linux-fsdevel.vger.kernel.org archive mirror
* INFO: task hung in lock_mount
@ 2018-04-30 17:46 syzbot
  2018-04-30 17:55 ` Dmitry Vyukov
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: syzbot @ 2018-04-30 17:46 UTC (permalink / raw)
  To: linux-fsdevel, linux-kernel, syzkaller-bugs, viro

Hello,

syzbot found the following crash on:

HEAD commit:    a27fc14219f2 Merge branch 'parisc-4.17-3' of git://git.kernel...
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?id=5953322812964864
kernel config:  https://syzkaller.appspot.com/x/.config?id=-5914490758943236750
dashboard link: https://syzkaller.appspot.com/bug?extid=221d75710bde87fa0e97
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+221d75710bde87fa0e97@syzkaller.appspotmail.com

__find_get_block_slow() failed. block=1, b_blocknr=8
b_state=0x00000029, b_size=512
device loop0 blocksize: 4096
__find_get_block_slow() failed. block=1, b_blocknr=8
b_state=0x00000029, b_size=512
INFO: task syz-executor0:20276 blocked for more than 120 seconds.
device loop0 blocksize: 4096
__find_get_block_slow() failed. block=1, b_blocknr=8
       Not tainted 4.17.0-rc1+ #6
b_state=0x00000029, b_size=512
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor0   D24704 20276  23010 0x00000004
device loop0 blocksize: 4096
Call Trace:
  context_switch kernel/sched/core.c:2848 [inline]
  __schedule+0x801/0x1e30 kernel/sched/core.c:3490
__find_get_block_slow() failed. block=1, b_blocknr=8
b_state=0x00000029, b_size=512
device loop0 blocksize: 4096
__find_get_block_slow() failed. block=1, b_blocknr=8
  schedule+0xef/0x430 kernel/sched/core.c:3549
b_state=0x00000029, b_size=512
device loop0 blocksize: 4096
__find_get_block_slow() failed. block=1, b_blocknr=8
b_state=0x00000029, b_size=512
device loop0 blocksize: 4096
__find_get_block_slow() failed. block=1, b_blocknr=8
  __rwsem_down_write_failed_common+0x919/0x15d0  
kernel/locking/rwsem-xadd.c:566
b_state=0x00000029, b_size=512
device loop0 blocksize: 4096
__find_get_block_slow() failed. block=1, b_blocknr=8
b_state=0x00000029, b_size=512
device loop0 blocksize: 4096
__find_get_block_slow() failed. block=1, b_blocknr=8
b_state=0x00000029, b_size=512
device loop0 blocksize: 4096
__find_get_block_slow() failed. block=1, b_blocknr=8
b_state=0x00000029, b_size=512
device loop0 blocksize: 4096
__find_get_block_slow() failed. block=1, b_blocknr=8
b_state=0x00000029, b_size=512
device loop0 blocksize: 4096
__find_get_block_slow() failed. block=1, b_blocknr=8
b_state=0x00000029, b_size=512
  rwsem_down_write_failed+0xe/0x10 kernel/locking/rwsem-xadd.c:595
device loop0 blocksize: 4096
  call_rwsem_down_write_failed+0x17/0x30 arch/x86/lib/rwsem.S:117
__find_get_block_slow() failed. block=1, b_blocknr=8
  __down_write arch/x86/include/asm/rwsem.h:142 [inline]
  down_write+0xa2/0x120 kernel/locking/rwsem.c:72
b_state=0x00000029, b_size=512
device loop0 blocksize: 4096
__find_get_block_slow() failed. block=1, b_blocknr=8
b_state=0x00000029, b_size=512
  inode_lock include/linux/fs.h:713 [inline]
  lock_mount+0x8c/0x2e0 fs/namespace.c:2087
device loop0 blocksize: 4096
  do_add_mount+0x27/0x370 fs/namespace.c:2464
__find_get_block_slow() failed. block=1, b_blocknr=8
  do_new_mount fs/namespace.c:2531 [inline]
  do_mount+0x18e6/0x3070 fs/namespace.c:2847
b_state=0x00000029, b_size=512
device loop0 blocksize: 4096
__find_get_block_slow() failed. block=1, b_blocknr=8
b_state=0x00000029, b_size=512
device loop0 blocksize: 4096
__find_get_block_slow() failed. block=1, b_blocknr=8
  ksys_mount+0x12d/0x140 fs/namespace.c:3063
  __do_sys_mount fs/namespace.c:3077 [inline]
  __se_sys_mount fs/namespace.c:3074 [inline]
  __x64_sys_mount+0xbe/0x150 fs/namespace.c:3074
b_state=0x00000029, b_size=512
  do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
device loop0 blocksize: 4096
__find_get_block_slow() failed. block=1, b_blocknr=8
b_state=0x00000029, b_size=512
  entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x455329
device loop0 blocksize: 4096
RSP: 002b:00007f68cf133c68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007f68cf1346d4 RCX: 0000000000455329
__find_get_block_slow() failed. block=1, b_blocknr=8
RDX: 0000000020000240 RSI: 0000000020000080 RDI: 0000000020000280
RBP: 000000000072bf58 R08: 0000000020000040 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
b_state=0x00000029, b_size=512
R13: 00000000000003fb R14: 00000000006f9028 R15: 0000000000000001

Showing all locks held in the system:
device loop0 blocksize: 4096
2 locks held by khungtaskd/888:
__find_get_block_slow() failed. block=1, b_blocknr=8
  #0: 00000000a9a44477 (
b_state=0x00000029, b_size=512
rcu_read_lock){....}, at: check_hung_uninterruptible_tasks  
kernel/hung_task.c:175 [inline]
rcu_read_lock){....}, at: watchdog+0x1ff/0xf60 kernel/hung_task.c:249
device loop0 blocksize: 4096
  #1: 000000009ff2053f (tasklist_lock){.+.+}, at:  
debug_show_all_locks+0xde/0x34a kernel/locking/lockdep.c:4470
2 locks held by getty/4439:
__find_get_block_slow() failed. block=1, b_blocknr=8
  #0: 00000000c9b76b9a (&tty->ldisc_sem){++++}, at:  
ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
b_state=0x00000029, b_size=512
device loop0 blocksize: 4096
__find_get_block_slow() failed. block=1, b_blocknr=8
  #1:
b_state=0x00000029, b_size=512
000000000e5cb710 (&ldata->atomic_read_lock){+.+.}
device loop0 blocksize: 4096
, at: n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131
2 locks held by getty/4440:
__find_get_block_slow() failed. block=1, b_blocknr=8
  #0: 000000005b768cd3 (&tty->ldisc_sem){++++}, at:  
ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
b_state=0x00000029, b_size=512
device loop0 blocksize: 4096
  #1: 00000000addaef00 (
__find_get_block_slow() failed. block=1, b_blocknr=8
&ldata->atomic_read_lock){+.+.}, at: n_tty_read+0x321/0x1cc0  
drivers/tty/n_tty.c:2131
2 locks held by getty/4441:
  #0: 000000000c8a520e (&tty->ldisc_sem){++++}, at:  
ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
  #1: 00000000be9918f7 (&ldata->atomic_read_lock){+.+.}, at:  
n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131
2 locks held by getty/4442:
  #0: 0000000029e321e8 (&tty->ldisc_sem){++++}, at:  
ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
  #1: 00000000c3a0104f (&ldata->atomic_read_lock
b_state=0x00000029, b_size=512
){+.+.}, at: n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131
2 locks held by getty/4443:
device loop0 blocksize: 4096
  #0: 00000000b12d6ffd (
__find_get_block_slow() failed. block=1, b_blocknr=8
&tty->ldisc_sem){++++}, at: ldsem_down_read+0x37/0x40  
drivers/tty/tty_ldsem.c:365
  #1:
b_state=0x00000029, b_size=512
00000000625407e7 (&ldata->atomic_read_lock){+.+.}, at:  
n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131
2 locks held by getty/4444:
device loop0 blocksize: 4096
  #0: 0000000019948f4c (&tty->ldisc_sem){++++}, at:  
ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
  #1:
__find_get_block_slow() failed. block=1, b_blocknr=8
00000000071c1ff8 (&ldata->atomic_read_lock){+.+.}, at:  
n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131
2 locks held by getty/4445:
b_state=0x00000029, b_size=512
  #0: 00000000fe9e0006 (&tty->ldisc_sem){++++}, at:  
ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
device loop0 blocksize: 4096
  #1: 00000000a738c9c9 (
__find_get_block_slow() failed. block=1, b_blocknr=8
&ldata->atomic_read_lock){+.+.}, at: n_tty_read+0x321/0x1cc0  
drivers/tty/n_tty.c:2131
1 lock held by syz-executor0/20276:
b_state=0x00000029, b_size=512
  #0: 00000000a1afb949 (&sb->s_type->i_mutex_key#16){++++}
device loop0 blocksize: 4096
, at: inode_lock include/linux/fs.h:713 [inline]
, at: lock_mount+0x8c/0x2e0 fs/namespace.c:2087
2 locks held by syz-executor0/20277:
__find_get_block_slow() failed. block=1, b_blocknr=8
  #0: 000000008134fa51 (sb_writers#14){.+.+}, at: sb_start_write  
include/linux/fs.h:1550 [inline]
  #0: 000000008134fa51 (sb_writers#14){.+.+}, at: mnt_want_write+0x3f/0xc0  
fs/namespace.c:386
  #1: 00000000a1afb949
b_state=0x00000029, b_size=512
device loop0 blocksize: 4096
  (&sb->s_type->i_mutex_key#16/1
__find_get_block_slow() failed. block=1, b_blocknr=8
){+.+.}, at: inode_lock_nested include/linux/fs.h:748 [inline]
){+.+.}, at: filename_create+0x1aa/0x5a0 fs/namei.c:3606
1 lock held by syz-executor0/20279:
  #0:
b_state=0x00000029, b_size=512
00000000a1afb949 (&sb->s_type->i_mutex_key#16){++++}, at: inode_lock  
include/linux/fs.h:713 [inline]
00000000a1afb949 (&sb->s_type->i_mutex_key#16){++++}, at:  
lock_mount+0x8c/0x2e0 fs/namespace.c:2087

device loop0 blocksize: 4096
=============================================

NMI backtrace for cpu 0
CPU: 0 PID: 888 Comm: khungtaskd Not tainted 4.17.0-rc1+ #6
__find_get_block_slow() failed. block=1, b_blocknr=8
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0x1b9/0x294 lib/dump_stack.c:113
  nmi_cpu_backtrace.cold.4+0x19/0xce lib/nmi_backtrace.c:103
b_state=0x00000029, b_size=512
  nmi_trigger_cpumask_backtrace+0x151/0x192 lib/nmi_backtrace.c:62
  arch_trigger_cpumask_backtrace+0x14/0x20 arch/x86/kernel/apic/hw_nmi.c:38
  trigger_all_cpu_backtrace include/linux/nmi.h:138 [inline]
  check_hung_task kernel/hung_task.c:132 [inline]
  check_hung_uninterruptible_tasks kernel/hung_task.c:190 [inline]
  watchdog+0xc10/0xf60 kernel/hung_task.c:249
device loop0 blocksize: 4096
__find_get_block_slow() failed. block=1, b_blocknr=8
  kthread+0x345/0x410 kernel/kthread.c:238
  ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412
Sending NMI from CPU 0 to CPUs 1:
b_state=0x00000029, b_size=512
NMI backtrace for cpu 1
CPU: 1 PID: 20216 Comm: syz-executor0 Not tainted 4.17.0-rc1+ #6
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011
RIP: 0010:__sanitizer_cov_trace_const_cmp4+0x1/0x20 kernel/kcov.c:187
RSP: 0018:ffff8801db107d88 EFLAGS: 00000006
RAX: ffff8801d11bc6c0 RBX: ffff8801db11f0c0 RCX: ffffffff816b3515
RDX: 0000000000010000 RSI: 0000000000000003 RDI: 0000000000000003
RBP: ffff8801db107dc0 R08: ffff8801d11bc6c0 R09: ffffed003b624b80
R10: ffffed003b624b80 R11: ffff8801db125c03 R12: 000000ac0c601b80
R13: 0000000000000000 R14: 0000000000000003 R15: ffff8801db125c00
FS:  00007f68cf155700(0000) GS:ffff8801db100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffff600400 CR3: 00000001d8a72000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
  <IRQ>
  tick_program_event+0xab/0x130 kernel/time/tick-oneshot.c:48
  hrtimer_interrupt+0x2db/0x650 kernel/time/hrtimer.c:1519
  local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1025 [inline]
  smp_apic_timer_interrupt+0x15d/0x710 arch/x86/kernel/apic/apic.c:1050
  apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:863
  </IRQ>
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:783  
[inline]
RIP: 0010:console_trylock_spinning kernel/printk/printk.c:1678 [inline]
RIP: 0010:vprintk_emit+0xbd0/0xdd0 kernel/printk/printk.c:1906
RSP: 0018:ffff88018a2df000 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
RAX: 0000000000040000 RBX: 0000000000000200 RCX: ffffc90003ac6000
RDX: 0000000000040000 RSI: ffffffff8160bbb7 RDI: 0000000000000246
RBP: ffff88018a2df190 R08: ffff8801d11bcef8 R09: 0000000000000006
R10: ffff8801d11bc6c0 R11: 0000000000000000 R12: 1ffffffff116312d
R13: 000000000000001e R14: ffffed003145be1d R15: ffffffff8a49a360
  vprintk_default+0x28/0x30 kernel/printk/printk.c:1947
  vprintk_func+0x7a/0xe7 kernel/printk/printk_safe.c:379
  printk+0x9e/0xba kernel/printk/printk.c:1980
  __find_get_block_slow fs/buffer.c:235 [inline]
  __find_get_block.cold.58+0x85/0x103 fs/buffer.c:1287
  __getblk_slow fs/buffer.c:1032 [inline]
  __getblk_gfp+0x2a1/0xaf0 fs/buffer.c:1313
  __bread_gfp+0x2d/0x310 fs/buffer.c:1347
  sb_bread include/linux/buffer_head.h:309 [inline]
  fat__get_entry+0x594/0xa20 fs/fat/dir.c:101
  fat_get_entry fs/fat/dir.c:129 [inline]
  fat_search_long+0x33b/0x15d0 fs/fat/dir.c:477
  vfat_find+0x16d/0x1a0 fs/fat/namei_vfat.c:697
  vfat_lookup+0xfc/0x6d0 fs/fat/namei_vfat.c:720
  __lookup_hash+0x12e/0x190 fs/namei.c:1505
  filename_create+0x1dd/0x5a0 fs/namei.c:3607
  user_path_create fs/namei.c:3664 [inline]
  do_mkdirat+0xd2/0x2f0 fs/namei.c:3802
  __do_sys_mkdir fs/namei.c:3826 [inline]
  __se_sys_mkdir fs/namei.c:3824 [inline]
  __x64_sys_mkdir+0x5c/0x80 fs/namei.c:3824
  do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
  entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x455329
RSP: 002b:00007f68cf154c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000053
RAX: ffffffffffffffda RBX: 00007f68cf1556d4 RCX: 0000000000455329
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000080
RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000003eb R14: 00000000006f8ea8 R15: 0000000000000000
Code: a6 fe ff ff 5d c3 0f 1f 40 00 55 0f b7 d6 0f b7 f7 bf 03 00 00 00 48  
89 e5 48 8b 4d 08 e8 88 fe ff ff 5d c3 66 0f 1f 44 00 00 55 <89> f2 89 fe  
bf 05 00 00 00 48 89 e5 48 8b 4d 08 e8 6a fe ff ff
INFO: NMI handler (nmi_cpu_backtrace_handler) took too long to run: 1.012 msecs


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is merged
into any tree, please reply to this email with:
#syz fix: exact-commit-title
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug report.
Note: all commands must start from beginning of the line in the email body.


* Re: INFO: task hung in lock_mount
  2018-04-30 17:46 INFO: task hung in lock_mount syzbot
@ 2018-04-30 17:55 ` Dmitry Vyukov
  2018-05-23 19:13 ` syzbot
  2023-04-30  6:32 ` Theodore Ts'o
  2 siblings, 0 replies; 6+ messages in thread
From: Dmitry Vyukov @ 2018-04-30 17:55 UTC (permalink / raw)
  To: syzbot; +Cc: linux-fsdevel, LKML, syzkaller-bugs, Al Viro

On Mon, Apr 30, 2018 at 7:46 PM, syzbot
<syzbot+221d75710bde87fa0e97@syzkaller.appspotmail.com> wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:    a27fc14219f2 Merge branch 'parisc-4.17-3' of
> git://git.kernel...
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?id=5953322812964864
> kernel config:
> https://syzkaller.appspot.com/x/.config?id=-5914490758943236750
> dashboard link: https://syzkaller.appspot.com/bug?extid=221d75710bde87fa0e97
> compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
>
> Unfortunately, I don't have any reproducer for this crash yet.
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+221d75710bde87fa0e97@syzkaller.appspotmail.com


It seems this thread is in an infinite loop printing:

[  643.736460] b_state=0x00000029, b_size=512
[  643.740722] device loop0 blocksize: 4096
[  643.744857] __find_get_block_slow() failed. block=1, b_blocknr=8
[  643.751020] b_state=0x00000029, b_size=512
[  643.755271] device loop0 blocksize: 4096
[  643.759349] __find_get_block_slow() failed. block=1, b_blocknr=8
[  643.765540] b_state=0x00000029, b_size=512
...





* Re: INFO: task hung in lock_mount
  2018-04-30 17:46 INFO: task hung in lock_mount syzbot
  2018-04-30 17:55 ` Dmitry Vyukov
@ 2018-05-23 19:13 ` syzbot
  2023-04-30  6:32 ` Theodore Ts'o
  2 siblings, 0 replies; 6+ messages in thread
From: syzbot @ 2018-05-23 19:13 UTC (permalink / raw)
  To: dvyukov, linux-fsdevel, linux-kernel, syzkaller-bugs, viro

syzbot has found a reproducer for the following crash on:

HEAD commit:    a048a07d7f45 powerpc/64s: Add support for a store forwardi..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1084cc27800000
kernel config:  https://syzkaller.appspot.com/x/.config?x=982e2df1b9e60b02
dashboard link: https://syzkaller.appspot.com/bug?extid=221d75710bde87fa0e97
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=13992a0f800000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=131a727b800000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+221d75710bde87fa0e97@syzkaller.appspotmail.com

INFO: task syz-executor694:4903 blocked for more than 120 seconds.
       Not tainted 4.17.0-rc6+ #63
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor694 D24936  4903   4506 0x00000004
Call Trace:
  context_switch kernel/sched/core.c:2859 [inline]
  __schedule+0x801/0x1e30 kernel/sched/core.c:3501
  schedule+0xef/0x430 kernel/sched/core.c:3545
  __rwsem_down_write_failed_common+0x919/0x15d0  
kernel/locking/rwsem-xadd.c:565
  rwsem_down_write_failed+0xe/0x10 kernel/locking/rwsem-xadd.c:594
  call_rwsem_down_write_failed+0x17/0x30 arch/x86/lib/rwsem.S:117
  __down_write arch/x86/include/asm/rwsem.h:142 [inline]
  down_write+0xa2/0x120 kernel/locking/rwsem.c:72
  namespace_lock fs/namespace.c:1431 [inline]
  lock_mount+0xdc/0x2e0 fs/namespace.c:2093
  do_loopback fs/namespace.c:2221 [inline]
  do_mount+0xebc/0x3070 fs/namespace.c:2842
  ksys_mount+0x12d/0x140 fs/namespace.c:3064
  __do_sys_mount fs/namespace.c:3078 [inline]
  __se_sys_mount fs/namespace.c:3075 [inline]
  __x64_sys_mount+0xbe/0x150 fs/namespace.c:3075
  do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
  entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x447099
RSP: 002b:00007f0d700b4da8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00000000006ddcb4 RCX: 0000000000447099
RDX: 0000000020000140 RSI: 00000000200000c0 RDI: 0000000020000000
RBP: 00000000006ddcb0 R08: 0000000020000200 R09: 0000000000000000
R10: 0000000000003080 R11: 0000000000000246 R12: 0030656c69662f2e
R13: 6f7365725f736e64 R14: 70756f7267632f2e R15: 0000000000000007

Showing all locks held in the system:
2 locks held by khungtaskd/892:
  #0:         (ptrval) (rcu_read_lock){....}, at: check_hung_uninterruptible_tasks kernel/hung_task.c:175 [inline]
  #0:         (ptrval) (rcu_read_lock){....}, at: watchdog+0x1ff/0xf60 kernel/hung_task.c:249
  #1:         (ptrval) (tasklist_lock){.+.+}, at: debug_show_all_locks+0xde/0x34a kernel/locking/lockdep.c:4470
1 lock held by rsyslogd/4380:
  #0:         (ptrval) (&f->f_pos_lock){+.+.}, at: __fdget_pos+0x1a9/0x1e0 fs/file.c:766
2 locks held by getty/4470:
  #0:         (ptrval) (&tty->ldisc_sem){++++}, at: ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
  #1:         (ptrval) (&ldata->atomic_read_lock){+.+.}, at: n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131
2 locks held by getty/4471:
  #0:         (ptrval) (&tty->ldisc_sem){++++}, at: ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
  #1:         (ptrval) (&ldata->atomic_read_lock){+.+.}, at: n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131
2 locks held by getty/4472:
  #0:         (ptrval) (&tty->ldisc_sem){++++}, at: ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
  #1:         (ptrval) (&ldata->atomic_read_lock){+.+.}, at: n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131
2 locks held by getty/4473:
  #0:         (ptrval) (&tty->ldisc_sem){++++}, at: ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
  #1:         (ptrval) (&ldata->atomic_read_lock){+.+.}, at: n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131
2 locks held by getty/4474:
  #0:         (ptrval) (&tty->ldisc_sem){++++}, at: ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
  #1:         (ptrval) (&ldata->atomic_read_lock){+.+.}, at: n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131
2 locks held by getty/4475:
  #0:         (ptrval) (&tty->ldisc_sem){++++}, at: ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
  #1:         (ptrval) (&ldata->atomic_read_lock){+.+.}, at: n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131
2 locks held by getty/4476:
  #0:         (ptrval) (&tty->ldisc_sem){++++}, at: ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365
  #1:         (ptrval) (&ldata->atomic_read_lock){+.+.}, at: n_tty_read+0x321/0x1cc0 drivers/tty/n_tty.c:2131
2 locks held by syz-executor694/4903:
  #0:         (ptrval) (&sb->s_type->i_mutex_key#15){++++}, at: inode_lock include/linux/fs.h:713 [inline]
  #0:         (ptrval) (&sb->s_type->i_mutex_key#15){++++}, at: lock_mount+0x8c/0x2e0 fs/namespace.c:2088
  #1:         (ptrval) (namespace_sem){++++}, at: namespace_lock fs/namespace.c:1431 [inline]
  #1:         (ptrval) (namespace_sem){++++}, at: lock_mount+0xdc/0x2e0 fs/namespace.c:2093
2 locks held by syz-executor694/4901:
  #0:         (ptrval) (&sb->s_type->i_mutex_key#15){++++}, at: inode_lock include/linux/fs.h:713 [inline]
  #0:         (ptrval) (&sb->s_type->i_mutex_key#15){++++}, at: lock_mount+0x8c/0x2e0 fs/namespace.c:2088
  #1:         (ptrval) (namespace_sem){++++}, at: namespace_lock fs/namespace.c:1431 [inline]
  #1:         (ptrval) (namespace_sem){++++}, at: lock_mount+0xdc/0x2e0 fs/namespace.c:2093
2 locks held by syz-executor694/4905:
  #0:         (ptrval) (&sb->s_type->i_mutex_key#15){++++}, at: inode_lock include/linux/fs.h:713 [inline]
  #0:         (ptrval) (&sb->s_type->i_mutex_key#15){++++}, at: lock_mount+0x8c/0x2e0 fs/namespace.c:2088
  #1:         (ptrval) (namespace_sem){++++}, at: namespace_lock fs/namespace.c:1431 [inline]
  #1:         (ptrval) (namespace_sem){++++}, at: lock_mount+0xdc/0x2e0 fs/namespace.c:2093
2 locks held by syz-executor694/4911:
  #0:         (ptrval) (&sb->s_type->i_mutex_key#15){++++}, at: inode_lock include/linux/fs.h:713 [inline]
  #0:         (ptrval) (&sb->s_type->i_mutex_key#15){++++}, at: lock_mount+0x8c/0x2e0 fs/namespace.c:2088
  #1:         (ptrval) (namespace_sem){++++}, at: namespace_lock fs/namespace.c:1431 [inline]
  #1:         (ptrval) (namespace_sem){++++}, at: lock_mount+0xdc/0x2e0 fs/namespace.c:2093
2 locks held by syz-executor694/4913:
  #0:         (ptrval) (&sb->s_type->i_mutex_key#15){++++}, at: inode_lock include/linux/fs.h:713 [inline]
  #0:         (ptrval) (&sb->s_type->i_mutex_key#15){++++}, at: lock_mount+0x8c/0x2e0 fs/namespace.c:2088
  #1:         (ptrval) (namespace_sem){++++}, at: namespace_lock fs/namespace.c:1431 [inline]
  #1:         (ptrval) (namespace_sem){++++}, at: lock_mount+0xdc/0x2e0 fs/namespace.c:2093
2 locks held by syz-executor694/4919:
  #0:         (ptrval) (&sb->s_type->i_mutex_key#15){++++}, at: inode_lock include/linux/fs.h:713 [inline]
  #0:         (ptrval) (&sb->s_type->i_mutex_key#15){++++}, at: lock_mount+0x8c/0x2e0 fs/namespace.c:2088
  #1:         (ptrval) (namespace_sem){++++}, at: namespace_lock fs/namespace.c:1431 [inline]
  #1:         (ptrval) (namespace_sem){++++}, at: lock_mount+0xdc/0x2e0 fs/namespace.c:2093
2 locks held by syz-executor694/4921:
  #0:         (ptrval) (&sb->s_type->i_mutex_key#15){++++}, at: inode_lock include/linux/fs.h:713 [inline]
  #0:         (ptrval) (&sb->s_type->i_mutex_key#15){++++}, at: lock_mount+0x8c/0x2e0 fs/namespace.c:2088
  #1:         (ptrval) (namespace_sem){++++}, at: namespace_lock fs/namespace.c:1431 [inline]
  #1:         (ptrval) (namespace_sem){++++}, at: lock_mount+0xdc/0x2e0 fs/namespace.c:2093
2 locks held by syz-executor694/4928:
  #0:         (ptrval) (&sb->s_type->i_mutex_key#15){++++}, at: inode_lock include/linux/fs.h:713 [inline]
  #0:         (ptrval) (&sb->s_type->i_mutex_key#15){++++}, at: lock_mount+0x8c/0x2e0 fs/namespace.c:2088
  #1:         (ptrval) (namespace_sem){++++}, at: namespace_lock fs/namespace.c:1431 [inline]
  #1:         (ptrval) (namespace_sem){++++}, at: lock_mount+0xdc/0x2e0 fs/namespace.c:2093
2 locks held by syz-executor694/4935:
  #0:         (ptrval) (&sb->s_type->i_mutex_key#15){++++}, at: inode_lock include/linux/fs.h:713 [inline]
  #0:         (ptrval) (&sb->s_type->i_mutex_key#15){++++}, at: lock_mount+0x8c/0x2e0 fs/namespace.c:2088
  #1:         (ptrval) (namespace_sem){++++}, at: namespace_lock fs/namespace.c:1431 [inline]
  #1:         (ptrval) (namespace_sem){++++}, at: lock_mount+0xdc/0x2e0 fs/namespace.c:2093
2 locks held by syz-executor694/4937:
  #0:         (ptrval) (&sb->s_type->i_mutex_key#15){++++}, at: inode_lock include/linux/fs.h:713 [inline]
  #0:         (ptrval) (&sb->s_type->i_mutex_key#15){++++}, at: lock_mount+0x8c/0x2e0 fs/namespace.c:2088
  #1:         (ptrval) (namespace_sem){++++}, at: namespace_lock fs/namespace.c:1431 [inline]
  #1:         (ptrval) (namespace_sem){++++}, at: lock_mount+0xdc/0x2e0 fs/namespace.c:2093
2 locks held by syz-executor694/4939:
  #0:         (ptrval) (&sb->s_type->i_mutex_key#15){++++}, at: inode_lock include/linux/fs.h:713 [inline]
  #0:         (ptrval) (&sb->s_type->i_mutex_key#15){++++}, at: lock_mount+0x8c/0x2e0 fs/namespace.c:2088
  #1:         (ptrval) (namespace_sem){++++}, at: namespace_lock fs/namespace.c:1431 [inline]
  #1:         (ptrval) (namespace_sem){++++}, at: lock_mount+0xdc/0x2e0 fs/namespace.c:2093
2 locks held by syz-executor694/4941:
  #0:         (ptrval) (&sb->s_type->i_mutex_key#15){++++}, at: inode_lock include/linux/fs.h:713 [inline]
  #0:         (ptrval) (&sb->s_type->i_mutex_key#15){++++}, at: lock_mount+0x8c/0x2e0 fs/namespace.c:2088
  #1:         (ptrval) (namespace_sem){++++}, at: namespace_lock fs/namespace.c:1431 [inline]
  #1:         (ptrval) (namespace_sem){++++}, at: lock_mount+0xdc/0x2e0 fs/namespace.c:2093
1 lock held by syz-executor694/4943:
  #0:         (ptrval) (&sb->s_type->i_mutex_key#15){++++}, at: inode_lock_shared include/linux/fs.h:723 [inline]
  #0:         (ptrval) (&sb->s_type->i_mutex_key#15){++++}, at: lookup_slow+0x49/0x80 fs/namei.c:1646
2 locks held by syz-executor694/4944:
  #0:         (ptrval) (sb_writers#12){.+.+}, at: sb_start_write include/linux/fs.h:1550 [inline]
  #0:         (ptrval) (sb_writers#12){.+.+}, at: mnt_want_write+0x3f/0xc0 fs/namespace.c:386
  #1:         (ptrval) (&sb->s_type->i_mutex_key#15/1){+.+.}, at: inode_lock_nested include/linux/fs.h:748 [inline]
  #1:         (ptrval) (&sb->s_type->i_mutex_key#15/1){+.+.}, at: filename_create+0x1aa/0x5a0 fs/namei.c:3606
1 lock held by syz-executor694/4945:
  #0:         (ptrval) (&sb->s_type->i_mutex_key#15){++++}, at: inode_lock include/linux/fs.h:713 [inline]
  #0:         (ptrval) (&sb->s_type->i_mutex_key#15){++++}, at: lock_mount+0x8c/0x2e0 fs/namespace.c:2088
1 lock held by syz-executor694/4947:
  #0:         (ptrval) (&sb->s_type->i_mutex_key#15){++++}, at: inode_lock include/linux/fs.h:713 [inline]
  #0:         (ptrval) (&sb->s_type->i_mutex_key#15){++++}, at: lock_mount+0x8c/0x2e0 fs/namespace.c:2088

=============================================

NMI backtrace for cpu 0
CPU: 0 PID: 892 Comm: khungtaskd Not tainted 4.17.0-rc6+ #63
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0x1b9/0x294 lib/dump_stack.c:113
  nmi_cpu_backtrace.cold.4+0x19/0xce lib/nmi_backtrace.c:103
  nmi_trigger_cpumask_backtrace+0x151/0x192 lib/nmi_backtrace.c:62
  arch_trigger_cpumask_backtrace+0x14/0x20 arch/x86/kernel/apic/hw_nmi.c:38
  trigger_all_cpu_backtrace include/linux/nmi.h:138 [inline]
  check_hung_task kernel/hung_task.c:132 [inline]
  check_hung_uninterruptible_tasks kernel/hung_task.c:190 [inline]
  watchdog+0xc10/0xf60 kernel/hung_task.c:249
  kthread+0x345/0x410 kernel/kthread.c:240
  ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 4901 Comm: syz-executor694 Not tainted 4.17.0-rc6+ #63
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__lock_release kernel/locking/lockdep.c:3674 [inline]
RIP: 0010:lock_release+0x1f5/0xa10 kernel/locking/lockdep.c:3939
RSP: 0018:ffff8801afca7708 EFLAGS: 00000097
RAX: 0000000000000003 RBX: 1ffff10035f94ee6 RCX: ffffffff815e1551
RDX: 0000000000000004 RSI: 0000000000000001 RDI: 0000000000000001
RBP: ffff8801afca7838 R08: 0000000000000000 R09: ffffed00351966c8
R10: ffffed00351966c8 R11: ffff8801a8cb3643 R12: ffff8801afca7810
R13: ffff8801a8cb3658 R14: ffff8801a9a003c0 R15: ffff8801afca7750
FS:  00007f0d700f7700(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffff600400 CR3: 00000001d05cc000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
  __raw_spin_unlock include/linux/spinlock_api_smp.h:150 [inline]
  _raw_spin_unlock+0x1a/0x30 kernel/locking/spinlock.c:176
  spin_unlock include/linux/spinlock.h:350 [inline]
  lockref_get+0x42/0x50 lib/lockref.c:51
  dget include/linux/dcache.h:326 [inline]
  mnt_set_mountpoint+0xe7/0x360 fs/namespace.c:914
  propagate_one+0x5a7/0x910 fs/pnode.c:269
  propagate_mnt+0x18a/0x3e0 fs/pnode.c:315
  attach_recursive_mnt+0x5f8/0xb50 fs/namespace.c:2033
  graft_tree+0x1aa/0x240 fs/namespace.c:2133
  do_add_mount+0x1fe/0x370 fs/namespace.c:2491
  do_new_mount fs/namespace.c:2532 [inline]
  do_mount+0x18e6/0x3070 fs/namespace.c:2848
  ksys_mount+0x12d/0x140 fs/namespace.c:3064
  __do_sys_mount fs/namespace.c:3078 [inline]
  __se_sys_mount fs/namespace.c:3075 [inline]
  __x64_sys_mount+0xbe/0x150 fs/namespace.c:3075
  do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
  entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x447099
RSP: 002b:00007f0d700f6da8 EFLAGS: 00000293 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00000000006ddc84 RCX: 0000000000447099
RDX: 00000000200001c0 RSI: 0000000020026ff8 RDI: 000000002000a000
RBP: 00000000006ddc80 R08: 00000000200007c0 R09: 0000000000000000
R10: 0000000000000080 R11: 0000000000000293 R12: 0030656c69662f2e
R13: 6f7365725f736e64 R14: 70756f7267632f2e R15: 0000000000000007
Code: c1 ea 03 0f b6 14 02 48 89 f8 83 e0 07 83 c0 03 65 4c 8b 34 25 40 ee 01 00 38 d0 7c 08 84 d2 0f 85 67 06 00 00 8b 3d fb bd ac 07 <85> ff 0f 84 41 02 00 00 49 8d 86 30 08 00 00 48 89 c2 48 89 85


* Re: INFO: task hung in lock_mount
  2018-04-30 17:46 INFO: task hung in lock_mount syzbot
  2018-04-30 17:55 ` Dmitry Vyukov
  2018-05-23 19:13 ` syzbot
@ 2023-04-30  6:32 ` Theodore Ts'o
  2023-04-30  8:56   ` Ryusuke Konishi
  2 siblings, 1 reply; 6+ messages in thread
From: Theodore Ts'o @ 2023-04-30  6:32 UTC (permalink / raw)
  To: syzbot; +Cc: linux-fsdevel, linux-kernel, syzkaller-bugs, viro

#syz set subsystems: nilfs

Per the information in the dashboard:

	https://syzkaller.appspot.com/bug?extid=221d75710bde87fa0e97

There is no mention of ext4 anywhere, and nilfs does show up in the
stack trace.  So why this is marked with the labels "ext4", "nilfs" is
a mystery.

Fix it.



* Re: INFO: task hung in lock_mount
  2023-04-30  6:32 ` Theodore Ts'o
@ 2023-04-30  8:56   ` Ryusuke Konishi
  2023-04-30 19:30     ` [PATCH] nilfs2: fix infinite loop in nilfs_mdt_get_block() Ryusuke Konishi
  0 siblings, 1 reply; 6+ messages in thread
From: Ryusuke Konishi @ 2023-04-30  8:56 UTC (permalink / raw)
  To: Theodore Ts'o
  Cc: syzbot, linux-fsdevel, linux-kernel, syzkaller-bugs, viro

On Sun, Apr 30, 2023 at 3:59 PM Theodore Ts'o wrote:
>
> #syz set subsystems: nilfs
>
> Per the information in the dashboard:
>
>         https://syzkaller.appspot.com/bug?extid=221d75710bde87fa0e97
>
> There is no mention of ext4 anywhere, and nilfs does show up in the
> stack trace.  So why this is marked with the lables "ext4", "nilfs" is
> a mystery.
>
> Fix it.

I don't know why it got the ext4 tag.
As you say, it looks like an issue on the nilfs2 side.  I will
identify and fix it.

Regards,
Ryusuke Konishi


* [PATCH] nilfs2: fix infinite loop in nilfs_mdt_get_block()
  2023-04-30  8:56   ` Ryusuke Konishi
@ 2023-04-30 19:30     ` Ryusuke Konishi
  0 siblings, 0 replies; 6+ messages in thread
From: Ryusuke Konishi @ 2023-04-30 19:30 UTC (permalink / raw)
  To: Andrew Morton; +Cc: linux-nilfs, syzbot, syzkaller-bugs, LKML, linux-fsdevel

If the disk image that nilfs2 mounts is corrupted and a virtual block
address obtained by block lookup for a metadata file is invalid,
nilfs_bmap_lookup_at_level() may return the same internal return code
as -ENOENT, meaning the block does not exist in the metadata file.

This duplication of return codes confuses nilfs_mdt_get_block(), causing
it to read and create a metadata block indefinitely.

In particular, if this happens to the inode metadata file, ifile,
semaphore i_rwsem can be left held, causing task hangs in lock_mount.

Fix this issue by making nilfs_bmap_lookup_at_level() treat virtual
block address translation failures with -ENOENT as metadata corruption
instead of returning the error code.

Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Reported-by: syzbot+221d75710bde87fa0e97@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?extid=221d75710bde87fa0e97
Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Cc: stable@vger.kernel.org
---
 fs/nilfs2/bmap.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/fs/nilfs2/bmap.c b/fs/nilfs2/bmap.c
index 798a2c1b38c6..7a8f166f2c8d 100644
--- a/fs/nilfs2/bmap.c
+++ b/fs/nilfs2/bmap.c
@@ -67,20 +67,28 @@ int nilfs_bmap_lookup_at_level(struct nilfs_bmap *bmap, __u64 key, int level,
 
 	down_read(&bmap->b_sem);
 	ret = bmap->b_ops->bop_lookup(bmap, key, level, ptrp);
-	if (ret < 0) {
-		ret = nilfs_bmap_convert_error(bmap, __func__, ret);
+	if (ret < 0)
 		goto out;
-	}
+
 	if (NILFS_BMAP_USE_VBN(bmap)) {
 		ret = nilfs_dat_translate(nilfs_bmap_get_dat(bmap), *ptrp,
 					  &blocknr);
 		if (!ret)
 			*ptrp = blocknr;
+		else if (ret == -ENOENT) {
+			/*
+			 * If there was no valid entry in DAT for the block
+			 * address obtained by b_ops->bop_lookup, then pass
+			 * internal code -EINVAL to nilfs_bmap_convert_error
+			 * to treat it as metadata corruption.
+			 */
+			ret = -EINVAL;
+		}
 	}
 
  out:
 	up_read(&bmap->b_sem);
-	return ret;
+	return nilfs_bmap_convert_error(bmap, __func__, ret);
 }
 
 int nilfs_bmap_lookup_contig(struct nilfs_bmap *bmap, __u64 key, __u64 *ptrp,
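Review bot: with nilfs_bmap_convert_error() moved to the single `return` after `out:`, every exit of nilfs_bmap_lookup_at_level() now passes through it, including the success path and any non-ENOENT failure from nilfs_dat_translate(); that is only safe if nilfs_bmap_convert_error() hands 0 and codes other than -EINVAL back unchanged, which the hunk does not show, so either say so in the commit message or keep the call on the error paths only. Style: now that the `else if (ret == -ENOENT) {` arm has braces, the `if (!ret)` arm with `*ptrp = blocknr;` should get them too, since kernel coding style asks for braces on both branches when one needs them and checkpatch flags the mismatch. The mapping itself, treating a DAT miss for a key that bop_lookup did resolve as corruption rather than absence, is the right call.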
-- 
2.34.1
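The failure mode the commit message describes, reduced to a model that is added here and is not nilfs2's code: the tables, the two lookup functions, create_block() and the read-or-create loop are hypothetical stand-ins for the bmap, bop_lookup(), nilfs_dat_translate() and nilfs_mdt_get_block(); the on-disk state is constructed, and the assumption that the patch's internal -EINVAL reaches the caller as -EIO after nilfs_bmap_convert_error() is mine, not something the page shows. It contrasts the pre-fix lookup, which hands a DAT miss back as the same -ENOENT that means "no block here", with the post-fix lookup, and shows why the first keeps the create-on-miss loop spinning on a corrupted image while the second makes it fail cleanly.

```c
#include <errno.h>
#include <stdbool.h>

/*
 * Constructed state (not from the report). A bmap maps a metadata file's
 * block keys to virtual block numbers; a DAT maps virtual block numbers to
 * physical ones. 0 means "no entry". Key 3 points at virtual block 3, which
 * has no DAT entry: that is the corrupted image.
 */
#define NKEYS    8
#define NVBLOCKS 16
static unsigned long bmap_table[NKEYS]   = { 1, 2, 0, 3 };
static unsigned long dat_table[NVBLOCKS] = { 0, 100, 101, 0, 103 };
static unsigned long next_vblocknr = 5;   /* first free virtual block  */
static unsigned long next_blocknr = 200;  /* first free physical block */

/* Hypothetical stand-ins for bop_lookup() and nilfs_dat_translate(). */
static int bop_lookup(unsigned long key, unsigned long *vblocknr)
{
	if (key >= NKEYS || bmap_table[key] == 0)
		return -ENOENT;           /* key genuinely not mapped */
	*vblocknr = bmap_table[key];
	return 0;
}

static int dat_translate(unsigned long vblocknr, unsigned long *blocknr)
{
	if (vblocknr >= NVBLOCKS || dat_table[vblocknr] == 0)
		return -ENOENT;           /* no DAT entry for this vblock */
	*blocknr = dat_table[vblocknr];
	return 0;
}

/* Before: a DAT miss leaks out as -ENOENT, same code as an unmapped key. */
static int lookup_before(unsigned long key, unsigned long *blocknr)
{
	unsigned long vblocknr;
	int ret = bop_lookup(key, &vblocknr);
	if (ret < 0)
		return ret;
	return dat_translate(vblocknr, blocknr);
}

/* After: a DAT miss for a key bop_lookup did resolve is corruption. */
static int lookup_after(unsigned long key, unsigned long *blocknr)
{
	unsigned long vblocknr;
	int ret = bop_lookup(key, &vblocknr);
	if (ret < 0)
		return ret;
	ret = dat_translate(vblocknr, blocknr);
	if (ret == -ENOENT)
		ret = -EIO;  /* assumed: the patch's internal -EINVAL is reported as -EIO */
	return ret;
}

/* Allocate a block for an unmapped key; a mapped key is "already there". */
static int create_block(unsigned long key)
{
	if (key >= NKEYS || next_vblocknr >= NVBLOCKS)
		return -ENOSPC;
	if (bmap_table[key] != 0)
		return -EEXIST;
	dat_table[next_vblocknr] = next_blocknr++;
	bmap_table[key] = next_vblocknr++;
	return 0;
}

struct demo_result { int status; int retries; unsigned long blocknr; };
#define MAX_RETRIES 16

/*
 * Read-or-create loop in the shape the commit message describes: a read that
 * reports -ENOENT is followed by a create, and a create that reports -EEXIST
 * goes back to the read. With the aliased -ENOENT that never ends; the cap
 * exists only so this demo terminates.
 */
struct demo_result get_block(bool fixed, unsigned long key)
{
	int (*lookup)(unsigned long, unsigned long *) =
		fixed ? lookup_after : lookup_before;
	struct demo_result r = { 0, 0, 0 };

	for (;;) {
		r.status = lookup(key, &r.blocknr);
		if (r.status != -ENOENT)
			return r;         /* found, or a hard error: stop here */
		r.status = create_block(key);
		if (r.status == 0)
			continue;         /* created: read it back on the next pass */
		if (r.status != -EEXIST)
			return r;
		if (++r.retries >= MAX_RETRIES) {
			r.status = -ELOOP;  /* demo guard; the real kernel just spins */
			return r;
		}
	}
}
```

get_block(false, 3) hits the cap with -ELOOP after MAX_RETRIES read/create rounds, get_block(true, 3) returns -EIO on the first read with no retries, and an honestly unmapped key such as 2 is created and read back by either variant. The lesson is the one the patch applies: a lookup layer must not reuse the "absent" code for "present but broken", because a caller that reacts to "absent" by creating will never make progress.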


