[syzbot] possible deadlock in console_lock_spinning_enable (2)


syzbot

Nov 14, 2021, 10:58:32 AM
to gre...@linuxfoundation.org, jiri...@kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: debe436e77c7 Merge tag 'ext4_for_linus' of git://git.kerne..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=162b3b8ab00000
kernel config: https://syzkaller.appspot.com/x/.config?x=2897a869f0607967
dashboard link: https://syzkaller.appspot.com/bug?extid=3cc1054e15babd5f4cd2
compiler: Debian clang version 11.0.1-2, GNU ld (GNU Binutils for Debian) 2.35.2

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3cc105...@syzkaller.appspotmail.com

FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
======================================================
WARNING: possible circular locking dependency detected
5.15.0-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.5/6725 is trying to acquire lock:
ffffffff8cb12260 (console_owner){-.-.}-{0:0}, at: console_lock_spinning_enable+0x2d/0x60 kernel/printk/printk.c:1778

but task is already holding lock:
ffff8880893d4958 (&port->lock){-.-.}-{2:2}, at: pty_write+0xc5/0x170 drivers/tty/pty.c:120

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #2 (&port->lock){-.-.}-{2:2}:
lock_acquire+0x19f/0x4d0 kernel/locking/lockdep.c:5637
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0xd1/0x120 kernel/locking/spinlock.c:162
tty_port_tty_get+0x21/0xe0 drivers/tty/tty_port.c:289
tty_port_default_wakeup+0x11/0x40 drivers/tty/tty_port.c:48
serial8250_tx_chars+0x68e/0x8a0 drivers/tty/serial/8250/8250_port.c:1845
serial8250_handle_irq+0x2fd/0x3e0 drivers/tty/serial/8250/8250_port.c:1932
serial8250_default_handle_irq+0xaf/0x190 drivers/tty/serial/8250/8250_port.c:1949
serial8250_interrupt+0xa3/0x1e0 drivers/tty/serial/8250/8250_core.c:126
__handle_irq_event_percpu+0x20d/0x730 kernel/irq/handle.c:158
handle_irq_event_percpu kernel/irq/handle.c:198 [inline]
handle_irq_event+0x10a/0x300 kernel/irq/handle.c:215
handle_edge_irq+0x245/0xbe0 kernel/irq/chip.c:822
generic_handle_irq_desc include/linux/irqdesc.h:158 [inline]
handle_irq arch/x86/kernel/irq.c:231 [inline]
__common_interrupt+0xce/0x1e0 arch/x86/kernel/irq.c:250
common_interrupt+0x9f/0xc0 arch/x86/kernel/irq.c:240
asm_common_interrupt+0x1e/0x40
__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:152 [inline]
_raw_spin_unlock_irqrestore+0xd4/0x130 kernel/locking/spinlock.c:194
spin_unlock_irqrestore include/linux/spinlock.h:404 [inline]
uart_write+0x6ad/0x920 drivers/tty/serial/serial_core.c:598
do_output_char+0x638/0x940 drivers/tty/n_tty.c:444
process_output drivers/tty/n_tty.c:511 [inline]
n_tty_write+0xe95/0x1320 drivers/tty/n_tty.c:2300
do_tty_write drivers/tty/tty_io.c:1038 [inline]
file_tty_write+0x5c5/0x9a0 drivers/tty/tty_io.c:1110
do_iter_readv_writev+0x54f/0x740
do_iter_write+0x21e/0x7b0 fs/read_write.c:851
vfs_writev fs/read_write.c:924 [inline]
do_writev+0x279/0x470 fs/read_write.c:967
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae

-> #1 (&port_lock_key){-.-.}-{2:2}:
lock_acquire+0x19f/0x4d0 kernel/locking/lockdep.c:5637
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0xd1/0x120 kernel/locking/spinlock.c:162
serial8250_console_write+0x19c/0xf30 drivers/tty/serial/8250/8250_port.c:3358
console_unlock+0xb00/0xe90 kernel/printk/printk.c:2711
vprintk_emit+0xba/0x140 kernel/printk/printk.c:2245
_printk+0xcf/0x118 kernel/printk/printk.c:2266
register_console+0x6bd/0x9a0 kernel/printk/printk.c:3051
univ8250_console_init+0x41/0x43 drivers/tty/serial/8250/8250_core.c:680
console_init+0x52/0x97 kernel/printk/printk.c:3151
start_kernel+0x32d/0x56e init/main.c:1064
secondary_startup_64_no_verify+0xb1/0xbb

-> #0 (console_owner){-.-.}-{0:0}:
check_prev_add kernel/locking/lockdep.c:3063 [inline]
check_prevs_add kernel/locking/lockdep.c:3186 [inline]
validate_chain+0x1dfb/0x8240 kernel/locking/lockdep.c:3801
__lock_acquire+0x1382/0x2b00 kernel/locking/lockdep.c:5027
lock_acquire+0x19f/0x4d0 kernel/locking/lockdep.c:5637
console_lock_spinning_enable+0x52/0x60 kernel/printk/printk.c:1781
console_unlock+0x834/0xe90 kernel/printk/printk.c:2708
vprintk_emit+0xba/0x140 kernel/printk/printk.c:2245
_printk+0xcf/0x118 kernel/printk/printk.c:2266
fail_dump lib/fault-inject.c:45 [inline]
should_fail+0x366/0x4b0 lib/fault-inject.c:146
should_failslab+0x5/0x20 mm/slab_common.c:1320
slab_pre_alloc_hook mm/slab.h:494 [inline]
slab_alloc_node mm/slub.c:3148 [inline]
slab_alloc mm/slub.c:3242 [inline]
__kmalloc+0x94/0x380 mm/slub.c:4419
kmalloc include/linux/slab.h:595 [inline]
tty_buffer_alloc drivers/tty/tty_buffer.c:177 [inline]
__tty_buffer_request_room+0x1f0/0x540 drivers/tty/tty_buffer.c:275
tty_insert_flip_string_fixed_flag+0x92/0x2c0 drivers/tty/tty_buffer.c:321
tty_insert_flip_string include/linux/tty_flip.h:42 [inline]
pty_write+0xe9/0x170 drivers/tty/pty.c:122
tty_put_char+0x115/0x180 drivers/tty/tty_io.c:3174
do_output_char+0x583/0x940 drivers/tty/n_tty.c:485
__process_echoes+0x2a3/0x930 drivers/tty/n_tty.c:736
flush_echoes drivers/tty/n_tty.c:826 [inline]
__receive_buf drivers/tty/n_tty.c:1579 [inline]
n_tty_receive_buf_common+0x7c2d/0x81d0 drivers/tty/n_tty.c:1674
tiocsti drivers/tty/tty_io.c:2310 [inline]
tty_ioctl+0xe30/0x17d0 drivers/tty/tty_io.c:2719
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:874 [inline]
__se_sys_ioctl+0xfb/0x170 fs/ioctl.c:860
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae

other info that might help us debug this:

Chain exists of:
console_owner --> &port_lock_key --> &port->lock

Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&port->lock);
                               lock(&port_lock_key);
                               lock(&port->lock);
  lock(console_owner);

*** DEADLOCK ***

6 locks held by syz-executor.5/6725:
#0: ffff888084da5098 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x21/0x70 drivers/tty/tty_ldisc.c:252
#1: ffff8880893d60b8 (&port->buf.lock/1){+.+.}-{3:3}, at: tiocsti drivers/tty/tty_io.c:2308 [inline]
#1: ffff8880893d60b8 (&port->buf.lock/1){+.+.}-{3:3}, at: tty_ioctl+0xdba/0x17d0 drivers/tty/tty_io.c:2719
#2: ffff888084da52e8 (&o_tty->termios_rwsem/1){++++}-{3:3}, at: n_tty_receive_buf_common+0x8e/0x81d0 drivers/tty/n_tty.c:1637
#3: ffffc90017a63378 (&ldata->output_lock){+.+.}-{3:3}, at: flush_echoes drivers/tty/n_tty.c:824 [inline]
#3: ffffc90017a63378 (&ldata->output_lock){+.+.}-{3:3}, at: __receive_buf drivers/tty/n_tty.c:1579 [inline]
#3: ffffc90017a63378 (&ldata->output_lock){+.+.}-{3:3}, at: n_tty_receive_buf_common+0x7be1/0x81d0 drivers/tty/n_tty.c:1674
#4: ffff8880893d4958 (&port->lock){-.-.}-{2:2}, at: pty_write+0xc5/0x170 drivers/tty/pty.c:120
#5: ffffffff8c9f9f00 (console_lock){+.+.}-{0:0}, at: vprintk_emit+0xa1/0x140 kernel/printk/printk.c:2244

stack backtrace:
CPU: 0 PID: 6725 Comm: syz-executor.5 Not tainted 5.15.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1dc/0x2d8 lib/dump_stack.c:106
check_noncircular+0x2f9/0x3b0 kernel/locking/lockdep.c:2143
check_prev_add kernel/locking/lockdep.c:3063 [inline]
check_prevs_add kernel/locking/lockdep.c:3186 [inline]
validate_chain+0x1dfb/0x8240 kernel/locking/lockdep.c:3801
__lock_acquire+0x1382/0x2b00 kernel/locking/lockdep.c:5027
lock_acquire+0x19f/0x4d0 kernel/locking/lockdep.c:5637
console_lock_spinning_enable+0x52/0x60 kernel/printk/printk.c:1781
console_unlock+0x834/0xe90 kernel/printk/printk.c:2708
vprintk_emit+0xba/0x140 kernel/printk/printk.c:2245
_printk+0xcf/0x118 kernel/printk/printk.c:2266
fail_dump lib/fault-inject.c:45 [inline]
should_fail+0x366/0x4b0 lib/fault-inject.c:146
should_failslab+0x5/0x20 mm/slab_common.c:1320
slab_pre_alloc_hook mm/slab.h:494 [inline]
slab_alloc_node mm/slub.c:3148 [inline]
slab_alloc mm/slub.c:3242 [inline]
__kmalloc+0x94/0x380 mm/slub.c:4419
kmalloc include/linux/slab.h:595 [inline]
tty_buffer_alloc drivers/tty/tty_buffer.c:177 [inline]
__tty_buffer_request_room+0x1f0/0x540 drivers/tty/tty_buffer.c:275
tty_insert_flip_string_fixed_flag+0x92/0x2c0 drivers/tty/tty_buffer.c:321
tty_insert_flip_string include/linux/tty_flip.h:42 [inline]
pty_write+0xe9/0x170 drivers/tty/pty.c:122
tty_put_char+0x115/0x180 drivers/tty/tty_io.c:3174
do_output_char+0x583/0x940 drivers/tty/n_tty.c:485
__process_echoes+0x2a3/0x930 drivers/tty/n_tty.c:736
flush_echoes drivers/tty/n_tty.c:826 [inline]
__receive_buf drivers/tty/n_tty.c:1579 [inline]
n_tty_receive_buf_common+0x7c2d/0x81d0 drivers/tty/n_tty.c:1674
tiocsti drivers/tty/tty_io.c:2310 [inline]
tty_ioctl+0xe30/0x17d0 drivers/tty/tty_io.c:2719
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:874 [inline]
__se_sys_ioctl+0xfb/0x170 fs/ioctl.c:860
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fa76cdb3ae9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fa76a2e7188 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fa76cec70e0 RCX: 00007fa76cdb3ae9
RDX: 0000000020000100 RSI: 0000000000005412 RDI: 0000000000000004
RBP: 00007fa76a2e71d0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 00007fff471d4ccf R14: 00007fa76a2e7300 R15: 0000000000022000
</TASK>
CPU: 0 PID: 6725 Comm: syz-executor.5 Not tainted 5.15.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1dc/0x2d8 lib/dump_stack.c:106
fail_dump lib/fault-inject.c:52 [inline]
should_fail+0x384/0x4b0 lib/fault-inject.c:146
should_failslab+0x5/0x20 mm/slab_common.c:1320
slab_pre_alloc_hook mm/slab.h:494 [inline]
slab_alloc_node mm/slub.c:3148 [inline]
slab_alloc mm/slub.c:3242 [inline]
__kmalloc+0x94/0x380 mm/slub.c:4419
kmalloc include/linux/slab.h:595 [inline]
tty_buffer_alloc drivers/tty/tty_buffer.c:177 [inline]
__tty_buffer_request_room+0x1f0/0x540 drivers/tty/tty_buffer.c:275
tty_insert_flip_string_fixed_flag+0x92/0x2c0 drivers/tty/tty_buffer.c:321
tty_insert_flip_string include/linux/tty_flip.h:42 [inline]
pty_write+0xe9/0x170 drivers/tty/pty.c:122
tty_put_char+0x115/0x180 drivers/tty/tty_io.c:3174
do_output_char+0x583/0x940 drivers/tty/n_tty.c:485
__process_echoes+0x2a3/0x930 drivers/tty/n_tty.c:736
flush_echoes drivers/tty/n_tty.c:826 [inline]
__receive_buf drivers/tty/n_tty.c:1579 [inline]
n_tty_receive_buf_common+0x7c2d/0x81d0 drivers/tty/n_tty.c:1674
tiocsti drivers/tty/tty_io.c:2310 [inline]
tty_ioctl+0xe30/0x17d0 drivers/tty/tty_io.c:2719
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:874 [inline]
__se_sys_ioctl+0xfb/0x170 fs/ioctl.c:860
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fa76cdb3ae9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fa76a2e7188 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fa76cec70e0 RCX: 00007fa76cdb3ae9
RDX: 0000000020000100 RSI: 0000000000005412 RDI: 0000000000000004
RBP: 00007fa76a2e71d0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 00007fff471d4ccf R14: 00007fa76a2e7300 R15: 0000000000022000
</TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Dec 10, 2021, 3:24:28 PM
to gre...@linuxfoundation.org, jiri...@kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: c741e49150db Merge tag 'for-linus' of git://git.kernel.org..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16b9df3ab00000
kernel config: https://syzkaller.appspot.com/x/.config?x=7d5e878e3399b6cc
dashboard link: https://syzkaller.appspot.com/bug?extid=3cc1054e15babd5f4cd2
compiler: Debian clang version 11.0.1-2, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16b69fc5b00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14d5a9b9b00000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3cc105...@syzkaller.appspotmail.com

FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
======================================================
WARNING: possible circular locking dependency detected
5.16.0-rc4-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor591/3817 is trying to acquire lock:
ffffffff8cb12620 (console_owner){....}-{0:0}, at: console_lock_spinning_enable+0x2d/0x60 kernel/printk/printk.c:1778

but task is already holding lock:
ffff88807b7fb158 (&port->lock){-...}-{2:2}, at: pty_write+0xc5/0x170 drivers/tty/pty.c:120

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #2 (&port->lock){-...}-{2:2}:
lock_acquire+0x19f/0x4d0 kernel/locking/lockdep.c:5637
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0xd1/0x120 kernel/locking/spinlock.c:162
tty_port_tty_get+0x21/0xe0 drivers/tty/tty_port.c:289
tty_port_default_wakeup+0x11/0x40 drivers/tty/tty_port.c:48
serial8250_tx_chars+0x68e/0x8a0 drivers/tty/serial/8250/8250_port.c:1845
serial8250_handle_irq+0x2fd/0x3e0 drivers/tty/serial/8250/8250_port.c:1932
serial8250_default_handle_irq+0xaf/0x190 drivers/tty/serial/8250/8250_port.c:1949
serial8250_interrupt+0xa3/0x1e0 drivers/tty/serial/8250/8250_core.c:126
__handle_irq_event_percpu+0x20d/0x730 kernel/irq/handle.c:158
handle_irq_event_percpu kernel/irq/handle.c:198 [inline]
handle_irq_event+0x10a/0x300 kernel/irq/handle.c:215
handle_edge_irq+0x245/0xbe0 kernel/irq/chip.c:822
generic_handle_irq_desc include/linux/irqdesc.h:158 [inline]
handle_irq arch/x86/kernel/irq.c:231 [inline]
__common_interrupt+0xce/0x1e0 arch/x86/kernel/irq.c:250
common_interrupt+0x9f/0xc0 arch/x86/kernel/irq.c:240
asm_common_interrupt+0x1e/0x40
__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:152 [inline]
_raw_spin_unlock_irqrestore+0xd4/0x130 kernel/locking/spinlock.c:194
spin_unlock_irqrestore include/linux/spinlock.h:404 [inline]
uart_write+0x6ad/0x920 drivers/tty/serial/serial_core.c:598
process_output_block drivers/tty/n_tty.c:592 [inline]
n_tty_write+0xdda/0x1320 drivers/tty/n_tty.c:2288
do_tty_write drivers/tty/tty_io.c:1038 [inline]
file_tty_write+0x5c5/0x9a0 drivers/tty/tty_io.c:1110
call_write_iter include/linux/fs.h:2162 [inline]
new_sync_write fs/read_write.c:503 [inline]
vfs_write+0xb11/0xe90 fs/read_write.c:590
ksys_write+0x18f/0x2c0 fs/read_write.c:643
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae

-> #1 (&port_lock_key){-...}-{2:2}:
lock_acquire+0x19f/0x4d0 kernel/locking/lockdep.c:5637
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0xd1/0x120 kernel/locking/spinlock.c:162
serial8250_console_write+0x19c/0xf30 drivers/tty/serial/8250/8250_port.c:3351
console_unlock+0xb00/0xe90 kernel/printk/printk.c:2711
vprintk_emit+0xba/0x140 kernel/printk/printk.c:2245
_printk+0xcf/0x118 kernel/printk/printk.c:2266
register_console+0x6bd/0x9a0 kernel/printk/printk.c:3051
univ8250_console_init+0x41/0x43 drivers/tty/serial/8250/8250_core.c:680
console_init+0x52/0x97 kernel/printk/printk.c:3151
start_kernel+0x32d/0x56e init/main.c:1064
secondary_startup_64_no_verify+0xb1/0xbb

-> #0 (console_owner){....}-{0:0}:
check_prev_add kernel/locking/lockdep.c:3063 [inline]
check_prevs_add kernel/locking/lockdep.c:3186 [inline]
validate_chain+0x1dfb/0x8240 kernel/locking/lockdep.c:3801
__lock_acquire+0x1382/0x2b00 kernel/locking/lockdep.c:5027
lock_acquire+0x19f/0x4d0 kernel/locking/lockdep.c:5637
console_lock_spinning_enable+0x52/0x60 kernel/printk/printk.c:1781
console_unlock+0x834/0xe90 kernel/printk/printk.c:2708
vprintk_emit+0xba/0x140 kernel/printk/printk.c:2245
_printk+0xcf/0x118 kernel/printk/printk.c:2266
fail_dump lib/fault-inject.c:45 [inline]
should_fail+0x366/0x4b0 lib/fault-inject.c:146
should_failslab+0x5/0x20 mm/slab_common.c:1320
slab_pre_alloc_hook mm/slab.h:494 [inline]
slab_alloc_node mm/slub.c:3148 [inline]
slab_alloc mm/slub.c:3242 [inline]
__kmalloc+0x94/0x380 mm/slub.c:4419
kmalloc include/linux/slab.h:595 [inline]
tty_buffer_alloc drivers/tty/tty_buffer.c:177 [inline]
__tty_buffer_request_room+0x1f0/0x540 drivers/tty/tty_buffer.c:275
tty_insert_flip_string_fixed_flag+0x92/0x2c0 drivers/tty/tty_buffer.c:321
tty_insert_flip_string include/linux/tty_flip.h:42 [inline]
pty_write+0xe9/0x170 drivers/tty/pty.c:122
tty_put_char+0x115/0x180 drivers/tty/tty_io.c:3174
__process_echoes+0x461/0x930 drivers/tty/n_tty.c:725
flush_echoes drivers/tty/n_tty.c:826 [inline]
__receive_buf drivers/tty/n_tty.c:1579 [inline]
n_tty_receive_buf_common+0x7c2d/0x81d0 drivers/tty/n_tty.c:1674
tiocsti drivers/tty/tty_io.c:2310 [inline]
tty_ioctl+0xe30/0x17d0 drivers/tty/tty_io.c:2719
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:874 [inline]
__se_sys_ioctl+0xfb/0x170 fs/ioctl.c:860
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae

other info that might help us debug this:

Chain exists of:
console_owner --> &port_lock_key --> &port->lock

Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&port->lock);
                               lock(&port_lock_key);
                               lock(&port->lock);
  lock(console_owner);

*** DEADLOCK ***

6 locks held by syz-executor591/3817:
#0: ffff88801ca3e098 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x21/0x70 drivers/tty/tty_ldisc.c:252
#1: ffff88807b7fa8b8 (&port->buf.lock/1){+.+.}-{3:3}, at: tiocsti drivers/tty/tty_io.c:2308 [inline]
#1: ffff88807b7fa8b8 (&port->buf.lock/1){+.+.}-{3:3}, at: tty_ioctl+0xdba/0x17d0 drivers/tty/tty_io.c:2719
#2: ffff88801ca3e2e8 (&o_tty->termios_rwsem/1){++++}-{3:3}, at: n_tty_receive_signal_char drivers/tty/n_tty.c:1240 [inline]
#2: ffff88801ca3e2e8 (&o_tty->termios_rwsem/1){++++}-{3:3}, at: n_tty_receive_char_special drivers/tty/n_tty.c:1281 [inline]
#2: ffff88801ca3e2e8 (&o_tty->termios_rwsem/1){++++}-{3:3}, at: n_tty_receive_buf_standard drivers/tty/n_tty.c:1558 [inline]
#2: ffff88801ca3e2e8 (&o_tty->termios_rwsem/1){++++}-{3:3}, at: __receive_buf drivers/tty/n_tty.c:1577 [inline]
#2: ffff88801ca3e2e8 (&o_tty->termios_rwsem/1){++++}-{3:3}, at: n_tty_receive_buf_common+0x19d6/0x81d0 drivers/tty/n_tty.c:1674
#3: ffffc900030f7378 (&ldata->output_lock){+.+.}-{3:3}, at: flush_echoes drivers/tty/n_tty.c:824 [inline]
#3: ffffc900030f7378 (&ldata->output_lock){+.+.}-{3:3}, at: __receive_buf drivers/tty/n_tty.c:1579 [inline]
#3: ffffc900030f7378 (&ldata->output_lock){+.+.}-{3:3}, at: n_tty_receive_buf_common+0x7be1/0x81d0 drivers/tty/n_tty.c:1674
#4: ffff88807b7fb158 (&port->lock){-...}-{2:2}, at: pty_write+0xc5/0x170 drivers/tty/pty.c:120
#5: ffffffff8c9fa2c0 (console_lock){+.+.}-{0:0}, at: vprintk_emit+0xa1/0x140 kernel/printk/printk.c:2244

stack backtrace:
CPU: 1 PID: 3817 Comm: syz-executor591 Not tainted 5.16.0-rc4-syzkaller #0
__process_echoes+0x461/0x930 drivers/tty/n_tty.c:725
flush_echoes drivers/tty/n_tty.c:826 [inline]
__receive_buf drivers/tty/n_tty.c:1579 [inline]
n_tty_receive_buf_common+0x7c2d/0x81d0 drivers/tty/n_tty.c:1674
tiocsti drivers/tty/tty_io.c:2310 [inline]
tty_ioctl+0xe30/0x17d0 drivers/tty/tty_io.c:2719
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:874 [inline]
__se_sys_ioctl+0xfb/0x170 fs/ioctl.c:860
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7ff47cc901a9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff8cd4d1c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007ff47cc901a9
RDX: 0000000020000000 RSI: 0000000000005412 RDI: 0000000000000004
RBP: 00007fff8cd4d1e0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000005
R13: 431bde82d7b634db R14: 0000000000000000 R15: 0000000000000000
</TASK>
CPU: 1 PID: 3817 Comm: syz-executor591 Not tainted 5.16.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1dc/0x2d8 lib/dump_stack.c:106
fail_dump lib/fault-inject.c:52 [inline]
should_fail+0x384/0x4b0 lib/fault-inject.c:146
should_failslab+0x5/0x20 mm/slab_common.c:1320
slab_pre_alloc_hook mm/slab.h:494 [inline]
slab_alloc_node mm/slub.c:3148 [inline]
slab_alloc mm/slub.c:3242 [inline]
__kmalloc+0x94/0x380 mm/slub.c:4419
kmalloc include/linux/slab.h:595 [inline]
tty_buffer_alloc drivers/tty/tty_buffer.c:177 [inline]
__tty_buffer_request_room+0x1f0/0x540 drivers/tty/tty_buffer.c:275
tty_insert_flip_string_fixed_flag+0x92/0x2c0 drivers/tty/tty_buffer.c:321
tty_insert_flip_string include/linux/tty_flip.h:42 [inline]
pty_write+0xe9/0x170 drivers/tty/pty.c:122
tty_put_char+0x115/0x180 drivers/tty/tty_io.c:3174
__process_echoes+0x461/0x930 drivers/tty/n_tty.c:725
flush_echoes drivers/tty/n_tty.c:826 [inline]
__receive_buf drivers/tty/n_tty.c:1579 [inline]
n_tty_receive_buf_common+0x7c2d/0x81d0 drivers/tty/n_tty.c:1674
tiocsti drivers/tty/tty_io.c:2310 [inline]
tty_ioctl+0xe30/0x17d0 drivers/tty/tty_io.c:2719
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:874 [inline]
__se_sys_ioctl+0xfb/0x170 fs/ioctl.c:860
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7ff47cc901a9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff8cd4d1c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007ff47cc901a9
RDX: 0000000020000000 RSI: 0000000000005412 RDI: 0000000000000004
RBP: 00007fff8cd4d1e0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000005
R13: 431bde82d7b634db R14: 0000000000000000 R15: 0000000000000000
</TASK>

syzbot

Jun 18, 2022, 11:47:09 PM
to ak...@linux-foundation.org, gli...@google.com, gre...@linuxfoundation.org, jiri...@kernel.org, john....@linutronix.de, linux-...@vger.kernel.org, npi...@gmail.com, pml...@suse.com, rdu...@infradead.org, ros...@goodmis.org, senoz...@chromium.org, swb...@chromium.org, syzkall...@googlegroups.com
syzbot suspects this issue was fixed by commit:

commit faebd693c59387b7b765fab64b543855e15a91b4
Author: John Ogness <john....@linutronix.de>
Date: Thu Apr 21 21:22:36 2022 +0000

printk: rename cpulock functions

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=17d0607bf00000
start commit: bc403203d65a Merge tag 'powerpc-5.18-5' of git://git.kerne..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=78013caa620443d6
dashboard link: https://syzkaller.appspot.com/bug?extid=3cc1054e15babd5f4cd2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14c08966f00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=108132e9f00000

If the result looks correct, please mark the issue as fixed by replying with:

#syz fix: printk: rename cpulock functions

For information about bisection process see: https://goo.gl/tpsmEJ#bisection

Hillf Danton

Jun 19, 2022, 3:42:36 AM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Fri, 10 Dec 2021 12:24:27 -0800
To fix the deadlock, set fault injection to no-dump for the current task while the port lock is held.

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git c741e49150db

--- y/include/linux/sched.h
+++ s/include/linux/sched.h
@@ -933,6 +933,9 @@ struct task_struct {
/* Recursion prevention for eventfd_signal() */
unsigned in_eventfd_signal:1;
#endif
+#ifdef CONFIG_FAULT_INJECTION
+ unsigned fi_no_dump:1;
+#endif

unsigned long atomic_flags; /* Flags requiring atomic access. */

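Review bot: missing documentation on the new bitfield; the neighbouring members of this struct each carry a comment (`/* Recursion prevention for eventfd_signal() */`), so `fi_no_dump` should get one stating what it suppresses (the fail_dump() printk) and which code path sets it, otherwise a reader of sched.h has no way to connect the flag to pty_write().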
--- y/lib/fault-inject.c
+++ x/lib/fault-inject.c
@@ -41,6 +41,8 @@ EXPORT_SYMBOL_GPL(setup_fault_attr);

static void fail_dump(struct fault_attr *attr)
{
+ if (current->fi_no_dump)
+ return;
if (attr->verbose > 0 && __ratelimit(&attr->ratelimit_state)) {
printk(KERN_NOTICE "FAULT_INJECTION: forcing a failure.\n"
"name %pd, interval %lu, probability %lu, "
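Review bot: the early return in fail_dump() silences every fault-injection dump for the task while the flag is set, not only the one that printk()s under &port->lock, so should_fail() can fire at an unrelated site and leave no trace in the log, which makes failslab results harder to interpret. More fundamentally, the lockdep chain in the report is console_owner --> &port_lock_key --> &port->lock, caused by printk() being reached with &port->lock held; removing one printk() caller (fail_dump) removes this reproducer but not the dependency, so any other printk or WARN reached under &port->lock keeps the same deadlock. The commit message should say plainly that this is a fault-injection-only mitigation, not a fix of the lock ordering.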
--- y/drivers/tty/pty.c
+++ p/drivers/tty/pty.c
@@ -117,10 +117,17 @@ static int pty_write(struct tty_struct *
return 0;

if (c > 0) {
+#ifdef CONFIG_FAULT_INJECTION
+ current->fi_no_dump = 1;
+#endif
spin_lock_irqsave(&to->port->lock, flags);
/* Stuff the data into the input queue of the other end */
c = tty_insert_flip_string(to->port, buf, c);
spin_unlock_irqrestore(&to->port->lock, flags);
+
+#ifdef CONFIG_FAULT_INJECTION
+ current->fi_no_dump = 0;
+#endif
/* And shovel */
if (c)
tty_flip_buffer_push(to->port);
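Review bot: `current->fi_no_dump = 0` after the unlock clobbers whatever value the flag had on entry rather than restoring it, so a caller higher in the stack that had already set it gets it cleared early; save the previous value before the lock and restore it after. The two inline `#ifdef CONFIG_FAULT_INJECTION` blocks would also read better as a pair of small helpers in a fault-inject header that compile to nothing when the option is off, keeping the driver free of ifdefs. Note too that the kmalloc path in the report (tty_insert_flip_string -> __tty_buffer_request_room -> tty_buffer_alloc) is generic tty_buffer code; only the pty_write() caller is wrapped here, so other drivers inserting into a flip buffer under their port lock are not covered.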
--

syzbot

Jun 19, 2022, 5:46:14 AM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

[ 17.677808][ T2975] ================================================================================
[ 17.751683][ T2975] UBSAN: null-ptr-deref in ./include/linux/pagemap.h:1088:17
[ 17.763463][ T2975] member access within null pointer of type 'struct folio'
[ 17.777402][ T2975] CPU: 1 PID: 2975 Comm: udevd Not tainted 5.16.0-rc4-syzkaller-00161-gc741e49150db-dirty #0
[ 17.787589][ T2975] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 17.797942][ T2975] Call Trace:
[ 17.801236][ T2975] <TASK>
[ 17.804175][ T2975] dump_stack_lvl+0x1e3/0x2cb
[ 17.808898][ T2975] ? bfq_pos_tree_add_move+0x451/0x451
[ 17.814536][ T2975] ? panic+0x7e3/0x7e3
[ 17.818626][ T2975] ? mpage_readahead+0x6a0/0x6a0
[ 17.823578][ T2975] ubsan_type_mismatch_common+0x280/0x390
[ 17.829899][ T2975] __ubsan_handle_type_mismatch_v1+0x4a/0x60
[ 17.836081][ T2975] mpage_readahead+0x588/0x6a0
[ 17.840878][ T2975] ? dio_await_one+0x250/0x250
[ 17.845677][ T2975] ? blkdev_fallocate+0x330/0x330
[ 17.850847][ T2975] ? put_page+0x90/0x90
[ 17.855021][ T2975] ? __alloc_pages+0x2fd/0x5f0
[ 17.859813][ T2975] ? blk_start_plug_nr_ios+0xaa/0x210
[ 17.865212][ T2975] read_pages+0x162/0x520
[ 17.869658][ T2975] ? page_cache_ra_unbounded+0x840/0x840
[ 17.875316][ T2975] ? filemap_add_folio+0x1ab/0x220
[ 17.880461][ T2975] ? add_to_page_cache_locked+0x90/0x90
[ 17.886040][ T2975] ? folio_alloc+0x47/0x50
[ 17.890480][ T2975] ? filemap_alloc_folio+0x1a9/0x1c0
[ 17.895793][ T2975] page_cache_ra_unbounded+0x6c1/0x840
[ 17.901294][ T2975] ? read_cache_pages_invalidate_pages+0xa0/0xa0
[ 17.907660][ T2975] ? do_page_cache_ra+0xde/0x100
[ 17.912625][ T2975] force_page_cache_ra+0x288/0x2e0
[ 17.917802][ T2975] filemap_read+0x809/0x23d0
[ 17.922443][ T2975] ? find_get_pages_range_tag+0x570/0x570
[ 17.928182][ T2975] ? memset+0x1f/0x40
[ 17.932287][ T2975] ? generic_file_read_iter+0x9e/0x4a0
[ 17.937847][ T2975] ? memset+0x1f/0x40
[ 17.941845][ T2975] ? init_sync_kiocb+0x303/0x4b0
[ 17.946919][ T2975] vfs_read+0x5cd/0x760
[ 17.951205][ T2975] ? kernel_read+0x1f0/0x1f0
[ 17.955917][ T2975] ? __fget_light+0xcc/0x170
[ 17.963827][ T2975] ksys_read+0x19f/0x2d0
[ 17.968364][ T2975] ? vfs_write+0x720/0x720
[ 17.972798][ T2975] ? syscall_enter_from_user_mode+0x2e/0x1c0
[ 17.978800][ T2975] ? lockdep_hardirqs_on+0x95/0x140
[ 17.984015][ T2975] ? syscall_enter_from_user_mode+0x2e/0x1c0
[ 17.990020][ T2975] do_syscall_64+0x44/0xa0
[ 17.994540][ T2975] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 18.000620][ T2975] RIP: 0033:0x7f0caea3f8fe
[ 18.005044][ T2975] Code: c0 e9 e6 fe ff ff 50 48 8d 3d 0e c7 09 00 e8 c9 cf 01 00 66 0f 1f 84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28
[ 18.024669][ T2975] RSP: 002b:00007fffae3113b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 18.033187][ T2975] RAX: ffffffffffffffda RBX: 000000007fff0000 RCX: 00007f0caea3f8fe
[ 18.041256][ T2975] RDX: 0000000000000040 RSI: 000056006c2e6e18 RDI: 0000000000000009
[ 18.049238][ T2975] RBP: 0000000000000040 R08: 000056006c2e6df0 R09: 00007f0caeb0fa60
[ 18.057255][ T2975] R10: 0000000000000040 R11: 0000000000000246 R12: 000056006c2e6df0
[ 18.065331][ T2975] R13: 000056006c2e6e08 R14: 000056006c2df7f0 R15: 000056006c2df7a0
[ 18.073720][ T2975] </TASK>
[ 18.461046][ T2975] ================================================================================
[ 18.536749][ T2975] Kernel panic - not syncing: panic_on_warn set ...
[ 18.543407][ T2975] CPU: 1 PID: 2975 Comm: udevd Not tainted 5.16.0-rc4-syzkaller-00161-gc741e49150db-dirty #0
[ 18.554051][ T2975] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 18.564115][ T2975] Call Trace:
[ 18.567414][ T2975] <TASK>
[ 18.570355][ T2975] dump_stack_lvl+0x1e3/0x2cb
[ 18.575072][ T2975] ? bfq_pos_tree_add_move+0x451/0x451
[ 18.580648][ T2975] ? panic+0x7e3/0x7e3
[ 18.584755][ T2975] panic+0x2f1/0x7e3
[ 18.588776][ T2975] ? ubsan_type_mismatch_common+0x2a4/0x390
[ 18.594909][ T2975] ? fb_is_primary_device+0xcc/0xcc
[ 18.600137][ T2975] ? panic+0x7e3/0x7e3
[ 18.604237][ T2975] ? mpage_readahead+0x6a0/0x6a0
[ 18.609209][ T2975] ubsan_type_mismatch_common+0x38c/0x390
[ 18.615075][ T2975] __ubsan_handle_type_mismatch_v1+0x4a/0x60
[ 18.621078][ T2975] mpage_readahead+0x588/0x6a0
[ 18.625976][ T2975] ? dio_await_one+0x250/0x250
[ 18.630804][ T2975] ? blkdev_fallocate+0x330/0x330
[ 18.635852][ T2975] ? put_page+0x90/0x90
[ 18.640023][ T2975] ? __alloc_pages+0x2fd/0x5f0
[ 18.645245][ T2975] ? blk_start_plug_nr_ios+0xaa/0x210
[ 18.648343][ T2987] ================================================================================
[ 18.650637][ T2975] read_pages+0x162/0x520
[ 18.660328][ T2987] UBSAN: object-size-mismatch in net/unix/af_unix.c:977:14
[ 18.664635][ T2975] ? page_cache_ra_unbounded+0x840/0x840
[ 18.664666][ T2975] ? filemap_add_folio+0x1ab/0x220
[ 18.664688][ T2975] ? add_to_page_cache_locked+0x90/0x90
[ 18.664707][ T2975] ? folio_alloc+0x47/0x50
[ 18.672435][ T2987] member access within address ffff88802187eccc with insufficient space
[ 18.677546][ T2975] ? filemap_alloc_folio+0x1a9/0x1c0
[ 18.677578][ T2975] page_cache_ra_unbounded+0x6c1/0x840
[ 18.677613][ T2975] ? read_cache_pages_invalidate_pages+0xa0/0xa0
[ 18.682698][ T2987] for an object of type 'struct sockaddr_un'
[ 18.688235][ T2975] ? do_page_cache_ra+0xde/0x100
[ 18.688259][ T2975] force_page_cache_ra+0x288/0x2e0
[ 18.688281][ T2975] filemap_read+0x809/0x23d0
[ 18.739227][ T2975] ? find_get_pages_range_tag+0x570/0x570
[ 18.744946][ T2975] ? memset+0x1f/0x40
[ 18.748928][ T2975] ? generic_file_read_iter+0x9e/0x4a0
[ 18.754388][ T2975] ? memset+0x1f/0x40
[ 18.758368][ T2975] ? init_sync_kiocb+0x303/0x4b0
[ 18.763401][ T2975] vfs_read+0x5cd/0x760
[ 18.767635][ T2975] ? kernel_read+0x1f0/0x1f0
[ 18.772314][ T2975] ? __fget_light+0xcc/0x170
[ 18.776898][ T2975] ksys_read+0x19f/0x2d0
[ 18.781138][ T2975] ? vfs_write+0x720/0x720
[ 18.785977][ T2975] ? syscall_enter_from_user_mode+0x2e/0x1c0
[ 18.791948][ T2975] ? lockdep_hardirqs_on+0x95/0x140
[ 18.797309][ T2975] ? syscall_enter_from_user_mode+0x2e/0x1c0
[ 18.803366][ T2975] do_syscall_64+0x44/0xa0
[ 18.808050][ T2975] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 18.814121][ T2975] RIP: 0033:0x7f0caea3f8fe
[ 18.818562][ T2975] Code: c0 e9 e6 fe ff ff 50 48 8d 3d 0e c7 09 00 e8 c9 cf 01 00 66 0f 1f 84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28
[ 18.838256][ T2975] RSP: 002b:00007fffae3113b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 18.846694][ T2975] RAX: ffffffffffffffda RBX: 000000007fff0000 RCX: 00007f0caea3f8fe
[ 18.854746][ T2975] RDX: 0000000000000040 RSI: 000056006c2e6e18 RDI: 0000000000000009
[ 18.862707][ T2975] RBP: 0000000000000040 R08: 000056006c2e6df0 R09: 00007f0caeb0fa60
[ 18.870866][ T2975] R10: 0000000000000040 R11: 0000000000000246 R12: 000056006c2e6df0
[ 18.878953][ T2975] R13: 000056006c2e6e08 R14: 000056006c2df7f0 R15: 000056006c2df7a0
[ 18.886929][ T2975] </TASK>
[ 18.890138][ T2987] CPU: 0 PID: 2987 Comm: udevadm Not tainted 5.16.0-rc4-syzkaller-00161-gc741e49150db-dirty #0
[ 18.900576][ T2987] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 18.910642][ T2987] Call Trace:
[ 18.913918][ T2987] <TASK>
[ 18.917027][ T2987] dump_stack_lvl+0x1e3/0x2cb
[ 18.921732][ T2987] ? bfq_pos_tree_add_move+0x451/0x451
[ 18.927368][ T2987] ? panic+0x7e3/0x7e3
[ 18.931463][ T2987] ubsan_type_mismatch_common+0x1e6/0x390
[ 18.937297][ T2987] __ubsan_handle_type_mismatch_v1+0x4a/0x60
[ 18.943302][ T2987] unix_autobind+0x129/0x4d0
[ 18.947996][ T2987] ? tomoyo_socket_connect_permission+0x1dc/0x300
[ 18.954645][ T2987] unix_stream_connect+0x896/0x1010
[ 18.960057][ T2987] ? unix_bind+0x9a0/0x9a0
[ 18.964571][ T2987] ? bpf_lsm_socket_connect+0x5/0x10
[ 18.970033][ T2987] ? __sys_connect_file+0xbd/0x170
[ 18.975243][ T2987] ? __x64_sys_connect+0x148/0x1e0
[ 18.980464][ T2987] __x64_sys_connect+0x15b/0x1e0
[ 18.985402][ T2987] ? __sys_connect+0x170/0x170
[ 18.990272][ T2987] ? syscall_enter_from_user_mode+0x2e/0x1c0
[ 18.996341][ T2987] ? lockdep_hardirqs_on+0x95/0x140
[ 19.001536][ T2987] ? syscall_enter_from_user_mode+0x2e/0x1c0
[ 19.007520][ T2987] do_syscall_64+0x44/0xa0
[ 19.011934][ T2987] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 19.017822][ T2987] RIP: 0033:0x7f536a0dcd23
[ 19.022232][ T2987] Code: 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 b8 2a 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 55 c3 0f 1f 40 00 48 83 ec 18 89 54 24 0c 48
[ 19.042137][ T2987] RSP: 002b:00007ffeaf475368 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[ 19.050735][ T2987] RAX: ffffffffffffffda RBX: 0000560b72990930 RCX: 00007f536a0dcd23
[ 19.058955][ T2987] RDX: 0000000000000013 RSI: 0000560b72990948 RDI: 0000000000000003
[ 19.066935][ T2987] RBP: 000000000000001e R08: 000000000000001e R09: 0030312e322e332d
[ 19.074919][ T2987] R10: 00007ffeaf4754b4 R11: 0000000000000246 R12: 00007ffeaf475380
[ 19.083318][ T2987] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000007
[ 19.091592][ T2987] </TASK>
[ 19.094678][ T2975] Kernel Offset: disabled
[ 19.099196][ T2975] Rebooting in 86400 seconds..


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=11480d28080000


Tested on:

commit: c741e491 Merge tag 'for-linus' of git://git.kernel.org..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=308b87e56290f642
dashboard link: https://syzkaller.appspot.com/bug?extid=3cc1054e15babd5f4cd2
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=1630cfe8080000

Hillf Danton

Jun 19, 2022, 8:17:07 AM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Fri, 10 Dec 2021 12:24:27 -0800
v1, To fix the deadlock, set fault injection no dump for the current task with
port-lock held.
v2, add check for valid folio in readahead_page().
--- y/include/linux/pagemap.h
+++ p/include/linux/pagemap.h
@@ -1085,6 +1085,8 @@ static inline struct page *readahead_pag
{
struct folio *folio = __readahead_folio(ractl);

+ if (!folio)
+ return NULL;
return &folio->page;
}
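Review bot: the NULL check lands at the right spot for the report above (UBSAN null-ptr-deref at include/linux/pagemap.h:1088:17, reached from mpage_readahead() via read_pages()), but the hunk carries no changelog stating when __readahead_folio() returns NULL and why callers of readahead_page() rely on getting NULL back instead of a member address computed from a null folio; add that explanation and a Signed-off-by before this is considered for merging. Note also that the cover text describes a v1 fault-injection change for the port-lock deadlock that is not part of the diff shown here, and the test result that follows still panics, this time on the separate object-size-mismatch report at net/unix/af_unix.c:977:14, so this hunk on its own cannot clear the syzbot run.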

--

syzbot

Jun 19, 2022, 8:35:12 AM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

[ 10.802014][ T1] Simple TC action Loaded
[ 10.806041][ T1] netem: version 1.3
[ 10.807714][ T1] u32 classifier
[ 10.808804][ T1] Performance counters on
[ 10.810052][ T1] input device check on
[ 10.811533][ T1] Actions configured
[ 10.815988][ T1] nf_conntrack_irc: failed to register helpers
[ 10.817441][ T1] nf_conntrack_sane: failed to register helpers
[ 10.821557][ T1] nf_conntrack_sip: failed to register helpers
[ 10.828450][ T1] xt_time: kernel timezone is -0000
[ 10.830022][ T1] IPVS: Registered protocols (TCP, UDP, SCTP, AH, ESP)
[ 10.831890][ T1] IPVS: Connection hash table configured (size=4096, memory=64Kbytes)
[ 10.834704][ T1] IPVS: ipvs loaded.
[ 10.835491][ T1] IPVS: [rr] scheduler registered.
[ 10.836322][ T1] IPVS: [wrr] scheduler registered.
[ 10.837408][ T1] IPVS: [lc] scheduler registered.
[ 10.838559][ T1] IPVS: [wlc] scheduler registered.
[ 10.839491][ T1] IPVS: [fo] scheduler registered.
[ 10.840419][ T1] IPVS: [ovf] scheduler registered.
[ 10.841754][ T1] IPVS: [lblc] scheduler registered.
[ 10.842740][ T1] IPVS: [lblcr] scheduler registered.
[ 10.844313][ T1] IPVS: [dh] scheduler registered.
[ 10.845800][ T1] IPVS: [sh] scheduler registered.
[ 10.846728][ T1] IPVS: [mh] scheduler registered.
[ 10.847666][ T1] IPVS: [sed] scheduler registered.
[ 10.848884][ T1] IPVS: [nq] scheduler registered.
[ 10.850158][ T1] IPVS: [twos] scheduler registered.
[ 10.851507][ T1] IPVS: [sip] pe registered.
[ 10.852406][ T1] ipip: IPv4 and MPLS over IPv4 tunneling driver
[ 10.856743][ T1] gre: GRE over IPv4 demultiplexor driver
[ 10.858592][ T1] ip_gre: GRE over IPv4 tunneling driver
[ 10.867380][ T1] IPv4 over IPsec tunneling driver
[ 10.871527][ T1] ipt_CLUSTERIP: ClusterIP Version 0.8 loaded successfully
[ 10.875103][ T1] Initializing XFRM netlink socket
[ 10.876272][ T1] IPsec XFRM device driver
[ 10.879599][ T1] NET: Registered PF_INET6 protocol family
[ 10.895773][ T1] Segment Routing with IPv6
[ 10.896808][ T1] RPL Segment Routing with IPv6
[ 10.898085][ T1] In-situ OAM (IOAM) with IPv6
[ 10.899644][ T1] mip6: Mobile IPv6
[ 10.904459][ T1] sit: IPv6, IPv4 and MPLS over IPv4 tunneling driver
[ 10.913264][ T1] ip6_gre: GRE over IPv6 tunneling driver
[ 10.918162][ T1] NET: Registered PF_PACKET protocol family
[ 10.919995][ T1] NET: Registered PF_KEY protocol family
[ 10.921942][ T1] Bridge firewalling registered
[ 10.923841][ T1] NET: Registered PF_X25 protocol family
[ 10.925469][ T1] X25: Linux Version 0.2
[ 10.972954][ T1] NET: Registered PF_NETROM protocol family
[ 11.021612][ T1] NET: Registered PF_ROSE protocol family
[ 11.023444][ T1] NET: Registered PF_AX25 protocol family
[ 11.026495][ T1] can: controller area network core
[ 11.029127][ T1] NET: Registered PF_CAN protocol family
[ 11.030384][ T1] can: raw protocol
[ 11.031262][ T1] can: broadcast manager protocol
[ 11.032209][ T1] can: netlink gateway - max_hops=1
[ 11.033734][ T1] can: SAE J1939
[ 11.035093][ T1] can: isotp protocol
[ 11.036248][ T1] Bluetooth: RFCOMM TTY layer initialized
[ 11.037955][ T1] Bluetooth: RFCOMM socket layer initialized
[ 11.039643][ T1] Bluetooth: RFCOMM ver 1.11
[ 11.040831][ T1] Bluetooth: BNEP (Ethernet Emulation) ver 1.3
[ 11.041848][ T1] Bluetooth: BNEP filters: protocol multicast
[ 11.043280][ T1] Bluetooth: BNEP socket layer initialized
[ 11.045263][ T1] Bluetooth: CMTP (CAPI Emulation) ver 1.0
[ 11.046599][ T1] Bluetooth: CMTP socket layer initialized
[ 11.047621][ T1] Bluetooth: HIDP (Human Interface Emulation) ver 1.2
[ 11.049430][ T1] Bluetooth: HIDP socket layer initialized
[ 11.056271][ T1] NET: Registered PF_RXRPC protocol family
[ 11.057506][ T1] Key type rxrpc registered
[ 11.058461][ T1] Key type rxrpc_s registered
[ 11.061172][ T1] NET: Registered PF_KCM protocol family
[ 11.062624][ T1] lec:lane_module_init: lec.c: initialized
[ 11.063962][ T1] mpoa:atm_mpoa_init: mpc.c: initialized
[ 11.066032][ T1] l2tp_core: L2TP core driver, V2.0
[ 11.067399][ T1] l2tp_ppp: PPPoL2TP kernel driver, V2.0
[ 11.068261][ T1] l2tp_ip: L2TP IP encapsulation support (L2TPv3)
[ 11.070183][ T1] l2tp_netlink: L2TP netlink interface
[ 11.071402][ T1] l2tp_eth: L2TP ethernet pseudowire support (L2TPv3)
[ 11.072721][ T1] l2tp_ip6: L2TP IP encapsulation support for IPv6 (L2TPv3)
[ 11.075132][ T1] NET: Registered PF_PHONET protocol family
[ 11.077079][ T1] 8021q: 802.1Q VLAN Support v1.8
[ 11.088753][ T1] DCCP: Activated CCID 2 (TCP-like)
[ 11.090644][ T1] DCCP: Activated CCID 3 (TCP-Friendly Rate Control)
[ 11.094975][ T1] sctp: Hash tables configured (bind 32/56)
[ 11.098655][ T1] NET: Registered PF_RDS protocol family
[ 11.100754][ T1] Registered RDS/infiniband transport
[ 11.103576][ T1] Registered RDS/tcp transport
[ 11.104649][ T1] tipc: Activated (version 2.0.0)
[ 11.106531][ T1] NET: Registered PF_TIPC protocol family
[ 11.108185][ T1] tipc: Started in single node mode
[ 11.110008][ T1] NET: Registered PF_SMC protocol family
[ 11.111963][ T1] 9pnet: Installing 9P2000 support
[ 11.114190][ T1] NET: Registered PF_CAIF protocol family
[ 11.121488][ T1] NET: Registered PF_IEEE802154 protocol family
[ 11.123184][ T1] Key type dns_resolver registered
[ 11.124574][ T1] Key type ceph registered
[ 11.126408][ T1] libceph: loaded (mon/osd proto 15/24)
[ 11.130146][ T1] batman_adv: B.A.T.M.A.N. advanced 2021.3 (compatibility version 15) loaded
[ 11.131683][ T1] openvswitch: Open vSwitch switching datapath
[ 11.137487][ T1] NET: Registered PF_VSOCK protocol family
[ 11.138831][ T1] mpls_gso: MPLS GSO support
[ 11.148136][ T1] IPI shorthand broadcast: enabled
[ 11.149291][ T1] AVX2 version of gcm_enc/dec engaged.
[ 11.150798][ T1] AES CTR mode by8 optimization enabled
[ 11.155757][ T1] sched_clock: Marking stable (11128465327, 27129818)->(11161429034, -5833889)
[ 11.159736][ T1] registered taskstats version 1
[ 11.169377][ T1] Loading compiled-in X.509 certificates
[ 11.173978][ T1] Loaded X.509 cert 'Build time autogenerated kernel key: f850c787ad998c396ae089c083b940ff0a9abb77'
[ 11.179898][ T1] zswap: loaded using pool lzo/zbud
[ 11.183624][ T1] debug_vm_pgtable: [debug_vm_pgtable ]: Validating architecture page table helpers
[ 13.358140][ T1] Key type ._fscrypt registered
[ 13.360032][ T1] Key type .fscrypt registered
[ 13.361849][ T1] Key type fscrypt-provisioning registered
[ 13.371180][ T1] kAFS: Red Hat AFS client v0.1 registering.
[ 13.373825][ T1] FS-Cache: Netfs 'afs' registered for caching
[ 13.386734][ T1] Btrfs loaded, crc32c=crc32c-intel, assert=on, zoned=yes, fsverity=yes
[ 13.396616][ T1] Key type big_key registered
[ 13.405906][ T1] Key type encrypted registered
[ 13.411212][ T1] ima: No TPM chip found, activating TPM-bypass!
[ 13.417707][ T1] Loading compiled-in module X.509 certificates
[ 13.424860][ T1] Loaded X.509 cert 'Build time autogenerated kernel key: f850c787ad998c396ae089c083b940ff0a9abb77'
[ 13.436509][ T1] ima: Allocated hash algorithm: sha256
[ 13.442596][ T1] ima: No architecture policies found
[ 13.448375][ T1] evm: Initialising EVM extended attributes:
[ 13.454408][ T1] evm: security.selinux (disabled)
[ 13.459503][ T1] evm: security.SMACK64
[ 13.463910][ T1] evm: security.SMACK64EXEC
[ 13.468455][ T1] evm: security.SMACK64TRANSMUTE
[ 13.473460][ T1] evm: security.SMACK64MMAP
[ 13.477995][ T1] evm: security.apparmor (disabled)
[ 13.483185][ T1] evm: security.ima
[ 13.487216][ T1] evm: security.capability
[ 13.491723][ T1] evm: HMAC attrs: 0x1
[ 13.589003][ T1] PM: Magic number: 10:75:431
[ 13.599513][ T1] printk: console [netcon0] enabled
[ 13.605434][ T1] netconsole: network logging started
[ 13.611823][ T1] gtp: GTP module loaded (pdp ctx size 104 bytes)
[ 13.621725][ T1] rdma_rxe: loaded
[ 13.626413][ T1] cfg80211: Loading compiled-in X.509 certificates for regulatory database
[ 13.638663][ T1] cfg80211: Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7'
[ 13.648527][ T919] platform regulatory.0: Direct firmware load for regulatory.db failed with error -2
[ 13.656733][ T1] ALSA device list:
[ 13.658843][ T919] platform regulatory.0: Falling back to sysfs fallback for: regulatory.db
[ 13.662202][ T1] #0: Dummy 1
[ 13.674383][ T1] #1: Loopback 1
[ 13.678273][ T1] #2: Virtual MIDI Card 1
[ 13.686523][ T1] md: Waiting for all devices to be available before autodetect
[ 13.694420][ T1] md: If you don't use raid, use raid=noautodetect
[ 13.701108][ T1] md: Autodetecting RAID arrays.
[ 13.706435][ T1] md: autorun ...
[ 13.710407][ T1] md: ... autorun DONE.
[ 13.764392][ T1] EXT4-fs (sda1): mounted filesystem with ordered data mode. Opts: (null). Quota mode: none.
[ 13.776436][ T1] VFS: Mounted root (ext4 filesystem) readonly on device 8:1.
[ 13.809223][ T1] devtmpfs: mounted
[ 13.877590][ T1] Freeing unused kernel image (initmem) memory: 3820K
[ 13.884779][ T1] Write protecting the kernel read-only data: 169984k
[ 13.897551][ T1] Freeing unused kernel image (text/rodata gap) memory: 2012K
[ 13.909309][ T1] Freeing unused kernel image (rodata/data gap) memory: 1648K
[ 13.923952][ T1] Failed to set sysctl parameter 'max_rcu_stall_to_panic=1': parameter not found
[ 13.936282][ T1] Run /sbin/init as init process
[ 14.412276][ T2936] mount (2936) used greatest stack depth: 24032 bytes left
[ 14.443897][ T2937] EXT4-fs (sda1): re-mounted. Opts: (null). Quota mode: none.
mount: mounting selinuxfs on /sys/fs/selinux failed: No such file or directory
mount: mounting mqueue on /dev/mqueue failed: No such file or di[ 14.560305][ T2939] mount (2939) used greatest stack depth: 21664 bytes left
rectory
mount: mounting hugetlbfs on /dev/hugepages failed: No such file or directory
mount: mounting fuse.lxcfs on /var/lib/lxcfs failed: No such file or directory
Starting syslogd: OK
Starting acpid: OK
Starting klogd: OK
Running sysctl: [ 15.142288][ T2966] logger (2966) used greatest stack depth: 21264 bytes left
OK
Populating /dev using udev: [ 15.355331][ T2968] udevd[2968]: starting version 3.2.10
[ 15.518137][ T2969] udevd[2969]: starting eudev-3.2.10
[ 15.520485][ T2968] udevd (2968) used greatest stack depth: 20544 bytes left
[ 21.510608][ T3058] ================================================================================
[ 21.614370][ T3058] UBSAN: object-size-mismatch in net/unix/af_unix.c:977:14
[ 21.621715][ T3058] member access within address ffff8880152f2fcc with insufficient space
[ 21.721756][ T3058] for an object of type 'struct sockaddr_un'
[ 21.778735][ T3058] CPU: 0 PID: 3058 Comm: udevadm Not tainted 5.16.0-rc4-syzkaller-00161-gc741e49150db-dirty #0
[ 21.789827][ T3058] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 21.799915][ T3058] Call Trace:
[ 21.803217][ T3058] <TASK>
[ 21.806249][ T3058] dump_stack_lvl+0x1e3/0x2cb
[ 21.810967][ T3058] ? bfq_pos_tree_add_move+0x451/0x451
[ 21.817185][ T3058] ? panic+0x7e3/0x7e3
[ 21.821585][ T3058] ubsan_type_mismatch_common+0x1e6/0x390
[ 21.827540][ T3058] __ubsan_handle_type_mismatch_v1+0x4a/0x60
[ 21.833746][ T3058] unix_autobind+0x129/0x4d0
[ 21.838466][ T3058] ? tomoyo_socket_connect_permission+0x1dc/0x300
[ 21.845190][ T3058] unix_stream_connect+0x896/0x1010
[ 21.850428][ T3058] ? unix_bind+0x9a0/0x9a0
[ 21.854864][ T3058] ? bpf_lsm_socket_connect+0x5/0x10
[ 21.860278][ T3058] ? __sys_connect_file+0xbd/0x170
[ 21.865620][ T3058] ? __x64_sys_connect+0x148/0x1e0
[ 21.870845][ T3058] __x64_sys_connect+0x15b/0x1e0
[ 21.875813][ T3058] ? __sys_connect+0x170/0x170
[ 21.880697][ T3058] ? syscall_enter_from_user_mode+0x2e/0x1c0
[ 21.886700][ T3058] ? lockdep_hardirqs_on+0x95/0x140
[ 21.892033][ T3058] ? syscall_enter_from_user_mode+0x2e/0x1c0
[ 21.898132][ T3058] do_syscall_64+0x44/0xa0
[ 21.902678][ T3058] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 21.908660][ T3058] RIP: 0033:0x7f647d4e3d23
[ 21.913184][ T3058] Code: 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 b8 2a 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 55 c3 0f 1f 40 00 48 83 ec 18 89 54 24 0c 48
[ 21.932989][ T3058] RSP: 002b:00007ffd414990b8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[ 21.941845][ T3058] RAX: ffffffffffffffda RBX: 00005610bca2f930 RCX: 00007f647d4e3d23
[ 21.949954][ T3058] RDX: 0000000000000013 RSI: 00005610bca2f948 RDI: 0000000000000003
[ 21.958122][ T3058] RBP: 000000000000001e R08: 000000000000001e R09: 0030312e322e332d
[ 21.966217][ T3058] R10: 00007ffd41499204 R11: 0000000000000246 R12: 00007ffd414990d0
[ 21.974216][ T3058] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000007
[ 21.982245][ T3058] </TASK>
[ 22.431726][ T3058] ================================================================================
[ 22.584101][ T3058] Kernel panic - not syncing: panic_on_warn set ...
[ 22.591436][ T3058] CPU: 1 PID: 3058 Comm: udevadm Not tainted 5.16.0-rc4-syzkaller-00161-gc741e49150db-dirty #0
[ 22.602145][ T3058] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 22.612502][ T3058] Call Trace:
[ 22.615801][ T3058] <TASK>
[ 22.618827][ T3058] dump_stack_lvl+0x1e3/0x2cb
[ 22.623960][ T3058] ? bfq_pos_tree_add_move+0x451/0x451
[ 22.629581][ T3058] ? panic+0x7e3/0x7e3
[ 22.633808][ T3058] panic+0x2f1/0x7e3
[ 22.637988][ T3058] ? ubsan_type_mismatch_common+0x20a/0x390
[ 22.644259][ T3058] ? fb_is_primary_device+0xcc/0xcc
[ 22.649491][ T3058] ? panic+0x7e3/0x7e3
[ 22.653754][ T3058] ubsan_type_mismatch_common+0x38c/0x390
[ 22.659522][ T3058] __ubsan_handle_type_mismatch_v1+0x4a/0x60
[ 22.665536][ T3058] unix_autobind+0x129/0x4d0
[ 22.670153][ T3058] ? tomoyo_socket_connect_permission+0x1dc/0x300
[ 22.676725][ T3058] unix_stream_connect+0x896/0x1010
[ 22.682052][ T3058] ? unix_bind+0x9a0/0x9a0
[ 22.686493][ T3058] ? bpf_lsm_socket_connect+0x5/0x10
[ 22.691811][ T3058] ? __sys_connect_file+0xbd/0x170
[ 22.696954][ T3058] ? __x64_sys_connect+0x148/0x1e0
[ 22.702096][ T3058] __x64_sys_connect+0x15b/0x1e0
[ 22.707072][ T3058] ? __sys_connect+0x170/0x170
[ 22.712396][ T3058] ? syscall_enter_from_user_mode+0x2e/0x1c0
[ 22.718411][ T3058] ? lockdep_hardirqs_on+0x95/0x140
[ 22.723725][ T3058] ? syscall_enter_from_user_mode+0x2e/0x1c0
[ 22.730002][ T3058] do_syscall_64+0x44/0xa0
[ 22.734580][ T3058] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 22.740704][ T3058] RIP: 0033:0x7f647d4e3d23
[ 22.745145][ T3058] Code: 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 b8 2a 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 55 c3 0f 1f 40 00 48 83 ec 18 89 54 24 0c 48
[ 22.764784][ T3058] RSP: 002b:00007ffd414990b8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[ 22.773481][ T3058] RAX: ffffffffffffffda RBX: 00005610bca2f930 RCX: 00007f647d4e3d23
[ 22.781474][ T3058] RDX: 0000000000000013 RSI: 00005610bca2f948 RDI: 0000000000000003
[ 22.789466][ T3058] RBP: 000000000000001e R08: 000000000000001e R09: 0030312e322e332d
[ 22.797548][ T3058] R10: 00007ffd41499204 R11: 0000000000000246 R12: 00007ffd414990d0
[ 22.805626][ T3058] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000007
[ 22.813634][ T3058] </TASK>
[ 22.817049][ T3058] Kernel Offset: disabled
[ 22.821577][ T3058] Rebooting in 86400 seconds..


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=13ea0818080000
dashboard link: https://syzkaller.appspot.com/bug?extid=3cc1054e15babd5f4cd2
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=1472f954080000

Hillf Danton

Jun 19, 2022, 9:30:49 AM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Fri, 10 Dec 2021 12:24:27 -0800
v1, To fix the deadlock, set fault injection no dump for the current task with
port-lock held.
v2, add check for valid folio in readahead_page().
v3, add change to kzalloc size in unix_autobind().
--- y/net/unix/af_unix.c
+++ a/net/unix/af_unix.c
@@ -970,15 +970,15 @@ static int unix_autobind(struct socket *
goto out;

err = -ENOMEM;
- addr = kzalloc(sizeof(*addr) + sizeof(short) + 16, GFP_KERNEL);
+ addr = kzalloc(sizeof(*addr) + 16 + offsetof(struct sockaddr_un, sun_path), GFP_KERNEL);
if (!addr)
goto out;

+ addr->len = offsetof(struct sockaddr_un, sun_path) + 6;
addr->name->sun_family = AF_UNIX;
refcount_set(&addr->refcnt, 1);

retry:
- addr->len = sprintf(addr->name->sun_path+1, "%05x", ordernum) + 1 + sizeof(short);
addr->hash = unix_hash_fold(csum_partial(addr->name, addr->len, 0));
addr->hash ^= sk->sk_type;
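Review bot: two problems with this hunk. First, the kzalloc() size change is a no-op: offsetof(struct sockaddr_un, sun_path) is the width of the sa_family_t field, which is sizeof(short) on this ABI, so the allocation is still sizeof(*addr) + 18 bytes while the UBSAN object-size check at af_unix.c:977:14 wants a full sizeof(struct sockaddr_un) behind addr->name; the follow-up test result shows the identical report still firing. Either size the object to what the sanitizer expects or state in the changelog why the short allocation is intentional. Second, dropping `addr->len = sprintf(addr->name->sun_path+1, "%05x", ordernum) + 1 + sizeof(short);` removes the only write of the autobind name: sun_path stays all zero after kzalloc(), each pass through retry: hashes the same bytes with csum_partial(), and the new constant `addr->len = offsetof(struct sockaddr_un, sun_path) + 6;` describes a name that is never produced. Keep the sprintf() inside the retry loop (hoisting only the length assignment is fine, since the value is the same 8 bytes), otherwise autobind no longer produces distinct names.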

--

syzbot

Jun 19, 2022, 12:42:09 PM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

733894][ T1] nf_conntrack_irc: failed to register helpers
[ 9.735393][ T1] nf_conntrack_sane: failed to register helpers
[ 9.738647][ T1] nf_conntrack_sip: failed to register helpers
[ 9.744443][ T1] xt_time: kernel timezone is -0000
[ 9.746343][ T1] IPVS: Registered protocols (TCP, UDP, SCTP, AH, ESP)
[ 9.748347][ T1] IPVS: Connection hash table configured (size=4096, memory=64Kbytes)
[ 9.750263][ T1] IPVS: ipvs loaded.
[ 9.751181][ T1] IPVS: [rr] scheduler registered.
[ 9.752409][ T1] IPVS: [wrr] scheduler registered.
[ 9.753418][ T1] IPVS: [lc] scheduler registered.
[ 9.754260][ T1] IPVS: [wlc] scheduler registered.
[ 9.755407][ T1] IPVS: [fo] scheduler registered.
[ 9.756393][ T1] IPVS: [ovf] scheduler registered.
[ 9.758180][ T1] IPVS: [lblc] scheduler registered.
[ 9.759670][ T1] IPVS: [lblcr] scheduler registered.
[ 9.760978][ T1] IPVS: [dh] scheduler registered.
[ 9.762122][ T1] IPVS: [sh] scheduler registered.
[ 9.763108][ T1] IPVS: [mh] scheduler registered.
[ 9.764073][ T1] IPVS: [sed] scheduler registered.
[ 9.765581][ T1] IPVS: [nq] scheduler registered.
[ 9.766717][ T1] IPVS: [twos] scheduler registered.
[ 9.767890][ T1] IPVS: [sip] pe registered.
[ 9.769097][ T1] ipip: IPv4 and MPLS over IPv4 tunneling driver
[ 9.772940][ T1] gre: GRE over IPv4 demultiplexor driver
[ 9.775256][ T1] ip_gre: GRE over IPv4 tunneling driver
[ 9.783020][ T1] IPv4 over IPsec tunneling driver
[ 9.787176][ T1] ipt_CLUSTERIP: ClusterIP Version 0.8 loaded successfully
[ 9.789164][ T1] Initializing XFRM netlink socket
[ 9.790288][ T1] IPsec XFRM device driver
[ 9.793369][ T1] NET: Registered PF_INET6 protocol family
[ 9.806445][ T1] Segment Routing with IPv6
[ 9.807546][ T1] RPL Segment Routing with IPv6
[ 9.808892][ T1] In-situ OAM (IOAM) with IPv6
[ 9.810163][ T1] mip6: Mobile IPv6
[ 9.814261][ T1] sit: IPv6, IPv4 and MPLS over IPv4 tunneling driver
[ 9.823034][ T1] ip6_gre: GRE over IPv6 tunneling driver
[ 18.203068][ T3046] ================================================================================
[ 18.275244][ T3046] UBSAN: object-size-mismatch in net/unix/af_unix.c:978:14
[ 18.282483][ T3046] member access within address ffff888022443ccc with insufficient space
[ 18.402043][ T3046] for an object of type 'struct sockaddr_un'
[ 18.441637][ T3046] CPU: 0 PID: 3046 Comm: udevadm Not tainted 5.16.0-rc4-syzkaller-00161-gc741e49150db-dirty #0
[ 18.452006][ T3046] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 18.462097][ T3046] Call Trace:
[ 18.465396][ T3046] <TASK>
[ 18.468342][ T3046] dump_stack_lvl+0x1e3/0x2cb
[ 18.473067][ T3046] ? bfq_pos_tree_add_move+0x451/0x451
[ 18.478547][ T3046] ? panic+0x7e3/0x7e3
[ 18.482662][ T3046] ubsan_type_mismatch_common+0x1e6/0x390
[ 18.488404][ T3046] __ubsan_handle_type_mismatch_v1+0x4a/0x60
[ 18.494662][ T3046] unix_autobind+0x14f/0x4d0
[ 18.499274][ T3046] ? tomoyo_socket_connect_permission+0x1dc/0x300
[ 18.505713][ T3046] unix_stream_connect+0x896/0x1010
[ 18.511209][ T3046] ? unix_bind+0x9a0/0x9a0
[ 18.515642][ T3046] ? bpf_lsm_socket_connect+0x5/0x10
[ 18.520954][ T3046] ? __sys_connect_file+0xbd/0x170
[ 18.526083][ T3046] ? __x64_sys_connect+0x148/0x1e0
[ 18.531221][ T3046] __x64_sys_connect+0x15b/0x1e0
[ 18.536184][ T3046] ? __sys_connect+0x170/0x170
[ 18.540974][ T3046] ? syscall_enter_from_user_mode+0x2e/0x1c0
[ 18.546993][ T3046] ? lockdep_hardirqs_on+0x95/0x140
[ 18.552212][ T3046] ? syscall_enter_from_user_mode+0x2e/0x1c0
[ 18.558211][ T3046] do_syscall_64+0x44/0xa0
[ 18.562649][ T3046] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 18.568558][ T3046] RIP: 0033:0x7fa1d19a6d23
[ 18.572984][ T3046] Code: 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 b8 2a 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 55 c3 0f 1f 40 00 48 83 ec 18 89 54 24 0c 48
[ 18.592779][ T3046] RSP: 002b:00007ffe3ca5fba8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[ 18.601476][ T3046] RAX: ffffffffffffffda RBX: 0000559f3535a930 RCX: 00007fa1d19a6d23
[ 18.609893][ T3046] RDX: 0000000000000013 RSI: 0000559f3535a948 RDI: 0000000000000003
[ 18.618135][ T3046] RBP: 000000000000001e R08: 000000000000001e R09: 0030312e322e332d
[ 18.626560][ T3046] R10: 00007ffe3ca5fcf4 R11: 0000000000000246 R12: 00007ffe3ca5fbc0
[ 18.634896][ T3046] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000007
[ 18.642900][ T3046] </TASK>
[ 19.205668][ T3046] ================================================================================
[ 19.215846][ T3046] Kernel panic - not syncing: panic_on_warn set ...
[ 19.222533][ T3046] CPU: 0 PID: 3046 Comm: udevadm Not tainted 5.16.0-rc4-syzkaller-00161-gc741e49150db-dirty #0
[ 19.233304][ T3046] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 19.243368][ T3046] Call Trace:
[ 19.246699][ T3046] <TASK>
[ 19.249729][ T3046] dump_stack_lvl+0x1e3/0x2cb
[ 19.255049][ T3046] ? bfq_pos_tree_add_move+0x451/0x451
[ 19.260526][ T3046] ? panic+0x7e3/0x7e3
[ 19.264636][ T3046] panic+0x2f1/0x7e3
[ 19.268561][ T3046] ? ubsan_type_mismatch_common+0x20a/0x390
[ 19.274478][ T3046] ? fb_is_primary_device+0xcc/0xcc
[ 19.279697][ T3046] ? panic+0x7e3/0x7e3
[ 19.283805][ T3046] ubsan_type_mismatch_common+0x38c/0x390
[ 19.289548][ T3046] __ubsan_handle_type_mismatch_v1+0x4a/0x60
[ 19.295542][ T3046] unix_autobind+0x14f/0x4d0
[ 19.300151][ T3046] ? tomoyo_socket_connect_permission+0x1dc/0x300
[ 19.306789][ T3046] unix_stream_connect+0x896/0x1010
[ 19.312097][ T3046] ? unix_bind+0x9a0/0x9a0
[ 19.316616][ T3046] ? bpf_lsm_socket_connect+0x5/0x10
[ 19.322357][ T3046] ? __sys_connect_file+0xbd/0x170
[ 19.327486][ T3046] ? __x64_sys_connect+0x148/0x1e0
[ 19.332870][ T3046] __x64_sys_connect+0x15b/0x1e0
[ 19.338167][ T3046] ? __sys_connect+0x170/0x170
[ 19.343057][ T3046] ? syscall_enter_from_user_mode+0x2e/0x1c0
[ 19.349499][ T3046] ? lockdep_hardirqs_on+0x95/0x140
[ 19.354717][ T3046] ? syscall_enter_from_user_mode+0x2e/0x1c0
[ 19.360820][ T3046] do_syscall_64+0x44/0xa0
[ 19.365259][ T3046] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 19.371340][ T3046] RIP: 0033:0x7fa1d19a6d23
[ 19.375766][ T3046] Code: 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 b8 2a 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 55 c3 0f 1f 40 00 48 83 ec 18 89 54 24 0c 48
[ 19.396086][ T3046] RSP: 002b:00007ffe3ca5fba8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[ 19.404692][ T3046] RAX: ffffffffffffffda RBX: 0000559f3535a930 RCX: 00007fa1d19a6d23
[ 19.412688][ T3046] RDX: 0000000000000013 RSI: 0000559f3535a948 RDI: 0000000000000003
[ 19.420676][ T3046] RBP: 000000000000001e R08: 000000000000001e R09: 0030312e322e332d
[ 19.428658][ T3046] R10: 00007ffe3ca5fcf4 R11: 0000000000000246 R12: 00007ffe3ca5fbc0
[ 19.436730][ T3046] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000007
[ 19.444816][ T3046] </TASK>
[ 19.448180][ T3046] Kernel Offset: disabled
[ 19.452546][ T3046] Rebooting in 86400 seconds..


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=152f2d28080000
dashboard link: https://syzkaller.appspot.com/bug?extid=3cc1054e15babd5f4cd2
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=150bf2f8080000

Sergey Senozhatsky

Jun 20, 2022, 1:44:29 AM
to syzbot, ak...@linux-foundation.org, gli...@google.com, gre...@linuxfoundation.org, jiri...@kernel.org, john....@linutronix.de, linux-...@vger.kernel.org, npi...@gmail.com, pml...@suse.com, rdu...@infradead.org, ros...@goodmis.org, senoz...@chromium.org, swb...@chromium.org, syzkall...@googlegroups.com
On (22/06/18 20:47), syzbot wrote:
> syzbot suspects this issue was fixed by commit:
>
> commit faebd693c59387b7b765fab64b543855e15a91b4
> Author: John Ogness <john....@linutronix.de>
> Date: Thu Apr 21 21:22:36 2022 +0000
>
> printk: rename cpulock functions

I'd rather guess that it was the console kthread patch that fixed the problem.
And the problem here is slab fault injection, which triggers printk
under port->lock, which is a reverse locking chain: we usually do
printk, grab the console owner and then call into the console driver and take
the port->lock.

[ 302.408357][ T6160] isofs_fill_super: get root inode failed
[ 302.447591][ T6181] FAULT_INJECTION: forcing a failure.
[ 302.447591][ T6181] name failslab, interval 1, probability 0, space 0, times 0
[ 302.447761][ T6181]
[ 302.447764][ T6181] ======================================================
[ 302.447767][ T6181] WARNING: possible circular locking dependency detected
[ 302.447770][ T6181] 5.18.0-rc7-syzkaller-00048-gf993aed406ea #0 Not tainted
[ 302.447776][ T6181] ------------------------------------------------------
[ 302.447779][ T6181] syz-executor.5/6181 is trying to acquire lock:
[ 302.447784][ T6181] ffffffff8cb0f4a0 (console_owner){....}-{0:0}, at: console_lock_spinning_enable+0x2d/0x60
[ 302.447841][ T6181]
[ 302.447841][ T6181] but task is already holding lock:
[ 302.447843][ T6181] ffff88801b67f958 (&port->lock){-.-.}-{2:2}, at: pty_write+0xc5/0x170
[ 302.447874][ T6181]
[ 302.447874][ T6181] which lock already depends on the new lock.
[ 302.447874][ T6181]
[ 302.447877][ T6181]
[ 302.447877][ T6181] the existing dependency chain (in reverse order) is:
[ 302.447880][ T6181]
[ 302.447880][ T6181] -> #2 (&port->lock){-.-.}-{2:2}:
[ 302.447892][ T6181] lock_acquire+0x1a7/0x400
[ 302.447902][ T6181] _raw_spin_lock_irqsave+0xd1/0x120
[ 302.447911][ T6181] tty_port_default_wakeup+0x21/0x100
[ 302.447921][ T6181] serial8250_tx_chars+0x60e/0x810
[ 302.447962][ T6181] serial8250_handle_irq+0x32f/0x410
[ 302.447972][ T6181] serial8250_default_handle_irq+0xaf/0x190
[ 302.447980][ T6181] serial8250_interrupt+0xa3/0x1e0
[ 302.447990][ T6181] __handle_irq_event_percpu+0x200/0x620
[ 302.448001][ T6181] handle_irq_event+0x83/0x1e0
[ 302.448010][ T6181] handle_edge_irq+0x245/0xbe0
[ 302.448017][ T6181] __common_interrupt+0xce/0x1e0
[ 302.448056][ T6181] common_interrupt+0x9f/0xc0
[ 302.448065][ T6181] asm_common_interrupt+0x1e/0x40
[ 302.448074][ T6181] acpi_idle_enter+0x42d/0x790
[ 302.448112][ T6181] cpuidle_enter_state+0x517/0xed0
[ 302.448149][ T6181] cpuidle_enter+0x59/0x90
[ 302.448157][ T6181] do_idle+0x3d2/0x640
[ 302.448177][ T6181] cpu_startup_entry+0x15/0x20
[ 302.448186][ T6181] rest_init+0x24f/0x270
[ 302.448194][ T6181] start_kernel+0x0/0x56e
[ 302.448224][ T6181] start_kernel+0x4bf/0x56e
[ 302.448232][ T6181] secondary_startup_64_no_verify+0xc4/0xcb
[ 302.448247][ T6181]
[ 302.448247][ T6181] -> #1 (&port_lock_key){-.-.}-{2:2}:
[ 302.448262][ T6181] lock_acquire+0x1a7/0x400
[ 302.448275][ T6181] _raw_spin_lock_irqsave+0xd1/0x120
[ 302.448289][ T6181] serial8250_console_write+0x19c/0xf60
[ 302.448304][ T6181] console_unlock+0xa98/0x1150
[ 302.448319][ T6181] vprintk_emit+0xd1/0x1e0
[ 302.448334][ T6181] _printk+0xcf/0x10f
[ 302.448349][ T6181] register_console+0x6e2/0x9c0
[ 302.448362][ T6181] univ8250_console_init+0x41/0x43
[ 302.448390][ T6181] console_init+0x5d/0xa8
[ 302.448406][ T6181] start_kernel+0x328/0x56e
[ 302.448421][ T6181] secondary_startup_64_no_verify+0xc4/0xcb
[ 302.448440][ T6181]
[ 302.448440][ T6181] -> #0 (console_owner){....}-{0:0}:
[ 302.448462][ T6181] validate_chain+0x185c/0x65c0
[ 302.448479][ T6181] __lock_acquire+0x129a/0x1f80
[ 302.448492][ T6181] lock_acquire+0x1a7/0x400
[ 302.448500][ T6181] console_lock_spinning_enable+0x52/0x60
[ 302.448509][ T6181] console_unlock+0x7f4/0x1150
[ 302.448518][ T6181] vprintk_emit+0xd1/0x1e0
[ 302.448526][ T6181] _printk+0xcf/0x10f
[ 302.448534][ T6181] should_fail+0x366/0x4b0
[ 302.448544][ T6181] should_failslab+0x5/0x20
[ 302.448554][ T6181] __kmalloc+0x8b/0x370
[ 302.448562][ T6181] __tty_buffer_request_room+0x1f0/0x540
[ 302.448572][ T6181] tty_insert_flip_string_fixed_flag+0x91/0x2c0
[ 302.448582][ T6181] pty_write+0xe9/0x170
[ 302.448589][ T6181] n_tty_write+0x665/0x13b0
[ 302.448597][ T6181] file_tty_write+0x5a5/0x960
[ 302.448605][ T6181] vfs_write+0xa22/0xd40
[ 302.448613][ T6181] ksys_write+0x19b/0x2c0
[ 302.448620][ T6181] do_syscall_64+0x2b/0x70
[ 302.448628][ T6181] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 302.448637][ T6181]
[ 302.448637][ T6181] other info that might help us debug this:
[ 302.448637][ T6181]
[ 302.448640][ T6181] Chain exists of:
[ 302.448640][ T6181] console_owner --> &port_lock_key --> &port->lock
[ 302.448640][ T6181]
[ 302.448653][ T6181] Possible unsafe locking scenario:
[ 302.448653][ T6181]
[ 302.448655][ T6181]        CPU0                    CPU1
[ 302.448657][ T6181]        ----                    ----
[ 302.448659][ T6181]   lock(&port->lock);
[ 302.448664][ T6181]                                lock(&port_lock_key);
[ 302.448670][ T6181]                                lock(&port->lock);
[ 302.448675][ T6181]   lock(console_owner);
[ 302.448680][ T6181]
[ 302.448680][ T6181] *** DEADLOCK ***
[ 302.448680][ T6181]
[ 302.448682][ T6181] 6 locks held by syz-executor.5/6181:
[ 302.448687][ T6181] #0: ffff88804d6c2098 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x21/0x70
[ 302.448709][ T6181] #1: ffff88804d6c2130 (&tty->atomic_write_lock){+.+.}-{3:3}, at: file_tty_write+0x26e/0x960
[ 302.448731][ T6181] #2: ffff88804d6c22e8 (&tty->termios_rwsem){++++}-{3:3}, at: n_tty_write+0x244/0x13b0
[ 302.448752][ T6181] #3: ffffc90010d81378 (&ldata->output_lock){+.+.}-{3:3}, at: n_tty_write+0x61a/0x13b0
[ 302.448774][ T6181] #4: ffff88801b67f958 (&port->lock){-.-.}-{2:2}, at: pty_write+0xc5/0x170
[ 302.448793][ T6181] #5: ffffffff8c9f71a0 (console_lock){+.+.}-{0:0}, at: vprintk_emit+0xb8/0x1e0
[ 302.448813][ T6181]
[ 302.448813][ T6181] stack backtrace:
[ 302.448817][ T6181] CPU: 0 PID: 6181 Comm: syz-executor.5 Not tainted 5.18.0-rc7-syzkaller-00048-gf993aed406ea #0
[ 302.448827][ T6181] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 302.448832][ T6181] Call Trace:
[ 302.448836][ T6181] <TASK>
[ 302.448840][ T6181] dump_stack_lvl+0x1e3/0x2cb
[ 302.448853][ T6181] ? bfq_pos_tree_add_move+0x436/0x436
[ 302.448866][ T6181] ? print_circular_bug+0x13e/0x1c0
[ 302.448876][ T6181] check_noncircular+0x2f7/0x3b0
[ 302.448887][ T6181] ? add_chain_block+0x850/0x850
[ 302.448897][ T6181] ? lockdep_lock+0x11d/0x2a0
[ 302.448910][ T6181] validate_chain+0x185c/0x65c0
[ 302.448924][ T6181] ? vsnprintf+0x1ce0/0x1ce0
[ 302.448934][ T6181] ? reacquire_held_locks+0x680/0x680
[ 302.448943][ T6181] ? memset+0x1f/0x40
[ 302.448980][ T6181] ? vsnprintf+0x1fa/0x1ce0
[ 302.448990][ T6181] ? memcpy+0x3c/0x60
[ 302.448999][ T6181] ? vsnprintf+0x1c02/0x1ce0
[ 302.449009][ T6181] ? reacquire_held_locks+0x680/0x680
[ 302.449030][ T6181] ? sprintf+0xd6/0x120
[ 302.449040][ T6181] ? _prb_read_valid+0xbb9/0xbd0
[ 302.449051][ T6181] ? mark_lock+0x98/0x350
[ 302.449061][ T6181] __lock_acquire+0x129a/0x1f80
[ 302.449081][ T6181] lock_acquire+0x1a7/0x400
[ 302.449094][ T6181] ? console_lock_spinning_enable+0x2d/0x60
[ 302.449113][ T6181] ? read_lock_is_recursive+0x10/0x10
[ 302.449130][ T6181] ? console_lock_spinning_enable+0x2d/0x60
[ 302.449147][ T6181] ? __lock_acquire+0x1f80/0x1f80
[ 302.449162][ T6181] ? do_raw_spin_lock+0x148/0x360
[ 302.449183][ T6181] ? _raw_spin_unlock+0x40/0x40
[ 302.449200][ T6181] console_lock_spinning_enable+0x52/0x60
[ 302.449217][ T6181] ? console_lock_spinning_enable+0x2d/0x60
[ 302.449238][ T6181] console_unlock+0x7f4/0x1150
[ 302.449257][ T6181] ? vprintk_emit+0xb8/0x1e0
[ 302.449273][ T6181] ? console_trylock_spinning+0x450/0x450
[ 302.449288][ T6181] ? vprintk_emit+0xb8/0x1e0
[ 302.449297][ T6181] ? console_trylock+0x70/0x70
[ 302.449305][ T6181] ? register_lock_class+0xfe/0x9d0
[ 302.449315][ T6181] ? reacquire_held_locks+0x680/0x680
[ 302.449326][ T6181] ? register_lock_class+0xfe/0x9d0
[ 302.449336][ T6181] ? is_dynamic_key+0x1f0/0x1f0
[ 302.449345][ T6181] vprintk_emit+0xd1/0x1e0
[ 302.449355][ T6181] _printk+0xcf/0x10f
[ 302.449365][ T6181] ? panic+0x76e/0x76e
[ 302.449382][ T6181] should_fail+0x366/0x4b0
[ 302.449401][ T6181] ? __tty_buffer_request_room+0x1f0/0x540
[ 302.449427][ T6181] should_failslab+0x5/0x20
[ 302.449446][ T6181] __kmalloc+0x8b/0x370
[ 302.449465][ T6181] __tty_buffer_request_room+0x1f0/0x540
[ 302.449478][ T6181] tty_insert_flip_string_fixed_flag+0x91/0x2c0
[ 302.449491][ T6181] ? _raw_spin_unlock_irqrestore+0xd9/0x130
[ 302.449507][ T6181] ? _raw_spin_unlock+0x40/0x40
[ 302.449524][ T6181] pty_write+0xe9/0x170
[ 302.449540][ T6181] n_tty_write+0x665/0x13b0
[ 302.449559][ T6181] ? _copy_from_iter+0x429/0xec0
[ 302.449584][ T6181] ? n_tty_read+0x1c90/0x1c90
[ 302.449599][ T6181] ? wait_woken+0x1b0/0x1b0
[ 302.449621][ T6181] ? check_heap_object+0x13c/0x310
[ 302.449633][ T6181] ? 0xffffffff81000000
[ 302.449639][ T6181] ? __check_object_size+0x15a/0x210
[ 302.449650][ T6181] file_tty_write+0x5a5/0x960
[ 302.449660][ T6181] ? n_tty_read+0x1c90/0x1c90
[ 302.449671][ T6181] vfs_write+0xa22/0xd40
[ 302.449679][ T6181] ? __lock_acquire+0x1f80/0x1f80
[ 302.449689][ T6181] ? file_end_write+0x230/0x230
[ 302.449700][ T6181] ? __fget_files+0x3d0/0x440
[ 302.449710][ T6181] ? __fdget_pos+0x1d7/0x2e0
[ 302.449718][ T6181] ? ksys_write+0x77/0x2c0
[ 302.449727][ T6181] ksys_write+0x19b/0x2c0
[ 302.449736][ T6181] ? print_irqtrace_events+0x220/0x220
[ 302.449745][ T6181] ? __ia32_sys_read+0x80/0x80
[ 302.449754][ T6181] ? syscall_enter_from_user_mode+0x2e/0x1a0
[ 302.449765][ T6181] ? syscall_enter_from_user_mode+0x2e/0x1a0
[ 302.449775][ T6181] do_syscall_64+0x2b/0x70
[ 302.449783][ T6181] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 302.449793][ T6181] RIP: 0033:0x7f2630c890e9
[ 302.449801][ T6181] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 302.449809][ T6181] RSP: 002b:00007f2631df9168 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 302.449819][ T6181] RAX: ffffffffffffffda RBX: 00007f2630d9bf60 RCX: 00007f2630c890e9
[ 302.449827][ T6181] RDX: 000000000000ff2e RSI: 00000000200000c0 RDI: 0000000000000004
[ 302.449833][ T6181] RBP: 00007f2631df91d0 R08: 0000000000000000 R09: 0000000000000000
[ 302.449839][ T6181] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 302.449845][ T6181] R13: 00007ffe692c072f R14: 00007f2631df9300 R15: 0000000000022000
[ 302.449856][ T6181] </TASK>
[ 303.425580][ T6181] CPU: 0 PID: 6181 Comm: syz-executor.5 Not tainted 5.18.0-rc7-syzkaller-00048-gf993aed406ea #0
[ 303.435966][ T6181] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 303.445999][ T6181] Call Trace:
[ 303.449261][ T6181] <TASK>
[ 303.452173][ T6181] dump_stack_lvl+0x1e3/0x2cb
[ 303.456838][ T6181] ? bfq_pos_tree_add_move+0x436/0x436
[ 303.462275][ T6181] ? panic+0x76e/0x76e
[ 303.466333][ T6181] should_fail+0x384/0x4b0
[ 303.470756][ T6181] ? __tty_buffer_request_room+0x1f0/0x540
[ 303.476557][ T6181] should_failslab+0x5/0x20
[ 303.481042][ T6181] __kmalloc+0x8b/0x370
[ 303.485179][ T6181] __tty_buffer_request_room+0x1f0/0x540
[ 303.490801][ T6181] tty_insert_flip_string_fixed_flag+0x91/0x2c0
[ 303.497028][ T6181] ? _raw_spin_unlock_irqrestore+0xd9/0x130
[ 303.502902][ T6181] ? _raw_spin_unlock+0x40/0x40
[ 303.507731][ T6181] pty_write+0xe9/0x170
[ 303.511866][ T6181] n_tty_write+0x665/0x13b0
[ 303.516353][ T6181] ? _copy_from_iter+0x429/0xec0
[ 303.521277][ T6181] ? n_tty_read+0x1c90/0x1c90
[ 303.525944][ T6181] ? wait_woken+0x1b0/0x1b0
[ 303.530439][ T6181] ? check_heap_object+0x13c/0x310
[ 303.535546][ T6181] ? 0xffffffff81000000
[ 303.539687][ T6181] ? __check_object_size+0x15a/0x210
[ 303.544962][ T6181] file_tty_write+0x5a5/0x960
[ 303.549632][ T6181] ? n_tty_read+0x1c90/0x1c90
[ 303.554294][ T6181] vfs_write+0xa22/0xd40
[ 303.558519][ T6181] ? __lock_acquire+0x1f80/0x1f80
[ 303.563524][ T6181] ? file_end_write+0x230/0x230
[ 303.568357][ T6181] ? __fget_files+0x3d0/0x440
[ 303.573016][ T6181] ? __fdget_pos+0x1d7/0x2e0
[ 303.577588][ T6181] ? ksys_write+0x77/0x2c0
[ 303.581995][ T6181] ksys_write+0x19b/0x2c0
[ 303.586311][ T6181] ? print_irqtrace_events+0x220/0x220
[ 303.591763][ T6181] ? __ia32_sys_read+0x80/0x80
[ 303.596506][ T6181] ? syscall_enter_from_user_mode+0x2e/0x1a0
[ 303.602470][ T6181] ? syscall_enter_from_user_mode+0x2e/0x1a0
[ 303.608438][ T6181] do_syscall_64+0x2b/0x70
[ 303.612834][ T6181] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 303.618709][ T6181] RIP: 0033:0x7f2630c890e9
[ 303.623108][ T6181] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 303.642692][ T6181] RSP: 002b:00007f2631df9168 EFLAGS: 00000246 ORIG_RAX: 0000000000000001

Dmitry Vyukov

Jun 20, 2022, 4:16:53 AM
to Sergey Senozhatsky, syzbot, ak...@linux-foundation.org, gli...@google.com, gre...@linuxfoundation.org, jiri...@kernel.org, john....@linutronix.de, linux-...@vger.kernel.org, npi...@gmail.com, pml...@suse.com, rdu...@infradead.org, ros...@goodmis.org, swb...@chromium.org, syzkall...@googlegroups.com
On Mon, 20 Jun 2022 at 07:44, Sergey Senozhatsky
<senoz...@chromium.org> wrote:
>
> On (22/06/18 20:47), syzbot wrote:
> > syzbot suspects this issue was fixed by commit:
> >
> > commit faebd693c59387b7b765fab64b543855e15a91b4
> > Author: John Ogness <john....@linutronix.de>
> > Date: Thu Apr 21 21:22:36 2022 +0000
> >
> > printk: rename cpulock functions
>
> I'd rather guess that it was console kthread patch that fixed the problem.

Hi Sergey,

Do you mean this commit:

author: John Ogness 2022-04-21 23:28:48 +0206
printk: add kthread console printers

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=09c5ba0aa2fcfdadb17d045c3ee6f86d69270df7

?

Sergey Senozhatsky

Jun 20, 2022, 5:24:23 AM
to Dmitry Vyukov, Sergey Senozhatsky, syzbot, ak...@linux-foundation.org, gli...@google.com, gre...@linuxfoundation.org, jiri...@kernel.org, john....@linutronix.de, linux-...@vger.kernel.org, npi...@gmail.com, pml...@suse.com, rdu...@infradead.org, ros...@goodmis.org, swb...@chromium.org, syzkall...@googlegroups.com
On (22/06/20 10:16), Dmitry Vyukov wrote:
> On Mon, 20 Jun 2022 at 07:44, Sergey Senozhatsky
> <senoz...@chromium.org> wrote:
> >
> > On (22/06/18 20:47), syzbot wrote:
> > > syzbot suspects this issue was fixed by commit:
> > >
> > > commit faebd693c59387b7b765fab64b543855e15a91b4
> > > Author: John Ogness <john....@linutronix.de>
> > > Date: Thu Apr 21 21:22:36 2022 +0000
> > >
> > > printk: rename cpulock functions
> >
> > I'd rather guess that it was console kthread patch that fixed the problem.
>
> Hi Sergey,
>
> Do you mean this commit:
>
> author: John Ogness 2022-04-21 23:28:48 +0206
> printk: add kthread console printers
>
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=09c5ba0aa2fcfdadb17d045c3ee6f86d69270df7

Yes, I'd assume so. The patch removes

tty -> printk -> tty

which re-enters tty in an unsafe manner, and replaces it with

tty -> printk -> wake_up console printer
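
Added example, not code from this thread or from the kernel: a small lockdep-style lock-order checker in C that replays the three dependency chains from the splat quoted above (console_owner -> &port_lock_key -> &port->lock) and shows why a printk that drives the console directly from under &port->lock closes the cycle, while a printk that only wakes a console printer kthread (the behaviour Sergey describes) records no such edge. The lock names and acquisition order come from the report; the graph, lock_acquire() and replay_chains() are a constructed model, not lockdep itself.

```c
/* Constructed model of lockdep's circular-dependency check, replaying the
 * chains from the "possible circular locking dependency" report above. */
#include <stdio.h>
#include <string.h>

/* Lock classes, named as in the report. */
enum { CONSOLE_OWNER, PORT_LOCK_KEY, PORT_LOCK, NUM_LOCKS };
static const char *lock_name[NUM_LOCKS] = {
    "console_owner", "&port_lock_key", "&port->lock" };

/* dep[a][b] != 0 records that lock b was acquired while lock a was held. */
struct lockdep_graph {
    unsigned char dep[NUM_LOCKS][NUM_LOCKS];
};

/* Depth-first search: can 'from' reach 'target' through recorded edges? */
static int reaches(const struct lockdep_graph *g, int from, int target,
                   unsigned char *seen)
{
    if (from == target)
        return 1;
    seen[from] = 1;
    for (int next = 0; next < NUM_LOCKS; next++)
        if (g->dep[from][next] && !seen[next] &&
            reaches(g, next, target, seen))
            return 1;
    return 0;
}

/* Record that 'newlock' is taken while held[0..nheld) are held.  Returns 1
 * (and prints the offending pair) if newlock already, transitively, depends
 * on one of the held locks, i.e. the new edge would close a cycle. */
static int lock_acquire(struct lockdep_graph *g, const int *held, int nheld,
                        int newlock)
{
    int circular = 0;
    for (int i = 0; i < nheld; i++) {
        unsigned char seen[NUM_LOCKS] = {0};
        if (reaches(g, newlock, held[i], seen)) {
            printf("circular dependency: %s already depends on %s\n",
                   lock_name[newlock], lock_name[held[i]]);
            circular = 1;
        }
        g->dep[held[i]][newlock] = 1;
    }
    return circular;
}

/* Replay the report's three chains.  'printk_reenters_console' selects
 * whether a printk issued under &port->lock drives the console directly
 * (takes console_owner) or only wakes a printer kthread (no console_owner
 * acquisition in that context).  Returns 1 if a cycle was detected. */
int replay_chains(int printk_reenters_console)
{
    struct lockdep_graph g;
    int circular = 0;
    memset(&g, 0, sizeof(g));

    /* #1: console_unlock -> serial8250_console_write takes the uart port
     *     lock (&port_lock_key) while console_owner is held. */
    int held1[] = { CONSOLE_OWNER };
    circular |= lock_acquire(&g, held1, 1, PORT_LOCK_KEY);

    /* #2: the 8250 irq handler holds the uart port lock and wakes the tty
     *     port (tty_port_default_wakeup), taking &port->lock. */
    int held2[] = { PORT_LOCK_KEY };
    circular |= lock_acquire(&g, held2, 1, PORT_LOCK);

    /* #0: pty_write holds &port->lock; a failslab-injected printk runs
     *     under it.  Only the direct-printing path takes console_owner. */
    int held0[] = { PORT_LOCK };
    if (printk_reenters_console)
        circular |= lock_acquire(&g, held0, 1, CONSOLE_OWNER);

    return circular;
}

int main(void)
{
    printf("direct console printing:  %s\n",
           replay_chains(1) ? "DEADLOCK possible" : "ok");
    printf("kthread console printers: %s\n",
           replay_chains(0) ? "DEADLOCK possible" : "ok");
    return 0;
}
```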

Hillf Danton

Jun 20, 2022, 6:47:41 AM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Fri, 10 Dec 2021 12:24:27 -0800
+ addr = kzalloc(sizeof(*addr) + sizeof(struct sockaddr_un), GFP_KERNEL);
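Review bot: the hunk is a single `+` line with no `-` line and no context, so the review cannot see which allocation it replaces or how the rest of unix_autobind uses addr afterwards; please send the full hunk with its surrounding lines. As posted, growing the allocation to `sizeof(*addr) + sizeof(struct sockaddr_un)` satisfies the UBSAN object-size-mismatch check at net/unix/af_unix.c:978 by always allocating room for a whole struct sockaddr_un rather than by bounding the access, and syzbot's test result below shows the same UBSAN class firing at a different site (wg_xmit via __skb_queue_before), which this line does not touch.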

syzbot

Jun 20, 2022, 7:10:11 AM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
UBSAN: object-size-mismatch in wg_xmit

IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
================================================================================
UBSAN: object-size-mismatch in ./include/linux/skbuff.h:2085:28
member access within address ffffc9000278f420 with insufficient space
for an object of type 'struct sk_buff'
CPU: 1 PID: 3626 Comm: kworker/1:6 Not tainted 5.16.0-rc4-syzkaller-00161-gc741e49150db-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: ipv6_addrconf addrconf_dad_work
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
ubsan_epilogue lib/ubsan.c:151 [inline]
handle_object_size_mismatch lib/ubsan.c:232 [inline]
ubsan_type_mismatch_common+0x1e6/0x390 lib/ubsan.c:245
__ubsan_handle_type_mismatch_v1+0x4a/0x60 lib/ubsan.c:274
__skb_queue_before include/linux/skbuff.h:2085 [inline]
__skb_queue_tail include/linux/skbuff.h:2118 [inline]
wg_xmit+0x565/0xda0 drivers/net/wireguard/device.c:185
__netdev_start_xmit include/linux/netdevice.h:4994 [inline]
netdev_start_xmit+0x7b/0x140 include/linux/netdevice.h:5008
xmit_one net/core/dev.c:3590 [inline]
dev_hard_start_xmit+0x182/0x2e0 net/core/dev.c:3606
__dev_queue_xmit+0x158e/0x2540 net/core/dev.c:4229
neigh_output include/net/neighbour.h:527 [inline]
ip6_finish_output2+0xf45/0x1300 net/ipv6/ip6_output.c:126
dst_output include/net/dst.h:450 [inline]
NF_HOOK include/linux/netfilter.h:307 [inline]
ndisc_send_skb+0x8c3/0xdd0 net/ipv6/ndisc.c:508
addrconf_dad_completed+0x543/0xa70 net/ipv6/addrconf.c:4216
addrconf_dad_work+0xbd8/0x1450
process_one_work+0x4ea/0x920 kernel/workqueue.c:2298
worker_thread+0x686/0x9e0 kernel/workqueue.c:2445
kthread+0x35c/0x430 kernel/kthread.c:327
ret_from_fork+0x1f/0x30
</TASK>
================================================================================


Tested on:

commit: c741e491 Merge tag 'for-linus' of git://git.kernel.org..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=11102217f00000
kernel config: https://syzkaller.appspot.com/x/.config?x=308b87e56290f642
dashboard link: https://syzkaller.appspot.com/bug?extid=3cc1054e15babd5f4cd2
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=1117be40080000

Dmitry Vyukov

Jun 20, 2022, 7:28:29 AM
to Sergey Senozhatsky, syzbot, ak...@linux-foundation.org, gli...@google.com, gre...@linuxfoundation.org, jiri...@kernel.org, john....@linutronix.de, linux-...@vger.kernel.org, npi...@gmail.com, pml...@suse.com, rdu...@infradead.org, ros...@goodmis.org, swb...@chromium.org, syzkall...@googlegroups.com
On Mon, 20 Jun 2022 at 11:24, Sergey Senozhatsky
Thanks. Let's tell syzbot so that it reports similar issues in future:

#syz fix: printk: add kthread console printers