syzbot


BUG: soft lockup in new_sync_write

Status: closed as invalid on 2020/02/04 12:57
Subsystems: kvm
First crash: 1609d, last: 1609d

Sample crash report:
watchdog: BUG: soft lockup - CPU#1 stuck for 123s! [syz-executor.1:14212]
Modules linked in:
irq event stamp: 66822
hardirqs last  enabled at (66821): [<ffffffff810f3e79>] kvm_wait arch/x86/kernel/kvm.c:790 [inline]
hardirqs last  enabled at (66821): [<ffffffff810f3e79>] kvm_wait+0x89/0xb0 arch/x86/kernel/kvm.c:770
hardirqs last disabled at (66822): [<ffffffff8100427a>] trace_hardirqs_off_thunk+0x1a/0x20 arch/x86/entry/thunk_64.S:42
softirqs last  enabled at (66762): [<ffffffff85a00650>] __do_softirq+0x650/0x912 kernel/softirq.c:319
softirqs last disabled at (66723): [<ffffffff81154b68>] invoke_softirq kernel/softirq.c:373 [inline]
softirqs last disabled at (66723): [<ffffffff81154b68>] irq_exit+0x178/0x1a0 kernel/softirq.c:413
CPU: 1 PID: 14212 Comm: syz-executor.1 Not tainted 5.4.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:arch_irqs_disabled_flags arch/x86/include/asm/irqflags.h:164 [inline]
RIP: 0010:kvm_wait arch/x86/kernel/kvm.c:793 [inline]
RIP: 0010:kvm_wait+0x97/0xb0 arch/x86/kernel/kvm.c:770
Code: 00 41 f7 c4 00 02 00 00 74 eb e8 c4 14 34 00 41 54 9d 5b 5d 41 5c c3 e8 b7 14 34 00 e9 07 00 00 00 0f 00 2d db 39 b5 04 fb f4 <eb> de 48 89 df e8 5f 2d 56 00 eb a1 0f 1f 00 66 2e 0f 1f 84 00 00
RSP: 0018:ffff8881bf937140 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000007 RBX: ffff8881cdb25688 RCX: 0000000000000006
RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff8881d23d384c
RBP: 0000000000000003 R08: ffff8881d23d3000 R09: fffffbfff11aafa6
R10: fffffbfff11aafa5 R11: ffffffff88d57d2f R12: 0000000000000246
R13: 0000000000000000 R14: 0000000000000001 R15: ffff8881db332b00
FS:  00007f35e27ce700(0000) GS:ffff8881db300000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000001d312d000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 pv_wait arch/x86/include/asm/paravirt.h:652 [inline]
 pv_wait_head_or_lock kernel/locking/qspinlock_paravirt.h:470 [inline]
 __pv_queued_spin_lock_slowpath+0x88a/0xaa0 kernel/locking/qspinlock.c:507
 pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:642 [inline]
 queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:50 [inline]
 queued_spin_lock include/asm-generic/qspinlock.h:81 [inline]
 do_raw_spin_lock+0x1d1/0x280 kernel/locking/spinlock_debug.c:113
 spin_lock include/linux/spinlock.h:338 [inline]
 follow_page_pte mm/gup.c:186 [inline]
 follow_pmd_mask mm/gup.c:365 [inline]
 follow_pud_mask mm/gup.c:460 [inline]
 follow_p4d_mask mm/gup.c:486 [inline]
 follow_page_mask+0xae8/0x1620 mm/gup.c:545
 __get_user_pages+0x658/0x1710 mm/gup.c:843
 __get_user_pages_locked mm/gup.c:1023 [inline]
 get_user_pages_unlocked+0x26d/0x450 mm/gup.c:1688
 __gup_longterm_unlocked mm/gup.c:2375 [inline]
 get_user_pages_fast+0x3ef/0x440 mm/gup.c:2430
 iov_iter_get_pages+0x2a0/0xec0 lib/iov_iter.c:1287
 dio_refill_pages fs/direct-io.c:171 [inline]
 dio_get_page fs/direct-io.c:215 [inline]
 do_direct_IO fs/direct-io.c:973 [inline]
 do_blockdev_direct_IO+0x2e63/0x8500 fs/direct-io.c:1326
 ext4_direct_IO_write fs/ext4/inode.c:3742 [inline]
 ext4_direct_IO+0xcb5/0x1b90 fs/ext4/inode.c:3871
 generic_file_direct_write+0x201/0x490 mm/filemap.c:3208
 __generic_file_write_iter+0x22e/0x5c0 mm/filemap.c:3391
 ext4_file_write_iter+0x3b6/0x1210 fs/ext4/file.c:268
 call_write_iter include/linux/fs.h:1895 [inline]
 new_sync_write+0x420/0x650 fs/read_write.c:483
 __vfs_write+0xc9/0x100 fs/read_write.c:496
 vfs_write+0x262/0x5c0 fs/read_write.c:558
 ksys_write+0x127/0x250 fs/read_write.c:611
 do_syscall_64+0xb7/0x580 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45a649
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f35e27cdc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045a649
RDX: 0000000000101200 RSI: 0000000020000000 RDI: 000000000000000b
RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f35e27ce6d4
R13: 00000000004cb1ce R14: 00000000004e3950 R15: 00000000ffffffff
Sending NMI from CPU 1 to CPUs 0:
RDX: 0000000000001000 RSI: ffff8881a5601e00 RDI: 00000000200c3000
RBP: 00000000200c2200 R08: ffffed1034ac0400 R09: 0000000000000000
NMI backtrace for cpu 0
CPU: 0 PID: 14211 Comm: syz-executor.1 Not tainted 5.4.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:memcpy_erms+0x8/0x10 arch/x86/lib/memcpy_64.S:57
Code: 90 90 eb 1e 0f 1f 00 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 f3 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 f3 a4 <c3> 0f 1f 80 00 00 00 00 48 89 f8 48 83 fa 20 72 7e 40 38 fe 7c 35
RSP: 0018:ffff8881db2094b8 EFLAGS: 00000046
RAX: ffff8881db209715 RBX: dffffc0000000000 RCX: 0000000000000000
RDX: 0000000000000001 RSI: ffffffff85c74f85 RDI: ffff8881db209716
RBP: ffffffff85c74f84 R08: 0000000000000006 R09: ffffed103b6412e3
R10: ffffed103b6412e2 R11: ffff8881db209715 R12: ffff8881db209715
R13: ffffffff85c74f85 R14: 0000000000000001 R15: ffff8881db2095c0
FS:  00007f35e27ef700(0000) GS:ffff8881db200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000200c3000 CR3: 00000001d312d000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 memcpy include/linux/string.h:378 [inline]
 vsnprintf+0x915/0x14f0 lib/vsprintf.c:2472
 sprintf+0xc0/0x100 lib/vsprintf.c:2712
 print_caller kernel/printk/printk.c:1282 [inline]
 print_prefix kernel/printk/printk.c:1299 [inline]
 msg_print_text+0x190/0x560 kernel/printk/printk.c:1316
 console_unlock+0x301/0xc40 kernel/printk/printk.c:2448
 vprintk_emit+0x171/0x3e0 kernel/printk/printk.c:1996
 vprintk_func+0x75/0x113 kernel/printk/printk_safe.c:386
 printk+0xba/0xed kernel/printk/printk.c:2056
 __show_regs.cold+0x179/0x551 arch/x86/kernel/process_64.c:85
 show_trace_log_lvl+0x25f/0x2b5 arch/x86/kernel/dumpstack.c:274
 fn_show_ptregs+0x20/0x30 drivers/tty/vt/keyboard.c:479
 k_spec drivers/tty/vt/keyboard.c:636 [inline]
 k_spec+0xdc/0x120 drivers/tty/vt/keyboard.c:625
 kbd_keycode drivers/tty/vt/keyboard.c:1477 [inline]
 kbd_event+0x927/0x3790 drivers/tty/vt/keyboard.c:1495
 input_to_handler+0x3b6/0x4c0 drivers/input/input.c:118
 input_pass_values.part.0+0x2e3/0x720 drivers/input/input.c:145
 input_pass_values drivers/input/input.c:181 [inline]
 input_repeat_key+0x1ee/0x2c0 drivers/input/input.c:193
 call_timer_fn+0x179/0x650 kernel/time/timer.c:1404
 expire_timers kernel/time/timer.c:1449 [inline]
 __run_timers kernel/time/timer.c:1773 [inline]
 __run_timers kernel/time/timer.c:1740 [inline]
 run_timer_softirq+0x5e3/0x1490 kernel/time/timer.c:1786
 __do_softirq+0x221/0x912 kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:373 [inline]
 irq_exit+0x178/0x1a0 kernel/softirq.c:413
 exiting_irq arch/x86/include/asm/apic.h:536 [inline]
 smp_apic_timer_interrupt+0x12f/0x500 arch/x86/kernel/apic/apic.c:1137
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:830
 </IRQ>
RIP: 0010:_raw_spin_lock_irqsave+0x0/0x50 kernel/locking/spinlock.c:158
Code: 01 00 00 00 31 c9 ff 74 24 08 48 8d 7d 18 31 d2 31 f6 e8 a3 c3 b6 fb 48 89 ef 58 5d e9 c9 97 b7 fb 66 0f 1f 84 00 00 00 00 00 <41> 54 55 48 89 fd 9c 41 5c fa e8 d1 6f d4 fb 65 ff 05 12 0f 93 7a
RSP: 0018:ffff8881cdf1f498 EFLAGS: 00000216 ORIG_RAX: ffffffffffffff13
RAX: 0000000000040000 RBX: 0000000000000000 RCX: ffffc90006ae4000
RDX: 000000000002c5f4 RSI: ffffffff8151385e RDI: ffff88821fffd680
RBP: ffffea0006aaa3c0 R08: ffff8881ae668000 R09: fffff94000df954f
R10: fffff94000df954e R11: ffffea0006fcaa77 R12: ffff88821fffa000
R13: ffff8881db22f1e0 R14: 0000000000000000 R15: dffffc0000000000
 pagevec_lru_move_fn+0x12b/0x260 mm/swap.c:207
 __pagevec_lru_add mm/swap.c:966 [inline]
 __lru_cache_add+0x1a0/0x260 mm/swap.c:406
 wp_page_copy+0x904/0x19b0 mm/memory.c:2369
 do_wp_page+0x2cd/0x1b40 mm/memory.c:2628
 handle_pte_fault mm/memory.c:3865 [inline]
 __handle_mm_fault+0x1415/0x2980 mm/memory.c:3973
 handle_mm_fault+0x2f1/0x910 mm/memory.c:4010
 do_user_addr_fault arch/x86/mm/fault.c:1441 [inline]
 __do_page_fault+0x62b/0xcc0 arch/x86/mm/fault.c:1506
 page_fault+0x34/0x40 arch/x86/entry/entry_64.S:1202
RIP: 0010:copy_user_enhanced_fast_string+0xe/0x30 arch/x86/lib/copy_user_64.S:205
Code: 89 d1 c1 e9 03 83 e2 07 f3 48 a5 89 d1 f3 a4 31 c0 0f 1f 00 c3 0f 1f 80 00 00 00 00 0f 1f 00 83 fa 40 0f 82 70 ff ff ff 89 d1 <f3> a4 31 c0 0f 1f 00 c3 66 2e 0f 1f 84 00 00 00 00 00 89 d1 f3 a4
RSP: 0018:ffff8881cdf1fa08 EFLAGS: 00010206
RAX: 0000000000000001 RBX: 0000000000001000 RCX: 0000000000000200
RDX: 0000000000001000 RSI: ffff8881a5601e00 RDI: 00000000200c3000
RBP: 00000000200c2200 R08: ffffed1034ac0400 R09: 0000000000000000
R10: ffffed1034ac03ff R11: ffff8881a5601fff R12: ffff8881a5601000
R13: 00000000200c3200 R14: 00007ffffffff000 R15: 0000000000000000
 copy_user_generic arch/x86/include/asm/uaccess_64.h:37 [inline]
 raw_copy_to_user arch/x86/include/asm/uaccess_64.h:128 [inline]
 copyout+0x11c/0x140 lib/iov_iter.c:142
 copy_page_to_iter_iovec lib/iov_iter.c:211 [inline]
 copy_page_to_iter+0x406/0xdc0 lib/iov_iter.c:900
 generic_file_buffered_read mm/filemap.c:2144 [inline]
 generic_file_read_iter+0xffd/0x29c0 mm/filemap.c:2324
 ext4_file_read_iter+0x145/0x1b0 fs/ext4/file.c:77
 call_read_iter include/linux/fs.h:1889 [inline]
 new_sync_read+0x418/0x6d0 fs/read_write.c:414
 __vfs_read+0xc9/0x100 fs/read_write.c:427
 vfs_read+0x1ea/0x430 fs/read_write.c:461
 ksys_read+0x127/0x250 fs/read_write.c:587
 do_syscall_64+0xb7/0x580 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45a649
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f35e27eec78 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045a649
RDX: 00000000ffffffad RSI: 0000000020003200 RDI: 0000000000000008
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f35e27ef6d4
R13: 00000000004c81be R14: 00000000004de4a8 R15: 00000000ffffffff

Crashes (1):
Time: 2019/11/26 22:53
Kernel: https://github.com/google/kasan.git usb-fuzzer
Commit: da06441bb485
Syzkaller: 1048481f
Config: .config
Log: console log
Report: report
Syz repro: (none)
C repro: (none)
VM info: (none)
Assets: (none)
Manager: ci2-upstream-usb
Title: (none)