Re: [syzbot] [usb?] [input?] INFO: task hung in __input_unregister_device (5)

2024-06-04 Thread syzbot
syzbot has bisected this issue to:

commit 6b0b708f12d18f9cccfb1c418bea59fcbff8798c
Author: Takashi Sakamoto 
Date:   Wed May 1 07:32:38 2024 +

firewire: core: add tracepoint event for handling bus reset

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=14969a1698
start commit:   e0cce98fe279 Merge tag 'tpmdd-next-6.10-rc2' of git://git...
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12969a1698
kernel config:  https://syzkaller.appspot.com/x/.config?x=238430243a58f702
dashboard link: https://syzkaller.appspot.com/bug?extid=78e2288f58b881ed3c45
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=1318e16298
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=122e8eaa98

Reported-by: syzbot+78e2288f58b881ed3...@syzkaller.appspotmail.com
Fixes: 6b0b708f12d1 ("firewire: core: add tracepoint event for handling bus reset")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection



[syzbot] Monthly trace report (May 2024)

2024-05-31 Thread syzbot
Hello trace maintainers/developers,

This is a 31-day syzbot report for the trace subsystem.
All related reports/information can be found at:
https://syzkaller.appspot.com/upstream/s/trace

During the period, 1 new issue was detected and 0 were fixed.
In total, 10 issues are still open and 35 have been fixed so far.

Some of the still happening issues:

Ref Crashes Repro Title
<1> 705 Yes   WARNING in format_decode (3)
  https://syzkaller.appspot.com/bug?extid=e2c932aec5c8a6e1d31c
<2> 26  Yes   INFO: task hung in blk_trace_ioctl (4)
  https://syzkaller.appspot.com/bug?extid=ed812ed461471ab17a0c
<3> 7   Yes   WARNING in get_probe_ref
  https://syzkaller.appspot.com/bug?extid=8672dcb9d10011c0a160
<4> 6   Yes   INFO: task hung in blk_trace_remove (2)
  https://syzkaller.appspot.com/bug?extid=2373f6be3e6de4f92562
<5> 5   Yes   general protection fault in bpf_get_attach_cookie_tracing
  https://syzkaller.appspot.com/bug?extid=3ab78ff125b7979e45f9

---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

To disable reminders for individual bugs, reply with the following command:
#syz set  no-reminders

To change bug's subsystems, reply with:
#syz set  subsystems: new-subsystem

You may send multiple commands in a single email message.



[syzbot] [bpf?] [trace?] general protection fault in bpf_get_attach_cookie_tracing

2024-05-05 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:    a9e7715ce8b3 libbpf: Avoid casts from pointers to enums in..
git tree:   bpf-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=153c1dc498
kernel config:  https://syzkaller.appspot.com/x/.config?x=e8aa3e4736485e94
dashboard link: https://syzkaller.appspot.com/bug?extid=3ab78ff125b7979e45f9
compiler:   Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=17d4b58898
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16cb047098

Downloadable assets:
disk image: 
https://storage.googleapis.com/syzbot-assets/a6daa7801875/disk-a9e7715c.raw.xz
vmlinux: 
https://storage.googleapis.com/syzbot-assets/0d5b51385a69/vmlinux-a9e7715c.xz
kernel image: 
https://storage.googleapis.com/syzbot-assets/999297a08631/bzImage-a9e7715c.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3ab78ff125b7979e4...@syzkaller.appspotmail.com

general protection fault, probably for non-canonical address 0xdc00:  [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x-0x0007]
CPU: 0 PID: 5082 Comm: syz-executor316 Not tainted 6.9.0-rc5-syzkaller-01452-ga9e7715ce8b3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
RIP: 0010:bpf_get_attach_cookie_tracing kernel/trace/bpf_trace.c:1179 [inline]
RIP: 0010:bpf_get_attach_cookie_tracing+0x46/0x60 kernel/trace/bpf_trace.c:1174
Code: d3 03 00 48 81 c3 00 18 00 00 48 89 d8 48 c1 e8 03 42 80 3c 30 00 74 08 48 89 df e8 54 b9 59 00 48 8b 1b 48 89 d8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 df e8 3b b9 59 00 48 8b 03 5b 41 5e c3
RSP: 0018:c90002f9fba8 EFLAGS: 00010246
RAX:  RBX:  RCX: 888029575a00
RDX:  RSI: c9ace048 RDI: 
RBP: c90002f9fbc0 R08: 89938ae7 R09: 125e80a0
R10: dc00 R11: a950 R12: c90002f9fc80
R13: dc00 R14: dc00 R15: 
FS:  78992380() GS:8880b940() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 2e3e9388 CR3: 791c2000 CR4: 003506f0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 
 bpf_prog_fe13437f26555f61+0x1a/0x1c
 bpf_dispatcher_nop_func include/linux/bpf.h:1243 [inline]
 __bpf_prog_run include/linux/filter.h:691 [inline]
 bpf_prog_run include/linux/filter.h:698 [inline]
 __bpf_prog_test_run_raw_tp+0x149/0x310 net/bpf/test_run.c:732
 bpf_prog_test_run_raw_tp+0x47b/0x6a0 net/bpf/test_run.c:772
 bpf_prog_test_run+0x33a/0x3b0 kernel/bpf/syscall.c:4286
 __sys_bpf+0x48d/0x810 kernel/bpf/syscall.c:5700
 __do_sys_bpf kernel/bpf/syscall.c:5789 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5787 [inline]
 __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5787
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f53be8a0469
Code: 48 83 c4 28 c3 e8 37 17 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:7ffdcf680a08 EFLAGS: 0246 ORIG_RAX: 0141
RAX: ffda RBX: 7ffdcf680bd8 RCX: 7f53be8a0469
RDX: 000c RSI: 2080 RDI: 000a
RBP: 7f53be913610 R08:  R09: 7ffdcf680bd8
R10: 7f53be8dbae3 R11: 0246 R12: 0001
R13: 7ffdcf680bc8 R14: 0001 R15: 0001
 
Modules linked in:
---[ end trace  ]---
RIP: 0010:bpf_get_attach_cookie_tracing kernel/trace/bpf_trace.c:1179 [inline]
RIP: 0010:bpf_get_attach_cookie_tracing+0x46/0x60 kernel/trace/bpf_trace.c:1174
Code: d3 03 00 48 81 c3 00 18 00 00 48 89 d8 48 c1 e8 03 42 80 3c 30 00 74 08 48 89 df e8 54 b9 59 00 48 8b 1b 48 89 d8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 df e8 3b b9 59 00 48 8b 03 5b 41 5e c3
RSP: 0018:c90002f9fba8 EFLAGS: 00010246
RAX:  RBX:  RCX: 888029575a00
RDX:  RSI: c9ace048 RDI: 
RBP: c90002f9fbc0 R08: 89938ae7 R09: 125e80a0
R10: dc00 R11: a950 R12: c90002f9fc80
R13: dc00 R14: dc00 R15: 
FS:  78992380() GS:8880b940() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 2e3e9388 CR3: 791c2000 CR4: 003506f0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
---

Re: [syzbot] [net?] [virt?] [kvm?] KASAN: slab-use-after-free Read in vhost_task_fn

2024-05-01 Thread syzbot
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any 
issue:

Reported-and-tested-by: syzbot+98edc2df894917b34...@syzkaller.appspotmail.com

Tested on:

commit: f138e94c KASAN: slab-use-after-free Read in vhost_task..
git tree:   https://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost.git
console output: https://syzkaller.appspot.com/x/log.txt?x=10a152a718
kernel config:  https://syzkaller.appspot.com/x/.config?x=3714fc09f933e505
dashboard link: https://syzkaller.appspot.com/bug?extid=98edc2df894917b3431f
compiler:   Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

Note: no patches were applied.
Note: testing is done by a robot and is best-effort only.



[syzbot] [net?] [virt?] [kvm?] KASAN: slab-use-after-free Read in vhost_task_fn

2024-04-30 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:    bb7a2467e6be Add linux-next specific files for 20240426
git tree:   linux-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=123bf96b18
kernel config:  https://syzkaller.appspot.com/x/.config?x=5c6a0288262dd108
dashboard link: https://syzkaller.appspot.com/bug?extid=98edc2df894917b3431f
compiler:   Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=11c8a4ef18
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16c3002898

Downloadable assets:
disk image: 
https://storage.googleapis.com/syzbot-assets/5175af7dda64/disk-bb7a2467.raw.xz
vmlinux: 
https://storage.googleapis.com/syzbot-assets/70db0462e868/vmlinux-bb7a2467.xz
kernel image: 
https://storage.googleapis.com/syzbot-assets/3217fb825698/bzImage-bb7a2467.xz

The issue was bisected to:

commit a3df30984f4faf82d63d2a96f8ac773403ce935d
Author: Mike Christie 
Date:   Sat Mar 16 00:47:06 2024 +

vhost_task: Handle SIGKILL by flushing work and exiting

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=1442391718
final oops: https://syzkaller.appspot.com/x/report.txt?x=1642391718
console output: https://syzkaller.appspot.com/x/log.txt?x=1242391718

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+98edc2df894917b34...@syzkaller.appspotmail.com
Fixes: a3df30984f4f ("vhost_task: Handle SIGKILL by flushing work and exiting")

==
BUG: KASAN: slab-use-after-free in instrument_atomic_read include/linux/instrumented.h:68 [inline]
BUG: KASAN: slab-use-after-free in atomic_long_read include/linux/atomic/atomic-instrumented.h:3188 [inline]
BUG: KASAN: slab-use-after-free in __mutex_unlock_slowpath+0xef/0x750 kernel/locking/mutex.c:921
Read of size 8 at addr 88802a9d9080 by task vhost-5103/5104

CPU: 1 PID: 5104 Comm: vhost-5103 Not tainted 6.9.0-rc5-next-20240426-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
 
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:488
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
 instrument_atomic_read include/linux/instrumented.h:68 [inline]
 atomic_long_read include/linux/atomic/atomic-instrumented.h:3188 [inline]
 __mutex_unlock_slowpath+0xef/0x750 kernel/locking/mutex.c:921
 vhost_task_fn+0x3bc/0x3f0 kernel/vhost_task.c:65
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 

Allocated by task 5103:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
 __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387
 kasan_kmalloc include/linux/kasan.h:211 [inline]
 kmalloc_trace_noprof+0x19c/0x2b0 mm/slub.c:4146
 kmalloc_noprof include/linux/slab.h:660 [inline]
 kzalloc_noprof include/linux/slab.h:778 [inline]
 vhost_task_create+0x149/0x300 kernel/vhost_task.c:134
 vhost_worker_create+0x17b/0x3f0 drivers/vhost/vhost.c:667
 vhost_dev_set_owner+0x563/0x940 drivers/vhost/vhost.c:945
 vhost_dev_ioctl+0xda/0xda0 drivers/vhost/vhost.c:2108
 vhost_vsock_dev_ioctl+0x2bb/0xfa0 drivers/vhost/vsock.c:875
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:907 [inline]
 __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 5103:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
 poison_slab_object+0xe0/0x150 mm/kasan/common.c:240
 __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256
 kasan_slab_free include/linux/kasan.h:184 [inline]
 slab_free_hook mm/slub.c:2190 [inline]
 slab_free mm/slub.c:4430 [inline]
 kfree+0x149/0x350 mm/slub.c:4551
 vhost_worker_destroy drivers/vhost/vhost.c:629 [inline]
 vhost_workers_free drivers/vhost/vhost.c:648 [inline]
 vhost_dev_cleanup+0x9b0/0xba0 drivers/vhost/vhost.c:1051
 vhost_vsock_dev_release+0x3aa/0x410 drivers/vhost/vsock.c:751
 __fput+0x406/0x8b0 fs/file_table.c:422
 __do_sys_close fs/open.c:1555 [inline]
 __se_sys_close fs/open.c:1540 [inline]
 __x64_sys_close+0x7f/0x110 fs/open.c:1540
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at 88802a9d9000
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 128 bytes inside of
 freed 512-b

[syzbot] Monthly trace report (Apr 2024)

2024-04-30 Thread syzbot
Hello trace maintainers/developers,

This is a 31-day syzbot report for the trace subsystem.
All related reports/information can be found at:
https://syzkaller.appspot.com/upstream/s/trace

During the period, 3 new issues were detected and 2 were fixed.
In total, 9 issues are still open and 34 have been fixed so far.

Some of the still happening issues:

Ref Crashes Repro Title
<1> 471 Yes   WARNING in format_decode (3)
  https://syzkaller.appspot.com/bug?extid=e2c932aec5c8a6e1d31c
<2> 26  Yes   INFO: task hung in blk_trace_ioctl (4)
  https://syzkaller.appspot.com/bug?extid=ed812ed461471ab17a0c
<3> 26  Yes   WARNING in blk_register_tracepoints
  https://syzkaller.appspot.com/bug?extid=c54ded83396afee31eb1
<4> 13  No    possible deadlock in __send_signal_locked
  https://syzkaller.appspot.com/bug?extid=6e3b6eab5bd4ed584a38
<5> 7   Yes   WARNING in get_probe_ref
  https://syzkaller.appspot.com/bug?extid=8672dcb9d10011c0a160




Re: [syzbot] [bpf?] [trace?] possible deadlock in force_sig_info_to_task

2024-04-27 Thread syzbot
syzbot has found a reproducer for the following issue on:

HEAD commit:    5eb4573ea63d Merge tag 'soc-fixes-6.9-2' of git://git.kern..
git tree:   upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=17b2b24098
kernel config:  https://syzkaller.appspot.com/x/.config?x=3d46aa9d7a44f40d
dashboard link: https://syzkaller.appspot.com/bug?extid=83e7f982ca045ab4405c
compiler:   Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=120f79ef18
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=13a1cd2718

Downloadable assets:
disk image: 
https://storage.googleapis.com/syzbot-assets/d647177a878d/disk-5eb4573e.raw.xz
vmlinux: 
https://storage.googleapis.com/syzbot-assets/977f32ca169c/vmlinux-5eb4573e.xz
kernel image: 
https://storage.googleapis.com/syzbot-assets/67f3b92c1012/bzImage-5eb4573e.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+83e7f982ca045ab44...@syzkaller.appspotmail.com

==
WARNING: possible circular locking dependency detected
6.9.0-rc5-syzkaller-00296-g5eb4573ea63d #0 Not tainted
--
syz-executor324/5151 is trying to acquire lock:
88802a6c8018 (>siglock){}-{2:2}, at: force_sig_info_to_task+0x68/0x580 kernel/signal.c:1334

but task is already holding lock:
8880b943e658 (>__lock){-.-.}-{2:2}, at: raw_spin_rq_lock_nested+0x2a/0x140 kernel/sched/core.c:559

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #2 (>__lock){-.-.}-{2:2}:
   lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754
   _raw_spin_lock_nested+0x31/0x40 kernel/locking/spinlock.c:378
   raw_spin_rq_lock_nested+0x2a/0x140 kernel/sched/core.c:559
   raw_spin_rq_lock kernel/sched/sched.h:1387 [inline]
   rq_lock kernel/sched/sched.h:1701 [inline]
   task_fork_fair+0x61/0x1e0 kernel/sched/fair.c:12635
   sched_cgroup_fork+0x37c/0x410 kernel/sched/core.c:4845
   copy_process+0x2217/0x3df0 kernel/fork.c:2499
   kernel_clone+0x223/0x870 kernel/fork.c:2797
   user_mode_thread+0x132/0x1a0 kernel/fork.c:2875
   rest_init+0x23/0x300 init/main.c:704
   start_kernel+0x47a/0x500 init/main.c:1081
   x86_64_start_reservations+0x2a/0x30 arch/x86/kernel/head64.c:507
   x86_64_start_kernel+0x99/0xa0 arch/x86/kernel/head64.c:488
   common_startup_64+0x13e/0x147

-> #1 (>pi_lock){-.-.}-{2:2}:
   lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754
   __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
   _raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162
   class_raw_spinlock_irqsave_constructor include/linux/spinlock.h:553 [inline]
   try_to_wake_up+0xb0/0x1470 kernel/sched/core.c:4262
   signal_wake_up_state+0xb4/0x120 kernel/signal.c:773
   signal_wake_up include/linux/sched/signal.h:448 [inline]
   complete_signal+0x94a/0xcf0 kernel/signal.c:1065
   __send_signal_locked+0xb1b/0xdc0 kernel/signal.c:1185
   do_notify_parent+0xd96/0x10a0 kernel/signal.c:2143
   exit_notify kernel/exit.c:757 [inline]
   do_exit+0x1811/0x27e0 kernel/exit.c:898
   do_group_exit+0x207/0x2c0 kernel/exit.c:1027
   __do_sys_exit_group kernel/exit.c:1038 [inline]
   __se_sys_exit_group kernel/exit.c:1036 [inline]
   __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1036
   do_syscall_x64 arch/x86/entry/common.c:52 [inline]
   do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
   entry_SYSCALL_64_after_hwframe+0x77/0x7f

-> #0 (>siglock){}-{2:2}:
   check_prev_add kernel/locking/lockdep.c:3134 [inline]
   check_prevs_add kernel/locking/lockdep.c:3253 [inline]
   validate_chain+0x18cb/0x58e0 kernel/locking/lockdep.c:3869
   __lock_acquire+0x1346/0x1fd0 kernel/locking/lockdep.c:5137
   lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754
   __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
   _raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162
   force_sig_info_to_task+0x68/0x580 kernel/signal.c:1334
   force_sig_fault_to_task kernel/signal.c:1733 [inline]
   force_sig_fault+0x12c/0x1d0 kernel/signal.c:1738
   __bad_area_nosemaphore+0x127/0x780 arch/x86/mm/fault.c:814
   handle_page_fault arch/x86/mm/fault.c:1505 [inline]
   exc_page_fault+0x612/0x8e0 arch/x86/mm/fault.c:1563
   asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
   rep_movs_alternative+0x22/0x70 arch/x86/lib/copy_user_64.S:48
   copy_user_generic arch/x86/include/asm/uaccess_64.h:110 [inline]
   raw_copy_from_user arch/x86/include/asm/uaccess_64.h:125 [inline]
   __copy_from_user_inatomic include/linux/uaccess.h:87 [inline]
   copy_from_user_nofault+0xb

[syzbot] [bpf?] [trace?] WARNING in group_send_sig_info

2024-04-27 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:    443574b03387 riscv, bpf: Fix kfunc parameters incompatibil..
git tree:   bpf
console output: https://syzkaller.appspot.com/x/log.txt?x=11ca8fe718
kernel config:  https://syzkaller.appspot.com/x/.config?x=6fb1be60a193d440
dashboard link: https://syzkaller.appspot.com/bug?extid=1902c6d326478ce2dfb0
compiler:   Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: 
https://storage.googleapis.com/syzbot-assets/3f355021a085/disk-443574b0.raw.xz
vmlinux: 
https://storage.googleapis.com/syzbot-assets/44cf4de7472a/vmlinux-443574b0.xz
kernel image: 
https://storage.googleapis.com/syzbot-assets/a99a36c7ad65/bzImage-443574b0.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+1902c6d326478ce2d...@syzkaller.appspotmail.com

[ cut here ]
raw_local_irq_restore() called with IRQs enabled
WARNING: CPU: 1 PID: 7785 at kernel/locking/irqflag-debug.c:10 warn_bogus_irq_restore+0x29/0x40 kernel/locking/irqflag-debug.c:10
Modules linked in:
CPU: 1 PID: 7785 Comm: syz-executor.3 Not tainted 6.8.0-syzkaller-05236-g443574b03387 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
RIP: 0010:warn_bogus_irq_restore+0x29/0x40 kernel/locking/irqflag-debug.c:10
Code: 90 f3 0f 1e fa 90 80 3d de 59 01 04 00 74 06 90 c3 cc cc cc cc c6 05 cf 59 01 04 01 90 48 c7 c7 20 ba aa 8b e8 f8 d5 e7 f5 90 <0f> 0b 90 90 90 c3 cc cc cc cc 66 2e 0f 1f 84 00 00 00 00 00 0f 1f
RSP: 0018:c9000399fbb8 EFLAGS: 00010246

RAX: 4aede97b00455d00 RBX: 192000733f7c RCX: 88802a129e00
RDX:  RSI:  RDI: 
RBP: c9000399fc50 R08: 8157cc12 R09: 1110172a51a2
R10: dc00 R11: ed10172a51a3 R12: dc00
R13: 192000733f78 R14: c9000399fbe0 R15: 0246
FS:  7ae76480() GS:8880b950() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 7ffc27e190f8 CR3: 6cb5 CR4: 003506f0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 
 __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline]
 _raw_spin_unlock_irqrestore+0x120/0x140 kernel/locking/spinlock.c:194
 spin_unlock_irqrestore include/linux/spinlock.h:406 [inline]
 unlock_task_sighand include/linux/sched/signal.h:754 [inline]
 do_send_sig_info kernel/signal.c:1302 [inline]
 group_send_sig_info+0x2e0/0x310 kernel/signal.c:1453
 bpf_send_signal_common+0x2dd/0x430 kernel/trace/bpf_trace.c:881
 bpf_send_signal kernel/trace/bpf_trace.c:886 [inline]
 bpf_send_signal+0x19/0x30 kernel/trace/bpf_trace.c:884
 bpf_prog_8cc4ff36b5985b6a+0x1d/0x1f
 bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline]
 __bpf_prog_run include/linux/filter.h:650 [inline]
 bpf_prog_run include/linux/filter.h:664 [inline]
 __bpf_trace_run kernel/trace/bpf_trace.c:2381 [inline]
 bpf_trace_run2+0x375/0x420 kernel/trace/bpf_trace.c:2420
 trace_sys_exit include/trace/events/syscalls.h:44 [inline]
 syscall_exit_work+0x153/0x170 kernel/entry/common.c:163
 syscall_exit_to_user_mode_prepare kernel/entry/common.c:194 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:199 [inline]
 syscall_exit_to_user_mode+0x273/0x360 kernel/entry/common.c:212
 do_syscall_64+0x10a/0x240 arch/x86/entry/common.c:89
 entry_SYSCALL_64_after_hwframe+0x6d/0x75
RIP: 0033:0x7f8e47e7dc0b
Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
RSP: 002b:7ffd999e9950 EFLAGS: 0246 ORIG_RAX: 0010
RAX: fffa RBX: 0003 RCX: 7f8e47e7dc0b
RDX:  RSI: 4c01 RDI: 0003
RBP: 7ffd999e9a0c R08:  R09: 7ffd999e96f7
R10:  R11: 0246 R12: 0032
R13: 0004757a R14: 0004754c R15: 000f
 


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup



[syzbot] [bpf?] [trace?] possible deadlock in force_sig_info_to_task

2024-04-25 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:    977b1ef51866 Merge tag 'block-6.9-20240420' of git://git.k..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17080d2098
kernel config:  https://syzkaller.appspot.com/x/.config?x=f47e5e015c177e57
dashboard link: https://syzkaller.appspot.com/bug?extid=83e7f982ca045ab4405c
compiler:   Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: 
https://storage.googleapis.com/syzbot-assets/549d1add1da9/disk-977b1ef5.raw.xz
vmlinux: 
https://storage.googleapis.com/syzbot-assets/3e8e501c8aa2/vmlinux-977b1ef5.xz
kernel image: 
https://storage.googleapis.com/syzbot-assets/d02f7cb905b8/bzImage-977b1ef5.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+83e7f982ca045ab44...@syzkaller.appspotmail.com

==
WARNING: possible circular locking dependency detected
6.9.0-rc4-syzkaller-00266-g977b1ef51866 #0 Not tainted
--
syz-executor.0/11241 is trying to acquire lock:
888020a2c0d8 (>siglock){-.-.}-{2:2}, at: force_sig_info_to_task+0x68/0x580 kernel/signal.c:1334

but task is already holding lock:
8880b943e658 (>__lock){-.-.}-{2:2}, at: raw_spin_rq_lock_nested+0x2a/0x140 kernel/sched/core.c:559

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #1 (>__lock){-.-.}-{2:2}:
   lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754
   _raw_spin_lock_nested+0x31/0x40 kernel/locking/spinlock.c:378
   raw_spin_rq_lock_nested+0x2a/0x140 kernel/sched/core.c:559
   raw_spin_rq_lock kernel/sched/sched.h:1385 [inline]
   _raw_spin_rq_lock_irqsave kernel/sched/sched.h:1404 [inline]
   rq_lock_irqsave kernel/sched/sched.h:1683 [inline]
   class_rq_lock_irqsave_constructor kernel/sched/sched.h:1737 [inline]
   sched_mm_cid_exit_signals+0x17b/0x4b0 kernel/sched/core.c:12005
   exit_signals+0x2a1/0x5c0 kernel/signal.c:3016
   do_exit+0x6a8/0x27e0 kernel/exit.c:837
   __do_sys_exit kernel/exit.c:994 [inline]
   __se_sys_exit kernel/exit.c:992 [inline]
   __pfx___ia32_sys_exit+0x0/0x10 kernel/exit.c:992
   do_syscall_x64 arch/x86/entry/common.c:52 [inline]
   do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
   entry_SYSCALL_64_after_hwframe+0x77/0x7f

-> #0 (>siglock){-.-.}-{2:2}:
   check_prev_add kernel/locking/lockdep.c:3134 [inline]
   check_prevs_add kernel/locking/lockdep.c:3253 [inline]
   validate_chain+0x18cb/0x58e0 kernel/locking/lockdep.c:3869
   __lock_acquire+0x1346/0x1fd0 kernel/locking/lockdep.c:5137
   lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754
   __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
   _raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162
   force_sig_info_to_task+0x68/0x580 kernel/signal.c:1334
   force_sig_fault_to_task kernel/signal.c:1733 [inline]
   force_sig_fault+0x12c/0x1d0 kernel/signal.c:1738
   __bad_area_nosemaphore+0x127/0x780 arch/x86/mm/fault.c:814
   handle_page_fault arch/x86/mm/fault.c:1505 [inline]
   exc_page_fault+0x612/0x8e0 arch/x86/mm/fault.c:1563
   asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
   strncpy_from_user+0x2c6/0x2f0 lib/strncpy_from_user.c:138
   strncpy_from_user_nofault+0x71/0x140 mm/maccess.c:186
   bpf_probe_read_user_str_common kernel/trace/bpf_trace.c:216 [inline]
   bpf_probe_read_compat_str kernel/trace/bpf_trace.c:311 [inline]
   bpf_probe_read_compat_str+0xe9/0x180 kernel/trace/bpf_trace.c:307
   bpf_prog_e42f6260c1b72fb3+0x3d/0x3f
   bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline]
   __bpf_prog_run include/linux/filter.h:657 [inline]
   bpf_prog_run include/linux/filter.h:664 [inline]
   __bpf_trace_run kernel/trace/bpf_trace.c:2381 [inline]
   bpf_trace_run4+0x25a/0x490 kernel/trace/bpf_trace.c:2422
   __traceiter_sched_switch+0x98/0xd0 include/trace/events/sched.h:222
   trace_sched_switch include/trace/events/sched.h:222 [inline]
   __schedule+0x2535/0x4a00 kernel/sched/core.c:6743
   preempt_schedule_irq+0xfb/0x1c0 kernel/sched/core.c:7068
   irqentry_exit+0x5e/0x90 kernel/entry/common.c:354
   asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
   force_sig_fault+0x0/0x1d0
   __bad_area_nosemaphore+0x127/0x780 arch/x86/mm/fault.c:814
   handle_page_fault arch/x86/mm/fault.c:1505 [inline]
   exc_page_fault+0x612/0x8e0 arch/x86/mm/fault.c:1563
   asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
   __put_user_handle_exception+0x0/0x10
   __do_sys_gettimeofday kernel/time/

Re: [syzbot] [virt?] [net?] KMSAN: uninit-value in vsock_assign_transport (2)

2024-04-22 Thread syzbot
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any 
issue:

Reported-and-tested-by: syzbot+6c21aeb59d0e82eb2...@syzkaller.appspotmail.com

Tested on:

commit: bcc17a06 vhost/vsock: always initialize seqpacket_allow
git tree:   https://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost.git
console output: https://syzkaller.appspot.com/x/log.txt?x=12b58abb18
kernel config:  https://syzkaller.appspot.com/x/.config?x=87a805e655619c64
dashboard link: https://syzkaller.appspot.com/bug?extid=6c21aeb59d0e82eb2782
compiler:   Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

Note: no patches were applied.
Note: testing is done by a robot and is best-effort only.



[syzbot] [virt?] [net?] KMSAN: uninit-value in vsock_assign_transport (2)

2024-04-19 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:    8cd26fd90c1a Merge tag 'for-6.9-rc4-tag' of git://git.kern..
git tree:   upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=102d27cd18
kernel config:  https://syzkaller.appspot.com/x/.config?x=87a805e655619c64
dashboard link: https://syzkaller.appspot.com/bug?extid=6c21aeb59d0e82eb2782
compiler:   Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=16e38c3b18
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=10e62fed18

Downloadable assets:
disk image: 
https://storage.googleapis.com/syzbot-assets/488822aee24a/disk-8cd26fd9.raw.xz
vmlinux: 
https://storage.googleapis.com/syzbot-assets/ba40e322ba00/vmlinux-8cd26fd9.xz
kernel image: 
https://storage.googleapis.com/syzbot-assets/f30af1dfbc30/bzImage-8cd26fd9.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+6c21aeb59d0e82eb2...@syzkaller.appspotmail.com

=
BUG: KMSAN: uninit-value in vsock_assign_transport+0xb2a/0xb90 net/vmw_vsock/af_vsock.c:500
 vsock_assign_transport+0xb2a/0xb90 net/vmw_vsock/af_vsock.c:500
 vsock_connect+0x544/0x1560 net/vmw_vsock/af_vsock.c:1393
 __sys_connect_file net/socket.c:2048 [inline]
 __sys_connect+0x606/0x690 net/socket.c:2065
 __do_sys_connect net/socket.c:2075 [inline]
 __se_sys_connect net/socket.c:2072 [inline]
 __x64_sys_connect+0x91/0xe0 net/socket.c:2072
 x64_sys_call+0x3356/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:43
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
 __kmalloc_large_node+0x231/0x370 mm/slub.c:3921
 __do_kmalloc_node mm/slub.c:3954 [inline]
 __kmalloc_node+0xb07/0x1060 mm/slub.c:3973
 kmalloc_node include/linux/slab.h:648 [inline]
 kvmalloc_node+0xc0/0x2d0 mm/util.c:634
 kvmalloc include/linux/slab.h:766 [inline]
 vhost_vsock_dev_open+0x44/0x510 drivers/vhost/vsock.c:659
 misc_open+0x66b/0x760 drivers/char/misc.c:165
 chrdev_open+0xa5f/0xb80 fs/char_dev.c:414
 do_dentry_open+0x11f1/0x2120 fs/open.c:955
 vfs_open+0x7e/0xa0 fs/open.c:1089
 do_open fs/namei.c:3642 [inline]
 path_openat+0x4a3c/0x5b00 fs/namei.c:3799
 do_filp_open+0x20e/0x590 fs/namei.c:3826
 do_sys_openat2+0x1bf/0x2f0 fs/open.c:1406
 do_sys_open fs/open.c:1421 [inline]
 __do_sys_openat fs/open.c:1437 [inline]
 __se_sys_openat fs/open.c:1432 [inline]
 __x64_sys_openat+0x2a1/0x310 fs/open.c:1432
 x64_sys_call+0x3a64/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:258
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

CPU: 1 PID: 5021 Comm: syz-executor390 Not tainted 6.9.0-rc4-syzkaller-00038-g8cd26fd90c1a #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
=


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup



[syzbot] [bpf?] [trace?] possible deadlock in __send_signal_locked

2024-04-17 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:96fca68c4fbf Merge tag 'nfsd-6.9-3' of git://git.kernel.or..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13967bb318
kernel config:  https://syzkaller.appspot.com/x/.config?x=85dbe39cf8e4f599
dashboard link: https://syzkaller.appspot.com/bug?extid=6e3b6eab5bd4ed584a38
compiler:   gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image (non-bootable): 
https://storage.googleapis.com/syzbot-assets/7bc7510fe41f/non_bootable_disk-96fca68c.raw.xz
vmlinux: 
https://storage.googleapis.com/syzbot-assets/d6d7a71ca443/vmlinux-96fca68c.xz
kernel image: 
https://storage.googleapis.com/syzbot-assets/accb76ce6c9c/bzImage-96fca68c.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+6e3b6eab5bd4ed584...@syzkaller.appspotmail.com

==
WARNING: possible circular locking dependency detected
6.9.0-rc4-syzkaller-00031-g96fca68c4fbf #0 Not tainted
--
syz-executor.0/7699 is trying to acquire lock:
88806b53d998 (>lock){-.-.}-{2:2}, at: __queue_work+0x23a/0x1020 kernel/workqueue.c:2346

but task is already holding lock:
888023446620 (>signalfd_wqh){}-{2:2}, at: __wake_up_common_lock kernel/sched/wait.c:105 [inline]
888023446620 (>signalfd_wqh){}-{2:2}, at: __wake_up+0x1c/0x60 kernel/sched/wait.c:127

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #3 (>signalfd_wqh){}-{2:2}:
   __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
   _raw_spin_lock_irqsave+0x3a/0x60 kernel/locking/spinlock.c:162
   __wake_up_common_lock kernel/sched/wait.c:105 [inline]
   __wake_up+0x1c/0x60 kernel/sched/wait.c:127
   signalfd_notify include/linux/signalfd.h:22 [inline]
   __send_signal_locked+0x951/0x11c0 kernel/signal.c:1168
   do_notify_parent+0xeb4/0x1040 kernel/signal.c:2143
   exit_notify kernel/exit.c:754 [inline]
   do_exit+0x1369/0x2c10 kernel/exit.c:898
   do_group_exit+0xd3/0x2a0 kernel/exit.c:1027
   __do_sys_exit_group kernel/exit.c:1038 [inline]
   __se_sys_exit_group kernel/exit.c:1036 [inline]
   __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1036
   do_syscall_x64 arch/x86/entry/common.c:52 [inline]
   do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
   entry_SYSCALL_64_after_hwframe+0x77/0x7f

-> #2 (>siglock){-...}-{2:2}:
   __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
   _raw_spin_lock_irqsave+0x3a/0x60 kernel/locking/spinlock.c:162
   __lock_task_sighand+0xc2/0x340 kernel/signal.c:1414
   lock_task_sighand include/linux/sched/signal.h:746 [inline]
   do_send_sig_info kernel/signal.c:1300 [inline]
   group_send_sig_info+0x290/0x300 kernel/signal.c:1453
   bpf_send_signal_common+0x2e8/0x3a0 kernel/trace/bpf_trace.c:881
   bpf_send_signal_thread kernel/trace/bpf_trace.c:898 [inline]
   bpf_send_signal_thread+0x16/0x20 kernel/trace/bpf_trace.c:896
   ___bpf_prog_run+0x3e51/0xabd0 kernel/bpf/core.c:1997
   __bpf_prog_run32+0xc1/0x100 kernel/bpf/core.c:2236
   bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline]
   __bpf_prog_run include/linux/filter.h:657 [inline]
   bpf_prog_run include/linux/filter.h:664 [inline]
   __bpf_trace_run kernel/trace/bpf_trace.c:2381 [inline]
   bpf_trace_run4+0x176/0x460 kernel/trace/bpf_trace.c:2422
   __bpf_trace_mmap_lock_acquire_returned+0x134/0x180 include/trace/events/mmap_lock.h:52
   trace_mmap_lock_acquire_returned include/trace/events/mmap_lock.h:52 [inline]
   __mmap_lock_do_trace_acquire_returned+0x456/0x790 mm/mmap_lock.c:237
   __mmap_lock_trace_acquire_returned include/linux/mmap_lock.h:36 [inline]
   mmap_write_lock include/linux/mmap_lock.h:109 [inline]
   __do_sys_set_mempolicy_home_node+0x574/0x860 mm/mempolicy.c:1568
   do_syscall_x64 arch/x86/entry/common.c:52 [inline]
   do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
   entry_SYSCALL_64_after_hwframe+0x77/0x7f

-> #1 (lock#11){+.+.}-{2:2}:
   local_lock_acquire include/linux/local_lock_internal.h:29 [inline]
   __mmap_lock_do_trace_acquire_returned+0x97/0x790 mm/mmap_lock.c:237
   __mmap_lock_trace_acquire_returned include/linux/mmap_lock.h:36 [inline]
   mmap_read_trylock include/linux/mmap_lock.h:166 [inline]
   stack_map_get_build_id_offset+0x5df/0x7d0 kernel/bpf/stackmap.c:141
   __bpf_get_stack+0x6bf/0x700 kernel/bpf/stackmap.c:449
   bpf_get_stack_raw_tp kernel/trace/bpf_trace.c:1985 [inline]
   bpf_get_stack_raw_tp+0x124/0x160 kernel/trace/bpf_trace.c:1975
   ___bpf_prog_run+0x3e51/0xabd

[syzbot] [bpf?] [trace?] possible deadlock in put_pwq_unlocked

2024-04-15 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:fe46a7dd189e Merge tag 'sound-6.9-rc1' of git://git.kernel..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16fbaf7b18
kernel config:  https://syzkaller.appspot.com/x/.config?x=fe78468a74fdc3b7
dashboard link: https://syzkaller.appspot.com/bug?extid=fdf23a9c5eeb473d9c87
compiler:   Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: 
https://storage.googleapis.com/syzbot-assets/0f7abe4afac7/disk-fe46a7dd.raw.xz
vmlinux: 
https://storage.googleapis.com/syzbot-assets/82598d09246c/vmlinux-fe46a7dd.xz
kernel image: 
https://storage.googleapis.com/syzbot-assets/efa23788c875/bzImage-fe46a7dd.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+fdf23a9c5eeb473d9...@syzkaller.appspotmail.com

[ cut here ]
==
WARNING: possible circular locking dependency detected
6.8.0-syzkaller-08951-gfe46a7dd189e #0 Not tainted
--
syz-executor.0/5198 is trying to acquire lock:
8e126300 (console_owner){}-{0:0}, at: console_trylock_spinning kernel/printk/printk.c:1997 [inline]
8e126300 (console_owner){}-{0:0}, at: vprintk_emit+0x3d6/0x770 kernel/printk/printk.c:2341

but task is already holding lock:
888016ee8120 ((worker)->lock){}-{2:2}, at: kthread_queue_work+0x27/0x180 kernel/kthread.c:1019

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #4 ((worker)->lock){}-{2:2}:
   lock_acquire+0x1e4/0x530 kernel/locking/lockdep.c:5754
   __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
   _raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162
   kthread_queue_work+0x27/0x180 kernel/kthread.c:1019
   put_pwq kernel/workqueue.c:1642 [inline]
   put_pwq_unlocked+0x12a/0x190 kernel/workqueue.c:1659
   apply_wqattrs_cleanup kernel/workqueue.c:5098 [inline]
   apply_workqueue_attrs_locked+0x132/0x210 kernel/workqueue.c:5219
   apply_workqueue_attrs+0x30/0x50 kernel/workqueue.c:5249
   padata_setup_cpumasks kernel/padata.c:435 [inline]
   padata_alloc+0x22b/0x370 kernel/padata.c:1014
   pcrypt_init_padata+0x27/0x100 crypto/pcrypt.c:327
   pcrypt_init+0x65/0xe0 crypto/pcrypt.c:352
   do_one_initcall+0x23a/0x830 init/main.c:1241
   do_initcall_level+0x157/0x210 init/main.c:1303
   do_initcalls+0x3f/0x80 init/main.c:1319
   kernel_init_freeable+0x435/0x5d0 init/main.c:1550
   kernel_init+0x1d/0x2a0 init/main.c:1439
   ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
   ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243

-> #3 (>lock){-.-.}-{2:2}:
   lock_acquire+0x1e4/0x530 kernel/locking/lockdep.c:5754
   __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
   _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
   __queue_work+0x6ec/0xec0
   queue_work_on+0x14f/0x250 kernel/workqueue.c:2435
   queue_work include/linux/workqueue.h:605 [inline]
   rpm_suspend+0xe99/0x1780 drivers/base/power/runtime.c:662
   __pm_runtime_idle+0x131/0x1a0 drivers/base/power/runtime.c:1104
   pm_runtime_put include/linux/pm_runtime.h:448 [inline]
   __device_attach+0x3e5/0x520 drivers/base/dd.c:1048
   bus_probe_device+0x189/0x260 drivers/base/bus.c:532
   device_add+0x8ff/0xca0 drivers/base/core.c:3639
   serial_base_port_add+0x2b6/0x3f0 drivers/tty/serial/serial_base_bus.c:178
   serial_core_port_device_add drivers/tty/serial/serial_core.c:3353 [inline]
   serial_core_register_port+0x393/0x1e30 drivers/tty/serial/serial_core.c:3394
   serial8250_register_8250_port+0x1433/0x1cd0 drivers/tty/serial/8250/8250_core.c:1138
   serial_pnp_probe+0x7d5/0xa20 drivers/tty/serial/8250/8250_pnp.c:478
   pnp_device_probe+0x2bc/0x460 drivers/pnp/driver.c:111
   really_probe+0x2a0/0xc50 drivers/base/dd.c:658
   __driver_probe_device+0x1a2/0x3e0 drivers/base/dd.c:800
   driver_probe_device+0x50/0x430 drivers/base/dd.c:830
   __driver_attach+0x45f/0x710 drivers/base/dd.c:1216
   bus_for_each_dev+0x23b/0x2b0 drivers/base/bus.c:368
   bus_add_driver+0x347/0x620 drivers/base/bus.c:673
   driver_register+0x23a/0x320 drivers/base/driver.c:246
   serial8250_init+0x9e/0x170 drivers/tty/serial/8250/8250_core.c:1239
   do_one_initcall+0x23a/0x830 init/main.c:1241
   do_initcall_level+0x157/0x210 init/main.c:1303
   do_initcalls+0x3f/0x80 init/main.c:1319
   kernel_init_freeable+0x435/0x5d0 init/main.c:1550
   kernel_init+0x1d/0x2a0 init/main.c:1439
   ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
   ret_from_fork_asm+0x1a/0x30

[syzbot] [trace?] [bpf?] possible deadlock in pwq_dec_nr_in_flight

2024-04-14 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:fe46a7dd189e Merge tag 'sound-6.9-rc1' of git://git.kernel..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15d2559918
kernel config:  https://syzkaller.appspot.com/x/.config?x=4d90a36f0cab495a
dashboard link: https://syzkaller.appspot.com/bug?extid=92438ab91cb6348b16fa
compiler:   Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: 
https://storage.googleapis.com/syzbot-assets/f6c04726a2ae/disk-fe46a7dd.raw.xz
vmlinux: 
https://storage.googleapis.com/syzbot-assets/09c26ce901ea/vmlinux-fe46a7dd.xz
kernel image: 
https://storage.googleapis.com/syzbot-assets/134acf7f5322/bzImage-fe46a7dd.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+92438ab91cb6348b1...@syzkaller.appspotmail.com

[ cut here ]
==
WARNING: possible circular locking dependency detected
6.8.0-syzkaller-08951-gfe46a7dd189e #0 Not tainted
--
kworker/u8:5/987 is trying to acquire lock:
8e126300 (console_owner){}-{0:0}, at: console_trylock_spinning kernel/printk/printk.c:1997 [inline]
8e126300 (console_owner){}-{0:0}, at: vprintk_emit+0x3d6/0x770 kernel/printk/printk.c:2341

but task is already holding lock:
8881483629a0 (>lock){..-.}-{2:2}, at: node_activate_pending_pwq kernel/workqueue.c:1882 [inline]
8881483629a0 (>lock){..-.}-{2:2}, at: pwq_dec_nr_active kernel/workqueue.c:1993 [inline]
8881483629a0 (>lock){..-.}-{2:2}, at: pwq_dec_nr_in_flight+0x32a/0xd60 kernel/workqueue.c:2017

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #4 (>lock){..-.}-{2:2}:
   lock_acquire+0x1e4/0x530 kernel/locking/lockdep.c:5754
   __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
   _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
   pwq_tryinc_nr_active+0x2ef/0x720 kernel/workqueue.c:1774
   __queue_work+0xa9d/0xec0 kernel/workqueue.c:2395
   queue_work_on+0x14f/0x250 kernel/workqueue.c:2435
   queue_work include/linux/workqueue.h:605 [inline]
   call_usermodehelper_exec+0x286/0x4a0 kernel/umh.c:434
   kobject_uevent_env+0x6b5/0x8f0 lib/kobject_uevent.c:618
   driver_register+0x2d6/0x320 drivers/base/driver.c:254
   pcie_init_services+0xa/0x20 drivers/pci/pcie/portdrv.c:828
   pcie_portdrv_init+0x38/0x60 drivers/pci/pcie/portdrv.c:839
   do_one_initcall+0x238/0x830 init/main.c:1241
   do_initcall_level+0x157/0x210 init/main.c:1303
   do_initcalls+0x3f/0x80 init/main.c:1319
   kernel_init_freeable+0x435/0x5d0 init/main.c:1550
   kernel_init+0x1d/0x2a0 init/main.c:1439
   ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
   ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243

-> #3 (>lock){-.-.}-{2:2}:
   lock_acquire+0x1e4/0x530 kernel/locking/lockdep.c:5754
   __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
   _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
   __queue_work+0x6ec/0xec0
   queue_work_on+0x14f/0x250 kernel/workqueue.c:2435
   queue_work include/linux/workqueue.h:605 [inline]
   rpm_suspend+0xe99/0x1780 drivers/base/power/runtime.c:662
   __pm_runtime_idle+0x131/0x1a0 drivers/base/power/runtime.c:1104
   pm_runtime_put include/linux/pm_runtime.h:448 [inline]
   __device_attach+0x3e5/0x520 drivers/base/dd.c:1048
   bus_probe_device+0x189/0x260 drivers/base/bus.c:532
   device_add+0x8ff/0xca0 drivers/base/core.c:3639
   serial_base_port_add+0x2b6/0x3f0 drivers/tty/serial/serial_base_bus.c:178
   serial_core_port_device_add drivers/tty/serial/serial_core.c:3353 [inline]
   serial_core_register_port+0x393/0x1e30 drivers/tty/serial/serial_core.c:3394
   serial8250_register_8250_port+0x1433/0x1cd0 drivers/tty/serial/8250/8250_core.c:1138
   serial_pnp_probe+0x7d5/0xa20 drivers/tty/serial/8250/8250_pnp.c:478
   pnp_device_probe+0x2ba/0x460 drivers/pnp/driver.c:111
   really_probe+0x29e/0xc50 drivers/base/dd.c:658
   __driver_probe_device+0x1a2/0x3e0 drivers/base/dd.c:800
   driver_probe_device+0x50/0x430 drivers/base/dd.c:830
   __driver_attach+0x45f/0x710 drivers/base/dd.c:1216
   bus_for_each_dev+0x239/0x2b0 drivers/base/bus.c:368
   bus_add_driver+0x347/0x620 drivers/base/bus.c:673
   driver_register+0x23a/0x320 drivers/base/driver.c:246
   serial8250_init+0x9e/0x170 drivers/tty/serial/8250/8250_core.c:1239
   do_one_initcall+0x238/0x830 init/main.c:1241
   do_initcall_level+0x157/0x210 init/main.c:1303
   do_initcalls+0x3f/0x80 init/main.c:1319
   kernel_init_freeable+0x435/0x5d0 init/main.c:1550
  

[syzbot] [virtualization?] bpf-next boot error: WARNING: refcount bug in __free_pages_ok

2024-03-31 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:623bdd58be37 selftests/bpf: make multi-uprobe tests work i..
git tree:   bpf-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1224bd4118
kernel config:  https://syzkaller.appspot.com/x/.config?x=7b667bc37450fdcd
dashboard link: https://syzkaller.appspot.com/bug?extid=1f345d82b7f611cbcc66
compiler:   Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

Downloadable assets:
disk image: 
https://storage.googleapis.com/syzbot-assets/26db68ddb08d/disk-623bdd58.raw.xz
vmlinux: 
https://storage.googleapis.com/syzbot-assets/53a312cd3825/vmlinux-623bdd58.xz
kernel image: 
https://storage.googleapis.com/syzbot-assets/65571cb0c1db/bzImage-623bdd58.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+1f345d82b7f611cbc...@syzkaller.appspotmail.com

Key type pkcs7_test registered
Block layer SCSI generic (bsg) driver version 0.4 loaded (major 239)
io scheduler mq-deadline registered
io scheduler kyber registered
io scheduler bfq registered
input: Power Button as /devices/LNXSYSTM:00/LNXPWRBN:00/input/input0
ACPI: button: Power Button [PWRF]
input: Sleep Button as /devices/LNXSYSTM:00/LNXSLPBN:00/input/input1
ACPI: button: Sleep Button [SLPF]
ioatdma: Intel(R) QuickData Technology Driver 5.00
ACPI: \_SB_.LNKC: Enabled at IRQ 11
virtio-pci :00:03.0: virtio_pci: leaving for legacy driver
ACPI: \_SB_.LNKD: Enabled at IRQ 10
virtio-pci :00:04.0: virtio_pci: leaving for legacy driver
ACPI: \_SB_.LNKB: Enabled at IRQ 10
virtio-pci :00:06.0: virtio_pci: leaving for legacy driver
virtio-pci :00:07.0: virtio_pci: leaving for legacy driver
N_HDLC line discipline registered with maxframe=4096
Serial: 8250/16550 driver, 4 ports, IRQ sharing enabled
00:03: ttyS0 at I/O 0x3f8 (irq = 4, base_baud = 115200) is a 16550A
00:04: ttyS1 at I/O 0x2f8 (irq = 3, base_baud = 115200) is a 16550A
00:05: ttyS2 at I/O 0x3e8 (irq = 6, base_baud = 115200) is a 16550A
00:06: ttyS3 at I/O 0x2e8 (irq = 7, base_baud = 115200) is a 16550A
Non-volatile memory driver v1.3
Linux agpgart interface v0.103
ACPI: bus type drm_connector registered
[drm] Initialized vgem 1.0.0 20120112 for vgem on minor 0
[drm] Initialized vkms 1.0.0 20180514 for vkms on minor 1
Console: switching to colour frame buffer device 128x48
platform vkms: [drm] fb0: vkmsdrmfb frame buffer device
usbcore: registered new interface driver udl
brd: module loaded
loop: module loaded
zram: Added device: zram0
null_blk: disk nullb0 created
null_blk: module loaded
Guest personality initialized and is inactive
VMCI host device registered (name=vmci, major=10, minor=118)
Initialized host personality
usbcore: registered new interface driver rtsx_usb
usbcore: registered new interface driver viperboard
usbcore: registered new interface driver dln2
usbcore: registered new interface driver pn533_usb
nfcsim 0.2 initialized
usbcore: registered new interface driver port100
usbcore: registered new interface driver nfcmrvl
Loading iSCSI transport class v2.0-870.
virtio_scsi virtio0: 1/0/0 default/read/poll queues
[ cut here ]
refcount_t: decrement hit 0; leaking memory.
WARNING: CPU: 0 PID: 1 at lib/refcount.c:31 refcount_warn_saturate+0xfa/0x1d0 lib/refcount.c:31
Modules linked in:
CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.9.0-rc1-syzkaller-00263-g623bdd58be37 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
RIP: 0010:refcount_warn_saturate+0xfa/0x1d0 lib/refcount.c:31
Call Trace:
 
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1141 [inline]
 __free_pages_ok+0xc60/0xd90 mm/page_alloc.c:1270
 make_alloc_exact+0xa3/0xf0 mm/page_alloc.c:4829
 vring_alloc_queue drivers/virtio/virtio_ring.c:319 [inline]
 vring_alloc_queue_split+0x20a/0x600 drivers/virtio/virtio_ring.c:1108
 vring_create_virtqueue_split+0xc6/0x310 drivers/virtio/virtio_ring.c:1158
 vring_create_virtqueue+0xca/0x110 drivers/virtio/virtio_ring.c:2683
 setup_vq+0xe9/0x2d0 d

[syzbot] [virtualization?] bpf boot error: WARNING: refcount bug in __free_pages_ok

2024-03-30 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:6dae957c8eef bpf: fix possible file descriptor leaks in ve..
git tree:   bpf
console output: https://syzkaller.appspot.com/x/log.txt?x=14ec025e18
kernel config:  https://syzkaller.appspot.com/x/.config?x=7b667bc37450fdcd
dashboard link: https://syzkaller.appspot.com/bug?extid=689655a7402cc18ace0a
compiler:   Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

Downloadable assets:
disk image: 
https://storage.googleapis.com/syzbot-assets/94b03853b65f/disk-6dae957c.raw.xz
vmlinux: 
https://storage.googleapis.com/syzbot-assets/7375c1b6b108/vmlinux-6dae957c.xz
kernel image: 
https://storage.googleapis.com/syzbot-assets/126013ac11e1/bzImage-6dae957c.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+689655a7402cc18ac...@syzkaller.appspotmail.com

Key type pkcs7_test registered
Block layer SCSI generic (bsg) driver version 0.4 loaded (major 239)
io scheduler mq-deadline registered
io scheduler kyber registered
io scheduler bfq registered
input: Power Button as /devices/LNXSYSTM:00/LNXPWRBN:00/input/input0
ACPI: button: Power Button [PWRF]
input: Sleep Button as /devices/LNXSYSTM:00/LNXSLPBN:00/input/input1
ACPI: button: Sleep Button [SLPF]
ioatdma: Intel(R) QuickData Technology Driver 5.00
ACPI: \_SB_.LNKC: Enabled at IRQ 11
virtio-pci :00:03.0: virtio_pci: leaving for legacy driver
ACPI: \_SB_.LNKD: Enabled at IRQ 10
virtio-pci :00:04.0: virtio_pci: leaving for legacy driver
ACPI: \_SB_.LNKB: Enabled at IRQ 10
virtio-pci :00:06.0: virtio_pci: leaving for legacy driver
virtio-pci :00:07.0: virtio_pci: leaving for legacy driver
N_HDLC line discipline registered with maxframe=4096
Serial: 8250/16550 driver, 4 ports, IRQ sharing enabled
00:03: ttyS0 at I/O 0x3f8 (irq = 4, base_baud = 115200) is a 16550A
00:04: ttyS1 at I/O 0x2f8 (irq = 3, base_baud = 115200) is a 16550A
00:05: ttyS2 at I/O 0x3e8 (irq = 6, base_baud = 115200) is a 16550A
00:06: ttyS3 at I/O 0x2e8 (irq = 7, base_baud = 115200) is a 16550A
Non-volatile memory driver v1.3
Linux agpgart interface v0.103
ACPI: bus type drm_connector registered
[drm] Initialized vgem 1.0.0 20120112 for vgem on minor 0
[drm] Initialized vkms 1.0.0 20180514 for vkms on minor 1
Console: switching to colour frame buffer device 128x48
platform vkms: [drm] fb0: vkmsdrmfb frame buffer device
usbcore: registered new interface driver udl
brd: module loaded
loop: module loaded
zram: Added device: zram0
null_blk: disk nullb0 created
null_blk: module loaded
Guest personality initialized and is inactive
VMCI host device registered (name=vmci, major=10, minor=118)
Initialized host personality
usbcore: registered new interface driver rtsx_usb
usbcore: registered new interface driver viperboard
usbcore: registered new interface driver dln2
usbcore: registered new interface driver pn533_usb
nfcsim 0.2 initialized
usbcore: registered new interface driver port100
usbcore: registered new interface driver nfcmrvl
Loading iSCSI transport class v2.0-870.
virtio_scsi virtio0: 1/0/0 default/read/poll queues
[ cut here ]
refcount_t: decrement hit 0; leaking memory.
WARNING: CPU: 1 PID: 1 at lib/refcount.c:31 refcount_warn_saturate+0xfa/0x1d0 lib/refcount.c:31
Modules linked in:
CPU: 1 PID: 1 Comm: swapper/0 Not tainted 6.9.0-rc1-syzkaller-00160-g6dae957c8eef #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
RIP: 0010:refcount_warn_saturate+0xfa/0x1d0 lib/refcount.c:31
Call Trace:
 
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1141 [inline]
 __free_pages_ok+0xc60/0xd90 mm/page_alloc.c:1270
 make_alloc_exact+0xa3/0xf0 mm/page_alloc.c:4829
 vring_alloc_queue drivers/virtio/virtio_ring.c:319 [inline]
 vring_alloc_queue_split+0x20a/0x600 drivers/virtio/virtio_ring.c:1108
 vring_create_virtqueue_split+0xc6/0x310 drivers/virtio/virtio_ring.c:1158
 vring_create_virtqueue+0xca/0x110 drivers/virtio/virtio_ring.c:2683
 setup_vq+0xe9/0x2d0 drivers/

[syzbot] [virtualization?] net boot error: WARNING: refcount bug in __free_pages_ok

2024-03-26 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:c1fd3a9433a2 Merge branch 'there-are-some-bugfix-for-the-h..
git tree:   net
console output: https://syzkaller.appspot.com/x/log.txt?x=134f4c8118
kernel config:  https://syzkaller.appspot.com/x/.config?x=a5e4ca7f025e9172
dashboard link: https://syzkaller.appspot.com/bug?extid=84f677a274bd8b05f6cb
compiler:   Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

Downloadable assets:
disk image: 
https://storage.googleapis.com/syzbot-assets/89219dafdd42/disk-c1fd3a94.raw.xz
vmlinux: 
https://storage.googleapis.com/syzbot-assets/d962e40c0da9/vmlinux-c1fd3a94.xz
kernel image: 
https://storage.googleapis.com/syzbot-assets/248b8f5eb3a1/bzImage-c1fd3a94.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+84f677a274bd8b05f...@syzkaller.appspotmail.com

Key type pkcs7_test registered
Block layer SCSI generic (bsg) driver version 0.4 loaded (major 239)
io scheduler mq-deadline registered
io scheduler kyber registered
io scheduler bfq registered
input: Power Button as /devices/LNXSYSTM:00/LNXPWRBN:00/input/input0
ACPI: button: Power Button [PWRF]
input: Sleep Button as /devices/LNXSYSTM:00/LNXSLPBN:00/input/input1
ACPI: button: Sleep Button [SLPF]
ioatdma: Intel(R) QuickData Technology Driver 5.00
ACPI: \_SB_.LNKC: Enabled at IRQ 11
virtio-pci :00:03.0: virtio_pci: leaving for legacy driver
ACPI: \_SB_.LNKD: Enabled at IRQ 10
virtio-pci :00:04.0: virtio_pci: leaving for legacy driver
ACPI: \_SB_.LNKB: Enabled at IRQ 10
virtio-pci :00:06.0: virtio_pci: leaving for legacy driver
virtio-pci :00:07.0: virtio_pci: leaving for legacy driver
N_HDLC line discipline registered with maxframe=4096
Serial: 8250/16550 driver, 4 ports, IRQ sharing enabled
00:03: ttyS0 at I/O 0x3f8 (irq = 4, base_baud = 115200) is a 16550A
00:04: ttyS1 at I/O 0x2f8 (irq = 3, base_baud = 115200) is a 16550A
00:05: ttyS2 at I/O 0x3e8 (irq = 6, base_baud = 115200) is a 16550A
00:06: ttyS3 at I/O 0x2e8 (irq = 7, base_baud = 115200) is a 16550A
Non-volatile memory driver v1.3
Linux agpgart interface v0.103
ACPI: bus type drm_connector registered
[drm] Initialized vgem 1.0.0 20120112 for vgem on minor 0
[drm] Initialized vkms 1.0.0 20180514 for vkms on minor 1
Console: switching to colour frame buffer device 128x48
platform vkms: [drm] fb0: vkmsdrmfb frame buffer device
usbcore: registered new interface driver udl
brd: module loaded
loop: module loaded
zram: Added device: zram0
null_blk: disk nullb0 created
null_blk: module loaded
Guest personality initialized and is inactive
VMCI host device registered (name=vmci, major=10, minor=118)
Initialized host personality
usbcore: registered new interface driver rtsx_usb
usbcore: registered new interface driver viperboard
usbcore: registered new interface driver dln2
usbcore: registered new interface driver pn533_usb
nfcsim 0.2 initialized
usbcore: registered new interface driver port100
usbcore: registered new interface driver nfcmrvl
Loading iSCSI transport class v2.0-870.
virtio_scsi virtio0: 1/0/0 default/read/poll queues
[ cut here ]
refcount_t: decrement hit 0; leaking memory.
WARNING: CPU: 1 PID: 1 at lib/refcount.c:31 refcount_warn_saturate+0xfa/0x1d0 lib/refcount.c:31
Modules linked in:
CPU: 1 PID: 1 Comm: swapper/0 Not tainted 6.8.0-syzkaller-12856-gc1fd3a9433a2 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
RIP: 0010:refcount_warn_saturate+0xfa/0x1d0 lib/refcount.c:31
Call Trace:
 
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1141 [inline]
 __free_pages_ok+0xc60/0xd90 mm/page_alloc.c:1270
 make_alloc_exact+0xa3/0xf0 mm/page_alloc.c:4829
 vring_alloc_queue drivers/virtio/virtio_ring.c:319 [inline]
 vring_alloc_queue_split+0x20a/0x600 drivers/virtio/virtio_ring.c:1108
 vring_create_virtqueue_split+0xc6/0x310 drivers/virtio/virtio_ring.c:1158
 vring_create_virtqueue+0xca/0x110 drivers/virtio/virtio_ring.c:2683
 setup_vq+0xe9/0x2d0 drivers/

[syzbot] [bpf?] [trace?] KASAN: slab-use-after-free Read in bpf_trace_run1

2024-03-25 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:520fad2e3206 selftests/bpf: scale benchmark counting by us..
git tree:   bpf-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=105af94618
kernel config:  https://syzkaller.appspot.com/x/.config?x=6fb1be60a193d440
dashboard link: https://syzkaller.appspot.com/bug?extid=981935d9485a560bfbcb
compiler:   Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=114f17a518
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=162bb7a518

Downloadable assets:
disk image: 
https://storage.googleapis.com/syzbot-assets/4eef3506c5ce/disk-520fad2e.raw.xz
vmlinux: 
https://storage.googleapis.com/syzbot-assets/24d60ebe76cc/vmlinux-520fad2e.xz
kernel image: 
https://storage.googleapis.com/syzbot-assets/8f883e706550/bzImage-520fad2e.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+981935d9485a560bf...@syzkaller.appspotmail.com

==
BUG: KASAN: slab-use-after-free in __bpf_trace_run kernel/trace/bpf_trace.c:2376 [inline]
BUG: KASAN: slab-use-after-free in bpf_trace_run1+0xcb/0x510 kernel/trace/bpf_trace.c:2430
Read of size 8 at addr 8880290d9918 by task migration/0/19

CPU: 0 PID: 19 Comm: migration/0 Not tainted 6.8.0-syzkaller-05233-g520fad2e3206 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
Stopper: 0x0 <- 0x0
Call Trace:
 
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e7/0x2e0 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:488
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 __bpf_trace_run kernel/trace/bpf_trace.c:2376 [inline]
 bpf_trace_run1+0xcb/0x510 kernel/trace/bpf_trace.c:2430
 __traceiter_rcu_utilization+0x74/0xb0 include/trace/events/rcu.h:27
 trace_rcu_utilization+0x194/0x1c0 include/trace/events/rcu.h:27
 rcu_note_context_switch+0xc7c/0xff0 kernel/rcu/tree_plugin.h:360
 __schedule+0x345/0x4a20 kernel/sched/core.c:6635
 __schedule_loop kernel/sched/core.c:6813 [inline]
 schedule+0x14b/0x320 kernel/sched/core.c:6828
 smpboot_thread_fn+0x61e/0xa30 kernel/smpboot.c:160
 kthread+0x2f0/0x390 kernel/kthread.c:388
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243
 

Allocated by task 5075:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
 __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387
 kasan_kmalloc include/linux/kasan.h:211 [inline]
 kmalloc_trace+0x1d9/0x360 mm/slub.c:4012
 kmalloc include/linux/slab.h:590 [inline]
 kzalloc include/linux/slab.h:711 [inline]
 bpf_raw_tp_link_attach+0x2a0/0x6e0 kernel/bpf/syscall.c:3816
 bpf_raw_tracepoint_open+0x1c2/0x240 kernel/bpf/syscall.c:3863
 __sys_bpf+0x3c0/0x810 kernel/bpf/syscall.c:5673
 __do_sys_bpf kernel/bpf/syscall.c:5738 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5736 [inline]
 __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5736
 do_syscall_64+0xfb/0x240
 entry_SYSCALL_64_after_hwframe+0x6d/0x75

Freed by task 5075:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:589
 poison_slab_object+0xa6/0xe0 mm/kasan/common.c:240
 __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256
 kasan_slab_free include/linux/kasan.h:184 [inline]
 slab_free_hook mm/slub.c:2121 [inline]
 slab_free mm/slub.c:4299 [inline]
 kfree+0x14a/0x380 mm/slub.c:4409
 bpf_link_release+0x3b/0x50 kernel/bpf/syscall.c:3071
 __fput+0x429/0x8a0 fs/file_table.c:423
 task_work_run+0x24f/0x310 kernel/task_work.c:180
 exit_task_work include/linux/task_work.h:38 [inline]
 do_exit+0xa1b/0x27e0 kernel/exit.c:878
 do_group_exit+0x207/0x2c0 kernel/exit.c:1027
 __do_sys_exit_group kernel/exit.c:1038 [inline]
 __se_sys_exit_group kernel/exit.c:1036 [inline]
 __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1036
 do_syscall_64+0xfb/0x240
 entry_SYSCALL_64_after_hwframe+0x6d/0x75

The buggy address belongs to the object at 8880290d9900
 which belongs to the cache kmalloc-128 of size 128
The buggy address is located 24 bytes inside of
 freed 128-byte region [8880290d9900, 8880290d9980)

The buggy address belongs to the physical page:
page:eaa43640 refcount:1 mapcount:0 mapping: index:0x0 pfn:0x290d9
anon flags: 0xfff800(slab|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0x()
raw: 00fff800 888014c418c0  0001
raw:  00100010 0001 
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KER

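The KASAN reports on this page share one shape: an 8-byte read in __bpf_trace_run (kernel/trace/bpf_trace.c:2376) of a kmalloc-128 object, and where the allocation stacks survive they show that object being kzalloc'd in bpf_raw_tp_link_attach and kfree'd in bpf_link_release, i.e. the tracepoint callback dereferencing a raw tracepoint link after it was released. The C program below is an added example, not part of the syzbot report or of the kernel: a first-pass triage parser that pulls the classification fields out of such a report and recomputes the "24 bytes inside" figure from the two addresses rather than trusting the text. The struct, the function names and the SAMPLE input (lines copied from the migration/0 report above, as rendered in this archive) are this example's own.

```c
/* Added example, not part of the syzbot report: a first-pass triage parser for
 * KASAN slab-use-after-free reports that extracts the classification fields and
 * recomputes "N bytes inside" from the addresses. All names and SAMPLE are its own. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct kasan_report {
    char bug[48], func[96];       /* e.g. "slab-use-after-free", "__bpf_trace_run" */
    char access[8];               /* "Read" or "Write" */
    int size;                     /* access size in bytes */
    unsigned long long addr;      /* faulting address */
    char task[32];                /* comm of the faulting task */
    int pid;
    unsigned long long obj_start; /* start of the slab object that was hit */
    int obj_size;                 /* object size from the cache line */
    char cache[32];               /* e.g. "kmalloc-128" */
    int alloc_pid, free_pid;      /* "Allocated by" / "Freed by" tasks */
};

/* Constructed input: header lines of the migration/0 report above, copied as
 * rendered in this archive, with the stack frames trimmed to one each. */
static const char SAMPLE[] =
    "BUG: KASAN: slab-use-after-free in __bpf_trace_run kernel/trace/bpf_trace.c:2376 [inline]\n"
    "BUG: KASAN: slab-use-after-free in bpf_trace_run1+0xcb/0x510 kernel/trace/bpf_trace.c:2430\n"
    "Read of size 8 at addr 8880290d9918 by task migration/0/19\n"
    "Allocated by task 5075:\n"
    " bpf_raw_tp_link_attach+0x2a0/0x6e0 kernel/bpf/syscall.c:3816\n"
    "Freed by task 5075:\n"
    " bpf_link_release+0x3b/0x50 kernel/bpf/syscall.c:3071\n"
    "The buggy address belongs to the object at 8880290d9900\n"
    " which belongs to the cache kmalloc-128 of size 128\n";

/* Byte offset of the access inside the object, or -1 if it lies outside. */
static long kasan_offset(const struct kasan_report *r)
{
    unsigned long long end = r->obj_start + (unsigned long long)r->obj_size;
    return (r->addr >= r->obj_start && r->addr < end) ? (long)(r->addr - r->obj_start) : -1;
}

/* Parse one report into *r; returns 1 only when every field was found. The
 * Read/Write line is guarded with strncmp: its first token is a %s conversion,
 * so a partial sscanf match on some other line would clobber access[]. */
static int kasan_parse(const char *text, struct kasan_report *r)
{
    unsigned got = 0;
    memset(r, 0, sizeof(*r));
    for (const char *line = text; line && *line; ) {
        char buf[256];
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        if (len >= sizeof(buf)) len = sizeof(buf) - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        line = nl ? nl + 1 : NULL;
        if (!r->bug[0] && sscanf(buf, "BUG: KASAN: %47s in %95s", r->bug, r->func) == 2) {
            got |= 1;               /* keep the first (innermost) BUG: line only */
        } else if ((!strncmp(buf, "Read ", 5) || !strncmp(buf, "Write ", 6)) &&
                   sscanf(buf, "%7s of size %d at addr %llx", r->access, &r->size, &r->addr) == 3) {
            const char *t = strstr(buf, "by task ");
            const char *slash = t ? strrchr(t, '/') : NULL; /* comm itself may contain '/' */
            if (t && slash) {
                size_t n = (size_t)(slash - (t + 8));
                if (n >= sizeof(r->task)) n = sizeof(r->task) - 1;
                memcpy(r->task, t + 8, n);
                r->task[n] = '\0';
                r->pid = atoi(slash + 1);
                got |= 2;
            }
        } else if (sscanf(buf, "The buggy address belongs to the object at %llx", &r->obj_start) == 1) {
            got |= 4;
        } else if (sscanf(buf, " which belongs to the cache %31s of size %d", r->cache, &r->obj_size) == 2) {
            got |= 8;
        } else if (sscanf(buf, "Allocated by task %d:", &r->alloc_pid) == 1) {
            got |= 16;
        } else if (sscanf(buf, "Freed by task %d:", &r->free_pid) == 1) {
            got |= 32;
        }
    }
    return got == 63;
}

static const struct kasan_report *sample_report(void)
{
    static struct kasan_report r;
    static int parsed = -1;       /* SAMPLE parsed once; NULL if it did not parse */
    if (parsed < 0)
        parsed = kasan_parse(SAMPLE, &r);
    return parsed ? &r : NULL;
}

int main(void)
{
    const struct kasan_report *r = sample_report();
    if (r)
        printf("%s: %s of %d bytes in %s, %ld bytes into a %s object; alloc pid %d, free pid %d\n",
               r->bug, r->access, r->size, r->func, kasan_offset(r), r->cache, r->alloc_pid, r->free_pid);
    return r ? 0 : 1;
}
```

The offset check is the part worth keeping in a real triage script: the access address minus the object start (0x18 here) must agree with the "located N bytes inside" line and fall inside the cache's object size, otherwise the report is describing a redzone or a neighbouring object rather than a stale pointer into this one. That the allocating and freeing task are the same (5075) while the faulting task is migration/0 is the other thing a first pass should surface, because it says the object outlived its owner's file descriptor rather than being double-freed by its owner.
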
[syzbot] [virtualization?] net-next boot error: WARNING: refcount bug in __free_pages_ok

2024-03-22 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:537c2e91d354 Merge git://git.kernel.org/pub/scm/linux/kern..
git tree:   net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=13c8343a18
kernel config:  https://syzkaller.appspot.com/x/.config?x=a5e4ca7f025e9172
dashboard link: https://syzkaller.appspot.com/bug?extid=e58465c446f16bd6191a
compiler:   Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

Downloadable assets:
disk image: 
https://storage.googleapis.com/syzbot-assets/31c81b152208/disk-537c2e91.raw.xz
vmlinux: 
https://storage.googleapis.com/syzbot-assets/d91fa59c13e4/vmlinux-537c2e91.xz
kernel image: 
https://storage.googleapis.com/syzbot-assets/31dbb656b1c7/bzImage-537c2e91.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e58465c446f16bd61...@syzkaller.appspotmail.com

Key type pkcs7_test registered
Block layer SCSI generic (bsg) driver version 0.4 loaded (major 239)
io scheduler mq-deadline registered
io scheduler kyber registered
io scheduler bfq registered
input: Power Button as /devices/LNXSYSTM:00/LNXPWRBN:00/input/input0
ACPI: button: Power Button [PWRF]
input: Sleep Button as /devices/LNXSYSTM:00/LNXSLPBN:00/input/input1
ACPI: button: Sleep Button [SLPF]
ioatdma: Intel(R) QuickData Technology Driver 5.00
ACPI: \_SB_.LNKC: Enabled at IRQ 11
virtio-pci :00:03.0: virtio_pci: leaving for legacy driver
ACPI: \_SB_.LNKD: Enabled at IRQ 10
virtio-pci :00:04.0: virtio_pci: leaving for legacy driver
ACPI: \_SB_.LNKB: Enabled at IRQ 10
virtio-pci :00:06.0: virtio_pci: leaving for legacy driver
virtio-pci :00:07.0: virtio_pci: leaving for legacy driver
N_HDLC line discipline registered with maxframe=4096
Serial: 8250/16550 driver, 4 ports, IRQ sharing enabled
00:03: ttyS0 at I/O 0x3f8 (irq = 4, base_baud = 115200) is a 16550A
00:04: ttyS1 at I/O 0x2f8 (irq = 3, base_baud = 115200) is a 16550A
00:05: ttyS2 at I/O 0x3e8 (irq = 6, base_baud = 115200) is a 16550A
00:06: ttyS3 at I/O 0x2e8 (irq = 7, base_baud = 115200) is a 16550A
Non-volatile memory driver v1.3
Linux agpgart interface v0.103
ACPI: bus type drm_connector registered
[drm] Initialized vgem 1.0.0 20120112 for vgem on minor 0
[drm] Initialized vkms 1.0.0 20180514 for vkms on minor 1
Console: switching to colour frame buffer device 128x48
platform vkms: [drm] fb0: vkmsdrmfb frame buffer device
usbcore: registered new interface driver udl
brd: module loaded
loop: module loaded
zram: Added device: zram0
null_blk: disk nullb0 created
null_blk: module loaded
Guest personality initialized and is inactive
VMCI host device registered (name=vmci, major=10, minor=118)
Initialized host personality
usbcore: registered new interface driver rtsx_usb
usbcore: registered new interface driver viperboard
usbcore: registered new interface driver dln2
usbcore: registered new interface driver pn533_usb
nfcsim 0.2 initialized
usbcore: registered new interface driver port100
usbcore: registered new interface driver nfcmrvl
Loading iSCSI transport class v2.0-870.
virtio_scsi virtio0: 1/0/0 default/read/poll queues
------------[ cut here ]------------
refcount_t: decrement hit 0; leaking memory.
WARNING: CPU: 0 PID: 1 at lib/refcount.c:31 refcount_warn_saturate+0xfa/0x1d0 lib/refcount.c:31
Modules linked in:
CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.8.0-syzkaller-12821-g537c2e91d354 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
RIP: 0010:refcount_warn_saturate+0xfa/0x1d0 lib/refcount.c:31
Code: b2 00 00 00 e8 d7 d2 e9 fc 5b 5d c3 cc cc cc cc e8 cb d2 e9 fc c6 05 6c 6e e8 0a 01 90 48 c7 c7 60 34 1f 8c e8 67 6f ac fc 90 <0f> 0b 90 90 eb d9 e8 ab d2 e9 fc c6 05 49 6e e8 0a 01 90 48 c7 c7
RSP: :c9066e18 EFLAGS: 00010246
RAX: c71d06ef88c7c400 RBX: 8880214ecb6c RCX: 8880166d8000
RDX:  RSI:  RDI: 
RBP: 0004 R08: 815800c2 R09: fbfff1c396e0
R10: dc00 R11: fbfff1c396e0 R12: ea000501fdc0
R13: ea000501fdc8 R14: 1d4000a03fb9 R15: 
FS:  () GS:8880b940() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 88823000 CR3: 0e132000 CR4: 003506f0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 <TASK>
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1141 [inline]
 __free_pages_ok+0xc60/0xd90 mm/page_alloc.c:1270
 make_alloc_exact+0xa3/0xf0 mm/page_alloc.c:4829
 vring_alloc_queue drivers/virtio/virtio_ring.c:319 [inline]
 vring_alloc_queue_split+0x20a/0x600 drivers/virtio/virtio_ring.c:1108
 vring_create_virtqueue_split+0xc6/0x310 drivers/virtio/virtio_ring.c:1158
 vring_create_virtqueue+0xca/0x110 drivers/virtio/virtio_ring.c:2683
 setup_vq+0xe9/0x2d0 drivers/

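The warning above fires inside reset_page_owner() while make_alloc_exact() gives back the unused tail pages of a virtqueue allocation; the same trace recurs in the other boot-error reports on this page, and a later syzbot test of the upstream report against commit 4bedfb31 (mm,page_owner: maintain own list of stack_rec..) reported no issue. What the message itself means is fixed by lib/refcount.c: "decrement hit 0; leaking memory" is the REFCOUNT_DEC_LEAK case, raised by refcount_dec() when the count it decrements was already 1 or less, and the kernel answers by pinning the count at REFCOUNT_SATURATED so the object is leaked rather than freed out from under a remaining user. The C program below is an added example, not kernel code: a single-threaded model of those rules from include/linux/refcount.h and lib/refcount.c, with plain ints in place of atomics and a recorded string in place of WARN_ONCE(). Which count page_owner was decrementing is not visible in the trace, so the demo only reproduces the shape of the event.

```c
/* Added example, not kernel code: a single-threaded model of the saturation
 * rules in include/linux/refcount.h and lib/refcount.c, so that the message
 * "refcount_t: decrement hit 0; leaking memory" in the report above can be
 * traced to the operation that emits it. The kernel uses atomics and
 * WARN_ONCE(); plain ints and a recorded string stand in for both here. */
#include <limits.h>
#include <stdio.h>
#include <string.h>

#define REFCOUNT_SATURATED (INT_MIN / 2)   /* same value the kernel pins to */

enum saturation { ADD_NOT_ZERO_OVF, ADD_OVF, ADD_UAF, SUB_UAF, DEC_LEAK };

struct refcount { int refs; };

/* Text of the last warning; empty until a saturation event happens. */
static char last_warning[64] = "";

/* Mirrors refcount_warn_saturate(): pin the count far from zero, then warn.
 * A pinned object is never released again; that is the "leaking memory" the
 * kernel prefers over an underflow that would free it while still in use. */
static void warn_saturate(struct refcount *r, enum saturation t)
{
    static const char *msg[] = {
        [ADD_NOT_ZERO_OVF] = "saturated; leaking memory",
        [ADD_OVF]          = "saturated; leaking memory",
        [ADD_UAF]          = "addition on 0; use-after-free",
        [SUB_UAF]          = "underflow; use-after-free",
        [DEC_LEAK]         = "decrement hit 0; leaking memory",
    };
    r->refs = REFCOUNT_SATURATED;
    snprintf(last_warning, sizeof last_warning, "refcount_t: %s.", msg[t]);
}

/* refcount_inc(): a reference taken on a count of 0 means the object is
 * already gone, so that case is reported as a use-after-free. */
static void refcount_inc(struct refcount *r)
{
    int old = r->refs;            /* atomic_fetch_add_relaxed() in the kernel */
    r->refs += 1;
    if (old == 0)
        warn_saturate(r, ADD_UAF);
    else if (old < 0 || old + 1 < 0)
        warn_saturate(r, ADD_OVF);
}

/* refcount_dec_and_test(): returns 1 when the caller dropped the last
 * reference and must free the object. */
static int refcount_dec_and_test(struct refcount *r)
{
    int old = r->refs;            /* atomic_fetch_sub_release() in the kernel */
    r->refs -= 1;
    if (old == 1)
        return 1;
    if (old < 0 || old - 1 < 0)
        warn_saturate(r, SUB_UAF);
    return 0;
}

/* refcount_dec(): for a reference that must not be the last one. Reaching 0
 * here means a release ran for a reference that was never taken. */
static void refcount_dec(struct refcount *r)
{
    int old = r->refs;
    r->refs -= 1;
    if (old <= 1)
        warn_saturate(r, DEC_LEAK);
}

/* The shape behind the report's message: refcount_dec() on a count already
 * down to 1. Returns 1 if the model then pins the object (a leak) instead of
 * letting a later dec_and_test() free it (a use-after-free). */
static int demo_decrement_hit_zero(void)
{
    struct refcount r = { 1 };
    last_warning[0] = '\0';
    refcount_dec(&r);
    if (strcmp(last_warning, "refcount_t: decrement hit 0; leaking memory."))
        return 0;
    return r.refs == REFCOUNT_SATURATED && refcount_dec_and_test(&r) == 0;
}

/* A reference taken on a freed (zero) object is flagged as a UAF instead. */
static int demo_addition_on_zero(void)
{
    struct refcount r = { 0 };
    last_warning[0] = '\0';
    refcount_inc(&r);
    return strcmp(last_warning, "refcount_t: addition on 0; use-after-free.") == 0;
}

int main(void)
{
    printf("decrement hit 0 -> pinned and leaked: %s\n", demo_decrement_hit_zero() ? "yes" : "no");
    printf("addition on 0 -> use-after-free:      %s\n", demo_addition_on_zero() ? "yes" : "no");
    return 0;
}
```

The distinction the model makes visible is why this class of WARNING is worth chasing even when nothing crashes: refcount_dec() hitting zero means the release side ran once more than the acquire side, and only the saturation guard turned what would have been a free-while-referenced into a leak. The same imbalance on a plain atomic_t would have been a use-after-free.
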
Re: [syzbot] [virtualization?] upstream boot error: WARNING: refcount bug in __free_pages_ok

2024-03-21 Thread syzbot
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

bcore: registered new interface driver viperboard
[7.297712][T1] usbcore: registered new interface driver dln2
[7.299149][T1] usbcore: registered new interface driver pn533_usb
[7.304759][  T924] kworker/u4:1 (924) used greatest stack depth: 22768 bytes left
[7.308971][T1] nfcsim 0.2 initialized
[7.310068][T1] usbcore: registered new interface driver port100
[7.311312][T1] usbcore: registered new interface driver nfcmrvl
[7.318405][T1] Loading iSCSI transport class v2.0-870.
[7.334687][T1] virtio_scsi virtio0: 1/0/0 default/read/poll queues
[7.344927][T1] ------------[ cut here ]------------
[7.345739][T1] refcount_t: decrement hit 0; leaking memory.
[7.346982][T1] WARNING: CPU: 0 PID: 1 at lib/refcount.c:31 refcount_warn_saturate+0xfa/0x1d0
[7.348761][T1] Modules linked in:
[7.349418][T1] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.8.0-rc5-syzkaller-00257-g217b2119b9e2 #0
[7.351070][T1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
[7.352824][T1] RIP: 0010:refcount_warn_saturate+0xfa/0x1d0
[7.353979][T1] Code: b2 00 00 00 e8 97 2d fc fc 5b 5d c3 cc cc cc cc e8 8b 2d fc fc c6 05 0d d9 d6 0a 01 90 48 c7 c7 a0 46 fd 8b e8 e7 2c c0 fc 90 <0f> 0b 90 90 eb d9 e8 6b 2d fc fc c6 05 ea d8 d6 0a 01 90 48 c7 c7
[7.358181][T1] RSP: :c9066e10 EFLAGS: 00010246
[7.360206][T1] RAX: 67b097fa09053300 RBX: 88814073377c RCX: 8880166c
[7.362234][T1] RDX:  RSI:  RDI: 
[7.363496][T1] RBP: 0004 R08: 81589d62 R09: 1920cd14
[7.365139][T1] R10: dc00 R11: f520cd15 R12: ea000501edc0
[7.366612][T1] R13: ea000501edc8 R14: 1d4000a03db9 R15: 
[7.368171][T1] FS:  () GS:8880b940() knlGS:
[7.370111][T1] CS:  0010 DS:  ES:  CR0: 80050033
[7.371030][T1] CR2: 88823000 CR3: 0df34000 CR4: 003506f0
[7.372121][T1] DR0:  DR1:  DR2: 
[7.373506][T1] DR3:  DR6: fffe0ff0 DR7: 0400
[7.374889][T1] Call Trace:
[7.375371][T1]  <TASK>
[7.375798][T1]  ? __warn+0x162/0x4b0
[7.376442][T1]  ? refcount_warn_saturate+0xfa/0x1d0
[7.377482][T1]  ? report_bug+0x2b3/0x500
[7.378161][T1]  ? refcount_warn_saturate+0xfa/0x1d0
[7.379268][T1]  ? handle_bug+0x3e/0x70
[7.379887][T1]  ? exc_invalid_op+0x1a/0x50
[7.380563][T1]  ? asm_exc_invalid_op+0x1a/0x20
[7.381253][T1]  ? __warn_printk+0x292/0x360
[7.381912][T1]  ? refcount_warn_saturate+0xfa/0x1d0
[7.382752][T1]  __free_pages_ok+0xc36/0xd60
[7.384180][T1]  make_alloc_exact+0xc4/0x140
[7.385037][T1]  vring_alloc_queue_split+0x20a/0x600
[7.386037][T1]  ? __pfx_vring_alloc_queue_split+0x10/0x10
[7.387029][T1]  ? vp_find_vqs+0x4c/0x4e0
[7.387719][T1]  ? virtscsi_probe+0x3ea/0xf60
[7.388408][T1]  ? virtio_dev_probe+0x991/0xaf0
[7.389665][T1]  ? really_probe+0x29e/0xc50
[7.390429][T1]  ? driver_probe_device+0x50/0x430
[7.391176][T1]  vring_create_virtqueue_split+0xc6/0x310
[7.392014][T1]  ? ret_from_fork+0x4b/0x80
[7.392800][T1]  ? __pfx_vring_create_virtqueue_split+0x10/0x10
[7.394115][T1]  vring_create_virtqueue+0xca/0x110
[7.395151][T1]  ? __pfx_vp_notify+0x10/0x10
[7.395888][T1]  ? __pfx_virtscsi_ctrl_done+0x10/0x10
[7.396674][T1]  setup_vq+0xe9/0x2d0
[7.397283][T1]  ? __pfx_vp_notify+0x10/0x10
[7.397938][T1]  ? __pfx_virtscsi_ctrl_done+0x10/0x10
[7.398806][T1]  ? __pfx_virtscsi_ctrl_done+0x10/0x10
[7.399938][T1]  ? __pfx_virtscsi_ctrl_done+0x10/0x10
[7.400951][T1]  vp_setup_vq+0xbf/0x330
[7.401889][T1]  ? __pfx_vp_config_changed+0x10/0x10
[7.403092][T1]  ? ioread16+0x2f/0x90
[7.403909][T1]  ? __pfx_virtscsi_ctrl_done+0x10/0x10
[7.405136][T1]  vp_find_vqs_msix+0x8b2/0xc80
[7.405892][T1]  vp_find_vqs+0x4c/0x4e0
[7.406823][T1]  virtscsi_init+0x8db/0xd00
[7.407669][T1]  ? __pfx_virtscsi_init+0x10/0x10
[7.408413][T1]  ? __pfx_default_calc_sets+0x10/0x10
[7.409369][T1]  ? scsi_host_alloc+0xa57/0xea0
[7.410333][T1]  ? vp_get+0xfd/0x140
[7.410899][T1]  virtscsi_probe+0x3ea/0xf60
[7.411673][T1]  ? __pfx_virtscsi_probe+0x10/0x10
[7.412520][T1]  ? kernfs_add_one+0x159/0x8b0
[7.413222][T1]  ? virtio_no_restricted_mem_acc+0x9/0x10
[7.414081][T1]  ? virtio_features_ok+0x10c/0x270
[7.414875][

[syzbot] [trace?] [bpf?] KASAN: slab-use-after-free Read in bpf_trace_run4

2024-03-21 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:520fad2e3206 selftests/bpf: scale benchmark counting by us..
git tree:   bpf-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=121c067918
kernel config:  https://syzkaller.appspot.com/x/.config?x=6fb1be60a193d440
dashboard link: https://syzkaller.appspot.com/bug?extid=62d8b26793e8a2bd0516
compiler:   Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=13dc423118
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1705d18518

Downloadable assets:
disk image: 
https://storage.googleapis.com/syzbot-assets/4eef3506c5ce/disk-520fad2e.raw.xz
vmlinux: 
https://storage.googleapis.com/syzbot-assets/24d60ebe76cc/vmlinux-520fad2e.xz
kernel image: 
https://storage.googleapis.com/syzbot-assets/8f883e706550/bzImage-520fad2e.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+62d8b26793e8a2bd0...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: slab-use-after-free in __bpf_trace_run kernel/trace/bpf_trace.c:2376 [inline]
BUG: KASAN: slab-use-after-free in bpf_trace_run4+0x143/0x580 kernel/trace/bpf_trace.c:2433
Read of size 8 at addr 8880238ba918 by task sshd/5076

CPU: 1 PID: 5076 Comm: sshd Not tainted 6.8.0-syzkaller-05233-g520fad2e3206 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e7/0x2e0 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:488
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 __bpf_trace_run kernel/trace/bpf_trace.c:2376 [inline]
 bpf_trace_run4+0x143/0x580 kernel/trace/bpf_trace.c:2433
 __traceiter_mm_page_alloc+0x3a/0x60 include/trace/events/kmem.h:177
 trace_mm_page_alloc include/trace/events/kmem.h:177 [inline]
 __alloc_pages+0x657/0x680 mm/page_alloc.c:4591
 __alloc_pages_node include/linux/gfp.h:238 [inline]
 alloc_pages_node include/linux/gfp.h:261 [inline]
 alloc_slab_page+0x5f/0x160 mm/slub.c:2190
 allocate_slab mm/slub.c:2354 [inline]
 new_slab+0x84/0x2f0 mm/slub.c:2407
 ___slab_alloc+0xd1b/0x13e0 mm/slub.c:3540
 __kmem_cache_alloc_bulk mm/slub.c:4574 [inline]
 kmem_cache_alloc_bulk+0x22e/0x790 mm/slub.c:4648
 napi_skb_cache_get+0x166/0x230 net/core/skbuff.c:348
 __napi_build_skb net/core/skbuff.c:527 [inline]
 __napi_alloc_skb+0x217/0x540 net/core/skbuff.c:846
 napi_alloc_skb include/linux/skbuff.h:3363 [inline]
 page_to_skb+0x275/0x9b0 drivers/net/virtio_net.c:569
 receive_mergeable drivers/net/virtio_net.c:1683 [inline]
 receive_buf+0x3b3/0x3890 drivers/net/virtio_net.c:1804
 virtnet_receive drivers/net/virtio_net.c:2110 [inline]
 virtnet_poll+0x720/0x18f0 drivers/net/virtio_net.c:2203
 __napi_poll+0xcb/0x490 net/core/dev.c:6632
 napi_poll net/core/dev.c:6701 [inline]
 net_rx_action+0x7bb/0x1090 net/core/dev.c:6813
 __do_softirq+0x2bc/0x943 kernel/softirq.c:554
 invoke_softirq kernel/softirq.c:428 [inline]
 __irq_exit_rcu+0xf2/0x1c0 kernel/softirq.c:633
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:645
 common_interrupt+0xaa/0xd0 arch/x86/kernel/irq.c:247
 </IRQ>
 <TASK>
 asm_common_interrupt+0x26/0x40 arch/x86/include/asm/idtentry.h:693
RIP: 0010:kasan_check_range+0x1b7/0x290 mm/kasan/generic.c:189
Code: f5 4d 01 fb 48 8d 5d 07 48 85 ed 48 0f 49 dd 48 83 e3 f8 48 29 dd 74 12 41 80 3b 00 0f 85 a6 00 00 00 49 ff c3 48 ff cd 75 ee <5b> 41 5c 41 5e 41 5f 5d c3 cc cc cc cc 40 84 ed 75 5f f7 c5 00 ff
RSP: 0018:c900039ff950 EFLAGS: 0256
RAX: 845bbe01 RBX: 19200073ff40 RCX: 845bbe35
RDX: 0001 RSI: 0030 RDI: c900039ffa00
RBP:  R08: c900039ffa2f R09: 19200073ff45
R10: dc00 R11: f5200073ff46 R12: 19200073ff3c
R13: dc00 R14: dc01 R15: f5200073ff46
 __asan_memset+0x23/0x50 mm/kasan/shadow.c:84
 tomoyo_socket_sendmsg_permission+0x95/0x420 security/tomoyo/network.c:761
 security_socket_sendmsg+0x75/0xb0 security/security.c:4501
 __sock_sendmsg+0x49/0x270 net/socket.c:742
 sock_write_iter+0x2dd/0x400 net/socket.c:1160
 call_write_iter include/linux/fs.h:2108 [inline]
 new_sync_write fs/read_write.c:497 [inline]
 vfs_write+0xa84/0xcb0 fs/read_write.c:590
 ksys_write+0x1a0/0x2c0 fs/read_write.c:643
 do_syscall_64+0xfb/0x240
 entry_SYSCALL_64_after_hwframe+0x6d/0x75
RIP: 0033:0x7f2e91716bf2
Code: 89 c7 48 89 44 24 08 e8 7b 34 fa ff 48 8b 44 24 08 48 83 c4 28 c3 c3 64 8b 04 25 18 00 00 00 85 c0 75 20 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 76 6f 48 8b 15 07 a2 0d 00 f7 d8 64 89 02 48 83
RSP: 002b:7ffee57321e8 EFLAGS: 0246 ORIG_RAX: 0001
RAX: ffda RBX: 00f4 RCX: 7f2e91716bf2
RDX: 00f4 RSI: 55731dc092b0 RDI: 0004
RBP: 5573

[syzbot] [bpf?] [trace?] KASAN: slab-use-after-free Read in bpf_trace_run2

2024-03-21 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:520fad2e3206 selftests/bpf: scale benchmark counting by us..
git tree:   bpf-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=11b967b918
kernel config:  https://syzkaller.appspot.com/x/.config?x=6fb1be60a193d440
dashboard link: https://syzkaller.appspot.com/bug?extid=2cb5a6c573e98db598cc
compiler:   Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=1257dd8518
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14b55c6e18

Downloadable assets:
disk image: 
https://storage.googleapis.com/syzbot-assets/4eef3506c5ce/disk-520fad2e.raw.xz
vmlinux: 
https://storage.googleapis.com/syzbot-assets/24d60ebe76cc/vmlinux-520fad2e.xz
kernel image: 
https://storage.googleapis.com/syzbot-assets/8f883e706550/bzImage-520fad2e.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+2cb5a6c573e98db59...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: slab-use-after-free in __bpf_trace_run kernel/trace/bpf_trace.c:2376 [inline]
BUG: KASAN: slab-use-after-free in bpf_trace_run2+0xfa/0x530 kernel/trace/bpf_trace.c:2431
Read of size 8 at addr 88802aaea218 by task syz-executor147/10463

CPU: 0 PID: 10463 Comm: syz-executor147 Not tainted 6.8.0-syzkaller-05233-g520fad2e3206 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e7/0x2e0 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:488
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 __bpf_trace_run kernel/trace/bpf_trace.c:2376 [inline]
 bpf_trace_run2+0xfa/0x530 kernel/trace/bpf_trace.c:2431
 __traceiter_kfree+0x2b/0x50 include/trace/events/kmem.h:94
 trace_kfree include/trace/events/kmem.h:94 [inline]
 kfree+0x291/0x380 mm/slub.c:4396
 tomoyo_realpath_from_path+0xc2/0x5e0 security/tomoyo/realpath.c:250
 tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
 tomoyo_check_open_permission+0x255/0x500 security/tomoyo/file.c:771
 security_file_open+0x69/0x570 security/security.c:2933
 do_dentry_open+0x327/0x15a0 fs/open.c:943
 do_open fs/namei.c:3643 [inline]
 path_openat+0x2860/0x3240 fs/namei.c:3800
 do_filp_open+0x235/0x490 fs/namei.c:3827
 do_sys_openat2+0x13e/0x1d0 fs/open.c:1407
 do_sys_open fs/open.c:1422 [inline]
 __do_sys_openat fs/open.c:1438 [inline]
 __se_sys_openat fs/open.c:1433 [inline]
 __x64_sys_openat+0x247/0x2a0 fs/open.c:1433
 do_syscall_64+0xfb/0x240
 entry_SYSCALL_64_after_hwframe+0x6d/0x75
RIP: 0033:0x7f2308d06f51
Code: 75 57 89 f0 25 00 00 41 00 3d 00 00 41 00 74 49 80 3d 3a 91 07 00 00 74 6d 89 da 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 93 00 00 00 48 8b 54 24 28 64 48 2b 14 25
RSP: 002b:7fffb8a33850 EFLAGS: 0202 ORIG_RAX: 0101
RAX: ffda RBX: 00080001 RCX: 7f2308d06f51
RDX: 00080001 RSI: 7f2308d51022 RDI: ff9c
RBP: 7f2308d51022 R08:  R09: 
R10:  R11: 0202 R12: 7fffb8a338f0
R13: 7fffb8a33dcc R14: 7fffb8a33de0 R15: 7fffb8a33dd0
 </TASK>

Allocated by task 10462:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
 __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387
 kasan_kmalloc include/linux/kasan.h:211 [inline]
 kmalloc_trace+0x1d9/0x360 mm/slub.c:4012
 kmalloc include/linux/slab.h:590 [inline]
 kzalloc include/linux/slab.h:711 [inline]
 bpf_raw_tp_link_attach+0x2a0/0x6e0 kernel/bpf/syscall.c:3816
 bpf_raw_tracepoint_open+0x1c2/0x240 kernel/bpf/syscall.c:3863
 __sys_bpf+0x3c0/0x810 kernel/bpf/syscall.c:5673
 __do_sys_bpf kernel/bpf/syscall.c:5738 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5736 [inline]
 __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5736
 do_syscall_64+0xfb/0x240
 entry_SYSCALL_64_after_hwframe+0x6d/0x75

Freed by task 10462:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:589
 poison_slab_object+0xa6/0xe0 mm/kasan/common.c:240
 __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256
 kasan_slab_free include/linux/kasan.h:184 [inline]
 slab_free_hook mm/slub.c:2121 [inline]
 slab_free mm/slub.c:4299 [inline]
 kfree+0x14a/0x380 mm/slub.c:4409
 bpf_link_release+0x3b/0x50 kernel/bpf/syscall.c:3071
 __fput+0x429/0x8a0 fs/file_table.c:423
 task_work_run+0x24f/0x310 kernel/task_work.c:180
 exit_task_work include/linux/task_work.h:38 [inline]
 do_exit+0xa1b/0x27e0 kernel/exit.c:878
 do_group_exit+0x207/0x2c0 kernel/exit.c:1027
 __do_sys_exit_group kernel/exit.c:1038 [inline]
 __se_sys_exit_group kernel/exit.

Re: [syzbot] [virtualization?] upstream boot error: WARNING: refcount bug in __free_pages_ok

2024-03-20 Thread syzbot
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+70f57d8a3ae84934c...@syzkaller.appspotmail.com

Tested on:

commit: 4bedfb31 mm,page_owner: maintain own list of stack_rec..
git tree:   git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config:  https://syzkaller.appspot.com/x/.config?x=527195e149aa3091
dashboard link: https://syzkaller.appspot.com/bug?extid=70f57d8a3ae84934c003
compiler:   Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

Note: no patches were applied.
Note: testing is done by a robot and is best-effort only.



Re: [syzbot] [virtualization?] upstream boot error: WARNING: refcount bug in __free_pages_ok

2024-03-20 Thread syzbot
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+70f57d8a3ae84934c...@syzkaller.appspotmail.com

Tested on:

commit: 52998cdd Merge branch '6.8/scsi-staging' into 6.8/scsi..
git tree:   git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config:  https://syzkaller.appspot.com/x/.config?x=7b1f286a7e950707
dashboard link: https://syzkaller.appspot.com/bug?extid=70f57d8a3ae84934c003
compiler:   Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

Note: no patches were applied.
Note: testing is done by a robot and is best-effort only.



[syzbot] [virtualization?] upstream boot error: WARNING: refcount bug in __free_pages_ok

2024-03-19 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:b3603fcb79b1 Merge tag 'dlm-6.9' of git://git.kernel.org/p..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10f04c8118
kernel config:  https://syzkaller.appspot.com/x/.config?x=fcb5bfbee0a42b54
dashboard link: https://syzkaller.appspot.com/bug?extid=70f57d8a3ae84934c003
compiler:   Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

Downloadable assets:
disk image: 
https://storage.googleapis.com/syzbot-assets/43969dffd4a6/disk-b3603fcb.raw.xz
vmlinux: 
https://storage.googleapis.com/syzbot-assets/ef48ab3b378b/vmlinux-b3603fcb.xz
kernel image: 
https://storage.googleapis.com/syzbot-assets/728f5ff2b6fe/bzImage-b3603fcb.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+70f57d8a3ae84934c...@syzkaller.appspotmail.com

Key type pkcs7_test registered
Block layer SCSI generic (bsg) driver version 0.4 loaded (major 239)
io scheduler mq-deadline registered
io scheduler kyber registered
io scheduler bfq registered
input: Power Button as /devices/LNXSYSTM:00/LNXPWRBN:00/input/input0
ACPI: button: Power Button [PWRF]
input: Sleep Button as /devices/LNXSYSTM:00/LNXSLPBN:00/input/input1
ACPI: button: Sleep Button [SLPF]
ioatdma: Intel(R) QuickData Technology Driver 5.00
ACPI: \_SB_.LNKC: Enabled at IRQ 11
virtio-pci :00:03.0: virtio_pci: leaving for legacy driver
ACPI: \_SB_.LNKD: Enabled at IRQ 10
virtio-pci :00:04.0: virtio_pci: leaving for legacy driver
ACPI: \_SB_.LNKB: Enabled at IRQ 10
virtio-pci :00:06.0: virtio_pci: leaving for legacy driver
virtio-pci :00:07.0: virtio_pci: leaving for legacy driver
N_HDLC line discipline registered with maxframe=4096
Serial: 8250/16550 driver, 4 ports, IRQ sharing enabled
00:03: ttyS0 at I/O 0x3f8 (irq = 4, base_baud = 115200) is a 16550A
00:04: ttyS1 at I/O 0x2f8 (irq = 3, base_baud = 115200) is a 16550A
00:05: ttyS2 at I/O 0x3e8 (irq = 6, base_baud = 115200) is a 16550A
00:06: ttyS3 at I/O 0x2e8 (irq = 7, base_baud = 115200) is a 16550A
Non-volatile memory driver v1.3
Linux agpgart interface v0.103
ACPI: bus type drm_connector registered
[drm] Initialized vgem 1.0.0 20120112 for vgem on minor 0
[drm] Initialized vkms 1.0.0 20180514 for vkms on minor 1
Console: switching to colour frame buffer device 128x48
platform vkms: [drm] fb0: vkmsdrmfb frame buffer device
usbcore: registered new interface driver udl
brd: module loaded
loop: module loaded
zram: Added device: zram0
null_blk: disk nullb0 created
null_blk: module loaded
Guest personality initialized and is inactive
VMCI host device registered (name=vmci, major=10, minor=118)
Initialized host personality
usbcore: registered new interface driver rtsx_usb
usbcore: registered new interface driver viperboard
usbcore: registered new interface driver dln2
usbcore: registered new interface driver pn533_usb
nfcsim 0.2 initialized
usbcore: registered new interface driver port100
usbcore: registered new interface driver nfcmrvl
Loading iSCSI transport class v2.0-870.
virtio_scsi virtio0: 1/0/0 default/read/poll queues
------------[ cut here ]------------
refcount_t: decrement hit 0; leaking memory.
WARNING: CPU: 0 PID: 1 at lib/refcount.c:31 refcount_warn_saturate+0xfa/0x1d0 lib/refcount.c:31
Modules linked in:
CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.8.0-syzkaller-11567-gb3603fcb79b1 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
RIP: 0010:refcount_warn_saturate+0xfa/0x1d0 lib/refcount.c:31
Code: b2 00 00 00 e8 57 d4 f2 fc 5b 5d c3 cc cc cc cc e8 4b d4 f2 fc c6 05 0c f9 ef 0a 01 90 48 c7 c7 a0 5d 1e 8c e8 b7 75 b5 fc 90 <0f> 0b 90 90 eb d9 e8 2b d4 f2 fc c6 05 e9 f8 ef 0a 01 90 48 c7 c7
RSP: :c9066e18 EFLAGS: 00010246
RAX: 76f86e452fcad900 RBX: 8880210d2aec RCX: 888016ac8000
RDX:  RSI:  RDI: 
RBP: 0004 R08: 8157ffe2 R09: fbfff1c396e0
R10: dc00 R11: fbfff1c396e0 R12: ea000502cdc0
R13: ea000502cdc8 R14: 1d4000a059b9 R15: 
FS:  () GS:8880b940() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 88823000 CR3: 0e132000 CR4: 003506f0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 <TASK>
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1141 [inline]
 __free_pages_ok+0xc54/0xd80 mm/page_alloc.c:1270
 make_alloc_exact+0xa3/0xf0 mm/page_alloc.c:4829
 vring_alloc_queue drivers/virtio/virtio_ring.c:319 [inline]
 vring_alloc_queue_split+0x20a/0x600 drivers/virtio/virtio_ring.c:1108
 vring_create_virtqueue_split+0xc6/0x310 drivers/virtio/virtio_ring.c:1158
 vring_create_virtqueue+0xca/0x110 drivers/virtio/virtio_ring.c:2683
 setup_vq+0xe9/0x2d0 drivers/

[syzbot] Monthly trace report (Feb 2024)

2024-02-27 Thread syzbot
Hello trace maintainers/developers,

This is a 31-day syzbot report for the trace subsystem.
All related reports/information can be found at:
https://syzkaller.appspot.com/upstream/s/trace

During the period, 0 new issues were detected and 0 were fixed.
In total, 8 issues are still open and 29 have been fixed so far.

Some of the still happening issues:

Ref Crashes Repro Title
<1> 8197 Yes   possible deadlock in task_fork_fair
  https://syzkaller.appspot.com/bug?extid=1a93ee5d329e97cfbaff
<2> 279 Yes   WARNING in format_decode (3)
  https://syzkaller.appspot.com/bug?extid=e2c932aec5c8a6e1d31c
<3> 26  Yes   WARNING in blk_register_tracepoints
  https://syzkaller.appspot.com/bug?extid=c54ded83396afee31eb1
<4> 17  Yes   INFO: task hung in blk_trace_ioctl (4)
  https://syzkaller.appspot.com/bug?extid=ed812ed461471ab17a0c

---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

To disable reminders for individual bugs, reply with the following command:
#syz set <Ref> no-reminders

To change bug's subsystems, reply with:
#syz set <Ref> subsystems: new-subsystem

You may send multiple commands in a single email message.



[syzbot] [virtualization?] linux-next boot error: WARNING: refcount bug in __free_pages_ok

2024-02-18 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:d37e1e4c52bc Add linux-next specific files for 20240216
git tree:   linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=171ca65218
kernel config:  https://syzkaller.appspot.com/x/.config?x=4bc446d42a7d56c0
dashboard link: https://syzkaller.appspot.com/bug?extid=6f3c38e8a6a0297caa5a
compiler:   Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

Downloadable assets:
disk image: 
https://storage.googleapis.com/syzbot-assets/14d0894504b9/disk-d37e1e4c.raw.xz
vmlinux: 
https://storage.googleapis.com/syzbot-assets/6cda61e084ee/vmlinux-d37e1e4c.xz
kernel image: 
https://storage.googleapis.com/syzbot-assets/720c85283c05/bzImage-d37e1e4c.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+6f3c38e8a6a0297ca...@syzkaller.appspotmail.com

Key type pkcs7_test registered
Block layer SCSI generic (bsg) driver version 0.4 loaded (major 239)
io scheduler mq-deadline registered
io scheduler kyber registered
io scheduler bfq registered
input: Power Button as /devices/LNXSYSTM:00/LNXPWRBN:00/input/input0
ACPI: button: Power Button [PWRF]
input: Sleep Button as /devices/LNXSYSTM:00/LNXSLPBN:00/input/input1
ACPI: button: Sleep Button [SLPF]
ioatdma: Intel(R) QuickData Technology Driver 5.00
ACPI: \_SB_.LNKC: Enabled at IRQ 11
virtio-pci :00:03.0: virtio_pci: leaving for legacy driver
ACPI: \_SB_.LNKD: Enabled at IRQ 10
virtio-pci :00:04.0: virtio_pci: leaving for legacy driver
ACPI: \_SB_.LNKB: Enabled at IRQ 10
virtio-pci :00:06.0: virtio_pci: leaving for legacy driver
virtio-pci :00:07.0: virtio_pci: leaving for legacy driver
N_HDLC line discipline registered with maxframe=4096
Serial: 8250/16550 driver, 4 ports, IRQ sharing enabled
00:03: ttyS0 at I/O 0x3f8 (irq = 4, base_baud = 115200) is a 16550A
00:04: ttyS1 at I/O 0x2f8 (irq = 3, base_baud = 115200) is a 16550A
00:05: ttyS2 at I/O 0x3e8 (irq = 6, base_baud = 115200) is a 16550A
00:06: ttyS3 at I/O 0x2e8 (irq = 7, base_baud = 115200) is a 16550A
Non-volatile memory driver v1.3
Linux agpgart interface v0.103
ACPI: bus type drm_connector registered
[drm] Initialized vgem 1.0.0 20120112 for vgem on minor 0
[drm] Initialized vkms 1.0.0 20180514 for vkms on minor 1
Console: switching to colour frame buffer device 128x48
platform vkms: [drm] fb0: vkmsdrmfb frame buffer device
usbcore: registered new interface driver udl
brd: module loaded
loop: module loaded
zram: Added device: zram0
null_blk: disk nullb0 created
null_blk: module loaded
Guest personality initialized and is inactive
VMCI host device registered (name=vmci, major=10, minor=118)
Initialized host personality
usbcore: registered new interface driver rtsx_usb
usbcore: registered new interface driver viperboard
usbcore: registered new interface driver dln2
usbcore: registered new interface driver pn533_usb
nfcsim 0.2 initialized
usbcore: registered new interface driver port100
usbcore: registered new interface driver nfcmrvl
Loading iSCSI transport class v2.0-870.
virtio_scsi virtio0: 1/0/0 default/read/poll queues
------------[ cut here ]------------
refcount_t: decrement hit 0; leaking memory.
WARNING: CPU: 0 PID: 1 at lib/refcount.c:31 refcount_warn_saturate+0xfa/0x1d0 lib/refcount.c:31
Modules linked in:
CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.8.0-rc4-next-20240216-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
RIP: 0010:refcount_warn_saturate+0xfa/0x1d0 lib/refcount.c:31
Code: b2 00 00 00 e8 b7 94 f0 fc 5b 5d c3 cc cc cc cc e8 ab 94 f0 fc c6 05 c6 16 ce 0a 01 90 48 c7 c7 a0 5a fe 8b e8 67 69 b4 fc 90 <0f> 0b 90 90 eb d9 e8 8b 94 f0 fc c6 05 a3 16 ce 0a 01 90 48 c7 c7
RSP: :c9066e10 EFLAGS: 00010246
RAX: 15c2c224c9b50400 RBX: 888020827d2c RCX: 8880162d8000
RDX:  RSI:  RDI: 
RBP: 0004 R08: 8157b942 R09: fbfff1bf95cc
R10: dc00 R11: fbfff1bf95cc R12: ea000502fdc0
R13: ea000502fdc8 R14: 1d4000a05fb9 R15: 
FS:  () GS:8880b940() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 88823000 CR3: 0df32000 CR4: 003506f0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1140 [inline]
 __free_pages_ok+0xc42/0xd70 mm/page_alloc.c:1269
 make_alloc_exact+0xc4/0x140 mm/page_alloc.c:4847
 vring_alloc_queue drivers/virtio/virtio_ring.c:319 [inline]
 vring_alloc_queue_split+0x20a/0x600 drivers/virtio/virtio_ring.c:1108
 vring_create_virtqueue_split+0xc6/0x310 drivers/virtio/virtio_ring.c:1158
 vring_create_virtqueue+0xca/0x110 drivers/virtio/virtio_ring.c:2683
 setup_vq+0xe9/0x2d0 drivers/

Re: [syzbot] [fs?] [trace?] BUG: unable to handle kernel paging request in tracefs_apply_options

2024-02-12 Thread syzbot
syzbot suspects this issue was fixed by commit:

commit ad579864637af46447208254719943179b69d41a
Author: Steven Rostedt (Google) 
Date:   Tue Jan 2 20:12:49 2024 +

tracefs: Check for dentry->d_inode exists in set_gid()

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=17659d2418
start commit:   453f5db0619e Merge tag 'trace-v6.7-rc7' of git://git.kerne..
git tree:   upstream
kernel config:  https://syzkaller.appspot.com/x/.config?x=f8e72bae38c079e4
dashboard link: https://syzkaller.appspot.com/bug?extid=f8a023e0c6beabe2371a
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=1414af31e8
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=15e52409e8

If the result looks correct, please mark the issue as fixed by replying with:

#syz fix: tracefs: Check for dentry->d_inode exists in set_gid()

For information about bisection process see: https://goo.gl/tpsmEJ#bisection



[syzbot] Monthly trace report (Jan 2024)

2024-01-26 Thread syzbot
Hello trace maintainers/developers,

This is a 31-day syzbot report for the trace subsystem.
All related reports/information can be found at:
https://syzkaller.appspot.com/upstream/s/trace

During the period, 2 new issues were detected and 0 were fixed.
In total, 8 issues are still open and 29 have been fixed so far.

Some of the still happening issues:

Ref Crashes Repro Title
<1> 8174Yes   possible deadlock in task_fork_fair
  https://syzkaller.appspot.com/bug?extid=1a93ee5d329e97cfbaff
<2> 235 Yes   WARNING in format_decode (3)
  https://syzkaller.appspot.com/bug?extid=e2c932aec5c8a6e1d31c
<3> 26  Yes   WARNING in blk_register_tracepoints
  https://syzkaller.appspot.com/bug?extid=c54ded83396afee31eb1
<4> 12  Yes   INFO: task hung in blk_trace_ioctl (4)
  https://syzkaller.appspot.com/bug?extid=ed812ed461471ab17a0c
<5> 5   Yes   WARNING in get_probe_ref
  https://syzkaller.appspot.com/bug?extid=8672dcb9d10011c0a160

---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

To disable reminders for individual bugs, reply with the following command:
#syz set  no-reminders

To change bug's subsystems, reply with:
#syz set  subsystems: new-subsystem

You may send multiple commands in a single email message.



[syzbot] [modules?] INFO: task hung in _vm_unmap_aliases (3)

2024-01-09 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:610a9b8f49fb Linux 6.7-rc8
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=137c4981e8
kernel config:  https://syzkaller.appspot.com/x/.config?x=c1d9baf5d2241e14
dashboard link: https://syzkaller.appspot.com/bug?extid=fe8f8efd070d727de971
compiler:   arm-linux-gnueabi-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU 
Binutils for Debian) 2.40
userspace arch: arm
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=12d5c931e8
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14e4e3d9e8

Downloadable assets:
disk image (non-bootable): 
https://storage.googleapis.com/syzbot-assets/8ead8862021c/non_bootable_disk-610a9b8f.raw.xz
vmlinux: 
https://storage.googleapis.com/syzbot-assets/5dcc5fecebbd/vmlinux-610a9b8f.xz
kernel image: 
https://storage.googleapis.com/syzbot-assets/ac6cb620d377/zImage-610a9b8f.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+fe8f8efd070d727de...@syzkaller.appspotmail.com

INFO: task kworker/0:1:9 blocked for more than 450 seconds.
  Not tainted 6.7.0-rc8-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/0:1 state:D stack:0 pid:9 tgid:9 ppid:2  
flags:0x
Workqueue: events bpf_prog_free_deferred
Backtrace: 
[<81855408>] (__schedule) from [<81856028>] (__schedule_loop 
kernel/sched/core.c:6763 [inline])
[<81855408>] (__schedule) from [<81856028>] (schedule+0x2c/0xb8 
kernel/sched/core.c:6778)
 r10:82c16005 r9: r8:8270dad4 r7:0002 r6:df83dda4 r5:82dee000
 r4:82dee000
[<81855ffc>] (schedule) from [<818565d0>] (schedule_preempt_disabled+0x18/0x24 
kernel/sched/core.c:6835)
 r5:82dee000 r4:8270dad0
[<818565b8>] (schedule_preempt_disabled) from [<81858eb8>] (__mutex_lock_common 
kernel/locking/mutex.c:679 [inline])
[<818565b8>] (schedule_preempt_disabled) from [<81858eb8>] 
(__mutex_lock.constprop.0+0x2e8/0xae0 kernel/locking/mutex.c:747)
[<81858bd0>] (__mutex_lock.constprop.0) from [<81859784>] 
(__mutex_lock_slowpath+0x14/0x18 kernel/locking/mutex.c:1035)
 r10:82c16005 r9:df83de30 r8: r7: r6: r5:84791b40
 r4:
[<81859770>] (__mutex_lock_slowpath) from [<818597c4>] (mutex_lock+0x3c/0x40 
kernel/locking/mutex.c:286)
[<81859788>] (mutex_lock) from [<804898b0>] (_vm_unmap_aliases+0x60/0x2e4 
mm/vmalloc.c:2267)
[<80489850>] (_vm_unmap_aliases) from [<8048d450>] (vm_reset_perms 
mm/vmalloc.c:2753 [inline])
[<80489850>] (_vm_unmap_aliases) from [<8048d450>] (vfree+0x170/0x1e0 
mm/vmalloc.c:2832)
 r10:82c16005 r9:0001 r8: r7: r6: r5:84791b40
 r4:
[<8048d2e0>] (vfree) from [<802e9a2c>] (module_memfree+0x30/0x50 
kernel/module/main.c:1189)
 r9:847f7400 r8: r7: r6:82c16000 r5:1000 r4:7f077000
[<802e99fc>] (module_memfree) from [<80386f54>] (bpf_jit_free_exec+0x10/0x14 
kernel/bpf/core.c:1023)
 r5:1000 r4:ea91f000
[<80386f44>] (bpf_jit_free_exec) from [<80387114>] (bpf_jit_binary_free 
kernel/bpf/core.c:1069 [inline])
[<80386f44>] (bpf_jit_free_exec) from [<80387114>] (bpf_jit_free+0x68/0xe4 
kernel/bpf/core.c:1194)
[<803870ac>] (bpf_jit_free) from [<80387318>] 
(bpf_prog_free_deferred+0x188/0x1a0 kernel/bpf/core.c:2744)
 r5:847f7750 r4:82c0bc00
[<80387190>] (bpf_prog_free_deferred) from [<802668f4>] 
(process_one_work+0x19c/0x4a4 kernel/workqueue.c:2627)
 r9:82dee000 r8: r7:12c0 r6:82c16000 r5:847f7750 r4:82c0bc00
[<80266758>] (process_one_work) from [<80266e3c>] (process_scheduled_works 
kernel/workqueue.c:2700 [inline])
[<80266758>] (process_one_work) from [<80266e3c>] (worker_thread+0x240/0x48c 
kernel/workqueue.c:2781)
 r10:61c88647 r9:82dee000 r8:12e0 r7:82604d40 r6:12c0 r5:82c0bc2c
 r4:82c0bc00
[<80266bfc>] (worker_thread) from [<8026e29c>] (kthread+0x104/0x134 
kernel/kthread.c:388)
 r10: r9:df839e90 r8:82cb8640 r7:82c0bc00 r6:80266bfc r5:82dee000
 r4:82cb8100
[<8026e198>] (kthread) from [<80200104>] (ret_from_fork+0x14/0x30 
arch/arm/kernel/entry-common.S:134)
Exception stack(0xdf83dfb0 to 0xdf83dff8)
dfa0:    
dfc0:        
dfe0:     0013 
 r9: r8: r7: r6: r5:8026e198 r4:82cb8100
INFO: task kworker/1:3:117 blocked for more than 450 seconds.
  Not tainted 6.7.0-rc8-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/1:3 state:D stack:0 pid:117   tgid:117   ppid:2  
flags:0x
Wor

Re: [v5.15] WARNING in kvm_arch_vcpu_ioctl_run

2024-01-09 Thread syzbot
This bug is marked as fixed by commit:
KVM: x86: Remove WARN sanity check on hypervisor timer vs. UNINITIALIZED vCPU

But I can't find it in the tested trees[1] for more than 90 days.
Is it a correct commit? Please update it by replying:

#syz fix: exact-commit-title

Until then the bug is still considered open and new crashes with
the same signature are ignored.

Kernel: Linux 5.15
Dashboard link: https://syzkaller.appspot.com/bug?extid=412c9ae97b4338c5187e

---
[1] I expect the commit to be present in:

1. linux-5.15.y branch of
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git



[syzbot] [fs?] [trace?] BUG: unable to handle kernel paging request in tracefs_apply_options

2024-01-03 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:453f5db0619e Merge tag 'trace-v6.7-rc7' of git://git.kerne..
git tree:   upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=10ec3829e8
kernel config:  https://syzkaller.appspot.com/x/.config?x=f8e72bae38c079e4
dashboard link: https://syzkaller.appspot.com/bug?extid=f8a023e0c6beabe2371a
compiler:   Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 
2.40
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=1414af31e8
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=15e52409e8

Downloadable assets:
disk image: 
https://storage.googleapis.com/syzbot-assets/38b92a7149e8/disk-453f5db0.raw.xz
vmlinux: 
https://storage.googleapis.com/syzbot-assets/4f872267133f/vmlinux-453f5db0.xz
kernel image: 
https://storage.googleapis.com/syzbot-assets/587572061791/bzImage-453f5db0.xz

The issue was bisected to:

commit 7e8358edf503e87236c8d07f69ef0ed846dd5112
Author: Steven Rostedt (Google) 
Date:   Fri Dec 22 00:07:57 2023 +

eventfs: Fix file and directory uid and gid ownership

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=108cd519e8
final oops: https://syzkaller.appspot.com/x/report.txt?x=128cd519e8
console output: https://syzkaller.appspot.com/x/log.txt?x=148cd519e8

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+f8a023e0c6beabe23...@syzkaller.appspotmail.com
Fixes: 7e8358edf503 ("eventfs: Fix file and directory uid and gid ownership")

BUG: unable to handle page fault for address: fff0
#PF: supervisor read access in kernel mode
#PF: error_code(0x) - not-present page
PGD d734067 P4D d734067 PUD d736067 PMD 0 
Oops:  [#1] PREEMPT SMP KASAN
CPU: 0 PID: 5056 Comm: syz-executor170 Not tainted 
6.7.0-rc7-syzkaller-00049-g453f5db0619e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
11/17/2023
RIP: 0010:set_gid fs/tracefs/inode.c:224 [inline]
RIP: 0010:tracefs_apply_options+0x4d0/0xa40 fs/tracefs/inode.c:337
Code: 24 10 49 8b 1e 48 83 c3 f0 74 3d 48 89 d8 48 c1 e8 03 48 bd 00 00 00 00 
00 fc ff df 80 3c 28 00 74 08 48 89 df e8 70 ff 88 fe <48> 8b 1b 48 89 de 48 83 
e6 02 31 ff e8 bf fe 2c fe 48 83 e3 02 75
RSP: 0018:c900040ffca8 EFLAGS: 00010246
RAX: 1ffe RBX: fff0 RCX: 888014bf5940
RDX:  RSI: 0004 RDI: c900040ffc20
RBP: dc00 R08: 0003 R09: f5200081ff84
R10: dc00 R11: f5200081ff84 R12: 88801d743888
R13: 88801b0c3710 R14: 88801d7437e8 R15: 88801d743810
FS:  557dd480() GS:8880b980() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: fff0 CR3: 1ec48000 CR4: 003506f0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 
 tracefs_remount+0x78/0x80 fs/tracefs/inode.c:353
 reconfigure_super+0x440/0x870 fs/super.c:1143
 do_remount fs/namespace.c:2884 [inline]
 path_mount+0xc24/0xfa0 fs/namespace.c:3656
 do_mount fs/namespace.c:3677 [inline]
 __do_sys_mount fs/namespace.c:3886 [inline]
 __se_sys_mount+0x2d9/0x3c0 fs/namespace.c:3863
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x45/0x110 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7fec326e8d99
Code: 48 83 c4 28 c3 e8 67 17 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 
89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 
c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:7ffc8103ddf8 EFLAGS: 0246 ORIG_RAX: 00a5
RAX: ffda RBX: 7ffc8103de00 RCX: 7fec326e8d99
RDX:  RSI: 20c0 RDI: 
RBP: 7ffc8103de08 R08: 2140 R09: 7fec326b5b80
R10: 02200022 R11: 0246 R12: 
R13: 7ffc8103e068 R14: 0001 R15: 0001
 
Modules linked in:
CR2: fff0
---[ end trace  ]---
RIP: 0010:set_gid fs/tracefs/inode.c:224 [inline]
RIP: 0010:tracefs_apply_options+0x4d0/0xa40 fs/tracefs/inode.c:337
Code: 24 10 49 8b 1e 48 83 c3 f0 74 3d 48 89 d8 48 c1 e8 03 48 bd 00 00 00 00 
00 fc ff df 80 3c 28 00 74 08 48 89 df e8 70 ff 88 fe <48> 8b 1b 48 89 de 48 83 
e6 02 31 ff e8 bf fe 2c fe 48 83 e3 02 75
RSP: 0018:c900040ffca8 EFLAGS: 00010246
RAX: 1ffe RBX: fff0 RCX: 888014bf5940
RDX:  RSI: 0004 RDI: c900040ffc20
RBP: dc00 R08: 0003 R09: f5200081ff84
R10: dc00 R11: f5200081ff84 R12: 88801d743888
R13: 88801b0c3710 R14: 88801d7437e8 R15: 88801d743810
FS:  557dd480() GS:8880b980() knlGS:
CS:  0010 DS:  ES: 00

[syzbot] [virtualization?] KMSAN: uninit-value in virtqueue_add (4)

2024-01-01 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:fbafc3e621c3 Merge tag 'for_linus' of git://git.kernel.org..
git tree:   upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=173df3e9e8
kernel config:  https://syzkaller.appspot.com/x/.config?x=e0c7078a6b901aa3
dashboard link: https://syzkaller.appspot.com/bug?extid=d7521c1e3841ed075a42
compiler:   Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 
2.40
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=1300b4a1e8
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=130b0379e8

Downloadable assets:
disk image: 
https://storage.googleapis.com/syzbot-assets/1520f7b6daa4/disk-fbafc3e6.raw.xz
vmlinux: 
https://storage.googleapis.com/syzbot-assets/8b490af009d5/vmlinux-fbafc3e6.xz
kernel image: 
https://storage.googleapis.com/syzbot-assets/202ca200f4a4/bzImage-fbafc3e6.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d7521c1e3841ed075...@syzkaller.appspotmail.com

=
BUG: KMSAN: uninit-value in vring_map_one_sg drivers/virtio/virtio_ring.c:380 
[inline]
BUG: KMSAN: uninit-value in virtqueue_add_split 
drivers/virtio/virtio_ring.c:614 [inline]
BUG: KMSAN: uninit-value in virtqueue_add+0x21c6/0x6530 
drivers/virtio/virtio_ring.c:2210
 vring_map_one_sg drivers/virtio/virtio_ring.c:380 [inline]
 virtqueue_add_split drivers/virtio/virtio_ring.c:614 [inline]
 virtqueue_add+0x21c6/0x6530 drivers/virtio/virtio_ring.c:2210
 virtqueue_add_sgs+0x186/0x1a0 drivers/virtio/virtio_ring.c:2244
 __virtscsi_add_cmd drivers/scsi/virtio_scsi.c:467 [inline]
 virtscsi_add_cmd+0x838/0xad0 drivers/scsi/virtio_scsi.c:501
 virtscsi_queuecommand+0x896/0xa60 drivers/scsi/virtio_scsi.c:598
 scsi_dispatch_cmd drivers/scsi/scsi_lib.c:1516 [inline]
 scsi_queue_rq+0x4874/0x5790 drivers/scsi/scsi_lib.c:1758
 blk_mq_dispatch_rq_list+0x13f8/0x3600 block/blk-mq.c:2049
 __blk_mq_do_dispatch_sched block/blk-mq-sched.c:170 [inline]
 blk_mq_do_dispatch_sched block/blk-mq-sched.c:184 [inline]
 __blk_mq_sched_dispatch_requests+0x10af/0x2500 block/blk-mq-sched.c:309
 blk_mq_sched_dispatch_requests+0x160/0x2d0 block/blk-mq-sched.c:333
 blk_mq_run_work_fn+0xd0/0x280 block/blk-mq.c:2434
 process_one_work kernel/workqueue.c:2627 [inline]
 process_scheduled_works+0x104e/0x1e70 kernel/workqueue.c:2700
 worker_thread+0xf45/0x1490 kernel/workqueue.c:2781
 kthread+0x3ed/0x540 kernel/kthread.c:388
 ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242

Uninit was created at:
 __alloc_pages+0x9a4/0xe00 mm/page_alloc.c:4591
 alloc_pages_mpol+0x62b/0x9d0 mm/mempolicy.c:2133
 alloc_pages mm/mempolicy.c:2204 [inline]
 folio_alloc+0x1da/0x380 mm/mempolicy.c:2211
 filemap_alloc_folio+0xa5/0x430 mm/filemap.c:974
 __filemap_get_folio+0xa5a/0x1760 mm/filemap.c:1918
 ext4_da_write_begin+0x7f8/0xec0 fs/ext4/inode.c:2891
 generic_perform_write+0x3f5/0xc40 mm/filemap.c:3918
 ext4_buffered_write_iter+0x564/0xaa0 fs/ext4/file.c:299
 ext4_file_write_iter+0x20f/0x3460
 __kernel_write_iter+0x329/0x930 fs/read_write.c:517
 dump_emit_page fs/coredump.c:888 [inline]
 dump_user_range+0x593/0xcd0 fs/coredump.c:915
 elf_core_dump+0x528d/0x5a40 fs/binfmt_elf.c:2077
 do_coredump+0x32c9/0x4920 fs/coredump.c:764
 get_signal+0x2185/0x2d10 kernel/signal.c:2890
 arch_do_signal_or_restart+0x53/0xca0 arch/x86/kernel/signal.c:309
 exit_to_user_mode_loop+0xe8/0x320 kernel/entry/common.c:168
 exit_to_user_mode_prepare+0x163/0x220 kernel/entry/common.c:204
 irqentry_exit_to_user_mode+0xd/0x30 kernel/entry/common.c:309
 irqentry_exit+0x16/0x40 kernel/entry/common.c:412
 exc_page_fault+0x246/0x6f0 arch/x86/mm/fault.c:1564
 asm_exc_page_fault+0x2b/0x30 arch/x86/include/asm/idtentry.h:570

Bytes 0-4095 of 4096 are uninitialized
Memory access of size 4096 starts at 88812c79c000

CPU: 0 PID: 997 Comm: kworker/0:1H Not tainted 
6.7.0-rc7-syzkaller-3-gfbafc3e621c3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
11/17/2023
Workqueue: kblockd blk_mq_run_work_fn
=


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply

[syzbot] Monthly trace report (Dec 2023)

2023-12-27 Thread syzbot
Hello trace maintainers/developers,

This is a 31-day syzbot report for the trace subsystem.
All related reports/information can be found at:
https://syzkaller.appspot.com/upstream/s/trace

During the period, 0 new issues were detected and 0 were fixed.
In total, 8 issues are still open and 29 have been fixed so far.

Some of the still happening issues:

Ref Crashes Repro Title
<1> 8166Yes   possible deadlock in task_fork_fair
  https://syzkaller.appspot.com/bug?extid=1a93ee5d329e97cfbaff
<2> 114 Yes   WARNING in format_decode (3)
  https://syzkaller.appspot.com/bug?extid=e2c932aec5c8a6e1d31c
<3> 26  Yes   WARNING in blk_register_tracepoints
  https://syzkaller.appspot.com/bug?extid=c54ded83396afee31eb1
<4> 7   Yes   INFO: task hung in blk_trace_ioctl (4)
  https://syzkaller.appspot.com/bug?extid=ed812ed461471ab17a0c

---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

To disable reminders for individual bugs, reply with the following command:
#syz set  no-reminders

To change bug's subsystems, reply with:
#syz set  subsystems: new-subsystem

You may send multiple commands in a single email message.



Re: [v5.15] WARNING in kvm_arch_vcpu_ioctl_run

2023-12-25 Thread syzbot
This bug is marked as fixed by commit:
KVM: x86: Remove WARN sanity check on hypervisor timer vs. UNINITIALIZED vCPU

But I can't find it in the tested trees[1] for more than 90 days.
Is it a correct commit? Please update it by replying:

#syz fix: exact-commit-title

Until then the bug is still considered open and new crashes with
the same signature are ignored.

Kernel: Linux 5.15
Dashboard link: https://syzkaller.appspot.com/bug?extid=412c9ae97b4338c5187e

---
[1] I expect the commit to be present in:

1. linux-5.15.y branch of
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git



Re: [syzbot] [bpf?] [trace?] possible deadlock in task_fork_fair

2023-12-11 Thread syzbot
syzbot has found a reproducer for the following issue on:

HEAD commit:2ebe81c81435 net, xdp: Allow metadata > 32
git tree:   bpf-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=16687bdee8
kernel config:  https://syzkaller.appspot.com/x/.config?x=f8715b6ede5c4b90
dashboard link: https://syzkaller.appspot.com/bug?extid=1a93ee5d329e97cfbaff
compiler:   gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 
2.40
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=148b2632e8
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=11aae88ee8

Downloadable assets:
disk image: 
https://storage.googleapis.com/syzbot-assets/972e21c08639/disk-2ebe81c8.raw.xz
vmlinux: 
https://storage.googleapis.com/syzbot-assets/c55f0d0739c1/vmlinux-2ebe81c8.xz
kernel image: 
https://storage.googleapis.com/syzbot-assets/4aa04cd001b3/bzImage-2ebe81c8.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+1a93ee5d329e97cfb...@syzkaller.appspotmail.com

FAULT_INJECTION: forcing a failure.
name fail_usercopy, interval 1, probability 0, space 0, times 1
==
WARNING: possible circular locking dependency detected
6.7.0-rc3-syzkaller-00778-g2ebe81c81435 #0 Not tainted
--
syz-executor229/5088 is trying to acquire lock:
8ceb8da0 (console_owner){}-{0:0}, at: console_trylock_spinning 
kernel/printk/printk.c:1962 [inline]
8ceb8da0 (console_owner){}-{0:0}, at: vprintk_emit+0x313/0x5f0 
kernel/printk/printk.c:2302

but task is already holding lock:
8880b983c718 (&rq->__lock){-.-.}-{2:2}, at: 
raw_spin_rq_lock_nested+0x29/0x130 kernel/sched/core.c:558

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #5 (&rq->__lock){-.-.}-{2:2}:
   _raw_spin_lock_nested+0x31/0x40 kernel/locking/spinlock.c:378
   raw_spin_rq_lock_nested+0x29/0x130 kernel/sched/core.c:558
   raw_spin_rq_lock kernel/sched/sched.h:1349 [inline]
   rq_lock kernel/sched/sched.h:1663 [inline]
   task_fork_fair+0x70/0x240 kernel/sched/fair.c:12586
   sched_cgroup_fork+0x3cf/0x510 kernel/sched/core.c:4812
   copy_process+0x4c86/0x73f0 kernel/fork.c:2609
   kernel_clone+0xfd/0x930 kernel/fork.c:2907
   user_mode_thread+0xb4/0xf0 kernel/fork.c:2985
   rest_init+0x27/0x2b0 init/main.c:695
   arch_call_rest_init+0x13/0x30 init/main.c:827
   start_kernel+0x39f/0x480 init/main.c:1072
   x86_64_start_reservations+0x18/0x30 arch/x86/kernel/head64.c:555
   x86_64_start_kernel+0xb2/0xc0 arch/x86/kernel/head64.c:536
   secondary_startup_64_no_verify+0x166/0x16b

-> #4 (&p->pi_lock){-.-.}-{2:2}:
   __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
   _raw_spin_lock_irqsave+0x3a/0x50 kernel/locking/spinlock.c:162
   class_raw_spinlock_irqsave_constructor include/linux/spinlock.h:518 
[inline]
   try_to_wake_up+0xb0/0x13d0 kernel/sched/core.c:4226
   kick_pool+0x253/0x470 kernel/workqueue.c:1142
   create_worker+0x46f/0x730 kernel/workqueue.c:2217
   workqueue_init+0x319/0x830 kernel/workqueue.c:6698
   kernel_init_freeable+0x332/0xc10 init/main.c:1536
   kernel_init+0x1c/0x2a0 init/main.c:1441
   ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
   ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242

-> #3 (&pool->lock){-.-.}-{2:2}:
   __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
   _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
   __queue_work+0x399/0x11f0 kernel/workqueue.c:1763
   queue_work_on+0xed/0x110 kernel/workqueue.c:1834
   queue_work include/linux/workqueue.h:562 [inline]
   rpm_suspend+0x121b/0x16f0 drivers/base/power/runtime.c:660
   rpm_idle+0x578/0x6e0 drivers/base/power/runtime.c:534
   __pm_runtime_idle+0xbe/0x160 drivers/base/power/runtime.c:1102
   pm_runtime_put include/linux/pm_runtime.h:460 [inline]
   __device_attach+0x382/0x4b0 drivers/base/dd.c:1048
   bus_probe_device+0x17c/0x1c0 drivers/base/bus.c:532
   device_add+0x117e/0x1aa0 drivers/base/core.c:3625
   serial_base_port_add+0x353/0x4b0 drivers/tty/serial/serial_base_bus.c:178
   serial_core_port_device_add drivers/tty/serial/serial_core.c:3316 
[inline]
   serial_core_register_port+0x137/0x1af0 
drivers/tty/serial/serial_core.c:3357
   serial8250_register_8250_port+0x140d/0x2080 
drivers/tty/serial/8250/8250_core.c:1139
   serial_pnp_probe+0x47d/0x880 drivers/tty/serial/8250/8250_pnp.c:478
   pnp_device_probe+0x2a3/0x4c0 drivers/pnp/driver.c:111
   call_driver_probe drivers/base/dd.c:579 [inline]
   really_probe+0x234/0xc90 drivers/base/dd.c:658
   __driver_probe_device+0x1de/0x4b0 drivers/base/dd.c:800
   driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:830
   __driver_attach+0x274

Re: [v5.15] WARNING in kvm_arch_vcpu_ioctl_run

2023-12-11 Thread syzbot
This bug is marked as fixed by commit:
KVM: x86: Remove WARN sanity check on hypervisor timer vs. UNINITIALIZED vCPU

But I can't find it in the tested trees[1] for more than 90 days.
Is it a correct commit? Please update it by replying:

#syz fix: exact-commit-title

Until then the bug is still considered open and new crashes with
the same signature are ignored.

Kernel: Linux 5.15
Dashboard link: https://syzkaller.appspot.com/bug?extid=412c9ae97b4338c5187e

---
[1] I expect the commit to be present in:

1. linux-5.15.y branch of
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git



Re: [v5.15] WARNING in kvm_arch_vcpu_ioctl_run

2023-11-26 Thread syzbot
This bug is marked as fixed by commit:
KVM: x86: Remove WARN sanity check on hypervisor timer vs. UNINITIALIZED vCPU

But I can't find it in the tested trees[1] for more than 90 days.
Is it a correct commit? Please update it by replying:

#syz fix: exact-commit-title

Until then the bug is still considered open and new crashes with
the same signature are ignored.

Kernel: Linux 5.15
Dashboard link: https://syzkaller.appspot.com/bug?extid=412c9ae97b4338c5187e

---
[1] I expect the commit to be present in:

1. linux-5.15.y branch of
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git



[syzbot] Monthly trace report (Nov 2023)

2023-11-23 Thread syzbot
Hello trace maintainers/developers,

This is a 31-day syzbot report for the trace subsystem.
All related reports/information can be found at:
https://syzkaller.appspot.com/upstream/s/trace

During the period, 3 new issues were detected and 0 were fixed.
In total, 5 issues are still open and 29 have been fixed so far.

Some of the still happening issues:

Ref Crashes Repro Title
<1> 26  Yes   WARNING in blk_register_tracepoints
  https://syzkaller.appspot.com/bug?extid=c54ded83396afee31eb1
<2> 5   Yes   WARNING in get_probe_ref
  https://syzkaller.appspot.com/bug?extid=8672dcb9d10011c0a160
<3> 1   Nopossible deadlock in sctp_err_lookup
  https://syzkaller.appspot.com/bug?extid=422ecd5adb35122711b7

---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

To disable reminders for individual bugs, reply with the following command:
#syz set  no-reminders

To change bug's subsystems, reply with:
#syz set  subsystems: new-subsystem

You may send multiple commands in a single email message.



[syzbot] [bpf?] [trace?] WARNING in format_decode (3)

2023-11-21 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:76df934c6d5f MAINTAINERS: Add netdev subsystem profile link
git tree:   net
console+strace: https://syzkaller.appspot.com/x/log.txt?x=10c2b66768
kernel config:  https://syzkaller.appspot.com/x/.config?x=84217b7fc4acdc59
dashboard link: https://syzkaller.appspot.com/bug?extid=e2c932aec5c8a6e1d31c
compiler:   gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 
2.40
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=12b2f668e8
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=171ea200e8

Downloadable assets:
disk image: 
https://storage.googleapis.com/syzbot-assets/e271179068c6/disk-76df934c.raw.xz
vmlinux: 
https://storage.googleapis.com/syzbot-assets/b9523b3749bb/vmlinux-76df934c.xz
kernel image: 
https://storage.googleapis.com/syzbot-assets/6c1a888bade0/bzImage-76df934c.xz

The issue was bisected to:

commit 114039b342014680911c35bd6b72624180fd669a
Author: Stanislav Fomichev 
Date:   Mon Nov 21 18:03:39 2022 +

bpf: Move skb->len == 0 checks into __bpf_redirect

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=13d237b768
final oops: https://syzkaller.appspot.com/x/report.txt?x=103237b768
console output: https://syzkaller.appspot.com/x/log.txt?x=17d237b768

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e2c932aec5c8a6e1d...@syzkaller.appspotmail.com
Fixes: 114039b34201 ("bpf: Move skb->len == 0 checks into __bpf_redirect")

[ cut here ]
Please remove unsupported % in format string
WARNING: CPU: 0 PID: 5068 at lib/vsprintf.c:2675 format_decode+0xa03/0xba0 
lib/vsprintf.c:2675
Modules linked in:
CPU: 0 PID: 5068 Comm: syz-executor288 Not tainted 
6.7.0-rc1-syzkaller-00134-g76df934c6d5f #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
11/10/2023
RIP: 0010:format_decode+0xa03/0xba0 lib/vsprintf.c:2675
Code: f7 41 c6 44 24 05 08 e9 c4 fa ff ff e8 c6 f7 15 f7 c6 05 0b bd 91 04 01 
90 48 c7 c7 60 5f 19 8c 40 0f b6 f5 e8 2e 17 dc f6 90 <0f> 0b 90 90 e9 17 fc ff 
ff 48 8b 3c 24 e8 4b 87 6c f7 e9 13 f7 ff
RSP: 0018:c90003b6f798 EFLAGS: 00010286
RAX:  RBX: c90003b6fa0c RCX: 814db209
RDX: 8880214b9dc0 RSI: 814db216 RDI: 0001
RBP:  R08: 0001 R09: 
R10:  R11: 0001 R12: c90003b6f898
R13:  R14:  R15: ffd0
FS:  5567c380() GS:8880b980() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 00f6f398 CR3: 251e7000 CR4: 003506f0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 
 bstr_printf+0x13b/0x1050 lib/vsprintf.c:3248
 bpf_trace_printk kernel/trace/bpf_trace.c:386 [inline]
 bpf_trace_printk+0x10b/0x180 kernel/trace/bpf_trace.c:371
 bpf_prog_12183cdb1cd51dab+0x36/0x3a
 bpf_dispatcher_nop_func include/linux/bpf.h:1196 [inline]
 __bpf_prog_run include/linux/filter.h:651 [inline]
 bpf_prog_run include/linux/filter.h:658 [inline]
 bpf_test_run+0x3e1/0x9e0 net/bpf/test_run.c:423
 bpf_prog_test_run_skb+0xb75/0x1dd0 net/bpf/test_run.c:1045
 bpf_prog_test_run kernel/bpf/syscall.c:4040 [inline]
 __sys_bpf+0x11bf/0x4920 kernel/bpf/syscall.c:5401
 __do_sys_bpf kernel/bpf/syscall.c:5487 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5485 [inline]
 __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5485
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7fefcec014e9
Code: 48 83 c4 28 c3 e8 37 17 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 
89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 
c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:7ffca6179888 EFLAGS: 0246 ORIG_RAX: 0141
RAX: ffda RBX: 7ffca6179a58 RCX: 7fefcec014e9
RDX: 0028 RSI: 2080 RDI: 000a
RBP: 7fefcec74610 R08:  R09: 7ffca6179a58
R10:  R11: 0246 R12: 0001
R13: 7ffca6179a48 R14: 0001 R15: 0001
 


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git 

Re: [syzbot] [kernel?] inconsistent lock state in __lock_task_sighand

2023-11-17 Thread syzbot
syzbot has bisected this issue to:

commit 2d25a889601d2fbc87ec79b30ea315820f874b78
Author: Peter Zijlstra 
Date:   Sun Sep 17 11:24:21 2023 +

ptrace: Convert ptrace_attach() to use lock guards

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=144ac400e8
start commit:   f31817cbcf48 Add linux-next specific files for 20231116
git tree:   linux-next
final oops: https://syzkaller.appspot.com/x/report.txt?x=164ac400e8
console output: https://syzkaller.appspot.com/x/log.txt?x=124ac400e8
kernel config:  https://syzkaller.appspot.com/x/.config?x=f59345f1d0a928c
dashboard link: https://syzkaller.appspot.com/bug?extid=cf93299f5a30fb4c3829
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=125ac3c0e8
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=12c4d79768

Reported-by: syzbot+cf93299f5a30fb4c3...@syzkaller.appspotmail.com
Fixes: 2d25a889601d ("ptrace: Convert ptrace_attach() to use lock guards")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection



[syzbot] [bpf?] [trace?] possible deadlock in dev_watchdog

2023-11-17 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:eff99d8edbed Add linux-next specific files for 20231117
git tree:   linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1155289f68
kernel config:  https://syzkaller.appspot.com/x/.config?x=61991b2630c19677
dashboard link: https://syzkaller.appspot.com/bug?extid=db9ad150a8969744d703
compiler:   gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 
2.40

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: 
https://storage.googleapis.com/syzbot-assets/727bd99b8512/disk-eff99d8e.raw.xz
vmlinux: 
https://storage.googleapis.com/syzbot-assets/4a535e264e50/vmlinux-eff99d8e.xz
kernel image: 
https://storage.googleapis.com/syzbot-assets/23c31e53f4d8/bzImage-eff99d8e.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+db9ad150a8969744d...@syzkaller.appspotmail.com

=
WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected
6.7.0-rc1-next-20231117-syzkaller #0 Not tainted
-
syz-executor.3/8448 [HC0[0]:SC0[2]:HE0:SE0] is trying to acquire:
888031a44a18 (>siglock){+.+.}-{2:2}, at: 
__lock_task_sighand+0xc2/0x340 kernel/signal.c:1422

and this task is already holding:
88802462ccd8 (_xmit_NONE#2){+...}-{2:2}, at: spin_lock 
include/linux/spinlock.h:351 [inline]
88802462ccd8 (_xmit_NONE#2){+...}-{2:2}, at: __netif_tx_lock 
include/linux/netdevice.h:4381 [inline]
88802462ccd8 (_xmit_NONE#2){+...}-{2:2}, at: __dev_direct_xmit+0x431/0x730 
net/core/dev.c:4400
which would create a new lock dependency:
 (_xmit_NONE#2){+...}-{2:2} -> (>siglock){+.+.}-{2:2}

but this new dependency connects a SOFTIRQ-irq-safe lock:
 (>tx_global_lock){+.-.}-{2:2}

... which became SOFTIRQ-irq-safe at:
  lock_acquire kernel/locking/lockdep.c:5753 [inline]
  lock_acquire+0x1b1/0x530 kernel/locking/lockdep.c:5718
  __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
  _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
  spin_lock include/linux/spinlock.h:351 [inline]
  dev_watchdog+0x7f/0x8b0 net/sched/sch_generic.c:500
  call_timer_fn+0x1a0/0x5a0 kernel/time/timer.c:1700
  expire_timers kernel/time/timer.c:1751 [inline]
  __run_timers+0x769/0xb20 kernel/time/timer.c:2022
  run_timer_softirq+0x58/0xd0 kernel/time/timer.c:2035
  __do_softirq+0x216/0x8d5 kernel/softirq.c:553
  invoke_softirq kernel/softirq.c:427 [inline]
  __irq_exit_rcu kernel/softirq.c:632 [inline]
  irq_exit_rcu+0xb5/0x120 kernel/softirq.c:644
  sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1076
  asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:645
  native_safe_halt arch/x86/include/asm/irqflags.h:48 [inline]
  arch_safe_halt arch/x86/include/asm/irqflags.h:86 [inline]
  acpi_safe_halt+0x1a/0x20 drivers/acpi/processor_idle.c:112
  acpi_idle_enter+0xc5/0x160 drivers/acpi/processor_idle.c:707
  cpuidle_enter_state+0x83/0x500 drivers/cpuidle/cpuidle.c:267
  cpuidle_enter+0x4e/0xa0 drivers/cpuidle/cpuidle.c:388
  cpuidle_idle_call kernel/sched/idle.c:215 [inline]
  do_idle+0x314/0x3f0 kernel/sched/idle.c:312
  cpu_startup_entry+0x4f/0x60 kernel/sched/idle.c:410
  rest_init+0x16f/0x2b0 init/main.c:730
  arch_call_rest_init+0x13/0x30 init/main.c:827
  start_kernel+0x39e/0x480 init/main.c:1072
  x86_64_start_reservations+0x18/0x30 arch/x86/kernel/head64.c:555
  x86_64_start_kernel+0xb2/0xc0 arch/x86/kernel/head64.c:536
  secondary_startup_64_no_verify+0x166/0x16b

to a SOFTIRQ-irq-unsafe lock:
 (>siglock){+.+.}-{2:2}

... which became SOFTIRQ-irq-unsafe at:
...
  lock_acquire kernel/locking/lockdep.c:5753 [inline]
  lock_acquire+0x1b1/0x530 kernel/locking/lockdep.c:5718
  __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
  _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
  spin_lock include/linux/spinlock.h:351 [inline]
  class_spinlock_constructor include/linux/spinlock.h:530 [inline]
  ptrace_set_stopped kernel/ptrace.c:391 [inline]
  ptrace_attach+0x401/0x650 kernel/ptrace.c:478
  __do_sys_ptrace+0x204/0x230 kernel/ptrace.c:1290
  do_syscall_x64 arch/x86/entry/common.c:51 [inline]
  do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
  entry_SYSCALL_64_after_hwframe+0x62/0x6a

other info that might help us debug this:

Chain exists of:
  >tx_global_lock --> _xmit_NONE#2 --> >siglock

 Possible interrupt unsafe locking scenario:

   CPU0CPU1
   
  lock(>siglock);
   local_irq_disable();
   lock(>tx_global_lock);
   lock(_xmit_NONE#2);
  
lock(>tx_global_lock);

 *** DEADLOCK ***

3 locks held by syz-executor.3/8448:
 #0: 88802462ccd8 (_xmit_NONE#2){+...}-{2:2}, at: spin_lock 
include/linux/spinlock.h:351 [inli

[syzbot] [bpf?] [trace?] possible deadlock in sctp_err_lookup

2023-11-16 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:f31817cbcf48 Add linux-next specific files for 20231116
git tree:   linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=11a32f9768
kernel config:  https://syzkaller.appspot.com/x/.config?x=f59345f1d0a928c
dashboard link: https://syzkaller.appspot.com/bug?extid=422ecd5adb35122711b7
compiler:   gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 
2.40

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: 
https://storage.googleapis.com/syzbot-assets/987488cb251e/disk-f31817cb.raw.xz
vmlinux: 
https://storage.googleapis.com/syzbot-assets/6d4a82d8bd4b/vmlinux-f31817cb.xz
kernel image: 
https://storage.googleapis.com/syzbot-assets/fc43dee9cb86/bzImage-f31817cb.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+422ecd5adb3512271...@syzkaller.appspotmail.com

=
WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected
6.7.0-rc1-next-20231116-syzkaller #0 Not tainted
-
syz-executor.2/5088 [HC0[0]:SC0[2]:HE0:SE0] is trying to acquire:
888025d21bd8 (>siglock){+.+.}-{2:2}, at: 
__lock_task_sighand+0xc2/0x340 kernel/signal.c:1422

and this task is already holding:
88802dd927b0 (slock-AF_INET6){+.-.}-{2:2}, at: spin_lock 
include/linux/spinlock.h:351 [inline]
88802dd927b0 (slock-AF_INET6){+.-.}-{2:2}, at: __tcp_close+0x4e6/0xfd0 
net/ipv4/tcp.c:2843
which would create a new lock dependency:
 (slock-AF_INET6){+.-.}-{2:2} -> (>siglock){+.+.}-{2:2}

but this new dependency connects a SOFTIRQ-irq-safe lock:
 (slock-AF_INET6){+.-.}-{2:2}

... which became SOFTIRQ-irq-safe at:
  lock_acquire kernel/locking/lockdep.c:5753 [inline]
  lock_acquire+0x1b1/0x530 kernel/locking/lockdep.c:5718
  __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
  _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
  spin_lock include/linux/spinlock.h:351 [inline]
  sctp_err_lookup+0x488/0xb50 net/sctp/input.c:523
  sctp_v6_err+0x201/0x540 net/sctp/ipv6.c:175
  icmpv6_notify+0x337/0x750 net/ipv6/icmp.c:867
  icmpv6_rcv+0x882/0x19c0 net/ipv6/icmp.c:1013
  ip6_protocol_deliver_rcu+0x170/0x13e0 net/ipv6/ip6_input.c:438
  ip6_input_finish+0x14f/0x2f0 net/ipv6/ip6_input.c:483
  NF_HOOK include/linux/netfilter.h:314 [inline]
  NF_HOOK include/linux/netfilter.h:308 [inline]
  ip6_input+0xa1/0xc0 net/ipv6/ip6_input.c:492
  dst_input include/net/dst.h:461 [inline]
  ip6_rcv_finish net/ipv6/ip6_input.c:79 [inline]
  NF_HOOK include/linux/netfilter.h:314 [inline]
  NF_HOOK include/linux/netfilter.h:308 [inline]
  ipv6_rcv+0x24e/0x380 net/ipv6/ip6_input.c:310
  __netif_receive_skb_one_core+0x115/0x180 net/core/dev.c:5529
  __netif_receive_skb+0x1f/0x1b0 net/core/dev.c:5643
  process_backlog+0x101/0x6b0 net/core/dev.c:5971
  __napi_poll.constprop.0+0xb4/0x540 net/core/dev.c:6533
  napi_poll net/core/dev.c:6602 [inline]
  net_rx_action+0x956/0xe90 net/core/dev.c:6735
  __do_softirq+0x216/0x8d5 kernel/softirq.c:553
  do_softirq kernel/softirq.c:454 [inline]
  do_softirq+0xaa/0xe0 kernel/softirq.c:441
  __local_bh_enable_ip+0xfc/0x120 kernel/softirq.c:381
  local_bh_enable include/linux/bottom_half.h:33 [inline]
  icmp6_send+0x7d5/0x2b10 net/ipv6/icmp.c:633
  __icmpv6_send include/linux/icmpv6.h:28 [inline]
  icmpv6_send include/linux/icmpv6.h:49 [inline]
  ip6_pkt_drop+0x1f3/0x860 net/ipv6/route.c:4515
  dst_output include/net/dst.h:451 [inline]
  NF_HOOK include/linux/netfilter.h:314 [inline]
  NF_HOOK include/linux/netfilter.h:308 [inline]
  ip6_xmit+0x1234/0x1cc0 net/ipv6/ip6_output.c:358
  sctp_v6_xmit+0xc1b/0x1110 net/sctp/ipv6.c:248
  sctp_packet_transmit+0x22e1/0x3020 net/sctp/output.c:653
  sctp_packet_singleton+0x19f/0x370 net/sctp/outqueue.c:783
  sctp_outq_flush_ctrl net/sctp/outqueue.c:914 [inline]
  sctp_outq_flush+0x54d/0x3340 net/sctp/outqueue.c:1212
  sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1818 [inline]
  sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline]
  sctp_do_sm+0x178f/0x5c50 net/sctp/sm_sideeffect.c:1169
  sctp_primitive_ASSOCIATE+0x9c/0xc0 net/sctp/primitive.c:73
  __sctp_connect+0x9e9/0xc30 net/sctp/socket.c:1233
  sctp_connect net/sctp/socket.c:4811 [inline]
  sctp_inet_connect+0x15f/0x1f0 net/sctp/socket.c:4826
  __sys_connect_file+0x15b/0x1a0 net/socket.c:2046
  __sys_connect+0x145/0x170 net/socket.c:2063
  __do_sys_connect net/socket.c:2073 [inline]
  __se_sys_connect net/socket.c:2070 [inline]
  __x64_sys_connect+0x72/0xb0 net/socket.c:2070
  do_syscall_x64 arch/x86/entry/common.c:51 [inline]
  do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
  entry_SYSCALL_64_after_hwframe+0x62/0x6a

to a SOFTIRQ-irq-unsafe lock:
 (>siglock){+.+.}-{2:2}

... which became SOFTIRQ-irq-unsafe at:
...
  lock_acquire kernel/locking/lockdep.c:5753 [inline]
  lock_acquire+0x1b1/0x530 kernel/locking

[syzbot] [wpan?] [input?] [usb?] memory leak in hwsim_add_one (2)

2023-09-21 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:e789286468a9 Merge tag 'x86-urgent-2023-09-17' of git://gi..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16db487fa8
kernel config:  https://syzkaller.appspot.com/x/.config?x=943a94479fa8e863
dashboard link: https://syzkaller.appspot.com/bug?extid=d2aa0f55c4ae66a9b75d
compiler:   gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 
2.40
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=15cc837268

Downloadable assets:
disk image: 
https://storage.googleapis.com/syzbot-assets/60bec5b60566/disk-e7892864.raw.xz
vmlinux: 
https://storage.googleapis.com/syzbot-assets/509a449f2ff0/vmlinux-e7892864.xz
kernel image: 
https://storage.googleapis.com/syzbot-assets/36581da19789/bzImage-e7892864.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d2aa0f55c4ae66a9b...@syzkaller.appspotmail.com

BUG: memory leak
unreferenced object 0x8881042a8940 (size 64):
  comm "swapper/0", pid 1, jiffies 4294937901 (age 1085.750s)
  hex dump (first 32 bytes):
00 0d 00 00 00 00 00 00 ff ff ff ff 00 00 00 00  
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
  backtrace:
[] kmalloc_trace+0x25/0x90 mm/slab_common.c:1114
[] kmalloc include/linux/slab.h:599 [inline]
[] kzalloc include/linux/slab.h:720 [inline]
[] hwsim_add_one+0x14a/0x650 
drivers/net/ieee802154/mac802154_hwsim.c:949
[] hwsim_probe+0x23/0xe0 
drivers/net/ieee802154/mac802154_hwsim.c:1022
[] platform_probe+0x83/0x110 drivers/base/platform.c:1404
[] call_driver_probe drivers/base/dd.c:579 [inline]
[] really_probe+0x126/0x440 drivers/base/dd.c:658
[] __driver_probe_device+0xc3/0x190 drivers/base/dd.c:800
[] driver_probe_device+0x2a/0x120 drivers/base/dd.c:830
[] __driver_attach drivers/base/dd.c:1216 [inline]
[] __driver_attach+0x107/0x1f0 drivers/base/dd.c:1156
[] bus_for_each_dev+0xb3/0x110 drivers/base/bus.c:368
[] bus_add_driver+0x126/0x2a0 drivers/base/bus.c:673
[] driver_register+0x85/0x180 drivers/base/driver.c:246
[] hwsim_init_module+0xc6/0x110 
drivers/net/ieee802154/mac802154_hwsim.c:1073
[] do_one_initcall+0x76/0x430 init/main.c:1232
[] do_initcall_level init/main.c:1294 [inline]
[] do_initcalls init/main.c:1310 [inline]
[] do_basic_setup init/main.c:1329 [inline]
[] kernel_init_freeable+0x25a/0x460 init/main.c:1547
[] kernel_init+0x1b/0x290 init/main.c:1437
[] ret_from_fork+0x45/0x50 arch/x86/kernel/process.c:147

BUG: memory leak
unreferenced object 0x8881042a8780 (size 64):
  comm "swapper/0", pid 1, jiffies 4294937902 (age 1085.740s)
  hex dump (first 32 bytes):
00 0d 00 00 00 00 00 00 ff ff ff ff 00 00 00 00  
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
  backtrace:
[] kmalloc_trace+0x25/0x90 mm/slab_common.c:1114
[] kmalloc include/linux/slab.h:599 [inline]
[] kzalloc include/linux/slab.h:720 [inline]
[] hwsim_add_one+0x14a/0x650 
drivers/net/ieee802154/mac802154_hwsim.c:949
[] hwsim_probe+0x46/0xe0 
drivers/net/ieee802154/mac802154_hwsim.c:1022
[] platform_probe+0x83/0x110 drivers/base/platform.c:1404
[] call_driver_probe drivers/base/dd.c:579 [inline]
[] really_probe+0x126/0x440 drivers/base/dd.c:658
[] __driver_probe_device+0xc3/0x190 drivers/base/dd.c:800
[] driver_probe_device+0x2a/0x120 drivers/base/dd.c:830
[] __driver_attach drivers/base/dd.c:1216 [inline]
[] __driver_attach+0x107/0x1f0 drivers/base/dd.c:1156
[] bus_for_each_dev+0xb3/0x110 drivers/base/bus.c:368
[] bus_add_driver+0x126/0x2a0 drivers/base/bus.c:673
[] driver_register+0x85/0x180 drivers/base/driver.c:246
[] hwsim_init_module+0xc6/0x110 
drivers/net/ieee802154/mac802154_hwsim.c:1073
[] do_one_initcall+0x76/0x430 init/main.c:1232
[] do_initcall_level init/main.c:1294 [inline]
[] do_initcalls init/main.c:1310 [inline]
[] do_basic_setup init/main.c:1329 [inline]
[] kernel_init_freeable+0x25a/0x460 init/main.c:1547
[] kernel_init+0x1b/0x290 init/main.c:1437
[] ret_from_fork+0x45/0x50 arch/x86/kernel/process.c:147

BUG: memory leak
unreferenced object 0x8881007cc000 (size 768):
  comm "udevd", pid 4480, jiffies 4295045154 (age 13.270s)
  hex dump (first 32 bytes):
01 00 00 00 03 00 00 00 08 00 00 00 00 00 00 00  
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
  backtrace:
[] alloc_inode_sb include/linux/fs.h:2909 [inline]
[] sock_alloc_inode+0x25/0x90 net/socket.c:308
[] alloc_inode+0x23/0x100 fs/inode.c:259
[] new_inode_pseudo+0x16/0x50 fs/inode.c:1004
[] sock_alloc+0x1b/0x90 net/socket.c:634
[] __sock_create+0xbd/0x2e0 net/socket.c:1516
[] sock_create net/socket.c:1603 [inline]
[] __sys_socket_create net/socket.c:1640 [inline]

[syzbot] WARNING in io_poll_double_wake

2021-04-20 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:1216f02e Add linux-next specific files for 20210415
git tree:   linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=12a322b1d0
kernel config:  https://syzkaller.appspot.com/x/.config?x=3491b04113499f81
dashboard link: https://syzkaller.appspot.com/bug?extid=f2aca089e6f77e5acd46
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=154654c5d0
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=102c0319d0

The issue was bisected to:

commit b69de288e913030082bed3a324ddc58be6c1e983
Author: Jens Axboe 
Date:   Wed Mar 17 14:37:41 2021 +

io_uring: allow events and user_data update of running poll requests

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=12c4b2b6d0
final oops: https://syzkaller.appspot.com/x/report.txt?x=11c4b2b6d0
console output: https://syzkaller.appspot.com/x/log.txt?x=16c4b2b6d0

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+f2aca089e6f77e5ac...@syzkaller.appspotmail.com
Fixes: b69de288e913 ("io_uring: allow events and user_data update of running 
poll requests")

[ cut here ]
WARNING: CPU: 1 PID: 8455 at fs/io_uring.c:1494 req_ref_put fs/io_uring.c:1494 
[inline]
WARNING: CPU: 1 PID: 8455 at fs/io_uring.c:1494 req_ref_put fs/io_uring.c:1492 
[inline]
WARNING: CPU: 1 PID: 8455 at fs/io_uring.c:1494 io_poll_double_wake+0x516/0x770 
fs/io_uring.c:4943
Modules linked in:
CPU: 1 PID: 8455 Comm: syz-executor676 Not tainted 
5.12.0-rc7-next-20210415-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011
RIP: 0010:req_ref_put fs/io_uring.c:1494 [inline]
RIP: 0010:req_ref_put fs/io_uring.c:1492 [inline]
RIP: 0010:io_poll_double_wake+0x516/0x770 fs/io_uring.c:4943
Code: e8 1f 4c dc ff f0 ff 4d 5c 0f 94 c3 31 ff 89 de e8 7f 92 97 ff 84 db b8 
01 00 00 00 0f 84 57 fc ff ff 89 04 24 e8 ba 8b 97 ff <0f> 0b 8b 04 24 e9 45 fc 
ff ff e8 ab 8b 97 ff 49 89 ec e9 83 fb ff
RSP: 0018:c9000172fad8 EFLAGS: 00010093
RAX:  RBX: 0001 RCX: 
RDX: 88801adbb900 RSI: 81dcec86 RDI: 0003
RBP: 8880125ac8c0 R08: 0001 R09: 0001
R10: 81dcec71 R11:  R12: 8880125ac91c
R13:  R14: 8880125ac8f0 R15: 888014ed6820
FS:  015a73c0() GS:8880b9d0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 004af100 CR3: 1eb33000 CR4: 001506e0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 __wake_up_common+0x147/0x650 kernel/sched/wait.c:108
 __wake_up_common_lock+0xd0/0x130 kernel/sched/wait.c:138
 tty_ldisc_lock+0x55/0xb0 drivers/tty/tty_ldisc.c:336
 tty_ldisc_hangup+0x200/0x680 drivers/tty/tty_ldisc.c:752
 __tty_hangup.part.0+0x40a/0x870 drivers/tty/tty_io.c:639
 __tty_hangup drivers/tty/tty_io.c:595 [inline]
 tty_vhangup drivers/tty/tty_io.c:712 [inline]
 tty_ioctl+0xf6a/0x1600 drivers/tty/tty_io.c:2746
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:1069 [inline]
 __se_sys_ioctl fs/ioctl.c:1055 [inline]
 __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:1055
 do_syscall_64+0x3a/0xb0 arch/x86/entry/common.c:47
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4408a9
Code: 1b 01 00 85 c0 b8 00 00 00 00 48 0f 44 c3 5b c3 90 48 89 f8 48 89 f7 48 
89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 
c3 48 c7 c1 c4 ff ff ff f7 d8 64 89 01 48
RSP: 002b:7ffeb1a62488 EFLAGS: 0246 ORIG_RAX: 0010
RAX: ffda RBX: 0003 RCX: 004408a9
RDX:  RSI: 5437 RDI: 0005
RBP: 7ffeb1a624b8 R08: 000e R09: 7ffeb1a624e0
R10:  R11: 0246 R12: 7ffeb1a624e0
R13:  R14: 004af018 R15: 00400488


---
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches


[syzbot] KASAN: use-after-free Write in ext4_put_super

2021-04-20 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:2f7b98d1 Merge tag 'drm-fixes-2021-04-16' of git://anongit..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14299cb6d0
kernel config:  https://syzkaller.appspot.com/x/.config?x=398c4d0fe6f66e68
dashboard link: https://syzkaller.appspot.com/bug?extid=2c925312fddc3493aff7

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+2c925312fddc3493a...@syzkaller.appspotmail.com

==
BUG: KASAN: use-after-free in instrument_atomic_read_write 
include/linux/instrumented.h:101 [inline]
BUG: KASAN: use-after-free in atomic_fetch_add_relaxed 
include/asm-generic/atomic-instrumented.h:142 [inline]
BUG: KASAN: use-after-free in __refcount_add include/linux/refcount.h:193 
[inline]
BUG: KASAN: use-after-free in __refcount_inc include/linux/refcount.h:250 
[inline]
BUG: KASAN: use-after-free in refcount_inc include/linux/refcount.h:267 [inline]
BUG: KASAN: use-after-free in get_task_struct include/linux/sched/task.h:104 
[inline]
BUG: KASAN: use-after-free in kthread_stop+0x90/0x720 kernel/kthread.c:616
Write of size 4 at addr 8880655f1c68 by task syz-executor.0/8403

CPU: 1 PID: 8403 Comm: syz-executor.0 Not tainted 5.12.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x141/0x1d7 lib/dump_stack.c:120
 print_address_description.constprop.0.cold+0x5b/0x2f8 mm/kasan/report.c:232
 __kasan_report mm/kasan/report.c:399 [inline]
 kasan_report.cold+0x7c/0xd8 mm/kasan/report.c:416
 check_region_inline mm/kasan/generic.c:180 [inline]
 kasan_check_range+0x13d/0x180 mm/kasan/generic.c:186
 instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
 atomic_fetch_add_relaxed include/asm-generic/atomic-instrumented.h:142 [inline]
 __refcount_add include/linux/refcount.h:193 [inline]
 __refcount_inc include/linux/refcount.h:250 [inline]
 refcount_inc include/linux/refcount.h:267 [inline]
 get_task_struct include/linux/sched/task.h:104 [inline]
 kthread_stop+0x90/0x720 kernel/kthread.c:616
 ext4_put_super+0x926/0x10c0 fs/ext4/super.c:1248
 generic_shutdown_super+0x144/0x370 fs/super.c:464
 kill_block_super+0x97/0xf0 fs/super.c:1394
 deactivate_locked_super+0x94/0x160 fs/super.c:335
 deactivate_super+0xad/0xd0 fs/super.c:366
 cleanup_mnt+0x3a3/0x530 fs/namespace.c:1136
 task_work_run+0xdd/0x1a0 kernel/task_work.c:140
 tracehook_notify_resume include/linux/tracehook.h:189 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:174 [inline]
 exit_to_user_mode_prepare+0x249/0x250 kernel/entry/common.c:208
 __syscall_exit_to_user_mode_work kernel/entry/common.c:290 [inline]
 syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:301
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4678b7
Code: ff d0 48 89 c7 b8 3c 00 00 00 0f 05 48 c7 c1 bc ff ff ff f7 d8 64 89 01 
48 83 c8 ff c3 66 0f 1f 44 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 
c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:7ffdd26bfbf8 EFLAGS: 0246 ORIG_RAX: 00a6
RAX:  RBX:  RCX: 004678b7
RDX: 7ffdd26bfccb RSI: 0002 RDI: 7ffdd26bfcc0
RBP: 7ffdd26bfcc0 R08:  R09: 7ffdd26bfa90
R10: 026228e3 R11: 0246 R12: 004bebb2
R13: 7ffdd26c0d90 R14: 02622810 R15: 7ffdd26c0dd0

Allocated by task 2:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:427 [inline]
 __kasan_slab_alloc+0x75/0x90 mm/kasan/common.c:460
 kasan_slab_alloc include/linux/kasan.h:223 [inline]
 slab_post_alloc_hook mm/slab.h:516 [inline]
 slab_alloc_node mm/slub.c:2907 [inline]
 kmem_cache_alloc_node+0x164/0x3b0 mm/slub.c:2943
 alloc_task_struct_node kernel/fork.c:170 [inline]
 dup_task_struct kernel/fork.c:860 [inline]
 copy_process+0x613/0x71a0 kernel/fork.c:1948
 kernel_clone+0xe7/0xab0 kernel/fork.c:2500
 kernel_thread+0xb5/0xf0 kernel/fork.c:2552
 create_kthread kernel/kthread.c:315 [inline]
 kthreadd+0x52a/0x790 kernel/kthread.c:658
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

Freed by task 12218:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track+0x1c/0x30 mm/kasan/common.c:46
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:357
 kasan_slab_free mm/kasan/common.c:360 [inline]
 kasan_slab_free mm/kasan/common.c:325 [inline]
 __kasan_slab_free+0xf5/0x130 mm/kasan/common.c:367
 kasan_slab_free include/linux/kasan.h:199 [inline]
 slab_free_hook mm/slub.c:1562 [inline]
 slab_free_freelist_hook+0x92/0x210 mm/slub.c:1600
 slab_free mm/slub.c:3161 [inline]
 kmem_cache_free+0x8a/0x740 mm/slub.c:3177
 __put_task_struct+0x267/0x3f0 kernel/

[syzbot] WARNING in atp_close (2)

2021-04-20 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:1216f02e Add linux-next specific files for 20210415
git tree:   linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=137dbb9ad0
kernel config:  https://syzkaller.appspot.com/x/.config?x=3491b04113499f81
dashboard link: https://syzkaller.appspot.com/bug?extid=e03dc56b8ee7ec4b4dfd

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e03dc56b8ee7ec4b4...@syzkaller.appspotmail.com

[ cut here ]
WARNING: CPU: 1 PID: 18911 at kernel/workqueue.c:3043 __flush_work+0x8f4/0xad0 
kernel/workqueue.c:3043
Modules linked in:
CPU: 1 PID: 18911 Comm: syz-executor.2 Not tainted 
5.12.0-rc7-next-20210415-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011
RIP: 0010:__flush_work+0x8f4/0xad0 kernel/workqueue.c:3043
Code: e3 08 48 0f ba 28 03 48 8b 95 70 fe ff ff 81 cb e0 01 00 00 e9 7e fa ff 
ff e8 68 4e 29 00 0f 0b e9 2e fc ff ff e8 5c 4e 29 00 <0f> 0b 45 31 f6 e9 1f fc 
ff ff e8 0d 0b 6e 00 e9 07 fb ff ff e8 43
RSP: 0018:c90001a7fb48 EFLAGS: 00010212
RAX: f9f3 RBX: dc00 RCX: c9000daae000
RDX: 0004 RSI: 814b29e4 RDI: 0003
RBP: c90001a7fcd8 R08:  R09: 0001
R10: 814b2196 R11:  R12: 0001
R13: 19200034ff9e R14: 0001 R15: 88801d9d1c80
FS:  7f53abfa1700() GS:8880b9c0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 02f16708 CR3: 1e366000 CR4: 001526f0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 __cancel_work_timer+0x3f9/0x570 kernel/workqueue.c:3139
 atp_close+0x5e/0xa0 drivers/input/mouse/appletouch.c:812
 input_close_device+0x156/0x1f0 drivers/input/input.c:687
 evdev_close_device drivers/input/evdev.c:414 [inline]
 evdev_release+0x34c/0x410 drivers/input/evdev.c:456
 __fput+0x288/0x920 fs/file_table.c:280
 task_work_run+0xdd/0x1a0 kernel/task_work.c:164
 tracehook_notify_resume include/linux/tracehook.h:189 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:174 [inline]
 exit_to_user_mode_prepare+0x272/0x280 kernel/entry/common.c:208
 __syscall_exit_to_user_mode_work kernel/entry/common.c:290 [inline]
 syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:301
 do_syscall_64+0x47/0xb0 arch/x86/entry/common.c:57
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x419544
Code: 84 00 00 00 00 00 44 89 54 24 0c e8 96 f9 ff ff 44 8b 54 24 0c 44 89 e2 
48 89 ee 41 89 c0 bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 77 34 
44 89 c7 89 44 24 0c e8 c8 f9 ff ff 8b 44
RSP: 002b:7f53abfa0cc0 EFLAGS: 0293 ORIG_RAX: 0101
RAX: ffea RBX: 6667 RCX: 00419544
RDX: 00024200 RSI: 7f53abfa0d60 RDI: ff9c
RBP: 7f53abfa0d60 R08:  R09: 
R10:  R11: 0293 R12: 00024200
R13: 7ffdda3a06af R14: 7f53abfa1300 R15: 00022000




Re: [syzbot] INFO: task hung in perf_event_free_task

2021-04-20 Thread syzbot
syzbot has found a reproducer for the following issue on:

HEAD commit:7af08140 Revert "gcov: clang: fix clang-11+ build"
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15416871d0
kernel config:  https://syzkaller.appspot.com/x/.config?x=c0a6882014fd3d45
dashboard link: https://syzkaller.appspot.com/bug?extid=7692cea7450c97fa2a0a
compiler:   Debian clang version 11.0.1-2
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=145c9ffed0
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=12de31ded0

The issue was bisected to:

commit 1cf8dfe8a661f0462925df943140e9f6d1ea5233
Author: Peter Zijlstra 
Date:   Sat Jul 13 09:21:25 2019 +

perf/core: Fix race between close() and fork()

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=1523f40c60
final oops: https://syzkaller.appspot.com/x/report.txt?x=1723f40c60
console output: https://syzkaller.appspot.com/x/log.txt?x=1323f40c60

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+7692cea7450c97fa2...@syzkaller.appspotmail.com
Fixes: 1cf8dfe8a661 ("perf/core: Fix race between close() and fork()")

INFO: task syz-executor890:6628 blocked for more than 143 seconds.
  Not tainted 5.12.0-rc8-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor890 state:D stack:25968 pid: 6628 ppid:  8391 flags:0x4004
Call Trace:
 context_switch kernel/sched/core.c:4322 [inline]
 __schedule+0xa4d/0xf80 kernel/sched/core.c:5073
 schedule+0x14b/0x200 kernel/sched/core.c:5152
 perf_event_free_task+0x575/0x6a0 kernel/events/core.c:12623
 copy_process+0x418f/0x57e0 kernel/fork.c:2376
 kernel_clone+0x21a/0x7d0 kernel/fork.c:2500
 __do_sys_clone kernel/fork.c:2617 [inline]
 __se_sys_clone kernel/fork.c:2601 [inline]
 __x64_sys_clone+0x236/0x2b0 kernel/fork.c:2601
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x44b6e9
RSP: 002b:7fd6c1512208 EFLAGS: 0246 ORIG_RAX: 0038
RAX: ffda RBX: 004d7288 RCX: 0044b6e9
RDX:  RSI:  RDI: 22086605
RBP: 004d7280 R08:  R09: 
R10:  R11: 0246 R12: 004d728c
R13: 7ffc3bab65ef R14: 7fd6c1512300 R15: 00022000

Showing all locks held in the system:
1 lock held by khungtaskd/1623:
 #0: 8cd10280 (rcu_read_lock){}-{1:2}, at: 
rcu_lock_acquire+0x0/0x30 arch/x86/pci/mmconfig_64.c:151
2 locks held by systemd-journal/4819:
1 lock held by in:imklog/8079:
 #0: 8880163265f0 (>f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0x24e/0x2f0 
fs/file.c:974
2 locks held by syz-executor890/6495:

=

NMI backtrace for cpu 1
CPU: 1 PID: 1623 Comm: khungtaskd Not tainted 5.12.0-rc8-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x202/0x31e lib/dump_stack.c:120
 nmi_cpu_backtrace+0x16c/0x190 lib/nmi_backtrace.c:105
 nmi_trigger_cpumask_backtrace+0x191/0x2f0 lib/nmi_backtrace.c:62
 trigger_all_cpu_backtrace include/linux/nmi.h:146 [inline]
 check_hung_uninterruptible_tasks kernel/hung_task.c:209 [inline]
 watchdog+0xcfb/0xd40 kernel/hung_task.c:294
 kthread+0x39a/0x3c0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 PID: 6495 Comm: syz-executor890 Not tainted 5.12.0-rc8-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011
RIP: 0010:orc_find arch/x86/kernel/unwind_orc.c:155 [inline]
RIP: 0010:unwind_next_frame+0x184/0x1f90 arch/x86/kernel/unwind_orc.c:443
Code: 89 7c 24 70 0f 84 1a 01 00 00 48 c7 c0 00 00 00 81 49 39 c4 0f 82 16 01 
00 00 48 c7 c0 52 83 e0 89 49 39 c4 0f 83 06 01 00 00 <48> c7 c0 00 00 00 81 4c 
89 e5 48 29 c5 48 c1 ed 08 48 c7 c0 e8 8d
RSP: :c9000dd5f720 EFLAGS: 0087
RAX: 89e08352 RBX: c9000dd5f828 RCX: 9031ab03
RDX: c9000dd5fc20 RSI: 814e6de0 RDI: 0001
RBP: c9000dd5f815 R08: 0003 R09: c9000dd5f8b0
R10: f52001babf08 R11:  R12: 814e6ddf
R13: c9000dd5f7e0 R14: dc00 R15: 192001babf02
FS:  7fd6c1512700() GS:8880b9c0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 00022000 CR3: 34d8b000 CR4: 001506f0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 arch_stack_walk+0xb2/0xe0 arch/x86/kernel/stacktrace.c:25
 stack_trace_save+0x104/0x1e0 kernel/stacktrace.c:121
 kasan_save_stack mm/kasan/comm

[syzbot] KASAN: use-after-free Read in sctp_do_8_2_transport_strike

2021-04-19 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:bf05bf16 Linux 5.12-rc8
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16a00dfed0
kernel config:  https://syzkaller.appspot.com/x/.config?x=9404cfa686df2c05
dashboard link: https://syzkaller.appspot.com/bug?extid=bbe538efd1046586f587

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+bbe538efd1046586f...@syzkaller.appspotmail.com

==
BUG: KASAN: use-after-free in 
sctp_do_8_2_transport_strike.constprop.0+0xa27/0xab0 
net/sctp/sm_sideeffect.c:531
Read of size 4 at addr 888024d65154 by task swapper/1/0

CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.12.0-rc8-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x141/0x1d7 lib/dump_stack.c:120
 print_address_description.constprop.0.cold+0x5b/0x2f8 mm/kasan/report.c:232
 __kasan_report mm/kasan/report.c:399 [inline]
 kasan_report.cold+0x7c/0xd8 mm/kasan/report.c:416
 sctp_do_8_2_transport_strike.constprop.0+0xa27/0xab0 net/sctp/sm_sideeffect.c:531
 sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1636 [inline]
 sctp_side_effects net/sctp/sm_sideeffect.c:1185 [inline]
 sctp_do_sm+0x114f/0x5120 net/sctp/sm_sideeffect.c:1156
 sctp_generate_timeout_event+0x1bb/0x3d0 net/sctp/sm_sideeffect.c:295
 call_timer_fn+0x1a5/0x6b0 kernel/time/timer.c:1431
 expire_timers kernel/time/timer.c:1476 [inline]
 __run_timers.part.0+0x67c/0xa50 kernel/time/timer.c:1745
 __run_timers kernel/time/timer.c:1726 [inline]
 run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1758
 __do_softirq+0x29b/0x9f6 kernel/softirq.c:345
 invoke_softirq kernel/softirq.c:221 [inline]
 __irq_exit_rcu kernel/softirq.c:422 [inline]
 irq_exit_rcu+0x134/0x200 kernel/softirq.c:434
 sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1100
 
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:632
RIP: 0010:native_save_fl arch/x86/include/asm/irqflags.h:29 [inline]
RIP: 0010:arch_local_save_flags arch/x86/include/asm/irqflags.h:70 [inline]
RIP: 0010:arch_irqs_disabled arch/x86/include/asm/irqflags.h:137 [inline]
RIP: 0010:acpi_safe_halt drivers/acpi/processor_idle.c:112 [inline]
RIP: 0010:acpi_idle_do_entry+0x1c9/0x250 drivers/acpi/processor_idle.c:517
 acpi_idle_enter+0x361/0x500 drivers/acpi/processor_idle.c:652
 cpuidle_enter_state+0x1b1/0xc80 drivers/cpuidle/cpuidle.c:237
 cpuidle_enter+0x4a/0xa0 drivers/cpuidle/cpuidle.c:351
 call_cpuidle kernel/sched/idle.c:158 [inline]
 cpuidle_idle_call kernel/sched/idle.c:239 [inline]
 do_idle+0x3e1/0x590 kernel/sched/idle.c:300
 cpu_startup_entry+0x14/0x20 kernel/sched/idle.c:397
 start_secondary+0x274/0x350 arch/x86/kernel/smpboot.c:272
 secondary_startup_64_no_verify+0xb0/0xbb

Allocated by task 14433:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:427 [inline]
 kasan_kmalloc mm/kasan/common.c:506 [inline]
 kasan_kmalloc mm/kasan/common.c:465 [inline]
 __kasan_kmalloc+0x99/0xc0 mm/kasan/common.c:515
 kmalloc include/linux/slab.h:554 [inline]
 kzalloc include/linux/slab.h:684 [inline]
 sctp_transport_new+0x8c/0x690 net/sctp/transport.c:96
 sctp_assoc_add_peer+0x28f/0x1160 net/sctp/associola.c:618
 sctp_process_init+0x12a/0x2940 net/sctp/sm_make_chunk.c:2345
 sctp_sf_do_dupcook_a net/sctp/sm_statefuns.c:1800 [inline]
 sctp_sf_do_5_2_4_dupcook+0x1401/0x2d50 net/sctp/sm_statefuns.c:2200
 sctp_do_sm+0x179/0x5120 net/sctp/sm_sideeffect.c:1153
 sctp_assoc_bh_rcv+0x386/0x6c0 net/sctp/associola.c:1048
 sctp_inq_push+0x1da/0x270 net/sctp/inqueue.c:80
 sctp_rcv+0xf64/0x2f10 net/sctp/input.c:256
 sctp6_rcv+0x38/0x60 net/sctp/ipv6.c:1077
 ip6_protocol_deliver_rcu+0x2e9/0x17f0 net/ipv6/ip6_input.c:422
 ip6_input_finish+0x7f/0x160 net/ipv6/ip6_input.c:463
 NF_HOOK include/linux/netfilter.h:301 [inline]
 NF_HOOK include/linux/netfilter.h:295 [inline]
 ip6_input+0x9c/0xd0 net/ipv6/ip6_input.c:472
 dst_input include/net/dst.h:458 [inline]
 ip6_rcv_finish net/ipv6/ip6_input.c:76 [inline]
 NF_HOOK include/linux/netfilter.h:301 [inline]
 NF_HOOK include/linux/netfilter.h:295 [inline]
 ipv6_rcv+0x28e/0x3

Re: [syzbot] INFO: task hung in __io_uring_cancel

2021-04-19 Thread syzbot
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: null-ptr-deref Write in io_uring_cancel_sqpoll

==
BUG: KASAN: null-ptr-deref in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
BUG: KASAN: null-ptr-deref in atomic_inc include/asm-generic/atomic-instrumented.h:240 [inline]
BUG: KASAN: null-ptr-deref in io_uring_cancel_sqpoll+0x150/0x310 fs/io_uring.c:8930
Write of size 4 at addr 0114 by task iou-sqp-31588/31596

CPU: 0 PID: 31596 Comm: iou-sqp-31588 Not tainted 5.12.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x141/0x1d7 lib/dump_stack.c:120
 __kasan_report mm/kasan/report.c:403 [inline]
 kasan_report.cold+0x5f/0xd8 mm/kasan/report.c:416
 check_region_inline mm/kasan/generic.c:180 [inline]
 kasan_check_range+0x13d/0x180 mm/kasan/generic.c:186
 instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
 atomic_inc include/asm-generic/atomic-instrumented.h:240 [inline]
 io_uring_cancel_sqpoll+0x150/0x310 fs/io_uring.c:8930
 io_sq_thread+0x47e/0x1310 fs/io_uring.c:6873
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
==
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 31596 Comm: iou-sqp-31588 Tainted: GB 5.12.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x141/0x1d7 lib/dump_stack.c:120
 panic+0x306/0x73d kernel/panic.c:231
 end_report mm/kasan/report.c:102 [inline]
 end_report.cold+0x5a/0x5a mm/kasan/report.c:88
 __kasan_report mm/kasan/report.c:406 [inline]
 kasan_report.cold+0x6a/0xd8 mm/kasan/report.c:416
 check_region_inline mm/kasan/generic.c:180 [inline]
 kasan_check_range+0x13d/0x180 mm/kasan/generic.c:186
 instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
 atomic_inc include/asm-generic/atomic-instrumented.h:240 [inline]
 io_uring_cancel_sqpoll+0x150/0x310 fs/io_uring.c:8930
 io_sq_thread+0x47e/0x1310 fs/io_uring.c:6873
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
Kernel Offset: disabled
Rebooting in 86400 seconds..


Tested on:

commit: 734551df io_uring: fix shared sqpoll cancellation hangs
git tree:   git://git.kernel.dk/linux-block for-5.13/io_uring
console output: https://syzkaller.appspot.com/x/log.txt?x=175fec6dd0
kernel config:  https://syzkaller.appspot.com/x/.config?x=601d16d8cd22e315
dashboard link: https://syzkaller.appspot.com/bug?extid=47fc00967b06a3019bd2
compiler:   



[syzbot] INFO: task hung in __io_uring_cancel

2021-04-19 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:    1216f02e Add linux-next specific files for 20210415
git tree:   linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=130bbeded0
kernel config:  https://syzkaller.appspot.com/x/.config?x=3491b04113499f81
dashboard link: https://syzkaller.appspot.com/bug?extid=47fc00967b06a3019bd2
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=14734dc5d0
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16dfaf65d0

The issue was bisected to:

commit d9d05217cb6990b9a56e13b56e7a1b71e2551f6c
Author: Pavel Begunkov 
Date:   Fri Jan 8 20:57:25 2021 +

io_uring: stop SQPOLL submit on creator's death

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=11b86f9ad0
final oops: https://syzkaller.appspot.com/x/report.txt?x=13b86f9ad0
console output: https://syzkaller.appspot.com/x/log.txt?x=15b86f9ad0

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+47fc00967b06a3019...@syzkaller.appspotmail.com
Fixes: d9d05217cb69 ("io_uring: stop SQPOLL submit on creator's death")

INFO: task iou-sqp-8700:8701 blocked for more than 143 seconds.
  Not tainted 5.12.0-rc7-next-20210415-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:iou-sqp-8700 state:D stack:28960 pid: 8701 ppid:  8414 flags:0x4004
Call Trace:
 context_switch kernel/sched/core.c:4329 [inline]
 __schedule+0x917/0x2170 kernel/sched/core.c:5079
 schedule+0xcf/0x270 kernel/sched/core.c:5158
 __io_uring_cancel+0x285/0x420 fs/io_uring.c:8977
 io_uring_files_cancel include/linux/io_uring.h:16 [inline]
 do_exit+0x299/0x2a70 kernel/exit.c:780
 io_sq_thread+0x60a/0x1340 fs/io_uring.c:6873
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

Showing all locks held in the system:
1 lock held by khungtaskd/1653:
 #0: 8bf76560 (rcu_read_lock){}-{1:2}, at: debug_show_all_locks+0x53/0x260 kernel/locking/lockdep.c:6333
1 lock held by in:imklog/8133:
 #0: 888013088370 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0xe9/0x100 fs/file.c:990

=

NMI backtrace for cpu 1
CPU: 1 PID: 1653 Comm: khungtaskd Not tainted 5.12.0-rc7-next-20210415-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x141/0x1d7 lib/dump_stack.c:120
 nmi_cpu_backtrace.cold+0x44/0xd7 lib/nmi_backtrace.c:105
 nmi_trigger_cpumask_backtrace+0x1b3/0x230 lib/nmi_backtrace.c:62
 trigger_all_cpu_backtrace include/linux/nmi.h:146 [inline]
 check_hung_uninterruptible_tasks kernel/hung_task.c:253 [inline]
 watchdog+0xd3b/0xf50 kernel/hung_task.c:338
 kthread+0x3b1/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 PID: 7 Comm: kworker/0:1 Not tainted 5.12.0-rc7-next-20210415-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events toggle_allocation_gate
RIP: 0010:__preempt_count_sub arch/x86/include/asm/preempt.h:85 [inline]
RIP: 0010:preempt_count_sub+0x56/0x150 kernel/sched/core.c:4772
Call Trace:
 flush_tlb_mm_range+0x111/0x230 arch/x86/mm/tlb.c:957
 __text_poke+0x590/0x8c0 arch/x86/kernel/alternative.c:837
 text_poke_bp_batch+0x3d7/0x560 arch/x86/kernel/alternative.c:1150
 text_poke_flush arch/x86/kernel/alternative.c:1240 [inline]
 text_poke_flush arch/x86/kernel/alternative.c:1237 [inline]
 text_poke_finish+0x16/0x30 arch/x86/kernel/alternative.c:1247
 arch_jump_label_transform_apply+0x13/0x20 arch/x86/kernel/jump_label.c:122
 jump_label_update+0x1da/0x400 kernel/jump_label.c:825
 static_key_enable_cpuslocked+0x1b1/0x260 kernel/jump_label.c:177
 static_key_enable+0x16/0x20 kernel/jump_label.c:190
 toggle_allocation_gate mm/kfence/core.c:610 [inline]
 toggle_allocation_gate+0xbf/0x2e0 mm/kfence/core.c:602
 process_one_work+0x98d/0x1600 kernel/workq

Re: [syzbot] WARNING in __percpu_ref_exit (2)

2021-04-19 Thread syzbot
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+d6218cb2fae0b2411...@syzkaller.appspotmail.com

Tested on:

commit: 75c4021a io_uring: check register restriction afore quiesce
git tree:   git://git.kernel.dk/linux-block for-5.13/io_uring
kernel config:  https://syzkaller.appspot.com/x/.config?x=1dfd9a1e63100694
dashboard link: https://syzkaller.appspot.com/bug?extid=d6218cb2fae0b2411e9d
compiler:   

Note: testing is done by a robot and is best-effort only.


Re: [syzbot] KASAN: use-after-free Read in __cpuhp_state_remove_instance

2021-04-19 Thread syzbot
syzbot suspects this issue was fixed by commit:

commit 470ec4ed8c91b4db398ad607c700e9ce88365202
Author: Jens Axboe 
Date:   Fri Feb 26 17:20:34 2021 +

io-wq: fix double put of 'wq' in error path

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=11e89cc5d0
start commit:   cee407c5 Merge tag 'for-linus' of git://git.kernel.org/pub..
git tree:   upstream
kernel config:  https://syzkaller.appspot.com/x/.config?x=8f67201de02a572b
dashboard link: https://syzkaller.appspot.com/bug?extid=38769495e847cea2dcca
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=154e360ad0

If the result looks correct, please mark the issue as fixed by replying with:

#syz fix: io-wq: fix double put of 'wq' in error path

For information about bisection process see: https://goo.gl/tpsmEJ#bisection


[syzbot] WARNING in kthread_is_per_cpu

2021-04-19 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:    1216f02e Add linux-next specific files for 20210415
git tree:   linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1032ba29d0
kernel config:  https://syzkaller.appspot.com/x/.config?x=3491b04113499f81
dashboard link: https://syzkaller.appspot.com/bug?extid=9362b31a2e0cad8b749d

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+9362b31a2e0cad8b7...@syzkaller.appspotmail.com

[ cut here ]
WARNING: CPU: 1 PID: 23550 at kernel/kthread.c:83 to_kthread kernel/kthread.c:83 [inline]
WARNING: CPU: 1 PID: 23550 at kernel/kthread.c:83 kthread_is_per_cpu+0xc4/0xf0 kernel/kthread.c:519
Modules linked in:
CPU: 1 PID: 23550 Comm: syz-executor.3 Not tainted 5.12.0-rc7-next-20210415-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:to_kthread kernel/kthread.c:83 [inline]
RIP: 0010:kthread_is_per_cpu+0xc4/0xf0 kernel/kthread.c:519
Call Trace:
 
 can_migrate_task+0x124/0x1630 kernel/sched/fair.c:7610
 detach_tasks kernel/sched/fair.c:7774 [inline]
 load_balance+0xc72/0x2730 kernel/sched/fair.c:9696
 rebalance_domains+0x668/0xda0 kernel/sched/fair.c:10075
 __do_softirq+0x29b/0x9fe kernel/softirq.c:559
 invoke_softirq kernel/softirq.c:433 [inline]
 __irq_exit_rcu+0x136/0x200 kernel/softirq.c:637
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:649
 sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1100
 
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:632
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:161 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0x38/0x70 kernel/locking/spinlock.c:191
 spin_unlock_irqrestore include/linux/spinlock.h:414 [inline]
 pcpu_alloc+0x4f7/0x17a0 mm/percpu.c:1807
 vlan_dev_init+0x9f9/0xe70 net/8021q/vlan_dev.c:614
 register_netdevice+0x51e/0x1500 net/core/dev.c:10188
 register_vlan_dev+0x360/0x960 net/8021q/vlan.c:179
 vlan_newlink+0x477/0x700 net/8021q/vlan_netlink.c:187
 __rtnl_newlink+0x1062/0x1710 net/core/rtnetlink.c:3452
 rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3500
 rtnetlink_rcv_msg+0x413/0xaf0 net/core/rtnetlink.c:5562
 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2502
 netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
 netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338
 netlink_sendmsg+0x84c/0xd90 net/netlink/af_netlink.c:1927
 sock_sendmsg_nosec net/socket.c:654 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:674
 sys_sendmsg+0x6e8/0x810 net/socket.c:2350
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2404
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433
 do_syscall_64+0x3a/0xb0 arch/x86/entry/common.c:47
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x466459


---

[syzbot] INFO: rcu detected stall in tx

2021-04-19 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:    50987bec Merge tag 'trace-v5.12-rc7' of git://git.kernel.o..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1065c5fcd0
kernel config:  https://syzkaller.appspot.com/x/.config?x=398c4d0fe6f66e68
dashboard link: https://syzkaller.appspot.com/bug?extid=e2eae5639e7203360018

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e2eae5639e7203360...@syzkaller.appspotmail.com

usbtmc 5-1:0.0: unknown status received: -71
usbtmc 3-1:0.0: unknown status received: -71
usbtmc 5-1:0.0: unknown status received: -71
rcu: INFO: rcu_preempt self-detected stall on CPU
rcu: 1-...!: (8580 ticks this GP) idle=72e/1/0x4000 softirq=20679/20679 fqs=0
(t=10500 jiffies g=27129 q=416)
rcu: rcu_preempt kthread starved for 10500 jiffies! g27129 f0x0 RCU_GP_WAIT_FQS(5) ->state=0x0 ->cpu=0
rcu: Unless rcu_preempt kthread gets sufficient CPU time, OOM is now expected behavior.
rcu: RCU grace-period kthread stack dump:
task:rcu_preempt state:R  running task stack:29168 pid:   14 ppid:     2 flags:0x4000
Call Trace:
 context_switch kernel/sched/core.c:4322 [inline]
 __schedule+0x911/0x21b0 kernel/sched/core.c:5073
 schedule+0xcf/0x270 kernel/sched/core.c:5152
 schedule_timeout+0x14a/0x250 kernel/time/timer.c:1892
 rcu_gp_fqs_loop kernel/rcu/tree.c:2005 [inline]
 rcu_gp_kthread+0xd07/0x2250 kernel/rcu/tree.c:2178
 kthread+0x3b1/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
rcu: Stack dump where RCU GP kthread last ran:
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 PID: 3232 Comm: aoe_tx0 Not tainted 5.12.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:native_apic_mem_write+0x8/0x10 arch/x86/include/asm/apic.h:110
Call Trace:
 
 apic_write arch/x86/include/asm/apic.h:393 [inline]
 lapic_next_event+0x4d/0x80 arch/x86/kernel/apic/apic.c:472
 clockevents_program_event+0x254/0x370 kernel/time/clockevents.c:334
 tick_program_event+0xac/0x140 kernel/time/tick-oneshot.c:44
 hrtimer_interrupt+0x414/0xa00 kernel/time/hrtimer.c:1676
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1089 [inline]
 __sysvec_apic_timer_interrupt+0x146/0x540 arch/x86/kernel/apic/apic.c:1106
 sysvec_apic_timer_interrupt+0x8e/0xc0 arch/x86/kernel/apic/apic.c:1100
 
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:632
RIP: 0010:preempt_count arch/x86/include/asm/preempt.h:27 [inline]
RIP: 0010:check_kcov_mode kernel/kcov.c:163 [inline]
RIP: 0010:__sanitizer_cov_trace_pc+0x0/0x60 kernel/kcov.c:197
 console_trylock_spinning kernel/printk/printk.c:1818 [inline]
 vprintk_emit+0x3a5/0x560 kernel/printk/printk.c:2097
 dev_vprintk_emit+0x36e/0x3b2 drivers/base/core.c:4434
 dev_printk_emit+0xba/0xf1 drivers/base/core.c:4445
 __netdev_printk+0x1c6/0x27a net/core/dev.c:11292
 netdev_warn+0xd7/0x109 net/core/dev.c:11345
 ieee802154_subif_start_xmit.cold+0x17/0x27 net/mac802154/tx.c:125
 __netdev_start_xmit include/linux/netdevice.h:4825 [inline]
 netdev_start_xmit include/linux/netdevice.h:4839 [inline]
 xmit_one net/core/dev.c:3605 [inline]
 dev_hard_start_xmit+0x1eb/0x920 net/core/dev.c:3621
 sch_direct_xmit+0x2e1/0xbd0 net/sched/sch_generic.c:313
 qdisc_restart net/sched/sch_generic.c:376 [inline]
 __qdisc_run+0x4ba/0x15

Re: [syzbot] WARNING in __percpu_ref_exit (2)

2021-04-18 Thread syzbot
syzbot has found a reproducer for the following issue on:

HEAD commit:    c98ff1d0 Merge tag 'scsi-fixes' of git://git.kernel.org/pu..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=163d7229d0
kernel config:  https://syzkaller.appspot.com/x/.config?x=1c70e618af4c2e92
dashboard link: https://syzkaller.appspot.com/bug?extid=d6218cb2fae0b2411e9d
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=145cb2b6d0
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=157b72b1d0

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d6218cb2fae0b2411...@syzkaller.appspotmail.com

[ cut here ]
WARNING: CPU: 1 PID: 169 at lib/percpu-refcount.c:113 __percpu_ref_exit+0x98/0x100 lib/percpu-refcount.c:113
Modules linked in:
CPU: 1 PID: 169 Comm: kworker/u4:3 Not tainted 5.12.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events_unbound io_ring_exit_work
RIP: 0010:__percpu_ref_exit+0x98/0x100 lib/percpu-refcount.c:113
Call Trace:
 percpu_ref_exit+0x3b/0x140 lib/percpu-refcount.c:134
 io_ring_ctx_free fs/io_uring.c:8483 [inline]
 io_ring_exit_work+0xa64/0x12d0 fs/io_uring.c:8620
 process_one_work+0x98d/0x1600 kernel/workqueue.c:2275
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2421
 kthread+0x3b1/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294



Re: [syzbot] INFO: task hung in usb_remote_wakeup (2)

2021-04-17 Thread syzbot
syzbot suspects this issue was fixed by commit:

commit 363eaa3a450abb4e63bd6e3ad79d1f7a0f717814
Author: Shuah Khan 
Date:   Tue Mar 30 01:36:51 2021 +

usbip: synchronize event handler with sysfs code paths

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=16c89e91d0
start commit:   bec4c296 Merge tag 'ecryptfs-5.11-rc6-setxattr-fix' of git..
git tree:   upstream
kernel config:  https://syzkaller.appspot.com/x/.config?x=9408d1770a50819c
dashboard link: https://syzkaller.appspot.com/bug?extid=85439002c78b774488d8
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=138d0264d0

If the result looks correct, please mark the issue as fixed by replying with:

#syz fix: usbip: synchronize event handler with sysfs code paths

For information about bisection process see: https://goo.gl/tpsmEJ#bisection


[syzbot] WARNING in ctx_sched_in

2021-04-15 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:    79c338ab riscv: keep interrupts disabled for BREAKPOINT ex..
git tree:   git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes
console output: https://syzkaller.appspot.com/x/log.txt?x=10fb93f9d0
kernel config:  https://syzkaller.appspot.com/x/.config?x=f8af20e245283c9a
dashboard link: https://syzkaller.appspot.com/bug?extid=50d41b514809f6f4f326
userspace arch: riscv64

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+50d41b514809f6f4f...@syzkaller.appspotmail.com

[ cut here ]
WARNING: CPU: 1 PID: 4475 at kernel/events/core.c:3752 ctx_sched_in+0x12e/0x3ee kernel/events/core.c:3752
Modules linked in:
CPU: 1 PID: 4475 Comm: syz-executor.1 Not tainted 5.12.0-rc6-syzkaller-00183-g79c338ab575e #0
Hardware name: riscv-virtio,qemu (DT)
epc : ctx_sched_in+0x12e/0x3ee kernel/events/core.c:3752
 ra : ctx_sched_in+0x12e/0x3ee kernel/events/core.c:3752
Call Trace:
[] ctx_sched_in+0x12e/0x3ee kernel/events/core.c:3752
[] perf_event_sched_in+0x38/0x74 kernel/events/core.c:2680
[] perf_event_context_sched_in kernel/events/core.c:3817 [inline]
[] __perf_event_task_sched_in+0x4ea/0x680 kernel/events/core.c:3860
[] perf_event_task_sched_in include/linux/perf_event.h:1210 [inline]
[] finish_task_switch.isra.0+0x284/0x318 kernel/sched/core.c:4189
[] context_switch kernel/sched/core.c:4325 [inline]
[] __schedule+0x484/0xe8c kernel/sched/core.c:5073
[] preempt_schedule_notrace+0x9c/0x19a kernel/sched/core.c:5312
[] rcu_read_unlock_sched_notrace include/linux/rcupdate.h:794 [inline]
[] trace_lock_acquire+0xf0/0x20e include/trace/events/lock.h:13
[] lock_acquire+0x28/0x5a kernel/locking/lockdep.c:5481
[] rcu_lock_acquire include/linux/rcupdate.h:267 [inline]
[] rcu_read_lock include/linux/rcupdate.h:656 [inline]
[] percpu_ref_put_many.constprop.0+0x38/0x148 include/linux/percpu-refcount.h:317
[] percpu_ref_put include/linux/percpu-refcount.h:338 [inline]
[] obj_cgroup_put include/linux/memcontrol.h:713 [inline]
[] memcg_slab_free_hook mm/slab.h:372 [inline]
[] memcg_slab_free_hook mm/slab.h:336 [inline]
[] do_slab_free mm/slub.c:3117 [inline]
[] ___cache_free+0x2bc/0x3dc mm/slub.c:3168
[] qlink_free mm/kasan/quarantine.c:146 [inline]
[] qlist_free_all+0x56/0xac mm/kasan/quarantine.c:165
[] kasan_quarantine_reduce+0x14c/0x1c8 mm/kasan/quarantine.c:272
[] __kasan_slab_alloc+0x60/0x62 mm/kasan/common.c:437
[] kasan_slab_alloc include/linux/kasan.h:223 [inline]
[] slab_post_alloc_hook mm/slab.h:516 [inline]
[] slab_alloc_node mm/slub.c:2907 [inline]
[] slab_alloc mm/slub.c:2915 [inline]
[] kmem_cache_alloc+0x168/0x3ca mm/slub.c:2920
[] kmem_cache_zalloc include/linux/slab.h:674 [inline]
[] taskstats_tgid_alloc kernel/taskstats.c:561 [inline]
[] taskstats_exit+0x3ce/0x5fe kernel/taskstats.c:600
[] do_exit+0x3b2/0x1846 kernel/exit.c:810
[] do_group_exit+0xa0/0x198 kernel/exit.c:922
[] get_signal+0x31e/0x14ba kernel/signal.c:2781
[] do_signal arch/riscv/kernel/signal.c:271 [inline]
[] do_notify_resume+0xa8/0x930 arch/riscv/kernel/signal.c:317
[] ret_from_exception+0x0/0x14


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.


Re: [syzbot] KASAN: use-after-free Read in idr_for_each (2)

2021-04-15 Thread syzbot
syzbot suspects this issue was fixed by commit:

commit 61cf93700fe6359552848ed5e3becba6cd760efa
Author: Matthew Wilcox (Oracle) 
Date:   Mon Mar 8 14:16:16 2021 +

io_uring: Convert personality_idr to XArray

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=16f91b9ad0
start commit:   dd86e7fa Merge tag 'pci-v5.11-fixes-2' of git://git.kernel..
git tree:   upstream
kernel config:  https://syzkaller.appspot.com/x/.config?x=e83e68d0a6aba5f6
dashboard link: https://syzkaller.appspot.com/bug?extid=12056a09a0311d758e60
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=174b80ef50
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=165522d4d0

If the result looks correct, please mark the issue as fixed by replying with:

#syz fix: io_uring: Convert personality_idr to XArray

For information about bisection process see: https://goo.gl/tpsmEJ#bisection


[syzbot] KASAN: use-after-free Write in nfc_llcp_local_put

2021-04-15 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:    50987bec Merge tag 'trace-v5.12-rc7' of git://git.kernel.o..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15680319d0
kernel config:  https://syzkaller.appspot.com/x/.config?x=b5591c832f889fd9
dashboard link: https://syzkaller.appspot.com/bug?extid=f1c3c57efec16353f881

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+f1c3c57efec16353f...@syzkaller.appspotmail.com

==
BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
BUG: KASAN: use-after-free in atomic_fetch_sub_release include/asm-generic/atomic-instrumented.h:220 [inline]
BUG: KASAN: use-after-free in __refcount_sub_and_test include/linux/refcount.h:272 [inline]
BUG: KASAN: use-after-free in __refcount_dec_and_test include/linux/refcount.h:315 [inline]
BUG: KASAN: use-after-free in refcount_dec_and_test include/linux/refcount.h:333 [inline]
BUG: KASAN: use-after-free in kref_put include/linux/kref.h:64 [inline]
BUG: KASAN: use-after-free in nfc_llcp_local_put net/nfc/llcp_core.c:183 [inline]
BUG: KASAN: use-after-free in nfc_llcp_local_put+0x30/0x200 net/nfc/llcp_core.c:178
Write of size 4 at addr 888015cc8018 by task syz-executor.2/9727

CPU: 1 PID: 9727 Comm: syz-executor.2 Not tainted 5.12.0-rc7-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x141/0x1d7 lib/dump_stack.c:120
 print_address_description.constprop.0.cold+0x5b/0x2c6 mm/kasan/report.c:232
 __kasan_report mm/kasan/report.c:399 [inline]
 kasan_report.cold+0x7c/0xd8 mm/kasan/report.c:416
 check_region_inline mm/kasan/generic.c:180 [inline]
 kasan_check_range+0x13d/0x180 mm/kasan/generic.c:186
 instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
 atomic_fetch_sub_release include/asm-generic/atomic-instrumented.h:220 [inline]
 __refcount_sub_and_test include/linux/refcount.h:272 [inline]
 __refcount_dec_and_test include/linux/refcount.h:315 [inline]
 refcount_dec_and_test include/linux/refcount.h:333 [inline]
 kref_put include/linux/kref.h:64 [inline]
 nfc_llcp_local_put net/nfc/llcp_core.c:183 [inline]
 nfc_llcp_local_put+0x30/0x200 net/nfc/llcp_core.c:178
 llcp_sock_destruct+0x81/0x150 net/nfc/llcp_sock.c:950
 __sk_destruct+0x4b/0x900 net/core/sock.c:1795
 sk_destruct+0xbd/0xe0 net/core/sock.c:1839
 __sk_free+0xef/0x3d0 net/core/sock.c:1850
 sk_free+0x78/0xa0 net/core/sock.c:1861
 sock_put include/net/sock.h:1807 [inline]
 llcp_sock_release+0x3c9/0x580 net/nfc/llcp_sock.c:644
 __sock_release+0xcd/0x280 net/socket.c:599
 sock_close+0x18/0x20 net/socket.c:1258
 __fput+0x288/0x920 fs/file_table.c:280
 task_work_run+0xdd/0x1a0 kernel/task_work.c:140
 exit_task_work include/linux/task_work.h:30 [inline]
 do_exit+0xbfc/0x2a60 kernel/exit.c:825
 do_group_exit+0x125/0x310 kernel/exit.c:922
 get_signal+0x47f/0x2150 kernel/signal.c:2781
 arch_do_signal_or_restart+0x2a8/0x1eb0 arch/x86/kernel/signal.c:789
 handle_signal_work kernel/entry/common.c:147 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
 exit_to_user_mode_prepare+0x148/0x250 kernel/entry/common.c:208
 __syscall_exit_to_user_mode_work kernel/entry/common.c:290 [inline]
 syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:301
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x466459
Code: Unable to access opcode bytes at RIP 0x46642f.
RSP: 002b:7f6644f39218 EFLAGS: 0246 ORIG_RAX: 00ca
RAX: fe00 RBX: 0056bf68 RCX: 00466459
RDX:  RSI: 0080 RDI: 0056bf68
RBP: 0056bf60 R08:  R09: 
R10:  R11: 0246 R12: 0056bf6c
R13: 7ffd102e94df R14: 7f6644f39300 R15: 00022000

Allocated by task 1:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:427 [inline]
 kasan_kmalloc mm/kasan/common.c:506 [inline]
 kasan_kmalloc mm/kasan/common.c:465 [inline]
 __kasan_kmalloc+0x96/0xc0 mm/kasan/common.c:515
 kasan_kmalloc include/linux/kasan.h:233 [inline]
 kmem_cache_alloc_trace+0x1f5/0x440 mm/slab.c:3570
 kmalloc include/linux/slab.h:554 [inline]
 kzalloc include/linux/slab.h:684 [inline]
 nfc_llcp_register_device+0x45/0x9d0 net/nfc/llcp_core.c:1572
 nfc_register_device+0x6d/0x360 net/nfc/core.c:1124
 nfcsim_device_new+0x345/0x5c1 drivers/nfc/nfcsim.c:408
 nfcsim_init+0x71/0x14d drivers/nfc/nfcsim.c:455
 do_one_initcall+0x103/0x650 init/main.c:1226
 do_initcall_level init/main.c:1299 [inline]
 do_initcalls init/main.c:1315 [inline]
 do_basic_setup init/main.c:1335 [inline]
 kernel_init_freeable+0x63e/0x6c2 init/main.c:1537

[syzbot] INFO: trying to register non-static key in nfc_llcp_sock_unlink

2021-04-15 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:50987bec Merge tag 'trace-v5.12-rc7' of git://git.kernel.o..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14d2cab1d0
kernel config:  https://syzkaller.appspot.com/x/.config?x=b5591c832f889fd9
dashboard link: https://syzkaller.appspot.com/bug?extid=0b2182efb62fe1a7e162

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+0b2182efb62fe1a7e...@syzkaller.appspotmail.com

INFO: trying to register non-static key.
The code is fine but needs lockdep annotation, or maybe
you didn't initialize this object before use?
turning off the locking correctness validator.
CPU: 3 PID: 10363 Comm: syz-executor.3 Not tainted 5.12.0-rc7-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x141/0x1d7 lib/dump_stack.c:120
 assign_lock_key kernel/locking/lockdep.c:936 [inline]
 register_lock_class+0x1077/0x1180 kernel/locking/lockdep.c:1248
 __lock_acquire+0x106/0x54c0 kernel/locking/lockdep.c:4780
 lock_acquire kernel/locking/lockdep.c:5511 [inline]
 lock_acquire+0x1ab/0x740 kernel/locking/lockdep.c:5476
 __raw_write_lock include/linux/rwlock_api_smp.h:210 [inline]
 _raw_write_lock+0x2a/0x40 kernel/locking/spinlock.c:295
 nfc_llcp_sock_unlink+0x1d/0x1c0 net/nfc/llcp_core.c:32
 llcp_sock_release+0x286/0x580 net/nfc/llcp_sock.c:640
 __sock_release+0xcd/0x280 net/socket.c:599
 sock_close+0x18/0x20 net/socket.c:1258
 __fput+0x288/0x920 fs/file_table.c:280
 task_work_run+0xdd/0x1a0 kernel/task_work.c:140
 exit_task_work include/linux/task_work.h:30 [inline]
 do_exit+0xbfc/0x2a60 kernel/exit.c:825
 do_group_exit+0x125/0x310 kernel/exit.c:922
 get_signal+0x47f/0x2150 kernel/signal.c:2781
 arch_do_signal_or_restart+0x2a8/0x1eb0 arch/x86/kernel/signal.c:789
 handle_signal_work kernel/entry/common.c:147 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
 exit_to_user_mode_prepare+0x148/0x250 kernel/entry/common.c:208
 __syscall_exit_to_user_mode_work kernel/entry/common.c:290 [inline]
 syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:301
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x466459
Code: Unable to access opcode bytes at RIP 0x46642f.
RSP: 002b:7fddc86a8218 EFLAGS: 0246 ORIG_RAX: 00ca
RAX: fe00 RBX: 0056bf68 RCX: 00466459
RDX:  RSI: 0080 RDI: 0056bf68
RBP: 0056bf60 R08:  R09: 
R10:  R11: 0246 R12: 0056bf6c
R13: 7fff5b1ed3ff R14: 7fddc86a8300 R15: 00022000
[ cut here ]
refcount_t: underflow; use-after-free.
WARNING: CPU: 3 PID: 10363 at lib/refcount.c:28 refcount_warn_saturate+0x1d1/0x1e0 lib/refcount.c:28
Modules linked in:

CPU: 3 PID: 10363 Comm: syz-executor.3 Not tainted 5.12.0-rc7-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
RIP: 0010:refcount_warn_saturate+0x1d1/0x1e0 lib/refcount.c:28
Code: e9 db fe ff ff 48 89 df e8 4c c7 ed fd e9 8a fe ff ff e8 22 98 aa fd 48 c7 c7 c0 47 c1 89 c6 05 c4 30 e8 09 01 e8 14 a5 f9 04 <0f> 0b e9 af fe ff ff 0f 1f 84 00 00 00 00 00 41 56 41 55 41 54 55
RSP: :c9f77958 EFLAGS: 00010282
RAX:  RBX:  RCX: 
RDX: 888025e5a200 RSI: 815b8155 RDI: f520001eef1d
RBP: 0003 R08:  R09: 
R10: 815b0ebe R11:  R12: 
R13: 888044a19018 R14: 888044a19000 R15: 888022a6d330
FS:  () GS:88802ca0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 7f69397f80d8 CR3: 0bc8e000 CR4: 00150ef0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 __refcount_sub_and_test include/linux/refcount.h:283 [inline]
 __refcount_dec_and_test include/linux/refcount.h:315 [inline]
 refcount_dec_and_test include/linux/refcount.h:333 [inline]
 kref_put include/linux/kref.h:64 [inline]
 nfc_llcp_local_put net/nfc/llcp_core.c:183 [inline]
 nfc_llcp_local_put+0x1ab/0x200 net/nfc/llcp_core.c:178
 llcp_sock_destruct+0x81/0x150 net/nfc/llcp_sock.c:950
 __sk_destruct+0x4b/0x900 net/core/sock.c:1795
 sk_destruct+0xbd/0xe0 net/core/sock.c:1839
 __sk_free+0xef/0x3d0 net/core/sock.c:1850
 sk_free+0x78/0xa0 net/core/sock.c:1861
 sock_put include/net/sock.h:1807 [inline]
 llcp_sock_release+0x3c9/0x580 net/nfc/llcp_sock.c:644
 __sock_release+0xcd/0x280 net/socket.c:599
 sock_close+0x18/0x20 net/socket.c:1258
 __fput+0x288/0x920 fs/file_table.c:280
 task_work_run+0xdd/0x1a0 kernel/task_work.c:140
 exit_task_work include

[syzbot] KASAN: use-after-free Read in get_wchan

2021-04-13 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:b2b3d18f riscv: Make NUMA depend on MMU
git tree:   git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes
console output: https://syzkaller.appspot.com/x/log.txt?x=12b59d16d0
kernel config:  https://syzkaller.appspot.com/x/.config?x=81b3e7c68dad6e
dashboard link: https://syzkaller.appspot.com/bug?extid=0806291048161061627c
userspace arch: riscv64

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+08062910481610616...@syzkaller.appspotmail.com

==
BUG: KASAN: use-after-free in walk_stackframe arch/riscv/kernel/stacktrace.c:60 [inline]
BUG: KASAN: use-after-free in get_wchan+0x156/0x196 arch/riscv/kernel/stacktrace.c:136
Read of size 8 at addr ffe0058e3d90 by task syz-executor.0/4667

CPU: 1 PID: 4667 Comm: syz-executor.0 Not tainted 5.12.0-rc5-syzkaller-00721-gb2b3d18fc20e #0
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[] walk_stackframe+0x0/0x23c arch/riscv/kernel/traps.c:201
[] dump_backtrace+0x40/0x4e arch/riscv/kernel/stacktrace.c:113
[] show_stack+0x22/0x2e arch/riscv/kernel/stacktrace.c:118
[] __dump_stack lib/dump_stack.c:79 [inline]
[] dump_stack+0x148/0x1d8 lib/dump_stack.c:120
[] print_address_description.constprop.0+0x52/0x31e mm/kasan/report.c:232
[] __kasan_report mm/kasan/report.c:399 [inline]
[] kasan_report+0x16e/0x18c mm/kasan/report.c:416
[] check_region_inline mm/kasan/generic.c:180 [inline]
[] __asan_load8+0x6e/0x80 mm/kasan/generic.c:253
[] walk_stackframe arch/riscv/kernel/stacktrace.c:60 [inline]
[] get_wchan+0x156/0x196 arch/riscv/kernel/stacktrace.c:136
[] proc_pid_wchan+0x48/0xa4 fs/proc/base.c:390
[] proc_single_show+0x9c/0x13c fs/proc/base.c:774
[] seq_read_iter+0x2e0/0x8f2 fs/seq_file.c:227
[] seq_read+0x200/0x298 fs/seq_file.c:159
[] vfs_read+0x108/0x2ac fs/read_write.c:494
[] ksys_read+0xb4/0x1b8 fs/read_write.c:634
[] __do_sys_read fs/read_write.c:644 [inline]
[] sys_read+0x28/0x36 fs/read_write.c:642
[] ret_from_syscall+0x0/0x2

The buggy address belongs to the page:
page:ffcf0216b8c0 refcount:0 mapcount:0 mapping: index:0x0 pfn:0x85ae3
flags: 0xffe()
raw: 0ffe ffcf0216b8c8 ffcf0216b8c8 
raw:    
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffe0058e3c80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffe0058e3d00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffe0058e3d80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ^
 ffe0058e3e00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffe0058e3e80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.


[syzbot] unexpected kernel reboot (4)

2021-04-13 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:89698bec Merge tag 'm68knommu-for-v5.12-rc7' of git://git...
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1243fcfed0
kernel config:  https://syzkaller.appspot.com/x/.config?x=b234ddbbe2953747
dashboard link: https://syzkaller.appspot.com/bug?extid=9ce030d4c89856b27619
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=173e92fed0
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1735da2ed0

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+9ce030d4c89856b27...@syzkaller.appspotmail.com

output_len: 0x0e74eb68
kernel_total_size: 0x0f226000
needed_size: 0x0f40
trampoline_32bit: 0x0009d000
Decompressing Linux... Parsing ELF... done.
Booting the kernel.



[syzbot] possible deadlock in io_poll_double_wake (3)

2021-04-13 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:17e7124a Merge tag '5.12-rc6-smb3' of git://git.samba.org/..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=102c3891d0
kernel config:  https://syzkaller.appspot.com/x/.config?x=9320464bf47598bd
dashboard link: https://syzkaller.appspot.com/bug?extid=e654d4e15e6b3b9deb53
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=15fe3096d0
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=147b9431d0

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e654d4e15e6b3b9de...@syzkaller.appspotmail.com


WARNING: possible recursive locking detected
5.12.0-rc6-syzkaller #0 Not tainted

swapper/0/0 is trying to acquire lock:
88802108c130 (>sleep){..-.}-{2:2}, at: spin_lock include/linux/spinlock.h:354 [inline]
88802108c130 (>sleep){..-.}-{2:2}, at: io_poll_double_wake+0x25f/0x6a0 fs/io_uring.c:4988

but task is already holding lock:
888014fd8130 (>sleep){..-.}-{2:2}, at: __wake_up_common_lock+0xb4/0x130 kernel/sched/wait.c:137

other info that might help us debug this:
 Possible unsafe locking scenario:

   CPU0
   
  lock(>sleep);
  lock(>sleep);

 *** DEADLOCK ***

 May be due to missing lock nesting notation

2 locks held by swapper/0/0:
 #0: 888020d18108 (>lock){..-.}-{2:2}, at: _snd_pcm_stream_lock_irqsave+0x9f/0xd0 sound/core/pcm_native.c:170
 #1: 888014fd8130 (>sleep){..-.}-{2:2}, at: __wake_up_common_lock+0xb4/0x130 kernel/sched/wait.c:137

stack backtrace:
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.12.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x141/0x1d7 lib/dump_stack.c:120
 print_deadlock_bug kernel/locking/lockdep.c:2829 [inline]
 check_deadlock kernel/locking/lockdep.c:2872 [inline]
 validate_chain kernel/locking/lockdep.c:3661 [inline]
 __lock_acquire.cold+0x14c/0x3b4 kernel/locking/lockdep.c:4900
 lock_acquire kernel/locking/lockdep.c:5510 [inline]
 lock_acquire+0x1ab/0x740 kernel/locking/lockdep.c:5475
 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
 _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:151
 spin_lock include/linux/spinlock.h:354 [inline]
 io_poll_double_wake+0x25f/0x6a0 fs/io_uring.c:4988
 __wake_up_common+0x147/0x650 kernel/sched/wait.c:108
 __wake_up_common_lock+0xd0/0x130 kernel/sched/wait.c:138
 snd_pcm_update_state+0x46a/0x540 sound/core/pcm_lib.c:203
 snd_pcm_update_hw_ptr0+0xa75/0x1a50 sound/core/pcm_lib.c:464
 snd_pcm_period_elapsed+0x160/0x250 sound/core/pcm_lib.c:1805
 dummy_hrtimer_callback+0x94/0x1b0 sound/drivers/dummy.c:377
 __run_hrtimer kernel/time/hrtimer.c:1537 [inline]
 __hrtimer_run_queues+0x609/0xe40 kernel/time/hrtimer.c:1601
 hrtimer_run_softirq+0x17b/0x360 kernel/time/hrtimer.c:1618
 __do_softirq+0x29b/0x9f6 kernel/softirq.c:345
 invoke_softirq kernel/softirq.c:221 [inline]
 __irq_exit_rcu kernel/softirq.c:422 [inline]
 irq_exit_rcu+0x134/0x200 kernel/softirq.c:434
 sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1100
 </IRQ>
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:632
RIP: 0010:native_save_fl arch/x86/include/asm/irqflags.h:29 [inline]
RIP: 0010:arch_local_save_flags arch/x86/include/asm/irqflags.h:70 [inline]
RIP: 0010:arch_irqs_disabled arch/x86/include/asm/irqflags.h:137 [inline]
RIP: 0010:acpi_safe_halt drivers/acpi/processor_idle.c:112 [inline]
RIP: 0010:acpi_idle_do_entry+0x1c9/0x250 drivers/acpi/processor_idle.c:517
Code: cd cb 6e f8 84 db 75 ac e8 14 c5 6e f8 e8 1f b4 74 f8 e9 0c 00 00 00 e8 05 c5 6e f8 0f 00 2d 0e 18 c8 00 e8 f9 c4 6e f8 fb f4 <9c> 5b 81 e3 00 02 00 00 fa 31 ff 48 89 de e8 04 cd 6e f8 48 85 db
RSP: 0018:8bc07d60 EFLAGS: 0293
RAX:  RBX:  RCX: 
RDX: 8bcbc400 RSI: 89052c17 RDI: 
RBP: 888015078064 R08: 0001 R09: 0001
R10: 8179e058 R11:  R12: 0001
R13: 888015078000 R14: 888015078064 R15: 888143a48004
 acpi_idle_enter+0x361/0x500 drivers/acpi/processor_idle.c:654
 cpuidle_enter_state+0x1b1/0xc80 drivers/cpuidle/cpuidle.c:237
 cpuidle_enter+0x4a/0xa0 drivers/cpuidle/cpuidle.c:351
 call_cpuidle kernel/sched/idle.c:158 [inline]
 cpuidle_idle_call kernel/sched/idle.c:239 [inline]
 do_idle+0x3e1/0x590 kernel/sched/idle.c:300


[syzbot] possible deadlock in del_gendisk

2021-04-13 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:e99d8a84 Add linux-next specific files for 20210409
git tree:   linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=13b01681d0
kernel config:  https://syzkaller.appspot.com/x/.config?x=7cd69574979bfeb7
dashboard link: https://syzkaller.appspot.com/bug?extid=61e04e51b7ac86930589
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=148265d9d0
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16a981a1d0

The issue was bisected to:

commit 997acaf6b4b59c6a9c259740312a69ea549cc684
Author: Mark Rutland 
Date:   Mon Jan 11 15:37:07 2021 +

lockdep: report broken irq restoration

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=16a7e77ed0
final oops: https://syzkaller.appspot.com/x/report.txt?x=15a7e77ed0
console output: https://syzkaller.appspot.com/x/log.txt?x=11a7e77ed0

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+61e04e51b7ac86930...@syzkaller.appspotmail.com
Fixes: 997acaf6b4b5 ("lockdep: report broken irq restoration")

==
WARNING: possible circular locking dependency detected
5.12.0-rc6-next-20210409-syzkaller #0 Not tainted
--
syz-executor104/8440 is trying to acquire lock:
888016e9dca0 (>bd_mutex){+.+.}-{3:3}, at: del_gendisk+0x250/0x9e0 block/genhd.c:618

but task is already holding lock:
8c7d9430 (bdev_lookup_sem){}-{3:3}, at: del_gendisk+0x222/0x9e0 block/genhd.c:616

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #2 (bdev_lookup_sem){}-{3:3}:
   down_write+0x92/0x150 kernel/locking/rwsem.c:1406
   del_gendisk+0x222/0x9e0 block/genhd.c:616
   loop_remove drivers/block/loop.c:2191 [inline]
   loop_control_ioctl drivers/block/loop.c:2291 [inline]
   loop_control_ioctl+0x40d/0x4f0 drivers/block/loop.c:2251
   vfs_ioctl fs/ioctl.c:48 [inline]
   __do_sys_ioctl fs/ioctl.c:753 [inline]
   __se_sys_ioctl fs/ioctl.c:739 [inline]
   __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739
   do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
   entry_SYSCALL_64_after_hwframe+0x44/0xae

-> #1 (loop_ctl_mutex){+.+.}-{3:3}:
   __mutex_lock_common kernel/locking/mutex.c:949 [inline]
   __mutex_lock+0x139/0x1120 kernel/locking/mutex.c:1096
   lo_open+0x1a/0x130 drivers/block/loop.c:1890
   __blkdev_get+0x135/0xa30 fs/block_dev.c:1305
   blkdev_get_by_dev fs/block_dev.c:1457 [inline]
   blkdev_get_by_dev+0x26c/0x600 fs/block_dev.c:1425
   blkdev_open+0x154/0x2b0 fs/block_dev.c:1554
   do_dentry_open+0x4b9/0x11b0 fs/open.c:826
   do_open fs/namei.c:3361 [inline]
   path_openat+0x1c09/0x27d0 fs/namei.c:3494
   do_filp_open+0x190/0x3d0 fs/namei.c:3521
   do_sys_openat2+0x16d/0x420 fs/open.c:1187
   do_sys_open fs/open.c:1203 [inline]
   __do_sys_open fs/open.c:1211 [inline]
   __se_sys_open fs/open.c:1207 [inline]
   __x64_sys_open+0x119/0x1c0 fs/open.c:1207
   do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
   entry_SYSCALL_64_after_hwframe+0x44/0xae

-> #0 (>bd_mutex){+.+.}-{3:3}:
   check_prev_add kernel/locking/lockdep.c:2938 [inline]
   check_prevs_add kernel/locking/lockdep.c:3061 [inline]
   validate_chain kernel/locking/lockdep.c:3676 [inline]
   __lock_acquire+0x2a17/0x5230 kernel/locking/lockdep.c:4902
   lock_acquire kernel/locking/lockdep.c:5512 [inline]
   lock_acquire+0x1ab/0x740 kernel/locking/lockdep.c:5477
   __mutex_lock_common kernel/locking/mutex.c:949 [inline]
   __mutex_lock+0x139/0x1120 kernel/locking/mutex.c:1096
   del_gendisk+0x250/0x9e0 block/genhd.c:618
   loop_remove drivers/block/loop.c:2191 [inline]
   loop_control_ioctl drivers/block/loop.c:2291 [inline]
   loop_control_ioctl+0x40d/0x4f0 drivers/block/loop.c:2251
   vfs_ioctl fs/ioctl.c:48 [inline]
   __do_sys_ioctl fs/ioctl.c:753 [inline]
   __se_sys_ioctl fs/ioctl.c:739 [inline]
   __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739
   do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
   entry_SYSCALL_64_after_hwframe+0x44/0xae

other info that might help us debug this:

Chain exists of:
  >bd_mutex --> loop_ctl_mutex --> bdev_lookup_sem

 Possible unsafe locking scenario:

   CPU0CPU1
   
  lock(bdev_lookup_sem);
   lock(loop_ctl_mutex);
   lock(bdev_lookup_sem);
  lock(>bd_mutex);

 *** DEADLOCK ***

2 locks held by syz-executor104/8440:
 #0: 8ca5f148 (loop_ctl_mutex){+.+.}-{3:3}, at: loop_control_ioctl+0x7b/0x4f0 drivers/block/loop.c:2257
 #1: 8c7d9430 (bdev_lookup_sem){}-{3:3}, at: del_gendisk+0x222/0x9e0 block/genhd.c:6

[syzbot] general protection fault in gadget_setup

2021-04-13 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:0f4498ce Merge tag 'for-5.12/dm-fixes-2' of git://git.kern..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=124adbf6d0
kernel config:  https://syzkaller.appspot.com/x/.config?x=daeff30c2474a60f
dashboard link: https://syzkaller.appspot.com/bug?extid=eb4674092e6cc8d9e0bd
userspace arch: i386

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+eb4674092e6cc8d9e...@syzkaller.appspotmail.com

general protection fault, probably for non-canonical address 0xdc04:  [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0020-0x0027]
CPU: 1 PID: 5016 Comm: systemd-udevd Not tainted 5.12.0-rc4-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
RIP: 0010:__lock_acquire+0xcfe/0x54c0 kernel/locking/lockdep.c:4770
Code: 09 0e 41 bf 01 00 00 00 0f 86 8c 00 00 00 89 05 48 69 09 0e e9 81 00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 f2 48 c1 ea 03 <80> 3c 02 00 0f 85 5b 31 00 00 49 81 3e c0 13 38 8f 0f 84 d0 f3 ff
RSP: :c9ce77d8 EFLAGS: 00010002
RAX: dc00 RBX:  RCX: 
RDX: 0004 RSI: 19200019cf0c RDI: 0020
RBP:  R08: 0001 R09: 0001
R10: 0001 R11: 0006 R12: 88801295b880
R13:  R14: 0020 R15: 
FS:  7fcd745f98c0() GS:88802cb0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 7ffe279f7d87 CR3: 1c7d4000 CR4: 00150ee0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 lock_acquire kernel/locking/lockdep.c:5510 [inline]
 lock_acquire+0x1ab/0x740 kernel/locking/lockdep.c:5475
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
 _raw_spin_lock_irqsave+0x39/0x50 kernel/locking/spinlock.c:159
 gadget_setup+0x4e/0x510 drivers/usb/gadget/legacy/raw_gadget.c:327
 dummy_timer+0x1615/0x32a0 drivers/usb/gadget/udc/dummy_hcd.c:1903
 call_timer_fn+0x1a5/0x6b0 kernel/time/timer.c:1431
 expire_timers kernel/time/timer.c:1476 [inline]
 __run_timers.part.0+0x67c/0xa50 kernel/time/timer.c:1745
 __run_timers kernel/time/timer.c:1726 [inline]
 run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1758
 __do_softirq+0x29b/0x9f6 kernel/softirq.c:345
 invoke_softirq kernel/softirq.c:221 [inline]
 __irq_exit_rcu kernel/softirq.c:422 [inline]
 irq_exit_rcu+0x134/0x200 kernel/softirq.c:434
 sysvec_apic_timer_interrupt+0x45/0xc0 arch/x86/kernel/apic/apic.c:1100
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:632
RIP: 0033:0x560cfc4a02ed
Code: 4c 39 c1 48 89 42 18 4c 89 52 08 4c 89 5a 10 48 89 1a 0f 87 7b ff ff ff 48 89 f8 48 f7 d0 48 01 c8 48 83 e0 f8 48 8d 7c 07 08 <48> 8d 0d 34 d9 02 00 48 63 04 b1 48 01 c8 ff e0 0f 1f 00 48 8d 0d
RSP: 002b:7ffe279f9dd0 EFLAGS: 0246
RAX:  RBX: 560cfcd88e40 RCX: 560cfcd72af0
RDX: 7ffe279f9de0 RSI: 0007 RDI: 560cfcd72af0
RBP: 7ffe279f9e70 R08:  R09: 0020
R10: 560cfcd72af7 R11: 560cfcd73530 R12: 560cfcd72af0
R13:  R14: 560cfcd72b10 R15: 0001
Modules linked in:
---[ end trace ab0f6632fdd289cf ]---
RIP: 0010:__lock_acquire+0xcfe/0x54c0 kernel/locking/lockdep.c:4770
Code: 09 0e 41 bf 01 00 00 00 0f 86 8c 00 00 00 89 05 48 69 09 0e e9 81 00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 f2 48 c1 ea 03 <80> 3c 02 00 0f 85 5b 31 00 00 49 81 3e c0 13 38 8f 0f 84 d0 f3 ff
RSP: :c9ce77d8 EFLAGS: 00010002
RAX: dc00 RBX:  RCX: 
RDX: 0004 RSI: 19200019cf0c RDI: 0020
RBP:  R08: 0001 R09: 0001
R10: 0001 R11: 0006 R12: 88801295b880
R13:  R14: 0020 R15: 
FS:  7fcd745f98c0() GS:88802cb0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 7ffe279f7d87 CR3: 1c7d4000 CR4: 00150ee0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400



[syzbot] KASAN: null-ptr-deref Write in rhashtable_free_and_destroy (2)

2021-04-13 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:d93a0d43 Merge tag 'block-5.12-2021-04-02' of git://git.ke..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12d81cfcd0
kernel config:  https://syzkaller.appspot.com/x/.config?x=71a75beb62b62a34
dashboard link: https://syzkaller.appspot.com/bug?extid=860268315ba86ea6b96b
compiler:   Debian clang version 11.0.1-2

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+860268315ba86ea6b...@syzkaller.appspotmail.com

==
BUG: KASAN: null-ptr-deref in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
BUG: KASAN: null-ptr-deref in test_and_set_bit include/asm-generic/bitops/instrumented-atomic.h:70 [inline]
BUG: KASAN: null-ptr-deref in try_to_grab_pending+0xee/0xa50 kernel/workqueue.c:1257
Write of size 8 at addr 0088 by task kworker/0:3/4787

CPU: 0 PID: 4787 Comm: kworker/0:3 Not tainted 5.12.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events cfg80211_destroy_iface_wk
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x176/0x24e lib/dump_stack.c:120
 __kasan_report mm/kasan/report.c:403 [inline]
 kasan_report+0x152/0x200 mm/kasan/report.c:416
 check_region_inline mm/kasan/generic.c:135 [inline]
 kasan_check_range+0x2b5/0x2f0 mm/kasan/generic.c:186
 instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
 test_and_set_bit include/asm-generic/bitops/instrumented-atomic.h:70 [inline]
 try_to_grab_pending+0xee/0xa50 kernel/workqueue.c:1257
 __cancel_work_timer+0x81/0x5b0 kernel/workqueue.c:3098
 rhashtable_free_and_destroy+0x25/0x8b0 lib/rhashtable.c:1137
 mesh_table_free net/mac80211/mesh_pathtbl.c:70 [inline]
 mesh_pathtbl_unregister+0x4b/0xa0 net/mac80211/mesh_pathtbl.c:812
 unregister_netdevice_many+0x12ea/0x18e0 net/core/dev.c:10951
 unregister_netdevice_queue+0x2a9/0x300 net/core/dev.c:10868
 unregister_netdevice include/linux/netdevice.h:2884 [inline]
 _cfg80211_unregister_wdev+0x17b/0x5b0 net/wireless/core.c:1127
 ieee80211_if_remove+0x1cc/0x250 net/mac80211/iface.c:2020
 ieee80211_del_iface+0x12/0x20 net/mac80211/cfg.c:144
 rdev_del_virtual_intf net/wireless/rdev-ops.h:57 [inline]
 cfg80211_destroy_ifaces+0x182/0x250 net/wireless/core.c:341
 cfg80211_destroy_iface_wk+0x30/0x40 net/wireless/core.c:354
 process_one_work+0x789/0xfd0 kernel/workqueue.c:2275
 worker_thread+0xac1/0x1300 kernel/workqueue.c:2421
 kthread+0x39a/0x3c0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
==



[syzbot] KASAN: slab-out-of-bounds Read in __xfrm_decode_session (2)

2021-04-12 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:1678e493 Merge tag 'lto-v5.12-rc6' of git://git.kernel.org..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1565bf7cd0
kernel config:  https://syzkaller.appspot.com/x/.config?x=71a75beb62b62a34
dashboard link: https://syzkaller.appspot.com/bug?extid=518a7b845c0083047e9c
compiler:   Debian clang version 11.0.1-2

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+518a7b845c0083047...@syzkaller.appspotmail.com

==
BUG: KASAN: slab-out-of-bounds in decode_session6 net/xfrm/xfrm_policy.c:3403 [inline]
BUG: KASAN: slab-out-of-bounds in __xfrm_decode_session+0x1ba4/0x2720 net/xfrm/xfrm_policy.c:3495
Read of size 1 at addr 888013104540 by task syz-executor.3/16514

CPU: 0 PID: 16514 Comm: syz-executor.3 Not tainted 5.12.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x176/0x24e lib/dump_stack.c:120
 print_address_description+0x5f/0x3a0 mm/kasan/report.c:232
 __kasan_report mm/kasan/report.c:399 [inline]
 kasan_report+0x15c/0x200 mm/kasan/report.c:416
 decode_session6 net/xfrm/xfrm_policy.c:3403 [inline]
 __xfrm_decode_session+0x1ba4/0x2720 net/xfrm/xfrm_policy.c:3495
 vti_tunnel_xmit+0x1ea/0x1510 net/ipv4/ip_vti.c:286
 __netdev_start_xmit include/linux/netdevice.h:4825 [inline]
 netdev_start_xmit include/linux/netdevice.h:4839 [inline]
 xmit_one net/core/dev.c:3605 [inline]
 dev_hard_start_xmit+0x20b/0x450 net/core/dev.c:3621
 sch_direct_xmit+0x1f0/0xd30 net/sched/sch_generic.c:313
 qdisc_restart net/sched/sch_generic.c:376 [inline]
 __qdisc_run+0xa4d/0x1a90 net/sched/sch_generic.c:384
 __dev_xmit_skb net/core/dev.c:3855 [inline]
 __dev_queue_xmit+0x1141/0x2a50 net/core/dev.c:4162
 neigh_output include/net/neighbour.h:510 [inline]
 ip6_finish_output2+0x10be/0x1460 net/ipv6/ip6_output.c:117
 dst_output include/net/dst.h:448 [inline]
 NF_HOOK include/linux/netfilter.h:301 [inline]
 ndisc_send_skb+0x93b/0xd50 net/ipv6/ndisc.c:508
 addrconf_rs_timer+0x242/0x6f0 net/ipv6/addrconf.c:3877
 call_timer_fn+0x91/0x160 kernel/time/timer.c:1431
 expire_timers kernel/time/timer.c:1476 [inline]
 __run_timers+0x6c0/0x8a0 kernel/time/timer.c:1745
 run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1758
 __do_softirq+0x318/0x714 kernel/softirq.c:345
 invoke_softirq kernel/softirq.c:221 [inline]
 __irq_exit_rcu+0x1d8/0x200 kernel/softirq.c:422
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:434
 sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1100
 </IRQ>
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:632
RIP: 0010:__sanitizer_cov_trace_pc+0x56/0x60 kernel/kcov.c:205
Code: 2c 8b 91 10 15 00 00 83 fa 02 75 21 48 8b 91 18 15 00 00 48 8b 32 48 8d 7e 01 8b 89 14 15 00 00 48 39 cf 73 08 48 89 44 f2 08 <48> 89 3a c3 66 0f 1f 44 00 00 4c 8b 04 24 65 48 8b 14 25 80 ef 01
RSP: 0018:c90001acf9f0 EFLAGS: 0283
RAX: 821506a4 RBX:  RCX: 0004
RDX: c9000f2df000 RSI: 2928 RDI: 2929
RBP: 192000359f57 R08: dc00 R09: f52000359f5e
R10: f52000359f5e R11:  R12: 111029006027
R13: 888034b67020 R14: 192000359f98 R15: 888034b67018
 ext4_match fs/ext4/namei.c:1364 [inline]
 ext4_search_dir+0x2f4/0xa10 fs/ext4/namei.c:1395
 search_dirblock fs/ext4/namei.c:1199 [inline]
 __ext4_find_entry+0x121c/0x1790 fs/ext4/namei.c:1553
 ext4_find_entry fs/ext4/namei.c:1602 [inline]
 ext4_rmdir+0x347/0x1180 fs/ext4/namei.c:3132
 vfs_rmdir+0x20a/0x3f0 fs/namei.c:3899
 ovl_remove_upper fs/overlayfs/dir.c:825 [inline]
 ovl_do_remove+0x4d2/0xbe0 fs/overlayfs/dir.c:904
 vfs_rmdir+0x20a/0x3f0 fs/namei.c:3899
 do_rmdir+0x2a5/0x560 fs/namei.c:3962
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x466459
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:7f08cdd4a188 EFLAGS: 0246 ORIG_RAX: 0054
RAX: ffda RBX: 0056c008 RCX: 00466459
RDX:  RSI:  RDI: 20c0
RBP: 004bf9fb R08:  R09: 
R10:  R11: 0246 R12: 0056c008
R13: 7ffefaa401bf R14: 7f08cdd4a300 R15: 00022000

Allocated by task 8393:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:427 [inline]
 kasan_kmalloc+0xc2/0xf0 mm/kasan/common.c:506
 kasan_kmalloc include/linux/kasan.h

[syzbot] BUG: unable to handle kernel NULL pointer dereference in __lookup_slow (2)

2021-04-12 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:d93a0d43 Merge tag 'block-5.12-2021-04-02' of git://git.ke..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16519431d0
kernel config:  https://syzkaller.appspot.com/x/.config?x=71a75beb62b62a34
dashboard link: https://syzkaller.appspot.com/bug?extid=11c49ce9d4e7896f3406
compiler:   Debian clang version 11.0.1-2

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+11c49ce9d4e7896f3...@syzkaller.appspotmail.com

REISERFS (device loop4): Using r5 hash to sort names
BUG: kernel NULL pointer dereference, address: 
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0010) - not-present page
PGD 6bb82067 P4D 6bb82067 PUD 6bb81067 PMD 0 
Oops: 0010 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 11072 Comm: syz-executor.4 Not tainted 5.12.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:0x0
Code: Unable to access opcode bytes at RIP 0xffd6.
Call Trace:
 __lookup_slow+0x240/0x370 fs/namei.c:1626
 lookup_one_len+0x10e/0x200 fs/namei.c:2649
 reiserfs_lookup_privroot+0x85/0x1e0 fs/reiserfs/xattr.c:980
 reiserfs_fill_super+0x2a69/0x3160 fs/reiserfs/super.c:2176
 mount_bdev+0x26c/0x3a0 fs/super.c:1367
 legacy_get_tree+0xea/0x180 fs/fs_context.c:592
 vfs_get_tree+0x86/0x270 fs/super.c:1497
 do_new_mount fs/namespace.c:2903 [inline]
 path_mount+0x188a/0x29a0 fs/namespace.c:3233
 do_mount fs/namespace.c:3246 [inline]
 __do_sys_mount fs/namespace.c:3454 [inline]
 __se_sys_mount+0x28c/0x320 fs/namespace.c:3431
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x46797a
Modules linked in:
CR2: 
---[ end trace a1b8dbb111baf993 ]---


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.


[syzbot] KASAN: slab-out-of-bounds Read in reiserfs_xattr_get

2021-04-12 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:3a229812 Merge tag 'arm-fixes-5.11-2' of git://git.kernel...
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16b4d196d0
kernel config:  https://syzkaller.appspot.com/x/.config?x=f91155ccddaf919c
dashboard link: https://syzkaller.appspot.com/bug?extid=72ba979b6681c3369db4
compiler:   Debian clang version 11.0.1-2

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+72ba979b6681c3369...@syzkaller.appspotmail.com

loop3: detected capacity change from 0 to 65534
==
BUG: KASAN: slab-out-of-bounds in reiserfs_xattr_get+0xe0/0x590 fs/reiserfs/xattr.c:681
Read of size 8 at addr 888028983198 by task syz-executor.3/4211

CPU: 1 PID: 4211 Comm: syz-executor.3 Not tainted 5.12.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x176/0x24e lib/dump_stack.c:120
 print_address_description+0x5f/0x3a0 mm/kasan/report.c:232
 __kasan_report mm/kasan/report.c:399 [inline]
 kasan_report+0x15c/0x200 mm/kasan/report.c:416
 reiserfs_xattr_get+0xe0/0x590 fs/reiserfs/xattr.c:681
 reiserfs_get_acl+0x63/0x670 fs/reiserfs/xattr_acl.c:211
 get_acl+0x152/0x2e0 fs/posix_acl.c:141
 check_acl fs/namei.c:294 [inline]
 acl_permission_check fs/namei.c:339 [inline]
 generic_permission+0x2ed/0x5b0 fs/namei.c:392
 do_inode_permission fs/namei.c:446 [inline]
 inode_permission+0x28e/0x500 fs/namei.c:513
 may_open+0x228/0x3e0 fs/namei.c:2985
 do_open fs/namei.c:3365 [inline]
 path_openat+0x2697/0x3860 fs/namei.c:3500
 do_filp_open+0x1a3/0x3b0 fs/namei.c:3527
 do_sys_openat2+0xba/0x380 fs/open.c:1187
 do_sys_open fs/open.c:1203 [inline]
 __do_sys_openat fs/open.c:1219 [inline]
 __se_sys_openat fs/open.c:1214 [inline]
 __x64_sys_openat+0x1c8/0x1f0 fs/open.c:1214
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x419544

Allocated by task 4210:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:427 [inline]
 kasan_kmalloc+0xc2/0xf0 mm/kasan/common.c:506
 kasan_kmalloc include/linux/kasan.h:233 [inline]
 kmem_cache_alloc_trace+0x21b/0x350 mm/slub.c:2934
 kmalloc include/linux/slab.h:554 [inline]
 kzalloc include/linux/slab.h:684 [inline]
 smk_fetch security/smack/smack_lsm.c:288 [inline]
 smack_d_instantiate+0x65c/0xcc0 security/smack/smack_lsm.c:3411
 security_d_instantiate+0xa5/0x100 security/security.c:1987
 d_instantiate_new+0x61/0x110 fs/dcache.c:2025
 ext4_add_nondir+0x22b/0x290 fs/ext4/namei.c:2590
 ext4_symlink+0x8ce/0xe90 fs/ext4/namei.c:3417
 vfs_symlink+0x3a0/0x540 fs/namei.c:4178
 do_symlinkat+0x1c9/0x440 fs/namei.c:4208
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Freed by task 4210:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track+0x3d/0x70 mm/kasan/common.c:46
 kasan_set_free_info+0x1f/0x40 mm/kasan/generic.c:357
 kasan_slab_free+0x100/0x140 mm/kasan/common.c:360
 kasan_slab_free include/linux/kasan.h:199 [inline]
 slab_free_hook mm/slub.c:1562 [inline]
 slab_free_freelist_hook+0x171/0x270 mm/slub.c:1600
 slab_free mm/slub.c:3161 [inline]
 kfree+0xcf/0x2d0 mm/slub.c:4213
 smk_fetch security/smack/smack_lsm.c:300 [inline]
 smack_d_instantiate+0x6db/0xcc0 security/smack/smack_lsm.c:3411
 security_d_instantiate+0xa5/0x100 security/security.c:1987
 d_instantiate_new+0x61/0x110 fs/dcache.c:2025
 ext4_add_nondir+0x22b/0x290 fs/ext4/namei.c:2590
 ext4_symlink+0x8ce/0xe90 fs/ext4/namei.c:3417
 vfs_symlink+0x3a0/0x540 fs/namei.c:4178
 do_symlinkat+0x1c9/0x440 fs/namei.c:4208
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Last potentially related work creation:
 kasan_save_stack+0x27/0x50 mm/kasan/common.c:38
 kasan_record_aux_stack+0xee/0x120 mm/kasan/generic.c:345
 __call_rcu kernel/rcu/tree.c:3039 [inline]
 call_rcu+0x130/0x8e0 kernel/rcu/tree.c:3114
 fib6_info_release include/net/ip6_fib.h:337 [inline]
 nsim_rt6_release drivers/net/netdevsim/fib.c:507 [inline]
 nsim_fib6_event_fini+0x100

[syzbot] KASAN: use-after-free Read in skcipher_walk_next

2021-04-12 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:4fa56ad0 Merge tag 'for-linus' of git://git.kernel.org/pub..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17dbd09ad0
kernel config:  https://syzkaller.appspot.com/x/.config?x=9320464bf47598bd
dashboard link: https://syzkaller.appspot.com/bug?extid=4061a98a8ab454dde8ff

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+4061a98a8ab454dde...@syzkaller.appspotmail.com

==
BUG: KASAN: use-after-free in memcpy include/linux/fortify-string.h:191 [inline]
BUG: KASAN: use-after-free in skcipher_next_copy crypto/skcipher.c:292 [inline]
BUG: KASAN: use-after-free in skcipher_walk_next+0xb69/0x1680 crypto/skcipher.c:379
Read of size 2785 at addr 8880781c by task kworker/u4:3/204

CPU: 0 PID: 204 Comm: kworker/u4:3 Not tainted 5.12.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: pencrypt_parallel padata_parallel_worker
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x141/0x1d7 lib/dump_stack.c:120
 print_address_description.constprop.0.cold+0x5b/0x2f8 mm/kasan/report.c:232
 __kasan_report mm/kasan/report.c:399 [inline]
 kasan_report.cold+0x7c/0xd8 mm/kasan/report.c:416
 check_region_inline mm/kasan/generic.c:180 [inline]
 kasan_check_range+0x13d/0x180 mm/kasan/generic.c:186
 memcpy+0x20/0x60 mm/kasan/shadow.c:65
 memcpy include/linux/fortify-string.h:191 [inline]
 skcipher_next_copy crypto/skcipher.c:292 [inline]
 skcipher_walk_next+0xb69/0x1680 crypto/skcipher.c:379
 skcipher_walk_done+0x7a3/0xf00 crypto/skcipher.c:159
 gcmaes_crypt_by_sg+0x377/0x8a0 arch/x86/crypto/aesni-intel_glue.c:694

The buggy address belongs to the page:
page:ea0001e07000 refcount:0 mapcount:-128 mapping: index:0x1 pfn:0x781c0
flags: 0xfff000()
raw: 00fff000 ea0001e06808 ea0001c67008 
raw: 0001 0004 ff7f 
page dumped because: kasan: bad access detected

Memory state around the buggy address:
==




Re: [syzbot] possible deadlock in vmci_qp_broker_detach

2021-04-12 Thread syzbot
syzbot has found a reproducer for the following issue on:

HEAD commit:d434405a Linux 5.12-rc7
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1661482ed0
kernel config:  https://syzkaller.appspot.com/x/.config?x=9c3d8981d2bdb103
dashboard link: https://syzkaller.appspot.com/bug?extid=44e40ac2cfe68e8ce207
compiler:   Debian clang version 11.0.1-2
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=102336a6d0

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+44e40ac2cfe68e8ce...@syzkaller.appspotmail.com


WARNING: possible recursive locking detected
5.12.0-rc7-syzkaller #0 Not tainted

syz-executor.0/10571 is trying to acquire lock:
8ce6c1f8 (qp_broker_list.mutex){+.+.}-{3:3}, at: vmci_qp_broker_detach+0xd3/0x10c0 drivers/misc/vmw_vmci/vmci_queue_pair.c:2093

but task is already holding lock:
8ce6c1f8 (qp_broker_list.mutex){+.+.}-{3:3}, at: vmci_qp_broker_detach+0xd3/0x10c0 drivers/misc/vmw_vmci/vmci_queue_pair.c:2093

other info that might help us debug this:
 Possible unsafe locking scenario:

   CPU0
   
  lock(qp_broker_list.mutex);
  lock(qp_broker_list.mutex);

 *** DEADLOCK ***

 May be due to missing lock nesting notation

1 lock held by syz-executor.0/10571:
 #0: 8ce6c1f8 (qp_broker_list.mutex){+.+.}-{3:3}, at: vmci_qp_broker_detach+0xd3/0x10c0 drivers/misc/vmw_vmci/vmci_queue_pair.c:2093

stack backtrace:
CPU: 1 PID: 10571 Comm: syz-executor.0 Not tainted 5.12.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x176/0x24e lib/dump_stack.c:120
 __lock_acquire+0x2303/0x5e60 kernel/locking/lockdep.c:4739
 lock_acquire+0x126/0x650 kernel/locking/lockdep.c:5511
 __mutex_lock_common+0x167/0x2eb0 kernel/locking/mutex.c:949
 __mutex_lock kernel/locking/mutex.c:1096 [inline]
 mutex_lock_nested+0x1a/0x20 kernel/locking/mutex.c:
 vmci_qp_broker_detach+0xd3/0x10c0 drivers/misc/vmw_vmci/vmci_queue_pair.c:2093
 ctx_free_ctx drivers/misc/vmw_vmci/vmci_context.c:444 [inline]
 kref_put include/linux/kref.h:65 [inline]
 vmci_ctx_put+0x722/0xe00 drivers/misc/vmw_vmci/vmci_context.c:497
 vmci_ctx_enqueue_datagram+0x3a7/0x440 drivers/misc/vmw_vmci/vmci_context.c:360
 dg_dispatch_as_host drivers/misc/vmw_vmci/vmci_datagram.c:275 [inline]
 vmci_datagram_dispatch+0x3ec/0xb40 drivers/misc/vmw_vmci/vmci_datagram.c:339
 qp_notify_peer drivers/misc/vmw_vmci/vmci_queue_pair.c:1479 [inline]
 vmci_qp_broker_detach+0x9fa/0x10c0 drivers/misc/vmw_vmci/vmci_queue_pair.c:2186
 ctx_free_ctx drivers/misc/vmw_vmci/vmci_context.c:444 [inline]
 kref_put include/linux/kref.h:65 [inline]
 vmci_ctx_put+0x722/0xe00 drivers/misc/vmw_vmci/vmci_context.c:497
 vmci_host_close+0x96/0x160 drivers/misc/vmw_vmci/vmci_host.c:143
 __fput+0x352/0x7b0 fs/file_table.c:280
 task_work_run+0x146/0x1c0 kernel/task_work.c:140
 tracehook_notify_resume include/linux/tracehook.h:189 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:174 [inline]
 exit_to_user_mode_prepare+0x10b/0x1e0 kernel/entry/common.c:208
 __syscall_exit_to_user_mode_work kernel/entry/common.c:290 [inline]
 syscall_exit_to_user_mode+0x26/0x70 kernel/entry/common.c:301
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x41926b



[syzbot] WARNING in smk_set_cipso (2)

2021-04-12 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:7d900724 Merge tag 'for-5.12-rc6-tag' of git://git.kernel...
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1462c619d0
kernel config:  https://syzkaller.appspot.com/x/.config?x=f91155ccddaf919c
dashboard link: https://syzkaller.appspot.com/bug?extid=77c53db50c9fff774e8e
compiler:   Debian clang version 11.0.1-2
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=132c59a1d0
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=13acf5e9d0

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+77c53db50c9fff774...@syzkaller.appspotmail.com

[ cut here ]
WARNING: CPU: 1 PID: 8372 at mm/page_alloc.c:4985 __alloc_pages_nodemask+0x44e/0x500 mm/page_alloc.c:5029
Modules linked in:
CPU: 1 PID: 8372 Comm: syz-executor118 Not tainted 5.12.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__alloc_pages_nodemask+0x44e/0x500 mm/page_alloc.c:5029
Call Trace:
 alloc_pages include/linux/gfp.h:561 [inline]
 kmalloc_order+0x41/0x170 mm/slab_common.c:902
 kmalloc_order_trace+0x15/0x70 mm/slab_common.c:918
 kmalloc_large include/linux/slab.h:483 [inline]
 __kmalloc_track_caller+0x26d/0x390 mm/slub.c:4554
 memdup_user_nul+0x26/0xf0 mm/util.c:260
 smk_set_cipso+0xff/0x6f0 security/smack/smackfs.c:859
 vfs_write+0x220/0xab0 fs/read_write.c:603
 ksys_write+0x11b/0x220 fs/read_write.c:658
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x43ee59


syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches


Re: [syzbot] WARNING in fw_load_sysfs_fallback

2021-04-11 Thread syzbot
syzbot has found a reproducer for the following issue on:

HEAD commit:52e44129 Merge branch 'for-5.12-fixes' of git://git.kernel..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17f1d196d0
kernel config:  https://syzkaller.appspot.com/x/.config?x=f91155ccddaf919c
dashboard link: https://syzkaller.appspot.com/bug?extid=b064fbd5fc8b2cfae49d
compiler:   Debian clang version 11.0.1-2
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=12a536a6d0
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=11339dd9d0

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b064fbd5fc8b2cfae...@syzkaller.appspotmail.com

[ cut here ]
sysfs group 'power' not found for kobject 'ueagle-atm!adi930.fw'
WARNING: CPU: 0 PID: 5 at fs/sysfs/group.c:281 sysfs_remove_group+0x16e/0x280 fs/sysfs/group.c:279
Modules linked in:
CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.12.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events request_firmware_work_func
RIP: 0010:sysfs_remove_group+0x16e/0x280 fs/sysfs/group.c:279
Call Trace:
 device_del+0x26a/0xa90 drivers/base/core.c:3398
 fw_load_sysfs_fallback+0x53e/0x720 drivers/base/firmware_loader/fallback.c:543
 fw_load_from_user_helper+0x242/0x320 drivers/base/firmware_loader/fallback.c:581
 _request_firmware+0x2c5/0x4c0 drivers/base/firmware_loader/main.c:831
 request_firmware_work_func+0xb8/0x1e0 drivers/base/firmware_loader/main.c:1077
 process_one_work+0x789/0xfd0 kernel/workqueue.c:2275
 worker_thread+0xac1/0x1300 kernel/workqueue.c:2421
 kthread+0x39a/0x3c0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294



Re: [syzbot] general protection fault in drm_client_buffer_vunmap

2021-04-11 Thread syzbot
syzbot suspects this issue was fixed by commit:

commit 874a52f9b693ed8bf7a92b3592a547ce8a684e6f
Author: Tong Zhang 
Date:   Sun Feb 28 04:46:25 2021 +

drm/fb-helper: only unmap if buffer not null

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=10c27b7ed0
start commit:   c03c21ba Merge tag 'keys-misc-20210126' of git://git.kerne..
git tree:   upstream
kernel config:  https://syzkaller.appspot.com/x/.config?x=ec4c85e44cc3172e
dashboard link: https://syzkaller.appspot.com/bug?extid=10328e8428a896b65119
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=12d95d7ad0
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=148da9ccd0

If the result looks correct, please mark the issue as fixed by replying with:

#syz fix: drm/fb-helper: only unmap if buffer not null

For information about bisection process see: https://goo.gl/tpsmEJ#bisection


[syzbot] WARNING in __nf_unregister_net_hook (4)

2021-04-10 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:cc0626c2 net: smsc911x: skip acpi_device_id table when !CO..
git tree:   net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=110a3096d0
kernel config:  https://syzkaller.appspot.com/x/.config?x=7eff0f22b8563a5f
dashboard link: https://syzkaller.appspot.com/bug?extid=154bd5be532a63aa778b

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+154bd5be532a63aa7...@syzkaller.appspotmail.com

hook not found, pf 2 num 0
WARNING: CPU: 1 PID: 8144 at net/netfilter/core.c:480 __nf_unregister_net_hook+0x1eb/0x610 net/netfilter/core.c:480
Modules linked in:
CPU: 1 PID: 8144 Comm: syz-executor.0 Not tainted 5.12.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__nf_unregister_net_hook+0x1eb/0x610 net/netfilter/core.c:480
Call Trace:
 nf_unregister_net_hook+0xd5/0x110 net/netfilter/core.c:502
 nf_tables_unregister_hook.part.0+0x131/0x200 net/netfilter/nf_tables_api.c:234
 nf_tables_unregister_hook net/netfilter/nf_tables_api.c:8122 [inline]
 nf_tables_commit+0x1d9b/0x4710 net/netfilter/nf_tables_api.c:8122
 nfnetlink_rcv_batch+0x975/0x21b0 net/netfilter/nfnetlink.c:508
 nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:580 [inline]
 nfnetlink_rcv+0x3af/0x420 net/netfilter/nfnetlink.c:598
 netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
 netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338
 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927
 sock_sendmsg_nosec net/socket.c:654 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:674
 sys_sendmsg+0x6e8/0x810 net/socket.c:2350
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2404
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x466459




[syzbot] memory leak in skb_clone

2021-04-10 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:17e7124a Merge tag '5.12-rc6-smb3' of git://git.samba.org/..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11a62c6ad0
kernel config:  https://syzkaller.appspot.com/x/.config?x=b8dbd3c72fdc
dashboard link: https://syzkaller.appspot.com/bug?extid=1f68113fa907bf0695a8
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=179321a6d0
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=11922ba1d0

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+1f68113fa907bf069...@syzkaller.appspotmail.com

write to /proc/sys/kernel/softlockup_all_cpu_backtrace failed: No such file or directory
BUG: memory leak
unreferenced object 0x88810f644600 (size 232):
  comm "softirq", pid 0, jiffies 4294967032 (age 81.270s)
  hex dump (first 32 bytes):
10 7d 4b 12 81 88 ff ff 10 7d 4b 12 81 88 ff ff  .}K..}K.
00 00 00 00 00 00 00 00 40 7c 4b 12 81 88 ff ff  @|K.
  backtrace:
[] skb_clone+0xaa/0x2b0 net/core/skbuff.c:1496
    [] ieee802154_raw_deliver net/ieee802154/socket.c:369 [inline]
    [] ieee802154_rcv+0x100/0x340 net/ieee802154/socket.c:1070
    [] __netif_receive_skb_one_core+0x6a/0xa0 net/core/dev.c:5384
    [] __netif_receive_skb+0x27/0xa0 net/core/dev.c:5498
    [] netif_receive_skb_internal net/core/dev.c:5603 [inline]
    [] netif_receive_skb+0x59/0x260 net/core/dev.c:5662
    [] ieee802154_deliver_skb net/mac802154/rx.c:29 [inline]
    [] ieee802154_subif_frame net/mac802154/rx.c:102 [inline]
    [] __ieee802154_rx_handle_packet net/mac802154/rx.c:212 [inline]
    [] ieee802154_rx+0x612/0x620 net/mac802154/rx.c:284
    [] ieee802154_tasklet_handler+0x86/0xa0 net/mac802154/main.c:35
    [] tasklet_action_common.constprop.0+0x5b/0x100 kernel/softirq.c:557
    [] __do_softirq+0xbf/0x2ab kernel/softirq.c:345
    [] do_softirq kernel/softirq.c:248 [inline]
    [] do_softirq+0x5c/0x80 kernel/softirq.c:235
    [] __local_bh_enable_ip+0x51/0x60 kernel/softirq.c:198
    [] local_bh_enable include/linux/bottom_half.h:32 [inline]
    [] rcu_read_unlock_bh include/linux/rcupdate.h:745 [inline]
[] __dev_queue_xmit+0x7f4/0xf60 net/core/dev.c:4221
[] raw_sendmsg+0x1f4/0x2b0 net/ieee802154/socket.c:295
[] sock_sendmsg_nosec net/socket.c:654 [inline]
[] sock_sendmsg+0x56/0x80 net/socket.c:674
[] __sys_sendto+0x15c/0x200 net/socket.c:1977
[] __do_sys_sendto net/socket.c:1989 [inline]
[] __se_sys_sendto net/socket.c:1985 [inline]
[] __x64_sys_sendto+0x26/0x30 net/socket.c:1985

BUG: memory leak
unreferenced object 0x88810dae5200 (size 512):
  comm "syz-executor749", pid 8387, jiffies 4294967560 (age 75.990s)
  hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
  backtrace:
[] kmalloc_reserve net/core/skbuff.c:353 [inline]
[] __alloc_skb+0xdf/0x280 net/core/skbuff.c:424
[] __pskb_copy_fclone+0x73/0x330 net/core/skbuff.c:1601
[] __pskb_copy include/linux/skbuff.h:1167 [inline]
[] pskb_copy include/linux/skbuff.h:3191 [inline]
    [] hwsim_hw_xmit+0xd3/0x140 drivers/net/ieee802154/mac802154_hwsim.c:132
    [] drv_xmit_async net/mac802154/driver-ops.h:16 [inline]
    [] ieee802154_tx+0xc7/0x190 net/mac802154/tx.c:83
    [] ieee802154_subif_start_xmit+0x58/0x70 net/mac802154/tx.c:132
    [] __netdev_start_xmit include/linux/netdevice.h:4825 [inline]
    [] netdev_start_xmit include/linux/netdevice.h:4839 [inline]
[] xmit_one net/core/dev.c:3605 [inline]
[] dev_hard_start_xmit+0xe1/0x330 net/core/dev.c:3621
[] sch_direct_xmit+0x1c5/0x500 net/sched/sch_generic.c:313
[] qdisc_restart net/sched/sch_generic.c:376 [inline]
[] __qdisc_run+0x201/0x810 net/sched/sch_generic.c:384
[] qdisc_run include/net/pkt_sched.h:136 [inline]
[] qdisc_run include/net/pkt_sched.h:128 [inline]
[] __dev_xmit_skb net/core/dev.c:3807 [inline]
[] __dev_queue_xmit+0xb9f/0xf60 net/core/dev.c:4162
[] raw_sendmsg+0x1f4/0x2b0 net/ieee802154/socket.c:295
[] sock_sendmsg_nosec net/socket.c:654 [inline]
[] sock_sendmsg+0x56/0x80 net/socket.c:674
[] __sys_sendto+0x15c/0x200 net/socket.c:1977
[] __do_sys_sendto net/socket.c:1989 [inline]
[] __se_sys_sendto net/socket.c:1985 [inline]
[] __x64_sys_sendto+0x26/0x30 net/socket.c:1985
[] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
[] entry_SYSCALL_64_after_hwframe+0x44/0xae

BUG: memory leak
unreferenced object 0x88810e079d00 (size 232):
  comm "softirq", pid 0, jiffies 4294967560 (age 75.990s)
  hex dump (first 32 bytes):
10 71 4b 12 81 88 ff ff 10 71 4b 12 81 88 ff ff  .qK..qK.
00 00 00 00 00 00 00 00 40 70 4b 12 81 88 ff ff  @pK.
  backtrace:
[] skb_clone+0xaa/0x2b0 net/core/skbuff.c:1496
[] ieee802

[syzbot] INFO: task hung in n_tty_read (2)

2021-04-09 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:454c576c Add linux-next specific files for 20210401
git tree:   linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=113432a1d0
kernel config:  https://syzkaller.appspot.com/x/.config?x=920cc274cae812a5
dashboard link: https://syzkaller.appspot.com/bug?extid=f013a12629d1698e22ca
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=13682a36d0
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=10322fbed0

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+f013a12629d1698e2...@syzkaller.appspotmail.com

INFO: task agetty:1550 blocked for more than 143 seconds.
  Not tainted 5.12.0-rc5-next-20210401-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:agetty  state:D stack:27336 pid: 1550 ppid: 1 flags:0x4004
Call Trace:
 context_switch kernel/sched/core.c:4329 [inline]
 __schedule+0x911/0x2160 kernel/sched/core.c:5079
 schedule+0xcf/0x270 kernel/sched/core.c:5158
 schedule_timeout+0x1db/0x250 kernel/time/timer.c:1854
 do_wait_for_common kernel/sched/completion.c:85 [inline]
 __wait_for_common kernel/sched/completion.c:106 [inline]
 wait_for_common kernel/sched/completion.c:117 [inline]
 wait_for_completion+0x168/0x270 kernel/sched/completion.c:138
 __flush_work+0x527/0xac0 kernel/workqueue.c:3052
 n_tty_read+0x97c/0x12f0 drivers/tty/n_tty.c:2217
 iterate_tty_read drivers/tty/tty_io.c:873 [inline]
 tty_read+0x33a/0x5d0 drivers/tty/tty_io.c:950
 call_read_iter include/linux/fs.h:2100 [inline]
 new_sync_read+0x41e/0x6e0 fs/read_write.c:415
 vfs_read+0x35c/0x570 fs/read_write.c:496
 ksys_read+0x12d/0x250 fs/read_write.c:634
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f2a6197c910

Showing all locks held in the system:
8 locks held by kworker/0:1/7:
 #0: 888015c01138 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]
 #0: 888015c01138 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: atomic64_set include/asm-generic/atomic-instrumented.h:856 [inline]
 #0: 888015c01138 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: atomic_long_set include/asm-generic/atomic-long.h:41 [inline]
 #0: 888015c01138 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:616 [inline]
 #0: 888015c01138 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline]
 #0: 888015c01138 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x871/0x1600 kernel/workqueue.c:2246
 #1: c9cc7da8 ((work_completion)(>events)){+.+.}-{0:0}, at: process_one_work+0x8a5/0x1600 kernel/workqueue.c:2250
 #2: 88801cebf220 (>mutex){}-{3:3}, at: device_lock include/linux/device.h:744 [inline]
 #2: 88801cebf220 (>mutex){}-{3:3}, at: hub_event+0x1c1/0x4330 drivers/usb/core/hub.c:5590
 #3: 888027283220 (>mutex){}-{3:3}, at: device_lock include/linux/device.h:744 [inline]
 #3: 888027283220 (>mutex){}-{3:3}, at: usb_disconnect.cold+0x43/0x791 drivers/usb/core/hub.c:2210
 #4: 8880316191a8 (>mutex){}-{3:3}, at: device_lock include/linux/device.h:744 [inline]
 #4: 8880316191a8 (>mutex){}-{3:3}, at: __device_driver_lock drivers/base/dd.c:989 [inline]
 #4: 8880316191a8 (>mutex){}-{3:3}, at: device_release_driver_internal drivers/base/dd.c:1197 [inline]
 #4: 8880316191a8 (>mutex){}-{3:3}, at: device_release_driver+0x1c/0x40 drivers/base/dd.c:1223
 #5: 88801d601ab0 (>mutex){}-{3:3}, at: device_lock include/linux/device.h:744 [inline]
 #5: 88801d601ab0 (>mutex){}-{3:3}, at: __device_driver_lock drivers/base/dd.c:989 [inline]
 #5: 88801d601ab0 (>mutex){}-{3:3}, at: device_release_driver_internal drivers/base/dd.c:1197 [inline]
 #5: 88801d601ab0 (>mutex){}-{3:3}, at: device_release_driver+0x1c/0x40 drivers/base/dd.c:1223
 #6: 8cfd3668 (input_mutex){+.+.}-{3:3}, at: __input_unregister_device+0x16d/0x470 drivers/input/input.c:2186
 #7: 8bf7e268 (rcu_state.exp_mutex){+.+.}-{3:3}, at: exp_funnel_lock 
kernel/rcu/tree_exp.h:290 [inline]
 #7: 8bf7e268 (rcu_state.exp_mutex){+.+.}-{3:3}, at: 
synchronize_rcu_expedited+0x4fa/0x620 kernel/rcu/tree_exp.h:837
1 lock held by khungtaskd/1620:
 #0: 8bf75060 (rcu_read_lock){}-{1:2}, at: 
debug_show_all_locks+0x53/0x260 kernel/locki

[syzbot] BUG: spinlock bad magic in erofs_pcpubuf_growsize

2021-04-09 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:9c54130c Add linux-next specific files for 20210406
git tree:   linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1654617ed0
kernel config:  https://syzkaller.appspot.com/x/.config?x=d125958c3995ddcd
dashboard link: https://syzkaller.appspot.com/bug?extid=d6a0e4b80bd39f54c2f6
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=101a5786d0
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1147dd0ed0

The issue was bisected to:

commit 997acaf6b4b59c6a9c259740312a69ea549cc684
Author: Mark Rutland 
Date:   Mon Jan 11 15:37:07 2021 +

lockdep: report broken irq restoration

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=11d8d7aad0
final oops: https://syzkaller.appspot.com/x/report.txt?x=13d8d7aad0
console output: https://syzkaller.appspot.com/x/log.txt?x=15d8d7aad0

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d6a0e4b80bd39f54c...@syzkaller.appspotmail.com
Fixes: 997acaf6b4b5 ("lockdep: report broken irq restoration")

loop0: detected capacity change from 0 to 31
BUG: spinlock bad magic on CPU#1, syz-executor062/8434
 lock: 0x8880b9c31d60, .magic: , .owner: /-1, .owner_cpu: 0
CPU: 1 PID: 8434 Comm: syz-executor062 Not tainted 
5.12.0-rc6-next-20210406-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x141/0x1d7 lib/dump_stack.c:120
 debug_spin_lock_before kernel/locking/spinlock_debug.c:83 [inline]
 do_raw_spin_lock+0x216/0x2b0 kernel/locking/spinlock_debug.c:112
 erofs_pcpubuf_growsize+0x36f/0x620 fs/erofs/pcpubuf.c:83
 z_erofs_load_lz4_config+0x1ef/0x3e0 fs/erofs/decompressor.c:64
 erofs_read_superblock fs/erofs/super.c:331 [inline]
 erofs_fc_fill_super+0xe84/0x1d10 fs/erofs/super.c:499
 get_tree_bdev+0x440/0x760 fs/super.c:1293
 vfs_get_tree+0x89/0x2f0 fs/super.c:1498
 do_new_mount fs/namespace.c:2905 [inline]
 path_mount+0x132a/0x1fa0 fs/namespace.c:3235
 do_mount fs/namespace.c:3248 [inline]
 __do_sys_mount fs/namespace.c:3456 [inline]
 __se_sys_mount fs/namespace.c:3433 [inline]
 __x64_sys_mount+0x27f/0x300 fs/namespace.c:3433
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x444f7a
Code: 83 c4 08 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 c3 66 2e 0f 1f 84 00 00 
00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 
c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:7ffe1fa3c2a8 EFLAGS: 0286 ORIG_RAX: 00a5
RAX: ffda RBX: 7ffe1fa3c300 RCX: 00444f7a
RDX: 2000 RSI: 2100 RDI: 7ffe1fa3c2c0
RBP: 7ffe1fa3c2c0 R08: 7ffe1fa3c300 R09: 


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches


[syzbot] kernel BUG in llc_sap_action_send_xid_c

2021-04-09 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:864db232 net: ipv6: check for validity before dereferencin..
git tree:   net
console output: https://syzkaller.appspot.com/x/log.txt?x=16377d16d0
kernel config:  https://syzkaller.appspot.com/x/.config?x=daeff30c2474a60f
dashboard link: https://syzkaller.appspot.com/bug?extid=5e5a981ad7cc54c4b2b4
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=154f8e9ad0
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16fe2fbed0

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+5e5a981ad7cc54c4b...@syzkaller.appspotmail.com

skbuff: skb_over_panic: text:8717de50 len:692 put:3 
head:888025f6f000 data:888025f6f00e tail:0x2c2 end:0x2c0 dev:bond0
[ cut here ]
kernel BUG at net/core/skbuff.c:109!
invalid opcode:  [#1] PREEMPT SMP KASAN
CPU: 1 PID: 8372 Comm: syz-executor543 Not tainted 5.12.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011
RIP: 0010:skb_panic+0x16c/0x16e net/core/skbuff.c:109
Code: f8 4c 8b 4c 24 10 8b 4b 70 41 56 45 89 e8 4c 89 e2 41 57 48 89 ee 48 c7 
c7 40 b2 65 8a ff 74 24 10 ff 74 24 20 e8 e7 c0 c4 ff <0f> 0b e8 d2 e0 75 f8 4c 
8b 64 24 18 e8 c8 87 b9 f8 48 c7 c1 80 be
RSP: 0018:c9000132f7b8 EFLAGS: 00010282
RAX: 0086 RBX: 888012a91140 RCX: 
RDX: 888021d6d4c0 RSI: 815c4d75 RDI: f52000265ee9
RBP: 8a65bec0 R08: 0086 R09: 
R10: 815bdb0e R11:  R12: 8717de50
R13: 0003 R14: 88801aa24000 R15: 02c0
FS:  01d53300() GS:8880b9d0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 55acdca69398 CR3: 20a7b000 CR4: 001506e0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 skb_over_panic net/core/skbuff.c:114 [inline]
 skb_put.cold+0x24/0x24 net/core/skbuff.c:1914
 llc_pdu_init_as_xid_cmd include/net/llc_pdu.h:377 [inline]
 llc_sap_action_send_xid_c+0x240/0x380 net/llc/llc_s_ac.c:84
 llc_exec_sap_trans_actions net/llc/llc_sap.c:153 [inline]
 llc_sap_next_state net/llc/llc_sap.c:182 [inline]
 llc_sap_state_process+0x22a/0x4f0 net/llc/llc_sap.c:209
 llc_ui_sendmsg+0x9ee/0x1040 net/llc/af_llc.c:964
 sock_sendmsg_nosec net/socket.c:654 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:674
 sys_sendmsg+0x331/0x810 net/socket.c:2350
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2404
 __sys_sendmmsg+0x195/0x470 net/socket.c:2490
 __do_sys_sendmmsg net/socket.c:2519 [inline]
 __se_sys_sendmmsg net/socket.c:2516 [inline]
 __x64_sys_sendmmsg+0x99/0x100 net/socket.c:2516
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x43f329
Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 
89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 
c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:7ffc10253fb8 EFLAGS: 0246 ORIG_RAX: 0133
RAX: ffda RBX: 00400488 RCX: 0043f329
RDX: 0006 RSI: 20005bc0 RDI: 0003
RBP: 00403310 R08: 00400488 R09: 00400488
R10: 0400 R11: 0246 R12: 004033a0
R13:  R14: 004ad018 R15: 00400488
Modules linked in:
---[ end trace 4d95aeb9a24efeaa ]---
RIP: 0010:skb_panic+0x16c/0x16e net/core/skbuff.c:109
Code: f8 4c 8b 4c 24 10 8b 4b 70 41 56 45 89 e8 4c 89 e2 41 57 48 89 ee 48 c7 
c7 40 b2 65 8a ff 74 24 10 ff 74 24 20 e8 e7 c0 c4 ff <0f> 0b e8 d2 e0 75 f8 4c 
8b 64 24 18 e8 c8 87 b9 f8 48 c7 c1 80 be
RSP: 0018:c9000132f7b8 EFLAGS: 00010282
RAX: 0086 RBX: 888012a91140 RCX: 
RDX: 888021d6d4c0 RSI: 815c4d75 RDI: f52000265ee9
RBP: 8a65bec0 R08: 0086 R09: 
R10: 815bdb0e R11:  R12: 8717de50
R13: 0003 R14: 88801aa24000 R15: 02c0
FS:  01d53300() GS:8880b9d0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 55acdca69398 CR3: 20a7b000 CR4: 001506e0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400




[syzbot] WARNING in ieee802154_del_device

2021-04-09 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:08c27f33 batman-adv: initialize "struct batadv_tvlv_tt_vla..
git tree:   net
console output: https://syzkaller.appspot.com/x/log.txt?x=111688fcd0
kernel config:  https://syzkaller.appspot.com/x/.config?x=daeff30c2474a60f
dashboard link: https://syzkaller.appspot.com/bug?extid=bf8b5834b7ec229487ce
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=176af0e2d0
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=11fcb16ed0

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+bf8b5834b7ec22948...@syzkaller.appspotmail.com

[ cut here ]
DEBUG_LOCKS_WARN_ON(lock->magic != lock)
WARNING: CPU: 0 PID: 8389 at kernel/locking/mutex.c:931 __mutex_lock_common 
kernel/locking/mutex.c:931 [inline]
WARNING: CPU: 0 PID: 8389 at kernel/locking/mutex.c:931 
__mutex_lock+0xc0b/0x1120 kernel/locking/mutex.c:1096
Modules linked in:
CPU: 1 PID: 8389 Comm: syz-executor116 Not tainted 5.12.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011
RIP: 0010:__mutex_lock_common kernel/locking/mutex.c:931 [inline]
RIP: 0010:__mutex_lock+0xc0b/0x1120 kernel/locking/mutex.c:1096
Code: 08 84 d2 0f 85 a3 04 00 00 8b 05 78 80 c0 04 85 c0 0f 85 12 f5 ff ff 48 
c7 c6 20 8b 6b 89 48 c7 c7 e0 88 6b 89 e8 12 3d bd ff <0f> 0b e9 f8 f4 ff ff 65 
48 8b 1c 25 00 f0 01 00 be 08 00 00 00 48
RSP: 0018:c90001aaf3d8 EFLAGS: 00010286
RAX:  RBX:  RCX: 
RDX: 88801ac8d4c0 RSI: 815c4d15 RDI: f52000355e6d
RBP: 888022324c90 R08:  R09: 
R10: 815bdaae R11:  R12: 
R13: dc00 R14: c90001aaf8b0 R15: 
FS:  0082e300() GS:8880b9c0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 2088 CR3: 18643000 CR4: 001506f0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 ieee802154_del_device+0x3f/0x70 net/mac802154/cfg.c:412
 rdev_del_device net/ieee802154/rdev-ops.h:299 [inline]
 nl802154_del_llsec_dev+0x22f/0x310 net/ieee802154/nl802154.c:1767
 genl_family_rcv_msg_doit+0x228/0x320 net/netlink/genetlink.c:739
 genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]
 genl_rcv_msg+0x328/0x580 net/netlink/genetlink.c:800
 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2502
 genl_rcv+0x24/0x40 net/netlink/genetlink.c:811
 netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
 netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338
 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927
 sock_sendmsg_nosec net/socket.c:654 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:674
 sys_sendmsg+0x6e8/0x810 net/socket.c:2350
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2404
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x43fd19
Code: 28 c3 e8 5a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 
89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 
c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:7ffcff3b4778 EFLAGS: 0246 ORIG_RAX: 002e
RAX: ffda RBX: 004004a0 RCX: 0043fd19
RDX: 0004 RSI: 22c0 RDI: 0004
RBP: 00403780 R08: 0008 R09: 004004a0
R10: 0006 R11: 0246 R12: 00403810
R13:  R14: 004ad018 R15: 004004a0




[syzbot] WARNING: refcount bug in sk_psock_get

2021-04-09 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:9c54130c Add linux-next specific files for 20210406
git tree:   linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=17d8d7aad0
kernel config:  https://syzkaller.appspot.com/x/.config?x=d125958c3995ddcd
dashboard link: https://syzkaller.appspot.com/bug?extid=b54a1ce86ba4a623b7f0
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=1729797ed0
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1190f46ad0

The issue was bisected to:

commit 997acaf6b4b59c6a9c259740312a69ea549cc684
Author: Mark Rutland 
Date:   Mon Jan 11 15:37:07 2021 +

lockdep: report broken irq restoration

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=11a6cc96d0
final oops: https://syzkaller.appspot.com/x/report.txt?x=13a6cc96d0
console output: https://syzkaller.appspot.com/x/log.txt?x=15a6cc96d0

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b54a1ce86ba4a623b...@syzkaller.appspotmail.com
Fixes: 997acaf6b4b5 ("lockdep: report broken irq restoration")

[ cut here ]
refcount_t: saturated; leaking memory.
WARNING: CPU: 1 PID: 8414 at lib/refcount.c:19 
refcount_warn_saturate+0xf4/0x1e0 lib/refcount.c:19
Modules linked in:
CPU: 1 PID: 8414 Comm: syz-executor793 Not tainted 
5.12.0-rc6-next-20210406-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011
RIP: 0010:refcount_warn_saturate+0xf4/0x1e0 lib/refcount.c:19
Code: 1d 69 0c e6 09 31 ff 89 de e8 c8 b4 a6 fd 84 db 75 ab e8 0f ae a6 fd 48 
c7 c7 e0 52 c2 89 c6 05 49 0c e6 09 01 e8 91 0f 00 05 <0f> 0b eb 8f e8 f3 ad a6 
fd 0f b6 1d 33 0c e6 09 31 ff 89 de e8 93
RSP: 0018:c9eef388 EFLAGS: 00010282
RAX:  RBX:  RCX: 
RDX: 88801bbdd580 RSI: 815c2e05 RDI: f520001dde63
RBP:  R08:  R09: 
R10: 815bcc6e R11:  R12: 1920001dde74
R13: 90200301 R14: 888026e0 R15: c9eef3c0
FS:  01422300() GS:8880b9d0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 2000 CR3: 12b3b000 CR4: 001506e0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 __refcount_add_not_zero include/linux/refcount.h:163 [inline]
 __refcount_inc_not_zero include/linux/refcount.h:227 [inline]
 refcount_inc_not_zero include/linux/refcount.h:245 [inline]
 sk_psock_get+0x3b0/0x400 include/linux/skmsg.h:435
 bpf_exec_tx_verdict+0x11e/0x11a0 net/tls/tls_sw.c:799
 tls_sw_sendmsg+0xa41/0x1800 net/tls/tls_sw.c:1013
 inet_sendmsg+0x99/0xe0 net/ipv4/af_inet.c:821
 sock_sendmsg_nosec net/socket.c:654 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:674
 sock_write_iter+0x289/0x3c0 net/socket.c:1001
 call_write_iter include/linux/fs.h:2106 [inline]
 do_iter_readv_writev+0x46f/0x740 fs/read_write.c:740
 do_iter_write+0x188/0x670 fs/read_write.c:866
 vfs_writev+0x1aa/0x630 fs/read_write.c:939
 do_writev+0x27f/0x300 fs/read_write.c:982
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x43efa9
Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 
89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 
c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:7ffe9279f418 EFLAGS: 0246 ORIG_RAX: 0014
RAX: ffda RBX: 00400488 RCX: 0043efa9
RDX: 0001 RSI: 2100 RDI: 0003
RBP: 00402f90 R08: 00400488 R09: 00400488
R10: 0038 R11: 0246 R12: 00403020
R13:  R14: 004ac018 R15: 00400488




[syzbot] BUG: corrupted list in klist_dec_and_del

2021-04-09 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:e49d033b Linux 5.12-rc6
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=167accfcd0
kernel config:  https://syzkaller.appspot.com/x/.config?x=f91155ccddaf919c
dashboard link: https://syzkaller.appspot.com/bug?extid=f9f9397a8879e0b3cecc
compiler:   Debian clang version 11.0.1-2
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=14981316d0
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=104fcc6ad0

Bisection is inconclusive: the issue happens on the oldest tested release.

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=13882a36d0
final oops: https://syzkaller.appspot.com/x/report.txt?x=10482a36d0
console output: https://syzkaller.appspot.com/x/log.txt?x=17882a36d0

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+f9f9397a8879e0b3c...@syzkaller.appspotmail.com

IPVS: ftp: loaded support on port[0] = 21
list_del corruption. prev->next should be 888018a74c68, but was 
88801263b440
[ cut here ]
kernel BUG at lib/list_debug.c:53!
invalid opcode:  [#1] PREEMPT SMP KASAN
CPU: 0 PID: 8361 Comm: syz-executor523 Not tainted 5.12.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011
RIP: 0010:__list_del_entry_valid+0xe1/0x100 lib/list_debug.c:51
Code: 72 b0 87 fd 0f 0b 48 c7 c7 80 a0 11 8a 4c 89 f6 31 c0 e8 5f b0 87 fd 0f 
0b 48 c7 c7 e0 a0 11 8a 4c 89 f6 31 c0 e8 4c b0 87 fd <0f> 0b 48 c7 c7 40 a1 11 
8a 4c 89 f6 31 c0 e8 39 b0 87 fd 0f 0b 66
RSP: :c900010bf9c8 EFLAGS: 00010246
RAX: 0054 RBX: 88801191b468 RCX: ae24f9509f195200
RDX:  RSI: 0001 RDI: 
RBP:  R08: 8160b612 R09: ed1017385fe8
R10: ed1017385fe8 R11:  R12: dc00
R13: 888018a74c68 R14: 888018a74c68 R15: 88801191b468
FS:  () GS:8880b9c0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 7f9f12a2cbb0 CR3: 213fc000 CR4: 001506f0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 __list_del_entry include/linux/list.h:132 [inline]
 list_del include/linux/list.h:146 [inline]
 klist_release lib/klist.c:189 [inline]
 kref_put include/linux/kref.h:65 [inline]
 klist_dec_and_del+0x9c/0x430 lib/klist.c:206
 klist_put lib/klist.c:217 [inline]
 klist_del+0xa0/0x100 lib/klist.c:230
 device_del+0x29e/0xa90 drivers/base/core.c:3400
 hci_conn_del_sysfs+0xeb/0x190 net/bluetooth/hci_sysfs.c:78
 hci_conn_cleanup+0x495/0x640 net/bluetooth/hci_conn.c:138
 hci_conn_del+0x2ae/0x3b0 net/bluetooth/hci_conn.c:678
 hci_conn_hash_flush+0x1bd/0x240 net/bluetooth/hci_conn.c:1599
 hci_dev_do_close+0xa04/0xfe0 net/bluetooth/hci_core.c:1778
 hci_unregister_dev+0x301/0x18a0 net/bluetooth/hci_core.c:3989
 vhci_release+0x73/0xc0 drivers/bluetooth/hci_vhci.c:340
 __fput+0x352/0x7b0 fs/file_table.c:280
 task_work_run+0x146/0x1c0 kernel/task_work.c:140
 exit_task_work include/linux/task_work.h:30 [inline]
 do_exit+0x6b2/0x2290 kernel/exit.c:825
 do_group_exit+0x168/0x2d0 kernel/exit.c:922
 __do_sys_exit_group+0x13/0x20 kernel/exit.c:933
 __se_sys_exit_group+0x10/0x10 kernel/exit.c:931
 __x64_sys_exit_group+0x37/0x40 kernel/exit.c:931
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4443c9
Code: Unable to access opcode bytes at RIP 0x44439f.
RSP: 002b:706d1d58 EFLAGS: 0246 ORIG_RAX: 00e7
RAX: ffda RBX: 004cb370 RCX: 004443c9
RDX: 003c RSI: 00e7 RDI: 0001
RBP: 0001 R08: ffb8 R09: 00ff004c5fe0
R10: 706d1820 R11: 0246 R12: 004cb370
R13: 0001 R14:  R15: 0001
Modules linked in:
---[ end trace d8c06b4c2761f315 ]---
RIP: 0010:__list_del_entry_valid+0xe1/0x100 lib/list_debug.c:51
Code: 72 b0 87 fd 0f 0b 48 c7 c7 80 a0 11 8a 4c 89 f6 31 c0 e8 5f b0 87 fd 0f 
0b 48 c7 c7 e0 a0 11 8a 4c 89 f6 31 c0 e8 4c b0 87 fd <0f> 0b 48 c7 c7 40 a1 11 
8a 4c 89 f6 31 c0 e8 39 b0 87 fd 0f 0b 66
RSP: :c900010bf9c8 EFLAGS: 00010246
RAX: 0054 RBX: 88801191b468 RCX: ae24f9509f195200
RDX:  RSI: 0001 RDI: 
RBP:  R08: 8160b612 R09: ed1017385fe8
R10: ed1017385fe8 R11:  R12: dc00
R13: 888018a74c68 R14: 888018a74c68 R15: 88801191b468
FS:  () GS:8880b9c0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 7f9f12a2cbb0 CR3: 0c48e000 CR4: 001506f0
DR0: 0

Re: [syzbot] memory leak in ext4_multi_mount_protect

2021-04-08 Thread syzbot
syzbot has found a reproducer for the following issue on:

HEAD commit:4fa56ad0 Merge tag 'for-linus' of git://git.kernel.org/pub..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12390a96d0
kernel config:  https://syzkaller.appspot.com/x/.config?x=b8dbd3c72fdc
dashboard link: https://syzkaller.appspot.com/bug?extid=d9e482e303930fa4f6ff
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=109aaa7ed0
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16e77d16d0

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d9e482e303930fa4f...@syzkaller.appspotmail.com

executing program
BUG: memory leak
unreferenced object 0x888111edd780 (size 32):
  comm "syz-executor633", pid 8448, jiffies 4294951405 (age 17.620s)
  hex dump (first 32 bytes):
10 64 d1 0f 81 88 ff ff 00 10 7e 12 81 88 ff ff  .d~.
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
  backtrace:
[] kmalloc include/linux/slab.h:554 [inline]
[] ext4_multi_mount_protect+0x4a6/0x5d0 fs/ext4/mmp.c:367
[] ext4_fill_super+0x56a4/0x5b20 fs/ext4/super.c:4769
[] mount_bdev+0x223/0x260 fs/super.c:1367
[] legacy_get_tree+0x2b/0x90 fs/fs_context.c:592
[] vfs_get_tree+0x28/0x100 fs/super.c:1497
[] do_new_mount fs/namespace.c:2903 [inline]
[] path_mount+0xc3e/0x1120 fs/namespace.c:3233
[] do_mount fs/namespace.c:3246 [inline]
[] __do_sys_mount fs/namespace.c:3454 [inline]
[] __se_sys_mount fs/namespace.c:3431 [inline]
[] __x64_sys_mount+0x18e/0x1d0 fs/namespace.c:3431
[] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
[] entry_SYSCALL_64_after_hwframe+0x44/0xae




Re: [syzbot] possible deadlock in io_sq_thread_finish

2021-04-08 Thread syzbot
syzbot suspects this issue was fixed by commit:

commit f4e61f0c9add3b00bd5f2df3c814d688849b8707
Author: Wanpeng Li 
Date:   Mon Mar 15 06:55:28 2021 +

x86/kvm: Fix broken irq restoration in kvm_wait

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=1022d7aad0
start commit:   144c79ef Merge tag 'perf-tools-fixes-for-v5.12-2020-03-07'..
git tree:   upstream
kernel config:  https://syzkaller.appspot.com/x/.config?x=db9c6adb4986f2f2
dashboard link: https://syzkaller.appspot.com/bug?extid=ac39856cb1b332dbbdda
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=167574dad0
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=12c8f566d0

If the result looks correct, please mark the issue as fixed by replying with:

#syz fix: x86/kvm: Fix broken irq restoration in kvm_wait

For information about bisection process see: https://goo.gl/tpsmEJ#bisection


Re: [syzbot] INFO: task hung in io_ring_exit_work

2021-04-08 Thread syzbot
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an 
issue:
INFO: task hung in io_ring_exit_work

INFO: task kworker/u4:0:9 blocked for more than 143 seconds.
  Not tainted 5.12.0-rc2-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/u4:0state:D stack:26056 pid:9 ppid: 2 flags:0x4000
Workqueue: events_unbound io_ring_exit_work
Call Trace:
 context_switch kernel/sched/core.c:4324 [inline]
 __schedule+0x911/0x21b0 kernel/sched/core.c:5075
 schedule+0xcf/0x270 kernel/sched/core.c:5154
 schedule_timeout+0x1db/0x250 kernel/time/timer.c:1868
 do_wait_for_common kernel/sched/completion.c:85 [inline]
 __wait_for_common kernel/sched/completion.c:106 [inline]
 wait_for_common kernel/sched/completion.c:117 [inline]
 wait_for_completion+0x168/0x270 kernel/sched/completion.c:138
 io_ring_exit_work+0x4e8/0x12d0 fs/io_uring.c:8616
 process_one_work+0x98d/0x1600 kernel/workqueue.c:2275
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2421
 kthread+0x3b1/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
INFO: task kworker/u4:1:25 blocked for more than 143 seconds.
  Not tainted 5.12.0-rc2-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/u4:1state:D stack:25560 pid:   25 ppid: 2 flags:0x4000
Workqueue: events_unbound io_ring_exit_work
Call Trace:
 context_switch kernel/sched/core.c:4324 [inline]
 __schedule+0x911/0x21b0 kernel/sched/core.c:5075
 schedule+0xcf/0x270 kernel/sched/core.c:5154
 schedule_timeout+0x14a/0x250 kernel/time/timer.c:1892


Tested on:

commit: a2a68d4c io_uring: signalling fun / syz test
git tree:   https://github.com/isilence/linux.git syz_test3
console output: https://syzkaller.appspot.com/x/log.txt?x=12eed711d0
kernel config:  https://syzkaller.appspot.com/x/.config?x=86318203e865a02b
dashboard link: https://syzkaller.appspot.com/bug?extid=93f72b3885406bb09e0d
compiler:   



Re: [syzbot] INFO: task hung in io_ring_exit_work

2021-04-08 Thread syzbot
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an 
issue:
INFO: task hung in io_ring_exit_work

INFO: task kworker/u4:1:25 blocked for more than 143 seconds.
  Not tainted 5.12.0-rc2-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/u4:1state:D stack:26120 pid:   25 ppid: 2 flags:0x4000
Workqueue: events_unbound io_ring_exit_work
Call Trace:
 context_switch kernel/sched/core.c:4324 [inline]
 __schedule+0x911/0x21b0 kernel/sched/core.c:5075
 schedule+0xcf/0x270 kernel/sched/core.c:5154
 schedule_timeout+0x1db/0x250 kernel/time/timer.c:1868
 do_wait_for_common kernel/sched/completion.c:85 [inline]
 __wait_for_common kernel/sched/completion.c:106 [inline]
 wait_for_common kernel/sched/completion.c:117 [inline]
 wait_for_completion+0x168/0x270 kernel/sched/completion.c:138
 io_ring_exit_work+0x4e8/0x12d0 fs/io_uring.c:8611
 process_one_work+0x98d/0x1600 kernel/workqueue.c:2275
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2421
 kthread+0x3b1/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

Showing all locks held in the system:
2 locks held by kworker/u4:0/9:
 #0: 88800fc69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]
 #0: 88800fc69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
atomic64_set include/asm-generic/atomic-instrumented.h:856 [inline]
 #0: 88800fc69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
atomic_long_set include/asm-generic/atomic-long.h:41 [inline]
 #0: 88800fc69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
set_work_data kernel/workqueue.c:616 [inline]
 #0: 88800fc69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline]
 #0: 88800fc69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
process_one_work+0x871/0x1600 kernel/workqueue.c:2246
 #1: c9ce7da8 ((work_completion)(>exit_work)){+.+.}-{0:0}, at: 
process_one_work+0x8a5/0x1600 kernel/workqueue.c:2250
2 locks held by kworker/u4:1/25:
 #0: 88800fc69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]
 #0: 88800fc69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
atomic64_set include/asm-generic/atomic-instrumented.h:856 [inline]
 #0: 88800fc69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
atomic_long_set include/asm-generic/atomic-long.h:41 [inline]
 #0: 88800fc69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
set_work_data kernel/workqueue.c:616 [inline]
 #0: 88800fc69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline]
 #0: 88800fc69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
process_one_work+0x871/0x1600 kernel/workqueue.c:2246
 #1: c9dffda8 ((work_completion)(>exit_work)){+.+.}-{0:0}, at: 
process_one_work+0x8a5/0x1600 kernel/workqueue.c:2250
2 locks held by kworker/u4:2/89:
 #0: 88800fc69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]
 #0: 88800fc69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
atomic64_set include/asm-generic/atomic-instrumented.h:856 [inline]
 #0: 88800fc69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
atomic_long_set include/asm-generic/atomic-long.h:41 [inline]
 #0: 88800fc69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
set_work_data kernel/workqueue.c:616 [inline]
 #0: 88800fc69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline]
 #0: 88800fc69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
process_one_work+0x871/0x1600 kernel/workqueue.c:2246
 #1: c9000111fda8 ((work_completion)(>exit_work)){+.+.}-{0:0}, at: 
process_one_work+0x8a5/0x1600 kernel/workqueue.c:2250
2 locks held by kworker/u4:3/138:
 #0: 88800fc69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]
 #0: 88800fc69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
atomic64_set include/asm-generic/atomic-instrumented.h:856 [inline]
 #0: 88800fc69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
atomic_long_set include/asm-generic/atomic-long.h:41 [inline]
 #0: 88800fc69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
set_work_data kernel/workqueue.c:616 [inline]
 #0: 88800fc69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline]
 #0: 88800fc69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
process_one_work+0x871/0x1600 kernel/workqueue.c:2246
 #1: c9000110fda8 ((work_completion)(>exit_work)){+.+.}-{0:0}, at: 
process_one_work+0x8a5/0x1600 kernel/work

Re: [syzbot] INFO: task hung in io_ring_exit_work

2021-04-07 Thread syzbot
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an 
issue:
INFO: task hung in io_ring_exit_work

INFO: task kworker/u4:0:9 blocked for more than 143 seconds.
  Not tainted 5.12.0-rc2-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/u4:0state:D stack:26336 pid:9 ppid: 2 flags:0x4000
Workqueue: events_unbound io_ring_exit_work
Call Trace:
 context_switch kernel/sched/core.c:4324 [inline]
 __schedule+0x911/0x21b0 kernel/sched/core.c:5075
 schedule+0xcf/0x270 kernel/sched/core.c:5154
 schedule_timeout+0x1db/0x250 kernel/time/timer.c:1868
 do_wait_for_common kernel/sched/completion.c:85 [inline]
 __wait_for_common kernel/sched/completion.c:106 [inline]
 wait_for_common kernel/sched/completion.c:117 [inline]
 wait_for_completion+0x168/0x270 kernel/sched/completion.c:138
 io_ring_exit_work+0x4e8/0x12d0 fs/io_uring.c:8611
 process_one_work+0x98d/0x1600 kernel/workqueue.c:2275
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2421
 kthread+0x3b1/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
INFO: task kworker/u4:1:25 blocked for more than 144 seconds.
  Not tainted 5.12.0-rc2-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/u4:1state:D stack:25312 pid:   25 ppid: 2 flags:0x4000
Workqueue: events_unbound io_ring_exit_work
Call Trace:
 context_switch kernel/sched/core.c:4324 [inline]
 __schedule+0x911/0x21b0 kernel/sched/core.c:5075
 schedule+0xcf/0x270 kernel/sched/core.c:5154
 schedule_timeout+0x1db/0x250 kernel/time/timer.c:1868
 do_wait_for_common kernel/sched/completion.c:85 [inline]
 __wait_for_common kernel/sched/completion.c:106 [inline]
 wait_for_common kernel/sched/completion.c:117 [inline]
 wait_for_completion+0x168/0x270 kernel/sched/completion.c:138
 io_ring_exit_work+0x4e8/0x12d0 fs/io_uring.c:8611
 process_one_work+0x98d/0x1600 kernel/workqueue.c:2275
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2421
 kthread+0x3b1/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
INFO: task kworker/u4:3:110 blocked for more than 145 seconds.
  Not tainted 5.12.0-rc2-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/u4:3state:D stack:23608 pid:  110 ppid: 2 flags:0x4000
Workqueue: events_unbound io_ring_exit_work
Call Trace:
 context_switch kernel/sched/core.c:4324 [inline]
 __schedule+0x911/0x21b0 kernel/sched/core.c:5075
 schedule+0xcf/0x270 kernel/sched/core.c:5154
 schedule_timeout+0x1db/0x250 kernel/time/timer.c:1868
 do_wait_for_common kernel/sched/completion.c:85 [inline]
 __wait_for_common kernel/sched/completion.c:106 [inline]
 wait_for_common kernel/sched/completion.c:117 [inline]
 wait_for_completion+0x168/0x270 kernel/sched/completion.c:138
 io_ring_exit_work+0x4e8/0x12d0 fs/io_uring.c:8611
 process_one_work+0x98d/0x1600 kernel/workqueue.c:2275
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2421
 kthread+0x3b1/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
INFO: task kworker/u4:4:185 blocked for more than 145 seconds.
  Not tainted 5.12.0-rc2-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/u4:4state:D stack:25584 pid:  185 ppid: 2 flags:0x4000
Workqueue: events_unbound io_ring_exit_work
Call Trace:
 context_switch kernel/sched/core.c:4324 [inline]
 __schedule+0x911/0x21b0 kernel/sched/core.c:5075
 schedule+0xcf/0x270 kernel/sched/core.c:5154
 schedule_timeout+0x1db/0x250 kernel/time/timer.c:1868
 do_wait_for_common kernel/sched/completion.c:85 [inline]
 __wait_for_common kernel/sched/completion.c:106 [inline]
 wait_for_common kernel/sched/completion.c:117 [inline]
 wait_for_completion+0x168/0x270 kernel/sched/completion.c:138
 io_ring_exit_work+0x4e8/0x12d0 fs/io_uring.c:8611
 process_one_work+0x98d/0x1600 kernel/workqueue.c:2275
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2421
 kthread+0x3b1/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

Showing all locks held in the system:
2 locks held by kworker/u4:0/9:
 #0: 88800fc69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]
 #0: 88800fc69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
atomic64_set include/asm-generic/atomic-instrumented.h:856 [inline]
 #0: 88800fc69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
atomic_long_set include/asm-generic/atomic-long.h:41 [inline]
 #0: 88800fc69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
set_work_data kernel/workqueue.c:616 [inline]
 #0: 88800fc69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline]
 #0: 88800fc69138 ((wq_completion)events_unbound){+.

Re: [syzbot] INFO: task hung in io_ring_exit_work

2021-04-07 Thread syzbot
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an 
issue:
WARNING in kvm_wait

[ cut here ]
raw_local_irq_restore() called with IRQs enabled
WARNING: CPU: 1 PID: 8751 at kernel/locking/irqflag-debug.c:10 
warn_bogus_irq_restore+0x1d/0x20 kernel/locking/irqflag-debug.c:10
Modules linked in:
CPU: 1 PID: 8751 Comm: syz-execprog Not tainted 5.12.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011
RIP: 0010:warn_bogus_irq_restore+0x1d/0x20 kernel/locking/irqflag-debug.c:10
Call Trace:
 kvm_wait arch/x86/kernel/kvm.c:860 [inline]
 kvm_wait+0xc9/0xe0 arch/x86/kernel/kvm.c:837
 pv_wait arch/x86/include/asm/paravirt.h:564 [inline]
 pv_wait_head_or_lock kernel/locking/qspinlock_paravirt.h:470 [inline]
 __pv_queued_spin_lock_slowpath+0x8b8/0xb40 kernel/locking/qspinlock.c:508
 pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:554 [inline]
 queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:51 [inline]
 queued_spin_lock include/asm-generic/qspinlock.h:85 [inline]
 do_raw_spin_lock+0x200/0x2b0 kernel/locking/spinlock_debug.c:113
 spin_lock include/linux/spinlock.h:354 [inline]
 task_lock include/linux/sched/task.h:168 [inline]
 exit_mm kernel/exit.c:481 [inline]
 do_exit+0xa6f/0x2a60 kernel/exit.c:812
 do_group_exit+0x125/0x310 kernel/exit.c:922
 get_signal+0x47f/0x2150 kernel/signal.c:2781
 arch_do_signal_or_restart+0x2a8/0x1eb0 arch/x86/kernel/signal.c:811
 handle_signal_work kernel/entry/common.c:147 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
 exit_to_user_mode_prepare+0x148/0x250 kernel/entry/common.c:208
 __syscall_exit_to_user_mode_work kernel/entry/common.c:290 [inline]
 syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:301
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x46ca23


Tested on:

commit: 1507b68f io_uring: don't quiesce reg buffer
git tree:   https://github.com/isilence/linux.git syz_test
console output: https://syzkaller.appspot.com/x/log.txt?x=1008508ed0
kernel config:  https://syzkaller.appspot.com/x/.config?x=86318203e865a02b
dashboard link: https://syzkaller.appspot.com/bug?extid=93f72b3885406bb09e0d
compiler:   



Re: [syzbot] WARNING in cm109_urb_irq_callback/usb_submit_urb

2021-04-07 Thread syzbot
syzbot has found a reproducer for the following issue on:

HEAD commit:2d743660 Merge branch 'fixes' of git://git.kernel.org/pub/..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1548f46ad0
kernel config:  https://syzkaller.appspot.com/x/.config?x=f91155ccddaf919c
dashboard link: https://syzkaller.appspot.com/bug?extid=2d6d691af5ab4b7e66df
compiler:   Debian clang version 11.0.1-2
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=11d6cc96d0
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=142de07ed0

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+2d6d691af5ab4b7e6...@syzkaller.appspotmail.com

cm109 3-1:0.0: cm109_urb_irq_callback: urb status -71
[ cut here ]
URB 3185a218 submitted while active
WARNING: CPU: 0 PID: 8764 at drivers/usb/core/urb.c:378 
usb_submit_urb+0xf7f/0x1550 drivers/usb/core/urb.c:378
Modules linked in:
CPU: 0 PID: 8764 Comm: systemd-udevd Not tainted 5.12.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011
RIP: 0010:usb_submit_urb+0xf7f/0x1550 drivers/usb/core/urb.c:378
Call Trace:
 
 cm109_urb_irq_callback+0x693/0xbf0 drivers/input/misc/cm109.c:422
 __usb_hcd_giveback_urb+0x375/0x520 drivers/usb/core/hcd.c:1656
 dummy_timer+0xa22/0x2e70 drivers/usb/gadget/udc/dummy_hcd.c:1971
 call_timer_fn+0x91/0x160 kernel/time/timer.c:1431
 expire_timers kernel/time/timer.c:1476 [inline]
 __run_timers+0x6c0/0x8a0 kernel/time/timer.c:1745
 run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1758
 __do_softirq+0x318/0x714 kernel/softirq.c:345
 invoke_softirq kernel/softirq.c:221 [inline]
 __irq_exit_rcu+0x1d8/0x200 kernel/softirq.c:422
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:434
 sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1100
 
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:632
RIP: 0010:tomoyo_check_acl+0xb1/0x430 security/tomoyo/domain.c:173
 tomoyo_path_permission+0x1af/0x370 security/tomoyo/file.c:586
 tomoyo_path_perm+0x32f/0x570 security/tomoyo/file.c:838
 security_inode_getattr+0xc0/0x140 security/security.c:1288
 vfs_getattr fs/stat.c:131 [inline]
 vfs_statx+0xe8/0x320 fs/stat.c:199
 vfs_fstatat fs/stat.c:217 [inline]
 vfs_lstat include/linux/fs.h:3240 [inline]
 __do_sys_newlstat fs/stat.c:372 [inline]
 __se_sys_newlstat fs/stat.c:366 [inline]
 __x64_sys_newlstat+0x81/0xd0 fs/stat.c:366
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f65b01a3335



[syzbot] possible deadlock in team_device_event (2)

2021-04-06 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:bd78980b net: usb: ax88179_178a: initialize local variable..
git tree:   net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1043f831d0
kernel config:  https://syzkaller.appspot.com/x/.config?x=7eff0f22b8563a5f
dashboard link: https://syzkaller.appspot.com/bug?extid=d6d7f5e816b836806b38

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d6d7f5e816b836806...@syzkaller.appspotmail.com


WARNING: possible recursive locking detected
5.12.0-rc4-syzkaller #0 Not tainted

syz-executor.2/10541 is trying to acquire lock:
888060ac8c78 (team->team_lock_key#3){+.+.}-{3:3}, at: 
team_port_change_check drivers/net/team/team.c:2970 [inline]
888060ac8c78 (team->team_lock_key#3){+.+.}-{3:3}, at: 
team_device_event+0x36a/0xa90 drivers/net/team/team.c:2996

but task is already holding lock:
888060ac8c78 (team->team_lock_key#3){+.+.}-{3:3}, at: 
team_del_slave+0x29/0x140 drivers/net/team/team.c:1981

other info that might help us debug this:
 Possible unsafe locking scenario:

   CPU0
   
  lock(team->team_lock_key#3);
  lock(team->team_lock_key#3);

 *** DEADLOCK ***

 May be due to missing lock nesting notation

2 locks held by syz-executor.2/10541:
 #0: 8d66d7a8 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock 
net/core/rtnetlink.c:72 [inline]
 #0: 8d66d7a8 (rtnl_mutex){+.+.}-{3:3}, at: 
rtnetlink_rcv_msg+0x3f9/0xad0 net/core/rtnetlink.c:5550
 #1: 888060ac8c78 (team->team_lock_key#3){+.+.}-{3:3}, at: 
team_del_slave+0x29/0x140 drivers/net/team/team.c:1981

stack backtrace:
CPU: 1 PID: 10541 Comm: syz-executor.2 Not tainted 5.12.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x141/0x1d7 lib/dump_stack.c:120
 print_deadlock_bug kernel/locking/lockdep.c:2829 [inline]
 check_deadlock kernel/locking/lockdep.c:2872 [inline]
 validate_chain kernel/locking/lockdep.c:3661 [inline]
 __lock_acquire.cold+0x14c/0x3b4 kernel/locking/lockdep.c:4900
 lock_acquire kernel/locking/lockdep.c:5510 [inline]
 lock_acquire+0x1ab/0x740 kernel/locking/lockdep.c:5475
 __mutex_lock_common kernel/locking/mutex.c:949 [inline]
 __mutex_lock+0x139/0x1120 kernel/locking/mutex.c:1096
 team_port_change_check drivers/net/team/team.c:2970 [inline]
 team_device_event+0x36a/0xa90 drivers/net/team/team.c:2996
 notifier_call_chain+0xb5/0x200 kernel/notifier.c:83
 call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:2121
 call_netdevice_notifiers_extack net/core/dev.c:2133 [inline]
 call_netdevice_notifiers net/core/dev.c:2147 [inline]
 dev_close_many+0x2ff/0x620 net/core/dev.c:1722
 vlan_device_event+0x8eb/0x2020 net/8021q/vlan.c:453
 notifier_call_chain+0xb5/0x200 kernel/notifier.c:83
 call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:2121
 call_netdevice_notifiers_extack net/core/dev.c:2133 [inline]
 call_netdevice_notifiers net/core/dev.c:2147 [inline]
 dev_close_many+0x2ff/0x620 net/core/dev.c:1722
 dev_close net/core/dev.c:1744 [inline]
 dev_close+0x16d/0x210 net/core/dev.c:1738
 team_port_del+0x34e/0x960 drivers/net/team/team.c:1349
 team_del_slave+0x34/0x140 drivers/net/team/team.c:1982
 do_set_master+0xe1/0x220 net/core/rtnetlink.c:2505
 do_setlink+0x920/0x3a70 net/core/rtnetlink.c:2715
 __rtnl_newlink+0xdcf/0x1710 net/core/rtnetlink.c:3376
 rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3491
 rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5553
 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2502
 netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
 netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338
 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927
 sock_sendmsg_nosec net/socket.c:654 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:674
 sys_sendmsg+0x6e8/0x810 net/socket.c:2350
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2404
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x466459


---
This report is generated by a bot. It may contain errors.
See https:

[syzbot] KASAN: use-after-free Write in sk_psock_stop

2021-04-05 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:f07669df libbpf: Remove redundant semi-colon
git tree:   bpf-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1564f0e2d0
kernel config:  https://syzkaller.appspot.com/x/.config?x=7eff0f22b8563a5f
dashboard link: https://syzkaller.appspot.com/bug?extid=7b6548ae483d6f4c64ae
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=16462311d0

The issue was bisected to:

commit 997acaf6b4b59c6a9c259740312a69ea549cc684
Author: Mark Rutland 
Date:   Mon Jan 11 15:37:07 2021 +

lockdep: report broken irq restoration

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=12c1c9ced0
final oops: https://syzkaller.appspot.com/x/report.txt?x=11c1c9ced0
console output: https://syzkaller.appspot.com/x/log.txt?x=16c1c9ced0

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+7b6548ae483d6f4c6...@syzkaller.appspotmail.com
Fixes: 997acaf6b4b5 ("lockdep: report broken irq restoration")

==
BUG: KASAN: use-after-free in __lock_acquire+0x3e6f/0x54c0 
kernel/locking/lockdep.c:4770
Read of size 8 at addr 888024f66238 by task syz-executor.1/14202

CPU: 0 PID: 14202 Comm: syz-executor.1 Not tainted 5.12.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x141/0x1d7 lib/dump_stack.c:120
 print_address_description.constprop.0.cold+0x5b/0x2f8 mm/kasan/report.c:232
 __kasan_report mm/kasan/report.c:399 [inline]
 kasan_report.cold+0x7c/0xd8 mm/kasan/report.c:416
 __lock_acquire+0x3e6f/0x54c0 kernel/locking/lockdep.c:4770
 lock_acquire kernel/locking/lockdep.c:5510 [inline]
 lock_acquire+0x1ab/0x740 kernel/locking/lockdep.c:5475
 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
 _raw_spin_lock_bh+0x2f/0x40 kernel/locking/spinlock.c:175
 spin_lock_bh include/linux/spinlock.h:359 [inline]
 sk_psock_stop+0x2f/0x4d0 net/core/skmsg.c:750
 sock_map_close+0x172/0x390 net/core/sock_map.c:1534
 inet_release+0x12e/0x280 net/ipv4/af_inet.c:431
 __sock_release+0xcd/0x280 net/socket.c:599
 sock_close+0x18/0x20 net/socket.c:1258
 __fput+0x288/0x920 fs/file_table.c:280
 task_work_run+0xdd/0x1a0 kernel/task_work.c:140
 tracehook_notify_resume include/linux/tracehook.h:189 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:174 [inline]
 exit_to_user_mode_prepare+0x249/0x250 kernel/entry/common.c:208
 __syscall_exit_to_user_mode_work kernel/entry/common.c:290 [inline]
 syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:301
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x466459

Allocated by task 14202:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:427 [inline]
 kasan_kmalloc mm/kasan/common.c:506 [inline]
 kasan_kmalloc mm/kasan/common.c:465 [inline]
 __kasan_kmalloc+0x99/0xc0 mm/kasan/common.c:515
 kmalloc_node include/linux/slab.h:572 [inline]
 kzalloc_node include/linux/slab.h:695 [inline]
 sk_psock_init+0xaf/0x730 net/core/skmsg.c:668
 sock_map_link+0xbf4/0x1020 net/core/sock_map.c:286
 sock_hash_update_common+0xe2/0xa60 net/core/sock_map.c:993
 sock_map_update_elem_sys+0x561/0x680 net/core/sock_map.c:596
 bpf_map_update_value.isra.0+0x36b/0x8d0 kernel/bpf/syscall.c:167
 map_update_elem kernel/bpf/syscall.c:1129 [inline]
 __do_sys_bpf+0x2d6e/0x4f40 kernel/bpf/syscall.c:4384
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Freed by task 9712:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track+0x1c/0x30 mm/kasan/common.c:46
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:357
 kasan_slab_free mm/kasan/common.c:360 [inline]
 kasan_slab_free mm/kasan/common.c:325 [inline]
 __kasan_slab_free+0xf5/0x130 mm/kasan/common.c:367
 kasan_slab_free include/linux/kasan.h:199 [inline]
 slab_free_hook mm/slub.c:1562 [inline]
 slab_free_freelist_hook+0x92/0x210 mm/slub.c:1600
 slab_free mm/slub.c:3161 [inline]
 kfree+0xe5/0x7f0 mm/slub.c:4213
 process_one_work+0x98d/0x1600 kernel/workqueue.c:2275
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2421
 kthread+0x3b1/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x3

[syzbot] WARNING: suspicious RCU usage in tcp_bpf_update_proto

2021-04-05 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:514e1150 net: x25: Queue received packets in the drivers i..
git tree:   net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=112a8831d0
kernel config:  https://syzkaller.appspot.com/x/.config?x=7eff0f22b8563a5f
dashboard link: https://syzkaller.appspot.com/bug?extid=320a3bc8d80f478c37e4
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=1532d711d0
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=15f44c5ed0

The issue was bisected to:

commit 4dfe6bd94959222e18d512bdf15f6bf9edb9c27c
Author: Rustam Kovhaev 
Date:   Wed Feb 24 20:00:30 2021 +

ntfs: check for valid standard information attribute

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=16207a81d0
final oops: https://syzkaller.appspot.com/x/report.txt?x=15207a81d0
console output: https://syzkaller.appspot.com/x/log.txt?x=11207a81d0

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+320a3bc8d80f478c3...@syzkaller.appspotmail.com
Fixes: 4dfe6bd94959 ("ntfs: check for valid standard information attribute")

=
WARNING: suspicious RCU usage
5.12.0-rc4-syzkaller #0 Not tainted
-
include/linux/skmsg.h:286 suspicious rcu_dereference_check() usage!

other info that might help us debug this:


rcu_scheduler_active = 2, debug_locks = 1
1 lock held by syz-executor383/8454:
 #0: 888013a99b48 (clock-AF_INET){++..}-{2:2}, at: sk_psock_drop+0x2c/0x460 
net/core/skmsg.c:788

stack backtrace:
CPU: 1 PID: 8454 Comm: syz-executor383 Not tainted 5.12.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x141/0x1d7 lib/dump_stack.c:120
 sk_psock include/linux/skmsg.h:286 [inline]
 tcp_bpf_update_proto+0x530/0x5f0 net/ipv4/tcp_bpf.c:504
 sk_psock_restore_proto include/linux/skmsg.h:408 [inline]
 sk_psock_drop+0xdf/0x460 net/core/skmsg.c:789
 sk_psock_put include/linux/skmsg.h:446 [inline]
 tcp_bpf_recvmsg+0x42d/0x480 net/ipv4/tcp_bpf.c:208
 inet_recvmsg+0x11b/0x5d0 net/ipv4/af_inet.c:852
 sock_recvmsg_nosec net/socket.c:888 [inline]
 sock_recvmsg net/socket.c:906 [inline]
 sock_recvmsg net/socket.c:902 [inline]
 sys_recvmsg+0x2c4/0x600 net/socket.c:2569
 ___sys_recvmsg+0x127/0x200 net/socket.c:2611
 do_recvmmsg+0x24d/0x6d0 net/socket.c:2705
 __sys_recvmmsg net/socket.c:2784 [inline]
 __do_sys_recvmmsg net/socket.c:2807 [inline]
 __se_sys_recvmmsg net/socket.c:2800 [inline]
 __x64_sys_recvmmsg+0x20b/0x260 net/socket.c:2800
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4468e9




Re: [syzbot] INFO: task hung in io_ring_exit_work

2021-04-05 Thread syzbot
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an 
issue:
INFO: task hung in io_ring_exit_work

INFO: task kworker/u4:4:191 blocked for more than 143 seconds.
  Not tainted 5.12.0-rc2-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/u4:4state:D stack:26056 pid:  191 ppid: 2 flags:0x4000
Workqueue: events_unbound io_ring_exit_work
Call Trace:
 context_switch kernel/sched/core.c:4324 [inline]
 __schedule+0x911/0x21b0 kernel/sched/core.c:5075
 schedule+0xcf/0x270 kernel/sched/core.c:5154
 schedule_timeout+0x1db/0x250 kernel/time/timer.c:1868
 do_wait_for_common kernel/sched/completion.c:85 [inline]
 __wait_for_common kernel/sched/completion.c:106 [inline]
 wait_for_common kernel/sched/completion.c:117 [inline]
 wait_for_completion+0x168/0x270 kernel/sched/completion.c:138
 io_ring_exit_work+0x4e8/0x12d0 fs/io_uring.c:8596
 process_one_work+0x98d/0x1600 kernel/workqueue.c:2275
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2421
 kthread+0x3b1/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

Showing all locks held in the system:
2 locks held by kworker/u4:0/9:
 #0: 88800fc69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]
 #0: 88800fc69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
atomic64_set include/asm-generic/atomic-instrumented.h:856 [inline]
 #0: 88800fc69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
atomic_long_set include/asm-generic/atomic-long.h:41 [inline]
 #0: 88800fc69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
set_work_data kernel/workqueue.c:616 [inline]
 #0: 88800fc69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline]
 #0: 88800fc69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
process_one_work+0x871/0x1600 kernel/workqueue.c:2246
 #1: c9ce7da8 ((work_completion)(>exit_work)){+.+.}-{0:0}, at: 
process_one_work+0x8a5/0x1600 kernel/workqueue.c:2250
2 locks held by kworker/u4:1/25:
 #0: 88800fc69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]
 #0: 88800fc69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
atomic64_set include/asm-generic/atomic-instrumented.h:856 [inline]
 #0: 88800fc69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
atomic_long_set include/asm-generic/atomic-long.h:41 [inline]
 #0: 88800fc69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
set_work_data kernel/workqueue.c:616 [inline]
 #0: 88800fc69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline]
 #0: 88800fc69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
process_one_work+0x871/0x1600 kernel/workqueue.c:2246
 #1: c9dffda8 ((work_completion)(>exit_work)){+.+.}-{0:0}, at: 
process_one_work+0x8a5/0x1600 kernel/workqueue.c:2250
2 locks held by kworker/u4:2/39:
 #0: 88800fc69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]
 #0: 88800fc69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
atomic64_set include/asm-generic/atomic-instrumented.h:856 [inline]
 #0: 88800fc69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
atomic_long_set include/asm-generic/atomic-long.h:41 [inline]
 #0: 88800fc69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
set_work_data kernel/workqueue.c:616 [inline]
 #0: 88800fc69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline]
 #0: 88800fc69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
process_one_work+0x871/0x1600 kernel/workqueue.c:2246
 #1: c9e5fda8 ((work_completion)(>exit_work)){+.+.}-{0:0}, at: 
process_one_work+0x8a5/0x1600 kernel/workqueue.c:2250
2 locks held by kworker/u4:3/131:
 #0: 88800fc69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]
 #0: 88800fc69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
atomic64_set include/asm-generic/atomic-instrumented.h:856 [inline]
 #0: 88800fc69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
atomic_long_set include/asm-generic/atomic-long.h:41 [inline]
 #0: 88800fc69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
set_work_data kernel/workqueue.c:616 [inline]
 #0: 88800fc69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline]
 #0: 88800fc69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
process_one_work+0x871/0x1600 kernel/workqueue.c:2246
 #1: c900013cfda8 ((work_completion)(>exit_work)){+.+.}-{0:0}, at: 
process_one_work+0x8a5/0x1600 kernel/work

Re: [syzbot] memory leak in mgmt_cmd_status

2021-04-05 Thread syzbot
syzbot has found a reproducer for the following issue on:

HEAD commit:e49d033b Linux 5.12-rc6
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12579f11d0
kernel config:  https://syzkaller.appspot.com/x/.config?x=b8dbd3c72fdc
dashboard link: https://syzkaller.appspot.com/bug?extid=80f5bab4eb14d14e7386
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=143b1696d0
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14c5a30ed0

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+80f5bab4eb14d14e7...@syzkaller.appspotmail.com

BUG: memory leak
unreferenced object 0x88810ddf4700 (size 232):
  comm "kworker/u5:2", pid 8406, jiffies 4294997792 (age 10.670s)
  hex dump (first 32 bytes):
d0 f0 af 0e 81 88 ff ff d0 f0 af 0e 81 88 ff ff  
00 00 00 00 00 00 00 00 00 f0 af 0e 81 88 ff ff  
  backtrace:
[] __alloc_skb+0x20f/0x280 net/core/skbuff.c:412
[] alloc_skb include/linux/skbuff.h:1103 [inline]
[] mgmt_cmd_status+0x31/0x160 
net/bluetooth/mgmt_util.c:102
[] mgmt_set_discoverable_complete+0x1b9/0x1e0 
net/bluetooth/mgmt.c:1357
[] discoverable_update_work+0x88/0xb0 
net/bluetooth/hci_request.c:2806
[] process_one_work+0x2c9/0x600 kernel/workqueue.c:2275
[] worker_thread+0x59/0x5d0 kernel/workqueue.c:2421
[] kthread+0x178/0x1b0 kernel/kthread.c:292
[] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294




[syzbot] WARNING: suspicious RCU usage in lock_sock_nested

2021-04-05 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:d19cc4bf Merge tag 'trace-v5.12-rc5' of git://git.kernel.o..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14898326d0
kernel config:  https://syzkaller.appspot.com/x/.config?x=d1a3d65a48dbd1bc
dashboard link: https://syzkaller.appspot.com/bug?extid=80a4f8091f8d5ba51de9

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+80a4f8091f8d5ba51...@syzkaller.appspotmail.com

=
WARNING: suspicious RCU usage
5.12.0-rc5-syzkaller #0 Not tainted
-
kernel/sched/core.c:8294 Illegal context switch in RCU-bh read-side critical 
section!

other info that might help us debug this:


rcu_scheduler_active = 2, debug_locks = 0
no locks held by syz-executor.3/8407.

stack backtrace:
CPU: 0 PID: 8407 Comm: syz-executor.3 Not tainted 5.12.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x141/0x1d7 lib/dump_stack.c:120
 ___might_sleep+0x229/0x2c0 kernel/sched/core.c:8294
 lock_sock_nested+0x25/0x120 net/core/sock.c:3062
 lock_sock include/net/sock.h:1600 [inline]
 do_ip_getsockopt+0x227/0x18e0 net/ipv4/ip_sockglue.c:1536
 ip_getsockopt+0x84/0x1c0 net/ipv4/ip_sockglue.c:1761
 tcp_getsockopt+0x86/0xd0 net/ipv4/tcp.c:4239
 __sys_getsockopt+0x21f/0x5f0 net/socket.c:2161
 __do_sys_getsockopt net/socket.c:2176 [inline]
 __se_sys_getsockopt net/socket.c:2173 [inline]
 __x64_sys_getsockopt+0xba/0x150 net/socket.c:2173
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x467a6a
Code: 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 
00 00 00 0f 1f 44 00 00 49 89 ca b8 37 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 
c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:7ffc76a6a848 EFLAGS: 0246 ORIG_RAX: 0037
RAX: ffda RBX: 7ffc76a6a85c RCX: 00467a6a
RDX: 0060 RSI:  RDI: 0003
RBP: 0003 R08: 7ffc76a6a85c R09: 7ffc76a6a8c0
R10: 7ffc76a6a860 R11: 0246 R12: 7ffc76a6a860
R13: 0005ecdc R14:  R15: 7ffc76a6afd0


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.


[syzbot] WARNING in inc_nlink (2)

2021-04-05 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:57fbdb15 Merge tag 'scsi-fixes' of git://git.kernel.org/pu..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11e2ccfcd0
kernel config:  https://syzkaller.appspot.com/x/.config?x=71a75beb62b62a34
dashboard link: https://syzkaller.appspot.com/bug?extid=1c8034b9f0e640f9ba45
compiler:   Debian clang version 11.0.1-2
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=11bfd511d0
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17ff8c5ed0

Bisection is inconclusive: the issue happens on the oldest tested release.

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=12b82fbed0
final oops: https://syzkaller.appspot.com/x/report.txt?x=11b82fbed0
console output: https://syzkaller.appspot.com/x/log.txt?x=16b82fbed0

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+1c8034b9f0e640f9b...@syzkaller.appspotmail.com

loop0: detected capacity change from 0 to 4
VFS: Found a V7 FS (block size = 512) on device loop0
------------[ cut here ]------------
WARNING: CPU: 1 PID: 8352 at fs/inode.c:362 inc_nlink+0x11e/0x130 fs/inode.c:362
Modules linked in:
CPU: 1 PID: 8352 Comm: syz-executor549 Not tainted 5.12.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011
RIP: 0010:inc_nlink+0x11e/0x130 fs/inode.c:362
Code: ef ff e9 38 ff ff ff 44 89 e9 80 e1 07 80 c1 03 38 c1 0f 8c 49 ff ff ff 
4c 89 ef e8 fc 3f ef ff e9 3c ff ff ff e8 42 59 ab ff <0f> 0b eb 80 66 66 2e 0f 
1f 84 00 00 00 00 00 0f 1f 00 41 57 41 56
RSP: 0018:c9000178fdf8 EFLAGS: 00010293
RAX: 81cdbf6e RBX: 1110064a6810 RCX: 888015279c40
RDX:  RSI:  RDI: 
RBP:  R08: 81cdbee8 R09: c9000178fdc8
R10: f520002f1fbd R11:  R12: dc00
R13: 888032534080 R14: 888032534038 R15: 
FS:  00ba9300() GS:8880b9d0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 7fb76c03c0e8 CR3: 11cf3000 CR4: 001506e0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 inode_inc_link_count include/linux/fs.h:2297 [inline]
 sysv_mkdir+0x1d/0x120 fs/sysv/namei.c:119
 vfs_mkdir+0x45b/0x640 fs/namei.c:3817
 do_mkdirat+0x209/0x370 fs/namei.c:3842
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x443c29
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 
89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 
c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:7fff53c97208 EFLAGS: 0246 ORIG_RAX: 0053
RAX: ffda RBX: 004004a0 RCX: 00443c29
RDX: 004021f3 RSI: 0023 RDI: 2080
RBP: 004034c0 R08:  R09: 
R10: 7fff53c970d0 R11: 0246 R12: 00403550
R13:  R14: 004b1018 R15: 004004a0


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches


[syzbot] INFO: task hung in io_ring_exit_work

2021-04-05 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:e49d033b Linux 5.12-rc6
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16217d16d0
kernel config:  https://syzkaller.appspot.com/x/.config?x=9320464bf47598bd
dashboard link: https://syzkaller.appspot.com/bug?extid=93f72b3885406bb09e0d
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=15741cfcd0
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14c10a96d0

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+93f72b3885406bb09...@syzkaller.appspotmail.com

INFO: task kworker/u4:6:3091 blocked for more than 143 seconds.
  Not tainted 5.12.0-rc6-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/u4:6state:D stack:24792 pid: 3091 ppid: 2 flags:0x4000
Workqueue: events_unbound io_ring_exit_work
Call Trace:
 context_switch kernel/sched/core.c:4322 [inline]
 __schedule+0x911/0x21b0 kernel/sched/core.c:5073
 schedule+0xcf/0x270 kernel/sched/core.c:5152
 schedule_timeout+0x1db/0x250 kernel/time/timer.c:1868
 do_wait_for_common kernel/sched/completion.c:85 [inline]
 __wait_for_common kernel/sched/completion.c:106 [inline]
 wait_for_common kernel/sched/completion.c:117 [inline]
 wait_for_completion+0x168/0x270 kernel/sched/completion.c:138
 io_ring_exit_work+0x4e8/0x12d0 fs/io_uring.c:8596
 process_one_work+0x98d/0x1600 kernel/workqueue.c:2275
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2421
 kthread+0x3b1/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

Showing all locks held in the system:
2 locks held by kworker/u4:5/235:
 #0: 888010469138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]
 #0: 888010469138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
atomic64_set include/asm-generic/atomic-instrumented.h:856 [inline]
 #0: 888010469138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
atomic_long_set include/asm-generic/atomic-long.h:41 [inline]
 #0: 888010469138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
set_work_data kernel/workqueue.c:616 [inline]
 #0: 888010469138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline]
 #0: 888010469138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
process_one_work+0x871/0x1600 kernel/workqueue.c:2246
 #1: c900019bfda8 ((work_completion)(>exit_work)){+.+.}-{0:0}, at: 
process_one_work+0x8a5/0x1600 kernel/workqueue.c:2250
1 lock held by khungtaskd/1630:
 #0: 8bf74320 (rcu_read_lock){}-{1:2}, at: 
debug_show_all_locks+0x53/0x260 kernel/locking/lockdep.c:6327
2 locks held by kworker/u4:6/3091:
 #0: 888010469138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]
 #0: 888010469138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
atomic64_set include/asm-generic/atomic-instrumented.h:856 [inline]
 #0: 888010469138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
atomic_long_set include/asm-generic/atomic-long.h:41 [inline]
 #0: 888010469138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
set_work_data kernel/workqueue.c:616 [inline]
 #0: 888010469138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline]
 #0: 888010469138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
process_one_work+0x871/0x1600 kernel/workqueue.c:2246
 #1: c90001cbfda8 ((work_completion)(>exit_work)){+.+.}-{0:0}, at: 
process_one_work+0x8a5/0x1600 kernel/workqueue.c:2250
1 lock held by in:imklog/8101:
 #0: 88801523b270 (>f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0xe9/0x100 
fs/file.c:961
2 locks held by kworker/u4:1/11499:
 #0: 888010469138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]
 #0: 888010469138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
atomic64_set include/asm-generic/atomic-instrumented.h:856 [inline]
 #0: 888010469138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
atomic_long_set include/asm-generic/atomic-long.h:41 [inline]
 #0: 888010469138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
set_work_data kernel/workqueue.c:616 [inline]
 #0: 888010469138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline]
 #0: 888010469138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: 
process_one_work+0x871/0x1600 kernel/workqueue.c:2246
 #1: c9000d957da8 ((work_completion)(>exit_work)){+.+.}-{0:0}, at: 
process_one_work+0x8a5/0x1600 kernel/workqueue.c:2250
2 locks held by syz-executor633/15066:
 #0: 8880b9d35198 (>lock){-.-.}-{2:2}, at: rq_lock 
kernel/sched/sched.h:1321 [inline]
 #0: 8880b9d35198 (>lock){-.

Re: [syzbot] UBSAN: shift-out-of-bounds in detach_tasks

2021-04-05 Thread syzbot
syzbot has found a reproducer for the following issue on:

HEAD commit:e49d033b Linux 5.12-rc6
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15f7cc6ad0
kernel config:  https://syzkaller.appspot.com/x/.config?x=f91155ccddaf919c
dashboard link: https://syzkaller.appspot.com/bug?extid=f9131489729201445f66
compiler:   Debian clang version 11.0.1-2
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=13dc5786d0

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+f9131489729201445...@syzkaller.appspotmail.com


UBSAN: shift-out-of-bounds in kernel/sched/fair.c:7712:14
shift exponent 77 is too large for 64-bit type 'unsigned long'
CPU: 1 PID: 8407 Comm: syz-executor.4 Not tainted 5.12.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x176/0x24e lib/dump_stack.c:120
 ubsan_epilogue lib/ubsan.c:148 [inline]
 __ubsan_handle_shift_out_of_bounds+0x42e/0x4d0 lib/ubsan.c:327
 detach_tasks+0xd04/0x1110 kernel/sched/fair.c:7712
 load_balance+0x39f6/0x5a80 kernel/sched/fair.c:9641
 rebalance_domains+0x4ca/0x9c0 kernel/sched/fair.c:10029
 __do_softirq+0x318/0x714 kernel/softirq.c:345
 invoke_softirq kernel/softirq.c:221 [inline]
 __irq_exit_rcu+0x1d8/0x200 kernel/softirq.c:422
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:434
 sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1100
 </IRQ>
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:632
RIP: 0010:__raw_spin_unlock_irq include/linux/spinlock_api_smp.h:169 [inline]
RIP: 0010:_raw_spin_unlock_irq+0x25/0x40 kernel/locking/spinlock.c:199
Code: b2 fd ff 66 90 53 48 89 fb 48 83 c7 18 48 8b 74 24 08 e8 0e 54 08 f8 48 
89 df e8 56 29 0a f8 e8 f1 a4 2a f8 fb bf 01 00 00 00  26 39 fe f7 65 8b 05 
f7 7c ad 76 85 c0 74 02 5b c3 e8 ab d8 ab
RSP: 0018:c9000187fc70 EFLAGS: 0282
RAX: eded0b76c3f98d00 RBX: 8880b9d34c80 RCX: 8ff89b03
RDX: 4000 RSI: 0002 RDI: 0001
RBP: c9000187fcd0 R08: 817f17a0 R09: ed10173a6991
R10: ed10173a6991 R11:  R12: 8880b9d34c80
R13: 88801caeb880 R14: dc00 R15: 
 finish_task_switch+0x145/0x620 kernel/sched/core.c:4191
 context_switch kernel/sched/core.c:4325 [inline]
 __schedule+0x9a1/0xe70 kernel/sched/core.c:5073
 schedule+0x14b/0x200 kernel/sched/core.c:5152
 freezable_schedule include/linux/freezer.h:172 [inline]
 do_nanosleep+0x1cd/0x740 kernel/time/hrtimer.c:1896
 hrtimer_nanosleep+0x1b9/0x3a0 kernel/time/hrtimer.c:1949
 __do_sys_clock_nanosleep kernel/time/posix-timers.c:1267 [inline]
 __se_sys_clock_nanosleep kernel/time/posix-timers.c:1245 [inline]
 __x64_sys_clock_nanosleep+0x2f6/0x340 kernel/time/posix-timers.c:1245
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x48a621
Code: 24 0c 89 3c 24 48 89 4c 24 18 e8 aa e7 ff ff 4c 8b 54 24 18 48 8b 54 24 
10 41 89 c0 8b 74 24 0c 8b 3c 24 b8 e6 00 00 00 0f 05 <44> 89 c7 48 89 04 24 e8 
e3 e7 ff ff 48 8b 04 24 eb 97 66 2e 0f 1f
RSP: 002b:7ffd2ecab5c0 EFLAGS: 0293 ORIG_RAX: 00e6
RAX: ffda RBX: 0008 RCX: 0048a621
RDX: 7ffd2ecab600 RSI:  RDI: 
RBP: 7ffd2ecab69c R08:  R09: 0010
R10:  R11: 0293 R12: 0032
R13: 0006640a R14: 000d R15: 7ffd2ecab700


[syzbot] WARNING: suspicious RCU usage in do_user_addr_fault

2021-04-04 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:d19cc4bf Merge tag 'trace-v5.12-rc5' of git://git.kernel.o..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17a22d16d0
kernel config:  https://syzkaller.appspot.com/x/.config?x=78ef1d159159890
dashboard link: https://syzkaller.appspot.com/bug?extid=3d5082ab6eec95ad4231

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3d5082ab6eec95ad4...@syzkaller.appspotmail.com

WARNING: suspicious RCU usage
5.12.0-rc5-syzkaller #0 Not tainted
-----------------------------
kernel/sched/core.c:8294 Illegal context switch in RCU-bh read-side critical 
section!

other info that might help us debug this:


rcu_scheduler_active = 2, debug_locks = 0
1 lock held by syz-executor.5/8582:
 #0: 888029093218 (>mmap_lock#2){}-{3:3}, at: mmap_read_trylock 
include/linux/mmap_lock.h:136 [inline]
 #0: 888029093218 (>mmap_lock#2){}-{3:3}, at: 
do_user_addr_fault+0x285/0x1210 arch/x86/mm/fault.c:1331

stack backtrace:
CPU: 0 PID: 8582 Comm: syz-executor.5 Not tainted 5.12.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x141/0x1d7 lib/dump_stack.c:120
 ___might_sleep+0x229/0x2c0 kernel/sched/core.c:8294
 do_user_addr_fault+0x2c2/0x1210 arch/x86/mm/fault.c:1348
 handle_page_fault arch/x86/mm/fault.c:1475 [inline]
 exc_page_fault+0x9e/0x180 arch/x86/mm/fault.c:1531
 asm_exc_page_fault+0x1e/0x30 arch/x86/include/asm/idtentry.h:577
RIP: 0033:0x406f13
Code: 00 00 e8 a0 a1 ff ff 85 c0 74 4e 8b 54 24 0c 49 8b 37 31 c0 48 8d 3d 79 
7f 0b 00 e8 27 c3 ff ff 8b 44 24 6c 49 8d 4f 60 89 de <4d> 89 a7 b8 00 00 00 ba 
40 00 00 00 44 89 ef 41 89 87 b4 00 00 00
RSP: 002b:7fff2a8e7140 EFLAGS: 00010202
RAX: 0005 RBX:  RCX: 00544420
RDX: 0002 RSI:  RDI: 004bee7d
RBP: 7fff2a8e7160 R08: 7fff2a8e715c R09: 7fff2a8e71f0
R10: 7fff2a8e71c0 R11: 0202 R12: 7fff2a8e71c0
R13: 0003 R14: 7fff2a8e715c R15: 005443c0


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

