syzbot


INFO: task hung in __do_page_fault

Status: public: reported C repro on 2019/04/14 00:00
Reported-by: syzbot+5c31404f4d0b8919bb24@syzkaller.appspotmail.com
First crash: 2106d, last: 2106d
Similar bugs (6)

Kernel | Title | Repro | Cause bisect / Fix bisect | Count | Last | Reported | Patched | Status
linux-4.14 | INFO: task hung in __do_page_fault | C | error | 16 | 706d | 2043d | 0/1 | upstream: reported C repro on 2019/04/19 08:53
upstream | INFO: task hung in __do_page_fault (2) | C | done / error | 34 | 1933d | 2217d | 0/28 | closed as invalid on 2022/02/08 10:55
android-49 | INFO: task hung in __do_page_fault | C | | 5 | 1874d | 2048d | 0/3 | public: reported C repro on 2019/04/14 08:51
linux-4.19 | INFO: task hung in __do_page_fault gfs2 | C | error | 31 | 687d | 1993d | 0/1 | upstream: reported C repro on 2019/06/08 06:01
android-414 | INFO: task hung in __do_page_fault | C | | 7 | 1883d | 2050d | 0/1 | public: reported C repro on 2019/04/12 00:01
upstream | INFO: task hung in __do_page_fault fs | | | 1 | 2412d | 2411d | 5/28 | fixed on 2018/05/17 10:02

Sample crash report:
binder_alloc: binder_alloc_mmap_handler: 4433 20001000-20004000 already mapped failed -16
binder_alloc: binder_alloc_mmap_handler: 4435 20001000-20004000 already mapped failed -16
binder_alloc: binder_alloc_mmap_handler: 4436 20001000-20004000 already mapped failed -16
binder_alloc: binder_alloc_mmap_handler: 4445 20001000-20004000 already mapped failed -16
binder_alloc: binder_alloc_mmap_handler: 4444 20001000-20004000 already mapped failed -16
INFO: task syz-executor029:2188 blocked for more than 140 seconds.
      Not tainted 4.4.174+ #4
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor029 D ffff8800b5b6fd30 29904  2188   2186 0x00000004
 ffff8800b5b6fd30 0000000000000006 ffff8800b4df5f00 dffffc0000000000
 ffff8800b5b6fd18 ffffffff811fef00 ffff8801db61f180 ffff8801db61f1a8
 ffff8801db61e898 ffff8800ba84df00 ffff8800b4df5f00 ffffed0016b6d001
Call Trace:
 [<ffffffff82709b79>] schedule+0x99/0x1d0 kernel/sched/core.c:3355
 [<ffffffff82714a70>] rwsem_down_read_failed+0x220/0x380 kernel/locking/rwsem-xadd.c:250
 [<ffffffff81add6b4>] call_rwsem_down_read_failed+0x14/0x30 arch/x86/lib/rwsem.S:90
 [<ffffffff810aad4a>] __do_page_fault+0x58a/0x7f0 arch/x86/mm/fault.c:1189
 [<ffffffff810ab008>] do_page_fault+0x28/0x30 arch/x86/mm/fault.c:1306
 [<ffffffff82719e35>] page_fault+0x25/0x30 arch/x86/entry/entry_64.S:1064
1 lock held by syz-executor029/2188:
 #0:  (&mm->mmap_sem){++++++}, at: [<ffffffff810aad4a>] __do_page_fault+0x58a/0x7f0 arch/x86/mm/fault.c:1189
Sending NMI to all CPUs:
NMI backtrace for cpu 0
CPU: 0 PID: 20 Comm: khungtaskd Not tainted 4.4.174+ #4
task: ffff8801da6f4740 task.stack: ffff8800001d0000
RIP: 0010:[<ffffffff8109b617>]  [<ffffffff8109b617>] _flat_send_IPI_mask arch/x86/kernel/apic/apic_flat_64.c:62 [inline]
RIP: 0010:[<ffffffff8109b617>]  [<ffffffff8109b617>] flat_send_IPI_mask+0xf7/0x1b0 arch/x86/kernel/apic/apic_flat_64.c:69
RSP: 0018:ffff8800001d7c88  EFLAGS: 00000046
RAX: 0000000000000000 RBX: 0000000000000c00 RCX: 0000000000000000
RDX: 0000000000000c00 RSI: 0000000000000000 RDI: ffffffffff5fc300
RBP: ffff8800001d7cb8 R08: 0000000000000018 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000246
R13: 0000000003000000 R14: ffffffff82e5f2e0 R15: 0000000000000002
FS:  0000000000000000(0000) GS:ffff8801db600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffd9998ad60 CR3: 00000001d62a0000 CR4: 00000000001606b0
Stack:
 0000000000000001 ffffffff82e5f2e0 ffffffff831a6ac0 fffffbfff0634c34
 000000000001b6c0 0000000000000008 ffff8800001d7cd8 ffffffff81092bee
 0000000000000008 ffffffff82924260 ffff8800001d7d30 ffffffff81ab8252
Call Trace:
 [<ffffffff81092bee>] nmi_raise_cpu_backtrace+0x5e/0x80 arch/x86/kernel/apic/hw_nmi.c:33
 [<ffffffff81ab8252>] nmi_trigger_all_cpu_backtrace.cold+0xa1/0xae lib/nmi_backtrace.c:85
 [<ffffffff81092ca4>] arch_trigger_all_cpu_backtrace+0x14/0x20 arch/x86/kernel/apic/hw_nmi.c:38
 [<ffffffff813b4762>] trigger_all_cpu_backtrace include/linux/nmi.h:44 [inline]
 [<ffffffff813b4762>] check_hung_task kernel/hung_task.c:125 [inline]
 [<ffffffff813b4762>] check_hung_uninterruptible_tasks kernel/hung_task.c:182 [inline]
 [<ffffffff813b4762>] watchdog.cold+0xd3/0xee kernel/hung_task.c:238
 [<ffffffff811342c3>] kthread+0x273/0x310 kernel/kthread.c:211
 [<ffffffff82718fc5>] ret_from_fork+0x55/0x80 arch/x86/entry/entry_64.S:537
Code: 00 c3 5f ff 80 e6 10 75 e1 41 c1 e5 18 44 89 2c 25 10 c3 5f ff 44 89 fa 09 da 80 cf 04 41 83 ff 02 0f 44 d3 89 14 25 00 c3 5f ff <41> f7 c4 00 02 00 00 75 1e 4c 89 e7 57 9d 0f 1f 44 00 00 e8 f1 
NMI backtrace for cpu 1
CPU: 1 PID: 2199 Comm: syz-executor029 Not tainted 4.4.174+ #4
task: ffff8801d2b597c0 task.stack: ffff8801d2a88000
RIP: 0010:[<ffffffff81ad8e28>]  [<ffffffff81ad8e28>] delay_tsc+0x38/0xc0 arch/x86/lib/delay.c:67
RSP: 0018:ffff8801d2a8f7e0  EFLAGS: 00000002
RAX: 0000000000000002 RBX: 00000178d22b7739 RCX: 0000000000000000
RDX: 0000000000000004 RSI: ffffffff81b0abec RDI: 0000000000000001
RBP: ffff8801d2a8f800 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: ffffffff83fdf1c6 R12: 00000178d22b74c6
R13: 0000000000000001 R14: 00000000000008fd R15: fffffbfff092dca5
FS:  00007f629f14a700(0000) GS:ffff8801db700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f629f149db8 CR3: 00000000b4deb000 CR4: 00000000001606b0
Stack:
 ffffffff8496e4e0 000000000000270d 0000000000000020 fffffbfff092dce3
 ffff8801d2a8f810 ffffffff81ad8d30 ffff8801d2a8f820 ffffffff81ad8d6a
 ffff8801d2a8f870 ffffffff81cc45ff ffffed003a551f24 ffffffff8496e528
Call Trace:
 [<ffffffff81ad8d30>] __delay+0x10/0x20 arch/x86/lib/delay.c:160
 [<ffffffff81ad8d6a>] __const_udelay+0x2a/0x30 arch/x86/lib/delay.c:174
 [<ffffffff81cc45ff>] wait_for_xmitr+0x6f/0x1e0 drivers/tty/serial/8250/8250_port.c:1725
 [<ffffffff81cc4790>] serial8250_console_putchar+0x20/0x60 drivers/tty/serial/8250/8250_port.c:2806
 [<ffffffff81caf7c6>] uart_console_write+0x56/0xe0 drivers/tty/serial/serial_core.c:1789
 [<ffffffff81cce12b>] serial8250_console_write+0x2fb/0x870 drivers/tty/serial/8250/8250_port.c:2872
 [<ffffffff81cbd84f>] univ8250_console_write+0x5f/0x70 drivers/tty/serial/8250/8250_core.c:594
 [<ffffffff8121c8ff>] call_console_drivers.constprop.0+0x1ef/0x3f0 kernel/printk/printk.c:1468
 [<ffffffff8121fe02>] console_unlock kernel/printk/printk.c:2335 [inline]
 [<ffffffff8121fe02>] console_unlock+0x602/0xa10 kernel/printk/printk.c:2242
 [<ffffffff812205c2>] vprintk_emit+0x3b2/0x820 kernel/printk/printk.c:1837
 [<ffffffff81220a58>] vprintk+0x28/0x30 kernel/printk/printk.c:1848
 [<ffffffff813afd6f>] printk+0xc2/0xf5 kernel/printk/printk.c:1927
 [<ffffffff8214fb45>] binder_alloc_mmap_handler+0x655/0x820 drivers/android/binder_alloc.c:734
 [<ffffffff8212a528>] binder_mmap+0x1d8/0x2f0 drivers/android/binder.c:4966
 [<ffffffff8144893b>] mmap_region+0x87b/0x1090 mm/mmap.c:1696
 [<ffffffff81449634>] do_mmap+0x4e4/0xa20 mm/mmap.c:1473
 [<ffffffff81409daa>] do_mmap_pgoff include/linux/mm.h:1917 [inline]
 [<ffffffff81409daa>] vm_mmap_pgoff+0x16a/0x1c0 mm/util.c:296
 [<ffffffff81447b4a>] SYSC_mmap_pgoff mm/mmap.c:1523 [inline]
 [<ffffffff81447b4a>] SyS_mmap_pgoff+0xfa/0x1b0 mm/mmap.c:1481
 [<ffffffff81016bf6>] SYSC_mmap arch/x86/kernel/sys_x86_64.c:95 [inline]
 [<ffffffff81016bf6>] SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:86
 [<ffffffff82718ba1>] entry_SYSCALL_64_fastpath+0x1e/0x9a
Code: 00 41 55 41 54 53 e8 28 45 68 ff e8 a3 1f 03 00 41 89 c5 0f ae e8 0f 31 48 c1 e2 20 48 09 c2 49 89 d4 eb 16 f3 90 bf 01 00 00 00 <e8> 03 45 68 ff e8 7e 1f 03 00 44 39 e8 75 36 0f ae e8 0f 31 48 

Crashes (1):

Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title
2019/02/15 03:07 | https://android.googlesource.com/kernel/common android-4.4 | 62872f952d6b | 76dd003f | .config | console log | report | syz | C | | | ci-android-44-kasan-gce |

* Struck through repros no longer work on HEAD.