syzbot


INFO: task hung in nbd_add_socket (2)
Status: upstream: reported C repro on 2022/03/21 16:06
Reported-by: syzbot+cbb4b1ebc70d0c5a8c29@syzkaller.appspotmail.com
First crash: 71d, last: 18d

Cause bisection: failed (bisect log)
similar bugs (5):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream INFO: task hung in nbd_add_socket 75 109d 188d 0/22 closed as dup on 2021/11/21 13:59
linux-4.14 INFO: task hung in nbd_add_socket (2) C 1 3d02h 153d 0/1 upstream: reported C repro on 2021/12/25 23:00
linux-4.14 INFO: task hung in nbd_add_socket 1 445d 445d 0/1 auto-closed as invalid on 2021/07/06 19:04
linux-4.19 INFO: task hung in nbd_add_socket C error 7 41d 445d 0/1 upstream: reported C repro on 2021/03/08 23:07
upstream INFO: task can't die in blk_mq_freeze_queue_wait 221 185d 194d 22/22 fixed on 2022/03/08 16:11
Patch testing requests:
Created Duration User Patch Repo Result
2022/04/07 10:23 11m hdanton@sina.com patch https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ 3e732ebf7316 OK
2022/04/07 08:54 4m hdanton@sina.com patch https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ 3e732ebf7316 error

Sample crash report:
INFO: task syz-executor558:3629 blocked for more than 143 seconds.
      Not tainted 5.18.0-rc1-syzkaller-00016-g3e732ebf7316 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor558 state:D stack:26896 pid: 3629 ppid:  3626 flags:0x00004004
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5073 [inline]
 __schedule+0x937/0x1090 kernel/sched/core.c:6382
 schedule+0xeb/0x1b0 kernel/sched/core.c:6454
 blk_mq_freeze_queue_wait+0x105/0x190 block/blk-mq.c:179
 nbd_add_socket+0x17b/0x8e0 drivers/block/nbd.c:1109
 __nbd_ioctl drivers/block/nbd.c:1454 [inline]
 nbd_ioctl+0x263/0xb80 drivers/block/nbd.c:1511
 blkdev_ioctl+0x3a6/0x780 block/ioctl.c:588
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:870 [inline]
 __se_sys_ioctl+0xfb/0x170 fs/ioctl.c:856
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x2b/0x50 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fe94e1c73e9
RSP: 002b:00007fff230e7bf8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000074e0a RCX: 00007fe94e1c73e9
RDX: 0000000000000005 RSI: 000000000000ab00 RDI: 0000000000000004
RBP: 0000000000000000 R08: 00007fff230e7d98 R09: 00007fff230e7d98
R10: 00007fff230e7d98 R11: 0000000000000246 R12: 00007fff230e7c0c
R13: 431bde82d7b634db R14: 0000000000000000 R15: 0000000000000000
 </TASK>

Showing all locks held in the system:
1 lock held by khungtaskd/27:
 #0: ffffffff8cd1cd60 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x0/0x30
1 lock held by klogd/2955:
 #0: ffff8880b9b39bd8 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock_nested+0x25/0x110 kernel/sched/core.c:554
2 locks held by getty/3280:
 #0: ffff88814bfb8098 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x21/0x70 drivers/tty/tty_ldisc.c:244
 #1: ffffc90002e732e8 (&ldata->atomic_read_lock){+.+.}-{3:3}, at: n_tty_read+0x6c2/0x1c60 drivers/tty/n_tty.c:2075
1 lock held by udevd/3628:
 #0: ffff88801c8a0918 (&disk->open_mutex){+.+.}-{3:3}, at: blkdev_put+0xf8/0x7a0 block/bdev.c:905
1 lock held by syz-executor558/3629:
 #0: ffff88801c775998 (&nbd->config_lock){+.+.}-{3:3}, at: nbd_ioctl+0x148/0xb80 drivers/block/nbd.c:1504

=============================================

NMI backtrace for cpu 0
CPU: 0 PID: 27 Comm: khungtaskd Not tainted 5.18.0-rc1-syzkaller-00016-g3e732ebf7316 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1dc/0x2d8 lib/dump_stack.c:106
 nmi_cpu_backtrace+0x45f/0x490 lib/nmi_backtrace.c:111
 nmi_trigger_cpumask_backtrace+0x16a/0x280 lib/nmi_backtrace.c:62
 trigger_all_cpu_backtrace include/linux/nmi.h:146 [inline]
 check_hung_uninterruptible_tasks kernel/hung_task.c:212 [inline]
 watchdog+0xc82/0xcd0 kernel/hung_task.c:369
 kthread+0x2a3/0x2d0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30
 </TASK>
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 975 Comm: kworker/u4:4 Not tainted 5.18.0-rc1-syzkaller-00016-g3e732ebf7316 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events_unbound toggle_allocation_gate
RIP: 0010:validate_chain+0xfe/0x8250 kernel/locking/lockdep.c:3770
Code: 48 8d 5e 20 48 89 d8 48 c1 e8 03 48 89 44 24 58 42 8a 04 20 84 c0 0f 85 de 09 00 00 48 89 5c 24 10 8b 1b 89 d8 25 00 80 04 00 <3d> 00 00 04 00 0f 85 e9 04 00 00 81 e3 ff 1f 00 00 48 89 d8 48 c1
RSP: 0018:ffffc90004967180 EFLAGS: 00000006
RAX: 0000000000040000 RBX: 000000000004008f RCX: 74d2cd9d99b1225f
RDX: 0000000000000000 RSI: ffff88801deae228 RDI: ffff88801dead700
RBP: ffffc90004967490 R08: dffffc0000000000 R09: fffffbfff1f86d83
R10: fffffbfff1f86d83 R11: 0000000000000000 R12: dffffc0000000000
R13: 1ffff9200092ce50 R14: 74d2cd9d99b1225f R15: 74d2cd9d99b1225f
FS:  0000000000000000(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055c1909809e8 CR3: 000000000ca8e000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 __lock_acquire+0x1382/0x2b00 kernel/locking/lockdep.c:5029
 lock_acquire+0x19f/0x4d0 kernel/locking/lockdep.c:5641
 __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
 _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:154
 spin_lock include/linux/spinlock.h:349 [inline]
 __get_locked_pte+0x2ad/0x390 mm/memory.c:1752
 get_locked_pte include/linux/mm.h:2128 [inline]
 __text_poke+0x280/0x9f0 arch/x86/kernel/alternative.c:1038
 text_poke arch/x86/kernel/alternative.c:1121 [inline]
 text_poke_bp_batch+0x680/0x920 arch/x86/kernel/alternative.c:1436
 text_poke_flush arch/x86/kernel/alternative.c:1542 [inline]
 text_poke_finish+0x16/0x30 arch/x86/kernel/alternative.c:1549
 arch_jump_label_transform_apply+0x13/0x20 arch/x86/kernel/jump_label.c:146
 static_key_enable_cpuslocked+0x12d/0x250 kernel/jump_label.c:177
 static_key_enable+0x16/0x20 kernel/jump_label.c:190
 toggle_allocation_gate+0xbf/0x460 mm/kfence/core.c:785
 process_one_work+0x83c/0x11a0 kernel/workqueue.c:2289
 worker_thread+0xa6c/0x1290 kernel/workqueue.c:2436
 kthread+0x2a3/0x2d0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30
 </TASK>
INFO: NMI handler (nmi_cpu_backtrace_handler) took too long to run: 1.168 msecs
----------------
Code disassembly (best guess):
   0:	48 8d 5e 20          	lea    0x20(%rsi),%rbx
   4:	48 89 d8             	mov    %rbx,%rax
   7:	48 c1 e8 03          	shr    $0x3,%rax
   b:	48 89 44 24 58       	mov    %rax,0x58(%rsp)
  10:	42 8a 04 20          	mov    (%rax,%r12,1),%al
  14:	84 c0                	test   %al,%al
  16:	0f 85 de 09 00 00    	jne    0x9fa
  1c:	48 89 5c 24 10       	mov    %rbx,0x10(%rsp)
  21:	8b 1b                	mov    (%rbx),%ebx
  23:	89 d8                	mov    %ebx,%eax
  25:	25 00 80 04 00       	and    $0x48000,%eax
* 2a:	3d 00 00 04 00       	cmp    $0x40000,%eax <-- trapping instruction
  2f:	0f 85 e9 04 00 00    	jne    0x51e
  35:	81 e3 ff 1f 00 00    	and    $0x1fff,%ebx
  3b:	48 89 d8             	mov    %rbx,%rax
  3e:	48                   	rex.W
  3f:	c1                   	.byte 0xc1

Fix bisection attempts:
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-kasan-gce-smack-root 2022/05/09 23:50 upstream 9be9ed2612b5 97582466 .config log report syz C
Crashes (7):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-kasan-gce-smack-root 2022/04/07 05:35 upstream 3e732ebf7316 97582466 .config log report syz C INFO: task hung in nbd_add_socket
ci-upstream-kasan-gce-selinux-root 2022/04/07 05:23 upstream 3e732ebf7316 97582466 .config log report syz C INFO: task hung in nbd_add_socket
ci-upstream-kasan-gce-root 2022/03/17 15:46 upstream 56e337f2cf13 dfa9a8ed .config log report syz INFO: task hung in nbd_add_socket
ci-upstream-kasan-gce-smack-root 2022/04/07 02:49 upstream 3e732ebf7316 97582466 .config log report info INFO: task hung in nbd_add_socket
ci-upstream-kasan-gce-selinux-root 2022/04/07 02:49 upstream 3e732ebf7316 97582466 .config log report info INFO: task hung in nbd_add_socket
ci-upstream-kasan-gce-root 2022/04/07 02:45 upstream 3e732ebf7316 97582466 .config log report info INFO: task hung in nbd_add_socket
ci-upstream-kasan-gce-root 2022/03/17 13:28 upstream 56e337f2cf13 dfa9a8ed .config log report info INFO: task hung in nbd_add_socket