* tty: sleeping function in invalid in context do_con_write and deadlock in gsm_control_retransmit
@ 2016-09-03 11:07 Dmitry Vyukov
  2016-09-05 12:34 ` One Thousand Gnomes
  0 siblings, 1 reply; 2+ messages in thread
From: Dmitry Vyukov @ 2016-09-03 11:07 UTC (permalink / raw)
  To: Greg Kroah-Hartman, Jiri Slaby, LKML, Peter Hurley; +Cc: syzkaller

Hello,

While running syzkaller fuzzer on
0f98f121e1670eaa2a2fbb675e07d6ba7f0e146f of linux-next, I've got the
following splash. Note there are 2 separate bugs (but maybe related):

BUG: sleeping function called from invalid context at drivers/tty/vt/vt.c:2195
[ INFO: possible irq lock inversion dependency detected ]



BUG: sleeping function called from invalid context at drivers/tty/vt/vt.c:2195
in_atomic(): 1, irqs_disabled(): 1, pid: 11832, name: syz-executor
3 locks held by syz-executor/11832:
 #0:  (&tty->ldisc_sem){++++++}, at: [<ffffffff86e0f837>]
ldsem_down_write+0x37/0x3c drivers/tty/tty_ldsem.c:393
 #1:  (&(&gsm->control_lock)->rlock){......}, at: [<ffffffff8324c896>]
gsm_control_send+0x1b6/0x460 drivers/tty/n_gsm.c:1374
 #2:  (&(&gsm->tx_lock)->rlock){......}, at: [<ffffffff8324a87a>]
gsm_data_queue+0x3a/0xb0 drivers/tty/n_gsm.c:786
irq event stamp: 21728
hardirqs last  enabled at (21727): [<     inline     >]
__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:162
hardirqs last  enabled at (21727): [<ffffffff86e10441>]
_raw_spin_unlock_irqrestore+0x31/0xc0 kernel/locking/spinlock.c:191
hardirqs last disabled at (21728): [<     inline     >]
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110
hardirqs last disabled at (21728): [<ffffffff86e102e8>]
_raw_spin_lock_irqsave+0x78/0xd0 kernel/locking/spinlock.c:159
softirqs last  enabled at (21418): [<ffffffff86e13c7c>]
__do_softirq+0x6cc/0xa3e kernel/softirq.c:299
softirqs last disabled at (21393): [<     inline     >] invoke_softirq
kernel/softirq.c:350
softirqs last disabled at (21393): [<ffffffff8139b4cf>]
irq_exit+0x18f/0x1d0 kernel/softirq.c:391
CPU: 1 PID: 11832 Comm: syz-executor Not tainted 4.8.0-rc3-next-20160825+ #8
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 ffffffff886b6fe0 ffff8800612e72d8 ffffffff82db38d9 ffffffff6b47a680
 fffffbfff10d6dfc ffff88006b47a680 0000000000002e38 0000000000000000
 0000000000000000 ffff88003d8f9280 ffff8800612e7300 ffffffff8140d58b
Call Trace:
 [<     inline     >] __dump_stack lib/dump_stack.c:15
 [<ffffffff82db38d9>] dump_stack+0x12e/0x185 lib/dump_stack.c:51
 [<ffffffff8140d58b>] ___might_sleep+0x27b/0x3a0 kernel/sched/core.c:7644
 [<ffffffff8140d740>] __might_sleep+0x90/0x1a0
 [<ffffffff83285a75>] do_con_write.part.22+0xa5/0x1c30 drivers/tty/vt/vt.c:2195
 [<     inline     >] do_con_write drivers/tty/vt/vt.c:2778
 [<ffffffff83287732>] con_write+0xb2/0xc0 drivers/tty/vt/vt.c:2774
 [<ffffffff83248e3e>] gsmld_output+0xce/0x1a0 drivers/tty/n_gsm.c:2217
 [<ffffffff83247db3>] gsm_data_kick+0x1f3/0x6d0 drivers/tty/n_gsm.c:708
 [<ffffffff8324a50f>] __gsm_data_queue.isra.5+0x5af/0x8e0
drivers/tty/n_gsm.c:770
 [<ffffffff8324a89f>] gsm_data_queue+0x5f/0xb0 drivers/tty/n_gsm.c:787
 [<ffffffff8324c223>] gsm_control_transmit+0x193/0x220 drivers/tty/n_gsm.c:1315
 [<ffffffff8324ca68>] gsm_control_send+0x388/0x460 drivers/tty/n_gsm.c:1385
 [<ffffffff832502dd>] gsm_cleanup_mux+0x1cd/0x630 drivers/tty/n_gsm.c:2055
 [<     inline     >] gsmld_detach_gsm drivers/tty/n_gsm.c:2267
 [<ffffffff83251c63>] gsmld_close+0xc3/0x190 drivers/tty/n_gsm.c:2335
 [<ffffffff83239a19>] tty_ldisc_close.isra.2+0x99/0xe0
drivers/tty/tty_ldisc.c:487
 [<ffffffff83239aab>] tty_ldisc_kill+0x4b/0xc0 drivers/tty/tty_ldisc.c:619
 [<ffffffff8323afb3>] tty_ldisc_release+0x1b3/0x260 drivers/tty/tty_ldisc.c:787
 [<ffffffff83222e41>] tty_release+0xad1/0x1310 drivers/tty/tty_io.c:1904
 [<ffffffff81868bbc>] __fput+0x28c/0x780 fs/file_table.c:208
 [<ffffffff81869135>] ____fput+0x15/0x20 fs/file_table.c:244
 [<ffffffff813ebf63>] task_work_run+0xf3/0x170
 [<     inline     >] exit_task_work include/linux/task_work.h:21
 [<ffffffff81394218>] do_exit+0x868/0x2e70 kernel/exit.c:828
 [<ffffffff81396998>] do_group_exit+0x108/0x330 kernel/exit.c:958
 [<ffffffff813ba4aa>] get_signal+0x62a/0x15d0 kernel/signal.c:2307
 [<ffffffff81202333>] do_signal+0x83/0x1f60 arch/x86/kernel/signal.c:805
 [<ffffffff81006345>] exit_to_usermode_loop+0x1a5/0x210
arch/x86/entry/common.c:163
 [<     inline     >] prepare_exit_to_usermode arch/x86/entry/common.c:198
 [<ffffffff8100869f>] syscall_return_slowpath+0x2bf/0x340
arch/x86/entry/common.c:267
 [<ffffffff86e1079c>] entry_SYSCALL_64_fastpath+0xbf/0xc1

=========================================================
[ INFO: possible irq lock inversion dependency detected ]
4.8.0-rc3-next-20160825+ #8 Tainted: G        W
---------------------------------------------------------
swapper/1/0 just changed the state of lock:
 (&(&gsm->control_lock)->rlock){..-...}, at: [<ffffffff8324c2d6>]
gsm_control_retransmit+0x26/0x220 drivers/tty/n_gsm.c:1334
but this lock took another, SOFTIRQ-unsafe lock in the past:
 (console_lock){+.+.+.}

other info that might help us debug this:
Chain exists of:
 Possible interrupt unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(console_lock);
                               local_irq_disable();
                               lock(&(&gsm->control_lock)->rlock);
                               lock(&(&gsm->tx_lock)->rlock);
  <Interrupt>
    lock(&(&gsm->control_lock)->rlock);

 *** DEADLOCK ***

1 lock held by swapper/1/0:
 #0:  (((&gsm->t2_timer))){+.-...}, at: [<     inline     >]
lockdep_copy_map include/linux/lockdep.h:165
 #0:  (((&gsm->t2_timer))){+.-...}, at: [<ffffffff814fbe01>]
call_timer_fn+0xd1/0x6d0 kernel/time/timer.c:1288

the shortest dependencies between 2nd lock and 1st lock:
  -> (console_lock){+.+.+.} ops: 4563 {
     HARDIRQ-ON-W at:
                        [<     inline     >] mark_irqflags
kernel/locking/lockdep.c:2934
                        [<ffffffff8149bf29>]
__lock_acquire+0xd99/0x3410 kernel/locking/lockdep.c:3292
                        [<ffffffff8149f1eb>] lock_acquire+0x1db/0x450
kernel/locking/lockdep.c:3746
                        [<ffffffff814b3724>] console_lock+0x54/0x80
kernel/printk/printk.c:2224
                        [<ffffffff89705f5c>] con_init+0x17/0x5ac
drivers/tty/vt/vt.c:2966
                        [<ffffffff8970456a>] console_init+0x4d/0x5d
drivers/tty/tty_io.c:3585
                        [<ffffffff89642610>] start_kernel+0x3a3/0x660
init/main.c:587
                        [<ffffffff896412f4>]
x86_64_start_reservations+0x38/0x3a arch/x86/kernel/head64.c:195
                        [<ffffffff8964144e>]
x86_64_start_kernel+0x158/0x167 arch/x86/kernel/head64.c:176
     SOFTIRQ-ON-W at:
                        [<     inline     >] mark_irqflags
kernel/locking/lockdep.c:2938
                        [<ffffffff8149bf8e>]
__lock_acquire+0xdfe/0x3410 kernel/locking/lockdep.c:3292
                        [<ffffffff8149f1eb>] lock_acquire+0x1db/0x450
kernel/locking/lockdep.c:3746
                        [<ffffffff814b3724>] console_lock+0x54/0x80
kernel/printk/printk.c:2224
                        [<ffffffff89705f5c>] con_init+0x17/0x5ac
drivers/tty/vt/vt.c:2966
                        [<ffffffff8970456a>] console_init+0x4d/0x5d
drivers/tty/tty_io.c:3585
                        [<ffffffff89642610>] start_kernel+0x3a3/0x660
init/main.c:587
                        [<ffffffff896412f4>]
x86_64_start_reservations+0x38/0x3a arch/x86/kernel/head64.c:195
                        [<ffffffff8964144e>]
x86_64_start_kernel+0x158/0x167 arch/x86/kernel/head64.c:176
     RECLAIM_FS-ON-W at:
                           [<ffffffff8149a2e8>]
mark_held_locks+0xc8/0x120 kernel/locking/lockdep.c:2657
                           [<     inline     >] __lockdep_trace_alloc
kernel/locking/lockdep.c:2879
                           [<ffffffff814a0a77>]
lockdep_trace_alloc+0x1f7/0x350 kernel/locking/lockdep.c:2894
                           [<     inline     >] slab_pre_alloc_hook
mm/slab.h:392
                           [<     inline     >] slab_alloc mm/slab.c:3402
                           [<ffffffff81805701>]
kmem_cache_alloc_trace+0x31/0x7a0 mm/slab.c:3642
                           [<     inline     >] kmalloc include/linux/slab.h:490
                           [<     inline     >] kzalloc include/linux/slab.h:636
                           [<ffffffff83832232>]
device_create_groups_vargs+0x82/0x250 drivers/base/core.c:1691
                           [<     inline     >] device_create_vargs
drivers/base/core.c:1749
                           [<ffffffff83832517>]
device_create+0xb7/0xe0 drivers/base/core.c:1785
                           [<ffffffff896f3928>]
fb_console_init+0x5b/0x1fd drivers/video/console/fbcon.c:3606
                           [<ffffffff81002310>]
do_one_initcall+0xa0/0x2b0 init/main.c:778
                           [<     inline     >] do_initcall_level
init/main.c:844
                           [<     inline     >] do_initcalls init/main.c:852
                           [<     inline     >] do_basic_setup init/main.c:870
                           [<ffffffff89642d43>]
kernel_init_freeable+0x476/0x52f init/main.c:1017
                           [<ffffffff86df6283>] kernel_init+0x13/0x160
init/main.c:943
                           [<ffffffff86e1098a>]
ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
     INITIAL USE at:
                       [<ffffffff8149b98b>]
__lock_acquire+0x7fb/0x3410 kernel/locking/lockdep.c:3296
                       [<ffffffff8149f1eb>] lock_acquire+0x1db/0x450
kernel/locking/lockdep.c:3746
                       [<ffffffff814b3724>] console_lock+0x54/0x80
kernel/printk/printk.c:2224
                       [<ffffffff814b9d26>]
register_console+0x3b6/0xb80 kernel/printk/printk.c:2725
                       [<ffffffff81378e98>]
early_console_register+0xce/0xd3 arch/x86/kernel/early_printk.c:331
                       [<ffffffff8968298a>]
setup_early_printk+0x14a/0x614 arch/x86/kernel/early_printk.c:350
                       [<ffffffff89641ab6>] do_early_param+0xc4/0x12a
init/main.c:422
                       [<     inline     >] parse_one kernel/params.c:156
                       [<ffffffff813efcaf>] parse_args+0x64f/0xb70
kernel/params.c:243
                       [<ffffffff89642203>]
parse_early_options+0x2d/0x35 init/main.c:432
                       [<ffffffff89642246>]
parse_early_param+0x3b/0x4c init/main.c:447
                       [<ffffffff896657e3>] setup_arch+0x68a/0x17a9
arch/x86/kernel/setup.c:986
                       [<ffffffff8964230b>] start_kernel+0x9e/0x660
init/main.c:505
                       [<ffffffff896412f4>]
x86_64_start_reservations+0x38/0x3a arch/x86/kernel/head64.c:195
                       [<ffffffff8964144e>]
x86_64_start_kernel+0x158/0x167 arch/x86/kernel/head64.c:176
   }
   ... key      at: [<ffffffff887384a0>] console_lock_dep_map+0x0/0x40
   ... acquired at:
   [<ffffffff8149f1eb>] lock_acquire+0x1db/0x450 kernel/locking/lockdep.c:3746
   [<ffffffff814b3724>] console_lock+0x54/0x80 kernel/printk/printk.c:2224
   [<ffffffff83285a7f>] do_con_write.part.22+0xaf/0x1c30
drivers/tty/vt/vt.c:2197
   [<     inline     >] do_con_write drivers/tty/vt/vt.c:2778
   [<ffffffff83287732>] con_write+0xb2/0xc0 drivers/tty/vt/vt.c:2774
   [<ffffffff83248e3e>] gsmld_output+0xce/0x1a0 drivers/tty/n_gsm.c:2217
   [<ffffffff83247db3>] gsm_data_kick+0x1f3/0x6d0 drivers/tty/n_gsm.c:708
   [<ffffffff8324a50f>] __gsm_data_queue.isra.5+0x5af/0x8e0
drivers/tty/n_gsm.c:770
   [<ffffffff8324a89f>] gsm_data_queue+0x5f/0xb0 drivers/tty/n_gsm.c:787
   [<ffffffff8324c223>] gsm_control_transmit+0x193/0x220
drivers/tty/n_gsm.c:1315
   [<ffffffff8324ca68>] gsm_control_send+0x388/0x460 drivers/tty/n_gsm.c:1385
   [<ffffffff832502dd>] gsm_cleanup_mux+0x1cd/0x630 drivers/tty/n_gsm.c:2055
   [<     inline     >] gsmld_detach_gsm drivers/tty/n_gsm.c:2267
   [<ffffffff83251c63>] gsmld_close+0xc3/0x190 drivers/tty/n_gsm.c:2335
   [<ffffffff83239a19>] tty_ldisc_close.isra.2+0x99/0xe0
drivers/tty/tty_ldisc.c:487
   [<ffffffff83239aab>] tty_ldisc_kill+0x4b/0xc0 drivers/tty/tty_ldisc.c:619
   [<ffffffff8323afb3>] tty_ldisc_release+0x1b3/0x260
drivers/tty/tty_ldisc.c:787
   [<ffffffff83222e41>] tty_release+0xad1/0x1310 drivers/tty/tty_io.c:1904
   [<ffffffff81868bbc>] __fput+0x28c/0x780 fs/file_table.c:208
   [<ffffffff81869135>] ____fput+0x15/0x20 fs/file_table.c:244
   [<ffffffff813ebf63>] task_work_run+0xf3/0x170
   [<     inline     >] exit_task_work include/linux/task_work.h:21
   [<ffffffff81394218>] do_exit+0x868/0x2e70 kernel/exit.c:828
   [<ffffffff81396998>] do_group_exit+0x108/0x330 kernel/exit.c:958
   [<ffffffff813ba4aa>] get_signal+0x62a/0x15d0 kernel/signal.c:2307
   [<ffffffff81202333>] do_signal+0x83/0x1f60 arch/x86/kernel/signal.c:805
   [<ffffffff81006345>] exit_to_usermode_loop+0x1a5/0x210
arch/x86/entry/common.c:163
   [<     inline     >] prepare_exit_to_usermode arch/x86/entry/common.c:198
   [<ffffffff8100869f>] syscall_return_slowpath+0x2bf/0x340
arch/x86/entry/common.c:267
   [<ffffffff86e1079c>] entry_SYSCALL_64_fastpath+0xbf/0xc1

 -> (&(&gsm->tx_lock)->rlock){......} ops: 1 {
    INITIAL USE at:
                     [<ffffffff8149b98b>] __lock_acquire+0x7fb/0x3410
kernel/locking/lockdep.c:3296
                     [<ffffffff8149f1eb>] lock_acquire+0x1db/0x450
kernel/locking/lockdep.c:3746
                     [<     inline     >] __raw_spin_lock_irqsave
include/linux/spinlock_api_smp.h:112
                     [<ffffffff86e1030f>]
_raw_spin_lock_irqsave+0x9f/0xd0 kernel/locking/spinlock.c:159
                     [<ffffffff8324a87a>] gsm_data_queue+0x3a/0xb0
drivers/tty/n_gsm.c:786
                     [<ffffffff8324c223>]
gsm_control_transmit+0x193/0x220 drivers/tty/n_gsm.c:1315
                     [<ffffffff8324ca68>] gsm_control_send+0x388/0x460
drivers/tty/n_gsm.c:1385
                     [<ffffffff832502dd>] gsm_cleanup_mux+0x1cd/0x630
drivers/tty/n_gsm.c:2055
                     [<     inline     >] gsmld_detach_gsm
drivers/tty/n_gsm.c:2267
                     [<ffffffff83251c63>] gsmld_close+0xc3/0x190
drivers/tty/n_gsm.c:2335
                     [<ffffffff83239a19>]
tty_ldisc_close.isra.2+0x99/0xe0 drivers/tty/tty_ldisc.c:487
                     [<ffffffff83239aab>] tty_ldisc_kill+0x4b/0xc0
drivers/tty/tty_ldisc.c:619
                     [<ffffffff8323afb3>]
tty_ldisc_release+0x1b3/0x260 drivers/tty/tty_ldisc.c:787
                     [<ffffffff83222e41>] tty_release+0xad1/0x1310
drivers/tty/tty_io.c:1904
                     [<ffffffff81868bbc>] __fput+0x28c/0x780 fs/file_table.c:208
                     [<ffffffff81869135>] ____fput+0x15/0x20 fs/file_table.c:244
                     [<ffffffff813ebf63>] task_work_run+0xf3/0x170
                     [<     inline     >] exit_task_work
include/linux/task_work.h:21
                     [<ffffffff81394218>] do_exit+0x868/0x2e70 kernel/exit.c:828
                     [<ffffffff81396998>] do_group_exit+0x108/0x330
kernel/exit.c:958
                     [<ffffffff813ba4aa>] get_signal+0x62a/0x15d0
kernel/signal.c:2307
                     [<ffffffff81202333>] do_signal+0x83/0x1f60
arch/x86/kernel/signal.c:805
                     [<ffffffff81006345>]
exit_to_usermode_loop+0x1a5/0x210 arch/x86/entry/common.c:163
                     [<     inline     >] prepare_exit_to_usermode
arch/x86/entry/common.c:198
                     [<ffffffff8100869f>]
syscall_return_slowpath+0x2bf/0x340 arch/x86/entry/common.c:267
                     [<ffffffff86e1079c>] entry_SYSCALL_64_fastpath+0xbf/0xc1
  }
  ... key      at: [<ffffffff8aef5fa0>] __key.52019+0x0/0x40
  ... acquired at:
   [<ffffffff8149f1eb>] lock_acquire+0x1db/0x450 kernel/locking/lockdep.c:3746
   [<     inline     >] __raw_spin_lock_irqsave
include/linux/spinlock_api_smp.h:112
   [<ffffffff86e1030f>] _raw_spin_lock_irqsave+0x9f/0xd0
kernel/locking/spinlock.c:159
   [<ffffffff8324a87a>] gsm_data_queue+0x3a/0xb0 drivers/tty/n_gsm.c:786
   [<ffffffff8324c223>] gsm_control_transmit+0x193/0x220
drivers/tty/n_gsm.c:1315
   [<ffffffff8324ca68>] gsm_control_send+0x388/0x460 drivers/tty/n_gsm.c:1385
   [<ffffffff832502dd>] gsm_cleanup_mux+0x1cd/0x630 drivers/tty/n_gsm.c:2055
   [<     inline     >] gsmld_detach_gsm drivers/tty/n_gsm.c:2267
   [<ffffffff83251c63>] gsmld_close+0xc3/0x190 drivers/tty/n_gsm.c:2335
   [<ffffffff83239a19>] tty_ldisc_close.isra.2+0x99/0xe0
drivers/tty/tty_ldisc.c:487
   [<ffffffff83239aab>] tty_ldisc_kill+0x4b/0xc0 drivers/tty/tty_ldisc.c:619
   [<ffffffff8323afb3>] tty_ldisc_release+0x1b3/0x260
drivers/tty/tty_ldisc.c:787
   [<ffffffff83222e41>] tty_release+0xad1/0x1310 drivers/tty/tty_io.c:1904
   [<ffffffff81868bbc>] __fput+0x28c/0x780 fs/file_table.c:208
   [<ffffffff81869135>] ____fput+0x15/0x20 fs/file_table.c:244
   [<ffffffff813ebf63>] task_work_run+0xf3/0x170
   [<     inline     >] exit_task_work include/linux/task_work.h:21
   [<ffffffff81394218>] do_exit+0x868/0x2e70 kernel/exit.c:828
   [<ffffffff81396998>] do_group_exit+0x108/0x330 kernel/exit.c:958
   [<ffffffff813ba4aa>] get_signal+0x62a/0x15d0 kernel/signal.c:2307
   [<ffffffff81202333>] do_signal+0x83/0x1f60 arch/x86/kernel/signal.c:805
   [<ffffffff81006345>] exit_to_usermode_loop+0x1a5/0x210
arch/x86/entry/common.c:163
   [<     inline     >] prepare_exit_to_usermode arch/x86/entry/common.c:198
   [<ffffffff8100869f>] syscall_return_slowpath+0x2bf/0x340
arch/x86/entry/common.c:267
   [<ffffffff86e1079c>] entry_SYSCALL_64_fastpath+0xbf/0xc1

-> (&(&gsm->control_lock)->rlock){..-...} ops: 2 {
   IN-SOFTIRQ-W at:
                    [<     inline     >] mark_irqflags
kernel/locking/lockdep.c:2920
                    [<ffffffff8149bd74>] __lock_acquire+0xbe4/0x3410
kernel/locking/lockdep.c:3292
                    [<ffffffff8149f1eb>] lock_acquire+0x1db/0x450
kernel/locking/lockdep.c:3746
                    [<     inline     >] __raw_spin_lock_irqsave
include/linux/spinlock_api_smp.h:112
                    [<ffffffff86e1030f>]
_raw_spin_lock_irqsave+0x9f/0xd0 kernel/locking/spinlock.c:159
                    [<ffffffff8324c2d6>]
gsm_control_retransmit+0x26/0x220 drivers/tty/n_gsm.c:1334
                    [<ffffffff814fbe9e>] call_timer_fn+0x16e/0x6d0
kernel/time/timer.c:1298
                    [<     inline     >] expire_timers kernel/time/timer.c:1338
                    [<     inline     >] __run_timers kernel/time/timer.c:1627
                    [<ffffffff814fca46>]
run_timer_softirq+0x646/0x1590 kernel/time/timer.c:1640
                    [<ffffffff86e1380c>] __do_softirq+0x25c/0xa3e
kernel/softirq.c:273
                    [<     inline     >] invoke_softirq kernel/softirq.c:350
                    [<ffffffff8139b4cf>] irq_exit+0x18f/0x1d0
kernel/softirq.c:391
                    [<     inline     >] exiting_irq
arch/x86/include/asm/apic.h:659
                    [<ffffffff86e1305b>]
smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:958
                    [<ffffffff86e1210c>]
apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:487
                    [<     inline     >] arch_safe_halt
arch/x86/include/asm/paravirt.h:107
                    [<ffffffff8121dcf2>] default_idle+0x52/0x370
arch/x86/kernel/process.c:308
                    [<ffffffff8121f36a>] arch_cpu_idle+0xa/0x10
arch/x86/kernel/process.c:299
                    [<ffffffff8147bfd8>] default_idle_call+0x48/0xa0
kernel/sched/idle.c:93
                    [<     inline     >] cpuidle_idle_call
kernel/sched/idle.c:151
                    [<     inline     >] cpu_idle_loop kernel/sched/idle.c:244
                    [<ffffffff8147c5c2>] cpu_startup_entry+0x592/0x7b0
kernel/sched/idle.c:293
                    [<ffffffff81269c2a>] start_secondary+0x2fa/0x410
arch/x86/kernel/smpboot.c:263
   INITIAL USE at:
                   [<ffffffff8149b98b>] __lock_acquire+0x7fb/0x3410
kernel/locking/lockdep.c:3296
                   [<ffffffff8149f1eb>] lock_acquire+0x1db/0x450
kernel/locking/lockdep.c:3746
                   [<     inline     >] __raw_spin_lock_irqsave
include/linux/spinlock_api_smp.h:112
                   [<ffffffff86e1030f>]
_raw_spin_lock_irqsave+0x9f/0xd0 kernel/locking/spinlock.c:159
                   [<ffffffff8324c896>] gsm_control_send+0x1b6/0x460
drivers/tty/n_gsm.c:1374
                   [<ffffffff832502dd>] gsm_cleanup_mux+0x1cd/0x630
drivers/tty/n_gsm.c:2055
                   [<     inline     >] gsmld_detach_gsm
drivers/tty/n_gsm.c:2267
                   [<ffffffff83251c63>] gsmld_close+0xc3/0x190
drivers/tty/n_gsm.c:2335
                   [<ffffffff83239a19>]
tty_ldisc_close.isra.2+0x99/0xe0 drivers/tty/tty_ldisc.c:487
                   [<ffffffff83239aab>] tty_ldisc_kill+0x4b/0xc0
drivers/tty/tty_ldisc.c:619
                   [<ffffffff8323afb3>] tty_ldisc_release+0x1b3/0x260
drivers/tty/tty_ldisc.c:787
                   [<ffffffff83222e41>] tty_release+0xad1/0x1310
drivers/tty/tty_io.c:1904
                   [<ffffffff81868bbc>] __fput+0x28c/0x780 fs/file_table.c:208
                   [<ffffffff81869135>] ____fput+0x15/0x20 fs/file_table.c:244
                   [<ffffffff813ebf63>] task_work_run+0xf3/0x170
                   [<     inline     >] exit_task_work
include/linux/task_work.h:21
                   [<ffffffff81394218>] do_exit+0x868/0x2e70 kernel/exit.c:828
                   [<ffffffff81396998>] do_group_exit+0x108/0x330
kernel/exit.c:958
                   [<ffffffff813ba4aa>] get_signal+0x62a/0x15d0
kernel/signal.c:2307
                   [<ffffffff81202333>] do_signal+0x83/0x1f60
arch/x86/kernel/signal.c:805
                   [<ffffffff81006345>]
exit_to_usermode_loop+0x1a5/0x210 arch/x86/entry/common.c:163
                   [<     inline     >] prepare_exit_to_usermode
arch/x86/entry/common.c:198
                   [<ffffffff8100869f>]
syscall_return_slowpath+0x2bf/0x340 arch/x86/entry/common.c:267
                   [<ffffffff86e1079c>] entry_SYSCALL_64_fastpath+0xbf/0xc1
 }
 ... key      at: [<ffffffff8aef5fe0>] __key.52018+0x0/0x40
 ... acquired at:
   [<     inline     >] print_irq_inversion_bug kernel/locking/lockdep.c:149
   [<ffffffff81497e0b>] check_usage_forwards+0x2bb/0x2e0
kernel/locking/lockdep.c:2494
   [<     inline     >] mark_lock_irq kernel/locking/lockdep.c:2607
   [<ffffffff81499c82>] mark_lock+0x8e2/0xe80 kernel/locking/lockdep.c:3062
   [<     inline     >] mark_irqflags kernel/locking/lockdep.c:2920
   [<ffffffff8149bd74>] __lock_acquire+0xbe4/0x3410
kernel/locking/lockdep.c:3292
   [<ffffffff8149f1eb>] lock_acquire+0x1db/0x450 kernel/locking/lockdep.c:3746
   [<     inline     >] __raw_spin_lock_irqsave
include/linux/spinlock_api_smp.h:112
   [<ffffffff86e1030f>] _raw_spin_lock_irqsave+0x9f/0xd0
kernel/locking/spinlock.c:159
   [<ffffffff8324c2d6>] gsm_control_retransmit+0x26/0x220
drivers/tty/n_gsm.c:1334
   [<ffffffff814fbe9e>] call_timer_fn+0x16e/0x6d0 kernel/time/timer.c:1298
   [<     inline     >] expire_timers kernel/time/timer.c:1338
   [<     inline     >] __run_timers kernel/time/timer.c:1627
   [<ffffffff814fca46>] run_timer_softirq+0x646/0x1590 kernel/time/timer.c:1640
   [<ffffffff86e1380c>] __do_softirq+0x25c/0xa3e kernel/softirq.c:273
   [<     inline     >] invoke_softirq kernel/softirq.c:350
   [<ffffffff8139b4cf>] irq_exit+0x18f/0x1d0 kernel/softirq.c:391
   [<     inline     >] exiting_irq arch/x86/include/asm/apic.h:659
   [<ffffffff86e1305b>] smp_apic_timer_interrupt+0x7b/0xa0
arch/x86/kernel/apic/apic.c:958
   [<ffffffff86e1210c>] apic_timer_interrupt+0x8c/0xa0
arch/x86/entry/entry_64.S:487
   [<     inline     >] arch_safe_halt arch/x86/include/asm/paravirt.h:107
   [<ffffffff8121dcf2>] default_idle+0x52/0x370 arch/x86/kernel/process.c:308
   [<ffffffff8121f36a>] arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:299
   [<ffffffff8147bfd8>] default_idle_call+0x48/0xa0 kernel/sched/idle.c:93
   [<     inline     >] cpuidle_idle_call kernel/sched/idle.c:151
   [<     inline     >] cpu_idle_loop kernel/sched/idle.c:244
   [<ffffffff8147c5c2>] cpu_startup_entry+0x592/0x7b0 kernel/sched/idle.c:293
   [<ffffffff81269c2a>] start_secondary+0x2fa/0x410
arch/x86/kernel/smpboot.c:263


stack backtrace:
CPU: 1 PID: 0 Comm: swapper/1 Tainted: G        W
4.8.0-rc3-next-20160825+ #8
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 ffffffff886b6fe0 ffff88003ed078c8 ffffffff82db38d9 ffffffff00000000
 fffffbfff10d6dfc ffffffff8a425720 ffff88003ed079a0 ffffffff8a0e0800
 ffff88003ed079b0 ffffffff8a03b8c0 ffff88003ed07920 ffffffff816d0428
Call Trace:
 <IRQ>  [<     inline     >] __dump_stack lib/dump_stack.c:15
 <IRQ>  [<ffffffff82db38d9>] dump_stack+0x12e/0x185 lib/dump_stack.c:51
 [<ffffffff816d0428>] print_irq_inversion_bug.part.41+0x348/0x357
kernel/locking/lockdep.c:2469
 [<     inline     >] print_irq_inversion_bug kernel/locking/lockdep.c:149
 [<ffffffff81497e0b>] check_usage_forwards+0x2bb/0x2e0
kernel/locking/lockdep.c:2494
 [<     inline     >] mark_lock_irq kernel/locking/lockdep.c:2607
 [<ffffffff81499c82>] mark_lock+0x8e2/0xe80 kernel/locking/lockdep.c:3062
 [<     inline     >] mark_irqflags kernel/locking/lockdep.c:2920
 [<ffffffff8149bd74>] __lock_acquire+0xbe4/0x3410 kernel/locking/lockdep.c:3292
 [<ffffffff8149f1eb>] lock_acquire+0x1db/0x450 kernel/locking/lockdep.c:3746
 [<     inline     >] __raw_spin_lock_irqsave
include/linux/spinlock_api_smp.h:112
 [<ffffffff86e1030f>] _raw_spin_lock_irqsave+0x9f/0xd0
kernel/locking/spinlock.c:159
 [<ffffffff8324c2d6>] gsm_control_retransmit+0x26/0x220 drivers/tty/n_gsm.c:1334
 [<ffffffff814fbe9e>] call_timer_fn+0x16e/0x6d0 kernel/time/timer.c:1298
 [<     inline     >] expire_timers kernel/time/timer.c:1338
 [<     inline     >] __run_timers kernel/time/timer.c:1627
 [<ffffffff814fca46>] run_timer_softirq+0x646/0x1590 kernel/time/timer.c:1640
 [<ffffffff86e1380c>] __do_softirq+0x25c/0xa3e kernel/softirq.c:273
 [<     inline     >] invoke_softirq kernel/softirq.c:350
 [<ffffffff8139b4cf>] irq_exit+0x18f/0x1d0 kernel/softirq.c:391
 [<     inline     >] exiting_irq arch/x86/include/asm/apic.h:659
 [<ffffffff86e1305b>] smp_apic_timer_interrupt+0x7b/0xa0
arch/x86/kernel/apic/apic.c:958
 [<ffffffff86e1210c>] apic_timer_interrupt+0x8c/0xa0
arch/x86/entry/entry_64.S:487
 <EOI>  [<ffffffff8128f716>] ? native_safe_halt+0x6/0x10
 [<     inline     >] arch_safe_halt arch/x86/include/asm/paravirt.h:107
 [<ffffffff8121dcf2>] default_idle+0x52/0x370 arch/x86/kernel/process.c:308
 [<ffffffff8121f36a>] arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:299
 [<ffffffff8147bfd8>] default_idle_call+0x48/0xa0 kernel/sched/idle.c:93
 [<     inline     >] cpuidle_idle_call kernel/sched/idle.c:151
 [<     inline     >] cpu_idle_loop kernel/sched/idle.c:244
 [<ffffffff8147c5c2>] cpu_startup_entry+0x592/0x7b0 kernel/sched/idle.c:293
 [<ffffffff81269c2a>] start_secondary+0x2fa/0x410 arch/x86/kernel/smpboot.c:263
sr 1:0:0:0: [sr0] tag#0 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE
sr 1:0:0:0: [sr0] tag#0 Sense Key : Not Ready [current]
sr 1:0:0:0: [sr0] tag#0 Add. Sense: Medium not present
sr 1:0:0:0: [sr0] tag#0 CDB: Read(10) 28 00 00 00 00 00 00 00 08 00
blk_update_request: I/O error, dev sr0, sector 0
sr 1:0:0:0: [sr0] tag#0 unaligned transfer

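A triage helper for the two reports in the message above, added here as an example; it is not code from the thread or from the kernel, the parsing, the usage-mask decoding and all function names are my own, and SAMPLE is a constructed excerpt of the splat with the mail wrapping undone. It generalises past this message to any might_sleep()/lockdep-inversion pair in the 4.x report format, and it shows why a `{..-...}` mask on one lock against `{+.+.+.}` on the lock it previously took is the deadlock lockdep is warning about:

```python
import re

# Constructed sample: key lines of the two reports in this thread, with the
# mail client's line wrapping undone so that each lock record is one line.
SAMPLE = """\
BUG: sleeping function called from invalid context at drivers/tty/vt/vt.c:2195
in_atomic(): 1, irqs_disabled(): 1, pid: 11832, name: syz-executor
3 locks held by syz-executor/11832:
 #0:  (&tty->ldisc_sem){++++++}, at: [<ffffffff86e0f837>] ldsem_down_write+0x37/0x3c drivers/tty/tty_ldsem.c:393
 #1:  (&(&gsm->control_lock)->rlock){......}, at: [<ffffffff8324c896>] gsm_control_send+0x1b6/0x460 drivers/tty/n_gsm.c:1374
 #2:  (&(&gsm->tx_lock)->rlock){......}, at: [<ffffffff8324a87a>] gsm_data_queue+0x3a/0xb0 drivers/tty/n_gsm.c:786
=========================================================
[ INFO: possible irq lock inversion dependency detected ]
swapper/1/0 just changed the state of lock:
 (&(&gsm->control_lock)->rlock){..-...}, at: [<ffffffff8324c2d6>] gsm_control_retransmit+0x26/0x220 drivers/tty/n_gsm.c:1334
but this lock took another, SOFTIRQ-unsafe lock in the past:
 (console_lock){+.+.+.}
"""
# One lock record: "(name){usage}, at: [<addr>] func file:line"; ", at:" is optional.
LOCK_RE = re.compile(r"\((?P<name>.+)\)\{(?P<usage>[^}]*)\}"
                     r"(?:, at: \[<[0-9a-f]+>\]\s*(?P<func>\S+)\s+(?P<site>\S+))?")
HELD_RE = re.compile(r"^\s*#\d+:\s+(?P<rest>.*)$")
CTX_RE = re.compile(r"in_atomic\(\): (\d), irqs_disabled\(\): (\d), "
                    r"pid: (\d+), name: (\S+)")
BUG_AT = "BUG: sleeping function called from invalid context at "
# lockdep's six usage characters, in the order 4.x kernels print them:
# '-' taken IN that context, '+' held with that context ON (enabled), '?' both.
USAGE_SLOTS = ["HARDIRQ-W", "HARDIRQ-R", "SOFTIRQ-W", "SOFTIRQ-R",
               "RECLAIM_FS-W", "RECLAIM_FS-R"]
USAGE_CHARS = {"-": "IN", "+": "ON", "?": "IN+ON"}

def decode_usage(mask):
    """'..-...' -> {'SOFTIRQ-W': 'IN'}: the lock was taken inside a softirq."""
    return {s: USAGE_CHARS[c] for s, c in zip(USAGE_SLOTS, mask) if c in USAGE_CHARS}

def parse_lock(text):
    m = LOCK_RE.search(text)
    rec = m.groupdict() if m else None
    if rec:
        rec["flags"] = decode_usage(rec["usage"])
    return rec

def split_reports(text):
    """Cut at lockdep's banner so the first report's held-lock list stays clean."""
    idx = text.find("[ INFO: possible irq lock inversion")
    return (text, "") if idx < 0 else (text[:idx], text[idx:])

def parse_sleeping(report):
    """Where the task slept, in what context, and which locks it held."""
    out = {"held": []}
    for line in report.splitlines():
        ctx, held = CTX_RE.search(line), HELD_RE.match(line)
        if line.startswith(BUG_AT):
            out["where"] = line[len(BUG_AT):].strip()
        elif ctx:
            out.update(in_atomic=int(ctx[1]), irqs_disabled=int(ctx[2]),
                       pid=int(ctx[3]), comm=ctx[4])
        elif held:
            out["held"].append(parse_lock(held["rest"]))
    return out

def parse_inversion(report):
    """The lock whose usage just changed, the IRQ-unsafe lock it took earlier, and
    whether the masks really form the inversion (IN-<ctx> on one, <ctx>-ON on the other)."""
    lines, out = report.splitlines(), {}
    for i, line in enumerate(lines):
        if line.endswith("just changed the state of lock:"):
            out["task"], out["changed"] = line.split()[0], parse_lock(lines[i + 1])
        elif "took another," in line and "-unsafe lock in the past:" in line:
            out["ctx"] = line.split("took another, ")[1].split("-unsafe")[0]
            out["took"] = parse_lock(lines[i + 1])
    ctx, changed, took = out.get("ctx"), out.get("changed"), out.get("took")
    out["inversion"] = bool(ctx and changed and took
                            and "IN" in changed["flags"].get(ctx + "-W", "")
                            and "ON" in took["flags"].get(ctx + "-W", ""))
    return out

def summarize(text):
    """Two one-line verdicts a triager can paste into a bug tracker."""
    first, second = split_reports(text)
    s, inv = parse_sleeping(first), parse_inversion(second)
    out = ["%s (pid %d) slept at %s, in_atomic=%d irqs_disabled=%d, holding %s" % (
        s["comm"], s["pid"], s["where"], s["in_atomic"], s["irqs_disabled"],
        ", ".join(lk["name"] for lk in s["held"]))]
    if inv.get("inversion"):
        out.append("%s takes %s in %s context at %s, but %s (taken with %ss enabled) "
                   "has been acquired while holding it: deadlock possible" % (
                       inv["task"], inv["changed"]["name"], inv["ctx"],
                       inv["changed"]["site"], inv["took"]["name"], inv["ctx"]))
    return out
```

`summarize(SAMPLE)` returns the two verdicts; on a full syzkaller log, feed it the text from the `BUG:` line onward.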

* Re: tty: sleeping function in invalid in context do_con_write and deadlock in gsm_control_retransmit
  2016-09-03 11:07 tty: sleeping function in invalid in context do_con_write and deadlock in gsm_control_retransmit Dmitry Vyukov
@ 2016-09-05 12:34 ` One Thousand Gnomes
  0 siblings, 0 replies; 2+ messages in thread
From: One Thousand Gnomes @ 2016-09-05 12:34 UTC (permalink / raw)
  To: Dmitry Vyukov
  Cc: Greg Kroah-Hartman, Jiri Slaby, LKML, Peter Hurley, syzkaller

On Sat, 3 Sep 2016 13:07:27 +0200
Dmitry Vyukov <dvyukov@google.com> wrote:

> Hello,
> 
> While running syzkaller fuzzer on
> 0f98f121e1670eaa2a2fbb675e07d6ba7f0e146f of linux-next, I've got the
> following splash. Note there are 2 separate bugs (but maybe related):
> 

There are a couple of known cases where strange ldiscs plus console
breaks because the console locking is still completely fubar. The gsm one
is known.

Alan

