[syzbot] [afs?] BUG: sleeping function called from invalid context in __alloc_frozen_pages_noprof


syzbot

Mar 27, 2025, 12:26:44 PM
to dhow...@redhat.com, linu...@lists.infradead.org, linux-...@vger.kernel.org, marc....@auristor.com, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 2df0c02dab82 x86 boot build: make git ignore stale 'tools'..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=15bcc198580000
kernel config: https://syzkaller.appspot.com/x/.config?x=5f1762820c18874b
dashboard link: https://syzkaller.appspot.com/bug?extid=3b6c5c6a1d0119b687a1
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=114ffc4c580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1580a804580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/7fe089500003/disk-2df0c02d.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/d8df5abbd7c5/vmlinux-2df0c02d.xz
kernel image: https://storage.googleapis.com/syzbot-assets/09d23e93d3a8/bzImage-2df0c02d.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/70d29040b480/mount_0.gz
fsck result: failed (log: https://syzkaller.appspot.com/x/fsck.log?x=1180a804580000)

The issue was bisected to:

commit 1d0b929fc070b4115403a0a6206a0c6a62dd61f5
Author: David Howells <dhow...@redhat.com>
Date: Mon Feb 24 09:52:58 2025 +0000

afs: Change dynroot to create contents on demand

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1207ade4580000
final oops: https://syzkaller.appspot.com/x/report.txt?x=1107ade4580000
console output: https://syzkaller.appspot.com/x/log.txt?x=1607ade4580000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3b6c5c...@syzkaller.appspotmail.com
Fixes: 1d0b929fc070 ("afs: Change dynroot to create contents on demand")

BUG: sleeping function called from invalid context at ./include/linux/sched/mm.h:321
in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 5828, name: syz-executor995
preempt_count: 0, expected: 0
RCU nest depth: 1, expected: 0
4 locks held by syz-executor995/5828:
#0: ffff8880332ef0b8 (&f->f_pos_lock){+.+.}-{4:4}, at: fdget_pos+0x247/0x310 fs/file.c:1213
#1: ffff888053d08148 (&type->i_mutex_dir_key#7){.+.+}-{4:4}, at: iterate_dir+0x4a6/0x760 fs/readdir.c:101
#2: ffffffff8eb3a760 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
#2: ffffffff8eb3a760 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]
#2: ffffffff8eb3a760 (rcu_read_lock){....}-{1:3}, at: afs_dynroot_readdir+0x466/0xbe0 fs/afs/dynroot.c:351
#3: ffff88806d7fed20 (&mm->mmap_lock){++++}-{4:4}, at: mmap_read_trylock include/linux/mmap_lock.h:209 [inline]
#3: ffff88806d7fed20 (&mm->mmap_lock){++++}-{4:4}, at: get_mmap_lock_carefully mm/memory.c:6237 [inline]
#3: ffff88806d7fed20 (&mm->mmap_lock){++++}-{4:4}, at: lock_mm_and_find_vma+0x32/0x2f0 mm/memory.c:6297
CPU: 1 UID: 0 PID: 5828 Comm: syz-executor995 Not tainted 6.14.0-syzkaller-01103-g2df0c02dab82 #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
__might_resched+0x558/0x6c0 kernel/sched/core.c:8798
might_alloc include/linux/sched/mm.h:321 [inline]
prepare_alloc_pages+0x1cc/0x5c0 mm/page_alloc.c:4513
__alloc_frozen_pages_noprof+0x181/0x7b0 mm/page_alloc.c:4729
alloc_pages_mpol+0x339/0x690 mm/mempolicy.c:2301
folio_alloc_mpol_noprof mm/mempolicy.c:2320 [inline]
vma_alloc_folio_noprof+0x12d/0x260 mm/mempolicy.c:2355
folio_prealloc+0x2e/0x170
alloc_anon_folio mm/memory.c:4834 [inline]
do_anonymous_page mm/memory.c:4891 [inline]
do_pte_missing mm/memory.c:4057 [inline]
handle_pte_fault mm/memory.c:5888 [inline]
__handle_mm_fault+0x32e8/0x6ef0 mm/memory.c:6031
handle_mm_fault+0x2c1/0x7e0 mm/memory.c:6200
do_user_addr_fault arch/x86/mm/fault.c:1388 [inline]
handle_page_fault arch/x86/mm/fault.c:1480 [inline]
exc_page_fault+0x2bb/0x8b0 arch/x86/mm/fault.c:1538
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
RIP: 0010:filldir+0x2c4/0x6a0 fs/readdir.c:292
Code: 87 55 02 00 00 0f 01 cb 0f ae e8 48 8b 44 24 30 49 89 46 08 48 8b 4c 24 10 48 8b 44 24 60 48 89 01 48 8b 44 24 18 8b 6c 24 3c <66> 89 41 10 48 98 40 88 6c 01 ff 48 89 44 24 30 4d 63 f5 42 c6 44
RSP: 0018:ffffc90003a37be0 EFLAGS: 00050283
RAX: 0000000000000020 RBX: 0000200000002010 RCX: 0000200000001ff0
RDX: 0000000000000000 RSI: 0000200000001fd8 RDI: 0000200000002010
RBP: 0000000000000004 R08: ffffffff8240768d R09: 1ffff1100a7fa780
R10: dffffc0000000000 R11: ffffed100a7fa781 R12: ffff888029500e41
R13: 0000000000000005 R14: 0000200000001fd8 R15: 00007ffffffff000
dir_emit include/linux/fs.h:3853 [inline]
afs_dynroot_readdir_cells fs/afs/dynroot.c:310 [inline]
afs_dynroot_readdir+0x814/0xbe0 fs/afs/dynroot.c:352
iterate_dir+0x5a9/0x760 fs/readdir.c:108
__do_sys_getdents fs/readdir.c:322 [inline]
__se_sys_getdents+0x1ff/0x4e0 fs/readdir.c:308
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f3db8a3a419
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff5882c0e8 EFLAGS: 00000246 ORIG_RAX: 000000000000004e
RAX: ffffffffffffffda RBX: 65726f6e67693d72 RCX: 00007f3db8a3a419
RDX: 00000000000000b8 RSI: 0000200000001fc0 RDI: 0000000000000004
RBP: 00007fff5882c0f8 R08: 6c616b7a79732f2e R09: 6c616b7a79732f2e
R10: 6c616b7a79732f2e R11: 0000000000000246 R12: 0000000000000000
R13: 00007fff5882c358 R14: 000000
----------------
Code disassembly (best guess):
0: 87 55 02 xchg %edx,0x2(%rbp)
3: 00 00 add %al,(%rax)
5: 0f 01 cb stac
8: 0f ae e8 lfence
b: 48 8b 44 24 30 mov 0x30(%rsp),%rax
10: 49 89 46 08 mov %rax,0x8(%r14)
14: 48 8b 4c 24 10 mov 0x10(%rsp),%rcx
19: 48 8b 44 24 60 mov 0x60(%rsp),%rax
1e: 48 89 01 mov %rax,(%rcx)
21: 48 8b 44 24 18 mov 0x18(%rsp),%rax
26: 8b 6c 24 3c mov 0x3c(%rsp),%ebp
* 2a: 66 89 41 10 mov %ax,0x10(%rcx) <-- trapping instruction
2e: 48 98 cltq
30: 40 88 6c 01 ff mov %bpl,-0x1(%rcx,%rax,1)
35: 48 89 44 24 30 mov %rax,0x30(%rsp)
3a: 4d 63 f5 movslq %r13d,%r14
3d: 42 rex.X
3e: c6 .byte 0xc6
3f: 44 rex.R


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

David Howells

Mar 28, 2025, 1:44:56 PM
to syzbot, dhow...@redhat.com, linu...@lists.infradead.org, linux-...@vger.kernel.org, marc....@auristor.com, syzkall...@googlegroups.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

commit f34068283e8650ecd7a2f57b0b55aa91e498a470
Author: David Howells <dhow...@redhat.com>
Date: Fri Mar 28 16:46:58 2025 +0000

afs: Fix afs_dynroot_readdir() to not use the RCU read lock

afs_dynroot_readdir() uses the RCU read lock to walk the cell list whilst
emitting cell automount entries - but dir_emit() may write to a userspace
buffer, thereby causing a fault to occur and waits to happen.

Fix afs_dynroot_readdir() to get a shared lock on i_rwsem instead.

Fixes: 1d0b929fc070 ("afs: Change dynroot to create contents on demand")
Reported-by: syzbot+3b6c5c...@syzkaller.appspotmail.com
Signed-off-by: David Howells <dhow...@redhat.com>
cc: Marc Dionne <marc....@auristor.com>
cc: linu...@lists.infradead.org
cc: linux-...@vger.kernel.org

diff --git a/fs/afs/dynroot.c b/fs/afs/dynroot.c
index 691e0ae607a1..61bc8c81c5ca 100644
--- a/fs/afs/dynroot.c
+++ b/fs/afs/dynroot.c
@@ -348,9 +348,9 @@ static int afs_dynroot_readdir(struct file *file, struct dir_context *ctx)
}

if ((unsigned long long)ctx->pos <= AFS_MAX_DYNROOT_CELL_INO) {
- rcu_read_lock();
+ down_read(&file_inode(file)->i_rwsem);
ret = afs_dynroot_readdir_cells(net, ctx);
- rcu_read_unlock();
+ up_read(&file_inode(file)->i_rwsem);
}
return ret;
}
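Review bot: the down_read(&file_inode(file)->i_rwsem) at the top of this hunk re-acquires the directory's i_rwsem that iterate_dir() already holds shared for this readdir call (the original report lists it as lock #1, taken at iterate_dir+0x4a6 fs/readdir.c:101), so lockdep will flag it as recursive locking on &type->i_mutex_dir_key. If i_rwsem is the lock that now serialises the cell walk against cell creation and removal, the readdir path needs no extra acquisition here: drop both the down_read() and up_read() lines and document that afs_dynroot_readdir_cells() relies on the caller's shared i_rwsem, for example with a lockdep_assert_held() on that rwsem so the assumption is recorded and checked.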

syzbot

Mar 28, 2025, 2:15:05 PM
to dhow...@redhat.com, linu...@lists.infradead.org, linux-...@vger.kernel.org, marc....@auristor.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
possible deadlock in afs_dynroot_readdir

loop0: detected capacity change from 0 to 512
EXT4-fs: Ignoring removed bh option
EXT4-fs (loop0): mounting ext3 file system using the ext4 subsystem
EXT4-fs (loop0): 1 truncate cleaned up
EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: writeback.
============================================
WARNING: possible recursive locking detected
6.14.0-syzkaller-07422-gacb4f33713b9-dirty #0 Not tainted
--------------------------------------------
syz.0.16/6130 is trying to acquire lock:
ffff888011d70148 (&type->i_mutex_dir_key#9){.+.+}-{4:4}, at: afs_dynroot_readdir+0x49e/0xb10 fs/afs/dynroot.c:351

but task is already holding lock:
ffff888011d70148 (&type->i_mutex_dir_key#9){.+.+}-{4:4}, at: iterate_dir+0x4a6/0x760 fs/readdir.c:101

other info that might help us debug this:
Possible unsafe locking scenario:

CPU0
----
lock(&type->i_mutex_dir_key#9);
lock(&type->i_mutex_dir_key#9);

*** DEADLOCK ***

May be due to missing lock nesting notation

2 locks held by syz.0.16/6130:
#0: ffff88807e06bcf8 (&f->f_pos_lock){+.+.}-{4:4}, at: fdget_pos+0x247/0x310 fs/file.c:1213
#1: ffff888011d70148 (&type->i_mutex_dir_key#9){.+.+}-{4:4}, at: iterate_dir+0x4a6/0x760 fs/readdir.c:101

stack backtrace:
CPU: 1 UID: 0 PID: 6130 Comm: syz.0.16 Not tainted 6.14.0-syzkaller-07422-gacb4f33713b9-dirty #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_deadlock_bug+0x2be/0x2d0 kernel/locking/lockdep.c:3042
check_deadlock kernel/locking/lockdep.c:3094 [inline]
validate_chain+0x928/0x24e0 kernel/locking/lockdep.c:3896
__lock_acquire+0xad5/0xd80 kernel/locking/lockdep.c:5235
lock_acquire+0x116/0x2f0 kernel/locking/lockdep.c:5866
down_read+0xb3/0xa50 kernel/locking/rwsem.c:1524
afs_dynroot_readdir+0x49e/0xb10 fs/afs/dynroot.c:351
iterate_dir+0x5a9/0x760 fs/readdir.c:108
__do_sys_getdents fs/readdir.c:322 [inline]
__se_sys_getdents+0x1ff/0x4e0 fs/readdir.c:308
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fdd5b98d169
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fdd5c816038 EFLAGS: 00000246 ORIG_RAX: 000000000000004e
RAX: ffffffffffffffda RBX: 00007fdd5bba5fa0 RCX: 00007fdd5b98d169
RDX: 00000000000000b8 RSI: 0000200000001fc0 RDI: 0000000000000004
RBP: 00007fdd5ba0e2a0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fdd5bba5fa0 R15: 00007ffe6a4f5bb8
</TASK>


Tested on:

commit: acb4f337 Merge tag 'm68knommu-for-v6.15' of git://git...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10922a4c580000
kernel config: https://syzkaller.appspot.com/x/.config?x=982413b40f90fdf8
dashboard link: https://syzkaller.appspot.com/bug?extid=3b6c5c6a1d0119b687a1
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=17f51198580000

Edward Adam Davis

Mar 28, 2025, 10:47:45 PM
to syzbot+3b6c5c...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
#syz test

diff --git a/fs/afs/dynroot.c b/fs/afs/dynroot.c
index 691e0ae607a1..829188ef5435 100644
--- a/fs/afs/dynroot.c
+++ b/fs/afs/dynroot.c
@@ -287,12 +287,16 @@ static int afs_dynroot_readdir_cells(struct afs_net *net, struct dir_context *ct

_enter("%llu", ctx->pos);

+ rcu_read_lock();
for (;;) {
unsigned int ix = ctx->pos >> 1;
+ u8 name_len;
+ char *name;
+ unsigned int dynroot_ino;

cell = idr_get_next(&net->cells_dyn_ino, &ix);
if (!cell)
- return 0;
+ goto unlock;
if (READ_ONCE(cell->state) == AFS_CELL_REMOVING ||
READ_ONCE(cell->state) == AFS_CELL_DEAD) {
ctx->pos += 2;
@@ -306,19 +310,28 @@ static int afs_dynroot_readdir_cells(struct afs_net *net, struct dir_context *ct

_debug("pos %llu -> cell %u", ctx->pos, cell->dynroot_ino);

+ name_len = cell->name_len;
+ name = cell->name;
+ dynroot_ino = cell->dynroot_ino;
if ((ctx->pos & 1) == 0) {
- if (!dir_emit(ctx, cell->name, cell->name_len,
- cell->dynroot_ino, DT_DIR))
- return 0;
+ rcu_read_unlock();
+ if (!dir_emit(ctx, name, name_len, dynroot_ino, DT_DIR))
+ goto out;
+ rcu_read_lock();
ctx->pos++;
}
if ((ctx->pos & 1) == 1) {
- if (!dir_emit(ctx, cell->name - 1, cell->name_len + 1,
- cell->dynroot_ino + 1, DT_DIR))
- return 0;
+ rcu_read_unlock();
+ if (!dir_emit(ctx, name - 1, name_len + 1,
+ dynroot_ino + 1, DT_DIR))
+ goto out;
+ rcu_read_lock();
ctx->pos++;
}
}
+unlock:
+ rcu_read_unlock();
+out:
return 0;
}

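Review bot: dropping the RCU read lock before dir_emit() does not make the saved `name` pointer safe to use. `name = cell->name` only copies the pointer, which still points into the afs_cell that the RCU read-side critical section was protecting, so once rcu_read_unlock() runs a cell that has moved to the removed or dead state can be freed while dir_emit() is still reading `name` (and `name - 1` for the dotted entry). Either copy the name into a local buffer while the lock is held (name_len is a u8, so a fixed stack buffer sized for 255 bytes plus the leading '.' is enough), or hold a reference on the cell across the emit, before calling dir_emit() without RCU held. The `goto out` after a failed emit is correct as written, since RCU has already been released on that path.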
@@ -348,9 +361,7 @@ static int afs_dynroot_readdir(struct file *file, struct dir_context *ctx)
}

if ((unsigned long long)ctx->pos <= AFS_MAX_DYNROOT_CELL_INO) {
- rcu_read_lock();
ret = afs_dynroot_readdir_cells(net, ctx);
- rcu_read_unlock();
}
return ret;
}
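Review bot: with the rcu_read_lock()/rcu_read_unlock() pair removed, the if body is a single statement, so per kernel coding style the braces around `ret = afs_dynroot_readdir_cells(net, ctx);` should go as well. Otherwise the hunk is consistent with moving the RCU protection into afs_dynroot_readdir_cells(), where it can be dropped around each dir_emit() call.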

syzbot

Mar 29, 2025, 1:51:07 AM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

mode
[ 69.518774][ T5887] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 69.531611][ T5887] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 69.542159][ T5887] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 69.551960][ T5887] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 69.560878][ T5887] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 69.570005][ T5887] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 69.691353][ T5887] syz-executor (5887) used greatest stack depth: 19616 bytes left
[ 69.711047][ T13] netdevsim netdevsim0 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 69.775907][ T13] netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 69.840598][ T13] netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 69.898295][ T13] netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 70.157572][ T5919] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 70.166420][ T5919] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 70.174104][ T5919] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 70.183110][ T5919] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 70.192891][ T5919] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
2025/03/29 05:50:44 executed programs: 0
[ 70.660061][ T5919] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 70.669464][ T5919] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 70.678754][ T5919] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 70.687373][ T5919] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 70.695598][ T5919] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 70.785794][ T5933] chnl_net:caif_netlink_parms(): no params data found
[ 70.828056][ T5933] bridge0: port 1(bridge_slave_0) entered blocking state
[ 70.835717][ T5933] bridge0: port 1(bridge_slave_0) entered disabled state
[ 70.842920][ T5933] bridge_slave_0: entered allmulticast mode
[ 70.850250][ T5933] bridge_slave_0: entered promiscuous mode
[ 70.858138][ T5933] bridge0: port 2(bridge_slave_1) entered blocking state
[ 70.866441][ T5933] bridge0: port 2(bridge_slave_1) entered disabled state
[ 70.873655][ T5933] bridge_slave_1: entered allmulticast mode
[ 70.880415][ T5933] bridge_slave_1: entered promiscuous mode
[ 70.910123][ T5933] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 70.921677][ T5933] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 70.946174][ T5933] team0: Port device team_slave_0 added
[ 70.955650][ T5933] team0: Port device team_slave_1 added
[ 70.972195][ T5933] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 70.979290][ T5933] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 71.005779][ T5933] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 71.018566][ T5933] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 71.025719][ T5933] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 71.052143][ T5933] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 71.084918][ T5933] hsr_slave_0: entered promiscuous mode
[ 71.091172][ T5933] hsr_slave_1: entered promiscuous mode
[ 71.097607][ T5933] debugfs: Directory 'hsr0' with parent 'hsr' already present!
[ 71.105530][ T5933] Cannot create hsr debugfs directory
[ 71.467764][ T1299] ieee802154 phy0 wpan0: encryption failed: -22
[ 71.474219][ T1299] ieee802154 phy1 wpan1: encryption failed: -22
[ 72.755330][ T5137] Bluetooth: hci0: command tx timeout
[ 73.078740][ T13] bridge_slave_1: left allmulticast mode
[ 73.087005][ T13] bridge_slave_1: left promiscuous mode
[ 73.094074][ T13] bridge0: port 2(bridge_slave_1) entered disabled state
[ 73.105207][ T13] bridge_slave_0: left allmulticast mode
[ 73.110923][ T13] bridge_slave_0: left promiscuous mode
[ 73.117589][ T13] bridge0: port 1(bridge_slave_0) entered disabled state
[ 73.292536][ T13] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
[ 73.303595][ T13] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
[ 73.316478][ T13] bond0 (unregistering): Released all slaves
[ 73.414239][ T13] hsr_slave_0: left promiscuous mode
[ 73.424392][ T13] hsr_slave_1: left promiscuous mode
[ 73.430886][ T13] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 73.442780][ T13] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 73.451616][ T13] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 73.460757][ T13] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 73.477508][ T13] veth1_macvtap: left promiscuous mode
[ 73.483334][ T13] veth0_macvtap: left promiscuous mode
[ 73.489387][ T13] veth1_vlan: left promiscuous mode
[ 73.496421][ T13] veth0_vlan: left promiscuous mode
[ 73.767218][ T13] team0 (unregistering): Port device team_slave_1 removed
[ 73.792742][ T13] team0 (unregistering): Port device team_slave_0 removed
[ 74.013067][ T5491]
[ 74.015514][ T5491] ============================================
[ 74.021675][ T5491] WARNING: possible recursive locking detected
[ 74.027830][ T5491] 6.14.0-syzkaller-09584-g7d06015d936c-dirty #0 Not tainted
[ 74.035096][ T5491] --------------------------------------------
[ 74.041229][ T5491] dhcpcd/5491 is trying to acquire lock:
[ 74.046854][ T5491] ffff88807edb8d28 (&dev->lock){+.+.}-{4:4}, at: lapbeth_device_event+0x766/0xa20
[ 74.056138][ T5491]
[ 74.056138][ T5491] but task is already holding lock:
[ 74.064028][ T5491] ffff888069be8d28 (&dev->lock){+.+.}-{4:4}, at: dev_change_flags+0x120/0x270
[ 74.072906][ T5491]
[ 74.072906][ T5491] other info that might help us debug this:
[ 74.080951][ T5491] Possible unsafe locking scenario:
[ 74.080951][ T5491]
[ 74.088384][ T5491] CPU0
[ 74.091676][ T5491] ----
[ 74.094943][ T5491] lock(&dev->lock);
[ 74.098914][ T5491] lock(&dev->lock);
[ 74.102886][ T5491]
[ 74.102886][ T5491] *** DEADLOCK ***
[ 74.102886][ T5491]
[ 74.111023][ T5491] May be due to missing lock nesting notation
[ 74.111023][ T5491]
[ 74.119346][ T5491] 2 locks held by dhcpcd/5491:
[ 74.124095][ T5491] #0: ffffffff900d3988 (rtnl_mutex){+.+.}-{4:4}, at: devinet_ioctl+0x34e/0x1d80
[ 74.133367][ T5491] #1: ffff888069be8d28 (&dev->lock){+.+.}-{4:4}, at: dev_change_flags+0x120/0x270
[ 74.142678][ T5491]
[ 74.142678][ T5491] stack backtrace:
[ 74.148570][ T5491] CPU: 1 UID: 0 PID: 5491 Comm: dhcpcd Not tainted 6.14.0-syzkaller-09584-g7d06015d936c-dirty #0 PREEMPT(full)
[ 74.148586][ T5491] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
[ 74.148597][ T5491] Call Trace:
[ 74.148603][ T5491] <TASK>
[ 74.148609][ T5491] dump_stack_lvl+0x241/0x360
[ 74.148627][ T5491] ? __pfx_dump_stack_lvl+0x10/0x10
[ 74.148641][ T5491] ? __pfx__printk+0x10/0x10
[ 74.148656][ T5491] ? print_lock+0x171/0x1a0
[ 74.148668][ T5491] print_deadlock_bug+0x2be/0x2d0
[ 74.148681][ T5491] validate_chain+0x928/0x24e0
[ 74.148693][ T5491] ? stack_depot_save_flags+0x3a/0x970
[ 74.148711][ T5491] ? look_up_lock_class+0x7b/0x170
[ 74.148723][ T5491] ? register_lock_class+0x54/0x330
[ 74.148740][ T5491] __lock_acquire+0xad5/0xd80
[ 74.148757][ T5491] lock_acquire+0x116/0x2f0
[ 74.148772][ T5491] ? lapbeth_device_event+0x766/0xa20
[ 74.148788][ T5491] __mutex_lock+0x1a5/0x10c0
[ 74.148799][ T5491] ? lapbeth_device_event+0x766/0xa20
[ 74.148812][ T5491] ? ref_tracker_alloc+0x316/0x4c0
[ 74.148829][ T5491] ? lapbeth_device_event+0x766/0xa20
[ 74.148840][ T5491] ? rcu_is_watching+0x15/0xb0
[ 74.148852][ T5491] ? __pfx___mutex_lock+0x10/0x10
[ 74.148866][ T5491] ? __raw_spin_lock_init+0x45/0x100
[ 74.148880][ T5491] lapbeth_device_event+0x766/0xa20
[ 74.148893][ T5491] notifier_call_chain+0x1a5/0x3f0
[ 74.148907][ T5491] __dev_notify_flags+0x209/0x410
[ 74.148923][ T5491] ? __pfx___dev_notify_flags+0x10/0x10
[ 74.148935][ T5491] ? __dev_change_flags+0x517/0x700
[ 74.148949][ T5491] ? __pfx___mutex_lock+0x10/0x10
[ 74.148960][ T5491] ? __pfx___dev_change_flags+0x10/0x10
[ 74.148975][ T5491] ? __pfx___mutex_lock+0x10/0x10
[ 74.148986][ T5491] netif_change_flags+0xf0/0x1a0
[ 74.149000][ T5491] dev_change_flags+0x146/0x270
[ 74.149015][ T5491] devinet_ioctl+0xea4/0x1d80
[ 74.149030][ T5491] ? __pfx_devinet_ioctl+0x10/0x10
[ 74.149042][ T5491] ? get_user_ifreq+0x1bb/0x200
[ 74.149058][ T5491] inet_ioctl+0x3d9/0x4f0
[ 74.149073][ T5491] ? __pfx_inet_ioctl+0x10/0x10
[ 74.149087][ T5491] ? lockdep_hardirqs_on+0x9d/0x150
[ 74.149109][ T5491] ? tomoyo_path_number_perm+0x215/0x790
[ 74.149122][ T5491] sock_do_ioctl+0x15a/0x490
[ 74.149134][ T5491] ? __pfx_sock_do_ioctl+0x10/0x10
[ 74.149146][ T5491] ? fd_install+0x9c/0x4c0
[ 74.149159][ T5491] ? __asan_memset+0x23/0x50
[ 74.149173][ T5491] ? smack_file_ioctl+0x2a7/0x3b0
[ 74.149186][ T5491] sock_ioctl+0x644/0x900
[ 74.149202][ T5491] ? __pfx_sock_ioctl+0x10/0x10
[ 74.149218][ T5491] ? __sys_socket+0x209/0x3c0
[ 74.149231][ T5491] ? __pfx_sock_ioctl+0x10/0x10
[ 74.149248][ T5491] __se_sys_ioctl+0xf1/0x160
[ 74.149265][ T5491] do_syscall_64+0xf3/0x230
[ 74.149276][ T5491] ? clear_bhb_loop+0x45/0xa0
[ 74.149289][ T5491] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 74.149303][ T5491] RIP: 0033:0x7ffb21c81d49
[ 74.149318][ T5491] Code: 5c c3 48 8d 44 24 08 48 89 54 24 e0 48 89 44 24 c0 48 8d 44 24 d0 48 89 44 24 c8 b8 10 00 00 00 c7 44 24 b8 10 00 00 00 0f 05 <41> 89 c0 3d 00 f0 ff ff 76 10 48 8b 15 ae 60 0d 00 f7 d8 41 83 c8
[ 74.149328][ T5491] RSP: 002b:00007ffe55611008 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 74.149341][ T5491] RAX: ffffffffffffffda RBX: 00007ffb21bb36c0 RCX: 00007ffb21c81d49
[ 74.149350][ T5491] RDX: 00007ffe556211f8 RSI: 0000000000008914 RDI: 000000000000000e
[ 74.149358][ T5491] RBP: 00007ffe556313b8 R08: 00007ffe556211b8 R09: 00007ffe55621168
[ 74.149366][ T5491] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 74.149374][ T5491] R13: 00007ffe556211f8 R14: 0000000000000028 R15: 0000000000008914
[ 74.149385][ T5491] </TASK>
[ 74.714069][ T5933] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 74.724023][ T5933] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 74.733084][ T5933] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 74.748582][ T5933] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 74.796465][ T5933] 8021q: adding VLAN 0 to HW filter on device bond0
[ 74.810222][ T5933] 8021q: adding VLAN 0 to HW filter on device team0
[ 74.821065][ T78] bridge0: port 1(bridge_slave_0) entered blocking state
[ 74.828458][ T78] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 74.838471][ T5137] Bluetooth: hci0: command tx timeout
[ 74.847260][ T1079] bridge0: port 2(bridge_slave_1) entered blocking state
[ 74.854495][ T1079] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 74.983183][ T5933] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 75.017511][ T5933] veth0_vlan: entered promiscuous mode
[ 75.027982][ T5933] veth1_vlan: entered promiscuous mode
[ 75.051472][ T5933] veth0_macvtap: entered promiscuous mode
[ 75.060843][ T5933] veth1_macvtap: entered promiscuous mode
[ 75.078135][ T5933] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 75.091091][ T5933] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 75.102457][ T5933] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 75.111555][ T5933] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 75.122011][ T5933] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 75.131879][ T5933] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 75.163469][ T5933] ieee80211 phy5: Selected rate control algorithm 'minstrel_ht'
[ 75.183636][ T36] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 75.193456][ T5933] ieee80211 phy6: Selected rate control algorithm 'minstrel_ht'
[ 75.202887][ T36] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 75.224644][ T1079] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 75.232795][ T1079] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50


syzkaller build log:
go env (err=<nil>)
GO111MODULE='auto'
GOARCH='amd64'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/syzkaller/jobs-2/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs-2/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/syzkaller/jobs-2/linux/gopath/pkg/mod/golang.org/tool...@v0.0.1-go1.23.6.linux-amd64'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/syzkaller/jobs-2/linux/gopath/pkg/mod/golang.org/tool...@v0.0.1-go1.23.6.linux-amd64/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.23.6'
GODEBUG=''
GOTELEMETRY='local'
GOTELEMETRYDIR='/syzkaller/.config/go/telemetry'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/syzkaller/jobs-2/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build1160221299=/tmp/go-build -gno-record-gcc-switches'

git status (err=<nil>)
HEAD detached at 875573af37b
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=875573af37b09758ab48042f2b8a368097204888 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20250323-222138'" -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"875573af37b09758ab48042f2b8a368097204888\"
/usr/bin/ld: /tmp/cc8wE2TU.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x104): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=1357064c580000


Tested on:

commit: 7d06015d Merge tag 'pci-v6.15-changes' of git://git.ke..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=6f5a67fe881fabe4
dashboard link: https://syzkaller.appspot.com/bug?extid=3b6c5c6a1d0119b687a1
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=12c6bbb0580000

Edward Adam Davis

Mar 29, 2025, 1:55:56 AM
to syzbot+3b6c5c...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
#syz test: upstream 1d0b929fc070b4115403a0a6206a0c6a62dd61f5

syzbot

Mar 29, 2025, 2:07:06 AM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to apply patch:
checking file fs/afs/dynroot.c
Hunk #1 FAILED at 287.
Hunk #2 succeeded at 305 (offset -1 lines).
Hunk #3 succeeded at 356 (offset -1 lines).
1 out of 3 hunks FAILED



Tested on:

commit: 1d0b929f afs: Change dynroot to create contents on dem..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=5f1762820c18874b
patch: https://syzkaller.appspot.com/x/patch.diff?x=17917804580000

Edward Adam Davis

Mar 29, 2025, 5:46:11 AM
to syzbot+3b6c5c...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
#syz test: upstream 1d0b929fc070b4115403a0a6206a0c6a62dd61f5

diff --git a/fs/afs/dynroot.c b/fs/afs/dynroot.c
index eb20e231d7ac..8d640f6537fc 100644
--- a/fs/afs/dynroot.c
+++ b/fs/afs/dynroot.c
@@ -286,12 +286,16 @@ static int afs_dynroot_readdir_cells(struct afs_net *net, struct dir_context *ct

_enter("%llu", ctx->pos);

+ rcu_read_lock();
for (;;) {
unsigned int ix = ctx->pos >> 1;
+ u8 name_len;
+ char *name;
+ unsigned int dynroot_ino;

cell = idr_get_next(&net->cells_dyn_ino, &ix);
if (!cell)
- return 0;
+ goto unlock;
if (READ_ONCE(cell->state) == AFS_CELL_FAILED ||
READ_ONCE(cell->state) == AFS_CELL_REMOVED) {
ctx->pos += 2;
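Review bot: the post carries no description of why rcu_read_lock() is being moved from the caller into this loop, and nothing in the hunk says it; a commit message should state that dir_emit() may fault on the user buffer and therefore cannot run under the RCU read lock, which is the reason the early `return 0` becomes `goto unlock` and the three new locals (name_len, name, dynroot_ino) are introduced here.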
@@ -305,19 +309,29 @@ static int afs_dynroot_readdir_cells(struct afs_net *net, struct dir_context *ct

_debug("pos %llu -> cell %u", ctx->pos, cell->dynroot_ino);

+ name_len = cell->name_len;
+ name = cell->name;
+ dynroot_ino = cell->dynroot_ino;
if ((ctx->pos & 1) == 0) {
- if (!dir_emit(ctx, cell->name, cell->name_len,
- cell->dynroot_ino, DT_DIR))
- return 0;
+ rcu_read_unlock();
+ if (!dir_emit(ctx, name, name_len,
+ dynroot_ino, DT_DIR))
+ goto out;
+ rcu_read_lock();
ctx->pos++;
}
if ((ctx->pos & 1) == 1) {
- if (!dir_emit(ctx, cell->name - 1, cell->name_len + 1,
- cell->dynroot_ino + 1, DT_DIR))
- return 0;
+ rcu_read_unlock();
+ if (!dir_emit(ctx, name - 1, name_len + 1,
+ dynroot_ino + 1, DT_DIR))
+ goto out;
+ rcu_read_lock();
ctx->pos++;
}
}
+unlock:
+ rcu_read_unlock();
+out:
return 0;
}

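Review bot: copying `cell->name` into the local `name` does not make it safe to use after rcu_read_unlock(): `name` is still a pointer into the cell's own memory, so once the read lock is dropped before `dir_emit(ctx, name, name_len, dynroot_ino, DT_DIR)` (and the `name - 1, name_len + 1` variant) the cell can be freed and dir_emit() reads freed memory. Copy the name bytes into a stack buffer while still under the lock, or hold a reference on the cell across the call, rather than copying only the pointer. The `unlock:` and `out:` labels both end in `return 0;`; a one-line comment that `out` is reached with the lock already dropped would help the next reader.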
@@ -347,9 +361,7 @@ static int afs_dynroot_readdir(struct file *file, struct dir_context *ctx)
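Review bot: only the header of this hunk (-347,9 +361,7) is present in the posting, so the two lines removed from afs_dynroot_readdir() cannot be reviewed here; the complete diff should be reposted.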

David Howells

Mar 29, 2025, 5:49:12 AM
to syzbot, dhow...@redhat.com, linu...@lists.infradead.org, linux-...@vger.kernel.org, marc....@auristor.com, syzkall...@googlegroups.com
commit db7a516159869b19f237c73bd75599bbe0bfcc4d
Author: David Howells <dhow...@redhat.com>
Date: Fri Mar 28 16:46:58 2025 +0000

afs: Fix afs_dynroot_readdir() to not use the RCU read lock

afs_dynroot_readdir() uses the RCU read lock to walk the cell list whilst
emitting cell automount entries - but dir_emit() may write to a userspace
buffer, thereby causing a fault to occur and waits to happen.

Fix afs_dynroot_readdir() to get a shared lock on net->cells_lock instead.

Fixes: 1d0b929fc070 ("afs: Change dynroot to create contents on demand")
diff --git a/fs/afs/dynroot.c b/fs/afs/dynroot.c
index 691e0ae607a1..8c6130789fde 100644
--- a/fs/afs/dynroot.c
+++ b/fs/afs/dynroot.c
@@ -348,9 +348,9 @@ static int afs_dynroot_readdir(struct file *file, struct dir_context *ctx)
}

if ((unsigned long long)ctx->pos <= AFS_MAX_DYNROOT_CELL_INO) {
- rcu_read_lock();
+ down_read(&net->cells_lock);
ret = afs_dynroot_readdir_cells(net, ctx);
- rcu_read_unlock();
+ up_read(&net->cells_lock);
}
return ret;
}
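Review bot: down_read() on net->cells_lock is a sleeping lock, which is what makes the faults taken by dir_emit() inside afs_dynroot_readdir_cells() safe, but the hunk relies on cells_lock also being held for write wherever cells are removed from net->cells_dyn_ino; the commit message should state that the idr walk in afs_dynroot_readdir_cells() is now covered by the rwsem rather than by RCU, since otherwise the walk loses the protection the RCU read lock gave it.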

syzbot

Mar 29, 2025, 6:03:08 AM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in inode_set_cached_link

------------[ cut here ]------------
bad length passed for symlink [/tmp/syz-imagegen2884317625/ ] (got 39, expected 29)
WARNING: CPU: 0 PID: 6579 at ./include/linux/fs.h:803 inode_set_cached_link+0xd0/0x110 include/linux/fs.h:802
Modules linked in:
CPU: 0 UID: 0 PID: 6579 Comm: syz-executor Not tainted 6.14.0-rc4-syzkaller-00172-g1d0b929fc070-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
RIP: 0010:inode_set_cached_link+0xd0/0x110 include/linux/fs.h:802
Call Trace:
<TASK>
__ext4_iget+0x2ea4/0x3f30 fs/ext4/inode.c:5012
ext4_lookup+0x3e3/0x750 fs/ext4/namei.c:1813
__lookup_slow+0x296/0x400 fs/namei.c:1793
lookup_slow+0x53/0x70 fs/namei.c:1810
walk_component+0x2ea/0x410 fs/namei.c:2114
lookup_last fs/namei.c:2612 [inline]
path_lookupat+0x16f/0x450 fs/namei.c:2636
filename_lookup+0x2a3/0x670 fs/namei.c:2665
user_path_at+0x3a/0x60 fs/namei.c:3072
ksys_umount fs/namespace.c:2071 [inline]
__do_sys_umount fs/namespace.c:2079 [inline]
__se_sys_umount fs/namespace.c:2077 [inline]
__x64_sys_umount+0xf1/0x170 fs/namespace.c:2077
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
</TASK>


Tested on:

commit: 1d0b929f afs: Change dynroot to create contents on dem..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=17fb7804580000
kernel config: https://syzkaller.appspot.com/x/.config?x=b1debf8c2c3d28b1
dashboard link: https://syzkaller.appspot.com/bug?extid=3b6c5c6a1d0119b687a1
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1514864c580000

syzbot

Mar 29, 2025, 6:18:06 AM
to dhow...@redhat.com, linu...@lists.infradead.org, linux-...@vger.kernel.org, marc....@auristor.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
unregister_netdevice: waiting for DEV to become free

unregister_netdevice: waiting for batadv0 to become free. Usage count = 3


Tested on:

commit: 7d06015d Merge tag 'pci-v6.15-changes' of git://git.ke..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14c77804580000
kernel config: https://syzkaller.appspot.com/x/.config?x=6f5a67fe881fabe4
dashboard link: https://syzkaller.appspot.com/bug?extid=3b6c5c6a1d0119b687a1
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1259f43f980000

David Howells

Mar 31, 2025, 6:58:50 AM
to syzbot, dhow...@redhat.com, linu...@lists.infradead.org, linux-...@vger.kernel.org, marc....@auristor.com, syzkall...@googlegroups.com
Note to syzbot maintainers: the C test program contains a compressed ext3
image and decompression code that I think is entirely unnecessary. All it
does is provide a directory that the afs dynroot can be mounted upon.

This is the only bit of the test that is actually necessary:

NONFAILING(memcpy((void*)0x2000000001c0, "./file0\000", 8));
NONFAILING(memcpy((void*)0x2000000002c0, "afs\000", 4));
NONFAILING(memcpy((void*)0x200000000400, "dyn", 3));
NONFAILING(*(uint8_t*)0x200000000403 = 0x2c);
NONFAILING(*(uint8_t*)0x200000000404 = 0);
syscall(__NR_mount, /*src=*/0ul, /*dst=*/0x2000000001c0ul,
/*type=*/0x2000000002c0ul, /*flags=*/0ul, /*opts=*/0x200000000400ul);
NONFAILING(memcpy((void*)0x2000000000c0, "./file0\000", 8));
syscall(__NR_chdir, /*dir=*/0x2000000000c0ul);
NONFAILING(memcpy((void*)0x200000000240, "./file1\000", 8));
syscall(__NR_lstat, /*file=*/0x200000000240ul, /*statbuf=*/0ul);
NONFAILING(memcpy((void*)0x2000000000c0, ".\000", 2));
res = syscall(__NR_open, /*file=*/0x2000000000c0ul, /*flags=*/0ul,
/*mode=*/0ul);
if (res != -1)
r[0] = res;
syscall(__NR_getdents, /*fd=*/r[0], /*ent=*/0x200000001fc0ul,
/*count=*/0xb8ul);

Basically:

mount(NULL, "./file0", "afs", 0, "dyn,") = 0
chdir("./file0") = 0
lstat("./file1", NULL) = -1 EFAULT (Bad address)
open(".", O_RDONLY) = 4
getdents(4, 0x200000001fc0 /* 5 entries */, 184) = 168

David

Aleksandr Nogikh

Mar 31, 2025, 8:49:22 AM
to David Howells, syzbot, linu...@lists.infradead.org, linux-...@vger.kernel.org, marc....@auristor.com, syzkall...@googlegroups.com
Hi David,

Thanks for letting us know!

I've left a note in our issue tracker:
https://github.com/google/syzkaller/issues/1020#issuecomment-2766118626
--
Aleksandr