[syzbot] [afs?] WARNING: lock held when returning to user space in afs_proc_addr_prefs_write


syzbot

Dec 25, 2024, 4:54:23 PM
to dhow...@redhat.com, linu...@lists.infradead.org, linux-...@vger.kernel.org, marc....@auristor.com, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 499551201b5f Merge tag 'arm64-fixes' of git://git.kernel.o..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=153420c4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=c22efbd20f8da769
dashboard link: https://syzkaller.appspot.com/bug?extid=76f33569875eb708e575
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1503ef30580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17d33cf8580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/5ee1fc255de9/disk-49955120.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/24f10c9fac9a/vmlinux-49955120.xz
kernel image: https://storage.googleapis.com/syzbot-assets/211e35102c2e/bzImage-49955120.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+76f335...@syzkaller.appspotmail.com

netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
kafs: addr_prefs: Too many elements in string
================================================
WARNING: lock held when returning to user space!
6.13.0-rc3-syzkaller-00209-g499551201b5f #0 Not tainted
------------------------------------------------
syz-executor133/5823 is leaving the kernel with locks still held!
1 lock held by syz-executor133/5823:
#0: ffff888071cffc00 (&sb->s_type->i_mutex_key#9){++++}-{4:4}, at: inode_lock include/linux/fs.h:818 [inline]
#0: ffff888071cffc00 (&sb->s_type->i_mutex_key#9){++++}-{4:4}, at: afs_proc_addr_prefs_write+0x2bb/0x14e0 fs/afs/addr_prefs.c:388


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Lizhi Xu

Dec 25, 2024, 8:05:13 PM
to syzbot+76f335...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
#syz test

diff --git a/fs/afs/addr_prefs.c b/fs/afs/addr_prefs.c
index a189ff8a5034..ba391f8558d5 100644
--- a/fs/afs/addr_prefs.c
+++ b/fs/afs/addr_prefs.c
@@ -413,8 +413,6 @@ int afs_proc_addr_prefs_write(struct file *file, char *buf, size_t size)

do {
argc = afs_split_string(&buf, argv, ARRAY_SIZE(argv));
- if (argc < 0)
- return argc;
if (argc < 2)
goto inval;
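Review bot: dropping the `if (argc < 0) return argc;` pair does stop the inode lock from leaking, but it also discards the error code afs_split_string() returns; a negative argc now falls through to `if (argc < 2) goto inval;`, so the caller gets the generic invalid-argument result instead of the errno the splitter chose (and already logged, as the "Too many elements in string" line in the report shows). Keep the check and route it through the function's cleanup label instead, e.g. `if (argc < 0) { ret = argc; goto done; }`, so the lock is released and the original error is preserved.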

syzbot

Dec 25, 2024, 8:25:05 PM
to linux-...@vger.kernel.org, lizh...@windriver.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+76f335...@syzkaller.appspotmail.com
Tested-by: syzbot+76f335...@syzkaller.appspotmail.com

Tested on:

commit: 9b2ffa61 Merge tag 'mtd/fixes-for-6.13-rc5' of git://g..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=137b8018580000
kernel config: https://syzkaller.appspot.com/x/.config?x=c078001e66e4a17e
dashboard link: https://syzkaller.appspot.com/bug?extid=76f33569875eb708e575
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=10731adf980000

Note: testing is done by a robot and is best-effort only.

Lizhi Xu

Dec 25, 2024, 8:26:50 PM
to syzbot+76f335...@syzkaller.appspotmail.com, dhow...@redhat.com, linu...@lists.infradead.org, linux-...@vger.kernel.org, marc....@auristor.com, syzkall...@googlegroups.com
syzbot reported a lock held when returning to user space. [1]

If argc is less than 0 and the function returns directly, the held inode
lock is not released. Combine it with less than 2.

[1]
WARNING: lock held when returning to user space!
6.13.0-rc3-syzkaller-00209-g499551201b5f #0 Not tainted
------------------------------------------------
syz-executor133/5823 is leaving the kernel with locks still held!
1 lock held by syz-executor133/5823:
#0: ffff888071cffc00 (&sb->s_type->i_mutex_key#9){++++}-{4:4}, at: inode_lock include/linux/fs.h:818 [inline]
#0: ffff888071cffc00 (&sb->s_type->i_mutex_key#9){++++}-{4:4}, at: afs_proc_addr_prefs_write+0x2bb/0x14e0 fs/afs/addr_prefs.c:388

Reported-by: syzbot+76f335...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=76f33569875eb708e575
Tested-by: syzbot+76f335...@syzkaller.appspotmail.com
Signed-off-by: Lizhi Xu <lizh...@windriver.com>
---
fs/afs/addr_prefs.c | 2 --
1 file changed, 2 deletions(-)
--
2.43.0

David Howells

Jan 6, 2025, 8:48:44 AM
to Lizhi Xu, dhow...@redhat.com, syzbot+76f335...@syzkaller.appspotmail.com, linu...@lists.infradead.org, linux-...@vger.kernel.org, marc....@auristor.com, syzkall...@googlegroups.com
Lizhi Xu <lizh...@windriver.com> wrote:

> argc = afs_split_string(&buf, argv, ARRAY_SIZE(argv));
> - if (argc < 0)
> - return argc;
> if (argc < 2)
> goto inval;

I think this needs to be slightly different. afs_split_string() will print
error messages and can return an error code, so we should go with that and set
ret to argc and go to done, not inval.

David
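The bug and the two candidate fixes discussed in this thread, as an added example that is not code from the thread or from fs/afs: the inode lock, the string splitter and the write routine are constructed models, and a hold counter stands in for lockdep's "lock held when returning to user space" check. The `early_return` flag reproduces the original `return argc` inside the locked region; with it cleared the function takes the `ret = argc; goto done;` path.

```c
#include <assert.h>
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for lockdep's count of locks held by the task. */
static int locks_held;

static void mock_inode_lock(void)   { locks_held++; }
static void mock_inode_unlock(void) { locks_held--; }

/*
 * Constructed splitter modelled on the behaviour described in the thread:
 * splits one whitespace-separated line of *pbuf in place, fills argv,
 * advances *pbuf past the line and returns the element count.  Like the
 * real function it logs and fails with -EINVAL when the line has too many
 * elements; the array is sized for the elements plus a NULL terminator.
 */
static int mock_split_string(char **pbuf, char *argv[], int maxargv)
{
	char *p = *pbuf;
	int count = 0;

	maxargv--;				/* room for the terminating NULL */
	for (;;) {
		while (*p == ' ' || *p == '\t')
			p++;
		if (*p == '\0' || *p == '\n')
			break;
		if (count >= maxargv) {
			fprintf(stderr, "addr_prefs: Too many elements in string\n");
			return -EINVAL;
		}
		argv[count++] = p;
		while (*p && !isspace((unsigned char)*p))
			p++;
		if (*p == '\0' || *p == '\n')
			break;
		*p++ = '\0';
	}
	if (*p == '\n')
		*p++ = '\0';
	*pbuf = p;
	argv[count] = NULL;
	return count;
}

/*
 * Model of afs_proc_addr_prefs_write(): takes the inode lock, parses
 * "<key> <value>" lines and must drop the lock on every exit.  Returns the
 * number of rules parsed, or a negative errno.
 */
static int prefs_write(char *buf, int early_return)
{
	char *argv[4];
	int argc, rules = 0, ret;

	mock_inode_lock();
	do {
		argc = mock_split_string(&buf, argv, 4);
		if (argc < 0) {
			if (early_return)
				return argc;	/* BUG: leaves with the lock held */
			ret = argc;		/* fix: keep the errno, clean up */
			goto done;
		}
		if (argc < 2)
			goto inval;
		rules++;			/* a real rule would be applied here */
	} while (*buf);
	ret = rules;
done:
	mock_inode_unlock();
	return ret;
inval:
	ret = -EINVAL;
	goto done;
}

/* Runs one write on a fresh copy of input; locks_held afterwards tells
 * whether the task would have returned to user space with the lock held. */
static int run_write(const char *input, int early_return)
{
	char buf[128];

	strncpy(buf, input, sizeof(buf) - 1);
	buf[sizeof(buf) - 1] = '\0';
	locks_held = 0;
	return prefs_write(buf, early_return);
}
```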

David Howells

Jan 6, 2025, 9:07:01 AM
to syzbot, dhow...@redhat.com, linu...@lists.infradead.org, linux-...@vger.kernel.org, marc....@auristor.com, syzkall...@googlegroups.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

afs: Merge preference rule failure condition

syzbot reported a lock held when returning to userspace[1]. This is
because if argc is less than 0 and the function returns directly, the held
inode lock is not released.

Fix this by storing the error in ret and jumping to done to clean up instead of
returning directly.

[dh: Modified Lizhi Xu's original patch to make it honour the error code
from afs_split_string()]

[1]
WARNING: lock held when returning to user space!
6.13.0-rc3-syzkaller-00209-g499551201b5f #0 Not tainted
------------------------------------------------
syz-executor133/5823 is leaving the kernel with locks still held!
1 lock held by syz-executor133/5823:
#0: ffff888071cffc00 (&sb->s_type->i_mutex_key#9){++++}-{4:4}, at: inode_lock include/linux/fs.h:818 [inline]
#0: ffff888071cffc00 (&sb->s_type->i_mutex_key#9){++++}-{4:4}, at: afs_proc_addr_prefs_write+0x2bb/0x14e0 fs/afs/addr_prefs.c:388

Signed-off-by: Lizhi Xu <lizh...@windriver.com>
Signed-off-by: David Howells <dhow...@redhat.com>
cc: Marc Dionne <marc....@auristor.com>
cc: linu...@lists.infradead.org
Link: https://lore.kernel.org/r/20241226012616.2...@windriver.com/
---
diff --git a/fs/afs/addr_prefs.c b/fs/afs/addr_prefs.c
index a189ff8a5034..c0384201b8fe 100644
--- a/fs/afs/addr_prefs.c
+++ b/fs/afs/addr_prefs.c
@@ -413,8 +413,10 @@ int afs_proc_addr_prefs_write(struct file *file, char *buf, size_t size)

do {
argc = afs_split_string(&buf, argv, ARRAY_SIZE(argv));
- if (argc < 0)
- return argc;
+ if (argc < 0) {
+ ret = argc;
+ goto done;
+ }
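Review bot: the new `ret = argc; goto done;` branch depends on `done:` being the common exit that drops the inode lock taken at fs/afs/addr_prefs.c:388 and returns `ret`; both the label and the unlock lie outside the hunk's context, so confirm that nothing initialised between the lock and this loop needs releasing on this path and that `ret` is not overwritten after the jump. It would also help the commit message to name the errno values afs_split_string() can return, since preserving them (rather than the `inval` fallthrough of the earlier patch) is the point of this version.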

syzbot

Jan 6, 2025, 9:27:05 AM
to dhow...@redhat.com, linu...@lists.infradead.org, linux-...@vger.kernel.org, marc....@auristor.com, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

[ 2.883042][ T22] ------------[ cut here ]------------
[ 2.883042][ T22] workqueue: work disable count underflowed
[ 2.883042][ T22] WARNING: CPU: 1 PID: 22 at kernel/workqueue.c:4317 enable_work+0x2fa/0x340
[ 2.883042][ T22] Modules linked in:
[ 2.883554][ T22] CPU: 1 UID: 0 PID: 22 Comm: cpuhp/1 Not tainted 6.13.0-rc6-syzkaller-g9d89551994a4-dirty #0
[ 2.888609][ T22] Call Trace:
[ 2.888609][ T22] <TASK>
[ 2.888609][ T22] ? __warn+0xea/0x3c0
[ 2.888609][ T22] ? enable_work+0x2fa/0x340
[ 2.888609][ T22] ? report_bug+0x3c0/0x580
[ 2.888609][ T22] ? handle_bug+0x54/0xa0
[ 2.888609][ T22] ? exc_invalid_op+0x17/0x50
[ 2.888609][ T22] ? asm_exc_invalid_op+0x1a/0x20
[ 2.888609][ T22] ? __pfx_vmstat_cpu_online+0x10/0x10
[ 2.888609][ T22] ? __warn_printk+0x199/0x350
[ 2.888609][ T22] ? __warn_printk+0x1a6/0x350
[ 2.888609][ T22] ? enable_work+0x2fa/0x340
[ 2.888609][ T22] ? __pfx_enable_work+0x10/0x10
[ 2.888609][ T22] vmstat_cpu_online+0x83/0xf0
[ 2.888609][ T22] cpuhp_invoke_callback+0x3d0/0xa10
[ 2.888609][ T22] ? __pfx_vmstat_cpu_online+0x10/0x10
[ 2.888609][ T22] ? lock_acquire.part.0+0x2e0/0x380
[ 2.888609][ T22] ? cpuhp_next_state+0x100/0x1c0
[ 2.888609][ T22] cpuhp_thread_fun+0x480/0x6f0
[ 2.888609][ T22] ? __pfx_cpuhp_thread_fun+0x10/0x10
[ 2.888609][ T22] ? __pfx_cpuhp_thread_fun+0x10/0x10
[ 2.888609][ T22] ? smpboot_thread_fn+0x59d/0xa30
[ 2.888609][ T22] smpboot_thread_fn+0x661/0xa30
[ 2.888609][ T22] ? __kthread_parkme+0x148/0x220
[ 2.888609][ T22] ? __pfx_smpboot_thread_fn+0x10/0x10
[ 2.888609][ T22] kthread+0x2c1/0x3a0
[ 2.888609][ T22] ? _raw_spin_unlock_irq+0x23/0x50
[ 2.888609][ T22] ? __pfx_kthread+0x10/0x10
[ 2.888609][ T22] ret_from_fork+0x45/0x80
[ 2.888609][ T22] ? __pfx_kthread+0x10/0x10
[ 2.888609][ T22] ret_from_fork_asm+0x1a/0x30
[ 2.888609][ T22] </TASK>
[ 2.888609][ T22] Kernel panic - not syncing: kernel: panic_on_warn set ...


syzkaller build log:
Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=121736f8580000


Tested on:

commit: 9d895519 Linux 6.13-rc6
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=ad08f7f48e13abcd
dashboard link: https://syzkaller.appspot.com/bug?extid=76f33569875eb708e575
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=11671edf980000

David Howells

Jan 6, 2025, 11:44:56 AM
to syzbot, dhow...@redhat.com, linu...@lists.infradead.org, linux-...@vger.kernel.org, marc....@auristor.com, syzkall...@googlegroups.com
[Retrying due to previous boot failure]

afs: Merge preference rule failure condition

syzbot reported a lock held when returning to userspace[1]. This is
because if argc is less than 0 and the function returns directly, the held
inode lock is not released.

Fix this by storing the error in ret and jumping to done to clean up instead of
returning directly.

[dh: Modified Lizhi Xu's original patch to make it honour the error code
from afs_split_string()]

[1]
WARNING: lock held when returning to user space!
6.13.0-rc3-syzkaller-00209-g499551201b5f #0 Not tainted
------------------------------------------------
syz-executor133/5823 is leaving the kernel with locks still held!
1 lock held by syz-executor133/5823:
#0: ffff888071cffc00 (&sb->s_type->i_mutex_key#9){++++}-{4:4}, at: inode_lock include/linux/fs.h:818 [inline]
#0: ffff888071cffc00 (&sb->s_type->i_mutex_key#9){++++}-{4:4}, at: afs_proc_addr_prefs_write+0x2bb/0x14e0 fs/afs/addr_prefs.c:388

syzbot

Jan 6, 2025, 12:05:04 PM
to dhow...@redhat.com, linu...@lists.infradead.org, linux-...@vger.kernel.org, marc....@auristor.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+76f335...@syzkaller.appspotmail.com
Tested-by: syzbot+76f335...@syzkaller.appspotmail.com

Tested on:

commit: 13563da6 Merge tag 'vfio-v6.13-rc7' of https://github...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=154cb6f8580000
kernel config: https://syzkaller.appspot.com/x/.config?x=ad08f7f48e13abcd
dashboard link: https://syzkaller.appspot.com/bug?extid=76f33569875eb708e575
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=164dc4b0580000