suspicious RCU usage at ./include/linux/rcupdate.h:LINE (2)


syzbot

Nov 2, 2017, 1:52:29 PM11/2/17
to JBeu...@suse.com, h...@zytor.com, jpoi...@redhat.com, kirill....@linux.intel.com, ldu...@linux.vnet.ibm.com, linux-...@vger.kernel.org, lu...@kernel.org, mi...@redhat.com, syzkall...@googlegroups.com, tg...@linutronix.de, x...@kernel.org
Hello,

syzkaller hit the following crash on
85b1bb248071967135d22cc84e62292094f4a3c6
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master
compiler: gcc (GCC) 7.1.1 20170620
.config is attached
Raw console output is attached.

=============================
WARNING: suspicious RCU usage
4.14.0-rc3+ #121 Not tainted
-----------------------------
./include/linux/rcupdate.h:302 Illegal context switch in RCU read-side
critical section!

other info that might help us debug this:


rcu_scheduler_active = 2, debug_locks = 0
3 locks held by syz-executor6/19499:
#0: (&mm->mmap_sem){++++}, at: [<ffffffff81303e4e>]
__do_page_fault+0x31e/0xd60 arch/x86/mm/fault.c:1383
#1: (&p->pi_lock){-.-.}, at: [<ffffffff814b299c>]
try_to_wake_up+0xbc/0x1600 kernel/sched/core.c:1979
#2: (rcu_read_lock){....}, at: [<ffffffff814d0e50>]
select_task_rq_fair+0x3e0/0x3070 kernel/sched/fair.c:5983

stack backtrace:
CPU: 0 PID: 19499 Comm: syz-executor6 Not tainted 4.14.0-rc3+ #121
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:16 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:52
lockdep_rcu_suspicious+0x123/0x170 kernel/locking/lockdep.c:4673
rcu_preempt_sleep_check include/linux/rcupdate.h:301 [inline]
___might_sleep+0x385/0x470 kernel/sched/core.c:6002
clear_huge_page+0x37d/0x6f0 mm/memory.c:4553
__do_huge_pmd_anonymous_page mm/huge_memory.c:570 [inline]
do_huge_pmd_anonymous_page+0x59c/0x1b00 mm/huge_memory.c:728
create_huge_pmd mm/memory.c:3802 [inline]
__handle_mm_fault+0x1827/0x39c0 mm/memory.c:4005
handle_mm_fault+0x334/0x8d0 mm/memory.c:4071
__do_page_fault+0x5bd/0xd60 arch/x86/mm/fault.c:1444
do_page_fault+0xee/0x720 arch/x86/mm/fault.c:1520
page_fault+0x22/0x30 arch/x86/entry/entry_64.S:1066
RIP: 0033:0x405424
RSP: 002b:0000000000a6f8e0 EFLAGS: 00010246
RAX: 000000002034f000 RBX: 0000000000000004 RCX: 0000000000000004
RDX: b6db98369fb4b2fc RSI: 0000000000000000 RDI: 0000000000f40848
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000001
R10: 0000000000a6f980 R11: 0000000000000206 R12: fffffffffffffffe
R13: 0000000000718000 R14: 000000002034f000 R15: 0000000000000010
======================================================
WARNING: possible circular locking dependency detected
4.14.0-rc3+ #121 Not tainted
------------------------------------------------------
loop0/18908 is trying to acquire lock:
(&sb->s_type->i_mutex_key#9){++++}, at: [<ffffffff818750ac>] inode_lock
include/linux/fs.h:712 [inline]
(&sb->s_type->i_mutex_key#9){++++}, at: [<ffffffff818750ac>]
generic_file_write_iter+0xdc/0x7a0 mm/filemap.c:3175

but now in release context of a crosslock acquired at the following:
((complete)&ret.event){+.+.}, at: [<ffffffff822ac39e>]
submit_bio_wait+0x15e/0x200 block/bio.c:953

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #4 ((complete)&ret.event){+.+.}:
check_prevs_add kernel/locking/lockdep.c:2020 [inline]
validate_chain kernel/locking/lockdep.c:2469 [inline]
__lock_acquire+0x328f/0x4620 kernel/locking/lockdep.c:3498
lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:4002
complete_acquire include/linux/completion.h:39 [inline]
__wait_for_common kernel/sched/completion.c:108 [inline]
wait_for_common_io kernel/sched/completion.c:128 [inline]
wait_for_completion_io+0xcb/0x7b0 kernel/sched/completion.c:176
submit_bio_wait+0x15e/0x200 block/bio.c:953
blkdev_issue_zeroout+0x13c/0x1d0 block/blk-lib.c:370
sb_issue_zeroout include/linux/blkdev.h:1368 [inline]
ext4_init_inode_table+0x4fd/0xdb1 fs/ext4/ialloc.c:1447
ext4_run_li_request fs/ext4/super.c:2866 [inline]
ext4_lazyinit_thread+0x808/0xd30 fs/ext4/super.c:2960
kthread+0x39c/0x470 kernel/kthread.c:231
ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431

-> #3 (&meta_group_info[i]->alloc_sem){++++}:
check_prevs_add kernel/locking/lockdep.c:2020 [inline]
validate_chain kernel/locking/lockdep.c:2469 [inline]
__lock_acquire+0x328f/0x4620 kernel/locking/lockdep.c:3498
lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:4002
down_read+0x96/0x150 kernel/locking/rwsem.c:23
__ext4_new_inode+0x26dc/0x4f00 fs/ext4/ialloc.c:1056
ext4_symlink+0x2d9/0xae0 fs/ext4/namei.c:3118
vfs_symlink+0x323/0x560 fs/namei.c:4115
SYSC_symlinkat fs/namei.c:4142 [inline]
SyS_symlinkat fs/namei.c:4122 [inline]
SYSC_symlink fs/namei.c:4155 [inline]
SyS_symlink+0x134/0x200 fs/namei.c:4153
entry_SYSCALL_64_fastpath+0x1f/0xbe

-> #2 (jbd2_handle){++++}:
check_prevs_add kernel/locking/lockdep.c:2020 [inline]
validate_chain kernel/locking/lockdep.c:2469 [inline]
__lock_acquire+0x328f/0x4620 kernel/locking/lockdep.c:3498
lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:4002
start_this_handle+0x4b8/0x1080 fs/jbd2/transaction.c:390
jbd2__journal_start+0x389/0x9f0 fs/jbd2/transaction.c:444
__ext4_journal_start_sb+0x15f/0x550 fs/ext4/ext4_jbd2.c:80
__ext4_journal_start fs/ext4/ext4_jbd2.h:314 [inline]
ext4_dirty_inode+0x56/0xa0 fs/ext4/inode.c:5859
__mark_inode_dirty+0x912/0x1170 fs/fs-writeback.c:2096
generic_update_time+0x1b2/0x270 fs/inode.c:1649
update_time fs/inode.c:1665 [inline]
touch_atime+0x26d/0x2f0 fs/inode.c:1737
file_accessed include/linux/fs.h:2061 [inline]
ext4_file_mmap+0x161/0x1b0 fs/ext4/file.c:352
call_mmap include/linux/fs.h:1775 [inline]
mmap_region+0xa99/0x15a0 mm/mmap.c:1690
do_mmap+0x6a1/0xd50 mm/mmap.c:1468
do_mmap_pgoff include/linux/mm.h:2150 [inline]
vm_mmap_pgoff+0x1de/0x280 mm/util.c:333
SYSC_mmap_pgoff mm/mmap.c:1518 [inline]
SyS_mmap_pgoff+0x462/0x5f0 mm/mmap.c:1476
SYSC_mmap arch/x86/kernel/sys_x86_64.c:99 [inline]
SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:90
entry_SYSCALL_64_fastpath+0x1f/0xbe

-> #1 (&mm->mmap_sem){++++}:
check_prevs_add kernel/locking/lockdep.c:2020 [inline]
validate_chain kernel/locking/lockdep.c:2469 [inline]
__lock_acquire+0x328f/0x4620 kernel/locking/lockdep.c:3498
lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:4002
__might_fault+0x13a/0x1d0 mm/memory.c:4502
_copy_to_user+0x2c/0xc0 lib/usercopy.c:24
copy_to_user include/linux/uaccess.h:154 [inline]
filldir+0x1a7/0x320 fs/readdir.c:196
dir_emit_dot include/linux/fs.h:3339 [inline]
dir_emit_dots include/linux/fs.h:3350 [inline]
dcache_readdir+0x12d/0x5e0 fs/libfs.c:192
iterate_dir+0x4b2/0x5d0 fs/readdir.c:51
SYSC_getdents fs/readdir.c:231 [inline]
SyS_getdents+0x225/0x450 fs/readdir.c:212
entry_SYSCALL_64_fastpath+0x1f/0xbe

-> #0 (&sb->s_type->i_mutex_key#9){++++}:
down_write+0x87/0x120 kernel/locking/rwsem.c:53
inode_lock include/linux/fs.h:712 [inline]
generic_file_write_iter+0xdc/0x7a0 mm/filemap.c:3175
call_write_iter include/linux/fs.h:1770 [inline]
do_iter_readv_writev+0x531/0x7f0 fs/read_write.c:673
do_iter_write+0x15a/0x540 fs/read_write.c:952
vfs_iter_write+0x77/0xb0 fs/read_write.c:965

other info that might help us debug this:

Chain exists of:
&sb->s_type->i_mutex_key#9 --> &meta_group_info[i]->alloc_sem -->
(complete)&ret.event

Possible unsafe locking scenario by crosslock:

CPU0 CPU1
---- ----
lock(&meta_group_info[i]->alloc_sem);
lock((complete)&ret.event);
lock(&sb->s_type->i_mutex_key#9);
unlock((complete)&ret.event);

*** DEADLOCK ***

1 lock held by loop0/18908:
#0: (&x->wait#14){..-.}, at: [<ffffffff8152ade8>] complete+0x18/0x80
kernel/sched/completion.c:34

stack backtrace:
CPU: 1 PID: 18908 Comm: loop0 Not tainted 4.14.0-rc3+ #121
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:16 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:52
print_circular_bug+0x503/0x710 kernel/locking/lockdep.c:1259
check_prev_add+0x865/0x1520 kernel/locking/lockdep.c:1894
commit_xhlock kernel/locking/lockdep.c:5015 [inline]
commit_xhlocks kernel/locking/lockdep.c:5059 [inline]
lock_commit_crosslock+0xe59/0x1d00 kernel/locking/lockdep.c:5098
complete_release_commit include/linux/completion.h:49 [inline]
complete+0x24/0x80 kernel/sched/completion.c:39
submit_bio_wait_endio+0x9c/0xd0 block/bio.c:930
bio_endio+0x2f8/0x8d0 block/bio.c:1843
req_bio_endio block/blk-core.c:204 [inline]
blk_update_request+0x2a6/0xe20 block/blk-core.c:2746
blk_mq_end_request+0x54/0x120 block/blk-mq.c:509
lo_complete_rq+0xbe/0x1f0 drivers/block/loop.c:463
__blk_mq_complete_request+0x38f/0x6c0 block/blk-mq.c:550
blk_mq_complete_request+0x4f/0x60 block/blk-mq.c:570
loop_handle_cmd drivers/block/loop.c:1710 [inline]
loop_queue_work+0x26b/0x3900 drivers/block/loop.c:1719
kthread_worker_fn+0x32b/0x980 kernel/kthread.c:635
loop_kthread_worker_fn+0x51/0x60 drivers/block/loop.c:836
kthread+0x39c/0x470 kernel/kthread.c:231
ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
loop_reread_partitions: partition scan of loop0
(- \� t�@�� r�9h �x G�Q:[��i�l �
�L�*� �@� ���R�-�T�r-�x�� ) failed (rc=-13)
print_req_error: I/O error, dev loop0, sector 0
print_req_error: I/O error, dev loop0, sector 0
Buffer I/O error on dev loop0, logical block 0, async page read
print_req_error: I/O error, dev loop0, sector 0
Buffer I/O error on dev loop0, logical block 0, async page read
print_req_error: I/O error, dev loop0, sector 0
Buffer I/O error on dev loop0, logical block 0, async page read
print_req_error: I/O error, dev loop0, sector 0
Buffer I/O error on dev loop0, logical block 0, async page read
print_req_error: I/O error, dev loop0, sector 0
Buffer I/O error on dev loop0, logical block 0, async page read
print_req_error: I/O error, dev loop0, sector 0
Buffer I/O error on dev loop0, logical block 0, async page read
print_req_error: I/O error, dev loop0, sector 0
Buffer I/O error on dev loop0, logical block 0, async page read
Buffer I/O error on dev loop0, logical block 0, async page read
Buffer I/O error on dev loop0, logical block 0, async page read
Buffer I/O error on dev loop0, logical block 0, async page read
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0
sclass=netlink_route_socket pig=19625 comm=syz-executor0
netlink: 5 bytes leftover after parsing attributes in process
`syz-executor2'.
device syz6 left promiscuous mode
QAT: Invalid ioctl
QAT: Invalid ioctl
netlink: 5 bytes leftover after parsing attributes in process
`syz-executor2'.
QAT: Invalid ioctl
QAT: Invalid ioctl
sctp: [Deprecated]: syz-executor7 (pid 19753) Use of struct
sctp_assoc_value in delayed_ack socket option.
Use struct sctp_sack_info instead
sctp: [Deprecated]: syz-executor7 (pid 19763) Use of struct
sctp_assoc_value in delayed_ack socket option.
Use struct sctp_sack_info instead
print_req_error: 98 callbacks suppressed
print_req_error: I/O error, dev loop0, sector 0
print_req_error: I/O error, dev loop0, sector 0
print_req_error: I/O error, dev loop0, sector 0
print_req_error: I/O error, dev loop0, sector 0
print_req_error: I/O error, dev loop0, sector 0
print_req_error: I/O error, dev loop0, sector 0
print_req_error: I/O error, dev loop0, sector 0
print_req_error: I/O error, dev loop0, sector 0
print_req_error: I/O error, dev loop0, sector 0
print_req_error: I/O error, dev loop0, sector 0
QAT: Invalid ioctl
QAT: Invalid ioctl
syz-executor3: vmalloc: allocation failure: 16587630936 bytes,
mode:0x14080c0(GFP_KERNEL|__GFP_ZERO), nodemask=(null)
QAT: Invalid ioctl
QAT: Invalid ioctl
syz-executor3 cpuset=/ mems_allowed=0
CPU: 1 PID: 19853 Comm: syz-executor3 Not tainted 4.14.0-rc3+ #121
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
syz-executor3: vmalloc: allocation failure: 16587630936 bytes,
mode:0x14080c0(GFP_KERNEL|__GFP_ZERO), nodemask=(null)
syz-executor3 cpuset=/ mems_allowed=0
Call Trace:
__dump_stack lib/dump_stack.c:16 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:52
warn_alloc+0x1c2/0x2f0 mm/page_alloc.c:3254
__vmalloc_node_range+0x581/0x710 mm/vmalloc.c:1781
__vmalloc_node mm/vmalloc.c:1810 [inline]
__vmalloc_node_flags_caller+0x50/0x60 mm/vmalloc.c:1832
kvmalloc_node+0x82/0xd0 mm/util.c:406
kvmalloc include/linux/mm.h:529 [inline]
kvmalloc_array include/linux/mm.h:545 [inline]
xt_alloc_entry_offsets+0x21/0x30 net/netfilter/x_tables.c:774
translate_table+0x235/0x1610 net/ipv4/netfilter/ip_tables.c:686
do_replace net/ipv4/netfilter/ip_tables.c:1130 [inline]
do_ipt_set_ctl+0x34b/0x5c0 net/ipv4/netfilter/ip_tables.c:1664
nf_sockopt net/netfilter/nf_sockopt.c:105 [inline]
nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:114
ip_setsockopt+0xa1/0xb0 net/ipv4/ip_sockglue.c:1255
tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2799
sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2965
SYSC_setsockopt net/socket.c:1852 [inline]
SyS_setsockopt+0x189/0x360 net/socket.c:1831
entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x4520a9
RSP: 002b:00007f5b38234c08 EFLAGS: 00000216 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 0000000000718000 RCX: 00000000004520a9
RDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000018
RBP: 0000000000000600 R08: 0000000000000056 R09: 0000000000000000
R10: 0000000020c2c000 R11: 0000000000000216 R12: 00000000004b75b5
R13: 00000000ffffffff R14: ffffffffffffffff R15: 000000002034dfdc
CPU: 0 PID: 19867 Comm: syz-executor3 Not tainted 4.14.0-rc3+ #121
warn_alloc_show_mem: 1 callbacks suppressed
Mem-Info:
active_anon:125389 inactive_anon:46 isolated_anon:0
active_file:3815 inactive_file:6419 isolated_file:0
unevictable:0 dirty:126 writeback:0 unstable:0
slab_reclaimable:8324 slab_unreclaimable:101825
mapped:22218 shmem:57 pagetables:864 bounce:0
free:1359513 free_pcp:399 free_cma:0
Node 0 active_anon:501556kB inactive_anon:184kB active_file:15260kB
inactive_file:25676kB unevictable:0kB isolated(anon):0kB isolated(file):0kB
mapped:88872kB dirty:504kB writeback:0kB shmem:228kB shmem_thp: 0kB
shmem_pmdmapped: 0kB anon_thp: 49152kB writeback_tmp:0kB unstable:0kB
all_unreclaimable? no
Node 0 DMA free:15908kB min:160kB low:200kB high:240kB active_anon:0kB
inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB
writepending:0kB present:15992kB managed:15908kB mlocked:0kB
kernel_stack:0kB pagetables:0kB bounce:0kB free_pcp:0kB local_pcp:0kB
free_cma:0kB
lowmem_reserve[]: 0 2886 6399 6399
Node 0 DMA32 free:2957424kB min:30408kB low:38008kB high:45608kB
active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:8kB
unevictable:0kB writepending:0kB present:3129332kB managed:2958156kB
mlocked:0kB kernel_stack:0kB pagetables:0kB bounce:0kB free_pcp:732kB
local_pcp:140kB free_cma:0kB
lowmem_reserve[]: 0 0 3513 3513
Node 0 Normal free:2464720kB min:37008kB low:46260kB high:55512kB
active_anon:501556kB inactive_anon:184kB active_file:15260kB
inactive_file:47412kB unevictable:0kB writepending:504kB present:4718592kB
managed:3597444kB mlocked:0kB kernel_stack:4640kB pagetables:3456kB
bounce:0kB free_pcp:864kB local_pcp:620kB free_cma:0kB
lowmem_reserve[]: 0 0 0 0
Node 0 DMA: 1*4kB (U) 0*8kB 0*16kB 1*32kB (U) 2*64kB (U) 1*128kB (U)
1*256kB (U) 0*512kB 1*1024kB (U) 1*2048kB (M) 3*4096kB (M) = 15908kB
Node 0 DMA32: 4*4kB (M) 2*8kB (UM) 3*16kB (UM) 3*32kB (UM) 3*64kB (M)
2*128kB (M) 4*256kB (UM) 5*512kB (UM) 2*1024kB (UM) 3*2048kB (UM)
719*4096kB (M) = 2957424kB
Node 0 Normal: 202*4kB (UME) 835*8kB (UME) 559*16kB (UM) 567*32kB (UME)
805*64kB (UME) 391*128kB (UM) 266*256kB (UM) 43*512kB (UM) 22*1024kB (UME)
12*2048kB (UME) 535*4096kB (UM) = 2464720kB
Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0
hugepages_size=2048kB
10290 total pagecache pages
0 pages in swap cache
Swap cache stats: add 0, delete 0, find 0/0
Free swap = 0kB
Total swap = 0kB
1965979 pages RAM
0 pages HighMem/MovableOnly
323102 pages reserved
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:16 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:52
warn_alloc+0x1c2/0x2f0 mm/page_alloc.c:3254
__vmalloc_node_range+0x581/0x710 mm/vmalloc.c:1781
__vmalloc_node mm/vmalloc.c:1810 [inline]
__vmalloc_node_flags_caller+0x50/0x60 mm/vmalloc.c:1832
kvmalloc_node+0x82/0xd0 mm/util.c:406
kvmalloc include/linux/mm.h:529 [inline]
kvmalloc_array include/linux/mm.h:545 [inline]
xt_alloc_entry_offsets+0x21/0x30 net/netfilter/x_tables.c:774
translate_table+0x235/0x1610 net/ipv4/netfilter/ip_tables.c:686
do_replace net/ipv4/netfilter/ip_tables.c:1130 [inline]
do_ipt_set_ctl+0x34b/0x5c0 net/ipv4/netfilter/ip_tables.c:1664
nf_sockopt net/netfilter/nf_sockopt.c:105 [inline]
nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:114
ip_setsockopt+0xa1/0xb0 net/ipv4/ip_sockglue.c:1255
tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2799
sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2965
SYSC_setsockopt net/socket.c:1852 [inline]
SyS_setsockopt+0x189/0x360 net/socket.c:1831
entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x4520a9
RSP: 002b:00007f5b381f2c08 EFLAGS: 00000216 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 0000000000718160 RCX: 00000000004520a9
RDX: 0000000000000040 RSI: 0000000000000000 RDI: 000000000000001e
RBP: 0000000000005e90 R08: 0000000000000056 R09: 0000000000000000
R10: 0000000020c2c000 R11: 0000000000000216 R12: 00000000004bbcbf
R13: 00000000ffffffff R14: 0000000020c18000 R15: 000000000000007f
kauditd_printk_skb: 43 callbacks suppressed
audit: type=1326 audit(1507481365.662:451): auid=4294967295 uid=0 gid=0
ses=4294967295 subj=kernel pid=19882 comm="syz-executor1"
exe="/root/syz-executor1" sig=9 arch=c000003e syscall=202 compat=0
ip=0x4520a9 code=0x0
audit: type=1326 audit(1507481365.776:452): auid=4294967295 uid=0 gid=0
ses=4294967295 subj=kernel pid=19882 comm="syz-executor1"
exe="/root/syz-executor1" sig=9 arch=c000003e syscall=202 compat=0
ip=0x4520a9 code=0x0
sctp: [Deprecated]: syz-executor2 (pid 19957) Use of int in maxseg socket
option.
Use struct sctp_assoc_value instead
sctp: [Deprecated]: syz-executor2 (pid 19967) Use of int in maxseg socket
option.
Use struct sctp_assoc_value instead
netlink: 8 bytes leftover after parsing attributes in process
`syz-executor3'.
netlink: 8 bytes leftover after parsing attributes in process
`syz-executor3'.
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=1042
sclass=netlink_route_socket pig=20017 comm=syz-executor1
?: renamed from sit0
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=1042
sclass=netlink_route_socket pig=20017 comm=syz-executor1
device syz6 entered promiscuous mode
sctp: [Deprecated]: syz-executor4 (pid 20153) Use of int in maxseg socket
option.
Use struct sctp_assoc_value instead
device syz6 left promiscuous mode
sctp: [Deprecated]: syz-executor4 (pid 20173) Use of int in maxseg socket
option.
Use struct sctp_assoc_value instead
netlink: 9 bytes leftover after parsing attributes in process
`syz-executor3'.
A link change request failed with some changes committed already. Interface
lo may have been left with an inconsistent configuration, please check.
audit: type=1326 audit(1507481367.246:453): auid=4294967295 uid=0 gid=0
ses=4294967295 subj=kernel pid=20197 comm="syz-executor3"
exe="/root/syz-executor3" sig=31 arch=c000003e syscall=202 compat=0
ip=0x4520a9 code=0xffff0000
netlink: 1 bytes leftover after parsing attributes in process
`syz-executor3'.
netlink: 9 bytes leftover after parsing attributes in process
`syz-executor3'.
A link change request failed with some changes committed already. Interface
lo may have been left with an inconsistent configuration, please check.
audit: type=1326 audit(1507481367.382:454): auid=4294967295 uid=0 gid=0
ses=4294967295 subj=kernel pid=20197 comm="syz-executor3"
exe="/root/syz-executor3" sig=31 arch=c000003e syscall=202 compat=0
ip=0x4520a9 code=0xffff0000
QAT: Invalid ioctl
QAT: Invalid ioctl
QAT: Invalid ioctl
netlink: 1 bytes leftover after parsing attributes in process
`syz-executor3'.
QAT: Invalid ioctl
QAT: Invalid ioctl
QAT: Invalid ioctl
QAT: Invalid ioctl
QAT: Invalid ioctl
QAT: Invalid ioctl
?: renamed from sit0
device lo left promiscuous mode
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
9pnet_virtio: no channels available for device ./bus
netlink: 1 bytes leftover after parsing attributes in process
`syz-executor6'.
netlink: 1 bytes leftover after parsing attributes in process
`syz-executor6'.
audit: type=1326 audit(1507481368.404:455): auid=4294967295 uid=0 gid=0
ses=4294967295 subj=kernel pid=20453 comm="syz-executor3"
exe="/root/syz-executor3" sig=31 arch=c000003e syscall=202 compat=0
ip=0x4520a9 code=0xffff0000
IPv6: Can't replace route, no match found
*** Guest State ***
IPv6: Can't replace route, no match found
audit: type=1326 audit(1507481368.519:456): auid=4294967295 uid=0 gid=0
ses=4294967295 subj=kernel pid=20453 comm="syz-executor3"
exe="/root/syz-executor3" sig=31 arch=c000003e syscall=202 compat=0
ip=0x4520a9 code=0xffff0000
kvm: emulating exchange as write
CR0: actual=0x0000000080000031, shadow=0x0000000060000011,
gh_mask=fffffffffffffff7
CR4: actual=0x0000000000002050, shadow=0x0000000000000020,
gh_mask=ffffffffffffe871
CR3 = 0x00000000fffbc000
RSP = 0x0000000000000f80 RIP = 0x0000000000000000
device gre0 entered promiscuous mode
RFLAGS=0x00000002 DR7 = 0x0000000000000400
Sysenter RSP=0000000000000f80 CS:RIP=0050:0000000000002810
CS: sel=0x0030, attr=0x0409b, limit=0x000fffff, base=0x0000000000000000
DS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000
SS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000
ES: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000
FS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000
GS: sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000
GDTR: limit=0x000007ff, base=0x0000000000001000
LDTR: sel=0x0008, attr=0x04082, limit=0x000007ff, base=0x0000000000001800
IDTR: limit=0x000001ff, base=0x0000000000003800
TR: sel=0x0000, attr=0x0008b, limit=0x0000ffff, base=0x0000000000000000
EFER = 0x0000000000000001 PAT = 0x0007040600070406
DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000
Interruptibility = 00000000 ActivityState = 00000000
*** Host State ***
RIP = 0xffffffff811ba093 RSP = 0xffff8801d92274c8
CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040
FSBase=00007febaa214700 GSBase=ffff8801db200000 TRBase=ffff8801db3231c0
GDTBase=ffffffffff576000 IDTBase=ffffffffff57b000
CR0=0000000080050033 CR3=00000001cdfea000 CR4=00000000001426f0
Sysenter RSP=0000000000000000 CS:RIP=0010:ffffffff84d43fb0
EFER = 0x0000000000000d01 PAT = 0x0000000000000000
*** Control State ***
PinBased=0000003f CPUBased=b699edfe SecondaryExec=00000042
EntryControls=0000d1ff ExitControls=0023efff
ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000
VMEntry: intr_info=80000080 errcode=00000000 ilen=00000000
VMExit: intr_info=00000000 errcode=00000000 ilen=00000000
reason=80000021 qualification=0000000000000000
IDTVectoring: info=00000000 errcode=00000000
TSC Offset = 0xffffffa28309cb38
EPT pointer = 0x00000001c9ff001e
buffer_io_error: 410 callbacks suppressed
Buffer I/O error on dev loop0, logical block 0, async page read
Buffer I/O error on dev loop0, logical block 0, async page read
Buffer I/O error on dev loop0, logical block 0, async page read
Buffer I/O error on dev loop0, logical block 0, async page read
Buffer I/O error on dev loop0, logical block 0, async page read
Buffer I/O error on dev loop0, logical block 0, async page read
Buffer I/O error on dev loop0, logical block 0, async page read
Buffer I/O error on dev loop0, logical block 0, async page read
Buffer I/O error on dev loop0, logical block 0, async page read
Buffer I/O error on dev loop0, logical block 0, async page read
nla_parse: 4 callbacks suppressed
netlink: 4 bytes leftover after parsing attributes in process
`syz-executor3'.
sg_write: data in/out 36090/1 bytes for SCSI command 0x67-- guessing data
in;
program syz-executor1 not setting count and/or reply_len properly
QAT: Invalid ioctl
QAT: Invalid ioctl
sg_write: data in/out 36090/1 bytes for SCSI command 0x67-- guessing data
in;
program syz-executor1 not setting count and/or reply_len properly
QAT: Invalid ioctl
QAT: Invalid ioctl
netlink: 4 bytes leftover after parsing attributes in process
`syz-executor5'.
Bearer <��> rejected, not supported in standalone mode
print_req_error: 469 callbacks suppressed
print_req_error: I/O error, dev loop0, sector 0
print_req_error: I/O error, dev loop0, sector 0
print_req_error: I/O error, dev loop0, sector 0
print_req_error: I/O error, dev loop0, sector 0
print_req_error: I/O error, dev loop0, sector 0
print_req_error: I/O error, dev loop0, sector 0
print_req_error: I/O error, dev loop0, sector 0
print_req_error: I/O error, dev loop0, sector 0
print_req_error: I/O error, dev loop0, sector 0
print_req_error: I/O error, dev loop0, sector 0
netlink: 4 bytes leftover after parsing attributes in process
`syz-executor5'.
Bearer <��> rejected, not supported in standalone mode
audit: type=1326 audit(1507481369.685:457): auid=4294967295 uid=0 gid=0
ses=4294967295 subj=kernel pid=20704 comm="bdev!" exe="/root/syz-executor7"
sig=0 arch=c000003e syscall=202 compat=0 ip=0x4520a9 code=0x7ffc0000
audit: type=1326 audit(1507481369.685:458): auid=4294967295 uid=0 gid=0
ses=4294967295 subj=kernel pid=20704 comm="bdev!" exe="/root/syz-executor7"
sig=0 arch=c000003e syscall=202 compat=0 ip=0x4520a9 code=0x7ffc0000
audit: type=1326 audit(1507481369.685:459): auid=4294967295 uid=0 gid=0
ses=4294967295 subj=kernel pid=20704 comm="syz-executor7"
exe="/root/syz-executor7" sig=0 arch=c000003e syscall=202 compat=0
ip=0x4520a9 code=0x7ffc0000
audit: type=1326 audit(1507481369.685:460): auid=4294967295 uid=0 gid=0
ses=4294967295 subj=kernel pid=20704 comm="syz-executor7"
exe="/root/syz-executor7" sig=0 arch=c000003e syscall=228 compat=0
ip=0x454e4a code=0x7ffc0000
sctp: [Deprecated]: syz-executor1 (pid 20780) Use of int in maxseg socket
option.
Use struct sctp_assoc_value instead
sctp: [Deprecated]: syz-executor1 (pid 20780) Use of struct
sctp_assoc_value in delayed_ack socket option.
Use struct sctp_sack_info instead
kvm [20785]: vcpu0, guest rIP: 0xfff0 disabled perfctr wrmsr: 0x186 data 0xa
kvm [20785]: vcpu0, guest rIP: 0xfff0 disabled perfctr wrmsr: 0x186 data 0xa
sctp: [Deprecated]: syz-executor1 (pid 20805) Use of int in maxseg socket
option.
Use struct sctp_assoc_value instead
sctp: [Deprecated]: syz-executor1 (pid 20825) Use of struct
sctp_assoc_value in delayed_ack socket option.
Use struct sctp_sack_info instead
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=5
sclass=netlink_audit_socket pig=20829 comm=syz-executor3
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=5
sclass=netlink_audit_socket pig=20829 comm=syz-executor3
sg_write: data in/out 3171656/144 bytes for SCSI command 0xff-- guessing
data in;
program syz-executor4 not setting count and/or reply_len properly
sg_write: data in/out 3171656/144 bytes for SCSI command 0xff-- guessing
data in;
program syz-executor4 not setting count and/or reply_len properly
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0
sclass=netlink_route_socket pig=20882 comm=syz-executor0
netlink: 13 bytes leftover after parsing attributes in process
`syz-executor1'.
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0
sclass=netlink_route_socket pig=20942 comm=syz-executor3
netlink: 13 bytes leftover after parsing attributes in process
`syz-executor1'.
netlink: 13 bytes leftover after parsing attributes in process
`syz-executor6'.
pit: kvm: requested 838 ns i8254 timer period limited to 500000 ns
netlink: 13 bytes leftover after parsing attributes in process
`syz-executor6'.
netlink: 3 bytes leftover after parsing attributes in process
`syz-executor0'.
netlink: 1 bytes leftover after parsing attributes in process
`syz-executor0'.
netlink: 3 bytes leftover after parsing attributes in process
`syz-executor0'.
QAT: Invalid ioctl
kauditd_printk_skb: 224 callbacks suppressed
audit: type=1326 audit(1507481371.595:685): auid=4294967295 uid=0 gid=0
ses=4294967295 subj=kernel pid=21217 comm="syz-executor3"
exe="/root/syz-executor3" sig=31 arch=c000003e syscall=202 compat=0
ip=0x4520a9 code=0xffff0000
audit: type=1326 audit(1507481371.709:686): auid=4294967295 uid=0 gid=0
ses=4294967295 subj=kernel pid=21217 comm="syz-executor3"
exe="/root/syz-executor3" sig=31 arch=c000003e syscall=202 compat=0
ip=0x4520a9 code=0xffff0000
xprt_adjust_timeout: rq_timeout = 0!
xprt_adjust_timeout: rq_timeout = 0!
syz-executor0: vmalloc: allocation failure: 17179607040 bytes,
mode:0x14080c0(GFP_KERNEL|__GFP_ZERO), nodemask=(null)
syz-executor0 cpuset=/ mems_allowed=0
CPU: 1 PID: 21316 Comm: syz-executor0 Not tainted 4.14.0-rc3+ #121
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:16 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:52
warn_alloc+0x1c2/0x2f0 mm/page_alloc.c:3254
__vmalloc_node_range+0x581/0x710 mm/vmalloc.c:1781
__vmalloc_node mm/vmalloc.c:1810 [inline]
__vmalloc_node_flags_caller+0x50/0x60 mm/vmalloc.c:1832
kvmalloc_node+0x82/0xd0 mm/util.c:406
kvmalloc include/linux/mm.h:529 [inline]
kvmalloc_array include/linux/mm.h:545 [inline]
xt_alloc_entry_offsets+0x21/0x30 net/netfilter/x_tables.c:774
translate_table+0x235/0x1690 net/ipv6/netfilter/ip6_tables.c:705
do_replace net/ipv6/netfilter/ip6_tables.c:1150 [inline]
do_ip6t_set_ctl+0x34b/0x5c0 net/ipv6/netfilter/ip6_tables.c:1676
nf_sockopt net/netfilter/nf_sockopt.c:105 [inline]
nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:114
ipv6_setsockopt+0x115/0x150 net/ipv6/ipv6_sockglue.c:919
tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2799
sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2965
SYSC_setsockopt net/socket.c:1852 [inline]
SyS_setsockopt+0x189/0x360 net/socket.c:1831
entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x4520a9
RSP: 002b:00007f7d7f23fc08 EFLAGS: 00000216 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 0000000000718000 RCX: 00000000004520a9
RDX: 0000000000000040 RSI: 0000000000000029 RDI: 0000000000000016
RBP: 00000000000000d0 R08: 0000000000000004 R09: 0000000000000000
R10: 0000000020001fde R11: 0000000000000216 R12: 00000000004b7162
R13: 00000000ffffffff R14: 0000000000000006 R15: 0000000020ac9ff0
warn_alloc_show_mem: 1 callbacks suppressed
Mem-Info:
active_anon:132279 inactive_anon:40 isolated_anon:0
active_file:3885 inactive_file:6376 isolated_file:0
unevictable:0 dirty:119 writeback:0 unstable:0
slab_reclaimable:8440 slab_unreclaimable:102657
mapped:22256 shmem:49 pagetables:889 bounce:0
free:1351225 free_pcp:351 free_cma:0
Node 0 active_anon:531188kB inactive_anon:160kB active_file:15540kB
inactive_file:25504kB unevictable:0kB isolated(anon):0kB isolated(file):0kB
mapped:89024kB dirty:476kB writeback:0kB shmem:196kB shmem_thp: 0kB
shmem_pmdmapped: 0kB anon_thp: 112640kB writeback_tmp:0kB unstable:0kB
all_unreclaimable? no
Node 0 DMA free:15908kB min:160kB low:200kB high:240kB active_anon:0kB
inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB
writepending:0kB present:15992kB managed:15908kB mlocked:0kB
kernel_stack:0kB pagetables:0kB bounce:0kB free_pcp:0kB local_pcp:0kB
free_cma:0kB
lowmem_reserve[]: 0 2886 6399 6399
Node 0 DMA32 free:2957424kB min:30408kB low:38008kB high:45608kB
active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:8kB
unevictable:0kB writepending:0kB present:3129332kB managed:2958156kB
mlocked:0kB kernel_stack:0kB pagetables:0kB bounce:0kB free_pcp:724kB
local_pcp:108kB free_cma:0kB


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzk...@googlegroups.com.
Please credit me with: Reported-by: syzbot <syzk...@googlegroups.com>

syzbot will keep track of this bug report.
Once a fix for this bug is committed, please reply to this email with:
#syz fix: exact-commit-title
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
Note: all commands must start from beginning of the line.
config.txt
raw.log

syzbot

Dec 31, 2017, 7:54:02 AM
to JBeu...@suse.com, da...@davemloft.net, her...@gondor.apana.org.au, h...@zytor.com, jpoi...@redhat.com, kirill....@linux.intel.com, ldu...@linux.vnet.ibm.com, linux-...@vger.kernel.org, lu...@kernel.org, mi...@redhat.com, net...@vger.kernel.org, steffen....@secunet.com, syzkall...@googlegroups.com, tg...@linutronix.de, x...@kernel.org
syzkaller has found reproducer for the following crash on
6bb8824732f69de0f233ae6b1a8158e149627b38
git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/master
compiler: gcc (GCC) 7.1.1 20170620
.config is attached
Raw console output is attached.
C reproducer is attached
syzkaller reproducer is attached. See https://goo.gl/kgGztJ
for information about syzkaller reproducers


IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by:
syzbot+ca425f44816d749e...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed.

audit: type=1400 audit(1514724677.759:7): avc: denied { map } for
pid=3495 comm="syzkaller246415" path="/root/syzkaller246415126" dev="sda1"
ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1

=============================
WARNING: suspicious RCU usage
4.15.0-rc5+ #171 Not tainted
-----------------------------
./include/linux/rcupdate.h:302 Illegal context switch in RCU read-side
critical section!

other info that might help us debug this:


rcu_scheduler_active = 2, debug_locks = 1
2 locks held by syzkaller246415/3495:
#0: (&net->xfrm.xfrm_cfg_mutex){+.+.}, at: [<0000000085c20885>]
xfrm_netlink_rcv+0x60/0x90 net/xfrm/xfrm_user.c:2598
#1: (rcu_read_lock){....}, at: [<00000000bee17d16>]
xfrm_state_get_afinfo+0x62/0x280 net/xfrm/xfrm_state.c:2157

stack backtrace:
CPU: 1 PID: 3495 Comm: syzkaller246415 Not tainted 4.15.0-rc5+ #171
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
lockdep_rcu_suspicious+0x123/0x170 kernel/locking/lockdep.c:4585
rcu_preempt_sleep_check include/linux/rcupdate.h:301 [inline]
___might_sleep+0x385/0x470 kernel/sched/core.c:6025
__might_sleep+0x95/0x190 kernel/sched/core.c:6013
slab_pre_alloc_hook mm/slab.h:419 [inline]
slab_alloc mm/slab.c:3368 [inline]
kmem_cache_alloc_trace+0x298/0x750 mm/slab.c:3608
kmalloc include/linux/slab.h:499 [inline]
call_modprobe kernel/kmod.c:80 [inline]
__request_module+0x2e1/0xc20 kernel/kmod.c:171
xfrm_get_type_offload net/xfrm/xfrm_state.c:317 [inline]
__xfrm_init_state+0xa61/0xdd0 net/xfrm/xfrm_state.c:2257
xfrm_state_construct net/xfrm/xfrm_user.c:590 [inline]
xfrm_add_sa+0x1a09/0x33e0 net/xfrm/xfrm_user.c:646
xfrm_user_rcv_msg+0x422/0x860 net/xfrm/xfrm_user.c:2591
netlink_rcv_skb+0x224/0x470 net/netlink/af_netlink.c:2441
xfrm_netlink_rcv+0x6f/0x90 net/xfrm/xfrm_user.c:2599
netlink_unicast_kernel net/netlink/af_netlink.c:1308 [inline]
netlink_unicast+0x4c4/0x6b0 net/netlink/af_netlink.c:1334
netlink_sendmsg+0xa4a/0xe60 net/netlink/af_netlink.c:1897
sock_sendmsg_nosec net/socket.c:628 [inline]
sock_sendmsg+0xca/0x110 net/socket.c:638
___sys_sendmsg+0x767/0x8b0 net/socket.c:2018
__sys_sendmsg+0xe5/0x210 net/socket.c:2052
SYSC_sendmsg net/socket.c:2063 [inline]
SyS_sendmsg+0x2d/0x50 net/socket.c:2059
entry_SYSCALL_64_fastpath+0x23/0x9a
RIP: 0033:0x4400c9
RSP: 002b:00007ffe9973f518 EFLAGS: 00000203 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 00000000004400c9
RDX: 0000000000000000 RSI: 0000000020004000 RDI: 0000000000000003
RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000203 R12: 0000000000401a30
R13: 0000000000401ac0 R14: 0000000000000000 R15: 0000000000000000
BUG: sleeping function called from invalid context at mm/slab.h:419
in_atomic(): 1, irqs_disabled(): 0, pid: 3495, name: syzkaller246415
2 locks held by syzkaller246415/3495:
#0: (&net->xfrm.xfrm_cfg_mutex){+.+.}, at: [<0000000085c20885>]
xfrm_netlink_rcv+0x60/0x90 net/xfrm/xfrm_user.c:2598
#1: (rcu_read_lock){....}, at: [<00000000bee17d16>]
xfrm_state_get_afinfo+0x62/0x280 net/xfrm/xfrm_state.c:2157
CPU: 1 PID: 3495 Comm: syzkaller246415 Not tainted 4.15.0-rc5+ #171
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
___might_sleep+0x2b2/0x470 kernel/sched/core.c:6060
__might_sleep+0x95/0x190 kernel/sched/core.c:6013
slab_pre_alloc_hook mm/slab.h:419 [inline]
slab_alloc mm/slab.c:3368 [inline]
kmem_cache_alloc_trace+0x298/0x750 mm/slab.c:3608
kmalloc include/linux/slab.h:499 [inline]
call_modprobe kernel/kmod.c:80 [inline]
__request_module+0x2e1/0xc20 kernel/kmod.c:171
xfrm_get_type_offload net/xfrm/xfrm_state.c:317 [inline]
__xfrm_init_state+0xa61/0xdd0 net/xfrm/xfrm_state.c:2257
xfrm_state_construct net/xfrm/xfrm_user.c:590 [inline]
xfrm_add_sa+0x1a09/0x33e0 net/xfrm/xfrm_user.c:646
xfrm_user_rcv_msg+0x422/0x860 net/xfrm/xfrm_user.c:2591
netlink_rcv_skb+0x224/0x470 net/netlink/af_netlink.c:2441
xfrm_netlink_rcv+0x6f/0x90 net/xfrm/xfrm_user.c:2599
netlink_unicast_kernel net/netlink/af_netlink.c:1308 [inline]
netlink_unicast+0x4c4/0x6b0 net/netlink/af_netlink.c:1334
netlink_sendmsg+0xa4a/0xe60 net/netlink/af_netlink.c:1897
sock_sendmsg_nosec net/socket.c:628 [inline]
sock_sendmsg+0xca/0x110 net/socket.c:638
___sys_sendmsg+0x767/0x8b0 net/socket.c:2018
__sys_sendmsg+0xe5/0x210 net/socket.c:2052
SYSC_sendmsg net/socket.c:2063 [inline]
SyS_sendmsg+0x2d/0x50 net/socket.c:2059
entry_SYSCALL_64_fastpath+0x23/0x9a
RIP: 0033:0x4400c9
RSP: 002b:00007ffe9973f518 EFLAGS: 00000203 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 00000000004400c9
RDX: 0000000000000000 RSI: 0000000020004000 RDI: 0000000000000003
RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000203 R12: 0000000000401a30
R13: 0000000000401ac0 R14: 0000000000000000 R15: 0000000000000000
BUG: scheduling while atomic: syzkaller246415/3495/0x00000002
2 locks held by syzkaller246415/3495:
#0: (&net->xfrm.xfrm_cfg_mutex){+.+.}, at: [<0000000085c20885>]
xfrm_netlink_rcv+0x60/0x90 net/xfrm/xfrm_user.c:2598
#1: (rcu_read_lock){....}, at: [<00000000bee17d16>]
xfrm_state_get_afinfo+0x62/0x280 net/xfrm/xfrm_state.c:2157
Modules linked in:

config.txt
raw.log
repro.txt
repro.c

Sabrina Dubroca

Dec 31, 2017, 10:19:03 AM
to net...@vger.kernel.org, steffen....@secunet.com, syzkall...@googlegroups.com, il...@mellanox.com, syzbot+ca425f44816d749e...@syzkaller.appspotmail.com, Sabrina Dubroca
request_module can sleep, thus we cannot hold rcu_read_lock() while
calling it. The function also jumps back and takes rcu_read_lock()
again (in xfrm_state_get_afinfo()), resulting in an imbalance.

This codepath is triggered whenever a new offloaded state is created.

Fixes: ffdb5211da1c ("xfrm: Auto-load xfrm offload modules")
Reported-by: syzbot+ca425f44816d749e...@syzkaller.appspotmail.com
Signed-off-by: Sabrina Dubroca <s...@queasysnail.net>
---
net/xfrm/xfrm_state.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 500b3391f474..7e6c297a3924 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -313,13 +313,14 @@ xfrm_get_type_offload(u8 proto, unsigned short family, bool try_load)
if ((type && !try_module_get(type->owner)))
type = NULL;

+ rcu_read_unlock();
+
if (!type && try_load) {
request_module("xfrm-offload-%d-%d", family, proto);
try_load = 0;
goto retry;
}

- rcu_read_unlock();
return type;
}

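Review bot: with rcu_read_unlock() moved ahead of the `if (!type && try_load)` block, nothing RCU-protected may be touched between the unlock and `return type`; in this hunk that holds, because a non-NULL `type` has already been pinned by `try_module_get(type->owner)` on the line above, and the only other work is the sleeping request_module() call that the move exists to take out of the read-side section. The `goto retry` still re-enters the path that takes rcu_read_lock() again (xfrm_state_get_afinfo(), per the commit message), so lock and unlock are now balanced on the reload path, which the old placement was not. A one-line comment above the new `rcu_read_unlock();` saying it must precede request_module() because that call can sleep would keep a later refactor from moving it back below the `if`.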
--
2.15.1
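
The sleep-in-RCU pattern the patch above removes, as an added user-space model that is not part of the patch or of the kernel: a counter stands in for the RCU read-side nesting depth, `might_sleep()` records a violation when a sleeping call runs with that depth non-zero (the condition behind the "Illegal context switch in RCU read-side critical section" report), and the two lookup routines reproduce the before/after ordering of the unlock relative to the blocking `request_module()` call. The function names `lookup_type_before_fix`, `lookup_type_after_fix` and `run_lookup`, the type table and the "esp" entry are all constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the kernel's debugging state. */
static int rcu_depth;      /* RCU read-side nesting depth, 0 = outside any critical section */
static int sleep_in_rcu;   /* sleeping calls made while rcu_depth != 0 */

static void rcu_read_lock(void)   { rcu_depth++; }
static void rcu_read_unlock(void) { rcu_depth--; }

/* Models rcu_preempt_sleep_check(): sleeping inside an RCU read-side
 * critical section is exactly what lockdep flagged in the report. */
static void might_sleep(void)
{
    if (rcu_depth != 0)
        sleep_in_rcu++;
}

/* Constructed type table: a loadable "module" registers the type. */
struct xtype { const char *name; bool loaded; };
static struct xtype table[] = { { "esp", false } };

static struct xtype *find_type(const char *name)
{
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (table[i].loaded && strcmp(table[i].name, name) == 0)
            return &table[i];
    return NULL;   /* not registered yet; the caller may try to load it */
}

/* Models request_module(): it may block, hence the might_sleep() check. */
static void request_module(const char *name)
{
    might_sleep();
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strcmp(table[i].name, name) == 0)
            table[i].loaded = true;
}

/* Ordering before the fix: the unlock sits after the sleeping call, and the
 * retry re-enters rcu_read_lock() without a matching unlock (imbalance). */
static struct xtype *lookup_type_before_fix(const char *name, bool try_load)
{
    struct xtype *type;
retry:
    rcu_read_lock();
    type = find_type(name);
    if (!type && try_load) {
        request_module(name);   /* still inside the read-side section */
        try_load = false;
        goto retry;             /* depth becomes 2 on the second pass */
    }
    rcu_read_unlock();
    return type;
}

/* Ordering after the fix: leave the read-side section first, then sleep;
 * the retry path re-acquires it, so lock and unlock stay balanced. */
static struct xtype *lookup_type_after_fix(const char *name, bool try_load)
{
    struct xtype *type;
retry:
    rcu_read_lock();
    type = find_type(name);
    rcu_read_unlock();
    if (!type && try_load) {
        request_module(name);   /* no RCU read lock held here */
        try_load = false;
        goto retry;
    }
    return type;
}

struct lookup_result { bool found; int violations; int final_depth; };

/* Run one lookup from a clean state and report what the checks observed. */
struct lookup_result run_lookup(bool fixed)
{
    struct lookup_result r;
    rcu_depth = 0;
    sleep_in_rcu = 0;
    table[0].loaded = false;
    r.found = (fixed ? lookup_type_after_fix("esp", true)
                     : lookup_type_before_fix("esp", true)) != NULL;
    r.violations = sleep_in_rcu;
    r.final_depth = rcu_depth;
    return r;
}

int main(void)
{
    struct lookup_result b = run_lookup(false), a = run_lookup(true);
    printf("before fix: found=%d sleep-in-rcu=%d final depth=%d\n", b.found, b.violations, b.final_depth);
    printf("after fix:  found=%d sleep-in-rcu=%d final depth=%d\n", a.found, a.violations, a.final_depth);
    return 0;
}
```

Both orderings find the type after the load, which is why the bug is invisible to a functional test; only the nesting-depth check exposes it: the old ordering records one sleeping call under the read lock and ends with the depth still at 1, the fixed ordering records none and returns with the depth back at 0. The real kernel check lives in `___might_sleep()` (see the trace), and the imbalance is what the "scheduling while atomic" line at the end of the report reflects.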

Steffen Klassert

Dec 31, 2017, 11:09:14 AM
to Sabrina Dubroca, net...@vger.kernel.org, syzkall...@googlegroups.com, il...@mellanox.com, syzbot+ca425f44816d749e...@syzkaller.appspotmail.com
On Sun, Dec 31, 2017 at 04:18:56PM +0100, Sabrina Dubroca wrote:
> request_module can sleep, thus we cannot hold rcu_read_lock() while
> calling it. The function also jumps back and takes rcu_read_lock()
> again (in xfrm_state_get_afinfo()), resulting in an imbalance.
>
> This codepath is triggered whenever a new offloaded state is created.
>
> Fixes: ffdb5211da1c ("xfrm: Auto-load xfrm offload modules")
> Reported-by: syzbot+ca425f44816d749e...@syzkaller.appspotmail.com
> Signed-off-by: Sabrina Dubroca <s...@queasysnail.net>

Patch applied, thanks a lot for the fix Sabrina!
