WARNING: bad unlock balance in mnt_drop_write


syzbot

Jul 25, 2019, 1:20:06 AM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: ff33472c Linux 4.14.134
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=104068cc600000
kernel config: https://syzkaller.appspot.com/x/.config?x=3559c2b3fb5dd4b2
dashboard link: https://syzkaller.appspot.com/bug?extid=4dc2b9eb5cb7aef78ea1
compiler: gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+4dc2b9...@syzkaller.appspotmail.com

EXT4-fs error (device sda1): ext4_remount:5189: Abort forced by user
overlayfs: failed to create directory ./file1\/work (errno: 30); mounting
read-only
=====================================
WARNING: bad unlock balance detected!
4.14.134 #29 Not tainted
-------------------------------------
syz-executor.4/10668 is trying to release lock (sb_writers) at:
[<ffffffff8194834e>] sb_end_write include/linux/fs.h:1500 [inline]
[<ffffffff8194834e>] mnt_drop_write+0x3e/0x50 fs/namespace.c:532
but there are no more locks to release!

other info that might help us debug this:
1 lock held by syz-executor.4/10668:
#0: (&type->s_umount_key#58/1){+.+.}, at: [<ffffffff818dbbe1>]
alloc_super fs/super.c:251 [inline]
#0: (&type->s_umount_key#58/1){+.+.}, at: [<ffffffff818dbbe1>]
sget_userns+0x551/0xc30 fs/super.c:516

stack backtrace:
CPU: 1 PID: 10668 Comm: syz-executor.4 Not tainted 4.14.134 #29
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x138/0x19c lib/dump_stack.c:53
print_unlock_imbalance_bug kernel/locking/lockdep.c:3548 [inline]
print_unlock_imbalance_bug.cold+0x114/0x123 kernel/locking/lockdep.c:3525
__lock_release kernel/locking/lockdep.c:3762 [inline]
lock_release+0x616/0x940 kernel/locking/lockdep.c:4010
percpu_up_read_preempt_enable include/linux/percpu-rwsem.h:102 [inline]
percpu_up_read include/linux/percpu-rwsem.h:108 [inline]
__sb_end_write+0xc1/0x100 fs/super.c:1329
sb_end_write include/linux/fs.h:1500 [inline]
mnt_drop_write+0x3e/0x50 fs/namespace.c:532
ovl_workdir_create.cold+0x101/0x10d fs/overlayfs/super.c:546
ovl_fill_super+0x100c/0x2660 fs/overlayfs/super.c:988
mount_nodev+0x52/0xf0 fs/super.c:1180
ovl_mount+0x2d/0x40 fs/overlayfs/super.c:1204
mount_fs+0x97/0x2a1 fs/super.c:1237
vfs_kern_mount.part.0+0x5e/0x3d0 fs/namespace.c:1046
vfs_kern_mount fs/namespace.c:1036 [inline]
do_new_mount fs/namespace.c:2549 [inline]
do_mount+0x417/0x27d0 fs/namespace.c:2879
SYSC_mount fs/namespace.c:3095 [inline]
SyS_mount+0xab/0x120 fs/namespace.c:3072
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x459829
RSP: 002b:00007f2c7d88fc78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000000459829
RDX: 00000000200000c0 RSI: 0000000020000000 RDI: 0000000000404000
RBP: 000000000075bf20 R08: 0000000020000100 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f2c7d8906d4
R13: 00000000004c5ce2 R14: 00000000004da5a0 R15: 00000000ffffffff
kobject: 'syz_tun' (ffff8880608d8cf0): kobject_cleanup, parent
(null)
encrypted_key: insufficient parameters specified
kobject: 'kvm' (ffff8880a6e69450): kobject_uevent_env
kobject: 'loop0' (ffff888053298460): kobject_uevent_env
kobject: 'kvm' (ffff8880a6e69450): fill_kobj_path: path
= '/devices/virtual/misc/kvm'
kobject: 'syz_tun' (ffff8880608d8cf0): calling ktype release
kobject: 'loop0' (ffff888053298460): fill_kobj_path: path
= '/devices/virtual/block/loop0'
kobject: 'syz_tun': free name
kobject: 'loop4' (ffff8880a4aa2ae0): kobject_uevent_env
kobject: 'loop4' (ffff8880a4aa2ae0): fill_kobj_path: path
= '/devices/virtual/block/loop4'
kobject: 'kvm' (ffff8880a6e69450): kobject_uevent_env
kobject: 'kvm' (ffff8880a6e69450): fill_kobj_path: path
= '/devices/virtual/misc/kvm'
kobject: 'loop3' (ffff8880a4a4aa60): kobject_uevent_env
kobject: 'loop4' (ffff8880a4aa2ae0): kobject_uevent_env
kobject: 'loop3' (ffff8880a4a4aa60): fill_kobj_path: path
= '/devices/virtual/block/loop3'
kobject: 'loop4' (ffff8880a4aa2ae0): fill_kobj_path: path
= '/devices/virtual/block/loop4'
encrypted_key: insufficient parameters specified
VFS: Can't find a Minix filesystem V1 | V2 | V3 on device loop4.
kobject: '9p-5' (ffff888091d16b90): kobject_add_internal: parent: 'bdi',
set: 'devices'
kobject: 'loop0' (ffff888053298460): kobject_uevent_env
kobject: '9p-5' (ffff888091d16b90): kobject_uevent_env
kobject: 'loop0' (ffff888053298460): fill_kobj_path: path
= '/devices/virtual/block/loop0'
kobject: '9p-5' (ffff888091d16b90): fill_kobj_path: path
= '/devices/virtual/bdi/9p-5'
kobject: '9p-5' (ffff888091d16b90): kobject_uevent_env
kobject: '9p-5' (ffff888091d16b90): fill_kobj_path: path
= '/devices/virtual/bdi/9p-5'
overlayfs: filesystem on './file0' not supported as upperdir
kobject: '9p-5' (ffff888091d16b90): kobject_cleanup, parent (null)
kobject: 'loop4' (ffff8880a4aa2ae0): kobject_uevent_env
kobject: 'loop4' (ffff8880a4aa2ae0): fill_kobj_path: path
= '/devices/virtual/block/loop4'
kobject: '9p-5' (ffff888091d16b90): calling ktype release
netlink: 3 bytes leftover after parsing attributes in process
`syz-executor.0'.
kobject: '9p-5': free name
------------[ cut here ]------------
WARNING: CPU: 0 PID: 7247 at fs/namespace.c:1178 cleanup_mnt+0x104/0x150
fs/namespace.c:1178


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Jun 7, 2020, 11:34:13 AM
to syzkaller...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.