possible deadlock in mon_bin_vma_fault

15 views

Skip to first unread message

syzbot

unread,

Apr 10, 2019, 11:13:07 PM4/10/19

to syzkaller...@googlegroups.com

Hello,

syzbot found the following crash on:

HEAD commit: 4d552acf Linux 4.19.34
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=160a245b200000
kernel config: https://syzkaller.appspot.com/x/.config?x=c95a88291f095edd
dashboard link: https://syzkaller.appspot.com/bug?extid=762c17ca3bcdb87f6d8e
compiler: gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+762c17...@syzkaller.appspotmail.com

audit: type=1400 audit(1554948748.381:356): avc: denied { map } for
pid=20693 comm="syz-executor.1" path="/dev/usbmon0" dev="devtmpfs"
ino=15564 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=system_u:object_r:usbmon_device_t:s0 tclass=chr_file permissive=1
======================================================
WARNING: possible circular locking dependency detected
kobject: 'loop3' (0000000051aa6e39): kobject_uevent_env
4.19.34 #2 Not tainted
------------------------------------------------------
syz-executor.1/20694 is trying to acquire lock:
000000006484955c (&rp->fetch_lock){+.+.}, at: mon_bin_vma_fault+0x73/0x2d0
drivers/usb/mon/mon_bin.c:1237

but task is already holding lock:
kobject: 'loop3' (0000000051aa6e39): fill_kobj_path: path
= '/devices/virtual/block/loop3'
00000000242fe56e (&mm->mmap_sem){++++}, at: __mm_populate+0x270/0x380
mm/gup.c:1250

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:
kobject: 'loop4' (00000000d2329504): kobject_uevent_env

-> #1 (&mm->mmap_sem){++++}:
__might_fault mm/memory.c:4630 [inline]
__might_fault+0x15e/0x1e0 mm/memory.c:4615
_copy_to_user+0x30/0x120 lib/usercopy.c:25
copy_to_user include/linux/uaccess.h:155 [inline]
mon_bin_read+0x329/0x640 drivers/usb/mon/mon_bin.c:825
do_loop_readv_writev fs/read_write.c:700 [inline]
do_loop_readv_writev fs/read_write.c:687 [inline]
do_iter_read+0x495/0x650 fs/read_write.c:924
vfs_readv+0xf0/0x160 fs/read_write.c:986
do_readv+0xf6/0x290 fs/read_write.c:1019
__do_sys_readv fs/read_write.c:1106 [inline]
__se_sys_readv fs/read_write.c:1103 [inline]
__x64_sys_readv+0x75/0xb0 fs/read_write.c:1103
do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
kobject: 'loop4' (00000000d2329504): fill_kobj_path: path
= '/devices/virtual/block/loop4'

-> #0 (&rp->fetch_lock){+.+.}:
lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:3903
__mutex_lock_common kernel/locking/mutex.c:925 [inline]
__mutex_lock+0xf7/0x1300 kernel/locking/mutex.c:1072
mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1087
mon_bin_vma_fault+0x73/0x2d0 drivers/usb/mon/mon_bin.c:1237
__do_fault+0x116/0x480 mm/memory.c:3263
do_read_fault mm/memory.c:3675 [inline]
do_fault mm/memory.c:3804 [inline]
handle_pte_fault mm/memory.c:4035 [inline]
__handle_mm_fault+0x2d7d/0x3f80 mm/memory.c:4159
handle_mm_fault+0x43f/0xb30 mm/memory.c:4196
kobject: 'loop2' (000000006265e619): kobject_uevent_env
faultin_page mm/gup.c:518 [inline]
__get_user_pages+0x609/0x1770 mm/gup.c:718
populate_vma_page_range+0x20d/0x2a0 mm/gup.c:1222
__mm_populate+0x204/0x380 mm/gup.c:1270
mm_populate include/linux/mm.h:2315 [inline]
vm_mmap_pgoff+0x213/0x230 mm/util.c:362
ksys_mmap_pgoff+0x4aa/0x630 mm/mmap.c:1585
__do_sys_mmap arch/x86/kernel/sys_x86_64.c:100 [inline]
__se_sys_mmap arch/x86/kernel/sys_x86_64.c:91 [inline]
__x64_sys_mmap+0xe9/0x1b0 arch/x86/kernel/sys_x86_64.c:91
do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
kobject: 'loop2' (000000006265e619): fill_kobj_path: path
= '/devices/virtual/block/loop2'

other info that might help us debug this:

Possible unsafe locking scenario:

CPU0 CPU1
---- ----
lock(&mm->mmap_sem);
lock(&rp->fetch_lock);
lock(&mm->mmap_sem);
lock(&rp->fetch_lock);

*** DEADLOCK ***

1 lock held by syz-executor.1/20694:
kobject: 'loop3' (0000000051aa6e39): kobject_uevent_env
#0: 00000000242fe56e (&mm->mmap_sem){++++}, at: __mm_populate+0x270/0x380
mm/gup.c:1250

stack backtrace:
CPU: 1 PID: 20694 Comm: syz-executor.1 Not tainted 4.19.34 #2
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x172/0x1f0 lib/dump_stack.c:113
print_circular_bug.isra.0.cold+0x1cc/0x28f kernel/locking/lockdep.c:1221
kobject: 'loop3' (0000000051aa6e39): fill_kobj_path: path
= '/devices/virtual/block/loop3'
check_prev_add kernel/locking/lockdep.c:1861 [inline]
check_prevs_add kernel/locking/lockdep.c:1974 [inline]
validate_chain kernel/locking/lockdep.c:2415 [inline]
__lock_acquire+0x2e6d/0x48f0 kernel/locking/lockdep.c:3411
lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:3903
__mutex_lock_common kernel/locking/mutex.c:925 [inline]
__mutex_lock+0xf7/0x1300 kernel/locking/mutex.c:1072
kobject: 'loop0' (00000000d20cd7ac): kobject_uevent_env
kobject: 'loop0' (00000000d20cd7ac): fill_kobj_path: path
= '/devices/virtual/block/loop0'
mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1087
mon_bin_vma_fault+0x73/0x2d0 drivers/usb/mon/mon_bin.c:1237
__do_fault+0x116/0x480 mm/memory.c:3263
do_read_fault mm/memory.c:3675 [inline]
do_fault mm/memory.c:3804 [inline]
handle_pte_fault mm/memory.c:4035 [inline]
__handle_mm_fault+0x2d7d/0x3f80 mm/memory.c:4159
kobject: 'loop2' (000000006265e619): kobject_uevent_env
handle_mm_fault+0x43f/0xb30 mm/memory.c:4196
faultin_page mm/gup.c:518 [inline]
__get_user_pages+0x609/0x1770 mm/gup.c:718
kobject: 'loop2' (000000006265e619): fill_kobj_path: path
= '/devices/virtual/block/loop2'
populate_vma_page_range+0x20d/0x2a0 mm/gup.c:1222
__mm_populate+0x204/0x380 mm/gup.c:1270
mm_populate include/linux/mm.h:2315 [inline]
vm_mmap_pgoff+0x213/0x230 mm/util.c:362
ksys_mmap_pgoff+0x4aa/0x630 mm/mmap.c:1585
__do_sys_mmap arch/x86/kernel/sys_x86_64.c:100 [inline]
__se_sys_mmap arch/x86/kernel/sys_x86_64.c:91 [inline]
__x64_sys_mmap+0xe9/0x1b0 arch/x86/kernel/sys_x86_64.c:91
do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4582f9
Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f36e8759c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 00000000004582f9
RDX: 0000000001000001 RSI: 0000000000062000 RDI: 0000000020000000
RBP: 000000000073bf00 R08: 0000000000000003 R09: 0000000000000000
R10: 0000000000008011 R11: 0000000000000246 R12: 00007f36e875a6d4
R13: 00000000004c4015 R14: 00000000004d75d8 R15: 00000000ffffffff
kobject: 'loop5' (0000000068ffd4ac): kobject_uevent_env
kobject: 'loop5' (0000000068ffd4ac): fill_kobj_path: path
= '/devices/virtual/block/loop5'
kobject: 'loop1' (000000004c6ff07f): kobject_uevent_env
kobject: 'loop1' (000000004c6ff07f): fill_kobj_path: path
= '/devices/virtual/block/loop1'
kobject: 'loop0' (00000000d20cd7ac): kobject_uevent_env
kobject: 'loop0' (00000000d20cd7ac): fill_kobj_path: path
= '/devices/virtual/block/loop0'
kobject: 'loop1' (000000004c6ff07f): kobject_uevent_env
kobject: 'loop1' (000000004c6ff07f): fill_kobj_path: path
= '/devices/virtual/block/loop1'
kobject: 'loop0' (00000000d20cd7ac): kobject_uevent_env
kobject: 'loop0' (00000000d20cd7ac): fill_kobj_path: path
= '/devices/virtual/block/loop0'
kobject: 'loop2' (000000006265e619): kobject_uevent_env
kobject: 'loop2' (000000006265e619): fill_kobj_path: path
= '/devices/virtual/block/loop2'
kobject: 'loop3' (0000000051aa6e39): kobject_uevent_env
kobject: 'loop3' (0000000051aa6e39): fill_kobj_path: path
= '/devices/virtual/block/loop3'
kobject: 'loop4' (00000000d2329504): kobject_uevent_env
kobject: 'loop4' (00000000d2329504): fill_kobj_path: path
= '/devices/virtual/block/loop4'
kobject: 'loop0' (00000000d20cd7ac): kobject_uevent_env
kobject: 'loop0' (00000000d20cd7ac): fill_kobj_path: path
= '/devices/virtual/block/loop0'
kobject: 'loop5' (0000000068ffd4ac): kobject_uevent_env
kobject: 'loop5' (0000000068ffd4ac): fill_kobj_path: path
= '/devices/virtual/block/loop5'
kobject: 'loop2' (000000006265e619): kobject_uevent_env
kobject: 'loop2' (000000006265e619): fill_kobj_path: path
= '/devices/virtual/block/loop2'
kobject: 'loop1' (000000004c6ff07f): kobject_uevent_env
kobject: 'loop1' (000000004c6ff07f): fill_kobj_path: path
= '/devices/virtual/block/loop1'
kobject: 'loop3' (0000000051aa6e39): kobject_uevent_env
kobject: 'loop3' (0000000051aa6e39): fill_kobj_path: path
= '/devices/virtual/block/loop3'
kobject: 'loop2' (000000006265e619): kobject_uevent_env
kobject: 'loop2' (000000006265e619): fill_kobj_path: path
= '/devices/virtual/block/loop2'
kobject: 'loop5' (0000000068ffd4ac): kobject_uevent_env
kobject: 'loop5' (0000000068ffd4ac): fill_kobj_path: path
= '/devices/virtual/block/loop5'
kobject: 'loop1' (000000004c6ff07f): kobject_uevent_env
QAT: failed to copy from user cfg_data.
kobject: 'loop1' (000000004c6ff07f): fill_kobj_path: path
= '/devices/virtual/block/loop1'
kobject: 'loop4' (00000000d2329504): kobject_uevent_env
kobject: 'loop4' (00000000d2329504): fill_kobj_path: path
= '/devices/virtual/block/loop4'
kobject: 'loop2' (000000006265e619): kobject_uevent_env
kobject: 'loop2' (000000006265e619): fill_kobj_path: path
= '/devices/virtual/block/loop2'
kobject: 'loop5' (0000000068ffd4ac): kobject_uevent_env
kobject: 'loop5' (0000000068ffd4ac): fill_kobj_path: path
= '/devices/virtual/block/loop5'
QAT: failed to copy from user cfg_data.
kobject: 'loop3' (0000000051aa6e39): kobject_uevent_env
kobject: 'loop3' (0000000051aa6e39): fill_kobj_path: path
= '/devices/virtual/block/loop3'
kobject: 'loop1' (000000004c6ff07f): kobject_uevent_env
kobject: 'loop1' (000000004c6ff07f): fill_kobj_path: path
= '/devices/virtual/block/loop1'
kobject: 'loop5' (0000000068ffd4ac): kobject_uevent_env
kobject: 'loop5' (0000000068ffd4ac): fill_kobj_path: path
= '/devices/virtual/block/loop5'
QAT: failed to copy from user cfg_data.
QAT: failed to copy from user cfg_data.
kobject: 'loop4' (00000000d2329504): kobject_uevent_env
kobject: 'loop4' (00000000d2329504): fill_kobj_path: path
= '/devices/virtual/block/loop4'
QAT: failed to copy from user cfg_data.
kobject: 'loop0' (00000000d20cd7ac): kobject_uevent_env
kobject: 'loop0' (00000000d20cd7ac): fill_kobj_path: path
= '/devices/virtual/block/loop0'
kobject: 'loop5' (0000000068ffd4ac): kobject_uevent_env
QAT: failed to copy from user cfg_data.
kobject: 'loop5' (0000000068ffd4ac): fill_kobj_path: path
= '/devices/virtual/block/loop5'
kobject: 'loop2' (000000006265e619): kobject_uevent_env
kobject: 'loop2' (000000006265e619): fill_kobj_path: path
= '/devices/virtual/block/loop2'
kobject: 'loop3' (0000000051aa6e39): kobject_uevent_env
kobject: 'loop3' (0000000051aa6e39): fill_kobj_path: path
= '/devices/virtual/block/loop3'
QAT: failed to copy from user cfg_data.
kobject: 'loop0' (00000000d20cd7ac): kobject_uevent_env
kobject: 'loop0' (00000000d20cd7ac): fill_kobj_path: path
= '/devices/virtual/block/loop0'
kobject: 'loop4' (00000000d2329504): kobject_uevent_env
kobject: 'loop4' (00000000d2329504): fill_kobj_path: path
= '/devices/virtual/block/loop4'
kobject: 'loop5' (0000000068ffd4ac): kobject_uevent_env
kobject: 'loop5' (0000000068ffd4ac): fill_kobj_path: path
= '/devices/virtual/block/loop5'
kobject: 'loop0' (00000000d20cd7ac): kobject_uevent_env
kobject: 'loop0' (00000000d20cd7ac): fill_kobj_path: path
= '/devices/virtual/block/loop0'
kobject: 'loop3' (0000000051aa6e39): kobject_uevent_env
kobject: 'loop3' (0000000051aa6e39): fill_kobj_path: path
= '/devices/virtual/block/loop3'
kobject: 'loop1' (000000004c6ff07f): kobject_uevent_env
kobject: 'loop1' (000000004c6ff07f): fill_kobj_path: path
= '/devices/virtual/block/loop1'
kobject: 'loop2' (000000006265e619): kobject_uevent_env
kobject: 'loop2' (000000006265e619): fill_kobj_path: path
= '/devices/virtual/block/loop2'
kobject: 'loop4' (00000000d2329504): kobject_uevent_env
kobject: 'loop4' (00000000d2329504): fill_kobj_path: path
= '/devices/virtual/block/loop4'
kobject: 'loop5' (0000000068ffd4ac): kobject_uevent_env
kobject: 'loop5' (0000000068ffd4ac): fill_kobj_path: path
= '/devices/virtual/block/loop5'
kobject: 'loop1' (000000004c6ff07f): kobject_uevent_env
kobject: 'loop1' (000000004c6ff07f): fill_kobj_path: path
= '/devices/virtual/block/loop1'
kobject: 'loop4' (00000000d2329504): kobject_uevent_env
kobject: 'loop4' (00000000d2329504): fill_kobj_path: path
= '/devices/virtual/block/loop4'
kobject: 'loop2' (000000006265e619): kobject_uevent_env
kobject: 'loop2' (000000006265e619): fill_kobj_path: path
= '/devices/virtual/block/loop2'
IPv6 header not found
IPv6 header not found
Dead loop on virtual device ip6_vti0, fix it urgently!
kobject: 'loop1' (000000004c6ff07f): kobject_uevent_env
kobject: 'loop1' (000000004c6ff07f): fill_kobj_path: path
= '/devices/virtual/block/loop1'
kobject: 'loop3' (0000000051aa6e39): kobject_uevent_env
kobject: 'loop3' (0000000051aa6e39): fill_kobj_path: path
= '/devices/virtual/block/loop3'
kobject: 'loop5' (0000000068ffd4ac): kobject_uevent_env
kobject: 'loop5' (0000000068ffd4ac): fill_kobj_path: path
= '/devices/virtual/block/loop5'
kobject: 'loop4' (00000000d2329504): kobject_uevent_env
kobject: 'loop4' (00000000d2329504): fill_kobj_path: path
= '/devices/virtual/block/loop4'
kobject: 'loop1' (000000004c6ff07f): kobject_uevent_env
kobject: 'loop1' (000000004c6ff07f): fill_kobj_path: path
= '/devices/virtual/block/loop1'
kobject: 'loop2' (000000006265e619): kobject_uevent_env
IPv6 header not found
IPv6 header not found
Dead loop on virtual device ip6_vti0, fix it urgently!
kobject: 'loop2' (000000006265e619): fill_kobj_path: path
= '/devices/virtual/block/loop2'
IPv6 header not found
IPv6 header not found
Dead loop on virtual device ip6_vti0, fix it urgently!
kobject: 'loop3' (0000000051aa6e39): kobject_uevent_env
kobject: '0:45' (00000000e0b4f10f): kobject_add_internal: parent: 'bdi',
set: 'devices'
kobject: 'loop3' (0000000051aa6e39): fill_kobj_path: path
= '/devices/virtual/block/loop3'
kobject: '0:45' (00000000e0b4f10f): kobject_uevent_env
audit: type=1800 audit(1554948751.131:357): pid=21326 uid=0 auid=4294967295
ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
op=collect_data cause=failed(directio) comm="syz-executor.5" name="file0"
dev="sda1" ino=16878 res=0
kobject: '0:45' (00000000e0b4f10f): fill_kobj_path: path
= '/devices/virtual/bdi/0:45'
kobject: 'loop4' (00000000d2329504): kobject_uevent_env
kobject: 'loop4' (00000000d2329504): fill_kobj_path: path
= '/devices/virtual/block/loop4'
IPv6 header not found
IPv6 header not found
kobject: 'loop5' (0000000068ffd4ac): kobject_uevent_env
Dead loop on virtual device ip6_vti0, fix it urgently!
audit: type=1804 audit(1554948751.171:358): pid=21326 uid=0 auid=4294967295
ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
op=invalid_pcr cause=open_writers comm="syz-executor.5"
name="/root/syzkaller-testdir883380867/syzkaller.tF9f77/1888/file0"
dev="sda1" ino=16878 res=1
IPv6 header not found
IPv6 header not found
Dead loop on virtual device ip6_vti0, fix it urgently!
kobject: 'loop5' (0000000068ffd4ac): fill_kobj_path: path
= '/devices/virtual/block/loop5'
kobject: 'loop1' (000000004c6ff07f): kobject_uevent_env
kobject: 'loop1' (000000004c6ff07f): fill_kobj_path: path
= '/devices/virtual/block/loop1'
kobject: 'loop4' (00000000d2329504): kobject_uevent_env
kobject: 'loop4' (00000000d2329504): fill_kobj_path: path
= '/devices/virtual/block/loop4'
kobject: 'loop5' (0000000068ffd4ac): kobject_uevent_env
kobject: 'loop5' (0000000068ffd4ac): fill_kobj_path: path
= '/devices/virtual/block/loop5'
kobject: '0:45' (00000000e0b4f10f): kobject_uevent_env
audit: type=1400 audit(1554948751.361:359): avc: denied { map } for
pid=21635 comm="blkid" path="/sbin/blkid" dev="sda1" ino=16128
scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0
tclass=file permissive=1
kobject: '0:45' (00000000e0b4f10f): fill_kobj_path: path
= '/devices/virtual/bdi/0:45'
IPv6 header not found
IPv6 header not found
kobject: 'loop3' (0000000051aa6e39): kobject_uevent_env
Dead loop on virtual device ip6_vti0, fix it urgently!
kobject: '0:45' (00000000e0b4f10f): kobject_cleanup, parent (null)
kobject: 'loop3' (0000000051aa6e39): fill_kobj_path: path
= '/devices/virtual/block/loop3'
audit: type=1800 audit(1554948751.391:360): pid=21637 uid=0 auid=4294967295
ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
op=collect_data cause=failed(directio) comm="syz-executor.5" name="file0"
dev="sda1" ino=16878 res=0
kobject: '0:45' (00000000e0b4f10f): calling ktype release
kobject: '0:45': free name
kobject: 'loop0' (00000000d20cd7ac): kobject_uevent_env
audit: type=1804 audit(1554948751.391:361): pid=21637 uid=0 auid=4294967295
ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
op=invalid_pcr cause=open_writers comm="syz-executor.5"
name="/root/syzkaller-testdir883380867/syzkaller.tF9f77/1889/file0"
dev="sda1" ino=16878 res=1
kobject: 'loop0' (00000000d20cd7ac): fill_kobj_path: path
= '/devices/virtual/block/loop0'
kobject: '0:45' (000000009f13c101): kobject_add_internal: parent: 'bdi',
set: 'devices'
kobject: 'loop1' (000000004c6ff07f): kobject_uevent_env
kobject: 'loop1' (000000004c6ff07f): fill_kobj_path: path
= '/devices/virtual/block/loop1'
audit: type=1800 audit(1554948751.611:362): pid=21853 uid=0 auid=4294967295
ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
op=collect_data cause=failed(directio) comm="syz-executor.5" name="file0"
dev="sda1" ino=16878 res=0
kobject: '0:45' (000000009f13c101): kobject_uevent_env
audit: type=1804 audit(1554948751.641:363): pid=21853 uid=0 auid=4294967295
ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
op=invalid_pcr cause=open_writers comm="syz-executor.5"
name="/root/syzkaller-testdir883380867/syzkaller.tF9f77/1890/file0"
dev="sda1" ino=16878 res=1
kobject: 'loop3' (0000000051aa6e39): kobject_uevent_env
kobject: '0:45' (000000009f13c101): fill_kobj_path: path
= '/devices/virtual/bdi/0:45'
kobject: 'loop3' (0000000051aa6e39): fill_kobj_path: path
= '/devices/virtual/block/loop3'
IPv6 header not found
kobject: 'loop4' (00000000d2329504): kobject_uevent_env
IPv6 header not found
kobject: 'loop4' (00000000d2329504): fill_kobj_path: path
= '/devices/virtual/block/loop4'
Dead loop on virtual device ip6_vti0, fix it urgently!
kobject: 'loop5' (0000000068ffd4ac): kobject_uevent_env
kobject: 'loop5' (0000000068ffd4ac): fill_kobj_path: path
= '/devices/virtual/block/loop5'
kobject: 'loop0' (00000000d20cd7ac): kobject_uevent_env
kobject: 'loop0' (00000000d20cd7ac): fill_kobj_path: path
= '/devices/virtual/block/loop0'
kobject: 'loop4' (00000000d2329504): kobject_uevent_env
kobject: 'loop4' (00000000d2329504): fill_kobj_path: path
= '/devices/virtual/block/loop4'
kobject: 'loop3' (0000000051aa6e39): kobject_uevent_env
kobject: 'loop3' (0000000051aa6e39): fill_kobj_path: path
= '/devices/virtual/block/loop3'
kobject: 'loop1' (000000004c6ff07f): kobject_uevent_env
kobject: 'loop1' (000000004c6ff07f): fill_kobj_path: path
= '/devices/virtual/block/loop1'
kobject: '0:45' (000000009f13c101): kobject_uevent_env
kobject: '0:45' (000000009f13c101): fill_kobj_path: path
= '/devices/virtual/bdi/0:45'
kobject: 'loop3' (0000000051aa6e39): kobject_uevent_env
kobject: '0:45' (000000009f13c101): kobject_cleanup, parent (null)
kobject: 'loop3' (0000000051aa6e39): fill_kobj_path: path
= '/devices/virtual/block/loop3'
audit: type=1800 audit(1554948751.921:364): pid=22173 uid=0 auid=4294967295
ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
op=collect_data cause=failed(directio) comm="syz-executor.5" name="file0"
dev="sda1" ino=16893 res=0
kobject: 'loop0' (00000000d20cd7ac): kobject_uevent_env
kobject: '0:45' (000000009f13c101): calling ktype release
audit: type=1804 audit(1554948751.951:365): pid=22173 uid=0 auid=4294967295
ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
op=invalid_pcr cause=open_writers comm="syz-executor.5"
name="/root/syzkaller-testdir883380867/syzkaller.tF9f77/1891/file0"
dev="sda1" ino=16893 res=1
kobject: '0:45': free name
kobject: 'loop0' (00000000d20cd7ac): fill_kobj_path: path
= '/devices/virtual/block/loop0'
kobject: 'loop5' (0000000068ffd4ac): kobject_uevent_env
kobject: 'loop5' (0000000068ffd4ac): fill_kobj_path: path
= '/devices/virtual/block/loop5'
kobject: 'loop4' (00000000d2329504): kobject_uevent_env
kobject: 'loop4' (00000000d2329504): fill_kobj_path: path
= '/devices/virtual/block/loop4'
kobject: '0:45' (00000000ec201ba3): kobject_add_internal: parent: 'bdi',
set: 'devices'
kobject: 'loop1' (000000004c6ff07f): kobject_uevent_env
kobject: '0:45' (00000000ec201ba3): kobject_uevent_env
kobject: 'loop1' (000000004c6ff07f): fill_kobj_path: path
= '/devices/virtual/block/loop1'
kobject: 'loop0' (00000000d20cd7ac): kobject_uevent_env
kobject: '0:45' (00000000ec201ba3): fill_kobj_path: path
= '/devices/virtual/bdi/0:45'
kobject: 'loop0' (00000000d20cd7ac): fill_kobj_path: path
= '/devices/virtual/block/loop0'
kobject: 'loop3' (0000000051aa6e39): kobject_uevent_env
kobject: 'loop3' (0000000051aa6e39): fill_kobj_path: path
= '/devices/virtual/block/loop3'
kobject: 'loop5' (0000000068ffd4ac): kobject_uevent_env
kobject: 'loop5' (0000000068ffd4ac): fill_kobj_path: path
= '/devices/virtual/block/loop5'
kobject: 'loop4' (00000000d2329504): kobject_uevent_env
kobject: 'loop4' (00000000d2329504): fill_kobj_path: path
= '/devices/virtual/block/loop4'
kobject: 'loop5' (0000000068ffd4ac): kobject_uevent_env
kobject: 'loop5' (0000000068ffd4ac): fill_kobj_path: path
= '/devices/virtual/block/loop5'
kobject: 'loop1' (000000004c6ff07f): kobject_uevent_env
kobject: 'loop1' (000000004c6ff07f): fill_kobj_path: path
= '/devices/virtual/block/loop1'
kobject: '0:45' (00000000ec201ba3): kobject_uevent_env
kobject: 'loop3' (0000000051aa6e39): kobject_uevent_env
kobject: '0:45' (00000000ec201ba3): fill_kobj_path: path
= '/devices/virtual/bdi/0:45'
kobject: 'loop3' (0000000051aa6e39): fill_kobj_path: path
= '/devices/virtual/block/loop3'
kobject: '0:45' (00000000ec201ba3): kobject_cleanup, parent (null)
kobject: 'loop0' (00000000d20cd7ac): kobject_uevent_env
kobject: '0:45' (00000000ec201ba3): calling ktype release
kobject: 'loop0' (00000000d20cd7ac): fill_kobj_path: path
= '/devices/virtual/block/loop0'
kobject: '0:45': free name
kobject: 'loop4' (00000000d2329504): kobject_uevent_env
kobject: 'loop4' (00000000d2329504): fill_kobj_path: path
= '/devices/virtual/block/loop4'
kobject: 'loop5' (0000000068ffd4ac): kobject_uevent_env
kobject: 'loop5' (0000000068ffd4ac): fill_kobj_path: path
= '/devices/virtual/block/loop5'
kobject: '0:45' (000000009a89232a): kobject_add_internal: parent: 'bdi',
set: 'devices'
kobject: 'loop1' (000000004c6ff07f): kobject_uevent_env
kobject: '0:45' (000000009a89232a): kobject_uevent_env
kobject: 'loop1' (000000004c6ff07f): fill_kobj_path: path
= '/devices/virtual/block/loop1'
kobject: '0:45' (000000009a89232a): fill_kobj_path: path
= '/devices/virtual/bdi/0:45'
kobject: 'loop0' (00000000d20cd7ac): kobject_uevent_env
kobject: 'loop0' (00000000d20cd7ac): fill_kobj_path: path
= '/devices/virtual/block/loop0'
kobject: 'loop4' (00000000d2329504): kobject_uevent_env
kobject: 'loop4' (00000000d2329504): fill_kobj_path: path
= '/devices/virtual/block/loop4'
kobject: 'loop5' (0000000068ffd4ac): kobject_uevent_env
kobject: 'loop5' (0000000068ffd4ac): fill_kobj_path: path
= '/devices/virtual/block/loop5'
kobject: 'loop4' (00000000d2329504): kobject_uevent_env
kobject: '0:45' (000000009a89232a): kobject_uevent_env
kobject: 'loop4' (00000000d2329504): fill_kobj_path: path
= '/devices/virtual/block/loop4'
kobject: '0:45' (000000009a89232a): fill_kobj_path: path
= '/devices/virtual/bdi/0:45'
kobject: 'loop0' (00000000d20cd7ac): kobject_uevent_env
kobject: '0:45' (000000009a89232a): kobject_cleanup, parent (null)
kobject: 'loop0' (00000000d20cd7ac): fill_kobj_path: path
= '/devices/virtual/block/loop0'
kobject: '0:45' (000000009a89232a): calling ktype release
kobject: 'loop2' (000000006265e619): kobject_uevent_env
kobject: 'loop2' (000000006265e619): fill_kobj_path: path
= '/devices/virtual/block/loop2'
kobject: '0:45': free name
kobject: 'loop1' (000000004c6ff07f): kobject_uevent_env
kobject: 'loop1' (000000004c6ff07f): fill_kobj_path: path
= '/devices/virtual/block/loop1'
kobject: 'loop4' (00000000d2329504): kobject_uevent_env
kobject: 'loop4' (00000000d2329504): fill_kobj_path: path
= '/devices/virtual/block/loop4'
kobject: 'loop2' (000000006265e619): kobject_uevent_env
kobject: 'loop2' (000000006265e619): fill_kobj_path: path
= '/devices/virtual/block/loop2'
kobject: 'loop0' (00000000d20cd7ac): kobject_uevent_env
kobject: 'loop0' (00000000d20cd7ac): fill_kobj_path: path
= '/devices/virtual/block/loop0'
kobject: 'loop5' (0000000068ffd4ac): kobject_uevent_env
kobject: 'loop5' (0000000068ffd4ac): fill_kobj_path: path
= '/devices/virtual/block/loop5'
kobject: 'loop4' (00000000d2329504): kobject_uevent_env
kobject: 'loop4' (00000000d2329504): fill_kobj_path: path
= '/devices/virtual/block/loop4'
kobject: 'loop2' (000000006265e619): kobject_uevent_env
kobject: 'loop2' (000000006265e619): fill_kobj_path: path
= '/devices/virtual/block/loop2'
kobject: 'loop1' (000000004c6ff07f): kobject_uevent_env
kobject: 'loop1' (000000004c6ff07f): fill_kobj_path: path
= '/devices/virtual/block/loop1'
kobject: 'loop5' (0000000068ffd4ac): kobject_uevent_env
kobject: 'loop5' (0000000068ffd4ac): fill_kobj_path: path
= '/devices/virtual/block/loop5'
kobject: 'loop0' (00000000d20cd7ac): kobject_uevent_env
kobject: 'loop0' (00000000d20cd7ac): fill_kobj_path: path
= '/devices/virtual/block/loop0'
kobject: 'loop2' (000000006265e619): kobject_uevent_env
kobject: 'loop2' (000000006265e619): fill_kobj_path: path
= '/devices/virtual/block/loop2'
kobject: 'loop4' (00000000d2329504): kobject_uevent_env
kobject: 'loop4' (00000000d2329504): fill_kobj_path: path
= '/devices/virtual/block/loop4'
kobject: 'loop0' (00000000d20cd7ac): kobject_uevent_env
kobject: 'loop0' (00000000d20cd7ac): fill_kobj_path: path
= '/devices/virtual/block/loop0'
kobject: 'loop5' (0000000068ffd4ac): kobject_uevent_env
kobject: 'loop5' (0000000068ffd4ac): fill_kobj_path: path
= '/devices/virtual/block/loop5'
kobject: 'loop1' (000000004c6ff07f): kobject_uevent_env
kobject: 'loop1' (000000004c6ff07f): fill_kobj_path: path
= '/devices/virtual/block/loop1'
kobject: 'loop2' (000000006265e619): kobject_uevent_env
kobject: 'loop2' (000000006265e619): fill_kobj_path: path
= '/devices/virtual/block/loop2'
kobject: 'loop4' (00000000d2329504): kobject_uevent_env
kobject: 'loop4' (00000000d2329504): fill_kobj_path: path
= '/devices/virtual/block/loop4'
kobject: 'loop0' (00000000d20cd7ac): kobject_uevent_env
kobject: 'loop0' (00000000d20cd7ac): fill_kobj_path: path
= '/devices/virtual/block/loop0'
kobject: 'loop5' (0000000068ffd4ac): kobject_uevent_env
kobject: 'loop5' (0000000068ffd4ac): fill_kobj_path: path
= '/devices/virtual/block/loop5'
kobject: 'loop0' (00000000d20cd7ac): kobject_uevent_env
kobject: 'loop0' (00000000d20cd7ac): fill_kobj_path: path
= '/devices/virtual/block/loop0'
kobject: 'loop1' (000000004c6ff07f): kobject_uevent_env
kobject: 'loop1' (000000004c6ff07f): fill_kobj_path: path
= '/devices/virtual/block/loop1'
kobject: 'loop2' (000000006265e619): kobject_uevent_env
kobject: 'loop2' (000000006265e619): fill_kobj_path: path
= '/devices/virtual/block/loop2'
kobject: 'loop0' (00000000d20cd7ac): kobject_uevent_env
kobject: 'loop0' (00000000d20cd7ac): fill_kobj_path: path
= '/devices/virtual/block/loop0'
kobject: 'loop3' (0000000051aa6e39): kobject_uevent_env
kobject: 'loop3' (0000000051aa6e39): fill_kobj_path: path
= '/devices/virtual/block/loop3'
kobject: 'loop5' (0000000068ffd4ac): kobject_uevent_env
kobject: 'loop5' (0000000068ffd4ac): fill_kobj_path: path
= '/devices/virtual/block/loop5'
kobject: 'loop2' (000000006265e619): kobject_uevent_env
kobject: 'loop2' (000000006265e619): fill_kobj_path: path
= '/devices/virtual/block/loop2'
kobject: 'loop0' (00000000d20cd7ac): kobject_uevent_env
kobject: 'loop0' (00000000d20cd7ac): fill_kobj_path: path
= '/devices/virtual/block/loop0'
kobject: 'loop3' (0000000051aa6e39): kobject_uevent_env
kobject: 'loop3' (0000000051aa6e39): fill_kobj_path: path
= '/devices/virtual/block/loop3'
kobject: 'loop0' (00000000d20cd7ac): kobject_uevent_env
kobject: 'loop0' (00000000d20cd7ac): fill_kobj_path: path
= '/devices/virtual/block/loop0'
kobject: 'loop1' (000000004c6ff07f): kobject_uevent_env
kobject: 'loop1' (000000004c6ff07f): fill_kobj_path: path
= '/devices/virtual/block/loop1'
kobject: 'loop2' (000000006265e619): kobject_uevent_env
kobject: 'loop2' (000000006265e619): fill_kobj_path: path
= '/devices/virtual/block/loop2'
kobject: 'loop5' (0000000068ffd4ac): kobject_uevent_env
kobject: 'loop5' (0000000068ffd4ac): fill_kobj_path: path
= '/devices/virtual/block/loop5'
kobject: 'loop0' (00000000d20cd7ac): kobject_uevent_env
kobject: 'loop0' (00000000d20cd7ac): fill_kobj_path: path
= '/devices/virtual/block/loop0'
kobject: 'loop3' (0000000051aa6e39): kobject_uevent_env
kobject: 'loop3' (0000000051aa6e39): fill_kobj_path: path
= '/devices/virtual/block/loop3'
kobject: 'loop1' (000000004c6ff07f): kobject_uevent_env
kobject: 'loop1' (000000004c6ff07f): fill_kobj_path: path
= '/devices/virtual/block/loop1'
kobject: 'loop5' (0000000068ffd4ac): kobject_uevent_env
kobject: 'loop5' (0000000068ffd4ac): fill_kobj_path: path
= '/devices/virtual/block/loop5'
kobject: 'loop2' (000000006265e619): kobject_uevent_env
kobject: 'loop2' (000000006265e619): fill_kobj_path: path
= '/devices/virtual/block/loop2'
kobject: 'loop0' (00000000d20cd7ac): kobject_uevent_env
kobject: 'loop0' (00000000d20cd7ac): fill_kobj_path: path
= '/devices/virtual/block/loop0'
kobject: 'loop3' (0000000051aa6e39): kobject_uevent_env
kobject: 'loop3' (0000000051aa6e39): fill_kobj_path: path
= '/devices/virtual/block/loop3'
kobject: 'loop1' (000000004c6ff07f): kobject_uevent_env
kobject: 'loop1' (000000004c6ff07f): fill_kobj_path: path
= '/devices/virtual/block/loop1'
kobject: 'loop5' (0000000068ffd4ac): kobject_uevent_env
kobject: 'loop5' (0000000068ffd4ac): fill_kobj_path: path
= '/devices/virtual/block/loop5'
kobject: 'loop2' (000000006265e619): kobject_uevent_env
kobject: 'loop2' (000000006265e619): fill_kobj_path: path
= '/devices/virtual/block/loop2'
kauditd_printk_skb: 11 callbacks suppressed
audit: type=1800 audit(1554948753.971:377): pid=23719 uid=0 auid=4294967295
ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
op=collect_data cause=failed(directio) comm="syz-executor.4" name="file0"
dev="sda1" ino=16854 res=0
kobject: 'loop5' (0000000068ffd4ac): kobject_uevent_env
kobject: 'loop5' (0000000068ffd4ac): fill_kobj_path: path
= '/devices/virtual/block/loop5'
audit: type=1804 audit(1554948754.051:378): pid=23719 uid=0 auid=4294967295
ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
op=invalid_pcr cause=open_writers comm="syz-executor.4"
name="/root/syzkaller-testdir168514665/syzkaller.T6I96P/1882/file0"
dev="sda1" ino=16854 res=1
kobject: 'loop4' (00000000d2329504): kobject_uevent_env
kobject: 'loop4' (00000000d2329504): fill_kobj_path: path
= '/devices/virtual/block/loop4'
kobject: 'loop3' (0000000051aa6e39): kobject_uevent_env
kobject: 'loop3' (0000000051aa6e39): fill_kobj_path: path
= '/devices/virtual/block/loop3'
kobject: 'loop2' (000000006265e619): kobject_uevent_env
kobject: 'loop2' (000000006265e619): fill_kobj_path: path
= '/devices/virtual/block/loop2'
audit: type=1800 audit(1554948754.801:379): pid=23820 uid=0 auid=4294967295
ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
op=collect_data cause=failed comm="syz-executor.0" name="SYSV00000000"
dev="hugetlbfs" ino=163845 res=0
kobject: 'loop3' (0000000051aa6e39): kobject_uevent_env
kobject: 'loop3' (0000000051aa6e39): fill_kobj_path: path
= '/devices/virtual/block/loop3'
kobject: 'loop0' (00000000d20cd7ac): kobject_uevent_env
kobject: 'loop0' (00000000d20cd7ac): fill_kobj_path: path
= '/devices/virtual/block/loop0'
audit: type=1800 audit(1554948754.971:380): pid=23938 uid=0 auid=4294967295
ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
op=collect_data cause=failed comm="syz-executor.1" name="SYSV00000000"
dev="hugetlbfs" ino=98304 res=0
xt_bpf: check failed: parse error
kobject: 'loop1' (000000004c6ff07f): kobject_uevent_env
kobject: 'loop1' (000000004c6ff07f): fill_kobj_path: path
= '/devices/virtual/block/loop1'
audit: type=1800 audit(1554948755.011:381): pid=23940 uid=0 auid=4294967295
ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
op=collect_data cause=failed comm="syz-executor.0" name="SYSV00000000"
dev="hugetlbfs" ino=229383 res=0
kobject: 'loop2' (000000006265e619): kobject_uevent_env
kobject: 'loop2' (000000006265e619): fill_kobj_path: path
= '/devices/virtual/block/loop2'
kobject: 'loop3' (0000000051aa6e39): kobject_uevent_env
kobject: 'loop3' (0000000051aa6e39): fill_kobj_path: path
= '/devices/virtual/block/loop3'
audit: type=1800 audit(1554948755.181:382): pid=23964 uid=0 auid=4294967295
ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
op=collect_data cause=failed comm="syz-executor.0" name="SYSV00000000"
dev="hugetlbfs" ino=262152 res=0
xt_bpf: check failed: parse error
kobject: 'loop2' (000000006265e619): kobject_uevent_env
kobject: 'loop2' (000000006265e619): fill_kobj_path: path
= '/devices/virtual/block/loop2'
kobject: 'loop4' (00000000d2329504): kobject_uevent_env
audit: type=1800 audit(1554948755.201:383): pid=23961 uid=0 auid=4294967295
ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
op=collect_data cause=failed comm="syz-executor.1" name="SYSV00000000"
dev="hugetlbfs" ino=131075 res=0
kobject: 'loop4' (00000000d2329504): fill_kobj_path: path
= '/devices/virtual/block/loop4'
xt_bpf: check failed: parse error
kobject: 'loop3' (0000000051aa6e39): kobject_uevent_env
kobject: 'loop3' (0000000051aa6e39): fill_kobj_path: path
= '/devices/virtual/block/loop3'
audit: type=1800 audit(1554948755.271:384): pid=23972 uid=0 auid=4294967295
ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
op=collect_data cause=failed comm="syz-executor.1" name="SYSV00000000"
dev="hugetlbfs" ino=163844 res=0
kobject: 'loop1' (000000004c6ff07f): kobject_uevent_env
audit: type=1800 audit(1554948755.341:385): pid=23987 uid=0 auid=4294967295
ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
op=collect_data cause=failed comm="syz-executor.0" name="SYSV00000000"
dev="hugetlbfs" ino=294921 res=0
kobject: 'loop1' (000000004c6ff07f): fill_kobj_path: path
= '/devices/virtual/block/loop1'
kobject: 'loop0' (00000000d20cd7ac): kobject_uevent_env
kobject: 'loop0' (00000000d20cd7ac): fill_kobj_path: path
= '/devices/virtual/block/loop0'
xt_bpf: check failed: parse error
kobject: 'loop1' (000000004c6ff07f): kobject_uevent_env
kobject: 'loop1' (000000004c6ff07f): fill_kobj_path: path
= '/devices/virtual/block/loop1'
kobject: 'loop0' (00000000d20cd7ac): kobject_uevent_env
kobject: 'loop0' (00000000d20cd7ac): fill_kobj_path: path
= '/devices/virtual/block/loop0'
kobject: 'loop2' (000000006265e619): kobject_uevent_env
kobject: 'loop2' (000000006265e619): fill_kobj_path: path
= '/devices/virtual/block/loop2'
kobject: 'loop4' (00000000d2329504): kobject_uevent_env
kobject: 'loop4' (00000000d2329504): fill_kobj_path: path
= '/devices/virtual/block/loop4'
kobject: 'loop1' (000000004c6ff07f): kobject_uevent_env
kobject: 'loop1' (000000004c6ff07f): fill_kobj_path: path
= '/devices/virtual/block/loop1'
kobject: 'loop0' (00000000d20cd7ac): kobject_uevent_env
kobject: 'loop0' (00000000d20cd7ac): fill_kobj_path: path
= '/devices/virtual/block/loop0'
kobject: 'loop3' (0000000051aa6e39): kobject_uevent_env
kobject: 'loop3' (0000000051aa6e39): fill_kobj_path: path
= '/devices/virtual/block/loop3'
kobject: 'loop5' (0000000068ffd4ac): kobject_uevent_env
kobject: 'loop5' (0000000068ffd4ac): fill_kobj_path: path
= '/devices/virtual/block/loop5'
kobject: 'loop2' (000000006265e619): kobject_uevent_env
kobject: 'loop2' (000000006265e619): fill_kobj_path: path
= '/devices/virtual/block/loop2'
kobject: 'loop4' (00000000d2329504): kobject_uevent_env
kobject: 'loop4' (00000000d2329504): fill_kobj_path: path
= '/devices/virtual/block/loop4'
kobject: 'loop5' (0000000068ffd4ac): kobject_uevent_env
kobject: 'loop5' (0000000068ffd4ac): fill_kobj_path: path
= '/devices/virtual/block/loop5'
kobject: 'loop3' (0000000051aa6e39): kobject_uevent_env
kobject: 'loop3' (0000000051aa6e39): fill_kobj_path: path
= '/devices/virtual/block/loop3'
kobject: 'loop3' (0000000051aa6e39): kobject_uevent_env
kobject: 'loop3' (0000000051aa6e39): fill_kobj_path: path
= '/devices/virtual/block/loop3'
kobject: 'loop0' (00000000d20cd7ac): kobject_uevent_env
kobject: 'loop0' (00000000d20cd7ac): fill_kobj_path: path
= '/devices/virtual/block/loop0'
kobject: 'loop5' (0000000068ffd4ac): kobject_uevent_env
kobject: 'loop5' (0000000068ffd4ac): fill_kobj_path: path
= '/devices/virtual/block/loop5'
kobject: 'loop2' (000000006265e619): kobject_uevent_env
kobject: 'loop2' (000000006265e619): fill_kobj_path: path
= '/devices/virtual/block/loop2'
kobject: 'loop5' (0000000068ffd4ac): kobject_uevent_env
kobject: 'loop5' (0000000068ffd4ac): fill_kobj_path: path
= '/devices/virtual/block/loop5'
kobject: 'loop4' (00000000d2329504): kobject_uevent_env
kobject: 'loop4' (00000000d2329504): fill_kobj_path: path
= '/devices/virtual/block/loop4'
kobject: 'loop3' (0000000051aa6e39): kobject_uevent_env
kobject: 'loop3' (0000000051aa6e39): fill_kobj_path: path
= '/devices/virtual/block/loop3'
kobject: 'loop2' (000000006265e619): kobject_uevent_env
kobject: 'loop2' (000000006265e619): fill_kobj_path: path
= '/devices/virtual/block/loop2'
kobject: 'loop1' (000000004c6ff07f): kobject_uevent_env
kobject: 'loop1' (000000004c6ff07f): fill_kobj_path: path
= '/devices/virtual/block/loop1'
kobject: 'loop2' (000000006265e619): kobject_uevent_env
kobject: 'loop2' (000000006265e619): fill_kobj_path: path
= '/devices/virtual/block/loop2'
kobject: 'loop4' (00000000d2329504): kobject_uevent_env
kobject: 'loop4' (00000000d2329504): fill_kobj_path: path
= '/devices/virtual/block/loop4'
kobject: 'loop1' (000000004c6ff07f): kobject_uevent_env
kobject: 'loop1' (000000004c6ff07f): fill_kobj_path: path
= '/devices/virtual/block/loop1'
kobject: 'loop2' (000000006265e619): kobject_uevent_env
kobject: 'loop2' (000000006265e619): fill_kobj_path: path
= '/devices/virtual/block/loop2'
kobject: 'loop3' (0000000051aa6e39): kobject_uevent_env
kobject: 'loop3' (0000000051aa6e39): fill_kobj_path: path
= '/devices/virtual/block/loop3'
ip6gretap0: mtu less than device minimum
kobject: 'loop4' (00000000d2329504): kobject_uevent_env
kobject: 'loop4' (00000000d2329504): fill_kobj_path: path
= '/devices/virtual/block/loop4'
kobject: 'loop1' (000000004c6ff07f): kobject_uevent_env
audit: type=1400 audit(1554948757.341:386): avc: denied { create } for
pid=25252 comm="syz-executor.2"
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tclass=netlink_generic_socket permissive=1
netlink: 'syz-executor.2': attribute type 116 has an invalid length.
ip6gretap0: mtu less than device minimum
kobject: 'loop1' (000000004c6ff07f): fill_kobj_path: path
= '/devices/virtual/block/loop1'
kobject: 'loop0' (00000000d20cd7ac): kobject_uevent_env
kobject: 'loop0' (00000000d20cd7ac): fill_kobj_path: path
= '/devices/virtual/block/loop0'
kobject: 'loop2' (000000006265e619): kobject_uevent_env
ip6gretap0: mtu less than device minimum
platform regulatory.0: Direct firmware load for regulatory.db failed with
error -2
kobject: 'loop2' (000000006265e619): fill_kobj_path: path
= '/devices/virtual/block/loop2'
kobject: 'loop1' (000000004c6ff07f): kobject_uevent_env
kobject: 'loop1' (000000004c6ff07f): fill_kobj_path: path
= '/devices/virtual/block/loop1'
kobject: 'loop5' (0000000068ffd4ac): kobject_uevent_env
kobject: 'loop5' (0000000068ffd4ac): fill_kobj_path: path
= '/devices/virtual/block/loop5'
netlink: 'syz-executor.2': attribute type 116 has an invalid length.
platform regulatory.0: Direct firmware load for regulatory.db failed with
error -2
kobject: 'loop3' (0000000051aa6e39): kobject_uevent_env
kobject: 'loop3' (0000000051aa6e39): fill_kobj_path: path
= '/devices/virtual/block/loop3'
ip6gretap0: mtu less than device minimum
kobject: 'loop4' (00000000d2329504): kobject_uevent_env
kobject: 'loop4' (00000000d2329504): fill_kobj_path: path
= '/devices/virtual/block/loop4'
kobject: 'loop1' (000000004c6ff07f): kobject_uevent_env
netlink: 'syz-executor.3': attribute type 116 has an invalid length.
kobject: 'loop1' (000000004c6ff07f): fill_kobj_path: path
= '/devices/virtual/block/loop1'
platform regulatory.0: Direct firmware load for regulatory.db failed with
error -2
kobject: 'loop0' (00000000d20cd7ac): kobject_uevent_env
kobject: 'loop0' (00000000d20cd7ac): fill_kobj_path: path
= '/devices/virtual/block/loop0'
netlink: 'syz-executor.2': attribute type 116 has an invalid length.
kobject: 'loop5' (0000000068ffd4ac): kobject_uevent_env
kobject: 'loop5' (0000000068ffd4ac): fill_kobj_path: path
= '/devices/virtual/block/loop5'
platform regulatory.0: Direct firmware load for regulatory.db failed with
error -2
kobject: 'loop4' (00000000d2329504): kobject_uevent_env
netlink: 'syz-executor.3': attribute type 116 has an invalid length.
kobject: 'loop4' (00000000d2329504): fill_kobj_path: path
= '/devices/virtual/block/loop4'
kobject: 'loop5' (0000000068ffd4ac): kobject_uevent_env
kobject: 'loop5' (0000000068ffd4ac): fill_kobj_path: path
= '/devices/virtual/block/loop5'
kobject: 'loop1' (000000004c6ff07f): kobject_uevent_env
platform regulatory.0: Direct firmware load for regulatory.db failed with
error -2
kobject: 'loop1' (000000004c6ff07f): fill_kobj_path: path
= '/devices/virtual/block/loop1'
kobject: 'loop3' (0000000051aa6e39): kobject_uevent_env
kobject: 'loop3' (0000000051aa6e39): fill_kobj_path: path
= '/devices/virtual/block/loop3'
kobject: 'loop0' (00000000d20cd7ac): kobject_uevent_env
kobject: 'loop0' (00000000d20cd7ac): fill_kobj_path: path
= '/devices/virtual/block/loop0'
netlink: 'syz-executor.2': attribute type 116 has an invalid length.
kobject: 'loop4' (00000000d2329504): kobject_uevent_env
kobject: 'loop4' (00000000d2329504): fill_kobj_path: path
= '/devices/virtual/block/loop4'
kobject: 'loop1' (000000004c6ff07f): kobject_uevent_env
kobject: 'loop1' (000000004c6ff07f): fill_kobj_path: path
= '/devices/virtual/block/loop1'
platform regulatory.0: Direct firmware load for regulatory.db failed with
error -2
kobject: 'loop5' (0000000068ffd4ac): kobject_uevent_env
kobject: 'loop5' (0000000068ffd4ac): fill_kobj_path: path
= '/devices/virtual/block/loop5'
kobject: 'loop4' (00000000d2329504): kobject_uevent_env
netlink: 'syz-executor.3': attribute type 116 has an invalid length.
kobject: 'loop4' (00000000d2329504): fill_kobj_path: path
= '/devices/virtual/block/loop4'
kobject: 'loop0' (00000000d20cd7ac): kobject_uevent_env
platform regulatory.0: Direct firmware load for regulatory.db failed with
error -2
kobject: 'loop0' (00000000d20cd7ac): fill_kobj_path: path
= '/devices/virtual/block/loop0'
kobject: 'loop3' (0000000051aa6e39): kobject_uevent_env
kobject: 'loop3' (0000000051aa6e39): fill_kobj_path: path
= '/devices/virtual/block/loop3'
kobject: 'loop4' (00000000d2329504): kobject_uevent_env
kobject: 'loop4' (00000000d2329504): fill_kobj_path: path
= '/devices/virtual/block/loop4'
kobject: 'loop1' (000000004c6ff07f): kobject_uevent_env

---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

unread,

Apr 16, 2019, 3:37:07 PM4/16/19

to syzkaller...@googlegroups.com

Hello,

syzbot found the following crash on:

HEAD commit: 1ec8f1f0 Linux 4.14.111
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1262026b200000
kernel config: https://syzkaller.appspot.com/x/.config?x=fdadf290ea9fc6f9
dashboard link: https://syzkaller.appspot.com/bug?extid=d7c97cadc3eee6ee853d

compiler: gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:

Reported-by: syzbot+d7c97c...@syzkaller.appspotmail.com

audit: type=1400 audit(1555439798.663:99): avc: denied { map } for
pid=14723 comm="syz-executor.2" path="/dev/usbmon0" dev="devtmpfs" ino=428

scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=system_u:object_r:usbmon_device_t:s0 tclass=chr_file permissive=1
======================================================
WARNING: possible circular locking dependency detected

4.14.111 #1 Not tainted
------------------------------------------------------
syz-executor.2/14724 is trying to acquire lock:
(&rp->fetch_lock){+.+.}, at: [<ffffffff83f7c73f>]
mon_bin_vma_fault+0x6f/0x280 drivers/usb/mon/mon_bin.c:1236

but task is already holding lock:

(&mm->mmap_sem){++++}, at: [<ffffffff817b8425>] __mm_populate+0x1e5/0x2c0
mm/gup.c:1247

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #1 (&mm->mmap_sem){++++}:

lock_acquire+0x16f/0x430 kernel/locking/lockdep.c:3994
__might_fault mm/memory.c:4578 [inline]
__might_fault+0x143/0x1d0 mm/memory.c:4563
_copy_to_user+0x2c/0xd0 lib/usercopy.c:25
copy_to_user include/linux/uaccess.h:155 [inline]
mon_bin_get_event+0x10a/0x430 drivers/usb/mon/mon_bin.c:756
mon_bin_ioctl+0x9b4/0xb50 drivers/usb/mon/mon_bin.c:1067
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:500 [inline]
do_vfs_ioctl+0x7b9/0x1070 fs/ioctl.c:684
SYSC_ioctl fs/ioctl.c:701 [inline]
SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
do_syscall_64+0x1eb/0x630 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7

-> #0 (&rp->fetch_lock){+.+.}:

check_prev_add kernel/locking/lockdep.c:1901 [inline]
check_prevs_add kernel/locking/lockdep.c:2018 [inline]
validate_chain kernel/locking/lockdep.c:2460 [inline]
__lock_acquire+0x2c89/0x45e0 kernel/locking/lockdep.c:3487
lock_acquire+0x16f/0x430 kernel/locking/lockdep.c:3994
__mutex_lock_common kernel/locking/mutex.c:756 [inline]
__mutex_lock+0xe8/0x1470 kernel/locking/mutex.c:893
mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908
mon_bin_vma_fault+0x6f/0x280 drivers/usb/mon/mon_bin.c:1236
__do_fault+0x109/0x390 mm/memory.c:3217
do_cow_fault mm/memory.c:3656 [inline]
do_fault mm/memory.c:3755 [inline]
handle_pte_fault mm/memory.c:3983 [inline]
__handle_mm_fault+0xde6/0x3470 mm/memory.c:4107
handle_mm_fault+0x293/0x7c0 mm/memory.c:4144
faultin_page mm/gup.c:502 [inline]
__get_user_pages+0x465/0x1250 mm/gup.c:702
populate_vma_page_range+0x18e/0x230 mm/gup.c:1219
__mm_populate+0x198/0x2c0 mm/gup.c:1267
mm_populate include/linux/mm.h:2174 [inline]
vm_mmap_pgoff+0x1be/0x1d0 mm/util.c:338
SYSC_mmap_pgoff mm/mmap.c:1550 [inline]
SyS_mmap_pgoff+0x3ca/0x520 mm/mmap.c:1508
SYSC_mmap arch/x86/kernel/sys_x86_64.c:100 [inline]
SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:91
do_syscall_64+0x1eb/0x630 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7

other info that might help us debug this:

Possible unsafe locking scenario:

CPU0 CPU1
---- ----
lock(&mm->mmap_sem);
lock(&rp->fetch_lock);
lock(&mm->mmap_sem);
lock(&rp->fetch_lock);

*** DEADLOCK ***

1 lock held by syz-executor.2/14724:
#0: (&mm->mmap_sem){++++}, at: [<ffffffff817b8425>]
__mm_populate+0x1e5/0x2c0 mm/gup.c:1247

stack backtrace:
CPU: 1 PID: 14724 Comm: syz-executor.2 Not tainted 4.14.111 #1