syzbot


INFO: task hung in pipe_release

Status: auto-closed as invalid on 2019/07/14 20:38
Reported-by: syzbot+03c6d2a475b35bd19756@syzkaller.appspotmail.com
First crash: 2018d, last: 1918d
Similar bugs (7)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-414 INFO: task hung in pipe_release 1 1725d 1725d 0/1 auto-closed as invalid on 2019/11/24 16:38
upstream INFO: task hung in pipe_release (2) ext4 syz done 3 1322d 1353d 15/26 fixed on 2020/09/25 01:17
android-49 INFO: task hung in pipe_release (2) 1 1689d 1689d 0/3 auto-closed as invalid on 2019/12/30 22:08
upstream INFO: task hung in pipe_release (4) fs C done 51 279d 279d 23/26 fixed on 2023/10/12 12:48
upstream INFO: task hung in pipe_release (3) fs 4 883d 997d 0/26 closed as invalid on 2022/02/07 19:19
upstream INFO: task hung in pipe_release fs 2 1815d 1980d 0/26 auto-closed as invalid on 2019/10/25 10:11
linux-4.19 INFO: task hung in pipe_release 1 1118d 1118d 0/1 auto-closed as invalid on 2021/07/23 11:59

Sample crash report:
INFO: task syz-executor1:8157 blocked for more than 140 seconds.
      Not tainted 4.9.141+ #1
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor1   D30024  8157   2107 0x80000002
 ffff8801cad52f80 ffff8801d5101080 ffff8801d5106880 ffff8801ca0adf00
 ffff8801db621018 ffff8801d801fad8 ffffffff828075c2 0000000000000000
 ffff8801cad53830 ffffed00395aa705 00ff8801cad52f80 ffff8801db6218f0
Call Trace:
 [<ffffffff82808aef>] schedule+0x7f/0x1b0 kernel/sched/core.c:3553
 [<ffffffff828094a3>] schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:3586
 [<ffffffff8280b51d>] __mutex_lock_common kernel/locking/mutex.c:582 [inline]
 [<ffffffff8280b51d>] mutex_lock_nested+0x38d/0x900 kernel/locking/mutex.c:621
 [<ffffffff815268b0>] __pipe_lock fs/pipe.c:87 [inline]
 [<ffffffff815268b0>] pipe_release+0x50/0x250 fs/pipe.c:568
 [<ffffffff81510293>] __fput+0x263/0x700 fs/file_table.c:208
 [<ffffffff815107b5>] ____fput+0x15/0x20 fs/file_table.c:244
 [<ffffffff8113dc4c>] task_work_run+0x10c/0x180 kernel/task_work.c:116
 [<ffffffff810e6c4d>] exit_task_work include/linux/task_work.h:21 [inline]
 [<ffffffff810e6c4d>] do_exit+0x78d/0x2a50 kernel/exit.c:833
 [<ffffffff810ed3a1>] do_group_exit+0x111/0x300 kernel/exit.c:937
 [<ffffffff810ed5ad>] SYSC_exit_group kernel/exit.c:948 [inline]
 [<ffffffff810ed5ad>] SyS_exit_group+0x1d/0x20 kernel/exit.c:946
 [<ffffffff810056ef>] do_syscall_64+0x19f/0x550 arch/x86/entry/common.c:285
 [<ffffffff82817893>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb

Showing all locks held in the system:
2 locks held by kworker/1:1/22:
 #0:  ("events"){.+.+.+}, at: [<ffffffff81130f0c>] process_one_work+0x73c/0x15f0 kernel/workqueue.c:2085
 #1:  ((&rew.rew_work)){+.+...}, at: [<ffffffff81130f44>] process_one_work+0x774/0x15f0 kernel/workqueue.c:2089
2 locks held by khungtaskd/24:
 #0:  (rcu_read_lock){......}, at: [<ffffffff8131c0cc>] check_hung_uninterruptible_tasks kernel/hung_task.c:168 [inline]
 #0:  (rcu_read_lock){......}, at: [<ffffffff8131c0cc>] watchdog+0x11c/0xa20 kernel/hung_task.c:239
 #1:  (tasklist_lock){.+.+..}, at: [<ffffffff813fe63f>] debug_show_all_locks+0x79/0x218 kernel/locking/lockdep.c:4336
2 locks held by getty/2029:
 #0:  (&tty->ldisc_sem){++++++}, at: [<ffffffff82815952>] ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:367
 #1:  (&ldata->atomic_read_lock){+.+...}, at: [<ffffffff81d37362>] n_tty_read+0x202/0x16e0 drivers/tty/n_tty.c:2142
5 locks held by kworker/u4:3/2119:
 #0:  ("%s""netns"){.+.+.+}, at: [<ffffffff81130f0c>] process_one_work+0x73c/0x15f0 kernel/workqueue.c:2085
 #1:  (net_cleanup_work){+.+.+.}, at: [<ffffffff81130f44>] process_one_work+0x774/0x15f0 kernel/workqueue.c:2089
 #2:  (net_mutex){+.+.+.}, at: [<ffffffff822e681f>] cleanup_net+0x13f/0x8b0 net/core/net_namespace.c:439
 #3:  (rtnl_mutex){+.+.+.}, at: [<ffffffff823412d7>] rtnl_lock+0x17/0x20 net/core/rtnetlink.c:70
 #4:  (rcu_preempt_state.exp_mutex){+.+...}, at: [<ffffffff8124a749>] exp_funnel_lock kernel/rcu/tree_exp.h:256 [inline]
 #4:  (rcu_preempt_state.exp_mutex){+.+...}, at: [<ffffffff8124a749>] _synchronize_rcu_expedited+0x339/0x840 kernel/rcu/tree_exp.h:569
1 lock held by syz-executor1/8102:
 #0:  (&pipe->mutex/1){+.+.+.}, at: [<ffffffff81523c1e>] pipe_lock_nested fs/pipe.c:66 [inline]
 #0:  (&pipe->mutex/1){+.+.+.}, at: [<ffffffff81523c1e>] pipe_lock+0x5e/0x70 fs/pipe.c:74
1 lock held by syz-executor1/8157:
 #0:  (&pipe->mutex/1){+.+.+.}, at: [<ffffffff815268b0>] __pipe_lock fs/pipe.c:87 [inline]
 #0:  (&pipe->mutex/1){+.+.+.}, at: [<ffffffff815268b0>] pipe_release+0x50/0x250 fs/pipe.c:568
2 locks held by kworker/u4:11/11818:
 #0:  ("events_unbound"){.+.+.+}, at: [<ffffffff81130f0c>] process_one_work+0x73c/0x15f0 kernel/workqueue.c:2085
 #1:  ((&sub_info->work)){+.+.+.}, at: [<ffffffff81130f44>] process_one_work+0x774/0x15f0 kernel/workqueue.c:2089
1 lock held by syz-executor4/18584:
 #0:  (&sb->s_type->i_mutex_key#8){+.+.+.}, at: [<ffffffff8229bd8b>] inode_lock include/linux/fs.h:766 [inline]
 #0:  (&sb->s_type->i_mutex_key#8){+.+.+.}, at: [<ffffffff8229bd8b>] __sock_release+0x8b/0x260 net/socket.c:604
1 lock held by syz-executor4/18590:
 #0:  (rtnl_mutex){+.+.+.}, at: [<ffffffff823412d7>] rtnl_lock+0x17/0x20 net/core/rtnetlink.c:70
1 lock held by syz-executor4/18599:
 #0:  (rtnl_mutex){+.+.+.}, at: [<ffffffff823412d7>] rtnl_lock+0x17/0x20 net/core/rtnetlink.c:70
1 lock held by syz-executor0/18596:
 #0:  (rtnl_mutex){+.+.+.}, at: [<ffffffff823412d7>] rtnl_lock+0x17/0x20 net/core/rtnetlink.c:70
1 lock held by syz-executor0/18598:
 #0:  (rtnl_mutex){+.+.+.}, at: [<ffffffff823412d7>] rtnl_lock+0x17/0x20 net/core/rtnetlink.c:70
1 lock held by syz-executor3/18597:
 #0:  (rtnl_mutex){+.+.+.}, at: [<ffffffff823412d7>] rtnl_lock+0x17/0x20 net/core/rtnetlink.c:70

=============================================

audit_printk_skb: 1716 callbacks suppressed
audit: type=1400 audit(1547584659.936:15118): avc:  denied  { sys_admin } for  pid=2104 comm="syz-executor2" capability=21  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1547584659.976:15119): avc:  denied  { sys_admin } for  pid=2104 comm="syz-executor2" capability=21  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1547584660.016:15120): avc:  denied  { sys_admin } for  pid=2104 comm="syz-executor2" capability=21  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1547584660.056:15121): avc:  denied  { sys_admin } for  pid=2104 comm="syz-executor2" capability=21  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1547584660.106:15122): avc:  denied  { net_admin } for  pid=2104 comm="syz-executor2" capability=12  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1547584660.126:15123): avc:  denied  { net_admin } for  pid=2104 comm="syz-executor2" capability=12  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
NMI backtrace for cpu 0
CPU: 0 PID: 24 Comm: khungtaskd Not tainted 4.9.141+ #1
 ffff8801d9907d08 ffffffff81b42e79 0000000000000000 0000000000000000
 0000000000000000 0000000000000001 ffffffff810983b0 ffff8801d9907d40
 ffffffff81b4df89 0000000000000000 0000000000000000 0000000000000002
Call Trace:
 [<ffffffff81b42e79>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81b42e79>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff81b4df89>] nmi_cpu_backtrace.cold.0+0x48/0x87 lib/nmi_backtrace.c:99
 [<ffffffff81b4df1c>] nmi_trigger_cpumask_backtrace+0x12c/0x151 lib/nmi_backtrace.c:60
 [<ffffffff810984b4>] arch_trigger_cpumask_backtrace+0x14/0x20 arch/x86/kernel/apic/hw_nmi.c:37
 [<ffffffff8131c65d>] trigger_all_cpu_backtrace include/linux/nmi.h:58 [inline]
 [<ffffffff8131c65d>] check_hung_task kernel/hung_task.c:125 [inline]
 [<ffffffff8131c65d>] check_hung_uninterruptible_tasks kernel/hung_task.c:182 [inline]
 [<ffffffff8131c65d>] watchdog+0x6ad/0xa20 kernel/hung_task.c:239
 [<ffffffff81142c3d>] kthread+0x26d/0x300 kernel/kthread.c:211
 [<ffffffff82817a5c>] ret_from_fork+0x5c/0x70 arch/x86/entry/entry_64.S:373
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 2104 Comm: syz-executor2 Not tainted 4.9.141+ #1
task: ffff8801cfc25f00 task.stack: ffff8801ac848000
RIP: 0010:[<ffffffff81d6254b>]  [<ffffffff81d6254b>] io_serial_in+0x6b/0x90 drivers/tty/serial/8250/8250_port.c:414
RSP: 0018:ffff8801ac84f208  EFLAGS: 00000002
RAX: dffffc0000000000 RBX: 00000000000003fd RCX: 0000000000000000
RDX: 00000000000003fd RSI: ffffffff81d624f1 RDI: ffffffff84b5bb58
RBP: ffff8801ac84f218 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: ffffffff84b5bb20
R13: 0000000000000020 R14: fffffbfff096b7ab R15: fffffbfff096b76d
FS:  00000000020d2940(0000) GS:ffff8801db700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000004cf048 CR3: 00000001ac832000 CR4: 00000000001606b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
 ffffffff84b5bb20 000000000000270d ffff8801ac84f268 ffffffff81d64764
 ffffffff81b6cdd8 ffffffff84b5bb68 ffffffff84b5bd5a ffffffff84b5bb20
 000000000000006f ffffffff81d648b0 dffffc0000000000 000000000000006f
Call Trace:
 [<ffffffff81d64764>] serial_in drivers/tty/serial/8250/8250.h:111 [inline]
 [<ffffffff81d64764>] wait_for_xmitr+0x94/0x1e0 drivers/tty/serial/8250/8250_port.c:1997
 [<ffffffff81d648cf>] serial8250_console_putchar+0x1f/0x60 drivers/tty/serial/8250/8250_port.c:3103
 [<ffffffff81d4cce9>] uart_console_write+0x59/0xf0 drivers/tty/serial/serial_core.c:1866
 [<ffffffff81d6fae8>] serial8250_console_write+0x528/0x820 drivers/tty/serial/8250/8250_port.c:3169
 [<ffffffff81d5d4ff>] univ8250_console_write+0x5f/0x70 drivers/tty/serial/8250/8250_core.c:594
 [<ffffffff8122387d>] call_console_drivers.isra.0.constprop.15+0x1ad/0x360 kernel/printk/printk.c:1594
 [<ffffffff812265af>] console_unlock+0x47f/0xb50 kernel/printk/printk.c:2454
 [<ffffffff812270c8>] vprintk_emit+0x448/0x790 kernel/printk/printk.c:1908
 [<ffffffff81227438>] vprintk+0x28/0x30 kernel/printk/printk.c:1918
 [<ffffffff8122745d>] vprintk_default+0x1d/0x30 kernel/printk/printk.c:1919
 [<ffffffff81402f9f>] vprintk_func kernel/printk/internal.h:36 [inline]
 [<ffffffff81402f9f>] printk+0xaf/0xd7 kernel/printk/printk.c:1980
 [<ffffffff814078dc>] audit_printk_skb.cold.12+0x3f/0x4e kernel/audit.c:397
 [<ffffffff812f1ca4>] audit_log_end+0x3b4/0x600 kernel/audit.c:2016
 [<ffffffff81a47a06>] common_lsm_audit+0x546/0x1b40 security/lsm_audit.c:448
 [<ffffffff819ec79f>] slow_avc_audit+0x17f/0x210 security/selinux/avc.c:773
 [<ffffffff819fac91>] avc_audit security/selinux/include/avc.h:140 [inline]
 [<ffffffff819fac91>] cred_has_capability+0x251/0x2e0 security/selinux/hooks.c:1668
 [<ffffffff819fadb6>] selinux_capable+0x36/0x40 security/selinux/hooks.c:2178
 [<ffffffff819e2d78>] security_capable+0x88/0xc0 security/security.c:189
 [<ffffffff810fa7c4>] ns_capable_common+0xd4/0x150 kernel/capability.c:373
 [<ffffffff810fa862>] ns_capable+0x22/0x30 kernel/capability.c:395
 [<ffffffff8261c0d6>] do_arpt_get_ctl+0xf6/0x860 net/ipv4/netfilter/arp_tables.c:1487
 [<ffffffff823e2840>] nf_sockopt net/netfilter/nf_sockopt.c:103 [inline]
 [<ffffffff823e2840>] nf_getsockopt+0x70/0xd0 net/netfilter/nf_sockopt.c:121
 [<ffffffff824bd877>] ip_getsockopt+0x127/0x170 net/ipv4/ip_sockglue.c:1557
 [<ffffffff824e0228>] tcp_getsockopt+0x88/0xe0 net/ipv4/tcp.c:3106
 [<ffffffff822a706a>] sock_common_getsockopt+0x9a/0xe0 net/core/sock.c:2665
 [<ffffffff822a4fc0>] SYSC_getsockopt net/socket.c:1816 [inline]
 [<ffffffff822a4fc0>] SyS_getsockopt+0x150/0x240 net/socket.c:1798
 [<ffffffff810056ef>] do_syscall_64+0x19f/0x550 arch/x86/entry/common.c:285
 [<ffffffff82817893>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
Code: 24 c9 00 00 00 49 8d 7c 24 38 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 d3 e3 80 3c 02 00 75 17 41 03 5c 24 38 89 da ec <5b> 0f b6 c0 41 5c 5d c3 e8 a8 0a 79 ff eb c2 e8 01 0b 79 ff eb

Crashes (2):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2019/01/15 20:37 https://android.googlesource.com/kernel/common android-4.9 8fe428403e30 79cb1a7c .config console log report ci-android-49-kasan-gce
2018/10/07 12:05 https://android.googlesource.com/kernel/common android-4.9 7bebf33f9d46 8b311eaf .config console log report ci-android-49-kasan-gce-root
* Struck through repros no longer work on HEAD.