syzbot has found a reproducer for the following issue on:
HEAD commit: 8a923980a190 Linux 6.1.16
git tree: linux-6.1.y
console output:
https://syzkaller.appspot.com/x/log.txt?x=13d36688c80000
kernel config:
https://syzkaller.appspot.com/x/.config?x=fc32d7322291d081
userspace arch: arm64
syz repro:
https://syzkaller.appspot.com/x/repro.syz?x=1285b888c80000
C reproducer:
https://syzkaller.appspot.com/x/repro.c?x=16589f92c80000
Downloadable assets:
disk image:
https://storage.googleapis.com/syzbot-assets/bf09a4a426d0/disk-8a923980.raw.xz
vmlinux:
https://storage.googleapis.com/syzbot-assets/99e88c1c3e26/vmlinux-8a923980.xz
kernel image:
https://storage.googleapis.com/syzbot-assets/d13a720e0836/Image-8a923980.gz.xz
mounted in repro:
https://storage.googleapis.com/syzbot-assets/144ca3dac04f/mount_0.gz
INFO: task syz-executor341:4362 blocked for more than 143 seconds.
Not tainted 6.1.16-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor341 state:D
stack:0 pid:4362 ppid:4361 flags:0x00000008
Call trace:
__switch_to+0x320/0x754 arch/arm64/kernel/process.c:553
context_switch kernel/sched/core.c:5238 [inline]
__schedule+0xf9c/0x1d84 kernel/sched/core.c:6551
schedule+0xc4/0x170 kernel/sched/core.c:6627
wb_wait_for_completion+0x154/0x29c fs/fs-writeback.c:191
sync_inodes_sb+0x220/0x944 fs/fs-writeback.c:2714
sync_filesystem+0x160/0x218 fs/sync.c:64
generic_shutdown_super+0x70/0x328 fs/super.c:474
kill_block_super+0x70/0xdc fs/super.c:1441
deactivate_locked_super+0xac/0x124 fs/super.c:332
deactivate_super+0xf0/0x110 fs/super.c:363
cleanup_mnt+0x394/0x41c fs/namespace.c:1186
__cleanup_mnt+0x20/0x30 fs/namespace.c:1193
task_work_run+0x240/0x2f0 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
do_notify_resume+0x2144/0x3470 arch/arm64/kernel/signal.c:1132
prepare_exit_to_user_mode arch/arm64/kernel/entry-common.c:137 [inline]
exit_to_user_mode arch/arm64/kernel/entry-common.c:142 [inline]
el0_svc+0x9c/0x168 arch/arm64/kernel/entry-common.c:638
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581
INFO: task syz-executor341:4363 blocked for more than 143 seconds.
Not tainted 6.1.16-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor341 state:D
stack:0 pid:4363 ppid:4361 flags:0x00000008
Call trace:
__switch_to+0x320/0x754 arch/arm64/kernel/process.c:553
context_switch kernel/sched/core.c:5238 [inline]
__schedule+0xf9c/0x1d84 kernel/sched/core.c:6551
schedule+0xc4/0x170 kernel/sched/core.c:6627
wb_wait_for_completion+0x154/0x29c fs/fs-writeback.c:191
sync_inodes_sb+0x220/0x944 fs/fs-writeback.c:2714
sync_filesystem+0x160/0x218 fs/sync.c:64
generic_shutdown_super+0x70/0x328 fs/super.c:474
kill_block_super+0x70/0xdc fs/super.c:1441
deactivate_locked_super+0xac/0x124 fs/super.c:332
deactivate_super+0xf0/0x110 fs/super.c:363
cleanup_mnt+0x394/0x41c fs/namespace.c:1186
__cleanup_mnt+0x20/0x30 fs/namespace.c:1193
task_work_run+0x240/0x2f0 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
do_notify_resume+0x2144/0x3470 arch/arm64/kernel/signal.c:1132
prepare_exit_to_user_mode arch/arm64/kernel/entry-common.c:137 [inline]
exit_to_user_mode arch/arm64/kernel/entry-common.c:142 [inline]
el0_svc+0x9c/0x168 arch/arm64/kernel/entry-common.c:638
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581
INFO: task syz-executor341:4364 blocked for more than 143 seconds.
Not tainted 6.1.16-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor341 state:D
stack:0 pid:4364 ppid:4361 flags:0x00000008
Call trace:
__switch_to+0x320/0x754 arch/arm64/kernel/process.c:553
context_switch kernel/sched/core.c:5238 [inline]
__schedule+0xf9c/0x1d84 kernel/sched/core.c:6551
schedule+0xc4/0x170 kernel/sched/core.c:6627
wb_wait_for_completion+0x154/0x29c fs/fs-writeback.c:191
sync_inodes_sb+0x220/0x944 fs/fs-writeback.c:2714
sync_filesystem+0x160/0x218 fs/sync.c:64
generic_shutdown_super+0x70/0x328 fs/super.c:474
kill_block_super+0x70/0xdc fs/super.c:1441
deactivate_locked_super+0xac/0x124 fs/super.c:332
deactivate_super+0xf0/0x110 fs/super.c:363
cleanup_mnt+0x394/0x41c fs/namespace.c:1186
__cleanup_mnt+0x20/0x30 fs/namespace.c:1193
task_work_run+0x240/0x2f0 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
do_notify_resume+0x2144/0x3470 arch/arm64/kernel/signal.c:1132
prepare_exit_to_user_mode arch/arm64/kernel/entry-common.c:137 [inline]
exit_to_user_mode arch/arm64/kernel/entry-common.c:142 [inline]
el0_svc+0x9c/0x168 arch/arm64/kernel/entry-common.c:638
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581
INFO: task syz-executor341:4365 blocked for more than 143 seconds.
Not tainted 6.1.16-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor341 state:D
stack:0 pid:4365 ppid:4361 flags:0x00000008
Call trace:
__switch_to+0x320/0x754 arch/arm64/kernel/process.c:553
context_switch kernel/sched/core.c:5238 [inline]
__schedule+0xf9c/0x1d84 kernel/sched/core.c:6551
schedule+0xc4/0x170 kernel/sched/core.c:6627
wb_wait_for_completion+0x154/0x29c fs/fs-writeback.c:191
sync_inodes_sb+0x220/0x944 fs/fs-writeback.c:2714
sync_filesystem+0x160/0x218 fs/sync.c:64
generic_shutdown_super+0x70/0x328 fs/super.c:474
kill_block_super+0x70/0xdc fs/super.c:1441
deactivate_locked_super+0xac/0x124 fs/super.c:332
deactivate_super+0xf0/0x110 fs/super.c:363
cleanup_mnt+0x394/0x41c fs/namespace.c:1186
__cleanup_mnt+0x20/0x30 fs/namespace.c:1193
task_work_run+0x240/0x2f0 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
do_notify_resume+0x2144/0x3470 arch/arm64/kernel/signal.c:1132
prepare_exit_to_user_mode arch/arm64/kernel/entry-common.c:137 [inline]
exit_to_user_mode arch/arm64/kernel/entry-common.c:142 [inline]
el0_svc+0x9c/0x168 arch/arm64/kernel/entry-common.c:638
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581
INFO: task syz-executor341:4366 blocked for more than 143 seconds.
Not tainted 6.1.16-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor341 state:D
stack:0 pid:4366 ppid:4361 flags:0x00000008
Call trace:
__switch_to+0x320/0x754 arch/arm64/kernel/process.c:553
context_switch kernel/sched/core.c:5238 [inline]
__schedule+0xf9c/0x1d84 kernel/sched/core.c:6551
schedule+0xc4/0x170 kernel/sched/core.c:6627
wb_wait_for_completion+0x154/0x29c fs/fs-writeback.c:191
sync_inodes_sb+0x220/0x944 fs/fs-writeback.c:2714
sync_filesystem+0x160/0x218 fs/sync.c:64
generic_shutdown_super+0x70/0x328 fs/super.c:474
kill_block_super+0x70/0xdc fs/super.c:1441
deactivate_locked_super+0xac/0x124 fs/super.c:332
deactivate_super+0xf0/0x110 fs/super.c:363
cleanup_mnt+0x394/0x41c fs/namespace.c:1186
__cleanup_mnt+0x20/0x30 fs/namespace.c:1193
task_work_run+0x240/0x2f0 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
do_notify_resume+0x2144/0x3470 arch/arm64/kernel/signal.c:1132
prepare_exit_to_user_mode arch/arm64/kernel/entry-common.c:137 [inline]
exit_to_user_mode arch/arm64/kernel/entry-common.c:142 [inline]
el0_svc+0x9c/0x168 arch/arm64/kernel/entry-common.c:638
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581
INFO: task syz-executor341:4367 blocked for more than 143 seconds.
Not tainted 6.1.16-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor341 state:D
stack:0 pid:4367 ppid:4361 flags:0x00000008
Call trace:
__switch_to+0x320/0x754 arch/arm64/kernel/process.c:553
context_switch kernel/sched/core.c:5238 [inline]
__schedule+0xf9c/0x1d84 kernel/sched/core.c:6551
schedule+0xc4/0x170 kernel/sched/core.c:6627
wb_wait_for_completion+0x154/0x29c fs/fs-writeback.c:191
sync_inodes_sb+0x220/0x944 fs/fs-writeback.c:2714
sync_filesystem+0x160/0x218 fs/sync.c:64
generic_shutdown_super+0x70/0x328 fs/super.c:474
kill_block_super+0x70/0xdc fs/super.c:1441
deactivate_locked_super+0xac/0x124 fs/super.c:332
deactivate_super+0xf0/0x110 fs/super.c:363
cleanup_mnt+0x394/0x41c fs/namespace.c:1186
__cleanup_mnt+0x20/0x30 fs/namespace.c:1193
task_work_run+0x240/0x2f0 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
do_notify_resume+0x2144/0x3470 arch/arm64/kernel/signal.c:1132
prepare_exit_to_user_mode arch/arm64/kernel/entry-common.c:137 [inline]
exit_to_user_mode arch/arm64/kernel/entry-common.c:142 [inline]
el0_svc+0x9c/0x168 arch/arm64/kernel/entry-common.c:638
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581
Showing all locks held in the system:
3 locks held by kworker/0:0/7:
1 lock held by rcu_tasks_kthre/12:
#0:
ffff800015905e30
(
rcu_tasks.tasks_gp_mutex
){+.+.}-{3:3}
, at: rcu_tasks_one_gp+0x44/0xcf4 kernel/rcu/tasks.h:510
1 lock held by rcu_tasks_trace/13:
#0:
ffff800015906630
(
rcu_tasks_trace.tasks_gp_mutex
){+.+.}-{3:3}
, at: rcu_tasks_one_gp+0x44/0xcf4 kernel/rcu/tasks.h:510
1 lock held by khungtaskd/28:
#0:
ffff800015905c60
(
rcu_read_lock
){....}-{1:2}
, at: rcu_lock_acquire+0xc/0x44 include/linux/rcupdate.h:305
4 locks held by kworker/u4:2/39:
#0:
ffff0000c0e3d938
(
(wq_completion)writeback
){+.+.}-{0:0}
, at: process_one_work+0x664/0x16f4 kernel/workqueue.c:2262
#1:
ffff80001b187c20
(
(work_completion)(&(&wb->dwork)->work)
){+.+.}-{0:0}
, at: process_one_work+0x6a8/0x16f4 kernel/workqueue.c:2264
#2:
ffff0000c1e00650
(
sb_internal
#2
){.+.+}-{0:0}
, at: xfs_bmapi_convert_delalloc+0x21c/0x10b0 fs/xfs/libxfs/xfs_bmap.c:4521
#3:
ffff0000e08d1858
(
&xfs_nondir_ilock_class
){++++}-{3:3}
, at: mrupdate_nested fs/xfs/mrlock.h:36 [inline]
, at: xfs_ilock+0x2fc/0x684 fs/xfs/xfs_inode.c:211
4 locks held by kworker/u4:5/1608:
#0:
ffff0000c0e3d938
(
(wq_completion)writeback
){+.+.}-{0:0}
, at: process_one_work+0x664/0x16f4 kernel/workqueue.c:2262
#1:
ffff800021ed7c20
(
(work_completion)(&(&wb->dwork)->work)
){+.+.}-{0:0}
, at: process_one_work+0x6a8/0x16f4 kernel/workqueue.c:2264
#2:
ffff0000c1c84650
(
sb_internal
#2
){.+.+}-{0:0}
, at: xfs_bmapi_convert_delalloc+0x21c/0x10b0 fs/xfs/libxfs/xfs_bmap.c:4521
#3:
ffff0000e0845e18
(
&xfs_nondir_ilock_class
){++++}-{3:3}
, at: mrupdate_nested fs/xfs/mrlock.h:36 [inline]
, at: xfs_ilock+0x2fc/0x684 fs/xfs/xfs_inode.c:211
2 locks held by getty/3988:
#0:
ffff0000d414e098
(
&tty->ldisc_sem
){++++}-{0:0}
, at: ldsem_down_read+0x3c/0x4c drivers/tty/tty_ldsem.c:340
#1:
ffff80001bba02f0
(
&ldata->atomic_read_lock
){+.+.}-{3:3}
, at: n_tty_read+0x414/0x1210 drivers/tty/n_tty.c:2177
4 locks held by kworker/u4:1/4349:
#0:
ffff0000c0e3d938
(
(wq_completion)writeback
){+.+.}-{0:0}
, at: process_one_work+0x664/0x16f4 kernel/workqueue.c:2262
#1:
ffff80001de47c20
(
(work_completion)(&(&wb->dwork)->work)
){+.+.}-{0:0}
, at: process_one_work+0x6a8/0x16f4 kernel/workqueue.c:2264
#2:
ffff0000da5c0650
(
sb_internal
#2
){.+.+}-{0:0}
, at: xfs_bmapi_convert_delalloc+0x21c/0x10b0 fs/xfs/libxfs/xfs_bmap.c:4521
#3:
ffff0000e0843f18
(
&xfs_nondir_ilock_class
){++++}-{3:3}
, at: mrupdate_nested fs/xfs/mrlock.h:36 [inline]
, at: xfs_ilock+0x2fc/0x684 fs/xfs/xfs_inode.c:211
2 locks held by syz-executor341/4362:
#0:
ffff0000c1e000e0
(
&type->s_umount_key
#40
){+.+.}-{3:3}
, at: deactivate_super+0xe8/0x110 fs/super.c:362
#1:
ffff0000cc88a7d0
(
&bdi->wb_switch_rwsem
){+.+.}-{3:3}
, at: bdi_down_write_wb_switch_rwsem fs/fs-writeback.c:362 [inline]
, at: sync_inodes_sb+0x208/0x944 fs/fs-writeback.c:2712
2 locks held by syz-executor341/4363:
#0:
ffff0000ceb0e0e0
(
&type->s_umount_key
#40
){+.+.}-{3:3}
, at: deactivate_super+0xe8/0x110 fs/super.c:362
#1:
ffff0000cc8d87d0
(
&bdi->wb_switch_rwsem
){+.+.}-{3:3}
, at: bdi_down_write_wb_switch_rwsem fs/fs-writeback.c:362 [inline]
, at: sync_inodes_sb+0x208/0x944 fs/fs-writeback.c:2712
2 locks held by syz-executor341/4364:
#0:
ffff0000d9b720e0
(
&type->s_umount_key
#40
){+.+.}-{3:3}
, at: deactivate_super+0xe8/0x110 fs/super.c:362
#1:
ffff0000cc8de7d0
(
&bdi->wb_switch_rwsem
){+.+.}-{3:3}
, at: bdi_down_write_wb_switch_rwsem fs/fs-writeback.c:362 [inline]
, at: sync_inodes_sb+0x208/0x944 fs/fs-writeback.c:2712
2 locks held by syz-executor341/4365:
#0:
ffff0000d92720e0
(
&type->s_umount_key
#40
){+.+.}-{3:3}
, at: deactivate_super+0xe8/0x110 fs/super.c:362
#1:
ffff0000cc8ec7d0
(
&bdi->wb_switch_rwsem
){+.+.}-{3:3}
, at: bdi_down_write_wb_switch_rwsem fs/fs-writeback.c:362 [inline]
, at: sync_inodes_sb+0x208/0x944 fs/fs-writeback.c:2712
2 locks held by syz-executor341/4366:
#0:
ffff0000da5c00e0
(
&type->s_umount_key
#40
){+.+.}-{3:3}
, at: deactivate_super+0xe8/0x110 fs/super.c:362
#1:
ffff0000cc8fa7d0
(
&bdi->wb_switch_rwsem
){+.+.}-{3:3}
, at: bdi_down_write_wb_switch_rwsem fs/fs-writeback.c:362 [inline]
, at: sync_inodes_sb+0x208/0x944 fs/fs-writeback.c:2712
2 locks held by syz-executor341/4367:
#0:
ffff0000c1c840e0
(
&type->s_umount_key
#40
){+.+.}-{3:3}
, at: deactivate_super+0xe8/0x110 fs/super.c:362
#1:
ffff0000cc9807d0
(
&bdi->wb_switch_rwsem
){+.+.}-{3:3}
, at: bdi_down_write_wb_switch_rwsem fs/fs-writeback.c:362 [inline]
, at: sync_inodes_sb+0x208/0x944 fs/fs-writeback.c:2712
4 locks held by kworker/u4:3/4424:
#0:
ffff0000c0e3d938
(
(wq_completion)writeback
){+.+.}-{0:0}
, at: process_one_work+0x664/0x16f4 kernel/workqueue.c:2262
#1:
ffff80001dc77c20
(
(work_completion)(&(&wb->dwork)->work)
){+.+.}-{0:0}
, at: process_one_work+0x6a8/0x16f4 kernel/workqueue.c:2264
#2:
ffff0000d9b72650
(
sb_internal
#2
){.+.+}-{0:0}
, at: xfs_bmapi_convert_delalloc+0x21c/0x10b0 fs/xfs/libxfs/xfs_bmap.c:4521
#3:
ffff0000e0841858
(
&xfs_nondir_ilock_class
){++++}-{3:3}
, at: mrupdate_nested fs/xfs/mrlock.h:36 [inline]
, at: xfs_ilock+0x2fc/0x684 fs/xfs/xfs_inode.c:211
4 locks held by kworker/u4:4/4425:
#0:
ffff0000c0e3d938
(
(wq_completion)writeback
){+.+.}-{0:0}
, at: process_one_work+0x664/0x16f4 kernel/workqueue.c:2262
#1:
ffff80001e007c20
(
(work_completion)(&(&wb->dwork)->work)
){+.+.}-{0:0}
, at: process_one_work+0x6a8/0x16f4 kernel/workqueue.c:2264
#2:
ffff0000ceb0e650
(
sb_internal
#2
){.+.+}-{0:0}
, at: xfs_bmapi_convert_delalloc+0x21c/0x10b0 fs/xfs/libxfs/xfs_bmap.c:4521
#3:
ffff0000e08d4e98
(
&xfs_nondir_ilock_class
){++++}-{3:3}
, at: mrupdate_nested fs/xfs/mrlock.h:36 [inline]
, at: xfs_ilock+0x2fc/0x684 fs/xfs/xfs_inode.c:211
4 locks held by kworker/u4:7/4427:
#0:
ffff0000c0e3d938
(
(wq_completion)writeback
){+.+.}-{0:0}
, at: process_one_work+0x664/0x16f4 kernel/workqueue.c:2262
#1:
ffff80001dc97c20
(
(work_completion)(&(&wb->dwork)->work)
){+.+.}-{0:0}
, at: process_one_work+0x6a8/0x16f4 kernel/workqueue.c:2264
#2:
ffff0000d9272650
(
sb_internal
#2
){.+.+}-{0:0}
, at: xfs_bmapi_convert_delalloc+0x21c/0x10b0 fs/xfs/libxfs/xfs_bmap.c:4521
#3:
ffff0000e0843758
(
&xfs_nondir_ilock_class
){++++}-{3:3}
, at: mrupdate_nested fs/xfs/mrlock.h:36 [inline]
, at: xfs_ilock+0x2fc/0x684 fs/xfs/xfs_inode.c:211
=============================================