syzbot
BUG: soft lockup in lock_is_held_type

Status: auto-closed as invalid on 2022/07/26 21:52
Reported-by: syzbot+18c4ca633eb5ea16ad9e@syzkaller.appspotmail.com
First crash: 750d, last: 750d
Similar bugs (4)
Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status
linux-4.19 | BUG: soft lockup in lock_is_held_type | | | | 3 | 598d | 693d | 0/1 | auto-obsoleted due to no activity on 2022/12/25 06:00
linux-4.19 | BUG: soft lockup in lock_is_held_type (2) | | | | 1 | 472d | 472d | 0/1 | upstream: reported on 2022/12/31 04:23
upstream | INFO: rcu detected stall in lock_is_held_type (4) mm | | | | 1 | 400d | 400d | 0/26 | auto-obsoleted due to no activity on 2023/06/11 21:13
upstream | INFO: rcu detected stall in lock_is_held_type (3) wireless | | | | 1 | 990d | 990d | 0/26 | auto-closed as invalid on 2021/10/29 13:54

Sample crash report:
overlayfs: fs on './file0' does not support file handles, falling back to index=off.
watchdog: BUG: soft lockup - CPU#0 stuck for 22s! [syz-executor.0:9551]
Modules linked in:
irq event stamp: 3764811
hardirqs last  enabled at (3764810): [<ffffffff87400976>] restore_regs_and_return_to_kernel+0x0/0x2a
hardirqs last disabled at (3764811): [<ffffffff874018ae>] apic_timer_interrupt+0x8e/0xa0 arch/x86/entry/entry_64.S:793
softirqs last  enabled at (26174): [<ffffffff8760068b>] __do_softirq+0x68b/0x9ff kernel/softirq.c:314
softirqs last disabled at (26651): [<ffffffff81321d13>] invoke_softirq kernel/softirq.c:368 [inline]
softirqs last disabled at (26651): [<ffffffff81321d13>] irq_exit+0x193/0x240 kernel/softirq.c:409
CPU: 0 PID: 9551 Comm: syz-executor.0 Not tainted 4.14.274-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff88805de80500 task.stack: ffff88805de88000
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:779 [inline]
RIP: 0010:lock_is_held_type+0x17a/0x210 kernel/locking/lockdep.c:4038
RSP: 0018:ffff8880ba407d18 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff10
RAX: 1ffffffff11e1309 RBX: 0000000000000286 RCX: 0000000000000000
RDX: dffffc0000000000 RSI: 00000000ffffffff RDI: 0000000000000286
RBP: ffff88805de80500 R08: ffffffff8c035848 R09: 0000000000000002
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 1ffff11017480fae R14: 1ffff11017480fd3 R15: 0000000000000000
FS:  00007f0587e4f700(0000) GS:ffff8880ba400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fa5fc1b1e48 CR3: 000000009bfc9000 CR4: 00000000003406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 lock_is_held include/linux/lockdep.h:437 [inline]
 rcu_read_lock_sched_held+0x16c/0x1d0 kernel/rcu/update.c:116
 trace_timer_expire_exit include/trace/events/timer.h:121 [inline]
 call_timer_fn+0x515/0x650 kernel/time/timer.c:1281
 expire_timers+0x232/0x4d0 kernel/time/timer.c:1319
 __run_timers kernel/time/timer.c:1637 [inline]
 run_timer_softirq+0x1d5/0x5a0 kernel/time/timer.c:1650
 __do_softirq+0x24d/0x9ff kernel/softirq.c:288
 invoke_softirq kernel/softirq.c:368 [inline]
 irq_exit+0x193/0x240 kernel/softirq.c:409
 exiting_irq arch/x86/include/asm/apic.h:638 [inline]
 smp_apic_timer_interrupt+0x141/0x5e0 arch/x86/kernel/apic/apic.c:1106
 apic_timer_interrupt+0x93/0xa0 arch/x86/entry/entry_64.S:793
 </IRQ>
RIP: 0010:preempt_schedule_irq+0xa6/0x140 kernel/sched/core.c:3614
RSP: 0018:ffff88805de8f610 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff10
RAX: 1ffffffff11e130b RBX: dffffc0000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffff88805de80d88 RDI: ffff88805de80d84
RBP: ffffed100bbd00a0 R08: ffffffff8b9e0320 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff88805de80500
R13: ffffffff88f09858 R14: 0000000000000000 R15: 0000000000000000
 retint_kernel+0x1b/0x2d
RIP: 0010:__write_once_size include/linux/compiler.h:212 [inline]
RIP: 0010:__sanitizer_cov_trace_pc+0x4a/0x50 kernel/kcov.c:90
RSP: 0018:ffff88805de8f6e0 EFLAGS: 00000212 ORIG_RAX: ffffffffffffff10
RAX: 0000000000040000 RBX: ffff88805de80500 RCX: ffffc90005cba000
RDX: 0000000000017246 RSI: ffffffff818d2d7a RDI: ffff88805de80d84
RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000020012
R10: ffff88805de80d88 R11: ffff88805de80500 R12: ffff88809c88e400
R13: 0000000000000008 R14: 0000000000000003 R15: ffff88809c88e400
 rcu_read_lock include/linux/rcupdate.h:630 [inline]
 __fget+0x8a/0x3e0 fs/file.c:743
 __fget_light fs/file.c:794 [inline]
 __fdget+0x185/0x1f0 fs/file.c:802
 fdget include/linux/file.h:59 [inline]
 do_select+0x9de/0x1290 fs/select.c:505
 core_sys_select+0x32f/0x6a0 fs/select.c:656
 do_pselect fs/select.c:733 [inline]
 SYSC_pselect6 fs/select.c:774 [inline]
 SyS_pselect6+0x358/0x3c0 fs/select.c:759
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x7f05894da049
RSP: 002b:00007f0587e4f168 EFLAGS: 00000246 ORIG_RAX: 000000000000010e
RAX: ffffffffffffffda RBX: 00007f05895ecf60 RCX: 00007f05894da049
RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0e67d2ad1e0ff6b8
RBP: 00007f058953408d R08: 0000000020000200 R09: 0000000000000000
R10: 0000000020000140 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffe6418715f R14: 00007f0587e4f300 R15: 0000000000022000
Code: 00 00 00 00 00 fc ff df c7 85 84 08 00 00 00 00 00 00 48 c1 e8 03 80 3c 10 00 75 63 48 83 3d 35 5f af 07 00 74 2c 48 89 df 57 9d <0f> 1f 44 00 00 48 83 c4 08 44 89 e0 5b 5d 41 5c c3 48 83 c4 08 
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 9553 Comm: syz-executor.3 Not tainted 4.14.274-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff88809bf4a580 task.stack: ffff88805df58000
RIP: 0010:native_apic_mem_write+0x8/0x10 arch/x86/include/asm/apic.h:100
RSP: 0018:ffff8880ba507400 EFLAGS: 00000046
RAX: dffffc0000000000 RBX: ffffffff88cc9000 RCX: 0000000000000020
RDX: 1ffffffff119921d RSI: 00000000000000ce RDI: 0000000000000380
RBP: ffff8880ba5282c0 R08: ffff88823fff7058 R09: ffff88823fff704f
R10: ffff88823fff7057 R11: 00000029abe1af5e R12: 00000000000000ce
R13: 0000000000000003 R14: 000000283e7ffec7 R15: 000000306ca2f4a8
FS:  00007fa5faab7700(0000) GS:ffff8880ba500000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b30842000 CR3: 00000000a537f000 CR4: 00000000003406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 apic_write arch/x86/include/asm/apic.h:385 [inline]
 lapic_next_event+0x53/0x80 arch/x86/kernel/apic/apic.c:468
 clockevents_program_event+0x1f1/0x2d0 kernel/time/clockevents.c:339
 tick_program_event+0x78/0xd0 kernel/time/tick-oneshot.c:47
 hrtimer_interrupt+0x336/0x5e0 kernel/time/hrtimer.c:1334
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1079 [inline]
 smp_apic_timer_interrupt+0x117/0x5e0 arch/x86/kernel/apic/apic.c:1104
 apic_timer_interrupt+0x93/0xa0 arch/x86/entry/entry_64.S:793
RIP: 0010:deref_stack_reg arch/x86/kernel/unwind_orc.c:289 [inline]
RIP: 0010:deref_stack_reg+0x12d/0x1a0 arch/x86/kernel/unwind_orc.c:283
RSP: 0018:ffff8880ba5075f0 EFLAGS: 00000a06 ORIG_RAX: ffffffffffffff10
RAX: ffffffff863ae21e RBX: 1ffff110174a0ebf RCX: ffffffff8ad0db8a
RDX: 1ffff110174a0eee RSI: ffff8880ba507618 RDI: ffff8880ba507b00
RBP: ffffffff863ae21e R08: ffffffff8ad0db8e R09: ffffffff8ad0db8f
R10: 0000000000119e63 R11: 0000000000000001 R12: ffff8880ba507728
R13: ffff8880ba507770 R14: ffff8880ba500000 R15: ffff8880ba507728
 unwind_next_frame+0xc98/0x17d0 arch/x86/kernel/unwind_orc.c:425
 __save_stack_trace+0x90/0x160 arch/x86/kernel/stacktrace.c:44
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xeb/0x160 mm/kasan/kasan.c:551
 kmem_cache_alloc+0x124/0x3c0 mm/slab.c:3552
 dst_alloc+0xed/0x6d0 net/core/dst.c:107
 __ip6_dst_alloc net/ipv6/route.c:357 [inline]
 ip6_dst_alloc+0x39/0x2d0 net/ipv6/route.c:370
 icmp6_dst_alloc+0x155/0x580 net/ipv6/route.c:1768
 ndisc_send_skb+0xace/0x1390 net/ipv6/ndisc.c:463
 ndisc_send_rs+0x125/0x630 net/ipv6/ndisc.c:677
 addrconf_rs_timer+0x2bb/0x5a0 net/ipv6/addrconf.c:3769
 call_timer_fn+0x14a/0x650 kernel/time/timer.c:1280
 expire_timers+0x232/0x4d0 kernel/time/timer.c:1319
 __run_timers kernel/time/timer.c:1637 [inline]
 run_timer_softirq+0x1d5/0x5a0 kernel/time/timer.c:1650
 __do_softirq+0x24d/0x9ff kernel/softirq.c:288
 invoke_softirq kernel/softirq.c:368 [inline]
 irq_exit+0x193/0x240 kernel/softirq.c:409
 exiting_irq arch/x86/include/asm/apic.h:638 [inline]
 smp_apic_timer_interrupt+0x141/0x5e0 arch/x86/kernel/apic/apic.c:1106
 apic_timer_interrupt+0x93/0xa0 arch/x86/entry/entry_64.S:793
 </IRQ>
RIP: 0010:__raw_callee_save___pv_queued_spin_unlock+0xc/0x12
RSP: 0018:ffff88805df5fd20 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff10
RAX: 0000000000000001 RBX: 0000000000000000 RCX: 1ffff110137e95c1
RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8880625ca0b8
RBP: ffff8880625ca0b8 R08: ffffffff8b9bed40 R09: 0000000000000000
R10: 0000000000000000 R11: ffff88809bf4a580 R12: ffff8880625ca0c0
R13: ffff8880625ca0c8 R14: ffff8880625ca1a8 R15: 0000000000000001
 pv_queued_spin_unlock arch/x86/include/asm/paravirt.h:674 [inline]
 queued_spin_unlock arch/x86/include/asm/qspinlock.h:57 [inline]
 do_raw_spin_unlock+0x164/0x220 kernel/locking/spinlock_debug.c:135
 __raw_spin_unlock include/linux/spinlock_api_smp.h:151 [inline]
 _raw_spin_unlock+0x1f/0x40 kernel/locking/spinlock.c:184
 spin_unlock include/linux/spinlock.h:357 [inline]
 evict+0x49f/0x700 fs/inode.c:570
 iput_final fs/inode.c:1524 [inline]
 iput+0x458/0x7e0 fs/inode.c:1551
 __sock_release+0x232/0x2b0 net/socket.c:615
 sock_release net/socket.c:623 [inline]
 __sock_create+0x255/0x620 net/socket.c:1304
 sock_create net/socket.c:1315 [inline]
 SYSC_socket net/socket.c:1345 [inline]
 SyS_socket+0xd1/0x1b0 net/socket.c:1325
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x7fa5fc142049
RSP: 002b:00007fa5faab7168 EFLAGS: 00000246 ORIG_RAX: 0000000000000029
RAX: ffffffffffffffda RBX: 00007fa5fc254f60 RCX: 00007fa5fc142049
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 00007fa5fc19c08d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffe5d07a70f R14: 00007fa5faab7300 R15: 0000000000022000
Code: 83 3d dc 0c 0c 0a 01 7f 02 5d c3 89 ef 5d e9 12 1b df 05 48 c7 c7 c0 93 2e 8b e8 c4 6b 5c 00 eb df 66 90 89 ff 89 b7 00 c0 5f ff <c3> 0f 1f 80 00 00 00 00 48 b8 00 00 00 00 00 fc ff df 53 89 fb 
----------------
Code disassembly (best guess), 7 bytes skipped:
   0:	df c7                	ffreep %st(7)
   2:	85 84 08 00 00 00 00 	test   %eax,0x0(%rax,%rcx,1)
   9:	00 00                	add    %al,(%rax)
   b:	48 c1 e8 03          	shr    $0x3,%rax
   f:	80 3c 10 00          	cmpb   $0x0,(%rax,%rdx,1)
  13:	75 63                	jne    0x78
  15:	48 83 3d 35 5f af 07 	cmpq   $0x0,0x7af5f35(%rip)        # 0x7af5f52
  1c:	00
  1d:	74 2c                	je     0x4b
  1f:	48 89 df             	mov    %rbx,%rdi
  22:	57                   	push   %rdi
  23:	9d                   	popfq
* 24:	0f 1f 44 00 00       	nopl   0x0(%rax,%rax,1) <-- trapping instruction
  29:	48 83 c4 08          	add    $0x8,%rsp
  2d:	44 89 e0             	mov    %r12d,%eax
  30:	5b                   	pop    %rbx
  31:	5d                   	pop    %rbp
  32:	41 5c                	pop    %r12
  34:	c3                   	retq
  35:	48 83 c4 08          	add    $0x8,%rsp

Crashes (1):
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title
2022/03/28 21:51 | linux-4.14.y | af1af6ebca0e | 6bdac766 | .config | console log | report | | | info | | ci2-linux-4-14 | BUG: soft lockup in lock_is_held_type
* Struck through repros no longer work on HEAD.