0/0x7a0 kernel/exit.c:375
lock_downgrade+0x720/0x720 kernel/locking/lockdep.c:4599
do_group_exit+0x125/0x340 kernel/exit.c:894
get_signal+0x480/0x2480 kernel/signal.c:2739
schedule_timeout_idle+0x80/0x80 kernel/time/timer.c:1942
do_signal+0x88/0x1ae0 arch/x86/kernel/signal.c:784
free_object+0x5/0x70 lib/debugobjects.c:429
destroy_hrtimer_on_stack kernel/time/hrtimer.c:453 [inline]
hrtimer_nanosleep+0x211/0x3a0 kernel/time/hrtimer.c:1947
nanosleep_copyout+0x100/0x100 kernel/time/hrtimer.c:1861
force_valid_ss arch/x86/kernel/signal.c:73 [inline]
restore_sigcontext+0x620/0x620 arch/x86/kernel/signal.c:134
hrtimer_init_sleeper_on_stack+0x90/0x90 kernel/time/hrtimer.c:1833
put_old_itimerspec32+0x1d0/0x1d0 kernel/time/time.c:908
__do_sys_nanosleep kernel/time/hrtimer.c:1962 [inline]
__se_sys_nanosleep kernel/time/hrtimer.c:1953 [inline]
__x64_sys_nanosleep+0x1ed/0x260 kernel/time/hrtimer.c:1953
hrtimer_nanosleep+0x3a0/0x3a0 kernel/time/hrtimer.c:1943
exit_to_usermode_loop+0x1a2/0x200 arch/x86/entry/common.c:161
prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
syscall_return_slowpath arch/x86/entry/common.c:279 [inline]
do_syscall_64+0x4e0/0x5a0 arch/x86/entry/common.c:305
entry_SYSCALL_64_after_hwframe+0x49/0xb3
INFO: task syz-executor.3:3150 blocked for more than 143 seconds.
__se_sys_nanosleep kernel/time/hrtimer.c:1953 [inline]
__x64_sys_nanosleep+0x1ed/0x260 kernel/time/hrtimer.c:1953
hrtimer_nanosleep+0x3a0/0x3a0 kernel/time/hrtimer.c:1943
exit_to_usermode_loop+0x1a2/0x200 arch/x86/entry/common.c:161
prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
syscall_return_slowpath arch/x86/entry/common.c:279 [inline]
do_syscall_64+0x4e0/0x5a0 arch/x86/entry/common.c:305
entry_SYSCALL_64_after_hwframe+0x49/0xb3
Not tainted 5.7.0-rc5-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor.3 D29048 3150 386 0x80004006
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
Call Trace:
context_switch kernel/sched/core.c:3367 [inline]
__schedule+0x892/0x1d80 kernel/sched/core.c:4083
locks_remove_posix+0x277/0x4e0 fs/locks.c:2706
__sched_text_start+0x8/0x8
spin_unlock_irqrestore include/linux/spinlock.h:408 [inline]
prepare_to_wait_event+0x129/0x650 kernel/sched/wait.c:305
__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline]
context_switch kernel/sched/core.c:3367 [inline]
__schedule+0x892/0x1d80 kernel/sched/core.c:4083
locks_remove_posix+0x277/0x4e0 fs/locks.c:2706
__sched_text_start+0x8/0x8
spin_unlock_irqrestore include/linux/spinlock.h:408 [inline]
prepare_to_wait_event+0x129/0x650 kernel/sched/wait.c:305
_raw_spin_unlock_irqrestore+0x39/0x40 kernel/locking/spinlock.c:191
schedule+0xcd/0x2b0 kernel/sched/core.c:4158
wdm_flush+0x2ea/0x3c0 drivers/usb/class/cdc-wdm.c:590
wdm_poll+0x280/0x280 include/linux/poll.h:50
wdm_flush+0x2ea/0x3c0 drivers/usb/class/cdc-wdm.c:590
wdm_poll+0x280/0x280 include/linux/poll.h:50
finish_wait+0x260/0x260 include/linux/list.h:301
task_work_add+0x97/0x120 kernel/task_work.c:35
wdm_poll+0x280/0x280 include/linux/poll.h:50
filp_close+0xb4/0x170 fs/open.c:1251
close_files fs/file.c:388 [inline]
put_files_struct fs/file.c:416 [inline]
put_files_struct+0x1d8/0x2e0 fs/file.c:413
exit_files+0x7e/0xa0 fs/file.c:445
do_exit+0xb36/0x2c80 kernel/exit.c:791
find_held_lock+0x2d/0x110 kernel/locking/lockdep.c:4458
mm_update_next_owner+0x7a0/0x7a0 kernel/exit.c:375
lock_downgrade+0x720/0x720 kernel/locking/lockdep.c:4599
do_group_exit+0x125/0x340 kernel/exit.c:894
get_signal+0x480/0x2480 kernel/signal.c:2739
down_interruptible+0x4b/0x80 kernel/locking/semaphore.c:85
task_work_add+0x97/0x120 kernel/task_work.c:35
wdm_poll+0x280/0x280 include/linux/poll.h:50
filp_close+0xb4/0x170 fs/open.c:1251
close_files fs/file.c:388 [inline]
put_files_struct fs/file.c:416 [inline]
put_files_struct+0x1d8/0x2e0 fs/file.c:413
exit_files+0x7e/0xa0 fs/file.c:445
do_exit+0xb36/0x2c80 kernel/exit.c:791
find_held_lock+0x2d/0x110 kernel/locking/lockdep.c:4458
mm_update_next_owner+0x7a0/0x7a0 kernel/exit.c:375
lock_downgrade+0x720/0x720 kernel/locking/lockdep.c:4599
do_group_exit+0x125/0x340 kernel/exit.c:894
get_signal+0x480/0x2480 kernel/signal.c:2739
do_signal+0x88/0x1ae0 arch/x86/kernel/signal.c:784
__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline]
_raw_spin_unlock_irqrestore+0x39/0x40 kernel/locking/spinlock.c:191
__trace_hardirqs_on_caller kernel/locking/lockdep.c:3657 [inline]
lockdep_hardirqs_on+0x3c7/0x5d0 kernel/locking/lockdep.c:3702
force_valid_ss arch/x86/kernel/signal.c:73 [inline]
restore_sigcontext+0x620/0x620 arch/x86/kernel/signal.c:134
down_interruptible+0x4b/0x80 kernel/locking/semaphore.c:85
restore_sigcontext+0x620/0x620 arch/x86/kernel/signal.c:134
raw_ioctl+0x11f/0x2570 drivers/usb/gadget/legacy/raw_gadget.c:1261
ksys_dup3+0x3c0/0x3c0 include/linux/compiler.h:199
raw_open+0x4d0/0x4d0 include/linux/semaphore.h:34
down_read_nested+0x430/0x430 include/linux/compiler.h:199
exit_to_usermode_loop+0x1a2/0x200 arch/x86/entry/common.c:161
prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
syscall_return_slowpath arch/x86/entry/common.c:279 [inline]
do_syscall_64+0x4e0/0x5a0 arch/x86/entry/common.c:305
entry_SYSCALL_64_after_hwframe+0x49/0xb3
INFO: task syz-executor.4:3151 blocked for more than 143 seconds.
prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
syscall_return_slowpath arch/x86/entry/common.c:279 [inline]
do_syscall_64+0x4e0/0x5a0 arch/x86/entry/common.c:305
entry_SYSCALL_64_after_hwframe+0x49/0xb3
Not tainted 5.7.0-rc5-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor.4 D29048 3151 384 0x80004006
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
Call Trace:
context_switch kernel/sched/core.c:3367 [inline]
__schedule+0x892/0x1d80 kernel/sched/core.c:4083
locks_remove_posix+0x277/0x4e0 fs/locks.c:2706
__sched_text_start+0x8/0x8
spin_unlock_irqrestore include/linux/spinlock.h:408 [inline]
prepare_to_wait_event+0x129/0x650 kernel/sched/wait.c:305
__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline]
context_switch kernel/sched/core.c:3367 [inline]
__schedule+0x892/0x1d80 kernel/sched/core.c:4083
locks_remove_posix+0x277/0x4e0 fs/locks.c:2706
__sched_text_start+0x8/0x8
spin_unlock_irqrestore include/linux/spinlock.h:408 [inline]
prepare_to_wait_event+0x129/0x650 kernel/sched/wait.c:305
_raw_spin_unlock_irqrestore+0x39/0x40 kernel/locking/spinlock.c:191
schedule+0xcd/0x2b0 kernel/sched/core.c:4158
wdm_flush+0x2ea/0x3c0 drivers/usb/class/cdc-wdm.c:590
wdm_poll+0x280/0x280 include/linux/poll.h:50
wdm_flush+0x2ea/0x3c0 drivers/usb/class/cdc-wdm.c:590
wdm_poll+0x280/0x280 include/linux/poll.h:50
finish_wait+0x260/0x260 include/linux/list.h:301
task_work_add+0x97/0x120 kernel/task_work.c:35
wdm_poll+0x280/0x280 include/linux/poll.h:50
filp_close+0xb4/0x170 fs/open.c:1251
close_files fs/file.c:388 [inline]
put_files_struct fs/file.c:416 [inline]
put_files_struct+0x1d8/0x2e0 fs/file.c:413
exit_files+0x7e/0xa0 fs/file.c:445
do_exit+0xb36/0x2c80 kernel/exit.c:791
find_held_lock+0x2d/0x110 kernel/locking/lockdep.c:4458
mm_update_next_owner+0x7a0/0x7a0 kernel/exit.c:375
lock_downgrade+0x720/0x720 kernel/locking/lockdep.c:4599
do_group_exit+0x125/0x340 kernel/exit.c:894
get_signal+0x480/0x2480 kernel/signal.c:2739
down_interruptible+0x4b/0x80 kernel/locking/semaphore.c:85
task_work_add+0x97/0x120 kernel/task_work.c:35
wdm_poll+0x280/0x280 include/linux/poll.h:50
filp_close+0xb4/0x170 fs/open.c:1251
close_files fs/file.c:388 [inline]
put_files_struct fs/file.c:416 [inline]
put_files_struct+0x1d8/0x2e0 fs/file.c:413
exit_files+0x7e/0xa0 fs/file.c:445
do_exit+0xb36/0x2c80 kernel/exit.c:791
find_held_lock+0x2d/0x110 kernel/locking/lockdep.c:4458
mm_update_next_owner+0x7a0/0x7a0 kernel/exit.c:375
lock_downgrade+0x720/0x720 kernel/locking/lockdep.c:4599
do_group_exit+0x125/0x340 kernel/exit.c:894
get_signal+0x480/0x2480 kernel/signal.c:2739
do_signal+0x88/0x1ae0 arch/x86/kernel/signal.c:784
__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline]
_raw_spin_unlock_irqrestore+0x39/0x40 kernel/locking/spinlock.c:191
__trace_hardirqs_on_caller kernel/locking/lockdep.c:3657 [inline]
lockdep_hardirqs_on+0x3c7/0x5d0 kernel/locking/lockdep.c:3702
force_valid_ss arch/x86/kernel/signal.c:73 [inline]
restore_sigcontext+0x620/0x620 arch/x86/kernel/signal.c:134
down_interruptible+0x4b/0x80 kernel/locking/semaphore.c:85
restore_sigcontext+0x620/0x620 arch/x86/kernel/signal.c:134
raw_ioctl+0x11f/0x2570 drivers/usb/gadget/legacy/raw_gadget.c:1261
ksys_dup3+0x3c0/0x3c0 include/linux/compiler.h:199
raw_open+0x4d0/0x4d0 include/linux/semaphore.h:34
down_read_nested+0x430/0x430 include/linux/compiler.h:199
exit_to_usermode_loop+0x1a2/0x200 arch/x86/entry/common.c:161
prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
syscall_return_slowpath arch/x86/entry/common.c:279 [inline]
do_syscall_64+0x4e0/0x5a0 arch/x86/entry/common.c:305
entry_SYSCALL_64_after_hwframe+0x49/0xb3
INFO: task syz-executor.0:3152 blocked for more than 144 seconds.
prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
syscall_return_slowpath arch/x86/entry/common.c:279 [inline]
do_syscall_64+0x4e0/0x5a0 arch/x86/entry/common.c:305
entry_SYSCALL_64_after_hwframe+0x49/0xb3
Not tainted 5.7.0-rc5-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor.0 D29048 3152 383 0x80004006
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
Call Trace:
context_switch kernel/sched/core.c:3367 [inline]
__schedule+0x892/0x1d80 kernel/sched/core.c:4083
locks_remove_posix+0x277/0x4e0 fs/locks.c:2706
__sched_text_start+0x8/0x8
spin_unlock_irqrestore include/linux/spinlock.h:408 [inline]
prepare_to_wait_event+0x129/0x650 kernel/sched/wait.c:305
__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline]
context_switch kernel/sched/core.c:3367 [inline]
__schedule+0x892/0x1d80 kernel/sched/core.c:4083
locks_remove_posix+0x277/0x4e0 fs/locks.c:2706
__sched_text_start+0x8/0x8
spin_unlock_irqrestore include/linux/spinlock.h:408 [inline]
prepare_to_wait_event+0x129/0x650 kernel/sched/wait.c:305
_raw_spin_unlock_irqrestore+0x39/0x40 kernel/locking/spinlock.c:191
schedule+0xcd/0x2b0 kernel/sched/core.c:4158
wdm_flush+0x2ea/0x3c0 drivers/usb/class/cdc-wdm.c:590
wdm_poll+0x280/0x280 include/linux/poll.h:50
wdm_flush+0x2ea/0x3c0 drivers/usb/class/cdc-wdm.c:590
wdm_poll+0x280/0x280 include/linux/poll.h:50
finish_wait+0x260/0x260 include/linux/list.h:301
task_work_add+0x97/0x120 kernel/task_work.c:35
wdm_poll+0x280/0x280 include/linux/poll.h:50
filp_close+0xb4/0x170 fs/open.c:1251
close_files fs/file.c:388 [inline]
put_files_struct fs/file.c:416 [inline]
put_files_struct+0x1d8/0x2e0 fs/file.c:413
exit_files+0x7e/0xa0 fs/file.c:445
do_exit+0xb36/0x2c80 kernel/exit.c:791
find_held_lock+0x2d/0x110 kernel/locking/lockdep.c:4458
mm_update_next_owner+0x7a0/0x7a0 kernel/exit.c:375
lock_downgrade+0x720/0x720 kernel/locking/lockdep.c:4599
do_group_exit+0x125/0x340 kernel/exit.c:894
get_signal+0x480/0x2480 kernel/signal.c:2739
down_interruptible+0x4b/0x80 kernel/locking/semaphore.c:85
task_work_add+0x97/0x120 kernel/task_work.c:35
wdm_poll+0x280/0x280 include/linux/poll.h:50
filp_close+0xb4/0x170 fs/open.c:1251
close_files fs/file.c:388 [inline]
put_files_struct fs/file.c:416 [inline]
put_files_struct+0x1d8/0x2e0 fs/file.c:413
exit_files+0x7e/0xa0 fs/file.c:445
do_exit+0xb36/0x2c80 kernel/exit.c:791
find_held_lock+0x2d/0x110 kernel/locking/lockdep.c:4458
mm_update_next_owner+0x7a0/0x7a0 kernel/exit.c:375
lock_downgrade+0x720/0x720 kernel/locking/lockdep.c:4599
do_group_exit+0x125/0x340 kernel/exit.c:894
get_signal+0x480/0x2480 kernel/signal.c:2739
do_signal+0x88/0x1ae0 arch/x86/kernel/signal.c:784
__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline]
_raw_spin_unlock_irqrestore+0x39/0x40 kernel/locking/spinlock.c:191
__trace_hardirqs_on_caller kernel/locking/lockdep.c:3657 [inline]
lockdep_hardirqs_on+0x3c7/0x5d0 kernel/locking/lockdep.c:3702
force_valid_ss arch/x86/kernel/signal.c:73 [inline]
restore_sigcontext+0x620/0x620 arch/x86/kernel/signal.c:134
down_interruptible+0x4b/0x80 kernel/locking/semaphore.c:85
restore_sigcontext+0x620/0x620 arch/x86/kernel/signal.c:134
raw_ioctl+0x11f/0x2570 drivers/usb/gadget/legacy/raw_gadget.c:1261
ksys_dup3+0x3c0/0x3c0 include/linux/compiler.h:199
raw_open+0x4d0/0x4d0 include/linux/semaphore.h:34
down_read_nested+0x430/0x430 include/linux/compiler.h:199
exit_to_usermode_loop+0x1a2/0x200 arch/x86/entry/common.c:161
prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
syscall_return_slowpath arch/x86/entry/common.c:279 [inline]
do_syscall_64+0x4e0/0x5a0 arch/x86/entry/common.c:305
entry_SYSCALL_64_after_hwframe+0x49/0xb3
prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
syscall_return_slowpath arch/x86/entry/common.c:279 [inline]
do_syscall_64+0x4e0/0x5a0 arch/x86/entry/common.c:305
entry_SYSCALL_64_after_hwframe+0x49/0xb3
Showing all locks held in the system:
1 lock held by khungtaskd/23:
#0: ffffffff87111260 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x53/0x264 kernel/locking/lockdep.c:5754
2 locks held by in:imklog/271:
1 lock held by khungtaskd/23:
#0: ffffffff87111260 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x53/0x264 kernel/locking/lockdep.c:5754
#0: ffff8881c8468370 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0xe9/0x100 fs/file.c:826
#1: ffffffff8719fce0 (fs_reclaim){+.+.}-{0:0}, at: fs_reclaim_acquire.part.0+0x0/0x30 include/asm-generic/bitops/instrumented-atomic.h:30
=============================================
NMI backtrace for cpu 1
CPU: 1 PID: 23 Comm: khungtaskd Not tainted 5.7.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xef/0x16e lib/dump_stack.c:118
irq_force_complete_move.cold+0x13/0x47 arch/x86/kernel/apic/vector.c:1023
nmi_cpu_backtrace.cold+0x70/0xb1 lib/nmi_backtrace.c:101
lapic_can_unplug_cpu.cold+0x3b/0x3b
nmi_trigger_cpumask_backtrace+0x1db/0x207 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:146 [inline]
check_hung_uninterruptible_tasks kernel/hung_task.c:205 [inline]
watchdog+0xa99/0xfd0 kernel/hung_task.c:289
reset_hung_task_detector+0x30/0x30 kernel/hung_task.c:243
kthread+0x326/0x430 kernel/kthread.c:268
kthread_create_on_node+0xf0/0xf0 kernel/kthread.c:405
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:351
Sending NMI from CPU 1 to CPUs 0:
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xef/0x16e lib/dump_stack.c:118
irq_force_complete_move.cold+0x13/0x47 arch/x86/kernel/apic/vector.c:1023
nmi_cpu_backtrace.cold+0x70/0xb1 lib/nmi_backtrace.c:101
lapic_can_unplug_cpu.cold+0x3b/0x3b
nmi_trigger_cpumask_backtrace+0x1db/0x207 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:146 [inline]
check_hung_uninterruptible_tasks kernel/hung_task.c:205 [inline]
watchdog+0xa99/0xfd0 kernel/hung_task.c:289
reset_hung_task_detector+0x30/0x30 kernel/hung_task.c:243
kthread+0x326/0x430 kernel/kthread.c:268
kthread_create_on_node+0xf0/0xf0 kernel/kthread.c:405
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:351
NMI backtrace for cpu 0 skipped: idling at native_safe_halt arch/x86/include/asm/irqflags.h:60 [inline]
NMI backtrace for cpu 0 skipped: idling at arch_safe_halt arch/x86/include/asm/irqflags.h:103 [inline]
NMI backtrace for cpu 0 skipped: idling at default_idle+0x28/0x300 arch/x86/kernel/process.c:697
Reply all
Reply to author
Forward
0 new messages