* Re: [syzbot] WARNING in mntput_no_expire (3)
From: syzbot @ 2022-05-17 22:49 UTC
To: hdanton, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in mntput_no_expire
------------[ cut here ]------------
WARNING: CPU: 1 PID: 4486 at fs/namespace.c:1285 mntput_no_expire+0x985/0xfe0 fs/namespace.c:1285
Modules linked in:
CPU: 1 PID: 4486 Comm: syz-executor.3 Not tainted 5.18.0-rc6-syzkaller-00009-gfeb9c5e19e91-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:mntput_no_expire+0x985/0xfe0 fs/namespace.c:1285
Call Trace:
<TASK>
mntput+0x67/0x90 fs/namespace.c:1347
__fput+0x3ba/0x9d0 fs/file_table.c:333
task_work_run+0xdd/0x1a0 kernel/task_work.c:164
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop kernel/entry/common.c:169 [inline]
exit_to_user_mode_prepare+0x23c/0x250 kernel/entry/common.c:201
__syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:294
do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x44/0xae
</TASK>
Tested on:
commit: feb9c5e1 Merge tag 'for_linus' of git://git.kernel.org..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
console output: https://syzkaller.appspot.com/x/log.txt?x=15ee4759f00000
kernel config: https://syzkaller.appspot.com/x/.config?x=79caa0035f59d385
dashboard link: https://syzkaller.appspot.com/bug?extid=5b1e53987f858500ec00
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=1108ae3af00000
* Re: [syzbot] WARNING in mntput_no_expire (3)
From: Al Viro @ 2022-05-17 22:58 UTC
To: syzbot; +Cc: hdanton, linux-kernel, syzkaller-bugs
On Tue, May 17, 2022 at 03:49:07PM -0700, syzbot wrote:
> Hello,
>
> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> WARNING in mntput_no_expire
Obvious question: which filesystem it is?
* Re: [syzbot] WARNING in mntput_no_expire (3)
From: Al Viro @ 2022-05-18 0:59 UTC
To: syzbot; +Cc: hdanton, linux-kernel, syzkaller-bugs
On Tue, May 17, 2022 at 10:58:15PM +0000, Al Viro wrote:
> On Tue, May 17, 2022 at 03:49:07PM -0700, syzbot wrote:
> > Hello,
> >
> > syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> > WARNING in mntput_no_expire
>
> Obvious question: which filesystem it is?
FWIW, can't reproduce here - at least not with C reproducer +
-rc7^ kernel + .config from report + debian kvm image (bullseye,
with systemd shite replaced with sysvinit, which might be relevant).
In case systemd-specific braindamage is needed to reproduce it...
Hell knows; at least mount --make-rshared / doesn't seem to suffice.
* Re: [syzbot] WARNING in mntput_no_expire (3)
From: Al Viro @ 2022-05-18 1:10 UTC
To: syzbot; +Cc: hdanton, linux-kernel, syzkaller-bugs
On Wed, May 18, 2022 at 12:59:46AM +0000, Al Viro wrote:
> On Tue, May 17, 2022 at 10:58:15PM +0000, Al Viro wrote:
> > On Tue, May 17, 2022 at 03:49:07PM -0700, syzbot wrote:
> > > Hello,
> > >
> > > syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> > > WARNING in mntput_no_expire
> >
> > Obvious question: which filesystem it is?
>
> FWIW, can't reproduce here - at least not with C reproducer +
> -rc7^ kernel + .config from report + debian kvm image (bullseye,
> with systemd shite replaced with sysvinit, which might be relevant).
>
> In case systemd-specific braindamage is needed to reproduce it...
> Hell knows; at least mount --make-rshared / doesn't seem to suffice.
... doesn't reproduce with genuine systemd either. FWIW, 4-way SMP
setup here.
* Re: [syzbot] WARNING in mntput_no_expire (3)
From: Al Viro @ 2022-05-18 1:58 UTC
To: syzbot; +Cc: hdanton, linux-kernel, syzkaller-bugs
On Wed, May 18, 2022 at 01:10:20AM +0000, Al Viro wrote:
> On Wed, May 18, 2022 at 12:59:46AM +0000, Al Viro wrote:
> > On Tue, May 17, 2022 at 10:58:15PM +0000, Al Viro wrote:
> > > On Tue, May 17, 2022 at 03:49:07PM -0700, syzbot wrote:
> > > > Hello,
> > > >
> > > > syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> > > > WARNING in mntput_no_expire
> > >
> > > Obvious question: which filesystem it is?
> >
> > FWIW, can't reproduce here - at least not with C reproducer +
> > -rc7^ kernel + .config from report + debian kvm image (bullseye,
> > with systemd shite replaced with sysvinit, which might be relevant).
> >
> > In case systemd-specific braindamage is needed to reproduce it...
> > Hell knows; at least mount --make-rshared / doesn't seem to suffice.
>
> ... doesn't reproduce with genuine systemd either. FWIW, 4-way SMP
> setup here.
OK, reproduced...
* Re: [syzbot] WARNING in mntput_no_expire (3)
From: Al Viro @ 2022-05-18 4:38 UTC
To: syzbot; +Cc: hdanton, linux-kernel, syzkaller-bugs
On Wed, May 18, 2022 at 01:58:40AM +0000, Al Viro wrote:
> On Wed, May 18, 2022 at 01:10:20AM +0000, Al Viro wrote:
> > On Wed, May 18, 2022 at 12:59:46AM +0000, Al Viro wrote:
> > > On Tue, May 17, 2022 at 10:58:15PM +0000, Al Viro wrote:
> > > > On Tue, May 17, 2022 at 03:49:07PM -0700, syzbot wrote:
> > > > > Hello,
> > > > >
> > > > > syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> > > > > WARNING in mntput_no_expire
> > > >
> > > > Obvious question: which filesystem it is?
> > >
> > > FWIW, can't reproduce here - at least not with C reproducer +
> > > -rc7^ kernel + .config from report + debian kvm image (bullseye,
> > > with systemd shite replaced with sysvinit, which might be relevant).
> > >
> > > In case systemd-specific braindamage is needed to reproduce it...
> > > Hell knows; at least mount --make-rshared / doesn't seem to suffice.
> >
> > ... doesn't reproduce with genuine systemd either. FWIW, 4-way SMP
> > setup here.
>
> OK, reproduced...
FWIW, it smells like something (cgroup?) fucking up percpu allocation/freeing.
Note that struct mount has both refcount and writers count held in percpu;
replacing the refcount with atomic_t gets rid of seeing negative refcount
in mntput_no_expire(), but leaves negative writers count caught in
cleanup_mnt(); turn that from WARN_ON into printk and we get past that,
only to see
percpu ref (css_release) <= 0 (-4294967294)
immediately afterwards.
IOW, it looks like we are getting not messed refcounting on either side,
but same refcount physically shared by unrelated objects.
* Re: [syzbot] WARNING in mntput_no_expire (3)
From: Al Viro @ 2022-05-18 4:57 UTC
To: syzbot; +Cc: hdanton, linux-kernel, syzkaller-bugs
On Wed, May 18, 2022 at 04:38:53AM +0000, Al Viro wrote:
> On Wed, May 18, 2022 at 01:58:40AM +0000, Al Viro wrote:
> > On Wed, May 18, 2022 at 01:10:20AM +0000, Al Viro wrote:
> > > On Wed, May 18, 2022 at 12:59:46AM +0000, Al Viro wrote:
> > > > On Tue, May 17, 2022 at 10:58:15PM +0000, Al Viro wrote:
> > > > > On Tue, May 17, 2022 at 03:49:07PM -0700, syzbot wrote:
> > > > > > Hello,
> > > > > >
> > > > > > syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> > > > > > WARNING in mntput_no_expire
> > > > >
> > > > > Obvious question: which filesystem it is?
> > > >
> > > > FWIW, can't reproduce here - at least not with C reproducer +
> > > > -rc7^ kernel + .config from report + debian kvm image (bullseye,
> > > > with systemd shite replaced with sysvinit, which might be relevant).
> > > >
> > > > In case systemd-specific braindamage is needed to reproduce it...
> > > > Hell knows; at least mount --make-rshared / doesn't seem to suffice.
> > >
> > > ... doesn't reproduce with genuine systemd either. FWIW, 4-way SMP
> > > setup here.
> >
> > OK, reproduced...
>
> FWIW, it smells like something (cgroup?) fucking up percpu allocation/freeing.
> Note that struct mount has both refcount and writers count held in percpu;
> replacing the refcount with atomic_t gets rid of seeing negative refcount
> in mntput_no_expire(), but leaves negative writers count caught in
> cleanup_mnt(); turn that from WARN_ON into printk and we get past that,
> only to see
> percpu ref (css_release) <= 0 (-4294967294)
> immediately afterwards.
>
> IOW, it looks like we are getting not messed refcounting on either side,
> but same refcount physically shared by unrelated objects.
Gotcha.
percpu_ref_init():
	ref->percpu_count_ptr = (unsigned long)
		__alloc_percpu_gfp(sizeof(unsigned long), align, gfp);
	if (!ref->percpu_count_ptr)
		return -ENOMEM;

	data = kzalloc(sizeof(*ref->data), gfp);
	if (!data) {
		free_percpu((void __percpu *)ref->percpu_count_ptr);
		return -ENOMEM;
	}

cgroup_create():
	err = percpu_ref_init(&css->refcnt, css_release, 0, GFP_KERNEL);
	if (err)
		goto err_free_css;

	err = cgroup_idr_alloc(&ss->css_idr, NULL, 2, 0, GFP_KERNEL);
	if (err < 0)
		goto err_free_css;
Now note that we end up hitting the same path in case of successful and
failed percpu_ref_init(). With no way to tell if css->refcnt.percpu_count_ptr
is an already freed object or needs to be freed. And sure enough, we have
err_free_css:
	list_del_rcu(&css->rstat_css_node);
	INIT_RCU_WORK(&css->destroy_rwork, css_free_rwork_fn);
	queue_rcu_work(cgroup_destroy_wq, &css->destroy_rwork);

with css_free_rwork_fn() starting with
	percpu_ref_exit(&css->refcnt);
which will give that double free. That might be not the only cause of
trouble, but this looks like a bug and a plausible source of the
symptoms observed here. Let's see if this helps:
diff --git a/lib/percpu-refcount.c b/lib/percpu-refcount.c
index af9302141bcf..e5c5315da274 100644
--- a/lib/percpu-refcount.c
+++ b/lib/percpu-refcount.c
@@ -76,6 +76,7 @@ int percpu_ref_init(struct percpu_ref *ref, percpu_ref_func_t *release,
data = kzalloc(sizeof(*ref->data), gfp);
if (!data) {
free_percpu((void __percpu *)ref->percpu_count_ptr);
+ ref->percpu_count_ptr = 0;
return -ENOMEM;
}
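Review bot: the added `ref->percpu_count_ptr = 0;` makes "percpu_ref_exit() is safe after a failed percpu_ref_init()" part of the contract, but the hunk leaves that reliance implicit: it only works because percpu_ref_exit()/free_percpu() treat a zero percpu_count_ptr as nothing to free, and callers such as cgroup_create() (which takes the same err_free_css path on success and failure) depend on exactly that. Suggest a one-line comment above the new line, e.g. `/* so that percpu_ref_exit() after a failed init is a no-op */`, and stating the guarantee in the commit message; note also that ref->data is never assigned on this path (kzalloc() only wrote the local `data`), so percpu_ref_exit() must equally tolerate a NULL data pointer for the same object.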
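A userspace model of the double free diagnosed above and of the one-line fix, added here as an illustration and not code from the thread or from the kernel. The slot pool, struct ref and the cgroup/mount sequence are constructed stand-ins for free_percpu(), struct percpu_ref and the cgroup_create() error path, chosen so the "same refcount physically shared by unrelated objects" symptom is observable without a KASAN build.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the percpu allocator: a fixed pool of counter
 * slots with an in-use bit. As with the real allocator, a freed slot is
 * handed out again on the next allocation, which is what lets an object
 * whose counter was freed twice share that counter with a stranger. */
#define NSLOTS 4
static long pool[NSLOTS];
static bool in_use[NSLOTS];

static void pool_reset(void)
{
	memset(pool, 0, sizeof pool);
	memset(in_use, 0, sizeof in_use);
}

static long *alloc_counter(void)
{
	for (int i = 0; i < NSLOTS; i++) {
		if (!in_use[i]) {
			in_use[i] = true;
			pool[i] = 0;
			return &pool[i];
		}
	}
	return NULL;
}

/* Like free_percpu(), NULL is a no-op. Freeing a slot that has since been
 * re-allocated to someone else simply releases it again: nothing here (or
 * in a non-KASAN kernel) notices, the damage shows up later as drift. */
static void free_counter(long *p)
{
	if (!p)
		return;
	int i = (int)(p - pool);
	in_use[i] = false;
}

/* Stand-in for struct percpu_ref: the counter pointer and a data block
 * whose allocation is the one that fails in this scenario. */
struct ref {
	long *percpu_count_ptr;
	int data;
};

/* Mirrors the percpu_ref_init() failure path quoted in the thread. With
 * fixed == false the counter is freed but the pointer is left dangling,
 * exactly the pre-patch behaviour. */
static int ref_init(struct ref *ref, bool data_alloc_fails, bool fixed)
{
	ref->percpu_count_ptr = alloc_counter();
	if (!ref->percpu_count_ptr)
		return -1;
	if (data_alloc_fails) {
		free_counter(ref->percpu_count_ptr);
		if (fixed)
			ref->percpu_count_ptr = NULL;  /* the one-line fix */
		return -1;
	}
	ref->data = 1;
	return 0;
}

/* Mirrors percpu_ref_exit(): frees whatever the pointer still refers to. */
static void ref_exit(struct ref *ref)
{
	free_counter(ref->percpu_count_ptr);
	ref->percpu_count_ptr = NULL;
}

struct outcome {
	bool shared;      /* two unrelated objects hold the same counter */
	long mount_count; /* mount's counter after the other object bumps its own */
};

/* Replays the cgroup_create() sequence: init fails, the css is queued for
 * deferred teardown, an unrelated user (think a mount's percpu counts)
 * reuses the freed slot, then the deferred percpu_ref_exit() runs. */
static struct outcome run_scenario(bool fixed)
{
	struct ref css;
	struct outcome o;

	pool_reset();
	(void)ref_init(&css, true, fixed);   /* kzalloc() failure path */
	long *mount_refs = alloc_counter();  /* reuses the slot just freed */
	ref_exit(&css);                      /* deferred css_free_rwork_fn() */
	long *other_refs = alloc_counter();  /* next unrelated allocation */

	(*other_refs)++;                     /* the other object takes a ref */
	o.shared = (mount_refs == other_refs);
	o.mount_count = *mount_refs;         /* 1 when shared, otherwise 0 */
	return o;
}

int main(void)
{
	struct outcome before = run_scenario(false), after = run_scenario(true);
	printf("before fix: counter shared=%s, mount count=%ld\n",
	       before.shared ? "yes" : "no", before.mount_count);
	printf("after fix:  counter shared=%s, mount count=%ld\n",
	       after.shared ? "yes" : "no", after.mount_count);
	return 0;
}
```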
* Re: [syzbot] WARNING in mntput_no_expire (3)
From: Al Viro @ 2022-05-18 5:37 UTC
To: syzbot; +Cc: hdanton, linux-kernel, syzkaller-bugs
On Wed, May 18, 2022 at 04:57:46AM +0000, Al Viro wrote:
> Gotcha.
> percpu_ref_init():
> ref->percpu_count_ptr = (unsigned long)
> __alloc_percpu_gfp(sizeof(unsigned long), align, gfp);
> if (!ref->percpu_count_ptr)
> return -ENOMEM;
> data = kzalloc(sizeof(*ref->data), gfp);
> if (!data) {
> free_percpu((void __percpu *)ref->percpu_count_ptr);
> return -ENOMEM;
> }
>
> cgroup_create():
> err = percpu_ref_init(&css->refcnt, css_release, 0, GFP_KERNEL);
> if (err)
> goto err_free_css;
>
> err = cgroup_idr_alloc(&ss->css_idr, NULL, 2, 0, GFP_KERNEL);
> if (err < 0)
> goto err_free_css;
>
> Now note that we end up hitting the same path in case of successful and
> failed percpu_ref_init(). With no way to tell if css->refcnt.percpu_count_ptr
> is an already freed object or needs to be freed. And sure enough, we have
>
> err_free_css:
> list_del_rcu(&css->rstat_css_node);
> INIT_RCU_WORK(&css->destroy_rwork, css_free_rwork_fn);
> queue_rcu_work(cgroup_destroy_wq, &css->destroy_rwork);
>
> with css_free_rwork_fn() starting with
> percpu_ref_exit(&css->refcnt);
>
> which will give that double free. That might be not the only cause of
> trouble, but this looks like a bug and a plausible source of the
> symptoms observed here. Let's see if this helps:
>
> diff --git a/lib/percpu-refcount.c b/lib/percpu-refcount.c
> index af9302141bcf..e5c5315da274 100644
> --- a/lib/percpu-refcount.c
> +++ b/lib/percpu-refcount.c
> @@ -76,6 +76,7 @@ int percpu_ref_init(struct percpu_ref *ref, percpu_ref_func_t *release,
> data = kzalloc(sizeof(*ref->data), gfp);
> if (!data) {
> free_percpu((void __percpu *)ref->percpu_count_ptr);
> + ref->percpu_count_ptr = 0;
> return -ENOMEM;
> }
>
... and it appears to fix the damn thing. 10 minutes and still running;
without that it usually fails within a few seconds.
* Re: [syzbot] WARNING in mntput_no_expire (3)
From: Al Viro @ 2022-05-18 6:25 UTC
To: syzbot; +Cc: hdanton, linux-kernel, syzkaller-bugs
#syz test git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs.git proposed-fix
* Re: [syzbot] WARNING in mntput_no_expire (3)
From: syzbot @ 2022-05-18 6:45 UTC
To: hdanton, linux-kernel, syzkaller-bugs, viro
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+5b1e53987f858500ec00@syzkaller.appspotmail.com
Tested on:
commit: a9171431 percpu_ref_init(): clean ->percpu_count_ref o..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs.git proposed-fix
kernel config: https://syzkaller.appspot.com/x/.config?x=79caa0035f59d385
dashboard link: https://syzkaller.appspot.com/bug?extid=5b1e53987f858500ec00
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
Note: no patches were applied.
Note: testing is done by a robot and is best-effort only.
* Re: [syzbot] WARNING in mntput_no_expire (3)
From: syzbot @ 2022-05-18 11:00 UTC
To: hdanton, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+5b1e53987f858500ec00@syzkaller.appspotmail.com
Tested on:
commit: feb9c5e1 Merge tag 'for_linus' of git://git.kernel.org..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
kernel config: https://syzkaller.appspot.com/x/.config?x=79caa0035f59d385
dashboard link: https://syzkaller.appspot.com/bug?extid=5b1e53987f858500ec00
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=12f8dccef00000
Note: testing is done by a robot and is best-effort only.
* Re: [syzbot] WARNING in mntput_no_expire (3)
From: syzbot @ 2022-05-17 11:35 UTC
To: hdanton, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in mntput_no_expire
------------[ cut here ]------------
WARNING: CPU: 0 PID: 4042 at fs/namespace.c:1239 mntput_no_expire+0xb02/0xfe0 fs/namespace.c:1239
Modules linked in:
CPU: 0 PID: 4042 Comm: syz-executor.2 Not tainted 5.18.0-rc6-syzkaller-00009-gfeb9c5e19e91-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:mntput_no_expire+0xb02/0xfe0 fs/namespace.c:1239
Call Trace:
<TASK>
path_umount+0x7d4/0x1260 fs/namespace.c:1819
ksys_umount fs/namespace.c:1838 [inline]
__do_sys_umount fs/namespace.c:1843 [inline]
__se_sys_umount fs/namespace.c:1841 [inline]
__x64_sys_umount+0x159/0x180 fs/namespace.c:1841
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
</TASK>
Tested on:
commit: feb9c5e1 Merge tag 'for_linus' of git://git.kernel.org..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
console output: https://syzkaller.appspot.com/x/log.txt?x=10df1295f00000
kernel config: https://syzkaller.appspot.com/x/.config?x=79caa0035f59d385
dashboard link: https://syzkaller.appspot.com/bug?extid=5b1e53987f858500ec00
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=16f621b9f00000
* Re: [syzbot] WARNING in mntput_no_expire (3)
From: syzbot @ 2022-05-17 2:57 UTC
To: hdanton, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in percpu_ref_switch_to_atomic_rcu
------------[ cut here ]------------
percpu ref (css_release) <= 0 (-4294967295) after switching to atomic
WARNING: CPU: 1 PID: 0 at lib/percpu-refcount.c:196 percpu_ref_switch_to_atomic_rcu+0x46c/0x560 lib/percpu-refcount.c:196
Modules linked in:
CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.18.0-rc6-syzkaller-00009-gfeb9c5e19e91-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:percpu_ref_switch_to_atomic_rcu+0x46c/0x560 lib/percpu-refcount.c:196
Call Trace:
<IRQ>
rcu_do_batch kernel/rcu/tree.c:2535 [inline]
rcu_core+0x7b1/0x1880 kernel/rcu/tree.c:2786
__do_softirq+0x29b/0x9c2 kernel/softirq.c:558
invoke_softirq kernel/softirq.c:432 [inline]
__irq_exit_rcu+0x123/0x180 kernel/softirq.c:637
irq_exit_rcu+0x5/0x20 kernel/softirq.c:649
sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1097
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:645
RIP: 0010:native_save_fl arch/x86/include/asm/irqflags.h:29 [inline]
RIP: 0010:arch_local_save_flags arch/x86/include/asm/irqflags.h:70 [inline]
RIP: 0010:arch_irqs_disabled arch/x86/include/asm/irqflags.h:130 [inline]
RIP: 0010:acpi_safe_halt drivers/acpi/processor_idle.c:111 [inline]
RIP: 0010:acpi_idle_do_entry+0x1c6/0x250 drivers/acpi/processor_idle.c:551
acpi_idle_enter+0x361/0x500 drivers/acpi/processor_idle.c:686
cpuidle_enter_state+0x1b1/0xc80 drivers/cpuidle/cpuidle.c:237
cpuidle_enter+0x4a/0xa0 drivers/cpuidle/cpuidle.c:351
call_cpuidle kernel/sched/idle.c:155 [inline]
cpuidle_idle_call kernel/sched/idle.c:236 [inline]
do_idle+0x3e8/0x590 kernel/sched/idle.c:303
cpu_startup_entry+0x14/0x20 kernel/sched/idle.c:400
start_secondary+0x224/0x2c0 arch/x86/kernel/smpboot.c:266
secondary_startup_64_no_verify+0xc3/0xcb
</TASK>
Tested on:
commit: feb9c5e1 Merge tag 'for_linus' of git://git.kernel.org..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
console output: https://syzkaller.appspot.com/x/log.txt?x=110e4759f00000
kernel config: https://syzkaller.appspot.com/x/.config?x=79caa0035f59d385
dashboard link: https://syzkaller.appspot.com/bug?extid=5b1e53987f858500ec00
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=1545e62df00000
* Re: [syzbot] WARNING in mntput_no_expire (3)
From: syzbot @ 2022-05-16 12:33 UTC
To: hdanton, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in percpu_ref_switch_to_atomic_rcu
------------[ cut here ]------------
percpu ref (css_release) <= 0 (-4294967295) after switching to atomic
WARNING: CPU: 1 PID: 4059 at lib/percpu-refcount.c:196 percpu_ref_switch_to_atomic_rcu+0x46c/0x560 lib/percpu-refcount.c:196
Modules linked in:
CPU: 1 PID: 4059 Comm: syz-executor.3 Not tainted 5.18.0-rc6-syzkaller-00009-gfeb9c5e19e91-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:percpu_ref_switch_to_atomic_rcu+0x46c/0x560 lib/percpu-refcount.c:196
Call Trace:
<IRQ>
rcu_do_batch kernel/rcu/tree.c:2535 [inline]
rcu_core+0x7b1/0x1880 kernel/rcu/tree.c:2786
__do_softirq+0x29b/0x9c2 kernel/softirq.c:558
invoke_softirq kernel/softirq.c:432 [inline]
__irq_exit_rcu+0x123/0x180 kernel/softirq.c:637
irq_exit_rcu+0x5/0x20 kernel/softirq.c:649
sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1097
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:645
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:152 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0x38/0x70 kernel/locking/spinlock.c:194
spin_unlock_irqrestore include/linux/spinlock.h:404 [inline]
free_percpu mm/percpu.c:2305 [inline]
free_percpu+0x7eb/0x10c0 mm/percpu.c:2261
xt_percpu_counter_free+0x96/0xc0 net/netfilter/x_tables.c:1950
cleanup_entry+0x24f/0x300 net/ipv4/netfilter/ip_tables.c:656
__do_replace+0x628/0x870 net/ipv4/netfilter/ip_tables.c:1085
do_replace net/ipv4/netfilter/ip_tables.c:1140 [inline]
do_ipt_set_ctl+0x901/0xb80 net/ipv4/netfilter/ip_tables.c:1630
nf_setsockopt+0x83/0xe0 net/netfilter/nf_sockopt.c:101
ip_setsockopt+0x3c3/0x3ab0 net/ipv4/ip_sockglue.c:1444
tcp_setsockopt+0x136/0x2520 net/ipv4/tcp.c:3696
__sys_setsockopt+0x2db/0x6a0 net/socket.c:2180
__do_sys_setsockopt net/socket.c:2191 [inline]
__se_sys_setsockopt net/socket.c:2188 [inline]
__x64_sys_setsockopt+0xba/0x150 net/socket.c:2188
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
</TASK>
Tested on:
commit: feb9c5e1 Merge tag 'for_linus' of git://git.kernel.org..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
console output: https://syzkaller.appspot.com/x/log.txt?x=1626d569f00000
kernel config: https://syzkaller.appspot.com/x/.config?x=79caa0035f59d385
dashboard link: https://syzkaller.appspot.com/bug?extid=5b1e53987f858500ec00
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=1266a479f00000
* Re: [syzbot] WARNING in mntput_no_expire (3)
[not found] <20220515133111.1864-1-hdanton@sina.com>
@ 2022-05-15 13:42 ` syzbot
0 siblings, 0 replies; 33+ messages in thread
From: syzbot @ 2022-05-15 13:42 UTC (permalink / raw)
To: hdanton, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in cleanup_mnt
------------[ cut here ]------------
WARNING: CPU: 1 PID: 4044 at fs/namespace.c:1177 cleanup_mnt+0x416/0x540 fs/namespace.c:1177
Modules linked in:
CPU: 1 PID: 4044 Comm: syz-executor.0 Not tainted 5.18.0-rc6-syzkaller-00009-gfeb9c5e19e91-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:cleanup_mnt+0x416/0x540 fs/namespace.c:1177
Call Trace:
<TASK>
task_work_run+0xdd/0x1a0 kernel/task_work.c:164
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop kernel/entry/common.c:169 [inline]
exit_to_user_mode_prepare+0x23c/0x250 kernel/entry/common.c:201
__syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:294
do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x44/0xae
</TASK>
Tested on:
commit: feb9c5e1 Merge tag 'for_linus' of git://git.kernel.org..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
console output: https://syzkaller.appspot.com/x/log.txt?x=17d119aef00000
kernel config: https://syzkaller.appspot.com/x/.config?x=79caa0035f59d385
dashboard link: https://syzkaller.appspot.com/bug?extid=5b1e53987f858500ec00
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=12ab09a5f00000
* Re: [syzbot] WARNING in mntput_no_expire (3)
[not found] <20220515094719.1786-1-hdanton@sina.com>
@ 2022-05-15 9:59 ` syzbot
0 siblings, 0 replies; 33+ messages in thread
From: syzbot @ 2022-05-15 9:59 UTC (permalink / raw)
To: hdanton, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in dst_dev_put
general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 PID: 15 Comm: ksoftirqd/0 Not tainted 5.18.0-rc6-syzkaller-00009-gfeb9c5e19e91-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:dst_dev_put+0x22/0x320 net/core/dst.c:154
Call Trace:
<TASK>
fib6_nh_release_dsts.part.0+0xf8/0x160 net/ipv6/route.c:3672
fib6_nh_release_dsts net/ipv6/route.c:3663 [inline]
fib6_nh_release+0x11a/0x240 net/ipv6/route.c:3653
fib6_info_destroy_rcu+0x187/0x210 net/ipv6/ip6_fib.c:176
rcu_do_batch kernel/rcu/tree.c:2535 [inline]
rcu_core+0x7b1/0x1880 kernel/rcu/tree.c:2786
__do_softirq+0x29b/0x9c2 kernel/softirq.c:558
run_ksoftirqd kernel/softirq.c:921 [inline]
run_ksoftirqd+0x2d/0x60 kernel/softirq.c:913
smpboot_thread_fn+0x645/0x9c0 kernel/smpboot.c:164
kthread+0x2e9/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
Tested on:
commit: feb9c5e1 Merge tag 'for_linus' of git://git.kernel.org..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
console output: https://syzkaller.appspot.com/x/log.txt?x=16848769f00000
kernel config: https://syzkaller.appspot.com/x/.config?x=79caa0035f59d385
dashboard link: https://syzkaller.appspot.com/bug?extid=5b1e53987f858500ec00
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=15cc4e85f00000
* Re: [syzbot] WARNING in mntput_no_expire (3)
[not found] <20220515050556.1646-1-hdanton@sina.com>
@ 2022-05-15 7:52 ` syzbot
0 siblings, 0 replies; 33+ messages in thread
From: syzbot @ 2022-05-15 7:52 UTC (permalink / raw)
To: hdanton, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in mnt_check_count
------------[ cut here ]------------
WARNING: CPU: 0 PID: 4324 at fs/namespace.c:1307 mnt_check_count fs/namespace.c:1307 [inline]
WARNING: CPU: 0 PID: 4324 at fs/namespace.c:1307 mnt_check_count+0x14a/0x210 fs/namespace.c:1301
Modules linked in:
CPU: 1 PID: 4324 Comm: syz-executor.0 Not tainted 5.18.0-rc6-syzkaller-00009-gfeb9c5e19e91-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:mnt_check_count fs/namespace.c:1307 [inline]
RIP: 0010:mnt_check_count+0x14a/0x210 fs/namespace.c:1301
Call Trace:
<TASK>
fput_many.part.0+0x3d/0x1a0 fs/file_table.c:375
fput_many fs/file_table.c:396 [inline]
fput+0x42/0x50 fs/file_table.c:395
filp_close+0x124/0x160 fs/open.c:1329
close_fd+0x6f/0xa0 fs/file.c:671
__do_sys_close fs/open.c:1342 [inline]
__se_sys_close fs/open.c:1340 [inline]
__x64_sys_close+0x2f/0xa0 fs/open.c:1340
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
</TASK>
Tested on:
commit: feb9c5e1 Merge tag 'for_linus' of git://git.kernel.org..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
console output: https://syzkaller.appspot.com/x/log.txt?x=1488f396f00000
kernel config: https://syzkaller.appspot.com/x/.config?x=79caa0035f59d385
dashboard link: https://syzkaller.appspot.com/bug?extid=5b1e53987f858500ec00
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=12375f31f00000
* Re: [syzbot] WARNING in mntput_no_expire (3)
[not found] <20220515012731.1529-1-hdanton@sina.com>
@ 2022-05-15 7:23 ` syzbot
0 siblings, 0 replies; 33+ messages in thread
From: syzbot @ 2022-05-15 7:23 UTC (permalink / raw)
To: hdanton, linux-kernel, syzkaller-bugs
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
fs/namespace.c:1302:1: error: expected identifier or '(' before '{' token
Tested on:
commit: feb9c5e1 Merge tag 'for_linus' of git://git.kernel.org..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
dashboard link: https://syzkaller.appspot.com/bug?extid=5b1e53987f858500ec00
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=13dff259f00000
* Re: [syzbot] WARNING in mntput_no_expire (3)
[not found] <20220514233453.1426-1-hdanton@sina.com>
@ 2022-05-15 0:22 ` syzbot
0 siblings, 0 replies; 33+ messages in thread
From: syzbot @ 2022-05-15 0:22 UTC (permalink / raw)
To: hdanton, linux-kernel, syzkaller-bugs
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
fs/file_table.c:377:22: error: implicit declaration of function 'real_mount'; did you mean 'kern_mount'? [-Werror=implicit-function-declaration]
fs/file_table.c:378:16: error: implicit declaration of function 'mnt_get_count'; did you mean 'init_page_count'? [-Werror=implicit-function-declaration]
fs/file_table.c:380:13: error: invalid use of undefined type 'struct mount'
Tested on:
commit: feb9c5e1 Merge tag 'for_linus' of git://git.kernel.org..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
dashboard link: https://syzkaller.appspot.com/bug?extid=5b1e53987f858500ec00
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=16788769f00000
* Re: [syzbot] WARNING in mntput_no_expire (3)
[not found] <20220514132858.1322-1-hdanton@sina.com>
@ 2022-05-14 13:40 ` syzbot
0 siblings, 0 replies; 33+ messages in thread
From: syzbot @ 2022-05-14 13:40 UTC (permalink / raw)
To: hdanton, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in mntput_no_expire
------------[ cut here ]------------
WARNING: CPU: 1 PID: 4205 at fs/namespace.c:1226 mntput_no_expire+0x979/0xfe0 fs/namespace.c:1226
Modules linked in:
CPU: 1 PID: 4205 Comm: syz-executor.2 Not tainted 5.18.0-rc6-syzkaller-00009-gfeb9c5e19e91-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:mntput_no_expire+0x979/0xfe0 fs/namespace.c:1226
Call Trace:
<TASK>
mntput+0x67/0x90 fs/namespace.c:1289
__fput+0x3ba/0x9d0 fs/file_table.c:333
task_work_run+0xdd/0x1a0 kernel/task_work.c:164
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop kernel/entry/common.c:169 [inline]
exit_to_user_mode_prepare+0x23c/0x250 kernel/entry/common.c:201
__syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:294
do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x44/0xae
</TASK>
Tested on:
commit: feb9c5e1 Merge tag 'for_linus' of git://git.kernel.org..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
console output: https://syzkaller.appspot.com/x/log.txt?x=124eef66f00000
kernel config: https://syzkaller.appspot.com/x/.config?x=79caa0035f59d385
dashboard link: https://syzkaller.appspot.com/bug?extid=5b1e53987f858500ec00
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=123ae715f00000
* Re: [syzbot] WARNING in mntput_no_expire (3)
[not found] <20220514114718.1254-1-hdanton@sina.com>
@ 2022-05-14 11:59 ` syzbot
0 siblings, 0 replies; 33+ messages in thread
From: syzbot @ 2022-05-14 11:59 UTC (permalink / raw)
To: hdanton, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in mntput_no_expire
------------[ cut here ]------------
WARNING: CPU: 0 PID: 4445 at fs/namespace.c:1226 mntput_no_expire+0x985/0xfe0 fs/namespace.c:1226
Modules linked in:
CPU: 0 PID: 4445 Comm: syz-executor.3 Not tainted 5.18.0-rc6-syzkaller-00009-gfeb9c5e19e91-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:mntput_no_expire+0x985/0xfe0 fs/namespace.c:1226
Call Trace:
<TASK>
mntput+0x67/0x90 fs/namespace.c:1288
__fput+0x3ba/0x9d0 fs/file_table.c:333
task_work_run+0xdd/0x1a0 kernel/task_work.c:164
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop kernel/entry/common.c:169 [inline]
exit_to_user_mode_prepare+0x23c/0x250 kernel/entry/common.c:201
__syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:294
do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x44/0xae
</TASK>
Tested on:
commit: feb9c5e1 Merge tag 'for_linus' of git://git.kernel.org..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
console output: https://syzkaller.appspot.com/x/log.txt?x=1794b83af00000
kernel config: https://syzkaller.appspot.com/x/.config?x=79caa0035f59d385
dashboard link: https://syzkaller.appspot.com/bug?extid=5b1e53987f858500ec00
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=10404456f00000
* Re: [syzbot] WARNING in mntput_no_expire (3)
[not found] <20220514084129.1104-1-hdanton@sina.com>
@ 2022-05-14 9:20 ` syzbot
0 siblings, 0 replies; 33+ messages in thread
From: syzbot @ 2022-05-14 9:20 UTC (permalink / raw)
To: hdanton, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in mntput_no_expire
cgroup: cgroup_addrm_files: failed to add max, err=-12
------------[ cut here ]------------
WARNING: CPU: 1 PID: 4705 at fs/namespace.c:1225 mntput_no_expire+0x979/0xfe0 fs/namespace.c:1225
Modules linked in:
CPU: 1 PID: 4705 Comm: syz-executor.1 Not tainted 5.18.0-rc6-syzkaller-00009-gfeb9c5e19e91-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:mntput_no_expire+0x979/0xfe0 fs/namespace.c:1225
Call Trace:
<TASK>
mntput+0x67/0x90 fs/namespace.c:1288
__fput+0x3ba/0x9d0 fs/file_table.c:333
task_work_run+0xdd/0x1a0 kernel/task_work.c:164
get_signal+0x1c5/0x24c0 kernel/signal.c:2641
arch_do_signal_or_restart+0x82/0x20f0 arch/x86/kernel/signal.c:867
exit_to_user_mode_loop kernel/entry/common.c:166 [inline]
exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:201
__syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:294
do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x44/0xae
</TASK>
Tested on:
commit: feb9c5e1 Merge tag 'for_linus' of git://git.kernel.org..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
console output: https://syzkaller.appspot.com/x/log.txt?x=13f70966f00000
kernel config: https://syzkaller.appspot.com/x/.config?x=79caa0035f59d385
dashboard link: https://syzkaller.appspot.com/bug?extid=5b1e53987f858500ec00
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=1668ee31f00000
* Re: [syzbot] WARNING in mntput_no_expire (3)
[not found] <20220514073117.965-1-hdanton@sina.com>
@ 2022-05-14 7:42 ` syzbot
0 siblings, 0 replies; 33+ messages in thread
From: syzbot @ 2022-05-14 7:42 UTC (permalink / raw)
To: hdanton, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in mntput_no_expire
------------[ cut here ]------------
WARNING: CPU: 0 PID: 4055 at fs/namespace.c:1232 mntput_no_expire+0xb02/0xfe0 fs/namespace.c:1232
Modules linked in:
CPU: 0 PID: 4055 Comm: syz-executor.4 Not tainted 5.18.0-rc6-syzkaller-00009-gfeb9c5e19e91-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:mntput_no_expire+0xb02/0xfe0 fs/namespace.c:1232
Call Trace:
<TASK>
path_umount+0x7d4/0x1260 fs/namespace.c:1814
ksys_umount fs/namespace.c:1833 [inline]
__do_sys_umount fs/namespace.c:1838 [inline]
__se_sys_umount fs/namespace.c:1836 [inline]
__x64_sys_umount+0x159/0x180 fs/namespace.c:1836
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
</TASK>
Tested on:
commit: feb9c5e1 Merge tag 'for_linus' of git://git.kernel.org..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
console output: https://syzkaller.appspot.com/x/log.txt?x=132990c6f00000
kernel config: https://syzkaller.appspot.com/x/.config?x=79caa0035f59d385
dashboard link: https://syzkaller.appspot.com/bug?extid=5b1e53987f858500ec00
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=17ff8456f00000
* Re: [syzbot] WARNING in mntput_no_expire (3)
[not found] <20220514062752.900-1-hdanton@sina.com>
@ 2022-05-14 6:38 ` syzbot
0 siblings, 0 replies; 33+ messages in thread
From: syzbot @ 2022-05-14 6:38 UTC (permalink / raw)
To: hdanton, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in mntput_no_expire
------------[ cut here ]------------
WARNING: CPU: 1 PID: 4281 at fs/namespace.c:1225 mntput_no_expire+0x979/0xfe0 fs/namespace.c:1225
Modules linked in:
CPU: 1 PID: 4281 Comm: syz-executor.3 Not tainted 5.18.0-rc6-syzkaller-00009-gfeb9c5e19e91-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:mntput_no_expire+0x979/0xfe0 fs/namespace.c:1225
Call Trace:
<TASK>
mntput+0x67/0x90 fs/namespace.c:1288
__fput+0x3ba/0x9d0 fs/file_table.c:333
task_work_run+0xdd/0x1a0 kernel/task_work.c:164
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop kernel/entry/common.c:169 [inline]
exit_to_user_mode_prepare+0x23c/0x250 kernel/entry/common.c:201
__syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:294
do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x44/0xae
</TASK>
Tested on:
commit: feb9c5e1 Merge tag 'for_linus' of git://git.kernel.org..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
console output: https://syzkaller.appspot.com/x/log.txt?x=11d1bd99f00000
kernel config: https://syzkaller.appspot.com/x/.config?x=79caa0035f59d385
dashboard link: https://syzkaller.appspot.com/bug?extid=5b1e53987f858500ec00
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=14c96d96f00000
* Re: [syzbot] WARNING in mntput_no_expire (3)
[not found] <20220514005032.346-1-hdanton@sina.com>
@ 2022-05-14 1:30 ` syzbot
0 siblings, 0 replies; 33+ messages in thread
From: syzbot @ 2022-05-14 1:30 UTC (permalink / raw)
To: hdanton, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: unable to handle kernel paging request in dst_dev_put
BUG: unable to handle page fault for address: ffffffffffffffff
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD ba8f067
P4D ba8f067
PUD ba91067
PMD 0
Oops: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 21 Comm: ksoftirqd/1 Not tainted 5.18.0-rc6-syzkaller-00009-gfeb9c5e19e91-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:dst_dev_put+0x30/0x320 net/core/dst.c:154
Code: fe 41 55 41 54 55 e8 bf 78 2b fa 4c 89 f2 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 dc 02 00 00 49 8d 7e 3a <4d> 8b 26 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 0f b6
RSP: 0018:ffffc900001b7c88 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: dffffc0000000000 RCX: 0000000000000100
RDX: 1fffffffffffffff RSI: ffffffff874dc821 RDI: 0000000000000039
RBP: 0000000000000000 R08: 0000000000000001 R09: ffffe8ffffc9571f
R10: fffff91ffff92ae3 R11: 0000000000000000 R12: 0000000000000003
R13: ffff88807ac008a8 R14: ffffffffffffffff R15: ffffffffffffffff
FS: 0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffff CR3: 000000006b914000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
fib6_nh_release_dsts.part.0+0xf8/0x160 net/ipv6/route.c:3672
fib6_nh_release_dsts net/ipv6/route.c:3663 [inline]
fib6_nh_release+0x11a/0x240 net/ipv6/route.c:3653
fib6_info_destroy_rcu+0x187/0x210 net/ipv6/ip6_fib.c:176
rcu_do_batch kernel/rcu/tree.c:2535 [inline]
rcu_core+0x7b1/0x1880 kernel/rcu/tree.c:2786
__do_softirq+0x29b/0x9c2 kernel/softirq.c:558
run_ksoftirqd kernel/softirq.c:921 [inline]
run_ksoftirqd+0x2d/0x60 kernel/softirq.c:913
smpboot_thread_fn+0x645/0x9c0 kernel/smpboot.c:164
kthread+0x2e9/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298
</TASK>
Modules linked in:
CR2: ffffffffffffffff
---[ end trace 0000000000000000 ]---
RIP: 0010:dst_dev_put+0x30/0x320 net/core/dst.c:154
Code: fe 41 55 41 54 55 e8 bf 78 2b fa 4c 89 f2 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 dc 02 00 00 49 8d 7e 3a <4d> 8b 26 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 0f b6
RSP: 0018:ffffc900001b7c88 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: dffffc0000000000 RCX: 0000000000000100
RDX: 1fffffffffffffff RSI: ffffffff874dc821 RDI: 0000000000000039
RBP: 0000000000000000 R08: 0000000000000001 R09: ffffe8ffffc9571f
R10: fffff91ffff92ae3 R11: 0000000000000000 R12: 0000000000000003
R13: ffff88807ac008a8 R14: ffffffffffffffff R15: ffffffffffffffff
FS: 0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffff CR3: 000000006b914000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: fe 41 55 incb 0x55(%rcx)
3: 41 54 push %r12
5: 55 push %rbp
6: e8 bf 78 2b fa callq 0xfa2b78ca
b: 4c 89 f2 mov %r14,%rdx
e: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
15: fc ff df
18: 48 c1 ea 03 shr $0x3,%rdx
1c: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1)
20: 0f 85 dc 02 00 00 jne 0x302
26: 49 8d 7e 3a lea 0x3a(%r14),%rdi
* 2a: 4d 8b 26 mov (%r14),%r12 <-- trapping instruction
2d: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
34: fc ff df
37: 48 89 fa mov %rdi,%rdx
3a: 48 c1 ea 03 shr $0x3,%rdx
3e: 0f .byte 0xf
3f: b6 .byte 0xb6
Tested on:
commit: feb9c5e1 Merge tag 'for_linus' of git://git.kernel.org..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
console output: https://syzkaller.appspot.com/x/log.txt?x=13f8f0f1f00000
kernel config: https://syzkaller.appspot.com/x/.config?x=79caa0035f59d385
dashboard link: https://syzkaller.appspot.com/bug?extid=5b1e53987f858500ec00
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=1233a91af00000
* Re: [syzbot] WARNING in mntput_no_expire (3)
[not found] <20220513144536.279-1-hdanton@sina.com>
@ 2022-05-13 15:14 ` syzbot
0 siblings, 0 replies; 33+ messages in thread
From: syzbot @ 2022-05-13 15:14 UTC (permalink / raw)
To: hdanton, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in mntput_no_expire
------------[ cut here ]------------
WARNING: CPU: 0 PID: 4063 at fs/namespace.c:1232 mntput_no_expire+0xb02/0xfe0 fs/namespace.c:1232
Modules linked in:
CPU: 0 PID: 4063 Comm: syz-executor.4 Not tainted 5.18.0-rc6-syzkaller-00009-gfeb9c5e19e91-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:mntput_no_expire+0xb02/0xfe0 fs/namespace.c:1232
Code: 00 48 c7 c7 80 16 db 89 c6 05 c3 c9 c8 0b 01 e8 19 58 4d 07 e9 57 ff ff ff e8 2a bf 9d ff 0f 0b e9 df f9 ff ff e8 1e bf 9d ff <0f> 0b e9 d3 f9 ff ff e8 12 bf 9d ff e8 9d b9 88 ff 31 ff 89 c3 89
RSP: 0018:ffffc9000335fc38 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff88806e651d80 RSI: ffffffff81db81c2 RDI: 0000000000000003
RBP: 0000000000000008 R08: 0000000000000000 R09: ffffffff9006e94f
R10: ffffffff81db7b7e R11: 0000000000000001 R12: ffffc9000335fc88
R13: ffff88801a842300 R14: 0000000000000002 R15: dffffc0000000000
FS: 0000555557159400(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f18cda11280 CR3: 0000000077f04000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
mntput fs/namespace.c:1288 [inline]
namespace_unlock+0x3ee/0x410 fs/namespace.c:1507
do_umount fs/namespace.c:1726 [inline]
path_umount+0x797/0x1260 fs/namespace.c:1808
ksys_umount fs/namespace.c:1831 [inline]
__do_sys_umount fs/namespace.c:1836 [inline]
__se_sys_umount fs/namespace.c:1834 [inline]
__x64_sys_umount+0x159/0x180 fs/namespace.c:1834
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7ff9a7c8a557
Code: ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe33a40f28 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ff9a7c8a557
RDX: 00007ffe33a40ff9 RSI: 000000000000000a RDI: 00007ffe33a40ff0
RBP: 00007ffe33a40ff0 R08: 00000000ffffffff R09: 00007ffe33a40dc0
R10: 000055555715a8b3 R11: 0000000000000246 R12: 00007ff9a7ce21f8
R13: 00007ffe33a420b0 R14: 000055555715a810 R15: 00007ffe33a420f0
</TASK>
Tested on:
commit: feb9c5e1 Merge tag 'for_linus' of git://git.kernel.org..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
console output: https://syzkaller.appspot.com/x/log.txt?x=14be78aef00000
kernel config: https://syzkaller.appspot.com/x/.config?x=79caa0035f59d385
dashboard link: https://syzkaller.appspot.com/bug?extid=5b1e53987f858500ec00
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=10db8f71f00000
* Re: [syzbot] WARNING in mntput_no_expire (3)
[not found] <20220513134852.6446-1-hdanton@sina.com>
@ 2022-05-13 14:12 ` syzbot
0 siblings, 0 replies; 33+ messages in thread
From: syzbot @ 2022-05-13 14:12 UTC (permalink / raw)
To: hdanton, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in mntput_no_expire
------------[ cut here ]------------
WARNING: CPU: 0 PID: 4363 at fs/namespace.c:1229 mntput_no_expire+0x979/0xfe0 fs/namespace.c:1229
Modules linked in:
CPU: 0 PID: 4363 Comm: syz-executor.3 Not tainted 5.18.0-rc6-syzkaller-00009-gfeb9c5e19e91-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:mntput_no_expire+0x979/0xfe0 fs/namespace.c:1229
Code: 04 00 00 48 8b 35 ff a4 dd 0b b9 01 00 00 00 bf 08 00 00 00 48 c7 c2 20 fe f0 8b e8 b1 0e 72 ff e9 01 f9 ff ff e8 a7 c0 9d ff <0f> 0b e9 b6 f8 ff ff e8 9b c0 9d ff 0f 0b e9 aa f8 ff ff e8 8f c0
RSP: 0018:ffffc90003c2fd78 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff8880243f9d80 RSI: ffffffff81db8039 RDI: 0000000000000003
RBP: 0000000000000008 R08: 0000000000000000 R09: 0000000000000001
R10: ffffffff81db78d8 R11: 0000000000000000 R12: 0000000000000002
R13: ffff888022f03800 R14: dffffc0000000000 R15: ffffed10045e070a
FS: 0000555556ec8400(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055555662a848 CR3: 000000006e4e0000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
mntput+0x67/0x90 fs/namespace.c:1292
__fput+0x3ba/0x9d0 fs/file_table.c:333
task_work_run+0xdd/0x1a0 kernel/task_work.c:164
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop kernel/entry/common.c:169 [inline]
exit_to_user_mode_prepare+0x23c/0x250 kernel/entry/common.c:201
__syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:294
do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f5ac9e3bd2b
Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44
RSP: 002b:00007ffd32b26f80 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00007f5ac9e3bd2b
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000003
RBP: 00007f5ac9f9d960 R08: 0000000000000000 R09: 00007ffd32bcf080
R10: 0000000000000000 R11: 0000000000000293 R12: 000000000001705f
R13: 00007ffd32b27080 R14: 00007ffd32b270a0 R15: 0000000000000032
</TASK>
Tested on:
commit: feb9c5e1 Merge tag 'for_linus' of git://git.kernel.org..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
console output: https://syzkaller.appspot.com/x/log.txt?x=126c6aa5f00000
kernel config: https://syzkaller.appspot.com/x/.config?x=79caa0035f59d385
dashboard link: https://syzkaller.appspot.com/bug?extid=5b1e53987f858500ec00
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=10935b21f00000
* Re: [syzbot] WARNING in mntput_no_expire (3)
[not found] <20220513123641.6379-1-hdanton@sina.com>
@ 2022-05-13 12:48 ` syzbot
0 siblings, 0 replies; 33+ messages in thread
From: syzbot @ 2022-05-13 12:48 UTC (permalink / raw)
To: hdanton, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in mntput_no_expire
------------[ cut here ]------------
WARNING: CPU: 1 PID: 4387 at fs/namespace.c:1228 mntput_no_expire+0x985/0xfe0 fs/namespace.c:1228
Modules linked in:
CPU: 1 PID: 4387 Comm: syz-executor.4 Not tainted 5.18.0-rc6-syzkaller-00009-gfeb9c5e19e91-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:mntput_no_expire+0x985/0xfe0 fs/namespace.c:1228
Code: 00 00 00 bf 08 00 00 00 48 c7 c2 e0 fd f0 8b e8 b1 0e 72 ff e9 01 f9 ff ff e8 a7 c0 9d ff 0f 0b e9 b6 f8 ff ff e8 9b c0 9d ff <0f> 0b e9 aa f8 ff ff e8 8f c0 9d ff e8 ca d0 91 07 31 ff 89 c3 89
RSP: 0018:ffffc90003fb7d78 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 00000000ffffffff RCX: 0000000000000000
RDX: ffff88806bd9d880 RSI: ffffffff81db8045 RDI: 0000000000000003
RBP: 0000000000000008 R08: 0000000000000000 R09: 0000000000000001
R10: ffffffff81db78ee R11: 0000000000000000 R12: 0000000000000002
R13: ffff88801f142600 R14: dffffc0000000000 R15: ffffed1003e284ca
FS: 00005555562ef400(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f71d6e99ff8 CR3: 000000006b3ca000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
mntput+0x67/0x90 fs/namespace.c:1290
__fput+0x3ba/0x9d0 fs/file_table.c:333
task_work_run+0xdd/0x1a0 kernel/task_work.c:164
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop kernel/entry/common.c:169 [inline]
exit_to_user_mode_prepare+0x23c/0x250 kernel/entry/common.c:201
__syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:294
do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f043643bd2b
Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44
RSP: 002b:00007ffecc2e9cc0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00007f043643bd2b
RDX: 0000001b31320000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00007f043659d960 R08: 0000000000000000 R09: 00007ffecc37f080
R10: 00007ffecc37f090 R11: 0000000000000293 R12: 0000000000016ea4
R13: 00007ffecc2e9dc0 R14: 00007ffecc2e9de0 R15: 0000000000000032
</TASK>
Tested on:
commit: feb9c5e1 Merge tag 'for_linus' of git://git.kernel.org..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
console output: https://syzkaller.appspot.com/x/log.txt?x=103e78aef00000
kernel config: https://syzkaller.appspot.com/x/.config?x=79caa0035f59d385
dashboard link: https://syzkaller.appspot.com/bug?extid=5b1e53987f858500ec00
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=14aafa9ef00000
* Re: [syzbot] WARNING in mntput_no_expire (3)
[not found] <20220512133426.6300-1-hdanton@sina.com>
@ 2022-05-12 14:05 ` syzbot
0 siblings, 0 replies; 33+ messages in thread
From: syzbot @ 2022-05-12 14:05 UTC (permalink / raw)
To: hdanton, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in mntput_no_expire
------------[ cut here ]------------
WARNING: CPU: 1 PID: 4303 at fs/namespace.c:1225 mntput_no_expire+0x965/0xfc0 fs/namespace.c:1225
Modules linked in:
CPU: 1 PID: 4303 Comm: syz-executor.2 Not tainted 5.18.0-rc6-syzkaller-00009-gfeb9c5e19e91-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:mntput_no_expire+0x965/0xfc0 fs/namespace.c:1225
Code: 05 00 00 48 8b 35 93 a4 dd 0b b9 01 00 00 00 bf 08 00 00 00 48 c7 c2 e0 fd f0 8b e8 c5 0e 72 ff e9 15 f9 ff ff e8 bb c0 9d ff <0f> 0b e9 ca f8 ff ff e8 af c0 9d ff 0f 0b e9 be f8 ff ff e8 a3 c0
RSP: 0018:ffffc900039dfd78 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff888018771d80 RSI: ffffffff81db8025 RDI: 0000000000000003
RBP: 0000000000000008 R08: 0000000000000000 R09: 0000000000000001
R10: ffffffff81db78d8 R11: 0000000000000000 R12: 0000000000000002
R13: ffff88807d666600 R14: dffffc0000000000 R15: ffffed100facccca
FS: 00005555560e5400(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000555556a84848 CR3: 000000001a7cd000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
mntput+0x67/0x90 fs/namespace.c:1287
__fput+0x3ba/0x9d0 fs/file_table.c:333
task_work_run+0xdd/0x1a0 kernel/task_work.c:164
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop kernel/entry/common.c:169 [inline]
exit_to_user_mode_prepare+0x23c/0x250 kernel/entry/common.c:201
__syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:294
do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f215003bd2b
Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44
RSP: 002b:00007ffc71fd75e0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00007f215003bd2b
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000003
RBP: 00007f215019d960 R08: 0000000000000000 R09: 00007ffc71fe1080
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000016e46
R13: 00007ffc71fd76e0 R14: 00007ffc71fd7700 R15: 0000000000000032
</TASK>
Tested on:
commit: feb9c5e1 Merge tag 'for_linus' of git://git.kernel.org..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
console output: https://syzkaller.appspot.com/x/log.txt?x=10502459f00000
kernel config: https://syzkaller.appspot.com/x/.config?x=79caa0035f59d385
dashboard link: https://syzkaller.appspot.com/bug?extid=5b1e53987f858500ec00
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=1786c8c6f00000
* Re: [syzbot] WARNING in mntput_no_expire (3)
[not found] <20220512120234.6088-1-hdanton@sina.com>
@ 2022-05-12 12:20 ` syzbot
0 siblings, 0 replies; 33+ messages in thread
From: syzbot @ 2022-05-12 12:20 UTC (permalink / raw)
To: hdanton, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in mntput_no_expire
------------[ cut here ]------------
WARNING: CPU: 1 PID: 4071 at fs/namespace.c:1236 mntput_no_expire+0xada/0xcd0 fs/namespace.c:1236
Modules linked in:
CPU: 1 PID: 4071 Comm: syz-executor.4 Not tainted 5.18.0-rc6-syzkaller-00009-gfeb9c5e19e91-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:mntput_no_expire+0xada/0xcd0 fs/namespace.c:1236
Code: 30 84 c0 0f 84 b9 fe ff ff 3c 03 0f 8f b1 fe ff ff 4c 89 44 24 10 e8 45 50 e9 ff 4c 8b 44 24 10 e9 9d fe ff ff e8 46 bf 9d ff <0f> 0b e9 19 fd ff ff e8 3a bf 9d ff e8 75 cf 91 07 31 ff 89 c5 89
RSP: 0018:ffffc9000324fcf0 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 1ffff92000649fa4 RCX: 0000000000000000
RDX: ffff88807ccd0000 RSI: ffffffff81db819a RDI: 0000000000000003
RBP: ffff888022660c00 R08: 0000000000000000 R09: ffffffff9006d94f
R10: ffffffff81db7eb1 R11: 0000000000000001 R12: 0000000000000008
R13: ffffc9000324fd40 R14: 00000000ffffffff R15: 0000000000000002
FS: 0000555556484400(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005567c4d8d680 CR3: 0000000022908000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
path_umount+0x925/0x10d0 fs/namespace.c:1809
ksys_umount fs/namespace.c:1828 [inline]
__do_sys_umount fs/namespace.c:1833 [inline]
__se_sys_umount fs/namespace.c:1831 [inline]
__x64_sys_umount+0x159/0x180 fs/namespace.c:1831
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f0dfe48a557
Code: ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffef4140618 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f0dfe48a557
RDX: 00007ffef41406ea RSI: 000000000000000a RDI: 00007ffef41406e0
RBP: 00007ffef41406e0 R08: 00000000ffffffff R09: 00007ffef41404b0
R10: 00005555564858b3 R11: 0000000000000246 R12: 00007f0dfe4e21f8
R13: 00007ffef41417a0 R14: 0000555556485810 R15: 00007ffef41417e0
</TASK>
Tested on:
commit: feb9c5e1 Merge tag 'for_linus' of git://git.kernel.org..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
console output: https://syzkaller.appspot.com/x/log.txt?x=159cbc4ef00000
kernel config: https://syzkaller.appspot.com/x/.config?x=79caa0035f59d385
dashboard link: https://syzkaller.appspot.com/bug?extid=5b1e53987f858500ec00
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=1449df71f00000
* Re: [syzbot] WARNING in mntput_no_expire (3)
[not found] <20220511135117.5993-1-hdanton@sina.com>
@ 2022-05-11 14:03 ` syzbot
0 siblings, 0 replies; 33+ messages in thread
From: syzbot @ 2022-05-11 14:03 UTC (permalink / raw)
To: hdanton, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING: ODEBUG bug in __init_work
------------[ cut here ]------------
ODEBUG: init active (active state 0) object type: work_struct hint: css_killed_work_fn+0x0/0x5e0 kernel/cgroup/cgroup.c:3947
WARNING: CPU: 1 PID: 4107 at lib/debugobjects.c:505 debug_print_object+0x16e/0x250 lib/debugobjects.c:505
Modules linked in:
CPU: 1 PID: 4107 Comm: syz-executor.3 Not tainted 5.18.0-rc6-syzkaller-00009-gfeb9c5e19e91-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:debug_print_object+0x16e/0x250 lib/debugobjects.c:505
Code: ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 af 00 00 00 48 8b 14 dd 40 40 27 8a 4c 89 ee 48 c7 c7 40 34 27 8a e8 7a cc 2c 05 <0f> 0b 83 05 25 a2 bd 09 01 48 83 c4 18 5b 5d 41 5c 41 5d 41 5e c3
RSP: 0018:ffffc900001e0cb8 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000
RDX: ffff88807348bb00 RSI: ffffffff81601ae8 RDI: fffff5200003c189
RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000001
R10: ffffffff815fc4be R11: 0000000000000000 R12: ffffffff89cb9000
R13: ffffffff8a2739c0 R14: ffffffff814c80d0 R15: ffffffff90840968
FS: 0000555555872400(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f22b216c058 CR3: 000000006b894000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
__debug_object_init+0x524/0xd10 lib/debugobjects.c:593
__init_work+0x48/0x50 kernel/workqueue.c:523
css_release+0x1a/0x110 kernel/cgroup/cgroup.c:5213
percpu_ref_put_many.constprop.0+0x22b/0x260 include/linux/percpu-refcount.h:335
rcu_do_batch kernel/rcu/tree.c:2535 [inline]
rcu_core+0x7b1/0x1880 kernel/rcu/tree.c:2786
__do_softirq+0x29b/0x9c2 kernel/softirq.c:558
invoke_softirq kernel/softirq.c:432 [inline]
__irq_exit_rcu+0x123/0x180 kernel/softirq.c:637
irq_exit_rcu+0x5/0x20 kernel/softirq.c:649
sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1097
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:645
RIP: 0010:__syscall_enter_from_user_work kernel/entry/common.c:89 [inline]
RIP: 0010:syscall_enter_from_user_mode+0x2b/0x70 kernel/entry/common.c:110
Code: 54 49 89 f4 55 48 89 fd 48 8b 7c 24 10 e8 ed f5 ff ff eb 27 eb 2b e8 04 35 12 f8 e8 7f 31 12 f8 fb 65 48 8b 04 25 00 70 02 00 <48> 8b 70 08 40 f6 c6 3f 75 19 4c 89 e0 5d 41 5c c3 eb 1b 0f 0b eb
RSP: 0018:ffffc9000352ff28 EFLAGS: 00000206
RAX: ffff88807348bb00 RBX: 0000000000000000 RCX: 1ffffffff1b71e79
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc9000352ff58 R08: 0000000000000001 R09: 0000000000000001
R10: ffffffff817f8958 R11: 0000000000000000 R12: 000000000000003d
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
do_syscall_64+0x16/0xb0 arch/x86/entry/common.c:76
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f307ec87587
Code: 89 7c 24 10 48 89 4c 24 18 e8 35 50 02 00 4c 8b 54 24 18 8b 54 24 14 41 89 c0 48 8b 74 24 08 8b 7c 24 10 b8 3d 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 89 44 24 10 e8 65 50 02 00 8b 44
RSP: 002b:00007ffcba6fb200 EFLAGS: 00000293 ORIG_RAX: 000000000000003d
RAX: ffffffffffffffda RBX: 0000000000000018 RCX: 00007f307ec87587
RDX: 0000000040000001 RSI: 00007ffcba6fb28c RDI: 00000000ffffffff
RBP: 00007ffcba6fb28c R08: 0000000000000000 R09: 00007ffcba74f080
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000032
R13: 0000000000016531 R14: 0000000000000004 R15: 00007ffcba6fb2f0
</TASK>
----------------
Code disassembly (best guess):
0: 54 push %rsp
1: 49 89 f4 mov %rsi,%r12
4: 55 push %rbp
5: 48 89 fd mov %rdi,%rbp
8: 48 8b 7c 24 10 mov 0x10(%rsp),%rdi
d: e8 ed f5 ff ff callq 0xfffff5ff
12: eb 27 jmp 0x3b
14: eb 2b jmp 0x41
16: e8 04 35 12 f8 callq 0xf812351f
1b: e8 7f 31 12 f8 callq 0xf812319f
20: fb sti
21: 65 48 8b 04 25 00 70 mov %gs:0x27000,%rax
28: 02 00
* 2a: 48 8b 70 08 mov 0x8(%rax),%rsi <-- trapping instruction
2e: 40 f6 c6 3f test $0x3f,%sil
32: 75 19 jne 0x4d
34: 4c 89 e0 mov %r12,%rax
37: 5d pop %rbp
38: 41 5c pop %r12
3a: c3 retq
3b: eb 1b jmp 0x58
3d: 0f 0b ud2
3f: eb .byte 0xeb
Tested on:
commit: feb9c5e1 Merge tag 'for_linus' of git://git.kernel.org..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
console output: https://syzkaller.appspot.com/x/log.txt?x=1193d43af00000
kernel config: https://syzkaller.appspot.com/x/.config?x=79caa0035f59d385
dashboard link: https://syzkaller.appspot.com/bug?extid=5b1e53987f858500ec00
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=1681e821f00000
* Re: [syzbot] WARNING in mntput_no_expire (3)
2021-11-15 22:27 syzbot
@ 2022-05-11 5:34 ` syzbot
0 siblings, 0 replies; 33+ messages in thread
From: syzbot @ 2022-05-11 5:34 UTC (permalink / raw)
To: linux-fsdevel, linux-kernel, netdev, syzkaller-bugs, viro
syzbot has found a reproducer for the following issue on:
HEAD commit: feb9c5e19e91 Merge tag 'for_linus' of git://git.kernel.org..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=10ea9d8ef00000
kernel config: https://syzkaller.appspot.com/x/.config?x=79caa0035f59d385
dashboard link: https://syzkaller.appspot.com/bug?extid=5b1e53987f858500ec00
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=125039fef00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17a27b71f00000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+5b1e53987f858500ec00@syzkaller.appspotmail.com
------------[ cut here ]------------
WARNING: CPU: 0 PID: 3608 at fs/namespace.c:1236 mntput_no_expire+0xada/0xcd0 fs/namespace.c:1236
Modules linked in:
CPU: 0 PID: 3608 Comm: syz-executor314 Not tainted 5.18.0-rc6-syzkaller-00009-gfeb9c5e19e91 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:mntput_no_expire+0xada/0xcd0 fs/namespace.c:1236
Code: 30 84 c0 0f 84 b9 fe ff ff 3c 03 0f 8f b1 fe ff ff 4c 89 44 24 10 e8 45 50 e9 ff 4c 8b 44 24 10 e9 9d fe ff ff e8 56 bf 9d ff <0f> 0b e9 19 fd ff ff e8 4a bf 9d ff e8 b5 cf 91 07 31 ff 89 c5 89
RSP: 0018:ffffc900030ffcf0 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 1ffff9200061ffa4 RCX: 0000000000000000
RDX: ffff88807c859d80 RSI: ffffffff81db815a RDI: 0000000000000003
RBP: ffff88801bcbca80 R08: 0000000000000000 R09: ffffffff9006d90f
R10: ffffffff81db7e71 R11: 0000000000000001 R12: 0000000000000008
R13: ffffc900030ffd40 R14: 00000000ffffffff R15: 0000000000000002
FS: 0000555556a0e300(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000555556a17628 CR3: 0000000071c9d000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
path_umount+0x7d4/0x1260 fs/namespace.c:1806
ksys_umount fs/namespace.c:1825 [inline]
__do_sys_umount fs/namespace.c:1830 [inline]
__se_sys_umount fs/namespace.c:1828 [inline]
__x64_sys_umount+0x159/0x180 fs/namespace.c:1828
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fcc5b9cc2c7
Code: 00 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcb4fdf1a8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a6
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fcc5b9cc2c7
RDX: 00007ffcb4fdf269 RSI: 000000000000000a RDI: 00007ffcb4fdf260
RBP: 00007ffcb4fdf260 R08: 00000000ffffffff R09: 00007ffcb4fdf040
R10: 0000555556a0f693 R11: 0000000000000202 R12: 00007ffcb4fe02e0
R13: 0000555556a0f5f0 R14: 00007ffcb4fdf1d0 R15: 0000000000000002
</TASK>
* [syzbot] WARNING in mntput_no_expire (3)
@ 2021-11-15 22:27 syzbot
2022-05-11 5:34 ` syzbot
0 siblings, 1 reply; 33+ messages in thread
From: syzbot @ 2021-11-15 22:27 UTC (permalink / raw)
To: linux-fsdevel, linux-kernel, netdev, syzkaller-bugs, viro
Hello,
syzbot found the following issue on:
HEAD commit: fceb07950a7a Merge https://git.kernel.org/pub/scm/linux/ke..
git tree: bpf
console output: https://syzkaller.appspot.com/x/log.txt?x=16f9e61ab00000
kernel config: https://syzkaller.appspot.com/x/.config?x=a5d447cdc3ae81d9
dashboard link: https://syzkaller.appspot.com/bug?extid=5b1e53987f858500ec00
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+5b1e53987f858500ec00@syzkaller.appspotmail.com
------------[ cut here ]------------
WARNING: CPU: 0 PID: 13724 at fs/namespace.c:1187 mntput_no_expire+0xada/0xcd0 fs/namespace.c:1187
Modules linked in:
CPU: 0 PID: 13724 Comm: syz-executor.0 Not tainted 5.15.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:mntput_no_expire+0xada/0xcd0 fs/namespace.c:1187
Code: 30 84 c0 0f 84 b9 fe ff ff 3c 03 0f 8f b1 fe ff ff 4c 89 44 24 10 e8 45 3e ec ff 4c 8b 44 24 10 e9 9d fe ff ff e8 d6 d1 a5 ff <0f> 0b e9 19 fd ff ff e8 ca d1 a5 ff e8 b5 e1 65 07 31 ff 89 c5 89
RSP: 0018:ffffc90003fffc18 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 1ffff920007fff89 RCX: 0000000000000000
RDX: ffff8880746c3a00 RSI: ffffffff81d1a0ba RDI: 0000000000000003
RBP: ffff88807324ad80 R08: 0000000000000000 R09: ffffffff8fd39a0f
R10: ffffffff81d19dd1 R11: 0000000000000000 R12: 0000000000000008
R13: ffffc90003fffc68 R14: 00000000ffffffff R15: 0000000000000002
FS: 0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fee49cd9c18 CR3: 0000000030b77000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
Call Trace:
<TASK>
mntput fs/namespace.c:1233 [inline]
namespace_unlock+0x26b/0x410 fs/namespace.c:1452
drop_collected_mounts fs/namespace.c:1935 [inline]
put_mnt_ns fs/namespace.c:4344 [inline]
put_mnt_ns+0x106/0x140 fs/namespace.c:4340
free_nsproxy+0x43/0x4c0 kernel/nsproxy.c:191
put_nsproxy include/linux/nsproxy.h:105 [inline]
switch_task_namespaces+0xad/0xc0 kernel/nsproxy.c:249
do_exit+0xba5/0x2a20 kernel/exit.c:825
do_group_exit+0x125/0x310 kernel/exit.c:923
__do_sys_exit_group kernel/exit.c:934 [inline]
__se_sys_exit_group kernel/exit.c:932 [inline]
__x64_sys_exit_group+0x3a/0x50 kernel/exit.c:932
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fee49bf8ae9
Code: Unable to access opcode bytes at RIP 0x7fee49bf8abf.
RSP: 002b:00007ffe70646608 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000029 RCX: 00007fee49bf8ae9
RDX: 00007fee49bfa13a RSI: 0000000000000000 RDI: 0000000000000007
RBP: 0000000000000007 R08: ffffffffffff0000 R09: 0000000000000029
R10: 00000000000003b8 R11: 0000000000000246 R12: 00007ffe70646c70
R13: 0000000000000003 R14: 00007ffe70646c0c R15: 00007fee49cd9b60
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
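A triage helper, added here as an example and not part of the syzbot report or of the kernel tree: it parses the WARNING header and the kernel-side call-trace frames of a report like the one above into structured records, and derives a bug signature from function names only, since file line numbers drift between kernel versions while the frame sequence usually does not. The sample text is a trimmed copy of the report above (register dump omitted); the regexes, the Frame/Report types and the function names are this example's own assumptions, not anything syzkaller ships.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: a trimmed copy of the syzbot report above (kernel-side
# frames only, register dump and user-mode return address left out).
SAMPLE_REPORT = """\
WARNING: CPU: 0 PID: 13724 at fs/namespace.c:1187 mntput_no_expire+0xada/0xcd0 fs/namespace.c:1187
Modules linked in:
CPU: 0 PID: 13724 Comm: syz-executor.0 Not tainted 5.15.0-syzkaller #0
RIP: 0010:mntput_no_expire+0xada/0xcd0 fs/namespace.c:1187
Call Trace:
<TASK>
mntput fs/namespace.c:1233 [inline]
namespace_unlock+0x26b/0x410 fs/namespace.c:1452
drop_collected_mounts fs/namespace.c:1935 [inline]
put_mnt_ns fs/namespace.c:4344 [inline]
put_mnt_ns+0x106/0x140 fs/namespace.c:4340
free_nsproxy+0x43/0x4c0 kernel/nsproxy.c:191
put_nsproxy include/linux/nsproxy.h:105 [inline]
switch_task_namespaces+0xad/0xc0 kernel/nsproxy.c:249
do_exit+0xba5/0x2a20 kernel/exit.c:825
do_group_exit+0x125/0x310 kernel/exit.c:923
__do_sys_exit_group kernel/exit.c:934 [inline]
__se_sys_exit_group kernel/exit.c:932 [inline]
__x64_sys_exit_group+0x3a/0x50 kernel/exit.c:932
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fee49bf8ae9
</TASK>
"""

# "WARNING: CPU: n PID: n at file:line func+0xoff/0xsize ..."
WARN_RE = re.compile(r"^WARNING: CPU: (\d+) PID: (\d+) at (\S+):(\d+) (\w+)\+0x[0-9a-f]+/0x[0-9a-f]+")
# "CPU: n PID: n Comm: name Not tainted <version> #n" (or "Tainted: <flags>")
CPU_RE = re.compile(r"^CPU: \d+ PID: \d+ Comm: (\S+) (?:Not tainted|Tainted:.*?) (\S+) #\d+")
# One call-trace frame: func[+0xoff/0xsize] [file:line] [[inline]]
FRAME_RE = re.compile(
    r"^(?P<func>[A-Za-z_][\w.]*)"
    r"(?:\+0x(?P<off>[0-9a-f]+)/0x(?P<size>[0-9a-f]+))?"
    r"(?:\s+(?P<file>[^\s:]+):(?P<line>\d+))?"
    r"(?P<inline>\s+\[inline\])?$"
)


@dataclass
class Frame:
    func: str
    file: Optional[str]   # None for frames syzbot prints without a source location
    line: Optional[int]
    inline: bool          # marked "[inline]" by syzbot's symbolizer


@dataclass
class Report:
    cpu: int
    pid: int
    comm: str
    kernel: str
    warn_site: Tuple[str, int, str]   # (file, line, function) from the WARNING header
    frames: List[Frame] = field(default_factory=list)


def parse_syzbot_report(text: str) -> Report:
    """Extract the WARNING header and kernel frames; stop at the user-mode RIP or </TASK>."""
    cpu = pid = None
    comm = kernel = ""
    warn_site = None
    frames: List[Frame] = []
    in_trace = False
    for raw in text.splitlines():
        line = raw.strip()
        if (m := WARN_RE.match(line)):
            cpu, pid = int(m.group(1)), int(m.group(2))
            warn_site = (m.group(3), int(m.group(4)), m.group(5))
        elif (m := CPU_RE.match(line)):
            comm, kernel = m.group(1), m.group(2)
        elif line == "Call Trace:":
            in_trace = True
        elif in_trace:
            if line.startswith("</TASK>") or line.startswith("RIP:"):
                break   # user-mode registers follow; not part of the kernel trace
            m = FRAME_RE.match(line)
            if m:
                frames.append(Frame(
                    func=m.group("func"),
                    file=m.group("file"),
                    line=int(m.group("line")) if m.group("line") else None,
                    inline=m.group("inline") is not None,
                ))
    if warn_site is None or cpu is None or pid is None:
        raise ValueError("no WARNING header found")
    return Report(cpu, pid, comm, kernel, warn_site, frames)


def frames_in_file(report: Report, path: str) -> List[Frame]:
    """All frames attributed to one source file, in unwind order."""
    return [f for f in report.frames if f.file == path]


def signature(report: Report, depth: int = 4) -> str:
    """Dedup key: WARNING function plus the first `depth` non-inline callers, no line numbers."""
    outer = [f.func for f in report.frames if not f.inline][:depth]
    return report.warn_site[2] + "|" + ">".join(outer)


if __name__ == "__main__":
    r = parse_syzbot_report(SAMPLE_REPORT)
    print(r.kernel, r.comm, r.warn_site)
    print(signature(r))
```

Two reports whose `signature()` agree are almost certainly the same bug even when the `fs/namespace.c:NNNN` numbers differ; reports that share only the WARNING function but reach it through different callers (for example the exit-time `put_mnt_ns` path here versus a plain `__fput`) are worth keeping apart during bisection.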
end of thread, other threads:[~2022-05-18 11:00 UTC | newest]
Thread overview: 33+ messages
[not found] <20220517223806.2299-1-hdanton@sina.com>
2022-05-17 22:49 ` [syzbot] WARNING in mntput_no_expire (3) syzbot
2022-05-17 22:58 ` Al Viro
2022-05-18 0:59 ` Al Viro
2022-05-18 1:10 ` Al Viro
2022-05-18 1:58 ` Al Viro
2022-05-18 4:38 ` Al Viro
2022-05-18 4:57 ` Al Viro
2022-05-18 5:37 ` Al Viro
2022-05-18 6:25 ` Al Viro
2022-05-18 6:45 ` syzbot
[not found] <20220518104052.2373-1-hdanton@sina.com>
2022-05-18 11:00 ` syzbot
[not found] <20220517111247.2103-1-hdanton@sina.com>
2022-05-17 11:35 ` syzbot
[not found] <20220516233918.2046-1-hdanton@sina.com>
2022-05-17 2:57 ` syzbot
[not found] <20220516122225.1986-1-hdanton@sina.com>
2022-05-16 12:33 ` syzbot
[not found] <20220515133111.1864-1-hdanton@sina.com>
2022-05-15 13:42 ` syzbot
[not found] <20220515094719.1786-1-hdanton@sina.com>
2022-05-15 9:59 ` syzbot
[not found] <20220515050556.1646-1-hdanton@sina.com>
2022-05-15 7:52 ` syzbot
[not found] <20220515012731.1529-1-hdanton@sina.com>
2022-05-15 7:23 ` syzbot
[not found] <20220514233453.1426-1-hdanton@sina.com>
2022-05-15 0:22 ` syzbot
[not found] <20220514132858.1322-1-hdanton@sina.com>
2022-05-14 13:40 ` syzbot
[not found] <20220514114718.1254-1-hdanton@sina.com>
2022-05-14 11:59 ` syzbot
[not found] <20220514084129.1104-1-hdanton@sina.com>
2022-05-14 9:20 ` syzbot
[not found] <20220514073117.965-1-hdanton@sina.com>
2022-05-14 7:42 ` syzbot
[not found] <20220514062752.900-1-hdanton@sina.com>
2022-05-14 6:38 ` syzbot
[not found] <20220514005032.346-1-hdanton@sina.com>
2022-05-14 1:30 ` syzbot
[not found] <20220513144536.279-1-hdanton@sina.com>
2022-05-13 15:14 ` syzbot
[not found] <20220513134852.6446-1-hdanton@sina.com>
2022-05-13 14:12 ` syzbot
[not found] <20220513123641.6379-1-hdanton@sina.com>
2022-05-13 12:48 ` syzbot
[not found] <20220512133426.6300-1-hdanton@sina.com>
2022-05-12 14:05 ` syzbot
[not found] <20220512120234.6088-1-hdanton@sina.com>
2022-05-12 12:20 ` syzbot
[not found] <20220511135117.5993-1-hdanton@sina.com>
2022-05-11 14:03 ` syzbot
2021-11-15 22:27 syzbot
2022-05-11 5:34 ` syzbot