Hello,
syzbot hit the following crash on upstream commit
285848b0f4074f04ab606f1e5dca296482033d54 (Sun Apr 22 04:20:48 2018 +0000)
Merge tag 'random_for_linus_stable' of
git://
git.kernel.org/pub/scm/linux/kernel/git/tytso/random
syzbot dashboard link:
https://syzkaller.appspot.com/bug?extid=7cf5e00d274a23782334
So far this crash happened 2 times on upstream.
Unfortunately, I don't have any reproducer for this crash yet.
Raw console output:
https://syzkaller.appspot.com/x/log.txt?id=5559403109416960
Kernel config:
https://syzkaller.appspot.com/x/.config?id=1808800213120130118
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
CC: [
linux-...@vger.kernel.org linux-...@vger.kernel.org
vi...@zeniv.linux.org.uk]
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by:
syzbot+7cf5e0...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for
details.
If you forward the report, please keep this part and the footer.
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
=============================
WARNING: suspicious RCU usage
4.17.0-rc1+ #12 Not tainted
-----------------------------
include/linux/rcupdate.h:304 Illegal context switch in RCU read-side
critical section!
other info that might help us debug this:
rcu_scheduler_active = 2, debug_locks = 1
6 locks held by kworker/u4:1/22:
#0: (ptrval) ((wq_completion)"writeback"){+.+.}, at:
__write_once_size include/linux/compiler.h:215 [inline]
#0: (ptrval) ((wq_completion)"writeback"){+.+.}, at:
arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]
#0: (ptrval) ((wq_completion)"writeback"){+.+.}, at: atomic64_set
include/asm-generic/atomic-instrumented.h:40 [inline]
#0: (ptrval) ((wq_completion)"writeback"){+.+.}, at:
atomic_long_set include/asm-generic/atomic-long.h:57 [inline]
#0: (ptrval) ((wq_completion)"writeback"){+.+.}, at: set_work_data
kernel/workqueue.c:617 [inline]
#0: (ptrval) ((wq_completion)"writeback"){+.+.}, at:
set_work_pool_and_clear_pending kernel/workqueue.c:644 [inline]
#0: (ptrval) ((wq_completion)"writeback"){+.+.}, at:
process_one_work+0xaef/0x1b50 kernel/workqueue.c:2116
#1: (ptrval) ((work_completion)(&(&wb->dwork)->work)){+.+.}, at:
process_one_work+0xb46/0x1b50 kernel/workqueue.c:2120
#2: (ptrval) (&type->s_umount_key#29){++++}, at:
trylock_super+0x22/0x110 fs/super.c:399
#3: (ptrval) (&sbi->s_journal_flag_rwsem){.+.+}, at:
do_writepages+0x9a/0x1a0 mm/page-writeback.c:2341
#4: (ptrval) (jbd2_handle){.+.+}, at:
start_this_handle+0x581/0x1250 fs/jbd2/transaction.c:385
#5: (ptrval) (rcu_read_lock){....}, at:
find_get_pages_range_tag+0x139/0x1250 mm/filemap.c:1874
stack backtrace:
CPU: 0 PID: 22 Comm: kworker/u4:1 Not tainted 4.17.0-rc1+ #12
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: writeback wb_workfn (flush-8:0)
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1b9/0x294 lib/dump_stack.c:113
lockdep_rcu_suspicious+0x14a/0x153 kernel/locking/lockdep.c:4592
rcu_preempt_sleep_check include/linux/rcupdate.h:303 [inline]
___might_sleep+0x26d/0x320 kernel/sched/core.c:6153
__might_sleep+0x95/0x190 kernel/sched/core.c:6141
slab_pre_alloc_hook mm/slab.h:421 [inline]
slab_alloc mm/slab.c:3378 [inline]
__do_kmalloc mm/slab.c:3716 [inline]
__kmalloc+0x2b9/0x760 mm/slab.c:3727
kmalloc_array include/linux/slab.h:631 [inline]
kcalloc include/linux/slab.h:642 [inline]
numa_crng_init drivers/char/random.c:798 [inline]
crng_reseed+0x427/0x920 drivers/char/random.c:923
credit_entropy_bits+0x98d/0xa30 drivers/char/random.c:708
add_interrupt_randomness+0x494/0x860 drivers/char/random.c:1254
handle_irq_event_percpu+0xf9/0x1c0 kernel/irq/handle.c:191
handle_irq_event+0xa7/0x135 kernel/irq/handle.c:206
handle_edge_irq+0x20f/0x870 kernel/irq/chip.c:791
generic_handle_irq_desc include/linux/irqdesc.h:159 [inline]
handle_irq+0x18c/0x2e7 arch/x86/kernel/irq_64.c:77
do_IRQ+0x78/0x190 arch/x86/kernel/irq.c:245
common_interrupt+0xf/0xf arch/x86/entry/entry_64.S:642
</IRQ>
RIP: 0010:__sanitizer_cov_trace_const_cmp8+0x1/0x20 kernel/kcov.c:194
RSP: 0018:ffff8801d941dbf0 EFLAGS: 00000202 ORIG_RAX: ffffffffffffffda
RAX: ffff8801d94125c0 RBX: 000000007fffffff RCX: ffffffff8194e3dc
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: ffff8801d941dfb8 R08: ffff8801d94125c0 R09: fffff94000de7f23
R10: fffff94000de7f23 R11: ffffea0006f3f91f R12: 0000000000000010
R13: 0000000000000001 R14: dffffc0000000000 R15: ffff8801d941df90
pagevec_lookup_range_tag+0x40/0x80 mm/swap.c:1006
mpage_prepare_extent_to_map+0x3ff/0x1100 fs/ext4/inode.c:2633
ext4_writepages+0x186f/0x4030 fs/ext4/inode.c:2853
do_writepages+0x9a/0x1a0 mm/page-writeback.c:2341
__writeback_single_inode+0x1e4/0x15c0 fs/fs-writeback.c:1323
writeback_sb_inodes+0x6f0/0x11a0 fs/fs-writeback.c:1587
__writeback_inodes_wb+0x1b0/0x320 fs/fs-writeback.c:1656
wb_writeback+0x9e4/0xf50 fs/fs-writeback.c:1765
wb_check_old_data_flush fs/fs-writeback.c:1867 [inline]
wb_do_writeback fs/fs-writeback.c:1920 [inline]
wb_workfn+0xfba/0x1770 fs/fs-writeback.c:1949
process_one_work+0xc1e/0x1b50 kernel/workqueue.c:2145
worker_thread+0x1cc/0x1440 kernel/workqueue.c:2279
kthread+0x345/0x410 kernel/kthread.c:238
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412
BUG: sleeping function called from invalid context at mm/slab.h:421
in_atomic(): 1, irqs_disabled(): 1, pid: 22, name: kworker/u4:1
6 locks held by kworker/u4:1/22:
#0: (ptrval) ((wq_completion)"writeback"){+.+.}, at:
__write_once_size include/linux/compiler.h:215 [inline]
#0: (ptrval) ((wq_completion)"writeback"){+.+.}, at:
arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]
#0: (ptrval) ((wq_completion)"writeback"){+.+.}, at: atomic64_set
include/asm-generic/atomic-instrumented.h:40 [inline]
#0: (ptrval) ((wq_completion)"writeback"){+.+.}, at:
atomic_long_set include/asm-generic/atomic-long.h:57 [inline]
#0: (ptrval) ((wq_completion)"writeback"){+.+.}, at: set_work_data
kernel/workqueue.c:617 [inline]
#0: (ptrval) ((wq_completion)"writeback"){+.+.}, at:
set_work_pool_and_clear_pending kernel/workqueue.c:644 [inline]
#0: (ptrval) ((wq_completion)"writeback"){+.+.}, at:
process_one_work+0xaef/0x1b50 kernel/workqueue.c:2116
#1: (ptrval) ((work_completion)(&(&wb->dwork)->work)){+.+.}, at:
process_one_work+0xb46/0x1b50 kernel/workqueue.c:2120
#2: (ptrval) (&type->s_umount_key#29){++++}, at:
trylock_super+0x22/0x110 fs/super.c:399
#3: (ptrval) (&sbi->s_journal_flag_rwsem){.+.+}, at:
do_writepages+0x9a/0x1a0 mm/page-writeback.c:2341
#4: (ptrval) (jbd2_handle){.+.+}, at:
start_this_handle+0x581/0x1250 fs/jbd2/transaction.c:385
#5: (ptrval) (rcu_read_lock){....}, at:
find_get_pages_range_tag+0x139/0x1250 mm/filemap.c:1874
irq event stamp: 59140
hardirqs last enabled at (59139): [<ffffffff819829aa>]
free_unref_page_list+0xc9a/0x12c0 mm/page_alloc.c:2849
hardirqs last disabled at (59140): [<ffffffff87800905>]
interrupt_entry+0xb5/0xf0 arch/x86/entry/entry_64.S:625
softirqs last enabled at (59128): [<ffffffff87a00778>]
__do_softirq+0x778/0xaf5 kernel/softirq.c:311
softirqs last disabled at (59121): [<ffffffff81475041>] invoke_softirq
kernel/softirq.c:365 [inline]
softirqs last disabled at (59121): [<ffffffff81475041>]
irq_exit+0x1d1/0x200 kernel/softirq.c:405
CPU: 0 PID: 22 Comm: kworker/u4:1 Not tainted 4.17.0-rc1+ #12
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: writeback wb_workfn (flush-8:0)
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1b9/0x294 lib/dump_stack.c:113
___might_sleep.cold.87+0x11f/0x13a kernel/sched/core.c:6188
__might_sleep+0x95/0x190 kernel/sched/core.c:6141
slab_pre_alloc_hook mm/slab.h:421 [inline]
slab_alloc mm/slab.c:3378 [inline]
__do_kmalloc mm/slab.c:3716 [inline]
__kmalloc+0x2b9/0x760 mm/slab.c:3727
kmalloc_array include/linux/slab.h:631 [inline]
kcalloc include/linux/slab.h:642 [inline]
numa_crng_init drivers/char/random.c:798 [inline]
crng_reseed+0x427/0x920 drivers/char/random.c:923
credit_entropy_bits+0x98d/0xa30 drivers/char/random.c:708
add_interrupt_randomness+0x494/0x860 drivers/char/random.c:1254
handle_irq_event_percpu+0xf9/0x1c0 kernel/irq/handle.c:191
handle_irq_event+0xa7/0x135 kernel/irq/handle.c:206
handle_edge_irq+0x20f/0x870 kernel/irq/chip.c:791
generic_handle_irq_desc include/linux/irqdesc.h:159 [inline]
handle_irq+0x18c/0x2e7 arch/x86/kernel/irq_64.c:77
do_IRQ+0x78/0x190 arch/x86/kernel/irq.c:245
common_interrupt+0xf/0xf arch/x86/entry/entry_64.S:642
</IRQ>
RIP: 0010:__sanitizer_cov_trace_const_cmp8+0x1/0x20 kernel/kcov.c:194
RSP: 0018:ffff8801d941dbf0 EFLAGS: 00000202 ORIG_RAX: ffffffffffffffda
RAX: ffff8801d94125c0 RBX: 000000007fffffff RCX: ffffffff8194e3dc
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: ffff8801d941dfb8 R08: ffff8801d94125c0 R09: fffff94000de7f23
R10: fffff94000de7f23 R11: ffffea0006f3f91f R12: 0000000000000010
R13: 0000000000000001 R14: dffffc0000000000 R15: ffff8801d941df90
pagevec_lookup_range_tag+0x40/0x80 mm/swap.c:1006
mpage_prepare_extent_to_map+0x3ff/0x1100 fs/ext4/inode.c:2633
ext4_writepages+0x186f/0x4030 fs/ext4/inode.c:2853
do_writepages+0x9a/0x1a0 mm/page-writeback.c:2341
__writeback_single_inode+0x1e4/0x15c0 fs/fs-writeback.c:1323
writeback_sb_inodes+0x6f0/0x11a0 fs/fs-writeback.c:1587
__writeback_inodes_wb+0x1b0/0x320 fs/fs-writeback.c:1656
wb_writeback+0x9e4/0xf50 fs/fs-writeback.c:1765
wb_check_old_data_flush fs/fs-writeback.c:1867 [inline]
wb_do_writeback fs/fs-writeback.c:1920 [inline]
wb_workfn+0xfba/0x1770 fs/fs-writeback.c:1949
process_one_work+0xc1e/0x1b50 kernel/workqueue.c:2145
worker_thread+0x1cc/0x1440 kernel/workqueue.c:2279
kthread+0x345/0x410 kernel/kthread.c:238
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412
random: crng init done
can: request_module (can-proto-0) failed.
can: request_module (can-proto-0) failed.
---
This bug is generated by a dumb bot. It may contain errors.
See
https://goo.gl/tpsmEJ for details.
Direct all questions to
syzk...@googlegroups.com.
syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is
merged
into any tree, please reply to this email with:
#syz fix: exact-commit-title
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
Note: all commands must start from beginning of the line in the email body.
To upstream this report, please reply with:
#syz upstream