kernel BUG at drivers/vhost/vhost.c:LINE! (2)


syzbot

Apr 6, 2018, 3:02:02 PM
to jaso...@redhat.com, k...@vger.kernel.org, linux-...@vger.kernel.org, m...@redhat.com, net...@vger.kernel.org, syzkall...@googlegroups.com, virtual...@lists.linux-foundation.org
Hello,

syzbot hit the following crash on upstream commit
38c23685b273cfb4ccf31a199feccce3bdcb5d83 (Fri Apr 6 04:29:35 2018 +0000)
Merge tag 'armsoc-drivers' of
git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc
syzbot dashboard link:
https://syzkaller.appspot.com/bug?extid=65a84dde0214b0387ccd

So far this crash happened 4 times on upstream.
C reproducer: https://syzkaller.appspot.com/x/repro.c?id=6586748079439872
syzkaller reproducer:
https://syzkaller.appspot.com/x/repro.syz?id=5974272052822016
Raw console output:
https://syzkaller.appspot.com/x/log.txt?id=6224632407392256
Kernel config:
https://syzkaller.appspot.com/x/.config?id=-5813481738265533882
compiler: gcc (GCC) 8.0.1 20180301 (experimental)

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+65a84d...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for
details.
If you forward the report, please keep this part and the footer.

------------[ cut here ]------------
kernel BUG at drivers/vhost/vhost.c:1652!
invalid opcode: 0000 [#1] SMP KASAN
------------[ cut here ]------------
Dumping ftrace buffer:
kernel BUG at drivers/vhost/vhost.c:1652!
(ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 4461 Comm: syzkaller684218 Not tainted 4.16.0+ #3
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:set_bit_to_user drivers/vhost/vhost.c:1652 [inline]
RIP: 0010:log_write+0x42a/0x4d0 drivers/vhost/vhost.c:1676
RSP: 0018:ffff8801b256f920 EFLAGS: 00010293
RAX: ffff8801adc9e2c0 RBX: dffffc0000000000 RCX: ffffffff85924a0f
RDX: 0000000000000000 RSI: ffffffff85924cea RDI: 0000000000000005
RBP: ffff8801b256fa58 R08: ffff8801adc9e2c0 R09: ffffed003962412d
R10: ffff8801b256fad8 R11: ffff8801cb12096f R12: 0001ffffffffffff
R13: ffffed00364adf36 R14: 0000000000000000 R15: ffff8801b256fa30
FS: 00007fdf24b19700(0000) GS:ffff8801db100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020bf6000 CR3: 00000001ae6a7000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
vhost_update_used_flags+0x3af/0x4a0 drivers/vhost/vhost.c:1723
vhost_vq_init_access+0x117/0x590 drivers/vhost/vhost.c:1763
vhost_vsock_start drivers/vhost/vsock.c:446 [inline]
vhost_vsock_dev_ioctl+0x751/0x920 drivers/vhost/vsock.c:678
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:500 [inline]
do_vfs_ioctl+0x1cf/0x1650 fs/ioctl.c:684
ksys_ioctl+0xa9/0xd0 fs/ioctl.c:701
SYSC_ioctl fs/ioctl.c:708 [inline]
SyS_ioctl+0x24/0x30 fs/ioctl.c:706
do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x4456c9
RSP: 002b:00007fdf24b18da8 EFLAGS: 00000297 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000006dac24 RCX: 00000000004456c9
RDX: 0000000020f82ffc RSI: 000000004004af61 RDI: 000000000000001b
RBP: 00000000006dac20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000297 R12: 6b636f73762d7473
R13: 6f68762f7665642f R14: fffffffffffffffc R15: 0000000000000007
Code: e8 7c 5e e4 fb 4c 89 ef e8 e4 16 06 fc 48 8d 85 58 ff ff ff 48 c1 e8
03 c6 04 18 f8 e9 46 ff ff ff 45 31 f6 eb 91 e8 56 5e e4 fb <0f> 0b e8 4f
5e e4 fb 48 c7 c6 a0 a3 24 88 4c 89 ef e8 60 b6 10
RIP: set_bit_to_user drivers/vhost/vhost.c:1652 [inline] RSP:
ffff8801b256f920
RIP: log_write+0x42a/0x4d0 drivers/vhost/vhost.c:1676 RSP: ffff8801b256f920
invalid opcode: 0000 [#2] SMP KASAN
---[ end trace 0d0ff45aa44d8a23 ]---
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzk...@googlegroups.com.

syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is merged
into any tree, please reply to this email with:
#syz fix: exact-commit-title
If you want to test a patch for this bug, please reply with:
#syz test: git://repo/address.git branch
and provide the patch inline or as an attachment.
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
Note: all commands must start from beginning of the line in the email body.

syzbot

Apr 7, 2018, 11:29:02 AM
to jaso...@redhat.com, m...@redhat.com, penguin...@i-love.sakura.ne.jp, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but build/boot failed:

[ 4.687850] Freeing unused kernel memory: 2852K
[ 4.688505] Kernel memory protection disabled.
[ 5.049373] SELinux: Disabled at runtime.
[ 5.077212] audit: type=1404 audit(1523114449.657:2): selinux=0
auid=4294967295 ses=4294967295
[ 5.084255] BUG: Dentry 00000000e8b33924{i=17,n=null} still in use (1)
[unmount of selinuxfs selinuxfs]
[ 5.085725] WARNING: CPU: 1 PID: 1 at fs/dcache.c:1500
umount_check.cold.52+0xde/0x117
[ 5.086789] Kernel panic - not syncing: panic_on_warn set ...
[ 5.086789]
[ 5.087781] CPU: 1 PID: 1 Comm: init Not tainted 4.16.0+ #6
[ 5.088542] Hardware name: Google Google Compute Engine/Google Compute
Engine, BIOS Google 01/01/2011
[ 5.089767] Call Trace:
[ 5.090133] dump_stack+0x1b9/0x294
[ 5.090631] ? dump_stack_print_info.cold.2+0x52/0x52
[ 5.091348] ? d_ancestor+0x50/0x64
[ 5.091845] panic+0x22f/0x4de
[ 5.092288] ? add_taint.cold.5+0x16/0x16
[ 5.092871] ? __warn.cold.8+0x148/0x1a3
[ 5.093424] ? __warn.cold.8+0x117/0x1a3
[ 5.093980] ? umount_check.cold.52+0xde/0x117
[ 5.094613] __warn.cold.8+0x163/0x1a3
[ 5.095145] ? umount_check.cold.52+0xde/0x117
[ 5.095765] report_bug+0x252/0x2d0
[ 5.096265] do_error_trap+0x1de/0x490
[ 5.096796] ? find_held_lock+0x36/0x1c0
[ 5.097349] ? math_error+0x420/0x420
[ 5.097866] ? graph_lock+0x170/0x170
[ 5.098386] ? lock_downgrade+0x8e0/0x8e0
[ 5.098947] ? lock_downgrade+0x8e0/0x8e0
[ 5.099516] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 5.100173] do_invalid_op+0x1b/0x20
[ 5.100681] invalid_op+0x1b/0x40
[ 5.101155] RIP: 0010:umount_check.cold.52+0xde/0x117
[ 5.101846] RSP: 0018:ffff8801d9e4f780 EFLAGS: 00010286
[ 5.102564] RAX: 000000000000005c RBX: 1ffff1003b3c9ef3 RCX:
0000000000000000
[ 5.103526] RDX: 000000000000005c RSI: ffffffff815f2d51 RDI:
ffffed003b3c9ee6
[ 5.104486] RBP: ffff8801d9e4f820 R08: ffff8801d9e44040 R09:
0000000000000006
[ 5.105444] R10: ffff8801d9e44040 R11: 0000000000000000 R12:
0000000000000001
[ 5.106421] R13: ffff8801d5220460 R14: ffff8801d343f090 R15:
0000000000000017
[ 5.107403] ? vprintk_func+0x81/0xe7
[ 5.107927] ? d_find_alias+0x490/0x490
[ 5.108471] ? kasan_check_write+0x14/0x20
[ 5.109047] ? do_raw_spin_lock+0xc1/0x200
[ 5.109627] d_walk+0x3c3/0xc80
[ 5.110082] ? d_find_alias+0x490/0x490
[ 5.110625] ? dget_parent+0x680/0x680
[ 5.111159] ? path_has_submounts+0x1a0/0x1a0
[ 5.111765] ? downgrade_write+0x290/0x290
[ 5.112338] ? do_raw_spin_unlock+0x9e/0x2e0
[ 5.112936] ? do_raw_spin_trylock+0x1b0/0x1b0
[ 5.113558] ? kasan_check_write+0x14/0x20
[ 5.114150] ? do_raw_spin_lock+0xc1/0x200
[ 5.114727] do_one_tree+0x29/0x50
[ 5.115213] shrink_dcache_for_umount+0xbf/0x290
[ 5.115857] ? d_set_mounted+0x2e0/0x2e0
[ 5.116426] ? read_word_at_a_time+0x20/0x20
[ 5.117029] generic_shutdown_super+0xcf/0x520
[ 5.117653] ? quarantine_put+0xeb/0x190
[ 5.118206] ? destroy_super_rcu+0x200/0x200
[ 5.118803] ? selinux_fs_info_free.isra.5+0x1a4/0x250
[ 5.119513] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 5.120188] ? trace_hardirqs_on+0xd/0x10
[ 5.120758] kill_litter_super+0x72/0x90
[ 5.121311] sel_kill_sb+0x21/0x30
[ 5.121797] deactivate_locked_super+0x97/0x100
[ 5.122425] deactivate_super+0x188/0x1b0
[ 5.122990] ? super_setup_bdi+0xb0/0xb0
[ 5.123548] cleanup_mnt+0xbf/0x160
[ 5.124044] __cleanup_mnt+0x16/0x20
[ 5.124574] task_work_run+0x1e4/0x290
[ 5.125105] ? task_work_cancel+0x240/0x240
[ 5.125693] ? exit_to_usermode_loop+0x87/0x310
[ 5.126325] exit_to_usermode_loop+0x2bd/0x310
[ 5.126947] ? syscall_slow_exit_work+0x4f0/0x4f0
[ 5.127613] ? do_syscall_64+0xb7/0x9d0
[ 5.128157] do_syscall_64+0x792/0x9d0
[ 5.128687] ? vmalloc_sync_all+0x30/0x30
[ 5.129252] ? rcu_read_lock_sched_held+0x108/0x120
[ 5.129926] ? syscall_return_slowpath+0x5c0/0x5c0
[ 5.130591] ? syscall_return_slowpath+0x30f/0x5c0
[ 5.131254] ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[ 5.131977] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 5.132630] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 5.133325] RIP: 0033:0x7f1dbac3b3a7
[ 5.133831] RSP: 002b:00007ffe9691d098 EFLAGS: 00000246 ORIG_RAX:
00000000000000a6
[ 5.134849] RAX: 0000000000000000 RBX: 00007f1dbb55f6a0 RCX:
00007f1dbac3b3a7
[ 5.135809] RDX: 0000000000000000 RSI: 0000000000000000 RDI:
0000000000e8e7a0
[ 5.136771] RBP: 0000000000e8e800 R08: 00000000ffffffce R09:
0000000000e8e7a0
[ 5.137731] R10: 0000000000000000 R11: 0000000000000246 R12:
00000000ffffffff
[ 5.138709] R13: 00007ffe9691d46c R14: 0000000000000000 R15:
0000000000000000
[ 5.140135] Dumping ftrace buffer:
[ 5.140717] (ftrace buffer empty)
[ 5.141219] Kernel Offset: disabled
[ 5.141715] Rebooting in 86400 seconds..


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/log.txt?id=4609610350592000


Tested on upstream commit
f605ba97fb80522656c7dce9825a908f1e765b57 (Sat Apr 7 02:44:27 2018 +0000)
Merge tag 'vfio-v4.17-rc1' of git://github.com/awilliam/linux-vfio

compiler: gcc (GCC) 8.0.1 20180301 (experimental)
Patch: https://syzkaller.appspot.com/x/patch.diff?id=4665559010508800
Kernel config:
https://syzkaller.appspot.com/x/.config?id=-771321277174894814


Dmitry Vyukov

Apr 7, 2018, 11:37:18 AM
to syzbot, Jason Wang, Michael S. Tsirkin, Tetsuo Handa, syzkall...@googlegroups.com
/\/\/\

This link turns out to be broken. Something to fix. This one works:
https://syzkaller.appspot.com/text?tag=Error&id=4609610350592000



> Tested on upstream commit
> f605ba97fb80522656c7dce9825a908f1e765b57 (Sat Apr 7 02:44:27 2018 +0000)
> Merge tag 'vfio-v4.17-rc1' of git://github.com/awilliam/linux-vfio
>
> compiler: gcc (GCC) 8.0.1 20180301 (experimental)
> Patch: https://syzkaller.appspot.com/x/patch.diff?id=4665559010508800
> Kernel config:
> https://syzkaller.appspot.com/x/.config?id=-771321277174894814

Dmitry Vyukov

Apr 7, 2018, 11:41:44 AM
to syzbot, Jason Wang, Michael S. Tsirkin, Tetsuo Handa, syzkall...@googlegroups.com, Al Viro
+Al, do you have any ideas about this?
We did not change the image or anything. This happened during init, so no
fuzzing was involved :)
This happened right after vfio-v4.17-rc1 pull.

Tetsuo Handa

Apr 7, 2018, 12:00:18 PM
to dvy...@google.com, syzbot+65a84d...@syzkaller.appspotmail.com, jaso...@redhat.com, m...@redhat.com, syzkall...@googlegroups.com
Dmitry Vyukov wrote:
> > syzbot tried to test the proposed patch but build/boot failed:

OK. Testing request itself is working.

But "syzbot will test the patch on HEAD of the specified git repo/branch."
might be inconvenient. It would be nice if we could test using a specific commit
(especially the one on which syzbot ran trials) so that we can avoid unexpected changes
between the commit as of the report and the commit as of HEAD.

> > Tested on upstream commit
> > f605ba97fb80522656c7dce9825a908f1e765b57 (Sat Apr 7 02:44:27 2018 +0000)
> > Merge tag 'vfio-v4.17-rc1' of git://github.com/awilliam/linux-vfio
> >
> > compiler: gcc (GCC) 8.0.1 20180301 (experimental)
> > Patch: https://syzkaller.appspot.com/x/patch.diff?id=4665559010508800

Well, since the patch description part gets dropped, should we post the test
patch to both syzbot+XXXXXX...@syzkaller.appspotmail.com and
syzkall...@googlegroups.com so that the patch description part remains
visible? If yes, you could clarify "Note: you may send the request only to
syzbot email address" to something like "Note: you may send the request only to syzbot
email addresses (both syzbot+XXXXXX...@syzkaller.appspotmail.com
and syzkall...@googlegroups.com) and relevant persons".

Tetsuo Handa

Apr 7, 2018, 9:51:57 PM
to s...@tycho.nsa.gov, pa...@paul-moore.com, dvy...@google.com, syzbot+65a84d...@syzkaller.appspotmail.com, jaso...@redhat.com, m...@redhat.com, syzkall...@googlegroups.com, vi...@zeniv.linux.org.uk, torv...@linux-foundation.org
Hello.

Commit 0619f0f5e36f12e1 ("selinux: wrap selinuxfs state") is making syzbot
unable to run tests because selinux_null.dentry is still in use upon unmount.
Please fix and send to linux.git so that syzbot can resume testing.

----------------------------------------
+struct path selinux_null;

static int __init init_sel_fs(void)
{
+ struct qstr null_name = QSTR_INIT(NULL_FILE_NAME,
+ sizeof(NULL_FILE_NAME)-1);
int err;

if (!selinux_enabled)
@@ -1945,6 +2022,13 @@ static int __init init_sel_fs(void)
err = PTR_ERR(selinuxfs_mount);
selinuxfs_mount = NULL;
}
+ selinux_null.dentry = d_hash_and_lookup(selinux_null.mnt->mnt_root,
+ &null_name);
+ if (IS_ERR(selinux_null.dentry)) {
+ pr_err("selinuxfs: could not lookup null!\n");
+ err = PTR_ERR(selinux_null.dentry);
+ selinux_null.dentry = NULL;
+ }

return err;
}
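Review bot: the dentry that d_hash_and_lookup() returns in the second hunk is a counted reference, and nothing in this hunk releases it with dput() before selinuxfs is unmounted, which matches the "Dentry ... still in use (1) [unmount of selinuxfs selinuxfs]" warning quoted earlier in this thread; the path that unmounts selinuxfs should dput(selinux_null.dentry) first. A second point in the same hunk: the lookup runs unconditionally after the branch that records PTR_ERR(selinuxfs_mount) and sets selinuxfs_mount = NULL, so on that error path the code still dereferences selinux_null.mnt->mnt_root; the hunk does not show where selinux_null.mnt is assigned, so either confirm it is valid there or bail out on err before the lookup.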
----------------------------------------

Dmitry Vyukov wrote:
> On Sat, Apr 7, 2018 at 5:36 PM, Dmitry Vyukov <dvy...@google.com> wrote:
> > On Sat, Apr 7, 2018 at 5:29 PM, syzbot
> > <syzbot+65a84d...@syzkaller.appspotmail.com> wrote:
> >> Hello,
> >>
> >> syzbot tried to test the proposed patch but build/boot failed:
> >>

Dmitry Vyukov

Apr 8, 2018, 8:17:48 AM
to Tetsuo Handa, syzbot, Jason Wang, Michael S. Tsirkin, syzkall...@googlegroups.com
On Sat, Apr 7, 2018 at 6:00 PM, Tetsuo Handa
<penguin...@i-love.sakura.ne.jp> wrote:
> Dmitry Vyukov wrote:
>> > syzbot tried to test the proposed patch but build/boot failed:
>
> OK. Testing request itself is working.
>
> But "syzbot will test the patch on HEAD of the specified git repo/branch."
> might be inconvenient. It will be nice if we can test using specific commit
> (especially which syzbot ran trials) so that we can avoid unexpected changes
> between commit as of reported and commit as of HEAD.

Hi Tetsuo,

Sounds reasonable, filed
https://github.com/google/syzkaller/issues/558 for this.
I am somewhat overloaded with all the stuff that happens with syzbot,
and sometimes can't even keep up with all emails, so not sure when
exactly I will get to this. But thanks for the suggestion.


>> > Tested on upstream commit
>> > f605ba97fb80522656c7dce9825a908f1e765b57 (Sat Apr 7 02:44:27 2018 +0000)
>> > Merge tag 'vfio-v4.17-rc1' of git://github.com/awilliam/linux-vfio
>> >
>> > compiler: gcc (GCC) 8.0.1 20180301 (experimental)
>> > Patch: https://syzkaller.appspot.com/x/patch.diff?id=4665559010508800
>
> Well, since patch description part gets dropped, we should post the test
> patch to both syzbot+XXXXXX...@syzkaller.appspotmail.com and
> syzkall...@googlegroups.com so that patch description part will remain
> visible? If yes, you can clarify "Note: you may send the request only to
> syzbot email address" like "Note: you may send the request only to syzbot
> email addresses (both syzbot+XXXXXX...@syzkaller.appspotmail.com
> and syzkall...@googlegroups.com ) and relevant persons".


I see what you mean, but I struggle to come up with reasonable text
which is not a page long.
Saying that you may send email _only_ to:
1. syzbot
2. syzkaller-bugs
and 3. relevant persons
which includes both groups of people and mailing list sounds somewhat
awkward. If this is "only", then what's "not only"?
I guess what we actually want to say in this sentence is that "you can
drop kernel lists from CC, because some of them will trigger
patchwork". But this now completely does not capture your point
(though, we never promised to memorize all possible context ;)). So if
you have a good suggestion of how to clearly communicate both points,
I can copy-paste that to the docs.

Stefan Hajnoczi

Apr 8, 2018, 10:37:47 PM
to syzbot, Jason Wang, kvm, linux-kernel, Michael S. Tsirkin, net...@vger.kernel.org, syzkall...@googlegroups.com, Linux Virtualization
On Sat, Apr 7, 2018 at 3:02 AM, syzbot
<syzbot+65a84d...@syzkaller.appspotmail.com> wrote:
> syzbot hit the following crash on upstream commit
> 38c23685b273cfb4ccf31a199feccce3bdcb5d83 (Fri Apr 6 04:29:35 2018 +0000)
> Merge tag 'armsoc-drivers' of
> git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc
> syzbot dashboard link:
> https://syzkaller.appspot.com/bug?extid=65a84dde0214b0387ccd

To prevent duplicated work: I am working on this one.

Stefan

Michael S. Tsirkin

Apr 8, 2018, 10:44:39 PM
to Stefan Hajnoczi, syzbot, Jason Wang, kvm, linux-kernel, net...@vger.kernel.org, syzkall...@googlegroups.com, Linux Virtualization
On Mon, Apr 09, 2018 at 10:37:45AM +0800, Stefan Hajnoczi wrote:
> On Sat, Apr 7, 2018 at 3:02 AM, syzbot
> <syzbot+65a84d...@syzkaller.appspotmail.com> wrote:
> > syzbot hit the following crash on upstream commit
> > 38c23685b273cfb4ccf31a199feccce3bdcb5d83 (Fri Apr 6 04:29:35 2018 +0000)
> > Merge tag 'armsoc-drivers' of
> > git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc
> > syzbot dashboard link:
> > https://syzkaller.appspot.com/bug?extid=65a84dde0214b0387ccd
>
> To prevent duplicated work: I am working on this one.
>
> Stefan

Do you want to try this patchset:
https://lkml.org/lkml/2018/4/5/665

?

--
MST

Stefan Hajnoczi

Apr 8, 2018, 11:28:41 PM
to Michael S. Tsirkin, syzbot, Jason Wang, kvm, linux-kernel, net...@vger.kernel.org, syzkall...@googlegroups.com, Linux Virtualization
Thanks, I'll give it a shot.

I also noticed a regression in commit
d65026c6c62e7d9616c8ceb5a53b68bcdc050525 ("vhost: validate log when
IOTLB is enabled") and am currently testing a fix.

Stefan

Stefan Hajnoczi

Apr 9, 2018, 9:17:37 AM
to Michael S. Tsirkin, syzbot, Jason Wang, kvm, linux-kernel, net...@vger.kernel.org, syzkall...@googlegroups.com, Linux Virtualization
I have sent a fix:
https://lkml.org/lkml/2018/4/9/390

Stefan

Paul Moore

Apr 9, 2018, 4:11:47 PM
to Tetsuo Handa, Stephen Smalley, syzbot+65a84d...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, dvy...@google.com, jaso...@redhat.com, m...@redhat.com, vi...@zeniv.linux.org.uk, Linus Torvalds
To connect Stephen's patch back to this bug (thanks Stephen), this has
been fixed upstream in fd40ffc72e2f ("selinux: fix missing dput()
before selinuxfs unmount").

> Dmitry Vyukov wrote:
>> On Sat, Apr 7, 2018 at 5:36 PM, Dmitry Vyukov <dvy...@google.com> wrote:
>> > On Sat, Apr 7, 2018 at 5:29 PM, syzbot
>> > <syzbot+65a84d...@syzkaller.appspotmail.com> wrote:
>> >> Hello,
>> >>
>> >> syzbot tried to test the proposed patch but build/boot failed:
>> >>
>> >> [ 4.687850] Freeing unused kernel memory: 2852K
>> >> [ 4.688505] Kernel memory protection disabled.
>> >> [ 5.049373] SELinux: Disabled at runtime.
>> >> [ 5.077212] audit: type=1404 audit(1523114449.657:2): selinux=0
>> >> auid=4294967295 ses=4294967295
>> >> [ 5.084255] BUG: Dentry 00000000e8b33924{i=17,n=null} still in use (1)
>> >> [unmount of selinuxfs selinuxfs]
>>
>>
>> +Al, do you have any ideas about this?
>> We did not change image or anything. This happened during init, so no
>> fuzzing involved :)
>> This happened right after vfio-v4.17-rc1 pull.
>>
>>
>> >> [ 5.085725] WARNING: CPU: 1 PID: 1 at fs/dcache.c:1500
>> >> umount_check.cold.52+0xde/0x117
>> >> [ 5.086789] Kernel panic - not syncing: panic_on_warn set ...
>> >> [ 5.086789]



--
paul moore
www.paul-moore.com