syzbot

 sign-in | mailing list | source | docs
🐞 Open [984] Subsystems 🐞 Fixed [5216] 🐞 Invalid [12474] Missing Backports [82] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes 💬 Send us feedback

INFO: task hung in io_wqe_worker

Status: fixed on 2022/03/08 16:11
Subsystems: fs io-uring
[Documentation on labels]
Reported-by: syzbot+27d62ee6f256b186883e@syzkaller.appspotmail.com
Fix commit: 1d5f5ea7cb7d io-wq: remove worker to owner tw dependency
First crash: 916d, last: 914d
Cause bisection: introduced by (bisect log) [no-op commit]:
commit add0733d19c5610b10a1b398fcfb370a9f21afec
Author: Anthony Koo <Anthony.Koo@amd.com>
Date: Sun Jul 18 01:46:31 2021 +0000

  drm/amd/display: [FW Promotion] Release 0.0.76

Crash: BUG: sleeping function called from invalid context in lock_sock_nested (log)
Repro: C syz .config
  
Discussions (4)
Title Replies (including bot) Last reply
Re: [RFC] coredump: Do not interrupt dump for TIF_NOTIFY_SIGNAL 7 (7) 2022/03/14 23:58
[PATCH 5.15 000/917] 5.15.3-rc1 review 945 (945) 2021/11/24 18:04
[PATCH] io-wq: remove worker to owner tw dependency 2 (2) 2021/10/29 12:48
[syzbot] INFO: task hung in io_wqe_worker 4 (7) 2021/10/28 22:35
Last patch testing requests (2)
Created Duration User Patch Repo Result
2021/10/28 20:32 18m asml.silence@gmail.com https://github.com/isilence/linux.git syz_coredump OK
2021/10/21 23:48 13m asml.silence@gmail.com git://git.kernel.dk/linux-block io_uring-5.15 report log

Sample crash report:
INFO: task iou-wrk-6609:6612 blocked for more than 143 seconds.
      Not tainted 5.15.0-rc5-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:iou-wrk-6609    state:D stack:27944 pid: 6612 ppid:  6526 flags:0x00004006
Call Trace:
 context_switch kernel/sched/core.c:4940 [inline]
 __schedule+0xb44/0x5960 kernel/sched/core.c:6287
 schedule+0xd3/0x270 kernel/sched/core.c:6366
 schedule_timeout+0x1db/0x2a0 kernel/time/timer.c:1857
 do_wait_for_common kernel/sched/completion.c:85 [inline]
 __wait_for_common kernel/sched/completion.c:106 [inline]
 wait_for_common kernel/sched/completion.c:117 [inline]
 wait_for_completion+0x176/0x280 kernel/sched/completion.c:138
 io_worker_exit fs/io-wq.c:183 [inline]
 io_wqe_worker+0x66d/0xc40 fs/io-wq.c:597
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Showing all locks held in the system:
1 lock held by khungtaskd/27:
 #0: ffffffff8b981ae0 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x53/0x260 kernel/locking/lockdep.c:6446

=============================================

NMI backtrace for cpu 0
CPU: 0 PID: 27 Comm: khungtaskd Not tainted 5.15.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 nmi_cpu_backtrace.cold+0x47/0x144 lib/nmi_backtrace.c:105
 nmi_trigger_cpumask_backtrace+0x1ae/0x220 lib/nmi_backtrace.c:62
 trigger_all_cpu_backtrace include/linux/nmi.h:146 [inline]
 check_hung_uninterruptible_tasks kernel/hung_task.c:210 [inline]
 watchdog+0xc1d/0xf50 kernel/hung_task.c:295
 kthread+0x3e5/0x4d0 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 1414 Comm: kworker/u4:5 Not tainted 5.15.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events_unbound toggle_allocation_gate
RIP: 0010:bytes_is_nonzero mm/kasan/generic.c:85 [inline]
RIP: 0010:memory_is_nonzero mm/kasan/generic.c:102 [inline]
RIP: 0010:memory_is_poisoned_n mm/kasan/generic.c:128 [inline]
RIP: 0010:memory_is_poisoned mm/kasan/generic.c:159 [inline]
RIP: 0010:check_region_inline mm/kasan/generic.c:180 [inline]
RIP: 0010:kasan_check_range+0xde/0x180 mm/kasan/generic.c:189
Code: 74 f2 48 89 c2 b8 01 00 00 00 48 85 d2 75 56 5b 5d 41 5c c3 48 85 d2 74 5e 48 01 ea eb 09 48 83 c0 01 48 39 d0 74 50 80 38 00 <74> f2 eb d4 41 bc 08 00 00 00 48 89 ea 45 29 dc 4d 8d 1c 2c eb 0c
RSP: 0018:ffffc90005aa7988 EFLAGS: 00000046
RAX: ffffed10021cd084 RBX: ffffed10021cd085 RCX: ffffffff81348c59
RDX: ffffed10021cd085 RSI: 0000000000000008 RDI: ffff888010e68420
RBP: ffffed10021cd084 R08: 0000000000000000 R09: ffff888010e68427
R10: ffffed10021cd084 R11: 000000000000003f R12: ffffffff8baabbe0
R13: ffff888010e68420 R14: 0000000000000000 R15: ffff88801dfeda50
FS:  0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f93e8906000 CR3: 000000000b68e000 CR4: 0000000000350ee0
Call Trace:
 instrument_atomic_read include/linux/instrumented.h:71 [inline]
 atomic64_read include/linux/atomic/atomic-instrumented.h:605 [inline]
 switch_mm_irqs_off+0x1e9/0xa10 arch/x86/mm/tlb.c:615
 use_temporary_mm arch/x86/kernel/alternative.c:741 [inline]
 __text_poke+0x447/0x8c0 arch/x86/kernel/alternative.c:838
 text_poke_bp_batch+0x3d7/0x560 arch/x86/kernel/alternative.c:1178
 text_poke_flush arch/x86/kernel/alternative.c:1268 [inline]
 text_poke_flush arch/x86/kernel/alternative.c:1265 [inline]
 text_poke_finish+0x16/0x30 arch/x86/kernel/alternative.c:1275
 arch_jump_label_transform_apply+0x13/0x20 arch/x86/kernel/jump_label.c:146
 jump_label_update+0x1d5/0x430 kernel/jump_label.c:830
 static_key_enable_cpuslocked+0x1b1/0x260 kernel/jump_label.c:177
 static_key_enable+0x16/0x20 kernel/jump_label.c:190
 toggle_allocation_gate mm/kfence/core.c:626 [inline]
 toggle_allocation_gate+0x100/0x390 mm/kfence/core.c:618
 process_one_work+0x9bf/0x16b0 kernel/workqueue.c:2297
 worker_thread+0x658/0x11f0 kernel/workqueue.c:2444
 kthread+0x3e5/0x4d0 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
----------------
Code disassembly (best guess):
   0:	74 f2                	je     0xfffffff4
   2:	48 89 c2             	mov    %rax,%rdx
   5:	b8 01 00 00 00       	mov    $0x1,%eax
   a:	48 85 d2             	test   %rdx,%rdx
   d:	75 56                	jne    0x65
   f:	5b                   	pop    %rbx
  10:	5d                   	pop    %rbp
  11:	41 5c                	pop    %r12
  13:	c3                   	retq
  14:	48 85 d2             	test   %rdx,%rdx
  17:	74 5e                	je     0x77
  19:	48 01 ea             	add    %rbp,%rdx
  1c:	eb 09                	jmp    0x27
  1e:	48 83 c0 01          	add    $0x1,%rax
  22:	48 39 d0             	cmp    %rdx,%rax
  25:	74 50                	je     0x77
  27:	80 38 00             	cmpb   $0x0,(%rax)
* 2a:	74 f2                	je     0x1e <-- trapping instruction
  2c:	eb d4                	jmp    0x2
  2e:	41 bc 08 00 00 00    	mov    $0x8,%r12d
  34:	48 89 ea             	mov    %rbp,%rdx
  37:	45 29 dc             	sub    %r11d,%r12d
  3a:	4d 8d 1c 2c          	lea    (%r12,%rbp,1),%r11
  3e:	eb 0c                	jmp    0x4c

Crashes (3):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2021/10/17 20:52 upstream d999ade1cc86 0c5d9412 .config console log report syz C ci-upstream-kasan-gce-root INFO: task hung in io_wqe_worker
2021/10/17 14:53 upstream d999ade1cc86 0c5d9412 .config console log report info ci-upstream-kasan-gce-root INFO: task hung in io_wqe_worker
2021/10/16 00:49 upstream ec681c53f8d2 0c5d9412 .config console log report info ci-upstream-kasan-gce-root INFO: task hung in io_wqe_worker
* Struck through repros no longer work on HEAD.