BUG: sleeping function called from invalid context in ep_ptable_queue_proc


syzbot

Dec 14, 2021, 10:59:26 AM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 3f8a27f9e27b Linux 4.19.211
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=171c1f89b00000
kernel config: https://syzkaller.appspot.com/x/.config?x=9b9277b418617afe
dashboard link: https://syzkaller.appspot.com/bug?extid=bef6240acec16c72790c
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+bef624...@syzkaller.appspotmail.com

BUG: sleeping function called from invalid context at mm/slab.h:422
in_atomic(): 1, irqs_disabled(): 1, pid: 12104, name: syz-executor.5
3 locks held by syz-executor.5/12104:
#0: 00000000d1c83976 (&ep->mtx){+.+.}, at: __do_sys_epoll_ctl fs/eventpoll.c:2075 [inline]
#0: 00000000d1c83976 (&ep->mtx){+.+.}, at: __se_sys_epoll_ctl+0x5d2/0x2b90 fs/eventpoll.c:1997
#1: 00000000dc56f60b (&dev->dev_mutex){+.+.}, at: v4l2_m2m_fop_poll+0x91/0x110 drivers/media/v4l2-core/v4l2-mem2mem.c:1056
#2: 00000000c34c36e3 (&(&q->done_lock)->rlock){....}, at: v4l2_m2m_poll+0x140/0x720 drivers/media/v4l2-core/v4l2-mem2mem.c:623
irq event stamp: 266
hardirqs last enabled at (265): [<ffffffff881950e9>] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline]
hardirqs last enabled at (265): [<ffffffff881950e9>] _raw_spin_unlock_irqrestore+0x79/0xe0 kernel/locking/spinlock.c:184
hardirqs last disabled at (266): [<ffffffff88194d76>] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline]
hardirqs last disabled at (266): [<ffffffff88194d76>] _raw_spin_lock_irqsave+0x66/0xc0 kernel/locking/spinlock.c:152
softirqs last enabled at (0): [<ffffffff81370d39>] copy_process.part.0+0x15b9/0x8260 kernel/fork.c:1856
softirqs last disabled at (0): [<0000000000000000>] (null)
Preemption disabled at:
[<0000000000000000>] (null)
CPU: 1 PID: 12104 Comm: syz-executor.5 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
___might_sleep.cold+0x235/0x250 kernel/sched/core.c:6192
slab_pre_alloc_hook mm/slab.h:422 [inline]
slab_alloc mm/slab.c:3383 [inline]
kmem_cache_alloc+0x26d/0x370 mm/slab.c:3557
ep_ptable_queue_proc+0xaf/0x390 fs/eventpoll.c:1242
poll_wait include/linux/poll.h:51 [inline]
v4l2_m2m_poll+0x633/0x720 drivers/media/v4l2-core/v4l2-mem2mem.c:625
v4l2_m2m_fop_poll+0xa4/0x110 drivers/media/v4l2-core/v4l2-mem2mem.c:1058
v4l2_poll+0x146/0x1f0 drivers/media/v4l2-core/v4l2-dev.c:350
vfs_poll include/linux/poll.h:90 [inline]
ep_item_poll+0x14a/0x3e0 fs/eventpoll.c:890
ep_insert fs/eventpoll.c:1479 [inline]
__do_sys_epoll_ctl fs/eventpoll.c:2112 [inline]
__se_sys_epoll_ctl+0x1b04/0x2b90 fs/eventpoll.c:1997
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f8f08901e99
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f8f07277168 EFLAGS: 00000246 ORIG_RAX: 00000000000000e9
RAX: ffffffffffffffda RBX: 00007f8f08a14f60 RCX: 00007f8f08901e99
RDX: 0000000000000003 RSI: 0000000000000001 RDI: 0000000000000004
RBP: 00007f8f0895bff1 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000200000c0 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffda3cb784f R14: 00007f8f07277300 R15: 0000000000022000


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Dec 14, 2021, 11:16:28 AM
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: 3f8a27f9e27b Linux 4.19.211
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=115d627db00000
kernel config: https://syzkaller.appspot.com/x/.config?x=9b9277b418617afe
dashboard link: https://syzkaller.appspot.com/bug?extid=bef6240acec16c72790c
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=134aa213b00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15e3c7ceb00000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+bef624...@syzkaller.appspotmail.com

BUG: sleeping function called from invalid context at mm/slab.h:422
in_atomic(): 1, irqs_disabled(): 1, pid: 8079, name: syz-executor600
3 locks held by syz-executor600/8079:
#0: 000000009bffcb92 (&ep->mtx){+.+.}, at: __do_sys_epoll_ctl fs/eventpoll.c:2075 [inline]
#0: 000000009bffcb92 (&ep->mtx){+.+.}, at: __se_sys_epoll_ctl+0x5d2/0x2b90 fs/eventpoll.c:1997
#1: 000000004d57ee7f (&dev->dev_mutex){+.+.}, at: v4l2_m2m_fop_poll+0x91/0x110 drivers/media/v4l2-core/v4l2-mem2mem.c:1056
#2: 00000000cf77bdf7 (&(&q->done_lock)->rlock){....}, at: v4l2_m2m_poll+0x140/0x720 drivers/media/v4l2-core/v4l2-mem2mem.c:623
irq event stamp: 6608
hardirqs last enabled at (6607): [<ffffffff881950e9>] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline]
hardirqs last enabled at (6607): [<ffffffff881950e9>] _raw_spin_unlock_irqrestore+0x79/0xe0 kernel/locking/spinlock.c:184
hardirqs last disabled at (6608): [<ffffffff88194d76>] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline]
hardirqs last disabled at (6608): [<ffffffff88194d76>] _raw_spin_lock_irqsave+0x66/0xc0 kernel/locking/spinlock.c:152
softirqs last enabled at (6404): [<ffffffff88400678>] __do_softirq+0x678/0x980 kernel/softirq.c:318
softirqs last disabled at (6381): [<ffffffff813927d5>] invoke_softirq kernel/softirq.c:372 [inline]
softirqs last disabled at (6381): [<ffffffff813927d5>] irq_exit+0x215/0x260 kernel/softirq.c:412
Preemption disabled at:
[<0000000000000000>] (null)
CPU: 0 PID: 8079 Comm: syz-executor600 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
___might_sleep.cold+0x235/0x250 kernel/sched/core.c:6192
slab_pre_alloc_hook mm/slab.h:422 [inline]
slab_alloc mm/slab.c:3383 [inline]
kmem_cache_alloc+0x26d/0x370 mm/slab.c:3557
ep_ptable_queue_proc+0xaf/0x390 fs/eventpoll.c:1242
poll_wait include/linux/poll.h:51 [inline]
v4l2_m2m_poll+0x633/0x720 drivers/media/v4l2-core/v4l2-mem2mem.c:625
v4l2_m2m_fop_poll+0xa4/0x110 drivers/media/v4l2-core/v4l2-mem2mem.c:1058
v4l2_poll+0x146/0x1f0 drivers/media/v4l2-core/v4l2-dev.c:350
vfs_poll include/linux/poll.h:90 [inline]
ep_item_poll+0x14a/0x3e0 fs/eventpoll.c:890
ep_insert fs/eventpoll.c:1479 [inline]
__do_sys_epoll_ctl fs/eventpoll.c:2112 [inline]
__se_sys_epoll_ctl+0x1b04/0x2b90 fs/eventpoll.c:1997
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7fe37b3b71e9
Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc7e718ac8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e9

syzbot

Dec 14, 2021, 11:48:23 AM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 9dfbac0e6b86 Linux 4.14.258
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=117f6583b00000
kernel config: https://syzkaller.appspot.com/x/.config?x=9cac3dc48a267418
dashboard link: https://syzkaller.appspot.com/bug?extid=da7361728feac64d0c3b
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+da7361...@syzkaller.appspotmail.com

BUG: sleeping function called from invalid context at mm/slab.h:419
in_atomic(): 1, irqs_disabled(): 1, pid: 9994, name: syz-executor.0
3 locks held by syz-executor.0/9994:
#0: (&ep->mtx){+.+.}, at: [<ffffffff8196a296>] SYSC_epoll_ctl fs/eventpoll.c:2080 [inline]
#0: (&ep->mtx){+.+.}, at: [<ffffffff8196a296>] SyS_epoll_ctl+0x516/0x2780 fs/eventpoll.c:2002
#1: (&dev->dev_mutex){+.+.}, at: [<ffffffff84c03981>] v4l2_m2m_fop_poll+0x91/0x110 drivers/media/v4l2-core/v4l2-mem2mem.c:802
#2: (&(&q->done_lock)->rlock){....}, at: [<ffffffff84c02d36>] v4l2_m2m_poll+0x116/0x670 drivers/media/v4l2-core/v4l2-mem2mem.c:536
irq event stamp: 272
hardirqs last enabled at (271): [<ffffffff8723f9d9>] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline]
hardirqs last enabled at (271): [<ffffffff8723f9d9>] _raw_spin_unlock_irqrestore+0x79/0xe0 kernel/locking/spinlock.c:192
hardirqs last disabled at (272): [<ffffffff8723f666>] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline]
hardirqs last disabled at (272): [<ffffffff8723f666>] _raw_spin_lock_irqsave+0x66/0xc0 kernel/locking/spinlock.c:160
softirqs last enabled at (0): [<ffffffff81304b90>] copy_process.part.0+0x12d0/0x71c0 kernel/fork.c:1734
softirqs last disabled at (0): [< (null)>] (null)
Preemption disabled at:
[< (null)>] (null)
CPU: 1 PID: 9994 Comm: syz-executor.0 Not tainted 4.14.258-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x1b2/0x281 lib/dump_stack.c:58
___might_sleep.cold+0x235/0x250 kernel/sched/core.c:6041
slab_pre_alloc_hook mm/slab.h:419 [inline]
slab_alloc mm/slab.c:3376 [inline]
kmem_cache_alloc+0x284/0x3c0 mm/slab.c:3550
ep_ptable_queue_proc+0x9e/0x370 fs/eventpoll.c:1255
poll_wait include/linux/poll.h:50 [inline]
v4l2_m2m_poll+0x583/0x670 drivers/media/v4l2-core/v4l2-mem2mem.c:538
v4l2_m2m_fop_poll+0xa4/0x110 drivers/media/v4l2-core/v4l2-mem2mem.c:804
v4l2_poll+0x133/0x1d0 drivers/media/v4l2-core/v4l2-dev.c:342
ep_item_poll fs/eventpoll.c:885 [inline]
ep_insert fs/eventpoll.c:1490 [inline]
SYSC_epoll_ctl fs/eventpoll.c:2117 [inline]
SyS_epoll_ctl+0x14af/0x2780 fs/eventpoll.c:2002
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x7f946a155e99
RSP: 002b:00007f9468acb168 EFLAGS: 00000246 ORIG_RAX: 00000000000000e9
RAX: ffffffffffffffda RBX: 00007f946a268f60 RCX: 00007f946a155e99
RDX: 0000000000000003 RSI: 0000000000000001 RDI: 0000000000000004
RBP: 00007f946a1afff1 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000200000c0 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffed5ac970f R14: 00007f9468acb300 R15: 0000000000022000

syzbot

Dec 14, 2021, 12:54:32 PM
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: 9dfbac0e6b86 Linux 4.14.258
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=164e0213b00000
kernel config: https://syzkaller.appspot.com/x/.config?x=9cac3dc48a267418
dashboard link: https://syzkaller.appspot.com/bug?extid=da7361728feac64d0c3b
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1260d615b00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=168134bab00000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+da7361...@syzkaller.appspotmail.com

BUG: sleeping function called from invalid context at mm/slab.h:419
in_atomic(): 1, irqs_disabled(): 1, pid: 7980, name: syz-executor774
3 locks held by syz-executor774/7980:
#0: (&ep->mtx){+.+.}, at: [<ffffffff8196a296>] SYSC_epoll_ctl fs/eventpoll.c:2080 [inline]
#0: (&ep->mtx){+.+.}, at: [<ffffffff8196a296>] SyS_epoll_ctl+0x516/0x2780 fs/eventpoll.c:2002
#1: (&dev->dev_mutex){+.+.}, at: [<ffffffff84c03981>] v4l2_m2m_fop_poll+0x91/0x110 drivers/media/v4l2-core/v4l2-mem2mem.c:802
#2: (&(&q->done_lock)->rlock){....}, at: [<ffffffff84c02d36>] v4l2_m2m_poll+0x116/0x670 drivers/media/v4l2-core/v4l2-mem2mem.c:536
irq event stamp: 6648
hardirqs last enabled at (6647): [<ffffffff8723f9d9>] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline]
hardirqs last enabled at (6647): [<ffffffff8723f9d9>] _raw_spin_unlock_irqrestore+0x79/0xe0 kernel/locking/spinlock.c:192
hardirqs last disabled at (6648): [<ffffffff8723f666>] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline]
hardirqs last disabled at (6648): [<ffffffff8723f666>] _raw_spin_lock_irqsave+0x66/0xc0 kernel/locking/spinlock.c:160
softirqs last enabled at (3068): [<ffffffff8760068b>] __do_softirq+0x68b/0x9ff kernel/softirq.c:314
softirqs last disabled at (3043): [<ffffffff81321d13>] invoke_softirq kernel/softirq.c:368 [inline]
softirqs last disabled at (3043): [<ffffffff81321d13>] irq_exit+0x193/0x240 kernel/softirq.c:409
Preemption disabled at:
[< (null)>] (null)
CPU: 1 PID: 7980 Comm: syz-executor774 Not tainted 4.14.258-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x1b2/0x281 lib/dump_stack.c:58
___might_sleep.cold+0x235/0x250 kernel/sched/core.c:6041
slab_pre_alloc_hook mm/slab.h:419 [inline]
slab_alloc mm/slab.c:3376 [inline]
kmem_cache_alloc+0x284/0x3c0 mm/slab.c:3550
ep_ptable_queue_proc+0x9e/0x370 fs/eventpoll.c:1255
poll_wait include/linux/poll.h:50 [inline]
v4l2_m2m_poll+0x583/0x670 drivers/media/v4l2-core/v4l2-mem2mem.c:538
v4l2_m2m_fop_poll+0xa4/0x110 drivers/media/v4l2-core/v4l2-mem2mem.c:804
v4l2_poll+0x133/0x1d0 drivers/media/v4l2-core/v4l2-dev.c:342
ep_item_poll fs/eventpoll.c:885 [inline]
ep_insert fs/eventpoll.c:1490 [inline]
SYSC_epoll_ctl fs/eventpoll.c:2117 [inline]
SyS_epoll_ctl+0x14af/0x2780 fs/eventpoll.c:2002
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x7f73a66dc1e9
RSP: 002b:00007ffd74d8c338 EFLAGS: 00000246 ORIG_RAX: 00000000000
