possible deadlock in pty_write

16 views

Skip to first unread message

syzbot

unread,

Jan 31, 2020, 8:19:13 PM1/31/20

to syzkaller...@googlegroups.com

Hello,

syzbot found the following crash on:

HEAD commit: 9fa690a2 Linux 4.14.169
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=11f3c7c9e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=eb55b601e76e3476
dashboard link: https://syzkaller.appspot.com/bug?extid=1521b53c8db420f4dea1
compiler: gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+1521b5...@syzkaller.appspotmail.com

RDX: 1000000000000252 RSI: 00000000200023c0 RDI: 0000000000000005
RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000006
R13: 0000000000000cda R14: 00000000004c9ca0 R15: 0000000000000002
======================================================
WARNING: possible circular locking dependency detected
4.14.169-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.1/18351 is trying to acquire lock:
(console_owner){-.-.}, at: [<ffffffff814b2661>] console_trylock_spinning kernel/printk/printk.c:1658 [inline]
(console_owner){-.-.}, at: [<ffffffff814b2661>] vprintk_emit kernel/printk/printk.c:1922 [inline]
(console_owner){-.-.}, at: [<ffffffff814b2661>] vprintk_emit+0x2f1/0x600 kernel/printk/printk.c:1888

but task is already holding lock:
(&(&port->lock)->rlock){-.-.}, at: [<ffffffff834db5e0>] pty_write+0xe0/0x1d0 drivers/tty/pty.c:120

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #2 (&(&port->lock)->rlock){-.-.}:
lock_acquire+0x16f/0x430 kernel/locking/lockdep.c:3994
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x95/0xcd kernel/locking/spinlock.c:160
tty_port_tty_get+0x22/0x90 drivers/tty/tty_port.c:287
tty_port_default_wakeup+0x16/0x40 drivers/tty/tty_port.c:46
tty_port_tty_wakeup+0x57/0x70 drivers/tty/tty_port.c:389
uart_write_wakeup+0x46/0x70 drivers/tty/serial/serial_core.c:116
serial8250_tx_chars+0x40d/0xa10 drivers/tty/serial/8250/8250_port.c:1810
serial8250_handle_irq.part.0+0x206/0x250 drivers/tty/serial/8250/8250_port.c:1883
serial8250_handle_irq drivers/tty/serial/8250/8250_port.c:1869 [inline]
serial8250_default_handle_irq+0xa1/0x120 drivers/tty/serial/8250/8250_port.c:1899
serial8250_interrupt+0xe9/0x1a0 drivers/tty/serial/8250/8250_core.c:129
__handle_irq_event_percpu+0x125/0x7f0 kernel/irq/handle.c:147
handle_irq_event_percpu+0x65/0x130 kernel/irq/handle.c:187
handle_irq_event+0xa7/0x134 kernel/irq/handle.c:204
handle_edge_irq+0x22b/0x840 kernel/irq/chip.c:770
generic_handle_irq_desc include/linux/irqdesc.h:159 [inline]
handle_irq+0x39/0x50 arch/x86/kernel/irq_64.c:87
do_IRQ+0x99/0x1d0 arch/x86/kernel/irq.c:230
ret_from_intr+0x0/0x1e
arch_local_irq_restore arch/x86/include/asm/paravirt.h:779 [inline]
__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline]
_raw_spin_unlock_irqrestore+0x95/0xe0 kernel/locking/spinlock.c:192
spin_unlock_irqrestore include/linux/spinlock.h:372 [inline]
uart_write+0x29a/0x4f0 drivers/tty/serial/serial_core.c:625
process_output_block drivers/tty/n_tty.c:595 [inline]
n_tty_write+0x38b/0xf20 drivers/tty/n_tty.c:2333
do_tty_write drivers/tty/tty_io.c:959 [inline]
tty_write+0x3f6/0x700 drivers/tty/tty_io.c:1043
redirected_tty_write+0xa3/0xb0 drivers/tty/tty_io.c:1064
__vfs_write+0x105/0x6b0 fs/read_write.c:480
vfs_write+0x198/0x500 fs/read_write.c:544
SYSC_write fs/read_write.c:590 [inline]
SyS_write+0xfd/0x230 fs/read_write.c:582
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7

-> #1 (&port_lock_key){-.-.}:
lock_acquire+0x16f/0x430 kernel/locking/lockdep.c:3994
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x95/0xcd kernel/locking/spinlock.c:160
serial8250_console_write+0x709/0x930 drivers/tty/serial/8250/8250_port.c:3232
univ8250_console_write+0x5f/0x70 drivers/tty/serial/8250/8250_core.c:597
call_console_drivers kernel/printk/printk.c:1725 [inline]
console_unlock+0x9ba/0xed0 kernel/printk/printk.c:2397
vprintk_emit kernel/printk/printk.c:1923 [inline]
vprintk_emit+0x1f9/0x600 kernel/printk/printk.c:1888
vprintk_default+0x28/0x30 kernel/printk/printk.c:1963
vprintk_func+0x5d/0x159 kernel/printk/printk_safe.c:401
printk+0x9e/0xbc kernel/printk/printk.c:1996
register_console+0x614/0x9e0 kernel/printk/printk.c:2716
univ8250_console_init+0x33/0x3f drivers/tty/serial/8250/8250_core.c:692
console_init+0x4d/0x5d kernel/printk/printk.c:2797
start_kernel+0x43c/0x67d init/main.c:634
x86_64_start_reservations+0x29/0x2b arch/x86/kernel/head64.c:399
x86_64_start_kernel+0x77/0x7b arch/x86/kernel/head64.c:380
secondary_startup_64+0xa5/0xb0 arch/x86/kernel/head_64.S:240

-> #0 (console_owner){-.-.}:
check_prev_add kernel/locking/lockdep.c:1901 [inline]
check_prevs_add kernel/locking/lockdep.c:2018 [inline]
validate_chain kernel/locking/lockdep.c:2460 [inline]
__lock_acquire+0x2cb3/0x4620 kernel/locking/lockdep.c:3487
lock_acquire+0x16f/0x430 kernel/locking/lockdep.c:3994
console_trylock_spinning kernel/printk/printk.c:1679 [inline]
vprintk_emit kernel/printk/printk.c:1922 [inline]
vprintk_emit+0x32e/0x600 kernel/printk/printk.c:1888
vprintk_default+0x28/0x30 kernel/printk/printk.c:1963
vprintk_func+0x5d/0x159 kernel/printk/printk_safe.c:401
printk+0x9e/0xbc kernel/printk/printk.c:1996
fail_dump lib/fault-inject.c:44 [inline]
should_fail.cold+0xe4/0x159 lib/fault-inject.c:149
should_failslab+0xdb/0x130 mm/failslab.c:32
slab_pre_alloc_hook mm/slab.h:421 [inline]
slab_alloc mm/slab.c:3376 [inline]
__do_kmalloc mm/slab.c:3718 [inline]
__kmalloc+0x71/0x7a0 mm/slab.c:3729
kmalloc include/linux/slab.h:493 [inline]
tty_buffer_alloc drivers/tty/tty_buffer.c:169 [inline]
__tty_buffer_request_room+0x1a4/0x500 drivers/tty/tty_buffer.c:267
tty_insert_flip_string_fixed_flag+0x8a/0x1c0 drivers/tty/tty_buffer.c:312
tty_insert_flip_string include/linux/tty_flip.h:37 [inline]
pty_write+0x113/0x1d0 drivers/tty/pty.c:122
n_tty_write+0x953/0xf20 drivers/tty/n_tty.c:2356
do_tty_write drivers/tty/tty_io.c:959 [inline]
tty_write+0x3f6/0x700 drivers/tty/tty_io.c:1043
do_loop_readv_writev fs/read_write.c:698 [inline]
do_loop_readv_writev fs/read_write.c:682 [inline]
do_iter_write fs/read_write.c:956 [inline]
do_iter_write+0x3d3/0x540 fs/read_write.c:935
vfs_writev+0x170/0x2a0 fs/read_write.c:999
do_writev+0x10a/0x2d0 fs/read_write.c:1034
SYSC_writev fs/read_write.c:1107 [inline]
SyS_writev+0x28/0x30 fs/read_write.c:1104
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7

other info that might help us debug this:

Chain exists of:
console_owner --> &port_lock_key --> &(&port->lock)->rlock

Possible unsafe locking scenario:

CPU0 CPU1
---- ----
lock(&(&port->lock)->rlock);
lock(&port_lock_key);
lock(&(&port->lock)->rlock);
lock(console_owner);

*** DEADLOCK ***

5 locks held by syz-executor.1/18351:
#0: (&tty->ldisc_sem){++++}, at: [<ffffffff86692003>] ldsem_down_read+0x33/0x40 drivers/tty/tty_ldsem.c:376
#1: (&tty->atomic_write_lock){+.+.}, at: [<ffffffff834b4f00>] tty_write_lock+0x20/0x60 drivers/tty/tty_io.c:885
#2: (&tty->termios_rwsem){++++}, at: [<ffffffff834c2249>] n_tty_write+0x179/0xf20 drivers/tty/n_tty.c:2316
#3: (&ldata->output_lock){+.+.}, at: [<ffffffff834c29e4>] n_tty_write+0x914/0xf20 drivers/tty/n_tty.c:2355
#4: (&(&port->lock)->rlock){-.-.}, at: [<ffffffff834db5e0>] pty_write+0xe0/0x1d0 drivers/tty/pty.c:120

stack backtrace:
CPU: 0 PID: 18351 Comm: syz-executor.1 Not tainted 4.14.169-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x142/0x197 lib/dump_stack.c:58
print_circular_bug.isra.0.cold+0x1cc/0x28f kernel/locking/lockdep.c:1258
check_prev_add kernel/locking/lockdep.c:1901 [inline]
check_prevs_add kernel/locking/lockdep.c:2018 [inline]
validate_chain kernel/locking/lockdep.c:2460 [inline]
__lock_acquire+0x2cb3/0x4620 kernel/locking/lockdep.c:3487
lock_acquire+0x16f/0x430 kernel/locking/lockdep.c:3994
console_trylock_spinning kernel/printk/printk.c:1679 [inline]
vprintk_emit kernel/printk/printk.c:1922 [inline]
vprintk_emit+0x32e/0x600 kernel/printk/printk.c:1888
vprintk_default+0x28/0x30 kernel/printk/printk.c:1963
vprintk_func+0x5d/0x159 kernel/printk/printk_safe.c:401
printk+0x9e/0xbc kernel/printk/printk.c:1996
fail_dump lib/fault-inject.c:44 [inline]
should_fail.cold+0xe4/0x159 lib/fault-inject.c:149
should_failslab+0xdb/0x130 mm/failslab.c:32
slab_pre_alloc_hook mm/slab.h:421 [inline]
slab_alloc mm/slab.c:3376 [inline]
__do_kmalloc mm/slab.c:3718 [inline]
__kmalloc+0x71/0x7a0 mm/slab.c:3729
kmalloc include/linux/slab.h:493 [inline]
tty_buffer_alloc drivers/tty/tty_buffer.c:169 [inline]
__tty_buffer_request_room+0x1a4/0x500 drivers/tty/tty_buffer.c:267
tty_insert_flip_string_fixed_flag+0x8a/0x1c0 drivers/tty/tty_buffer.c:312
tty_insert_flip_string include/linux/tty_flip.h:37 [inline]
pty_write+0x113/0x1d0 drivers/tty/pty.c:122
n_tty_write+0x953/0xf20 drivers/tty/n_tty.c:2356
do_tty_write drivers/tty/tty_io.c:959 [inline]
tty_write+0x3f6/0x700 drivers/tty/tty_io.c:1043
do_loop_readv_writev fs/read_write.c:698 [inline]
do_loop_readv_writev fs/read_write.c:682 [inline]
do_iter_write fs/read_write.c:956 [inline]
do_iter_write+0x3d3/0x540 fs/read_write.c:935
vfs_writev+0x170/0x2a0 fs/read_write.c:999
do_writev+0x10a/0x2d0 fs/read_write.c:1034
SYSC_writev fs/read_write.c:1107 [inline]
SyS_writev+0x28/0x30 fs/read_write.c:1104
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x45b399
RSP: 002b:00007f6a5fb18c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
RAX: ffffffffffffffda RBX: 00007f6a5fb196d4 RCX: 000000000045b399
RDX: 1000000000000252 RSI: 00000000200023c0 RDI: 0000000000000005
RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000006
R13: 0000000000000cda R14: 00000000004c9ca0 R15: 0000000000000002
FAULT_INJECTION: forcing a failure.
name fail_page_alloc, interval 1, probability 0, space 0, times 1
CPU: 1 PID: 18366 Comm: syz-executor.0 Not tainted 4.14.169-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x142/0x197 lib/dump_stack.c:58
fail_dump lib/fault-inject.c:51 [inline]
should_fail.cold+0x10f/0x159 lib/fault-inject.c:149
should_fail_alloc_page mm/page_alloc.c:2891 [inline]
prepare_alloc_pages mm/page_alloc.c:4124 [inline]
__alloc_pages_nodemask+0x1d6/0x7a0 mm/page_alloc.c:4172
alloc_pages_current+0xec/0x1e0 mm/mempolicy.c:2113
alloc_pages include/linux/gfp.h:520 [inline]
pte_alloc_one+0x1a/0x100 arch/x86/mm/pgtable.c:30
do_huge_pmd_anonymous_page+0x84f/0x1200 mm/huge_memory.c:701
create_huge_pmd mm/memory.c:3881 [inline]
__handle_mm_fault+0x247d/0x33d0 mm/memory.c:4084
handle_mm_fault+0x293/0x7c0 mm/memory.c:4150
__do_page_fault+0x4c1/0xb80 arch/x86/mm/fault.c:1420
do_page_fault+0x71/0x511 arch/x86/mm/fault.c:1495
page_fault+0x25/0x50 arch/x86/entry/entry_64.S:1122
RIP: 0010:copy_user_enhanced_fast_string+0xe/0x20 arch/x86/lib/copy_user_64.S:181
RSP: 0018:ffff88805b62f9f8 EFLAGS: 00010206
RAX: 0000000000000000 RBX: 0000000000000590 RCX: 0000000000000590
RDX: 0000000000000590 RSI: 0000000020d7cfcb RDI: ffff88805adfa6f0
RBP: ffff88805b62fa28 R08: ffffed100b5bf590 R09: 0000000000000000
R10: ffffed100b5bf58f R11: ffff88805adfac7f R12: 0000000020d7cfcb
R13: ffff88805adfa6f0 R14: 00007ffffffff000 R15: 0000000020d7d55b
_copy_from_iter_full+0x196/0x6c0 lib/iov_iter.c:608
copy_from_iter_full include/linux/uio.h:126 [inline]
skb_do_copy_data_nocache include/net/sock.h:1886 [inline]
skb_add_data_nocache include/net/sock.h:1897 [inline]
tcp_sendmsg_locked+0x1371/0x31c0 net/ipv4/tcp.c:1335
tcp_sendmsg+0x30/0x50 net/ipv4/tcp.c:1457
inet_sendmsg+0x122/0x500 net/ipv4/af_inet.c:762
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xce/0x110 net/socket.c:656
SYSC_sendto+0x206/0x310 net/socket.c:1763
SyS_sendto+0x40/0x50 net/socket.c:1731
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x45b399
RSP: 002b:00007fc1af258c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007fc1af2596d4 RCX: 000000000045b399
RDX: ffffffffffffffef RSI: 0000000020d7cfcb RDI: 0000000000000005
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000053
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000006
R13: 00000000000009d4 R14: 00000000004cb445 R15: 0000000000000002
FAULT_INJECTION: forcing a failure.
name fail_page_alloc, interval 1, probability 0, space 0, times 1
CPU: 1 PID: 18375 Comm: syz-executor.2 Not tainted 4.14.169-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x142/0x197 lib/dump_stack.c:58
fail_dump lib/fault-inject.c:51 [inline]
should_fail.cold+0x10f/0x159 lib/fault-inject.c:149
should_fail_alloc_page mm/page_alloc.c:2891 [inline]
prepare_alloc_pages mm/page_alloc.c:4124 [inline]
__alloc_pages_nodemask+0x1d6/0x7a0 mm/page_alloc.c:4172
alloc_pages_current+0xec/0x1e0 mm/mempolicy.c:2113
alloc_pages include/linux/gfp.h:520 [inline]
pte_alloc_one+0x1a/0x100 arch/x86/mm/pgtable.c:30
do_huge_pmd_anonymous_page+0x84f/0x1200 mm/huge_memory.c:701
create_huge_pmd mm/memory.c:3881 [inline]
__handle_mm_fault+0x247d/0x33d0 mm/memory.c:4084
handle_mm_fault+0x293/0x7c0 mm/memory.c:4150
__do_page_fault+0x4c1/0xb80 arch/x86/mm/fault.c:1420
do_page_fault+0x71/0x511 arch/x86/mm/fault.c:1495
page_fault+0x25/0x50 arch/x86/entry/entry_64.S:1122
RIP: 0010:copy_user_enhanced_fast_string+0xe/0x20 arch/x86/lib/copy_user_64.S:181
RSP: 0018:ffff8880582079f8 EFLAGS: 00010206
RAX: 0000000000000000 RBX: 0000000000000590 RCX: 0000000000000590
RDX: 0000000000000590 RSI: 0000000020d7cfcb RDI: ffff888085878530
RBP: ffff888058207a28 R08: ffffed1010b0f158 R09: 0000000000000000
R10: ffffed1010b0f157 R11: ffff888085878abf R12: 0000000020d7cfcb
R13: ffff888085878530 R14: 00007ffffffff000 R15: 0000000020d7d55b
_copy_from_iter_full+0x196/0x6c0 lib/iov_iter.c:608
copy_from_iter_full include/linux/uio.h:126 [inline]
skb_do_copy_data_nocache include/net/sock.h:1886 [inline]
skb_add_data_nocache include/net/sock.h:1897 [inline]
tcp_sendmsg_locked+0x1371/0x31c0 net/ipv4/tcp.c:1335
tcp_sendmsg+0x30/0x50 net/ipv4/tcp.c:1457
inet_sendmsg+0x122/0x500 net/ipv4/af_inet.c:762
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xce/0x110 net/socket.c:656
SYSC_sendto+0x206/0x310 net/socket.c:1763
SyS_sendto+0x40/0x50 net/socket.c:1731
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x45b399
RSP: 002b:00007f13a9e43c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007f13a9e446d4 RCX: 000000000045b399
RDX: ffffffffffffffef RSI: 0000000020d7cfcb RDI: 0000000000000005
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000053
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000006
R13: 00000000000009d4 R14: 00000000004cb445 R15: 0000000000000002
audit: type=1400 audit(1580519907.065:256): avc: denied { create } for pid=18437 comm="syz-executor.1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
audit: type=1400 audit(1580519907.095:257): avc: denied { write } for pid=18437 comm="syz-executor.1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
audit: type=1400 audit(1580519907.095:258): avc: denied { read } for pid=18437 comm="syz-executor.1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 1 PID: 18441 Comm: syz-executor.0 Not tainted 4.14.169-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x142/0x197 lib/dump_stack.c:58
fail_dump lib/fault-inject.c:51 [inline]
should_fail.cold+0x10f/0x159 lib/fault-inject.c:149
should_failslab+0xdb/0x130 mm/failslab.c:32
slab_pre_alloc_hook mm/slab.h:421 [inline]
slab_alloc mm/slab.c:3376 [inline]
kmem_cache_alloc+0x2d7/0x780 mm/slab.c:3550
ptlock_alloc+0x20/0x70 mm/memory.c:4741
ptlock_init include/linux/mm.h:1752 [inline]
pgtable_page_ctor include/linux/mm.h:1786 [inline]
pte_alloc_one+0x60/0x100 arch/x86/mm/pgtable.c:33
do_huge_pmd_anonymous_page+0x84f/0x1200 mm/huge_memory.c:701
create_huge_pmd mm/memory.c:3881 [inline]
__handle_mm_fault+0x247d/0x33d0 mm/memory.c:4084
handle_mm_fault+0x293/0x7c0 mm/memory.c:4150
__do_page_fault+0x4c1/0xb80 arch/x86/mm/fault.c:1420
do_page_fault+0x71/0x511 arch/x86/mm/fault.c:1495
page_fault+0x25/0x50 arch/x86/entry/entry_64.S:1122
RIP: 0010:copy_user_enhanced_fast_string+0xe/0x20 arch/x86/lib/copy_user_64.S:181
RSP: 0018:ffff8880579779f8 EFLAGS: 00010206
RAX: 0000000000000000 RBX: 0000000000000590 RCX: 0000000000000590
RDX: 0000000000000590 RSI: 0000000020d7cfcb RDI: ffff888058c4a1f0
RBP: ffff888057977a28 R08: ffffed100b1894f0 R09: 0000000000000000
R10: ffffed100b1894ef R11: ffff888058c4a77f R12: 0000000020d7cfcb
R13: ffff888058c4a1f0 R14: 00007ffffffff000 R15: 0000000020d7d55b
_copy_from_iter_full+0x196/0x6c0 lib/iov_iter.c:608
copy_from_iter_full include/linux/uio.h:126 [inline]
skb_do_copy_data_nocache include/net/sock.h:1886 [inline]
skb_add_data_nocache include/net/sock.h:1897 [inline]
tcp_sendmsg_locked+0x1371/0x31c0 net/ipv4/tcp.c:1335
tcp_sendmsg+0x30/0x50 net/ipv4/tcp.c:1457
inet_sendmsg+0x122/0x500 net/ipv4/af_inet.c:762
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xce/0x110 net/socket.c:656
SYSC_sendto+0x206/0x310 net/socket.c:1763
SyS_sendto+0x40/0x50 net/socket.c:1731
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x45b399
RSP: 002b:00007fc1af258c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007fc1af2596d4 RCX: 000000000045b399
RDX: ffffffffffffffef RSI: 0000000020d7cfcb RDI: 0000000000000005
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000053
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000006
R13: 00000000000009d4 R14: 00000000004cb445 R15: 0000000000000003
CPU: 0 PID: 18442 Comm: syz-executor.2 Not tainted 4.14.169-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x142/0x197 lib/dump_stack.c:58
fail_dump lib/fault-inject.c:51 [inline]
should_fail.cold+0x10f/0x159 lib/fault-inject.c:149
should_failslab+0xdb/0x130 mm/failslab.c:32
slab_pre_alloc_hook mm/slab.h:421 [inline]
slab_alloc mm/slab.c:3376 [inline]
kmem_cache_alloc+0x2d7/0x780 mm/slab.c:3550
ptlock_alloc+0x20/0x70 mm/memory.c:4741
ptlock_init include/linux/mm.h:1752 [inline]
pgtable_page_ctor include/linux/mm.h:1786 [inline]
pte_alloc_one+0x60/0x100 arch/x86/mm/pgtable.c:33
do_huge_pmd_anonymous_page+0x84f/0x1200 mm/huge_memory.c:701
create_huge_pmd mm/memory.c:3881 [inline]
__handle_mm_fault+0x247d/0x33d0 mm/memory.c:4084
handle_mm_fault+0x293/0x7c0 mm/memory.c:4150
__do_page_fault+0x4c1/0xb80 arch/x86/mm/fault.c:1420
do_page_fault+0x71/0x511 arch/x86/mm/fault.c:1495
page_fault+0x25/0x50 arch/x86/entry/entry_64.S:1122
RIP: 0010:copy_user_enhanced_fast_string+0xe/0x20 arch/x86/lib/copy_user_64.S:181
RSP: 0018:ffff888051fdf9f8 EFLAGS: 00010206
RAX: 0000000000000000 RBX: 0000000000000590 RCX: 0000000000000590
RDX: 0000000000000590 RSI: 0000000020d7cfcb RDI: ffff888080836cb0
RBP: ffff888051fdfa28 R08: ffffed1010106e48 R09: 0000000000000000
R10: ffffed1010106e47 R11: ffff88808083723f R12: 0000000020d7cfcb
R13: ffff888080836cb0 R14: 00007ffffffff000 R15: 0000000020d7d55b
_copy_from_iter_full+0x196/0x6c0 lib/iov_iter.c:608
copy_from_iter_full include/linux/uio.h:126 [inline]
skb_do_copy_data_nocache include/net/sock.h:1886 [inline]
skb_add_data_nocache include/net/sock.h:1897 [inline]
tcp_sendmsg_locked+0x1371/0x31c0 net/ipv4/tcp.c:1335
tcp_sendmsg+0x30/0x50 net/ipv4/tcp.c:1457
inet_sendmsg+0x122/0x500 net/ipv4/af_inet.c:762
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xce/0x110 net/socket.c:656
SYSC_sendto+0x206/0x310 net/socket.c:1763
SyS_sendto+0x40/0x50 net/socket.c:1731
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x45b399
RSP: 002b:00007f13a9e43c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007f13a9e446d4 RCX: 000000000045b399
RDX: ffffffffffffffef RSI: 0000000020d7cfcb RDI: 0000000000000005
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000053
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000006
R13: 00000000000009d4 R14: 00000000004cb445 R15: 0000000000000003
FAULT_INJECTION: forcing a failure.
name fail_page_alloc, interval 1, probability 0, space 0, times 0
CPU: 1 PID: 18475 Comm: syz-executor.0 Not tainted 4.14.169-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x142/0x197 lib/dump_stack.c:58
fail_dump lib/fault-inject.c:51 [inline]
should_fail.cold+0x10f/0x159 lib/fault-inject.c:149
should_fail_alloc_page mm/page_alloc.c:2891 [inline]
prepare_alloc_pages mm/page_alloc.c:4124 [inline]
__alloc_pages_nodemask+0x1d6/0x7a0 mm/page_alloc.c:4172
alloc_pages_current+0xec/0x1e0 mm/mempolicy.c:2113
alloc_pages include/linux/gfp.h:520 [inline]
skb_page_frag_refill+0x1ef/0x490 net/core/sock.c:2201
sk_page_frag_refill+0x53/0x1c0 net/core/sock.c:2221
tcp_sendmsg_locked+0x7dc/0x31c0 net/ipv4/tcp.c:1343
tcp_sendmsg+0x30/0x50 net/ipv4/tcp.c:1457
inet_sendmsg+0x122/0x500 net/ipv4/af_inet.c:762
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xce/0x110 net/socket.c:656
SYSC_sendto+0x206/0x310 net/socket.c:1763
SyS_sendto+0x40/0x50 net/socket.c:1731
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x45b399
RSP: 002b:00007fc1af258c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007fc1af2596d4 RCX: 000000000045b399
RDX: ffffffffffffffef RSI: 0000000020d7cfcb RDI: 0000000000000005
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000053
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000006
R13: 00000000000009d4 R14: 00000000004cb445 R15: 0000000000000004
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 0 PID: 18515 Comm: syz-executor.0 Not tainted 4.14.169-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x142/0x197 lib/dump_stack.c:58
fail_dump lib/fault-inject.c:51 [inline]
should_fail.cold+0x10f/0x159 lib/fault-inject.c:149
should_failslab+0xdb/0x130 mm/failslab.c:32
slab_pre_alloc_hook mm/slab.h:421 [inline]
slab_alloc_node mm/slab.c:3297 [inline]
kmem_cache_alloc_node+0x56/0x780 mm/slab.c:3640
__alloc_skb+0x9c/0x500 net/core/skbuff.c:193
alloc_skb include/linux/skbuff.h:980 [inline]
__tcp_send_ack.part.0+0x67/0x5b0 net/ipv4/tcp_output.c:3619
__tcp_send_ack net/ipv4/tcp_output.c:3646 [inline]
tcp_send_ack+0x7a/0xa0 net/ipv4/tcp_output.c:3646
__tcp_ack_snd_check+0x107/0x3a0 net/ipv4/tcp_input.c:5145
tcp_ack_snd_check net/ipv4/tcp_input.c:5158 [inline]
tcp_rcv_established+0x67e/0x1650 net/ipv4/tcp_input.c:5571
tcp_v4_do_rcv+0x56c/0x7f0 net/ipv4/tcp_ipv4.c:1467
sk_backlog_rcv include/net/sock.h:917 [inline]
__release_sock+0x12d/0x350 net/core/sock.c:2264
__sk_flush_backlog+0x28/0x40 net/core/sock.c:2284
sk_flush_backlog include/net/sock.h:1004 [inline]
tcp_sendmsg_locked+0x263d/0x31c0 net/ipv4/tcp.c:1296
tcp_sendmsg+0x30/0x50 net/ipv4/tcp.c:1457
inet_sendmsg+0x122/0x500 net/ipv4/af_inet.c:762
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xce/0x110 net/socket.c:656
SYSC_sendto+0x206/0x310 net/socket.c:1763
SyS_sendto+0x40/0x50 net/socket.c:1731
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x45b399
RSP: 002b:00007fc1af258c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007fc1af2596d4 RCX: 000000000045b399
RDX: ffffffffffffffef RSI: 0000000020d7cfcb RDI: 0000000000000005
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000053
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000006
R13: 00000000000009d4 R14: 00000000004cb445 R15: 0000000000000005
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 1 PID: 18549 Comm: syz-executor.0 Not tainted 4.14.169-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x142/0x197 lib/dump_stack.c:58
fail_dump lib/fault-inject.c:51 [inline]
should_fail.cold+0x10f/0x159 lib/fault-inject.c:149
should_failslab+0xdb/0x130 mm/failslab.c:32
slab_pre_alloc_hook mm/slab.h:421 [inline]
slab_alloc_node mm/slab.c:3297 [inline]
kmem_cache_alloc_node_trace+0x5a/0x770 mm/slab.c:3659
__do_kmalloc_node mm/slab.c:3681 [inline]
__kmalloc_node_track_caller+0x3d/0x80 mm/slab.c:3696
__kmalloc_reserve.isra.0+0x40/0xe0 net/core/skbuff.c:137
__alloc_skb+0xcf/0x500 net/core/skbuff.c:205
alloc_skb include/linux/skbuff.h:980 [inline]
__tcp_send_ack.part.0+0x67/0x5b0 net/ipv4/tcp_output.c:3619
__tcp_send_ack net/ipv4/tcp_output.c:3646 [inline]
tcp_send_ack+0x7a/0xa0 net/ipv4/tcp_output.c:3646
__tcp_ack_snd_check+0x107/0x3a0 net/ipv4/tcp_input.c:5145
tcp_ack_snd_check net/ipv4/tcp_input.c:5158 [inline]
tcp_rcv_established+0x67e/0x1650 net/ipv4/tcp_input.c:5571
tcp_v4_do_rcv+0x56c/0x7f0 net/ipv4/tcp_ipv4.c:1467
sk_backlog_rcv include/net/sock.h:917 [inline]
__release_sock+0x12d/0x350 net/core/sock.c:2264
__sk_flush_backlog+0x28/0x40 net/core/sock.c:2284
sk_flush_backlog include/net/sock.h:1004 [inline]
tcp_sendmsg_locked+0x263d/0x31c0 net/ipv4/tcp.c:1296
tcp_sendmsg+0x30/0x50 net/ipv4/tcp.c:1457
inet_sendmsg+0x122/0x500 net/ipv4/af_inet.c:762
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xce/0x110 net/socket.c:656
SYSC_sendto+0x206/0x310 net/socket.c:1763
SyS_sendto+0x40/0x50 net/socket.c:1731
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x45b399
RSP: 002b:00007fc1af258c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007fc1af2596d4 RCX: 000000000045b399
RDX: ffffffffffffffef RSI: 0000000020d7cfcb RDI: 0000000000000005
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000053
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000006
R13: 00000000000009d4 R14: 00000000004cb445 R15: 0000000000000006
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 0 PID: 18587 Comm: syz-executor.0 Not tainted 4.14.169-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x142/0x197 lib/dump_stack.c:58
fail_dump lib/fault-inject.c:51 [inline]
should_fail.cold+0x10f/0x159 lib/fault-inject.c:149
should_failslab+0xdb/0x130 mm/failslab.c:32
slab_pre_alloc_hook mm/slab.h:421 [inline]
slab_alloc_node mm/slab.c:3297 [inline]
kmem_cache_alloc_node+0x287/0x780 mm/slab.c:3640
__alloc_skb+0x9c/0x500 net/core/skbuff.c:193
alloc_skb_fclone include/linux/skbuff.h:1022 [inline]
sk_stream_alloc_skb+0xb5/0x780 net/ipv4/tcp.c:855
tcp_sendmsg_locked+0xf6b/0x31c0 net/ipv4/tcp.c:1301
tcp_sendmsg+0x30/0x50 net/ipv4/tcp.c:1457
inet_sendmsg+0x122/0x500 net/ipv4/af_inet.c:762
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xce/0x110 net/socket.c:656
SYSC_sendto+0x206/0x310 net/socket.c:1763
SyS_sendto+0x40/0x50 net/socket.c:1731
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x45b399
RSP: 002b:00007fc1af258c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007fc1af2596d4 RCX: 000000000045b399
RDX: ffffffffffffffef RSI: 0000000020d7cfcb RDI: 0000000000000005
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000053
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000006
R13: 00000000000009d4 R14: 00000000004cb445 R15: 0000000000000007
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 0 PID: 18611 Comm: syz-executor.0 Not tainted 4.14.169-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x142/0x197 lib/dump_stack.c:58
fail_dump lib/fault-inject.c:51 [inline]
should_fail.cold+0x10f/0x159 lib/fault-inject.c:149
should_failslab+0xdb/0x130 mm/failslab.c:32
slab_pre_alloc_hook mm/slab.h:421 [inline]
slab_alloc_node mm/slab.c:3297 [inline]
kmem_cache_alloc_node_trace+0x280/0x770 mm/slab.c:3659
__do_kmalloc_node mm/slab.c:3681 [inline]
__kmalloc_node_track_caller+0x3d/0x80 mm/slab.c:3696
__kmalloc_reserve.isra.0+0x40/0xe0 net/core/skbuff.c:137
__alloc_skb+0xcf/0x500 net/core/skbuff.c:205
alloc_skb_fclone include/linux/skbuff.h:1022 [inline]
sk_stream_alloc_skb+0xb5/0x780 net/ipv4/tcp.c:855
tcp_sendmsg_locked+0xf6b/0x31c0 net/ipv4/tcp.c:1301
tcp_sendmsg+0x30/0x50 net/ipv4/tcp.c:1457
inet_sendmsg+0x122/0x500 net/ipv4/af_inet.c:762
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xce/0x110 net/socket.c:656
SYSC_sendto+0x206/0x310 net/socket.c:1763
SyS_sendto+0x40/0x50 net/socket.c:1731
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x45b399
RSP: 002b:00007fc1af258c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007fc1af2596d4 RCX: 000000000045b399
RDX: ffffffffffffffef RSI: 0000000020d7cfcb RDI: 0000000000000005
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000053
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000006
R13: 00000000000009d4 R14: 00000000004cb445 R15: 0000000000000008
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=18625 comm=syz-executor.2
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=18625 comm=syz-executor.2
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 0 PID: 18664 Comm: syz-executor.0 Not tainted 4.14.169-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x142/0x197 lib/dump_stack.c:58
fail_dump lib/fault-inject.c:51 [inline]
should_fail.cold+0x10f/0x159 lib/fault-inject.c:149
should_failslab+0xdb/0x130 mm/failslab.c:32
slab_pre_alloc_hook mm/slab.h:421 [inline]
slab_alloc_node mm/slab.c:3297 [inline]
kmem_cache_alloc_node_trace+0x280/0x770 mm/slab.c:3659
__do_kmalloc_node mm/slab.c:3681 [inline]
__kmalloc_node_track_caller+0x3d/0x80 mm/slab.c:3696
__kmalloc_reserve.isra.0+0x40/0xe0 net/core/skbuff.c:137
__alloc_skb+0xcf/0x500 net/core/skbuff.c:205
alloc_skb_fclone include/linux/skbuff.h:1022 [inline]
sk_stream_alloc_skb+0xb5/0x780 net/ipv4/tcp.c:855
tcp_sendmsg_locked+0xf6b/0x31c0 net/ipv4/tcp.c:1301
tcp_sendmsg+0x30/0x50 net/ipv4/tcp.c:1457
inet_sendmsg+0x122/0x500 net/ipv4/af_inet.c:762
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xce/0x110 net/socket.c:656
SYSC_sendto+0x206/0x310 net/socket.c:1763
SyS_sendto+0x40/0x50 net/socket.c:1731
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x45b399
RSP: 002b:00007fc1af258c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007fc1af2596d4 RCX: 000000000045b399
RDX: ffffffffffffffef RSI: 0000000020d7cfcb RDI: 0000000000000005
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000053
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000006
R13: 00000000000009d4 R14: 00000000004cb445 R15: 0000000000000009
FAULT_INJECTION: forcing a failure.
name fail_page_alloc, interval 1, probability 0, space 0, times 0
CPU: 1 PID: 18721 Comm: syz-executor.0 Not tainted 4.14.169-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x142/0x197 lib/dump_stack.c:58
fail_dump lib/fault-inject.c:51 [inline]
should_fail.cold+0x10f/0x159 lib/fault-inject.c:149
should_fail_alloc_page mm/page_alloc.c:2891 [inline]
prepare_alloc_pages mm/page_alloc.c:4124 [inline]
__alloc_pages_nodemask+0x1d6/0x7a0 mm/page_alloc.c:4172
alloc_pages_current+0xec/0x1e0 mm/mempolicy.c:2113
alloc_pages include/linux/gfp.h:520 [inline]
skb_page_frag_refill+0x1ef/0x490 net/core/sock.c:2201
sk_page_frag_refill+0x53/0x1c0 net/core/sock.c:2221
tcp_sendmsg_locked+0x7dc/0x31c0 net/ipv4/tcp.c:1343
tcp_sendmsg+0x30/0x50 net/ipv4/tcp.c:1457
inet_sendmsg+0x122/0x500 net/ipv4/af_inet.c:762
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xce/0x110 net/socket.c:656
SYSC_sendto+0x206/0x310 net/socket.c:1763
SyS_sendto+0x40/0x50 net/socket.c:1731
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x45b399
RSP: 002b:00007fc1af258c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007fc1af2596d4 RCX: 000000000045b399
RDX: ffffffffffffffef RSI: 0000000020d7cfcb RDI: 0000000000000005
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000053
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000006
R13: 00000000000009d4 R14: 00000000004cb445 R15: 000000000000000a
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 0 PID: 18785 Comm: syz-executor.0 Not tainted 4.14.169-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x142/0x197 lib/dump_stack.c:58
fail_dump lib/fault-inject.c:51 [inline]
should_fail.cold+0x10f/0x159 lib/fault-inject.c:149
should_failslab+0xdb/0x130 mm/failslab.c:32
slab_pre_alloc_hook mm/slab.h:421 [inline]
slab_alloc_node mm/slab.c:3297 [inline]
kmem_cache_alloc_node+0x287/0x780 mm/slab.c:3640
__alloc_skb+0x9c/0x500 net/core/skbuff.c:193
alloc_skb_fclone include/linux/skbuff.h:1022 [inline]
sk_stream_alloc_skb+0xb5/0x780 net/ipv4/tcp.c:855
tcp_sendmsg_locked+0xf6b/0x31c0 net/ipv4/tcp.c:1301
tcp_sendmsg+0x30/0x50 net/ipv4/tcp.c:1457
inet_sendmsg+0x122/0x500 net/ipv4/af_inet.c:762
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xce/0x110 net/socket.c:656
SYSC_sendto+0x206/0x310 net/socket.c:1763
SyS_sendto+0x40/0x50 net/socket.c:1731
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x45b399
RSP: 002b:00007fc1af258c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007fc1af2596d4 RCX: 000000000045b399
RDX: ffffffffffffffef RSI: 0000000020d7cfcb RDI: 0000000000000005
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000053
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000006
R13: 00000000000009d4 R14: 00000000004cb445 R15: 000000000000000b
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 1 PID: 18811 Comm: syz-executor.0 Not tainted 4.14.169-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x142/0x197 lib/dump_stack.c:58
fail_dump lib/fault-inject.c:51 [inline]
should_fail.cold+0x10f/0x159 lib/fault-inject.c:149
should_failslab+0xdb/0x130 mm/failslab.c:32
slab_pre_alloc_hook mm/slab.h:421 [inline]
slab_alloc_node mm/slab.c:3297 [inline]
kmem_cache_alloc_node_trace+0x280/0x770 mm/slab.c:3659
__do_kmalloc_node mm/slab.c:3681 [inline]
__kmalloc_node_track_caller+0x3d/0x80 mm/slab.c:3696
__kmalloc_reserve.isra.0+0x40/0xe0 net/core/skbuff.c:137
__alloc_skb+0xcf/0x500 net/core/skbuff.c:205
alloc_skb_fclone include/linux/skbuff.h:1022 [inline]
sk_stream_alloc_skb+0xb5/0x780 net/ipv4/tcp.c:855
tcp_sendmsg_locked+0xf6b/0x31c0 net/ipv4/tcp.c:1301
tcp_sendmsg+0x30/0x50 net/ipv4/tcp.c:1457
inet_sendmsg+0x122/0x500 net/ipv4/af_inet.c:762
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xce/0x110 net/socket.c:656
SYSC_sendto+0x206/0x310 net/socket.c:1763
SyS_sendto+0x40/0x50 net/socket.c:1731
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x45b399
RSP: 002b:00007fc1af258c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007fc1af2596d4 RCX: 000000000045b399
RDX: ffffffffffffffef RSI: 0000000020d7cfcb RDI: 0000000000000005
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000053
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000006
R13: 00000000000009d4 R14: 00000000004cb445 R15: 000000000000000c
FAULT_INJECTION: forcing a failure.
name fail_page_alloc, interval 1, probability 0, space 0, times 0
CPU: 0 PID: 18850 Comm: syz-executor.0 Not tainted 4.14.169-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x142/0x197 lib/dump_stack.c:58
fail_dump lib/fault-inject.c:51 [inline]
should_fail.cold+0x10f/0x159 lib/fault-inject.c:149
should_fail_alloc_page mm/page_alloc.c:2891 [inline]
prepare_alloc_pages mm/page_alloc.c:4124 [inline]
__alloc_pages_nodemask+0x1d6/0x7a0 mm/page_alloc.c:4172
alloc_pages_current+0xec/0x1e0 mm/mempolicy.c:2113
alloc_pages include/linux/gfp.h:520 [inline]
skb_page_frag_refill+0x1ef/0x490 net/core/sock.c:2201
sk_page_frag_refill+0x53/0x1c0 net/core/sock.c:2221
tcp_sendmsg_locked+0x7dc/0x31c0 net/ipv4/tcp.c:1343
tcp_sendmsg+0x30/0x50 net/ipv4/tcp.c:1457
inet_sendmsg+0x122/0x500 net/ipv4/af_inet.c:762
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xce/0x110 net/socket.c:656
SYSC_sendto+0x206/0x310 net/socket.c:1763
SyS_sendto+0x40/0x50 net/socket.c:1731
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x45b399
RSP: 002b:00007fc1af258c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007fc1af2596d4 RCX: 000000000045b399
RDX: ffffffffffffffef RSI: 0000000020d7cfcb RDI: 0000000000000005
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000053
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000006
R13: 00000000000009d4 R14: 00000000004cb445 R15: 000000000000000d
FAULT_INJECTION: forcing a failure.
name fail_page_alloc, interval 1, probability 0, space 0, times 0
CPU: 1 PID: 18907 Comm: syz-executor.0 Not tainted 4.14.169-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x142/0x197 lib/dump_stack.c:58
fail_dump lib/fault-inject.c:51 [inline]
should_fail.cold+0x10f/0x159 lib/fault-inject.c:149
should_fail_alloc_page mm/page_alloc.c:2891 [inline]
prepare_alloc_pages mm/page_alloc.c:4124 [inline]
__alloc_pages_nodemask+0x1d6/0x7a0 mm/page_alloc.c:4172
alloc_pages_current+0xec/0x1e0 mm/mempolicy.c:2113
alloc_pages include/linux/gfp.h:520 [inline]
skb_page_frag_refill+0x1ef/0x490 net/core/sock.c:2201
sk_page_frag_refill+0x53/0x1c0 net/core/sock.c:2221
tcp_sendmsg_locked+0x7dc/0x31c0 net/ipv4/tcp.c:1343
tcp_sendmsg+0x30/0x50 net/ipv4/tcp.c:1457
inet_sendmsg+0x122/0x500 net/ipv4/af_inet.c:762
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xce/0x110 net/socket.c:656
SYSC_sendto+0x206/0x310 net/socket.c:1763
SyS_sendto+0x40/0x50 net/socket.c:1731
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x45b399
RSP: 002b:00007fc1af258c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007fc1af2596d4 RCX: 000000000045b399
RDX: ffffffffffffffef RSI: 0000000020d7cfcb RDI: 0000000000000005
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000053
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000006
R13: 00000000000009d4 R14: 00000000004cb445 R15: 000000000000000e
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 1 PID: 18963 Comm: syz-executor.0 Not tainted 4.14.169-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x142/0x197 lib/dump_stack.c:58
fail_dump lib/fault-inject.c:51 [inline]
should_fail.cold+0x10f/0x159 lib/fault-inject.c:149
should_failslab+0xdb/0x130 mm/failslab.c:32
slab_pre_alloc_hook mm/slab.h:421 [inline]
slab_alloc_node mm/slab.c:3297 [inline]
kmem_cache_alloc_node+0x287/0x780 mm/slab.c:3640
__alloc_skb+0x9c/0x500 net/core/skbuff.c:193
alloc_skb_fclone include/linux/skbuff.h:1022 [inline]
sk_stream_alloc_skb+0xb5/0x780 net/ipv4/tcp.c:855
tcp_sendmsg_locked+0xf6b/0x31c0 net/ipv4/tcp.c:1301
tcp_sendmsg+0x30/0x50 net/ipv4/tcp.c:1457
inet_sendmsg+0x122/0x500 net/ipv4/af_inet.c:762
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xce/0x110 net/socket.c:656
SYSC_sendto+0x206/0x310 net/socket.c:1763
SyS_sendto+0x40/0x50 net/socket.c:1731
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x45b399
RSP: 002b:00007fc1af258c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007fc1af2596d4 RCX: 000000000045b399
RDX: ffffffffffffffef RSI: 0000000020d7cfcb RDI: 0000000000000005
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000053
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000006
R13: 00000000000009d4 R14: 00000000004cb445 R15: 000000000000000f

---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

unread,

Feb 2, 2020, 6:26:15 AM2/2/20

to syzkaller...@googlegroups.com

Hello,

syzbot found the following crash on:

HEAD commit: 32ee7492 Linux 4.19.101
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=115ec776e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=928a6b2d3f9b21f8
dashboard link: https://syzkaller.appspot.com/bug?extid=dd0b6736d3c24f05fbc7

compiler: gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:

Reported-by: syzbot+dd0b67...@syzkaller.appspotmail.com

RDX: 00000000fffffedf RSI: 0000000020000000 RDI: 0000000000000005
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000

R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000006

R13: 0000000000000c16 R14: 00000000004c8b8b R15: 0000000000000002

======================================================
WARNING: possible circular locking dependency detected

4.19.101-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.3/15097 is trying to acquire lock:
00000000d9187da0 (console_owner){-...}, at: console_trylock_spinning kernel/printk/printk.c:1669 [inline]
00000000d9187da0 (console_owner){-...}, at: vprintk_emit+0x3d5/0x6d0 kernel/printk/printk.c:1936

but task is already holding lock:

0000000008baf6a9 (&(&port->lock)->rlock){-.-.}, at: pty_write+0xff/0x200 drivers/tty/pty.c:120

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #2 (&(&port->lock)->rlock){-.-.}:

__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x95/0xcd kernel/locking/spinlock.c:152
tty_port_tty_get+0x22/0x90 drivers/tty/tty_port.c:288
tty_port_default_wakeup+0x16/0x40 drivers/tty/tty_port.c:47
tty_port_tty_wakeup+0x57/0x70 drivers/tty/tty_port.c:390
uart_write_wakeup+0x46/0x70 drivers/tty/serial/serial_core.c:103
serial8250_tx_chars+0x495/0xaf0 drivers/tty/serial/8250/8250_port.c:1806
serial8250_handle_irq.part.0+0x261/0x2b0 drivers/tty/serial/8250/8250_port.c:1879
serial8250_handle_irq drivers/tty/serial/8250/8250_port.c:1865 [inline]
serial8250_default_handle_irq+0xc0/0x150 drivers/tty/serial/8250/8250_port.c:1895
serial8250_interrupt+0xfc/0x1e0 drivers/tty/serial/8250/8250_core.c:125
__handle_irq_event_percpu+0x144/0x8f0 kernel/irq/handle.c:149
handle_irq_event_percpu+0x74/0x160 kernel/irq/handle.c:189
handle_irq_event+0xa7/0x134 kernel/irq/handle.c:206
handle_edge_irq+0x25e/0x8d0 kernel/irq/chip.c:797
generic_handle_irq_desc include/linux/irqdesc.h:155 [inline]
handle_irq+0x39/0x50 arch/x86/kernel/irq_64.c:87
do_IRQ+0x99/0x1d0 arch/x86/kernel/irq.c:246
ret_from_intr+0x0/0x1e
arch_local_irq_restore arch/x86/include/asm/paravirt.h:789 [inline]
__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline]
_raw_spin_unlock_irqrestore+0x95/0xe0 kernel/locking/spinlock.c:184
spin_unlock_irqrestore include/linux/spinlock.h:384 [inline]
uart_write+0x3a9/0x6e0 drivers/tty/serial/serial_core.c:612
process_output_block drivers/tty/n_tty.c:593 [inline]
n_tty_write+0x3f9/0x1140 drivers/tty/n_tty.c:2331
do_tty_write drivers/tty/tty_io.c:960 [inline]
tty_write+0x458/0x7a0 drivers/tty/tty_io.c:1044
redirected_tty_write+0xb2/0xc0 drivers/tty/tty_io.c:1065
__vfs_write+0x114/0x810 fs/read_write.c:485
vfs_write+0x20c/0x560 fs/read_write.c:549
ksys_write+0x14f/0x2d0 fs/read_write.c:599
__do_sys_write fs/read_write.c:611 [inline]
__se_sys_write fs/read_write.c:608 [inline]
__x64_sys_write+0x73/0xb0 fs/read_write.c:608
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #1 (&port_lock_key){-.-.}:
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x95/0xcd kernel/locking/spinlock.c:152
serial8250_console_write+0x7ca/0x9f0 drivers/tty/serial/8250/8250_port.c:3247
univ8250_console_write+0x5f/0x70 drivers/tty/serial/8250/8250_core.c:590
call_console_drivers kernel/printk/printk.c:1736 [inline]
console_unlock+0xbdf/0x10d0 kernel/printk/printk.c:2429
vprintk_emit+0x280/0x6d0 kernel/printk/printk.c:1937
vprintk_default+0x28/0x30 kernel/printk/printk.c:1979
vprintk_func+0x7e/0x189 kernel/printk/printk_safe.c:398
printk+0xba/0xed kernel/printk/printk.c:2012
register_console+0x77f/0xb90 kernel/printk/printk.c:2745
univ8250_console_init+0x3e/0x4b drivers/tty/serial/8250/8250_core.c:685
console_init+0x4f7/0x761 kernel/printk/printk.c:2831
start_kernel+0x59c/0x825 init/main.c:660
x86_64_start_reservations+0x29/0x2b arch/x86/kernel/head64.c:490
x86_64_start_kernel+0x77/0x7b arch/x86/kernel/head64.c:471
secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:243

-> #0 (console_owner){-...}:
lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:3903
console_trylock_spinning kernel/printk/printk.c:1690 [inline]
vprintk_emit+0x412/0x6d0 kernel/printk/printk.c:1936
vprintk_default+0x28/0x30 kernel/printk/printk.c:1979
vprintk_func+0x7e/0x189 kernel/printk/printk_safe.c:398
printk+0xba/0xed kernel/printk/printk.c:2012
fail_dump lib/fault-inject.c:44 [inline]
should_fail+0x6f1/0x85c lib/fault-inject.c:149
__should_failslab+0x121/0x190 mm/failslab.c:32
should_failslab+0x9/0x14 mm/slab_common.c:1558
slab_pre_alloc_hook mm/slab.h:424 [inline]
slab_alloc mm/slab.c:3383 [inline]
__do_kmalloc mm/slab.c:3725 [inline]
__kmalloc+0x71/0x750 mm/slab.c:3736
kmalloc include/linux/slab.h:520 [inline]
tty_buffer_alloc drivers/tty/tty_buffer.c:170 [inline]
__tty_buffer_request_room+0x1fb/0x5c0 drivers/tty/tty_buffer.c:268
tty_insert_flip_string_fixed_flag+0x93/0x1f0 drivers/tty/tty_buffer.c:313
tty_insert_flip_string include/linux/tty_flip.h:37 [inline]
pty_write+0x133/0x200 drivers/tty/pty.c:122
process_output_block drivers/tty/n_tty.c:593 [inline]
n_tty_write+0x3f9/0x1140 drivers/tty/n_tty.c:2331
do_tty_write drivers/tty/tty_io.c:960 [inline]
tty_write+0x458/0x7a0 drivers/tty/tty_io.c:1044
__vfs_write+0x114/0x810 fs/read_write.c:485
vfs_write+0x20c/0x560 fs/read_write.c:549
ksys_write+0x14f/0x2d0 fs/read_write.c:599
__do_sys_write fs/read_write.c:611 [inline]
__se_sys_write fs/read_write.c:608 [inline]
__x64_sys_write+0x73/0xb0 fs/read_write.c:608
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe

other info that might help us debug this:

Chain exists of:
console_owner --> &port_lock_key --> &(&port->lock)->rlock

Possible unsafe locking scenario:

CPU0 CPU1
---- ----
lock(&(&port->lock)->rlock);
lock(&port_lock_key);
lock(&(&port->lock)->rlock);
lock(console_owner);

*** DEADLOCK ***

5 locks held by syz-executor.3/15097:
#0: 00000000577e581e (&tty->ldisc_sem){++++}, at: ldsem_down_read+0x33/0x40 drivers/tty/tty_ldsem.c:362
#1: 00000000832cae01 (&tty->atomic_write_lock){+.+.}, at: tty_write_lock+0x23/0x90 drivers/tty/tty_io.c:886
#2: 000000005bcefb6b (&o_tty->termios_rwsem/1){++++}, at: n_tty_write+0x1ab/0x1140 drivers/tty/n_tty.c:2314
#3: 0000000068903d8b (&ldata->output_lock){+.+.}, at: process_output_block drivers/tty/n_tty.c:548 [inline]
#3: 0000000068903d8b (&ldata->output_lock){+.+.}, at: n_tty_write+0x52b/0x1140 drivers/tty/n_tty.c:2331
#4: 0000000008baf6a9 (&(&port->lock)->rlock){-.-.}, at: pty_write+0xff/0x200 drivers/tty/pty.c:120

stack backtrace:
CPU: 1 PID: 15097 Comm: syz-executor.3 Not tainted 4.19.101-syzkaller #0