Hello,
syzbot found the following issue on:
HEAD commit: 9dfbac0e6b86 Linux 4.14.258
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=117f6583b00000
kernel config: https://syzkaller.appspot.com/x/.config?x=9cac3dc48a267418
dashboard link: https://syzkaller.appspot.com/bug?extid=da7361728feac64d0c3b
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+da7361...@syzkaller.appspotmail.com
BUG: sleeping function called from invalid context at mm/slab.h:419
in_atomic(): 1, irqs_disabled(): 1, pid: 9994, name: syz-executor.0
3 locks held by syz-executor.0/9994:
#0: (&ep->mtx){+.+.}, at: [<ffffffff8196a296>] SYSC_epoll_ctl fs/eventpoll.c:2080 [inline]
#0: (&ep->mtx){+.+.}, at: [<ffffffff8196a296>] SyS_epoll_ctl+0x516/0x2780 fs/eventpoll.c:2002
#1: (&dev->dev_mutex){+.+.}, at: [<ffffffff84c03981>] v4l2_m2m_fop_poll+0x91/0x110 drivers/media/v4l2-core/v4l2-mem2mem.c:802
#2: (&(&q->done_lock)->rlock){....}, at: [<ffffffff84c02d36>] v4l2_m2m_poll+0x116/0x670 drivers/media/v4l2-core/v4l2-mem2mem.c:536
irq event stamp: 272
hardirqs last enabled at (271): [<ffffffff8723f9d9>] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline]
hardirqs last enabled at (271): [<ffffffff8723f9d9>] _raw_spin_unlock_irqrestore+0x79/0xe0 kernel/locking/spinlock.c:192
hardirqs last disabled at (272): [<ffffffff8723f666>] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline]
hardirqs last disabled at (272): [<ffffffff8723f666>] _raw_spin_lock_irqsave+0x66/0xc0 kernel/locking/spinlock.c:160
softirqs last enabled at (0): [<ffffffff81304b90>] copy_process.part.0+0x12d0/0x71c0 kernel/fork.c:1734
softirqs last disabled at (0): [< (null)>] (null)
Preemption disabled at:
[< (null)>] (null)
CPU: 1 PID: 9994 Comm: syz-executor.0 Not tainted 4.14.258-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x1b2/0x281 lib/dump_stack.c:58
___might_sleep.cold+0x235/0x250 kernel/sched/core.c:6041
slab_pre_alloc_hook mm/slab.h:419 [inline]
slab_alloc mm/slab.c:3376 [inline]
kmem_cache_alloc+0x284/0x3c0 mm/slab.c:3550
ep_ptable_queue_proc+0x9e/0x370 fs/eventpoll.c:1255
poll_wait include/linux/poll.h:50 [inline]
v4l2_m2m_poll+0x583/0x670 drivers/media/v4l2-core/v4l2-mem2mem.c:538
v4l2_m2m_fop_poll+0xa4/0x110 drivers/media/v4l2-core/v4l2-mem2mem.c:804
v4l2_poll+0x133/0x1d0 drivers/media/v4l2-core/v4l2-dev.c:342
ep_item_poll fs/eventpoll.c:885 [inline]
ep_insert fs/eventpoll.c:1490 [inline]
SYSC_epoll_ctl fs/eventpoll.c:2117 [inline]
SyS_epoll_ctl+0x14af/0x2780 fs/eventpoll.c:2002
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x7f946a155e99
RSP: 002b:00007f9468acb168 EFLAGS: 00000246 ORIG_RAX: 00000000000000e9
RAX: ffffffffffffffda RBX: 00007f946a268f60 RCX: 00007f946a155e99
RDX: 0000000000000003 RSI: 0000000000000001 RDI: 0000000000000004
RBP: 00007f946a1afff1 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000200000c0 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffed5ac970f R14: 00007f9468acb300 R15: 0000000000022000