syzbot


BUG: sleeping function called from invalid context in __do_page_fault

Status: upstream: reported C repro on 2019/08/06 03:38
Reported-by: syzbot+88ac58c27ce07fff6b76@syzkaller.appspotmail.com
First crash: 1777d, last: 1313d
Fix bisection the fix commit could be any of (bisect log):
  9fa690a2a016 Linux 4.14.169
  56dfe6252c68 Linux 4.14.188
  
Similar bugs (2)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.19 BUG: sleeping function called from invalid context in __do_page_fault C error 56 998d 1765d 0/1 upstream: reported C repro on 2019/08/18 01:17
upstream BUG: sleeping function called from invalid context in __do_page_fault kernel 2 1609d 1645d 0/27 auto-closed as invalid on 2020/05/19 13:57
Last patch testing requests (8)
Created Duration User Patch Repo Result
2023/02/05 02:32 9m retest repro linux-4.14.y report log
2023/02/05 01:32 9m retest repro linux-4.14.y report log
2023/02/05 00:32 9m retest repro linux-4.14.y report log
2023/02/04 23:32 10m retest repro linux-4.14.y report log
2022/09/14 12:27 9m retest repro linux-4.14.y report log
2022/09/14 11:27 8m retest repro linux-4.14.y report log
2022/09/14 10:27 9m retest repro linux-4.14.y report log
2022/09/14 09:27 13m retest repro linux-4.14.y report log
Fix bisection attempts (4)
Created Duration User Patch Repo Result
2020/07/15 01:22 33m bisect fix linux-4.14.y job log (2)
2020/03/30 15:10 26m bisect fix linux-4.14.y job log (0) log
2020/01/03 15:56 24m bisect fix linux-4.14.y job log (0) log
2019/12/04 11:06 23m bisect fix linux-4.14.y job log (0) log

Sample crash report:
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441869
RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000003
RBP: 00007ffe629ad570 R08: 0000000000000002 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: ffffffffffffffff
R13: 0000000000000004 R14: 0000000000000000 R15: 0000000000000000
BUG: sleeping function called from invalid context at arch/x86/mm/fault.c:1385
in_atomic(): 0, irqs_disabled(): 1, pid: 8005, name: syz-executor681
3 locks held by syz-executor681/8005:
 #0:  (cb_lock){++++}, at: [<ffffffff85fe45d5>] genl_rcv+0x15/0x40 net/netlink/genetlink.c:635
 #1:  (genl_mutex){+.+.}, at: [<ffffffff85fe5232>] genl_lock net/netlink/genetlink.c:33 [inline]
 #1:  (genl_mutex){+.+.}, at: [<ffffffff85fe5232>] genl_rcv_msg+0x112/0x140 net/netlink/genetlink.c:623
 #2:  (rtnl_mutex){+.+.}, at: [<ffffffff86bd24c9>] nl80211_pre_doit+0x2d9/0x510 net/wireless/nl80211.c:12458
irq event stamp: 731
hardirqs last  enabled at (731): [<ffffffff81376d21>] __cancel_work_timer+0x2c1/0x460 kernel/workqueue.c:2957
hardirqs last disabled at (730): [<ffffffff8136ffb5>] try_to_grab_pending+0xb5/0x610 kernel/workqueue.c:1214
softirqs last  enabled at (724): [<ffffffff876006ab>] __do_softirq+0x6ab/0xa1d kernel/softirq.c:314
softirqs last disabled at (635): [<ffffffff81330353>] invoke_softirq kernel/softirq.c:368 [inline]
softirqs last disabled at (635): [<ffffffff81330353>] irq_exit+0x193/0x240 kernel/softirq.c:409
CPU: 1 PID: 8005 Comm: syz-executor681 Not tainted 4.14.206-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x283 lib/dump_stack.c:58
 ___might_sleep.cold+0x235/0x250 kernel/sched/core.c:6042
 __do_page_fault+0x2dc/0xad0 arch/x86/mm/fault.c:1385
 page_fault+0x25/0x50 arch/x86/entry/entry_64.S:1123
RIP: 0010:atomic_inc arch/x86/include/asm/atomic.h:92 [inline]
RIP: 0010:__lock_acquire+0x21e/0x3f20 kernel/locking/lockdep.c:3382
RSP: 0018:ffff8880b2887040 EFLAGS: 00010002
RAX: 00000000000001c8 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 1ffff110155eb566 RSI: 0000000000000000 RDI: ffff8880aaf5ab30
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: ffff888095ef6080 R12: ffff8880aaf5ab28
R13: 0000000000000000 R14: 0000000000000000 R15: ffffffff8beb2d40
 lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
 flush_work+0xad/0x770 kernel/workqueue.c:2889
 __cancel_work_timer+0x321/0x460 kernel/workqueue.c:2964
 rhashtable_free_and_destroy+0x26/0x710 lib/rhashtable.c:1073
 mesh_table_free net/mac80211/mesh_pathtbl.c:70 [inline]
 mesh_pathtbl_init+0x223/0x290 net/mac80211/mesh_pathtbl.c:863
 ieee80211_mesh_init_sdata+0x2b4/0x650 net/mac80211/mesh.c:1459
 ieee80211_setup_sdata+0xb29/0xf40 net/mac80211/iface.c:1476
 ieee80211_if_add+0xce0/0x16b0 net/mac80211/iface.c:1885
 ieee80211_add_iface+0x89/0x110 net/mac80211/cfg.c:124
 rdev_add_virtual_intf net/wireless/rdev-ops.h:45 [inline]
 nl80211_new_interface+0x44b/0x1360 net/wireless/nl80211.c:2990
 genl_family_rcv_msg+0x572/0xb20 net/netlink/genetlink.c:600
 genl_rcv_msg+0xaf/0x140 net/netlink/genetlink.c:625
 netlink_rcv_skb+0x125/0x390 net/netlink/af_netlink.c:2433
 genl_rcv+0x24/0x40 net/netlink/genetlink.c:636
 netlink_unicast_kernel net/netlink/af_netlink.c:1287 [inline]
 netlink_unicast+0x437/0x610 net/netlink/af_netlink.c:1313
 netlink_sendmsg+0x62e/0xb80 net/netlink/af_netlink.c:1878
 sock_sendmsg_nosec net/socket.c:646 [inline]
 sock_sendmsg+0xb5/0x100 net/socket.c:656
 ___sys_sendmsg+0x6c8/0x800 net/socket.c:2062
 __sys_sendmsg+0xa3/0x120 net/socket.c:2096
 SYSC_sendmsg net/socket.c:2107 [inline]
 SyS_sendmsg+0x27/0x40 net/socket.c:2103
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x441869
RSP: 002b:00007ffe629ad558 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441869
RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000003
RBP: 00007ffe629ad570 R08: 0000000000000002 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: ffffffffffffffff
R13: 0000000000000004 R14: 0000000000000000 R15: 0000000000000000
BUG: unable to handle kernel NULL pointer dereference at 0000000000000300
IP: atomic_inc arch/x86/include/asm/atomic.h:92 [inline]
IP: __lock_acquire+0x21e/0x3f20 kernel/locking/lockdep.c:3382
PGD a3091067 P4D a3091067 PUD ab03e067 PMD 0 
Oops: 0002 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 1 PID: 8005 Comm: syz-executor681 Tainted: G        W       4.14.206-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff888095ef6080 task.stack: ffff8880b2880000
RIP: 0010:atomic_inc arch/x86/include/asm/atomic.h:92 [inline]
RIP: 0010:__lock_acquire+0x21e/0x3f20 kernel/locking/lockdep.c:3382
RSP: 0018:ffff8880b2887040 EFLAGS: 00010002
RAX: 00000000000001c8 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 1ffff110155eb566 RSI: 0000000000000000 RDI: ffff8880aaf5ab30
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: ffff888095ef6080 R12: ffff8880aaf5ab28
R13: 0000000000000000 R14: 0000000000000000 R15: ffffffff8beb2d40
FS:  0000000002015880(0000) GS:ffff8880ba500000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000300 CR3: 00000000af9ec000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
 flush_work+0xad/0x770 kernel/workqueue.c:2889
 __cancel_work_timer+0x321/0x460 kernel/workqueue.c:2964
 rhashtable_free_and_destroy+0x26/0x710 lib/rhashtable.c:1073
 mesh_table_free net/mac80211/mesh_pathtbl.c:70 [inline]
 mesh_pathtbl_init+0x223/0x290 net/mac80211/mesh_pathtbl.c:863
 ieee80211_mesh_init_sdata+0x2b4/0x650 net/mac80211/mesh.c:1459
 ieee80211_setup_sdata+0xb29/0xf40 net/mac80211/iface.c:1476
 ieee80211_if_add+0xce0/0x16b0 net/mac80211/iface.c:1885
 ieee80211_add_iface+0x89/0x110 net/mac80211/cfg.c:124
 rdev_add_virtual_intf net/wireless/rdev-ops.h:45 [inline]
 nl80211_new_interface+0x44b/0x1360 net/wireless/nl80211.c:2990
 genl_family_rcv_msg+0x572/0xb20 net/netlink/genetlink.c:600
 genl_rcv_msg+0xaf/0x140 net/netlink/genetlink.c:625
 netlink_rcv_skb+0x125/0x390 net/netlink/af_netlink.c:2433
 genl_rcv+0x24/0x40 net/netlink/genetlink.c:636
 netlink_unicast_kernel net/netlink/af_netlink.c:1287 [inline]
 netlink_unicast+0x437/0x610 net/netlink/af_netlink.c:1313
 netlink_sendmsg+0x62e/0xb80 net/netlink/af_netlink.c:1878
 sock_sendmsg_nosec net/socket.c:646 [inline]
 sock_sendmsg+0xb5/0x100 net/socket.c:656
 ___sys_sendmsg+0x6c8/0x800 net/socket.c:2062
 __sys_sendmsg+0xa3/0x120 net/socket.c:2096
 SYSC_sendmsg net/socket.c:2107 [inline]
 SyS_sendmsg+0x27/0x40 net/socket.c:2103
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x441869
RSP: 002b:00007ffe629ad558 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441869
RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000003
RBP: 00007ffe629ad570 R08: 0000000000000002 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: ffffffffffffffff
R13: 0000000000000004 R14: 0000000000000000 R15: 0000000000000000
Code: 00 fc ff df 41 89 f6 4b 8d 7c f4 08 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 5e 2a 00 00 4b 8b 44 f4 08 48 85 c0 0f 84 31 ff ff ff <f0> ff 80 38 01 00 00 49 8d b3 80 08 00 00 48 ba 00 00 00 00 00 
RIP: atomic_inc arch/x86/include/asm/atomic.h:92 [inline] RSP: ffff8880b2887040
RIP: __lock_acquire+0x21e/0x3f20 kernel/locking/lockdep.c:3382 RSP: ffff8880b2887040
CR2: 0000000000000300
---[ end trace 3dda8e650e704779 ]---

Crashes (24):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2020/11/11 08:26 linux-4.14.y 27ce4f2a6817 cca87986 .config console log report syz C ci2-linux-4-14
2020/01/31 16:09 linux-4.14.y 9fa690a2a016 5ed23f9a .config console log report syz C ci2-linux-4-14
2019/08/18 02:29 linux-4.14.y 45f092f9e9cb 55bf8926 .config console log report syz C ci2-linux-4-14
2019/08/06 03:19 linux-4.14.y 7d80e1218adf 6affd8e8 .config console log report syz C ci2-linux-4-14
2020/08/28 22:45 linux-4.14.y d7e78d08fa77 d5a3ae1f .config console log report ci2-linux-4-14
2020/08/26 07:12 linux-4.14.y 6a24ca2506d6 344da168 .config console log report ci2-linux-4-14
2020/08/15 20:57 linux-4.14.y 14b58326976d 5ce13532 .config console log report ci2-linux-4-14
2020/08/01 10:57 linux-4.14.y 7f2c5eb458b8 8df85ed9 .config console log report ci2-linux-4-14
2020/07/28 23:32 linux-4.14.y 69b94dd6dcd1 cb93dc6a .config console log report ci2-linux-4-14
2020/06/15 01:22 linux-4.14.y b850307b279c 2a22c77a .config console log report ci2-linux-4-14
2020/06/07 16:45 linux-4.14.y c6db52a88798 2c2b926c .config console log report ci2-linux-4-14
2020/05/15 15:14 linux-4.14.y ab9dfda23248 d7f9fffa .config console log report ci2-linux-4-14
2020/04/19 18:51 linux-4.14.y c10b57a567e4 6dfd45e1 .config console log report ci2-linux-4-14
2020/04/19 18:05 linux-4.14.y c10b57a567e4 6dfd45e1 .config console log report ci2-linux-4-14
2020/04/19 10:50 linux-4.14.y c10b57a567e4 6dfd45e1 .config console log report ci2-linux-4-14
2020/04/03 04:14 linux-4.14.y 4520f06b03ae a34e2c33 .config console log report ci2-linux-4-14
2020/03/31 04:13 linux-4.14.y 01364dad1d45 c8d1cc20 .config console log report ci2-linux-4-14
2020/02/29 13:30 linux-4.14.y 78d697fc93f9 c88c7b75 .config console log report ci2-linux-4-14
2020/02/26 12:32 linux-4.14.y 98db2bf27b9e 4f588111 .config console log report ci2-linux-4-14
2020/02/18 02:09 linux-4.14.y 98db2bf27b9e 1ce142dc .config console log report ci2-linux-4-14
2020/02/10 12:32 linux-4.14.y e0f8b8a65a47 35f5e45e .config console log report ci2-linux-4-14
2020/01/27 06:35 linux-4.14.y 8bac50406cca dd56146d .config console log report ci2-linux-4-14
2019/08/16 03:56 linux-4.14.y 3ffe1e79c174 faeffb00 .config console log report ci2-linux-4-14
2019/08/06 02:37 linux-4.14.y 7d80e1218adf 6affd8e8 .config console log report ci2-linux-4-14
* Struck through repros no longer work on HEAD.