syzbot

 sign-in | mailing list | source | docs
🐞 Open [717] 🐞 Fixed [181] 🐞 Invalid [640] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes 💬 Send us feedback

INFO: task hung in fb_release

Status: fixed on 2020/08/28 16:06
Reported-by: syzbot+2e177b22e4c36407d8ee@syzkaller.appspotmail.com
Fix commit: c388072f90cc fbdev: Detect integer underflow at "struct fbcon_ops"->clear_margins.
First crash: 1598d, last: 1367d
Fix bisection: fixed by (bisect log) :
commit c388072f90cc2d5884cf42e0c6d605d65d323b41
Author: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Date: Wed Jul 15 01:51:02 2020 +0000

  fbdev: Detect integer underflow at "struct fbcon_ops"->clear_margins.

  
Similar bugs (2)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream INFO: task hung in fb_release fbdev C done 64 1351d 1585d 0/26 closed as dup on 2020/07/27 23:00
linux-4.19 INFO: task hung in fb_release 10 1376d 1563d 0/1 auto-closed as invalid on 2020/11/15 14:18

Sample crash report:
INFO: task syz-executor088:6349 blocked for more than 140 seconds.
      Not tainted 4.14.175-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor088 D27520  6349   6347 0x80000006
Call Trace:
 schedule+0x8d/0x1b0 kernel/sched/core.c:3428
 schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:3486
 __mutex_lock_common kernel/locking/mutex.c:833 [inline]
 __mutex_lock+0x73c/0x1470 kernel/locking/mutex.c:893
 fb_release+0x4e/0x140 drivers/video/fbdev/core/fbmem.c:1497
 __fput+0x25f/0x790 fs/file_table.c:210
 task_work_run+0x113/0x190 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0x9f2/0x2b00 kernel/exit.c:858
 do_group_exit+0x100/0x310 kernel/exit.c:955
 get_signal+0x385/0x1ca0 kernel/signal.c:2423
 do_signal+0x7c/0x1690 arch/x86/kernel/signal.c:814
 exit_to_usermode_loop+0x159/0x220 arch/x86/entry/common.c:160
 prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
 do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x441419
RSP: 002b:00007ffcf9fa5f98 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000441419
RDX: 0000000020000000 RSI: 0000000000004601 RDI: 0000000000000003
RBP: 00000000006cb018 R08: 00000000004002c8 R09: 00000000004002c8
R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000402190
R13: 0000000000402220 R14: 0000000000000000 R15: 0000000000000000
INFO: task syz-executor088:6360 blocked for more than 140 seconds.
      Not tainted 4.14.175-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor088 D28688  6360   6348 0x00000004
Call Trace:
 schedule+0x8d/0x1b0 kernel/sched/core.c:3428
 schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:3486
 __mutex_lock_common kernel/locking/mutex.c:833 [inline]
 __mutex_lock+0x73c/0x1470 kernel/locking/mutex.c:893
 fb_open+0xb7/0x400 drivers/video/fbdev/core/fbmem.c:1468
 chrdev_open+0x1fc/0x540 fs/char_dev.c:423
 do_dentry_open+0x732/0xe90 fs/open.c:777
 vfs_open+0x105/0x220 fs/open.c:888
 do_last fs/namei.c:3428 [inline]
 path_openat+0x8ca/0x3c50 fs/namei.c:3569
 do_filp_open+0x18e/0x250 fs/namei.c:3603
 do_sys_open+0x29d/0x3f0 fs/open.c:1081
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x441419
RSP: 002b:00007ffcf9fa5f98 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441419
RDX: 0000000000000000 RSI: 0000000020000180 RDI: ffffffffffffff9c
RBP: 0000000000101510 R08: 0000000000000004 R09: 00000009004002c8
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000402190
R13: 0000000000402220 R14: 0000000000000000 R15: 0000000000000000
INFO: task syz-executor088:6361 blocked for more than 140 seconds.
      Not tainted 4.14.175-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor088 D28688  6361   6352 0x00000004
Call Trace:
 schedule+0x8d/0x1b0 kernel/sched/core.c:3428
 schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:3486
 __mutex_lock_common kernel/locking/mutex.c:833 [inline]
 __mutex_lock+0x73c/0x1470 kernel/locking/mutex.c:893
 fb_open+0xb7/0x400 drivers/video/fbdev/core/fbmem.c:1468
 chrdev_open+0x1fc/0x540 fs/char_dev.c:423
 do_dentry_open+0x732/0xe90 fs/open.c:777
 vfs_open+0x105/0x220 fs/open.c:888
 do_last fs/namei.c:3428 [inline]
 path_openat+0x8ca/0x3c50 fs/namei.c:3569
 do_filp_open+0x18e/0x250 fs/namei.c:3603
 do_sys_open+0x29d/0x3f0 fs/open.c:1081
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x441419
RSP: 002b:00007ffcf9fa5f98 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441419
RDX: 0000000000000000 RSI: 0000000020000180 RDI: ffffffffffffff9c
RBP: 0000000000101512 R08: 0000000000000004 R09: 00000009004002c8
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000402190
R13: 0000000000402220 R14: 0000000000000000 R15: 0000000000000000
INFO: task syz-executor088:6362 blocked for more than 140 seconds.
      Not tainted 4.14.175-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor088 D28688  6362   6350 0x00000004
Call Trace:
 schedule+0x8d/0x1b0 kernel/sched/core.c:3428
 schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:3486
 __mutex_lock_common kernel/locking/mutex.c:833 [inline]
 __mutex_lock+0x73c/0x1470 kernel/locking/mutex.c:893
 fb_open+0xb7/0x400 drivers/video/fbdev/core/fbmem.c:1468
 chrdev_open+0x1fc/0x540 fs/char_dev.c:423
 do_dentry_open+0x732/0xe90 fs/open.c:777
 vfs_open+0x105/0x220 fs/open.c:888
 do_last fs/namei.c:3428 [inline]
 path_openat+0x8ca/0x3c50 fs/namei.c:3569
 do_filp_open+0x18e/0x250 fs/namei.c:3603
 do_sys_open+0x29d/0x3f0 fs/open.c:1081
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x441419
RSP: 002b:00007ffcf9fa5f98 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441419
RDX: 0000000000000000 RSI: 0000000020000180 RDI: ffffffffffffff9c
RBP: 0000000000101515 R08: 0000000000000004 R09: 00000009004002c8
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000402190
R13: 0000000000402220 R14: 0000000000000000 R15: 0000000000000000
INFO: task syz-executor088:6363 blocked for more than 140 seconds.
      Not tainted 4.14.175-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor088 D28688  6363   6351 0x00000004
Call Trace:
 schedule+0x8d/0x1b0 kernel/sched/core.c:3428
 schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:3486
 __mutex_lock_common kernel/locking/mutex.c:833 [inline]
 __mutex_lock+0x73c/0x1470 kernel/locking/mutex.c:893
 fb_open+0xb7/0x400 drivers/video/fbdev/core/fbmem.c:1468
 chrdev_open+0x1fc/0x540 fs/char_dev.c:423
 do_dentry_open+0x732/0xe90 fs/open.c:777
 vfs_open+0x105/0x220 fs/open.c:888
 do_last fs/namei.c:3428 [inline]
 path_openat+0x8ca/0x3c50 fs/namei.c:3569
 do_filp_open+0x18e/0x250 fs/namei.c:3603
 do_sys_open+0x29d/0x3f0 fs/open.c:1081
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x441419
RSP: 002b:00007ffcf9fa5f98 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441419
RDX: 0000000000000000 RSI: 0000000020000180 RDI: ffffffffffffff9c
RBP: 000000000010150f R08: 0000000000000004 R09: 00000009004002c8
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000402190
R13: 0000000000402220 R14: 0000000000000000 R15: 0000000000000000

Showing all locks held in the system:
1 lock held by khungtaskd/1056:
 #0:  (tasklist_lock){.+.+}, at: [<ffffffff81465bb3>] debug_show_all_locks+0x7c/0x21a kernel/locking/lockdep.c:4544
1 lock held by in:imklog/6049:
 #0:  (&f->f_pos_lock){+.+.}, at: [<ffffffff8191b836>] __fdget_pos+0xa6/0xc0 fs/file.c:769
1 lock held by syz-executor088/6349:
 #0:  (&fb_info->lock){+.+.}, at: [<ffffffff831715be>] fb_release+0x4e/0x140 drivers/video/fbdev/core/fbmem.c:1497
1 lock held by syz-executor088/6360:
 #0:  (&fb_info->lock){+.+.}, at: [<ffffffff83171ec7>] fb_open+0xb7/0x400 drivers/video/fbdev/core/fbmem.c:1468
1 lock held by syz-executor088/6361:
 #0:  (&fb_info->lock){+.+.}, at: [<ffffffff83171ec7>] fb_open+0xb7/0x400 drivers/video/fbdev/core/fbmem.c:1468
1 lock held by syz-executor088/6362:
 #0:  (&fb_info->lock){+.+.}, at: [<ffffffff83171ec7>] fb_open+0xb7/0x400 drivers/video/fbdev/core/fbmem.c:1468
1 lock held by syz-executor088/6363:
 #0:  (&fb_info->lock){+.+.}, at: [<ffffffff83171ec7>] fb_open+0xb7/0x400 drivers/video/fbdev/core/fbmem.c:1468

=============================================

NMI backtrace for cpu 1
CPU: 1 PID: 1056 Comm: khungtaskd Not tainted 4.14.175-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x13e/0x194 lib/dump_stack.c:58
 nmi_cpu_backtrace.cold+0x57/0x93 lib/nmi_backtrace.c:101
 nmi_trigger_cpumask_backtrace+0x139/0x17e lib/nmi_backtrace.c:62
 trigger_all_cpu_backtrace include/linux/nmi.h:140 [inline]
 check_hung_uninterruptible_tasks kernel/hung_task.c:195 [inline]
 watchdog+0x5e2/0xb80 kernel/hung_task.c:274
 kthread+0x30d/0x420 kernel/kthread.c:232
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 PID: 6359 Comm: syz-executor088 Not tainted 4.14.175-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff888098342300 task.stack: ffff888097bf8000
RIP: 0010:bitfill_aligned+0x22/0x190 drivers/video/fbdev/core/cfbfillrect.c:40
RSP: 0018:ffff888097bff318 EFLAGS: 00000297
RAX: ffff888098342300 RBX: ffff8880000a0000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffff8880000a0000 RDI: ffff8882192b2e40
RBP: 0000000000001400 R08: 0000000000001400 R09: 0000000000000040
R10: ffffed104323b873 R11: ffff8882191dc39f R12: 0000000000000040
R13: 0000000061b8135f R14: 0000000000000000 R15: 0000000000000000
FS:  00000000007fc880(0000) GS:ffff8880aea00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000180 CR3: 00000000a546a000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 cfb_fillrect+0x3d5/0x720 drivers/video/fbdev/core/cfbfillrect.c:327
 vga16fb_fillrect+0x61e/0x1880 drivers/video/fbdev/vga16fb.c:951
 bit_clear_margins+0x2a4/0x480 drivers/video/fbdev/core/bitblit.c:232
 fbcon_clear_margins+0x285/0x310 drivers/video/fbdev/core/fbcon.c:1317
 fbcon_switch+0xcdf/0x1780 drivers/video/fbdev/core/fbcon.c:2299
 redraw_screen+0x331/0x770 drivers/tty/vt/vt.c:689
 fbcon_modechanged+0x59d/0x890 drivers/video/fbdev/core/fbcon.c:2946
 fbcon_event_notify+0x11a/0x1746 drivers/video/fbdev/core/fbcon.c:3299
 notifier_call_chain+0x107/0x1a0 kernel/notifier.c:93
 __blocking_notifier_call_chain kernel/notifier.c:317 [inline]
 __blocking_notifier_call_chain kernel/notifier.c:304 [inline]
 blocking_notifier_call_chain kernel/notifier.c:328 [inline]
 blocking_notifier_call_chain+0x79/0x90 kernel/notifier.c:325
 fb_set_var+0xaad/0xc70 drivers/video/fbdev/core/fbmem.c:1054
 do_fb_ioctl+0x3cc/0x940 drivers/video/fbdev/core/fbmem.c:1127
 fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1242
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:500 [inline]
 do_vfs_ioctl+0x75a/0xfe0 fs/ioctl.c:684
 SYSC_ioctl fs/ioctl.c:701 [inline]
 SyS_ioctl+0x7f/0xb0 fs/ioctl.c:692
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x441419
RSP: 002b:00007ffcf9fa5f98 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441419
RDX: 0000000020000000 RSI: 0000000000004601 RDI: 0000000000000003
RBP: 000000000010150f R08: 00000009004002c8 R09: 00000009004002c8
R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000402190
R13: 0000000000402220 R14: 0000000000000000 R15: 0000000000000000
Code: ff 0f 1f 84 00 00 00 00 00 41 57 49 89 cf 41 56 41 89 d6 41 55 41 54 45 89 cc 55 44 89 c5 53 48 89 f3 48 83 ec 08 e8 5e 41 3f fe <85> ed 74 5f e8 55 41 3f fe 41 8d 3c 2e 44 89 f1 31 d2 49 c7 c5

Crashes (48):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2020/04/08 04:15 linux-4.14.y 4520f06b03ae db9bcd4b .config console log report syz C ci2-linux-4-14
2020/07/28 07:43 linux-4.14.y 69b94dd6dcd1 cb93dc6a .config console log report ci2-linux-4-14
2020/07/26 22:46 linux-4.14.y 69b94dd6dcd1 51265195 .config console log report ci2-linux-4-14
2020/07/23 22:32 linux-4.14.y 69b94dd6dcd1 70c104a1 .config console log report ci2-linux-4-14
2020/07/20 04:21 linux-4.14.y b850307b279c 9c812472 .config console log report ci2-linux-4-14
2020/07/15 18:20 linux-4.14.y b850307b279c ada108d0 .config console log report ci2-linux-4-14
2020/07/15 12:06 linux-4.14.y b850307b279c ada108d0 .config console log report ci2-linux-4-14
2020/07/14 06:29 linux-4.14.y b850307b279c ce4c95b3 .config console log report ci2-linux-4-14
2020/07/12 14:40 linux-4.14.y b850307b279c 115e1930 .config console log report ci2-linux-4-14
2020/06/28 16:56 linux-4.14.y b850307b279c a2cdad9d .config console log report ci2-linux-4-14
2020/06/25 01:33 linux-4.14.y b850307b279c 9d60b18e .config console log report ci2-linux-4-14
2020/06/23 12:17 linux-4.14.y b850307b279c 54566aff .config console log report ci2-linux-4-14
2020/06/22 00:51 linux-4.14.y b850307b279c 4f2acff9 .config console log report ci2-linux-4-14
2020/06/19 17:27 linux-4.14.y b850307b279c 123cf502 .config console log report ci2-linux-4-14
2020/06/18 20:23 linux-4.14.y b850307b279c 3ea11d3f .config console log report ci2-linux-4-14
2020/06/16 14:23 linux-4.14.y b850307b279c 4ea9d964 .config console log report ci2-linux-4-14
2020/06/13 19:25 linux-4.14.y b850307b279c dbce178a .config console log report ci2-linux-4-14
2020/06/12 20:03 linux-4.14.y b850307b279c 3036d6fd .config console log report ci2-linux-4-14
2020/06/06 22:53 linux-4.14.y c6db52a88798 e6b89e4e .config console log report ci2-linux-4-14
2020/06/06 06:10 linux-4.14.y c6db52a88798 c3e9afb3 .config console log report ci2-linux-4-14
2020/05/17 03:34 linux-4.14.y ab9dfda23248 37bccd4e .config console log report ci2-linux-4-14
2020/05/16 14:54 linux-4.14.y ab9dfda23248 37bccd4e .config console log report ci2-linux-4-14
2020/05/14 01:43 linux-4.14.y ab9dfda23248 a885920d .config console log report ci2-linux-4-14
2020/05/07 03:56 linux-4.14.y d71f695ce745 4618eb2d .config console log report ci2-linux-4-14
2020/04/30 21:48 linux-4.14.y 050272a0423e 3698959a .config console log report ci2-linux-4-14
2020/04/29 12:24 linux-4.14.y 050272a0423e ba2806db .config console log report ci2-linux-4-14
2020/04/27 23:39 linux-4.14.y 050272a0423e 0ce7569e .config console log report ci2-linux-4-14
2020/04/21 18:02 linux-4.14.y c10b57a567e4 f20434a8 .config console log report ci2-linux-4-14
2020/04/15 16:04 linux-4.14.y c10b57a567e4 3f3c5574 .config console log report ci2-linux-4-14
2020/04/11 01:41 linux-4.14.y 4520f06b03ae a8c6a3f8 .config console log report ci2-linux-4-14
2020/04/08 02:32 linux-4.14.y 4520f06b03ae db9bcd4b .config console log report ci2-linux-4-14
2020/04/03 00:13 linux-4.14.y 4520f06b03ae a34e2c33 .config console log report ci2-linux-4-14
2020/03/06 01:11 linux-4.14.y 78d697fc93f9 b655d91b .config console log report ci2-linux-4-14
2020/02/16 03:10 linux-4.14.y 98db2bf27b9e 5d7b90f1 .config console log report ci2-linux-4-14
2020/02/14 14:17 linux-4.14.y e0f8b8a65a47 5d7b90f1 .config console log report ci2-linux-4-14
2020/01/31 07:08 linux-4.14.y 9fa690a2a016 5ed23f9a .config console log report ci2-linux-4-14
2020/01/28 15:20 linux-4.14.y 9a95f25269bd 56cd6c9b .config console log report ci2-linux-4-14
2020/01/25 17:43 linux-4.14.y 8bac50406cca 2e95ab33 .config console log report ci2-linux-4-14
2020/01/22 13:02 linux-4.14.y c1141b3aab36 8eda0b95 .config console log report ci2-linux-4-14
2020/01/22 01:30 linux-4.14.y c1141b3aab36 8eda0b95 .config console log report ci2-linux-4-14
2020/01/10 04:59 linux-4.14.y b0cdffaa546e 4de4e9f0 .config console log report ci2-linux-4-14
2020/01/08 04:02 linux-4.14.y 84f5ad468100 6738e0b3 .config console log report ci2-linux-4-14
2019/12/16 13:34 linux-4.14.y a844dc4c5442 0ae38e44 .config console log report ci2-linux-4-14
2019/12/12 04:56 linux-4.14.y a844dc4c5442 0d368675 .config console log report ci2-linux-4-14
2019/12/11 08:50 linux-4.14.y a844dc4c5442 101194eb .config console log report ci2-linux-4-14
2019/12/10 09:58 linux-4.14.y a844dc4c5442 4b83c8fb .config console log report ci2-linux-4-14
2019/12/10 08:19 linux-4.14.y a844dc4c5442 4b83c8fb .config console log report ci2-linux-4-14
* Struck through repros no longer work on HEAD.