Hello,
syzbot found the following crash on:
HEAD commit: c25c74b7476e Merge tag 'trace-v4.18-rc3-2' of git://
git.ke..
git tree: upstream
console output:
https://syzkaller.appspot.com/x/log.txt?x=17e87044400000
kernel config:
https://syzkaller.appspot.com/x/.config?x=25856fac4e580aa7
dashboard link:
https://syzkaller.appspot.com/bug?extid=825801ae76b982dd8f73
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
CC: [
linux-...@vger.kernel.org linux-...@vger.kernel.org
mik...@szeredi.hu]
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by:
syzbot+825801...@syzkaller.appspotmail.com
RBP: 000000000072bea0 R08: 0000000020000400 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000014
R13: 00000000004c021d R14: 00000000004cfeb8 R15: 0000000000000019
kernel msg: ebtables bug: please report to author: Couldn't copy entries
from userspace
kernel msg: ebtables bug: please report to author: Couldn't copy entries
from userspace
INFO: task syz-executor0:30440 blocked for more than 140 seconds.
Not tainted 4.18.0-rc4+ #143
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor0 D24152 30440 4562 0x00000004
Call Trace:
context_switch kernel/sched/core.c:2853 [inline]
__schedule+0x87c/0x1ed0 kernel/sched/core.c:3501
schedule+0xfb/0x450 kernel/sched/core.c:3545
request_wait_answer+0x4c8/0x920 fs/fuse/dev.c:463
__fuse_request_send+0x12a/0x1d0 fs/fuse/dev.c:483
fuse_request_send+0x62/0xa0 fs/fuse/dev.c:496
fuse_simple_request+0x33d/0x730 fs/fuse/dev.c:554
fuse_lookup_name+0x3ee/0x830 fs/fuse/dir.c:323
fuse_lookup+0xf9/0x4c0 fs/fuse/dir.c:360
__lookup_hash+0x12e/0x190 fs/namei.c:1505
filename_create+0x1e5/0x5b0 fs/namei.c:3646
user_path_create fs/namei.c:3703 [inline]
do_mkdirat+0xda/0x310 fs/namei.c:3842
__do_sys_mkdirat fs/namei.c:3861 [inline]
__se_sys_mkdirat fs/namei.c:3859 [inline]
__x64_sys_mkdirat+0x76/0xb0 fs/namei.c:3859
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x455a79
Code: 0f 0b e8 5a 44 fd ff 0f 0b e8 c3 44 fd ff 0f 0b e8 4c 44 fd ff 0f 0b
e8 05 68 fd ff 48 8d 05 a4 9a 48 00 48 89 04 24 48 c7 44 <24> 08 1d 00 00
00 e8 8c 71 fd ff e8 37 6a fd ff 0f b6 44 24 2f 83
RSP: 002b:00007f5c735c8c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000102
RAX: ffffffffffffffda RBX: 00007f5c735c96d4 RCX: 0000000000455a79
RDX: 0000000000000000 RSI: 0000000020000500 RDI: ffffffffffffff9c
RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000004c00fc R14: 00000000004cfc78 R15: 0000000000000000
INFO: task syz-executor0:30474 blocked for more than 140 seconds.
Not tainted 4.18.0-rc4+ #143
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor0 D24904 30474 4562 0x00000004
Call Trace:
context_switch kernel/sched/core.c:2853 [inline]
__schedule+0x87c/0x1ed0 kernel/sched/core.c:3501
schedule+0xfb/0x450 kernel/sched/core.c:3545
__rwsem_down_write_failed_common+0x95d/0x1630
kernel/locking/rwsem-xadd.c:566
rwsem_down_write_failed+0xe/0x10 kernel/locking/rwsem-xadd.c:595
call_rwsem_down_write_failed+0x17/0x30 arch/x86/lib/rwsem.S:117
__down_write arch/x86/include/asm/rwsem.h:142 [inline]
down_write+0xaa/0x130 kernel/locking/rwsem.c:72
inode_lock include/linux/fs.h:715 [inline]
lock_mount+0x8c/0x2e0 fs/namespace.c:2088
do_add_mount+0x27/0x370 fs/namespace.c:2465
do_new_mount fs/namespace.c:2532 [inline]
do_mount+0x193f/0x30e0 fs/namespace.c:2848
ksys_mount+0x12d/0x140 fs/namespace.c:3064
__do_sys_mount fs/namespace.c:3078 [inline]
__se_sys_mount fs/namespace.c:3075 [inline]
__x64_sys_mount+0xbe/0x150 fs/namespace.c:3075
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x455a79
Code: 0f 0b e8 5a 44 fd ff 0f 0b e8 c3 44 fd ff 0f 0b e8 4c 44 fd ff 0f 0b
e8 05 68 fd ff 48 8d 05 a4 9a 48 00 48 89 04 24 48 c7 44 <24> 08 1d 00 00
00 e8 8c 71 fd ff e8 37 6a fd ff 0f b6 44 24 2f 83
RSP: 002b:00007f5c735a7c68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007f5c735a86d4 RCX: 0000000000455a79
RDX: 0000000020000300 RSI: 0000000020000200 RDI: 0000000000000000
RBP: 000000000072bf48 R08: 0000000020000400 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000004c021d R14: 00000000004cfeb8 R15: 0000000000000001
INFO: task syz-executor0:30484 blocked for more than 140 seconds.
Not tainted 4.18.0-rc4+ #143
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor0 D25408 30484 4562 0x00000004
Call Trace:
context_switch kernel/sched/core.c:2853 [inline]
__schedule+0x87c/0x1ed0 kernel/sched/core.c:3501
schedule+0xfb/0x450 kernel/sched/core.c:3545
__rwsem_down_write_failed_common+0x95d/0x1630
kernel/locking/rwsem-xadd.c:566
rwsem_down_write_failed+0xe/0x10 kernel/locking/rwsem-xadd.c:595
call_rwsem_down_write_failed+0x17/0x30 arch/x86/lib/rwsem.S:117
__down_write arch/x86/include/asm/rwsem.h:142 [inline]
down_write_nested+0xae/0x130 kernel/locking/rwsem.c:194
inode_lock_nested include/linux/fs.h:750 [inline]
filename_create+0x1b2/0x5b0 fs/namei.c:3645
user_path_create fs/namei.c:3703 [inline]
do_mkdirat+0xda/0x310 fs/namei.c:3842
__do_sys_mkdirat fs/namei.c:3861 [inline]
__se_sys_mkdirat fs/namei.c:3859 [inline]
__x64_sys_mkdirat+0x76/0xb0 fs/namei.c:3859
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x455a79
Code: 0f 0b e8 5a 44 fd ff 0f 0b e8 c3 44 fd ff 0f 0b e8 4c 44 fd ff 0f 0b
e8 05 68 fd ff 48 8d 05 a4 9a 48 00 48 89 04 24 48 c7 44 <24> 08 1d 00 00
00 e8 8c 71 fd ff e8 37 6a fd ff 0f b6 44 24 2f 83
RSP: 002b:00007f5c73565c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000102
RAX: ffffffffffffffda RBX: 00007f5c735666d4 RCX: 0000000000455a79
RDX: 0000000000000000 RSI: 0000000020000500 RDI: ffffffffffffff9c
RBP: 000000000072c098 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000004c00fc R14: 00000000004cfc78 R15: 0000000000000003
Showing all locks held in the system:
1 lock held by khungtaskd/900:
#0: 0000000089d844e2 (rcu_read_lock){....}, at:
debug_show_all_locks+0xd0/0x428 kernel/locking/lockdep.c:4461
1 lock held by udevd/2418:
1 lock held by rsyslogd/4424:
#0: 000000004676b763 (&f->f_pos_lock){+.+.}, at: __fdget_pos+0x1bb/0x200
fs/file.c:766
2 locks held by getty/4514:
#0: 000000008d5dc83f (&tty->ldisc_sem){++++}, at:
ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
#1: 0000000079d67a8e (&ldata->atomic_read_lock){+.+.}, at:
n_tty_read+0x335/0x1ce0 drivers/tty/n_tty.c:2140
2 locks held by getty/4515:
#0: 000000000077810c (&tty->ldisc_sem){++++}, at:
ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
#1: 00000000013faa87 (&ldata->atomic_read_lock){+.+.}, at:
n_tty_read+0x335/0x1ce0 drivers/tty/n_tty.c:2140
2 locks held by getty/4516:
#0: 00000000a31433ea (&tty->ldisc_sem){++++}, at:
ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
#1: 000000000b02ba1c (&ldata->atomic_read_lock){+.+.}, at:
n_tty_read+0x335/0x1ce0 drivers/tty/n_tty.c:2140
2 locks held by getty/4517:
#0: 00000000ddc43311 (&tty->ldisc_sem){++++}, at:
ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
#1: 0000000083d3a266 (&ldata->atomic_read_lock){+.+.}, at:
n_tty_read+0x335/0x1ce0 drivers/tty/n_tty.c:2140
2 locks held by getty/4518:
#0: 00000000445f4fa0 (&tty->ldisc_sem){++++}, at:
ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
#1: 00000000a6fed251 (&ldata->atomic_read_lock){+.+.}, at:
n_tty_read+0x335/0x1ce0 drivers/tty/n_tty.c:2140
2 locks held by getty/4519:
#0: 00000000ff68c89a (&tty->ldisc_sem){++++}, at:
ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
#1: 00000000cf9df215 (&ldata->atomic_read_lock){+.+.}, at:
n_tty_read+0x335/0x1ce0 drivers/tty/n_tty.c:2140
2 locks held by getty/4520:
#0: 0000000053905977 (&tty->ldisc_sem){++++}, at:
ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
#1: 00000000dab43fb5 (&ldata->atomic_read_lock){+.+.}, at:
n_tty_read+0x335/0x1ce0 drivers/tty/n_tty.c:2140
3 locks held by syz-executor0/30440:
#0: 00000000bede6997 (sb_writers#14){.+.+}, at: sb_start_write
include/linux/fs.h:1554 [inline]
#0: 00000000bede6997 (sb_writers#14){.+.+}, at: mnt_want_write+0x3f/0xc0
fs/namespace.c:386
#1: 00000000b86b5ce9 (&type->i_mutex_dir_key#5/1){+.+.}, at:
inode_lock_nested include/linux/fs.h:750 [inline]
#1: 00000000b86b5ce9 (&type->i_mutex_dir_key#5/1){+.+.}, at:
filename_create+0x1b2/0x5b0 fs/namei.c:3645
#2: 0000000086d9b913 (&fi->mutex){+.+.}, at: fuse_lock_inode+0xaf/0xe0
fs/fuse/inode.c:363
1 lock held by syz-executor0/30474:
#0: 00000000b86b5ce9 (&type->i_mutex_dir_key#5){++++}, at: inode_lock
include/linux/fs.h:715 [inline]
#0: 00000000b86b5ce9 (&type->i_mutex_dir_key#5){++++}, at:
lock_mount+0x8c/0x2e0 fs/namespace.c:2088
2 locks held by syz-executor0/30484:
#0: 00000000bede6997 (sb_writers#14){.+.+}, at: sb_start_write
include/linux/fs.h:1554 [inline]
#0: 00000000bede6997 (sb_writers#14){.+.+}, at: mnt_want_write+0x3f/0xc0
fs/namespace.c:386
#1: 00000000b86b5ce9 (&type->i_mutex_dir_key#5/1){+.+.}, at:
inode_lock_nested include/linux/fs.h:750 [inline]
#1: 00000000b86b5ce9 (&type->i_mutex_dir_key#5/1){+.+.}, at:
filename_create+0x1b2/0x5b0 fs/namei.c:3645
=============================================
NMI backtrace for cpu 1
CPU: 1 PID: 900 Comm: khungtaskd Not tainted 4.18.0-rc4+ #143
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
nmi_cpu_backtrace.cold.4+0x19/0xce lib/nmi_backtrace.c:103
nmi_trigger_cpumask_backtrace+0x151/0x192 lib/nmi_backtrace.c:62
arch_trigger_cpumask_backtrace+0x14/0x20 arch/x86/kernel/apic/hw_nmi.c:38
trigger_all_cpu_backtrace include/linux/nmi.h:138 [inline]
check_hung_uninterruptible_tasks kernel/hung_task.c:196 [inline]
watchdog+0x9c4/0xf80 kernel/hung_task.c:252
kthread+0x345/0x410 kernel/kthread.c:246
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 PID: 2418 Comm: udevd Not tainted 4.18.0-rc4+ #143
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:__sanitizer_cov_trace_cmp8+0x1/0x20 kernel/kcov.c:167
Code: ff 5d c3 66 0f 1f 44 00 00 55 89 f2 89 fe bf 04 00 00 00 48 89 e5 48
8b 4d 08 e8 ea fe ff ff 5d c3 0f 1f 84 00 00 00 00 00 55 <48> 89 f2 48 89
fe bf 06 00 00 00 48 89 e5 48 8b 4d 08 e8 c8 fe ff
RSP: 0018:ffff8801ca09fdb0 EFLAGS: 00000293
RAX: ffff8801ca090040 RBX: 00007ffd3d4ce120 RCX: ffffffff81da16c8
RDX: 0000000000000000 RSI: 00007ffd3d4ce120 RDI: 00007ffffffff000
RBP: ffff8801ca09fdf0 R08: ffff8801ca090040 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 00007ffffffff000
R13: 0000000000000008 R14: 00007ffd3d4ce0c0 R15: 0000000000000000
FS: 00007f49ed4f87a0(0000) GS:ffff8801dae00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffff600400 CR3: 00000001ca7c8000 CR4: 00000000001406f0
DR0: 0000000020000040 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
Call Trace:
__do_sys_epoll_wait fs/eventpoll.c:2200 [inline]
__se_sys_epoll_wait fs/eventpoll.c:2197 [inline]
__x64_sys_epoll_wait+0x97/0xf0 fs/eventpoll.c:2197
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f49ecc0c943
Code: 00 31 d2 48 29 c2 64 89 11 48 83 c8 ff eb ea 90 90 90 90 90 90 90 90
83 3d b5 dc 2a 00 00 75 13 49 89 ca b8 e8 00 00 00 0f 05 <48> 3d 01 f0 ff
ff 73 34 c3 48 83 ec 08 e8 3b c4 00 00 48 89 04 24
RSP: 002b:00007ffd3d4cdfc8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e8
RAX: ffffffffffffffda RBX: 0000000000000bb8 RCX: 00007f49ecc0c943
RDX: 0000000000000008 RSI: 00007ffd3d4ce0c0 RDI: 000000000000000a
RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000001
R10: 0000000000000bb8 R11: 0000000000000246 R12: 0000000000000003
R13: 0000000000000000 R14: 00000000012ea1f0 R15: 00000000012de250
---
This bug is generated by a bot. It may contain errors.
See
https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at
syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.