INFO: task hung in __fuse_request_send


syzbot

Jul 12, 2018, 11:49:04 AM
to syzkaller-upst...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: c25c74b7476e Merge tag 'trace-v4.18-rc3-2' of git://git.ke..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17e87044400000
kernel config: https://syzkaller.appspot.com/x/.config?x=25856fac4e580aa7
dashboard link: https://syzkaller.appspot.com/bug?extid=825801ae76b982dd8f73
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
CC: [linux-...@vger.kernel.org linux-...@vger.kernel.org
mik...@szeredi.hu]

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+825801...@syzkaller.appspotmail.com

kernel msg: ebtables bug: please report to author: Couldn't copy entries
from userspace
INFO: task syz-executor0:30440 blocked for more than 140 seconds.
Not tainted 4.18.0-rc4+ #143
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor0 D24152 30440 4562 0x00000004
Call Trace:
context_switch kernel/sched/core.c:2853 [inline]
__schedule+0x87c/0x1ed0 kernel/sched/core.c:3501
schedule+0xfb/0x450 kernel/sched/core.c:3545
request_wait_answer+0x4c8/0x920 fs/fuse/dev.c:463
__fuse_request_send+0x12a/0x1d0 fs/fuse/dev.c:483
fuse_request_send+0x62/0xa0 fs/fuse/dev.c:496
fuse_simple_request+0x33d/0x730 fs/fuse/dev.c:554
fuse_lookup_name+0x3ee/0x830 fs/fuse/dir.c:323
fuse_lookup+0xf9/0x4c0 fs/fuse/dir.c:360
__lookup_hash+0x12e/0x190 fs/namei.c:1505
filename_create+0x1e5/0x5b0 fs/namei.c:3646
user_path_create fs/namei.c:3703 [inline]
do_mkdirat+0xda/0x310 fs/namei.c:3842
__do_sys_mkdirat fs/namei.c:3861 [inline]
__se_sys_mkdirat fs/namei.c:3859 [inline]
__x64_sys_mkdirat+0x76/0xb0 fs/namei.c:3859
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x455a79
INFO: task syz-executor0:30474 blocked for more than 140 seconds.
Not tainted 4.18.0-rc4+ #143
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor0 D24904 30474 4562 0x00000004
Call Trace:
context_switch kernel/sched/core.c:2853 [inline]
__schedule+0x87c/0x1ed0 kernel/sched/core.c:3501
schedule+0xfb/0x450 kernel/sched/core.c:3545
__rwsem_down_write_failed_common+0x95d/0x1630
kernel/locking/rwsem-xadd.c:566
rwsem_down_write_failed+0xe/0x10 kernel/locking/rwsem-xadd.c:595
call_rwsem_down_write_failed+0x17/0x30 arch/x86/lib/rwsem.S:117
__down_write arch/x86/include/asm/rwsem.h:142 [inline]
down_write+0xaa/0x130 kernel/locking/rwsem.c:72
inode_lock include/linux/fs.h:715 [inline]
lock_mount+0x8c/0x2e0 fs/namespace.c:2088
do_add_mount+0x27/0x370 fs/namespace.c:2465
do_new_mount fs/namespace.c:2532 [inline]
do_mount+0x193f/0x30e0 fs/namespace.c:2848
ksys_mount+0x12d/0x140 fs/namespace.c:3064
__do_sys_mount fs/namespace.c:3078 [inline]
__se_sys_mount fs/namespace.c:3075 [inline]
__x64_sys_mount+0xbe/0x150 fs/namespace.c:3075
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x455a79
INFO: task syz-executor0:30484 blocked for more than 140 seconds.
Not tainted 4.18.0-rc4+ #143
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor0 D25408 30484 4562 0x00000004
Call Trace:
context_switch kernel/sched/core.c:2853 [inline]
__schedule+0x87c/0x1ed0 kernel/sched/core.c:3501
schedule+0xfb/0x450 kernel/sched/core.c:3545
__rwsem_down_write_failed_common+0x95d/0x1630
kernel/locking/rwsem-xadd.c:566
rwsem_down_write_failed+0xe/0x10 kernel/locking/rwsem-xadd.c:595
call_rwsem_down_write_failed+0x17/0x30 arch/x86/lib/rwsem.S:117
__down_write arch/x86/include/asm/rwsem.h:142 [inline]
down_write_nested+0xae/0x130 kernel/locking/rwsem.c:194
inode_lock_nested include/linux/fs.h:750 [inline]
filename_create+0x1b2/0x5b0 fs/namei.c:3645
user_path_create fs/namei.c:3703 [inline]
do_mkdirat+0xda/0x310 fs/namei.c:3842
__do_sys_mkdirat fs/namei.c:3861 [inline]
__se_sys_mkdirat fs/namei.c:3859 [inline]
__x64_sys_mkdirat+0x76/0xb0 fs/namei.c:3859
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x455a79

Showing all locks held in the system:
1 lock held by khungtaskd/900:
#0: 0000000089d844e2 (rcu_read_lock){....}, at:
debug_show_all_locks+0xd0/0x428 kernel/locking/lockdep.c:4461
1 lock held by udevd/2418:
1 lock held by rsyslogd/4424:
#0: 000000004676b763 (&f->f_pos_lock){+.+.}, at: __fdget_pos+0x1bb/0x200
fs/file.c:766
2 locks held by getty/4514:
#0: 000000008d5dc83f (&tty->ldisc_sem){++++}, at:
ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
#1: 0000000079d67a8e (&ldata->atomic_read_lock){+.+.}, at:
n_tty_read+0x335/0x1ce0 drivers/tty/n_tty.c:2140
2 locks held by getty/4515:
#0: 000000000077810c (&tty->ldisc_sem){++++}, at:
ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
#1: 00000000013faa87 (&ldata->atomic_read_lock){+.+.}, at:
n_tty_read+0x335/0x1ce0 drivers/tty/n_tty.c:2140
2 locks held by getty/4516:
#0: 00000000a31433ea (&tty->ldisc_sem){++++}, at:
ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
#1: 000000000b02ba1c (&ldata->atomic_read_lock){+.+.}, at:
n_tty_read+0x335/0x1ce0 drivers/tty/n_tty.c:2140
2 locks held by getty/4517:
#0: 00000000ddc43311 (&tty->ldisc_sem){++++}, at:
ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
#1: 0000000083d3a266 (&ldata->atomic_read_lock){+.+.}, at:
n_tty_read+0x335/0x1ce0 drivers/tty/n_tty.c:2140
2 locks held by getty/4518:
#0: 00000000445f4fa0 (&tty->ldisc_sem){++++}, at:
ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
#1: 00000000a6fed251 (&ldata->atomic_read_lock){+.+.}, at:
n_tty_read+0x335/0x1ce0 drivers/tty/n_tty.c:2140
2 locks held by getty/4519:
#0: 00000000ff68c89a (&tty->ldisc_sem){++++}, at:
ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
#1: 00000000cf9df215 (&ldata->atomic_read_lock){+.+.}, at:
n_tty_read+0x335/0x1ce0 drivers/tty/n_tty.c:2140
2 locks held by getty/4520:
#0: 0000000053905977 (&tty->ldisc_sem){++++}, at:
ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
#1: 00000000dab43fb5 (&ldata->atomic_read_lock){+.+.}, at:
n_tty_read+0x335/0x1ce0 drivers/tty/n_tty.c:2140
3 locks held by syz-executor0/30440:
#0: 00000000bede6997 (sb_writers#14){.+.+}, at: sb_start_write
include/linux/fs.h:1554 [inline]
#0: 00000000bede6997 (sb_writers#14){.+.+}, at: mnt_want_write+0x3f/0xc0
fs/namespace.c:386
#1: 00000000b86b5ce9 (&type->i_mutex_dir_key#5/1){+.+.}, at:
inode_lock_nested include/linux/fs.h:750 [inline]
#1: 00000000b86b5ce9 (&type->i_mutex_dir_key#5/1){+.+.}, at:
filename_create+0x1b2/0x5b0 fs/namei.c:3645
#2: 0000000086d9b913 (&fi->mutex){+.+.}, at: fuse_lock_inode+0xaf/0xe0
fs/fuse/inode.c:363
1 lock held by syz-executor0/30474:
#0: 00000000b86b5ce9 (&type->i_mutex_dir_key#5){++++}, at: inode_lock
include/linux/fs.h:715 [inline]
#0: 00000000b86b5ce9 (&type->i_mutex_dir_key#5){++++}, at:
lock_mount+0x8c/0x2e0 fs/namespace.c:2088
2 locks held by syz-executor0/30484:
#0: 00000000bede6997 (sb_writers#14){.+.+}, at: sb_start_write
include/linux/fs.h:1554 [inline]
#0: 00000000bede6997 (sb_writers#14){.+.+}, at: mnt_want_write+0x3f/0xc0
fs/namespace.c:386
#1: 00000000b86b5ce9 (&type->i_mutex_dir_key#5/1){+.+.}, at:
inode_lock_nested include/linux/fs.h:750 [inline]
#1: 00000000b86b5ce9 (&type->i_mutex_dir_key#5/1){+.+.}, at:
filename_create+0x1b2/0x5b0 fs/namei.c:3645

=============================================

NMI backtrace for cpu 1
CPU: 1 PID: 900 Comm: khungtaskd Not tainted 4.18.0-rc4+ #143
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
nmi_cpu_backtrace.cold.4+0x19/0xce lib/nmi_backtrace.c:103
nmi_trigger_cpumask_backtrace+0x151/0x192 lib/nmi_backtrace.c:62
arch_trigger_cpumask_backtrace+0x14/0x20 arch/x86/kernel/apic/hw_nmi.c:38
trigger_all_cpu_backtrace include/linux/nmi.h:138 [inline]
check_hung_uninterruptible_tasks kernel/hung_task.c:196 [inline]
watchdog+0x9c4/0xf80 kernel/hung_task.c:252
kthread+0x345/0x410 kernel/kthread.c:246
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 PID: 2418 Comm: udevd Not tainted 4.18.0-rc4+ #143
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:__sanitizer_cov_trace_cmp8+0x1/0x20 kernel/kcov.c:167
Call Trace:
__do_sys_epoll_wait fs/eventpoll.c:2200 [inline]
__se_sys_epoll_wait fs/eventpoll.c:2197 [inline]
__x64_sys_epoll_wait+0x97/0xf0 fs/eventpoll.c:2197
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f49ecc0c943


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.

syzbot

Jul 12, 2018, 1:53:03 PM
to syzkaller-upst...@googlegroups.com
syzbot has found a reproducer for the following crash on:

HEAD commit: c25c74b7476e Merge tag 'trace-v4.18-rc3-2' of git://git.ke..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12826b0c400000
kernel config: https://syzkaller.appspot.com/x/.config?x=25856fac4e580aa7
dashboard link: https://syzkaller.appspot.com/bug?extid=825801ae76b982dd8f73
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
userspace arch: i386
syzkaller repro: https://syzkaller.appspot.com/x/repro.syz?x=1531a370400000
CC: [linux-...@vger.kernel.org linux-...@vger.kernel.org
mik...@szeredi.hu]

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+825801...@syzkaller.appspotmail.com

IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
8021q: adding VLAN 0 to HW filter on device team0
INFO: task syz-executor0:4802 blocked for more than 140 seconds.
Not tainted 4.18.0-rc4+ #46
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor0 D21432 4802 4544 0x20020004
Call Trace:
context_switch kernel/sched/core.c:2853 [inline]
__schedule+0x87c/0x1ed0 kernel/sched/core.c:3501
schedule+0xfb/0x450 kernel/sched/core.c:3545
request_wait_answer+0x4c8/0x920 fs/fuse/dev.c:463
__fuse_request_send+0x12a/0x1d0 fs/fuse/dev.c:483
fuse_request_send+0x62/0xa0 fs/fuse/dev.c:496
fuse_simple_request+0x33d/0x730 fs/fuse/dev.c:554
fuse_lookup_name+0x3ee/0x830 fs/fuse/dir.c:323
fuse_lookup+0xf9/0x4c0 fs/fuse/dir.c:360
__lookup_slow+0x2b5/0x540 fs/namei.c:1630
lookup_slow+0x57/0x80 fs/namei.c:1647
walk_component+0x94a/0x2630 fs/namei.c:1769
lookup_last fs/namei.c:2237 [inline]
path_lookupat.isra.45+0x202/0xbf0 fs/namei.c:2287
filename_lookup+0x264/0x510 fs/namei.c:2321
user_path_at_empty+0x40/0x50 fs/namei.c:2584
user_path_at include/linux/namei.h:57 [inline]
vfs_statx+0x129/0x210 fs/stat.c:185
vfs_stat include/linux/fs.h:3101 [inline]
__do_compat_sys_newstat+0x8f/0x110 fs/stat.c:626
__se_compat_sys_newstat fs/stat.c:620 [inline]
__ia32_compat_sys_newstat+0x52/0x70 fs/stat.c:620
do_syscall_32_irqs_on arch/x86/entry/common.c:326 [inline]
do_fast_syscall_32+0x34d/0xfb2 arch/x86/entry/common.c:397
entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
RIP: 0023:0xf7ff4cb9
INFO: task syz-executor0:4804 blocked for more than 140 seconds.
Not tainted 4.18.0-rc4+ #46
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor0 D24296 4804 4544 0x20020004
Call Trace:
context_switch kernel/sched/core.c:2853 [inline]
__schedule+0x87c/0x1ed0 kernel/sched/core.c:3501
schedule+0xfb/0x450 kernel/sched/core.c:3545
__rwsem_down_write_failed_common+0x95d/0x1630
kernel/locking/rwsem-xadd.c:566
rwsem_down_write_failed+0xe/0x10 kernel/locking/rwsem-xadd.c:595
call_rwsem_down_write_failed+0x17/0x30 arch/x86/lib/rwsem.S:117
__down_write arch/x86/include/asm/rwsem.h:142 [inline]
down_write+0xaa/0x130 kernel/locking/rwsem.c:72
inode_lock include/linux/fs.h:715 [inline]
fuse_reverse_inval_entry+0xae/0x6d0 fs/fuse/dir.c:969
fuse_notify_delete fs/fuse/dev.c:1541 [inline]
fuse_notify fs/fuse/dev.c:1773 [inline]
fuse_dev_do_write+0x2d4d/0x3700 fs/fuse/dev.c:1848
fuse_dev_write+0x19a/0x240 fs/fuse/dev.c:1928
call_write_iter include/linux/fs.h:1793 [inline]
new_sync_write fs/read_write.c:474 [inline]
__vfs_write+0x6c6/0x9f0 fs/read_write.c:487
vfs_write+0x1f8/0x560 fs/read_write.c:549
ksys_write+0x101/0x260 fs/read_write.c:598
__do_sys_write fs/read_write.c:610 [inline]
__se_sys_write fs/read_write.c:607 [inline]
__ia32_sys_write+0x71/0xb0 fs/read_write.c:607
do_syscall_32_irqs_on arch/x86/entry/common.c:326 [inline]
do_fast_syscall_32+0x34d/0xfb2 arch/x86/entry/common.c:397
entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
RIP: 0023:0xf7ff4cb9

Showing all locks held in the system:
1 lock held by khungtaskd/902:
#0: (____ptrval____) (rcu_read_lock){....}, at:
debug_show_all_locks+0xd0/0x428 kernel/locking/lockdep.c:4461
1 lock held by rsyslogd/4412:
#0: (____ptrval____) (&f->f_pos_lock){+.+.}, at: __fdget_pos+0x1bb/0x200
fs/file.c:766
2 locks held by getty/4502:
#0: (____ptrval____) (&tty->ldisc_sem){++++}, at:
ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
#1: (____ptrval____) (&ldata->atomic_read_lock){+.+.}, at:
n_tty_read+0x335/0x1ce0 drivers/tty/n_tty.c:2140
2 locks held by getty/4503:
#0: (____ptrval____) (&tty->ldisc_sem){++++}, at:
ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
#1: (____ptrval____) (&ldata->atomic_read_lock){+.+.}, at:
n_tty_read+0x335/0x1ce0 drivers/tty/n_tty.c:2140
2 locks held by getty/4504:
#0: (____ptrval____) (&tty->ldisc_sem){++++}, at:
ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
#1: (____ptrval____) (&ldata->atomic_read_lock){+.+.}, at:
n_tty_read+0x335/0x1ce0 drivers/tty/n_tty.c:2140
2 locks held by getty/4505:
#0: (____ptrval____) (&tty->ldisc_sem){++++}, at:
ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
#1: (____ptrval____) (&ldata->atomic_read_lock){+.+.}, at:
n_tty_read+0x335/0x1ce0 drivers/tty/n_tty.c:2140
2 locks held by getty/4506:
#0: (____ptrval____) (&tty->ldisc_sem){++++}, at:
ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
#1: (____ptrval____) (&ldata->atomic_read_lock){+.+.}, at:
n_tty_read+0x335/0x1ce0 drivers/tty/n_tty.c:2140
2 locks held by getty/4507:
#0: (____ptrval____) (&tty->ldisc_sem){++++}, at:
ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
#1: (____ptrval____) (&ldata->atomic_read_lock){+.+.}, at:
n_tty_read+0x335/0x1ce0 drivers/tty/n_tty.c:2140
2 locks held by getty/4508:
#0: (____ptrval____) (&tty->ldisc_sem){++++}, at:
ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
#1: (____ptrval____) (&ldata->atomic_read_lock){+.+.}, at:
n_tty_read+0x335/0x1ce0 drivers/tty/n_tty.c:2140
2 locks held by syz-executor0/4802:
#0: (____ptrval____) (&type->i_mutex_dir_key#5){++++}, at:
inode_lock_shared include/linux/fs.h:725 [inline]
#0: (____ptrval____) (&type->i_mutex_dir_key#5){++++}, at:
lookup_slow+0x49/0x80 fs/namei.c:1646
#1: (____ptrval____) (&fi->mutex){+.+.}, at: fuse_lock_inode+0xaf/0xe0
fs/fuse/inode.c:363
2 locks held by syz-executor0/4804:
#0: (____ptrval____) (&fc->killsb){.+.+}, at: fuse_notify_delete
fs/fuse/dev.c:1538 [inline]
#0: (____ptrval____) (&fc->killsb){.+.+}, at: fuse_notify
fs/fuse/dev.c:1773 [inline]
#0: (____ptrval____) (&fc->killsb){.+.+}, at:
fuse_dev_do_write+0x2cbe/0x3700 fs/fuse/dev.c:1848
#1: (____ptrval____) (&type->i_mutex_dir_key#5){++++}, at: inode_lock
include/linux/fs.h:715 [inline]
#1: (____ptrval____) (&type->i_mutex_dir_key#5){++++}, at:
fuse_reverse_inval_entry+0xae/0x6d0 fs/fuse/dir.c:969

=============================================

NMI backtrace for cpu 0
CPU: 0 PID: 902 Comm: khungtaskd Not tainted 4.18.0-rc4+ #46
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
nmi_cpu_backtrace.cold.4+0x19/0xce lib/nmi_backtrace.c:103
nmi_trigger_cpumask_backtrace+0x151/0x192 lib/nmi_backtrace.c:62
arch_trigger_cpumask_backtrace+0x14/0x20 arch/x86/kernel/apic/hw_nmi.c:38
trigger_all_cpu_backtrace include/linux/nmi.h:138 [inline]
check_hung_uninterruptible_tasks kernel/hung_task.c:196 [inline]
watchdog+0x9c4/0xf80 kernel/hung_task.c:252
kthread+0x345/0x410 kernel/kthread.c:246
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1 skipped: idling at native_safe_halt+0x6/0x10
arch/x86/include/asm/irqflags.h:54

syzbot

Jul 12, 2018, 2:37:03 PM
to syzkaller-upst...@googlegroups.com
syzbot has found a reproducer for the following crash on:

HEAD commit: c25c74b7476e Merge tag 'trace-v4.18-rc3-2' of git://git.ke..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16b81e78400000
kernel config: https://syzkaller.appspot.com/x/.config?x=25856fac4e580aa7
dashboard link: https://syzkaller.appspot.com/bug?extid=825801ae76b982dd8f73
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro: https://syzkaller.appspot.com/x/repro.syz?x=10b878b4400000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=101dc4c8400000
CC: [linux-...@vger.kernel.org linux-...@vger.kernel.org
mik...@szeredi.hu]

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+825801...@syzkaller.appspotmail.com

random: sshd: uninitialized urandom read (32 bytes read)
INFO: task syz-executor045:4583 blocked for more than 140 seconds.
Not tainted 4.18.0-rc4+ #143
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor045 D23912 4583 4579 0x00000004
Call Trace:
context_switch kernel/sched/core.c:2853 [inline]
__schedule+0x87c/0x1ed0 kernel/sched/core.c:3501
schedule+0xfb/0x450 kernel/sched/core.c:3545
request_wait_answer+0x4c8/0x920 fs/fuse/dev.c:463
__fuse_request_send+0x12a/0x1d0 fs/fuse/dev.c:483
fuse_request_send+0x62/0xa0 fs/fuse/dev.c:496
fuse_simple_request+0x33d/0x730 fs/fuse/dev.c:554
fuse_send_open.isra.17+0x366/0x450 fs/fuse/file.c:42
fuse_do_open+0x25c/0x540 fs/fuse/file.c:133
fuse_open_common+0x160/0x2b0 fs/fuse/file.c:213
fuse_dir_open+0x22/0x30 fs/fuse/dir.c:1428
do_dentry_open+0x818/0xe40 fs/open.c:794
vfs_open+0x139/0x230 fs/open.c:908
do_last fs/namei.c:3399 [inline]
path_openat+0x174a/0x4e10 fs/namei.c:3540
do_filp_open+0x255/0x380 fs/namei.c:3574
do_open_execat+0x1fe/0x670 fs/exec.c:854
__do_execve_file.isra.35+0x1827/0x2730 fs/exec.c:1755
do_execveat_common fs/exec.c:1866 [inline]
do_execve fs/exec.c:1883 [inline]
__do_sys_execve fs/exec.c:1964 [inline]
__se_sys_execve fs/exec.c:1959 [inline]
__x64_sys_execve+0x8f/0xc0 fs/exec.c:1959
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x445939

Showing all locks held in the system:
1 lock held by khungtaskd/900:
#0: (____ptrval____) (rcu_read_lock){....}, at:
debug_show_all_locks+0xd0/0x428 kernel/locking/lockdep.c:4461
2 locks held by rsyslogd/4462:
#0: (____ptrval____) (&f->f_pos_lock){+.+.}, at: __fdget_pos+0x1bb/0x200
fs/file.c:766
#1: (____ptrval____) (&rq->lock){-.-.}, at: rq_lock
kernel/sched/sched.h:1812 [inline]
#1: (____ptrval____) (&rq->lock){-.-.}, at: __schedule+0x24d/0x1ed0
kernel/sched/core.c:3439
2 locks held by getty/4553:
#0: (____ptrval____) (&tty->ldisc_sem){++++}, at:
ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
#1: (____ptrval____) (&ldata->atomic_read_lock){+.+.}, at:
n_tty_read+0x335/0x1ce0 drivers/tty/n_tty.c:2140
2 locks held by getty/4554:
#0: (____ptrval____) (&tty->ldisc_sem){++++}, at:
ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
#1: (____ptrval____) (&ldata->atomic_read_lock){+.+.}, at:
n_tty_read+0x335/0x1ce0 drivers/tty/n_tty.c:2140
2 locks held by getty/4555:
#0: (____ptrval____) (&tty->ldisc_sem){++++}, at:
ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
#1: (____ptrval____) (&ldata->atomic_read_lock){+.+.}, at:
n_tty_read+0x335/0x1ce0 drivers/tty/n_tty.c:2140
2 locks held by getty/4556:
#0: (____ptrval____) (&tty->ldisc_sem){++++}, at:
ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
#1: (____ptrval____) (&ldata->atomic_read_lock){+.+.}, at:
n_tty_read+0x335/0x1ce0 drivers/tty/n_tty.c:2140
2 locks held by getty/4557:
#0: (____ptrval____) (&tty->ldisc_sem){++++}, at:
ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
#1: (____ptrval____) (&ldata->atomic_read_lock){+.+.}, at:
n_tty_read+0x335/0x1ce0 drivers/tty/n_tty.c:2140
2 locks held by getty/4558:
#0: (____ptrval____) (&tty->ldisc_sem){++++}, at:
ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
#1: (____ptrval____) (&ldata->atomic_read_lock){+.+.}, at:
n_tty_read+0x335/0x1ce0 drivers/tty/n_tty.c:2140
2 locks held by getty/4559:
#0: (____ptrval____) (&tty->ldisc_sem){++++}, at:
ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
#1: (____ptrval____) (&ldata->atomic_read_lock){+.+.}, at:
n_tty_read+0x335/0x1ce0 drivers/tty/n_tty.c:2140
1 lock held by syz-executor045/4583:
#0: (____ptrval____) (&sig->cred_guard_mutex){+.+.}, at:
prepare_bprm_creds+0x53/0x120 fs/exec.c:1404

=============================================

NMI backtrace for cpu 1
CPU: 1 PID: 900 Comm: khungtaskd Not tainted 4.18.0-rc4+ #143
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
nmi_cpu_backtrace.cold.4+0x19/0xce lib/nmi_backtrace.c:103
nmi_trigger_cpumask_backtrace+0x151/0x192 lib/nmi_backtrace.c:62
arch_trigger_cpumask_backtrace+0x14/0x20 arch/x86/kernel/apic/hw_nmi.c:38
trigger_all_cpu_backtrace include/linux/nmi.h:138 [inline]
check_hung_uninterruptible_tasks kernel/hung_task.c:196 [inline]
watchdog+0x9c4/0xf80 kernel/hung_task.c:252
kthread+0x345/0x410 kernel/kthread.c:246
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.18.0-rc4+ #143
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:__read_once_size include/linux/compiler.h:188 [inline]
RIP: 0010:check_kcov_mode kernel/kcov.c:69 [inline]
RIP: 0010:__sanitizer_cov_trace_pc+0x26/0x50 kernel/kcov.c:101
Call Trace:
<IRQ>
tick_irq_enter+0x19/0x390 kernel/time/tick-sched.c:1248
irq_enter+0xb6/0xd0 kernel/softirq.c:349
scheduler_ipi+0x3a9/0xa50 kernel/sched/core.c:1790
smp_reschedule_interrupt+0xf5/0x670 arch/x86/kernel/smp.c:277
reschedule_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:887
</IRQ>
RIP: 0010:native_safe_halt+0x6/0x10 arch/x86/include/asm/irqflags.h:54
arch_safe_halt arch/x86/include/asm/paravirt.h:94 [inline]
default_idle+0xc7/0x450 arch/x86/kernel/process.c:500
arch_cpu_idle+0x10/0x20 arch/x86/kernel/process.c:491
default_idle_call+0x6d/0x90 kernel/sched/idle.c:93
cpuidle_idle_call kernel/sched/idle.c:153 [inline]
do_idle+0x3aa/0x570 kernel/sched/idle.c:262
cpu_startup_entry+0x10c/0x120 kernel/sched/idle.c:368
rest_init+0xe1/0xe4 init/main.c:442
start_kernel+0x90e/0x949 init/main.c:738
x86_64_start_reservations+0x29/0x2b arch/x86/kernel/head64.c:452
x86_64_start_kernel+0x76/0x79 arch/x86/kernel/head64.c:433
secondary_startup_64+0xa5/0xb0 arch/x86/kernel/head_64.S:242

Dmitry Vyukov

Sep 13, 2018, 9:33:14 AM
to syzbot, 'Dmitry Vyukov' via syzkaller-upstream-moderation
Tried several reproducers from this bug and they don't trigger any
persistent problem. They do lead to hung processes after abort, but
all processes die after aborting all fuse connections.

Dmitry Vyukov

Feb 22, 2019, 6:41:07 AM
to syzbot, 'Dmitry Vyukov' via syzkaller-upstream-moderation
Let's see if this is reproducible after:

commit 3a7200e49b4e697ed93fb88178180ab6171d3f17
Date: Sat Aug 4 17:50:58 2018 +0200
executor: abort fuse connection

To report this upstream we need a fresh repro that aborts connections.

#syz invalid