syzbot


INFO: task hung in chown_common

Status: upstream: reported on 2024/05/13 18:57
Reported-by: syzbot+47e9fc1de18afc4a360d@syzkaller.appspotmail.com
First crash: 32d, last: 32d
Similar bugs (11)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.19 INFO: task hung in chown_common (2) 1 527d 527d 0/1 upstream: reported on 2023/01/05 10:16
upstream INFO: task hung in chown_common (3) fuse 11 1211d 1262d 0/27 auto-closed as invalid on 2021/05/20 23:06
upstream INFO: task hung in chown_common fs 35 2059d 2166d 0/27 closed as invalid on 2018/12/31 08:00
android-414 INFO: task hung in chown_common 1 1871d 1871d 0/1 auto-closed as invalid on 2019/10/25 08:39
upstream INFO: task hung in chown_common (5) fuse 1 567d 567d 0/27 auto-obsoleted due to no activity on 2023/04/09 00:18
android-49 INFO: task hung in chown_common 10 2120d 2167d 0/3 auto-closed as invalid on 2019/02/22 14:39
upstream INFO: task hung in chown_common (2) fs 1 1511d 1511d 0/27 auto-closed as invalid on 2020/07/25 16:03
upstream INFO: task hung in chown_common (4) v9fs C error inconclusive 7 704d 831d 0/27 closed as invalid on 2022/10/12 18:37
linux-5.15 INFO: task hung in chown_common 5 32d 34d 0/3 upstream: reported on 2024/05/12 00:39
linux-4.19 INFO: task hung in chown_common 2 931d 969d 0/1 auto-closed as invalid on 2022/03/26 21:13
upstream INFO: task can't die in iget5_locked fuse 7 1207d 1231d 20/27 fixed on 2021/04/09 19:46

Sample crash report:
INFO: task syz-executor.1:6637 blocked for more than 143 seconds.
      Not tainted 6.1.90-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.1  state:D stack:28752 pid:6637  ppid:4042   flags:0x00004006
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5245 [inline]
 __schedule+0x142d/0x4550 kernel/sched/core.c:6558
 schedule+0xbf/0x180 kernel/sched/core.c:6634
 rwsem_down_write_slowpath+0xea1/0x14b0 kernel/locking/rwsem.c:1189
 inode_lock include/linux/fs.h:758 [inline]
 chown_common+0x3e5/0x900 fs/open.c:726
 do_fchownat+0x169/0x240 fs/open.c:767
 __do_sys_chown fs/open.c:787 [inline]
 __se_sys_chown fs/open.c:785 [inline]
 __x64_sys_chown+0x7e/0x90 fs/open.c:785
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7fe4e727dd69
RSP: 002b:00007fe4e7f080c8 EFLAGS: 00000246 ORIG_RAX: 000000000000005c
RAX: ffffffffffffffda RBX: 00007fe4e73ac050 RCX: 00007fe4e727dd69
RDX: 0000000000000000 RSI: 000000000000ee00 RDI: 00000000200000c0
RBP: 00007fe4e72ca49e R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000006e R14: 00007fe4e73ac050 R15: 00007ffc089c1c98
 </TASK>

Showing all locks held in the system:
1 lock held by rcu_tasks_kthre/12:
 #0: ffffffff8d12ae50 (rcu_tasks.tasks_gp_mutex){+.+.}-{3:3}, at: rcu_tasks_one_gp+0x29/0xe30 kernel/rcu/tasks.h:516
1 lock held by rcu_tasks_trace/13:
 #0: ffffffff8d12b650 (rcu_tasks_trace.tasks_gp_mutex){+.+.}-{3:3}, at: rcu_tasks_one_gp+0x29/0xe30 kernel/rcu/tasks.h:516
3 locks held by kworker/1:0/22:
 #0: 
ffff888012470938
 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x7a9/0x11d0 kernel/workqueue.c:2267
 #1: ffffc900001c7d20 ((work_completion)(&data->fib_event_work)){+.+.}-{0:0}, at: process_one_work+0x7a9/0x11d0 kernel/workqueue.c:2267
 #2: ffff8880215a7240 (&data->fib_lock){+.+.}-{3:3}, at: nsim_fib_event_work+0x2cd/0x4120 drivers/net/netdevsim/fib.c:1489
1 lock held by khungtaskd/28:
 #0: ffffffff8d12ac80 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:350 [inline]
 #0: ffffffff8d12ac80 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:791 [inline]
 #0: ffffffff8d12ac80 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x51/0x290 kernel/locking/lockdep.c:6494
3 locks held by kworker/u4:2/33:
2 locks held by getty/3304:
 #0: ffff888028625098 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x21/0x70 drivers/tty/tty_ldisc.c:244
 #1: ffffc900031262f0 (&ldata->atomic_read_lock){+.+.}-{3:3}, at: n_tty_read+0x6a7/0x1db0 drivers/tty/n_tty.c:2188
3 locks held by kworker/u4:5/3608:
4 locks held by kworker/u4:12/4728:
 #0: ffff888142eb6938 ((wq_completion)writeback){+.+.}-{0:0}, at: process_one_work+0x7a9/0x11d0 kernel/workqueue.c:2267
 #1: ffffc9000367fd20 ((work_completion)(&(&wb->dwork)->work)){+.+.}-{0:0}, at: process_one_work+0x7a9/0x11d0 kernel/workqueue.c:2267
 #2: ffff8880761f00e0 (&type->s_umount_key#76){++++}-{3:3}, at: trylock_super+0x1b/0xf0 fs/super.c:415
 #3: 
ffff888014aad140 (&sbi->gc_lock){+.+.}-{3:3}, at: f2fs_down_write fs/f2fs/f2fs.h:2176 [inline]
ffff888014aad140 (&sbi->gc_lock){+.+.}-{3:3}, at: f2fs_balance_fs+0x4fb/0x6c0 fs/f2fs/segment.c:428
2 locks held by kworker/1:8/4906:
 #0: ffff888012472138 ((wq_completion)rcu_gp){+.+.}-{0:0}, at: process_one_work+0x7a9/0x11d0 kernel/workqueue.c:2267
 #1: ffffc900047f7d20 ((work_completion)(&rew->rew_work)){+.+.}-{0:0}, at: process_one_work+0x7a9/0x11d0 kernel/workqueue.c:2267
2 locks held by kworker/1:18/5269:
3 locks held by kworker/1:19/6189:
 #0: ffff888012470938 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x7a9/0x11d0 kernel/workqueue.c:2267
 #1: ffffc9000b6ffd20 (key_gc_work){+.+.}-{0:0}, at: process_one_work+0x7a9/0x11d0 kernel/workqueue.c:2267
 #2: ffffffff8d130278 (rcu_state.exp_mutex){+.+.}-{3:3}, at: exp_funnel_lock kernel/rcu/tree_exp.h:323 [inline]
 #2: ffffffff8d130278 (rcu_state.exp_mutex){+.+.}-{3:3}, at: synchronize_rcu_expedited+0x360/0x930 kernel/rcu/tree_exp.h:962
5 locks held by syz-executor.1/6601:
2 locks held by syz-executor.1/6637:
 #0: ffff8880761f0460 (sb_writers#21){.+.+}-{0:0}, at: mnt_want_write+0x3b/0x80 fs/namespace.c:393
 #1: ffff888055138150 (&sb->s_type->i_mutex_key#30){+.+.}-{3:3}, at: inode_lock include/linux/fs.h:758 [inline]
 #1: ffff888055138150 (&sb->s_type->i_mutex_key#30){+.+.}-{3:3}, at: chown_common+0x3e5/0x900 fs/open.c:726
1 lock held by syz-executor.1/7647:
 #0: ffff8880761f00e0 (&type->s_umount_key#76){++++}-{3:3}, at: user_get_super+0xd3/0x250 fs/super.c:876
3 locks held by syz-executor.0/8062:
1 lock held by syz-executor.3/8305:
 #0: ffffffff8d130140 (rcu_state.barrier_mutex){+.+.}-{3:3}, at: rcu_barrier+0x48/0x5f0 kernel/rcu/tree.c:4018
1 lock held by syz-executor.4/8319:
 #0: 
ffffffff8e29a9e8 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:74 [inline]
ffffffff8e29a9e8 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x7c1/0xff0 net/core/rtnetlink.c:6118
1 lock held by syz-executor.1/8330:

=============================================

NMI backtrace for cpu 0
CPU: 0 PID: 28 Comm: khungtaskd Not tainted 6.1.90-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
 nmi_cpu_backtrace+0x4e1/0x560 lib/nmi_backtrace.c:111
 nmi_trigger_cpumask_backtrace+0x1b0/0x3f0 lib/nmi_backtrace.c:62
 trigger_all_cpu_backtrace include/linux/nmi.h:148 [inline]
 check_hung_uninterruptible_tasks kernel/hung_task.c:220 [inline]
 watchdog+0xf88/0xfd0 kernel/hung_task.c:377
 kthread+0x28d/0x320 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
 </TASK>
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 8062 Comm: syz-executor.0 Not tainted 6.1.90-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
RIP: 0010:unwind_done arch/x86/include/asm/unwind.h:50 [inline]
RIP: 0010:arch_stack_walk+0x10d/0x140 arch/x86/kernel/stacktrace.c:24
Code: 32 48 8d 9d 70 ff ff ff 48 89 df e8 dd f9 08 00 48 85 c0 74 1e 4c 89 f7 48 89 c6 41 ff d5 84 c0 74 11 48 89 df e8 e3 fa 08 00 <83> bd 70 ff ff ff 00 75 d5 65 48 8b 04 25 28 00 00 00 48 3b 45 d0
RSP: 0018:ffffc900001dff20 EFLAGS: 00000286
RAX: 0000000000000301 RBX: ffffc900001dff20 RCX: 0000000000000302
RDX: dffffc0000000000 RSI: ffffc90004cb0000 RDI: 0000000000000001
RBP: ffffc900001dffb0 R08: ffffc90004cb6430 R09: ffffc900001dff70
R10: 0000000000000000 R11: dffffc0000000001 R12: ffff8880760d3b80
R13: ffffffff81784820 R14: ffffc900001e0000 R15: 0000000000000000
FS:  0000555556669480(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fa125b7c038 CR3: 000000004b6fa000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <NMI>
 </NMI>
 <IRQ>
 stack_trace_save+0x113/0x1c0 kernel/stacktrace.c:122
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4b/0x70 mm/kasan/common.c:52
 kasan_save_free_info+0x27/0x40 mm/kasan/generic.c:516
 ____kasan_slab_free+0xd6/0x120 mm/kasan/common.c:236
 kasan_slab_free include/linux/kasan.h:177 [inline]
 slab_free_hook mm/slub.c:1724 [inline]
 slab_free_freelist_hook mm/slub.c:1750 [inline]
 slab_free mm/slub.c:3661 [inline]
 kmem_cache_free+0x292/0x510 mm/slub.c:3683
 nsim_start_xmit+0x9a/0xc0 drivers/net/netdevsim/netdev.c:42
 __netdev_start_xmit include/linux/netdevice.h:4853 [inline]
 netdev_start_xmit include/linux/netdevice.h:4867 [inline]
 xmit_one net/core/dev.c:3627 [inline]
 dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3643
 __dev_queue_xmit+0x1bb1/0x3cf0 net/core/dev.c:4293
 neigh_output include/net/neighbour.h:544 [inline]
 ip6_finish_output2+0xee1/0x1530 net/ipv6/ip6_output.c:134
 __ip6_finish_output net/ipv6/ip6_output.c:201 [inline]
 ip6_finish_output+0x6a0/0xa80 net/ipv6/ip6_output.c:212
 dst_output include/net/dst.h:444 [inline]
 NF_HOOK include/linux/netfilter.h:302 [inline]
 ndisc_send_skb+0xbab/0x14e0 net/ipv6/ndisc.c:509
 addrconf_rs_timer+0x357/0x610 net/ipv6/addrconf.c:3962
 call_timer_fn+0x1ad/0x6b0 kernel/time/timer.c:1504
 expire_timers kernel/time/timer.c:1549 [inline]
 __run_timers+0x67c/0x890 kernel/time/timer.c:1820
 run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1833
 __do_softirq+0x2e9/0xa4c kernel/softirq.c:571
 invoke_softirq kernel/softirq.c:445 [inline]
 __irq_exit_rcu+0x155/0x240 kernel/softirq.c:650
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:662
 sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1106
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:653
RIP: 0010:console_trylock_spinning kernel/printk/printk.c:1948 [inline]
RIP: 0010:vprintk_emit+0x4fa/0x740 kernel/printk/printk.c:2302
Code: 21 e3 0f 85 ad 01 00 00 e8 33 97 1c 00 44 8b 24 24 4d 85 ff 75 07 e8 25 97 1c 00 eb 06 e8 1e 97 1c 00 fb 48 c7 c7 80 6e 00 8d <31> f6 ba 01 00 00 00 31 c9 41 b8 01 00 00 00 45 31 c9 41 56 e8 ad
RSP: 0018:ffffc90004cb6340 EFLAGS: 00000293
RAX: ffffffff816df632 RBX: 0000000000000000 RCX: ffff8880760d3b80
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff8d006e80
RBP: ffffc90004cb6430 R08: ffffffff816df60f R09: fffffbfff2093646
R10: 0000000000000000 R11: dffffc0000000001 R12: 0000000000000049
R13: dffffc0000000000 R14: ffffffff816df480 R15: 0000000000000200
 dev_vprintk_emit+0x2aa/0x323 drivers/base/core.c:4922
 dev_printk_emit+0xd9/0x118 drivers/base/core.c:4933
 __netdev_printk+0x335/0x410 net/core/dev.c:11257
 netdev_info+0x11e/0x165 net/core/dev.c:11312
 nsim_udp_tunnel_set_port+0x2a7/0x450 drivers/net/netdevsim/udp_tunnels.c:34
 udp_tunnel_nic_device_sync_by_port net/ipv4/udp_tunnel_nic.c:246 [inline]
 __udp_tunnel_nic_device_sync+0xa7e/0x13b0 net/ipv4/udp_tunnel_nic.c:289
 udp_tunnel_nic_device_sync net/ipv4/udp_tunnel_nic.c:312 [inline]
 __udp_tunnel_nic_add_port+0xc6f/0xf20 net/ipv4/udp_tunnel_nic.c:531
 udp_tunnel_nic_add_port include/net/udp_tunnel.h:333 [inline]
 udp_tunnel_notify_add_rx_port+0x300/0x4c0 net/ipv4/udp_tunnel_core.c:127
 geneve_socket_create drivers/net/geneve.c:618 [inline]
 geneve_sock_add+0x643/0xbc0 drivers/net/geneve.c:693
 geneve_open+0xdf/0x150 drivers/net/geneve.c:735
 __dev_open+0x377/0x510 net/core/dev.c:1457
 __dev_change_flags+0x1db/0x6e0 net/core/dev.c:8585
 dev_change_flags+0x87/0x190 net/core/dev.c:8656
 do_setlink+0xcf4/0x3e30 net/core/rtnetlink.c:2801
 __rtnl_newlink net/core/rtnetlink.c:3576 [inline]
 rtnl_newlink+0x172c/0x2050 net/core/rtnetlink.c:3623
 rtnetlink_rcv_msg+0x818/0xff0 net/core/rtnetlink.c:6121
 netlink_rcv_skb+0x1cd/0x410 net/netlink/af_netlink.c:2508
 netlink_unicast_kernel net/netlink/af_netlink.c:1326 [inline]
 netlink_unicast+0x7d8/0x970 net/netlink/af_netlink.c:1352
 netlink_sendmsg+0xa26/0xd60 net/netlink/af_netlink.c:1874
 sock_sendmsg_nosec net/socket.c:718 [inline]
 __sock_sendmsg net/socket.c:730 [inline]
 __sys_sendto+0x480/0x600 net/socket.c:2148
 __do_sys_sendto net/socket.c:2160 [inline]
 __se_sys_sendto net/socket.c:2156 [inline]
 __x64_sys_sendto+0xda/0xf0 net/socket.c:2156
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7fea86e7fa5c
Code: 1a 51 02 00 44 8b 4c 24 2c 4c 8b 44 24 20 89 c5 44 8b 54 24 28 48 8b 54 24 18 b8 2c 00 00 00 48 8b 74 24 10 8b 7c 24 08 0f 05 <48> 3d 00 f0 ff ff 77 34 89 ef 48 89 44 24 08 e8 60 51 02 00 48 8b
RSP: 002b:00007ffdf7ba5150 EFLAGS: 00000293 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007fea87ad4620 RCX: 00007fea86e7fa5c
RDX: 000000000000002c RSI: 00007fea87ad4670 RDI: 0000000000000003
RBP: 0000000000000000 R08: 00007ffdf7ba51a4 R09: 000000000000000c
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000003
R13: 0000000000000000 R14: 00007fea87ad4670 R15: 0000000000000000
 </TASK>

Crashes (2):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2024/05/14 06:20 linux-6.1.y 909ba1f1b414 fdb4c10c .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan INFO: task hung in chown_common
2024/05/13 18:56 linux-6.1.y 909ba1f1b414 9026e142 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan INFO: task hung in chown_common
* Struck through repros no longer work on HEAD.