Hello,
syzbot found the following issue on:
HEAD commit: 5b33fc6492a7 Merge tag 'sched_ext-for-7.2' of git://git.ke..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14df2b7a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=939bdd06f0288841
dashboard link: https://syzkaller.appspot.com/bug?extid=433936a09a76cdc554a6
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/3051ac5cad9a/disk-5b33fc64.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/82a1893962c3/vmlinux-5b33fc64.xz
kernel image: https://storage.googleapis.com/syzbot-assets/5c02a0772e44/bzImage-5b33fc64.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+433936...@syzkaller.appspotmail.com
Fallback order for Node 0: 0 1
Fallback order for Node 1: 1 0
Built 2 zonelists, mobility grouping on. Total pages: 2097051
Policy zone: Normal
mem auto-init: stack:all(zero), heap alloc:on, heap free:off
stackdepot: allocating hash table via alloc_large_system_hash
stackdepot hash table entries: 1048576 (order: 12, 16777216 bytes, linear)
stackdepot: allocating space for 8192 stack pools via memblock
**********************************************************
** NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE **
** **
** This system shows unhashed kernel memory addresses **
** via the console, logs, and other interfaces. This **
** might reduce the security of your system. **
** **
** If you see this message and you are not debugging **
** the kernel, report this immediately to your system **
** administrator! **
** **
** Use hash_pointers=always to force this mode off **
** **
** NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE **
**********************************************************
SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=2, Nodes=2
allocated 167772160 bytes of page_ext
Node 0, zone DMA: page owner found early allocated 0 pages
Node 0, zone DMA32: page owner found early allocated 21120 pages
Node 0, zone Normal: page owner found early allocated 131 pages
Node 1, zone Normal: page owner found early allocated 19847 pages
Kernel/User page tables isolation: enabled
Dynamic Preempt: full
Running RCU self tests
Running RCU synchronous self tests
rcu: Preemptible hierarchical RCU implementation.
rcu: RCU lockdep checking is enabled.
rcu: RCU restricting CPUs from NR_CPUS=8 to nr_cpu_ids=2.
rcu: RCU callback double-/use-after-free debug is enabled.
rcu: RCU debug extended QS entry/exit.
All grace periods are expedited (rcu_expedited).
Trampoline variant of Tasks RCU enabled.
Tracing variant of Tasks RCU enabled.
rcu: RCU calculated value of scheduler-enlistment delay is 10 jiffies.
rcu: Adjusting geometry for rcu_fanout_leaf=16, nr_cpu_ids=2
Running RCU synchronous self tests
RCU Tasks: Setting shift to 1 and lim to 1 rcu_task_cb_adjust=1 rcu_task_cpu_ids=2.
NR_IRQS: 4352, nr_irqs: 440, preallocated irqs: 16
rcu: srcu_init: Setting srcu_struct sizes based on contention.
clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
=============================
[ BUG: Invalid wait context ]
syzkaller #0 Not tainted
-----------------------------
swapper/0/0 is trying to lock:
ffffffff8e8251e0 (clocksource_mutex){....}-{4:4}, at: __clocksource_register_scale+0x46c/0xc10 kernel/time/clocksource.c:1319
other info that might help us debug this:
context-{5:5}
1 lock held by swapper/0/0:
#0: ffffffff9b1df3f0 (&tkd->lock){....}-{2:2}, at: class_raw_spinlock_irqsave_constructor include/linux/spinlock.h:571 [inline]
#0: ffffffff9b1df3f0 (&tkd->lock){....}-{2:2}, at: timekeeping_init+0x29c/0x440 kernel/time/timekeeping.c:2064
stack backtrace:
CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
print_lock_invalid_wait_context kernel/locking/lockdep.c:4830 [inline]
check_wait_context kernel/locking/lockdep.c:4902 [inline]
__lock_acquire+0xf75/0x1a40 kernel/locking/lockdep.c:5187
lock_acquire kernel/locking/lockdep.c:5868 [inline]
lock_acquire+0x1b9/0x370 kernel/locking/lockdep.c:5825
__mutex_lock_common kernel/locking/mutex.c:646 [inline]
__mutex_lock+0x1a4/0x1bd0 kernel/locking/mutex.c:821
__clocksource_register_scale+0x46c/0xc10 kernel/time/clocksource.c:1319
__clocksource_register include/linux/clocksource.h:273 [inline]
clocksource_default_clock+0x48/0x70 kernel/time/jiffies.c:68
timekeeping_init+0x2aa/0x440 kernel/time/timekeeping.c:2068
start_kernel+0x28a/0x490 init/main.c:1087
x86_64_start_reservations+0x24/0x30 arch/x86/kernel/head64.c:310
x86_64_start_kernel+0x12b/0x130 arch/x86/kernel/head64.c:291
common_startup_64+0x13e/0x158
</TASK>
kfence: initialized - using 2097152 bytes for 255 objects at 0xffff88823be00000-0xffff88823c000000
Console: colour VGA+ 80x25
printk: legacy console [ttyS0] enabled
printk: legacy console [ttyS0] enabled
printk: legacy bootconsole [earlyser0] disabled
printk: legacy bootconsole [earlyser0] disabled
Lock dependency validator: Copyright (c) 2006 Red Hat, Inc., Ingo Molnar
... MAX_LOCKDEP_SUBCLASSES: 8
... MAX_LOCK_DEPTH: 48
... MAX_LOCKDEP_KEYS: 8192
... CLASSHASH_SIZE: 4096
... MAX_LOCKDEP_ENTRIES: 1048576
... MAX_LOCKDEP_CHAINS: 1048576
... CHAINHASH_SIZE: 524288
memory used by lock dependency info: 106625 kB
memory used for stack traces: 8320 kB
per task-struct memory footprint: 1920 bytes
mempolicy: Enabling automatic NUMA balancing. Configure with numa_balancing= or the kernel.numa_balancing sysctl
ACPI: Core revision 20260408
APIC: Switch to symmetric I/O mode setup
x2apic enabled
APIC: Switched APIC routing to: physical x2apic
..TIMER: vector=0x30 apic1=0 pin1=0 apic2=-1 pin2=-1
clocksource: tsc-early: mask: 0xffffffffffffffff max_cycles: 0x1fb63109b96, max_idle_ns: 440795265316 ns
Calibrating delay loop (skipped) preset value.. 4399.99 BogoMIPS (lpj=21999980)
numa_add_cpu cpu 0 node 0: mask now 0
numa_add_cpu cpu 0 node 1: mask now 0
Last level iTLB entries: 4KB 64, 2MB 8, 4MB 8
Last level dTLB entries: 4KB 64, 2MB 32, 4MB 32, 1GB 4
mitigations: Enabled attack vectors: user_kernel, user_user, guest_host, guest_guest, SMT mitigations: auto
Speculative Store Bypass: Mitigation: Speculative Store Bypass disabled via prctl
Spectre V2 : Mitigation: IBRS
RETBleed: Mitigation: IBRS
ITS: Mitigation: Aligned branch/return thunks
Spectre V2 : User space: Mitigation: STIBP via prctl
MDS: Mitigation: Clear CPU buffers
TAA: Mitigation: Clear CPU buffers
MMIO Stale Data: Vulnerable: Clear CPU buffers attempted, no microcode
Spectre V1 : Mitigation: usercopy/swapgs barriers and __user pointer sanitization
Spectre V2 : Spectre v2 / SpectreRSB: Filling RSB on context switch and VMEXIT
Spectre V2 : mitigation: Enabling conditional Indirect Branch Prediction Barrier
active return thunk: its_return_thunk
Spectre V2 : Spectre BHI mitigation: SW BHB clearing on syscall and VM exit
x86/fpu: Supporting XSAVE feature 0x001: 'x87 floating point registers'
x86/fpu: Supporting XSAVE feature 0x002: 'SSE registers'
x86/fpu: Supporting XSAVE feature 0x004: 'AVX registers'
x86/fpu: xstate_offset[2]: 576, xstate_sizes[2]: 256
x86/fpu: Enabled xstate features 0x7, context size is 832 bytes, using 'standard' format.
pid_max: default: 32768 minimum: 301
landlock: Up and running.
Yama: becoming mindful.
TOMOYO Linux initialized
AppArmor: AppArmor initialized
LSM support for eBPF active
Dentry cache hash table entries: 1048576 (order: 11, 8388608 bytes, vmalloc hugepage)
Inode-cache hash table entries: 524288 (order: 10, 4194304 bytes, vmalloc hugepage)
Mount-cache hash table entries: 16384 (order: 5, 131072 bytes, vmalloc)
Mountpoint-cache hash table entries: 16384 (order: 5, 131072 bytes, vmalloc)
VFS: Finished mounting rootfs on nullfs
Running RCU synchronous self tests
Running RCU synchronous self tests
numa_add_cpu cpu 1 node 0: mask now 0-1
numa_add_cpu cpu 1 node 1: mask now 0-1
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite the report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup