BUG: soft lockup in sys_madvise


syzbot

May 6, 2022, 1:10:22 AM5/6/22
to syzkaller...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 3f8a27f9e27b Linux 4.19.211
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=11836d00f00000
kernel config: https://syzkaller.appspot.com/x/.config?x=9b9277b418617afe
dashboard link: https://syzkaller.appspot.com/bug?extid=fc45d19aeee447636572
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+fc45d1...@syzkaller.appspotmail.com

misc userio: The device must be registered before sending interrupts
watchdog: BUG: soft lockup - CPU#1 stuck for 23s! [syz-executor.4:26625]
Modules linked in:
irq event stamp: 2488690
hardirqs last enabled at (2488689): [<ffffffff81003ce4>] trace_hardirqs_on_thunk+0x1a/0x1c
hardirqs last disabled at (2488690): [<ffffffff81003d00>] trace_hardirqs_off_thunk+0x1a/0x1c
softirqs last enabled at (2486986): [<ffffffff88400678>] __do_softirq+0x678/0x980 kernel/softirq.c:318
softirqs last disabled at (2486847): [<ffffffff813927d5>] invoke_softirq kernel/softirq.c:372 [inline]
softirqs last disabled at (2486847): [<ffffffff813927d5>] irq_exit+0x215/0x260 kernel/softirq.c:412
CPU: 1 PID: 26625 Comm: syz-executor.4 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__read_once_size include/linux/compiler.h:263 [inline]
RIP: 0010:trylock_clear_pending kernel/locking/qspinlock_paravirt.h:123 [inline]
RIP: 0010:pv_wait_head_or_lock kernel/locking/qspinlock_paravirt.h:436 [inline]
RIP: 0010:__pv_queued_spin_lock_slowpath+0x3b5/0xae0 kernel/locking/qspinlock.c:474
Code: 83 e3 07 41 be 01 00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8d 2c 01 eb 0c f3 90 41 83 ec 01 0f 84 38 04 00 00 41 0f b6 45 00 <38> d8 7f 08 84 c0 0f 85 75 05 00 00 0f b6 45 00 84 c0 75 db be 02
RSP: 0018:ffff888091cef318 EFLAGS: 00000206 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 1ffff11012fc2176
RDX: 0000000000000001 RSI: ffffffff8167a995 RDI: 0000000000000286
RBP: ffff888097e10bb0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: 00000000000015bd
R13: ffffed1012fc2176 R14: 0000000000000001 R15: ffff8880ba12be00
FS: 00007f784fead700(0000) GS:ffff8880ba100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f784fe8bff8 CR3: 00000000ab38e000 CR4: 00000000003406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:679 [inline]
queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:53 [inline]
queued_spin_lock include/asm-generic/qspinlock.h:88 [inline]
do_raw_spin_lock+0x189/0x220 kernel/locking/spinlock_debug.c:113
spin_lock include/linux/spinlock.h:329 [inline]
map_pte mm/page_vma_mapped.c:51 [inline]
page_vma_mapped_walk+0x1172/0x27d0 mm/page_vma_mapped.c:254
remove_migration_pte+0x145/0xff0 mm/migrate.c:217
rmap_walk_anon+0x472/0xa80 mm/rmap.c:1842
rmap_walk_locked+0x12a/0x190 mm/rmap.c:1924
remove_migration_ptes+0xbf/0x120 mm/migrate.c:298
remap_page+0xe2/0x180 mm/huge_memory.c:2452
__split_huge_page mm/huge_memory.c:2561 [inline]
split_huge_page_to_list+0x1b20/0x2ce0 mm/huge_memory.c:2796
split_huge_page include/linux/huge_mm.h:146 [inline]
madvise_free_huge_pmd+0x5a1/0xdd0 mm/huge_memory.c:1708
madvise_free_pte_range+0x6c5/0x2250 mm/madvise.c:325
walk_pmd_range mm/pagewalk.c:51 [inline]
walk_pud_range mm/pagewalk.c:109 [inline]
walk_p4d_range mm/pagewalk.c:135 [inline]
walk_pgd_range+0x8fe/0x1150 mm/pagewalk.c:161
__walk_page_range mm/pagewalk.c:254 [inline]
walk_page_range+0x1a5/0x490 mm/pagewalk.c:335
madvise_free_page_range.isra.0+0xae/0xf0 mm/madvise.c:454
madvise_free_single_vma+0x31c/0x4a0 mm/madvise.c:481
madvise_dontneed_free mm/madvise.c:565 [inline]
madvise_vma mm/madvise.c:698 [inline]
__do_sys_madvise mm/madvise.c:873 [inline]
__se_sys_madvise+0x75c/0x1c10 mm/madvise.c:801
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f78515380e9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f784fead168 EFLAGS: 00000246 ORIG_RAX: 000000000000001c
RAX: ffffffffffffffda RBX: 00007f785164af60 RCX: 00007f78515380e9
RDX: 0000000000000008 RSI: 0000000000600003 RDI: 0000000020000000
RBP: 00007f785159208d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffe94d2948f R14: 00007f784fead300 R15: 0000000000022000
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0 skipped: idling at native_safe_halt+0xe/0x10 arch/x86/include/asm/irqflags.h:60
----------------
Code disassembly (best guess):
0: 83 e3 07 and $0x7,%ebx
3: 41 be 01 00 00 00 mov $0x1,%r14d
9: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
10: fc ff df
13: 4c 8d 2c 01 lea (%rcx,%rax,1),%r13
17: eb 0c jmp 0x25
19: f3 90 pause
1b: 41 83 ec 01 sub $0x1,%r12d
1f: 0f 84 38 04 00 00 je 0x45d
25: 41 0f b6 45 00 movzbl 0x0(%r13),%eax
* 2a: 38 d8 cmp %bl,%al <-- trapping instruction
2c: 7f 08 jg 0x36
2e: 84 c0 test %al,%al
30: 0f 85 75 05 00 00 jne 0x5ab
36: 0f b6 45 00 movzbl 0x0(%rbp),%eax
3a: 84 c0 test %al,%al
3c: 75 db jne 0x19
3e: be .byte 0xbe
3f: 02 .byte 0x2


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Sep 3, 2022, 1:10:19 AM9/3/22
to syzkaller...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.