[v5.15] possible deadlock in iterate_dir (2)
0 views
Skip to first unread message
syzbot
Aug 28, 2023, 12:55:47 PM8/28/23
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 5ddfe5cc8716 Linux 5.15.128
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=172a17eba80000
kernel config: https://syzkaller.appspot.com/x/.config?x=1b6ad98d397fbe23
dashboard link: https://syzkaller.appspot.com/bug?extid=ae07d55f2021d33f9cb4
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/9a542b09fbaf/disk-5ddfe5cc.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/4452fc1a4542/vmlinux-5ddfe5cc.xz
kernel image: https://storage.googleapis.com/syzbot-assets/90dc6d0c61df/bzImage-5ddfe5cc.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ae07d5...@syzkaller.appspotmail.com
======================================================
WARNING: possible circular locking dependency detected
5.15.128-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.0/3656 is trying to acquire lock:
ffff8880243bf128 (&mm->mmap_lock){++++}-{3:3}, at: mmap_read_lock+0x1c/0x50 include/linux/mmap_lock.h:117
but task is already holding lock:
ffff8880129388b0 (&type->i_mutex_dir_key#2){++++}-{3:3}, at: iterate_dir+0x10a/0x570 fs/readdir.c:55
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #3 (&type->i_mutex_dir_key#2){++++}-{3:3}:
lock_acquire+0x1db/0x4f0 kernel/locking/lockdep.c:5622
down_read+0x45/0x2e0 kernel/locking/rwsem.c:1488
inode_lock_shared include/linux/fs.h:797 [inline]
lookup_slow+0x45/0x70 fs/namei.c:1675
walk_component+0x48c/0x610 fs/namei.c:1972
lookup_last fs/namei.c:2427 [inline]
path_lookupat+0x16f/0x450 fs/namei.c:2451
filename_lookup+0x230/0x5c0 fs/namei.c:2480
kern_path+0x37/0x180 fs/namei.c:2570
lookup_bdev+0xc1/0x280 block/bdev.c:979
device_matched fs/btrfs/volumes.c:563 [inline]
btrfs_free_stale_devices+0x6cc/0xb00 fs/btrfs/volumes.c:608
btrfs_scan_one_device+0x494/0x690 fs/btrfs/volumes.c:1440
btrfs_mount_root+0x4b4/0x930 fs/btrfs/super.c:1716
legacy_get_tree+0xeb/0x180 fs/fs_context.c:611
vfs_get_tree+0x88/0x270 fs/super.c:1517
fc_mount fs/namespace.c:1000 [inline]
vfs_kern_mount+0xb8/0x150 fs/namespace.c:1030
btrfs_mount+0x395/0xb40 fs/btrfs/super.c:1812
legacy_get_tree+0xeb/0x180 fs/fs_context.c:611
vfs_get_tree+0x88/0x270 fs/super.c:1517
do_new_mount+0x28b/0xae0 fs/namespace.c:2994
do_mount fs/namespace.c:3337 [inline]
__do_sys_mount fs/namespace.c:3545 [inline]
__se_sys_mount+0x2d5/0x3c0 fs/namespace.c:3522
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x61/0xcb
-> #2 (&fs_devs->device_list_mutex){+.+.}-{3:3}:
lock_acquire+0x1db/0x4f0 kernel/locking/lockdep.c:5622
__mutex_lock_common+0x1da/0x25a0 kernel/locking/mutex.c:596
__mutex_lock kernel/locking/mutex.c:729 [inline]
mutex_lock_nested+0x17/0x20 kernel/locking/mutex.c:743
insert_dev_extents fs/btrfs/block-group.c:2379 [inline]
btrfs_create_pending_block_groups+0x5c1/0x1130 fs/btrfs/block-group.c:2429
__btrfs_end_transaction+0x296/0x780 fs/btrfs/transaction.c:1013
btrfs_inc_block_group_ro+0x583/0x5f0 fs/btrfs/block-group.c:2644
btrfs_relocate_block_group+0x3ec/0xcb0 fs/btrfs/relocation.c:4041
btrfs_relocate_chunk+0xac/0x270 fs/btrfs/volumes.c:3280
__btrfs_balance+0x185e/0x27c0 fs/btrfs/volumes.c:4010
btrfs_balance+0xd40/0x14a0 fs/btrfs/volumes.c:4400
btrfs_ioctl_balance+0x643/0x7d0 fs/btrfs/ioctl.c:4130
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:874 [inline]
__se_sys_ioctl+0xf1/0x160 fs/ioctl.c:860
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x61/0xcb
-> #1 (sb_internal#3){.+.+}-{0:0}:
lock_acquire+0x1db/0x4f0 kernel/locking/lockdep.c:5622
percpu_down_read include/linux/percpu-rwsem.h:51 [inline]
__sb_start_write include/linux/fs.h:1742 [inline]
sb_start_intwrite include/linux/fs.h:1859 [inline]
start_transaction+0x5a8/0x11a0 fs/btrfs/transaction.c:677
btrfs_dirty_inode+0xcc/0x1c0 fs/btrfs/inode.c:6322
inode_update_time fs/inode.c:1829 [inline]
touch_atime+0x34e/0x680 fs/inode.c:1902
file_accessed include/linux/fs.h:2447 [inline]
btrfs_file_mmap+0xbf/0x120 fs/btrfs/file.c:2424
call_mmap include/linux/fs.h:2108 [inline]
mmap_region+0x10e7/0x1670 mm/mmap.c:1791
do_mmap+0x78d/0xe00 mm/mmap.c:1575
vm_mmap_pgoff+0x1ca/0x2d0 mm/util.c:551
ksys_mmap_pgoff+0x559/0x780 mm/mmap.c:1624
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x61/0xcb
-> #0 (&mm->mmap_lock){++++}-{3:3}:
check_prev_add kernel/locking/lockdep.c:3053 [inline]
check_prevs_add kernel/locking/lockdep.c:3172 [inline]
validate_chain+0x1646/0x58b0 kernel/locking/lockdep.c:3787
__lock_acquire+0x1295/0x1ff0 kernel/locking/lockdep.c:5011
lock_acquire+0x1db/0x4f0 kernel/locking/lockdep.c:5622
down_read+0x45/0x2e0 kernel/locking/rwsem.c:1488
mmap_read_lock+0x1c/0x50 include/linux/mmap_lock.h:117
do_user_addr_fault arch/x86/mm/fault.c:1348 [inline]
handle_page_fault arch/x86/mm/fault.c:1485 [inline]
exc_page_fault+0x5ce/0x740 arch/x86/mm/fault.c:1541
asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:568
user_access_begin arch/x86/include/asm/uaccess.h:574 [inline]
filldir64+0x32b/0x730 fs/readdir.c:331
dir_emit_dot include/linux/fs.h:3605 [inline]
dir_emit_dots include/linux/fs.h:3616 [inline]
dcache_readdir+0x181/0x800 fs/libfs.c:196
iterate_dir+0x224/0x570
__do_sys_getdents64 fs/readdir.c:369 [inline]
__se_sys_getdents64+0x209/0x4f0 fs/readdir.c:354
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x61/0xcb
other info that might help us debug this:
Chain exists of:
&mm->mmap_lock --> &fs_devs->device_list_mutex --> &type->i_mutex_dir_key#2
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&type->i_mutex_dir_key#2);
lock(&fs_devs->device_list_mutex);
lock(&type->i_mutex_dir_key#2);
lock(&mm->mmap_lock);
*** DEADLOCK ***
2 locks held by syz-executor.0/3656:
#0: ffff88801ca5e5f0 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0x2cb/0x380 fs/file.c:1088
#1: ffff8880129388b0 (&type->i_mutex_dir_key#2){++++}-{3:3}, at: iterate_dir+0x10a/0x570 fs/readdir.c:55
stack backtrace:
CPU: 0 PID: 3656 Comm: syz-executor.0 Not tainted 5.15.128-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
check_noncircular+0x2f8/0x3b0 kernel/locking/lockdep.c:2133
check_prev_add kernel/locking/lockdep.c:3053 [inline]
check_prevs_add kernel/locking/lockdep.c:3172 [inline]
validate_chain+0x1646/0x58b0 kernel/locking/lockdep.c:3787
__lock_acquire+0x1295/0x1ff0 kernel/locking/lockdep.c:5011
lock_acquire+0x1db/0x4f0 kernel/locking/lockdep.c:5622
down_read+0x45/0x2e0 kernel/locking/rwsem.c:1488
mmap_read_lock+0x1c/0x50 include/linux/mmap_lock.h:117
do_user_addr_fault arch/x86/mm/fault.c:1348 [inline]
handle_page_fault arch/x86/mm/fault.c:1485 [inline]
exc_page_fault+0x5ce/0x740 arch/x86/mm/fault.c:1541
asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:568
RIP: 0010:filldir64+0x32b/0x730 fs/readdir.c:335
Code: fd 0f 82 60 02 00 00 48 b8 00 f0 ff ff ff 7f 00 00 48 39 c5 0f 87 4d 02 00 00 0f 01 cb 0f ae e8 48 8b 44 24 60 48 8b 4c 24 18 <48> 89 41 08 48 8b 44 24 10 48 8b 4c 24 58 48 89 08 48 8b 4c 24 20
RSP: 0018:ffffc90002e1fc68 EFLAGS: 00050287
RAX: 0000000000000000 RBX: 0000000020000118 RCX: 0000000020000100
RDX: ffffc9000cb1c000 RSI: 0000000020000118 RDI: 00007ffffffff000
RBP: 0000000020000118 R08: ffffffff81da52df R09: 0000000000000004
R10: 0000000000000003 R11: ffff88802473d940 R12: ffffffff8a970040
R13: ffffc90002e1fe70 R14: 0000000000000001 R15: 0000000020000100
dir_emit_dot include/linux/fs.h:3605 [inline]
dir_emit_dots include/linux/fs.h:3616 [inline]
dcache_readdir+0x181/0x800 fs/libfs.c:196
iterate_dir+0x224/0x570
__do_sys_getdents64 fs/readdir.c:369 [inline]
__se_sys_getdents64+0x209/0x4f0 fs/readdir.c:354
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7f3498e06ae9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f34973880c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 00007f3498f25f80 RCX: 00007f3498e06ae9
RDX: 000000000000ffd1 RSI: 0000000020000100 RDI: 0000000000000003
RBP: 00007f3498e5247a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f3498f25f80 R15: 00007ffe5f4f4d18
</TASK>
----------------
Code disassembly (best guess):
0: fd std
1: 0f 82 60 02 00 00 jb 0x267
7: 48 b8 00 f0 ff ff ff movabs $0x7ffffffff000,%rax
e: 7f 00 00
11: 48 39 c5 cmp %rax,%rbp
14: 0f 87 4d 02 00 00 ja 0x267
1a: 0f 01 cb stac
1d: 0f ae e8 lfence
20: 48 8b 44 24 60 mov 0x60(%rsp),%rax
25: 48 8b 4c 24 18 mov 0x18(%rsp),%rcx
* 2a: 48 89 41 08 mov %rax,0x8(%rcx) <-- trapping instruction
2e: 48 8b 44 24 10 mov 0x10(%rsp),%rax
33: 48 8b 4c 24 58 mov 0x58(%rsp),%rcx
38: 48 89 08 mov %rcx,(%rax)
3b: 48 8b 4c 24 20 mov 0x20(%rsp),%rcx
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 5ddfe5cc8716 Linux 5.15.128
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=172a17eba80000
kernel config: https://syzkaller.appspot.com/x/.config?x=1b6ad98d397fbe23
dashboard link: https://syzkaller.appspot.com/bug?extid=ae07d55f2021d33f9cb4
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/9a542b09fbaf/disk-5ddfe5cc.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/4452fc1a4542/vmlinux-5ddfe5cc.xz
kernel image: https://storage.googleapis.com/syzbot-assets/90dc6d0c61df/bzImage-5ddfe5cc.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ae07d5...@syzkaller.appspotmail.com
======================================================
WARNING: possible circular locking dependency detected
5.15.128-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.0/3656 is trying to acquire lock:
ffff8880243bf128 (&mm->mmap_lock){++++}-{3:3}, at: mmap_read_lock+0x1c/0x50 include/linux/mmap_lock.h:117
but task is already holding lock:
ffff8880129388b0 (&type->i_mutex_dir_key#2){++++}-{3:3}, at: iterate_dir+0x10a/0x570 fs/readdir.c:55
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #3 (&type->i_mutex_dir_key#2){++++}-{3:3}:
lock_acquire+0x1db/0x4f0 kernel/locking/lockdep.c:5622
down_read+0x45/0x2e0 kernel/locking/rwsem.c:1488
inode_lock_shared include/linux/fs.h:797 [inline]
lookup_slow+0x45/0x70 fs/namei.c:1675
walk_component+0x48c/0x610 fs/namei.c:1972
lookup_last fs/namei.c:2427 [inline]
path_lookupat+0x16f/0x450 fs/namei.c:2451
filename_lookup+0x230/0x5c0 fs/namei.c:2480
kern_path+0x37/0x180 fs/namei.c:2570
lookup_bdev+0xc1/0x280 block/bdev.c:979
device_matched fs/btrfs/volumes.c:563 [inline]
btrfs_free_stale_devices+0x6cc/0xb00 fs/btrfs/volumes.c:608
btrfs_scan_one_device+0x494/0x690 fs/btrfs/volumes.c:1440
btrfs_mount_root+0x4b4/0x930 fs/btrfs/super.c:1716
legacy_get_tree+0xeb/0x180 fs/fs_context.c:611
vfs_get_tree+0x88/0x270 fs/super.c:1517
fc_mount fs/namespace.c:1000 [inline]
vfs_kern_mount+0xb8/0x150 fs/namespace.c:1030
btrfs_mount+0x395/0xb40 fs/btrfs/super.c:1812
legacy_get_tree+0xeb/0x180 fs/fs_context.c:611
vfs_get_tree+0x88/0x270 fs/super.c:1517
do_new_mount+0x28b/0xae0 fs/namespace.c:2994
do_mount fs/namespace.c:3337 [inline]
__do_sys_mount fs/namespace.c:3545 [inline]
__se_sys_mount+0x2d5/0x3c0 fs/namespace.c:3522
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x61/0xcb
-> #2 (&fs_devs->device_list_mutex){+.+.}-{3:3}:
lock_acquire+0x1db/0x4f0 kernel/locking/lockdep.c:5622
__mutex_lock_common+0x1da/0x25a0 kernel/locking/mutex.c:596
__mutex_lock kernel/locking/mutex.c:729 [inline]
mutex_lock_nested+0x17/0x20 kernel/locking/mutex.c:743
insert_dev_extents fs/btrfs/block-group.c:2379 [inline]
btrfs_create_pending_block_groups+0x5c1/0x1130 fs/btrfs/block-group.c:2429
__btrfs_end_transaction+0x296/0x780 fs/btrfs/transaction.c:1013
btrfs_inc_block_group_ro+0x583/0x5f0 fs/btrfs/block-group.c:2644
btrfs_relocate_block_group+0x3ec/0xcb0 fs/btrfs/relocation.c:4041
btrfs_relocate_chunk+0xac/0x270 fs/btrfs/volumes.c:3280
__btrfs_balance+0x185e/0x27c0 fs/btrfs/volumes.c:4010
btrfs_balance+0xd40/0x14a0 fs/btrfs/volumes.c:4400
btrfs_ioctl_balance+0x643/0x7d0 fs/btrfs/ioctl.c:4130
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:874 [inline]
__se_sys_ioctl+0xf1/0x160 fs/ioctl.c:860
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x61/0xcb
-> #1 (sb_internal#3){.+.+}-{0:0}:
lock_acquire+0x1db/0x4f0 kernel/locking/lockdep.c:5622
percpu_down_read include/linux/percpu-rwsem.h:51 [inline]
__sb_start_write include/linux/fs.h:1742 [inline]
sb_start_intwrite include/linux/fs.h:1859 [inline]
start_transaction+0x5a8/0x11a0 fs/btrfs/transaction.c:677
btrfs_dirty_inode+0xcc/0x1c0 fs/btrfs/inode.c:6322
inode_update_time fs/inode.c:1829 [inline]
touch_atime+0x34e/0x680 fs/inode.c:1902
file_accessed include/linux/fs.h:2447 [inline]
btrfs_file_mmap+0xbf/0x120 fs/btrfs/file.c:2424
call_mmap include/linux/fs.h:2108 [inline]
mmap_region+0x10e7/0x1670 mm/mmap.c:1791
do_mmap+0x78d/0xe00 mm/mmap.c:1575
vm_mmap_pgoff+0x1ca/0x2d0 mm/util.c:551
ksys_mmap_pgoff+0x559/0x780 mm/mmap.c:1624
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x61/0xcb
-> #0 (&mm->mmap_lock){++++}-{3:3}:
check_prev_add kernel/locking/lockdep.c:3053 [inline]
check_prevs_add kernel/locking/lockdep.c:3172 [inline]
validate_chain+0x1646/0x58b0 kernel/locking/lockdep.c:3787
__lock_acquire+0x1295/0x1ff0 kernel/locking/lockdep.c:5011
lock_acquire+0x1db/0x4f0 kernel/locking/lockdep.c:5622
down_read+0x45/0x2e0 kernel/locking/rwsem.c:1488
mmap_read_lock+0x1c/0x50 include/linux/mmap_lock.h:117
do_user_addr_fault arch/x86/mm/fault.c:1348 [inline]
handle_page_fault arch/x86/mm/fault.c:1485 [inline]
exc_page_fault+0x5ce/0x740 arch/x86/mm/fault.c:1541
asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:568
user_access_begin arch/x86/include/asm/uaccess.h:574 [inline]
filldir64+0x32b/0x730 fs/readdir.c:331
dir_emit_dot include/linux/fs.h:3605 [inline]
dir_emit_dots include/linux/fs.h:3616 [inline]
dcache_readdir+0x181/0x800 fs/libfs.c:196
iterate_dir+0x224/0x570
__do_sys_getdents64 fs/readdir.c:369 [inline]
__se_sys_getdents64+0x209/0x4f0 fs/readdir.c:354
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x61/0xcb
other info that might help us debug this:
Chain exists of:
&mm->mmap_lock --> &fs_devs->device_list_mutex --> &type->i_mutex_dir_key#2
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&type->i_mutex_dir_key#2);
lock(&fs_devs->device_list_mutex);
lock(&type->i_mutex_dir_key#2);
lock(&mm->mmap_lock);
*** DEADLOCK ***
2 locks held by syz-executor.0/3656:
#0: ffff88801ca5e5f0 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0x2cb/0x380 fs/file.c:1088
#1: ffff8880129388b0 (&type->i_mutex_dir_key#2){++++}-{3:3}, at: iterate_dir+0x10a/0x570 fs/readdir.c:55
stack backtrace:
CPU: 0 PID: 3656 Comm: syz-executor.0 Not tainted 5.15.128-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
check_noncircular+0x2f8/0x3b0 kernel/locking/lockdep.c:2133
check_prev_add kernel/locking/lockdep.c:3053 [inline]
check_prevs_add kernel/locking/lockdep.c:3172 [inline]
validate_chain+0x1646/0x58b0 kernel/locking/lockdep.c:3787
__lock_acquire+0x1295/0x1ff0 kernel/locking/lockdep.c:5011
lock_acquire+0x1db/0x4f0 kernel/locking/lockdep.c:5622
down_read+0x45/0x2e0 kernel/locking/rwsem.c:1488
mmap_read_lock+0x1c/0x50 include/linux/mmap_lock.h:117
do_user_addr_fault arch/x86/mm/fault.c:1348 [inline]
handle_page_fault arch/x86/mm/fault.c:1485 [inline]
exc_page_fault+0x5ce/0x740 arch/x86/mm/fault.c:1541
asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:568
RIP: 0010:filldir64+0x32b/0x730 fs/readdir.c:335
Code: fd 0f 82 60 02 00 00 48 b8 00 f0 ff ff ff 7f 00 00 48 39 c5 0f 87 4d 02 00 00 0f 01 cb 0f ae e8 48 8b 44 24 60 48 8b 4c 24 18 <48> 89 41 08 48 8b 44 24 10 48 8b 4c 24 58 48 89 08 48 8b 4c 24 20
RSP: 0018:ffffc90002e1fc68 EFLAGS: 00050287
RAX: 0000000000000000 RBX: 0000000020000118 RCX: 0000000020000100
RDX: ffffc9000cb1c000 RSI: 0000000020000118 RDI: 00007ffffffff000
RBP: 0000000020000118 R08: ffffffff81da52df R09: 0000000000000004
R10: 0000000000000003 R11: ffff88802473d940 R12: ffffffff8a970040
R13: ffffc90002e1fe70 R14: 0000000000000001 R15: 0000000020000100
dir_emit_dot include/linux/fs.h:3605 [inline]
dir_emit_dots include/linux/fs.h:3616 [inline]
dcache_readdir+0x181/0x800 fs/libfs.c:196
iterate_dir+0x224/0x570
__do_sys_getdents64 fs/readdir.c:369 [inline]
__se_sys_getdents64+0x209/0x4f0 fs/readdir.c:354
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7f3498e06ae9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f34973880c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 00007f3498f25f80 RCX: 00007f3498e06ae9
RDX: 000000000000ffd1 RSI: 0000000020000100 RDI: 0000000000000003
RBP: 00007f3498e5247a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f3498f25f80 R15: 00007ffe5f4f4d18
</TASK>
----------------
Code disassembly (best guess):
0: fd std
1: 0f 82 60 02 00 00 jb 0x267
7: 48 b8 00 f0 ff ff ff movabs $0x7ffffffff000,%rax
e: 7f 00 00
11: 48 39 c5 cmp %rax,%rbp
14: 0f 87 4d 02 00 00 ja 0x267
1a: 0f 01 cb stac
1d: 0f ae e8 lfence
20: 48 8b 44 24 60 mov 0x60(%rsp),%rax
25: 48 8b 4c 24 18 mov 0x18(%rsp),%rcx
* 2a: 48 89 41 08 mov %rax,0x8(%rcx) <-- trapping instruction
2e: 48 8b 44 24 10 mov 0x10(%rsp),%rax
33: 48 8b 4c 24 58 mov 0x58(%rsp),%rcx
38: 48 89 08 mov %rcx,(%rax)
3b: 48 8b 4c 24 20 mov 0x20(%rsp),%rcx
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot
Mar 8, 2024, 8:21:13 AMMar 8
to syzkaller...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.
Crashes did not happen for a while, no reproducer and no activity.
Reply all
Reply to author
Forward
0 new messages