syzbot

 sign-in | mailing list | source | docs
🐞 Open [196]
🐞 Fixed [42]
🐞 Invalid [470]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
💬 Send us feedback

BUG: sleeping function called from invalid context in __generic_file_fsync

Status: auto-closed as invalid on 2020/03/10 13:07
Reported-by: syzbot+8753c198c1554c72bfd9@syzkaller.appspotmail.com
First crash: 1837d, last: 1837d
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-44 BUG: sleeping function called from invalid context in __generic_file_fsync 1 2008d 2008d 0/2 auto-closed as invalid on 2019/10/25 08:43

Sample crash report:
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.5'.
BUG: sleeping function called from invalid context at kernel/locking/rwsem.c:51
in_atomic(): 1, irqs_disabled(): 0, pid: 2640, name: syz-executor.2
1 lock held by syz-executor.2/2640:
 #0:  (rtnl_mutex){+.+.+.}, at: [<ffffffff823412d7>] rtnl_lock+0x17/0x20 net/core/rtnetlink.c:70
Preemption disabled at:[  889.819015] [<ffffffff8281ca6d>] __do_softirq+0xdd/0x964 kernel/softirq.c:265
CPU: 0 PID: 2640 Comm: syz-executor.2 Not tainted 4.9.141+ #1
 ffff8801db607a20 ffffffff81b42e79 ffffffff8281ca6d 0000000000000000
 0000000000000100 ffff8801c4f997c0 ffff8801c4f997c0 ffff8801db607a58
 ffffffff813f9ecf ffff8801c4f997c0 ffffffff82a4fa80 0000000000000033
Call Trace:
 <IRQ> [  889.860451]  [<ffffffff81b42e79>] __dump_stack lib/dump_stack.c:15 [inline]
 <IRQ> [  889.860451]  [<ffffffff81b42e79>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff813f9ecf>] ___might_sleep.cold.31+0x18a/0x1fc kernel/sched/core.c:7988
 [<ffffffff81167c85>] __might_sleep+0x95/0x1a0 kernel/sched/core.c:7945
 [<ffffffff828116d1>] down_write+0x21/0xa0 kernel/locking/rwsem.c:51
 [<ffffffff8158b831>] inode_lock include/linux/fs.h:766 [inline]
 [<ffffffff8158b831>] __generic_file_fsync+0xc1/0x1a0 fs/libfs.c:978
 [<ffffffff816b5209>] ext4_sync_file+0x659/0x10a0 fs/ext4/fsync.c:116
 [<ffffffff815b195c>] vfs_fsync_range+0x10c/0x260 fs/sync.c:195
 [<ffffffff815cd622>] generic_write_sync include/linux/fs.h:2607 [inline]
 [<ffffffff815cd622>] dio_complete+0x512/0x6c0 fs/direct-io.c:282
 [<ffffffff815cd8ec>] dio_bio_end_aio+0x11c/0x370 fs/direct-io.c:323
 [<ffffffff81ab5f75>] bio_endio+0x1a5/0x1f0 block/bio.c:1781
 [<ffffffff81ad65d8>] req_bio_endio block/blk-core.c:157 [inline]
 [<ffffffff81ad65d8>] blk_update_request+0x248/0x9b0 block/blk-core.c:2628
 [<ffffffff81e1c7ed>] scsi_end_request+0x9d/0x5c0 drivers/scsi/scsi_lib.c:606
 [<ffffffff81e257f3>] scsi_io_completion+0x273/0x17a0 drivers/scsi/scsi_lib.c:829
 [<ffffffff81e0871a>] scsi_finish_command+0x3ba/0x530 drivers/scsi/scsi.c:607
 [<ffffffff81e23d20>] scsi_softirq_done+0x250/0x360 drivers/scsi/scsi_lib.c:1567
 [<ffffffff81af449d>] blk_done_softirq+0x27d/0x3e0 block/blk-softirq.c:35
 [<ffffffff8281cb9e>] __do_softirq+0x20e/0x964 kernel/softirq.c:288
 [<ffffffff810efdbc>] invoke_softirq kernel/softirq.c:368 [inline]
 [<ffffffff810efdbc>] irq_exit+0x11c/0x150 kernel/softirq.c:409
 [<ffffffff82819b9d>] exiting_irq arch/x86/include/asm/apic.h:669 [inline]
 [<ffffffff82819b9d>] do_IRQ+0x10d/0x1c0 arch/x86/kernel/irq.c:252
 [<ffffffff8281819d>] common_interrupt+0x9d/0x9d arch/x86/entry/entry_64.S:461
 <EOI> [  890.069779]  [<ffffffff823fbaa8>] ? get_next_corpse net/netfilter/nf_conntrack_core.c:1550 [inline]
 <EOI> [  890.069779]  [<ffffffff823fbaa8>] ? nf_ct_iterate_cleanup+0x238/0x480 net/netfilter/nf_conntrack_core.c:1621
 [<ffffffff823fbacf>] local_bh_enable include/linux/bottom_half.h:31 [inline]
 [<ffffffff823fbacf>] get_next_corpse net/netfilter/nf_conntrack_core.c:1565 [inline]
 [<ffffffff823fbacf>] nf_ct_iterate_cleanup+0x25f/0x480 net/netfilter/nf_conntrack_core.c:1621
 [<ffffffff8260a028>] masq_device_event+0xa8/0xd0 net/ipv4/netfilter/nf_nat_masquerade_ipv4.c:100
 [<ffffffff811478d4>] notifier_call_chain+0xb4/0x1d0 kernel/notifier.c:93
 [<ffffffff81147a5d>] __raw_notifier_call_chain kernel/notifier.c:394 [inline]
 [<ffffffff81147a5d>] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401
 [<ffffffff822f4a45>] call_netdevice_notifiers_info+0x55/0x70 net/core/dev.c:1647
 [<ffffffff82317fdd>] call_netdevice_notifiers net/core/dev.c:1663 [inline]
 [<ffffffff82317fdd>] __dev_notify_flags+0x19d/0x270 net/core/dev.c:6541
 [<ffffffff82319123>] dev_change_flags+0xf3/0x140 net/core/dev.c:6572
 [<ffffffff8258e871>] devinet_ioctl+0x9d1/0x15d0 net/ipv4/devinet.c:1052
 [<ffffffff82596cbe>] inet_ioctl+0x11e/0x1d0 net/ipv4/af_inet.c:908
 [<ffffffff8229c00a>] sock_do_ioctl+0x6a/0xb0 net/socket.c:905
 [<ffffffff8229cabd>] sock_ioctl+0x32d/0x3c0 net/socket.c:991
 [<ffffffff81546dec>] vfs_ioctl fs/ioctl.c:43 [inline]
 [<ffffffff81546dec>] file_ioctl fs/ioctl.c:493 [inline]
 [<ffffffff81546dec>] do_vfs_ioctl+0x1ac/0x11a0 fs/ioctl.c:677
 [<ffffffff81547e6f>] SYSC_ioctl fs/ioctl.c:694 [inline]
 [<ffffffff81547e6f>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
 [<ffffffff810056ef>] do_syscall_64+0x19f/0x550 arch/x86/entry/common.c:285
 [<ffffffff82817893>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb

=================================
[ INFO: inconsistent lock state ]
4.9.141+ #1 Tainted: G        W      
---------------------------------
inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
syz-executor.2/2640 [HC0[0]:SC1[1]:HE1:SE0] takes:
 (&sb->s_type->i_mutex_key#9){++?+++}, at: [<ffffffff8158b831>] inode_lock include/linux/fs.h:766 [inline]
 (&sb->s_type->i_mutex_key#9){++?+++}, at: [<ffffffff8158b831>] __generic_file_fsync+0xc1/0x1a0 fs/libfs.c:978
  mark_irqflags kernel/locking/lockdep.c:2941 [inline]
  __lock_acquire+0xbdd/0x4a10 kernel/locking/lockdep.c:3302
  lock_acquire+0x130/0x3e0 kernel/locking/lockdep.c:3756
  down_write+0x41/0xa0 kernel/locking/rwsem.c:52
  inode_lock include/linux/fs.h:766 [inline]
  bprm_fill_uid fs/exec.c:1506 [inline]
  prepare_binprm+0x2b7/0x750 fs/exec.c:1540
  do_execveat_common.isra.14+0xe9f/0x1ed0 fs/exec.c:1766
  do_execve fs/exec.c:1829 [inline]
  SYSC_execve fs/exec.c:1910 [inline]
  SyS_execve+0x42/0x50 fs/exec.c:1905
  do_syscall_64+0x19f/0x550 arch/x86/entry/common.c:285
  entry_SYSCALL_64_after_swapgs+0x5d/0xdb
irq event stamp: 94020
hardirqs last  enabled at (94020): [<ffffffff82818226>] restore_regs_and_iret+0x0/0x1d
hardirqs last disabled at (94019): [<ffffffff82819028>] apic_timer_interrupt+0x98/0xb0 arch/x86/entry/entry_64.S:648
softirqs last  enabled at (93974): [<ffffffff823fbaa8>] get_next_corpse net/netfilter/nf_conntrack_core.c:1550 [inline]
softirqs last  enabled at (93974): [<ffffffff823fbaa8>] nf_ct_iterate_cleanup+0x238/0x480 net/netfilter/nf_conntrack_core.c:1621
softirqs last disabled at (93977): [<ffffffff810efdbc>] invoke_softirq kernel/softirq.c:368 [inline]
softirqs last disabled at (93977): [<ffffffff810efdbc>] irq_exit+0x11c/0x150 kernel/softirq.c:409

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(&sb->s_type->i_mutex_key#9);
  <Interrupt>
    lock(&sb->s_type->i_mutex_key#9);

 *** DEADLOCK ***

1 lock held by syz-executor.2/2640:
 #0:  (rtnl_mutex){+.+.+.}, at: [<ffffffff823412d7>] rtnl_lock+0x17/0x20 net/core/rtnetlink.c:70

stack backtrace:
CPU: 0 PID: 2640 Comm: syz-executor.2 Tainted: G        W       4.9.141+ #1
 ffff8801db607790 ffffffff81b42e79 ffff8801c4f997c0 ffffffff83cac0f0
 ffff8801c4f9a098 ffff8801c4f9a0b8 ffffffff84244d40 ffff8801db607808
 ffffffff81400780 0000000000000001 ffffffff00000001 0000000000000000
Call Trace:
 <IRQ> [  890.495553]  [<ffffffff81b42e79>] __dump_stack lib/dump_stack.c:15 [inline]
 <IRQ> [  890.495553]  [<ffffffff81b42e79>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff81400780>] print_usage_bug.cold.40+0x44e/0x57e kernel/locking/lockdep.c:2387
 [<ffffffff81205d42>] valid_state kernel/locking/lockdep.c:2400 [inline]
 [<ffffffff81205d42>] mark_lock_irq kernel/locking/lockdep.c:2602 [inline]
 [<ffffffff81205d42>] mark_lock+0x2f2/0x1290 kernel/locking/lockdep.c:3065
 [<ffffffff81208434>] mark_irqflags kernel/locking/lockdep.c:2923 [inline]
 [<ffffffff81208434>] __lock_acquire+0x1084/0x4a10 kernel/locking/lockdep.c:3302
 [<ffffffff8120c8d0>] lock_acquire+0x130/0x3e0 kernel/locking/lockdep.c:3756
 [<ffffffff828116f1>] down_write+0x41/0xa0 kernel/locking/rwsem.c:52
 [<ffffffff8158b831>] inode_lock include/linux/fs.h:766 [inline]
 [<ffffffff8158b831>] __generic_file_fsync+0xc1/0x1a0 fs/libfs.c:978
 [<ffffffff816b5209>] ext4_sync_file+0x659/0x10a0 fs/ext4/fsync.c:116
 [<ffffffff815b195c>] vfs_fsync_range+0x10c/0x260 fs/sync.c:195
 [<ffffffff815cd622>] generic_write_sync include/linux/fs.h:2607 [inline]
 [<ffffffff815cd622>] dio_complete+0x512/0x6c0 fs/direct-io.c:282
 [<ffffffff815cd8ec>] dio_bio_end_aio+0x11c/0x370 fs/direct-io.c:323
 [<ffffffff81ab5f75>] bio_endio+0x1a5/0x1f0 block/bio.c:1781
 [<ffffffff81ad65d8>] req_bio_endio block/blk-core.c:157 [inline]
 [<ffffffff81ad65d8>] blk_update_request+0x248/0x9b0 block/blk-core.c:2628
 [<ffffffff81e1c7ed>] scsi_end_request+0x9d/0x5c0 drivers/scsi/scsi_lib.c:606
 [<ffffffff81e257f3>] scsi_io_completion+0x273/0x17a0 drivers/scsi/scsi_lib.c:829
 [<ffffffff81e0871a>] scsi_finish_command+0x3ba/0x530 drivers/scsi/scsi.c:607
 [<ffffffff81e23d20>] scsi_softirq_done+0x250/0x360 drivers/scsi/scsi_lib.c:1567
 [<ffffffff81af449d>] blk_done_softirq+0x27d/0x3e0 block/blk-softirq.c:35
 [<ffffffff8281cb9e>] __do_softirq+0x20e/0x964 kernel/softirq.c:288
 [<ffffffff810efdbc>] invoke_softirq kernel/softirq.c:368 [inline]
 [<ffffffff810efdbc>] irq_exit+0x11c/0x150 kernel/softirq.c:409
 [<ffffffff82819b9d>] exiting_irq arch/x86/include/asm/apic.h:669 [inline]
 [<ffffffff82819b9d>] do_IRQ+0x10d/0x1c0 arch/x86/kernel/irq.c:252
 [<ffffffff8281819d>] common_interrupt+0x9d/0x9d arch/x86/entry/entry_64.S:461
 <EOI> [  890.773868]  [<ffffffff823fbaa8>] ? get_next_corpse net/netfilter/nf_conntrack_core.c:1550 [inline]
 <EOI> [  890.773868]  [<ffffffff823fbaa8>] ? nf_ct_iterate_cleanup+0x238/0x480 net/netfilter/nf_conntrack_core.c:1621
 [<ffffffff823fbacf>] local_bh_enable include/linux/bottom_half.h:31 [inline]
 [<ffffffff823fbacf>] get_next_corpse net/netfilter/nf_conntrack_core.c:1565 [inline]
 [<ffffffff823fbacf>] nf_ct_iterate_cleanup+0x25f/0x480 net/netfilter/nf_conntrack_core.c:1621
 [<ffffffff8260a028>] masq_device_event+0xa8/0xd0 net/ipv4/netfilter/nf_nat_masquerade_ipv4.c:100
 [<ffffffff811478d4>] notifier_call_chain+0xb4/0x1d0 kernel/notifier.c:93
 [<ffffffff81147a5d>] __raw_notifier_call_chain kernel/notifier.c:394 [inline]
 [<ffffffff81147a5d>] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401
 [<ffffffff822f4a45>] call_netdevice_notifiers_info+0x55/0x70 net/core/dev.c:1647
 [<ffffffff82317fdd>] call_netdevice_notifiers net/core/dev.c:1663 [inline]
 [<ffffffff82317fdd>] __dev_notify_flags+0x19d/0x270 net/core/dev.c:6541
 [<ffffffff82319123>] dev_change_flags+0xf3/0x140 net/core/dev.c:6572
 [<ffffffff8258e871>] devinet_ioctl+0x9d1/0x15d0 net/ipv4/devinet.c:1052
 [<ffffffff82596cbe>] inet_ioctl+0x11e/0x1d0 net/ipv4/af_inet.c:908
 [<ffffffff8229c00a>] sock_do_ioctl+0x6a/0xb0 net/socket.c:905
 [<ffffffff8229cabd>] sock_ioctl+0x32d/0x3c0 net/socket.c:991
 [<ffffffff81546dec>] vfs_ioctl fs/ioctl.c:43 [inline]
 [<ffffffff81546dec>] file_ioctl fs/ioctl.c:493 [inline]
 [<ffffffff81546dec>] do_vfs_ioctl+0x1ac/0x11a0 fs/ioctl.c:677
 [<ffffffff81547e6f>] SYSC_ioctl fs/ioctl.c:694 [inline]
 [<ffffffff81547e6f>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
 [<ffffffff810056ef>] do_syscall_64+0x19f/0x550 arch/x86/entry/common.c:285
 [<ffffffff82817893>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
BUG: scheduling while atomic: syz-executor.2/2640/0x00000101
INFO: lockdep is turned off.
Modules linked in:
Preemption disabled at:[  891.005947] [<ffffffff8281ca6d>] __do_softirq+0xdd/0x964 kernel/softirq.c:265

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2019/11/11 13:06 https://android.googlesource.com/kernel/common android-4.9 8fe428403e30 dc438b91 .config console log report ci-android-49-kasan-gce
* Struck through repros no longer work on HEAD.